S2750&S5700&S6700 V200R003(C00&C02&C10) Compatible Commands Reference 04

S2750&S5700&S6700 Series Ethernet Switches

V200R003(C00&C02&C10)

Compatible Commands Reference

Issue 04

Date 2014-07-30

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2014. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior writtenconsent of Huawei Technologies Co., Ltd. Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respective holders. NoticeThe purchased products, services and features are stipulated by the contract made between Huawei and thecustomer. All or part of the products, services and features described in this document may not be within thepurchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,and recommendations in this document are provided "AS IS" without warranties, guarantees or representationsof any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.Address: Huawei Industrial Base

Bantian, LonggangShenzhen 518129People's Republic of China

Website: http://enterprise.huawei.com

Issue 04 (2014-07-30) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

i

http://enterprise.huawei.com

About This Document

Intended AudienceThis document is intended for:

l Data configuration engineers

l Commissioning engineers

l Network monitoring engineers

l System maintenance engineers

Symbol ConventionsThe symbols that may be found in this document are defined as follows.

Symbol Description

Indicates an imminently hazardous situationwhich, if not avoided, will result in death orserious injury.

Indicates a potentially hazardous situationwhich, if not avoided, could result in death orserious injury.

Indicates a potentially hazardous situationwhich, if not avoided, may result in minor ormoderate injury.

Indicates a potentially hazardous situationwhich, if not avoided, could result inequipment damage, data loss, performancedeterioration, or unanticipated results.NOTICE is used to address practices notrelated to personal injury.

S2750&S5700&S6700 Series Ethernet SwitchesCompatible Commands Reference About This Document


ii

Symbol Description

NOTE Calls attention to important information, bestpractices and tips.NOTE is used to address information notrelated to personal injury, equipment damage,and environment deterioration.

Command ConventionsThe command conventions that may be found in this document are defined as follows.

Convention Description

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[ ] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Optional items are grouped in braces and separated byvertical bars. One item is selected.

[ x | y | ... ] Optional items are grouped in brackets and separated byvertical bars. One item is selected or no item is selected.

{ x | y | ... }* Optional items are grouped in braces and separated byvertical bars. A minimum of one item or a maximum of allitems can be selected.

[ x | y | ... ]* Optional items are grouped in brackets and separated byvertical bars. Several items or no item can be selected.

&<1-n> The parameter before the & sign can be repeated 1 to n times.

# A line starting with the # sign is comments.

Interface Numbering ConventionsInterface numbers used in this manual are examples. In device configuration, use the existinginterface numbers on devices.

Security Conventionsl Password setting



iii

– When configuring a password in plain text, the password is saved in the configurationfile in plain text. The plain text has high security risks. The cipher text is recommended.To ensure device security, change the password periodically.

– When you configure a password in cipher text that starts and ends with %@%@ (thepassword can be decrypted by the device), the password is displayed in the same manneras the configured one in the configuration file. Do not use this setting.

l Encryption algorithmCurrently, the device uses the following encryption algorithms: DES, AES, SHA-1, SHA-2,and MD5. DES and AES are reversible, and SHA-1, SHA-2, and MD5 are irreversible.The encryption algorithm depends on actual networking. If protocols are used forinterconnection, the locally stored password must be reversible. It is recommended that theirreversible encryption algorithm be used for the administrator password.

l Personal dataSome personal data may be obtained or used during operation or fault location of yourpurchased products, services, features, so you have an obligation to make privacy policiesand take measures according to the applicable law of the country to protect personal data.

Mappings between Product Software Versions and NMSVersions

The mappings between product software versions and NMS versions are as follows.

Product Software Version eSight

V200R003C00 V200R003C01

V200R003C02 V200R003C10

V200R003C10 V200R005C00

Change HistoryChanges between document issues are cumulative. Therefore, the latest document issue containsall updates made in previous issues.

Changes in Issue 04 (2014-07-30) V200R003(C00&C02&C10)Some contents are modified according to updates in the product.

Changes in Issue 03 (2014-03-12) V200R003(C00&C02&C10)Some contents are modified according to updates in the product.

Changes in Issue 02 (2013-11-06) V200R003(C00&C02)Some contents are modified according to updates in the product.



iv

Changes in Issue 01 (2013-09-29) V200R003C00Initial commercial release.



v

Contents

About This Document.....................................................................................................................ii

1 Basic Configuration Compatible Commands..........................................................................11.1 set save-configuration backup-to-server server..............................................................................................................21.2 set save-configuration.....................................................................................................................................................31.3 super................................................................................................................................................................................4

2 Ethernet Compatible Commands...............................................................................................62.1 Link Aggregation Compatible Commands ....................................................................................................................72.1.1 load-balance.................................................................................................................................................................72.1.2 service-type tunnel.......................................................................................................................................................92.1.3 l2 field dport..............................................................................................................................................................102.1.4 ipv4 field dport..........................................................................................................................................................112.1.5 ipv6 field dport..........................................................................................................................................................122.1.6 mpls field dport..........................................................................................................................................................132.2 MAC Compatible Commands .....................................................................................................................................132.2.1 mac-address blackhole(interface view).....................................................................................................................142.2.2 mac-address static......................................................................................................................................................152.2.3 port-security mac-address sticky enable....................................................................................................................172.2.4 port-security maximum..............................................................................................................................................182.3 VLAN Compatible Commands ...................................................................................................................................192.3.1 port mux-vlan enable.................................................................................................................................................192.3.2 port vlan-stacking......................................................................................................................................................202.4 L2PT Compatible Commands .....................................................................................................................................222.4.1 bpdu-tunnel enable....................................................................................................................................................222.4.2 bpdu-tunnel vlan........................................................................................................................................................232.5 STP Compatible Commands .......................................................................................................................................242.5.1 bpdu filter..................................................................................................................................................................252.5.2 stp-snooping enable...................................................................................................................................................26

3 Interface Compatible Commands............................................................................................283.1 Ethernet Interface Compatible Commands...................................................................................................................293.1.1 port-down holdoff-timer............................................................................................................................................293.1.2 port media type..........................................................................................................................................................30

S2750&S5700&S6700 Series Ethernet SwitchesCompatible Commands Reference Contents


vi

3.1.3 display ifnet controller-tree.......................................................................................................................................31

4 IP Service Compatible Commands..........................................................................................344.1 DHCP Upgrade-compatible Commands......................................................................................................................354.1.1 expired.......................................................................................................................................................................354.1.2 dhcp server expired....................................................................................................................................................364.1.3 dhcp server forbidden-ip............................................................................................................................................384.1.4 dhcp server ip-pool....................................................................................................................................................394.1.5 dns-suffix...................................................................................................................................................................404.1.6 ip relay address .........................................................................................................................................................414.1.7 lease...........................................................................................................................................................................434.1.8 policy-vlan dhcp-generic...........................................................................................................................................444.1.9 policy-vlan dhcp-mac................................................................................................................................................454.1.10 policy-vlan dhcp-port..............................................................................................................................................47

5 IP Routing Compatible Commands.........................................................................................505.1 display bgp group.........................................................................................................................................................515.2 display bgp network......................................................................................................................................................525.3 display bgp paths..........................................................................................................................................................535.4 display bgp peer............................................................................................................................................................545.5 display bgp routing-table dampened.............................................................................................................................555.6 display bgp routing-table dampening parameter..........................................................................................................565.7 display bgp routing-table flap-info...............................................................................................................................565.8 display bgp routing-table label.....................................................................................................................................585.9 display bgp update-peer-group.....................................................................................................................................595.10 display ipv6 nexthop-indirection................................................................................................................................595.11 display ipv6 routing-table { all-vpn6-instance | vpn6-instance } statistics................................................................605.12 display ipv6 routing-table time-range.........................................................................................................................625.13 display rm ipv6 interface............................................................................................................................................645.14 ipv6 route-static vpn6-instance...................................................................................................................................655.15 ipv6-family vpn6-instance..........................................................................................................................................685.16 isis vpn6-instance.......................................................................................................................................................695.17 reset ipv6 routing-table statistics protocol..................................................................................................................70

6 IP Multicast Compatible Commands......................................................................................726.1 IGMP Snooping Compatible Commands.....................................................................................................................736.1.1 display igmp-proxy....................................................................................................................................................736.1.2 display igmp-proxy configuration.............................................................................................................................756.1.3 display igmp-proxy port-info.....................................................................................................................................766.1.4 display igmp-proxy router-port.................................................................................................................................786.1.5 igmp-proxy enable.....................................................................................................................................................796.1.6 igmp-proxy group-limit.............................................................................................................................................806.1.7 igmp-proxy group-policy (interface view)................................................................................................................81



vii

6.1.8 igmp-proxy group-policy (VLAN view)...................................................................................................................836.1.9 igmp-proxy lastmember-queryinterval......................................................................................................................846.1.10 igmp-proxy max-response-time...............................................................................................................................856.1.11 igmp-proxy prompt-leave........................................................................................................................................866.1.12 igmp-proxy query-interval.......................................................................................................................................886.1.13 igmp-proxy require-router-alert...............................................................................................................................896.1.14 igmp-proxy robust-count.........................................................................................................................................906.1.15 igmp-proxy router-aging-time.................................................................................................................................916.1.16 igmp-proxy send-query enable................................................................................................................................926.1.17 igmp-proxy send-query source-address...................................................................................................................936.1.18 igmp-proxy ssm-policy............................................................................................................................................946.1.19 igmp-proxy static-group..........................................................................................................................................956.1.20 igmp-proxy static-router-port..................................................................................................................................966.1.21 igmp-proxy table limit.............................................................................................................................................976.1.22 igmp-proxy version..................................................................................................................................................986.1.23 igmp-snooping group-policy (interface view).........................................................................................................996.1.24 igmp-snooping group-policy (VLAN view)..........................................................................................................1006.1.25 igmp-snooping proxy enable.................................................................................................................................1016.1.26 igmp-snooping ssm-policy....................................................................................................................................1026.1.27 igmp-snooping static-group...................................................................................................................................1036.1.28 igmp-snooping suppression-time...........................................................................................................................1046.1.29 igmp-snooping table limit......................................................................................................................................1056.1.30 multicast-source-deny interface.............................................................................................................................1066.1.31 reset igmp-proxy group.........................................................................................................................................1076.1.32 undo igmp-proxy router-learning..........................................................................................................................1086.1.33 undo igmp-proxy send-router-alert........................................................................................................................1096.2 MLD Snooping Compatible Commands....................................................................................................................1106.2.1 mld-snooping group-policy (interface view)...........................................................................................................1106.2.2 mld-snooping group-policy (VLAN view)..............................................................................................................1126.3 Multicast VLAN Compatible Commands..................................................................................................................1136.3.1 multicast user-vlan...................................................................................................................................................113

7 QoS compatible command.......................................................................................................1157.1 cpu queue bpdu...........................................................................................................................................................1167.2 port queue statistics enable.........................................................................................................................................1177.3 qos drr (scheduling template view)............................................................................................................................1187.4 qos local-precedence-queue-map................................................................................................................................1197.5 qos queue....................................................................................................................................................................1217.6 qos queue max-buffer.................................................................................................................................................1237.7 qos queue max-length (tail drop template view)........................................................................................................1247.8 qos queue statistics enable..........................................................................................................................................1267.9 qos sred.......................................................................................................................................................................128



viii

7.10 qos wrr (scheduling template view)..........................................................................................................................129

8 Security Compatible Commands............................................................................................1328.1 AAA Compatible Commands.....................................................................................................................................1338.1.1 adminuser-priority...................................................................................................................................................1338.1.2 local-user level.........................................................................................................................................................1338.1.3 local-user password old-password...........................................................................................................................1348.1.4 radius-server test-user detect interval......................................................................................................................1368.2 DHCP Snooping Compatible Commands..................................................................................................................1378.2.1 dhcp option82 format...............................................................................................................................................1378.2.2 dhcp snooping bind-table.........................................................................................................................................1388.2.3 dhcp snooping information circuit-id......................................................................................................................1398.2.4 dhcp snooping information remote-id.....................................................................................................................1408.2.5 dhcp snooping information format..........................................................................................................................1418.2.6 dhcp snooping check dhcp-rate enable....................................................................................................................1428.2.7 dhcp snooping global max-user-number.................................................................................................................1438.2.8 dhcp snooping sticky-mac.......................................................................................................................................1448.2.9 dhcp snooping trust..................................................................................................................................................1468.3 NAC Compatible Commands.....................................................................................................................................1478.3.1 mac-authen username fixed password.....................................................................................................................1478.3.2 web-auth-server (system view)................................................................................................................................1488.4 Local Attack Defense Compatible Commands..........................................................................................................1508.4.1 blacklist....................................................................................................................................................................1508.4.2 car............................................................................................................................................................................1518.4.3 car cpu-port..............................................................................................................................................................1528.4.4 cpu-defend linkup-car bgp enable...........................................................................................................................1538.4.5 deny.........................................................................................................................................................................1538.5 IP Source Guard Compatible Commands...................................................................................................................1548.5.1 ip anti-attack source-ip equals destinetion-ip drop..................................................................................................1548.5.2 ip source check........................................................................................................................................................1568.6 URPF Compatible Commands...................................................................................................................................1568.6.1 ip urpf......................................................................................................................................................................1568.7 Traffic Suppression Compatible Commands..............................................................................................................1588.7.1 broadcast-suppression..............................................................................................................................................1588.7.2 multicast-suppression..............................................................................................................................................1598.7.3 unicast-suppression..................................................................................................................................................1608.8 ACL Compatible Commands.....................................................................................................................................1618.8.1 acl ipv6....................................................................................................................................................................1618.8.2 acl (system view).....................................................................................................................................................1638.8.3 rule (ACL6).............................................................................................................................................................164

9 Reliability Compatible Commands.......................................................................................1689.1 Smart Link Compatible Commands...........................................................................................................................169



ix

9.1.1 load-balance reference-instance...............................................................................................................................1699.2 Ethernet OAM Compatible Commands.....................................................................................................................1709.2.1 efm trigger if-net......................................................................................................................................................1709.2.2 error-shutdown auto-recovery cause efm-threshold-event......................................................................................1719.2.3 error-shutdown auto-recovery interval....................................................................................................................172

10 Device Management Compatible Commands...................................................................17410.1 vrbd...........................................................................................................................................................................17610.2 _shell.........................................................................................................................................................................17710.3 backup elabel............................................................................................................................................................17810.4 cpu-usage threshold..................................................................................................................................................17910.5 display autosave config............................................................................................................................................18010.6 display environment.................................................................................................................................................18110.7 display elabel unit.....................................................................................................................................................18310.8 display fault-management.........................................................................................................................................18610.9 display fault-management alarm information...........................................................................................................18710.10 display reboot-info..................................................................................................................................................18810.11 fault-management alarm.........................................................................................................................................19010.12 reset reboot-info......................................................................................................................................................19210.13 display alarm urgent...............................................................................................................................................19310.14 reset alarm urgent...................................................................................................................................................19410.15 temperature threshold unit......................................................................................................................................19510.16 port-mirroring to observe-port................................................................................................................................19610.17 poe power...............................................................................................................................................................19810.18 port-mirroring.........................................................................................................................................................19910.19 reset fault-management...........................................................................................................................................200

11 Network Management Compatible Commands...............................................................20211.1 Ping and Tracert Compatible Commands.................................................................................................................20311.1.1 ping ipv6................................................................................................................................................................20311.1.2 tracert ipv6.............................................................................................................................................................20811.2 NTP Compatible Commands....................................................................................................................................21311.2.1 ntp-service authentication-keyid............................................................................................................................21311.3 SNMP Compatible Commands................................................................................................................................21511.3.1 snmp-agent usm-user.............................................................................................................................................215

12 MPLS compatible command.................................................................................................22012.1 explicit-path..............................................................................................................................................................22112.2 mpls te bypass-tunnel bandwidth.............................................................................................................................22212.3 snmp-agent trap enable feature-name ldp.................................................................................................................22312.4 static-cr-lsp ingress bandwidth.................................................................................................................................22412.5 static-cr-lsp transit bandwidth..................................................................................................................................22512.6 bandwidth (LSP attribute view)................................................................................................................................227



x

12.7 mpls te bandwidth.....................................................................................................................................................228

13 VPN compatible command....................................................................................................23113.1 display bgp vpnv6 brief............................................................................................................................................23213.2 display bgp vpnv6 vpn6-instance brief.....................................................................................................................23313.3 display bgp vpnv6 vpn6-instance routing-table........................................................................................................23413.4 display bgp vpnv6 vpn6-instance routing-table statistics.........................................................................................24013.5 display ipv6 prefix-limit statistics............................................................................................................................24313.6 display ipv6 routing-table limit................................................................................................................................24513.7 display ipv6 routing-table vpn6-instance.................................................................................................................24713.8 display ipv6 vpn6-instance.......................................................................................................................................25313.9 link-alive...................................................................................................................................................................25913.10 mpls l2vpn traffic-statistics capability enable........................................................................................................260



xi

1 Basic Configuration Compatible Commands

About This Chapter

1.1 set save-configuration backup-to-server server

1.2 set save-configuration

1.3 super

S2750&S5700&S6700 Series Ethernet SwitchesCompatible Commands Reference 1 Basic Configuration Compatible Commands


1

1.1 set save-configuration backup-to-server server

Function

The set save-configuration backup-to-server server command specifies the server where thesystem periodically saves the configuration file.

By default, the system does not periodically save configurations to the server.

Format

set save-configuration backup-to-server server server-ip [ transport-type { ftp | sftp } ]path folder user user-name password password

Parameters

Parameter Description Value

server server-ip Specifies the IP address of the serverwhere the system periodically savesthe configuration file.

-

transport-type Specifies the mode in which theconfiguration file is transmitted tothe server.

The value can be ftp or sftp.

user user-name Specifies the name of the user whosaves the configuration file on theserver.

The value is a string of 1 to 64case-sensitive characters withoutspaces.

password password Specifies the password of the userwho saves the configuration file onthe server.

The value is a string of 1 to 16 or32 case-sensitive characterswithout spaces.

path folder Specifies the relative save path on theserver.


Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Run this command to periodically save the configuration file to the server.



2

Precautions

If the mode in which the configuration file is transmitted to the server is not specified, FTP isused.

If the specified path on the server does not exist, configuration files cannot be sent to the server.The system then sends an alarm message indicating the transmission failure to the NMS, andthe transmission failure is recorded as a log message on the device.

The user name and password must be the same as those used in FTP or SFTP login mode.

Example

# Specify the server to which the system periodically sends the configuration file, and set thetransmission mode to SFTP.

<HUAWEI> system-view[HUAWEI] set save-configuration backup-to-server server 1.1.1.1 transport-type sftp path d:/ftp user huawei password huawei

1.2 set save-configuration

Function

Using the set save-configuration command, you can enable automatic saving of configurations.

Using the undo set save-configuration command, you can disable automatic saving ofconfigurations.

By default, automatic saving of configurations is not enabled.

Format

set save-configuration nochange-time nochange-time

undo set save-configuration nochange-time [ nochange-time ]

Parameters


nochange-time nochange-time

Specifies a period and configuresthe system to automatically saveconfigurations if noconfigurations are changed overthe specified period.

The value is an integerranging from 30 to 43200,in minutes. The defaultvalue is 30.

Views

System view



3

Default Level3: Management level

Usage GuidelinesIf nochange-time nochange-time is specified in the command, the system automatically savesconfigurations if no configuration changes in the period specified by nochange-time.

If the interval from the time of the last configuration to the current time is shorter than the setinterval, the system cancels the current automatic saving operation.

Example# Configure the system to automatically save configurations at 60-minute intervals if noconfiguration changes in the period.

<HUAWEI> system-view[HUAWEI] set save-configuration nochange-time 60

1.3 super

FunctionThe super command changes the level of a user.

Formatsuper [ level ]

Parameters


level Specifies the user level. The value is an integer that ranges from 0 to 15. Thedefault user level is 3.

ViewsUser view

Default Level0: Visit level

Usage GuidelinesUsage Scenario

To prevent illegal intrusion of unauthorized users, when a user switches to a higher user level,the system authenticates the user identity by requiring the user to input the password for thehigher user level. If the user inputs an incorrect password, the login fails.



4

NOTE

The device supports this command only when the super password command is configured in the historyversion and the device has upgraded to the current version.

Precautions

Users are assigned one of 16 levels, and these levels correspond to command levels. After loggingin to the system, users can use only the commands whose levels are equal to or lower than theiruser levels.

The password that the user enters is not displayed. If the user inputs the correct password withinthree times, the user switches to the higher user level. If the password is incorrect, the user levelremains unchanged.

Example# Switch users to level 3.

<HUAWEI> super 3Password:Now user privilege is 3 level, and only those commands whose level is equal to or less than this level can be used.Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE



5

2 Ethernet Compatible Commands

About This Chapter

2.1 Link Aggregation Compatible Commands

2.2 MAC Compatible Commands

2.3 VLAN Compatible Commands

2.4 L2PT Compatible Commands

2.5 STP Compatible Commands

S2750&S5700&S6700 Series Ethernet SwitchesCompatible Commands Reference 2 Ethernet Compatible Commands


6

2.1 Link Aggregation Compatible Commands

2.1.1 load-balance

Function

Using the load-balance command, you can set the load balancing mode of an Eth-Trunk.

Format

load-balance { dip | dmac | sip | smac | sipxordip | smacxordmac }

Parameters


dip Indicates load balancingbased on the destination IPaddresses.

-

dmac Indicates load balancingbased on the destinationMAC addresses.

-

sip Indicates load balancingbased on the source IPaddresses.

-

smac Indicates load balancingbased on the source MACaddresses.

-

sipxordip Indicates load balancingbased on the Exclusive-ORresult of the source anddestination IP addresses.

-

smacxordmac Indicates load balancingbased on the Exclusive-ORresult of the source anddestination MAC addresses.

-

Views

Eth-Trunk interface view



7

Default Level

2: Configuration level

Usage Guidelines

To ensure proper load balancing between the physical links of an Eth-Trunk interface and avoidlink congestion, you can use the load-balance command to set the load balancing mode of theEth-Trunk interface.

Load balancing is valid only for the outbound traffic; therefore, the load balancing modes forthe interfaces at both ends of the link can be different and do not affect each other.

If you run the load-balance command repeatedly, only the latest configuration takes effect.

You can set the load balancing mode according to the actual situation of the network. When aparameter of traffic changes frequently, you can set the load balancing mode based on thisparameter to ensure that the traffic is load balanced evenly.

The device supports the following load balancing modes:

l dip: load balancing based on the destination IP address. In this mode, the system obtainsthe specified three bits from each of the destination IP address and the TCP or UDP portnumber in outgoing packets to perform the Exclusive-OR calculation, and then selects theoutgoing interface from the Eth-Trunk table according to the calculation result.

l dmac: load balancing based on the destination MAC address. In this mode, the systemobtains the specified three bits from each of the destination MAC address, VLAN ID,Ethernet type, and incoming interface information to perform the Exclusive-ORcalculation, and then selects the outgoing interface from the Eth-Trunk table according tothe calculation result.

l sip: load balancing based on the source IP address. In this mode, the system obtains thespecified three bits from each of the source IP address and the TCP or UDP port numberin incoming packets to perform the Exclusive-OR calculation, and then selects the outgoinginterface from the Eth-Trunk table according to the calculation result.

l smac: load balancing based on the source MAC address. In this mode, the system obtainsthe specified three bits from each of the source MAC address, VLAN ID, Ethernet type,and incoming interface information to perform the Exclusive-OR calculation, and thenselects the outgoing interface from the Eth-Trunk table according to the calculation result.

l sipxordip: load balancing based on the Exclusive-OR result of the source IP address anddestination IP address. In this mode, the system performs the Exclusive-OR calculationbetween the Exclusive-OR results of the dip and sip modes, and then selects the outgoinginterface from the Eth-Trunk table according to the calculation result.

l smacxordmac: load balancing based on the Exclusive-OR result of the source MAC addressand destination MAC address. In this mode, the system obtains three bits from each of thesource MAC address, destination MAC address, VLAN ID, Ethernet type, and incominginterface information to perform the Exclusive-OR calculation, and then selects theoutgoing interface from the Eth-Trunk table according to the calculation result.

Example

# Set the load balancing mode of Eth-Trunk 1 to dmac.



8

<HUAWEI> system-view[HUAWEI] interface Eth-Trunk 1[HUAWEI-Eth-Trunk1] load-balance dmac

2.1.2 service-type tunnel

Function

Using the service-type tunnel command, you can enable the service loopback function on anEth-Trunk interface to loop back service packets over tunnels.

Using the undo service-type tunnel command, you can disable the service loopback functionon an Eth-Trunk interface.

By default, the service loopback function is not enabled on an Eth-Trunk interface.

NOTE

S2750, S5700LI and S5700S-LI do not support this command.

Format

service-type tunnel

undo service-type tunnel

Parameters

None

Views


Default Level


Usage Guidelines

An IPv6 packet is encapsulated in an IPv4 packet header by a device, and then is forwarded bythe device according to the IPv4 routing table.

NOTE

After being configured as a service loopback interface, an Eth-Trunk interface can be used only to loopback service packets over tunnels.

A device can be configured with only one service loopback interface.

Example

# Configure Eth-Trunk 0 as a service loopback interface.

<HUAWEI> system-view[HUAWEI] interface eth-trunk 0[HUAWEI-Eth-Trunk0] service-type tunnel



9

2.1.3 l2 field dport

Function

The l2 field dport command sets the load balancing mode of Layer 2 packets to dport in a loadbalancing profile.

The undo l2 field dport command deletes the load balancing mode of Layer 2 packets or restoresthe default load balancing mode of Layer 2 packets.

Product Support

S5700 Only the S5700HI, S5710HI, and S5710EIsupport this configuration.

S6700 Not supported

Format

l2 field dport

undo l2 field dport

ParametersNone

Views

Load balancing profile view

Default Level


Usage Guidelines

None

Example

# In the enhanced load balancing mode profile a, set the load balancing mode of Layer 2 packetsto dport.

<HUAWEI> system-view[HUAWEI] load-balance-profile a[HUAWEI-load-balance-profile-a] l2 field dport



10

2.1.4 ipv4 field dport

Function

The ipv4 field dport command sets the load balancing mode of IPv4 packets to dportin a loadbalancing profile.

The undo ipv4 field dport command deletes the load balancing mode of IPv4 packets or restoresthe default load balancing mode of IPv4 packets.

Product Support

S5700 Only the S5700HI, S5710HI, and S5710EIsupport the ipv4 field command.

S6700 Not supported

Format

ipv4 field dport

undo ipv4 field dport

ParametersNone

Views


Default Level


Usage Guidelines

None.

Example

# In the load balancing profile a, set the load balancing mode of IPv4 packets to dport.

<HUAWEI> system-view[HUAWEI] load-balance-profile a[HUAWEI-load-balance-profile-a] ipv4 field dport



11

2.1.5 ipv6 field dport

Function

The ipv6 field dport command sets the load balancing mode of IPv6 packets to dport in a loadbalancing profile.

The undo ipv6 field dport command deletes the load balancing mode of IPv6 packets or restoresthe default load balancing mode of IPv6 packets.

Product Support

S5700 Only the S5700HI, S5710HI, and S5710EIsupport the ipv6 field command.

S6700 Not supported

Format

ipv6 field dport

undo ipv6 field dport

ParametersNone

Views


Default Level


Usage Guidelines

None

Example

# In the load balancing profile a, set the load balancing mode of IPv6 packets to dport.

<HUAWEI> system-view[HUAWEI] load-balance-profile a[HUAWEI-load-balance-profile-a] ipv6 field dport



12

2.1.6 mpls field dport

Function

The mpls field dport sets the load balancing mode of MPLS packets to dport in a load balancingprofile.

The undo mpls field dport command deletes the load balancing mode of MPLS packets orrestores the default load balancing mode of MPLS packets.

Product Support

S5700 Only the S5700HI, S5710HI, and S5710EIsupport the mpls field command.

S6700 Not supported

Format

mpls field dport

undo mpls field dport

ParametersNone

Views


Default Level


Usage Guidelines

None

Example

# In the load balancing profile a, set the load balancing mode of MPLS packets to dport.

<HUAWEI> system-view[HUAWEI] load-balance-profile a[HUAWEI-load-balance-profile-a] mpls field dport

2.2 MAC Compatible Commands



13

2.2.1 mac-address blackhole(interface view)

FunctionUsing the mac-address blackhole command, you can add a blackhole MAC address entry.

Formatmac-address blackhole mac-address [ interface-type interface-number ] vlan vlan-id1 [ ce-vlan vlan-id2 ]

ParametersParameter Description Value

blackhole Indicates blackhole MACaddress entries. If the sourceor destination MAC addressof a packet is a blackholeMAC address, the devicediscards the packet.

-

mac-address Specifies the destinationMAC address in a MACaddress entry.

The value is in H-H-H format.H is a hexadecimal number of1 to 4 digits.

interface-type interface-number

Specifies the outboundinterface in a MAC addressentry.l interface-type specifies

the type of the outboundinterface.

l interface-numberspecifies the number ofthe outbound interface.

-

vlan vlan-id1 Specifies the VLAN ID inthe outer VLAN tag.

The value is an integer thatranges from 1 to 4094.

ViewsEthernet interface view, GE interface view, XGE interface view, Eth-Trunk interface view

Default Level2: Configuration level




14

Blackhole MAC address entries that are manually configured. A data frame is discarded if thesource or destination MAC address matches a blackhole MAC address entry.

Functions of static and blackhole MAC address entries are: Blackhole MAC address entriesprevent untrusted devices from attacking the device.

Precautions

If you configure a blackhole MAC address entry when the MAC table is full, the device processesthe MAC address entry as follows:

l If a dynamic MAC address entry with the same MAC address exists in the MAC addresstable, the device replaces the dynamic MAC address entry with the configured entry.

l If no dynamic MAC address entry with the same MAC address exists in the MAC addresstable, the MAC address entries cannot be added to the MAC address table.

Example# Configure a blackhole MAC address entry to discard the Ethernet frames whose destinationMAC address is 0004-0004-0004 and VLAN ID is VLAN 5.

<HUAWEI> system-view[HUAWEI] interface GigabitEthernet 0/0/1[HUAWEI-GigabitEthernet0/0/1] mac-address blackhole 4-4-4 vlan 5

2.2.2 mac-address static

FunctionUsing the mac-address static command, you can add a static MAC address entry .

Formatmac-address static mac-address interface-type interface-number vlan vlan-id1

Parameters


static Indicates static MACaddress entries, that is,MAC address entriesconfigured manually.

-

mac-address Specifies the destinationMAC address in a MACaddress entry.

The value is in H-H-H format.H is a hexadecimal number of1 to 4 digits.



15



Specifies the outboundinterface in a MAC addressentry.l interface-type specifies

the type of the outboundinterface.

l interface-numberspecifies the number ofthe outbound interface.

-

vlan vlan-id1 Specifies the VLAN ID inthe outer VLAN tag.


Views

Ethernet interface view, GE interface view, XGE interface view, Eth-Trunk interface view

Default Level


Usage Guidelines

Usage Scenario

Static MAC address entries that are manually configured. They take precedence over dynamicMAC address entries.

Functions of static MAC address entries are: Static MAC address entries prevent bogus packetswith trusted device MAC addresses sent from attackers and guarantee communication betweenthe device and the upstream device or server.

Configuration Impact

You can configure multiple static MAC address entries by running the mac-address commandmultiple times.

Precautions

If you configure a static MAC address entry when the MAC table is full, the device processesthe MAC address entry as follows:

l If a dynamic MAC address entry with the same MAC address exists in the MAC addresstable, the device replaces the dynamic MAC address entry with the configured entry.

l If no dynamic MAC address entry with the same MAC address exists in the MAC addresstable, the MAC address entries cannot be added to the MAC address table.



16

Example

# Add a static MAC address entry to the MAC address table. The destination MAC address is0003-0003-0003. The outbound interface is GigabitEthernet0/0/1, which belongs to VLAN 4.

<HUAWEI> system-view[HUAWEI] mac-address static 3-3-3 GigabitEthernet 0/0/1 vlan 4

2.2.3 port-security mac-address sticky enable

Function

Using the port-security mac-address sticky enable, you can enable the sticky MAC functionon an interface.

Using the undo port-security mac-address sticky enable, you can disable the sticky MACfunction on an interface.

By default, the sticky MAC function is disabled on an interface.

Format

port-security mac-address sticky enable

undo port-security mac-address sticky enable

Parameters

None

Views


Default Level


Usage Guidelines

Usage Scenario

After port security is enabled on an interface, MAC address entries learned by the interface aresaved in the MAC address table as secure dynamic MAC address entries.

After the sticky MAC function is enabled on an interface, the dynamic MAC addresses learnedby the interface change to sticky MAC addresses. If the number of sticky MAC addresses doesnot reach the limit, the MAC addresses learned subsequently change to sticky MAC addresses.When the number of sticky MAC addresses reaches the limit, packets whose source MACaddresses do not match sticky MAC address entries are discarded. In addition, the systemdetermines whether to send a trap message or shut down the interface according to the configuredsecurity protection action.

Prerequisites



17

Port security has been enabled by using the port-security enable command on the interface.

Example

# Enable the sticky MAC function on GigabitEthernet0/0/1.

<HUAWEI> system-view[HUAWEI] interface gigabitethernet0/0/1[HUAWEI-GigabitEthernet0/0/1] port-security enable[HUAWEI-GigabitEthernet0/0/1] port-security mac-address sticky enable

2.2.4 port-security maximum

Function

The port-security maximum command sets the maximum number of MAC addresses that canbe learned on an interface.

Format

port-security maximum max-number

Parameters


max-number Specifies the maximumnumber of MAC addressesthat can be learned by aninterface.

Views


Default Level


Usage Guidelines

Usage Scenario

After enabling port security on an interface, you can run the port-security maximum commandto limit the number of MAC addresses that the interface can learn.

Prerequisites

Port security has been enabled by using the port-security enable command on the interface.




18

If you run the port-security maximum command multiple times in the same interface view,only the latest configuration takes effect.

Precautions

If the sticky MAC function is disabled, max-number limits the number of secure dynamic MACaddresses learned by the interface.

If the sticky MAC function is enabled, max-number limits the number of sticky MAC addresseslearned by the interface.

Example

# Set the maximum number of MAC addresses that can be learned by GigabitEthernet0/0/1 to5.

<HUAWEI> system-view[HUAWEI] interface gigabitethernet 0/0/1[HUAWEI-GigabitEthernet0/0/1] port-security enable[HUAWEI-GigabitEthernet0/0/1] port-security maximum 5

2.3 VLAN Compatible Commands

2.3.1 port mux-vlan enable

Function

The port mux-vlan enable command enables the MUX VLAN function on an interface.

The undo port mux-vlan enable command disables the MUX VLAN function on an interface.

By default, the MUX VLAN function is disabled on an interface.

Format

port mux-vlan enable

undo port mux-vlan enable

Parameters

None

Views

GE interface view, XGE interface view, 40GE interface view, Eth-Trunk interface view, portgroup view

Default Level




19


The MUX VLAN function isolates Layer 2 traffic between interfaces in a VLAN. This functioninvolves a MUX VLAN and several subordinate VLANs. Subordinate VLANs are classifiedinto subordinate group VLANs and subordinate separate VLANs. Subordinate VLANs cancommunicate with the principal VLAN but cannot communicate with each other. Interfaces ina subordinate group VLAN can communicate with each other, and interfaces in a subordinateseparate VLAN are isolated from each other.

The MUX VLAN function takes effect only after it is enabled on an interface.

Prerequisites

Before enable MUX VLAN function, complete the following task:l The port has been added to a principal or subordinate VLAN as an access, hybrid, or trunk

interface.l The port has been added to only a VLAN. If the port has been added to multiple VLANs,

the MUX VLAN function cannot be enabled on this port.l The port has been added to a principal or subordinate VLAN in untagged mode as an access

or hybrid interface.

Precautions

Disabling MAC address learning or limiting the number of learned MAC addresses on aninterface affects the MUX VLAN function on the interface.

The MUX VLAN and port security functions conflict on an interface. That is, the port-securityenable and port mux-vlan enable commands cannot be used on the same interface.

The MUX VLAN and MAC address authentication conflict on an interface; therefore, the portmux-vlan enable and mac-authen command cannot be used on the same interface.

The MUX VLAN and 802.1x authentication conflict on an interface; therefore, the port mux-vlan enable and dot1x enable command cannot be used on the same interface.

Example# Enable the MUX VLAN function on GE0/0/1.

<HUAWEI> system-view[HUAWEI] interface gigabitethernet 0/0/1[HUAWEI-GigabitEthernet0/0/1] port mux-vlan enable

2.3.2 port vlan-stacking

FunctionThe port vlan-stacking command enables selective QinQ.

Formatport vlan-stacking vlan vlan-id1 [ to vlan-id2 ] push vlan vlan-id3 { remark-8021p 8021p-value | priority-inherit }



20

Parameters


vlan vlan-id1 [ to vlan-id2 ] Specifies a range of customerVLAN (C-VLAN) IDs.l vlan-id1 specifies the start

C-VLAN ID.l to vlan-id2 specifies the

last C-VLAN ID. Thevalue of vlan-id2 must begreater than the value ofvlan-id1. The vlan-id1and vlan-id2 parametersidentify a range ofVLANs.

The value of vlan-id1 is aninteger that ranges from 1 to4094.The value of vlan-id2 is aninteger that ranges from 1 to4094.

push vlan vlan-id3 Specifies the VLAN ID in theouter tags added to frames.


remark-8021p 8021p-value Specifies the internal priorityin the stacked outer VLANtag.

The value is an integer thatranges from 0 to 7. Thegreater the value is, thehigher the priority is.By default, the priority in thestacked outer VLAN tag isthe same as the priority in theinner VLAN tag.

priority-inherit Indicates that the 802.1ppriority in the outer VLANtag of data frames inherits the802.1p priority in the stackedouter VLAN tag.

-

Views


Default Level


Usage Guidelines

When the user packets traverse the ISP network, you can use the port vlan-stacking commandto add a VLAN tag to the data frames sent from user VLANs so that the data frames containdouble VLAN tags.

When you configure selective QinQ, pay attention to the following points:



21

l Selective QinQ can be configured only on hybrid interfaces and it takes effect only in theinbound direction.

l The specified stack VLAN ID must exist and the interface must be added to the specifiedstack VLAN in untagged mode.

Example

# Configure selective QinQ on GigabitEthernet 0/0/1. Add outer VLAN tag 100 to the frameswith C-VLAN IDs 10-13.

<HUAWEI> system-view[HUAWEI] interface gigabitethernet 0/0/1[HUAWEI-GigabitEthernet0/0/1] qinq vlan-translation enable[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 100[HUAWEI-GigabitEthernet0/0/1] port vlan-stacking vlan 10 to 13 push vlan 100 priority-inherit

2.4 L2PT Compatible Commands

2.4.1 bpdu-tunnel enable

Function

The bpdu-tunnel enable command enables Layer 2 protocol transparent transmission on aninterface.

Format

bpdu-tunnel { all | protocol-type &<1-14> } enable

Parameters


all Enables or disablestransparent transmission ofpackets of all standard Layer2 protocols and user-definedLayer 2 protocols.

-

protocol-type Enables or disablestransparent transmission ofpackets of a specified Layer2 protocol.NOTE

You can specify multipleprotocols in the command.

-



22

ViewsEthernet interface view, XGE interface view, GE interface view, Eth-Trunk interface view, portgroup view


Usage GuidelinesAfter a user-side interface of a PE on an ISP network is enabled to transparently transmit Layer2 protocol packets, the interface directly forwards Layer 2 protocol packets sent from a usernetwork instead of sending the packets to the CPU. In this way, Layer 2 protocol packets aretransparently transmitted through the ISP network.

Generally, the bpdu-tunnel enable command is run on user-side interfaces of PEs.

Example# Configure GE0/0/1 to transparently transmit all Layer 2 protocols.

<HUAWEI> system-view[HUAWEI] interface gigabitethernet 0/0/1[HUAWEI-GigabitEthernet0/0/1] bpdu-tunnel all enable

2.4.2 bpdu-tunnel vlan

FunctionThe bpdu-tunnel vlan command enables VLAN-based Layer 2 protocol transparenttransmission on an interface.

Formatbpdu-tunnel { all | protocol-type &<1-14> } vlan { low-id [ to high-id ] } &<1-10>

Parameters


all Enables or disablestransparent transmission ofpackets of all standard Layer2 protocols and user-definedLayer 2 protocols.

-



23


protocol-type Enables or disablestransparent transmission ofpackets of a specified Layer2 protocol.NOTE

You can specify multipleprotocols in the command.

-

low-id Specifies the start VLAN ID. The value is an integer thatranges from 1 to 4094. Thevalue must be smaller thanthe end VLAN ID.

high-id Specifies the end VLAN ID. The value is an integer thatranges from 1 to 4094. Thevalue must be greater than thestart VLAN ID.

ViewsEthernet interface view, XGE interface view, GE interface view, Eth-Trunk interface view, portgroup view


Usage GuidelinesAfter a user-side interface of a PE on an ISP network is enabled to transparently transmit Layer2 protocol packets, the interface directly forwards Layer 2 protocol packets sent from a usernetwork instead of sending the packets to the CPU. In this way, Layer 2 protocol packets aretransparently transmitted through the ISP network.

The bpdu-tunnel vlan command is usually used on user-side interfaces of PEs.

Example# Enable GE0/0/1 to transparently transmit all Layer 2 protocols with VLAN tags ranging from100 to 200.

<HUAWEI> system-view[HUAWEI] vlan batch 100 to 200[HUAWEI] interface gigabitethernet 0/0/1[HUAWEI-GigabitEthernet0/0/1] port link-type trunk[HUAWEI-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 200[HUAWEI-GigabitEthernet0/0/1] bpdu-tunnel all vlan 100 to 200

2.5 STP Compatible Commands



24

2.5.1 bpdu filter

Function

Using the bpdu filter enable command, you can configure a port as a BPDU filter port.

Using the bpdu filter disable command, you can configure a port as a non-BPDU filter port.

By default, a port is a non-BPDU filter port.

Format

bpdu filter enable

bpdu filter disable

Parameters

None

Views


Default Level


Usage Guidelines

CAUTIONAfter you run the bpdu filter enable command on a port, the port no longer process or sendBPDUs. In this case, the port cannot negotiate the STP status with the directly connected porton the peer device; therefore, use this command with caution. It is recommended that you usethis command on edge ports.

This command is usually used on edge devices to prevent edge ports from processing and sendingBPDUs.

If this command is not used on an edge device, ports of the device are non-BPDU filter ports.In this case, the ports can send BPDUs even if they are configured as edge ports. Then BPDUsare sent to other networks, causing flapping of other networks.

After you run the bpdu filter disable command on a port, the port becomes a non-BPDU filterport. This port remains a non-BPDU filter port after you run the stp bpdu-filter defaultcommand in the system view.



25

Example

# Configure GE0/0/1 on an edge device as a non-BPDU filter port.

<HUAWEI> system-view[HUAWEI] interface gigabitethernet 0/0/1[HUAWEI-GigabitEthernet0/0/1] bpdu filter disable

# Configure GE0/0/2 on an edge device as a BPDU filter port.

<HUAWEI> system-view[HUAWEI] interface gigabitethernet 0/0/2[HUAWEI-GigabitEthernet0/0/2] bpdu filter enable

2.5.2 stp-snooping enable

Function

Using the stp-snooping enable command, you can enable STP snooping.

Using the stp-snooping disable command, you can disable STP snooping.

By default, STP snooping is disabled on interfaces.

Format

stp-snooping enable

stp-snooping disable

Parameters

None

Views

System view

Default Level


Usage Guidelines

After the l2protocol-tunnel command is used to enable transparent transmission of Layer 2protocol packets on untagged interfaces or the l2protocol-tunnel vlan command is used toenable transparent transmission of Layer 2 protocol packets on tagged packets, the untagged ortagged interfaces directly forward Layer 2 protocol packets sent from user networks over theISP's network rather than send them to the CPU for processing. When a device enabled withtransparent transmission of Layer 2 protocol packets receives TC packets, if the stp-snoopingenable command is used, the device clears the MAC entries and ARP entires and updates theforwarding table.



26

Example# Enable STP snooping.

<HUAWEI> system-view[HUAWEI] stp-snooping enable



27

3 Interface Compatible Commands

About This Chapter

3.1 Ethernet Interface Compatible Commands

S2750&S5700&S6700 Series Ethernet SwitchesCompatible Commands Reference 3 Interface Compatible Commands


28

3.1 Ethernet Interface Compatible Commands

3.1.1 port-down holdoff-timer

Function

Using the port-down holdoff-timer command, you can set the delay in reporting a port statuschange event.

Format

port-down holdoff-timer interval

Parameters


interval Specifies the delay timer. The value is an integer. Thevalue can be 0 or in the rangeof 50 to 50000, inmilliseconds.

Views

Ethernet interface view, GE interface view, XGE interface view

Default Level


Usage Guidelines

Usage Scenario

When the cable connected to an interface is faulty, the interface status may change frequently.When this occurs, the system frequently updates the matching entries. If link backup isconfigured on the interface, active/standby switchovers occur frequently. To prevent frequentstatus change, you can use the port-down holdoff-timer command to set the delay in reportinga port status change event.

If an S2750&S5700&S6700 interface is connected to a wavelength division multiplexing device,the interface becomes Down when a protective switchover occurs on the wavelength divisionmultiplexing device, and services are interrupted. To prevent service interruption, you can setthe delay in reporting a port Down event.




29

If you run the port-down holdoff-timer command multiple times in the same interface view,only the latest configuration takes effect.

Example# Set the delay in reporting a port status change event to 1000 milliseconds onGigabitEthernet0/0/1.

<HUAWEI> system[HUAWEI] interface gigabitethernet0/0/1[HUAWEI-GigabitEthernet0/0/1] port-down holdoff-timer 1000

3.1.2 port media type

FunctionThe port media type command determines whether an interface configuration item belongs tothe optical interface or electrical interface.

Formatport media type { copper | fiber }

Parameters


copper Indicates that a configurationitem belongs to the electricalinterface.

-

fiber Indicates that a configurationitem belongs to the opticalinterface.

-

ViewsGE interface view


Usage GuidelinesThis command only distinguishes optical interface configuration and electrical interfaceconfiguration, and is not configurable. For example, an interface has the following configuration:

# interface GigabitEthernet0/0/1 port media type copper undo negotiation auto



30

speed 100 port media type fiber undo negotiation auto #

The preceding information shows that undo negotiation auto and speed 100 are configured onthe electrical interface, and undo negotiation auto is configured on the optical interface. Duringconfiguration restoration, these configuration items are restored for the respective interfaces.

3.1.3 display ifnet controller-tree

FunctionThe display ifnet controller-tree command displays information about the control interfaceand related channel interfaces on devices.

Formatdisplay ifnet controller-tree { controller-name | controller-type controller-number } [ slot slot-id ]

Parameters


controller-name Specifies the name of a control interface. -

controller-type controller-number Specifies the type and number of a controlinterface.

-

slot slot-id Specifies the slot ID. -

ViewsDiagnostic view


Usage GuidelinesThe display ifnet controller-tree command displays information about the control interfaceand related channel interfaces on devices.

NOTE

The control interface must be available on a device.

Example# Display hierarchies under a controller.<HUAWEI> system-view[HUAWEI] diagnose[HUAWEI-diagnose] display ifnet controller-tree T3 1/2/0 slot 1



31

Controller Channel Node Information-------------------------------------------------------Channel Node Addr : 0xd2861af4 Next Node : 0xd2861c5c Prev Node: 0xd8b79fe0 Low Level Node Count : 1 Next Node : 0xd285e584 Prev Node : 0xd285e584 ID : 0 Speed : 64000 Type : T3 SubType : T1 Mode : NOT_SURE Framed : FRAMED Shutdown Flag : NOSHUTDOWN―――――――――――――――――――――――――――――――――――― Channel Node Addr : 0xd285e584 Next Node : 0xd2861b00 Prev Node: 0xd2861b00 Low Level Node Count : 1 Next Node: 0xd285e674 Prev Node: 0xd285e674 ID : 1 Speed : 0 Type : T1 SubType : NOT_SURE Mode : CHANNELIZED Framed : FRAMED Shutdown Flag : NOSHUTDOWN

―――――――――――――――――――――――――――――――――――― Channel Node Addr : 0xd285e674 Next Node : 0xd285e590 Prev Node : 0xd285e590 Low Level Node Count : 0 Next Node: 0xd285e680 Prev Node : 0xd285e680 Channel Interface : Serial1/2/0/1:1 TimeSlot Mask : 0xe ID : 1 Speed : 64000 Type : CHANNEL_SET SubType : NOT_SURE Mode : NOT_SURE Framed : NOT_SURE Shutdown Flag : NOSHUTDOWN

Table 3-1 Description of the display ifnet controller-tree command output

Item Description

Channel Node Addr Address of a channel node

Next Node Next node of the current node

Prev Node Previous node of the current node

Low Level Node Count Number of lower-level nodes

Channel Interface Name of a channel interface

ID ID of the current node

Speed Rate of the current node

Type Channel type:l NOT_SUREl CPOSl E3l T3l E1l T1l CHANNEL_SETl PRI_SETl TIMESLOT_LIST



32

Item Description

SubType Channel sub-type:l NOT_SUREl CPOSl E3l T3l E1l T1l CHANNEL_SETl PRI_SETl TIMESLOT_LIST

Mode Working mode of the current node:l NOT_SURE: indicates that the working

mode is uncertain.l CHANNELIZED: indicates the

channelized mode.l UNCHANNELIZED: indicates the

unchannelized mode.l CLEAR_CHANNELIZED: indicates the

clear-channelized mode.l PRI-SET: indicates the channelized

mode.

Framed Whether the current node is framed:l NOT_SURE: indicates that whether the

current node is framed is uncertain.l UNFRAMED: indicates that the current

node is not framed.l FRAMED: indicates that the current node

is framed.

Shutdown Flag When a node is shut down:l SHUTDOWN: indicates that the node is

shut down.l NOSHUTDOWN: indicates that the node

is not shut down.



33

4 IP Service Compatible Commands

About This Chapter

4.1 DHCP Upgrade-compatible Commands

S2750&S5700&S6700 Series Ethernet SwitchesCompatible Commands Reference 4 IP Service Compatible Commands


34

4.1 DHCP Upgrade-compatible Commands

4.1.1 expired

Function

The expired command sets the lease for IP addresses in a global IP address pool.

By default, the lease of IP addresses is one day.

Format

expired { day day [ hour hour [ minute minute ] ] | unlimited }

Parameters


day day Specifies the number of daysin the IP address lease.

The value is an integerranging from 0 to 999, indays. The default value is 1.

hour hour Specifies the number ofhours in the IP address lease.

The value is an integerranging from 0 to 23, inhours. The default value is 0.

minute minute Specifies the number ofminutes in the IP addresslease.

The value is an integerranging from 0 to 59, inminutes. The default value is0.

unlimited Indicates that the IP addresslease is unlimited.

-

Views

IP address pool view

Default Level


Usage Guidelines

Usage Scenario

The expired-hide command applies to DHCP servers. To meet different client requirements,DHCP supports dynamic, automatic, and static address assignment. Different hosts require



35

different IP address leases. For example, if some hosts such as a DNS server need to use certainIP addresses for a long time, configure expired as unlimited to set the IP address lease of thespecified global address pool to unlimited. If some hosts such as a portable computer just needto user temporary IP addresses, set the IP address lease of the specified global address pool tothe required time so that the expired IP addresses can be released and assigned to other clients.

When a DHCP client starts or half of its IP address lease has passed, the DHCP client sends aDHCP Request packet to the DHCP server to renew the lease. If the IP address can still beassigned to the client, the DHCP server informs a renewed IP address lease to the client. If theIP address can no longer be assigned to this client, the DHCP server informs the client that theIP address lease cannot be renewed and it needs to apply for another IP address.

Prerequisites

Run the ip pool command to create a global IP address pool and the dhcp enable command toglobally enable the DHCP server function.

Precautions

Different IP address leases can be specified for different global IP address pools on a DHCPserver. In a global IP address pool, all addresses have the same lease.

Example

# Specify the IP address lease of the global address pool global1 to 1 day 2 hours and 30 minutes.

<HUAWEI> system-view [HUAWEI] ip pool global1 [HUAWEI-ip-pool-global1] expired day 1 hour 2 minute 30

4.1.2 dhcp server expired

Function

The dhcp server expired command sets the lease for IP addresses in an interface IP addresspool.


Format

dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited }

NOTE

S5700LI does not support this commond.

Parameters


day Specifies the number of daysin the IP address lease.




36


hour Specifies the number ofhours in the IP address lease.


minute Specifies the number ofminutes in the IP addresslease.


unlimited Indicates that the IP addresslease is unlimited.

-

Views

VLANIF interface view

Default Level


Usage Guidelines

Usage Scenario

The dhcp server expired command applies to DHCP servers. To meet different clientrequirements, DHCP supports dynamic, automatic, and static address assignment. Differenthosts require different IP address leases. For example, if some hosts such as a DNS server needto use certain IP addresses for a long time, run the dhcp server expired unlimited commandto set the IP address lease of the specified VLANIF interface address pool to unlimited. If somehosts such as a portable computer just need to user temporary IP addresses, run the dhcp serverexpired command to set the IP address lease of the specified VLANIF interface address pool tothe required time so that the expired IP addresses can be released and assigned to other clients.

When a DHCP client starts or half of its IP address lease has passed, the DHCP client sends aDHCP Request packet to the DHCP server to renew the lease. If the IP address can still beassigned to the client, the DHCP server informs the client of a renewed IP address lease. If theIP address can no longer be assigned to this client, the DHCP server informs the client that theIP address lease cannot be renewed.

Prerequisites

Run the dhcp enable command to globally enable the DHCP function. Run the dhcp selectinterface command in the VLANIF interface view to enable the interface IP address pool.

Precautions

Different IP address leases can be specified for different interface IP address pools on a DHCPserver. In an interface IP address pool, all IP addresses have the same lease.



37

Example# Set the IP address lease of the IP address pool on VLANIF 100 to 2 days 2 hours and 30minutes.

<HUAWEI> system-view[HUAWEI] dhcp enable[HUAWEI] interface vlanif 100[HUAWEI-Vlanif100] ip address 10.1.1.1 24[HUAWEI-Vlanif100] dhcp select interface[HUAWEI-Vlanif100] dhcp server expired day 2 hour 2 minute 30

4.1.3 dhcp server forbidden-ip

FunctionThe dhcp server forbidden-ip command specifies the range of IP addresses that cannot beassigned to clients by the DHCP server.

By default, the system does not configure the range of IP addresses that cannot be assigned toclients by the DHCP server.

Formatdhcp server forbidden-ip start-ip-address [ end-ip-address ]

NOTE


Parameters


start-ip-address Specifies the start IP addressthat cannot be automaticallyassigned.

The value is in dotteddecimal notation.

end-ip-address Specifies the end IP addressthat cannot be automaticallyassigned. If end-ip-address isnot specified, only start-ip-address cannot be assigned toclients.

The value is in dotteddecimal notation. end-ip-address and start-ip-addressmust be on the same networksegment and end-ip-addressmust be larger than start-ip-address.

ViewsSystem view




38


The dhcp server forbidden-ip command applies to DHCP servers. In an IP address pool, someIP addresses need to be reserved for other services, and some IP addresses are statically assignedto certain hosts (such as the DNS server) and cannot be automatically assigned to clients. Youcan run the dhcp server forbidden-ip command to specify the range of the IP addresses thatcannot be automatically assigned to clients from the IP address pool.

Precautions

l The excluded IP address must be in the IP address pool range.l The excluded IP address or IP address segment cannot be automatically assigned to clients

from a local address pool.l If you run the dhcp server forbidden-ip command multiple times, you can specify multiple

IP addresses or IP address segments that cannot be automatically assigned to clients fromthe specified address pool.

Example# Configure that IP addresses in the address pool 10.10.10.10 to 10.10.10.20 cannot beautomatically assigned to clients.

<HUAWEI> system-view [HUAWEI] dhcp server forbidden-ip 10.10.10.10 10.10.10.20

4.1.4 dhcp server ip-pool

FunctionThe dhcp server ip-pool command creates a global IP address pool.

The undo dhcp server ip-pool command delete a global IP address pool.

By default, no IP address pool is created.

Formatdhcp server ip-pool pool-name

undo dhcp server ip-pool pool-name

NOTE




39

Parameters


pool-name Specifies the name of aglobal IP address pool.

The value is a string of 1 to64 characters without spaces.A combination of digits,letters, underscores (_), anddots (.) is allowed.

Views

System view

Default Level


Usage Guidelines

The dhcp server ip-pool command applies to DHCP servers. When configuring a DHCP server,run the dhcp server ip-pool command to create an IP address pool and set parameters for theIP address pool, including a gateway address, the IP address lease, and a VPN instance. Thenthe configured DHCP server can assign IP addresses in the IP address pool to clients. If IPaddresses in a global IP address pool are in use, this global address pool cannot be deleted.

Example

# Create a global IP address pool pool1.

<HUAWEI> system-view[HUAWEI] dhcp server ip-pool pool1

4.1.5 dns-suffix

Function

The dns-suffix command configures the domain name suffix to be assigned by the DHCP serverto a DHCP client.

By default, no domain name suffix is configured for a DHCP client.

Format

dns-suffix domain-name

NOTE




40

Parameters


domain-name Specifies the domain namesuffix to be assigned to aDHCP client.

The value is a string of 1 to50 characters without spaces.A combination of digits,letters, underscores (_), anddots (.) is allowed.

Views

IP address pool view

Default Level


Usage Guidelines

Usage Scenario

The dns-suffix command applies to DHCP servers. Each client has a domain name. To enableDHCP clients to communicate by using their domain names and prevent IP address conflicts,the DHCP server needs to specify domain name suffixes for these clients when allocating IPaddresses to them. On the DHCP server, the dns-suffix command specifies a domain name suffixfor each global address pool. When allocating IP addresses to clients, the DHCP server alsosends the domain name suffixes to the clients. During domain name resolution, users only needto enter a part of the domain name, and then the system uses a complete domain name suffix forresolution.

Precautions

If no domain name suffix is configured for a global IP address pool, the DHCP server cannotsend a domain name suffix to clients. In this situation, the clients cannot communicate.

Example

# Configure mydomain.com.cn as the domain name suffix of the IP address pool pool1.

<HUAWEI> system-view[HUAWEI] ip pool pool1[HUAWEI-ip-pool-pool1] dns-suffix mydomain.com.cn

4.1.6 ip relay address

Function

Using the ip relay address command, you can configure DHCP server addresses on a VLANIFinterface enabled with DHCP relay.



41

Using the undo ip relay address command, you can delete the configured DHCP serveraddresses.

By default, no DHCP server address is configured on a VLANIF interface enabled with DHCPrelay.

Formatip relay address ip-address

undo ip relay address { ip-address | all }

Parameters


ip-address Specifies the IP address of aDHCP server.


all Deletes all the DHCP serveraddresses configured on aninterface.

-

ViewsVLANIF interface view



The ip relay address command is applicable to DHCP relay agents. When a DHCP client needsto send a DHCP request packet to a DHCP server on a different network segment by using aDHCP relay agent, run the ip relay address command on the DHCP relay agent to configure aDHCP server address.

Prerequisites

DHCP relay has been enabled on the VLANIF interface by using the dhcp select relaycommand.

Precautions

If you run the ip relay address command multiple times, multiple DHCP server addresses areconfigured.

Example# Configure DHCP server addresses 10.2.2.2 on VLANIF 100 enabled with DHCP relay.



42

<HUAWEI> system-view[HUAWEI] dhcp enable[HUAWEI] interface vlanif 100[HUAWEI-Vlanif100] dhcp select relay[HUAWEI-Vlanif100] ip relay address 10.2.2.2

4.1.7 lease

FunctionThe lease command sets the lease for IP addresses in a global IP address pool.

The undo lease command restores the default lease of IP addresses in a global IP address pool.


Formatlease day [ hour [ minute ] ]

undo lease

NOTE



day Specifies the number of daysin the IP address lease.


hour Specifies the number ofhours in the IP address lease.


minute Specifies the number ofminutes in the IP addresslease.


ViewsIP address pool view





43

The lease-hide command applies to DHCP servers. To meet different client requirements, DHCPsupports dynamic, automatic, and static address assignment. Different hosts require different IPaddress leases. For example, if some hosts such as a DNS server need to use certain IP addressesfor a long time, set the IP address lease of the current global address pool to unlimited. If somehosts such as a portable computer just need to use temporary IP addresses, run the lease commandto set the IP address lease of the current global IP address pool to the required time so that theexpired IP addresses can be released and assigned to other clients.

When a DHCP client starts or half of its IP address lease has passed, the DHCP client sends aDHCP Request packet to the DHCP server to renew the lease. If the IP address can still beassigned to the client, the DHCP server informs a renewed IP address lease to the client. If theIP address can no longer be assigned to this client, the DHCP server informs the client that theIP address lease cannot be renewed and it needs to apply for another IP address.

Precautions

Different IP address leases can be specified for different global address pools on a DHCP server.In a global address pool, all addresses have the same lease.

Example

# Specify the IP address lease of the global address pool global1 to 1 day.

<HUAWEI> system-view [HUAWEI] ip pool global1 [HUAWEI-ip-pool-global1] lease 1

4.1.8 policy-vlan dhcp-generic

Function

Using the policy-vlan dhcp-generic command, you can configure generic DHCP policy VLAN.

Using the undo policy-vlan dhcp-generic command, you can delete generic DHCP policyVLAN.

By default, the function of generic DHCP policy VLAN is disabled on the device.

Format

policy-vlan dhcp-generic [ priority priority ]

undo policy-vlan dhcp-generic

Parameters


priority priority Specifies the 802.1p priority ofDHCP messages.

The value is an integer thatranges from 0 to 7. Thedefault value is 0.



44

Views

VLAN view

Default Level


Usage Guidelines

You can configure three types of DHCP policy VLAN on the device at the same time. They arelisted in descending order based on priorities as follows:

l DHCP policy VLAN based on MAC addresses

l DHCP policy VLAN based on interfaces

l Generic DHCP policy VLAN

User hosts that access the network for the first time apply generic DHCP policy VLAN onlywhen they cannot apply DHCP policy VLAN based on MAC addresses or DHCP policy VLANbased on interfaces.

Example

# Configure generic DHCP policy VLAN to associate DHCP messages to which DHCP policyVLAN based on MAC addresses and DHCP policy VLAN based on interfaces cannot be appliedwith VLAN 2, and specify the 802.1p priority of the DHCP messages as 5.

<HUAWEI> system-view[HUAWEI] vlan 2[HUAWEI-vlan2] policy-vlan dhcp-generic priority 5

4.1.9 policy-vlan dhcp-mac

Function

Using the policy-vlan dhcp-mac command, you can configure DHCP policy VLAN based onMAC addresses.

Using the undo policy-vlan dhcp-mac command, you can delete DHCP policy VLAN basedon MAC addresses.

By default, the function of DHCP policy VLAN based on MAC addresses is disabled on thedevice.

Format

policy-vlan dhcp-mac mac-address1 [ to mac-address2 ] [ priority priority ]

undo policy-vlan dhcp-mac mac-address [ to mac-address ]



45

Parameters


dhcp-mac mac-address1 [ tomac-address2 ]

Specifies the MAC addressesof user hosts that access thenetwork for the first time.l mac-address1 specifies

the start MAC address.l to mac-address2 specifies

the end MAC address.mac-address2 must begreater than mac-address1. mac-address2and mac-address1 specifythe MAC address range. Ifto mac-address2 is notspecified, DHCP policyVLAN based on only theMAC address specified bymac-address1 isconfigured.

mac-address1 and mac-address2 are in the formatof H-H-H. An H containsone to four hexadecimalnumbers.NOTE

The range specified by mac-address1 and mac-address2cannot contain multicastMAC addresses, broadcastMAC addresses, and all 0address.

priority priority Specifies the 802.1p priorityof DHCP messages.


Views

VLAN view

Default Level


Usage Guidelines

You can configure three types of DHCP policy VLAN on the device at the same time. They arelisted in descending order based on priorities as follows:

l DHCP policy VLAN based on MAC addresses

l DHCP policy VLAN based on interfaces

l Generic DHCP policy VLAN

When multiple user hosts access the network through an interface on the device, you need torun the policy-vlan dhcp-mac command to configure DHCP policy VLAN based on MACaddresses so that the user hosts can obtain IP addresses from the DHCP server and be added tospecific VLANs.



46

Example# Configure DHCP policy VLAN based on the MAC address of the host 0001-0001-0001 toassociate DHCP messages from this host with VLAN 2, and specify the 802.1p priority of theDHCP messages as 5.

<HUAWEI> system-view[HUAWEI] vlan 2[HUAWEI-vlan2] policy-vlan dhcp-mac 1-1-1 priority 5

4.1.10 policy-vlan dhcp-port

FunctionUsing the policy-vlan dhcp-port command, you can configure DHCP policy VLAN based oninterfaces.

Using the undo policy-vlan dhcp-port command, you can delete DHCP policy VLAN basedon interfaces.

By default, the function of DHCP policy VLAN based on interfaces is disabled on the device.

Formatpolicy-vlan dhcp-port interface-type { interface-number1 [ to interface-number ] } &<1–10>[ priority priority ]

undo policy-vlan dhcp-port interface-type { interface-number1 [ to interface-number ] } &<1–10>



47


interface-type interface-number1 [ to interface-number ] &<1–10>

Specifies the interface type andinterface number.l interface-type specifies the

type of an interface.l interface-number1 specifies

the number of the startinterface.

l to interface-number specifiesthe number of the endinterface. interface-numbermust be greater thaninterface-number1. interface-number and interface-number1 specify the interfacerange. If to interface-numberis not specified, DHCP policyVLAN based on only theinterface specified byinterface-number1 isconfigured.

interface-type can be oneof the following:l eth-trunkl gigabitethernetl xgigabitethernet

priority priority Specifies the 802.1p priority ofDHCP messages.


ViewsVLAN view


Usage GuidelinesYou can configure three types of DHCP policy VLAN on the device at the same time. They arelisted in descending order based on priorities as follows:l DHCP policy VLAN based on MAC addressesl DHCP policy VLAN based on interfacesl Generic DHCP policy VLAN

NOTE

DHCP policy VLAN based on interfaces is valid only for hybrid interfaces. Ensure that the interfaces arehybrid interfaces before running the policy-vlan dhcp-port command. The interfaces to be configuredwith this function are hybrid interfaces by default. If not, you can configure an interface as a hybrid interface.



48

Example# Configure DHCP policy VLAN based on GigabitEthernet 0/0/1 to associate DHCP messageson this interface with VLAN 2, and specify the 802.1p priority of the DHCP messages as 5.

<HUAWEI> system-view[HUAWEI] vlan 2[HUAWEI-vlan2] policy-vlan dhcp-port gigabitethernet 0/0/1 priority 5



49

5 IP Routing Compatible Commands

About This Chapter

5.1 display bgp group

5.2 display bgp network

5.3 display bgp paths

5.4 display bgp peer

5.5 display bgp routing-table dampened

5.6 display bgp routing-table dampening parameter

5.7 display bgp routing-table flap-info

5.8 display bgp routing-table label

5.9 display bgp update-peer-group

5.10 display ipv6 nexthop-indirection

5.11 display ipv6 routing-table { all-vpn6-instance | vpn6-instance } statistics

5.12 display ipv6 routing-table time-range

5.13 display rm ipv6 interface

5.14 ipv6 route-static vpn6-instance

5.15 ipv6-family vpn6-instance

5.16 isis vpn6-instance

5.17 reset ipv6 routing-table statistics protocol

S2750&S5700&S6700 Series Ethernet SwitchesCompatible Commands Reference 5 IP Routing Compatible Commands


50

5.1 display bgp group

FunctionUsing the display bgp group command, you can display the peer group.

Formatdisplay bgp vpnv6 vpn6-instance vpn6-instance-name group [ group-name ]

Parameters


group-name Specifies the peer group. It is case-sensitive.

vpnv6 Displays information about BGPVPNv6 peer groups.

-

vpn6-instance vpn6-instance-name

Specifies the name of the IPv6 VPNinstance.

It is case-sensitive.

ViewsAll views

Default Level1: Monitoring level

Usage GuidelinesIf the peer group is specified, the detailed information on the specified peer group is displayed.If the peer group is not specified, the information on all peer groups is displayed.

Example# Display information about all peer groups of the IPv6 VPN instance named vpn6 on the localswitch.

<HUAWEI> display bgp vpnv6 vpn6-instance vpn6 group

BGP peer-group: g1 Remote AS: 65410 Type : external PeerSession Members: 2000::2

Peer Members: 2000::2

# Display information about the peer group named g1 of the IPv6 VPN instance named vpn6 onthe local switch.



51

<HUAWEI> display bgp vpnv6 vpn6-instance vpn6 group g1

BGP peer-group: g1 Remote AS: 65410 Type : external Configured hold timer value: 180 Keepalive timer value: 60 Minimum route advertisement interval is 30 seconds PeerSession Members: 2000::2

Peer Preferred Value: 0 No routing policy is configured Peer Members: Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv 2000::2 4 65410 103 90 0 01:20:55 Established 0

5.2 display bgp network

Function

Using the display bgp network command, you can view the routes to be advertised by BGPthrough the network command.

Format

display bgp vpnv6 vpn6-instance vpn6-instance-name network

Parameters


vpn6 Displays the VPNv6 routes that are advertisedthrough the network command.

-

vpn6-instance vpn6-instance-name Displays information about the routesadvertised by the specified IPv6 VPN instance.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command is used to display all the configurations of the network command in the specifiedaddress family view. Routes can be imported and then advertised by BGP only when the routeprefix satisfies the following conditions:

l It is specified in the network command.



52

l It already exists in the IP routing table.

l It is active.

Example

# Display the routes of the IPv6 VPN instance named vpn1 advertised by BGP through thenetwork command.

<HUAWEI> display bgp vpnv6 vpn6-instance vpn1 network

BGP Local Router ID is 1.1.1.1 Local AS Number is 100 Route Distinguisher: 100:1 (vpn1) Network Prefix Route-policy

2000:: 100 policy1

5.3 display bgp paths

Function

Using the display bgp paths command, you can view the path attributes of BGP.

Format

display bgp vpnv6 vpn6-instance vpn6-instance-name paths [ as-regular-expression ]

Parameters


as-regular-expression Displays the regular express of the matchingAS-Path.

-

vpnv6 Displays the path attributes of BGP VPNv6. -

vpn6-instance vpn6-instance-name Displays the AS-Path of the specified VPNinstance.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None.



53

Example

# Display information about BGP4+ paths of IPv6 VPN instance named vpn1.

<HUAWEI> display bgp vpnv6 vpn6-instance vpn1 paths

Total routes of vpn6-instance vpn1: 4Total Number of Paths: 4

Address Refcount MED Path/Origin 0x50EEF20 1 0 ? 0x50EEEB8 1 0 ? 0x50EEF88 1 i 0x50EF0C0 1 0 65410?

# Display the BGP4+ paths, including AS_Path 65420, of IPv6 VPN instance named vpn1.

<HUAWEI> display bgp vpnv6 vpn6-instance vpn1 paths 65420*

Total routes of vpn6-instance vpn1: 1Total Number of Paths: 1

Address Refcount MED Path/Origin 0x659D4A8 1 0 65420?

5.4 display bgp peer

Function

Using the display bgp peer command, you can display the BGP peers.

Format

display bgp vpnv6 vpn6-instance vpn6-instance-name peer [ { group-name | ipv6-address }log-info | [ ipv6-address ] verbose ]

Parameters


log-info Displays the log of the peer. -

verbose Displays the detailedinformation of the peer.

-

ipv6-address Specifies the address of theIPv6 peer.

The prefix is a 128-bit hexadecimalnumber, in the format ofX:X:X:X:X:X:X:X.

vpnv6 Displays information aboutBGP VPNv6 peers.

-


Displays the peers of IPv6VPN instance.

It is a string of 1 to 31 case-sensitivecharacters without any spaces.



54

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None.

Example

# Display log information about BGP peer groups of the IPv6 VPN instance.

<HUAWEI> display bgp vpnv6 vpn6-instance vpn1 peer g1 log-info

5.5 display bgp routing-table dampened

Function

Using the display bgp routing-table dampened command, you can display BGP dampenedroutes.

Format

display bgp vpnv6 vpn6-instance vpn6-instance-name routing-table [ statistics ] dampened

Parameters


statistics Displays the statistics of dampenedroutes.

-

vpnv6 Displays BGP routes of VPNv6. -


Specifies the name of the IPv6 VPNinstance.


Views

All views

Default Level

1: Monitoring level



55

Usage GuidelinesNone

Example# Display dampened IPv6 routes in the VPNv6 BGP routing table.<HUAWEI> display bgp vpnv6 vpn6-instance vpn1 routing-table dampened

5.6 display bgp routing-table dampening parameter

FunctionUsing the display bgp routing-table dampening parameter command, you can display BGProute dampening parameters.

Formatdisplay bgp vpnv6 vpn6-instance vpn6-instance-name routing-table dampening parameter

Parameters


vpnv6 Displays BGP route dampening parameters ofVPNv6.

-

vpn6-instance vpn6-instance-name Specifies route dampening parameters of theIPv6 VPN instance.

-

ViewsAll views


Usage GuidelinesNone.

Example# Display BGP route dampening parameters of specified IPv6 VPN instance named vpn1.

<HUAWEI> display bgp vpnv6 vpn6-instance vpn1 routing-table dampening parameter

5.7 display bgp routing-table flap-info



56

Function

Using the display bgp routing-table flap-info command, you can view information aboutflapping BGP routes.

Format

display bgp vpnv6 vpn6-instance vpn6-instance-name routing-table flap-info [ regular-expression as-regular-expression ]

display bgp vpnv6 vpn6-instance vpn6-instance-name routing-table flap-info { as-path-filter as-path-filter-number | network-address [ prefix-length [ longer-match ] ] }

Parameters


regular-expression as-regular-expression

Displays the statistics of theroute flapping that matches theAS-Path regular expression.

The value is a string of 1 to80 characters.

as-path-filter Displays the statistics of theroute flapping that matches thespecified AS-Path filter.

-

as-path-filter-number Specifies the number of thematching AS-Path filter.

-

network-address Displays the network addressrelated to the dampeninginformation.

-

mask | mask-length Specifies the network mask ormask length.

-

longer-match Matches according to the masklonger than the specified length.

-

prefix-length Specifies the length of theprefix.

-

vpnv6 Displays statistics of BGP routeflapping of the VPNv6.

-


Specifies statistics of routeflapping of the specified IPv6VPN instance.

-

Views

All views

Default Level

1: Monitoring level



57

Usage Guidelines

None.

Example

# Display statistics of the BGP4+ route flapping of IPv6 VPN instance named vpn1.

<HUAWEI> display bgp vpnv6 vpn6-instance vpn1 routing-table flap-info

5.8 display bgp routing-table label

Function

Using the display bgp routing-table label command, you can display the labeled routes in theBGP routing table.

Format

display bgp vpnv6 vpn6-instance vpn6-instance-name routing-table [ statistics ] label

Parameters


statistics Indicates the statistics of the labeledroutes.

-

vpnv6 Displays the labeled route of VPNv6. -


Specifies the name of a IPv6 VPNinstance.


Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None.

Example

# Display the BGP4+ labeled routes of the IPv6 VPN instance named vpna.

<HUAWEI> display bgp vpnv6 vpn6-instance vpna routing-table label



58

5.9 display bgp update-peer-group

Function

Using the display bgp update-peer-group command, you can view information about BGPupdate-groups.

Format

display bgp vpnv6 { vpn6-instance vpn6-instance-name } update-peer-group [ index update-group-index ]

Parameters


vpnv6 Displays information about BGP VPNv6update-groups.

-

vpn6-instance vpn6-instance-name Displays information about BGP update-groupsin the specified IPv6 VPN instance.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can specify the index of an update-group to view detailed information about the specifiedupdate-group.

Example

# Display information about the BGP update-group with the index being 0.

<HUAWEI> display bgp vpnv6 vpn6-instance vpn1 update-peer-group index 0

5.10 display ipv6 nexthop-indirection

Function

The display ipv6 nexthop-indirection command displays information about the next-hop IPv6VPN instance iterated control block.



59

Formatdisplay ipv6 nexthop-indirection vpn6-instance vpn6-instance-name [ nexthop nexthop-ipv6-address | indirectid indirectid ]

Parameters



Displays next-hop indirectinformation about a specifiedIPv6 VPN instance.

The value is a string of 1 to 31case-sensitive characters,spaces not supported.

nexthop nexthop-ipv6-address

Specifies the next-hop IPv6address.

The value is an IPv6 address.

indirectid indirectid Specifies the keyword value ofthe next-hop indirection.

The value ranges from 0 toFFFFFFFF, in hexadecimalnotation.

ViewsDiagnosis view



Example# Display information about the IPv6 VPN instance named vpna iterated control block.

<HUAWEI> system-view[HUAWEI] diagnose[HUAWEI-diagnose] display ipv6 nexthop-indirection vpn6-instance vpna indirectid 29

5.11 display ipv6 routing-table { all-vpn6-instance | vpn6-instance } statistics

FunctionUsing the display ipv6 routing-table { all-vpn6-instance | vpn6-instance } statisticscommand, you can view integrated route statistics of the routing tables of IPv6 VPN instances.

Formatdisplay ipv6 routing-table { all-vpn6-instance | vpn6-instance vpn-instance-name } statistics



60

Parameters


all-vpn6-instance Displays integrated routestatistics of the routing tables ofall IPv6 VPN instances.

-

vpn6-instance vpn-instance-name

Specifies the name of an VPNinstance of an enabled IPv6address family.

The value is a string of 1 to31 case-sensitive characterswithout spaces.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Integrated route statistics include the total number of routes, the number of added routes, andthe number of deleted routes.

Example

# Display integrated route statistics of the routing tables of all IPv6 VPN instances.

<HUAWEI> display ipv6 routing-table all-vpn6-instance statisticsSummary Prefixes : 1Protocol route active added deleted freedDIRECT 1 1 1 0 0STATIC 0 0 0 0 0RIPng 0 0 0 0 0OSPFv3 0 0 0 0 0IS-IS 0 0 0 0 0BGP 0 0 0 0 0Total 1 1 1 0 0

Table 5-1 Description of the display ipv6 routing-table all-vpn6-instance statistics commandoutput

Item Description

Summary Prefixes Total number of prefixes in the current routingtable

Protocol Routing protocol

route Number of routes in the current routing table

active Number of active routes in the routing table



61

Item Description

added Number of active and inactive routes added in therouting table

deleted Number of routes deleted from the routing table

freed Number of released routes that are permanentlydeleted from the routing table

5.12 display ipv6 routing-table time-range

FunctionThe display ipv6 routing-table time-range command displays information about routesgenerated in a specified time range in the IPv6 routing table of the specified VPN instance.

Formatdisplay ipv6 routing-table vpn6-instance vpn6-instance-name time-range min-age max-age[ verbose ]

Parameters



Displays information aboutroutes generated in a specifiedtime range in the IPv6 routingtable of the specified VPNinstance.

The value is a string of 1 to 31case-sensitive characters, spacesnot supported.



62


min-age Specifies the end time of theperiod when routes aregenerated.

The format is xxdxxhxxmxxs.l The d indicates days. The

value is an integer rangingfrom 0 to 10000.

l The h indicates hours. Thevalue is an integer rangingfrom 0 to 23.

l The m indicates minutes. Thevalue is an integer rangingfrom 0 to 59.

l The s indicates seconds. Thevalue is an integer rangingfrom 0 to 59.

For example, you can enter5d4h30m20s to specify 5 days, 4hours, 30 minutes, and 20seconds.NOTE

If the value of the d is 10000, thevalues of the h, m, and s can be only0.

max-age Specifies the start time of theperiod when routes aregenerated.

The format is xxdxxhxxmxxs.l The d indicates days. The

value is an integer rangingfrom 0 to 10000.

l The h indicates hours. Thevalue is an integer rangingfrom 0 to 23.

l The m indicates minutes. Thevalue is an integer rangingfrom 0 to 59.

l The s indicates seconds. Thevalue is an integer rangingfrom 0 to 59.

For example, you can enter5d4h30m20s to specify 5 days, 4hours, 30 minutes, and 20seconds.NOTE

If the value of the d is 10000, thevalues of the h, m, and s can be only0.



63


verbose Displays detailed informationabout active and inactiveroutes. If you do not specifythis parameter, the displayipv6 routing-table time-range command displaysonly summary informationabout active routes.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

If route flapping occurs on a network, you can run the display ipv6 routing-table time-rangecommand and specify a small time range for the command. By doing so, you can find the flappingroute in a timely manner and accelerate fault locating.

Precautions

You must make sure that max-age is greater that min-age. Otherwise, the display ipv6 routing-table time-range command does not display any information.

If the specified max-age is greater than min-age and no route was generated within this timerange, the display ipv6 routing-table time-range command displays only the table heading.

Example

# Display information about routes generated in the last 2 hours, 20 minutes, and 10 seconds inthe IPv6 routing table of the VPN instance named vpna.

<HUAWEI> display ipv6 routing-table vpn6-instance vpna time-range 0 2h20m10s

5.13 display rm ipv6 interface

Function

Using the display rm ipv6 interface command, you can view IPv6 VPN instance RMinformation of interfaces, including physical and logical interfaces.



64

Formatdisplay rm ipv6 interface vpn6-instance vpn6-instance-name [ interface-type interface-number ]

Parameters



Specifies the name of anIPv6 VPN instance.


ipv6-address ipv6-address

Displays IPv6 RMinformation with thespecified destination IPv6address.

The value is a 32-digithexadecimal number, in theX:X:X:X:X:X:X:X format.

ViewsAll views



Example# Display RM information of all interfaces bound to IPv6 VPN instance named vpna.

<HUAWEI> display rm ipv6 interface vpn6-instance vpna

5.14 ipv6 route-static vpn6-instance

FunctionUsing the ipv6 route-static vpn6-instance command, you can configure IPv6 static routes in aVPN instance.

Using the undo ipv6 route-static vpn6-instance command, you can withdraw the IPv6 unicaststatic routes in a VPN instance.

By default, the system does not configure IPv6 static routes for VPN instances.

Formatipv6 route-static vpn6-instance vpn6-instance-name dest-ipv6-address prefix-length[ interface-type interface-number ] nexthop-ipv6-address [ preference preference | tag tag ] *[ description text ]



65

ipv6 route-static vpn6-instance vpn6-instance-name dest-ipv6-address prefix-length nexthop-ipv6-address [ public ] [ preference preference | tag tag ] * [ description text ]

ipv6 route-static vpn6-instance vpn6-instance-name dest-ipv6-address prefix-length vpn6-instance vpn6-destination-name nexthop-ipv6-address [ preference preference | tag tag ] *[ description text ]

ipv6 route-static dest-ipv6-address prefix-length vpn6-instance vpn6-destination-namenexthop-ipv6-address [ preference preference | tag tag ] * [ description text ]

undo ipv6 route-static vpn6-instance vpn6-instance-name dest-ipv6-address prefix-length[ interface-type interface-number [ nexthop-ipv6-address ] | nexthop-ipv6-address ][ preference preference | tag tag ] *

undo ipv6 route-static vpn6-instance vpn6-instance-name all

Parameters


vpn6-instance-name Specifies the name of an IPv6VPN instance. Each IPv6 VPNinstance has its own unicastrouting table, and theconfigured static routes areinstalled into the routing tableof the specified IPv6 VPNinstance.

The name is a string of 1 to 31 case-sensitive characters without anyspaces.

dest-ipv6-address Specifies the destination IPv6address.

The value is a 128-digit hexadecimalnumber, in the format ofX:X:X:X:X:X:X:X.

prefix-length Specifies the length of an IPv6prefix, namely, the number ofconsecutive 1s in the mask.

It is an integer ranging from 1 to 128.

interface-type Specifies the type of aninterface.

-

interface-number Specifies the number of aninterface.

-

nexthop-ipv6-address Specifies the next hop IPv6address.




66


vpn6-destination-name Specifies the name of thedestination IPv6 VPNinstance. After the destinationIPv6 VPN instance name isconfigured, the switch cansearch the static routing tablefor the outbound interface tothe destination IPv6 VPNinstance according to theconfigured gateway address.

The name is a string of 1 to 31 case-sensitive characters without anyspaces.

public Indicates that the gatewayaddress is a public networkaddress. After a switch isconfigured to belong to anIPv6 VPN instance, the nexthop or the next hop gatewayrouter of this switch belongs tothis IPv6 VPN instance or thepublic network. If the keywordpublic is specified in thecommand, it indicates that thenext hop is specified as thepublic network router.

-

preference preference Specifies the preference of astatic route.

It is an integer ranging from 1 to 255.

tag tag Specifies the tag value of astatic route. By configuringdifferent tag values, you canclassify static routes toimplement different routingpolicies. For example, routingprotocols can import routeswith specified tag valuesthrough routing policies.

The value is an integer ranging from1 to 4294967295. By default, it is 0.

description text Specifies the description ofstatic routes.

The description is a string of 1 to 19characters that can contain spaces.

all Deletes all the static routesconfigured for the specifiedIPv6 VPN instance.

-

ViewsSystem view




67

Usage Guidelines

Applicable Environment

When an VPN network is simple, you can configure static routes for this VPN by using the ipv6route-static vpn6-instance command. Properly configuring and using static routes can improvenetwork performance.

l To configure VPN users to access a public network, you can run the ipv6 route-staticvpn6-instance command with the keyword public to configure the VPN route with thenext hop being the public network address.

l You can configure description text to add the description of static routes so that theadministrator can check and maintain static routes easily. You can run the display this ordisplay current-configuration command in the system view to view the description.

Precautions

If the destination address and the prefix length are set to all 0s, it indicates that a default routeis configured.

However, after network faults occur or the network topology changes, static routes cannotautomatically change. Therefore, configure static routes with caution.

Example

# Configure a default route with the next hop 2001::1.

<HUAWEI> system-view[HUAWEI] ipv6 route-static vpn6-instance vpn1 :: 0 2001::1

5.15 ipv6-family vpn6-instance

Function

Using the ipv6-family vpn6-instance command, you can enter the BGP-VPN6 instance view.

Using the undo ipv6-family vpn6-instance command, you can remove all configurations in theBGP-VPN6 instance view.

Format

ipv6-family vpn6-instance vpn6-instance-name

undo ipv6-family vpn6-instance vpn6-instance-name

Parameters


vpn6-instance vpn6-instance-name Binds the specified IPv6 VPN instance with theIPv6 address family. You can enter the BGP-VPN6 instance view by using the parameter.

-



68

Views

BGP view

Default Level


Usage Guidelines

None.

Example

# Enter the BGP-VPN6 instance view.

<HUAWEI> system-view[HUAWEI] bgp 100[HUAWEI-bgp] ipv6-family vpn6-instance vpna[HUAWEI-bgp6-vpna]

5.16 isis vpn6-instance

Function

Using the isis vpn6-instance command, you can start the IS-IS process and the specified IPv6VPN instance.

Using the undo isis command, you can cancel the specified IS-IS process.

By default, an IS-IS process is runs in a public network instance.

Format

isis [ process-id ] vpn6-instance vpn6-instance-name

undo isis process-id

Parameters


process-id Specifies the process ID. The value is an integerranging from 1 to 65535.


Specifies the name of the IPv6VPN instance.

The name is a string of 1 to31 characters withoutspaces. It is case-sensitive.

Views

System view



69


Usage GuidelinesTo make IS-IS work normally, do as follows:

l Enable IS-IS process by using the isis command.l Set a Network Entity Title (NET) for the switch by using the network-entity command.l Enable each interface that needs to run IS-IS process by using the isis enable command.

You can start IS-IS only when the above action is done.

Example# Start an IS-IS routing process 1 which has the system ID 0000.0000.0002 and the area ID01.0001.

<HUAWEI> system-view[HUAWEI] isis 1 vpn6-instance vpna[HUAWEI-isis-1] network-entity 01.0001.0000.0000.0002.00

5.17 reset ipv6 routing-table statistics protocol

FunctionUsing the reset ipv6 routing-table statistics protocol command, you can clear statistics in theIPv6 routing table.

Formatreset ipv6 routing-table vpn6-instance vpn6-instance-name statistics protocol { all |protocol }

Parameters


all Clears the statistics of all IPv6 routing protocols in the routing table. -

protocol Clears the statistics of the specified routing protocol. This parameter canbe bgp, direct, isis, ospfv3, ripng, or static.

-

ViewsUser view




70

Usage GuidelinesStatistics in the IPv6 routing table cannot be restored after you clear them. So, confirm the actionbefore using the command.

Example# Clear the statistics of all IPv6 routing protocols in the routing table.

<HUAWEI> reset ipv6 routing-table vpn6-instance vpna statistics protocol all



71

6 IP Multicast Compatible Commands

About This Chapter

6.1 IGMP Snooping Compatible Commands

6.2 MLD Snooping Compatible Commands

6.3 Multicast VLAN Compatible Commands

S2750&S5700&S6700 Series Ethernet SwitchesCompatible Commands Reference 6 IP Multicast Compatible Commands


72

6.1 IGMP Snooping Compatible Commands

6.1.1 display igmp-proxy

FunctionUsing the display igmp-proxy command, you can view the default and non defaultconfigurations of IGMP proxy.

Formatdisplay igmp-proxy [ vlan [ vlan-id ] ]

Parameters


vlan vlan-id Displays the configuration ofthe IGMP proxy in thespecified VLAN. vlan-idspecifies the ID of a VLAN.


ViewsAll views


Usage GuidelinesBefore running the display igmp-proxy command, run the 6.1.5 igmp-proxy enable commandto enable IGMP proxy globally and in the VLAN. Otherwise, no information is displayed.

The IGMP proxy configuration, including the default configuration, is displayed only when theVLAN is in Up state. That is, at least one interface in the VLAN is in Up state.

Example# Display the IGMP proxy configuration of VLAN 3.

<HUAWEI> display igmp-proxy vlan 3 IGMP Snooping Information for VLAN 3 IGMP Snooping is Enabled IGMP Version is Set to default 2 IGMP Query Interval is Set to default 125 IGMP Max Response Interval is Set to default 10



73

IGMP Robustness is Set to default 2 IGMP Last Member Query Interval is Set to default 1 IGMP Router Port Aging Interval is Set to 180s or holdtime in hello IGMP Filter Group-Policy is Set to default : Permit All IGMP Prompt Leave Disable IGMP Router Alert is Not Required IGMP Send Router Alert Enable IGMP Proxy Disable IGMP Report Suppress Disable IGMP Suppress Time is set to default 10 seconds IGMP Querier Disable IGMP Router Port Learning Enable IGMP SSM-Mapping Disable IGMP Limit Action Disable IGMP Suppress-dynamic-join Disable

Table 6-1 Description of the display igmp-proxy command output

Item Description

IGMP Snooping is Enabled IGMP snooping is enabled in the VLAN.

IGMP Version is Set todefault 2

The version of IGMP messages that can be processed in theVLAN is the default version. Both IGMPv1 and IGMPv2messages can be processed.

IGMP Query Interval is Setto default 125

The interval at which IGMP General Query messages are sentin the VLAN is set to the default value, 125 seconds.

IGMP Max ResponseInterval is Set to default 10

The maximum response time for IGMP Query messages in theVLAN is set to the default value, 10 seconds.

IGMP Robustness is Set todefault 2

The IGMP robustness variable is set to the default value 2.

IGMP Last Member QueryInterval is Set to default 1

The interval at which IGMP Group-Specific Query messagesare sent in the VLAN is set to the default value, 1 second.

IGMP Router Port AgingInterval is Set to 180s orholdtime in hello

The aging time of router interfaces in the VLAN is set to thedefault value, 180 seconds or the holdtime in PIM Hellomessages.

IGMP Filter Group-Policyis Set to default : Permit All

The default multicast group policy is used in the VLAN. Thatis, hosts in the VLAN can join all the multicast groups.

IGMP Prompt LeaveDisable

Prompt leave is disabled for interfaces in the VLAN.

IGMP Router Alert is NotRequired

The device does not require that the IGMP messages receivedin the VLAN contain the Router-Alert option in the IP header.

IGMP Send Router AlertEnable

The device sends the IGMP messages that contain the Router-Alert option in the IP headers to the hosts in the VLAN.

IGMP Proxy Disable IGMP proxy is disabled in the VLAN.

IGMP Report SuppressDisable

IGMP Report message suppression is disabled in the VLAN.



74

Item Description

IGMP Suppress Time is setto default 10 seconds

The suppress duration of IGMP Report messages is set to thedefault value, 10 seconds.

IGMP Querier Disable IGMP querier is disabled in the VLAN.

IGMP Router PortLearning Enable

Learning of IGMP router interfaces is enabled in the VLAN.

IGMP SSM-MappingDisable

IGMP SSM mapping is disabled in the VLAN.

IGMP Limit ActionDisable

Multicast entry overwriting is disabled in the VLAN.

IGMP Suppress-dynamic-join Disable

The system does not send Report or Leave messages to theupstream router interface where a static multicast group isconfigured.

6.1.2 display igmp-proxy configuration

Function

Using the display igmp-proxy configuration command, you can display the non-default IGMPproxy configuration.

Format

display igmp-proxy [ vlan [ vlan-id ] ] configuration

Parameters


vlan vlan-id Displays the non-defaultIGMP proxy configuration inthe specified VLAN. vlan-idspecifies the ID of a VLAN.


Views

All views

Default Level

1: Monitoring level



75

Usage GuidelinesBefore running the display igmp-proxy configuration command, you must run the 6.1.5 igmp-proxy enable command to enable IGMP proxy globally and in the VLAN. Otherwise, noinformation is displayed.

If the optional parameter is not specified, the non-default IGMP proxy configurations of allVLANs are displayed.

Example# Display the non-default IGMP proxy configuration of VLAN 2.

<HUAWEI> display igmp-proxy vlan 2 configuration IGMP Snooping Configuration for VLAN 2 igmp-snooping enable igmp-snooping proxy

Table 6-2 Description of the display igmp-proxy configuration command output

Item Description

igmp-snooping enable IGMP snooping is enabled in the VLAN.

igmp-snooping proxy IGMP proxy is enabled in the VLAN.

6.1.3 display igmp-proxy port-info

FunctionUsing the display igmp-proxy port-info command, you can view information about memberinterfaces of a multicast group.

Formatdisplay igmp-proxy port-info [ vlan vlan-id [ group group-address ] ] [ verbose ]

Parameters


vlan vlan-id Displays information aboutthe member interfaces in thespecified VLAN. vlan-idspecifies the ID of a VLAN.




76


group group-address Displays information aboutthe member interfaces of thespecified multicast group inthe VLAN. group-addressspecifies the address of amulticast group.

The value of ranges from224.0.1.0 to239.255.255.255 in dotteddecimal notation.

verbose Displays detailedinformation about themember interfaces.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command displays information about the member interfaces of a multicast group, includingthe number of member interfaces and name of the member interfaces.

Before running the display igmp-proxy port-info command, you must run the 6.1.5 igmp-proxy enable command to enable IGMP proxy globally and in the VLAN. Otherwise, noinformation is displayed.

Information about the member interfaces (static or dynamic) is displayed only if the interfacesare in Up state.

If vlan-id is not specified, information about member interfaces of multicast groups in all theVLANs is displayed.

Example

# Display information about multicast member interfaces in VLAN 7.

<HUAWEI> display igmp-proxy port-info vlan 7----------------------------------------------------------------------- (Source, Group) Port Flag Flag: S:Static D:Dynamic M: Ssm-mapping -----------------------------------------------------------------------VLAN 7, 3 Entry(s) (1.1.1.1,225.1.1.1) GE0/0/1 D-- 1 port(s) (1.1.1.1,225.1.1.2) GE0/0/2 D-- 1 port(s) (1.1.1.1,225.1.1.3) GE0/0/3 D-- 1 port(s)



77

Table 6-3 Description of the display igmp-snooping port-info command output

Item Description

(Source, Group) (S, G) entry, specifying the multicast source and multicastgroup.

Port Outbound interface in an (S, G) entry.

Flag Type of an outbound interface.l S:static member interfacel D: dynamic member interfacel M: member interface specified in an SSM mapping entry

6.1.4 display igmp-proxy router-port

FunctionUsing the display igmp-proxy router-port command, you can view information about routerinterfaces in the specified VLAN, including the static router interface and the dynamic routerinterface.

Formatdisplay igmp-proxy router-port vlan vlan-id


vlan vlan-id Displays information aboutthe router interfaces in thespecified VLAN. vlan-idspecifies the ID of a VLAN.


ViewsAll views


Usage GuidelinesA router interface connects the S2750&S5700&S6700 to an upstream router. The routerinterface can be dynamically generated after the IGMP Query message is received, or staticallyconfigured.



78

Before running the display igmp-proxy router-port command, run the 6.1.5 igmp-proxyenable command to enable IGMP proxy globally and in the VLAN. Otherwise, no informationis displayed.

You can run the display igmp-proxy router-port command to view information about the type,name, age, and remaining aging time of the router interface.

NOTE

Information about a router interface is displayed only when the interface is in Up state.

Example

# Display information about router interfaces in VLAN 2.

<HUAWEI> display igmp-proxy router-port vlan 2Port Name UpTime Expires Flags-------------------------------------------------------VLAN 2, 2 router-port(s)GE0/0/1 1d:22h 00:01:20 DYNAMICGE0/0/2 2d:10h -- STATIC

Table 6-4 Description of the display igmp-proxy router-port command output

Item Description

Port Name Type and number of an interface.

UpTime Age of a router interface, that is, time that elapsed since theinterface became the router interface.

Expires Remaining aging time of a router interface.l The remaining aging time is displayed for a dynamic router

interface.l A static router interface does not age.

Flags Type of the router interface, which can be either of the following:l STATIC: indicates a static router interface.l DYNAMIC: indicates a dynamic router interface.

6.1.5 igmp-proxy enable

Function

Using the igmp-proxy enable command, you can enable IGMP proxy.

By default., IGMP proxy is disabled.

Format

igmp-proxy enable



79

ParametersNone

ViewsSystem view, VLAN view


Usage GuidelinesThe differences of using the igmp-proxy enable command in the system view and VLAN vieware as follows:

l When you run the commands in the system view, IGMP proxy is enabled globally.l When you run the commands in the VLAN view, IGMP proxy is enabled or in the VLAN.l To enable IGMP proxy in a VLAN, you must first enable IGMP proxy globally.

Example# Enable IGMP proxy globally.

<HUAWEI> system-view[HUAWEI] igmp-proxy enable

# Enable IGMP proxy in VLAN 3.

<HUAWEI> system-view[HUAWEI] igmp-proxy enable[HUAWEI] vlan 3[HUAWEI-vlan3] igmp-proxy enable

6.1.6 igmp-proxy group-limit

FunctionUsing the igmp-proxy group-limit command, you can set the maximum number of IGMP proxyentries on an interface.

Formatigmp-proxy group-limit limit-num vlan { vlan-id1 [ to vlan-id2 ] } & <1-10>



80

Parameters


limit-num Specifies the maximumnumber of IGMP proxyentries on an interface.

The value is an integer andthe value range depends onthe product model:l S2750: 1 to 1022l S5700S-LI, S5700LI, and

S5700SI: 1 to 1024l S5700EI, S5710EI,

S5700HI, S5710HI, andS6700: 1 to 2048

vlan-id1 [ to vlan-id2 ] Specifies the ID of a userVLAN.


Views

Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, port groupview, Eth-Trunk interface view

Default Level


Usage Guidelines

After the igmp-proxy group-limit command is run, the number of IGMP proxy entries on theinterface cannot exceeds the limit.

Example

# Set the maximum number of IGMP proxy entries in VLAN 10 on GE0/0/1 to 100.

<HUAWEI> system view[HUAWEI] interface gigabitethernet 0/0/1[HUAWEI-GigabitEthernet0/0/1] igmp-proxy group-limit 100 vlan 10

6.1.7 igmp-proxy group-policy (interface view)

Function

The igmp-proxy group-policy command configures a multicast group policy for a VLAN onan interface. The policy specifies the multicast groups that hosts in the VLAN can join.

By default, no multicast group policy is configured for a VLAN. That is, hosts in the VLAN canjoin any multicast group.



81

Formatigmp-proxy group-policy acl-number [ version version-number ] vlan vlan-id1 [ to vlan-id2 ]

igmp-proxy group-policy acl-number vlan vlan-id1 [ to vlan-id2 ] version-number


acl-number Specifies the number of theACL that limits the multicastgroups that hosts in a VLANcan join.


version-number Applies the multicast grouppolicy to only the IGMPmessages of the specifiedversion.

The value is an integer thatranges from 1 to 3. The value1 indicates IGMPv1, thevalue 2 indicates IGMPv2and the value 3 indicatesIGMPv3.

vlan vlan-id1 [ to vlan-id2 ] Applies the multicast grouppolicy to the specifiedVLANs on the interface.

vlan-id1 and vlan-id2 areintegers that range 1 from4094.

ViewsEthernet interface view, GE interface view, XGE interface view, 40GE interface view, port groupview, Eth-Trunk interface view


Usage GuidelinesBefore running the igmp-proxy group-policy command, run the 6.1.5 igmp-proxy enablecommand to enable IGMP proxy globally and in the specified VLANs.

By configuring a multicast group policy for a VLAN on an interface, you can prohibit hosts inthe VLAN from joining the specified IP multicast groups.

If the IGMP version is not specified, the device applies the multicast group policy to all IGMPmessages regardless of their versions.

Example# Prohibit hosts in VLAN 3 from join multicast group 225.1.1.123 on GE0/0/10.

<HUAWEI> system-view[HUAWEI] acl number 2008



82

[HUAWEI-acl-basic-2008] rule deny source 225.1.1.123 0[HUAWEI-acl-basic-2008] quit[HUAWEI] igmp-proxy enable[HUAWEI] vlan 3[HUAWEI-vlan3] igmp-proxy enable[HUAWEI-vlan3] quit[HUAWEI] interface gigabitehernet 0/0/10[HUAWEI-GigabitEthernet0/0/10] igmp-proxy group-policy 2008 vlan 3

6.1.8 igmp-proxy group-policy (VLAN view)

Function

Using the igmp-proxy group-policy command, you can configure the multicast group policyin a VLAN. The policy specifies the multicast groups that hosts in the VLAN can join.

By default, no multicast group policy is available in a VLAN. That is, hosts in a VLAN can joinany multicast group.

Format

igmp-proxy group-policy acl-number [ [ version ] version-number ]

Parameters




[ version ] version-number Applies the multicast grouppolicy to only the IGMPmessages of the specifiedversion.


Views

VLAN view

Default Level


Usage Guidelines

Before running the igmp-proxy group-policy command, run the 6.1.5 igmp-proxy enablecommand to enable IGMP proxy globally and in the VLAN.



83

By setting the multicast group policy in a VLAN, you can restrict the access of hosts in theVLAN to multicast groups.

If the IGMP version is not specified, the device applies the multicast group policy to all IGMPmessages regardless of their versions.

Example# Prevent hosts in VLAN 3 from joining multicast group 225.1.1.123.

<HUAWEI> system-view[HUAWEI] acl number 2008[HUAWEI-acl-basic-2008] rule deny source 225.1.1.123 0[HUAWEI-acl-basic-2008] quit[HUAWEI] igmp-proxy enable[HUAWEI] vlan 3[HUAWEI-vlan3] igmp-proxy enable[HUAWEI-vlan3] igmp-proxy group-policy 2008

6.1.9 igmp-proxy lastmember-queryinterval

FunctionUsing the igmp-proxy lastmember-queryinterval command, you can set the interval forsending Group-Specific Query messages (last member query) in a VLAN.

By default, the interval for sending Group-Specific Query messages in a VLAN is 1 second.

Formatigmp-proxy lastmember-queryinterval lastmember-queryinterval


lastmember-queryinterval Specifies the interval forsending IGMP Group-Specific Query messages.

The value is an integer thatranges from 1 to 5, inseconds. The default value is1.

ViewsVLAN view


Usage GuidelinesBefore running the igmp-proxy lastmember-queryinterval command, run the 6.1.5 igmp-proxy enable command to enable IGMP proxy globally and in the VLAN.



84

By setting the interval for sending IGMP Group-Specific messages, you can:

l Adjust and control the delay for hosts to leave a multicast group.For example, when memberships change frequently on the network, you can run the igmp-proxy lastmember-queryinterval command to reduce the interval for sending IGMPGroup-Specific Query messages. In this manner, the device can receive the response to theIGMP Group-Specific Query messages quickly.

l Maintain forwarding entries.When receiving IGMP Leave messages from hosts, the device sets the aging time ofmember interfaces by using the following formula: Aging time = Interval for sendingGroup-Specific Query messages x IGMP robustness variable.

When the device runs IGMPv1, hosts do not send Leave messages when leaving a multicastgroup. Therefore, the igmp-proxy lastmember-queryinterval command is valid only whenIGMPv2 messages are processed in a VLAN.

Example# Set the interval for sending Group-Specific Query messages in VLAN 3 to 4 seconds.

<HUAWEI> system-view[HUAWEI] igmp-proxy enable[HUAWEI] vlan 3[HUAWEI-vlan3] igmp-proxy enable[HUAWEI-vlan3] igmp-proxy lastmember-queryinterval 4

6.1.10 igmp-proxy max-response-time

FunctionUsing the igmp-proxy max-response-time command, you can set the maximum response timefor IGMP messages in the VLAN.

By default, the maximum response time for IGMP messages is 10 seconds.

Formatigmp-proxy max-response-time max-response-time

Parameters


max-response-time Specifies the maximumresponse time for IGMPmessages.


ViewsVLAN view



85


Usage GuidelinesBefore running the igmp-proxy max-response-time command, run the 6.1.5 igmp-proxyenable command to enable IGMP proxy globally and in the VLAN.

By setting the maximum response time, you can:

l Control the deadline for a host to send the IGMP Report message. A proper setting of themaximum response time enables hosts to quickly respond to Query messages, thuspreventing the congestion caused by a large number of Response messages sent at the sametime.

l Adjust the aging time of member interfaces. When receiving IGMP Report messages fromhosts, the device sets the aging time of member interfaces by using the following formula:Aging time = IGMP robustness variable x Interval for sending IGMP General Querymessages + Maximum response time.

NOTE

The maximum response time must be shorter than the interval for sending IGMP General Query messages.

If you run the igmp-proxy max-response-time command multiple times in the same VLANview, the latest configuration takes effect.

Example# Set the maximum response time in VLAN 3 to 20 seconds.

<HUAWEI> system-view[HUAWEI] igmp-proxy enable[HUAWEI] vlan 3[HUAWEI-vlan3] igmp-proxy enable[HUAWEI-vlan3] igmp-proxy max-response-time 20

6.1.11 igmp-proxy prompt-leave

FunctionUsing the igmp-proxy prompt-leave command, you can enable interfaces in a VLAN topromptly leave multicast groups.

By default, interfaces are disabled from promptly leave multicast groups.

Formatigmp-proxy prompt-leave [ group-policy acl-number ]



86

Parameters


group-policy basic-acl-number

Allows interfaces topromptly leave the specifiedmulticast groups. acl-number specifies the numberof an ACL rule.


Views

VLAN view

Default Level


Usage Guidelines

If group-policy basic-acl-number is not specified, interfaces in the VLAN can leave all multicastgroups promptly.

Before running the igmp-proxy prompt-leave command, run the 6.1.5 igmp-proxy enablecommand to enable IGMP proxy globally and in the VLAN.

When an interface of the device receives an IGMP Leave message of a multicast group, thedevice deletes the forwarding entry of the multicast group corresponding to the interface fromthe forwarding table. This process is called prompt leave. When an interface is connected to onlyone host, the prompt leave mechanism can be used to release bandwidth resources quickly.

The configuration is valid only when IGMPv2 messages can be processed in the VLAN.

NOTE

You can configure prompt leave for an interface only when each multicast member interface is connectedto only one host in a VLAN. If the interface is connected to multiple host, the multicast traffic of otherreceivers in the same group is interrupted when prompt leave is enabled.

Example

# Enable interfaces in VLAN 3 to promptly leave multicast group 225.1.1.123.

<HUAWEI> system-view[HUAWEI] igmp-proxy enable[HUAWEI] acl number 2008[HUAWEI-acl-basic-2008] rule permit source 225.1.1.123 0[HUAWEI-acl-basic-2000] rule deny source any[HUAWEI-acl-basic-2008] quit[HUAWEI] vlan 3[HUAWEI-vlan3] igmp-proxy enable[HUAWEI-vlan3] igmp-proxy prompt-leave group-policy 2008



87

6.1.12 igmp-proxy query-interval

Function

Using the igmp-proxy query-interval command, you can set the interval for sending IGMPGeneral Query messages in a VLAN.

By default, the interval for sending Group-Specific Query messages in a VLAN is 125 seconds.

Format

igmp-proxy query-interval query-interval

Parameters


query-interval Specifies the interval forsending IGMP GeneralQuery messages.


Views

VLAN view

Default Level


Usage Guidelines

Before running the igmp-proxy query-interval command, run the 6.1.5 igmp-proxy enablecommand to enable IGMP proxy globally and in the VLAN.

By setting interval for sending IGMP General Query messages, you can:

l Configure the device to send IGMP General Query messages at the set intervals to maintainmemberships of interfaces. The shorter the interval is, the more sensitive the device is andthe more bandwidth and switch resources are occupied.

l Adjust the aging time of member interfaces. When receiving IGMP Report messages fromhosts, the device sets the aging time of member interfaces by using the following formula:Aging time = IGMP robustness variable x Interval for sending IGMP General Querymessages + Maximum response time.

NOTE

The maximum response time must be shorter than the interval for sending IGMP General Query messages.

If you run the igmp-proxy query-interval command multiple times in the same VLAN view,the latest configuration takes effect.



88

Example# Set the interval for sending IGMP General Query messages in VLAN 3 to 100 seconds.

<HUAWEI> system-view[HUAWEI] igmp-proxy enable[HUAWEI] vlan 3[HUAWEI-vlan3] igmp-proxy enable[HUAWEI-vlan3] igmp-proxy query-interval 100

6.1.13 igmp-proxy require-router-alert

FunctionUsing the igmp-proxy require-router-alert command, you can configure the device to processonly the IGMP messages that contain the Router-Alert option in the IP header after receivingthe messages from a VLAN.

By default, the device can process the IGMP messages that do not contain the Router-Alertoption in the IP header.

Formatigmp-proxy require-router-alert

ParametersNone

ViewsVLAN view


Usage GuidelinesAfter you run the igmp-proxy require-router-alert command , the device checks whetherreceived IGMP messages contain the Router-Alert option in the IP header. If not, the devicediscards the IGMP messages.

Before running the igmp-proxy require-router-alert command, run the 6.1.5 igmp-proxyenable command to enable IGMP proxy globally and in the VLAN.

Example# Configure interfaces in VLAN 3 to process only the IGMP messages that contain the Router-Alert option in the IP header.

<HUAWEI> system-view[HUAWEI] igmp-proxy enable[HUAWEI] vlan 3[HUAWEI-vlan3] igmp-proxy enable[HUAWEI-vlan3] igmp-proxy require-router-alert



89

6.1.14 igmp-proxy robust-count

Function

Using the igmp-proxy robust-count command sets the IGMP robustness variable in a VLAN,which specifies how many times IGMP Query messages are sent.

By default, the robustness variable in a VLAN is 2.

Format

igmp-proxy robust-count robust-value

Parameters


robust-value Specifies the IGMProbustness variable in aVLAN.


Views

VLAN view

Default Level


Usage Guidelines

Before running the igmp-proxy lastmember-queryinterval command, run the 6.1.5 igmp-proxy enable command to enable IGMP proxy globally and in the VLAN.

By setting the interval for sending IGMP Group-Specific messages, you can:

l Specify the number of times the querier sends a Group-Specific Query message, whichprevents packet loss on the network.

When receiving an IGMP Leave message for a multicast group, the switch sends a Group-Specific Query message certain times (specified by the IGMP robustness variable) to checkwhether this group has any other members. If the quality of transmission links is low,increase the IGMP robustness variable.

l Change the aging time of multicast group member ports.

When receiving an IGMP Report message from a host, the switch starts the aging timer forthe member port. The aging time is calculated using the following formula: Aging time =IGMP robustness variable x General query interval + Maximum response time for GeneralQuery messages. The igmp-snooping robust-count command sets the general querycount.



90

Example

# Set the IGMP robustness variable to 5 in VLAN 3.

<HUAWEI> system-view[HUAWEI] igmp-proxy enable[HUAWEI] vlan 3[HUAWEI-vlan3] igmp-proxy enable[HUAWEI-vlan3] igmp-proxy robust-count 5

6.1.15 igmp-proxy router-aging-time

Function

Using the igmp-proxy router-aging-time command, you can set the aging time of dynamicrouter interfaces in a VLAN.

By default, the aging time of dynamic router interfaces in a VLAN is 180 seconds or equal tothe holdtime contained in PIM Hello messages.

Format

igmp-proxy router-aging-time router-aging-time

Parameters


router-aging-time Specifies the aging time ofdynamic router interfaces ina VLAN.

The value is an integer thatranges from 1 to 1000, inseconds. The default value is180 seconds or the holdtimecontained in PIM Hellomessages.

Views

VLAN view

Default Level


Usage Guidelines

Before running the igmp-proxy router-aging-time command, run the 6.1.5 igmp-proxyenable command to enable IGMP proxy globally and in the VLAN.

When receiving IGMP Query messages or PIM Hello messages from a dynamic router interface,the device resets the aging time of the router interface.

By default, the device resets the aging time of the router interface as follows:



91

l If IGMP Query messages are received by the interface, the device resets the aging time ofthe interfaces to 180 seconds.

l If PIM Hello messages are received by the interface and the holdtime of the Hello messagesis greater than the remaining aging time of the interface, the device resets the aging timeof the interface to the holdtime contained in the PIM Hello messages.

Example# Set the aging time of router interfaces in VLAN 3 to 500 seconds.

<HUAWEI> system-view[HUAWEI] igmp-proxy enable[HUAWEI] vlan 3[HUAWEI-vlan3] igmp-proxy enable[HUAWEI-vlan3] igmp-proxy router-aging-time 500

6.1.16 igmp-proxy send-query enable

FunctionUsing the igmp-proxy send-query enable command, you can enable the device to send IGMPQuery messages to non-router interfaces.

By default, the device is disabled from sending IGMP Query messages to non-router interfaces.

Formatigmp-proxy send-query enable

ParametersNone

ViewsSystem view


Usage GuidelinesBefore using the igmp-proxy send-query enable command, you must run the 6.1.5 igmp-proxyenable command to enable IGMP proxy globally.

In most situations, the device does not send IGMP Query messages. When the MSTPrecalculation is triggered by changes of network topologies, the device sends IGMP GeneralQuery messages to detect whether multicast members exist on each interface. This is caused bychanges of the forwarding path of packets.

When IGMP General Query messages are sent to hosts, the hosts that remain as multicastmembers reply with IGMP Report messages. The device then updates information aboutmulticast member interfaces according to the IGMP Report messages. In this manner, multicast



92

packets can be quickly switched to new forwarding paths. This ensures smooth transmission ofmulticast services.

Example# Enable the device to send IGMP Query messages that respond to changes of network topologiesto non-router interfaces.

<HUAWEI> system-view[HUAWEI] igmp-proxy send-query enable

6.1.17 igmp-proxy send-query source-address

FunctionUsing the igmp-proxy send-query source-address command, you can set the source IP addresscontained in the IGMP messages sent by the device enabled with IGMP proxy.

Formatigmp-proxy send-query source-address ip-address

Parameters


ip-address Specifies the source IPaddress of IGMP messages.

The address is in dotteddecimal notation and thedefault value is 192.168.0.1.

ViewsSystem view


Usage GuidelinesBefore using the igmp-proxy send-query source-address command, you must run the 6.1.5igmp-proxy enable command to enable IGMP proxy globally.

If 192.168.0.1 is already used by other devices on the network, you can use the command tomodify the source IP address of IGMP General Query messages and other messages sent by thedevice enabled with IGMP proxy.

When multiple devices exist on a shared network, you can set the source IP address of IGMPmessages to identify the devices. For example, you must specify different source IP addressesfor different devicees when the election mechanism is applied to the devicees with differentperformances.



93

If the command is run for multiple times in the same view, the latest configuration overwritesthe earlier ones.

Example# Set the source IP address of IGMP messages sent by the device enabled with IGMP proxy to192.168.10.1.

<HUAWEI> system-view[HUAWEI] igmp-proxy enable[HUAWEI] igmp-proxy send-query source-address 192.168.10.1

6.1.18 igmp-proxy ssm-policy

FunctionThe igmp-proxy ssm-policy command configures an SSM group policy for IGMP proxy.

Formatigmp-proxy ssm-policy basic-acl-number

Parameters


basic-acl-number Specifies the number of thebasic ACL that defines therange of SSM groupaddresses.


ViewsSystem view


Usage GuidelinesBefore this command, enable IGMP snooping globally.

By default, SSM group addresses range from 232.0.0.0 to 232.255.255.255. You can configurean SSM group policy to narrow or expand the range of SSM group addresses.

Example# Configure multicast group 225.1.1.123 as an SSM group.

<HUAWEI> system-view[HUAWEI] acl number 2008



94

[HUAWEI-acl-basic-2008] rule permit source 225.1.1.123 0[HUAWEI-acl-basic-2008] quit[HUAWEI] igmp-snooping enable[HUAWEI] igmp-proxy ssm-policy 2008

6.1.19 igmp-proxy static-group

FunctionThe igmp-proxy static-group command adds an interface statically to a multicast group.

By default, an interface is not statically added to any multicast groups.

Formatigmp-proxy static-group group-ip-address1 [ to group-ip-address2 ] [ source-address source-ip-address ] vlan vlan-id


group-ip-address1 to group-ip-address2

Adds the interface to multiplemulticast groups. The valuesof group-ip-address1 andgroup-ip-address2 must be inthe same network segment(with a 24-bit mask).

-

source-address source-ip-address

Specifies the IP address of amulticast source.

The value of source-ip-address can be any Class A,Class B, or Class C address,in dotted decimal notation.

vlan vlan-id Specifies the ID of a VLAN. The value is an integer thatranges from 1 to 4094.



Usage GuidelinesIn addition to dynamic multicast forwarding entries generated by Layer 2 protocol protocols,you can configure static Layer 2 multicast forwarding entries by binding interfaces to entries.After an interface is statically added to a multicast group, users connected to this interface canreceive multicast data of the multicast group for a long time.



95

Example# Add GE0/0/1 in VLAN 2 to multicast group 224.1.1.1.

<HUAWEI> system-view[HUAWEI] interface gigabitethernet 0/0/1[HUAWEI-GigabitEthernet0/0/1] igmp-proxy static-group 224.1.1.1 vlan 2

6.1.20 igmp-proxy static-router-port

FunctionUsing the igmp-proxy static-router-port command, you can configure an interface as a staticrouter interface in a specified VLAN.

Formatigmp-proxy static-router-port vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>


vlan vlan-id Indicates a VLAN. vlan-idspecifies the ID of a VLAN.




Usage GuidelinesBefore running the igmp-proxy static-router-port command, run the 6.1.5 igmp-proxyenable command to enable IGMP proxy globally and in the VLAN.

If the interface is not added to the VLAN specified by vlan-id before the command is run, theconfiguration is kept on the device and becomes valid until the interface is added to the specifiedVLAN.

NOTE

A static router interface does not age.

Example# Configure GE0/0/1 in VLAN 3 as a static router interface.

<HUAWEI> system-view[HUAWEI] igmp-proxy enable



96

[HUAWEI] vlan 3[HUAWEI-vlan3] igmp-proxy enable[HUAWEI-vlan3] quit[HUAWEI] interface gigabitethernet 0/0/1[HUAWEI-GigabitEthernet0/0/1] igmp-proxy static-router-port vlan 3

6.1.21 igmp-proxy table limit

FunctionUsing the igmp-proxy table limit command, you can set the maximum number of IGMP proxyentries on an interface.

Formatigmp-proxy table limit limit-num vlan { vlan-id1 [ to vlan-id2 ] } & <1-10>


limit-num Specifies the maximumnumber of IGMP proxyentries on an interface.


S5700SI: 1 to 1024l S5700EI, S5710EI,

S5700HI, S5710HI, andS6700: 1 to 2048





Usage GuidelinesAfter the igmp-proxy table limit command is run, the number of IGMP proxy entries on theinterface cannot exceeds the limit.

Example# Set the maximum number of IGMP proxy entries in VLAN 10 on GE0/0/1 to 100.



97

<HUAWEI> system view[HUAWEI] interface gigabitethernet 0/0/1[HUAWEI-GigabitEthernet0/0/1] igmp-proxy table limit 100 vlan 10

6.1.22 igmp-proxy version

Function

Using the igmp-proxy version command, you can configure the version of IGMP messages thatcan be processed by the IGMP proxy in a VLAN.

By default, the IGMP proxy can process both IGMPv1 messages and IGMPv2 messages in aVLAN.

Format

igmp-proxy version version

Parameters


version Specifies the version ofIGMP messages that can beprocessed in a VLAN.

The value is an integer thatranges from 1 to 3.l The value 1 indicates that

only IGMPv1 messagescan be processed.

l The value 2 indicates thatboth IGMPv1 andIGMPv2 messages can beprocessed.

l The value 3 indicates thatthe system can processIGMPv1, IGMPv2, andIGMPv3 messages.

Views

VLAN view

Default Level


Usage Guidelines

Hosts in the same VLAN must run the IGMP protocol of the same version. When hosts that rundifferent IGMP versions exist in a VLAN, you need to run the igmp-proxy version commandto configure the IGMP version.



98

Before running the igmp-proxy version command, run the 6.1.5 igmp-proxy enable commandto enable IGMP proxy globally and in the VLAN.

Example

# Configure the IGMP proxy to process only IGMPv1 messages in VLAN 2.

<HUAWEI> system-view[HUAWEI] igmp-proxy enable[HUAWEI] vlan 2[HUAWEI-vlan2] igmp-proxy enable[HUAWEI-vlan2] igmp-proxy version 1

6.1.23 igmp-snooping group-policy (interface view)

Function

The igmp-snooping group-policy command configures a multicast group policy for a VLANon an interface. The policy specifies the multicast groups that hosts in the VLAN can join.

By default, no multicast group policy is configured for a VLAN. That is, hosts in the VLAN canjoin any multicast group.

Format

igmp-snooping group-policy acl-number vlan vlan-id1 [ to vlan-id2 ] version-number

Parameters






vlan vlan-id1 [ to vlan-id2 ] Applies the multicast grouppolicy to the specifiedVLANs on the interface.

vlan-id1 and vlan-id2 areintegers that range 1 from4094.

Views




99


Usage GuidelinesBefore running the igmp-snooping group-policy command, enable IGMP snooping globallyand in the specified VLANs.

By configuring a multicast group policy for a VLAN on an interface, you can prohibit hosts inthe VLAN from joining the specified IP multicast groups.

Example# Prohibit hosts in VLAN 3 from join multicast group 225.1.1.123 on GE0/0/10.

<HUAWEI> system-view[HUAWEI] acl number 2008[HUAWEI-acl-basic-2008] rule deny source 225.1.1.123 0[HUAWEI-acl-basic-2008] quit[HUAWEI] igmp-snooping enable[HUAWEI] vlan 3[HUAWEI-vlan3] igmp-snooping enable[HUAWEI-vlan3] quit[HUAWEI] interface gigabitethernet 0/0/10[HUAWEI-GigabitEthernet0/0/10] igmp-snooping group-policy 2008 vlan 3 2

6.1.24 igmp-snooping group-policy (VLAN view)

FunctionUsing the igmp-snooping group-policy command, you can configure the multicast group policyin a VLAN. The policy specifies the multicast groups that hosts in the VLAN can join.

By default, no multicast group policy is available in a VLAN. That is, hosts in a VLAN can joinany multicast group.

Formatigmp-snooping group-policy acl-number version-number

Parameters






100




ViewsVLAN view


Usage GuidelinesBefore running the igmp-snooping group-policy command, enable IGMP snooping globallyand in the VLAN.

By setting the multicast group policy in a VLAN, you can restrict the access of hosts in theVLAN to multicast groups.

Example# Prevent hosts in VLAN 3 from joining multicast group 225.1.1.123.

<HUAWEI> system-view[HUAWEI] acl number 2008[HUAWEI-acl-basic-2008] rule deny source 225.1.1.123 0[HUAWEI-acl-basic-2008] quit[HUAWEI] igmp-snooping enable[HUAWEI] vlan 3[HUAWEI-vlan3] igmp-snooping enable[HUAWEI-vlan3] igmp-snooping group-policy 2008 2

6.1.25 igmp-snooping proxy enable

FunctionUsing the igmp-snooping proxy enable command, you can enable IGMP snooping globally.

By default., IGMP snooping is disabled globally.

Formatigmp-snooping proxy enable

ParametersNone



101

ViewsSystem view



Example# Enable IGMP proxy globally.

<HUAWEI> system-view[HUAWEI] igmp-snooping proxy enable

# Enable IGMP proxy in VLAN 3.

6.1.26 igmp-snooping ssm-policy

FunctionThe igmp-snooping ssm-policy command configures an SSM group policy for IGMP snooping.All the multicast groups permitted by the SSM group policy are SSM groups.

Formatigmp-snooping ssm-policy basic-acl-number

Parameters


basic-acl-number Specifies the number of thebasic ACL that defines therange of SSM groups.


ViewsSystem view


Usage GuidelinesPerform the following operations before using this command:



102

l Create a basic ACL.

l Enable IGMP proxy globally.

By default, SSM group addresses range from 232.0.0.0 to 232.255.255.255. If hosts need to joinmulticast groups out of this range or they are only allowed to join some of multicast groups inthe range, you can configure an SSM group policy to specify the SSM group range.

Example

# Configure multicast group 225.1.1.123 as an SSM group.

<HUAWEI> system-view[HUAWEI] acl number 2000[HUAWEI-acl-basic-2000] rule permit source 225.1.1.123 0[HUAWEI-acl-basic-2000] quit[HUAWEI] igmp-proxy enable[HUAWEI] igmp-snooping ssm-policy 2000

6.1.27 igmp-snooping static-group

Function

The igmp-snooping static-group command adds an interface statically to a multicast group.

By default, an interface is not statically added to any multicast groups.

Format

igmp-snooping static-group group-ip-address1 [ to group-ip-address2 ] [ source-addresssource-ip-address ] vlan vlan-id

Parameters


group-ip-address1 to group-ip-address2

Adds the interface tomultiple multicast groups.The values of group-ip-address1 and group-ip-address2 must be in the samenetwork segment (with a 24-bit mask).

-

source-address source-ip-address

Specifies the IP address of amulticast source.

The value of source-ip-address can be any Class A,Class B, or Class C address,in dotted decimal notation.

vlan vlanid Specifies the ID of a VLAN. The value is an integer thatranges from 1 to 4094.



103



Usage GuidelinesIn addition to dynamic multicast forwarding entries generated by Layer 2 protocol protocols,you can configure static Layer 2 multicast forwarding entries by binding interfaces to entries.After an interface is statically added to a multicast group, users connected to this interface canreceive multicast data of the multicast group for a long time.

Example# Add GE0/0/1 in VLAN 2 to multicast group 224.1.1.1.

<HUAWEI> system-view[HUAWEI] interface gigabitethernet 0/0/1[HUAWEI-GigabitEthernet0/0/1] igmp-snooping static-group 224.1.1.1 vlan 2

6.1.28 igmp-snooping suppression-time

FunctionThe igmp-snooping suppression-time command sets the global IGMP message suppressiontime.

Formatigmp-snooping suppression-time suppression-time


suppression-time Specifies the global IGMPmessage suppression time.


ViewsSystem view




104

Usage Guidelines

To reduce the IGMP messages sent to the upstream router and protects the router from attacks,enable the device to suppress IGMP Report and IGMP Leave messages sent by hosts. After thisfunction is enabled, the device processes IGMP Report and IGMP Leave messages as follows:

l After receiving an IGMP Report message and forwarding the message, the device does notforward the same type of messages to the router interface within the suppression time.

l If the device receives an IGMP General Query message or Group-Specific message, thedevice does not suppress the first IGMP Report message that responds to the General Querymessage. In addition, the device resets the suppression timer when receiving the first IGMPReport message.

The igmp-snooping suppression-time command sets the period during which IGMP Reportand IGMP Leave messages are suppressed.

Example

# Set the global IGMP message suppression time to 15 seconds.

<HUAWEI> system-view[HUAWEI] igmp-snooping suppression-time 15

6.1.29 igmp-snooping table limit

Function

Using the igmp-snooping table limit command, you can set the maximum number of the entriesthat can be configured or learnt by the IGMP snooping module on an interface.

Format

igmp-snooping table limit limit-num vlan vlan-id

Parameters


limit-num Specifies the maximumnumber of the entries that canbe configured or learnt by theIGMP snooping module onan interface.


S5700SI: 1 to 1024l S5700EI, S5710EI,

S5700HI, S5710HI, andS6700: 1 to 2048

vlan vlan-id Specifies a VLAN ID. The value is an integer thatranges from 1 to 4094.



105

Views


Default Level


Usage Guidelines

After the igmp-snooping table limit command is used, the number of the entries that can beconfigured or learnt by the IGMP snooping module on an interface cannot exceed the maximumnumber.

Example

# Set the maximum number of the entries that can be configured or learnt by the IGMP snoopingmodule on GE0/0/1 in VLAN 4 to 100.

<HUAWEI> system view[HUAWEI] interface gigabitethernet 0/0/1[HUAWEI-GigabitEthernet0/0/1] igmp-snooping table limit 100 vlan 4

6.1.30 multicast-source-deny interface

Function

The multicast-source-deny interface command enables the switch to filter outer multicast datapackets sent from a VLAN on specified interfaces.

By default, multicast data packets from all VLANs are accepted.

Format

multicast-source-deny interface interface-type interface-num1 [ to interface-num2 ] & <1-10>

Parameters


interface-type interface-num1 [ to interface-num2 ]

Specifies the interfaces onwhich the multicast packetfiltering function needs to beenabled.

-

Views

VLAN view



106


Usage GuidelinesWhen some interfaces need to reject multicast data packets sent from a VLAN (for example, auser VLAN), you can run the multicast-source-deny command in this VLAN and specify theseinterfaces in the command.

Example# Filter out multicast data packets received from VLAN 10 on GE0/0/1.

<HUAWEI> system-view[HUAWEI] vlan 10[HUAWEI-vlan10] multicast-source-deny interface gigabitethernet 0/0/1

6.1.31 reset igmp-proxy group

FunctionUsing the reset igmp-proxy group command, you can clear the dynamic forwarding entriesfrom the multicast forwarding table.

Formatreset igmp-proxy group vlan { vlan-id | all } all


vlan vlan-id vlan-id specifies the ID of aVLAN. If this parameter isspecified, the device clearsthe dynamic forwardingentries of the specifiedVLAN.


all Clears the dynamicforwarding entries of allVLANs from the multicastforwarding table.

-

ViewsUser view




107

Usage GuidelinesBefore running the reset igmp-proxy group command, you need to run the 6.1.5 igmp-proxyenable command to enable IGMP proxy globally.

If the command clears the dynamic forwarding entries of a VLAN from the multicast forwardingtable, the hosts in the VLAN cannot receive the multicast packets temporarily. The hosts canreceive multicast packets only when they send IGMP Report messages and the device generatesdynamic forwarding entries.

NOTE

This command cannot clear static forwarding entries.

Example# Clear the dynamic forwarding entries of all VLANs.

<HUAWEI> reset igmp-proxy group vlan all all

# Clear all dynamic forwarding entries of VLAN 3.

<HUAWEI> reset igmp-proxy group vlan 3 all

6.1.32 undo igmp-proxy router-learning

FunctionThe undo igmp-proxy router-learning command disables dynamic router interface learningin a VLAN.

By default, dynamic router interface learning is enabled in a VLAN.

Formatundo igmp-proxy router-learning

ParametersNone

ViewsVLAN view


Usage GuidelinesBefore running the undo igmp-proxy router-learning command, run the 6.1.5 igmp-proxyenable command to enable IGMP proxy globally and in the VLAN.

A device running IGMP snooping considers an interface as a router interface when the interfacereceives an IGMP General Query message with any source IP address except 0.0.0.0 or a PIM



108

Hello message. The device records all the router interfaces in the router interface list. Too manyrouter interfaces make it difficult for the device to control the multicast flows that users canreceive. To control the multicast flows received by users, disable router interface learning inVLANs.

Example# Disable router interface learning in VLAN 3.

<HUAWEI> system-view[HUAWEI] igmp-proxy enable[HUAWEI] vlan 3[HUAWEI-vlan3] igmp-proxy enable[HUAWEI-vlan3] undo igmp-proxy router-learning

6.1.33 undo igmp-proxy send-router-alert

FunctionUsing the undo igmp-proxy send-router-alert command, you can configure the device to sendIGMP messages not containing the Router-Alert option in the IP header.

By default, the device sends IGMP messages that contain the Router-Alert option in the IPheader.

Formatundo igmp-proxy send-router-alert

ParametersNone

ViewsVLAN view


Usage GuidelinesBefore running the undo igmp-proxy send-router-alert command, run the 6.1.5 igmp-proxyenable command to enable IGMP proxy globally and in the VLAN.

Example# Configure the device to send IGMP messages that does not contain the Router-Alert option inthe IP header to VLAN 3.

<HUAWEI> system-view[HUAWEI] igmp-proxy enable[HUAWEI] vlan 3



109

[HUAWEI-vlan3] igmp-proxy enable[HUAWEI-vlan3] undo igmp-proxy send-router-alert

6.2 MLD Snooping Compatible Commands

6.2.1 mld-snooping group-policy (interface view)

Function

The mld-snooping group-policy command configures an IPv6 multicast group policy on aninterface.

Format

mld-snooping group-policy acl6-number vlan vlan-id mld-version [ default-permit ]

Parameters


acl6-number Specifies the number of anIPv6 ACL that defines arange of multicast groups. Abasic or advanced ACL canbe used in an IPv6 multicastgroup policy.


vlan vlan-id Applies the IPv6 multicastgroup policy to a specifiedVLAN on an interface.


mld-version Specifies an MLD version.The multicast group policy isapplied only to the MLDmessages of this version. Ifthis parameter is notspecified, the multicast grouppolicy applies to all MLDmessages.

The value is 1 or 2.l 1: MLDv1l 2: MLDv2

default-permit Configures the multicastgroup policy to permit allgroups by default. That is, ifthe referenced ACL has norules, the multicast grouppolicy allows hosts in theVLAN to join all groups.

-



110



Usage GuidelinesAn IPv6 multicast group policy controls the multicast programs that users can order on a devicewith Multicast Listener Discovery (MLD) snooping enabled. In multicast applications, userhosts send MLD Report messages to join a group when they order programs of this group. Whenthe upstream Layer 2 device receives the Report messages, it processes the Report messagesdifferently depending on whether the group policy configured on the inbound interface has thedefault-permit keyword specified:l If default-permit is not specified, the group policy prevents hosts in the VLAN from

joining any group by default. A filter rule must be configured by specifying the permitkeyword in the rule command. If the Report messages match the filter rule, the Layer 2device allows the hosts in the VLAN to join the group and forwards the Report messages.If the Report messages do not match the filter rule, the Layer 2 device prevents the hostsfrom joining the group and drops the Report messages.

l If default-permit is specified, the group policy allows hosts in the VLAN to join all groupsby default. A filter rule must be configured by specifying the deny keyword in the rulecommand. If the Report messages match the filter rule, the Layer 2 device prevents thehosts in the VLAN from joining the group and drops the Report messages. If the Reportmessages do not match the filter rule, the Layer 2 device allows the hosts to join the groupand forwards the Report messages.

Example# Prevent hosts in VLAN 10 on GE0/0/1 from joining IPv6 multicast group ff1c::3/32.

<HUAWEI> system-view[HUAWEI] acl ipv6 number 2000[HUAWEI-acl6-basic-2000] rule deny source ff1c::3/32[HUAWEI-acl6-basic-2000] quit[HUAWEI] mld-snooping enable[HUAWEI] vlan 10[HUAWEI-vlan10] mld-snooping enable[HUAWEI-vlan10] quit[HUAWEI] interface gigabitethernet 0/0/1[HUAWEI-GigabitEthernet0/0/1] port link-type trunk[HUAWEI-GigabitEthernet0/0/1] port trunk allow-pass vlan 10[HUAWEI-GigabitEthernet0/0/1] mld-snooping group-policy 2000 vlan 10 default-permit

# Allow hosts in VLAN 10 connected to GE0/0/1 to join IPv6 multicast group ff1c::3/32.<HUAWEI> system-view[HUAWEI] acl ipv6 number 2000[HUAWEI-acl6-basic-2000] rule permit source ff1c::3/32[HUAWEI-acl6-basic-2000] quit[HUAWEI] mld-snooping enable[HUAWEI] vlan 10[HUAWEI-vlan10] mld-snooping enable[HUAWEI-vlan10] quit[HUAWEI] interface gigabitethernet 0/0/1



111

[HUAWEI-GigabitEthernet0/0/1] port link-type trunk[HUAWEI-GigabitEthernet0/0/1] port trunk allow-pass vlan 10[HUAWEI-GigabitEthernet0/0/1] mld-snooping group-policy 2000 vlan 10

6.2.2 mld-snooping group-policy (VLAN view)

FunctionThe mld-snooping group-policy command configures an IPv6 multicast group policy in aVLAN.

Formatmld-snooping group-policy acl6-number mld-version [ default-permit ]

undo mld-snooping group-policy


acl6-number Specifies the number of anIPv6 ACL that defines arange of multicast groups. Abasic or advanced ACL canbe used in an IPv6 multicastgroup policy.


mld-version Applies the multicast grouppolicy only to the MLDmessages of the specifiedversion. If this parameter isnot specified, the multicastgroup policy applies to allMLD messages.

The value is 1 or 3.l 1: MLDv1l 2: MLDv2

default-permit Configures the multicastgroup policy to permit allgroups by default. That is, ifthe referenced ACL has norules, the multicast grouppolicy allows hosts in theVLAN to join all groups.

-

ViewsVLAN view




112

Usage Guidelines

An IPv6 multicast group policy controls the multicast programs that users can order on a devicewith Multicast Listener Discovery (MLD) snooping enabled. In multicast applications, userhosts send MLD Report messages to join a group when they order programs of this group. Whenthe upstream Layer 2 device receives the Report messages, it processes the Report messagesdifferently depending on whether the group policy configured in the VLAN has the default-permit keyword specified:

l If default-permit is not specified, the group policy prevents hosts in the VLAN fromjoining any group by default. A filter rule must be configured by specifying the permitkeyword in the rule command. If the Report messages match the filter rule, the Layer 2device allows the hosts in the VLAN to join the group and forwards the Report messages.If the Report messages do not match the filter rule, the Layer 2 device prevents the hostsfrom joining the group and drops the Report messages.

l If default-permit is specified, the group policy allows hosts in the VLAN to join all groupsby default. A filter rule must be configured by specifying the deny keyword in the rulecommand. If the Report messages match the filter rule, the Layer 2 device prevents thehosts in the VLAN from joining the group and drops the Report messages. If the Reportmessages do not match the filter rule, the Layer 2 device allows the hosts to join the groupand forwards the Report messages.

Example

# Prevent hosts in VLAN 4 from joining IPv6 multicast group ff1e::1/32.

<HUAWEI> system-view[HUAWEI] acl ipv6 number 2001[HUAWEI-acl6-basic-2001] rule deny source ff1e::1/32[HUAWEI-acl6-basic-2001] quit[HUAWEI] mld-snooping enable[HUAWEI] vlan 4[HUAWEI-vlan4] mld-snooping enable[HUAWEI-vlan4] mld-snooping group-policy 2001 default-permit

# Allow hosts in VLAN 4 to join IPv6 multicast group ff1e::1/32.<HUAWEI> system-view[HUAWEI] acl ipv6 number 2001[HUAWEI-acl6-basic-2001] rule permit source ff1e::1/32[HUAWEI-acl6-basic-2001] quit[HUAWEI] mld-snooping enable[HUAWEI] vlan 4[HUAWEI-vlan4] mld-snooping enable[HUAWEI-vlan4] mld-snooping group-policy 2001

6.3 Multicast VLAN Compatible Commands

6.3.1 multicast user-vlan

Function

Using the multicast user-vlan command, you can set the mapping between a multicast VLANand a user VLAN.



113

Formatmulticast user-vlan { vlan-id1 [ to vlan-id2 ] } & <1-10>

Parameters




ViewsVLAN view


Usage GuidelinesA user VLAN can be mapped to only one multicast VLAN. If you configure a multicast VLANfor a user VLAN, and then you configure another multicast VLAN for the user VLAN, the latestconfigured multicast VLAN overrides the previous configuration.

Example# Set the mapping between a multicast VLAN with the ID as 1 and a user VLAN with the ID as2 after VLAN 1 is enabled with the multicast VLAN function.

[HUAWEI] vlan 1[HUAWEI-vlan1] multicast user-vlan 2

# Set the mappings between a multicast VLAN with the ID as 1 and user VLANs with the IDsranging from 2 to 10 after VLAN 1 is enabled with the multicast VLAN function.

[HUAWEI] vlan 1[HUAWEI-vlan1] multicast user-vlan 2 to 10



114

7 QoS compatible command

About This Chapter

7.1 cpu queue bpdu

7.2 port queue statistics enable

7.3 qos drr (scheduling template view)

7.4 qos local-precedence-queue-map

7.5 qos queue

7.6 qos queue max-buffer

7.7 qos queue max-length (tail drop template view)

7.8 qos queue statistics enable

7.9 qos sred

7.10 qos wrr (scheduling template view)

S2750&S5700&S6700 Series Ethernet SwitchesCompatible Commands Reference 7 QoS compatible command


115

7.1 cpu queue bpdu

Function

Using the cpu queue bpdu command, you can set the bandwidth consumed by BPDUs sent tothe queues on the CPU.

NOTE

This command is only supported by S5700SI and S5700EI..

Format

cpu queue bpdu cir cir pir pir

Parameters


cir cir Specifies the CommittedInformation Rate (CIR)of BPDUs sent to thequeues on the CPU.

The value is an integer thatranges from 64 to 512, in kbit/s. By default, the CIR is 128kbit/s.

pir pir Specifies the PeakInformation Rate (PIR)of BPDUs sent to thequeues on the CPU.

The value is an integer thatranges from 64 to 512, in kbit/s. By default, the PIR is 128kbit/s.

Views

System view

Default Level


Usage Guidelines

If packet loss occurs during the transmission of BPDUs, you can use the cpu queue bpducommand to set the bandwidth of BPDUs sent to the queues on the CPU. In this manner, lessBPDUs are lost.

Example

# Set the CIR and PIR of BPDUs sent to the queues on the CPU to 512 kbit/s.

<Quidway> system-view[Quidway] cpu queue bpdu cir 512 pir 512



116

7.2 port queue statistics enable

Function

Using the port queue statistics enable command, you can enable traffic statistics on a specifiedqueue and set parameters.

Using the undo port queue statistics enable command, you can disable traffic statistics on aspecified queue.

By default, traffic statistics on a specified queue is disabled.

NOTE

This command is only supported by S5700EI.

Format

port queue statistics enable queue-index queue-index inbound interface interface-typeinterface-number

port queue statistics enable queue-index queue-index outbound interface interface-typeinterface-number [ from interface interface-type interface-number ]

Parameters


queue-index Specifies a queue index. The value is an integer thatranges from 0 to 7. Value 0 tovalue 7 correspond to queue0 to queue 7 respectively.


Specifies the type andnumber of an interface.

The interface type can beethernet, gigabitethernet,xgigabitethernet.

from interface interface-type interface-number

Enables traffic statistics on aspecified queue from aspecified inbound interfaceto a specified outboundinterface.


Views

System view

Default Level




117

Usage Guidelines

If you have enabled traffic statistics on a specified queue, you can view the number of passedpackets in the queue.

NOTE

port queue statistics enable queue-index queue-index outbound interface interface-type interface-number

The device supports traffic statistics on a maximum of eight queues.

Example

# Display traffic statistics on queue 7 on the ingress interface GigabitEthernet 0/0/1.

<Quidway> system-view[Quidway] port queue statistics enable queue-index 7 inbound interface gigabitethernet 0/0/1

7.3 qos drr (scheduling template view)

Function

Using the qos drr command, you can set parameters for queues on which the DRR schedulingis used.

Using the undo qos drr command, you can restore default values of parameters for queues onwhich the DRR scheduling is used.

By default, the DRR scheduling weight value of a queue is 1.

NOTE

This command can be configured only on the S5700SI.

Format

qos drr queue-index queue-index weight weight-value

undo qos drr queue-index

Parameters


queue-index Specifies the index of aqueue.

The value is an integer thatranges from 0 to 7. Value 0 tovalue 7 correspond to queue0 to queue 7 respectively.

weight-value Specifies the DRRscheduling weight value of aqueue.




118

ViewsScheduling template view

Default Level


Usage GuidelinesYou can set parameters for queues on which the DRR scheduling is used only when thescheduling mode in the scheduling template view is DRR; otherwise, you need to run the qos(scheduling template view) command to change the scheduling mode on an interface to DRRfirst. By default, the scheduling mode of the device is WRR.

If the qos drr command is repeatedly run in the same scheduling template view for the samequeue, the later configuration overrides the previous configuration.

Example# Set the scheduling mode of queue 3 to DRR, and then set the scheduling weight value to 20in global scheduling template a.

<Quidway> system-view[Quidway] qos schedule-profile a[Quidway-qos-schedule-profile-a] qos drr[Quidway-qos-schedule-profile-a] qos drr queue-index 3 weight 20

7.4 qos local-precedence-queue-map

FunctionUsing the qos local-precedence-queue-map command, you can configure the mapping betweena local precedence and a queue.

Using the undo qos local-precedence-queue-map command, you can restore the defaultmapping between a local precedence and a queue.

NOTE

This command is only supported by S5700EI and S5700SI.

Formatqos local-precedence-queue-map local-precedence queue-index

undo qos local-precedence-queue-map



119

Parameters


local-precedence Specifies a local precedence. The value is an integer thatranges from 0 to 7. Thegreater the value, the higherthe priority.



Views

System view

Default Level


Usage Guidelines

If the qos local-precedence-queue-map command is run repeatedly in the same system view,the later configuration overrides the previous configuration.

The device sends packets to the specified queue according to the mapping between a localprecedence and a queue.

By default, the mapping between a local precedence and a queue is shown in the following table.

Table 7-1 Mapping between a local precedence and a queue

Local Precedence Queue Index

7 7

6 6

5 5

4 4

3 3

2 2

1 1

0 0



120

Example# Map queue 3 to local precedence 4.

<Quidway> system-view[Quidway] qos local-precedence-queue-map 4 3

7.5 qos queue

FunctionUsing the qos queue command, you can configure scheduling parameters for queues of eachclass of service on an interface.

Using the undo qos queue command, you can restore the default scheduling parameters forqueues of each class of service on an interface.

Formatqos queue { af1 | af2 | af3 | af4 | be | cs6 | cs7 | ef } cir cir-value pir pir-value [ cbs cbs-valuepbs pbs-value ]

undo qos queue { af1 | af2 | af3 | af4 | be | cs6 | cs7 | ef }

NOTE

This command is only supported by S5700SI and S5700EI.

Parameters


af1, af2, af3, af4 Indicates queues thatguarantee bandwidths,corresponding to queues Q1,Q2, Q3, and Q4 respectively.

-

be Indicates the best effort (BE)queue, corresponding toqueue Q0.

-

cs6, cs7 Indicates high priorityqueues that correspond toqueue Q6 and queue Q7respectively.

-

ef Indicates the low-delayqueue that corresponds toqueue Q5.

-



121


cir cir-value Specifies a CIR, that is,guaranteed bandwidth of aninterface.

It is an integer ranging from64 to the interface bandwidth,in kbit/s. For example, thebandwidth of a GE interfaceis 1000000 kbit/s, and that ofa 10GE interface is 10000000kbit/s.

pir pir-value Specifies a PIR, that is,restricted bandwidth of aninterface.

It is an integer ranging from64 to the interface bandwidth,in kbit/s. For example, thebandwidth of a GE interfaceis 1000000 kbit/s, and that ofa 10GE interface is 10000000kbit/s. The default value isthe interface bandwidth.

cbs cbs-value Specifies a Committed BurstSize (CBS), that is, thecommitted traffic size thatcan pass at a burst of traffic.

It is an integer ranging from4096 bytes to 16773120bytes. The default cbs-valueis related to the configuredcir-value.

pbs pbs-value Specifies a Peak Burst Size(PBS), that is, the peak trafficsize that can pass at a burst oftraffic.

It is an integer ranging from4096 bytes to 16773120bytes. The default pbs-valueis related to the configuredpir-value.

NOTE

The priorities of queues Q7, Q6, …, Q1, and Q0 are 7, 6, …, 1, and 0 respectively, in an descending orderon an interface.

Views

GE interface view, 10GE interface view

Default Level


Usage Guidelines

When the rate of an interface on a downstream device is lower than the rate of an interface onan upstream device, traffic congestion may occur on the interface of the upstream device. In thiscase, you can configure traffic shaping for queues on the outbound interface of the upstreamdevice and adjust the sending rate of the interface.



122

Example

# Configure traffic shaping for queue 2 on GE0/0/1. Set the CIR to 300 kbit/s and the PIR to500 kbit/s.

<Quidway> system-view[Quidway] interface gigabitethernet 0/0/1[Quidway-GigabitEthernet0/0/1] qos queue af2 cir 300 pir 500

7.6 qos queue max-buffer

Function

Using the qos queue max-buffer command, you can set the maximum buffer size of all packetsin a specified queue for a tail drop template.

Using the qos queue green max-buffer command, you can set the maximum buffer size ofgreen packets in a specified queue for a tail drop template.

Using the undo qos queue max-buffer command, you can delete the maximum buffer size ofall packets in a specified queue set for a tail drop template.

Using the undo qos queue green max-buffer command, you can delete the maximum buffersize of green packets in a specified queue set for a tail drop template.

Format

qos queue { af1 | af2 | af3 | af4 | be | cs6 | cs7 | ef } max-buffer cell-number [ green max-buffer cell-number ]

qos queue { af1 | af2 | af3 | af4 | be | cs6 | cs7 | ef } green max-buffer cell-number

undo qos queue { af1 | af2 | af3 | af4 | be | cs6 | cs7 | ef | all } max-buffer [ green max-buffer ]

undo qos queue { af1 | af2 | af3 | af4 | be | cs6 | cs7 | ef | all } green max-buffer

NOTE

Only the S5700SI supports this command.

Parameters


af1, af2, af3, af4 Indicates bandwidthguaranteed queues thatcorrespond to queues Q1, Q2,Q3, and Q4 respectively.

-

be Indicates the BE queue thatcorresponds to queue Q0.

-



123


cs6, cs7 Indicates high priorityqueues that correspond toqueues Q6 and Q7respectively.

-


-

max-buffer cell-number Specifies the maximumbuffer size of all packets in aspecified queue.

The value is an integer thatranges from 1 to 5134, incells. The size of a cell is 256bytes. The default value is 24.

green max-buffer cell-number

Specifies the maximumbuffer size of green packetsin a specified queue.

The value is an integer thatranges from 1 to 5134, incells. The size of a cell is 256bytes. The default value is 12.

Views

Tail drop template view

Default Level


Usage Guidelines

After running the qos tail-drop-profile command to create a tail drop template, you can run theqos queue max-buffer command to set the maximum buffer size of all packets or green packetsin a specified queue for a tail drop template.

Example

# Create a global tail drop template named a, and then set the maximum buffer size of all packetsin a BE queue for the global tail drop template to 200, in cells.

<Quidway> system-view[Quidway] qos tail-drop-profile a[Quidway-qos-tail-drop-profile-a] qos queue be max-buffer 200

7.7 qos queue max-length (tail drop template view)

Function

Using the qos queue max-length command, you can set the maximum length of all packets ina specified queue for a tail drop template.



124

Using the qos queue green max-length command, you can set the maximum length of greenpackets in a specified queue for a tail drop template.

Using the undo qos queue max-length command, you can delete the maximum length of allpackets in a specified queue set for a tail drop template.

Using the undo qos queue green max-length command, you can delete the maximum lengthof green packets in a specified queue set for a tail drop template.

NOTE


Formatqos queue { af1 | af2 | af3 | af4 | be | cs6 | cs7 | ef } max-length packet-number [ green max-length packet-number ]

qos queue { af1 | af2 | af3 | af4 | be | cs6 | cs7 | ef } green max-length packet-number

undo qos queue { af1 | af2 | af3 | af4 | be | cs6 | cs7 | ef | all } max-length [ green max-length ]

undo qos queue { af1 | af2 | af3 | af4 | be | cs6 | cs7 | ef | all } green max-length


af1, af2, af3, af4 Indicates bandwidthguaranteed queues thatcorrespond to queues Q1, Q2,Q3, and Q4 respectively.

-

be Indicates the BE queue thatcorresponds to queue Q0.

-

cs6, cs7 Indicates high priorityqueues that correspond toqueues Q6 and Q7respectively.

-


-

max-length packet-number Specifies the maximumlength of all packets in aspecified queue.

The value is an integer thatranges from 1 to 5134, inpackets. The default value is22.

green max-length packet-number

Specifies the maximumlength of green packets in aspecified queue.

The value is an integer thatranges from 1 to 5134, inpackets. The default value is11.



125

ViewsTail drop template view


Usage GuidelinesAfter running the qos tail-drop-profile command to create a tail drop template, you can run theqos queue max-length command in the tail drop template view to set the maximum length ofall packets or green packets in a specified queue for the tail drop template.

Example# Create a global tail drop template named a, and then set the maximum length of all packets ina BE queue for the global tail drop template to 200, in packets.

<Quidway> system-view[Quidway] qos tail-drop-profile a[Quidway-tail-drop-profile-a] qos queue be max-length 200

7.8 qos queue statistics enable

FunctionUsing the qos queue statistics enable command, you can enable the queue statistics functionon a specified outbound interface.

Using the undo qos queue statistics enable command, you can disable the queue statisticsfunction on a specified outbound interface.

By default, the queue statistics function is disabled.

NOTE


Formatqos queue statistics enable interface interface-type interface-number

undo qos queue statistics enable

Parameters


interface interface-typeinterface-number

Specifies the type andnumber of an interface.




126

Views

System View

Default Level


Usage Guidelines

After enabling the queue statistics function on a specified outbound interface, you can view thenumber of packets in the queue.

When you repeatedly run the qos queue statistics enable command in the system view, thelatest configuration overrides the previous ones.

The function of the qos queue statistics enable command is similar to that of the port queuestatistics enable command, but the port queue statistics enable command can flexiblyconfigure the statistics function of eight queues according to the interface, queue, and direction.The port queue statistics enable command provides powerful functions, but the configurationis complicated. The qos queue statistics enable command simplifies the configuration and cantake the statistics on packets entering the queue and discarded in the queue on the specifiedinterface. For problems of packet scheduling and packet loss in the queue, the qos queuestatistics enable command provides initial location information.

NOTICEThe qos queue statistics enable command is exclusive with the port queue statistics enablecommand.

l If the port queue statistics enable command has been used, the following error messageis displayed on the device when the qos queue statistics enable command is used:Error: Can't perform this operation because the port-queue-statistics is enabled.

l If the qos queue statistics enable command has been used, the following error message isdisplayed on the device when the port queue statistics enable command is used:Error: Can't perform this operation because the qos-queue-statistics is enabled.

After the qos queue statistics enable command is used, the statistics on discarded packets inqueues on other interfaces except for the specified interface are not taken. The output of thedisplay hol-drop command is affected. Therefore, the output of the display hol-drop commandis inaccurate. After the undo qos queue statistics enable command is run, the statistics ondiscarded packets in queues on all the interfaces are taken.

Example

# Take the statistics on outgoing packets of the queue on GE 0/0/1.

<Quidway> system-view[Quidway] qos queue statistics enable interface gigabitethernet 0/0/1



127

7.9 qos sred

Function

Using the qos sred command, you can set the SRED threshold and drop probability for queueson an outbound interface.

Using the undo qos sred command, you can restore the default configuration. By default, theSRED threshold and drop probability for queues on an outbound interface are not set.

NOTE


Format

qos sred queue-index queue-index red start-discard-point discard-probability discard-probability yellow start-discard-point discard-probability discard-probability

undo qos sred [ queue queue-index ]

Parameters




start-discard-point Specifies a threshold fordiscarding packets.

The value ranges from 4 to2047.

discard-probability Specifies a probability fordiscarding packets.

The value ranges from 0 to 7.The mapping between thevalues and percentages is asfollows:l 0: 100%l 1: 6.25%l 2: 3.125%l 3: 1.5625%l 4: 0.78125%l 5: 0.390625%l 6: 0.1953125%l 7: 0.09765625%



128

Views

System view

Default Level


Usage GuidelinesNOTE

Using the trust 8021p command, you can configure an interface to trust priorities carried in packets. Then,the device colors the packets red or yellow according to the 802.1p priorities of the packets; the device setsa threshold for dropping red packets and a threshold for dropping yellow packets. When congestionavoidance based on the SRED is configured,

l A threshold for discarding red packets and the drop probability that are set for queues 0 to 4 takeeffect.

l A threshold for discarding yellow packets and the drop probability that are set for queues 0 to 4 donot take effect.

l A threshold for discarding yellow packets and the drop probability that are set for queues 5 to 7 takeeffect.

l A threshold for discarding red packets and the drop probability that are set for queues 5 to 7 do nottake effect.

Using the trust 8021p command, you can configure an interface to trust DSCP values of packets. Then,the device colors the packets red or yellow according to drop precedences of packets; packets enter differentqueues according to mappings between DSCP values and 802.1p priorities; the device drops packetsaccording to thresholds for dropping packets and drop precedences that are set in queues.

Configuring an SRED threshold impacts on thresholds for discarding packets in all queues onan interface. When you repeatedly run the qos sred command for the same queue, the laterconfiguration overwrites the previous configuration.

When the number of packets in a queue is greater than a threshold for discarding packets,conformed packets are dropped from the tail of the queue according to the drop probability setby a user.

Example

# Configure queue 0 in the system view. Set a threshold for discarding red packets to 10. Set thedrop probability for red packets to 5. Set a threshold for discarding yellow packets to 20. Set thedrop probability for yellow packets to 4.

<Quidway> system-view[Quidway] qos sred queue-index 0 red 10 discard-probability 5 yellow 20 discard-probability 4

7.10 qos wrr (scheduling template view)

Function

Using the qos wrr command, you can set parameters for queues on which the WRR schedulingis used.



129

Using the undo qos wrr command, you can restore default values of parameters for queues onwhich WRR scheduling is used.

By default, the WRR scheduling weight value of a queue is 1.

NOTE


Format

qos wrr queue-index queue-index weight weight-value

undo qos wrr queue-index

Parameters




weight-value Specifies the WRRscheduling weight value of aqueue.


Views

Scheduling template view

Default Level


Usage Guidelines

The device forwards packets of queues round according to values of WRR schedulingparameters. The ratio of WRR weight values refers to the ratio of the number of packets in queuesfor forwarding.

If the qos wrr command is repeatedly run in the same scheduling template view for the samequeue, the later configuration overrides the previous configuration.

Example

# In global scheduling template a, set the scheduling mode of queue 3 to WRR, and then set thescheduling weight value to 20.

<Quidway> system-view[Quidway] qos schedule-profile a



130

[Quidway-qos-schedule-profile-a] qos wrr[Quidway-qos-schedule-profile-a] qos wrr queue-index 3 weight 20



131

8 Security Compatible Commands

About This Chapter

8.1 AAA Compatible Commands

8.2 DHCP Snooping Compatible Commands

8.3 NAC Compatible Commands

8.4 Local Attack Defense Compatible Commands

8.5 IP Source Guard Compatible Commands

8.6 URPF Compatible Commands

8.7 Traffic Suppression Compatible Commands

8.8 ACL Compatible Commands

S2750&S5700&S6700 Series Ethernet SwitchesCompatible Commands Reference 8 Security Compatible Commands


132

8.1 AAA Compatible Commands

8.1.1 adminuser-priority

Function

The adminuser-priority command configures a user as an administrator to log in to the deviceand sets the administrator level during login.

Format

adminuser-priority level

Parameters


level Specifies the level of an administrator. The value is an integer ranging from 0to 15. After logging in to the device, auser can run only the commands of thesame level or lower levels.

Views

Service scheme view

Default Level


Usage Guidelines

The adminuser-priority command configures a user as an administrator to log in to the deviceand sets the administrator level during login.

Example

# Configure a user as an administrator to log in to the device and set the administrator level to15.

<HUAWEI> system-view[HUAWEI] aaa[HUAWEI-aaa] service-scheme svcscheme1[HUAWEI-aaa-service-svcscheme1] adminuser-priority 15

8.1.2 local-user level



133

FunctionThe local-user level command sets the level of a local user.

Formatlocal-user user-name level level


user-name Specifies the user name. The value is a string of 1 to64 case-insensitivecharacters without spaces.

level Specifies the user level. The value is an integer thatranges from 0 to 15. A greatervalue indicates a higher levelof a user. The default userlevel is 3.After logging in to the device,a user can run only thecommands of the same levelor lower levels.

ViewsAAA view


Usage GuidelinesThe local-user level command sets the level of a local user.

Example# Set the level of local user [email protected] to 6.

<HUAWEI> system-view[HUAWEI] aaa[HUAWEI-aaa] local-user [email protected] level 6

8.1.3 local-user password old-password

FunctionThe local-user password old-password command changes the password for a local user.



134

Formatlocal-user user-name password { cipher | irreversible-cipher } password old-password old-password

Parameters


user-name Specifies a user name. If theuser name contains a domainname delimiter such as @,the character string before @is the user name and thecharacter string behind @ isthe domain name. If the username does not contain @, theentire character string is theuser name and the domainname is the default one.

The value is a string of 1 to64 case-sensitive characterswithout spaces. The value isin format [email protected] querying andmodifying user names, youcan use the wildcard *, forexample, *@isp, user@*,and *@*.

cipher password Indicates a passwordencrypted through thereversible algorithm.It is recommended that youset the user password whencreating a user.cipher indicates that thepassword is encryptedthrough the reversiblealgorithm. That is,unauthorized users candecrypt the passwords ofauthorized users. This modehas low security.

The value is a string of case-sensitive characters withoutspaces. The length of a plain-text password ranges from 8to 16, and the length of acipher-text password is 32.

irreversible-cipherpassword

Indicates a passwordencrypted through theirreversible algorithm.irreversible-cipherindicates that the password isencrypted through theirreversible algorithm. Thatis, unauthorized users cannotdecrypt the passwords ofauthorized users. This modehas high security.

The value is a string of case-sensitive characters withoutspaces. The length of a plain-text password ranges from 8to 16, and the length of acipher-text password is 56.



135


old-password old-password Indicates the old password ofa local user.

The value is a string of case-sensitive characters withoutspaces. The length of a plain-text password ranges from 8to 16, and the length of acipher-text password is 32 or56.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

It is recommended that you change user passwords in the following situations:

l Unauthorized users use the default user name and password to log in to the device.

l A password has been used for a long time, so it is prone to disclosing and deciphering.

Example

# Change the password of the local user user1@vipdomain from admin@12345 tohuawei@1234.

<HUAWEI> system-view[HUAWEI] aaa[HUAWEI-aaa] local-user user1@vipdomain password cipher huawei@1234 old-password admin@12345

8.1.4 radius-server test-user detect interval

Function

The radius-server test-user detect interval command sets the interval for automatic user statusdetection.

Format

radius-server test-user detect interval interval-time



136

Parameters


interval-time Specifies the interval forautomatic user statusdetection.

The value is an integer thatranges from 5 to 3600, inseconds.

Views

RADIUS server template view

Default Level


Usage Guidelines

You can use this command to set the interval for automatic user status detection.

Example

# Set the interval for automatic user status detection to 360 seconds.

<HUAWEI> system-view[HUAWEI] radius-server template huawei[HUAWEI-radius-huawei] radius-server test-user detect interval 360

8.2 DHCP Snooping Compatible Commands

8.2.1 dhcp option82 format

Function

The dhcp option82 format command configures the format of the Option 82 field in DHCPmessages.

Format

dhcp option82 [ circuit-id | remote-id ] format userdefined text

Parameters


circuit-id Specifies the format of the circuit-id(CID).

-



137


remote-id Specifies the format of the remote-id(RID).

-

userdefined text Indicates the user-defined format of theOption 82 field.

text is the user-defined characterstring of the Option 82 field.

ViewsSystem view


Usage GuidelinesYou can use the dhcp option82 format command to configure the format of the Option 82 fieldin DHCP messages.

Example# Configure the user-defined string for the CID in the Option 82 field and use the hexadecimalformat to encapsulate the CID type (0, indicating the hexadecimal format), length (excludingthe length of the CID type and the length keyword itself), outer VLAN ID, slot ID (5 bits), subslotID (3 bits), and port number (8 bits).

<HUAWEI> system-view[HUAWEI] dhcp option82 circuit-id format userdefined 0 %length %svlan %5slot %3subslot %8port

8.2.2 dhcp snooping bind-table

FunctionThe dhcp snooping bind-table command configures a device to automatically back up DHCPsnooping binding entries in a specified file.

Formatdhcp snooping bind-table autosave file-name [ write-delay delay-time ]



138

Parameters


file-name Specifies the path for storingthe file that backs up DHCPsnooping binding entries andthe file name. You mustspecify both the path andname of the file supported bythe system.


write-delay delay-time Specifies the interval forlocal automatic backup of theDHCP snooping bindingtable.If this parameter is notspecified, the backup intervalis the default value.

The value is an integer thatranges from 60 to4294967295, in seconds. Bydefault, the system backs upthe DHCP snooping bindingtable every two days.

Views

System view

Default Level


Usage Guidelines

You can use the dhcp snooping bind-table command to back up DHCP snooping binding entriesin a specified file.

Example

# Configure a device to automatically back up DHCP snooping binding entries in the filebackup.tbl in the flash memory.

<HUAWEI> system-view[HUAWEI] dhcp snooping enable[HUAWEI] dhcp snooping bind-table autosave flash:/backup.tbl

8.2.3 dhcp snooping information circuit-id

Function

The dhcp snooping information circuit-id command configures the Option 82 circuit-idformat.



139

FormatSystem view:

dhcp snooping information circuit-id string string

Interface view:

dhcp snooping information vlan vlan-id circuit-id string string


string string Specifies the circuit-idformat.



ViewsSystem view, Ethernet interface view, GE interface view, XGE interface view, 40GE interfaceview, Eth-Trunk interface view


Usage GuidelinesYou can use the dhcp snooping information circuit-id command to configure the Option 82circuit-id format.

Example# Configure the Option 82 circuit-id format.

<Quidway> system-view[Quidway] dhcp snooping information circuit-id string teststring

8.2.4 dhcp snooping information remote-id

FunctionThe dhcp snooping information remote-id command configures the Option 82 remote-idformat.

FormatSystem view:

dhcp snooping information remote-id { sysname | string string }



140

Interface view:

dhcp snooping information vlan vlan-id remote-id string string

Parameters


sysname System name. -

string string Specifies the remote-idformat.



Views

System view, Ethernet interface view, GE interface view, XGE interface view, 40GE interfaceview, Eth-Trunk interface view

Default Level


Usage Guidelines

You can use the dhcp snooping information remote-id command to configure the Option 82remote-id format.

Example

# Configure the Option 82 remote-id format.

<Quidway> system-view[Quidway] dhcp snooping information remote-id string teststring

8.2.5 dhcp snooping information format

Function

The dhcp snooping information format command configures the Option 82 field format.

Format

dhcp snooping information format { hex | ascii }



141

Parameters


hex Sets the Option 82 format tohexadecimal.

-

ascii Sets the Option 82 format toASCII.

-

ViewsSystem view


Usage GuidelinesYou can use the dhcp snooping information format command to configure the Option 82 fieldformat.

Example# Set the Option 82 format to ASCII.

<HUAWEI> system-view[HUAWEI] dhcp snooping information format ascii

8.2.6 dhcp snooping check dhcp-rate enable

FunctionThe dhcp snooping check dhcp-rate enable command enables the alarm function for checkingthe rate of sending DHCP packets to the DHCP stack.

Formatdhcp snooping check dhcp-rate enable rate rate [ alarm { enable | [ enable ] thresholdthreshold } | vlan { vlanstart_id [ to vlanend_id ] } &<1-10>]



142

Parameters


rate rate Specifies the rate of sending DHCPmessages to the CPU.

The value is an integer that rangesfrom 1 to 4094.


threshold threshold Specifies the alarm threshold for thenumber of DHCP packets sent to theCPU. After DHCP packet check isenabled, an alarm is generated if thenumber of discarded DHCP packetsreaches the alarm threshold.


ViewsSystem view, VLAN view, Ethernet interface view, GE interface view, XGE interface view,40GE interface view, Eth-Trunk interface view


Usage GuidelinesYou can use the dhcp snooping check dhcp-rate enable command to enable the alarm functionfor checking the rate of sending DHCP packets to the DHCP stack.

This command can only be used during a configuration restoration.

Example# Enable DHCP packet rate check in the system view.

<HUAWEI> system-view[HUAWEI] dhcp snooping enable[HUAWEI] dhcp snooping check dhcp-rate enable

8.2.7 dhcp snooping global max-user-number

FunctionThe dhcp snooping global max-user-number command sets the maximum number of globalDHCP users.

By default, the maximum number of global DHCP users is 1024.

Formatdhcp snooping global max-user-number max-user-number



143

Parameters


max-user-number Specifies the maximumnumber of global DHCPusers.


Views

System view

Default Level


Usage Guidelines

The dhcp snooping global max-user-number command takes effect only when DHCPsnooping is enabled globally and is valid for only DHCP users. When the number of globalDHCP users reaches the threshold set by this command, no more users can access.

You can use the dhcp snooping global max-user-number command to set the maximumnumber of global users.

Example

# Set the maximum number of global DHCP users to 100.

<HUAWEI> system-view[HUAWEI] dhcp snooping enable[HUAWEI] dhcp snooping global max-user-number 100

8.2.8 dhcp snooping sticky-mac

Function

The dhcp snooping sticky-mac command enables the device to generate static MAC addressentries based on dynamic DHCP snooping binding entries.

The undo dhcp snooping sticky-mac command disables the device from generating static MACaddress entries based on dynamic DHCP snooping binding entries.

By default, the device is disabled to generate static MAC address entries based on dynamicDHCP snooping binding entries.

Format

dhcp snooping sticky-mac

undo dhcp snooping sticky-mac



144

Parameters

None

Views

Ethernet interface view, 40GE interface view, GE interface view, XGE interface view, port groupview, Eth-trunk view

Default Level


Usage Guidelines

Usage Scenario

Dynamic MAC address entries are learned and generated by the device, and static MAC addressentries are configured by command lines. A MAC address entry consists of the MAC address,VLAN ID, and port number of a DHCP client. The device implements Layer 2 forwarding basedon MAC address entries.

After the dhcp snooping sticky-mac command is executed on an interface, the device generatesstatic MAC address entries (snooping type) of DHCP users on the interface based on thecorresponding dynamic binding entries, clears all the dynamic MAC address entries on theinterface, disables the interface to learn dynamic MAC address entries, and enables the deviceto match the source MAC address based on MAC address entries. Then only the message withthe source MAC address matching the static MAC address entry can pass through the interface;otherwise, messages are discarded. Therefore, the administrator needs to manually configurestatic MAC address entries (the static type) for non-DHCP users on the interface so that messagessent from non-DHCP users can pass through; otherwise, DHCP messages are discarded. Thisprevents attacks from non-DHCP users.

NOTE

l If a DHCP snooping binding entry is updated, the corresponding static MAC address entry isautomatically updated.

l If you run the dhcp snooping sticky-mac command on the interface, DHCPv6 users cannot go online.Run the nd snooping enable command in the system view and interface view to enable ND snoopingand the savi enable command in the system view to enable SAVI.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

The dhcp snooping sticky-mac command cannot be used with the following commands on aninterface.

Command Description

dot1x enable Enables 802.1x authentication on aninterface.



145

Command Description

mac-authen Enables MAC address authentication on aninterface.

mac-address learning disable Enables MAC address learning.

mac-limit Sets the maximum number of MAC addressesto be learned.

port vlan-mapping vlan map-vlanport vlan-mapping vlan inner-vlan

Enables VLAN mapping.

port-security enable Enables port security.

Example# Enable the device to generate static MAC address entries based on DHCP snooping bindingentries on GE0/0/1.

<HUAWEI> system-view[HUAWEI] dhcp enable[HUAWEI] dhcp snooping enable[HUAWEI] interface gigabitethernet 0/0/1[HUAWEI-GigabitEthernet0/0/1] dhcp snooping sticky-mac

8.2.9 dhcp snooping trust

FunctionThe dhcp snooping trust command configures an interface as a trusted interface.

The undo dhcp snooping trust command configures an interface as an untrusted interface.

By default, all interfaces are untrusted interfaces.

Formatdhcp snooping trust interface interface-type interface-number

undo dhcp snooping trust interface interface-type interface-number

Parameters


interface interface-type interface-number

Specifies the type and number of aninterface.l interface-type specifies the interface

type.l interface-number specifies the interface

number.

-



146

Views

VLAN view

Default Level


Usage Guidelines

To enable DHCP clients to obtain IP addresses from authorized DHCP servers, DHCP snoopingsupports the trusted interface and untrusted interfaces. The trusted interface forwards DHCPmessages while untrusted interfaces discard received DHCP ACK messages and DHCP Offermessages.

An interface directly or indirectly connected to the DHCP server trusted by the administratorneeds to be configured as the trusted interface, and other interfaces are configured as untrustedinterfaces. This ensures that DHCP clients obtain IP addresses from authorized DHCP servers.

Example

# Configure GE0/0/1 in VLAN 100 as the trusted interface.

<HUAWEI> system-view[HUAWEI] vlan 100[HUAWEI-vlan100] dhcp snooping trust interface gigabitethernet 0/0/1

8.3 NAC Compatible Commands

8.3.1 mac-authen username fixed password

Function

The mac-authen username fixed password command configures the fixed user name andpassword for MAC address authentication.

The undo mac-authen username fixed password command deletes the fixed user name andpassword for MAC address authentication.

By default, no fixed user name and password is configured for MAC address authentication.

Format

mac-authen username fixed username password simple password

undo mac-authen username fixed username password simple password



147

Parameters


fixed username Specifies the fixed user name for MACaddress authentication.

The value is a string of 1 to 64characters.

simple Indicates the password in plain text. -

password Specifies the password for MACaddress authentication.


Views

System view

Default Level


Usage Guidelines

You can use the mac-authen username fixed password command to configure the fixed username and password for MAC address authentication.

Example

# Configure the fixed user name and password for MAC address authentication.

<HUAWEI> system-view[HUAWEI] mac-authen username fixed tester password simple 123456

8.3.2 web-auth-server (system view)

Function

The web-auth-server command configures a web authentication server in the system view.

By default, no web authentication server is configured in the system view.

Format

web-auth-server server-name ip-address [ port port [ all ] ] [ key password | shared-key{ simple password | cipher password } ] [ url url-string ]



148

Parameters


server-name Specifies the name of a webauthentication servertemplate.

The value is a string of 1 to31 case-insensitivecharacters.

ip-address Specifies the IP address of aweb authentication server.


port port Specifies the port numberthat the Portal server uses toreceive and encapsulate UDPpackets from the device.


all Indicates that the devicealways uses the destinationport number specified byport-number to encapsulateUDP packets.

-

key password Specifies the shared key thatthe device uses to exchangeinformation with a Portalserver.


shared-key Specifies the shared key thatthe device uses to exchangeinformation with a Portalserver.

-

simple password Displays a shared key in plaintext.


cipher password Displays a shared key incipher text.


url url-string Specifies the URL of a portalserver. Portal authenticationusers can visit this URL toaccess the Portal server.


ViewsSystem view

Default Level




149

Usage GuidelinesWhen an unauthenticated user goes online, a device forces the user to log in to a special website(namely, the Portal website) so that the user can access the service on the Portal for free. Toaccess the Internet, the user must pass the authentication on the Portal.

Example# Set the IP address of web authentication server huawei to 10.1.1.1.

<HUAWEI> system-view[HUAWEI] web-auth-server huawei 10.1.1.1

8.4 Local Attack Defense Compatible Commands

8.4.1 blacklist

FunctionThe blacklist command configures an ACL-based blacklist.

By default, no blacklist is configured.

Formatblacklist acl { acl-number } &<1-4>

Parameters


acl acl-number Indicates the ACL ID. The ACLreferenced by a blacklist on the devicecan be a basic ACL, an advanced ACL,or a Layer 2 ACL.

The value is an integer that rangesfrom 2000 to 4999.

ViewsSystem view, Attack defense policy view


Usage GuidelinesA maximum of eight blacklists can be configured on the device. You can set the attributes of ablacklist by defining ACL rules.

The packets sent from users in the blacklist are discarded after reaching the device.



150

Example

# Reference ACL 2001 in the blacklist.

<HUAWEI> system-view[HUAWEI] cpu-defend policy test[HUAWEI-cpu-defend-policy-test] blacklist acl 2001

8.4.2 car

Function

The car command sets the rate at which packets are sent to the CPU.

Format

car packet-type bpdu cir cir-value [ cbs cbs-value ]

car packet-type ftp-dynamic cir cir-value [ cbs cbs-value ]

undo car packet-type bpdu

undo car packet-type ftp-dynamic

Parameters


packet-type bpdu Limits the rate of bpdu packets. -

packet-type ftp-dynamic Limits the rate of ftp-dynamicpackets.

-

cir cir-value Indicates the committedinformation rate (CIR).

The value is an integer thatranges from 8 to 4294967295, inkbit/s.

cbs cbs-value Indicates the committed burstsize (CBS).

The value is an integer thatranges from 10000 to4294967295, in bytes.

Views

Attack defense policy view

Default Level


Usage Guidelines

The default CARs for packets of each type range from 64 kbit/s to 512 kbit/s. You can run thedisplay cpu-defend configuration command to query the default CAR.



151

If you run the deny and car commands for the same type of packets sent to the CPU, the commandthat runs later takes effect.

NOTE

If packets are sent to the CPU at a high rate and a large CAR value is configured on the device, the CPUusage may be too high. This may degrade the device performance or even cause the stack split.

Example# Set the CAR of packets in defense policy test as follows: Set the packet type to bpdu, CIR to64 kbit/s, and CBS to 33000 bytes.

<HUAWEI> system-view[HUAWEI] cpu-defend policy test [HUAWEI-cpu-defend-policy-test] car packet-type bpdu cir 64 cbs 33000

8.4.3 car cpu-port

FunctionThe car cpu-port command configures the CIR of all the packets to be sent to the CPU.

By default, the CIR value of all the packets to be sent to the CPU is 1024 kbit/s on the device.

Formatcar cpu-port cir cir-rate


cir cir-rate Sets the CIR of all the packetsto be sent to the CPU.

The value is an integer thatranges from 64 to 2048, inkbit/s.

ViewsAttack defense policy view


Usage GuidelinesThe car cpu-port command limits the total rate of all protocol packets sent to the CPU. Thecar packet-type command limits the rate of packets of a specified protocol. However, the totalCIR of packets of specified protocols cannot exceed the CIR of all the packets sent to the CPU.

When the CIR is exceeded, excess packets including unicast, multicast, and broadcast packetsare not sent to the CPU. In addition, the unicast packets are discarded directly.



152

Example# Set the CIR of all the packets to be sent to the CPU to 512 kbit/s on the device.

<HUAWEI> system-view[HUAWEI] cpu-defend policy test[HUAWEI-cpu-defend-policy-test] car cpu-port cir 512

8.4.4 cpu-defend linkup-car bgp enable

FunctionThe cpu-defend linkup-car bgp enable command enables the BGP protocol association.

The undo cpu-defend linkup-car bgp enable command disables the BGP protocol association.

By default, the BGP protocol association is disabled.

Formatcpu-defend linkup-car bgp enable

undo cpu-defend linkup-car bgp enable

ParametersNone

ViewsSystem view


Usage GuidelinesThis command is provided for compatibility with earlier versions.

Example# Enable the BGP protocol association.

<HUAWEI> system-view[HUAWEI] cpu-defend linkup-car bgp enable

8.4.5 deny

FunctionThe deny command sets the discard action taken for packets sent to the CPU.

The undo deny command restores the default action taken for packets sent to the CPU.



153

By default, the device limits the rate of protocol packets and user-defined flows based on theCAR configuration.

Format

deny packet-type bpdu

deny packet-type ftp-dynamic

undo deny packet-type bpdu

undo deny packet-type ftp-dynamic

Parameters


packet-type bpdu Discards bpdu packets . -

packet-type ftp-dynamic Discards ftp-dynamic packets. -

Views

Attack defense policy view

Default Level


Usage Guidelines

If you run the deny and car commands for the same type of packets sent to the CPU, the commandthat runs later takes effect. The undo deny command restores the default action taken for packetssent to the CPU. After you run this command, the system limits the rate of packets sent to theCPU based on the configured CIR and CBS values.

Example

# Set the discard action taken for bpdu packets sent to the CPU attack in defense policy test.

<HUAWEI> system-view[HUAWEI] cpu-defend policy test [HUAWEI-cpu-defend-policy-test] deny packet-type bpdu

8.5 IP Source Guard Compatible Commands

8.5.1 ip anti-attack source-ip equals destinetion-ip drop



154

Function

The ip anti-attack source-ip equals destinetion-ip drop command enables the device todiscard IP packets with the same source and destination IP addresses.

The undo ip anti-attack source-ip equals destinetion-ip drop command disables the devicefrom discarding IP packets with the same source and destination IP addresses.

By default, the device does not discard IP packets with the same source and destination IPaddresses.

Format

ip anti-attack source-ip equals destinetion-ip drop { all | slot slot-id }

undo ip anti-attack source-ip equals destinetion-ip drop { all | slot slot-id }

Parameters


all All the devices. -

slot slot-id l The value is 0 if stackingis not configured.

l Specifies the stack ID ifstacking is configured.

Set the value according to thedevice configuration.

Views

System view

Default Level


Usage Guidelines

Generally, IP packets with the same source and destination IP addresses can be forwarded. Whenyou determine that the IP packets are attack packets, you can use the ip anti-attack source-ipequals destinetion-ip drop command to enable the device to discard the IP packets.

Example

# Enable the device to discard IP packets with the same source and destination IP addresses.

<HUAWEI> system-view[HUAWEI] ip anti-attack source-ip equals destinetion-ip drop all



155

8.5.2 ip source check

FunctionThe ip source check command enables dynamic IP source guard.

By default, dynamic IP source guard is disabled on the device.

Format

ip source check { ip-address | mac-address | interface } *

ParametersNone

ViewsVLAN view


Usage GuidelinesAfter dynamic IP source guard is enabled on a VLAN, the device checks packets according tothe entries in the DHCP snooping binding table specified by the ip source check command.Packets that do not match the specified entries in the DHCP snooping binding table are discarded.Therefore, access control is implemented and unauthorized users are not allowed to access thenetwork.

Dynamic IP source guard does not generate binding entries. Packets are checked according tothe specified entries in the DHCP snooping binding table. Therefore, you must enable the deviceto check IP and ARP packets before enabling the dynamic IP source guard. Dynamic IP sourceguard configured independently does not take effect.

Example# Enable dynamic IP source guard in VLAN 10 to check the IP address and MAC address of apacket according to the DHCP snooping binding table. View the DHCP snooping binding table.

<HUAWEI> system-view[HUAWEI] vlan 10[HUAWEI-Vlan10] ip source check ip-address mac-address

8.6 URPF Compatible Commands

8.6.1 ip urpf



156

FunctionThe ip urpf command enables URPF check on the interface and configure the URPF checkmode.

The undo ip urpf command disables URPF check on the interface.

NOTE

TheS2750, S5700SI, S5700LI, and S5700S-LI do not support this command.

Formatip urpf { loose | strict } [ allow-default-route ]

undo ip urpf

Parameters


loose Indicates URPF loose check. In this mode, the device forwardsa packet as long as the source address of the packet exists in therouting table or ARP table, regardless of whether the matchingoutbound interface in the routing table or ARP table is the sameas the inbound interface of the packet.

-

strict Indicates URPF strict check. In this mode, the device forwardsa packet only when the source address of the packet exists inthe routing table or ARP table, and the matching outboundinterface in the routing table or ARP table is the same as theinbound interface of the packet.

-

allow-default-route Allows special process for the default route. -

ViewsGE interface view, XGE interface view, 40GE interface view, Eth-Trunk interface view, portgroup view


Usage GuidelinesThe URPF check mode configured on an interface is valid only after the URPF is enabled onthe LPU.

The URPF determines how to process the default route based on whether the allow-default-route parameter is specified in the command.l If allow-default-route is set but the source address of a packet does not exist in the routing

table or ARP table, the packet is discarded even if the default route is found, regardless ofthe strict or loose check. If allow-default-route is set and the source address of a packetexists in the routing table or ARP table:



157

– In the strict check mode, the device forwards a packet when the outbound interface inthe default route is the same as the inbound interface of the packet. When the outboundinterface in the default route is different from the inbound interface of the packet, thepacket is discarded.

– In the loose check mode, the device forwards a packet regardless of whether theoutbound interface in the default route is the same as the inbound interface of the packet.

l If allow-default-route is not set, the default route is not processed.

Example

# Enable the strict URPF check on GE0/0/1 and allow the special process for the default route.

<HUAWEI> system-view[HUAWEI] interface gigabitethernet 0/0/1[HUAWEI-GigabitEthernet0/0/1] ip urpf strict allow-default-route

8.7 Traffic Suppression Compatible Commands

8.7.1 broadcast-suppression

Function

The broadcast-suppression command sets the maximum traffic rate of broadcast packets thatcan pass through an interface.

The undo broadcast-suppression command restores the default traffic rate of broadcast packetsthat can pass through an interface.

Format

broadcast-suppression { broadcast-pct | packets packets-per-second }

undo broadcast-suppression

Parameters


broadcast-pct Specifies the maximumpercentage of broadcasttraffic on an interface.

The value ranges from 0 to100. The default value is 100.By default, broadcast trafficis not suppressed oninterfaces.

packets packets-per-second Specifies the maximumnumber of broadcast packetsallowed to pass through aninterface per second.

The value of packets-per-second is an integer.



158

Views


Default Level


Usage Guidelines

When the traffic rate of broadcast packets exceeds the maximum value, the system discardsexcess broadcast packets to control the traffic rate and ensure normal operation of networkservices.

Example

# Set the maximum percentage of broadcast traffic to 20% of interface bandwidth on Eth-Trunk1.

<HUAWEI> system-view[HUAWEI] interface eth-trunk 1[HUAWEI-Eth-Trunk1] broadcast-suppression 20

8.7.2 multicast-suppression

Function

The multicast-suppression command sets the maximum traffic rate of multicast packets thatcan pass through an interface.

The undo multicast-suppression command restores the default traffic rate of multicast packetsthat can pass through an interface.

Format

multicast-suppression { multicast-pct | packets packets-per-second }

undo multicast-suppression

Parameters


multicast-pct Specifies the maximumpercentage of multicasttraffic on an Ethernetinterface.

The value ranges from 0 to100. The default value is 100.By default, multicast traffic isnot suppressed on interfaces.

packets packets-per-second Specifies the maximumnumber of multicast packetsallowed to pass through aninterface per second.




159

Views


Default Level


Usage Guidelines

When the traffic rate of multicast packets exceeds the maximum value, the system discardsexcess multicast packets to control the traffic rate and ensure normal operation of networkservices.

Example

# Set the maximum percentage of multicast traffic to 20% of interface bandwidth on Eth-Trunk1.

<HUAWEI> system-view[HUAWEI] interface eth-trunk 1[HUAWEI-Eth-Trunk1] multicast-suppression 20

8.7.3 unicast-suppression

Function

The unicast-suppression command sets the maximum traffic rate of unknown unicast packetsthat can pass through an interface.

The undo unicast-suppression command restores the default traffic rate of unknown unicastpackets that can pass through an interface.

Format

unicast-suppression { unicast-pct | packets packets-per-second }

undo unicast-suppression

Parameters


unicast-pct Specifies maximumpercentage of unknownunicast traffic on an Ethernetinterface.

The value ranges from 0 to100. The default value is 100.By default, unknown unicasttraffic is not suppressed oninterfaces.

packets packets-per-second Specifies the maximumnumber of unknown unicastpackets allowed to passthrough an interface persecond.




160

ViewsEth-Trunk interface view


Usage GuidelinesWhen the traffic rate of unknown unicast packets exceeds the maximum value, the systemdiscards excess unknown unicast packets to control the traffic rate and ensure normal operationof network services.

Example# Set the maximum percentage of unknown unicast traffic to 20% of interface bandwidth onEth-Trunk1.

<HUAWEI> system-view[HUAWEI] interface eth-trunk1[HUAWEI-Eth-Trunk1] unicast-suppression 20

8.8 ACL Compatible Commands

8.8.1 acl ipv6

FunctionThe acl ipv6 command creates an ACL6 and enters the ACL6 view.

The undo acl ipv6 command deletes an ACL.

Formatacl ipv6 [ number ] acl6-number [ name acl6-name ]

undo acl ipv6 { all | [ number ] acl6-number | name acl6-name }



161

Parameters


number acl6-number Indicates the ID of an ACL6. The value of acl6-number isan integer that ranges from2000 to 3999. In theseoptions,l ACL6s numbered from

2000 to 2999 are basicACL6s.

l ACL6s numbered from3000 to 3999 areadvanced ACL6s.

name acl6-name Specifies a named ACL6. The value of acl6-name is astring of 1 to 32 case-sensitive characters withoutspaces. The name starts witha letter (lowercase a to z oruppercase A to Z) and cancontain letters, digits, andsymbols such as the numbersign (#), percentage symbol(%), and hyphen (-).

all Deletes all ACL6s. -

ViewsSystem view



Example# Create an ACL6 named test and numbered 3100.

<HUAWEI> system-view[HUAWEI] acl ipv6 number 3100 name test[HUAWEI-acl6-adv-test]



162

8.8.2 acl (system view)

FunctionThe acl command creates an ACL and enters the ACL view.

The undo acl command deletes a specified ACL.

Formatacl [ number ] acl-number [ name acl-name ]

undo acl { all | [ number ] acl-number | name acl-name }


number acl-number Indicates the ID of an ACL. The value of acl-number is aninteger that ranges from 2000to 5999.l ACLs numbered from

2000 to 2999 are basicACLs.

l ACLs numbered from3000 to 3999 areadvanced ACLs.

l ACLs numbered from4000 to 4999 are Layer 2ACLs.

l ACLs numbered from5000 to 5999 arecustomized ACLs.

name acl-name Specifies a named ACL. The value of acl-name is astring of 1 to 32 case-sensitive characters withoutspaces. The name starts witha letter (lowercase a to z oruppercase A to Z) and cancontain letters, digits, andsymbols such as the numbersign (#), percentage symbol(%), and hyphen (-).

all Deletes all ACLs. -

ViewsSystem view



163


Usage GuidelinesAn ACL consists of a list of rules. Each rule contains a permit or deny clause. Before creatingan ACL rule, you must create an ACL.

Example# Create an ACL named test and numbered 3100.

<HUAWEI> system-view[HUAWEI] acl number 3100 name test[HUAWEI-acl-adv-test]

8.8.3 rule (ACL6)

FunctionThe rule command adds or modifies advanced ACL6 rules.

The undo rule command deletes IPv6 ACL rules.

Formatrule [ rule-id ] { deny | permit } ipv6-AH [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | dscp dscp | fragment | logging | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ] *

rule [ rule-id ] { deny | permit } ipv6-ESP [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | dscp dscp | fragment | logging | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ] *



164

Parameters


rule-id Indicates the ID of an ACL6rule.

The value ranges from 0 to 2047.l If the ID of a rule is specified and the

rule exists, the new rule is added to therule with this ID, that is, the old rule ismodified.

l If the rule associated with a rule ID doesnot exist, a rule can be created with thisrule ID and its position in the ACL isdetermined by the rule ID.

l If no rule ID is specified, the deviceallocates an ID to the new rule. The ruleIDs are sorted in ascending order.

deny Discards packets that do notmatch ACL rules.

-

permit Allows packets to pass. -

ipv6-AH Indicates the protocol type. -

ipv6-ESP Indicates the protocol type. -

destination{ destination-ipv6-addressprefix-length |destination-ipv6-address/prefix-length |any }

Indicates the destinationaddress and prefix of a packet.

destination-ipv6-address is expressed inhexadecimal notation. The value of prefix-length is an integer that ranges from 1 to128. You can also use any to represent anydestination address.

destinationdestination-ipv6-addresspostfixpostfix-length

Indicates the destinationaddress and the length ofdestination address postfix.

destination-ipv6-address indicates thedestination address and is expressed inhexadecimal notation. postfix-length is aninteger that ranges from 1 to 64.

dscp dscp-value

Specifies the value of aDifferentiated ServicesCodePoint (DSCP).

The value ranges from 0 to 63.

fragment Indicates that the rule is validfor only non-initialfragments.

-



165


logging Indicates whether to recordlogs for packets that meetACL rules.

Log contents include the ACL rule ID, passor discard of packets, type of the protocolover IP, source or destination address,source or destination port number, andnumber of packets.

precedence Filters packets by priority. The value is a name or a digit that rangesfrom 0 to 7.

source{ source-ipv6-addressprefix-length |source-ipv6-address/prefix-length |any }

Indicates the source addressand prefix of a packet.

source-ipv6-address indicates the sourceaddress and is expressed in hexadecimalnotation. prefix-length is an integer thatranges from 1 to 128. You can also useany to represent any source address.

sourcesource-ipv6-addresspostfixpostfix-length

Indicates the source addressand the length of sourceaddress postfix.

source-ipv6-address indicates the sourceaddress and is expressed in hexadecimalnotation. postfix-length is an integer thatranges from 1 to 64.

time-rangetime-name

Specifies the time range onlyin which ACL6 rules areeffective.time-name indicates the nameof the time range.

The value is a string of 1 to 32 characters.

tos tos Filters packets by Type ofService (ToS).

The value is a name or a digit that rangesfrom 0 to 15.

vpn-instancevpn-instance-name

Specifies the name of a VPNinstance.

The value is a string of 1 to 31 characterswithout spaces. Letters, digits, underscores(_), and dots (.) are allowed.

Views

Advanced ACL6 view

Default Level


Usage Guidelines

This command is used in the IPv6 ACL configuration mode. When adding a rule, specify thesource IPv6 address in the rule. To delete or modify an existing rule, specify the rule ID.



166

Example# Create an advanced ACL6 with ID 3000 and configure a rule that allows only IPv6 ESP packetswith the source IPv6 address 2030:5060::9050 and mask 64 to pass.

<HUAWEI> system-view[HUAWEI] acl ipv6 number 3000[HUAWEI-acl6-adv-3000] rule 0 permit ipv6-esp source 2030:5060::9050/64



167

9 Reliability Compatible Commands

About This Chapter

9.1 Smart Link Compatible Commands

9.2 Ethernet OAM Compatible Commands

S2750&S5700&S6700 Series Ethernet SwitchesCompatible Commands Reference 9 Reliability Compatible Commands


168

9.1 Smart Link Compatible Commands

9.1.1 load-balance reference-instance

Function

The load-balance reference-instance command sets the load balancing mode of a Smart Linkgroup.

The undo load-balance reference-instance command deletes a load balancing instance of aSmart Link group.

Format

load-balance reference-instance instance-id slave

undo load-balance reference-instance [ slave ]

Parameters


instance-id Specifies the ID of a SmartLink instance.


slave Specifies the slave interfacefor transmitting packets of aSmart Link instance.

-

Views

Smart Link group view

Default Level


Usage Guidelines

Before you run the load-balance instance command in a Smart Link group, the Smart Linkgroup must be disabled.

After configuring load balancing in a Smart Link group, you can use the display smart-linkgroup command to verify the configuration.

When the links of all Smart Link group members are Up, the inactive link transmits the trafficfrom the VLANs mapping the specified instance.



169

Example# Set the load balancing mode of the Smart Link group whose ID is 3.

<Quidway> system-view[Quidway] smart-link group 3[Quidway-smlk-group3] load-balance reference-instance 1 slave

9.2 Ethernet OAM Compatible Commands

9.2.1 efm trigger if-net

FunctionThe efm trigger if-net command associates EFM with an interface.

Formatefm trigger if-net

ParametersNone

ViewsGE interface view, XGE interface view



EFM can be associated with interfaces. On a scenario with primary and backup links, if EFMdetects a fault on the primary link, it will set the protocol status of the associated interface toETHOAM Down, speeding up routing convergence. Traffic can be fast switched to the backuplink.

Prerequisites

EFM has been enabled globally and on an interface, and is in detect state.

Precautions

If EFM is associated with an interface and detects a link fault, the protocol status of the interfacebecomes ETHOAM Down, and no packet except EFM OAMPDUs can be forwarded by theinterface, and all Layer 2 and Layer 3 services are blocked. Therefore, associating EFM with aninterface may greatly affect services. When the interface detects link recovery using EFM, theinterface can forward all packets and unblocks Layer 2 and Layer 3 services.



170

Example# Associate EFM with GE0/0/1.

<HUAWEI> system-view[HUAWEI] efm enable[HUAWEI] interface gigabitethernet 0/0/1[HUAWEI-GigabitEthernet0/0/1] efm enable[HUAWEI-GigabitEthernet0/0/1] efm trigger if-net

9.2.2 error-shutdown auto-recovery cause efm-threshold-event

FunctionThe error-shutdown auto-recovery cause efm-threshold-event command enables aninterface in error-shutdown state to go Up.

NOTE

An interface enters the error-shutdown state after being shut down due to an error.

Formaterror-shutdown auto-recovery cause efm-threshold-event

Parameters


cause Indicates the cause for aninterface in error-down state.

-

efm-threshold-event Indicates that a thresholdcrossing event occurs.

-

ViewsSystem view



When link monitoring is configured for an interface on a link, the link is considered unavailable,if the number of errored frames, errored codes, or errored frame seconds detected by the interfacereaches or exceeds the threshold within a period. You can associate an EFM crossing event withan interface. Then the system sets the administrative status of the interface to Down. In thismanner, all services on the interface are interrupted.



171

By default, an interface can only be resumed by a network administrator after being shut down.To configure the interface to restore to the Up state automatically, run the error-down auto-recovery command to set an auto recovery.

Example

# Set the auto recovery after an EFM threshold crossing event is associated with an interface.

<HUAWEI> system-view[HUAWEI] error-shutdown auto-recovery cause efm-threshold-event

9.2.3 error-shutdown auto-recovery interval

Function

The error-shutdown auto-recovery interval command sets the auto recovery delay.

NOTE

An interface enters the error-shutdown state after being shut down due to an error.

Format

error-shutdown auto-recovery interval interval-value

Parameters


interval interval-value Specifies the auto recoverydelay.

The value is an integer thatranges from 30 to 86400, inseconds.l A smaller value indicates

a higher frequency atwhich an interfacealternates between Upand Down states.

l A larger value indicateslonger trafficinterruption.

Views

System view

Default Level




172


By default, an interface can only be resumed by a network administrator after being shut down.To configure the interface to restore to the Up state automatically, run the error-shutdown auto-recovery interval command to set an auto recovery delay. After the delay, the interface goesUp automatically.

Example# Set the auto recovery delay to 50s.

<HUAWEI> system-view[HUAWEI] error-shutdown auto-recovery interval 50



173

10 Device Management CompatibleCommands

About This Chapter

10.1 vrbd

10.2 _shell

10.3 backup elabel

10.4 cpu-usage threshold

10.5 display autosave config

10.6 display environment

10.7 display elabel unit

10.8 display fault-management

10.9 display fault-management alarm information

10.10 display reboot-info

10.11 fault-management alarm

10.12 reset reboot-info

10.13 display alarm urgent

10.14 reset alarm urgent

10.15 temperature threshold unit

10.16 port-mirroring to observe-port

10.17 poe power

10.18 port-mirroring

S2750&S5700&S6700 Series Ethernet SwitchesCompatible Commands Reference 10 Device Management Compatible Commands


174

10.19 reset fault-management



175

10.1 vrbd

Function

The vrbd command displays the compiling time and version of the system software.

Format

vrbd

Parameters

None

Views

Diagnosis view

Default Level

3: Management level

Usage Guidelines

You can run the command to view the compiling time and version of the system software.

Example

# Display the compiling time and version of the system software.

<HUAWEI> system-view[HUAWEI] diagnose[HUAWEI-diagnose] vrbdS5700 Version V200R003C00SPC300 VRP Software Version F100S100 Copyright (C) 2000-2011 Huawei Technologies Co., Ltd. Compiled Mar 26 2012 17:30:56 By S5700 CMO CPLD Ver 257, Date Aug 8 2013 Board 0 SoftWare Version V200R003C00SPC300B440 Board 0 SoftWare for user V200R003C00SPC300

Table 10-1 Description of the vrbd command output

Item Description

S5700 Version V200R003C00SPC300 Device model and system software version.

VRP Software Version VRP software version.



176

Item Description

Copyright (C) 2000-2011 HuaweiTechnologies Co., Ltd.

Enterprise copyright declaration.

Compiled Mar 26 2012 17:30:56 By S5700CMO

System software compiling time.

CPLD Ver 257, Date Aug 8 2013 CPLD version and compiling time. A largerversion number indicates a newer CPLDversion.

SoftWare Version System software internal version.

SoftWare for user System software release version.

10.2 _shell

Function

The _shell command displays the shell mode.

The _shell show command displays the shell mode status.

The _shell slot-id [ kick-out ] command enables you to exit from the shell mode.

Format

_shell { slot-id [ kick-out ] | show }

Parameters


slot-id Specifies the destination slot ID. The value must be set according to thedevice configuration.

kick-out Indicates that users exit from the shellmode. -

show Displays the shell mode status. -

Views

Diagnosis view

Default Level




177

Usage Guidelines

None

Example

# Display the shell mode status.

<HUAWEI> system-view[HUAWEI] diagnose[HUAWEI-diagnose] _shell[HUAWEI-diagnose] _shell show User-ID User-Intf Slot Username 0 con0 2 Unspecified

# Enable slot 0 to exit from the shell mode.

<HUAWEI> system-view[HUAWEI] diagnose[HUAWEI-diagnose] _shell 0 kick-out

10.3 backup elabel

Function

Using the backup elabel command, you can save the electronic label of theS2750&S5700&S6700 to the File Transfer Protocol (FTP) server or to the Flash memory.

Format

backup elabel [ ftp ip-address filename username password ] [ unit unit-id ]

Parameters


ip-address Specifies the IP address ofthe FTP server that stores theelectronic label.


filename Specifies the name of the filethat stores the electronic labelon the FTP server.


username Specifies user name used tolog in to the FTP server.


password Specifies the password usedto log in to the FTP server.




178


unit unit-id l Specifies the slot ID ifstacking is notconfigured.


The value an integer that is 0if stacking is not configured;the value ranges from 0 to 8if stacking is configured.

ViewsUser view


Usage GuidelinesYou can use this command to save the electronic label of the S2750&S5700&S6700 to a file inthe flash memory or on the FTP server. If the electronic label is saved in the flash memory, thefile name is elabel.fls by default.

Example# Save the electronic label of the S2750&S5700&S6700 with the stack ID being 0 to theelabel.fls file in the flash memory.

<HUAWEI> backup elabel unit 0Info: Output information to file: flash:/elabel.fls. Please wait for a moment...

Info: Put file to flash successfully.

10.4 cpu-usage threshold

FunctionThe cpu-usage threshold command sets the upper and lower CPU usage alarm thresholds.

The undo cpu-usage threshold command restores the default setting.

Formatcpu-usage threshold unit unit-id { high | low } threshold-value



179

Parameters


high Specifies the upper CPU usage alarmthreshold.

-

low Specifies the lower CPU usage alarmthreshold.

-

unit unit-id l Specifies the slot ID if stacking is notconfigured.

l Specifies the stack ID if stacking isconfigured.

The value is 0 if stacking is notconfigured; the value ranges from 0 to8 if stacking is configured.

Views

System view

Default Level


Usage Guidelines

When the CPU usage is not within the allowed range, a log is recorded. You can convenientlyknow CPU usage through log information.

Example

# Set the upper CPU usage alarm threshold of a switch to 85%.

<HUAWEI> system-view[HUAWEI] cpu-usage threshold unit 0 high 85

10.5 display autosave config

Function

The display autosave config command displays the configuration about the autosave function,including the status of the autosave function, time for autosave check, threshold of the CPUusage, and interval during which configurations are not changed.

Formatdisplay autosave config

Parameters

None



180

ViewsAll views


Usage GuidelinesAfter the autosave function is configured, you can run the display autosave config commandto check whether the configured parameters are correct. You can also run this command to checkwhether the parameters about the autosave function are properly configured when autosavecannot function normally. If not, run the set save-configuration command to adjust theparameters to restore the normal state of the autosave function.

Example# Display the configuration about the autosave function.

<HUAWEI> display autosave configAuto save function status: enableAuto save checking interval: 60 minutesThe threshold of the CPU usage: 50%The interval of the configuration not changing: 30 minutes

Table 10-2 Description of the display autosave config command output

Item Description

Auto save function status Indicates the status of the autosave function:l Enablel Disable

Auto save checking interval Indicates the time for autosave check.

The threshold of the CPU usage Indicates the threshold of the CPU usageduring the autosave operation.

The interval of the configuration notchanging

Indicates the interval during which systemconfigurations are not changed.

10.6 display environment

FunctionUsing the display environment command, you can view the temperature of theS2750&S5700&S6700.

Formatdisplay environment unit unit-id



181

Parameters




The value is an integer that is0 if stacking is notconfigured; the value rangesfrom 0 to 8 if stacking isconfigured.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can set the temperature alarm threshold of the S2750&S5700&S6700 or a temperaturesensing board.

When the temperature of the S2750&S5700&S6700 exceeds the threshold, check the workingenvironment of the S2750&S5700&S6700 to ensure that the environment is suitable for theS2750&S5700&S6700.

Example

# Display the temperature of the S2750&S5700&S6700 that unit id is 0.

<HUAWEI> display environment unit 0Environment information:Temperature information:SlotID CurrentTemperature LowLimit HighLimit (deg c ) (deg c) (deg c ) 1 33 0 70

Table 10-3 Description of the display environment command output

Item Description

SlotID Stack ID of the S2750&S5700&S6700.

CurrentTemperature Temperature of the S2750&S5700&S6700.It is expressed in Celsius.

LowLimit Lower temperature threshold of theS2750&S5700&S6700. It is expressed inCelsius.



182

Item Description

HighLimit Upper temperature threshold of theS2750&S5700&S6700. It is expressed inCelsius.

10.7 display elabel unit

FunctionThe display elabel unit command displays the electronic label of the device.

Formatdisplay elabel unit unit-id [ subcard-id ]

Parameters


slot slot-id Specifies the stack ID of thedevice.

The value ranges from 0 to 8if stacking is configured. Thevalue is 0 if stacking is notconfigured.

subcard-id Specifies the subcard ID.This parameter can bespecified if any subcard isused on the device.


ViewsAll views


Usage GuidelinesElectronic labels identify the hardware. You can use the display elabel command to view theelectronic label information.

Example# Display the electronic label of the device with stack ID 0.

<HUAWEI> display elabel slot 0



183

/$[System Integration Version] /$SystemIntegrationVersion=3.0 [Slot_0] /$[Board Integration Version] /$BoardIntegrationVersion=3.0 [Main_Board] [Main_Board] /$[ArchivesInfo Version] /$ArchivesInfoVersion=3.0 [Board Properties] BoardType=LS52T52C BarCode=2102353169107C800132 Item=02353169 Description=S5752c-EI Mainframe(48 10/100 BASE-T ports and 4 SFP XGE (100/1000 BASE-X) ports (SFP Req.) and DC -48V) Manufactured=2011-08-24 VendorName=Huawei IssueNumber=00 CLEICode= BOM=02353169 [Port_1] /$[ArchivesInfo Version] /$ArchivesInfoVersion=3.0 [Board Properties] BoardType=VAHS-28-0029 BarCode=5529900015 Item= Description=1Gbps-0nm-Copper Pigtail-2(copper) Manufactured=2010-04-09 /$VendorName=Volex Inc. IssueNumber= CLEICode= BOM= [Port_2] /$[ArchivesInfo Version] /$ArchivesInfoVersion=3.0 [Board Properties] BoardType= BarCode= Item= Description= Manufactured= /$VendorName= IssueNumber= CLEICode= BOM= [Port_3]



184

/$[ArchivesInfo Version] /$ArchivesInfoVersion=3.0 [Board Properties] BoardType=04050017 BarCode=GEC42100170065 Item= Description=1Gbps-0nm-Unknown or Unspecified- Manufactured=2010-10-22 /$VendorName=Amphenol IssueNumber= CLEICode= BOM= [Port_4] /$[ArchivesInfo Version] /$ArchivesInfoVersion=3.0 [Board Properties] BoardType= BarCode= Item= Description= Manufactured= /$VendorName= IssueNumber= CLEICode= BOM= /$[ArchivesInfo Version] /$ArchivesInfoVersion=3.0 [Board Properties] BoardType=CX7M1PWA BarCode=2102316783P0B1002502 Item=02316783 Description=S5300C,CX7M1PWA,AC Power Module Manufactured=2011-01-16 VendorName=Huawei IssueNumber=00 CLEICode= BOM=

Table 10-4 Description of the display elabel command output

Item Description

BoardType Board model of the specified component.

BarCode Bar code of the specified component.

Item BOM code of the specified component.

Description English description of the specifiedcomponent.

Manufactured Production date of the specified component.



185

Item Description

VendorName Vendor name of the specified component.

IssueNumber Issuing number of the specified component.

CLEICode CLEI code of the specified component.

BOM Sales BOM code of the specifiedcomponent.

10.8 display fault-management

Function

The display fault-management command displays the contents of an alarm message, activealarm message, or event.

Format

display fault-management { alarm | active-alarm | event } [ sequence-number sequence-number ]

Parameters


sequence-numbersequence-number

Specifies the number of analarm message, active alarmmessage, or event.

The value is an integer rangingfrom 0 to 2147483647. Whenthe value is 0, informationabout all alarm messages,active messages, or events isdisplayed.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command helps you obtain the contents of all alarm messages or one alarm message on adevice.



186

Example

# Display the contents of active alarm messages in the system.

<HUAWEI> display fault-management active-alarmA/B/C/D/E/F/G/H/I/J A=Sequence, B=RootKindFlag(Independent|RootCause|nonRootCause) C=Generating time, D=Clearing time E=ID, F=Name, G=Level, H=State I=Description information for locating(Para info, Reason info) J=RootCause alarm sequence(Only for nonRootCause alarm) 1/Independent/2008-10-13 01:49:45+08:00/-/0x41932001/hwLldpEnabled/Warning/Start/OID: 1.3.6.1.4.1.2011.5.25.134.2.1 Global LLDP is enabled. 2/Independent/2008-10-13 01:50:06+08:00/-/0x41932000/lldpRemTablesChange/Warning/Start/OID: 1.0.8802.1.1.2.0.0.1 Neighbor information is changed. (LldpStatsRemTablesInserts=1, LldpStatsRemTablesDeletes=0, LldpStatsRemTablesDrops=0, LldpStatsRemTablesAgeouts=0) 5/Independent/2008-10-13 02:22:52+08:00/-/0x40c12014/hwPortPhysicalEthHalfDuplexAlarm/Minor/Start/OID 1.3.6.1.4.1.2011.5.25.129.2.5.11 The port works in half duplex mode. (EntityPhysicalIndex=10, BaseTrapSeverity=3, BaseTrapProbableCause=1024, BaseTrapEventType=8, EntPhysicalName=GigabitEthernet0/0/5, RelativeResource=interface GigabitEthernet0/0/5)

10.9 display fault-management alarm information

Function

The display fault-management alarm information command displays registrationinformation about an alarm message.

Format

display fault-management alarm information [ alarm-name ]

Parameters


alarm-name Specifies the name of an alarm message. The value is a case-sensitive string of1 to 256 characters without spaces.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

If alarm-name is not specified, registration information about all alarm messages is displayed.



187

To view registration information about an alarm message, you can run the display fault-management alarm information command; to modify registration information about an alarmmessage, including alarm level, you can run the fault-management alarm command.

Example# Check registration information about the alarm message named linkUp.

<HUAWEI> display fault-management alarm information linkUp********************************** AlarmName: linkUp AlarmType: Resume Alarm AlarmLevel: Cleared Suppress Period: NA CauseAlarmName: linkDown Match VB Name: ifIndex **********************************

Table 10-5 Description of the display fault-management alarm information command output

Item Description

AlarmName Name of an alarm message

AlarmType Type of an alarm

AlarmLevel Level of an alarm

Suppress Period Suppress period of an alarm

CauseAlarmName Name of the corresponding root alarm

Match VB Name Contents of the matching rule set for the alarm messages

Related Topics10.11 fault-management alarm

10.10 display reboot-info

FunctionUsing the display reboot-info command, you can view the information of restarting theS2750&S5700&S6700.

Formatdisplay reboot-info unit unit-id



188





ViewsAll views



Example# Display the information about restarting the S2750&S5700&S6700 that unit id is 0.

<HUAWEI> display reboot-info unit 0

Slot ID Times Reboot Type Reboot Time(DST) =========================================================================== 0 1 MANUAL 2012/10/13 01:48:28 0 2 MANUAL 2012/10/08 06:43:35 0 3 MANUAL 2012/10/01 01:34:32 0 4 POWER 2012/10/01 00:01:26 0 5 POWER 2012/10/01 00:01:25 0 6 POWER 2012/10/01 00:01:24 0 7 POWER 2012/10/01 00:01:25 0 8 POWER 2012/10/01 00:01:28 0 9 POWER 2012/10/01 00:01:24 0 10 POWER 2012/10/01 00:01:23 0 11 MANUAL 2012/10/03 00:42:32 0 12 POWER 2012/10/01 00:01:21 0 13 MANUAL 2012/10/05 07:12:18 0 14 POWER 2012/10/01 00:01:21 0 15 POWER 2012/10/01 00:01:21 0 16 POWER 2012/10/01 00:01:19 0 17 MANUAL 2012/10/04 07:02:23 0 18 MANUAL 2012/10/03 00:37:50 0 19 MANUAL 2012/10/01 03:21:56 0 20 POWER 2012/10/01 00:01:23 0 21 MANUAL 2012/10/10 02:55:49 0 22 MANUAL 2012/10/10 01:28:13 0 23 POWER 2012/10/01 00:01:19 0 24 MANUAL 2012/10/03 23:49:02 =========================================================================== Total 24



189

Table 10-6 Description of the display reboot-info command output

Item Description

Slot ID Specifies the stack ID if the stacking function is enabled or theslot ID if the stacking function is not enabled.

Times Indicates the times of restarting the S2750&S5700&S6700.

Reboot Type Indicates the types of restarting the S2750&S5700&S6700:l MANUALl POWERRl SCHEDUl OTHER

Reboot Time (DST) Indicates the time of restarting the S2750&S5700&S6700.

10.11 fault-management alarm

FunctionThe fault-management alarm command configures the type or level of an alarm message orevent.

The undo fault-management alarm command cancels the type or level of an alarm messageor event.

Formatfault-management alarm alarm-name level alarm-level

undo fault-management alarm alarm-name [ level ]

Parameters


alarm alarm-name Specifies the name of an alarmmessage or event.

The value is a case-sensitivestring of 1 to 64 characterswithout spaces.



190


level alarm-level Specifies the level of an alarmmessage or event. Mappings betweenalarm levels and severity levels:

1. Critical: Indicates that a serviceaffecting condition has occurredand an immediate correctiveaction is required. Such a severitycan be reported. For example,when a managed object becomestotally out of service, its capabilitymust be restored.

2. Major: Indicates that a serviceaffecting condition has developedand an urgent corrective action isrequired. Such a severity can bereported. For example, when thereis a severe degradation in thecapability of a managed object, itsfull capability must be restored.

3. Minor: Indicates the existence of anon-service affecting faultcondition and that correctiveaction should be taken in order toprevent a more serious (forexample, service affecting) fault.Such a severity can be reported.For example, when the detectedalarm condition is not currentlydegrading the capacity of themanaged object.

4. Warning: Indicates the detectionof a potential or impending serviceaffecting fault, before anysignificant effects have been felt.Action should be taken to furtherdiagnose (if necessary) and correctthe problem in order to prevent itfrom becoming a more seriousservice affecting fault.

5. Indeterminate: Indicates that theseverity level cannot bedetermined.

6. Cleared: Indicates the clearing ofone or more previously reportedalarms. This alarm clears allalarms for this managed object thathave the same Alarm type,

The value is a character string. Inthe X.733 standard, according tothe severity level and emergencylevel, alarm messages areclassified into six levels. Themore serious event an alarmmessage indicates, the smalleralarm-level is. Critical indicatesthe alarm level 1; whereasCleared indicates the alarm level6.



191


Probable cause and Specificproblems (if given). Multipleassociated notifications may becleared by using the Correlatednotifications parameter.

ViewsSystem view

Default Level3: Management

Usage GuidelinesAlarm messages can be classified into root alarm messages and resume-alarm messages. All thealarms are saved on the device.

Events can be classified into critical events and events. Critical events are saved on a device andcan be obtained by the NMS. Events are not saved on a device.

The fault-management alarm command can be used to promote or degrade the level of analarm message according to the severity level and emergency level of the alarm message.

Example# Set the alarm level of the alarm message named hwCfgManEventlog to major respectively.

<HUAWEI> system-view[HUAWEI] fault-management alarm hwCfgManEventlog level major

10.12 reset reboot-info

FunctionUsing the reset reboot-info command, you can clear the reboot information.

Formatreset reboot-info unit unit-id



192





ViewsUser view



Example# clear the reboot information of device that unit id is 0.

<HUAWEI> reset reboot-info unit 0

10.13 display alarm urgent

FunctionUsing the display alarm urgent command, you can view alarms on theS2750&S5700&S6700.

Formatdisplay alarm urgent unit unit-id




The value is an integer thatis0 if stacking is notconfigured; the value rangesfrom 0 to 8 if stacking isconfigured.



193

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can use the command to view alarms, including alarms about the abnormality of thetemperature, the fan, and the chip.

If no parameter is specified, the command displays all the alarms.

Example

# Display alarms of the device that unit id is 0.

<HUAWEI> display alarm urgent unit 0Alarm Slot Date Time Location-------------------------------------------------------------------Power abnormal 0 2008/08/01 00:00:46 slot 0Power plugged out 0 2008/08/01 00:00:46 slot 0

Table 10-7 Description of the display alarm urgent command output

Item Description

Alarm Details about an alarm.

Slot Stack ID of the S2750&S5700&S6700 where alarms are generated.

Date Date when alarms are generated.

Time Time when alarms are generated.

Location Position where alarms are generated.

10.14 reset alarm urgent

Function

The reset alarm urgent command clears all alarm messages.

Format

reset alarm urgent unit unit-id



194

Parameters




The value is an integer that is0 if stacking is notconfigured. The value rangesfrom 0 to 8 if stacking isconfigured.

ViewsSystem view



Example# Clear all alarm messages of the device that unit id is 0.

<HUAWEI> system-view[HUAWEI] reset alarm urgen unit 0

10.15 temperature threshold unit

FunctionThe temperature threshold unitcommand sets the temperature thresholds.

The undo temperature threshold unitcommand cancels the temperature thresholds.

Formattemperature threshold unit unit-id lower-limit low-temperature upper-limit high-teperature

undo temperature threshold unit unit-id lower-limit low-temperature upper-limit high-teperature



195

Parameters


unit-id l Specifies the slot ID ifstacking is notconfigured.


The value is an integer that is0 if stacking is notconfigured. The value rangesfrom 0 to 8 if stacking isconfigured.

lower-limit low-temperature Specify the lowertemperature alarm threshold.


upper-limit high-teperature Specify the uppertemperature alarm threshold.


Views

System view

Default Level


Usage Guidelines

This command sets the upper and lower temperature thresholds for a device. If the devicetemperature is out of the specified range, an alarm is generated.

Example

# Set the upper temperature alarm threshold of the device with stack ID 3 to 40.

<HUAWEI> system-view[HUAWEI] temperature threshold unit 3 lower-limit 0 upper-limit 40

10.16 port-mirroring to observe-port

Function

The port-mirroring to observe-port command configures a mirroring action on an interface.

NOTE

Only S5700EI and S5700SI support this command.

Format

port-mirroring to observe-port index { both | inbound | outbound } remote vlan-id



196

Parameters


index Specifies the index of aglobal observing port.

For the S5700EI series, thevalue ranges from 1 to 4,whereas for the S5700SIseries, the value is 1.

both Indicates that port mirroringis configured for bothincoming and outgoingpackets.

-

inboundincoming

Indicates that port mirroringis configured for incomingpackets.

-

outbound Indicates that port mirroringis configured for outgoingpackets.

-

remote vlan-id Specifies the VLAN ID usedin remote mirroring.


ViewsGE interface view, 10GE interface view, Eth-Trunk interface view


Usage GuidelinesNOTE

The mirrored port cannot be added to the RSPAN VLAN.

In the process of port mirroring, the S2750&S5700&S6700 copies the packets passing throughan observed port to a specified observing port. To ensure information integrity during portmirroring, it is recommended that the observing port and observed port be of the same type andenjoy the same bandwidth.

On the S2750&S5700&S6700, port mirroring is implemented by the Layer 2 switch chip. Ensurethat the Layer 2 header, Layer 3 header, and data of each packet copied to the observing portremain unchanged. Port mirroring can be configured for the incoming traffic, outgoing traffic,or both.

To configure an Eth-Trunk as a mirrored interface, you must run the interface eth-trunk trunk-id command to create the Eth-Trunk first.l If an Eth-Trunk is configured as a mirrored interface, its member interfaces cannot be

configured as mirrored interfaces.



197

l If a member interface of an Eth-Trunk is configured as a mirrored interface, the Eth-Trunkcannot be configured as a mirrored interface.

Example

# Configure GE 0/0/1 as the observed interface and GE0/0/2 as the observing port with the indexas 1. Mirror the incoming traffic of GE0/0/1 to GE0/0/2.

<HUAWEI> system-view[HUAWEI] observe-port 1 interface gigabitethernet 0/0/2[HUAWEI] interface gigabitethernet 0/0/1[HUAWEI-GigabitEthernet0/0/1] port-mirroring to observe-port 1 inbound remote 10

10.17 poe power

Function

The poe power command sets the maximum output power of an interface.

The undo poe power command restores the default maximum output power of an interface.

By default, the maximum output power of an interface is 30000 mW.

Format

poe power port-max-power

undo poe power

Parameters


port-max-power Specifies the maximumoutput power of an interface.

The value is an integer thatranges from 0 to 30000, inmW.

Views

GE interface view, Ethernet interface view, port group view

Default Level


Usage Guidelines

Usage Scenarios



198

The PD negotiation power may be different from the power required by some non-standard PDsor PDs that cannot be classified. You can run the poe power command to set the maximumoutput power of the interface, which prevents power overload for PDs and saves energy.

Prerequisites

The PoE function has been enabled on the interface using the poe enable command.

Example# Set the maximum output power on GigabitEthernet0/0/5 to 20000 mW.<HUAWEI> system-view[HUAWEI] interface gigabitEthernet 0/0/5[HUAWEI-GigabitEthernet0/0/5] poe power 20000

10.18 port-mirroring

FunctionThe port-mirroring command configures a mirroring behavior on an interface.

NOTE

The S5700SI and S5700LI do not support this command.

Formatport-mirroring to observe-port index remote vlan-id


index Specifies the index of aglobal observing interface.

On an S5700EI, the valueranges from 1 to 4.

remote vlan-id Specifies the VLAN ID usedin remote mirroring.


ViewsTraffic behavior view


Usage GuidelinesDuring flow mirroring, the device copies the packets of an observed flow and then sends thecopy to a specified observing interface. The device implements flow mirroring for the incomingflows on an interface through traffic classification.



199

On the S-switch, flow mirroring is implemented by the Layer 2 switch chip. Ensure that theLayer 2 header, Layer 3 header, and data of each packet copied to the observing interface remainunchanged.

You can only specify an existing VLAN for remote mirroring. This VLAN must be configuredas an RSPAN VLAN.

Example# Mirror traffic to observing interface with index 1.

<HUAWEI> system-view[HUAWEI] traffic behavior b1[HUAWEI-traffic-behavior-b1] port-mirroring to observe-port 1 remote 1

10.19 reset fault-management

FunctionThe reset fault-management command clears all alarm messages.

Formatreset fault-management { active-alarm | event } [ sequence-number sequence-number ]

Parameters


sequence-numbersequence-number

Specifies the number of analarm message.

The value is an integer rangingfrom 0 to 2147483647. If thevalue is 0, it indicates that allalarm messages are cleared.

ViewsSystem view

Default Level3: Management

Usage GuidelinesIf sequence-number is not specified, the system clears all the alarm messages on the device.

NOTICEAfter this command is run, all alarm messages on a device are cleared and cannot be restored.



200

Example# Clear all active alarm messages.

<HUAWEI> system-view[HUAWEI] reset fault-management active-alarm



201

11 Network Management CompatibleCommands

About This Chapter

11.1 Ping and Tracert Compatible Commands

11.2 NTP Compatible Commands

11.3 SNMP Compatible Commands

S2750&S5700&S6700 Series Ethernet SwitchesCompatible Commands Reference 11 Network Management Compatible Commands


202

11.1 Ping and Tracert Compatible Commands

11.1.1 ping ipv6

FunctionThe ping ipv6 command checks whether a specified IPv6 IP address is reachable and exportscorresponding statistics.

Formatping ipv6 [ -a source-ipv6-address | -c count | -h ttl-value | -m time | -name | -s packetsize | -ttimeout | -tc traffic-class-value | vpn6-instance vpn6-instance-name ] * { destination-ipv6-address | host } [ -i interface-type interface-number ]

Parameters


-a source-ipv6-address Specifies a source IPv6address for sending ICMPv6Echo Request messages.

If no source IPv6 address isspecified, the IPv6 addressof the outbound interface isused as the source addressfor sending ICMPv6 EchoRequest messages.


-c count Specifies the number oftimes for sending ICMPv6Echo Request messages.

You can increase the numberof outgoing packets to detectthe network quality based onthe packet loss rate.

The value is an integer that rangesfrom 1 to 4294967295. The defaultvalue is 5.



203


-h ttl-value Specifies the TTL value.

If the TTL field is reduced to0 during messageforwarding, the Layer 3switch that the messagereaches sends an ICMPv6timeout message to thesource host, indicating thatthe destination host isunreachable.

The value is an integer that rangesfrom 1 to 255. The default value is255.

-m time Specifies the time to waitbefore sending the nextICMPv6 Echo Requestmessage.

Each time the source sendsan ICMPv6 Echo Requestmessage using the pingipv6 command, the sourcewaits a period of time (2000ms by default) beforesending the next ICMPv6Echo Request message. Youcan set the time to waitbefore sending the nextICMPv6 Echo Requestmessage using the parametertime. In the case of poornetwork condition, the valueshould be equal to or largerthan 2000, in milliseconds.

The value is an integer that rangesfrom 1 to 10000, in milliseconds.The default value is 2000.

-name Displays the name of thedestination host.

-

-s packetsize Specifies the length of anICMPv6 Echo Requestmessage, excluding the IPheader and ICMPv6 header.

The value is an integer that rangesfrom 20 to 9600, in bytes. Thedefault value is 56.



204


-t timeout Specifies the timeout periodto wait for an ICMPv6 EchoReply message after anICMPv6 Echo Requestmessage is sent.

After the ping ipv6command is run, the sourcesends an ICMPv6 EchoRequest message to adestination and waits for anICMPv6 Echo Replymessage. If the destination,after receiving the ICMPv6Echo Request message,returns an ICMPv6 EchoReply message to the sourcewithin the period specifiedby the parameter timeout, thedestination is reachable. Ifthe destination does notreturn an ICMPv6 EchoReply message within thespecified period, the sourcedisplays that the messagetimes out. Normally, thesource receives an ICMPv6Echo Reply message within1 to 10 seconds after sendingan ICMPv6 Echo Requestmessage. If the transmissionspeed is low, properlyprolong the timeout period.


-tc traffic-class-value Specifies the trafficclassification in the ICMPv6Echo Request message.

To configure traffic controlfor ICMPv6 packets, set theparameter traffic-class-value.



Specifies the name of a VPNinstance for the IPv6 addressfamily.

The value is a string of 1 to 31characters without spaces.



205


destination-ipv6-address Specifies the IPv6 address ofthe destination host.


host Specifies the name of thedestination host.


-i interface-type interface-number

Specifies the outboundinterface for sendingICMPv6 Echo Requestmessages.

-

ViewsAll views



The ping ipv6 command is a widely used debugging tool for checking network connectivity andhost reachability on an IPv6 network by transmitting ICMPv6 messages. It can detect thefollowing items:l Availability of the remote devicel Round-trip delay in communication between the local and remote devicesl Packet loss rate

You can run the ping ipv6 command to check the IPv6 network connectivity or line quality inthe following scenarios:l Scenario 1: Check the protocol stack on the local device. You can run the ping ipv6 IPv6-

loopback-address command to check whether the TCP/IP protocol stack works properlyon the local device.

l Scenario 2: Check whether the destination IPv6 host is reachable on an IPv6 network. Youcan run the ping ipv6 host command to send an ICMPv6 Echo Request message to thedestination host. If a reply is received, the destination host is reachable.

l Scenario 3: Check whether the peer is reachable on a Layer 3 VPN. On a Layer 3 VPN,devices may not have routing information about each other. Therefore, you cannot use theping ipv6 host command to check whether the peer is reachable. When a VPN instancename is specified, you can run the ping ipv6 vpn6-instance vpn6-instance-name hostcommand to send an ICMPv6 Echo Request message to the peer. If the peer returns anICMPv6 Echo Reply message, the peer is reachable.

l Scenario 4: In the case of an unstable network, you can run the ping ipv6 -c count -ttimeout { destination-ipv6-address | host } command to check the quality of the network



206

between the local device and the peer. By analyzing the packet loss rate and average delayin the command output, you can evaluate the network quality. If the network is unreliable,set the packet transmission count (-c) and timeout (-t) to the upper limits. This makes thetest result accurate.

Prerequisites

l Before running the ping ipv6 command, ensure that the ICMPv6 module is workingproperly.

l If -vpn6-instance is specified, ensure that the VPN module is working properly.


l When the destination host is unreachable, the system displays "Request time out" indicatingthat the ICMPv6 Echo Request message times out and displays statistics collected by theIPv6 ping test.

Precautions

l If an intermediate device is disabled from responding to ICMPv6 messages, detection onthis node fails.

l If the IPv6 address of the destination host maps the local address, specify the name of thelocal outbound interface through which the ICMPv6 Echo Request message is sent.Otherwise, reply to the ping ipv6 command times out.

l If a fault occurs in the IPv6 ping process, you can press Ctrl+C to terminate the IPv6 pingoperation.

Example# Check whether the host with the IPv6 address as 2001::1 is reachable.

<HUAWEI> ping ipv6 2001::1 PING 2001::1 : 56 data bytes, press CTRL_C to break Reply from 2001::1 bytes=56 Sequence=1 hop limit=64 time=115 ms Reply from 2001::1 bytes=56 Sequence=2 hop limit=64 time=1 ms Reply from 2001::1 bytes=56 Sequence=3 hop limit=64 time=1 ms Reply from 2001::1 bytes=56 Sequence=4 hop limit=64 time=1 ms Reply from 2001::1 bytes=56 Sequence=5 hop limit=64 time=1 ms ---2001::1 ping statistics--- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max=1/23/115 ms

Table 11-1 Description of the ping ipv6 command output

Item Description

PING HH:HH::HH:H IPv6 address of the destination host.

x data bytes Length of a sent ICMPv6 Echo Request message.

press CTRL_C to break The ongoing IPv6 ping test is terminated after you press Ctrl+C.



207

Item Description

Reply fromHH:HH::HH:H

The destination host responds to the ICMPv6 Echo Requestmessage with an ICMPv6 Echo Reply message that contains thefollowing items:l bytes: indicates the length of the ICMPv6 Echo Reply message.l sequence: indicates the sequence number of the ICMPv6 Echo

Reply message.l hop limit: indicates the TTL of the ICMPv6 Echo Reply

message.l time: indicates the RTT, in milliseconds.If no ICMPv6 Echo Reply message is received after the timeoutperiod, the system displays "Request time out".

HH:HH::HH:H pingstatistics

Statistics collected after the IPv6 ping test on the destination host.The statistics include the following information:l packet(s) transmitted: indicates the number of sent ICMPv6

Echo Request messages.l packet(s) received: indicates the number of received ICMPv6

Echo Reply messages.l % packet loss: indicates the percentage of unresponded

messages to total sent messages.l round-trip min/avg/max: indicates the minimum, average, and

maximum RTTs.

Related Topics11.1.2 tracert ipv6

11.1.2 tracert ipv6

FunctionThe tracert ipv6 command checks the path of packets from the source to the destination, checksIPv6 network connectivity, and locates a network fault.

Formattracert ipv6 [ -a source-ip-address | -f first-hop-limit | -m max-hop-limit | -name | -p port-number | -q probes | -s packetsize | -w timeout | vpn6-instance vpn6-instance-name ] *{ destination-ipv6-address | host-name }



208

Parameters


-a source-ip-address Specifies the source addressof a tracert packet.

If this parameter is notspecified, the IP address ofthe outbound interface is usedas the source IP address forsending tracert packets.

The value is a 32-digithexadecimal number, in the formatof X:X:X:X:X:X:X:X.

-f first-hop-limit Specifies the initial hop-limit.

Carried in the IPv6 header,the hop-limit (time to live)indicates the lifetime of IPv6packets and specifies themaximum number of hopsthat the IPv6 packets can passthrough. The hop-limit fieldin IPv6 packets is similar tothe TTL field in the IPv4packets. The hop-limit valueis set on the source andreduced by 1 each time thepacket passes through a Layer3 device. When the hop-limitvalue is reduced to 0 on aLayer 3 device, the Layer 3device discards the packetand sends an ICMPv6Timeout message to thesource.

If first-hop-limit is specifiedand the number of hops issmaller than the specifiedvalue, the hop-limit value willbe greater than 0 after thepacket passes through all thenodes. Therefore, no ICMPv6Timeout message is sent tothe source.

If max-hop-limit is specified,the value of first-hop-limitmust be smaller than the valueof max-hop-limit.




209


-m max-hop-limit Specifies the maximum hop-limit.

Usually, the maximum hop-limit is set to the number ofhops that a packet passesthrough. To change the hop-limit value, you need to usethis parameter.

If first-hop-limit is specified,the value of max-hop-limitmust be greater than the valueof first-hop-limit.


-name Displays the name of thedestination host.

-

-p port-number Specifies the UDP portnumber of the destination.l If no UDP port number is

specified for thedestination, when you runthe tracert ipv6command, a port with theport number greater than32768 is randomly chosenfor the destination toreceive tracert packets.

l Before specifying theUDP port number for thedestination, ensure thatthe port is not in use;otherwise, the tracert fails.

The value is an integer that rangesfrom 1 to 65535. The default valueis 33434.

-q probes Specifies the number oftracert packets sent each time.

In the case of poor networkquality, you can set probes toa comparatively large valueto ensure that tracert packetscan reach the destination.

The value is an integer that rangesfrom 1 to 65535. The default valueis 3.

-s packetsize Specifies the length of anICMPv6 Echo Requestmessage, excluding the IPheader and ICMPv6 header.

The value is an integer that rangesfrom 20 to 9600, in bytes. Thedefault value is 56.



210


-w timeout Sets the timeout period towait for a reply.

If a tracert packet times outwhen reaching a gateway, anasterisk (*) is displayed.

In the case of poor networkquality and a low networktransmission rate, you areadvised to prolong thetimeout period.



Specifies the name of a VPNinstance for the IPv6 addressfamily.

The value is a string of 1 to 31 case-sensitive characters.

destination-ipv6-address Specifies the IPv6 address ofthe destination host.

The value is a 32-digithexadecimal number, in the formatof X:X:X:X:X:X:X:X.

host-name Specifies the name of thedestination host.


Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

When a fault occurs on the network and the peer is an IPv6 device, you can run the ping ipv6command to check network connectivity based on the reply message, and then run the tracertipv6 command to locate the fault.

You can specify different parameters in the tracert ipv6 command for different scenarios:

l To check information about nodes between the source and the IPv6 destination, run thetracert ipv6 host command.

l To check information about nodes between the source and the IPv6 destination on a Layer3 VPN, run the tracert ipv6 vpn6-instance vpn6-instance-name host command. On aLayer 3 VPN, devices may not have routing information about each other. Therefore, youcannot use the tracert ipv6 host command to check whether the peer is reachable. To checkinformation about nodes between the source and the IPv6 destination in a specified VPNinstance, run the tracert ipv6 vpn6-instance vpn6-instance-name host command.



211

l On an unstable network, you can run the tracert ipv6 -q probes -w timeout host commandto check information about nodes between the source and the IPv6 destination. If thenetwork is unreliable, set the packet transmission count (-q) and timeout (-w) to the upperlimits. This makes the test result accurate.

l To check information about nodes along a segment of a path, run the tracert ipv6 -f first-hop-limit -m max-hop-limit host command that has initial hop-limit and maximum hop-limit specified.

Prerequisites

l The UDP module of each node is working properly; otherwise, the IPv6 tracert operationfails.

l The VPN module of each node is working properly if vpn6-instance is specified.

l The ICMPv6 module of each node is working properly; otherwise, " * * * " is displayed.

Procedure

The execution process of the tracert ipv6 command is as follows:

l The source sends a packet with the hop-limit being 1. After the hop-limit times out, thefirst hop sends an ICMPv6 Error message to the source, indicating that the packet cannotbe forwarded.

l The source sends a packet with the hop-limit being 2. After the hop-limit times out, thesecond hop sends an ICMPv6 Error message to the source, indicating that the packet cannotbe forwarded.

l The source sends a packet with the hop-limit being 3. After the hop-limit times out, thethird hop sends an ICMPv6 Error message to the source, indicating that the packet cannotbe forwarded.

l The preceding process proceeds until the packet reaches the destination.

When receiving an IPv6 packet, each destination hop cannot find the port specified in the IPv6packet, and therefore returns an ICMPv6 Port Unreachable message, indicating that thedestination port is unreachable and the IPv6 tracert ends. In this manner, the result of each probeis displayed on the source, according to which you can find the path from the source to thedestination.


If a fault occurs when you run the tracert ipv6 command, the following information may bedisplayed:

l !H: The host is unreachable.

l !N: The network is unreachable.

l !: The port is unreachable.

l !P: The protocol type is incorrect.

l !F: The packet is incorrectly fragmented.

l !S: The source route is incorrect.

Precautions

By default, the ICMPv6 module is automatically enabled after you enable the IPv6 module.



212

Example# Set the number of packets to be sent to 5 and timeout period to 8000 ms, and tracert the gatewaysfrom the source to the destination at 3002::3.

<HUAWEI> tracert ipv6 -q 5 -w 8000 3002::3traceroute to 3002::3 30 hops max,60 bytes packet1 2002::2 26 ms 23 ms 26 ms 30 ms 29 ms 2 3002::3 3020 ms 3024 ms 4040 ms 6820 ms 5584 ms

# Tracert the gateways from the source to the destination at 3002::3 on a specified VPN.

<HUAWEI> tracert ipv6 vpn6-instance vsi6 3002::3traceroute to vsi6 3002::3 30 hops max,60 bytes packet 1 2002::2 26 ms 23 ms 26 ms 2 3002::2 3020 ms !H 3024 ms !H 4040 ms !H

Table 11-2 Description of the tracert ipv6 command output

Item Description

traceroute to HH:HH::HH:H IPv6 address of the destination host.

x hops max Maximum hop-limit value.

x bytes packet Length of a tracert packet.

12

Sequence number of the received ICMPv6Echo Reply message.

HH:HH::HH:H Address of the IPCMPv6 Echo Replymessage.

26 ms 23 ms 26 ms RTT, in milliseconds.

Related Topics11.1.1 ping ipv6

11.2 NTP Compatible Commands

11.2.1 ntp-service authentication-keyid

FunctionThe ntp-service authentication-keyid command sets NTP authentication key.

By default, no authentication key is set.

Formatntp-service authentication-keyid key-id authentication-mode { md5 | hmac-sha256 }plain password-plain



213

Parameters


key-id Indicates the key number. Key ID is an integer andranges from 1 to4294967295.

authentication-mode md5 Indicates MD5 authenticationmode.

-

authentication-mode hmac-sha256

Indicates HMAC-SHA256authentication mode.

-

plain password-plain Indicates that the configuredpassword is displayed in plaintext, and specifies the plain-text password.

NOTICEIf plain is selected, the passwordis saved in the configuration filein plain text. This brings securityrisks. It is recommended thatyou select cipher to save thepassword in cipher text.

The password is a string of 1to 255 case-sensitivecharacters without spaces.

Views

System view

Default Level


Usage Guidelines

Usage Scenario

On a network that requires high security, the NTP authentication must be enabled. You canconfigure password authentication between client and server, which guarantee the client only tosynchronize with server successfully authenticated, and improve network security. If the NTPauthentication function is enabled, a reliable key should be configured at the same time. Keysconfigured on the client and the server must be identical.

NOTE

In NTP symmetric peer mode, the symmetric active peer functions as a client and the symmetric passivepeer functions as a server.

Follow-up Procedure

You can configure multiple keys for each device. After the NTP authentication key is configured,you need to set the key to reliable using the ntp-service reliable authentication-keyidcommand. If you do not set the key to reliable, the NTP key does not take effect.



214

Precautions

You can configure a maximum of 1024 keys for each device.

If the NTP authentication key is a reliable key, it automatically becomes unreliable when youdelete the key. You do not need to run the undo ntp-service reliable authentication-keyidcommand.

Example

# Set authentication text to abc in MD5 authentication with plain option.

<HUAWEI> system-view[HUAWEI] ntp-service authentication-keyid 10 authentication-mode md5 plain abc

11.3 SNMP Compatible Commands

11.3.1 snmp-agent usm-user

Function

The snmp-agent usm-user command adds a user to an SNMP user group.

The undo snmp-agent usm-user command deletes a user from an SNMP user group.

By default, the SNMP user group has no users added.

Format

snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha }password [ privacy-mode { des56 | aes128 } encrypt-password ] ] [ acl acl-number ]

undo snmp-agent usm-user v3 user-name group-name [ engineid engineid | local ]

Parameters


v3 Indicates that the security mode in v3is adopted.

-

user-name Specifies the name of a user. It is a string of 1 to 32 case-sensitive characters withoutspaces.

group-name Specifies the name of the group towhich a user belongs.

It is a string of 1 to 32 case-sensitive characters withoutspaces.



215


authentication-mode Sets the authentication mode.NOTE

Authentication is a process in which theSNMP agent (or the NMS) confirms thatthe message is received from anauthorized NMS (or SNMP agent) andthe message is not changed duringtransmission. RFC 2104 defines Keyed-Hashing for Message AuthenticationCode (HMAC), an effective tool that usesthe security hash function and key togenerate the message authenticationcode. This tool is widely used in theInternet. HMAC used in SNMP includesHWAC-MD5-96 and HWAC-SHA-96.The hash function of HWAC-MD5-96 isMD5 that uses 128-bit authKey togenerate the key. The hash function ofHWAC-SHA-96 is SHA-1 that uses 160-bit authKey to generate the key.

-

md5 | sha Indicates the authentication protocol.l md5: Specifies HMAC-MD5-96

as the authentication protocol.l sha: Specifies HMAC-SHA-96 as

the authentication protocol.

-

password Specifies the password for userauthentication.

For plain-text password, thevalue is a string of 6 to 64characters by default, and theminimum length is 6characters. If the set passwordmin-length command is run toset the minimum length ofpasswords to a value greaterthan 6, the minimum length isthe value configured using theset password min-lengthcommand. For cipher-textpassword, the value is a stringof 32 to 104 characters.

NOTEThe password cannot be the sameas the user name or reverse of theuser name. The password mustcontain at least two types ofcharacters, including letters,digits, and special characters. Thespecial characters cannot bequestion mark (?) or space.



216


privacy-mode Specifies the authentication withencryption.

The system adopts the cipher blockchaining (CBC) code of the dataencryption standard (DES) and uses128-bit privKey to generate the key.The NMS uses the key to calculate theCBC code and then adds the CBCcode to the message while the SNMPagent fetches the authentication codethrough the same key and thenobtains the actual information. Likethe identification authentication, theencryption requires the NMS and theSNMP agent to share the same key toencrypt and decrypt the message.

-

des56 | aes128 Indicates the encryption protocol. -

encrypt-password Indicates the encryption password. For plain-text password, thevalue is a string of 6 to 64characters by default, and theminimum length is 6characters. If the set passwordmin-length command is run toset the minimum length ofpasswords to a value greaterthan 6, the minimum length isthe value configured using theset password min-lengthcommand. For cipher-textpassword, the value is a stringof 32 to 104 characters.

NOTEThe password cannot be the sameas the user name or reverse of theuser name. The password mustcontain at least two types ofcharacters, including letters,digits, and special characters. Thespecial characters cannot bequestion mark (?) or space.

acl acl-number Specifies the ACL number of theaccess view.


engineid engineid Specifies the ID of the engineassociated with a user.

The value is a string of 10 to 64case-insensitive characterswithout spaces.

local Indicates the local entity user. -



217

ViewsSystem view



SNMPv1 and SNMPv2c have serious defects in terms of security. The security authenticationmechanism used by SNMPv1 and SNMPv2c is based on the community name. In thismechanism, the community name is transmitted in plain text. You are not advised to useSNMPv1 and SNMPv2c on untrusted networks.

By adopting the user-based security model, SNMPv3 eradicates the security defects in SNMPv1and SNMPv2c and provides two services, authentication and encryption. The user-based securitymodel defines three security authentication levels: noAuthNoPriv, AuthNoPriv, and AuthPriv.

NOTE

The security authentication level noAuthPriv does not exist. This is because the generation of a key is basedon the authentication information and product information.

Different from SNMPv1 and SNMPv2c, SNMPv3 can implement access control, identityauthentication, and data encryption through the local processing model and user security model.SNMPv3 can provide higher security and confidentiality than SNMPv1 and SNMPv2c. Thefollowing table lists the difference between SNMPv1, SNMPv2c, and SNMPv3:

Table 11-3 Comparison in the security of SNMP of different versions

Protocol version User Checksum Encryption Authentication

v1 Adopts thecommunity name.

None None

v2c Adopts thecommunity name.

None None

v3 Adopts user name-based encryption/decryption.

Yes Yes

The snmp-agent group command can be used to configure the authentication, encryption, andaccess rights for an SNMP group. The snmp-agent group command can be used to configurethe rights for users in a specified SNMP group and bind the SNMP group to a MIB view. TheMIB view is created through the snmp-agent mib-view command. For details, see the usageguideline of this command. After an SNMP user group is configured, the MIB-view-based accesscontrol is configured for the SNMP user group. Users cannot access objects in the MIB viewthrough the SNMP user group. The purpose of adding SNMP users to an SNMP user group isto ensure that SNMP users in an SNMP user group have the same security level and accesscontrol list. When you run the snmp-agent usm-user command to configure a user in an SNMP



218

user group, you configure the MIB-view-based access rights for the user. If an SNMP user groupis configured with the AuthPriv access rights, you can configure the authentication mode andencryption mode when configuring SNMP users. Currently, you can set the authenticationmode to MD5 or SHA and the privacy mode to AES128 or DES56. When setting theauthentication key on the managed object, you can set whether to encrypt packets. Note that theauthentication keys and encryption passwords configured on the NMS and the SNMP agentshould be the same; otherwise, authentication fails.

NOTE

AES128 algorithm is recommeded to improve data transmission security.


If an SNMP agent is configured with a remote user, the engine ID is required during theauthentication. If the engine ID changes after the remote user is configured, the remote userbecomes invalid.

Precautions

The user security level must be higher than or equal to the security level of the SNMP user groupto which the user is added.

The security level of an SNMP user group can be (in descending order):l Level 1: privacy (authentication and encryption)l Level 2: authentication (without encryption)l Level 3: none (neither authentication nor encryption)

For example, if the security level of an SNMP user group is level 1, the security level of the userthat is added to the group must be level 1; if the security level of an SNMP user group is level2, the security level of the user that is added to the group can be level 1 or level 2.

To add an SNMP user to an SNMP group, ensure that the SNMP user group is valid.

If you run the snmp-agent usm-user command multiple times, only the latest configurationtakes effect.

Keep your user name and plain-text password well when creating the user. The plain-textpassword is required when the NMS accesses the device.

Example# Configure an SNMPv3 user with user name u1, group name g1, authentication mode md5,authentication password 8937561bc, encryption mode aes128, and encryption password68283asd.

<HUAWEI> system-view[HUAWEI] snmp-agent usm-user v3 u1 g1 authentication-mode md5 8937561bc privacy-mode aes128 68283asd



219

12 MPLS compatible command

About This Chapter

NOTE

Only the S5700HI, S5710HI, and S5710EI support MPLS.

12.1 explicit-path

12.2 mpls te bypass-tunnel bandwidth

12.3 snmp-agent trap enable feature-name ldp

12.4 static-cr-lsp ingress bandwidth

12.5 static-cr-lsp transit bandwidth

12.6 bandwidth (LSP attribute view)

12.7 mpls te bandwidth

S2750&S5700&S6700 Series Ethernet SwitchesCompatible Commands Reference 12 MPLS compatible command


220

12.1 explicit-path

Function

Using the explicit-path command, you can configure an explicit path of a tunnel.

By default, no explicit path of a tunnel is configured.

Format

explicit-path path-name { enable | disable }

Parameters


path-name Indicates the name of an explicit path. The value is a string of 1 to 31 characters.

enable Enables the explicit path of a tunnel. -

disable Disables the explicit path of a tunnel. -

Views

System view

Default Level


Usage Guidelines

You can configure an explicit path only after MPLS TE is enabled.

The addresses of the hops along the explicit path cannot overlap or loops cannot occur. If a loopoccurs, CSPF detects the loop and fails to calculate the path.

When the explicit path is in use, you cannot perform the following operations:

l Run the explicit-path path-name disable command to disable the explicit path.

l Run the undo explicit-path command to delete the explicit path.

Example

# Create an explicit path named path1.

<HUAWEI> system-view[HUAWEI] mpls[HUAWEI-mpls] mpls te[HUAWEI-mpls] quit[HUAWEI] explicit-path path1 enable[HUAWEI-explicit-path-path1]



221

12.2 mpls te bypass-tunnel bandwidth

Function

Using the mpls te bypass-tunnel bandwidth command, you can configure the bypass LSPbandwidth.

By default, no bypass LSP bandwidth is configured.

Format

mpls te bypass-tunnel bandwidth { bandwidth | { bc0 | bc1 } { bandwidth | un-limited } }

Parameters


bandwidth Specifies the bandwidth that the bypasstunnel can protect.

The value is an integer that rangesfrom 1 to 32000000, in kbit/s.

bc0 Indicates the BC0 bandwidth (globalbandwidth) that the bypass tunnel canprotect.

-

bc1 Indicates the BC1 bandwidth(subaddress pool bandwidth) that thebypass tunnel can protect.

-

un-limited Indicates that there is no limit on the totalbandwidth that can be protected.

-

Views

Tunnel interface view

Default Level


Usage Guidelines

The total bandwidth of LSPs protected by the bypass tunnel is not more than the bandwidth ofthe primary tunnel. When multiple bypass tunnels exist, the system selects a single bypass tunnelthrough the best-fit algorithm.

The total bandwidth of all the LSPs protected by the bypass tunnel is not greater than thebandwidth of the primary tunnel. When multiple bypass tunnels exist, the system determines thebypass tunnel through the best-fit algorithm.



222

Example

# Configure Tunnel 0/0/1 to protect the LSPs that use the BC0 bandwidth and set no limit onthe bandwidth to be protected.

<HUAWEI> system-view[HUAWEI] interface tunnel 0/0/1[HUAWEI-Tunnel0/0/1] tunnel-protocol mpls te[HUAWEI-Tunnel0/0/1] destination 2.2.2.2[HUAWEI-Tunnel0/0/1] mpls te tunnel-id 100[HUAWEI-Tunnel0/0/1] mpls te bypass-tunnel bandwidth bc0 un-limited[HUAWEI-Tunnel0/0/1] mpls te commit

12.3 snmp-agent trap enable feature-name ldp

Function

The snmp-agent trap enable feature-name ldp command enables the trap for the MPLS LDPmodule.

The undo snmp-agent trap enable feature-name ldp command disables the trap for the MPLSLDP module.

By default, the trap is disabled for the MPLS LDP module.

Format

snmp-agent trap enable feature-name ldp trap-name { session-down | session-up }

undo snmp-agent trap enable feature-name ldp trap-name { session-down | session-up }

Parameters


trap-name Enables the trap of MPLS LDP events of a specified type. -

session-down Enables the trap of the event that an LDP session goes Down in theMIB.

-

session-up Enables the trap of the event that an LDP session goes Up in the MIB. -

Views

System view

Default Level




223

Usage Guidelines

Run the snmp-agent trap enable feature-name ldp command to enable the LDP session trap.Currently, all traps of the MPLS LDP module are non-excessive trap. The frequent LDP sessionstatus changes do not trigger a large number of traps.

Example

# Enable the trap of the event that an LDP session is reestablished.

<HUAWEI> system-view[HUAWEI] snmp-agent trap enable feature-name ldp trap-name session-up

12.4 static-cr-lsp ingress bandwidth

Function

Using the static-cr-lsp ingress bandwidth command, you can configure a static CR-LSP andspecify its bandwidth on the ingress LSR.

By default, no static CR-LSP on the ingress LSR is configured.

Format

static-cr-lsp ingress { tunnel-interface tunnel interface-number | tunnel-name } destinationdestination-address { nexthop next-hop-address | outgoing-interface interface-type interface-number } * out-label out-label bandwidth { bc0 | bc1 } bandwidth

Parameters


tunnel-interface tunnelinterface-number

Specifies the tunnel interfaceof a static CR-LSP. interface-number indicates the tunnelinterface number.

-

tunnel-name Specifies the name of a CR-LSP.

The name is a string of 1 to19 case-sensitive characters,spaces and abbreviation notsupported. If you use theinterface Tunnel 0/0/2command to create a tunnelinterface for a static CR-LSP,the tunnel name in the static-cr-lsp ingress command mustbe formatted as"Tunnel0/0/2", otherwise, thetunnel cannot be created.There is no such a limit for thetransit node and egress node.



224


destination destination-address

Specifies the destination IPaddress of a static CR-LSP.

-

nexthop next-hop-address Specifies the next-hop IPaddress of a static CR-LSP.

-

outgoing-interfaceinterface-type interface-number

Specifies the type and numberof an outgoing interface. Thisparameter is only applicable toa P2P link.

-

out-label out-label Specifies the value of anoutgoing label.

out-label is an integer rangingfrom 16 to 1048575.

bc0 Specifies BC0 bandwidth of astatic CR-LSP.

-

bc1 Specifies BC1 bandwidth of astatic CR-LSP.

-

bandwidth Specifies the bandwidthrequired by a CR-LSP.

The value ranges from 0 to4000000000, in kbit/s. Thedefault value is 0.

Views

System view

Default Level


Usage Guidelines

Before setting up an MPLS TE tunnel through a static CR-LSP, configure a static route or anIGP to ensure connectivity between LSRs, and enable basic MPLS and MPLS TE functions.

Example

# Configure the static CR-LSP named Tunnel0/0/1, with the destination IP address being10.1.3.1, the next-hop address being 10.1.1.2, the outgoing label being 237, and the requiredbandwidth being 20 kbit/s from BC0 on the ingress.

<HUAWEI> system-view[HUAWEI] static-cr-lsp ingress tunnel-interface Tunnel0/0/1 destination 10.1.3.1 nexthop 10.1.1.2 out-label 237 bandwidth bc0 20

12.5 static-cr-lsp transit bandwidth



225

FunctionUsing the static-cr-lsp transit bandwidth command, you can configure a static CR-LSP andspecify its bandwidth on a transit LSR.

By default, no static CR-LSP on a transit LSR is configured.

Formatstatic-cr-lsp transit lsp-name incoming-interface interface-type interface-number in-label in-label { nexthop next-hop-address | outgoing-interface interface-type interface-number } * out-label out-label bandwidth { bc0 | bc1 } bandwidth [ description description ]

Parameters


lsp-name Specifies the CR-LSP name. The name is a string of 1 to19 case-sensitive characters,spaces not supported.

incoming-interfaceinterface-type interface-number

Specifies the name of anincoming interface.

-

in-label in-label Specifies the value of anincoming label.

An integer ranging from 16to 1023

nexthop next-hop-address Specifies the next-hop address. -

outgoing-interfaceinterface-type interface-number

Specifies the name of anoutgoing interface.

-

out-label out-label Specifies the value of anoutgoing label.

An integer ranging from 16to 1048575.

bc0 Obtains the bandwidth fromBC0.

-

bc1 Obtains the bandwidth fromBC1.

-

ViewsSystem view


Usage GuidelinesBefore setting up an MPLS TE tunnel through a static CR-LSP, configure a static route or anIGP to ensure connectivity between LSRs, and enable basic MPLS and MPLS TE functions.



226

Example

# Configure the static CR-LSP named tunnel34, with the incoming interface beingVLANIF10, the incoming label being 123, the outgoing interface being VLANIF20, theoutgoing label as 253, the required BC0 bandwidth being 20 kbit/s on the transit node.

<HUAWEI> system-view[HUAWEI] static-cr-lsp transit tunnel34 incoming-interface vlanif 10 in-label 123 outgoing-interface vlanif 20 out-label 253 bandwidth bc0 20

12.6 bandwidth (LSP attribute view)

Function

The bandwidth command configures the bandwidth in the CR-LSP attribute template.

The undo bandwidth command deletes the bandwidth in the CR-LSP attribute template.

By default, no bandwidth in the CR-LSP attribute template is configured.

Format

bandwidth ct0 ct0-bandwidth ct1 ct1-bandwidth

bandwidth ct1 ct1-bandwidth ct0 ct0-bandwidth

undo bandwidth ct0 ct1

undo bandwidth ct1 ct0

Parameters


ct0 ct0-bandwidth Specifies the bandwidth of an LSPof CT0.

The value is an integer that rangesfrom 1 to 4000000000, in kbit/s. Bydefault, the bandwidth is 0 kbit/s.











227








ViewsLSP attribute view


Usage GuidelinesA static TE tunnel does not support the multi-CT configuration.

On a single TE tunnel interface, the multi-CT bandwidth cannot be configured with the followingfeatures:

l CSPF tie-breakingl Bypass tunnel attributes

The preceding constraints do not apply to the single CT configuration for a TE tunnel.

NOTE

If the bandwidth required for a CR-LSP is more than 67,105 kbit/s, it is recommended that additional onethousandth of the required bandwidth be reserved.

Example# Configure the bandwidth of an LSP of CT0 as 20 kbit/s in the CR-LSP attribute template.

<HUAWEI> system-view[HUAWEI] lsp-attribute lsp-attribute-name[HUAWEI-lsp-attribute-lsp-attribute-name] bandwidth ct0 20

12.7 mpls te bandwidth

FunctionThe mpls te bandwidth command sets the bandwidth of an MPLS TE tunnel.

The undo mpls te bandwidth command restores the default settings.



228

The bandwidth of an MPLS TE tunnel is not set by default.

Formatmpls te bandwidth ct0 ct0-bw-value ct1 ct1-bw-value

mpls te bandwidth ct1 ct1-bw-value ct0 ct0-bw-value

undo mpls te bandwidth ct0 ct1

undo mpls te bandwidth ct1 ct0

undo mpls te bandwidth ct0 ct0-bw-value ct1 ct1-bw-value

undo mpls te bandwidth ct1 ct1-bw-value ct0 ct0-bw-value

Parameters


ct0 ct0-bw-value Specifies the bandwidth reserved fora TE tunnel of CT0.

ct0-bw-value is an integer that rangesfrom 1 to 4000000000, in kbit/s.

ct1 ct1-bw-value Specifies the bandwidth reserved fora TE tunnel of CT1.

ct1-bw-value is an integer that rangesfrom 1 to 4000000000, in kbit/s.

ViewsTunnel interface view


Usage GuidelinesA static TE tunnel does not support the multi-CT configuration.

On a single TE tunnel interface, the multi-CT bandwidth cannot be configured with the followingfeatures:

l CSPF tie-breakingl Bypass tunnel attributes

NOTE

The configured bandwidth takes effect only during tunnel establishment and protocol negotiation, and doesnot limits the bandwidth for traffic forwarding.

Example# Set the bandwidth required by Tunnel1. The bandwidth of CT0 is 2 Mbit/s.

<HUAWEI> system-view[HUAWEI] mpls lsr-id 1.1.1.1[HUAWEI] mpls[HUAWEI-mpls] mpls te



229

[HUAWEI-mpls] quit[HUAWEI] interface tunnel 1[HUAWEI-Tunnel1] tunnel-protocol mpls te[HUAWEI-Tunnel1] destination 2.2.2.2[HUAWEI-Tunnel1] mpls te tunnel-id 100[HUAWEI-Tunnel1] mpls te bandwidth ct0 2000[HUAWEI-Tunnel1] mpls te commit



230

13 VPN compatible command

About This Chapter

13.1 display bgp vpnv6 brief

13.2 display bgp vpnv6 vpn6-instance brief

13.3 display bgp vpnv6 vpn6-instance routing-table

13.4 display bgp vpnv6 vpn6-instance routing-table statistics

13.5 display ipv6 prefix-limit statistics

13.6 display ipv6 routing-table limit

13.7 display ipv6 routing-table vpn6-instance

13.8 display ipv6 vpn6-instance

13.9 link-alive

13.10 mpls l2vpn traffic-statistics capability enable

S2750&S5700&S6700 Series Ethernet SwitchesCompatible Commands Reference 13 VPN compatible command


231

13.1 display bgp vpnv6 brief

Function

The display bgp vpnv6 brief command displays brief information about IPv6 VPN instances.

Format

display bgp vpnv6 vpn6-instance vpn-instance-name brief

Parameters


all Displays information about allVPNv6 instances.

-

vpn6-instance vpn-instance-name

Specifies the name of a VPNv6instance.


Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the display bgp vpnv6 brief command is used to display information about VPNv6instances, the VPNv6 instances are displayed and arranged alphabetically by name.

Example

# Display brief information about VPNv6 and all IPv6 VPN instances.

<HUAWEI> display bgp vpnv6 vpn6-instance brief VPN-Instance(IPv6-family): VPN-Instance Name Peer Num Route Num vpna 0 0



232

Table 13-1 Description of the display bgp vpnv6 all brief command output

Item Description

Peer Num Number of peers.

Route Num Number of routes.

VPN-Instance Name Name of a VPN instance.

13.2 display bgp vpnv6 vpn6-instance brief

FunctionThe display bgp vpnv6 vpn6-instance brief command displays brief information about IPv6VPN instances.

Formatdisplay bgp vpnv6 vpn6-instance vpn6-instance-namebrief

Parameters


vpn6-instance-name Specifies the name of a IPv6 VPNv6instance.


ViewsAll views


Usage GuidelinesAfter the display bgp vpnv6 vpn6-instance brief command is used to display information aboutVPNv6 instances, the VPNv6 instances are displayed and arranged alphabetically by name.

Example# Display brief information about VPNv6 and all IPv6 VPN instances.

<HUAWEI> display bgp vpnv6 vpn6-instance vrf0 brief

VPN-Instance(IPv6-family): VPN-Instance Name Peer Num Route Num vrf0 1 2



233

Table 13-2 Description of the display bgp vpnv6 all brief command output

Item Description

Peer Num Number of peers.

Route Num Number of routes.

VPN-Instance Name Name of a VPN instance.

13.3 display bgp vpnv6 vpn6-instance routing-table

FunctionThe display bgp vpnv6 vpn6-instance routing-table command displays BGP VPNv6 routes.

Formatdisplay bgp vpnv6 vpn6-instance vpn6-instance-name routing-table [ ipv6-address [ prefix-length ] ]

display bgp vpnv6 vpn6-instance vpn6-instance-name routing-table as-path-filter { as-path-filter-number | as-path-filter-name }

display bgp vpnv6 vpn6-instance vpn6-instance-name routing-table community[ community-number | aa:nn ] &<1-29> [ internet | no-advertise | no-export | no-export-subconfed ] * [ whole-match ]

display bgp vpnv6 vpn6-instance vpn6-instance-name routing-table community-filter{ { community-filter-name | basic-community-filter-number } [ whole-match ] | advanced-community-filter-number }

display bgp vpnv6 vpn6-instance vpn6-instance-name routing-table different-origin-as

display bgp vpnv6 vpn6-instance vpn6-instance-name routing-table regular-expression as-regular-expression

display bgp vpnv6 vpn6-instance vpn6-instance-name routing-table peer ipv6-address{ advertised-routes [ ipv6–address [ prefix-length [ longer-prefixes ] ] ] | received-routes[ active ] }

Parameters


vpn6-instance Displays the BGP routes of aspecified an IPv6 addressfamily-enabled VPN instanceon the local end.


route-distinguisher route-distinguisher

Displays the BGP routes withthe specified RD.

-



234


ipv6-address Specifies the IPv6 address of apeer to be displayed.

-

prefix-length Specifies the prefix length ofan IPv6 address.

-

as-path-filter as-path-filter-number

Specifies the number of anAS_Path filter.

The value of as-path-filter-number is an integer thatranges from 1 to 256.

as-path-filter-name Specifies the name of thematching AS-Path filter.

The value is case-sensitive.

community Displays the routes carryingthe specified BGP communityattribute in the routing table.

-

community-number Specifies the communitynumber.

-

aa:nn Specifies the communitynumber. A maximum of 29community numbers can beset.

-

internet Displays the BGP routescarrying the Internetcommunity attribute.

-

no-advertise Displays the BGP routescarrying the No-Advertisecommunity attribute.

-

no-export Displays the BGP routescarrying the No-Exportcommunity attribute.

-

no-export-subconfed Displays the BGP routescarrying the No-Export-Subconfed communityattribute.

-

whole-match Indicates exact matching. -

community-filter Displays the routes that matcha specified BGP communityfilter.

-

community-filter-name Specifies the name of acommunity filter.

-

basic-community-filter-number

Specifies the number of a basiccommunity filter.

-

advanced-community-filter-number

Specifies the number of anadvanced community filter.

-



235


different-origin-as Displays the routes that havethe same destination addressbut different source ASnumbers.

-


Specifies the regularexpression used to match theAS_Path information.


peer ipv6-address Displays the BGP routes of aspecified peer.

-

advertised-routes Displays the routes advertisedto a specified peer.

-

longer-prefixes Matches any route whoseprefix mask is longer than thespecified length.

-

received-routes Displays the routes receivedfrom a specified peer.

-

active Displays the active routesreceived from a specified peer.

-

ViewsAll views


Usage GuidelinesInformation about specified routes can be displayed by specifying different parameters.

Example# Display the routes of an IPv6 address family-enabled VPN instance named vpn1 on the localdevice.

<HUAWEI> display bgp vpnv6 vpn6-instance vpn1 routing-table

BGP Local router ID is 1.1.1.9 Status codes: * - valid, > - best, d - damped, h - history, i - internal, s - suppressed, S - Stale Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 2 *>i Network : 2001:: PrefixLen : 64 NextHop : 2001::1 LocPrf : MED : 0 PrefVal : 0 Label : Path/Ogn : 65410 ?



236

*>i Network : 2002:: PrefixLen : 64 NextHop : ::FFFF:3.3.3.9 LocPrf : 100 MED : 0 PrefVal : 0 Label : 1037/NULL Path/Ogn : ?

# Display the BGP routes with a specified destination address of an IPv6 address family-enabledVPN instance.

<HUAWEI> display bgp vpnv6 vpn6-instance vrf1 routing-table 2001:: BGP local router ID : 1.1.1.1 Local AS number : 100 Paths: 2 available, 1 best, 1 select BGP routing table entry information of 2001::/64: Imported route. From: :: (0.0.0.0) Route Duration: 1d03h46m24s Direct Out-interface: Vlanif100 Original nexthop: :: AS-path Nil, origin incomplete, MED 0, pref-val 0, valid, local, best, select, pre 0 Advertised to such 1 peers: 2001::1 BGP routing table entry information of 2001::/64: From: 2001::1 (10.10.10.10) Route Duration: 02h39m43s Direct Out-interface: Vlanif100 Original nexthop: 2001::1 AS-path 65410, origin incomplete, MED 0, pref-val 0, external, pre 255 Not advertised to any peer yet

# Display all BGP VPNv6 routes whose AS_Path attribute contains 65420.

<HUAWEI> display bgp vpnv6 all routing-table as-path-filter 1


Total number of routes from all PE: 1

Route Distinguisher: 100:1

*> Network : 2001:: PrefixLen : 64 NextHop : 2001::1 LocPrf : MED : 0 PrefVal : 0 Label : NULL Path/Ogn : 65420 ?

VPN-Instance vpn1 :

Total Number of Routes: 1 Network : 2001:: PrefixLen : 64 NextHop : 2001::1 LocPrf : MED : 0 PrefVal : 0 Label : Path/Ogn : 65420 ?

# Display BGP4+ routes of the VPN instance named vpn1 whose AS path attribute contains65420.

<HUAWEI> display bgp vpnv6 vpn6-instance vpn1 routing-table as-path-filter 1



237


VPN-Instance vpn1 :


# Display BGP4+ routes of the VPN instance named vpn1 and matching the BGP communityfilter 1.

<HUAWEI> display bgp vpnv6 vpn6-instance vpn1 routing-table community-filter 1 whole-match


VPN-Instance vpn1 :

Total Number of Routes: 2 Network : 2001:: PrefixLen : 64 NextHop : 2001::1 LocPrf : MED : 0 PrefVal : 0 Label : *>i Network : 2002:: PrefixLen : 64 NextHop : ::FFFF:3.3.3.9 LocPrf : 100 MED : 0 PrefVal : 0 Label : 1037/NULL

# Display all BGP4+ routes of the VPN instance named vpn1 and matching the AS regularexpression.

<HUAWEI> display bgp vpnv6 vpn6-instance vpn1 routing-table regular-expression ^65420


VPN-Instance vpn1 : Network : 2001:: PrefixLen : 64 NextHop : 2001::1 LocPrf : MED : 0 PrefVal : 0 Label : Path/Ogn : 65420 ?

# Display all BGP4+ routes of the VPN instance named vpn1 that are received from the peer at2001::1.

<HUAWEI> display bgp vpnv6 vpn6-instance vpn1 routing-table peer 2001::1 received-routes

BGP Local router ID is 1.1.1.9 Status codes: * - valid, > - best, d - damped,



238

h - history, i - internal, s - suppressed, S - Stale Origin : i - IGP, e - EGP, ? - incomplete


# Display BGP4+ routes sent to the peer at 2001::1.

<HUAWEI> display bgp vpnv6 vpn6-instance vpn1 routing-table peer 2001::1 advertised-routes


Total Number of Routes: 1 *>i Network : 2002:: PrefixLen : 64 NextHop : ::FFFF:3.3.3.9 LocPrf : 100 MED : 0 PrefVal : 0 Label : 1037/NULL Path/Ogn : ?

Table 13-3 Description of the display bgp vpnv6 vpn6-instance routing-table command output

Item Description

BGP Local router ID ID of the local BGP router. The ID is in the sameformat as an IPv4 address.

Total number of routes from all PE Total number of BGP VPNv6 routes received bythe switch from its peer PEs.

Network Destination network or host address of the route.

PrefixLen Prefix length of the destination network or hostaddress of the route.

NextHop IPv6 address of the next hop.

LocPrf Local preference of the BGP route. The defaultvalue is 100.

MED MED of the route. The default value is 0.

PrefVal Preferred value of the route.

Label Label carried by the data packet destined for thedestination network or host address of the route.

Duration Route duration.

Peer IP addresses of the peer.

Path/Ogn AS_Path number and Origin attribute of the route.



239

Item Description

Local AS Number Local AS number.

BGP routing table entry information of Information about a specified BGP routing entry.

From IPv6 address of the route originator.

Route Duration Route duration.

Original nexthop Original next hop.

AS-path AS_Path attribute.Nil indicates that the attribute value is null.

origin Origin attribute of the BGP route.The value can be IGP (for example, the routesimported into the BGP routing table by using thenetwork (BGP) command), EGP (the routesobtained by EGP), or Incomplete (the routes whoseorigin cannot be identified, for example, the routesimported into the BGP routing table by using theimport-route command).

MED MED of a route.The MED is used to identify the optimal route forthe traffic entering an AS. The route with thesmallest MED is selected as the optimal route if theother attributes of the routes are the same.

pref-val Preferred value.

valid The BGP route is a valid route.

external The BGP route is a external route.

best The BGP route is the optimal route.

select The BGP route is a preferred route.

Pre 255 The preference of the BGP route is 255.

Not advertised to any peer yet The BGP route has not been advertised to any peer.

13.4 display bgp vpnv6 vpn6-instance routing-tablestatistics

Function

The display bgp vpnv6 vpn6-instance routing-table statistics command displays statisticsabout BGP VPNv6 routes.



240

Formatdisplay bgp vpnv6 vpn6-instance vpn6-instance-name routing-table statistics [ as-path-filter { as-path-filter-number | as-path-filter-name } | different-origin-as ]

display bgp vpnv6 vpn6-instance vpn6-instance-name routing-table statistics regular-expression as-regular-expression

display bgp vpnv6 vpn6-instance vpn6-instance-name routing-table statistics community[ community-number | aa:nn ] &<1-29> [ internet | no-advertise | no-export | no-export-subconfed ] * [ whole-match ]

display bgp vpnv6 vpn6-instance vpn6-instance-name routing-table statistics community-filter { { community-filter-name | basic-community-filter-number } [ whole-match ] | advanced-community-filter-number }

display bgp vpnv6 vpn6-instance vpn6-instance-name routing-table peer ipv6-address{ advertised-routes | received-routes [ active ] } statistics

Parameters


all Displays statistics about allBGP VPNv6 routes.

-

vpn6-instance-name Displays statistics about theBGP routes of a specified VPNinstance.

It is a string of 1 to 31 case-sensitive characters withoutany spaces.

as-path-filter Displays the routes that matchthe specified filter.

-

as-path-filter-number Specifies the number of thematching AS-Path filter.

It is an integer that rangesfrom 1 to 256.

as-path-filter-name Specifies the name of thematching AS-Path filter.

The name is a string of 1 to 51characters without any space.It is case-sensitive.

community Displays statistics about theroutes carrying the specifiedBGP community attribute inthe routing table.

-

community-number Specifies the communitynumber.

It is an integer ranging from 0to 4294967295.

aa:nn Specifies the communitynumber.

Both aa and nn are integersranging from 0 to 65535.

internet Displays statistics about theBGP routes carrying theInternet community attribute.

-



241


no-advertise Displays statistics about theBGP routes carrying the No-Advertise communityattribute.

-

no-export Displays statistics about theBGP routes carrying the No-Export community attribute.

-

no-export-subconfed Displays statistics about theBGP routes carrying the No-Export-Subconfed communityattribute.

-

whole-match Indicates exact matching. -

community-filter Displays statistics about theroutes that match a specifiedBGP community filter.

-

community-filter-name Specifies the name of acommunity filter.

The name is a string of 1 to 51characters without any space.It is case-sensitive.

basic-community-filter-number

Specifies the number of a basiccommunity filter.

It is an integer ranging from 1to 99.

advanced-community-filter-number

Specifies the number of anadvanced community filter.

It is an integer ranging from100 to 199.

different-origin-as Displays statistics about theroutes that have the samedestination address butdifferent source AS numbers.

-


Specifies the regularexpression used to match theAS_Path information.


active Specifies the number of activeroutes.

-

peer ipv6-address Displays statistics about theBGP routes of a specified peer.

-

advertised-routes Displays statistics about theroutes advertised to a specifiedpeer.

-

received-routes Displays statistics about theroutes received from aspecified peer.

-



242

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display statistics about the routes of an IPv6 address family-enabled VPN instance namedvpn1 on the local device.

<HUAWEI> display bgp vpnv6 vpn6-instance vpn1 routing-table statistics

Total Number of Routes: 5

# Display statistics of BGP routes sent by the local device to peer 2000::1 of the IPv6 VPNinstance named vpn1.

<HUAWEI> display bgp vpnv6 vpn6-instance vpn1 routing-table peer 2000::1 received-routes statistics Received routes total: 2

# Display statistics about the IPv6 routes sent by the local device to peer 2000::1 in a VPNinstance named vpn1.

<HUAWEI> display bgp vpnv6 vpn6-instance vpn1 routing-table peer 2000::1 advertised-routes statistics Advertised routes total: 2

Default originated : 0

13.5 display ipv6 prefix-limit statistics

Function

The display ipv6 prefix-limit statistics command displays the statistics of the prefix limits ofIPv6 VPN instances.

Format

display ipv6 prefix-limit { all-vpn6-instance | vpn6-instance vpn-instance-name } statistics

Parameters


all-vpn6-instance Indicates all IPv6 VPN instances. -



243


vpn6-instance vpn-instance-name Specifies the name of an IPv6 VPN instance. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display ipv6 prefix-limit statistics command to view the number of times thata protocol re-adds or deletes routes according to the prefix limit of a specified IPv6 VPN instance.

Example

# Display the statistics of the prefix limits of all IPv6 VPN instances.

<HUAWEI> display ipv6 prefix-limit all-vpn6-instance statistics-------------------------------------------------------------------------------IPv6 VPN instance name: vrf1 DenyAdd TryAddInDelState NotifyDelAll NotifyDelFinish NotifyAddRouteDIRECT 0 0 0 0 0 STATIC 0 0 0 0 0 OSPFv3 11 3 1 0 5IS-IS 106 0 1 0 5RIPng 98 0 1 1 5BGP 2 0 1 1 5------------------------------------------------------------------------------IPv6 VPN instance name: VPN123

DenyAdd TryAddInDelState NotifyDelAll NotifyDelFinish NotifyAddRouteDIRECT 0 0 0 0 0 STATIC 0 0 0 0 0 OSPFv3 11 3 1 0 5IS-IS 106 0 1 0 5RIPng 98 0 1 1 5BGP 2 0 1 1 5

Table 13-4 Description of the display ipv6 prefix-limit statistics command output

Item Description

DenyAdd Number of routes that the protocol fails to add to the RIBbecause of the prefix limit.

TryAddInDelState Number of routes that the protocol fails to add to the RIBbecause the RIB is in the process of deleting routes.

NotifyDelAll Number of times that the RIB notifies the protocol of deletingroutes when the prefix limit is decreased.

NotifyDelFinish Number of times that the protocol notifies the RIB ofcompletion of deleting routes.



244

Item Description

NotifyAddRoute Number of times that the RIB notifies the protocol of re-adding routes.

# Display the statistics of the prefix limit of the IPv6 VPN instance named vrf1.

<HUAWEI> display ipv6 prefix-limit vpn6-instance vrf1 statistics-------------------------------------------------------------------------------IPv6 VPN instance name: vrf1 DenyAdd TryAddInDelState NotifyDelAll NotifyDelFinish NotifyAddRouteDIRECT 0 0 0 0 0STATIC 0 0 0 0 0OSPFv3 11 3 1 0 5IS-IS 106 0 1 0 5RIPng 98 0 1 1 5BGP 2 0 1 1 5

13.6 display ipv6 routing-table limit

Function

The display ipv6 routing-table limit command displays limits on the numbers of routes andprefixes of the IPv6 VPN instance.

Format

display ipv6 routing-table limit { all-vpn6-instance | vpn6-instance vpn-instance-name }

Parameters


all-vpn-instance Indicates all IPv6 VPN instances. -

vpn-instance vpn-instance-name Specifies the name of an IPv6 VPN instance. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None.



245

Example# Display limits on the numbers of routes and prefixes of all IPv6 VPN instances.

<HUAWEI> display ipv6 routing-table limit all-vpn-instance

Limit-Object Limit-Type Upper-Limit Warning Current Log-Interval----------------------------------------------------------------------------------IPv6 VPN Instance Name: VPN1Route Simply-Alert 5000 - 4223 5Prefix Alert-Percent 1000 800 760 5-----------------------------------------------------------------------------------IPv6 VPN Instance Name: VPN1234567890123456789123456789Route Alert-Percent 2000 1000 823 5Prefix Default - - 760 5

Table 13-5 Description of the display ipv6 routing-table limit command output

Item Description

Limit-Object Indicates the object whose total number is limited:l Prefixl Route

Limit-Type Indicates the limit mode for the routes and prefixes inthe current routing table:l Simply-Alert: indicates that only alarms are

generated after the number of routes or prefixesexceeds the upper limit.

l Alert-Percent: indicates the percentage of thealarm threshold of routes.

l Default: indicates that the number of routes orprefixes is not limited by default.

Upper-Limit Indicates the upper limit of routes or prefixes in thecurrent routing table.

Warning Indicates the alarm threshold of routes or prefixes inthe current routing table.

Current Indicates the number of routes or prefixes in thecurrent routing table.

Log-Interval Indicates the frequency of displaying logs when thenumber of routes or prefixes in the current routingtable exceeds the upper limit, in seconds.

# Display limits on the numbers of routes and prefixes of the IPv6 VPN instance named vpn1.

<HUAWEI> display ipv6 routing-table limit vpn-instance vpn1IPv6 VPN Instance Name: vpn1Limit-Object Limit-Type Upper-Limit Warning Current Log-IntervalRoute Simply-Alert 5000 - 4223 5Prefix Alert-Percent 1000 800 760 5



246

13.7 display ipv6 routing-table vpn6-instance

Function

The display ipv6 routing-table vpn6-instance command displays the routing table of the VPNinstance.

Format

display ipv6 routing-table vpn6-instance vpn6-instance-name [ verbose ]

display ipv6 routing-table vpn6-instance vpn6-instance-name acl { acl6-number | acl6-name } [ verbose ]

display ipv6 routing-table vpn6-instance vpn6-instance-name ipv6-address [ prefix-length ][ longer-match ] [ verbose ]

display ipv6 routing-table vpn6-instance vpn6-instance-name ipv6-address1 [ prefix-length1 ] ipv6-address2 prefix-length2 [ verbose ]

display ipv6 routing-table vpn6-instance vpn6-instance-name ipv6-prefix ipv6-prefix-name[ verbose ]

display ipv6 routing-table vpn6-instance vpn6-instance-name statistics

display ipv6 routing-table vpn6-instance vpn6-instance-name protocol protocol [ inactive |verbose ]

Parameters


vpn6-instance-name Specifies the name of an VPNinstance.


verbose Displays detailed informationabout active and inactive routesin the routing table of thecurrent VPN instance.

-

acl Uses ACL6 to filter thecommand output. If thespecified ACL6 does not exist,information about all activeroutes is displayed.

-

acl6-number Specifies the number of a basicACL6.




247


acl6-name Specifies the name of a NamedACL6.

The value is a string of 1 to32 case-sensitive characterswithout spaces, begin witha~z or A~Z.

longer-match Displays only the VPN routesthat match the specifiednetwork and mask.

-

ipv6-address Specifies the destination IPv6address.

-

prefix-length Specifies the length of the IPv6address prefix.


ipv6-address1 / ipv6-address2

Specifies the IPv6 address.ipv6-address1 and ipv6-address2 together determine anaddress range. Only the VPNroutes in the address range aredisplayed.

-

prefix-length1/prefix-length2 Specifies the length of the IPv6address prefix.


ipv6-prefix ipv6-prefix-name Specifies the name of the IPv6prefix list.

A string of 1 to 19 characters.

statistics Displays integrated routestatistics in the routing table ofthe VPN instance.

-

protocol Displays the routes of aspecified protocol.

-

protocol Displays the routes of aspecified protocol. It can be oneof the following keywords:l direct: displays direct IPv6

routes.l static: displays IPv6 static

routes.l bgp: displays BGP4+

routes.l isis: displays IS-IS IPv6

routes.l ospfv3: displays OSPFv3

routes.l ripng: displays RIPng

routes.

-



248


inactive Displays the summary ofinactive routes only.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The command output includes the destination address, prefix length, protocol type, preference,cost, next hop, and outbound interface.

NOTE

An iterated route is counted as one route no matter how many outbound interfaces and next hops the routefinds.

This command without the parameter verbose displays the currently preferred routes only.

When using the display ipv6 routing-table vpn6-instance vpn6-instance-name ipv6-addressprefix-length [ longer-match ] [ verbose ] command, you can select parameters in the commandas required.

l If ipv6-address prefix-length is specified, the VPN routes that accurately match thedestination address are displayed.

l If ipv6-address prefix-length longer-match is specified, the IPv6 routes with thedestination address within the specified address range are displayed. If the prefix length is0, all routes in the routing table of the VPN instance are displayed.

For example, there are four routes in the routing table of the VPN instance named vpna,2000::20/128, 2000::/100, 2000::/64, and 1000::/64.

l If the display ipv6 routing-table vpn6-instance vpna 2000:: 64 command is used, only2000::/64 is displayed.

l If the display ipv6 routing-table vpn6-instance vpna 2000:: command is used, only2000::/100 is displayed.

l If the display ipv6 routing-table vpn6-instance vpna 2000:: 127 longer-matchcommand is used, only 2000::/100 and 2000::/64 are displayed.

l If the display ipv6 routing-table vpn6-instance vpna 2000:: 0 longer-match commandis used, four routes are displayed.

Precautions

If the specified ip-prefix ip-prefix-name does not exist, the command displays all of the currentlypreferred routes.



249

Example

# Display the summary of the routing table of the VPN instance named vpn1.

<HUAWEI> display ipv6 routing-table vpn6-instance vpn1Routing Table : vpn1 Destinations : 1 Routes : 1

Destination : 7777:5:344:: PrefixLength : 48 NextHop : 3335::2 Preference : 255 Cost : 0 Protocol : BGP RelayNextHop : :: TunnelID : 0x0 Interface : Vlanif10 Flags : D

Table 13-6 Description of the display ipv6 routing-table vpn6-instance command output

Item Description

Routing Table : vpn1 VPN routing table named vpn1.

Destinations Total number of destination networks or hosts.

Destination Address of the destination network or host.

Routes Total number of routes.

PrefixLength Length of the prefix.

NextHop IPv6 address of the adjacent next hop throughwhich the packet reaches the destination.

Preference Preference of the route.

Cost Route cost.

Protocol Routing protocol name.

RelayNextHop Iterated next hop.

TunnelID Tunnel ID.The value 0x0 indicates that no tunnel is used orthe tunnel is not set up.

Interface Outbound interface through which the next hop isreachable.

Flags Route flags.

# Display detailed information about the route 200:0:1:2::1 of the VPN instance after the instanceis enabled with VPN FRR.

<HUAWEI> display ipv6 routing-table vpn6-instance vrf1 200:0:1:2::1 verboseRouting Table : vrf1Summary Count : 1 Destination : 200:0:1:2::1 PrefixLength : 128 NextHop : ::FFFF:192.168.100.6 Preference : 255 Neighbour : ::192.168.100.6 ProcessID : 0



250

Label : 13313 Protocol : BGP State : Active Adv Relied Cost : 0 Entry ID : 14 EntryFlags : 0x80024904 Reference Cnt: 1 Tag : 0 Priority : low Age : 393sec IndirectID : 0x0 RelayNextHop : :: TunnelID : 0x100a Interface : NULL0 Flags : RD BkNextHop : ::FFFF:192.168.100.7 BkLabel : 13313 BkPETunnelID : 0x100c

Table 13-7 Description of the display ipv6 routing-table vpn6-instance verbose command output

Item Description

Summary Count Total number of route prefixes.

Neighbour IP address of the neighbor interface.

ProcessID Process ID of the routing protocol.

Label Label value carried by the route.

State Route status:l Active: indicates active routes.l Invalid: indicates invalid routes.l Inactive: indicates inactive routes.l NoAdv: indicates the routes that cannot be

advertised.l Adv: indicates the routes that can be advertised.l Del: indicates the routes to be deleted.l Relied: indicates the route that finds the next

hop and outbound interface or the route thatfinds the tunnel during packet forwarding.

l Stale.: indicates the routes with the stale flag.The routes are used in GR.

Entry ID Keyword of the retrieval index of routes in therouting table.

EntryFlags Information about route flags.

Refernce Cnt Number of times that the route is referenced.

Tag Tag for importing routes. The value is an integerranging from 0 to 4294967295.

Priority Priority of the route.

Age Time since the route is generated.

IndirectID Indirect ID of the next hop.

BkNextHop Backup next hop.



251

Item Description

BkLabel Backup label.

BkPETunnelID Backup Tunnel ID.

# Display the statistics of the routing table of the VPN instance named vpn1.

<HUAWEI> display ipv6 routing-table vpn6-instance vpn1 statisticsSummary prefixes: 6Protocol route active added deleted freedDIRECT 4 4 4 0 0STATIC 2 1 2 0 0RIPng 0 0 0 0 0OSPFv3 0 0 0 0 0IS-IS 0 0 0 0 0BGP 0 0 0 0 0UNR 0 0 0 0 0Total 6 5 6 0 0

Table 13-8 Description of the display ipv6 routing-table statistics command output

Item Description

Summary prefixes Total number of prefixes in the current routingtable.

route Indicates the total number of active and inactiveroutes in the current routing table.

active Number of active routes.

added Number of active and inactive routes added in therouting table.

deleted Number of routes deleted from the routing table.

freed Number of released routes that are permanentlydeleted from the routing table.

# Display all the direct routes of the VPN instance named vpn1.

<HUAWEI> display ipv6 routing-table vpn6-instance vpn1 protocol directvpn1 Routing Table : DirectSummary Count : 3

Direct Routing Table's Status : < Active >Summary Count : 3

Destination : 3335:: PrefixLength : 64 NextHop : 3335::1 Preference : 0 Cost : 0 Protocol : Direct RelayNextHop : :: TunnelID : 0x0 Interface : Vlanif10 Flags : D

Destination : 3335::1 PrefixLength : 128 NextHop : ::1 Preference : 0



252

Cost : 0 Protocol : Direct RelayNextHop : :: TunnelID : 0x0 Interface : Vlanif10 Flags : D

Destination : FE80:: PrefixLength : 10 NextHop : :: Preference : 0 Cost : 0 Protocol : Direct RelayNextHop : :: TunnelID : 0x0 Interface : NULL0 Flags : DDirect Routing Table's Status : < Inactive >Summary Count : 0

Table 13-9 Description of the display ipv6 routing-table vpn6-instance protocol commandoutput

Item Description

Active Active routes.

Inactive Inactive routes.

13.8 display ipv6 vpn6-instance

FunctionThe display ipv6 vpn6-instance command displays information about an IPv6 VPN instance.

Formatdisplay ipv6 vpn6-instance [ brief | verbose ] [ vpn6-instance-name ]

Parameters


brief Displays summary informationabout an IPv6 VPN instance.

-

verbose Displays detailed information aboutthe IPv6 VPN instances and theirassociated interfaces.

-

vpn6-instance-name Specifies the name of an IPv6 VPNinstance.

The name is a string of 1 to 31case-sensitive characters.

ViewsAll views




253

Usage GuidelinesIf a VPN instance is configured, you can check the configuration of the instance by using thedisplay ipv6 vpn6-instance command. You can also use this command to view the VPNinstances configured on the local device.

When no parameters are specified, the command displays brief information about all theconfigured VPN instances.

Example# View brief information about all the configured IPv6 VPN instances.

<HUAWEI> display ipv6 vpn6-instance Total VPN-Instances configured : 3 Total IPv4 VPN-Instances configured : 2 Total IPv6 VPN-Instances configured : 1 VPN-Instance Name RD Address-family vpn1 vpna 100:1 IPv4 vpna 100:3 IPv6 vpnb 100:2 IPv4

Table 13-10 Description of the display ip vpn-instance command output

Item Description

Total VPN-Instances configured Total number of VPN instances configuredon the local end.

Total IPv4 VPN-Instances configured Total number of locally configured VPNinstances for which IPv4 address families areenabled.


VPN-Instance Name Name of the VPN instance.

RD RD of the VPN instance IPv4 addressfamily or IPv6 address family.

Creation Time Time when an IPv4 or IPv6 address family isenabled for the VPN instance.



254

Item Description

Address-family Address family enabled for the VPN instance.The address family can be:l Null, if no address family is enabled.l ipv4, if only the IPv4 address family is

enabled.l ipv6, if only the IPv6 address family is

enabled.

<HUAWEI> display ipv6 vpn6-instance brief Total VPN-Instances configured : 3 Total IPv4 VPN-Instances configured : 2 Total IPv6 VPN-Instances configured : 1 VPN-Instance Name RD Address-family vpn1 vpna 100:1 IPv4 vpna 100:3 IPv6 vpnb 100:2 IPv4

# View detailed information about all IPv6 VPN instances.

<HUAWEI> display ipv6 vpn6-instance verbose Total VPN-Instances configured : 1 Total IPv4 VPN-Instances configured : 1 Total IPv6 VPN-Instances configured : 1 VPN-Instance Name and ID : vpna, 6 Description : vpna-1 Service ID : 12 Interfaces : Vlanif10 Address family ipv4 Create date : 2012/12/3 15:36:20 UTC+08:00 Up time : 6 days, 04 hours, 41 minutes and 57 seconds Route Distinguisher : 100:1 Export VPN Targets : 1:1 Import VPN Targets : 1:1 Label Policy : label per instance Per-Instance Label : 1024 IP FRR Route Policy : 20 VPN FRR Route Policy : 12 Import Route Policy : 10 Export Route Policy : 20 Tunnel Policy : bindTE Maximum Routes Limit : 2000 Threshold Routes Limit : 80% Maximum Prefixes Limit : 1024 Threshold Prefixes Limit : 50% Install Mode : route-unchanged Log Interval : 10 Address family ipv6



255

Create date : 2012/12/3 15:36:20 UTC+08:00 Up time : 6 days, 04 hours, 41 minutes and 57 seconds Log Interval : 5

Table 13-11 Description of the display ip vpn-instance verbose command output

Item Description

Total VPN-Instances configured Total number of VPN instances configuredon the local end.



VPN-Instance Name and ID Name and ID of the VPN instance. The ID isassigned by the system, which facilitatesindexing.

Description Description of the VPN instance. This field isdisplayed in the command output only whenthe description (VPN instance view)command is used.

Service ID Service ID of the VPN instance. This item isdisplayed only after the service-id (VPNinstance view) command is run in the VPNinstance view.

Interfaces Interfaces bound to the VPN instance. Thisfield is displayed only after the ip bindingvpn-instance command is configured onthese interfaces.

Address family ipv4 Information about the IPv4 address familyenabled for the VPN instance.

Address family ipv6 Information about the IPv6 address familyenabled for the VPN instance.

Create date Time when the VPN instance is created.

Up time Period during which the VPN instancemaintains in the Up state.

Route Distinguisher RD of the VPN instance IPv4 address familyor IPv6 address family

Export VPN Targets Route Target list in the outbound direction.To set the VPN target, run the vpn-targetcommand.



256

Item Description

Import VPN Targets Route Target list in the inbound direction. Toset the VPN target, run the vpn-targetcommand.

Label Policy Label policy:l label per instance: indicates that the same

label is allocated to routes of a VPNinstance. This field is displayed in thecommand output only when the apply-label per-instance command is run in theVPN instance view.

l label per route: indicates that each routeof a VPN instance is assigned a label.Label allocation for routes of a VPNinstance is implemented in this mode.

Per-Instance Label Label value used when all VPN routes of theVPN instance address family share onelabel. This field is displayed only after theapply-label per-instance command is run inthe VPN instance address family view.

IP FRR Route Policy IP FRR route policy used for the addressfamily. This item is displayed only after theip frr command is run in the VPN instanceIPv4 address family view.

VPN FRR Route Policy VPN FRR route policy used for the addressfamily. This item is displayed only after thevpn frr command is run in the VPN instanceIPv4 address family view.

Import Route Policy Import Route-Policy applied to the VPNinstance. This field is displayed only after theimport route-policy command is run in theVPN instance address family view.

Export Route Policy Export Route-Policy applied to the VPNinstance. This field is displayed only after theexport route-policy command is run in theVPN instance address family view.

Tunnel Policy Tunnel policy applied to the VPN instance.This field is displayed only after the tnl-policy command is run in the VPN instanceaddress family view.



257

Item Description

Maximum Routes Limit Maximum number of routes supported by thecurrent address family. This field is displayedonly after the routing-table limit commandis run in the VPN instance address familyview.

Threshold Routes Limit Percentage of the maximum number of routesspecified for the current address family.When the maximum number of routesreaches the percentage threshold, an alarm isgenerated.This field is displayed only afterthe routing-table limit command is run in theVPN instance address family view.

Maximum Prefixes Limit Maximum number of prefixes supported bythe current address family of the VPNinstanceThis field is displayed only after theprefix limit command is run in the VPNinstance address family view.

Threshold Prefixes Limit Percentage of the maximum number ofprefixes specified for the current addressfamily of the VPN instance. When themaximum number of prefixes reaches thepercentage threshold, an alarm isgenerated.This field is displayed only afterthe prefix limit command is run in the VPNinstance address family view.

Install Mode Method of processing routes. The prefixlimit command can be used to specify theroute processing method when the thresholdis lowered due to the number of route prefixesexceeding the upper threshold.l If route-unchanged is configured, routes

in the routing information base (RIB)table remain unchanged.

l If route-unchanged is not configured, allroutes in the RIB table are deleted and theroutes are re-installed in the RIB table.

Log Interval Interval for displaying log messages when thenumber of VPN instance routes exceeds themaximum value. The default interval is 5seconds. The value can be set by thecommand limit-log-interval.



258

13.9 link-alive

FunctionThe link-alive command enables the link-alive function on a GRE tunnel.

The undo link-alive command disables the link-alive function on a GRE tunnel.

By default, the link-alive function is disabled on a GRE tunnel.

Formatlink-alive [ period period ] [ retry-times retry-times ]

undo link-alive

Parameters


period Specifies the interval for sendinglink-alive packets.

The value is an integer thatranges from 1 to 32767, inseconds. The default value is 5.

retry-times retry-times Specifies the tunnel-unreachablecounter value.


ViewsTunnel interface view


Usage GuidelinesThe link-alive function takes effect on a GRE tunnel immediately after you run the link-alivecommand on the tunnel interface. After you run the undo link-alive command, the link-alivefunction immediately becomes invalid. The source end of a GRE tunnel periodically sends link-alive packets. The tunnel-unreachable counter increases by 1 every time a link-alive packet issent. If the source end does not receive any response packet when the tunnel-unreachable countervalue reaches retry-times, the source end considers the remote end unreachable.

Example# Enable the link-alive function on a GRE tunnel and retain the default parameter values.

<HUAWEI> system-view[HUAWEI] interface tunnel 1



259

[HUAWEI-Tunnel1] tunnel-protocol gre[HUAWEI-Tunnel1] link-alive

# Disable the link-alive function on a GRE tunnel.

<HUAWEI> system-view[HUAWEI] interface tunnel 1[HUAWEI-Tunnel1] undo link-alive

# Enable the link-alive function on a GRE tunnel. Set the interval for sending link-alive packetsto 12 seconds and retain the default tunnel-unreachable counter value.

<HUAWEI> system-view[HUAWEI] interface tunnel 1[HUAWEI-Tunnel1] link-alive period 12

# Enable the link-alive function on a GRE tunnel. Set the interval for sending link-alive packetsto 12 seconds and the tunnel-unreachable counter to 4.

<HUAWEI> system-view[HUAWEI] interface tunnel 1[HUAWEI-Tunnel1] link-alive period 12 retry-times 4

13.10 mpls l2vpn traffic-statistics capability enable

Function

The mpls l2vpn traffic-statistics capability enable command enables VLL traffic statistics.

The undo mpls l2vpn traffic-statistics capability command disables VLL traffic statistics.

By default, VLL traffic statistics function is disabled..

Format

mpls l2vpn traffic-statistics capability enable

undo mpls l2vpn traffic-statistics capability

Parameters

None.

Views

System view

Default Level


Usage Guidelines

The traffic statistics function takes effect only on the VLLs created after you run the mpls l2vpntraffic-statistics capability enable or mpls l2vpn traffic-statistics enable command.



260

After you run the mpls l2vpn traffic-statistics capability enable command to enable VLLtraffic statistics, you can run the display traffic-statistics l2vpn interface command to viewthe traffic statistics result.

Example# Enable L2VPN traffic statistics.

<HUAWEI>system-view[HUAWEI] mpls l2vpn traffic-statistics capability enableInfo: The modification can only take effect for newly created VC.

System ResponseNone.



261

Documents

S2750&S5700&S6700 V200R003(C00&C02&C10) Compatible Commands Reference 04