Command Ref


Router Command Reference Guide

Router 5000 Family Version 2.1

http://www.3com.com/ Part No. 10014596-AA Published November 2004

3Com Corporation 350 Campus Drive Marlborough, MA 01752-3064

Copyright © 2004, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.

3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.

3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.

If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.

UNITED STATES GOVERNMENT LEGEND

If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following: All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.

Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries. 3Com and the 3Com logo are registered trademarks of 3Com Corporation. Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of Novell, Inc. All other company and product names may be trademarks of the respective companies with which they are associated.

CONTENTS

ABOUT THIS GUIDE
Conventions
Related Documentation

1 CONFIGURATION COMMANDS
Basic Configuration Commands

2 SYSTEM MAINTENANCE & MANAGEMENT COMMANDS
Debugging
HWPing Commands
HWPing Server Commands
Information Processing Commands
System Operating Management Commands
Lock-Down Commands
File Management Commands
FTP Server Configuration Commands
FTP client module commands
TFTP Configuration Commands
Configuration Files Management Commands
User Interface Configuration Commands
debugging ntp-service
SNMP Configuration Commands
Terminal Service Commands
SSH Configuration Commands

3 INTERFACE MANAGEMENT COMMANDS
Interface Management Commands
Fundamental Ethernet Interface Configuration Commands
Fundamental WAN Interface Configuration Commands
Fundamental CE1/PRI Interface Configuration Commands
Fundamental CT1/PRI Interface Configuration Commands
E1-F Interface Configuration Commands
T1-F Interface Configuration Commands
Fundamental CE3 Interface Configuration Commands
Fundamental CT3 Interface Configuration Commands
ATM E3/T3 Interface Configuration Commands
ATM OC-3c/STM-1 Interface Configuration Commands
ADSL Interface Configuration Commands
Fundamental Logical Interface Configuration Commands
Logic-Channel Interface
Configuration Command of Virtual Template and Virtual Access Interface
MP-group Interface Configuration Command
Virtual Ethernet Interface Configuration Command
Configuration Command of Loopback Interface and Null Interface

4 LINK LAYER PROTOCOL
PPP and MP Configuration Commands
PPPoE Server Configuration Commands
PPPoE Client Configuration Commands
VLAN Configuration Commands
ISDN Configuration Commands
SLIP Configuration Commands
HDLC Configuration Commands
Frame Relay Configuration Commands
ATM Configuration Commands
LAPB and X.25 Configuration Commands

5 NETWORK PROTOCOL
IP Address Configuration Commands
ARP Configuration Commands
Static Domain Name Resolution
DNS Client Configuration Commands
DHCP Public Configuration Commands
DHCP Server Configuration Commands
DHCP Client Configuration Commands
DHCP Relay Configuration Commands
IP Performance Configuration Commands
IP Unicast Policy Routing Configuration Commands
IP Multicast Policy Routing Configuration Commands
IPX Configuration Commands
DLSw Configuration Commands

6 ROUTING PROTOCOL
Display Commands of the Routing Table
Static Route Configuration Commands
RIP Configuration Commands
OSPF Configuration Commands
BGP Configuration Commands
MBGP Configuration Commands
IP Routing Policy Configuration Commands
Route Capacity Configuration Commands

7 MULTICAST COMMON CONFIGURATION COMMANDS
Multicast Common Configuration Commands
IGMP Configuration Commands
PIM Configuration Commands
MSDP Configuration Commands
MBGP Multicast Extension Configuration Commands
Multicast Static Route Configuration Commands

8 MPLS BASIC CONFIGURATION COMMANDS
Basic Configuration Commands
LDP Configuration Commands
BGP/MPLS VPN Configuration Commands
MPLS L2VPN CCC Configuration Commands
SVC MPLS L2VPN Configuration Commands
Martini MPLS L2VPN Configuration Commands
Kompella MPLS L2VPN Configuration Commands

9 SECURITY
AAA Configuration Commands
Ethernet Type-Code Values
ASPF Configuration Commands
Firewall Configuration Commands
IPSec Configuration Commands
IKE Configuration Commands
PKI Configuration Commands
HWTACACS Configuration Commands

10 L2TP CONFIGURATION COMMANDS
GRE Configuration Commands
Dynamic VPN

11 TRAFFIC POLICING AND SHAPING CONFIGURATION COMMANDS
Traffic Policing (TP) Configuration Commands
Traffic Shaping Configuration Commands
Physical Interface Rate-limit Configuration Commands
FIFO Queue Configuration Commands
PQ Configuration Commands
CQ Configuration Commands
WFQ Configuration Commands
CBQ Configuration Commands
RTP Priority Queue Configuration Commands
Weighted Random Early Detection Configuration Commands
IP Header Compression Configuration Commands
MPLS QoS Configuration Commands

12 BACKUP CENTER CONFIGURATION COMMANDS
Backup Center Configuration Commands
VRRP Configuration Commands

13 DCC CONFIGURATION COMMANDS
DCC Configuration Commands
Modem Configuration Commands


ABOUT THIS GUIDE

This guide describes the 3Com® Router 5000 Family of routers and how to install hardware, configure and boot software, and maintain software and hardware. This guide also provides troubleshooting and support information for your router. This guide is intended for the system or network administrator who is responsible for installing, configuring, using, and managing the routers. It assumes a working knowledge of wide area network (WAN) operations and familiarity with communication protocols that are used to interconnect WANs. Always download the Release Notes for your product from the 3Com World Wide Web site for the latest updates to product documentation:
http://www.3com.com

Conventions

Table 1 and Table 2 list conventions that are used throughout this guide.

Table 1: Notice Icons

Notice Type: Description
Information note: Information that describes important features or instructions.
Caution: Information that alerts you to potential loss of data or potential damage to an application, system, or device.
Warning: Information that alerts you to potential personal injury.

Table 2: Text Conventions

Convention: Description
Screen displays: This typeface represents information as it appears on the screen.
Keyboard key names: If you must press two or more keys simultaneously, the key names are linked with a plus sign (+), for example: Press Ctrl+Alt+Del
The words “enter” and “type”: When you see the word “enter” in this guide, you must type something, and then press Return or Enter. Do not press Return or Enter when an instruction simply says “type.”
Words in italics: Italics are used to:
  Emphasize a point.
  Denote a new term at the place where it is defined in the text.
  Identify menu names, menu commands, and software button names. Examples: From the Help menu, select Contents. Click OK.
Words in bold: Boldface type is used to highlight command names in text. For example, “Use the display user-interface command to...

Related Documentation

The following manuals offer additional information necessary for managing your Router 5000:


3Com Router 5000 Family Installation Guide — Provides detailed descriptions of the Router 5000 Family products.
3Com Router Configuration Guide — Describes how to configure your Router 5000 using the supported protocols and CLI commands.
Release Notes — Contains the latest information about your product. If information in this guide differs from information in the release notes, use the information in the Release Notes.
These documents are available in Adobe Acrobat Reader Portable Document Format (PDF) on the CD-ROM that accompanies your router or on the 3Com World Wide Web site:
http://www.3com.com/

1

CONFIGURATION COMMANDS

This chapter describes how to use the following commands:

Basic Configuration Commands
■ Clock Summer Times
■ clock datetime
■ clock timezone
■ command-privilege
■ display clipboard
■ display clock
■ display history-command
■ display version
■ header
■ hotkey
■ language-mode
■ lock
■ quit
■ reboot
■ return
■ super
■ super password
■ sysname
■ system-view

Basic Configuration Commands

Clock Summer Times

Syntax
clock summer-time zone_name {absolute / recurring} HH:MM:SS YYYY/MM/DD HH:MM:SS YYYY/MM/DD HH:MM:SS
undo clock summer-time zone.

View
User view

Parameter
zone_name: Name of the summer time, which is a character string of 1 to 32 characters.
absolute: Only sets the summer time of some year.
recurring: Sets the summer time of every year starting from some year.
HH:MM:SS: Time (hour/minute/second).
YYYY/MM/DD: Date (year/month/day).

Description
Using the clock summer-time command, you can set the name, and the starting and ending time of the summer time. Using the undo clock summer-time command, you can remove the configuration of the summer time.
After the configuration takes effect, it can be verified by using the display clock command. In addition, the time shown in log and debug information will be the local time, adjusted for the time zone and summer time.
For the related command, see clock timezone.

Example
# Add one hour to the clock for the summer time z2 that starts at 06:00:00 on 2002/06/08 and ends at 06:00:00 on 2002/09/01.
<3Com> clock summer-time z2 absolute 06:00:00 2002/06/08 06:00:00 2002/09/01 01:00:00

# Add one hour to the clock each year starting from 2002 for the summer time z2 that starts at 06:00:00 on 08/06 and ends at 06:00:00 on 01/09.
<3Com> clock summer-time z2 recurring 06:00:00 2002/06/08 06:00:00 2002/09/01 01:00:00

clock datetime

Syntax
clock datetime HH:MM:SS YYYY/MM/DD

View
User view

Parameter
HH:MM:SS: Time (hour/minute/second).
YYYY/MM/DD: Date (year/month/day) in the range of 1993 to 2035.

Description
Using the clock datetime command, you can set the date and time.
After the configuration takes effect, it can be verified by executing the display clock command. The time applied to the log and debug information has been adjusted.

Example
# Set the current system time to 10:20:55 2003/04/05.
<3Com> clock datetime 10:20:55 2003/04/05

clock timezone

Syntax
clock timezone zone_name { add | minus } HH:MM:SS
undo clock timezone

View
User view

Parameter
zone_name: Timezone name, which is a string of 1 to 32 characters.
add: Adds the time on the basis of Universal Time Coordinated (UTC) timezone.
minus: Reduces the time on the basis of UTC timezone.
HH:MM:SS: Time (hour/minute/second).

Description
Using the clock timezone command, you can set the information for the local timezone. Using the undo clock timezone command, you can restore the local timezone to the default UTC timezone.
After the configuration takes effect, you can view it by executing the display clock command. The time applied to the log and debug information has been adjusted according to the involved timezone and summer time.
For the related command, see clock summer-time.

Example
# Set the local timezone name to Z5 and set Z5 to be five hours faster than UTC time.
<3Com> clock timezone z5 add 05:00:00

command-privilege

Syntax
command-privilege level level view view command-key
undo command-privilege view view command-key

View
System view

Parameter
level level: Command priority ranging from 0 to 3.
view view: View. The command line provides the following views:
  shell: View of current user level.
  system: System view
  Routing protocol view: Includes ospf (OSPF view), rip (RIP view), bgp (BGP view), isis (IS-IS view), etc.
  Interface view: Includes ethernet (FE), gigabitethernet (GE), serial (serial interface), ce1 (cE1 interface), ce3 (E3 interface), ct1 (cT1 interface), atm (ATM interface), pos (POS interface), virtual-template (virtual interface template), virtual-ethernet (virtual Ethernet interface), loopback (Loopback interface), null (Null interface), tunnel (Tunnel interface).
  user-interface: User view
  l2tp-group: System view of L2TP group.
  route-policy: Route map view
Refer to the "Command Line Views" section in the Operation Manual for more details.
command-key: Command to be set.

Description
Using the command-privilege command, you can set the command level in the specified view. Using the undo command-privilege view command, you can remove current settings.
Command priority falls into 4 levels, access, monitor, configure and manage, that are identified with 0 to 3. The administrator can grant certain rights to a user as needed so that the user can operate in the related view. When the user logs in, the system can set the command operation rights either according to the rights corresponding to the user name or based on the rights of the user-interface. If the two sets of rights conflict, the minimum rights will be adopted.
By default, the command level of the ping, tracert and telnet commands is access (level 0), the command level of the display and debugging commands is monitor (level 1), that of configuration commands is system (level 2), and the commands for user key setting, FTP, XMODEM, TFTP and file system operation fit into commands of manage-level (level 3).

Example
# Set the priority of the “interface” command to 0.
[3Com] command-privilege level 0 view system interface

display clipboard

Syntax
display clipboard

View
Any view

Parameter
None

Description
Using the display clipboard command, you can display the contents of clipboard.

Example
# Display the contents of clipboard.
<3Com> display clipboard
-----------------clipboard ----------------
ip route 10.1.0.0 255.0.0.0 eth 0

display clock

Syntax
display clock

View
Any view

Parameter
None

Description
Using the display clock command, you can display the clock status and the configuration information.

Example
# Display the current time.
<3Com> display clock

display cpu-usage

Syntax
display cpu-usage [ configuration | number [ offset ] [ verbose ] [ from-device ] ]

View
Any view

Parameter
configuration: Displays the configuration about CPU usage statistics, such as whether CPU usage statistics is enabled, statistic period, and CPU usage alarm thresholds.
number: Number of CPU usage statistics queries.
offset: Offset of the starting entry to be displayed to the last statistic entry.
verbose: Displays the detailed information.
from-device: Displays information stored on an external storage device such as a Flash or hard disk. (Not available yet.)

Description
Using the display cpu-usage command, you can view statistics about CPU usage.
The commands display cpu-usage and display cpu-usage 1 0 verbose are equivalent: both display detailed information on the last CPU usage measurement.

Example
# Display detailed information on CPU usage statistics.
[Router] display cpu-usage
===== Current CPU usage info =====
CPU Usage Stat. Cycle: 1 (Second)
CPU Usage : 1%
CPU Usage Stat. Time : 2004-09-15 15:51:48
CPU Usage Stat. Tick : 0x27(CPU Tick High) 0x88cf18e4(CPU Tick Low)
Actual Stat. Cycle : 0x0(CPU Tick High) 0x2264cc2(CPU Tick Low)
TaskName  CPU   Runtime(CPU Tick High/CPU Tick Low)
VIDL      99%   0/ 222de39
TICK      0%    0/ 88d8
co0       0%    0/ 6e5
SRM       0%    0/ 1da
ROUT      0%    0/ 1d6c
SOCK      0%    0/ 3c65
VTYD      0%    0/ 1074
IPSP      0%    0/ 28b
TAC       0%    0/ 15ac
SC        0%    0/ 10de
RDS       0%    0/ e71
ACM       0%    0/ 180a
LSSO      0%    0/ 3a2
TRAP      0%    0/ 2d0
NTPT      0%    0/ 1082a
PIMT      0%    0/ 2f8
LSPM      0%    0/ 90c
L2V       0%    0/ 1066
IPS       0%    0/ 7575
SIP       0%    0/ 6b87
DHCP      0%    0/ 33d
HOT       0%    0/ fca
DHCC      0%    0/ 414

display history-command

Syntax
display history-command

View
Any view

Parameter
None

Description
Using the display history-command command, you can browse the history commands. The terminal will automatically save the history commands typed by the user, that is, completely record the user's input (via keyboard) separated by "Enter".
For the related command, see history-command size.

Example
# Display history commands.
<3Com> display history-command
show interface show interface e 1/0/0 c in e 1/0/0

display version

Syntax
display version

View
Any view

Parameter
None

Description
Using the display version command, you can browse system version information. By viewing system version information, you can learn about the software version in use, rack type, and the information related to the main processing board and interface cards.

Example
# Display system version information of a 3Com R1760 router.
<3Com> display version
3Com Versatile Routing Platform Software
VRP(tm) software, Version 3.30
Copyright (c) 2000-2002 3Com Corporation.
3Com Serial Router R1760
System has kept running 0weeks, 0days, 0hours, 15minutes
CPU type Powerpc8241 166Mhz
64M bytes SDRAM
8M bytes Flash Memory
Pcb Version:001
Logic Version:001
BootROM Version:0.0
Slot0: WAN (pcb)001 (software)000 (logic)001

header

Syntax
header [ shell | incoming | login ] text
undo header [ shell | incoming | login ]

View
System view

Parameter
login: Greeting information when login.
shell: Greeting information of the creation of a user session.
incoming: Greeting information when login to the user view.
text: Content of greeting information.

Description
Using the header command, you can set the greeting information that will be displayed. Using the undo header command, you can remove the preset greeting information.
When a user is logging on to a router via a terminal line, the router prompts related information by setting the title attribute. After activating the terminal connection, the router sends the login title to the terminal. If the user logs on to the router successfully, the shell greeting information will be displayed.
The text takes its first English character as both the start and the end character. After the end character is input, the system will quit the interactive process automatically.
If you do not want to start the interactive process, make sure that the first and last characters of the text are the same English character and press <Enter> directly.

Example
# Configure a session creation title.
[3Com] header shell %
Enter TEXT message. End with the character '%'.
SHELL : Hello! Welcome use 3Com R1760.%
# Test the configuration.
[3Com] quit
<3Com> quit
Press RETURN to get started
SHELL : Hello! Welcome use 3Com R1760.
<3Com>

hotkey

Syntax
hotkey [ CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U ] command_text
undo hotkey [ CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U ]

View
System view

Parameter
CTRL_G: Specify a command for the hotkey <CTRL+G>.
CTRL_L: Specify a command for the hotkey <CTRL+L>.
CTRL_O: Specify a command for the hotkey <CTRL+O>.
CTRL_T: Specify a command for the hotkey <CTRL+T>.
CTRL_U: Specify a command for the hotkey <CTRL+U>.
command_text: The command line correlated with the hotkey.

Description
Using the hotkey command, you can correlate a command line with a hotkey. Using the undo hotkey command, you can recover the default value of the system.
By default, CTRL_G, CTRL_L and CTRL_O correspond to the following commands respectively:
  display current-configuration (display current configuration);
  display ip routing-table (display routing table information);
  undo debugging all (disable the overall debugging function, that is, disable the output of all debugging information).
You can change the definitions as needed. The default values for the other hotkeys are null.

Example
# Correlate the display tcp status command with the hotkey CTRL_T.
[3Com] hotkey ctrl_t display tcp status
[3Com] display hotkey
----------------- HOTKEY ----------------
=Defined hotkeys=
Hotkeys  Command
CTRL_G   display current-configuration
CTRL_L   display ip routing-table
CTRL_O   undo debug all
CTRL_T   display tcp status
=Undefined hotkeys=
Hotkeys  Command
CTRL_U   NULL
=System hotkeys=
Hotkeys  Function
CTRL_A   Move the cursor to the beginning of the current line.
CTRL_B   Move the cursor one character left.
CTRL_C   Stop current command function.
CTRL_D   Erase current character.
CTRL_E   Move the cursor to the end of the current line.
CTRL_F   Move the cursor one character right.
CTRL_H   Erase the character left of the cursor.
CTRL_K   Kill outgoing connection.
CTRL_N   Display the next command from the history buffer.
CTRL_P   Display the previous command from the history buffer.
CTRL_R   Redisplay the current line.
CTRL_V   Paste text from the clipboard.
CTRL_W   Delete the word left of the cursor.
CTRL_X   Delete all characters up to the cursor.
CTRL_Y   Delete all characters after the cursor.
CTRL_Z   Return to the user view.
CTRL_]   Kill incoming connection or redirect connection.
ESC_B    Move the cursor one word back.
ESC_D    Delete remainder of word.
ESC_F    Move the cursor forward one word.
ESC_N    Move the cursor down a line.
ESC_P    Move the cursor up a line.
ESC_<    Specify the beginning of clipboard.
ESC_>    Specify the end of clipboard.

language-mode

Syntax
language-mode { chinese | english }

View
User view

Parameter
None

Description
Using the language-mode command, you can switch between different language modes of command line interface. By default, the language mode is English.
The command line interface of the system also supports Chinese mode for domestic users in China.

Example
# Switch from English mode to Chinese mode.
<3Com> language-mode Chinese
Change language mode, confirm? [Y/N]y
% Switch to Chinese mode.

lock

Syntax
lock

View
User view

Parameter
None

Description
Using the lock command, you can lock the active user interface to prevent an unauthorized user from operating the interface. A user interface includes CON port, AUX port and VTY, etc.
After inputting the lock command, the user is prompted to enter the screensaver's password and confirm the password. If the two passwords are the same, the interface will be successfully locked.
To enter the system once again, you must press <Enter> first, and enter the preset password following the prompt.

Example
# Log in from the CON port and lock the active user interface.
<3Com> lock
Password:
Again:

quit

Syntax
quit

View
Any view

Parameter
None

Description
Using the quit command, you can quit from the active view to a lower-level view (if the active view is user view, you will exit the system).
Views fall into three levels; in ascending order:
  User view (with user level as 0)
  System view (with user level as 3) and
  Configuration view (routing protocol view, interface view, VPDN group view, etc).
For the related command, see return.

Example
# Switch from Ethernet1/0/0 interface view to system view, and then to user view.
[3Com-Ethernet1/0/0] quit
[3Com] quit
<3Com>

reboot

Syntax
reboot

View
User view

Parameter
None

Description
Using the reboot command, you can reboot the device.
This command produces the same effect as the power being turned on and then off, but provides the user with a convenient method of rebooting the device from a remote site. The operation of this command will render the network unusable for a short period of time, so it should be used with caution. Before rebooting the Router, remember to save the configuration file if necessary.

Example
# Reboot the device.
<3Com> reboot
System will reboot! Continue?[Y/N]

return

Syntax
return

View
Any view, except user view

Parameter
None

Description
Using the return command, you can return to user view from any other view. The combination key <Ctrl+Z> performs the same function as the return command.
For the related command, see quit.

Example
# Return to user view from system view.
[3Com] return
<3Com>

super

Syntax
super [ level ]

View
User view

Parameter
level: User level ranging from 0 to 3.

Description
Using the super command, you can switch from current user level to a specified level.
User level refers to the class of a login user. There are 4 user levels corresponding to 4 command levels. After a user of a certain level logs in, that user can only use the commands of the same or lower level.
There are 4 command levels, access, monitor, configure and manage, as follows:
  Access: Includes the network diagnosis tool commands (ping, tracert); commands for accessing an external device from local device (including Telnet client, SSH client, RLOGIN), etc. Commands of this level cannot perform configuration file saving operation.
  Monitor: Commands used for system maintenance, service fault diagnosis and so on, including the display and debugging commands. Commands of this level cannot perform configuration file saving operation.
  Configure: Service configuration commands, including routing commands and commands of various network layers. Commands of this level provide direct network services for users.
  Manage: Commands related to basic system running and system support modules. These commands provide support for various services. Commands of this level include file system, FTP, TFTP, Xmodem download and configuration file switchover commands, power control commands, standby board control commands, user management commands, level setting commands, system internal parameter setting commands (not being provided in protocols or RFC documentation), etc.
To prevent unauthorized users from intruding on the system, you must pass authentication when you try to switch from the current user level to a higher-level user. This means that you must enter the password of the higher-level user (if the super password [ level user-level ] { simple | cipher } line command is configured). For the sake of security, your entered password is not directly displayed on the screen. If you enter the correct password, you will be able to switch to the higher-level user; otherwise you will stay at the current level. Authentication allows three tries to switch to a higher-level user.
For the related command, see super password.

Example
<3Com> super 3
Password:
User privilege changes to 3 level, just equal or less this level's commands can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

super password

Syntax
super password [ level user-level ] { simple | cipher } password
undo super password [ level user-level ]

View
System view

Parameter
user-level: User level ranging from 0 to 3.
simple: Configure simple text password.
cipher: Configure cipher text password.
password: Content of password. A simple text password is a consecutive character string no more than 16 characters long, such as 1234567. A cipher text password is 24 characters long, and is in the format of "_(TT8F]Y\5SQ=^Q`MAF4<1!!".

Description
Using the super password command, you can set the password needed to switch from a lower-level user to a higher-level user. Using the undo super password command, you can remove the current setting.
By default, simple text password is adopted.

Example
# Execute the following command in system view:
[3Com] super password level 3 simple zbr
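
The command-privilege and super password entries together define who can reach which command level, so a saved configuration can be checked for settings that weaken that model. The Python example below is added here and is not 3Com code: it assumes a saved configuration lists these two commands in the form shown in their Syntax lines, and the function names, the sample configuration, and the level-2 fallback for commands the guide does not name are assumptions.

```python
import re

LEVEL_NAMES = {0: "access", 1: "monitor", 2: "configure", 3: "manage"}

# Default levels for the command keywords this guide names explicitly.
# ASSUMPTION: any other keyword is treated as a level-2 configuration command.
DEFAULT_LEVEL = {"ping": 0, "tracert": 0, "telnet": 0, "display": 1, "debugging": 1}
ASSUMED_DEFAULT = 2

# Patterns follow the Syntax lines of the two command entries.
SUPER_RE = re.compile(
    r"^super\s+password(?:\s+level\s+([0-3]))?\s+(simple|cipher)\s+(\S+)$")
PRIV_RE = re.compile(
    r"^command-privilege\s+level\s+([0-3])\s+view\s+(\S+)\s+(.+)$")

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = r"""#
 sysname R1760
#
 super password level 3 simple zbr
 super password level 2 cipher _(TT8F]Y\5SQ=^Q`MAF4<1!!
 command-privilege level 0 view system interface
 command-privilege level 1 view shell ping
#
"""


def effective_level(user_level, ui_level):
    """Rights at login: when user and user-interface rights conflict, the minimum applies."""
    return min(user_level, ui_level)


def audit(config_text):
    """Return (line_number, finding, detail) tuples; password values are never echoed."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = SUPER_RE.match(line)
        if m:
            level, mode, value = m.groups()
            target = f"level {level}" if level else "level not stated"
            if mode == "simple":
                findings.append((lineno, "simple-super-password",
                                 f"{target}: password kept as simple text"))
            elif len(value) != 24:
                # The guide describes cipher text passwords as 24 characters long.
                findings.append((lineno, "odd-cipher-length",
                                 f"{target}: cipher value is {len(value)} characters, not 24"))
            continue
        m = PRIV_RE.match(line)
        if m:
            new_level, view, command = int(m.group(1)), m.group(2), m.group(3)
            default = DEFAULT_LEVEL.get(command.split()[0].lower(), ASSUMED_DEFAULT)
            if new_level < default:
                # A command was moved to a level that less-privileged users can reach.
                findings.append((lineno, "privilege-lowered",
                                 f"'{command}' in view {view}: "
                                 f"{LEVEL_NAMES[default]} ({default}) -> "
                                 f"{LEVEL_NAMES[new_level]} ({new_level})"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the constructed sample, the audit reports the simple-text level 3 password and the "interface" command lowered to level 0; raising ping from level 0 to level 1 is not reported because it restricts rather than widens access.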

sysname

Syntax
sysname sysname

View
System view

Parameter
sysname: Name of the router. It is a character string containing 1 to 30 characters.

Description
Using the sysname command, you can set the name of a router. By default, a router is named "3Com".
Modification to a router's name will affect the prompt of the command line interface. For example, if the router's name is "3Com", the prompt of user view will be "<3Com>".

Example
# Set the name of the router to R1760.
[3Com] sysname R1760
[R1760]

system-view

Syntax
system-view

View
User view

Parameter
None

Description
Using the system-view command, you can enter system view from current user view.
For the related commands, see quit, return.

Example
<3Com> system-view
Enter system view , return user view with Ctrl+Z.
[3Com]

vrbd

Syntax
vrbd

View
Any view

Parameter
None

Description
Using the vrbd command, you can view software version details, including product software version and the matched platform software version.

Example
# Display the internal version information.
[Router] vrbd

Routing Platform Software Version AR46XX 8040V300R003B01D009 (COMWAREV300R002B11D001), RELEASE SOFTWARE


2

SYSTEM MAINTENANCE & MANAGEMENT COMMANDS

Debugging

Network Test Tool Commands

Syntax
debugging { all | module-name [ debug-option1 ] [ debug-option2 ] … }
undo debugging { all | module-name [ debug-option1 ] [ debug-option2 ] … }

View
User view

Parameter
all: Enables or disables all the debugging switches.
module-name: Module name.
debug-option: Debugging option.

Description
Using the debugging command, you can enable system debugging. Using the undo debugging command, you can disable system debugging.
By default, the system disables all the debugging switches.
The router system provides a variety of debugging functions, mainly for support technicians and senior maintenance engineers to perform network fault diagnosis.
Enabling debugging generates a large amount of debugging information, which can reduce system efficiency. This is especially the case when the command debugging all is executed to enable all the debugging switches; in the extreme case, the result can be system paralysis. For these reasons, you are recommended not to use the command debugging all. By contrast, undo debugging all is convenient because it disables all the debugging switches at once rather than one by one.
For the related command, see display debugging.

Example
# Enable IP packet debugging.

display debugging

Syntax
display debugging [ interface interface-type interface-number] [ module-name ]

View
Any view

Parameter
module-name: Module name.
interface-type: Interface type.
interface-number: Interface number.

Description
Using the display debugging command, you can display the enabled debugging switches. By default, no parameters have been defined and all the enabled debugging switches are displayed. For related command, see debugging.

Example
Display all the enabled debugging switches.
<3Com> display debugging
IP packet debugging switch is on.

display diagnostic-information

Syntax
display diagnostic-information

View
Any view

Parameter
None

Description
Using the display diagnostic-information command, you can display the operating information of all the active modules of the system and collect all of it at one time to isolate the problem when a system failure occurs. When a failure occurs, a lot of information needs to be collected to isolate the problem. However, it is difficult to collect all the information at one time because many display commands are involved. In this case, you can use the display diagnostic-information command to collect the operating information of all the active modules in the system.

Example
Display the technical support information.
<3Com> display diagnostic-information
------------------ display version ------------------
3Com3Com Versatile Routing Platform Software
VRP 3600E Software Version VRPV3R001M06B03D003, DEBUG SOFTWARE
Copyright (c) 2000-2003 by VRP Team Beijing Institute 3Com Tech, Inc
Compiled Mar 24 2003 20:28:31 by zhaomin
------------------ display running-config ------------------
#
sysname 3Com
#
------------------ display history commands ------------------
display diagnostic-information
------------------ display tasks ------------------
ID  Name  Priority  Status     CPU Time
1   WEIL  10        Ready      10/20
2   SYST  180       Ready      0/7
3   XMON  140       Event Sem  0/0
4   VMON  140       Event Sem  41/41
5   INFO  100       Event Sem  1/6
6   co0   100       Ready      0/3178
7   LDP   100       Event Sem  1/299
8   LAGT  100       Queue Sem  0/1
9   Clon  100       Event Sem  0/0
10  ROUT  100       Event Sem  0/172
11  FIB   100       Event Sem  0/178
12  SOCK  100       Event Sem  0/47961
13  VTYD  100       Event Sem  0/25
14  IPSP  100       Event Sem  0/537
15  IKE   100       Event Sem  1/20
16  RSA   100       Event Sem  1/94
17  RDUS  100       Delay      1/1574
18  L2TP  100       Event Sem  0/14
19  TNLM  100       Event Sem  0/0
20  AGNT  100       Event Sem  0/4904
21  TRAP  100       Queue Sem  0/0
22  MDMT  100       Queue Sem  0/3
23  NTPT  100       Delay      0/7
24  PIMT  100       Delay      0/7
25  CFM   100       Queue Sem  363/1355
26  LSPM  100       Delay      0/414
27  L2V   100       Delay      0/6
28  VRRP  100       Event Sem  0/0
------------------ display memory ------------------
Slice Memory Usage:
Block Size 32    Free 960  Used 60134  Total 61094
Block Size 64    Free 275  Used 29356  Total 29631
Block Size 128   Free 9    Used 5882   Total 5891
Block Size 256   Free 8    Used 1664   Total 1672
Block Size 512   Free 1    Used 120    Total 121
Block Size 1024  Free 58   Used 157    Total 215
Block Size 2048  Free 5    Used 1547   Total 1552
Block Size 4096  Free 1    Used 67     Total 68
-----------------------------Summary-------------------------------
Used(Byte) 8646848 Free 1317 Used 98927 Total 100244
Total Slice Memory(Include Control Data and Free Slice): 10742144 bytes
Raw Slice Memory Usage:
Total Size: 10501832 bytes Num: 77
Total Raw Slice Memory(Include Control Data and Free Slice): 12606400 bytes
System Total Memory(bytes): 33541536
------------------ display interfaces ------------------
Atm1/0/0 is down , line protocol is down
Description : 3Com, 3Com Series, Atm1/0/0 Interface
The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
AAL enabled: AAL5, Maximum VCs: 32
Current VCs: 0 (0 on main interface)
5 minutes input rate 0.00 bytes/sec, 0.00 packets/sec
5 minutes output rate 0.00 bytes/sec, 0.00 packets/sec
0 packets input, 0 bytes
0 packets output, 0 bytes
0 input errors, 0 CRCs, 0 giants, 0 pads, 0 aborts,0 overflows
0 output errors, 0 underflows, 0 overflows
NULL0 is up , line protocol is up (spoofing)
Description : 3Com, 3Com Series, NULL0 Interface
The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
Serial0/0/0 is down , line protocol is down
Description : 3Com, 3Com Series, Serial0/0/0 Interface
The Maximum Transmit Unit is 1500, The keepalive is 10(sec)
Internet protocol processing : disabled
Encapsulation is PPP
LCP initial
FIFO queuing: (Outbound queue:Size/Length/Discards)
FIFO: 0/75/0
Physical layer is synchronous,Baudrate is 64000 bps, Interface is no cable
5 minutes input rate 0.00 bytes/sec, 0.00 packets/sec
5 minutes output rate 0.00 bytes/sec, 0.00 packets/sec
0 packets input, 0 bytes, 0 no buffers
0 packets output, 0 bytes, 0 no buffers
0 input errors, 0 CRC, 0 frame errors
0 overrunners, 0 aborted sequences, 0 input no buffers
DCD=DOWN DTR=DOWN DSR=DOWN RTS=DOWN CTS=DOWN

ping

Syntax
ping [ -a X.X.X.X | -c count | -d | -h ttl_value | -i { interface-type interface-number } | ip | -n | -p pattern | -q | -r | -s packetsize | -t timeout | -v | vpn-instance vpn-instance-name ] * host

View
Any view

Parameter
-a X.X.X.X: Sets the source IP address from which ICMP ECHO-REQUEST packets are sent.
-c count: Number of times that ICMP ECHO-REQUEST packets are sent, in the range 1 to 4294967295.
-d: Sets the socket to DEBUG mode.
-h ttl_value: Sets the TTL value, in the range 1 to 255.
-i: Sets the interface for sending ICMP ECHO-REQUEST packets.
interface-type: Interface type.
interface-number: Interface number.
-n: Uses the host parameter directly as an IP address, without domain name resolution.
-p pattern: The filling byte of the ICMP ECHO-REQUEST packet in hexadecimal format, with the value ranging from 0 to FFFFFFFF. For example, if the parameter is set to -p ff, the entire packet will be filled with ff.
-q: Displays statistic figures rather than details.
-r: Records routes.
-s packetsize: The length of the ECHO-REQUEST packet (excluding IP and ICMP headers), in the range 20 to 8100 bytes.
-t timeout: Timeout in milliseconds to wait for an ECHO-RESPONSE after an ECHO-REQUEST has been sent, in the range 0 to 65535.
-v: Displays the received ICMP packets other than ECHO-RESPONSE packets.
vpn-instance vpn-instance-name: Sets the vpn-instance name of MPLS VPN to specify the VPN attribute configured in this ping command, that is, the name of the associated vpn-instance created locally.
host: Domain name or IP address of the destination host.
ip: IP protocol is used.

Description
Using the ping command, you can check the IP network connection and whether the host is reachable. If the above parameters have not been specified, the following default settings will be used:


The ECHO-REQUEST packet is sent 5 times at most.
The socket is in non-DEBUG mode.
The host is first regarded as an IP address. If it is not an IP address, domain name resolution is performed.
The filling begins at 0x01 and increases gradually until 0x09, and then repeats.
All the information, including statistics, is displayed.
The route is not recorded.
The length of the ECHO-REQUEST packet is 56 bytes.
The timeout waiting for an ECHO-RESPONSE packet is 2000 ms.
ICMP packets other than ECHO-RESPONSE packets are not displayed.
The vpn-instance parameter is not defined.

Following is the process of executing the ping command:

A host sends an ICMP ECHO-REQUEST to a destination.
If the connection to the destination network is working normally, the destination host receives the ICMP ECHO-REQUEST packet and sends an ICMP ECHO-REPLY packet back to the source host.

The ping command can be used to test the network for connection failures or line quality problems. The output information includes:

The state of the reply that the destination has made to each ECHO-REQUEST. It will be “Request time out.” if no reply has been received when the timeout expires. Otherwise, the state information includes the bytes of the reply packet, the packet sequence number, TTL, reply time, and so on.
The final statistics, which include the count of packets sent, the count of reply packets received, the percentage of packets that have no reply, and the minimum, maximum, and average reply times.

If the network transmission is slow, you can appropriately prolong the timeout waiting for a reply.

For related command, see tracert.

Example
Check the reachability of the host at 202.38.160.244.
<3Com> ping 202.38.160.244
ping 202.38.160.244 : 56 data bytes , press CTRL-C to break
Reply from 202.38.160.244 : bytes=56 sequence=1 ttl=255 time = 1ms
Reply from 202.38.160.244 : bytes=56 sequence=2 ttl=255 time = 2ms
Reply from 202.38.160.244 : bytes=56 sequence=3 ttl=255 time = 1ms
Reply from 202.38.160.244 : bytes=56 sequence=4 ttl=255 time = 3ms
Reply from 202.38.160.244 : bytes=56 sequence=5 ttl=255 time = 2ms
--202.38.160.244 ping statistics--
5 packets transmitted
5 packets received
0% packet loss
round-trip min/avg/max = 1/2/3 ms
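
The per-reply state and the closing statistics described above can be cross-checked mechanically when ping output is collected for monitoring. The following Python sketch is an added example, not part of the 3Com manual: it parses output laid out like the page's ping example and recomputes loss, round-trip times and sequence gaps. The name summarize_ping, the second sample, and the assumption that sequence numbers start at 1 and advance once per probe belong to this example.

```python
import re

# Field layout follows the ping example on this page; whitespace is matched loosely.
REPLY = re.compile(
    r"Reply from (\S+)\s*:\s*bytes=(\d+)\s+sequence=(\d+)\s+ttl=(\d+)\s+time\s*=\s*(\d+)\s*ms"
)
TIMEOUT = re.compile(r"Request time out")
REPORTED = {
    "sent": re.compile(r"(\d+) packets transmitted"),
    "received": re.compile(r"(\d+) packets received"),
}

# Output copied from the ping example on this page.
PAGE_SAMPLE = """\
ping 202.38.160.244 : 56 data bytes , press CTRL-C to break
Reply from 202.38.160.244 : bytes=56 sequence=1 ttl=255 time = 1ms
Reply from 202.38.160.244 : bytes=56 sequence=2 ttl=255 time = 2ms
Reply from 202.38.160.244 : bytes=56 sequence=3 ttl=255 time = 1ms
Reply from 202.38.160.244 : bytes=56 sequence=4 ttl=255 time = 3ms
Reply from 202.38.160.244 : bytes=56 sequence=5 ttl=255 time = 2ms
--202.38.160.244 ping statistics--
5 packets transmitted
5 packets received
0% packet loss
round-trip min/avg/max = 1/2/3 ms
"""

# Constructed sample: two lost probes and a TTL change part-way through the run.
LOSSY_SAMPLE = """\
ping 192.0.2.10 : 56 data bytes , press CTRL-C to break
Reply from 192.0.2.10 : bytes=56 sequence=1 ttl=255 time = 2ms
Request time out.
Reply from 192.0.2.10 : bytes=56 sequence=3 ttl=254 time = 40ms
Request time out.
Reply from 192.0.2.10 : bytes=56 sequence=5 ttl=254 time = 38ms
--192.0.2.10 ping statistics--
5 packets transmitted
3 packets received
40% packet loss
"""


def summarize_ping(text):
    """Recompute the ping statistics from the per-probe lines."""
    replies, timeouts, reported = [], 0, {}
    for line in text.splitlines():
        m = REPLY.search(line)
        if m:
            replies.append({"seq": int(m.group(3)), "ttl": int(m.group(4)),
                            "ms": int(m.group(5))})
        elif TIMEOUT.search(line):
            timeouts += 1
        else:
            # Pick up the router's own counters for the consistency check below.
            for key, rx in REPORTED.items():
                s = rx.search(line)
                if s:
                    reported[key] = int(s.group(1))
    sent = len(replies) + timeouts
    times = [r["ms"] for r in replies]
    seen = {r["seq"] for r in replies}
    return {
        "sent": sent,
        "received": len(replies),
        "loss_pct": round(100 * timeouts / sent, 1) if sent else None,
        "rtt": (min(times), round(sum(times) / len(times), 1), max(times)) if times else None,
        # Assumption: sequence numbers run 1..sent, so gaps identify the lost probes.
        "missing_seq": [n for n in range(1, sent + 1) if n not in seen],
        # More than one TTL value in a run suggests the return path changed.
        "ttls": sorted({r["ttl"] for r in replies}),
        "matches_router_summary": reported == {"sent": sent, "received": len(replies)},
    }


if __name__ == "__main__":
    for name, sample in (("page", PAGE_SAMPLE), ("lossy", LOSSY_SAMPLE)):
        print(name, summarize_ping(sample))
```

The recomputed average for the page's sample is 1.8 ms, while the router prints whole milliseconds.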

reboot

Syntax
reboot

View
User view

Parameter
None

Description
Using the reboot command, you can reboot the device. This command produces the same effect as the power being turned off and then on, but provides the user with a convenient method of rebooting the device from a remote site. The operation of this command will render the network unusable for a short period of time, so it should be used with caution. Before rebooting the Router, remember to save the configuration file if necessary.

Example
Reboot the device.
<3Com> reboot
System will reboot! Continue?[Y/N]

tracert

Syntax
tracert [ -a X.X.X.X | -f first_TTL | -m max_TTL | -p port | -q nqueries | vpn-instance vpn-instance-name | -w timeout ] * host

View
Any view

Parameter
-a: Specifies the source IP address of the tracert packets, which is in the format of X.X.X.X and must be the address of a local interface.
-f: Tests the correctness of the -f switch with first_TTL specifying an initial TTL in the range of 0 to the maximum TTL.
-m: Tests the correctness of the -m switch with max_TTL specifying a maximum TTL, which can be any TTL larger than the initial TTL.
-p: Tests the correctness of the -p switch with port being an integer specifying the port of the destination host. There is no need to change this option in normal circumstances.
-q: Tests the correctness of the -q switch with nqueries specifying the number of the query packets sent each time. It can be any integer larger than 0.
vpn-instance vpn-instance-name: Sets the vpn-instance name of MPLS VPN to specify the VPN attribute configured in this tracert command, that is, the name of the associated vpn-instance created locally.
-w timeout: Tests the correctness of the -w switch with timeout specifying the timeout time of IP packets. It is in seconds and can be any integer larger than 0.
host: IP address of the destination host.

Description
Using the tracert command, you can test the gateways that a packet sent by the host passes through to reach the destination, for the purpose of testing the reachability of a network connection and locating the position where faults occur on the network.

If no parameters are specified, the following defaults apply: the parameters -a and vpn-instance are omitted; first_TTL is 1; max_TTL is 30; port is 33434; nqueries is 3; timeout is 5s.

The tracert command is executed following this procedure: The system first sends a packet with TTL set to 1, and the first hop returns an ICMP error message indicating that the packet cannot be transmitted due to TTL timeout. The system then transmits the packet again with TTL set to 2, and the second hop similarly returns a TTL timeout message. This process continues until the packet reaches its destination. The purpose of this process is to record the source addresses from which these ICMP TTL timeout messages are sent, so as to outline the path along which the IP packet reaches the destination.

When a network fault is detected by using the ping command, tracert can be used to locate the failure on the network.

The output information of the tracert command includes the IP addresses of all the gateways (GWs) along the path to the destination. If a GW times out, “***” will be output.

Example
<3Com> tracert 18.26.0.115
tracert to allspice.lcs.mit.edu (18.26.0.115), 30 hops max
1 helios.ee.lbl.gov (128.3.112.1) 0 ms 0 ms 0 ms
2 lilac-dmc.Berkeley.EDU (128.32.216.1) 19 ms 19 ms 19 ms
3 lilac-dmc.Berkeley.EDU (128.32.216.1) 39 ms 19 ms 19 ms
4 ccngw-ner-cc.Berkeley.EDU (128.32.136.23) 19 ms 39 ms 39 ms
5 ccn-nerif22.Berkeley.EDU (128.32.168.22) 20 ms 39 ms 39 ms
6 128.32.197.4 (128.32.197.4) 59 ms 119 ms 39 ms
7 131.119.2.5 (131.119.2.5) 59 ms 59 ms 39 ms
8 129.140.70.13 (129.140.70.13) 80 ms 79 ms 99 ms
9 129.140.71.6 (129.140.71.6) 139 ms 139 ms 159 ms
10 129.140.81.7 (129.140.81.7) 199 ms 180 ms 300 ms
11 129.140.72.17 (129.140.72.17) 300 ms 239 ms 239 ms
12 * * *
13 128.121.54.72 (128.121.54.72) 259 ms 499 ms 279 ms
14 * * *
15 * * *
16 * * *
17 * * *
18 ALLSPICE.LCS.MIT.EDU (18.26.0.115) 339 ms 279 ms 279 ms
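
In the output above, hops that print only asterisks do not by themselves mark the fault: hops 12 and 14 to 17 are silent, yet the destination answers at hop 18. The following Python sketch is an added example, not part of the 3Com manual, that parses output in this layout and separates silent intermediate hops from a path that never reaches the target. The names parse_tracert and analyse_path and the second sample (built from documentation addresses) are assumptions of this example.

```python
import re

HEADER = re.compile(r"tracert to (\S+) \((\d+(?:\.\d+){3})\), (\d+) hops max")
# TTL, an optional "name (address)" pair, then the per-probe results.
HOP = re.compile(r"^\s*(\d+)\s+(?:(\S+) \((\d+(?:\.\d+){3})\)\s*)?(.*)$")
PROBE = re.compile(r"\*|(\d+) ms")

# Output copied from the tracert example on this page.
PAGE_SAMPLE = """\
tracert to allspice.lcs.mit.edu (18.26.0.115), 30 hops max
1 helios.ee.lbl.gov (128.3.112.1) 0 ms 0 ms 0 ms
2 lilac-dmc.Berkeley.EDU (128.32.216.1) 19 ms 19 ms 19 ms
3 lilac-dmc.Berkeley.EDU (128.32.216.1) 39 ms 19 ms 19 ms
4 ccngw-ner-cc.Berkeley.EDU (128.32.136.23) 19 ms 39 ms 39 ms
5 ccn-nerif22.Berkeley.EDU (128.32.168.22) 20 ms 39 ms 39 ms
6 128.32.197.4 (128.32.197.4) 59 ms 119 ms 39 ms
7 131.119.2.5 (131.119.2.5) 59 ms 59 ms 39 ms
8 129.140.70.13 (129.140.70.13) 80 ms 79 ms 99 ms
9 129.140.71.6 (129.140.71.6) 139 ms 139 ms 159 ms
10 129.140.81.7 (129.140.81.7) 199 ms 180 ms 300 ms
11 129.140.72.17 (129.140.72.17) 300 ms 239 ms 239 ms
12 * * *
13 128.121.54.72 (128.121.54.72) 259 ms 499 ms 279 ms
14 * * *
15 * * *
16 * * *
17 * * *
18 ALLSPICE.LCS.MIT.EDU (18.26.0.115) 339 ms 279 ms 279 ms
"""

# Constructed sample (documentation addresses): nothing answers after hop 2.
BROKEN_SAMPLE = """\
tracert to 192.0.2.9 (192.0.2.9), 6 hops max
1 192.0.2.1 (192.0.2.1) 1 ms 1 ms 1 ms
2 198.51.100.1 (198.51.100.1) 4 ms * 5 ms
3 * * *
4 * * *
5 * * *
6 * * *
"""


def parse_tracert(text):
    """Return the target address, hop limit and one record per hop line."""
    target, max_hops, hops = None, None, []
    for line in text.splitlines():
        header = HEADER.search(line)
        if header:
            target, max_hops = header.group(2), int(header.group(3))
            continue
        hop = HOP.match(line)
        if not hop:
            continue
        # None marks a probe that timed out ("*").
        rtts = [int(p.group(1)) if p.group(1) is not None else None
                for p in PROBE.finditer(hop.group(4))]
        if rtts:
            hops.append({"ttl": int(hop.group(1)), "addr": hop.group(3), "rtts": rtts})
    return {"target": target, "max_hops": max_hops, "hops": hops}


def analyse_path(trace):
    """Separate silent intermediate hops from a path that stops answering."""
    hops = trace["hops"]
    answered = [h for h in hops if h["addr"]]
    last = answered[-1] if answered else None
    last_ttl = last["ttl"] if last else 0
    silent = [h["ttl"] for h in hops if not h["addr"]]
    return {
        "reached": bool(last) and last["addr"] == trace["target"],
        # If the target was not reached, the fault lies beyond this address.
        "last_responder": last["addr"] if last else None,
        "silent_hops": [t for t in silent if t < last_ttl],
        "unanswered_tail": [t for t in silent if t > last_ttl],
        # Same address at consecutive TTLs, as at hops 2 and 3 on the page.
        "repeated_hops": [b["ttl"] for a, b in zip(hops, hops[1:])
                          if b["addr"] and a["addr"] == b["addr"]],
    }


if __name__ == "__main__":
    for name, sample in (("page", PAGE_SAMPLE), ("broken", BROKEN_SAMPLE)):
        print(name, analyse_path(parse_tracert(sample)))
```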

HWPing Commands
HWPing Client Commands

count

Syntax
count times
undo count

View
HWPing test group view

Parameter
times: Number of transmitted test packets, which is in the range 1 to 15 and defaults to 1.

Description
Using the count command, you can configure the number of packets sent for each test. Using the undo count command, you can restore the default setting.

A test timer is started when the system sends the first test packet. If the argument times is set greater than 1, the system sends the second packet upon receipt of the acknowledgement of the first one. If no acknowledgement is received before the timer expires, the system sends the second test packet anyway, and handles the rest of the packets in the same way.

For the related command, see frequency.

Example
Send ten packets for each test.
[Router-administrator-icmp] count 10

datafill

Syntax
datafill string
undo datafill

View
HWPing test group view

Parameter
string: Data used for stuffing test datagrams. This argument can be a string of less than 1024 characters in length. By default, datagrams are stuffed with characters between 0 and 255 cyclically.

Description
Using the datafill command, you can configure the data used for stuffing test datagrams. Using the undo datafill command, you can restore the default setting.

You can stuff HWPing test datagrams with any character strings. If the size of a test datagram is smaller than that of the configured stuffing string, only a portion of the string will be used for stuffing. If the size of the test datagrams is larger, the string will be used cyclically for stuffing. Suppose a stuffing string, “abcd”, is configured. If the test datagram size is 3, only “abc” will be used for stuffing; if it is 6, the string “abcdab” will be used.

Example
Configure a datagram stuffing string “abcd”.
[Router-administrator-icmp] datafill abcd

datasize

Syntax
datasize size
undo datasize

View
HWPing test group view

Parameter
size: Test datagram size, which is in the range 20 to 65535 and defaults to 100.

Description
Using the datasize command, you can configure the size of the datagrams for the test purpose. Using the undo datasize command, you can restore the default datagram size.

Example
Set the size of test datagrams to 50.
[Router-administrator-icmp] datasize 50

description

Syntax
description string
undo description

View
HWPing test group view

Parameter
string: Brief description of a test operation. By default, no description information is configured.

Description
Using the description command, you can make a brief description on a test operation. Using the undo description command, you can delete the configured description.

Example
Describe a test group as “icmp-test”.
[Router-administrator-icmp] description icmp-test

destination-ip

Syntax
destination-ip ip-address
undo destination-ip

View
HWPing test group view

Parameter
ip-address: Destination IP address in a test.

Description
Using the destination-ip command, you can configure the destination IP address for a test. Using the undo destination-ip command, you can remove the configured destination IP address. By default, no destination IP address is configured for any test. For the related command, see destination-port.

Example
Set the destination IP address for a test to 169.254.10.3.
[Router-administrator-icmp] destination-ip 169.254.10.3

destination-port

Syntax
destination-port port-number
undo destination-port

View
HWPing test group view

Parameter
port-number: Destination port number in a test, which is in the range 1 to 65535 and defaults to 0.

Description
Using the destination-port command, you can configure the destination port for a test. Using the undo destination-port command, you can remove the destination port configuration. By default, no destination port is configured for any test. This command is configured only for DHCP, DLSw, FTP, HTTP, Jitter, TCP-private, or UDP-private tests. For the related command, see destination-ip.

Example
Set the destination port to 9000 for a test.
[Router-administrator-icmp] destination-port 9000

display hwping

Syntax
display hwping { result | history | jitter } [ administrator-name operation-tag ]

View
Any view

Parameter
result: Displays the latest test result.
history: Displays the test history information.
jitter: Displays the jitter test information.
administrator-name: Name of the administrator creating a test.
operation-tag: Test operation tag.

Description
Using the display hwping command, you can display test result(s). If you have specified a test group by specifying the arguments administrator-name and operation-tag, the system will display only the test result of the group; if not, it will display the test results of all the test groups. For the related command, see test-enable.

Example
Display the test result of the test group whose administrator name is “administrator” and operation tag is “jitter”.
[Router] display hwping result administrator jitter
HWPing entry(admin administrator, tag jitter) test result:
Destion ip address: 169.254.10.3
Send operation times: 50
Receive respondse times: 50
Min Round Rip Time: 2
Max Round Rip Time: 10
Average Round Rip Time: 3
Square-Sum of Round Rip Time: 651
Last complete test time: 2003-10-19 17:18:39.1
Extend result:
Disconnect operation number: 0
Operation timeout number: 0
System busy operation number: 0
Dorp operation number: 0
Operation sequence errors: 0
Operation statics errors: 0
Jitter result:
RTT Number : 50
Min Positive SD : 1
Max Positive SD : 2
Positive SD Number : 9
Positive SD Sum : 12
Positive SD Square Sum : 18
Min Negative SD : 1
Max Negative SD : 2
Negative SD Number: 10
Negative SD Sum: 13
Negative SD Square Sum : 19
Min Positive DS : 7
Max Positive DS: 7
Positive DS Number :1
Positive DS Sum : 7
Positive DS Square Sum :49
Min Negative DS :7
Max Negative DS : 7
Negative DS Number:1
Negative DS Sum: 7
Negative DS Square Sum : 4

filename

Syntax
filename file-name
undo filename

View
HWPing test group view

Parameter
file-name: Name of the file to be gotten from or put onto an FTP server.

Description
Using the filename command, you can configure the name of the file to be gotten from or put onto an FTP server. Using the undo filename command, you can remove the configuration of the file name. By default, no file name is configured. This command applies only to FTP test. For the related commands, see username, password, and ftp-operation.

Example
Specify the file to be gotten from or put onto an FTP server by specifying its name “config.txt”.
[Router-administrator-ftp] filename config.txt

frequency

Syntax
frequency interval
undo frequency

View
HWPing test group view

Parameter
interval: Automatic test interval, which is in the range 0 to 65535 seconds and defaults to 0, i.e., no automatic test.

Description
Using the frequency command, you can configure an automatic test interval. Using the undo frequency command, you can disable automatic test. The system automatically performs a test at intervals specified by this command, given the argument interval is greater than 0. For the related command, see count.

Example
Set the automatic test interval to ten seconds.
[Router-administrator-icmp] frequency 10

ftp-operation

Syntax
ftp-operation { get | put }

View
HWPing test group view

Parameter
get: Gets a file from an FTP server.
put: Sends a file to an FTP server.

Description
Using the ftp-operation command, you can configure the FTP operation done by the system. FTP operations include get and put, with the former being performed to obtain files from an FTP server and the latter to send files to the FTP server. By default, the operation of get is done. This command applies only to FTP test. For the related commands, see username and password.

Example
Perform FTP getting operation.
[Router-administrator-ftp] ftp-operation get

history-records

Syntax
history-records number
undo history-records

View
HWPing test group view

Parameter
number: Number of test results allowed to be retained, which is in the range 0 to 50 and defaults to 50.

Description
Using the history-records command, you can configure the number of test results that the system can retain. Using the undo history-records command, you can restore the default number of retained test results.

Example
Set the number of retained history records concerning the test group whose administrator name is “administrator” and operation tag is “icmp” to 10.
[Router-administrator-icmp] history-records 10

http-operation

Syntax
http-operation { get | post }

View
HWPing test group view

Parameter
get: Obtains data from an HTTP server.
post: Sends data to an HTTP server.

Description
Using the http-operation command, you can configure an HTTP operation type. HTTP operations are divided into two types: get and post. Operations of the former type are performed to obtain data from an HTTP server and operations of the latter type to send data to the HTTP server. By default, the operation of get is done. This command applies only to HTTP test. For the related command, see http-string.

Example
Perform get operations in HTTP tests.
[Router-administrator-http] http-operation get

http-string

Syntax
http-string url-string
undo http-string

View
HWPing test group view

Parameter
url-string: Uniform Resource Locator string used in HTTP. It is used by the WWW service program to identify the location of information on the Internet. By default, no URL is configured.

Description
Using the http-string command, you can configure a URL for an HTTP test. Using the undo http-string command, you can delete the configured URL information. This command applies only to HTTP test. For the related command, see http-operation.

Example
Configure the URL “/index.htm http/1.1”.
[Router-administrator-http] http-string /index.htm http/1.1

hwping

Syntax
hwping administrator-name operation-tag
undo hwping administrator-name operation-tag

View
System view

Parameter
administrator-name: Specifies name of the administrator creating an HWPing test group.
operation-tag: Test operation tag.

Description
Using the hwping command, you can create an HWPing test group. Executing this command will allow the system to access HWPing test group view.

Example
Create an HWPing test group, given the administrator name is “administrator” and the test operation tag is “icmp”.
[Router] hwping administrator icmp

hwping-agent enable

Syntax
hwping-agent enable
undo hwping-agent enable

View
System view

Parameter
None

Description
Using the hwping-agent enable command, you can enable the HWPing client function. Using the undo hwping-agent enable command, you can disable the HWPing client function. Before you perform the test operations of any type, you must enable the HWPing client function. For the related command, see hwping-server enable.

Example
Enable HWPing Client.
[Router] hwping-agent enable

hwping-agent max-requests

Syntax
hwping-agent max-requests max-number
undo hwping-agent max-requests

View
System view

Parameter
max-number: The allowed maximum number of concurrent tests, which is in the range 0 to 4294967295 and defaults to 10.

Description
Using the hwping-agent max-requests command, you can set the allowed maximum number of concurrent tests. Using the undo hwping-agent max-requests command, you can restore the default maximum number of concurrent tests.

Example
Set the maximum number of concurrent tests to 20.
[Router] hwping-agent max-requests 20

jitter-interval

Syntax
jitter-interval interval
undo jitter-interval

View
HWPing test group view

Parameter
interval: Packet sending interval in a jitter test, which is in the range 10 to 1000 milliseconds and defaults to 20 milliseconds.

Description
Using the jitter-interval command, you can set a packet sending interval for a jitter test. Using the undo jitter-interval command, you can restore the default test packet sending interval. This command applies only to jitter test. For the related command, see jitter-packetnum.

Example
Send packets at intervals of 30 milliseconds in a jitter test.
[Router-administrator-icmp] jitter-interval 30

jitter-packetnum

Syntax
jitter-packetnum number
undo jitter-packetnum

View
HWPing test group view

Parameter
number: Number of packets to be sent in a jitter test, which is in the range of 10 to 100 and defaults to 20.

Description
Using the jitter-packetnum command, you can configure the number of packets to be sent for a jitter test. Using the undo jitter-packetnum command, you can restore the number of packets to be sent for a jitter test to its default value. This command applies only to jitter test. For the related command, see jitter-interval.

Example
Send 30 packets for a test.
[Router-administrator-icmp] jitter-packetnum 30

password

Syntax
password password
undo password

View
HWPing test group view

Parameter
password: Password required for accessing an FTP server.

Description
Using the password command, you can configure the password required for the login to an FTP server. Using the undo password command, you can remove the configured password. By default, no password is configured for the login to an FTP server. This command applies only to FTP test. For the related commands, see username and ftp-operation.

Example
Set the login password for accessing an FTP server to “hwping”.
[Router-administrator-ftp] password hwping

probe-failtimes

Syntax
probe-failtimes times
undo probe-failtimes

View
HWPing test group view

Parameter
times: Number of consecutive probe failures. It is in the range 1 to 65535 and defaults to 1.

Description
Using the probe-failtimes command, you can configure the number of consecutive probe failures allowed in a HWPing test before a trap is sent to the NMS. Using the undo probe-failtimes command, you can restore the default. A test may include multiple probes.

Example
Send a trap to the NMS after three consecutive probe failures for a HWPing test.
[Router] probe-failtimes 3

send-trap

Syntax
send-trap { all | probefailure | testcomplete | testfailure }
undo send-trap { all | probefailure | testcomplete | testfailure }

View
HWPing test group view

Parameter
probefailure: Sends traps upon test packet transmission failures.
testcomplete: Sends traps upon the completion of test.
testfailure: Sends traps upon test failures.
all: Sends traps for all the events described above.

Description
Using the send-trap command, you can configure the type of events that may trigger trap sending. Using the undo send-trap command, you can remove the configuration of the event type. By default, no traps are sent.

Example
Send traps upon the completion of tests.
[Router-administrator-icmp] send-trap testcomplete

sendpacket passroute

Syntax
sendpacket passroute
undo sendpacket passroute

View
HWPing test group view

Parameter
None

Description
Using the sendpacket passroute command, you can enable routing table bypass. Using the undo sendpacket passroute command, you can disable routing table bypass. By default, routing table bypass is disabled.

With routing table bypass, a remote host can bypass the normal routing tables and send ICMP packets directly to a host on an attached network. If the host is not on a directly-attached network, an error is returned. You can use this function when pinging a local host on an interface that has no route defined.

Example
Bypass routing table when sending ICMP packets.
[Router] sendpacket passroute

source-interface

Syntax
source-interface interface-type interface-number
undo source-interface

View
HWPing test group view

Parameter
interface-type: Interface type.
interface-number: Interface number.

Description
Using the source-interface command, you can configure a source interface for test packet transmission. Using the undo source-interface command, you can remove the source interface configuration. By default, no source interface is configured for test packet transmission.

Example
Specify Ethernet 1 as the source interface for test packet transmission.
[Router-administrator-dhcp] source-interface ethernet 1

source-ip

Syntax
source-ip ip-address
undo source-ip

View
HWPing test group view

Parameter
ip-address: Source IP address used in a test.

Description
Using the source-ip command, you can configure a source IP address for this test. Using the undo source-ip command, you can remove the source address configuration. By default, IP address of the interface where test packets are to be sent is used as the source IP address.

Example
Set the source IP address for this test to 169.254.10.2.
[Router-administrator-icmp] source-ip 169.254.10.2

source-port

Syntax
source-port port-number
undo source-port

View
HWPing test group view

Parameter
port-number: Source port number used in a test. By default, it is 0.

Description
Using the source-port command, you can configure a source port number for this test. Using the undo source-port command, you can remove the configuration of source port number.

Example
Set the source port number to 8000 for this test.
[Router-administrator-icmp] source-port 8000

test-type

Syntax
test-type type

View
HWPing test group view

Parameter
test-type: Test type, which can be one of the following keywords:
dhcp: DHCP test.
dlsw: DLSw test.
ftp: FTP connection test.
http: HTTP connection test.
icmp-echo: ICMP test.
jitter: Jitter test, performed for analyzing the delay variations in UDP packet transmission.
snmpquery: SNMP test.
tcp-private: Tests the TCP connection of a specified port (an unknown port).
tcp-public: Tests the TCP connection of port 7.
udp-private: Tests the UDP connection of a specified port (an unknown port).
udp-public: Tests the UDP connection of port 7.

By default, test type is set to icmp-echo.

Description
Using the test-type command, you can configure a test type. HWPing tests include DHCP, DLSw, FTP, HTTP, ICMP, Jitter, SNMP, TCP, and UDP tests.

Example
Set test type to ICMP test.
[Router-administrator-icmp] test-type icmp-echo

test-enable

Syntax
test-enable

View
HWPing test group view

Parameter
None

Description
Using the test-enable command, you can enable an HWPing test. After you execute the test-enable command, the system does not display the test result. You may view the test result information by executing the display hwping command. For the related command, see display hwping.

Example
Execute the HWPing test defined by the test group “wgw-testicmp”.
[Router-hwping-wgw-testicmp] test-enable

test-failtimes

Syntax test-failtimes times undo test-failtimes View HWPing test group view Parameter times: Number of consecutive test failures. It is in the range 1 to 65535 and defaults to 1. Description Using the test-failtimes command, you can configure the number of consecutive test failures allowed before a trap is sent to the NMS. Using the undo test-failtimes command, you can restore the default. A test may include multiple probes. Example Send a trap to the NMS after three consecutive test failures.
[Router] test-failtimes 3

timeout

Syntax timeout time undo timeout View HWPing test group view Parameter time: Timeout time, which is in the range 1 to 60 and defaults to 3 seconds. Description Using the timeout command, you can configure a timeout time for a test. Using the undo timeout command, you can restore the default timeout time. Example Set the timeout time to ten seconds.
[Router-administrator-icmp] timeout 10

tos

Syntax tos value undo tos View HWPing test group view Parameter value: ToS field in the header of HWPing test packets, which is in the range 0 to 255. By default, ToS field is not set. Description Using the tos command, you can assign a value to the ToS field in the header of HWPing test packets. Using the undo tos command, you can remove the ToS value configuration. In a ping command, service type is set by using the argument “-o”. Example Set the ToS field in the header of HWPing packets to one.
[Router-administrator-ftp] tos 1

ttl

Syntax ttl number undo ttl View HWPing test group view Parameter number: Time to Live (TTL) value or lifetime of HWPing ICMP test packets, which is in the range 1 to 255 and defaults to 255. Description Using the ttl command, you can configure TTL of ICMP test packets. Using the undo ttl command, you can restore the default TTL of ICMP test packets. TTL is actually a hop count limit on how far a test packet can travel on a network. In a ping command, it is defined by the argument “-i”. This command applies only to ICMP test. Example Set the TTL of HWPing ICMP test packets to 16.
[Router-administrator-icmp] ttl 16

username

Syntax username name undo username

View HWPing test group view Parameter name: Name of the user allowed to access an FTP server. Description Using the username command, you can configure the name used for logging into an FTP server. Using the undo username command, you can remove the username configuration. By default, no username is configured for accessing an FTP server. This command applies only to FTP test. For the related commands, see password and ftp-operation. Example Use "administrator" as the username for the login to an FTP server.
[Router-administrator-ftp] username administrator

vpninstance

Syntax vpninstance name undo vpninstance View HWPing test group view Parameter name: VPN instance name, a string of 1 to 19 characters. Description Using the vpninstance command, you can configure VPN instance information for ICMP. Using the undo vpninstance command, you can remove the VPN instance information of ICMP. By default, no VPN instance information is configured for ICMP. Example Set the VPN instance name of ICMP to vpn1.
[Router] vpninstance vpn1

HWPing Server Commands
hwping-server enable

Syntax hwping-server enable undo hwping-server enable

View System view Parameter None Description Using the hwping-server enable command, you can enable HWPing Server. Using the undo hwping-server enable command, you can disable HWPing Server. By default, HWPing Server is disabled. So far, jitter test and UDP/TCP tests of a specified port are only available for Huawei’s devices. Before performing one of the tests, you must enable HWPing Server on the device to be tested. You must enable the function of HWPing Server on a device in order to provide HWPing server services. For the related commands, see hwping-agent enable, hwping-server tcpconnect, and hwping-server udpecho. Example Enable HWPing Server.
[Router] hwping-server enable

hwping-server tcpconnect

Syntax hwping-server tcpconnect ip-address port-number undo hwping-server tcpconnect ip-address port-number View System view Parameter ip-address: IP address where HWPing Server provides the TCP listening service. port-number: Port where HWPing Server provides the TCP listening service. Description Using the hwping-server tcpconnect command, you can create a TCP listening service. Using the undo hwping-server tcpconnect command, you can delete the established TCP listening service. If you want to use Huawei’s router as the server in an HWPing test on the TCP connection of a specified port, you must create the TCP listening service on the server. For the related command, see hwping-server enable. Example Create a TCP listening service, setting IP address to 169.254.10.2 and port number to 9000.
[Router] hwping-server tcpconnect 169.254.10.2 9000

hwping-server udpecho

Syntax hwping-server udpecho ip-address port-number undo hwping-server udpecho ip-address port-number View System view Parameter ip-address: IP address where HWPing server implements the UDP listening service. port-number: Port where HWPing Server provides the UDP listening service. Description Using the hwping-server udpecho command, you can create a UDP listening service. Using the undo hwping-server udpecho command, you can delete the established UDP listening service. If you want to use Huawei’s router as the server in an HWPing test on the UDP connection of a specified port, you must create the UDP listening service on the server. For the related command, see hwping-server enable. Example Create a UDP listening service, setting IP address to 169.254.10.2 and port number to 9000.
[Router] hwping-server udpecho 169.254.10.2 9000

Information Processing Commands
display channel

Syntax
display channel [ channel-number | channel-name ]

View Any view. Parameter channel-number: Channel number, ranging 0 to 9. That is, the system has 10 channels. channel-name: Channel name.
Table 1 Channel names and their associated channel numbers

Information channel number    Channel name
6                             channel6
7                             channel7
8                             channel8
9                             channel9
0                             console
4                             logbuffer
2                             loghost
1                             monitor
5                             snmpagent
3                             trapbuffer

Description Using the display channel command, you can display the contents of an information channel. This command displays the setting states of all channels when executed without any parameter. Example Display the contents of information channel 0.
<3Com> display channel 0
channel number:0, channel name:console
MODU_ID   NAME  ENABLE  LOG LEVEL  ENABLE  TRAP LEVEL  ENABLE  DEBUG LEVEL
ffff0000  all   Y       warning    Y       debugging   Y       debugging

display info-center

Syntax
display info-center

View Any view Parameter None Description Using the display info-center command, you can display all the information recorded in the info-center. For related commands, see info-center enable, info-center loghost, info-center logbuffer, info-center trapbuffer, info-center console channel, and info-center monitor channel. Example Display the information recorded in the info-center.

<3Com> display info-center
Information Center: enabled
Log host:
Console:
    channel number : 0, channel name : console
Monitor:
    channel number : 1, channel name : monitor
SNMP Agent:
    channel number : 5, channel name : snmpagent
Log buffer:
    enabled,max buffer size 1024, current buffer size 256,
    current messages 89, channel number : 4, channel name : logbuffer
    dropped messages 0, overwrote messages 0
Trap buffer:
    enabled,max buffer size 1024, current buffer size 256,
    current messages 0, channel number:3, channel name:trapbuffer
    dropped messages 0, overwrote messages 0
Information timestamp setting:
    log - date, trap - date, debug - boot
Sent messages = 89, Received messages = 89

display logbuffer

Syntax
display logbuffer [ size size-value | summary ] [ level level-number ] [ | [ begin | include | exclude ] string ]

View Any view Parameter size: Displays the number of information entries in the logbuffer. size-value: The number of displayed information entries. summary: A summary of the logbuffer. level: Displays only the count of information entries at a specified level. level-number: The specified level, in the range 1 to 8. |: Uses a regular expression to filter the information for display. begin: Displays the information beginning with the specified characters (string). include: Displays the information including the specified characters (string). exclude: Displays the information excluding the specified characters (string). string: Characters of the regular expression. Description Using the display logbuffer command, you can display the information recorded in the logbuffer.

By default, executing display logbuffer without any parameter displays all the information in the logbuffer. If the number of information entries in the current logging buffer is smaller than the specified size-value, logging information of the actual entries will be displayed. For related commands, see info-center enable, info-center logbuffer, and display info-center. Example Display the information in the logging buffer.
<3Com> display logbuffer
Logging Buffer Confiuration and contents:enabled
allowed max buffer size : 1024
actual buffer size : 256
channel number : 4 , channel name : logbuf
dropped messages : 0
overwritten messages : 0
current messages : 96
%8/28/2101 5:34:48-IC-7-SYS_RESTART: System restarted -3Com Versatile Routing Platform Software Copyright (c) 2000-2002 by VRP Team Beijing Institute 3Com Tech, Inc
%9/9/2002 15:50:36-SHELL-5-CMD:task:CFM ip:** user:** command:interface Ethernet
%11/6/2002 22:18:52-SHELL-5-CMD:task:CFM ip:** user:** command:interface Aux0
%3/15/2003 15:50:36-SHELL-5-CMD:task:CFM ip:** user:** command:controller E1 3/0
%4/1/2003 21:29:47-PHY-2-PHY: Console0: change status to up
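The records at the end of this output follow a fixed layout, and the SHELL CMD records form an audit trail of the commands that were entered. The following Python parser is an added example, not part of the 3Com guide: it splits the records into fields and marks commands from this page that clear or stop log collection. The sample mixes lines from the output above with constructed ones (task vt0, address 192.0.2.10 and user admin are made up), and it assumes that wrapped record text continues on the following lines.

```python
import re
from datetime import datetime

# Record header as printed in the display logbuffer output above:
#   %<m/d/yyyy> <h:mm:ss>-<MODULE>-<level>-<MNEMONIC>:<text>
HEADER_RE = re.compile(
    r"^%(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2})"
    r"-(?P<module>\w+)-(?P<level>\d)-(?P<mnemonic>\w+):\s*(?P<text>.*)$"
)
# Body of a SHELL/CMD record: task, source address, user, command typed.
CMD_RE = re.compile(
    r"^task:(?P<task>\S+) ip:(?P<ip>\S+) user:(?P<user>\S+) command:(?P<command>.*)$"
)
# Commands documented on this page that clear or stop log collection.
LOG_CONTROL_PREFIXES = (
    "reset logbuffer",
    "reset trapbuffer",
    "undo info-center enable",
    "undo info-center loghost",
)

# Constructed sample: banner and first records follow the page's output,
# the last two records are made up for this example.
SAMPLE = """\
Logging Buffer Confiuration and contents:enabled
allowed max buffer size : 1024
actual buffer size : 256
current messages : 5
%8/28/2101 5:34:48-IC-7-SYS_RESTART:
System restarted
%9/9/2002 15:50:36-SHELL-5-CMD:task:CFM ip:** user:** command:interface Ethernet
%4/1/2003 21:29:47-PHY-2-PHY: Console0: change status to up
%4/2/2003 2:14:07-SHELL-5-CMD:task:vt0 ip:192.0.2.10 user:admin command:undo info-center loghost 202.38.160.1
%4/2/2003 2:14:31-SHELL-5-CMD:task:vt0 ip:192.0.2.10 user:admin command:reset trapbuffer
"""


def parse_logbuffer(text):
    """Split display logbuffer output into records (list of dicts)."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        match = HEADER_RE.match(line)
        if match:
            rec = match.groupdict()
            rec["level"] = int(rec["level"])
            # English timestamp format: month/day/year, then the time.
            rec["time"] = datetime.strptime(rec.pop("stamp"), "%m/%d/%Y %H:%M:%S")
            records.append(rec)
        elif records and line.strip():
            # Assumed continuation line: append it to the previous record.
            records[-1]["text"] = (records[-1]["text"] + " " + line.strip()).strip()
        # Lines before the first record are the buffer status banner; skip them.
    return records


def command_audit(records):
    """Return the SHELL/CMD records with a log_control flag on each."""
    audit = []
    for rec in records:
        if rec["module"] != "SHELL" or rec["mnemonic"] != "CMD":
            continue
        match = CMD_RE.match(rec["text"])
        if not match:
            continue
        entry = match.groupdict()
        entry["time"] = rec["time"]
        normalized = " ".join(entry["command"].lower().split())
        entry["log_control"] = normalized.startswith(LOG_CONTROL_PREFIXES)
        audit.append(entry)
    return audit


if __name__ == "__main__":
    for item in command_audit(parse_logbuffer(SAMPLE)):
        mark = "REVIEW" if item["log_control"] else "ok"
        print(f'{item["time"]} {item["user"]}@{item["ip"]} {mark}: {item["command"]}')
```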

display trapbuffer

Syntax
display trapbuffer [ size sizeval ]

View Any view Parameter size: Specifies the number of information entries in the logbuffer. sizeval: The number of displayed information entries. Description Using the display trapbuffer command, you can display the information recorded in the trapbuffer. By default, executing the command without any parameter displays all the information in the trapbuffer. If the number of information entries in the current trapbuffer is smaller than the specified sizeval, the actual number of traps will be displayed.

For related commands, see info-center enable, info-center trapbuffer, and display info-center. Example Display trapbuffer information.
<3Com> display trapbuffer
Trapping Buffer Confiuration and contents: enabled
allowed max buffer size : 1024
actual buffer size : 256
channel number : 3 , channel name : trapbuf
dropped messages : 0
overwrote messages : 0
current messages : 0

# Display 23 entries of information in the trapbuffer.
<3Com> display trapbuffer size 23
Trapping Buffer Confiuration and contents: enabled
allowed max buffer size : 1024
actual buffer size : 256
channel number : 3 , channel name : trapbuf
dropped messages : 0
overwrote messages : 0
current messages : 0

info-center channel

Syntax
info-center channel channel-number name channel-name
undo info-center channel channel-number

View System view Parameter channel-number: The channel number, with the value ranging from 0 to 9. That is, the system has 10 channels. channel-name: Channel name, with a maximum length of 30 characters, excluding "-", "/" and "\". Description Using the info-center channel command, you can rename the information channel numbered channel-number as channel-name. When naming the information channels, please note that no duplicated channel name is allowed. Example Name Channel 0 as "execconsole".

[3Com] info-center channel 0 name execconsole

info-center console channel

Syntax
info-center console channel { channel-number | channel-name }
undo info-center console channel

View System view Parameter channel-number: Channel number, ranging 0 to 9, that is, the system has 10 channels. channel-name: Channel name. Description Using the info-center console channel command, you can enable outputting information to the console and set the information output channel. Using the undo info-center console channel command, you can disable the current settings. By default, no logging information is output to the console. This command will not become valid unless the syslog function has been enabled. For related commands, see info-center enable and display info-center. Example Enable outputting information to the console and set the output channel.
[3Com] info-center console channel console

info-center enable

Syntax
info-center enable
undo info-center enable

View System view Parameter None Description Using the info-center enable command, you can enable the info-center. Using the undo info-center enable command, you can disable the info-center.

By default, the info-center has been enabled. Only when the info-center has been enabled will the system output information go to the loghost and the console. For related commands, see info-center loghost, info-center logbuffer, info-center trapbuffer, info-center console channel, info-center monitor channel, display info-center. Example Enable the info-center.
[3Com] info-center enable
% information center is enabled

info-center logbuffer

Syntax
info-center logbuffer [ channel { channel-number | channel-name } | size buffersize ] *
undo info-center logbuffer [ channel | size ]

View System view Parameter channel: Sets the channel for information output to the logbuffer. channel-number: Channel number ranging 0 to 9. That is, the system has 10 channels. channel-name: Channel name. size: Sets logbuffer size. buffersize: Size of the logbuffer (the accommodated message entries). Description Using the info-center logbuffer command, you can enable the logbuffer and set the channel number for logging information output as well as the size of the logging buffer. Using the undo info-center logbuffer command, you can cancel the current settings. By default, the information outputted to the logbuffer is allowed, and the logbuffer size is 256. Only when the info-center has been enabled will this command become effective. By setting channel number after enabling logbuffer, you can specify information’s outbound direction. For related commands, see info-center enable, display info-center, and display info-center logbuffer.

Example Enable the router to send information to the logbuffer and set the logbuffer size to 50.
[3Com] info-center logbuffer size 50

info-center loghost

Syntax
info-center loghost X.X.X.X [ channel { channel-number | channel-name } | facility local-number | language { chinese | english } ] *
undo info-center loghost X.X.X.X

View System view Parameter X.X.X.X: IP address of the loghost. channel: Information channel for the loghost. channel-number: Channel number ranging 0 to 9. That is, the system has 10 channels. channel-name: Channel name. facility: Sets the recording tool of the loghost. local-number: Recording tool of the loghost, which ranges from local0 to local7. language: Sets the logging language. chinese and english: Logging language, which can be Chinese or English. Description Using the info-center loghost command, you can enable the router to output information to the loghost. Using the undo info-center loghost command, you can cancel the current configuration. By default, no information is output to the loghost. If not specified, the information channel for the loghost defaults to channel 2, which is named loghost, the loghost recording tool local-number to local7, and the language to english. Only when the information center has been enabled will this command become effective. By setting the IP address of the loghost, you can specify the information outbound direction. You can set up to 4 loghosts. For related commands, see info-center enable and display info-center.

Example Enable the router to send information to the UNIX workstation at 202.38.160.1.
[3Com] info-center loghost 202.38.160.1

info-center loghost source

Syntax
info-center loghost source interface-type interface-number [ subinterface-type ]
undo info-center loghost source

View System view Parameter interface-type: Interface type. interface-number: Number of the interface. subinterface-type: Subinterface type. Description Using the info-center loghost source command, you can specify the source address for sending packets to the logging host. Using the undo info-center loghost source command, you can cancel the current configuration. When a logging message is sent out from a router, the default source address is the IP address of the interface that sends the logging message. You can use this command to change the source address. By setting different source addresses for different routers, you can judge which router has sent a message and search the received messages accordingly. Example Set the IP address of Loopback0 as the source address of the logging message packets.
[3Com] interface loopback 0
[3Com-LoopBack0] ip address 1.1.1.1 255.255.255.0
[3Com-LoopBack0] quit
[3Com] info-center loghost source loopback 0

info-center monitor channel

Syntax
info-center monitor channel { channel-number | channel-name }
undo info-center monitor channel

View System view

Parameter channel-number: Channel number ranging 0 to 9. That is, the system has 10 channels. channel-name: Channel name. Description Using the info-center monitor channel command, you can enable the router to output information to the user terminal and set the output channel. Using the undo info-center monitor channel command, you can cancel the current configuration. By default, no information is output to the user terminal. Only when the info-center has been enabled will this command become effective. For related commands, see info-center enable, and display info-center. Example Enable the router to output information to the user terminal and set the output channel.
[3Com] info-center monitor channel monitor

info-center snmp channel

Syntax
info-center snmp channel { channel-number | channel-name }
undo info-center snmp channel

View System view Parameter channel-number: Channel number ranging 0 to 9. That is, the system has 10 channels. channel-name: Channel name. Description Using the info-center snmp channel command, you can set the information channel for snmp. Using the undo info-center snmp channel command, you can cancel the current configuration. By default, channel 5 is used. For the related command, see display snmp-agent statistics. Example Set snmp information channel to channel 6.

[3Com] info-center snmp channel 6

info-center source

Syntax
info-center source { module-name | default } { channel { channel-number | channel-name } } [ log { state { on | off } | level severity }* | trap { state { on | off } | level severity }* | debug { state { on | off } | level severity }* ]*
undo info-center source { module-name | default } { channel { channel-number | channel-name } }

View System view Parameter module-name: Module name. default: Sets the default information record. channel-number: Information channel number to be set. channel-name: Information channel name to be set. log: Log information. trap: Alarm information. debug: Debugging information. on: Enables outputting information. off: Disables outputting information. level: Sets information level to disable the output of the information at a level higher than the specified severity. severity: Information level. As shown in the following table, the info-center divides information into eight levels by severity or urgency, with a lower level indicating a more urgent event. emergencies indicates level 0 and debugging indicates level 7.
Table 2 Definition of information level

Severity level    Description
emergencies       Extremely emergent errors
alerts            Errors requiring immediate correction
critical          Critical errors
errors            Errors that are not critical but require your concern
warnings          Warning indicating that there may be some errors
notifications     Information that needs your concern
informational     Common prompt information
debugging         Debugging information

*: Indicates that multiple choices can be selected. At least one choice must be selected, and at most all the choices can be selected. Description Using the info-center source command, you can add records to an information channel. Using the undo info-center source command, you can remove the records from the information channel. For a specified module, by default, the state of logging information output is on and the allowed information level is informational. The state of trapping information output is on and the allowed information level is informational. The state of debugging information output is off. So far, the system allocates one information channel for each output direction, as follows:

Output direction    Information channel number    Default information channel name
Console             0                             console
Monitor terminal    1                             monitor
Loghost             2                             loghost
Trapbuffer          3                             trapbuffer
Logbuffer           4                             logbuffer
snmp                5                             snmpagent

In addition, each information channel has a default record for which the module name and number are default and 0xffff0000. But for different channels, the record may have different default settings for logging information, trapping information, and debugging information. If a module has no explicit configuration record in the channel, the default configuration record will be used. Example Enable the output of log information of the IP module in the snmp channel and the allowed highest level of the output information is emergence.
[3Com] info-center source ip channel snmpagent log level emergence

# Remove the setting of the cmd module in the snmp channel.
[3Com] undo info-center source cmd channel snmp

info-center timestamp

Syntax
info-center timestamp { trap | debugging | log } { boot | date | none }
undo info-center timestamp { trap | debugging | log }

View System view Parameter trap: Trap information. debugging: Debugging information. log: Log information. boot: Time that has passed since the system booted. It is in the format of xxxxxx.yyyyyy, with xxxxxx being the 32 high bits and yyyyyy the 32 low bits of the passed milliseconds. date: Current system date and time, in the form of “yyyy/mm/dd-hh:mm:ss” in Chinese and “mm/dd/yyyy-hh:mm:ss” in English. none: No time stamp. Description Using the info-center timestamp command, you can set the time stamp format for the output debugging/trapping/logging information. Using the undo info-center timestamp command, you can cancel the current configuration. By default, the date time stamp is used in information of all types. Example Set the time stamp format for traps to boot.
[3Com] info-center timestamp trap boot
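The defaults described in the info-center enable, info-center loghost, info-center loghost source and info-center timestamp entries decide whether a router's log records leave the device and can be correlated afterwards. The following Python check is an added example, not part of the 3Com guide: it reads configuration text and reports where those settings fall short. It assumes the saved configuration lists the commands exactly as they are typed on this page; the three sample configurations are constructed.

```python
import ipaddress


def audit_info_center(config_text):
    """Return (finding_id, explanation) pairs for one router configuration."""
    enabled = True      # page: the info-center is enabled by default
    loghosts = []       # page: no information is output to a loghost by default
    source_if = None    # page: default source is the sending interface's address
    stamps = {"log": "date", "trap": "date", "debugging": "date"}  # page default

    for raw in config_text.splitlines():
        words = raw.split()
        if words == ["undo", "info-center", "enable"]:
            enabled = False
        elif words == ["info-center", "enable"]:
            enabled = True
        elif words[:3] == ["info-center", "loghost", "source"]:
            source_if = " ".join(words[3:]) or None
        elif words[:2] == ["info-center", "loghost"] and len(words) >= 3:
            try:
                loghosts.append(str(ipaddress.IPv4Address(words[2])))
            except ValueError:
                pass    # third word is not a loghost address
        elif words[:2] == ["info-center", "timestamp"] and len(words) == 4:
            if words[2] in stamps and words[3] in ("boot", "date", "none"):
                stamps[words[2]] = words[3]

    findings = []
    if not enabled:
        findings.append(("info-center-disabled",
                         "no information goes to the loghost or the console"))
    if not loghosts:
        findings.append(("no-loghost",
                         "records stay in the local buffers, which reset "
                         "logbuffer and reset trapbuffer clear"))
    elif source_if is None:
        findings.append(("no-loghost-source",
                         "source address depends on the sending interface, so "
                         "one router can appear under several addresses"))
    for kind in ("log", "trap"):
        if stamps[kind] != "date":
            findings.append((f"{kind}-timestamp-{stamps[kind]}",
                             f"{kind} records carry no date and time"))
    return findings


def finding_ids(config_text):
    """Convenience wrapper: only the finding identifiers, in report order."""
    return [fid for fid, _ in audit_info_center(config_text)]


# Constructed configurations (commands as typed on this page).
WEAK = """\
info-center logbuffer size 50
info-center timestamp log boot
"""
DISABLED = """\
undo info-center enable
info-center loghost 202.38.160.1
"""
CORRECTED = """\
info-center enable
info-center loghost 202.38.160.1 facility local7
info-center loghost source loopback 0
info-center timestamp log date
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("DISABLED", DISABLED), ("CORRECTED", CORRECTED)):
        print(name, audit_info_center(cfg) or "no findings")
```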

info-center trapbuffer

Syntax
info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ] *
undo info-center trapbuffer [ channel | size ]

View System view Parameter channel: Sets the channel for outputting information to the trapbuffer. channel-number: Channel number ranging 0 to 9. That is, the system has 10 channels.

channel-name: Channel name. size: Sets trapbuffer size. buffersize: Size of the trapbuffer (the information entries that can be accommodated). Description Using the info-center trapbuffer command, you can enable the trapbuffer and set the output channel number and trapbuffer size. Using the undo info-center trapbuffer command, you can cancel the current configuration. By default, information output to trapbuffer is allowed and the trapbuffer size is 256. Only when the info-center has been enabled will this command become effective. By setting a trapbuffer size, you can make the router output information to the trapbuffer. For related commands, see info-center enable, display info-center, and display info-center trapbuffer. Example Enable the router to send information to the trapbuffer, given the trapbuffer size is 30.
[3Com] info-center trapbuffer size 30

reset logbuffer

Syntax
reset logbuffer

View User view Parameter None Description Using the reset logbuffer command, you can clear information in the logbuffer. Example
<3Com> reset logbuffer

reset trapbuffer

Syntax
reset trapbuffer

View System view Parameter None Description Using the reset trapbuffer command, you can clear information in the trapbuffer. Example
<3Com> reset trapbuffer

service modem-callback

Syntax
service modem-callback
undo service modem-callback

View System view Parameter None Description Using the service modem-callback command, you can enable user callback. Using the undo service modem-callback command, you can disable user callback. By default, the callback function is disabled. Example Enable the callback function.
[3Com] service modem-callback

terminal debugging

Syntax
terminal debugging
undo terminal debugging

View User view Parameter None

Description Using the terminal debugging command, you can enable the terminal debugging display function. Using the undo terminal debugging command, you can disable the function. By default, terminal display is disabled. For the related command, see debugging. Example Enable terminals to display the debugging information.
<3Com> terminal debugging

terminal logging

Syntax
terminal logging
undo terminal logging

View User view Parameter None Description Using the terminal logging command, you can enable the log display function of terminals. Using the undo terminal logging command, you can disable log display function of terminals. By default, the log display function of terminals is enabled. Example Disable the log display function of terminals.
<3Com> undo terminal logging

terminal monitor

Syntax
terminal monitor
undo terminal monitor

View User view Parameter None

Description Using the terminal monitor command, you can enable terminals to display the debugging/logging/trapping information sent by the info-center. Using the undo terminal monitor command, you can disable terminals from displaying the debugging/logging/trapping information. By default, the display function of console users is enabled but the display function of terminal users is disabled. The command only affects the current terminal that inputs it. The undo terminal monitor command is equivalent to the execution of the undo terminal debugging, undo terminal logging, and undo terminal trapping commands, that is, none of the debugging/logging/trapping information will be displayed at the current terminal. When terminal monitor has been enabled, the terminal debugging/undo terminal debugging, terminal logging/undo terminal logging, and terminal trapping/undo terminal trapping commands can be used to enable/disable the debugging/logging/trapping information. Example Disable terminal monitor.
<3Com> undo terminal monitor

terminal trapping

Syntax
terminal trapping
undo terminal trapping

View User view Parameter None Description Using the terminal trapping command, you can enable the function of trap information display at terminals. Using the undo terminal trapping command, you can disable the function of trap information display at terminals. By default, the system configuration is to enable the display function. Example Disable the trapping information display function.
<3Com> undo terminal trapping

System Operating Management Commands
boot bootldr

Syntax
boot bootldr filename

View System view Parameter filename: File name of the booting software package. Description Using the boot bootldr command, you can specify the system booting file. Example Specify the file ibox.bin stored in the flash as the default system booting file.
[3Com] boot bootldr flash:/ibox.bin

display alarm urgent

Syntax
display alarm urgent [ time | slot | id ]

View Any view Parameter time: Displays the alarms in a latest time range. id: Displays the alarms of an ID. slot: Displays the alarms involving a slot. Description Using the display alarm urgent command, you can display the stored alarms in a specified way. Executing the command without any parameter will display all the alarms. Example Display the stored alarms.
<3Com> display alarm urgent
Alarm ID  Slot  Date      Time      Para1  Para2
2         11    00/04/01  23:55:18  2      24
2         10    00/04/01  23:55:18  1      24
0         12    00/04/04  10:00:14  0      1

display bootvar

Syntax
display bootvar

View Any view Parameter None Description Using the display bootvar command, you can display the file name of the boot software package stored in the flash on RPU. Example Display the program configuration information of RPU.
<3Com> display bootvar
Boot file on flash is flash:/ibox.bin.

display environment

Syntax
display environment

View Any view Parameter None Description Using the display environment command, you can display the current values and the threshold values of the hardware system environment. Example Display the system environment.
<3Com> display environment
GET 3 TEMPERATUREPOINT VALUE SUCCESSFULLY
environment information:
Temperature information:
local  CurrentTemperature  LowLimit  HighLimit
       (deg c )            (deg c)   (deg c )
RPU    34                  0         80
VENT   31                  0         80

display device

Syntax
display device slot-number

View Any view Parameter
slot-number: Slot number.

Description Using the display device command, you can display the system hardware configuration information, including the in-position states of MPU, NPU, interface card, power module, and fan module, the operating state of interface card, power module, and fan module, as well as the offline information of MPU and NPU. Executing the command defined without parameters will display the essential information of all the devices in position. Executing the command defined with the parameter slot-number will display only the details on the defined slot, including reset times and history records of the reset causes. Example Display the essential information of the router.
<3Com> display device
Slot #  Type  Online   Status
0       RPU   Present  Normal
6       PWR   Present  Normal
7       FAN   Present  Normal

display schedule reboot

Syntax
display schedule reboot

View Any view Parameter None Description Using the display schedule reboot command, you can check the configuration of related parameters of the router schedule reboot terminal service. For the related command, see reboot, schedule reboot at, schedule reboot delay, undo schedule reboot.

Example Display the configuration of the schedule reboot terminal service parameters of the current router.
<3Com> display schedule reboot
Reboot system at 16:00:00 2002/11/1 (in 2 hours and 5 minutes).

remove slot

Syntax remove slot slotnum
undo remove slot slotnum

View User view Parameter slotnum: Slot number for the interface card. Description Using the remove slot command, you can run pre-processing before removing an interface card. If you decide not to remove the card after executing the remove slot command, you can cancel the operation with the undo remove slot command. The undo remove slot command is unnecessary when you remove a card and insert it again immediately. For the related commands, see reboot, schedule reboot at, schedule reboot delay, undo schedule reboot. Example Remove the interface card at slot 3.
<3Com> remove slot 3

reset alarm urgent

Syntax
reset alarm urgent

View
User view

Parameter
None

Description
Using the reset alarm urgent command, you can clear all the stored alarms.

Example
Clear all the stored alarms.
<3Com> reset alarm urgent

reset slot

Syntax
reset slot slot-number

View
User view

Parameter
slot-number: The number of the slot to be reset.

Description
Using the reset slot command, you can reset the device in a specified slot.

Example
Reset the device in slot 3.
<3Com> reset slot 3

schedule reboot at

Syntax
schedule reboot at hh:mm [ yyyy/mm/dd ]

View
User view

Parameter
hh:mm: Reboot time of the router, in the format "hour:minute". hh ranges from 0 to 23, and mm ranges from 0 to 59.
yyyy/mm/dd: Reboot date of the router, in the format "year/month/day". yyyy ranges from 2000 to 2099, mm ranges from 1 to 12, and the range of dd depends on the specific month.

Description
Using the schedule reboot at command, you can enable the timed reboot function of the router and set the specific reboot time and date. By default, the timed reboot function is disabled.
If the schedule reboot at command specifies a date, which must be a date in the future, the router restarts at the specified time, with an error of no more than 1 minute.
If no date is specified, there are two cases: if the configured time is later than the current time, the router restarts at that time on the same day; if the configured time is earlier than the current time, the router restarts at that time on the next day.
Note that the configured date must not be more than 30 days after the current date. After the command is entered, the system prompts you for confirmation, and the configuration takes effect only after "Y" or "y" is entered. Any previous related configuration is overwritten directly.
If the system time is adjusted with the clock command after the schedule reboot at command has been configured, the previously configured schedule reboot at parameter becomes invalid.
For related commands, see reboot, schedule reboot delay, undo schedule reboot, and display schedule reboot.

Example
Set the router to be restarted at 22:00 that night (the current time is 15:50).
<3Com> schedule reboot at 22:00
Reboot scheduled for 22:00:00 UTC 2002/11/18 (in 6 hours and 10 minutes)
Proceed with reboot? [Y/N]:y

schedule reboot delay

Syntax
schedule reboot delay { hhh:mm | mmm }

View
User view

Parameter
hhh:mm: Waiting time before rebooting the router, in the format "hour:minute". hhh ranges from 0 to 720, and mm ranges from 0 to 59.
mmm: Waiting time before rebooting the router, in the format "absolute minutes", ranging from 0 to 43200.

Description
Using the schedule reboot delay command, you can enable the timed reboot function of the router and set the waiting time. By default, the timed reboot function is disabled.
The waiting time can be given in two formats, "hour:minute" and "absolute minutes". In either format the total must be no more than 30×24×60 minutes, or 30 days.
After this command is entered, the system prompts you for confirmation, and the configuration takes effect only after "Y" or "y" is entered. Any previous related configuration is overwritten directly.
If the system time is adjusted with the clock command after the schedule reboot at command has been configured, the original schedule reboot at parameter becomes invalid.
For related commands, see reboot, schedule reboot at, undo schedule reboot, and display schedule reboot.

Example
Configure the router to be restarted after 88 minutes (the current time is 21:32).
<3Com> schedule reboot delay 88
Reboot scheduled for 23:00:00 UTC 2002/11/1 (in 1 hours and 28 minutes)
Proceed with reboot? [Y/N]:y
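The date and delay rules described for schedule reboot at and schedule reboot delay can be checked offline before answering the router's confirmation prompt. The following is an added example, not 3Com code: the function names are hypothetical, and treating a time equal to the current time as "next day" is an assumption.

```python
from datetime import datetime, timedelta

MAX_DAYS_AHEAD = 30                  # "not more than 30 days", per the text above
MAX_DELAY_MINUTES = 30 * 24 * 60     # 43200 minutes


def _parse_hhmm(text, max_hours):
    """Parse 'hour:minute' and range-check both fields."""
    try:
        hours, minutes = (int(part) for part in text.split(":"))
    except ValueError:
        raise ValueError(f"expected hour:minute, got {text!r}") from None
    if not (0 <= hours <= max_hours and 0 <= minutes <= 59):
        raise ValueError(f"hour must be 0-{max_hours} and minute 0-59: {text!r}")
    return hours, minutes


def resolve_reboot_at(now, hhmm, date=None):
    """Moment that 'schedule reboot at hh:mm [yyyy/mm/dd]' would target."""
    hours, minutes = _parse_hhmm(hhmm, 23)
    if date is None:
        target = now.replace(hour=hours, minute=minutes, second=0, microsecond=0)
        # Time already passed today (or equal: assumption) -> same time tomorrow.
        if target <= now:
            target += timedelta(days=1)
        return target
    try:
        year, month, day = (int(part) for part in date.split("/"))
        target = datetime(year, month, day, hours, minutes)  # rejects e.g. 2002/02/30
    except ValueError:
        raise ValueError(f"invalid date {date!r}") from None
    if not 2000 <= year <= 2099:
        raise ValueError("year must be 2000-2099")
    if target <= now:
        raise ValueError("date and time must be in the future")
    if (target.date() - now.date()).days > MAX_DAYS_AHEAD:
        raise ValueError("date is more than 30 days after the current date")
    return target


def resolve_reboot_delay(now, delay):
    """Moment that 'schedule reboot delay { hhh:mm | mmm }' would target."""
    if ":" in delay:
        hours, minutes = _parse_hhmm(delay, 720)
        total = hours * 60 + minutes
    else:
        try:
            total = int(delay)
        except ValueError:
            raise ValueError(f"expected minutes, got {delay!r}") from None
        if total < 0:
            raise ValueError("delay must not be negative")
    # 720:30 passes the per-field ranges but exceeds the 30-day total.
    if total > MAX_DELAY_MINUTES:
        raise ValueError("delay exceeds 43200 minutes (30 days)")
    return now + timedelta(minutes=total)


def time_until(now, target):
    """Remaining time, worded like the router's confirmation message."""
    minutes = int((target - now).total_seconds() // 60)
    return f"in {minutes // 60} hours and {minutes % 60} minutes"


if __name__ == "__main__":
    # The two examples from the text above.
    now = datetime(2002, 11, 18, 15, 50)
    target = resolve_reboot_at(now, "22:00")
    print(target, time_until(now, target))
    now = datetime(2002, 11, 1, 21, 32)
    target = resolve_reboot_delay(now, "88")
    print(target, time_until(now, target))
```

The model does not cover the clock-adjustment case: as the description states, changing the system time with the clock command invalidates a configured schedule reboot at parameter.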

upgrade

Syntax
upgrade [ bootrom | pico-code] filename

View
System view

Parameter
bootrom: Upgrades the BootROM online.
pico-code: Upgrades the pico-code online.
filename: The file name of the upgrade software package to be used.

Description
Using the upgrade command, you can upgrade the BootROM program, the pico-code, or the logic.

Example
Upgrade the pico-code online, given that the file name of the upgrade software package is filename.
[3Com] upgrade pico-code filename

undo schedule reboot

Syntax
undo schedule reboot

View
User view

Parameter
None

Description
Using the undo schedule reboot command, you can cancel the parameter configuration of the schedule reboot terminal service. For related commands, see reboot, schedule reboot at, schedule reboot delay, and display schedule reboot.

Example
Cancel the timed reboot function of the router.
<3Com> undo schedule reboot

Lock-Down Commands
display configure-user

Syntax
display configure-user

View
Any view

Parameter
None

Description
Using the display configure-user command, you can view information about the user who is currently authorized to configure the equipment.
Users can configure the same equipment through the Console port, the AUX port, the VTY interface (for example, Telnet and SSH), and other means. If configuration through these means were permitted simultaneously, one user's configuration could overwrite another's. For this reason, the VRP allows only one user at a time to modify the configuration of the equipment. In other words, while one user is configuring the equipment, other users, including those with higher priorities, are not permitted to configure it and must wait until the user currently configuring it quits or times out of the system.

Example
Display information about the user who is currently authorized to configure the equipment.
<3Com> display configure-user

If the adopted authentication does not require a username, the actual display is:
The information of current configuration user:
      UI      Delay      Type   Ipaddress       Username
  34  VTY 0   00:00:04   TEL    10.153.17.100

If the login authentication requires a username, the actual display is:
The information of current configuration user:
      UI      Delay      Type   Ipaddress       Username
  34  VTY 0   00:00:05   TEL    10.153.17.100   test

File Management Commands
File System Commands

cd

Syntax
cd directory

View
User view

Parameter
directory: Name of the destination directory.

Description
Using the cd command, you can change the current operating path of the router to the specified directory. By default, the flash memory is the operating path set when the router starts.

Example
Change the current operating path of the router to test.
<3Com> cd test
<3Com> pwd
flash:/test

clear

Syntax
clear filename

View
User view

Parameter
filename: Name of the file to be deleted.

Description
Using the clear command, you can delete all files from the recycle bin. The wildcard “*” is available here. The delete command only moves the target files into the recycle bin. To remove them from the recycle bin, you must use the clear command.

Example
Clear the recycle bin.
<3Com> clear flash:/p1h_logic.out
clear flash:/plh_logic.out?[Y/N]

copy

Syntax
copy filename_source filename_dest

View
User view

Parameter
filename_source: Name of the source file.
filename_dest: Name of the destination file or directory.

Description
Using the copy command, you can copy a file. If the name of the destination file is the same as an existing directory name, the file is copied into that directory. If the name of the destination file is the same as an existing file name, the user is asked whether the existing file should be overwritten.

Example
<3Com>pwd
Slave#flash:
<3Com> dir
Directory of flash:/
-rwxrwxrwx 1 noone nogroup 4316742 Oct 10 2002 10:10:10 system
drwxrwxrwx 1 noone nogroup       - Jan 01 2001 10:47:14 buckup
-rwxrwxrwx 1 noone nogroup      16 Jan 02 2001 08:53:52 private-data.t
-rwxrwxrwx 1 noone nogroup     625 Jan 02 2001 08:54:01 vrpcfg.txt
-rwxrwxrwx 1 noone nogroup     375 Jan 02 2001 08:53:13 config
-rwxrwxrwx 1 noone nogroup  524288 Jan 02 2001 11:47:39 bootromfull
7672832 bytes total (2295808 bytes free)

Copy the file from flash to buckup.
<3Com> copy vrpcfg.txt buckup
Copy flash:/vrpcfg.txt to flash:/backup/vrpcfg.txt ?[Y/N]:y
% Copied file flash:/vrpcfg.txt to flash:/backup/vrpcfg.txt
<3Com> dir
Directory of flash:/backup/
-rwxrwxrwx 1 noone nogroup 625 Jan 02 2001 13:28:32 vrpcfg.txt
7672832 bytes total (2295808 bytes free)

delete

Syntax
delete /unreserved filename

View
User view

Parameter
unreserved: Deletes the specified file unreservedly; the deleted file can never be restored.
filename: Name of the file to be deleted.

Description
Using the delete command, you can move the specified file to the recycle bin, from which it can be restored with the undelete command. If you want to delete it from the recycle bin, you can use the reset recycle-bin filename command.
If you delete two files that are in different directories but have the same filename, only the last one is stored in the recycle bin.
If the unreserved parameter is selected with the delete command, the target file cannot be restored.
The dir command does not display the information of deleted files. However, the dir /all command displays the information of all files under the directory, including deleted files.

Example
Delete the file flash:/test/test.txt.
<3Com> delete flash:/test/test.txt
Delete flash:/test/test.txt?[Y/N]
<3Com>

dir

Syntax
dir [ /all | /h ] [ filename ]

View
User view

Parameter
/all: Displays all files (including the deleted files).
/h: Displays the information about the private files. This parameter is unavailable if there is no storage device on the router.
filename: Name of the file or directory displayed.

Description
Using the dir command, you can display the information about the specified file or directory in the router storage device. By default, this command displays the file information under the current directory. This command supports the "*" wildcard.
The dir /all command displays the information about all the files, including the deleted files. The names of deleted files are enclosed in "[]", for instance, [temp.cfg]. Such deleted files can be restored with the undelete command. The reset recycle-bin command can be used to delete a file from the recycle bin permanently.
The dir /h command displays the information about the private files under the current path. The attribute of a private file is represented by “---h”.

Example
Display the information about the file flash:/test/test.txt.
<3Com> dir flash:
Directory of flash:
-rwxrwxrwx 1 noone nogroup 4316742 Oct 10 2002 10:10:10 system
-rwxrwxrwx 1 noone nogroup      16 Jan 01 1970 00:00:57 private-data.txt
-rwxrwxrwx 1 noone nogroup     351 Jan 01 1970 00:01:03 vrpcfg.txt
7672832 bytes total (3351552 bytes free)

execute

Syntax
execute filename

View
System view

Parameter
filename: Name of the batch file, ranging from 1 to 256, with a suffix of “.bat”.

Description
Using the execute command, you can execute the specified batch file. The batch command executes the command lines in the batch file one by one. The batch file must not contain invisible characters. If invisible characters are found, the batch command quits the current execution without rolling back the commands already executed. The batch command does not guarantee the execution of each command, nor does it perform hot backup itself. The forms and contents of the commands in the batch file are not restricted.

Example
Execute the batch file “test.bat” in the directory “flash:/”.
[3Com] execute test.bat

file prompt

Syntax
file prompt {alert | quiet }

View
System view

Parameter
alert: Enables interactive acknowledgement when a user operation (e.g., deleting a file) may cause data loss or destruction.
quiet: Gives no prompt when a user operation (e.g., deleting a file) may cause data loss or destruction.

Description
Using the file prompt command, you can modify the prompt mode of file operations on the router. By default, the prompt mode is alert. When the prompt mode is set to quiet, the system gives no prompt before an operation that may cause data loss (e.g., deleting a file).

Example
Set the prompt mode of file operation to quiet.
[3Com] file prompt quiet
# Set the prompt mode of file operation to alert.
[3Com] file prompt alert

format

Syntax
format device-name

View
User view

Parameter
device-name: Device name.

Description
Using the format command, you can format the storage device. Formatting results in the loss of all files on the specified storage device, and these files cannot be restored.

Example
Format flash.
<3Com> format flash:
All sectors will be erased, proceed? [Y/N]y
Format flash: completed

mkdir

Syntax
mkdir directory

View
User view

Parameter
directory: Name of the directory.

Description
Using the mkdir command, you can create a directory under the specified directory in the specified storage device. The name of the directory to be created cannot be the same as the name of another directory or file under the specified directory.

Example
Create a directory dd.
<3Com> mkdir dd
Created dir flash:/dd.

more

Syntax
more filename

View
User view

Parameter
filename: File name.

Description
Using the more command, you can display the content of a specified file. By default, the file system displays the file in the form of text, that is, the contents of the file.

Example
Display the content of the file test.txt.
<3Com> more test.txt
AppWizard has created this test application for you.
This file contains a summary of what you will find in each of the files that make up your test application.
Test.dsp
This file (the project file) contains information at the project level and is used to build a single project or subproject. Other users can share the project (.dsp) file, but they should export the makefiles locally.

move

Syntax
move filename_source filename_dest

View
User view

Parameter
filename_source: Name of the source file.
filename_dest: Name of the destination file.

Description
Using the move command, you can move a file. If the name of the destination file is the same as an existing directory name, the file is moved into that directory and keeps its file name. If the name of the destination file is the same as an existing file name, the user is asked whether the existing file should be overwritten.

Example
<3Com> dir
Directory of *
0  -rw-  2145123  Jul 12 2001 12:28:08  ne80.bin
1  -rw-  595      Jul 12 2001 10:47:50  vrpcfg.txt
2  drw-  0        Jul 12 2001 19:41:20  test
6477 KBytes total (2144 KBytes free)
<3Com> dir flash:/test/
Directory of flash:/test/
0  drw-           Jul 12 2001 20:23:37  subdir
1  -rw-  595      Jul 12 2001 20:13:19  vrpcfg.txt
2  -rw-  50       Jul 12 2001 20:08:32  sample.txt
6477 KBytes total (2144 KBytes free)
# Move the file flash:/test/sample.txt to flash:/sample.txt.
<3Com> move flash:/test/sample.txt flash:/sample.txt
Move flash:/test/sample.txt to flash:/sample.txt ?[Y/N]:y
% Moveded file flash:/test/sample.txt flash:/sample.txt
<3Com> dir
Directory of *
0  -rw-  2145123  Jul 12 2001 12:28:08  ne80.bin
1  -rw-  595      Jul 12 2001 10:47:50  vrpcfg.txt
2  drw-  0        Jul 12 2001 19:41:20  test
3  -rw-  50       Jul 12 2001 20:26:48  sample.txt
6477 KBytes total (2144 KBytes free)
<3Com> dir flash:/test/
Directory of flash:/test/
0  drw-           Jul 12 2001 20:23:37  subdir
1  -rw-  595      Jul 12 2001 20:13:19  vrpcfg.txt
6477 KBytes total (2144 KBytes free)

pwd

Syntax
pwd

View
User view

Parameter
None

Description
Using the pwd command, you can display the current path. If the current path has not been set, the operation will fail.

Example
Display the current path.
<3Com> pwd
flash:/test

rename

Syntax
rename filename_source filename_dest

View
User view

Parameter
filename_source: Name of the source file.
filename_dest: Name of the destination file.

Description
Using the rename command, you can rename a file. If the name of the destination file is the same as the name of an existing directory, the execution will fail. If the name of the destination file is the same as the name of an existing file, the operation will fail.

Example
<3Com> dir
Directory of *
0  -rw-  2145123  Jul 12 2001 12:28:08  ne.bin
1  -rw-  595      Jul 12 2001 10:47:50  vrpcfg.txt
2  drw-           Jul 12 2001 19:41:20  test
3  -rw-  50       Jul 12 2001 20:26:48  sample.txt
6477 KBytes total (2144 KBytes free)

Rename the file sample.txt to sample.bak.
<3Com> rename sample.txt sample.bak
Rename flash:/sample.txt to flash:/sample.bak ?[Y/N]:y
% Renamed file flash:/sample.txt flash:/sample.bak
<3Com> dir
Directory of *
0  -rw-  2145123  Jul 12 2001 12:28:08  ne.bin
1  -rw-  595      Jul 12 2001 10:47:50  vrpcfg.txt
2  drw-           Jul 12 2001 19:41:20  test
3  -rw-  50       Jul 12 2001 20:29:55  sample.bak
6477 KBytes total (2144 KBytes free)

reset recycle-bin

Syntax
reset recycle-bin filename

View
User view

Parameter
filename: Name of the file to be deleted.

Description
Using the reset recycle-bin command, you can delete a file from the recycle bin permanently. This command supports the "*" wildcard. The delete command only moves a file to the recycle bin directory. To delete a file permanently, use the reset recycle-bin command.

Example
Delete a file from the recycle bin.
<3Com> reset recycle-bin flash:/p1h_logic.out
reset flash:/plh_logic.out?[Y/N]

rmdir

Syntax
rmdir directory

View
User view

Parameter
directory: Name of the directory.

Description
Using the rmdir command, you can delete a directory. The directory to be deleted must be empty.

Example
<3Com>dir
Directory of *
0  drw-        Jul 12 2001 20:23:37  subdir
1  -rw-  595   Jul 12 2001 20:13:19  vrpcfg.txt
6477 KBytes total (2144 KBytes free)
# Delete the directory subdir.
<3Com> rmdir subdir
Rmdir subdir?[Y/N]:y
% Removed directory subdir
<3Com> dir
Directory of *
0  -rw-  595   Jul 12 2001 20:13:19  vrpcfg.txt
6477 KBytes total (5944 KBytes free)

undelete

Syntax
undelete filename

View
User view

Parameter
filename: Name of the file to be restored.

Description
Using the undelete command, you can restore a deleted file. If the name of the file to be restored is the same as the name of an existing directory, the execution will fail. If the name of this file is the same as that of an existing file, the user is asked whether the existing file should be overwritten.

Example
<3Com> dir /all
Directory of *
0  -rw-  595  Jul 12 2001 20:13:19  vrpcfg.txt
1  -rw-  50   Jul 12 2001 20:09:23  [sample.bak]
6477 KBytes total (2144 KBytes free)
# Restore the deleted file sample.bak.
<3Com> undelete sample.bak
Undelete flash:/test/sample.bak ?[Y/N]:y
% Undeleted file flash:/test/sample.bak
<3Com> dir /all
Directory of *
0  -rw-  50   Jul 12 2001 20:34:19  sample.bak
1  -rw-  595  Jul 12 2001 20:13:19  vrpcfg.txt
6477 KBytes total (2144 KBytes free)

FTP Server Configuration Commands
display ftp-server

Syntax
display ftp-server

View
Any view

Parameter
None

Description
Using the display ftp-server command, you can display the parameters of the current FTP server. After the FTP parameters are configured, this command can be used to display the configuration results.

Example
Display the FTP parameters configured.
<3Com> display ftp-server
Ftp server is running
Max user number  5
User count       2
Timeout(minute)  30

The information shown above indicates that the FTP server has started, that it supports up to 5 logged-on users simultaneously, that two users are currently logged on, and that the timeout of an FTP user is 30 minutes.

display ftp-user

Syntax
display ftp-user

View
Any view

Parameter
None

Description
Using the display ftp-user command, you can display the parameters of the current FTP user.

Example
Display the FTP user parameter configuration.
<3Com> display ftp-user
username  host        port  topdir   idle
3Com      10.110.3.5  1074  c:/3Com  2

The information shown above indicates that a connection between an FTP user named 3Com and the FTP server has been established. The IP address of the remote host is 10.110.3.5 and the remote port number is 1074. The authorization directory is flash:/3Com, and the user has not sent any service request to the FTP server for 2 minutes.

ftp server enable

Syntax
ftp server enable
undo ftp server

View
System view

Parameter
None

Description
Using the ftp server enable command, you can enable the FTP server and allow the login of FTP users. Using the undo ftp server command, you can disable the FTP server and the login of FTP users. By default, the FTP server is off.

Example
Disable the FTP server.
[3Com] undo ftp server

ftp timeout

Syntax
ftp timeout minute
undo ftp timeout

View
System view

Parameter
minute: Connection timeout in minutes, in the range of 1 to 35791. By default, the connection timeout is 30 minutes.

Description
Using the ftp timeout command, you can set the connection timeout. Using the undo ftp timeout command, you can restore the default connection timeout.
Once a user logs on to the FTP server, a connection is established between the user and the FTP server. If the connection is broken abnormally or the user abnormally disrupts it, the FTP server is not notified and the connection stays up. To avoid this problem, set the connection timeout. If no command interaction takes place during this period, the FTP server regards the connection as failed and disconnects it.

Example
Set the connection timeout to 36 minutes.
[3Com] ftp timeout 36

ftp update

Syntax
ftp update { fast | normal }
undo ftp update { fast | normal }

View
System view

Parameter
fast: Fast upgrading mode.
normal: Normal upgrading mode.

Description
Using the ftp update command, you can set the upgrading mode. Using the undo ftp update command, you can restore the default upgrading mode. By default, the FTP update is in fast mode.
When it receives files that a user transfers with the FTP command PUT, the FTP server updates the file data in its flash memory in one of two modes, fast or normal:
Fast mode: The FTP server writes the data to the flash memory after the file transfer is complete. This ensures that the files in the flash memory of the router are not damaged even in abnormal conditions such as a power failure.
Normal mode: The FTP server writes the data to the flash memory during the file transfer. This means that abnormal conditions such as a power failure might damage the files in the flash memory of the router. However, the normal updating mode consumes less memory.

Example
Set the FTP update mode to normal.
[Router] ftp update normal
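The file prompt, ftp server enable, ftp timeout and ftp update settings described above can be reviewed together from a saved copy of the configuration. The following is an added example, not 3Com code: it assumes the configuration text lists these commands as typed and that a setting left at its default does not appear, and the function names and sample configuration are constructed for illustration.

```python
import re

# Defaults as stated in the command descriptions above.
DEFAULTS = {
    "ftp_server": False,     # "By default, the FTP server is off."
    "ftp_timeout": 30,       # minutes
    "ftp_update": "fast",
    "file_prompt": "alert",
}


def effective_settings(config_text):
    """Replay the lines in order so that later commands and undo forms win."""
    state = dict(DEFAULTS)
    for raw in config_text.splitlines():
        line = " ".join(raw.split()).lower()      # normalise indentation and case
        if line == "ftp server enable":
            state["ftp_server"] = True
        elif line == "undo ftp server":
            state["ftp_server"] = False
        elif m := re.fullmatch(r"ftp timeout (\d+)", line):
            minutes = int(m.group(1))
            if 1 <= minutes <= 35791:             # documented range; ignore others
                state["ftp_timeout"] = minutes
        elif line == "undo ftp timeout":
            state["ftp_timeout"] = DEFAULTS["ftp_timeout"]
        elif m := re.fullmatch(r"ftp update (fast|normal)", line):
            state["ftp_update"] = m.group(1)
        elif re.fullmatch(r"undo ftp update (fast|normal)", line):
            state["ftp_update"] = DEFAULTS["ftp_update"]
        elif m := re.fullmatch(r"file prompt (alert|quiet)", line):
            state["file_prompt"] = m.group(1)
    return state


def audit(config_text):
    """Return (setting, reason) pairs for settings that differ from the safer default."""
    state = effective_settings(config_text)
    findings = []
    if state["file_prompt"] == "quiet":
        findings.append(("file_prompt",
                         "delete/format style operations run without confirmation"))
    if state["ftp_server"]:
        # FTP sends credentials and file contents unencrypted.
        findings.append(("ftp_server", "FTP server is enabled (default is off)"))
        if state["ftp_timeout"] > DEFAULTS["ftp_timeout"]:
            findings.append(("ftp_timeout",
                             f"idle sessions persist for {state['ftp_timeout']} minutes"))
        if state["ftp_update"] == "normal":
            findings.append(("ftp_update",
                             "uploads are written to flash during transfer; "
                             "a power failure may damage files"))
    return findings


# Constructed sample, not output captured from a router.
SAMPLE_CONFIG = """
 file prompt quiet
 ftp server enable
 ftp timeout 120
 ftp update normal
"""

if __name__ == "__main__":
    for setting, reason in audit(SAMPLE_CONFIG):
        print(f"{setting}: {reason}")
```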

FTP client module commands
ascii

Syntax
ascii

View
FTP client view

Parameter
None

Description
Using the ascii command, you can set the transmission data type to ASCII. By default, the data type is set to ASCII.

Example
Set the transmission data type to ASCII.
[ftp] ascii
200 Type set to A.


binary

Syntax
binary

View
FTP client view

Parameter
None

Description
Using the binary command, you can set the file type to support the transmission of binary files.

Example
Set the file type to support the transmission of binary files.
[ftp] binary
200 Type set to B.

bye

Syntax
bye

View
FTP client view

Parameter
None

Description
Using the bye command, you can disconnect from the remote FTP server and exit to user view.

Example
Terminate the connection with the remote FTP server and exit to user view.
[ftp] bye
<3Com>

cd

Syntax
cd pathname

View
FTP client view

Parameter
pathname: Path name.

Description
Using the cd command, you can change the operating path on the remote FTP server. This command can be used to access another directory on the FTP server.

Example
Change the operating path to d:/temp.
[ftp] cd d:/temp

cdup

Syntax
cdup

View
FTP client view

Parameter
None

Description
Using the cdup command, you can change the operating path to the upper directory. This command is used to exit the current directory and return to the upper directory.

Example
Change the operating path to the upper directory.
[ftp] cdup

close

Syntax
close

View
FTP client view

Parameter
None

Description
Using the close command, you can terminate the connection with the remote FTP server but remain in FTP client view. This command terminates both the control connection and the data connection with the remote FTP server simultaneously.

Example
Terminate the connection with the remote FTP server and remain in FTP client view.
[ftp] close
[ftp]

debugging

Syntax
debugging
undo debugging

View
FTP client view

Parameter
None

Description
Using the debugging command, you can enable debugging. Using the undo debugging command, you can disable debugging. By default, the debugging of FTP client commands is disabled.

Example
Enable debugging.
[ftp] debugging

delete

Syntax
delete remotefile

View
FTP client view

Parameter
remotefile: File name.

Description
Using the delete command, you can delete a specified file.

Example
Delete temp.c.
[ftp] delete temp.c

dir

Syntax
dir [ filename ] [ localfile ]

View
FTP client view

Parameter
filename: Name of the file queried.
localfile: Name of the local file in which the result is saved.

Description
Using the dir command, you can query a specified file. This command displays all the files under the directory or the file queried.

Example
Query temp.c and save the query result in temp1.
[ftp] dir temp.c temp1

disconnect

Syntax
disconnect

View
FTP client view

Parameter
None

Description
Using the disconnect command, you can terminate the connection with the remote FTP server and remain in FTP client view. This command terminates both the control connection and the data connection with the remote FTP server.

Example
Terminate the connection with the remote FTP server and remain in FTP client view.
[ftp] disconnect
[ftp]


ftp

Syntax
ftp [host [ port ] ]

View
User view

Parameter
host: IP address or hostname of the remote FTP server.
port: Port number of the remote FTP server.

Description
Using the ftp command, you can establish a control connection with the remote FTP server and enter FTP client view.

Example
Connect to the remote FTP server with the IP address 1.1.1.1.
<3Com> ftp 1.1.1.1

get

Syntax
get remotefile [ localfile ]

View
FTP client view

Parameter
localfile: Local file name.
remotefile: File name on the remote FTP server.

Description
Using the get command, you can download remote files and save them locally. By default, if the local file name is not specified, it is taken to be the same as the name of the file on the remote FTP server.

Example
Download temp1.c and save it as temp.c.
[ftp] get temp1.c temp.c

lcd

Syntax
lcd

View
FTP client view

Parameter
None

Description
Using the lcd command, you can get the local operating path of the FTP client.

Example
Display the local operating path.
[ftp] lcd
% Local directory now flash:

ls

Syntax
ls [ remotefile ] [ localfile ]

View
FTP client view

Parameter
remotefile: Remote file queried.
localfile: Name of the local file in which the result is saved.

Description
Using the ls command, you can query a specified file. By default, all the files are displayed when no parameter is given.

Example
Query temp.c.
[ftp] ls temp.c

mkdir

Syntax
mkdir pathname

View
FTP client view

Parameter
pathname: Directory name.

Description
Using the mkdir command, you can create a directory on the remote FTP server.

Example
Create the directory test on the remote FTP server.
[ftp] mkdir test

open

Syntax
open ipaddr [ port ]

View
FTP client view

Parameter
ipaddr: IP address of the remote FTP server.
port: Port number of the remote FTP server.

Description
Using the open command, you can establish a control connection with the remote FTP server.

Example
Establish an FTP connection with the FTP server on the host 10.110.3.1.
[ftp] open 10.110.3.1

passive

Syntax
passive
undo passive

View
FTP client view

Parameter
None

Description
Using the passive command, you can set the data transmission mode to passive mode. Using the undo passive command, you can set the data transmission mode to active mode. By default, the transmission mode is passive.

Example
Set the data transmission mode to passive mode.
[ftp] passive

put

Syntax
put localfile [ remotefile ]

View
FTP client view

Parameter
localfile: Local file name.
remotefile: File name on the remote FTP server.

Description
Using the put command, you can upload a local file to the remote FTP server. If no file name on the remote server is specified, it is taken to be the same as the name of the local file.

Example
Upload the local file temp.c to the remote FTP server and save it as temp1.c.
[ftp] put temp.c temp1.c

pwd

Syntax
pwd

View
FTP client view

Parameter
None

Description
Using the pwd command, you can display the working directory on the remote FTP server.

Example
Display the working directory on the remote FTP server.
[ftp] pwd
"d:/temp" is current directory.


quit

Syntax
quit

View
FTP client view

Parameter
None

Description
Using the quit command, you can terminate the connection with the remote FTP server and exit to user view.

Example
Terminate the connection with the remote FTP server and exit to user view.
[ftp] quit
<3Com>

remotehelp

Syntax
remotehelp [ protocol-command ]

View
FTP client view

Parameter
protocol-command: FTP command.

Description
Using the remotehelp command, you can display the help for an FTP command.

Example
Display the syntax of the command user.
[ftp] remotehelp user
214 Syntax: USER <sp> <username>

rmdir

Syntax
rmdir pathname

View
FTP client view

Parameter
pathname: Directory name on the remote FTP server.

Description
Using the rmdir command, you can delete a specified directory on the FTP server.

Example
Delete the directory d:/temp1 on the FTP server.
[ftp] rmdir d:/temp1

user

Syntax
user username [ password ]

View
FTP client view

Parameter
username: Logon user name.
password: Logon password.

Description
Using the user command, you can log on to the FTP server as the specified FTP user.

Example
Log on to the FTP server with the user name tom and the password bjhw.
[ftp] user tom bjhw

verbose

Syntax
verbose
undo verbose

View
FTP client view

Parameter
None

Description
Using the verbose command, you can enable the verbose function to view information from the FTP server. Using the undo verbose command, you can disable the verbose function. By default, it is disabled.

Example
Enable the verbose function.
[ftp] verbose

TFTP Configuration Commands
tftp

Syntax
tftp ip_address { get | put } source-filename [ destination-filename ]

View
User view

Parameter
ip_address: IP address of the TFTP server.
source-filename: Source file name.
destination-filename: Destination file name.
get: Downloads files.
put: Uploads files.

Description
Using the tftp command, you can upload files to a TFTP server or download files to the local device. For the related command, see tftp-server acl.

Example
Download the file vrpcfg.txt in the root directory of the TFTP server at 1.1.254.2 to the local hardware and save it as vrpcfg.bak.
<3Com> tftp 1.1.254.2 get vrpcfg.txt flash:/vrpcfg.bak

Upload the file vrpcfg.txt stored in the root directory of the flash to the default directory on the TFTP server at 1.1.254.2 and save the file on the server as vrpcfg.bak.
<3Com> tftp 1.1.254.2 put flash:/vrpcfg.txt vrpcfg.bak

tftp-server acl

Syntax
tftp-server acl acl-number

View
System view

Parameter
acl-number: IP ACL number in the range of 1 to 99.

Description
Using the tftp-server acl command, you can set the number of the ACL permitting access to a TFTP server.
For related command, see tftp.

Example
Set the number of the ACL permitting access to the TFTP server to 1.
[3Com] tftp-server acl 1

Configuration Files Management Commands

display current-configuration

Syntax
display current-configuration [ controller | interface interface-type [ interface-number ] | configuration [ rip | ospf | bgp | post-config | system | user-interface ] ] [ | [begin | include | exclude ] string ]

View
Any view

Parameter
controller: Displays the configuration of controller.
interface: Displays the configuration of the interface.
interface-type: Interface type.
interface-number: Interface number.
configuration: Displays the specified configurations.
rip: Displays the RIP configuration.
ospf: Displays the OSPF configuration.
bgp: Displays the BGP configuration.
post-system: Displays the greeting message configuration.
system: Displays the system configuration.
user-interface: Displays the user interface configuration.
|: Uses regular expression to filter the router configurations.
begin: Displays the configurations beginning with the specified characters (string).
include: Displays the configurations including the specified characters (string).
exclude: Displays the configurations excluding the specified characters (string).
string: Characters of the regular expression.

Description
Using the display current-configuration command, you can display the current configurations of router. The current configuration parameters that take the default values will not be displayed.
After finishing a set of configurations, the user can execute the display current-configuration command to view the currently effective parameters for the purpose of verifying the correctness of the configurations. Some parameters that the user has configured will not be displayed if their functions have not become valid yet. For example, the user can configure PPP parameters on an interface encapsulated with X.25 at the link layer, but he will not be able to see the PPP configuration information on the interface after executing the display current-configuration command.
For related commands, see save, reset saved-configuration, and display saved-configuration.

Example
Display the currently effective configuration parameters of the router.
<3Com> display current-configuration
sysname R1760
super password level 3 simple 123456
tcp window 8
#
undo multicast igmp-all-enable
#
interface Aux0
 link-protocol ppp
#
interface Ethernet0/0/0
#
interface Serial0/0/0
 link-protocol ppp
#
interface NULL0
#
bgp 15535
 undo synchronization
#
#
ospf 2 router-id 1.1.1.1
#
rip
#
user-interface con 0
 set authentication password simple 123456
 history-command max-size 30
user-interface aux 0
user-interface vty 0 4
#
return

display saved-configuration

Syntax
display saved-configuration

View
Any view

Parameter
None

Description
Using the display saved-configuration command, you can display the saved router configurations, that is, the configurations that the router will apply the next time it is booted.
For related commands, see save, reset saved-configuration, and display current-configuration.

Example
Display the router configuration file in the storage device.
<3Com> display saved-configuration
#
sysname 3Com
#
tcp window 8
#
undo multicast igmp-all-enable
#
controller E1 3/0/0
#
interface Aux0
 link-protocol ppp
#
interface Ethernet0/0/0
#
interface Serial0/0
 link-protocol ppp
#
interface NULL0
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return

display this

Syntax
display this

View
Any view

Parameter
None

Description
Using the display this command, you can display the current configurations under this view.

Example
Display the current configuration of the view in question.
<3Com> display this
#
sysname 3Com
#
tcp window 8
#

reset saved-configuration

Syntax
reset saved-configuration

View
User view

Parameter
None

Description
Using the reset saved-configuration command, you can erase the saved router configuration.
You are recommended to use this command only when necessary and under the guidance of the support technician.
This command is likely to be used when a used router is applied to a new application environment and the existing configuration file cannot meet the requirements of the new environment. In this case, you need to erase the existing configuration file and reconfigure the router.
For related commands, see save, display current-configuration, display saved-configuration.

Example
Erase the saved router configuration.
<3Com> reset saved-configuration
This will erase the configuration in the device.
The Router configurations will be erased to reconfigure! Are you sure?[Y/N]y

save

Syntax
save [ file-name ]

View
User view

Parameter
file-name: Filename, whose extension must be cfg.

Description
Using the save command, you can save the current configuration information into the storage device.
After you finish a set of configurations and make their functions valid, you should save the current configuration file into the storage device.
For related commands, see reset saved-configuration, display current-configuration, and display saved-configuration.

Example
Save the current configuration information in the default storage device.
<3Com> save

upgrade

Syntax
upgrade bootrom [ full ]

View
User view

Parameter
bootrom: Upgrades the BootRom program.
full: Upgrades the entire BootRom.

Description
Using the upgrade command, you can upgrade the bootrom program.
3Com Routers support online BootROM upgrade. You can upgrade the BootROM online by extracting the BootROM program from the upgrade software package and writing it into the BootROM.
When executing this command, you should make sure that the upgrade software package (named bootromfull) exists in the root directory of the flash.

Example
Upgrade the BootROM program of R1760 Router, given that the upgrade software package has been stored in the root directory of the flash and the file name is “bootromfull”.
<3Com> upgrade bootrom full

User Interface Configuration Commands

acl

Syntax
acl acl-number { inbound | outbound }
undo acl { inbound | outbound }

View
User interface view

Parameter
acl-number: Address access control list number.
inbound: Restricts incoming calls of a user interface.
outbound: Restricts outgoing calls of a user interface.

Description
Using the acl command, you can reference an ACL to restrict the rights of VTY (Telnet or SSH) and other types of user interfaces in placing incoming and outgoing calls. Using the undo acl command, you can remove the current settings.
By default, there is no incoming or outgoing call barring.
acl-number can only be the basic ACL.

Example
Remove the restriction on Telnet outgoing calls.
[3Com-ui-vty0] undo acl outbound

authentication-mode

Syntax
authentication-mode { local | password | scheme { list | default } }
authentication-mode none

View
User interface view

Parameter
local: Performs local database authentication.
password: Performs local password authentication.
scheme: Performs AAA authorization authentication.
default: Uses the default authentication parameter.
list: Uses the authentication list.
none: Performs no authentication.

Description
Using the authentication-mode command, you can set the mode that a user interface uses to authenticate the login users. Using the authentication-mode none command, you can set the authentication mode to none, that is, the login users need not undergo authentication before they access the user interface.
By default, the authentication mode is set to password for the VTY user interface and none for other user interfaces.
For related command, see set authentication password.

Example
Enable local password authentication.
[3Com-ui0] authentication-mode password

auto-execute command

Syntax
auto-execute command command
undo auto-execute command

View
User interface view

Parameter
command: Command to be automatically executed.

Description
Using the auto-execute command command, you can set a command to be automatically executed. Using the undo auto-execute command command, you can disable the automatic execution of the command.
By default, command auto-execution is disabled.
You should be aware of the following constraints before using the auto-execute command command:
CON does not support auto-execute command.
If there is only AUX but no CON on a router (AUX and CON share the same port), the AUX will not support auto-execute command either.
These constraints do not apply to other types of user interfaces.
When a user logs on, the command configured using auto-execute command on the terminal will automatically be executed. The user connection will be disconnected automatically once the execution of the command is finished.
A common approach is to configure the Telnet command using the auto-execute command command on the terminal so that the user may automatically connect to the specified host.
You should use this command with caution because it will probably make you unable to make the regular system configurations via this user interface.
CAUTION: Before configuring the auto-execute command command and saving the configuration (by executing the save command), you should make sure that you can access the system to remove the configuration by other means.

Example
Execute the telnet 10.110.100.1 command automatically after the user logs on from the AUX interface.
[3Com-ui-aux0] auto-execute command telnet 10.110.100.1

databits

Syntax
databits { 5 | 6 | 7 | 8 }
undo databits

View
User interface view

Parameter
5: Five data bits.
6: Six data bits.
7: Seven data bits.
8: Eight data bits.

Description
Using the databits command, you can set user interface data bit. Using the undo databits command, you can restore the default data bit setting.
By default, data bit is set to 8.
The configuration can take effect only when the serial interface works in the asynchronous flow mode.

Example
Set data bit to 5.
[3Com-ui-aux0] databits 5

debugging vty

Syntax
debugging vty { fsm | negotiate }
undo debugging vty { fsm | negotiate }

View
User view

Parameter
fsm: Debugging of the Telnet state machine.
negotiate: Debugging of the VTY negotiation.

Description
Using the debugging vty command, you can enable the debugging of the VTY. Using the undo debugging vty command, you can disable the debugging of the VTY protocol.

Example
Enable the debugging of the VTY negotiation.
<3Com> debugging vty negotiate

display user-interface

Syntax
display user-interface [ type-name ] [ number ]

View
Any view

Parameter
type-name: Name of user interface type.
number: Number of user interface.

Description
Using the display user-interface command, you can display the details of user interface.

Example
Display information of user interface 0.
<3Com> display user-interface 0
  Idx  Type   Tx/Rx  Modem  Privi  Auth
* 0    CON 0  9600          3      N
* : Current user-interface is active.
I : Current user-interface is active and work in async mode.
Idx : Absolute index of user-interface.
Type : Type and relative index of user-interface.
Privi: The privilege of user-interface.
Auth : The authentication mode of user-interface.
A: Authenticate use AAA.
L: Authenticate use local database.
N: Current user-interface need not authentication.
P: Authenticate use current UI's password.

display users

Syntax
display users [ all ]

View
Any view

Parameter
all: Displays the information of all the user interface users.

Description
Using the display users command, you can display the login information of the users on each user interface.

Example
Execute display users on the console.
<3Com> display users
  UI       Delay     IPaddress      Username
* 0 CON 0  00:00:00
* 1 VTY 0  00:00:09  10.110.101.39  dd

Where,
*: Terminal line in use.
UI: The first number and the second number are respectively the absolute number and relative number of user interface.
Username: Display the name of the user using this user-interface, namely the username that the user uses for accessing. As AAA authentication is unavailable yet, this item is null so far.
Delay: In minutes, it is the interval since the last input made by the user.
IP address: Displays the starting connection location, namely, IP address of the call-in host.

flow-control

Syntax
flow-control { hardware | software | none }
undo flow-control

View
User interface view

Parameter
none: No flow control.
software: Software flow control.
hardware: Hardware flow control, effective only on the AUX port.

Description
Using the flow-control command, you can configure flow control mode. Using the undo flow-control command, you can restore the default flow control mode.
By default, none mode is used, that is, there is no flow control.
The configuration can become effective only when the involved serial interface works in the asynchronous flow mode.
When system is outputting, pressing <Ctrl+s> will stop the screen output, and <Ctrl+q> will resume the screen output.

Example
Configure software flow control in user interface view.
[3Com-ui-console0] flow-control software


free user-interface

Syntax
free user-interface [type-name] number

View
User view

Parameter
type-name: User interface type.
number: Absolute/Relative user interface number.

Description
Using the free user-interface number command, you can clear the user interface with the number defined by the parameter number. Using the free user-interface type-name number command, you can clear the user interface with the number defined by number in the user interfaces of the type defined by type-name.

Example
Clear user-interface 0.
<3Com> free user-interface 0

history-command max-size

Syntax
history-command max-size size-value
undo history-command max-size

View
User interface view

Parameter
size-value: History buffer size, which is in the range of 0 to 256 and defaults to 10, that is, up to ten history commands can be stored.

Description
Using the history-command max-size command, you can set the history command buffer size. Using the undo history-command max-size command, you can restore the default history command buffer size.

Example
Set size of the history command buffer to 20.
[3Com-ui-console0] history-command max-size 20


idle-timeout

Syntax
idle-timeout minutes [ seconds ]
undo idle-timeout

View
User interface view

Parameter
minutes: Number of minutes, in the range of 0 to 35791.
seconds: Number of seconds, in the range of 0 to 59.

Description
Using the idle-timeout command, you can set the time interval for timed disconnection. Using the undo idle-timeout command, you can restore the default time value of timed disconnection.
The time interval for timed disconnection defaults to ten minutes.
Setting the time value to 0 will disable the timed disconnection, in which case a connection will not be cut off upon the expiration of the preset time interval.

Example
Set the time interval for timed disconnection to one minute and 30 seconds.
[3Com-ui-console0] idle-timeout 1 30

modem

Syntax
modem [ call-in | both ]
undo modem [ call-in | both ]

View
User interface view

Parameter
call-in: Allows incoming calls.
both: Allows both incoming and outgoing calls.

Description
Using the modem command, you can set the incoming/outgoing call attributes with Modem. Using the undo modem command, you can disable incoming and outgoing calls.
By default, both incoming and outgoing calls are allowed.
When executed without any parameters, the modem command enables both incoming and outgoing calls. When executed without any parameters, the undo modem command disables both incoming and outgoing calls.
This command is only available for the AUX interface and other asynchronous interfaces, but not for the Console port.

Example
Set Modem dialup at asynchronous serial ports.
[3Com-ui-tty] modem

modem auto-answer

Syntax
modem auto-answer
undo modem auto-answer

View
User interface view

Parameter
None

Description
Using the modem auto-answer command, you can set the answering mode to auto-answer. Using the undo modem auto-answer command, you can set the answering mode to manual answer.
By default, the answering mode is manual answer.
This command is valid for the AUX interface and other asynchronous interfaces but not for the console interface.
When taking the modem dial-up connection approach, the user should first set the modem parameters on the involved user interface.

Example
Set the answering mode to auto-answer.
[3Com-ui-aux0] modem auto-answer

modem timer answer

Syntax
modem timer answer seconds
undo modem timer answer

View
User interface view

Parameter
seconds: Timeout time in the range of 1 to 60 seconds.

Description
Using the modem timer answer command, you can set the timeout time waiting for the carrier signal after the off-hook action for setting up an inbound connection. Using the undo modem timer answer command, you can restore the default waiting timeout time.
The waiting timeout time defaults to 30 seconds.
This command is valid for the AUX interface and other asynchronous interfaces but not for the console interface.

Example
None

parity

Syntax
parity { none | even | odd | mark | space }
undo parity

View
User interface view

Parameter
none: Implements no check.
even: Implements even parity check.
odd: Implements odd parity check.
mark: Implements mark check.
space: Implements space check.

Description
Using the parity command, you can set the check bit of a user interface. Using the undo parity command, you can restore the check mode of user interface to none.
By default, no check is performed.
The configuration can become effective only when the involved serial interface works in the asynchronous flow mode.

Example
Set the transmission check bit on AUX interface to odd parity.
[3Com-ui-aux0] parity odd

redirect

Syntax
redirect
undo redirect

View
User interface view

Parameter
None

Description
Using the redirect command, you can set the redirection function, which is only valid for the AUX and TTY user interfaces, on an asynchronous port. Using the undo redirect command, you can disable the redirection function on the involved port.
By default, the system does not support redirection.
This command is only valid for the AUX and the TTY user interfaces. For example, executing the redirect command on a TTY user interface will enable the redirection function of the user interface.
For related commands, see telnet and display tcp status.

Example
Enable the redirection function of user interface TTY7.
[3Com-ui-tty7] redirect

screen-length

Syntax
screen-length screen-length
undo screen-length

View
User interface view

Parameter
screen-length: Number of rows displayed in a screen in the event of split screen display, which is in the range of 0 to 512.

Description
Using the screen-length command, you can set the number of rows displayed in one screen at the terminal. Using the undo screen-length command, you can restore the number of rows in a terminal screen to 24.
By default, the number of rows in one screen is 24.
screen-length 0 disables the split screen function.

Example
Set the number of rows in one screen of the terminal to 30.
[3Com-ui-console0] screen-length 30

send

Syntax
send [ number | all | type-name number ]

View
User view

Parameter
all: Sends messages to all user interfaces.
type-name: Name of user interface type.
number: Absolute/Relative user interface number.

Description
Using the send command, you can transfer messages between user interfaces.
Using the send all command, you can send messages to all user-interfaces.
Using the send number command, you can send messages to the user interface defined by specifying its number.
Using the send type-name number command, you can send messages to the user interface of type-name with specified number.

Example
Send messages to the console user-interface.
<3Com> send con 0
Enter message, end with CTRL+Z or Enter; abort with CTRL+C:
Hello,good morning!
Send message? [Y/N]

set authentication password

Syntax
set authentication password { simple | cipher } password
undo set authentication password

View
User interface view

Parameter
simple: Plain text password.
cipher: Encrypted password.
password: If password form is set to simple, the parameter password must be in plain text. If the password form is set to cipher, the password can be either in encrypted text or in plain text depending on what has been input. A plain-text password can be a string of no more than 16 consecutive characters, 1234567 for example. An encrypted password, however, must be of 24 characters in length and must be in ciphertext, _(TT8F]Y\5SQ=^Q`MAF4<1!! for example.

Description
Using the set authentication password command, you can set a local authentication password. Using the undo set authentication password command, you can remove the local authentication password.
Regardless of whether the password format is set to plain text or ciphertext, a user must input plain text password during the authentication.
When configuring a password, you must specify its format to simple or cipher. If the former has been specified, the password saved in the configuration file will be in plain text. If the latter is specified, however, the password will be displayed in ciphertext regardless of whether the password you enter is a simple password of 1 to 16 bytes or an encrypted password of 24 bytes.
By default, Telnet users are required to undergo login password authentication (which can be set by using the authentication-mode password command). If no password has been configured, the following information will be displayed:
password required, but none set
For related command, see authentication-mode.

Example
Set the local authentication password for the user interfaces vtys 0 to 4 to "3Com".
[3Com-ui-vty0-4] authentication-mode password
[3Com-ui-vty0-4] set authentication password simple 3Com
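
The settings described in this chapter (authentication-mode, set authentication password, idle-timeout, acl) can be reviewed offline from captured display current-configuration output. The following script is an added example, not part of the 3Com manual; the sample configuration and the finding names are constructed, and it assumes sub-commands are indented under their user-interface line. Defaults are applied as the manual states them, since default values are not shown in the output.

```python
import re

# Constructed sample in the layout of `display current-configuration` output.
SAMPLE_CONFIG = """\
#
sysname R1760
super password level 3 simple 123456
#
user-interface con 0
 set authentication password simple 123456
 idle-timeout 0
user-interface aux 0
 authentication-mode none
user-interface vty 0 3
 authentication-mode password
 set authentication password cipher <ciphertext-placeholder>
 acl 1 inbound
 idle-timeout 5 0
user-interface vty 4
 set authentication password simple 3Com
#
return
"""


def parse_sections(text):
    """Split config text into global lines and per-user-interface commands."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            current = None                      # separator ends a section
        elif line.startswith("user-interface "):
            current = line[len("user-interface "):]
            sections[current] = []
        elif current is not None and raw[:1].isspace():
            sections[current].append(line)      # indented sub-command
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def audit(text):
    """Return a sorted list of (scope, finding) tuples for weak settings."""
    findings = []
    global_lines, sections = parse_sections(text)
    for line in global_lines:
        # e.g. "super password level 3 simple <pw>": secret stored in plain text
        if re.search(r"\bpassword\b.*\bsimple\s+\S+", line):
            findings.append(("global", "plaintext-password"))
    for name, cmds in sections.items():
        # Sections given by absolute number only are treated as non-VTY here.
        is_vty = name.split()[0] == "vty"
        # Defaults stated in the manual: password on VTY, none elsewhere.
        auth = "password" if is_vty else "none"
        timeout_disabled = False                # default is ten minutes
        inbound_acl = False                     # default: no call barring
        for cmd in cmds:
            words = cmd.split()
            if words[0] == "authentication-mode" and len(words) > 1:
                auth = words[1]
            elif words[:4] == ["set", "authentication", "password", "simple"]:
                findings.append((name, "plaintext-password"))
            elif words[0] == "idle-timeout" and len(words) > 1:
                seconds = int(words[2]) if len(words) > 2 else 0
                timeout_disabled = int(words[1]) * 60 + seconds == 0
            elif words[0] == "acl" and words[-1] == "inbound":
                inbound_acl = True
        if auth == "none":
            findings.append((name, "no-authentication"))
        if timeout_disabled:
            findings.append((name, "idle-timeout-disabled"))
        if is_vty and not inbound_acl:
            findings.append((name, "vty-without-inbound-acl"))
    return sorted(findings)


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

The console entry shows why defaults matter: a password is configured, but with no authentication-mode line the manual's stated default for non-VTY interfaces is none.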

shell

Syntax
shell
undo shell

View
User interface view

Parameter
None

Description
Using the shell command, you can enable terminal services on a user interface. Using the undo shell command, you can remove the current setting.
By default, the terminal services are enabled on all the user interfaces.
Some constraints are put on the undo shell command. First, CON does not support this command. Second, if there is only AUX but no CON on a router (AUX and CON share the same port), the AUX will not support this command either. These constraints do not apply to other types of user interfaces.

Example
Disable terminal services on the virtual terminals (VTYs) 0 to 4.
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] undo shell

The following information will be displayed for a login Telnet terminal:
% connection refused by remote host!

speed

Syntax
speed speed-value
undo speed

View
User interface view

Parameter
speed-value: Transmission rate in bps.

Description
Using the speed command, you can set the transmission rate of a user interface. Using the undo speed command, you can restore the default transmission rate of the user interface.
By default, the transmission rate is 9600bps.
Only when the serial interface works in asynchronous flow mode will the configuration be effective.
The transmission rates supported by asynchronous serial interfaces include:
300bps
600bps
1200bps
4800bps
9600bps
19200bps
38400bps
57600bps
115200bps

Example
Set the transmission rate of the user interface to 19200bps.
[3Com-ui-vty0] speed 19200

stopbits

Syntax
stopbits { 1.5 | 1 | 2 }
undo stopbits

View
User interface view

Parameter
1.5: Sets the stop bit to 1.5.
1: Sets the stop bit to 1.
2: Sets the stop bit to 2.

Description
Using the stopbits command, you can set the stop bit of a user interface. Using the undo stopbits command, you can restore the default stop bit of the user interface.
By default, the stop bit is set to 1.
Only when the serial interface works in asynchronous flow mode will the configuration be effective.

Example
Set the stop bit to 1.5.
[3Com-ui-vty0] stopbits 1.5


user privilege

Syntax
user privilege level level
undo user privilege level

View
User interface view

Parameter
level: Command level in the range of 0 to 3.

Description
Using the user privilege command, you can configure the command access level for users accessing the system from the current user interface. Using the undo user privilege command, you can disable the current setting.
By default, the command access level is 3 for the CON user interface and 0 for other user interfaces.
If the command access level assigned to a user interface conflicts with the precedence level assigned to the username in the granted rights, the rights commensurate with the username will be preferred. For example, the precedence of the user 007 allows 007 to access level-3 commands and the privilege level assigned to the user interface VTY 0 only allows the login users to access level-2 commands. If 007 accesses the system from VTY0 in this case, it will be able to access the commands of level-3 and lower levels.

Example
Assign the users accessing the system from the user interface the privilege allowing them to access level-2 commands.
[3Com-ui-vty0] user privilege level 2

After the user accesses the router from vty 0 via Telnet, the terminal will display:
<3Com>

user-interface

Syntax
user-interface [ type-keyword ] user-interface-number [ ending-user-interface-number ]

View
System view

Parameter
type-keyword: Type name of user-interface.
user-interface-number: The first user-interface to be configured.
ending-user-interface-number: The last user-interface to be configured.

Description
Using the user-interface command, you can enter the single-user interface view or multi-user interface view.

Example
Enter the user-interface console 0 view to configure console 0.
[3Com] user-interface console 0
[3Com-ui-console0]

Enter the user-interface vty 0 view to configure vty 0.
[3Com] user-interface vty 0
[3Com-ui-vty0]

Enter the user-interface vty view to configure user-interfaces vtys 0 through 3.
[3Com] user-interface vty 0 3
[3Com-ui-vty0-3]

Enter the user-interface view to configure user-interfaces 0 through 4, including those of console port type, of AUX interface type and of VTY interface type. The user interface types will be configured depending on the configuration interface available on the router. The following example configures one console user interface and three VTY user interfaces, which may be right for the case where the router does not provide the AUX interface.
[3Com] user-interface 0 3
[3Com-ui0-3]

debugging ntp-service

Syntax
debugging ntp-service { access | adjustment | authentication | event | filter | packet | parameter | refclock | selection | synchronization | validity | all }
undo debugging ntp-service { access | adjustment | authentication | event | filter | packet | parameter | refclock | selection | synchronization | validity | all }

View
User view

Parameter
access: NTP access control debugging.
adjustment: NTP clock adjustment debugging.
all: All the NTP information debugging.
authentication: NTP identification authentication debugging.
event: NTP event debugging.
filter: NTP filter information debugging.
packet: NTP packet debugging.
parameter: NTP clock parameter debugging.
refclock: NTP reference clock debugging.
selection: NTP clock selection information debugging.
synchronization: NTP clock synchronous information debugging.
validity: Validity debugging of NTP remote host.

Description
Using the debugging ntp-service command, you can enable debugging of all types of NTP service information. Using the undo debugging ntp-service command, you can disable NTP service debugging.
By default, all the information debugging is disabled.

Example
Enable the ntp access control debugging.
<3Com> debugging ntp-service access

display ntp-service sessions

Syntax
display ntp-service sessions [ verbose ]

View
Any view

Parameter
verbose: Displays the detailed information of sessions.

Description
Using the display ntp-service sessions command, you can display the status of all the sessions maintained by the local device NTP.
By default, the status of all the sessions maintained by the local device NTP is displayed.
The command without parameter verbose will display the brief information of all the sessions maintained by the local device NTP.
The command with parameter verbose will display the detailed information of all the sessions maintained by the local device NTP.

Example
Display the brief information of all the sessions maintained by the local device NTP.
<3Com> display ntp-service sessions
source refid st now poll reach delay offset dis
******************************************************************
[12345]1.0.1.11LOCAL(0)316437726.1199.539.7
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured

display ntp-service status

Syntax
display ntp-service status

View
Any view

Parameter
None

Description
Using the display ntp-service status command, you can display the state information of the NTP service.

Example
<3Com> display ntp-service status
clock status: unsynchronized
clock stratum: 16
reference clock ID: none
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.00 ms
peer dispersion: 0.00 ms
reference time: 00:00:00.000 UTC Jan 1 1900(00000000.00000000)

Description of the display information is shown in the following table.
Table 3 State information of the NTP service
Display information | Description
synchronized | Indicates that the local system is synchronized to a remote NTP server or a clock source
unsynchronized | Indicates that the local system is not synchronized to any remote NTP server
stratum | The NTP stratum of the local system
reference | If the local system has been synchronized to a remote NTP server or a clock source, it indicates the address of the remote server or clock source ID
nominal freq | Nominal frequency of the hardware clock of the local system
actual freq | Actual frequency of the hardware clock of the local system
precision | Precision of the local system clock
reftime | Reference timestamp
offset | Offset of the NTP server relative to the local clock
root delay | Overall delay from the local to the master reference clock
root disper | Dispersion of the local master reference clock
peer disper | Dispersion of the remote NTP server

display ntp-service trace

Syntax
display ntp-service trace [ X.X.X.X ]

View
Any view

Parameter
X.X.X.X: The IP address of the NTP server functioning as the reference clock source.

Description
Using the display ntp-service trace command, you can display the summary information of each NTP time server from the local device tracing to the reference clock source.
This command is used to trace to the reference clock source from the local device along the time synchronous NTP server chain and display the summary information of each NTP server.

Example
<3Com> display ntp-service trace
server4: stratum 4, offset 0.0019529, synch distance 0.144135
server3: stratum 3, offset 0.0124263, synch distance 0.115784
server2: stratum 2, offset 0.0019298, synch distance 0.011993
server1: stratum 1, offset 0.0019298, synch distance 0.011993 refid 'GPS Reciever'

The above information displays the synchronous chain of server4. It indicates that server 4 can be synchronized to server 3, server 3 to server 2 and server 2 to server 1. Server 1 is synchronized from the reference clock source GPS Receiver.

ntp-service access

Syntax
ntp-service access { query | synchronization | server | peer } acl-number
undo ntp-service access { query | synchronization | server | peer }

View
System view

Parameter
query: Query authority is limited.
synchronization: Only the server is permitted to access.
server: Allows the server to perform access and query.
peer: Absolute access.
acl-number: IP address access list number in the range of 1 to 99.

Description
Using the ntp-service access command, you can set the access control authority of the local device services. Using the undo ntp-service access command, you can remove the access control authority that has been set.
By default, there is no access authority.
This command is used to set the access authority of the NTP service of the local device. A security approach of minimum authority is provided in this manual. The more secure approach is to perform ID authentication. When there is an access request, this command can be used to make the matches in sequence from minimum access authority to the maximum authority. All matches are based on the first match. The match order is peer, server, synchronization, query.

Example
Enable the peer in No.76 access list to perform time request, query control and time synchronization on the local device.
[3Com] ntp-service access peer 76

Enable the peer in No.28 access list to perform time request, query control on the local device.
[3Com] ntp-service access server 28

ntp-service authentication enable

Syntax
ntp-service authentication enable
undo ntp-service authentication enable

View
System view

Parameter
None

Description
Using the ntp-service authentication enable command, you can set NTP-service ID authentication. Using the undo ntp-service authentication enable command, you can remove NTP-service ID authentication.
By default, no ID authentication is set.

Example
Enable NTP ID authentication.
[3Com] ntp-service authentication enable

ntp-service authentication-keyid

Syntax
ntp-service authentication-keyid number authentication-mode md5 value
undo ntp-service authentication-keyid number

View
System view

Parameter
number: Key number in the range of 1 to 4294967295.
value: Key itself that is represented with 1 to 32 ASCII characters.

Description
Using the ntp-service authentication-keyid command, you can set NTP authentication key. Using the undo ntp-service authentication-keyid command, you can remove NTP authentication key.
By default, no authentication key is set.
This command is used to set NTP authentication key, which only supports MD5 authentication.

Example
Set MD5 ID authentication key. The key ID number is 10 and the key is BetterKey.
[3Com] ntp-service authentication-keyid 10 authentication-mode md5 BetterKey

ntp-service broadcast-client

Syntax
ntp-service broadcast-client
undo ntp-service broadcast-client

View
Interface view

Parameter
None

Description
Using the ntp-service broadcast-client command, you can configure the NTP broadcast client mode. Using the undo ntp-service broadcast-client command, you can remove the NTP broadcast client mode.
By default, no NTP broadcast client service is configured.
This command is used to specify the local interface on the local device to receive the NTP broadcast packets. The local device is run in client mode. It first listens discreetly to the broadcast packets from the server. When the first broadcast packet is received, the local device enables a short client/server mode to exchange messages with the remote server in order to estimate network delay. Then it enters the client mode to listen discreetly to the broadcast packets and synchronize the local clock according to the coming broadcast packets.

Example
Enable the interface Ethernet 1/0/1 to receive NTP broadcast message.
[3Com] interface ethernet 1/0/1
[3Com-Ethernet1/0/1] ntp-service broadcast-client

ntp-service broadcast-server

Syntax
ntp-service broadcast-server [ authentication-keyid keyid | version number ] *
undo ntp-service broadcast-server

View
Interface view

Parameter
authentication-keyid: Defines the ID authentication key.
keyid: Key ID number used to transmit message to broadcast clients, which is in the range of 1 to 4294967295.
version: Defines the NTP version number.
number: NTP version number in the range of 1 to 3.

Description
Using the ntp-service broadcast-server command, you can configure NTP broadcast server mode. Using the undo ntp-service broadcast-server command, you can remove the NTP broadcast server mode.
By default, no broadcast service is configured and the version number is 3.
This command is used to specify an interface on the local device to transmit NTP broadcast packets. The local device is run in broadcast-server mode, which acts as the broadcast server to transmit broadcast messages periodically to the broadcast clients.

Example
Enable Ethernet 1/0/0 to transmit NTP broadcast packets. No.4 key is used for encryption and NTP version number is set to 3.
[3Com] interface ethernet 1/0/0
[3Com-Ethernet1/0/0] ntp-service broadcast-server authentication-keyid 4 version 3

ntp-service max-dynamic-sessions

Syntax
ntp-service max-dynamic-sessions number
undo ntp-service max-dynamic-sessions

View
System view

Parameter
number: Number of sessions allowed to be established locally. It is in the range of 0 to (2^32-1).

Description
Using the ntp-service max-dynamic-sessions command, you can set the number of sessions allowed to be established locally. Using the undo ntp-service max-dynamic-sessions command, you can restore the default number of the sessions.
By default, 100 sessions are allowed to be established.

Example
Set the number of sessions that the local device allows to be established to 50.
[3Com] ntp-service max-dynamic-sessions 50

ntp-service multicast-client

Syntax
ntp-service multicast-client [ X.X.X.X ]
undo ntp-service multicast-client [ X.X.X.X ]

View
Interface view

Parameter
X.X.X.X: Multicast IP address, which is a Class D address.

Description
Using the ntp-service multicast-client command, you can configure the NTP multicast client mode. Using the undo ntp-service multicast-client command, you can remove the NTP multicast client mode.
By default, no multicast client service is configured and the X.X.X.X is 224.0.1.1.
This command is used to specify an interface on the local device to receive the NTP multicast packets. The local device is run in client mode. It first listens discreetly to the multicast packets from the server. When the first multicast packet is received, the local device enables a short client/server mode to exchange messages with the remote server in order to estimate network delay. Then it enters the client (multicast-client) mode to listen discreetly to the multicast packets and synchronize the local clock according to the coming multicast packets.

Example
Configure Ethernet 1/0/0 to receive NTP multicast packets. The multicast address corresponding to the multicast packets is 224.0.1.1.
[3Com] interface ethernet 1/0/0
[3Com-Ethernet1/0/0] ntp-service multicast-client 224.0.1.1

ntp-service multicast-server

Syntax
ntp-service multicast-server [ X.X.X.X ] [ authentication-keyid keyid | ttl ttl-number | version number ] *
undo ntp-service multicast-server [ X.X.X.X ]

View
Interface view

Parameter
X.X.X.X: Multicast IP address, which is a Class D address. The default address is 224.0.1.1.
authentication-keyid: Defines the ID authentication key.
keyid: ID number used when transmitting messages to the multicast clients in the range of 1 to 4294967295.
ttl: Defines the life span of the multicast packet.
ttl-number: Life span of the multicast packet in the range of 1 to 255.
version: Defines the NTP version number.
number: NTP version number in the range of 1 to 3.

Description
Using the ntp-service multicast-server command, you can configure the NTP multicast server mode. Using the undo ntp-service multicast-server command, you can remove the NTP multicast server mode.
By default, no multicast service is configured, the IP address is 224.0.1.1 and the version number is 3.
This command is used to specify an interface on the local device to transmit NTP multicast packets. The local device is run in server (multicast-server) mode, which acts as the multicast server to transmit multicast messages periodically to the multicast clients.

Example
Configure Ethernet 1/0/0 to transmit NTP multicast messages. The multicast address is 224.0.1.1, encrypted by No.4 key. The NTP version number is set to 3.
[3Com] interface ethernet 1/0/0
[3Com-Ethernet1/0/0] ntp-service multicast-server 224.0.1.1 authentication-keyid 4 version 3

ntp-service refclock-master

Syntax
ntp-service refclock-master [ X.X.X.X ] [ layers-number ]
undo ntp-service refclock-master [ X.X.X.X ]

View
System view

Parameter
X.X.X.X: IP address of the reference clock 127.127.t.u.
layers-number: Specifies the stratum of the local clock, which is in the range of 1 to 15.

Description
Using the ntp-service refclock-master command, you can set the external reference clock or the local clock to be the NTP master clock. Using the undo ntp-service refclock-master command, you can remove the setting of the NTP master clock.
By default, the X.X.X.X is not specified and the stratum is 1.
Setting the external reference clock or the local clock to be the NTP master clock provides other devices with synchronous time. The X.X.X.X is the IP address 127.127.t.u of the reference clock. When no IP address is specified, the local clock is the NTP master clock by default. This command can be used to specify the stratum of the NTP master clock.

Example
Set the local device to be the NTP master clock to provide synchronous time for other peers. The stratum is set to 3.
[3Com] ntp-service refclock-master 3

ntp-service reliable authentication-keyid

Syntax
ntp-service reliable authentication-keyid number
undo ntp-service reliable authentication-keyid number

View
System view

Parameter
number: Key number in the range of 1 to 4294967295.

Description
Using the ntp-service reliable authentication-keyid command, you can specify the key to be reliable. Using the undo ntp-service reliable authentication-keyid command, you can remove the specified reliable key.
By default, no reliable authentication key is set.
If ID authentication is enabled, this command is used to specify that one or more keys are reliable. That is, the client can synchronize only to a server that provides a reliable key; it cannot synchronize to a server whose key is not reliable.

Example
Enable NTP ID authentication in MD5 encryption method. The key ID number is 37 and the key is BetterKey. The key is specified to be reliable.
[3Com] ntp-service authentication enable
[3Com] ntp-service authentication-keyid 37 authentication-mode md5 BetterKey
[3Com] ntp-service reliable authentication-keyid 37
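
The ntp-service authentication enable, authentication-keyid and reliable authentication-keyid commands together decide whether a received NTP packet is accepted. The following added example (not code from the 3Com manual or firmware) models that decision, assuming the router uses the standard NTP symmetric-key MD5 scheme in which a 4-byte key ID and MD5(key || NTP header) are appended to the 48-byte header. Key IDs 10 and 37 and the key BetterKey come from the manual's examples; the packet contents are constructed.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed-size NTP header
MAC_LEN = 4 + 16      # 4-byte key ID + 16-byte MD5 digest


def build_header(version=3, mode=4, stratum=3, transmit_ts=0):
    """Pack a minimal 48-byte NTP header (constructed sample values)."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack(
        "!BBbbII4sQQQQ",
        li_vn_mode, stratum, 6, -18,   # LI/VN/mode, stratum, poll, precision
        0, 0, b"\x00" * 4,             # root delay, root dispersion, refid
        0, 0, 0, transmit_ts,          # reference, originate, receive, transmit
    )


def md5_mac(key, header):
    """Assumed scheme: digest = MD5(key || header)."""
    return hashlib.md5(key + header).digest()


def sign(header, key_id, key):
    """Append the authenticator (key ID + digest) to the header."""
    return header + struct.pack("!I", key_id) + md5_mac(key, header)


def verify(packet, keys, reliable_ids):
    """Model a client with authentication enabled. Returns (accepted, reason)."""
    if len(packet) == NTP_HEADER_LEN:
        return False, "no authenticator"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "bad length"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id not in keys:
        return False, "unknown key id"
    if key_id not in reliable_ids:
        # Configured with authentication-keyid but never marked reliable.
        return False, "key not reliable"
    # Constant-time comparison of the recomputed and received digests.
    if not hmac.compare_digest(md5_mac(keys[key_id], header), mac[4:]):
        return False, "digest mismatch"
    return True, "ok"


# Client state mirroring the manual's examples: keys 10 and 37 are configured,
# only key 37 has been marked reliable.
KEYS = {10: b"BetterKey", 37: b"BetterKey"}
RELIABLE = {37}


def demo():
    """Run the five cases a client can meet and return each verdict."""
    header = build_header(transmit_ts=0xE000000000000000)
    good = sign(header, 37, KEYS[37])
    tampered = bytearray(good)
    tampered[47] ^= 0x01               # flip one bit of the transmit timestamp
    return {
        "good": verify(good, KEYS, RELIABLE),
        "tampered": verify(bytes(tampered), KEYS, RELIABLE),
        "wrong_key": verify(sign(header, 37, b"WrongKey"), KEYS, RELIABLE),
        "unreliable_key": verify(sign(header, 10, KEYS[10]), KEYS, RELIABLE),
        "unsigned": verify(header, KEYS, RELIABLE),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15s} {verdict}")
```

The key authenticates packets and detects modification; it does not encrypt them, so the NTP fields remain readable on the wire.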

ntp-service source-interface

Syntax
ntp-service source-interface { interface-type interface-number }
undo ntp-service source-interface

View
System view

Parameter
interface-type: Interface type, which determines an interface along with the interface-number.
interface-number: Interface number, which determines an interface along with the interface-type.

Description
Using the ntp-service source-interface command, you can specify the interface for the local end to transmit NTP messages. Using the undo ntp-service source-interface command, you can delete the interface for the local end to transmit NTP messages.
The source IP address is determined by the output interface.
The source IP address is the specified one when specifying the local to transmit all the NTP messages. The IP address is obtained from the specified interface. If the user does not want the IP addresses on other interfaces to become the destination address responding to the messages, this command can be used to specify one interface to send all the NTP packets.

Example
Specify the source IP address of all the NTP output packets to use the IP address on the interface Ethernet 1/0/0.
[3Com] ntp-service source-interface ethernet 1/0/0

ntp-service unicast-peer

Syntax
ntp-service unicast-peer X.X.X.X [ version number | authentication-keyid keyid | source-interface { interface-type interface-number } | priority ] *
undo ntp-service unicast-peer X.X.X.X

View
System view

Parameter
X.X.X.X: IP address of the remote server.
version: Defines the NTP version number.
number: NTP version number in the range of 1 to 3.
authentication-keyid: Defines ID authentication key.
keyid: Key ID number in the range of 1 to 4294967295, which is used when transmitting messages to the remote server.
source-interface: Specifies the interface name.
interface-type: Interface type, which determines an interface along with the interface-number.
interface-number: Interface number, which determines an interface along with the interface-type. The source IP address for the NTP packets sent from the local end to the peer is obtained from this interface.
priority: Specifies the server as the preferred one.

Description
Using the ntp-service unicast-peer command, you can configure the NTP peer mode. Using the undo ntp-service unicast-peer command, you can remove the NTP peer mode.
By default, the version number is 3, ID authentication is not supported and the server is not the preferred one.
This command is used to set the remote server specified by the X.X.X.X as the peer of the local device. The local device is run in symmetric active mode. The X.X.X.X is a host address and cannot be the address of the broadcast, multicast, or reference clock. In this configuration, the local device can be synchronized to the remote server and the remote server can also be synchronized to the local server.

Example
Configure the peer 128.108.22.44 to provide synchronous time for the local device; the local device can also provide synchronous time for the peer. The version number is 3. The source IP address of the NTP packets is obtained from Ethernet 1/0/0.
[3Com] ntp-service unicast-peer 128.108.22.44 version 3 source-interface ethernet 1/0/0

ntp-service unicast-server

Syntax
ntp-service unicast-server X.X.X.X [ version number | authentication-keyid keyid | source-interface { interface-type interface-number } | priority ] *
undo ntp-service unicast-server X.X.X.X

View
System view

Parameter
X.X.X.X: IP address of the remote server.
version: Defines the NTP version number.
number: NTP version number in the range of 1 to 3.
authentication-keyid: Defines ID authentication key.
keyid: Key ID number in the range of 1 to 4294967295, which is used when transmitting messages to the remote server.
source-interface: Specifies the interface name.
interface-type: Interface type, which determines an interface along with the interface-number.
interface-number: Interface number, which determines an interface along with the interface-type. The source IP address for the NTP packets sent from the local end to the server is obtained from this interface.
priority: Specifies the server as the preferred one.

Description
Using the ntp-service unicast-server command, you can configure the NTP server mode. Using the undo ntp-service unicast-server command, you can remove the NTP server mode.
By default, the version number is 3, ID authentication is enabled and the server is not the preferred one.
This command is used to set the remote server specified by the X.X.X.X as the local time server. The X.X.X.X is a host address and cannot be the IP address of the broadcast, multicast or reference clock. In this configuration, the local client device can be synchronized to the remote server and the remote server cannot be synchronized to the local client device.

Example
Configure the local device to be provided with the synchronous time by the server 128.108.22.44. The version number is 3.
[3Com] ntp-service unicast-server 128.108.22.44 version 3

SNMP Configuration Commands

debugging snmp-agent

Syntax
debugging snmp-agent { header | packet | process | trap }
undo debugging snmp-agent { header | packet | process | trap }

View
User view

Parameter
header: Enables the debugging of packet information header.
packet: Enables the packet debugging.
process: Enables the process debugging of SNMP packets.
trap: Enables the debugging of Trap packets.

Description
Using the debugging snmp-agent command, you can enable the SNMP Agent debugging and specify the debugging information of SNMP module. Using the undo debugging snmp-agent command, you can remove the current settings.
By default, the SNMP Agent debugging is disabled.

Example
Enable the debugging of SNMP Agent packet information header.
<3Com> debugging snmp-agent header

display snmp-agent

Syntax
display snmp-agent { local-engineid | remote-engineid }

View
Any view

Parameter
None

Description
Using the display snmp-agent command, you can display the SNMP engine ID of local or remote device.
The SNMP engine ID is the unique identifier used in SNMP management; it uniquely identifies an SNMP entity in one management domain. The SNMP engine is an important component of the SNMP entity, completing the functions of SNMP messages such as message dispatching, message processing, security authentication and access control.

Example
Display the engine ID of the local device.
<3Com> display snmp-agent local-engineid
SNMP local EngineID: 000007DB7F0000013859

In the above information, SNMP local EngineID indicates the ID of the local SNMP engine.

display snmp-agent community

Syntax
display snmp-agent community [ read | write ]

View
Any view

Parameter
read: Displays the community name information with the read-only authority.
write: Displays the community name information with the authority of read and write.

Description
Using the display snmp-agent community command, you can display the currently configured community name of SNMPv1 or SNMPv2.

Example
Display the currently configured community name.
<3Com> display snmp-agent community
Community name:8040zlz
Group name:8040zlz
Storage-type: nonVolatile
Community name:8040core
Group name:8040core
Storage-type: nonVolatile

display snmp-agent group

Syntax
display snmp-agent group [ group-name ]

View
Any view

Parameter
group-name: Specifies the group name of the SNMP information to be displayed, ranging from 1 to 32 bytes.

Description
Using the display snmp-agent group command, you can display the group information based on USM.
Without parameters, the command displays the group information corresponding to all the specified group names, including group name, security mode, storage types on the router etc.

Example
Display the SNMP group name and security mode.
<3Com> display snmp-agent group
Group name: v3r2
Security model: v3 noAuthnoPriv
Readview: ViewDefault
Writeview: <no specified>
Notifyview :<no specified>
Storage-type: nonVolatile

The corresponding fields displayed above are described in the following table:
Table 4 Description of display snmp-agent group fields
Content       Description
Groupname     Name of SNMP group corresponding to the user
Readview      Name of read-only MIB view corresponding to the group
Writeview     Name of writable MIB view corresponding to the group
Notifyview    Name of notifying MIB view corresponding to the group
Storage-type  Type of storage

display snmp-agent mib-view

Syntax
display snmp-agent mib-view [ exclude | include | viewname view-name ]

View
Any view

Parameter
exclude: Specifies to exclude the SNMP MIB view attributes displayed and set.
include: Specifies to include the SNMP MIB view attributes displayed and set.
viewname: Specifies the view name to be displayed.

Description
Using the display snmp-agent mib-view command, you can display the currently configured MIB view.

Example
Display the currently configured MIB view.
<3Com> display snmp-agent mib-view
View name:ViewDefault
MIB Subtree:internet
Subtree mask:
Storage-type: nonVolatile
View Type:included
View status:active

View name:ViewDefault
MIB Subtree:snmpUsmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active

View name:ViewDefault
MIB Subtree:snmpVacmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active

View name:ViewDefault
MIB Subtree:snmpModules.18
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active

The following table describes the parameters displayed above.
Table 5 Description of display snmp-agent mib-view fields
Content                      Description
View name                    View name
MIB Subtree                  MIB subtree
Storage-type                 Storage type
ViewType: Included/excluded  Indicate whether to enable or disable the access to a MIB object
Active                       Indicate the state of lines in the list

CAUTION: When the SNMP Agent is disabled, "Snmp Agent disabled" will be displayed for all the above display commands.

display snmp-agent statistics

Syntax
display snmp-agent statistics

View
Any view

Parameter
None

Description
Using the display snmp-agent statistics command, you can display the state and statistics of SNMP.

Example
Check the statistics of SNMP communication.
<3Com> display snmp-agent statistics
0 Messages delivered to the SNMP entity
0 Messages which were for an unsupported version
0 Messages which used a SNMP community name not known
0 Messages which represented an illegal operation for the community supplied
0 ASN.1 or BER errors in the process of decoding
0 Messages passed from the SNMP entity
0 SNMP PDUs which had badValue error-status
0 SNMP PDUs which had genErr error-status
0 SNMP PDUs which had noSuchName error-status
0 SNMP PDUs which had tooBig error-status (Maximum packet size 500)
0 MIB objects retrieved successfully
0 MIB objects altered successfully
0 GetRequest-PDU accepted and processed
0 GetNextRequest-PDU accepted and processed
0 GetBulkRequest-PDU accepted and processed
0 GetResponse-PDU accepted and processed
0 SetRequest-PDU accepted and processed
0 Trap PDUs accepted and processed

The following table describes the fields displayed above:
Table 6 Description of display snmp-agent statistics fields
Content                                                                     Description
Messages delivered to the SNMP entity                                       Total number of input SNMP packets
Messages which were for an unsupported version                              Number of packets with version errors
Messages which used an unknown community name                               Number of packets with community name errors
Messages which represented an illegal operation for the community supplied  Number of packets with authority errors corresponding to community name
ASN.1 or BER errors in the process of decoding                              Number of SNMP packets with encoding errors
MIB objects retrieved successfully                                          Number of variables requested by NMS
MIB objects altered successfully                                            Number of variables set by NMS
Get-request PDUs accepted and processed                                     Number of get-request packets accepted and processed (PDU: Protocol Data Unit)
Get-next PDUs accepted and processed                                        Number of received packets that get next requests
Set-request PDUs accepted and processed                                     Number of received packets that set requests
Messages passed from the SNMP entity                                        Total number of output SNMP packets
SNMP PDUs which had a tooBig error (Maximum packet size 1500)               Number of SNMP packets with Too_big errors. Maximum SNMP packet size is 1500.
SNMP PDUs which had a noSuchName error                                      Number of packets with requests of non-existing MIB object
SNMP PDUs which had a badValue error                                        Number of SNMP packets with Bad_values errors
SNMP PDUs which had a general error                                         Number of SNMP packets with General_errors
Response PDUs accepted and processed                                        Number of response packets accepted and processed
Trap PDUs accepted and processed                                            Number of Trap packets accepted and processed

display snmp-agent sys-info

Syntax
display snmp-agent sys-info [ contact | location | version ]*

View
Any view

Parameter
contact: Displays the contact information of the local device.
location: Displays the physical location information of the local device.
version: Displays the SNMP version running in the local agent.

Description
Using the display snmp-agent sys-info command, you can display the system information of the local SNMP device.

Example
Display the system information.
<3Com> display snmp-agent sys-info

display snmp-agent usm-user

Syntax
display snmp-agent usm-user [ engineid engineid | username user-name | group group-name ] *

View
Any view

Parameter
engineid: Displays the SNMPv3 user information of the specified engine ID.
engineid-string: Character string of the engine ID.
username: Displays the information of the specified SNMPv3 user.
user-name: User name, in the range of 1 to 32 bytes.
group: Displays the user information belonging to the related SNMP group.
group-name: Group name, in the range of 1 to 32 bytes.

Description
Using the display snmp-agent usm-user command, you can display the information about SNMP users.
An SNMP user is the remote user who executes SNMP management operation. The snmp-agent usm-user command is used to specify the SNMP user.

Example
Display the information about all the current users.
<3Com> display snmp-agent usm-user
User name: authuser
Engine ID: 8000007DB20000000C025808 active

The following table describes the corresponding fields displayed above.
Table 7 Description of display snmp-agent usm-user fields
Content    Description
authuser   Modify display information
User name  Character string used to identify the SNMP user
Engine ID  Character string used to identify the SNMP device
Active     Indicate the state of SNMP USER

snmp-agent

Syntax
snmp-agent
undo snmp-agent

View
System view

Parameter
None

Description
Using the snmp-agent command, you can enable the SNMP Agent and specify the SNMP configuration information. Using the undo snmp-agent command, you can disable SNMP Agent.
By default, the SNMP Agent is disabled.
The snmp-agent command can be used to enable SNMP Agent, and any configuration command of snmp-agent can also enable SNMP Agent. However, the undo form of such a command does not enable SNMP Agent, and configuring the undo form has no effect when the SNMP Agent is not enabled.
The undo snmp-agent command is used to disable the SNMP Agent on the condition that SNMP Agent has been enabled.

Example
Disable the running SNMP Agent.
[3Com] undo snmp-agent
SNMP Agent disabled

snmp-agent community

Syntax
snmp-agent community { read | write } community-name [ [ mib-view view-name ] | [ acl acl-number ] ]*
undo snmp-agent community community-name

View
System view

Parameter
read: Indicates that the community name has the read-only authority in the specified view.
write: Indicates that the community name has the read and write authority in the specified view.
community-name: Character string of community name.
mib-view: MIB view available for the specified community name.
view-name: Name of MIB view.
acl: Sets the ACL corresponding to the community name.
acl-number: Number of the ACL, range 1 to 99.

Description
Using the snmp-agent community command, you can set the community access name of SNMPV1 and SNMPV2C and MIB views and ACLs available for the community name. Using the undo snmp-agent community command, you can remove the setting.
For the related command, see snmp-agent group, snmp-agent usm-user.

Example
Set the community name to comaccess and allow read-only access with this community name.
[3Com] snmp-agent community read comaccess

Set the community name to mgr and enable reading and writing access.
[3Com] snmp-agent community write mgr

Delete the community name comaccess.
[3Com] undo snmp-agent community comaccess

snmp-agent group

Syntax
snmp-agent group { v1 | v2c } group-name { [ read read-view ] | [ write write-view ] | [ notify notify-view ] } [ acl acl-number ]
undo snmp-agent group { v1 | v2c } group-name
snmp-agent group v3 group-name [ authentication | privacy ] { [ read read-view ] | [ write write-view ] | [ notify notify-view ] } [ acl acl-number ]
undo snmp-agent group v3 group-name [ authentication | privacy ]

View
System view

Parameter
v1: V1 security mode the user uses.
v2c: V2C security mode the user uses.
v3: V3 security mode the user uses.
group-name: Group name, in the range of 1 to 32 bytes.
authentication: Performs authentication of the packet without encryption.
privacy: Performs authentication and encryption of the packet.
read: Enables the setting of read-only view.
read-view: Name of the read-only view, in the range of 1 to 32 bytes.
write: Enables the setting of reading and writing view.
write-view: Name of the reading and writing view, in the range of 1 to 32 bytes.
notify: Enables the setting of notify view.
notify-view: Name of the notify view, in the range of 1 to 32 bytes.
acl: Sets the list of access view.
acl-number: Standard access list, in the range of 1 to 99.

Description
Using the snmp-agent group command, you can configure a new SNMP group, i.e., map the SNMP user to the SNMP view. Using the undo snmp-agent group command, you can delete a specified SNMP group.
By default, the snmp-agent group v3 group-name command uses neither authentication nor encryption.
For the related command, see snmp-agent mib-view, snmp-agent usm-user.

Example
Create an SNMPv3 group known as Johngroup.
[3Com] snmp-agent group v3 Johngroup
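
A v3 group created without the authentication or privacy keyword uses neither, and both communities and groups can be created without an ACL, so a saved configuration is worth checking line by line. The following added example (not from the 3Com manual) audits snmp-agent community and snmp-agent group lines written in the syntax shown above; the sample configuration, the finding codes and the severity labels are constructed for illustration.

```python
# Constructed sample configuration. comaccess, mgr and Johngroup come from the
# manual's examples; the other names, the view mib2 and ACL 10 are made up.
SAMPLE_CONFIG = """\
[3Com] snmp-agent community read comaccess
[3Com] snmp-agent community write mgr
[3Com] snmp-agent community read monitor mib-view mib2 acl 10
[3Com] snmp-agent group v3 Johngroup
[3Com] snmp-agent group v3 authgroup authentication read mib2 acl 10
[3Com] snmp-agent group v3 opsgroup privacy read mib2 acl 10
[3Com] snmp-agent group v2c legacy read mib2
"""

# Keywords that are followed by a value in the documented syntax.
VALUE_KEYWORDS = {"mib-view", "acl", "read", "write", "notify"}


def split_options(tokens):
    """Split trailing tokens into {keyword: value} pairs and bare flags."""
    options, flags, i = {}, set(), 0
    while i < len(tokens):
        if tokens[i] in VALUE_KEYWORDS and i + 1 < len(tokens):
            options[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            flags.add(tokens[i])
            i += 1
    return options, flags


def audit(config):
    """Return a list of (line_number, severity, code, message) findings."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        tokens = raw.split()
        if tokens and tokens[0].startswith("["):   # drop a "[3Com]" prompt
            tokens = tokens[1:]
        # "undo ..." lines remove settings; they do not start with snmp-agent.
        if len(tokens) < 4 or tokens[0] != "snmp-agent":
            continue
        kind, name = tokens[1], tokens[3]
        options, flags = split_options(tokens[4:])

        if kind == "community" and tokens[2] in ("read", "write"):
            access = tokens[2]
            if "acl" not in options:
                severity = "high" if access == "write" else "medium"
                findings.append((lineno, severity, "community-no-acl",
                                 f"{access} community '{name}' has no ACL "
                                 "restricting source addresses"))
            if access == "write" and "mib-view" not in options:
                findings.append((lineno, "medium", "write-no-view",
                                 f"write community '{name}' is not limited "
                                 "to a named MIB view"))

        elif kind == "group" and tokens[2] in ("v1", "v2c", "v3"):
            version = tokens[2]
            if version != "v3":
                findings.append((lineno, "medium", "community-model",
                                 f"group '{name}' uses {version}, which has no "
                                 "per-user authentication or encryption"))
            elif "privacy" in flags:
                pass                               # authenticated and encrypted
            elif "authentication" in flags:
                findings.append((lineno, "low", "v3-no-privacy",
                                 f"v3 group '{name}' is authenticated but "
                                 "not encrypted"))
            else:
                findings.append((lineno, "high", "v3-noauth",
                                 f"v3 group '{name}' uses the default: no "
                                 "authentication, no encryption"))
            if "acl" not in options:
                findings.append((lineno, "medium", "group-no-acl",
                                 f"group '{name}' has no ACL"))
    return findings


if __name__ == "__main__":
    for lineno, severity, code, message in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: [{severity}] {code}: {message}")
```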

snmp-agent local-engineid

Syntax
snmp-agent local-engineid engineid
undo snmp-agent local-engineid

View
System view

Parameter
engineid: Character string of engine ID. It must be a hexadecimal number with the length of 5 to 32.

Description
Using the snmp-agent local-engineid command, you can configure an ID for the local SNMP engine on the router. Using the undo snmp-agent local-engineid command, you can remove the current settings.
By default, the engine ID is "enterprise number + equipment information" of the company. Each device determines the equipment information. It can be either the IP address, MAC address or the device defined hexadecimal number string.
For the related command, see snmp-agent usm-user.

Example
Configure the engine ID of the local device as 12345.
[3Com] snmp-agent local-engineid 12345

snmp-agent mib-view

Syntax
snmp-agent mib-view { included | excluded } view-name oid-tree
undo snmp-agent mib-view view-name

View
System view

Parameter
view-name: Name of the view.
oid-tree: OID of the MIB subtree, given either as the character string of the variable OID or as the character string of the variable name, for example 1.4.5.3.1 or system. "*" can be used as a wildcard, for example 1.4.5.*.*.1.
included: Includes the MIB subtree.
excluded: Excludes the MIB subtree.

Description
Using the snmp-agent mib-view command, you can create or update the information about a view. Using the undo snmp-agent mib-view command, you can delete the view information.
By default, the view name is ViewDefault and the OID is 1.3.6.1.
Currently, this command accepts either the character string of the variable OID or the node name as a parameter.
For the related command, see snmp-agent group.

Example
Create a view that includes all MIB-II objects.
[3Com] snmp-agent mib-view included mib2 1.3.6.1

snmp-agent packet max-size

Syntax
snmp-agent packet max-size byte-count
undo snmp-agent packet max-size

View
System view

Parameter
byte-count: The maximum length of the SNMP packets that Agent can receive/send, in the range of 484 to 17940 bytes. The default value is 1500 bytes.

Description
Using the snmp-agent packet max-size command, you can set the maximum length of the SNMP message packets that Agent can receive/forward. Using the undo snmp-agent packet max-size command, you can remove the current setting.

Example
Set the maximum length of the SNMP packet that Agent can receive/forward to 1042 bytes.
[3Com] snmp-agent packet max-size 1042

snmp-agent sys-info

Syntax
snmp-agent sys-info { contact sysContact | location sysLocation | version { { v1 | v2c | v3 } * | all } }
undo snmp-agent sys-info { contact | location | version { { v1 | v2c | v3 } * | all } }

View
System view

Parameter
contact: Sets the system maintenance contact information.
sysContact: Character string describing the system maintenance contact information.
location: Sets the physical location of the device.
sysLocation: Device location information.
version: Sets the SNMP version number used by the system.
v1: SNMP V1.
v2c: SNMP V2C.
v3: SNMP V3.
*: Indicates selecting one to three items from the three options of v1, v2c and v3.
all: SNMP V1, SNMP V2C and SNMP V3.

Description
Using the snmp-agent sys-info command, you can set the system information, including the system maintenance information, physical location information of the device and the SNMP version number used. Using the undo snmp-agent sys-info command, you can remove the current setting.
By default, the system contact information is "R&D Beijing,3Com Technologies Co.,Ltd.", the system location character string is "Beijing China" and the version is SNMPv3.
For the related command, see display snmp-agent sys-info.

Example
Set the system maintenance information as call Operator at 010-82882488.
[3Com] snmp-agent sys-info contact call Operator at 010-82882488

snmp-agent target-host

Syntax
snmp-agent target-host trap address udp-domain X.X.X.X [ udp-port port-number ] params securityname security-string [ v1 | v2c | v3 { authentication | privacy } ]
undo snmp-agent target-host X.X.X.X securityname security-string

View
System view

Parameter
trap: Specifies the host as the trap host.
address: Specifies the address of the destination host to which the SNMP message is transmitted.
udp-domain: Specifies that the transmission domain of the destination host is based on UDP.
X.X.X.X: IP address of the host.
udp-port: Specifies the port.
port-number: Specifies the port number that receives the trap packet.
params: Specifies the information of the logging host that generates SNMP messages.
securityname: Specifies the community name of SNMPv1 or SNMPv2c, or the username of SNMPv3.
security-string: Community name of SNMPv1 or SNMPv2c, or the username of SNMPv3, in the range of 1 to 32 bytes.
v1: SNMPv1.
v2c: SNMPv2c.
v3: SNMPv3.
authentication: Performs authentication of the packet without encryption.
privacy: Performs both authentication and encryption of the packet.

Description
Using the snmp-agent target-host command, you can set the destination that receives the SNMP notification. Using the undo snmp-agent target-host command, you can remove the host that receives the SNMP notification.


The snmp-agent target-host command should be used together with the snmp-agent trap enable command, which enables the sending of Trap packets. For a host to receive notify messages, at least one snmp-agent target-host command and one snmp-agent trap enable command must be configured.



For the related command, see snmp-agent trap enable, snmp-agent trap source, snmp-agent trap life.

Example
Enable the sending of SNMP Trap packets to 10.1.1.1, using the community name of comaccess.
[3Com] snmp-agent trap enable snmp
[3Com] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname comaccess

Send SNMP Trap packets to 10.1.1.1, using the community name of public.
[3Com] snmp-agent trap enable standard
[3Com] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public

snmp-agent trap enable

Syntax
snmp-agent trap enable [ trap-type [ trap-list ] ]
undo snmp-agent trap enable [ trap-type [ trap-list ] ]

View
System view

Parameter
trap-type: Enables the trap packet of this type.
trap-list: The parameter list corresponding to the trap packets of trap-type.

Description
Using the snmp-agent trap enable command, you can enable the device to send Trap packets and set the trap or notification parameters. Using the undo snmp-agent trap enable command, you can remove the current setting.
By default, sending Trap packets is enabled.
When used without parameters, the snmp-agent trap enable command allows all types of SNMP Trap packets of all the modules to be sent.
The snmp-agent trap enable command should be used together with the snmp-agent target-host command, which specifies the hosts to which the Trap information will be sent. To send Trap information, the user should configure at least one snmp-agent target-host command.
The module trap-type forwarding the Trap packets can be snmp, bgp and vrrp (VRRP Trap packets). Types of packets that SNMP modules can send include authentication, coldstart, linkdown, linkup and warmstart.
For the related command, see snmp-agent target-host, snmp-agent trap-source, snmp-agent trap-timeout.

Example
Allow Trap packets for failed SNMP authentication to be sent to 10.1.1.1. The trap packets are in the form of V2C with the community name of public.
[3Com] snmp-agent trap enable snmp authentication
[3Com] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public v2c

Enable the sending of all types of BGP Trap packets to 10.1.1.1. The trap packets are in the form of V3 with the community name of super. The packets are authenticated but not encrypted.
[3Com] snmp-agent trap enable bgp
[3Com] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname super v3 authentication

snmp-agent trap life

Syntax
snmp-agent trap life seconds
undo snmp-agent trap life

View
System view

Parameter
seconds: Timeout in seconds, ranging from 1 to 2592000, with a default value of 120 seconds.

Description
Using the snmp-agent trap life command, you can set the lifetime of Trap packets; Trap packets that exceed this time are dropped. Using the undo snmp-agent trap life command, you can remove the current setting.
If the lifetime configured for Trap packets is seconds, Trap packets older than that are discarded without being sent or kept.
For the related command, see snmp-agent trap enable, snmp-agent target-host.

Example
Set the timeout of the Trap packet to 60 seconds.
[3Com] snmp-agent trap life 60

snmp-agent trap queue-size

Syntax
snmp-agent trap queue-size size
undo snmp-agent trap queue-size

View
System view

Parameter
size: Length of the message queue, ranging from 1 to 1000.

Description
Using the snmp-agent trap queue-size command, you can set the length of the message queue of the Trap packets sent to the destination host. Using the undo snmp-agent trap queue-size command, you can cancel the setting.
By default, the length is 100.
For the related command, see snmp-agent trap enable, snmp-agent target-host, snmp-agent trap life.

Example
Set the length of the message queue of the host forwarding the Trap packet to 200.
[3Com] snmp-agent trap queue-size 200

snmp-agent trap source

Syntax
snmp-agent trap source interface-type interface-number [ subinterface-type ]
undo snmp-agent trap source

View
System view

Parameter
interface-type: Interface type.
interface-number: Interface number.
subinterface-type: Subinterface type.

Description
Using the snmp-agent trap source command, you can specify the source address from which Trap will be sent. Using the undo snmp-agent trap source command, you can remove the Trap source address.
There is always a Trap address when the SNMP Trap message is being sent from a server, no matter from which interface it is sent. This command can be used to trace a special event.
For the related command, see snmp-agent trap enable, snmp-agent target-host.

Example
Specify the IP address of the Ethernet interface 1/0/0 as the source address of the Trap packet.
[3Com] snmp-agent trap source ethernet 1/0/0

snmp-agent usm-user

Syntax
snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
undo snmp-agent usm-user { v1 | v2c } user-name group-name
snmp-agent usm-user v3 user-name group-name [ [ authentication-mode { md5 | sha } auth-password ] [ privacy des56 priv-password ] ] [ acl acl-number ]
undo snmp-agent usm-user v3 user-name group-name { local | engineid engineid-string }

View
System view

Parameter
v1: V1 security mode the user uses.
v2c: V2C security mode the user uses.
v3: V3 security mode the user uses.
user-name: User name, in the range of 1 to 32 bytes.
group-name: Name of the group the user belongs to, in the range of 1 to 32 bytes.
authentication-mode: Specifies the security level as requiring authentication.
md5: Specifies the authentication protocol as HMAC-MD5-96.
sha: Specifies the authentication protocol as HMAC-SHA-96.
auth-password: Authentication password, which is a character string in the range of 1 to 64 bytes.
privacy: Specifies the security level as encrypted.
des56: Specifies the encryption protocol as DES.
priv-password: Encryption password, which is a character string in the range of 1 to 64 bytes.
acl: Specifies the access list.
acl-number: Standard access list, in the range of 1 to 99.
local: Indicates the local entity user.
engineid: Specifies the engine ID associated with the user.
engineid-string: Character string of engine ID.

Description
Using the snmp-agent usm-user command, you can add a new user to an SNMP group. Using the undo snmp-agent usm-user command, you can delete an SNMP group user.
When the user configures a remote user for a certain Agent, the engine ID is needed during authentication. If the engine ID changes after the user has been configured, the user corresponding to the original engine ID becomes invalid.
For SNMPV1 and SNMPV2C, this command adds a new community name. For SNMPV3, it adds a new user to an SNMP group.
For the related command, see snmp-agent group, snmp-agent community, snmp-agent local-engineid.

Example
Add a user named "John" to the SNMP group named "Johngroup", with the security level being "auth", the authentication protocol being HMAC-MD5-96 and the password being "hello".
[3Com] snmp-agent usm-user v3 John Johngroup authentication-mode md5 hello
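
The following audit script is an added example and is not part of the 3Com manual. It classifies snmp-agent group, usm-user and target-host lines by the security level that the authentication and privacy parameters above describe; the function names, the sample lines marked as constructed, and the position of the authentication/privacy keyword in the group command are assumptions.

```python
import re

# Constructed sample config. Lines 2, 4, 6 and 7 are this section's own examples;
# lines 1, 3 and 5 are built from the syntax above with placeholder secrets.
SAMPLE_CONFIG = """\
snmp-agent sys-info version all
[3Com] snmp-agent group v3 Johngroup
snmp-agent group v3 opsgroup privacy acl 10
[3Com] snmp-agent usm-user v3 John Johngroup authentication-mode md5 hello
snmp-agent usm-user v3 ops opsgroup authentication-mode sha AUTH-PLACEHOLDER privacy des56 PRIV-PLACEHOLDER acl 10
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public v2c
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname super v3 authentication
"""

PROMPT = re.compile(r"^[\[<][^\]>]*[\]>]\s*")  # leading "[3Com] " or "<3Com> "
NOTES = {
    "community": "community name is the only credential and is sent in clear text",
    "noAuthNoPriv": "SNMPv3 with neither authentication nor encryption",
    "authNoPriv": "SNMPv3 authenticated but not encrypted",
    "authPriv": None,
}


def tokens(line):
    """Strip a CLI prompt, if present, and split the command into words."""
    return PROMPT.sub("", line.strip()).split()


def v3_level(auth, priv):
    """Map the authentication/privacy keywords to the SNMPv3 level names."""
    return "authPriv" if priv else "authNoPriv" if auth else "noAuthNoPriv"


def trailing_acl(rest):
    """Return N from a trailing 'acl N', else None."""
    if len(rest) >= 2 and rest[-2] == "acl" and rest[-1].isdigit():
        return int(rest[-1])
    return None


def audit_line(line):
    """Classify one snmp-agent line; None if it configures no credential."""
    t = tokens(line)
    if len(t) < 4 or t[0] != "snmp-agent":
        return None
    cmd, acl = t[1], None
    if cmd == "group":
        # Assumed keyword position: group <version> <group-name> [authentication|privacy]
        version, name, rest = t[2], t[3], t[4:]
        kw = rest[0] if rest else ""
        level = v3_level(kw == "authentication", kw == "privacy")
        acl = trailing_acl(rest)
    elif cmd == "usm-user" and len(t) >= 5:
        version, name, rest = t[2], t[3], t[5:]
        auth = rest[:1] == ["authentication-mode"] and len(rest) >= 3
        # Only look for privacy after a complete authentication clause, so a
        # password that is literally "privacy" is not misread as the keyword.
        priv = auth and rest[3:5] == ["privacy", "des56"] and len(rest) >= 6
        level = v3_level(auth, priv)
        acl = trailing_acl(rest)
    elif cmd == "target-host" and "securityname" in t[:-1]:
        i = t.index("securityname")
        name, rest = t[i + 1], t[i + 2:]
        version = rest[0] if rest else None  # the section's first example omits it
        level = v3_level(rest[1:2] == ["authentication"], rest[1:2] == ["privacy"])
    else:
        return None
    if version != "v3":
        level = "community"
    notes = [NOTES[level]] if NOTES[level] else []
    if cmd != "target-host" and acl is None:
        notes.append("no acl-number limits who may use it")
    return {"cmd": cmd, "name": name, "level": level, "acl": acl, "notes": notes}


def legacy_versions(config):
    """Return the community-based versions enabled by sys-info version lines."""
    found = set()
    for line in config.splitlines():
        t = tokens(line)
        if t[:3] == ["snmp-agent", "sys-info", "version"]:
            found |= {"v1", "v2c"} if "all" in t[3:] else set(t[3:]) & {"v1", "v2c"}
    return sorted(found)


def audit(config):
    """Return one finding per credential-bearing line, in config order."""
    return [f for f in map(audit_line, config.splitlines()) if f]


if __name__ == "__main__":
    print("community-based versions enabled:", legacy_versions(SAMPLE_CONFIG) or "none")
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['cmd']:<12}{f['name']:<10}{f['level']:<13}" + "; ".join(f["notes"]))
```
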

Terminal Service Commands
Terminal Service of Telnet

debugging telnet

Syntax
debugging telnet
undo debugging telnet

View
User view

Parameter
None

Description
Using the debugging telnet command, you can enable the debugging for Telnet connection. Using the undo debugging telnet command, you can disable the debugging for Telnet connection.
By default, the debugging for Telnet connection is disabled.
For the related command, see telnet.

Example
<3Com> debugging telnet

display tcp status

Syntax
display tcp status

View
Any view

Parameter
None

Description
Using the display tcp status command, you can display all TCP connections currently established with the router.
Compared with display users, the display tcp status command can display more information about Telnet clients and servers. The information that this command can display includes the local address of the TCP connection, local port number, external address, external port number, and connection state.
For the related command, see telnet.

Example
<3Com> display tcp status
TCPCB     Local Address       Foreign Address   State
          129.102.100.142 23  129.102.001.092   ESTABLISHED
028ca414  0.0.0.0.23          0.0.0.0.0         LISTEN

The information shown above indicates that one TCP connection has been set up: the local IP address of the TCP connection is 129.102.100.142 with the local port number 23, and the remote IP address is 129.102.001.92. There is also a local server process listening on port 23.

telnet

Syntax
telnet [ vpn-instance vpn-instance-name ] host-ip-address [ service-port ]

View
User view

Parameter
vpn-instance vpn-instance-name: Sets the vpn-instance name of MPLS VPN.
host-ip-address: Hostname or IP address of the remote router, in dotted decimal format.
service-port: TCP port number on which the remote router provides Telnet service, in the range of 0 to 65535.

Description
Using the telnet command, you can log on to another device from the current router.
By default, if the service-port is not specified, the Telnet port number is 23.
By executing the telnet command, the user can conveniently log on to another device from a router to manage it remotely.
For the related command, see display tcp status.

Example
Log on to another router 3Com2 (the IP address is 129.102.0.1) from the current router 3Com1.
<3Com>telnet 129.102.0.1
Trying 129.102.0.1...
Service port is 23
Connected to 129.102.0.1
<3Com2>

SSH Configuration Commands
debugging rsa

Syntax
debugging rsa
undo debugging rsa

View
User view

Parameter
None

Description
Using the debugging rsa command, you can send detailed information about each process and packet structure of the RSA algorithm to the information center as debugging information, and debug a particular user interface separately. Using the undo debugging rsa command, you can disable the debugging.
By default, the debugging is disabled.
For the related command, see rsa local-key-pair create, rsa local-key-pair destroy.

Example
Enable the RSA debugging.
<3Com> debugging rsa

debugging ssh server

Syntax
debugging ssh server { VTY index | all }
undo debugging ssh server { VTY index | all }

View
User view

Parameter
index: Debugged SSH channel. By default, its value ranges from 0 to 4 and is limited by the VTY number.
all: All SSH channels.

Description
Using the debugging ssh server command, you can send information about the negotiation process defined by the SSH1.5 protocol to the information center as debugging information, and debug a particular user interface separately. Using the undo debugging ssh server command, you can disable the debugging.
By default, the debugging is disabled.
For the related command, see ssh server authentication-retries, ssh server rekey-interval, ssh server timeout.

Example
Print debugging information when running SSH.
[3Com] debugging ssh server vty 0
00:23:20: SSH0: starting SSH control process
00:23:20: SSH0: sent protocol version id SSH-1.5-3Com-1.25
00:23:20: SSH0: protocol version id is - SSH-1.5-1.2.26
00:23:20: SSH0: SSH_SMSG_PUBLIC_KEY msg
00:23:21: SSH0: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03
00:23:21: SSH: RSA decrypt started
00:23:21: SSH: RSA decrypt finished
00:23:21: SSH: RSA decrypt started
00:23:21: SSH: RSA decrypt finished

display rsa local-key-pair public

Syntax
display rsa local-key-pair public

View
Any view

Parameter
None

Description
Using the display rsa local-key-pair public command, you can display the public keys of the server's host key pair and server key pair. If no key is generated, the system will prompt that no key is found, e.g., RSA keys not found.
For the related command, see rsa local-key-pair create.

Example
<3Com> display rsa local-key-pair public
% Key pair was generated at: 12:26:33 UTC 2002/4/4
Key name: rtvrp_Host
Usage: Encryption Key
Key Data:
30470240 AF7DB1D0 DA78944F 53B7B59B 40D425D0 DC9C57D2 A60916C2 1F165807
08B84DDB 5F4DB8E7 A115B74E 2D41D96C AC61D276 AA027E41 DD48DE64 696E0934
EB872805 02030100 01
% Key pair was generated at: 12:26:45 UTC 2002/4/4
Key name: rtvrp_Server
Usage: Encryption Key
Key Data:
30670260 C05280D9 BA0D56C8 7BE43379 8634CDE7 83ABA9A2 3F36280E 25995487
4FF6AD7A 0E57871C 761E6D92 9914D8C5 CC577388 5B580B94 C2172C8F 36039EED
160A0478 651DED3A 9CCF1AAD D800AAF2 DF7FBEC4 A13ADA59 9E738319 AF366B8B
519D39F5 02030100 01

display rsa peer-public-key

Syntax
display rsa peer-public-key [ brief | name keyname ]

View
Any view

Parameter
brief: Displays brief information about all the remote public keys.
keyname: Specifies the name of the key to be displayed. It is a continuous character string, 0 < length < 64.

Description
Using the display rsa peer-public-key command, you can display the specified RSA public key. If no public key is specified, all public keys will be displayed.
For the related command, see rsa local-key-pair create.

Example
<3Com> display rsa peer-public-key
Address  Bits  Name
         1023  abcd
         1024  hq
         1024  wn1
         1024  hq_all
[3Com] display rsa peer-public-key name abcd
Key name:abcd
Key address:
Data:
30818602 8180739A 291ABDA7 04F5D93D C8FDF84C 42746319 91C164B0 DF178C55
FA833591 C7D47D53 81D09CE8 2913D7ED F9C08511 D83CA4ED 2B30B809 808EB0D1
F52D045D E40861B7 4A0E1355 23CCD74C AC61F8E5 8C452B2F 3F2DA0DC C48E3306
367FE187 BDD94401 8B3B69F3 CBB0A573 202C16BB 2FC1ACF3 EC8F828D 55A36F1C
DDC4BB45 504F0201 25

display ssh server

Syntax
display ssh server { status | session }

View
Any view

Parameter
status: Displays the SSH status information.
session: Displays SSH session information.

Description
Using the display ssh server command, you can display the SSH status or session.
For the related command, see ssh server authentication-retries, ssh server rekey-interval, ssh server timeout.

Example
Display SSH status and configuration parameters.
[3Com]display ssh server status
SSH version : 1.5
SSH connection timeout : 60 seconds
SSH server key generating interval : 1 hours
SSH Authentication retries : 3 times

Display the SSH sessions.
[3Com] display ssh server session
Connection  Version  Encryption  State            Username
VTY0        1.5      DES         Session started  3Com
VTY3        1.5      DES         Session started  router


peer-public-key end

Syntax
peer-public-key end

View
Public key view

Parameter
None

Description
Using the peer-public-key end command, you can return to the system view from the public key view.
For the related command, see rsa peer-public-key and public-key-code begin.

Example
Exit public view and save the configuration.
[3Com] rsa peer-public-key 3Com003
[3Com-rsa-public-key] peer-public-key end
[3Com]

display ssh user-information

Syntax
display ssh user-information [ username ]

View
Any view

Parameter
username: Valid SSH user name defined by AAA.

Description
Using the display ssh user-information command, you can display the information about the current SSH users, including user name, corresponding key name and user authentication mode. If you specify the username parameter, the information about the specified user will be displayed.
For the related command, see ssh user username assign rsa-key, ssh user username authentication-type.

Example
Display the user information.
[3Com] display ssh user-information
Username    user-public-key-name  authentication-type
Jin         jin                   rsa
hanqi1      816pub                password
1024        file3                 rsa
4000        hq_rsa                all
hanqi_rsa   hq_rsa                rsa
hanqi_all   hq_all                all

protocol inbound

Syntax
protocol inbound { all | ssh | telnet | pad }

View
User interface view of VTY type

Parameter
all: Supports all the protocols, including Telnet and SSH.
ssh: Supports only SSH, not Telnet.
telnet: Supports only Telnet, not SSH.
pad: Supports only the pad protocol.

Description
Using the protocol inbound command, you can specify the protocols supported by the current user interface.
By default, the system supports all the protocols, that is, Telnet and SSH.
When the command is used to specify the protocols supported by the current user interface and SSH is enabled, SSH is still unavailable if the RSA key of the local router is not configured. The configuration takes effect at the next login request.
If SSH is configured as the protocol supported by the current user interface, you should configure the corresponding authentication method as authentication-mode local or authentication-mode scheme default (using AAA) to ensure successful login. If the authentication method is configured as authentication-mode password or authentication-mode none, the configuration of protocol inbound ssh will fail.
For the related command, see user-interface vty.

Example
Disable the Telnet function of vty0 to vty4 and only support the SSH function.
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] protocol inbound ssh

Disable the Telnet function of vty0 and only support the SSH function.
[3Com] user-interface vty 0
[3Com-ui-vty0] protocol inbound ssh

public-key-code begin

Syntax
public-key-code begin

View
Public key view

Parameter
None

Description
Using the public-key-code begin command, you can enter the edit view of public key.
Before using this command, you must use the rsa peer-public-key command to specify one key name. After the public-key-code begin command is input, the system enters the edit view of public key and you can input the key data. When the key data is input, spaces are allowed between characters and you can press the Enter key to continue the input on a new line. The configured public key must be a hexadecimal character string coded according to the public key format. The public key is generated randomly by client software that supports SSH.
For the related command, see rsa peer-public-key, public-key-code end.

Example
Enter the edit view of public key and input the key.
[3Com] rsa peer-public-key 3Com003
[3Com-rsa-public-key] public-key-code begin
[3Com-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463
[3Com-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[3Com-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[3Com-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[3Com-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[3Com-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[3Com-key-code] public-key-code end

public-key-code end

Syntax
public-key-code end

View
Public key edit view

Parameter
None

Description
Using the public-key-code end command, you can return from the public key edit view to the public key view and save the public key configured by the user. In addition, to quit public key view to public key chain view.
After this command is executed, the editing of the public key ends. Before saving the public key, the system checks the validity of the key. If there are illegal characters in the public key character string configured by the user, the system displays a prompt that illegal characters were input, and the public key configured by the user is discarded, so the configuration fails. If the configured public key is valid, it is saved in the public key chain table of the client.
For the related command, see rsa peer-public-key, public-key-code begin.

Example
Quit and save the configuration.
[3Com-rsa-key-code] public-key-code end
[3Com-rsa-public-key]
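
The following checker is an added example and is not 3Com code. It mirrors the input rules described for public-key-code begin and the validity check described for public-key-code end, then reports the RSA modulus length. It assumes the key data is an ASN.1 SEQUENCE of two INTEGERs (modulus, exponent), which is how the sample key data in this section decodes; all function names are hypothetical.

```python
# Key data copied from this section's examples: the peer key entered in
# public-key-code view, and the rtvrp_Host key shown by display rsa local-key-pair public.
PEER_KEY = """\
308186028180739A291ABDA704F5D93DC8FDF84C427463
1991C164B0DF178C55FA833591C7D47D5381D09CE82913
D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
"""
HOST_KEY = """\
30470240 AF7DB1D0 DA78944F 53B7B59B 40D425D0 DC9C57D2 A60916C2 1F165807
08B84DDB 5F4DB8E7 A115B74E 2D41D96C AC61D276 AA027E41 DD48DE64 696E0934
EB872805 02030100 01
"""
# Constructed invalid inputs: one illegal character, and a key cut short.
BAD_CHARS = PEER_KEY.replace("739A", "73GA", 1)
TRUNCATED = "\n".join(PEER_KEY.splitlines()[:3])

HEX_DIGITS = set("0123456789abcdefABCDEF")


class KeyFormatError(ValueError):
    """Raised when the entered key data cannot be decoded."""


def hex_to_bytes(text):
    """Join the entered lines, ignoring spaces and line breaks, and decode the hex."""
    compact = "".join(text.split())
    illegal = sorted(set(compact) - HEX_DIGITS)
    if illegal:
        raise KeyFormatError("illegal characters: " + " ".join(illegal))
    if not compact or len(compact) % 2:
        raise KeyFormatError("key data must be a whole number of bytes")
    return bytes.fromhex(compact)


def read_tlv(buf, pos, want_tag):
    """Read one tag-length-value element at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise KeyFormatError(f"expected tag 0x{want_tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or count > 2 or pos + count > len(buf):
            raise KeyFormatError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise KeyFormatError("value runs past end of data")
    return buf[pos:pos + length], pos + length


def parse_rsa_public_key(text):
    """Return {'bits', 'exponent'} for key data given as hex text."""
    der = hex_to_bytes(text)
    body, end = read_tlv(der, 0, 0x30)        # SEQUENCE
    if end != len(der):
        raise KeyFormatError("trailing bytes after key")
    n_raw, pos = read_tlv(body, 0, 0x02)      # INTEGER modulus
    e_raw, pos = read_tlv(body, pos, 0x02)    # INTEGER public exponent
    if pos != len(body):
        raise KeyFormatError("unexpected data after exponent")
    # The rtvrp_Host sample starts its modulus with 0xAF and no leading 0x00,
    # so both integers are read as unsigned instead of strict DER signed values.
    n, e = int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")
    if n % 2 == 0 or e < 3 or e % 2 == 0:
        raise KeyFormatError("implausible modulus or exponent")
    return {"bits": n.bit_length(), "exponent": e}


def check_key_code(text):
    """Accept or discard entered key data, as public-key-code end is described to do."""
    try:
        return {"accepted": True, **parse_rsa_public_key(text)}
    except KeyFormatError as err:
        return {"accepted": False, "reason": str(err)}


if __name__ == "__main__":
    for label, data in [("peer", PEER_KEY), ("host", HOST_KEY),
                        ("bad chars", BAD_CHARS), ("truncated", TRUNCATED)]:
        print(f"{label:<10}", check_key_code(data))
```

For the peer key the reported length is 1023 bits, which matches the Bits column shown for abcd in the display rsa peer-public-key example.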

rsa local-key-pair create

Syntax
rsa local-key-pair create

View
System view

Parameter
None

Description
Using the rsa local-key-pair create command, you can generate the local RSA host key pair and server key pair. If an RSA key already exists when this command is used, the system warns that the existing key will be replaced. The generated key pairs are named router name + server and router name + host, e.g., 3Com_host and 3Com_server. This command is not stored in the configuration file.
After this command is input, the system prompts you to enter the length in bits of the host key. The length of the server key pair must differ from that of the host key pair by at least 128 bits. The minimum length of the server key pair and host key pair is 512 bits and the maximum length is 2048 bits. If a key pair already exists, the user must confirm whether to change it.
Generating the local RSA key pair is the first step in setting up SSH login. Before performing other SSH configurations, you must run the rsa local-key-pair create command to generate the local key pair. The command needs to be executed only once and does not need to be executed again after the router restarts.
For the related command, see rsa local-key-pair destroy.

Example
Configure and generate local host key pair and server key pair.
[3Com] rsa local-key-pair create
The name for the keys will be: rtvrp_Host
% You already have RSA keys defined for rtvrp_Host
% Do you really want to replace them? [yes/no]:y
Choose the size of the key modulus in the range of 512 to 2048 for your Keys.
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]:512
Generating keys...
.....++++++++++++
........................++++++++++++
..........++++++++
............................++++++++
[3Com]

rsa local-key-pair destroy

Syntax
rsa local-key-pair destroy

View
System view

Parameter
None

Description
Using the rsa local-key-pair destroy command, you can remove all RSA keys of the server (including the host key pair and the server key pair).
After this command is input, you should confirm whether to remove all RSA keys of the server. This command is not stored in the configuration file.
For the related command, see rsa local-key-pair create.

Example
Remove all keys of server.
[3Com] rsa local-key-pair destroy
% Keys to be removed are named rtvrp_Host .
% Do you really want to remove these keys? [yes/no]:y
[3Com]

rsa peer-public-key

Syntax
rsa peer-public-key key-name

View
System view

Parameter
None

Description
Using the rsa peer-public-key command, you can enter the public key view.
After the command is input, the system enters the public key view. This command is used together with the public-key-code begin command to configure the public key of the client. The public key of the client is generated randomly by the client software. Please use client software supporting SSH1.5.
For the related command, see public-key-code begin, public-key-code end.

Example
Enter the public key view.
[3Com] rsa peer-public-key 3Com002
[3Com-rsa-public]

ssh server authentication-retries

Syntax
ssh server authentication-retries times
undo ssh server authentication-retries

View
System view

Parameter
times: Specifies the authentication re-try times, 1<=re-try times<=5.

Description
Using the ssh server authentication-retries command, you can set the SSH connection authentication re-try times; the setting takes effect at the next login. Using the undo ssh server authentication-retries command, you can restore the default value of SSH connection authentication re-try times.
By default, the re-try times are 3.
For the related command, see display ssh server.

Example
Specify the re-try times for registration authentication as 4.
[3Com] ssh server authentication-retries 4


ssh server rekey-interval

Syntax
ssh server rekey-interval hours
undo ssh server rekey-interval

View
System view

Parameter
hours: Update period, in the range of 1 to 24 hours. 0 cannot be input for this parameter.

Description
Using the ssh server rekey-interval command, you can set the update interval of the server key. Using the undo ssh server rekey-interval command, you can cancel the current settings.
By default, the server key is not updated.
For the related command, see display ssh server.

Example
Set the update interval of server key to 3 hours.
[3Com] ssh server rekey-interval 3
[3Com]

ssh server timeout

Syntax
ssh server timeout seconds
undo ssh server timeout

View
System view

Parameter
seconds: Specifies the login time-out time. It ranges from 1 to 120 seconds.

Description
Using the ssh server timeout command, you can set the time-out time of SSH connection authentication; the setting takes effect at the next login. Using the undo ssh server timeout command, you can restore the default value of the time-out time of SSH connection authentication.
By default, the time-out time is 60 seconds.
For the related command, see display ssh server.

Example
Set the login time-out time to 80 seconds.
[3Com] ssh server timeout 80

ssh user assign

Syntax
ssh user username assign rsa-key keyname
undo ssh user username assign rsa-key

View
System view

Parameter
keyname: Configured public key name of the client. It is a continuous character string, 0 < length ≤ 32.
username: Valid SSH user name defined by the AAA module.

Description
Using the ssh user assign command, you can assign one existing public key (keyname) to the user (username). Using the undo ssh user assign command, you can delete the relationship between the user and its public key.
If the user has already been assigned a public key, the system uses the public key assigned last.
The AAA module takes charge of the creation and deletion of local system users. When the AAA module creates a user of SSH type, it notifies SSH, and SSH adds the user to the user set it maintains. When the AAA module deletes a user, it notifies SSH, and SSH looks for the user in its user name set and deletes the user from the set if a match is found.
A newly configured user public key takes effect at the next login.
For the related command, see display ssh user-information.

Example
Assign key key1 for the user smith.
[3Com] ssh user smith assign rsa-key key1
[3Com]

ssh user authentication-type

Syntax
ssh user username authentication-type { password | rsa | all } undo ssh user username authentication-type { password | rsa | all }

SSH Configuration Commands

169

View System view Parameter password: Forces to specify the authentication mode of the user as password. rsa: Forces to specify the authentication mode of the user as RSA. all: Specifies the authentication mode of the user as either password or RSA. Description Using the ssh user authentication-type command, you can specify the authentication method for a special user. Using the undo ssh user authentication-type command, you can restore the default mode that login is always denied. By default, the system will always deny the login. The authentication mode must be specified for the new user, or the user will not be able to login. The new configured authentication mode will take effect in next login. For the related command, see display ssh user-information. Example Specify the authentication mode as password for the user smith.
[3Com] ssh user smith authentication-type password
[3Com]
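The following audit script is an added example, not part of the 3Com manual. It replays ssh user assign and ssh user authentication-type lines in order and reports, per user, the states the two command descriptions imply: login denied (no authentication type), password login allowed, and RSA selected without an assigned key. The undo form of the assign command, the finding labels and the sample configuration are assumptions made for illustration.

```python
import re

# Constructed sample configuration lines (not taken from a real device).
SAMPLE_CONFIG = """\
ssh user smith assign rsa-key key1
ssh user smith authentication-type password
ssh user jones assign rsa-key key2
ssh user jones assign rsa-key key3
ssh user jones authentication-type rsa
ssh user brown authentication-type all
ssh user green assign rsa-key key4
ssh user white authentication-type rsa
ssh user black authentication-type password
undo ssh user black authentication-type password
"""

# "ssh user <name> assign rsa-key <keyname>" follows the example on this page.
# The undo form without a key name is an assumption.
ASSIGN_RE = re.compile(
    r"^(?P<undo>undo\s+)?ssh\s+user\s+(?P<user>\S+)\s+assign\s+rsa-key"
    r"(?:\s+(?P<key>\S+))?$"
)
AUTH_RE = re.compile(
    r"^(?P<undo>undo\s+)?ssh\s+user\s+(?P<user>\S+)\s+authentication-type\s+"
    r"(?P<mode>password|rsa|all)$"
)
PROMPT_RE = re.compile(r"^\[[^\]]*\]\s*")  # leading prompt such as "[3Com] "


def parse_ssh_users(config_text):
    """Replay the commands in order; return {user: {"key": ..., "auth": ...}}."""
    users = {}
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        m = ASSIGN_RE.match(line)
        if m:
            entry = users.setdefault(m["user"], {"key": None, "auth": None})
            if m["undo"]:
                entry["key"] = None
            elif m["key"] and len(m["key"]) <= 32:  # keyname: 0 < length <= 32
                entry["key"] = m["key"]  # the key assigned last is the one used
            continue
        m = AUTH_RE.match(line)
        if m:
            entry = users.setdefault(m["user"], {"key": None, "auth": None})
            # undo restores the default, in which login is always denied
            entry["auth"] = None if m["undo"] else m["mode"]
    return users


def audit_ssh_users(users):
    """Return {user: [finding, ...]}; an empty list means key-only login."""
    findings = {}
    for name, entry in sorted(users.items()):
        notes = []
        if entry["auth"] is None:
            notes.append("login-denied")  # default mode per the manual
        else:
            if entry["auth"] in ("password", "all"):
                # Review policy assumed here: password login is worth flagging.
                notes.append("password-allowed")
            if entry["auth"] in ("rsa", "all") and entry["key"] is None:
                # Inference: RSA authentication needs an assigned public key.
                notes.append("rsa-without-key")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    for user, notes in audit_ssh_users(parse_ssh_users(SAMPLE_CONFIG)).items():
        print(f"{user}: {', '.join(notes) or 'ok (rsa with key)'}")
```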

3 INTERFACE MANAGEMENT COMMANDS

Interface Management Commands

debugging physical

Syntax
debugging physical { all | error | cell | packet } interface interface-type interface-number
undo debugging physical { all | error | cell | packet } interface interface-type interface-number

View
User view

Parameter
all: Enables alarming of all levels.
error: Enables error-level alarming.
cell: Enables cell-level alarming.
packet: Enables packet-level alarming.
interface interface-type interface-number: Specifies interface type and number.

Description
Using the debugging physical command, you can enable alarming for a specified interface. Using the undo debugging physical command, you can disable alarming for a specified interface.

Example
None

description

Syntax
description interface-description
undo description

View
Interface view

Parameter
interface-description: Character string describing the router interface, which can comprise no more than 80 characters. By default, the description string is “3Com Router, xxxxxx interface”.

Description
Using the description command, you can set the interface description. Using the undo description command, you can restore the default interface description.
This command has no special purpose or function other than identifying an interface.
For a related command, see display interface.

Example
Change the description of the Ethernet interface Ethernet 0/0/0 to “3Com Router Ethernet interface”.
[3com]interface ethernet 0/0/0
[3com-Ethernet0/0/0]description 3Com Router ethernet interface

display interface

Syntax
display interface type number [ .sub-number ]

View
Any view

Parameter
type: Interface type which is used along with number to identify an interface.
number: Interface number which is used along with type for identifying an interface.
sub-number: Subinterface number.

Description
Using the display interface command, you can display the current running state and other information of an interface. Executing this command will display the following information:

The physical state and protocol state of the interface
The physical features of the interface (including operating mode, DTE/DCE, clock selection, external cable, etc.)
The IP address of the interface
The encapsulated link layer protocol of the interface and the running state of the link layer protocol and the statistics.
The statistics of the incoming and outgoing packets on the interface

For a related command, see reset counters interface.

Example
View the running state and the relevant information of Serial 0/0/0.
[3com]display interface serial 0/0/0
Serial0/0/0 is up , line protocol is up
Description : 3Com Router, Serial0/0/0 Interface
The Maximum Transmit Unit is 1500, The keepalive is 10(sec)
Internet protocol processing : disabled
Link layer protocol is PPP
LCP opened, MPLSCP stopped
FIFO queuing: (Outbound queue:Size/Length/Discards)
FIFO: 0/75/0
Physical layer is synchronous,Baudrate is 64000 bps
Interface is DCE, Cable type is V35
5 minutes input rate 0.56 bytes/sec, 0.04 packets/sec
5 minutes output rate 0.66 bytes/sec, 0.05 packets/sec
51 packets input, 640 bytes, 0 no buffers
55 packets output, 700 bytes, 0 no buffers
0 input errors, 0 CRC, 0 frame errors
0 overrunners, 0 aborted sequences, 0 input no buffers
DCD=UP DTR=UP DSR=UP RTS=UP CTS=UP

Table 1 Description of the displayed interface information
Field                                       Description
Serial0 is up                               Physical layer state of the interface
line protocol is up                         Link layer state of the interface
5 minutes input rate                        The input rate of the interface within the last five minutes
5 minutes output rate                       The output rate of the interface within the last five minutes
FIFO queueing: FIFO                         Type of the output queue on the interface
51 packets input, 640 bytes, 0 no buffers   Packets and bytes received by the interface and the packets discarded due to the unavailability of receive-buffer.
55 packets output, 700 bytes, 0 no buffers  Packets and bytes sent by the interface and the packets discarded due to the unavailability of send-buffer.
input errors:0, CRC:0, frame errors:0       The received packets that contain errors, including CRC errors and frame errors.
DCD=UP DTR=UP DSR=UP RTS=UP CTS=UP          States of the physical electric signals DCD, DTR, DSR, RTS, and CTS

interface

Syntax
interface type number [ .sub-number ]
undo interface type number [ .sub-number ]

View
System view

Parameter
type: Interface type. The following table lists the interfaces that VRP supports so far.
number: Interface number. VRP numbers the interfaces separately by interface type, with the numbers of each type of interface beginning at 0 or 1.
sub-number: Subinterface number, which is separated from the main interface number by a dot (“.”).

Description
Using the interface command, you can enter the specified interface view or create a logical interface or subinterface. Using the undo interface command, you can delete a specified logical interface or subinterface.
Table 2 Interfaces supported by VRP
Interface         Description                     Attribute
ATM               ATM interface                   Physical interface
AUX               AUX interface                   Physical interface
Analogmodem       Analog modem interface          Physical interface
Async             Asynchronous serial interface   Physical interface
Bri               ISDN BRI interface              Physical interface
Bridge-Template   Bridge-group virtual interface  Logical interface
Dialer            Dialer interface                Logical interface
Ethernet          Ethernet interface              Physical interface
Logic-Channel     Logic-channel interface         Logical interface
Loopback          Loopback interface              Logical interface
NULL              Null interface                  Logical interface
MFR               Multi-link FR (MFR) interface   Logical interface
Serial            Synchronous serial interface    Physical interface
Virtual-Ethernet  VE interface                    Logical interface
Virtual-Template  Virtual-template interface      Logical interface
Tunnel            Tunnel interface                Logical interface

An interface name is represented by interface type + interface number. For example, Ethernet0/0/0 represents the Ethernet interface numbered 0/0/0, Serial0/0/0.1 represents the first subinterface on the interface Serial0/0/0, and Serial3/0/0:2 is the second channel set of the CE1/PRI interface (namely controller interface) numbered 3/0/0.
To simplify input, the type portion of the interface name can be shortened to several leading letters, provided that these letters do not conflict with other interface types. Therefore, you can input e0/0/0 for Ethernet 0/0/0 and s0/0/0.1 for Serial 0/0/0.1.
By executing the interface command, you can enter the view of the desired physical interface and create logical interfaces or subinterfaces as needed.

You can create subinterfaces for an Ethernet interface or a serial interface encapsulated with X.25 or Frame Relay (FR). The subinterface numbered 0 corresponds to the main interface.
Note that executing the undo interface command also deletes the defined logical interfaces (such as dialer, tunnel, and virtual-template interfaces) and subinterfaces.

Example
Enter the Ethernet interface view in system view.
[3com]interface ethernet 0/0/0
[3com-Ethernet0/0/0]

Switch from Ethernet0 view to the view of the subinterface Serial0/0/0.1.
[3com-Ethernet0/0/0]interface serial0/0/0.1
[3com-Serial0/0/0.1]

reset counters interface

Syntax
reset counters interface [ type number ]

View
User view

Parameter
type: Interface type which is used along with number for identifying an interface.
number: Interface number which is used along with type for identifying an interface.

Description
Using the reset counters interface command, you can clear the statistics of the transmitted and received packets on an interface. If no interface has been specified, the statistics about the transmitted and received packets on all the interfaces are cleared.
To count the traffic size on an interface within a specific period, you must clear the existing statistics about the transmitted and received packets on the interface before taking a new count.
For a related command, see display interface.

Example
Clear the statistics about the transmitted and received packets on Serial 0/0/0.
<3com> reset counters interface serial 0/0/0

shutdown

Syntax
shutdown
undo shutdown

View
Interface view

Parameter
None

Description
Using the shutdown command, you can shut down an interface. Using the undo shutdown command, you can enable an interface.
This command takes effect not only on physical interfaces but also on tunnel and MFR interfaces.
In some circumstances, such as when you are modifying the operating parameters of an interface, the modification does not take effect immediately. Rather, you must shut down the interface and re-enable it.
For a related command, see display interface.

Example
Shut down Ethernet 0/0/0.
[3com-Ethernet0/0/0]shutdown
% Interface Ethernet0/0/0 is down
% Interface Ethernet0/0/0 changed state to DOWN
% Line protocol ip on interface Ethernet0/0/0, changed state to DOWN

Fundamental Ethernet Interface Configuration Commands
display interface ethernet

Syntax
display interface ethernet interface-number

View
Any view

Parameter
interface-number: Interface number. If no interface has been specified, the configuration and state information of all the interfaces will be displayed.

Description
Using the display interface ethernet command, you can view the configuration parameters, current running state, and some other information of an Ethernet interface.

Example
View the state information of the Ethernet interface 2/0/0.
<3com> display interface ethernet 2/0/0
Ethernet2/0/0 current state : UP
Line protocol current state : UP
Description : 3Com Routers, Ethernet0/0 Interface
The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 172.31.29.103/16
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0.fc06.3085
Media type is twisted pair, loopback not set, promiscuous mode not set
100Mb/s-speed mode,Full-duplex mode,link type is autonegotiation
Output flow-control is unsupported, input flow-control is unsupported
Output queue : (Urgent queue : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last 5 minutes input rate 227.13 bytes/sec, 2.67 packets/sec
Last 5 minutes output rate 0.00 bytes/sec, 0.00 packets/sec
Input: 542665 packets, 47721004 bytes
271460 broadcasts, 271205 multicasts
0 errors, 0 runts, 0 giants, 0 CRC, 0 align errors, 0 overruns, 0 dribbles, 0 aborts, 0 no buffers
Output:0 packets, 0 bytes
0 errors, 0 underruns, 0 collisions
0 deferred

duplex

Syntax
duplex { full | half | negotiation }
undo duplex

View
Ethernet interface view

Parameter
full: Sets the Ethernet interface to work in full duplex mode.
half: Sets the Ethernet interface to work in half duplex mode.
negotiation: Sets the Ethernet interface to work in auto-negotiation mode.

Description
Using the duplex command, you can set the operating mode of the 100Base-TX FE interface. Using the undo duplex command, you can restore the default operating mode of the Ethernet interface.
By default, the Ethernet interface is working in auto-negotiation mode.
An Ethernet interface on a router that is connected to a hub must work in half-duplex mode. When an Ethernet interface is connected to a network device that supports full-duplex, it must work in full-duplex mode, however.
Before setting the FE interface to work in auto-negotiation mode, you must make sure that the connected remote end has been working in auto-negotiation mode. If this cannot be guaranteed, the two parties should use the forced setting for the consistency in operating mode.
For related commands, see speed and display interface.

Example
Set the 100Base-TX FE interface to work in full duplex mode.
[3com-Ethernet0/0/0] duplex full

loopback

Syntax
loopback
undo loopback

View
Ethernet interface view

Parameter
None

Description
Using the loopback command, you can enable an Ethernet interface to perform loopback. Using the undo loopback command, you can disable loopback.
By default, loopback is disabled on the Ethernet interface.
Enable loopback on the Ethernet interface only for the purpose of testing some special functions.

Example
Enable the Ethernet interface to perform loopback.
[3com-Ethernet0/0/0]loopback

mtu

Syntax
mtu size
undo mtu

View
Ethernet interface view

Parameter
size: MTU size on the Ethernet interface, which is in bytes. It is in the range of 46 to 1500 if the adopted frame format is Ethernet_II.

Description
Using the mtu command, you can set the maximum transmission unit (MTU) of the Ethernet interface. Using the undo mtu command, you can restore the default configuration.
MTU defaults to 1500 if the adopted frame format is Ethernet_II.
The MTU setting of an Ethernet interface can affect the assembly and fragmentation of IP packets on the interface.
For a related command, see display interface.

Example
Set MTU of the Ethernet interface to 1492.
[3com-Ethernet0/0/0]mtu 1492

speed

Syntax
speed { 10 | 100 | negotiation }
undo speed

View
Ethernet interface view

Parameter
10: Forces the FE interface to work in 10Base-T (at 10Mbps) mode.
100: Forces the FE interface to work in 100Base-TX (100Mbps) mode.
negotiation: Sets the FE interface to work in auto-negotiation mode.

Description
Using the speed command, you can set the operating speed of the FE interface. Using the undo speed command, you can restore the default operating speed of the FE interface.
By default, the FE interface operates in auto-negotiation mode.
Before setting the FE interface to work in auto-negotiation mode, you must make sure that the connected remote end has been working in auto-negotiation mode. If this cannot be guaranteed, the two parties should use the forced setting for operating consistency.
For related commands, see duplex and display interface.

Example
Set the FE interface to work in 10Base-T mode.
[3com-Ethernet0/0/0]speed 10

Fundamental WAN Interface Configuration Commands
async mode

Syntax
async mode { protocol | flow }

View
Asynchronous serial interface view, AUX interface view

Parameter
protocol: Protocol mode, with which the local end directly adopts the configured link layer protocol parameters to set up a link with the remote end after setting up a physical link.
flow: Flow mode, which is also known as interactive mode. With this approach, the two ends set up a link by interacting with each other upon the setup of a physical link. Specifically, the calling party sends the configuration commands to the called party (it is equal to the operation of manually inputting configuration commands at the remote end), sets the link layer protocol operating parameters of the called party, and then sets up the link. This approach is normally adopted in the event of man-machine interaction.

Description
Using the async mode command, you can set the operating mode of an asynchronous serial interface.
By default, the asynchronous serial interface is working in protocol mode and the AUX interface in flow mode.
For a related command, see modem.

Example
Set the asynchronous serial interface to work in flow mode.
[3com-Serial0/0/0]async mode flow

baudrate

Syntax
baudrate baudrate

View
Serial interface view

Parameter
baudrate: Baud rate of serial interface in bps. It is in the range of 300 to 115200 for an asynchronous serial interface and 1200 to 2048000 for a synchronous serial interface.

Description
Using the baudrate command, you can set the baud rate for a serial interface.
By default, the baud rate is 9600 bps on the asynchronous serial interface and 64000 bps on a synchronous serial interface.

Following are the baud rates available for the asynchronous serial interface.

300 bps, 600 bps, 1200 bps, 2400 bps, 4800 bps, 9600 bps, 19200 bps, 38400 bps, 57600 bps, 115200 bps.

Following are the baud rates available for the synchronous serial interface.

1200 bps, 2400 bps, 4800 bps, 9600 bps, 19200 bps, 38400 bps, 57600 bps, 64000 bps, 72000 bps, 115200 bps, 128000 bps, 384000 bps, 2048000 bps.

The baud rate range available for the synchronous serial interface depends on the applied physical electric specifications.

V.24 DTE/DCE supports the range of 1200 bps to 64000 bps
V.35 DCE/DCE, X.21 DTE/DCE, EIA/TIA-449 DTE/DCE and EIA-530 DTE/DCE supports the range of 1200 bps to 2048000 bps

After a synchronous/asynchronous serial interface makes the synchronous/asynchronous switchover, the baud rate of the interface will resume the default baud rate in the new operating mode.
When setting baud rate for a serial interface, you should take into consideration the elements, such as operating mode (synchronous/asynchronous mode) and the electric specifications of the connected external cable. In addition, you should note that the baud rate of asynchronous serial interface is only significant for the connection between router and modem. If two modems are concerned, they will negotiate the baud rate between them. Therefore, different baud rate settings can be set on the routers at the two ends of a connection, if the routers are working in asynchronous mode. In synchronous mode, however, the router working as DCE will determine the baud rate for the line transmission. Therefore, you must set baud rate at the DCE side.

Example
Set the baudrate of the asynchronous serial interface to 115200 bps.
[3com-Serial0/0/0]baudrate 115200

clock

Syntax
clock { dceclk | dteclk1 | dteclk2 | dteclk3 | dteclk4 }

View
Serial interface view

Parameter
dceclk: Sets the interface clock selection mode to DCE clock.
dteclk1: Sets the interface clock selection mode to DTE clock option 1.
dteclk2: Sets the interface clock selection mode to DTE clock option 2.
dteclk3: Sets the interface clock selection mode to DTE clock option 3.
dteclk4: Sets the interface clock selection mode to DTE clock option 4.

Description
Using the clock command, you can set the clock selection mode for a synchronous serial interface.
By default, dceclk (providing clock to the DTE device) and dteclk3 are selected for the synchronous serial interfaces at the DCE side and the DTE side, respectively.
Different operating clocks are selected for the synchronous serial interfaces working as DTE and DCE, as shown in the following figure.

Figure 1 Selecting a clock for a synchronous serial interface (diagram not reproduced; it shows the TxClk and RxClk signals between the DCE and the DTE)

In the figure, “TxClk” represents the transmitting clock and “RxClk” the receiving clock. As a DCE device is required to provide clock for the remote DTE device, you must select DCEclk as the operating clock for the synchronous serial interface working as DCE.
Working as DTE, the synchronous serial interface must accept the clock provided by the remote DCE. As the transmitting and receiving clocks of synchronization devices are independent, the receiving clock of a DTE device can be either the transmitting or receiving clock of the DCE device. The same applies to the transmitting clock. Therefore, four clock options are available for a DTE device. The following table gives the four clock selection options.
Table 3 Clock options available for a synchronous serial interface working as DTE
Clock selection option  Description
DTEclk1                 TxClk = TxClk, RxClk = RxClk
DTEclk2                 TxClk = TxClk, RxClk = TxClk
DTEclk3                 TxClk = RxClk, RxClk = TxClk
DTEclk4                 TxClk = RxClk, RxClk = RxClk

In the table, the clock ahead of “=” is the DTE clock and the one after is the DCE clock.

Example
Set the synchronous serial interface working as DTE to use the clock selection option DTEclk2.
[3com-Serial0/0/0]clock dteclk2

code nrzi

Syntax
code nrzi
undo code

View
Synchronous serial interface view

Parameter
None

Description
Using the code nrzi command, you can set the digital signal coding format to Non-Return-to-Zero Inverted (NRZI) for a synchronous serial interface. Using the undo code command, you can restore the digital coding format of the synchronous serial interface to NRZ.
The digital signal coding format defaults to NRZ on the synchronous serial interface.

Example
Set the digital signal coding format to NRZI on the synchronous serial interface.
[3com-Serial0/0/0]code nrzi

detect

Syntax
1 Asynchronous serial interface
detect dsr-dtr
undo detect dsr-dtr
2 Synchronous serial interface
detect { dcd | dsr-dtr }
undo detect { dcd | dsr-dtr }

View
Synchronous serial interface view, asynchronous serial interface view

Parameter
dsr-dtr: Detects DSR and DTR signals of DSU/CSU.
dcd: Detects the DCD signal of the DSU/CSU on the serial interface.

Description
Using the detect command, you can enable data carrier detection as well as level detection on a serial interface. Using the undo detect command, you can disable data carrier detection as well as level detection on the serial interface.
By default, data carrier detection and level detection are enabled on serial interfaces.
If this function has been disabled on a serial interface, the system will not detect the DCD and DSR/DTR signals when determining the state (UP or DOWN) of the serial interface.

Example
Disable data carrier detection on the serial interface.
[3com-Serial0/0/0]undo detect dcd

idle-mark

Syntax
idle-mark
undo idle-mark

View
Synchronous serial interface view

Parameter
None

Description
Using the idle-mark command, you can set the line idle-mark of the synchronous serial interface to “FF”. Using the undo idle-mark command, you can restore the line idle-mark of the synchronous serial interface to “7E”.
Line idle-mark of synchronous serial interfaces defaults to “7E”.
In normal circumstances, the synchronous serial interface uses the code “7E” to identify the idle state of the line. However, there are still some devices that use “FF” (that is, the high level of all “1s”) to make the identification. For the sake of compatibility in this case, it is necessary to configure the line idle-mark of the synchronous serial interface.

Example
Set the line idle-mark of the synchronous serial interface to FF.
[3com-Serial0/0/0]idle-mark

invert transmit-clock

Syntax
invert transmit-clock
undo invert transmit-clock

View
Serial interface view

Parameter
None

Description
Using the invert transmit-clock command, you can enable the inverting of the transmit-clock signal of the synchronous serial interface at the DTE side. Using the undo invert transmit-clock command, you can disable inverting the signal.
By default, transmit-clock signal inversion is disabled on the synchronous serial interface at DTE side.
In some special cases, for the purpose of eliminating the half-period delay of the clock on the line, you may make the configuration to make the system invert the transmit-clock signal of the synchronous serial interface at the DTE side. This command can take effect only on some specific DCE devices. Clock inversion is unnecessary for general applications.
For related commands, see physical-mode and clock.

Example
Invert the transmit-clock of the synchronous serial interface at DTE side.
[3com-Serial0/0/0]invert transmit-clock

loopback

Syntax
loopback
undo loopback

View
Serial interface view

Parameter
None

Description
Using the loopback command, you can enable a serial interface to perform loopback. Using the undo loopback command, you can disable loopback on the serial interface.
By default, loopback of the serial interface is disabled.
Enable loopback on the serial interface only for the purpose of testing some special functions.

Example
Enable the serial interface to perform loopback.
[3com-Serial0/0/0]loopback

mtu

Syntax
mtu size
undo mtu

View
Serial interface view

Parameter
size: MTU size on the serial interface, which is in the range of 128 to 1500 bytes and defaults to 1500.

Description
Using the mtu command, you can set the MTU of a serial interface. Using the undo mtu command, you can restore the default setting.
The MTU setting of a serial interface can affect the assembly and fragmentation of IP packets on the interface.

Example
Set MTU of the serial interface to 1200.
[3com-Serial0/0/0]mtu 1200

physical-mode

Syntax
physical-mode { sync | async }

View
Serial interface view

Parameter
sync: Sets the synchronous/asynchronous serial interface to work in synchronous mode.
async: Sets the synchronous/asynchronous serial interface to work in asynchronous mode.

Description
Using the physical-mode command, you can set the operating mode of a synchronous/asynchronous serial interface.
By default, the synchronous/asynchronous serial interface is working in synchronous mode.

Example
Set the synchronous/asynchronous serial interface to work in asynchronous mode.
[3com-Serial0/0/0]physical-mode async

Fundamental CE1/PRI Interface Configuration Commands
channel-set

Syntax
channel-set set-number timeslot-list range
undo channel-set set-number

View
CE1/PRI interface view

Parameter
set-number: The number of the channel set formed by bundling the timeslots on the interface, which is in the range of 0 to 30.
range: The number of the timeslots that are bundled, which is in the range of 1 to 31. When specifying the timeslots to be bundled, you can specify a single timeslot by specifying a number, a range of timeslots by specifying a range between number1-number2, or several discrete timeslots by specifying number1, number2-number3.

Description
Using the channel-set command, you can bundle some timeslots of a CE1/PRI interface into a channel-set. Using the undo channel-set command, you can remove the specified timeslot bundle.
By default, no timeslots are bundled into channel-sets.
A CE1/PRI interface in CE1/PRI mode is physically divided into 32 timeslots numbered from 0 through 31.
In actual applications, all the timeslots except timeslot 0 can be bundled into multiple channel-sets and the system will automatically create a serial interface for each set. This serial interface has the same logic features of synchronous serial interface.
The serial interface is numbered in the form of serial interface-number:set-number. The interface-number starts from the maximum serial interface number plus 1, and the set-number is the number of the channel-set.
Only one timeslot bundling mode can be supported on one CE1/PRI interface during a time period. In other words, this command cannot be used together with the pri-set command.
For a related command, see pri-set.

Example
Bundle the timeslots 1, 2, 5, 10-15, and 18 of the CE1/PRI interface into channel-set 0.
[3com-E1 3/0/0]channel-set 0 timeslot-list 1,2,5,10-15,18

Make the same configuration on the CE1/PRI interface on the remote router.
[3com-E1 3/0/0]channel-set 0 timeslot-list 1,2,5,10-15,18

clock

Syntax
clock { master | slave }
undo clock

View
CE1/PRI interface view

Parameter
master: Adopts the internal clock mode.
slave: Adopts the line clock mode.

Description
Using the clock command, you can set the clock mode on a CE1/PRI interface. Using the undo clock command, you can restore the default clock mode on the interface.
By default, the CE1/PRI interface adopts the line clock mode (slave).
When a CE1/PRI interface is working as DCE, choose the internal clock for it, that is, master clock mode. When it is working as DTE, choose the line clock for it, that is, slave clock mode.

Example
Set the clock mode of the CE1/PRI interface to internal clock (master) mode.
[3com-E1 3/0/0]clock master

code

Syntax
code { ami | hdb3 }
undo code

View
CE1/PRI interface view

Parameter
ami: Adopts Alternate Mark Inversion (AMI) line code format.
hdb3: Adopts High Density Bipolar 3 (HDB3) line code format. This parameter is only significant for a CE1/PRI interface.

Description
Using the code command, you can set the line code format for a CE1/PRI interface. Using the undo code command, you can restore the default line code format of the interface.
The line code format of CE1/PRI interface defaults to hdb3.
You should keep the line code format of the interface consistent with that used by the remote device.

Example
Set the line code format of the interface E1 3/0/0 to ami.
[3com-E1 3/0/0]code ami

controller e1

Syntax
controller e1 number

View
System view

Parameter
number: The CE1/PRI interface number.

Description
Using the controller e1 command, you can enter a CE1/PRI interface view.

Example
Enter the view of the interface E1 3/0/0.
[3com]controller E1 3/0/0
[3com-E1 3/0/0]

display controller e1

Syntax
display controller [ e1 number ]

View
Any view

Parameter
number: Interface number.

Description
Using the display controller e1 command, you can display the information related to a CE1/PRI interface. Executing this command will display the following information:

The physical state of interface
The clock mode of interface
The frame check mode of interface
And the line code format of interface

Example
Display the information related to the E1 interface.
[3com]display controller E1 3/0/0
E1 1-0 is down.
Applique type is Channelized E1 - 75 OHM unbalanced
Framing is NO-CRC4, Line Code is HDB3, Source Clock is slave.
Alarm State is Loss of Frame Alignment.

frame-format

Syntax
frame-format { crc4 | no-crc4 }
undo frame-format

View
CE1/PRI interface view

Parameter
crc4: Sets the frame format on the CE1 interface to CRC4.
no-crc4: Sets the frame format on the CE1 interface to no-CRC4.

Description
Using the frame-format command, you can set the frame format of CE1 interface. Using the undo frame-format command, you can restore the default frame format of the interface.
By default, the frame format of CE1 interface is no-crc4.
A CE1/PRI interface working in CE1 mode supports both crc4 and no-crc4 frame formats. Among them, crc4 supports the 4-bit Cyclic Redundancy Check (CRC) on physical frames whereas no-crc4 does not.

Example
Set the frame format of the interface E1 3/0/0 to crc4.
[3com-E1 3/0/0]frame-format crc4

loopback

Syntax
loopback { local | remote }
undo loopback

View
CE1/PRI interface view

Parameter
local: Enables the interface to perform local loopback.
remote: Enables the interface to perform remote loopback.

Description
Using the loopback command, you can enable a CE1/PRI interface to perform loopback. Using the undo loopback command, you can disable loopback on the CE1/PRI interface.
By default, loopback in any form is disabled on the interface.
Loopback is used to check the condition of the interface or cable. This function should be disabled when they are in normal operation.
If a serial interface formed by bundling timeslots of the CT1/PRI interface is encapsulated with PPP and is set to perform loopback, it is normal for the state of the link layer protocol to be reported as DOWN.

Example
Set the interface E1 3/0/0 to perform local loopback.
[3com-E1 3/0/0]loopback local

pri-set

Syntax
pri-set timeslot-list [ range ]
undo pri-set

View
CE1/PRI interface view

Parameter
range: The number of the timeslots that are bundled, which is in the range of 1 to 31. When specifying the timeslots to be bundled, you can specify a single timeslot by specifying a number, a range of timeslots by specifying a range between number1-number2, or several discrete timeslots by specifying number1, number2-number3.

Description
Using the pri-set command, you can bundle the timeslots of a CE1/PRI interface into a pri-set. Using the undo pri-set command, you can remove the timeslot bundle.
By default, no timeslots are bundled into a pri-set.
When performing pri-set bundling on a CE1/PRI interface, note that you are not allowed to bundle only timeslot 16, as it will be used as the D channel for transmitting signals. Attempts to bundle only timeslot 16 will fail.
In a pri-set formed by bundling the timeslots of a CE1/PRI interface, timeslot 0 is used for Frame Synchronization Control (FSC), timeslot 16 as a D channel for signaling transmission, and other timeslots as B channels for data transmission. You may bundle the timeslots except for timeslot 0 into a pri-set (as the D channel, timeslot 16 is automatically bundled). The logic features of this pri-set will be the same as those of an ISDN PRI interface. If no timeslots are specified for bundling, all the timeslots except for timeslot 0 will be bundled into an interface similar to an ISDN PRI interface in the form of 30B+D.
The system will automatically create a serial interface after the operation of timeslot bundling on the interface. This serial interface has the same logic features as an ISDN PRI interface. The serial interface is numbered in the form of serial number:15, where number is the maximum serial interface number plus 1.
Only one timeslot bundling mode can be supported on one CE1/PRI interface during a time period. In other words, this command cannot be used together with the channel-set command.
For a related command, see channel-set.

Example
Bundle the timeslots 1, 2, and 8-12 of the CE1/PRI interface into a pri-set.
[3com-E1 3/0/0]pri-set timeslot-list 1,2,8-12

using

Syntax
using { ce1 | e1 }
undo using

View
CE1/PRI interface view

Parameter
e1: In E1 mode
ce1: In CE1/PRI mode

Description
Using the using command, you can configure the operating mode for a CE1/PRI interface. Using the undo using command, you can restore the default operating mode.

By default, the CE1/PRI interface is working in CE1/PRI mode.

A CE1/PRI interface can work in either E1 mode (also called non-channelized mode) or CE1/PRI mode (that is, channelized mode).

A CE1/PRI interface in E1 mode is equivalent to an interface of 2 Mbps data bandwidth that is not divided into timeslots. Its logic features are the same as those of a synchronous serial interface. When working in CE1/PRI mode, it is physically divided into 32 timeslots numbered from 0 to 31. Among them, timeslot 0 is used for transmitting the Frame Synchronization Control information. This interface can work as either a CE1 interface or a PRI interface.

After the CE1/PRI interface is enabled to work in E1 mode by using the using e1 command, the system will automatically create a serial interface numbered serial interface-number:0. The interface-number starts from the maximum serial interface number plus 1.

Example
Set the CE1/PRI interface to work in E1 mode.
[3com-E1 3/0/0]using e1

Fundamental CT1/PRI Interface Configuration Commands

cable

Syntax
cable { long { 0db | -7.5db | -15db | -22.5db } | short { 133ft | 266ft | 399ft | 533ft | 655ft } }
undo cable

View
CT1/PRI interface view

Parameter
long: Matches a 655-feet and longer transmission line. The options for this parameter include 0db, -7.5db, -15db and -22.5db. The attenuation parameter is selected depending on the signal quality received at the receiving end. In this case, no external CSU is needed.
short: Matches a transmission cable under 655 feet. The options for this parameter include 133ft, 266ft, 399ft, 533ft and 655ft. The length parameter is selected depending on the actual length of the transmission line.

Description
Using the cable command, you can set cable attenuation and length on a CT1/PRI interface to match the distance of the transmission line. Using the undo cable command, you can restore the default value.

The transmission cable attenuation that the CT1/PRI interface matches defaults to long 0db.

This command is mainly used to configure the signal waveform for transmission to satisfy various transmitting needs. In practice, the signal quality received by the receiving end determines whether this command will be used. If the signal quality is relatively good, use the default setting. In this case, the CT1/PRI interface does not need an external CSU device.

Example
Set the length of the transmission cable that the CT1/PRI interface matches to 133 feet.
[3com-T1 1/0/0] cable short 133ft

channel-set

Syntax
channel-set set-number timeslot-list range [ speed { 56k | 64k } ]
undo channel-set set-number

View
CT1/PRI interface view

Parameter
set-number: The number of the channel-set formed by bundling the timeslots of the interface, which is in the range of 0 to 23.
range: The number of the timeslots that are bundled, which is in the range of 1 to 24. When specifying the timeslots to be bundled, you can specify a single timeslot by specifying a number, a range of timeslots by specifying a range between number1-number2, or several discrete timeslots by specifying number1, number2-number3.
speed { 56k | 64k }: The speed of the timeslot bundle, which is in Kbps. If 56k is selected, the timeslots will be bundled into N x 56 Kbps bundles, and if 64k is selected, the timeslots will be bundled into N x 64 Kbps bundles. By default, the system uses 64k.

Description
Using the channel-set command, you can bundle some timeslots of a CT1/PRI interface into a channel-set. Using the undo channel-set command, you can remove the specified channel-set.

By default, no timeslots are bundled into channel-sets.

A CT1/PRI interface is physically divided into 24 timeslots numbered from 1 through 24. In actual applications, all the timeslots can be bundled into multiple channel-sets and the system will automatically create a serial interface for each set. This serial interface has the same logic features as a synchronous serial interface.

The serial interface is numbered in the form of serial interface-number:set-number, where interface-number starts from the maximum serial interface number plus 1, and set-number is the number of the channel-set.

Only one timeslot bundling mode can be supported on one CT1/PRI interface during a time period. In other words, this command cannot be used together with the pri-set command.

For a related command, see pri-set.

Example
Bundle the timeslots 1, 2, 5, 10-15 and 18 of the CE1/PRI interface into channel-set 0.
[3com-T1 1/0/0]channel-set 0 timeslot-list 1,2,5,10-15,18

clock

Syntax
clock { master | slave }
undo clock

View
CT1/PRI interface view

Parameter
master: Adopts the internal clock mode.
slave: Adopts the line clock mode.

Description
Using the clock command, you can set the clock mode on a CT1/PRI interface. Using the undo clock command, you can restore the default clock mode on the interface.

By default, the CE1/PRI interface adopts the line clock mode (slave).

When a CT1/PRI interface is working as DCE, choose the internal clock for it, that is, master clock mode. When it is working as DTE, choose the line clock for it, that is, slave clock mode.

Example
Set the clock mode of the CT1/PRI interface to internal clock (master) mode.
[3com-T1 1/0/0] clock master

code

Syntax
code { ami | b8zs }
undo code

View
CT1/PRI interface view

Parameter
ami: Adopts the AMI line code format.
b8zs: Adopts the Bipolar with 8-Zero Substitution (b8zs) line code format.

Description
Using the code command, you can set the line code format for a CT1/PRI interface. Using the undo code command, you can restore the default line code format of the interface.

The line code format of CT1/PRI interface defaults to b8zs.

You should keep the line code format of the interface consistent with the one used by the remote device.

Example
Set the line code format of the interface T1 1/0/0 to ami.
[3com-T1 1/0/0] code ami

controller t1

Syntax
controller t1 number

View
System view

Parameter
number: The CT1/PRI interface number.

Description
Using the controller t1 command, you can enter a CT1/PRI interface view.

Example
Enter the view of the interface T1 1/0/0.
[3com]controller t1 1/0/0
[3com-T1 1/0/0]

display controller t1

Syntax
display controller t1 number

View
Any view

Parameter
number: Interface number.

Description
Using the display controller t1 command, you can display the information related to a CT1/PRI interface. All T1 interfaces will be displayed if no parameter is selected.

Executing this command will display the following information:
The physical state of interface
The clock mode of interface
The frame check mode of interface
And the line code format of interface

Example
Display the information related to the T1 interface.
[3com]display controller t1 1/0/0

frame-format

Syntax
frame-format { sf | esf }
undo frame-format

View
CT1/PRI interface view

Parameter
sf: Sets the frame format of CT1/PRI interface to Super Frame (SF).
esf: Sets the frame format of CT1/PRI interface to Extended Super Frame (ESF).

Description
Using the frame-format command, you can set the frame format on a CT1/PRI interface. Using the undo frame-format command, you can restore the default frame format on the interface.

The frame format on the CT1/PRI interface defaults to ESF.

A CT1/PRI interface supports two frame formats, that is, SF and ESF. In SF format, multiple frames can share the same FSC and signaling information, so that more significant bits can be used for transmitting user data. In practice, a system should be tested often. The application of ESF makes it possible for the system to provide the services while it is being tested.

Example
Set the frame format of T1 1/0/0 to SF.
[3com-T1 1/0/0]frame-format sf

loopback

Syntax
loopback { local | remote }
undo loopback

View
CT1/PRI interface view

Parameter
local: Enables the CT1/PRI interface to perform local loopback.
remote: Enables the interface to perform remote loopback.

Description
Using the loopback command, you can enable a CT1/PRI interface to perform loopback. Using the undo loopback command, you can disable loopback on the CT1/PRI interface.

By default, loopback in any form is disabled on the interface.

Loopback is used to check the condition of the interface or cable. This function should be disabled during normal operation.

If a serial interface formed by bundling timeslots of the CT1/PRI interface is encapsulated with PPP and is set to perform loopback, it is normal for the state of the link layer protocol to be reported as DOWN.

Example
Set the interface T1 1/0/0 to perform local loopback.
[3com-T1 1/0/0]loopback local

pri-set

Syntax
pri-set [ timeslot-list range ]
undo pri-set

View
CT1/PRI interface view

Parameter
range: The number of the timeslots that are bundled, which is in the range of 1 to 24. When specifying the timeslots to be bundled, you can specify a single timeslot by specifying a number, a range of timeslots by specifying a range between number1-number2, or several discrete timeslots by specifying number1, number2-number3.

Description
Using the pri-set command, you can bundle the timeslots of a CT1/PRI interface into a pri-set. Using the undo pri-set command, you can remove the timeslot bundle.

By default, no timeslots are bundled into a pri-set.

When performing pri-set bundling on a CT1/PRI interface, you should note that you are not allowed to bundle only timeslot 24, because it is the D channel for transmitting signals. Attempts to bundle only timeslot 24 will fail.

In a pri-set formed by bundling the timeslots of a CT1/PRI interface, timeslot 24 is used as the D channel for signaling transmission, and the other timeslots as B channels for data transmission. All the timeslots can be randomly bundled into a pri-set (as the D channel, timeslot 24 is automatically bundled). The logic features of this pri-set will be the same as those of an ISDN PRI interface. If no timeslots are specified for bundling, all the timeslots will be bundled into an interface similar to an ISDN PRI interface in the form of 23B+D.

The system will automatically create a serial interface after the operation of timeslot bundling on the interface. This serial interface has the same logic features as an ISDN PRI interface. The serial interface is numbered in the form of serial number:23, in which number starts from the maximum serial interface number plus 1.

Only one timeslot bundling mode can be supported on one CE1/PRI interface during a time period. In other words, this command cannot be used together with the channel-set command.

For a related command, see channel-set.

Example
Bundle the timeslots 1, 2, and 8-12 of the CT1/PRI interface into a pri-set.
[3com-T1 1/0/0]pri-set timeslot-list 1,2,8-12

E1-F Interface Configuration Commands

display fe1 serial

Syntax
display fe1 [ serial serial-number ]

View
Any view

Parameter
serial serial-number: Interface type and number. If no interface is specified, the information of all the E1-F interfaces will be displayed.

Description
Using the display fe1 serial command, you can view the configuration and state of E1-F interface. If the specified interface is a serial interface rather than an E1-F interface, the system will display the error prompt “The serial is not a factional interface”.

Example
Display the information of the E1-F interface.
[3com] display fe1 Serial4/0/0
Fractional E1, status is down.
Work mode is FRAMED - 120 OHM balanced.
Framing : NO-CRC4, Line Code is HDB3, Clock : Slave.
Alarm State : Loss-of-Signal.

Table 4 Description of displaying controller FE1 items

Item          Description
Framing       Frame format (crc4/no-crc4)
Line Code     line code format (ami/hdb3)
Clock         Clock mode (master/slave)
Alarm State   Alarm information

fe1 clock

Syntax
fe1 clock { master | slave }
undo fe1 clock

View
E1-F interface view

Parameter
master: Internal clock is used.
slave: Line clock is used.

Description
Using the fe1 clock command, you can configure clock used by an E1-F interface. Using the undo fe1 clock command, you can restore the default clock of the interface.

By default, the interfaces use the slave clock.

For an E1-F interface used as DCE, master clock should be used. If the interface is used as DTE, however, the slave clock should be used.

Example
Set the E1-F interface to use internal clock.
[3com-Serial0/0/0] fe1 clock master

fe1 code

Syntax
fe1 code { ami | hdb3 }
undo fe1 code

View
E1-F interface view

Parameter
ami: Adopts AMI line code format.
hdb3: Adopts HDB3 line code format.

Description
Using the fe1 code command, you can configure line code format for an E1-F interface. Using the undo fe1 code command, you can restore the default line code format of interface.

By default, E1-F interfaces adopt hdb3.

The line code of an interface should be set consistent with that of the peer.

Example
Set the line code format of the E1-F interface to AMI.
[3com-Serial0/0/0] fe1 code ami

fe1 frame-format

Syntax
fe1 frame-format { crc4 | no-crc4 }
undo fe1 frame-format

View
E1-F interface view

Parameter
crc4: Adopts CRC4 as the framing format for the E1-F interface.
no-crc4: Adopts no-CRC4 as the framing format for the E1-F interface.

Description
Using the fe1 frame-format command, you can configure the framing format for an E1-F interface. Using the undo fe1 frame-format command, you can restore the default framing format of the interface.

By default, E1-F interfaces use no-crc4.

Example
Set the framing format for the E1-F interface to CRC4.
[3com-Serial0/0/0] fe1 frame-format crc4

fe1 loopback

Syntax
fe1 loopback { local | remote }
undo fe1 loopback [ local | remote ]

View
E1-F interface view

Parameter
local: Places the interface in local loopback.
remote: Places the interface in remote loopback.

Description
Using the fe1 loopback command, you can configure an E1-F interface in local or remote loopback. Using the undo fe1 loopback command, you can disable the local and remote loopback on the interface.

By default, the interfaces are not placed in local or remote loopback.

Local loopback and remote loopback are used for testing the state of the interface or cable itself. These functions should be disabled in normal cases.

On an interface, this command can enable local loopback or remote loopback depending on the argument used, but these two functions cannot be enabled at the same time.

Example
Place the E1-F interface in local loopback.
[3com-Serial0/0/0] fe1 loopback local

fe1 timeslot-list

Syntax
fe1 timeslot-list { all | range }
undo fe1 timeslot-list

View
E1-F interface view

Parameter
all: Binds all the time slots on an interface. The interface rate will become 31 X 64kbps (that is, 1984kbps) after binding.
range: Time slots participating in the binding operation. It is in the range of 1 to 31. When specifying time slots for binding, you can configure a single time slot by using the form of “number”, the time slots in a range by using the form of “number1-number2”, or multiple time slots by using the form of “number1, number2-number3”.

Description
Using the fe1 timeslot-list command, you can configure the time slots that will participate in the binding operation on an E1-F interface. Using the undo fe1 timeslot-list command, you can restore the default setting of time slot binding.

By default, all the time slots on an E1-F interface are bound. That is, the E1-F interface rate defaults to 1984kbps.

The time slot binding operation on an E1-F interface results in a change of interface rate. For example, after the user binds the time slots 1 through 10, the interface rate will become 10 X 64kbps.

If an E1-F interface is working in unframed mode, the fe1 timeslot-list command cannot be configured.

For related commands, see fe1 unframed.

Example
Bind the time slots 1, 2, 5, 10 through 15, and 18 on the E1-F interface.
[3com-Serial0/0/0] fe1 timeslot-list 1,2,5,10-15,18

fe1 unframed

Syntax
fe1 unframed
undo fe1 unframed

View
E1-F interface view

Parameter
None

Description
Using the fe1 unframed command, you can configure an E1-F interface to work in unframed mode. Using the undo fe1 unframed command, you can configure the E1-F interface to work in framed mode.

By default, E1-F interfaces work in framed mode.

When an E1-F interface works in unframed mode, it is an interface of 2048kbps data bandwidth without timeslots. In this case, it is logically equivalent to a synchronous serial interface. When it works in framed mode, however, it is physically divided into 32 time slots numbered in the range of 0 to 31, and time slot 0 is used for transmitting synchronization information.

For related commands, see fe1 timeslot-list.

Example
Set the E1-F interface to work in unframed mode.
[3com-Serial0/0/0] fe1 unframed

T1-F Interface Configuration Commands

ft1 cable

Syntax
ft1 cable { long decibel | short length }
undo ft1 cable

View
T1-F interface view

Parameter
long decibel: Matches the transmission line longer than 655 feet. The argument decibel can take 0db, -7.5db, -15db, or -22.5db, depending on the signal quality at the receiving end. In this case, no external CSU is required.
short length: Matches transmission line shorter than 655 feet. The argument length can take 133ft, 266ft, 399ft, 533ft, and 655ft, depending on the length of transmission line.

Description
Using the ft1 cable command, you can configure the attenuation or length of the transmission line matched by a T1-F interface. Using the undo ft1 cable command, you can restore the default setting.

By default, the transmission line attenuation matched by T1-F interfaces is long 0db.

This command is mainly used for configuring the signal waveform required for different types of transmission. In practice, you can decide whether to use this command according to the signal quality at the receiving end. If the signal quality is acceptable, the default setting can be used.

Example
Set the length of the transmission line matched by the T1-F interface to 133 feet.
[3com-Serial0/0/0] ft1 cable short 133ft

display ft1 serial

Syntax
display ft1 [ serial serial-number ]

View
Any view

Parameter
serial serial-number: Interface type and number. If no interface is specified, the information of all the T1-F interfaces will be displayed.

Description
Using the display ft1 serial command, you can view the configuration and state of T1-F interface. If the specified interface is a serial interface rather than a T1-F interface, the system will display the error prompt “The serial is not a factional interface”.

Example
Display the information of the T1-F interface.
[3com] display ft1 Serial4/0/0
Fractional T1, status is down.
Work mode is framed - 100 OHM balanced.
Framing : ESF, Line Code is B8ZS, Clock : Slave.
Alarm State : Loss-of-Signal.

Table 5 Description of displaying controller FT1 items

Item          Description
Framing       Frame format (crc4/no-crc4)
Line Code     line code format (ami/hdb3)
Clock         Clock mode (master/slave)
Alarm State   Alarm information

ft1 clock

Syntax
ft1 clock { master | slave }
undo ft1 clock

View
T1-F interface view

Parameter
master: Internal clock is used.
slave: Line clock is used.

Description
Using the ft1 clock command, you can configure the clock used by an E1-F or T1-F interface. Using the undo ft1 clock command, you can restore the default clock of the interface.

By default, the interfaces use the slave clock.

For a T1-F interface used as DCE, master clock should be used. If the interface is used as DTE, however, the slave clock should be used.

Example
Set the T1-F interface to use internal clock.
[3com-Serial0/0/0] ft1 clock master

ft1 code

Syntax
ft1 code { ami | b8zs }
undo ft1 code

View
T1-F interface view

Parameter
ami: Adopts AMI line code format.
b8zs: Adopts B8ZS line code format.

Description
Using the ft1 code command, you can configure the line code format for a T1-F interface. Using the undo ft1 code command, you can restore the default line code format of interface.

By default, T1-F interfaces adopt b8zs.

The line code of an interface should be set consistent with that of the peer.

Example
Set the line code format of the T1-F interface to AMI.
[3com-Serial0/0/0] ft1 code ami

ft1 frame-format

Syntax
ft1 frame-format { sf | esf }
undo ft1 frame-format

View
T1-F interface view

Parameter
sf: Adopts SF as the framing format for the T1-F interface.
esf: Adopts ESF as the framing format for the T1-F interface.

Description
Using the ft1 frame-format command, you can configure the framing format for a T1-F interface. Using the undo ft1 frame-format command, you can restore the default framing format of the interface.

By default, T1-F interfaces use esf.

T1-F interfaces support SF and ESF. In SF, multiple frames can share the same frame synchronization and signaling information, so that more significant bits can be used for transmitting user data. In practice, system testing is often required. The application of ESF technology can ensure normal service while a system test is being carried out.

Example
Set the framing format for the T1-F interface to SF.
[3com-Serial0/0/0] ft1 frame-format sf

ft1 loopback

Syntax
ft1 loopback { local | remote }
undo ft1 loopback [ local | remote ]

View
T1-F interface view

Parameter
local: Places the interface in local loopback.
remote: Places the interface in remote loopback.

Description
Using the ft1 loopback command, you can configure a T1-F interface in local or remote loopback. Using the undo ft1 loopback command, you can disable the local and remote loopback on the interface.

By default, the interfaces are not placed in local or remote loopback.

Local loopback and remote loopback are used for testing the state of the interface or cable itself. These functions should be disabled in normal cases.

On an interface, this command can enable local loopback or remote loopback depending on the argument used, but these two functions cannot be enabled at the same time.

Example
Place the T1-F interface in local loopback.
[3com-Serial0/0/0] ft1 loopback local

ft1 timeslot-list

Syntax
ft1 timeslot-list { all | range } [ speed { 56 | 64 } ]
undo ft1 timeslot-list

View
T1-F interface view

Parameter
all: Binds all the time slots on an interface. The interface rate will become 24 X 64kbps (that is, 1536kbps) after binding.
range: Time slots participating in the binding operation. It is in the range of 1 to 24. When specifying time slots for binding, you can configure a single time slot by using the form of “number”, the time slots in a range by using the form of “number1-number2”, or multiple time slots by using the form of “number1, number2-number3”.
speed { 56 | 64 }: Speed in kbps, which is used for time slot binding. If the argument 56 is used, timeslots will be bound into N X 56kbps. If the argument 64 is used, timeslots will be bound into N X 64kbps.

Description
Using the ft1 timeslot-list command, you can configure the time slots that will participate in the binding operation on a T1-F interface. Using the undo ft1 timeslot-list command, you can restore the default setting of time slot binding.

By default, all the time slots on a T1-F interface are bound. That is, the T1-F interface rate defaults to 1536kbps.

When performing time slot binding on a T1-F interface, the speed assigned to a time slot defaults to 64kbps.

The time slot binding operation on a T1-F interface results in a change of interface rate. For example, after the user binds the time slots 1 through 10, the interface rate becomes 10 X 64kbps (or 10 X 56 kbps).

Example
Bind the time slots 1, 2, 5, 10 through 15, and 18 on the T1-F interface.
[3com-Serial0/0/0] ft1 timeslot-list 1,2,5,10-15,18
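
The timeslot-list forms, slot ranges, D-channel rules and N x 56/64 rates described for pri-set, fe1 timeslot-list and ft1 timeslot-list can be checked before a change is sent to a router. The following Python is an added example, not 3Com code: the function names and the LIMITS table are constructed here from the figures on this page, and the assumption is that the router rejects out-of-range or reversed ranges.

```python
import re

# Limits as stated in the command descriptions on this page.
LIMITS = {
    "e1": {"max_slot": 31, "d_channel": 16, "speeds": (64,)},
    "t1": {"max_slot": 24, "d_channel": 24, "speeds": (56, 64)},
}
_ITEM = re.compile(r"(\d+)(?:-(\d+))?", re.ASCII)


class TimeslotError(ValueError):
    """Raised for a timeslot-list that breaks a rule stated on this page."""


def parse_timeslot_list(spec, max_slot):
    """Expand 'number1,number2-number3' into a sorted list of slot numbers."""
    slots = set()
    for item in spec.split(","):
        m = _ITEM.fullmatch(item.strip())
        if m is None:
            raise TimeslotError("not a number or number1-number2: %r" % item)
        first = int(m.group(1))
        last = int(m.group(2)) if m.group(2) else first
        # Assumption: reversed ranges such as 15-10 are treated as errors.
        if not 1 <= first <= last <= max_slot:
            raise TimeslotError("%r is outside 1-%d" % (item, max_slot))
        slots.update(range(first, last + 1))
    return sorted(slots)


def fractional_rate(kind, spec="all", speed=64):
    """Rate in kbps after fe1/ft1 timeslot-list binding (N x speed)."""
    lim = LIMITS[kind]
    if speed not in lim["speeds"]:
        raise TimeslotError("speed %r is not offered for %s" % (speed, kind))
    if spec.strip() == "all":
        count = lim["max_slot"]
    else:
        count = len(parse_timeslot_list(spec, lim["max_slot"]))
    return count * speed


def pri_set_channels(kind, spec=None):
    """Return (B-channel slots, D-channel slot) for a pri-set bundle."""
    lim = LIMITS[kind]
    d_channel = lim["d_channel"]
    if spec is None:
        # No list given: every slot is bundled (30B+D on E1, 23B+D on T1).
        slots = range(1, lim["max_slot"] + 1)
    else:
        slots = parse_timeslot_list(spec, lim["max_slot"])
    b_channels = [s for s in slots if s != d_channel]
    if not b_channels:
        raise TimeslotError(
            "cannot bundle only the D channel (timeslot %d)" % d_channel)
    # The D channel is bundled automatically, whether or not it was listed.
    return b_channels, d_channel


if __name__ == "__main__":
    print(fractional_rate("t1", "1,2,5,10-15,18"))   # list from the example above
    print(pri_set_channels("e1", "1,2,8-12"))
```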

Fundamental CE3 Interface Configuration Commands

clock

Syntax
clock { master | slave }
undo clock

View
CE3 interface view

Parameter
master: Adopts the internal clock mode.
slave: Adopts the line clock mode.

Description
Using the clock command, you can set the clock mode on a CE3 interface. Using the undo clock command, you can restore the default clock mode on the interface.

By default, the CE3 interface adopts the line clock mode (slave).

The clock is selected depending on the connected remote device. If it is a transmission device, the local end will use the line clock. If the CE3 interfaces on the two routers are directly connected, one router should use the internal clock whereas the other router uses the line clock.

Example
Configure the CE3 interface with internal clock.
[3com-E3 1/0/0] clock master

controller e3

Syntax
controller e3 interface-number

View
System view

Parameter
interface-number: CE3 interface number.

Description
Using the controller e3 command, you can enter the CE3 interface view.

For related command, see display controller e3.

Example
Enter the view of the interface E3 1/0/0.
[3com]controller e3 1/0/0
[3com-E3 1/0/0]

display controller e3

Syntax
display controller e3 interface-number

View
Any view

Parameter
interface-number: CE3 interface number.

Description
Using the display controller e3 command, you can view the state information of a CE3 interface.

In addition to the state information of the CE3 interface, the command can display the information of each E1 line on the CE3 interface if the interface is working in CE3 mode.

Example
Display the information related to the interface E3 1/0/0.
[3com]display controller e3 1/0/0
E3 1/0/0 is up
Description : 3Com Routers, E3 1/0 Interface
Applique type is CE3 - 75 OHM unbalanced
Frame-format G751, line code HDB3, clock slave, national-bit 1,loopback not set
Alarm: none
ERROR: 0 BPV, 0 EXZ, 0 FrmErr, 0 FEBE
E3-0 CE1 1 is up
Frame-format NO-CRC4, clock master, loopback not set
E3-0 CE1 2 is up
Frame-format NO-CRC4, clock slave, loopback local
E3-0 CE1 3 is up
Frame-format NO-CRC4, clock slave, loopback remote
E3-0 CE1 4 is up
Frame-format CRC4, clock slave, loopback not set
E3-0 CE1 5 is up
Frame-format NO-CRC4, clock slave, loopback not set
E3-0 CE1 6 is up
Frame-format NO-CRC4, clock slave, loopback not set
E3-0 CE1 7 is up
Frame-format NO-CRC4, clock slave, loopback not set
E3-0 CE1 8 is up
Frame-format NO-CRC4, clock slave, loopback not set
E3-0 CE1 9 is up
Frame-format NO-CRC4, clock slave, loopback not set
E3-0 CE1 10 is up
Frame-format NO-CRC4, clock slave, loopback not set
E3-0 CE1 11 is up
Frame-format NO-CRC4, clock slave, loopback not set
E3-0 CE1 12 is up
Frame-format NO-CRC4, clock slave, loopback not set
E3-0 CE1 13 is up
Frame-format NO-CRC4, clock slave, loopback not set
E3-0 CE1 14 is up
Frame-format NO-CRC4, clock slave, loopback not set
E3-0 CE1 15 is up
Frame-format NO-CRC4, clock slave, loopback not set
E3-0 CE1 16 is up
Frame-format NO-CRC4, clock slave, loopback not set
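
Because loopback is meant for testing only, captured display controller e3 output can be scanned for E1 lines that were left in loopback. The following Python is an added example, not 3Com code: the sample is the example output above abridged to four E1 lines, the function names are constructed here, and the wording "is down" for a line that is not up is an assumption.

```python
import re

# Constructed sample: the example output above, abridged to four E1 lines.
SAMPLE = """\
E3 1/0/0 is up
Description : 3Com Routers, E3 1/0 Interface
Applique type is CE3 - 75 OHM unbalanced
Frame-format G751, line code HDB3, clock slave, national-bit 1,loopback not set
Alarm: none
ERROR: 0 BPV, 0 EXZ, 0 FrmErr, 0 FEBE
E3-0 CE1 1 is up
Frame-format NO-CRC4, clock master, loopback not set
E3-0 CE1 2 is up
Frame-format NO-CRC4, clock slave, loopback local
E3-0 CE1 3 is up
Frame-format NO-CRC4, clock slave, loopback remote
E3-0 CE1 4 is up
Frame-format CRC4, clock slave, loopback not set
"""

# Both patterns use \s+ between fields, so wrapped or flattened captures parse too.
E3_RE = re.compile(
    r"\bE3\s+(?P<name>\d\S*)\s+is\s+(?P<state>\w+)\b.*?"
    r"national-bit\s+\d+,\s*loopback\s+(?P<loopback>not set|\w+)",
    re.S,
)
CE1_RE = re.compile(
    r"\bCE1\s+(?P<line>\d+)\s+is\s+(?P<state>\w+)\s+"
    r"Frame-format\s+(?P<frame>[\w-]+),\s*clock\s+(?P<clock>\w+),"
    r"\s*loopback\s+(?P<loopback>not set|\w+)"
)


def parse_controller_e3(text):
    """Parse the E3 summary and one record per E1 line."""
    top = E3_RE.search(text)
    if top is None:
        raise ValueError("no E3 interface summary found")
    lines = []
    for m in CE1_RE.finditer(text):
        rec = m.groupdict()
        rec["line"] = int(rec["line"])
        lines.append(rec)
    return {"name": top["name"], "state": top["state"],
            "loopback": top["loopback"], "lines": lines}


def audit(text):
    """Return (scope, issue, fix) tuples for anything not in normal operation."""
    status = parse_controller_e3(text)
    scope = "E3 " + status["name"]
    findings = []
    if status["state"] != "up":
        findings.append((scope, "state " + status["state"], None))
    if status["loopback"] != "not set":
        findings.append((scope, "loopback " + status["loopback"], None))
    for rec in status["lines"]:
        scope = "E1 line %d" % rec["line"]
        if rec["state"] != "up":
            findings.append((scope, "state " + rec["state"], None))
        if rec["loopback"] != "not set":
            # Fix follows the 'undo e1 line-number set loopback' syntax on this page.
            findings.append((scope, "loopback " + rec["loopback"],
                             "undo e1 %d set loopback" % rec["line"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```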

e1 channel-set

Syntax
e1 line-number channel-set set-number timeslot-list range
undo e1 line-number channel-set set-number

View
CE3 interface view

Parameter
line-number: E1 line number in the range of 1 to 16.
set-number: The number of the channel-set formed by bundling the timeslots of E1 line, which is in the range of 0 to 30.
range: The number of the timeslots that are bundled, which is in the range of 1 to 31. When specifying the timeslots to be bundled, you can specify a single timeslot by specifying a number, a range of timeslots by specifying a range between number1-number2, or several discrete timeslots by specifying number1, number2-number3.

Description
Using the e1 channel-set command, you can bundle the timeslots of an E1 line. Using the undo e1 channel-set command, you can remove the timeslot bundle.

By default, no timeslots are bundled into channel-sets.

A CE3 interface can be channelized into 64Kbps lines and the timeslots of each E1 line can be bundled up to 31 channels.

When an E1 line operates in framed (CE1) mode, you can bundle the timeslots on it. The system will automatically create a serial interface numbered serial number / line-number:set-number. For example, the serial interface created by the channel-set 0 of the first e1 line on E3 7/0 will be numbered 7/0/1:0. This interface can operate at N x 64 Kbps and has the same logic features as a synchronous serial interface, on which you can make other configurations.

For related command, see e1 unframed.

Example
Bundle a 128Kbps serial interface on the first E1 line on the interface E3 1/0/0.
[3com-E3 1/0/0]e1 1 channel-set 1 timeslot-list 1,2

e1 set clock

Syntax
e1 line-number set clock { master | slave }
undo e1 line-number set clock

View
CE3 interface view

Parameter
line-number: E1 line number in the range of 1 to 16.
master: Adopts the internal clock mode.
slave: Adopts the line clock mode.

Description
Using the e1 set clock command, you can set the clock mode for an E1 line on a CE3 interface. Using the undo e1 clock command, you can restore the default setting.

By default, the E1 lines on a CE3 interface adopt line clock.

The E1 lines on a CE3 interface working in channelized mode are allowed to use separate clocks.

Example
Configure the first E1 line on the E3 interface to adopt line clock mode.
[3com-E3 1/0/0]e1 1 set clock slave

e1 set frame-format

Syntax
e1 line-number set frame-format { crc4 | no-crc4 }
undo e1 line-number set frame-format

View
CE3 interface view

Parameter
line-number: E1 line number in the range of 1 to 16.
crc4: The frame format adopted by an E1 line is crc4.
no-crc4: The frame format adopted by an E1 line is no-crc4.

Description
Using the e1 set frame-format command, you can configure the frame format for an E1 line. Using the undo e1 set frame-format command, you can restore the default setting.

By default, the frame format no-crc4 is used for E1 line.

This command can be configured only if the E1 line is working in framed format (which can be set by using the undo e1 unframed command).

For related command, see e1 unframed.

Example
Configure the first E1 line on the E3 interface to adopt the frame format crc4.
[3com-E3 1/0/0]e1 1 set frame-format crc4

e1 set loopback

Syntax
e1 line-number set loopback { local | remote }
undo e1 line-number set loopback

View
CE3 interface view

Parameter
line-number: E1 line number in the range of 1 to 16.
local: Enables E1 line to perform local loopback.
remote: Enables E1 line to perform remote loopback.

Description
Using the e1 set loopback command, you can set the loopback mode of an E1 line on an E3 interface. Using the undo e1 set loopback command, you can disable loopback on the E1 line.

By default, loopback is disabled on E1 lines.

If an E1 line encapsulated with PPP has been set to perform loopback, it is normal for the state of the link layer protocol to be reported as DOWN.

Example
Set the loopback mode of the first E1 line on the E3 interface to local.
[3com-E3 1/0/0]e1 1 set loopback local

e1 shutdown

Syntax
e1 line-number shutdown
undo e1 line-number shutdown

View
CE3 interface view

Parameter
line-number: E1 line number in the range of 1 to 16.

Description
Using the e1 shutdown command, you can shut down an E1 line on the CE3 interface. Using the undo e1 shutdown command, you can enable the E1 line.
By default, E1 line is enabled.
This command will affect not only the specified E1 line but also the serial interfaces formed by bundling the timeslots of the E1 line. Executing the e1 shutdown command on the specified E1 line will shut down all these serial interfaces and the data transmission and receiving will be stopped as a result. Likewise, executing the undo e1 shutdown command will re-enable all these serial interfaces.

Example
Shut down the first E1 line on the E3 interface.
[3com-E3 1/0/0]e1 1 shutdown

e1 unframed

Syntax
e1 line-number unframed
undo e1 line-number unframed

View
CE3 interface view

Parameter
line-number: E1 line number in the range of 1 to 16.

Description
Using the e1 unframed command, you can set an E1 line on a CE3 interface to work in unframed mode (E1 mode). Using the undo e1 unframed command, you can set the E1 line on the CE3 interface to work in framed mode (CE1 mode).
By default, E1 lines are working in framed mode.
An E1 line in unframed mode does not contain the frame control information and cannot be divided into timeslots. Naturally, no timeslot bundling can be performed on it. In this case, the system automatically creates a serial interface numbered serial number / line-number:0 for it. This interface operates at 2048 Kbps and has the same logic features of a synchronous serial interface on which you can make other configurations.
For related command, see e1 channel-set.

Example
Set the first E1 line on the E3 interface to work in unframed mode.
[3com-E3 1/0/0]e1 1 unframed

loopback

Syntax
loopback { local | payload | remote }
undo loopback

View
CE3 interface view

Parameter
local: Enables the CE3 interface to perform local loopback.
payload: Places the CE3 interface in a remote payload loopback. Data passes the framer in this case and will be looped back after payload is generated.
remote: Enables the CE3 interface to perform remote loopback. Data does not go through the framer in this case and will be looped back before the payload has been generated.

Description
Using the loopback command, you can configure the loopback mode of a CE3 interface. Using the undo loopback command, you can disable the CE3 interface to perform loopback.
By default, loopback is disabled on the CE3 interface.
It is necessary for you to enable the CE3 interface to perform loopback only for the purpose of testing some special functions.
If a CE3 interface encapsulated with PPP has been set to perform loopback, it is normal for the state of the link layer protocol to be reported as DOWN.

Example
Enable the interface E3 1/0/0 to perform local loopback.
[3com-E3 1/0/0] loopback local

national-bit

Syntax
national-bit { 0 | 1 }
undo national-bit

View
CE3 interface view

Parameter
0: Sets the national bit of the CE3 interface to 0.
1: Sets the national bit of the CE3 interface to 1.

Description
Using the national-bit command, you can configure national bit for a CE3 interface. Using the undo national-bit command, you can restore the default setting.
The national bit of CE3 interface defaults to 1.
It is necessary to set the national bit of an E3 interface to 0 only in some special circumstances.
For the related command, see controller e3.

Example
Set the national bit of the interface E3 1/0/0 to 0.
[3com-E3 1/0/0] national-bit 0

using

Syntax
using { e3 | ce3 }
undo using

View
CE3 interface view

Parameter
e3: Sets the CE3 interface to work in unchannelized mode.
ce3: Sets the CE3 interface to work in channelized mode.

Description
Using the using command, you can configure the operating mode of a CE3 interface. Using the undo using command, you can restore the default setting.
By default, the CE3 interface is working in channelized mode.
Only when the CE3 interface is working in channelized mode can you configure the E1 lines on it.
When the CE3 interface is working in unchannelized mode, the system automatically creates a serial interface numbered serial number / 0:0 for it. This interface operates at 34.368 Mbps and has the same logic features of a synchronous serial interface on which you can make other configurations.
For related command, see controller e3.

Example
Configure the interface E3 1/0/0 to work in unchannelized mode.
[3com-E3 1/0/0]using e3

Fundamental CT3 Interface Configuration Commands

cable

Syntax
cable feet
undo cable

View
CT3 interface view

Parameter
feet: Cable length in the range of 0 to 450 feet.

Description
Using the cable command, you can configure the length of the cable with which a CT3 interface is connected. Using the undo cable command, you can restore the default length of the cable with which the CT3 interface is connected.
The parameter feet defaults to 49.
The length of the cable for CT3 interface connection refers to the distance between the router and the cable distribution rack.

Example
Set the cable length to 50 feet for the interface T3 1/0/0.
[3com-T3 1/0/0]cable 50

clock

Syntax
clock { master | slave }
undo clock

View
CT3 interface view

Parameter
master: Adopts the internal clock mode.
slave: Adopts the line clock mode.

Description
Using the clock command, you can set the clock mode on a CT3 interface. Using the undo clock command, you can restore the default clock mode on the interface.
By default, the CT3 interface adopts the line clock mode (slave).
The clock is selected depending on the connected remote device. If it is a transmission device, the local end will use the line clock. If the CT3 interfaces on the two routers are directly connected, one router should use the internal clock whereas the other router uses the line clock.

Example
Configure the CT3 interface with internal clock.
[3com-T3 1/0/0]clock master

controller t3

Syntax
controller t3 interface-number

View
System view

Parameter
interface-number: CT3 interface number.

Description
Using the controller t3 command, you can enter the CT3 interface view.
For the related command, see display controller t3.

Example
Enter the view of the interface T3 1/0/0.
[3com]controller t3 1/0/0
[3com-T3 1/0/0]

crc

Syntax
crc { 16 | 32 | no-crc }
undo crc

View
Synchronous serial interface view

Parameter
16: Adopt 16-bit CRC.
32: Adopt 32-bit CRC.
no-crc: Adopt no CRC.

Description
Using the crc command, you can configure CRC mode of the serial interface formed by CT3. Using the undo crc command, you can restore the default setting.
By default, 16-bit CRC is used.
For the related commands, see t1 channel-set, t1 unframed, and using.

Example
Apply 32-bit CRC to the serial interface formed by the interface T3 1/0/0 in unchannelized mode.
[3com-Serial1/0/0:0] crc 32

frame-format

Syntax
frame-format { c-bit | m23 }
undo frame-format

View
CT3 interface view

Parameter
c-bit: Sets the frame format to C-bit.
m23: Sets the frame format to m23.

Description
Using the frame-format command, you can configure the frame format used by a CT3 interface. Using the undo frame-format command, you can restore the default frame format used by the CT3 interface.
By default, the CT3 interface adopts the C-bit frame format.

Example
Set the frame format of the interface T3 1/0/0 to m23.
[3com-T3 1/0/0] frame-format m23

loopback

Syntax
loopback { local | payload | remote }
undo loopback

View
CT3 interface view

Parameter
local: Enables the CT3 interface to perform local loopback.
payload: Places the CT3 interface in an external payload loop. Data passes the framer in this case and will be looped back after payload is generated.
remote: Enables the CT3 interface to perform remote loopback. Data does not go through the framer in this case and will be looped back before the payload has been generated.

Description
Using the loopback command, you can configure the loopback mode of a CT3 interface. Using the undo loopback command, you can disable the CT3 interface to perform loopback.
By default, loopback is disabled on the CT3 interface.
Loopback is usually used for some special detection. It should not be enabled in normal working condition.
If a CT3 interface encapsulated with PPP has been set to perform loopback, it is normal for the state of its link layer protocol to be reported as DOWN.

Example
Enable the interface T3 1/0/0 to perform local loopback.
[3com-T3 1/0/0]loopback local

t1 channel-set

Syntax
t1 line-number channel-set set-number timeslot-list range [ speed { 56k | 64k } ]
undo t1 line-number channel-set set-number

View
CT3 interface view

Parameter
line-number: T1 line number in the range of 1 to 28.
set-number: The number of the channel-set formed by bundling the timeslots of T1 line, which is in the range of 0 to 23.
range: The number of the timeslots that are bundled, which is in the range of 1 to 24. When specifying the timeslots to be bundled, you can specify a single timeslot by specifying a number, a range of timeslots by specifying a range between number1-number2, or several discrete timeslots by specifying number1, number2-number3.
speed: Timeslot bundling mode. If 56k is selected, the timeslots will be bundled into N x 56 Kbps. If 64k is selected, the timeslots will be bundled into N x 64 Kbps. Speed defaults to 64k.

Description
Using the t1 channel-set command, you can bundle the timeslots of a T1 line. Using the undo t1 channel-set command, you can remove the timeslot bundle.
By default, no timeslots are bundled into channel-sets.
When a T1 line operates at framed (CT1) mode, you can bundle the timeslots on it. The system will automatically create a serial interface numbered serial number / line-number:set-number for the channel-set. This interface operates at N x 64 Kbps (or N x 56 Kbps) and has the same logic features of a synchronous serial interface on which you can make other configurations.
For a related command, see t1 unframed.

Example
Bundle a 128 Kbps serial interface on the first T1 line on the interface T3 1/0/0.
[3com-T3 1/0/0]t1 1 set channel-set 1 timeslot-list 1,2
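
The range syntax and the N x 56/64 Kbps rates described above can be checked before a change is pushed to a router. The following Python is an added example, not part of the 3Com manual: it validates t1 channel-set commands against the limits stated in this entry and computes each bundle's rate. The function names are hypothetical, the optional "set" keyword is accepted because the Example line uses it while the Syntax line does not, and the rule that a timeslot may belong to only one channel-set on a T1 line is an assumption not stated on this page.

```python
import re

# Limits taken from the "t1 channel-set" parameter description.
T1_LINES = range(1, 29)       # line-number: 1 to 28
SET_NUMBERS = range(0, 24)    # set-number: 0 to 23
TIMESLOTS = range(1, 25)      # timeslots: 1 to 24
SLOT_KBPS = {"56k": 56, "64k": 64}

# The Syntax line has no "set" keyword but the page's Example has one,
# so the keyword is treated as optional here.
CMD_RE = re.compile(
    r"^t1\s+(\d+)\s+(?:set\s+)?channel-set\s+(\d+)\s+timeslot-list\s+(\S+)"
    r"(?:\s+speed\s+(56k|64k))?$"
)


def parse_timeslot_list(spec):
    """Expand '1,2' or '1-3,5,8-10' into a sorted list of timeslots."""
    slots = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not m:
            raise ValueError(f"bad timeslot item: {part!r}")
        first = int(m.group(1))
        last = int(m.group(2) or first)
        if first > last:
            raise ValueError(f"descending range: {part!r}")
        for slot in range(first, last + 1):
            if slot not in TIMESLOTS:
                raise ValueError(f"timeslot {slot} outside 1-24")
            if slot in slots:
                raise ValueError(f"timeslot {slot} listed twice")
            slots.add(slot)
    return sorted(slots)


def parse_channel_set(command):
    """Validate one command and return its line, set, slots and rate."""
    m = CMD_RE.match(command.strip())
    if not m:
        raise ValueError(f"not a t1 channel-set command: {command!r}")
    line, set_no = int(m.group(1)), int(m.group(2))
    if line not in T1_LINES:
        raise ValueError(f"T1 line {line} outside 1-28")
    if set_no not in SET_NUMBERS:
        raise ValueError(f"set-number {set_no} outside 0-23")
    speed = m.group(4) or "64k"          # speed defaults to 64k
    slots = parse_timeslot_list(m.group(3))
    return {"line": line, "set": set_no, "slots": slots,
            "speed": speed, "kbps": len(slots) * SLOT_KBPS[speed]}


def plan(commands):
    """Accept commands in order; report reuse of a set-number or timeslot.

    Assumption (not from the manual): a timeslot on one T1 line can be
    bundled into only one channel-set.
    """
    bundles, owner, conflicts = {}, {}, []
    for command in commands:
        b = parse_channel_set(command)
        key = (b["line"], b["set"])
        if key in bundles:
            conflicts.append(f"T1 {b['line']}: channel-set {b['set']} defined twice")
            continue
        clash = [s for s in b["slots"] if (b["line"], s) in owner]
        if clash:
            conflicts.append(
                f"T1 {b['line']}: timeslots {clash} of channel-set "
                f"{b['set']} are already bundled")
            continue
        for s in b["slots"]:
            owner[(b["line"], s)] = b["set"]
        bundles[key] = b
    return bundles, conflicts


if __name__ == "__main__":
    # Constructed input; the first line is the Example from this entry.
    demo = ["t1 1 set channel-set 1 timeslot-list 1,2",
            "t1 1 channel-set 2 timeslot-list 2-6 speed 56k"]
    accepted, problems = plan(demo)
    for b in accepted.values():
        print(b["line"], b["set"], b["slots"], b["kbps"], "Kbps")
    print(problems)
```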

t1 set clock

Syntax
t1 line-number set clock { master | slave }
undo t1 line-number set clock

View
CT3 interface view

Parameter
line-number: T1 line number in the range of 1 to 28.
master: Adopts the internal clock.
slave: Adopts the line clock.

Description
Using the t1 set clock command, you can set the clock mode for a T1 line on a CT3 interface. Using the undo t1 set clock command, you can restore the default setting.
By default, the T1 lines on a CT3 interface adopt line clock.
The E1 lines on a CE3 interface working in channelized mode are allowed to use separate clocks.

Example
Configure the first T1 line on the T3 interface to adopt line clock.
[3com-T3 1/0/0]t1 1 set clock slave

t1 set frame-format

Syntax
t1 line-number set frame-format { esf | sf }
undo t1 line-number set frame-format

View
CT3 interface view

Parameter
line-number: T1 line number in the range of 1 to 28.
esf: Set the T1 line to use the Extended Super Frame (ESF) format.
sf: Set the T1 line to use the Super Frame (SF) format.

Description
Using the t1 set frame-format command, you can configure the frame format of T1 line. Using the undo t1 set frame-format command, you can restore the default setting.
By default, the frame format of T1 line is esf.
Only if a T1 line is working in framed format (which can be set by using the undo t1 unframed command) can this command be configured.
For the related commands, see t1 set unframed and using.

Example
Adopt the frame format SF for the first T1 line on the T3 interface.
[3com-T3 1/0/0]t1 1 set frame-format sf

t1 set loopback

Syntax
t1 line-number set loopback { local | remote }
undo t1 line-number set loopback

View
CT3 interface view

Parameter
line-number: T1 line number in the range of 1 to 28.
local: Enables the T1 line to perform local loopback.
remote: Enables the T1 line to perform remote loopback.

Description
Using the t1 set loopback command, you can set the loopback mode of a T1 line on a T3 interface. Using the undo t1 set loopback command, you can disable the T1 line to loop back.
By default, T1 lines are disabled to loop back.
If a T1 line encapsulated with PPP has been set to perform loopback, it is normal for the state of its link layer protocol to be reported as DOWN.
Loopback is usually used for some special tests. It should not be enabled in normal working condition.

Example
Set the loopback mode on the first T1 line on the T3 interface to local.
[3com-T3 1/0/0]t1 1 set loopback local

t1 shutdown

Syntax
t1 line-number shutdown
undo t1 line-number shutdown

View
CT3 interface view

Parameter
line-number: T1 line number in the range of 1 to 28.

Description
Using the t1 shutdown command, you can shut down a T1 line on the CT3 interface. Using the undo t1 shutdown command, you can enable the T1 line.
By default, T1 line is enabled.
This command will affect not only the specified T1 line but also the serial interfaces formed by bundling the timeslots of the T1 line. Executing the t1 shutdown command on the specified T1 line will shut down all these serial interfaces and the data transmission and receiving will be stopped as a result. Likewise, executing the undo t1 shutdown command will re-enable all these serial interfaces.

Example
Shut down the first T1 line on the T3 interface.

[3com-T3 1/0/0]t1 1 shutdown

t1 unframed

Syntax
t1 line-number unframed [ speed { 56k | 64k } ]
undo t1 line-number unframed

View
CT3 interface view

Parameter
line-number: T1 line number in the range of 1 to 28.
speed: Timeslot bundling mode. If 56k is selected, the timeslots will be bundled into N x 56 Kbps. If 64k is selected, the timeslots will be bundled into N x 64 Kbps. Speed defaults to 64k.

Description
Using the t1 unframed command, you can set a T1 line on a CT3 interface to work in unframed mode (T1 mode). Using the undo t1 unframed command, you can set the T1 line on the CT3 interface to work in framed mode (CT1 mode).
By default, T1 lines are working in framed mode.
A T1 line in unframed mode does not contain the frame control information and cannot be divided into timeslots. Naturally, no timeslot bundling can be performed on it. In this case, the system automatically creates a serial interface numbered serial number / line-number:0 for it. This interface operates at 1544 Kbps and has the same logic features of a synchronous serial interface on which you can make other configurations.
For the related command, see t1 channel-set.

Example
Set the first T1 line on the T3 interface to work in unframed mode.
[3com-T3 1/0/0]t1 1 unframed

using

Syntax
using { t3 | ct3 }

View
CT3 interface view

Parameter
t3: Sets the CT3 interface to work in unchannelized mode.
ct3: Sets the CT3 interface to work in channelized mode.

Description
Using the using command, you can configure the operating mode of a CT3 interface. Using the undo using command, you can restore the default setting.
By default, the CT3 interface is working in channelized mode.
Only when the CT3 interface is working in channelized mode can you configure the T1 lines on it.
When the CT3 interface is working in unchannelized mode, the system automatically creates a serial interface numbered serial number / 0:0 for it. This interface operates at 44.736 Mbps and has the same logic features of a synchronous serial interface on which you can make other configurations.

Example
Configure the interface T3 1/0/0 to work in unchannelized mode.
[3com-T3 1/0/0]using t3

display controller t3

Syntax
display controller t3 interface-number

View
Any view

Parameter
interface-number: CT3 interface number.

Description
Using the display controller t3 command, you can view the state information of a CT3 interface.
In addition to the state information of the CT3 interface, the command can display the information of each T1 line on the CT3 interface if the interface is working in CT3 mode.

Example
Display the information related to the interface T3 1/0/0.
[3com]display controller t3 1/0/0
T3 1/0/0 is down
Description : 3Com Routers, T3 1/0 Interface
Frame-format C-BIT Parity, line code B3ZS, cable 49 feet, clock slave, loopback not set
Alarm: none
ERROR: 0 BiPolarViolation, 0 EXcessiveZero, 1 FrameError
0 ParityBitError, 0 C-BitParityBitError, 0 FarEndBlockError

ATM E3/T3 Interface Configuration Commands

cable

Syntax
cable { long | short }
undo cable

View
ATM T3 Interface view

Parameter
long: Long distance mode. Cable length ranges from 151 to 500 meters.
short: Short distance mode. Cable length ranges from 0 to 150 meters.

Description
Using the cable command, you can configure the cable mode of the ATM T3 cable, to set the distance between the router and the cable distribution frame. Using the undo cable command, you can restore the default setting.
By default, short distance mode is used.

Example
Set the cable length mode of ATM T3 1/0/0 to long.
<3com> system-view
[3com] interface atm 1/0/0
[3com-Atm1/0/0] cable long

clock

Syntax
clock { master | slave }
undo clock

View
ATM E3/T3 interface view.

Parameter
master: Sets the clock mode of ATM E3/T3 to master mode.
slave: Sets the clock mode of ATM E3/T3 to slave mode.

Description
Using the clock command, you can set the clock mode of ATM E3/T3 interface. Using the undo clock command, you can restore the default setting.

By default, the clock mode of ATM E3/T3 interface is slave mode.

Example
Set clock mode of ATM E3/T3 interface 2/0/0 as master.
<3com> system-view
[3com] interface atm 2/0/0
[3com-Atm2/0/0] clock master

display interface atm

Syntax
display interface atm [ interface-number ]

View
Any view

Parameter
interface-number: Interface number of ATM E3/T3.

Description
Using the display interface atm command, you can view the configuration and status of ATM E3/T3 interface. If no interface-number is specified, the system will display the configuration and status of all ATM interfaces.

Example
View the configuration and status of ATM E3/T3 interface 1/1/0.
<3com> display interface atm 1/1/0

frame-format

Syntax
frame-format { g832-adm | g751-adm | g751-plcp }
frame-format { cbit-adm | cbit-plcp | m23-adm | m23-plcp }
undo frame-format

View
ATM E3/T3 interface view

Parameter
g832-adm: Configures frame format of ATM E3 as G.832 ATM direct mapping.
g751-adm: Configures frame format of ATM E3 as G.751 ATM direct mapping.
g751-plcp: Configures frame format of ATM E3 as G.751 Physical Layer Convergence Protocol (PLCP).
cbit-adm: Configures frame format of ATM T3 as C-bit ATM direct mapping.
cbit-plcp: Configures frame format of ATM T3 as C-bit PLCP.
m23-adm: Configures frame format of ATM T3 as M23 ATM direct mapping.
m23-plcp: Configures frame format of ATM T3 as M23 PLCP.

Description
Using the frame-format command, you can configure frame format of ATM E3/T3 interface. Using the undo frame-format command, you can restore the default configuration.
By default, frame format g751-plcp is used for ATM E3 and cbit-plcp used for ATM T3.

Example
Configure ATM E3 interface 1/0/0 to use frame format G.832 ADM.
<3com> system-view
[3com] interface atm 1/0/0
[3com-Atm1/0/0] frame-format g832-adm

loopback

Syntax
loopback { cell | local | payload | remote }
undo loopback

View
ATM E3/T3 interface view

Parameter
cell: Internal cell loopback.
local: Internal loopback.
payload: External payload loopback.
remote: External line loopback.

Description
Using the loopback command, you can enable the loopback function of the interface. Using the undo loopback command, you can disable the loopback function.
By default, loopback is disabled.

Example
Enable external payload loopback of ATM E3/T3 interface 2/0/0.
<3com> system-view
[3com] interface atm 2/0/0
[3com-Atm2/0/0] loopback payload

scramble

Syntax
scramble
undo scramble

View
ATM E3/T3 interface view

Parameter
None

Description
Using the scramble command, you can enable scrambling function of ATM E3/T3 interface. Using the undo scramble command, you can disable the scrambling function.
By default, the scrambling function of ATM E3/T3 interface is enabled.
The scramble command is used to enable the scramble and descramble function on payload, with no influence on the cell header.

Example
Disable the scramble function of ATM E3/T3 interface 2/0/0.
<3com> system-view
[3com] interface atm 2/0/0
[3com-Atm2/0/0] undo scramble

ATM OC-3c/STM-1 Interface Configuration Commands

clock

Syntax
clock { master | slave }
undo clock

View
ATM interface view

Parameter
master: Adopts the internal clock mode.
slave: Adopts the line clock mode.

Description
Using the clock command, you can set the clock mode on an ATM interface. Using the undo clock command, you can restore the default clock mode on the interface.
By default, the ATM interface adopts the slave clock.
When an ATM interface is working as DCE, choose the master clock mode. When it is working as DTE, choose the slave clock mode for it. When ATM interfaces of two routers are directly connected by fiber, one end should be configured with the master clock mode and the other with the slave clock mode.

Example
Adopt the master clock on the ATM interface 4/0/0.
<3com> system-view
[3com] interface atm 4/0/0
[3com-Atm4/0/0] clock master

display interface atm

Syntax
display interface atm [ interface-number ]

View
Any view

Parameter
interface-number: Interface number. If no interface has been specified, the configuration and state information of all the ATM interfaces will be displayed.

Description
Using the display interface atm command, you can view the configuration and state information of ATM OC-3c/STM-1 interface(s).

Example
View the configuration and state information of the ATM interface 4/0/0.
<3com> display interface atm 4/0/0

frame-format

Syntax
frame-format { sdh | sonet }
undo frame-format

View
ATM interface view

Parameter
sdh: Sets the frame format to SDH STM-1.
sonet: Sets the frame format to SONET OC-3.

Description
Using the frame-format command, you can set the frame format of ATM OC-3c/STM-1 interface. Using the undo frame-format command, you can restore the default setting.
The frame format on the ATM OC-3c/STM-1 interface defaults to SONET.

Example
Set the frame format on the ATM OC-3c/STM-1 interface to SDH.
[3com-Atm4/0/0] frame-format sdh

loopback

Syntax
loopback { cell | local | remote }
undo loopback

View
ATM interface view

Parameter
cell: Enables the ATM interface to perform cell loopback.
local: Enables the ATM interface to perform local loopback.
remote: Enables the ATM interface to perform the remote loopback.

Description
Using the loopback command, you can enable the loopback function on an ATM OC-3c/STM-1 interface. Using the undo loopback command, you can disable the loopback function.
By default, loopback function is disabled.
It is necessary for you to enable the interface to perform loopback only for the purpose of testing some special functions. You should not enable the loopback function when the interface is providing normal services.

Example
Enable the ATM interface to perform local loopback.
[3com-Atm4/0/0] loopback local
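
The loopback entries in this chapter all say that loopback is for testing and should not stay enabled while the interface carries normal services. The following Python is an added example, not part of the 3Com manual: it replays a CLI session in the prompt format used on this page and reports every loopback that is still active at the end. The transcript is constructed, the function names are hypothetical, and hostnames are assumed to contain no hyphen.

```python
import re

# Prompt format used in this reference: [hostname-view]command.
# Assumption: the hostname contains no "-" and the view name no "]".
PROMPT_RE = re.compile(r"^\[([^\]-]+)-([^\]]+)\]\s*(.*)$")

# Command forms taken from the Syntax lines of the loopback entries.
IFACE_LOOP_RE = re.compile(r"^loopback\s+(cell|local|payload|remote)$")
LINE_LOOP_RE = re.compile(r"^(e1|t1)\s+(\d+)\s+set\s+loopback\s+(local|remote)$")
UNDO_LINE_RE = re.compile(r"^undo\s+(e1|t1)\s+(\d+)\s+set\s+loopback$")


def active_loopbacks(transcript):
    """Replay a session and return loopbacks left enabled.

    Returns a sorted list of (view, scope, mode) tuples, where scope is
    "interface" for the whole interface or e.g. "t1 3" for a single line.
    """
    state = {}
    for raw in transcript.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue  # system view, user view, or command output
        view = m.group(2).strip()
        command = " ".join(m.group(3).split())

        if command == "undo loopback":
            state.pop((view, "interface"), None)
            continue
        hit = IFACE_LOOP_RE.match(command)
        if hit:
            state[(view, "interface")] = hit.group(1)
            continue
        hit = LINE_LOOP_RE.match(command)
        if hit:
            state[(view, f"{hit.group(1)} {int(hit.group(2))}")] = hit.group(3)
            continue
        hit = UNDO_LINE_RE.match(command)
        if hit:
            state.pop((view, f"{hit.group(1)} {int(hit.group(2))}"), None)
    return sorted((view, scope, mode) for (view, scope), mode in state.items())


def report(findings):
    """Render findings as text lines for a change-review ticket."""
    return [
        f"{view}: {scope} loopback {mode} still enabled "
        "(PPP link layer on this path is expected to report DOWN)"
        for view, scope, mode in findings
    ]


# Constructed session transcript, written in the style of this page.
SAMPLE = """\
[3com]controller t3 1/0/0
[3com-T3 1/0/0]t1 1 set loopback local
[3com-T3 1/0/0]t1 2 set loopback remote
[3com-T3 1/0/0]undo t1 2 set loopback
[3com-T3 1/0/0]loopback payload
[3com-Atm4/0/0] loopback local
[3com-Atm4/0/0] undo loopback
[3com-E3 1/0/0]e1 1 set loopback local
"""

if __name__ == "__main__":
    for line in report(active_loopbacks(SAMPLE)):
        print(line)
```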

scramble

Syntax
scramble
undo scramble

View
ATM interface view

Parameter
None

Description
Using the scramble command, you can enable the ATM OC-3c/STM-1 interface to scramble the payload. Using the undo scramble command, you can disable the scrambling function.
By default, the ATM OC-3c/STM-1 interface is enabled to scramble the payload.
Executing the scramble command will make an interface scramble and descramble the payload but will not affect the cell headers.

Example
Disable the ATM interface to scramble the payload.
[3com-Atm4/0/0] undo scramble

ADSL Interface Configuration Commands

activate

Syntax
activate
undo activate

View
ADSL interface view

Parameter
None

Description
Using the activate command, you can activate an ADSL interface. Using the undo activate command, you can deactivate an ADSL interface.
By default, the ADSL interface is active.

Before an ADSL port can operate services, you must activate it. “ACTIVATE” in this particular context refers to the training conducted between an ADSL central office and a remote ATU-R. The activation procedure will be specified in compliance with the ADSL standard, channel mode, uplink and downlink speeds, and the noise tolerance specified in the line configuration template. It will test the line distance and state, have the central office and the remote device negotiate, and confirm whether normal operation is allowed in these conditions. If the training succeeds, the central office and the remote device can set up a communication connection for transporting services between them. This process is also called port activation.
This connection will disappear upon the deactivation of the ADSL port. To transport new services, you must re-activate the port.
This command is used to manually activate/deactivate an ADSL line for the purpose of testing and troubleshooting.
The commands activate/undo activate and shutdown/undo shutdown are different because the former can only take effect on ADSL lines.
You should note that ADSL is always online, which is different from DCC. Therefore, after the device is booted, the ADSL interface will automatically enable the activation task and enter the active state. It will stay active as long as the line is in good condition. The router tests the line performance at a regular interval and will automatically deactivate the line and perform a new training and re-activation once it finds out that the line performance has deteriorated.

Example
Deactivate the ADSL interface.
[3com-Atm1/0]undo activate

adsl standard

Syntax
adsl standard { auto | gdmt | glite | t1413 }
undo adsl standard

View
ADSL interface view

Parameter
auto: Auto-sensing mode.
gdmt: Adopts the G.DMT (G992.1) standard.
glite: Adopts the G.Lite (G992.2) standard.
t1413: Adopts the T1.413 standard.

Description
Using the adsl standard command, you can set the standard applied to an ADSL interface. Using the undo adsl standard command, you can restore the default standard used by the ADSL interface.

By default, the ADSL standard is set to auto.
You should note that this configuration does not take effect unless you activate the interface again. If you want to make it take effect immediately, you can execute the shutdown/undo shutdown command or the activate/undo activate command.

Example
Set the standard for the interface atm1/0/0 as T1.413.
[3com-Atm1/0/0]adsl stand t1413
[3com-Atm1/0/0]shutdown
Interface Atm1/0/0 has already been shutdown
[3com-Atm1/0/0]undo shutdown
[3com-Atm1/0/0]
%Nov 20 21:17:12 2003 5680 PHY/2/PHY: Atm1/0: change status to up
%Nov 20 21:17:13 2003 5680 IFNET/5/UPDOWN:Line protocol on the interface Atm1/0/0 turns into UP state
[3com-Atm1/0/0]display dsl configuration int atm 1/0/0
Line Params Set by User
Standard: T1.413
Annex: A
Framing: 3
Coding Gain(dB): Auto
Tx Pow Attn(dB): 0
Bit-Swap: disable
LinkCheck: Enable
Actual Config Near End Far End
Standard: T1.413 T1.413
Trellis Coding: Enable Enable
Framing: 3 3
Vendor ID: 0x0039 0x0004
AS0 (DS) LS0(US)
Rate(Bytes): 238 26
Rate(kbps): 7616 832
Latency: Intlv Intlv
FEC(fast): 0 0
S/D/R(Inlv): 1/64/16 8/8/16
DMT Bits Allocation Per Bin (Up/Down Bits:249/2148)
00: 0 0 0 0 0 0 7 8 a a a a 8 a b c c c b b b b b b 9 9 a a 9 8 8 0
20: 0 0 0 0 2 2 2 3 4 4 5 6 6 7 7 8 8 8 8 8 9 9 a a a a a a a 8 9 a
40: 0 a a a a b b b b b a b b b b b b b b b b b b b b b b b b b b b
60: b b b b b b b b b b b b b b b b b b b a 9 4 a b b b b b b b b b
80: b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b
a0: b b b a b a b a b b a b b b b b a a b a a b b a a a a a a a a a
c0: a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
e0: a 9 9 a 9 9 9 9 9 9 8 9 9 9 9 9 9 9 9 9 8 8 8 8 8 7 7 7 7 6 6 6

adsl tx_attenuation

Syntax
adsl tx_attenuation attenuation
undo adsl tx_attenuation

View
ADSL interface view

Parameter
attenuation: Attenuation value, in the range of 0~12. By default, it is 0.

Description
Using the adsl tx_attenuation command, you can set attenuation value for ADSL transmit power. Using the undo adsl tx_attenuation command, you can restore the default value.

Example
[3com-Atm1/0/0] adsl tx_attenuation 10

display dsl configuration

Syntax
display dsl configuration interface atm interface-number

View
Any view

Parameter
interface-number: Interface number.

Description
Using the display dsl configuration command, you can display the actual ADSL configuration information.

Example
Display the actual ADSL configuration information.
[3com-Atm1/0]display dsl configuration interface atm 1/0
Line Params Set by User
Standard: T1.413
Annex: A
Framing: 3
Coding Gain(dB): Auto
Tx Pow Attn(dB): 0
Bit-Swap: disable
LinkCheck: Enable
Actual Config Near End Far End
Standard: T1.413 T1.413
Trellis Coding: Enable Enable
Framing: 3 3
Vendor ID: 0x0039 0x0004
AS0 (DS) LS0(US)
Rate(Bytes): 238 26
Rate(kbps): 7616 832
Latency: Intlv Intlv
FEC(fast): 0 0
S/D/R(Inlv): 1/64/16 8/8/16
DMT Bits Allocation Per Bin (Up/Down Bits:249/2148)
00: 0 0 0 0 0 0 7 8 a a a a 8 a b c c c b b b b b b 9 9 a a 9 8 8 0
20: 0 0 0 0 2 2 2 3 4 4 5 6 6 7 7 8 8 8 8 8 9 9 a a a a a a a 8 9 a
40: 0 a a a a b b b b b a b b b b b b b b b b b b b b b b b b b b b
60: b b b b b b b b b b b b b b b b b b b a 9 4 a b b b b b b b b b
80: b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b
a0: b b b a b a b a b b a b b b b b a a b a a b b a a a a a a a a a
c0: a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
e0: a 9 9 a 9 9 9 9 9 9 8 9 9 9 9 9 9 9 9 9 8 8 8 8 8 7 7 7 7 6 6 6

Table 6 Displaying information of display dsl configuration
Field | Description
Line Params Set by User | Line parameters at ATU-R end, for example, standard, DMT mode, framing, trellis coding or not. You can only modify the standard for special testing or diagnosis, but not the others.
The following information appears after the link is activated.
Actual Config | Actual operating parameters after the link is activated
Rate(kbps) | Negotiated rate, AS0 (DS) downlink and LS0 (US) uplink, in units of kbps
Latency | Delay mode and the options include fast and interleave.

display dsl status

Syntax
display dsl status interface atm interface-number

View
Any view

Parameter
interface-number: Interface number.

Description
Using the display dsl status command, you can display the DSL state information.

Example
Display the ADSL state information of the interface 1/0/0.
[3com-Atm1/0/0]display dsl status interface atm 1/0/0
State of driver/chipsets
Phy Op State: Active
Xcvr Op State: Data Mode
Active Params Near End Far End
SNR Margin(dB): 16.0 3.0

Attenuation(dB): Coding Gain(dB): Tx Power(dBm): Tx Bin Number: Rate(kbps): Adsl Count SEF(sef): LOS(los): RSI(fec-I): RSF(fec-F): CRCI(crc-I): CRCF(crc-F): ATM Count NCDI(ncd-I): NCDF(ncd-F): OCDI(ocd-I): OCDF(ocd-F): HECI(hec-I): HECF(hec-F): Adsl Defects Overall: SEF(sef): LOS(LOS): ATM Defects NCDI(ncd-I): NCDF(ncd-F): LCDI(lcd-I): LCDF(lcd-F):

1.0 2.0 5.5 8.3 21.7 25 219 832 7616 Near End Far End 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0 0

0 0 0 0 0 0

Table 7 Displaying information with display dsl status
Field | Description
State of driver/chipsets | Interface state and transceiver state
Phy | Interface state and options include activating, active, startup, deactivated and test mode
Xcvr | Transceiver state and options include idle, data mode, handshaking and training.
The following information appears after the link is activated.
Active Params | Link parameters, which include SNR margin, attenuation, Tx Bin Number etc. The Present rate(kbps) is consistent with the result of the display dsl configuration command.
Adsl Count | Error and correction statistics from the chipset. For their types, refer to ITU-T G.992 and ANSI T1.413-1998.
Adsl Defects | It shows the current link situation. When the link has deteriorated, non-zero value may appear. While it turns to normal or is activated again, those existing statistics are cleared. The Overall failures value is an aggregate value, but others are not.

display dsl version

Syntax
display dsl version interface atm interface-number

View
Any view

Parameter
interface-number: Interface number.

Description
Using the display dsl version command, you can display the DSL version information and the supported capabilities.

Example
Display the ADSL version information.
[3com-Atm1/0/0]display dsl version interface atm 1/0/0
Adsl board chipset and version info
  Dsl Line Type: Adsl Over Pots
  Dsl Line Type: Adsl Over Pots
  ATM SAR Device: 0x823614f1
  ATM SAR Revision: 0x02
  Chipset Vendor: GSPN
  FW Release: T7941
  Revision: 1
  DSP Version: 0
  AFE Version: 0
  PCB Version: 0.0
  CPLD Version: 1.0
  Driver Version: 2.0
  Hardware Version: 1.0
Adsl Capability
  ANSI T1.413 Issue 2: Supported
  ITU G992.1 ANNEX A: Supported
  ITU G992.2 : Supported

Fundamental Logical Interface Configuration Commands

This chapter only discusses basic configuration of logical interfaces. For configuration of link-layer and network-layer protocols, refer to corresponding sections in this guide.

Sub-Interface Configuration Commands

interface

Syntax
interface interface-type interface-number.subinterface-number [ p2mp | p2p ]
undo interface interface-type interface-number.subinterface-number

View
System view

Parameter
interface-type: Type of interface.
interface-number: Number of interface, including slot number, card number, and port number.
subinterface-number: Number of sub-interface, ranging from 0 to 4096.
p2mp: Configures the type of sub-interface as point to multipoint.
p2p: Configures the type of sub-interface as point to point.

Description
Using the interface command, you can create a sub-interface of point to multipoint or point to point type. Using the undo interface command, you can delete the specified sub-interface.
By default, the type of sub-interface is point to multipoint.
Presently, point to multipoint or point to point sub-interfaces can be configured on an ATM interface, or on an interface with frame relay or X.25 as its link layer protocol type. In contrast, a sub-interface of Ethernet is of broadcast type. Up to 1024 sub-interfaces can be created for one main interface.

Example
Create a sub-interface on ATM interface 2/0/0.
<3com> system-view
[3com] interface atm 2/0/0.1
[3com-Atm2/0/0.1]

interface ethernet

Syntax
interface ethernet interface-number.subinterface-number
undo interface ethernet interface-number.subinterface-number

View
System view

Parameter
interface-number: Number of interface, including slot number, card number, and port number.
subinterface-number: Number of sub-interface, ranging from 0 to 4096.

Description
Using the interface ethernet command, you can create an Ethernet sub-interface. Using the undo interface ethernet command, you can delete the specified Ethernet sub-interface.
An Ethernet sub-interface is used for VLAN configuration. For a detailed configuration procedure for VLAN, refer to the Link Layer Protocol chapter in the 3Com Router Configuration Guide. Up to 256 sub-interfaces can be created for one Ethernet interface.

Example
Create a sub-interface on Ethernet interface 1/0/0.
[3com] interface ethernet 1/0/0.1
[3com-Ethernet1/0/0.1]

Logic-Channel Interface
interface logic-channel

Syntax
interface logic-channel interface-number
undo interface logic-channel interface-number

View
System view

Parameter
interface-number: Number of logic-channel, in the range of 0 to 1023.

Description
Using the interface logic-channel command, you can create a logic-channel interface. Using the undo interface logic-channel command, you can delete a logic-channel interface.
Once it is created, a logic-channel interface stays in UP state until it is deleted.

Example
Create the logic-channel interface 100.
[3com] interface logic-channel 100
[3com-Logic-Channel100]

Configuration Command of Virtual Template and Virtual Access Interface

broadcast-limit link

Syntax
broadcast-limit link number
undo broadcast-limit link

View
Virtual template view

Parameter
number: Maximum link number that the virtual template supports for sending multicast or broadcast packets, ranging from 0 to 128. The default value is 30.

Description
Using the broadcast-limit link command, you can configure the maximum link number that virtual template supports for sending multicast or broadcast packets. Using the undo broadcast-limit link command, you can restore the default configuration.
When there are many links on a virtual template, sending multicast or broadcast packets from each link may influence the function of the system. In this case, the broadcast-limit link command can be used as a limitation, so that multicast or broadcast packets are discarded if the link number exceeds the limitation.

Example
Configure maximum link number of virtual template 1 supporting sending multicast or broadcast packet to be 100.
[3com] interface virtual-template 1
[3com-Virtual-Template1] broadcast-limit link 100

display interface virtual-template

Syntax
display interface virtual-template [ number ]

View
Any view

Parameter
virtual-template: Virtual template.
number: Number of virtual template, ranging from 0 to 1023. The state of all virtual templates will be displayed if this parameter is not specified.

Description
Using the display interface virtual-template command, you can view the status information of virtual template.

Example
View the state of specified virtual template.
<3com> display interface virtual-template 1

display virtual-access

Syntax
display virtual-access [ slot slot-number | vt vt-number | user user-name | peer peer-address | va-number ]

View
Any view

Parameter
slot-number: Slot number of virtual access interface.
vt-number: Virtual template number of virtual access interface.
user-name: Login username of virtual access interface.
peer-address: Peer end address of virtual access interface.
va-number: Sequence number of virtual access interface.
State information of all virtual access interfaces will be displayed if no parameter is specified.

Description
Using the display virtual-access command, you can view the state information of virtual access interface.

Example
View state information of all virtual access interfaces.
<3com> display virtual-access

interface virtual-template

Syntax
interface virtual-template number
undo interface virtual-template number

View
System view

Parameter
number: Number of virtual template, ranging from 0 to 1023.

Description
Using the interface virtual-template command, you can create virtual template or enter existing virtual template view. Using the undo interface virtual-template command, you can delete specified virtual template.
A virtual template should be created before the creation of a virtual access interface, and should be closed after the virtual access interface has been closed and will not be reused. In deleting the virtual template, make sure that all its derived virtual access interfaces have been removed and this virtual template is not in use any more.

Example
Create virtual template 10.
[3com] interface virtual-template 10
[3com-Virtual-Template10]

MP-group Interface Configuration Command
display interface mp-group

Syntax
display interface mp-group [ number ]

View
Any view

Parameter
number: Number of MP-group interface. If the number of the interface is not specified, status information of all MP-group interfaces is displayed.

Description
Using the display interface mp-group command, you can view the status of MP-group interface.

Example
View status information of MP-group interface.
<3com> display interface mp-group

interface mp-group

Syntax
interface mp-group number
undo interface mp-group number

View
System view

Parameter
number: Number of a MP-group interface. The sequence number ranges from 0 to 1023 so, at most, 1024 MP-group interfaces are supported by one interface card.

Description
Using the interface mp-group command, you can create a MP-group interface. Using the undo interface mp-group command, you can delete specified MP-group interface.
This command is used in concert with the ppp mp mp-group command. Either MP-group interface or interface added in MP group can be configured first.

Example
Create MP-group interface 3/0/0.
[3com] interface mp-group 3/0/0
[3com-mp-group 3/0/0]

ppp mp mp-group

Syntax
ppp mp mp-group number
undo ppp mp mp-group number

View
Interface view

Parameter
number: Number of MP-group interface

Description
Using the ppp mp mp-group command, you can add the current interface to a specified MP group. Using the undo ppp mp mp-group command, you can remove the current interface from a specified MP group.
This command is used with the interface mp-group command. Either MP-group interface or interface added in MP group can be configured first.
It should be noted that the interface added to an MP group must be consistent with the slot of the MP-group interface. In addition, the interface added to an MP group must be a physical interface. Tunnel interfaces do not support this command.

Example
Add serial port 3/0/0 to MP group 3.
[3com] interface serial 3/0/0
[3com-Serial3/0/0] ppp mp mp-group 3/0/0

Remove serial port 3/0/0 from MP group 3/0/0.
[3com-Serial3/0/0] undo ppp mp mp-group 3/0/0

Virtual Ethernet Interface Configuration Command
display interface virtual-ethernet

Syntax
display interface virtual-ethernet [ number ]

View
Any view

Parameter
number: Number of virtual Ethernet interfaces, with sequence number ranging from 0 to 1023. If the number of interfaces is not specified, the status of all virtual Ethernet interfaces will be displayed.

Description
Using the display interface virtual-ethernet command, you can view status of a virtual Ethernet interface.

Example
View the status information of virtual Ethernet interface 1/0/0.
<3com> display interface virtual-ethernet 1/0/0

interface virtual-ethernet

Syntax
interface virtual-ethernet number
undo interface virtual-ethernet number

View
System view

Parameter
number: Number of virtual Ethernet interface, with sequence number ranging from 0 to 1023.

Description
Using the interface virtual-ethernet command, you can create a virtual Ethernet interface. Using the undo interface virtual-ethernet command, you can delete the specified virtual Ethernet interface.
Virtual Ethernet interface is mainly applied to PPPoEoA and IPoEoA.

Example
Create virtual Ethernet interface 12 on interface card 0 of slot 6.
[3com] interface virtual-ethernet 6/0/12
[3com-Virtual-Ethernet6/0/12]

mac-address

Syntax
mac-address H-H-H
undo mac-address

View
Virtual Ethernet interface view

Parameter
H-H-H: MAC address of virtual Ethernet interface, in the form of hex character string.

Description
Using the mac-address command, you can configure the MAC address of a virtual Ethernet interface. Using the undo mac-address command, you can restore the default configuration.
By default, for a virtual Ethernet interface created on VIU, its MAC address is the same as the MAC address of Ethernet interface carried by VIU itself. For a virtual Ethernet interface created on RSU, its MAC address is 0 by default.

Example
Configure the MAC address of virtual Ethernet interface 10/0/0.
[3com] interface virtual-ethernet 10/0/0
[3com-Virtual-Ethernet10/0/0] mac-address 1000-1000-1000

Configuration Command of Loopback Interface and Null Interface
display interface loopback

Syntax
display interface loopback [ number ]

View
Any view

Parameter
number: Number of Loopback interface, which must be an existing one. If number of interface is not specified, status of all created loopback interfaces will be displayed.

Description
Using the display interface loopback command, you can view status of the loopback interface.
For the related command, see interface loopback.

Example
View status information of specified Loopback interface.
<3com> display interface loopback 6
LoopBack6 current state : UP
Line protocol current state :UP
Description : 3Com Routers, LoopBack6 Interface
The Maximum Transmit Unit is 1536
Internet Address is 10.10.1.1/8

display interface null

Syntax
display interface null [ 0 ]

View
Any view

Parameter
0: Number of Null interface, fixed as 0.

Description
Using the display interface null command, you can view status of Null interface. The parameter does not affect the execution result.
For a related command, see interface null.

Example
View status information of Null0 interface.
<3com> display interface null 0
NULL0 current state : UP
Line protocol current state :UP (spoofing)
Physical is NULL DEV
Description : 3Com Routers, NULL0 Interface
The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
5 minutes input rate 0 bytes/sec, 0 packets/sec
5 minutes output rate 0 bytes/sec, 0 packets/sec
0 packets input, 0 bytes, 0 drops
0 packets output, 0 bytes, 0 drops

interface loopback

Syntax
interface loopback number
undo interface loopback number

View
System view

Parameter
number: Number of Loopback interface, ranging from 0 to 1023.

Description
Using the interface loopback command, you can create a Loopback interface or enter Loopback interface view. Using the undo interface loopback command, you can delete a specified Loopback interface.
After a Loopback interface is created, it always stays in the up state and has the loopback feature, so it is often used to improve the reliability of configuration.
For the related command, see display interface loopback.

Example
Create Loopback interface 5.
[3com] interface loopback 5
[3com-LoopBack5]

interface null

Syntax
interface null 0

View
System view

Parameter
None

Description
Using the interface null command, you can enter the Null interface view.
There is only one Null interface, fixed as null0, and it cannot be deactivated or deleted.
For the related command, see display interface null.

Example
Enter view of Null0 interface.
[3com] interface null 0
[3com-NULL0]

4 LINK LAYER PROTOCOL

PPP and MP Configuration Commands

display ppp mp

Syntax
display ppp mp [ interface interface-type interface-num ]

View
Any view

Parameter
interface-type interface-num: Used to specify the interface to be viewed.

Description
Using the display ppp mp command, you can view all the interface information and statistics of MP.
For the related commands, see link-protocol ppp and ppp mp.

Example
Display the MP interface information.
<3Com> display ppp mp
Template is Virtual-Template1
Bundle, quid0, 1 member, slot 3, Master link is Virtual-Template1:0
0 lost fragments, 0 reordered, 0 unassigned, sequence 0/0 rcvd/sent
The bundled son channels are:
Serial3/0/0

Table 1 3ComMP display information description
Field | Description
Template is Virtual-Template1 | Virtual-template interface
Bundle quid0 | Bundle name
1 member | The number of bound channels
slot 3 | Bundled in slot 3
Master link is Virtual-Template1:0 | Master link
0 lost fragments | Lost fragments
0 reordered | Reordered packet number
0 unassigned | Unassigned fragments
sequence 0/0 rcvd/sent | Received sequence number/sent sequence number
The bundled son channels are: | The following displays all the bundled son channels at this logical channel

Display PPP configuration and operating state of the interface. The part in boldface is the relative information of PPP, including the current status of LCP and IPCP. Users can diagnose some faults according to the information.

ip tcp vjcompress

Syntax
ip tcp vjcompress
undo ip tcp vjcompress

View
Interface view

Parameter
None

Description
Using the ip tcp vjcompress command, you can enable a PPP interface to compress the VJ TCP header. Using the undo ip tcp vjcompress command, you can disable VJ TCP header compression on the PPP interface.
If VJ TCP header compression is permitted at the PPP interface, the interface at the opposite end must also permit VJ TCP header compression. This command is only used in the centralized environment.
By default, VJ TCP header compression is disabled at the PPP interface.

Example
Permit VJ TCP header compression at the PPP interface.
[3Com-dialer0] ip tcp vjcompress

link-protocol ppp

Syntax
link-protocol ppp

View
VT view or Dialer view

Parameter
None

Description
Using the link-protocol ppp command, you can configure the link-layer protocol encapsulated on the interface as PPP.
By default, the link-layer protocol for interface encapsulation is PPP.
PPP is a link-layer protocol bearing network-layer packets over the point-to-point link. It defines a whole set of protocols including LCP (link control protocol), NCP (network-layer control protocol), PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). It is widely used because it supports user authentication, easy scalability and synchronous/asynchronous operation.
For the related command, see display interface.

Example
Configure PPP encapsulation on interface Serial 0/0/0.
[3Com-Dialer0] link-protocol ppp

mp binding-mode

Syntax
ppp mp binding-mode { authentication | both | descriptor }
undo ppp mp binding-mode

View
System view

Parameter
authentication: Performs the MP binding according to the authentication user name of PPP.
both: Performs the MP binding based on both the authentication user name of PPP and the terminal identifier.
descriptor: Performs the MP binding according to the terminal identifier.

Description
Using the ppp mp binding-mode command, you can set the MP binding condition. Using the undo ppp mp binding-mode command, you can restore the default value of the MP binding condition.
By default, it performs the MP binding based on both the authentication user name of PPP and the terminal identifier.
The user name is the peer one received by the PPP link when performing the PAP or CHAP authentication, while the terminal identifier, as a unique flag of a Router, is the peer one received when performing the LCP negotiation. The system can perform the MP binding based on the received user name and terminal identifier, and then the interfaces with the identical user name or the same terminal identifier are bound together.
For the related command, see ppp mp user.

Example
Perform the MP binding only based on the user name of the PPP authentication.
[3Com] ppp mp binding-mode authentication

ppp accounting scheme

Syntax
ppp accounting scheme { default | scheme-name }
undo ppp accounting

View
Interface view

Parameter
default: Indicates that the default accounting method list is adopted.
scheme-name: Accounting method list, indicating which method list is adopted for accounting.

Description
Using the ppp accounting scheme command, you can set accounting for PPP user. Using the undo ppp accounting command, you can disable the accounting.
By default, no ppp accounting is performed.
After PPP authentication succeeds, AAA will begin to charge the peer user. The command is used to configure the accounting method list. Please refer to “AAA Configuration” for the detailed method list configuration.
For the related commands, see ppp authentication-mode and aaa authentication-scheme ppp.

Example
Configure to adopt the default accounting method list for accounting on Serial 0/0/0.
[3Com-Serial0/0/0] ppp accounting scheme default

ppp authentication-mode

Syntax
ppp authentication-mode { chap | pap } [ call-in ] [ scheme { default | scheme-name } ]
undo ppp authentication-mode

View
Interface view

Parameter
One of chap and pap should be selected.
call-in: Authenticates the peer only when the remote user calls in.
default and scheme-name: Indicate the authentication algorithm lists configured by the user for authentication. For a detailed description, refer to the “AAA section”.

Description
Using the ppp authentication-mode command, you can set the local PPP authentication algorithm for the peer router. Using the undo ppp authentication-mode command, you can cancel the configuration, i.e. no authentication.
By default, no authentication is performed.
There are two PPP authentication algorithms:
PAP, a 2-way handshake authentication, which sends the password in plain text.
CHAP, a 3-way handshake authentication, which sends the password in encrypted text.
In addition, the defined AAA authentication algorithm list can be used.
Either CHAP or PAP is just an authentication process. The success of the authentication is decided by AAA, which can authenticate on the basis of the local authentication database or AAA server.
For the related commands, see local-user, ppp chap user, ppp pap local-user, aaa authentication-scheme ppp, ppp pap password, and ppp chap password.

Example
Authenticate the peer router by means of PAP on interface Serial0/0/0.
[3Com-Serial1/0/0] ppp authentication-mode pap
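
What each method puts on the link, as an added example that is not part of the 3Com guide: it builds a PAP Authenticate-Request (RFC 1334) and a CHAP Challenge/Response pair (RFC 1994, where the response value is an MD5 digest over the identifier, the shared secret and the challenge). The names RouterA and Root and the password 3Com are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

PAP_AUTH_REQUEST = 1   # PAP code, RFC 1334
CHAP_CHALLENGE = 1     # CHAP codes, RFC 1994
CHAP_RESPONSE = 2


def _packet(code: int, ident: int, data: bytes) -> bytes:
    """Code, Identifier and a 16-bit Length that includes the 4-byte header."""
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def _split(pkt: bytes, expected_code: int) -> Tuple[int, bytes, bytes]:
    """Validate a CHAP header and return (identifier, value, name)."""
    if len(pkt) < 5:
        raise ValueError("truncated packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != expected_code or length != len(pkt):
        raise ValueError("unexpected code or length")
    size = pkt[4]
    if 5 + size > length:
        raise ValueError("value size overruns packet")
    return ident, pkt[5:5 + size], pkt[5 + size:]


def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP: the peer ID and the password travel in the packet unchanged."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return _packet(PAP_AUTH_REQUEST, ident, data)


def chap_challenge(ident: int, name: bytes, value: Optional[bytes] = None) -> bytes:
    """Authenticator side: a fresh random value unless one is supplied."""
    value = os.urandom(16) if value is None else value
    return _packet(CHAP_CHALLENGE, ident, bytes([len(value)]) + value + name)


def chap_digest(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_response(challenge_pkt: bytes, name: bytes, secret: bytes) -> bytes:
    """Peer side: answer the challenge with a digest, never the secret."""
    ident, challenge, _ = _split(challenge_pkt, CHAP_CHALLENGE)
    digest = chap_digest(ident, secret, challenge)
    return _packet(CHAP_RESPONSE, ident, bytes([len(digest)]) + digest + name)


def chap_verify(challenge_pkt: bytes, response_pkt: bytes, secret: bytes) -> bool:
    """Authenticator side: recompute the digest for the challenge it issued."""
    ident, challenge, _ = _split(challenge_pkt, CHAP_CHALLENGE)
    r_ident, digest, _ = _split(response_pkt, CHAP_RESPONSE)
    expected = chap_digest(ident, secret, challenge)
    return r_ident == ident and hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    pap = pap_authenticate_request(1, b"Root", b"3Com")
    print("PAP request  :", pap)           # password readable in the frame
    ch = chap_challenge(7, b"RouterA")
    rsp = chap_response(ch, b"Root", b"3Com")
    print("CHAP response:", rsp.hex())     # digest and name only
    print("verifies     :", chap_verify(ch, rsp, b"3Com"))
    # A captured response does not answer a later challenge.
    print("replay works :", chap_verify(chap_challenge(7, b"RouterA"), rsp, b"3Com"))
```

Both ends must hold the same secret for `chap_verify` to succeed, which is why the guide asks for the local CHAP password to match the user password at the other end.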

ppp chap password

Syntax
ppp chap password { simple | cipher } password
undo ppp chap password

View
Interface view

Parameter
password: Password.
simple or cipher: Passwords in plain text or in encrypted text.

Description
Using the ppp chap password command, you can configure the default CHAP password while performing CHAP authentication. Using the undo ppp chap password command, you can cancel the configuration.
While configuring CHAP authentication, you should configure the local password to be the same as the user password at the other end.
For the related commands, see ppp authentication-mode chap and local-user.

Example
Set the user password as 3Com in plain text when the local router performs the authentication via CHAP.
[3Com-Serial1/0/0] ppp chap password simple 3Com

ppp chap user

Syntax
ppp chap user username
undo ppp chap user

View
Interface view

Parameter
username: User name of CHAP authentication, which is the one sent to the peer equipment to be authenticated.

Description
Using the ppp chap user command, you can configure the user name when performing the CHAP authentication. Using the undo ppp chap user command, you can delete the existing configuration.
By default, the user name of the CHAP authentication is blank.
While configuring CHAP authentication, you should configure the username of each end as the local_user of the peer end, and configure the corresponding password accordingly.
For the related commands, see ppp authentication-mode and local-user.

Example
Configure the local user name as Root when CHAP authentication is performed on interface Serial0/0/0.
[3Com-Serial1/0/0] ppp chap user Root

ppp compression iphc

Syntax
ppp compression iphc [ nonstandard | rtp-connections rtp-connections | tcp-connections tcp-connections ]

View
Interface view

Parameter
nonstandard: Uses the nonstandard mode in compressing the IP/UDP/RTP header.
rtp-connections rtp-connections: Sets the maximum rtp-connections of the iphc function; its value ranges from 3 to 1000.
tcp-connections tcp-connections: Sets the maximum number of tcp-connections of the iphc function; its value ranges from 3 to 256.

Description
Using the ppp compression iphc command, you can enable the iphc.
For the related command, see link-protocol ppp.

Example
None

ppp compression stac-lzs

Syntax
ppp compression stac-lzs
undo ppp compression stac-lzs

View
Interface view

Parameter
None

Description
Using the ppp compression stac-lzs command, you can set the PPP protocol to use the Stac compression algorithm. Using the undo ppp compression stac-lzs command, you can disable the compression at the relevant interface.
By default, compression is disabled.
When stac-lzs compression is configured on the interface, the data frame size can be reduced through data compression without losing the data. However, this configuration will add load to the router. It is recommended that this function be disabled when the router has already been overloaded. In addition, only when stac-lzs is configured at both ends of a point-to-point link, will this link support the stac-lzs compression.
For the related command, see link-protocol ppp.

Example
Configure stac-lzs compression on the local router.
[3Com-Serial0/0/0] ppp compression stac-lzs

ppp ipcp dns

Syntax
ppp ipcp dns { primary-dns-address [ secondary-dns-address ] | admit-any }
undo ppp ipcp dns { primary-dns-address [ secondary-dns-address ] | admit-any }

View
Interface view

Parameter
primary-dns-address: Address of the primary DNS server.
secondary-dns-address: Address of the secondary DNS server.
admit-any: Accepts any DNS address requested by the peer.

Description
Using the ppp ipcp dns command, you can enable the Router to provide the DNS address for the peer. Using the undo ppp ipcp dns command, you can disable this process.
By default, the Router does not provide the DNS address for the peer.
When other devices are connected with the Router (e.g. PC is connected to the Router by dialing up) via the PPP protocol, the Router can assign the DNS address to the peer equipment after the negotiation. Thus, the peer equipment can directly access the network via the domain name.
If you connect the Router with your PC, you can use the command winipcfg or ipconfig /all on your PC to view the DNS address provided by the Router.
For the related commands, see ppp authentication-mode pap and local-user.

Example
Configure the primary DNS address of the local Router as 100.1.1.1, and the secondary DNS address as 100.1.1.2.
[3Com-Serial0/0/0] ppp ipcp dns 100.1.1.1 100.1.1.2

ppp mp

Syntax
ppp mp
undo ppp mp

View
Interface view

Parameter
None

Description
Using the ppp mp command, you can enable the interface encapsulated with PPP to operate in the MP mode. Using the undo ppp mp command, you can enable the interface to operate in the Single PPP mode.
By default, the interface encapsulated with PPP operates in the Single PPP mode.
To increase the bandwidth, multiple PPP links can be bound to form a logical MP interface. For this purpose, it is necessary to specify a virtual-template in system view. MP can be configured and used only at the physical interfaces which can encapsulate PPP.
To enable MP, you must configure the ppp mp command and the PAP or CHAP authentication at the physical interface.
For the related commands, see link-protocol ppp, ppp mp user, and interface virtual-template.

Example
Configure the PPP encapsulated interface Serial0/0/0 to work in MP mode.
[3Com-Serial1/0/0] ppp mp

ppp mp lfi

Syntax
ppp mp lfi [ delay-per-frag max-delay ]
undo ppp mp lfi [ delay-per-frag ]

View
Virtual template interface view

Parameter
max-delay: Maximum delay in milliseconds; its value ranges from 1 to 1000.

Description
Using the ppp mp lfi command, you can configure the link fragmentation and interleaving features. Using the undo ppp mp lfi command, you can restore the default configuration.
By default, the value of number is 10.

Example
Set a maximum delay of 100 milliseconds per fragment.
[3Com-Virtual-Template0] ppp mp lfi delay-per-frag 100

ppp mp max-bind

Syntax
ppp mp max-bind max-bind-num
undo ppp mp max-bind

View
Virtual template interface view

Parameter
max-bind-num: Indicates the maximum number of links which can be bound, in the range from 1 to 128.

Description
Using the ppp mp max-bind command, you can configure the maximum number of bound links of MP. Using the undo ppp mp max-bind command, you can restore the default configuration.
By default, its value is 16.
Normally, it is not necessary to configure this parameter; when necessary, it should be changed under the guidance of technical engineers. Such a configuration may have an impact on the performance of PPP.
If it is necessary to bind more than 16 PPP channels, the parameter max-bind-num can be changed.
If a VIU board reports failure in MP removing links, it is possible that the maximum binding number is smaller than the actually configured one. Make sure that the maximum binding number is larger than the actual one.
For the related command, see ppp mp.

Example
Set the maximum number of bound links to 12.
[3Com-Virtual-Template10] ppp mp max-bind 12

ppp mp min-fragment

Syntax
ppp mp min-fragment size
undo ppp mp min-fragment

View
Virtual template interface view

Parameter
size: Minimum packet size for fragmenting MP outgoing packets. When the MP outgoing packet is smaller than this value, it is not fragmented. When the MP packet is larger than this value, it is fragmented. It is in bytes, in the range from 128 to 1500.

Description
Using the ppp mp min-fragment command, you can set the minimum packet size at which MP outgoing packets begin to be fragmented in multiple-link binding. Using the undo ppp mp min-fragment command, you can restore the default setting.
By default, it is 128.
If fragmenting of small packets is not wanted, this command can be used to set a larger minimum packet size for MP fragmentation.
For the related command, see ppp mp.

Example
Set the minimum packet size for MP packet fragmentation to 500 bytes.
[3Com-Virtual-Template10] ppp mp min-fragment 500

ppp mp user

Syntax
ppp mp user username bind virtual-template number
undo ppp mp user username

View
System view

Parameter
username: User name
number: Virtual-template number.

Description
Using the ppp mp user command, you can configure MP binds based on the username. Using the undo ppp mp user command, you can cancel MP binds.
During the establishment of a PPP connection, after PPP authentication succeeds, if a virtual-template is specified, MP will be bound on the basis of parameters of the virtual-template and a new virtual interface will be formed to transfer data.
Operating parameters that could be configured on the virtual-template include:
Local IP address and the IP address (or IP address pool) assigned to the peer PPP
PPP working parameter
For the related commands, see ppp mp and ppp mp max-bind.

Example
Specify the corresponding virtual-template as 1 for the username 3Com, and configure the IP address of the virtual-template as 202.38.60.1.
[3Com] ppp mp user 3Com bind virtual-template 1
[3Com] interface virtual-template 1
[3Com-virtual-template1] ip address 202.38.60.1 255.255.255.0

ppp mp virtual-template

Syntax
ppp mp virtual-template [ number ]
undo ppp mp

View
Interface view

Parameter
number: Virtual template number to be bound by the interface, in the range from 0 to 1023.

Description
Using the ppp mp virtual-template command, you can configure the virtual template number to be bound by the interface. Using the undo ppp mp command, you can disable the MP binding of the interface. By default, the MP binding of the interface is disabled, and the interface works in ordinary PPP mode.

This command specifies the virtual template number to be bound on the interface. An interface that uses this command to perform the MP binding does not need PAP or CHAP authentication to be configured. Two or more interfaces with the same virtual template number are bound directly together. Moreover, this command is mutually exclusive with the ppp mp command. That is, only one of the two commands can be configured on the same interface.

For the related commands, see link-protocol ppp and interface virtual-template.

Example
Configure the PPP encapsulated interface Serial0/0/0 to work in MP view.
[3Com-Serial0/0/0] ppp mp virtual-template 1

ppp pap local-user

Syntax
ppp pap local-user username password { simple | cipher } password
undo ppp pap local-user

View
Interface view

Parameter
username: Username sent.
password: Password sent.
simple: Password in plain text.
cipher: Password in encrypted text.

Description
Using the ppp pap local-user command, you can configure the username and password sent by the local router when it is authenticated by the peer router via the PAP method. Using the undo ppp pap local-user command, you can disable the configuration. By default, when the local router is authenticated by the peer router via the PAP method, both the username and the password sent by the local router are empty.

When the local router is authenticated via the PAP method by the peer router, the username and password sent by the local router must be the same as the user and password of the peer router.

For the related commands, see ppp authentication pap-mode and local-user.

Example
Set the username of the local router authenticated by the peer end via the PAP method as 3Com and the password as 3Com.
[3Com-Serial1/0/0] ppp pap local-user 3Com password simple 3Com

ppp timer hold

Syntax
ppp timer hold seconds
undo ppp timer hold

View
Serial interface view

Parameter
seconds: Time interval, in seconds, at which the interface sends keepalive packets. The value ranges from 0 to 32767 and defaults to 10.

Description
Using the ppp timer hold command, you can set the timer for sending keepalive packets. Using the undo ppp timer hold command, you can restore the default value.

For very slow data links, the seconds parameter must not be set too small. Because a long datagram can only be transferred completely after a long time, the transfer of keepalive datagrams is delayed. The data link is regarded as broken if the interface has not received a keepalive packet from the other end for many keepalive periods. So if the keepalive time is set for a very long time, the data link would be considered broken by the other end, and then be closed. The keepalive time must be set to the same value at the two ends of a PPP link.

For the related command, see display interface.

Example
Set the PPP timer hold to 20 seconds.
[3Com-Serial1/0/0] ppp timer hold 20

ppp timer negotiate

Syntax
ppp timer negotiate seconds
undo ppp timer negotiate

View
Interface view

Parameter
seconds: Negotiation timeout in seconds. During the PPP negotiation, if the local end does not receive the response packet of the peer end, PPP will resend the last packet. The time ranges from 1 to 10 seconds.

Description
Using the ppp timer negotiate command, you can set the PPP negotiation timeout. Using the undo ppp timer negotiate command, you can restore the default value. By default, the PPP timeout is 3 seconds.

For the related command, see link-protocol ppp.

Example
Set the PPP negotiation timeout to 5 seconds.
[3Com-Serial1/0/0] ppp timer negotiate 5

PPPoE Server Configuration Commands

display pppoe-server session

Syntax
display pppoe-server session { all | packet | statistics interface interface-type interface-number }

View
Any view

Parameter
all: Displays all information of each PPPoE session.
packet: Displays packet statistics of each PPPoE session.
statistics: Displays the statistics information of PPPoE sessions over an interface.
interface-type interface-number: Specifies an interface.

Description
Using the display pppoe-server session command, you can view the status and statistics of PPPoE session.

For the related commands, see link-protocol ppp and pppoe-server bind.

Example
View all the session information of PPPoE.
<3Com> display pppoe-server session all
SID  Intf                 State  OIntf          RemMAC          LocMAC
2    Virtual-Template1:0  UP     Ethernet0/2/0  0050.ba22.7369  00e0.fc08.f4de

Table 2 Output information description
Field    Description
SID      Session Identifier
Intf     The corresponding Virtual-Template interface
State    State of sessions
OIntf    corresponding Ethernet interface
RemMAC   Remote MAC, MAC address of the other end.
LocMAC   Local MAC

View the statistics information of PPPoE session.
<3Com> display pppoe-server session packet
SID  RemMAC        LocMAC        InP  InO   InD  OutP  OutO  OutD
1    0050ba1a02ce  0001af02a40f  42   2980  0    16    343   0

Table 3 Description of the output
Field  Description
InP    In Packets, packets received
InO    In Octets, bytes received
InD    In Discards, packets received and then discarded
OutP   Out Packets, packets sent
OutO   Out Octets, bytes sent
OutD   Out Discard, discarded packets that might be sent.

pppoe-server bind virtual-template

Syntax
pppoe-server bind virtual-template number
undo pppoe-server bind

View
Interface view

Parameter
number: Number of the virtual-template for access to PPPoE, in the range from 0 to 1023.

Description
Using the pppoe-server bind virtual-template command, you can enable PPPoE on the virtual-template specified by the Ethernet interface. Using the undo pppoe-server bind command, you can disable PPPoE protocol on the relevant interface. By default, PPPoE protocol is disabled.

For the related command, see link-protocol ppp.

Example
Enable PPPoE on virtual-template 1 of Ethernet interface Ethernet1/0/0.
[3Com-Ethernet1/0/0] pppoe-server bind virtual-template 1

pppoe-server max-sessions local-mac

Syntax
pppoe-server max-sessions local-mac number
undo pppoe-server max-sessions local-mac

View
System view

Parameter
number: Maximum number of sessions that can be established at a local MAC address, which ranges from 1 to 4069.

Description
Using the pppoe-server max-sessions local-mac command, you can set the maximum number of PPPoE sessions that can be established at a local MAC address. Using the undo pppoe-server max-sessions local-mac command, you can restore the default configuration. By default, the value of number is 1000.

For the related commands, see pppoe-server max-sessions remote-mac and pppoe-server max-sessions total.

Example
Set the maximum number of PPPoE sessions that can be established at a local MAC address to 50.
[3Com] pppoe-server max-sessions local-mac 50

pppoe-server max-sessions remote-mac

Syntax
pppoe-server max-sessions remote-mac number
undo pppoe-server max-sessions remote-mac

View
System view

Parameter
number: Maximum number of PPPoE sessions that can be established at a peer MAC address, which ranges from 1 to 4096.

Description
Using the pppoe-server max-sessions remote-mac command, you can set the maximum number of PPPoE sessions that can be established at a peer MAC address. Using the undo pppoe-server max-sessions remote-mac command, you can restore the default configuration. By default, the value of number is 1000.

For the related commands, see pppoe-server max-sessions local-mac and pppoe-server max-sessions total.

Example
Set the maximum number of PPPoE sessions that can be established at a remote MAC address to 50.
[3Com] pppoe-server max-sessions remote-mac 50

pppoe-server max-sessions total

Syntax
pppoe-server max-sessions total number
undo pppoe-server max-sessions total

View
System view

Parameter
number: Maximum number of PPPoE sessions that the system can establish, which ranges from 1 to 65535.

Description
Using the pppoe-server max-sessions total command, you can set the maximum number of PPPoE sessions that the system can establish. Using the undo pppoe-server max-sessions total command, you can restore the default configuration. By default, the value of number is 4096.

For the related commands, see pppoe-server max-sessions remote-mac and pppoe-server max-sessions local-mac.

Example
Set the maximum number of PPPoE sessions established by the system to 3000.
[3Com] pppoe-server max-sessions total 3000
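
The following configuration audit is an added example, not part of the 3Com manual. It covers both the ppp pap local-user entry and the pppoe-server max-sessions entries above: it flags PAP passwords configured with the simple keyword, interfaces bound into MP by ppp mp virtual-template (which the manual says need no PAP or CHAP), and PPPoE servers left at the default per-MAC and total session limits. The saved-configuration layout, the rule names and the policy ceilings are assumptions.

```python
import re

# Defaults stated in the command reference above.
PPPOE_DEFAULTS = {"local-mac": 1000, "remote-mac": 1000, "total": 4096}
# Hypothetical policy ceilings (an assumption): the manual's own example values.
POLICY_MAX = {"remote-mac": 50, "total": 3000}

# Constructed sample. Assumption: a saved configuration lists system-view
# commands unindented and each "interface <name>" followed by indented commands.
SAMPLE_CONFIG = """\
pppoe-server max-sessions total 3000
ppp mp user 3Com bind virtual-template 1
interface Virtual-Template1
 ip address 202.38.60.1 255.255.255.0
interface Ethernet1/0/0
 pppoe-server bind virtual-template 1
interface Serial0/0/0
 ppp mp virtual-template 1
interface Serial1/0/0
 ppp pap local-user 3Com password simple 3Com
interface Serial2/0/0
 ppp pap local-user branch7 password cipher CONSTRUCTED-CIPHERTEXT
"""

PAP_RE = re.compile(r"ppp pap local-user (\S+) password (simple|cipher) (\S+)")
LIMIT_RE = re.compile(r"pppoe-server max-sessions (local-mac|remote-mac|total) (\d+)")
BIND_RE = re.compile(r"pppoe-server bind virtual-template \d+")
MP_VT_RE = re.compile(r"ppp mp virtual-template( \d+)?")


def audit(config_text):
    """Return sorted (rule_id, view, detail) findings; secrets are never echoed."""
    findings = []
    limits = dict(PPPOE_DEFAULTS)   # effective limits, starting from the defaults
    pppoe_views = []                # interfaces where the PPPoE server is enabled
    view = "system"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            view = line.split(None, 1)[1]
            continue
        if not raw[0].isspace():
            view = "system"         # unindented command: back in system view
        pap = PAP_RE.fullmatch(line)
        limit = LIMIT_RE.fullmatch(line)
        if pap:
            user, mode, secret = pap.groups()
            if mode == "simple":
                findings.append(("PAP-SIMPLE", view,
                                 f"PAP password for '{user}' is configured in plain text"))
                if secret == user:
                    findings.append(("PAP-USER-EQ-PW", view,
                                     f"PAP password for '{user}' equals the username"))
        elif limit:
            limits[limit.group(1)] = int(limit.group(2))
        elif BIND_RE.fullmatch(line):
            pppoe_views.append(view)
        elif MP_VT_RE.fullmatch(line):
            findings.append(("MP-NO-AUTH", view,
                             "MP bound by virtual-template number; "
                             "no PAP or CHAP is required for this binding"))
    # Session limits only matter when a PPPoE server is actually bound.
    if pppoe_views:
        for kind, ceiling in POLICY_MAX.items():
            if limits[kind] > ceiling:
                findings.append(("PPPOE-LIMIT", ",".join(pppoe_views),
                                 f"max-sessions {kind} is {limits[kind]}, "
                                 f"above the policy ceiling {ceiling}"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, where, detail in audit(SAMPLE_CONFIG):
        print(f"{rule:15} {where:15} {detail}")
```
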

PPPoE Client Configuration Commands

debugging pppoe-client

Syntax
debugging pppoe-client option [ interface type number ]

View
User view and system view

Parameter
option: PPPoE Client debugging switch type. See the following table for more details.
interface type number: Interface type and number, used to enable the debugging switch of the specified interface. If no interface is specified, the system will enable the debugging switch of all interfaces.

Table 4 PPPoE Client debugging switch type and explanation
Debugging switch type  Explanation
all                    Enable all PPPoE Client debugging switches
data                   Enable the PPPoE Session phase data packet debugging switch
error                  Enable PPPoE Client error information debugging switch
event                  Enable PPPoE Client event debugging switch
packet                 Enable PPPoE Discovery phase negotiation packet debugging switch
verbose                Display the verbose contents of PPPoE data

Description
The command debugging pppoe-client is used to enable the PPPoE Client debugging switch.

Example
None

display pppoe-client session

Syntax
display pppoe-client session { summary | packet } [ dial-bundle-number number ]

View
Any view

Parameter
summary: Displays the summary of PPPoE session.
packet: Displays the statistics of PPPoE session data packet.
dial-bundle-number number: Displays the statistics of the specified PPPoE session. If PPPoE session is not specified, the system will display the statistics of all PPPoE sessions.

Description
The command display pppoe-client session is used to display the status and statistics of PPPoE session.

Example
Display the summary of PPPoE session.
[3Com]display pppoe-client session summary
PPPoE Client Session:
ID  Bundle  Dialer  Intf  Client-MAC    Server-MAC    State
1   1       1       Eth0  00e0fc0254f3  00049a23b050  PPPUP
2   2       2       Eth0  00e0fc0254f3  00049a23b050  PPPUP

For more details of the display information, see the following table.
Table 5 Explanation of display pppoe-client session summary
Field       Explanation
ID          Session ID, PPPoE session ID
Server-MAC  Server MAC, server MAC address
Client-MAC  Client MAC, client MAC address
Dialer      Corresponding Dialer interface of PPPoE session
Bundle      Dialer Bundle containing PPPoE session
Intf        Ethernet interface containing PPPoE session
State       State of PPPoE session

Display the statistics of PPPoE session data packet
<3Com> display pppoe-client session packet
PPPoE Client Session:
SID  InP  InO   InD  OutP  OutO  OutD
=============================================================
1    164  6126  0    83    1069  0
2    304  9886  0    156   2142  0

For more details of the display information, see the following table.
Table 6 Explanation of the information displayed by pppoe-client session packet
Field  Explanation
SID    Session ID, PPPoE session ID
InP    In Packets: number of received packets
InO    In Octets: number of received octets
InD    In Discards: number of received illegal and discarded packets
OutP   Out Packets: number of sent packets
OutO   Out Octets: number of sent octets
OutD   Out Discard: number of sent and discarded illegal packets

pppoe-client

Syntax
pppoe-client dial-bundle-number number [ no-hostuniq ] [ idle-timeout seconds [ queue-length packets ] ]
undo pppoe-client dial-bundle-number number

View
Ethernet interface view or virtual Ethernet interface view

Parameter
dial-bundle-number number: Dialer Bundle number corresponding to PPPoE session, in the range from 1 to 255. The parameter number can be used to identify a PPPoE session, or as a PPPoE session.
no-hostuniq: The call originated from PPPoE Client does not carry the Host-Uniq field. By default, no no-hostuniq parameter is configured, i.e. PPPoE session works in permanent online mode by default.
idle-timeout seconds: Idle time of PPPoE session in seconds, in the range from 1 to 65535. If the parameter is not configured, PPPoE session will work in permanent online mode. Otherwise, it will work in packet trigger mode.
queue-length packets: Number of packets cached in the system before PPPoE session is established, in the range from 1 to 100. The parameter takes effect only after idle-timeout is configured. By default, packets is 10.

Description
Using the pppoe-client command, you can establish a PPPoE session and specify the Dialer Bundle corresponding to the session. Using the undo pppoe-client command, you can delete a PPPoE session. By default, no PPPoE session is configured.

Multiple PPPoE sessions can be configured at one Ethernet interface, i.e. one Ethernet interface might simultaneously belong to multiple Dialer Bundles. However, one Dialer Bundle only has one Ethernet interface. PPPoE session and Dialer Bundle are one-to-one. If the Dialer Bundle at a certain Dialer already has one Ethernet interface used by PPPoE, no other interface can be added to this Dialer Bundle. Likewise, if a Dialer Bundle already has interfaces other than the PPPoE Ethernet interface, this Dialer Bundle cannot be added to the Ethernet interface used by PPPoE Client.

When PPPoE session works in permanent online mode and the physical lines go UP, the Router will immediately initiate a PPPoE call to establish PPPoE session. This PPPoE connection will exist constantly unless users use the command undo pppoe-client to delete PPPoE session.

When PPPoE session works in packet trigger mode, the Router will not initiate a PPPoE call to establish PPPoE session unless it has data to transmit. If there is no data transmission on the PPPoE link within the idle time (seconds), the Router will automatically terminate PPPoE session. PPPoE session will be re-established only after the Router has new data to transmit.

For the related command, see reset pppoe-client.

Example
Create a PPPoE session on the interface Ethernet 0/0/0.
[3Com-Ethernet0/0/0]pppoe-client dial-bundle-number 1

reset pppoe-client

Syntax
reset pppoe-client { all | dial-bundle-number number }

View
User view

Parameter
all: Clears all PPPoE sessions.
dial-bundle-number number: Dialer Bundle number, in the range from 1 to 255. Used to clear the PPPoE session corresponding to the Dialer Bundle.

Description
Using the reset pppoe-client command, you can terminate PPPoE session and re-initiate the connection later.

If PPPoE session in permanent online mode is terminated using the command reset pppoe-client, the Router will automatically re-establish PPPoE session in sixteen seconds. If PPPoE session is terminated in packet trigger mode using the command reset pppoe-client, the Router will not re-establish PPPoE session unless it has data to transmit.

For the related command, see pppoe-client.

Example
Clear all PPPoE sessions, and re-initiate PPPoE session later.
<3Com>reset pppoe-client all

VLAN Configuration Commands

display vlan interface

Syntax
display vlan interface interface-type interface-num

View
Any view

Parameter
interface-type interface-num: Specifies the interface. At present, the interface types supported include Ethernet interface and Gigabit Ethernet interface, and only sub-interfaces are supported.

Description
Using the display vlan interface command, you can view VLAN configuration information on a certain interface (only supporting sub-interface).

Example
Display the VLAN configuration information at the Ethernet interface 2/0/0.1.
<3Com> display vlan interface ethernet 2/0/0.1
encapsulation isl vid 60

display vlan max-packet-process

Syntax
display vlan max-packet-process vid

View
Any view

Parameter
vid: VLAN ID, used to identify a VLAN.

Description
Using the display vlan max-packet-process command, you can view the maximum number of packets processed per second configured on a certain VLAN.

For the related command, see max-packet-process.

Example
Display the maximum number of processed packets configured on the VLAN 10.
<3Com> display vlan max-packet-process 10
Max Packet Process Count for Vid 10 is 300000

display vlan statistics interface

Syntax
display vlan statistics interface interface-type interface-num protocol { arp | ip }

View
Any view

Parameter
interface-type interface-num: Used to specify the interface. At present, the interface types supported include Ethernet interface and Gigabit Ethernet interface, and only sub-interfaces are supported.
arp: Packet type is ARP.
ip: Packet type is IP.

Description
Using the display vlan statistics interface command, you can view the packet statistics on a certain VLAN.

For the related command, see reset vlan statistics interface.

Example
Display the VLAN statistics on Ethernet subinterface 2/0/0.1.
<3Com> display vlan statistics interface ethernet 0/2/0.1
Packets Discarded :0
Packets forwarded to IP/ARP module : 0
Packets forwarded by VLAN module: 0

display vlan statistics vid

Syntax
display vlan statistics vid vid

View
Any view

Parameter
vid: VLAN ID, used to identify a VLAN.

Description
Using the display vlan statistics vid command, you can view the packet statistics on a certain VLAN, e.g. the received packet number and the sent packet number.

For the related command, see reset vlan statistics interface.

Example
Display the packet statistics on VLAN 10.
<3Com> display vlan statistics vid 10
Packets received: 53
Packets transmitted: 14

max-packet-process

Syntax
max-packet-process count vid
undo max-packet-process vid

View
System view

Parameter
count: Maximum number of processed packets.
vid: VLAN ID, used to identify a VLAN.

Description
Using the max-packet-process command, you can set the maximum number of processed packets per second on a certain VLAN. Using the undo max-packet-process command, you can restore it to the default setting. By default, the system has no limitation of the maximum number of processed packets.

After the maximum number of processed packets per second is set on a certain VLAN, once the number of received packets belonging to this VLAN reaches the limit, the subsequently received packets belonging to the VLAN will be discarded. Through this command, you can perform flow control.

For the related command, see display vlan max-packet-process.

Example
Set the maximum number of processed packets per second on the VLAN 10 as 200000.
[3Com] max-packet-process 200000 10

reset vlan statistics interface

Syntax
reset vlan statistics interface interface-type interface-number

View
User view

Parameter
interface-type interface-num: Used to specify the interface. At present, the interface types supported include Ethernet interface and Gigabit Ethernet interface, and only sub-interfaces are supported.

Description
Using the reset vlan statistics interface command, you can clear VLAN statistics on a certain interface.

For the related command, see show vlan statistics interface.

Example
Clear the VLAN statistics on Ethernet subinterface 2/0/0.1.
<3Com> reset vlan statistics interface ethernet 2/0/0.1

reset vlan statistics vid

Syntax
reset vlan statistics vid vid

View
User view

Parameter
vid: VLAN ID, used to identify a VLAN.

Description
Using the reset vlan statistics vid command, you can clear the VLAN statistics.

For the related command, see display vlan statistics vid.

Example
Clear the statistics with VLAN ID 10.
<3Com> reset vlan statistics vid 10

vlan-type dot1q

Syntax
vlan-type dot1q vid vid

View
Interface view

Parameter
vid: VLAN ID, used to identify a VLAN, in the range from 1 to 4094.

Description
Using the vlan-type dot1q command, you can set the encapsulation type on the sub-interface. By default, there is no encapsulation on the sub-interface, nor any VLAN ID related to the sub-interface.

For the related command, see display vlan interface.

Example
Set the Ethernet sub-interface 2/0/0.1 to be related to VLAN ID 60, with dot1q as its encapsulation format.
[3Com-Ethernet2/0/0.1] vlan-type dot1q vid 60

ISDN Configuration Commands

debugging isdn

Syntax
debugging isdn { cc | q921 | q931 | spid } [ interface type number ]
undo debugging isdn { cc | q921 | q931| spid } [ interface type number ]

View
User view

Parameter
cc: Enables ISDN CC module debugging.
q921: Enables Q.921 debugging.
q931: Enables ISDN Q.931 module debugging.
spid: Enables SPID debugging for the BRI interfaces running the NI protocol.
interface type number: Interface type and number. You can enable ISDN signaling debugging on an interface by specifying its type and number. If no interface has been specified, the system will enable ISDN signaling debugging on all the ISDN interfaces.

Description
Using the debugging isdn command, you can enable ISDN debugging. Using the undo debugging isdn command, you can disable ISDN debugging.

You must enable terminal debugging first before ISDN debugging can take effect.

Example
Enable CC debugging.
<3Com> debugging isdn cc

Disable CC debugging.
<3Com> undo debugging isdn cc

display isdn active-channel

Syntax
display isdn active-channel [ interface type number ]

View
Any view

Parameter
interface type number: Interface type and number.

Description
Using the display isdn active-channel command, you can view the active call information on ISDN interfaces. If no interface has been specified, the system will display the active call information on all the ISDN interfaces. The displayed information can help you with ISDN call troubleshooting.

Example
Display the active call information on the interface bri 0/0/0.
[3Com] display isdn active-channel interface bri 0/0/0
Bri0/0/0 :
-------------------------------------------------------------
Channel Call Call Calling Calling Called Called
Info Property Type Number Subaddress Number Subaddress
B1 Digital Out 8810124
B2 Analog In 8810118 380 8810150 2201
-------------------------------------------------------------

display isdn call-info

Syntax
display isdn call-info [ interface type number ]

View
Any view

Parameter
interface type number: Interface type and number.

Description
Using the display isdn call-info command, you can view the current states of ISDN interfaces. If no interface has been specified, the system will display the current states of all the ISDN interfaces.

Executing this command will output the state of each layer of the ISDN protocol on one or all interfaces, including the information of Q.921, Q.931 and CC modules. You can troubleshoot based on the output information.

For the related command, see display interfaces.

Example
Display the current states of all ISDN interfaces.
[3Com]display isdn call-info
Bri0/0/0:
  Link Layer: TEI = NONE, State = TEI_UNASSIGNED
  Network Layer: 0 connection(s)
Serial0/0/0:15:
  Link Layer: TEI = 0, State = MULTIPLE_FRAME_ESTABLISHED
  Network Layer: 1 connection(s)
    Connection 1:
      CCIndex: 0x0000, State: Active, CES: 1, Channel: 0x00000002
      Calling_Num[:Sub]: 003
      Called_Num[:Sub]: 002

Table 7 Description of the information displayed by executing display isdn call-info
Item                                                      Description
Bri0/0/0                                                  The interface Bri0/0/0 runs ISDN.
Link Layer: TEI = 0, State = MULTIPLE_FRAME_ESTABLISHED   Displays the parameters related to the link layer protocol Q.921 of ISDN on the interface.
Network Layer: 1 connection(s)                            There is only one network layer connection on the interface currently.
CCIndex                                                   Call index
State                                                     Call state
Channel                                                   Channel map
Calling_Num[:Sub]                                         Calling number: calling sub-address
Called_Num[:Sub]                                          Called number: called sub-address

Disabling an interface will clear all the statistic data related to the interface and new counting will be started.

display isdn call-record

Syntax
display isdn call-record [ interface type number ]

View
Any view

Parameter
interface type number: Displays only the call history of the specified interface.

Description
Using the display isdn call-record command, you can view the information of ISDN call history.

Executing this command will display information of the calls activated in the last 15 minutes, but the number of retained entries is limited to 100.

Example
Display the information of ISDN call history.
[3Com] display isdn call-record
Call Calling Called Start Stop Seconds
Type Number Number Time Time Used
---------------------------------------------------------------------
In 10660016 10660016 03-07-05 11:23:09 0
In 10660022 10660022 03-07-05 11:23:09 0
Out 660016 03-07-05 11:23:01 03-07-05 11:23:04 3
Out 660022 03-07-05 11:23:01 03-07-05 11:23:04 3
In 10660016 10660016 03-07-05 11:23:01 03-07-05 11:23:04 3
In 10660022 10660022 03-07-05 11:23:01 03-07-05 11:23:04 3

display isdn parameters

Syntax
display isdn parameters { protocol | interface type number }

View
Any view

Parameter
protocol: ISDN protocol type, which can be DSS1, NTT, NI, ETSI, ANSI or AT&T.
interface type number: ISDN interface type and number.

Description
Using the display isdn parameters command, you can view the system parameters at layers 2 and 3 of the ISDN protocol, such as the durations of system timers and frame size. If only ISDN protocol is specified, the system will display the default system parameters of ISDN.

For the related command, see display interfaces.

Example
Display the system parameters of the ISDN protocol DSS1.
[3Com] display isdn parameters dss1
DSS1 ISDN layer 2 system parameters:
T200(sec)  T202(sec)  T203(sec)  N200  K(Bri)  K(Pri)
1          2          10         3     1       7
DSS1 ISDN layer 3 system timers:
Timer-Number  Value(sec)
T301          240
T302          15
T303          4
T304          30
T305          30
T308          4
T309          90
T310          40
T313          4
T314          4
T316          120
T317          10
T318          4
T319          4
T321          30
T322          4

Table 8 Description of the displayed system parameters of ISDN
Item          Description
T200(sec)     Retransmit-timer (in seconds) of the L2 protocol of ISDN
T202(sec)     Retransmit-timer (in seconds) for the TEI request messages of the ISDN L2 protocol
T203(sec)     The maximum link idle time (in seconds) of the ISDN L2 protocol
N200          The maximum retransmission times
K(Bri)        The maximum number of unacknowledged frames (slide window size) on the ISDN BRI port.
K(Pri)        The maximum number of unacknowledged frames (slide window size) on the ISDN PRI port.
Timer-Number  ISDN L3 timer
Value(sec)    Duration (in seconds) of each ISDN L3 timer

display isdn spid

Syntax
display isdn spid [ interface type number ]

View
Any view

Parameter
interface type number: ISDN interface type and number.

Description
Using the display isdn spid command, you can view the related information of SPID on the BRI interface running the NI protocol.

You may execute this command to view the SPID type, SPID value and some other information when ISDN is running. Executing this command without specifying an interface, you may view the related information of SPID on all the SPID-supported BRI interfaces. Alternatively, you may view the information only on one interface by specifying its type and number.

Example
Display the related information of SPID on the NI-supported interface bri 0/0/0.
[3Com] display isdn spid interface bri 0/0/0
Interface bri 0/0/0:
SPID Type : AUTO
SPID B1 :
  SPID Num: 124345
  Neg State : SPID_ASSIGNED
  Init State: INIT_NULL
SPID B2 :
  SPID Num: 45645754
  Neg State : SPID_ASSIGNED
  Init State: INIT_NULL
SPID timer : 30 seconds
SPID resend: 2

Table 9 Description of the SPID parameters
Item         Description
SPID Type    SPID Type, which can be NIT, STATIC (having only the L3 initialization process), or AUTO (including both the negotiation and the L3 initialization)
SPID B1      SPID value of the BRI interface B1 channel. It can be a static configuration or the result of a dynamic negotiation, all depending on the specified SPID Type.
SPID Num     SPID value of the BRI interface. It can be a static configuration or the result of a dynamic negotiation, all depending on the specified SPID Type.
Neg State    Negotiation state of the SPID, which can be SPID_UNASSIGNED, ASSIGN_AWAITING_SPID, SPID_ASSIGNED, ASSIGN_AWAITING_CALL_CLEAR.
Init State   Initialization state of the SPID, which can be INIT_NULL, INIT_IND, INIT_PROCEEDING, INIT_END, INIT_AWAITING_CALL_CLEAR.
SPID B2      SPID value of the BRI interface B2 channel. It can be a static configuration or the result of a dynamic negotiation, all depending on the specified SPID Type.
SPID timer   Duration of the timer TSPID
SPID resend  SPID message retransmission times

isdn bch-local-manage

Syntax
isdn bch-local-manage
undo isdn bch-local-manage

View
ISDN interface view

Parameter
None

Description
Using the isdn bch-local-manage command, you can enable local ISDN B channel management. Using the undo isdn bch-local-manage command, you can disable the setting.

It is very important to put appropriate control on the B channels used for calls in process, especially in the PRI mode. Proper channel management can improve call efficiency and reduce call loss. Normally, the centralized B channel management provided by exchanges works well. For this reason, you are recommended to adopt the management function provided by exchanges in most cases, although the ISDN module can provide the channel management function as well.

Example
Enable local ISDN B channel management.
[3Com-Bri2/0/0] isdn bch-local-manage

isdn bch-select-way

Syntax
isdn bch-select-way { ascending | descending}

View
ISDN interface view

Parameter
ascending: Selects B channels in ascending order.
descending: Selects B channels in descending order.

Description
Using the isdn bch-select-way command, you can set a B channel selection method. By default, B channels are selected in ascending order.

Example
Configure B channel selection method on the interface Bri2/0/0 to descending order.
[3Com-Bri2/0/0] isdn bch-select-way descending

isdn caller-number

Syntax
isdn caller-number caller-number
undo isdn caller-number

View
ISDN interface view

Parameter
caller-number: Caller number that an incoming ISDN call can carry, which is a character string of 1 to 24 characters.

Description
Using the isdn caller-number command, you can configure the range of the numbers that the router can receive. Using the undo isdn caller-number command, you can delete the configured caller number.

Example
Configure the router to receive only the incoming calls from the caller numbers with 400.
[3Com-Serial0/0/0:15] isdn caller-number 400

isdn calling

Syntax
isdn calling calling-number
undo isdn calling

View
ISDN interface view

Parameter
calling-number: Calling number.

Description
Using the isdn calling command, you can have the messages from a calling party to a called party carry the calling number. Using the undo isdn calling command, you can delete the calling number from the messages that a calling party transmits.

This command mainly applies to BRI interfaces. If a calling party has configured this command on its BRI interface, the called party will be able to see the calling number by viewing the call history information.

Example
Configure the message from a calling party to a called party on interface Bri0/0/0 to carry calling number.
[3Com-Bri0/0/0] isdn calling 8060170

isdn check-called-number

Syntax
isdn check-called-number check-index called-party-number [ : subaddress ]
undo isdn check-called-number check-index

View
ISDN BRI Interface view, ISDN PRI Interface view

Parameter
check-index: Called number or subaddress checking index, which is in the range of 1 to 3.
called-party-number: Called number, a string comprising 1 to 20 digits.
subaddress: Subaddress, which is a string comprising digits and/or case-insensitive English letters and is 1 to 20 characters in length.

Description
Using the isdn check-called-number command, you can configure the called number or subaddress that the system should verify when receiving a digital call. Using the undo isdn check-called-number command, you can remove the configuration.

By default, the system does not check the called number or subaddress carried by incoming digital calls.

This command sets the item that is examined when a digital call is received. If a subaddress is specified, the system will deny an incoming digital call if the calling party sends a wrong subaddress or does not send one at all.

Example
Check whether the called number carried by incoming digital calls is 66668888 on the interface Bri 0/0/0.
[3Com-Bri0/0/0] isdn check-called-number 1 66668888 : 123
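
An added example, not taken from the 3Com manual: a small audit that looks at each ISDN interface stanza for the two call-screening commands described above, isdn caller-number and isdn check-called-number, and validates their arguments against the documented ranges. The saved-configuration layout (interface stanzas separated by #), the rule for recognising an ISDN interface, and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample. Assumed layout: "interface <name>" opens a stanza,
# its commands follow indented, and "#" closes it.
SAMPLE_CONFIG = """\
#
interface Bri0/0/0
 isdn caller-number 400
 isdn check-called-number 1 66668888 : 123
#
interface Bri2/0/0
 isdn bch-select-way descending
#
interface Serial0/0/0:15
 isdn caller-number 400
 isdn check-called-number 4 66668888
#
interface Serial1/0/0
 link-protocol hdlc
#
"""

# isdn check-called-number check-index called-party-number [ : subaddress ]
CALLED_RE = re.compile(
    r"^isdn check-called-number (\S+) ([^\s:]+)(?:\s*:\s*(\S+))?$")


def parse_stanzas(text):
    """Return {interface name: [commands]} for the assumed layout."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line in ("", "#"):
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def valid_called_check(cmd):
    """Apply the documented limits: index 1-3, number of 1-20 digits,
    optional subaddress of 1-20 letters and/or digits."""
    m = CALLED_RE.match(cmd)
    if not m:
        return False
    index, number, sub = m.groups()
    if not (index.isdigit() and 1 <= int(index) <= 3):
        return False
    if not (number.isascii() and number.isdigit() and len(number) <= 20):
        return False
    return sub is None or (sub.isascii() and sub.isalnum() and len(sub) <= 20)


def audit(text):
    """List (interface, finding) pairs for ISDN interfaces whose call
    screening is missing or malformed."""
    findings = []
    for name, cmds in parse_stanzas(text).items():
        isdn_cmds = [c for c in cmds if c.startswith("isdn ")]
        # Heuristic (assumption): an interface is ISDN if it is a Bri
        # interface or carries at least one isdn command.
        if not (isdn_cmds or name.lower().startswith("bri")):
            continue
        has_caller = has_called = False
        for cmd in isdn_cmds:
            if cmd.startswith("isdn caller-number"):
                arg = cmd[len("isdn caller-number"):].strip()
                # caller-number is documented as 1 to 24 characters
                if 1 <= len(arg) <= 24 and not any(ch.isspace() for ch in arg):
                    has_caller = True
                else:
                    findings.append((name, "invalid caller-number: " + cmd))
            elif cmd.startswith("isdn check-called-number"):
                if valid_called_check(cmd):
                    has_called = True
                else:
                    findings.append(
                        (name, "invalid check-called-number: " + cmd))
        if not has_caller:
            findings.append((name, "no valid isdn caller-number configured"))
        if not has_called:
            findings.append(
                (name, "no valid isdn check-called-number configured"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```
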

isdn crlength

Syntax
isdn crlength call-reference-length
undo isdn crlength

View
ISDN interface view

Parameter
call-reference-length: ISDN call reference length, which can be one or two bytes.

Description
Using the isdn crlength command, you can set the length of the call reference used when a call is placed on an ISDN interface. Using the undo isdn crlength command, you can restore the default ISDN call reference length on the interface.

The call reference is the sequence number that the protocol assigns to each call. It is one or two bytes in length and can be used cyclically.

When the router receives a call from a remote device, it can automatically identify the length of the call reference. However, some devices on the network do not have such capability. If the router is required to place calls to such a device connected to it, you must configure the router to use the same call reference length configured on the connected device.

By default, the call reference length is two bytes for E1 PRI and T1 PRI interfaces and one byte for BRI interfaces.

You are not allowed to configure this command on an ISDN interface if there is still a call on it. This command can take effect only if it is configured when there is no call on the interface. Alternatively, you can manually disable the interface by executing the shutdown command, configure the command, and then enable the interface by executing the undo shutdown command. The operations, however, will lead to the disconnection of the call existing on the interface.

Example
Set the call reference length carried by the ISDN messages on the PRI interface serial0/0/0:15 to 1 byte.
[3Com-serial0/0/0:15] isdn crlength 1

isdn ignore connect-ack

Syntax
isdn ignore connect-ack
undo isdn ignore connect-ack

View
ISDN interface view

Parameter
None

Description
Using the isdn ignore connect-ack command, you can configure the router to switch the ISDN protocol state to ACTIVE to start the data and voice service communications after sending a CONNECT message without having to wait for a CONNECT ACK message. Using the undo isdn ignore connect-ack command, you can restore the default setting.

By default, in the event that the router is communicating with an exchange, the ISDN protocol must wait for the CONNECT ACK message in response to the CONNECT message before it can switch to the ACTIVE state to start data and voice service communications.

In the event that the router is communicating with an ISDN exchange, its settings must be the same as those on the exchange.

You are not allowed to configure this command on an ISDN interface if there is still a call on it. This command can take effect only if it is configured when there is no call on the interface. Alternatively, you can manually disable the interface by executing the shutdown command, configure the command, and then enable the interface by executing the undo shutdown command. The operations, however, will lead to the disconnection of the call existing on the interface.

Example
Set the call process on the BRI interface 0/0/0 to proceed to the ACTIVE state without waiting for CONNECT ACK messages.
[3Com-Bri0/0/0] isdn ignore connect-ack

isdn ignore hlc

Syntax
isdn ignore hlc
undo isdn ignore hlc

View
ISDN interface view

Parameter
None

Description
Using the isdn ignore hlc command, you can stop ISDN from carrying the higher layer compatibility (HLC) information element in the SETUP messages sent when placing voice calls. Using the undo isdn ignore hlc command, you can configure ISDN to carry the HLC information element in SETUP messages.

By default, the HLC information element is carried in SETUP messages when placing voice calls.

In the event that the router is communicating with an ISDN exchange, its settings must be the same as those on the exchange.

You are not allowed to configure this command on an ISDN interface if there is still a call on it. This command can take effect only if it is configured when there is no call on the interface. Alternatively, you can manually disable the interface by executing the shutdown command, configure the command, and then enable the interface by executing the undo shutdown command. The operations, however, will lead to the disconnection of the call existing on the interface.

Example
Stop ISDN from carrying the HLC information element in the SETUP messages for the voice calls placed on the Bri interface 0/0/0.
[3Com-Bri0/0/0] isdn ignore hlc

isdn ignore llc

Syntax
isdn ignore llc
undo isdn ignore llc

View
ISDN interface view

Parameter
None

Description
Using the isdn ignore llc command, you can stop ISDN from carrying the Lower Layer Compatibility (LLC) information element in the SETUP messages sent when placing voice calls. Using the undo isdn ignore llc command, you can configure ISDN to carry the LLC information element in SETUP messages.

By default, the LLC information element is carried in SETUP messages when placing voice calls.

In the event that the router is communicating with an ISDN exchange, its settings must be the same as those on the exchange.

You are not allowed to configure this command on an ISDN interface if there is still a call on it. This command can take effect only if it is configured when there is no call on the interface. Alternatively, you can manually disable the interface by executing the shutdown command, configure the command, and then enable the interface by executing the undo shutdown command. The operations, however, will lead to the disconnection of the call existing on the interface.

Example
Stop ISDN from carrying the LLC information element in the SETUP messages for the voice calls placed on the interface Bri 0/0/0.
[3Com-Bri0/0/0] isdn ignore llc

isdn ignore sending-complete

Syntax
isdn ignore sending-complete [ incoming | outgoing ]
undo isdn ignore sending-complete [ incoming | outgoing ]

View
ISDN interface view

Parameter
incoming: Ignores the Sending Complete Information Element in SETUP messages with respect to incoming calls.
outgoing: Sends SETUP messages without the Sending Complete Information Element with respect to outgoing calls.

Description
Using the isdn ignore sending-complete command, you can configure the ISDN protocol to ignore the processing on the Sending Complete Information Element. Using the undo isdn ignore sending-complete command, you can restore the default setting.

By default, in the event that the router is communicating with an exchange, the ISDN protocol checks whether the received SETUP messages carry the Sending Complete Information Element with respect to incoming calls and carries the Sending Complete Information Element in SETUP messages with respect to outgoing calls.

In the event that the router is communicating with an ISDN exchange, its settings must be the same as those on the exchange.

You are not allowed to configure this command on an ISDN interface if there is still a call on it. This command can take effect only if it is configured when there is no call on the interface. Alternatively, you can manually disable the interface by executing the shutdown command, configure the command, and then enable the interface by executing the undo shutdown command. The operations, however, will lead to the disconnection of the call existing on the interface.

You can configure this command on an interface only when the ISDN protocol running on the interface is DSS1 or ETSI.

Example
Ignore the Sending Complete Information Element in the received SETUP messages.
[3Com-Bri0/0/0] isdn ignore sending-complete incoming

Disable carrying the Sending Complete Information Element in the transmitted SETUP messages.
[3Com-Bri0/0/0] isdn ignore sending-complete outgoing

isdn L3-timer

Syntax
isdn L3-timer timer-name time-interval
undo isdn L3-timer { timer-name | all }

View
ISDN interface view

Parameter
timer-name: Name of a L3 timer of the ISDN protocol.
time-interval: Timer duration, which can take on one of the values listed in the following table.
all: Restores the default durations of all the L3 timers.

Table 10 Description of Q931 timers

timer-name    Value range (in units)    Default (in units)
t301          30 ~ 1200                 240
t302          5 ~ 60                    15
t303          2 ~ 10                    4
t304          10 ~ 60                   30
t305          4 ~ 30                    30
t308          2 ~ 10                    4
t309          10 ~ 180                  90
t310          10 ~ 180                  40
t313          2 ~ 10                    4
t316          2 ~ 180                   120
t322          2 ~ 10                    4

Description
Using the isdn L3-timer command, you can configure the duration of an ISDN L3 timer. Using the undo isdn L3-timer command, you can restore the default duration of the ISDN L3 timer on the interface.

You can view the default durations of the L3 timers in the ISDN protocol by executing the display isdn parameters command.

Example
Set the duration of the L3 timer T301 on the interface Bri 0/0/0 to 160 seconds.
[3Com-Bri0/0/0] isdn l3-timer t301 160

isdn number-property

Syntax
isdn number-property number-property [ calling | called ]
undo isdn number-property [ calling | called ]

View
ISDN interface view

Parameter
number-property: Type and number scheme of ISDN numbers. The argument takes on a hex value in the range of 0 to FF. When it is expressed in 8 bits, bits 1 through 4 represent the code scheme, bits 5 through 7 represent the code type, and bit 8 is reserved. The following table lists the possible number type and code schemes. For more information, see the related protocol for reference.

The undefined bits in all the protocols are reserved for other purposes.

Table 11
Protocol Field (Bit) value Type 8 6 3 ANSI 0 User-specified 1 National network identification 1 International network identification 0 0 Unknown/user-specified 0 0 Carrier identification code 0 0 Data network identification code (ITU-T Recommendation X.121) 0 1 AT&T 0 Unknown 0 0 International number 0 1 National number 1 0 Subscriber number 0 0 0 Unknown 0 0 0 1 0 1 0 1 0 0 1 0 0 0 0 5 2 Definition Code scheme 7 4 1 0

Protocol 0 1 Field (Bit) value 0 ISDN/telephony numbering loan ( Recommendatio n E.164/E.163) 0 0 Definition 0

1 1

Private DSS1 numbering plan 0 0 Unknown 0 0 International number 0 1 National number 0 1 Network specific number 1 0 Subscriber number 1 1 Abbreviated number 1 1 Reserved for extension 0 0 Unknown 0 ISDN/telephony numbering plan( Recommendation E.164) 0 Data numbering plan( Recommendation X.121)

0

1

0

1

0

0

1

0

0 0

0

1

0 1 1

Protocol Field (Bit) value 0 0 0 Definition 1 Telex numbering plan( Recommendation F.69) 0 National standard numbering plan 0 Private numbering plan 1 Reserved for extension 0 0 0 1 0 0 0 1 1 0 1 0 1 1

1 0 0

1 0 1 1 1 ETSI 0 Unknown 0 International number 1 National number 1 Network specific number 0 Subscriber number 1 Abbreviated number 1 Reserved for extension 1

0 0 Unknown 0 0 0 1 0 0

Protocol ISDN/telephony numbering plan( Recommendation E.164) 0 0 Data numbering plan( Recommendation X.121) 0 1 Telex numbering plan( Recommendation F.69) 1 0 National standard numbering plan 1 0 Private numbering plan 1 1 Reserved for extension 0 0 0 1 NI 0 0 Unknown number in Unknown numbering plan 0 0 International number in ISDN numbering plan (Rec. E.164) 1 0 National number in ISDN numbering plan (Rec. E.164) 1 0 Network specific number in private numbering plan 0 0 0 0 1 0 0 0 1 0 0 0 1 0 1 0 0 0 0 1 1 Field (Bit) value Definition

0 0 1

0 0 1

0 1 1

1 0

Protocol 1 Field (Bit) value Local (directory) number in ISDN numbering plan (Rec. E.164) 1 0 0 0 Definition

1 1 1

Abbreviated NTT number in private numbering plan 0 0 Unknown 0 1 National number 0 1 Network specific number 1 0 Subscriber number 0 0 Unknown 0 ISDN/telephony numbering plan( Recommendation E.164) 0 Private numbering plan

0

0

1

0

0

0 0

0

1

1 0 1

Types and code schemes of ISDN numbers

calling: Code scheme of the calling number.
called: Code scheme of the called number.

Description
Using the isdn number-property command, you can set type and code scheme of ISDN calling numbers or called numbers. Using the undo isdn number-property command, you can restore the default type and code scheme of ISDN calling numbers or called numbers.

By default, the number type and code scheme are respectively unknown and ISDN for both ISDN calling numbers and called numbers, and the number-property representing them is 01 in hex format.

You are not allowed to configure this command on an ISDN interface if there is still a call on it. This command can take effect only if it is configured when there is no call on the interface. Alternatively, you can manually disable the interface by executing the shutdown command, configure the command, and then enable the interface by executing the undo shutdown command. The operations, however, will lead to the disconnection of the call existing on the interface.

Example
Set both number type and code scheme of ISDN calling numbers on the interface Bri 0/0/0 to unknown.
[3Com-Bri0/0/0] isdn number-property 0 calling
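
An added example, not taken from the 3Com manual: a decoder and encoder for the number-property argument that follows the bit layout given above (bits 1 through 4 code scheme, bits 5 through 7 type, bit 8 reserved, with bit 1 assumed to be the least significant bit). The code points are the DSS1 (Q.931) ones whose names Table 11 lists; the other protocols assign different values, and the function names are illustrative.

```python
# Type of number, bits 7..5 (DSS1 / Q.931 code points).
NUMBER_TYPES = {
    0b000: "unknown",
    0b001: "international number",
    0b010: "national number",
    0b011: "network specific number",
    0b100: "subscriber number",
    0b110: "abbreviated number",
    0b111: "reserved for extension",
}

# Code scheme (numbering plan), bits 4..1 (DSS1 / Q.931 code points).
CODE_SCHEMES = {
    0b0000: "unknown",
    0b0001: "ISDN/telephony numbering plan (E.164)",
    0b0011: "data numbering plan (X.121)",
    0b0100: "telex numbering plan (F.69)",
    0b1000: "national standard numbering plan",
    0b1001: "private numbering plan",
    0b1111: "reserved for extension",
}


def decode_number_property(arg):
    """Split the hex argument of 'isdn number-property' into its fields."""
    try:
        value = int(arg, 16)
    except ValueError:
        raise ValueError(f"not a hex value: {arg!r}") from None
    if not 0 <= value <= 0xFF:
        raise ValueError(f"outside the range 0 to FF: {arg!r}")
    type_bits = (value >> 4) & 0b111   # bits 7..5
    scheme_bits = value & 0b1111       # bits 4..1
    return {
        "value": value,
        "reserved_bit8_set": bool(value & 0x80),
        "type": NUMBER_TYPES.get(type_bits, "undefined in DSS1"),
        "scheme": CODE_SCHEMES.get(scheme_bits, "undefined in DSS1"),
    }


def encode_number_property(type_name, scheme_name):
    """Build the two-digit hex argument from a type and a code scheme name."""
    types = {name: bits for bits, name in NUMBER_TYPES.items()}
    schemes = {name: bits for bits, name in CODE_SCHEMES.items()}
    if type_name not in types:
        raise ValueError(f"unknown number type: {type_name!r}")
    if scheme_name not in schemes:
        raise ValueError(f"unknown code scheme: {scheme_name!r}")
    # Bit 8 is reserved and left clear.
    return f"{(types[type_name] << 4) | schemes[scheme_name]:02x}"


if __name__ == "__main__":
    # "01" is the documented default, "0" is the value in the example above,
    # "21" and "a1" are constructed inputs.
    for sample in ("01", "0", "21", "a1"):
        print(sample, decode_number_property(sample))
```
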

isdn overlap-sending

Syntax
isdn overlap-sending [ digits ]
undo isdn overlap-sending

View
ISDN interface view

Parameter
digits: The number of digits sent each time in overlap-sending mode, in the range of 1 to 15. By default, digits is 10.

Description
Using the isdn overlap-sending command, you can set the system to send the called number information in the overlap mode on the ISDN interface. Using the undo isdn overlap-sending command, you can set the system to send the called information in full mode.

In "overlap-sending" mode, the digits of each called number will be sent separately and the number of the digits sent each time can be set using this command. In "full-sending" mode, all the digits of each called number will be collected and sent at a time.

By default, full-sending mode applies.

You are not allowed to configure this command on an ISDN interface if there is still a call on it. This command can take effect only if it is configured when there is no call on the interface. Alternatively, you can manually disable the interface by executing the shutdown command, configure the command, and then enable the interface by executing the undo shutdown command. The operations, however, will lead to the disconnection of the call existing on the interface.

Overlap-sending is only suitable for four ISDN protocols: ANSI, DSS1, ETSI, and NI.

Example
Apply the overlap-sending function on the interface Bri0/0/0 and set the number of digits allowed to be sent each time to 12 digits.
[3Com-Bri0/0/0] isdn overlap-sending 12

isdn pri-slipwnd-size

Syntax
isdn pri-slipwnd-size window-size
isdn pri-slipwnd-size default

View
Interface view

Parameter
window-size: Slide window size in the range of 5 to 14. By default, the slide window size on PRI interfaces is 7.

Description
Using the isdn pri-slipwnd-size command, you can set the slide window size on a PRI interface. Using the isdn pri-slipwnd-size default command, you can restore the default slide window size on the PRI interface.

Example
Configure the slide window size on the interface e1 0/0/0 to 10.
[3Com] controller e1 0/0/0
[3Com-E1 0/0/0] using
[3Com-E1 0/0] pri-set
[3Com-Serial0/0/0:15] isdn pri-slipwnd-size 10

isdn protocol-type

Syntax
isdn protocol-type protocol

View
ISDN interface view

Parameter
protocol: ISDN protocol, which can be DSS1, NTT, NI, ETSI, ANSI, or AT&T.

Description
Using the isdn protocol-type command, you can set the ISDN protocol to be run on an ISDN interface.

By default, both BRI and PRI interfaces run the ISDN protocol DSS1.

You are not allowed to configure this command on an ISDN interface if there is still a call on it. This command can take effect only if it is configured when there is no call on the interface. Alternatively, you can manually disable the interface by executing the shutdown command, configure the command, and then enable the interface by executing the undo shutdown command. The operations, however, will lead to the disconnection of the call existing on the interface.

You are allowed to configure:
ANSI ISDN on BRI and T1 PRI interfaces;
AT&T ISDN on T1 PRI interfaces;
DSS1 ISDN on BRI, E1 PRI, and T1 PRI interfaces;
ETSI ISDN on BRI, E1 PRI, and T1 PRI interfaces;
NI (National ISDN) on BRI interfaces;
NTT ISDN on BRI and T1 PRI interfaces.

Example
Apply ISDN ETSI on the interface Bri0/0/0.
[3Com-Bri0/0/0] isdn protocol-type etsi

isdn send-restart

Syntax
isdn send-restart
undo isdn send-restart

View
System view

Parameter
None

Description
Using the isdn send-restart command, you can set restart mark in a distributed system (6000/3000 DSL Family routers), so that the MPU will control the PRI interface to send RESTART message after re-establishing a link. Using the undo isdn send-restart command, you can remove the restart mark.

This command is invalid for the MCU in a centralized system, 6000/3000 DSL Family Routers for example.

Example
Enable the MCU to automatically send RESTART messages to interface boards.
[3Com] isdn send-restart

Disable automatic RESTART message sending.
[3Com] undo isdn send-restart

isdn spid auto_trigger

Syntax
isdn spid auto_trigger

View
ISDN BRI interface view

Parameter
None

Description
Using the isdn spid auto_trigger command, you can enable SPID auto-negotiation once on the BRI interface running the NI protocol.

On a BRI interface compliant with the North American ISDN protocol, the router can place a call only after SPID negotiation or initialization. SPID information can be obtained via static configuration or dynamic negotiation. You may manually trigger a new SPID negotiation request by executing this command if the SPID negotiation in dynamic negotiation fails or just for the purpose of testing.

By default, a BRI interface does not originate a SPID negotiation request unless triggered by a call.

This command applies only on the BRI interface running the NI protocol.

Example
Manually trigger a new SPID negotiation request on the interface bri0/0/0.
[3Com-bri0/0/0] isdn spid auto_trigger

isdn spid nit

Syntax
isdn spid nit
undo isdn spid nit

View
ISDN BRI interface view

Parameter
None

Description
Using the isdn spid nit command, you can set the SPID processing mode to NIT (Not Initial Terminal) on an NI-compliant BRI interface. Using the undo isdn spid nit command, you can disable the NIT mode on the BRI interface.

By default, NIT mode does not apply on BRI interfaces. Instead, static SPID or dynamic SPID negotiation is applied.

On an NI-compliant BRI interface, calls can be placed only after the SPID negotiation or initialization is finished. When the router is communicating with an NI-compliant exchange that does not support SPID negotiation, you can use this command to set the SPID processing mode on the router to NIT, and ISDN will ignore SPID negotiation and initialization.

This command applies only on NI-compliant BRI interfaces.

Example
Ignore SPID negotiation and initialization on the interface bri0/0/0, i.e., adopting the NIT mode.
[3Com-bri0/0/0] isdn spid nit

isdn spid timer

Syntax
isdn spid timer seconds
undo isdn spid timer

View
ISDN BRI interface view

Parameter
seconds: Duration of the SPID timer, which is in the range of 1 to 255 seconds, and defaults to 30 seconds.

Description
Using the isdn spid timer command, you can set the duration of the timer TSPID for an NI-compliant BRI interface to timer_length. Using the undo isdn spid timer command, you can restore the default duration of the timer TSPID for the NI-compliant BRI interface.

On a BRI interface compliant with the ISDN protocol in North America, calls can be placed only after the SPID negotiation or initialization is finished. SPID information can be obtained via static configuration or dynamic negotiation. The timer TSPID is started when the terminal originates a negotiation or initialization request by sending the INFORMATION message. You can use this command to modify the duration of TSPID.

This command applies only on NI-compliant BRI interfaces.

Example
Set the duration of TSPID on the interface bri0/0/0 to 50 seconds.
[3Com-bri0/0/0] isdn spid timer 50

isdn spid service

Syntax
isdn spid service [ audio | data | speech ]
undo isdn spid service

View
ISDN BRI interface view

Parameter
audio: Supports audio service.
data: Supports data service.
speech: Supports voice service.

Description
Using the isdn spid service command, you can configure the service types that must be supported in SPID negotiation on the BRI interface adopting NI protocol. Using the undo isdn spid service command, you can delete the service types that must be supported in SPID negotiation on the BRI interface adopting NI protocol.

There are three types of services; you can select any one of them or none. None means all services are supported.

By default, SPID needs to support data and voice service simultaneously.

Generally, on a BRI interface adopting the North America ISDN protocol, you need to negotiate or initialize SPID before originating a call. During negotiation, SPCS may send multiple SPIDs and carry the service types supported by each SPID; therefore, the router needs to choose a proper SPID according to the local service type.

This command can only be applied on the BRI interface adopting NI protocol.

Example
Set the service type supported by BRI interface to data and voice.
[3Com-bri0] isdn spid service data
[3Com-bri0/0] isdn spid service speech

isdn spid resend

Syntax
isdn spid resend times
undo isdn spid resend

View
ISDN BRI interface view

Parameter
times: An integer in the range of 1 to 255 times, which defaults to 1.

Description
Using the isdn spid resend command, you can set the number of INFORMATION message retransmission attempts for SPID negotiation or initialization on an NI-compliant BRI interface. Using the undo isdn spid resend command, you can restore the default number of INFORMATION message retransmission attempts on the interface.

On a BRI interface compliant with the ISDN protocol in North America, calls can be placed only after the SPID negotiation or initialization is finished. The timer TSPID is started when the terminal originates a negotiation or initialization request by sending the INFORMATION message. If the terminal does not receive any response upon the expiration of TSPID, it will retransmit the INFORMATION message. You can use this command to modify the number of INFORMATION message retransmission attempts.

This command applies only on NI-compliant BRI interfaces.

Example
Set the allowed number of INFORMATION retransmission attempts to five.
[3Com-bri0/0/0] isdn spid resend 5

isdn spid1

Syntax
isdn spid1 spid
undo isdn spid1

View
ISDN BRI interface view

Parameter
spid: String comprising 1 to 20 digits.

Description
Using the isdn spid1 command, you can configure SPID information for the B1 channel on an NI-compliant BRI interface. Using the undo isdn spid1 command, you can remove the SPID information of the B1 channel on the interface.

On a BRI interface compliant with the ISDN protocol in North America, calls can be placed only after the SPID negotiation or initialization is finished. SPID information can be obtained via static configuration or dynamic negotiation. Only after SPID information is configured for the B1 channel on the BRI interface can the system perform the L3 initialization to place calls normally.

By default, SPID for the B1 channel on a BRI interface is null.

This command applies only on NI-compliant BRI interfaces.

Example
Set SPID to "012345" for the B1 channel on the interface bri0/0/0.
[3Com-bri0/0/0] isdn spid1 012345

isdn spid2

Syntax
isdn spid2 spid
undo isdn spid2

View
ISDN BRI interface view

Parameter
spid: String comprising 1 to 20 digits.

Description
Using the isdn spid2 command, you can configure SPID information for the B2 channel on an NI-compliant BRI interface. Using the undo isdn spid2 command, you can remove the SPID information of the B2 channel on the interface.

On a BRI interface compliant with the ISDN protocol in North America, calls can be placed only after the SPID negotiation or initialization is finished. SPID information can be obtained via static configuration or dynamic negotiation. Only after SPID information is configured for the B2 channel on the BRI interface can the system perform the L3 initialization to place calls normally.

By default, SPID for the B2 channel on a BRI interface is null.

This command applies only on NI-compliant BRI interfaces.

Example
Set SPID to "012345" for the B2 channel on the interface bri0/0/0.
[3Com-bri0/0/0] isdn spid2 012345

isdn statistics

Syntax
isdn statistics { clear | continue | display [ flow ] | start | stop }

View
ISDN interface view

Parameter
clear: Clears the statistics.
continue: Continues counting.
display: Displays the statistics.
display flow: Displays the statistic information about message flows.
start: Starts counting.
stop: Stops counting.

Description
Using the isdn statistics command, you can have the system collect statistics on the information received and transmitted at an ISDN interface.

By default, no statistics are collected on the information transmitted and received at interfaces.

In the view of an interface, use isdn statistics start to start collecting statistics on the messages received and transmitted at the interface, isdn statistics display to view the statistics, isdn statistics continue to continue collecting statistics, isdn statistics display flow to view the statistics in the form of flow, and isdn statistics stop to stop collecting statistics.

Example
Display statistics information on the PRI interface.
[3Com-serial0/0/0:15] isdn statistics display
Q.931 message received and sent out on current port:
CALL_PROC Send(0) Recv(6)
SETUP Send(6) Recv(13)
CONN Send(13) Recv(5)
SETUP_ACK Send(0) Recv(6)
CONNECT_ACK Send(5) Recv(13)
DISCONNECT Send(3) Recv(16)
RELEASE Send(1) Recv(18)
RELEASE_COM Send(18) Recv(1)

SLIP Configuration Commands
debugging slip

Syntax
debugging slip { event | error | packet | all }

View
User view

Parameter
packet: Enables packet debugging output switch.

Description
Using the debugging slip command, you can enable the debugging switch of the SLIP protocol.

Example
None

link-protocol slip

Syntax
link-protocol slip

View
Interface view

Parameter
None

Description
Using the link-protocol slip command, you can set the link layer protocol of the interface as SLIP.

By default, the link-layer protocol for the interface is PPP.

A P2P link can use the simpler link layer protocol SLIP (Serial Line IP), which is mainly used to run TCP/IP on a P2P serial port. SLIP is only used on asynchronous links.

SLIP only defines the start and end identifiers of a frame, so that IP packets can be extracted from the serial line. Compared with PPP, SLIP has no address concept, no negotiation process, no differentiation of packet types (so only one network protocol can be supported at a time) and no error correction function.

The link layer protocol of the interface shall be consistent with that of the peer interface.

Example
Configure the link layer protocol on the interface Serial0/0/0 as SLIP.
[3Com-Serial0/0/0] link-protocol slip

HDLC Configuration Commands
link-protocol hdlc

Syntax
link-protocol hdlc

View
Interface view

Parameter
None

Description
Using the link-protocol hdlc command, you can configure the interface encapsulation as HDLC.

HDLC is a link layer protocol and can bear network layer protocols, such as IP and IPX.

By default, the interface is encapsulated with PPP.

For the related commands, see timer hold and display interface.

Example
Configure HDLC encapsulation on interface Serial1/0/0.
[3Com-Serial1/0/0] link-protocol hdlc

timer hold

Syntax
timer hold seconds
undo timer hold

View
Interface view

Parameter
seconds: Value of the polling interval. The value is in the range from 0 to 32767 in seconds. 0 indicates that the link detection function is disabled.

Description
Using the timer hold command, you can set the polling interval. Using the undo timer hold command, you can restore the default value of the polling interval.

By default, the value of seconds is 10 seconds.

The polling interval should be set to the same value at the two ends of the data link. Setting the polling interval to zero at both ends disables the polling operation of the data link.

For the related command, see display interface.

Example
Set the value of polling interval on interface Serial1/0/0 to 100 seconds.
[3Com-Serial1/0/0] timer hold 100

Frame Relay Configuration Commands

307

Frame Relay Configuration Commands
debugging fr Syntax
debugging fr { all | inarp | compress | congestion | de | event | fragment | lmi | mfr control | packet | transmit-rate } [ interface interface-type interface-number [ dlci dlci-number ] ] undo debugging fr { all | inarp | compress | congestion | de | event | fragment | ipc | lmi | mfr control | packet | transmit-rate } [ interface interface-type interface-number [ dlci dlci-number ] ]

View User view Parameter all: All frame relay information debugging. arp: Information debugging of frame relay address resolution protocol. When this parameter is in use, DLCI can be specified. compress: Information debugging of frame relay compression. congestion: Information debugging of frame relay traffic congestion management. de: DE information debugging of FRTS. event: Information debugging of frame relay event. When this parameter is used, no interface can be specified. fragment: Information debugging of frame relay fragment. When this parameter is in use, DLCI must be specified. lmi: Information debugging of frame relay LMI (Local Management Interface) protocol. mfr control: Information debugging of multilink frame relay bundle and bundle link. packet: Information debugging of frame relay packet. When this parameter is in use, DLCI can be specified. transmit-rate: Information debugging of FRTS transmit rate. interface-type: Interface type. interface-number: Interface number, in 3-dimension form (slot number/card number/interface number). dlci dlci-number: DLCI number of virtual circuit, ranging from 16 to 1007.


CHAPTER 4: LINK LAYER PROTOCOL

Description
Using the debugging fr command, you can enable frame relay information debugging. Using the undo debugging fr command, you can disable frame relay information debugging. By default, frame relay information debugging is disabled. For multilink frame relay, if the information debugging of multilink frame relay bundle and bundle link (mfr control) is enabled, the sent/received bundle link controlling information and status change of bundle link will be displayed. If FRTS function is enabled, the change of frame relay sending rate can be seen after the transmit rate information debugging (transmit-rate) is enabled. The enabling of frame relay information debugging greatly affects system performance, so this command should be used cautiously.

Example
Enable frame relay compression debugging of all interfaces.
<3Com> debugging fr compress

Enable the FRTS congestion management debugging of serial interface 5/0/1.
<3Com> debugging fr congestion interface serial 5/0/1

Enable DE debugging of FRTS on serial interface 5/0/1.
<3Com> debugging fr de interface serial 5/0/1

Enable FRTS transmit rate debugging of serial interface 5/0/1.
<3Com> debugging fr transmit-rate interface serial 5/0/1

Enable debugging of the bundle interface MFR1/0/0, supposing several links have been bundled on it.
<3Com> debugging fr mfr control interface mfr1/0/0
serial3/0/2(Out): MFR msg=Add_link, Length=28, Link=serial5/1/0, BL state=Add_sent
e1 00 01 01 07 4d 46 52 30 00 02 0c 53 65 72 69 61 6c 32 3a
serial3/0/2(In): MFR msg=Add_link, Length=30, Link=serial5/1/0, BL state=Add_sent
e1 00 01 01 09 6b 70 6c 6b 70 6c 00 02 0c 53 65 72 69 61 6c
serial3/0/2(Out): MFR msg=Add_link_ack, Length=28, Link=serial5/1/0, BL state=Add_rx
e1 00 02 01 07 4d 46 52 30 00 02 0c 53 65 72 69 61 6c 32 3a
serial3/0/2(Out): MFR msg=Hello, Length=9, Link=serial5/1/0, BL state=Up
e1 00 05 03 06 43 4b 01 f6
serial3/0/2(In): MFR msg=Hello_ack, Length=9, Link=serial5/1/0, BL state=Up
e1 00 05 03 06 2f f7 00 a5


display fr compress

Syntax
display fr compress [ interface interface-type interface-number ]

View
Any view.

Parameter
interface-type: Interface type.
interface-number: Interface number, in 3-dimension form: slot number/card number/interface number.

Description
Using the display fr compress command, you can view the statistics information of the frame relay compression. If no interface is specified, the DLCI statistics information of all the interfaces will be displayed. For the related command, see fr compression frf9.

Example
View the frame relay compression statistics information of MFR interface 4/0/0.
<3Com> display fr compress interface mfr 4/0/0
MFR4/0/0 -DLCI:25
uncompressed bytes xmt/rcv 0/0
compressed bytes xmt/rcv 0/0
1 min avg ratio xmt/rcv 0.000/0.000
5 min avg ratio xmt/rcv 0.000/0.000

display fr dlci-switch

Syntax
display fr dlci-switch [ interface interface-type interface-num ]

View
Any view

Parameter
interface-type: Type of the interface.
interface-number: Number of the interface, including slot-number/card-number/port-number. The specified interface can only be main interface. Information of all interfaces will be displayed without specifying interface.

Description
Using the display fr dlci-switch command, you can view the information of the configured FR switching to check if the frame relay switching of a user is correctly configured. For the related command, see fr dlci-switch.

Example
View the information of the configured FR switching.
<3Com> display fr dlci-switch
Status     Interface(Dlci) < -----> Interface(Dlci)
Inactive   Serial0/1/1:10(100)      Serial1/1/0:10(100)

Table 12 Description of the output information of command display fr dlci-switch
Item                                    Description
Status                                  The status of FR switching function
Interface(Dlci) < -- > Interface(Dlci)  Input interface and its DLCI, output interface and its DLCI

display fr inarp-info

Syntax
display fr inarp-info [ interface interface-type interface-num ]

View
Any view

Parameter
interface-type interface-num: Used to specify the interface to be viewed. Only the main interface can be specified here. The information of all interfaces will be displayed for the command without specifying an interface.

Description
Using the display fr inarp-info command, you can view the packet statistics of the FR inverse address resolution protocol. The packets of FR inverse ARP include the address resolution request packet and address resolution reply packet. According to the output information via this command, you can diagnose if the inverse ARP operates normally. For the related command, see fr inarp.

Example
Display the packet statistics of the FR inverse address resolution protocol.
<3Com> display fr inarp-info
interface Serial1/1/1:1:
dlci   type         size   in/out/drop
200    FRF12(ETE)   80     0/0/0 T

Table 13 Output information description
Item          Description
interface     Current interface
dlci          DLCI number
type          Fragment type
size          Fragment size
in/out/drop   Received/transmitted/dropped fragments

display fr interface

Syntax
display fr interface interface-type interface-num

View
Any view

Parameter
interface-type interface-num: Used to specify the interface to be viewed. The specified interface can be a main interface or a sub-interface. The whole information will be displayed for the command without specifying an interface.

Description
Using the display fr interface command, you can view the FR status, which is helpful for you to perform fault diagnosis. For the related command, see display interface.

Example
Display the FR protocol status.
<3Com> display fr interface
Serial1/0/0, DTE, physical up, protocol up
Serial1/0/0.1, multi-point, protocol up
Serial1/0/0.2, point-to-point, protocol down
Serial2/0/0, DCE, physical down, protocol down

This command displays the protocol status of each interface encapsulated with FR. The above information indicates that: Frame Relay interface type of Serial1/0/0 is DTE. Physical layer protocol and link layer protocol of Serial1/0/0 are activated.

display fr lmi-info

Syntax
display fr lmi-info [ interface interface-type interface-num ]

View
Any view

Parameter
interface-type interface-num: Used to specify the interface to be viewed. The whole information will be displayed for the command without specifying an interface.

Description
Using the display fr lmi-info command, you can view the statistics of LMI protocol frame. The LMI protocol is used to maintain the current frame relay link, including the status enquiry packet and status packet. The displayed information helps you to diagnose the faults. For the related command, see fr interface-type.

Example
Display the statistics of LMI protocol frame.
<3Com> display fr lmi-info
Frame relay LMI statistics for interface Serial1/0/0(DTE)
T391DTE = 10 (keepalive 10)
N391DTE = 6, N392DTE = 3, N393DTE = 4
out status enquiry = 96, in status = 85
status timeout = 3, discarded messages = 3
Frame relay LMI statistics for interface Serial2/0/0 (DCE, ANSI)
T391DTE = 0 (no keepalive)
T392DCE = 15, N392DCE = 3, N393DCE = 4
in status enquiry = 0, out status = 0
status enquiry timeout = 0, discarded messages = 0

The above shows various information about the FR LMI protocol. For example, the Frame Relay interface type of Serial1/0/0 is DTE. LMI protocol type is Cisco-compatible protocol. T391 parameter on DTE side is 10. N391 parameter on DTE side is 6. N392 parameter on DTE side is 3. N393 parameter on DTE side is 4. The number of Status Enquiry packets sent through Serial1/0/0 is 96. Received Status Enquiry packets are 85. Timeout packets are 3. Discarded packets are 3.

display fr map-info

Syntax
display fr map-info [ interface interface-type interface-num ]

View
Any view

Parameter
interface-type interface-num: Used to specify the interface to be viewed. The specified interface can be a main interface or a sub-interface. The whole information will be displayed for the command without specifying an interface.

Description
Using the display fr map-info command, you can view the FR address mapping table. The displayed information via the command indicates whether the static mapping configured by a user is correct and whether the dynamic address mapping operates normally. For the related commands, see fr map ip and fr inarp.

Example
Display Frame Relay address mapping table.
<3Com> display fr map-info
Map Statistics for interface Serial1/0/2 (DTE)
DLCI = 100, IP INARP 100.100.1.1, Serial1/0/2
create time = 2002/10/21 14:48:44, status = ACTIVE
encapsulation = ietf, vlink = 14, broadcast
DLCI = 200, IP INARP 100.100.1.1, Serial1/0/2
create time = 2002/10/21 14:34:42, status = ACTIVE
encapsulation = ietf, vlink = 0, broadcast
DLCI = 300, IP 1.1.1.1, Serial1/0/2
create time = 2002/10/21 15:03:35, status = ACTIVE
encapsulation = ietf, vlink = 15

The above indicates the information of each MAP configured with Frame Relay protocol. For example, as for the first address mapping, the mapping indicates that PVC (DLCI=100) on Serial1/0/2 establishes the address mapping with the peer end (IP address is 100.100.1.1) through Inverse ARP. The time of creating the mapping is 2002/10/21 14:48:44, and its status is active. Encapsulation format is IETF, and broadcast packet is available.

display fr pvc-info

Syntax
display fr pvc-info [ interface interface-type interface-num ]

View
Any view

Parameter
interface-type interface-num: Used to specify the interface to be viewed. The specified interface can be a main interface or a sub-interface. The whole information will be displayed for the command without specifying an interface.

Description
Using the display fr pvc-info command, you can view the FR PVC table. This command displays the statistics of the FR PVC status and receiving/sending data on this VC. For the related command, see fr dlci.

Example
Display the FR PVC table.
<3Com> display fr pvc-info
PVC statistics for interface Serial1/0/0 (DTE, physical UP)
DLCI = 100, USAGE = UNUSED (0000), INTERFACE = Serial1/0/0
create time = 2000/04/01 23:55:39, status = active
in BECN = 0, in FECN = 0
in packets = 0, in bytes = 0
out packets = 0, out bytes = 0
DLCI = 102, USAGE = LOCAL (0010), INTERFACE = Serial1/0/0.1
create time = 2000/04/01 23:56:14, status = active
in BECN = 0, in FECN = 0
in packets = 0, in bytes = 0
out packets = 0, out bytes = 0

The information listed above shows various information about the FR PVC. The above information indicates that: The PVC (DLCI=100) is the one (UNUSED) obtained through negotiating with the peer end via LMI. It is configured on Serial1/0/0. Establishing time is 2000/04/01 23:55:39. PVC status is active. The packets received of Forward Explicit Congestion Notifications (FECN) and Backward Explicit Congestion Notifications (BECN) are both 0. Received/sent frames are 0. Received/sent bytes are 0.

display fr statistics

Syntax
display fr statistics [ interface interface-type interface-num ]

View
Any view

Parameter
interface-type interface-num: Used to specify the interface to be viewed. Only the main interface can be specified here. The information of all interfaces will be displayed for the command without specifying an interface.

Description
Using the display fr statistics command, you can view the current Frame Relay statistics about receiving and sending packets. The output information of this command can help the user to perform FR traffic statistics and fault diagnosis. For the related command, see display interface.

Example
Display the Frame Relay statistics about receiving and sending packets.
<3Com> display fr statistics
Frame relay packet statistics for interface Serial1/0/0 (DTE)
in packets = 84, in bytes = 1333
out packets = 92, out bytes = 1217
discarded in packets = 13, discarded out packets = 0
Frame relay packet statistics for interface Serial1/1/0 (DCE)
in packets = 0, in bytes = 0
out packets = 0, out bytes = 0
discarded in packets = 0, discarded out packets = 0

The above information displays Frame Relay statistics about receiving and sending packets. For instance, it is known from the above information that the Frame Relay interface type of Serial1/0/0 is DTE. Received packets are 84. Received bytes are 1333. Sent packets are 92. Sent bytes are 1217. Discarded packets in received ones are 13. Discarded packets in sent ones are 0.

display interface mfr

Syntax
display interface mfr [interface-number .sub-number]

View
Any view

Parameter
interface-number: Interface number, in 3-dimension form (slot number/card number/interface number).
Sub-number: sub-interface number.

Description
This command is used to display the information of FR interface, including the statistical information.

Example
To view the configuration and status information of MFR interface 4/0/123
<3Com> display interface mfr 4/0/123
MFR4/0/123 current state : UP
Line protocol current state : UP
Description : 3Com, 3Com Series, MFR4/0/123 Interface
The Maximum Transmit Unit is 1500
Internet Address is 12.12.12.2/16
link-protocol is FRAME-RELAY IETF
LMI DLCI is 0, LMI type is Q.933a, frame relay DTE
LMI status enquiry sent 435, LMI status received 435
LMI status timeout 0, LMI message discarded 0
FIFO queuing: (Outbound queue:Size/Length/Discards)
FIFO: 0/75/0
5 minutes input rate 0 bytes/sec, 0 packets/sec
5 minutes output rate 0 bytes/sec, 0 packets/sec
1058 packets input, 832389 bytes, 0 drops
619 packets output, 828190 bytes, 0 drops


display mfr

Syntax
display mfr [ interface interface-type interface-number | verbose ]

View
Any view

Parameter
interface-type: Interface type.
interface-number: Interface number, in 3-dimension form (slot number/card number/interface number).
verbose: Displays detailed statistics information, including the number of controlling packets sent and received.

Description
Using the display mfr command, you can view configuration and statistics information of multilink frame relay bundle and bundle link. If no bundle or bundle link is specified, information of all bundles and bundle links will be displayed. For the related command, see link-protocol fr mfr and interface mfr.

Example
View configuration and state information of all frame relay bundles and frame relay bundle links.
<3Com-Serial4/1/2>display mfr
Bundle interface:MFR4/1/0, Bundle state = down, Bundle class = A, fragment disabled
Bundle BID = MFR4/1/0
Number of bundle links = 0, Peer's bundle-id =
Bundle links:
Bundle interface:MFR4/1/1, Bundle state = down, Bundle class = A, fragment disabled
Bundle BID = MFR4/1/1
Number of bundle links = 1, Peer's bundle-id =
Bundle links:
Serial4/1/1, PHY state = up, link state : add sent, LID : Serial4/1/1

View detailed state information of all frame relay bundle links.
<3Com> display mfr verbose
Bundle interface:MFR4/1/0, Bundle state = down, Bundle class = A, fragment disabled
Bundle BID = MFR4/1/0
Number of bundle links = 0, Peer's bundle-id =
Bundle links:
Bundle interface:MFR4/1/1, Bundle state = down, Bundle class = A, fragment disabled
Bundle BID = MFR4/1/1
Number of bundle links = 1, Peer's bundle-id =
Bundle links:
Serial4/1/1, PHY state = up, link state : add sent, LID : Serial4/1/1
Bundle Link statistics:
Add_link: sent packets = 112, rcv'd packets = 2,
Add_link_ack: sent packets = 2, rcv'd packets = 2,
Add_link_rej: sent packets = 0, rcv'd packets = 0,
Remove_link: sent packets = 0, rcv'd packets = 0,
Remove_link_ack: sent packets = 0, rcv'd packets = 0,
Hello: sent packets = 2180, rcv'd packets = 2174,
Hello_ack: sent packets = 2174, rcv'd packets = 2174,
outgoing pak dropped = 0, incoming pak dropped = 83
Cause code = ack timer expiry, Ack timer = 4, Hello timer = 10,
Max retry count = 2, Current count = 0, Peer LID =

Table 14 Output information description of display mfr command
Item                      Description
Bundle interface          Bundle
Bundle state              Running state of bundle interface
Bundle class              Class A indicates if there is one bundle link is in up state, the bundle is flagged as up. Moreover, all bundle links should be flagged as down before the bundle is down.
fragment disabled         Disable fragmentation function
Bundle BID                Bundle identifier
Number of bundle links    Number of bundle links
Peer's bundle-id          Bundle identifier of the peer
Bundle links              Physical interface information of each bundle link
PHY state                 Running state of physical interface
Link state                Running state of bundle link line protocol
LID                       Bundle link identifier
Bundle Link statistics:   Packet statistics information of bundle link
Add_link                  Number of “Add_link” packets sent and received. The “Add_link” packet is used to notify the peer that the local node has prepared for processing frames.
Add_link_ack              Number of “Add_link” acknowledgment packets sent and received. The “Add_link_ack” packet is used to notify the peer that an “Add_link” packet has been received.
Add_link_rej              Number of “Add_link” reject packets sent and received. The “Add_link_rej” packet is used to notify the peer that an “Add_link” packet has been rejected.
Remove_link               Number of “Remove_link” packets sent and received. The “Remove_link” packet is used to notify the peer that the local node is removing a bundle link from the bundle.
Remove_link_ack           Number of “Remove_link” acknowledgement packets sent and received. The “Remove_link_ack” packet is used to notify the peer that a “Remove_link” packet has been received.
Hello                     Number of “Hello” packets sent and received. The “Hello” packet is used to maintain link state.
Hello_ack                 Number of “Hello” acknowledgment packets sent and received. The “Hello_ack” packet is used to notify the peer that a “Hello” packet has been received.
outgoing pak dropped      Number of discarded packets that are sent
incoming pak dropped      Number of discarded packets that are received
Cause code                The reason for bundle link to be in the current state, possibly being the following values:
                          none: The link is in normal state.
                          ack timer expiry: The current link state is caused by the timeout of the local T-ack timer.
                          bundle link idle: The peer bundle link is idle, which generally occurs when the peer bundle interface is disabled.
                          inconsistent bundle: The peer has associated the bundle with another bundle, thus making inconsistent BID.
                          loopback detected: Loopback is enabled on the physical line of local bundle link.
                          unexpected Add_link: The “add_link” message is received when the bundle link is in up state. This case may occur when the line protocol is ready for being enabled and will disappear once the connection is created.
                          other: Other reasons, such as LID error.
Ack timer                 The time of resending hello message before bundle link receives acknowledgment message or of waiting for hello acknowledgment message before resending an “add_link” message used for initial synchronization.
Hello timer               Interval for bundle link to send hello message
Max retry count           Maximum retry times for bundle link to resend hello message or resend “Add_link” that is used for initial synchronization before the bundle link waits for hello acknowledgement message.
Current count             Current retry times
Peer LID                  Bundle link identifier of the peer link
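The display mfr verbose counters described in Table 14 can be checked mechanically. The following Python sketch is an added example, not part of the 3Com manual: it parses the output for one bundle link and reports requests that the peer never acknowledged. The line breaks in the sample text, the function names and the rule that a link whose PHY state is up but whose link state is not "up" counts as stuck are assumptions.

```python
import re

# "display mfr verbose" output for one bundle link, copied from the example in
# this section. The line breaks are an assumption about the original layout.
SAMPLE = """\
Bundle interface:MFR4/1/1, Bundle state = down, Bundle class = A, fragment disabled
Bundle BID = MFR4/1/1
Number of bundle links = 1, Peer's bundle-id =
Bundle links:
Serial4/1/1, PHY state = up, link state : add sent, LID : Serial4/1/1
Bundle Link statistics:
Add_link: sent packets = 112, rcv'd packets = 2,
Add_link_ack: sent packets = 2, rcv'd packets = 2,
Add_link_rej: sent packets = 0, rcv'd packets = 0,
Remove_link: sent packets = 0, rcv'd packets = 0,
Remove_link_ack: sent packets = 0, rcv'd packets = 0,
Hello: sent packets = 2180, rcv'd packets = 2174,
Hello_ack: sent packets = 2174, rcv'd packets = 2174,
outgoing pak dropped = 0, incoming pak dropped = 83
Cause code = ack timer expiry, Ack timer = 4, Hello timer = 10,
Max retry count = 2, Current count = 0, Peer LID =
"""

# \s* and \s+ between fields make the patterns tolerant of wrapped or
# flattened output, as often happens when a session log is pasted.
LINK_RE = re.compile(
    r"(?P<link>\S+),\s*PHY state\s*=\s*(?P<phy>\w+),\s*"
    r"link state\s*:\s*(?P<state>[^,]+?)\s*,\s*LID\s*:\s*(?P<lid>\S+)"
)
COUNTER_RE = re.compile(
    r"(?P<msg>[A-Za-z_]+):\s*sent packets\s*=\s*(?P<sent>\d+),\s*"
    r"rcv'd packets\s*=\s*(?P<rcvd>\d+)"
)
CAUSE_RE = re.compile(r"Cause code\s*=\s*(?P<cause>[^,]+?)\s*,")

# Request messages and the acknowledgment Table 14 associates with each.
PAIRS = {
    "Add_link": "Add_link_ack",
    "Remove_link": "Remove_link_ack",
    "Hello": "Hello_ack",
}


def parse_bundle_link(text):
    """Extract link identity, cause code and (sent, received) counters."""
    link = LINK_RE.search(text)
    if link is None:
        raise ValueError("no bundle link line found")
    cause = CAUSE_RE.search(text)
    counters = {
        m["msg"]: (int(m["sent"]), int(m["rcvd"]))
        for m in COUNTER_RE.finditer(text)
    }
    return {
        "link": link["link"],
        "phy": link["phy"],
        "state": link["state"],
        "lid": link["lid"],
        "cause": cause["cause"] if cause else None,
        "counters": counters,
    }


def unanswered(counters):
    """Requests sent locally minus acknowledgments received from the peer."""
    gaps = {}
    for request, ack in PAIRS.items():
        if request in counters and ack in counters:
            gaps[request] = counters[request][0] - counters[ack][1]
    return gaps


def diagnose(text, tolerance=0):
    """Summarise one bundle link: is it stuck, why, and what went unanswered."""
    info = parse_bundle_link(text)
    gaps = unanswered(info["counters"])
    return {
        "link": info["link"],
        # Assumption: a healthy link reports link state "up".
        "stuck": info["phy"] == "up" and info["state"].lower() != "up",
        "cause": info["cause"],
        "unanswered": {k: v for k, v in gaps.items() if v > tolerance},
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

On the sample, 110 of the 112 Add_link messages went unacknowledged, which is consistent with the link state "add sent" and the cause code "ack timer expiry" shown in the output.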


fr compression frf9

Syntax
fr compression frf9
undo fr compression

View
Frame relay interface view

Parameter
None

Description
Using the fr compression frf9 command, you can enable frame relay compression function. Using the undo fr compression command, you can disable frame relay compression function. By default, frame relay compression function is disabled. This command is only valid for point-to-point interfaces. In other words, it is used for frame relay sub-interfaces of point-to-point type. Only when the frame relay packets type of the interface is IETF, can frame relay compression take effect. When this command is configured, the system will automatically change the packet type of the interface into IETF if the frame relay packets type of an interface is not IETF. For the related command, see fr map.

Example
Enable frame relay compression on the point-to-point frame relay sub-interface Serial4/1/3.1.
[3Com] interface serial 4/1/3.1 p2p
[3Com-Serial4/1/3.1] fr compression frf9

fr compression iphc

Syntax
fr compression iphc
undo fr compression iphc

View
Frame Relay interface view

Parameter
None

Description
Using the fr compression iphc command, you can enable the IP header compression. Using the undo fr compression iphc command, you can disable the function. By default, the Frame Relay compression function is disabled. For the related command, see fr map.

Example
Configure the Frame Relay interface Serial 4/1/0 to adopt IP header compression.
[3Com-Serial4/1/0] fr compression iphc

fr dlci

Syntax
fr dlci dlci
undo fr dlci dlci

View
Interface view

Parameter
dlci: Virtual circuit number allocated for Frame Relay interface. The range of the number is 16 to 1007. 0 to 15 and 1008 to 1023 are reserved by the protocol for special purpose.

Description
Using the fr dlci command, you can configure the virtual circuit for Frame Relay interface. Using the undo fr dlci command, you can cancel the configuration. When the Frame Relay interface type is DCE or NNI, it is necessary to manually configure virtual circuit for interface (either main interface or sub-interface). When the Frame Relay interface type is DTE, if the interface is main interface, the system will automatically configure the virtual circuit according to the peer device. For the related command, see fr interface-type.

Example
Assign a virtual circuit with DLCI 100 to Frame Relay sub-interface Serial1/0/0.1.
[3Com-Serial1/0/0.1] fr dlci 100

fr dlci-switch

Syntax
fr dlci-switch in-dlci interface interface-type interface-number dlci out-dlci
undo fr dlci-switch in-dlci

View
Frame relay interface view and MFR interface view

Parameter
in-dlci: DLCI assigned to an interface to receive datagram, ranging from 16 to 1007.
interface-type: Interface type.
interface-number: Interface number, in 3-dimension form (slot number/card number/interface number).
out-dlci: DLCI of the specified interface where the packet is forwarded, ranging from 16 to 1007.

Description
Using the fr dlci-switch command, you can configure a static route for frame relay PVC switching. Using the undo fr dlci-switch command, you can delete a static route for frame relay PVC switching. By default, no static route for frame relay PVC switching is configured. Before the static route of frame relay PVC is configured, it is necessary to enable the frame relay PVC switching first by using the command fr switching. The type of the interface for forwarding packets can be either a frame relay interface or an MFR interface. If Tunnel interface is specified as the forwarding interface, the frame relay packets over IP can be realized. For the related command, see fr switching.

Example
Configure a static route that allows packets on the link with DLCI of 100 on Serial1/0/0 to be forwarded via the link with DLCI of 200 on interface Serial2/0/0.
[3Com-Serial1/0/0] fr dlci-switch 100 interface serial2/0/0 dlci 200

Configure a static route that allows packets on the link with DLCI of 200 on Serial4/1/2 to be forwarded via the link with DLCI of 300 on Tunnel interface Serial4/0/0.
[3Com-Serial4/1/2] fr dlci-switch 200 interface Tunnel4/0/0 dlci 300

fr inarp

Syntax
fr inarp [ ip ] [ dlci ]
undo fr inarp [ ip ] [ dlci ]

View
Interface view

Parameter
ip: Indicates that the inverse address resolution is performed on the ip network protocol.
dlci: Data link connection identifier number, i.e., virtual circuit number, indicating that the inverse address resolution is performed for this DLCI number only.

Description
Using the fr inarp command, you can enable the inverse address resolution of Frame Relay. Using the undo fr inarp command, you can disable this function. By default, system permits enabling the Frame Relay inverse address resolution. When the Frame Relay sends data over the interface, it is necessary to map the network address to the DLCI numbers. Such a map can be specified manually or can be completed via the function of automatic inverse address resolution. Automatic inverse address resolution can be started by using the command. If it is expected to enable the inverse address resolution function of all PVCs, the command without any parameters is adopted. If it is expected to enable the inverse address resolution function in the specified data link, the command with dlci parameter is adopted. For the related commands, see fr map, reset fr inarp, and display fr map-info.

Example
Enable the inverse address resolution at all PVCs of the Frame Relay interface Serial1/0/0.
[3Com-Serial1/0/0] fr inarp

fr interface-type

Syntax
fr interface-type { dce | dte | nni }
undo fr interface-type

View
Interface view

Parameter
dte, dce and nni: Three types of Frame Relay interfaces.

Description
Using the fr interface-type command, you can set the Frame Relay interface type. Using the undo fr interface-type command, you can restore the default Frame Relay interface type. By default, the frame relay interface type is DTE.

In Frame Relay, there are two communicating parties, the user side and network side. The user side is called Data Terminal Equipment (DTE), and the network side is called Data Communications Equipment (DCE). In a Frame Relay network, the interface between the Frame Relay switches is Network-to-Network Interface (NNI), and the corresponding interface adopts the NNI operating view. If the device is used as Frame Relay switching, the Frame Relay interface should operate in the NNI view or DCE mode. NE16E/08E/05 routers support the three modes. In NE16E/08E/05 routers, while configuring the Frame Relay interface type as DCE or NNI, it is unnecessary to perform the fr switching command in the System view. Please notice that this is different from Cisco. For the related command, see link-protocol fr.

Example
Set the type of the frame relay interface Serial1/0/0 to DCE.
[3Com] interface Serial1/0/0
[3Com-Serial1/0/0] fr interface-type dce

fr iphc

Syntax
fr iphc { nonstandard | rtp-connections number1 | tcp-connections number2 | tcp-include }
undo fr iphc { nonstandard | rtp-connections number1 | tcp-connections number2 | tcp-include }

View
Frame relay interface view and MFR interface view

Parameter
nonstandard: Nonstandard compatible compression format.
rtp-connections number1: The number of RTP compression connections, ranging from 3 to 255. By default, the number of RTP compression connections is 256.
tcp-connections number2: The number of TCP compression connections, ranging from 3 to 255. By default, the number of TCP compression connections is 256.
tcp-include: Includes TCP header compression when performing RTP compression.

Description
Using the fr iphc command, you can enable IP header compression function, including RTP/TCP header compression. Using the undo fr iphc command, you can disable this function. For the related configuration, see fr map ip.

Example
Configure the number of RTP compression connections as 200 on the frame relay Serial1/0/0.
[3Com-Serial1/0/0] fr iphc rtp-connections 200

fr lmi n391dte

Syntax
fr lmi n391dte n391-value
undo fr lmi n391dte

View
Interface view

Parameter
n391-value: Status counter of the PVC. The range of the value is 1 to 255.

Description
Using the fr lmi n391dte command, you can configure N391 parameter at the DTE side. Using the undo fr lmi n391dte command, you can restore the default value. By default, its value is 6. The DTE sends a Status-Enquiry packet at regular interval set by T391 to the DCE. There are two types of Status-Enquiry packets: link integrity authentication packet and link status enquiry packet. The N391 parameter defines the ratio of sending the two types of packets, that is, link integrity authentication packets : link status enquiry packets = (N391 - 1) : 1. For the related command, see fr interface-type.

Example
Set DTE as the operating mode of Frame Relay interface Serial1/0/0, and the counter value of the PVC status to 10.
[3Com-Serial1/0/0] link-protocol fr
[3Com-Serial1/0/0] fr interface-type dte
[3Com-Serial1/0/0] fr lmi n391dte 10

fr lmi n392dce

Syntax
fr lmi n392dce n392-value
undo fr lmi n392dce

View
Interface view

Parameter
n392-value: Error threshold, which ranges from 1 to 10.

Description
Using the fr lmi n392dce command, you can set N392 parameter at the DCE side. Using the undo fr lmi n392dce command, you can restore the default configuration. By default, the parameter value is 3. The DCE requires the DTE to send a Status-Enquiry packet at regular interval (set by T392). If the DCE does not receive the Status-Enquiry packet within a period of time, it will record the error by adding 1 to the error count. If the errors exceed the threshold, the DCE would consider the physical channels and all the DLCIs to be unavailable. N392 and N393 together define the “error threshold”. N393 defines the event number observed and N392 defines the error threshold of that number (N393). That is, if the number of errors that occurred to the DCE reaches N392 in N393 events, DCE will consider the errors have reached the threshold and declare the physical channels and all DLCIs to be unavailable. N392 should be less than N393. For the related commands, see fr interface-type and fr lmi n393dce.

Example
Set the operation of frame relay interface Serial1/0/0 as DCE mode and set N392 to 5 and N393 to 6.
[3Com] interface Serial1/0/0
[3Com-Serial1/0/0] link-protocol fr
[3Com-Serial1/0/0] fr interface-type dce
[3Com-Serial1/0/0] fr lmi n392dce 5
[3Com-Serial1/0/0] fr lmi n393dce 6

fr lmi n392dte

Syntax
fr lmi n392dte n392-value
undo fr lmi n392dte

View
Interface view

Parameter
n392-value: Error threshold, which ranges from 1 to 10.

Description
Using the fr lmi n392dte command, you can set N392 parameter at the DTE side. Using the undo fr lmi n392dte command, you can restore the default configuration. By default, the parameter is 3. The DTE sends a Status-Enquiry packet at a regular interval to the DCE to inquire the link status. On receiving this packet, the DCE will immediately send a Status-Response packet. If the DTE does not receive the response packet in the specified time, it will record the error by adding 1 to the error count. If the errors exceed the threshold, the DTE will consider the physical channels and all the DLCIs to be unavailable. N392 and N393 together define the “error threshold”. N393 indicates the event number observed and N392 indicates the error threshold of that number (N393). That is, if N392 errors occurred in N393 Status-Enquiry packets in the DTE, the DTE would consider that the error has exceeded the threshold and declare the physical channels and all DLCIs to be unavailable. N392 at DTE side should be less than N393 at DTE side. For the related commands, see fr interface-type and fr lmi n393dte.

Example
Set the operation of frame relay interface Serial1/0/0 as the DTE mode and set N392 to 5 and N393 to 6.
[3Com-Serial1/0/0] link-protocol fr
[3Com-Serial1/0/0] fr interface-type dte
[3Com-Serial1/0/0] fr lmi n392dte 5
[3Com-Serial1/0/0] fr lmi n393dte 6

fr lmi n393dce

Syntax
fr lmi n393dce n393-value undo fr lmi n393dce

View Interface view Parameter Event counter. The range of the value is 1~10. Description Using the fr lmi n393dce command, you can set the N393 parameter at the DCE side. Using the undo fr lmi n393dce command, you can restore the default configuration. By default, the parameter value is 4.

The DCE requires the DTE to send a Status-Enquiry packet at a regular interval (set by T392). If the DCE does not receive the Status-Enquiry packet, it records the error by adding 1 to the error count. If the errors exceed the threshold, the DCE considers the physical channels and all the DLCIs to be unavailable.

N392 and N393 together define the “error threshold”. N393 defines the number of events observed and N392 defines the error threshold within that number of events (N393). That is, if the number of errors at the DCE reaches N392 in N393 events, the DCE considers that the errors have reached the threshold and declares the physical channels and all DLCIs to be unavailable.

N392 at the DCE side should be less than N393 at the DCE side.

For the related commands, see fr interface-type and fr lmi n392dce.

Example
Set frame relay interface Serial1/0/0 to operate in DCE mode and set N392 to 5 and N393 to 6.

[3Com] interface Serial1/0/0
[3Com-Serial1/0/0] link-protocol fr
[3Com-Serial1/0/0] fr interface-type dce
[3Com-Serial1/0/0] fr lmi n392dce 5
[3Com-Serial1/0/0] fr lmi n393dce 6

fr lmi n393dte

Syntax
fr lmi n393dte n393-value
undo fr lmi n393dte

View
Interface view

Parameter
n393-value: Event counter. The range of the value is 1 to 10.

Description
Using the fr lmi n393dte command, you can set the N393 parameter at the DTE side. Using the undo fr lmi n393dte command, you can restore the default configuration.

By default, the parameter value is 4.

The DTE sends a Status-Enquiry packet to the DCE at a regular interval to inquire about the link status. On receiving this packet, the DCE immediately sends a Status-Response packet. If the DTE does not receive the response packet in the specified time, it records the error by adding 1 to the error count. If the errors exceed the threshold, the DTE considers the physical channels and all the DLCIs to be unavailable.

N392 and N393 together define the “error threshold”. N393 indicates the number of events observed and N392 indicates the error threshold within that number of events (N393). That is, if N392 errors occur in N393 Status-Enquiry packets at the DTE, the DTE considers that the error count has exceeded the threshold and declares the physical channels and all DLCIs to be unavailable.

N392 at the DTE side should be less than N393 at the DTE side.

For the related commands, see fr interface-type and fr lmi n392dte.

Example
Set frame relay interface Serial1/0/0 to operate in DTE mode and set N392 to 5 and N393 to 6.

[3Com-Serial1/0/0] link-protocol fr
[3Com-Serial1/0/0] fr interface-type dte
[3Com-Serial1/0/0] fr lmi n392dte 5
[3Com-Serial1/0/0] fr lmi n393dte 6
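The N392/N393 rule described for the fr lmi n392dte and fr lmi n393dte commands can be modelled as a sliding window over the last N393 polls. The Python model below is an added example, not 3Com code: the function names and poll traces are constructed, the link is treated as down once the error count reaches N392, the 10-second poll interval is the timer hold default, and recovery is not modelled because the manual does not describe it.

```python
from collections import deque


def check_thresholds(n392, n393):
    """Return the constraints from the manual that this N392/N393 pair violates."""
    problems = []
    if not 1 <= n392 <= 10:
        problems.append("N392 out of range 1..10")
    if not 1 <= n393 <= 10:
        problems.append("N393 out of range 1..10")
    if n392 >= n393:
        problems.append("N392 should be less than N393")
    return problems


def first_down_poll(responses, n392, n393):
    """Return the 1-based poll at which the DTE declares the link down, or None.

    responses: one boolean per Status-Enquiry, True if the Status-Response
    arrived in time. Only the last N393 polls are counted (assumed model).
    """
    window = deque(maxlen=n393)
    for poll, answered in enumerate(responses, start=1):
        window.append(0 if answered else 1)
        if sum(window) >= n392:      # N392 errors within the last N393 events
            return poll
    return None


def seconds_to_detect(responses, n392, n393, poll_interval=10):
    """Approximate detection time: polls needed times the DTE polling interval."""
    poll = first_down_poll(responses, n392, n393)
    return None if poll is None else poll * poll_interval


# Constructed traces: a hard outage, and a link that loses every second response.
OUTAGE = [False] * 12
FLAPPING = [True, False] * 10

if __name__ == "__main__":
    for n392, n393 in [(3, 4), (5, 6), (6, 5)]:
        print(f"N392={n392} N393={n393}",
              "violations:", check_thresholds(n392, n393),
              "| outage detected after", seconds_to_detect(OUTAGE, n392, n393), "s",
              "| flapping link down at poll", first_down_poll(FLAPPING, n392, n393))
```

With the defaults (3 and 4) a hard outage is detected after three polls, while the 5/6 setting from the example needs five; a pair with N392 greater than N393 can never reach the threshold in this model, so the link is never declared down.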

fr lmi t392dce

Syntax
fr lmi t392dce t392-value
undo fr lmi t392dce

View
Interface view

Parameter
t392-value: Value of the polling timer. The range of the value is 5 to 30, in seconds.

Description
Using the fr lmi t392dce command, you can set the T392 parameter at the DCE side. Using the undo fr lmi t392dce command, you can restore the default configuration.

By default, the parameter value is 15s.

This parameter defines the maximum time that the DCE waits for a Status-Enquiry. T392 at the DCE side should be greater than T391 at the DTE side.

For the related command, see fr interface-type.

Example
Set the frame relay interface Serial1/0/0 to operate in DCE mode and set T392 to 10s.

[3Com] interface Serial1/0/0
[3Com-Serial1/0/0] link-protocol fr
[3Com-Serial1/0/0] fr interface-type dce

[3Com-Serial1/0/0] fr lmi t392dce 10

fr lmi type

Syntax
fr lmi type { ansi | nonstandard | q933a }
undo fr lmi type

View
Interface view

Parameter
ansi: Standard LMI protocol type of ANSI T1.617 Appendix D.
nonstandard: Nonstandard compatible LMI protocol type.
q933a: Standard LMI protocol type of Q.933 Appendix A.

Description
Using the fr lmi type command, you can configure the Frame Relay LMI protocol type. Using the undo fr lmi type command, you can restore the default LMI protocol type.

By default, the LMI protocol type is q933a.

The NE16E/08E/05 routers usually support three LMI protocols, namely, Q.933 Appendix A, ANSI T1.617 Appendix D and Nonstandard compatible LMI protocol.

For the related command, see display interface.

Example
Set the FR LMI type of Serial1/0/0 to nonstandard.

[3Com-Serial1/0/0] fr lmi type nonstandard

fr map ip

Syntax
fr map ip { protocol-address [ ip-mask ] | default } dlci [ broadcast ] [ nonstandard | ietf ]
undo fr map ip { protocol-address | default } dlci

View
Interface view

Parameter
protocol-address: Peer protocol address.
ip-mask: IP mask used to establish a network segment map.
dlci: Local virtual circuit number. The range of the value is 16 to 1007.

default: Indicates that the system establishes one default map.
broadcast: Optional. Specifies whether broadcast packets can be sent in the mapping.
nonstandard: Indicates that the map adopts the nonstandard compatible encapsulation format.
ietf: Indicates that the map adopts the ietf encapsulation format.

Description
Using the fr map ip command, you can add an FR address mapping. Using the undo fr map ip command, you can cancel the configuration.

By default, no static address mapping exists and inverse address resolution is enabled.

The mapping can be established manually or completed via the inverse address resolution protocol. Manually configure the static mapping when there are only a few peer hosts or there is a default route. When the peer router supports the inverse address resolution protocol and the network is rather complex, the dynamic address mapping is established via the inverse address resolution protocol.

For the related commands, see display fr map and fr inarp.

Example
The IP address of the peer router connected to the local interface Serial1/0/0 is 202.38.163.252. There is a virtual circuit with DLCI 50 on the local Serial1/0/0 connected to this router. Configure the static address mapping as follows:

[3Com-Serial1/0/0] fr map ip 202.38.163.252 50

fr switch

Syntax
fr switch name [ interface interface-type interface-number dlci dlci1 interface interface-type interface-number dlci dlci2 ]
undo fr switch name

View
System view

Parameter
name: Name of PVC used for frame relay switching, consisting of 30 characters at most.
interface interface-type interface-number dlci dlci: DLCI number at both ends of PVC as well as the type and number of its interface. The peer can be specified as Tunnel interface.

Description
Using the fr switch command, you can create a PVC used for frame relay switching and enter frame relay switching view. Using the undo fr switch command, you can delete a specified PVC.

By default, there is no PVC used for frame relay switching.

The interface for forwarding packets can be either a frame relay interface or an MFR interface. If a Tunnel interface is specified as the forwarding interface, frame relay packets can be carried over IP.

In frame relay switching view, the shutdown/undo shutdown operation can be executed on a PVC.

Once a PVC used for switching has been configured, its interface and DLCI can no longer be changed. To change them, you must first delete the PVC defined for switching.

For the related commands, see display fr pvc-info, fr dlci-switch, fr switching, and fr dlci.

Example
Create a PVC named pvc1 on the DCE serving as the switch, which is from the DLCI 100 of serial interface 0/0/0 to the DLCI 200 of serial interface 1/0/0.

[3Com] fr switching
[3Com] fr switch pvc1 interface serial 0/0/0 dlci 100 interface serial 1/0/0 dlci 200
[3Com-fr-switching-pvc1]

fr switching

Syntax
fr switching
undo fr switching

View
System view

Parameter
None

Description
Using the fr switching command, you can enable frame relay PVC switching. Using the undo fr switching command, you can disable frame relay PVC switching.

By default, no FR switching is enabled.

The command is used to enable Frame Relay PVC switching.

Example
Enable PVC switching on FR interface.
[3Com] fr switching

interface mfr

Syntax
interface mfr interface-number [ .subnumber ]
undo interface mfr interface-number [ .subnumber ]

View
System view

Parameter
interface-number: Interface number of a multilink frame relay bundle, including slot number/card number/interface number, in which interface number ranges from 0 to 1023.
subnumber: Sub-interface number of a multilink frame relay bundle, ranging from 0 to 4095.

Description
Using the interface mfr command, you can create a multilink frame relay bundle interface or sub-interface and enter the corresponding interface view. Using the undo interface mfr command, you can delete a specified multilink frame relay bundle interface or sub-interface.

By default, there is no multilink frame relay interface or sub-interface.

Before using the undo interface mfr command to delete an MFR interface, you must delete all physical interfaces from the MFR interface.

Before an MFR sub-interface is created, the MFR interface must be created first.

For the related commands, see link-protocol fr mfr and mfr bundle-name.

Example
Create a multilink frame relay bundle interface with a point-to-multipoint sub-interface.

[3Com] interface mfr 4/0/123
[3Com-MFR4/0/123] quit
[3Com] interface mfr 4/0/123.1
[3Com-MFR4/0/123.1]

link-protocol fr

Syntax
link-protocol fr [ nonstandard | ietf ]

View
Interface view

Parameter
nonstandard: Nonstandard compatible encapsulation format.
ietf: Default encapsulation format according to the Internet Engineering Task Force (IETF) standard.

Description
Using the link-protocol fr command, you can encapsulate interface link layer protocol as Frame Relay.

By default, the link-layer protocol encapsulated on the interface is PPP, and the frame relay encapsulation format is IETF.

In VRP, the Frame Relay encapsulation can be either ietf or nonstandard compatible encapsulation (nonstandard). IETF encapsulation conforms to RFC1490, that is, it supports the IETF standard.

For the related command, see display interface.

Example
Configure Frame Relay encapsulation on interface Serial1/0/0 and select the nonstandard encapsulation compatible format.
[3Com-Serial1/0/0] link-protocol fr nonstandard

link-protocol fr mfr

Syntax
link-protocol fr mfr interface-number

View
Interface view

Parameter
interface-number: Interface number, in 3-dimension form (slot number/card number/interface number).

Description
Using the link-protocol fr mfr command, you can configure the current physical interface as a multilink frame relay bundle link and bundle it onto a specified MFR interface.

By default, there is no multilink frame relay bundle link.

When this command is configured, the specified MFR interface must exist. A maximum of 16 physical interfaces can be bundled onto an MFR interface.

To delete a physical interface from an MFR interface, use the link-protocol command to apply a link layer protocol other than frame relay MFR to the interface.

For the related commands, see interface mfr and mfr link-name.

Example
Configure the current serial interface as a bundle link and add it onto the frame relay bundle interface mfr4/0/123.
[3Com-Serial4/1/2] link-protocol fr mfr 4/0/123

mfr bundle-name

Syntax
mfr bundle-name [ name ]
undo mfr bundle-name [ name ]

View
MFR interface view

Parameter
name: Bundle identification, in the form of character string, with a length ranging from 1 to 49.

Description
Using the mfr bundle-name command, you can set the frame relay bundle identification (BID). Using the undo mfr bundle-name command, you can restore the default value.

By default, BID is in the form of “mfr + frame relay bundle number”, such as mfr4/0/123.

Each multilink frame relay bundle has a BID, which is only locally significant. Therefore, the BIDs at both ends of the link can be the same.

When changing the BID of an interface, you must execute the shutdown/undo shutdown command on the interface to make the new BID valid.

For the related command, see mfr link-name.

Example
Set the frame relay link BID to bundle1.

[3Com-MFR4/0/123] mfr bundle-name bundle1

mfr fragment

Syntax
mfr fragment
undo mfr fragment

View
MFR interface view

Parameter
None

Description
Using the mfr fragment command, you can enable fragmentation of a multilink frame relay bundle. Using the undo mfr fragment command, you can disable the function.

By default, the fragmentation of a multilink frame relay bundle is disabled.

For the related commands, see mfr fragment-size and mfr window-size.

Example
Enable fragmentation on the MFR interface 4/0/123.

[3Com] interface mfr 4/0/123
[3Com-MFR4/0/123] mfr fragment

mfr fragment-size

Syntax
mfr fragment-size bytes
undo mfr fragment-size

View
Frame relay interface view and MFR interface view

Parameter
bytes: Fragment size, in bytes, ranging from 60 to 1500.

Description
Using the mfr fragment-size command, you can configure the maximum fragment size allowed on a frame relay bundle link. Using the undo mfr fragment-size command, you can restore the default setting.

By default, the maximum fragment size allowed on a frame relay bundle link is 300 bytes.

The fragment size configured in frame relay interface view takes priority over the one configured in MFR interface view.

For the related commands, see mfr fragment and mfr window-size.

Example
Configure the maximum fragment size allowed on the multilink frame relay bundle link Serial4/1/2 to be 70 bytes.

[3Com-Serial4/1/2] mfr fragment-size 70

mfr link-name

Syntax
mfr link-name [ name ]
undo mfr link-name [ name ]

View
Frame relay interface view

Parameter
name: Name of a bundle link identification, in the form of character string, ranging from 1 to 49.

Description
Using the mfr link-name command, you can set the frame relay bundle link identification (LID). Using the undo mfr link-name command, you can restore the default setting.

By default, LID is the name of the corresponding physical interface.

The peer equipment identifies a frame relay bundle link via LID or associates the bundle link with a frame relay bundle by using LID. LID is locally valid; therefore, the LIDs at both ends of a link can be the same.

When changing the bundle LID on an interface, you must execute the shutdown/undo shutdown command on the interface to make the new bundle LID valid.

For the related command, see mfr bundle-name.

Example
Set the bundle LID of the multilink frame relay bundle link Serial4/1/2 to be bl1.

[3Com-Serial4/1/2] mfr link-name bl1

mfr retry

Syntax
mfr retry number
undo mfr retry

View
Frame relay interface view

Parameter
number: The maximum number of times that a bundle link can resend hello messages, ranging from 1 to 5. By default, it is 2 times.

Description
Using the mfr retry command, you can set the maximum number of times that a frame relay bundle link can resend a hello message while waiting for a hello acknowledgement message. Using the undo mfr retry command, you can restore the default setting.

If the number of times that a bundle link resends the hello message reaches the maximum without receiving an acknowledgement from the peer, the system regards the link protocol on the bundle link as malfunctioning.

This command can be configured only after the link-protocol fr mfr command has been used to associate a frame relay bundle link interface with a frame relay bundle.

For the related commands, see mfr timer ack and mfr timer hello.

Example
Set the bundle link Serial4/1/2 to resend the hello message 3 times at most.
[3Com-Serial4/1/2] mfr retry 3

mfr timer ack

Syntax
mfr timer ack seconds
undo mfr timer ack

View
Frame relay interface view

Parameter
seconds: Time to wait for a hello acknowledgment message before resending the hello message, in seconds, ranging from 1 to 10. By default, it is 4 seconds.

Description
Using the mfr timer ack command, you can set the time that a frame relay bundle link waits for a hello acknowledgment message before resending the hello message. Using the undo mfr timer ack command, you can restore the default setting.

For the related commands, see mfr timer hello and mfr retry.

Example
Set the frame relay bundle link Serial4/1/2 to wait for 6 seconds before resending the hello message.

[3Com-Serial4/1/2] link-protocol fr mfr 4/0/123
[3Com-Serial4/1/2] mfr timer ack 6

mfr timer hello

Syntax
mfr timer hello [ seconds ]

undo mfr timer hello [ seconds ]

View
Frame relay interface view

Parameter
seconds: Interval for a bundle link to send hello messages, in seconds, ranging from 1 to 180. By default, it is 10 seconds.

Description
Using the mfr timer hello command, you can set the interval for a frame relay bundle link to send hello messages. Using the undo mfr timer hello command, you can restore the default setting.

Both ends of a frame relay bundle link periodically send hello messages to the peer end. After the peer receives a hello message, it responds with a hello acknowledgement message.

For the related commands, see mfr timer ack and mfr retry.

Example
Set the bundle link Serial4/1/2 to send a hello message once every 15 seconds.
[3Com-Serial4/1/2] mfr timer hello 15

mfr window-size

Syntax
mfr window-size number
undo mfr window-size

View
MFR interface view

Parameter
number: Number of fragments, ranging from 1 to 16.

Description
Using the mfr window-size command, you can configure the number of fragments that can be held by the window used in sliding window algorithm when multilink frame relay reassembles received fragments.

By default, the size of a sliding window is equal to the number of physical interfaces of an MFR bundle.

For the related commands, see interface mfr, mfr fragment, and mfr fragment-size.

Example
Set the size of the sliding window of the MFR bundle interface MFR4/0/123 to be 8.
[3Com-MFR4/0/123] mfr window-size 8

shutdown

Syntax
shutdown
undo shutdown

View
Frame relay switching view

Description
Using the shutdown command, you can disable any current switching PVCs. Using the undo shutdown command, you can enable any current switching PVCs.

By default, switching PVC is enabled.

Example
Disable all the current switching PVCs.

[3Com] fr switch pvc1 interface serial 1/0/0 dlci 100 interface serial 2/0/0 dlci 200
[3Com-fr-switching-pvc1] shutdown

reset fr inarp

Syntax
reset fr inarp

View
User view

Parameter
None

Description
Using the reset fr inarp command, you can clear the address mapping established by inverse ARP.

In some special cases, for example, when the network architecture changes, the dynamic address maps originally established become invalid, so it is necessary to establish them again. Users can use this command to clear all the dynamic address maps.

For the related command, see fr inarp.

Example
Clear all the Frame Relay dynamic address maps.
[3Com] reset fr inarp

timer hold

Syntax
timer hold seconds
undo timer hold

View
Interface view

Parameter
seconds: Value of the polling timer, which ranges from 0 to 32767, in seconds. 0 indicates that the LMI protocol is disabled.

Description
Using the timer hold command, you can configure the polling timer at the DTE side. Using the undo timer hold command, you can restore its default value.

By default, the parameter is 10 seconds.

The parameter defines the interval at which the DTE sends Status-Enquiry packets.

For the related commands, see fr interface-type and fr lmi t392dce.

Example
Configure Frame Relay interface Serial1/0/0 to work in DTE mode, and set the value of the polling timer to 15 seconds.

[3Com-Serial1/0/0] link-protocol fr
[3Com-Serial1/0/0] fr interface-type dte
[3Com-Serial1/0/0] timer hold 15

ATM Configuration Commands

atm-class

Syntax
atm-class atm-class-name
undo atm-class atm-class-name

View
Interface view and PVC view

Parameter
atm-class-name: Name of ATM-Class.

Description
Using the atm-class command, you can apply a set of parameters (which are defined in ATM-Class) to an ATM interface or a PVC. Using the undo atm-class command, you can delete the specified ATM-Class.

For the related command, see atm class.

Example
Apply an ATM-Class named "main" to the interface Atm1/0/0.
[3Com-Atm1/0/0] atm-class main

atm class

Syntax
atm class atm-class-name
undo atm class atm-class-name

View
System view

Parameter
atm-class-name: Name of ATM-Class.

Description
Using the atm class command, you can create an ATM-Class and enter the ATM-Class view. Using the undo atm class command, you can delete the specified ATM-Class.

An ATM-Class is a group of predefined parameters that can be used for ATM interface or PVC.

For the related command, see atm-class.

Example
Create an ATM-Class named "main".
[3Com] atm class main

clock

Syntax
clock { master | slave }
undo clock

View
ATM master interface view

Parameter
master: Specify ATM interface to use the internal transmission clock signal.
slave: Restore the line clock signal.

Description
Using the clock command, you can specify that the ATM interface uses the internal transmission clock signal. Using the undo clock command, you can restore the use of the network clock signal.

By default, the ATM interface uses the network clock signal. This clock signal is usually provided by the device that provides the ATM interfaces.

When two network devices are directly connected back-to-back through their ATM interfaces, this command is used to set the internal transmission clock at the ATM interface of one device.

Although this command takes effect on both the ATM main interface and its sub-interfaces, it can only be used in ATM main interface view; the command does not exist in ATM sub-interface view.

For the related command, see display atm interface.

Example
Specify ATM interface Atm1/0/0 to use the internal transmission clock.
[3Com-Atm1/0/0] clock master

debugging atm all

Syntax
debugging atm all
undo debugging atm all

View
User view

Parameter
None

Description
Using the debugging atm all command, you can enable all the debugging switches of ATM. Using the undo debugging atm all command, you can disable the debugging.

By default, all the ATM debugging switches are disabled.

Because this command can produce a large volume of output, users may be unable to control network devices through their terminals, and the efficiency of packet transmission and reception may be greatly reduced.

For the related commands, see debugging atm error, debugging atm event, and debugging atm packet.

debugging atm error

Syntax
debugging atm error [ interface { interface-name | interface-type interface-num } [ pvc { pvc-name | vpi/vci } ] ]
undo debugging atm error [ interface { interface-name | interface-type interface-num } [ pvc { pvc-name | vpi/vci } ] ]

View
User view

Parameter
interface-name: ATM interface name. For detailed naming rules, please refer to the “Interface Configuration” chapter in this manual. If it is not specified, all the error debugging of ATM is enabled (including global debugging, interface-level debugging and PVC-level debugging).
interface-type: Interface type, which can determine an ATM interface together with interface-num.
interface-num: Interface number, which can determine an ATM interface together with interface-type.
pvc-name: PVC name, optional. If no PVC name and VPI/VCI pair are specified, all the error debugging of the PVC will be enabled.
vpi/vci: VPI/VCI pair, optional. For more details, please refer to “Parameter Description” in the pvc command.

Description
Using the debugging atm error command, you can enable the error debugging of ATM. Using the undo debugging atm error command, you can disable the debugging.

By default, all the ATM error debugging switches are disabled.

The interface-name parameter is actually composed of interface-type and interface-num. The only difference between the two forms is the space: on the command line, interface-type and interface-num are separated by a space, but there is no space in interface-name.

For the related commands, see display debugging and debugging atm all.

Example
Enable all the error debugging of ATM.

<3Com> debugging atm error

debugging atm event

Syntax
debugging atm event [ interface { interface-name | interface-type interface-num } [ pvc { pvc-name | vpi/vci } ] ]
undo debugging atm event [ interface { interface-name | interface-type interface-num } [ pvc { pvc-name |[ vpi/vci ] | vpi/vci } ] ]

View
User view

Parameter
interface-name: ATM interface name. For detailed naming rules, please refer to “Interface Configuration” part of this manual. If it is not specified, all the event debugging of ATM is enabled by default (including global debugging, interface-level debugging and PVC-level debugging).
interface-type: Interface type, which can determine an ATM interface together with interface-num.
interface-num: Interface number, which can determine an ATM interface together with interface-type.
pvc-name: PVC name, optional. If no PVC name and no VPI/VCI pair are specified, all the event debugging of PVC will be enabled.
vpi/vci: VPI/VCI pair, optional. For more details, please refer to “Parameter Description” in the pvc command.

Description
Using the debugging atm event command, you can enable the event debugging of ATM. Using the undo debugging atm event command, you can disable the debugging.

By default, all the debugging of ATM event is disabled.

The interface-name parameter is actually composed of interface-type and interface-num. The only difference between the two forms is the space: on the command line, interface-type and interface-num are separated by a space, but there is no space in interface-name.

This command is used to enable all the debugging of events that happen at the ATM interface or a PVC, which can be used to trace some essential events of the system. Such information may be helpful for detecting network faults.

Example
This example enables the debugging of ATM events and displays the results. Enable all the event debugging of ATM.

<3Com> debugging atm event

debugging atm packet

Syntax
debugging atm packet [ interface { interface-name | interface-type interface-num } [ pvc { pvc-name [ vpi/vci ] | vpi/vci } ] ]
undo debugging atm packet [ interface { interface-name | interface-type interface-num } [ pvc { pvc-name [ vpi/vci ] | vpi/vci } ] ]

View
User view

Parameter
interface-name: ATM interface name, optional. For detailed naming rules, please refer to “Interface Configuration” part of this manual. If it is not specified, all the packet debugging of ATM is enabled by default (including global debugging, interface-level debugging and PVC-level debugging).
interface-type: Interface type, which can determine an ATM interface together with interface-num.
interface-num: Interface number, which can determine an ATM interface together with interface-type.
pvc-name: PVC name, optional. If no PVC name and no VPI/VCI pair are specified, all the packet debugging of PVC will be enabled.
vpi/vci: VPI/VCI pair, optional. For more details, please refer to “Parameter Description” in the pvc command.

Description
Using the debugging atm packet command, you can enable the packet debugging of ATM. Using the undo debugging atm packet command, you can disable the debugging.

By default, all the debugging of ATM packet is disabled.

The interface-name parameter is actually composed of interface-type and interface-num. The only difference between the two forms is the space: on the command line, interface-type and interface-num are separated by a space, but there is no space in interface-name.

After the packet switch is enabled, detailed information about the packets received and sent at the ATM interface or PVC is displayed. This is very helpful for system troubleshooting.

For received packets, all the information about the received frames is displayed, which can indicate whether the sending side encapsulates these frames correctly. This is of great help in checking the network device.

Packet debug information displays the PDU byte information in hex, through which technical support personnel or engineers can locate some system errors.

Because this command can produce a large volume of output each time a packet is received or transmitted, users may be unable to control network devices through their terminals, and the efficiency of packet transmission and reception may be greatly affected.

Example
This example enables the debugging of ATM packets and displays the results. Enable all the packet debugging of ATM.
<3Com> debugging atm packet

After some time, the following messages may appear:
……
*515396.229644-atm-8-debug8: *515396.229710-atm-8-debug8: *515396.229812-atm-8-debug8: *515396.232644-atm-8-debug8: *515396.232710-atm-8-debug8: *515396.232812-atm-8-debug8:
Atm1/0/0 pvc 1/32 out ppp pkt, snap, 22 FE FE 03 CF FF 03 C0 21 01 22 00 0E 01 04 05 DC 05 06 00 00 1F 38
Atm1/0/0 pvc 1/32 out ppp pkt, snap, 22 FE FE 03 CF FF 03 C0 21 01 23 00 0E 01 04 05 DC 05 06 00 00 1F 38
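The PDU bytes in the two sample records can be decoded by hand or with a short script. The Python decoder below is an added example, not part of the manual or of 3Com software: its function names are constructed, the leading 22 is read as a decimal byte count (an inference that matches the 22 bytes that follow), and FE FE 03 CF is taken as the LLC/NLPID header for PPP over AAL5 from RFC 2364.

```python
import struct

# The two records from the manual's sample output, with the timestamp prefixes left out.
PAGE_RECORDS = [
    "Atm1/0/0 pvc 1/32 out ppp pkt, snap, 22 FE FE 03 CF FF 03 C0 21 "
    "01 22 00 0E 01 04 05 DC 05 06 00 00 1F 38",
    "Atm1/0/0 pvc 1/32 out ppp pkt, snap, 22 FE FE 03 CF FF 03 C0 21 "
    "01 23 00 0E 01 04 05 DC 05 06 00 00 1F 38",
]

LLC_NLPID_PPP = bytes.fromhex("FEFE03CF")  # LLC header + NLPID for PPP (RFC 2364)
PPP_LCP = 0xC021
LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
             4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack",
             9: "Echo-Request", 10: "Echo-Reply"}
LCP_OPTIONS = {1: "MRU", 3: "Authentication-Protocol", 5: "Magic-Number"}


def parse_record(line):
    """Split one debug record into its text fields and the PDU bytes."""
    head, encap, tail = line.split(", ", 2)
    interface, _, pvc, direction, proto, _ = head.split()
    tokens = tail.split()
    declared = int(tokens[0])  # assumed to be the PDU length in bytes, decimal
    pdu = bytes.fromhex("".join(tokens[1:]))
    if len(pdu) != declared:
        raise ValueError(f"record declares {declared} bytes, carries {len(pdu)}")
    return {"interface": interface, "pvc": pvc, "direction": direction,
            "proto": proto, "encap": encap, "pdu": pdu}


def decode_lcp(payload):
    """Decode an LCP packet (RFC 1661) into code, identifier and options."""
    if len(payload) < 4:
        raise ValueError("LCP header truncated")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 4 <= length <= len(payload):
        raise ValueError("LCP length field out of range")
    options, body = [], payload[4:length]
    while body and code in (1, 2, 3, 4):  # only Configure-* packets carry options
        if len(body) < 2 or not 2 <= body[1] <= len(body):
            raise ValueError("LCP option overruns the packet")
        name = LCP_OPTIONS.get(body[0], f"option-{body[0]}")
        options.append((name, body[2:body[1]]))
        body = body[body[1]:]
    return {"code": LCP_CODES.get(code, f"code-{code}"), "id": ident,
            "options": options}


def decode_record(line):
    """Parse a record and, when it carries LCP, decode the LCP packet."""
    rec = parse_record(line)
    pdu = rec.pop("pdu")
    if not pdu.startswith(LLC_NLPID_PPP):
        raise ValueError("PDU does not start with the LLC/NLPID header for PPP")
    ppp = pdu[len(LLC_NLPID_PPP):]
    if ppp.startswith(b"\xff\x03"):  # HDLC-style address/control, as in the sample
        ppp = ppp[2:]
    if len(ppp) < 2:
        raise ValueError("PPP protocol field missing")
    (protocol,) = struct.unpack("!H", ppp[:2])
    rec["ppp_protocol"] = protocol
    rec["lcp"] = decode_lcp(ppp[2:]) if protocol == PPP_LCP else None
    return rec


if __name__ == "__main__":
    for line in PAGE_RECORDS:
        print(decode_record(line))
```

Both records decode as LCP Configure-Requests (identifiers 0x22 and 0x23) that offer an MRU of 1500 and a Magic-Number option.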

The sample output indicates that PPP packets are being output from PVC 1/32 of Atm1/0/0.

display atm class

Syntax
display atm class [ atm-class-name ]

View
Any view

Parameter
atm-class-name: ATM-Class name.

Description
Using the display atm class command, you can view the information about ATM-Class.

By default, if no ATM-Class name is specified, the information of all ATM-Class is displayed.

For the related command, see atm class.

Example
Display the information about the ATM-Class named "main" in devices.
<3Com> display atm class main

The following information is displayed:
ATM VC-CLASS: main
Service ubr 8000
encapsulation aal5snap

The above output is explained as follows: the ATM-Class name is "main", and the following contents are set in the ATM-Class: the service type is unspecified bit rate, the output peak rate of ATM cells is 8000, and the AAL encapsulation type is SNAP.

display atm interface

Syntax
display atm interface [ interface-name | interface-type interface-num ]

View
Any view

Parameter
interface-name: ATM interface name. For detailed naming rules, please refer to “Interface Configuration” part of this manual. If it is not specified, all the information about ATM interface will be displayed by default.
interface-type: Interface type, which can determine an ATM interface together with interface-num.
interface-num: Interface number, which can determine an ATM interface together with interface-type.

Description
Using the display atm interface command, you can locate problems efficiently and get detailed information related to ATM configuration.

The interface-name parameter is actually composed of interface-type and interface-num. The only difference between the two forms is the space: on the command line, interface-type and interface-num are separated by a space, but there is no space in interface-name.

When the interface is the main interface, the information of all interfaces (including sub-interfaces) at the interface is displayed.

For the related command, see display atm.

Example
Display the information about ATM interface atm4/0/0.
<3Com> display atm interface atm 4/0/0

The following information is displayed:
ATM interface Atm4/0/0, State UP
Port Information:
Maximum VCs: 1024, PVCs: 4, MAPs: 4
input pkts: 0, input bytes: 0, input pkt errors: 0
output pkts: 69, output bytes: 2218, output pkt errors: 8
Sub-interface Information:
PVCs: 4, MAPs: 4
input pkts: 0, input bytes: 0, input pkt errors: 0
output pkts: 69, output bytes: 2218, output pkt errors: 8

The explanation of the above messages is: the maximum number of PVCs on the ATM interface is 1024. The input packets, input bytes and input packet errors are all 0; output packets are 69, output bytes are 2218 and output packet errors are 8; there are 4 PVCs and 4 MAPs in total on the interface, and the interface status is active (UP).

display atm map-info

Syntax
display atm map-info [ interface { interface-name | interface-type interface-num } [ pvc { pvc-name | vpi/vci } ] ]

View
Any view

Parameter
interface-name: ATM interface name. For detailed naming rules, please refer to the “Interface Configuration” part of this manual. If it is not specified, all the information about the higher layer mapping table of ATM interfaces will be displayed by default.
interface-type: Interface type, which identifies an ATM interface together with interface-num.
interface-num: Interface number, which identifies an ATM interface together with interface-type.
pvc-name: PVC name, optional parameter. If neither a PVC name nor a VPI/VCI pair is specified, the information of the higher layer protocol mapping table for all PVCs within the specified ATM interface will be displayed by default.
vpi/vci: VPI/VCI pair, optional. For more details, please refer to “Parameter Description” in the pvc command.

Description
Using the display atm map-info command, you can view the information about the upper layer protocol mapping table of ATM.
The interface-name parameter is actually composed of interface-type and interface-num. The only difference between them is the space: on the command line, interface-type and interface-num are separated by a space, but there is no space in interface-name.
For the related commands, see map ip, map ppp, and map bridge.

Example
Display the information about the upper layer protocol mapping table of all ATM interfaces.

<3Com> display atm map-info

The following information is displayed:
Atm1/0/0, PVC 1/32, PPP, Virtual-Template10, UP
Atm1/0/0, PVC 1/33, IP & Mask, State UP
100.11.1.1, mask 255.255.0.0, vlink 1
Atm1/0/0, PVC 2/101, ETH, Virtual-Ethernet1/1/1, MAC 00E0.FC01.0203, UP

The explanation of the above messages is: PVC 1/32 of interface Atm 1/0/0 uses PPPoA mapping, the VT interface numbered 10 is used and the status is activated (UP); PVC 1/33 of interface Atm 1/0/0 uses IPoA mapping, the configured static mapping IP address is 100.11.1.1, the address mask is 255.255.0.0, it occupies vlink No. 1 and its status is activated (UP); PVC 2/101 of interface Atm 1/0/0 uses PPPoEoA mapping or IPoEoA mapping, the VE interface numbered 1/1/1 is adopted, the configured MAC address is 00E0.FC01.0203 and its status is activated (UP).

display atm pvc-group

Syntax
display atm pvc-group [ interface { interface-name | interface-type interface-num } [ pvc { pvc-name [ vpi/vci ] | vpi/vci } ] ]

View
Any view

Parameter
interface-name: ATM interface name. The detailed naming rules are determined by the type of network device actually configured. If it is not specified, all the information about PVC-Groups of ATM interfaces will be displayed by default.
interface-type: Interface type, which identifies an ATM interface together with interface-num.
interface-num: Interface number, which identifies an ATM interface together with interface-type.
pvc-name: PVC name, optional. If neither a PVC name nor a VPI/VCI pair is specified, the information about all PVC-Groups within the specified ATM interface will be displayed by default.
vpi/vci: VPI/VCI pair, optional. For more details, please refer to “Parameter description” in the pvc command.

Description
Using the display atm pvc-group command, you can view the information about PVC-Group.
The interface-name parameter is actually composed of interface-type and interface-num. The only difference between them is the space: on the command line, interface-type and interface-num are separated by a space, but there is no space in interface-name.
For the related command, see pvc-group.

Example
Display the information about PVC-Group of all ATM interfaces.
<3Com> display atm pvc-group

The following information is displayed:
VPI/VCI  PVC-NAME  STATE  ENCAP  PROT  INTERFACE        GROUP
1/32     3Com      UP     SNAP   IP    Atm10/1/0(UP)    1/32
1/33               UP     SNAP   IP    Atm10/1/0(UP)    1/32
3/34               UP     SNAP   IP    Atm10/1/0(UP)    1/32
2/32               UP     MUX    IP    Atm10/1/0.1(UP)  2/32
2/33               UP     MUX    IP    Atm10/1/0.1(UP)  2/32

The explanation of the above messages is as follows (taking the first record as an example; the last four records can be read in the same way): the PVC with VPI/VCI pair 1/32 has been activated (UP) and its name is "3Com". The AAL encapsulation type is SNAP. The application type is IPoA. The interface is an ATM main interface: slot number is 1, adapter number is 1 and the interface number is 0. The PVC-Group is created based on PVC "1/32".

display atm pvc-info

Syntax
display atm pvc-info [ interface { interface-name | interface-type interface-num } [ pvc { pvc-name [ vpi/vci ] | vpi/vci } ] ]

View
Any view

Parameter
interface-name: ATM interface name. For detailed naming rules, please refer to the “Interface Configuration” part of this manual. If it is not specified, all the information about PVCs of ATM interfaces will be displayed by default.
interface-type: Interface type, which identifies an ATM interface together with interface-num.
interface-num: Interface number, which identifies an ATM interface together with interface-type.
pvc-name: PVC name, optional parameter. If neither a PVC name nor a VPI/VCI pair is specified, the information about all PVCs within the specified ATM interface will be displayed by default.
vpi/vci: VPI/VCI pair, optional. For more details, please refer to “Parameter Description” in the pvc command.

Description
Using the display atm pvc-info command, you can view the information about PVC.
The interface-name parameter is actually composed of interface-type and interface-num. The only difference between them is the space: on the command line, interface-type and interface-num are separated by a space, but there is no space in interface-name.
For the related command, see pvc.

Example
Display the information about PVC of all ATM interfaces.
<3Com> display atm pvc-info

The following information is displayed:
VPI/VCI | STATE | PVC-NAME | INDEX | ENCAP | PROT | INTERFACE
--------|-------|----------|-------|-------|------|----------
1/32    |UP     |3Com      |1      |SNAP   |IP    |Atm1/0/0 (UP)
1/33    |UP     |3Com      |5      |MUX    |None  |Atm1/0/0 (UP)
1/55    |UP     |datacomm  |2      |SNAP   |PPP   |Atm1/0/0.1 (UP)
2/66    |UP     |          |4      |SNAP   |IP    |Atm1/0/0.4 (UP)
2/101   |UP     |beijing   |3      |SNAP   |ETH   |Atm1/0/0.2 (UP)

The explanation of the above messages is as follows (taking the first record as an example; the last four records can be read in the same way): the PVC with VPI/VCI pair 1/32 has been activated (UP) and its name is "3Com". The index number is 1. The AAL encapsulation type is SNAP. The application type is IPoA. The interface is an ATM main interface: slot number is 1, adapter number is 0 and the interface number is 0.

encapsulation

Syntax
encapsulation aal5-encap
undo encapsulation

View
PVC view

Parameter
aal5-encap: AAL5 encapsulation type. Its possible values are as follows:
aal5snap: LLC/SNAP (Logical Link Control / Subnet Access Protocol) encapsulation type
aal5mux: MUX encapsulation type
aal5nlpid: RFC1490 encapsulation type

Description
Using the encapsulation command, you can specify the ATM AAL5 encapsulation type for a PVC. Using the undo encapsulation command, you can restore the default encapsulation.
By default, aal5snap encapsulation is adopted.
Only aal5snap encapsulation supports the InARP protocol. InARP is not supported when aal5mux and aal5nlpid encapsulations are adopted. To change the encapsulation type of a PVC to aal5mux or aal5nlpid, InARP must be deleted first. In addition, some encapsulation types may not support some application methods (one or more of IPoA, IPoEoA, PPPoA and PPPoEoA). When such cases appear, the system will give a prompt.

Example
The two examples can both specify AAL5 encapsulation type of PVC as aal5snap.
Display how to specify AAL5 encapsulation type of PVC 1/32 as aal5snap.
[3Com-atm-pvc-Atm1/0/0-1/32] encapsulation aal5snap

Display how to specify AAL5 encapsulation type of PVC 1/33 as aal5snap.
[3Com-atm-pvc-Atm1/0/0-1/33] undo encapsulation

interface atm

Syntax
interface atm interface-num
interface atm interface-number.subinterface-num [ multi-point | point-to-point ]
undo interface atm interface-number.subinterface-num

View
System view

Parameter
Interface number: ATM master interface number. For detailed numbering rules, please refer to the “Interface Configuration” part of this manual.
Subinterface number: ATM sub-interface number. For detailed numbering rules, please refer to the “Interface Configuration” part of this manual.
multi-point | point-to-point: Sub-interface connection type.

Description
Using the interface atm command, you can create an ATM sub-interface or enter an ATM interface view. Using the undo interface atm command, you can delete an ATM sub-interface.
By default, the connection type of a sub-interface is multi-point.
An ATM sub-interface has two connection types: multi-point and point-to-point. Multiple PVCs can be created on a sub-interface of multi-point connection type, but only one PVC can be created on a sub-interface of point-to-point type.
For the related command, see display atm interface.

Example
The two examples display how to enter the ATM main interface or create/enter the ATM sub-interface.
Enter the main interface Atm1/0/0.
[3Com] interface atm 1/0/0

Create/enter the sub-interface Atm1/0/0.1 and set its connection type as point-to-point.
[3Com] interface atm 11/1/0.1 p2p

ip-precedence

Syntax
ip-precedence { pvc-name [ vpi/vci ] | vpi/vci } { min [ max ] | default }
undo ip-precedence { pvc-name [ vpi/vci ] | vpi/vci }

View
ATM PVC-Group view

Parameter
pvc-name: PVC name, whose maximum length is 16 characters (case insensitive). It should be unique on the ATM interface, and it should not be a legal VPI/VCI pair. For example, "1/20" cannot be a PVC name. The PVC corresponding to pvc-name must have already been created.
vpi/vci: vpi is ATM Virtual Path Identifier (VPI), which ranges from 0 to 255; vci is ATM Virtual Channel Identifier (VCI), which ranges from 0 to 2047. Usually, the vci values from 0 to 31 are reserved for special usage and cannot be used. The PVC corresponding to vpi/vci must have already been created.
min: Minimum preference of IP packets carried by the PVC.
max: Maximum preference of IP packets carried by the PVC.
default: Packets carried by the PVC with default preference.

Description
Using the ip-precedence command, you can set the precedence of IP packets carried over a PVC. Using the undo ip-precedence command, you can delete the precedence configuration of IP packets carried over a PVC.
This command can only be used on a PVC within the PVC-Group. The specified minimum preference min must be less than or equal to the specified maximum preference max.
For the related commands, see pvc-group and pvc.

Example
Display how to set the preference of IP packets carried by the PVC named "3Com", whose VPI/VCI is 1/32, to 0 to 3.
[3Com-atm-pvc-group-Atm1/0/0-1/32-3Com] ip-precedence 3Com 1/32 0 3

map bridge

Syntax
map bridge virtual-ethernet interface-num
undo map bridge

View
PVC view

Parameter
interface-num: Interface number of the VE interface, which is determined by a set of three-dimensional indices, i.e., slot number/module number/port number.

Description
Using the map bridge command, you can establish the IPoEoA mapping or PPPoEoA mapping on the PVC. Using the undo map bridge command, you can delete the mapping.
By default, no mapping is configured.
Before using this command, make sure that the VE interface has been created.
As the upper layer of the link layer on the VE interface is Ethernet and the lower layer is carried by AAL5, the MAC address used by VE is not an actual MAC address: it cannot be obtained from the hardware and must be configured manually. Users need to configure the correct MAC address by themselves.

Example
The following example shows a complete process of IPoEoA configuration.
Establish a VE interface Virtual-Ethernet2/0/0.
[3Com] interface virtual-ethernet 2

Configure IP address 10.1.1.1/16 for the VE interface.
[3Com-Virtual-Ethernet2/0/0] ip address 10.1.1.1 255.255.0.0
[3Com-Virtual-Ethernet2/0/0] quit

Establish PVC 1/102 on the ATM interface Atm2/0/0.
[3Com] interface atm 2/0/0
[3Com-Atm2/0/0] pvc 1/102

Establish the IPoE mapping using the established VE interface in PVC view.
[3Com-atm-pvc-Atm2/0/0-1/102] map bridge virtual-ethernet2

map ip

Syntax
map ip { ip-address [ ip-mask ] | default | inarp [ minutes ] } [ broadcast ]
undo map ip { ip-address | default | inarp }

View
PVC view

Parameter
ip-address: Opposite IP address mapped to the PVC.
ip-mask: IP address mask, optional. If a packet cannot find the next hop at the interface, but the next hop address belongs to the network segment specified by ip-address and ip-mask, it can be sent over the PVC.
default: A mapping with the default route property is set. If a packet cannot find a mapping with the same next hop address at the interface, but one PVC has the default mapping, the packet can be sent over that PVC.
inarp: Enables Inverse Address Resolution Protocol (InARP) on the PVC.
minutes: Time interval for sending InARP packets, in minutes, optional. The range of the value is 1 to 600 and the default value is 15.
broadcast: Pseudobroadcast, optional parameter. If a mapping with this property is configured on a PVC, a copy of the broadcast packets at the interface is sent over the PVC.

Description
Using the map ip command, you can create IPoA mapping for a PVC. Using the undo map ip command, you can delete the mapping.
By default, no mapping is configured. If a mapping is set, pseudobroadcast is not supported by default.
When InARP is used, the encapsulation type must be aal5snap. InARP is not supported when aal5mux and aal5nlpid encapsulations are adopted.

Example
The two examples are cases of creating IPoA mapping for a PVC.
Display how to create a static mapping at PVC 1/32, specify the opposite IP address as 61.123.30.169 and support pseudobroadcast.
[3Com-atm-pvc-Atm1/0/0-1/32] map ip 61.123.30.169 broadcast

Display how to enable InARP at PVC 1/33 to automatically obtain the opposite address and send InARP packets every 10 minutes.
[3Com-atm-pvc-Atm1/0/0.1-1/33] map ip inarp 10

map ppp

Syntax
map ppp virtual-template vt-number
undo map ppp

View
PVC view

Parameter
vt-number: Virtual-template (VT) interface number corresponding to PPPoA. The VT interface should be created previously.

Description
Using the map ppp command, you can create PPPoA mapping on a PVC in PVC view. Using the undo map ppp command, you can delete the mapping.
By default, no mapping is configured.
Before this command is used, the VT must have already been created.

Example
Display a complete PPPoA configuration process.
At first, a VT interface with the number 10 is created and its IP address is configured.
[3Com] interface virtual-template 10
[3Com-Virtual-Template10] ip address 202.38.160.1 255.255.255.0
[3Com-Virtual-Template10] quit

And then PVC 1/101 at ATM interface Atm1/0/0 is created.
[3Com] interface atm 1/0/0
[3Com-Atm1/0/0] pvc 1/101

The newly created VT interface is used to create the PPPoA mapping.
[3Com-atm-pvc-Atm1/0/0-1/101] map ppp virtual-template 10

mtu

Syntax
mtu mtu-number
undo mtu

View
Interface view

Parameter
mtu-number: MTU size of the ATM interface in bytes. The range of the value is 128 to 16384.

Description
Using the mtu command, you can set the size of the Maximum Transmission Unit (MTU) of the ATM interface. Using the undo mtu command, you can restore the default value.
By default, the MTU is 1500 bytes.
The MTU of an ATM interface only influences the packet assembling and disassembling of the IP layer at the ATM interface. Because of the limit on the QoS queue length (for example, the default length of the FIFO queue is 75), too small an MTU will lead to too many fragments, which will be dropped by the QoS queue. In this case, the length of the QoS queue can be enlarged appropriately. FIFO is the queue dispatching mechanism used by PVC by default, and its queue length can be changed by using the fifo queue-length command in the PVC view.
This command can be used on both the ATM main interface and sub-interfaces.

Example
Display how to set MTU of ATM interface Atm1/0/0 to 1492 bytes.
[3Com-Atm1/0/0] mtu 1492

oam frequency

Syntax
oam frequency frequency [ up up-count down down-count retry-frequency retry-frequency ]
undo oam frequency

View
PVC view, ATM Class view

Parameter
frequency: Time interval for sending OAM F5 Loopback cells, in seconds. The range of the value is 1 to 600.
up-count: The number of OAM F5 Loopback cells that must be received continuously and correctly before the PVC status changes to UP. The range of the number is 1 to 600.
down-count: The number of OAM F5 Loopback cells that must continuously fail to be received correctly before the PVC status changes to DOWN. The range of the number is 1 to 600.
retry-frequency: Sending interval of OAM F5 Loopback cells in the retransmission check before the PVC status changes, in seconds. The range of the value is 1 to 1000.

Description
Using the oam frequency command, you can enable the transmission of OAM F5 Loopback cells so as to check the PVC status. You can also enable the OAM F5 Loopback retransmission check or modify the related parameters of the retransmission check. Using the undo oam frequency command, you can disable the transmission and retransmission check of the cell.
By default, OAM F5 Loopback cell transmission is disabled, but if an OAM F5 Loopback cell is received, it should be responded to. By default, up-count is 3, down-count is 5 and retry-frequency is 1 second.

Example
Display how to enable OAM F5 Loopback check at PVC 1/32, with a period of 12 seconds, and set the retransmission check up-count to 4, down-count to 4 and retransmission period to 1 second.
[3Com-atm-pvc-Atm1/0/0-1/32] oam frequency 12 up 4 down 4 retry-frequency 1

pvc

Syntax
pvc { pvc-name [ vpi/vci ] | vpi/vci }
undo pvc { pvc-name [ vpi/vci ] | vpi/vci }

View
ATM interface view or PVC-Group view

Parameter
pvc-name: PVC name, whose maximum length is 16 characters. It shall be unique on the ATM interface (case insensitive), and cannot be a legal VPI/VCI pair. For example, "1/20" cannot be a PVC name.
vpi/vci: vpi is ATM Virtual Path Identifier (VPI) in the range 0 to 255; vci is ATM Virtual Channel Identifier (VCI). Its value range depends on interface type. See the following table for reference. Usually, the vci values from 0 to 31 are reserved for special usage and cannot be used.

Table 15 VCI range for each type of ATM interface
Interface type    VCI
ADSL              <0-255>
GSHDSL            <0-255>
ATMOC3            <0-1023>
ATM25             <0-511>
ATME3             <0-1023>
ATMT3             <0-1023>

1) vpi and vci cannot both be 0.
2) A PVC that belongs to a PVC-Group cannot be deleted at the ATM interface.

Description
Using the pvc command, you can create a PVC or enter the PVC view at an ATM interface or in PVC-Group view. Using the undo pvc command, you can delete the specified PVC.
By default, no PVC is created.
This command is used to create a PVC with the specified VPI/VCI. Once pvc-name is specified for a PVC (e.g. "3Com"), it is possible to re-enter the PVC view by inputting pvc pvc-name (e.g. "pvc 3Com"). The PVC can be deleted by inputting undo pvc pvc-name (e.g. "undo pvc 3Com") or through the undo pvc vpi/vci command (if the VPI/VCI of this PVC is 1/32, it is "undo pvc 1/32").
The VPI/VCI pair of each PVC is unique on an ATM interface (including the main interface and sub-interfaces).
The actual number of PVCs that can be created is determined by the pvc max-number command.
For the related commands, see display atm pvc-info and pvc max-number.

Example
Display how to create a PVC named "3Com" with VPI/VCI as 1/101.
[3Com-Atm1/0/0] pvc 3Com 1/101
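
The argument rules of the pvc command (name length, the ban on names that are legal VPI/VCI pairs, the per-interface VCI ranges of Table 15, and the rule that vpi and vci cannot both be 0) can be checked before a configuration line is sent to a router. The following Python code is an added example, not part of the 3Com manual; the function names are hypothetical, and reporting the reserved VCIs 0-31 as a warning rather than an error is an assumption.

```python
import re

# VCI upper bound per ATM interface type, transcribed from Table 15.
VCI_MAX = {"ADSL": 255, "GSHDSL": 255, "ATMOC3": 1023,
           "ATM25": 511, "ATME3": 1023, "ATMT3": 1023}
VPI_MAX = 255            # vpi ranges from 0 to 255
RESERVED_VCI_MAX = 31    # vci 0-31 is usually reserved for special usage
PVC_NAME_MAX = 16        # maximum pvc-name length

_PAIR = re.compile(r"^([0-9]+)/([0-9]+)$")


def parse_pair(token, if_type):
    """Return ((vpi, vci), None) for a legal pair, else (None, reason)."""
    m = _PAIR.match(token)
    if not m:
        return None, "not of the form vpi/vci"
    vpi, vci = int(m.group(1)), int(m.group(2))
    if vpi > VPI_MAX:
        return None, "vpi outside 0-%d" % VPI_MAX
    if vci > VCI_MAX[if_type]:
        return None, "vci outside 0-%d for %s" % (VCI_MAX[if_type], if_type)
    if vpi == 0 and vci == 0:
        return None, "vpi and vci cannot both be 0"
    return (vpi, vci), None


def check_pvc_command(line, if_type, existing=None):
    """Check one 'pvc { pvc-name [ vpi/vci ] | vpi/vci }' line.

    existing maps lower-cased names of PVCs already on the interface to
    their (vpi, vci). Returns a list of problem strings; empty means OK.
    """
    if if_type not in VCI_MAX:
        raise ValueError("unknown interface type: %r" % if_type)
    existing = existing or {}
    tokens = line.split()
    if len(tokens) not in (2, 3) or tokens[0] != "pvc":
        return ["syntax: expected pvc { pvc-name [ vpi/vci ] | vpi/vci }"]

    args = tokens[1:]
    name = pair_tok = None
    if len(args) == 2:
        name, pair_tok = args
    elif _PAIR.match(args[0]):
        pair_tok = args[0]       # a lone n/n token is read as a pair
    else:
        name = args[0]           # re-enters the view of a named PVC

    problems = []
    if name is not None:
        if len(name) > PVC_NAME_MAX:
            problems.append("pvc-name longer than %d characters" % PVC_NAME_MAX)
        if parse_pair(name, if_type)[0] is not None:
            problems.append("pvc-name is a legal VPI/VCI pair")

    pair = None
    if pair_tok is not None:
        pair, reason = parse_pair(pair_tok, if_type)
        if pair is None:
            problems.append("vpi/vci %s: %s" % (pair_tok, reason))
        elif pair[1] <= RESERVED_VCI_MAX:
            problems.append("warning: vci %d is in the reserved range 0-%d"
                            % (pair[1], RESERVED_VCI_MAX))

    if name is not None and pair is not None:
        key = name.lower()       # names are case insensitive
        if key in existing and existing[key] != pair:
            problems.append("pvc-name already used by PVC %d/%d" % existing[key])
        for other, used in existing.items():
            if used == pair and other != key:
                problems.append("VPI/VCI pair already used by PVC %r" % other)
    return problems
```

The same VCI value can pass on one interface type and fail on another, for example 1/300 is accepted for ATM25 but rejected for ADSL.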

pvc-group

Syntax
pvc-group { pvc-name [ vpi/vci ] | vpi/vci }
undo pvc-group { pvc-name [ vpi/vci ] | vpi/vci }

View
ATM interface view

Parameter
pvc-name: PVC name, whose maximum length is 16 characters. It is case insensitive and should be unique on the ATM interface, and it should not be a legal VPI/VCI pair. For example, "1/20" cannot be a PVC name. The PVC corresponding to pvc-name must have already been created.
vpi/vci: vpi is ATM Virtual Path Identifier (VPI) in the range 0 to 255; vci is ATM Virtual Channel Identifier (VCI). For its value range, refer to VCI range for each type of ATM interface. Usually, the vci values from 0 to 31 are reserved for special usage and cannot be used. The PVC corresponding to vpi/vci must have already been created.

Description
Using the pvc-group command, you can create a PVC-Group or enter the PVC-Group view at an ATM interface. Using the undo pvc-group command, you can delete the specified PVC-Group.
Once pvc-name is specified for a PVC (e.g. "3Com"), it is possible to enter the PVC-Group view by inputting pvc-group pvc-name (e.g. "pvc-group 3Com"). The PVC-Group can be deleted by inputting undo pvc-group pvc-name (e.g. "undo pvc-group 3Com") or through the undo pvc-group vpi/vci command (if the VPI/VCI of this PVC is 1/32, it is "undo pvc-group 1/32").
For the related commands, see ip-precedence and pvc.

Example
Display how to create a PVC-Group based on the name "3Com" and the PVC with VPI/VCI as 1/32.
[3Com-Atm1/0/0] pvc-group 3Com 1/32

pvc max-number

Syntax
pvc max-number max-number
undo pvc max-number

View
ATM master interface view

Parameter
max-number: Maximum number of supported VCs. The value range of this parameter depends on interface type, as shown in the following table:

Table 16 The maximum number of VCs allowed for each type of ATM interface
Interface type    max-number
ADSL              <1-32>
GSHDSL            <1-32>
ATMOC3            <1-1024>
ATM25             <1-256>
ATME3             <1-1024>
ATMT3             <1-1024>

Description
Using the pvc max-number command, you can set the maximum number of ATM interface virtual circuits (VC). Using the undo pvc max-number command, you can restore the default value.
This command is used to set the maximum number of the total available VCs for ATM main interfaces and sub-interfaces.
Although this command takes effect on both the ATM main interface and sub-interfaces, it can only be used in ATM main interface view; it is not available in ATM sub-interface view.
For the related command, see display atm interface.

Example
The two examples can both make ATM interface Atm1/0/0 support totally 2048 VCs.
Display how to set ATM interface Atm1/0/0 to totally support maximum 2048 VCs.
[3Com-Atm1/0/0] pvc max-number 2048

Display how to set ATM interface Atm1/0/0 to support the default maximum number of VCs (2048).
[3Com-Atm1/0/0] undo pvc max-number

pvp limit

Syntax
pvp limit vpi peak-rate
undo pvp limit vpi

View
ATM master interface view

Parameter
vpi: Virtual path identifier of the ATM network. Its value ranges from 0 to 255.
peak-rate: Normal flow to be held. The value range of this parameter depends on interface type, as shown in the following table:

Table 17 Value ranges of peak-rate
Interface type    peak-rate
ADSL              <64-640>
GSHDSL            <64-2312>
ATMOC3            <2000-155000>
ATM25             <64-25600>
ATME3             <64-34000>
ATMT3             <64-45000>

Description
Using the pvp limit command, you can set the parameters for VP policing. Using the undo pvp limit command, you can delete the VP policing.
By default, VP policing is not performed.
When VP policing is applied, the parameters of the PVC are still valid. Packets are transmitted only when the parameters of both the PVC and VP policing are satisfied. When calculating the traffic, the LLC/SNAP, MUX and NLPID headers are included, but the ATM cell header is not included.
For the related commands, see pvc, service cbr, service vbr-nrt, service vbr-rt, and service ubr.

Example
Set the traffic of VP with vpi 1 to 2M.
[3Com-Atm1/0/0] pvp limit 1 2000

service cbr

Syntax
service cbr output-pcr [ cdvt cdvt_value ]

View
PVC view

Parameter
output-pcr: Output peak rate of ATM cell in Kbit/s. The value range of this parameter depends on interface type, as shown in the following table:

Table 18 Value ranges of output-pcr
Interface type    output-pcr
ADSL              <64-640>
GSHDSL            <64-2312>
ATMOC3            <2000-155000>
ATM25             <64-25600>
ATME3             <64-34000>
ATMT3             <64-45000>

cdvt_value: Cell delay variation tolerance, in μs. The range of the value is 0 to 10000 μs.

Description
Using the service cbr command, you can specify the PVC service type as constant bit rate (CBR).
By default, the service type is UBR after creating a PVC. When the value of cdvt is not specified, it is 500 μs by default.
This command is used to set the PVC service type and parameters. The newly specified PVC service type will replace the existing service type. It is recommended that the PVC with larger bandwidth be created first and then the one with smaller bandwidth. If the creation fails, cdvt_value can be increased and the PVC created once more. This case is prompted on the command line as follows: “fail to set service parameter, please adjust cdvt value”
The command does not support ATM E1 interface and ATM E3 interface.
For the related commands, see service vbr-nrt, service vbr-rt, and service ubr.

Example
Create a PVC named "3Com" with VPI/VCI as 1/101.
[3Com-Atm1/0/0] pvc 3Com 1/101

Specify the service type of the PVC as cbr and the peak rate of ATM cell as 50,000 Kbits/s. Cell delay variation tolerance is 1000 μs.
[3Com-atm-pvc-Atm1/0/0-1/101-3Com] service cbr 50000 cdvt 1000

service ubr

Syntax
service ubr output-pcr

View
PVC view

Parameter
output-pcr: Output peak rate of ATM cell in Kbit/s. For the value ranges of this parameter, see Value ranges of output-pcr.

Description
Using the service ubr command, you can specify the service type of PVC as Unspecified Bit Rate (UBR) and specify the related rate parameters.
By default, the service type is UBR after creating a PVC.
This command as well as the service vbr-nrt, service vbr-rt and service cbr commands can be used to set the service type and service parameters of PVC. The newly specified PVC service type will supersede the existing service type.
For the related commands, see service vbr-nrt, service vbr-rt, and service cbr.

Example
Display how to create a PVC named "3Com" with VPI/VCI as 1/101.
[3Com-Atm1/0/0] pvc 3Com 1/101

Display how to specify the service type of the PVC as ubr and the peak cell rate of ATM cell as 100,000Kbps.
[3Com-atm-pvc-Atm1/0/0-1/101-3Com] service ubr 100000

service vbr-nrt

Syntax
service vbr-nrt output-pcr output-scr output-mbs

View
PVC view

Parameter
output-pcr: Peak rate of ATM cell output in Kbit/s. For the value ranges of this parameter, see Value ranges of output-pcr.
output-scr: Sustainable rate of ATM cell output in Kbps. Its value ranges are the same as those of output-pcr.
output-mbs: Maximum burst size of ATM cell output, i.e., the maximum cache size of ATM cell output at the interface, in number of cells.

Description
Using the service vbr-nrt command, you can specify the service type of PVC as Variable Bit Rate-Non Real Time (VBR-NRT) and specify the related rate parameters.
By default, the service type is UBR after creating a PVC.
This command as well as the service ubr, service vbr-rt and service cbr commands can be used to set the service type and service parameters of PVC. The newly specified PVC service type will supersede the existing service type.
For the related commands, see service vbr-rt, service ubr, and service cbr.

Example
Display how to create a PVC named "3Com" with VPI/VCI as 1/101.
[3Com-Atm1/0/0] pvc 3Com 1/101

Display how to specify the service type of the PVC as VBR-NRT and set the peak bit rate of ATM cell to 100,000kbit/s, sustainable bit rate to 50,000Kbps, the maximum burst size to 320 cells.
[3Com-atm-pvc-Atm1/0/0-1/101-3Com] service vbr-nrt 100000 50000 320

service vbr-rt

Syntax
service vbr-rt output-pcr output-scr output-mbs

View
PVC view

Parameter
output-pcr: Peak cell rate of ATM output in Kbit/s. For the value ranges of this parameter, see Value ranges of output-pcr.
output-scr: Sustainable cell rate of ATM output in Kbps. Its value ranges are the same as those of output-pcr.
output-mbs: Maximum burst size of ATM cell output, i.e., the maximum cache size of ATM cell output at the interface, in number of cells. The range of the value is 1 to 512. When it is used in ATM E3 interface, the range of the parameter is 1 to 512.

Description
Using the service vbr-rt command, you can set the service type of PVC to Variable Bit Rate - Real Time (VBR-RT) and specify the related rate parameters in the PVC view.
By default, the service type is UBR after creating a PVC.
This command as well as the service ubr, service cbr and service vbr-nrt commands can be used to set the service type and service parameters of PVC. The newly specified PVC service type will supersede the existing service type.
The command does not support ATM E1 interface.
For the related commands, see service cbr, service ubr, and service vbr-nrt.

Example
Display how to create a PVC named "3Com" with VPI/VCI as 1/101.
[3Com-if-Atm1/0/0] pvc 3Com 1/101

Display how to specify the service type of the PVC as VBR-RT and set the peak cell rate of ATM to 100,000kbit/s, sustainable cell rate to 50,000Kbps, the maximum burst size to 320 cells.
[3Com-atm-pvc-Atm1/0/0-1/101-3Com] service vbr-rt 100000 50000 320

LAPB and X.25 Configuration Commands

channel

Syntax
channel { interface serial interface-number | xot ip-address }
undo channel { interface serial interface-number | xot ip-address }

View
X.25 hunt group view

Parameter
interface-number: Interface number. Its value ranges from 0 to 3.
ip-address: IP address of the peer XOT host.

Description
Using the channel command, you can add the X.25 interface of a serial port or an XOT channel to the current hunt group. Using the undo channel command, you can delete the specified interface or XOT channel from the current hunt group.
One interface may belong to at most six hunt groups at the same time.
For the related command, see x25 hunt-group.

Example
Add the serial interface serial0/0/0 to the hunt group hg1.
[3Com] x25 hunt-group hg1 round-robin
[3Com-hg-hg1] channel interface serial0/0/0

debugging pad

Syntax
debugging pad { all | error | event | packet }
undo debugging pad { all | error | event | packet }

View
User view

Parameter
all: All debugging switches of PAD.
error: Error debugging switch of PAD.
event: Event debugging switch of PAD.
packet: Packet debugging switch of PAD.

Description
Using the debugging pad command, you can enable the debugging switch of PAD. Using the undo debugging pad command, you can disable the debugging switch of PAD.

Example
None

debugging x25 xot

Syntax
debugging x25 xot { all | event | packet }
undo debugging x25 xot { all | event | packet }

View
User view

Parameter
all: All debugging switches of XOT.
event: Event debugging switch of XOT.
packet: Packet debugging switch of XOT.

Description
Using the debugging x25 xot command, you can enable the debugging switch of XOT. Using the undo debugging x25 xot command, you can disable the debugging switch of XOT.

Example
None

display interface

Syntax
display interface serial [ number ]

View
Any view

Parameter
number: Serial interface number.

Description
Using the display interface command, you can view the LAPB or X.25 interface information. After configuring PVC of X.25, users can use the command to obtain the status information on one interface.

Example
Encapsulate Serial0/0/0 with LAPB protocol and view the encapsulated interface information using the following commands.
<3Com> system-view
[3Com] interface Serial0/0/0
[3Com-Serial0/0/0] link-protocol lapb
[3Com-Serial0/0/0] display interface serial 0/0/0
Serial0/0/0 current state : UP
Line protocol current state : UP
Description : 3Com, 3Com Series, Serial4/0/0 Interface
The Maximum Transmit Unit is 1500, Holder timer is 10(sec)
Internet protocol processing : disabled
Link-protocol is X.25 DCE Ietf, address is , state R1, modulo 8
input/output: window sizes 7/7, packet sizes 256/256
Channels: Incoming-only 10-20, Two-way 30-40, Outgoing-only 50-60
Timers: T10 60, T11 180, T12 60, T13 60, Idle_Timer 0 (seconds)
New configuration(will be effective after restart): modulo 8
input/output: window sizes 7/7, packet sizes 256/256
Channels: Incoming-only 10-20, Two-way 30-40, Outgoing-only 50-60
Statistic: Restarts 0 (Restart Collisions 0)
Refused Incoming Call 0, Failing Outgoing Call 0
input/output: RESTART 1/1 CALL 9/2 DIAGNOSE 0/0
DATA 119/121 INTERRUPT 0/0 Bytes 2497/2731
RR 6/113 RNR 0/0 REJ 0/0
Invalid Pr: 0 Invalid Ps: 0 Unknown: 0
Link-protocol is LAPB
LAPB DCE, module 8, window-size 7, max-frame 12056, retry 10
Timer: T1 3000, T2 1500, T3 0 (milliseconds), x.25-protocol
state CONNECT, VS 6, VR 3, Remote VR 6
IFRAME 147/254, RR 11/6, RNR 0/0, REJ 0/0
FRMR 0/0, SABM 0/1, DM 0/0, UA 1/0
DISC 0/0, invalid ns 0, invalid nr 0, link resets 0
FIFO queuing: (Outbound queue:Size/Length/Discards)
FIFO 0/75/0
Physical layer is synchronous,
Interface is DTE, Cable type is V24
5 minutes input rate 0.00 bytes/sec, 0.01 packets/sec
5 minutes output rate 0.07 bytes/sec, 0.01 packets/sec
159 packets input, 3338 bytes, 0 no buffers
261 packets output, 4057 bytes, 0 no buffers
0 input errors, 0 CRC, 0 frame errors
0 overrunners, 0 aborted sequences, 0 input no buffers
DCD=UP DTR=UP DSR=UP RTS=UP CTS=UP

The above information will be displayed after entering the command series, in which the contents in boldface are those related to X.25 and LAPB protocols. The main parameters are described as follows:

Link-protocol is X.25 DCE Ietf: Current encapsulation protocol of this interface is X.25 protocol that works in DCE mode, and the data packet encapsulation format is IETF.
address is: X.121 address of this X.25 interface; this field will be empty if there is no address.
state: Current status of this X.25 interface.
modulo: Data packets and traffic control packets sent by this X.25 interface are numbered in modulo 8 mode.
input/output: Window sizes 7/7, packet sizes 256/256: Flow control parameters of this X.25 interface, including receiving window size, sending window size, maximum received packet size (in bytes), and maximum sent packet size (in bytes).
Channels: Channel range division of this X.25 interface, sequentially as incoming-only channel section, two-way channel section, outgoing-only channel section; if both demarcating values of a section are 0, this section is disabled.
Timers: Delay values of various timers of this X.25 interface, in seconds.
New Configuration: New configuration of this X.25 interface taking effect after next restart; if this configuration is wrong, the default value will be restored.
Restarts 0 ( Restart Collision 0): Statistics of this X.25 interface, including times of restart (including restart collision).
Refused Incoming Call: Statistics information of this X.25 interface: times of call refusals.
Failing Outgoing Call: Statistics information of this X.25 interface: times of call failures.
input/output: RESTART 1/1 ... REJ 0/0: Statistics information of this X.25 interface: quantities of received and sent packets, format: received quantity/sent quantity.
Invalid Pr: Error statistics information of this X.25 interface: total of received data packets and traffic control packets carrying erroneous acknowledgement numbers.
Invalid Ps: Error statistics information of this X.25 interface: total of received data packets carrying erroneous sequence numbers.
Unknown: Error statistics information of this X.25 interface: total of received irresolvable packets.
Link-protocol is LAPB: Current encapsulation protocol of this interface is LAPB protocol.
LAPB DCE: LAPB of this interface works in DCE mode.
module 8: Information frame and monitoring frame sent by this interface LAPB are numbered in the modulo 8 view.
window-size 7: Window size of this interface LAPB is 7.
max-frame 12056: The maximum length of frame sent by the interface LAPB is 12056 bits.
retry 10: Maximum re-sending times of information frame of this interface LAPB is 10.
timer: Delay value of timers of this interface LAPB, in milliseconds. The unit of T3 is second.
state: Current status of this interface LAPB.
VS: Sending variable of this interface LAPB.
VR: Receiving variable of this interface LAPB.
Remote VR: Peer's last acknowledgment on information frame received by this interface LAPB.
IFRAME 147/254 ... DISC 0/0: Statistics information of frames sent and received by this interface LAPB, format: received quantity/sent quantity.
Invalid ns: Error statistics of this interface LAPB, including total of received information frames carrying erroneous sequence numbers.
Invalid nr: Error statistics of this interface LAPB, including total of received information frames and monitoring frames carrying erroneous acknowledgment numbers.
Link resets: Restarting times of this interface LAPB link.

display x25 alias-policy

Syntax
display x25 alias-policy [ interface interface-type slot-number ]

View
Any view

Parameter
interface-type: Interface type.
slot-number: Interface number.

Description
Using the display x25 alias-policy command, you can view X.25 alias table.
For the related command, see x25 alias-policy.

Example
Display X.25 alias table.
<3Com> display x25 alias-policy
Alias for Serial0/0/0:
Alias for Serial1/0/0:
Alias- 1:$20112405$strict
Alias- 2:$20112450left
Alias- 3:20112450$right

The above information indicates: the interface Serial0/0/0 is set without alias, and the interface Serial1/0/0 is set with 3 aliases, which are $20112405$ (in strict match mode), $20112405 (in left alignment match mode) and 20112405$ (in right alignment match mode).

display x25 hunt-group-info

Syntax
display x25 hunt-group-info [ hunt-group-name ]

View
Any view

Parameter
hunt-group-name: Hunt group name.

Description
Using the display x25 hunt-group-info command, you can view the status information of X.25 hunt group.
You can use this command to learn the hunt group of the Router and the information about the interfaces and XOT channel inside the hunt group.
For the related command, see x25 hunt-group.

Example
Display the status information of X.25 hunt group hg1.
[3Com] display x25 hunt-group-info hg1
HG_ID : hg1
HG_Type: round-robin
member         state     vc-used   in-pkts   out-pkts
Serial0/0/0    Last      2         51        20
Serial1/0/0    Next      1         21        15
1.1.1.1        Normal    1         24        3

The following table introduces the meaning of each field in the displayed information.
Table 19 Explanation of each field in the command display x25 hunt-group-info
Field          Explanation
hg1            Hunt group name
round-robin    Hunt group call channel selection policy
member         Interfaces or XOT channel contained in hunt group
state          The state of the current interface or XOT channel, including:
               Last: last used
               Next: interfaces or XOT channel selected by rotary selection policy next
               Normal: normal state
vc-used        Call number on the interface or XOT channel (including call success and call failure)
in-pkts        Input flow on the interface or XOT channel in packets
out-pkts       Output flow on the interface or XOT channel in packets

display x25 map

Syntax
display x25 map

View
Any view

Parameter
None

Description
Using the display x25 map command, you can view the X.25 address mapping table.
The X.25 address mapping can be configured in two methods: special configuration (through the x25 map command) or implied configuration (through the x25 pvc command). The display x25 map command can be used to show all the address mappings.
For the related commands, see x25 map, x25 pvc, x25 switch pvc, x25 xot pvc, and x25 fr pvc.

Example
Display the X.25 address map table.
<3Com> display x25 map
Interface:Serial3/0/0(protocol status is up):
ip address:202.38.162.2 X.121 address: 22
map-type: SVC_MAP VC-number: 0
Facility:
ACCEPT_REVERSE;
BROADCAST;
PACKET_SIZE: I 512 O 512 ;

display x25 pad

Syntax
display x25 pad [ pad-id ]

View
Any view

Parameter
pad-id: PAD ID, its value ranges from 0 to 255. If it is not specified, all PAD connection information will be displayed.

Description
Using the display x25 pad command, you can view X.25 PAD connection information.
PAD is a kind of application similar to telnet. It can establish a connection between two ends through the X.121 address, which is then used to carry out configuration operations.
For the related commands, see display x25 vc and x25 xot.

Example
Display X.25 PAD connection information.
[3Com] display x25 pad
UI-INDEX130: From remote 22 connected to local 11, State: Normal
X.3Parameters(In):
1:1,2:0,3:2,4:1,5:0,6:0,7:21,8:0,9:0,10:0,11:14
12:0,13:0,14:0,15:0,16:127,17:21,18:18,19:0,20:0,21:0,22:0
X.3Parameters(Out):
1:1,2:0,3:2,4:1,5:0,6:0,7:21,8:0,9:0,10:0,11:14
12:0,13:0,14:0,15:0,16:127,17:21,18:18,19:0,20:0,21:0,22:0
Input:
Pkts(total/control): 13/2 bytes:12
queue(size/max) :0/200
Output:
Pkts(total/control): 15/2 bytes:320

display x25 switch-table pvc

Syntax
display x25 switch-table pvc

View
Any view

Parameter
None

Description
Using the display x25 switch-table pvc command, you can view X.25 switching virtual circuit table.
For the related commands, see x25 pvc, x25 switch pvc, x25 xot pvc, x25 fr pvc, and x25 switch svc.

Example
Display X.25 switching virtual circuit table.
[3Com] display x25 switch-table pvc
#1 (In: Serial0/0/0-vc1024)<— —>(Out: Serial1/0/0-vc1}
#2 (In: Serial1/0/0-vc1024)<— —>(Out: Serial0/0/0-vc1}

display x25 switch-table svc

Syntax
display x25 switch-table svc { dynamic | static }

View
Any view

Parameter
None

Description
The command display x25 switch-table svc is used to display X.25 switching routing table.
For the related command, see x25 switch svc.

Example
Display X.25 switching routing table.
[3Com] display x25 switch-table svc static
Number Destination Substitute-src Substitute-dst CUD SwitchTo(type/name)
1 11 I/Serial2/0/0
2 22 I/Serial2/1/0
3 133 H/hg1
4 132 T/123.123.123.123
5 133 T/123.123.123.123 T/124.124.124.124 T/125.125.125.125
6 111 222 333 T/4.4.4.4
Total of static svc is 6.
The item type of SwitchTo meaning:
I: interface H: hunt-group T: xot

The following table introduces the meaning of each field in the displayed information.
Table 20 Explanation of each field in the command display x25 switch-table svc
Field            Explanation
Number           Sequence number of this route in the routing table
Substitute-src   X.121 source address after substitution, if the content is blank, it means no substitution.
Substitute-dst   X.121 destination address after substitution, if the content is blank, it means no substitution.
CUD              Call User Data
SwitchTo         Forwarding address of this route, including interface, XOT channel and hunt group

display x25 vc

Syntax
display x25 vc [ lci ]

View
Any view

Parameter
lci: Logical channel identifier, its value ranges from 1 to 4095. If the logical channel identifier is not specified, all virtual circuits will be displayed.

Description
Using the display x25 vc command, you can view the information about the X.25 virtual circuit.
SVC (Switched Virtual Circuit) is set up temporarily by X.25 through call connection when data transmission is required. PVC is configured manually and exists regardless of the data transmission requirement.
When the router works in X.25 switched mode, virtual circuits will be set up in order to transfer the switched data. The information about these virtual circuits can be shown via this command, and only some fields in the displayed information differ.
For the related commands, see x25 pvc, x25 switch pvc, x25 xot pvc, and x25 fr pvc.

Example
Display X.25 virtual circuit.
<3Com> display x25 vc
Interface: Serial2/0/0 SVC 1 State: P4
Map: ip 10.1.1.2 to 130
Window size: input 2 output 2
Packet Size: input 128 output 128
Local PS: 5 Local PR: 5 Remote PS: 5 Remote PR: 4
Local Busy: FALSE Reset times: 0
Input/Output:
DATA 5/5 INTERRUPT 0/0
RR 0/0 RNR 0/0 REJ 0/0
Bytes 420/420
Snd Queue(Current/Max): 0/200
Interface: Serial2/1/0 SVC 10 State: P4
SVC <--> Serial2/0/0 SVC 60
Window size: input 2 output 2
Packet Size: input 128 output 128
Local PS: 0 Local PR: 0 Remote PS: 0 Remote PR: 0
Local Busy: FALSE Reset times: 0
Input/Output:
DATA 5/5 INTERRUPT 0/0
RR 0/0 RNR 0/0 REJ 0/0
Bytes 420/420
Snd Queue(Current/Max): 0/200
Interface: Serial2/0/0-1.1.1.1 PVC 1 State: P/Inactive
XOT PVC <--> Serial2/0/0 PVC 1 connected
Window size: input 2 output 2
Packet Size: input 128 output 128
Local PS: 0 Local PR: 0 Remote PS: 0 Remote PR: 0
Local Busy: FALSE Reset times: 0
Input/Output:
DATA 0/0 INTERRUPT 0/0
RR 0/0 RNR 0/0 REJ 0/0
Bytes 0/0
Snd Queue(Current/Max): 1/200
Interface: Serial2/0 PVC 1 State: D3
PVC <--> XOT Serial2/0/0-1.1.1.1 PVC 1 connected
Window size: input 2 output 2
Packet Size: input 128 output 128
Local PS: 0 Local PR: 0 Remote PS: 0 Remote PR: 0
Local Busy: FALSE Reset times: 0
Input/Output:
DATA 0/0 INTERRUPT 0/0
RR 0/0 RNR 0/0 REJ 0/0
Bytes 0/0
Snd Queue(Current/Max): 0/200
Interface: Serial2/0/0 SVC 59 State: P4
PAD: UI-130 From remote 130 connected to local 220
Window size: input 2 output 2
Packet Size: input 128 output 128
Local PS: 3 Local PR: 1 Remote PS: 1 Remote PR: 2
Local Busy: FALSE Reset times: 0
Input/Output:
DATA 9/11 INTERRUPT 0/0
RR 6/2 RNR 0/0 REJ 0/0
Bytes 53/363
Snd Queue(Current/Max): 0/200

display x25 xot

Syntax
display x25 xot

View
Any view

Parameter
None

Description
Using the display x25 xot command, you can view XOT link information.
You can use the command display x25 xot to view the detailed information about all XOT links, including peer ip and port, local ip and port, keepalive setting of socket and come/go interface names.
For the related commands, see x25 switch svc xot and x25 xot pvc.

Example
Display XOT link information.
[3Com] display x25 xot
SVC 1024: ( ESTAB )
tcp peer ip: 10.1.1.1, peer port: 1998
tcp local ip: 10.1.1.2, local port: 1024
socket keepalive period: 5, keepalive tries: 3
come interface name: Serial0/0/0-10.1.1.1-1024
go interface name: Serial0/0/0:

The above information indicates: there is one established XOT link via SVC, whose peer IP is 10.1.1.1, peer port is 1998, local IP is 10.1.1.2, local port is 1024, keepalive period of socket is 5 seconds, keepalive tries are 3, come interface name is Serial0/0/0-10.1.1.1-1024 (XOT interface), and go interface name is Serial0/0/0.

lapb max-frame

Syntax
lapb max-frame n1-value
undo lapb max-frame

View
Interface view

Parameter
n1-value: The value of the parameter N1 in bits, and its value ranges from 1096 to 12104. By default, the parameter N1 of LAPB is 12032.

Description
Using the lapb max-frame command, you can configure the LAPB parameter N1. Using the undo lapb max-frame command, you can restore the default value.
N1 is the maximum number of bits in an I frame that the DCE or DTE is willing to receive from its peer. Its value is the maximum transmission unit (MTU) plus the total bytes of protocol header, multiplied by 8, which stipulates the maximum length of a transmission frame.

Example
Set the parameter N1 of LAPB on the interface Serial 0/0/0 to 1160.
[3Com-Serial0/0/0] lapb max-frame 1160

lapb modulo

Syntax
lapb modulo { 128 | 8 }
undo lapb modulo

View
Interface view

Parameter
128: Using modulus 128 numbering view.
8: Using modulus 8 numbering view.

Description
Using the lapb modulo command, you can specify the LAPB frame numbering view (also called modulo). Using the undo lapb modulo command, you can restore the default value.
By default, the LAPB frame protocol view is modulo 8.
There are two LAPB frame numbering views: modulo 8 and modulo 128. Each information frame (I frame) is numbered in sequence, ranging from 0 to the modulo minus 1. In addition, sequential numbers will cycle within the range of modulo. Modulo 8 is a basic view, LAPB can implement all the standards via the view. It is sufficient for most links.
For the related command, see lapb window-size.

Example
Set the LAPB frame numbering view on Serial0/0/0 to modulo 8.
[3Com-Serial0/0/0] lapb modulo 8

lapb retry

Syntax
lapb retry n2-value
undo lapb retry

View
Interface view

Parameter
n2-value: The value of N2, its value ranges from 1 to 255. By default, the parameter N2 of LAPB is 10.

Description
Using the lapb retry command, you can configure LAPB parameter N2. Using the undo lapb retry command, you can restore the default value.
The value of N2 is the maximum number of times that the DCE or DTE retries sending one frame to the DTE or DCE.

Example
Set the LAPB parameter N2 on Serial0/0/0 to 20.
[3Com-Serial0/0/0] lapb retry 20

lapb timer

Syntax
lapb timer { t1 t1-value | t2 t2-value | t3 t3-value }
undo lapb timer { t1 | t2 | t3 }

View
Interface view

Parameter
t1-value: The value of timer T1 in ms, its value ranges from 1 to 64000ms. The default value of T1 is 2000ms.
t2-value: Value of the timer T2 in ms, ranging 1 to 32000. The default value of T2 is 1000ms.
t3-value: Value of the timer T3 in ms, its value ranges from 0 to 255. The default value of T3 is 0ms.

Description
Using the lapb timer command, you can configure the LAPB timers T1, T2 and T3. Using the undo lapb timer command, you can restore their default values.
T1 is a transmission timer. When T1 expires, DTE (DCE) will start retransmission. The value of T1 shall be greater than the maximum time between the sending of a frame and the receiving of its response frame.
T2 is a reception timer. When it expires, the DTE/DCE must send an acknowledgement frame so that this frame can be received before the peer DTE/DCE T1 timer expires (T2<T1).
T3 is an idle channel timer. When it expires, the DCE reports to the packet layer that the channel has stayed idle for a long time. T3 should be greater than the timer T1 (T3>T1) on a DCE. When T3 is 0, it indicates that it does not function yet.

Example
Set the LAPB timer T1 on Serial0/0/0 to 3000ms.
[3Com-Serial0/0/0] lapb timer t1 3000

lapb window-size

Syntax
lapb window-size k-value
undo lapb window-size

View
Interface view

Parameter
k-value: Maximum number of I frame of unacknowledged sequence number that DTE or DCE may send. If the modulus is 8, the value of the window parameter K ranges 1 to 7. If the modulus is 128, the value of the window parameter K ranges 1 to 127. By default, the window parameter K is 7.

Description
Using the lapb window-size command, you can configure the LAPB window parameter K. Using the undo lapb window-size command, you can restore the default value of the LAPB window parameter K.
The value of the window parameter K is determined by the value of modulus.
For the related command, see lapb modulo.

Example
Set the LAPB window parameter K on the interface Serial 0/0/0 to be 5.
[3Com-Serial0/0/0] lapb window-size 5
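
The LAPB parameters in the entries above constrain one another (K by the modulo, T2 by T1, T3 by T1 on a DCE), so a configuration is best checked as a whole. The following Python example is added here and is not code from the manual: it replays lapb command lines in order and reports values that break the documented ranges and relations. The sample configuration is constructed, and reading T3 in seconds (as the display interface field list states) is an assumption.

```python
import re

# Defaults and ranges as documented in the lapb command entries above.
DEFAULTS = {"mode": "dte", "modulo": 8, "n1": 12032, "n2": 10,
            "k": 7, "t1": 2000, "t2": 1000, "t3": 0}
RANGES = {"n1": (1096, 12104), "n2": (1, 255),
          "t1": (1, 64000), "t2": (1, 32000), "t3": (0, 255)}
KEYWORDS = {"max-frame": "n1", "retry": "n2", "window-size": "k", "modulo": "modulo"}
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")  # "[3Com-Serial0/0/0] " or "<3Com> "

# Constructed sample: commands as typed in interface view.
SAMPLE = """\
[3Com-Serial0/0/0] link-protocol lapb dce
[3Com-Serial0/0/0] lapb modulo 128
[3Com-Serial0/0/0] lapb window-size 20
[3Com-Serial0/0/0] undo lapb modulo
[3Com-Serial0/0/0] lapb timer t1 3000
[3Com-Serial0/0/0] lapb timer t2 3500
[3Com-Serial0/0/0] lapb timer t3 2
[3Com-Serial0/0/0] lapb max-frame 1160
"""


def n1_bits(mtu_bytes, header_bytes):
    """N1 as the manual defines it: (MTU + protocol header bytes) * 8."""
    return (mtu_bytes + header_bytes) * 8


def parse_lapb(config_text):
    """Replay the commands in order and return the effective LAPB settings."""
    cfg = dict(DEFAULTS)
    for raw in config_text.splitlines():
        words = PROMPT.sub("", raw).split()
        undo = words[:1] == ["undo"]
        if undo:
            words = words[1:]
        if not undo and words[:2] == ["link-protocol", "lapb"]:
            cfg["mode"] = "dce" if "dce" in words[2:] else "dte"
            continue
        if len(words) < 2 or words[0] != "lapb":
            continue
        if words[1] == "timer":
            key = words[2] if words[2:3] and words[2] in ("t1", "t2", "t3") else None
            value = words[3:4]
        else:
            key = KEYWORDS.get(words[1])
            value = words[2:3]
        if key is None:
            continue
        if undo:
            cfg[key] = DEFAULTS[key]          # undo restores the documented default
        elif value and value[0].isdigit():
            cfg[key] = int(value[0])
    return cfg


def check_lapb(cfg):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    if cfg["modulo"] not in (8, 128):
        findings.append(f"modulo {cfg['modulo']}: only 8 and 128 are defined")
    for key, (low, high) in RANGES.items():
        if not low <= cfg[key] <= high:
            findings.append(f"{key} {cfg[key]}: outside documented range {low}-{high}")
    if cfg["n1"] % 8:
        findings.append(f"n1 {cfg['n1']}: not a multiple of 8, but N1 is a byte count times 8")
    k_max = cfg["modulo"] - 1
    if not 1 <= cfg["k"] <= k_max:
        findings.append(f"k {cfg['k']}: window must be 1-{k_max} with modulo {cfg['modulo']}")
    if cfg["t2"] >= cfg["t1"]:
        findings.append(f"t2 {cfg['t2']} ms must be less than t1 {cfg['t1']} ms")
    # Assumption: T3 is in seconds, as the display interface field list says.
    if cfg["mode"] == "dce" and cfg["t3"] and cfg["t3"] * 1000 <= cfg["t1"]:
        findings.append(f"t3 {cfg['t3']} s must exceed t1 {cfg['t1']} ms on a DCE")
    return findings


if __name__ == "__main__":
    for finding in check_lapb(parse_lapb(SAMPLE)):
        print(finding)
```

In the sample, the window of 20 was valid while the modulo was 128 and becomes invalid once undo lapb modulo returns the interface to modulo 8, which is why the check runs on the final state rather than line by line.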

link-protocol lapb

Syntax
link-protocol lapb [ dte | dce ] [ ip | multi-protocol ]

View
Interface view

Parameter
dte: Indicates that the interface works in DTE mode of LAPB.
dce: Indicates that the interface works in DCE mode of LAPB.
ip: Indicates that the network layer protocol borne by LAPB is IP.

Description
Using the link-protocol lapb command, you can specify the link layer protocol of the interface as LAPB.
By default, DTE is the default LAPB operating mode. IP is the default network layer protocol.
Though LAPB is a layer-2 protocol of X.25, it can act as an independent link-layer protocol for simple data transmission. Generally, LAPB can be used when two routers are directly connected with a dedicated line. At that time one end works in the DTE mode, and the other in the DCE mode.
For the related command, see display interface.

Example
Configure LAPB as the link layer protocol of the interface Serial 0/0/0, and enable it to work in DCE mode.
[3Com-Serial0/0/0] link-protocol lapb dce

link-protocol x25

Syntax
link-protocol x25 [ dte | dce ] [ ietf | nonstandard ]

View
Interface view

Parameter
dte: Indicates that the interface works in DTE mode.
dce: Indicates that the interface works in DCE mode.
ietf: Based on the standard stipulation of the IETF RFC 1356, encapsulate IP or other network protocols on the X.25 network.
nonstandard: Encapsulates IP or other network protocols on the X.25 network in nonstandard format.

Description
Using the link-protocol x25 command, you can encapsulate X.25 protocol to the specified interface.
By default, the link-layer protocol for interface is PPP. When the interface uses X.25 protocol, it works in DTE IETF mode by default.
If the X.25 switching function is not used, and two Routers are directly connected back to back via the X.25 protocol, one Router shall work in DTE mode, while the other shall work in DCE mode. When two Routers are connected via the X.25 public packet network, they shall generally work in DTE mode. If the X.25 switching function is used, the Router shall generally work in DCE mode.
In practice, select the IETF format of datagram if there is no special requirement.
For the related command, see display interface.

Example
Specify X.25 as the link layer protocol of the interface Serial 0/0/0 that works in DTE IETF mode.
[3Com-Serial0/0/0] link-protocol x25 dte ietf

pad

Syntax
pad x121-address

View
User view

Parameter
x121-address: X.121 destination address.

Description
Using the pad command, you can establish a PAD connection with the remote site.
PAD is a kind of application similar to telnet. It can establish a connection between two ends through the X.121 address, which is then used to carry out configuration operations.

Example
Establish a PAD connection, and the destination X.121 address is 2.
<3Com> pad 2

reset xot

Syntax
reset xot local local-ip-address local-port remote remote-ip-address remote-port

View
User view

Parameter
local-ip-address: Local IP address of the XOT connection.
local-port: Local port number of the XOT connection.
remote-ip-address: Remote IP address of the XOT connection.
remote-port: Remote port number of the XOT connection.

Description
For SVC, using the reset xot command, you can actively clear an XOT link. For PVC, using the reset xot command, you can actively reset an XOT link.
When you clear or reset the XOT link, you can obtain the required ports using the commands display x25 xot or display tcp status.
For the related commands, see display x25 vc, x25 switching, display x25 xot, and display tcp status.

Example
Clear or reset an XOT link.
[3Com] reset xot local 10.1.1.1 1998 remote 10.1.1.2 1024
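
The fields shown by display x25 xot map directly onto the arguments of reset xot. The following Python example is added here and is not from the manual: it parses display x25 xot output, lists the links whose TCP peer falls outside a set of expected networks, and builds the matching reset xot command for each. The second link in the sample, the expected-network list and the handling of a PVC header line are assumptions.

```python
import ipaddress
import re

# Constructed sample: the first link follows the manual's display x25 xot
# example, the second link is invented for the demonstration.
SAMPLE = """\
SVC 1024: ( ESTAB )
tcp peer ip: 10.1.1.1, peer port: 1998
tcp local ip: 10.1.1.2, local port: 1024
socket keepalive period: 5, keepalive tries: 3
come interface name: Serial0/0/0-10.1.1.1-1024
go interface name: Serial0/0/0:
SVC 1025: ( ESTAB )
tcp peer ip: 192.0.2.77, peer port: 40112
tcp local ip: 10.1.1.2, local port: 1998
socket keepalive period: 5, keepalive tries: 3
come interface name: Serial0/0/0-192.0.2.77-1025
go interface name: Serial0/0/0:
"""

# \s* between fields, so the pattern matches the multi-line CLI output as well
# as a capture that has been flattened onto a single line.
# Assumption: a PVC link uses the same layout with "PVC" in the header.
LINK = re.compile(
    r"(?P<kind>SVC|PVC)\s+(?P<vc>\d+):\s*\(\s*(?P<state>\w+)\s*\)\s*"
    r"tcp peer ip:\s*(?P<peer_ip>[\d.]+),\s*peer port:\s*(?P<peer_port>\d+)\s*"
    r"tcp local ip:\s*(?P<local_ip>[\d.]+),\s*local port:\s*(?P<local_port>\d+)\s*"
    r"socket keepalive period:\s*(?P<ka_period>\d+),\s*keepalive tries:\s*(?P<ka_tries>\d+)"
)
INT_FIELDS = ("vc", "peer_port", "local_port", "ka_period", "ka_tries")


def parse_xot(text):
    """Return one dict per XOT link found in display x25 xot output."""
    links = []
    for match in LINK.finditer(text):
        link = match.groupdict()
        for field in INT_FIELDS:
            link[field] = int(link[field])
        links.append(link)
    return links


def unexpected_peers(links, expected_networks):
    """Return the links whose TCP peer is not inside any expected network."""
    networks = [ipaddress.ip_network(n) for n in expected_networks]
    flagged = []
    for link in links:
        try:
            peer = ipaddress.ip_address(link["peer_ip"])
        except ValueError:
            flagged.append(link)      # unparsable peer address: review it
            continue
        if not any(peer in net for net in networks):
            flagged.append(link)
    return flagged


def reset_command(link):
    """Build the reset xot command that clears (SVC) or resets (PVC) this link."""
    return ("reset xot local {local_ip} {local_port} "
            "remote {peer_ip} {peer_port}").format(**link)


if __name__ == "__main__":
    for link in unexpected_peers(parse_xot(SAMPLE), ["10.1.1.0/24"]):
        print(link["kind"], link["vc"], link["state"], "->", reset_command(link))
```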

x25 alias-policy

Syntax
x25 alias-policy match-type alias-string
undo x25 alias-policy match-type alias-string

View
Interface view

Parameter
match-type: Match type of the alias. There are 9 optional match types:
free: Free match
free-ext: Extended free match
left: Left alignment match
left-ext: Extended left alignment match
right: Right alignment match
right-ext: Extended right alignment match
strict: Strict match
whole: Whole match
whole-ext: Extended whole match
alias-string: String of the alias

Description
Using the x25 alias-policy command, you can configure the alias of an X.121 address. Using the undo x25 alias-policy command, you can delete the alias of an X.121 address.
By default, no X.25 alias is configured.

When an X.25 call is forwarded between networks, different X.25 networks may perform some operations on the destination addresses (that is, the called DTE address) carried by this call packet, for example, regularly adding or deleting the prefix and suffix. In this case, a user needs to set an interface alias for the router to adapt this change. Please consult your ISP to learn if the network supports this function before deciding whether the alias function is enabled or not.
For the details about the X.25 alias matching method, please see the chapter LAPB and X.25 Configurations in Operation Manual.
For the related commands, see display x25 alias-policy and x25 x121-address.

Example
Configure the link-layer protocol on interface Serial0/0/0 as X.25 and its X.121 address to 20112451, and set two aliases with different match types for it.
[3Com] interface serial 0/0/0
[3Com-Serial0/0/0] link-protocol x25
[3Com-Serial0/0/0] x25 x121-address 20112451
[3Com-Serial0/0/0] x25 alias-policy right 20112451$
[3Com-Serial0/0/0] x25 alias-policy left $20112451

With the above configurations, a call whose destination address is 20112451 can be accepted as long as it can reach the local X.25 interface Serial0/0/0, no matter whether the network is performing the prefix adding operation or suffix adding operation.

x25 call-facility

Syntax
x25 call-facility facility-option
undo x25 call-facility facility-option

View
Interface view

Parameter
facility-option: User facility option, its value includes:
closed-user-group number: Specifies a closed user group (CUG) number for the X.25 interface. The facility enables DTE to belong to one or more CUGs. CUG allows the DTEs in it to communicate with each other, but not to communicate with other DTEs.
packet-size input-size output-size: Specifies the maximum packet size negotiation in initiating call from X.25 interface. Maximum packet size negotiation is part of flow control parameter negotiation. It needs two parameters: maximum reception packet size and maximum transmission packet size, which must range from 16 to 1024 (including 16 and 1024), and must be the integer power of 2.
reverse-charge-request: Specifies reverse charging request while calling from X.25 interface.
roa-list name: Specifies an ROA list name configured by the command x25 roa-list in system view for the X.25 interface.
send-delay value: Specifies the maximum network send delay request while calling from X.25 interface. You can set this request to any value ranging from 0 to 65534 ms (including 0 and 65534).
threshold in out: Specifies throughput negotiation while calling from X.25 interface. The values of in/out are defined as 75, 150, 300, 600, 1200, 2400, 4800, 9600, 19200, and 48000.
window-size input-window-size output-window-size: Specifies the window size negotiation while calling from X.25 interface. Window size negotiation is a part of flow control parameter negotiation. It needs two parameters: reception window size and transmission window size, which must be in the range of 1 to modulo -1 (including 1 and modulo -1). The default values of the two parameters are 2.

Description
Using the x25 call-facility command, you can set user options for an X.25 interface. After an option is set, all X.25 calls from the X.25 interface will carry the relevant information field in call packet. Using the undo x25 call-facility command, you can delete the set option.
By default, no facility is set.
The user facilities set via this command are available for all the calls originating from this X.25 interface. You can set a user option for an X.25 call from a certain address mapping through the command x25 map protocol-name protocol-address x.121-address x.121-address [ option ].
For the related command, see x25 map.

Example
Specify the flow control parameter negotiation with the peer end for the calls from the X.25 interface serial0/0/0.
[3Com-Serial0/0/0] x25 call-facility packet-size 512 512
[3Com-Serial0/0/0] x25 call-facility window-size 5 5

x25 cug-service

Syntax
x25 cug-service [ incoming-access ] [ outgoing-access ] [ suppress { all | preferential } ]
undo x25 cug-service

View
Interface view

Parameter
incoming-access: Performs the suppress processing of incoming access.
outgoing-access: Performs the suppress processing of outgoing access.
all: Suppresses all CUGs configured with preferential suppress.
preferential: Only processes those CUGs configured with preferential suppress.

Description
Using the x25 cug-service command, you can map the local CUG facility to the network CUG. When the call with CUG facility meets CUG suppress conditions, it will be processed. Using the undo x25 cug-service command, you can delete CUG suppress.
The command is used on DCE side, and you can use the command link-protocol x25 dce to set DCE as the working mode of the interface.
By default, no CUG suppress is defined.
For the related commands, see x25 call-facility and x25 local-cug.

Example
Define the suppress processing of incoming access on the interface Serial0/0/0.
[3Com-Serial0/0/0] x25 cug-service incoming-access

x25 default-protocol

Syntax
x25 default-protocol protocol-type
undo x25 default-protocol

View
Interface view

Parameter
protocol-type: Protocol type, may be IP.

Description
Using the x25 default-protocol command, you can set the default upper-layer protocol carried over X.25 for the X.25 interface. Using the undo x25 default-protocol command, you can restore the default upper-layer protocol.
By default, IP is carried over X.25.
During X.25 SVC setup, the called device will check the call user data field of X.25 call request packet. If it is an unidentifiable one, the called device will deny the setup of the call connection. However, a user can specify a default upper-layer protocol carried over X.25. When X.25 receives a call with unknown CUD, the call can be treated based on the default upper-layer protocol specified by a user.
For the related command, see x25 map.

Example
Set the default upper-layer protocol over the X.25 interface Serial0/0/0 as IP.
[3Com-Serial0/0/0] x25 default-protocol ip

x25 hunt-group

Syntax
x25 hunt-group hunt-group-name { round-robin | vc-number }
undo x25 hunt-group hunt-group-name

View
System view

Parameter
hunt-group-name: Name of hunt group.
round-robin: Select call channel using cyclic selection policy.
vc-number: Select call channel using the policy of computing available logical channel.

Description
Using the x25 hunt-group command, you can create or enter an X.25 hunt group. Using the undo x25 hunt-group command, you can delete the specified X.25 hunt group.
X.25 hunt group supports two call channel selection policies: round-robin mode and vc-number mode, and a hunt group only uses one channel selection policy. The round-robin mode will select the next interface or XOT channel inside the hunt group for each call request using the cyclic selection method. The vc-number mode will select the interface with the most idle logical channels in the hunt group for each call request.
A hunt group can have 10 interfaces or XOT channels at most, and it selects among the available channels without distinguishing between interfaces and XOT channels. An XOT channel cannot join a hunt group that adopts the vc-number selection policy.
For the related command, see display x25 hunt-group.

Example
Create hunt group hg1 which uses cyclic selection policy.
[3Com] x25 hunt-group hg1 round-robin
[3Com-hg-hg1]

x25 ignore called-address

Syntax
x25 ignore called-address
undo x25 ignore called-address

View
Interface view

Parameter
None

Description
Using the x25 ignore called-address command, you can enable X.25 to ignore the X.121 address of the called DTE when it initiates calls. Using the undo x25 ignore called-address command, you can disable this function. By default, this function is disabled.

According to X.25, the call request packet must carry the address bits. However, in a specific network environment or when the application requires it, the X.25 call request does not have to carry the called/calling DTE address. This command enables users to specify whether the call request packet sent by X.25 in the 3Com series routers carries the called DTE address.

For the related commands, see x25 response called-address, x25 response calling-address, and x25 ignore calling-address.

Example
Specify the call request packet from the X.25 interface Serial0/0/0 not to carry the called DTE address.

[3Com-Serial0/0/0] x25 ignore called-address

x25 ignore calling-address

Syntax
x25 ignore calling-address
undo x25 ignore calling-address

View
Interface view

Parameter
None

Description
Using the x25 ignore calling-address command, you can enable X.25 to ignore the X.121 address of the calling DTE when it initiates calls. Using the undo x25 ignore calling-address command, you can disable this function. By default, this function is disabled.

According to X.25, the call request packet must carry the address bits. However, in a specific network environment or when the application requires it, the X.25 call request does not have to carry the called/calling DTE address. This command enables users to specify whether the call request packet sent by X.25 in the 3Com series routers carries the calling DTE address.

For the related commands, see x25 response called-address, x25 response calling-address, and x25 ignore called-address.

Example
Specify the call request packet from the X.25 interface Serial0/0/0 not to carry the calling DTE address.

[3Com-Serial0/0/0] x25 ignore calling-address

x25 local-cug

Syntax
x25 local-cug cug-number network-cug cug-number [ no-incoming ] [ no-outgoing ] [ preferential ]
undo x25 local-cug cug-number

View
Interface view

Parameter
local-cug cug-number: Number of local CUG.
network-cug cug-number: Number of network CUG.
no-incoming: Suppresses incoming access.
no-outgoing: Suppresses outgoing access.
preferential: Suppresses the CUGs configured with preferential.

Description
Using the x25 local-cug command, you can define CUG suppress rules. Using the undo x25 local-cug command, you can delete the rules.

There are two CUG suppress rules: suppressing all CUG facilities and suppressing the mapping CUG facility configured with preferential. By default, no suppress rule is defined.

For the related commands, see x25 call-facility and x25 cug-service.

Example
Define the rule on the serial interface Serial0/0/0: incoming calls with local CUG 100 or network CUG 200 are denied.

[3Com-Serial0/0/0] x25 cug-service
[3Com-Serial0/0/0] x25 local-cug 100 network-cug 200 no-incoming

x25 map

Syntax
x25 map { ip | compressedtcp } protocol-address x121-address x.121-address [ option ]
undo x25 map { ip | compressedtcp } protocol-address

View
Interface view

Parameter
ip: Uses IP protocol.
compressedtcp: Uses TCP header compression.
protocol-address: Network protocol address of the peer host.
x.121-address: X.121 address of the peer host.
option: Specifies some attributes or user facilities for the address mapping.

Description
Using the x25 map command, you can set the address mapping between the IP address used by LANs and the X.121 address. Using the undo x25 map command, you can delete one existing mapping. By default, no address mapping is set.

Since the X.25 protocol can multiplex several logical virtual circuits on a physical interface, you need to manually specify the mapping between every network address and its X.121 address. Once you have specified an address mapping, its contents (including protocol address, X.121 address and all options) cannot be changed. To make modifications, first delete the address mapping with the undo x25 map command, and then establish a new address mapping. Two or more address mappings with an identical protocol address shall not exist on the same X.25 interface.

Detailed explanations of the options are as follows:

broadcast: Sends any broadcasts of internetworking protocol and the multicast of IP to the destination. This option provides powerful support for some routing protocols (such as Routing Information Protocol).
closed-user-group group-number: Number of the closed user group corresponding to this address mapping.
encapsulation-type: Encapsulation type, optional types include nonstandard, ietf, multi-protocol and snap.
idle-timer minutes: Maximum idle time for the VC associated with the address mapping. 0 means that the idle time is infinite.
no-callin: Disables accepting call to the address mapping.
no-callout: Disables call originating from the address mapping.
packet-size input-packet output-packet: When the address mapping is used to originate a call, it will negotiate the maximum packet size in bytes with the peer end. Its value must range from 16 to 4096 (including 16 and 4096), and must be the integer power of 2.
reverse-charge-accept: If a call initiated by the address mapping carries reverse charging request, to accept the call, this option must be configured in the address mapping.
reverse-charge-request: Specifies reverse charging request while calling from the address mapping.
roa-list name: Specifies an ROA list name configured by the command x25 roa-list in system view for the X.25 interface.
send-delay milliseconds: When the address mapping is used to originate a call, it carries the maximum transmission delay request.
threshold in out: When the address mapping is used to originate a call, it negotiates throughput with the peer end. The values of in/out are defined to be 75, 150, 300, 600, 1200, 2400, 4800, 9600, 19200, and 48000.
vc-per-map count: Maximum number of VCs associated with the address mapping.
window-size input-window-size output-window-size: When the address mapping is used to originate a call, it negotiates the window size with the peer end. The values of input-window-size and output-window-size range between 1 and the number that is 1 less than the modulus of the X.25 interface where the address mapping exists (including 1 and modulus minus 1).

For the related commands, see display x25 map, x25 reverse-charge-accept, x25 call-facility, x25 timer idle, and x25 vc-per-map.

Example
Set two address mappings on each of the X.25 interfaces Serial0/0/0 and Serial1/0/0; the four address mappings have different attributes.

[3Com] interface serial 0/0/0
[3Com-Serial0/0/0] x25 map ip 202.38.160.11 x121-address 20112451 reverse-charge-request reverse-charge-accept
[3Com-Serial0/0/0] x25 map ip 202.38.160.138 x121-address 20112450 packet-size 512 512 idle-timer 10
[3Com] interface serial1/0/0
[3Com-Serial1/0/0] x25 map ip 20.30.4.1 x121-address 25112451 window-size 4 4 broadcast
[3Com-Serial1/0/0] x25 map ip 20.30.4.8 x121-address 25112450 no-callin
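The value limits stated for the x25 map options (packet-size, window-size, threshold) and the one-mapping-per-protocol-address rule can be checked before a configuration is loaded. The following Python linter is an added example, not 3Com code; the function names are assumptions, and the sample configuration combines mappings from the example above with constructed faulty lines.

```python
import re

# Throughput values listed for the "threshold in out" option.
THRESHOLDS = {75, 150, 300, 600, 1200, 2400, 4800, 9600, 19200, 48000}
PROMPT = re.compile(r"^\[[^\]]*\]\s*")  # leading "[3Com-Serial0/0/0] " prompt

# Constructed sample: valid mappings plus deliberately faulty ones.
SAMPLE = """\
[3Com] interface serial 0/0/0
[3Com-Serial0/0/0] x25 map ip 202.38.160.11 x121-address 20112451 reverse-charge-request reverse-charge-accept
[3Com-Serial0/0/0] x25 map ip 202.38.160.138 x121-address 20112450 packet-size 512 512 idle-timer 10
[3Com-Serial0/0/0] x25 map ip 202.38.160.138 x121-address 20112452 packet-size 500 512
[3Com] interface serial1/0/0
[3Com-Serial1/0/0] x25 modulo 128
[3Com-Serial1/0/0] x25 map ip 20.30.4.1 x121-address 25112451 window-size 100 100 broadcast
[3Com] interface serial 2/0/0
[3Com-Serial2/0/0] x25 map ip 20.30.5.1 x121-address 25112460 window-size 4 8 threshold 1000 9600
"""


def parse(config_text):
    """Yield (interface, tokens) per command, tracking the current interface view."""
    iface = None
    for raw in config_text.splitlines():
        tokens = PROMPT.sub("", raw.strip()).split()
        if not tokens:
            continue
        if tokens[0] == "interface":
            # "serial 0/0/0" and "serial0/0/0" name the same interface.
            iface = "".join(tokens[1:]).lower()
            continue
        yield iface, tokens


def check_map_options(opts, modulus):
    """Check the two-value options of one x25 map command against the documented limits."""
    rules = [
        ("packet-size", lambda v: 16 <= v <= 4096 and v & (v - 1) == 0,
         "packet-size must be a power of 2 from 16 to 4096"),
        ("window-size", lambda v: 1 <= v <= modulus - 1,
         f"window-size must be 1..{modulus - 1} for modulus {modulus}"),
        ("threshold", lambda v: v in THRESHOLDS,
         "threshold is not one of the listed throughput values"),
    ]
    problems = []
    for name, ok, message in rules:
        if name not in opts:
            continue
        start = opts.index(name) + 1
        values = opts[start:start + 2]
        if len(values) < 2 or not all(v.isdigit() for v in values):
            problems.append(f"{name} needs two integer values")
        elif not all(ok(int(v)) for v in values):
            problems.append(message)
    return problems


def lint_x25_maps(config_text):
    """Return (interface, protocol-address, problem) tuples for every violation found."""
    commands = list(parse(config_text))
    findings, modulus, seen = [], {}, set()
    # Pass 1: window modulus per interface (8 unless "x25 modulo" sets 128).
    for iface, t in commands:
        if t[:2] == ["x25", "modulo"] and len(t) == 3:
            if t[2] in ("8", "128"):
                modulus[iface] = int(t[2])
            else:
                findings.append((iface, "-", "modulus must be 8 or 128"))
    # Pass 2: every address mapping.
    for iface, t in commands:
        if t[:2] != ["x25", "map"] or len(t) < 6:
            continue
        addr = t[3]
        if (iface, addr) in seen:
            findings.append((iface, addr, "duplicate protocol address on this interface"))
        seen.add((iface, addr))
        for problem in check_map_options(t[6:], modulus.get(iface, 8)):
            findings.append((iface, addr, problem))
    return findings


if __name__ == "__main__":
    for finding in lint_x25_maps(SAMPLE):
        print(finding)
```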

x25 modulo

Syntax
x25 modulo modulus
undo x25 modulo

View
Interface view

Parameter
modulus: Modulus, whose value is 8 or 128.

Description
Using the x25 modulo command, you can set the window modulus of an X.25 interface. Using the undo x25 modulo command, you can restore its default window modulus. By default, the window modulus of an X.25 interface is modulus 8 mode.

The sliding window is the basis for X.25 traffic control, and the key point about the sliding window is that the sent packets are numbered cyclically in order and are to be acknowledged by the peer end. The order in numbering refers to the ascending order, like “…2, 3, 4, 5, 6…”. “Cyclically” means that the numbering starts again from the beginning when a certain number (called modulus) is reached. For example, when the modulus is 8, the numbering goes “…4, 5, 6, 7, 0, 1…”. X.25 defines two numbering moduli: 8 (also called the basic numbering) and 128 (also called extended numbering), and the X.25 of the 3Com series routers supports both.

For the related commands, see display interface, x25 call-facility, x25 map, x25 pvc, x25 switch pvc, x25 xot pvc, x25 fr pvc, and x25 window-size.

Example
Set the modulus on the X.25 interface Serial0/0/0 to 128.

[3Com-Serial0/0/0] x25 modulo 128

x25 packet-size

Syntax
x25 packet-size input-packet output-packet
undo x25 packet-size

View
Interface view

Parameter
input-packet: Maximum input packet length in bytes. Its value ranges from 16 to 1024 (including 16 and 1024) and must be the integer power of 2. By default, the maximum input packet length of X.25 interface is 128 bytes.
output-packet: Maximum output packet length in bytes. Its value ranges from 16 to 1024 (including 16 and 1024) and must be the integer power of 2. By default, the maximum output packet length of X.25 interface is 128 bytes.

Description
Using the x25 packet-size command, you can set the maximum input and output packet lengths of X.25 interface. Using the undo x25 packet-size command, you can restore their default values.

Usually, the X.25 packet-switching network limits the transmission packet size, and the maximum size of a data packet sent by the DTE shall not exceed this size (otherwise it will trigger the reset of the VC). The DTE devices at the sending end and the receiving end are therefore required to have datagram fragmentation and reassembly functions. The sending DTE fragments any datagram longer than the maximum transmission packet length into packets of at most that length, and sets the M bit in every fragment except the final one. After receiving these fragments, the receiving DTE reassembles them into a datagram based on the M bit and submits it to the upper-layer protocol.

Consult your ISP about the maximum receiving packet length. Normally, the maximum receiving packet length equals the maximum sending packet length. Unless your ISP allows it, do not set these two parameters to different values.

For the related commands, see x25 call-facility, x25 pvc, x25 switch pvc, x25 xot pvc and x25 fr pvc.

Example
Set the maximum receiving packet length and maximum sending packet length on X.25 interface Serial0/0/0 to 256 bytes.

[3Com-Serial0/0/0] x25 packet-size 256 256

x25 pvc

Syntax
x25 pvc pvc-number protocol-type protocol-address x121-address x.121-address [ option ]
undo x25 pvc pvc-number

View
Interface view

Parameter
pvc-number: PVC number, which must range from 1 to 4095 (including 1 and 4095), and must be in the PVC channel range.
protocol-type: Upper-layer protocol carried over the permanent virtual circuit, which may be IP or compressedtcp.
protocol-address: Network protocol address of the peer end of the PVC.
x.121-address: X.121 address of the peer end of this PVC.
option: Attribute of the PVC.

Description
Using the x25 pvc command, you can configure one PVC route encapsulated with datagram. Using the undo x25 pvc command, you can delete this route. By default, no PVC encapsulated with datagram is created.

If you do not set the relevant attributes when creating such a PVC, its flow control parameters are the same as those of the X.25 interface on which it resides (the flow control parameters on an X.25 interface can be set by the x25 packet-size and x25 window-size commands). As one corresponding address mapping is implicitly established while establishing the PVC, it is unnecessary (and impossible) to establish an address mapping before establishing PVCs.

Before establishing PVCs, users should first enable the PVC channel section. The section runs from 1 to the lowest channel number of the unprohibited channel ranges minus 1 (including both ends). If that lowest channel number is 1, the PVC section is disabled. The following table shows some typical PVC sections.

Table 21 PVC channel section of some typical configurations

Incoming-only channel range   Two-way channel range   Outgoing-only channel range   PVC channel range
[0, 0]                        [1, 1024]               [0, 0]                        Disabled
[0, 0]                        [10, 24]                [0, 0]                        [1, 9]
[1, 10]                       [15, 30]                [0, 0]                        Disabled
[5, 10]                       [15, 25]                [30, 32]                      [1, 4]
[0, 0]                        [0, 0]                  [20, 45]                      [1, 19]
[0, 0]                        [0, 0]                  [0, 0]                        [1, 4095]

Detailed explanations of PVC options are as follows:

broadcast: Forward broadcast packet to the peer PVC.
encapsulation-type: Encapsulation type, which may be nonstandard, ietf, multi-protocol and snap.
packet-size input-packet output-packet: Specifies the maximum receiving packet length and maximum sending packet length. The length is counted in bytes, must range from 16 to 4096 (including 16 and 4096), and must be the integer power of 2.
window-size input-window-size output-window-size: Specifies the receiving window and transmitting window sizes of the VC, which range between 1 and the number that is 1 less than the modulus of the X.25 interface where the address mapping exists (including 1 and modulus minus 1).

For the related commands, see display x25, x25 map.

Example
Configure the link layer protocol on the interface Serial0/0/0 to X.25, enable PVC channel section, and set two VCs.

[3Com] interface serial 0/0/0
[3Com-Serial0/0/0] link-protocol x25
[3Com-Serial0/0/0] x25 vc-range bi-channel 8,102 4
[3Com-Serial0/0/0] x25 pvc 2 ip 202.38.168.1 x121-address 20112451 broadcast packet-size 512 512
[3Com-Serial0/0/0] x25 pvc 6 ip 202.38.168.3 x121-address 20112453 broadcast window-size 5 5
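The PVC channel rule and Table 21 above can be expressed as a short check. This Python code is an added example, not part of the 3Com manual: it derives the PVC channel range from the three channel ranges and flags x25 pvc numbers that fall outside it. The function names and the sample commands are constructed for illustration.

```python
import re

PVC_MAX = 4095
PROMPT = re.compile(r"^\[[^\]]*\]\s*")  # leading "[3Com-Serial0/0/0] " prompt

# Rows of Table 21: (incoming-only, two-way, outgoing-only, expected PVC range).
# None stands for "Disabled"; (0, 0) marks a prohibited channel range.
TABLE_21 = [
    ((0, 0), (1, 1024), (0, 0), None),
    ((0, 0), (10, 24), (0, 0), (1, 9)),
    ((1, 10), (15, 30), (0, 0), None),
    ((5, 10), (15, 25), (30, 32), (1, 4)),
    ((0, 0), (0, 0), (20, 45), (1, 19)),
    ((0, 0), (0, 0), (0, 0), (1, 4095)),
]

# Constructed sample commands; PVC 12 is deliberately out of range for row 2.
SAMPLE = """\
[3Com-Serial0/0/0] x25 pvc 2 ip 202.38.168.1 x121-address 20112451 broadcast packet-size 512 512
[3Com-Serial0/0/0] x25 pvc 6 ip 202.38.168.3 x121-address 20112453 broadcast window-size 5 5
[3Com-Serial0/0/0] x25 pvc 12 ip 202.38.168.5 x121-address 20112455
"""


def pvc_channel_range(incoming, two_way, outgoing):
    """Return the PVC channel range as (low, high), or None when it is disabled."""
    lows = [low for low, high in (incoming, two_way, outgoing) if (low, high) != (0, 0)]
    if not lows:
        # No SVC range is in use, so every channel number is left for PVCs.
        return (1, PVC_MAX)
    lowest = min(lows)
    if lowest == 1:
        # The SVC ranges start at channel 1; nothing is left below them.
        return None
    return (1, lowest - 1)


def pvcs_outside_range(config_text, incoming, two_way, outgoing):
    """Return the numbers used in 'x25 pvc' commands that are not in the PVC range."""
    allowed = pvc_channel_range(incoming, two_way, outgoing)
    bad = []
    for raw in config_text.splitlines():
        tokens = PROMPT.sub("", raw.strip()).split()
        if tokens[:2] == ["x25", "pvc"] and len(tokens) > 2 and tokens[2].isdigit():
            number = int(tokens[2])
            if allowed is None or not allowed[0] <= number <= allowed[1]:
                bad.append(number)
    return bad


if __name__ == "__main__":
    for incoming, two_way, outgoing, expected in TABLE_21:
        print(incoming, two_way, outgoing, "->", pvc_channel_range(incoming, two_way, outgoing))
    print("out of range:", pvcs_outside_range(SAMPLE, (0, 0), (10, 24), (0, 0)))
```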

x25 queue-length

Syntax
x25 queue-length queue-length
undo x25 queue-length

View
Interface view

Parameter
queue-length: Length of queue in packets, which ranges from 0 to 9999. By default, the data queue length on X.25 VC is 500.

Description
Using the x25 queue-length command, you can set the data queue length on X.25 VC. Using the undo x25 queue-length command, you can restore its default value.

When the data traffic is too heavy, you can use this command to extend the receiving queue and sending queue of the X.25 VC to avoid data loss that may affect transmission performance. Note that modifying this parameter does not affect the existing data queue of a VC.

For the related command, see x25 packet-size.

Example
Set the VC data queue length of the X.25 interface Serial0/0/0 to 75 datagrams.

[3Com-Serial0/0/0] x25 queue-length 75

x25 receive-threshold

Syntax
x25 receive-threshold count
undo x25 receive-threshold

View
Interface view

Parameter
count: The number of data packets that can be received before an acknowledgement is sent, ranging from 0 to the input window size. If it is set to 0 or the input window size, this function will be disabled. If it is set to 1, X.25 of the 3Com series routers will send an acknowledgement for each correct packet received. By default, the number of data packets that can be received on X.25 before an acknowledgement is sent is 0.

Description
Using the x25 receive-threshold command, you can set the maximum number of packets that can be received before X.25 sends the acknowledgement packet. Using the undo x25 receive-threshold command, you can restore its default value.

After enabling this function, the 3Com series routers can send an acknowledgement to the peer router upon the receipt of some correct packets, even if the input window is not yet full. If there is not much data traffic in the application environment and response speed matters more, users can adjust this parameter to meet the requirement.

For the related command, see x25 window.

Example
Specify that each VC on the X.25 interface Serial0/0/0 acknowledges each correctly received data packet.

[3Com-Serial0/0/0] x25 receive-threshold 1

x25 response called-address

Syntax
x25 response called-address
undo x25 response called-address

View
Interface view

Parameter
None

Description
Using the x25 response called-address command, you can enable X.25 to carry the address information of the called DTE when sending a call reception packet. Using the undo x25 response called-address command, you can disable this function. By default, this function is disabled.

According to X.25, the call receiving packet of a call may or may not carry an address code group, depending on the specific network requirements. This command enables users to specify whether the call receiving packet of a call sent by X.25 of the 3Com series routers carries the called DTE address.

For the related commands, see x25 response calling-address, x25 ignore called-address, and x25 ignore calling-address.

Example
Specify that the call receiving packet of a call sent from the X.25 interface Serial0/0/0 carries the called DTE address.

[3Com-Serial0/0/0] x25 response called-address

x25 response calling-address

Syntax
x25 response calling-address
undo x25 response calling-address

View
Interface view

Parameter
None

Description
Using the x25 response calling-address command, you can enable X.25 to carry the address information of the calling DTE when sending a call reception packet. Using the undo x25 response calling-address command, you can disable this function. By default, this function is disabled.

According to X.25, the call receiving packet of a call may or may not carry an address code group, depending on the specific network requirements. This command enables users to specify whether the call receiving packet of a call sent by X.25 of the 3Com series routers carries the calling DTE address.

For the related commands, see x25 response called-address, x25 ignore called-address, and x25 ignore calling-address.

Example
Specify that the call receiving packet of a call sent from the X.25 interface Serial0/0/0 carries the calling DTE address.

[3Com-Serial0/0/0] x25 response calling-address

x25 reverse-charge-accept

Syntax
x25 reverse-charge-accept
undo x25 reverse-charge-accept

View
Interface view

Parameter
None

Description
Using the x25 reverse-charge-accept command, you can enable this interface to accept calls carrying the “reverse charging request” information added by certain user facilities. Using the undo x25 reverse-charge-accept command, you can disable this function. By default, this function is disabled.

This function does not affect any call without “reverse charging request”. If you enable this function on an X.25 interface, all such calls that reach the interface will be accepted. If you enable this function for a certain address mapping by the option reverse-charge-accept in the command x25 map, only such calls that reach the interface and map this address will be accepted, while other calls (carrying reverse charging request, and not mapping this address) will be cleared.

For the related command, see x25 map.

Example
Set the “accepting calls with reverse charging request” function on interface Serial0/0/0.

[3Com-Serial0/0/0] x25 reverse-charge-accept

x25 roa-list

Syntax
x25 roa-list roa-name roa-id1 [ , id2, id3.... ]
undo x25 roa-list roa-name id1 [ , id2, id3.... ]

View
System view

Parameter
roa-name: Name of ROA.
id: ID specified for this ROA, and its value ranges from 0 to 9999. You can specify multiple IDs for the ROA.

Description
Using the x25 roa-list command, you can define ROA list. Using the undo x25 roa-list command, you can delete ROA list items. By default, no ROA list is defined.

You can configure multiple (0 to 20) ROAs, and each ROA can be specified with multiple (1 to 10) IDs. After configuring an ROA, you can cite it by its name in the commands x25 call-facility or x25 map.

For the related commands, see x25 call-facility and x25 map.

Example
Define two ROA lists, and cite them on the interfaces Serial 0/0/0 and Serial 1/0/0.

[3Com] x25 roa-list list1 11 23 45
[3Com] x25 roa-list list2 345
[3Com] interface serial 0/0/0
[3Com-Serial0/0/0] x25 call-facility roa-list list1
[3Com] interface serial 1/0/0
[3Com-Serial1/0/0] x25 call-facility roa-list list2

x25 switch pvc

Syntax
x25 switch pvc pvc-number1 interface serial number pvc pvc-number2 [ option ]
undo x25 switch pvc pvc-number1

View
Interface view

Parameter
pvc-number1: PVC number on the input interface, and its value ranges from 1 to 4095.
pvc-number2: PVC number on the output interface, and its value ranges from 1 to 4095.
number: Number of the input interface.
option: Attribute of PVC.

Description
Using the x25 switch pvc (packet switching) command, you can configure one PVC route. Using the undo x25 switch pvc command, you can delete one PVC route. By default, no PVC route is defined.

Based on the X.25 switching configuration, you can use the 3Com series routers as a simple X.25 switch. When PVC switching is configured, the link layer protocols on the input and output interfaces must be X.25. Moreover, the specified PVCs on the two interfaces must exist and be enabled. Note that PVC switching cannot be configured on the X.25 sub-interface.

Detailed explanations of PVC options are as follows:

broadcast: Forwards broadcast packet to the peer PVC.
encapsulation-type: Encapsulation type, which may be nonstandard, ietf, multi-protocol and snap.
packet-size input-packet output-packet: Specifies the maximum receiving packet length and maximum sending packet length. The length is counted in bytes, must range from 16 to 4096 (including 16 and 4096), and must be the integer power of 2.
window-size input-window-size output-window-size: Specifies the input window and output window sizes of the VC, which range between 1 and the number that is 1 less than the modulus of the X.25 interface where the address mapping exists (including 1 and modulus minus 1).

For the related commands, see display x25 vc and x25 switching.

Example
Perform the packet switching between PVC1 on the Serial0/0/0 and PVC1 on the Serial1/0/0.

[3Com-Serial0/0/0] link-protocol x25 dce ietf
[3Com-Serial0/0/0] interface serial1/0/0
[3Com-Serial1/0/0] link-protocol x25 dce ietf
[3Com-Serial1/0/0] x25 switch pvc 1 interface serial 0/0/0 pvc 1

x25 switch svc hunt-group

Syntax
x25 switch svc x.121-address [ sub-dest destination-address ] [ sub-source source-address ] hunt-group hunt-group-name
undo x25 switch svc x.121-address [ sub-dest destination-address ] [ sub-source source-address ] hunt-group hunt-group-name

View
System view

Parameter
x.121-address: Destination address of X.121. This parameter consists of mode matching string, and its length ranges from 1 to 15 characters. For the specific description of mode matching, see the segment Description.
sub-dest destination-address: Substitution destination address.
sub-source source-address: Substitution source address.
hunt-group-name: Name of hunt group.

Description
Using the x25 switch svc hunt-group command, you can add an X.25 switching route whose forwarding address is a hunt group. Using the undo x25 switch svc hunt-group command, you can delete the specified X.25 switching route. By default, no X.25 switching route is configured.

After the X.25 switching route whose forwarding address is a hunt group is configured, the relevant X.25 call request packet will be forwarded to different interfaces or XOT channels in the specified hunt group, so as to implement the load sharing under X.25 protocol.

Table 22 X.121 mode matching rules

Wildcard characters   Matching rules                                     Example   Matchable character string
*                     Matching zero or more previous characters          fo*       fo, foo, fooo
+                     Matching zero or more previous characters          fo+       fo, foo, fooo
^                     Matching the beginning of the entered characters   ^hell     hell, hello, hellaaa
$                     Matching the end of the entered characters         ar$       ar, car, hear
\char                 Matching a single character specified by char.     b\+       b+
.                     Matching arbitrary single character                l.st      last, lbst, lost
.*                    Matching arbitrary zero or more characters.        fo.*      fo, foo, fot
.+                    Matching arbitrary one or more characters.         fo.+      foo, fot, foot

Table 23 Input rules of X.121 address mode matching string

Characters   Input rules
*            Cannot be placed at the beginning of character string. Cannot be placed after the symbol ^. Cannot be placed before and after the symbols + and *.
+            Cannot be placed at the beginning of character string. Cannot be placed after the symbol ^. Cannot be placed before and after the symbols + and *.
\            Cannot be placed at the end of character string.
^            Cannot be placed before the symbols + and *.

For the related commands, see display x25 switch-table svc.

Example
Add an X.25 switching route, whose destination address is 8888 and forwarding address is the hunt group hg1, and substitute the destination address with 9999.

[3Com] x25 switch svc 111 sub-dest 9999 sub-source 8888 hunt-group hg1

x25 switch svc xot

Syntax
x25 switch svc x.121-address [ sub-dest destination-address ] [ sub-source source-address ] xot ip-address1 [ ip-address2 ] … [ ip-address6 ] [ xot-option ]
undo x25 switch svc x.121-address [ sub-dest destination-address ] [ sub-source source-address ] [ xot ip-address1 [ ip-address2 ] … [ ip-address6 ] ]

View
System view

Parameter
x.121-address: Destination address of X.121. This parameter consists of mode matching string, and its length ranges from 1 to 15 characters. For the specific description of mode matching, see Table 10-4 and Table 10-5.
sub-dest destination-address: Substitution destination address.
sub-source source-address: Substitution source address.
ip-address1 - ip-address6: Destination IP address of XOT connection, up to 6 addresses can be configured.
xot-option: XOT channel parameter option. For the specific configuration, see XOT channel parameter option.

Description
Using the x25 switch svc xot command, you can add an X.25 switching route whose forwarding address is XOT channel. Using the undo x25 switch svc xot command, you can delete the specified X.25 switching route. By default, no X.25 switching route is configured.

After configuring the XOT switching command of X.25 SVC, a user can cross IP network from the local X.25 network to implement the interconnection with the remote X.25 network. If a user configures the keepalive attribute, the link detection for XOT will be supported.

Table 24 XOT channel parameter option

Option                                 Explanation
timer seconds                          Keepalive timer delay of XOT connection. The timer sends the keepalive packet upon timeout to detect the connection availability. Its value ranges from 1 to 3600.
retry times                            Number of maximum retries of sending keepalive. If the number exceeds times, the XOT connection will be disconnected. Its value ranges from 3 to 3600.
source interface-type interface-name   Interface name of initiating XOT connection

For the related commands, see x25 switch svc interface, display x25 switch-table svc, and x25 switching.

Example
Switch SVC 1 to the destination address 10.1.1.1.

[3Com] x25 switch svc 1 xot 10.1.1.1

x25 switching

Syntax
x25 switching
undo x25 switching

View
System view

Parameter
None

Description
Using the x25 switching command, you can enable the X.25 switching function. Using the undo x25 switching command, you can disable this function, which will not affect the established VC switching function. By default, X.25 packet switching function is disabled.

X.25 packet switching is used to accept packets from an X.25 interface and send them to a certain interface based on the destination information contained in the packets. The Router can be used as a small-sized packet switch by the packet layer switching function.

For the related commands, see x25 pvc, x25 switch pvc, x25 xot pvc, x25 fr pvc, x25 switch svc, display x25 vc, and display x25 switch-table svc.

Example
Enable X.25 switching function.

[3Com] x25 switching

x25 timer hold

Syntax
x25 timer hold minutes
undo x25 timer hold

View
Interface view

Parameter
minutes: Value of delay time in minutes, and its value ranges from 0 to 1000. If the previous call to a destination failed, X.25 will not send calls to that destination again within the time set by this command. By default, the delay time is 0.

Description
Using the x25 timer hold command, you can set the delay to send calls to a destination with failed calls. Using the undo x25 timer hold command, you can restore its default value.

Frequently sending call requests to a wrong destination (which does not exist or is faulty) will deteriorate the operating efficiency of the 3Com series router. The use of this function can avoid this problem to a certain extent. Setting this parameter to 0 disables the function. In addition, this function is only effective for locally originated calls. That is to say, this parameter is meaningless when X.25 operates in the switching mode.

For the related command, see display interface.

Example
Set the delay time on the X.25 interface Serial0/0/0 to 5 minutes.

[3Com-Serial0/0/0] x25 timer hold 5

x25 timer idle

Syntax
x25 timer idle minutes
undo x25 timer idle

View
Interface view

Parameter
minutes: Maximum idle time of SVC in minutes, and its value ranges from 0 to 255. By default, this value is 0.

Description
Using the x25 timer idle command, you can set the maximum idle time of the SVC on the interface. Using the undo x25 timer idle command, you can restore its default value.

When an SVC stays idle (no data transmission) for a period (the period length is decided by the parameter), the router will clear this SVC automatically. If this parameter is set to 0, the SVC will be reserved no matter how long it stays idle.

The configuration of this parameter affects all the SVCs on this X.25 interface. Users can also set the maximum idle time for an SVC attached to an address mapping through the option in the command x25 map. This command has no effect on PVCs or on SVCs established for X.25 switching.

For the related command, see x25 map.

Example
Set the maximum idle time of the SVC on the interface Serial 0/0/0 to 10 minutes.

[3Com-Serial0/0/0] x25 timer idle 10

x25 timer tx0

Syntax
x25 timer tx0 seconds
undo x25 timer tx0

View
Interface view

Parameter
seconds: Delay time for the X.25 restarting timer in seconds. It ranges from 0 to 1000. By default, the delay on the X.25 DTE restarting timer is 180 seconds and that on the DCE timer is 60 seconds.

Description
Using the x25 timer tx0 command, you can set the restart/retransmission timer delay for DTE (or DCE). Using the undo x25 timer tx0 command, you can restore their default values.

According to X.25, a timer should be started when a DTE sends a restart request (or a DCE sends a restart indication). If no peer acknowledgement is received before this timer expires, the sending end will take some measures to guarantee the normal proceeding of the local procedure. This parameter specifies the delay time of this timer before the timeout.

For the related commands, see x25 timer tx1, x25 timer tx2, and x25 timer tx3.

Example
Set the restarting timer delay on the X.25 interface Serial0/0/0 to 120 seconds.

[3Com-Serial0/0/0] x25 timer tx0 120

x25 timer tx1

Syntax
x25 timer tx1 seconds
undo x25 timer tx1

View
Interface view

Parameter
seconds: Delay time of calling request (indication) transmission timer in seconds, and its value ranges from 0 to 1000. By default, the delay time on a DTE call timer is 200 seconds; that on a DCE call sending timer is 180 seconds.

Description
Using the x25 timer tx1 command, you can set calling request (indication) transmission timer delay for DTE (or DCE). Using the undo x25 timer tx1 command, you can restore its default value.

According to X.25, a timer should be started when a DTE sends a call request (or a DCE sends a call indication). If no peer acknowledgement is received before this timer expires, the sending end will take some measures to guarantee the normal proceeding of the local procedure. This parameter specifies the delay time of this timer before the timeout.

For the related commands, see x25 timer tx0, x25 timer tx2, and x25 timer tx3.

Example
Set the timer delay on the X.25 interface Serial0/0/0 to 100 seconds.

[3Com-Serial0/0/0] x25 timer tx1 100

x25 timer tx2

Syntax
x25 timer tx2 seconds
undo x25 timer tx2

View
Interface view

Parameter
seconds: Delay time of the reset request (indication) timer in seconds. The value ranges from 0 to 1000. By default, the delay of the reset timer is 180 seconds on a DTE and 60 seconds on a DCE.

Description
Using the x25 timer tx2 command, you can set the reset request (indication) transmission timer delay for DTE (or DCE). Using the undo x25 timer tx2 command, you can restore its default value.
According to X.25, a timer is started when a DTE sends a reset request (or a DCE sends a reset indication). If no acknowledgement has been received from the peer when this timer expires, the sending end takes measures to ensure that the local procedure proceeds normally. This parameter specifies how long the timer runs before it expires.
For the related commands, see x25 timer tx0, x25 timer tx1, and x25 timer tx3.

Example
Set the reset timer delay on the X.25 interface Serial0/0/0 to 120 seconds.
[3Com-Serial0/0/0] x25 timer tx2 120

x25 timer tx3

Syntax
x25 timer tx3 seconds
undo x25 timer tx3

View
Interface view

Parameter
seconds: Delay time of the clear request (indication) transmission timer in seconds. The value ranges from 0 to 1000. By default, the delay of the clearing timer is 180 seconds on a DTE and 60 seconds on a DCE.

Description
Using the x25 timer tx3 command, you can set the clear request (indication) transmission timer delay for DTE (or DCE). Using the undo x25 timer tx3 command, you can restore its default value.
According to X.25, a timer is started when a DTE sends a clear request (or a DCE sends a clear indication). If no acknowledgement has been received from the peer when this timer expires, the sending end takes measures to ensure that the local procedure proceeds normally. This parameter specifies how long the timer runs before it expires.
For the related commands, see x25 timer tx0, x25 timer tx1, and x25 timer tx2.

Example
Set the delay time of the clearing timer on the X.25 interface Serial0/0/0 to 100 seconds.
[3Com-Serial0/0/0] x25 timer tx3 100

x25 vc-per-map

Syntax
x25 vc-per-map count
undo x25 vc-per-map

View
Interface view

Parameter
count: Maximum number of VCs. The value ranges from 1 to 8. By default, its value is 1.

Description
Using the x25 vc-per-map command, you can set the maximum number of VCs for connections with the same destination device. Using the undo x25 vc-per-map command, you can restore the default value.
If the parameter is greater than 1, and both the sending window and the sending queue of a VC are full, the system creates a new VC to the same destination. If the new VC cannot be created, the datagram is discarded.
For the related commands, see display interface and x25 map.

Example
Set the maximum number of VCs on the X.25 interface Serial 0/0/0 to 3.
[3Com-Serial0/0/0] x25 vc-per-map 3

x25 vc-range

Syntax
x25 vc-range [ in-channel lic hic ] [ bi-channel ltc htc ] [ out-channel loc hoc ]
undo x25 vc-range

View
Interface view

Parameter
ltc htc: Lowest and highest two-way channels of X.25 VC. The values range from 0 to 4095. If htc (highest two-way channel) is set to 0, ltc (lowest two-way channel) must also be set to 0, which indicates that the two-way channel section is disabled. By default, the htc of X.25 VC is 1024.
lic hic: Lowest and highest incoming-only channels of X.25 VC. The values range from 0 to 4095. If hic (highest incoming-only channel) is set to 0, lic (lowest incoming-only channel) must also be set to 0, which indicates that the incoming-only channel section is disabled. By default, the hic in the X.25 VC range is 0.
loc hoc: Lowest and highest outgoing-only channels of X.25 VC. The values range from 0 to 4095. If hoc (highest outgoing-only channel) is set to 0, loc (lowest outgoing-only channel) must also be set to 0, which indicates that the outgoing-only channel section is disabled. By default, the hoc in the X.25 VC range is 0.

Description
Using the x25 vc-range command, you can set the highest and lowest values of the X.25 VC range. Using the undo x25 vc-range command, you can restore the default values.
By default, VRP X.25 disables the incoming-only channel range and the outgoing-only channel range, and only the two-way channel range (1-1024) is reserved for use.
Set the VC range correctly according to the requirements of the ISP.

Example
Configure the link layer protocol on the interface Serial 0/0/0 to X.25, enable the incoming-only channel section and the two-way channel section, and disable the outgoing-only channel section. After the commands are executed, the three sections are [1, 7], [8, 1024] and [0, 0], respectively.
[3Com] interface serial 0/0/0
[3Com-Serial0/0/0] link-protocol x25
[3Com-Serial0/0/0] x25 vc-range in-channel 1 7 bi-channel 8 1024
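The range rules in the parameter list can be checked before a command is pushed to a device. The following Python sketch is an added example, not 3Com code; the function names are hypothetical, and the requirement that enabled sections ascend without overlapping (incoming-only, then two-way, then outgoing-only) is taken from the X.25 logical channel convention, which this page shows only through its example.

```python
MAX_CHANNEL = 4095  # upper bound given in the parameter description

# Command keyword -> section name, in ascending channel order.
SECTIONS = {
    "in-channel": "incoming-only",
    "bi-channel": "two-way",
    "out-channel": "outgoing-only",
}


def parse_vc_range(command):
    """Parse an 'x25 vc-range ...' line into {section name: (lowest, highest)}.

    Only the sections named in the command are returned; what the router
    does with omitted sections is not modelled here.
    """
    tokens = command.split()
    if tokens[:2] != ["x25", "vc-range"] or (len(tokens) - 2) % 3 != 0:
        raise ValueError(f"malformed command: {command!r}")
    ranges = {}
    for i in range(2, len(tokens), 3):
        keyword, low, high = tokens[i:i + 3]
        if keyword not in SECTIONS or SECTIONS[keyword] in ranges:
            raise ValueError(f"unexpected keyword: {keyword!r}")
        ranges[SECTIONS[keyword]] = (int(low), int(high))
    return ranges


def validate_vc_ranges(ranges):
    """Return a list of problems; an empty list means the ranges are acceptable."""
    problems = []
    enabled = []
    for name in SECTIONS.values():
        if name not in ranges:
            continue
        low, high = ranges[name]
        if not (0 <= low <= MAX_CHANNEL and 0 <= high <= MAX_CHANNEL):
            problems.append(f"{name}: values must be within 0-{MAX_CHANNEL}")
        elif high == 0 and low != 0:
            # Rule from the page: a highest channel of 0 disables the section,
            # and the lowest channel must then be 0 as well.
            problems.append(f"{name}: highest channel is 0, so lowest must also be 0")
        elif low > high:
            problems.append(f"{name}: lowest channel {low} exceeds highest {high}")
        elif high != 0:
            enabled.append((name, low, high))
    # Assumption (X.25 convention): enabled sections must not overlap and must ascend.
    for (a, _, a_high), (b, b_low, _) in zip(enabled, enabled[1:]):
        if a_high >= b_low:
            problems.append(
                f"{a} section ends at {a_high}, but {b} section starts at {b_low}"
            )
    return problems


if __name__ == "__main__":
    # The first line is the example from this page; the others are constructed.
    for line in (
        "x25 vc-range in-channel 1 7 bi-channel 8 1024",
        "x25 vc-range in-channel 1 16 bi-channel 8 1024",
        "x25 vc-range bi-channel 5 0",
    ):
        print(line, "->", validate_vc_ranges(parse_vc_range(line)) or "ok")
```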

x25 window-size

Syntax
x25 window-size input-window-size output-window-size
undo x25 window-size

View
Interface view

Parameter
input-window-size: Size of the input window. When the X.25 window modulus is 8, its value ranges from 1 to 7. When the X.25 window modulus is 128, its value ranges from 1 to 127. By default, its value is 2.
output-window-size: Size of the output window. When the X.25 window modulus is 8, its value ranges from 1 to 7. When the X.25 window modulus is 128, its value ranges from 1 to 127. By default, its value is 2.

Description
Using the x25 window-size command, you can set the sizes of the input and output windows on the X.25 interface. Using the undo x25 window-size command, you can restore the default values.
The in-packets parameter determines the maximum number of correctly received packets before X.25 sends the acknowledgement information. As long as the bandwidth allows, the greater the window size, the higher the transmission efficiency.
The out-packets parameter determines the maximum number of data packets sent by X.25 before it receives the correct acknowledgement information. As long as the bandwidth allows, the greater the window size, the higher the transmission efficiency.
Consult your ISP about the sending and receiving window sizes. Unless supported by the network, do not set these two parameters to different values.
For the related commands, see display interface, x25 map, x25 pvc, x25 switch pvc, x25 xot pvc, x25 fr pvc, and x25 receive-threshold.

Example
Set the receiving and sending window sizes on the X.25 interface Serial0/0/0 to 5.
[3Com-Serial0/0/0] x25 window-size 5 5

x25 x121-address

Syntax
x25 x121-address x.121-address
undo x25 x121-address

View
Interface view

Parameter
x.121-address: X.121 address of an interface. It is a numeric string of 1 to 15 bytes.

Description
Using the x25 x121-address command, you can set the X.121 address of an X.25 interface. Using the undo x25 x121-address command, you can delete the address.
If the router is connected to an X.25 public packet network, the ISP must assign a valid X.121 address to it. If two routers are simply connected back to back, you can specify any valid X.121 address. If you only want the router to work in switching mode, the X.121 address need not be configured.
When you reconfigure an X.121 address for an X.25 interface, you need not delete the original X.121 address, because the new address overwrites the old one.
After an X.25 interface is re-configured, the original X.121 address is deleted, so the X.121 address must be configured again for the interface to work properly.
Note: For the format of the X.121 address and the dynamic conversion between IP address and X.121 address, refer to ITU-T Recommendation X.121 and the relevant RFC document.
For the related command, see display interface.

Example
Configure the link layer protocol on the interface Serial 0/0/0 as X.25, and the X.121 address as 20112451.
[3Com] interface serial 0/0/0
[3Com-Serial0/0/0] link-protocol x25
[3Com-Serial0/0/0] x25 x121-address 20112451

x25 xot pvc

Syntax
x25 xot pvc pvc-number1 ip-address interface type number pvc pvc-number2 [ xot-option ] [ packet-size input-packet output-packet window-size input-window-size output-window-size ]
undo x25 pvc pvc-number1

View
Interface view

Parameter
pvc-number1: Number of the PVC on the local interface. The value ranges from 1 to 4095.
pvc-number2: Number of the PVC on the peer interface. The value ranges from 1 to 4095.
ip-address: IP address of the peer destination for the XOT connection.
interface type number: Type and number of the interface. The interface type can only be Serial.
xot-option: Option of XOT channel parameter. For the specific configuration, see XOT channel parameter option.
packet-size input-packet output-packet: Specifies the maximum receiving packet length and the maximum sending packet length. The length is counted in bytes, must range from 16 to 4096 (including 16 and 4096), and must be an integer power of 2.
window-size input-window-size output-window-size: Specifies the receiving window and sending window sizes of the VC. They range between 1 and the number that is 1 less than the modulus of the X.25 interface where the address mapping exists (including 1 and modulus minus 1).

Description
Using the x25 xot pvc command, you can add a PVC route of XOT. Using the undo x25 pvc command, you can delete the specified PVC route of XOT. By default, no PVC route is configured.
After the XOT switching command of an X.25 PVC is configured, traffic from the local X.25 network can cross an IP network to interconnect with the remote X.25 network. If the keepalive attribute is configured, link detection for XOT is supported.
For the related commands, see display x25 vc and x25 switching.

Example
Connect PVC1 on the interface Serial0/0/0 (10.1.1.1) of Router RTA with PVC2 on the interface Serial1/0/0 (10.1.1.2) of Router RTB via an XOT tunnel, and then perform packet switching.
Perform the configurations on the Router RTA.
[3Com-Serial0/0/0] ip address 10.1.1.1 255.255.255.0
[3Com-Serial0/0/0] link-protocol x25 dce ietf
[3Com-Serial0/0/0] x25 xot pvc 1 10.1.1.2 interface serial 1/0/0 pvc 2

Perform the configurations on the Router RTB.
[3Com-Serial1/0/0] ip address 10.1.1.2 255.255.255.0
[3Com-Serial1/0/0] link-protocol x25 dce ietf
[3Com-Serial1/0/0] x25 xot pvc 2 10.1.1.1 interface serial 0/0/0 pvc 1

x29 timer inviteclear-time

Syntax
x29 timer inviteclear-time seconds

View
System view

Parameter
seconds: Delay time in seconds. The value ranges from 5 to 2147483. This is the delay of waiting for a response after inviting the PAD clear procedure. Its default value is 5.

Description
Using the x29 timer inviteclear-time command, you can set the delay of waiting for a response after inviting the PAD clear procedure. When this time is exceeded, the system forcibly exits from the PAD connection and starts the X.25 clear procedure.

Example
Set the parameter of X.29 to 10 seconds.
[3Com] x29 timer inviteclear-time 10

5 NETWORK PROTOCOL

IP Address Configuration Commands

display ip interface

Syntax
display ip interface { interface-type interface-number | interface-name }

View
Any view

Parameter
interface-type: Interface type.
interface-number: Interface sequence number.
interface-name: Interface name.

Description
Using the display ip interface command, you can display the running condition of all the interfaces.

Example
<3Com> display ip interface Ethernet6/0/0
Ethernet6/0/0 current state : UP
Line protocol current state : UP
Internet Address : 5.5.5.5/8
Broadcast address : 0.0.0.0
The Maximum Transmit Unit : 1500 bytes
input packets : 1231, bytes : 57557, multicasts : 1177
output packets : 0, bytes : 0, multicasts : 0

The following information is displayed: the current physical link state of Ethernet 6/0/0 is UP, the link layer protocol is UP, the IP address is 5.5.5.5, the broadcast address is 0.0.0.0, the maximum transmit unit is 1500 bytes, and some other information about packets received and sent via this interface.

ip address

Syntax
ip address ip-address net-mask [ sub ]
undo ip address [ ip-address net-mask [ sub ] ]

View
Interface view

Parameter
ip-address: Interface IP address, in dotted decimal format.
net-mask: The mask of the corresponding subnet, in dotted decimal format.
sub: Configures the address as a slave IP address, which is used to enable communication among different subnets.

Description
Using the ip address command, you can set an IP address for an interface. Using the undo ip address command, you can delete an IP address of the interface. By default, no IP address is configured.
IP addresses are classified into five types, and you can select a proper IP subnet according to actual conditions. An address whose host part is all 0s or all 1s has a special use and cannot be used as an ordinary IP address.
The mask identifies the network number in an IP address.
Under normal conditions, one interface only needs to be configured with one IP address. However, to enable one interface of a router to connect to several subnets, the interface can be configured with several IP addresses. Among them, one is the master IP address, and the others are slave IP addresses. The relationship between the master and slave IP addresses is as follows:
If a master IP address is configured while a master IP address already exists, the original one is deleted and the newly configured one takes effect.
The command undo ip address without parameters deletes all the IP addresses of the interface. The command undo ip address ip-address net-mask deletes the master IP address, and undo ip address ip-address net-mask sub deletes the slave address. All the slave addresses must be deleted before the master IP address can be deleted.
In addition, no two IP addresses configured on the interfaces of a router can be located in the same subnet.
For the related commands, see ip route-static, display ip interface, and display interface.

Example
Configure the interface Serial 0/0/0 with the master IP address 129.102.0.1 and the slave IP address 202.38.160.1, both with the subnet mask 255.255.255.0.
[3Com-Serial0/0/0] ip address 129.102.0.1 255.255.255.0
[3Com-Serial0/0/0] ip address 202.38.160.1 255.255.255.0 sub
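The master/slave rules in the description are easy to get wrong when an addressing plan is prepared offline. The following Python model is an added example, not 3Com code: the class and function names are hypothetical, and it assumes that the master address being replaced on an interface is not counted in the same-subnet check.

```python
import ipaddress


class AddressError(ValueError):
    """Raised when a command would break one of the addressing rules."""


class Router:
    def __init__(self):
        # interface name -> {"master": IPv4Interface or None, "subs": [IPv4Interface]}
        self.interfaces = {}

    def _slot(self, ifname):
        return self.interfaces.setdefault(ifname, {"master": None, "subs": []})

    def _all_addresses(self):
        for ifname, slot in self.interfaces.items():
            if slot["master"] is not None:
                yield ifname, "master", slot["master"]
            for sub in slot["subs"]:
                yield ifname, "sub", sub

    def ip_address(self, ifname, ip, mask, sub=False):
        addr = ipaddress.IPv4Interface(f"{ip}/{mask}")
        net = addr.network
        # A host part of all 0s or all 1s cannot be used as an ordinary address.
        if addr.ip in (net.network_address, net.broadcast_address):
            raise AddressError(f"{ip} has an all-0 or all-1 host part for mask {mask}")
        slot = self._slot(ifname)
        for other_if, role, other in self._all_addresses():
            # Assumption: the master that this command replaces is not counted.
            if not sub and other_if == ifname and role == "master":
                continue
            # No two addresses on the router may be in the same subnet.
            if net.overlaps(other.network):
                raise AddressError(f"{addr} is in the same subnet as {other} on {other_if}")
        if sub:
            slot["subs"].append(addr)
        else:
            slot["master"] = addr  # a new master replaces the existing one
        return addr

    def undo_ip_address(self, ifname, ip=None, mask=None, sub=False):
        slot = self._slot(ifname)
        if ip is None:  # no parameters: delete every address on the interface
            slot["master"], slot["subs"] = None, []
            return
        addr = ipaddress.IPv4Interface(f"{ip}/{mask}")
        if sub:
            if addr not in slot["subs"]:
                raise AddressError(f"{addr} is not a slave address of {ifname}")
            slot["subs"].remove(addr)
        else:
            if slot["master"] != addr:
                raise AddressError(f"{addr} is not the master address of {ifname}")
            if slot["subs"]:
                raise AddressError("delete all slave addresses before the master")
            slot["master"] = None


def apply_line(router, ifname, line):
    """Apply one 'ip address ...' or 'undo ip address ...' line to an interface."""
    tokens = line.split()
    undo = tokens[:1] == ["undo"]
    start = 1 if undo else 0
    if tokens[start:start + 2] != ["ip", "address"]:
        raise ValueError(f"not an ip address command: {line!r}")
    args = tokens[start + 2:]
    sub = bool(args) and args[-1] == "sub"
    if sub:
        args = args[:-1]
    if len(args) not in ((0, 2) if undo else (2,)):
        raise ValueError(f"wrong number of arguments: {line!r}")
    if undo:
        return router.undo_ip_address(ifname, *args, sub=sub)
    return router.ip_address(ifname, *args, sub=sub)


if __name__ == "__main__":
    r = Router()
    # The first two lines are the example from this page; the third is constructed.
    apply_line(r, "Serial0/0/0", "ip address 129.102.0.1 255.255.255.0")
    apply_line(r, "Serial0/0/0", "ip address 202.38.160.1 255.255.255.0 sub")
    try:
        apply_line(r, "Ethernet0/0/0", "ip address 129.102.0.2 255.255.255.0")
    except AddressError as exc:
        print("rejected:", exc)
```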

ip address ppp-negotiate

Syntax
ip address ppp-negotiate
undo ip address ppp-negotiate

View
Interface view

Parameter
None

Description
Using the ip address ppp-negotiate command, you can allow the IP address of the interface to be assigned through negotiation. Using the undo ip address ppp-negotiate command, you can disable this function. By default, interface IP address negotiation is not allowed.
Because it is PPP that supports IP address negotiation, IP address negotiation can be configured on an interface only when the interface is encapsulated with the link-layer protocol PPP. Normally, it is not necessary to configure IP address negotiation. Only in some special circumstances, such as accessing the Internet through an ISP, is the IP address of the interface connected to the ISP allocated by the ISP through negotiation.
When IP address negotiation is configured for the interface, it is not necessary to configure the IP address manually for this interface.

Example
Set the IP address of interface Serial 0/0/0 to be allocated by the peer through negotiation.
[3Com-Serial0/0/0] ip address ppp-negotiate

ip address unnumbered

Syntax
ip address unnumbered { interface interface-type interface-number | interface-name }
undo ip address unnumbered

View
Interface view

Parameter
interface-type: Name of the unnumbered interface.
interface-number: Serial number of the unnumbered interface.
interface-name: Interface name of the unnumbered interface.

Description
Using the ip address unnumbered command, you can enable an interface to borrow the IP address of another interface. Using the undo ip address unnumbered command, you can disable this function on the interface. By default, an interface does not borrow IP addresses from other interfaces.
This command is used to enable serial interfaces encapsulated with PPP, HDLC, Frame Relay, SLIP and Tunnel to borrow the IP addresses from the Ethernet interface or other interfaces.

Example
Make the serial interface 0/0/0 encapsulated with PPP borrow the unnumbered IP address from Ethernet interface 0/0/0.
[3Com-Serial0/0/0] ip address unnumbered Ethernet 0/0/0

remote address

Syntax
remote address { ip-address | pool [ pool-number ] }
undo remote address

View
Interface view

Parameter
ip-address: IP address.
pool-number: Address pool number, i.e., one address from the pool identified by pool-number is assigned to the peer interface. It is a number ranging from 0 to 99, with a default value of 0.

Description
Using the remote address command, you can configure the interface to assign an IP address to the peer interface. Using the undo remote address command, you can disable the IP address assignment for the peer interface. By default, the interface does not assign an address to the peer interface.
When an interface is encapsulated with PPP but not configured with an IP address, perform the following task to configure the negotiable attribute of the IP address for this interface (configure the ip address ppp-negotiate command on the local router and the remote address command on the peer router), so that the local interface can accept the IP address originated from PPP negotiation. This IP address is assigned by the opposite end. This configuration is mainly used to obtain an IP address assigned by the ISP when accessing the Internet via the ISP.
For the related command, see ip address ppp-negotiate.

Example
The serial interface encapsulated with PPP assigns the IP address 10.0.0.1 to the peer.
[3Com-Serial0/0/0] remote address 10.0.0.1

ARP Configuration Commands
arp static

Syntax
arp static ip-address ethernet-address [ vpn-instance-name ]
undo arp ip-address [ vpn-instance-name ]

View
System view

Parameter
ip-address: IP address of the ARP mapping entry, in dotted decimal format.
ethernet-address: Ethernet MAC address of the ARP mapping entry. Its format is H-H-H, in which H is a hexadecimal number with 1 to 4 bits.
vpn-instance-name: The name of the VPN instance.

Description
Using the arp static command, you can configure the ARP mapping table. Using the undo arp command, you can delete the mapping items corresponding to specified addresses in the ARP mapping table. By default, the ARP mapping table of the system is empty and address mappings are obtained through dynamic ARP.
Normally, the ARP mapping table is maintained by dynamic ARP; manual configuration is needed only in special circumstances. Besides, the ARP mapping table is used for LAN only. WAN address resolution is accomplished in a different way, for instance through the inverse address resolution of frame relay.
For the related commands, see arp static and display arp.

Example
Configure the Ethernet MAC address e0-fc01-0 corresponding to the IP address 129.102.0.1.
[3Com] arp static 129.102.0.1 e0-fc01-0

Configure the Ethernet MAC address aa-fcc-12 corresponding to the IP address 11.0.0.1.
[3Com] arp static 11.0.0.1 aa-fcc-12

arp check enable

Syntax
arp check enable
undo arp check enable

View
System view

Parameter
None

Description
Using the arp check enable command, you can enable ARP entry check so that the device does not learn ARP entries with broadcast MAC addresses. Using the undo arp check enable command, you can disable ARP entry check so that the system learns ARP entries with broadcast MAC addresses.
By default, ARP entry check is enabled. The device does not learn ARP entries with broadcast MAC addresses.

Example
Enable ARP entry check.
[Router] arp check enable
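The H-H-H notation accepted by arp static and the effect of arp check enable can be modelled together. The following Python sketch is an added example, not 3Com code: the names are hypothetical, it reads the "1 to 4 bits" of the parameter description as 1 to 4 hexadecimal digits per group (which is how display arp prints e0-fc01-0 on this page), and it assumes that a static entry is not overwritten by dynamic learning.

```python
import ipaddress
import re

_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")
BROADCAST = "ffff-ffff-ffff"


def normalize_mac(text):
    """Expand abbreviated H-H-H notation to the full 4-digit-per-group form."""
    groups = text.split("-")
    if len(groups) != 3 or not all(_GROUP.match(g) for g in groups):
        raise ValueError(f"not an H-H-H MAC address: {text!r}")
    return "-".join(g.lower().zfill(4) for g in groups)


class ArpTable:
    def __init__(self, arp_check=True):
        # The page states that ARP entry check is enabled by default.
        self.arp_check = arp_check
        self.entries = {}  # ip -> (mac, "static" or "dynamic")

    def add_static(self, ip, mac):
        key = str(ipaddress.IPv4Address(ip))
        self.entries[key] = (normalize_mac(mac), "static")

    def learn(self, ip, mac):
        """Model dynamic learning; return True if the entry was installed."""
        key = str(ipaddress.IPv4Address(ip))
        mac = normalize_mac(mac)
        if self.arp_check and mac == BROADCAST:
            return False  # arp check enable: broadcast MACs are not learned
        if self.entries.get(key, (None, None))[1] == "static":
            return False  # assumption: static entries are not overwritten
        self.entries[key] = (mac, "dynamic")
        return True


def replay_config(lines):
    """Apply ARP configuration lines; return (table, list of error strings)."""
    table, errors = ArpTable(), []
    for number, line in enumerate(lines, 1):
        tokens = line.split()
        if tokens == ["arp", "check", "enable"]:
            table.arp_check = True
        elif tokens == ["undo", "arp", "check", "enable"]:
            table.arp_check = False
        elif tokens[:2] == ["arp", "static"] and len(tokens) in (4, 5):
            try:
                table.add_static(tokens[2], tokens[3])
            except ValueError as exc:
                errors.append(f"line {number}: {exc}")
        else:
            errors.append(f"line {number}: unrecognised command {line!r}")
    return table, errors


# The first two lines are the examples from this page; the third is constructed
# to show a malformed address being reported.
SAMPLE_CONFIG = [
    "arp static 129.102.0.1 e0-fc01-0",
    "arp static 11.0.0.1 aa-fcc-12",
    "arp static 10.0.0.9 12345-0-0",
]

if __name__ == "__main__":
    table, errors = replay_config(SAMPLE_CONFIG)
    for ip, (mac, kind) in table.entries.items():
        print(ip, mac, kind)
    print(errors)
    print("broadcast learned:", table.learn("10.1.1.1", "ffff-ffff-ffff"))
```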

debugging arp packet

Syntax
debugging arp packet
undo debugging arp packet

View
User view

Parameter
None

Description
Using the debugging arp packet command, you can enable ARP packets debugging; and using the undo debugging arp packet command, you can disable the function.

Example
Enable ARP packets debugging.
<3Com> debugging arp packet

display arp

Syntax
display arp [ static | dynamic | all ]

View
Any view

Parameter
static: Indicates to show the static ARP entries.
dynamic: Indicates to show the dynamic ARP entries.
all: Indicates to show all ARP entries.

Description
Using the display arp command, you can view the ARP mapping table. By default, all the ARP entries of the RSU are displayed.
For the related commands, see arp static and reset arp.

Example
Display all static ARP entries.
<3Com> display arp static
IP Address      MAC Address      Type   Vrf Name   Interface
129.102.0.1     00e0-fc01-0000   S
10.110.28.44    00e0-fc07-5b2b   I                 Eth0/0

reset arp

Syntax
reset arp [ all | dynamic | static | interface { interface-type interface-number | interface-name } ]

View
User view

Parameter
static: Indicates to clear the static ARP entries.
dynamic: Indicates to clear the dynamic ARP entries.
all: Indicates to clear all ARP entries.
interface: Indicates the selected interface.
interface-type: Interface type.
interface-number: Interface sequence number.
interface-name: Interface name.

Description
Using the reset arp command, you can clear the ARP entries in the ARP mapping table.
By default, if slot-number is not specified, the operation is performed on the RSU board. When the operation is performed on a specified interface, the interface type can only be Ethernet, GE or virtual Ethernet, and only the dynamic entries can be deleted on the interface.
For the related commands, see arp static and display arp.

Example
The following example shows how to delete the dynamic entries in the ARP mapping table on Ethernet 0/0/0.

arp-proxy enable

Syntax
arp-proxy enable
undo arp-proxy enable

View
Ethernet interface view

Parameter
None

Description
Using the arp-proxy enable command, you can enable proxy ARP on an interface. Using the undo arp-proxy enable command, you can disable proxy ARP on the interface. By default, proxy ARP is disabled.
This command is applied on an Ethernet interface. For hosts that are in the same hop but on different physical networks, the proxy ARP function hides the fact that the physical networks are separate and makes users feel as if they were on one and the same physical network.

Example
Enable proxy ARP at Ethernet 0/0/0.
[Router-Ethernet0/0/0] arp-proxy enable

Static Domain Name Resolution
display ip host

Syntax
display ip host

View
Any view

Parameter
None

Description
Using the display ip host command, you can display all the host names and their corresponding IP addresses.

Example
Display all the host names and their corresponding IP addresses.
<3Com> display ip host
Host    Age    Flags     Address(es)
eth     0      static    6.1.1.1
3Com    0      static    1.1.1.1

ip host

Syntax
ip host hostname ip-address
undo ip host hostname [ ip-address ]

View
System view

Parameter
hostname: The name of a host, a character string with a length from 1 to 20.
ip-address: The IP address corresponding to a host name, in the format A.B.C.D.

Description
Using the ip host command, you can configure the IP address corresponding to a host name. Using the undo ip host command, you can remove the IP address corresponding to a host name. By default, the static domain name table is empty, i.e. there is no host name and IP address pair.

Example
Configure the IP address corresponding to the host name router1 as 10.110.0.1.
[3Com] ip host router1 10.110.0.1

Configure the IP address corresponding to the host name router2 as 10.110.0.2.
[3Com] ip host router2 10.110.0.2

Configure to assign the IP address 10.110.0.3 to the host name router3.
[3Com] ip host router3 10.110.0.3

Remove the IP address 10.110.0.2 corresponding to the host name router2.
[3Com] undo ip host router2 10.110.0.2

DNS Client Configuration Commands
dns resolve

Syntax
dns resolve
undo dns resolve

View
System view

Parameter
None

Description
Using the dns resolve command, you can enable DNS resolving. Using the undo dns resolve command, you can disable DNS resolving. By default, DNS resolving is disabled.

Example
Enable DNS resolving.
[Router] dns resolve

dns server

Syntax
dns server ip-address
undo dns server [ip-address]

View
System view

Parameter
ip-address: IP address of a DNS server.

Description
Using the dns server command, you can configure the IP address of a DNS server. Using the undo dns server command, you can delete the IP address of a DNS server.

Example
Configure the IP address of a DNS server.
[Router] dns server 10.110.66.1
Delete the IP address of a specified DNS server.
[Router] undo dns server 10.110.66.1
Delete the IP addresses of all the DNS servers.
[Router] undo dns server

dns domain

Syntax
dns domain domain-name
undo dns domain [domain-name]

View
System view

Parameter
domain-name: DNS domain name.

Description
Using the dns domain command, you can configure a DNS domain name. Using the undo dns domain command, you can delete one or all DNS domain names.

Example
Configure a DNS domain name.
[Router] dns domain huawei-3com.com
Delete a specified DNS domain name.
[Router] undo dns domain huawei-3com.com
Delete all the DNS domain names.
[Router] undo dns domain

display dns domain

Syntax
display dns domain [dynamic]

View
Any view

Parameter
dynamic: Displays DNS domain names that are dynamically obtained through DHCP or by other means.

Description
Using the display dns domain command, you can view the DNS domain names that are manually configured. Using the display dns domain dynamic command, you can view the DNS domain names that are dynamically obtained through DHCP or other protocols.

Example
Display the DNS domain names that are manually configured.
[Router] display dns domain
No    Domain-name
0     3com.com

Display the DNS domain names that are dynamically obtained.
[Router] display dns domain dynamic
No    Domain-name
0     3com.com

display dns server

Syntax
display dns server [dynamic]

View
Any view

Parameter
dynamic: Displays DNS server addresses that are dynamically obtained through DHCP or other protocols.

Description
Using the display dns server command, you can view the DNS server addresses that are manually configured. Using the display dns server dynamic command, you can view the DNS server addresses that are dynamically obtained through DHCP or other protocols.

Example
Display the DNS server addresses that are dynamically obtained.
[Router] display dns server dynamic
Domain-server    IpAddress
0                10.72.66.36

Display the DNS server addresses that are manually configured.
[Router] display dns server
Domain-server    IpAddress
0                10.72.74.5

display dns dynamic-host

Syntax
display dns dynamic-host

View
Any view

Parameter
None

Description
Using the display dns dynamic-host command, you can view the current contents of the domain name cache of the DNS client.
The DNS client retains the result of each successful domain name resolution in its cache. If it receives the same resolving request later, it first looks up the cache for a match. If no match is found, it sends a domain name resolving request to the DNS server. You can use this command to view the current contents of the cache.

Example
Display the current contents of the domain name cache of the DNS client.
[Router] display dns dynamic-host
No   Domain-name            Ipaddress         TTL     Alias
0    www.baidu.com          202.108.249.134   63000
1    www.yahoo.akadns.net   66.94.230.39      24
2    www.hotmail.com        207.68.172.239    3585
3    www.eyou.com           61.136.62.70      3591

reset dns dynamic-host

Syntax
reset dns dynamic-host

View
User view

Parameter
None

Description
Using the reset dns dynamic-host command, you can clear the current contents of the domain name cache of the DNS client.

Example
Clear the current contents of the domain name cache of the DNS client.
[Router]reset dns dynamic-host

debugging dns

Syntax
debugging dns
undo debugging dns

View
User view

Parameter
None

Description
Using the debugging dns command, you can enable DNS client debugging. Using the undo debugging dns command, you can disable DNS client debugging. By default, DNS client debugging is disabled.

Example
Enable DNS client debugging.
<Router> debugging dns
<Router> undo debugging dns

DHCP Public Configuration Commands
dhcp enable

Syntax
dhcp enable
undo dhcp enable

View
System view

Parameter
None

Description
Using the dhcp enable command, you can enable DHCP services. Using the undo dhcp enable command, you can disable DHCP services. By default, DHCP services are enabled.
Before you can configure DHCP, you must enable DHCP services. This configuration is essential to both DHCP server and DHCP relay.

Example
Enable DHCP services on the current router.
[3Com] dhcp enable

dhcp select (in Interface View)

Syntax
dhcp select { global | interface | relay }
undo dhcp select

View
Interface view

Parameter
global: The address the DHCP client gets is the one selected by the local DHCP server from a global address pool upon receipt of the DHCP request from the client.
interface: The address the DHCP client gets is the one selected by the local DHCP server from an interface address pool upon receipt of the DHCP request from the client.
relay: The address the DHCP client gets is allocated by an external DHCP server.

Description
Using the dhcp select command in interface view, you can select a method for handling the DHCP packets destined to the local device. Using the undo dhcp select command in interface view, you can restore the default setting.
By default, DHCP packets destined to the local device are sent to the internal server, and the clients sending them are allocated addresses selected from a global address pool (the global approach).
For the related command, see dhcp select (in system view).

Example
Allocate addresses selected from an interface address pool on the internal DHCP server to the clients sending DHCP packets destined to the local device.
[3Com-Ethernet1/0/0] dhcp select interface

dhcp select (in System View)

Syntax
dhcp select { global | interface | relay } { interface ethernet-subinterface-range | all }
undo dhcp select { interface ethernet-subinterface-range | all }

View
System view

Parameter
global: The address the DHCP client gets is the one selected by the local DHCP server from a global address pool upon receipt of the DHCP request from the client.
interface: The address the DHCP client gets is the one selected by the local DHCP server from an interface address pool upon receipt of the DHCP request from the client.
relay: The address the DHCP client gets is allocated by an external DHCP server.
ethernet-subinterface-range: Includes all the subinterfaces between two subinterfaces (including these two subinterfaces), specified by inserting the keyword "to" between the two interfaces.
all: All the interfaces.

Description
Using the dhcp select command in system view, you can select a method for multiple interfaces in a specified range to handle the DHCP packets destined to the local device. Using the undo dhcp select command in system view, you can restore the default setting.
By default, DHCP packets destined to the local device are sent to the internal server, and the clients sending them are allocated addresses selected from a global address pool (the global approach).
For the related command, see dhcp select (in interface view).

Example
Configure the interfaces in the range of Ethernet2/0/0.1 to Ethernet2/0/0.5 to allocate addresses selected from an interface address pool maintained by the internal server to the clients sending DHCP packets destined to the local device.
[3Com] dhcp select interface interface ethernet 2/0/0.1 to ethernet 2/0/0.5

dhcp server detect

Syntax
dhcp server detect
undo dhcp server detect

View
Interface view

Parameter
None

Description
Using the dhcp server detect command, you can enable pseudo-DHCP-server detection. Using the undo dhcp server detect command, you can disable the function.
By default, pseudo-DHCP-server detection is disabled.

Example
Enable pseudo-DHCP-server detection on the interface Ethernet 2/0/0.
[3Com-Ethernet2/0/0] dhcp server detect

DHCP Server Configuration Commands

debugging dhcp server

Syntax
debugging dhcp server { all | error | events | packets }
undo debugging dhcp server { all | error | events | packets }

View
User view

Parameter
all: All debugging functions of the DHCP server.
error: Error debugging on the DHCP server, specifically, debugging of the errors that occur when the DHCP server processes DHCP packets, allocates addresses, etc.
events: Event debugging on the DHCP server, specifically, debugging of events such as address allocation, ping detection timeout, etc.
packet: DHCP packet debugging, specifically, debugging of the packets that the DHCP server has received and sent, of the ping packets sent for the purpose of detection, and of the received response packets.

Description
Using the debugging dhcp server command, you can enable debugging on the DHCP server. Using the undo debugging dhcp server command, you can disable debugging.
By default, debugging is disabled on the DHCP server.

Example
Enable event debugging on the DHCP server.
<3Com> debugging dhcp server events
*0.62496500-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: ICMP Timeout
*0.62496583-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: Still Need to ICMP detect for 1 times
*0.62497000-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: ICMP Timeout
*0.62497083-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: All Try finished
*0.62497166-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: Ack User's Lease

Enable packet debugging on the DHCP server.
<3Com> debugging dhcp server packet
*0.62080906-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: receive DHCPRELEASE from 00.05.5D.85.D5.45.
*0.62081016-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: Release Lease for MAC 00.05.5D.85.D5.45. IP is 5.5.5.2
*0.62082240-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: receive DHCPDISCOVER from 00.05.5D.85.D5.45.
*0.62082350-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: Sending ICMP ECHO to Target IP: 5.5.5.2
*0.62082733-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: Sending ICMP ECHO to Target IP: 5.5.5.2
*0.62083233-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: Send DHCPOFFER to MAC=> 00.05.5D.85.D5.45. Offer IP=> 5.5.5.2
*0.62083366-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: receive DHCPREQUEST from 00.05.5D.85.D5.45.
*0.62083483-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: Send DHCPACK to MAC=> 00.05.5D.85.D5.45. Offer IP=> 5.5.5.2

Enable error debugging on the DHCP server.
<3Com> debugging dhcp server error
*0.63269475-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: Icmp Packet is not EHHOREPLY!
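An added example (not part of the 3Com manual): a Python parser for the packet-debugging lines shown above that rebuilds each client's message sequence and counts the ICMP ECHO probes logged before every DHCPOFFER. The function names are assumptions, and the second log is constructed to model an offer sent without any probe, the case the manual describes for dhcp server ping packets 0.

```python
import re
from collections import defaultdict

# Lines from the packet-debugging example above, one event per line.
SAMPLE_LOG = """\
*0.62080906-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: receive DHCPRELEASE from 00.05.5D.85.D5.45.
*0.62081016-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: Release Lease for MAC 00.05.5D.85.D5.45. IP is 5.5.5.2
*0.62082240-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: receive DHCPDISCOVER from 00.05.5D.85.D5.45.
*0.62082350-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: Sending ICMP ECHO to Target IP: 5.5.5.2
*0.62082733-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: Sending ICMP ECHO to Target IP: 5.5.5.2
*0.62083233-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: Send DHCPOFFER to MAC=> 00.05.5D.85.D5.45. Offer IP=> 5.5.5.2
*0.62083366-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: receive DHCPREQUEST from 00.05.5D.85.D5.45.
*0.62083483-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: Send DHCPACK to MAC=> 00.05.5D.85.D5.45. Offer IP=> 5.5.5.2
"""

# Constructed sample (not from the manual): an offer that no probe preceded.
UNPROBED_LOG = """\
*0.70000000-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: receive DHCPDISCOVER from 00.05.5D.85.D5.46.
*0.70000100-DHCP SER-8-DHCPS_DEBUG_COMMON: DhcpServer: Send DHCPOFFER to MAC=> 00.05.5D.85.D5.46. Offer IP=> 5.5.5.3
"""

MAC = r"(?P<mac>(?:[0-9A-Fa-f]{2}\.){5}[0-9A-Fa-f]{2})"
IP = r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})"
# The number after "*0." is kept as an opaque tick; the manual does not state its unit.
PREFIX = re.compile(r"^\*\d+\.(?P<tick>\d+)-DHCP SER-\d+-\w+: DhcpServer: (?P<text>.*)$")
EVENTS = [
    ("recv", re.compile(r"^receive (?P<type>DHCP[A-Z]+) from " + MAC + r"\.?$")),
    ("send", re.compile(r"^Send (?P<type>DHCP[A-Z]+) to MAC=> " + MAC
                        + r"\. Offer IP=> " + IP + r"$")),
    ("probe", re.compile(r"^Sending ICMP ECHO to Target IP: " + IP + r"$")),
    ("release", re.compile(r"^Release Lease for MAC " + MAC + r"\. IP is " + IP + r"$")),
]


def parse_line(line):
    """Turn one debug line into a dict; None if it is not a DhcpServer debug line."""
    head = PREFIX.match(line.strip())
    if head is None:
        return None
    event = {"tick": int(head["tick"]), "kind": "other", "text": head["text"]}
    for kind, pattern in EVENTS:
        body = pattern.match(head["text"])
        if body:
            event.update(kind=kind, **body.groupdict())
            break
    return event


def summarize(log_text):
    """Return (message sequence per client MAC, one record per DHCPOFFER)."""
    sequences = defaultdict(list)
    probes = defaultdict(int)  # ip -> ICMP ECHO probes not yet attributed to an offer
    offers = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "probe":
            probes[ev["ip"]] += 1
        elif ev["kind"] in ("recv", "send"):
            sequences[ev["mac"]].append(f'{ev["kind"]} {ev["type"]}')
            if ev["kind"] == "send" and ev["type"] == "DHCPOFFER":
                offers.append({"mac": ev["mac"], "ip": ev["ip"],
                               "probes": probes.pop(ev["ip"], 0)})
    return dict(sequences), offers


def unprobed_offers(log_text):
    """Offers that were sent without any logged address-conflict probe."""
    return [offer for offer in summarize(log_text)[1] if offer["probes"] == 0]


if __name__ == "__main__":
    seqs, offers = summarize(SAMPLE_LOG)
    for mac, seq in seqs.items():
        print(mac, " -> ".join(seq))
    print("offers:", offers)
    print("unprobed:", unprobed_offers(UNPROBED_LOG))
```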

dhcp server dns-list (in Interface View)

Syntax
dhcp server dns-list ip-address [ ip-address ]
undo dhcp server dns-list { ip-address | all }

View
Interface view

Parameter
ip-address: IP address of a DNS server. You can configure up to eight IP addresses, separated by spaces, in a command.

Description
Using the dhcp server dns-list command in interface view, you can configure DNS IP addresses for an interface configured with a DHCP address pool. Using the undo dhcp server dns-list command in interface view, you can delete the configuration.
By default, no DNS address is configured.
Currently, up to eight DNS server addresses can be set in each DHCP address pool.
For the related commands, see dhcp server dns-list (in system view), dhcp server ip-pool, and dns-list.

Example
Configure the DNS server address 1.1.1.254 for the DHCP address pool of the interface Ethernet1/0/0.
[3Com] interface ethernet 1/0/0
[3Com-Ethernet 1/0/0] dhcp server dns-list 1.1.1.254

dhcp server dns-list (in System View)

Syntax
dhcp server dns-list ip-address [ ip-address ] { interface ethernet-subinterface-range | all }
undo dhcp server dns-list { ip-address | all } { interface ethernet-subinterface-range | all }

View
System view

Parameter
ip-address: IP address of a DNS server. You can configure up to eight IP addresses, separated by spaces, in a command.
ethernet-subinterface-range: Includes all the subinterfaces whose interface numbers lie between the two given subinterface numbers (including these two subinterfaces), specified by inserting the keyword “to” between the two interface numbers.
all: In the undo form of the command, the first “all” refers to all the Gateway (GW) addresses and the second to all the interfaces.

Description
Using the dhcp server dns-list command in system view, you can assign DNS IP addresses to the DHCP address pool of multiple interfaces in a specified range. Using the undo dhcp server dns-list command in system view, you can delete the configuration.
By default, no DNS address is configured.
Currently, up to eight DNS server addresses can be set in each DHCP address pool.
For the related commands, see dhcp server dns-list (in interface view), dhcp server ip-pool, and dns-list.

Example
Assign the DNS server address 1.1.1.254 to the DHCP address pool of the interfaces in the range of Ethernet1/0/0.0 to Ethernet2/0/0.5.
[3Com] dhcp server dns-list 1.1.1.254 interface ethernet 2/0/0.0 to ethernet 2/0/0.5

dhcp server domain-name (in Interface View)

Syntax
dhcp server domain-name domain-name
undo dhcp server domain-name domain-name

View
Interface view

Parameter
domain-name: Domain name that the DHCP server allocates to clients, which is a string of at least three and at most 50 characters.

Description
Using the dhcp server domain-name command in interface view, you can configure the domain name that the DHCP address pool of the current interface allocates to clients. Using the undo dhcp server domain-name command in interface view, you can delete the configured domain name.
By default, no domain name is allocated to DHCP clients and the domain name is null.
For the related commands, see dhcp server ip-pool, dhcp server domain-name (in system view), and domain-name.

Example
Configure the domain name eth1_0_0.com.cn in an interface DHCP address pool.
[3Com] interface ethernet 1/0/0
[3Com-Ethernet 1/0/0] dhcp server domain-name eth1_0_0.com.cn

dhcp server domain-name (in System View)

Syntax
dhcp server domain-name domain-name { interface ethernet-subinterface-range | all }
undo dhcp server domain-name domain-name { interface ethernet-subinterface-range | all }

View
System view

Parameter
domain-name: Domain name that the DHCP server allocates to clients, which is a string of 3 to 50 characters.
ethernet-subinterface-range: Includes all the subinterfaces whose interface numbers lie between two subinterface numbers (including these two subinterfaces), specified by inserting the keyword “to” between the two interface numbers.
all: All the interfaces.

Description
Using the dhcp server domain-name command in system view, you can configure the domain name that the DHCP address pool of the interfaces in a specified range allocates to DHCP clients. Using the undo dhcp server domain-name command in system view, you can delete the configured domain name.
By default, no domain name is configured for clients.
After configuring this command, you cannot view the configuration by executing the display current-configuration command. Executing the dhcp server domain-name command on each of the specified interfaces individually achieves the same batch configuration.
For the related command, see dhcp server ip-pool.

Example
Configure eth2_1_5.com.cn as the domain name in the interface DHCP address pool of the interfaces Ethernet2/0/0.1 through Ethernet2/0/0.5.
[3Com] dhcp server domain-name eth1_0_0.com.cn interface ethernet 2/0/0.1 to ethernet 2/0/0.5

dhcp server expired (in Interface View)

Syntax
dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited }
undo dhcp server expired

View
Interface view

Parameter
day day: Number of days in the range of 0 to 365.
hour hour: Number of hours in the range of 0 to 23.
minute minute: Number of minutes in the range of 0 to 59.
unlimited: The valid period is unlimited.

Description
Using the dhcp server expired command in interface view, you can configure the valid period allowed for leasing IP addresses in the DHCP address pool of the current interface. Using the undo dhcp server expired command in interface view, you can restore the default setting.
By default, the lease valid period is one day.
For the related commands, see dhcp server ip-pool, dhcp server expired (in system view), and expired.

Example
Set the valid period for leasing IP addresses in the interface address pool maintained by Ethernet1/0/0 to unlimited.
[3Com] interface ethernet 1/0/0
[3Com-Ethernet 1/0/0] dhcp server expired unlimited

dhcp server expired (in System View)

Syntax
dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited } { interface ethernet-subinterface-range | all }
undo dhcp server expired { interface ethernet-subinterface-range | all }

View
System view

Parameter
day day: Number of days in the range of 0 to 365.
hour hour: Number of hours in the range of 0 to 23.
minute minute: Number of minutes in the range of 0 to 59.
unlimited: The valid period is unlimited.
ethernet-subinterface-range: Includes all the subinterfaces whose interface numbers lie between two subinterface numbers (including these two subinterfaces), specified by inserting the keyword “to” between the two interface numbers.
all: All the interfaces.

Description
Using the dhcp server expired command in system view, you can configure the valid period allowed for leasing IP addresses in the interface DHCP address pool of the interfaces in a specified range. Using the undo dhcp server expired command in system view, you can restore the default setting.
By default, the lease valid period is one day.
After configuring this command, you cannot view the configuration by executing the display current-configuration command. Executing the dhcp server expired command on each of the specified interfaces individually achieves the same batch configuration.
For the related commands, see dhcp server ip-pool, dhcp server expired (in interface view), and expired.

Example
Set the valid period for leasing IP addresses in the interface address pool of the interfaces in the range of Ethernet2/0/0.1 to Ethernet2/0/0.5 to unlimited.
[3Com] dhcp server expired unlimited interface ethernet 2/0/0.1 to ethernet 2/0/0.5

dhcp server forbidden-ip

Syntax
dhcp server forbidden-ip low-ip-address [ high-ip-address ]
undo dhcp server forbidden-ip low-ip-address [ high-ip-address ]

View
System view

Parameter
low-ip-address: The low IP address that does not participate in the auto-allocation.
high-ip-address: The high IP address that does not participate in the auto-allocation. It must belong to the same segment as low-ip-address and must not be smaller than low-ip-address. If this parameter is not specified, only one IP address, i.e., low-ip-address, is excluded.

Description
Using the dhcp server forbidden-ip command, you can exclude IP addresses in a specified range from participating in the auto-allocation. Using the undo dhcp server forbidden-ip command, you can delete the configuration.
By default, all the IP addresses in address pools participate in the auto-allocation.
You can configure multiple IP address ranges that do not participate in the auto-allocation. When using the undo dhcp server forbidden-ip command to delete a setting, you must use exactly the same parameters that you configured. In other words, you cannot delete only some addresses from the configured range.
For the related commands, see dhcp server ip-pool, network, and static-bind ip-address.

Example
Reserve the IP addresses in the range of 10.110.1.1 to 10.110.1.63 so that these addresses will not participate in the address auto-allocation.
[3Com] dhcp server forbidden-ip 10.110.1.1 10.110.1.63

dhcp server ip-pool

Syntax
dhcp server ip-pool pool-name
undo dhcp server ip-pool pool-name

View
System view

Parameter
pool-name: Address pool name uniquely identifying an address pool, which is a string of at least one character and at most 35 characters.

Description
Using the dhcp server ip-pool command, you can create a DHCP address pool and enter the DHCP address pool view. Using the undo dhcp server ip-pool command, you can delete the specified address pool.
By default, no DHCP address pool is created.
If the specified address pool already exists, executing the dhcp server ip-pool command enters the DHCP address pool view directly. If the address pool does not exist, the DHCP server creates it before entering the DHCP address pool view. Each DHCP server can be configured with multiple address pools, but no more than 50.
For the related commands, see dhcp enable, expired, and network.

Example
Create DHCP address pool 0.
[3Com] dhcp server ip-pool 0
[3Com-dhcp-0]

dhcp server nbns-list (in Interface View)

Syntax
dhcp server nbns-list ip-address [ ip-address ]
undo dhcp server nbns-list { ip-address | all }

View
Interface view

Parameter
ip-address: IP address of a NetBIOS server. You can configure up to eight IP addresses, separated by spaces, in a command.
all: All the NetBIOS server IP addresses.

Description
Using the dhcp server nbns-list command in interface view, you can configure NetBIOS server addresses in the DHCP address pool of the current interface. Using the undo dhcp server nbns-list command in interface view, you can delete the configuration.
By default, no NetBIOS address is configured.
Currently, up to eight NetBIOS addresses can be configured in each DHCP address pool.
For the related commands, see dhcp server ip-pool, dhcp server nbns-list (in system view), nbns-list, and netbios-type.

Example
In the DHCP address pool of Ethernet1/0/0, allocate the NetBIOS server at 10.12.1.99 to the clients.
[3Com] interface ethernet 1/0/0
[3Com-Ethernet 1/0/0] dhcp server nbns-list 10.12.1.99

dhcp server nbns-list (in System View)

Syntax
dhcp server nbns-list ip-address [ ip-address ] { interface ethernet-subinterface-range | all }
undo dhcp server nbns-list { ip-address | all } { interface ethernet-subinterface-range | all }

View
System view

Parameter
ip-address: IP address of a NetBIOS server. You can configure up to eight IP addresses, separated by spaces, in a command.
all: In the undo form of the command, the first “all” refers to all the NetBIOS server addresses and the second to all the interfaces.
ethernet-subinterface-range: Includes all the subinterfaces whose interface numbers lie between two subinterface numbers (including these two subinterfaces), specified by inserting the keyword “to” between the two interface numbers.

Description
Using the dhcp server nbns-list command in system view, you can configure NetBIOS server addresses for the clients that get IP addresses from the DHCP address pool of the interfaces in a specified range. Using the undo dhcp server nbns-list command in system view, you can delete the configuration.
By default, no NetBIOS address is configured.
Currently, up to eight NetBIOS addresses can be configured in each DHCP address pool.
After configuring this command, you cannot view the configuration by executing the display current-configuration command. Executing the dhcp server nbns-list command on each of the specified interfaces individually achieves the same batch configuration.
For the related commands, see dhcp server ip-pool, dhcp server nbns-list (in interface view), nbns-list, and netbios-type.

Example
In the DHCP address pool of interfaces in the range of Ethernet2/0/0.1 to Ethernet2/0/0.5, assign the NetBIOS server at 10.12.1.99 to the clients.
[3Com] dhcp server nbns-list 10.12.1.99 interface ethernet 2/0/0.1 to ethernet 2/0/0.5

dhcp server netbios-type (in Interface View)

Syntax
dhcp server netbios-type { b-node | h-node | m-node | p-node }
undo dhcp server netbios-type

View
Interface view

Parameter
b-node: Broadcast mode, i.e., hostname-IP maps are obtained by means of broadcast.
p-node: Peer-to-peer mode, i.e., maps are obtained by communicating with the NetBIOS server.
m-node: Mixed (m) mode, i.e., the mode of type b nodes running the “peer-to-peer” communications mechanism.
h-node: Hybrid (h) mode, i.e., the mode of type p nodes possessing some of the broadcast features.

Description
Using the dhcp server netbios-type command in interface view, you can configure the NetBIOS node type of the DHCP clients of the current interface. Using the undo dhcp server netbios-type command in interface view, you can restore the default setting.
By default, clients adopt type h node (h-node).
Hostname-IP maps are required when DHCP clients use the NetBIOS protocol on a WAN.
For the related commands, see dhcp server ip-pool, netbios-type, dhcp server netbios-type (in system view), and nbns-list.

Example
In the DHCP address pool of Ethernet1/0/0, set the NetBIOS node type of its clients to p-node.
[3Com] interface ethernet 1/0/0
[3Com-Ethernet 1/0/0] dhcp server netbios-type p-node

dhcp server netbios-type (in System View)

Syntax
dhcp server netbios-type { b-node | h-node | m-node | p-node } { interface ethernet-subinterface-range | all }
undo dhcp server netbios-type { interface ethernet-subinterface-range | all }

View
System view

Parameter
b-node: Broadcast mode, i.e., hostname-IP maps are obtained by means of broadcast.
p-node: Peer-to-peer mode, i.e., maps are obtained by communicating with the NetBIOS server.
m-node: Mixed (m) mode, i.e., the mode of type b nodes running the “peer-to-peer” communications mechanism.
h-node: Hybrid (h) mode, i.e., the mode of type p nodes possessing some of the broadcast features.
ethernet-subinterface-range: Includes all the subinterfaces between two subinterfaces (including these two subinterfaces), specified by inserting the keyword “to” between the two interfaces.
all: All the interfaces.

Description
Using the dhcp server netbios-type command in system view, you can configure a NetBIOS node type for the DHCP clients of the interfaces in a specified range. Using the undo dhcp server netbios-type command in system view, you can restore the default setting.
By default, clients adopt type h node (h-node).
Hostname-IP maps are required when DHCP clients use the NetBIOS protocol on a WAN.
After configuring this command, you cannot view the configuration by executing the display current-configuration command. Executing the dhcp server netbios-type command on each of the specified interfaces individually achieves the same batch configuration.
For the related commands, see dhcp server ip-pool, netbios-type, dhcp server netbios-type, and nbns-list.

Example
In the DHCP address pool of interfaces in the range of Ethernet2/0/0.1 to Ethernet2/0/0.5, set the NetBIOS node type of clients to p-node.
[3Com] dhcp server netbios-type p-node interface ethernet 2/0/0.1 to ethernet 2/0/0.5

dhcp server option (in Interface View)

Syntax
dhcp server option code { ascii ascii-string | hex hex-string | ip-address ip-address }
undo dhcp server option code

View
Interface view

Parameter
code: Option value that needs to be assigned by the user.
ascii ascii-string: ASCII string.
hex hex-string: 2-digit or 4-digit hexadecimal string, such as hh or hhhh.
ip-address ip-address: IP address.

Description
Using the dhcp server option command in interface view, you can configure a DHCP self-defined option for the DHCP address pool of the current interface. Using the undo dhcp server option command in interface view, you can delete the configuration.
For the related commands, see option and dhcp server option (in system view).

Example
Define the hexadecimal strings of the option code 100 to 0x11 and 0x22 for the DHCP address pool of the interface Ethernet1/0/0.
[3Com] interface ethernet 1/0/0
[3Com-Ethernet 1/0/0] dhcp server option 100 hex 11 22

dhcp server option (in System View)

Syntax
dhcp server option code { ascii ascii-string | hex hex-string | ip-address ip-address } { interface ethernet-subinterface-range | all }
undo dhcp server option code { interface ethernet-subinterface-range | all }

View
System view

Parameter
code: Option value that needs to be assigned by the user.
ascii ascii-string: ASCII string.
hex hex-string: 2-digit or 4-digit hexadecimal string, such as hh or hhhh.
ip-address ip-address: IP address.
ethernet-subinterface-range: Includes all the subinterfaces between two subinterfaces (including these two subinterfaces), specified by inserting the keyword “to” between the two interfaces.
all: All the interfaces.

Description
Using the dhcp server option command in system view, you can configure a DHCP self-defined option for the interfaces in a specified range. Using the undo dhcp server option command in system view, you can delete the configuration.
After configuring this command, you cannot view the configuration by executing the display current-configuration command. Executing the dhcp server option command on each of the specified interfaces individually achieves the same batch configuration.
For the related commands, see dhcp server option (in interface view) and option.

Example
Define the hexadecimal strings of the option code 100 to 0x11 and 0x22 for the interface DHCP address pool of the interfaces in the range of Ethernet2/0/0.1 to Ethernet2/0/0.5.
[3Com] dhcp server option 100 hex 11 22 interface ethernet 2/0/0.1 to ethernet 2/0/0.5

dhcp server ping

Syntax
dhcp server ping { packets number | timeout milliseconds }
undo dhcp server ping { packets | timeout }

View
System view

Parameter
packets number: The maximum number of ping packets allowed to be sent, which is in the range of 0 to 10 and defaults to 2, with 0 indicating that no ping operation will be performed.
timeout milliseconds: The longest time period that the DHCP server waits for the response to each ping packet, which is in the range of 0 to 10000 milliseconds and defaults to 500 milliseconds.

Description
Using the dhcp server ping command, you can configure the maximum number of ping packets that the DHCP server is allowed to send and the longest time period that the DHCP server should wait for the response to each ping packet. Using the undo dhcp server ping command, you can restore the default settings.
To prevent address collisions resulting from repeated IP address allocation, the DHCP server sends ping packets to detect whether an address is available.

Example
Allow the DHCP server to send up to ten ping packets and wait 500 milliseconds (the default setting) for the response to each packet.
[3Com] dhcp server ping packets 10

dhcp server static-bind

Syntax
dhcp server static-bind ip-address ip-address mac-address mac-address
undo dhcp server static-bind { ip-address ip-address | mac-address mac-address }

View
Interface view

Parameter
ip-address: Statically bound IP address. It must be a valid IP address selected from the current interface address pool.
mac-address: Statically bound MAC address.

Description
Using the dhcp server static-bind command, you can configure a static address binding in the DHCP address pool of the current interface. Using the undo dhcp server static-bind command, you can delete the configuration.
By default, static address binding is not configured in any interface address pool.
In all the static address binding operations performed on an interface, the IP addresses and the MAC addresses must be unique.

Example
Statically bind the MAC address 0000-e03f-0305 with the IP address 10.1.1.1.
[3Com-Ethernet1/0/0] dhcp server static-bind 10.1.1.1 0000-e03f-0305

display dhcp server conflict

Syntax
display dhcp server conflict [ ip ip-address | all ]

View
Any view

Parameter
ip-address: A specified IP address.
all: All the IP addresses.

Description
Using the display dhcp server conflict command, you can view the DHCP address conflict statistics, including the conflicted IP address, conflict detection type, conflict time, etc. If no optional parameter has been specified, the information displayed depends on the current view:
In Ethernet interface view, the information displayed concerns the address pool of the current interface.
In any other view, the information displayed concerns all the address pools.
For the related command, see reset dhcp server conflict.

Example
View the DHCP address conflict statistics.
<3Com> display dhcp server conflict
Address       Discover Time
10.110.1.2    Jan 11 2003 11:57: 7 PM

Table 1 Description of the information displayed by executing display dhcp server conflict

| Major item | Description |
|---|---|
| Address | The conflicted IP address |
| Discover Time | Time when the conflict is discovered |

display dhcp server expired

Syntax
display dhcp server expired [ ip ip-address | pool [ pool-name ] | interface [ interface-name ] all ]

View
Any view

Parameter
ip-address: A specified IP address.
pool-name: Name of a global address pool. All the global address pools will apply if no address pool has been specified.
interface-name: Interface address pool. All the interface address pools will apply if no interface has been specified.
all: All the IP addresses.

Description
Using the display dhcp server expired command, you can view the expired address leases in a DHCP address pool. In certain conditions, the addresses of the expired leases will be allocated to other DHCP clients.

Example
View the expired leases in DHCP address pools.
<3Com> display dhcp server expired all
Global pool:
IP address    Hardware address    Lease expiration    Type
Interface pool:
IP address    Hardware address    Lease expiration    Type

Table 2 Description of the information displayed by executing display dhcp server expired

| Major item | Description |
|---|---|
| Global pool: | Expired address leases in global address pools. |
| Interface pool: | Expired address leases in interface address pools. |
| IP address | The bound IP address |
| Hardware address | The bound MAC address |
| Lease expiration | The lease expiration time |
| Type | Address binding type |

display dhcp server free-ip

Syntax
display dhcp server free-ip

View
Any view

Parameter
None

Description
Using the display dhcp server free-ip command, you can view the ranges of available addresses in DHCP address pools, i.e., information about the IP addresses that have not been allocated yet.

Example
View the ranges of the available addresses in DHCP address pools.
<3Com> display dhcp server free-ip
IP Range from 1.0.0.0 to 2.2.2.1
IP Range from 2.2.2.3 to 2.255.255.255
IP Range from 4.0.0.0 to 4.255.255.255
IP Range from 5.5.5.0 to 5.5.5.0
IP Range from 5.5.5.2 to 5.5.5.255

display dhcp server ip-in-use

Syntax
display dhcp server ip-in-use [ ip ip-address | pool [ pool-name ] | interface [ interface-name ] ]

View
Any view

Parameter
ip-address: Specifies an IP address. If no IP address has been specified, information about all the bound addresses will be displayed.
pool-name: Specifies a global address pool. If no global address pool has been specified, the bound addresses in all the global address pools will be displayed.
interface-name: Specifies an interface address pool. If no interface address pool has been specified, the bound addresses in all the interface address pools will be displayed.

Description
Using the display dhcp server ip-in-use command, you can view the address binding information of DHCP clients, such as the hardware address, IP address, and address lease expiration. If no optional parameter has been specified, the information output by executing the command will be:
In Ethernet interface view, the information in the address pool of the current interface.
In any other view, the information in all the address pools.
For the related command, see reset dhcp server ip-in-use.

Example
View the DHCP address binding information.
<3Com> display dhcp server ip-in-use all
Global pool:
IP address    Hardware address    Lease expiration          Type
2.2.2.2       44444-4444-4444     NOT Used                  Manual
Interface pool:
IP address    Hardware address    Lease expiration          Type
5.5.5.1       0050-ba28-930a      Jun 5 2003 10:56: 7 AM    Auto:COMMITED

Table 3 Description of the information output by executing display dhcp server ip-in-use

| Major item | Description |
|---|---|
| Global pool: | Address binding information of global address pools |
| Interface pool: | Address binding information of interface address pools |
| IP address | The bound IP address |
| Hardware address | The bound MAC address |
| Lease expiration | The lease expiration time |
| Type | Address binding type |

display dhcp server statistics

Syntax
display dhcp server statistics

View
Any view

Parameter
None

Description
Using the display dhcp server statistics command, you can view the statistics on the DHCP server, including the number of DHCP address pools, the automatically bound, manually bound, and expired addresses, the number of unknown packets, the number of DHCP request packets, and the number of response packets.
For the related command, see reset dhcp server statistics.

Example
View the statistics on the DHCP server.
<3Com> display dhcp server statistics
Global Pool:
Pool Number: 5
Binding
Auto: 0
Manual: 1
Expire: 0
Interface Pool:
Pool Number: 1
Binding
Auto: 1
Manual: 0
Expire: 0
Boot Request: 6
Dhcp Discover: 1
Dhcp Request: 4
Dhcp Decline: 0
Dhcp Release: 1
Dhcp Inform: 0
Boot Reply: 4
Dhcp Offer: 1
Dhcp Ack: 3
Dhcp Nak: 0
Bad Messages: 0

Table 4 Description of the information output by executing display dhcp server statistics

| Major item | Description |
|---|---|
| Global Pool: | Statistics of global address pools |
| Interface Pool: | Statistics of interface address pools |
| Pool Number | Number of address pools |
| Auto | Number of automatically bound IP addresses |
| Manual | Number of manually bound IP addresses |
| Expire | Number of IP addresses of expired leases |
| Boot Request | Number of messages that DHCP clients sent to the DHCP server |
| Dhcp Discover, Dhcp Request, Dhcp Decline, Dhcp Release, Dhcp Inform | Statistics of the received DHCP packets |
| Boot Reply | Number of messages that the DHCP server sent to DHCP clients |
| Dhcp Offer, Dhcp Ack, Dhcp Nak | Statistics of the transmitted DHCP packets |
| Bad Messages | Statistics of packets containing errors |

display dhcp server tree

Syntax
display dhcp server tree [ pool [ pool-name ] | interface [ interface-name ] | all ]

View
Any view

Parameter
pool-name: Name of a global address pool. All the global address pools will apply if no address pool has been specified.
interface-name: Interface address pool. All the interface address pools will apply if no interface has been specified.
all: All the DHCP address pools.

Description
Using the display dhcp server tree command, you can view the tree-structure information of DHCP address pools, including the address pool at each node, options, address lease period, and DNS server information. If no optional parameter has been specified, the information output by executing the command will be:
In Ethernet interface view, the information concerning the address pool of the current interface.
In any other view, the information in all the address pools.

Example
View the tree-structure information of DHCP address pools.
<3Com> display dhcp server tree all
Global pool:

Pool name: 5
 network 10.10.1.0 255.255.255.0
 Child node:6
 Sibling node:7
 option 1 ip-address 255.0.0.0
 expired 1 0 0
 option 58 hex 00 00 A8 C0
 option 59 hex 00 00 00 3C

Pool name: 6
 host 10.10.1.2 255.0.0.0
 hardware-address 1111.2222.3333 ethernet
 Parent node:5
 option 1 ip-address 255.255.0.0
 expired 1 0 0
 option 58 hex 00 00 A8 C0
 option 59 hex 00 00 00 3C

Pool name: 7
 network 10.10.1.64 255.255.255.192
 PrevSibling node:5
 Sibling node:8
 option 1 ip-address 255.0.0.0

Pool name: 8
 network 20.10.1.1 255.255.255.0
 Child node:9
 PrevSibling node:7
 option 1 ip-address 255.0.0.0
 gateway-list 2.2.2.2
 nbns-list 3.3.3.3
 netbios-type m-node
 expired 2 0 0
 option 58 hex 00 01 51 80
 option 59 hex 00 00 00 3C

Pool name: 9
 network 30.10.1.64 255.255.255.0
 Parent node:8
 option 1 ip-address 255.0.0.0
 gateway-list 2.2.2.2
 dns-list 1.1.1.1
 domain-name 444444
 nbns-list 3.3.3.3
 netbios-type m-node
 expired 2 0 0
 option 58 hex 00 01 51 80
 option 59 hex 00 00 00 3C

Interface pool:

Pool name: Ethernet11/2/0
 network 5.5.5.0 mask 255.255.255.0
 option 1 ip-address 255.255.255.0
 gateway-list 5.5.5.5
 expired 1 0 0
 option 58 hex 00 00 A8 C0
 option 59 hex 00 00 00 3C

Table 5 Description of the information output by executing display dhcp server tree
Major item          Description
Global pool:        Global address pool information
Interface pool:     Interface address pool information
Pool Name:          Address pool name
network             Address ranges available for allocation
host 10.10.1.2 255.0.0.0 hardware-address 1111.2222.3333 ethernet
                    Statically bound IP address and MAC address
child node:6        The child node of the current node is address pool 6. The node in this position can be:
                    - Child node, which is the child node (subnet) address pool of the current address pool
                    - Parent node, which is the father node (natural network segment) address pool of the current node
                    - Sibling node, which is the next sibling node (another subnet on the same natural network segment) address pool. The order of sibling nodes depends on the order in which they are configured.
                    - PrevSibling node, which is the previous sibling node of the current node
option              Self-definable DHCP option
expired             The address lease period that is indicated by days, hours, and minutes
gateway-list        The egress GW router allocated to DHCP clients
dns-list            The DNS servers allocated to DHCP clients
domain-name         Domain name specified for DHCP clients
nbns-list           The NetBIOS server allocated to DHCP clients
netbios-type        NetBIOS node type specified for DHCP clients

dns-list

Syntax
dns-list ip-address [ ip-address ]
undo dns-list { ip-address | all }

View
DHCP address pool view

Parameter
ip-address: IP address of the DNS server. You can configure up to eight IP addresses separated by spaces in a command.

Description
Using the dns-list command, you can configure DNS server IP addresses in a global DHCP address pool. Using the undo dns-list command, you can delete the configuration.
By default, no DNS server address is configured.
Currently, at most eight DNS server addresses can be set in each DHCP address pool.
For the related commands, see dhcp server dns-list interface, dhcp server dns-list, and dhcp server ip-pool.

Example
Specify 1.1.1.254 as a DNS server address for DHCP address pool 0.
[3Com] dhcp server ip-pool 0
[3Com-dhcp-0] dns-list 1.1.1.254

domain-name

Syntax
domain-name domain-name
undo domain-name domain-name

View
DHCP address pool view

Parameter
domain-name: Domain name that the DHCP server allocates to clients, which is a string of at least three and at most 50 characters.

Description
Using the domain-name command, you can configure the domain name that a global address pool of the DHCP server allocates to clients. Using the undo domain-name command, you can delete the configured domain name.
By default, no domain name is allocated to DHCP clients and the domain name is null.
For the related commands, see dhcp server ip-pool, dhcp server domain-name interface, and dhcp server domain-name.

Example
Set the domain name of DHCP address pool 0 to mydomain.com.cn.
[3Com] dhcp server ip-pool 0
[3Com-dhcp-0] domain-name mydomain.com.cn

expired

Syntax
expired { day day [ hour hour [ minute minute ] ] | unlimited }
undo expired

View
DHCP address pool view

Parameter
day day: Number of days in the range of 0 to 365.
hour hour: Number of hours in the range of 0 to 23.
minute minute: Number of minutes in the range of 0 to 59.
unlimited: The valid period is unlimited.

Description
Using the expired command, you can configure a valid period allowed for leasing IP addresses in a global DHCP address pool. Using the undo expired command, you can restore the default setting.
By default, the leasing valid period is one day.
For the related commands, see dhcp server ip-pool, dhcp server expired, and dhcp server expired interface.

Example
Set the IP address lease period of global address pool 0 to one day, two hours, and three minutes.
[3Com] dhcp server ip-pool 0
[3Com-dhcp-0] expired 1 2 3


gateway-list

Syntax
gateway-list ip-address [ ip-address ]
undo gateway-list { ip-address | all }

View
DHCP address pool view

Parameter
ip-address: IP address of egress GW router. You can configure up to eight IP addresses separated by spaces in a command.
all: IP addresses of all the egress GW routers.

Description
Using the gateway-list command, you can configure IP addresses of the egress GW routers used by DHCP clients. Using the undo gateway-list command, you can delete the configuration.
By default, no egress GW router is configured.
For the related commands, see dhcp server ip-pool and network.

Example
Associate the egress GW router at 10.110.1.99 with DHCP address pool 0.
[3Com] dhcp server ip-pool 0
[3Com-dhcp-0] gateway-list 10.110.1.99

nbns-list

Syntax
nbns-list ip-address [ ip-address ]
undo nbns-list { ip-address | all }

View
DHCP address pool view

Parameter
ip-address: IP address of NetBIOS server. You can configure up to eight IP addresses separated by spaces in a command.
all: All the NetBIOS server IP addresses.

Description
Using the nbns-list command, you can configure NetBIOS server addresses in a global DHCP address pool for the clients. Using the undo nbns-list command, you can remove the configured NetBIOS server addresses.
By default, no NetBIOS address is configured.
Currently, at most eight NetBIOS addresses can be configured in each DHCP address pool.
For the related commands, see dhcp server ip-pool, dhcp server nbns-list, dhcp server nbns-list interface, and netbios-type.

Example
In the DHCP address pool 0, allocate the NetBIOS server at 10.12.1.99 to the clients.
[3Com] dhcp server ip-pool 0
[3Com-dhcp-0] nbns-list 10.12.1.99

netbios-type

Syntax
netbios-type { b-node | h-node | m-node | p-node }
undo netbios-type

View
DHCP address pool view

Parameter
b-node: Broadcast mode, i.e., hostname-IP maps are obtained by means of broadcast.
p-node: Peer-to-peer mode, i.e., maps are obtained by means of communicating with the NetBIOS server.
m-node: Mixed (m) mode, i.e., the mode of type b nodes running “peer-to-peer” communications mechanism.
h-node: Hybrid (h) mode, i.e., the mode of type p nodes possessing some of the broadcast features.

Description
Using the netbios-type command, you can configure the NetBIOS node type of the clients of a global DHCP address pool. Using the undo netbios-type command, you can restore the default setting.
By default, clients adopt type h node (h-node).
For the related commands, see dhcp server ip-pool, dhcp server netbios-type (in interface view), dhcp server netbios-type (in system view), and nbns-list.

Example
Specify b-node as the NetBIOS node type of clients of DHCP address pool 0.
[3Com] dhcp server ip-pool 0
[3Com-dhcp-0] netbios-type b-node

network

Syntax
network ip-address [ mask netmask ]
undo network

View
DHCP address pool view

Parameter
ip-address: The subnet address of an IP address pool used for dynamic allocation.
mask netmask: Network mask of the IP address pool. Natural mask will be adopted if the parameter is not specified.

Description
Using the network command, you can configure an IP address range used for dynamic allocation. Using the undo network command, you can delete the configuration.
By default, no IP address range has been configured for dynamic allocation.
Each DHCP address pool can be configured with a network segment and the new configuration will replace the old one. If the system requires several such address segments, you should configure them in multiple address pools.
For the related commands, see dhcp server ip-pool and dhcp server forbidden-ip.

Example
Use 192.168.8.0/24 as the address space for DHCP address pool 0.
[3Com-dhcp-0] network 192.168.8.0 mask 255.255.255.0

option

Syntax
option code { ascii ascii-string | hex hex-string | ip-address ip-address }
undo option code

View
DHCP address pool view

Parameter
code: Option value that needs to be assigned by the user.
ascii ascii-string: ASCII string.
hex hex-string: 2-digit or 4-digit hexadecimal string, such as hh or hhhh.
ip-address ip-address: IP address.

Description
Using the option command, you can configure the self-defined options for a DHCP global address pool. Using the undo option command, you can delete the DHCP self-defined options.
New options are emerging along with the development of DHCP. In order to accommodate these options, manual option addition is supported so that they can be added into the attribute list maintained by the DHCP server.
For the related commands, see dhcp server option (in interface view) and dhcp server option interface (in system view).

Example
Define the hexadecimal strings of the option code 100 to 0x11 and 0x22.
[3Com-dhcp-0] option 100 hex 11 22

reset dhcp server conflict

Syntax
reset dhcp server conflict [ ip-address | all ]

View
User view

Parameter
ip-address: A specified IP address.
all: All the address pools.

Description
Using the reset dhcp server conflict command, you can clear the statistics about DHCP address collision.
If no parameter is specified, the scope in which the command takes effect depends on the view in which the command is executed:

- If the command is executed in Ethernet interface view, it will take effect on the address pool of the current interface.
- If the command is executed in any other view, it will take effect on all the address pools.

For the related command, see display dhcp server conflict.

Example
Clear all the address collision statistics.
<3Com> reset dhcp server conflict

reset dhcp server ip-in-use

Syntax
reset dhcp server ip-in-use [ ip ip-address | pool [ pool-name ] | interface [ interface-name ] | all ]

View
User view

Parameter
ip-address: Binding information of a specified IP address.
pool-name: Specifies a global address pool. All the global address pools will apply if no address pool has been specified.
interface-name: Specifies an interface address pool. If no interface has been specified, all the interface address pools will apply.
all: All the address pools.

Description
Using the reset dhcp server ip-in-use command, you can clear the DHCP dynamic address binding information.
If no parameter is specified, the scope in which the command takes effect depends on the view in which the command is executed:

- If the command is executed in Ethernet interface view, it will take effect on the address pool of the current interface.
- If the command is executed in any other view, it will take effect on all the address pools.

For the related command, see display dhcp server ip-in-use.

Example
Clear the binding information of the address 10.110.1.1.
<3Com> reset dhcp server ip-in-use ip 10.110.1.1

reset dhcp server statistics

Syntax
reset dhcp server statistics

View
User view

Parameter
None

Description
Using the reset dhcp server statistics command, you can clear the statistics on the DHCP server, including such information as number of DHCP address pools, automatically and manually bound addresses and expired addresses, number of unknown packets, number of DHCP request packets, and number of response packets.
For the related command, see display dhcp server statistics.

Example
Clear statistic information of the DHCP server.
<3Com> reset dhcp server statistics

static-bind ip-address

Syntax
static-bind ip-address ip-address [ mask netmask ]
undo static-bind ip-address

View
DHCP address pool view

Parameter
ip-address: IP address to be bound.
netmask: Mask of the IP address to be bound. If it is not specified, the natural mask will be adopted.

Description
Using the static-bind ip-address command, you can bind an IP address statically. Using the undo static-bind ip-address command, you can delete the statically bound IP address.
By default, no IP address is bound statically.
The commands static-bind ip-address and static-bind mac-address must be used in pairs so that an IP address and a MAC address can be bound together.
For the related commands, see dhcp server ip-pool, network, and static-bind mac-address.

Example
Bind the PC at the MAC address 0000-e03f-0305 with the IP address 10.1.1.1 using the mask 255.255.255.0.
[3Com-dhcp-0] static-bind ip-address 10.1.1.1 mask 255.255.255.0
[3Com-dhcp-0] static-bind mac-address 0000-e03f-0305

static-bind mac-address

Syntax
static-bind mac-address mac-address
undo static-bind mac-address

View
DHCP address pool view

Parameter
mac-address: The host MAC address to be bound, which is in the format of H-H-H.

Description
Using the static-bind mac-address command, you can bind a MAC address statically. Using the undo static-bind mac-address command, you can delete the statically bound MAC address.
By default, no MAC address is bound statically.
The commands static-bind mac-address and static-bind ip-address must be used in pairs so that a MAC address and an IP address can be bound together.
For the related commands, see dhcp server ip-pool and static-bind ip-address.

Example
Bind the PC at the MAC address 0000-e03f-0305 with the IP address 10.1.1.1 using the mask 255.255.255.0.
[3Com-dhcp-0] static-bind ip-address 10.1.1.1 mask 255.255.255.0
[3Com-dhcp-0] static-bind mac-address 0000-e03f-0305


DHCP Client Configuration Commands
debugging dhcp client

Syntax
debugging dhcp client { event | packet | error | all }
undo debugging dhcp client { event | packet | error | all }

View
User view

Parameter
event: Protocol events of the DHCP client, which include address allocation and data updating.
packet: DHCP packets received and sent by the DHCP client.
error: Unknown packet information or error information.
all: All the debugging information of the DHCP client (event, packet, and error).

Description
Using the debugging dhcp client command, you can enable debugging on the DHCP client. Using the undo debugging dhcp client command, you can disable debugging on the DHCP client.
By default, DHCP client debugging is disabled.

Example
Enable event debugging on the DHCP client.
<3Com> debugging dhcp client event

display dhcp client

Syntax
display dhcp client [ verbose ]

View
Any view

Parameter
verbose: Statistic details of the DHCP client.

Description
Using the display dhcp client command, you can display the statistic information of the DHCP client.
Executing the command without the verbose keyword displays only the brief address allocation information on the DHCP client.

Example
Display the statistic details of the DHCP client.
[3Com] display dhcp client verbose
DHCP client statistic infomation:
Ethernet0/0:
 Current machine state: BOUND
 Alloced IP: 169.254.0.2 255.255.0.0
 Alloced lease: 86400 seconds, T1: 43200 seconds, T2: 75600 seconds
 Lease from 2002.09.20 01:05:03 to 2002.09.21 01:05:03
 Server IP: 169.254.0.1
 Transaction ID = 0x3d8a7431
 Default router: 2.2.2.2
 DNS server: 1.1.1.1
 Domain name: 3Com.com
 Client ID: 3Com-00e0.fc0a.c3ef-Ethernet0/0
 Next timeout will happen after 0 days 11 hours 56 minutes 1 seconds.
Ethernet2/0:
 Current machine state: HALT

The statistic information shows that two interfaces, i.e., Ethernet0/0 and Ethernet2/0, have been configured to be DHCP clients.
Ethernet0/0 has been assigned the address 169.254.0.2/16 with a lease of 86400 seconds, and the current machine state is BOUND. The renewal timer is set to 43200 seconds and the rebinding timer to 75600 seconds, and the lease runs from 2002.09.20 01:05:03 to 2002.09.21 01:05:03. The selected DHCP server is at 169.254.0.1, the GW at 2.2.2.2, and the DNS server at 1.1.1.1, and the domain name is 3Com.com. In addition, the next timeout will happen 11 hours, 56 minutes, and 1 second later.
The allocation process has not been started at Ethernet2/0 yet. The current machine state is HALT, which normally results from the DOWN state of the interface.

Display more details of the DHCP client.
[3Com] display dhcp client verbose
DHCP client statistic infomation:
Ethernet0/0:
 Current machine state: BOUND
 Alloced IP: 169.254.0.2 255.255.0.0
 Alloced lease: 300 seconds, T1: 150 seconds, T2: 262 seconds
 Lease from 2002.09.15 07:11:55 to 2002.09.15 07:16:55
 Server IP: 169.254.0.1
 Transaction ID = 0x3d8432b1
 Client ID: 3Com-00e0.fc0a.c3ef-Ethernet0/0
 Next timeout will happen after 0 days 0 hours 1 minutes 36 seconds.

Table 6 Statistic information field description of DHCP client
Item                    Description
Ethernet0/0             Interface where the client is allowed to dynamically obtain an IP address
Current machine state   State of the client state machine
Alloced IP              IP address allocated to the client
lease                   Lease period
T1                      Duration of the renewal timer
T2                      Duration of the rebinding timer
Lease from….to….        The starting time and the end time of the lease
Server IP               The selected DHCP server address
Transaction ID          Transaction ID
Client ID               User ID
Default router          GW address
DNS server              DNS server address
Domain name             Domain name
Requested IP            The requested IP address
Offered IP              The provided IP address
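The fields in Table 6 can be checked mechanically when auditing which DHCP server an interface accepted a lease from. The Python below is an added example, not part of the 3Com manual: it parses display dhcp client verbose output, confirms that the lease window and the T1/T2 timers agree with the lease length, and flags a Server IP that is not on an operator-supplied allow-list. The allow-list, the 0.5 and 0.875 timer fractions (the RFC 2131 defaults, which both sample outputs follow), and the one-field-per-line layout of the embedded sample are assumptions.

```python
import re
from datetime import datetime

# First sample output from the example, laid out one field per line
# (the line layout is constructed; the values are the manual's).
SAMPLE = """\
DHCP client statistic infomation:
Ethernet0/0:
 Current machine state: BOUND
 Alloced IP: 169.254.0.2 255.255.0.0
 Alloced lease: 86400 seconds, T1: 43200 seconds, T2: 75600 seconds
 Lease from 2002.09.20 01:05:03 to 2002.09.21 01:05:03
 Server IP: 169.254.0.1
 Transaction ID = 0x3d8a7431
 Default router: 2.2.2.2
 DNS server: 1.1.1.1
 Domain name: 3Com.com
 Client ID: 3Com-00e0.fc0a.c3ef-Ethernet0/0
 Next timeout will happen after 0 days 11 hours 56 minutes 1 seconds.
Ethernet2/0:
 Current machine state: HALT
"""

IFACE = re.compile(r"([A-Za-z-]+\d+(?:/\d+)*(?:\.\d+)?):")
LEASE = re.compile(r"Alloced lease: (\d+) seconds, T1: (\d+) seconds, T2: (\d+) seconds")
WINDOW = re.compile(r"Lease from (\S+ \S+) to (\S+ \S+)")
FIELD = re.compile(r"(Current machine state|Alloced IP|Server IP|Default router"
                   r"|DNS server|Domain name|Client ID): (.+)")
TIME_FMT = "%Y.%m.%d %H:%M:%S"


def parse_clients(text):
    """Return {interface name: {field: value}} for every interface listed."""
    clients, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE.fullmatch(line):
            current = clients.setdefault(m.group(1), {})
        elif current is None:
            continue                      # banner line before the first interface
        elif m := LEASE.fullmatch(line):
            current["lease"], current["T1"], current["T2"] = map(int, m.groups())
        elif m := WINDOW.fullmatch(line):
            current["from"], current["to"] = (
                datetime.strptime(t, TIME_FMT) for t in m.groups())
        elif m := FIELD.fullmatch(line):
            current[m.group(1)] = m.group(2)
    return clients


def audit_client(name, client, allowed_servers):
    """Return findings for one interface; interfaces without a lease are skipped."""
    if client.get("Current machine state") != "BOUND":
        return []
    findings = []
    server = client.get("Server IP")
    if server not in allowed_servers:
        findings.append(f"{name}: lease accepted from DHCP server {server}, "
                        "which is not on the allow-list")
    lease = client.get("lease")
    if lease is None:
        findings.append(f"{name}: BOUND but no lease line was found")
        return findings
    if (client["T1"], client["T2"]) != (lease // 2, lease * 7 // 8):
        findings.append(f"{name}: T1/T2 {client['T1']}/{client['T2']} do not match "
                        f"0.5 and 0.875 of the {lease}-second lease")
    if "from" in client and (client["to"] - client["from"]).total_seconds() != lease:
        findings.append(f"{name}: lease window does not span {lease} seconds")
    return findings


def audit(text, allowed_servers):
    findings = []
    for name, client in parse_clients(text).items():
        findings.extend(audit_client(name, client, allowed_servers))
    return findings


if __name__ == "__main__":
    # 10.0.0.1 is a constructed allow-list entry, so the sample server is reported.
    for finding in audit(SAMPLE, {"10.0.0.1"}):
        print(finding)
```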

ip address dhcp-alloc

Syntax
ip address dhcp-alloc
undo ip address dhcp-alloc

View
Interface view

Parameter
None

Description
Using the ip address dhcp-alloc command, you can allocate local IP addresses by making use of DHCP. Using the undo ip address dhcp-alloc command, you can disable the allocation of local IP addresses via DHCP negotiation.
This command must be configured and executed in Ethernet interface (including subinterface) view.
By default, DHCP negotiation is not used for the allocation of local IP addresses.

Example
Adopt DHCP negotiation for the allocation of local IP addresses on Ethernet0/0/0.
[3Com-Ethernet0/0/0] ip address dhcp-alloc

DHCP Relay Configuration Commands
debugging dhcp relay

Syntax
debugging dhcp relay
undo debugging dhcp relay

View
User view

Parameter
None

Description
Using the debugging dhcp relay command, you can enable debugging on the DHCP-relay module. Using the undo debugging dhcp relay command, you can disable DHCP-relay module debugging.

Example
Enable DHCP-relay module debugging.
<3Com> debugging dhcp relay

dhcp relay release

Syntax
dhcp relay release { client-ip mac-address } [ server-ip ]

View
Interface view
System view

Parameter
client-ip: IP address of the DHCP client.
mac-address: MAC address of the DHCP client, which is in the format of H-H-H.
server-ip: IP address of the DHCP server.

Description
Using the dhcp relay release command, you can send an IP address releasing request to a DHCP server via the DHCP relay.
If no DHCP server IP address is specified, release packets will be sent either to all the DHCP servers, if this command is configured in system view, or to all the relay addresses configured on an interface, if this command is configured in interface view.

Example
Send a release packet to the DHCP server at 10.110.91.174, requesting to release the IP address 192.2.2.25, which was offered to the client whose MAC address is 0050-ba34-2000.
[3Com] dhcp relay release 192.2.2.25 0050-ba34-2000 10.110.91.174

display dhcp relay address

Syntax
display dhcp relay address [ interface interface-name | all ]

View
Any view

Parameter
interface-name: Specifies an interface name, which is represented by interface type plus interface number.
all: All the interfaces.

Description
Using the display dhcp relay address command, you can view the DHCP relay address configuration of an interface.
For the related commands, see ip relay address and ip relay address interface.

Example
View the DHCP relay address configurations of all the interfaces.
<3Com> display dhcp relay address all
** Ethernet11/2/0 DHCP Relay Address **
Relay Address [0] : 3.3.3.3

display dhcp relay statistics

Syntax
display dhcp relay statistics

View
Any view

Parameter
None

Description
Using the display dhcp relay statistics command, you can view the statistics of DHCP relay in packet errors, DHCP packets received from clients, DHCP packets received from and sent to servers, and DHCP packets sent to clients (including unicast and broadcast packets).

Example
View DHCP relay statistics.
<3Com> display dhcp relay statistics
Bad Packets recieved:                  0
DHCP packets received from clients:    0
  DHCP DISCOVER packets received:      0
  DHCP REQUEST packets received:       0
  DHCP INFORM packets received:        0
  DHCP DECLINE packets received:       0
DHCP packets received from servers:    0
  DHCP OFFER packets received:         0
  DHCP ACK packets received:           0
  DHCP NAK packets received:           0
DHCP packets sent to servers:          0
DHCP packets sent to clients:          0
  Unicast packets sent to clients:     0

ip relay address

Syntax
ip relay address ip-address
undo ip relay address [ ip-address ]

View
Interface view

Parameter
ip-address: IP relay address in dotted decimal format.

Description
Using the ip relay address command, you can specify the exact location of a DHCP server by configuring an IP relay address for it. Using the undo ip relay address command, you can delete one or all relay IP addresses used by an interface.
By default, no relay IP address has been configured.
Executing undo ip relay address without ip-address will delete all the relay IP addresses configured on the current interface.
As the packets sent by DHCP client machines in some phases of DHCP are broadcast packets, the interfaces configured with relay IP addresses must support broadcast. In other words, this command can be used on the broadcast-supported network interfaces, Ethernet interfaces for example.
For the related command, see dhcp select interface.

Example
Add two relay IP addresses on Ethernet 0/0/0.
[3Com-Ethernet0/0/0] ip relay address 202.38.1.2
[3Com-Ethernet0/0/0] ip relay address 202.38.1.3

ip relay address cycle

Syntax
ip relay address cycle
undo ip relay address cycle

View
System view

Parameter
None

Description
Using the ip relay address cycle command, you can adopt the polling approach to relay packets, ensuring that different clients use different DHCP servers and the same clients use the same DHCP server so long as it is possible. Using the undo ip relay address cycle command, you can adopt the broadcast approach to relay packets to broadcast client requests to all the DHCP servers.
By default, the broadcast approach is adopted.
Suppose that there are three clients, i.e., A, B, and C, and the DHCP server has been configured with three relay addresses, i.e., S1, S2, and S3. If the polling approach is adopted to relay packets, A, B, and C will respectively use the relay addresses S1, S2, and S3. If A is shut down and restarted again, it will continue to use S1. But if a client other than these three clients started, it will use S1. Thus, the relay addresses will be used cyclically.
For the related command, see ip relay address.

Example
Adopt the polling approach to relay.
[3Com] ip relay address cycle
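The difference between the polling and broadcast approaches matters when tracing a client's lease, because under polling only one DHCP server sees that client's requests. The Python model below is an added example and is not the router's implementation: it assumes clients are keyed by MAC address, that a new client takes the next relay address in configuration order, and that a returning client keeps its earlier assignment; the class, method names and MAC addresses are hypothetical.

```python
class RelaySelector:
    """Model of relay-address selection (hypothetical class, not router code)."""

    def __init__(self, relay_addresses, cycle=False):
        if not relay_addresses:
            raise ValueError("at least one relay address is required")
        self.relays = list(relay_addresses)
        self.cycle = cycle       # True models "ip relay address cycle"
        self._assigned = {}      # client MAC -> index into self.relays
        self._next = 0           # index handed to the next new client

    def targets(self, client_mac):
        """Return the relay addresses a request from client_mac is sent to."""
        if not self.cycle:
            return list(self.relays)        # broadcast approach: every server
        key = client_mac.lower()
        if key not in self._assigned:
            self._assigned[key] = self._next
            self._next = (self._next + 1) % len(self.relays)
        return [self.relays[self._assigned[key]]]

    def clients_by_relay(self):
        """Map each relay address to the clients pinned to it, in arrival order.

        Under polling this tells an investigator which server's logs should
        hold a given client's requests.
        """
        result = {relay: [] for relay in self.relays}
        for mac, index in self._assigned.items():
            result[self.relays[index]].append(mac)
        return result


def replay(selector, macs):
    """Feed a sequence of client requests through the selector."""
    return [selector.targets(mac) for mac in macs]


if __name__ == "__main__":
    # Constructed clients A, B, C, then A again, then a fourth client D.
    macs = ["0000-0000-000a", "0000-0000-000b", "0000-0000-000c",
            "0000-0000-000a", "0000-0000-000d"]
    polling = RelaySelector(["S1", "S2", "S3"], cycle=True)
    for mac, chosen in zip(macs, replay(polling, macs)):
        print(mac, "->", chosen)
```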

ip relay address interface

Syntax
ip relay address ip-address [ interface ethernet-subinterface-range | all ]
undo ip relay address { ip-address | all } { interface ethernet-subinterface-range | all }

View
System view

Parameter
ip-address: IP address of the DHCP server.
ethernet-subinterface-range: Includes all the subinterfaces whose interface number lies between two subinterface numbers (including these two subinterfaces) by inserting the keyword “to” between these two interface numbers.
all: In the undo form of the command, the first all refers to all the relay addresses and the second all to all the interfaces.

Description
Using the ip relay address interface command, you can configure a relay address for the Ethernet interfaces in a specified range for the purpose of transparent forwarding. Using the undo ip relay address interface command, you can delete the configured relay address.
By default, no relay IP address has been configured on any Ethernet interface.
For the related command, see ip relay address.

Example
Add a relay IP address for the interfaces in the range of Ethernet2/0/0.1 to Ethernet2/0/0.5.
[3Com] ip relay address 202.38.1.2 interface ethernet 2/0/0.1 to ethernet 2/0/0.5

reset dhcp relay statistics

Syntax
reset dhcp relay statistics

View
User view

Parameter
None

Description
Using the reset dhcp relay statistics command, you can clear the DHCP relay statistics.
For the related command, see display dhcp relay statistics.

Example
Clear the DHCP relay statistics.
<3Com> reset dhcp relay statistics

IP Performance Configuration Commands
debugging ip

Syntax
debugging ip { icmp | packet [ acl { acl-number1 | acl-number2 } ] }
undo debugging ip { icmp | packet }

View
User view

Parameter
acl-number1: ACL based on the interface, in the range of 1000 to 1999.
acl-number2: ACL in the range of 1 to 199. The ACL in the range of 1 to 99 is the basic ACL and that in the range of 100 to 199 is the advanced ACL.

Description
Using the debugging ip icmp command, you can enable ICMP debugging. Using the undo debugging ip icmp command, you can disable ICMP debugging.
The debugging ip packet command is used to enable IP packet debugging. The debugging information can be filtered by filtering the IP packets via an ACL. Using the undo debugging ip packet command, you can disable IP packet debugging.

Example
Enable the IP debugging.
<3Com> debugging ip packet
*0.129680-IP-8-debug_case:
Delivering, interface = Serial0/0/0, version = 4, headlen = 20, tos = 6,
pktlen = 70, pktid = 49, offset = 0, ttl = 1, protocol = 17,
checksum = 50, s = 1.1.1.2, d = 224.0.0.2
prompt: IP packet is delivering up!
*0.129680-IP-8-debug_case:
Sending, interface = Serial0/0/0, version = 4, headlen = 20, tos = 6,
pktlen = 70, pktid = 49, offset = 0, ttl = 1, protocol = 17,
checksum = 55147, s = 1.1.1.2, d = 224.0.0.2
prompt: Sending the packet from local at Serial0/0/0
<3Com> debugging ip icmp
*0.157090-IP-8-debug_icmp:
ICMP Receive: echo(Type=8, Code=0), Src = 127.0.0.1, Dst = 1.1.1.2
*0.157090-IP-8-debug_icmp:
ICMP Send: echo-reply(Type=0, Code=0), Src = 1.1.1.2, Dst = 127.0.0.1
*0.157090-IP-8-debug_icmp:
ICMP Receive: echo-reply(Type=0, Code=0), Src = 1.1.1.2, Dst = 127.0.0.1


debugging tcp event

Syntax
debugging tcp event [ task_id socket_id ]
undo debugging tcp event [ task_id socket_id ]

View
User view

Parameter
task_id: The ID of a task.
socket_id: The ID of a socket.

Description
Using the debugging tcp event command, you can enable TCP events debugging. Using the undo debugging tcp event command, you can disable TCP events debugging.
The number of debugging switches that can be enabled is limited, that is, only a fixed number of debugging switches (combinations of task ID and socket ID) can be enabled at one time. In addition, when TCP accepts a connection request passively, a new socket will be created to establish that connection, and some programs, like the Telnet server, will create a new task to process the connection. So, to view information about such a connection, such parameters as task_id and socket_id cannot be used for filtering.

Example
Enable debugging of TCP events.
<3Com> debugging tcp event
*0.630270-SOCKET-8-TCP EVENT:
1043494683: task = Co0(2), socketid = 0, TCPCB 0x02c6fd74 created
*0.630270-SOCKET-8-TCP EVENT:
1043494683: task = Co0(2), socketid = 1, state CLOSED changed to SYN_SENT
*0.630270-SOCKET-8-TCP EVENT:
1043494683: task = Co0(2), socketid = 1, sending SYN, seq = 74249530, LA = 127.0.0.1:1025, FA = 1.1.1.1:23
*0.630270-SOCKET-8-TCP EVENT:
1043494683: task = Co0(2), socketid = 1, advertising MSS = 512, LA = 127.0.0.1:1025, FA = 1.1.1.1:23
*0.630270-SOCKET-8-TCP EVENT:
1043494683: task = VTYD(9), socketid = 0, received MSS = 512, LA = 1.1.1.1:23, FA = 127.0.0.1:1025
*0.50959090-SOCKET-8-TCP EVENT:
733759463: sending RST to 2.2.2.1:11022
*0.1293330-SOCKET-8-TCP EVENT:
1043495346: task = Co0(2), socketid = 1, connection refused because remote sent RST! LA = 1.1.1.1:1026, FA = 1.1.1.2:21
<3Com> display debugging
TCP:
TCP event debugging is on for task any socket any

debugging tcp md5

Syntax
debugging tcp md5
undo debugging tcp md5

View
User view

Parameter
None

Description
Using the debugging tcp md5 command, you can enable the MD5 authentication debugging of the TCP connection. Using the undo debugging tcp md5 command, you can disable the MD5 authentication debugging of the TCP connection.

Example
Enable the MD5 authentication debugging of the TCP connection.
<3Com> debugging tcp md5

debugging tcp packet

Syntax
debugging tcp packet [ task_id socket_id ]
undo debugging tcp packet [ task_id socket_id ]

View
User view

Parameter
task_id: The ID of a task.
socket_id: The ID of a socket.

Description
Using the debugging tcp packet command, you can enable the debugging of TCP connection. The number of debugging switches users can enable is limited, that is, at the same time only a fixed number of debugging switches can be enabled (combination of task ID and socket ID). Using the undo debugging tcp packet command, you can disable the debugging of TCP connection.

Example
Enable the debugging of TCP connection.
<3Com> debugging tcp packet
<3Com> display debugging
*0.100070-SOCKET-8-TCP PACKET:
1043204051: Input: Co0(5) socketId = 2, state = SYN_SENT, src = 127.0.0.1:1025, dst = 2.2.2.2:23, seq = 11084380, ack = 0, optlen = 4, flag = SYN , window = 8192
1043204051: Output: Co0(5) SocketId = 2, State = SYN_SENT, src = 127.0.0.1:1025, Dst = 2.2.2.2:23, Seq = 11084380, Ack = 0, Datalen = 4, Flag = ACK PSH , Window = 8192
1043204051: Retrans: Co0(5) SocketId = 2, State = SYN_SENT, Src = 127.0.0.1:1025, Dst = 2.2.2.2:23, Seq = 11084380, Ack = 0, Optlen = 4, Flag = SYN , Window = 8192

debugging udp packet

Syntax
debugging udp packet [ task_id socket_id ]
undo debugging udp packet [ task_id socket_id ]

View
User view

Parameter
task_id: The ID of a task.
socket_id: The ID of a socket.

Description
Using the debugging udp packet command, you can enable the debugging of UDP connection. The number of debugging switches users can enable is limited, that is, at the same time only a fixed number of debugging switches can be enabled (combination of task ID and socket ID). Using the undo debugging udp packet command, you can disable the debugging of UDP connection.

Example
Enable the debugging of UDP connection.
<3Com> debugging udp packet
<3Com> display debugging
*0.377770-SOCKET-8-UDP:
1043494431: Output: task = ROUT(6), socketid = 3, src = 1.1.1.1:520, dst = 255.255.255.255:520, datalen = 24,

display fib

Syntax
display fib

View
Any view

Parameter
None

Description
Using the display fib command, you can view the summary of the Forwarding Information Base.

This command outputs the Forwarding Information Base in a list, in which each line represents one route. The following points are included:
■ Destination address/mask length
■ Next hop
■ The current flag, which is expressed in the combination of G, H and U. G represents Gateway, H is Host (host route), and U is UP (available).
■ Time stamp
■ Outbound interface

Example
Display the summary of the forwarding information base.
<3Com> display fib
Destination/Mask    Nexthop      Flag  TimeStamp  Interface
80.10.0.2/32        80.10.0.2    GHU   t[0]       Serial2/0/0
80.10.255.255/32    127.0.0.1    HU    t[0]       InLoopBack0
80.10.0.0/16        80.10.0.1    U     t[0]       Serial2/0/0
80.50.0.2/32        80.50.0.2    GHU   t[0]       Serial2/0/0
80.50.255.255/32    127.0.0.1    HU    t[0]       InLoopBack0

display fib acl

Syntax
display fib acl { listnumber | listname }

View
Any view

Parameter
listnumber: The ACL rules expressed in number, ranging from 1 to 99.
listname: The ACL rules expressed in name.

Description
Using the display fib acl command, you can filter and display FIB information. According to the ACL number or name entered, the FIB table entries matching the filtering rules are displayed in a fixed format. If the ACL is expressed by name, a standard ACL name must be entered; otherwise, the system reports that the input is abnormal. When an ACL name, or a number ranging from 1 to 99, is entered, the corresponding ACL is searched for. If no ACL is found, information on all FIB table entries is displayed; if such an ACL is found, the matching FIB table entries are output in the format shown below.

If the number of FIB table entries matching the filtering rules is 0, the following information will be output:
Route entry matched by access-list 2:
Summary count: 0

If the number of FIB table entries matching the filtering rules is not 0, the FIB table entry information will be output in the following format:
Route entry matched by access-list 1:
Summary count: 1
Destination/Mask    Nexthop      Flag  TimeStamp  Interface
127.0.0.0/8         127.0.0.1    U     t[0]       InLoopBack0

Example
Display the FIB table entries matched by the ACL.
<3Com> display fib acl 10
Route entry matched by access-list 10:
Summary counts: 1
Destination/Mask    Nexthop      Flag  TimeStamp  Interface
127.0.0.0/8         127.0.0.1    U     t[0]       InLoopBack0

display fib begin

Syntax
display fib | [ { begin | include | exclude } text ]

View
Any view

Parameter
text: Character.

Description
Using the display fib command with a filter, you can output the lines of the buffer that relate to the line containing the character string text, according to the regular expression. Using the display fib | begin text command, you can view the lines from the line containing the character string text to the end of the buffer. Using the display fib | include text command, you can view only the lines containing the character string text. Using the display fib | exclude text command, you can view the lines not containing the character string text.

Example
Display the lines beginning from the line containing the character string “169.254.0.0” to the end line of the buffer:
<3Com> display fib | begin 169.254.0.0
Destination/Mask    Nexthop      Flag  TimeStamp  Interface
169.254.0.0/16      2.1.1.1      U     t[0]       Ethernet0/0/0
2.0.0.0/16          2.1.1.1      U     t[0]       Ethernet0/0/0
127.0.0.0/8         127.0.0.1    U     t[0]       InLoopBack0

Display all the lines containing the character string “Ethernet0”:
<3Com> display fib | include ethernet0/0/0
Destination/Mask    Nexthop      Flag  TimeStamp  Interface
169.254.0.0/16      2.1.1.1      U     t[0]       Ethernet0/0/0
2.0.0.0/16          2.1.1.1      U     t[0]       Ethernet0/0/0

Display all the lines not containing the character string “169.254.0.0”:
<3Com> display fib | exclude 169.254.0.0
Destination/Mask    Nexthop      Flag  TimeStamp  Interface
2.0.0.0/16          2.1.1.1      U     t[0]       Ethernet0/0/0
127.0.0.0/8         127.0.0.1    U     t[0]       InLoopBack0

display fib ip-prefix

Syntax
display fib ip-prefix listname

View
Any view

Parameter
listname: The name of the prefix list.

Description
Using the display fib ip-prefix command, you can filter and display FIB information. According to the prefix list name entered, the FIB entries matching the filtering rules in the prefix list are displayed in a fixed format. If no FIB table entry matches the prefix list, a prompt is displayed stating that the number of FIB entries matched by the prefix list is 0. If the prefix list name cannot be found, all FIB table entries are displayed; if the number of FIB table entries after filtering is not 0, they are output in the format shown below.

If no FIB table entry matches the prefix list, the following information will be output:
Route entry matched by prefix-list abc1:
Summary count: 0

If the number of FIB table entries after filtering is not 0, FIB table entry information will be output in the following format:
Route entry matched by prefix-list abc2:
Summary count: 1
Destination/Mask    Nexthop      Flag  TimeStamp  Interface
127.0.0.0/8         127.0.0.1    U     t[0]       InLoopBack0

Example
Display the FIB table entries matched by the prefix list abc0.
<3Com> display fib ip-prefix abc0
Route Entry matched by prefix-list abc0:
Summary count: 4
Destination/Mask    Nexthop      Flag  TimeStamp  Interface
127.0.0.0/8         127.0.0.1    U     t[0]       InLoopBack0
127.0.0.1/32        127.0.0.1    U     t[0]       InLoopBack0
169.0.0.0/8         2.1.1.1      SU    t[0]       Ethernet 0/0/0
169.0.0.0/15        2.1.1.1      SU    t[0]       Ethernet 0/0/0

display fib longer

Syntax
display fib dest-addr1 [ dest-mask2 ] [ longer ]

1. Using the above command, you can display the FIB table entries matching the destination address. Different parameter selections lead to different matching methods.
display fib dest-addr1 dest-mask1 dest-addr2 dest-mask2

2. Using the above command, you can display the FIB table entries whose destination address ranges from dest-addr1 dest-mask1 to dest-addr2 dest-mask2, including the FIB entries exactly matching dest-addr1 dest-mask1 and dest-addr2 dest-mask2.

View
Any view

Parameter
dest-addr1: The destination IP address 1, which is expressed in dot-delimited decimal format.
dest-mask1: The subnet mask 1 corresponding to the destination IP address 1, which is the mask in dot-delimited decimal format or the mask length in integer format.
dest-addr2: The destination IP address 2, which is expressed in dot-delimited decimal format.
dest-mask2: The subnet mask 2 corresponding to the destination IP address 2, which is the mask in dot-delimited decimal format or the mask length in integer format.

Description
Different parameter selections lead to different matching methods:
■ display fib dest-addr: According to the destination address, if FIB table entries can be found within the range of the natural mask, all the subnets are displayed. Otherwise, only the FIB table entries found by the longest match are displayed.
■ display fib dest-addr dest-mask: The FIB table entries exactly matching the destination address and mask are displayed.
■ display fib dest-addr longer: The FIB table entries matching the destination addresses within the range of the natural mask are displayed.
■ display fib dest-addr dest-mask longer: The FIB table entries matching the destination IP addresses within the entered mask range are displayed.
■ display fib dest-addr1 dest-mask1 dest-addr2 dest-mask2: The FIB table entries whose destination address is within the range from dest-addr1 dest-mask1 to dest-addr2 dest-mask2 are displayed.

Example
Display the FIB table entries whose destination address is the longest match for 169.253.0.0 within the natural mask range.
<3Com> display fib 169.253.0.0
Destination/Mask    Nexthop      Flag  TimeStamp  Interface
169.0.0.0/16        2.1.1.1      U     t[0]       Ethernet0/0/0

Display the FIB entries whose destination address is within the range from 169.254.0.0/16 to 169.254.0.6/16.
<3Com> display fib 169.254.0.0 255.255.0.0 169.254.0.6 255.255.0.0
Destination/Mask    Nexthop      Flag  TimeStamp  Interface
169.254.0.1/16      2.1.1.1      U     t[0]       Ethernet0/0/0

display fib statistics

Syntax
display fib statistics

View
Any view

Parameter
None

Description
Using the display fib statistics command, you can display the total number of FIB table entries.

Example
Display the total number of FIB table entries.
<3Com> display fib statistics
Route Entry Count : 30

display ip fast-forwarding cache

Syntax
display ip fast-forwarding cache

View
Any view

Parameter
None

Description
Using the display ip fast-forwarding cache command, you can view the information on the fast-forwarding table.

Example
Display the information of the fast-forwarding table.
[Router] display ip fast-forwarding cache
Fast-Forwarding cache:
Index  SrIP       SrPort  DsIP         DsPort  Pro  Input_If       Output_If      FLAG
600:0  1.1.3.149  1463    10.10.26.30  23      6    Ethernet0/0/0  Ethernet1/0/0  81

The above information indicates that the latest cache entry holds the data flow from port 1463 at 1.1.3.149 to port 23 at 10.10.26.30, with protocol number 6 (that is, TCP); the ingress is Ethernet0/0/0 and the egress is Ethernet1/0/0.

display ip interface

Syntax
display ip interface [ interface-type interface-number | interface-name ]

View
Any view

Parameter
interface-type: Interface type.
interface-number: Interface number.
interface-name: Interface name.

Description
Using the display ip interface command, you can view the information of IP interfaces. By default, if no interface is specified, the information about all IP interfaces will be displayed. This command displays all the IP-related information on the interface. The information is helpful for fault diagnosis. For the related command, see display interface.

Example
Display IP-related information at the interface Serial 0/0/0.
<3Com> display ip interface Serial 0/0/0
Serial 0/0/0 current state : UP
Line protocol current state : UP
Internet Address : 10.10.10.10/16
Broadcast address : 10.10.255.255
The Maximum Transmit Unit : 1500 bytes
input packets : 1231, bytes : 57557, multicasts : 1177
output packets : 0, bytes : 0, multicasts : 0

The above information shows that the physical link state of the interface Serial 0/0/0 is UP, the link-layer protocol state is UP, the maximum transmit unit is 1500 bytes, the IP address is 10.10.10.10, and the broadcast address is 10.10.255.255. It also shows the packet receiving and sending counts at this interface.

display ip socket

Syntax
display ip socket [ socktype sock_type ] [ task_id socket_id ]

View
Any view

Parameter
sock_type: The type of a socket (tcp: 1, udp: 2, raw ip: 3).
task_id: The ID of a task.
socket_id: The ID of a socket.

Description
Using the display ip socket command, you can display the information about all sockets in the current system.

Example
Display the information about the socket of TCP type.
<3Com> display ip socket socktype 1
SOCK_STREAM:
Task = VTYD(9), socketid = 1, Proto = 6, LA = 0.0.0.0:23, FA = 0.0.0.0:0, sndbuf = 4096, rcvbuf = 4096, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN
socket state = SS_PRIV SS_ASYNC
SOCK_DGRAM:
Task = ROUT(6), socketid = 1, Proto = 17, LA = 0.0.0.0:0, FA = 0.0.0.0:0, sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM
socket state = SS_PRIV SS_ASYNC
SOCK_RAW:
Task = ROUT(6), socketid = 2, Proto = 2, LA = 0.0.0.0, FA = 0.0.0.0, sndbuf = 32767, rcvbuf = 32767, sb_cc = 0, rb_cc = 0,
socket option = 0,
socket state = SS_PRIV SS_NBIO SS_ASYNC

Explanations of the display information:
■ SOCK_STREAM: the socket type.
■ Proto: the protocol number used by the socket.
■ sndbuf: the sending buffer size of the socket.
■ rcvbuf: the receiving buffer size of the socket.
■ sb_cc: the current data size in the sending buffer. The value makes sense only for the socket of TCP type, because only TCP is able to cache data.
■ rb_cc: the current data size in the receiving buffer.
■ socket option: the option of the socket.
■ socket state: the state of the socket.

Display the information about the socket with socket ID as 4 and task ID as 8.
<3Com> display ip socket 8 4
Task = VTYD(8), socketid = 4, Proto = 6, LA = 0.0.0.0:23, FA = 0.0.0.0:0, sndbuf = 4096, rcvbuf = 4096, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN
socket state = SS_PRIV SS_ASYNC
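The socket listing above is a quick way to audit which services a router accepts connections on. The following Python code is an added example, not part of the 3Com manual: it parses display ip socket output of the form shown above and lists the TCP sockets that have SO_ACCEPTCONN set, marking those bound to 0.0.0.0 (all interfaces). The function names and the re-wrapped sample text are assumptions.

```python
import re

# Constructed sample: the "display ip socket" output from the example above,
# re-wrapped. The parser ignores line breaks, so the wrapping does not matter.
SAMPLE = """\
SOCK_STREAM:
Task = VTYD(9), socketid = 1, Proto = 6, LA = 0.0.0.0:23, FA = 0.0.0.0:0,
sndbuf = 4096, rcvbuf = 4096, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN
socket state = SS_PRIV SS_ASYNC
SOCK_DGRAM:
Task = ROUT(6), socketid = 1, Proto = 17, LA = 0.0.0.0:0, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM
socket state = SS_PRIV SS_ASYNC
SOCK_RAW:
Task = ROUT(6), socketid = 2, Proto = 2, LA = 0.0.0.0, FA = 0.0.0.0,
sndbuf = 32767, rcvbuf = 32767, sb_cc = 0, rb_cc = 0,
socket option = 0, socket state = SS_PRIV SS_NBIO SS_ASYNC
"""

# Constructed sample: the single-socket form ("display ip socket 8 4"),
# which prints no SOCK_* section header.
SAMPLE_SINGLE = (
    "Task = VTYD(8), socketid = 4, Proto = 6, LA = 0.0.0.0:23, FA = 0.0.0.0:0, "
    "sndbuf = 4096, rcvbuf = 4096, sb_cc = 0, rb_cc = 0, "
    "socket option = SO_ACCEPTCONN socket state = SS_PRIV SS_ASYNC"
)

SECTION = re.compile(r"\b(SOCK_STREAM|SOCK_DGRAM|SOCK_RAW):")
# Two keys contain a space, and "socket option" is not always followed by a
# comma, so values are cut at the start of the next key rather than at commas.
KEY = re.compile(r"(socket option|socket state|\w+)\s*=\s*")


def _fields(record):
    hits = list(KEY.finditer(record))
    out = {}
    for cur, nxt in zip(hits, hits[1:] + [None]):
        end = nxt.start() if nxt else len(record)
        out[cur.group(1).lower()] = record[cur.end():end].strip(" ,")
    return out


def _endpoint(text):
    """'0.0.0.0:23' -> ('0.0.0.0', 23); raw sockets print no port."""
    host, sep, port = text.rpartition(":")
    return (host, int(port)) if sep else (text, None)


def parse_sockets(output):
    flat = " ".join(output.split())
    parts = SECTION.split(flat)
    # parts[0] holds records printed before any SOCK_* header (type unknown).
    sections = [(None, parts[0])] + list(zip(parts[1::2], parts[2::2]))
    sockets = []
    for sock_type, body in sections:
        for chunk in re.split(r"(?=Task\s*=)", body):
            f = _fields(chunk)
            if "task" not in f:
                continue
            sockets.append({
                "type": sock_type,
                "task": f["task"],
                "socketid": int(f["socketid"]),
                "proto": int(f["proto"]),
                "local": _endpoint(f["la"]),
                "foreign": _endpoint(f["fa"]),
                "options": set(f.get("socket option", "").split()),
                "state": set(f.get("socket state", "").split()),
            })
    return sockets


def listening_tcp(sockets):
    """(task, address, port, bound_to_all_interfaces) for accepting TCP sockets."""
    return [(s["task"], s["local"][0], s["local"][1], s["local"][0] == "0.0.0.0")
            for s in sockets
            if s["proto"] == 6 and "SO_ACCEPTCONN" in s["options"]]


if __name__ == "__main__":
    for task, addr, port, wildcard in listening_tcp(parse_sockets(SAMPLE)):
        scope = "all interfaces" if wildcard else addr
        print(f"{task} accepts TCP connections on port {port} ({scope})")
```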

display ip statistics

Syntax
display ip statistics

View
Any view

Parameter
None

Description
Using the display ip statistics command, you can view IP traffic statistics information. This command displays statistics such as IP packets transmitted and received and packet assembly and disassembly, which is helpful for fault diagnosis. For the related commands, see display interface, display ip interface, and reset ip statistics.

Example
Display the IP traffic statistic information.
<3Com> disp ip stat
Input:        sum             0    local              0
              bad protocol    0    bad format         0
              bad checksum    0    bad options        0
Output:       forwarding      0    local              0
              dropped         0    no route           0
              compress fails  0
Fragment:     input           0    output             0
              dropped         0
              fragmented      0    couldn't fragment  0
Reassembling: sum             0    timeouts           0

display icmp statistics

Syntax
display icmp statistics

View
Any view

Parameter
None

Description
Using the display icmp statistics command, you can view the statistics of ICMP packet traffic. For the related command, see display interface.

Example
Display the statistics of ICMP packet traffic.
[Router] display icmp statistics
Input:  bad formats    0     bad checksum             0
        echo           5     destination unreachable  0
        source quench  0     redirects                0
        echo reply     15    parameter problem        0
        timestamp      0     information request      0
        mask requests  0     mask replies             0
        time exceeded  1
Output: echo           15    destination unreachable  0
        source quench  0     redirects                0
        echo reply     5     parameter problem        0
        timestamp      0     information reply        0
        mask requests  0     mask replies             0
        time exceeded  1

■ bad formats: Number of input packets in bad format
■ bad checksum: Number of input packets with wrong checksum
■ echo: Number of input/output echo request packets
■ destination unreachable: Number of input/output packets with unreachable destination
■ source quench: Number of input/output source quench packets
■ redirects: Number of input/output redirected packets
■ echo reply: Number of input/output echo reply packets
■ parameter problem: Number of input/output packets with parameter problem
■ timestamp: Number of input/output timestamp packets
■ information request: Number of input information request packets
■ mask requests: Number of input/output mask request packets
■ mask replies: Number of input/output mask reply packets
■ information reply: Number of output information reply packets
■ time exceeded: Number of time exceeded packets

display tcp statistics

Syntax
display tcp statistics

View
Any view

Parameter
None

Description
Using the display tcp statistics command, you can view TCP traffic statistic information. The command displays the traffic statistics of all the active TCP connections. The statistics are divided into two parts, receiving and sending, and each part is further divided by packet type. For example, for receiving packets, there are retransmission packet numbers, keep-alive detection packet numbers, etc. Statistics closely related to connections are also displayed, such as the number of connections received, retransmission packet numbers and keep-alive detection packet numbers. The unit of the statistics is the packet, and in some cases the byte. For the related command, see display tcp status.

Example
Display the TCP traffic statistic information.
<3Com> display tcp statistics
Received packets:
Total: 0
packets in sequence: 0 (0 bytes)
window probe packets: 0, window update packets: 0
checksum error: 0, bad offset : 0, too short : 0
duplicate packets : 0 (0 bytes), partially duplicate packets : 0(0 bytes)
out-of-order packets : 0 (0 bytes)
packets with data after window : 0 (0 bytes)
packets after close : 0
ack packets:0 (0 bytes), duplicate ack packets:0, ack packets with unsend data:0
Sent packets:
Total: 0
urgent packets: 0
control packets: 0 ( 0 RST)
window probe packets: 0, window update packets: 0
data packets : 0 (0 bytes), data packets retransmitted: 0 (0 bytes)
ack only packets : 0(0 delayed)
Total retransmit timeout: 0, connections dropped in retransmit timeout: 0
Keepalive timeout: 0, keepalive probe: 0, dropped connections in keepalive: 0
Initiated connections: 0, accepted connections: 0,established connections: 0
Closed connections: 0,( dropped: 0, embryonic dropped: 0)
Dropped packets with MD5 authentication : 0
Permitted packets with MD5 authentication : 0

The above information means:

Receiving statistics:
■ Total number of packets received: 0.
■ The number of packets arriving in sequence: 0 (total bytes: 0).
■ The number of window probe packets: 0, the number of window update packets: 0.
■ The number of packet verification errors: 0, the number of packet length errors: 0.
■ The number of completely duplicate packets: 0 (total bytes: 0), the number of partially duplicate packets: 0 (total bytes: 0).
■ The number of out-of-order packets: 0 (total bytes: 0).
■ The number of packets arriving outside the receiving window: 0 (total bytes: 0).
■ The number of packets arriving after the connection was closed: 0.
■ The number of ACK packets: 0 (bytes of acknowledged data: 0), the number of duplicate ACK packets: 0, the number of ACK packets acknowledging data not yet sent: 0.

Sending statistics:
■ Total number of packets sent: 0.
■ The number of urgent packets: 0.
■ The number of control packets: 0 (number of RST packets: 0).
■ The number of window probe packets: 0, the number of window update packets: 0.
■ The number of data packets: 0 (total bytes: 0), the number of retransmitted packets: 0 (total bytes: 0).
■ The number of ACK packets: 0 (number of delayed ACK packets: 0).
■ The number of retransmission timer timeouts: 0, the number of connections discarded because the retransmission limit was exceeded: 0.
■ The number of keep-alive timer timeouts: 0, the number of keep-alive detection packets sent: 0.
■ The number of connections initiated: 0, the number of connections received: 0, the number of connections established: 0.
■ The number of connections already closed: 0, the number of connections discarded accidentally (after SYN is received): 0, the number of connections that actively failed to establish (before SYN is received): 0.
■ The number of packets discarded after MD5 verification: 0.
■ The number of packets passing MD5 verification: 0.
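Because these counters are cumulative until reset tcp statistics is run, they are most useful when two snapshots are compared. The following Python code is an added example, not part of the 3Com manual: it extracts a few counters from two display tcp statistics captures, computes the increase between them, and raises an alert when packets were newly dropped by MD5 authentication. The two snapshots are constructed and abbreviated, and the counter names, function names and threshold are assumptions.

```python
import re

# Counters worth trending, keyed by a short name. Each regex is written
# against the labels printed by "display tcp statistics" above.
COUNTERS = {
    "md5_dropped": r"Dropped packets with MD5 authentication\s*:\s*(\d+)",
    "md5_permitted": r"Permitted packets with MD5 authentication\s*:\s*(\d+)",
    "checksum_error": r"checksum error\s*:\s*(\d+)",
    "rst_sent": r"control packets\s*:\s*\d+\s*\(\s*(\d+)\s*RST\)",
    "embryonic_dropped": r"embryonic dropped\s*:\s*(\d+)",
    "retransmit_drops": r"connections dropped in retransmit timeout\s*:\s*(\d+)",
}

# Constructed, abbreviated snapshots in the layout of the example above.
BEFORE = """\
Received packets:
Total: 5120
checksum error: 0, bad offset : 0, too short : 0
Sent packets:
Total: 4876
control packets: 12 ( 2 RST)
Total retransmit timeout: 1, connections dropped in retransmit timeout: 0
Closed connections: 9,( dropped: 1, embryonic dropped: 0)
Dropped packets with MD5 authentication : 3
Permitted packets with MD5 authentication : 4100
"""

AFTER = """\
Received packets:
Total: 5260
checksum error: 0, bad offset : 0, too short : 0
Sent packets:
Total: 4950
control packets: 14 ( 2 RST)
Total retransmit timeout: 1, connections dropped in retransmit timeout: 0
Closed connections: 11,( dropped: 1, embryonic dropped: 2)
Dropped packets with MD5 authentication : 45
Permitted packets with MD5 authentication : 4160
"""

# Constructed snapshot taken after the counters were cleared in between.
AFTER_RESET = """\
checksum error: 0, bad offset : 0, too short : 0
control packets: 1 ( 0 RST)
Total retransmit timeout: 0, connections dropped in retransmit timeout: 0
Closed connections: 0,( dropped: 0, embryonic dropped: 0)
Dropped packets with MD5 authentication : 1
Permitted packets with MD5 authentication : 20
"""


def parse_counters(text):
    """Extract the counters named in COUNTERS; line wrapping is ignored."""
    flat = " ".join(text.split())
    found = {}
    for name, pattern in COUNTERS.items():
        m = re.search(pattern, flat, re.IGNORECASE)
        if m:
            found[name] = int(m.group(1))
    return found


def increase(before, after):
    """Return (per-counter increase, reset_detected).

    If any counter went down, the statistics were cleared between the two
    snapshots, so every current value counts as new since the reset.
    """
    reset = any(after[k] < before.get(k, 0) for k in after)
    if reset:
        return dict(after), True
    return {k: after[k] - before.get(k, 0) for k in after}, False


def md5_drop_alert(before_text, after_text, max_new_drops=0):
    """Return alert details if more than max_new_drops packets were newly
    dropped by MD5 authentication, else None."""
    deltas, reset = increase(parse_counters(before_text), parse_counters(after_text))
    new_drops = deltas.get("md5_dropped", 0)
    if new_drops <= max_new_drops:
        return None
    return {
        "new_md5_drops": new_drops,
        "new_md5_permitted": deltas.get("md5_permitted", 0),
        "counters_were_reset": reset,
    }


if __name__ == "__main__":
    print(md5_drop_alert(BEFORE, AFTER))
```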

















display tcp status

Syntax
display tcp status

View
Any view

Parameter
None

Description
Using the display tcp status command, you can monitor TCP connections at any time. For the related command, see display local-user.

Example
Display the TCP connection status.
<3Com> display tcp status
TCPCB     Local Address     Foreign Address     State
0442c394  10.110.93.146.23  10.110.93.175.1538  ESTAB
045d8074  0.0.0.0.21        0.0.0.0.0           LISTEN

display udp statistics

Syntax
display udp statistics

View
Any view

Parameter
None

Description
Using the display udp statistics command, you can view TCP traffic statistic information. The command is used to display the traffic statistic information of all the active TCP connections. The statistics are divided into two parts, receiving and sending, and each part can be further divided by packet type, such as checksum packets and error packets. There are also statistics closely related to connections, such as the number of broadcast packets. The statistics are counted in packets. For the related configuration, refer to the reset udp statistics command.

Example
Display the UDP traffic statistic information.
<3Com> display udp statistics
Received packet:
Total:0
checksum error:0
shorter than header:0, data length larger than packet:0
no socket on port:0
broadcast:0
not delivered, input socket full:0
input packets missing pcb cache:0
Sent packet:
Total:0

The displayed information is explained as follows: 0 UDP packets were received; 0 packets had a checksum error; 0 packets were shorter than the packet header; 0 packets had a data length larger than the packet length; 0 packets arrived for a port that no socket uses; 0 packets were broadcast packets; 0 packets were not delivered because the socket buffer was full; 0 packets did not find a pcb; and 0 UDP packets were sent.

ip fast-forwarding

Syntax
ip fast-forwarding [ inbound | outbound ]
undo ip fast-forwarding

View
Interface view

Parameter
inbound: Allows fast-forwarding only on the inbound interface.
outbound: Allows fast-forwarding only on the outbound interface.

Description
Using the ip fast-forwarding command, you can enable fast packet forwarding on the outbound interface. Using the undo ip fast-forwarding command, you can disable fast-forwarding on the outbound interface. By default, fast-forwarding is allowed on both inbound and outbound interfaces.

Fast-forwarding is well suited to high-speed links (such as Ethernet and FR). It is of no use on a low-speed link, however, because of the low transmission rate such a link can provide. 3Com Series Routers support fast-forwarding on the links of various high-speed interfaces such as Ethernet, synchronous PPP, FR, and HDLC, on the interfaces configured with firewall and NAT features, and on the virtual tunnel interface of GRE as well. Note, however, that an interface configured with fast-forwarding is unable to send ICMP redirection packets.

Example
Disable fast forwarding of packets on the interface.
[3Com-Ethernet/0/0] undo ip fast-forwarding

Enable the interface to fast forward packets on ingress.
[3Com-Ethernet0/0/0] ip fast-forwarding inbound

reset ip fast-forwarding cache

Syntax
reset ip fast-forwarding cache

View
User view

Parameter
None

Description
Using the reset ip fast-forwarding cache command, you can reset the fast-forwarding cache. This command is used to clear the fast-forwarding cache. The fast-forwarding table will not contain any fast-forwarding entry after having been cleared.

Example
Clear the fast-forwarding cache.
<3Com> reset ip fast-forwarding cache

reset ip statistics

Syntax
reset ip statistics

View
User view

Parameter
None

Description
Using the reset ip statistics command, you can clear the IP statistics information. In some special cases, it is necessary to clear the IP statistics information and perform new statistics. For the related commands, see display ip interface and display ip statistics.

Example
Clear IP statistics information.
<3Com> reset ip statistics

reset tcp statistics

Syntax
reset tcp statistics

View
User view

Parameter
None

Description
Using the reset tcp statistics command, you can clear TCP traffic statistic information. After the execution of this command, there is no prompt information on the screen, and the existing statistics are cleared. For the related command, see display tcp statistics.

Example
Display the TCP traffic statistic information.
<3Com> reset tcp statistics

reset udp statistics

Syntax
reset udp statistics

View
User view

Parameter
None

Description
Using the reset udp statistics command, you can clear the UDP statistics information. After the execution of this command, there is no prompt information on the screen, and the existing statistics are cleared.

Example
Clear UDP traffic statistics information.
<3Com> reset udp statistics

tcp mss

Syntax
tcp mss value
undo tcp mss

View
Interface view

Parameter
value: The threshold for the TCP packet to be fragmented, with the value ranging from 128 to 2048.

Description
Using the tcp mss command, you can designate a value as the threshold for TCP packets to be fragmented. The undo tcp mss command is used to prevent TCP packets from being fragmented. Because the default MTU of the interface is 1500 bytes, the total length of encryption packet header + data link overhead + IP packet header + TCP packet is restricted to 1500 bytes. So the length at which TCP packets are fragmented may be about 1200 bytes. By default, TCP packets are not fragmented.

Example
Configure the threshold of TCP packet fragmentation to be 300.
[3Com-Ethernet0/0/0] tcp mss 300

tcp timer fin-timeout

Syntax
tcp timer fin-timeout time-value
undo tcp timer fin-timeout

View
System view

Parameter
time-value: TCP finwait timer value, in seconds, with the value range of 76 to 3600.

Description
Using the tcp timer fin-timeout command, you can configure the TCP finwait timer. Using the undo tcp timer fin-timeout command, you can restore the default value of the timer. By default, the TCP finwait timer value is 675 seconds. When the TCP connection status changes from FIN_WAIT_1 to FIN_WAIT_2, the finwait timer is started. If no FIN packet is received before the finwait timer times out, the TCP connection will be closed. The configuration of this parameter needs to be implemented under the guidance of the technical support engineers. For the related commands, see tcp timer syn-timeout and tcp window.

Example
Configure the TCP finwait timer value as 675 seconds.
[3Com] tcp timer fin-timeout 675

tcp timer syn-timeout

Syntax
tcp timer syn-timeout time-value
undo tcp timer syn-timeout

View
System view

Parameter
time-value: TCP synwait timer value, in seconds, with the value range of 2 to 600.

Description
Using the tcp timer syn-timeout command, you can configure the TCP synwait timer. Using the undo tcp timer syn-timeout command, you can restore the default value of the timer. By default, the TCP synwait timer value is 75 seconds. When a SYN packet is sent, TCP starts the synwait timer. If the response packet is not received before the synwait timer times out, the TCP connection will be disabled. The configuration of this parameter needs to be implemented under the guidance of the technical support engineers. For the related commands, see tcp timer fin-timeout and tcp window.

Example
Configure the TCP synwait timer value as 75 seconds.
[3Com] tcp timer syn-timeout 75

tcp window

Syntax
tcp window window-size
undo tcp window

View
System view

Parameter
window-size: The size of the transceiving buffer of the connection-oriented Socket in kilobytes (KB), with the value ranging from 1 to 32.

Description
Using the tcp window command, you can configure the size of the transceiving buffer of the connection-oriented Socket. Using the undo tcp window command, you can restore the default size of the buffer. By default, the size of the connection-oriented transceiving buffer is 4K bytes. The configuration of this parameter needs to be implemented under the guidance of the technical support engineers. For the related commands, see tcp timer fin-timeout and tcp timer syn-timeout.

Example
Configure the size of the transceiving buffer of the connection-oriented Socket as 4 KB.
[3Com] tcp window 4

debugging nat

Syntax
debugging nat { alg | event | packet [ interface { interface-type interface-number | interface-name } ] }
undo debugging nat { alg | event | packet [ interface { interface-type interface-number | interface-name } ] }

View
User view

Parameter
alg: Enables the application level gateway NAT debugging information.
event: Enables NAT event debugging information.
packet: Enables NAT data packet debugging information.
interface: Enables NAT packet debugging for a specified interface.

Description
Using the debugging nat command, you can enable the NAT debugging function. Using the undo debugging nat command, you can disable the NAT debugging function.

display nat

Syntax
display nat { address-group | aging-time | all | outbound | server | statistics | session [ vpn-instance vpn-instance-name ] [ slot slot-number ] [ destination ip-addr ] [source global global-addr | source inside inside-addr ] }

View
Any view

Parameter
address-group: Displays the information of the address pool.
aging-time: Displays the effective time for NAT connection.
all: Displays all the information about NAT.
outbound: Displays the information of the outbound NAT.
server: Displays the information of the internal server.
statistics: Displays the statistics of current NAT records.
session: Displays the information of the currently activated connection.
vpn-instance vpn-instance-name: Displays the NAT table items of a specified VPN. If this parameter is omitted, the NAT items for all VPNs are listed.
slot slot-number: Designates the slot number of an interface. This parameter is reserved for use in a distributed environment.
destination ip-addr: Displays the NAT table items of a specified destination IP address.
source global global-addr: Only displays the NAT entry with address as global-addr after NAT.
source inside inside-addr: Only displays the NAT entry with internal address as inside-addr.

Description
Using the display nat command, you can display the configuration of address translation. Users can verify whether the configuration of address translation is correct according to the output of this command. When address translation connection information is displayed, the parameters global-addr and inside-addr can be specified for the display nat session command simultaneously.

Example
Display all the information about address translation.
<3Com> display nat all
NAT address-group Information:
1: from 11.1.1.1 to 11.1.1.20
2: from 22.1.1.1 to 22.1.1.20
NAT outbound information:
Serial0/0/0: acl(11)-NAT address-group(1) [no-pat]
Serial0/0/0: acl(22)-NAT address-group(2) [no-pat]
Server in private network information:
Interface    GlobalAddr    GlobalPort  InsideAddr  InsidePort  Pro
Serial0/0/0  201.119.11.3  8080        5.5.5.5     80(www)     6(tcp)
Serial0/0/0  201.119.11.3  2121        5.5.5.5     21(ftp)     6(tcp)
NAT aging-time value information:
tcp------aging-time value is 240(seconds)
udp------aging-time value is 40(seconds)
icmp-----aging-time value is 20(seconds)

The information above indicates:

Two address pools are configured: address pool 1 ranges from 11.1.1.1 to 11.1.1.20, and address pool 2 ranges from 22.1.1.1 to 22.1.1.20. Two address translation associations are configured at Serial0/0/0: ACL 11 is associated with address pool 1 and one-to-one address translation is performed; and ACL 22 is associated with address pool 2, and one-to-one address translation is performed. Serial0/0/0 is configured with 2 internal servers: the www server of http://202.119.11.3:8080, whose internal address is 5.5.5.5; and the ftp server of ftp://202.119.11.3:2121, whose internal address is 5.5.5.5.

nat address-group

Syntax
nat address-group group-number start-addr end-addr
undo nat address-group group-number

View
System view

Parameter
group-number: The ID of the defined address pool, an integer ranging from 0 to 31.
start-addr: Starting IP address in the address pool.
end-addr: Ending IP address in the address pool.

Description
Using the nat address-group command, you can configure an address pool. Using the undo nat address-group command, you can delete an IP address pool. An address pool is a set of outside IP addresses. If start-addr and end-addr are the same, the pool contains only one address.

CAUTION: The length of an address pool (the number of addresses contained in the pool) cannot exceed 256. An address pool cannot be deleted if it has been associated with an access control list to perform address translation.

Example
Configure an address pool from 202.110.10.10 to 202.110.10.15, with its NAT pool ID being 1.
[3Com] nat address-group 1 202.110.10.10 202.110.10.15

nat aging-time

Syntax
nat aging-time { default | { dns | ftp-ctrl | ftp-data | icmp | pptp | tcp | tcp-fin | tcp-syn | udp } seconds }

View
System view

Parameter
default: Sets the address translation lifetime values to the defaults.
dns: Sets the address translation lifetime for DNS to 60 seconds (default).
ftp-ctrl: Sets the address translation lifetime for FTP control links to 7200 seconds (default).
ftp-data: Sets the address translation lifetime for FTP data links to 240 seconds (default).
icmp: Sets the address translation lifetime for ICMP to 60 seconds (default).
pptp: Sets the address translation lifetime for PPTP to 86400 seconds (default).
tcp: Sets the address translation lifetime for TCP to 86400 seconds (default).
tcp-fin: Sets the address translation lifetime for TCP FIN or TCP RST connections to 60 seconds (default).
tcp-syn: Sets the address translation lifetime for TCP SYN connections to 60 seconds (default).
udp: Sets the address translation lifetime for UDP to 300 seconds (default).
seconds: Time value in the range 10 to 86400 (24 hours).

Description
Using the nat aging-time command, you can set the lifetime of NAT connections. The lifetime of an address translation connection is set in seconds, and different values can be set for different types of protocols.

nat outbound

Syntax
nat outbound acl-number [ address-group group-number [ no-pat ] ]
undo nat outbound acl-number [ address-group group-number [ no-pat ] ]

View
Interface view

Parameter
address-group: Configures address translation by means of an address pool. If no address pool is specified, the IP address of the interface is used as the translated address, i.e., the "easy ip" feature.
no-pat: Uses simple address translation, which translates only the address of the packet and does not use port information.
acl-number: ACL index in the range of 1 to 199 (the advanced ACL can be used).
group-number: The number of a defined address pool.

Description
Using the nat outbound command, you can associate an ACL with an address pool, indicating that the addresses specified in acl-number can be translated by using address pool group-number. Using the undo nat outbound command, you can remove the corresponding address translation.
The source address of a packet that conforms to the ACL is translated according to the association between the ACL and the address pool. The system performs address translation by selecting one address in the address pool or by directly using the IP address of the interface. Users can configure different address translation associations at the same interface. The corresponding undo form of the command can be used to delete the related address translation association. Normally, this interface is connected to the ISP and serves as the exit interface of the inside network.
The command without the address-group parameter implements the "easy-ip" feature. When performing address translation, the IP address of the interface is used as the translated address, and the ACL can be used to control which addresses can be translated.

Example
Enable the hosts of the 10.110.10.0/24 network segment to perform address translation by selecting the addresses from 202.110.10.10 to 202.110.10.12 as the translated address. Suppose that the interface Serial0/0/0 connects to the ISP.
[3Com] acl number 1
[3Com-acl-basic-1] rule permit source 10.110.10.0 0.0.0.255
[3Com-acl-basic-1] rule deny

Configure the address pool.
[3Com] nat address-group 1 202.110.10.10 202.110.10.12

Allow address translation and use the addresses of address pool 1 for address translation. During translation, the information of TCP/UDP port is used.
[3Com-Serial0/0/0] nat outbound 1 address-group 1

Delete the corresponding configuration.
[3Com-Serial0/0/0] undo nat outbound 1 address-group 1

Configure simple address translation (the TCP/UDP port information is not used to perform the address translation).
[3Com-Serial0/0/0] nat outbound 1 address-group 1 no-pat

Delete the corresponding configuration.
[3Com-Serial0/0/0] undo nat outbound 1 address-group 1 no-pat

Perform address translation by using the IP address of interface Serial0/0/0 directly.
[3Com-Serial0/0/0] nat outbound 1

Delete the corresponding configuration.
[3Com-Serial0/0/0] undo nat outbound 1

nat server

Syntax
nat server [ vpn-instance vpn-instance-name ] protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port
nat server [ vpn-instance vpn-instance-name ] protocol pro-type global global-addr [ global-port ] inside host-addr [ host-port ]
undo nat server [ vpn-instance vpn-instance-name ] protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port
undo nat server [ vpn-instance vpn-instance-name ] protocol pro-type global global-addr [ global-port ] inside host-addr [ host-port ]

View
Interface view

Parameter
vpn-instance-name: The virtual route forwarding instance of the VPN the internal server belongs to. If the parameter is not configured, the internal server belongs to an ordinary private network rather than an MPLS VPN.
global-addr: An IP address provided for the outside to access (a legal IP address).
global-port: A service port number provided for the outside to access. If omitted, its value is the same as the value of host-port.
host-addr: IP address of the server in the internal LAN.
host-port: Service port number provided by the server, in the range of 0 to 65535. Commonly used port numbers can be replaced by key words. For example, the www service port number is 80, which can also be represented by www; the ftp service port number is 21, which can also be represented by ftp. If host-port is 0, all types of services can be provided, and the key word any can be used instead. If the parameter is not configured, it is treated as any, which is the same as a static connection between global-addr and host-addr. When host-port is configured as any, global-port must also be any; otherwise the configuration is illegal.
global-port1, global-port2: Specify a port range through two port numbers, forming a corresponding relation with the internal host address range. global-port2 must be larger than global-port1.
host-addr1, host-addr2: Define a range of consecutive addresses, which match the ports in the range defined above one-to-one. host-addr2 must be bigger than host-addr1. The number of addresses in the range should be the same as the number of ports defined by global-port1 and global-port2.
pro-type: The protocol type carried by IP, either a protocol ID or a key word as a substitution. For example: icmp (its protocol ID is 1), tcp (its protocol ID is 6), udp (its protocol ID is 7).

Description
Using the nat server command, you can define the mapping table of an internal server. Users can access the internal server whose address and port are host-addr and host-port through the address and port defined by global-addr and global-port. Using the undo nat server command, you can remove the mapping table.
Through this command, you can configure some internal network servers for outside use, for example, www, ftp, telnet, kpop3, dns and so on. The internal server can be located in an ordinary private network or in an MPLS VPN.
Up to 256 internal server conversion commands can be configured on one interface and at most 4096 internal servers can be configured on one interface. Up to 1024 internal server conversion commands can be configured in one system. If the nat servers are configured in the form of a port range (i.e., a port range is specified through global-port1 and global-port2, forming a corresponding relation with the address range of the internal hosts), the number of internal servers is the same as the number of ports configured, and the maximum number is also 4096.
The interface on which this command is configured is connected to the ISP and serves as the gateway of the internal network.

Example
Specify the IP address of the interior www server of the LAN as 10.110.10.10 and the IP address of the interior ftp server as 10.110.10.11. It is expected that the outside can access the web server through http://202.110.10.10:8080 and connect to the FTP site through ftp://202.110.10.10. Suppose that Serial0/0/0 is connected to the ISP.
[3Com-Serial0/0/0] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www
[3Com] ip vpn-instance vrf10
[3Com-vpn-instance] route-distinguisher 100:001
[3Com-Serial0/0/0] nat server protocol tcp global 202.110.10.10 inside 10.110.10.11 ftp

Specify one interior host 10.110.10.12, expecting that the host of the exterior network can ping it with ping 202.110.10.11 command.
[3Com-Serial0/0/0] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12

Delete the www server.
[3Com-Serial0/0/0] undo nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www

By the command below, the internal ftp server of VPN vrf10 can be removed.
[3Com-Serial0/0/0] undo nat server protocol tcp global 202.110.10.11 8070 inside 10.110.10.11 ftp

Specify an outside address as 202.110.10.10, and map the ports ranging from 1001 to 1100 to the addresses of 10.110.10.1 to 10.110.10.100 respectively to access ftp service inside VPN vrf10. 202.110.10.10:1001 accesses 10.110.10.1, 202.110.10.10:1002 accesses 10.110.10.2, etc.
[3Com-Serial0/0/0] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet
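The nat server rules above (keyword ports, the any rule, and the one-to-one pairing of a port range with an address range) determine exactly which internal hosts and services a configuration exposes. The following Python script is an added example, not 3Com code: it expands nat server lines into individual mappings, rejects lines that break the stated constraints, and flags all-service and cleartext (ftp, telnet) exposures. The sample lines are constructed from the examples above; the telnet=23 mapping and the finding labels are assumptions.

```python
import ipaddress
import re

# www=80 and ftp=21 are the keywords given in the reference; telnet=23 is the
# standard assignment (assumption). Port 0 / "any" means every service.
SERVICE_PORTS = {"www": 80, "ftp": 21, "telnet": 23, "any": 0}
CLEARTEXT = {21: "ftp", 23: "telnet"}

# Optional CLI prompt, then the command; "undo nat server" lines do not match.
NAT_SERVER_RE = re.compile(
    r"^(?:[\[<][^\]>]*[\]>]\s*)?nat server (?:vpn-instance \S+ )?"
    r"protocol (\S+) global (.+?) inside (.+)$")

def port_number(token):
    """Translate a port keyword or decimal string into an integer 0..65535."""
    port = SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {token}")
    return port

def parse_nat_server(line):
    """Expand one command into (proto, global_ip, global_port, inside_ip,
    inside_port) tuples, enforcing the constraints stated in the reference."""
    m = NAT_SERVER_RE.match(line.strip())
    if not m:
        raise ValueError("not a nat server command")
    proto, g, h = m.group(1), m.group(2).split(), m.group(3).split()
    gaddr = str(ipaddress.IPv4Address(g[0]))
    if len(g) == 3 and len(h) == 3:            # port-range form
        gp1, gp2 = port_number(g[1]), port_number(g[2])
        h1, h2 = ipaddress.IPv4Address(h[0]), ipaddress.IPv4Address(h[1])
        hport = port_number(h[2])
        if gp2 <= gp1 or h2 <= h1:
            raise ValueError("range end must be larger than range start")
        if gp2 - gp1 != int(h2) - int(h1):
            raise ValueError("port count differs from address count")
        return [(proto, gaddr, gp1 + k, str(h1 + k), hport)
                for k in range(gp2 - gp1 + 1)]
    if len(g) in (1, 2) and len(h) in (1, 2):  # single-server form
        haddr = str(ipaddress.IPv4Address(h[0]))
        hport = port_number(h[1]) if len(h) == 2 else 0   # omitted means any
        gport = port_number(g[1]) if len(g) == 2 else hport
        if hport == 0 and gport != 0:
            raise ValueError("host-port any requires global-port any")
        return [(proto, gaddr, gport, haddr, hport)]
    raise ValueError("unexpected number of arguments")

def audit(config_text):
    """Return (kind, detail) findings for every nat server line in a config."""
    findings = []
    for line in config_text.splitlines():
        if not NAT_SERVER_RE.match(line.strip()):
            continue
        try:
            mappings = parse_nat_server(line)
        except ValueError as err:
            findings.append(("invalid", f"{line.strip()} ({err})"))
            continue
        for proto, gip, gport, hip, hport in mappings:
            if hport == 0:       # static mapping: every port of the protocol
                findings.append(("all-ports", f"{proto} {gip} -> {hip}"))
            elif proto == "tcp" and hport in CLEARTEXT:
                findings.append(("cleartext", f"{gip}:{gport} -> {hip}:{hport} "
                                              f"({CLEARTEXT[hport]})"))
    return findings

# Constructed sample: the reference's own examples plus one line that breaks
# the "any" rule and one undo line that must be ignored.
SAMPLE_CONFIG = """\
[3Com-Serial0/0/0] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www
[3Com-Serial0/0/0] nat server protocol tcp global 202.110.10.10 inside 10.110.10.11 ftp
[3Com-Serial0/0/0] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12
[3Com-Serial0/0/0] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet
[3Com-Serial0/0/0] nat server protocol tcp global 202.110.10.12 8080 inside 10.110.10.13 any
[3Com-Serial0/0/0] undo nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www
"""

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_CONFIG):
        print(f"{kind:10} {detail}")
```

The range line alone produces 100 separate telnet exposures, one per internal host, which is easy to overlook when reading the single command.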

reset nat

Syntax
reset nat { log-entry | session slot slot-number }

View
User view

Parameter
log-entry: Clears NAT log buffer.
slot slot-number: Number of the interface card, which only exists in the distributed environment.
session: Clears the information of the address translation table.

Description
This command is used to clear up the mapping tables of address translation in the memory and release all the memory dynamically allocated to store the mapping tables.

Example
In the central environment, clear NAT log buffer.
<3Com> reset nat log-entry

In the distributed environment, clear NAT log buffer.
<3Com> reset nat log-entry slot 10

In the central environment, clear information of the address translation table.
<3Com> reset nat session

In the distributed environment, clear information of the address translation table.
<3Com> reset nat session slot 10

IP Unicast Policy Routing Configuration Commands
apply default output-interface

Syntax
apply default output-interface interface-type interface-number [ ... interface-type interface-number ]
undo apply default output-interface interface-type interface-number [ ... interface-type interface-number ]

View
Route-policy view

Parameter
interface-type: Interface type.
interface-number: Interface number.

Description
Using the apply default output-interface command, you can set the default forwarding interface for packets. Using the undo apply default output-interface command, you can cancel the configuration of the default forwarding interface of packets.
This command is used to set the forwarding interface for the matched IP packet, and the clause is valid only for a packet whose route has not been found.
For the related commands, see apply ip-precedence, apply ip-address next-hop, apply output-interface, and apply ip-address default next-hop.

Example
Set the default forwarding interface of packets as serial 0/0/0.
[3Com-route-policy] apply default output-interface serial 0/0/0

apply ip-address default next-hop

Syntax
apply ip-address default next-hop ip-address [...ip address ]
undo apply ip-address default next-hop ip-address [...ip address ]

View
Route-policy view

Parameter
ip-address: IP address of default next hop.

Description
Using the apply ip-address default next-hop command, you can set the default next hop of a packet. Using the undo apply ip-address default next-hop command, you can cancel the configured default packet next hop.
This command is only valid for the packet whose route has not been found.
For the related commands, see apply ip-precedence, apply output-interface, apply default output-interface, and apply ip-address next-hop.

Example
Set the default next hop of a packet to 1.1.1.1.
[3Com-route-policy] apply ip-address default next-hop 1.1.1.1

apply ip-address next-hop

Syntax
apply ip-address next-hop ip-address [ ip-address ]
undo apply ip-address next-hop ip-address [ ip-address ]

View
Route-policy view

Parameter
ip-address: IP address of next hop.

Description
Using the apply ip-address next-hop command, you can set the packet next hop. Using the undo apply ip-address next-hop command, you can cancel the configuration about the next hop.
This command is used to set the next hop for the matched IP packet and at most two next hops can be specified. The next hop should be adjacent to this device.
For the related commands, see apply ip-precedence, apply output-interface, apply default output-interface, and apply ip-address default next-hop.

Example
Set the packet next hop to 1.1.1.1.
[3Com-route-policy] apply ip-address next-hop 1.1.1.1

apply ip-precedence

Syntax
apply ip-precedence value
undo apply ip-precedence

View
Route-policy view

Parameter
value: The preference value. There are 8 preferences in total (in the range 0 to 7):
0: routine
1: priority
2: immediate
3: flash
4: flash-override
5: critical
6: internet
7: network

Description
Using the apply ip-precedence command, you can set precedence of IP packets. Using the undo apply ip-precedence command, you can remove the precedence of IP packets.
This command is used to configure the set clause of route-policy and the preference for the matched IP packets.
For the related commands, see apply output-interface, apply ip-address next-hop, apply default output-interface, and apply ip-address default next-hop.

Example
Set the preference of IP packet to 5 (critical).
[3Com-route-policy] apply ip-precedence critical

apply output-interface

Syntax
apply output-interface interface-type interface-number [ interface-type interface-number ]
undo apply output-interface interface-type interface-number [ interface-type interface-number ]

View
Route-policy view

Parameter
interface-type: Interface type.
interface-number: Interface number.

Description
Using the apply output-interface command, you can set a packet forwarding interface. Using the undo apply output-interface command, you can cancel the configuration on a forwarding interface.
This command is used to set the packet forwarding interface for the matched IP packet. At most two forwarding interfaces can be specified.
For the related commands, see apply ip-precedence, apply ip-address next-hop, apply default output-interface, and apply ip-address default next-hop.

Example
Specify forwarding interface as serial0/0/0 for the matched IP packet.
[3Com-route-policy] apply output-interface Serial 0/0/0

display ip policy

Syntax
display ip policy

View
Any view

Parameter
None

Description
Using the display ip policy command, you can view the routing policies of local and configured interface policy routings.

Example
Display the routing policies of the local and configured interface policy routings.
<3Com> display ip policy
Route-policy    Interface
pr02            Local
pr02            Virtual-Template0
pr01            Ethernet 0/0/0

The first line is prompt information. Each following line shows a routing policy and where it is used. Take the first line as an example: "Local" indicates that the policy routing is used on the local router, i.e., all packets sent from the local router (not forwarded through it) use the policy routing "pr02". The second and third lines show that the interfaces Virtual-Template0 and Ethernet0/0/0 use route policy pr02 and pr01 respectively.

display ip policy setup

Syntax
display ip policy setup { policy-tag | local | interface interface-type interface-number }

View
Any view

Parameter
policy-tag: Displays the setting information of policy routings identified by map-tag.
local: Displays the setting information of local policy routings.
interface: Displays the setting information of interface policy routings.
interface-type: Interface type.
interface-number: Interface number.

Description
Using the display ip policy setup command, you can view the setting information of policy routings.
The output of the display ip policy setup local command is the same as that with policy-tag, shown in the example below, except that it displays the policy routing enabled on the local router rather than the configuration of a specified route-policy. The display ip policy setup interface command displays the configuration of the policy routing enabled on the interface.

Example
Display the specific configurations of the specified policy routing, enabled or disabled.
<3Com> display ip policy setup pr01
route-policy pr01 permit node 0
  if-match acl 11
  apply ip-address next-hop 3.3.3.3

This command displays the specific configuration of the policy routing named pr01. As shown above, the policy routing has one node, node 0, which includes an if-match clause and an apply clause. For the accurate meanings of the if-match clause and the apply clause, you can refer to the configuration guide of the command. The example shows how the option map-tag is used.

display ip policy statistic

Syntax
display ip policy statistic { { policy-tag | local | interface interface-type interface-number } [ verbose ] }

View
Any view

Parameter
policy-tag: Displays the statistics of the policy identified by policy-tag performing policy routing process on packets.
local: Displays the statistics of local policy routing packets.
interface: Displays the statistics of interface policy routings.
interface-type: Interface type.
interface-number: Interface number.
verbose: Displays the detailed information.

Description
Using the display ip policy statistic command, you can view the statistics of policy routings.

Example
Display the matching statistics of the specified policy routing.
<3Com> display ip policy statistic local
local policy pr02 summary information:
Main board
Total success packet number: 0
Total failure packet number: 0

The above information shows the number of forwarding successes and failures for all the forwarding policies (i.e., the apply clauses) of the local router policy routing. To display more detailed statistics classified by apply clause, add the option verbose.
<3Com> display ip policy statistic local verbose
local policy pr02 detail information:
Main board
apply output-interface: NULL0
  Total success packet number: 0
  Fail for interface not exists: 0
  Fail for interface down: 0
apply ip-address next-hop: 5.5.5.5
  Total success packet number: 0
  Fail for error next-hop: 0
  Fail for interface not exists: 0
  Fail for interface down: 0

If the optional field verbose is added, more detailed statistics of each apply clause in the policy routing are displayed separately, and the forwarding errors are classified by cause.


if-match acl

Syntax
if-match acl acl-number
undo if-match acl acl-number

View
Route-policy view

Parameter
acl-number: Address access control list number.

Description
Using the if-match acl command, you can set the match condition for IP address. Using the undo if-match acl command, you can delete the IP address match condition.
An acl-number can be basic standard access-list or advanced access-list.
For the related command, see if-match packet-length.

Example
Set packets that accord with the access list 10 to be matched.
[3Com] route-policy map1 permit node 10
[3Com-route-policy] if-match acl 10

if-match packet-length

Syntax
if-match packet-length min-len max-len
undo if-match packet-length

View
Route-policy view

Parameter
min-len: Minimum packet length of network layer.
max-len: Maximum packet length of network layer.

Description
Using the if-match packet-length command, you can set length match conditions of IP packets. Using the undo if-match packet-length command, you can delete the configuration about IP packet length match conditions.
For the related command, see if-match acl.

Example
Set the packet in the range 100 to 200 to be matched.
[3Com] route-policy map1 permit node 10
[3Com-route-policy] if-match packet-length 100 200

ip local policy route-policy

Syntax
ip local policy route-policy policy-tag
undo ip local policy route-policy policy-tag

View
System view

Parameter
policy-tag: Policy name.

Description
Using the ip local policy route-policy command, you can enable local policy routing. Using the undo ip local policy route-policy command, you can delete the existing setting of the policy routing.
By default, interface local policy routing is disabled.
This command is used to enable or disable the local policy routing for the packets sent by the local device. If there is no special demand, it is recommended that users do not configure local policy routing.
For the related command, see ip policy route-policy.

Example
Enable a local policy routing at system view. The policy routing is specified by route-policy AAA.
[3Com] ip local policy route-policy AAA

ip policy route-policy

Syntax
ip policy route-policy policy-name
undo ip policy route-policy policy-name

View
Interface view

Parameter
policy-name: Policy name.

Description
Using the ip policy route-policy command, you can enable policy routing at an interface. Using the undo ip policy route-policy command, you can delete the existing policy routing at an interface.
By default, interface policy routing is disabled.
For the related command, see ip local policy route-policy.

Example
Enable the policy routing specified by route-policy AAA at the interface Ethernet 0/0/0.
[3Com-ethernet0/0/0] ip policy route-policy AAA


IP Multicast Policy Routing Configuration Commands
apply ip-address next-hop

Syntax
apply ip-address next-hop { acl acl-number | ip-address [ ip-address ] }
undo apply ip-address next-hop [ acl acl-number | ip-address [ ip-address ] ]

View
Route-policy view

Parameter
acl-number: Standard ACL number ranging from 1 to 99.
ip-address: Specifies the next hop address. Multiple next hop addresses can be specified.

Description
Using the apply ip-address command, you can configure the next hop IP address list in a route-node. Using the undo apply ip-address command, you can remove the configuration.
By default, no apply clause is defined.
This command specifies the next hop address for packets that match the if-match acl command. It specifies the next hop IP address list for multicast policy routing through the ACL.
This command is parallel to the apply output-interface command. If both apply clauses are configured at the same time, in multicast policy routing, the packets will be replicated and forwarded to all the interfaces and next hops specified by the ACLs respectively. This is different from unicast policy routing, in which only one apply clause works.
For the next hop IP address, the specified ACL is the standard ACL.
For the related commands, see if-match acl, apply output-interface, and display ip multicast-policy.

apply output-interface

Syntax
apply output-interface acl acl-number
undo apply output-interface [ acl acl-number ]

View
Route-policy view

Parameter
acl-number: ID of interface-based ACL, ranging from 1000 to 1999.

Description
Using the apply output-interface command, you can configure an outgoing interface list in a route-node. Using the undo apply output-interface command, you can remove the configuration.
By default, no apply clause is defined.
This command specifies outgoing interfaces for packets that match the if-match command. It specifies outgoing interfaces for multicast policy routing through the ACL.
The action executed on packets that meet the if-match conditions defined by the match clause is as follows: if outgoing forwarding interfaces are set in the route-node through the ACL, the packets will be replicated and forwarded to all interfaces specified by the ACL.
For an outgoing interface, the specified ACL is the one based on interface.
This command is parallel to the apply ip-address next-hop command. If both apply clauses are configured at the same time, in multicast policy routing, the packets will be replicated and forwarded to all the interfaces and next hops specified by the ACLs respectively. This is different from unicast policy routing, in which only one apply clause works.
For the related commands, see apply ip-address next-hop, if-match acl, and display ip multicast-policy.

debugging ip multicast-policy

Syntax
debugging ip multicast-policy [ acl-number ]
undo debugging ip multicast-policy

View
User view

Parameter
acl-number: ID of interface-based ACL ranging from 1000 to 1999.

Description
Using the debugging ip multicast-policy command, you can enable the debugging of IP multicast policy routing. Using the undo debugging ip multicast-policy command, you can disable the debugging of multicast policy routing.
The debugging information contains the route-node that the packets match and the next hop/outgoing interface to which the packets are forwarded. The debugging information output can be filtered with the interface-based ACL.
It should be noted that enabling the debugging will affect the performance of the system. You should disable the debugging when the system is running normally.
For the related command, see route-policy.

display ip multicast-policy

Syntax
display ip multicast-policy [ setup interface interface-name | statistic interface interface-name ]

View
Any view

Parameter
interface-name: Interface name.

Description
Using the display ip multicast-policy command, you can view the multicast policy routing information.

Example
Display the information about the multicast policy routing configured on interface Ethernet2/0/0.
[3Com] display ip multicast-policy setup interface ethernet2/0/0
route-policy cc permit node 10
  if-match acl 110
  apply ip-address next-hop acl 50
route-policy cc permit node 20
  if-match acl 120
  apply output-interface acl 1005

Display the statistic information about the multicast policy routing configured on interface Ethernet2/0/0.
[3Com] display ip multicast-policy statistic interface ethernet2/0/0
interface Ethernet2/0/0 multicast-policy routing summary information:
Total packets matched: 5
Total packets forward : 20

if-match acl

Syntax
if-match { acl acl-number | ip-prefix ip-prefix-name }
undo if-match { acl acl-number | ip-prefix ip-prefix-name }

View
Route-policy view

Parameter
acl-number: Standard or extended ACL number ranging from 1 to 199.
ip-prefix-name: Specifies the name of an address prefix list used for filtering.

Description
Using the if-match acl command, you can set conditions that multicast packets should meet in each policy node. Using the undo if-match acl command, you can remove the match conditions set.
By default, no if-match clause is defined.
If a packet meets the if-match conditions specified in a policy node, the actions specified by the node will be performed. If a packet does not meet the if-match conditions specified in a policy node, the next node will be tested. If a packet does not meet the conditions of any policy node, the packet will return to the normal forwarding flow.
The configuration and use of this command are the same as those of the same command in the unicast policy routing.

ip multicast-policy route-policy

Syntax
ip multicast-policy route-policy policy-name
undo ip multicast-policy route-policy policy-name

View
Interface view

Parameter
policy-name: Specifies the name of a route-policy, which uniquely identifies one route-policy.

Description
Using the ip multicast-policy route-policy command, you can enable a multicast policy routing on an interface. Using the undo ip multicast-policy route-policy command, you can remove a multicast policy route applied on the interface.
By default, no multicast route policy is enabled.
This command enables the multicast policy routing defined by the route-policy named policy-name on an interface.
When multicast policy routing is configured on an interface of a router, all multicast packets entering the router on the interface will be filtered. All policy nodes of the route-policy specified by the policy routing are tried in ascending order of their sequence numbers. If a packet meets the if-match conditions specified in a policy node, the actions specified by the node will be performed. If a packet does not meet the if-match conditions specified in a policy node, the next node will be tested. If a packet does not meet the conditions of any policy node, the packet will return to the normal forwarding flow.
For the related command, see route-policy.

Example
Enable multicast policy routing named map1 on interface Ethernet 2/0/0.
[3Com-Ethernet2/0/0] ip multicast-policy route-policy map1

route-policy

Syntax
route-policy policy-name { permit | deny } node sequence-number
undo route-policy policy-name [ permit | deny ] [ node sequence-number ]

View
System view

Parameter
policy-name: Specifies the name of a route-policy, which uniquely identifies one route-policy.
permit: Specifies the match mode of the route-policy node defined as permit. When a route entry meets the if-match clause of the node, the entry is permitted to pass the filter of the node and the apply clause of the node will be performed. If a route entry does not meet the if-match clause of the node, the next node of the route-policy will be tested. For multicast policy routing configuration, all the if-match clauses except the if-match acl clause are invalid.
deny: Specifies the match mode of the route-policy node defined as deny. When a route entry meets the if-match clause of the node, the entry is denied to pass the filter of the node and the next node will not be tested. For multicast policy routing configuration, all the if-match clauses except the if-match acl clause are invalid.
sequence-number: Identifies a node in the route-policy. When the route-policy is used for routing information filtering, the node with a smaller sequence-number is tested first. This parameter ranges from 0 to 65535.

Description
Using the route-policy command, you can configure a route-policy node and enter the route-policy view. Using the undo route-policy command, you can remove a route-policy or a node.
By default, no route-policy is defined.
The policy of IP multicast policy routing is implemented by configuring route-policies. Multiple route-policies can be configured on a router. Each route-policy may contain multiple route-nodes. Different route-nodes in a route-policy are identified by different integer sequence-numbers. In each route-node, set the conditions that packets should match (i.e., the match rule) with the if-match command, and configure the forwarding actions to be executed on packets that meet the match conditions with the apply command.
The logical relation among the if-match clauses is “and”. This means that any if-match clause passing the filter will cause others to be ignored. Only the if-match acl clause is effective for multicast policy routing.
The logical relation between route-policy nodes is “or”. That is, one packet forwarded in one policy node results in all the following nodes being ignored.
If the packet matches none of the permit nodes, or matches any deny node, it is forwarded or discarded normally, according to the route table.
When multicast policy routing is configured on an interface of a router, all multicast packets entering the router on the interface will be filtered. All policy nodes of the route-policy are applied in ascending order of their ID (a number).
For the related commands, see if-match, apply output-interface, apply ip-address next-hop, and display ip multicast-policy.

Example
Configure a route-policy named map1 with the node ID of 10 and with the match mode of permit and enter the route-policy view.
[3Com] route-policy map1 permit node 10
[3Com-route-policy]

IPX Configuration Commands

debugging ipx packet

Syntax
debugging ipx packet [ interface-type interface-num | interface-name ]
undo debugging ipx packet [ interface-type interface-num | interface-name ]

View
User view

Parameter
interface-type: Interface type.
interface-num: Interface number.
interface-name: Interface name.

Description
Using the debugging ipx packet command, you can enable IPX packet debugging switch to view the contents of IPX packet received and transmitted. Using the undo debugging ipx packet command, you can disable the debugging switch. By default, IPX packet debugging switch is disabled.

Example
Enable IPX packet debugging switch.
<3Com> debugging ipx packet
*0.8942310-IPX-8-IPXPKT: Sending, interface = Serial3/0/0, pktlen = 40, hops = 0, pkttype = 0x1, dstnet = 0xb, dstnode = ffff-ffff-ffff, dstsocket = 0x453, srcnet = 0xb, srcnode = 00e0-fc01-5517, srcsocket = 0x453 prompt: Sending the packet.
*0.8942610-IPX-8-IPXPKT: Delivering, interface = Serial3/0/0, pktlen = 480, hops = 0, pkttype = 0x4, dstnet = 0xb, dstnode = ffff-ffff-ffff, dstsocket = 0x452, srcnet = 0xb, srcnode = 00e0-fc01-54f6, srcsocket = 0x452 prompt: IPX packet is delivering up!

Table 7 Description of display information of the debugging ipx packet command
Item | Description
pktlen = | Length of packet in decimal format (not including MAC address header).
hops = | How many routers the packet has passed through.
pkttype = | Packet type in hexadecimal format.
dstnet = | Destination network number of the packet.
dstnode = | Destination node address of the packet.
dstsocket = | Destination socket of the packet.
srcnet = | Source network number of the packet.
srcnode = | Source node address of the packet.
srcsocket = | Source socket of the packet.
prompt: | Prompt showing how the router processes the packet and the reasons for discarding a packet.
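When this debug output is collected in a log, it is easier to review as structured records. The following parser is an added example, not code from the manual or from 3Com; it reads the IPXPKT lines using the field meanings in Table 7, and the function names, the decimal reading of hops, the hexadecimal reading of the 0x-prefixed values, and the two constructed sample lines are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# First two lines follow the manual's example output; the last two are
# constructed (a truncated IPXPKT line and an unrelated ping debug line).
SAMPLE_LOG = """\
*0.8942310-IPX-8-IPXPKT: Sending, interface = Serial3/0/0, pktlen = 40, hops = 0, pkttype = 0x1, dstnet = 0xb, dstnode = ffff-ffff-ffff, dstsocket = 0x453, srcnet = 0xb, srcnode = 00e0-fc01-5517, srcsocket = 0x453 prompt: Sending the packet.
*0.8942610-IPX-8-IPXPKT: Delivering, interface = Serial3/0/0, pktlen = 480, hops = 0, pkttype = 0x4, dstnet = 0xb, dstnode = ffff-ffff-ffff, dstsocket = 0x452, srcnet = 0xb, srcnode = 00e0-fc01-54f6, srcsocket = 0x452 prompt: IPX packet is delivering up!
*0.8942700-IPX-8-IPXPKT: Sending, interface = Serial3/0/0, pktlen = 40, hops = 0
*0.15396012-IPX-8-IPXHWPING: Ping receiving: Request, Src = a.00e0-fc04-8859, Dst = a.00e0-fc01-54f6
"""

LINE_RE = re.compile(
    r"^\*(?P<ts>\d+\.\d+)-IPX-\d+-IPXPKT:\s*(?P<action>[A-Za-z]+),\s*(?P<body>.*)$"
)
FIELD_RE = re.compile(r"(\w+)\s*=\s*([^,\s]+)")
NODE_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.IGNORECASE)
REQUIRED = ("interface", "pktlen", "hops", "pkttype", "dstnet", "dstnode",
            "dstsocket", "srcnet", "srcnode", "srcsocket")
BROADCAST_NODE = "ffff-ffff-ffff"


@dataclass(frozen=True)
class IpxPacketEvent:
    timestamp: str
    action: str       # e.g. "Sending" or "Delivering"
    interface: str
    pktlen: int       # decimal per Table 7
    hops: int         # assumed decimal
    pkttype: int      # hexadecimal per Table 7
    dst: str          # "net.node", net printed in hex without 0x
    dstsocket: int
    src: str
    srcsocket: int
    prompt: str       # router's note on how it handled the packet

    @property
    def is_broadcast(self) -> bool:
        return self.dst.endswith("." + BROADCAST_NODE)


def parse_line(line: str) -> Optional[IpxPacketEvent]:
    """Return an event for a well-formed IPXPKT line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body, _, prompt = m.group("body").partition(" prompt:")
    fields = dict(FIELD_RE.findall(body))
    if any(name not in fields for name in REQUIRED):
        return None  # truncated or damaged line
    if not (NODE_RE.match(fields["dstnode"]) and NODE_RE.match(fields["srcnode"])):
        return None
    try:
        return IpxPacketEvent(
            timestamp=m.group("ts"),
            action=m.group("action"),
            interface=fields["interface"],
            pktlen=int(fields["pktlen"], 10),
            hops=int(fields["hops"], 10),
            pkttype=int(fields["pkttype"], 16),
            dst=f'{int(fields["dstnet"], 16):x}.{fields["dstnode"].lower()}',
            dstsocket=int(fields["dstsocket"], 16),
            src=f'{int(fields["srcnet"], 16):x}.{fields["srcnode"].lower()}',
            srcsocket=int(fields["srcsocket"], 16),
            prompt=prompt.strip(),
        )
    except ValueError:
        return None  # a numeric field did not parse


def parse_log(text: str):
    """Split a log into parsed IPXPKT events and rejected IPXPKT lines."""
    events, rejected = [], []
    for line in text.splitlines():
        if "IPXPKT:" not in line:
            continue  # other debug modules are out of scope here
        event = parse_line(line)
        if event is None:
            rejected.append(line)
        else:
            events.append(event)
    return events, rejected


def summarize(events):
    """Per-source packet, byte and broadcast counts."""
    summary = {}
    for ev in events:
        row = summary.setdefault(ev.src, {"packets": 0, "bytes": 0, "broadcast": 0})
        row["packets"] += 1
        row["bytes"] += ev.pktlen
        row["broadcast"] += int(ev.is_broadcast)
    return summary


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    for src, row in summarize(parsed).items():
        print(src, row)
    print("rejected lines:", len(bad))
```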

debugging ipx ping

Syntax
debugging ipx ping
undo debugging ipx ping

View
User view

Parameter
None

Description
Using the debugging ipx ping command, you can enable IPX Ping packet debugging switch to view the contents of Ping packet received and transmitted. Using the undo debugging ipx ping command, you can disable the debugging switch. By default, IPX Ping packet debugging switch is disabled.

Example
Enable IPX Ping packet debugging switch.
<3Com> debugging ipx ping
*0.15396012-IPX-8-IPXHWPING: Ping receiving: Request, Src = a.00e0-fc04-8859, Dst = a.00e0-fc01-54f6
*0.15396130-IPX-8-IPXPING: Ping sending: Response, Src = a.00e0-fc01-54f6, Dst = a.00e0-fc04-8859

Table 8 Description of display information of the debugging ipx ping command
Item | Description
Src = | Source address of Ping packet.
Dst = | Destination address of Ping packet.


debugging ipx rip

Syntax
debugging ipx rip { packet [ verbose ] | event }
undo debugging ipx rip { packet [ verbose ] | event }

View
User view

Parameter
packet: Debugging information of packet received and transmitted.
verbose: Displays detailed information about packet received and transmitted.
event: Event debugging information, such as Up/Down of an interface and related timer events.

Description
Using the debugging ipx rip command, you can enable RIP debugging switch to view information on RIP packet received and transmitted, routing changes and timer expiry. Using the undo debugging ipx rip command, you can disable RIP debugging switch. By default, IPX RIP debugging switch is disabled.

Example
Enable IPX RIP packet debugging switch.
<3Com> debugging ipx rip packet
Send RIP Response to Ethernet0/0, length 96
src:a.00e0-fc01-5517(453), dst:a.ffff-ffff-ffff(453)
Number of Entries in Pkt: 8

Enable IPX RIP packet verbose debugging switch.
<3Com> debugging ipx rip packet verbose
Send RIP Response to Ethernet0/0, length 96
src:a.00e0-fc01-5517(453), dst:a.ffff-ffff-ffff(453)
Number of Entries in Pkt: 8
Network 0x1, hops 2, delay 2
Network 0x2, hops 2, delay 2
Network 0x3, hops 2, delay 2
Network 0x4, hops 2, delay 2
Network 0x5, hops 2, delay 2
Network 0x6, hops 2, delay 2
Network 0x8, hops 2, delay 8
Network 0xa, hops 1, delay 2

Enable IPX RIP event debugging switch.
<3Com> debugging ipx rip event
*0.274181351-IPXRIP-8-IPXRIP_Event: The number 1 equal route nexthop: 00e0-fc04-8859
*0.274181450-IPXRIP-8-IPXRIP_Event: The network 8 totally have 1 equal route


debugging ipx rtpro-flash

Syntax
debugging ipx rtpro-flash
undo debugging ipx rtpro-flash

View
User view

Parameter
None

Description
Using the debugging ipx rtpro-flash command, you can turn on the debugging switch of route refreshing in the IPXRM module. Using the undo debugging ipx rtpro-flash command, you can turn off the debugging switch of route refreshing in the IPXRM module. This kind of debugging information is generated when routes are refreshed because of a route change.

Example
Switch on route refreshing debugging for IPXRM module.
<3Com>debugging ipx rtpro-flash
<3Com>

Remove an IPX static route.
[3Com]undo ipx route-static b2 Serial 1
*0.18537610 3Com RMX/8/DBG: IPXRM set a Rth on the flash list, ulRthDest = 0xb2 .
[3Com]
*0.18537820 3Com RMX/8/DBG: IPXRM finish a flash, reset a Rth on the flash list, ulRthDest = 0xb2 .
[3Com]

debugging ipx rtpro-interface

Syntax
debugging ipx rtpro-interface
undo debugging ipx rtpro-interface

View
User view

Parameter
None

Description
Using the debugging ipx rtpro-interface command, you can turn on the debugging switch of interface change in the IPXRM module. Using the undo debugging ipx rtpro-interface command, you can turn off the debugging switch of interface change in the IPXRM module.

Such debugging information is generated whenever the IPXRM module receives interface change messages. These messages are generated when the interface status changes between up and down, or when an interface is added or removed.

Example
Enable IPX RIP packet debugging switch.
<3Com> debugging ipx rip packet

Switch on interface change debugging for IPXRM module.
<3Com>debugging ipx rtpro-interface
<3Com>

Trigger interface change by using shut/undo shut command.
[3Com-Serial1] shut
[3Com-Serial1]
%Oct 24 14:11:27 2003 3Com PHY/2/PHY: Serial1: change status to down
%Oct 24 14:11:27 2003 3Com IFNET/5/UPDOWN:Line protocol on the interface Serial1 turns into DOWN state
%Oct 24 14:11:27 2003 3Com IFNET/5/UPDOWN:Protocol IPX on the interface Serial1 turns into DOWN state
*0.19023320 3Com RMX/8/DBG:IPXRM recieve interface change msg, msg type IPX_IF_DOWN .if_index is 0x286 .Interface name is Serial1 .
[3Com-Serial1]
[3Com-Serial1]undo shut
[3Com-Serial1]
%Oct 24 14:11:34 2003 3Com PHY/2/PHY: Serial1: change status to up
%Oct 24 14:11:34 2003 3Com IFNET/5/UPDOWN:Line protocol on the interface Serial1 turns into UP state
%Oct 24 14:11:34 2003 3Com IFNET/5/UPDOWN:Protocol IPX on the interface Serial1 turns into UP state
*0.19032220 3Com RMX/8/DBG:IPXRM recieve interface change msg, msg type IPX_IF_UP .if_index is 0x286 .Interface name is Serial1 .
[3Com-Serial1]

debugging ipx rtpro-routing

Syntax
debugging ipx rtpro-routing
undo debugging ipx rtpro-routing

View
User view

Parameter
None

Description
Using the debugging ipx rtpro-routing command, you can turn on the debugging switch of route change in the IPXRM module. Using the undo debugging ipx rtpro-routing command, you can turn off the debugging switch of route change in the IPXRM module. This kind of debugging information is generated when route changes such as addition, deletion or attribute adjustment occur.

Example
Switch on route change debugging for IPXRM module.
<3Com>debugging ipx rtpro-routing
<3Com>

Add a static route.
[3Com]ipx route-static d10 Serial 1
*0.19579120 3Com RMX/8/DBG:IPXRM ADD route !
Dest: d10 Nexthop: 0.0000-0000-0000
Interface: a.00e0-fcfb-3a00(Serial1) Protocol: Static Ticks: 6 Preference: 60 Hops: 1
*0.19579230 3Com RMX/8/DBG:IPXRM route change to ACTIVE !
Dest: d10 Nexthop: 0.0000-0000-0000
Interface: a.00e0-fcfb-3a00(Serial1) Protocol: Static Ticks: 6 Preference: 60 Hops: 1

debugging ipx sap packet

Syntax
debugging ipx sap [ packet [ verbose ] | event ]
undo debugging ipx sap [ packet [ verbose ] | event ]

View
User view

Parameter
packet: Debugging information of packet received and transmitted.
verbose: Displays detailed information about packet received and transmitted.
event: Event debugging information, such as Up/Down of an interface and related timer events.

Description
Using the debugging ipx sap command, you can enable IPX SAP debugging switch to view information on SAP packet received and transmitted, routing changes and timer expiry. Using the undo debugging ipx sap command, you can disable IPX SAP debugging switch.

By enabling the IPX SAP debugging switch, you can confirm whether SAP packets are received. Normally, a router or server sends out an SAP update packet every minute. By default, each SAP packet includes up to seven service information items. If a lot of service information needs advertising on the network, the router sends out multiple packets per update. For example, if a router has 20 service information items in SIT, it sends three SAP packets per update. The first SAP includes the first seven items, the second SAP includes the next seven items, and the last update includes the last six items.

The debugging ipx sap command generates a significant amount of output; use it with caution on networks that have many interfaces and a great deal of service information. Disable the debugging switch immediately after debugging to reduce the effect on normal services as much as possible.

Example
Enable SAP packet verbose debugging switch.
<3Com> debugging ipx sap packet verbose
*0.20909856-IPXSAP-8-IPX SAP: MSG: Receive Response Packet From Eth0,Length 480
Src: 000a.0000-0104-8f02 (0452) Dest: 000a.ffff-ffff-ffff (0452)
Number of entries in pkt: 7
Server type 2000 "PS1" 0008.000a-000a-000a (0452) hop 3
Server type 2345 "kkkkk" 000d.0005-0005-0005 (0452) hop 6
Server type 9000 "kiran-temp" 000d.0006-0006-0006 (0452) hop 16
Server type 6000 "kiran3" 000d.0003-0003-0003 (0452) hop 6
Server type 5000 "kiran2" 000d.0002-0002-0002 (0452) hop 16
Server type 4000 "kiran1" 000d.0001-0001-0001 (0452) hop 16
Server type 1000 "FS2" 000d.000a-000a-000a (0452) hop 2

Enable SAP packet debugging switch.
<3Com> debugging ipx sap packet
*0.20909856-IPXSAP-8-IPX SAP : MSG:Recieve Response Packet From Eth0,Length 480
Src: 000a.0000-0104-8f01 (0452) Dest: 000a.ffff-ffff-ffff (0452)
Number of entries in pkt: 4

Enable SAP event debugging switch.
<3Com> debugging ipx sap Event
*0.20776625-IPXSAP-8-IPX SAP: MSG: IPXSAP: Route UP Event Received: N

display ipx interface

Syntax
display ipx interface [ interface-type interface-num | interface-name ]

View
Any view

Parameter
Interface-type: Interface type.
Interface-num: Interface number.
Interface-name: Interface name.

Description
Using the display ipx interface command, you can view IPX interface configuration information and interface parameters in communication devices.

Example
Display IPX configuration and statistics of the interface Ethernet1/0/0.
<3Com> display ipx interface ethernet 1/0/0
Ethernet1/0/0 is up
IPX address is 2.00E0-FC01-0000 [up]
SAP is enabled
Split horizon is enabled
Update change only is disabled
Forwarding of IPX type 20 propagation packet is enabled
Delay of this IPX interface, in ticks is 1
SAP GNS response is enabled
RIP packet maximum size is 432 bytes
SAP packet maximum size is 480 bytes
IPX encapsulation is Netware 802.3
0 received, 0 sent
0 bytes received, 0 bytes sent
0 RIP received, 0 RIP sent, 0 RIP discarded
0 RIP specific requests received, 0 RIP specific responses sent
0 RIP general requests received, 0 RIP general responses sent
0 SAP received, 0 SAP sent, 0 SAP discarded
0 SAP requests received, 0 SAP responses sent

Table 9 Description of display information of the display ipx interface command
Item | Description
Ethernet1/0/0 is ... | In terms of physical layer and link layer status, the current interface is UP, DOWN or administratively DOWN.
IPX address is ... | IPX network ID and node value of the current interface. Refer to the commands ipx network and ipx enable for details of network ID and node value.
[up] | IPX protocol status of the current interface.
SAP is ... | Whether SAP is enabled on the current interface.
Split horizon is ... | Whether split horizon is enabled on the current interface. The related command is ipx split-horizon.
Update change only is ... | Whether trigger update is enabled on the current interface. The related command is ipx update-change-only.
Forwarding of IPX type 20 propagation packet is ... | Whether IPX type 20 propagation packet is permitted to be forwarded on the current interface. The related command is ipx netbios-propagation.
Delay of this IPX interface, in ticks is ... | Delay value of the current interface. The value is configured by the ipx tick command.
SAP GNS response is ... | Whether SAP GNS reply is enabled on the current interface. The related command is ipx sap gns-disable-reply.
RIP packet maximum size is ... bytes | Maximum size of RIP updating packet on the current interface. The related command is ipx rip mtu.
SAP packet maximum size is ... bytes | Maximum size of SAP updating packet on the current interface. The related command is ipx sap mtu.
received | Total number of packets received on the current interface.
sent | Total number of packets sent on the current interface.
bytes received | Total number of bytes received on the current interface.
bytes sent | Total number of bytes sent on the current interface.
RIP received | Total number of IPX RIP packets received on the current interface.
RIP sent | Total number of IPX RIP packets sent on the current interface.
RIP discarded | Total number of IPX RIP packets discarded on the current interface.
RIP specific requests received | Total number of IPX RIP specific requests received on the current interface.
RIP specific responses sent | Total number of IPX RIP specific responses sent on the current interface.
RIP general requests received | Total number of IPX RIP general requests received on the current interface.
RIP general responses sent | Total number of IPX RIP general responses sent on the current interface.
SAP received | Total number of SAP packets received on the current interface.
SAP sent | Total number of SAP packets sent on the current interface.
SAP discarded | Total number of SAP packets discarded on the current interface.
SAP requests received | Total number of SAP requests received on the current interface.
SAP responses sent | Total number of SAP responses sent on the current interface.

display ipx routing-table

Syntax
display ipx routing-table [ network ] [ verbose ]
display ipx routing-table protocol { default | direct | rip | static } [ inactive | verbose ]

View
Any view

Parameter
network: Destination network ID of IPX static route. It is an 8-bit hexadecimal number, ranging from 1 to 0xFFFFFFFE. Display IPX routing information to specified destination network ID.
verbose: Displays detailed route information, including active and inactive routes.
default: Displays all the default routing information.
direct: Displays all the directly connected routing information.
rip: Displays all IPX RIP routing information.
static: Displays all IPX static routing information.
inactive: Only displays inactive routing information.

Description
Using the display ipx routing-table command, you can view active IPX routing information.
Using the display ipx routing-table verbose command, you can view detailed IPX routing information including active and inactive routes.
Using the display ipx routing-table network command, you can view active IPX routing information to specified destination network ID.
Using the display ipx routing-table network verbose command, you can view detailed IPX routing information to specified destination network ID including active and inactive routes.
Using the display ipx routing-table protocol { rip | static | default | direct } command, you can view IPX routing information for specified destination type including active and inactive routes.
Using the display ipx routing-table protocol { rip | static | default | direct } verbose command, you can view detailed IPX routing information for specified destination type including active and inactive routes.

Example
Display active IPX routing information.
[3Com] display ipx routing-table
Routing tables:
Summary count: 4
Dest_Ntwk_ID  Proto   Pre  Ticks  Hops  Nexthop            Interface
0x11          Direct  0    6      0     0.0000-0000-0000   Serial0/0/0
0x22          RIP     100  7      1     11.0000-0165-6401  Serial0/0/0
0x33          Direct  0    1      0     0.0000-0000-0000   Ethernet0/0/0
0x100         Static  60   6      1     0.0000-0000-0000   Serial0/0/0

The following table explains the contents in the above displayed information:

Table 10 Description of display information of the display ipx routing-table command
Item | Description
Dest_Ntwk_ID | Destination network ID of the route
Proto | Protocol type of the route
Pre | Preference of the route
Ticks | Ticks value of the route
Hops | Hops value of the route
Nexthop | The next hop of the route
Interface | Outgoing interface of the route

Display detailed IPX routing information, including active and inactive routes.

<3Com> display ipx routing-table verbose
Routing tables:
Destinations: 103 Routes: 103

Destination Network ID: 0x11
Protocol: Direct Preference: 0
Ticks: 6 Hops: 0
Nexthop: 0.0000-0000-0000 Time: 0
Interface: 11.0000-0165-6400(Serial0)
State: <Active>

Destination Network ID: 0x22
Protocol: RIP Preference: 100
Ticks: 7 Hops: 1
Nexthop: 11.0000-0165-6401 Time: 15
Interface: 11.0000-0165-6400(Serial0)
State: <Active>

Destination Network ID: 0x33
Protocol: Direct Preference: 0
Ticks: 1 Hops: 0
Nexthop: 0.0000-0000-0000 Time: 0
Interface: 33.0000-0165-6400(Ethernet0)
State: <Active>

Destination Network ID: 0x100
Protocol: Static Preference: 60
Ticks: 6 Hops: 1
Nexthop: 0.0000-0000-0000 Time: 0
Interface: 11.0000-0165-6400(Serial0)
State: <Active>

Table 11 Description of display information of the display ipx routing-table verbose command
Item | Description
Time | Aging time value of the route. Without aging, the value of interface route and static route is 0.
State | State can be <Active>, <Inactive> or <Delete>. <Active> indicates active route, <Inactive> indicates inactive route and <Delete> indicates the route is being deleted.

display ipx routing-table statistics

Syntax
display ipx routing-table statistics

View
Any view

Parameter
None

Description
Using the display ipx routing-table statistics command, you can view IPX routing statistics.

Example
Display IPX routing statistics.
<3Com> display ipx routing-table statistics
Routing tables:
Proto/State  route  active  added  deleted  freed
Direct       2      2       2      0        0
Static       1      1       2      1        1
RIP          1      1       1      0        0
Default      0      0       0      0        0
Total        4      4       5      1        1

display ipx service table

Syntax
display ipx service-table [ [ type service-type | name name | network network | order { network | type } ] | [ inactive ] ] [ verbose ]

View
Any view

Parameter
type: Displays information for specified service type ID.
service-type: The type of service.
name: Displays information for specified server name.
name: Name of the server.
network: Displays service information of the server on specified network segment.
network: The network ID of the network segment.
order: Displays service information after classified by the type.
network: Classified by the network ID.
type: Classified by the service type.
inactive: Displays inactive service information.
verbose: Displays details about service information.

Description
Using the display ipx service-table command, you can view contents of an IPX service information table. The output information of the command helps users with IPX SAP troubleshooting.

Example
Display contents of IPX service information table.
[3Com] display ipx service-table
Abbreviation: S - Static, Pref - Preference(Decimal), NetId - Network number, NodeId - Node address, hop - Hops(Decimal), Recv-If - Interface from which the service is receieved
Name    Type  NetId  NodeId          Sock  Pref  Hops  Recv-If
FS2     1000  000d   000a-000a-000a  0452  500   02    Eth1/0/0
PS1     2000  0008   000a-000a-000a  0452  500   03    Eth1/0/0
kkkkk   2345  000d   0005-0005-0005  0452  500   06    Eth1/0/0
Hello3  6000  000d   0003-0003-0003  0452  500   06    Eth1/0/0

Display contents of service information table of type 5.
[3Com] display ipx service-table type 5
Abbreviation: S - Static, Pref - Preference(Decimal), NetId - Network number, NodeId - Node address, hop - Hops(Decimal), Recv-If - Interface from which the service is receieved
Name  Type  NetId  NodeId          Sock  Pref  Hops  Recv-If
Prn1  0005  000d   000a-000a-000a  0452  500   02    Eth1/0/0
Prn2  0005  0008   000a-000a-000a  0452  500   03    Eth1/0/0
Prn3  0005  000d   0005-0005-0005  0452  500   06    Eth1/0/0
Prn4  0005  000d   0006-006-0006   0452  500   06    Eth1/0/0

display ipx statistics

Syntax
display ipx statistics

View
Any view

Parameter
None

Description
Using the display ipx statistics command, you can view statistics and type of IPX packet transmitted and received.

Example
Display IPX statistics.
<3Com> display ipx statistics
Received: 0 total, 0 packets pitched
0 packets size errors, 0 format errors
0 bad hops(>16), 0 discarded(hops=16)
0 other errors, 0 local destination
0 can not be dealed
Sent: 0 forwarded, 0 generated
0 no route, 0 discarded
RIP: 0 sent, 0 received
0 responses sent, 0 responses received
0 requests received, 0 requests dealed
0 requests sent, 0 periodic updates
SAP: 0 general requests received
0 specific requests received
0 GNS requests received
0 general responses sent
0 specific responses sent
0 GNS responses sent
0 periodic updates, 0 errors

Table 12 Description of display information of the display ipx statistics command
Item | Description
Received | Statistics for received messages
0 total | Total number of received messages
0 packets pitched | Total number of messages whose headers are re-pitched
0 packets size errors | Total number of discarded messages due to packet size errors
0 format errors | Total number of discarded messages due to encapsulation format errors
0 bad hops | Total number of messages whose hop field values exceed 16
0 discarded(hop=16) | Total number of messages whose hop field values are 16
0 other errors | Total number of discarded messages due to other errors
0 local destination | Total number of messages which have local destinations
0 can not be dealt | Total number of messages that can not be dealt with
Sent: | Statistics for sent messages
0 forwarded | Number of messages which need to be forwarded
0 generated | Number of messages which are sent by router itself
0 no route | Number of messages which do not find routes
0 discarded | Number of messages discarded during sending
RIP: | Statistics for RIP messages
0 sent | Number of RIP messages sent by router
0 received | Number of RIP messages received
0 responses sent | Number of RIP response messages sent by router
0 responses received | Number of RIP response messages received
0 requests received | Number of RIP request messages received
0 requests dealt | Number of RIP request messages dealt
0 requests sent | Number of RIP request messages sent by router
0 periodic updates | Number of RIP periodic update messages sent by router
SAP: | Statistics for SAP messages
0 general requests received | Number of received SAP general request messages
0 specific requests received | Number of received SAP specific request messages
0 GNS requests received | Number of received SAP GNS request messages
0 general responses sent | Number of sent SAP general response messages
0 specific responses sent | Number of sent SAP specific response messages
0 GNS responses sent | Number of sent SAP GNS response messages
0 periodic updates | Number of SAP periodic update messages sent by router
0 errors | Number of error SAP messages

ipx enable

Syntax
ipx enable [ node node ]
undo ipx enable

View
System view

Parameter
node: Node value of the router. It is a 48-bit value represented by a triplet of four-digit hexadecimal numbers separated by “-”. It is neither a broadcasting address nor a multicast address. If the parameter is not configured, the router will assign MAC address of the first Ethernet interface as its node value. If there is no Ethernet interface in the router, the system will assign a random node value based on the system clock.

Description
Using the ipx enable command, you can activate IPX. Using the undo ipx enable command, you can deactivate IPX and remove all IPX configurations simultaneously.

If you activate IPX again after executing the undo ipx enable command, the earlier IPX configuration cannot be restored.

Example
Enable IPX.
[3Com] ipx enable

Disable IPX.
[3Com] undo ipx enable

ipx encapsulation

Syntax
ipx encapsulation [ dot2 | dot3 | ethernet-2 | snap ]
undo ipx encapsulation

View
Ethernet Interface view

Parameter
dot2: Encapsulation format is Ethernet_802.2.
dot3: Encapsulation format is Ethernet_802.3.
ethernet-2: Encapsulation format is Ethernet_II.
snap: Encapsulation format is Ethernet_SNAP.

Description
Using the ipx encapsulation command, you can set IPX frame encapsulation format on Ethernet interface. Using the undo ipx encapsulation command, you can restore the default IPX frame encapsulation format. By default, IPX frame encapsulation format on Ethernet interface is dot3 (Ethernet_802.3). In WAN interfaces, IPX frame only supports PPP encapsulation.

Example
Configure IPX frame encapsulation format on the interface Ethernet0/1/0 as Ethernet_II.
[3Com-Ethernet 0/1/0] ipx encapsulation ethernet-2

Restore the default IPX frame encapsulation format on the interface Ethernet0/1/0.
[3Com-Ethernet 0/1/0] undo ipx encapsulation

ipx netbios-propagation

Syntax
ipx netbios-propagation
undo ipx netbios-propagation

View
Interface view

Parameter
None

Description
Using the ipx netbios-propagation command, you can configure the router to forward type 20 broadcast packets on the current interface. Using the undo ipx netbios-propagation command, you can disable the forwarding of type 20 packets. By default, type 20 broadcast packets will be discarded by the router rather than forwarded.

IPX type 20 packet is a packet for NetBIOS (Network Basic Input/Output System) defined by Novell NetWare.

Example
Enable the receipt and forwarding of type 20 broadcast packets.
[3Com-Ethernet 0/1/0] ipx netbios-propagation

Disable the receipt and forwarding of type 20 broadcast packets.
[3Com-Ethernet 0/1/0] undo ipx netbios-propagation

ipx network

Syntax
ipx network network-number
undo ipx network

View
Interface view

Parameter
network: Network ID of IPX interface in hex. It ranges from 0x1 to FFFFFFFD.

Description
Using the ipx network command, you can configure a network ID for an interface. Using the undo ipx network command, you can delete IPX network ID of an interface. By default, IPX is disabled on all interfaces after it is activated. There is no IPX network ID on the interface.

Example
Configure the interface Ethernet0/1/0 as IPX interface and assign it with a network ID.
[3Com-Ethernet 0/1/0] ipx network 675

Cancel the configuration of the interface Ethernet0/1/0 as IPX interface.
[3Com-Ethernet 0/1/0] undo ipx network

ipx rip import-route

Syntax
ipx rip import-route static
undo ipx rip import-route static

View
System view

Parameter
static: Imported static route.

Description
Using the ipx rip import-route static command, you can import static routes into RIP. RIP adds them in their route updates. Using the undo ipx rip import-route static command, you can disable the importation of static routes.

Example
Import a static route to RIP.
[3Com] ipx rip import-route static

ipx rip mtu

Syntax
ipx rip mtu bytes
undo ipx rip mtu

View
Interface view

Parameter
bytes: Maximum RIP updating packet size in bytes, ranging from 432 to 1500. By default, it is 432.

Description
Using the ipx rip mtu command, you can configure RIP updating packet size. Using the undo ipx rip mtu command, you can restore the default configuration.

By default, the maximum size of RIP updating packets is 432 bytes. In RIP updating packets, the size of each routing information item is 8 bytes and the size of IPX header and RIP header is 32 bytes. So an updating packet can carry up to 50 routing information items.

Example
Configure the maximum size of RIP updating packets on the interface Ethernet1/0/0 to 500 bytes.
[3Com-Ethernet1/0/0] ipx rip mtu 500

ipx rip multiplier

Syntax
ipx rip multiplier multiplier
undo ipx rip multiplier

View
System view

Parameter
multiplier: It is used to calculate the aging period of RIP routing information table items, ranging from 1 to 1000. By default, the value is 3. The actual aging time is the value of multiplier multiplied by the RIP updating interval.

Description
Using the ipx rip multiplier command, you can configure the aging period of RIP routing information table items. Using the undo ipx rip multiplier command, you can restore the default configuration. By default, RIP aging period is 3 times the updating interval.

Routers may contain a timer for each item in their routing information table, which keeps track of elapsed time since the route was received. Every time the updating packet containing the routing information is received, the timer is reset to zero. If a RIP route is not updated in a period of time, the system will regard the route as no longer valid and delete it from the routing table.

For the related command, see ipx rip timer update.

Example
Configure the RIP aging period of routing information table items to 5 times the updating interval.
[3Com] ipx rip multiplier 5

ipx rip timer update

Syntax
ipx rip timer update seconds
undo ipx rip timer update

View
System view

Parameter
seconds: RIP updating interval in second, ranging from 10 to 60000.

Description
Using the ipx rip timer update command, you can configure RIP updating interval. Using the undo ipx rip timer update command, you can restore the default value of RIP updating interval. By default, the RIP updating interval is 60 seconds.

On a network, routers need to constantly exchange routing information with each other to keep routing information consistent with actual network topology. In RIP, directly connected routers periodically send updating packets to each other.

The changes of RIP updating interval will affect aging period.

For the related command, see ipx rip multiplier.

Example
Configure RIP updating interval to 30 seconds.
[3Com] ipx rip timer update 30

ipx route

Syntax
ipx route-static network [ network.node | interface-type interface-num | interface-name ] [ preference value ] [ tick ticks hop hops ]
undo ipx route-static { network [ network.node | interface-type interface-num | interface-name ] | all }

View
System view

Parameter
network: Destination network ID of the IPX static route. It is an 8-bit hexadecimal number, ranging from 1 to 0xFFFFFFFE.
network.node: The next hop address of the IPX static route. network is the network ID of the next hop. node is a triplet of four-bit hexadecimal numbers separated by "-", each ranging from 1 to 0xFFFF.
interface-type: Outgoing interface type. Only interfaces with PPP encapsulation are supported. It can be a Serial or POS interface.
interface-num: Outgoing interface number.
interface-name: Outgoing interface name.
preference: Route preference. The preference of directly connected routes is fixed to 0 and cannot be changed. By default, the preference of an active IPX static route is 60 and can be configured. The preference of dynamic IPX routes is fixed to 100 and cannot be changed.
value: Route preference value, ranging from 0 to 255. The smaller the value, the higher the preference.

ticks: The time needed to reach the destination network (1 tick = 1/18 second). By default, it is the tick value of the outgoing interface. Interfaces of different types have different default tick values. The tick value of an Ethernet interface is 1 and that of a Serial interface is 6. When the tick value of an interface is modified, the tick value of the corresponding static route also changes.
hops: Number of routers passed on the way to the destination network. By default, the value is 1.
all: All IPX static routes.

Description
Using the ipx route-static command, you can configure an IPX static route. Using the undo ipx route-static command, you can delete a static route.
The system regards the IPX static route with destination network ID -2 (0xFFFFFFFE) as the default route.

Example
Configure an IPX static route with destination network ID being 0x5a, the next hop being 1000.0-0c91-f61f, ticks 10 and hops 2.
[3Com] ipx enable
[3Com] ipx route-static 5a 1000.0-0c91-f61f tick 10 hop 2

Configure the default IPX route with the next hop being 3.4a-60-7, ticks 10, hops 2 and preference 20.
[3Com] ipx enable
[3Com] ipx route-static -2 3.4a-60-7 tick 10 hop 2 preference 20

Configure an IPX static route with destination network ID being 3a, outgoing interface being Serial1/0/0, ticks 10, hops 2 and preference 30.
[3Com] ipx enable
[3Com] ipx route-static 3a serial 1/0/0 tick 10 hop 2 preference 30

ipx route load-balance-path

Syntax
ipx route load-balance-path paths
undo ipx route load-balance-path

View
System view

Parameter
paths: The maximum number of equivalent routes to the same destination address, ranging from 1 to 64. By default, the value is 1.

Description
Using the ipx route load-balance-path command, you can configure the number of equivalent routes to the same destination address. Using the undo ipx route load-balance-path command, you can restore the default configuration.

The number of equivalent routes to the same destination address is the maximum number of active equivalent routes in the current system. If the newly configured value is less than the current number of active routes, the system changes the excess active routes to inactive status.

Example
Configure the number of equivalent routes to the same destination address to 30.
[3Com] ipx route load-balance-path 30

ipx route max-reserve-path

Syntax
ipx route max-reserve-path paths
undo ipx route max-reserve-path

View
System view

Parameter
paths: The maximum number of dynamic routes to the same destination address, ranging from 1 to 255. By default, the value is 4.

Description
Using the ipx route max-reserve-path command, you can configure the maximum number of dynamic routes to the same destination address. Using the undo ipx route max-reserve-path command, you can restore the default configuration.
When the number of dynamic routes to the same destination address exceeds the configured maximum, newly found dynamic routes are not added to the routing table but are discarded directly. If the newly configured value is less than the original one, the excess routes in the current routing table are not deleted until they age out or are deleted manually.

Example
Configure the maximum number of dynamic routes to the same destination address to 200.
[3Com] ipx route max-reserve-path 200

ipx sap disable

Syntax
ipx sap disable
undo ipx sap disable

View
Interface view

Parameter
None

Description
Using the ipx sap disable command, you can disable SAP on the current interface. Using the undo ipx sap disable command, you can enable SAP on the current interface.
By default, SAP is enabled on the interface as soon as IPX is enabled.

Example
Disable SAP on the interface Ethernet0/0/0.
[3Com-Ethernet0/0/0] ipx sap disable

Re-enable SAP on the interface Ethernet0/0/0.
[3Com-Ethernet0/0/0] undo ipx sap disable

ipx sap gns-disable-reply

Syntax
ipx sap gns-disable-reply
undo ipx sap gns-disable-reply

View
Interface view

Parameter
None

Description
Using the ipx sap gns-disable-reply command, you can disable IPX GNS reply on the current interface. Using the undo ipx sap gns-disable-reply command, you can enable IPX GNS reply on the current interface.
By default, GNS reply is enabled on an interface.

Example
Disable GNS reply on the interface Ethernet0/0/0.
[3Com-Ethernet0/0/0] ipx sap gns-disable-reply

Re-enable GNS reply on the interface Ethernet0/0/0.
[3Com-Ethernet0/0/0] undo ipx sap gns-disable-reply

ipx sap gns-load-balance

Syntax
ipx sap gns-load-balance
undo ipx sap gns-load-balance

View
System view

Parameter
None

Description
Using the ipx sap gns-load-balance command, you can configure the router to respond to GNS requests in round-robin mode, that is, all servers respond to GNS requests in turn. Using the undo ipx sap gns-load-balance command, you can configure the nearest server to respond to GNS requests.
By default, for a GNS request, a router informs all servers it knows to respond in round-robin mode to avoid overloading one server.
For the related command, see ipx sap gns-disable-reply.

Example
Configure the nearest server to respond to GNS requests.
[3Com] undo ipx sap gns-load-balance

Configure all servers to respond to GNS requests in round-robin mode.
[3Com] ipx sap gns-load-balance

ipx sap max-reserve-servers

Syntax
ipx sap max-reserve-servers length
undo ipx sap max-reserve-servers

View
System view

Parameter
length: The length of the dynamic service information reserve queue, ranging from 1 to 2048. By default, the value is 2048.

Description
Using the ipx sap max-reserve-servers command, you can configure the length of the service information reserve queue. Using the undo ipx sap max-reserve-servers command, you can restore the default configuration.
If the newly configured service information queue length is less than the present one, the items in the SIT are not deleted. If the number of service information items for the same service type exceeds the configured maximum, new service information is not added.

Example
Set the maximum length of the service information reserve queue to 1024.
[3Com] ipx sap max-reserve-servers 1024

ipx sap mtu

Syntax
ipx sap mtu bytes
undo ipx sap mtu

View
Interface view

Parameter
bytes: The maximum SAP packet size in bytes, ranging from 480 to 1500. By default, the value is 480.

Description
Using the ipx sap mtu command, you can configure the maximum size of a SAP updating packet. Using the undo ipx sap mtu command, you can restore the default configuration.
By default, the maximum size of a SAP updating packet is 480 bytes.
The size of the IPX header and SAP header is 32 bytes, so a 480-byte SAP updating packet contains 7 service information items (64 bytes each).

Example
Set the maximum size of SAP updating packets on the interface Ethernet1/0/0 to 674 bytes (carrying 10 service information items at most).
[3Com-Ethernet1/0/0] ipx sap mtu 674

ipx sap multiplier

Syntax
ipx sap multiplier multiplier
undo ipx sap multiplier

View
System view

Parameter
multiplier: Used to calculate the aging period of SAP service information table items, ranging from 1 to 1000. By default, the value is 3. When the updating interval is 60 seconds, the aging period is 60*3 = 180 seconds.

Description
Using the ipx sap multiplier command, you can configure the aging period of SAP service information table items. Using the undo ipx sap multiplier command, you can restore the default value of the SAP aging period.
By default, the aging period of SAP service information table items is 3 times the SAP updating interval.
For the related command, see ipx sap timer update.

Example
Set the aging period of SAP service information table items to be 5 times the updating interval.
[3Com] ipx sap multiplier 5

ipx sap timer update

Syntax
ipx sap timer update seconds
undo ipx sap timer update

View
System view

Parameter
seconds: SAP updating interval, ranging from 10 to 60000 seconds. By default, the value is 60 seconds.

Description
Using the ipx sap timer update command, you can configure the SAP updating interval. Using the undo ipx sap timer update command, you can restore the default value of the SAP updating interval.
When an interface adopts the trigger update method, this configuration does not take effect.
For the related commands, see ipx sap multiplier and ipx update-change-only.

Example
Configure the SAP updating interval to 300 seconds.
[3Com] ipx sap timer update 300
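
The timer and packet-size rules from the ipx rip multiplier, ipx rip timer update, ipx sap mtu, ipx sap multiplier and ipx sap timer update entries, as an added Python example that is not part of the 3Com manual: it reads configuration lines, checks each value against the documented range, and derives the aging periods and the number of service information items per SAP packet. The function names and the sample configuration are constructed for illustration, and the per-interface scope of ipx sap mtu is ignored.

```python
import re

# (low, high, default) for each setting, as stated in this command reference.
LIMITS = {
    "rip multiplier": (1, 1000, 3),
    "rip timer update": (10, 60000, 60),
    "sap multiplier": (1, 1000, 3),
    "sap timer update": (10, 60000, 60),
    "sap mtu": (480, 1500, 480),
}
SAP_HEADER_BYTES = 32  # IPX header plus SAP header
SAP_ITEM_BYTES = 64    # one service information item

# Optional "[prompt]" prefix, optional "undo", then one of the known settings.
LINE_RE = re.compile(
    r"^(?:\[[^\]]*\] ?)?(undo )?ipx (" + "|".join(LIMITS) + r")(?: (\d+))?$"
)

# Constructed sample input; the last line is deliberately out of range.
SAMPLE_CONFIG = """\
[3Com] ipx rip multiplier 5
[3Com] ipx rip timer update 30
[3Com] ipx sap multiplier 5
[3Com] ipx sap timer update 300
[3Com-Ethernet1/0/0] ipx sap mtu 674
[3Com] ipx rip timer update 5
"""


def parse_ipx_timers(config_text):
    """Return (effective values, problems) for the timer-related ipx lines."""
    values = {key: default for key, (_, _, default) in LIMITS.items()}
    problems = []
    for raw in config_text.splitlines():
        match = LINE_RE.match(" ".join(raw.split()))
        if not match:
            continue  # not one of the settings handled here
        undo, key, number = match.groups()
        low, high, default = LIMITS[key]
        if undo:
            values[key] = default  # "undo" restores the documented default
        elif number is None:
            problems.append(f"{key}: missing value")
        elif not low <= int(number) <= high:
            problems.append(f"{key}: {number} outside {low}-{high}")
        else:
            values[key] = int(number)
    return values, problems


def summarize(values):
    """Derive aging periods (multiplier x interval) and SAP items per packet."""
    return {
        "rip_aging_seconds": values["rip multiplier"] * values["rip timer update"],
        "sap_aging_seconds": values["sap multiplier"] * values["sap timer update"],
        "sap_items_per_packet":
            (values["sap mtu"] - SAP_HEADER_BYTES) // SAP_ITEM_BYTES,
    }


if __name__ == "__main__":
    effective, issues = parse_ipx_timers(SAMPLE_CONFIG)
    print(summarize(effective))
    for issue in issues:
        print("rejected:", issue)
```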

ipx service

Syntax
ipx service service-type name network.node socket hop hopcount preference preference
undo ipx service { { service-type [ name [ network.node ] ] [ preference preference ] } | all }

View
System view

Parameter
service-type: Service type, a 4-byte hexadecimal number. 0 indicates all service types.
name: The name of the server that provides the service, a character string with a maximum length of 48 bytes.
network.node: Network ID and node value of a server. The network ID is represented by an 8-bit hexadecimal number, ranging from 0x1 to 0xFFFFFFFD. Leading 0s can be omitted on input. The node value identifies a node in the network; it is 48 bits long and is represented by a triplet of 4-digit hexadecimal numbers separated by "-".
socket: Represented by a 4-bit hexadecimal number, ranging from 0x1 to 0xFFFF.
hop-count: The number of hops to the server in decimal, ranging from 1 to 15. Note that a hop count greater than or equal to 16 implies that the service is unreachable.
preference: The preference of service information, ranging from 1 to 255. The smaller the value, the higher the preference. By default, the preference of static service information table items is 60 and the preference of dynamic ones is 500.

Description
Using the ipx service command, you can add a static service information item to the SIT. Using the undo ipx service command, you can delete a static service information item from the SIT.
The NetWare server uses SAP to advertise service information and stores the service information in the SIT, which is dynamically updated by SAP. After a service information item is added to the SIT, users can access the service.

Example
Add a static service information item with service type 4, service name "FileServer", server network ID 130, node value 0000-0a0b-abcd, server hops 1 and server preference 60.
[3Com] ipx service 4 FileServer 130.0000-0a0b-abcd 451 hop 1 preference 60
[3Com] ipx service 4 FileServer 130.0000-0a0b-abcd 451 hop 1
[3Com] ipx service 114 MyServer 199.0000-0a0b-abcd 451 hop 10

Service information with server type 114 will not be advertised if there is no active route to the network 199.

ipx split-horizon

Syntax
ipx split-horizon
undo ipx split-horizon

View
Interface view

Parameter
None

Description
Using the ipx split-horizon command, you can enable split horizon on the current interface. Using the undo ipx split-horizon command, you can disable split horizon on the current interface.
By default, split horizon is enabled on the interface.
Split horizon is a way to avoid routing loops: routing information received from an interface is not permitted to be sent out of the same interface. The function does not take effect on point-to-point links.

Example
Enable split horizon on the interface Ethernet1/1/0.
[3Com-Ethernet1/1/0] ipx split-horizon

Disable split horizon on the interface Ethernet1/1/0.
[3Com-Ethernet1/1/0] undo ipx split-horizon

ipx tick

Syntax
ipx tick ticks
undo ipx tick

View
Interface view

Parameter
ticks: Delay time in ticks, ranging from 0 to 30000. One tick is 1/18 second (approximately 55 ms). By default, the delay of an Ethernet interface is 1 tick, that of an asynchronous serial port is 30 ticks and that of a WAN port is 6 ticks.

Description
Using the ipx tick command, you can configure the delay of an interface sending IPX packets. Using the undo ipx tick command, you can restore the default value of the interface delay.
Used as the IPX RIP delay field, the delay value configured by the ipx tick command is a basis for optimal route selection.

Example
Configure a delay of 5 ticks on the interface Ethernet1/0/0.
[3Com-Ethernet1/0/0] ipx tick 5

ipx update-change-only

Syntax
ipx update-change-only
undo ipx update-change-only

View
Interface view

Parameter
None

Description
Using the ipx update-change-only command, you can enable trigger update on the current interface. Using the undo ipx update-change-only command, you can disable trigger update on the current interface.
By default, trigger update is disabled on the interface.
IPX RIP and SAP periodically send updating broadcast packets. Users can configure trigger update to avoid broadcast floods.

Example
Enable trigger update on the interface Ethernet1/1/0.
[3Com-Ethernet1/1/0] ipx update-change-only

Disable trigger update on the interface Ethernet1/1/0.
[3Com-Ethernet1/1/0] undo ipx update-change-only

ping ipx

Syntax
ping ipx network.node [ -c count ] [ -t timeout ] [ -s size ]

View
Any view

Parameter
network.node: Ping destination address. The parameter network can be an eight-bit hexadecimal number ranging from 0x1 to 0xFFFFFFFD. Leading 0s can be omitted on input. The parameter node is a 48-bit value represented by a triplet of four-digit hexadecimal numbers separated by "-". Leading 0s of the node value cannot be omitted.
count: Number of Ping packets that are sent. By default, the value is 5.
timeout: The period of time to wait for a Ping response. By default, the value is 2 seconds.
size: Ping packet size. By default, the value is 100 bytes.

Description
Using the ping ipx command, you can check host reachability and network connectivity in an IPX network.

Example
Ping the system whose destination address is 675.0000-a0b0-fefe with default parameters.
<3Com> ping ipx 675.0000-a0b0-fefe

reset ipx statistics

Syntax
reset ipx statistics

View
User view

Parameter
None

Description
Using the reset ipx statistics command, you can clear the IPX statistics kept by the system.

Example
Clear IPX statistics.
<3Com> reset ipx statistics

reset ipx routing-table statistics

Syntax
reset ipx routing-table statistics protocol [all | default | direct | rip | static]

View
User view

Parameter
all: Clears the statistical information of all types of IPX routes.
default: Clears the statistical information of the default IPX route type.
direct: Clears the statistical information of directly connected IPX routes.
rip: Clears the statistical information of IPX RIP routes.
static: Clears the statistical information of static IPX routes.

Description
The reset ipx routing-table statistics command is used to clear the statistical information of a specified type of IPX route. This information can be shown on the terminal using the display ipx routing-table statistics command.

Example
Add 5 IPX static routes to the router, then delete them, and then add another 9 IPX static routes. The IPX route statistical information would be as follows:
[3Com]dis ipx routing-table statistics
Routing tables:
Proto/State   route   active   added   deleted   freed
Direct        1       1        1       0         0
Static        9       9        14      5         5
RIP           0       0        0       0         0
Default       0       0        0       0         0
Total         10      10       15      5         5
[3Com]

Clear the IPX static route statistics.
<3Com>reset ipx routing-table statistics protocol static
This will erase the specific routing counters information.
Are you sure?[Y/N]y
<3Com>

The displayed statistical information shows that all three items (add, delete, freed) of the static route have changed to 0, and the Total item below has also changed accordingly.
<3Com>dis ipx routing-table statistics

DLSw Configuration Commands
bridge-set (in synchronous serial interface view)

Syntax
bridge-set bridge-set-number
undo bridge-set bridge-set-number

View
Synchronous serial interface view

Parameter
bridge-set-number: The number of the bridge group that the synchronous serial port is to be added into, ranging from 1 to 63.

Description
Using the bridge-set (in synchronous serial interface view) command, you can add a synchronous serial interface encapsulated with SDLC into the bridge group. Using the undo bridge-set (in synchronous serial interface view) command, you can delete the interface from the DLSw bridge group.
By default, no synchronous serial port is added into the bridge group.
For an SDLC-encapsulated synchronous serial port to join DLSw forwarding, the SDLC interface needs to be added into a bridge group by using this command. The difference is that a bridge group on an Ethernet interface joins local forwarding, while a bridge group configured on an SDLC interface only joins DLSw forwarding, that is, all the data on it is forwarded onto the TCP tunnel.
If the command is configured in Ethernet interface view, the Ethernet interfaces with the same group number on the router can forward packets transparently. Packets cannot, however, be transferred transparently between serial ports. Each serial port only exchanges packets with the remote end.

Example
Add Serial1/0/0 into the DLSw bridge group numbered 20.
[3Com] dlsw bridge-set 20
[3Com] interface Serial1/0/0
[3Com-Serial1/0/0] bridge-set 20

bridge-set (in the Ethernet Interface view)

Syntax
bridge-set bridge-set-number
undo bridge-set bridge-set-number

View
Ethernet Interface view

Parameter
bridge-set-number: The number of the bridge group that the Ethernet interface is added into, ranging from 1 to 63.

Description
Using the bridge-set (in the Ethernet Interface view) command, you can add the Ethernet interface into the bridge group. Using the undo bridge-set (in the Ethernet Interface view) command, you can delete the interface from the DLSw bridge group.
By default, no Ethernet interface is added into the bridge group.

After an Ethernet interface is added into the bridge group, the LLC2 packets on the Ethernet interface can be sent to the remote peer through the related TCP tunnel.

Example
Add the Ethernet1/0/0 interface into the DLSw bridge group numbered 20.
[3Com] dlsw bridge-set 20
[3Com] interface Ethernet1/0/0
[3Com-Ethernet1/0/0] bridge-set 20

code nrzi

Syntax
code nrzi
undo code

View
Synchronous serial interface system view

Parameter
None

Description
Using the code nrzi command, you can configure NRZI encoding on the synchronous serial port. Using the undo code nrzi command, you can remove NRZI encoding from the synchronous serial port.
By default, NRZ encoding is configured on the synchronous serial port.
Two coding schemes, NRZI and NRZ, are available on the synchronous serial port. The NRZ coding scheme is generally used on the router, but the serial ports of some SNA devices use the NRZI coding scheme. The coding scheme of the router therefore needs to be changed to match the encoding of the connected device.

Example
Configure NRZI encoding on Serial1/0/0.
[3Com-Serial1/0/0] code nrzi

debugging dlsw

Syntax
debugging dlsw { circuit [ correlator ] | tcp [ ip-address ] }
undo debugging dlsw { circuit [ correlator ] | tcp [ ip-address ] }

View
User view

Parameter
circuit: Enables the DLSw circuit debugging.
correlator: Distinguishes different IDs of the circuits.
tcp: Enables the debugging of the DLSw peers.

ip-address: IP address.

Description
Using the debugging dlsw command, you can enable the DLSw debugging. Using the undo debugging dlsw command, you can disable the DLSw debugging.

debugging llc2

Syntax
debugging llc2 circuit [ correlator ]
undo debugging llc2 circuit [ correlator ]

View
User view

Parameter
correlator: Distinguishes different IDs of the circuits.

Description
Using the debugging llc2 command, you can enable the LLC2 debugging. Using the undo debugging llc2 command, you can disable the LLC2 debugging.

debugging sdlc

Syntax
debugging sdlc [ all | event | packet ]
undo debugging sdlc { all | event | packet }

View
User view

Parameter
all: Enables all debuggings of the SDLC.
event: Enables the SDLC event debugging.
packet: Enables the SDLC packet debugging.

Description
Using the debugging sdlc command, you can enable the SDLC debugging. Using the undo debugging sdlc command, you can disable the SDLC debugging.

display dlsw bridge-entry

Syntax
display dlsw bridge-entry [ interface-name | interface-type interface-number ]

View
Any view

Parameter
None

Description
Using the display dlsw bridge-entry command, you can view the bridge group information.

Example
Display the bridge group information.
<3Com> display dlsw bridge-entry
Mac_entry        Port            group   hashIndex
0000.e81c.b6bf   Ethernet0/0/0   1       79

display dlsw circuits

Syntax
display dlsw circuits [ circuit-id ] [ verbose ]

View
Any view

Parameter
circuit-id: Displays the virtual circuit number of the specified DLSw.
verbose: Displays the detailed information of the virtual circuits.

Description
Using the display dlsw circuits command, you can view the DLSw virtual circuits. The output of this command helps the user understand the state of the DLSw virtual circuits.

Example
Display the general information of the virtual circuits.
<3Com> display dlsw circuits
Correlator   Local addr(LSAP)     Remote addr(RSAP)    State
2ce0005      0020.357b.e065 (4)   0000.1738.6dfd (4)   CONNECTED

Syntax description:
Correlator: Distinguishes different IDs of the circuits.
Local addr(LSAP): Local MAC address, with the "lsap" being the last SAP used by the local device.
Remote addr(RSAP): Remote MAC address, with the "rsap" being the last SAP used by the remote device.
State: State of the links.

Display the detailed information of the virtual circuits.
<3Com> display dlsw circuits verbose
Correlator   Local addr(LSAP)     Remote addr(RSAP)    State
2ce0005      0020.357b.e065 (4)   0000.1738.6dfd (4)   CONNECTED
Port Ethernet 0/0/0 Direction:ORIGIN
Connection Time: 14:19:49
Flow Control: Transmit CW:40 GT:0 Receive CW:40 GT:0
Info-Frame: Transmit:0 Receive:0 Drop:0

display dlsw information

Syntax
display dlsw information [ local ] [ ip-address ]

View
Any view

Parameter
local: Displays the local exchange capability information.
ip-address: Displays the exchange capability information of the specified IP address.

Description
Using the display dlsw information command, you can view the DLSw exchange capability information. The output of the command helps the user understand the status of the DLSw virtual circuit and perform fault diagnosis.

Example
Display the general information of exchange capability.
<3Com> display dlsw information
DLSw: Capabilities for peer 10.10.20.1:
Vendor ID (OUI)          : '00000c' (3Com)
Version number           : 01
Release number           : 00
Init Pacing Window       : 40
Num of TCP sessions      : 01
Mac address exclusive    : no
NetBIOS Name exclusive   : no
Mac address List         : none
NetBIOS Name List        : none
Configured IP address    : 14.0.0.1
Version string           : Copyright (c) 1997-2002 3Com TECH CO., LTD.


Syntax description:
Version number: RFC 1795
Release number: Release version of RFC 1795
Init Pacing Window: Size of the initiated window
Num of TCP sessions: Number of TCP sessions
Mac address exclusive: Reachable MAC address registered in the router
NetBIOS Name exclusive: Reachable NetBIOS address registered in the router
Mac address List: Reachable MAC address list
NetBIOS Name List: Reachable NetBIOS address
Configured IP address: Local IP address
Version string: Version number of 3Com's router operating system

Display the local exchange capability information.

<3Com> display dlsw information local
DLSw: Capabilities for local:
Vendor ID (OUI)          : '00e0fc' (3Com)
Version number           : 1
Release number           : 0
Init Pacing Window       : 40
Num of TCP sessions      : 1
Mac address exclusive    : no
NetBIOS Name exclusive   : no
Mac address List         : none
NetBIOS Name List        : none
Configured IP address    : 12.0.0.1
Version string           : Copyright (c) 1997-2002 3Com TECH CO., LTD.

display dlsw remote

Syntax
display dlsw remote [ ip-address ]

View
Any view

Parameter
ip-address: Displays the information of the remote peer with the specified IP address or of all the remote peers.

Description
Using the display dlsw remote command, you can view the information of the remote peers. The output helps the user understand the connection state between the DLSw and the remote peers.

Example
Display the information of the remote peers.
<3Com> display dlsw remote
Peers:            State        pkts_rx   pkts_tx   drops   uptime
*TCP 11.0.0.1     DISCONNECT   0         0         0       00:00:00
*TCP 13.0.0.1     DISCONNECT   0         0         0       00:00:00
*TCP 14.0.0.1     CONNECT      1897      1899      0       14:26:22

Syntax description:
*TCP: The * mark indicates that the connection can be created on the peer. If there is no * mark before TCP, the peer is an inactivated backup peer.
Peers: The IP address used by PEER.
State: The PEER state.
pkts_rx: The number of packets received by PEER.
pkts_tx: The number of packets sent by PEER.
drops: The number of packets dropped by PEER.
uptime: The connecting time.

display llc2

Syntax
display llc2 [ circuit correlator ]

View
Any view

Parameter
correlator: ID used to distinguish different circuits.

Description
The display llc2 command is used to display statistical information of LLC2.

Example
Display the statistical information of LLC2.
<3Com> display llc2 circuit 46465025
llc2 circuit index 46465025
Local MAC 0.20.35.7b.e0.65
Remote MAC 0. 0.84.25.1e.e9
Local Sap 4
Remote Sap 4
Role secondary
State : NORMAL

dlsw bridge-set

Syntax
dlsw bridge-set bridge-set-number
undo dlsw bridge-set bridge-set-number

View
System view

Parameter
bridge-set-number: ID of the bridge group, ranging from 1 to 63, valid locally.

Description
Using the dlsw bridge-set command, you can configure the bridge group to connect to DLSw. Using the undo dlsw bridge-set command, you can delete the bridge group.
To forward packets of a specified bridge group to the remote end through the TCP connection, a local bridge group needs to be connected with the DLSw by using this command, so that packets of the local bridge group can be sent to the remote end through the TCP tunnel. This command can be used many times to connect many bridge groups with the DLSw and make them all capable of joining the forwarding through the TCP tunnel.

Example
Configure the bridge group connected with the DLSw, with the ID of the bridge group being 20.
[3Com] dlsw bridge-set 20

dlsw enable

Syntax
dlsw enable
undo dlsw enable

View
System view

Parameter
None

Description
Using the dlsw enable command, you can enable the DLSw performance. Using the undo dlsw enable command, you can suspend the DLSw performance.
By default, the DLSw performance is enabled.
After this command is performed, the system will release all dynamic resources, but retain the original configuration.

Example
Suspend the DLSw performance.
[3Com] undo dlsw enable

Enable the DLSw performance.
[3Com] dlsw enable

dlsw local

Syntax
dlsw local ip-address [ init-window init-window-size ] [ keepalive keepalive-interval ] [ max-frame max-frame-size ] [ max-window max-window-size ] [ permit-dynamic ]
undo dlsw local ip-address [ init-window ] [ keepalive ] [ max-frame ] [ max-window ] [ permit-dynamic ]

View
System view

Parameter
ip-address: IP address of the created local peer.
init-window-size: Size of the initialized local response window, ranging from 1 to 2000.
keepalive-interval: Time interval for sending the "keepalive", ranging from 0 to 1200 seconds.
max-frame-size: Maximum length of the packet, which can be 516, 1470, 1500, 2052, 4472, 8144, 11407, 11454, or 17800 bytes.
max-window-size: Size of the maximum local response window, ranging from 1 to 2000.

permit-dynamic: Permits a remote router that is not preconfigured to initiate connections and dynamically create peers. With this parameter, the remote peer does not need to be configured on the local end, and the local peer waits for the connection initiated by the remote peer.

Description
Using the dlsw local command, you can create the DLSw local peer. Using the undo dlsw local command, you can delete the local peer or restore the default values of the parameters.
The default init-window-size is 40. The default keepalive-interval is 30 seconds. The default max-frame-size is 1500 bytes. The default max-window-size is 50.
Creating the TCP tunnel is the first step in establishing the DLSw connection. To create the TCP tunnel, the DLSw local peer must first be configured to specify the local IP address used for the TCP connection, before the TCP connection request initiated by the remote router can be received. A router can only have one local peer.

Example
Create the DLSw local peer, with the IP address being 1.1.1.1, the size of the local response window being 50, the time interval for sending the "keepalive" being 40 seconds, and both the maximum length of the packet (max-frame-size) and the size of the maximum local response window being the default values.
[3Com] dlsw local 1.1.1.1 init-window 50 keepalive 40

dlsw remote

Syntax
dlsw remote ip-address [ backup backup-address ] [ priority priority ] [ keepalive keepalive-interval ] [ max-frame max-frame-size ] [ max-queue max-queue-length ] [ linger minutes ]
undo dlsw remote ip-address

View
System view

Parameter
ip-address: Specifies the IP address of the remote peer.
backup backup-address: The backup IP address of the remote peer.
priority priority: Transmission cost, ranging from 1 to 5.
keepalive keepalive-interval: Time interval for sending the "keepalive" packet, ranging from 0 to 1200 seconds.
max-frame max-frame-size: Maximum length of the packet, which can be 516, 1470, 1500, 2052, 4472, 8144, 11407, 11454, or 17800 bytes.
max-queue max-queue-length: Size of the TCP sending/receiving queue, ranging from 50 to 2000.
linger minutes: Linger time of the backup connection after the primary peer is disconnected, ranging from 0 to 1440 minutes.

Description
Using the dlsw remote command, you can create the DLSw remote peer. Using the undo dlsw remote command, you can delete the remote peer.
The default priority is 3. The default keepalive-interval is 30 seconds. The default max-frame-size is 1500 bytes. The default max-queue-length is 200. The default seconds is 90 seconds. The default minutes are 5 minutes.
After the local peer is configured, the remote peer needs to be configured to create the TCP tunnel. The router keeps attempting to create the TCP connection with the remote router. A router can be configured with several remote peers so as to create TCP tunnels with several remote routers.
Pay special attention to the following when creating the remote backup-address:
1 To create the remote backup-address, ip-address should be the IP address of the backup peer, and backup backup-address should be the IP address of the remote primary peer with which the TCP connection has already been created. In other words, before creating the remote backup peer connection, ensure that the local end has created the TCP connection with a remote primary peer. If the backup peer is created at the same time as the remote peer is first created, the system prompts the following information:
Primary peer ip address does not exist

This prompt indicates that the user should first create a remote primary peer before creating the backup peer.
2 If the backup link still exists after the TCP connection of the primary link is interrupted, the TCP link is retained (the display dlsw remote command shows that a TCP connection still exists) until the backup link's linger minutes have also timed out.

Example
Create the DLSw remote peer, with the IP address being 2.2.2.2, the transmission cost being 2, the time interval for sending the "keepalive" being 40 seconds, the maximum length lf-size of the packet being the default value, and the size of the TCP sending/receiving queue being 300.
[3Com] dlsw remote 2.2.2.2 priority 2 keepalive 40 max-queue 300

dlsw timer

Syntax
dlsw timer [ connect seconds ] [ explorer-wait seconds ] [ local-pending seconds ] [ remote-pending seconds ] [ cache seconds ] [ explorer seconds ]
undo dlsw timer

View
System view

Parameter
connect seconds: The holding time of a connection, ranging from 1 second to 65535 seconds. The default value is 300 seconds.
explorer-wait seconds: The waiting time of local explorer frames, ranging from 1 second to 65535 seconds. The default value is 30 seconds.
local-pending seconds: The local pending time, ranging from 1 second to 65535 seconds. The default value is 30 seconds.
remote-pending seconds: The remote pending time, ranging from 1 second to 65535 seconds. The default value is 30 seconds.
cache seconds: Address saving time in SNA cache, ranging from 1 second to 65535 seconds. The default value is 120 seconds.
explorer seconds: The waiting time of remote explorer frames, ranging from 1 second to 65535 seconds. The default value is 30 seconds.

Description
Using the dlsw timer command, you can configure the DLSw timer parameters. Using the undo dlsw timer command, you can restore the default value of the DLSw timer parameters.
By configuring the DLSw timer, the various timers that DLSw uses to create the virtual circuit can be revised, but users are advised not to change the DLSw timer parameters arbitrarily.

Example
Configure the DLSw timer parameters, with the connected timeout being 200 seconds, the waiting timeout of the local explorer frame being 15 seconds, the local waiting timeout being 15 seconds, the remote peer waiting timeout being 25 seconds, the SNA cache address timeout being the default value and the waiting timeout of the remote explorer frame being the default value.
[3Com] dlsw timer connect 200 explorer-wait 15 local-pending 15 remote-pending 25

idle-mark

Syntax
idle-mark
undo idle-mark

View
Synchronous serial interface view

Parameter
None

Description
Using the idle-mark command, you can configure the idle coding scheme of the synchronous serial port. Using the undo idle-mark command, you can restore the default idle coding scheme of the synchronous serial port.
By default, the synchronous serial port adopts the “7E” coding scheme.
3Com series routers encapsulate “7E” in the packets to identify the idle time of the SDLC serial interface, but some SDLC devices use an all-“1” high level instead. For better compatibility with such devices, the idle coding scheme of the router needs to be changed. Sometimes, when connecting with the AS/400, this command needs to be configured to change the idle coding scheme and accelerate the AS/400 polling speed.

Example
Configure the idle coding scheme of the synchronous serial port on the Serial1/0/0 as idle-mark.
[3Com-Serial1/0/0] idle-mark

link-protocol sdlc

Syntax
link-protocol sdlc

View
Synchronous serial interface view

Parameter
None

Description
Using the link-protocol sdlc command, you can change the link layer encapsulation protocol of the synchronous serial interface to SDLC.
By default, the link layer protocol encapsulated on the synchronous serial interface is PPP.
SDLC is a link layer protocol related to SNA, with a working principle similar to that of HDLC. For DLSw to work normally, the link layer encapsulation protocol of the synchronous serial interface should be changed to SDLC.
Note that all IP-related commands on the interface should be removed before encapsulating SDLC (for example, delete the IP address on the interface), as the SDLC link protocol cannot be used to carry the IP protocol.

Example
Configure the encapsulation protocol on the Serial1/0/0 as SDLC.
[3Com-Serial1/0/0] link-protocol sdlc

llc2 max-ack

Syntax
llc2 max-ack length
undo llc2 max-ack

View
Ethernet Interface view

Parameter
length: Length of the LLC2 advance response window, ranging from 1 to 127.

Description
Using the llc2 max-ack command, you can configure the length of the advance response window before LLC2 sends the acknowledgement frame. Using the undo llc2 max-ack command, you can restore the default length of the advance response window before LLC2 sends the acknowledgement frame.
By default, the length of the LLC2 advance response window is 3.
The LLC2 advance response window refers to the maximum number of information frames that can be received before the acknowledgement frame is sent, that is, the response packet is sent in advance on receiving packet n.

Example
Configure the length of the advance response window before the LLC2 sends the acknowledgement frame as 5.
[3Com-Ethernet1/0/0] llc2 max-ack 5

llc2 max-send-queue

Syntax
llc2 max-send-queue length
undo llc2 max-send-queue

View
Ethernet Interface view

Parameter
length: The length of the queue for sending LLC2 packets, ranging from 20 to 200.

Description
Using the llc2 max-send-queue command, you can configure the length of the queue for sending LLC2 packets. Using the undo llc2 max-send-queue command, you can restore the default length of the queue for sending LLC2 packets.
By default, the length of the queue for sending LLC2 packets is 100.

Example
Configure the length of the queue for sending LLC2 packets as 30.
[3Com-Ethernet1/0/0] llc2 max-send-queue 30

llc2 max-transmission

Syntax
llc2 max-transmission retries
undo llc2 max-transmission

View
Ethernet Interface view

Parameter
retries: LLC2 retransmission times, ranging from 1 to 255.

Description
Using the llc2 max-transmission command, you can configure the retransmission times of the LLC2. Using the undo llc2 max-transmission command, you can restore the default retransmission times of the LLC2.
By default, the LLC2 retransmission times is 20.
The LLC2 retransmission times refers to the number of times information frames are resent before the acknowledgement frame is received from the peer end.

Example
Configure the LLC2 retransmission times as 10 times.
[3Com-Ethernet1/0/0] llc2 max-transmission 10

llc2 modulo

Syntax
llc2 modulo n
undo llc2 modulo

View
Ethernet Interface view

Parameter
n: The modulus of the LLC2, with the available values of 8 or 128.

Description
Using the llc2 modulo command, you can configure the modulus of the LLC2. Using the undo llc2 modulo command, you can restore the default modulus of the LLC2.
By default, the modulus of the LLC2 is 128.
LLC2, like X.25, uses a modulus to number information packets, and the modulus of LLC2 is 8 or 128. Ethernet generally uses modulus 128.

Example
Restore the default modulus of the LLC2.
[3Com-Ethernet1/0/0] undo llc2 modulo

llc2 receive-window

Syntax
llc2 receive-window length
undo llc2 receive-window

View
Ethernet Interface view

Parameter
length: Length of the local response window, ranging from 1 to 127.

Description
Using the llc2 receive-window command, you can configure the maximum number of packets that can be sent before the LLC2 receives the acknowledgement frame. Using the undo llc2 receive-window command, you can restore the default value of the maximum number of packets that can be sent before the acknowledgement frame is received.
By default, the length of the LLC2 local response window is 7.
The LLC2 local response window refers to the maximum number of packets that can be sent continuously before the acknowledgement frame is received.

Example
Configure the maximum number of packets that can be sent before the LLC2 receives the acknowledgement frame as 10.
[3Com-Ethernet1/0/0] llc2 receive-window 10

llc2 timer ack

Syntax
llc2 timer ack mseconds
undo llc2 timer ack

View
Ethernet Interface view

Parameter
mseconds: LLC2 local response time, ranging from 1 to 60000 ms.

Description
Using the llc2 timer ack command, you can configure the LLC2 local response time. Using the undo llc2 timer ack command, you can restore the default value of the LLC2 local response time.
By default, the LLC2 local response time is 200 ms.
The LLC2 local response time refers to the maximum waiting time for the response from the peer end after an LLC2 data packet is sent.

Example
Configure the LLC2 local response time as 10 ms.
[3Com-Ethernet1/0/0] llc2 timer ack 10

llc2 timer ack-delay

Syntax
llc2 timer ack-delay mseconds
undo llc2 timer ack-delay

View
Ethernet Interface view

Parameter
mseconds: Local acknowledgement delay time on receiving information frames, ranging from 1 to 60000 ms.

Description
Using the llc2 timer ack-delay command, you can configure the local acknowledgement delay time when the LLC2 receives information frames. Using the undo llc2 timer ack-delay command, you can restore the default value of the local acknowledgement delay time when the LLC2 receives information frames.
By default, the LLC2 local acknowledgement delay time is 100 ms.
The LLC2 local acknowledgement delay time refers to the maximum waiting time for delayed acknowledgement on receiving an LLC2 data packet.

Example
Configure the local acknowledgement delay time for received information frames as 200 milliseconds.
[3Com-Ethernet1/0/0] llc2 timer ack-delay 200

llc2 timer busy

Syntax
llc2 timer busy mseconds
undo llc2 timer busy

View
Ethernet Interface view

Parameter
mseconds: The LLC2 BUSY time, ranging from 1 to 60000 ms.

Description
Using the llc2 timer busy command, you can configure the LLC2 BUSY time. Using the undo llc2 timer busy command, you can restore the default value of the LLC2 BUSY time.
By default, the LLC2 BUSY time is 300 ms.
The LLC2 BUSY time refers to the waiting time before repolling a busy station.

Example
Configure the LLC2 BUSY time as 200 ms.
[3Com-Ethernet1/0/0] llc2 timer busy 200

llc2 timer poll

Syntax
llc2 timer poll mseconds
undo llc2 timer poll

View
Ethernet Interface view

Parameter
mseconds: LLC2 P/F waiting time, ranging from 1 to 60000 ms.

Description
Using the llc2 timer poll command, you can configure the P/F waiting time of the LLC2. Using the undo llc2 timer poll command, you can restore the default value of the LLC2 P/F waiting time.
By default, the LLC2 P/F waiting time is 5000 ms.
The LLC2 P/F waiting time refers to the time spent waiting for the acknowledgement frame after a P frame is sent.

Example
Configure the LLC2 P/F waiting time as 2000 ms.
[3Com-Ethernet1/0/0] llc2 timer poll 2000

llc2 timer reject

Syntax
llc2 timer reject mseconds
undo llc2 timer reject

View
Ethernet Interface view

Parameter
mseconds: The LLC2 REJ time, ranging from 1 to 60000 ms.

Description
Using the llc2 timer reject command, you can configure the REJ time of the LLC2. Using the undo llc2 timer reject command, you can restore the default value of the LLC2 REJ time.
By default, the LLC2 REJ time is 500 ms.
The LLC2 REJ time refers to the waiting time for the acknowledgement frame after a reject (REJ) frame is sent.

Example
Configure the LLC2 REJ time as 2000 ms.
[3Com-Ethernet1/0/0] llc2 timer reject 2000

reset dlsw bridge-entry

Syntax
reset dlsw bridge-entry

View
User view

Parameter
None

Description
Using the reset dlsw bridge-entry command, you can clear the entry cache information in the DLSw bridge group.

Example
Clear the entry cache information in the DLSw bridge group.
<3Com> reset dlsw bridge-entry

reset dlsw circuits

Syntax
reset dlsw circuits [ circuit-id ]

View
User view

Parameter
circuit-id: The virtual circuit ID of DLSw, ranging from 0 to 4294967295.

Description
Using the reset dlsw circuits command, you can clear the DLSw virtual circuit information.

Example
Clear the virtual circuit information with the virtual circuit number of 100.
<3Com> reset dlsw circuits 100

sdlc controller

Syntax
sdlc controller sdlc-address
undo sdlc controller sdlc-address

View
Synchronous serial interface view

Parameter
sdlc-address: The secondary station address of the SDLC.

Description
Using the sdlc controller command, you can configure the secondary station address of the SDLC. Using the undo sdlc controller command, you can delete the secondary station address of the SDLC.
By default, the secondary station address of the SDLC is not configured.
The SDLC protocol permits several virtual circuits to run on a single SDLC physical link, with one end connected to the primary station and the other end connected to the secondary station. To distinguish the virtual circuits, their SDLC addresses need to be designated. Because SDLC is in unbalanced mode, a primary device can connect with several secondary devices by means of a shared machine or SDLC switches, while the secondary devices cannot be connected with each other. There can be only one primary device, if any. In this sense, the SDLC devices in the same group can be guaranteed to communicate with each other normally only if the addresses of the secondary devices are specified.
This command specifies the SDLC address, which is unique on a physical interface, for the virtual circuit. The SDLC address configured on a synchronous serial interface is in effect the address of the SDLC secondary station.
The SDLC address ranges from 0x01 to 0xFE. The SDLC address of a router is only valid on one physical interface, that is, the SDLC addresses configured on different interfaces can be the same.

Example
Configure the secondary station address of the SDLC on the Serial1/0/0 as 0x05.
[3Com-Serial1/0/0] sdlc controller 05


sdlc mac-map local

Syntax
sdlc mac-map local mac-address
undo sdlc mac-map local

View
Synchronous serial interface view

Parameter
mac-address: The virtual MAC address of the SDLC.

Description
Using the sdlc mac-map local command, you can configure the virtual MAC address of the SDLC. Using the undo sdlc mac-map local command, you can delete the virtual MAC address of the SDLC.
By default, the SDLC has no virtual MAC address.

Example
Configure the virtual MAC address of the SDLC.
[3Com-Serial1/0/0] sdlc mac-map local 0000-e81c-b6bf

sdlc mac-map remote

Syntax
sdlc mac-map remote mac-addr sdlc-addr
undo sdlc mac-map remote mac-addr sdlc-addr

View
Synchronous serial interface view

Parameter
mac-addr: The MAC address of the SDLC peer.
sdlc-addr: The SDLC address of the SDLC peer.

Description
Using the sdlc mac-map remote command, you can configure the SDLC peer. Using the undo sdlc mac-map remote command, you can delete the SDLC peer.
By default, the synchronous serial interface has no peer.
This command specifies the MAC address of the peer end for an SDLC virtual circuit, so as to provide the destination MAC address when SDLC is transformed into LLC2. When configuring DLSw, a related partner (peer) should be configured for an SDLC address. The MAC address of the partner (peer) should be the MAC address of the remote SNA device (the physical address of a device such as an Ethernet or Token-Ring device), or the MAC address of the peer end compounded by the SDLC.

Example
Configure the SDLC peer.
[3Com-Serial1/0/0] sdlc mac-map remote 00E0-FC00-0010 0x05


sdlc max-pdu

Syntax
sdlc max-pdu n
undo sdlc max-pdu

View
Synchronous serial interface view

Parameter
n: The maximum receivable frame length of the SDLC, ranging from 1 to 17600 bytes.

Description
Using the sdlc max-pdu command, you can configure the maximum receivable frame length of the SDLC. Using the undo sdlc max-pdu command, you can restore the default value of the SDLC maximum receivable frame length.
By default, the maximum receivable frame length of the SDLC is 265 bytes.
The SDLC maximum frame length refers to the number of bytes of the largest packet that can be received and sent, excluding the parity bit and the start/stop bit.
The maximum receivable frame length of some PU2.0 devices is 265 bytes, and that of the IBM AS/400 is generally 521 bytes. Usually it needs to be configured to the same value as that of the connected SDLC device.

Example
Configure the maximum receivable frame length of the SDLC as 521.
[3Com-Serial1/0/0] sdlc max-pdu 521

sdlc max-send-queue

Syntax
sdlc max-send-queue length
undo sdlc max-send-queue

View
Synchronous serial interface view

Parameter
length: The length of the queue for sending SDLC packets, ranging from 20 to 255.

Description
Using the sdlc max-send-queue command, you can configure the length of the queue for sending SDLC packets. Using the undo sdlc max-send-queue command, you can restore the default value of the length of the queue for sending SDLC packets.
By default, the length of the queue for sending SDLC packets is 50.

Example
Configure the length of the queue for sending SDLC packets on the Serial1/0/0 as 30.
[3Com-Serial1/0/0] sdlc max-send-queue 30


sdlc max-transmission

Syntax
sdlc max-transmission retries
undo sdlc max-transmission

View
Synchronous serial interface view

Parameter
retries: The SDLC timeout retransmission times, ranging from 1 to 255.

Description
Using the sdlc max-transmission command, you can configure the SDLC timeout retransmission times. Using the undo sdlc max-transmission command, you can restore the default value of the SDLC timeout retransmission times.
By default, the SDLC timeout retransmission times is 20.
The SDLC timeout retransmission times (N2) refers to the number of retransmissions before the acknowledgement packet is received from the peer end.

Example
Configure the SDLC timeout retransmission times as 30.
[3Com-Serial1/0/0] sdlc max-transmission 30

sdlc modulo

Syntax
sdlc modulo n
undo sdlc modulo

View
Synchronous serial interface view

Parameter
n: SDLC modulus, with the available values of 8 or 128.

Description
Using the sdlc modulo command, you can configure the modulus of the SDLC. Using the undo sdlc modulo command, you can restore the default modulus of the SDLC.
By default, the SDLC modulus is 8.
SDLC, like X.25, uses a modulus to number information packets, and the modulus of SDLC is 8 or 128. Generally modulus 8 is selected.

Example
Restore the default modulus of the SDLC.
[3Com-Serial1/0/0] undo sdlc modulo

sdlc sap-map local

Syntax
sdlc sap-map local lsap sdlc-addr
undo sdlc sap-map local lsap sdlc-addr

View
Synchronous serial interface view

Parameter
lsap: The virtual SAP address set by the device connected with the local interface.
sdlc-addr: The SDLC address.

Description
Using the sdlc sap-map local command, you can configure the SAP address used when SDLC is translated into LLC2. Using the undo sdlc sap-map local command, you can restore the default value of the LLC2 SAP address.
By default, lsap is 04.
When an SDLC packet is translated into an LLC2 packet, the SAP address is needed in addition to the MAC address. Generally speaking, the SAP address of the SNA protocol is 0x04, 0x08 or 0x0C.
For related configuration, please see the sdlc sap-map remote command.

Example
Configure the SAP address used when SDLC is translated into LLC2.
[3Com-Serial1/0/0] sdlc sap-map local 08 05

sdlc sap-map remote

Syntax
sdlc sap-map remote dsap sdlc-addr
undo sdlc sap-map remote dsap sdlc-addr

View
Synchronous serial interface view

Parameter
dsap: The SAP address of the DLSw peer device. By default, dsap is 04.
sdlc-addr: The SDLC address.

Description
Using the sdlc sap-map remote command, you can configure the remote DLSw device SAP address used when SDLC is translated into LLC2. Using the undo sdlc sap-map remote command, you can restore the default value.
When an SDLC packet is translated into an LLC2 packet, the SAP address is needed in addition to the MAC address. Generally speaking, the SAP address of the SNA protocol is 0x04, 0x08 or 0x0C.
For related configuration, please see sdlc sap-map local.

Example
Configure the remote DLSw device SAP address used when SDLC is translated into LLC2.
[3Com-Serial1/0/0] sdlc sap-map remote 0C 05

sdlc simultaneous

Syntax
sdlc simultaneous
undo sdlc simultaneous

View
Synchronous serial interface view

Parameter
None

Description
Using the sdlc simultaneous command, you can configure the SDLC data to use the bidirectional transmission mode. Using the undo sdlc simultaneous command, you can stop the SDLC data from using the bidirectional transmission mode.
By default, the SDLC data are transmitted in bidirectional mode.
This command configures the synchronous serial interface to work in bidirectional simultaneous data transmission mode. That is, the SDLC primary station can send data to the secondary station and receive data at the same time.

Example
Configure the SDLC data to use the bidirectional transmission mode.
[3Com-Serial1/0/0] sdlc simultaneous

sdlc status

Syntax
sdlc status { primary | secondary }
undo sdlc status

View
Synchronous serial interface view

Parameter
primary: The primary station of the end, controlling the whole connection process.
secondary: The secondary station of the end, controlled by the primary station.

Description
Using the sdlc status command, you can configure the SDLC role of the device. Using the undo sdlc status command, you can restore the default SDLC role.
By default, the device has no role.
SDLC is a link layer protocol in unbalanced mode. That is, the statuses of the devices on the two connected ends are unequal: one is primary and the other is secondary. The primary side, being the primary station, whose role is primary, plays the dominant role and controls the whole connection process. The other side, being the secondary station, whose role is secondary, is controlled passively. Therefore, the user needs to configure the role for an interface encapsulated with the SDLC protocol.
When configuring the SDLC role, the role should be decided by the status of the SDLC device connected with the local router. If the SDLC device connected with the local interface is primary, the local interface is to be set as secondary, and vice versa. In general, the central IBM mainframe is primary, whereas terminal devices, including UNIX hosts and ATM, are secondary.

Example
Configure the SDLC device connected with the Serial1/0/0 as primary, and the local interface as secondary.
[3Com-Serial1/0/0] sdlc status secondary

sdlc timer ack

Syntax
sdlc timer ack mseconds
undo sdlc timer ack

View
Synchronous serial interface view

Parameter
mseconds: The SDLC primary station response waiting time, ranging from 1 to 60000 ms.

Description
Using the sdlc timer ack command, you can configure the SDLC primary station response waiting time (mseconds). Using the undo sdlc timer ack command, you can restore the default value of the SDLC primary station response waiting time.
By default, the configured SDLC primary station response waiting time is 3000 ms.
The primary station response waiting time (mseconds) refers to the waiting time for the response from the secondary station after the primary station sends information frames.

Example
Configure the SDLC primary station response waiting time (mseconds) as 2000 ms.
[3Com-Serial1/0/0] sdlc timer ack 2000

sdlc timer lifetime

Syntax
sdlc timer lifetime mseconds
undo sdlc timer lifetime

View
Synchronous serial interface view

Parameter
mseconds: The SDLC secondary station response waiting time, ranging from 1 to 60000 ms.

Description
Using the sdlc timer lifetime command, you can configure the SDLC secondary station response waiting time (mseconds). Using the undo sdlc timer lifetime command, you can restore the default value of the SDLC secondary station response waiting time.
By default, the SDLC secondary station response waiting time (mseconds) is 500 ms.
The secondary station response waiting time (mseconds) refers to the waiting time for the response from the primary station after the secondary station sends information frames.

Example
Configure the SDLC secondary station response waiting time (mseconds) as 1000 ms.
[3Com-Serial1/0/0] sdlc timer lifetime 1000

sdlc timer poll

Syntax
sdlc timer poll mseconds
undo sdlc timer poll

View
Synchronous serial interface view

Parameter
mseconds: SDLC poll pause timer, ranging from 1 to 10000 ms.

Description
Using the sdlc timer poll command, you can configure the SDLC poll pause timer. Using the undo sdlc timer poll command, you can restore the default value of the SDLC poll pause timer.
By default, the SDLC poll pause timer is 1000 ms.
The SDLC poll pause timer refers to the waiting interval between the two SDLC nodes polled by the SDLC primary station.

Example
Configure the SDLC poll pause timer as 200 ms.
[3Com-Serial1/0/0] sdlc timer poll 200

sdlc window

Syntax
sdlc window length
undo sdlc window

View
Synchronous serial interface view

Parameter
length: Length of the SDLC local response window, ranging from 1 to 7.

Description
Using the sdlc window command, you can configure the length of the SDLC local response window. Using the undo sdlc window command, you can restore the default length of the SDLC local response window.
By default, the length of the SDLC local response window is 7.
The SDLC local response window refers to the maximum number of packets that can be sent continuously without waiting for the response from the peer end.

Example
Configure the length of the SDLC local response window on the Serial1/0/0 as 5.
[3Com-Serial1/0/0] sdlc window 5

sdlc xid

Syntax
sdlc xid sdlc-address xid-number
undo sdlc xid sdlc-address

View
Synchronous serial interface view

Parameter
sdlc-address: The SDLC address of the XID, which should be configured beforehand.
xid-number: An integer with a length of 4 bytes, ranging from 1 to 0xFFFFFFFF. The first 12 bits are network numbers, and the last 20 bits are node numbers.

Description
Using the sdlc xid command, you can configure the XID of the SDLC. Using the undo sdlc xid command, you can delete the XID of the SDLC.
By default, the synchronous serial interface has no XID of the SDLC.
The XID is the ID of a device in the SNA world. Generally speaking, there are two kinds of devices: PU2.0 and PU2.1. The XID is configured automatically on PU2.1 devices, and they can announce their IDs by exchanging the XID. PU2.0 devices do not exchange the ID, so they cannot get an ID automatically. Therefore, this command does not need to be configured for PU2.1 devices, whereas an XID needs to be specified for PU2.0 devices.

Example
Configure the XID of the SDLC, in which the xid-number is 0x2000.
[3Com-Serial1/0/0] sdlc xid 05 2000
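
The following Python sketch is an added example, not part of the 3Com manual. It audits the commands of one synchronous serial interface against constraints stated in the sdlc entries above: IP commands removed before SDLC encapsulation, SDLC addresses within 0x01 to 0xFE, an address configured before its XID, a peer mapped for each address, and the documented numeric ranges. The function names, finding codes, sample lines, and the reading of addresses and XIDs as hex with a 12-bit/20-bit XID split are assumptions of this example.

```python
import re

HEX = re.compile(r"^(?:0x)?([0-9a-fA-F]+)$")

# Decimal parameter ranges, copied from the sdlc command descriptions above.
RANGES = {
    "max-pdu": (1, 17600), "max-send-queue": (20, 255),
    "max-transmission": (1, 255), "window": (1, 7),
    "timer ack": (1, 60000), "timer lifetime": (1, 60000),
    "timer poll": (1, 10000),
}

def parse_hex(token):
    """Parse an SDLC address or XID written in hex, with or without 0x."""
    m = HEX.match(token)
    if not m:
        raise ValueError(f"not a hex value: {token!r}")
    return int(m.group(1), 16)

def split_xid(xid):
    """Split a 4-byte XID into (12-bit network number, 20-bit node number)."""
    return xid >> 20, xid & 0xFFFFF

def audit_sdlc_interface(lines):
    """Audit the commands of one synchronous serial interface view.
    Returns (findings, xids); a finding is (line_number, code, detail) and
    line_number 0 marks a finding about the interface as a whole."""
    findings, controllers, peers, xids = [], [], set(), {}
    has_sdlc = False
    for n, raw in enumerate(lines, 1):
        w = raw.split()
        try:
            if not w or w[0] == "undo":
                continue
            if w[:2] == ["link-protocol", "sdlc"]:
                has_sdlc = True
            elif w[0] == "ip":
                # IP commands must be removed before SDLC encapsulation.
                findings.append((n, "IP_ON_SDLC", raw.strip()))
            elif w[0] != "sdlc":
                continue
            elif w[1] == "controller":
                addr = parse_hex(w[2])
                if not 0x01 <= addr <= 0xFE:
                    findings.append((n, "ADDR_RANGE", w[2]))
                elif addr in controllers:
                    findings.append((n, "DUP_ADDR", w[2]))
                else:
                    controllers.append(addr)
            elif w[1] == "xid":
                # The SDLC address of an XID must be configured beforehand.
                addr, xid = parse_hex(w[2]), parse_hex(w[3])
                if addr not in controllers:
                    findings.append((n, "XID_WITHOUT_CONTROLLER", w[2]))
                elif not 1 <= xid <= 0xFFFFFFFF:
                    findings.append((n, "XID_RANGE", w[3]))
                else:
                    xids[addr] = split_xid(xid)
            elif w[1:3] == ["mac-map", "remote"]:
                peers.add(parse_hex(w[4]))
            elif w[1] == "modulo" and int(w[2]) not in (8, 128):
                findings.append((n, "MODULO", w[2]))
            else:
                key = " ".join(w[1:-1])
                if key in RANGES and not RANGES[key][0] <= int(w[-1]) <= RANGES[key][1]:
                    findings.append((n, "RANGE", f"{key} {w[-1]}"))
        except (IndexError, ValueError):
            findings.append((n, "PARSE", raw.strip()))
    if not has_sdlc:
        findings.append((0, "NO_SDLC_ENCAPSULATION", ""))
    # Each configured SDLC address should have a peer (sdlc mac-map remote).
    for addr in controllers:
        if addr not in peers:
            findings.append((0, "NO_PEER", f"{addr:02X}"))
    return findings, xids

# Constructed sample: commands as entered in one [3Com-Serial1/0/0] view.
SAMPLE = """\
link-protocol sdlc
ip address 10.0.0.1 255.255.255.0
sdlc controller 05
sdlc controller 06
sdlc controller FF
sdlc mac-map remote 00E0-FC00-0010 0x05
sdlc xid 05 2000
sdlc xid 06 05D12345
sdlc xid 07 1
sdlc window 9
""".splitlines()

if __name__ == "__main__":
    findings, xids = audit_sdlc_interface(SAMPLE)
    for finding in findings:
        print(finding)
    print({f"{a:02X}": (hex(net), hex(node)) for a, (net, node) in xids.items()})
```
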


6 ROUTING PROTOCOL

For the specific examples and parameter explanation of VPN instance, refer to the “MPLS” module of this manual.

Display Commands of the Routing Table

display ip routing-table

Syntax
display ip routing-table

View
Any view

Parameter
None

Description
Using the display ip routing-table command, you can view the routing table summary.
This command displays routing table information in summary form. Each line represents one route. The contents include destination address/mask length, protocol, preference, cost, next hop and output interface.
Only the currently used route, that is, the best route, is displayed by the display ip routing-table command.

Example
View the summary of the current routing table.
<3Com> display ip routing-table
Routing Table: public net
Destination/Mask   Proto   Pre  Cost  Nexthop     Interface
1.1.1.0/24         DIRECT  0    0     1.1.1.1     Interface serial1/0/0
1.1.1.1/32         DIRECT  0    0     127.0.0.1   InLoopBack0
2.2.2.0/24         DIRECT  0    0     2.2.2.1     Interface serial2/0/0
2.2.2.1/32         DIRECT  0    0     127.0.0.1   InLoopBack0
3.3.3.0/24         DIRECT  0    0     3.3.3.1     Interface ethernet1/0/0
3.3.3.1/32         DIRECT  0    0     127.0.0.1   InLoopBack0
4.4.4.0/24         DIRECT  0    0     4.4.4.1     Interface ethernet2/0/0
4.4.4.1/32         DIRECT  0    0     127.0.0.1   InLoopBack0
127.0.0.0/8        DIRECT  0    0     127.0.0.1   InLoopBack0
127.0.0.1/32       DIRECT  0    0     127.0.0.1   InLoopBack0


display ip routing-table acl

Syntax
display ip routing-table acl { acl-number | acl-name } [ verbose ]

View
Any view

Parameter
acl-number: Number of basic ACL, ranging from 1 to 99.
acl-name: Name of basic ACL.
verbose: Displays the verbose information of both the active and inactive routes that passed filtering rules. Without this parameter, this command only displays the summary of the active routes that passed filtering rules.

Description
Using the display ip routing-table acl command, you can view the routes filtered through the specified basic access control list (ACL).
The command is used in tracking route policy to display the routes that passed the filtering rule according to the input basic ACL number or name.
The command is only applicable to viewing the routes that passed basic ACL filtering rules.

Example
View the summary of active routes that are filtered through basic ACL 1.
<3Com> display ip routing-table acl 1
Routes matched by access-list 1:
Summary count: 4
Destination/Mask   Proto   Pre  Cost  Nexthop     Interface
127.0.0.0/8        Direct  0    0     127.0.0.1   InLoopBack0
127.0.0.1/32       Direct  0    0     127.0.0.1   InLoopBack0
169.0.0.0/8        Static  60   0     2.1.1.1     LoopBack1
169.0.0.0/15       Static  60   0     2.1.1.1     LoopBack1

Display the verbose information of the active and inactive routes that are filtered through basic ACL 1.
<3Com> display ip routing-table acl 1 verbose
Routes matched by access-list 1:
Generate Default: no
+ = Active Route, - = Last Active, = Both  * = Next hop in use
Summary count:5
**Destination: 127.0.0.0  Mask: 255.0.0.0
  Protocol: Direct  Preference: 0
  *NextHop: 127.0.0.1  Interface: 127.0.0.1(InLoopBack0)
  Vlinkindex: 0
  State: <NoAdvise Int ActiveU Retain Multicast Unicast>
  Age: 3:47  Metric: 0/0
**Destination: 127.0.0.1  Mask: 255.255.255.255
  Protocol: Direct  Preference: 0
  *NextHop: 127.0.0.1  Interface: 127.0.0.1(InLoopBack0)
  Vlinkindex: 0
  State: <NotInstall NoAdvise Int ActiveU Retain Gateway Multicast Unicast>
  Age: 3:47  Metric: 0/0
**Destination: 179.0.0.0  Mask: 255.0.0.0
  Protocol: Static  Preference: 60
  *NextHop: 4.1.1.1
  Vlinkindex: 0
  State: <Int Hidden Static Unicast>
  Age: 3:47  Metric: 0/0
**Destination: 169.0.0.0  Mask: 255.0.0.0
  Protocol: Static  Preference: 60
  *NextHop: 2.1.1.1  Interface: 2.1.1.1(LoopBack1)
  Vlinkindex: 0
  State: <Int ActiveU Static Unicast>
  Age: 3:47  Metric: 0/0
**Destination: 169.0.0.0  Mask: 255.254.0.0
  Protocol: Static  Preference: 60
  *NextHop: 2.1.1.1  Interface: 2.1.1.1(LoopBack1)
  Vlinkindex: 0
  State: <Int ActiveU Static Unicast>
  Age: 3:47  Metric: 0/0

display ip routing-table ip_address

Syntax
display ip routing-table ip_address [ mask ] [ longer-match ] [ verbose ]

View
Any view

Parameter
ip_address: Destination IP address in dotted decimal format.
mask: IP address mask, either in dotted decimal notation or as an integer in the range of 0 to 32.
longer-match: Matches all route destination addresses within the natural mask range.
verbose: With the verbose parameter, this command displays the verbose information of both the active and inactive routes. Without the parameter, this command only displays the summary of active routes.

Description
Using the display ip routing-table ip_address command, you can view the routing information of the specified destination address. The output depends on which optional parameters are given, as follows:

display ip routing-table ip_address
If the destination address, ip_address, has corresponding routes in the natural mask range, this command displays all subnet routes. Otherwise, only the route that best matches ip_address is displayed. Only active matching routes are displayed.

display ip routing-table ip_address mask
This command displays only the route that fully matches the specified destination address and mask.

display ip routing-table ip_address longer-match
This command displays all routes whose destination addresses match the specified destination address within the natural mask range.

Example
There is a corresponding route in the natural mask range. View the summary.
<3Com> display ip routing-table 169.0.0.0
Routing Tables:
Summary count:1
Destination/Mask   Proto   Pre  Cost  Nexthop     Interface
169.0.0.0/16       Static  60   0     2.1.1.1     LoopBack1

There is no corresponding route in the natural mask range (only the longest matching route is displayed). View the summary.
<3Com> display ip routing-table 169.253.0.0
Routing Tables:
Summary count:1
Destination/Mask   Proto   Pre  Cost  Nexthop     Interface
169.0.0.0/8        Static  60   0     2.1.1.1     LoopBack1

There are corresponding routes in the natural mask range. View the detailed information.
<3Com> display ip routing-table 169.0.0.0 verbose
Routing Tables:
Generate Default: no
+ = Active Route, - = Last Active, = Both * = Next hop in use
Summary count:2
**Destination: 169.0.0.0 Mask: 255.0.0.0
Protocol: Static Preference: 60
*NextHop: 2.1.1.1 Interface: 2.1.1.1(LoopBack1)
Vlinkindex: 0
State: <Int ActiveU Static Unicast>
Age: 3:47 Metric: 0/0
**Destination: 169.0.0.0 Mask: 255.254.0.0
Protocol: Static Preference: 60
*NextHop: 2.1.1.1 Interface: 2.1.1.1(LoopBack1)
Vlinkindex: 0
State: <Int ActiveU Static Unicast>
Age: 3:47 Metric: 0/0

There are no corresponding routes in the natural mask range (only the longest matching route is displayed). View the detailed information.
<3Com> display ip routing-table 169.253.0.0 verbose
Routing Tables:
Generate Default: no
+ = Active Route, - = Last Active, = Both * = Next hop in use
Summary count:1
**Destination: 169.0.0.0 Mask: 255.0.0.0
Protocol: Static Preference: -60
*NextHop: 2.1.1.1
Vlinkindex: 0
State: <Int ActiveU Static Unicast>
Age: 3:47 Metric: 0/0
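The three lookup forms described above, as an added sketch (not from the 3Com manual) run over the four routes listed in the ACL example's summary output. Reading "corresponding routes in the natural mask range" as "routes whose destination address lies inside the classful network of ip_address" is an assumption, chosen because it reproduces the verbose outputs shown for 169.0.0.0 and 169.253.0.0; route state (active or inactive) is not modelled and the function names are illustrative.

```python
import ipaddress

# Constructed table: the four routes from the "display ip routing-table acl 1"
# summary output on this page.
ROUTES = ["127.0.0.0/8", "127.0.0.1/32", "169.0.0.0/8", "169.0.0.0/15"]


def natural_network(ip):
    """Classful (natural mask) network containing ip: A=/8, B=/16, C=/24."""
    first = int(ip.split(".")[0])
    if first < 128:
        plen = 8
    elif first < 192:
        plen = 16
    elif first < 224:
        plen = 24
    else:
        raise ValueError("class D/E addresses have no natural mask")
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def lookup(ip, mask=None, longer_match=False, routes=ROUTES):
    """Return the routes (as strings) that each command form would list."""
    table = [ipaddress.ip_network(r) for r in routes]
    addr = ipaddress.ip_address(ip)

    # Form 2: ip_address mask -> only the route matching address AND mask exactly.
    if mask is not None:
        plen = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
        return [str(n) for n in table
                if n.network_address == addr and n.prefixlen == plen]

    # Routes whose destination falls inside the natural-mask network (assumption).
    natural = natural_network(ip)
    in_range = [n for n in table if n.network_address in natural]

    # Form 3: longer-match -> everything in the natural mask range, nothing else.
    # Form 1: same list when it is non-empty.
    if longer_match or in_range:
        return [str(n) for n in in_range]

    # Form 1 fallback: nothing in range, so show the single longest match.
    covering = [n for n in table if addr in n]
    best = max(covering, key=lambda n: n.prefixlen, default=None)
    return [str(best)] if best else []


if __name__ == "__main__":
    for query in ("169.0.0.0", "169.253.0.0", "10.9.9.9"):
        print(query, "->", lookup(query))
    print("169.0.0.0 255.254.0.0 ->", lookup("169.0.0.0", mask="255.254.0.0"))
```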

display ip routing-table ip_address1 ip_address2

Syntax
display ip routing-table ip_address1 mask1 ip_address2 mask2 [ verbose ]


View
Any view

Parameter
ip_address1, ip_address2: Destination IP addresses in dotted decimal notation. Together, ip_address1 and ip_address2 define an address range; the routes in this range are displayed.
mask1, mask2: IP address masks, in dotted decimal notation or as an integer mask length.
verbose: With the verbose parameter, this command displays the verbose information of both the active and inactive routes. Without the parameter, this command only displays the summary of active routes.

Description
Using the display ip routing-table ip_address1 ip_address2 command, you can view the routing information in the specified destination address range.

Example
View the routing information of destination addresses ranging from 1.1.1.0 to 2.2.2.0.
<3Com> display ip routing-table 1.1.1.0 24 2.2.2.0 24
Routing tables:
Summary count: 3
Destination/Mask   Proto   Pre  Cost  Nexthop     Interface
1.1.1.0/24         DIRECT  0    0     1.1.1.1     Interface serial1/0/0
1.1.1.1/32         DIRECT  0    0     127.0.0.1   InLoopBack0
2.2.2.0/24         DIRECT  0    0     2.2.2.1     Interface serial2/0/0

display ip routing-table ip-prefix

Syntax
display ip routing-table ip-prefix ip-prefix-name [ verbose ]

View
Any view

Parameter
ip-prefix-name: Prefix list name.
verbose: With the parameter, this command displays the verbose information of both the active and inactive routes that passed the filtering rules. Without the parameter, this command displays the summary of the active routes that passed the filtering rules.

Description
Using the display ip routing-table ip-prefix command, you can view the routes that passed the filtering rules of the specified IP prefix list. If no prefix list is specified, this command displays the verbose information of all active and inactive routes when the verbose parameter is given, and the summary of all active routes when it is not.


Example
Display the summary of the active route that is filtered through ip prefix list abc2.
<3Com> display ip routing-table ip-prefix abc2
Routes matched by ip-prefix abc2:
Summary count: 4
Destination/Mask   Proto   Pre  Cost  Nexthop     Interface
127.0.0.0/8        Direct  0    0     127.0.0.1   InLoopBack0
127.0.0.1/32       Direct  0    0     127.0.0.1   InLoopBack0
169.0.0.0/8        Static  60   0     2.1.1.1     LoopBack1
169.0.0.0/15       Static  60   0     2.1.1.1     LoopBack1

Display the verbose information of the active and inactive routes that are filtered through ip prefix list abc2.
<3Com> display ip routing-table ip-prefix abc2 verbose
Routes matched by ip-prefix abc2:
Generate Default: no
+ = Active Route, - = Last Active, = Both * = Next hop in use
Summary count:4
**Destination: 127.0.0.0 Mask: 255.0.0.0
Protocol: Direct Preference: 0
*NextHop: 127.0.0.1 Interface: 127.0.0.1(InLoopBack0)
Vlinkindex: 0
State: <NoAdvise Int ActiveU Retain Multicast Unicast>
Age: 3:47 Metric: 0/0
**Destination: 127.0.0.1 Mask: 255.255.255.255
Protocol: Direct Preference: 0
*NextHop: 127.0.0.1 Interface: 127.0.0.1(InLoopBack0)
Vlinkindex: 0
State: <NotInstall NoAdvise Int ActiveU Retain Gateway Multicast Unicast>
Age: 3:47 Metric: 0/0
**Destination: 179.0.0.0 Mask: 255.0.0.0
Protocol: Static Preference: -60
*NextHop: 4.1.1.1
Vlinkindex: 0
State: <Int Hidden Static Unicast>
Age: 3:47 Metric: 0/0
**Destination: 169.0.0.0 Mask: 255.0.0.0
Protocol: Static Preference: 60
*NextHop: 2.1.1.1 Interface: 2.1.1.1(LoopBack1)
Vlinkindex: 0
State: <Int ActiveU Static Unicast>
Age: 3:47 Metric: 0/0
**Destination: 169.0.0.0 Mask: 255.254.0.0
Protocol: Static Preference: 60
*NextHop: 2.1.1.1 Interface: 2.1.1.1(LoopBack1)
Vlinkindex: 0
State: <Int ActiveU Static Unicast>
Age: 3:47 Metric: 0/0

display ip routing-table protocol

Syntax
display ip routing-table protocol protocol [ inactive | verbose ]

View
Any view

Parameter
protocol: Has multiple selectable values:
direct: Displays direct connection route information.
static: Displays static route information.
bgp: Displays BGP route information.
isis: Displays IS-IS route information.
ospf: Displays OSPF route information.
ospf-ase: Displays OSPF ASE route information.
ospf-nssa: Displays OSPF NSSA route information.
rip: Displays RIP route information.
inactive: With the parameter, this command displays the inactive route information. Without the parameter, this command displays the active and inactive route information.
verbose: With the verbose parameter, this command displays the verbose routing information. Without the parameter, this command displays the route summary.

Description
Using the display ip routing-table protocol command, you can view the routing information of the specified protocol.

Example
Display all direct connection routes summary.
<3Com> display ip routing-table protocol direct
DIRECT Routing tables:
Summary count: 4
DIRECT Routing tables status:<active>:
Summary count: 3
Destination/Mask   Proto   Pre  Cost  Nexthop     Interface:
20.1.1.1/32        DIRECT  0    0     127.0.0.1   InLoopBack0
127.0.0.0/8        DIRECT  0    0     127.0.0.1   InLoopBack0
127.0.0.1/32       DIRECT  0    0     127.0.0.1   InLoopBack0
DIRECT Routing tables status:<inactive>:
Summary count: 1
Destination/Mask   Proto   Pre  Cost  Nexthop     Interface
210.0.0.1/32       DIRECT  0    0     127.0.0.1   InLoopBack0

Display the static routing table.
<3Com> display ip routing-table protocol static
STATIC Routing tables:
Summary count: 1
STATIC Routing tables status:<active>:
Summary count: 0
STATIC Routing tables status:<inactive>:
Summary count: 1
Destination/Mask   Proto   Pre  Cost  Nexthop     Interface
1.2.3.0/24         STATIC  60   0     1.2.4.5     Ethernet 2/0/0


display ip routing-table radix

Syntax
display ip routing-table radix

View
Any view

Parameter
None

Description
Using the display ip routing-table radix command, you can view the routing table information in a tree structure.

Example
View the routing table information in a tree structure.
<3Com> display ip routing-table radix
Radix tree for INET (2) inodes 7 routes 5:
+-32+--{210.0.0.1
+--0+
| | +--8+--{127.0.0.0
| | | +-32+--{127.0.0.1
| +--1+
| +--8+--{20.0.0.0
| +-32+--{20.1.1.1

display ip routing-table statistics

Syntax
display ip routing-table statistics

View
Any view

Parameter
None

Description
Using the display ip routing-table statistics command, you can view the integrated routing information. The integrated routing information includes the total number of routes, the number of routes added or deleted by each protocol, the number of routes that are labeled deleted but not yet deleted, and the numbers of active and inactive routes.

Example
Display the integrated routing information.
<3Com> display ip routing-table statistics
Routing tables:
Proto    route  active  added  deleted  freed
BGP      0      0       0      0        0
DIRECT   5      4       5      0        0
RIP      0      0       0      0        0
STATIC   0      0       0      0        0
IS-IS    0      0       0      0        0
OSPF     0      0       0      0        0
O_ASE    0      0       0      0        0
O_NSSA   0      0       0      0        0
Total    5      4       5      0        0

display ip routing-table verbose

Syntax
display ip routing-table verbose

View
Any view

Parameter
None

Description
Using the display ip routing-table verbose command, you can view the verbose routing table information. The descriptor describing the route state is displayed first, then the statistics of the entire routing table, and finally the verbose description of each route. All current routes, including inactive routes and invalid routes, can be displayed using the display ip routing-table verbose command.

Example
Display the verbose routing table information.
<3Com> display ip routing-table verbose
Routing Tables:
Generate Default: no
+ = Active Route, - = Last Active, = Both * = Next hop in use
Destinations: 4 Routes: 4
Holddown: 0 Delete: 9 Hidden: 0
**Destination: 127.0.0.0 Mask: 255.0.0.0
Protocol: Static Preference: 0
*NextHop: 127.0.0.1 Interface: 127.0.0.1(LO0)
State: <NoAdv Int Active Retain Rej>
Age: 19:31:06 Metric: 0/0
**Destination: 127.0.0.1 Mask: 255.255.255.255
Protocol: Direct Preference: 0
*NextHop: 127.0.0.1 Interface: 127.0.0.1(LO0)
State: <NoAdv Int Active Retain>
Age: 114:03:05 Metric: 0/0


The statistics of the entire routing table are displayed first, then the verbose description of each route is output. The meanings of the route state parameters are explained in the following table:

Table 1 Description of the output information of the display ip routing-table verbose command
Main field   Description
Holddown     Number of routes currently held down. Holddown refers to a route advertising policy used by some distance vector (D-V) routing protocols (such as RIP) to keep erroneous routes from spreading and to speed up correct propagation of unreachable-route information. It usually advertises a route at a fixed interval, no matter what changes have happened to the routes actually learned to the same destination. For details, refer to the specific routing protocol.
Delete       Number of routes that have been deleted currently.
Hidden       Number of currently hidden routes. Some routes are not available at present for some reason (e.g., the interface is Down) but are not expected to be deleted. They can be hidden for future restoration.

display ip routing-table vpn-instance

Syntax
display ip routing-table vpn-instance vpn-instance-name [ ip-address ] [ verbose ]

View
Any view

Parameter
vpn-instance-name: VPN instance name.
ip-address: Destination IP address in dotted decimal format.
verbose: With the parameter, the command displays the verbose routing information. Without the parameter, the command displays the route summary.

Description
Using the display ip routing-table vpn-instance command, you can view RIP information associated with the vpn instance address family. When both ip-address and verbose are specified in the command, you can view all routes to the specified IP address in the VPN-instance, including the local routes as well as the routes learned from the remote end.

Example
Display details of the routes to 10.1.1.1 in the VPN-instance vpn1.
<3Com> display ip routing-table vpn-instance vpn1 10.1.1.1 verbose
Routing tables:
Generate Default: no
+ = Active Route, - = Last Active, = Both * = Next hop in use
Summary count: 2
**Destination: 10.1.1.1 Mask: 255.255.255.255
Protocol: DIRECT Preference: 0
*NextHop: 127.0.0.1 Interface: 127.0.0.1(InLoopBack0)
Vlinkindex: 0
State: <NoAdvise Int ActiveU Retain Gateway Unicast>
Age: 54 Cost: 0/0
**Destination: 10.1.1.0 Mask: 255.255.255.0
Protocol: DIRECT Preference: 0
*NextHop: 10.1.1.1 Interface: 10.1.1.1(LoopBack0)
Vlinkindex: 0
State: <Int ActiveU Retain Unicast>
Age: 54 Cost: 0/0

Display the summary of the routes to 10.1.1.1 in the VPN-instance vpn1.
<3Com> display ip routing-table vpn-instance vpn1 10.1.1.1
Routing tables: vpn1
Route-Distinguisher: 100:1
Destination/Mask   Protocol  Pre  Cost  Nexthop     Interface
10.1.1.1/32        DIRECT    0    0     127.0.0.1   InLoopBack0
10.1.1.0/24        DIRECT    0    0     10.1.1.1    LoopBack0

Static Route Configuration Commands

delete static-routes all

Syntax
delete static-routes all

View
System view

Parameter
None

Description
Using the delete static-routes all command, you can delete all the static routes. The system asks the user to confirm before all the configured static routes are deleted.
For the related command, see display ip routing-table and ip route-static.

Example
Delete all the static routes configured on the router.
[3Com] delete static-routes all
This will erase all unicast static routes and their configurations, you must reconfigure all static routes
Are you sure to delete all the static routes?[Y/N]y

ip route-static

Syntax


ip route-static ip-address { mask | mask-length } { interface-name | nexthop-address } [ preference preference-value ] [ reject | blackhole ]
undo ip route-static ip-address { mask | mask-length } [ interface-name | nexthop-address ] [ preference preference-value ]
ip route-static vpn-instance vpn-instance-name1 vpn-instance-name2 … ip-address { mask | mask-length } { interface-name | [ vpn-instance vpn-nexthop-name nexthop-address ] } [ public ] [ preference preference-value ] [ reject | blackhole ]
undo ip route-static vpn-instance vpn-instance-name1 vpn-instance-name2 … ip-address { mask | mask-length } { interface-name [ vpn-instance vpn-nexthop-name | nexthop-address ] } [ public ] [ preference preference-value ]



View
System view

Parameter
ip-address: Destination IP address, in dotted decimal notation.
mask: Mask.
mask-length: Mask length. Since the "1"s in the 32-bit mask are required to be consecutive, the mask in dotted decimal notation can be replaced by mask-length, which is the number of consecutive "1"s in the mask.
interface-name: Specifies the outbound interface name of the static route. Interfaces of the public network or under other vpn-instances can be used as the outbound interface of the static route.
vpn-instance-name: Indicates a name of VPN instance. It can take a maximum of 6 values.
vpn-nexthop-name: Specifies the vpn-instance of the static route next hop.
nexthop-address: Specifies the next hop IP address (in dotted decimal notation) of the static route.
preference-value: Preference level of the static route, in the range from 1 to 255.
reject: Indicates an unreachable route.
blackhole: Indicates a blackhole route.

Description
Using the ip route-static command, you can configure a static route. Using the undo ip route-static command, you can cancel the configured static route.
Using the ip route-static vpn-instance command, you can configure a static route. In a multi-role host application, you can configure a static route on a private network to specify the interface of another private network or of the public network as its outbound interface. Using the undo ip route-static vpn-instance command, you can remove the static route configuration.
By default, the system can obtain the subnet routes directly connected to the router. When configuring a static route, the default preference is 60 if it is not specified. If the route is not specified as reject or blackhole, it is reachable by default.

Precautions when configuring a static route:

When the destination IP address and the mask are both 0.0.0.0, the route is the default route. If no entry in the routing table matches a packet's destination, the packet is forwarded along the default route.

Different preference levels allow a flexible routing management policy. For example, configure multiple routes to the same destination: load sharing is achieved by specifying the same preference for the routes, and route backup is achieved by specifying different preferences.

To configure a static route, either the transmission interface or the next hop address can be specified; which one is used depends on the actual conditions.

For interfaces that support resolution from network address to link layer address, and for point-to-point interfaces, either the transmission interface or the next hop address can be specified.

NBMA interfaces, such as interfaces or dialing interfaces encapsulated with X.25 or frame-relay, support point-to-multi-point. In addition to the IP route, a secondary route, i.e. the map from IP address to link layer address, must be established at the link layer. In this case the transmission interface cannot be specified, and the next hop IP address must be configured when configuring the static route.

A VT interface cannot be configured as the outbound interface.

In some cases (for example, when the link layer is encapsulated with PPP), the transmission interface can be specified when the peer address cannot be learned at router configuration time. Once the transmission interface is specified, this router's configuration does not need to be modified when the peer address changes.

For the related command, see display ip routing-table.

Example
Configure the next hop of the default route as 129.102.0.2.
[3Com] ip route-static 0.0.0.0 0.0.0.0 129.102.0.2
Configure the static route, whose destination address is 100.1.1.1 and whose next-hop address is 1.1.1.2.
[3Com] ip route-static vpn-instance vpn1 100.1.1.1 16 vpn-instance vpn1 1.1.1.2

For the specific examples and parameter explanation of VPN instance, refer to the “MPLS” module of this manual.

RIP Configuration Commands

checkzero

Syntax
checkzero
undo checkzero

View
RIP view

Parameter
None

Description
Using the checkzero command, you can enable the check of the zero fields of RIP-1 packets. Using the undo checkzero command, you can cancel the check of the zero fields.
By default, RIP-1 performs the zero field check.
According to the protocol specification (RFC 1058), some fields in RIP-1 packets must be zero; these are called zero fields. The checkzero command enables or disables the zero check operation for RIP-1 packets. While the check is enabled, a received RIP-1 packet whose zero fields are not zero is rejected. This command has no effect on RIP-2, since RIP-2 packets have no zero fields.

Example
Configure not to perform zero check for RIP-1 packet.
[3Com-rip] undo checkzero

debugging rip

Syntax
debugging rip { packet | receive | send }

View
User view

Parameter
packet: Enables the RIP packets debugging.
receive: Enables the RIP receiving packets debugging.
send: Enables the RIP sending packets debugging.

Description
Using the debugging rip command, you can enable the RIP packet debugging. Using the undo debugging rip command, you can disable the RIP packet debugging.
With this command, users can see the current information about the RIP packets received and sent on each interface.

Example
Enable the RIP packets debugging.
<3Com> debugging rip packet
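The zero-field check that checkzero controls (described earlier in this section), as an added example that is not 3Com's implementation: a RIP-1 parser following the RFC 1058 entry layout that drops a packet when any must-be-zero field is set, and reports which field tripped the check. Function names and both packets are constructed for illustration.

```python
import struct

HEADER = "!BBH"      # command, version, must-be-zero
ENTRY = "!HH4sIII"   # AFI, must-be-zero, address, must-be-zero, must-be-zero, metric


def build_rip1_response(routes, stray=0):
    """Build a RIP-1 response. `stray` is written into the first must-be-zero
    word after the address, the slot where a RIP-2 sender puts the subnet mask."""
    pkt = struct.pack(HEADER, 2, 1, 0)
    for addr, metric in routes:
        octets = bytes(int(o) for o in addr.split("."))
        pkt += struct.pack(ENTRY, 2, 0, octets, stray, 0, metric)
    return pkt


def zero_field_violations(packet):
    """List (entry_index, field_name, value) for every non-zero zero field."""
    found = []
    _cmd, _ver, hdr_zero = struct.unpack(HEADER, packet[:4])
    if hdr_zero:
        found.append((None, "header", hdr_zero))
    for index, off in enumerate(range(4, len(packet), 20)):
        _afi, z1, _addr, z2, z3, _metric = struct.unpack(ENTRY, packet[off:off + 20])
        fields = (("after AFI", z1),
                  ("after address, word 1", z2),
                  ("after address, word 2", z3))
        for name, value in fields:
            if value:
                found.append((index, name, value))
    return found


def parse_rip1(packet, checkzero=True):
    """Return [(address, metric), ...], or None when the packet is rejected."""
    if len(packet) < 24 or (len(packet) - 4) % 20:
        return None                      # truncated or misaligned packet
    if packet[1] != 1:
        return None                      # this sketch handles RIP-1 only
    if checkzero and zero_field_violations(packet):
        return None                      # behaviour with "checkzero" enabled
    routes = []
    for off in range(4, len(packet), 20):
        _afi, _z1, addr, _z2, _z3, metric = struct.unpack(ENTRY, packet[off:off + 20])
        routes.append((".".join(str(b) for b in addr), metric))
    return routes


# Constructed sample packets.
CLEAN = build_rip1_response([("10.1.0.0", 2), ("10.2.0.0", 3)])
STRAY = build_rip1_response([("10.1.0.0", 2)], stray=0xFFFF0000)

if __name__ == "__main__":
    print("clean, checkzero on :", parse_rip1(CLEAN))
    print("stray, checkzero on :", parse_rip1(STRAY), zero_field_violations(STRAY))
    print("stray, checkzero off:", parse_rip1(STRAY, checkzero=False))
```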

default cost

Syntax
default cost value
undo default cost

View
RIP view

Parameter
value: Default routing cost to be set, ranging from 1 to 16. The default value is 1.

Description
Using the default cost command, you can configure the default routing cost of an imported route. Using the undo default cost command, you can restore the default value.
If no routing cost is specified when importing routes of other protocols with the import-route command, the routes are imported with the default routing cost specified by the default cost command.
For the related command, see import-route.

Example
Set the default routing cost for routes imported from other routing protocols to 3.
[3Com-rip] default cost 3

display rip

Syntax
display rip

View
Any view

Parameter
None

Description
Using the display rip command, you can view the current RIP running state and its configuration information.

Example
Display the current running state and configuration information of the RIP protocol.
<3Com> display rip
RIP is turned on
public net VPN-Instance
Checkzero is on
Default cost : 1
Summary is on
Preference : 100
Period update timer : 30
Timeout timer : 180
Garbage-collection timer : 120
No peer router

Table 2 Description of the output information of the display rip command
Item                             Description
RIP is turned on                 RIP is enabled.
public net VPN-Instance          Public networks in the VPN-instance
Checkzero is on                  Enables checkzero of RIP.
Default cost : 1                 The default cost of the imported route is 1.
Summary is on                    Enables route summary of RIP.
Preference : 100                 The preference of RIP is 100.
Period update timer : 30         Setting on the three timers of RIP
Timeout timer : 180
Garbage-collection timer : 120
No peer router                   RIP has no peer router.

display rip vpn-instance

Syntax
display rip vpn-instance vpn-instance-name

View
Any view

Parameter
vpn-instance vpn-instance-name: VPN instance name.

Description
Using the display rip vpn-instance command, you can view the related configuration of VPN instance of RIP.

Example
None

filter-policy export

Syntax
filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ]
undo filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ]

View
RIP view

Parameter
acl-number: Access control list number used for filtering the destination addresses of the routing information.
ip-prefix-name: Name of address prefix list used for filtering the destination addresses of the routing information.
routing-protocol: Routing protocol whose routing information is to be filtered, including direct, isis, bgp, ospf, ospf-ase, ospf-nssa, and static at present.

Description
Using the filter-policy export command, you can configure RIP to filter the routing information it advertises. Using the undo filter-policy export command, you can configure RIP not to filter the advertised routing information.
By default, RIP does not filter the advertised routing information.
For the related commands, see acl, filter-policy import, and ip ip-prefix.


Example
Filter the advertised route information according to acl 3.
[3Com-rip] filter-policy 3 export

filter-policy import

Syntax
filter-policy gateway ip-prefix-name import
undo filter-policy gateway ip-prefix-name import
filter-policy { acl-number | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] } import
undo filter-policy { acl-number | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] } import

View
RIP view

Parameter
ip-prefix-name: Name of address prefix list used for filtering the destination addresses of the routing information.
acl-number: Access control list number used for filtering the destination addresses of the routing information.
gateway ip-prefix-name: Name of address prefix list used for filtering the addresses of the neighboring routers advertising the routing information.

Description
Using the filter-policy gateway command, you can configure filtering of the received routing information distributed from the specified address. Using the undo filter-policy gateway command, you can configure not to filter the received routing information distributed from the specified address.
Using the filter-policy import command, you can configure filtering of the received global routing information. Using the undo filter-policy import command, you can disable filtering of the received global routing information.
By default, RIP does not filter the received routing information.
The range of the routes received by RIP can be controlled by specifying the access control list and the address prefix list.
For the related command, see acl, filter-policy export, and ip ip-prefix.

Example
Configure the filtering of the global routing information according to acl 3.
[3Com-rip] filter-policy 3 import

host-route

Syntax
host-route
undo host-route

View
RIP view

Parameter
None

Description
Using the host-route command, you can configure RIP to accept host routes. Using the undo host-route command, you can configure RIP to reject host routes.
By default, the router accepts host routes.
In some special cases, RIP receives a great number of host routes in the same network segment. These routes do little to help path selection but occupy a lot of resources. In this case, the undo host-route command can be used to reject host routes.

Example
Configure RIP to reject a host route.
[3Com-rip] undo host-route

import-route

Syntax
import-route protocol [ cost value ] [ route-policy route-policy-name ]
undo import-route protocol

View
RIP view

Parameter
protocol: Specifies the source routing protocol to be imported by RIP. At present, RIP can import the following routes: direct, ospf, ospf-ase, ospf-nssa, static, bgp and isis.
value: Cost value of the route to be imported, ranging from 1 to 16.
route-policy route-policy-name: Imports only the routes that match the conditions of the specified Route-policy.

Description
Using the import-route command, you can import the routes of other protocols into RIP. Using the undo import-route command, you can cancel the routes imported from other protocols.
By default, RIP does not import any other routes.
The import-route command is used to import the routes of another protocol with a certain cost value. RIP regards an imported route as its own route and transmits it with the specified value. This command can greatly enhance the RIP capability of obtaining routes, thus increasing the RIP performance.
If the cost value is not specified, routes are imported with the default cost. The cost is in the range of 1 to 16. If it is larger than or equal to 16, it indicates an unreachable route and the transmission will be stopped in 120 seconds.
For the related command, see default cost.


Example
Import a static route with cost being 4.
[3Com-rip] import-route static cost 4
Set the default cost and import an OSPF route with the default cost.
[3Com-rip] default cost 3
[3Com-rip] import-route ospf

ipv4-family vpn-instance

Syntax
ipv4-family [ unicast ] vpn-instance vpn-instance-name
undo ipv4-family [ unicast ] vpn-instance vpn-instance-name

View
RIP view

Parameter
unicast: Unicast address.
vpn-instance-name: Associates the specified VPN instance with the IPv4 address family. Enter the MBGP address family view of RIP with this parameter.

Description
Using the ipv4-family command, you can enter the MBGP address family view of RIP. Using the undo ipv4-family command, you can cancel all configurations in the extended address family view.
The ipv4-family command is used to enter the MBGP address family view. In this view, parameters related to the address family can be configured for RIP.
The undo ipv4-family command is only used in RIP view.
The ipv4-family vpn-instance command is used for BGP/MPLS VPN. For related description, refer to “MPLS VPN“ section in module “MPLS” chapter of this manual.
For the related command, see display rip vpn-instance.

Example
None

network

Syntax
network network-address
undo network network-address

View
RIP view

Parameter
network-address: Address of the network enabled/disabled. It can be the IP network address of any interface.

Description
Using the network command, you can enable Routing Information Protocol (RIP) on the interface. Using the undo network command, you can cancel RIP on the interface.
By default, RIP is disabled on any interface.
After a RIP routing process is enabled, RIP is still disabled on every interface by default. RIP must be enabled on a given interface with the network command.
The undo network command is similar in function to the interface command undo rip work, but the two are not identical. They are similar in that an interface using either command will not receive or transmit RIP routes. They differ in that, with undo rip work, other interfaces still forward the routes of the interface on which undo rip work was used. With undo network, the effect is like performing the undo rip work command on the interface, and in addition the routes of the corresponding interfaces cannot be transmitted by RIP. Therefore, the packets transmitted to this interface cannot be forwarded.
When the network command is used on an address, the effect is that the interface on the network segment at this address is enabled. For example, after network 129.102.1.1 is configured, both the display current-configuration command and the display rip command show it as network 129.102.0.0.
For the related command, see rip work.

Example
Enable the RIP on the interface with the network address as 129.102.0.0.
[3Com-rip] network 129.102.0.0

peer

Syntax
peer ip-address
undo peer ip-address

View
RIP view

Parameter
ip-address: IP address of the peer router with which information will be exchanged in unicast mode, in dotted decimal format.

Description
Using the peer command, you can configure the destination address of the peer to which information is sent in unicast mode. Using the undo peer command, you can cancel the configured destination address.
By default, RIP packets are not sent to any destination.
This command specifies the sending destination address to suit some non-broadcast networks. Usually, it is not recommended to use this command.

Example
Specify the sending destination address 202.38.165.1.
[3Com-rip] peer 202.38.165.1


preference

Syntax
preference value
undo preference

View
RIP view

Parameter
value: Preference level, ranging from 1 to 255. By default, the value is 100.

Description
Using the preference command, you can configure the route preference of RIP. Using the undo preference command, you can restore the default preference.
Every routing protocol has its own preference. Its default value is determined by the specific routing policy. The preference will finally determine the routing algorithm to obtain the optimal route in the IP routing table. This command can be used to modify the RIP preference manually.

Example
Specify the RIP preference as 20.
[3Com-rip] preference 20

reset

Syntax
reset

View
RIP view

Parameter
None

Description
Using the reset command, you can reset the system parameters of RIP.
When you need to re-configure parameters of RIP, this command can be used to restore the default setting.

Example
Reset the RIP system.
[3Com-rip] reset

rip

Syntax
rip
undo rip

View
System view

Parameter
None

Description
Using the rip command, you can enable RIP and enter the RIP view. Using the undo rip command, you can cancel RIP.
By default, the system does not run RIP.
RIP must be enabled before you can enter the RIP view to configure the various RIP global parameters. The configuration of interface-related parameters, however, is not restricted by whether RIP is enabled or disabled. Interface parameters configured previously become invalid when RIP is disabled.

Example
Enable the RIP and enter the RIP view.
[3Com] rip
[3Com-rip]

rip authentication-mode

Syntax
rip authentication-mode { { simple password } | { md5 { key-string key-string | key-id key-id } } }
undo rip authentication-mode

View
Interface view

Parameter
simple: Simple text authentication mode.
password: Simple text authentication key, in character string format with 1 to 16 characters in simple text mode or 24 characters in cipher text mode.
md5: MD5 cipher text authentication mode.
key-string: MD5 cipher text authentication key, in character string format with 1 to 16 characters in simple text mode or 24 characters in cipher text mode.
key-id: MD5 cipher text authentication identifier, ranging from 1 to 255.

Description
Using the rip authentication-mode command, you can configure the RIP-2 authentication mode and the corresponding parameters. Using the undo rip authentication-mode command, you can cancel RIP-2 authentication. RIP-1 does not support authentication. There are two RIP authentication modes: simple text authentication and MD5 cipher text authentication. When MD5 cipher text authentication mode is used, there are two types of packet formats. One of them is described in RFC 1723, which was discussed earlier. The other format is the one described specially in RFC 2082. The router supports both packet formats and the user can select either of them.

For the related command, see rip version.

Example
Specify interface serial1/0/0 to use simple text authentication with the key aaa.
[3Com] interface serial1/0/0
[3Com-Serial1/0/0] rip version 2
[3Com-Serial1/0/0] rip authentication-mode simple aaa

rip authentication-mode

Syntax
rip authentication-mode md5 type { usual | nonstandard }

View
Interface view

Parameter
usual: Specifies the MD5 cipher text authentication packet to use the general packet format (RFC1723 standard format).
nonstandard: Specifies the MD5 cipher text authentication packet to use a nonstandard packet format described in RFC2082.

Description
Using the rip authentication-mode md5 type command, you can configure the MD5 type of RIP-2 authentication. By default, the nonstandard type is used. RIP-2 packets can take either of two formats when MD5 authentication is used. The format proposed earlier is described in RFC1723 and is adopted by Gated. The other format conforms to the RFC2082 standard and is adopted by some routers in the industry. For the related commands, see rip authentication-mode and rip version.

Example
Set MD5 authentication at Serial0, and the packet type is "nonstandard".
[3Com] interface serial1/0/0
[3Com-Serial1/0/0] rip version 2
[3Com-Serial1/0/0] rip authentication-mode md5 type nonstandard

rip input

Syntax
rip input
undo rip input

View
Interface view

Parameter
None

Description
Using the rip input command, you can allow an interface to receive RIP packets. Using the undo rip input command, you can stop an interface from receiving RIP packets. By default, RIP packets can be received at all interfaces (except the loopback interface). This command is used together with two other commands: rip output and rip work. Functionally, rip work is equivalent to rip input and rip output combined. The latter two control the receipt and the transmission of RIP packets respectively on an interface. For the related commands, see rip output and rip work.

Example
Specify the interface serial1/0/0 not to receive RIP packets.
[3Com-serial1/0/0] undo rip input

rip metricin

Syntax
rip metricin value
undo rip metricin

View
Interface view

Parameter
value: Additional route metric added when receiving a packet, ranging from 0 to 16. By default, the value is 1.

Description
Using the rip metricin command, you can configure the additional route metric added to a route when an interface receives RIP packets. Using the undo rip metricin command, you can restore the default value of this additional route metric. This command is valid for the routes distributed by the local network and other routes imported by other routers. This command is invalid for the routes imported by the local router. For the related command, see rip metricout.

Example
Set the additional route metric to 2 when the interface serial1/0/0 receives RIP packets.
[3Com] interface serial1/0/0
[3Com-serial1/0/0] rip metricin 2

rip metricout

Syntax
rip metricout value
undo rip metricout

View
Interface view

Parameter
value: Additional route metric added when transmitting a packet, ranging from 1 to 16. By default, the value is 1.

Description
Using the rip metricout command, you can configure the additional route metric added to a route when an interface transmits RIP packets. Using the undo rip metricout command, you can restore the default value of this additional route metric. This command is valid for the routes distributed by the local network and other routes imported by other routers. This command is invalid for the routes imported by the local router. For the related command, see rip metricin.

Example
Set the additional route metric to 2 when the interface serial1/0/0 transmits RIP packets.
[3Com] interface serial1/0/0
[3Com-serial1/0/0] rip metricout 2

rip output

Syntax
rip output
undo rip output

View
Interface view

Parameter
None

Description
Using the rip output command, you can configure an interface to transmit RIP packets. Using the undo rip output command, you can stop an interface from transmitting RIP packets. By default, RIP packets can be transmitted at all interfaces (except the loopback interface). This command is used together with two other commands: rip input and rip work. Functionally, rip work is equivalent to rip input and rip output combined. The latter two control the receipt and the transmission of RIP packets respectively on an interface. For the related commands, see rip input and rip work.

Example
Disable the interface serial1/0/0 from transmitting RIP packets.
[3Com] interface serial1/0/0
[3Com-serial1/0/0] undo rip output

rip split-horizon

Syntax
rip split-horizon
undo rip split-horizon

View
Interface view

Parameter
None

Description
Using the rip split-horizon command, you can configure an interface to use split horizon when transmitting RIP packets. Using the undo rip split-horizon command, you can configure an interface not to use split horizon when transmitting RIP packets. By default, an interface uses split horizon when transmitting RIP packets. Normally, split horizon is necessary to reduce routing loops. Split horizon should be disabled only in some special cases, to ensure the correct operation of protocols.

Example
Specify the interface serial1/0/0 not to use split horizon when processing RIP packets.
[3Com] interface serial1/0/0
[3Com-serial1/0/0] undo rip split-horizon

rip version

Syntax
rip version { 1 | { 2 [ broadcast | multicast ] } }
undo rip version

View
Interface view

Parameter
1: Interface version is RIP-1.
2: Interface version is RIP-2. By default, multicast is used.
broadcast: Transmission mode of RIP-2 packet is broadcast.
multicast: Transmission mode of RIP-2 packet is multicast.

Description
Using the rip version command, you can configure the version of RIP packets on an interface. Using the undo rip version command, you can restore the default value of the RIP packet version on the interface. By default, the interface RIP version is RIP-1. RIP-2 has 2 transmission modes: broadcast and multicast. Multicast is the default mode. The multicast address in RIP-2 is 224.0.0.9. One of the advantages of multicast mode is that the hosts that do not run RIP in this network will not receive the broadcast packets. Additionally, hosts running RIP-1 will be prevented from receiving and processing the RIP-2 routes with subnet masks. When the interface specifies the use of RIP-1, only RIP-1 and RIP-2 broadcast packets will be received. In this case, RIP-2 multicast packets will be rejected. When the interface is specified to use RIP-2 multicast, only RIP-2 multicast packets and RIP-2 broadcast packets will be received. In this case, RIP-1 packets will be rejected.

Example
Configure the interface serial1/0/0 as RIP-2 broadcast mode.
[3Com] interface serial1/0/0
[3Com-serial1/0/0] rip version 2 broadcast

rip work

Syntax
rip work
undo rip work

View
Interface view

Parameter
None

Description
Using the rip work command, you can enable RIP on an interface. Using the undo rip work command, you can disable RIP on an interface. By default, RIP is enabled on an interface. This command is used together with the rip input, rip output and network commands. For the related commands, see network, rip input, and rip output.

Example
Disable the interface serial1/0/0 from running RIP.
[3Com] interface serial1/0/0
[3Com-serial1/0/0] undo rip work

summary

Syntax
summary
undo summary

View
RIP view

Parameter
None

Description
Using the summary command, you can enable RIP-2 automatic route summarization. Using the undo summary command, you can disable RIP-2 automatic route summarization. By default, RIP-2 route summarization is enabled. Route aggregation can be performed to reduce the routing traffic on the network as well as to reduce the size of the routing table. If RIP-2 is used, the route summarization function can be disabled with the undo summary command when it is necessary to broadcast the subnet route. RIP-1 does not support subnet masks, so forwarding a subnet route may cause ambiguity. Therefore, RIP-1 uses route summarization all the time. The undo summary command is invalid for RIP-1. For the related command, see rip version.

Example
Set the RIP version on the interface serial1/0/0 to RIP-2 and disable the route summarization function.
[3Com] interface serial1/0/0
[3Com-serial1/0/0] rip version 2
[3Com-serial1/0/0] quit
[3Com] rip
[3Com-rip] undo summary

timers

Syntax
timers { update update-timer-length | timeout timeout-timer-length } *
undo timers { update | timeout } *

View
RIP view

Parameters
update-timer-length: Period update value, measured in seconds ranging from 1 to 3600. The default value is 30 seconds.
timeout-timer-length: Timeout value, measured in seconds ranging from 1 to 3600. The default value is 180 seconds.

Description
Using the timers command, you can modify the values of the three RIP timers: Period update, Timeout and Garbage-collection. Using the undo timers command, you can restore the default setting.

The default values of the Period update, Timeout and Garbage-collection timers are 30s, 180s and 120s respectively. Usually, the timing length of the Garbage-collection timer is 3 times that of the Period update timer. However, in practice, an unreachable route will not be completely deleted until the fourth update packet sent from the same neighbor is received. So the actual timing length of the Garbage-collection timer is 3 to 4 times that of the Period update timer. Additionally, modifying the Period update timer will affect the Garbage-collection timer. The modified values of the RIP timers take effect immediately. For the related command, see display rip.

Example
Set the Period update timer to 10 seconds and the Timeout timer to 30 seconds.
[3Com] rip
[3Com-rip] timers update 10 timeout 30

OSPF Configuration Commands

abr-summary

Syntax
abr-summary ip-address mask [ advertise | not-advertise ]
undo abr-summary ip-address mask

View
OSPF area view

Parameter
ip-address: Network segment address.
mask: Network mask.
advertise: Advertises only the summarized route.
not-advertise: Suppresses the advertisement of the routes in the matched range.

Description
Using the abr-summary command, you can configure route aggregation on the area border router (ABR). Using the undo abr-summary command, you can cancel the function of route aggregation on the area border router. By default, the area border router doesn’t aggregate routes. This command is applicable only to the ABR and is used for route aggregation in an area. The ABR only transmits an aggregated route to other areas. Route aggregation means that routing information is processed on the ABR so that, for each network segment configured with route aggregation, only one route is transmitted to other areas. Multiple aggregation network segments can be configured for an area. Thus OSPF can aggregate various network segments together.

Example
Aggregate the routes in the two network segments, 36.42.10.0 and 36.42.110.0, of OSPF area 1 into one route 36.42.0.0 and transmit it to other areas.
[3Com-ospf-1] area 1
[3Com-ospf-1-area-0.0.0.1] network 36.42.10.0 0.0.0.255
[3Com-ospf-1-area-0.0.0.1] network 36.42.110.0 0.0.0.255
[3Com-ospf-1-area-0.0.0.1] abr-summary 36.42.0.0 255.255.0.0

area

Syntax
area area-id
undo area area-id

View
OSPF view, OSPF area view

Parameter
area-id: ID of the OSPF area, which can be a decimal integer (ranging from 0 to 4294967295) or in IP address format.

Description
Using the area command, you can enter OSPF area view. Using the undo area command, you can cancel the designated area.

Example
Enter area 0 view.
[3Com-ospf-1] area 0
[3Com-ospf-1-area-0.0.0.0]

asbr-summary

Syntax
asbr-summary ip-address mask [ not-advertise | tag value ]
undo asbr-summary ip-address mask [ not-advertise | tag value ]

View
OSPF view

Parameter
ip-address: Matched IP address in dotted decimal notation.
mask: IP address mask in dotted decimal notation.
not-advertise: Does not advertise routes matching the specified IP address and mask. Without this parameter, the aggregated route is advertised.
tag value: Controls advertisement of routes via Route-policy. It is in the range from 0 to 4294967295. If it is not specified, it is 1 by default.

Description
Using the asbr-summary command, you can configure summarization of imported routes by OSPF. Using the undo asbr-summary command, you can cancel the summarization. By default, summarization of imported routes is disabled. After the summarization of imported routes is configured, if the local router is an autonomous system border router (ASBR), this command summarizes the imported Type-5 LSAs in the summary address range. When NSSA is configured, this command will also summarize the imported Type-7 LSAs in the summary address range. If the local router acts as both an ABR and a switch router in the NSSA, this command summarizes Type-5 LSAs transformed from Type-7 LSAs. If the router is not the router in the NSSA, the summarization is disabled. For the related command, see display ospf asbr-summary.

Example
Set summarization of 3Com imported routes.
[3Com-ospf-1] asbr-summary 10.2.0.0 255.255.0.0 not-advertise

authentication-mode

Syntax
authentication-mode [ simple | md5 ]
undo authentication-mode

View
OSPF area view

Parameter
simple: Simple text authentication mode.
md5: MD5 cipher text authentication mode.

Description
Using the authentication-mode command, you can configure one area of OSPF to support the authentication attribute. Using the undo authentication-mode command, you can cancel the authentication attribute of this area. By default, an area does not support the authentication attribute. All the routers in one area must use the same authentication mode (no authentication, simple text authentication or MD5 cipher text authentication). If an authentication mode is configured, all routers on the same segment must use the same authentication key. To configure a simple text authentication key, use the ospf authentication-mode simple command. Use the ospf authentication-mode md5 command to configure the MD5 cipher text authentication key if the area is configured to support MD5 cipher text authentication mode. For the related command, see ospf authentication-mode.

Example
Enter area 0 view.
[3Com-ospf-1] area 0
Specify the OSPF area 0 to support MD5 cipher text authentication.
[3Com-ospf-1-area-0.0.0.0] authentication-mode md5
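
The RIP-2 settings under rip authentication-mode and rip version and the OSPF area authentication-mode setting described above can be reviewed together. The Python script below is an added example, not part of the 3Com guide: it replays a captured CLI session in this guide's prompt format and reports interfaces and areas left with no authentication or with simple text authentication. The session text, the key value, the finding labels and the treatment of "md5 type" as format-only are assumptions, and the network command is not modelled.

```python
import ipaddress
import re

# Prompt forms used in this guide: [3Com], [3Com-<view>] and <3Com>.
PROMPT = re.compile(r"^[\[<]3Com(?:-(?P<view>[^\]>]+))?[\]>]\s*(?P<cmd>.*)$")
OSPF_VIEW = re.compile(r"^ospf-(?P<proc>\d+)(?:-area-(?P<area>[\d.]+))?$")

# Constructed sample session; interface numbers and the key are placeholders.
SAMPLE_SESSION = """\
[3Com] rip
[3Com] interface serial1/0/0
[3Com-Serial1/0/0] rip version 2
[3Com-Serial1/0/0] rip authentication-mode simple aaa
[3Com] interface serial2/0/0
[3Com-serial2/0/0] rip version 2
[3Com-serial2/0/0] rip authentication-mode md5 key-string EXAMPLE-KEY
[3Com-serial2/0/0] rip authentication-mode md5 type usual
[3Com] interface serial3/0/0
[3Com-serial3/0/0] rip authentication-mode md5 key-string EXAMPLE-KEY
[3Com] interface serial4/0/0
[3Com-serial4/0/0] undo rip work
[3Com-ospf-1] area 0
[3Com-ospf-1-area-0.0.0.0] authentication-mode md5
[3Com-ospf-1] area 1
[3Com-ospf-1-area-0.0.0.1] authentication-mode simple
[3Com-ospf-1] area 2
[3Com-ospf-1-area-0.0.0.2] network 36.42.10.0 0.0.0.255
"""

def dotted_area(area_id):
    """area-id may be a decimal integer or dotted decimal; return dotted form."""
    return str(ipaddress.IPv4Address(area_id if "." in area_id else int(area_id)))

def apply_interface_command(state, words):
    """Update one interface's RIP state from a command typed in its view."""
    undo = words[0] == "undo"
    words = words[1:] if undo else words
    if words[:2] == ["rip", "version"]:
        # "undo rip version" restores the default, RIP-1
        state["version"] = "1" if undo or len(words) < 3 else words[2]
    elif words[:2] == ["rip", "work"]:
        state["enabled"] = not undo
    elif words[:2] == ["rip", "authentication-mode"]:
        # Assumption: "md5 type ..." only selects the packet format; MD5
        # counts as configured once a key-string or key-id is given.
        if undo:
            state["auth"] = None
        elif words[2:3] == ["simple"] or (words[2:3] == ["md5"] and words[3:4] != ["type"]):
            state["auth"] = words[2]

def parse_session(text):
    """Replay the session; return (rip_running, interfaces, areas)."""
    # By default the system does not run RIP.
    rip_running, interfaces, areas = False, {}, {}
    for line in text.splitlines():
        match = PROMPT.match(line.strip())
        if not match or not match["cmd"].strip():
            continue
        view = (match["view"] or "").lower()
        words = match["cmd"].split()
        ospf = OSPF_VIEW.match(view)
        if not view:
            if words in (["rip"], ["undo", "rip"]):
                rip_running = words == ["rip"]
            elif words[0] == "interface" and len(words) > 1:
                # Defaults: RIP-1, no authentication, RIP enabled on the interface
                interfaces.setdefault(words[1].lower(), dict(version="1", auth=None, enabled=True))
        elif ospf:
            if ospf["area"]:
                key = (ospf["proc"], dotted_area(ospf["area"]))
                areas.setdefault(key, None)  # default: no authentication attribute
                if words[0] == "authentication-mode" and words[1:2] in (["simple"], ["md5"]):
                    areas[key] = words[1]
                elif words[:2] == ["undo", "authentication-mode"]:
                    areas[key] = None
            if words[0] == "area" and len(words) > 1:
                areas.setdefault((ospf["proc"], dotted_area(words[1])), None)
        elif view in interfaces:
            apply_interface_command(interfaces[view], words)
    return rip_running, interfaces, areas

def audit(text):
    """Return sorted (target, finding) pairs for weak or missing authentication."""
    rip_running, interfaces, areas = parse_session(text)
    findings = []
    for name, state in interfaces.items():
        if not (rip_running and state["enabled"]):
            continue  # RIP not running, or "undo rip work" on this interface
        if state["version"] != "2":
            findings.append((name, "rip-1-cannot-authenticate"))
        elif state["auth"] is None:
            findings.append((name, "rip-2-unauthenticated"))
        elif state["auth"] == "simple":
            findings.append((name, "rip-2-simple-text-key"))
    for (proc, area), mode in areas.items():
        issue = {None: "ospf-area-unauthenticated", "simple": "ospf-area-simple-text"}.get(mode)
        if issue:
            findings.append((f"ospf {proc} area {area}", issue))
    return sorted(findings)
```

Calling audit(SAMPLE_SESSION) reports serial3/0/0 even though an MD5 key was entered there, because the interface was left at the default RIP-1, which does not support authentication.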

debugging ospf

Syntax
debugging ospf [ process-id ] { event | { packet [ ack | dd | hello | request | update ] } | lsa-generate | spf | te }
undo debugging ospf [ process-id ] { event | { packet [ ack | dd | hello | request | update ] } | lsa-generate | spf | te }

View
User view

Parameter
process-id: OSPF process number. If no process number is specified, debugging is enabled or disabled for all processes.
event: Enables OSPF event information debugging.
packet: Enables OSPF packet information debugging. There are five sorts of packets in OSPF as follows:
ack: LSAck packet.
dd: Database Description packet.
hello: Hello message.
request: Link State Request packet.
update: Link State Update packet.
lsa-generate: Enables OSPF LSA packet information debugging.
spf: Enables the debugging of the calculation of the OSPF shortest-path tree.
te: Enables the debugging of OSPF TE.

Description
Using the debugging ospf command, you can enable OSPF debugging. Using the undo debugging ospf command, you can disable the function. In OSPF multi-process, using the debugging command, you can enable the debugging of all the processes simultaneously or of one process only. If no process number is specified in the debugging command, the command is valid for all the processes, and it keeps its state while the router is running whether or not an OSPF process exits. In this way, the execution of this command will enable or disable debugging for each enabled OSPF process. At the same time, the debugging specified by this command will be enabled automatically when a new OSPF process is enabled.

If a process number is specified in the debugging command, only the specified process is debugged. The configuration command is invalid if OSPF is not enabled, and the debugging state will not be kept after the process exits. For the related command, see display debugging ospf.

Example
Enable the information debugging of OSPF packets.
<3Com> debugging ospf packet

default cost

Syntax
default cost value
undo default cost

View
OSPF view

Parameter
value: Default routing cost of external route imported by OSPF, ranging from 0 to 16777214. By default, its value is 1.

Description
Using the default cost command, you can configure the default cost for OSPF to import external routes. Using the undo default cost command, you can restore the default value of the default routing cost configured for OSPF to import external routes. Since OSPF can import external routing information and propagate it to the entire autonomous system, it is necessary to specify the default routing cost for the protocol to import external routes. If multiple OSPF processes are enabled, the command is valid for this process only.

Example
Specify the default routing cost for OSPF to import external routes as 10.
[3Com-ospf-1] default cost 10

default interval

Syntax
default interval seconds
undo default interval

View
OSPF view

Parameter
seconds: Default interval for importing external routes. Its unit is second and the value ranges from 1 to 2147483647. By default, the interval for OSPF to import external routes is 1 second.

Description
Using the default interval command, you can configure the default interval for OSPF to import external routes. Using the undo default interval command, you can restore the default value of the default interval of importing external routes. Because OSPF can import the external routing information and broadcast it to the entire autonomous system, it is necessary to specify the default interval for the protocol to import external routes.

Example
Specify the default interval for OSPF to import external routes as 10 seconds.
[3Com-ospf-1] default interval 10

default limit

Syntax
default limit routes
undo default limit

View
OSPF view

Parameter
routes: Default value of the imported external routes in a unit time, ranging from 200 to 2147483647. By default, the value is 1000.

Description
Using the default limit command, you can configure the default value of the maximum number of imported routes. Using the undo default limit command, you can restore the default value. OSPF can import external route information and broadcast it to the whole autonomous system, so it is necessary to regulate the default value of external route information imported in one process. For the related command, see default interval.

Example
Specify the default value of OSPF importing external routes as 200.
[3Com-ospf-1] default limit 200

default tag

Syntax
default tag tag
undo default tag

View
OSPF view

Parameter
tag: Default tag, ranging from 0 to 4294967295.

Description
Using the default tag command, you can configure the default tag of OSPF when it redistributes an external route. Using the undo default tag command, you can restore the default tag of OSPF when it redistributes the external route. When OSPF redistributes a route found by other routing protocols in the router and uses it as the external routing information of its own autonomous system, some additional parameters are required, including the default cost and the default tag of the route. For the related command, see default type.

Example
Set the default tag of OSPF imported external route of the autonomous system as 10.
[3Com-ospf-1] default tag 10

default type

Syntax
default type { 1 | 2 }
undo default type

View
OSPF view

Parameter
type 1: External routes of type 1.
type 2: External routes of type 2.

Description
Using the default type command, you can configure the default type when OSPF redistributes external routes. Using the undo default type command, you can restore the default type when OSPF redistributes external routes. By default, the external routes of type 2 are imported. OSPF specifies the two types of external routing information. The command described in this section can be used to specify the default type when external routes are imported. For the related command, see default tag.

Example
Specify the default type as type 1 when OSPF imports an external route.
[3Com-ospf-1] default type 1

default-cost

Syntax
default-cost value
undo default-cost

View
OSPF area view

Parameter
value: Specifies the cost value of the default route transmitted by OSPF to the STUB or NSSA area, ranging from 0 to 16777214. The default value is 1.

Description
Using the default-cost command, you can configure the cost of the default route transmitted by OSPF to the STUB or NSSA area. Using the undo default-cost command, you can restore the cost of the default route transmitted by OSPF to the STUB or NSSA area to the default value. This command is applicable to the border routers connected to a STUB or NSSA area. The stub and default-cost commands are necessary in configuring a STUB area. All the routers connected to a STUB area must use the stub command to configure the stub attribute for this area. Using the default-cost command, you can specify the cost of the default route transmitted by the ABR to the STUB or NSSA area. This command is only valid for this process if multiple OSPF processes are enabled. For the related commands, see stub and nssa.

Example
Set area 1 as the STUB area and the cost of the default route transmitted to this STUB area to 60.
[3Com-ospf-1] area 1
[3Com-ospf-1-area-0.0.0.1] network 20.0.0.0 0.255.255.255
[3Com-ospf-1-area-0.0.0.1] stub
[3Com-ospf-1-area-0.0.0.1] default-cost 60

default-route-advertise

Syntax
default-route-advertise [ always ] [ cost cost-value ] [ type type-value ] [ route-policy route-policy-name ]
undo default-route-advertise [ always ] [ cost ] [ type ] [ route-policy ]

View
OSPF view

Parameter
always: Only available for the ASBR. If the parameter is selected, a default route which is advertised via LSAs will be generated no matter whether there is a default route in the routing table. For the ASBR in a general area, the default route is advertised via Type-5 LSA, while in NSSA, the default route is advertised via Type-7 LSA.
cost-value: Cost value of this LSA. The cost-value ranges from 0 to 16777214. The default value is 1.
type-value: Cost type of this LSA. It ranges from 1 to 2. The default value is 2.
route-policy-name: If the default route matches the route-policy specified by route-policy-name, route-policy will affect the value in LSA. The length of the route-policy-name parameter ranges from 1 to 19 characters.

Description
Using the default-route-advertise command, you can make the system generate a default route to the OSPF area. Using the undo default-route-advertise command, you can cancel generation of a default route. By default, OSPF does not generate a default route. Using the default-route-advertise command at the ABR, you can generate a default route which is advertised via the Type-5 LSA or Type-7 LSA no matter whether there is a default route in the routing table. An OSPF router becomes an ASBR after the default-route-advertise command is executed, which is similar to executing the import-route command on an OSPF router. But you cannot import the default route into the OSPF area with the import-route command. In addition, the default-route-advertise command is not available for the Stub area. For the ABR or ASBR in NSSA, the default-route-advertise command is equivalent to the nssa default-route-advertise command in terms of effect. This command is valid for the current process only if multiple OSPF processes are enabled. For the related commands, see import-route and nssa.

Example
If the local router has a default route, the LSA of the default route will be generated; otherwise it won’t be generated.
[3Com-ospf-1] default-route-advertise

The LSA of the default route will be generated and advertised to the OSPF route area even if the local router has no default route.
[3Com-ospf-1] default-route-advertise always

display debugging ospf

Syntax
display debugging ospf

View
Any view

Description
Using the display debugging ospf command, you can view the global OSPF debugging state and each process debugging state. For the related command, see debugging ospf.

Example
View the global OSPF debugging state and each process debugging state.
<3Com> display debugging ospf
OSPF global debugging state:
OSPF SPF debugging is on
OSPF LSA debugging is on
OSPF process 100 debugging state:
OSPF SPF debugging is on
OSPF process 200 debugging state:
OSPF SPF debugging is on
OSPF LSA debugging is on

display ospf abr-asbr

Syntax
display ospf abr-asbr

View
Any view

Parameter
None

Description
Using the display ospf abr-asbr command, you can view the information about the Area Border Router (ABR) and Autonomous System Border Router (ASBR) of OSPF.

Example
Display the information of the OSPF ABR and ASBR.
<3Com> display ospf abr-asbr
Routing Table to ABR and ASBR
Destination Area Cost Type Nexthop Interface
Intra 1.2.3.9 0.0.0.0 1 ASBR 1.2.3.9 Ethernet2/0/0

display ospf asbr-summary

Syntax
display ospf asbr-summary [ ip-address mask ]

View
Any view

Parameter
ip-address: Matched IP address, in dotted decimal notation.
mask: IP address mask in dotted decimal notation.

Description
Using the display ospf asbr-summary command, you can view the summary information of OSPF imported routes. If the parameters are not configured, the summary information of all imported routes will be viewed. For the related command, see asbr-summary.

Example
Display the summary information of all OSPF imported routes.
<3Com> display ospf asbr-summary
Total summary address count: 2
Summary Address
net : 168.10.0.0
mask : 255.254.0.0
tag : 1
status : Advertise
The Count of Route is 0
Summary Address
net : 1.1.0.0
mask : 255.255.0.0
tag : 100
status : DoNotAdvertise
The Count of Route is 0

display ospf brief

Syntax
display ospf [ process-id ] brief

View
Any view

Parameter
process-id: Process number of OSPF. If no process number is specified, this command displays the main information of all OSPF processes in configuration sequence.

Description
Using the display ospf brief command, you can view the summary of OSPF.

Example
Display the OSPF summary.
<3Com> display ospf brief
RouterID: 3.3.3.3 Border Router: Area
spf-schedule-interval: 5
Routing preference: Inter/Intra: 10 External: 150
Default ASE parameters: Metric: 1 Tag: 0.0.0.1 Type: 2
SPF computation count: 13
Area Count: 2 Nssa Area Count: 0
Area 0.0.0.0:
Authtype: none Flags: <> SPF scheduled: <>
Interface: 20.0.0.2 (Ethernet1/0/0)
Cost: 1 State: BackupDR Type: Broadcast Priority: 1
Designated Router: 20.0.0.1
Backup Designated Router: 20.0.0.2
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1
Interface: 30.0.0.1 (Ethernet2/0/0)
Cost: 1 State: DR Type: Broadcast Priority: 1
Designated Router: 30.0.0.1
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1
Area 0.0.0.1:
Authtype: none Flags: <Transit> SPF scheduled: <>
Interface: 40.0.0.1 (LoopBack0) --> 40.0.0.1
Cost: 1562 State: P To P Type: PointToPoint Priority: 1
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1

Display the routing information of OSPF 100.
<3Com> display ospf 100
OSPF Process 100 with Router ID 1.2.3.4
OSPF Protocol Information
RouterID: 1.2.3.4
Spf-schedule-interval: 5
Routing preference: Inter/Intra: 10 External: 150
Default ASE parameters: Metric: 1 Tag: 0.0.0.1 Type: 2
SPF computation count: 0
Area Count: 0 Nssa Area Count: 0

display ospf cumulative

Syntax
display ospf cumulative

View
Any view

Parameter
None

Description
Using the display ospf cumulative command, you can view the OSPF cumulative information.

Example
Display the OSPF cumulative information.
<3Com> display ospf cumulative
IO Statistics
Type Input Output
Hello 225 437
DB Description 78 86
Link-State Req 18 18
Link-State Update 4853
Link-State Ack 25 21
ASE: 1 Checksum Sum: FCAF
LSAs originated by this router
Router: 50 SumNet: 40 SumASB: 2
LSAs Originated: 92 LSAs Received: 33
Area 0.0.00.0:
Neighbors: 1 Interfaces: 1
Spf: 54 Checksum Sum F020
rtr: 2 net: 0 sumasb: 0 sumnet: 1
Area 0.0.0.1:
Neighbors: 0 Interfaces: 1
Spf: 19 Checksum Sum 14EAD
rtr: 1 net: 0 sumasb: 1 sumnet: 1
Routing Table:
Intra Area: 2 Inter Area: 0 ASE: 1

display ospf error

Syntax
display ospf error

View
Any view

Parameter
None

Description
Using the display ospf error command, you can view the statistics of error information which OSPF received.

Example
Display the statistics of error information which OSPF received.
<3Com> display ospf error
OSPF packet error statistics:
0: IP: received my own packet
0: OSPF: bad packet type
0: OSPF: bad version
0: OSPF: bad checksum
0: OSPF: bad area id
0: OSPF: area mismatch
0: OSPF: bad virtual link
0: OSPF: bad authentication type
0: OSPF: bad authentication key
0: OSPF: packet too small
0: OSPF: packet size > ip length
0: OSPF: transmit error
0: OSPF: interface down
0: OSPF: unknown neighbor
0: HELLO: netmask mismatch
0: HELLO: hello timer mismatch
0: HELLO: dead timer mismatch
0: HELLO: extern option mismatch
0: HELLO: router id confusion
0: HELLO: virtual neighbor unknown
0: HELLO: NBMA neighbor unknown
0: DD: neighbor state low
0: DD: router id confusion
0: DD: extern option mismatch
0: DD: unknown LSA type
0: LS ACK: neighbor state low
0: LS ACK: bad ack
0: LS ACK: duplicate ack
0: LS ACK: unknown LSA type
0: LS REQ: neighbor state low
0: LS REQ: empty request
0: LS REQ: bad request
0: LS UPD: neighbor state low
0: LS UPD: newer self-generate LSA
0: LS UPD: LSA checksum bad
0: LS UPD: received less recent LSA
0: LS UPD: unknown LSA type
0: OSPF routing: next hop not exist
0: DD: MTU option mismatch

display ospf interface

Syntax
display ospf interface [ interface-type port-number ]

View
Any view

Parameter
interface-type: Interface type.
port-number: Interface number.

Description
Using the display ospf interface command, you can view the OSPF interface information.

Example
Display the OSPF ethernet2/0/0 interface information.
<3Com> display ospf interface ethernet2/0/0
Interface: 10.110.0.2 (Ethernet2/0/0)
Cost: 1  State: BackupDR  Type: Broadcast
Priority: 1
Designated Router: 10.110.0.1
Backup Designated Router: 10.110.0.2
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1

display ospf lsdb

Syntax
display ospf [ area-id ] lsdb [ brief ] [ asbr | ase | network | nssa | opaque | router | summary ] [ ip-address ] [ originate-router ip-address ] [ self-originate ]

View
Any view

Parameter
area-id: ID of the OSPF area, represented by a decimal integer ranging from 0 to 4294967295 or in IP address format.
brief: Brief database information.
asbr: Database information of Type-4 LSA (summary-Asbr-LSA).
ase: Database information of Type-5 LSA (AS-external-LSA).
network: Database information of Type-2 LSA (Network-LSA).
nssa: Database information of Type-7 LSA (NSSA-external-LSA).
opaque: Database information of Opaque LSA.
router: Database information of Type-1 LSA (Router-LSA).
summary: Database information of Type-3 LSA (Summary-Net-LSA).
ip-address: Link state ID in IP address format.
originate-router ip-address: IP address of the router advertising the LSA packet.
self-originate: Database information of self-originated LSAs generated by the local router.

Description
Using the display ospf lsdb command, you can view the OSPF link state database information.

Example
Display the OSPF link state database information.
<3Com> display ospf lsdb
OSPF Process 1 with Router ID 123.1.1.1
Link State Database
Area: 0.0.0.0
Type  LinkState ID  AdvRouter   Age  Len  Sequence  Metric  Where
Rtr   1.1.1.1       1.1.1.1     563  36   80000008  0       SpfTree
Net   1.1.1.2       123.1.1.1   595  32   80000001  0       SpfTree
AS External Database:
Type  LinkState ID  AdvRouter   Age  Len  Sequence  Metric  Where
ASE   1.1.0.0       1.1.1.1     561  36   80000001  1       Uninitialized
ASE   123.1.1.1     1.1.1.1     561  36   80000001  1       Uninitialized

Display the brief OSPF link state database information.
<3Com> display ospf lsdb brief
OSPF Process 1 with Router ID 1.1.1.1
LS Database Statistics:
Area ID      Stub  Router  Network  S-Net  S-ASBR  Type-7  Subtotal
0.0.0.0      0     2       1        1      0       0       4
0.0.0.1      0     2       1        1      0       4       8
AS External                                                4
Total        0     4       2        2      0       4       16

Display the database information of Type-7 LSA.
<3Com> display ospf lsdb nssa
OSPF Process 1 with Router ID 1.1.1.1
Link State Database
Area: 0.0.0.1
type : NSSA
ls id : 1.1.0.0
adv rtr : 1.1.1.1
ls age : 93
len : 36
seq : 80000002
chksum : 0x3c66
options : (No Type 7/5 translation, DC)
Net mask : 255.255.0.0
Tos 0 metric: 1
E type : 2
Forwarding Address :2.2.2.1
Tag: 1

Display database information of summary route.
<3Com> display ospf lsdb summary
OSPF Process 1 with Router ID 1.1.1.1
Link State Database
Area: 0.0.0.0
Type : SumNet
Ls id : 2.2.0.0
Adv rtr : 1.1.1.1
Ls age : 304
Len : 28
seq : 80000001
chksum : 0x61d4
Options : (DC)
Net mask : 255.255.0.0
Tos 0 metric: 1

Display database information of Type-1 LSA.

<3Com> display ospf lsdb router
Link State Data Base
Area: 0.0.0.0
Type : Router
Ls id : 20.0.0.1
Adv rtr : 20.0.0.1
Ls age : 988
Len : 36
seq : 80000006
chksum : 0x428c
Options : (DC) ASBR
Link count: 1
Link ID: 20.0.0.1
Data : 20.0.0.1
Type : TransNet
Metric : 10

Display database information of Type-2 LSA.
<3Com> display ospf lsdb network
OSPF Process 1 with Router ID 1.1.1.1
Link State Database
Area: 0.0.0.0
Type : Net
Ls id : 1.1.1.2
Adv rtr : 123.1.1.1
Ls age : 515
Len : 32
seq : 80000002
chksum : 0xc470
Options : (DC)
Net mask : 255.255.0.0
Attached Router 123.1.1.1
Attached Router 1.1.1.1

Display database information of Type-4 LSA.
<3Com> display ospf lsdb asbr
OSPF Process 1 with Router ID 2.2.2.2
Link State Database
Area: 0.0.0.1
Type : SumASB
Ls id : 123.1.1.1
Adv rtr : 1.1.1.1
Ls age : 20
Len : 28
seq : 80000001
chksum : 0x1f9b
Options : (DC)
Tos 0 metric: 1

Display database information of Type-5 LSA.
<3Com> display ospf lsdb ase
OSPF Process 1 with Router ID 1.1.1.1
Link State Database
type : ASE
ls id : 1.1.0.0
adv rtr : 1.1.1.1
ls age : 15
len : 36
seq : 80000001
chksum : 0x4a8
options : (DC)
Net mask : 255.255.0.0
Tos 0 metric: 1
E type : 2
Forwarding Address :0.0.0.0
Tag: 1

Display the LSA packets advertised from the router at 3.3.3.3.
<3Com> display ospf lsdb originate-router 3.3.3.3
Link State Database
Area: 0.0.0.0
Type  LinkState ID  AdvRouter  Age   Len  Sequence  Metric  Where
Stub  30.0.0.0      3.3.3.3    -1    24   0         0       SpfTree
SNet  40.0.0.0      3.3.3.3    1524  28   80000006  1562    Inter List
Area: 0.0.0.1
Type  LinkState ID  AdvRouter  Age   Len  Sequence  Metric  Where
Stub  40.0.0.0      3.3.3.3    -1    24   0         0       SpfTree
ASB   20.0.0.1      3.3.3.3    1524  28   80000003  1       SumAsb List

Display database information of the LSA packets generated by local router.
<3Com> display ospf lsdb self-originate
OSPF Process 1 with Router ID 1.1.1.1
Link State Database
Area: 0.0.0.0
Type  LinkState ID  AdvRouter  Age  Len  Sequence  Metric  Where
Rtr   1.1.1.1       1.1.1.1    539  36   80000016  0       SpfTree
SNet  2.2.0.0       1.1.1.1    445  28   80000008  1       Inter List
Area: 0.0.0.1
Type  LinkState ID  AdvRouter  Age  Len  Sequence  Metric  Where
Rtr   1.1.1.1       1.1.1.1    539  36   8000000e  0       SpfTree
SNet  1.1.0.0       1.1.1.1    445  28   8000000a  1       Inter List
ASB   123.1.1.1     1.1.1.1    445  28   80000007  1       SumAsb List
AS External Database:
Type  LinkState ID  AdvRouter  Age  Len  Sequence  Metric  Where
ASE   100.0.0.0     1.1.1.1    849  36   8000000a  2       Ase List
ASE   1.1.0.0       1.1.1.1    737  36   8000000e  1       Ase List

display ospf nexthop

Syntax
display ospf nexthop

View
Any view

Parameter
None

Description
Using the display ospf nexthop command, you can view the information about the next hop.

Example
Display the OSPF next-hop information.
<3Com> display ospf nexthop
Address       Type      Refcount  Intf Addr     Intf Name
---------------------------------------------------------------------
202.38.160.1  Direct    3         202.38.160.1  Interface serial2/0/0
202.38.160.2  Neighbor  1         202.38.160.1  Interface serial2/0/0

display ospf peer

Syntax
display ospf peer [ brief ]

View
Any view

Parameter
brief: Brief information of neighbors in areas.

Description
Using the display ospf peer command, you can view the information about the neighbors in OSPF areas. Using the display ospf peer brief command, you can view the brief information of neighbors in OSPF, mainly the number of neighbors in each state in every area. The display format of the OSPF neighbor valid time depends on the length of time, as follows:

XXYXXMXXD: More than a year, namely year: month: day
XXXdXXhXXm: More than a day but less than a year, that is, day: hour: minute
XX:XX:XX: Less than a day, namely hour: minute: second

Example
View the information of OSPF peer.
<3Com> display ospf peer
Area 0.0.0.0 interface 1.1.1.1(Serial2/0/0)'s neighbor(s)
RouterID: 1.1.1.3  Address: 1.1.1.3
State: Full  Mode: Nbr is Master  Priority: 1
DR: 1.1.1.3  BDR: 1.1.1.1
Dead timer expires in 31s
Neighbor is comes for 00:08:24

View the brief information of neighbors in areas.
<3Com> display ospf peer brief
OSPF Process 1 with Router ID 1.1.1.1
Neighbor Statistics
Area ID   Down  Attempt  Init  2-Way  ExStart  Exchange  Loading  Full  Total
0.0.0.0   0     0        0     0      0        0         0        1     1
0.0.0.1   0     0        0     0      0        0         0        1     1
Total     0     0        0     0      0        0         0        2     2

display ospf request-queue

Syntax
display ospf request-queue

View
Any view

Parameter
None

Description
Using the display ospf request-queue command, you can view the information about the OSPF request-queue.

Example
View the information about the OSPF request-queue.
<3Com> display ospf request-queue
The Router's Neighbors is
RouterID: 103.160.1.1  Address: 103.169.2.5
Interface: 103.169.2.2  Area: 0.0.0.1
LSID:129.11.25.0 AdvRouter:103.160.1.1 Sequence:80000001 Age:201
LSID:129.11.25.0 AdvRouter:103.160.1.1 Sequence:80000001 Age:201
LSID:129.11.25.0 AdvRouter:103.160.1.1 Sequence:80000001 Age:201

display ospf retrans-queue

Syntax
display ospf retrans-queue

View
Any view

Parameter
None

Description
Using the display ospf retrans-queue command, you can view the information about the OSPF retransmission queue.

Example
View the information about the OSPF retransmission queue.
<3Com> display ospf retrans-queue
OSPF Process 200 with Router ID 103.160.1.1
Retransmit List
The Router's Neighbors is
RouterID: 162.162.162.162  Address: 103.169.2.2
Interface: 103.169.2.5  Area: 0.0.0.1
Retrans list:
Type: ASE LSID:129.11.77.0 AdvRouter:103.160.1.1
Type: ASE LSID:129.11.108.0 AdvRouter:103.160.1.1

display ospf routing

Syntax
display ospf routing

View
Any view

Parameter
None

Description
Using the display ospf routing command, you can view the information about the OSPF routing table.

Example
View the routing table information related to OSPF.
<3Com> display ospf routing
Routing for Network
Destination    Cost  Type  NextHop     AdvRouter   Area
10.110.0.0/16  1     Net   10.110.0.1  10.110.0.1  0
30.110.0.0/16  1     Stub  30.110.0.1  3.3.3.3     0
Total Nets: 2
Intra Area: 2  Inter Area: 0  ASE: 0  NSSA: 0

display ospf vlink

Syntax
display ospf vlink

View
Any view

Parameter
None

Description
Using the display ospf vlink command, you can view the information about OSPF virtual links.

Example
View OSPF virtual links information.
<3Com> display ospf vlink
Virtual-link Neighbor-id -> 1.1.1.1, State: Down
Cost: 0  State: Down  Type: Virtual
Transit Area: 0.0.0.1
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1

filter-policy export

Syntax
filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ]
undo filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ]

View
OSPF view

Parameter
acl-number: Access control list number.
ip-prefix-name: Name of the address prefix list.
routing-protocol: Protocol advertising the routing information, including direct, isis, bgp, rip and static at present.

Description
Using the filter-policy export command, you can configure the rules OSPF uses to filter the routing information it advertises. Using the undo filter-policy export command, you can cancel the filtering rules that have been set.
By default, no filtering of the distributed routing information is performed.
In some cases, it may be required that only the routing information meeting some conditions can be advertised. Then, the filter-policy command can be used to configure the filtering conditions for the routing information to be advertised. Only the routing information that passes the filter can be advertised.
For the related commands, see acl and ip ip-prefix.

Example
Configure OSPF to advertise only the routing information permitted by acl 1.
[3Com] acl number 1
[3Com-acl-basic-1] rule permit source 11.0.0.0 0.255.255.255
[3Com-acl-basic-1] rule deny source any
[3Com-ospf] filter-policy 1 export

filter-policy import

Syntax
filter-policy { acl-number | ip-prefix ip-prefix-name | gateway ip-prefix-name } import
undo filter-policy { acl-number | ip-prefix ip-prefix-name | gateway ip-prefix-name } import

View
OSPF view

Parameter
acl-number: Access control list number used for filtering the destination addresses of the routing information.
ip-prefix-name: Name of the address prefix list used for filtering the destination addresses of the routing information.
gateway ip-prefix-name: Name of the address prefix list used for filtering the addresses of the neighboring routers advertising the routing information.

Description
Using the filter-policy import command, you can configure the rules OSPF uses to filter the routing information it receives. Using the undo filter-policy import command, you can cancel the filtering of the routing information received.
By default, no filtering of the received routing information is performed.
In some cases, it may be required that only the routing information meeting some conditions can be received. Then, the filter-policy command can be used to set the filtering conditions for the routing information to be received. Only the routing information that passes the filter can be received.
Using the filter-policy import command, you can filter the routes calculated by OSPF. Only the routes that pass the filter can be added to the routing table. The filtering can be performed according to the next hop and destination of the route.
Because OSPF is a dynamic routing protocol based on link state, its routing information is carried inside the link state, and this command cannot filter the link state information advertised or received. The command is therefore more limited in OSPF than in a distance vector routing protocol.
If multiple OSPF processes are enabled, this command is valid for the current process only.

Example
Filter the received routing information according to the rule defined by the access control list 2.
[3Com] acl number 2
[3Com-acl-basic-2] rule permit source 20.0.0.0 0.255.255.255
[3Com-acl-basic-2] rule deny source any
[3Com-ospf-1] filter-policy 2 import

import-route

Syntax
import-route protocol [ cost value ] [ type value ] [ tag value ] [ route-policy route-policy-name ]
undo import-route protocol

View
OSPF view

Parameter
protocol: Specifies the source routing protocol that can be imported. At present, it includes direct, rip, bgp, isis, static, ospf, ospf-ase, and ospf-nssa.
ospf process-id: Imports only the internal routes found by OSPF process-id as external routing information. If no process number is specified, the OSPF default process number 1 is used.
ospf-ase process-id: Imports only the ASE external routes found by OSPF process-id as external routing information. If no process number is specified, the OSPF default process number 1 is used.
ospf-nssa process-id: Imports only the NSSA external routes found by OSPF process-id as external routing information. If no process number is specified, the OSPF default process number 1 is used.
route-policy route-policy-name: Imports only the routes matching the specified Route-policy.

Description
Using the import-route command, you can import the routing information of another routing protocol. Using the undo import-route command, you can cancel the imported external routing information.
By default, the routing information of other protocols is not imported.

Example
Specify an imported RIP route as the route of type 2, with the route tag as 33 and the route cost as 50.
[3Com-ospf-1] import-route rip type 2 tag 33 cost 50

Specify OSPF process 100 to import the route found by OSPF 160.
[3Com-ospf-100] import-route ospf 160

network

Syntax
network ip-address wildcard
undo network ip-address wildcard

View
OSPF area view

Parameter
ip-address: Address of the network segment where the interface is located.
wildcard: IP address wildcard mask, which is similar to the reversed form of the IP address mask. When you configure this parameter, you can also type it as an IP address mask, and the VRP system translates it into a wildcard mask.

Description
Using the network command, you can configure the interface running OSPF. Using the undo network command, you can cancel the interface running OSPF.
By default, the interface does not belong to any area.
To run the OSPF protocol on an interface, the master IP address of this interface must be in the range of the network segment specified by this command. If only the slave IP address of the interface is in the range of the network segment specified by this command, this interface will not run the OSPF protocol.
After OSPF multi-instance is configured, different OSPF processes are bound with different VPN instances. The network addresses between different processes can be the same or inclusive. But for the same VPN instance, the network addresses between different OSPF processes cannot be the same or inclusive. Otherwise, the later configured command does not take effect and the following is displayed: Network already set in OSPF process xx. That is, if network 10.1.0.0 0.0.255.255 is enabled in process 100, then network 10.1.0.0 0.0.255.255, network 10.1.1.0 0.0.0.255 or network 10.0.0.0 0.255.255.255 will fail to be enabled in other OSPF processes.
CAUTION: OSPF configuration can only enable the interfaces that belong to the same VPN instance.
After OSPF multi-instance is configured, if different VPN instances are bound to the OSPF processes, the network addresses between different processes can be the same or included. But for the same VPN instance, the network addresses between different OSPF processes cannot be the same or included.
For the related command, see ospf.

Example
Specify the interfaces whose master IP addresses are in the segment range of 10.110.36.0 to run the OSPF protocol and specify the number of the OSPF area (where these interfaces are located) as 6.
[3Com-ospf] area 6
[3Com-ospf-1-area-0.0.0.6] network 10.110.36.0 0.0.0.255

Enable OSPF process 100 on the router and specify the number of the area where the interface is located as 2.
[3Com] router id 10.110.1.9
[3Com] ospf 100
[3Com-ospf-100] area 2
[3Com-ospf-100-area-0.0.0.2] network 131.108.20.0 0.0.0.255

Enable OSPF process 200 on the router and specify the number of the area where the interface is located as 1.
[3Com] ospf 200 vpn-instance vpn1
[3Com-ospf-200] area 1
[3Com-ospf-200-area-0.0.0.1] network 131.108.20.0 0.0.0.255

Enable OSPF process 300 on the router and specify the number of the area where the interface is located as 2.
[3Com] ospf 300 vpn-instance vpn1
[3Com-ospf-300] area 2
[3Com-ospf-300-area-0.0.0.2] network 131.108.20.0 0.0.0.255
Network already set in OSPF process 200
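Added example (not part of the 3Com manual): a Python model of the network command rules described above, covering the mask or wildcard form, the "same or inclusive" conflict between processes of one VPN instance, and the master-address test that decides whether an interface runs OSPF. The class and function names are this example's own, and picking the most specific segment when several match is an assumption.

```python
import ipaddress


def segment(address, wildcard):
    """Network segment named by `network ip-address wildcard`.

    ipaddress accepts the second field as a wildcard (0.0.0.255) or as a mask
    (255.255.255.0), which mirrors the page's note that a mask is translated
    to a wildcard. 0.0.0.0 and 255.255.255.255 are ambiguous between the two
    forms; ipaddress reads them as masks.
    """
    return ipaddress.ip_network(f"{address}/{wildcard}", strict=False)


class OspfNetworks:
    """Tracks network statements across OSPF processes on one router."""

    def __init__(self):
        self.entries = []  # (vpn_instance, process_id, area, IPv4Network)

    def add(self, process_id, area, address, wildcard, vpn_instance=None):
        """Return None if accepted, or the router's rejection message."""
        net = segment(address, wildcard)
        for vpn, pid, _area, existing in self.entries:
            # Same VPN instance, different process, and one segment equals or
            # contains the other: the later command is refused.
            if vpn == vpn_instance and pid != process_id and net.overlaps(existing):
                return f"Network already set in OSPF process {pid}"
        self.entries.append((vpn_instance, process_id, area, net))
        return None

    def lookup(self, master_ip, vpn_instance=None):
        """Return (process_id, area) for an interface's master IP address.

        Only the master address is tested; slave addresses never enable OSPF.
        Returns None when no segment covers the address.
        """
        addr = ipaddress.ip_address(master_ip)
        matches = [
            (net.prefixlen, pid, area)
            for vpn, pid, area, net in self.entries
            if vpn == vpn_instance and addr in net
        ]
        if not matches:
            return None
        _prefixlen, pid, area = max(matches)  # most specific segment (assumption)
        return pid, area


if __name__ == "__main__":
    table = OspfNetworks()
    # The three processes from the examples above.
    for pid, area, vpn in [(100, 2, None), (200, 1, "vpn1"), (300, 2, "vpn1")]:
        result = table.add(pid, area, "131.108.20.0", "0.0.0.255", vpn)
        print(f"ospf {pid} vpn={vpn}: {result or 'accepted'}")
```

Running the same check over a planned configuration before it is applied shows which network statements would be refused and which interfaces would start sending OSPF packets.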

nssa

Syntax
nssa [ default-route-advertise ] [ no-import-route ] [ no-summary ]
undo nssa

View
OSPF area view

Parameter
default-route-advertise: Only available for the NSSA ABR or ASBR. When the parameter is used on an NSSA ABR, Type-7 LSAs are generated for the default route regardless of whether the default route 0.0.0.0 exists in the routing table. When the parameter is used on an NSSA ASBR, Type-7 LSAs are generated for the default route only if the default route 0.0.0.0 exists in the routing table.
no-import-route: Forbids AS external routes from being imported into the NSSA as Type-7 LSAs. This parameter is available for the NSSA ABR and for the ASBR in the OSPF AS, to ensure all external route information is imported into the OSPF areas.
no-summary: Only available for the NSSA ABR. When the parameter is selected, the NSSA ABR advertises a default route via the Summary-LSAs (Type-3) in the area, but no other Summary-LSAs to other areas.

Description
Using the nssa command, you can configure an area as an NSSA area. Using the undo nssa command, you can cancel the function.
By default, the NSSA area is not configured.
The nssa command must be used on all the routers in the NSSA area to configure the area as NSSA.

Example
Configure area 1 as NSSA.
[3Com-ospf-1] area 1
[3Com-ospf-1-area-0.0.0.1] network 10.110.0.0 0.255.255.255
[3Com-ospf-1-area-0.0.0.1] nssa

opaque-capability

Syntax
opaque-capability enable
undo opaque-capability

View
OSPF view

Parameter
None

Description
Using the opaque-capability enable command, you can enable the Opaque capability of OSPF. Using the undo opaque-capability command, you can disable the Opaque capability of OSPF.
CAUTION: By default, Opaque capability of OSPF is enabled. If an application based on Opaque LSA is enabled, for example, the area TE capability is enabled, the Opaque capability cannot be disabled.

Example
Enable Opaque capability.
[3Com-ospf-100] opaque-capability enable

ospf

Syntax
ospf [ process-id ]
undo ospf [ process-id ]

View
System view

Parameter
process-id: Number of the OSPF process. If no process number is specified, the default number 1 is used.

Description
Using the ospf command, you can enable the OSPF protocol. Using the undo ospf command, you can disable the OSPF protocol.
After enabling the OSPF protocol, the user can make the corresponding configuration in OSPF view.
By default, the system does not run the OSPF protocol.
VRP supports OSPF multi-process. Multiple OSPF processes can be enabled by specifying different process numbers on a router.
It is suggested that the user specify the router-id with the router-id parameter when enabling OSPF. Different router-ids should be specified for different processes if multiple processes are enabled on the router.
For the related command, see network.

Example
Enable the running of the OSPF protocol.
[3Com] router id 10.110.1.8
[3Com] ospf

Enable OSPF process 120 to run OSPF.
[3Com] router id 10.110.1.8
[3Com] ospf 120
[3Com-ospf-120]

ospf authentication-mode

Syntax
ospf authentication-mode { simple password | md5 key-id key }
undo ospf authentication-mode { simple | md5 }

View
Interface view

Parameter
simple password: Simple text authentication, using a character string not exceeding 8 characters.
key-id: ID of the authentication key in MD5 cipher text authentication mode, in the range from 1 to 255.
key: MD5 authentication key. If it is input in simple form, the MD5 key is a character string of 1 to 16 characters. It is displayed in cipher text form with a length of 24 characters when the display current-configuration command is executed. Inputting the 24-character MD5 key in cipher text form is also supported.

Description
Using the ospf authentication-mode command, you can configure the authentication mode and key between adjacent routers. Using the undo ospf authentication-mode command, you can cancel the authentication key that has been set.
By default, the interface does not authenticate the OSPF packets.
The passwords for authentication keys of the routers on the same network segment must be identical. In addition, use the authentication-mode command to set the authentication type of the area so that the authentication key configuration takes effect.
For the related command, see authentication-mode.

Example
Set area 1, where the network segment 131.119.0.0 of interface serial1/0/0 is located, to support MD5 cipher text authentication. The authentication key identifier is set to 15 and the authentication key is 3Com.
[3Com-ospf-1] area 1
[3Com-ospf-1-area-0.0.0.1] network 131.119.0.0 0.0.255.255
[3Com-ospf-1-area-0.0.0.1] authentication-mode md5
[3Com-ospf-1-area-0.0.0.1] interface serial 1/0/0
[3Com-Serial1/0/0] ospf authentication-mode md5 15 3Com
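Added example (not part of the 3Com manual): a Python audit that reads a saved configuration and reports OSPF interfaces left on the default of no authentication, interfaces using simple authentication, MD5 settings outside the ranges given above, and interface keys whose area has no matching authentication-mode. The configuration text is constructed sample data; its block layout ("#" separators, indented lines, area lines under the ospf block) and the "sub" keyword for slave addresses are assumptions about how the configuration is displayed.

```python
import ipaddress


def parse_config(text):
    """Collect per-interface and per-area settings from configuration text."""
    interfaces, areas = {}, {}
    iface = area = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            iface = area = None                      # block separator
        elif words[0] == "interface" and len(words) >= 2:
            iface = interfaces.setdefault(words[1], {"ip": None, "auth": None})
            area = None
        elif words[0] == "area" and len(words) >= 2:
            area = areas.setdefault(words[1], {"networks": [], "auth": None})
            iface = None
        elif iface is not None and words[:2] == ["ip", "address"] and len(words) >= 4:
            if "sub" not in words:                   # master address only
                iface["ip"] = ipaddress.ip_address(words[2])
        elif iface is not None and words[:2] == ["ospf", "authentication-mode"]:
            iface["auth"] = words[2:]
        elif area is not None and words[0] == "network" and len(words) == 3:
            area["networks"].append(
                ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
        elif area is not None and words[0] == "authentication-mode" and len(words) >= 2:
            area["auth"] = words[1]
    return interfaces, areas


def check_md5(args):
    """Validate `md5 key-id key` against the ranges in the parameter list."""
    if len(args) != 2 or not args[0].isdigit() or not 1 <= int(args[0]) <= 255:
        return "md5 key-id outside 1-255"
    if not (1 <= len(args[1]) <= 16 or len(args[1]) == 24):
        return "md5 key is neither 1-16 characters nor a 24-character cipher"
    return None


def audit(text):
    """Return [(interface, finding), ...] for interfaces that run OSPF."""
    interfaces, areas = parse_config(text)
    findings = []
    for name, iface in interfaces.items():
        area_id = next(
            (aid for aid, a in areas.items()
             if iface["ip"] and any(iface["ip"] in n for n in a["networks"])),
            None)
        if area_id is None:
            continue        # master address in no network segment: no OSPF here
        mode = iface["auth"][0] if iface["auth"] else None
        if mode is None:
            findings.append((name, "no OSPF authentication (default)"))
            continue
        if mode == "simple":
            findings.append((name, "simple text authentication"))
        elif mode == "md5":
            problem = check_md5(iface["auth"][1:])
            if problem:
                findings.append((name, problem))
        if areas[area_id]["auth"] != mode:
            findings.append((name, f"area {area_id} has no authentication-mode {mode}"))
    return findings


# Constructed configuration excerpt (not taken from a real router).
SAMPLE_CONFIG = """\
#
interface Serial1/0/0
 ip address 131.119.1.1 255.255.0.0
 ospf authentication-mode md5 15 3Com
#
interface Ethernet1/0/0
 ip address 10.110.36.1 255.255.255.0
 ospf authentication-mode simple secret
#
interface Ethernet2/0/0
 ip address 10.120.0.2 255.255.0.0
#
interface Ethernet3/0/0
 ip address 192.168.5.1 255.255.255.0
#
ospf 1
 area 0.0.0.1
  network 131.119.0.0 0.0.255.255
  authentication-mode md5
 area 0.0.0.6
  network 10.110.36.0 0.0.0.255
 area 0.0.0.0
  network 10.120.0.0 0.0.255.255
#
"""

if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```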

ospf cost

Syntax
ospf cost value
undo ospf cost

View
Interface view

Parameter
value: Cost for running OSPF protocol, ranging from 1 to 65535.

Description
Using the ospf cost command, you can configure the cost of sending packets on an interface, so that different interfaces can have different costs. Using the undo ospf cost command, you can restore the default costs.
By default, the interface automatically calculates the costs required for running OSPF protocol according to the current Baud rate.

Example
Specify the cost spent when an interface runs OSPF as 33.
[3Com] interface serial1/0/0
[3Com-Serial1/0/0] ospf cost 33

ospf dr-priority

Syntax
ospf dr-priority value
undo ospf dr-priority

View
Interface view

Parameter
value: Interface priority for electing the "designated router", ranging from 0 to 255. By default, the value is 1.

Description
Using the ospf dr-priority command, you can configure the priority for electing the "designated router" on an interface. Using the undo ospf dr-priority command, you can restore the default value.
Interface priority determines the interface qualification when electing the "designated router". The interface with high priority is considered first when there is a collision in the election.

Example
Set the priority of the interface Ethernet1/0/0 to 8 for electing the DR.
[3Com] interface Ethernet1/0/0
[3Com-Ethernet1/0/0] ospf dr-priority 8

ospf mib-binding

Syntax
ospf mib-binding process-id
undo ospf mib-binding

View
System view

Parameter
process-id: Number of OSPF process.

Description
Using the ospf mib-binding command, MIB operation can be bound on the specified OSPF process. Using the undo ospf mib-binding command, you can restore the default configuration.
MIB operation is always bound on the first process enabled by OSPF protocol. Using this command, MIB operation can be bound on other OSPF processes. Using the undo ospf mib-binding command, you can cancel the binding configuration. MIB operation is then rebound automatically by OSPF protocol on the first enabled process.
By default, MIB operation is bound on the first enabled OSPF process.

Example
Bind MIB operation on OSPF process 100.
[3Com] ospf mib-binding 100

Cancel MIB operation binding.
[3Com] undo ospf mib-binding

ospf mtu-enable

Syntax
ospf mtu-enable
undo ospf mtu-enable

View
Interface view

Parameter
None

Description
Using the ospf mtu-enable command, you can enable the interface to write the MTU value when sending DD packets. Using the undo ospf mtu-enable command, you can restore the default settings.
By default, the MTU value is 0 when sending DD packets, i.e. the actual MTU value of the interface is not written.
Database Description packets (DD packets) are used by a router running the OSPF protocol to describe its own LSDB when it is synchronizing the database.
The default MTU value of a DD packet is 0. With this command, the specified interface can be set manually to write the MTU value area in DD packets when sending DD packets, i.e. the actual MTU value of the interface is written in.

Example
Set interface Ethernet1/0/0 to write the MTU value area when sending DD packets.
[3Com] interface Ethernet1/0/0
[3Com-Ethernet1/0/0] ospf mtu-enable

ospf network-type

Syntax
ospf network-type { broadcast | nbma | p2mp | p2p }
undo ospf network-type

View
Interface view

Parameter
broadcast: Changes the interface network type to broadcast.
nbma: Changes the interface network type to Non-Broadcast Multi-Access.
p2mp: Changes the interface network type to point-to-multipoint.
p2p: Changes the interface network type to point-to-point.

Description
Using the ospf network-type command, you can configure the network type of the OSPF interface. Using the undo ospf network-type command, you can restore the default network type of the OSPF interface.
OSPF divides networks into four types by link layer protocol:

Broadcast: If Ethernet is adopted, OSPF defaults the network type to broadcast.
Non-Broadcast Multi-access (nbma): If Frame Relay, ATM, HDLC or X.25 is adopted, OSPF defaults the network type to NBMA.
Point-to-Multipoint (p2mp): OSPF will not default the network type of any link layer protocol to p2mp. The general practice is to change a partially connected NBMA network to a p2mp network if the NBMA network is not fully meshed.
Point-to-point (p2p): If PPP or LAPB is adopted, OSPF defaults the network type to p2p.

If there is a router not supporting multicast addresses on the broadcast network, the interface network type can be changed to NBMA. The interface network type can also be changed from NBMA to broadcast.
A network that can be called an NBMA network or can be changed to a broadcast network should satisfy the following condition: there is a virtual circuit directly connecting any two routers on the network. In other words, the network is fully meshed. If the network cannot satisfy this condition, the interface network type must be changed to point-to-multipoint. In this way, two routers that are not directly connected can exchange routing information via a router directly connected with both of them.
If there are only two routers running OSPF protocol on the same network segment, the interface network type can be changed to point-to-point.
Note: When the network type of an interface is NBMA or it is changed to NBMA manually, the peer command must be used to configure the neighboring point.
For the related command, see ospf dr-priority.

Example
Set the interface serial1/0/0 to NBMA type.
[3Com] interface serial1/0/0
[3Com-serial1/0/0] ospf network-type nbma

ospf timer dead

Syntax
ospf timer dead seconds
undo ospf timer dead

View
Interface view

Parameter
seconds: Dead interval of the OSPF neighbor. It is in seconds and ranges from 1 to 65535.

Description
Using the ospf timer dead command, you can configure the dead interval of the OSPF neighbor. Using the undo ospf timer dead command, you can restore the default value of the dead interval of the neighbor.
By default, the dead interval for the OSPF neighbors of p2p and broadcast interfaces is 40 seconds, and for those of p2mp and nbma interfaces is 120 seconds.
The dead interval of OSPF neighbors means that if no Hello message is received from the neighbor within this interval, the neighbor will be considered to be invalid. The value of dead seconds should be at least 4 times that of the Hello seconds. The dead seconds for the routers on the same network segment must be identical.
For the related command, see ospf timer hello.

Example
Set the neighbor dead interval on the interface serial1/0/0 to 80 seconds.
[3Com] interface serial1/0/0
[3Com-serial1/0/0] ospf timer dead 80

ospf timer hello

Syntax
ospf timer hello seconds
undo ospf timer hello

View
Interface view

Parameter
seconds: Interval in seconds for an interface to transmit Hello messages. It ranges from 1 to 255.

Description
Using the ospf timer hello command, you can configure the interval for transmitting Hello messages on an interface. Using the undo ospf timer hello command, you can restore the default value.
By default, the interval is 10 seconds for an interface of p2p or broadcast type to transmit Hello messages, and 30 seconds for an interface of nbma or p2mp type.
For the related command, see ospf timer dead.

Example
Configure the interval of transmitting Hello packets on the interface serial1/0/0 to 20 seconds.
[3Com] interface serial1/0/0
[3Com-serial1/0/0] ospf timer hello 20

ospf timer poll

Syntax
ospf timer poll seconds
undo ospf timer poll

View
Interface view

Parameter
seconds: Specifies the poll Hello message interval, ranging from 1 to 65535 and measured in seconds. By default, the value is 120 seconds.

Description
Using the ospf timer poll command, you can configure the poll Hello message interval on nbma and p2mp networks. Using the undo ospf timer poll command, you can restore the default value.
On nbma and p2mp networks, if a neighbor is invalid, the Hello message will be transmitted regularly according to the poll seconds. You can configure the poll seconds to specify how often the interface transmits Hello messages before it establishes adjacency with the adjacent router. The value of poll seconds should be no less than 3 times that of Hello seconds.

Example
Configure interface serial2/0/0 to transmit the poll Hello message every 130 seconds.
[3Com-serial2/0/0] ospf timer poll 130

ospf timer retransmit

Syntax
ospf timer retransmit interval
undo ospf timer retransmit

View
Interface view

Parameter
interval: Interval in seconds for re-transmitting LSA on an interface. It ranges from 1 to 65535. The default value is 5 seconds.

Description
Using the ospf timer retransmit command, you can configure the interval for LSA re-transmitting on an interface. Using the undo ospf timer retransmit command, you can restore the default interval value for LSA re-transmitting on the interface.
If a router running OSPF transmits a "link state advertisement" (LSA) to the peer, it needs to wait for the acknowledgement packet from the peer. If no acknowledgement is received from the peer within the LSA retransmission interval, this LSA will be re-transmitted. According to RFC2328, the LSA retransmission interval between adjacent routers should not be set too short. Otherwise, unexpected retransmission will be caused.

Example
Specify the retransmission interval for LSA transmitting between the interface serial1/0/0 and the adjacent routers as 12 seconds.
[3Com] interface serial1/0/0
[3Com-serial1/0/0] ospf timer retransmit 12

ospf trans-delay

Syntax
ospf trans-delay seconds
undo ospf trans-delay

View
Interface view

Parameter
seconds: Transmitting delay of LSA on an interface. It is in seconds and ranges from 1 to 3600. By default, the value is 1 second.

Description
Using the ospf trans-delay command, you can configure the LSA transmitting delay on an interface. Using the undo ospf trans-delay command, you can restore the default value of the LSA transmitting delay on an interface.
An LSA ages in the "link state database" (LSDB) of the router as time goes by (its age increases by 1 every second), but it does not age during network transmission. Therefore, it is necessary to add the period of time set by this command to the aging time of the LSA before transmitting it.

Example
Specify the trans-delay of transmitting LSA on the interface serial1/0/0 as 3 seconds.
[3Com] interface serial1/0/0
[3Com-serial1/0/0] ospf trans-delay 3

peer

Syntax
peer ip-address [ dr-priority dr-priority-number ]
undo peer ip-address

View
OSPF view

Parameter
ip-address: IP address of the neighboring point.
dr-priority-number: Represents the corresponding value of the network neighbor priority, being an integer ranging from 0 to 255. The default value is 1.

Description
Using the peer command, you can configure the IP address of adjacent routers and specify a DR priority on an NBMA network. Using the undo peer command, you can cancel the configuration.
On the frame relay network, a full-meshed network (i.e. there is a VC directly connecting any two routers on the network) can be implemented by configuring map. Thus OSPF can perform in the same way in the frame relay network as in the broadcast network (such as electing DR and BDR). However, the IP address of adjacent routers and their election rights must be configured manually for the interface because adjacent routers cannot be found dynamically by advertising Hello messages.

Example
Configure the IP address of peer router as 10.1.1.1.
[3Com-ospf-1] peer 10.1.1.1

preference

Syntax
preference [ ase ] value
undo preference [ ase ]

View
OSPF view

Parameter
value: OSPF protocol route preference, ranging from 1 to 255.
ase: Preference of an imported external route of the AS.

Description
Using the preference command, you can configure the preference of an OSPF protocol route. Using the undo preference command, you can restore the default value of the OSPF protocol route.
By default, the preference of an OSPF protocol internal route is 10 and the preference of an external route is 150.
Because multiple dynamic routing protocols could be running on a router, the problem arises of sharing routing information among the protocols and selecting among their routes. Therefore, a default preference is specified for each routing protocol. When multiple routes to the same destination are found by different routing protocols, the route found by the high-preference routing protocol will be selected to forward IP packets.

Example
Specify the preference of an external imported route of the AS as 160.
[3Com-ospf-1] preference ase 160

reset ospf

Syntax
reset ospf [ statistics ] { all | process-id }

View
User view

Parameter
statistics: Resets statistics of the OSPF process.
process-id: OSPF process number. If no OSPF process number is specified, all the OSPF processes should be reset.
all: Resets all the OSPF processes.

Description
Using the reset ospf all command, you can reset all the OSPF processes. The reset ospf process-id command can be used to reset the specified process and clear statistics data. Use the statistics parameter to reset statistics about OSPF.
When the reset ospf command is used to reset the OSPF process, the following results are expected:
- Clear invalid LSA immediately without waiting for LSA timeout.
- If the Router ID changes, a new Router ID will take effect by executing the command.
- Re-elect DR and BDR conveniently.
- OSPF configuration will not be lost if the system is restarted.
- Delete the original OSPF routes.
- After OSPF process is restarted, new routes and LSA will be generated correspondingly and LSA will be advertised.
The system will require the user to confirm whether to re-enable the OSPF protocol after execution of the command.

Example
Reset all the OSPF processes.
<3Com> reset ospf all

Reset the OSPF process 200
<3Com> reset ospf 200

router id

Syntax
router id router-id
undo router id

View
System view

Parameter
router-id: Router ID that is a 32-bit unsigned integer.

Description
Using the router id command, you can configure the ID of a router running the OSPF protocol. Using the undo router id command, you can cancel the router ID that has been configured.
By default, no router ID is configured.
Router ID is a 32-bit unsigned integer that uniquely identifies a router in an OSPF autonomous system. If the router ID specified, the configurations of OSPF can not be set. When the router ID is configured manually, the IDs of any two routers cannot be identical in the autonomous system. So the IP address of one of the router's interfaces may be selected as the ID of this router.
The modified router ID will not be valid unless OSPF is re-enabled.
For the related command, see ospf.

Example
Set the router ID to 10.1.1.3.
[3Com] router id 10.1.1.3

silent-interface

Syntax
silent-interface interface-type interface-number
undo silent-interface interface-type interface-number

View
OSPF view

Parameter
interface-type: Specifies the interface type.
interface-number: Specifies the interface number.

Description
Using the silent-interface command, you can disable an interface from transmitting OSPF packets. Using the undo silent-interface command, you can restore the default setting.
By default, the interface is enabled to transmit OSPF packets.
You can use this command to disable an interface from transmitting OSPF packets, so as to prevent the routers on some network from receiving the OSPF routing information. Different processes can disable the same interface from transmitting OSPF packets. However, the silent-interface command only takes effect on the interfaces enabled with OSPF by this process, and is invalid for the interfaces enabled by other processes.

Example
Disable interface serial2/0/0 from transmitting OSPF packets.
[3Com-ospf-1] silent-interface serial2/0/0

Disable interface Ethernet2/0/0 from transmitting OSPF packets in both OSPF process 100 and OSPF process 200.
[3Com] router id 10.110.1.9
[3Com] ospf 100
[3Com-ospf-100] silent-interface ethernet 2/0/0
[3Com-ospf-100] quit
[3Com] router id 20.18.0.7
[3Com] ospf 200
[3Com-ospf-200] silent-interface ethernet 2/0/0

snmp-agent trap enable ospf

Syntax
snmp-agent trap enable ospf [ process-id ] [ trap-type ]
undo snmp-agent trap enable ospf [ trap-type ]

View
System view

Parameter
process-id: OSPF process number. If no OSPF process number is specified, this command is valid for all the current OSPF processes.
trap-type: Type of SNMP TRAP packet transmitted by OSPF. It can be any keyword in the following table.

Table 3 SNMP TRAP type keywords
keyword                 description
ifauthfail              Enables the InterfaceAuthenticationFailure trap packets
ifcfgerror              Enables the InterfaceConfigError trap packets
ifrxbadpkt              Enables the InterfaceRecieveBadPacket trap packets
ifstatechange           Enables the InterfaceStateChange trap packets
iftxretransmit          Enables the InterfaceTxRetransmitPacket trap packets
lsdbapproachoverflow    Enables the LsdbApproachOverflow trap packets
lsdboverflow            Enables the LsdbOverflow trap packets
maxagelsa               Enables the MaxAgeLsa trap packets
nbrstatechange          Enables the NeighborStateChange trap packets
originatelsa            Enables the OriginateLsa trap packets
virifauthfail           Enables the VirtualInterfaceAuthenticationFailure trap packets
virifcfgerror           Enables the VirtualInterfaceConfigError trap packets
virifrxbadpkt           Enables the VirtualInterfaceRecieveBadPacket trap packets
virifstatechange        Enables the VirtualInterfaceStateChange trap packets
viriftxretransmit       Enables the VirtualInterfaceTxRetransmitPacket trap packets
virnbrstatechange       Enables the VirtualNeighborStateChange trap packets

Description
Using the snmp-agent trap enable ospf command, you can enable the TRAP function of OSPF. Using the undo snmp-agent trap enable ospf command, you can disable the TRAP function.
This command takes no effect on the OSPF process enabled after its execution.
By default, no OSPF process is enabled to transmit TRAP packets.
For detailed configuration of SNMP TRAP, refer to “system management” section in this manual.

Example
Enable TRAP function of OSPF process 100.
<3Com> snmp-agent trap enable ospf 100

spf-schedule-interval

Syntax
spf-schedule-interval interval
undo spf-schedule-interval

View
OSPF view

Parameter
interval: SPF calculation interval of OSPF, in seconds, in the range of 1 to 10. The default value is 5 seconds.

Description
Using the spf-schedule-interval command, you can configure the route calculation interval of OSPF. Using the undo spf-schedule-interval command, you can restore the default setting.
According to the Link State Database (LSDB), the router running OSPF can calculate the shortest path tree taking itself as the root and determine the next hop to the destination network according to the shortest path tree. Adjusting the SPF calculation interval restrains the recalculation caused by frequent network changes, which would otherwise use too many bandwidth resources and router resources.

Example
Set the OSPF route calculation interval of 3Com to 6 seconds.
[3Com-ospf-1] spf-schedule-interval 6

stub

Syntax
stub [ no-summary ]
undo stub

View
OSPF area view

Parameter
no-summary: Only available for the ABR in a Stub area. When this parameter is selected, the ABR only advertises the Summary-LSA for the default route, but no other Summary-LSAs. Such an area is also called a totally stub area.

Description
Using the stub command, you can configure the type of an OSPF area as the STUB area. Using the undo stub command, you can cancel the settings.
By default, no area is set to be the STUB area.
All the routers in a Stub area must be configured with the corresponding attribute.
For the related command, see default-cost.

Example
Set the type of OSPF area 1 to the STUB area.
[3Com-ospf] area 1
[3Com-ospf-area-0.0.0.1] stub

vlink-peer

Syntax
vlink-peer router-id [ hello seconds ] [ retransmit seconds ] [ trans-delay seconds ] [ dead seconds ] [ simple password | md5 keyid key ]
undo vlink-peer router-id

View
OSPF area view

Parameter
router-id: Router ID of virtual link neighbor.
hello seconds: Interval at which the router transmits hello messages. It ranges from 1 to 8192 seconds. This value must equal the hello seconds value of the router virtually linked to the interface. By default, the value is 10 seconds.
retransmit seconds: Specifies the interval for re-transmitting the LSA packets on an interface. It ranges from 1 to 8192 seconds. By default, the value is 5 seconds.
trans-delay seconds: Specifies the interval for delaying transmitting LSA packets on an interface. It ranges from 1 to 8192 seconds. By default, the value is 1 second.
dead seconds: Specifies the interval of death timer. It ranges from 1 to 8192 seconds. This value must equal the dead seconds of the router virtually linked to it and must be at least 4 times the hello seconds. By default, the value is 40 seconds.
simple password: Specifies the simple text authentication key, not exceeding 8 characters, of the interface. This value must equal the authentication key of the virtually linked neighbor.
keyid: Specifies the MD5 authentication key ID. Its value ranges from 1 to 255. It must be equal to the authentication key ID of the virtually linked neighbor.
key: Specifies the authentication key on an interface. It is a character string not exceeding 16 characters. This value must equal the authentication key of the virtually linked neighbor. The key is displayed in cipher text form, 24 characters long, when the display current-configuration command is executed. Inputting the key in cipher text form, 24 characters long, is also supported.

Description
Using the vlink-peer command, you can create and configure a virtual link. Using the undo vlink-peer command, you can cancel an existing virtual link.
According to RFC2328, the OSPF area should be connected with the backbone network. You can use the vlink-peer command to keep the connectivity. A virtual link can to some extent be regarded as a common OSPF-enabled interface, which makes it easy to understand how to configure parameters such as hello, retransmit, and trans-delay on it.
Note that when configuring virtual link authentication, the authentication-mode command is used to set the authentication mode as MD5 cipher text or simple text on the backbone network.
For the related commands, see authentication-mode and display ospf.

Example
Create a virtual link to 10.110.0.3 and use the MD5 cipher text authentication mode.
[3Com-ospf] area 10.0.0.0
[3Com-ospf-area-10.0.0.0] vlink-peer 10.110.0.3 md5 3 345
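
The timer relations and key limits stated for ospf timer poll and vlink-peer can be checked before a configuration is pushed to a router. The Python below is an added example, not 3Com code: the function names and finding codes are made up for illustration, the limits are the ones given in this section, and the remark on simple text authentication follows RFC 2328 Appendix D.

```python
# Added example (not 3Com code): audit vlink-peer and poll/hello settings
# against the limits stated in this section. All names are illustrative.

VLINK_DEFAULTS = {"hello": 10, "retransmit": 5, "trans-delay": 1, "dead": 40}


def parse_vlink_peer(line):
    """Parse: vlink-peer router-id [hello s] [retransmit s] [trans-delay s]
    [dead s] [simple password | md5 keyid key]"""
    tok = line.split()
    if len(tok) < 2 or tok[0] != "vlink-peer":
        raise ValueError("not a vlink-peer command")
    cfg = dict(VLINK_DEFAULTS, router_id=tok[1], auth=None)
    i = 2
    try:
        while i < len(tok):
            kw = tok[i]
            if kw in VLINK_DEFAULTS:
                cfg[kw] = int(tok[i + 1])
                i += 2
            elif kw == "simple":
                cfg["auth"] = ("simple", tok[i + 1])
                i += 2
            elif kw == "md5":
                cfg["auth"] = ("md5", int(tok[i + 1]), tok[i + 2])
                i += 3
            else:
                raise ValueError("unexpected keyword: " + kw)
    except IndexError:
        raise ValueError("missing value after " + tok[i])
    return cfg


def audit_vlink_peer(cfg):
    """Return a list of (code, message) findings; empty means nothing found."""
    findings = []
    for name in VLINK_DEFAULTS:
        if not 1 <= cfg[name] <= 8192:
            findings.append(("RANGE", f"{name} {cfg[name]} outside 1-8192"))
    if cfg["dead"] < 4 * cfg["hello"]:
        findings.append(("DEAD_LT_4X_HELLO",
                         f"dead {cfg['dead']} < 4 x hello {cfg['hello']}"))
    auth = cfg["auth"]
    if auth is None:
        findings.append(("NO_KEY", "no authentication key on the virtual link"))
    elif auth[0] == "simple":
        # Simple text authentication carries the key unencrypted in each
        # OSPF packet (RFC 2328 Appendix D); md5 is the other mode offered.
        findings.append(("CLEARTEXT_AUTH", "simple text key is sent in clear"))
        if len(auth[1]) > 8:
            findings.append(("KEY_LEN", "simple password exceeds 8 characters"))
    else:
        _, keyid, key = auth
        if not 1 <= keyid <= 255:
            findings.append(("KEYID_RANGE", f"keyid {keyid} outside 1-255"))
        # Plain key: up to 16 characters; cipher text form: exactly 24.
        if len(key) > 16 and len(key) != 24:
            findings.append(("KEY_LEN", "md5 key is neither <=16 nor 24 chars"))
    return findings


def audit_poll(hello, poll):
    """Check an interface's hello/poll pair (ospf timer hello / poll)."""
    findings = []
    if not 1 <= hello <= 255:
        findings.append(("RANGE", f"hello {hello} outside 1-255"))
    if not 1 <= poll <= 65535:
        findings.append(("RANGE", f"poll {poll} outside 1-65535"))
    if poll < 3 * hello:
        findings.append(("POLL_LT_3X_HELLO", f"poll {poll} < 3 x hello {hello}"))
    return findings


def codes(findings):
    return [code for code, _ in findings]


if __name__ == "__main__":
    # The first line is the page's example; the others are constructed.
    samples = [
        "vlink-peer 10.110.0.3 md5 3 345",
        "vlink-peer 10.110.0.3 hello 20 dead 60 simple longpassword",
        "vlink-peer 10.110.0.3",
    ]
    for s in samples:
        print(s, "->", codes(audit_vlink_peer(parse_vlink_peer(s))) or "ok")
    print("hello 30, poll 130 ->", codes(audit_poll(30, 130)) or "ok")
```

Both ends of a virtual link must pass the same checks with the same hello, dead and key values, since the section requires them to be equal on the two routers.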

BGP Configuration Commands

For the commands defining routing policies in BGP, refer to the "IP Routing Policy Configuration Commands" of the next chapter. For the configuration examples and parameter explanation of VPNv4 and VPN instance in BGP, refer to the "Multicast" module and "MPLS" module of this manual.

aggregate

Syntax
aggregate address mask [ as-set ] [ detail-suppressed ] [ suppress-policy route-policy-name ] [ origin-policy route-policy-name ] [ attribute-policy route-policy-name ]
undo aggregate address mask [ as-set ] [ detail-suppressed ] [ suppress-policy route-policy-name ] [ origin-policy route-policy-name ] [ attribute-policy route-policy-name ]

View
BGP view

Parameter
address: Address of the aggregated route, in dotted decimal notation.
mask: Network mask of the aggregated route, in dotted decimal notation.
as-set: Creates a route with AS segment.
detail-suppressed: Only advertise the aggregated route.
suppress-policy route-policy-name: Suppresses the specific route selected, some of which are not advertised.
origin-policy route-policy-name: Selects the originating routes used for aggregation.
attribute-policy route-policy-name: Sets the attributes of the aggregated route.

Description
Using the aggregate command, you can establish an aggregated record in the BGP routing table. Using the undo aggregate command, you can cancel the function.
By default, there is no route aggregation.
The keywords are explained as follows:

Table 4 Functions of the keywords
Keywords: as-set
Function: Used to create an aggregated route, whose AS path information includes detailed routes. Use this keyword carefully when many AS paths need to be aggregated, for the frequent change of routes may lead to route vibration.

Keywords: detail-suppressed
Function: This keyword does not establish any aggregated route, but it restrains the advertisement of all the specific routes. If only some specific routes are to be restrained, use the peer filter-policy command carefully.

Keywords: suppress-policy
Function: Create an aggregated route with this keyword, at the same time, the advertisement of the specified route is restrained. If you want to restrain some specific routes selectively and leaves other routes still being advertised, use the if-match clause of the route-policy command.

Keywords: origin-policy
Function: Select only the specific routes that are in accordance with route-policy to create an aggregated route.

Keywords: attribute-policy
Function: Set aggregated route attributes. The same work can be done by using peer route-policy, etc.

Example
Establish an aggregated record in the BGP routing table.
[3Com-bgp] aggregate 192.213.0.0 255.255.0.0

balance

Syntax
balance num
undo balance

View
BGP view

Parameter
num: Number of BGP load sharing routes. Their ranges are defined according to the router types. You can get prompt information by inputting “?” at its location to confirm the current product range. When num is 1, it indicates there is no route to perform load sharing.

Description
Using the balance command, you can configure the number of routes performing BGP load sharing. Using the undo balance command, you can restore the default value.
By default, no load sharing is performed.
Different from IGP protocol, there is no specific indication for BGP to perform load sharing. The load sharing of BGP is implemented by changing its routing rules.
For the related command, see display ip routing-table.

Example
Configure 2 routes to perform load sharing.
[3Com] bgp 100
[3Com-bgp] balance 2

bgp

Syntax
bgp as-number
undo bgp [ as-number ]

View
System view

Parameter
as-number: Specifies local AS number, ranging from 1 to 65535.

Description
Using the bgp command, you can enable BGP and enter the BGP view. Using the undo bgp command, you can disable BGP.
By default, BGP is not enabled.
This command is used to enable and disable BGP as well as to specify the local AS number of BGP.

Example
Enable BGP.
[3Com] bgp 100
[3Com-bgp]

compare-different-as-med

Syntax
compare-different-as-med
undo compare-different-as-med

View
BGP unicast view, BGP multicast view, VPNv4 view

Parameter
None

Description
Using the compare-different-as-med command, you can enable comparison of MED values from different AS neighboring routes when determining the best route. Using the undo compare-different-as-med command, you can disable the comparison.
By default, comparison of the MED attribute values from the routing paths of different AS peers is disabled.
If there are several routes available to one destination address, the route with the smaller MED parameter can be selected as the final route item.
Using this command is not recommended unless you can make sure that the ASs adopt the same IGP and routing method.

Example
Enable the comparison of the MED attribute values from different AS neighboring route paths.
[3Com-bgp] compare-different-as-med

confederation id

Syntax
confederation id as-number
undo confederation id

View
BGP view

Parameter
as-number: Number of the AS which contains multiple sub-ASs. The range is from 1 to 65535.

Description
Using the confederation id command, you can configure confederation identifier. Using the undo confederation id command, you can cancel the BGP confederation specified by parameter as-number.
By default, the confederation ID is not configured.
Confederation can be adopted to solve the problem of too many IBGP full connections in a large AS domain. The solution is to first divide the AS domain into several smaller sub-ASs, each of which remains fully connected. These sub-ASs form a confederation. Key IGP attributes of the route, such as next hop, MED, local preference, are not discarded across each sub-ASs. The sub-ASs still look like a whole from the point of view of a confederation although these sub-ASs have EBGP relations. This can assure the integrity of the former AS domain, and ease the problem of too many connections in the domain.
For the related commands, see confederation nonstandard and confederation peer-as.

Example
Confederation 9 consists of four sub-ASs, namely, 38, 39, 40 and 41. Here, the peer 10.1.1.1 is an internal member of the AS confederation while the peer 200.1.1.1 is an external member of the AS confederation. For external members, Confederation 9 is a unified AS domain.
[3Com] bgp 41
[3Com-bgp] confederation id 9
[3Com-bgp] confederation peer-as 38 39 40
[3Com-bgp] peer 10.1.1.1 as-number 38
[3Com-bgp] peer 200.1.1.1 as-number 98

confederation nonstandard

Syntax
confederation nonstandard
undo confederation nonstandard

View
BGP view

Parameter
None

Description
Using the confederation nonstandard command, you can make the router compatible with an AS confederation not adopting RFC1965. Using the undo confederation nonstandard command, you can cancel this function.
By default, the configured confederation is consistent with RFC1965.
All the 3Com routers in the confederation should be configured with this command for interworking with those nonstandard devices.
For the related commands, see confederation id and confederation peer-as.

Example
AS100, which is composed of two sub-ASs, 64000 and 65000, contains routers following the nonstandard implementation.
[3Com] bgp 64000
[3Com-bgp] confederation id 100
[3Com-bgp] confederation peer-as 65000
[3Com-bgp] confederation nonstandard

confederation peer-as

Syntax
confederation peer-as as-number-1 [ ......as-number-n ]
undo confederation peer-as [ as-number-1 ] [......as-number-n ]

View
BGP view

Parameter
as-number-1...as-number-n: Sub-AS number, ranging from 1 to 65535. This command can configure a maximum of 32 sub-ASs belonging to the confederation.

Description
Using the confederation peer-as command, you can configure which sub-ASs a confederation consists of. Using the undo confederation peer-as command, you can cancel the specified sub-AS in the confederation.
By default, no autonomous system is configured as a member of the confederation.
The sub-ASs configured in this command are inside a confederation and each sub-AS uses a fully meshed network. The confederation id command is used to specify the confederation to which each sub-AS belongs. This configuration is invalid before this command is performed.
For the related commands, see confederation nonstandard and confederation id.

Example
Configure the confederation that contains AS 2000 and 2001.
[3Com-bgp] confederation peer-as 2000 2001

dampening

Syntax
dampening [ half-life-reachable half-life-unreachable reuse suppress ceiling ] [ route-policy policy-name ]
undo dampening

View
BGP view

Parameter
half-life-reachable: Specifies the half-life when the route is reachable. The range is 1 to 45 minutes. By default, the value is 15 minutes.
half-life-unreachable: Specifies the half-life when the route is unreachable. The range is 1 to 45 minutes. By default, the value is 15 minutes.
reuse: Penalty value of a route when it starts to be reused. The range is 1 to 20000. By default, its value is 750.
suppress: Penalty threshold of a route when it starts to be suppressed. The range is 1 to 20000. By default, its value is 2000.
ceiling: Upper threshold of the penalty. The range is 1001 to 20000. By default, its value is 16000.
policy-name: Route policy name.

Description
Using the dampening command, you can make BGP route attenuation valid or modify various BGP route attenuation parameters. Using the undo dampening command, you can make the characteristics invalid.
By default, no route attenuation is configured.
If the parameters are not set, the BGP route attenuation is valid and each parameter is taken as the default value. half-life-reachable, half-life-unreachable, reuse, suppress and ceiling are mutually dependent. Once any parameter is configured, all other parameters should also be specified.
For the related commands, see reset dampening, reset bgp flap-info, display bgp routing-table dampened, and display bgp routing-table flap-info.

Example
Modify various BGP route attenuation parameters.
[3Com-bgp] dampening 15 15 1000 2000 10000
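
How the five dampening values interact is easier to see with numbers. The Python below is an added example, not 3Com code: it checks a dampening line against the ranges listed above and, assuming the usual exponential decay of route flap damping (RFC 2439), in which the penalty halves every half-life, computes how long a route whose penalty reached the ceiling stays suppressed. The function names and the ordering check reuse < suppress <= ceiling are assumptions of this example, not statements from the manual.

```python
import math

# Added example (not 3Com code). Ranges and defaults are the ones listed in
# this section; the decay model is the RFC 2439 one and is an assumption
# about how this router applies the half-life.
NAMES = ("half-life-reachable", "half-life-unreachable",
         "reuse", "suppress", "ceiling")
DEFAULTS = (15, 15, 750, 2000, 16000)
RANGES = {
    "half-life-reachable": (1, 45),
    "half-life-unreachable": (1, 45),
    "reuse": (1, 20000),
    "suppress": (1, 20000),
    "ceiling": (1001, 20000),
}


def parse_dampening(line):
    """Parse: dampening [ five numbers ] [ route-policy policy-name ]"""
    tok = line.split()
    if not tok or tok[0] != "dampening":
        raise ValueError("not a dampening command")
    args, policy = tok[1:], None
    if "route-policy" in args:
        k = args.index("route-policy")
        if k + 1 >= len(args):
            raise ValueError("route-policy needs a policy name")
        policy, args = args[k + 1], args[:k]
    if not args:
        values = DEFAULTS
    elif len(args) == 5:
        values = tuple(int(a) for a in args)
    else:
        # The section says the five values are mutually dependent.
        raise ValueError("all five parameters must be given together")
    return dict(zip(NAMES, values), policy=policy)


def validate(cfg):
    """Return (code, message) findings; empty list means the values pass."""
    findings = []
    for name in NAMES:
        lo, hi = RANGES[name]
        if not lo <= cfg[name] <= hi:
            findings.append(("RANGE", f"{name} {cfg[name]} outside {lo}-{hi}"))
    # Sanity check added by this example: a route must be able to fall
    # below reuse after crossing suppress, and ceiling caps the penalty.
    if not cfg["reuse"] < cfg["suppress"] <= cfg["ceiling"]:
        findings.append(("ORDER", "expected reuse < suppress <= ceiling"))
    return findings


def penalty_after(penalty, minutes, half_life):
    """Penalty left after `minutes` of decay with the given half-life."""
    return penalty * 0.5 ** (minutes / half_life)


def max_suppress_minutes(cfg, reachable=True):
    """Minutes for a penalty at the ceiling to decay down to reuse."""
    key = "half-life-reachable" if reachable else "half-life-unreachable"
    return cfg[key] * math.log2(cfg["ceiling"] / cfg["reuse"])


if __name__ == "__main__":
    for line in ("dampening", "dampening 15 15 1000 2000 10000"):
        cfg = parse_dampening(line)
        print(line, "->", validate(cfg) or "ok",
              f"max suppression {max_suppress_minutes(cfg):.1f} min")
```

A large ceiling-to-reuse ratio or a long half-life lengthens the time a prefix remains unreachable through this router after it has stopped flapping, which is the availability cost to weigh when tuning these values.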

debugging bgp

Syntax
debugging bgp { all | event | keepalive | open | packet | route-refresh | update } [ receive | send ] [ verbose ]

View
User view

Parameter
all: Enables all BGP information debugging.
event: Enables BGP event information debugging.
keepalive: Enables BGP Keepalive packet information debugging.
open: Enables BGP Open packet information debugging.
packet: Enables BGP packet information debugging.
route-refresh: Enables BGP route-refresh packet information debugging.
update: Enables BGP Update packet information debugging.

Description
Using the debugging bgp all command, you can enable all the information debugging of BGP packets and events. Using the debugging bgp event command, you can enable the information debugging of BGP events. Using the debugging bgp keepalive command, you can enable the information debugging of BGP Keepalive packets. Using the debugging bgp packet command, you can enable the information debugging of BGP packets.
System performance is influenced when information debugging is enabled. Therefore, this command should be used cautiously. You should disable it after debugging.

Example
Enable the information debugging of BGP packets.
<3Com> debugging bgp packet

default local-preference

Syntax
default local-preference value
undo default local-preference

View
BGP unicast view, BGP multicast view, VPNv4 view

Parameter
value: Default local preference to be configured. The range is 0 to 4294967295. The larger the value is, the higher the preference is. By default, its value is 100.

Description
Using the default local-preference command, you can configure the default local preference. Using the undo default local-preference command, you can restore the default value.
Configuring different local preferences will affect BGP routing selection.

Example
The two routers RTA and RTB in the same autonomous area use X.25 and Frame Relay protocols respectively to connect with external autonomous areas. The command can be used to configure the default local preference of RTB as 180 so that the route via RTB is selected first when the same route goes through RTA and RTB at the same time.
[3Com-bgp] default local-preference 180

default med

Syntax
default med med-value
undo default med

View
BGP unicast view, BGP multicast view, VPNv4 view, VPN instance view

Parameter
med-value: MED value to be specified. The range is 0 to 4294967295. By default, the med-value is 0.

Description
Using the default med command, you can configure the system MED value. Using the undo default med command, you can restore the default value of metric.
Multi-Exit Distinguish (MED) is the external metric of a route. Different from local preference, MED is exchanged between ASs and will stay in the AS. MED indicates the attribute of a route. The smaller an MED is, the better a route is. So the route with a low MED is preferred. When a router running BGP obtains several routes with identical destination address and different next-hops from various external peers, it will select the best route depending on the MED value. In the case that all other conditions are the same, the system first selects the route with the smaller MED value as the external route of the autonomous system.

Example
Routers RTA and RTB belong to AS100 and router RTC belongs to AS200. RTC is the peer of RTA and RTB. The network between RTA and RTC is X.25 network and the network between RTB and RTC is Ethernet. So the MED of RTA can be configured as 25 to allow RTC to select the route transmitted by RTB first.
[3Com-bgp] default med 25

display bgp group

Syntax
display bgp [ multicast | [ vpnv4 { all | route-distinguisher route-distinguisher | vpn-instance vpn-instance-name } ] ] group [ group-name ]

View
Any view

Parameter
group-name: A specified peer group.
vpn-instance vpn-instance-name: Name of vpn instance.

Description
Using the display bgp group command, you can view the information of peer groups.

Example
View the information of the peer group "aaa".
<3Com> display bgp group aaa
group : aaa
no as-number
still members in this group :
Description : aaa
route-policy specified in export policy : aaa
filter-policy specified in export policy : list no.30304410
acl specified in export policy : list no.30304410
ip-prefix specified in export policy : aaa
route-policy specified in import policy : aaa
filter-policy specified in import policy : list no.30304410
acl specified in import policy : list no.30304410
ip-prefix specified in import policy : aaa
with Route-policy aaa

display bgp network

Syntax
display bgp [ multicast | [ vpnv4 { all | route-distinguisher route-distinguisher | vpn-instance vpn-instance-name } ] ] network

View
Any view

Parameter
vpn-instance vpn-instance-name: Name of VPN instance.
route-distinguisher route-distinguisher: Name of route-distinguisher.

Description
Using the display bgp network command, you can view the routing information that has been configured.

Example
View the routing information that has been configured.
<3Com> display bgp network
Network        Mask             Route-policy
133.1.1.0      255.255.255.0    None
112.1.0.0      255.255.0.0      None

display bgp paths

Syntax
display bgp paths as-regular-expression

View
Any view

Parameter
as-regular-expression: Matched AS path regular expression.

Description
Using the display bgp paths command, you can view the information about AS paths.

Example
Display the information about the AS paths.
<3Com> display bgp paths ^600$
Flags: - valid, ^ - best, D - damped, H - history, I - internal, S – aggregate suppressed
Id    Hash-Index    References    Aggregator    Origin    As-Path
-------------------------------------------------------------------
6     90            15            <null>        IGP       600

display bgp peer

Syntax
display bgp [ multicast ] peer peer-address verbose
display bgp [ multicast ] peer [ verbose ]
display bgp vpnv4 { all | route-distinguisher route-distinguisher | vpn-instance vpn-instance-name } peer

View
Any view

Parameter
peer-address: Specifies the peer to be displayed.
vpn-instance vpn-instance-name: Name of VPN instance.
route-distinguisher route-distinguisher: Name of route-distinguisher.
verbose: Displays the detailed information of the peer.

Description
Using the display bgp peer command, you can view the information of peer. Using the display bgp multicast peer command, you can view the information of MBGP peer. Using the display bgp vpnv4 peer command, you can view the information of VPN peer.

Example
Display the information of the peer 10.110.25.20.
<3Com> display bgp peer 10.110.25.20
Peer            AS-number  Version  Queued-Tx  Msg-Rx  Msg-Tx  Up/Down   State
-------------------------------------------------------------------
10.110.25.20    100        4        0          0       0       00:33:43  Active

View the details of peer 133.1.1.2.
<3Com> display bgp peer 133.1.1.2 verbose
Peer: 133.1.1.2 Local: Unspecified
Type: External
State: Idle Flags: <Idled>
Last State: NoState Last Event: NoEvent Last Error: None
Options: <>
Configuration within the peer :
no export policy route-policy
no export policy ip-prefix
no export policy filter-policy
no export policy acl
no import policy route-policy
no import policy ip-prefix
no import policy filter-policy
no import policy acl
no default route produce

display bgp routing-table

Syntax
display bgp [ multicast | vpnv4 { all | route-distinguisher route-distinguisher | vpn-instance vpn-instance-name } ] routing-table [ ip-address mask ]

View
Any view

Parameter
multicast: Displays the MBGP routing information in BGP routing table.
all: Displays all VPNv4 routing information.
route-distinguisher route-distinguisher: Displays Network Layer Reachable Information (NLRI) matching Routing Distinguisher (RD).
vpn-instance vpn-instance-name: Displays NLRI associated with the specified VPN instance.
ip-address: Displays the destination network address.
mask: Network mask.

Description
Using the display bgp multicast routing-table command, you can view the BGP routing information of the specified IP address in the BGP routing table. Using the display bgp multicast routing-table command, you can view the MBGP routing information of the specified IP address in the BGP routing table. Using the display bgp vpnv4 routing-table command, you can view the VPN routing information of the specified IP address in the BGP routing table.

Example
View all the BGP routing information.
<3Com> display bgp routing-table
Flags: - valid, ^ - best, D - damped, H - history, I - internal, S – aggregate suppressed
Dest/Mask Pref Next-Hop Med Local-Pref Origin As-Path
-------------------------------------------------------------------
*> 1.1.1.0/24 10.10.10.1 IGP 200
*> 1.1.2.0/24 10.10.10.1 IGP 200
*> 1.1.3.0/24 10.10.10.1 IGP 200
*> 2.2.3.0/24 10.10.10.1 INC 200
*> 4.4.4.0/24 10.10.10.1 IGP 200
*> 9.9.9.0/24 10.10.10.1 INC 200
*> 10.10.10.0/24 0.0.0.0 IGP
* 10.10.10.1 IGP 200

View one BGP routing information.
<3Com> display bgp routing-table 22.1.0.0
BGP route 22.1.0.0/16
Nexthop : 200.1.7.2
Origin : Incompelte, As-path: 200
Local-pref: 100, Status: valid, internal, best
From : 200.1.7.2(200.1.7.2)

display bgp routing-table as-path-acl

Syntax
display bgp [ multicast | [ vpnv4 { all | route-distinguisher route-distinguisher | vpn-instance vpn-instance-name } ] ] routing-table as-path-acl acl-number

CHAPTER 6: ROUTING PROTOCOL

View
Any view

Parameter
acl-number: Number of the specified AS path to be matched, ranging from 1 to 199.

Description
Using the display bgp routing-table as-path-acl command, you can view routes that match an as-path acl.

Example
Display routes that match the filtering list.
<3Com> display bgp routing-table as-path-acl 1
Flags: - valid, ^ - best, D - damped, H - history, I - internal, S – aggregate suppressed
Dest/Mask Pref Next-Hop Med Local-pref Origin As-path
-------------------------------------------------------------------
^ 1.1.1.0/24 170 10.10.10.1 0 IGP 200
^ 1.1.2.0/24 170 10.10.10.1 0 IGP 200
^ 1.1.3.0/24 170 10.10.10.1 0 IGP 200
^ 2.2.3.0/24 256 10.10.10.1 0 INC 200
^ 4.4.4.0/24 256 10.10.10.1 0 INC 200
^ 9.9.9.0/24 256 10.10.10.1 0 INC 200
^ 10.10.10.0/24 256 10.10.10.1 0 IGP 200
^ 22.1.0.0/16 256 200.1.7.2 100 INC 200
88.1.0.0/16 60 0.0.0.0 IGP

display bgp routing-table cidr

Syntax
display bgp [ multicast | [ vpnv4 { all | route-distinguisher route-distinguisher | vpn-instance vpn-instance-name } ] ] routing-table cidr

View
Any view

Parameter
None

Description
Using the display bgp routing-table cidr command, you can view the routing information about the non-natural mask (namely the classless inter-domain routing, CIDR).

Example
<3Com> display bgp routing-table cidr
Flags: - valid, ^ - best, D - damped, H - history, I - internal, S – aggregate suppressed
Dest/Mask Pref Next-Hop Med Local-pref Origin As-path
-------------------------------------------------------------------
^ 22.1.0.0/16 256 200.1.7.2 100 INC 200
88.1.0.0/16 60 0.0.0.0 IGP

display bgp routing-table community

Syntax
display bgp [ multicast | [ vpnv4 { all | route-distinguisher route-distinguisher | vpn-instance vpn-instance-name } ] ] routing-table community [ aa:nn | no-export-subconfed | no-advertise | no-export ] [ whole-match ]

View
Any view

Parameter
aa:nn: Specifies a community number.
no-export-subconfed: Does not send the matched routes outside the AS.
no-advertise: Does not send the matched routes to any peer.
no-export: Does not export routes outside the AS, but advertises them to other sub-ASs.
whole-match: Displays the exactly matched routes.

Description
Using the display bgp routing-table community command, you can view the routing information related to the specified BGP community number in the routing table.

Example
Display the routing information matching the specified BGP community number.
<3Com> display bgp routing-table community 11:22
Flags: - valid, ^ - best, D - damped, H - history, I - internal, S – aggregate suppressed
Dest/Mask Pref Next-Hop Med Local-pref Origin As-path
-------------------------------------------------------------------
^ 1.0.0.0/8 170 172.10.0.2 100 IGP
^ 2.0.0.0/8 256 172.10.0.2 100 IGP

display bgp routing-table community-list

Syntax
display bgp [ multicast | [ vpnv4 { all | route-distinguisher route-distinguisher | vpn-instance vpn-instance-name } ] ] routing-table community-list community-list-number [ whole-match ]

View
Any view

Parameter
community-list-number: Specifies a community-list number.
whole-match: Displays the exactly matched routes.

Description
Using the display bgp routing-table community-list command, you can view the routing information matching the specified BGP community list.

Example
View the routing information matching BGP community list 1.
[3Com] display bgp routing-table community-list 1
Flags: - valid, ^ - best, D - damped, H - history, I - internal, S – aggregate suppressed
Destination/Mask Pref Next-hop Med Local-Pref Origin As-Path
-------------------------------------------------------------------
1.1.1.0/24 170 10.10.10.1 0 IGP 200
1.1.2.0/24 256 10.10.10.1 0 IGP 200
1.1.3.0/24 170 10.10.10.1 0 IGP 200
2.2.3.0/24 256 10.10.10.1 0 INC 200
4.4.4.0/24 170 10.10.10.1 0 INC 200
9.9.9.0/24 256 10.10.10.1 0 INC 200
10.10.10.0/24 0 10.10.10.2 0 IGP
10.10.10.0/24 256 10.10.10.1 0 IGP 200

display bgp routing-table dampened

Syntax
display bgp routing-table dampened

View
Any view

Parameter
None

Description
Using the display bgp routing-table dampened command, you can view BGP dampened routes.

Example
View BGP dampened routes.
<3Com> display bgp routing-table dampened
Flags: - valid, ^ - best, D - damped, H - history, I - internal, S – aggregate suppressed
Dest/Mask Source Damping-limit Origin As-path
----------------------------------------------------------------
D 11.1.0.0 133.1.1.2 1:20:00 IGP 200

display bgp routing-table different-origin-as

Syntax
display bgp [ multicast ] routing-table different-origin-as

View
Any view

Parameter
None

Description
Using the display bgp routing-table different-origin-as command, you can view routes that have different source autonomous systems.

Example
View the routes that have different source ASs.
<3Com> display bgp routing-table different-origin-as
Flags: - valid, ^ - best, D - damped, H - history, I - internal, S – aggregate suppressed
Destination/Mask Pref Next-hop Med Local-Pref Origin As-Path
-----------------------------------------------------------------
10.10.10.0/24 0 10.10.10.2 0 IGP
10.10.10.0/24 256 10.10.10.1 0 IGP 200

display bgp routing-table flap-info

Syntax
display bgp routing-table flap-info [ { regular-expression as-regular-expression } | { as-path-acl acl-number } | { network-address [ mask [ longer-match ] ] } ]

View
Any view

Parameter
as-regular-expression: Displays the route flap information matching the AS path regular expression.
acl-number: Number of the specified AS path to be matched, ranging from 1 to 199.
network-address: Network IP address related to the flap information to be displayed.
mask: Network mask.
longer-match: Displays the route flap information that is more specific than <network-address, mask>.

Description
Using the display bgp routing-table flap-info command, you can view BGP flap information. When <network-address mask> is <0.0.0.0 0.0.0.0>, this command displays the flap information of all BGP routes.

Example
Display BGP flap information.
<3Com> display bgp routing-table flap-info
Flags: - valid, ^ - best, D - damped, H - history, I - internal, S – aggregate suppressed
Dest/Mask Source Keepup-time Damping-limit Flap-times Origin As-path
-------------------------------------------------------------------
D 11.1.0.0/16 133.1.1.2 48 1:20:30 4 IGP 200

display bgp routing-table peer

Syntax
display bgp routing-table peer peer-address { advertised | received }

View
Any view

Parameter
peer-address: Specifies the peer to be displayed.
advertised: Routing information advertised by the specified peer.
received: Routing information the specified peer received.

Description
Using the display bgp routing-table peer command, you can view the routing information the specified BGP peer advertised or received. For the related command, see display bgp peer.

Example
View the routing information advertised by BGP peer 10.10.10.1.
<3Com> display bgp routing-table peer 10.10.10.1 advertised
Flags: - valid, ^ - best, D - damped, H - history, I - internal, S – aggregate suppressed
Dest/mask Next-Hop Med Local-pref Origin As-path
----------------------------------------------------------------
*> 10.10.10.0/24 0.0.0.0 INC

display bgp routing-table regular-expression

Syntax
display bgp [ multicast | [ vpnv4 { all | route-distinguisher route-distinguisher | vpn-instance vpn-instance-name } ] ] routing-table regular-expression as-regular-expression

View
Any view

Parameter
as-regular-expression: Matched AS regular expression.

Description
Using the display bgp routing-table regular-expression command, you can view the routing information matching the specified AS regular expression.

Example
Display the routing information matching the AS regular expression ^600$.
<3Com> display bgp routing-table regular-expression ^600$
Flags: - valid, ^ - best, D - damped, H - history, I - internal, S – aggregate suppressed
Destination/Mask Pref Next-hop Med Local-Pref Origin As-Path
-------------------------------------------------------------------
1.1.1.0/24 256 10.10.10.1 0 IGP 200
1.1.2.0/24 256 10.10.10.1 0 IGP 200
1.1.3.0/24 256 10.10.10.1 0 IGP 200
2.2.3.0/24 256 10.10.10.1 0 INC 200
4.4.4.0/24 256 10.10.10.1 0 IGP 200
9.9.9.0/24 256 10.10.10.1 0 INC 200
10.10.10.0/24 256 10.10.10.1 0 IGP 200

filter-policy export

Syntax
filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol ]
undo filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol ]

View
BGP unicast view, multicast view, VPNv4 view, VPN instance view

Parameter
acl-number: Specifies the number of the access control list matching the destination address field of routing information, ranging from 1 to 199.
ip-prefix-name: Specifies the name of the address prefix list matching the destination address field of routing information, ranging from 1 to 19.
protocol: Specifies the routing protocol whose routing information is to be filtered. It includes direct, ospf, ospf-ase, ospf-nssa, isis, rip, and static at present.

Description
Using the filter-policy export command, you can filter the advertised routes so that only the routes passing the filter can be advertised by BGP. Using the undo filter-policy export command, you can cancel the filtering of the advertised routes.
By default, the advertised routing information is not filtered.
If the parameter protocol is specified, only the imported routes generated by the specified protocol are filtered and the imported routes generated by other protocols are not affected. If the parameter protocol is not specified, the imported routes generated by any protocol will be filtered.

Example
Use acl 3 to filter the routing information advertised by all BGPs.
[3Com-bgp] filter-policy 3 export

filter-policy import

Syntax
filter-policy gateway ip-prefix-name import
undo filter-policy gateway ip-prefix-name import
filter-policy { acl-number | ip-prefix ip-prefix-name } import
undo filter-policy { acl-number | ip-prefix ip-prefix-name } import

View
BGP unicast view, BGP multicast view, VPNv4 view, VPN instance view

Parameter
acl-number: Specifies the number of the access control list matching the destination address field of routing information, ranging from 1 to 199.
ip-prefix ip-prefix-name: Address prefix list name. The matched object is the destination address domain of the routing information, ranging from 1 to 19.
gateway ip-prefix-name: Address prefix list name of the neighboring router. The matched object is the routing information distributed by the specified neighboring router, ranging from 1 to 19.

Description
Using the filter-policy gateway import command, you can filter the learned routing information advertised by the specified address. Using the undo filter-policy gateway import command, you can remove the filtering of the routing information advertised by the specified address.
Using the filter-policy import command, you can filter the received global routing information. Using the undo filter-policy import command, you can remove the filtering of the received global routing information.
By default, the received routing information is not filtered.
This command can be used to filter the routes received by BGP and determines whether to add the routes to the BGP routing table.

Example
Use acl 3 to filter the routing information received by BGP.
[3Com-bgp] filter-policy 3 import

group

Syntax
group group-name { [ internal ] | external }
undo group group-name

View
BGP view

Parameter
group-name: Specifies the name of the peer group. It consists of characters and numerals, with a length of 1 to 47.
internal: Creates an internal peer group.
external: Creates an external peer group, including other sub AS groups in the confederation.

Description
Using the group command, you can establish a peer group. Using the undo group command, you can delete the configured peer group.
BGP peer groups exist for the convenience of configuration. When the user starts several peers with the same configuration, a peer group can be established first and be configured. Then add all the peers to the peer group so that they have the same configuration as this peer group.
The default IBGP peer will be added to the default peer group without any configuration. The configuration of the route update policy for any IBGP peer is valid for the other IBGP peers in its group. To be specific, if the router is not a route reflector, all the IBGP peers are in the same group. If the router is a route reflector, all the route reflection clients are in a group, while non-clients are in another group.
The external peer group members must be in the same network segment. Otherwise, some EBGP peers may discard the transmitted route update.
The peer group members cannot be configured with a route update policy that is different from that of the peer group, but can be configured with different ingress policies.

Example
Establish a peer group "test".
[3Com-bgp] group test

import-route

Syntax
import-route protocol [ med med-value ] [ route-policy route-policy-name ]
undo import-route protocol

View
BGP view

Parameter
protocol: Specifies the source routing protocol that can be imported, which includes direct, ospf, ospf-nssa, ospf-ase, rip, bgp, and static at present.
med med-value: Specifies the MED value loaded by a redistributed route, ranging from 0 to 4294967295.
route-policy route-policy-name: Specifies a route-policy to filter the redistributed protocol route. It consists of characters and numerals, with a length of 1 to 19.

Description
Using the import-route command, you can import routes of other protocols. Using the undo import-route command, you can cancel the import of routes of other protocols.
By default, BGP does not import the routes of other protocols.

Example
Import routes of RIP.
[3Com-bgp] import-route rip

ip as-path acl

Syntax
ip as-path acl acl-number { permit | deny } as-regular-expression
undo ip as-path acl acl-number

View
System view

Parameter
acl-number: Number of AS path list ranging from 1 to 199.
as-regular-expression: AS path regular expression.

Description
Using the ip as-path acl command, you can configure an AS path regular expression. Using the undo ip as-path acl command, you can disable the defined regular expression.
The configured AS path list can be used in BGP policy.
For the related command, see peer as-path-acl, and display bgp routing-table as-path-acl.

Example
Configure an AS path list.
[3Com] ip as-path acl 10 permit 200,300

ip community-list

Syntax
ip community-list stand-comm-list-number { permit | deny } { aa:nn | internet | no-export-subconfed | no-advertise | no-export }
ip community-list ext-comm-list-number { permit | deny } as-regular-expression
undo ip community-list { stand-comm-list-number | ext-comm-list-number }

View
System view

Parameter
stand-comm-list-number: Number of the standard community list ranging from 1 to 99.
ext-comm-list-number: Number of the extended community list ranging from 100 to 199.
permit: Permits those that match conditions to access.
deny: Denies those that match conditions to access.
aa:nn: Community number.
internet: Advertises all routes.
no-export-subconfed: Does not advertise the matched route beyond the confederation.
no-advertise: Does not send the matched route to any peer.
no-export: Does not pass routes outside the AS, but advertises them to other sub ASs.
as-regular-expression: Community attribute of the regular expression.

Description
Using the ip community-list command, you can configure a BGP community list. Using the undo ip community-list command, you can delete the configured BGP community list.
The configured community list can be used in BGP policy.
For the related command, see apply community, and display bgp routing-table community-list.

Example
Define a community attribute list which does not advertise routes with the community attribute beyond the confederation.
[3Com] ip community-list 6 permit no-export-subconfed

network

Syntax
network ip-address [ address-mask ] [ route-policy route-policy-name ]
undo network ip-address [ address-mask ] [ route-policy route-policy-name ]

View
BGP view

Parameter
ip-address: Network address that BGP advertises.
address-mask: Mask of the network address.
route-policy-name: Route-policy applied to advertised routes.

Description
Using the network command, you can configure the network routes advertised by the local BGP. Using the undo network command, you can delete the existing configuration.
By default, there is no network sent through BGP.

Example
Advertise routes to network segment 10.0.0.0/16.
[3Com-bgp] network 10.0.0.1 255.255.0.0

peer advertise-community

Syntax
peer { group-name } advertise-community
undo peer { group-name } advertise-community

View
BGP view, VPNv4 view, VPN instance view

Parameter
group-name: Specifies the name of peer group.

Description
Using the peer advertise-community command, you can enable the transmission of the community attribute to a peer/peer group. Using the undo peer advertise-community command, you can cancel the existing configuration.
By default, the community attribute is not transmitted to any peer/peer group.
For the related commands, see if-match community-list and apply community.

Example
Enable the transmission of the community attribute to a peer group "test".
[3Com-bgp] peer test advertise-community

peer allow-as-loop

Syntax
peer { group-name | peer-address } allow-as-loop [ number ]
undo peer { group-name | peer-address } allow-as-loop

View
BGP view, VPNv4 view, VPN instance view

Parameter
group-name: Specifies the name of peer group.
peer-address: Specifies the IP address of the peer.
number: Specifies the repeating times of local AS number. The range is 1 to 10.

Description
Using the peer allow-as-loop command, you can configure the repeating times of the local AS. Using the undo peer allow-as-loop command, you can remove the repeating times of the local AS.
For the related command, see display current-configuration, display bgp routing-table peer, and display bgp routing-table group.

Example
Configure the repeating times of local AS to 2.
[3Com-bgp] peer 1.1.1.1 allow-as-loop 2

peer as-number

Syntax
peer { group-name } as-number as-number
undo peer { group-name } as-number as-number

View
BGP view

Parameter
group-name: Specifies the name of peer group.
peer-address: Specifies the IP address of the peer.
as-number: Peer AS number of the peer/peer group. The range is 1 to 65535.

Description
Using the peer as-number command, you can specify the peer AS number of peer group. Using the undo peer as-number command, you can delete the AS number of peer group.
By default, no AS number is configured.

Example
Specify the peer AS number for the peer test as 100.
[3Com-bgp] peer test as-number 100

peer as-path-acl

Syntax
peer { group-name | peer-address } as-path-acl acl-number { import | export }
undo peer { group-name | peer-address } as-path-acl acl-number { import | export }

View
BGP view, VPNv4 view, VPN instance view

Parameter
group-name: Specifies the name of peer group.
peer-address: Specifies the IP address of the peer.
acl-number: Specifies the filter list number of an AS regular expression. The range is 1 to 199.
import: Import distribution list.
export: Export distribution list.

Description
Using the peer as-path-acl command, you can specify BGP route filtering policy based on AS path list. Using the undo peer as-path-acl command, you can cancel the existing configuration.
By default, the peer group has no AS path list.

Example
Set the AS path ACL of the peer group test.
[3Com-bgp] peer test as-number 100
[3Com-bgp] peer test as-path-acl 3 export

peer connect-interface

Syntax
peer { group-name | peer-address } connect-interface interface-name
undo peer { group-name | peer-address } connect-interface interface-name

View
BGP view

Parameter
group-name: Specifies the name of the peer group.
peer-address: Specifies the IP address of the peer.
interface-name: Specifies interface name.

Description
Using the peer connect-interface command, you can specify the source interface of a route update packet. Using the undo peer connect-interface command, you can restore the best source interface.
By default, BGP uses the best source interface.
Usually, BGP uses the optimal route to update the source interface of the packets. However, you can set the mode of the interface to Loopback in order to send route updates even if the interface does not work normally.

Example
None

peer default-route-advertise

Syntax
peer { group-name } default-route-advertise
undo peer { group-name } default-route-advertise

View
BGP view

Parameter
group-name: Specifies the name of peer group.

Description
Using the peer default-route-advertise command, you can configure a peer/peer group to import a default route for a peer. Using the undo peer default-route-advertise command, you can cancel the existing configuration.
By default, a peer/peer group does not import the default route.
For this command, no default route is required in the routing table. A default route is sent unconditionally to a peer with the next hop as itself.

Example
Specify a peer group "test" to import the default route.
[3Com-bgp] peer test as-number 100
[3Com-bgp] peer test default-route-advertise

peer description

Syntax
peer { group-name | peer-address } description description-line
undo peer { group-name | peer-address } description

View
BGP view

Parameter
group-name: Specifies the name of peer group.
peer-address: Specifies the IP address of the peer.
description-line: Description information configured, which can be described in characters or numerals with the length not exceeding 79.

Description
Using the peer description command, you can configure the description information of the peer/peer group. Using the undo peer description command, you can remove the description information of the peer/peer group.
By default, description information of peers/peer group is not configured.
For the related command, see display current-configuration, display bgp peer, and display bgp routing-table group.

Example
Configure the description information of the peer named group1 as beijing1.
[3Com-bgp] peer group1 description beijing1

peer ebgp-max-hop

Syntax
peer group-name ebgp-max-hop [ ttl ]
undo peer group-name ebgp-max-hop

View
BGP view

Parameter
group-name: Specifies the name of peer group.
ttl: Specifies the maximum hop value. The range is 1 to 255. By default, the value is 64.

Description
Using the peer ebgp-max-hop command, you can allow establishing EBGP connection with the peer on indirectly connected network. Using the undo peer ebgp-max-hop command, you can cancel the existing configuration.
By default, this feature is disabled.

Example
Establish EBGP connection with the peer group "test" on the indirectly connected network.
[3Com-bgp] peer test ebgp-max-hop

peer enable

Syntax
peer { group-name | peer-address } enable
undo peer { group-name | peer-address } enable

View
BGP unicast address family view, IPv4 multicast address family view, VPNv4 address family view, L2VPN address family view

Parameter
group-name: Specifies the name of the peer group, which specifies the entire peer group.
peer-address: IP address of the peer, which specifies a certain peer.

Description
Using the peer enable command, you can enable the specified peer (group) so that it can exchange information with a peer. Using the undo peer enable command, you can disable the specified peer (group).
The peer peer-address enable command can be configured in unicast address family only. Using this command, you can disable the unicast function of the peer. You can delete the peer from the group in the corresponding address to disable its multicast function or VPNv4 function.
By default, BGP peer (group) is enabled in unicast address family, but disabled in VPN and MBGP address families.
If the specified peer/peer group is disabled, the router will not exchange routing information with the specified peer (group).

Example
Deactivate the specified peer.
[3Com] bgp 180
[3Com-bgp] peer 18.10.0.9 as-number 180
[3Com-bgp] undo peer 18.10.0.9 enable

peer filter-policy

Syntax
peer { group-name | peer-address } filter-policy list-number { import | export }
undo peer { group-name | peer-address } filter-policy list-number { import | export }

View
BGP view, IPv4 multicast sub-address family view

Parameter
group-name: Specifies the name of peer group.
peer-address: IP address of the peer.
list-number: Specifies the IP acl number.
import: Peer filter-policy used for imported routes.
export: Peer filter-policy used for exported routes.

Description
Using the peer filter-policy command, you can set the filter-policy list of a peer group. Using the undo peer filter-policy command, you can cancel the existing configuration.
By default, a peer group has no access control list (acl).
For the related commands, see ip as-path acl and peer as-path-acl.

Example
Set the filter-policy list of a peer group test.
[3Com-bgp] peer test as-number 100
[3Com-bgp] peer test filter-policy 3 import

peer group

Syntax
For multicast address family or VPNv4 address family:
peer peer-address group group-name
undo peer peer-address group
For unicast address family or VPN-INSTANCE address family:
peer peer-address group group-name [ as-number as-number ]
undo peer peer-address group

View
BGP view

Parameter
group-name: Specifies the name of the peer group. It consists of characters and numerals, with a length of 1 to 47.
peer-address: Specifies the IP address of the peer.
as-number: Specifies AS number for the peer.

Description
Using the peer group command, you can add a peer to the peer group. Using the undo peer group command, you can delete the specified peer in the peer group.
In the unicast/VPN-INSTANCE address family view, when adding a peer to an external peer group without specified AS number, you should specify the peer AS number at the same time. This is unnecessary when adding the peer to an internal peer group or an external peer group with specified AS number.
In the multicast/VPNv4 address family view, the peer to be added must already exist and must have been added to a peer group in the unicast address family view (the peer can be disabled).
In different address family views, a peer can be added to different peer groups and a peer group can have different members.

Example
Add the peer with IP address 10.1.1.1 to the peer group TEST.
[3Com-bgp] group TEST
[3Com-bgp] peer 10.1.1.1 group TEST

peer ip-prefix

Syntax
peer { group-name | peer-address } ip-prefix prefixname { import | export }
undo peer { group-name | peer-address } ip-prefix prefixname { import | export }

View
BGP view, VPNv4 view, VPN instance view

Parameter
group-name: Name of peer group.
peer-address: Specifies the IP address of the peer.
prefixname: Name of the specified ip-prefix.
import: Applies the filtering policy on the route received by the specified peer/peer group.
export: Applies the filtering policy on the route transmitted to the specified peer/peer group.

Description
Using the peer ip-prefix command, you can configure the route filtering policy of the peer/peer group based on the ip-prefix. Using the undo peer ip-prefix command, you can cancel the route filtering policy of the peer/peer group based on the ip-prefix.
By default, the route filtering policy of the peer/peer group is not specified.
For the related command, see ip ip-prefix.

Example
Configure the route filtering policy of the peer group based on the ip-prefix 1.
[3Com-bgp] peer group1 ip-prefix list1 import

peer next-hop-local

Syntax
peer { group-name } next-hop-local
undo peer { group-name } next-hop-local

View
BGP view

Parameter
group-name: Specifies the name of peer group.

Description
Using the peer next-hop-local command, you can make the router process the next hop of the routes to be advertised to the peer/peer group and take its own address as the next hop. Using the undo peer next-hop-local command, you can cancel the existing configuration.

Example
When BGP distributes the route to the peer group "test", it will take its own address as the next hop.
[3Com-bgp] peer test next-hop-local

peer password

Syntax
peer { group-name | peer-address } password { cipher | simple } password
undo peer { group-name | peer-address } password

View
BGP view, MBGP VPN-instance address family view

Parameter
group-name: Name of the peer group.
peer-address: IP address of the peer, in dotted decimal format.
cipher: Displays the configured password in cipher text mode.
simple: Displays the configured password in simple text mode.
password: Password as a character string. It has 1 to 16 characters when the parameter simple is configured, or when the password is entered in simple text mode while the parameter cipher is configured. It has 24 characters when the password is entered in cipher text mode with the parameter cipher configured.

Description
Using the peer password command, you can configure MD5 authentication for BGP during TCP connection setup. Using the undo peer password command, you can cancel the configuration.
By default, BGP does not perform MD5 authentication when TCP connection is set up.
Once MD5 authentication is enabled, both parties involved in the authentication must be configured with identical authentication modes and passwords. Otherwise, TCP connection will not be set up because of the failed authentication.
This command is used to configure MD5 authentication for the specific peer only when the peer group to which the peer belongs is not configured with MD5 authentication. Otherwise, the peer should be consistent with the peer group.

Example
Adopt MD5 authentication on the TCP connection set up between the local router at 10.1.100.1 and the peer router at 10.1.100.2.
[3Com-bgp] peer 10.1.100.2 password simple 3Com

Perform the corresponding configuration on the peer router.
[3Com-bgp] peer 10.1.100.1 password simple 3Com
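
The following audit is an added example, not part of the 3Com manual. It reads BGP configuration lines written in the command syntax documented in this chapter and reports peers with no MD5 password (set directly or through their peer group), peers whose password is stored with the simple keyword and is therefore readable in the configuration, peers that carry a password in addition to their group's, and peers with no import-side filter. The sample configuration, the finding names and the cipher placeholder are constructed for illustration.

```python
import re

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Peer-level commands documented in this chapter that can filter received routes.
IMPORT_FILTERS = {"filter-policy", "ip-prefix", "as-path-acl", "route-policy"}

# Constructed sample configuration; the 24-character cipher string is a placeholder.
SAMPLE_CONFIG = """\
bgp 100
 group transit external
 peer transit as-number 200
 peer transit password cipher XXXXXXXXXXXXXXXXXXXXXXXX
 peer transit ip-prefix list1 import
 peer 10.1.100.2 group transit
 group customers external
 peer customers route-policy test-policy import
 peer 10.1.100.6 group customers as-number 300
 peer 10.1.100.6 password simple 3Com
 peer 10.1.100.10 group customers as-number 301
 group test
 peer test filter-policy 3 export
 peer 10.1.100.14 group test
 peer 10.1.100.14 password cipher XXXXXXXXXXXXXXXXXXXXXXXX
"""


def _blank():
    return {"password": None, "import": set()}


def parse_bgp_config(text):
    """Return (member_of, settings) for the peers and peer groups in a saved configuration.

    Assumption: the input is a saved configuration, so "undo" lines do not occur
    and are ignored if present.
    """
    member_of, settings = {}, {}
    for raw in text.splitlines():
        tok = raw.split()
        if tok and tok[0].startswith("["):      # drop a pasted prompt such as [3Com-bgp]
            tok = tok[1:]
        if len(tok) >= 2 and tok[0] == "group":
            settings.setdefault(tok[1], _blank())
        elif len(tok) >= 3 and tok[0] == "peer":
            target, cmd, args = tok[1], tok[2], tok[3:]
            entry = settings.setdefault(target, _blank())
            if cmd == "group" and args:
                member_of[target] = args[0]     # peer peer-address group group-name
            elif cmd == "password" and args and args[0] in ("cipher", "simple"):
                entry["password"] = args[0]     # keep the storage mode, never the secret
            elif cmd in IMPORT_FILTERS and args[-1:] == ["import"]:
                entry["import"].add(cmd)
    return member_of, settings


def audit_peers(text):
    """Return a list of (peer-address, finding) tuples, ordered by peer address."""
    member_of, settings = parse_bgp_config(text)
    peers = sorted((t for t in settings if IPV4.match(t)),
                   key=lambda a: tuple(int(p) for p in a.split(".")))
    findings = []
    for peer in peers:
        own = settings[peer]
        grp = settings.get(member_of.get(peer), _blank())
        modes = [m for m in (own["password"], grp["password"]) if m]
        if not modes:
            findings.append((peer, "no-md5-auth"))
        if "simple" in modes:
            findings.append((peer, "cleartext-password"))
        if len(modes) == 2:
            # The manual expects a per-peer password only when the group has none.
            findings.append((peer, "peer-and-group-password"))
        if not (own["import"] | grp["import"]):
            findings.append((peer, "no-import-filter"))
    return findings


if __name__ == "__main__":
    for peer, finding in audit_peers(SAMPLE_CONFIG):
        print(f"{peer}: {finding}")
```
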

peer public-as-only

Syntax
peer { group-name } public-as-only
undo peer { group-name } public-as-only

View
BGP view

Parameter
group-name: Specifies the name of a peer group.
peer-address: Specifies IP address of a peer.

Description
Using the peer public-as-only command, you can configure BGP not to carry the AS number when transmitting BGP update packets. Using the undo peer public-as-only command, you can configure BGP to carry the AS number when transmitting BGP update packets.
By default, the private AS number is carried when transmitting BGP update packets.
Generally, BGP transmits BGP update packets with the AS number (either public AS number or private AS number). To enable some outbound routers to ignore the AS number when transmitting update packets, you can configure BGP not to carry the AS number when transmitting BGP update packets.

Example
Configure BGP not to carry the private AS number when transmitting BGP update packets to the peer named test.
[3Com-bgp] peer test public-as-only

peer reflect-client

Syntax
peer { group-name } reflect-client
undo peer { group-name } reflect-client

View
BGP view or VPNv4 view

Parameter
group-name: Specifies the name of the peer group.

Description
Using the peer reflect-client command, you can configure a peer/peer group as the route reflector client. Using the undo peer reflect-client command, you can cancel the existing configuration.
By default, no route reflector is in the AS.
Generally speaking, it is not necessary to configure this command for the peer group, because IBGP peers are in its default group. A single peer peer-address reflect-client command should be used to configure the route reflector clients.
For the related commands, see reflect between-clients and reflector cluster-id.

Example
Configure the peer group "test" as the route reflector client.
[3Com-bgp] peer test reflect-client

peer route-policy

Syntax
peer { group-name | peer-address } route-policy route-policy-name { import | export }
undo peer { group-name | peer-address } route-policy route-policy-name { import | export }

View
BGP view, VPNv4 view, VPN instance view

Parameter
group-name: Specifies the name of peer group.
peer-address: Specifies IP address of a peer.
route-policy-name: Specifies route-policy.
import: Applies the route-policy to the routes coming from the peer (group).
export: Applies the route-policy to the routes advertised to the peer (group).

Description
Using the peer route-policy command, you can assign the route-policy to the route coming from the peer (group) or the route advertised to the peer (group). Using the undo peer route-policy command, you can delete the specified route-policy.
By default, the peer (group) has no route-policy association.

Example
Apply the route-policy named test-policy to the route coming from the peer group "test".
[3Com-bgp] peer test route-policy test-policy import

peer route-update-interval

Syntax
peer { group-name } route-update-interval seconds
undo peer { group-name } route-update-interval

View
BGP view, VPNv4 view, VPN instance view

Parameter
group-name: Specifies the name of peer group.
seconds: The minimum interval of sending UPDATE message. The range is 0 to 600. By default, the advertisement interval is 5 seconds for internal peer (group), and 30 seconds for external peer (group).

Description
Using the peer route-update-interval command, you can configure the interval at which route updates are sent to a peer (group). Using the undo peer route-update-interval command, you can restore the default value.

Example
Configure the interval of the BGP peer 172.168.10.1 sending the route update packet as 10 seconds.
[3Com-bgp] peer 172.168.10.1 as-number 100
[3Com-bgp] peer 172.168.10.1 route-update-interval 10

peer timer

Syntax
peer { group-name | peer-address } timer keep-alive keepalive-interval hold holdtime-interval
undo peer { group-name | peer-address } timer

View
BGP view

Parameter
group-name: Specifies the name of peer group.
peer-address: Specifies the IP address of the peer.
keepalive-interval: Keepalive interval to be specified. The range is 1 to 4294967295 seconds. By default, its value is 60 seconds.
holdtime-interval: Holdtime interval to be specified. The range is 3 to 4294967295 seconds. By default, its value is 180 seconds.

Description
Using the peer timer command, you can configure the Keepalive and Holdtime intervals for a peer (group). Using the undo peer timer command, you can restore the default values of the intervals.

The timer configured by using this command has a higher priority than the one configured by using the timer command.

Example
Configure Keepalive and Holdtime intervals of the peer group "test".
[3Com-bgp] peer test timer keep-alive 60 hold 180

policy vpn-target

Syntax
policy vpn-target
undo policy vpn-target

View
VPN instance view

Parameter
None

Description
Using the policy vpn-target command, you can configure whether to perform the filtering on the vpn-target extended community of the received routing information. Using the undo policy vpn-target command, you can cancel the filter function.
By default, the system performs the filtering on the vpn-target extended community of the received routing information.

Example
Perform the filtering on the vpn-target extended community of the received routing information.
[3Com-bgp] policy vpn-target

preference

Syntax
preference value
undo preference

View
BGP protocol view, BGP multicast address family view

Parameter
value: Specifies the preference, ranging from 1 to 256. By default, the value is 170.

Description
Using the preference command, you can configure the preference of BGP protocol. Using the undo preference command, you can restore the default preference.
Each kind of routing protocol has its own preference, by which the routing policy will select the optimal one from the routes of different protocols. The greater the preference value is, the lower the preference is. BGP defines two kinds of routes:
One is learned from external peer.
The other is learned from internal peer.
The preferences of the two routes can be different, and they can be set manually. The system supports configuring different preferences for different sub-address families, including unicast address family and multicast address family at present.

Example
Configure the preference of BGP protocol to 150.
[3Com-bgp] preference 150

reflect between-clients

Syntax
reflect between-clients
undo reflect between-clients

View
BGP view, VPNv4 view, VPN instance view

Parameter
None

Description
Using the reflect between-clients command, you can set the between-client reflection of a route. Using the undo reflect between-clients command, you can disable this function.
By default, the reflection between clients is disabled.
After route reflector is configured, it reflects the routes of a client to other clients.
For the related commands, see reflector cluster-id and peer reflect-client.

Example
Disable the reflection between clients.
[3Com-bgp] undo reflect between-clients

reflector cluster-id

Syntax
reflector cluster-id { cluster-id | address }
undo reflector cluster-id

View
BGP unicast view, BGP multicast view, VPNv4 view

Parameter
cluster-id: Specifies the cluster ID of the route reflector, in integer or IP address format, with the range from 1 to 4294967295.
address: Interface address of the route reflector’s cluster ID.

Description
Using the reflector cluster-id command, you can configure the cluster ID of the route reflector. Using the undo reflector cluster-id command, you can remove the cluster ID of the route reflector.
By default, each route reflector uses its Router ID as the cluster ID.
Usually, there is only one route reflector in a cluster, and the router ID of the reflector identifies the cluster. You can configure multiple route reflectors to improve the stability of the network. If a cluster is configured with multiple route reflectors, you can use this command to configure an identical cluster ID for all the reflectors.
For the related commands, see reflect between-clients and peer reflect-client.

Example
Set cluster ID for local router to identify the cluster.
[3Com-bgp] reflector cluster-id 80
[3Com-bgp] peer 11.128.160.10 reflect-client

refresh bgp

Syntax
refresh bgp { all | peer-address | { group group-name } } [ multicast | vpnv4 | vpn-instance vpn-instance-name ] { import | export }

View
User view

Parameter
all: Refreshes all the peers.
peer-address: Refreshes the peer specified address.
group-name: Refreshes all the members in the specified peer group.
vpnv4: Refreshes routes of VPNv4 address family for the peer.
multicast: Refreshes routes of multicast address family for the peer.
vpn-instance vpn-instance-name: Refreshes VPN routes for the peer in the specified VPN-INSTANCE.
import: Sends ROUTE-REFRESH packet to the peer to require retransmission of all the routes.
export: Retransmits all the routes to the peer.

Description
Using the refresh bgp command, you can request the peer for route retransmission or retransmit routes to the peer.
After BGP connection is created, only incremental routes are transmitted. But in some cases, for example, when routing policy is changed, retransmission of routes is required on both ends. And the routes should be filtered again according to the new policy.

Example
Request all the peers to retransmit multicast routes.
<3Com> refresh bgp all multicast import

Retransmit all the routes to the CE peer 10.1.1.1 in VPN-INSTANCE vpn1.
<3Com> refresh bgp 10.1.1.1 vpn-instance vpn1 export

reset bgp

Syntax
reset bgp { all | peer-address } [ vpn-instance vpn-instance-name ]

View
User view

Parameter
all: Resets all the connections with BGP.
peer-address: Resets connection with a specified BGP peer.
vpn-instance vpn-instance-name: Name of specified VPN-INSTANCE. The range is 1 to 19.

Description
Using the reset bgp peer-address command, you can reset the connection of BGP with a specified BGP peer. Using the reset bgp all command, you can reset all the connections with BGP.
After changing the BGP policy or protocol configuration, resetting BGP connection can make the newly configured policy in effect immediately.

Example
Reset all the BGP connections to enable the new configuration (after configuring the new Keepalive interval and Holdtime interval using the timer command).
<3Com> reset bgp all

reset bgp flap-info

Syntax
reset bgp flap-info [ regular-expression as-regular-expression | as-path-acl acl-number | network-address [ mask ] ]
reset bgp network-address [ flap-info ]

View
User view

Parameter
regular-expression as-regular-expression: Clears the flap information matching the AS path regular expression.
as-path-acl acl-number: Clears the flap information in consistency with a specified filter list. The range of the parameter acl-number is 1 to 199.
network-address: Clears the flap information of a record at this IP address. If this parameter is put before flap-info, the router clears the flap information of all the routes from this address.
mask: Network mask.

Description
Using the reset bgp flap-info command, you can reset the flap information of a route.
For the related command, see dampening.

Example
Clear the flap information of all the routes that go through filter list 10.
<3Com> reset bgp flap-info as-path-acl 10

reset bgp group

Syntax
reset bgp group group-name [ vpn-instance vpn-instance-name ]

View
User view

Parameter
group-name: Specifies the name of the peer group, in characters ranging from 1 to 47.
vpn-instance vpn-instance-name: Name of specified VPN-INSTANCE. The range is 1 to 19.

Description
Using the reset bgp group command, you can reset the connections between the BGP and all the members of a group.
For the related command, see peer group.

Example
Reset BGP connections of all members from group1.
<3Com> reset bgp group group1

reset dampening

Syntax
reset dampening [ network-address [ mask ] ]

View
User view

Parameter
network-address: Network IP address related to the clearing attenuation information.
mask: Network mask.

Description
Using the reset dampening command, you can clear the attenuation information of a route and release the suppression of a suppressed route.
For the related commands, see dampening and display bgp routing-table dampened.

Example
Clear the attenuation information of the route to the network 20.1.0.0, and release the suppression of a suppressed route.
<3Com> reset dampening 20.1.0.0 255.255.0.0

summary automatic

Syntax
summary automatic
undo summary automatic

View
BGP unicast view, BGP multicast view, VPN instance view

Parameter
None

Description
Using the summary automatic command, you can enable automatic aggregation of sub-network routes. Using the undo summary automatic command, you can disable it.
By default, no automatic aggregation of sub-network routes is executed.
After the summary automatic command is configured, BGP cannot receive the sub-network routes imported from the IGP, so the amount of the routing information can be reduced.

Example
Make the automatic aggregation of the sub-network routes.
[3Com-bgp] summary automatic

timer keep-alive hold

Syntax
timer keep-alive keepalive-interval hold holdtime-interval
undo timer

View
BGP unicast view, BGP multicast view, VPNv4 view, VPN instance view

Parameter
keepalive-interval: Interval for sending Keepalive, ranging from 1 to 4294967295. By default, its value is 60 seconds.
holdtime-interval: Holdtime of BGP, ranging from 3 to 4294967295. By default, its value is 180 seconds.

Description
Using the timer keep-alive hold command, you can configure the Keepalive and Holdtime timer of BGP. Using the undo timer keep-alive hold command, you can restore the default value of the Keepalive and Holdtime timer.

Example
Configure the Keep-alive and Hold-time timer as 30 seconds and 60 seconds.
[3Com-bgp] timer keep-alive 30 hold 60

undo synchronization

Syntax
undo synchronization

View
BGP view, VPN instance view

Parameter
None

Description
Using the undo synchronization command, you can remove the synchronization between BGP and IBGP.

Example
[3Com-bgp] undo synchronization

MBGP Configuration Commands

In the following command description, BGP unicast view indicates the common BGP view. For the specific configuration of MBGP multicast extension, refer to the "Multicast" module of this manual. For the specific configuration of VPN instance and VPNv4, refer to "MPLS" module in this manual.

ipv4-family

Syntax
ipv4-family { multicast | vpn-instance vpn-instance-name }
undo ipv4-family [ multicast | vpn-instance vpn-instance-name ]

View
BGP view, VPN instance view

Parameter
multicast: Enters the BGP multicast extended address family view with the parameter.
vpn-instance vpn-instance-name: Associates the specified VPN instance with the IPv4 address family. Enter the MBGP address family view of BGP with this parameter.

Description
Using the ipv4-family command, you can enter IPv4 extended address family view of BGP. Using the undo ipv4-family command, you can remove all configurations in extended address family view and return to IPv4 unicast address view of BGP.
This command is used to enter the IPv4 extended address family view. In this view, parameters related to the address family can be configured for BGP.
The undo ipv4-family multicast command can exit the multicast extended address family view, remove all configurations in the address family view and return to BGP unicast view.
The undo ipv4-family vpn-instance vpn-instance-name command is used to remove the association between the specified VPN instance and IPv4 address family, delete all configurations in the address family and return to BGP unicast view.
The ipv4-family multicast command is used for multicast. For relevant contents, refer to "MBGP Multicast Extended" chapter in module "Multicast" of this manual.
The ipv4-family vpn-instance command is used for BGP/MPLS VPN. For related description, refer to "MPLS VPN" chapter in module "MPLS" of this manual.
For the related commands, see ipv4-family vpnv4 and peer enable.

Example
None

ipv4-family vpnv4

Syntax
ipv4-family vpnv4 [ unicast ]
undo ipv4-family vpnv4 [ unicast ]

View
BGP view

Parameter
unicast: Enters VPN-IPv4 unicast address family view with this parameter.

Description
Using the ipv4-family vpnv4 command, you can enter VPNv4 address family view of BGP. Using the undo ipv4-family vpnv4 command, you can delete all configurations in VPNv4 address family view and return to IPv4 unicast address family view of BGP.
The ipv4-family vpnv4 command is used for BGP/MPLS VPN. For related description, refer to "MPLS VPN" chapter in module "MPLS" of this manual.
The present VRP software platform only supports IPv4 unicast address of VPN. Execution of the ipv4-family vpnv4 command will enter VPN-IPv4 unicast address family view even if the unicast parameter is not specified.
For the related commands, see ipv4-family and peer enable.

Example
None

peer enable

Syntax
peer { group-name | peer-address } enable
undo peer { group-name | peer-address } enable

View
BGP view, VPNv4 view, VPN instance view

Parameter
group-name: Specifies the name of the peer group, which specifies the entire peer group.
peer-address: IP address of the peer, which specifies a certain peer.

Description
Using the peer enable command, you can enable the specified peer/peer group. Using the undo peer enable command, you can disable it.
By default, the unicast peer/peer group of IPv4 address family is enabled and other peers/peer groups are disabled.
Using this command, you can enable/disable the routing exchange between the peers (peer groups). By default, the peer (group) of IPv4 unicast is enabled. The undo command is used to disable them. When a connection is used in both unicast and multicast, you can disable the unicast peer to delete the unicast connection only. By default, the peer (group) in other address families is disabled. It cannot exchange routing information normally until it is enabled.

Example
Configure and enable the specified peer of VPNv4 unicast address family.
[3Com] bgp 100
[3Com-bgp] peer 10.15.0.15 as-number 100
[3Com-bgp] ipv4-family vpnv4 unicast
[3Com-bgp-af-vpn] peer 10.15.0.15 enable

Configure and enable the specified peer of IPv4 multicast address family.
[3Com] bgp 200
[3Com-bgp] peer 20.10.0.1 as-number 200
[3Com-bgp] ipv4-family multicast
[3Com-bgp-af-mul] peer 20.10.0.1 enable

IP Routing Policy Configuration Commands

apply as-path

Syntax
apply as-path as-number-1 [ as-number-2 [ as-number-3 ... ] ]
undo apply as-path

View
Routing policy view

Parameter
as-number-1... as-number-n: AS number to be added.

Description
Using the apply as-path command, you can specify AS number to be added in front of the original AS path in route-policy. Using the undo apply as-path command, you can cancel the AS sequence number added in front of the original AS path.
By default, no AS number is set.
If the match condition of route-policy is matched, the AS attribute of the transmitting route will be changed. At least 10 AS numbers can be added.

Example
Add AS 200 in front of the original AS path in route-policy.
[3Com-route-policy] apply as-path 200

apply community

Syntax
apply community { { {aa:nn | no-export-subconfed | no-export | no-advertise} … [ additive ] } | additive | none }
undo apply community

View
Routing policy view

Parameter
aa:nn: Community number.
no-export-subconfed: Does not send the matched route outside the AS.
no-advertise: Does not send the matched route to any peer.
no-export: Does not pass the route through the AS but advertises it to other sub-ASs.
additive: Community attributes of additional routes.
none: Community attributes of deleted routes.

Description
Using the apply community command, you can specify the set BGP community attribute of route-policy. Using the undo apply community command, you can cancel the set BGP community attribute.
By default, BGP community attribute is not set.
Configure BGP community attribute after matching the route-policy conditions.
For the related command, see ip community-list, if-match community-list, route-policy, and display bgp routing-table community.

Example
Display how to configure one route-policy named setcommunity, whose node serial number is 16 and match mode is permit, and enter route policy view to set match conditions and attribute modification actions to be executed.
[3Com] route-policy setcommunity permit node 16
[3Com-route-policy] if-match as-path 8
[3Com-route-policy] apply community no-export

apply cost

Syntax
apply cost value
undo apply cost

View
Routing policy view

Parameter
value: Specifies the route cost value of route information.

Description
Using the apply cost command, you can set the route cost value of route information. Using the undo apply cost command, you can cancel the apply clause.
For the related commands, see if-match interface, if-match acl, if-match ip-prefix, if-match ip next-hop, if-match cost, if-match tag, route-policy, apply ip-address, apply local-preference, apply origin, and apply tag.

Example
Display how to define one apply clause. When it is used for setting route information attribute, it sets the route cost value of route information as 120.
[3Com-route-policy] apply cost 120

apply cost-type

Syntax
apply cost-type [ internal | external ]
undo apply cost-type

View
Routing policy view

Parameter
internal: Uses the cost type of IGP as MED value of BGP to advertise route to EBGP peer.
external: External cost type value of IS-IS.

Description
Using the apply cost-type command, you can set the route cost type of route information. Using the undo apply cost-type command, you can cancel the apply clause.
By default, route cost type is not set.

Example
Set the cost type of IGP as MED value of BGP.
[3Com-route-policy] apply cost-type internal

apply ip-address

Syntax
apply ip-address { ip-address [ ip-address ] | acl acl-number }
undo apply ip-address [ ip-address [ ip-address ] | acl acl-number ]

View
Routing policy view

Parameter
ip-address: Next-hop address. Two next-hop addresses can be specified at most.
acl-number: Specifies the number of the access control list used for filtering, ranging from 1 to 99.

Description
Using the apply ip-address command, you can set the next hop address of route information. Using the undo apply ip-address command, you can cancel the apply clause.
By default, no apply clause is defined.
This is one of the apply clauses of the route-policy. When this command is used for setting routing information attribute, it sets the next hop address of the packets that passed filtering. If multiple next hop addresses are set through the apply ip-address command, the other next hop addresses will be tried in turn when the first next hop address is invalid.
For the related commands, see if-match interface, if-match acl, if-match ip-prefix, if-match ip next-hop, if-match cost, if-match tag, route-policy, apply local-preference, apply cost, apply origin, and apply tag.

Example
Define an apply clause to set the next hop address of routing information as 193.1.1.8 when it is used for setting routing information attribute.
[3Com-route-policy] apply ip-address 193.1.1.8

apply local-preference

Syntax
apply local-preference local-preference
undo apply local-preference

View
Routing policy view

Parameter
local-preference: Newly set local preference.

Description
Using the apply local-preference command, you can apply the local preference of route information. Using the undo apply local-preference command, you can cancel the apply clause.
For the related commands, see if-match interface, if-match acl, if-match ip-prefix, if-match ip next-hop, if-match cost, if-match tag, route-policy, apply ip-address, apply local-preference, apply origin, and apply tag.

Example
Apply the local preference level of route information as 130 when this apply clause is used for setting route information attribute.
[3Com-route-policy] apply local-preference 130

apply origin

Syntax
apply origin { igp | egp as-number | incomplete }
undo apply origin

View
Routing policy view

Parameter
igp: Sets the BGP route information source as internal route.
egp: Sets the BGP route information source as external route.
as-number: Specifies AS number of external route.
incomplete: Sets the BGP route information source as unknown source.

Description
Using the apply origin command, you can set the routing source of BGP routing information. Using the undo apply origin command, you can cancel the apply clause.
For the related commands, see if-match interface, if-match acl, if-match ip-prefix, if-match ip next-hop, if-match cost, if-match tag, route-policy, apply ip-address, apply local-preference, apply cost, and apply tag.

Example
Display how to define one apply clause. When it is used for setting routing information attribute, it sets the routing source of the routing information as igp.
[3Com-route-policy] apply origin igp

apply tag

Syntax
apply tag value
undo apply tag

View
Routing policy view

Parameter
value: Specifies the tag value of route information.

Description
Using the apply tag command, you can set the tag area of OSPF route information. Using the undo apply tag command, you can cancel the apply clause.
For the related commands, see if-match interface, if-match acl, if-match ip-prefix, if-match ip next-hop, if-match cost, if-match tag, route-policy, apply ip-address, apply local-preference, apply cost, and apply origin.

Example
Display how to define one apply clause. When it is used for setting route information attribute, it sets the tag area of route information as 100.
[3Com-route-policy] apply tag 100

display ip ip-prefix

Syntax
display ip ip-prefix [ ip-prefix-name ]

View
Any view

Parameter
ip-prefix-name: Specifies displayed address prefix list name.

Description
Using the display ip ip-prefix command, you can view the address prefix list. All the configured address prefix lists are displayed when no ip-prefix-name is specified.
For the related command, see ip ip-prefix.

Example
Display the information of the address prefix list named p1.
<3Com> display ip ip-prefix p1
ip-prefix p1 index 10: permit 192.168.10.10/16 greater-equal 17 less-equal 18

display route-policy

Syntax
display route-policy [ route-policy-name ]

View
Any view

Parameter
route-policy-name: Specifies displayed route-policy name.

Description
Using the display route-policy command, you can view the configured route-policy. All the configured route-policies are displayed when no route-policy-name is specified.
For the related command, see route-policy.

Example
Display the information of route-policy named policy1.
<3Com> display route-policy policy1
Route-policy : policy1
Permit 10 : if-match (prefixlist) p1
apply cost 100
matched : 0 denied : 0

filter-policy export

Syntax
filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol ]
undo filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol ]

View
Routing protocol view

Parameter
acl-number: Number of the access control list used for matching the destination address field of the routing information.
ip-prefix-name: Address prefix list used for matching the routing information destination address field.
protocol: Routing information of which kind of route protocol to be filtered.

Description
Using the filter-policy export command, you can configure the filtering conditions of the routing information advertised by a certain type of routing protocols. Using the undo filter-policy export command, you can cancel the filtering conditions set.
By default, the advertised routing information is not filtered.
In some cases, it may be required that only the routing information meeting some conditions can be advertised. Then, the filter-policy command can be used to set the filtering conditions for the routing information to be advertised. Only the routing information passing the filtering can be advertised.
For the related command, see filter-policy import.

Example
Define the filtering rules for advertising the routing information of RIP. Only the routing information passing the filtering of address prefix list p1 will be advertised by RIP.
[3Com-rip] filter-policy ip-prefix p1 export

filter-policy import

Syntax
filter-policy gateway ip-prefix-name import
undo filter-policy gateway ip-prefix-name import
filter-policy { acl-number | ip-prefix ip-prefix-name } import
undo filter-policy { acl-number | ip-prefix ip-prefix-name } import

View
Routing protocol view

Parameter
acl-number: Access control list number used for matching the destination address field of the routing information.
ip-prefix ip-prefix-name: Prefix address list name. Its matching object is the destination address field of the routing information.
gateway ip-prefix-name: Prefix address list name of the neighbor router address. Its matching object is the routing information advertised by the specified neighbor router.

Description
Using the filter-policy gateway import command, you can filter the routing information advertised by a specified router. Using the undo filter-policy gateway import command, you can cancel the setting of the filtering condition.
Using the filter-policy import command, you can configure the condition for filtering the routing information. Using the undo filter-policy import command, you can cancel the setting of filter condition.
By default, the received routing information is not filtered.
In some cases, it may be required that only the routing information meeting some conditions can be received. Then, the filter-policy command can be used to set the filtering conditions. acl-number is the access control list number used for filtering the destination addresses of the routing information and ip-prefix parameter is used to filter the routing information specified destination address.
For the related command, see filter-policy export.

Example
Define the filtering rule for receiving routing information of RIP. Only the routing information filtered through the address prefix list p1 can be received by RIP.
[3Com-rip] filter-policy ip-prefix p1 import
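
What the import filter above lets through when p1 is the entry shown under display ip ip-prefix, as an added example that is not part of the 3Com manual. The matching rules coded here are assumptions (entries are tried in ascending index, the first match decides, and a route matching no entry is denied), and the received routes are constructed.

```python
import ipaddress
import re

ENTRY_RE = re.compile(
    r"index\s+(?P<index>\d+):\s+(?P<action>permit|deny)\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)/(?P<len>\d+)"
    r"(?:\s+greater-equal\s+(?P<ge>\d+))?"
    r"(?:\s+less-equal\s+(?P<le>\d+))?\s*$")


def parse_entry(line):
    """Parse one entry line in the style of the display ip ip-prefix output."""
    m = ENTRY_RE.search(line.strip())
    if m is None:
        raise ValueError(f"not a prefix-list entry: {line!r}")
    length = int(m["len"])
    ge = int(m["ge"]) if m["ge"] else None
    le = int(m["le"]) if m["le"] else None
    # Assumed defaults: no keyword means the mask length must equal len;
    # greater-equal alone means [ge, 32]; less-equal alone means [len, le].
    low = ge if ge is not None else length
    high = le if le is not None else (32 if ge is not None else length)
    if not length <= low <= high <= 32:
        raise ValueError(f"inconsistent mask range in: {line!r}")
    # strict=False masks the host bits: 192.168.10.10/16 becomes 192.168.0.0/16
    network = ipaddress.ip_network(f"{m['net']}/{length}", strict=False)
    return {"index": int(m["index"]), "permit": m["action"] == "permit",
            "network": network, "low": low, "high": high}


def evaluate(entries, route):
    """Return True when the prefix list permits the route."""
    route_net = ipaddress.ip_network(route, strict=True)
    for entry in sorted(entries, key=lambda e: e["index"]):
        inside = route_net.subnet_of(entry["network"])
        if inside and entry["low"] <= route_net.prefixlen <= entry["high"]:
            return entry["permit"]
    return False                      # assumed implicit deny


def filter_import(entries, received):
    """Keep only the received routes that pass the prefix list."""
    return [route for route in received if evaluate(entries, route)]


# Entry taken from the display output on this page.
P1_LINES = ["index 10: permit 192.168.10.10/16 greater-equal 17 less-equal 18"]

# Constructed routes as a neighbor might advertise them.
RECEIVED = [
    "192.168.0.0/16",      # mask shorter than greater-equal 17
    "192.168.128.0/17",    # inside the range
    "192.168.64.0/18",     # inside the range
    "192.168.10.0/24",     # more specific than less-equal 18
    "10.0.0.0/17",         # first 16 bits do not match
]

if __name__ == "__main__":
    p1 = [parse_entry(line) for line in P1_LINES]
    for route in RECEIVED:
        print(f"{route:18} {'accepted' if evaluate(p1, route) else 'filtered'}")
```

The upper bound is what keeps over-specific announcements such as 192.168.10.0/24 out of the routing table even though they fall inside the permitted block.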

if-match acl

Syntax
if-match acl acl-number
undo if-match acl acl-number

View
Routing policy view

Parameter
acl-number: Specifies the number of the access control list used for filtering.
ip-prefix-name: Specifies the name of the prefix address list used for filtering.

Description
Using the if-match acl command, you can configure the IP address range to match the route-policy. Using the undo if-match acl command, you can cancel the setting of the match rule.
Filtering is performed by quoting an ACL.
For the related command, see if-match ip-prefix, if-match interface, if-match ip next-hop, if-match cost, if-match tag, route-policy, apply ip-address, apply cost, apply local-preference, apply origin, and apply tag.

Example
Display how to define one if-match clause. When the clause is used for filtering route information, the route information filtered by route destination address through address ACL 10 is enabled to pass the if-match clause.
[3Com-route-policy] if-match acl 10

if-match as-path

Syntax
if-match as-path acl-number
undo if-match as-path

View
Routing policy view

Parameter
acl-number: AS path list number. The range is 1 to 199.

Description
Using the if-match as-path command, you can configure the matched AS path list number of route-policy. Using the undo if-match as-path command, you can cancel the matched path list number.
By default, AS path list number is not matched.
This if-match clause of route-policy is used to filter BGP routing information. The match condition is specified according to the AS path attributes of the routing information.

Example
Define an as-path numbered as 2 and allow the autonomous system number to contain the routing information of 200 and 300. Then, define a route-policy named test. The node No.10 of this route-policy defines an if-match clause, which quotes the definition of as-path.
[3Com] ip as-path acl 2 permit 200:300
[3Com] route-policy test permit node 10
[3Com-route-policy] if-match as-path 2

if-match community

Syntax
if-match community { standard-community-list-number [ whole-match ] | extended-community-list-number }
undo if-match community

View
Routing policy view

Parameter
standard-community-list-number: Standard community list number, ranging from 1 to 99.
extended-community-list-number: Extended community list number, ranging from 100 to 199.
whole-match: Fully matching, i.e., all the communities must appear.

Description
Using the if-match community command, you can configure the community list number to be matched in route-policy. Using the undo if-match community command, you can cancel the configuration of the matched community list number.
By default, community list is not matched.
The if-match clause of route-policy is used to filter BGP routing information. The match condition is specified according to the community attributes of the routing information.
For the related commands, see route-policy and ip community-list.

Example
Define a community-list numbered as 1, and allow the autonomous system number to contain the routing information of 100 and 200. Then, the route-policy named test is defined. The node No.10 of the route-policy defines an if-match clause, which quotes the definition of the community-list.
[3Com] ip community-list 1 permit 100:200 [3Com] route-policy test permit node 10 [3Com-route-policy] if-match community 1

if-match cost

Syntax
if-match cost value
undo if-match cost


View Routing policy view Parameter value: Specifies the required route cost value, ranging from 0 to 4294967295. Description Using the if-match cost command, you can configure one of the matching rules of route-policy to match the cost of the routing information. Using the undo if-match cost command, you can cancel the configuration of the matching rule. By default, no if-match clause is defined. This if-match clause of route-policy is used to specify the route cost value of the matched routing information. For the related command, see if-match interface, if-match acl, if-match ip-prefix, if-match ip next-hop, if-match tag, route-policy, apply ip-address, apply local-preference, apply cost, apply origin, and apply tag. Example Define an if-match clause, which allows the routing information with routing cost 8 to pass this if-match clause.
[3Com-route-policy] if-match cost 8

if-match interface

Syntax
if-match interface { interface-name | interface-type interface-number }
undo if-match interface

View Routing policy view

Parameter
interface-type: Specifies interface type.
interface-number: Specifies interface number.
interface-name: Specifies interface name.

Description Using the if-match interface command, you can match the route whose next hop is the designated interface. Using the undo if-match interface command, you can cancel the setting of the match condition. By default, no if-match clause is defined. This if-match clause of the route-policy is used to match the corresponding interface of the route next hop when it filters the route. For the related command, see if-match acl, if-match ip-prefix, if-match ip next-hop, if-match cost, if-match tag, route-policy, apply ip-address, apply cost, apply local-preference, apply origin, and apply tag.

Example Display how to define one if-match clause to match the route whose next hop interface is ethernet 1/0/2.
[3Com-route-policy] if-match interface Ethernet1/0/2

if-match ip next-hop

Syntax
if-match ip next-hop { acl acl-number | ip-prefix ip-prefix-name }
undo if-match ip next-hop [ ip-prefix ]

View Routing policy view

Parameter
acl-number: Specifies the number of the access control list used for filtering. The range is 1 to 99.
ip-prefix-name: Specifies the name of the prefix address list used for filtering. The range is 1 to 19.

Description Using the if-match ip next-hop command, you can configure one of the match rules of route-policy on the next hop address of the routing information. Using the undo if-match ip next-hop command, you can cancel the setting of the match condition. By default, no if-match clause is defined. When it filters the routing information, this if-match clause of the route-policy is used to specify the next hop address field to be matched, and it implements its filtering function by referring to an ACL or address prefix list. For the related command, see if-match interface, if-match acl, if-match ip-prefix, if-match cost, if-match tag, route-policy, apply ip-address, apply cost, apply local-preference, apply origin, and apply tag.

Example Define an if-match clause. It permits the routing information, whose route next hop address passes the filtering of the prefix address list p1, to pass this if-match clause.
[3Com-route-policy] if-match ip next-hop ip-prefix p1

if-match ip-prefix

Syntax
if-match ip-prefix ip-prefix-name
undo if-match [ ip-prefix ip-prefix-name ]

View Routing policy view

Parameter ip-prefix-name: Specifies the name of the prefix address list used for filtering.

Description Using the if-match ip-prefix command, you can configure one of the match rules of route-policy on the IP address range of the routing information. Using the undo if-match ip-prefix command, you can cancel the setting of the match condition. The filtering is achieved by referencing an IP address prefix list name. For the related command, see if-match acl, if-match interface, if-match ip next-hop, if-match cost, if-match tag, route-policy, apply ip-address, apply cost, apply local-preference, apply origin, and apply tag.

Example Define an if-match sub-statement in which the IP address prefix list p1 is used in routing information filtering.
[3Com-route-policy] if-match ip-prefix p1

if-match tag

Syntax
if-match tag value
undo if-match tag

View Routing policy view Parameter value: Specifies the required tag value. Description Using the if-match tag command, you can match the tag field of OSPF route information. Using the undo if-match tag command, you can cancel the existing matching rules. For the related command, see if-match interface, if-match acl, if-match ip-prefix, if-match ip next-hop, if-match cost, route-policy, apply ip-address, apply cost, apply local-preference, apply origin, and apply tag. Example Display how to define one if-match clause and enable the OSPF route information whose tag field is 8 to pass the if-match clause.
[3Com-route-policy] if-match tag 8

ip ip-prefix

Syntax
ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } network len [ greater-equal greater-equal | less-equal less-equal ]
undo ip ip-prefix ip-prefix-name [ index index-number | permit | deny ]

View System view

Parameter
ip-prefix-name: Specifies an address prefix list name. It identifies one address prefix list uniquely.
index-number: Identifies an item in the prefix address list. The item with smaller index-number will be tested first.
permit: Specifies the match mode of the defined address prefix list items as permit mode. In the permit mode, if the IP address to be filtered is in the defined range, it will not be tested by the next node. Otherwise, it has to go on with the test.
deny: Specifies the match mode of the defined address prefix list items as deny mode. In the deny mode, the IP address in the defined range cannot pass the filtering and is refused to go on with the next test. Otherwise, it will have the next test.
network: IP address prefix range (IP address). If it is 0.0.0.0 0, all the IP addresses are matched.
len: IP address prefix range (mask length). If it is 0.0.0.0 0, all the IP addresses are matched.
greater-equal, less-equal: Specifies the address prefix range [greater-equal, less-equal] to be matched after the address prefix network len has been matched. The meaning of greater-equal is "greater than or equal to", and the meaning of less-equal is "less than or equal to". The range is len <= greater-equal <= less-equal <= 32. When only greater-equal is used, it indicates the prefix range [greater-equal, 32]. When only less-equal is used, it indicates the prefix range [len, less-equal].

Description Using the ip ip-prefix command, you can configure an address prefix list or one of its items. Using the undo ip ip-prefix command, you can delete an address prefix list or one of its items. The address prefix list is used for IP address filtering. An address prefix list may contain several items, and each item specifies one address prefix range. The inter-item filtering relation is "OR", i.e. passing an item means passing the filtering of this address prefix list. Not passing the filtering of all items means not passing the filtering of this prefix address list. The address prefix range may contain two parts, which are determined by len and [greater-equal, less-equal] respectively. If the prefix ranges of these two parts are both specified, the IP to be filtered must match the prefix ranges of these two parts. If you specify network len as 0.0.0.0 0, it only matches the default route. Specify network len as 0.0.0.0 0 less-equal 32 to match all the routes.

Example Configure an address prefix list named p1. It permits the routes with the mask of 17 or 18 bits long and in network segment 10.0.192.0/8 to pass.
[3Com] ip ip-prefix p1 permit 10.0.192.0 8 greater-equal 17 less-equal 18

route-policy

Syntax
route-policy route-policy-name { permit | deny } node { node-number }
undo route-policy route-policy-name [ permit | deny | node node-number ]

View System view

Parameter
route-policy-name: Specifies the route-policy name to identify one route-policy uniquely.
permit: Specifies the match mode of the defined route-policy node as permit mode. If a route matches all the if-match clauses, it is permitted to pass the filtering and execute the apply clauses of this node. If not, it will take the test of the next node of this route-policy.
deny: Specifies the match mode of the defined route-policy node as deny mode. When a route matches all the if-match clauses of this node, it will be refused to pass the filtering and will not take the next test.
node: Node of the route policy.
node-number: Index of the node in the route-policy. When this route-policy is used for routing information filtering, the node with smaller node-number will be tested first.

Description Using the route-policy command, you can create and enter route-policy view. Using the undo route-policy command, you can cancel the established route-policy. By default, no route-policy is defined. Route-policy is used for route information filtering or route policy. One route-policy comprises some nodes and each node comprises some if-match and apply clauses. The if-match clause defines the match rules of this node and the apply clause defines the actions after passing the filtering of this node. The filtering relationship between the if-match clauses of the node is "and", i.e., a route must meet all the if-match clauses of the node. The filtering relation between route-policy nodes is "OR", i.e. passing the filtering of one node means passing the filtering of this route-policy. If the information does not pass the filtering of any nodes, it cannot pass the filtering of this route-policy. For the related command, see if-match interface, if-match acl, if-match ip-prefix, if-match ip next-hop, if-match cost, if-match tag, apply ip-address, apply local-preference, apply cost, apply origin, and apply tag.

Example Display how to configure one route-policy policy1, whose node number is 10 and the match mode is permit, and enter route policy view.
[3Com] route-policy policy1 permit node 10
[3Com-route-policy]
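The matching rules described for ip ip-prefix and route-policy, modelled in Python as an added example (not 3Com code) so that a filter can be checked against sample routes before it is deployed. The class and function names, the index value 10, the sample routes, and the assumption that only the first len bits of network are compared are this example's own; apply clauses are omitted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class PrefixItem:
    """One 'ip ip-prefix' item: network len [greater-equal] [less-equal]."""
    index: int
    permit: bool
    network: str
    length: int
    ge: Optional[int] = None
    le: Optional[int] = None

    def mask_range(self):
        # No ge/le: only mask length len itself matches, so 0.0.0.0 0 is
        # just the default route. ge only: [ge, 32]. le only: [len, le].
        if self.ge is None and self.le is None:
            return self.length, self.length
        lo = self.length if self.ge is None else self.ge
        hi = 32 if self.le is None else self.le
        if not self.length <= lo <= hi <= 32:
            raise ValueError("need len <= greater-equal <= less-equal <= 32")
        return lo, hi

    def covers(self, route: str) -> bool:
        # Assumption: only the first `len` bits of `network` are compared,
        # so 10.0.192.0 8 behaves like 10.0.0.0/8.
        net = ipaddress.ip_network(f"{self.network}/{self.length}", strict=False)
        cand = ipaddress.ip_network(route, strict=False)
        lo, hi = self.mask_range()
        return cand.network_address in net and lo <= cand.prefixlen <= hi


def prefix_list_passes(items: List[PrefixItem], route: str) -> bool:
    """Items are tested by ascending index; the first covering item decides."""
    for item in sorted(items, key=lambda i: i.index):
        if item.covers(route):
            return item.permit
    return False  # no item matched: the route does not pass the list


@dataclass(frozen=True)
class Route:
    prefix: str
    cost: int = 0


@dataclass
class Node:
    number: int
    permit: bool
    if_match: List[Callable[[Route], bool]]


def route_policy_passes(nodes: List[Node], route: Route) -> bool:
    """Nodes are tested by ascending node-number. Inside a node the if-match
    clauses are ANDed; the first node whose clauses all match decides."""
    for node in sorted(nodes, key=lambda n: n.number):
        if all(clause(route) for clause in node.if_match):
            return node.permit
    return False  # passed no node: does not pass the route-policy


def match_ip_prefix(items):
    return lambda r: prefix_list_passes(items, r.prefix)


def match_cost(value):
    return lambda r: r.cost == value


# Constructed sample data. P1 is the manual's p1 example with an assumed index.
P1 = [PrefixItem(10, True, "10.0.192.0", 8, ge=17, le=18)]
DEFAULT_ONLY = [PrefixItem(10, True, "0.0.0.0", 0)]
ALL_ROUTES = [PrefixItem(10, True, "0.0.0.0", 0, le=32)]
# A list holding only deny items refuses every route, not just the denied range.
DENY_ONLY = [PrefixItem(10, False, "192.168.0.0", 16, le=32)]
DENY_THEN_PERMIT = DENY_ONLY + [PrefixItem(20, True, "0.0.0.0", 0, le=32)]
# Nodes listed out of order on purpose: node 10 is still tested first.
POLICY = [
    Node(20, True, [match_cost(8)]),
    Node(10, False, [match_ip_prefix(P1), match_cost(8)]),
]

if __name__ == "__main__":
    for prefix in ("10.1.128.0/17", "10.1.0.0/16", "11.0.0.0/17"):
        print("p1", prefix, prefix_list_passes(P1, prefix))
    for r in (Route("172.16.0.0/16", 8), Route("10.1.128.0/17", 8)):
        print("policy", r, route_policy_passes(POLICY, r))
```

The DENY_ONLY case is the one to check on a real configuration: a prefix list written only to block a range needs a final permit item, otherwise nothing passes it.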

Route Capacity Configuration Commands
display memory limit

Syntax
display memory limit

View Any view Parameter None Description Using the display memory limit command, you can view the memory setting and state information related to the router capacity. It includes available memory and state information about connections such as times for disconnecting connections, times for reestablishing connections and whether the current system is in the emergent state or not. Example Display the current memory setting and state information.
<3Com> display memory limit

Current memory limit configuration information:
memory safety: 30
memory limit: 20
memory auto-establish enabled
Free Memory: 73855332 (Byte)
The state information about connection:
The times of disconnect: 0
The times of reconnect: 0
The current state: Normal

The information displayed by this command includes the router memory limit, the size of the idle memory, the times of connection disconnecting, the times of connection reestablishment and the current state. The displayed information is described specifically in the following table:
Table 5 Description of the information displayed by the display memory limit command
Item | Description
memory safety: 30 | The safety value of the router memory is 30Mbytes.
memory limit: 20 | The lower limit of the router memory is 20Mbytes.
memory auto-establish enabled | The system allows recovering the connection automatically. (If automatic recovery is disabled, "auto-establish disabled" will be displayed.)
Free Memory: 73855332 (Byte) | The size of the current idle memory is 73855332 bytes, that is, 73.855M.
The times of disconnect: 0 | The times of the connection disconnecting of the router is 0.
The times of reconnect: 0 | The times of the connection re-establishment of the router is 0.
The current state: Normal | The current state is normal. (If entering the emergent state, the system will display "Exigency".)

memory auto-establish disable

Syntax
memory auto-establish disable

View System view

Parameter None

Description Using the memory auto-establish disable command, you can disable the function of restoring the connections of all the routing protocols (even if the idle memory reduces to a safety value). By default, when the idle memory of the router recovers to a safety value, connections of all the routing protocols will always recover (when the idle memory of the router reduces to a lower limit, the connection will be disconnected forcibly). Using the memory auto-establish disable command, you can disable the above function. Thus, connections of all the routing protocols will not recover when the idle memory of the router recovers to a safety value. In this case, you need to restart the routing protocol to recover the connections. Use this command cautiously. For the related commands, see memory auto-establish enable, memory { safety | limit }, and display memory limit.

Example Disable automatic recovery of the connections of all the protocols when the current router memory resumes.
[3Com] memory auto-establish disable
[3Com]
%3/13/2003 15:47:2-RM-5-S1-RTLOG:You have changed the model of connection

memory auto-establish enable

Syntax
memory auto-establish enable

View System view

Parameter None

Description Using the memory auto-establish enable command, you can resume connections of all the routing protocols when the idle memory of the router recovers to a safety value. By default, when the idle memory of the router recovers to a safety value, connections of all the routing protocols will always recover (when the idle memory of the router reduces to a lower limit, the connection will be disconnected forcibly). Using the memory auto-establish disable command, you can disable the above function. Using the memory auto-establish enable command, you can enable the above function again. By default, the function is always enabled. For the related command, see memory auto-establish disable, memory { safety | limit }, and display memory limit.

Example Enable memory resume of the current router and recover connections of all the protocols automatically.
[3Com] memory auto-establish enable
[3Com]
%3/13/2003 15:48:2-RM-5-S1-RTLOG:You have changed the model of connection

memory limit

Syntax
memory limit limit-value
undo memory limit

View System view

Parameter limit-value: Lower limit of the router idle memory, in the unit of Mbytes. Its value range depends on the idle memory of the current router. The default value is 20Mbytes.

Description Using the memory limit command, you can configure the lower limit of the router idle memory. When the idle memory of the router is less than this limit, all the routing protocol connections will be disconnected forcibly. Using the undo memory limit command, you can configure the safety value and the lower limit of the router idle memory to the default configuration. The limit-value in the command must be less than the current idle memory safety value; otherwise the configuration will fail. This command can be used with the memory safety command to change the safety value and lower limit of the router idle memory. The safety-value must be more than the limit-value in the command; otherwise the configuration will fail. For the related commands, see memory auto-establish disable, memory auto-establish enable, memory safety, and display memory limit.

Example Set the lower limit of the router idle memory to 25Mbytes.
[3Com] memory limit 25
[3Com]
%8/19/2002 16:35:41-RM-5-RTLOG:You have changed the memory limit/safety value

Set the lower limit of the router idle memory to 25Mbytes and the safety value to 35Mbytes.
[3Com] memory safety 35 limit 25
[3Com]
%8/19/1995 15:45:58-RM-5-RTLOG:Changed the system memory limit(20->25)/ safety(30->35) successfully

memory safety

Syntax
memory safety safety-value
undo memory safety

View System view

Parameter safety-value: Safety value of the router idle memory, in the unit of Mbytes. Its value range depends on the idle memory of the active router. The default value is 30Mbytes.

Description Using the memory safety command, you can configure the safety value of the router idle memory. Using the undo memory safety command, you can configure the safety value and the lower limit of the router idle memory to the default configuration. The safety-value in the command must be more than the current idle memory lower limit; otherwise the configuration will fail. This command can be used with the memory limit command to change the safety value and lower limit of the router idle memory. The safety-value must be more than the limit-value in the command; otherwise the configuration will fail. For the related commands, see memory auto-establish disable, memory auto-establish enable, memory limit, and display memory limit.

Example Set the safety value of the router to 35Mbytes.
[3Com] memory safety 35
[3Com]
%8/19/2002 16:35:41-RM-5-RTLOG:You have changed the memory limit/safety value

Set the lower limit of the router idle memory to 25Mbytes and the safety value to 35Mbytes.
[3Com] memory safety 35 limit 25
[3Com]
%8/19/1995 15:45:58-RM-5-RTLOG:Changed the system memory limit(20->25)/ safety(30->35) successfully

7

Multicast Common Configuration Commands

This chapter covers the following commands:
■ Multicast Common Configuration Commands
■ IGMP Configuration Commands
■ PIM Configuration Commands
■ MSDP Configuration Commands
■ MBGP Multicast Extension Configuration Commands
■ Multicast Static Route Configuration Commands

Multicast Common Configuration Commands
debugging multicast forwarding

Syntax
debugging multicast forwarding
undo debugging multicast forwarding

View User view Parameter None Description Using the debugging multicast forwarding command, you can enable multicast packet forwarding debugging functions. Using the undo debugging multicast forwarding command, you can disable the debugging functions. By default, the debugging function is disabled. Example Enable multicast packet forwarding debugging functions.
<3Com> debugging multicast forwarding

debugging multicast kernel-routing

Syntax
debugging multicast kernel-routing
undo debugging multicast kernel-routing


View User view Parameter None Description Using the debugging multicast kernel-routing command, you can enable multicast kernel routing debugging functions. Using the undo debugging multicast kernel-routing command, you can disable the debugging functions. By default, the multicast kernel routing debugging function is disabled. Example Enable multicast kernel routing debugging functions.
<3Com> debugging multicast kernel-routing

debugging multicast status-forwarding

Syntax
debugging multicast status-forwarding
undo debugging multicast status-forwarding

View User view Parameter None Description Using the debugging multicast status-forwarding command, you can enable multicast forwarding status debugging functions. Using the undo debugging multicast status-forwarding command, you can disable the debugging functions. By default, the multicast status debugging function is disabled. Example Enable multicast forwarding status debugging functions.
<3Com> debugging multicast status-forwarding

display multicast forwarding-table

Syntax
display multicast forwarding-table [ group-address [ mask { mask | mask-length } ] | source-address [ mask { mask | mask-length } ] | incoming-interface { interface-type interface-number | register } ] *

View Any view

Parameter
group-address: Multicast group address, used to specify a multicast group, ranging from 224.0.0.0 to 239.255.255.255.
mask: Mask.
mask-length: Length of mask. Because “1”s in 32-bit mask are required to be continuous, the mask in dotted decimal notation format can be replaced by mask-length (mask-length is the number of continuous “1”s in the mask).
source-address: Unicast IP address of the multicast source.
incoming-interface: Incoming interface of the multicast forwarding entry.
register: Register interface of PIM-SM.

Description Using the display multicast forwarding-table command, you can view the information of the multicast forwarding table. Source-address and group-address of the multicast forwarding table are displayed in hexadecimal notation format and its incoming and outgoing port numbers are displayed by virtual port number. This information can be viewed via the display pim interface command. For the related command, see display multicast routing-table.

Example Display the multicast forwarding table information.
<3Com> display multicast forwarding-table

display multicast routing-table

Syntax
display multicast routing-table [ group-address [ mask { mask | mask-length } ] | source-address [ mask { mask | mask-length } ] | incoming-interface { interface-type interface-number | register } ]*

View Any view

Parameter
group-address: Multicast group address, used to specify a multicast group and display the corresponding routing table information of the group. The value ranges from 224.0.0.0 to 239.255.255.255.
source-address: Unicast IP address of the multicast source.
mask: Mask.
mask-length: Length of mask. Because “1”s in 32-bit mask are required to be continuous, the mask in dotted decimal notation format can be replaced by mask-length (mask-length is the number of continuous “1”s in the mask).
incoming-interface: Incoming interface of the multicast route entry.
register: Register interface of PIM-SM.

Description Using the display multicast routing-table command, you can view the information of an IP multicast routing table. This command displays the multicast routing table information, while the display multicast forwarding-table command displays the multicast forwarding table information. The entry (S, G) in the multicast routing table, i.e., (multicast source, multicast group) acts as the independent entry in the table. Each entry has a unique Upstream, indicating the interface through which RPF goes to the multicast source. Each entry also has a Downstream List indicating which interfaces need multicast forwarding. The related information about (S, G) includes:
■ proto - The multicast protocol number which possesses the (S, G) (in hexadecimal notation format).
■ Flags - All kinds of flags, such as RPT 0x1, WC 0x2, SPT 0x4, NEG CACHE 0x8 and JOIN SUPP 0x10. Each flag is marked by one binary bit. RPT indicates the (S, G) is in the shared tree status. WC is the abbreviation of wildcard. SPT indicates the shortest path tree. NEG CACHE indicates the cache record that the downstream interface list is null. JOIN SUPP indicates the prune suppression status.

Example Display the corresponding route entry information of multicast group in the multicast routing table.
<3Com> display multicast routing-table
Multicast Routing Table
Total 1 entry
(10.10.1.2, 225.1.1.1)
UpTime: 00:01:28, Timeout in 278 sec
Upstream interface: Ethernet0/0/0(10.10.1.20)
Downstream interface list:
LoopBack0(20.20.20.30), Protocol 0x1: IGMP

display multicast routing-table static

Syntax
display multicast routing-table static [ config ] [ source-address [ mask | mask-length ] ]

View Any view

Parameter
config: When this parameter is chosen, all the routing information configured will be displayed. If this parameter is not chosen, only effective routing information is displayed.
source-address: IP address of the multicast source.
mask: Mask.
mask-length: Length of mask. Because “1”s in 32-bit mask are required to be continuous, the mask in dotted decimal notation format can be replaced by mask-length (mask-length is the number of continuous “1”s in the mask).

Description Using the display multicast routing-table static command, you can view the configuration information of a static multicast route.

Example Display the configuration information of static multicast route.
<3Com> display multicast routing-table static
100.10.0.0/16
RPF interface = 10.10.1.20(Ethernet0/0/0), RPF neighbor = 10.10.1.20
Matched routing protocol = <none>, route-policy = <none>, preference = 1
Running config = ip rpf-route-static 100.10.0.0 16 Ethernet0/0/0 preference 1

display multicast rpf-info

Syntax
display multicast rpf-info source-address

View Any view

Parameter source-address: IP address of the multicast source.

Description Using the display multicast rpf-info command, you can view the Reverse Path Forwarding (RPF) routing information for a specified multicast source.

Example Display all the RPF routing information.
<3Com> display multicast rpf-info 192.193.194.192
Multicast source's RPF route information about 192.193.194.192
RPF interface: InLoopBack0, RPF neighbor: 127.0.0.1
Referenced route/mask: 192.193.194.192/32
Referenced route type: unicast (DIRECT)
RPF-route selecting rule: preference-preferred

mtracert

Syntax
mtracert { source-address } [ last-hop-address ] [ group-address ]

View Any view

Parameter
source-address: Address of the multicast source.
last-hop-address: Unicast address, which is the starting address of path tracing. This address must be an interface address of a hop router. By default, it is a physical interface address of the local router.
group-address: Address of multicast group. By default, the value is 0.0.0.0.

Description Using the mtracert command, you can trace the network path from the multicast source to the destination receiver along the Multicast Distribution Tree according to either the multicast kernel routing table or the RPF rule to the source. This command can help to locate the faults, such as information loss and configuration error. The trace mode to the group address of 0.0.0.0 is called weak trace mode.

Example Trace the path reversely from the local hop router 18.110.0.1 to the multicast source 10.10.1.2 in weak trace mode.
<3Com> mtracert 10.10.1.2
Type Ctrl+C to abort
Mtrace from 10.10.1.2 to 18.110.0.1 via RPF
Querying full reverse path...
-1 18.110.0.1
Incoming Interface Address: 18.110.0.1
Previous-Hop Router Address: 18.110.0.2
Input packet count on incoming interface: 0
Output packet count on outgoing interface: 0
Total number of packets for this source-group pair: 0
Protocol: PIM
Forwarding TTL: 0
Forwarding Code: No error
-2 18.110.0.2
Incoming Interface Address: 11.110.0.2
Previous-Hop Router Address: 11.110.0.4
Input packet count on incoming interface: 0
Output packet count on outgoing interface: 0
Total number of packets for this source-group pair: 0
Protocol: PIM
Forwarding TTL: 0
Forwarding Code: No error
-3 11.110.0.4
Incoming Interface Address: 10.10.1.3
Previous-Hop Router Address: 0.0.0.0
Input packet count on incoming interface: 0
Output packet count on outgoing interface: 0
Total number of packets for this source-group pair: 0
Protocol: PIM
Forwarding TTL: 0
Forwarding Code: No error

Trace reversely the path information of multicast group 225.1.1.1 from the multicast source 10.10.1.3 to the destination address 12.110.0.2.
<3Com> mtracert 10.10.1.3 12.110.0.2 225.1.1.1
Type Ctrl+C to abort
Mtrace from 10.10.1.3 to 12.110.0.2 via group 225.1.1.1
Querying full reverse path...
-1 12.110.0.2
Incoming Interface Address: 11.110.0.2
Previous-Hop Router Address: 11.110.0.4
Input packet count on incoming interface: 316
Output packet count on outgoing interface: 135
Total number of packets for this source-group pair: 4
Protocol: PIM
Forwarding TTL: 0
Forwarding Code: No error
-2 11.110.0.4
Incoming Interface Address: 127.0.0.5
Previous-Hop Router Address: 0.0.0.0
Input packet count on incoming interface: 0
Output packet count on outgoing interface: 0
Total number of packets for this source-group pair: 4
Protocol: Unknown
Forwarding TTL: 0
Forwarding Code: No error

multicast minimum-ttl

Syntax
multicast minimum-ttl ttl-value
undo multicast minimum-ttl

View Interface view Parameter ttl-value: The minimum TTL value, ranging from 0 to 255. Description Using the multicast minimum-ttl command, you can configure the minimum TTL value for multicast forwarding. Using the undo multicast minimum-ttl command, you can remove the minimum TTL value configured. By default, no minimum TTL value for multicast forwarding is configured. Example Configure the minimum TTL value for multicast forwarding to 8.
[3Com-Ethernet1/0/1] multicast minimum-ttl 8

multicast packet-boundary

Syntax
multicast packet-boundary acl-number
undo multicast packet-boundary

View Interface view Parameter acl-number: Number of basic or advanced ACL, ranging from 1 to 199.


Description Using the multicast packet-boundary command, you can configure a multicast forwarding boundary. Using the undo multicast packet-boundary command, you can remove the multicast forwarding boundary configured. By default, no multicast forwarding boundary is configured. You can set boundary conditions for multicast packets on an interface via basic or advanced Access Control List (ACL). Packets denied by the ACL will be discarded. The source address of a multicast packet can be filtered through the basic ACL. Both the source address and the destination address (source group address) of a multicast packet can be filtered through the advanced ACL. Example Set boundary conditions for multicast packets through the basic ACL 1.
[3Com-Ethernet1/0/1] multicast packet-boundary 1

multicast route-limit

Syntax
multicast route-limit limit

View System view Parameter limit: Limit of multicast routing table capacity, ranging from 0 to MAX_MROUTE_LIMIT. In which, MAX_MROUTE_LIMIT differs with the different router types. Description Using the multicast route-limit command, you can limit the multicast routing table capacity. If the capacity exceeds the limit, the router will discard protocols and data packets of the newly-added (S, G). By default, the limit of multicast routing table capacity is MAX_MROUTE_LIMIT. If the number of route entries in the routing table has exceeded the configured number when configuring the command, the previous route entry in the routing table will not be deleted. The system will prompt “The number of current route entries is more than that configured.” If this command is executed repeatedly, the new configuration will overwrite the previous one. Example Limit the multicast routing table capacity to 1000.
[3Com] multicast route-limit 1000

multicast routing-enable

Syntax
multicast routing-enable
undo multicast routing-enable


View System view Parameter None Description Using the multicast routing-enable command, you can enable IP multicast routing. Using the undo multicast routing-enable command, you can disable IP multicast routing. By default, IP multicast routing is disabled. The system will not forward any multicast packet when IP multicast routing is disabled. For the related commands, see pim dm and pim sm. Example Enable IP multicast routing.
<3Com> system-view
[3Com] multicast routing-enable

reset multicast forwarding-table

Syntax
reset multicast forwarding-table [ statistics ] { all | { group-address [ mask { group-mask | group-mask-length } ] | source-address [ mask { source-mask | source-mask-length } ] | { incoming-interface interface-type interface-number } | { slot slot-number } } * }

View
User view

Parameter
statistics: If this parameter is used, the statistics of MFC forwarding entries will be cleared. Otherwise, the MFC forwarding entries will be cleared.
all: All the MFC forwarding entries.
group-address: Address of the specified group.
group-mask: Address mask of the specified group.
group-mask-length: Address mask length of the specified group.
source-address: Address of the specified source.
source-mask: Address mask of the specified source.
source-mask-length: Address mask length of the specified source.
incoming-interface: Incoming interface of the specified forwarding entry.
interface-type interface-number: Interface type and interface number.
slot-number: Number of the slot where the interface board resides. This parameter is only present in the distributed router.

Description
Using the reset multicast forwarding-table command, you can clear MFC forwarding entries or the statistics of MFC forwarding entries.
The sequence of group-address and source-address can be reversed, but the input group-address and source-address must be valid. Otherwise, the system will prompt input error.
For the related commands, see reset pim routing-table, reset multicast routing-table, and display multicast forwarding-table.

Example
Clear the forwarding entry whose group address is 225.5.4.3 from the MFC forwarding table.
<3Com> reset multicast forwarding-table 225.5.4.3

Clear the statistics of the forwarding entry whose group address is 225.5.4.3 from MFC forwarding table.
<3Com> reset multicast forwarding-table statistics 225.5.4.3

reset multicast routing-table

Syntax
reset multicast routing-table { all | { group-address [ mask { group-mask | group-mask-length } ] | source-address [ mask { source-mask | source-mask-length } ] | { incoming-interface interface-type interface-number } } * }

View
User view

Parameter
all: All the route entries in multicast kernel routing table.
group-address: Address of the specified group.
group-mask: Address mask of the specified group.
group-mask-length: Address mask length of the specified group.
source-address: Address of the specified source.
source-mask: Address mask of the specified source.
source-mask-length: Address mask length of multicast source.
incoming-interface: Incoming interface of the specified route entry.
interface-type interface-number: Interface type and interface number.

Description
Using the reset multicast routing-table command, you can clear the route entry in the multicast kernel routing table and remove the corresponding forwarding entry in MFC.
The sequence of group-address and source-address can be reversed, but the input group-address and source-address must be valid. Otherwise, the system will prompt input error.
For the related commands, see reset pim routing-table, reset multicast forwarding-table, and display multicast forwarding-table.

Example
Clear the route entry whose group address is 225.5.4.3 from the multicast kernel routing table.
<3Com> reset multicast routing-table 225.5.4.3

IGMP Configuration Commands

debugging igmp

Syntax
debugging igmp { all | event | host | packet | timer }
undo debugging igmp { all | event | host | packet | timer }

View
User view

Parameter
all: All the debugging information of IGMP.
event: Debugging information of IGMP event.
host: Debugging information of IGMP host.
packet: Debugging information of IGMP packets.
timer: Debugging information of IGMP timers.

Description
Using the debugging igmp command, you can enable IGMP debugging functions. Using the undo debugging igmp command, you can disable the debugging functions. By default, IGMP debugging functions are disabled.

Example
Enable all IGMP debugging functions.
<3Com> debugging igmp all

display igmp group

Syntax
display igmp group [ group-address | interface interface-type interface-number | local ]

View
Any view

Parameter
group-address: Multicast group address.
interface-type interface-number: Interface type and interface number of the router, used to specify the interface.
local: Information of the local interface which receives and sends multicast data.

Description
Using the display igmp group command, you can view the member information of the IGMP multicast group.
You can view the information of a group, or the member information of the multicast group, on an interface. The information displayed includes the multicast groups joined through IGMP, and those joined statically through command lines by the downstream host.
For the related command, see igmp host-join.

Example
Display the member information of the directly connected sub-network.
<3Com> display igmp group
LoopBack0 (20.20.20.20): Total 3 IGMP Groups reported:
   Group Address   Last Reporter   Uptime     Expires
   225.1.1.1       20.20.20.20     00:02:04   00:01:15
   225.1.1.3       20.20.20.20     00:02:04   00:01:15
   225.1.1.2       20.20.20.20     00:02:04   00:01:17

Table 1 Description of output information of the display igmp group command
Item            Description
Group address   Multicast group address
Last Reporter   The last host reporting that it has become a multicast group member
Uptime          The time since the multicast group was found (hour, minute, second)
Expires         The predicted time when the record will be removed from the IGMP group table (hour, minute, second)

display igmp interface

Syntax
display igmp interface [ interface-type interface-number ]

View
Any view

Parameter
interface-type interface-number: Interface type and interface number of the router, used to specify the interface. If the parameters are not specified, information about all the interfaces running IGMP will be displayed.

Description
Using the display igmp interface command, you can view the IGMP configuration and running information on an interface.
The information displayed through display igmp interface differs according to the configuration of IGMP proxy on an interface:
- If the interface is neither a proxy nor a client, the configuration of IGMP Proxy will not be displayed.
- If the interface is a proxy, all the clients will be displayed.
- If the interface is a client, the proxy will be displayed.

Example
Display the IGMP configuration and running information on an interface.
<3Com> display igmp interface
Ethernet0/0/0 (10.10.1.20):
  IGMP is enabled
  Current IGMP version is 2
  Value of query interval for IGMP(in seconds): 60
  Value of other querier time out for IGMP(in seconds): 120
  Value of maximum query response time for IGMP(in seconds): 10
  Policy to accept IGMP reports: none
  Querier for IGMP: 10.10.1.10
  Total 2 IGMP groups reported
LoopBack0 (20.20.20.30):
  IGMP is enabled
  Current IGMP version is 2
  Value of query interval for IGMP(in seconds): 60
  Value of other querier time out for IGMP(in seconds): 120
  Value of maximum query response time for IGMP(in seconds): 10
  Policy to accept IGMP reports: none
  Querier for IGMP: 20.20.20.30 (this router)
  No IGMP group reported

display igmp local

Syntax
display igmp local

View
Any view

Parameter
local: Information of the local interface which receives and sends multicast data.

Description
Using the display igmp local command, you can view the IGMP configuration and running information of the local interface, which receives and sends multicast data.

Example
Display the IGMP configuration and running information of the local interface which receives and sends multicast data.
<3Com> display igmp local
Mcast_Out_IF (127.0.0.6):
  IGMP is enabled on interface
  Current IGMP version is 2
  No IGMP group reported
Mcast_In_IF (127.0.0.5):
  IGMP is disabled on interface

igmp enable

Syntax
igmp enable
undo igmp enable

View
Interface view

Parameter
None

Description
Using the igmp enable command, you can enable IGMP on an interface. Using the undo igmp enable command, you can disable IGMP on an interface. By default, IGMP is disabled on an interface.
Only after multicast is enabled can this command take effect. After this command is configured, the configuration of other attributes of IGMP can be performed.
For the related command, see multicast routing-enable.

Example
Enable IGMP on the interface Ethernet0/0/0.
<3Com-Ethernet0/0/0] igmp enable

igmp group-limit

Syntax
igmp group-limit limit
undo igmp group-limit

View
Interface view

Parameter
limit: Number of IGMP groups, ranging from 0 to MAX_IF_IGMP_GROUP_LIMIT. The value of MAX_IF_IGMP_GROUP_LIMIT on routers is MAX_MROUTE_LIMIT, which differs between router types.

Description
Using the igmp group-limit command, you can limit the number of IGMP groups joined on the interface. If the number exceeds the limit, the router will no longer process IGMP join packets. Using the undo igmp group-limit command, you can restore the default configuration. By default, the maximum number of IGMP groups joined on the interface is 1024.
If the number of IGMP groups joined on the interface already exceeds the configured value when the command is configured, the previously joined IGMP groups will not be deleted.
If this command is executed repeatedly, the new configuration will overwrite the previous one.

Example
Limit the maximum number of IGMP groups joined on the interface Ethernet1/0/0 to 100.
<3Com-Ethernet1/0/0] igmp group-limit 100

igmp group-policy

Syntax
igmp group-policy acl-number [ 1 | 2 ]
undo igmp group-policy

View
Interface view

Parameter
acl-number: Number of basic IP ACL, defining the range of a multicast group. The value ranges from 1 to 99.
1: IGMP Version 1.
2: IGMP Version 2. If IGMP version is not specified, IGMP Version 2 is used by default.

Description
Using the igmp group-policy command, you can set the filter of multicast groups on an interface to control access to the IP multicast groups. Using the undo igmp group-policy command, you can remove the filter configured. By default, no filter is configured, that is, a host can join any multicast group.
If you do not want the hosts on the network to which the interface is connected to join some multicast groups and receive the packets from those groups, you can use this command to limit the range of the multicast groups served by the interface.
For the related command, see igmp host-join.

Example
Permit the hosts on the interface Ethernet1/0/0 to join multicast group 225.1.1.1 only.
<3Com] acl number 5
<3Com-acl-basic-5] rule permit source 225.1.1.1 0
<3Com-acl-basic-5] quit
<3Com] interface ethernet 1/0/0
<3Com-Ethernet1/0/0] igmp group-policy 5

igmp host-join

Syntax
igmp host-join group-address
undo igmp host-join group-address

View
Interface view

Parameter
group-address: Multicast address of the multicast group that an interface will join.

Description
Using the igmp host-join command, you can enable an interface of a router to join a multicast group. Using the undo igmp host-join command, you can disable the configuration. By default, an interface does not join any multicast group.
On one router, at most 1024 interfaces can be configured with the igmp host-join command.
For the related command, see igmp group-policy.

Example
Configure Ethernet1/0/0 to join the multicast group 225.0.0.1.
<3Com-Ethernet1/0/0] igmp host-join 225.0.0.1

igmp lastmember-queryinterval

Syntax
igmp lastmember-queryinterval seconds
undo igmp lastmember-queryinterval

View
Interface view

Parameter
seconds: Interval, in seconds, at which the IGMP querier sends the IGMP specified group query packet when it receives an IGMP Leave packet from the host. The value ranges from 1 to 5 seconds. By default, the value is 1 second.

Description
Using the igmp lastmember-queryinterval command, you can set the interval at which the IGMP querier sends the IGMP specified group query packet when it receives an IGMP Leave packet from the host. Using the undo igmp lastmember-queryinterval command, you can restore the default value.
On a shared network, that is, when there are multiple hosts and multicast routers on a network segment, the query router (querier for short) takes charge of maintaining IGMP group membership on an interface. When a host in IGMP Version 2 leaves a group, the host should send an IGMP Leave packet. If the IGMP querier receives the packet, it must send the IGMP specified group query packet robust-value times, at the interval seconds configured via the igmp lastmember-queryinterval command (if the command is not configured, seconds is 1) and with the robust coefficient robust-value configured via igmp robust-count (if the command is not configured, robust-value is 2).
If another host receives the IGMP specified group query packet from the IGMP querier and is interested in the group, it will send an IGMP Membership Report packet within the maximum response time specified in the packet. If the IGMP querier receives an IGMP Membership Report packet from another host within the time robust-value x seconds, it will go on maintaining the group membership. If not, it will regard the group as timed out and stop maintaining the group membership.
The command is only valid when the IGMP query router is running in IGMP Version 2. If the host runs in IGMP Version 1, it may not send an IGMP Leave packet when it leaves a group. In that case, the command has no effect for the host.
For the related commands, see igmp robust-count and display igmp interface.

Example
Configure the query interval of the querier for the last group member on the interface Ethernet1/0/0 to 3 seconds.
<3Com-Ethernet1/0/0] igmp lastmember-queryinterval 3

igmp max-response-time

Syntax
igmp max-response-time seconds
undo igmp max-response-time

View
Interface view

Parameter
seconds: The maximum response time in the IGMP query packet, in seconds, ranging from 1 to 25. By default, the value is 10 seconds.

Description
Using the igmp max-response-time command, you can configure the maximum response time contained in the IGMP query packet. Using the undo igmp max-response-time command, you can restore the default value.
The maximum query response time determines the period for a router to quickly detect that there are no more directly connected group members in a LAN.
For the related command, see display igmp group.

Example
Configure the maximum response time to 8 seconds.
<3Com-Ethernet1/0/0] igmp max-response-time 8

igmp proxy

Syntax
igmp proxy interface-type interface-number
undo igmp proxy

View
Interface view

Parameter
interface-type: Proxy interface type.
interface-number: Proxy interface number.

Description
Using the igmp proxy command, you can specify an interface of a leaf network router as the IGMP proxy of another interface. Using the undo igmp proxy command, you can remove the configuration. By default, IGMP proxy function is disabled.
An interface cannot act as the IGMP proxy of two or more other interfaces at the same time. If an interface is configured with IGMP proxy multiple times, the last one overrides all the previous configurations.
For the related command, see pim neighbor-policy.

Example
Configure the IGMP proxy of router Ethernet0/0/0 to Ethernet1/0/0.
<3Com-Ethernet0/0/0] igmp proxy ethernet 1/0/0

igmp robust-count

Syntax
igmp robust-count robust-value
undo igmp robust-count

View
Interface view

Parameter
robust-value: IGMP robust coefficient, indicating the number of times the IGMP querier sends the IGMP specified group query packet when it receives an IGMP Leave packet from the host. The value ranges from 2 to 5. By default, the value is 2.

Description
Using the igmp robust-count command, you can set the number of times the IGMP querier sends the IGMP specified group query packet when it receives an IGMP Leave packet from the host. Using the undo igmp robust-count command, you can restore the default value.
On a shared network, with multiple hosts and multicast routers on a network segment, the query router (querier for short) takes charge of maintaining IGMP group membership on an interface. When a host in IGMP Version 2 leaves a group, the host should send an IGMP Leave packet. If the IGMP querier receives the packet, it must send the IGMP specified group query packet robust-value times, at the interval seconds configured via the igmp lastmember-queryinterval command (if the command is not configured, seconds is 1) and with the robust coefficient robust-value configured via igmp robust-count (if the command is not configured, robust-value is 2).
If another host receives the IGMP specified group query packet from the IGMP querier and is interested in the group, it will send an IGMP Membership Report packet within the maximum response time specified in the packet. If the IGMP querier receives an IGMP Membership Report packet from another host within the time robust-value x seconds, it will go on maintaining the group membership. If not, it will regard the group as timed out and stop maintaining the group membership.
The command is only valid when the IGMP query router is running in IGMP Version 2. If the host runs in IGMP Version 1, it may not send an IGMP Leave packet when it leaves a group. In that case, the command has no effect for the host.
For the related commands, see igmp lastmember-queryinterval and display igmp interface.

Example
Configure the robust-value of querier on the interface Ethernet1/0/0 to 3.
<3Com-Ethernet1/0/0] igmp robust-count 3

igmp timer other-querier-present

Syntax
igmp timer other-querier-present seconds
undo igmp timer other-querier-present

View
Interface view

Parameter
seconds: IGMP querier present time, in seconds. The value ranges from 60 to 300 seconds. By default, the value is twice the IGMP query message interval, which is 120 seconds in general.

Description
Using the igmp timer other-querier-present command, you can configure the timeout value for the presence of an IGMP querier. Using the undo igmp timer other-querier-present command, you can restore the default value.
On a shared network, i.e., when there are multiple multicast routers on the same network segment, the query router (querier for short) takes charge of sending query messages periodically on the interface. If a non-querier router receives no query messages within the valid period, it will consider the previous querier to be invalid and become the querier itself.
In IGMP Version 1, the selection of a querier is determined by the multicast routing protocol. In IGMP Version 2, the router with the lowest IP address on the shared network segment acts as the querier.
For the related commands, see igmp timer query and display igmp interface.
CAUTION: If the querier present time configured is less than twice the query interval, it may lead to repeated changes of queriers in the network.

Example
Configure the querier present time on the interface Ethernet1/0/0 to 200 seconds.
<3Com-Ethernet1/0/0] igmp timer other-querier-present 200

igmp timer query

Syntax
igmp timer query seconds
undo igmp timer query

View
Interface view

Parameter
seconds: Interval at which the router sends the IGMP query messages, in seconds. It ranges from 1 to 18000. By default, the value is 60 seconds.

Description
Using the igmp timer query command, you can configure the interval at which a router interface sends IGMP query messages. Using the undo igmp timer query command, you can restore the default value.
A multicast router sends IGMP query messages at intervals to find out whether there are multicast group members on the network. The query interval can be modified according to the practical conditions of the network.
For the related command, see igmp timer other-querier-present.

Example
Configure the interval at which multicast router Ethernet1/0/0 sends IGMP query packet to 125 seconds.
<3Com-Ethernet1/0/0] igmp timer query 125
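
The ranges, defaults and CAUTION given for the IGMP timer commands above, turned into a configuration check as an added example (not 3Com code): it flags an other-querier-present value below twice the query interval and reports the leave-detection window robust-value x seconds. The saved-configuration layout in SAMPLE_CONFIG and all function names are assumptions; the sample reuses the values from the page's own examples.

```python
import re

# (min, max, default) for each interface-view command, as stated in this reference.
# The default of other-querier-present is twice the query interval, so it is derived.
LIMITS = {
    "timer query": (1, 18000, 60),
    "timer other-querier-present": (60, 300, None),
    "max-response-time": (1, 25, 10),
    "lastmember-queryinterval": (1, 5, 1),
    "robust-count": (2, 5, 2),
}

# Constructed sample. The layout (interface line followed by indented commands)
# is an assumption about how the configuration is stored.
SAMPLE_CONFIG = """\
interface Ethernet1/0/0
 igmp enable
 igmp timer query 125
 igmp timer other-querier-present 200
 igmp robust-count 3
 igmp lastmember-queryinterval 3
interface Ethernet0/0/0
 igmp enable
 igmp max-response-time 30
"""


def parse_igmp(config):
    """Return {interface: {command: value}} for the numeric igmp commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(.+)$", line)
        if m:
            current = interfaces.setdefault(m.group(1), {})
            continue
        m = re.match(r"igmp\s+(.+?)\s+(\d+)$", line)
        if m and current is not None and m.group(1) in LIMITS:
            current[m.group(1)] = int(m.group(2))
    return interfaces


def effective(settings):
    """Fill in documented defaults for commands that are not configured."""
    values = {key: settings.get(key, default)
              for key, (_, _, default) in LIMITS.items()}
    if values["timer other-querier-present"] is None:
        values["timer other-querier-present"] = 2 * values["timer query"]
    return values


def audit(config):
    """Check each interface against the documented ranges and the CAUTION."""
    report = {}
    for name, settings in parse_igmp(config).items():
        issues = []
        for key, value in settings.items():
            low, high, _ = LIMITS[key]
            if not low <= value <= high:
                issues.append(f"{key} {value} outside {low}-{high}")
        eff = effective(settings)
        present, query = eff["timer other-querier-present"], eff["timer query"]
        if present < 2 * query:
            issues.append(
                f"other-querier-present {present}s is less than twice "
                f"the query interval ({query}s): queriers may change repeatedly"
            )
        report[name] = {
            "issues": issues,
            # Time the querier waits for a report after a Leave: robust-value x seconds.
            "leave_detect_seconds": eff["robust-count"] * eff["lastmember-queryinterval"],
        }
    return report


if __name__ == "__main__":
    for interface, result in audit(SAMPLE_CONFIG).items():
        print(interface, result)
```

Applied together, the two example values from this section (query interval 125, querier present time 200) trip the CAUTION, because 200 is less than 2 x 125.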

igmp version

Syntax
igmp version { 1 | 2 }
undo igmp version

View
Interface view

Parameter
1: IGMP Version 1.
2: IGMP Version 2. By default, IGMP Version 2 is used.

Description
Using the igmp version command, you can specify the version of IGMP that a router uses. Using the undo igmp version command, you can restore the default value.
All systems running in the same sub-network must support the same version of IGMP. When a router detects a Version 1 system, it cannot switch to Version 1 by itself.

Example
Specify Ethernet1/0/0 to use IGMP Version 1.
<3Com-Ethernet1/0/0] igmp version 1

reset igmp group

Syntax
reset igmp group { all | interface interface-type interface-number { all | group-address [ group-mask ] } }

View
User view

Parameter
all: All IGMP groups.
interface interface-type interface-number: Interface type and interface number.
group-address: IGMP group address.
group-mask: Network segment mask of group address.

Description
Using the reset igmp group command, you can delete the IGMP group joined on the interface. The deletion of the group does not affect its joining again.

Example
Delete all the IGMP groups on all interfaces.
<3Com> reset igmp group all

Delete all the IGMP groups on the interface Ethernet0/0/0.
<3Com> reset igmp group interface ethernet0/0/0 all

Delete the group 225.0.0.1 on the interface Ethernet0/0/0.
<3Com> reset igmp group interface ethernet0/0/0 225.0.0.1

Delete the IGMP groups ranging between the network segment 225.1.1.0 and 225.1.1.255 on the interface Ethernet0/0/0.
<3Com> reset igmp group interface ethernet0/0/0 225.1.1.0 255.255.255.0

PIM Configuration Commands

bsr-policy

Syntax
bsr-policy acl-number
undo bsr-policy

View
PIM view

Parameter
acl-number: ACL number used by BSR filter policy, ranging from 1 to 99.

Description
Using the bsr-policy command, you can restrict the range of valid BSRs so as to prevent BSR spoofing. Using the undo bsr-policy command, you can restore the normal state without any range restriction, in which all the messages received are considered valid.
In a PIM SM network which uses the BSR mechanism, any router can set itself as a C-BSR and, if it wins the competition, will take charge of advertising RP information in the network. To prevent the valid BSR in the network from being replaced, the following two measures should be taken:
- Prevent a host from spoofing the router by counterfeiting valid BSR packets to change the RP mapping relationship. A BSR packet is a multicast packet with a TTL of 1, so this kind of attack usually takes place on the edge router. The BSR is in the internal network and the host is in the external network; therefore, performing a neighbor check and an RPF check on BSR packets can prevent this kind of attack.
- If a router in the network is controlled by an attacker or an illegal router accesses the network, the attacker can set the router as a C-BSR, make it win the competition, and take control of advertising RP information in the network. A router configured as a C-BSR automatically advertises BSR information to the whole network. A BSR packet is a multicast packet which is forwarded hop by hop with a TTL of 1. The whole network will not be affected if the neighbor router does not receive the BSR information. The solution is to configure bsr-policy on each router in the whole network to restrict the range of legal BSRs. For example, if only 1.1.1.1/32 and 1.1.1.2/32 are permitted as BSR, the router will not receive and forward other BSR information, and the legal BSR will not compete with it.
The above two points can partially protect the security of BSR in the network. However, if a legal BSR router is controlled by an attacker, it will lead to the above problem.
The source parameter in the related rule command is interpreted as the BSR address in the bsr-policy command.
For the related commands, see acl and rule.

Example
Configure BSR filter policy on a router. Only permit 1.1.1.1/32 to act as BSR and regard others as invalid.
<3Com-pim] bsr-policy 1
<3Com-pim] quit
<3Com] acl number 1
<3Com-acl-basic-1] rule 0 permit source 1.1.1.1 0

c-bsr

Syntax
c-bsr interface-type interface-number hash-mask-len [ priority ]
undo c-bsr

View
PIM view

Parameter
interface-type interface-number: Interface type and interface number of a router. A candidate BSR is configured on this interface. The configuration takes effect only when PIM-SM is enabled on this interface.
hash-mask-len: Mask length. The mask is first applied to the multicast address with an “And” operation, and the search for the RP is then performed. The value ranges from 0 to 32.
priority: Priority of the candidate BSR. The larger the value is, the higher the priority of candidate BSR is. The value ranges from 0 to 255. By default, the priority is 0.

Description
Using the c-bsr command, you can configure a candidate BSR. Using the undo c-bsr command, you can remove the candidate BSR configuration. By default, no candidate BSR is set.
Since BSR and other devices in PIM domain need to exchange a great deal of information during candidate BSR configuration, a relatively large bandwidth must be guaranteed.
For the related command, see pim sm.

Example
Configure the IP address of the router on Ethernet1/0/0 as a candidate BSR with the priority 2.
<3Com> system-view
<3Com] multicast routing-enable
<3Com] pim
<3Com-pim] c-bsr ethernet1/0/0 30 2

c-rp

Syntax
c-rp interface-type interface-number [ group-policy acl-number ] [ priority priority-value ]
undo c-rp interface-type interface-number

View
PIM view

Parameter
interface-type interface-number: Specified interface with the IP address advertised as a candidate RP address.
acl-number: Number of basic ACL that defines a group range, which is the service range of the advertised RP. The value ranges from 1 to 99.
priority-value: Priority of a candidate RP. The larger the value is, the lower the priority is. The value ranges from 0 to 255. By default, the value is 0.

Description
Using the c-rp command, you can configure the router to advertise itself as a candidate RP to BSR. Using the undo c-rp command, you can remove the configuration. By default, no candidate RP is configured.
When configuring a candidate RP, a relatively large bandwidth should be reserved for the router and other devices in PIM domain.
For the related command, see c-bsr.

Example
Configure the interface Ethernet1/0/0 as the candidate RP for all groups.
<3Com> system-view
<3Com] multicast routing-enable
<3Com] pim
<3Com-pim] c-rp ethernet 1/0/0

crp-policy

Syntax
crp-policy acl-number
undo crp-policy

View
PIM view

Parameter
acl-number: ACL number used by C-RP filter policy, ranging from 100 to 199.

Description
Using the crp-policy command, you can restrict the range of valid C-RPs and the group range served by each C-RP, so as to prevent C-RP cheating. Using the undo crp-policy command, you can restore the normal state without any range restriction, in which all the messages received are regarded as valid.
In a PIM SM network which uses the BSR mechanism, any router can set itself as a C-RP serving a specific group range. If it is elected in RP election, it will become an RP serving that group range. In the BSR mechanism, the C-RP router unicasts C-RP information to the BSR router, which is responsible for advertising all C-RP information to the whole network by using BRP information.
To prevent C-RP cheating, crp-policy needs to be configured on a BSR router to restrict the range of valid C-RPs and the group address range each serves. Each C-BSR may become a BSR, so the same filter policy should be configured on each C-BSR.
This command uses the ACL numbered from 100 to 199. The parameter source in the related rule command indicates the C-RP address, and the destination indicates the group range the C-RP serves. When a received C-RP message is matched, the match is regarded as successful only when the C-RP address in the packet matches the source address and the group address range is a subset of that in the ACL.
For the related commands, see acl and rule.

Example
Configure C-RP policy on C-BSR router. Only permit 1.1.1.1/32 to act as C-RP which only serves the group range 225.1.0.0/16.
<3Com-pim] crp-policy 100
<3Com-pim] quit
<3Com] acl number 100
<3Com-acl-adv-100] rule 0 permit ip source 1.1.1.1 0 destination 225.1.0.0 0.0.255.255
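
The acceptance checks that bsr-policy and crp-policy describe, sketched as an added example that is not part of the 3Com manual or the router's own code: a BSR is accepted only if its address matches a permitted source, and a C-RP advertisement only if its address matches the source and its whole group range lies inside the rule's destination range. The example assumes rules are evaluated in the order listed, that an unmatched message is rejected (as in the page's "regard others as invalid" example), and that a rule applies to a C-RP advertisement only when the entire advertised range falls inside its destination range; the function names and the tested addresses are constructed.

```python
import ipaddress
import re

FULL = 0xFFFFFFFF

# Accepts the two rule forms shown in this section's examples.
RULE_RE = re.compile(
    r"rule(?:\s+\d+)?\s+(permit|deny)(?:\s+ip)?"
    r"\s+source\s+(\S+)\s+(\S+)"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?\s*$"
)

# Rule lines taken from the bsr-policy and crp-policy examples on this page.
BSR_ACL = ["rule 0 permit source 1.1.1.1 0"]
CRP_ACL = ["rule 0 permit ip source 1.1.1.1 0 destination 225.1.0.0 0.0.255.255"]


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_int(text):
    # The page writes a single-host match as wildcard "0".
    return 0 if text == "0" else ip_int(text)


def parse_rules(lines):
    """Turn rule command lines into dicts with integer address/wildcard pairs."""
    rules = []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        action, src, src_wc, dst, dst_wc = m.groups()
        rules.append({
            "permit": action == "permit",
            "src": (ip_int(src), wildcard_int(src_wc)),
            "dst": None if dst is None else (ip_int(dst), wildcard_int(dst_wc)),
        })
    return rules


def addr_matches(addr, base, wildcard):
    """True if addr equals base on every bit the wildcard does not cover."""
    return ((addr ^ base) & ~wildcard & FULL) == 0


def range_within(prefix, base, wildcard):
    """True if every address of the advertised prefix matches base/wildcard."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    free_bits = int(net.hostmask)
    # All varying bits of the prefix must be wildcard bits, and the fixed
    # bits must agree with the rule's base address.
    return (free_bits & ~wildcard & FULL) == 0 and addr_matches(
        int(net.network_address), base, wildcard)


def bsr_accepted(rules, bsr_addr):
    """bsr-policy: the rule's source is interpreted as the BSR address."""
    addr = ip_int(bsr_addr)
    for rule in rules:
        if addr_matches(addr, *rule["src"]):
            return rule["permit"]
    return False  # assumption: no matching rule means the message is rejected


def crp_accepted(rules, crp_addr, group_prefix):
    """crp-policy: source is the C-RP address, destination the served range."""
    addr = ip_int(crp_addr)
    for rule in rules:
        if rule["dst"] is None:
            continue
        if addr_matches(addr, *rule["src"]) and range_within(group_prefix, *rule["dst"]):
            return rule["permit"]
    return False  # assumption: no matching rule means the message is rejected


if __name__ == "__main__":
    bsr_rules, crp_rules = parse_rules(BSR_ACL), parse_rules(CRP_ACL)
    # Constructed test inputs.
    for bsr in ("1.1.1.1", "1.1.1.2"):
        print("BSR", bsr, bsr_accepted(bsr_rules, bsr))
    for crp, groups in (("1.1.1.1", "225.1.1.0/24"),
                        ("1.1.1.1", "225.0.0.0/8"),
                        ("1.1.1.2", "225.1.0.0/16")):
        print("C-RP", crp, groups, crp_accepted(crp_rules, crp, groups))
```

A C-RP advertisement from the permitted address is still rejected when it claims a broader range (225.0.0.0/8) than the ACL allows, which is the subset condition stated in the description.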

debugging pim common

Syntax
debugging pim common { all | event | packet | timer }
undo debugging pim common { all | event | packet | timer }

View
User view

Parameter
all: All the common debugging information of PIM.
event: Debugging information of common PIM event.
packet: Debugging information of PIM Hello message.
timer: Debugging information of common PIM timer.

Description
Using the debugging pim common command, you can enable common PIM debugging functions. Using the undo debugging pim common command, you can disable the debugging functions. By default, common PIM debugging functions are disabled.

Example
Enable all common PIM debugging functions.
<3Com> debugging pim common all

debugging pim dm

Syntax
debugging pim dm { alert | all | mrt | timer | warning | { recv | send } { all | assert | graft | graft-ack | join | prune } }
undo debugging pim dm { alert | all | mrt | timer | warning | { recv | send } { all | assert | graft | graft-ack | join | prune } }

View
User view

Parameter
all: All the debugging information of PIM-DM.
alert: Debugging information of PIM-DM interoperation event.
mrt: Debugging information of PIM-DM multicast routing table.
timer: Debugging information of PIM-DM timer.
warning: Debugging information of PIM-DM warning message.
recv: Debugging information of PIM-DM receiving packets.
send: Debugging information of PIM-DM sending packets.
all: All packet types.
assert: Packet type, assert packet.
graft: Packet type, graft packet.
graft-ack: Packet type, graft acknowledgment packet.
join: Packet type, join packet.
prune: Packet type, prune packet.

Description
Using the debugging pim dm command, you can enable PIM-DM debugging functions. Using the undo debugging pim dm command, you can disable the debugging functions. By default, PIM-DM debugging functions are disabled.

Example
Enable all PIM-DM debugging functions.
<3Com> debugging pim dm all

debugging pim sm

Syntax
debugging pim sm { all | mbr | mrt | timer | msdp | verbose | warning | { recv | send } { assert | bootstrap | crpadv | jp | reg | regstop } }
undo debugging pim sm { all | mbr | mrt | msdp | timer | verbose | warning | { recv | send } { assert | bootstrap | crpadv | jp | reg | regstop } }

View
User view

Parameter
mbr: Debugging information of PIM-SM multicast boundary router event.
mrt: Debugging information of PIM-SM multicast routing table.
msdp: Functions between PIM-SM and MSDP.
timer: Debugging information of PIM-SM timer.
warning: Debugging information of PIM-SM warning message.
recv: Debugging information of PIM-SM receiving packets.
send: Debugging information of PIM-SM sending packets.
assert | bootstrap | crpadv | jp | reg | regstop: Packet type.

Description
Using the debugging pim sm command, you can enable PIM-SM debugging functions. Using the undo debugging pim sm command, you can disable the debugging functions. By default, PIM-SM debugging functions are disabled.
The command debugging pim sm register-proxy is only suitable for the distributed router. This command can enable the debugging when an interface board acts as a proxy of a main control board to send register packets.

Example
Enable all PIM-SM debugging functions.
<3Com> debugging pim sm all


CHAPTER 7: MULTICAST COMMON CONFIGURATION COMMANDS

display pim bsr-info

Syntax
display pim bsr-info

View
Any view

Parameter
None

Description
Using the display pim bsr-info command, you can view Bootstrap Router (BSR) information.
For the related commands, see c-bsr and c-rp.

Example
Execute this command on a router running PIM-SM and display the current BSR information.
<3Com> display pim bsr-info
Current BSR Address: 20.20.20.30
Priority: 0
Mask Length: 30
Expires: 00:01:55
Local host is BSR

display pim interface

Syntax
display pim interface [ interface-type interface-number ]

View
Any view

Parameter
interface-type interface-number: Interface type and interface number.

Description
Using the display pim interface command, you can view the PIM interface information.

Example
Display the PIM information about the interface Ethernet1/0/0.
<3Com> display pim interface ethernet 1/0/0
PIM information of interface Ethernet1/0/0:
IP address of the interface is 10.10.1.20
PIM is enabled on interface
PIM version is 2
PIM mode is Sparse
PIM query interval is 30 seconds
Total 1 PIM neighbor on interface
PIM DR(designated router) is 10.10.1.20

Table 2 Description of output information of display pim interface command
Item | Description
PIM is enabled on interface | PIM SM is enabled on the interface Ethernet1/0/0.
PIM query interval is 30 seconds | The sending interval of Hello message is 30 seconds.
PIM DR (designated router) is 10.10.1.20 | IP address of DR is 10.10.1.20.

display pim neighbor

Syntax
display pim neighbor [ interface interface-type interface-number ]

View
Any view

Parameter
interface-type interface-number: Interface type and interface number.

Description
Using the display pim neighbor command, you can view the PIM neighbor information.

Example
Display the PIM neighbor information of the interface Ethernet1/0/0 on the router.
<3Com> display pim neighbor ethernet 1/0/0
Neighbor's Address  Interface Name  Uptime    Expires
10.10.1.10          Ethernet1/0/0   00:41:59  00:01:16

display pim routing-table

Syntax
display pim routing-table [ *g [ group-address [ mask { mask-length | mask } ] ] [ incoming-interface { interface-name | null } ] [ dense-mode | sparse-mode ]
display pim routing-table [ **rp [ rp-address [ mask { mask-length | mask } ] ] [ incoming-interface { interface-name | null } ] [ dense-mode | sparse-mode]
display pim routing-table [ source-address [ mask { mask-length | mask } ] [ group-address [ mask { mask-length | mask } ] ] [ incoming-interface { interface-name | null } ] [ dense-mode | sparse-mode ]

View
Any view

Parameter
**rp: (*, *, RP) route entry.
*g: (*, G) route entry.
group-address: Address of the multicast group.
source-address: IP address of the multicast source.
incoming-interface: Route entry of the specified incoming interface.


Description
Using the display pim routing-table command, you can view the contents of the PIM multicast routing table.
For the related command, see display multicast routing-table.

Example
Display the contents of the PIM multicast routing table on the router.
<3Com> display pim routing-table
PIM-SM Routing Table
Total 0 (S,G) entry, 2 (*,G) entries, 0 (*,*,RP) entry
(*, 224.0.1.40), RP 20.20.20.30
    Protocol 0x20: PIMSM, Flag 0x2003: RPT WC NULL_IIF
    UpTime: 00:17:25, never timeout
    Upstream interface: Null, RPF neighbor: 0.0.0.0
    Downstream interface list:
        Ethernet0/0/0, Protocol 0x1: IGMP, never timeout
(*, 225.1.1.1), RP 20.20.20.30
    Protocol 0x20: PIMSM, Flag 0x2003: RPT WC NULL_IIF
    UpTime: 00:08:45, never timeout
    Upstream interface: Null, RPF neighbor: 0.0.0.0
    Downstream interface list:
        Ethernet0/0/0, Protocol 0x1: IGMP, never timeout
Matched 0 (S,G) entry, 2 (*,G) entries, 0 (*,*,RP) entry

display pim rp-info

Syntax
display pim rp-info [ group-address ]

View
Any view

Parameter
group-address: Group address.

Description
Using the display pim rp-info command, you can view the RP information corresponding to a multicast group, together with the BSR and static RP information. If no group address is specified in this command, the corresponding RP information of all groups will be displayed.

Example
Display the RP currently corresponding to 224.0.0.0.
<3Com> display pim rp-info 224.0.0.0
PIM-SM RP-SET information:
BSR is: 20.20.20.20
Group/MaskLen: 224.0.0.0/4
RP 20.20.20.20
Version: 2
Priority: 0
Uptime: 00:00:05
Expires: 00:02:25


pim

Syntax
pim
undo pim

View
System view

Parameter
None

Description
Using the pim command, you can enter PIM view. Using the undo pim command, you can clear the configuration in PIM view.
Global parameters related to PIM must be configured in PIM view.

Example
<3Com> system-view
<3Com] multicast routing-enable
<3Com] pim
<3Com-pim]

pim bsr-boundary

Syntax
pim bsr-boundary
undo pim bsr-boundary

View
Interface view

Parameter
None

Description
Using the pim bsr-boundary command, you can configure an interface to become the PIM domain boundary. Using the undo pim bsr-boundary command, you can remove the boundary.
By default, no domain boundary is set.
After this command is configured on an interface, Bootstrap messages cannot pass the boundary, whereas other PIM packets can. This command can effectively divide the network into domains which use different BSRs.
For the related command, see c-bsr.

Example
Configure a domain boundary on the interface Pos1/0/0.
<3Com-Pos1/0/0] pim bsr-boundary


pim dm

Syntax
pim dm
undo pim dm

View
Interface view

Parameter
None

Description
Using the pim dm command, you can enable PIM-DM. Using the undo pim dm command, you can disable PIM-DM.
By default, PIM-DM is disabled.
Once PIM-DM is enabled on an interface, PIM-SM cannot be enabled on the same interface and vice versa.

Example
Enable PIM-DM on the interface Ethernet1/0/0.
<3Com] multicast routing-enable
<3Com] interface ethernet1/0/0
<3Com-Ethernet1/0/0] pim dm

pim neighbor-limit

Syntax
pim neighbor-limit limit
undo pim neighbor-limit

View
Interface view

Parameter
limit: Upper limit of PIM neighbor number on an interface, ranging from 0 to 128.

Description
Using the pim neighbor-limit command, you can limit the number of PIM neighbors on a router interface. Once the number reaches the configured limit, no new neighbor can be added to the router. Using the undo pim neighbor-limit command, you can restore the default configuration.
By default, the upper limit of PIM neighbor number on an interface is 128.
If the number of PIM neighbors on an interface already exceeds the value being configured, the existing PIM neighbors are not deleted.

Example
Set the upper limit of PIM neighbor number on the interface Ethernet1/0/0 to 50.
<3Com-Ethernet1/0/0] pim neighbor-limit 50

pim neighbor-policy

Syntax
pim neighbor-policy acl-number
undo pim neighbor-policy

View
Interface view

Parameter
acl-number: Number of basic ACL. The value ranges from 1 to 99.

Description
Using the pim neighbor-policy command, you can configure a router to filter the PIM neighbor of the current interface. Using the undo pim neighbor-policy command, you can cancel the filtering.
Only a router that is permitted by the ACL can act as PIM neighbor of the current interface; other routers cannot.
If this command is configured repeatedly, the new configuration will overwrite the previous one.

Example
Configure 10.10.1.2 rather than 10.10.1.1 as the PIM neighbor of Ethernet1/0/0.
<3Com-Ethernet1/0/0] pim neighbor-policy 1
<3Com-Ethernet1/0/0] quit
<3Com] acl number 1
<3Com-acl-basic-1] rule permit source 10.10.1.2 0
<3Com-acl-basic-1] rule deny source 10.10.1.1 0

pim sm

Syntax
pim sm
undo pim sm

View
Interface view

Parameter
None

Description
Using the pim sm command, you can enable PIM-SM protocol on an interface. Using the undo pim sm command, you can disable PIM-SM protocol.
By default, PIM-SM is disabled.
Once PIM-SM is enabled on an interface, PIM-DM cannot be enabled on the same interface and vice versa.


Example
Enable PIM-SM on the interface Ethernet1/0/0.
<3Com> system-view
<3Com] multicast routing-enable
<3Com] interface ethernet 1/0/0
<3Com-Ethernet1/0/0] pim sm

pim timer hello

Syntax
pim timer hello seconds
undo pim timer hello

View
Interface view

Parameter
seconds: Interval of sending Hello message in seconds, ranging from 1 to 18000. By default, the value is 30 seconds.

Description
Using the pim timer hello command, you can configure the interval of sending a PIM router Hello message. Using the undo pim timer hello command, you can restore the default value.

Example
Configure the interval of sending Hello message on the interface Ethernet1/0/0 on the PIM router to 40 seconds.
<3Com-Ethernet1/0/0] pim sm
<3Com-Ethernet1/0/0] pim timer hello 40

register-policy

Syntax
register-policy acl-number
undo register-policy

View
PIM view

Parameter
acl-number: Number of advanced IP ACL, defining the rule of filtering the source and group addresses. The value ranges from 100 to 199.

Description
Using the register-policy command, you can configure an RP to filter the register packets sent by the DR in the PIM-SM network, and to accept specific packets only. Using the undo register-policy command, you can remove the configured packet filtering.


Example
If the local device is the RP in the network, the following commands make it accept only the multicast data register packets sent by sources on the network segment 10.10.0.0/16 to multicast addresses in the range of 225.1.0.0/16.
<3Com> system-view
<3Com] acl number 110
<3Com-acl-adv-110] rule permit ip source 10.10.0.0 0.0.255.255 destination 225.1.0.0 0.0.255.255
<3Com-acl-adv-110] quit
<3Com] multicast routing-enable
<3Com] pim
<3Com-pim] register-policy 110

reset pim neighbor

Syntax
reset pim neighbor { all | { neighbor-address | interface interface-type interface-number }*}

View
User view

Parameter
all: All PIM neighbors.
neighbor-address: Specifies neighbor address.
interface: Specifies the interface.
interface-type interface-number: Interface type and interface number.

Description
Using the reset pim neighbor command, you can clear PIM neighbor.
For the related command, see display pim neighbor.

Example
Clear the PIM neighbor of the interface addressed with 25.5.4.3.
<3Com> reset pim neighbor 25.5.4.3

reset pim routing-table

Syntax
reset pim routing-table all
reset pim routing-table { group-address [ mask group-mask | group-mask-length ] [ source-address [ mask source-mask | source-mask-length ] [ incoming-interface { interface-type interface-number | null } ] } *

View
User view

Parameter
all: All PIM route entries.
group-address: Multicast group address.
mask group-mask: Address mask of multicast group.
group-mask-length: Address mask length of multicast group.
source-address: Multicast source address.
mask source-mask: Address mask of multicast source.
source-mask-length: Address mask length of multicast source.
null: Route entry with null incoming interface.
incoming-interface: Incoming interface of the route entry in PIM routing table.
interface-type interface-number: Interface type and interface number.

Description
Using the reset pim routing-table command, you can clear PIM route entry.
The sequence of the group-address and source-address can be reversed, but the input group-address and source-address must be valid. Otherwise, the system will prompt input error.
If group-address is configured to 224.0.0.0/24 and source-address to the RP address (in which case the group address may have a mask but the calculation result of the two must be 224.0.0.0, while the source address has no mask), only the (*, *, RP) entry is deleted.
If group-address is configured to a group address and source-address to 0 (in which case the group address may have a mask while the source address has no mask), only the (*, G) entry is deleted.
After this command is executed, the multicast route entry is deleted from PIM, and the corresponding route entry or forwarding entry is also deleted from the multicast kernel routing table and the MFC.
For the related commands, see reset multicast routing-table, reset multicast forwarding-table, and display pim routing-table.

Example
Clear the route entry with group address of 225.5.4.3 in PIM routing table.
<3Com> reset pim routing-table 225.5.4.3

source-policy

Syntax
source-policy acl-number
undo source-policy

View
PIM view


Parameter
acl-number: Number of basic or advanced ACL. The value ranges from 1 to 199.

Description
Using the source-policy command, you can configure a router to filter the multicast data packet received according to source (group) address. Using the undo source-policy command, you can remove the configuration.
If source address filtering and basic ACL are configured, all the multicast data packets received will be matched with source addresses. The packet that does not pass the matching will be discarded.
If source address filtering and advanced ACL are configured, all the multicast data packets received will be matched with source and group addresses. The packet that does not pass the matching will be discarded.
This command filters not only multicast data, but also the multicast data encapsulated in a register packet.
If this command is executed repeatedly, the new configuration will overwrite the previous one.

Example
Configure to accept the multicast data packets with source address of 10.10.1.2 and discard the multicast data packets with source address of 10.10.1.1.
<3Com] multicast routing-enable
<3Com] pim
<3Com-pim] source-policy 1
<3Com-pim] quit
<3Com] acl number 1
<3Com-acl-basic-1] rule permit source 10.10.1.2 0
<3Com-acl-basic-1] rule deny source 10.10.1.1 0
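The pim neighbor-policy, register-policy and source-policy filters all depend on how an ACL rule's address and wildcard are compared. The following Python sketch is an added example, not 3Com code: it evaluates rules written in the form shown on this page and shows what a subnet mask such as 255.255.0.0 selects when it is typed where a wildcard is expected. It assumes rules are checked in the order entered, the first match decides, and anything unmatched is rejected; the function and constant names are hypothetical.

```python
import ipaddress


def _to_int(addr):
    # The page writes an exact-host wildcard as a bare "0".
    return 0 if addr == "0" else int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit whose wildcard bit is 0."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def parse_rule(line):
    """Parse 'rule permit|deny [ip] source A W [destination A W]'."""
    tok = line.split()
    if len(tok) < 2 or tok[0] != "rule" or tok[1] not in ("permit", "deny"):
        raise ValueError("not an ACL rule: %r" % line)
    rule = {"action": tok[1], "source": None, "destination": None}
    for key in ("source", "destination"):
        if key in tok:
            i = tok.index(key)
            if i + 2 >= len(tok):
                raise ValueError("%s needs an address and a wildcard" % key)
            rule[key] = (tok[i + 1], tok[i + 2])
    return rule


def evaluate(rules, source, group=None):
    """Assumed semantics: first matching rule wins, no match means deny."""
    for r in rules:
        if r["source"] and not wildcard_match(source, *r["source"]):
            continue
        if r["destination"]:
            if group is None or not wildcard_match(group, *r["destination"]):
                continue
        return r["action"]
    return "deny"


def decide(acl_lines, source, group=None):
    return evaluate([parse_rule(line) for line in acl_lines], source, group)


# Basic ACL 1 as used with pim neighbor-policy and source-policy on this page.
NEIGHBOR_ACL = [
    "rule permit source 10.10.1.2 0",
    "rule deny source 10.10.1.1 0",
]

# Advanced ACL with wildcards covering 10.10.0.0/16 -> 225.1.0.0/16.
REGISTER_ACL = [
    "rule permit ip source 10.10.0.0 0.0.255.255 destination 225.1.0.0 0.0.255.255",
]

# Constructed counter-case: a subnet mask typed in the wildcard position.
NETMASK_AS_WILDCARD = [
    "rule permit ip source 10.10.0.0 255.255.0.0 destination 225.1.0.0 255.255.0.0",
]

if __name__ == "__main__":
    for src in ("10.10.1.2", "10.10.1.1", "10.10.1.3"):
        print("neighbor", src, decide(NEIGHBOR_ACL, src))
    for acl_name, acl in (("wildcard", REGISTER_ACL),
                          ("netmask", NETMASK_AS_WILDCARD)):
        for src, grp in (("10.10.5.5", "225.1.2.3"),
                         ("192.168.0.0", "239.9.0.0")):
            print(acl_name, src, grp, decide(acl, src, grp))
```

With the mask in the wildcard position the rule stops matching the intended 10.10.0.0/16 sources and instead matches any source and group whose last two octets are 0.0, so the filter rejects the traffic it was written for.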

spt-switch-threshold

Syntax
spt-switch-threshold { traffic-rate | infinity } [ group-policy acl-number ]
undo spt-switch-threshold { traffic-rate | infinity } [ group-policy acl-number ]

View
PIM view

Parameter
traffic-rate: Switch rate threshold from the RPT to the SPT in Kbps, ranging from 0 to 65535. By default, the switch threshold value is 0, i.e., switching starts when the RPT receives the first data packet.
infinity: Indicates never to switch to SPT.
acl-number: Number of basic IP ACL, defining the range of a multicast group. The value ranges from 1 to 99.


Description
Using the spt-switch-threshold command, you can set the packet rate threshold at which the PIM leaf router switches from the RPT to the SPT. Using the undo spt-switch-threshold command, you can restore the default setting.

Example
Set the threshold value to 4 Kbps. If the transmission rate from the source to the multicast group is higher than this value, the router will switch to the SPT toward the source.
<3Com> system-view
<3Com] multicast routing-enable
<3Com] pim
<3Com-pim] spt-switch-threshold 4

static-rp

Syntax
static-rp rp-address [ acl-number ]
undo static-rp

View
PIM view

Parameter
rp-address: Static RP address. This address must be a valid unicast IP address and cannot be an address in the 127 network segment.
acl-number: Number of basic ACL, used in controlling the multicast group range that the static RP serves. The value ranges from 1 to 99.

Description
Using the static-rp command, you can configure static RP. Using the undo static-rp command, you can remove the configuration.
RP is the core router in multicast routing. If the dynamic RP elected through the BSR mechanism is invalid for some reason, a static RP can be configured as a backup of the dynamic RP to improve the robustness of the network and the operation management capability of the multicast network. All routers in the PIM domain should be configured with this command, and be configured with the same RP address.
If the configured static RP address is the address of an interface in UP state on the local device, the local device will act as static RP. PIM does not have to be enabled on the interface which acts as static RP.
If this command is configured but no ACL is specified, the static RP configured will serve all the multicast groups. If an ACL is specified, the static RP configured will only serve the multicast groups permitted by the ACL.
If the RP elected through the BSR mechanism is valid, the static RP does not take effect.
If this command is executed repeatedly, the new configuration will overwrite the previous one.


For the related command, see display pim rp-info.

Example
Configure 10.110.0.6 as a static RP.
<3Com] multicast routing-enable
<3Com] pim
<3Com-pim] static-rp 10.110.0.6

MSDP Configuration Commands

cache-sa-enable

Syntax
cache-sa-enable
undo cache-sa-enable

View
MSDP view

Parameter
None

Description
Using the cache-sa-enable command, you can enable the router to cache SA state. Using the undo cache-sa-enable command, you can remove the cache from the router.
By default, the router caches the SA state, i.e., (S, G) entry after it receives SA messages.
If the router is in cache state, it will not send SA request message to the specified MSDP peer when it receives a new group join message.

Example
Configure the router to cache all the SA states.
<3Com> system-view
<3Com] msdp
<3Com-msdp] cache-sa-enable

debugging msdp

Syntax
debugging msdp { all | connect | event | packet | source-active }
undo debugging msdp { all | connect | event | packet | source-active }

View
User view

Parameter
all: All the debugging information of MSDP.
connect: Debugging information of MSDP peer connection reset.
event: Debugging information of MSDP event.
packet: Debugging information of MSDP packet.
source-active: Debugging information of active MSDP source.

Description
Using the debugging msdp command, you can enable MSDP debugging functions. Using the undo debugging msdp command, you can disable MSDP debugging functions.
By default, MSDP debugging functions are disabled.

Example
Enable all common MSDP debugging functions.
<3Com> debugging msdp all

display msdp brief

Syntax
display msdp brief

View
Any view

Parameter
None

Description
Using the display msdp brief command, you can view the state of MSDP peer.

Example
Display the state of MSDP peer.
<3Com> display msdp brief
MSDP Peer Brief Information
Peer's Address  State  Up/Down time  AS   SA Count  Reset Count
20.20.20.20     Up     00:00:13      100  0         0

display msdp peer-status

Syntax
display msdp peer-status [ peer-address ]

View
Any view

Parameter
peer-address: Address of MSDP peer.

Description
Using the display msdp peer-status command, you can view the detailed information of MSDP peer.


For the related command, see peer.

Example
Display the detailed information of the MSDP peer 10.110.11.11.
<3Com> display msdp peer-status 10.110.11.11
MSDP Peer 20.20.20.20, AS 100
Description:
Information about connection status:
    State: Up
    Up/down time: 14:41:08
    Resets: 0
    Connection interface: LoopBack0 (20.20.20.30)
    Number of sent/received messages: 867/947
    Number of discarded output messages: 0
    Elapsed time since last connection or counters clear: 14:42:40
Information about (Source, Group)-based SA filtering policy:
    Import policy: none
    Export policy: none
Information about SA-Requests:
    Policy to accept SA-Request messages: none
    Sending SA-Requests status: disable
Minimum TTL to forward SA with encapsulated data: 0
SAs learned from this peer: 0, SA-cache maximum for the peer: none
Input queue size: 0, Output queue size: 0
Counters for MSDP message:
    Count of RPF check failure: 0
    Incoming/outgoing SA messages: 0/0
    Incoming/outgoing SA requests: 0/0
    Incoming/outgoing SA responses: 0/0
    Incoming/outgoing data packets: 0/0

display msdp sa-cache

Syntax
display msdp sa-cache [ group-address ] [ source-address ] [ autonomous-system-number ]

View
Any view

Parameter
group-address: Group address of (S, G) entry.
source-address: Source address of (S, G) entry. With no source address specified, all the source information of the specified group will be displayed. If neither group address nor source address is determined, all SA caches will be displayed.
autonomous-system-number: Displays (S, G) entries from specified autonomous system.

Description
Using the display msdp sa-cache command, you can view (S, G) state learnt from MSDP peer.


The cache state can be displayed only if the cache-sa-enable command is configured.

Example
<3Com> display msdp sa-cache
MSDP Total Source-Active Cache - 5 entries
(Source, Group)          Origin RP    Pro  AS   Uptime    Expires
(10.10.1.2, 225.1.1.1)   10.10.10.10  BGP  100  00:00:10  00:05:50
(10.10.1.3, 225.1.1.1)   10.10.10.10  BGP  100  00:00:11  00:05:49
(10.10.1.2, 225.1.1.2)   10.10.10.10  BGP  100  00:00:11  00:05:49
(10.10.2.1, 225.1.1.2)   10.10.10.10  BGP  100  00:00:11  00:05:49
(10.10.1.2, 225.1.2.2)   10.10.10.10  BGP  100  00:00:11  00:05:49
MSDP matched 5 entries

display msdp sa-count

Syntax
display msdp sa-count [ autonomous-system-number ]

View
Any view

Parameter
autonomous-system-number: Number of sources and groups from the specified autonomous system.

Description
Using the display msdp sa-count command, you can view the number of sources and groups in MSDP cache.
The cache-sa-enable command must be configured before this command is used.

Example
<3Com> display msdp sa-count
Number of cached Source-Active entries, counted by Peer
Peer's Address  Number of SA
10.10.10.10     5
Number of source and group, counted by AS
AS  Number of source  Number of group
?   3                 3
Total Source-Active entries: 5

import-source

Syntax
import-source [ acl acl-number ]
undo import-source

View
MSDP view

Parameter
acl-number: Number of basic or advanced IP ACL, ranging from 1 to 199, controlling which sources SA messages will advertise and to which groups it will be sent in the domain. A basic ACL filters on source, and an advanced ACL filters on source/group. If no ACL is specified, no multicast source will be advertised.

Description
Using the import-source command, you can configure which (S, G) entries in the domain need to be advertised when an MSDP peer originates an SA message. Using the undo import-source command, you can remove the configuration.
By default, all the (S, G) entries in the domain are advertised by the SA message.
Besides controlling the creation of SA messages, you can filter the forwarded SA messages by the commands peer sa-policy import and peer sa-policy export.

Example
Configure which (S, G) entries from the multicast routing table will be advertised in SA messages originated by the MSDP peer.
<3Com> system-view
<3Com] acl number 101
<3Com-acl-adv-101] rule permit ip source 10.10.0.0 0.0.255.255 destination 225.1.0.0 0.0.255.255
<3Com-acl-adv-101] quit
<3Com] msdp
<3Com-msdp] import-source acl 101

msdp

Syntax
msdp
undo msdp

View
System view

Parameter
None

Description
Using the msdp command, you can enable MSDP and enter the MSDP view. Using the undo msdp command, you can clear all configurations of MSDP, release all resources that MSDP occupies, and restore the initial state.
For the related command, see peer.

Example
Clear all configurations of MSDP.
<3Com> system-view
<3Com] undo msdp

msdp-tracert

Syntax
msdp-tracert source-address group-address rp-address [ max-hops max-hops ] [ next-hop-info ] [ sa-info ] [ peer-info ] [ skip-hops skip-hops ]


View
Any view

Parameter
source-address: Multicast source address.
group-address: Multicast group address.
rp-address: IP address of RP.
max-hops: The maximum number of hops that are traced, ranging from 1 to 255. By default, the value is 16.
next-hop-info: Flag bit for collecting the next hop information.
sa-info: Flag bit for collecting SA entity information.
peer-info: Flag bit for collecting MSDP peer information.
skip-hops: Number of hops that are skipped before collecting detailed information, ranging from 0 to 255. By default, the value is 0.

Description
Using the msdp-tracert command, you can trace the transmission path of SA messages in the network, which helps to locate faults such as information loss and configuration error. After the transmission path of the SA messages is determined, the correct configuration can avoid the overflow of SA messages.

Example
Trace (10.10.1.1, 225.2.2.2, 20.20.20.20) path information.
<3Com> msdp-tracert 10.10.1.1 225.2.2.2 20.20.20.20

Specify the maximum number of hops that are traced and collect detailed information of SA and MSDP peer.
<3Com> msdp-tracert 10.10.1.1 225.2.2.2 20.20.20.20 max-hops 10 sa-info peer-info
MSDP tracert: press CTRL_C to break
D-bit: set if have this (S,G) in cache but with a different RP
RP-bit: set if this router is an RP
NC-bit: set if this router is not caching SA's
C-bit: set if this (S,G,RP) tuple is in the cache
MSDP Traceroute path information:
Router Address: 20.20.1.1
Fixed-length response info:
    Peer Uptime: 10 minutes, Cache Entry Uptime: 30 minutes
    D-bit: 0, RP-bit: 1, NC-bit: 0, C-bit: 1
    Return Code: Reached-max-hops
Next Hop info:
    Next-Hop Router Address: 0.0.0.0
SA info:
    Count of SA messages received for this (S,G,RP): 0
    Count of encapsulated data packets received for this (S,G,RP):0
    SA cache entry uptime: 00:30:00 , SA cache entry expiry time: 00:03:32
Peering info:
    Peering Uptime: 10 minutes, Count of Peering Resets: 3

Table 3 Description of msdp-tracert Command Domain
Item | Description
Router Address | Address where the local router creates Peering session with Peer-RPF neighbor.
Peer Uptime | Time for which the local router performs Peering session with Peer-RPF neighbor in minute, with the maximum value of 255.
Cache Entry Uptime | Present time of (S, G, RP) entry in SA cache of the local router, in minute, with the maximum value of 255.
D-bit: 1 | (S, G, RP) entry existing in SA cache of the local router. But the RP is different from the RP specified in the request message.
RP-bit: 1 | The local router is an RP, but it is not necessarily the source RP in (S, G, RP) entry.
NC-bit: 0 | The local router enables SA cache.
C-bit: 1 | (S, G, RP) entry exists in SA cache of the local router.
Return Code: Reached-max-hops | Return reason is the reached maximum hops and other possible value includes: Hit-src-RP: The local hop router is the source RP in (S, G, RP) entry.
Next-Hop Router Address: 0.0.0.0 | If the parameter next-hop-info is used, Peer-RPF neighbor address will be displayed.
Count of SA messages received for this (S,G,RP) | Number of SA messages received for tracing this (S, G, RP) entry.
Count of encapsulated data packets received for this (S,G,RP) | Number of encapsulated data packets received for tracing this (S, G, RP) entry.
SA cache entry uptime | Present time of SA cache entry.
SA cache entry expiry time | Expiry time of SA cache entry.
Peering Uptime: 10 minutes | Time for which the local router performs Peering session with Peer-RPF neighbor.
Count of Peering Resets | Number of Peering session resets.

originating-rp

Syntax
originating-rp interface-type interface-number
undo originating-rp

View
MSDP view

Parameter
interface-type: Interface type.
interface-number: Interface number.

Description
Using the originating-rp command, you can allow MSDP to use the IP address of a specified interface as the RP address in the SA messages it originates. Using the undo originating-rp command, you can remove the configuration.
By default, the RP address in the SA message is the RP address configured by PIM.
Configure logical RP by using this command.

Example
Configure IP address of the interface Ethernet1/0/0 as the RP address in the SA message originated.
<3Com> system-view
<3Com] msdp
<3Com-msdp] originating-rp ethernet 1/0/0

peer

Syntax
peer peer-address connect-interface interface-type interface-number
undo peer peer-address

View
MSDP view

Parameter
peer-address: Address of MSDP peer.
connect-interface interface-type interface-number: Interface type and number whose primary address is used by the local router as the source IP address to establish TCP connection with remote MSDP peers.

Description
Using the peer command, you can configure an MSDP peer. Using the undo peer command, you can remove the MSDP peer configured.
If the local router is also in BGP peer relation with an MSDP peer, the MSDP peer and the BGP peer should use the same IP address.
For the related command, see static-rpf-peer.

Example
Configure the router using IP address 125.10.7.6 as an MSDP peer of the local router.
<3Com> system-view
<3Com] msdp
<3Com-msdp] peer 125.10.7.6 connect-interface ethernet 0/1/0

peer description

Syntax
peer peer-address description text
undo peer peer-address description

View
MSDP view

Parameter
peer-address: Address of MSDP peer.
text: Descriptive text, being case sensitive. The maximum length is 80 characters.

Description
Using the peer description command, you can configure descriptive text for an MSDP peer. Using the undo peer description command, you can remove the descriptive text configured.
By default, an MSDP peer has no descriptive text.
Administrators can conveniently differentiate MSDP peers by configuring descriptive text.
For the related command, see display msdp peer-status.

Example
Add descriptive text CstmrA to router 125.10.7.6 to specify that the router is Client A.
<3Com> system-view
<3Com] msdp
<3Com-msdp] peer 125.10.7.6 description router CstmrA

peer mesh-group

Syntax
peer peer-address mesh-group name
undo peer peer-address mesh-group name

View
MSDP view

Parameter
name: Name of a Mesh Group, being case sensitive. The maximum length is 32 characters.
peer-address: Address of an MSDP peer to be a member of the Mesh Group.

Description
Using the peer mesh-group command, you can configure an MSDP peer to join a Mesh Group. Using the undo peer mesh-group command, you can remove the configuration.
By default, an MSDP peer is not a member of any Mesh Group.


Example
Configure the MSDP peer with address 125.10.7.6 to be a member of the Mesh Group Grp1.
<3Com> system-view
<3Com] msdp
<3Com-msdp] peer 125.10.7.6 mesh-group Grp1

peer minimum-ttl

Syntax
peer peer-address minimum-ttl ttl
undo peer peer-address minimum-ttl

View
MSDP view

Parameter
peer-address: Address of the MSDP peer to which the TTL limitation applies.
ttl: TTL threshold, ranging from 0 to 255.

Description
Using the peer minimum-ttl command, you can configure the minimum TTL (Time-to-Live) value of the multicast data packets encapsulated in SA messages to be sent to specified MSDP peer. Using the undo peer minimum-ttl command, you can restore the default TTL threshold.
By default, the value of TTL threshold is 0.
For the related command, see peer.

Example
Configure the TTL threshold value to 10, i.e., only those multicast data packets with a TTL value greater than or equal to 10 can be forwarded to the MSDP peer 110.10.10.1.
<3Com> system-view
<3Com] msdp
<3Com-msdp] peer 110.10.10.1 minimum-ttl 10

peer request-sa-enable

Syntax
peer peer-address request-sa-enable
undo peer peer-address request-sa-enable

View
MSDP view

Parameter
peer-address: Address of MSDP peer.


Description Using the peer request-sa-enable command, you can enable the router to send a SA request message to the specified MSDP peer when receiving a new group join message. Using the undo peer request-sa-enable command, you can remove the configuration. By default, when receiving a new group join message, the router sends no SA request messages to MSDP peers but waits to receive the next SA message. For the related command, see cache-sa-enable. Example Configure to send SA request message to the MSDP peer 125.10.7.6.
<3Com> system-view
[3Com] msdp
[3Com-msdp] peer 125.10.7.6 request-sa-enable

peer sa-cache-maximum

Syntax
peer peer-address sa-cache-maximum sa-limit
undo peer peer-address sa-cache-maximum

View MSDP view Parameter peer-address: Address of MSDP peer. sa-limit: Maximum value that the SA cache allows, ranging from 1 to 2048. Description Using the peer sa-cache-maximum command, you can limit the number of caches originated when the router receives SA messages from an MSDP peer. Using the undo peer sa-cache-maximum command, you can restore the default configuration. By default, the maximum number of SA caches is 2048. This configuration is recommended for all MSDP peers in the networks possibly attacked by DoS. For the related commands, see display msdp, sa-count, display msdp peer-status and display msdp brief. Example Limit the number of caches originated to 100 when the router receives SA messages from the MSDP peer 125.10.7.6.
<3Com> system-view
[3Com] msdp
[3Com-msdp] peer 125.10.7.6 sa-cache-maximum 100


peer sa-policy

Syntax
peer peer-address sa-policy { import | export } [ acl acl-number ]
undo peer peer-address sa-policy { import | export }

View MSDP view Parameter import: Receives SA messages from the specified MSDP peer. export: Forwards SA messages from the specified MSDP peer. peer-address: Address of the MSDP peer whose SA messages need to be filtered. acl acl-number: Number of advanced IP ACL, ranging from 100 to 199. If no ACL is specified, all (S, G) entries are filtered. Description Using the peer sa-policy command, you can configure a filter list for SA messages received or forwarded from the specified MSDP peer. Using the undo peer sa-policy command, you can remove the configuration. By default, messages received or forwarded will not be filtered. All SA messages are received or forwarded from an MSDP peer. For the related command, see peer. Example Forward only those SA messages that passed the advanced IP ACL.
<3Com> system-view
[3Com] acl number 100
[3Com-acl-adv-100] rule permit ip source 170.15.0.0 0.0.255.255 destination 225.1.0.0 0.0.255.255
[3Com-acl-adv-100] quit
[3Com] msdp
[3Com-msdp] peer 125.10.7.6 connect-interface ethernet 0/0/0
[3Com-msdp] peer 125.10.7.6 sa-policy export acl 100

peer sa-request-policy

Syntax
peer peer-address sa-request-policy [ acl acl-number ]
undo peer peer-address sa-request-policy

View MSDP view Parameter peer-address: Address from which the local router receives SA request messages sent by the specified MSDP peer.


acl acl-number: Number of basic IP ACL, describing multicast group address, ranging from 1 to 99. If no ACL is specified, all SA request messages will be ignored. Description Using the peer sa-request-policy command, you can limit SA request messages that the router receives from MSDP peers. Using the undo peer sa-request-policy command, you can remove the limitation. By default, the router receives all SA request messages from the MSDP peer. If no ACL is specified, all SA requests will be ignored. If ACL is specified, only those SA request messages from the groups permitted by the ACL will be processed and all the others will be ignored. For the related command, see peer. Example Configure the ACL for filtering SA request messages from the MSDP peer 175.58.6.5. The SA request messages from group address range 225.1.1.0/8 will be received and all the others will be ignored.
<3Com> system-view
[3Com] acl number 1
[3Com-acl-basic-1] rule permit source 225.1.1.0 0.0.0.255
[3Com-acl-basic-1] quit
[3Com] msdp
[3Com-msdp] peer 175.58.6.5 sa-request-policy acl 1
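
The peer sa-cache-maximum, peer sa-policy and peer sa-request-policy settings above are applied per peer, so a peer added later can be left at the defaults. The following audit sketch is an added example, not 3Com code: it checks every MSDP peer against the ranges and defaults stated in this chapter, and it assumes the saved configuration lists the commands as typed here, indented under an unindented `msdp` line (the sample configuration is constructed).

```python
import ipaddress

SA_LIMIT_MAX = 2048              # default and upper bound the reference gives for sa-limit
ADVANCED_ACL = range(100, 200)   # sa-policy takes an advanced IP ACL (100-199)
BASIC_ACL = range(1, 100)        # sa-request-policy takes a basic IP ACL (1-99)

# Constructed sample. The layout (view name unindented, commands indented) is an
# assumption about how the saved configuration is written out.
SAMPLE_CONFIG = """\
acl number 100
 rule permit ip source 170.15.0.0 0.0.255.255 destination 225.1.0.0 0.0.255.255
msdp
 peer 125.10.7.6 connect-interface ethernet 0/0/0
 peer 125.10.7.6 sa-cache-maximum 100
 peer 125.10.7.6 sa-policy import acl 100
 peer 125.10.7.6 sa-request-policy acl 1
 peer 110.10.10.1 connect-interface ethernet 0/0/0
 peer 110.10.10.1 minimum-ttl 10
 peer 175.58.6.5 connect-interface ethernet 1/0/0
 peer 175.58.6.5 sa-cache-maximum 4096
 peer 175.58.6.5 sa-policy import acl 1
 peer 175.58.6.5 sa-request-policy
bgp 100
 peer 1.1.1.1 as-number 100
"""


def msdp_lines(config):
    """Return the stripped command lines found inside the msdp view."""
    inside, lines = False, []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():           # an unindented line opens a new view
            inside = raw.strip() == "msdp"
        elif inside:
            lines.append(raw.strip())
    return lines


def acl_number(args):
    """Return the number after 'acl', or None when the command names no ACL."""
    if len(args) >= 2 and args[0] == "acl" and args[1].isdigit():
        return int(args[1])
    return None


def parse_peers(config):
    """Map each MSDP peer address to the per-peer SA settings configured for it."""
    peers = {}
    for line in msdp_lines(config):
        words = line.split()
        if len(words) < 3 or words[0] != "peer":
            continue
        try:
            addr = str(ipaddress.IPv4Address(words[1]))
        except ValueError:
            continue                        # second word is not a peer address
        keyword, args = words[2], words[3:]
        entry = peers.setdefault(addr, {})
        if keyword == "sa-cache-maximum" and args and args[0].isdigit():
            entry["sa_limit"] = int(args[0])
        elif keyword == "sa-policy" and args and args[0] in ("import", "export"):
            entry["sa_policy_" + args[0]] = acl_number(args[1:])
        elif keyword == "sa-request-policy":
            entry["sa_request_policy"] = acl_number(args)
    return peers


def audit(config):
    """Return (peer, level, message) findings, ordered by peer address string."""
    findings = []
    for addr, cfg in sorted(parse_peers(config).items()):
        limit = cfg.get("sa_limit")
        if limit is None:
            findings.append((addr, "WARN",
                             f"no sa-cache-maximum; default of {SA_LIMIT_MAX} applies"))
        elif not 1 <= limit <= SA_LIMIT_MAX:
            findings.append((addr, "WARN",
                             f"sa-cache-maximum {limit} is outside 1-{SA_LIMIT_MAX}"))
        for direction in ("import", "export"):
            acl = cfg.get("sa_policy_" + direction)
            if acl is not None and acl not in ADVANCED_ACL:
                findings.append((addr, "WARN",
                                 f"sa-policy {direction} acl {acl} is not an advanced ACL"))
        if "sa_policy_import" not in cfg:
            findings.append((addr, "INFO",
                             "no sa-policy import; SA messages from this peer are unfiltered"))
        if "sa_request_policy" in cfg:
            acl = cfg["sa_request_policy"]
            if acl is None:
                findings.append((addr, "INFO",
                                 "sa-request-policy without ACL; all SA requests are ignored"))
            elif acl not in BASIC_ACL:
                findings.append((addr, "WARN",
                                 f"sa-request-policy acl {acl} is not a basic ACL"))
    return findings


if __name__ == "__main__":
    for addr, level, message in audit(SAMPLE_CONFIG):
        print(f"{level:<5} {addr:<15} {message}")
```
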

reset msdp peer

Syntax
reset msdp peer peer-address

View User view Parameter peer-address: Address of MSDP peer. Description Using the reset msdp peer command, you can reset TCP connection with the specified MSDP peer, and clear all the statistics of the specified MSDP peer. For the related command, see peer. Example Clear TCP connection and statistics of the MSDP peer 125.10.7.6.
<3Com> reset msdp peer 125.10.7.6

reset msdp sa-cache

Syntax
reset msdp sa-cache [ group-address ]


View User view Parameter group-address: Address of the group; (S, G) entries matching it are cleared from the SA cache. If no multicast group address is specified, all SA cache entries will be cleared. Description Using the reset msdp sa-cache command, you can clear MSDP SA cache entries. For the related commands, see cache-sa-enable and display msdp sa-cache. Example Clear the cache entries with group address 225.5.4.3 from the SA cache.
<3Com> reset msdp sa-cache 225.5.4.3

reset msdp statistics

Syntax
reset msdp statistics [ peer-address ]

View User view Parameter peer-address: Address of the MSDP peer whose statistics, resetting information and input/output information will be cleared. If no MSDP peer address is specified, all MSDP peers statistics will be cleared. Description Using the reset msdp statistics command, you can clear statistics of one or more MSDP peers without resetting the MSDP peer. Example Clear the statistics of the MSDP peer 25.10.7.6.
<3Com> reset msdp statistics 125.10.7.6

shutdown

Syntax
shutdown peer-address
undo shutdown peer-address

View MSDP view Parameter peer-address: IP address of MSDP peer.


Description Using the shutdown command, you can disable the MSDP peer specified. Using the undo shutdown command, you can remove the configuration. By default, no MSDP peer is disabled. For the related command, see peer. Example Disable the MSDP peer 125.10.7.6.
<3Com> system-view
[3Com] msdp
[3Com-msdp] shutdown 125.10.7.6

static-rpf-peer

Syntax
static-rpf-peer peer-address [ rp-policy list ]
undo static-rpf-peer peer-address

View MSDP view Parameter peer-address: Address of the static RPF peer to receive SA messages. rp-policy list: Filter policy based on RP address, which filters the RP in SA messages. If the parameter is not specified, all SA messages from the static RPF peer will be accepted. If the parameter rp-policy list is specified and a filter policy is configured, the router will only accept SA messages from an RP that passes filtering. If no filter policy is configured, the router will still accept all SA messages from the static RPF peer. Description Using the static-rpf-peer command, you can configure a static RPF peer. Using the undo static-rpf-peer command, you can remove the static RPF peer. By default, no static RPF peer is configured. You must configure the peer command before using the static-rpf-peer command. If you do not want to perform RPF check to SA messages from a same MSDP peer. If only one MSDP peer is configured on a router, this MSDP peer will be regarded as a static RPF peer. For the related commands, see peer and ip prefix-list. Example Configure two static RPF peers.
<3Com> system-view
[3Com] ip ip-prefix list1 permit 130.10.0.0 16
[3Com] ip ip-prefix list2 permit 130.10.0.0 16
[3Com] msdp
[3Com-msdp] peer 130.10.7.6 connect-interface ethernet 1/0/0
[3Com-msdp] peer 130.10.7.5 connect-interface ethernet 1/0/0
[3Com-msdp] static-rpf-peer 130.10.7.6 rp-policy list1
[3Com-msdp] static-rpf-peer 130.10.7.5 rp-policy list2

timer retry

Syntax
timer retry seconds
undo timer retry

View MSDP view Parameter seconds: Value of connection request re-try period in second, ranging from 1 to 60. Description Using the timer retry command, you can configure the value of connection request re-try period. Using the undo timer retry command, you can restore the default value. By default, the value of connection request re-try period is 30 seconds. For the related command, see peer. Example Configure the connection request re-try period to 60 seconds.
<3Com> system-view
[3Com] msdp
[3Com-msdp] timer retry 60

MBGP Multicast Extension Configuration Commands
aggregate

Syntax
aggregate address mask [ as-set ] [ attribute-policy route-policy-name ] [ detail-suppressed ] [ origin-policy route-policy-name ] [ suppress-policy route-policy-name ]
undo aggregate address mask [ as-set ] [ attribute-policy route-policy-name ] [ detail-suppressed ] [ origin-policy route-policy-name ] [ suppress-policy route-policy-name ]

View IPv4 multicast sub-address family view


Parameter address: Address of the aggregated route. mask: Network mask of the aggregated route. as-set: Generates a route with AS_SET segment. Using this parameter is not recommended when many AS paths are aggregated. attribute-policy: Attributes of the aggregated route. detail-suppressed: No detailed route but the aggregated route is advertised. origin-policy: Filters the detailed route involved in aggregation. suppress-policy: Detailed route determined is not advertised. Description Using the aggregate command, you can create a multicast aggregated record in the BGP routing table. Using the undo aggregate command, you can remove the aggregation. By default, no route is aggregated. Using the aggregate command without parameters, you can create one local aggregated route and set atomic aggregation attributes. Example Create a multicast aggregated record in the BGP routing table and set the address of the aggregated route to 192.213.0.0.
[3Com-bgp-af-mul] aggregate 192.213.0.0 255.255.0.0

debugging bgp mp-update

Syntax
debugging bgp mp-update
undo debugging bgp mp-update

View User view Parameter updates: Debug information of MBGP update packets. Description Using the debugging bgp mp-update command, you can enable the MBGP packet debugging functions. Using the undo debugging bgp mp-update command, you can disable the functions. Example Enable MBGP packet information debugging function.
<3Com> debugging bgp mp-update


display bgp multicast group

Syntax
display bgp multicast group [ group-name ]

View Any view Parameter group-name: Name of peer group. If no peer group is specified, the information about all peer groups will be displayed. Description Using the display bgp multicast group command, you can view the information about peer groups. Example Display the information about the peer group named my_peer.
<3Com> display bgp multicast group my_peer

display bgp multicast network

Syntax
display bgp multicast network

View Any view Parameter None Description Using the display bgp multicast network command, you can view the routing information that MBGP advertises. Example Display the network segment routing information that MBGP advertises.
<3Com> display bgp multicast network

display bgp multicast routing-table

Syntax
display bgp multicast routing-table ip-address [ mask ]

View Any view Parameter ip-address: MBGP routing information whose IP address is specified in the BGP routing table. Description Using the display bgp multicast routing-table command, you can view the MBGP routing information whose IP address is specified in the BGP routing table.


Example Display the MBGP routing information with destination network segment 14.1.0.0.
<3Com> display bgp multicast routing-table 14.1.0.0

display bgp multicast routing-table cidr

Syntax
display bgp multicast routing-table cidr

View Any view Parameter None Description Using the display bgp multicast routing-table cidr command, you can view the routing information with non-natural network mask (i.e., classless inter-domain routing, CIDR). Example Display CIDR routing information.
<3Com> display bgp multicast routing-table cidr

display bgp multicast routing-table community

Syntax
display bgp multicast routing-table community [ community-number | no-export-subconfed | no-advertise | no-export | whole-match ]

View Any view Parameter community-number: Specifies community number. no-export-subconfed: Not advertises matched routes outside the local autonomous system. no-advertise: Not advertises matched routes to any peer. no-export: Not advertises routes outside the local autonomous system but advertise routes to other sub-autonomous systems. whole-match: Exact match. Description Using the display bgp multicast routing-table community command, you can view the routing information that belongs to the specified MBGP community. Example Display the routing information that belongs to the specified MBGP community.
<3Com> display bgp multicast routing-table community 600:1


<3Com> display bgp multicast routing-table community no-export

display bgp multicast routing-table community-list

Syntax
display bgp multicast routing-table community-list list-number [ whole-match ]

View Any view Parameter list-number: Number of community list. whole-match: Exact match. Description Using the display bgp multicast routing-table community-list command, you can view the routing information that is permitted by the MBGP community list. Example Display the routing information that is permitted by the MBGP community list.
<3Com> display bgp multicast routing-table community-list

display bgp multicast routing-table different-origin-as

Syntax
display bgp multicast routing-table different-origin-as

View Any view Parameter None Description Using the display bgp multicast routing-table different-origin-as command, you can view AS routes with different origins. Example Display AS routes with different origins.
<3Com> display bgp multicast routing-table different-origin-as

display bgp multicast routing-table peer

Syntax
display bgp multicast routing-table peer peer-address { received | advertised }

View Any view Parameter peer-address: Address of multicast neighbor, in dotted decimal notation format. received: Routing information received from the specified neighbor.


advertised: Routing information sent to the specified neighbor. Description Using the display bgp multicast routing-table peer command, you can view the route received from or sent to the specified multicast neighbor. Example Display the routing information sent to the multicast neighbor 10.10.1.11.
<3Com> display bgp multicast routing-table peer 10.10.1.11 advertised

display bgp multicast routing-table regular-expression

Syntax
display bgp multicast routing-table [ regular-expression as-regular-expression ]

View Any view Parameter as-regular-expression: AS regular expression matched. Description Using the display bgp multicast routing-table regular-expression command, you can view the routing information matching the specified AS regular expression. Example Display the MBGP routing information matching the regular expression ^600$.
<3Com> display bgp multicast routing-table regular-expression ^600$

display bgp multicast routing-table statistic

Syntax
display bgp multicast routing-table statistic

View Any view Parameter None Description Using the display bgp multicast routing-table statistic command, you can view statistics of MBGP route information. Example Display statistics of MBGP route information.
<3Com> display bgp multicast routing-table statistic

import-route

Syntax
import-route protocol [ route-policy policy-name ] [ med metric ]
undo import-route protocol


View IPv4 multicast sub-address family view Parameter protocol: Source routing protocols that can be imported, which can be direct, ospf, ospf-ase, ospf-nssa, rip, isis and static at present. metric: Metric value loaded by an imported route. policy-name: Route policy used by an imported route. Description Using the import-route command, you can import routing information from other protocols to BGP. Using the undo import-route command, you can cancel the import of routing information from other protocols. By default, BGP will not import routing information from other protocols. Example Configure to import a static route.
[3Com-bgp-af-mul] import-route static

ipv4-family multicast

Syntax
ipv4-family multicast
undo ipv4-family multicast

View BGP view Parameter None Description Using the ipv4-family multicast command, you can enter the IPv4 multicast sub-address family view. Using the undo ipv4-family multicast command, you can remove all the configurations in the IPv4 multicast sub-address family view. Example Enter the IPv4 multicast sub-address family view.
<3Com> system-view
[3Com] bgp 100
[3Com-bgp] ipv4-family multicast
[3Com-bgp-af-mul]

network

Syntax
network ip-address [ address-mask ] [ route-policy policy-name ]
undo network ip-address [ address-mask ] [ route-policy policy-name ]


View IPv4 multicast sub-address family view Parameter ip-address: Network address that BGP advertises. address-mask: Mask of the network address. route-policy policy-name: Route policy applied to the routes advertised. Description Using the network command, you can configure the network addresses to be sent by the local BGP. Using the undo network command, you can remove the existing configuration. By default, the local BGP does not advertise any route. Example Advertise routes to the network segment 10.0.0.0/16.
[3Com-bgp-af-mul] network 10.0.0.1 255.255.0.0

peer advertise-community

Syntax
peer { group-name | peer-address } advertise-community
undo peer { group-name | peer-address } advertise-community

View IPv4 multicast sub-address family view Parameter group-name: Name of the peer group. peer-address: IP address of the peer. Description Using the peer advertise-community command, you can advertise community attributes to a peer (group). Using the undo peer advertise-community command, you can remove the existing configuration. By default, no community attribute is advertised to any peer (group). Example Advertise community attributes to the peer group named test.
[3Com-bgp-af-mul] peer test advertise-community

peer allow-as-loop

Syntax
peer { group-name | peer-address } allow-as-loop asn_limit
undo peer ip-address allow-as-loop asn_limit


View IPv4 multicast sub-address family view Parameter group-name: Peer group name. peer-address: Peer IP address. asn_limit: Acceptable maximum of local AS number in the route update messages received. Description Using the peer allow-as-loop command, you can allow the local AS number to be contained in the AS-PATH attributes received. Using the undo peer allow-as-loop command, you can disallow the local AS number in the AS-PATH attributes received. The routing loop should be removed in the route update messages received in Hub&Spoke networking mode. By default, the local AS number is unacceptable in the route update messages received. The standard BGP routing loop test is based on AS numbers. In Hub&Spoke networking mode, if EBGP runs between a PE and a CE, the local AS number is contained in the routing information that the PE advertises to the CE, so the PE will not be able to receive the update messages for this route. The peer allow-as-loop command solves this problem by allowing the local AS number to be contained in the route update messages received from the CE. The acceptable maximum of the local AS number is defined via the asn_limit parameter. Example Specify to contain the local AS number in the AS_PATH attributes received.
[3Com-bgp] ipv4-family multicast
[3Com-bgp-af-mul] peer 1.1.1.1 allow-as-loop 1

peer as-path-acl

Syntax
peer { group-name | peer-address } as-path-acl number { import | export }
undo peer { group-name | peer-address } as-path-acl number { import | export }

View IPv4 multicast sub-address family view Parameter group-name: Name of the peer group. peer-address: IP address of the peer. as-path-acl number: Number of AS path list matched, ranging from 1 to 199. import: Filter list applied to incoming routes.


export: Filter list applied to outgoing routes. Description Using the peer as-path-acl command, you can configure BGP filter policy based on AS path list for the peer (group). Using the undo peer as-path-acl command, you can remove the configuration. By default, the peer (group) has no filter policy based on AS path list. Example Set BGP filter policy based on AS path list for the peer (group).
[3Com-bgp] peer test as-number 100
[3Com-bgp] ipv4-family multicast
[3Com-bgp-af-mul] peer test enable
[3Com-bgp-af-mul] peer test as-path-acl 3 export

peer enable

Syntax
peer { group-name | peer-address } enable
undo peer { group-name | peer-address } enable

View IPv4 multicast sub-address family view Parameter peer-address: IP address of the multicast peer. group-name: Name of the multicast peer group. Description Using the peer enable command, you can enable the multicast peer or peer group. Using the undo peer enable command, you can disable the multicast peer or peer group. By default, the multicast peer (or peer group) is disabled. Only after the peer (peer group) is enabled, can it establish connection with the multicast peer. Example Enable the multicast peer 1.1.11.1.
[3Com-bgp-af-mul] peer 1.1.11.1 enable
[3Com-bgp] peer test enable

peer filter-policy

Syntax
peer { group-name | peer-address } filter-policy acl-number { import | export }
undo peer { group-name | peer-address } filter-policy acl-number { import | export }


View IPv4 multicast sub-address family view Parameter group-name: Name of the peer group. peer-address: IP address of the peer. acl-number: IP ACL number, ranging from 1 to 199. import: Specifies an import policy. export: Specifies an export policy. Description Using the peer filter-policy command, you can set the filter policy list for a peer (group). Using the undo peer filter-policy command, you can remove the existing setting. By default, the peer (group) has no ACL. For the related command, see peer as-path-acl. Example Set the filter policy list for a peer.
[3Com-bgp] peer test as-number 100
[3Com-bgp] ipv4-family multicast
[3Com-bgp-af-mul] peer test enable
[3Com-bgp-af-mul] peer test filter-policy 3 import

peer ip-prefix

Syntax
peer { group-name | peer-address } ip-prefix prefixname { import | export }
undo peer { group-name | peer-address } ip-prefix prefixname { import | export }

View IPv4 multicast sub-address family view Parameter group-name: Name of the peer group. peer-address: IP address of the peer. ip-prefix prefixname: Specifies ip-prefix name, ranging from 1 to 19 characters. import: Applies the filter policy to routes accepted by the specified peer (group). export: Applies the filter policy to routes sent by the specified peer (group).


Description Using the peer ip-prefix command, you can configure the route filter policy based on the address prefix-list for the peer (group). Using the undo peer ip-prefix command, you can remove the configuration. By default, no route filter policy is configured for the peer (group). Example Configure the route filter policy based on the address prefix-list for the peer.
[3Com-bgp-af-mul] peer group1 ip-prefix list1 import

peer next-hop-local

Syntax
peer { group-name | peer-address } next-hop-local
undo peer { group-name | peer-address } next-hop-local

View IPv4 multicast sub-address family view Parameter group-name: Name of the peer group. peer-address: IP address of the peer. Description Using the peer next-hop-local command, you can remove the processing of the next hop in routes which BGP will advertise to the peer (group), and set the local address as the next hop. Using the undo peer next-hop-local command, you can remove the existing setting. Example Set the local address as the next hop when advertising routes to peer group named test.
[3Com-bgp-af-mul] peer test next-hop-local

peer public-as-only

Syntax
peer { group-name | peer-address } public-as-only
undo peer { group-name | peer-address } public-as-only

View IPv4 multicast sub-address family view Parameter group-name: Name of the peer group. peer-address: IP address of the peer.


Description Using the peer public-as-only command, you can configure only to carry public AS number rather than private AS number when BGP sends update packets. Using the undo peer public-as-only command, you can choose to carry a private AS number when BGP sends update packets. By default, the private AS number is carried when BGP sends update packets. Generally, BGP sends update packets with the AS number (which can be either the public AS number or private AS number). To enable some external routers to ignore the private AS number when sending update packets, you can configure not to carry the private AS number when BGP sends update packets. Example Configure not to carry private AS number when BGP sends update packets to peer group named test.
[3Com-bgp-af-mul] peer test public-as-only

peer reflect-client

Syntax
peer { group-name | peer-address } reflect-client
undo peer { group-name | peer-address } reflect-client

View IPv4 multicast sub-address family view Parameter group-name: Name of the peer group. peer-address: IP address of the peer. Description Using the peer reflect-client command, you can configure a peer (group) as a client of the route reflector. Using the undo peer reflect-client command, you can remove the existing configuration. By default, there is no route reflector in the autonomous system. Example Configure peer group named test to be client of the route reflector.
[3Com-bgp-af-mul] peer test reflect-client

peer route-policy

Syntax
peer { group-name | peer-address } route-policy policy-name { import | export }
undo peer { group-name | peer-address } route-policy policy-name { import | export }

View IPv4 multicast sub-address family view


Parameter group-name: Name of the peer group. peer-address: IP address of the peer. route-policy policy-name: Route policy specified. import: Applies route policy to the routes received from the peer (group). export: Applies route policy to the routes advertised to the peer (group). Description Using the peer route-policy command, you can configure route policy for the specified peer (group). Using the undo peer route-policy command, you can remove the route policy of the peer (group). By default, no route policy is specified for the peer (group). Example Apply route policy policy1 to the routes received from the peer group named test.
[3Com-bgp-af-mul] peer test route-policy policy1 import

Multicast Static Route Configuration Commands
delete rpf-route-static all

Syntax
delete rpf-route-static all

View System view Parameter None Description Using the delete rpf-route-static all command, you can delete all the static multicast routes. When using this command, the system will prompt you to acknowledge. All static multicast routes will be deleted after your acknowledgement. For the related command, see ip rpf-route-static and display multicast routing-table static. Example Delete all the static multicast routes.
[3Com] delete rpf-route-static all


display multicast routing-table static

Syntax
display multicast routing-table static [ source mask ]

View Any view Parameter source: IP address of multicast source (unicast address). mask: IP address mask of multicast source. Description Using the display multicast routing-table static command, you can view the active multicast static routes. If no multicast source address is specified, all active multicast static routes will be displayed. For the related command, see display multicast routing-table static config. Example Display all active multicast static routes.
<3Com> display multicast routing-table static
22.22.0.0/16 [inactive]
RPF interface = serial0/0/0, RPF neighbor = 66.55.99.88
Matched routing protocol = = <none>, route-policy = <none>, preference = 1
Running config = ip mroute 22.22.0.0 16 66.55.99.88 preference 1

Display the multicast static routes that exactly match the address 10.10.0.0/16.
<3Com> display multicast routing-table static 10.10.0.0 255.255.0.0

display multicast routing-table static config

Syntax
display multicast routing-table static config [ source mask ]

View Any view Parameter source: IP address of multicast source (unicast address). mask: IP address mask of multicast source. Description Using the display multicast routing-table static config command, you can view multicast static routes configured. If no multicast source address is specified, all configured multicast static routes will be displayed. For the related command, see display multicast routing-table static.


Example Display all the configured multicast static routes.
<3Com> display multicast routing-table static config

Display the multicast static routes that exactly match the address 1.0.0.0/8.
<3Com> display multicast routing-table static config 1.0.0.0 255.0.0.0

ip rpf-longest-match

Syntax
ip rpf-longest-match
undo ip rpf-longest-match

View System view Parameter None Description Using the ip rpf-longest-match command, you can configure the longest-match rule to be the multicast RPF route selecting policy. Using the undo ip rpf-longest-match command, you can restore the default configuration. By default, routes are selected according to the preference-preferred rule. Example Set the longest-match rule to be the multicast RPF route selecting policy.
[3Com] ip rpf-longest-match

ip rpf-route-static

Syntax
ip rpf-route-static source { mask | mask-length } [ protocol ] [ route-policy policyname ] { rpf-nbr | interface-name } [ order order-num | preference preference ]
undo ip rpf-route-static source { mask | mask-length } [ protocol ] [ route-policy policyname ]

View System view Parameter source: IP address of multicast source (unicast address). mask: IP address mask of multicast source. mask-length: IP address mask length of multicast source. protocol: Indicates that matched routes must appear in the specified unicast routing protocol. Protocol can be such unicast routing protocols as bgp, isis, ospf, rip and static. route-policy: Match rule for static multicast routes.


rpf-nbr: IP address of the RPF neighbor router. interface-name: Name of the interface connected to the RPF neighbor router, including interface type and interface number. order-num: Changes the configuration location of routes on the same network segment. The value ranges from 1 to 100. preference: Route preference, ranging from 1 to 255. By default, the value is 1. Description Using the ip rpf-route-static command, you can configure multicast static routes. Using the undo ip rpf-route-static command, you can remove the multicast static routes from the multicast static routing table. For the related commands, see display multicast routing-table static config and display multicast routing-table static. Example Configure a multicast static route.
<3Com> system-view
[3Com] ip rpf-route-static 1.0.0.0 255.0.0.0 rip route-policy map1 11.0.0.1

Display the multicast static route configured.
[3Com] display multicast routing-table static config

Continue to configure the multicast static route.
[3Com] ip rpf-route-static 1.0.0.0 255.0.0.0 rip route-policy map1 13.1.1.2

Display the multicast static route configured.
[3Com] display multicast routing-table static config

Continue to configure the multicast static route.
[3Com] ip rpf-route-static 1.0.0.0 255.0.0.0 null0

Display the multicast static route configured.
[3Com] display multicast routing-table static config

8

MPLS Basic Configuration Commands

This chapter describes the following types of commands:
■ Basic Configuration Commands
■ LDP Configuration Commands
■ BGP/MPLS VPN Configuration Commands
■ MPLS L2VPN CCC Configuration Commands
■ SVC MPLS L2VPN Configuration Commands
■ Martini MPLS L2VPN Configuration Commands
■ Kompella MPLS L2VPN Configuration Commands

Basic Configuration Commands
debugging mpls lspm

Syntax
debugging mpls lspm { all | packet | event | ftn | process | agent | interface | policy | vpn }
undo debugging mpls lspm { all | packet | event | ftn | process | agent | interface | policy | vpn }

View
User view

Parameter
agent: Enables all MPLS Agent information debugging.
all: Enables all MPLS-related information debugging.
event: Enables information debugging of various MPLS events.
ftn: Enables MPLS ftn debugging.
interface: Enables the MPLS information debugging on the message sending/receiving interface.
packet: Enables MPLS packet debugging.
policy: Enables MPLS information debugging.
process: Enables internal processing of MPLS information debugging.
vpn: Enables all MPLS VPN information debugging.

Description
Using the debugging mpls lspm command, you can enable various LSP information debugging. Using the undo debugging mpls lspm command, you can disable corresponding debugging. By default, all debugging is disabled. This command is used to debug problems that occur while using MPLS LSPM. Enabling the debugging will affect the performance of the router, so it is recommended that the command be used with caution.

Example
Enable all relevant debugging of MPLS VPN.
<3Com> debugging mpls lspm vpn

display mpls interface

Syntax
display mpls interface

View
Any view

Parameter
None

Description
Using the display mpls interface command, you can view all MPLS-enabled interfaces. For the related commands, see display mpls lsp, display mpls statistics, display static-lsp.

Example
Display all MPLS-enabled interfaces.
[3Com] display mpls interface

display mpls lsp

Syntax
display mpls lsp { verbose | include text }

View
Any view

Parameter
include text: Displays the information with the specified string included.
verbose: Displays detailed information.

Description
Using the display mpls lsp command, you can view LSP information. By default, the display mpls lsp command displays all LSP information. For the related commands, see display mpls interface, display mpls statistics, and display static-lsp.

Example
Display all LSPs whose incoming interfaces are Serial 3/0/0.
[3Com] display mpls lsp include incoming-interface serial3/0/0

display mpls static-lsp

Syntax
display mpls static-lsp { verbose | include text }

View
Any view

Parameter
include text: Displays the information with the specified string included.
verbose: Displays detailed information.

Description
Using the display mpls static-lsp command, you can display the information of all or single static LSP(s). For the related commands, see display mpls interface, display mpls lsp, and display mpls statistics.

Example
Display information of the static LSP named “marlborough”.
[3Com] display mpls static-lsp include marlborough

display mpls statistics

Syntax
display mpls statistics { { interface { all | interface-type interface-num } } | { lsp [ lsp-Index | all | name lsp-name ] } }

View
Any view

Parameter
interface-type: Type of network interface.
interface-num: Number of network interface.
lsp-Index: LSP index.
all: All LSPs.
name lsp-name: LSP name.

Description
Using the display mpls statistics command, you can display statistics of all or single LSP(s) and LSP statistics on all or single interface(s). Specifically, the displayed information includes the bytes, packets, errors and discarded packets processed on each LSP ingress and each LSP egress, and those received and transmitted on each MPLS-enabled interface. For the related commands, see display mpls interface and display mpls lsp.

Example
Display MPLS statistics.
[3Com] display mpls statistics lsp all
Building the information...
LSP Index/LSP Name : 1/lsp1
InSegment Octets of LSP is: 0             Bytes processed on each LSP ingress
InSegment Packets of LSP is: 0            Packets processed on each LSP ingress
InSegment Errors of LSP is: 0             Errors processed on each LSP ingress
InSegment Discard Packets of LSP is: 0    Discarded packets processed on each LSP ingress
LSP Index/LSP Name : 1/lsp1
OutSegment Octets of LSP is: 0            Bytes processed on each LSP egress
OutSegment Packets of LSP is: 0           Packets processed on each LSP egress
OutSegment Errors of LSP is: 0            Errors processed on each LSP egress
OutSegment Discard Packets of LSP is: 0   Discarded packets processed on each LSP egress
LSP Index/LSP Name : 17416/dynamic-lsp
InSegment Octets of LSP is: 0
InSegment Packets of LSP is: 0
InSegment Errors of LSP is: 0
InSegment Discard Packets of LSP is: 0
LSP Index/LSP Name : 17416/dynamic-lsp
OutSegment Octets of LSP is: 0
OutSegment Packets of LSP is: 0
OutSegment Errors of LSP is: 0
OutSegment Discard Packets of LSP is: 0

Display MPLS statistics on all interfaces.
[3Com] display mpls statistics interface all
Showing statistics about all MPLS interface:
The statistics of interface : Serial6/0/0
The statistics of interface in :
In Octets of Mpls interface is: 0
In Packets of Mpls interface is: 0
In Errors of Mpls interface is: 0
In Discard Packets of Mpls interface is: 0
The statistics of interface out :
Out Octets of Mpls interface is: 0
Out Packets of Mpls interface is: 0
Out Errors of Mpls interface is: 0
Out Discard Packets of Mpls interface is: 0
The statistics of interface : Serial6/0/1
The statistics of interface in :
In Octets of Mpls interface is: 0
In Packets of Mpls interface is: 0
In Errors of Mpls interface is: 0
In Discard Packets of Mpls interface is: 0
The statistics of interface out :
Out Octets of Mpls interface is: 0
Out Packets of Mpls interface is: 0
Out Errors of Mpls interface is: 0
Out Discard Packets of Mpls interface is: 0

Table 1 Description of the Output Information of the display mpls statistics interface all Command

Field                                          Description
In Octets of Mpls interface is: 0              Bytes coming from the interface
In Packets of Mpls interface is: 0             Packets coming from the interface
In Errors of Mpls interface is: 0              Packet processing errors coming from the interface
In Discard Packets of Mpls interface is: 0     Discarded packets coming from the interface
Out Octets of Mpls interface is: 0             Bytes sent from the interface
Out Packets of Mpls interface is: 0            Packets sent from the interface
Out Errors of Mpls interface is: 0             Packet processing errors sent from the interface
Out Discard Packets of Mpls interface is: 0    Discarded packets sent from the interface

lsp-trigger

Syntax
lsp-trigger { all | ip-prefix ip-prefix }
undo lsp-trigger { all | ip-prefix ip-prefix }

View
MPLS view

Parameter
all: Sets up LSPs at any routes.
ip-prefix: Sets up LSPs only at those routes with the specified IP prefix.
ip-prefix: IP address prefix list, in the range of 1~19.

Description
Using the lsp-trigger command, you can configure topology-triggered LSP creation policy. Using the undo lsp-trigger command, you can remove the filtering conditions specified by parameters and enable no route to trigger LSP creation. By default, all kinds of routing protocols are filtered out. If no topology-triggered policy is configured, LSPs can be established at all host routes with 32-bit masks. If you import an IP-prefix rule without contents, LSPs can be established at all host routes according to the IP-prefix usage convention in VRP. For the related command, see ip ip-prefix.

Example
Allow LSPs to be set up at all routes.
[3Com-mpls] lsp-trigger all

mpls

Syntax
mpls

View
System view, routing protocol view, interface view, virtual interface view

Parameter
None

Description
Using the mpls command in system view, you can enter MPLS view. Using the mpls command in interface view, you can enable MPLS on the interface. By default, MPLS view is not entered. After executing the command, the user enters MPLS view. Other MPLS commands can be configured only after entering MPLS view. To enter MPLS view, the user should configure the mpls lsr-id command first. For the related command, see mpls enable | disable.

Example
Enter MPLS view in system view.
[3Com] mpls
[3Com-mpls]

Execute MPLS in interface view.
[3Com-Ethernet6/0/0] mpls
Mpls starting, please wait... OK!

mpls lsr-id

Syntax
mpls lsr-id ip-address
undo mpls lsr-id

View
System view

Parameter
ip-address: LSR ID, with a form like IP address, used to identify an LSR.

Description
Using the mpls lsr-id command, you can configure an LSR ID. Using the undo mpls lsr-id command, you can delete an LSR ID. By default, an LSR has no ID. As a premise for configuring other MPLS commands, using this command you can configure an LSR ID. The form of an LSR ID resembles that of an IP address. It is recommended to use a loopback address of LSR. For the related command, see display mpls interface.

Example
Configure the ID of the LSR as 202.17.41.246.
[3Com] mpls lsr-id 202.17.41.246
% Mpls lsr-id changed.

reset mpls statistics

Syntax
reset mpls statistics { { interface { all | interface-type interface-num } } | { lsp lsp-index | all | name lsp-name } }

View
MPLS view

Parameter
all: All interfaces or all LSPs.
interface-type: Type of a network interface.
interface-num: Number of a network interface.
lsp-index: LSP index.
name lsp-name: Name of LSP.

Description
Using the reset mpls statistics command, you can clear MPLS statistics. This command clears statistics on all or single interface(s) or on all or single LSP(s). For the related command, see display mpls statistics.

Example
Clear statistics on the LSP named “Marlborough”.
[3Com] reset mpls statistics lsp name marlborough

snmp-agent trap enable ldp

Syntax
snmp-agent trap enable ldp
undo snmp-agent trap enable ldp

View
System view

Parameter
None

Description
Using the snmp-agent trap enable ldp command, you can enable Trap function in MPLS LDP creation. Using the undo snmp-agent trap enable ldp command, you can disable Trap function in MPLS LDP creation. By default, TRAP function is not enabled during MPLS LDP creation.

Example
Enable TRAP function during MPLS LDP creation.
[3Com] snmp-agent trap enable ldp

snmp-agent trap enable lsp

Syntax
snmp-agent trap enable lsp
undo snmp-agent trap enable lsp

View
System view

Parameter
None

Description
Using the snmp-agent trap enable lsp command, you can enable Trap function in MPLS LSP creation. Using the undo snmp-agent trap enable lsp command, you can disable Trap function in MPLS LSP creation. By default, TRAP function is not enabled during MPLS LSP creation.

Example
Enable TRAP function during MPLS LSP creation.
[3Com] snmp-agent trap enable lsp

static-lsp egress

Syntax
static-lsp egress lsp-name incoming-interface interface-type interface-num in-label in-label-value
undo static-lsp egress lsp-name

View
MPLS view

Parameter
lsp-name: Name of LSP.
interface-type: Type of network interface.
interface-num: Number of network interface.
in-label-value: Value of inbound label, ranging from 16 to 1024.

Description
Using the static-lsp egress command, you can configure a static LSP for an egress LSR. Using the undo static-lsp egress command, you can delete an LSP for an egress LSR. By default, this command can be used to configure a static LSP for an egress LSR. For the related commands, see static-lsp ingress and debugging mpls.

Example
Configure a static LSP named “bj-sh” on the egress LSR.
[3Com-mpls] static-lsp egress bj-sh incoming-interface serial8/0/0 in-label 233

static-lsp ingress

Syntax
static-lsp ingress lsp-name destination dest-addr { addr-mask | mask-length } { { nexthop next-hop-addr } | { outgoing-interface interface-type interface-num } } out-label out-label-value
undo static-lsp ingress lsp-name

View
MPLS view

Parameter
lsp-name: Name of LSP.
dest-addr: Destination IP address.
addr-mask: Destination IP address mask.
mask-length: Mask length of destination IP address.
next-hop-addr: Next-hop address.
interface-type: Type of network interface.
interface-num: Number of network interface.
out-label-value: Value of outbound label, ranging from 16 to 1024.

Description
Using the static-lsp ingress command, you can configure a static LSP for an ingress LSR. Using the undo static-lsp ingress command, you can delete an LSP for an ingress LSR. This command can be used to configure a static LSP for ingress LSR and simultaneously set precedence value and metric value for the LSP. For the related commands, see static-lsp egress, static-lsp transit, and debugging mpls.

Example
Configure a static LSP for the ingress LSR heading for the destination address 202.25.38.1.
[3Com-mpls] static-lsp ingress bj-sh destination 202.25.38.1 24 nexthop 202.55.25.33 out-label 237

static-lsp transit

Syntax
static-lsp transit lsp-name incoming-interface interface-type interface-num in-label in-label-value { nexthop next-hop-addr | outgoing-interface interface-type interface-num } out-label out-label-value
undo static-lsp transit lsp-name

View
MPLS view

Parameter
lsp-name: Name of LSP.
interface-type: Type of an incoming or outgoing interface.
interface-num: Number of an incoming or outgoing interface.
next-hop-addr: Next-hop address.
in-label-value: Value of inbound label, ranging from 16 to 1024.
out-label-value: Value of outbound label, ranging from 16 to 1024.

Description
Using the static-lsp transit command, you can configure a static LSP for transit LSR. Using the undo static-lsp transit command, you can delete an LSP for transit LSR. This command can be used to configure a static LSP for transit LSR. For the related commands, see static-lsp egress and static-lsp ingress.

Example
Configure a static LSP for the serial interface Serial3/0/0 on transit LSR, with an inbound label of 123 and an outbound label of 253.
[3Com-mpls] static-lsp transit bj-sh incoming-interface serial3/0/0 in-label 123 nexthop 202.34.114.7 out-label 253

statistics interval

Syntax
statistics interval interval-time
undo statistics interval

View
MPLS view

Parameter
interval-time: Time interval in seconds. It ranges from 30 to 65535.

Description
Using the statistics interval command, you can configure the time interval for reporting statistics. Using the undo statistics interval command, you can restore the default value. By default, the interval is 0 seconds, that is, not to report statistics.

Example
Configure the time interval as 30 seconds, that is, to report statistics every 30 seconds.
[3Com-mpls] statistics interval 30

LDP Configuration Commands
debugging mpls ldp

Syntax
debugging mpls ldp { all | main | advertisement | session | pdu | notification | remote } [ interface interface-type interface-num ]
undo debugging mpls ldp { all | main | advertisement | session | pdu | notification | remote } [ interface interface-type interface-num ]

View
User view

Parameter
all: Displays all debugging information related to LDP.
main: Displays the debugging information of main LDP task.
advertisement: Displays the debugging information during processing LDP advertisement.
session: Displays debugging information during processing LDP session.
pdu: Displays the debugging information during processing PDU data packets.
notification: Displays the debugging information while handling notification messages.
remote: Displays debugging information of all remote peers.
interface interface-type interface-num: Displays all the debugging information of a specified interface.

Description
Using the debugging mpls ldp command, you can enable the debugging of various LDP messages. Using the undo debugging mpls ldp command, you can disable the debugging of various LDP messages. This command displays various LDP debugging information. Use the command with caution.

Example
Enable LDP debugging.
<3Com> debugging mpls ldp all

display mpls ldp

Syntax
display mpls ldp

View
Any view

Parameter
None

Description
Using the display mpls ldp command, you can view LDP and LSR information. By default, the command displays LDP and LSR information. For the related command, see mpls ldp.

Example
Display LDP and LSR information.
[3Com] display mpls ldp

display mpls ldp buffer-info

Syntax
display mpls ldp buffer-info

View
Any view

Parameter
None

Description
Using the display mpls ldp buffer-info command, you can view the buffer information of LDP.

Example
Display LDP buffer information.
[3Com] display mpls ldp buffer-info
-----------------------------------------------------------------
Buffer-Name    Buffer-ID    Buffer-Size    Total-Count    Free-Count
-----------------------------------------------------------------
ENTITY         0            292            199            195
LOCAL-IF       1            36             200            196
PEER-IF        2            40             201            195
PDU            3            204            249            249
ADJACENCY      4            56             201            198
PEER-INF       5            116            201            198
SESSION        6            176            201            198
US-BLK         7            264            1052           1028
DS-BLK         8            240            1052           1042
FEC            9            40             1042           1032
US-LIST        10           16             1052           1028
TRIG-BLK       11           56             2076           2071
LABEL-RANGE    12           20             198            198
CR-TUNNEL      13           124            128            128
ER-HOP         14           40             4096           4096
IF-MSG         15           24             9999           9999
-----------------------------------------------------------------
Buffer no error.

display mpls ldp interface

Syntax
display mpls ldp interface

View
Any view

Parameter
None

Description
Using the display mpls ldp interface command, you can view the information of an LDP-enabled interface. For the related commands, see mpls ldp enable and display mpls ldp session.

Example
Display the information of an LDP-enabled interface.
[3Com-Ethernet3/0/0] display mpls ldp interface

display mpls ldp lsp

Syntax
display mpls ldp lsp

View
Any view

Parameter
None

Description
Using the display mpls ldp lsp command, you can view relevant LSP information created via LDP. For the related command, see display mpls lsp.

Example
Display LSP.
[3Com-Ethernet3/0/0] display mpls ldp lsp

display mpls ldp peer

Syntax
display mpls ldp peer

View
Any view

Parameter
None

Description
Using the display mpls ldp peer command, you can display peer information. By default, all peer information is displayed.

Example
Display peer information.
[3Com] display mpls ldp peer

display mpls ldp remote

Syntax
display mpls ldp remote

View
Any view

Parameter
None

Description
Using the display mpls ldp remote command, you can display the configured remote peer information. By default, all configured remote-peer information is displayed. For the related commands, see mpls ldp remote and remote-peer.

Example
Display the configured remote-peer information.
[3Com] display mpls ldp remote

display mpls ldp session

Syntax
display mpls ldp session

View
Any view

Parameter
None

Description
Using the display mpls ldp session command, you can display the session between peers. By default, the session between peers is displayed. For the related command, see mpls ldp enable.

Example
Display the session between peers.
[3Com] display mpls ldp session

mpls ldp

Syntax
mpls ldp
undo mpls ldp

View
System view

Parameter
None

Description
Using the mpls ldp command, you can enable LDP. Using the undo mpls ldp command, you can disable LDP. By default, LDP is disabled. Before enabling LDP, you must enable MPLS and configure LSR ID first. For the related command, see mpls lsr-id.

Example
Enable LDP.
[3Com] mpls ldp

mpls ldp advertise

Syntax
mpls ldp advertise { implicit-null | explicit-null | non-null }
undo mpls ldp advertise { implicit-null | explicit-null | non-null }

View
System view

Parameter
explicit-null: Specifies to assign explicit null label to the penultimate hop at egress.
implicit-null: Specifies to assign implicit null label to the penultimate hop at egress.
non-null: Specifies to assign normal label to the penultimate hop at egress.

■ Label value 0 stands for IPv4 Explicit NULL Label, which is valid only at the bottom of label stack. That is, the label stack must be popped and forwarded as IPv4 header.
■ Label value 1 stands for Router Alert Label, which is valid except at the bottom of label stack. When receiving messages with label value 1 at the top of the label stack, the system forwards them into local software module for further processing. If a lower-layer label is to be forwarded, it must be put with Router Alert Label.
■ Label value 2 stands for IPv6 Explicit NULL Label, which is valid only at the bottom of label stack. That is, the label stack must be popped and forwarded as IPv4 header.
■ Label value 3 stands for Implicit NULL Label, which can be distributed and forwarded, but cannot be placed in encapsulation. When LSR switches top-layer labels, it only needs to pop the labels, but cannot replace them when using label 3 to replace the original label.
■ Labels 4~15 are reserved.

Description
Using the mpls label advertise command, you can specify what label is to be assigned to the penultimate hop at egress node. Using the undo mpls label advertise command, you can restore the default value. When the keyword explicit-null is selected, the m-layer label of a packet with m-layer label parameter will be popped at the penultimate LSR of the LSP, but not the egress LSR. This can lower operation restriction at egress node and mitigate the traffic at the egress node to a degree. By default, implicit label is assigned to the penultimate hop at egress node. If explicit null label is assigned to the penultimate hop, it can only reside at the bottom of the label stack.

Example
Specify at the egress to allocate general labels to the penultimate hop.
[3Com-mpls] mpls label advertise non-null

mpls ldp enable

Syntax
mpls ldp enable
mpls ldp disable

View
Interface view

Parameter
None

Description
Using the mpls ldp enable command, you can enable LDP on an interface. Using the undo mpls ldp enable command, you can disable LDP on an interface. By default, LDP is not enabled on an interface. To enable an interface, you must enable LDP first. After LDP is enabled on an interface, peer discovery and session creation proceed.

Example
Enable LDP on the interface.
[3Com-Ethernet3/0/0] mpls ldp enable

mpls ldp hops-count

Syntax
mpls ldp hops-count hop-number
undo mpls ldp hops-count

View
System view

Parameter
hop-number: The maximum hops of loop detection, ranging from 1 to 32.

Description
Using the mpls ldp hops-count command, you can set the maximum hops of loop detection. Using the undo mpls ldp hops-count command, you can restore the default value. By default, the maximum hops of loop detection is 32. This command should be configured before enabling LDP on all interfaces. Its value, which depends on actual networking situation, decides the loop detection speed during LSP creation. For the related commands, see mpls ldp loop-detect and mpls ldp path-vectors.

Example
Set the maximum hops of loop detection to be 22.
[3Com] mpls ldp hops-count 22

Set the maximum hops of loop detection as 32, the default value.
[3Com] undo mpls ldp hops-count

mpls ldp loop-detect

Syntax
mpls ldp loop-detect
undo mpls ldp loop-detect

View
System view

Parameter
None

Description
Using the mpls ldp loop-detect command, you can enable loop detection. Using the undo mpls ldp loop-detect command, you can disable loop detection. By default, loop detection is disabled in the system. This command should be configured before enabling LDP on all interfaces. For the related commands, see mpls ldp hops-count, mpls ldp path-vectors.

Example
Enable loop detection.
[3Com] mpls ldp loop-detect

Disable loop detection.
[3Com] undo mpls ldp loop-detect

mpls ldp password

Syntax
mpls ldp password [ cipher | simple ] password
undo mpls ldp password

View
Interface view, remote-peer view

Parameter
simple: Transmitted in plain text.
cipher: Transmitted in encrypted text.
password: User password.

Description
Using the mpls ldp password command, you can configure LDP authentication mode. Using the undo mpls ldp password command, you can remove the configuration.

Example
Configure the LDP authentication mode to be in plain text, with a password of 123.
[3Com-Ethernet0/0/0.1] mpls ldp password simple 123


mpls ldp path-vectors

Syntax
mpls ldp path-vectors pv-number
undo mpls ldp path-vectors

View
System view

Parameter
pv-number: The configured maximum value of path vector, ranging from 1 to 32.

Description
Using the mpls ldp path-vectors command, you can set the maximum value of path vector. Using the undo mpls ldp path-vectors command, you can restore the maximum value of path vector. By default, pv-number is 32. This command should be configured before enabling LDP on all interfaces. Its value, which depends on actual networking situation, decides the loop detection speed in LSP creation. For the related commands, see mpls ldp loop-detect and mpls ldp hops-count.

Example
Set the maximum value of path vector to be 23.
[3Com] mpls ldp path-vectors 23

Restore the maximum value of path vector.
[3Com] undo mpls ldp path-vectors
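
The following audit script is an added example, not part of the 3Com manual. It checks a saved configuration against the values this chapter documents: static LSP labels (16 to 1024), hops-count and path-vectors (1 to 32), and the simple versus cipher keyword of mpls ldp password. The file layout (one command per line, an "interface <name>" line opening each interface view, indented sub-commands), the rule names and the sample configuration are assumptions constructed for the example.

```python
import re

# Ranges stated in the command reference.
LABEL_RANGE = range(16, 1025)   # static-lsp in-label / out-label: 16 to 1024
LOOP_RANGE = range(1, 33)       # hops-count and path-vectors: 1 to 32

LABEL_RE = re.compile(r"\b(in-label|out-label)\s+(\d+)")
LOOP_RE = re.compile(r"^mpls ldp (hops-count|path-vectors) (\d+)$")
PASSWORD_RE = re.compile(r"^mpls ldp password(?: (cipher|simple))? \S+$")
INTERFACE_RE = re.compile(r"^interface (\S+)$")

# Constructed sample configuration (assumed layout, not captured from a device).
SAMPLE_CONFIG = """\
mpls lsr-id 202.17.41.246
mpls
 lsp-trigger all
 static-lsp ingress bj-sh destination 202.25.38.1 24 nexthop 202.55.25.33 out-label 237
 static-lsp transit bj-sh2 incoming-interface serial3/0/0 in-label 3 nexthop 202.34.114.7 out-label 2000
mpls ldp
mpls ldp hops-count 40
interface Ethernet3/0/0
 mpls
 mpls ldp enable
 mpls ldp password simple 123
interface Ethernet3/0/1
 mpls
 mpls ldp enable
interface Serial6/0/0
 mpls
 mpls ldp enable
 mpls ldp password cipher EXAMPLE-CIPHERTEXT
"""


def audit(config_text):
    """Return (line_no, rule_id, detail) findings, sorted by line number."""
    findings = []
    ldp_ifaces = {}      # interface name -> {"enabled_at": line or None, "password": bool}
    current_if = None
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = " ".join(raw.split())          # collapse runs of whitespace
        if not line:
            continue
        if not raw[0].isspace():
            # Assumption: a non-indented line leaves the interface view,
            # and "interface <name>" opens a new one.
            opened = INTERFACE_RE.match(line)
            current_if = opened.group(1) if opened else None
            if opened:
                continue
        if line.startswith("static-lsp "):
            for keyword, value in LABEL_RE.findall(line):
                if int(value) not in LABEL_RANGE:
                    findings.append((line_no, "LABEL_RANGE",
                                     f"{keyword} {value} is outside 16-1024"))
        loop = LOOP_RE.match(line)
        if loop and int(loop.group(2)) not in LOOP_RANGE:
            findings.append((line_no, "LOOP_PARAM_RANGE",
                             f"{loop.group(1)} {loop.group(2)} is outside 1-32"))
        if current_if is None:
            continue
        state = ldp_ifaces.setdefault(
            current_if, {"enabled_at": None, "password": False})
        if line == "mpls ldp enable":
            state["enabled_at"] = line_no
        password = PASSWORD_RE.match(line)
        if password:
            state["password"] = True
            if password.group(1) == "simple":
                # Never echo the password itself into the report.
                findings.append((line_no, "LDP_PASSWORD_PLAINTEXT",
                                 f"{current_if}: LDP password uses 'simple' (plain text)"))
    # Policy assumption of this example: every LDP-enabled interface
    # should carry an mpls ldp password line.
    for name, state in ldp_ifaces.items():
        if state["enabled_at"] is not None and not state["password"]:
            findings.append((state["enabled_at"], "LDP_NO_PASSWORD",
                             f"{name}: LDP enabled without an mpls ldp password line"))
    return sorted(findings, key=lambda finding: finding[0])


if __name__ == "__main__":
    for line_no, rule_id, detail in audit(SAMPLE_CONFIG):
        print(f"line {line_no:>2}  {rule_id:<22}  {detail}")
```
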

mpls ldp remote-peer

Syntax
mpls ldp remote-peer Index
undo mpls ldp remote-peer Index

View
System view or remote-peer view

Parameter
Index: Index of remote peer, used to identify an entity. It ranges from 0 to 99.

Description
Using the mpls ldp remote-peer command, you can create a remote-peer entity and enter remote-peer view. Using the undo mpls ldp remote-peer command, you can delete a remote-peer entity. This command can create/delete a remote-peer so as to create remote session. For the related command, see remote-peer.

Example
Create a remote-peer.
[3Com] mpls ldp remote-peer 22
[3Com-mpls-remote22]

Delete a remote-peer.
[3Com-mpls-remote22] undo mpls ldp remote-peer 12
[3Com]

mpls ldp reset-session

Syntax
mpls ldp reset-session peer-address

View
Interface view

Parameter
peer-address: Corresponding LDP Peer address (in IP address format).

Description
Using the mpls ldp reset-session command, you can reset a specified session on an interface. After LDP is configured on an interface and LDP session is created, this command can be used to reset a specified session on the interface only by specifying the address of the peer corresponding to the session to be reset. For the related commands, see mpls ldp and mpls ldp enable.

Example
Reset the sessions at the interface Ethernet0/0/0.
[3Com-Ethernet0/0/0] mpls ldp reset-session 10.1.1.1

mpls ldp timer

Syntax
mpls ldp timer { session-hold session-holdtime | hello hello-holdtime }
undo mpls ldp timer { session-hold | hello }

View
Interface view, remote-peer view

Parameter
hello hello-holdtime: Specifies the hold time of the hello timer in seconds, in the range of 6 seconds to 65535 seconds.
session-hold session-holdtime: Specifies the hold time of the session timer, in the range of 1 second to 65535 seconds.
By default, hello secs is 15 seconds, session-hold secs is 5 seconds.

Description
Using the mpls ldp timer command, you can set the duration of a Hello timer. Using the undo mpls ldp timer command, you can restore the default value. Timeout of Hello timer means that the adjacency relation with the peer is down, while timeout of hold timer means that the session relation with the peer is down. Generally speaking, the default value can be directly adopted. In special cases, it needs to be modified according to requirements. It should be noted that the modification of hello parameter may cause the original session to be recreated and the LSP created on the basis of this session will also be deleted and needs to be recreated. In general, the transmission interval of hello/keepalive packets is one-third of the hold time of hello/session timer. For the related commands, see mpls ldp and mpls ldp enable.

Example
Modify the duration of a Hello timer.
[3Com-Ethernet3/0/0] mpls ldp timer hello 30

mpls ldp transport-ip

Syntax
mpls ldp transport-ip { interface | ip-address }
undo mpls ldp transport-ip

View
Interface view

Parameter
interface: Takes the IP address of the interface as the transport address.
ip-address: Takes the IP address as the transport address.

Description
Using the mpls ldp transport-ip command, you can configure an LDP transport address. Using the undo mpls ldp transport-ip command, you can restore the default LDP transport address. By default, the transport address is the LSR ID of an LSR. For a remote-peer, the configuration of transport address is not supported and its transport address is fixed as an LSR ID. By default, LSR ID is required to be an address of a certain loopback interface and its peer should have route to the address of the loopback interface. Only in this way can the session be successfully created. In the case of local peer, the address of the local interface or the Router ID of LSR can be adopted as its transport address.

Example
Take the address of the local interface as a transport address.
[3Com-Ethernet3/0/0] mpls ldp transport-ip interface

Take the address of another interface as the transport address.
[3Com-Ethernet3/0/0] mpls ldp transport-ip 10.1.11.2

remote-ip

Syntax
remote-ip remoteip

View
Remote-peer view

Parameter
remoteip: IP address of a remote peer.

Description
Using the remote-ip command, you can configure a remote IP address. The address should be the LSR ID of the remote LSR. For remote peers, as they adopt LSR ID as their transport address, two remote peers take their LSR ID as their transport addresses for creating TCP connection. For the related command, see mpls ldp remote-peer.

Example
Configure the address of remote-peer.
[3Com] mpls ldp remote-peer 12
[3Com-remote-peer12] remote-ip 192.168.1.

BGP/MPLS VPN Configuration Commands
apply access-vpn vpn-instance

Syntax
apply access-vpn vpn-instance { vpn-name1 vpn-name2 … }
undo apply access-vpn vpn-instance { vpn-name1 vpn-name2 … }

View
Route-policy view

Parameter
vpn-name: Name of the configured VPN instance. At most, 6 VPN names can be configured.

Description
Using the apply access-vpn vpn-instance command, you can specify that, after policy routing is enabled, a packet searches for the private network forwarding route in vpn-name1, vpn-name2, vpn-name3, vpn-name4, vpn-name5, vpn-name6 (if they all exist) and is forwarded accordingly. Using the undo apply access-vpn vpn-instance command, you can remove this function.

Example
Specify the configured VPN instance.
[3Com-route-policy] apply access-vpn vpn-instance vpn1

debugging bgp

Syntax
debugging bgp [ { { keepalive | open | packet | update | route-refresh } [ receive | send | verbose ] } { all | event | normal }
undo debugging bgp [ { { keepalive | open | packet | update | route-refresh } [ receive | send | verbose ] } { all | event | normal }

View
User view

Parameter
keepalive: Displays BGP keepalives.
open: Displays BGP OPEN packet information.
packet: Displays BGP packets.
update: Displays BGP updates.
route-refresh: Displays BGP route refreshing packets.
receive: Displays received information.
send: Displays sent information.
verbose: Displays detailed information.
all: Displays debugging of all levels.
event: Displays BGP event.
normal: Displays BGP normal debugging function.

Description
Using the debugging bgp command, you can display the information concerning BGP processing. Using the undo debugging bgp command, you can disable the debugging function.

Example
<3Com> debugging bgp vpnv4

description

Syntax
description vpn-instance-description
undo description

View
Vpn-instance view

Parameter
vpn-instance-description: Specifies the description information of the VPN instance.

Description
Using the description command, you can configure description information for the specified VPN instance. Using the undo description command, you can remove the description of the VPN instance.

Example
Display description information of VPN.
[3Com-vpn-vpna] description 3com

display bgp vpnv4

Syntax
display bgp vpnv4 { all | route-distinguisher rd-value | vpn-instance vpn-instance-name } { group | network | peer | routing-table }

View
Any view

Parameter
all: Displays the entire VPNv4 database.
route-distinguisher rd-value: Displays the matching route distinguisher (RD) and network layer reachability information (NLRI).
vpn-instance vpn-instance-name: Displays the network layer reachability information (NLRI) associated with the specified vpn-instance.
group: Displays the information related to peer groups.
network: Displays the networks advertised through BGP.
peer: Displays the information of the connections.
routing-table: Displays BGP routes.

Description
Using the display bgp vpnv4 command, you can display VPNv4 information in the BGP database.

Example
Display the information about all BGP VPNV4 peers.
[3Com] display bgp vpnv4 all
BGP local router ID is 1.1.248.23
Status codes: s suppressed, d damped, h history, * valid, > best, i internal
Origin codes: i – IGP, e – EGP, ? - incomplete
   Network        Next Hop       Label      Metric  LocPrf  Path
Route Distinguisher:100:9 (default for vpn-instance vpn-instance_1)
*> 192.5.1.0      0.0.0.0        16/0

display ip routing-table vpn-instance

Syntax
display ip routing-table vpn-instance vpn-instance-name [ ip-address ] [ verbose ]

View
Any view

Parameter
vpn-instance-name: Name assigned to vpn-instance.
ip-address: Displays information of the specified address.
verbose: Displays the detailed information.

Description
Using the display ip routing-table vpn-instance command, you can view the specified information in the IP routing table of vpn-instance.

Example
Display the IP routing table associated with the vpn-instance.
[3Com] display ip routing-table vpn-instance vpn-instance1
Routing Table: vpn-instance1 RD: 1233:11
Destination/Mask   Proto   Pre  Metric  Nexthop     Interface
192.1.1.0/24       Direct  0    0       192.1.1.1   GigabitEthernet1/0/0
192.1.1.1/32       Direct  0    0       127.0.0.1   InLoopBack0
192.1.1.255/32     Direct  0    0       127.0.0.1   InLoopBack0

display ip vpn-instance

Syntax
display ip vpn-instance [ vpn-instance-name | verbose ]

View
Any view

Parameter
vpn-instance-name: Name assigned to vpn-instance.
verbose: Displays the detailed information.

Description
Using the display ip vpn-instance command, you can view information associated with a vpn-instance, such as the VPN instance RD, description and associated interfaces.

Example
Display the information about vpn-instance 3Com.
[3Com] display ip vpn-instance 3com
VPN-Instance : vpn1
No description
Route-Distinguisher : 100:6
Interfaces :
Ethernet0/0/0.101

display ospf sham-link

Syntax
display ospf sham-link

View
Any view

Parameter
None

Description
Using the display ospf sham-link command, you can view the information of sham links. For the related command, see sham-link.

Example
Display the information of sham links.
<3Com>display ospf sham-link
OSPF Process 1 with Router ID 1.1.1.1
Sham Links
Sham-link 3.3.3.3 -> 5.5.5.5, State: Down
Area: 0.0.0.1
Cost: 1 State: Down Type: Sham
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1

display mpls l3vpn-lsp

Syntax
display mpls l3vpn-lsp [ verbose] [ include text ]

View
Any view

Parameter
include text: Displays the MPLS L3VPN LSPs with the specified FEC string.
verbose: Displays detailed information.

Description
Using the display mpls l3vpn-lsp include command, you can view the information of MPLS L3VPN LSPs.

Example
Display the vpn-instance related label switched path information of MPLS L3VPN.
<3Com> display mpls l3vpn-lsp transit
--------------------------------------------------------------------
LSP Information: L3vpn Transit Lsp
--------------------------------------------------------------------
TOTAL: 0 Record(s) Found.

Display the related label switched path information of MPLS L3VPN.
[3Com] display mpls l3vpn-lsp include 3com

display mpls l3vpn-lsp vpn-instance

Syntax
display mpls l3vpn-lsp [ vpn-instance vpn-instance-name ] [ transit | egress | ingress ] [include ip-address length-prefix | verbose ]

View
Any view

Parameter
transit: LSP of ASBR VPN
egress: LSP of egress VPN
ingress: LSP of ingress VPN
vpn-instance: VPN Routing/Forwarding instance name.
include text: Displays the MPLS L3VPN LSPs with the specified FEC string.
verbose: Displays detailed information.

Description
Using the display mpls l3vpn-lsp vpn-instance command, you can view the vpn-instance information of MPLS L3VPN LSPs.

Example
Display the vpn-instance information of MPLS L3VPN LSPs.
<3Com> display mpls l3vpn-lsp transit
--------------------------------------------------------------------
LSP Information: L3vpn Transit Lsp
--------------------------------------------------------------------
TOTAL: 0 Record(s) Found.

domain-id

Syntax
domain-id { id-number | id-addr }
undo domain-id

View
OSPF protocol view

Parameter
id-number: Domain ID for a VPN instance, in range of 0~4294967295. By default, it is 0.
id-addr: IP address format of the domain ID in VPN instance. By default, it is 0.0.0.0.

Description
Using the domain-id command, you can specify the domain ID for a VPN instance. Using the undo domain-id command, you can restore the default domain ID.
With standard BGP/OSPF interoperability, when route import into OSPF is configured at the PE, the original OSPF attributes of the routes cannot be restored. If these BGP VPN IP routes are advertised to the CE as ASE LSAs (type-5 LSAs), they cannot be distinguished from routes imported from other route domains. To distinguish imported external routes from OSPF internal routes, the OSPF attributes must be restored when BGP routes are imported into OSPF, so an OSPF domain can be configured with a domain ID. The domain ID is attached to the corresponding BGP/VPN route when an OSPF route is imported into BGP/VPN and is carried with that route. When the BGP route is then imported at the peer PE, the LSA values are filled in according to the extended community attributes. If the received BGP VPN IP routes carry the same domain ID, they are from the same VPN instance.
By default, the domain ID is 0. The specified domain ID will not take effect until the reset ospf command is executed.

Example
Configure domain ID 100 for OSPF procedure 100.
[3Com-ospf-100]domain-id 100
[3Com-ospf-100]domain-id 0.0.0.100

import-route

Syntax
import-route { ospf | ospf-ase | ospf-nssa } [ process-id ] [ med value | route-policy route-policyname ]
undo import-route { ospf | ospf-ase | ospf-nssa } [ process-id ]

View
BGP unicast/multicast VPN-instance address family view, MBGP Interface VPN-instance address family view

Parameter
process-id: OSPF procedure ID. By default, it is 1.
ospf: When only OSPF procedure ID is imported, ASE internal route is taken as external route information.
ospf-ase: When only OSPF procedure ID is imported, OSPF-ASE route is taken as external route information.
ospf-nssa: When only OSPF procedure ID is imported, OSPF-NSSA route is taken as external route information.
med value: Route cost value
route-policyname: Route policy name

Description
Using the import-route command, you can enable the import of OSPF routes. Using the undo import-route command, you can disable the import of OSPF routes.
CAUTION: By default, the procedure ID is 1.

Example
Enable the import of an OSPF route with procedure ID 100.
[3Com] ip vpn-instance sphinx
[3Com-vpn-sphinx] route-distinguisher 168.168.55.1:85
[3Com-vpn-sphinx] quit
[3Com] bgp 352
[3Com-bgp] ip vpn-instance sphinx
[3Com-bgp-af-vpn-instance] import-route ospf 100

ip binding vpn-instance

Syntax
ip binding vpn-instance vpn-instance-name
undo ip binding vpn-instance vpn-instance-name

View
Interface view

Parameter
vpn-instance-name: Name assigned to vpn-instance.

Description
Using the ip binding vpn-instance command, you can bind an interface or subinterface to a vpn-instance. Using the undo ip binding vpn-instance command, you can remove the binding. By default, the global routing table is used.
Executing this command on an interface removes the IP address of the interface, so the IP address needs to be reconfigured afterwards.

Example
Bind VPN instance vpn1 to the interface atm0/0/0.
[3Com] interface atm1/0/0
[3Com-Atm1/0/0] ip binding vpn-instance vpn1

ip route-static vpn-instance

Syntax
ip route-static vpn-instance { vpn-name1 vpn-name2 …| ip-address1 } { mask | mask-length } { interface-name | [ vpn-instance vpn-name-nexthop ip-address2 ] } [ public ] [ preference preference-value ] [ reject | blackhole ]
undo ip route-static vpn-instance { vpn-name1 vpn-name2 …| ip-address1 } { mask | mask-length } { interface-name | [ vpn-instance vpn-name-nexthop ip-address2 ] } [ preference preference-value ] [ reject | blackhole ]

View
System view

Parameter
vpn-name: Name of VPN instance. At most 6 names can be configured.
ip-address: Destination address of the static route.
mask: Address mask.
mask-length: Length of the mask. As the "1" bits in the 32-bit mask are required to be consecutive, the mask in dotted decimal format can be substituted by mask-length. (mask-length is represented by the number of consecutive "1"s in the mask.)
interface-name: Out-interface name of the static route. An interface of the public network or of another vpn-instance can be specified as the out-interface of the static route.
vpn-nexthop-name: Next hop vpn-instance of the static route.
ip-address2: Next hop IP address of the static route.
reject: Configures a route as unreachable.
blackhole: Configures a route as blackhole.

Description
Using the ip route-static vpn-instance command, you can configure a static route, specifying a private network interface as the out-interface of this static route. In multi-role host applications, you can configure a static route in a private network with an interface of another private network or of the public network as its out-interface. Using the undo ip route-static vpn-instance command, you can remove the configuration of this static route.

Example
Configure a static route with destination address 100.1.1.1 and next hop address 1.1.1.2.
[3Com] ip route-static vpn-instance vpn1 100.1.1.1 16 vpn-instance vpn1 1.1.1.2

ip vpn-instance

Syntax
ip vpn-instance vpn-name
undo ip vpn-instance vpn-name

View
System view, routing protocol view

Parameter
vpn-name: Name assigned to vpn-instance.

Description
Using the ip vpn-instance command, you can create and configure a vpn-instance. Using the undo ip vpn-instance command, you can delete the specified vpn-instance.
By default, no vpn-instance is defined. Neither an input nor an output list is associated with a vpn-instance. No route-map is associated with a vpn-instance.
Use the ip vpn-instance command to create a vpn-instance named vpn-name.

Example
Create VPN instance vpn1.
[3Com] ip vpn-instance vpn1
[3Com-vpn-vpn1]

ipv4-family

Syntax
ipv4-family [ vpnv4 [ unicast ] | multicast | vpn-instance vpn-instance-name ]
undo ipv4-family [ vpnv4 [ unicast ] | multicast | vpn-instance vpn-instance-name ]

View
BGP view

Parameter
multicast: IPv4 multicast address used by the address family. This parameter is used to enter MBGP multicast address family view.
vpn-instance vpn-instance-name: Associates the specified vpn-instance with the IPv4 address family. This parameter is used to enter MBGP vpn-instance address family view.
unicast: IPv4 unicast address used by the address family.

Description
Using the ipv4-family command, you can enter BGP IPv4 address family view or MBGP VPNv4 address family view. Using the undo ipv4-family command, you can delete the configuration of the specified address family view or MBGP VPNv4 address family view.
By default, unicast address is used when configuring VPNv4 address family. By default, unicast address is used when configuring IPv4 address family.
Use this command to enter address family view and configure parameters associated with the address family for BGP in this view.
Using the ipv4-family vpn-instance command, you can enter MBGP vpn-instance address family view. Using the undo ipv4-family vpn-instance vpn-instance-name command, you can remove the association of the specified vpn-instance with the IPv4 address family and exit to BGP unicast view. For the related command, see peer enable.

Example
Associate the specified vpn-instance with the IPv4 address family to enter MBGP vpn-instance address family view, which can be configured only after the vpn-instance has been configured.
[3Com] bgp 100
[3Com-bgp] ipv4-family vpn-instance abc
[3Com-bgp-af-vpn-instance]

Enter VPNv4 address family view.
[3Com] bgp 100
[3Com-bgp] ipv4-family vpnv4 unicast
[3Com-bgp-af-vpn]

ospf

Syntax
ospf process-id [ router-id router-id-number ] [ vpn-instance vpn-instance-name ]
undo ospf process-id

View
System view

Parameter
process-id: OSPF procedure ID. By default, it is 1.
router-id-number: Router ID for OSPF procedure, optional
vpn-instance-name: VPN instance bound to the OSPF procedure

Description
Using the ospf command, you can enable an OSPF procedure. Using the undo ospf command, you can disable an OSPF procedure.
After enabling an OSPF procedure, you can perform OSPF configurations in the OSPF protocol view. By default, no OSPF protocol is enabled.
VRP supports multiple OSPF procedures, so you can specify different procedure IDs to enable multiple OSPF procedures on a router. It is recommended to specify the router ID of the procedure with the router-id parameter when enabling an OSPF procedure. If you want to enable multiple processes on a router, it is recommended to specify different router IDs for different procedures.
To enable an OSPF procedure belonging to the public network without specifying a router ID, the following conditions should be satisfied:
RM is configured with a router ID.
There is an interface which is configured with an IP address.
If the router ID is not specified when enabling an OSPF procedure but the procedure must be bound to a VPN instance, an interface configured with an IP address must exist.
If you want to bind a procedure to a VPN instance, you must specify the VPN instance name. One VPN instance may include several procedures. For example, for the VPN instance 1, you can configure it into OSPF procedures 1, 2 and 3 with the commands ospf 1 vpn-instance vpn1, ospf 2 vpn-instance vpn1, and ospf 3 vpn-instance vpn1. But one procedure can belong to only one instance. If you have executed ospf 1 vpn-instance vpn1, you cannot configure ospf 1 vpn-instance vpn2. Otherwise, the system prompts the information “Wrong configuration. Process 1 has been bound to vpn-instance VRF1”.
If you configure ospf 1 first and then execute ospf 1 vpn-instance vpn1, the system prompts the information “Wrong configuration. Process 1 has been running in public domain”. If you execute ospf 1 vpn-instance vpn1 first and then configure ospf 1, the system enters ospf 1 vpn-instance vpn1 view, in which the commands ospf 1 and ospf 1 vpn-instance vpn1 are equivalent.
When an OSPF procedure is bound to a VPN instance, the default OSPF router is PE router. After executing the display ospf process-id brief command, you will get the information “PE router, connected to VPN backbone”.
CAUTION: A router can run a maximum of 1024 OSPF procedures, with up to 10 procedures in each VPN instance.
If you bind an OSPF procedure to a nonexistent VPN instance, the command fails and the system prompts the information “Specified vpn instance not configured”.
When a VPN instance is deleted, all OSPF procedures associated with it will be deleted. For example, suppose VPN instance vpn1 includes OSPF procedures 1, 2 and 3. If VPN instance vpn1 is deleted, the OSPF procedures 1, 2 and 3 will all be deleted. For the related command, see network.

Example
Enable the default OSPF procedure 1.
[3Com] router id 10.110.1.8
[3Com] ospf

Enable OSPF procedure 120 and run OSPF protocol.
[3Com] router id 10.110.1.8
[3Com] ospf 120
[3Com-ospf-120]

Enable OSPF procedure 100, specify its router ID as 2.2.2.2 and bind it to the VPN instance vpn1.
[3Com] ospf 100 router-id 2.2.2.2 vpn-instance vpn1
[3Com-ospf-100]

peer allow-as-loop

Syntax
peer { group-name | peer-address } allow-as-loop asn-limit
undo peer { group-name | peer-address } allow-as-loop asn-limit

View
BGP view, MBGP IPv4-family view

Parameter
group-name: Name of the peer group
ip-address: Specified IP address of peer.
asn-limit: Maximum number of times the local autonomous system number is allowed to appear in received route updates.

Description
Using the peer allow-as-loop command, you can enable route loop detection in the received route updates in hub&spoke networking mode. Using the undo peer allow-as-loop command, you can prohibit loops in the received route updates. By default, loop information is prohibited in the received route update information.
In the case of standard BGP, BGP tests for routing loops via the AS number. In the case of Hub&Spoke networking, however, if EBGP is run between PE and CE, the PE carries the AS number of the local autonomous system when advertising routing information to the CE. Accordingly, the route update received from the CE will carry the AS number of the local autonomous system, and the PE cannot accept it.
This can be avoided by using the peer allow-as-loop command, which makes the PE router allow the route update information received from the CE to contain its own AS number. The allowed maximum number is controlled by the parameter asn-limit.

Example
Enable route loop detection in the received route updates.
[3Com-bgp] ipv4-family vpn-instance one
[3Com-bgp-af-vpn-instance] peer 1.1.1.1 allow-as-loop 1

peer as-number

Syntax
peer { group-name | [ peer-address group group-name ] } as-number as-number
undo peer { group-name | [ peer-address group group-name] } as-number as-number

View
BGP view, MBGP vpn-instance view

Parameter
group-name: Peer group name.
peer-address: IP address of a peer.
as-number: Peer end AS number of a peer (group).

Description
Using the peer as-number command, you can configure the remote AS number of the specified peer (group). Using the undo peer as-number command, you can remove the remote AS number of the specified peer (group). By default, a peer of the peer (group) has no AS number.

Example
Set the remote AS number of the specified peer (group) to 100.
[3Com-bgp] peer test as-number 100

peer enable

Syntax
peer group-name enable
undo peer group-name enable

View
BGP view, MBGP VPNv4 view

Parameter
group-name: Peer group name

Description
Using the peer enable command, you can enable the specified peer (group). Using the undo peer enable command, you can disable the specified peer (group). For IPv4 address family, address switching is enabled by default.

Example
Enable the peer (group) 168.
[3Com-bgp-af-vpn] peer 168 enable

peer connect-interface

Syntax
peer { group-name | ip-address } connect-interface interface-type interface-number
undo peer { group-name | ip-address } connect-interface interface-type interface-number

View
BGP view, MBGP vpn-instance view

Parameter
group-name: Peer group name.
peer-address: IP address of a peer.
interface-type: Interface type.
interface-number: Name of the interface.

Description
Using the peer connect-interface command, you can allow the internal BGP session to use any operable interface that connects with TCP. Using the undo peer connect-interface command, you can restore the use of the best local address for the TCP connection. By default, BGP uses the best local address to implement the TCP connection.
Generally, BGP uses the best local address to implement the TCP connection. To keep the TCP connection valid even when the interface fails, the internal BGP session can be configured to allow the use of any operable TCP-connected interface (for example, a Loopback interface).

Example
Allow the internal BGP session to use any operable interface that connects with TCP.
[3Com-bgp-af-vpn-instance] peer 1.1.1.1 connect-interface loopback 0

peer default-route-advertise

Syntax
peer { group-name | peer-address } default-route-advertise
undo peer { group-name | peer-address } default-route-advertise

View
BGP view, MBGP IPv4-family view

Parameter
group-name: Peer group name.
peer-address: IP address of a peer.

Description
Using the peer default-route-advertise command, you can enable a peer (group) to import a default route. Using the undo peer default-route-advertise command, you can remove the existing setting. By default, no default route is redistributed to a peer (group).
This command does not require any default route in the routing table; it unconditionally transmits to the peer a default route whose next hop address is the router itself.

Example
Enable the peer (group) test to import a default route.
[3Com-bgp] peer test as-number
[3Com-bgp] peer test default-route-advertise

peer next-hop-local

Syntax
peer { group-name | peer-address } next-hop-local
undo peer { group-name | peer-address } next-hop-local

View
BGP view, MBGP IPv4-family view

Parameter
group-name: Peer group name.
peer-address: IP address of a peer.

Description
Using the peer next-hop-local command, you can remove the processing of the next hop in the routes that BGP advertises to a peer (group) and use the router's own address as the next hop. Using the undo peer next-hop-local command, you can remove the existing setting.

Example
Specify the local IP address as the next hop in BGP's route advertising to the peer (group).
[3Com-bgp-af-vpn] peer test next-hop-local

peer public-as-only

Syntax
peer { group-name | peer-address } public-as-only
undo peer { group-name | peer-address } public-as-only

View
BGP view, MBGP IPv4-family view

Parameter
group-name: Peer group name.
peer-address: IP address of a peer.

Description
Using the peer public-as-only command, you can configure BGP not to carry private AS numbers when transmitting BGP update packets. Using the undo peer public-as-only command, you can configure BGP to carry private AS numbers when transmitting BGP update packets. By default, the private AS number is carried when transmitting BGP update packets.
Generally, BGP carries the AS number (either public or private AS number) when transmitting BGP update packets. BGP can be configured not to carry the private AS number so that some output routers may ignore the private AS number when transmitting BGP update packets.

Example
Send MBGP update packets without bearing private AS number.
[3Com-bgp-af-vpn] peer 168 public-as-only


peer upe

Syntax
peer peer-address upe
undo peer peer-address upe

View
BGP view

Parameter
peer-address: IP address of a peer.

Description
Using the peer upe command, you can configure a BGP peer as the UPE of hierarchical BGP/MPLS VPN. Using the undo peer upe command, you can remove this configuration.

Example
Configure BGP peer as the UPE of hierarchical BGP/MPLS VPN.
[3Com-bgp] ipv4-family vpnv4
[3Com-bgp-af-vpn] peer 1.1.1.1 upe

route-distinguisher

Syntax
route-distinguisher route-distinguisher

View
vpn-instance view

Parameter
route-distinguisher: Configures a VPN IPv4 prefix by adding an 8-byte value to an IPv4 prefix.

Description
Using the route-distinguisher command, you can configure the RD for an MPLS VPN instance. A vpn-instance cannot run until it is configured with an RD.
A route distinguisher (RD) creates the route and forwarding list for a VPN and specifies the default route identifier. The RD is added to the start of a specific IPv4 prefix to make it a unique VPN IPv4 prefix.
If the RD is associated with an autonomous system number (ASN), it is a combination of an autonomous system number and an arbitrary number; if the RD is associated with an IP address, it is a combination of an IP address and an arbitrary number.
RD has the following formats:
A 16-bit ASN: 32-bit number defined by user, for example, 101:3.
A 32-bit IP address: 16-bit number defined by user, for example, 192.168.122.15:1.

Example
Configure RD for the MPLS VPN instance.
[3Com] ip vpn-instance vpn_blue
[3Com-vpn-vpn_blue] route-distinguisher 100:3
[3Com] ip vpn-instance vpn_red
[3Com-vpn-vpn_red] route-distinguisher 173.13.0.12:200

route-tag

Syntax
route-tag tag-number
undo route-tag

View
OSPF protocol view

Parameter
tag-number: Tag value to identify VPN import route, in range of 0~4294967295. By default, its first two fields are fixed to 0xD000, while the last two fields are the ASN of local BGP. For example, if local BGP ASN is 100, then the default tag value in decimal is 3489661028.

Description
Using the route-tag command, you can specify a tag value to identify VPN import routes. Using the undo route-tag command, you can restore the default value.
If a VPN site is linked to multiple PEs, a route learned from MPLS/BGP and advertised by one PE router to the VPN site via its type-5 or type-7 LSA may be received by another PE router. This will result in a route loop. To avoid route loops, you should configure route-tag, and it is recommended to configure the same route-tag for the PEs in the same VPN domain. The route-tag is included in the type-5/-7 LSA. The route-tag is not transmitted in the extended community attributes of BGP; it can only be configured and take effect on the PE router which receives BGP routes and generates OSPF LSAs.
Configure route-tag in OSPF protocol view. Different processes can be configured with the same route-tag.
You can configure the same route-tag with different commands, but with different priority levels:
Those configured with the import-route command are of the highest priority level.
Those configured with the route-tag command are in the second place in terms of priority level.
Those configured with the default tag command are of the lowest priority level.
If the route-tag included in the type-5/-7 LSA is identical with its existing tag, the LSA received will be neglected in route calculation.
CAUTION: The route-tag configured will not take effect until the reset ospf command is executed.
For the related commands, see import-route and default.

Example
Configure route-tag 100 to OSPF procedure 100.
[3Com-ospf-100] route-tag 100
OSPF: Process 100's route tag has been changed
OSPF: Reload or use 'reset ospf' command for this to take effect

vpn-target

Syntax
vpn-target vpn-target-ext-community [ import-extcommunity | export-extcommunity | both ]
undo vpn-target vpn-target-ext-community [ import-extcommunity | export-extcommunity | both ]

View
Vpn-instance view

Parameter
import-extcommunity: Ingress route information from the extended community of target VPN.
export-extcommunity: Egress route information to the extended community of target VPN.
both: Imports ingress and egress route information to the extended community of target VPN.
vpn-target-ext-community: Adds vpn-target extended community attribute to the ingress and egress of vpn-instance or the vpn-target extended community list of ingress and egress.

Description
Using the vpn-target command, you can create a vpn-target extended community for a vpn-instance. Using the undo vpn-target command, you can remove the vpn-target extended community attribute. By default, the value is both.
Using the vpn-target command, you can create the ingress and egress route target extended community lists for the specified vpn-instance. Execute this command once for each target community. A received route bearing a specific route target extended community is imported into all vpn-instances that are configured with that extended community as an ingress route target.
Vpn-target specifies a target VPN extended community. Like an RD, an extended community is composed either of an autonomous system number and an arbitrary number or of an IP address and an arbitrary number.
Extended community has the following formats:
A 16-bit ASN: 32-bit number defined by user, for example, 100:1.
A 32-bit IP address: 16-bit number defined by user, for example, 172.1.1.1:1.

Example
Create vpn-target extended community for the vpn-instance.
[3Com] ip vpn-instance vpn_red
[3Com-vpn-vpn_red] vpn-target 1000:1 both
[3Com-vpn-vpn_red] vpn-target 1000:2 export-extcommunity
[3Com-vpn-vpn_red] vpn-target 173.27.0.130:2 import-extcommunity

routing-table limit

Syntax
routing-table limit { warn threshold | simply-alert }
undo routing-table limit

View
MBGP vpn-instance view

Parameter
limit: Specifies the route maximum allowed in a vpn-instance.
warn threshold: Rejects routes when the threshold value is reached. This threshold value is the percentage of the specified route maximum from 1 to 100.
simply-alert: When the route maximum specified for a vpn-instance exceeds the threshold, routes can be added and only a SYSLOG error message is sent out.

Description
Using the routing-table limit command, you can limit the route maximum in a vpn-instance, to avoid too many routes in the ingress interface of the PE router. Using the undo routing-table limit command, you can remove the limitation.
It is necessary to enter the vpn-instance sub-view before using the routing-table command. Create a vpn-instance routing table in this view and allocate a route distinguisher (RD) in one of the following formats:
A 16-bit AS number (ASN): 32-bit user-defined number, e.g., 100:1.
A 32-bit IP address: 16-bit user-defined number, e.g., 172.1.1.1:1.
Create a vpn-target extended community for a vpn-instance and specify ingress or egress interface or both of them for the vpn-target command. These parameters can be used to configure input and ingress/egress routing information of the destination VPN extended community for a router.

Example
[3Com] ip vpn-instance vpn1
[3Com-vpn-vpn1] route-distinguisher 100:1
[3Com-vpn-vpn1] vpn-target 100:1 import-extcommunity
[3Com-vpn-vpn1] routing-table limit 1000 simply-alert
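The route-distinguisher, vpn-target and routing-table limit entries above can be checked offline against a saved configuration. The Python below is an added example, not 3Com code: it validates RD and vpn-target values against the two documented formats, flags instances with no RD or no routing-table limit, and lists which instances exchange routes through matching export and import targets. The function names and the sample configuration are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, written in the command syntax of this reference.
SAMPLE_CONFIG = """\
ip vpn-instance vpn_red
 route-distinguisher 100:3
 vpn-target 1000:1 both
 vpn-target 1000:2 export-extcommunity
 routing-table limit 1000 simply-alert
ip vpn-instance vpn_blue
 route-distinguisher 173.13.0.12:200
 vpn-target 1000:2 import-extcommunity
ip vpn-instance vpn_green
 vpn-target 70000:1 both
bgp 100
"""


def parse_ext_value(value):
    """Parse an RD or vpn-target value in one of the two documented formats.

    Returns ("asn", asn, number) for 16-bit ASN:32-bit number, or
    ("ip", address, number) for 32-bit IP address:16-bit number.
    """
    match = re.fullmatch(r"(.+):([0-9]+)", value)
    if not match:
        raise ValueError(f"{value}: expected <ASN or IP address>:<number>")
    admin, number = match.group(1), int(match.group(2))
    if re.fullmatch(r"[0-9]+", admin):
        if int(admin) > 0xFFFF or number > 0xFFFFFFFF:
            raise ValueError(f"{value}: ASN exceeds 16 bits or number exceeds 32 bits")
        return ("asn", int(admin), number)
    try:
        address = ipaddress.IPv4Address(admin)
    except ValueError:
        raise ValueError(f"{value}: first field is neither an ASN nor an IPv4 address") from None
    if number > 0xFFFF:
        raise ValueError(f"{value}: number exceeds 16 bits")
    return ("ip", str(address), number)


def parse_config(text):
    """Collect RD, vpn-targets and route limit for every vpn-instance block."""
    instances, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        top_level = not raw.startswith(" ")
        if top_level and words[:2] == ["ip", "vpn-instance"] and len(words) == 3:
            current = instances.setdefault(
                words[2], {"rd": None, "import": set(), "export": set(), "limit": False})
        elif current is None or not words:
            continue
        elif top_level:
            current = None  # another top-level command: left the vpn-instance view
        elif words[0] == "route-distinguisher" and len(words) == 2:
            current["rd"] = words[1]
        elif words[0] == "vpn-target" and len(words) >= 2:
            direction = words[2] if len(words) > 2 else "both"  # documented default
            if direction in ("import-extcommunity", "both"):
                current["import"].add(words[1])
            if direction in ("export-extcommunity", "both"):
                current["export"].add(words[1])
        elif words[:2] == ["routing-table", "limit"]:
            current["limit"] = True
    return instances


def audit(instances):
    """Return (instance, finding) pairs, ordered by instance name."""
    findings = []
    for name, inst in sorted(instances.items()):
        if inst["rd"] is None:
            findings.append((name, "no route-distinguisher: the instance cannot run"))
        else:
            try:
                parse_ext_value(inst["rd"])
            except ValueError as err:
                findings.append((name, f"bad route-distinguisher {err}"))
        for target in sorted(inst["import"] | inst["export"]):
            try:
                parse_ext_value(target)
            except ValueError as err:
                findings.append((name, f"bad vpn-target {err}"))
        if not inst["limit"]:
            findings.append((name, "no routing-table limit configured"))
    return findings


def shared_routes(instances):
    """List (exporter, importer, target) where one instance imports another's export target."""
    pairs = []
    for exporter, exp in instances.items():
        for importer, imp in instances.items():
            if exporter != importer:
                pairs += [(exporter, importer, t) for t in exp["export"] & imp["import"]]
    return sorted(pairs)


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for name, finding in audit(parsed):
        print(f"{name}: {finding}")
    for exporter, importer, target in shared_routes(parsed):
        print(f"{importer} imports routes exported by {exporter} via {target}")
```

Reviewing the shared_routes output against the intended VPN membership shows where one instance receives another's routes because of a reused target value.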

sham-link

Syntax
sham-link source-addr destination-addr [ cost cost-value ] [ dead seconds ] [ hello seconds ] [ md5 keyid key seconds ] [ retransimit seconds ] [ simple password ] [ trans-delay seconds ] undo sham-link source-addr destination-addr

View OSPF area view

798

CHAPTER 8: MPLS BASIC CONFIGURATION COMMANDS

Parameter
source-addr: Source address of the sham link, a loopback interface address with a 32-bit mask.
destination-addr: Destination address of the sham link, a loopback interface address with a 32-bit mask.
cost-value: Cost of the sham link, in the range of 1~65535. By default, it is 1.
password: Specifies the authentication string in plain text at the interface, 8 characters at most. It must be consistent with the authentication string of the sham link peer.
keyid: Specifies the MD5 authentication string at the interface, in the range of 1~255 characters. It must be consistent with the authentication string of the sham link peer.
key: Specifies the authentication string at the interface, 16 characters at most. It must be consistent with the authentication string of the sham link peer. When the display current-configuration command is executed, the system displays the 24-character MD5 authentication string in cipher text. You can also input a 24-character authentication string in cipher text.
dead seconds: Specifies the interval for the dead timer, in the range of 1~8192 seconds. By default, it is 40 seconds. It must be consistent with the dead seconds value of the sham link peer.
hello seconds: Specifies the interval between Hello message transmissions at the interface, in the range of 1~8192 seconds. By default, it is 10 seconds. It must be consistent with the hello seconds value of the sham link peer.
retransmit seconds: Specifies the interval for LSA message retransmission at the interface, in the range of 1~8192 seconds. By default, it is 5 seconds.
trans-delay seconds: Specifies the delay period for LSA message transmission at the interface, in the range of 1~8192 seconds. By default, it is 1 second.

Description
Using the sham-link command, you can configure a sham link. Using the undo sham-link command, you can delete a sham link.

In the OSPF PE-CE connection, suppose that an OSPF area contains two sites that belong to the same VPN, each connected to a different PE router, with an intra-domain link (backdoor) established between them. Though there may be other routes connecting the two sites via the PE router, these routes are just intra-domain routes, so OSPF will select those routes through the backdoor first. When the routes through the VPN backbone should be selected first, a sham link must be established between the PE routers. In this case, the routes through the VPN backbone have the highest priority within the OSPF area.

The sham link between VPN PE routers is treated as a link within the OSPF area. Its source and destination addresses are both loopback interface addresses with a 32-bit mask. This loopback interface must be bound with a VPN instance and imported into BGP through a direct-connect route. Optional parameters can be appended to the sham-link command, and only those appended to the sham-link command can be selected in the undo command.




CAUTION

The source and destination addresses of a sham link are both loopback interface addresses with a 32-bit mask. This loopback interface must be bound with a VPN instance and imported into BGP through a direct-connect route. The source and destination addresses of a sham link cannot be the same. The same sham link cannot be configured in different OSPF procedures. A maximum of 50 sham links can be configured in an OSPF procedure.

Example
Configure a sham link, with source address 1.1.1.1 and destination address 2.2.2.2.
[3Com-ospf-100-area-0.0.0.1] sham-link 1.1.1.1 2.2.2.2 cost 100

vpn-instance-capability simple

Syntax
vpn-instance-capability simple
undo vpn-instance-capability

View
OSPF protocol view

Parameter
None

Description
Using the vpn-instance-capability simple command, you can configure a router as Multi-VPN-Instance CE. Using the undo vpn-instance-capability command, you can remove the configuration.

OSPF multi-VPN-instance application is often run at the PE router, so the CE router on which OSPF multi-VPN-instance application runs is called Multi-VPN-Instance CE. Though they both support multi-VPN-instance application, Multi-VPN-Instance CE does not necessarily support BGP/OSPF interoperability.

When OSPF procedures are bound with VPN instances, the default OSPF router serves as PE router. This command removes the default configuration and changes a router into Multi-VPN-Instance CE. The OSPF procedure will then set up all peers again. DN bits and route-tag will not be checked in routing calculation. To prevent route loss, loop test function is disabled on PE routes. BGP/OSPF interoperability is also disabled to save system resources.

After the display ospf brief command is executed successfully, the system prompts the information “Multi-VPN-Instance enable on CE router”.

CAUTION: OSPF process will set up all peers again after this command is run.

Example
Configure OSPF procedure 100 as Multi-VPN-Instance CE.


[3Com-ospf-100] vpn-instance-capability simple

Restore the OSPF procedure 100 as PE.
[3Com-ospf-100] undo vpn-instance-capability

MPLS L2VPN CCC Configuration Commands

ccc interface transmit-lsp receive-lsp

Syntax
ccc ccc-connection-name interface interface-type interface-number transmit-lsp transmit-lsp-name receive-lsp receive-lsp-name
undo ccc ccc-connection-name

View
System view

Parameter
interface-type interface-number: Interface for the remote connection.
ccc-connection-name: CCC connection name of 1 to 20 characters in length, which uniquely identifies a CCC inside a PE.
transmit-lsp-name: Name of the transmit-LSP.
receive-lsp-name: Name of the receive-LSP.

Description
Using the ccc interface transmit-lsp receive-lsp command, you can create a remote CCC connection. Using the undo ccc command, you can delete a remote CCC connection.

You can delete a CCC connection in the interface or system view.

For the related command, see ccc interface out-interface.

Example
Create a remote CCC connection clink, with the transmit-LSP being tlsp and the receive-LSP being rlsp.
[3Com-Ethernet3/0/0] ccc clink interface serial0/0/0 transmit-lsp tlsp receive-lsp rlsp

ccc interface out-interface

Syntax
ccc ccc-connection-name interface interface-type interface-number out-interface outinterface-type outinterface-num
undo ccc ccc-connection-name

View
System view


Parameter
ccc-connection-name: CCC connection name of 1 to 20 characters, which uniquely identifies the CCC inside the PE.
interface-type interface-number: Interface connected to the first CE.
outinterface-type outinterface-num: Interface connected to the second CE.

Description
Using the ccc interface out-interface command, you can create a local CCC connection. Using the undo ccc command, you can delete the local CCC connection.

The supported interfaces include serial, asynchronous serial, ATM, Ethernet, VE, and GE interfaces, as well as ATM, Ethernet, and GE sub-interfaces.

For a serial, asynchronous serial, Ethernet, GE, or VE interface, CCC encapsulation defaults to link layer encapsulation and the command does not have any parameter in this case. This also applies to the CCC encapsulation on an Ethernet sub-interface or GE sub-interface.

For an ATM sub-interface, CCC encapsulation defaults to ATM AAL5. In this case, the command can carry a parameter indicating whether the encapsulation is ATM AAL5 or ATM CELL.

Example
Create a local CCC connection clink, with two CEs connected respectively to Ethernet0/0/0 and Ethernet2/0/0.
[3Com] ccc clink interface serial0/0/0 out-interface Ethernet 2/0/0

debugging mpls l2vpn

Syntax
debugging mpls l2vpn { all | advertisement | error | event | connections [ interface interface-name | interface-type interface-num ] }
undo debugging mpls l2vpn { all | advertisement | error | event | connections [ interface interface-name | interface-type interface-num ] }

View
User view

Parameter
all: Enables/Disables all L2VPN debugging.
advertisement: Enables/Disables BGP/LDP notify information debugging of L2VPN.
error: Enables/Disables L2VPN error information debugging.
event: Enables/Disables L2VPN event information debugging.
connections: Enables/Disables connection information debugging.
interface-type interface-num: Specifies CE interface for information connection debugging.


Description
Using the debugging mpls l2vpn command, you can view L2VPN link information. Using the undo debugging mpls l2vpn command, you can disable the debug function.

Example
<3Com> debugging mpls l2vpn all

display ccc

Syntax
display ccc [ ccc-name | type [ local | remote ] ]

View
Any view

Parameter
ccc-name: Name of the connection to be displayed.
local: Displays local CCC connection only.
remote: Displays remote CCC connection only.

Description
Using the display ccc command, you can view CCC connection information.

Example
Display CCC connection information.
[3Com] display ccc c-link

static-lsp egress l2vpn

Syntax
static-lsp egress lsp-name l2vpn incoming-interface interface-type interface-num in-label in-label
undo static-lsp egress lsp-name l2vpn

View
MPLS view

Parameter
lsp-name: LSP name
interface-type interface-num: Interface type and interface number
in-label-value: Inbound label value, in range of 16~1024

Description
Using the static-lsp egress l2vpn command, you can configure a static LSP used in L2VPN for egress LSR. Using the undo static-lsp egress l2vpn command, you can delete an LSP used in L2VPN of egress LSR.

Two LSPs (one in each direction) should be created in advance before creating remote CCC connection.


For related commands, see static-lsp ingress l2vpn and debugging mpls.

Example
Add the static LSP bj-sh at egress LSR.
[3Com-mpls] static-lsp egress bj-sh l2vpn incoming-interface serial8/0/0 in-label 233

static-lsp ingress l2vpn

Syntax
static-lsp ingress lsp-name { l2vpn | destination ip_addr } { nexthop next-hop-addr | outgoing-interface interface-type interface-num } out-label out-label
undo static-lsp ingress lsp-name l2vpn

View
MPLS view

Parameter
lsp-name: LSP name
next-hop-addr: Next hop address
interface-type interface-num: Interface type and interface number
out-label-value: Outbound label value, in range of 16~1024

Description
Using the static-lsp ingress l2vpn command, you can configure a static LSP used in L2VPN for ingress LSR. Using the undo static-lsp ingress l2vpn command, you can delete an LSP used in L2VPN of ingress LSR.

With this command, you can configure a static LSP for ingress LSR, as well as set the preference and measurement value for it.

Two LSPs (one in each direction) should be created in advance before creating remote CCC connection.

For related commands, see static-lsp egress l2vpn, static-lsp transit, and debugging mpls.

Example
Add the static LSP with destination address 202.25.38.1 at ingress LSR.
[3Com-mpls] static-lsp ingress bj-sh destination 202.25.38.1 24 nexthop 202.55.25.33 out-label 237

static-lsp transit l2vpn

Syntax
static-lsp transit lsp-name l2vpn incoming-interface interface-type interface-num in-label in-label { nexthop next-hop-addr | outgoing-interface interface-type interface-num } out-label out-label
undo static-lsp transit lsp-name l2vpn

View
MPLS view


Parameter
lsp-name: LSP name
interface-type interface-num: Interface type and interface number
next-hop-addr: Next hop address
in-label-value: Inbound label value, in range of 16~1024
out-label-value: Outbound label value, in range of 16~1024

Description
Using the static-lsp transit command, you can configure a static LSP used in L2VPN for transit LSR. Using the undo static-lsp transit command, you can delete an LSP used in L2VPN of transit LSR.

Two LSPs (one in each direction) should be created in advance and configured to the transit LSR before creating remote CCC connection.

For related commands, see static-lsp egress l2vpn and static-lsp ingress l2vpn.

Example
Add a static LSP used in L2VPN for the Serial0/0/0 of transit LSR, with inbound label being 123 and outbound label being 253.
[3Com-mpls] static-lsp transit bj-sh l2vpn incoming-interface serial0/0/0 in-label 123 nexthop 202.34.114.7 out-label 253

SVC MPLS L2VPN Configuration Commands

display mpls static-l2vc

Syntax
display mpls static-l2vc [ interface interface-type interface-num ]

View
Any view

Parameter
interface-type interface-num: Interface type and interface number

Description
Using the display mpls static-l2vc command, you can view the connection information of static MPLS L2VPN.

Example
Display basic information of static connection.
[3Com-Ethernet1/0/1] display mpls static-l2vc
total connections: 1, 0 up, 1 down
ce-intf        state  destination  tr-label  rcv-label  tnl-type  tnl-index
Ethernet1/0/1  down   192.1.1.1    222       111        -         0
[3Com] display mpls static-l2vc interface ethernet1/0/1
CE-interface: Ethernet1/0/1 is up, VC State: down, Destination: 192.1.1.1, transmit-vpn-label: 222, receive-vpn-label: 111, tunnel type: --, tunnel index: 0

mpls static-l2vc

Syntax
mpls static-l2vc destination destination-ip-address transmit-vpn-label transmit-label-value receive-vpn-label receive-label-value

View
Interface view

Parameter
destination-ip-address: ROUTER ID of destination router.
transmit-label-value: Transmit-label value of VPN.
receive-label-value: Receive-label value of VPN.

Description
Using the mpls static-l2vc command, you can create an SVC MPLS L2VPN connection. Using the undo mpls static-l2vc command, you can delete the connection.

Example
Create SVC MPLS L2VPN connection.
[3Com-s1/1/0] mpls static-l2vc destination 192.1.1.1 transmit-vpn-label 333 receive-vpn-label 111

Martini MPLS L2VPN Configuration Commands

display mpls l2vc

Syntax
display mpls l2vc [ interface interface-type interface-num | verbose ]

View
Any view

Parameter
verbose: Displays the detailed information.
interface-type interface-num: Name of the interface connected with CE.

Description
Using the display mpls l2vc command, you can view the VC information in LDP mode.


Example
None

mpls l2vc

Syntax
mpls l2vc ip-address vc-id
undo mpls l2vc

View
Interface view

Parameter
ip-address: lsr-id address of peer PE.
vc-id: Connected VC ID.

Description
Using the mpls l2vc command, you can create an LDP connection. Using the undo mpls l2vc command, you can delete the connection.

Supported interface types: Serial, Asy Serial, POS, ATM, ATM subinterface, Ethernet, Ethernet subinterface, VE, GE, GE subinterface.

Enable MPLS L2VPN and encapsulate CCC on the interface before using this command.

For the related commands, see mpls l2vpn and ccc.

Example
Create LDP connection.
[3Com-Ethernet3/0/0] mpls l2vc 10.0.0.11

Kompella MPLS L2VPN Configuration Commands

ce

Syntax
ce name [ id id [ range range ] [ default-offset offset ] ]
undo ce name

View
MPLS L2VPN view

Parameter
name: CE name, unique in the current PE VPN.
id: CE ID, unique in VPN, represents a CE, ranging from 1 to 65535.
offset: Specifies default offset value of the original CE.


range: CE range, in other words, the maximum number of CEs the local CE can connect with, ranging from 1 to 100. Default value is 10.

Description
Using the ce command, you can create a CE or modify the CE range. Using the undo ce command, you can delete a CE.

After a CE is created, the system creates a CE mode, and all the configurations of the CE are performed in this mode.

To facilitate VPN expansion, the CE range can be configured larger than the real capacity. This wastes identifiers, however, because the system distributes an identifier block as large as the CE range. If the CE range is smaller than needed in VPN expansion, for example, the CE range is 10 while the needed CE number is 20, you can modify the CE range to 20.

For the related commands, see mpls l2vpn encapsulation and connection.

Example
Create a CE for vpna, named “Marlborough,” with CEID being 1, range default value being 10.
[3Com] mpls l2vpn
[3Com] mpls l2vpn vpna encapsulation ppp
[3Com-mpls-l2vpn-vpna] ce marlborough id 1
[3Com-mpls-l2vpn-ce-vpna-marlborough]

connection

Syntax
connection [ ce-offset offset ] { interface interface-type interface-num }
undo connection [ ce-offset offset ] { interface interface-type interface-num }

View
MPLS L2VPN CE view

Parameter
offset: Specifies remote CE ID for L2VPN connection in establishing local connection.
interface-type interface-num: Specifies CE interface in establishing remote connection.

Description
Using the connection command, you can create a CE connection. Using the undo connection command, you can delete a CE connection.

Configure RD for MPLS L2VPN first before establishing a CE connection.

For related commands, see mpls l2vpn encapsulation and ccc.

Example
Establish a CE connection.


[3Com] mpls l2vpn vpna
[3Com-l2vpn-vpna] ce ce-a id 1 range 4
[3Com-l2vpn-vpna-ce-ce-a] connection s0/0/0 ce-offset 2

display bgp l2vpn

Syntax
display bgp l2vpn { all | peer | route-distinguisher }

View
Any view

Parameter
all: All L2VPN information in local address family.
peer: Information of the specified BGP peer.
route-distinguisher: Information of the specified VPN RD.

Description
Using the display bgp l2vpn all command, you can view system operating information and all L2VPN information.

Example
Display all L2VPN information.
[3Com] display bgp l2vpn all
BGP local router ID is 172.16.1.5 , Origin codes: i - IGP, e - EGP, ? - incomplete
bgp.l2vpn: 3 destinations
CE ID  Label Offset  Label Base  nexthop  pref  as-path
Route Distinguisher: 100:1
2      1             800000      1.1.1.1  100   I 200 600
3      1             500000      1.1.1.1  100   I 200 600
Route Distinguisher: 100:2
1      1             700000      1.1.1.1  100   I 200 600

display mpls l2vpn forwarding-info

Syntax
display mpls l2vpn forwarding-info [ vc-label ] interface interface-type interface-num

View
Any view

Parameter
vclabel: VC label
interface-type interface-num: Interface type and interface number

Description
Using the display mpls l2vpn forwarding-info command, you can view the L2VPN information under a specific interface.

Example
Display the L2VPN information under a specific interface.
[3Com] display mpls l2vpn forwarding-info interface serial1/0/0
VCLABEL  TUNNELTYPE  ENTRYTYPE  OUTINTERFACE  OUTSLOT  TOKEN  CTRLWORD
102402   LSP         SEND       Serial1       0        0      FALSE
Record(s) Found.

l2vpn-family

Syntax
l2vpn-family
undo l2vpn-family

View
BGP view

Parameter
None

Description
Using the l2vpn-family command, you can create an L2VPN address family view. Using the undo l2vpn-family command, you can delete the L2VPN address family view.

By default, it is BGP unicast view.

Using this command, you can enter L2VPN address family view. Execute the undo l2vpn-family command to exit multicast extended address family view, delete all the configurations in this address family, and go back to BGP unicast view.

Example
Create L2VPN address family view.
[3Com] bgp 100
[3Com-bgp] l2vpn-family
[3Com-bgp-af-l2vpn]

mpls l2vpn

Syntax
mpls l2vpn
undo mpls l2vpn

View
System view

Parameter
None

Description
Using the mpls l2vpn command, you can enable L2VPN. Using the undo mpls l2vpn command, you can disable L2VPN.

Enable MPLS before using this command.

For the related commands, see mpls and mpls lsr-id.


Example
Enter MPLS view, then configure LSR ID and enable MPLS.
[3Com] undo mpls
[3Com-mpls] mpls lsr-id 10.0.0.1
[3Com] mpls

Enable L2VPN.
[3Com] mpls l2vpn

mpls l2vpn encapsulation

Syntax
mpls l2vpn vpn-name encapsulation { atm-aal5 | ethernet | fr | vlan | hdlc | ppp }
undo mpls l2vpn vpn-name

View
System view

Parameter
vpn-name: Unique VPN name in PE with 1 to 20 bytes.
atm-aal5 | ethernet | fr | vlan | hdlc | ppp: VPN encapsulation types. The CCC encapsulation type on the CE interface must match that of the VPN when creating a BGP L2VPN connection. Otherwise, the connection cannot work normally.

Description
Using the mpls l2vpn encapsulation command, you can create Kompella MPLS L2VPN and specify encapsulation mode. Using the undo mpls l2vpn encapsulation command, you can remove the encapsulation.

Create a Kompella MPLS L2VPN only after MPLS L2VPN is globally enabled. After a Kompella MPLS L2VPN is created, the system creates an L2VPN mode, and all of its parameters are configured in L2VPN mode.

For related commands, see ce and mtu.

Example
Create a Kompella MPLS L2VPN, named “3Com”, with encapsulation type being vlan:
[3Com] mpls l2vpn 3Com encapsulation vlan

mtu

Syntax
mtu mtu

View
L2VPN view

Parameter
mtu: Layer 2 MTU value of VPN. The MTU defaults to 1500.


Description
Using the mtu command, you can configure the MTU of Kompella MPLS L2VPN.

When configuring the VPN Layer 2 MTU, the MTU value of the same VPN on different PEs must be consistent in the whole SP network. Otherwise, the VPN will not work normally.

For the related command, see mpls l2vpn encapsulation.

Example
Configure the mtu of VPN “3Com” as 1000.
[3Com-l2vpn-3Com] mtu 1000

peer enable

Syntax
peer { group-name | peer-address } enable
undo peer { group-name | peer-address } enable

View
L2VPN address family view

Parameter
group-name: Peer group name, specifying the whole peer group.
peer-address: IP address of peer, specifying some specified peer.

Description
Using the peer enable command, you can activate the specified peer (group) in L2VPN address family view. Using the undo peer enable command, you can deactivate the specified peer (group) in L2VPN address family view.

By default, the unicast peer (group) of the IPv4 address family is activated, while other peers (groups) are deactivated.

Example
Activate the peer (group) 192 in the L2VPN address family view.
[3Com-bgp] peer 1.1.1.1 as-number 100
[3Com-bgp] l2vpn-family
[3Com-bgp-af-l2vpn] peer 1.1.1.1 enable


9 SECURITY

This chapter describes security commands for the 3Com routers.

AAA Configuration Commands

access-limit

Syntax
access-limit { disable | enable max-user-number }
undo access-limit

View
ISP domain view

Parameter
disable: No limit to the supplicant number in the current ISP domain.
enable max-user-number: Specifies the maximum supplicant number in the current ISP domain, ranging from 1 to 1024.

Description
Using the access-limit command, you can configure a limit to the number of supplicants in the current ISP domain. Using the undo access-limit command, you can restore the limit to the default setting.

By default, there is no limit to the number of supplicants in the current ISP domain.

This command limits the number of supplicants contained in the current ISP domain. The supplicants may contend with each other for network resources, so setting a suitable limit guarantees reliable performance for the existing supplicants.

Example
# Set a limit of 500 supplicants for the ISP domain "3com163.net".
[3Com-isp-3com163.net] access-limit enable 500

accounting optional

Syntax
accounting optional
undo accounting optional

View
ISP domain view


Parameter
None

Description
Using the accounting optional command, you can enable optional accounting. Using the undo accounting optional command, you can disable it.

By default, optional accounting is disabled.

With the accounting optional command, a user who would otherwise be disconnected can use the network resources even when there is no available accounting server or the communication with the current accounting server fails. This command is normally used for authentication without accounting.

Example
# Enable optional accounting for users in the domain “3com163.net”.
[3Com] domain 3com163.net
[3Com-isp-3com163.net] accounting optional

display connection

Syntax
display connection [ domain isp-name | interface portnum | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name | ucibindex ucib-index | user-name user-name ]

View
Any view

Parameter
domain isp-name: Displays all the user connections belonging to the ISP domain specified by isp-name, a character string not exceeding 24 characters. The specified ISP domain must be an existing one.
ip ip-address: Displays all the user connections related to the specified IP address.
mac mac-address: Displays a user connection by specifying its hexadecimal MAC address in the format of x-x-x.
radius-scheme radius-scheme-name: Displays all the user connections connected to the RADIUS server specified by radius-scheme-name, a character string not exceeding 32 characters.
hwtacacs-scheme hwtacacs-scheme-name: Displays all the user connections connected to the HWTACACS server specified by hwtacacs-scheme-name, a character string not exceeding 32 characters.
ucibindex ucib-index: Displays information on a user connection by specifying its connection index number, that is, ucib-index ranging from 0 to 1023.


user-name user-name: Displays information on a user connection by specifying its user name, a character string not exceeding 80 characters and excluding "/", ":", "*", "?", "<" and ">". The @ character can be used only once in one username. The username without domain name (the part before @, namely the user ID) cannot exceed 24 characters.

Description
Using the display connection command, you can view the relevant information on the specified user connection or all the connections. The output can help you troubleshoot user connections.

By default, information about all user connections is displayed.

For the related command, see cut connection.

Example
# Display the relevant information of all the users.
<3Com> display connection
Total 0 connections matched, 0 listed.

display domain

Syntax
display domain [ isp-name ]

View
Any view

Parameter
isp-name: Specifies the ISP domain name, with a character string not exceeding 24 characters. The specified ISP domain must be an existing one.

Description
Using the display domain command, you can view the configuration of a specified ISP domain or display the summary information of all ISP domains.

By default, the summary of all ISP domains is displayed.

This command is used to output the configuration of a specified ISP domain or display the summary information of all ISP domains. If an ISP domain is specified, the configuration information will be displayed exactly the same, concerning the content and format, as the displayed information of the display domain command. The output information can help with ISP domain diagnosis and troubleshooting.

For the related commands, see access-limit, domain, scheme, state, display domain.

Example
# Display the summary information of all ISP domains of the system.
<3Com> display domain
0  Domain = 2
   State = Active
   Access-limit = Disable
   Domain User Template:
   Idle-cut = Disable

1  Domain = ls
   State = Active
   Access-limit = Disable
   Domain User Template:
   Idle-cut = Disable

Default Domain Name: system
Total 6 domain(s).2 listed.

The following table describes information about the above terminal display.

Table 1 Information displayed after executing display domain (when no ISP domain is specified)
Field                 Description
0                     ISP domain index number
Domain=2              Domain name
State                 State
Access-limit          Limit to the allowed number of access users
Default Domain Name   Name of the default ISP domain

display local-user

Syntax
display local-user [ domain isp-name | service-type { telnet | ssh | terminal | pad | ftp | ppp } | state { active | block } | user-name user-name ]

View
Any view

Parameter
domain isp-name: Displays all the local users in the ISP domain specified by isp-name, a character string not exceeding 24 characters. The specified ISP domain must be an existing one.
service-type: Displays local users by specifying service type, which can be telnet, ssh, terminal (terminal users logging on from Console, AUX, or Asyn port), ftp, ppp, or PAD (X.25 PAD).
state { active | block }: Displays local users by specifying user state, where active means users allowed to request network services and block means the opposite.


user-name user-name: Displays a user by specifying its user-name, a character string not exceeding 80 characters and excluding "/", ":", "*", "?", "<" and ">". The @ character can be used only once in one username. The username without domain name (the part before @, namely the user ID) cannot exceed 24 characters.

Description
Using the display local-user command, you can view the relevant information on the specified local user or all the local users. The output can help you troubleshoot faults related to local users.

By default, information on all local users is displayed.

For the related command, see local-user.

Example
# Display the relevant information of all the local users.
<3Com> display local-user
The contents of local user user1:
State:          Active
Idle-Cut:       Disable
Access-Limit:   Disable
Bind location:  Disable
Vlan ID:        Disable
IP address:     Disable
MAC address:    Disable
Current AccessNum: 0
ServiceType Mask: None

Total 1 local user(s) Matched,1 listed.

The following table describes the displayed information.

Table 2 Information displayed after executing local-user.
Field           Description
State           State
Idle-cut        Idle-cut switch
Access-limit    Limit to the allowed number of access users
Bind location   Whether to be bound to ports
VLAN ID         VLAN to which users belong
IP address      IP address of user
MAC address     MAC address of user


domain

Syntax
domain [ isp-name | default { disable | enable isp-name } ]
undo domain isp-name

View
System view

Parameter
isp-name: Specifies an ISP domain name. The name is expressed with a character string not exceeding 24 characters, excluding "/", ":", "*", "?", "<", and ">".
default: Configures the default ISP domain. The default ISP domain of the system is "system".
disable: Disables the configured default ISP domain. The users that have usernames without a domain name are to be refused as a result.
enable: Enables the configured default ISP domain. It is to be appended to the usernames that are received without domain name before they are sent to the intended AAA servers.

Description
Using the domain command, you can configure an ISP domain or enter the view of an existing ISP domain. Using the undo domain command, you can cancel a specified ISP domain.

By default, the default domain in the system is "system".

An ISP domain is a group of users belonging to the same ISP. Generally, for a username in the userid@isp-name format, [email protected] for example, the isp-name ("3com163.net" in the example) following the "@" is the ISP domain name. When an AAA server controls user access, for an ISP user whose username is in userid@isp-name format, the system takes the part "userid" as username for identification and takes the part "isp-name" as domain name.

The purpose of introducing ISP domain settings is to support the application environment with several ISP domains. In this case, an access device may have supplicants from different ISP domains. Because the attributes of ISP users, such as username and password structures and service types, may be different, it is necessary to separate them by setting ISP domains. In ISP domain view, you can configure a complete set of ISP domain attributes for each ISP domain, including an AAA scheme (the RADIUS scheme applied).

For a router, each supplicant belongs to an ISP domain. The system supports up to 16 configured ISP domains.

When this command is used, if the specified ISP domain does not exist, the system will create a new ISP domain. All the ISP domains are in the active state when they are created.

For the related commands, see access-limit, scheme, state, and display domain.


Example
# Create a new ISP domain, 3com163.net, and enter its view.
[3Com] domain 3com163.net
New Domain added.
[3Com-isp-3com163.net]

ip pool

Syntax
ip pool pool-number low-ip-address [ high-ip-address ]
undo ip pool pool-number

View
System view, ISP domain

Parameter
pool-number: Address pool number, ranging from 0 to 99.
low-ip-address and high-ip-address: The start and end IP addresses of the address pool. The number of in-between addresses cannot exceed 1024. If the end IP address is not specified, there will be only one IP address in the pool, namely the start IP address.

Description
Using the ip pool command, you can configure a local address pool for assigning addresses to PPP users. Using the undo ip pool command, you can delete the specified local address pool.

By default, no local IP address pool is configured.

You can configure an IP address pool in system view and use the remote address command in interface view to assign IP addresses from the pool to PPP users.

You can also configure an IP address pool in ISP domain view for assigning IP addresses to PPP users in the current ISP domain. This applies to the case where an interface serves a large number of PPP users but has inadequate address resources for allocation. For example, an Ethernet interface running PPPoE can accommodate 4095 users at most. However, only one address pool with up to 1024 addresses can be configured on its Virtual Template (VT). This is obviously far from what is required. To address the issue, you can configure address pools for ISP domains and assign addresses from them to their PPP users.

For the related command, see remote address.

Example
# Configure the local IP address pool 0 with the address range of 129.102.0.1 to 129.102.0.10.
[3Com] domain 3com163.net
[3Com-isp-3com163.net] ip pool 0 129.102.0.1 129.102.0.10

level

Syntax
level level
undo level


View
Local user view

Parameter
level: Specifies user priority level, an integer ranging from 0 to 3.

Description
Using the level command, you can configure user priority level. Using the undo level command, you can restore the default user priority level.

By default, user priority level is 3.

For the related command, see local-user.

If the configured authentication mode is none authentication or password authentication, the command level that a user can access after login depends on the priority of the user interface. In the case of authentication requiring both username and password, however, the accessible command level depends on user priority level.

Example
# Set the priority level of the user to 3.
[3Com-luser-3com1] level 3

local-user

Syntax
local-user user-name
undo local-user { user-name | all }

View
System view

Parameter
user-name: Specifies a local username with a character string not exceeding 80 characters, excluding "/", ":", "*", "?", "<" and ">". The @ character can be used only once in one username. The username without domain name (the part before @, namely the user ID) cannot exceed 24 characters. user-name is case-insensitive, so UserA and usera, for example, are the same.
all: All the users.

Description
Using the local-user command, you can add a local user and enter the local user view. Using the undo local-user command, you can remove the specified local user.
By default, no local user is configured.
For the related command, see display local-user.

Example
# Add a local user named 3com1.


[3Com] local-user 3com1
[3Com-luser-3com1]

local-user password-display-mode

Syntax
local-user password-display-mode { cipher-force | auto }
undo local-user password-display-mode

View
System view

Parameter
cipher-force: Forced cipher mode. The passwords of all the accessed users must be displayed in cipher text.
auto: Auto mode. A user is allowed to use the password command to set a password display mode.

Description
Using the local-user password-display-mode command, you can configure the password display mode of all the local users. Using the undo local-user password-display-mode command, you can restore the default password display mode of all the local users.
If cipher-force applies, specifying simple text display in the password command has no effect.
By default, auto applies when displaying passwords of local users.
For the related commands, see display local-user and password.

Example
# Force all the local users to have passwords displayed in cipher text.
[3Com] local-user password-display-mode cipher-force

password

Syntax
password { simple | cipher } password
undo password

View
Local user view

Parameter
simple: Specifies to display passwords in simple text.
cipher: Specifies to display passwords in cipher text.
password: Defines a password, which is a character string of up to 16 characters if it is in simple text or of up to 24 characters if it is in cipher text.


Description
Using the password command, you can configure a password for a local user. Using the undo password command, you can cancel the password of the local user.
If local-user password-display-mode cipher-force applies, specifying simple text display in the password command has no effect.
For the related command, see display local-user.

Example
# Display the password of the user 3com1 in simple text, with the password being 20030422.
[3Com-luser-3com1] password simple 20030422

scheme

Syntax
scheme { radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name | local | none }
undo scheme { radius-scheme | hwtacacs-scheme | none }

View
ISP domain view

Parameter
radius-scheme-name: RADIUS scheme, a character string not exceeding 32 characters.
hwtacacs-scheme-name: HWTACACS scheme, a character string not exceeding 32 characters.
local: Local authentication.
none: No authentication.

Description
Using the scheme command, you can configure the AAA scheme to be referenced by the current ISP domain. Using the undo scheme command, you can restore the default AAA scheme.
The default AAA scheme in the system is local.
With this command, the current ISP domain can reference a RADIUS/HWTACACS scheme that has been configured. If the local or none scheme applies, no RADIUS or HWTACACS scheme can be adopted.
For the related commands, see radius scheme and hwtacacs scheme.

Example
# Specify the current ISP domain, 3com163.net, to use the RADIUS scheme 3com.
[3Com-isp-3com163.net] scheme radius-scheme 3com


service-type

Syntax
service-type { telnet | ssh | terminal | pad }
undo service-type { telnet | ssh | terminal | pad }

View
Local user view

Parameter
telnet: Authorizes the user to use the Telnet service.
ssh: Authorizes the user to use the SSH service.
terminal: Authorizes the user to use the terminal service (login from the Console, AUX or Asyn port).
pad: Authorizes the user to use the PAD service.

Description
Using the service-type command, you can configure a service type for a particular user. Using the undo service-type command, you can delete one or all service types configured for the user.
By default, no service is available for the user.
For the related commands, see service-type ppp and service-type ftp.

Example
# Authorize the user to use the Telnet service.
[3Com-luser-3com1] service-type telnet

service-type ftp

Syntax
service-type ftp [ ftp-directory directory ]
undo service-type ftp [ ftp-directory ]

View
Local user view

Parameter
ftp-directory directory: Specifies a directory accessible for the FTP user.

Description
Using the service-type ftp command, you can specify a directory accessible for the FTP user. Using the undo service-type ftp command, you can restore the default directory accessible for the FTP user.
By default, no services of any type are authorized to any user and access of anonymous FTP users is not allowed, but a user that is granted the FTP service is authorized to access the root directory "flash:/".
For the related commands, see service-type and service-type ppp.


Example
# Authorize the user to use the FTP service.
[3Com-luser-3com1] service-type ftp

service-type ppp

Syntax
service-type ppp [ callback-nocheck | callback-number callback-number | call-number call-number [ subcall-number ] ]
undo service-type ppp [ callback-nocheck | callback-number | call-number ]

View
Local user view

Parameter
callback-nocheck: Specifies PPP user callback without authentication.
callback-number callback-number: Specifies a callback number.
call-number call-number: Specifies a caller number in ISDN user authentication, with a length up to 64 bytes.
[ subcall-number ]: Specifies the sub-caller number. If included, the total length of it plus the caller number cannot exceed 62 bytes.

Description
Using the service-type ppp command, you can configure the callback attribute and caller number of the PPP user. Using the undo service-type ppp command, you can restore their default settings.
By default, PPP users are allowed to call back without authentication and no callback number is specified; the system does not authenticate caller numbers of ISDN users.
For the related commands, see service-type and service-type ftp.

Example
# Set the PPP user to call back without authentication.
[3Com-luser-3com1] service-type ppp callback-nocheck

state

Syntax
state { active | block }

View
ISP domain view, local user view

Parameter
active: Allows users in the current ISP domain, or the current local user, to request network services.


block: Blocks users in the current ISP domain, or the current local user, from requesting network services.

Description
Using the state command, you can configure the state of the current ISP domain or local user.
By default, both an ISP domain (in ISP domain view) and a local user (in local user view) are in the active state upon their creation.
Every ISP domain can be active or blocked. If an ISP domain is configured to be active, the supplicants in it can request network services; in the block state, its users are not allowed to request any network service, but users currently online are not affected. This also applies to local users.
For the related command, see domain.

Example
# Set the state of the current ISP domain "3com163.net" to block. The supplicants in this domain cannot request network services.
[3Com-isp-3com163.net] state block

# Set the state of the user "3com1" to block.
[3Com-luser-3com1] state block

Access Control List Configuration Commands

acl

Syntax
acl { number acl-number | name acl-name [ basic | advanced | interface ] } [ match-order { config | auto } ]
undo acl { number acl-number | name acl-name | all }

View
System view

Parameter
number: Defines a number-typed ACL (access control list). The number used for a basic ACL ranges from 1 to 99, that for an advanced ACL ranges from 100 to 199, and that for an interface-based ACL ranges from 1000 to 1999.
name: Defines an ACL by name.
basic: Defines a basic ACL.
advanced: Defines an advanced ACL.
interface: Defines an interface-based ACL.


acl-number: ID of ACL, a number ranging from 1 to 199 or from 1000 to 1999. The range from 1 to 99 is used for basic ACLs; the range from 100 to 199 is used for advanced ACLs; the range from 1000 to 1999 is used for interface-based ACLs.
acl-name: Name of ACL.
match-order: Indicates the match order.
config: Matches the rules in the order in which the user configured them.
auto: Matches the rules in automatic order (in accordance with the "depth first" principle).
all: Deletes all ACLs.

Description
Using the acl command, you can create an access control list and enter ACL view. Using the undo acl command, you can delete an access control list.
An access control list consists of a list of rules that are described by a series of permit or deny sub-sentences. Several rule lists form an ACL. Before configuring the rules for an access control list, you should create the access control list first.
When you create an access control list, you should specify the following parameters:
The number-typed ACL or a name-typed ACL. If it is a name-typed ACL, the usage of the ACL (a basic ACL, an advanced ACL, or an interface-based ACL) needs to be specified. If this name-typed ACL already exists, the command enters ACL view directly.
The match order of the ACL. It is optional. By default, the match order is configuration order (config).

Example
# Create an ACL numbered 10.
[3Com] acl number 10
[3Com-acl-basic-10]

# Create an advanced ACL named test.
[3Com] acl name test advanced
[3Com-acl-adv-test]

# Create an interface-based ACL named int.
[3Com] acl name int interface
[3Com-acl-if-int]


display acl

Syntax
display acl { all | acl-number | acl-name }

View
Any view

Parameter
all: All ACL rules.
acl-number: ACL expressed by number.
acl-name: ACL expressed by name.

Description
Using the display acl command, you can view the rules of an access control list.
The default match order of the system is the configuration order (config). If the match order is set to auto-match (auto), the system displays the information with the match order shown as "auto". If the default match order (config) is used, the system displays the rules without any match order information.

Example
# Display the rules of ACL 1.
[3Com-acl-basic-1] display acl 1
Basic ACL 1, 2 rules,
rule 1 permit (0 times matched)
rule 2 permit source 1.1.1.1 0 (0 times matched)

reset acl counter

Syntax
reset acl counter { all | acl-number | acl-name }

View
User view

Parameter
acl-number: ACL expressed by number.
acl-name: ACL expressed by name.
all: All ACL rules.

Description
Using the reset acl counter command, you can clear the statistics of an access control list.

Example
# Reset the statistics of access control list 1.
<3Com> reset acl counter 1


rule

Syntax
1. Create or delete a rule of a basic access control list.
rule [ rule-id ] { permit | deny } [ source source-addr source-wildcard | any ] [ time-range time-name ] [ logging ] [ fragment ] [ vpn-instance vpn-instance-name ]
undo rule rule-id [ source ] [ time-range ] [ logging ] [ fragment ] [ vpn-instance vpn-instance-name ]

2. Create or delete a rule of an advanced access control list.
rule [ rule-id ] { permit | deny } protocol [ source source-addr source-wildcard | any ] [ destination dest-addr dest-wildcard | any ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type icmp-type icmp-code ] [ precedence precedence ] [ tos tos ] [ time-range time-name ] [ logging ] [ fragment ] [ vpn-instance vpn-instance-name ]
undo rule rule-id [ source ] [ destination ] [ source-port ] [ destination-port ] [ icmp-type ] [ precedence ] [ tos ] [ time-range ] [ logging ] [ fragment ] [ vpn-instance vpn-instance-name ]

3. Create or delete a rule of an interface-based access control list.
rule [ rule-id ] { permit | deny } [ interface interface-name ] [ time-range time-name ] [ logging ]
undo rule rule-id

View
The first group of commands is used in basic ACL view. The second group of commands is used in advanced ACL view. The third group of commands is used in interface-based ACL view.

Parameter
In the rule command:
rule-id: ID of an ACL rule, optional, ranging from 0 to 127. If you specify a rule-id and a rule with that ID already exists, the newly defined rule overwrites the old rule, just as when editing an existing ACL rule. If the rule-id you specify does not exist, a new rule with the specified rule-id is created. If you do not specify a rule-id, a new rule is added and the system assigns a rule-id to it automatically.
deny: Discards the packets that meet the conditions.
permit: Permits the packets that meet the conditions.
protocol: Protocol type over IP, expressed by name or number. The number range is from 0 to 255, and the name range covers gre, icmp, igmp, ip, ipinip, ospf, tcp and udp.
source: Optional. Specifies the source address information of the ACL rule. If it is not configured, any source address of the packets matches.
source-addr: Source IP address of packets in dotted decimal format. Or use "any" to represent the source address 0.0.0.0 with the wildcard 255.255.255.255.



source-wildcard: Source address wildcard in dotted decimal format. Inputting "0" indicates that the wildcard is 0.0.0.0. It represents a host with the address specified by the parameter source-addr.
destination: Optional. Specifies the destination address information of the ACL rule. If it is not configured, any destination address of the packets matches.
dest-addr: Destination IP address of packets in dotted decimal format. Or use "any" to represent the destination address 0.0.0.0 with the wildcard 255.255.255.255.
dest-wildcard: Destination address wildcard in dotted decimal format. Inputting "0" indicates that the wildcard is 0.0.0.0. It represents a host with the address specified by the parameter dest-addr.
source-port: Optional. Specifies the source port information of UDP or TCP packets, valid only when the protocol specified by the rule is TCP or UDP. If it is not specified, any source port of TCP/UDP packets matches.
destination-port: Optional. Specifies the destination port information of UDP or TCP packets, valid only when the protocol specified by the rule is TCP or UDP. If it is not specified, any destination port of TCP/UDP packets matches.
operator: Optional. Comparison applied to the source or destination port number. The names and meanings are as follows: lt (lower than), gt (greater than), eq (equal to), neq (not equal to) and range (between). If the operator is range, two port numbers should follow it. The others need only one port number.
port: Optional. Port number of TCP or UDP, expressed by name or number. The number range is from 0 to 65535.
icmp-type: Optional. Specifies the ICMP packet type and ICMP message code, valid only when the packet protocol is ICMP. If it is not configured, any ICMP packet matches.
icmp-type: ICMP packets can be filtered according to ICMP message type. It is a number ranging from 0 to 255.
icmp-code: ICMP packets that can be filtered according to ICMP message type can also be filtered according to message code. It is a number ranging from 0 to 255.
icmp-message: ICMP packets can be filtered according to ICMP message type or ICMP message code.
precedence: Optional, a number ranging from 0 to 7, or a name. Packets can be filtered according to the precedence field.
tos: Optional, a number ranging from 0 to 15, or a name. Packets can be filtered according to type of service.
logging: Optional, indicating whether to log qualified packets. The log contents include the sequence number of the ACL rule, whether packets were passed or discarded, the upper layer protocol type over IP, source/destination address, source/destination port number, and number of packets.
time-name: Specifies that the ACL is valid in this time range.



fragment: Specifies that this rule is valid only for fragment packets that are not the first fragment.
interface: Optional. Specifies the interface information of the packets. If it is not specified, all interfaces match.
interface-name: Specifies the interface from which the packets enter. Or "any" can be used to indicate all interfaces.
vpn-instance: Optional parameter specifying the vpn-instance to which the packets belong. If it is not specified, the ACL rule is valid for the packets in all the vpn-instances. If it is specified, the ACL rule is valid only for the specified vpn-instance.
vpn-instance-name: Specifies the name of an existing vpn-instance.

In the undo rule command:
rule-id: ID of an ACL rule. It should be an existing ACL rule number. If the command is not followed by other parameters, this ACL rule will be deleted completely; otherwise, only part of the information related to this ACL rule will be deleted.
source: Optional. Only the setting related to the source address part of the ACL rule will be deleted.
destination: Optional. Only the setting related to the destination address part of the ACL rule will be deleted.
source-port: Optional. Only the setting related to the source port part of the ACL rule will be deleted, valid only when the protocol is TCP or UDP.
destination-port: Optional. Only the setting related to the destination port part of the ACL rule will be deleted, valid only when the protocol is TCP or UDP.
icmp-type: Optional. Only the setting related to the ICMP type and message code part of the ACL rule will be deleted, valid only when the protocol is ICMP.
precedence: Optional. Only the precedence setting of the ACL rule will be deleted.
tos: Optional. Only the tos setting of the ACL rule will be deleted.
time-range: Optional. Only the setting corresponding to the time range part of the ACL rule will be deleted.
logging: Optional. Only the setting corresponding to the logging part of the ACL rule will be deleted.
fragment: Optional. Only the setting that makes the ACL rule valid for non-first fragments will be deleted.
vpn-instance: Optional parameter. If it is specified, only the vpn-instance setting of the specified ACL rule will be deleted.

Description
Using the rule command, you can add a rule in the current ACL view. Using the undo rule command, you can delete a rule.
The rule ID is needed when you delete a rule. If you do not know the ID, use the display acl command to find it.

Example
# Create ACL 101 and add a rule to prohibit the receiving or sending of RIP packets.
[3Com] acl number 101
[3Com-acl-adv-101] rule deny udp destination-port eq rip

# Add a rule to permit hosts in the network segment 129.9.0.0 to send WWW packet to hosts in the network segment 202.38.160.0.
[3Com-acl-adv-101] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www

# Add a rule to deny the WWW access (80) from the host in network segment 129.9.0.0 to the host in network segment 202.38.160.0, and log events that violate the rule.
[3Com-acl-adv-101] rule deny tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www logging

# Add a rule to permit the WWW access (80) from the host in network segment 129.9.8.0 to the host in network segment 202.38.160.0.
[3Com-acl-adv-101] rule permit tcp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port eq www

# Add a rule to prohibit all hosts from establishing Telnet (23) connection to the host with the IP address 202.38.160.1.
[3Com-acl-adv-101] rule deny tcp destination 202.38.160.1 0 destination-port eq telnet

# Add a rule to prohibit the hosts in network segment 129.9.8.0 from creating UDP connections with a port number greater than 128 to the hosts in network segment 202.38.160.0.
[3Com-acl-adv-101] rule deny udp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port gt 128

# Add a rule, denying the packets carrying the source address 1.1.1.1 from VPN vrf1.
[3Com-acl-adv-101] rule deny ip source 1.1.1.1 0 vpn-instance vrf1
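The following Python sketch is an added example, not code from 3Com or from this guide. It parses the advanced ACL 101 rules shown above (with the port keyword written as destination-port in every rule), applies wildcard matching, and evaluates packets in configuration order. It assumes that the first matching rule decides, that unmatched packets fall through to the firewall default action, and that all six rules were entered into one ACL in the order shown; the packet dictionaries are constructed sample input.

```python
import ipaddress

# Port names used in the rule examples on this page, with their well-known numbers.
PORT_NAMES = {"www": 80, "telnet": 23, "rip": 520}
ANY = ("0.0.0.0", "255.255.255.255")   # "any" as defined for source-addr/dest-addr

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _care(pattern):
    """Bits that must match: the complement of the wildcard."""
    return ~_ip(pattern[1]) & 0xFFFFFFFF

def wildcard_match(addr, pattern):
    """True if addr equals the pattern address on every bit whose wildcard bit is 0."""
    care = _care(pattern)
    return (_ip(addr) & care) == (_ip(pattern[0]) & care)

def covers(a, b):
    """True if address pattern a matches every address that pattern b matches."""
    care_a, care_b = _care(a), _care(b)
    return (care_a & ~care_b) == 0 and (_ip(a[0]) & care_a) == (_ip(b[0]) & care_a)

def parse_rule(line):
    """Parse the subset of the advanced-ACL rule syntax used in the examples."""
    tok = line.split()
    if tok[0] != "rule":
        raise ValueError("not a rule line: " + line)
    rule = {"id": None, "src": ANY, "dst": ANY, "dport": None, "logging": False}
    i = 1
    if tok[i].isdigit():                       # optional rule-id
        rule["id"] = int(tok[i])
        i += 1
    rule["action"], rule["protocol"] = tok[i], tok[i + 1]
    i += 2
    while i < len(tok):
        key = tok[i]
        if key in ("source", "destination"):
            field = "src" if key == "source" else "dst"
            if tok[i + 1] == "any":
                i += 2
            else:                              # "0" is shorthand for wildcard 0.0.0.0
                wildcard = "0.0.0.0" if tok[i + 2] == "0" else tok[i + 2]
                rule[field] = (tok[i + 1], wildcard)
                i += 3
        elif key == "destination-port":
            op = tok[i + 1]
            count = 2 if op == "range" else 1
            ports = tuple(int(p) if p.isdigit() else PORT_NAMES[p]
                          for p in tok[i + 2:i + 2 + count])
            rule["dport"] = (op, ports)
            i += 2 + count
        elif key == "logging":
            rule["logging"] = True
            i += 1
        else:
            raise ValueError("unsupported keyword: " + key)
    return rule

def port_match(spec, port):
    op, p = spec
    return {"eq": port == p[0], "neq": port != p[0], "lt": port < p[0],
            "gt": port > p[0], "range": p[0] <= port <= p[-1]}[op]

def rule_matches(rule, pkt):
    if rule["protocol"] not in ("ip", pkt["protocol"]):
        return False
    if not (wildcard_match(pkt["src"], rule["src"])
            and wildcard_match(pkt["dst"], rule["dst"])):
        return False
    return rule["dport"] is None or port_match(rule["dport"], pkt["dport"])

def evaluate(rules, pkt, default="permit"):
    """Assumed semantics: first match in config order decides, else the firewall default."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule["action"], index
    return default, None

def shadowed(rules):
    """Indexes of rules fully covered by an earlier rule (a sufficient check, not complete)."""
    hits = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier["protocol"] in ("ip", later["protocol"])
                    and covers(earlier["src"], later["src"])
                    and covers(earlier["dst"], later["dst"])
                    and earlier["dport"] in (None, later["dport"])):
                hits.append(j)
                break
    return hits

# The ACL 101 rules from the examples above, in the order shown.
ACL_101 = [parse_rule(line) for line in """
rule deny udp destination-port eq rip
rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www
rule deny tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www logging
rule permit tcp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port eq www
rule deny tcp destination 202.38.160.1 0 destination-port eq telnet
rule deny udp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port gt 128
""".strip().splitlines()]

if __name__ == "__main__":
    web = {"protocol": "tcp", "src": "129.9.8.5", "dst": "202.38.160.7", "dport": 80}
    print(evaluate(ACL_101, web))     # decided by the first permit
    print(shadowed(ACL_101))          # the logged deny and the narrower permit never decide
```

Under these assumptions the deny rule with logging can never be the deciding rule, because the identical permit before it always matches first; reviewing rule order with display acl and its match counters catches this kind of mistake.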

Add/delete a MAC-based ACL rule

rule [ rule-id ] { deny | permit } [ type type-code type-mask | lsap lsap-code lsap-mask ] [ source-mac sour-addr sour-mask ] [ dest-mac dest-addr dest-mask ]


Parameter
type-code: Data frame type, a 16-bit hexadecimal number equivalent to the type-code field in Ethernet_II and Ethernet_SNAP frames.
type-mask: A 16-bit hexadecimal number used for specifying the mask bits.
lsap-code: Encapsulation format of data frames, a 16-bit hexadecimal number.
lsap-mask: LSAP mask, a 16-bit hexadecimal number used to specify mask bits.
sour-addr: Source MAC address in the format of xxxx-xxxx-xxxx.
sour-mask: Source MAC address mask.
dest-addr: Destination MAC address in the format of xxxx-xxxx-xxxx.
dest-mask: Destination MAC address mask.

Ethernet Type-Code Values

The following table lists the Ethernet type-code values recommended in RFC 1700 and their meanings.
Table 3 Ethernet type-code values

Ethernet type-code value (in hexadecimal)    Represents
0000-05DC    IEEE802.3 Length Field
0101-01FF    Experimental
0200         XEROX PUP (see 0A00)
0201         PUP Addr Trans (see 0A01)
0400         Nixdorf
0600         XEROX NS IDP
0660         DLOG
0661         DLOG
0800         Internet IP (IPv4)
0801         X.75 Internet
0802         NBS Internet
0803         ECMA Internet
0804         Chaosnet
0805         X.25 Level 3
0806         ARP
0807         XNS Compatability
081C         Symbolics Private
0888-088A    Xyplex
0900         Ungermann-Bass net debugr
0A00         Xerox IEEE802.3 PUP
0A01         PUP Addr Trans
0BAD         Banyan Systems
1000         Berkeley Trailer nego
1001-100F    Berkeley Trailer encap/IP
1600         Valid Systems
4242         PCS Basic Block Protocol
5208         BBN Simnet
6000         DEC Unassigned (Exp.)
6001         DEC MOP Dump/Load
6002         DEC MOP Remote Console
6003         DEC DECNET Phase IV Route
6004         DEC LAT
6005         DEC Diagnostic Protocol
6006         DEC Customer Protocol
6007         DEC LAVC, SCA
6008-6009    DEC Unassigned
6010-6014    3Com Corporation
7000         Ungermann-Bass download
7002         Ungermann-Bass dia/loop
7020-7029    LRT
7030         Proteon
7034         Cabletron
8003         Cronus VLN
8004         Cronus Direct
8005         HP Probe
8006         Nestar
8008         AT&T
8010         Excelan
8013         SGI diagnostics
8014         SGI network games
8015         SGI reserved
8016         SGI bounce server
8019         Apollo Computers
802E         Tymshare
802F         Tigan, Inc.
8035         Reverse ARP
8036         Aeonic Systems
8038         DEC LANBridge
8039-803C    DEC Unassigned
803D         DEC Ethernet Encryption
803E         DEC Unassigned
803F         DEC LAN Traffic Monitor
8040-8042    DEC Unassigned
8044         Planning Research Corp.
8046         AT&T
8047         AT&T
8049         ExperData
805B         Stanford V Kernel exp.
805C         Stanford V Kernel prod.
805D         Evans & Sutherland
8060         Little Machines
8062         Counterpoint Computers
8065         Univ. of Mass. @ Amherst
8066         Univ. of Mass. @ Amherst
8067         Veeco Integrated Auto.
8068         General Dynamics
8069         AT&T
806A         Autophon
806C         ComDesign
806D         Computgraphic Corp.
806E-8077    Landmark Graphics Corp.
807A         Matra
807B         Dansk Data Elektronik
807C         Merit Internodal
807D-807F    Vitalink Communications
8080         Vitalink TransLAN III
8081-8083    Counterpoint Computers
809B         Appletalk
809C-809E    Datability
809F         Spider Systems Ltd
80A3         Nixdorf Computers
80A4-80B3    Siemens Gammasonics Inc.
80C0-80C3    DCA Data Exchange Cluster
80C4         Banyan Systems
80C5         Banyan Systems
80C6         Pacer Software
80C7         Applitek Corporation
80C8-80CC    Intergraph Corporation
80CD-80CE    Harris Corporation
80CF-80D2    Taylor Instrument
80D3-80D4    Rosemount Corporation
80D5         IBM SNA Service on Ether
80DD         Varian Associates
80DE-80DF    Integrated Solutions TRFS
80E0-80E3    Allen-Bradley
80E4-80F0    Datability
80F2         Retix
80F3         AppleTalk AARP (Kinetics)
80F4-80F5    Kinetics
80F7         Apollo Computer
80FF-8103    Wellfleet Communications
8107-8109    Symbolics Private
8130         Hayes Microcomputers
8131         VG Laboratory Systems
8132-8136    Bridge Communications
8137-8138    Novell, Inc.
8139-813D    KTI
8148         Logicraft
8149         Network Computing Devices
814A         Alpha Micro
814C         SNMP
814D         BIIN
814E         BIIN
814F         Technically Elite Concept
8150         Rational Corp
8151-8153    Qualcomm
815C-815E    Computer Protocol Pty Ltd
8164-8166    Charles River Data System
817D-818C    Protocol Engines
818D         Motorola Computer
819A-81A3    Qualcomm
81A4         ARAI Bunkichi
81A5-81AE    RAD Network Devices
81B7-81B9    Xyplex
81CC-81D5    Apricot Computers
81D6-81DD    Artisoft
81E6-81EF    Polygon
81F0-81F2    Comsat Labs
81F3-81F5    SAIC
81F6-81F8    VG Analytical
8203-8205    Quantum Software
8221-8222    Ascom Banking Systems
823E-8240    Advanced Encryption Systems
827F-8282    Athena Programming
8263-826A    Charles River Data System
829A-829B    Inst Ind Info Tech
829C-82AB    Taurus Controls
82AC-8693    Walker Richer & Quinn
8694-869D    Idea Courier
869E-86A1    Computer Network Tech
86A3-86AC    Gateway Communications
86DB         SECTRA
86DE         Delta Controls
86DF         ATOMIC
86E0-86EF    Landis & Gyr Powers
8700-8710    Motorola
8A96-8A97    Invisible Software
9000         Loopback
9001         3Com(Bridge) XNS Sys Mgmt
9002         3Com(Bridge) TCP-IP Sys
9003         3Com(Bridge) loop detect
FF00         BBN VITAL-LanBridge cache
FF00-FF0F    ISC Bunker Ramo

Time-range Configuration Commands

display time-range

Syntax
display time-range { all | time-name }

View
Any view

Parameter
time-name: Name of the time range.


all: Displays all the configured time ranges.

Description
Using the display time-range command, you can view the configuration and the status of a time range. A time range that is currently active is displayed as "active", and one that is not is displayed as "inactive".
The system updates ACL status with a deviation of about 1 minute, whereas display time-range shows the state of a time range at exactly the current time. The following case may therefore occur: display time-range shows that a time range is activated, but the ACL that should be active in that time range is still inactive. This case is normal.

Example
# Display all time ranges.
[3Com] display time-range all

# Display the time range named trname.
[3Com] display time-range trname
Current time is 02:49:36 2-15-2003 Saturday
Time-range : trname ( Inactive )
14:00 to 16:00 off-day
from 00:00 12-1-2002 to 00:00 12-1-2003

time-range

Syntax
time-range time-name [ start-time to end-time ] [ days ] [ from time1 date1 ] [ to time2 date2 ]
undo time-range time-name [ start-time to end-time ] [ days ] [ from time1 date1 ] [ to time2 date2 ]

View
System view

Parameter
time-name: Name of time range.
start-time: Start time of a time range, in the format of HH:MM.
end-time: End time of a time range, in the format of HH:MM.
days: Indicates on which day of a week the time range is valid or from which day in a week the time range is valid. The following parameters can be input:
Number (0 to 6);
Monday to Sunday (Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday);
Working-day, from Monday to Friday;


Off-day, including Saturday and Sunday;
Daily, including the seven days of a week.
from time1 date1: Optional. It is used to indicate the start time and date. The input format of time is hh:mm, in 24-hour notation. The range of hh is from 0 to 23 and the range of mm is from 0 to 59. The input format of date is MM-DD-YYYY. DD is in the range from 1 to 31, MM is a number in the range from 1 to 12, and YYYY is a 4-digit number. If no start time is set, there is no restriction on the start time and only the end time is considered.
to time2 date2: Optional. It is used to indicate the end time and date. The input format of time and date is the same as that of the start time. The end time must be greater than the start time. If the end time is not set, it will be the maximum time that the system can set.

Description
Using the time-range command, you can specify a time range. Using the undo time-range command, you can delete a time range.
A time range consists of 2 parts. The first is the periodic time range within one week, described by the parameters start-time and end-time, with the parameter days specifying on which days it is valid. The second is the time range specified by from and to, which specifies the period in which the periodic time range is valid.
You can configure multiple time ranges with the same time-name. These time ranges define a special time range all together and are expressed by name.

Example
# Configure a time range that becomes valid at 0:0 on Jan. 1, 2003 and stays valid from then on.
[3Com] time-range test from 0:0 1-1-2003

# Configure the time range valid between 14:00 and 16:00 in every weekend from 20:00 on Apr. 01, 2003 to 20:00 on Dec. 10, 2003.
[3Com] time-range test 14:00 to 16:00 off-day from 20:00 04-01-2003 to 20:00 12-10-2003

# Configure the time range valid between 8:00 and 18:00 in each working day.
[3Com] time-range test 8:00 to 18:00 working-day

# Configure the time range valid between 14:00 and 18:00 in each weekend day.
[3Com] time-range test 14:00 to 18:00 off-day
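The following Python sketch is an added example, not code from 3Com or from this guide. It parses the time-range command syntax above and decides whether a time range is active at a given moment, which reproduces the "Inactive" status in the display time-range trname output. It assumes that the periodic part and the from/to part must both hold, that a periodic part without days means daily, and that the from boundary is inclusive and the to boundary exclusive; numeric days (0 to 6) and several entries under one time-name are not modelled.

```python
from datetime import datetime, time

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday",
             "friday", "saturday", "sunday"]          # index == datetime.weekday()
DAY_SETS = {
    "working-day": {0, 1, 2, 3, 4},                   # Monday to Friday
    "off-day": {5, 6},                                # Saturday and Sunday
    "daily": set(range(7)),
}

def _hhmm(text):
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))

def _stamp(clock, date):
    month, day, year = (int(part) for part in date.split("-"))   # MM-DD-YYYY
    at = _hhmm(clock)
    return datetime(year, month, day, at.hour, at.minute)

def parse_time_range(command):
    """Parse 'time-range NAME [start to end] [days] [from t d] [to t d]'."""
    tok = command.split()
    if tok[0] != "time-range":
        raise ValueError("not a time-range command: " + command)
    tr = {"name": tok[1], "start": None, "end": None, "days": None,
          "from": None, "to": None}
    i = 2
    if i < len(tok) and ":" in tok[i]:                # periodic part present
        if tok[i + 1] != "to":
            raise ValueError("expected 'to' after start-time")
        tr["start"], tr["end"] = _hhmm(tok[i]), _hhmm(tok[i + 2])
        i += 3
        days = set()
        while i < len(tok) and tok[i] not in ("from", "to"):
            word = tok[i].lower()
            days |= DAY_SETS[word] if word in DAY_SETS else {DAY_NAMES.index(word)}
            i += 1
        tr["days"] = days or DAY_SETS["daily"]        # assumption: no days means daily
    while i < len(tok):                               # absolute part
        if tok[i] not in ("from", "to"):
            raise ValueError("unexpected token: " + tok[i])
        tr[tok[i]] = _stamp(tok[i + 1], tok[i + 2])
        i += 3
    return tr

def is_active(tr, now):
    """True if 'now' falls inside both the absolute and the periodic part."""
    if tr["from"] is not None and now < tr["from"]:
        return False
    if tr["to"] is not None and now >= tr["to"]:
        return False
    if tr["start"] is None:                           # absolute-only time range
        return True
    return now.weekday() in tr["days"] and tr["start"] <= now.time() <= tr["end"]

# The time range shown in the display time-range example above.
TRNAME = parse_time_range(
    "time-range trname 14:00 to 16:00 off-day from 00:00 12-1-2002 to 00:00 12-1-2003")

if __name__ == "__main__":
    shown = datetime(2003, 2, 15, 2, 49, 36)          # "Current time" in that output
    print(is_active(TRNAME, shown))                   # Saturday, but outside 14:00-16:00
    print(is_active(TRNAME, datetime(2003, 2, 15, 15, 0)))
```

Because the router refreshes ACL status about once a minute, a rule bound to a time range can lag this calculation by up to that deviation.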


Packet Filtering Firewall Configuration Commands

debugging firewall

Syntax
debugging firewall { all | icmp | tcp | udp | fragments-inspect | others } [ interface interface-name ]
undo debugging firewall { all | icmp | tcp | udp | fragments-inspect | others } [ interface interface-name ]

View
User view

Parameter
icmp: Debugging information of ICMP packet filtering.
tcp: Debugging information of TCP packet filtering.
udp: Debugging information of UDP packet filtering.
fragments-inspect: Fragment debugging information.
others: Debugging information of all the other packets except ICMP, TCP and UDP.
interface interface-name: Debugging information of the corresponding packets passing the interface. The debugging information of all the interfaces will be displayed if this parameter is not configured.
all: Debugging information of all the packets.

Description
Using the debugging firewall command, you can enable the information debugging of the firewall packet filtering. Using the undo debugging firewall command, you can disable the information debugging of the firewall packet filtering.
By default, all the information debugging of the firewall is disabled.
For the related command, see display debugging.

Example
# Enable the debugging information about UDP packet filtering.
<3Com> debugging firewall udp

display firewall-statistics

Syntax
display firewall-statistics { all | interface interface-name | fragments-inspect }

View
Any view

Parameter
all: Displays the filtering packet statistics of all the interfaces.
interface: Displays the filtering packet statistics of a certain interface.
interface-name: Name of the interface.
fragments-inspect: Displays the fragment inspection information.

Description
Using the display firewall-statistics command, you can view the firewall statistics.
For the related command, see firewall fragments-inspect.

Example
# Display the information of fragment inspection.
<3Com> display firewall-statistics fragments-inspect
Fragments inspection is enabled.
The high-watermark for clamping is 10000.
The low-watermark for clamping is 1000.
Current records for fragments inspection is 0.

firewall default

Syntax
firewall default { permit | deny }

View
System view

Parameter
permit: Default filter rule is permitting packets to pass.
deny: Default filter rule is denying packets to pass.

Description
Using the firewall default command, you can configure the default filtering rule of the firewall, whether to be “permit” or “deny”.
By default, the system permits packets.

Example
# Set the default filtering rule of the firewall to “deny”.
[3Com] firewall default deny

firewall enable

Syntax
firewall enable
undo firewall enable

View
System view

Parameter
None.

Description
Using the firewall enable command, you can enable the firewall. Using the undo firewall enable command, you can disable the firewall.
By default, the firewall is disabled.

Example
# Enable the firewall.
[3Com] firewall enable

firewall fragments-inspect

Syntax
firewall fragments-inspect
undo firewall fragments-inspect

View
System view

Parameter
None.

Description
Using the firewall fragments-inspect command, you can enable the fragment inspection switch. Using the undo firewall fragments-inspect command, you can disable the fragment inspection switch.
By default, the fragment inspection switch is disabled.
This command is the prerequisite for exact match. Only after the fragment inspection switch is enabled can fragment exact match be implemented. The packet filtering firewall will record the status of a fragment, and perform exact matching against advanced ACL rules according to the information beyond layer 3 (the IP layer).
The packet filtering firewall consumes some system resources for recording the fragment status. If the exact match mode is not used, you are recommended to disable this function so as to improve the running efficiency of the system and reduce the system cost.
Only when the fragment packet inspection is enabled can the exact match really take effect.
For the related commands, see display firewall fragments-inspect and firewall packet-filter.

Example
# Enable the fragment inspection switch.
[3Com] firewall fragments-inspect

firewall fragments-inspect { high | low }

Syntax
firewall fragments-inspect { high | low } { default | number }
undo firewall fragments-inspect { high | low }

View
System view

Parameter
high number: Specifies the high threshold of the fragment status records. It is in the range from 100 to 10000.
low number: Specifies the low threshold of the fragment status records. It is in the range from 100 to 10000.
default: Default number of fragment status records. The default high threshold of the fragment status records is 2000 and the default low threshold of the fragment status records is 1500.

Description
Using the firewall fragments-inspect { high | low } command, you can configure the high and low thresholds of records for fragment inspection. Using the undo firewall fragments-inspect { high | low } command, you can restore the default high and low thresholds.
If the fragment inspection switch is enabled and exact match filtering is applied, the executing efficiency of the packet filtering will be slightly reduced. The more matching entries are configured, the more the efficiency is reduced. Therefore, the high and low thresholds should be set.
When the number of fragment status records reaches the high threshold, the status entries that were recorded first are deleted until the number of records is below the low threshold.
The low threshold must be no greater than the high threshold.
For the related commands, see display firewall-statistics fragments-inspect and firewall packet-filter.

Example
# Configure the high threshold for fragment packet inspection to 3000 and configure the low threshold to the default value.
[3Com] firewall fragments-inspect high 3000
[3Com] firewall fragments-inspect low default
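The threshold behaviour described above can be modelled to see how many records one sweep removes and which ones survive. This is an added example, not 3Com code: the record key (source, destination, protocol, IP identification), the stored layer-4 fields and all addresses are assumptions, and the page does not say how the router treats a later fragment whose record has been deleted.

```python
from collections import OrderedDict

REC_MIN, REC_MAX = 100, 10000            # configurable range stated above
DEFAULT_HIGH, DEFAULT_LOW = 2000, 1500   # defaults stated above


class FragmentRecordTable:
    """Toy model of the fragment status records kept for exact match."""

    def __init__(self, high=DEFAULT_HIGH, low=DEFAULT_LOW):
        # The low threshold must be no greater than the high threshold.
        if not (REC_MIN <= low <= high <= REC_MAX):
            raise ValueError("need 100 <= low <= high <= 10000")
        self.high, self.low = high, low
        self.records = OrderedDict()     # insertion order = age of record
        self.evicted = 0

    def record_first_fragment(self, key, l4_info):
        """Store the layer-4 fields that only the first fragment carries."""
        self.records[key] = l4_info
        if len(self.records) >= self.high:
            # Delete the oldest records until the count is below `low`.
            while len(self.records) >= self.low:
                self.records.popitem(last=False)
                self.evicted += 1

    def lookup(self, key):
        """Layer-4 fields for a later fragment, or None if no record is left."""
        return self.records.get(key)


def simulate(datagrams, high=DEFAULT_HIGH, low=DEFAULT_LOW):
    """Record `datagrams` constructed first fragments and summarise the table."""
    table = FragmentRecordTable(high, low)
    for ip_id in range(datagrams):
        # Constructed sample flow (documentation addresses), one record per IP ID.
        key = ("192.0.2.10", "198.51.100.20", 17, ip_id)
        table.record_first_fragment(key, {"sport": 40000, "dport": 53})
    oldest = next(iter(table.records))[3] if table.records else None
    return {"kept": len(table.records), "evicted": table.evicted,
            "oldest_id": oldest}


if __name__ == "__main__":
    for n in (1999, 2000, 2501):
        print(n, simulate(n))
    # Thresholds from the example above: high 3000, low default (1500).
    print(3000, simulate(3000, high=3000, low=DEFAULT_LOW))
```

One sweep removes high - low + 1 records, so a wide gap between the thresholds discards a large share of the state at once, while a narrow gap makes sweeps more frequent.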

firewall packet-filter

Syntax
firewall packet-filter { acl-number | acl-name } { inbound | outbound } [ match-fragments { normally | exactly } ]
undo firewall packet-filter { acl-number | acl-name } { inbound | outbound }

View
Interface view

Parameter
acl-number: Serial number of access control list rule.
acl-name: Name of ACL rule, in character string.
inbound: Filters the packet received from the interface.
outbound: Filters the packet forwarded from the interface.
normally: Normal matching mode, the default mode.
exactly: Exact matching mode.

Description
Using the firewall packet-filter command, you can apply the access control list to the corresponding interface. Using the undo firewall packet-filter command, you can delete the corresponding setting.
Interface-based ACL (namely ACL rule with sequence number from 1000 to 1999) can only use the parameter outbound.
For related commands, see acl, display acl and firewall fragments-inspect.

Example
# Apply access control list rule 101 to the "in" direction of the interface serial 1/0/0.
[3Com-Serial1/0/0] firewall packet-filter 101 inbound

reset firewall-statistics

Syntax
reset firewall-statistics { all | interface interface-name }

View
User view

Parameter
all: Clears the filtering packet statistics of all the interfaces.
interface: Clears the filtering packet statistics of a certain interface.
interface-name: Name of the interface.

Description
Using the reset firewall-statistics command, you can clear the firewall statistics.

Example
# Clear filtering packet statistics of the interface E3/1/0.
[3Com] reset firewall-statistics interface e3/1/0
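The defaults and dependencies stated in the entries above (firewall disabled, default rule permit, fragment inspection disabled, exact match effective only with fragment inspection, low threshold no greater than high, interface-based ACLs outbound only) can be checked against a configuration before it is deployed. The following audit script is an added example, not part of the 3Com documentation; the sample configuration is constructed, and it assumes the saved configuration lists commands in the same form as they are typed.

```python
DEFAULT_HIGH, DEFAULT_LOW = 2000, 1500   # defaults given in this reference
REC_MIN, REC_MAX = 100, 10000            # allowed threshold range

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
firewall enable
firewall fragments-inspect high 1200
interface Serial1/0/0
 firewall packet-filter 101 inbound match-fragments exactly
interface Ethernet0/0/0
 firewall packet-filter 102 outbound
"""


def parse(config_text):
    """Collect firewall settings, starting from the documented defaults."""
    state = {"enabled": False, "default": "permit", "inspect": False,
             "high": DEFAULT_HIGH, "low": DEFAULT_LOW, "filters": []}
    iface = None
    for raw in config_text.splitlines():
        words = raw.split()
        undo = bool(words) and words[0].lower() == "undo"
        if undo:
            words = words[1:]
        if not words:
            continue
        kw = [w.lower() for w in words]
        if kw[0] == "interface" and len(kw) > 1:
            iface = words[1]
        elif kw[:2] == ["firewall", "enable"]:
            state["enabled"] = not undo
        elif kw[:2] == ["firewall", "default"] and kw[2:] in (["permit"], ["deny"]):
            state["default"] = kw[2]
        elif kw[:2] == ["firewall", "fragments-inspect"]:
            if len(kw) == 2:                       # the switch itself
                state["inspect"] = not undo
            elif kw[2] in ("high", "low"):         # a threshold
                default = DEFAULT_HIGH if kw[2] == "high" else DEFAULT_LOW
                value = kw[3] if len(kw) > 3 else "default"
                numeric = value.isdigit() and not undo
                state[kw[2]] = int(value) if numeric else default
        elif kw[:2] == ["firewall", "packet-filter"] and len(kw) >= 4:
            # (interface, ACL, direction, exact-match requested)
            entry = (iface, words[2], kw[3], "exactly" in kw[4:])
            if undo:
                state["filters"] = [f for f in state["filters"]
                                    if f[:3] != entry[:3]]
            else:
                state["filters"].append(entry)
    return state


def audit(config_text):
    """Return a list of (code, detail) findings for the configuration."""
    s = parse(config_text)
    out = []
    if s["filters"] and not s["enabled"]:
        out.append(("FIREWALL_DISABLED",
                    "packet filters are applied but the firewall is not enabled"))
    if s["default"] == "permit":
        out.append(("DEFAULT_PERMIT",
                    "packets matching no rule pass; consider 'firewall default deny'"))
    exact = [f for f in s["filters"] if f[3]]
    if not s["inspect"]:
        for iface, acl, direction, _ in exact:
            out.append(("EXACT_WITHOUT_INSPECT",
                        f"{iface}: ACL {acl} {direction} requests exact match "
                        "but 'firewall fragments-inspect' is not enabled"))
    elif not exact:
        out.append(("INSPECT_UNUSED",
                    "fragment inspection is enabled but no filter uses exact match"))
    for name in ("high", "low"):
        if not REC_MIN <= s[name] <= REC_MAX:
            out.append(("THRESHOLD_RANGE", f"{name} threshold {s[name]} is out of range"))
    if s["low"] > s["high"]:
        out.append(("LOW_ABOVE_HIGH",
                    f"low threshold {s['low']} exceeds high threshold {s['high']}"))
    for iface, acl, direction, _ in s["filters"]:
        if acl.isdigit() and 1000 <= int(acl) <= 1999 and direction == "inbound":
            out.append(("INTERFACE_ACL_INBOUND",
                        f"{iface}: interface-based ACL {acl} can only be used outbound"))
    return out


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```

In the sample, lowering only the high threshold to 1200 leaves the default low threshold of 1500 above it, which the audit reports together with the permit default and the exact-match filter that has no fragment inspection behind it.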

Example
# Specify the ISAKMP SA duration for IKE proposal 10 as 600 seconds (10 minutes).
[3Com] ike proposal 10
[3Com-ike-proposal-10] sa duration 600

ASPF Configuration Commands
aging-time

Syntax
aging-time { syn | fin | tcp | udp } seconds
undo aging-time { syn | fin | tcp | udp } seconds

View
ASPF policy view

Parameter
seconds: Specifies the idle timeout time of SYN, FIN, TCP and UDP session entries respectively when the related packets are inspected. The default timeout time of SYN, FIN, TCP and UDP is 30s, 5s, 3600s and 30s respectively.

Description
Using the aging-time command, you can configure SYN status waiting timeout value and FIN status waiting timeout value of TCP, session entry idle timeout value of TCP and UDP. Using the undo aging-time command, you can restore the default value.
Before the aging-time expires, the system will retain the connections and the sessions that have been set up.
For related commands, see display aspf all, display aspf policy, display aspf session and display aspf interface.

Example
# Configure SYN status waiting timeout value of TCP as 20 seconds.
[3Com-aspf-policy-1] aging-time syn 20

# Configure FIN status waiting timeout value of TCP as 10 seconds.
[3Com-aspf-policy-1] aging-time fin 10

# Configure TCP idle timeout value as 3000 seconds.
[3Com-aspf-policy-1] aging-time tcp 3000

# Configure UDP idle timeout value as 110 seconds.
[3Com-aspf-policy-1] aging-time udp 110

aspf-policy

Syntax
aspf-policy aspf-policy-number
undo aspf-policy aspf-policy-number

View
System view

Parameter
aspf-policy-number: ASPF policy number, ranging from 1 to 99.

Description
Using the aspf-policy command, you can define an ASPF policy. A defined policy can be invoked through its policy number.

Example
# Define an ASPF policy and enter ASPF view.
[3Com] aspf-policy 1
[3Com-aspf-policy-1]

debugging aspf

Syntax
debugging aspf { all | verbose | events | ftp | h323 | http | rtsp | session | smtp | tcp | timer | udp }
undo debugging aspf { all | verbose | events | ftp | h323 | http | rtsp | session | smtp | tcp | timer | udp }

View
User view

Parameter
all: All ASPF debugging switches.
verbose: Detailed debugging switch.
events: Event debugging switch.
ftp: Debugging switch for FTP information detection.
h323: Debugging switch for H.323 information detection.
http: Debugging switch for HTTP information detection.
rtsp: Debugging switch for RTSP information detection.
session: Debugging switch for session information.
smtp: Debugging switch for SMTP information detection.
tcp: Debugging switch for TCP information detection.
timer: Debugging switch for timer information.
udp: Debugging switch for UDP information detection.

Description
Using the debugging aspf command, you can enable ASPF debugging function. Using the undo debugging aspf command, you can disable ASPF debugging function.
By default, ASPF debugging function is disabled.
For the related commands, see display aspf all, display aspf policy, display aspf session and display aspf interface.

Example
# Enable all ASPF debugging switches.
<3Com> debugging aspf all

detect

Syntax
detect protocol [ java-list acl-number ] [ aging-time seconds ]
undo detect protocol

View
ASPF policy view

Parameter
seconds: Configures the idle timeout time of the protocol, ranging from 10 to 43200 seconds. The default TCP-based timeout time is 3600 seconds, and the default UDP-based timeout time is 30 seconds.
java-list: Configures to block the Java Applets to specified network segment packets, valid only when the protocol is HTTP.
acl-number: Basic ACL number, ranging from 1 to 99.
protocol: Name of the protocols supported by ASPF, the value can be ftp, http, h323, smtp, rtsp, tcp and udp.

Description
Using the detect command, you can specify ASPF policy for application layer protocols. Using the undo detect command, you can cancel the configuration.
When the protocol is HTTP, Java blocking is permitted.
For related commands, see display aspf all, display aspf policy, display aspf session and display aspf interface.

Example
# Configure to specify an ASPF policy for HTTP protocol with policy number 1. At the same time, permit Java blocking and set ACL1 to make ASPF able to filter Java Applets from destination server 10.1.1.1.
[3Com] acl number 1
[3Com-acl-basic-1] rule deny source 10.1.1.1 0
[3Com-acl-basic-1] rule permit any
[3Com-acl-basic-1] quit
[3Com] aspf-policy 1
[3Com-aspf-policy-1] detect http java-list 1

display aspf all

Syntax
display aspf all

View
Any view

Parameter
None.

Description
Using the display aspf all command, you can view the information of all ASPF policies and sessions.

Example
# View the information of ASPF policy and session.
[3Com] display aspf all
[ASPF Policy 1]
Session audit trail: disabled
tcp synwait-time: 30 sec
tcp finwait-time: 5 sec
tcp idle-time: 3600 sec
udp idle-time: 30 sec
h323 timeout: 3600
tcp timeout: 33
[Interface Configuration]
Interface: Ethernet0/0/0
Inbound ASPF policy: none
Outbound ASPF policy: 1

Table 4 ASPF Configuration information

| Item | Description |
|---|---|
| Session audit trail: disabled | The session logging function is disabled. |
| tcp synwait-time | TCP connection SYN status timeout value is 30 seconds. |
| tcp finwait-time | TCP connection FIN status timeout value is 5 seconds. |
| tcp idle-time | Timeout for the idle-time of TCP session is 3600 seconds. |
| udp idle-time | Timeout for the idle-time of UDP session is 30 seconds. |
| http java-list 1 timeout | Detect the HTTP traffic and filter the Java Applets from some particular sites by using ACL 1. The HTTP timeout time is set to 3000 seconds. |
| h323 timeout | The policy inspects h323 traffic. “h323 timeout” indicates the timeout time of the h323 session entry. The timeout time of h323 is 3600 seconds. |
| tcp timeout | The policy inspects tcp traffic. The timeout time of tcp is 33 seconds. |
| Inbound ASPF policy | No ASPF policy is configured in inbound direction of the interface Ethernet0/0/0. |
| Outbound ASPF policy | ASPF policy 1 is configured in outbound direction of the interface Ethernet0/0/0. |

display aspf interface

Syntax
display aspf interface

View
Any view

Parameter
None.

Description
Using the display aspf interface command, you can view the interface configuration of the inspection policy.

Example
# View the interface configuration of the inspection policy.
<3Com> display aspf interface
[Interface Configuration]
Interface: Ethernet0/0/0
Inbound ASPF policy: none
Outbound ASPF policy: 1

Table 5 ASPF interface configuration information

| Item | Description |
|---|---|
| Inbound ASPF policy | No ASPF policy is configured in inbound direction of the interface Ethernet0/0/0. |
| Outbound ASPF policy | ASPF policy 1 is configured in outbound direction of the interface Ethernet0/0/0. |

display aspf policy

Syntax
display aspf policy aspf-policy-number

View
Any view

Parameter
aspf-policy-number: ASPF policy number, ranging from 1 to 99.

Description
Using the display aspf policy command, you can view the configuration of a specific inspection policy.

Example
# Display the configuration information of the inspection policy with policy number of 1.
[3Com] display aspf policy 1
[ASPF Policy 1]
Session audit trail: disabled
tcp synwait-time: 30 sec
tcp finwait-time: 5 sec
tcp idle-time: 3600 sec
udp idle-time: 30 sec
h323 timeout: 3600
tcp timeout: 33

display aspf session

Syntax
display aspf session [ verbose ]

View
Any view

Parameter
verbose: Displays the detailed information of the sessions.

Description
Using the display aspf session command, you can view the information of the ASPF sessions.

Example
# Display the information of current ASPF sessions.
[3Com] display aspf session
[Established Sessions]
[ Session 0xC7E5E4 ]
(192.168.0.1:2124)=>(13.1.0.5:1720) h323 H323_CALL_ACTIVE

# Display detailed information of current ASPF sessions.
[3Com] display aspf session verbose
[ Established Sessions ]
[ Session 0xC7E2B4 ]
(192.168.0.1:2125)=>(13.1.0.5:2093) h245-media-control H245_OPEN
SessNum: 229, TransProt: 6, AppProt: 21
Prev: 0x0, Next: 0x0, Child: 0xCA9EA4, Parent: 0x0
SynNode: 0x0, FinNode: 0x0
Interface: Ethernet1/0/0, Direction: outbound
Bytes/Packets sent (initiator:responder) [1339/15 : 1309/12]
Tcp SeqNum/AckNum [352115193/62885460 : 62885456/352115193]
Timeout 00:02:00(120),

Table 6 Information of current ASPF sessions

| Item | Description |
|---|---|
| TransProt: 6 | Transport layer protocol is numbered 6, which means that TCP is used. |
| AppProt: 21 | Application layer protocol uses port 21, which means that the sessions are FTP sessions. |
| Interface: Ethernet1/0/0, Direction: outbound | ASPF policy is applied in outbound direction of the interface Ethernet1/0/0. |
| Bytes/Packets sent | Bytes/Packets transmitted between the originating and responding sides of the connection. |
| Timeout 00:02:00(120) | Timeout time set for the protocol is 120 seconds. |

firewall aspf

Syntax
firewall aspf aspf-policy-number { inbound | outbound }
undo firewall aspf aspf-policy-number { inbound | outbound }

View
Interface view

Parameter
aspf-policy-number: ASPF policy number used on the interface.
inbound: Applies ASPF policy in inbound direction of the interface.
outbound: Applies ASPF policy in outbound direction of the interface.

Description
Using the firewall aspf command, you can apply ASPF policy in specified direction to an interface. Using the undo firewall aspf command, you can delete the applied ASPF policy on the interface.
There are two concepts in ASPF, inbound interface and outbound interface. If the router connects with both intranet and internet, and uses ASPF to protect the servers of intranet, the router interface connected with intranet is regarded as inbound interface and the one connected with internet is regarded as outbound interface.
When ASPF is applied on outbound interface, ASPF will refuse the access of intranet from internet users, but the returning packets of intranet users accessing internet can pass the detection of ASPF.

Example
# Configure ASPF firewall function in outbound direction of the interface ethernet1/0/0.
[3Com-Ethernet1/0/0] firewall aspf 1 outbound

log enable

Syntax
log enable
undo log enable

View
ASPF policy view

Description
Using the log enable command, you can enable ASPF session logging function. Using the undo log enable command, you can disable logging function.
By default, session logging function is disabled.
ASPF provides an enhanced session logging function which can log all connections, including connection time, source address, destination address, port in use and number of transmitted bytes.
For related commands, see display aspf all, display aspf policy, display aspf session and display aspf interface.

Example
# Enable ASPF session logging function.
[3Com-aspf-policy-1] log enable

PAM Configuration Commands

display port-mapping

Syntax
display port-mapping [ application-name | port port-number ]

View
Any view

Parameter
application-name: Specifies the name of application for PAM. Optional applications include ftp, http, h323, smtp and rtsp.
port-number: Port number in the range from 0 to 65535.

Description
Using the display port-mapping command, you can view PAM information.
For the related command, see port-mapping.

Example
# Display all PAM information.
[3Com] display port-mapping

port-mapping

Syntax
port-mapping application-name port port-number [ acl acl-number ]
undo port-mapping [ application-name port port-number [ acl acl-number ] ]

View
System view

Parameter
application-name: Specifies the name of the application for PAM. Optional applications include ftp, http, h323, smtp and rtsp.
port-number: Port number, ranging from 0 to 65535.
acl-number: Number of basic ACL, which is in the range from 1 to 99.

Description
Using the port-mapping command, you can establish a mapping from the port to application layer protocol. Using the undo port-mapping command, you can delete the PAM entry defined by the user.
PAM supports two mapping mechanisms, general port mapping and host port mapping based on basic ACL. The former establishes the mapping relation between a user-defined port number and an application protocol. For example, mapping the port 8080 to HTTP will make all the TCP packets destined to 8080 be regarded as HTTP packets. The latter maps the self-defined port number to the application protocol for the packets from some specific hosts. For example, you can map the TCP packets using the port 8080, which are destined to the hosts residing on the segment 1.1.0.0, to be HTTP packets. The range of hosts is specified by the basic ACL.
For the same port, general port mapping and host port mapping based on basic ACL cannot be configured at the same time.
For the related command, see display port-mapping.

Example
# Map port 3456 to FTP service. With this configuration, all the data flows destined to port 3456 will be regarded as FTP data flows.
[3Com] port-mapping ftp port 3456


IPSec Configuration Commands
ah authentication-algorithm

Syntax
ah authentication-algorithm { md5 | sha1 }
undo ah authentication-algorithm

View
IPSec proposal view

Parameter
md5: MD5 algorithm is adopted.
sha1: SHA1 algorithm is adopted.

Description
Using the ah authentication-algorithm command, you can set the authentication algorithm adopted by Authentication Header protocol in IPSec proposal. Using the undo ah authentication-algorithm command, you can restore the default setting.
By default, the md5 authentication algorithm is adopted by Authentication Header protocol in IPSec proposal.
An AH proposal cannot be used to encrypt, only to authenticate. The MD5 algorithm uses a 128-bit key, and SHA1 uses a 160-bit key. By comparison, MD5 is faster than SHA1, while SHA1 is more secure than MD5.
The IPSec proposals adopted by the security policy at both ends of the security tunnel must be set to use the same authentication algorithm.
The AH authentication algorithm can be configured only if the AH or AH-ESP security protocol was selected by executing the transform command.
For the related commands, see ipsec proposal, proposal, sa sip and transform.

Example
# Set IPSec proposal using AH and SHA1.
[3Com] ipsec proposal prop1
[3Com-ipsec-proposal-prop1] transform ah
[3Com-ipsec-proposal-prop1] ah authentication-algorithm sha1

debugging encrypt-card

Syntax
debugging encrypt-card { all | command | error | misc | packet | sa } [ slot-id ]
debugging encrypt-card host { all | command | error | misc | packet | sa }

View
Any view

Parameter
all: Enables all debugging on the encryption card.
command: Enables command debugging on the encryption card.
error: Enables error debugging on the encryption card.
misc: Enables other debugging on the encryption card.
packet: Enables packet debugging on the encryption card.
sa: Enables security association (SA) debugging on the encryption card.
host: Enables host debugging on the encryption card.
slot-id: Slot ID for the encryption card, whose range depends on the slot number on the router. It is in 3-dimensional format, for example, x/y/z, where x stands for slot ID on the router, y and z are fixed to 0 for the encryption card. If you do not specify a value for the parameter, the system will display the log of all encryption cards.

Description
Using the debugging encrypt-card command, you can enable debugging on the encryption card. Using the undo debugging ipsec command, you can disable debugging on the encryption card.
The command is only available on the encryption card.

Example
# Enable command debugging on the encryption card at slot 5/0/0.
[Router] debugging encrypt-card command 5/0/0

debugging ipsec

Syntax
debugging ipsec { all | sa | misc | packet [ policy policy-name [ seq-number ] | parameters ip-address protocol spi-number ] | misc }
undo debugging ipsec { all | sa | misc | packet [ policy policy-name [ seq-number ] | parameters ip-address protocol spi-number ] | misc }

View
User view

Parameter
all: Displays all debugging information.
sa: Displays debugging information of SA.
packet: Displays debugging information of IPSec packets.
policy policy-name: Displays debugging information of IPSec policy whose name is policy-name.
seq-number: Displays debugging information of IPSec policy whose sequence number is seq-number.
parameters: Displays debugging information of a SA whose remote address is ip-address, security protocol is protocol, and SPI is spi-number.
misc: Displays other debugging information of IPSec.

Description
Using the debugging ipsec command, you can turn IPSec debugging on. Using the undo debugging ipsec command, you can turn IPSec debugging off.
By default, IPSec debugging is off.

Example
# Enable IPSec SA debugging function.
<3Com> debugging ipsec sa

display encrypt-card sa

Syntax
display encrypt-card sa [ slot-id ]

View Any view Parameter
slot-id: Slot ID for the encryption card, whose range depends on the slot number on the router. It is in 3-dimentional format, for example, x/y/z, where x stands for slot ID on the router, y and z are fixed to 0 for the encryption card. If you do not specify a value for the parameter, the system will display the log of all encryption cards.

Description Using the display encrypt-card sa command, you can view SA information. The command is only available on the encryption card. These kinds of information shall be displayed: SA proposal name, local address, remote address, SA remaining key duration, schedule performance index (SPI), slot ID and other similar information. Example # Display all SA information on the encryption card at slot 5/0/0.
[Router] display encrypt-card sa 5/0/0
AH SAs
  proposal: ESP-AUTH-SHA1HMAC96
  local address: 20.0.0.2
  remote address: 20.0.0.1
  sa remaining key duration (bytes/sec): 1887435992/2401
  spi: 1081108020 (0x40706634)
  Uses Encrypt5/0

ESP SAs
  proposal: ESP-ENCRYPT-3DES
  proposal: ESP-AUTH-SHA1HMAC96
  local address: 20.0.0.2
  remote address: 20.0.0.1
  sa remaining key duration (bytes/sec): 1887436136/2401
  spi: 891512401 (0x35236651)
  Uses Encrypt5/0/0

ESP SAs
  proposal: ESP-ENCRYPT-3DES
  proposal: ESP-AUTH-SHA1HMAC96
  local address: 20.0.0.1
  remote address: 20.0.0.2
  sa remaining key duration (bytes/sec): 1887436532/2401
  spi: 3024247997 (0xb4425cbd)
  Uses Encrypt5/0/0

AH SAs
  proposal: ESP-AUTH-SHA1HMAC96
  local address: 20.0.0.1
  remote address: 20.0.0.2
  sa remaining key duration (bytes/sec): 1887436464/2401
  spi: 2937733563 (0xaf1a41bb)
  Uses Encrypt5/0/0

display encrypt-card statistics

Syntax
display encrypt-card statistics [ slot-id ]

View
Any view

Parameter
slot-id: Slot ID for the encryption card, whose range depends on the slot number on the router. It is in 3-dimensional format, for example, x/y/z, where x stands for slot ID on the router, y and z are fixed to 0 for the encryption card. If you do not specify a value for the parameter, the system will display the log of all encryption cards.

Description
Using the display encrypt-card statistics command, you can view statistics on the encryption cards. The command is only available on the encryption card.
The statistics include the processing information of ESP/AH packets on the encryption card. More details are displayed in the following example.
If the slot ID you type in is greater than the available slot number on the router, the error message "Invalid encrypt-card slot-id" is displayed.
For the related command, see reset encrypt-card statistic.

Example
# Display the statistics on the encryption card at slot 5/0/0.
[Router] display encrypt-card statistics 5/0/0
Encrypt5/0/0 security packets statistics :
  input/output security packets: 8/4
  input/output security bytes: 1472/604
  dropped security packet detail:
    no enough memory: 0
    can't find SA: 0
    queue is full: 0
    authentication is failed: 0
    wrong length: 0
    replay packet: 0
    too long packet: 0
    wrong SA: 0
    invalid proposal: 0
    invalid protocol: 0
    buffer error: 0
    wrap error: 0
    crypto error: 0
    pad error: 0

display encrypt-card syslog

Syntax
display encrypt-card syslog [ slot-id ]

View
Any view

Parameter
slot-id: Slot ID for the encryption card, whose range depends on the slot number on the router. It is in 3-dimensional format, for example, x/y/z, where x stands for slot ID on the router, y and z are fixed to 0 for the encryption card. If you do not specify a value for the parameter, the system will display the log of all encryption cards.

Description
Using the display encrypt-card syslog command, you can view the current system log on the encryption cards. The command is only available on the encryption card.
If the slot ID you type in is greater than the available slot number on the router, the error message "Invalid encrypt-card slot-id" is displayed.
For the related command, see encrypt-card set syslog.

Example
# Display the system log on the encryption card at slot 5/0/0.
[Router] display encrypt-card syslog 5/0/0
Date: 2004-03-27, Time: 11:45  Encrypt5/0/0 : receive time config cmd.
Date: 2004-03-27, Time: 11:50  Encrypt5/0/0 : receive add tdb cmd.
Date: 2004-03-27, Time: 11:50  Encrypt5/0/0 : receive add tdb cmd.
Date: 2004-03-27, Time: 11:50  Encrypt5/0/0 : receive link tdb cmd.
Date: 2004-03-27, Time: 11:50  Encrypt5/0/0 : receive add tdb cmd.
Date: 2004-03-27, Time: 11:50  Encrypt5/0/0 : receive add tdb cmd.
Date: 2004-03-27, Time: 11:50  Encrypt5/0/0 : receive link tdb cmd.

display interface encrypt

Syntax
display interface encrypt [ slot-id ]

View
Any view

Parameter
slot-id: Slot ID for the encryption card, whose range depends on the slot number on the router. It is in 3-dimensional format, for example, x/y/z, where x stands for slot ID on the router, y and z are fixed to 0 for the encryption card. If you do not specify a value for the parameter, the system will display the log of all encryption cards.

Description
Using the display interface encrypt command, you can view the information about the ports on the encryption cards. The command is only available on the encryption card.
With this command, you can view the status of the encryption card, the total number of packets transmitted or received on it, the maximum number of packets dropped per second, and the information for the last five seconds.
For the related command, see interface encrypt.

Example
# Display the port information on the encryption card at slot 5/0/0.
[Router] display interface Encrypt 5/0/0
Description : Encrypt5/0/0 Interface
Protocol Status: READY
Driver Status  : READY

Total Statistics
  Packets sent to card       : 10
  Packets received from card : 9
  Bytes sent to card         : 1216
  Bytes received from card   : 584
  Dropped packets            : 0
Statistics during last 5 seconds
  Packets sent to card       : 0
  Packets received from card : 0
  Bytes sent to card         : 0
  Bytes received from card   : 0
  Dropped packets            : 0

display ipsec policy

Syntax
display ipsec policy [ brief | name policy-name [ seq-number ] ]

View
Any view

Parameter
brief: Displays brief information about all the ipsec policies.
name: Displays information of the ipsec policy with the name policy-name and sequence number seq-number.
policy-name: Name of an ipsec policy.
seq-number: Sequence number of an ipsec policy.
If no argument has been specified, the details of all the IPSec policies will be displayed. If name policy-name has been specified but seq-number has not, the information of the specified IPSec policy group will be listed.

Description
Using the display ipsec policy command, you can view information about the ipsec policy.
The brief keyword displays brief information about all the ipsec policies in the brief format (see the following example), and can be used to list all the ipsec policies quickly. Brief information includes the name and sequence number, negotiation mode, access control list, proposal, local address, and remote address.
The other keywords display the detailed information about the ipsec policy in the detailed format (see the following example).
For the related commands, see ipsec policy (system view).

Example
# View brief information about all the ipsec policies.
<3Com> display ipsec policy brief
Ipsec-policy-Name   Mode     acl   Local Address   Remote Address
policy1-100         manual   100   150.1.1.2       150.1.1.1
test-300            isakmp   120                   202.38.160.66

Table 7 Brief Information of IPSec Policy
Item                Description
Ipsec-policy-Name   name and sequence number of an ipsec policy
Mode                negotiation method used by an ipsec policy
acl                 access control list used by an ipsec policy
Local Address       local IP address
Remote Address      remote IP address

# View information about all the ipsec policies.
[3Com] display ipsec policy
===========================================
IPsec Policy Group: "policy_isakmp"
Using interface: {Ethernet1/0/0}
===========================================
-------------------------------------------
IPsec policy name: "policy_isakmp"
sequence number: 10
mode: isakmp
-------------------------------------------
security data flow : 100
tunnel remote address: 162.105.10.2
PFS (Y/N): N
proposal name: prop1
ipsec sa local duration(time based): 3600 seconds
ipsec sa local duration(traffic based): 1843200 kilobytes
===========================================
IPsec Policy Group: "policy_man"
Using interface: {Ethernet1/0/1}
===========================================
-----------------------------------------
IPsec policy name: "policy_man"
sequence number: 10
mode: manual
-----------------------------------------
security data flow : 100
tunnel local address: 162.105.10.1
tunnel remote address: 162.105.10.2
proposal name: prop1
inbound ah setting:
  ah spi: 12345 (0x3039)
  ah string-key:
  ah authentication hex key : 1234567890123456789012345678901234567890
inbound esp setting:
  esp spi: 23456 (0x5ba0)
  esp string-key:
  esp encryption hex key: 1234567890abcdef1234567890abcdef1234567812345678
  esp authentication hex key: 1234567890abcdef1234567890abcdef
outbound ah setting:
  ah spi: 54321 (0xd431)
  ah string-key:
  ah authtication hex key: 1122334455667788990011223344556677889900
outbound esp setting:
  esp spi: 65432 (0xff98)
  esp string-key:
  esp encryption hex key: 11223344556677889900aabbccddeeff1234567812345678
  esp authentication hex key: 11223344556677889900aabbccddeeff

Table 8 Detailed Information of IPSec Policy
Item                              Description
ipsec policy                      name, sequence number and negotiation method of an ipsec policy
security data flow                access control list used by an ipsec policy
proposal name                     name of the proposal used by an ipsec policy
inbound/outbound ah/esp setting   settings of inbound/outbound ends using AH/ESP, including SPI and key
tunnel Local Address              local IP address
tunnel Remote Address             remote IP address
PFS (Y/N)                         Whether using PFS (Perfect Forward Security) or not

display ipsec policy-template

Syntax
display ipsec policy-template [ brief | name template-name [ seq-number ] ]

View
Any view

Parameter
brief: Displays brief information about all the ipsec policy templates.
name: Displays information of the ipsec policy template with the name template-name and sequence number seq-number.
template-name: Name of an ipsec policy template.
seq-number: Sequence number of an ipsec policy template. If seq-number is not specified, the information about all the ipsec policy templates named template-name is shown.
If no parameter is specified, the detailed information about all the ipsec policy templates will be displayed. If name template-name has been specified but seq-number has not, the information of the specified IPSec policy template group will be listed.

Description
Using the display ipsec policy-template command, you can view information about the ipsec policy template.
The brief parameter shows brief information about all the ipsec policy templates in the brief format (see the following example). It can be used to list all the ipsec policy templates quickly. Brief information includes the template name and sequence number, access control list, and remote address.
Any of the sub-commands can be used to display detailed information of the IPSec policy template.
For the related commands, see ipsec policy-template.

Example
# View brief information about all the ipsec policy templates.
[3Com] display ipsec policy-template brief
Policy-template-Name   acl   Remote-Address
------------------------------------------------------
test-tplt300           120

Table 9 Brief Information of IPSec Policy Template
Item                   Description
Policy-template-Name   name, sequence number of an ipsec policy template
acl                    access control list used by an ipsec policy template
Remote Address         remote IP address

display ipsec proposal

Syntax
display ipsec proposal [ proposal-name ]

View
Any view

Parameter
proposal-name: Name of the proposal.

Description
Using the display ipsec proposal command, you can view information about the proposal.
If the name of the proposal is not specified, information about all the proposals will be shown.
For the related commands, see ipsec proposal, display ipsec sa and display ipsec policy.

Example
# View all the proposals.
[3Com] display ipsec proposal
Ipsec proposal name: prop2
  encapsulation mode: tunnel
  transform: ah-new
  ah protocol: authentication-algorithm sha1-hmac-96
Ipsec proposal name: prop1
  encapsulation mode: transport
  transform: esp-new
  esp protocol: authentication-algorithm md5-hmac96, encryption des

Table 10 IPSec Proposal Information
Item                  Description
Ipsec proposal name   name of the proposal
encapsulation mode    modes used by proposal, including two types: transport mode and tunnel mode
transform             security protocols used by proposal, including two types: AH and ESP
ah protocol           the authentication-algorithm used by AH: md5 | sha1
esp protocol          the authentication-algorithm and encryption method used by ESP respectively: MD5 and DES

display ipsec sa

Syntax
display ipsec sa [ brief | remote ip-address | policy policy-name [ seq-number ] | duration ]

View
Any view

Parameter
brief: Displays brief information about all the SAs.
remote: Displays information about the SA with remote address as ip-address.
ip-address: Specifies the remote address in dotted decimal format.
policy: Displays information about the SA created by the ipsec policy whose name is policy-name.
policy-name: Specifies the name of the ipsec policy.
seq-number: Specifies the sequence number of the ipsec policy.
duration: Global sa duration to be shown.

Description
Using the display ipsec sa command, you can view the relevant information about the SA.
The command with the brief parameter shows brief information about all the SAs in the brief format (see the following example). Brief information includes source address, destination address, SPI, protocol, and algorithm. A display beginning with "E" in the algorithm stands for the encryption algorithm, and a display beginning with "A" stands for the authentication algorithm. The brief command can be used to quickly display all the SAs already set up.
The commands with the remote and policy parameters both display the detailed information about the SA. Part of the information about the ipsec policy is shown first, followed by the detailed information of the SA in this ipsec policy.
The command with the duration parameter shows the global sa duration, including "time-based" and "traffic-based" sa duration. Refer to the following examples.
Information of all the SAs will be shown when no parameter is specified.
For the related commands, see reset ipsec sa, ipsec sa duration, display ipsec sa and display ipsec policy.

Example
# View brief information about all the SAs.
<3Com> display ipsec sa brief
Src Address   Dst Address   SPI   Protocol   Algorithm
10.1.1.1      10.1.1.2      300   ESP        E:DES; A:HMAC-MD5-96
10.1.1.2      10.1.1.1      400   ESP        E:DES; A:HMAC-MD5-96

Table 11 Brief Information of IPSec SA
Item          Description
Src Address   Local IP address
Dst Address   Remote IP address
SPI           security parameter index
Protocol      security protocol used by IPSec
Algorithm     The authentication algorithm and encryption algorithm used by the security protocol. A display beginning with "E" in the algorithm stands for the encryption algorithm, and a display beginning with "A" stands for the authentication algorithm.

# View the global duration of SA.
[3Com] display ipsec sa duration
ipsec sa global duration (traffic based): 1843200 kilobytes
ipsec sa global duration (time based): 3600 seconds

# View information of all the SAs.
[3Com] display ipsec sa
===============================
Interface: Ethernet1/0/0
path MTU: 1500
===============================
----------------------------------
IPsec policy name: "policy_isakmp"
sequence number: 10
mode: isakmp
----------------------------------
connection id: 4
in use settings = {tunnel}
tunnel local : 162.105.10.1
tunnel remote : 162.105.10.2
[inbound ah SAs]
  spi: 3752719292 (0xdfadf3bc)
  transform: AH-SHA1HMAC96
  sa remaining key duration (bytes/sec): (1887436384/3594)
  max received sequence-number: 4
[inbound esp SAs]
  spi: 74180629 (0x46be815)
  transform: ESP-ENCRYPT-3DES ESP-AUTH-MD5
  sa remaining key duration (bytes/sec): (1887436528/3594)
  max received sequence-number: 4
[outbound esp SAs]
  spi: 1394075637 (0x5317e7f5)
  transform: ESP-ENCRYPT-3DES ESP-AUTH-MD5
  sa remaining key duration (bytes/sec): (1887436464/3594)
  max sent sequence-number: 5
[outbound ah SAs]
  spi: 2132905296 (0x7f218d50)
  transform: AH-SHA1HMAC96
  sa remaining key duration (bytes/sec): (1887436336/3594)
  max sent sequence-number: 5

Table 12 Detailed Information of IPSec SA
Item                           Description
Interface                      Interface using ipsec policy
path MTU                       Maximum IP packet length sent from the interface
ipsec policy                   ipsec policy used, including name, sequence number and negotiation method
connection id                  security channel identifier
in use settings                IPSec mode, including two types: transport mode and tunnel mode
tunnel local                   local IP address
tunnel remote                  remote IP address
inbound                        SA information of the inbound end
transform                      proposal used by the ipsec policy
sa remaining key duration      remaining duration of the SA
max received sequence-number   maximum sequence number of the received packets (the anti-replay function provided by the security protocol)
outbound                       SA information of the outbound end
max sent sequence-number       maximum sequence number of the sent packets (the anti-replay function provided by the security protocol)

display ipsec statistics

Syntax
display ipsec statistics

View
Any view

Parameter
none

Description
Using the display ipsec statistics command, you can view the IPSec packet statistics, including the input and output security packet counts, byte counts, the number of packets discarded and a detailed breakdown of the discarded packets.
For the related command, see reset ipsec statistics.

Example
# View IPSec packet statistics.
<3Com> display ipsec statistics
the security packet statistics:
  input/output security packets: 5124/8231
  input/output security bytes: 52348/64356
  input/output dropped security packets: 0/0
  dropped security packet detail:
    no enough memory: 0
    can't find SA: 0
    queue is full: 0
    authen failed: 0
    invalid length: 0
    replay packet: 0
    too long packet: 0
    invalid SA: 0

Table 13 IPSec Packet Statistics
Item                                     Description
input/output security packets            input/output packets under the security protection
input/output security bytes              input/output bytes under the security protection
input/output discarded security packets  input/output packets under the security protection discarded by the router
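The drop breakdown is most useful when two readings are compared. The following Python sketch is an added example, not part of the original manual: it parses two captures of display ipsec statistics and reports which drop counters rose in between. BEFORE reuses the counters from the example above; AFTER, the hint texts and all function names are constructed for illustration.

```python
import re

# BEFORE: the counters from the manual's example. AFTER: a constructed later reading.
BEFORE = """\
the security packet statistics:
  input/output security packets: 5124/8231
  input/output security bytes: 52348/64356
  input/output dropped security packets: 0/0
  dropped security packet detail:
    no enough memory: 0
    can't find SA: 0
    queue is full: 0
    authen failed: 0
    invalid length: 0
    replay packet: 0
    too long packet: 0
    invalid SA: 0
"""
AFTER = BEFORE.replace("5124/8231", "5300/8400") \
              .replace("dropped security packets: 0/0", "dropped security packets: 7/0") \
              .replace("authen failed: 0", "authen failed: 4") \
              .replace("replay packet: 0", "replay packet: 3")

COUNTER = re.compile(r"^\s*(?P<name>[^:]+?):\s*(?P<value>\d+(?:/\d+)?)\s*$")

# Drop reasons worth an alert, with a short hint for the operator (hints are ours).
WATCHED = {
    "authen failed": "integrity check failed (key mismatch or modified packet)",
    "replay packet": "anti-replay check rejected a sequence number",
    "can't find SA": "protected packet arrived with no matching SA",
}


def parse_statistics(text):
    """Return {counter name: int} or {name: (input, output)} for 'a/b' values."""
    counters = {}
    for line in text.splitlines():
        match = COUNTER.match(line)
        if not match:            # section titles carry no value and are skipped
            continue
        name, value = match["name"].strip(), match["value"]
        if "/" in value:
            counters[name] = tuple(int(v) for v in value.split("/"))
        else:
            counters[name] = int(value)
    return counters


def drop_deltas(before, after):
    """Increase of every single-valued counter between two parsed readings."""
    deltas = {}
    for name, new in after.items():
        if isinstance(new, tuple):
            continue
        old = before.get(name, 0)
        # A smaller value means the counters were cleared in between
        # (reset ipsec statistics), so the new value is the whole increase.
        delta = new - old if new >= old else new
        if delta > 0:
            deltas[name] = delta
    return deltas


def alerts(before_text, after_text):
    """Human-readable alert lines for the watched drop reasons."""
    deltas = drop_deltas(parse_statistics(before_text), parse_statistics(after_text))
    return [f"{name} +{count}: {WATCHED[name]}"
            for name, count in deltas.items() if name in WATCHED]


if __name__ == "__main__":
    for line in alerts(BEFORE, AFTER):
        print(line)
```
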

encapsulation-mode

Syntax
encapsulation-mode { transport | tunnel }
undo encapsulation-mode

View
IPSec proposal view

Parameter
transport: Sets the encapsulation mode of IP packets to transport mode.
tunnel: Sets the encapsulation mode of IP packets to tunnel mode.

Description
Using the encapsulation-mode command, you can set the encapsulation mode that the security protocol applies to IP packets, which can be transport or tunnel. Using the undo encapsulation-mode command, you can restore it to the default.
By default, tunnel mode is used.
There are two encapsulation modes where IPSec is used to encrypt and authenticate IP packets: transport mode and tunnel mode. In transport mode, IPSec does not encapsulate a new header into the IP packet. The two ends of the security tunnel are the source and destination of the original packets. In tunnel mode, IPSec protects the whole IP packet, and adds a new IP header in front of the IP packet. The source and destination addresses of the new IP header are the IP addresses of the two ends of the tunnel.
Generally, the tunnel mode is used between two security gateways (routers). A packet encrypted in a security gateway can only be decrypted in another security gateway. So an IP packet needs to be encrypted in tunnel mode, that is, a new IP header is added; the IP packet encapsulated in tunnel mode is sent to another security gateway before it is decrypted.
The transport mode is suitable for communication between two hosts, or for communication between a host and a security gateway (like the network management communication between the gateway workstation and a router). In transport mode, the two devices responsible for encrypting and decrypting packets must be the original sender and receiver of the packet. Most of the data traffic between two security gateways does not originate from the security gateways themselves, so the transport mode is not often used between security gateways.
The proposals used by the ipsec policies set at both ends of the security tunnel must use the same packet encapsulation mode.
For the related commands, see ah authentication-algorithm, ipsec proposal, esp encryption-algorithm, esp authentication-algorithm, proposal and transform.

Example
# Set the proposal whose name is prop2 as using the transport mode to encapsulate IP packets.
[3Com] ipsec proposal prop2
[3Com-ipsec-proposal-prop2] encapsulation-mode transport

encrypt-card backuped

Syntax
encrypt-card backuped
undo encrypt-card backuped

View
Any view

Parameter
None

Description
Using the encrypt-card backuped command, you can enable the backup function for the encryption card. Using the undo encrypt-card backuped command, you can disable the backup function for the encryption card.
This command is only available on the encryption card.
For an IPSec SA implemented by the encryption card, IPSec is processed by the card as long as the card is working normally. If the card fails, the backup function is enabled, and the encryption/authentication algorithms selected for the SA are supported by the IPSec module on the VRP platform, IPSec is implemented by the IPSec module on the VRP platform. If the selected algorithms are not supported by the IPSec module, the system drops packets.

Example
# Enable backup function for the encryption card.
[Router] encrypt-card backuped

esp authentication-algorithm

Syntax
esp authentication-algorithm { md5 | sha1 }
undo esp authentication-algorithm

View
IPSec proposal configuration view

Parameter
md5: Uses the MD5 algorithm, with a key length of 128 bits.
sha1: Uses the SHA1 algorithm, with a key length of 160 bits.

Description
Using the esp authentication-algorithm command, you can set the authentication algorithm used by ESP. Using the undo esp authentication-algorithm command, you can set ESP not to authenticate packets.
By default, the MD5 algorithm is used.
MD5 is faster than SHA1, while SHA1 is more secure than MD5.
ESP permits a packet to be encrypted or authenticated or both. The encryption and authentication algorithms used by ESP cannot both be set to vacant at the same time.
The undo esp authentication-algorithm command does not restore the authentication algorithm to the default; instead it sets the authentication algorithm to vacant, that is, no authentication. The undo esp authentication-algorithm command is valid only when the encryption algorithm is not vacant.
The proposals used by the ipsec policies set at both ends of the security tunnel must use the same authentication algorithm.
For the related commands, see ipsec proposal, esp encryption-algorithm, proposal, sa encryption-hex and transform.

Example
# Set a proposal that adopts ESP, and uses SHA1.
[3Com] ipsec proposal prop1
[3Com-ipsec-proposal-prop1] transform esp
[3Com-ipsec-proposal-prop1] esp authentication-algorithm sha1

esp encryption-algorithm

Syntax
esp encryption-algorithm { 3des | des }
undo esp encryption-algorithm

View
IPSec proposal view

Parameter
des: Data Encryption Standard (DES), a universal encryption algorithm with a key length of 56 bits.
3des: 3DES (Triple DES), another universal encryption algorithm with a key length of 168 bits.

Description
Using the esp encryption-algorithm command, you can set the encryption algorithm adopted by ESP. Using the undo esp encryption-algorithm command, you can set ESP not to encrypt packets.
By default, the DES algorithm is used.
3des can meet the requirement of high confidentiality and security, but it is comparatively slow. DES can satisfy the normal security requirements.
ESP permits a packet to be encrypted or authenticated or both. The encryption and authentication methods used by ESP cannot both be set to a vacant value at the same time. The undo esp encryption-algorithm command can take effect only if the authentication algorithm is not null.
For the related commands, see ipsec proposal, esp authentication-algorithm, proposal, sa encryption-hex and transform.

Example
# Set ESP to use 3des.
[3Com] ipsec proposal prop1
[3Com-ipsec-proposal-prop1] transform esp
[3Com-ipsec-proposal-prop1] esp encryption-algorithm 3des
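Because both esp authentication-algorithm and esp encryption-algorithm default to the weaker choice (MD5 and DES), it is worth checking what each proposal actually uses. The following Python sketch is an added example, not part of the original manual: it parses display ipsec proposal output and lists, per proposal, the use of DES, MD5, AH without encryption, or ESP with a vacant algorithm. The prop2 and prop1 entries reuse the fields of the manual's display ipsec proposal example; prop3, the one-field-per-line layout and all function names are assumptions.

```python
# SAMPLE is constructed: prop2 and prop1 carry the fields shown in the manual's
# `display ipsec proposal` example; prop3 and the spelling of its values are
# assumptions modelled on those lines.
SAMPLE = """\
Ipsec proposal name: prop2
  encapsulation mode: tunnel
  transform: ah-new
  ah protocol: authentication-algorithm sha1-hmac-96
Ipsec proposal name: prop1
  encapsulation mode: transport
  transform: esp-new
  esp protocol: authentication-algorithm md5-hmac96, encryption des
Ipsec proposal name: prop3
  encapsulation mode: tunnel
  transform: esp-new
  esp protocol: authentication-algorithm sha1-hmac-96, encryption 3des
"""


def parse_proposals(text):
    """Split the display output into one dict of fields per proposal."""
    proposals, current = [], None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "ipsec proposal name":
            current = {"name": value}
            proposals.append(current)
        elif current is not None:
            current[key] = value
    return proposals


def protocol_fields(value):
    """'authentication-algorithm md5-hmac96, encryption des' -> dict of both."""
    fields = {}
    for item in value.split(","):
        parts = item.split()
        if len(parts) == 2:
            fields[parts[0].lower()] = parts[1].lower()
    return fields


def audit(proposal):
    """Return the weaknesses found in one parsed proposal (empty list if none)."""
    findings = []
    transform = proposal.get("transform", "").lower()
    ah = protocol_fields(proposal.get("ah protocol", ""))
    esp = protocol_fields(proposal.get("esp protocol", ""))
    if "esp" not in transform:
        findings.append("AH only: traffic is authenticated but not encrypted")
    else:
        encryption = esp.get("encryption")
        if encryption is None:
            # Assumption: a vacant algorithm is simply absent from the line.
            findings.append("ESP without encryption")
        elif encryption == "des":
            findings.append("ESP encryption is DES (56-bit key)")
        if "authentication-algorithm" not in esp and not ah:
            findings.append("ESP without authentication")
    for protocol, fields in (("AH", ah), ("ESP", esp)):
        if fields.get("authentication-algorithm", "").startswith("md5"):
            findings.append(f"{protocol} authentication is MD5")
    return findings


def audit_output(text):
    """Map proposal name -> findings for every proposal in the output."""
    return {p["name"]: audit(p) for p in parse_proposals(text)}


if __name__ == "__main__":
    for name, findings in audit_output(SAMPLE).items():
        print(name, "->", "; ".join(findings) or "ok")
```
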

interface encrypt

Syntax
interface encrypt [ slot-id ]

View
System view

Parameter
slot-id: Slot ID for the encryption card, whose range depends on the slot number on the router. It is in 3-dimensional format, for example, x/y/z, where x stands for slot ID on the router, y and z are fixed to 0 for the encryption card.

Description
Using the interface encrypt command, you can enter encryption card interface mode.
This command is only available on the encryption card.
In encryption card interface mode, you can only use the shutdown and undo shutdown commands, to shut down the encryption card or bring it up, respectively.

Example
# Enter the interface mode of the encryption card at slot 5/0/0.
[Router] interface encrypt 5/0/0
[Router-Encrypt5/0/0]

ipsec card-proposal

Syntax
ipsec card-proposal proposal-name
undo ipsec card-proposal proposal-name

View
System view

Parameter
proposal-name: Name of the SA proposal view, a string of less than 32 characters. It is case-sensitive.

Description
Using the ipsec card-proposal command, you can create an SA proposal for the encryption card and enter the corresponding view. Using the undo ipsec card-proposal command, you can delete an SA proposal of the encryption card.
This command enters encryption card SA proposal view, in which encryption, decryption and authentication are implemented on the encryption card. The host software is also compatible with host proposal view (the ipsec proposal command), in which encryption, decryption and authentication are implemented by the host.
In encryption card SA proposal view, you can also specify the slot ID of the encryption card for the SA proposal with the use encrypt-card command, while the other configurations are identical to those of the ipsec proposal command.
After completing SA proposal configuration, you need to return to system view using the quit command, so that you can initiate other configuration.

Example
# Create the SA proposal "card" using the encryption card at slot 5/0/0, and configure the security and encryption algorithms.
[Router] ipsec card-proposal card
[Router-ipsec-card-proposal] use encrypt-card 5/0/0
[Router-ipsec-card-proposal-card] transform ah-esp
[Router-ipsec-card-proposal-card] ah authentication-algorithm sha1
[Router-ipsec-card-proposal-card] esp authentication-algorithm sha1
[Router-ipsec-card-proposal-card] esp encryption-algorithm 3des
[Router-ipsec-card-proposal-card] quit
[Router]

ipsec policy(interface view)

Syntax
ipsec policy policy-name
undo ipsec policy

View
Interface view

Parameter
policy-name: Specifies the name of an ipsec policy group applied at the interface. The ipsec policy group with name policy-name should be configured in system view.

Description
Using the ipsec policy (interface view) command, you can apply an ipsec policy group with the name policy-name at the interface. Using the undo ipsec policy (interface view) command, you can cancel the ipsec policy group so as to disable the IPSec function of the interface.
Only one ipsec policy group can be applied at an interface. An ipsec policy group can be applied at multiple interfaces.
When a packet is sent from an interface, the ipsec policies in the ipsec policy group are searched by sequence number in ascending order. If the packet matches the access control list used by an ipsec policy, that ipsec policy is used to process the packet; otherwise the search continues with the next ipsec policy. If the packet does not match any of the access control lists used by the ipsec policies, it is transmitted directly (that is, IPSec will not protect the packet). To prevent any unencrypted packet from being transmitted from the interface, it is necessary to use the firewall together with IPSec; the firewall drops all the packets that do not need to be encrypted.
For the related command, see ipsec policy (system view).

Example
# Apply an ipsec policy whose name is policy1 to interface Serial 4/1/2.
[3Com] interface serial 4/1/2
[3Com-Serial4/1/2] ipsec policy policy1
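The lookup described above decides which traffic silently leaves the interface unprotected. The following Python sketch is an added example, not part of the original manual and not router code: it models the ascending sequence-number search and shows the effect of the firewall backstop. The policy group contents, addresses, proposal names and the simplification of each ACL to one source/destination network pair are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    seq: int        # sequence number within the policy group
    src: str        # source network permitted by the policy's ACL (simplified)
    dst: str        # destination network permitted by the policy's ACL
    proposal: str   # proposal the policy references

    def matches(self, src_ip, dst_ip):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


# Constructed policy group "policy1"; deliberately listed out of order.
POLICY1 = [
    Policy(30, "10.1.0.0/16", "10.2.0.0/16", "prop-wide"),
    Policy(10, "10.1.1.0/24", "10.2.1.0/24", "prop-finance"),
]
# Remote networks that must never be reached in cleartext (constructed).
PROTECTED = ["10.2.0.0/16"]
# Constructed outbound flows: (source address, destination address).
FLOWS = [
    ("10.1.1.5", "10.2.1.9"),      # matches seq 10 and seq 30; seq 10 wins
    ("10.1.7.7", "10.2.3.4"),      # matches seq 30 only
    ("10.9.0.4", "10.2.1.9"),      # new subnet nobody added to an ACL
    ("10.1.1.5", "198.51.100.7"),  # ordinary traffic, not meant for IPSec
]


def select_policy(group, src_ip, dst_ip):
    """First policy, by ascending sequence number, whose ACL matches."""
    for policy in sorted(group, key=lambda p: p.seq):
        if policy.matches(src_ip, dst_ip):
            return policy
    return None


def verdict(group, src_ip, dst_ip, protected=PROTECTED, firewall_backstop=False):
    """What happens to one outbound packet on the interface.

    firewall_backstop=True models a firewall rule that drops traffic to the
    protected networks when no ipsec policy picked the packet up.
    """
    policy = select_policy(group, src_ip, dst_ip)
    if policy is not None:
        return f"ipsec seq {policy.seq} ({policy.proposal})"
    sensitive = any(ip_address(dst_ip) in ip_network(net) for net in protected)
    if not sensitive:
        return "cleartext"
    return "dropped by firewall" if firewall_backstop else "cleartext leak"


def leaks(group, flows, protected=PROTECTED):
    """Flows to protected networks that would be sent without IPSec."""
    return [flow for flow in flows
            if verdict(group, *flow, protected=protected) == "cleartext leak"]


if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", verdict(POLICY1, *flow),
              "| with firewall:", verdict(POLICY1, *flow, firewall_backstop=True))
```
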

ipsec policy (system view)

Syntax
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]
undo ipsec policy policy-name [ seq-number ]

View
System view

Parameter
policy-name: Name of the ipsec policy. The naming rule is: the length of the name is 1 to 15 characters, the name is case insensitive, and the characters can be English characters or numbers but cannot include “-”.
seq-number: Sequence number of the ipsec policy, ranging from 1 to 10000, with a lower value indicating higher priority.
manual: Sets up SA manually.
isakmp: Sets up SA through IKE negotiation.
template: Dynamically sets up SA by using a policy template. The policy-name discussed here will reference template-name, which is the name of a policy template that has already been created.
template-name: Name of the template.

Description
Using the ipsec policy command, you can establish or modify an ipsec policy, and enter ipsec policy view. Using the undo ipsec policy policy-name command, you can delete an ipsec policy group whose name is policy-name. Using the undo ipsec policy policy-name seq-number command, you can delete an ipsec policy whose name is policy-name and sequence number is seq-number.
By default, no ipsec policy exists.
To establish an ipsec policy, it is necessary to specify the negotiation mode (manual or isakmp). To modify the ipsec policy, it is not necessary to specify a negotiation mode. Once the ipsec policy is established, its negotiation mode cannot be modified. For example, if an ipsec policy is established in manual mode it cannot be changed to isakmp mode; this ipsec policy must be deleted and then recreated, if appropriate, with the negotiation mode being isakmp.
Ipsec policies with the same name constitute an ipsec policy group. The name and sequence number are used together to define a unique ipsec policy. In an ipsec policy group, at most 100 ipsec policies can be set. The smaller the sequence number of an ipsec policy, the higher its preference. Applying an ipsec policy group at an interface means applying all ipsec policies in the group simultaneously, so that different data streams can be protected by different SAs.
Using the ipsec policy policy-name seq-number isakmp template template-name command, you can establish an ipsec policy according to the template through IKE negotiation. Before using this command, the template should have been created. During the negotiation and policy matching, the parameters defined in the template must be complied with; the other parameters are decided by the initiator. The proposal must be defined in the policy template; other parameters are optional.
Note that IKE will not use a policy with a template argument to initiate a negotiation. Rather, it uses such a policy to respond to the negotiation initiated by its peer.
For the related commands, see ipsec policy (interface view), security acl, tunnel local, tunnel remote, sa duration, proposal, display ipsec policy, ipsec policy-template, and ike-peer.

Example
# Set an ipsec policy whose name is newpolicy1, sequence number is 100, and negotiation mode is isakmp.
[3Com] ipsec policy newpolicy1 100 isakmp
[3Com-ipsec-policy-isakmp-newpolicy1-100]

ipsec policy-template

Syntax
ipsec policy-template policy-name seq-number
undo ipsec policy-template policy-name [ seq-number ]

View
System view

Parameter
policy-name: Name of the ipsec policy. The name is 1 to 15 bytes long and case insensitive; it can contain English characters or numbers and cannot include “-”.
seq-number: Serial number of the ipsec policy, ranging 1 to 10000. In one ipsec policy group, the smaller the serial number of the ipsec policy, the higher the preference.

Description
Using the ipsec policy-template command, you can establish or modify an ipsec policy template, and enter ipsec policy view. Using the undo ipsec policy-template policy-name command, you can delete the ipsec policy group named policy-name. Using the undo ipsec policy-template policy-name seq-number command, you can delete an ipsec policy with the name policy-name and the serial number seq-number.
By default, no ipsec policy template exists.
A policy template that has been created with the name template-name can be referenced by the ipsec policy policy-name seq-number isakmp template template-name command to create an IPSec policy.
The IPSec policy template and the security policy of IPSec ISAKMP negotiation share the same kinds of arguments, including the referenced IPSec proposal, the protected traffic, PFS feature, lifetime, and the address of the remote tunnel end. However, the proposal argument must be configured, whereas the other arguments are optional.
If an IPSec policy template is used for the policy match operation undertaken in an IKE negotiation, the configured arguments must be matched, and the settings of the initiator will be used for the arguments that have not been configured.
For the related commands, see ipsec policy, security acl, tunnel local, tunnel remote, proposal, display ipsec policy, and ike-peer.

Example
# Establish an ipsec policy template with the name template1 and the serial number 100.
[3Com] ipsec policy-template template1 100
[3Com-ipsec-policy-template-template1-100]

ipsec proposal

Syntax
ipsec proposal proposal-name
undo ipsec proposal proposal-name

View
System view

Parameter
proposal-name: Name of the specified proposal. The name is 1 to 15 characters long and case insensitive.

Description
Using the ipsec proposal proposal-name command, you can establish or modify a proposal named proposal-name, and enter IPSec proposal view. Using the undo ipsec proposal proposal-name command, you can delete the proposal named proposal-name.
By default, no proposal exists.
This proposal is a combination of the security protocol, encryption and authentication algorithm and packet encapsulation format for implementing IPSec protection.
An ipsec policy determines the protocol, algorithm and encapsulation mode to be adopted by the use of the proposal. Before the ipsec policy uses a proposal, this proposal must have already been set up.
After a new IPSec proposal is established by using the ipsec proposal command, the ESP protocol, DES encryption algorithm and MD5 authentication algorithm are adopted by default.
For the related commands, see ah authentication-algorithm, esp encryption-algorithm, esp authentication-algorithm, encapsulation-mode, proposal, display ipsec proposal and transform.

Example
# Establish a proposal named newprop1.
[3Com] ipsec proposal newprop1

ipsec sa global-duration

Syntax
ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
undo ipsec sa global-duration { time-based | traffic-based }

View
System view

Parameter
time-based seconds: Time-based global SA duration in seconds, ranging 30 to 604800 seconds. It is 3600 seconds (1 hour) by default.
traffic-based kilobytes: Traffic-based global SA duration in kilobytes, ranging 256 to 4194303 kilobytes. It is 1843200 kilobytes by default; when the traffic reaches this value, the duration expires.

Description
Using the ipsec sa global-duration command, you can set a global SA duration. Using the undo ipsec sa global-duration command, you can restore the default setting of the global SA duration.
When IKE negotiates to establish an SA, if the adopted IPSec policy is not configured with its own duration, the system will use the global SA duration specified by this command to negotiate with the peer. If the IPSec policy is configured with its own duration, the system will use the duration of the IPSec policy to negotiate with the peer. When IKE negotiates to set up an SA for IPSec, the smaller one of the lifetime set locally and that proposed by the remote is selected.
There are two types of SA duration: time-based (in seconds) and traffic-based (in kilobytes) lifetimes. The traffic-based SA duration, that is, the valid time of the SA, is accounted according to the total traffic that can be processed by this SA, and the SA is invalid when the set value is exceeded. Whichever of the two types expires first, the SA becomes invalid. Before the SA becomes invalid, IKE will set up a new SA for IPSec negotiation, so a new SA is ready before the existing one becomes invalid.
Modifying the global SA duration will not affect a map that has individually set up its own SA duration, or an SA already set up. But the modified global SA duration will be used to set up a new SA in future IKE negotiation.
The SA duration does not function for an SA manually set up; that is, an SA set up manually will never be invalidated.
For the related commands, see sa duration and display ipsec sa duration.

Example
# Set the global SA duration to 2 hours.
[3Com] ipsec sa global-duration time-based 7200

# Set the global SA duration to 10M bytes transmitted.
[3Com] ipsec sa global-duration traffic-based 10000

pfs

Syntax
pfs { dh-group1 | dh-group2 }
undo pfs

View
IPSec policy view, IPSec policy template view

Parameter
dh-group1: Specifies that the 768-bit Diffie-Hellman group is used.
dh-group2: Specifies that the 1024-bit Diffie-Hellman group is used.

Description
Using the pfs command, you can set the Perfect Forward Secrecy (PFS) feature for the IPSec policy to initiate the negotiation. Using the undo pfs command, you can set not to use the PFS feature during the negotiation.
By default, no PFS feature is used.
The command is used to add a PFS exchange process when IPSec uses the ipsec policy to initiate a negotiation. This additional key exchange is performed during the phase 2 negotiation to enhance the security of the communication. The DH group specified by the local and remote ends must be consistent; otherwise the negotiation will fail.
This command can be used only when the SA is established through IKE negotiation.
For the related commands, see ipsec policy-template, ipsec policy(system view), ipsec policy(interface view), tunnel local, tunnel remote, sa duration and proposal.

Example
# Set that PFS must be used when negotiating through ipsec policy shanghai 200.
[3Com] ipsec policy shanghai 200 isakmp
[3Com-ipsec-policy-isakmp-shanghai-200] pfs dh-group1

proposal

Syntax
proposal proposal-name1 [ proposal-name2...proposal-name6 ]
undo proposal [ proposal-name ]

View
IPSec policy view, IPSec policy template view

Parameter
proposal-name1,…, proposal-name6: Names of the proposals adopted.

Description
Using the proposal command, you can set the proposal used by the IPSec policy. Using the undo proposal command, you can cancel the proposal used by the IPSec policy.
By default, no proposal is used.
Before using this command, the corresponding IPSec proposal must have been configured.
If set up in manual mode, an SA can only use one proposal. If a proposal is already set, it needs to be deleted by using the undo proposal command before a new one can be set.
If set up in isakmp mode, an SA can use six proposals at most. IKE negotiation will search for the matching proposal at both ends of the security tunnel.
In an IPSec policy template, each template can use six proposals at most, and the IKE negotiation will search for the matching proposal.
For the related commands, see ipsec proposal, ipsec policy(system view), ipsec policy(interface view), security acl, tunnel local and tunnel remote.

Example
# Set a proposal with the name prop1, adopting ESP and the default algorithm, and set an IPSec policy to use the proposal named prop1.
[3Com] ipsec proposal prop1
[3Com-ipsec-proposal-prop1] transform esp
[3Com-ipsec-proposal-prop1] quit
[3Com] ipsec policy policy1 100 manual
[3Com-ipsec-policy-manual-policy1-100] proposal prop1

reset counters encrypt

Syntax
reset counters encrypt [ slot-id ]

View
User view

Parameter
slot-id: Slot ID for the encryption card, whose range depends on the slot number on the router. It is in 3-dimensional format, for example, x/y/z, where x stands for the slot ID on the router, and y and z are fixed to 0 for the encryption card.

Description
Using the reset counters encrypt command, you can clear the statistics on the encryption card. This command is only available on the encryption card.
The statistics record all the information starting from normal operation of the encryption card, while system debugging requires statistics of a specific time period for fault analysis. In that case you may need to reset the existing statistics and collect the statistics for the required time period.
For the related commands, see ipsec card-proposal and display encrypt-card sa.

Example
# Clear the statistics on the encryption card on the slot 5/0/0.
[Router] reset counters encrypt-card 5/0/0

reset encrypt-card sa

Syntax
reset encrypt-card sa [ slot-id ]

View
User view

Parameter
slot-id: Slot ID for the encryption card, whose range depends on the slot number on the router. It is in 3-dimensional format, for example, x/y/z, where x stands for the slot ID on the router, and y and z are fixed to 0 for the encryption card.

Description
Using the reset encrypt-card sa command, you can clear the SAs on the encryption card. This command is only available on the encryption card.
You may need to clear the SA database information stored on the encryption card, to output only the required information during debugging.
For the related commands, see ipsec card-proposal and display encrypt-card sa.

Example
# Clear the SAs on the encryption card on the slot 5/0/0.
[Router] reset encrypt-card sa 5/0/0

reset encrypt-card statistics

Syntax
reset encrypt-card statistics [ slot-id ]

View
User view

Parameter
slot-id: Slot ID for the encryption card, whose range depends on the slot number on the router. It is in 3-dimensional format, for example, x/y/z, where x stands for the slot ID on the router, and y and z are fixed to 0 for the encryption card.

Description
Using the reset encrypt-card statistics command, you can clear the statistics during processing of the encryption card. This command is only available on the encryption card.
The statistics record all the protocol processing information since the last reboot, including counts of incoming/outgoing ESP/AH packets, dropped packets, failed authentications, erroneous SAs, invalid SA proposals, and invalid protocols.
For the related command, see display encrypt-card statistic.

Example
# Clear the processing statistics on the encryption card on the slot 5/0/0.
[Router] reset encrypt-card statistic 5/0/0

reset encrypt-card syslog

Syntax
reset encrypt-card syslog [ slot-id ]

View
User view

Parameter
slot-id: Slot ID for the encryption card, whose range depends on the slot number on the router. It is in 3-dimensional format, for example, x/y/z, where x stands for the slot ID on the router, and y and z are fixed to 0 for the encryption card.

Description
Using the reset encrypt-card syslog command, you can clear all the logging information on the encryption card. This command is only available on the encryption card.
The encryption card records all logging history information, and all of it (including obsolete items) is reported for every query, which makes log monitoring and fault location more difficult. In that case you may need to clear the log buffer of the encryption card.
For the related commands, see display encrypt-card syslog.

Example
# Clear all the logging information on the encryption card on the slot 5/0/0.
[Router] reset encrypt-card syslog 5/0/0

reset ipsec sa

Syntax
reset ipsec sa [ remote ip-address | policy policy-name [ seq-number ] | parameters dest-addr protocol spi ]

View
User view

Parameter
remote ip-address: Specifies the remote address, in dotted decimal format.
policy: Specifies the IPSec policy.
policy-name: Specifies the name of the IPSec policy. The name is 1 to 15 characters long and case sensitive, and can contain English characters or numbers.
seq-number: Optional parameter specifying the serial number of the ipsec policy. If no seq-number is specified, the IPSec policy refers to all the policies in the IPSec policy group named policy-name.
parameters: Defines a Security Association (SA) by the destination address, security protocol and SPI.
dest-addr: Specifies the destination address in the dotted decimal IP address format.
protocol: Specifies the security protocol by inputting the key word ah or esp, case insensitive. ah indicates the Authentication Header protocol and esp indicates Encapsulating Security Payload.
spi: Specifies the security parameter index (SPI), ranging 256 to 4294967295.

Description
Using the reset ipsec sa command, you can delete an SA already set up (manually or through IKE negotiation). If no parameter (remote, policy, parameters) is specified, all the SAs will be deleted.
An SA is uniquely identified by a triplet of IP address, security protocol and SPI. An SA can be set up either manually or through Internet Key Exchange (IKE) negotiation.
If an SA set up manually is deleted, the system will automatically set up a new SA according to the parameters manually set. If a packet re-triggers IKE negotiation after an SA set up through IKE negotiation is deleted, IKE will reestablish an SA through negotiation.
The keyword parameters will take effect only after the spi of the outbound SA is defined. Because SAs appear in pairs, the inbound SA will also be deleted after the outbound SA is deleted.
For the related command, see display ipsec sa.

Example
# Delete all the SAs.
<3Com> reset ipsec sa

# Delete an SA whose remote IP address is 10.1.1.2.
<3Com> reset ipsec sa remote 10.1.1.2

# Delete all the SAs in policy1.
<3Com> reset ipsec sa policy policy1

# Delete the SA of the ipsec policy with the name policy1 and the serial number 10.
<3Com> reset ipsec sa policy policy1 10

# Delete an SA whose remote IP address is 10.1.1.2, security protocol is AH, and SPI is 10000
<3Com> reset ipsec sa parameters 10.1.1.2 ah 10000

reset ipsec statistics

Syntax
reset ipsec statistics

View
User view

Parameter
none

Description
Using the reset ipsec statistics command, you can clear IPSec message statistics, and set all the statistics to zero.
For the related command, see display ipsec statistics.

Example
# Clear IPSec message statistics.
<3Com> reset ipsec statistics

sa authentication-hex

Syntax
sa authentication-hex { inbound | outbound } { ah | esp } hex-key
undo sa authentication-hex { inbound | outbound } { ah | esp }

View
IPSec policy view in manual mode

Parameter
inbound: Configures the authentication-hex parameter for the inbound SA. IPSec uses the inbound SA for processing the packet in the inbound direction (received).
outbound: Configures the authentication-hex parameter for the outbound SA. IPSec uses the outbound SA for processing the packet in the outbound direction (sent).
ah: Sets the authentication-hex parameter for the SA using AH. If the IPSec proposal used by the ipsec policy adopts AH, the ah key word is used here to set the AH relevant parameter of the SA.
esp: Sets the authentication-hex parameter for the SA using ESP. If the IPSec proposal used by the ipsec policy adopts ESP, the esp key word is used here to set the ESP relevant parameter of the SA.
hex-key: Specifies a key for the SA input in the hex format. If MD5 is used, input a 16-byte key; if SHA1 is used, input a 20-byte key.

Description
Using the sa authentication-hex command, you can set the SA authentication key manually for the ipsec policy of manual mode. Using the undo sa authentication-hex command, you can delete the SA authentication key already set.
This command is only used for the ipsec policy in manual mode.
For the ipsec policy in isakmp mode, it is unnecessary to set the SA parameter manually. IKE will automatically negotiate the SA parameter and establish an SA.
When configuring the SA of manual mode, the SA parameters of inbound and outbound directions must be set separately.
The SA parameters set at both ends of the security tunnel must match fully. The SPI and key for the inbound SA at the local end must be the same as those for the outbound SA at the remote end. The SPI and key for the outbound SA at the local end must be the same as those for the inbound SA at the remote end.
There are two methods for inputting the key: hex and character string. If both a character string key and a hex key are set, the last one set is adopted. At both ends of a security tunnel, the key should be input by the same method. If the key is input as a character string at one end and in hex at the other end, the security tunnel cannot be set up correctly.
For the related commands, see ipsec policy(system view), ipsec policy(interface view), security acl, tunnel local, tunnel remote, sa duration and proposal.

Example
# Set the SPI of the inbound SA to 10000 and its key to 0x112233445566778899aabbccddeeff00; set the SPI of the outbound SA to 20000 and its key to 0xaabbccddeeff001100aabbccddeeff00 in the ipsec policy using AH and MD5.
[3Com] ipsec proposal prop_ah
[3Com-ipsec-proposal-prop_ah] transform ah
[3Com-ipsec-proposal-prop_ah] ah authentication-algorithm md5
[3Com-ipsec-proposal-prop_ah] quit
[3Com] ipsec policy tianjin 100 manual
[3Com-ipsec-policy-manual-tianjin-100] proposal prop_ah
[3Com-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[3Com-ipsec-policy-manual-tianjin-100] sa authentication-hex inbound ah 112233445566778899aabbccddeeff00
[3Com-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000
[3Com-ipsec-policy-manual-tianjin-100] sa authentication-hex outbound ah aabbccddeeff001100aabbccddeeff00

sa duration

Syntax
sa duration { traffic-based kilobytes | time-based seconds }
undo sa duration { traffic-based | time-based }

View
IPSec policy view, IPSec policy template view

Parameter
time-based seconds: Time-based SA duration in seconds, ranging 30 to 604800 seconds. It is 3600 seconds (1 hour) by default.
traffic-based kilobytes: Traffic-based SA duration in kilobytes, ranging 256 to 4194303 kilobytes. It is 1843200 kilobytes by default.

Description
Using the sa duration command, you can set an SA duration of the ipsec policy. Using the undo sa duration command, you can cancel the SA duration, i.e., restore the use of the global SA duration.
When IKE negotiates to establish an SA, if the adopted IPSec policy is not configured with its own duration, the system will use the global SA duration to negotiate with the peer. If the IPSec policy is configured with its own duration, the system will use the duration of the IPSec policy to negotiate with the peer. When IKE negotiates to set up an SA for IPSec, the shorter one of the lifetime set locally and that proposed by the remote is selected.
There are two types of SA duration: time-based (in seconds) and traffic-based (in kilobytes) lifetimes. The traffic-based SA duration, that is, the valid time of the SA, is accounted according to the total traffic that can be processed by this SA, and the SA is invalid when the set value is exceeded. Whichever of the two types expires first, the SA becomes invalid. Before the SA becomes invalid, IKE will set up a new SA for IPSec negotiation, so a new SA is ready before the existing one becomes invalid.
The SA duration does not function for an SA manually set up; that is, an SA set up manually will never be invalidated.
For the related commands, see ipsec sa global-duration, ipsec policy(system view), ipsec policy(interface view), security acl, tunnel local, tunnel remote and proposal.

Example
# Set the SA duration for the ipsec policy shenzhen 100 to 2 hours, that is, 7200 seconds.
[3Com] ipsec policy shenzhen 100 isakmp
[3Com-ipsec-policy-isakmp-shenzhen-100] sa duration time-based 7200

# Set the SA duration for the ipsec policy shenzhen 100 to 20M bytes, that is, the SA expires when the traffic exceeds 20000 kilobytes.
[3Com] ipsec policy shenzhen 100 isakmp
[3Com-ipsec-policy-isakmp-shenzhen-100] sa duration traffic-based 20000

sa encryption-hex

Syntax
sa encryption-hex { inbound | outbound } esp hex-key
undo sa encryption-hex { inbound | outbound } esp

View
IPSec policy view in manual mode

Parameter
inbound: Sets the encryption-hex parameter for the inbound SA. IPSec uses the inbound SA for processing the packet in the inbound direction (received).
outbound: Sets the encryption-hex parameter for the outbound SA. IPSec uses the outbound SA for processing the packet in the outbound direction (sent).
esp: Sets the encryption-hex parameter for the SA using ESP. If the IPSec proposal used by the ipsec policy adopts ESP, the esp key word is used here to set the ESP relevant parameter of the SA.
hex-key: Specifies a key for the SA input in the hex format. When applied in ESP, if DES is used, input an 8-byte key; if 3DES is used, input a 24-byte key.

Description
Using the sa encryption-hex command, you can set the SA encryption key manually for the ipsec policy of manual mode. Using the undo sa encryption-hex command, you can delete the SA parameter already set.
This command is only used for the ipsec policy in manual mode. It is used to set the SA parameter manually and establish an SA manually.
For the ipsec policy in isakmp mode, it is unnecessary to set the SA parameter manually, and this command is invalid. IKE will automatically negotiate the SA parameter and establish an SA.
When configuring the SA of manual mode, the SA parameters of inbound and outbound directions must be set separately.
The SA parameters set at both ends of the security tunnel must match fully. The SPI and key for the inbound SA at the local end must be the same as those for the outbound SA at the remote end. The SPI and key for the outbound SA at the local end must be the same as those for the inbound SA at the remote end.
For the related commands, see ipsec policy(system view), ipsec policy(interface view), security acl, tunnel local, tunnel remote, sa duration and proposal.

Example
# Set the SPI of the inbound SA to 10000, and the key to 0x1234567890abcdef; set the SPI of the outbound SA to 20000, and its key to 0xabcdefabcdef1234 in the ipsec policy using ESP and DES.
[3Com] ipsec proposal prop_esp
[3Com-ipsec-proposal-prop_esp] transform esp
[3Com-ipsec-proposal-prop_esp] esp encryption-algorithm des
[3Com-ipsec-proposal-prop_esp] quit
[3Com] ipsec policy tianjin 100 manual
[3Com-ipsec-policy-manual-tianjin-100] proposal prop_esp
[3Com-ipsec-policy-manual-tianjin-100] sa spi inbound esp 10000
[3Com-ipsec-policy-manual-tianjin-100] sa encryption-hex inbound esp 1234567890abcdef
[3Com-ipsec-policy-manual-tianjin-100] sa spi outbound esp 20000
[3Com-ipsec-policy-manual-tianjin-100] sa encryption-hex outbound esp abcdefabcdef1234

sa spi

Syntax
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }

View
IPSec policy view in manual mode

Parameter
inbound: Sets the spi parameter for the inbound SA. IPSec uses the inbound SA for processing the packet in the inbound direction (received).
outbound: Sets the spi parameter for the outbound SA. IPSec uses the outbound SA for processing the packet in the outbound direction (sent).
ah: Sets the spi parameter for the SA using AH. If the IPSec proposal set used by the ipsec policy adopts AH, the ah key word is used here to set the spi relevant parameter of the SA.
esp: Sets the spi parameter for the SA using ESP. If the IPSec proposal set used by the ipsec policy adopts ESP, the esp key word is used here to set the spi relevant parameter of the SA.
spi-number: Security Parameter Index (SPI) in the triplet identification of the SA, ranging 256 to 4294967295. The triplet identification of the SA, which appears as SPI, destination address, and protocol number, must be unique.

Description
Using the sa spi command, you can set the SA SPI manually for the ipsec policy of manual mode. Using the undo sa spi command, you can delete the SA SPI already set.
This command is only used for the ipsec policy in manual mode. It is used to set the SA parameter manually and establish an SA manually.
For the ipsec policy in isakmp mode, it is unnecessary to set the SA parameter manually, and this command is invalid. IKE will automatically negotiate the SA parameter and establish an SA.
When configuring the SA of manual mode, the SA parameters of inbound and outbound directions must be set separately.
The SA parameters set at both ends of the security tunnel must match fully. The SPI and key for the inbound SA at the local end must be the same as those for the outbound SA at the remote end. The SPI and key for the outbound SA at the local end must be the same as those for the inbound SA at the remote end.
For the related commands, see ipsec policy(system view), ipsec policy(interface view), security acl, tunnel local, tunnel remote, sa duration and proposal.

Example
# Set the SPI of the inbound SA to 10000 and the SPI of the outbound SA to 20000 in the ipsec policy using AH and MD5.
[3Com] ipsec proposal prop_ah
[3Com-ipsec-proposal-prop_ah] transform ah
[3Com-ipsec-proposal-prop_ah] ah authentication-algorithm md5
[3Com-ipsec-proposal-prop_ah] quit
[3Com] ipsec policy tianjin 100 manual
[3Com-ipsec-policy-manual-tianjin-100] proposal prop_ah
[3Com-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[3Com-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000

sa string-key

Syntax
sa string-key { inbound | outbound } { ah | esp } string-key
undo sa string-key { inbound | outbound } { ah | esp }

View
IPSec policy view in manual mode

Parameter
inbound: Sets the string-key parameter for the inbound SA. IPSec uses the inbound SA for processing the packet in the inbound direction (received).
outbound: Sets the string-key parameter for the outbound SA. IPSec uses the outbound SA for processing the packet in the outbound direction (sent).
ah: Sets the string-key parameter for the SA using AH. If the IPSec proposal set used by the ipsec policy adopts AH, the ah key word is used here to set the string-key relevant parameter of the SA.
esp: Sets the string-key parameter for the SA using ESP. If the IPSec proposal set used by the ipsec policy adopts ESP, the esp key word is used here to set the string-key relevant parameter of the SA.
string-key: Specifies the key for an SA input in the character string format, with a length ranging 1 to 256 characters. For different algorithms, you can input character strings of any length in the specified range, and the system will automatically generate keys meeting the algorithm requirements from the input character strings. As for ESP, the system will automatically generate the key for the authentication algorithm and that for the encryption algorithm at the same time.

Description
Using the sa string-key command, you can set the SA parameter manually for the ipsec policy of manual mode. Using the undo sa string-key command, you can delete the SA parameter already set.
This command is only used for the ipsec policy in manual mode. It is used to set the SA parameter manually and establish an SA manually.
For the ipsec policy in isakmp mode, it is unnecessary to set the SA parameter manually, and this command is invalid. IKE will automatically negotiate the SA parameter and establish an SA.
When configuring the SA of manual mode, the SA parameters of inbound and outbound directions must be set separately.
The SA parameters set at both ends of the security tunnel must match fully. The SPI and key for the inbound SA at the local end must be the same as those for the outbound SA at the remote end. The SPI and key for the outbound SA at the local end must be the same as those for the inbound SA at the remote end.
There are two methods for inputting the key: hex and character string. If both a character string key and a hex key are set, the last one set is adopted. At both ends of a security tunnel, the key should be input by the same method. If the key is input as a character string at one end and in hex at the other end, the security tunnel cannot be set up correctly.
For the related commands, see ipsec policy(system view), ipsec policy(interface view), security acl, tunnel local, tunnel remote, sa duration and proposal.

Example
# Set the SPI of the inbound SA to 10000 and its key string to abcdef; set the SPI of the outbound SA to 20000 and its key string to efcdab in the ipsec policy using AH and MD5.
[3Com] ipsec proposal prop_ah
[3Com-ipsec-proposal-prop_ah] transform ah
[3Com-ipsec-proposal-prop_ah] ah authentication-algorithm md5
[3Com-ipsec-proposal-prop_ah] quit
[3Com] ipsec policy tianjin 100 manual
[3Com-ipsec-policy-manual-tianjin-100] proposal prop_ah
[3Com-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[3Com-ipsec-policy-manual-tianjin-100] sa string-key inbound ah abcdef
[3Com-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000
[3Com-ipsec-policy-manual-tianjin-100] sa string-key outbound ah efcdab
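
The rules that sa spi, sa authentication-hex, sa encryption-hex and sa string-key place on a manual SA (SPI range, hex key length per algorithm, last key method set wins, local inbound equal to remote outbound) can be checked before the commands are entered on both routers. The Python check below is an added example, not 3Com code; ROUTER_A takes its values from the sa authentication-hex example, while ROUTER_B, ROUTER_C and all function names are constructed for illustration.

```python
import re

# Hex key sizes in bytes, from the sa authentication-hex and
# sa encryption-hex parameter descriptions.
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}
ENC_KEY_BYTES = {"des": 8, "3des": 24}
SPI_MIN, SPI_MAX = 256, 4294967295
HEX_KINDS = ("authentication-hex", "encryption-hex")
KEY_KINDS = HEX_KINDS + ("string-key",)
SA_CMD = re.compile(
    r"^sa (spi|authentication-hex|encryption-hex|string-key) "
    r"(inbound|outbound) (ah|esp) (\S+)$"
)


def parse_manual_sa(commands):
    """Map (direction, protocol) -> {kind: value} from 'sa ...' commands."""
    sas = {}
    for line in commands:
        m = SA_CMD.match(line.strip())
        if not m:
            continue
        kind, direction, proto, value = m.groups()
        entry = sas.setdefault((direction, proto), {})
        # Hex and string keys are alternatives: the last one set is adopted.
        if kind == "string-key":
            for k in HEX_KINDS:
                entry.pop(k, None)
        elif kind in HEX_KINDS:
            entry.pop("string-key", None)
        entry[kind] = value.lower() if kind in HEX_KINDS else value
    return sas


def check_local(sas, auth_alg, enc_alg=None):
    """Return the problems found in one router's manual SA parameters."""
    problems = []
    for (direction, proto), entry in sorted(sas.items()):
        where = f"{direction} {proto}"
        spi = entry.get("spi")
        if spi is None:
            problems.append(f"{where}: no SPI set")
        elif not spi.isdigit() or not SPI_MIN <= int(spi) <= SPI_MAX:
            problems.append(f"{where}: SPI {spi} outside {SPI_MIN}-{SPI_MAX}")
        expected = {"authentication-hex": AUTH_KEY_BYTES[auth_alg]}
        if proto == "esp" and enc_alg:
            expected["encryption-hex"] = ENC_KEY_BYTES[enc_alg]
        for kind, size in expected.items():
            key = entry.get(kind)
            if key is not None and not re.fullmatch(rf"[0-9a-f]{{{2 * size}}}", key):
                problems.append(f"{where}: {kind} must be {size} bytes of hex")
        if not any(k in entry for k in KEY_KINDS):
            problems.append(f"{where}: no key set")
    return problems


def check_mirror(local, remote):
    """Each local SA must equal the peer's SA in the opposite direction."""
    problems = []
    opposite = {"inbound": "outbound", "outbound": "inbound"}
    for (direction, proto), mine in sorted(local.items()):
        peer_dir = opposite[direction]
        theirs = remote.get((peer_dir, proto))
        where = f"local {direction} {proto} vs peer {peer_dir} {proto}"
        if theirs is None:
            problems.append(f"{where}: peer SA missing")
            continue
        if mine.get("spi") != theirs.get("spi"):
            problems.append(f"{where}: SPI differs")
        if ("string-key" in mine) != ("string-key" in theirs):
            problems.append(f"{where}: hex key at one end, string key at the other")
        elif any(mine.get(k) != theirs.get(k) for k in KEY_KINDS):
            problems.append(f"{where}: key differs")
    return problems


ROUTER_A = [  # values from the sa authentication-hex example (AH with MD5)
    "sa spi inbound ah 10000",
    "sa authentication-hex inbound ah 112233445566778899aabbccddeeff00",
    "sa spi outbound ah 20000",
    "sa authentication-hex outbound ah aabbccddeeff001100aabbccddeeff00",
]
ROUTER_B = [  # constructed: the correct mirror image of ROUTER_A
    "sa spi inbound ah 20000",
    "sa authentication-hex inbound ah aabbccddeeff001100aabbccddeeff00",
    "sa spi outbound ah 10000",
    "sa authentication-hex outbound ah 112233445566778899aabbccddeeff00",
]
ROUTER_C = [  # constructed: short key, SPI below 256, string key set last
    "sa spi inbound ah 20000",
    "sa authentication-hex inbound ah aabbccddeeff0011",
    "sa spi outbound ah 100",
    "sa authentication-hex outbound ah 112233445566778899aabbccddeeff00",
    "sa string-key outbound ah abcdef",
]

if __name__ == "__main__":
    a = parse_manual_sa(ROUTER_A)
    for name, peer in (("B", ROUTER_B), ("C", ROUTER_C)):
        p = parse_manual_sa(peer)
        print(name, check_local(p, "md5") + check_mirror(a, p))
```

check_mirror walks the local router's SAs only; run it in both directions to catch an SA that exists on the peer alone.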

security acl

Syntax
security acl acl-number
undo security acl

View
IPSec policy view, IPSec policy template view

Parameter
acl-number: Specifies the number of the access control list used by the ipsec policy, ranging 100 to 199.

Description
Using the security acl command, you can set an access control list to be used by the ipsec policy. Using the undo security acl command, you can remove the access control list used by the ipsec policy.
By default, no ACL has been specified for the IPSec policies.
The data flow that will be protected by the IPSec policy is defined by the ACL in this command. According to the rules in the ACL, IPSec determines which packets need security protection and which do not. A packet permitted by the access control list will be protected, and a packet denied by the access control list will not be protected. The denied packets are sent out directly without IPSec protection.
For the related commands, see ipsec policy(system view), ipsec policy(interface view), tunnel local, tunnel remote, sa duration and proposal.

Example
# Set the ipsec policy as using access control list 101.
[3Com] acl number 101
[3Com-acl-adv-101] rule permit tcp source 10.1.1.1 0.0.0.255 destination 10.1.1.2 0.0.0.255
[3Com-acl-adv-101] quit
[3Com] ipsec policy beijing 100 manual
[3Com-ipsec-policy-manual-beijing-100] security acl 101

snmp-agent trap enable encrypt-card

Syntax
snmp-agent trap enable encrypt-card
undo snmp-agent trap enable encrypt-card

View
System view

Parameter
None

Description
Using the snmp-agent trap enable encrypt-card command, you can enable the SNMP agent trap function on the encryption card. Using the undo snmp-agent trap enable encrypt-card command, you can disable the SNMP agent trap function on the card.
By default, no ACL has been specified for the IPSec policies.
When combined with appropriate NM configuration, the trap function allows you to view the information about card rebooting, status transition and packet loss processing on the Console of the NM station or router.

Example
# Enable the trap function on the encryption card.
[Router] snmp-agent trap enable encrypt-card

transform

Syntax
transform { ah | ah-esp | esp }
undo transform


CHAPTER 9: SECURITY

View
IPSec proposal view

Parameter
ah: Uses the AH protocol specified in RFC2402.
ah-esp: Uses ESP specified in RFC2406 to protect the packets and then uses the AH protocol specified in RFC2402 to authenticate packets.
esp: Uses ESP specified in RFC2406.

Description
Using the transform command, you can set the security protocol used by a proposal. Using the undo transform command, you can restore the default security protocol. By default, esp, that is, the ESP specified in RFC2406, is used.

If ESP is adopted, the default encryption algorithm is DES and the authentication algorithm is MD5. If AH is adopted, the default authentication algorithm is MD5. If the parameter ah-esp is specified, the default authentication algorithm for AH is MD5 and the default encryption algorithm for ESP is DES without authentication.

The AH protocol provides data authentication, data integrity check and anti-replay function. The ESP protocol provides data authentication, data integrity check, anti-replay function and data encryption.

While establishing an SA manually, the proposals used by the ipsec policy set at both ends of the security tunnel must be set as using the same security protocol.

The following figure illustrates the data encapsulation formats of different security protocols in the transport mode and the tunnel mode.
Figure 1 Data encapsulation formats of security protocols
[Figure: packet layouts for the ah, esp and ah-esp security protocols in transport mode and in tunnel mode]

“data” in the figure is the original IP datagram.


For the related commands, see ah authentication-algorithm, ipsec proposal, esp encryption-algorithm, esp authentication-algorithm, encapsulation-mode and proposal.

Example
# Set a proposal using AH.
[3Com] ipsec proposal prop1
[3Com-ipsec-proposal-prop1] transform ah

tunnel local

Syntax
tunnel local ip-address
undo tunnel local

View
IPSec policy view in Manual mode

Parameter
ip-address: Local address in dotted decimal format.

Description
Using the tunnel local command, you can set the local address of an ipsec policy. Using the undo tunnel local command, you can delete the local address set in the ipsec policy. By default, the local address of an ipsec policy is not configured.

It is not necessary to set a local address for an ipsec policy in isakmp mode, so this command is invalid in this situation. IKE can automatically obtain the local address from the interface where this ipsec policy is applied. As for the ipsec policy in manual mode, it is necessary to set the local address before the SA can be established. A security tunnel is set up between the local and remote end, so the local address and remote address must be correctly configured before a security tunnel can be set up.

For the related commands, see ipsec policy(system view), ipsec policy(interface view), security acl, tunnel remote, sa duration and proposal.

Example
# Set the local address for the ipsec policy, which is applied at serial 4/1/2 whose IP address is 10.0.0.1.
[3Com] ipsec policy guangzhou 100 manual
[3Com-ipsec-policy-manual-guangzhou-100] tunnel local 10.0.0.1
[3Com-ipsec-policy-manual-guangzhou-100] quit
[3Com] interface serial 4/1/2
[3Com-if-Serial4/1/2] ipsec policy guangzhou


tunnel remote

Syntax
tunnel remote ip-address
undo tunnel remote [ ip-address ]

View
Manually-established IPSec policy view

Parameter
ip-address: Remote address in dotted decimal format.

Description
Using the tunnel remote command, you can set the remote address of an ipsec policy. Using the undo tunnel remote command, you can delete the remote address in the ipsec policy. By default, the remote address of an ipsec policy is not configured.

For the ipsec policy in manual mode, only one remote address can be set. If a remote address is already set, this existing address must be deleted before a new one can be set. The security tunnel is established between the local and remote ends. The remote address must be set correctly on both ends of the security tunnel.

For the related commands, see ipsec policy(system view), ipsec policy(interface view), security acl, tunnel local, sa duration, proposal.

Example
# Set the remote address of the ipsec policy to 10.1.1.2.
[3Com] ipsec policy shanghai 10 manual
[3Com-ipsec-policy-shanghai-10] tunnel remote 10.1.1.2

use encrypt-card

Syntax
use encrypt-card [ slot-id ]
undo use encrypt-card [ slot-id ]

View
Card SA proposal view

Parameter
slot-id: Slot ID for the encryption card, whose range depends on the slot number on the router. It is in 3-dimensional format, for example, x/y/z, where x stands for the slot ID on the router, and y and z are fixed to 0 for the encryption card.

Description
Using the use encrypt-card command, you can specify that the SA proposal uses the encryption card at a designated slot. Using the undo use encrypt-card command, you can remove the configuration.


By default, no ACL has been specified for the IPSec policies. One SA proposal can only be processed by a single encryption card, but one single encryption card can process different SA proposals.

For the related command, see ipsec card-proposal.

Example
Refer to the example of the ipsec card-proposal command.

ah authentication-algorithm

Syntax
ah authentication-algorithm { md5 | sha1 }
undo ah authentication-algorithm

View
IPSec proposal view

Parameter
md5: MD5 algorithm is adopted.
sha1: SHA1 algorithm is adopted.

Description
Using the ah authentication-algorithm command, you can set the authentication algorithm adopted by the Authentication Header protocol in an IPSec proposal. Using the undo ah authentication-algorithm command, you can restore the default setting. By default, the md5 authentication algorithm is adopted by the Authentication Header protocol in an IPSec proposal.

An AH proposal cannot be used to encrypt, only to authenticate. The MD5 algorithm uses the 128-bit key, and SHA1 uses the 160-bit key. By comparison, MD5 is faster than SHA1, while SHA1 is more secure than MD5.

The IPSec proposal adopted by the security policy at both ends of the security tunnel must be set as using the same authentication algorithm. The AH authentication algorithm can be configured only if the AH or AH-ESP security protocol was selected by executing the transform command.

For the related commands, see ipsec proposal, proposal, sa sip and transform.

Example
# Set IPSec proposal using AH and SHA1.
[3Com] ipsec proposal prop1
[3Com-ipsec-proposal-prop1] transform ah
[3Com-ipsec-proposal-prop1] ah authentication-algorithm sha1


debugging ipsec

Syntax
debugging ipsec { all | sa | misc | packet [ policy policy-name [ seq-number ] | parameters ip-address protocol spi-number ] | misc }
undo debugging ipsec { all | sa | misc | packet [ policy policy-name [ seq-number ] | parameters ip-address protocol spi-number ] | misc }

View
User view

Parameter
all: Displays all debugging information.
sa: Displays debugging information of SA.
packet: Displays debugging information of IPSec packets.
policy policy-name: Displays debugging information of the IPSec policy whose name is policy-name.
seq-number: Displays debugging information of the IPSec policy whose sequence number is seq-number.
parameters: Displays debugging information of an SA whose remote address is ip-address, security protocol is protocol, and SPI is spi-number.
misc: Displays other debugging information of IPSec.

Description
Using the debugging ipsec command, you can turn IPSec debugging on. Using the undo debugging ipsec command, you can turn IPSec debugging off. By default, IPSec debugging is off.

Example
# Enable IPSec SA debugging function.
<3Com> debugging ipsec sa

display ipsec policy

Syntax
display ipsec policy [ brief | name policy-name [ seq-number ] ]

View
Any view

Parameter
brief: Displays brief information about all the ipsec policies.
name: Displays information of the ipsec policy with the name policy-name and sequence number seq-number.


policy-name: Name of an ipsec policy.
seq-number: Sequence number of an ipsec policy.
If no argument has been specified, the details of all the IPSec policies will be displayed. If name policy-name has been specified but seq-number has not, the information of the specified IPSec policy group will be listed.

Description
Using the display ipsec policy command, you can view information about the ipsec policy.

The brief keyword is used for displaying brief information about all the ipsec policies, whose display format is the brief format (see the following example). The brief command can be used to quickly display all the ipsec policies. Brief information includes name and sequence number, negotiation mode, access control list, proposal, local address, and remote address.

The other command words are used to display the detailed information about the ipsec policy, whose display format is the detailed format (refer to the following example).

For the related commands, see ipsec policy(system view).

Example
# View brief information about all the ipsec policies.
<3Com> display ipsec policy brief
Ipsec-policy-Name   Mode     acl   Local Address   Remote Address
policy1-100         manual   100   150.1.1.2       150.1.1.1
test-300            isakmp   120                   202.38.160.66

Table 14 Brief information of IPSec policy
Item                Description
Ipsec-policy-Name   name and sequence number of an ipsec policy
Mode                negotiation method used by an ipsec policy
acl                 access control list used by an ipsec policy
Local Address       local IP address
Remote Address      remote IP address

# View information about all the ipsec policies
[3Com] display ipsec policy
===========================================
IPsec Policy Group: "policy_isakmp"
Using interface: {Ethernet1/0/0}
===========================================
--------------------------------------------


IPsec policy name: "policy_isakmp"
sequence number: 10
mode: isakmp
-------------------------------------------
security data flow : 100
tunnel remote address: 162.105.10.2
PFS (Y/N): N
proposal name: prop1
ipsec sa local duration(time based): 3600 seconds
ipsec sa local duration(traffic based): 1843200 kilobytes
===========================================
IPsec Policy Group: "policy_man"
Using interface: {Ethernet1/0/1}
===========================================
-----------------------------------------
IPsec policy name: "policy_man"
sequence number: 10
mode: manual
-----------------------------------------
security data flow : 100
tunnel local address: 162.105.10.1
tunnel remote address: 162.105.10.2
proposal name: prop1
inbound ah setting:
  ah spi: 12345 (0x3039)
  ah string-key:
  ah authentication hex key : 1234567890123456789012345678901234567890
inbound esp setting:
  esp spi: 23456 (0x5ba0)
  esp string-key:
  esp encryption hex key: 1234567890abcdef1234567890abcdef1234567812345678
  esp authentication hex key: 1234567890abcdef1234567890abcdef
outbound ah setting:


  ah spi: 54321 (0xd431)
  ah string-key:
  ah authtication hex key: 1122334455667788990011223344556677889900
outbound esp setting:
  esp spi: 65432 (0xff98)
  esp string-key:
  esp encryption hex key: 11223344556677889900aabbccddeeff1234567812345678
  esp authentication hex key: 11223344556677889900aabbccddeeff

Table 15 Detailed information of IPSec policy
Item                              Description
ipsec policy                      name, sequence number and negotiation method of an ipsec policy
security data flow                access control list used by an ipsec policy
proposal name                     name of the proposal used by an ipsec policy
inbound/outbound ah/esp setting   settings of inbound/outbound ends using AH/ESP, including SPI and key
tunnel Local Address              local IP address
tunnel Remote Address             remote IP address
PFS (Y/N)                         whether PFS (Perfect Forward Security) is used or not

display ipsec policy-template

Syntax
display ipsec policy-template [ brief | name template-name [ seq-number ] ]

View
Any view

Parameter
brief: Displays brief information about all the ipsec policy templates.
name: Displays information of the ipsec policy template with the name template-name and sequence number seq-number.
template-name: Name of an ipsec policy template.
seq-number: Sequence number of an ipsec policy template. If seq-number is not specified, then the information about all the ipsec policy templates named template-name is shown.
If no parameter is specified, then the detailed information about all the ipsec policy templates will be displayed. If name template-name has been specified but seq-number has not, the information of the specified IPSec policy template group will be listed.


Description
Using the display ipsec policy-template command, you can view information about the ipsec policy template.

The brief parameter shows brief information about all the ipsec policy templates, whose display format is the brief format (see the following example). It can be used to quickly display all the ipsec policy templates. Brief information includes template name and sequence number, access control list, and remote address.

Any of the sub-commands can be used to display detailed information of the IPSec policy template.

For the related commands, see ipsec policy-template.

Example
# View brief information about all the ipsec policy templates.
[3Com] display ipsec policy-template brief
Policy-template-Name   acl   Remote-Address
------------------------------------------------------
test-tplt300           120

Table 16 Brief information of IPSec policy template
Item                   Description
Policy-template-Name   name, sequence number of an ipsec policy template
acl                    access control list used by an ipsec policy template
Remote Address         remote IP address

display ipsec proposal

Syntax
display ipsec proposal [ proposal-name ]

View
Any view

Parameter
proposal-name: Name of the proposal.

Description
Using the display ipsec proposal command, you can view information about the proposal. If the name of the proposal is not specified, then information about all the proposals will be shown.

For the related commands, see ipsec proposal, display ipsec sa and display ipsec policy.


Example
# View all the proposals.
[3Com] display ipsec proposal
Ipsec proposal name: prop2
  encapsulation mode: tunnel
  transform: ah-new
  ah protocol: authentication-algorithm sha1-hmac-96
Ipsec proposal name: prop1
  encapsulation mode: transport
  transform: esp-new
  esp protocol: authentication-algorithm md5-hmac96, encryption des

Table 17 IPSec proposal information
Item                  Description
Ipsec proposal name   name of the proposal
encapsulation mode    modes used by proposal, including two types: transport mode and tunnel mode
transform             security protocols used by proposal, including two types: AH and ESP
ah protocol           the authentication-algorithm used by AH: md5 | sha1
esp protocol          the authentication-algorithm and encryption method used by ESP respectively: MD5 and DES
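
The following Python script is an added example, not part of the 3Com documentation. It parses display ipsec proposal output, reports proposals that still use the weaker choices this reference names (des, md5, AH without encryption), and lists the fields on which two tunnel ends disagree. It assumes one field per output line and that a missing algorithm token means the function is not configured; REMOTE_OUTPUT is a constructed peer configuration.

```python
import re

# LOCAL_OUTPUT repeats the sample output shown above; REMOTE_OUTPUT is a
# constructed peer configuration used only to demonstrate the comparison.
LOCAL_OUTPUT = """\
[3Com] display ipsec proposal
Ipsec proposal name: prop2
  encapsulation mode: tunnel
  transform: ah-new
  ah protocol: authentication-algorithm sha1-hmac-96
Ipsec proposal name: prop1
  encapsulation mode: transport
  transform: esp-new
  esp protocol: authentication-algorithm md5-hmac96, encryption des
"""
REMOTE_OUTPUT = """\
Ipsec proposal name: prop1
  encapsulation mode: tunnel
  transform: esp-new
  esp protocol: authentication-algorithm sha1-hmac-96, encryption 3des
"""

# Settings that must be identical at both ends of the security tunnel.
FIELDS = ("mode", "transform", "ah_auth", "esp_auth", "esp_enc")


def parse_proposals(text):
    """Return {proposal name: settings} parsed from display ipsec proposal output."""
    proposals, current = {}, None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue  # prompt or separator line, no "key: value" pair
        key, value = key.strip().lower(), value.strip().lower()
        if key == "ipsec proposal name":
            current = dict.fromkeys(FIELDS)
            current["uses_esp"] = False
            proposals[value] = current
        elif current is None:
            continue
        elif key == "encapsulation mode":
            current["mode"] = value
        elif key == "transform":
            current["transform"] = value
        elif key in ("ah protocol", "esp protocol"):
            proto = key.split()[0]
            auth = re.search(r"authentication-algorithm\s+([a-z0-9]+)", value)
            enc = re.search(r"encryption\s+([a-z0-9]+)", value)
            if auth:
                current[proto + "_auth"] = auth.group(1)  # "md5" or "sha1"
            if proto == "esp":
                current["uses_esp"] = True
                if enc:
                    current["esp_enc"] = enc.group(1)     # "des" or "3des"
    return proposals


def audit_proposal(name, p):
    """List the weaker choices a proposal relies on."""
    findings = []
    if p["esp_enc"] == "des":
        findings.append(f"{name}: ESP encrypts with des (56-bit key); 3des is available")
    if "md5" in (p["ah_auth"], p["esp_auth"]):
        findings.append(f"{name}: md5 authentication; sha1 is available")
    if p["uses_esp"] and p["esp_auth"] is None:
        findings.append(f"{name}: ESP packets are not authenticated")
    if p["uses_esp"] and p["esp_enc"] is None:
        findings.append(f"{name}: ESP packets are not encrypted")
    if not p["uses_esp"]:
        findings.append(f"{name}: AH only, traffic is authenticated but not encrypted")
    return findings


def compare_ends(local, remote):
    """Return the settings on which the two tunnel ends disagree."""
    return [field for field in FIELDS if local[field] != remote[field]]


if __name__ == "__main__":
    local = parse_proposals(LOCAL_OUTPUT)
    remote = parse_proposals(REMOTE_OUTPUT)
    for name, settings in local.items():
        for finding in audit_proposal(name, settings):
            print(finding)
    print("prop1 mismatches:", compare_ends(local["prop1"], remote["prop1"]))
```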

display ipsec sa

Syntax
display ipsec sa [ brief | remote ip-address | policy policy-name [ seq-number ] | duration ]

View
Any view

Parameter
brief: Displays brief information about all the SAs.
remote: Displays information about the SA with remote address as ip-address.
ip-address: Specifies the remote address in dotted decimal format.
policy: Displays information about the SA created by the ipsec policy whose name is policy-name.
policy-name: Specifies the name of the ipsec policy.
seq-number: Specifies the sequence number of the ipsec policy.
duration: Global sa duration to be shown.


Description
Using the display ipsec sa command, you can view the relevant information about the SA.

The command with the brief parameter shows brief information about all the SAs, whose display format is the brief format (refer to the following example). Brief information includes source address, destination address, SPI, protocol, and algorithm. A display beginning with "E" in the algorithm stands for the encryption algorithm, and a display beginning with "A" stands for the authentication algorithm. The brief command can be used to quickly display all the SAs already set up.

The commands with the remote and policy parameters both display the detailed information about the SA. In display mode, part of the information about the ipsec policy is shown first and then the detailed information of the SA in this ipsec policy.

The command with the duration parameter shows the global sa duration, including "time-based" and "traffic-based" sa duration. Refer to the following examples.

Information of all the SAs will be shown when no parameter is specified.

For the related commands, see reset ipsec sa, ipsec sa duration, display ipsec sa and display ipsec policy.

Example
# View brief information about all the SAs.
<3Com> display ipsec sa brief
Src Address   Dst Address   SPI   Protocol   Algorithm
10.1.1.1      10.1.1.2      300   ESP        E:DES; A:HMAC-MD5-96
10.1.1.2      10.1.1.1      400   ESP        E:DES; A:HMAC-MD5-96

Table 18 Brief information of IPSec SA
Item          Description
Src Address   Local IP address
Dst Address   Remote IP address
SPI           security parameter index
Protocol      security protocol used by IPSec
Algorithm     The authentication algorithm and encryption algorithm used by the security protocol. A display beginning with "E" in the algorithm stands for the encryption algorithm, and a display beginning with "A" stands for the authentication algorithm.

# View the global duration of SA.
[3Com] display ipsec sa duration
ipsec sa global duration (traffic based): 1843200 kilobytes


ipsec sa global duration (time based): 3600 seconds

# View information of all the SAs.
[3Com] display ipsec sa
===============================
Interface: Ethernet1/0/0
path MTU: 1500
===============================
---------------------------------
IPsec policy name: "policy_isakmp"
sequence number: 10
mode: isakmp
---------------------------------
connection id: 4
in use settings = {tunnel}
tunnel local : 162.105.10.1
tunnel remote : 162.105.10.2
[inbound ah SAs]
  spi: 3752719292 (0xdfadf3bc)
  transform: AH-SHA1HMAC96
  sa remaining key duration (bytes/sec): (1887436384/3594)
  max received sequence-number: 4
[inbound esp SAs]
  spi: 74180629 (0x46be815)
  transform: ESP-ENCRYPT-3DES ESP-AUTH-MD5
  sa remaining key duration (bytes/sec): (1887436528/3594)
  max received sequence-number: 4
[outbound esp SAs]
  spi: 1394075637 (0x5317e7f5)
  transform: ESP-ENCRYPT-3DES ESP-AUTH-MD5
  sa remaining key duration (bytes/sec): (1887436464/3594)
  max sent sequence-number: 5
[outbound ah SAs]
  spi: 2132905296 (0x7f218d50)


  transform: AH-SHA1HMAC96
  sa remaining key duration (bytes/sec): (1887436336/3594)
  max sent sequence-number: 5

Table 19 Detailed information of IPSec SA
Item                           Description
Interface                      Interface using ipsec policy
path MTU                       Maximum IP packet length sent from the interface
ipsec policy                   ipsec policy used, including name, sequence number and negotiation method
connection id                  security channel identifier
in use settings                IPSec mode, including two types: transport mode and tunnel mode
tunnel local                   local IP address
tunnel remote                  remote IP address
inbound                        SA information of the inbound end
transform                      proposal used by the ipsec policy
sa remaining key duration      remaining duration of the SA
max received sequence-number   maximum sequence number of the received packets (the anti-replay function provided by the security protocol)
outbound                       SA information of the outbound end
max sent sequence-number       maximum sequence number of the sent packets (the anti-replay function provided by the security protocol)

display ipsec statistics

Syntax
display ipsec statistics

View
Any view

Parameter
None

Description
Using the display ipsec statistics command, you can view the IPSec packet statistics information, including the input and output security packet statistics, bytes, number of packets discarded and detailed description of discarded packets.

For the related command, see reset ipsec statistics.

Example
# View IPSec packet statistics.
<3Com> display ipsec statistics
the security packet statistics:
  input/output security packets: 5124/8231
  input/output security bytes: 52348/64356


  input/output dropped security packets: 0/0
  dropped security packet detail:
    no enough memory: 0
    can't find SA: 0
    queue is full: 0
    authen failed: 0
    invalid length: 0
    replay packet: 0
    too long packet: 0
    invalid SA: 0

Table 20 IPSec packet statistics
Item                                      Description
input/output security packets             input/output packets under the security protection
input/output security bytes               input/output bytes under the security protection
input/output discarded security packets   input/output packets under the security protection discarded by the router

encapsulation-mode

Syntax
encapsulation-mode { transport | tunnel }
undo encapsulation-mode

View
IPSec proposal view

Parameter
transport: Sets the encapsulation mode of IP packets to transport mode.
tunnel: Sets the encapsulation mode of IP packets to tunnel mode.

Description
Using the encapsulation-mode command, you can set the encapsulation mode that the security protocol applies to IP packets, which can be transport or tunnel. Using the undo encapsulation-mode command, you can restore it to the default. By default, tunnel mode is used.

There are two encapsulation modes where IPSec is used to encrypt and authenticate IP packets: transport mode and tunnel mode. In transport mode, IPSec does not encapsulate a new header into the IP packet. Both ends of the security tunnel are the source and destination of the original packets. In tunnel mode, IPSec protects the whole IP packet, and adds a new IP header in the front part of the IP packet. The source and destination addresses of the new IP header are the IP addresses of both ends of the tunnel.


Generally, the tunnel mode is used between two security gateways (routers). A packet encrypted in a security gateway can only be decrypted in another security gateway. So an IP packet needs to be encrypted in tunnel mode, that is, a new IP header is added; the IP packet encapsulated in tunnel mode is sent to another security gateway before it is decrypted.

The transport mode is suitable for communication between two hosts, or for communication between a host and a security gateway (like the network management communication between the gateway workstation and a router). In transport mode, the two devices responsible for encrypting and decrypting packets must be the original sender and receiver of the packet. Most of the data traffic between two security gateways is not the security gateways' own traffic, so the transport mode is not often used between security gateways.

The proposal used by the ipsec policies, set at both ends of the security tunnel, must be set as having the same packet encapsulation mode.

For the related commands, see ah authentication-algorithm, ipsec proposal, esp encryption-algorithm, esp authentication-algorithm, proposal and transform.

Example
# Set the proposal whose name is prop2 as using the transport mode to encapsulate IP packets.
[3Com] ipsec proposal prop2
[3Com-ipsec-proposal-prop2] encapsulation-mode transport

esp authentication-algorithm

Syntax
esp authentication-algorithm { md5 | sha1 }
undo esp authentication-algorithm

View
IPSec proposal configuration view

Parameter
md5: Use MD5 algorithm with the length of the key 128 bits.
sha1: Use SHA1 algorithm with the length of the key 160 bits.

Description
Using the esp authentication-algorithm command, you can set the authentication algorithm used by ESP. Using the undo esp authentication-algorithm command, you can set ESP not to authenticate packets. By default, MD5 algorithm is used.

MD5 is faster than SHA1, while SHA1 is more secure than MD5. ESP permits a packet to be encrypted or authenticated or both.


The encryption and authentication algorithms used by ESP cannot be set to vacant at the same time. The undo esp authentication-algorithm command is not used to restore the authentication algorithm to the default; instead it is used to set the authentication algorithm to vacant, i.e. no authentication. When the encryption algorithm is not vacant, the undo esp authentication-algorithm command is valid.

The proposal used by the ipsec policies, set at both ends of the security tunnel, must be set as having the same authentication algorithm.

For the related commands, see ipsec proposal, esp encryption-algorithm, proposal, sa encryption-hex and transform.

Example
# Set a proposal that adopts ESP, and uses SHA1.
[3Com] ipsec proposal prop1
[3Com-ipsec-proposal-prop1] transform esp
[3Com-ipsec-proposal-prop1] esp authentication-algorithm sha1

esp encryption-algorithm

Syntax
esp encryption-algorithm { 3des | des }
undo esp encryption-algorithm

View
IPSec proposal view

Parameter
des: Data Encryption Standard (DES), a universal encryption algorithm with the length of the key being 56 bits.
3des: 3DES (Triple DES), another universal encryption algorithm with the length of the key being 168 bits.

Description
Using the esp encryption-algorithm command, you can set the encryption algorithm adopted by ESP. Using the undo esp encryption-algorithm command, you can set the ESP not to encrypt packets. By default, DES algorithm is used.

3des can meet the requirement of high confidentiality and security, but it is comparatively slow. And DES can satisfy the normal security requirements.

ESP permits a packet to be encrypted or authenticated or both. The encryption and authentication methods used by ESP cannot be set to a vacant value at the same time. The undo esp encryption-algorithm command can take effect only if the authentication algorithm is not null.


For the related commands, see ipsec proposal, esp authentication-algorithm, proposal, sa encryption-hex and transform.

Example
# Set ESP to use 3des.
[3Com] ipsec proposal prop1
[3Com-ipsec-proposal-prop1] transform esp
[3Com-ipsec-proposal-prop1] esp encryption-algorithm 3des

ipsec policy(interface view)

Syntax
ipsec policy policy-name
undo ipsec policy

View
Interface view

Parameter
policy-name: Specifies the name of an ipsec policy group applied at the interface. The ipsec policy group with name policy-name should be configured in system view.

Description
Using the ipsec policy(interface view) command, you can apply an ipsec policy group with the name policy-name at the interface. Using the undo ipsec policy(interface view) command, you can cancel the ipsec policy group so as to disable the IPSec function of the interface.

At an interface only one ipsec policy group can be applied. An ipsec policy group can be applied at multiple interfaces.

When a packet is sent from an interface, the interface searches each ipsec policy in the ipsec policy group by number in ascending order. If the packet matches an access control list used by an ipsec policy, then this ipsec policy is used to process the packet; otherwise the search continues with the next ipsec policy. If the packet does not match any of the access control lists used by all the ipsec policies, it will be directly transmitted (that is, IPSec will not protect the packet).

To prevent transmitting any unencrypted packet from the interface, it is necessary to use the firewall together with IPSec; the firewall is for dropping all the packets that do not need to be encrypted.

For the related command, see ipsec policy(system view).

Example
# Apply an ipsec policy whose name is policy1 to interface Serial 4/1/2.
[3Com] interface serial 4/1/2
[3Com-Serial4/1/2] ipsec policy policy1
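
The following Python script is an added example, not part of the 3Com documentation. It models the lookup described above and under security acl: policies are searched in ascending sequence number, a packet permitted by a policy's ACL is protected by that policy, and a packet claimed by no policy leaves the interface without IPSec. ACL 101 is the rule from the security acl example; ACL 102, sequence number 200 and the sample flows are constructed, and first-match rule order inside an ACL is an assumption.

```python
import ipaddress
from dataclasses import dataclass


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """True when addr equals base in every bit the wildcard mask leaves at 0."""
    care_bits = ~_ip(wildcard) & 0xFFFFFFFF
    return ((_ip(addr) ^ _ip(base)) & care_bits) == 0


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    protocol: str      # "tcp", "udp", ... or "ip" for any protocol
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str

    def matches(self, protocol, src, dst):
        return (self.protocol in ("ip", protocol)
                and wildcard_match(src, self.src, self.src_wildcard)
                and wildcard_match(dst, self.dst, self.dst_wildcard))


@dataclass(frozen=True)
class Policy:
    name: str
    seq: int
    acl: tuple         # rules of the ACL bound with "security acl"


def acl_permits(acl, protocol, src, dst):
    """Assumption: rules are checked in listed order and the first match decides."""
    for rule in acl:
        if rule.matches(protocol, src, dst):
            return rule.action == "permit"
    return False       # no rule matched: this policy does not protect the packet


def select_policy(group, protocol, src, dst):
    """Search the group in ascending sequence number.

    Returns the sequence number of the policy that protects the packet,
    or None when the packet would be transmitted without IPSec.
    """
    for policy in sorted(group, key=lambda p: p.seq):
        if acl_permits(policy.acl, protocol, src, dst):
            return policy.seq
    return None


def cleartext_flows(group, flows):
    """Flows that no policy claims; these need a firewall rule to be dropped."""
    return [flow for flow in flows if select_policy(group, *flow) is None]


# ACL 101 is taken from the security acl example; ACL 102 is constructed.
ACL_101 = (Rule("permit", "tcp", "10.1.1.1", "0.0.0.255", "10.1.1.2", "0.0.0.255"),)
ACL_102 = (
    Rule("deny", "udp", "10.1.1.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
    Rule("permit", "ip", "10.1.1.0", "0.0.0.255", "10.2.0.0", "0.0.255.255"),
)
GROUP = [Policy("beijing", 200, ACL_102), Policy("beijing", 100, ACL_101)]

# Constructed sample flows: (protocol, source, destination).
FLOWS = [
    ("tcp", "10.1.1.7", "10.1.1.20"),
    ("udp", "10.1.1.7", "10.1.1.20"),
    ("icmp", "10.1.1.7", "10.2.3.4"),
    ("tcp", "192.168.0.1", "10.1.1.20"),
]

if __name__ == "__main__":
    for flow in FLOWS:
        seq = select_policy(GROUP, *flow)
        verdict = f"protected by sequence {seq}" if seq else "sent WITHOUT IPSec"
        print(flow, "->", verdict)
```

Every flow returned by cleartext_flows is one that the accompanying firewall must drop if no unencrypted packet may leave the interface.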


ipsec policy (system view)

Syntax
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]
undo ipsec policy policy-name [ seq-number ]

View
System view

Parameter
policy-name: Name of the ipsec policy. The naming rule is: the length of the name is 1 to 15 characters, the name is case insensitive, and the characters can be English characters or numbers but cannot include “-”.
seq-number: Sequence number of the ipsec policy, ranging from 1 to 10000, with a lower value indicating higher sequence priority.
manual: Sets up SA manually.
isakmp: Sets up SA through IKE negotiation.
template: Dynamically sets up SA by using a policy template. The policy-name discussed here will reference template-name, which is a created policy template thus named.
template-name: Name of the template.

Description
Using the ipsec policy command, you can establish or modify an ipsec policy, and enter ipsec policy view. Using the undo ipsec policy policy-name command, you can delete an ipsec policy group whose name is policy-name. Using the undo ipsec policy policy-name seq-number command, you can delete an ipsec policy whose name is policy-name and sequence number is seq-number. By default, no ipsec policy exists.

To establish an ipsec policy, it is necessary to specify the negotiation mode (manual or isakmp). To modify the ipsec policy, it is not necessary to specify a negotiation mode. Once the ipsec policy is established, its negotiation mode cannot be modified. For example, if an ipsec policy is established in manual mode it cannot be changed to isakmp mode; this ipsec policy must be deleted and then recreated, if appropriate, with the negotiation mode being isakmp.

Ipsec policies with the same name constitute an ipsec policy group. The name and sequence number are used together to define a unique ipsec policy. In an ipsec policy group, at most 100 ipsec policies can be set. In an ipsec policy group, the smaller the sequence number of an ipsec policy is, the higher is its preference.

Applying an ipsec policy group at an interface means applying all ipsec policies in the group simultaneously, so that different data streams can be protected by adopting different SAs.


Using the ipsec policy policy-name seq-number isakmp template template-name command, you can establish an ipsec policy according to the template through IKE negotiation. Before using this command, the template should have been created. During the negotiation and policy matching, the parameters defined in the template should be compliant; the other parameters are decided by the initiator. The proposal must be defined in the policy template; other parameters are optional.

Note that IKE will not use a policy with a template argument to initiate a negotiation. Rather, it uses such a policy to respond to the negotiation initiated by its peer.

For the related commands, see ipsec policy (interface view), security acl, tunnel local, tunnel remote, sa duration, proposal, display ipsec policy, ipsec policy-template, and ike-peer.

Example
# Set an ipsec policy whose name is newpolicy1, sequence number is 100, and negotiation mode is isakmp.
[3Com] ipsec policy newpolicy1 100 isakmp
[3Com-ipsec-policy-isakmp-newpolicy1-100]

ipsec policy-template

Syntax
ipsec policy-template policy-name seq-number
undo ipsec policy-template policy-name [ seq-number ]

View
System view

Parameter
policy-name: Name of the ipsec policy. The naming rule is as follows: length is 1 to 15 bytes, the name is case insensitive, and the characters can be English characters or numbers but cannot include “-”.
seq-number: Serial number of the ipsec policy, ranging from 1 to 10000. In one ipsec policy group, the smaller the serial number of the ipsec policy, the higher the preference.

Description
Using the ipsec policy-template command, you can establish or modify an ipsec policy template, and enter ipsec policy view. Using the undo ipsec policy-template policy-name command, you can delete the ipsec policy group named policy-name. Using the undo ipsec policy-template policy-name seq-number command, you can delete an ipsec policy with the name policy-name and the serial number seq-number. By default, no ipsec policy template exists.

IPSec Configuration Commands

917

A policy template that has been created with the name being template-name can be referenced by the ipsec policy policy-name seq-number isakmp template template-name command to create an IPSec policy. The IPSec policy template and the security policy of IPSec IPSAMP negotiation share the same kinds of arguments, including the referenced IPSec proposal, the protected traffic, PFS feature, lifetime, and the address of the remote tunnel end. However, you should note that the proposal argument is compulsory to be configured whereas other arguments are optional. If an IPSec policy template is used for the policy match operation undertaken in an IKE negotiation, the configured arguments must be matched, and the settings of the initiator will be used if the corresponding arguments have not been configured. For the related commands, see ipsec policy, security acl, tunnel local, tunnel remote, proposal, display ipsec policy, and ike-peer. Example # Establish an ipsec policy template with the name template1 and the serial number 100.
[3Com] ipsec policy-template template1 100 [3Com-ipsec-policy-template- template1-100]

ipsec proposal

Syntax
ipsec proposal proposal-name
undo ipsec proposal proposal-name

View
System view

Parameter
proposal-name: Name of the specified proposal. The naming rule is: the length of the name is 1 to 15 characters, case insensitive.

Description
Using the ipsec proposal proposal-name command, you can establish or modify a proposal named proposal-name, and enter IPSec proposal view. Using the undo ipsec proposal proposal-name command, you can delete the proposal named proposal-name.

By default, no proposal exists.

This proposal is a combination of the security protocol, encryption and authentication algorithm and packet encapsulation format for implementing IPSec protection. An ipsec policy determines the protocol, algorithm and encapsulation mode to be adopted by the use of the proposal. Before the ipsec policy uses a proposal, this proposal must have already been set up.

After a new IPSec proposal is established by using the ipsec proposal command, the ESP protocol, DES encryption algorithm and MD5 authentication algorithm are adopted by default.

For the related commands, see ah authentication-algorithm, esp encryption-algorithm, esp authentication-algorithm, encapsulation-mode, proposal, display ipsec proposal and transform.

Example
# Establish a proposal named newprop1.
[3Com] ipsec proposal newprop1

ipsec sa global-duration

Syntax
ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
undo ipsec sa global-duration { time-based | traffic-based }

View
System view

Parameter
time-based seconds: Time-based global SA duration in seconds, ranging 30 to 604800 seconds. It is 3600 seconds (1 hour) by default.
traffic-based kilobytes: Traffic-based global SA duration in kilobytes, ranging 256 to 4194303 kilobytes. It is 1843200 kilobytes by default, and when the traffic reaches this value, the duration expires.

Description
Using the ipsec sa global-duration command, you can set a global SA duration. Using the undo ipsec sa global-duration command, you can restore the default setting of the global SA duration.

When IKE negotiates to establish an SA, if the adopted IPSec policy is not configured with its own duration, the system will use the global SA duration specified by this command to negotiate with the peer. If the IPSec policy is configured with its own duration, the system will use the duration of the IPSec policy to negotiate with the peer. When IKE negotiates to set up an SA for IPSec, the smaller one of the lifetime set locally and that proposed by the remote is selected.

There are two types of SA duration, time-based (in seconds) and traffic-based (in kilobytes) lifetimes. The traffic-based SA duration, that is, the valid time of the SA, is accounted according to the total traffic that can be processed by this SA, and the SA is invalid when the set value is exceeded. Whichever of the two types expires first, the SA becomes invalid. Before the SA becomes invalid, IKE will set up a new SA for IPSec through negotiation, so a new SA is ready before the existing one becomes invalid.

Modifying the global SA duration will not affect an ipsec policy that has individually set up its own SA duration, or an SA already set up. But the modified global SA duration will be used to set up a new SA in future IKE negotiations.

The SA duration does not function for an SA manually set up, that is, the SA manually set up will never be invalidated.

For the related commands, see sa duration and display ipsec sa duration.

Example
# Set the global SA duration to 2 hours.
[3Com] ipsec sa global-duration time-based 7200

# Set the global SA duration to 10M bytes transmitted.
[3Com] ipsec sa global-duration traffic-based 10000

pfs

Syntax
pfs { dh-group1 | dh-group2 }
undo pfs

View
IPSec policy view, IPSec policy template view

Parameter
dh-group1: Specifies that the 768-bit Diffie-Hellman group is used.
dh-group2: Specifies that the 1024-bit Diffie-Hellman group is used.

Description
Using the pfs command, you can set the Perfect Forward Secrecy (PFS) feature for the IPSec policy to initiate the negotiation. Using the undo pfs command, you can disable the PFS feature for the negotiation.

By default, no PFS feature is used.

The command is used to add a PFS exchange process when IPSec uses the ipsec policy to initiate a negotiation. This additional key exchange is performed during the phase 2 negotiation to enhance the communication’s safety. The DH group specified by the local and remote ends must be consistent, otherwise the negotiation will fail.

This command can be used only when the security association (SA) is established through IKE.

For the related commands, see ipsec policy-template, ipsec policy(system view), ipsec policy(interface view), tunnel local, tunnel remote, sa duration and proposal.

Example
# Set that PFS must be used when negotiating through ipsec policy shanghai 200.
[3Com] ipsec policy shanghai 200 isakmp
[3Com-ipsec-policy-isakmp-shanghai-200] pfs dh-group1

proposal

Syntax
proposal proposal-name1 [ proposal-name2...proposal-name6 ]
undo proposal [ proposal-name ]

View
IPSec policy view, IPSec policy template view

Parameter
proposal-name1,…, proposal-name6: Name of the proposals adopted.

Description
Using the proposal command, you can set the proposal used by the IPSec policy. Using the undo proposal command, you can cancel the proposal used by the IPSec policy.

By default, no proposal is used.

Before using this command, the corresponding IPSec proposal must have been configured.

If set up in manual mode, an SA can only use one proposal. If a proposal is already set, it needs to be deleted by using the undo proposal command before a new one can be set.

If set up in isakmp mode, an SA can use six proposals at most. IKE negotiation will search for the matching proposal at both ends of the security tunnel.

If it is the IPSec template, each template can use six proposals at most, and the IKE negotiation will search for the matching proposal.

For the related commands, see ipsec proposal, ipsec policy(system view), ipsec policy(interface view), security acl, tunnel local and tunnel remote.

Example
# Set a proposal named prop1, adopting ESP and the default algorithms, and set an IPSec policy to use the proposal named prop1.
[3Com] ipsec proposal prop1
[3Com-ipsec-proposal-prop1] transform esp
[3Com-ipsec-proposal-prop1] quit
[3Com] ipsec policy policy1 100 manual
[3Com-ipsec-policy-manual-policy1-100] proposal prop1

reset ipsec sa

Syntax
reset ipsec sa [ remote ip-address | policy policy-name [ seq-number ] | parameters dest-addr protocol spi ]

View
User view

Parameter
remote ip-address: Specifies remote address, in dotted decimal format.
policy: Specifies the IPSec policy.
policy-name: Specifies the name of the IPSec policy. The naming rule is as follows: length is 1 to 15 characters, case sensitive, and the character can be English character or number.
seq-number: Optional parameter specifying the serial number of the ipsec policy. If no seq-number is specified, the IPSec policy refers to all the policies in the IPSec policy group named policy-name.
parameters: Defines a Security Association (SA) by the destination address, security protocol and SPI.
dest-addr: Specifies the destination address in the dotted decimal IP address format.
protocol: Specifies the security protocol by inputting the key word ah or esp, case insensitive. ah indicates the Authentication Header protocol and esp indicates Encapsulating Security Payload.
spi: Specifies the security parameter index (SPI), ranging 256 to 4294967295.

Description
Using the reset ipsec sa command, you can delete an SA already set up (manually or through IKE negotiation). If no parameter (remote, policy, parameters) is specified, all the SAs will be deleted.

An SA is uniquely identified by a triplet of IP address, security protocol and SPI. An SA can be set up either manually or through Internet Key Exchange (IKE) negotiation.

If an SA set up manually is deleted, the system will automatically set up a new SA according to the parameters manually set up.

If a packet re-triggers IKE negotiation after an SA set up through IKE negotiation is deleted, IKE will reestablish an SA through negotiation.

The keyword parameters will take effect only after the spi of the outbound SA is defined. Because SAs appear in pairs, the inbound SA will also be deleted after the outbound SA is deleted.

For the related command, see display ipsec sa.

Example
# Delete all the SAs.
<3Com> reset ipsec sa

# Delete an SA whose remote IP address is 10.1.1.2.
<3Com> reset ipsec sa remote 10.1.1.2

# Delete all the SAs in policy1.
<3Com> reset ipsec sa policy policy1

# Delete the SA of the ipsec policy with the name policy1 and the serial number 10.
<3Com> reset ipsec sa policy policy1 10

# Delete an SA whose remote IP address is 10.1.1.2, security protocol is AH, and SPI is 10000.
<3Com> reset ipsec sa parameters 10.1.1.2 ah 10000

reset ipsec statistics

Syntax
reset ipsec statistics

View
User view

Parameter
none

Description
Using the reset ipsec statistics command, you can clear IPSec message statistics, and set all the statistics to zero.

For the related command, see display ipsec statistics.

Example
# Clear IPSec message statistics.
<3Com> reset ipsec statistics

sa authentication-hex

Syntax
sa authentication-hex { inbound | outbound } { ah | esp } hex-key
undo sa authentication-hex { inbound | outbound } { ah | esp }

View
IPSec policy view in manual mode

Parameter
inbound: Configures the authentication-hex parameter for the inbound SA. IPSec uses the inbound SA for processing the packet in the inbound direction (received).
outbound: Configures the authentication-hex parameter for the outbound SA. IPSec uses the outbound SA for processing the packet in the outbound direction (sent).
ah: Sets the authentication-hex parameter for the SA using AH. If the IPSec proposal used by the ipsec policy adopts AH, the ah key word is used here to set the AH relevant parameter of the SA.
esp: Sets the authentication-hex parameter for the SA using ESP. If the IPSec proposal used by the ipsec policy adopts ESP, the esp key word is used here to set the ESP relevant parameter of the SA.
hex-key: Specifies a key for the SA input in the hex format. If MD5 is used, then input a 16-byte key; if SHA1 is used, input a 20-byte key.

Description
Using the sa authentication-hex command, you can set the SA authentication key manually for the ipsec policy of manual mode. Using the undo sa authentication-hex command, you can delete the SA authentication key already set.

This command is only used for the ipsec policy in manual mode.

For the ipsec policy in isakmp mode, it is unnecessary to set the SA parameter manually. IKE will automatically negotiate the SA parameter and establish an SA.

When configuring the SA of manual mode, the SA parameters of inbound and outbound directions must be set separately.

The SA parameters set at both ends of the security tunnel must be fully matching. The SPI and key of the inbound SA at the local end must be the same as those of the outbound SA at the remote end. The SPI and key of the outbound SA at the local end must be the same as those of the inbound SA at the remote end.

There are two methods for inputting the key, hex and character string. For the character string key and hex string key, the last one set will be adopted. At both ends of a security tunnel, the key should be input by the same method. If the key is input in character string at one end, and it is input in hex at the other end, then a security tunnel cannot be set up correctly.

For the related commands, see ipsec policy(system view), ipsec policy(interface view), security acl, tunnel local, tunnel remote, sa duration and proposal.

Example
# Set the SPI of the inbound SA to 10000, and the key to 0x112233445566778899aabbccddeeff00; set the SPI of the outbound SA to 20000, and its key to 0xaabbccddeeff001100aabbccddeeff00 in the ipsec policy using AH and MD5.
[3Com] ipsec proposal prop_ah
[3Com-ipsec-proposal-prop_ah] transform ah
[3Com-ipsec-proposal-prop_ah] ah authentication-algorithm md5
[3Com-ipsec-proposal-prop_ah] quit
[3Com] ipsec policy tianjin 100 manual
[3Com-ipsec-policy-manual-tianjin-100] proposal prop_ah
[3Com-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[3Com-ipsec-policy-manual-tianjin-100] sa authentication-hex inbound ah 112233445566778899aabbccddeeff00
[3Com-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000
[3Com-ipsec-policy-manual-tianjin-100] sa authentication-hex outbound ah aabbccddeeff001100aabbccddeeff00

sa duration

Syntax
sa duration { traffic-based kilobytes | time-based seconds }
undo sa duration { traffic-based | time-based }

View
IPSec policy view, IPSec policy template view

Parameter
time-based seconds: Time-based SA duration in seconds, ranging 30 to 604800 seconds. It is 3600 seconds (1 hour) by default.
traffic-based kilobytes: Traffic-based SA duration in kilobytes, ranging 256 to 4194303 kilobytes. It is 1843200 kilobytes by default.

Description
Using the sa duration command, you can set an SA duration of the ipsec policy. Using the undo sa duration command, you can cancel the SA duration, i.e., restore the use of the global SA duration.

When IKE negotiates to establish an SA, if the adopted IPSec policy is not configured with its own duration, the system will use the global SA duration to negotiate with the peer. If the IPSec policy is configured with its own duration, the system will use the duration of the IPSec policy to negotiate with the peer. When IKE negotiates to set up an SA for IPSec, the shorter one of the lifetime set locally and that proposed by the remote is selected.

There are two types of SA duration, time-based (in seconds) and traffic-based (in kilobytes) lifetimes. The traffic-based SA duration, that is, the valid time of the SA, is accounted according to the total traffic that can be processed by this SA, and the SA is invalid when the set value is exceeded. Whichever of the two types expires first, the SA becomes invalid. Before the SA becomes invalid, IKE will set up a new SA for IPSec through negotiation, so a new SA is ready before the existing one becomes invalid.

The SA duration does not function for an SA manually set up, that is, the SA manually set up will never be invalidated.

For the related commands, see ipsec sa global-duration, ipsec policy(system view), ipsec policy(interface view), security acl, tunnel local, tunnel remote and proposal.

Example
# Set the SA duration for the ipsec policy shenzhen 100 to 2 hours, that is, 7200 seconds.
[3Com] ipsec policy shenzhen 100 isakmp
[3Com-ipsec-policy-isakmp-shenzhen-100] sa duration time-based 7200

# Set the SA duration for the ipsec policy shenzhen 100 to 20M bytes, that is, the SA expires when the traffic exceeds 20000 kilobytes.
[3Com] ipsec policy shenzhen 100 isakmp
[3Com-ipsec-policy-isakmp-shenzhen-100] sa duration traffic-based 20000

sa encryption-hex

Syntax
sa encryption-hex { inbound | outbound } esp hex-key
undo sa encryption-hex { inbound | outbound } esp

View
IPSec policy view in manual mode

Parameter
inbound: Sets the encryption-hex parameter for the inbound SA. IPSec uses the inbound SA for processing the packet in the inbound direction (received).
outbound: Sets the encryption-hex parameter for the outbound SA. IPSec uses the outbound SA for processing the packet in the outbound direction (sent).
esp: Sets the encryption-hex parameter for the SA using ESP. If the IPSec proposal used by the ipsec policy adopts ESP, the esp key word is used here to set the ESP relevant parameter of the SA.
hex-key: Specifies a key for the SA input in the hex format. When applied in ESP, if DES is used, then input an 8-byte key; if 3DES is used, then input a 24-byte key.

Description
Using the sa encryption-hex command, you can set the SA encryption key manually for the ipsec policy of manual mode. Using the undo sa encryption-hex command, you can delete the SA parameter already set.

This command is only used for the ipsec policy in manual mode. It is used to set the SA parameter manually and establish an SA manually.

For the ipsec policy in isakmp mode, it is unnecessary to set the SA parameter manually, and this command is invalid. IKE will automatically negotiate the SA parameter and establish an SA.

When configuring the SA of manual mode, the SA parameters of inbound and outbound directions must be set separately.

The SA parameters set at both ends of the security tunnel must be fully matching. The SPI and key of the inbound SA at the local end must be the same as those of the outbound SA at the remote end. The SPI and key of the outbound SA at the local end must be the same as those of the inbound SA at the remote end.

For the related commands, see ipsec policy(system view), ipsec policy(interface view), security acl, tunnel local, tunnel remote, sa duration and proposal.

Example
# Set the SPI of the inbound SA to 10000, and the key to 0x1234567890abcdef; set the SPI of the outbound SA to 20000, and its key to 0xabcdefabcdef1234 in the ipsec policy using ESP and DES.
[3Com] ipsec proposal prop_esp
[3Com-ipsec-proposal-prop_esp] transform esp
[3Com-ipsec-proposal-prop_esp] esp encryption-algorithm des
[3Com-ipsec-proposal-prop_esp] quit
[3Com] ipsec policy tianjin 100 manual
[3Com-ipsec-policy-manual-tianjin-100] proposal prop_esp
[3Com-ipsec-policy-manual-tianjin-100] sa spi inbound esp 10000
[3Com-ipsec-policy-manual-tianjin-100] sa encryption-hex inbound esp 1234567890abcdef
[3Com-ipsec-policy-manual-tianjin-100] sa spi outbound esp 20000
[3Com-ipsec-policy-manual-tianjin-100] sa encryption-hex outbound esp abcdefabcdef1234

sa spi

Syntax
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }

View
IPSec policy view in manual mode

Parameter
inbound: Sets the spi parameter for the inbound SA. IPSec uses the inbound SA for processing the packet in the inbound direction (received).
outbound: Sets the spi parameter for the outbound SA. IPSec uses the outbound SA for processing the packet in the outbound direction (sent).
ah: Sets the spi parameter for the SA using AH. If the IPSec proposal set used by the ipsec policy adopts AH, the ah key word is used here to set the spi relevant parameter of the SA.
esp: Sets the spi parameter for the SA using ESP. If the IPSec proposal set used by the ipsec policy adopts ESP, the esp key word is used here to set the spi relevant parameter of the SA.
spi-number: Security Parameter Index (SPI) in the triplet identification of the SA, ranging 256 to 4294967295. The triplet identification of the SA, which appears as SPI, destination address, and protocol number, must be unique.

Description
Using the sa spi command, you can set the SA SPI manually for the ipsec policy of manual mode. Using the undo sa spi command, you can delete the SA SPI already set.

This command is only used for the ipsec policy in manual mode. It is used to set the SA parameter manually and establish an SA manually.

For the ipsec policy in isakmp mode, it is unnecessary to set the SA parameter manually, and this command is invalid. IKE will automatically negotiate the SA parameter and establish an SA.

When configuring the SA of manual mode, the SA parameters of inbound and outbound directions must be set separately.

The SA parameters set at both ends of the security tunnel must be fully matching. The SPI and key of the inbound SA at the local end must be the same as those of the outbound SA at the remote end. The SPI and key of the outbound SA at the local end must be the same as those of the inbound SA at the remote end.

For the related commands, see ipsec policy(system view), ipsec policy(interface view), security acl, tunnel local, tunnel remote, sa duration and proposal.

Example
# Set the SPI of the inbound SA to 10000, and set the SPI of the outbound SA to 20000, in the ipsec policy using AH and MD5.
[3Com] ipsec proposal prop_ah
[3Com-ipsec-proposal-prop_ah] transform ah
[3Com-ipsec-proposal-prop_ah] ah authentication-algorithm md5
[3Com-ipsec-proposal-prop_ah] quit
[3Com] ipsec policy tianjin 100 manual
[3Com-ipsec-policy-manual-tianjin-100] proposal prop_ah
[3Com-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[3Com-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000
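
The SPI range, hex-key lengths and inbound/outbound matching rules stated for sa spi, sa authentication-hex and sa encryption-hex can be checked before a manual-mode policy is applied at both ends. The following Python script is an added example, not part of the 3Com manual: its function names are hypothetical, LOCAL reuses the values of the sa authentication-hex example, and both remote configurations are constructed.

```python
import re

# Key sizes in bytes and SPI range, taken from the parameter descriptions above.
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}
ENC_KEY_BYTES = {"des": 8, "3des": 24}
SPI_MIN, SPI_MAX = 256, 4294967295

PROMPT = re.compile(r"^\s*\[[^\]]*\]\s*")  # e.g. [3Com-ipsec-policy-manual-tianjin-100]
SA_LINE = re.compile(
    r"sa\s+(spi|authentication-hex|encryption-hex)\s+"
    r"(inbound|outbound)\s+(ah|esp)\s+(\S+)$"
)

# Constructed sample input; LOCAL reuses the values of the manual's example.
LOCAL = """\
[3Com] ipsec policy tianjin 100 manual
[3Com-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[3Com-ipsec-policy-manual-tianjin-100] sa authentication-hex inbound ah 112233445566778899aabbccddeeff00
[3Com-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000
[3Com-ipsec-policy-manual-tianjin-100] sa authentication-hex outbound ah aabbccddeeff001100aabbccddeeff00
"""
REMOTE_OK = """\
sa spi inbound ah 20000
sa authentication-hex inbound ah aabbccddeeff001100aabbccddeeff00
sa spi outbound ah 10000
sa authentication-hex outbound ah 112233445566778899aabbccddeeff00
"""
REMOTE_BAD = """\
sa spi inbound ah 20000
sa authentication-hex inbound ah aabbccddeeff001100aabbccddeeff
sa spi outbound ah 10001
sa authentication-hex outbound ah 112233445566778899aabbccddeeff00
"""


def parse_manual_sa(config_text):
    """Collect the sa spi / sa *-hex settings of one manual-mode policy.

    Returns {(direction, protocol): {setting: value}}. A later line for the
    same setting overrides an earlier one.
    """
    sas = {}
    for raw in config_text.splitlines():
        match = SA_LINE.match(PROMPT.sub("", raw).strip())
        if match:
            kind, direction, protocol, value = match.groups()
            sas.setdefault((direction, protocol), {})[kind] = value.lower()
    return sas


def check_local(sas, auth_alg, enc_alg=None):
    """Check the SPI range and the hex-key length of every SA on one peer."""
    sizes = {"authentication-hex": AUTH_KEY_BYTES[auth_alg]}
    if enc_alg:
        sizes["encryption-hex"] = ENC_KEY_BYTES[enc_alg]
    findings = []
    for (direction, protocol), sa in sorted(sas.items()):
        where = f"{direction} {protocol}"
        spi = sa.get("spi")
        if spi is None:
            findings.append(f"{where}: key configured but no sa spi")
        elif not spi.isdigit() or not SPI_MIN <= int(spi) <= SPI_MAX:
            findings.append(f"{where}: spi outside {SPI_MIN}-{SPI_MAX}")
        for kind, size in sizes.items():
            key = sa.get(kind)
            if key is not None and (
                not re.fullmatch(r"[0-9a-f]+", key) or len(key) != 2 * size
            ):
                findings.append(f"{where}: {kind} is not {size} bytes of hex")
    return findings


def check_mirror(local, remote):
    """Inbound settings at one end must equal outbound settings at the other.

    Findings name the mismatching setting but never echo key material.
    """
    findings = []
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        for protocol in ("ah", "esp"):
            a = local.get((mine, protocol), {})
            b = remote.get((theirs, protocol), {})
            for kind in sorted(set(a) | set(b)):
                if a.get(kind) != b.get(kind):
                    findings.append(
                        f"local {mine} {protocol} {kind} != "
                        f"remote {theirs} {protocol} {kind}"
                    )
    return findings


if __name__ == "__main__":
    local = parse_manual_sa(LOCAL)
    for name, text in (("REMOTE_OK", REMOTE_OK), ("REMOTE_BAD", REMOTE_BAD)):
        remote = parse_manual_sa(text)
        problems = check_local(remote, "md5") + check_mirror(local, remote)
        print(name, problems or "consistent")
```
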

sa string-key

Syntax
sa string-key { inbound | outbound } { ah | esp } string-key
undo sa string-key { inbound | outbound } { ah | esp }

View
IPSec policy view in manual mode

Parameter
inbound: Sets the string-key parameter for the inbound SA. IPSec uses the inbound SA for processing the packet in the inbound direction (received).
outbound: Sets the string-key parameter for the outbound SA. IPSec uses the outbound SA for processing the packet in the outbound direction (sent).
ah: Sets the string-key parameter for the SA using AH. If the IPSec proposal set used by the ipsec policy adopts AH, the ah key word is used here to set the string-key relevant parameter of the SA.
esp: Sets the string-key parameter for the SA using ESP. If the IPSec proposal set used by the ipsec policy adopts ESP, the esp key word is used here to set the string-key relevant parameter of the SA.
string-key: Specifies the key for an SA input in the character string format, with a length ranging 1 to 256 characters. For different algorithms, you can input character strings of any length in the specified range, and the system will generate keys meeting the algorithm requirements automatically according to the input character strings. As for ESP, the system will automatically generate the key for the authentication algorithm and that for the encryption algorithm at the same time.

Description
Using the sa string-key command, you can set the SA parameter manually for the ipsec policy of manual mode. Using the undo sa string-key command, you can delete the SA parameter already set.

This command is only used for the ipsec policy in manual mode. It is used to set the SA parameter manually and establish an SA manually.

For the ipsec policy in isakmp mode, it is unnecessary to set the SA parameter manually, and this command is invalid. IKE will automatically negotiate the SA parameter and establish an SA.

When configuring the SA of manual mode, the SA parameters of inbound and outbound directions must be set separately.

The SA parameters set at both ends of the security tunnel must be fully matching. The SPI and key of the inbound SA at the local end must be the same as those of the outbound SA at the remote end. The SPI and key of the outbound SA at the local end must be the same as those of the inbound SA at the remote end.

There are two methods for inputting the key, hex and character string. For the character string key and hex string key, the last one set will be adopted. At both ends of a security tunnel, the key should be input by the same method. If the key is input in character string at one end, and it is input in hex at the other end, then a security tunnel cannot be set up correctly.

For the related commands, see ipsec policy(system view), ipsec policy(interface view), security acl, tunnel local, tunnel remote, sa duration and proposal.

Example
# Set the SPI of the inbound SA to 10000, and the key string to abcdef; set the SPI of the outbound SA to 20000, and its key string to efcdab in the ipsec policy using AH and MD5.
[3Com] ipsec proposal prop_ah
[3Com-ipsec-proposal-prop_ah] transform ah
[3Com-ipsec-proposal-prop_ah] ah authentication-algorithm md5
[3Com-ipsec-proposal-prop_ah] quit
[3Com] ipsec policy tianjin 100 manual
[3Com-ipsec-policy-manual-tianjin-100] proposal prop_ah
[3Com-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[3Com-ipsec-policy-manual-tianjin-100] sa string-key inbound ah abcdef
[3Com-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000
[3Com-ipsec-policy-manual-tianjin-100] sa string-key outbound ah efcdab

security acl

Syntax
security acl acl-number
undo security acl

View
IPSec policy view, IPSec policy template view

Parameter
acl-number: Specifies the number of the access control list used by the ipsec policy, ranging 1000 to 1999.

Description
Using the security acl command, you can set an access control list to be used by the ipsec policy. Using the undo security acl command, you can remove the access control list used by the ipsec policy.

By default, no ACL has been specified for the IPSec policies.

The data flow that will be protected by the IPSec policy is confined by the ACL in this command. According to the rules in the ACL, IPSec determines which packets need security protection and which do not. A packet permitted by the access control list will be protected, and a packet denied by the access control list will not be protected. The denied packets are sent out directly without IPSec protection.

For the related commands, see ipsec policy(system view), ipsec policy(interface view), tunnel local, tunnel remote, sa duration and proposal.

Example
# Set the ipsec policy as using access control list 101.
[3Com] acl number 101
[3Com-acl-adv-101] rule permit tcp source 10.1.1.1 0.0.0.255 destination 10.1.1.2 0.0.0.255
[3Com-acl-adv-101] quit
[3Com] ipsec policy beijing 100 manual
[3Com-ipsec-policy-manual-beijing-100] security acl 101

transform

Syntax
transform { ah | ah-esp | esp }
undo transform

View
IPSec proposal view

Parameter
ah: Uses AH protocol specified in RFC2402.
ah-esp: Uses ESP specified in RFC2406 to protect the packets and then uses AH protocol specified in RFC2402 to authenticate packets.
esp: Uses ESP specified in RFC2406.

Description
Using the transform command, you can set a security protocol used by a proposal. Using the undo transform command, you can restore the default security protocol.

By default, esp, that is, the ESP specified in RFC2406, is used.

If ESP is adopted, the default encryption algorithm is DES and the authentication algorithm is MD5.

If AH is adopted, the default authentication algorithm is MD5.

If the parameter ah-esp is specified, the default authentication algorithm for AH is MD5 and the default encryption algorithm for ESP is DES without authentication.

AH protocol provides data authentication, data integrity check and anti-replay function. ESP protocol provides data authentication, data integrity check, anti-replay function and data encryption.

While establishing an SA manually, the proposals used by the ipsec policy set at both ends of the security tunnel must be set as using the same security protocol.

The following figure illustrates the data encapsulation formats of different security protocols in the transport mode and the tunnel mode.
Figure 2 Data encapsulation formats of security protocols
[Figure: encapsulation format for each security protocol (ah, esp, ah-esp) in each transfer mode (transport, tunnel), composed of the fields IP, AH, ESP, data and ESP-T.]

“data” in the figure is the original IP datagram.

For the related commands, see ah authentication-algorithm, ipsec proposal, esp encryption-algorithm, esp authentication-algorithm, encapsulation-mode and proposal.

Example
# Set a proposal using AH.
[3Com] ipsec proposal prop1
[3Com-ipsec-proposal-prop1] transform ah

tunnel local

Syntax
tunnel local ip-address
undo tunnel local

View
IPSec policy view in manual mode

Parameter
ip-address: Local address in dotted decimal format.

Description
Using the tunnel local command, you can set the local address of an ipsec policy. Using the undo tunnel local command, you can delete the local address set in the ipsec policy.

By default, the local address of an ipsec policy is not configured.

It is not necessary to set a local address for an ipsec policy in isakmp mode, so this command is invalid in this situation. IKE can automatically obtain the local address from the interface where this ipsec policy is applied.

As for the ipsec policy in manual mode, it is necessary to set the local address before the SA can be established. A security tunnel is set up between the local and remote end, so the local address and remote address must be correctly configured before a security tunnel can be set up.

For the related commands, see ipsec policy(system view), ipsec policy(interface view), security acl, tunnel remote, sa duration and proposal.

Example
# Set the local address for the ipsec policy, which is applied at serial 4/1/2 whose IP address is 10.0.0.1.
[3Com] ipsec policy guangzhou 100 manual
[3Com-ipsec-policy-manual-guangzhou-100] tunnel local 10.0.0.1
[3Com-ipsec-policy-manual-guangzhou-100] quit
[3Com] interface serial 4/1/2
[3Com-if-Serial4/1/2] ipsec policy guangzhou

tunnel remote

Syntax
tunnel remote ip-address
undo tunnel remote [ ip-address ]

View
Manually-established IPSec policy view

Parameter
ip-address: Remote address in dotted decimal format.

Description
Using the tunnel remote command, you can set the remote address of an ipsec policy. Using the undo tunnel remote command, you can delete the remote address in the ipsec policy.

By default, the remote address of an ipsec policy is not configured.

For the ipsec policy in manual mode, only one remote address can be set. If a remote address is already set, this existing address must be deleted before a new one can be set.

The security tunnel is established between the local and remote ends. The remote address must be set correctly on both ends of the security tunnel.

For the related commands, see ipsec policy(system view), ipsec policy(interface view), security acl, tunnel local, sa duration and proposal.

Example
# Set the remote address of the ipsec policy to 10.1.1.2.
[3Com] ipsec policy shanghai 10 manual
[3Com-ipsec-policy-manual-shanghai-10] tunnel remote 10.1.1.2

IKE Configuration Commands

authentication-algorithm

Syntax
authentication-algorithm { md5 | sha }
undo authentication-algorithm

View
IKE proposal view

Parameter
md5: Selects the authentication algorithm: HMAC-MD5.
sha: Selects the authentication algorithm: HMAC-SHA1.

Description
Using the authentication-algorithm command, you can select the authentication algorithm for an IKE proposal. Using the undo authentication-algorithm command, you can restore the authentication algorithm for an IKE proposal to the default.

By default, HMAC-SHA1 authentication algorithm is used.

For the related commands, see ike proposal and display ike proposal.

Example
# Set HMAC-MD5 as the authentication algorithm for IKE proposal 10.
[3Com] ike proposal 10
[3Com-ike-proposal-10] authentication-algorithm md5

authentication-method

Syntax
authentication-method { pre-share }
undo authentication-method

View
IKE proposal view

Parameter
pre-share: Specifies the pre-shared key authentication as the Internet Key Exchange (IKE) proposal authentication method.

Description
Using the authentication-method command, you can select the authentication method used by an IKE proposal. Using the undo authentication-method command, you can restore the authentication method used by an IKE proposal to the default.


By default, the authentication method used by an IKE proposal is pre-shared key authentication.
An authentication key must be configured to adopt the pre-shared key authentication method.
For the related commands, see ike proposal and display ike proposal.

Example
# Specify pre-shared key authentication as the authentication method for IKE proposal 10.
[3Com] ike proposal 10
[3Com-ike-proposal-10] authentication-method pre-share

debugging ike

Syntax
debugging ike { error | exchange | message | misc }
undo debugging ike { error | exchange | message | misc }

View
User view

Parameter
error: Displays the IKE error debugging information.
exchange: Displays the IKE exchange mode debugging information.
message: Displays the IKE message debugging information.
misc: Displays all the other IKE debugging information.

Description
Using the debugging ike command, you can enable IKE debugging. Using the undo debugging ike command, you can disable IKE debugging.
By default, IKE debugging is disabled.

Example
# Enable IKE error debugging.
<3Com> debugging ike error

dh

Syntax
dh { group1 | group2 }
undo dh

View
IKE proposal view


Parameter
group1: Selects group1, that is, the 768-bit Diffie-Hellman group.
group2: Selects group2, that is, the 1024-bit Diffie-Hellman group.

Description
Using the dh command, you can select the Diffie-Hellman group for an IKE proposal. Using the undo dh command, you can restore the Diffie-Hellman group for an IKE proposal to the default.
By default, group1, that is, 768-bit Diffie-Hellman group is used.
For the related commands, see ike proposal, display ike proposal.

Example
# Specify 768-bit Diffie-Hellman for IKE proposal 10.
[3Com] ike proposal 10
[3Com-ike-proposal-10] dh group1

display ike proposal

Syntax
display ike proposal

View
Any view

Parameter
none

Description
Using the display ike proposal command, you can view the parameters configured for each IKE proposal.
This command shows IKE proposals in the sequence of the priority.
For the related commands, see ike proposal, encryption-algorithm, authentication-algorithm, dh and sa duration.

Example
# View the IKE proposal information after two IKE proposals are configured.
[3Com] display ike proposal
Protection suite priority 10
  encryption algorithm: DES_CBC
  authentication algorithm: SHA
  authentication method: PRE_SHARED
  Diffie-Hellman group: MODP_1024
  sa duration(seconds): 5000
Protection suite priority 11
  encryption algorithm: DES_CBC
  authentication algorithm: MD5
  authentication method: PRE_SHARED
  Diffie-Hellman group: MODP_768
  sa duration(seconds): 50000
Default protection suite
  encryption algorithm: DES_CBC
  authentication algorithm: SHA
  authentication method: PRE_SHARED
  Diffie-Hellman group: MODP_768
  sa duration(seconds): 86400

Table 21 Display Information of IKE Proposal
Item                        Description
Protection suite priority   Priority of the IKE proposal, being any integer between 1 and 100. The larger the priority value, the lower the priority.
encryption algorithm        Encryption algorithm used by the IKE proposal
authentication algorithm    Authentication algorithm used by the IKE proposal
authentication method       Authentication method used by the IKE proposal
Diffie-Hellman group        Diffie-Hellman (DH) group ID
sa duration                 ISAKMP SA duration used by the IKE proposal
Default protection suite    Default IKE proposal, which is used by default or when all the configured IKE policies are not matched. Its priority is the lowest.

display ike sa

Syntax
display ike sa

View
Any view

Parameter
none

Description
Using the display ike sa command, you can view the current security tunnels established by IKE.
For the related command, see ike proposal.


Example
# View the security tunnels established by IKE.
[3Com] display ike sa
conn-id   remote        flag    phase   doi
1         202.38.0.2    RD|ST   1       IPSEC
2         202.38.0.2    RD|ST   2       IPSEC

flag meaning: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO-TIMEOUT

The descriptions of the items displayed are listed in the following table.
Table 22 Display Information of IKE SA
Item      Description
conn-id   Security channel ID
remote    Remote IP address of this SA
flag      Displays the status of this SA:
          RD (READY) means this SA has been established successfully.
          ST (STAYALIVE) means that SA duration is negotiated, and this SA will be refreshed at a fixed interval.
          RL (REPLACED) means that this SA has been replaced by a new one, and will be automatically deleted after a period of time.
          FD (FADING) means this SA has reached soft timeout, but is still in use, and will be deleted at the time of hard timeout.
          TO (TIMEOUT) means this SA has not received any keepalive packet after the previous keepalive timeout occurred. If this SA receives no keepalive packet until the next keepalive timeout occurs, this SA will be deleted.
phase     Phase of the SA:
          Phase 1: a phase of establishing a security channel to communicate; the ISAKMP SA is established in this phase.
          Phase 2: a phase of negotiating security service; the IPSec SA is established in this phase.
doi       Domain of Interpretation

encryption-algorithm

Syntax
encryption-algorithm { des-cbc | 3des-cbc }
undo encryption-algorithm

View
IKE proposal view

Parameter
des-cbc: Selects the 56-bit DES-CBC encryption algorithm for an IKE proposal. DES algorithm adopts 56-bit keys for encryption.


3des-cbc: Sets the encryption algorithm to the 3DES algorithm in CBC mode. The 3DES algorithm uses 168-bit keys for encryption.

Description
Using the encryption-algorithm command, you can specify the encryption algorithm for an IKE proposal. Using the undo encryption-algorithm command, you can restore the default.
By default, 56-bit DES-CBC encryption algorithm is used.
For the related commands, see ike proposal and display ike proposal.

Example
# Specify the 56-bit DES-CBC encryption algorithm for IKE proposal 10.
[3Com] ike proposal 10
[3Com-ike-proposal-10] encryption-algorithm des-cbc

exchange-mode

Syntax
exchange-mode [ aggressive | main ]
undo exchange-mode

View
IKE-peer view

Parameter
aggressive: Aggressive mode.
main: Main mode.

Description
Using the exchange-mode command, you can select an IKE negotiation mode. Using the undo exchange-mode command, you can restore the default negotiation mode.
By default, main mode is adopted.
If the device at one end of a security tunnel obtains IP address dynamically, IKE negotiation mode must be set to aggressive.

Example
# Adopt the main mode for IKE negotiation.
[Router] ike peer new_peer
[RouterA-ike-peer-new_peer] exchange-mode main

id-type

Syntax
id-type [ ip | name ]


undo id-type

View
IKE-peer view

Parameter
ip: Uses IP address as ID of the local GW.
name: Uses name of the local GW as its ID, i.e., the IKE local ID designated by the ike local id command.

Description
Using the id-type command, you can select the type of ID used for identifying the local GW in an IKE negotiation. Using the undo id-type command, you can restore the default setting.
By default, the local GW is identified by its IP address.
If the id-type name command is configured, the id configured in the ike local id command will be used as ID of the local GW.
In main mode, only IP address can be used to identify the local GW. In IKE aggressive mode, however, both IP address and name (configured using the ike local id command) can be used to identify the local GW for SA setup. In the latter case, regardless of the IP address assigned to a subscriber, whether static or dynamic, an SA can be set up so long as the name and password used for setting up the SA are correct.
For the related command, see ike local id.

Example
# Identify the local GW by name.
[Router] ike peer new_peer
[Router-ike-peer-new_peer] id-type name

ike local id

Syntax
ike local id id
undo ike local id

View
System view

Parameter
id: ID of the local GW, which can be a string of 1 to 32 characters.

Description
Using the ike local id command, you can configure ID of the local GW. Using the undo ike local id command, you can restore the default ID of the local GW.
By default, router name is used as the ID of the local GW.


The id configured using the ike local id command is used as the ID of the local GW only if the id-type name command has been configured.

Example
# Identify the local GW by the configured name (local ID) “beijing_VPN”.
[Router] ike local id beijing_VPN

ike peer (system view)

Syntax
ike peer peer-name
undo ike peer peer-name

View
System view

Parameter
peer-name: IKE peer name, which can be a string of up to 15 characters.

Description
Using the ike peer command, you can configure an IKE peer and access IKE-peer view. Using the undo ike peer command, you can delete an IKE peer.

Example
# Configure an IKE peer “new_peer” and access its view.
[Router] ike peer new_peer
[3Com-ike-peer-new_peer]

ike peer (IPSec policy view, IPSec policy template view)

Syntax
ike peer peer-name
undo ike peer peer-name

View
IPSec policy view, IPSec policy template view

Parameter
peer-name: IKE peer name, which is a string of up to 15 characters.

Description
Using the ike peer command, you can quote an IKE peer in an IPSec policy or IPSec policy template. Using the undo ike peer command, you can remove the quoted IKE peer from the IPSec policy or IPSec policy template.
For the related command, see ipsec policy.

Example
# Quote an IKE peer in the IPSec policy.
[Router-ipsec-policy-isakmp-policy-10] ike peer new_peer


ike proposal

Syntax
ike proposal priority-level
undo ike proposal priority-level

View
System view

Parameter
priority-level: Priority level of the IKE proposal, an integer in the range 1 to 100 that also distinguishes this proposal from other proposals. The larger the value, the lower the priority.

Description
Using the ike proposal command, you can define an IKE proposal. Using the undo ike proposal command, you can delete an IKE proposal.
By default, the system provides a default IKE proposal with the lowest priority.
Performing this command in system view enters IKE proposal view. In IKE proposal view, you can select the encryption algorithm, authentication algorithm, DH group ID and authentication method, and specify the sa duration for this IKE proposal.
The default IKE proposal has a default encryption algorithm, authentication algorithm, DH group ID, authentication method and sa duration, as follows:
Encryption algorithm: DES-CBC
Authentication algorithm: HMAC-SHA1
Authentication method: Pre-Shared Key
DH group ID: MODP_768
SA duration: 86400 seconds
These parameters are used to establish a security tunnel once they are confirmed by both sides of the negotiation.
More than one IKE proposal can be configured on each side of the negotiation. During the negotiation, the IKE proposals on both sides are compared one by one, in order of their priority level. The parameters that must be the same for a match are encryption algorithm, authentication algorithm, authentication method, and DH group. The sa duration is decided by the initiator of the negotiation and needs no agreement.
For the related commands, see authentication-algorithm, encryption-algorithm, dh, authentication-algorithm, sa duration, display crypto isakmp policy.

Example
# Define IKE proposal 10 with default encryption algorithm.
[3Com] ike proposal 10
[3Com-ike-proposal-10] authentication-algorithm md5
[3Com-ike-proposal-10] authentication-method pre-share
[3Com-ike-proposal-10] sa duration 5000
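
The following added example, which is not part of the 3Com manual, parses display ike proposal output, walks both sides' proposals in priority order as the ike proposal description states, and lists the stronger settings this command set offers for the agreed suite. The loop order (initiator's proposals outermost), the marker value 101 for the default suite, and the remote gateway's output are assumptions made for the example.

```python
import re
from collections import namedtuple

Proposal = namedtuple(
    "Proposal", "priority encryption auth_alg auth_method dh_group sa_duration")
DEFAULT_PRIORITY = 101  # marker (assumption): sorts after configured priorities 1-100
HEADER = re.compile(r"^(?:Protection suite priority (\d+)|Default protection suite)$")
FIELDS = {"encryption algorithm": "encryption",
          "authentication algorithm": "auth_alg",
          "authentication method": "auth_method",
          "Diffie-Hellman group": "dh_group",
          "sa duration(seconds)": "sa_duration"}
# Displayed values for which this command set offers a stronger setting.
STRONGER_OPTION = {"encryption": {"DES_CBC": "encryption-algorithm 3des-cbc"},
                   "auth_alg": {"MD5": "authentication-algorithm sha"},
                   "dh_group": {"MODP_768": "dh group2"}}

# Values taken from the manual's "display ike proposal" example.
LOCAL_OUTPUT = """\
Protection suite priority 10
  encryption algorithm: DES_CBC
  authentication algorithm: SHA
  authentication method: PRE_SHARED
  Diffie-Hellman group: MODP_1024
  sa duration(seconds): 5000
Protection suite priority 11
  encryption algorithm: DES_CBC
  authentication algorithm: MD5
  authentication method: PRE_SHARED
  Diffie-Hellman group: MODP_768
  sa duration(seconds): 50000
Default protection suite
  encryption algorithm: DES_CBC
  authentication algorithm: SHA
  authentication method: PRE_SHARED
  Diffie-Hellman group: MODP_768
  sa duration(seconds): 86400
"""

# Constructed output for a hypothetical remote gateway.
REMOTE_OUTPUT = """\
Protection suite priority 20
  encryption algorithm: DES_CBC
  authentication algorithm: MD5
  authentication method: PRE_SHARED
  Diffie-Hellman group: MODP_768
  sa duration(seconds): 3600
Default protection suite
  encryption algorithm: DES_CBC
  authentication algorithm: SHA
  authentication method: PRE_SHARED
  Diffie-Hellman group: MODP_768
  sa duration(seconds): 86400
"""

def parse_proposals(text):
    """Parse 'display ike proposal' output into Proposals sorted by priority."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            prio = int(header.group(1)) if header.group(1) else DEFAULT_PRIORITY
            current = {"priority": prio}
            blocks.append(current)
            continue
        key, sep, value = line.partition(":")
        if current is None or not sep or key.strip() not in FIELDS:
            raise ValueError("unexpected line: %r" % raw)
        current[FIELDS[key.strip()]] = value.strip()
    for block in blocks:
        if set(block) != set(Proposal._fields):
            raise ValueError("incomplete proposal: %r" % block)
        block["sa_duration"] = int(block["sa_duration"])
    return sorted((Proposal(**b) for b in blocks), key=lambda p: p.priority)

def negotiate(initiator, responder):
    """Return (initiator proposal, responder proposal, sa duration) or None."""
    for mine in initiator:
        for theirs in responder:
            # Fields 1-4 (encryption, authentication algorithm, authentication
            # method, DH group) must be identical on both sides.
            if mine[1:5] == theirs[1:5]:
                return mine, theirs, mine.sa_duration  # initiator decides duration
    return None

def stronger_settings(p):
    """List the commands that would strengthen proposal p."""
    return [table[getattr(p, attr)] for attr, table in STRONGER_OPTION.items()
            if getattr(p, attr) in table]

if __name__ == "__main__":
    local, remote = parse_proposals(LOCAL_OUTPUT), parse_proposals(REMOTE_OUTPUT)
    mine, theirs, duration = negotiate(local, remote)
    print("agreed: local priority %d / remote priority %d, sa duration %d s"
          % (mine.priority, theirs.priority, duration))
    print("stronger settings available:", stronger_settings(mine))
```

With these inputs the higher-priority local proposal 10 finds no partner, so the peers settle on the DES/MD5/768-bit suite; a weaker lower-priority or default proposal left in place can be the one that is actually negotiated.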

ike sa keepalive-timer interval

Syntax
ike sa keepalive-timer interval seconds
undo ike sa keepalive-timer interval

View
System view

Parameter
seconds: Specifies the interval for sending Keepalive packets to the remote end through the ISAKMP SA. It can be set to a value in the range 20 to 28800.

Description
Using the ike sa keepalive-timer interval command, you can configure the interval for sending Keepalive packets to the remote end through the ISAKMP SA. Using the undo ike sa keepalive-timer interval command, you can disable the function.
By default, this function is disabled.
This command is used to configure the interval for sending Keepalive packets to the remote end through the ISAKMP SA. IKE maintains the link state of the ISAKMP SA by using the Keepalive packet. In general, if a timeout is configured at the remote end by using the ike sa keepalive-timer timeout command, an interval for sending Keepalive packets must be configured at the local end. If the remote end does not receive a Keepalive packet within the configured timeout, an ISAKMP SA that already carries the TIMEOUT flag is deleted together with its corresponding IPSec SA; an ISAKMP SA without the TIMEOUT flag is marked as TIMEOUT. The configured timeout should therefore be longer than the interval for sending the Keepalive packet.
For the related command, see ike sa keepalive-timer timeout.

Example
# Configure the interval as 20 seconds for the local end to send Keepalive packets to the remote end.
[3Com] ike sa keepalive-timer interval 20

ike sa keepalive-timer timeout

Syntax
ike sa keepalive-timer timeout seconds
undo ike sa keepalive-timer timeout

View
System view


Parameter
seconds: Specifies the timeout for the ISAKMP SA to wait for the Keepalive packet. It can be set to a value in the range 20 to 28800.

Description
Using the ike sa keepalive-timer timeout command, you can configure a timeout for the ISAKMP SA to wait for the Keepalive packet. Using the undo ike sa keepalive-timer timeout command, you can disable the function.
By default, this function is disabled.
This command is used to configure the timeout for the remote end to send the Keepalive packet. IKE maintains the link state of the ISAKMP SA by using the Keepalive packet. If the remote end does not receive a Keepalive packet within the configured timeout, an ISAKMP SA that already carries the TIMEOUT flag is deleted together with its corresponding IPSec SA; an ISAKMP SA without the TIMEOUT flag is marked as TIMEOUT. The configured timeout should therefore be longer than the interval for sending the Keepalive packet.
Generally, packets will not be lost more than three consecutive times in the network, so the timeout can be configured as three times the interval set for the remote end to send Keepalive packets.
For the related command, see ike sa keepalive-timer interval.

Example
# Configure the timeout as 20 seconds for the local end to wait for the remote end to send the Keepalive packet.
[3Com] ike sa keepalive-timer timeout 20

nat-traversal

Syntax
nat-traversal
undo nat-traversal

View
IKE-peer view

Parameter
None

Description
Using the nat-traversal command, you can configure the NAT traversal function of IKE/IPSec. Using the undo nat-traversal command, you can disable the NAT traversal function of IKE/IPSec.
This command is intended for applications in which NAT GW functionality is included in the VPN tunnel constructed by IKE/IPSec.

Example
# Enable the NAT traversal function.


[Router] ike peer new_peer
[Router-ike-peer-new_peer] nat-traversal

pre-shared-key

Syntax
pre-shared-key key
undo pre-shared-key

View
IKE-peer view

Parameter
key: Specifies a pre-shared key, which is a string of 1 to 128 characters.

Description
Using the pre-shared-key command, you can configure a pre-shared key to be used in IKE negotiation. Using the undo pre-shared-key command, you can remove the pre-shared key used in IKE negotiation.

Example
# Set the pre-shared key used in IKE negotiation to “abcde”.
[Router] ike peer new_peer
[Router-ike-peer-new_peer] pre-shared-key abcde

remote-address

Syntax
remote-address ip-address
undo remote-address

View
IKE-peer view

Parameter
ip-address: IP address.

Description
Using the remote-address command, you can configure the IP address of the remote GW. Using the undo remote-address command, you can delete the IP address of the remote GW.
The ip-address configured in this command should comply with the one configured for the remote GW.

Example
# Set IP address of the remote GW to 10.0.0.1.
[Router] ike peer new_peer
[Router-ike-peer-new_peer] remote-address 10.0.0.1


remote-id

Syntax
remote-id id
undo remote-id

View
IKE-peer view

Parameter
id: Specifies ID of the remote GW, which is a string of 1 to 32 characters.

Description
Using the remote-id command, you can specify a remote GW. Using the undo remote-id command, you can remove the configuration of the remote GW.
The id configured in this command must be the same as the one configured using the ike local id command on the remote GW.

Example
# Set ID of the remote GW to “beijing”.
[Router] ike peer new_peer
[Router-ike-peer-new_peer] remote-id beijing

reset ike sa

Syntax
reset ike sa [ connection-id ]

View
User view

Parameter
connection-id: Specifies the SA to be deleted. If this parameter is not specified, all the SAs at phase 1 and phase 2 will be deleted.

Description
Using the reset ike sa command, you can delete the security tunnel set up by IKE.
If connection-id is not specified, all the SAs at phase 1 and phase 2 will be deleted.
If the ISAKMP SA of phase 1 exists when the local security tunnel is deleted, a Delete Message notification is sent to the remote end under the protection of this security tunnel to notify the remote end to delete the SA database.
IKE uses ISAKMP in two phases: phase 1 establishes the ISAKMP SA; phase 2 negotiates and establishes the IPSec SA, using the SA established in phase 1.
For the related command, see display ike sa.

Example
# Delete the security tunnel to 202.38.0.2.
<3Com> display ike sa
conn-id   remote        flag    phase   doi
1         202.38.0.2    RD|ST   1       IPSEC
2         202.38.0.2    RD|ST   2       IPSEC

flag meaning: RD--READY ST--STAYALIVE RT--REPLACED FD--FADING
<3Com> reset ike sa 2
<3Com> display ike sa
conn-id   remote        flag    phase   doi
2         202.38.0.2    RD|ST   2       IPSEC

flag meaning: RD--READY ST--STAYALIVE RT--REPLACED FD--FADING

CAUTION: If the SA of phase 1 is deleted first, the remote end cannot be informed of clearing the SA database when deleting the SA of phase 2.

sa duration

Syntax
sa duration seconds
undo sa duration

View
IKE proposal view

Parameter
seconds: Specifies the ISAKMP SA duration. When the sa duration expires, ISAKMP SA will update automatically. It can be set to a value in the range 60 to 604800 seconds.

Description
Using the sa duration command, you can specify the ISAKMP SA duration for an IKE proposal. Using the undo sa duration command, you can restore it to the default.
By default, the value of ISAKMP SA duration is 86400 seconds (one day).
Before the sa duration for an SA expires, a new SA will be negotiated for replacing the existing SA, and the old SA will be automatically cleared when the SA duration expires.
For the related commands, see ike proposal and display ike proposal.

authentication-algorithm

Syntax
authentication-algorithm { md5 | sha }
undo authentication-algorithm


View
IKE proposal view

Parameter
md5: Selects the authentication algorithm: HMAC-MD5.
sha: Selects the authentication algorithm: HMAC-SHA1.

Description
Using the authentication-algorithm command, you can select the authentication algorithm for an IKE proposal. Using the undo authentication-algorithm command, you can restore the authentication algorithm for an IKE proposal to the default.
By default, HMAC-SHA1 authentication algorithm is used.
For the related commands, see ike proposal, display ike proposal.

Example
# Set HMAC-MD5 as the authentication algorithm for IKE proposal 10.
[3Com] ike proposal 10
[3Com-ike-proposal-10] authentication-algorithm md5

authentication-method

Syntax
authentication-method { pre-share }
undo authentication-method

View
IKE proposal view

Parameter
pre-share: Specifies the pre-shared key authentication as the Internet Key Exchange (IKE) proposal authentication method.

Description
Using the authentication-method command, you can select the authentication method used by an IKE proposal. Using the undo authentication-method command, you can restore the authentication method used by an IKE proposal to the default.
By default, the authentication method used by an IKE proposal is pre-shared key authentication.
An authentication key must be configured to adopt the pre-shared key authentication method.
For the related commands, see ike proposal and display ike proposal.


Example
# Specify pre-shared key authentication as the authentication method for IKE proposal 10.
[3Com] ike proposal 10
[3Com-ike-proposal-10] authentication-method pre-share

debugging ike

Syntax
debugging ike { error | exchange | message | misc }
undo debugging ike { error | exchange | message | misc }

View
User view

Parameter
error: Displays the IKE error debugging information.
exchange: Displays the IKE exchange mode debugging information.
message: Displays the IKE message debugging information.
misc: Displays all the other IKE debugging information.

Description
Using the debugging ike command, you can enable IKE debugging. Using the undo debugging ike command, you can disable IKE debugging.
By default, IKE debugging is disabled.

Example
# Enable IKE error debugging.
<3Com> debugging ike error

dh

Syntax
dh { group1 | group2 }
undo dh

View
IKE proposal view

Parameter
group1: Selects group1, that is, the 768-bit Diffie-Hellman group.
group2: Selects group2, that is, the 1024-bit Diffie-Hellman group.


Description
Using the dh command, you can select the Diffie-Hellman group for an IKE proposal. Using the undo dh command, you can restore the Diffie-Hellman group for an IKE proposal to the default.
By default, group1, that is, 768-bit Diffie-Hellman group is used.
For the related commands, see ike proposal, display ike proposal.

Example
# Specify 768-bit Diffie-Hellman for IKE proposal 10.
[3Com] ike proposal 10
[3Com-ike-proposal-10] dh group1

display ike proposal

Syntax
display ike proposal

View
Any view

Parameter
none

Description
Using the display ike proposal command, you can view the parameters configured for each IKE proposal.
This command shows IKE proposals in the sequence of the priority.
For the related commands, see ike proposal, encryption-algorithm, authentication-algorithm, dh and sa duration.

Example
# View the IKE proposal information after two IKE proposals are configured.
[3Com] display ike proposal
Protection suite priority 10
  encryption algorithm: DES_CBC
  authentication algorithm: SHA
  authentication method: PRE_SHARED
  Diffie-Hellman group: MODP_1024
  sa duration(seconds): 5000
Protection suite priority 11
  encryption algorithm: DES_CBC
  authentication algorithm: MD5
  authentication method: PRE_SHARED
  Diffie-Hellman group: MODP_768
  sa duration(seconds): 50000
Default protection suite
  encryption algorithm: DES_CBC
  authentication algorithm: SHA
  authentication method: PRE_SHARED
  Diffie-Hellman group: MODP_768
  sa duration(seconds): 86400

Table 23 Display information of IKE proposal
Item                        Description
Protection suite priority   Priority of the IKE proposal, being any integer between 1 and 100. The larger the priority value, the lower the priority.
encryption algorithm        Encryption algorithm used by the IKE proposal
authentication algorithm    Authentication algorithm used by the IKE proposal
authentication method       Authentication method used by the IKE proposal
Diffie-Hellman group        Diffie-Hellman (DH) group ID
sa duration                 ISAKMP SA duration used by the IKE proposal
Default protection suite    Default IKE proposal, which is used by default or when all the configured IKE policies are not matched. Its priority is the lowest.

display ike sa

Syntax
display ike sa

View
Any view

Parameter
none

Description
Using the display ike sa command, you can view the current security tunnels established by IKE.
For the related command, see ike proposal.

Example
# View the security tunnels established by IKE.
[3Com] display ike sa
conn-id   remote        flag    phase   doi
1         202.38.0.2    RD|ST   1       IPSEC
2         202.38.0.2    RD|ST   2       IPSEC

flag meaning: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO-TIMEOUT

The descriptions of the items displayed are listed in the following table.
Table 24 Display information of IKE SA
Item      Description
conn-id   Security channel ID
remote    Remote IP address of this SA
flag      Displays the status of this SA:
          RD (READY) means this SA has been established successfully.
          ST (STAYALIVE) means that SA duration is negotiated, and this SA will be refreshed at a fixed interval.
          RL (REPLACED) means that this SA has been replaced by a new one, and will be automatically deleted after a period of time.
          FD (FADING) means this SA has reached soft timeout, but is still in use, and will be deleted at the time of hard timeout.
          TO (TIMEOUT) means this SA has not received any keepalive packet after the previous keepalive timeout occurred. If this SA receives no keepalive packet until the next keepalive timeout occurs, this SA will be deleted.
phase     Phase of the SA:
          Phase 1: a phase of establishing a security channel to communicate; the ISAKMP SA is established in this phase.
          Phase 2: a phase of negotiating security service; the IPSec SA is established in this phase.
doi       Domain of Interpretation

encryption-algorithm

Syntax
encryption-algorithm { des-cbc | 3des-cbc }
undo encryption-algorithm

View
IKE proposal view

Parameter
des-cbc: Selects the 56-bit DES-CBC encryption algorithm for an IKE proposal. DES algorithm adopts 56-bit keys for encryption.
3des-cbc: Sets the encryption algorithm to the 3DES algorithm in CBC mode. The 3DES algorithm uses 168-bit keys for encryption.

Description
Using the encryption-algorithm command, you can specify the encryption algorithm for an IKE proposal. Using the undo encryption-algorithm command, you can restore the default.
By default, 56-bit DES-CBC encryption algorithm is used.


For the related commands, see ike proposal and display ike proposal.

Example
# Specify the 56-bit DES-CBC encryption algorithm for IKE proposal 10.
[3Com] ike proposal 10
[3Com-ike-proposal-10] encryption-algorithm des-cbc

exchange-mode

Syntax
exchange-mode [ aggressive | main ]
undo exchange-mode

View
IKE-peer view

Parameter
aggressive: Aggressive mode.
main: Main mode.

Description
Using the exchange-mode command, you can select an IKE negotiation mode. Using the undo exchange-mode command, you can restore the default negotiation mode.
By default, main mode is adopted.
If the device at one end of a security tunnel obtains IP address dynamically, IKE negotiation mode must be set to aggressive.

Example
# Adopt the main mode for IKE negotiation.
[Router] ike peer new_peer
[RouterA-ike-peer-new_peer] exchange-mode main

id-type

Syntax
id-type [ ip | name ]
undo id-type

View
IKE-peer view

Parameter
ip: Uses IP address as ID of the local GW.
name: Uses name of the local GW as its ID, i.e., the IKE local ID designated by the ike local id command.


Description
Using the id-type command, you can select the type of ID used for identifying the local GW in an IKE negotiation. Using the undo id-type command, you can restore the default setting.
By default, the local GW is identified by its IP address.
If the id-type name command is configured, the id configured in the ike local id command will be used as ID of the local GW.
In main mode, only IP address can be used to identify the local GW. In IKE aggressive mode, however, both IP address and name (configured using the ike local id command) can be used to identify the local GW for SA setup. In the latter case, regardless of the IP address assigned to a subscriber, whether static or dynamic, an SA can be set up so long as the name and password used for setting up the SA are correct.
For the related command, see ike local id.

Example
# Identify the local GW by name.
[Router] ike peer new_peer
[Router-ike-peer-new_peer] id-type name

ike local id

Syntax
ike local id id
undo ike local id

View
System view

Parameter
id: ID of the local GW, which can be a string of 1 to 32 characters.

Description
Using the ike local id command, you can configure ID of the local GW. Using the undo ike local id command, you can restore the default ID of the local GW.
By default, router name is used as the ID of the local GW.
The id configured using the ike local id command is used as the ID of the local GW only if the id-type name command has been configured.

Example
# Identify the local GW by the configured name (local ID) “beijing_VPN”.
[Router] ike local id beijing_VPN

ike peer (system view)

Syntax
ike peer peer-name


undo ike peer peer-name

View
System view

Parameter
peer-name: IKE peer name, which can be a string of up to 15 characters.

Description
Using the ike peer command, you can configure an IKE peer and access IKE-peer view. Using the undo ike peer command, you can delete an IKE peer.

Example
# Configure an IKE peer “new_peer” and access its view.
[Router] ike peer new_peer
[3Com-ike-peer-new_peer]

ike peer (IPSec policy view, IPSec policy template view)

Syntax
ike peer peer-name
undo ike peer peer-name

View
IPSec policy view, IPSec policy template view

Parameter
peer-name: IKE peer name, which is a string of up to 15 characters.

Description
Using the ike peer command, you can quote an IKE peer in an IPSec policy or IPSec policy template. Using the undo ike peer command, you can remove the quoted IKE peer from the IPSec policy or IPSec policy template.
For the related command, see ipsec policy.

Example
# Quote an IKE peer in the IPSec policy.
[Router-ipsec-policy-isakmp-policy-10] ike peer new_peer

ike proposal

Syntax
ike proposal priority-level
undo ike proposal priority-level

View
System view


Parameter priority-level: An integer ranging 1 to 100, it is a priority level of an IKE proposal, and can distinguish this proposal from other proposal, the bigger the value(priority-level) be selected, the lower the priority level be set actually. Description Using the ike proposal command, you can define an IKE proposal. Using the undo ike proposal command, you can delete an IKE proposal. By default, the system provides default IKE proposal with the lowest priority. Performing this command in system view will enter IKE proposal view. In the IKE proposal, you can select encryption algorithm, authentication algorithm, DH group ID, authentication method and specify sa duration for this IKE proposal. Default IKE proposal has a default encryption algorithm, authentication algorithm, DH group ID, authentication method and sa duration, as follows:


an encryption algorithm: DES-CBC an Authentication algorithm: HMAC-SHA1 an Authentication method: Pre-Shared Key a DH group ID: MODP_768 an SA duration and: 86400 seconds









These parameters will be used to establish a security tunnel once these parameters are confirmed by both sides of the negotiation. Both sides of the negotiation can be configured in more then one IKE proposal. During the negotiation, the IKE proposals in both sides are selected to match one by one, by turns of their priority level. The parameters that must be same durning the match are encryption algorithm, authentication algorithm, authentication method, and DH group. The sa duration is decided by the initiator of the negotiation, needing no agreement. For the related commands, see authentication-algorithm, encryption-algorithm, dh, authentication-algorithm, sa duration, display crypto isakmp policy. Example # Define IKE proposal 10 with default encryption algorithm.
[3Com] ike proposal 10 [3Com-ike-proposal-10] authentication-algorithm md5 [3Com-ike-proposal-10] authentication-method pre-share [3Com-ike-proposal-10] sa duration 5000
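The matching rule described in the ike proposal entry can be traced with a short model, which also shows what the always-present default proposal means for a mistyped configuration. This is an added example, not 3Com code; the parameter labels other than the listed defaults, the priority 101 given to the default proposal, the initiator-first matching order, and the set of values treated as weak are assumptions of the example.

```python
"""Model of IKE proposal matching as the 'ike proposal' entry describes it (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    priority: int              # 1..100; a larger value means a lower priority
    encryption: str
    auth_algorithm: str
    auth_method: str
    dh_group: str
    sa_duration: int = 86400   # seconds

    def must_match(self):
        """The four parameters that have to be identical on both sides."""
        return (self.encryption, self.auth_algorithm, self.auth_method, self.dh_group)


# Default proposal with the values the entry lists. Priority 101 is an assumption
# used only to sort it after every configurable proposal (1..100).
DEFAULT = Proposal(101, "DES-CBC", "HMAC-SHA1", "Pre-Shared Key", "MODP_768", 86400)

# Values this example flags as weak (the example's judgement, not the manual's).
WEAK = {
    "encryption": {"DES-CBC"},
    "auth_algorithm": {"HMAC-MD5"},
    "dh_group": {"MODP_768"},
}


def effective(configured, with_default=True):
    """Configured proposals in priority order, followed by the default proposal."""
    for p in configured:
        if not 1 <= p.priority <= 100:
            raise ValueError(f"priority-level {p.priority} is outside 1..100")
    ordered = sorted(configured, key=lambda p: p.priority)
    return ordered + [DEFAULT] if with_default else ordered


def negotiate(initiator, responder, responder_has_default=True):
    """Return (initiator proposal, responder proposal, sa duration) or None.

    Assumed order: the initiator's proposals are tried from highest priority
    down, each against the responder's proposals from highest priority down.
    Set responder_has_default=False to model a peer without a default proposal.
    """
    for mine in effective(initiator):
        for theirs in effective(responder, responder_has_default):
            if mine.must_match() == theirs.must_match():
                # The sa duration is the initiator's; it needs no agreement.
                return mine, theirs, mine.sa_duration
    return None


def weaknesses(proposal):
    """Names of the fields of a proposal that hold a value listed in WEAK."""
    return sorted(f for f, bad in WEAK.items() if getattr(proposal, f) in bad)


# Constructed sample configurations (labels other than the defaults are made up).
SITE_A = [Proposal(10, "3DES-CBC", "HMAC-SHA1", "Pre-Shared Key", "MODP_1024", 5000)]
SITE_B_OK = [Proposal(5, "3DES-CBC", "HMAC-SHA1", "Pre-Shared Key", "MODP_1024", 600)]
SITE_B_TYPO = [Proposal(5, "3DES-CBC", "HMAC-MD5", "Pre-Shared Key", "MODP_1024", 600)]

if __name__ == "__main__":
    for name, peer in (("matching peer", SITE_B_OK), ("mismatched peer", SITE_B_TYPO)):
        mine, theirs, duration = negotiate(SITE_A, peer)
        print(f"{name}: local priority {mine.priority}, remote priority {theirs.priority}, "
              f"sa duration {duration}s, weak fields: {weaknesses(mine) or 'none'}")
```

With the mismatched peer the negotiation still succeeds, but on the default proposal's DES-CBC and MODP_768 rather than on the configured proposal, so a review of the negotiated parameters is the only place the mistake shows up.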

ike sa keepalive-timer interval

Syntax
ike sa keepalive-timer interval seconds
undo ike sa keepalive-timer interval

View
System view

Parameter
seconds: Specifies the interval for sending Keepalive packets to the remote end through the ISAKMP SA. It can be set to a value in the range 20 to 28800.

Description
Using the ike sa keepalive-timer interval command, you can configure the interval for sending Keepalive packets to the remote end through the ISAKMP SA. Using the undo ike sa keepalive-timer interval command, you can disable the function. By default, this function is disabled.

IKE maintains the link state of the ISAKMP SA by using Keepalive packets. In general, if a timeout is configured at the remote end by using the ike sa keepalive-timer timeout command, an interval for sending Keepalive packets must be configured at the local end. When the remote end does not receive a Keepalive packet within the configured timeout, an ISAKMP SA that already carries the TIMEOUT flag is deleted together with its corresponding IPSec SA; an ISAKMP SA without the TIMEOUT flag is marked as TIMEOUT. The configured timeout should therefore be longer than the interval for sending Keepalive packets.

For the related command, see ike sa keepalive-timer timeout.

Example
# Configure the interval as 20 seconds for the local end to send Keepalive packets to the remote end.
[3Com] ike sa keepalive-timer interval 20

ike sa keepalive-timer timeout

Syntax
ike sa keepalive-timer timeout seconds
undo ike sa keepalive-timer timeout

View
System view

Parameter
seconds: Specifies the timeout for the ISAKMP SA to wait for a Keepalive packet. It can be set to a value in the range 20 to 28800.

Description
Using the ike sa keepalive-timer timeout command, you can configure a timeout for the ISAKMP SA to wait for a Keepalive packet. Using the undo ike sa keepalive-timer timeout command, you can disable the function. By default, this function is disabled.

This command is used to configure the timeout for the remote end to send the Keepalive packet. IKE maintains the link state of the ISAKMP SA by using Keepalive packets. When the remote end does not receive a Keepalive packet within the configured timeout, an ISAKMP SA that already carries the TIMEOUT flag is deleted together with its corresponding IPSec SA; an ISAKMP SA without the TIMEOUT flag is marked as TIMEOUT. The configured timeout should therefore be longer than the interval for sending Keepalive packets. Generally, packets are not lost more than three consecutive times in the network, so the timeout can be configured as three times the interval set for the remote end to send Keepalive packets.

For the related command, see ike sa keepalive-timer interval.

Example
# Configure the timeout as 20 seconds for the local end to wait for the remote end to send the Keepalive packet.
[3Com] ike sa keepalive-timer timeout 20
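The two-step TIMEOUT handling described for the keepalive timers can be modelled to see how an interval/timeout pair behaves under packet loss. This is an added example, not 3Com code; it assumes both timers start together, that the receiving end checks once per timeout period, and that a received Keepalive clears the TIMEOUT flag, none of which the manual states.

```python
"""Keepalive interval/timeout check and TIMEOUT-flag simulation (added example)."""

LOW, HIGH = 20, 28800   # value range the manual gives for both timers, in seconds


def audit(interval, timeout):
    """Findings for one sender interval paired with the receiver's timeout."""
    findings = []
    for name, value in (("interval", interval), ("timeout", timeout)):
        if not LOW <= value <= HIGH:
            findings.append(f"{name} {value} outside {LOW}..{HIGH}")
    if timeout <= interval:
        findings.append("timeout is not longer than the interval")
    elif timeout < 3 * interval:
        findings.append("timeout is below three times the interval")
    return findings


def simulate(interval, timeout, lost=(), horizon=600):
    """Return the second at which the receiver deletes the SA, or None.

    The sender emits Keepalive number k at k * interval seconds; numbers in
    `lost` never arrive. The receiver checks at every multiple of `timeout`:
    no Keepalive in the elapsed period marks the SA TIMEOUT, and a second
    empty period while the flag is set deletes the ISAKMP SA and its IPSec SA.
    """
    arrivals = [k * interval
                for k in range(1, horizon // interval + 1) if k not in lost]
    flagged = False
    now = timeout
    while now <= horizon:
        received = any(now - timeout < a <= now for a in arrivals)
        if received:
            flagged = False      # assumption: traffic clears the TIMEOUT flag
        elif flagged:
            return now           # second empty period: SA is deleted
        else:
            flagged = True       # first empty period: SA marked TIMEOUT
        now += timeout
    return None


if __name__ == "__main__":
    # Constructed scenarios: (interval, timeout, lost Keepalive numbers)
    scenarios = [
        (20, 20, {3}),       # one lost packet, timeout equal to interval
        (20, 20, {3, 4}),    # two consecutive losses, timeout equal to interval
        (20, 60, {3, 4}),    # same losses, timeout three times the interval
        (60, 20, set()),     # no loss at all, timeout shorter than interval
    ]
    for interval, timeout, lost in scenarios:
        print(interval, timeout, sorted(lost),
              "deleted at", simulate(interval, timeout, lost),
              audit(interval, timeout))
```

Under these assumptions, a timeout equal to the interval survives a single lost Keepalive but not two in a row, and a timeout shorter than the interval tears down a healthy SA after two check periods.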

nat-traversal

Syntax
nat-traversal
undo nat-traversal

View
IKE-peer view

Parameter
None

Description
Using the nat-traversal command, you can configure the NAT traversal function of IKE/IPSec. Using the undo nat-traversal command, you can disable the NAT traversal function of IKE/IPSec.

This command is suited to applications in which NAT GW functionality is included in the VPN tunnel constructed by IKE/IPSec.

Example
# Enable the NAT traversal function.
[Router] ike peer new_peer
[Router-ike-peer-new_peer] nat-traversal

pre-shared-key

Syntax
pre-shared-key key
undo pre-shared-key

View
IKE-peer view

Parameter
key: Specifies a pre-shared key, which is a string of 1 to 128 characters.

Description
Using the pre-shared-key command, you can configure a pre-shared key to be used in IKE negotiation. Using the undo pre-shared-key command, you can remove the pre-shared key used in IKE negotiation.

Example
# Set the pre-shared key used in IKE negotiation to “abcde”.
[Router] ike peer new_peer
[Router-ike-peer-new_peer] pre-shared-key abcde

remote-address

Syntax
remote-address ip-address
undo remote-address

View
IKE-peer view

Parameter
ip-address: IP address.

Description
Using the remote-address command, you can configure the IP address of the remote GW. Using the undo remote-address command, you can delete the IP address of the remote GW.

The ip-address configured in this command should match the one configured on the remote GW.

Example
# Set IP address of the remote GW to 10.0.0.1.
[Router] ike peer new_peer
[Router-ike-peer-new_peer] remote-address 10.0.0.1

remote-id

Syntax
remote-id id
undo remote-id

View
IKE-peer view

Parameter
id: Specifies the ID of the remote GW, which is a string of 1 to 32 characters.

Description
Using the remote-id command, you can specify a remote GW. Using the undo remote-id command, you can remove the configuration of the remote GW.

The id configured in this command must be the same as the one configured with the ike local id command on the remote GW.

Example
# Set ID of the remote GW to “beijing”.
[Router] ike peer new_peer
[Router-ike-peer-new_peer] remote-id beijing

reset ike sa

Syntax
reset ike sa [ connection-id ]

View
User view

Parameter
connection-id: Specifies the SA to be deleted. If this parameter is not specified, all the SAs at phase 1 and phase 2 will be deleted.

Description
Using the reset ike sa command, you can delete the security tunnel set up by IKE.

If connection-id is not specified, all the SAs at phase 1 and phase 2 will be deleted. If the ISAKMP SA of phase 1 still exists when the local security tunnel is deleted, a Delete Message notification is sent to the remote end under the protection of this security tunnel to notify it to delete the SA database.

IKE uses ISAKMP in two phases: phase 1 establishes the ISAKMP SA, and phase 2 uses that SA to negotiate and establish the IPSec SA.

For the related command, see display ike sa.

Example
# Delete the security tunnel to 202.38.0.2.
<3Com> display ike sa
conn-id  remote      flag   phase  doi
1        202.38.0.2  RD|ST  1      IPSEC
2        202.38.0.2  RD|ST  2      IPSEC

flag meaning:
RD--READY ST--STAYALIVE RT--REPLACED FD--FADING

<3Com> reset ike sa 2
<3Com> display ike sa
conn-id  remote      flag   phase  doi
2        202.38.0.2  RD|ST  2      IPSEC

flag meaning:
RD--READY ST--STAYALIVE RT--REPLACED FD--FADING

CAUTION: If the SA of phase 1 is deleted first, the remote end cannot be informed to clear its SA database when the SA of phase 2 is deleted.

sa duration

Syntax
sa duration seconds
undo sa duration

View
IKE proposal view

Parameter
seconds: Specifies the ISAKMP SA duration. When the sa duration expires, the ISAKMP SA is updated automatically. It can be set to a value in the range 60 to 604800 seconds.

Description
Using the sa duration command, you can specify the ISAKMP SA duration for an IKE proposal. Using the undo sa duration command, you can restore it to the default. By default, the value of the ISAKMP SA duration is 86400 seconds (one day).

Before the sa duration for an SA expires, a new SA is negotiated to replace the existing SA, and the old SA is automatically cleared when the sa duration expires.

For the related commands, see ike proposal and display ike proposal.

Example
# Specify the ISAKMP SA duration for IKE proposal 10 as 600 seconds (10 minutes).
[3Com] ike proposal 10
[3Com-ike-proposal-10] sa duration 600

authentication-method

Syntax
authentication-method { pre-share | rsa-signature }
undo authentication-method

View
IKE proposal view

Parameter
pre-share: selects pre-shared-key as the authentication method.
rsa-signature: selects PKI digital signature as the authentication method.

Description
Using the authentication-method command, you can specify the authentication method the IKE policy uses. Using the undo authentication-method command, you can restore the default authentication method. pre-shared-key is the default authentication method.

This command is used to specify the authentication method for an IKE proposal. Currently, both pre-shared-key and rsa-signature are available. pre-shared-key requires a key to be configured; for this, refer to ike pre-shared-key.

For related commands, see ike pre-shared-key, ike proposal, display ike proposal, pki domain, and pki entity. To configure PKI, please refer to “PKI Configuration.”

Example
# Specify pre-shared-key as the authentication method of IKE proposal 10.
[Router] ike proposal 10
[Router-ike-proposal-10] authentication-method pre-share


PKI Configuration Commands
PKI Domain Configuration Commands

ca identifier

Syntax
ca identifier name
undo ca identifier

View
PKI domain view

Parameter
name: Identifier of the CA this device trusts, in the range of 1 to 63 characters.

Description
Using the ca identifier command, you can specify the CA this device trusts and have the “name” CA bound with this device. Using the undo ca identifier command, you can delete the CA this device trusts. By default, no trusted CA is specified.

Before the CA is deleted, the request, retrieval, revocation, and polling of this certificate are carried out.

Example
# Specify the name of the CA this device trusts.
[RouterCA-pki-domain-1] ca identifier new-ca

certificate request from

Syntax
certificate request from { ca | ra } entity entity-name
undo certificate request from { ca | ra }

View
PKI domain view

Parameter
ca: indicates that the entity registers with the CA for certificate request.
ra: indicates that the entity registers with the RA for certificate request.
entity entity-name: name of the entity requesting the certificate. In the range of 1 to 15 characters, it shall be identical to the name defined by the pki entity command.

Description
Using the certificate request from command, you can choose between CA and RA to register for certificate request. Using the undo certificate request from command, you can cancel the selection of the registration agent. By default, no registration agent is specified.

RA offers an extension to the CA certificate issue management. It takes charge of the input and verification of the applicant information, as well as the certificate issuing. However, it does not support a signature function. Some minor PKI systems have no RA, and its functions are implemented by the CA. PKI security policy recommends RA as the registration agent.

For the related command, see pki entity.

Example
# Specify that the entity registers with the CA for certificate request.
[RouterCA-pki-domain-1] certificate request from ca entity new-entity
[RouterCA-pki-domain-1] undo certificate request from ca

certificate request mode

Syntax
certificate request mode { manual | auto }
undo certificate request mode

View
PKI domain view

Parameter
manual: refers to the manual certificate request mode.
auto: refers to the auto certificate request mode.

Description
Using the certificate request mode command, you can choose between the manual and the auto request mode. Using the undo certificate request mode command, you can restore the default request mode. By default, certificate request is carried out manually.

Auto mode delivers a certificate request automatically when there is no certificate, or when the current certificate is about to expire. Manual mode requires manual operation in the request process.

For related command, see pki request certificate.

Example
# Set the request mode to Auto.
[RouterCA-pki-domain-1] certificate request mode auto
[RouterCA-pki-domain-1] undo certificate request mode

certificate request polling

Syntax
certificate request polling { interval minutes | count count }
undo certificate request polling { interval | count }

View
PKI domain view

Parameter
minutes: the interval between two polls, in minutes. It ranges from 5 to 60 and defaults to 20.
count: the number of retries. It ranges from 1 to 100 and defaults to 50.

Description
Using the certificate request polling command, you can specify the interval between two polls and the retry times. Using the undo certificate request polling command, you can restore the default parameters.

After the request is delivered, if the CA requires manual authentication, it takes a long time before the certificate is issued. The client therefore needs to poll the request periodically so that it acquires the certificate promptly once it has been authorized.

For related command, see display pki certificate.

Example
# Specify the interval between two polls and the retry times.
[RouterCA-pki-domain-1] certificate request polling interval 15
[RouterCA-pki-domain-1] certificate request polling count 40

certificate request url

Syntax
certificate request url string
undo certificate request url

View
PKI domain view

Parameter
string: refers to the server URL of the registration authority. Ranging from 1 to 255 characters, it is composed of the server location and the CA CGI command interface script location, in the format http://server_location/ca_script_location. Here, server_location is generally expressed as an IP address; if a server name is used instead, DNS needs to be configured to resolve server names to IP addresses.

Description
Using the certificate request url command, you can specify the server URL for certificate request through the SCEP protocol. SCEP is a protocol specialized in communication with authentication authorities. Using the undo certificate request url command, you can delete the location setting. By default, no server URL is specified.

Example
# Specify the server location for certificate request.
[RouterCA-pki-domain-1] certificate request url http://169.254.0.100/certsrv/mscep.dll

crl update period

Syntax
crl update period { default | days }
undo crl update period

View
PKI domain view

Parameter
default: identical with the validity period of the CRL.
days: number of days.

Description
Using the crl update period command, you can specify the update period of the CRL, which is the interval between local downloads of CRLs from the access server. Using the undo crl update period command, you can restore the default CRL update period. By default, it updates according to the CRL validity period.

Example
# Specify CRL update period.
[RouterCA-pki-domain-1] crl update period 20

crl url

Syntax
crl url url-string
undo crl url

View
PKI domain view

Parameter
url-string: refers to the distribution point location of the CRL. Ranging from 1 to 255 characters, it is in the format ldap://server_location. Here, server_location is generally expressed as an IP address; if a server name is used instead, DNS needs to be configured to resolve server names to IP addresses.

Description
Using the crl url command, you can specify the distribution point URL for the CRL. Using the undo crl url command, you can cancel the specification. By default, no CRL distribution point URL is specified.

Example
# Specify the URL location of CRL database.
[RouterCA-pki-domain-1] crl url ldap://169.254.0.30

ldap server

Syntax
ldap server ip ip-address [ port port-num ] [ version version-number ]
undo ldap server ip

View
PKI domain view

Parameter
ip-address: IP address of the LDAP server.
port-num: port number of the LDAP server, ranging from 1 to 65535. By default, it is 389.
version-number: LDAP version number, either 2 or 3. By default, it is 2.

Description
Using the ldap server ip command, you can configure the LDAP server IP address and the port. Using the undo ldap server ip command, you can cancel the related configuration. By default, no LDAP server IP address or port is configured.

Example
# Specify the LDAP server address.
[RouterCA-pki-domain-1] ldap server ip 169.254.0.30

pki domain

Syntax
pki domain name
undo pki domain name

View
Any view

Parameter
name: PKI domain name, which other commands use to reference the domain and which indicates the PKI domain this device belongs to. It can contain 1 to 15 characters.

Description
Using the pki domain command, you can enter PKI domain view and configure the parameters of the LDAP server and of certificate request and authentication. Using the undo pki domain command, you can delete the specified PKI domain. By default, no PKI domain name is specified.

Example
# Enter PKI domain view.
[RouterCA] pki domain 1

PKI Entity Configuration Commands

fqdn

Syntax
fqdn name-str
undo fqdn

View
PKI entity view

Parameter
name-str: FQDN of an entity, in the range of 1 to 255 characters.

Description
Using the fqdn command, you can specify the FQDN of an entity. Using the undo fqdn command, you can delete the entity FQDN. By default, no entity FQDN is specified.

The FQDN (Fully Qualified Domain Name) is the unique identifier an entity has in the network, like an email address. It can be resolved into an IP address and is usually in the form user.domain.

Example
# Configure the FQDN of an entity.
[RouterCA-pki-entity-1] fqdn pki.3com.com

common name

Syntax
common-name name-str
undo common-name

View
PKI entity view

Parameter
name-str: common name of an entity, in the range of 1 to 31 characters.

Description
Using the common-name command, you can specify the common name of an entity, for instance, User Name. Using the undo common-name command, you can delete the common name of this entity. By default, no common name is specified for any entity.

Example
# Configure the common name of an entity.
[RouterCA-pki-entity-1] common-name pki test

country code

Syntax
country country-code-str
undo country

View
PKI entity view

Parameter
country-code-str: country code of 2 bytes.

Description
Using the country command, you can specify the code of the country the entity belongs to. It is a standard 2-byte code, e.g., CN for China. Using the undo country command, you can delete the country code of this entity. By default, no country code is specified for any entity.

Example
# Set the country code of an entity.
[RouterCA-pki-entity-1] country CN

ip

Syntax
ip ip-address
undo ip

View
PKI entity view

Parameter
ip-address: IP address of an entity in dotted decimal form, like A.B.C.D.

Description
Using the ip command, you can specify the IP address of an entity. Using the undo ip command, you can delete the specified IP address. By default, no entity IP address is specified.

Example
# Configure the IP address of an entity.
[RouterCA-pki-entity-1] ip 161.12.2.3

locality

Syntax
locality locality-str
undo locality

View
PKI entity view

Parameter
locality-str: name of the geographical locality of an entity, in the range of 1 to 31 characters.

Description
Using the locality command, you can name the geographical locality of an entity, a city for example. Using the undo locality command, you can cancel that naming. By default, no geographical locality is specified for an entity.

Example
# Configure the name of the city where the entity is located.
[RouterCA-pki-entity-1] locality bei jing

organization

Syntax
organization org-str
undo organization

View
PKI entity view

Parameter
org-str: organization name in the range of 1 to 31 characters.

Description
Using the organization command, you can specify the name of the organization the entity belongs to. Using the undo organization command, you can delete that name. By default, no organization name is specified for any entity.

Example
# Configure the name of the organization to which an entity belongs.
[RouterCA-pki-entity-1] organization hua wei - 3com

organizational unit

Syntax
organizational-unit org-unit-str
undo organizational-unit

View
PKI entity view

Parameter
org-unit-str: organization unit name in the range of 1 to 31 characters.

Description
Using the organizational-unit command, you can specify the name of the organization unit to which this entity belongs. Using the undo organizational-unit command, you can delete the specified organization unit name. By default, no organization unit name is specified for any entity.

Example
# Configure the name of the organization unit to which an entity belongs.
[RouterCA-pki-entity-1] organizational-unit soft plat

state

Syntax
state state-str
undo state

View
PKI entity view

Parameter
state-str: state name in the range of 1 to 31 characters.

Description
Using the state command, you can specify the name of the state in which an entity is located. Using the undo state command, you can cancel that specification. By default, the state of an entity is not specified.

Example
# Specify the state in which an entity is located.
[RouterCA-pki-entity-1] state bei jing

pki entity

Syntax
pki entity name-str
undo pki entity

View
Any view

Parameter
name-str: unique identification string for the device, used when the entity is referenced by other commands. It shall be in the range of 1 to 15 characters.

Description
Using the pki entity command, you can name a PKI entity and enter PKI entity view. Using the undo pki entity command, you can delete the name and cancel all configurations under the name space. By default, the entity name is not specified.

A variety of attributes can be configured in PKI entity view. name-str exists only so that other commands can reference the entity; it does not appear in any certificate field.

Example
# Enter PKI entity view.
[RouterCA] pki entity en

PKI Certificate Operation Commands

pki delete certificate

Syntax
pki delete certificate { local | ca }

View
Any view

Parameter
local: indicates the deletion of all local certificates that are locally stored.
ca: indicates the deletion of all CA certificates that are locally stored.

Description
Using the pki delete certificate command, you can delete the locally stored certificates.

Example
# Delete the local certificates.
[RouterCA] pki delete certificate local

pki request certificate

Syntax
pki request certificate domain-name [ password ] [ pem ]

View
Any view

Parameter
domain-name: contains CA or RA related information. It is configured by using the pki domain command.
password: optional. Used in certificate revocation.
pem: optional. Prints the certificate request so that it can be delivered in an outband mode such as phone, disk, or e-mail.

Description
Using the pki request certificate command, you can deliver a certificate request through SCEP to the CA for the generated RSA key pair. If SCEP communication fails, you can print the local certificate request in base64 format using the optional parameter “pem”, copy it, and send it to the CA in an outband mode.

This operation is not saved within the configuration.

For the related command, see pki domain.

Example
# Manually apply for a certificate.
[RouterCA] pki request certificate 1

# Display the request information for local certificates.
[RouterCA] pki request certificate 1 pem

pki retrieval certificate

Syntax
pki retrieval certificate { local | ca } domain domain-name

View
Any view

Parameter
local: indicates the download of a local certificate.
ca: indicates the download of a CA certificate.
domain-name: contains CA or RA related information. It is configured by using the pki domain command.

Description
Using the pki retrieval certificate command, you can download a certificate from the certificate issuing server.

For related command, see pki domain.

Example
# Retrieve a certificate.
[RouterCA] pki retrieval certificate ca domain 1

pki retrieval crl

Syntax
pki retrieval crl domain domain-name

View
Any view

Parameter
domain-name: contains CA or RA related information. It is configured by using the pki domain command.

Description
Using the pki retrieval crl command, you can obtain the latest CRL from the CRL server to verify the validity of a current certificate.

For related command, see pki domain.

Example
# Retrieve a CRL.
[RouterCA] pki retrieval crl domain 1

pki validation certificate

Syntax
pki validation certificate { local | ca } domain domain-name

View
Any view

Parameter
local: indicates the validation of a local certificate.
ca: indicates the validation of a CA certificate.
domain-name: specifies the domain of the certificate to be verified. It is configured by using the pki domain command.

Description
Using the pki validation certificate command, you can verify the validity of a certificate. The validation checks the CA signature on the certificate and makes sure that the certificate is still within its validity period and has not been revoked. All certificates with authentic CA signatures pass the validation, since it is believed that the CA never issues fake certificates.

For related command, see pki domain.

Example
# Verify the validity of a certificate.
[RouterCA] pki validation certificate domain 1

PKI Displaying and Debugging Commands

debugging pki certificate

Syntax
debugging pki { request | retrieval | verify | error }
undo debugging pki { request | retrieval | verify | error }

View
Any view

Parameter
request: debugging of certificate request.
retrieval: debugging of certificate retrieval.
verify: debugging of certificate validation.
error: debugging of error cases.

Description
Using the debugging pki command, you can enable PKI debugging functions. Using the undo debugging pki command, you can disable PKI debugging functions. By default, all PKI debugging functions are disabled.

Unexpected problems do occur during device operation. Debugging commands enable the optional output and printing of debugging information, which helps network operators and developers with network monitoring and fault diagnosis.

Example
# Enable the debugging function related to errors in PKI certificate operation
[RouterCA] debugging pki error
[RouterCA] pki delete certificate ca
[RouterCA] pki request certificate 1
Certificate enroll failed!
Cannot get the CA/RA certificate when creating the x509 Request

# Enable the debugging function for PKI certificate retrieval
[RouterCA] debugging pki retrieval
[RouterCA] pki retrieval certificate local domain 1
Retrievaling CA/RA certificates. Please wait a while......
We receive 3 certificates.
The trusted CA's finger print is:
MD5 fingerprint: 74C9 B71D 406B DDB3 F74A 96BC E05B 40E9
SHA1 fingerprint: 770E 2937 4E32 ACD4 4ACC 7CF1 0FF0 6FB8 6C34 E24A
Is the finger print correct?(Y/N): y
Saving the CA/RA certificate to flash.....................Done!

# Enable the debugging function for PKI certificate request
[RouterCA] debugging pki request
[RouterCA] pki request certificate 1
Create PKCS#10 request: token seen: CN=pki test
Create PKCS#10 request: CN=pki test added
Create PKCS#10 request: subject dn set to '/CN=pki test'
Certificate Request:
…..
dir_name: certsrv/mscep/mscep.dll
host_name: 169.254.0.100
SCEP transaction id: 58D41D0C5A7B1E21C5F4A008B580B1A1
PKCS#7 envelope: creating inner PKCS#7
PKCS#7 envelope: data payload size: 297 bytes
data payload:
….
PKCS#7 envelope: successfully encrypted
PKCS#7 envelope: payload size 667 bytes
PKCS#7 envelope: creating outer PKCS#7
PKCS#7 envelope: signature added successfully
PKCS#7 envelope: adding signed attributes
PKCS#7 envelope: adding string attribute transId
PKCS#7 envelope: adding string attribute messageType
PKCS#7 envelope: adding octet attribute senderNonce
PKCS#7 envelope: PKCS#7 data written successfully
PKCS#7 envelope: applying base64 encoding
PKCS#7 envelope: base64 encoded payload size: 2145 bytes
SCEP send message: IP = 0xa9fe0064
SCEP send message: Server returned status code
Valid response from server
PKCS#7 develope: reading outer PKCS#7
PKCS#7 develope: PKCS#7 payload size: 1872 bytes
PKCS#7 develope: PKCS#7 contains 1276 bytes of enveloped data
PKCS#7 develope: verifying signature
PKCS#7 develope: signature ok
PKCS#7 develope: finding signed attributes
PKCS#7 develope: finding attribute transId
PKCS#7 develope: allocating 32 bytes for attribute
PKCS#7 develope: reply transaction id: 58D41D0C5A7B1E21C5F4A008B580B1A1
PKCS#7 develope: finding attribute messageType
PKCS#7 develope: allocating 1 bytes for attribute
PKCS#7 develope: reply message type is good
PKCS#7 develope: finding attribute senderNonce
PKCS#7 develope: allocating 16 bytes for attribute
PKCS#7 develope: senderNonce in reply:
: a6341944 28d9b544 a4755d9a ba320d35
PKCS#7 develope: finding attribute recipientNonce
PKCS#7 develope: allocating 16 bytes for attribute
PKCS#7 develope: recipientNonce in reply:
: b98da9c3 20b638c5 634f4924 65f804d9
PKCS#7 develope: finding attribute pkiStatus
PKCS#7 develope: allocating 1 bytes for attribute
PKCS#7 develope: pkistatus SUCCESS
PKCS#7 develope: reading inner PKCS#7
PKCS#7 develope: decrypting inner PKCS#7
PKCS#7 develope: PKCS#7 payload size: 1003 bytes
PKI Get the Signed Certificates:
subject: /CN=pki test
issuer: /[email protected]/C=CN/ST=Beijing/L=Beijing/O=hw3c/OU=bjs/CN=myca
Key usage: general purpose

# Enable the debugging function for PKI certificate validation
[RouterCA] debugging pki validation
[RouterCA] pki validation certificate local domain 1
Verify certificate......
Serial Number: 101E266A 00000000 006B
Issuer: [email protected] C=CN ST=Beijing L=Beijing O=hw3c OU=bjs CN=myca
Subject: C=CN ST=bei jing O=hua wei - 3com CN=pki test
Verify result: ok

Table 25 Description of PKI Debugging Information Fields

Field                    Description
Create PKCS#10 request   Encapsulation of entity request in PKCS#10 format
PKCS#7 envelope          Data encapsulation in PKCS#7 encryption format
inner PKCS#7             PKCS#7 encryption of datagram
outer PKCS#7             Signing of PKCS#7 datagram
PKCS#7 develope          De-encapsulation of PKCS#7 encrypted packet
host_name                Host name of registration server
dir_name                 CGI script directory of registration server
data payload             Data payload
token seen               DN information of an entity
pkistatus                PKI certificate operation status
SUCCESS                  Succeeded
FAILURE                  Failed
PENDING                  Waiting for processing
fingerprint              Usually the signature of CA
base64 encoded           A data encoding mode
x509 Request             Request for certificates in standard X509 format
Key usage                Encryption, signature, and other common usages
Issuer                   Certificate issuer
Subject                  The entity that delivers certificate request
SCEP send message        The entity sends a certificate operation packet to CA through SCEP
Signed certificates      Certificates signed by CA

display pki certificate

Syntax
display pki certificate { local | ca | request-status } [ domain domain-name ]

View
Any view

Parameter
local: indicates the display of all local certificates;
ca: indicates the display of all CA certificates;
request-status: refers to the status of the certificate request after being delivered;
domain-name: represents the domain of the certificate about to be verified. It is configured by using the pki domain command.

Description
Using the display pki certificate command, you can display and browse through the certificate.
For related commands, see pki retrieval certificate, pki domain, and certificate request polling.

Example
# Display the local certificates
[RouterCA] display pki certificate local domain 1
Data:
Version: 3 (0x2)
Serial Number: 10B7D4E3 00010000 0086
Signature Algorithm: md5WithRSAEncryption
Issuer: [email protected] C=CN ST=Beijing L=Beijing O=hw3c OU=bjs CN=new-ca
Validity
Not Before: Jan 13 08:57:21 2004 GMT
Not After : Jan 20 09:07:21 2005 GMT
Subject: C=CN ST=beijing L=beijing CN=pki test
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit): 00D41D1F …
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS: hyf.-3com.com
… …
Signature Algorithm: md5WithRSAEncryption
A3A5A447 4D08387D …

display pki crl

Syntax
display pki crl [ domain domain-name ]

View
Any view

Parameter
domain-name: represents the domain of the certificate about to be verified. It is configured by using the pki domain command.

Description
Using the display pki crl command, you can display and browse through the locally saved CRL.
For related commands, see pki retrieval crl, and pki domain.

Example
# Display a CRL
[RouterCA] display pki crl domain 1
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN O=h3c OU=soft CN=A Test Root
Last Update: Jan 5 08:44:19 2004 GMT
Next Update: Jan 5 21:42:13 2004 GMT
CRL extensions:
X509v3 CRL Number: 2
X509v3 Authority Key Identifier:
keyid:0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC
Revoked Certificates:
Serial Number: 05a234448E…
Revocation Date: Sep 6 12:33:22 2004 GMT
CRL entry extensions:……
Serial Number: 05a278445E…
Revocation Date: Sep 7 12:33:22 2004 GMT
CRL entry extensions:…

HWTACACS Configuration Commands
data-flow-format

Syntax
data-flow-format data [ byte | giga-byte | kilo-byte | mega-byte ]
data-flow-format packet [ giga-packet | kilo-packet | mega-packet | one-packet ]
undo data-flow-format [ data | packet ]

View
HWTACACS view

Parameter
data: Sets data unit.
byte: Sets 'byte' as the unit of data flow.
giga-byte: Sets 'giga-byte' as the unit of data flow.
kilo-byte: Sets 'kilo-byte' as the unit of data flow.
mega-byte: Sets 'mega-byte' as the unit of data flow.
packet: Sets data packet unit.
giga-packet: Sets 'giga-packet' as the unit of packet flow.
kilo-packet: Sets 'kilo-packet' as the unit of packet flow.
mega-packet: Sets 'mega-packet' as the unit of packet flow.
one-packet: Sets 'one-packet' as the unit of packet flow.

Description
Using the data-flow-format command, you can configure the unit of data flow that is sent to the HWTACACS server. Using the undo data-flow-format command, you can restore the default setting.
By default, the data unit is byte and the data packet unit is one-packet.
For the related command, see display HWTACACS.

Example
# Set the unit of data flow destined for the HWTACACS server "3com" to be kilo-byte and the data packet unit to be kilo-packet.
[3com-HWTACACS-3com] data-flow-format data kilo-byte packet kilo-packet

debugging HWTACACS

Syntax
debugging HWTACACS { all | error | event | message | receive-packet | send-packet }
undo debugging HWTACACS { all | error | event | message | receive-packet | send-packet }

View
User view

Parameter
all: Specifies all HWTACACS debugging.
error: Specifies error debugging.
event: Specifies event debugging.
message: Specifies message debugging.
receive-packet: Specifies incoming packet debugging.
send-packet: Specifies outgoing packet debugging.

Description
Using the debugging HWTACACS command, you can enable HWTACACS debugging. Using the undo debugging HWTACACS command, you can disable HWTACACS debugging.
By default, HWTACACS debugging is disabled.

Example
# Enable the event debugging of HWTACACS.
<3com> debugging HWTACACS event

display HWTACACS

Syntax
display HWTACACS [ HWTACACS-scheme-name ]

View
Any view

Parameter
HWTACACS-scheme-name: Scheme name of the HWTACACS server, a string of 1 to 32 case-insensitive characters, excluding "/", ":", "*", "?", "<" and ">". If this argument is omitted, configuration information of all HWTACACS schemes is displayed.

Description
Using the display HWTACACS command, you can view configuration information of one or all HWTACACS schemes.
By default, configuration information of all HWTACACS schemes is displayed.
For the related command, see HWTACACS scheme.

Example
# View configuration information of all HWTACACS schemes.
<3com> display HWTACACS

display stop-accounting-buffer

Syntax
display stop-accounting-buffer HWTACACS-scheme HWTACACS-scheme-name

View
Any view

Parameter
HWTACACS-scheme HWTACACS-scheme-name: Displays information on buffered stop-accounting requests related to the HWTACACS scheme specified by HWTACACS-scheme-name, a character string not exceeding 32 characters and excluding "/", ":", "*", "?", "<" and ">".

Description
Using the display stop-accounting-buffer command, you can view information on the stop-accounting requests buffered in the router.
For the related commands, see reset stop-accounting-buffer, stop-accounting-buffer enable, and retry stop-accounting.

Example
# Display information on the buffered stop-accounting requests related to the HWTACACS scheme "3com".
<3com> display stop-accounting-buffer HWTACACS-scheme 3com

HWTACACS scheme

Syntax
HWTACACS scheme HWTACACS-scheme-name
undo HWTACACS scheme HWTACACS-scheme-name

View
System view

Parameter
HWTACACS-scheme-name: Specifies an HWTACACS server scheme, with a character string of 1 to 32 characters.

Description
Using the HWTACACS scheme command, you can enter HWTACACS Server view. If the specified HWTACACS server scheme does not exist, you can create a new HWTACACS scheme. Using the undo HWTACACS scheme command, you can delete an HWTACACS scheme.

Example
# Create an HWTACACS scheme named "test1" and enter the relevant HWTACACS Server view.
[3com] HWTACACS scheme test1
[3com-HWTACACS-test1]

key

Syntax
key { accounting | authentication | authorization } string
undo key { accounting | authentication | authorization } string

View
HWTACACS view

Parameter
accounting: Shared key of the accounting server.
authentication: Shared key of the authentication server.
authorization: Shared key of the authorization server.
string: The shared key, a string up to 16 characters excluding the characters "/", ":", "*", "?", "<", and ">".

Description
Using the key command, you can configure a shared key for HWTACACS authentication, authorization or accounting. Using the undo key command, you can delete the configuration.
By default, no key is set.
The HWTACACS client (the router system) and HWTACACS server use the MD5 algorithm to encrypt the exchanged packets. The two ends verify packets using a shared key. Only when the same key is used can both ends accept the packets from each other and give responses. So it is necessary to ensure that the same key is set on the router and the HWTACACS server. If the authentication/authorization and accounting are performed on two server devices with different shared keys, you must set one shared key for each.
For the related command, see display HWTACACS.

Example
# Use "hello" as the shared key for HWTACACS accounting.
[3com] HWTACACS scheme test1
[3com-HWTACACS-test1] key accounting hello

nas-ip

Syntax
nas-ip ip-address
undo nas-ip

View
HWTACACS view

Parameter
ip-address: IP address in dotted decimal format.

Description
Using the nas-ip command, you can have all the HWTACACS packets sent by the NAS (the router) carry the same source address. Using the undo nas-ip command, you can delete the setting.
Specifying a source address for the HWTACACS packets to be transmitted can avoid the situation where the packets sent back by the HWTACACS server cannot be received as the result of a physical interface failure. The address of a loopback interface is usually used as the source address.
By default, the source IP address of an HWTACACS packet sent by the NAS is the IP address of the output port.
For the related command, see display HWTACACS.

Example
# Set the source IP address carried in the HWTACACS packets that are sent by the NAS to 10.1.1.1.
[3com] HWTACACS scheme test1
[3com-HWTACACS-test1] nas-ip 10.1.1.1

primary accounting

Syntax
primary accounting ip-address [ port ]
undo primary accounting

View
HWTACACS view

Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.

Description
Using the primary accounting command, you can configure a primary HWTACACS accounting server. Using the undo primary accounting command, you can delete the configured primary HWTACACS accounting server.
By default, the IP address of the HWTACACS accounting server is all zeros.
You are not allowed to assign the same IP address to both primary and secondary accounting servers.
You can configure only one primary accounting server in an HWTACACS scheme. If you repeatedly use this command, the latest configuration replaces the previous one.
You can remove an accounting server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.

Example
# Configure a primary accounting server.
[3com] HWTACACS scheme test1
[3com-HWTACACS-test1] primary accounting 10.163.155.12 49

primary authentication

Syntax
primary authentication ip-address [ port ]
undo primary authentication

View
HWTACACS view

Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.

Description
Using the primary authentication command, you can configure a primary HWTACACS authentication server. Using the undo primary authentication command, you can delete the configured authentication server.
By default, the IP address of the HWTACACS authentication server is all zeros.
You are not allowed to assign the same IP address to both primary and secondary authentication servers.
You can configure only one primary authentication server in an HWTACACS scheme. If you repeatedly use this command, the latest configuration replaces the previous one.
You can remove an authentication server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.
For the related command, see display HWTACACS.

Example
# Configure a primary authentication server.
[3com] HWTACACS scheme test1
[3com-HWTACACS-test1] primary authentication 10.163.155.13 49

primary authorization

Syntax
primary authorization ip-address [ port ]
undo primary authorization

View
HWTACACS view

Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.

Description
Using the primary authorization command, you can configure a primary HWTACACS authorization server. Using the undo primary authorization command, you can delete the configured primary authorization server.
By default, the IP address of the HWTACACS authorization server is all zeros.
You are not allowed to assign the same IP address to both primary and secondary authorization servers.
You can configure only one primary authorization server in an HWTACACS scheme. If you repeatedly use this command, the latest configuration replaces the previous one.
You can remove an authorization server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.
For the related command, see display HWTACACS.

Example
# Configure a primary authorization server.
[3com] HWTACACS scheme test1
[3com-HWTACACS-test1] primary authorization 10.163.155.13 49

reset HWTACACS statistics

Syntax
reset HWTACACS statistics { accounting | authentication | authorization | all }

View
User view

Parameter
accounting: Clears all the HWTACACS accounting statistics.
authentication: Clears all the HWTACACS authentication statistics.
authorization: Clears all the HWTACACS authorization statistics.
all: Clears all statistics.

Description
Using the reset HWTACACS statistics command, you can clear HWTACACS protocol statistics.
For the related command, see display HWTACACS.

Example
# Clear all HWTACACS protocol statistics.
<3com> reset HWTACACS statistics all


reset stop-accounting-buffer

Syntax
reset stop-accounting-buffer HWTACACS-scheme HWTACACS-scheme-name

View
User view

Parameter
HWTACACS-scheme HWTACACS-scheme-name: Deletes the stop-accounting requests from the buffer according to the specified HWTACACS scheme name. HWTACACS-scheme-name specifies the HWTACACS scheme name with a character string not exceeding 32 characters, excluding "/", ":", "*", "?", "<" and ">".

Description
Using the reset stop-accounting-buffer command, you can clear the stop-accounting requests that have no response and are buffered on the router.
For the related commands, see stop-accounting-buffer enable, retry stop-accounting, and display stop-accounting-buffer.

Example
# Delete the buffered stop-accounting requests that are related to the HWTACACS scheme "3com".
<3com> reset stop-accounting-buffer HWTACACS-scheme 3com

retry stop-accounting

Syntax
retry stop-accounting retry-times
undo retry stop-accounting

View
HWTACACS view

Parameter
retry-times: The maximum number of real-time accounting request attempts. It is in the range 1 to 300 and defaults to 100.

Description
Using the retry stop-accounting command, you can enable stop-accounting packet retransmission and configure the maximum number of stop-accounting request attempts. Using the undo retry stop-accounting command, you can restore the default setting.
By default, stop-accounting packet retransmission is enabled and up to 100 packets are allowed to be transmitted for each request.
For the related commands, see reset stop-accounting-buffer, HWTACACS scheme, and display stop-accounting-buffer.

Example
# Enable stop-accounting packet retransmission and allow up to 50 packets to be transmitted for each request.
[3com] retry stop-accounting 50

secondary accounting

Syntax
secondary accounting ip-address [ port ]
undo secondary accounting

View
HWTACACS view

Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.

Description
Using the secondary accounting command, you can configure a secondary HWTACACS accounting server. Using the undo secondary accounting command, you can delete the configured secondary HWTACACS accounting server.
By default, the IP address of the HWTACACS accounting server is all zeros.
You are not allowed to assign the same IP address to both primary and secondary accounting servers.
You can configure only one secondary accounting server in an HWTACACS scheme. If you repeatedly use this command, the latest configuration replaces the previous one.
You can remove an accounting server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.

Example
# Configure a secondary accounting server.
[3com] HWTACACS scheme test1
[3com-HWTACACS-test1] secondary accounting 10.163.155.12 49

secondary authentication

Syntax
secondary authentication ip-address [ port ]
undo secondary authentication

View
HWTACACS view

Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.

Description
Using the secondary authentication command, you can configure a secondary HWTACACS authentication server. Using the undo secondary authentication command, you can delete the configured secondary authentication server.
By default, the IP address of the HWTACACS authentication server is all zeros.
You are not allowed to assign the same IP address to both primary and secondary authentication servers.
You can configure only one primary authentication server in an HWTACACS scheme. If you repeatedly use this command, the latest configuration replaces the previous one.
You can remove an authentication server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.
For the related command, see display HWTACACS.

Example
# Configure a secondary authentication server.
[3com] HWTACACS scheme test1
[3com-HWTACACS-test1] secondary authentication 10.163.155.13 49

secondary authorization

Syntax
secondary authorization ip-address [ port ]
undo secondary authorization

View
HWTACACS view

Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, ranging from 1 to 65535. By default, it is 49.

Description
Using the secondary authorization command, you can configure a secondary HWTACACS authorization server. Using the undo secondary authorization command, you can delete the configured secondary authorization server.
By default, the IP address of the HWTACACS authorization server is all zeros.
You are not allowed to assign the same IP address to both primary and secondary authorization servers.
You can configure only one primary authorization server in an HWTACACS scheme. If you repeatedly use this command, the latest configuration replaces the previous one.
You can remove an authorization server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.
For the related command, see display HWTACACS.

Example
# Configure the secondary authorization server.
[3com] HWTACACS scheme test1
[3com-HWTACACS-test1] secondary authorization 10.163.155.13 49

HWTACACS nas-ip

Syntax
HWTACACS nas-ip ip-address
undo HWTACACS nas-ip

View
System view

Parameter
ip-address: Specifies a source IP address, which must be the address of this device. It cannot be the address of all zeros, or a host/network address of class A, B, or C, or an address starting with 127.

Description
Using the HWTACACS nas-ip command, you can specify the source address of the HWTACACS packets sent from the NAS. Using the undo HWTACACS nas-ip command, you can restore the default setting.
By specifying the source address of the HWTACACS packets, you can prevent packets returned by the server from becoming unreachable when an interface fails. A loopback interface address is normally recommended as the source address.
By default, the source address is not specified, that is, the address of the interface sending the packet serves as the source address.
This command specifies only one source address; therefore, the newly configured source address may overwrite the original one.

Example
# Configure the router to send HWTACACS packets from 129.10.10.1.
[3com] HWTACACS nas-ip 129.10.10.1


timer quiet

Syntax
timer quiet minutes
undo timer quiet

View
HWTACACS view

Parameter
minutes: Ranges from 1 to 255 minutes. By default, the primary server must wait five minutes before it resumes the active state.

Description
Using the timer quiet command, you can set the duration that a primary server must wait before it can resume the active state. Using the undo timer quiet command, you can restore the default (five minutes).
For the related command, see display HWTACACS.

Example
# Set the quiet timer for the primary server to ten minutes.
[3com] HWTACACS scheme test1
[3com-HWTACACS-test1] timer quiet 10

timer realtime-accounting

Syntax
timer realtime-accounting minutes
undo timer realtime-accounting

View
HWTACACS view

Parameter
minutes: Real-time accounting interval, which is a multiple of 3 in the range 3 to 60 minutes and defaults to 12.

Description
Using the timer realtime-accounting command, you can configure a real-time accounting interval. Using the undo timer realtime-accounting command, you can restore the default interval.
A real-time accounting interval is necessary for real-time accounting. After an interval value is set, the NAS transmits the accounting information of online users to the HWTACACS accounting server at intervals of this value.
The setting of the real-time accounting interval depends somewhat on the performance of the NAS and the HWTACACS server: a shorter interval requires higher device performance. You are therefore recommended to adopt a longer interval when there are a large number of users (1000 or more). The following table recommends the ratio of minutes to the number of users.

Table 26 Recommended ratio of minutes to the number of users
Number of Users | Real-time Accounting Interval (minute)
1-99 | 3
100-499 | 6
500-999 | 12
>=1000 | >=15

For the related commands, see retry realtime-accounting and radius scheme.

Example
# Set the real-time accounting interval in the HWTACACS scheme "3com" to 51 minutes.
[3com-HWTACACS-3com] timer realtime-accounting 51

timer response-timeout

Syntax
timer response-timeout seconds
undo timer response-timeout

View
HWTACACS view

Parameter
seconds: Ranges from 1 to 300 seconds and defaults to five seconds.

Description
Using the timer response-timeout command, you can set the response timeout timer of the HWTACACS server. Using the undo timer response-timeout command, you can restore the default (five seconds).
As HWTACACS is based on TCP, either the server response timeout or the TCP timeout may cause disconnection from the HWTACACS server.
For the related command, see display HWTACACS.

Example
# Set the response timeout time of the HWTACACS server to 30 seconds.
[3com] HWTACACS scheme test1
[3com-HWTACACS-test1] timer response-timeout 30

user-name-format

Syntax
user-name-format { with-domain | without-domain }

View
HWTACACS view

Parameter
with-domain: Specifies to send the username with domain name to the HWTACACS server.
without-domain: Specifies to send the username without domain name to the HWTACACS server.

Description
Using the user-name-format command, you can configure the username format sent to the HWTACACS server.
By default, an HWTACACS scheme assumes that the username sent to it includes the ISP domain name.
The supplicants are generally named in "userid@isp-name" format. The part following "@" is the ISP domain name. The router puts users into ISP domains according to these domain names. However, some earlier HWTACACS servers reject a username that includes the ISP domain name. In this case, the username is sent to the HWTACACS server after its domain name is removed. Accordingly, the router provides this command to decide whether the username sent to the HWTACACS server carries the ISP domain name or not.
If an HWTACACS scheme is configured to reject usernames including ISP domain names, the HWTACACS scheme shall not be used in more than one ISP domain at the same time. Otherwise, the HWTACACS server will mistakenly regard two users in different ISP domains as the same user if they have the same username (excluding their respective domain names).
For the related commands, see HWTACACS scheme.

Example
# Specify to send the username without domain name to the HWTACACS scheme "3com".
[3com-HWTACACS-3com] user-name-format without-domain
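
The limits stated for the HWTACACS commands above (key length, port range, distinct primary and secondary servers, timer ranges, Table 26, and the without-domain restriction) can be checked before a scheme is deployed. The following Python linter is an added example, not 3Com code; the dictionary layout, function names and the BAD_SCHEME values are assumptions made for illustration.

```python
import ipaddress

FORBIDDEN = set('/:*?<>')   # characters the reference excludes from scheme names and keys
KINDS = ("accounting", "authentication", "authorization")
RANGES = {                  # command: (low, high), as documented in this section
    "timer quiet": (1, 255),                # minutes
    "timer response-timeout": (1, 300),     # seconds
    "timer realtime-accounting": (3, 60),   # minutes, must also be a multiple of 3
    "retry stop-accounting": (1, 300),      # attempts
}
TABLE_26 = [(99, 3), (499, 6), (999, 12)]   # (largest user count, recommended minutes)


def recommended_interval(users):
    """Real-time accounting interval Table 26 recommends for a number of users."""
    for max_users, minutes in TABLE_26:
        if users <= max_users:
            return minutes
    return 15   # the ">=1000" row recommends ">=15"


def check_server(label, ip_text, port):
    """Findings for one 'ip-address [ port ]' pair."""
    found = []
    try:
        ip = ipaddress.IPv4Address(ip_text)
        if ip.is_multicast or ip.is_unspecified or int(ip) == 0xFFFFFFFF:
            found.append(f"{label}: {ip_text} is not a unicast address")
    except ipaddress.AddressValueError:
        found.append(f"{label}: {ip_text!r} is not a dotted decimal address")
    if not 1 <= port <= 65535:
        found.append(f"{label}: port {port} is outside 1-65535")
    return found


def lint_scheme(scheme, isp_domains=(), online_users=None):
    """Return findings for a scheme held as a dict (hypothetical representation)."""
    found = []
    name = scheme.get("name", "")
    if not 1 <= len(name) <= 32 or FORBIDDEN & set(name):
        found.append(f"scheme name {name!r}: need 1-32 characters without / : * ? < >")
    for kind, key in scheme.get("key", {}).items():
        # Report the kind of key only, never the key itself.
        if len(key) > 16 or FORBIDDEN & set(key):
            found.append(f"key {kind}: need at most 16 characters without / : * ? < >")
    for kind in KINDS:
        addresses = []
        for role in ("primary", "secondary"):
            entry = scheme.get(role, {}).get(kind)
            if entry:
                ip_text, port = entry
                addresses.append(ip_text)
                found += check_server(f"{role} {kind}", ip_text, port)
        if len(addresses) == 2 and addresses[0] == addresses[1]:
            found.append(f"{kind}: primary and secondary share {addresses[0]}")
    for command, (low, high) in RANGES.items():
        value = scheme.get(command)
        if value is not None and not low <= value <= high:
            found.append(f"{command} {value}: outside {low}-{high}")
    interval = scheme.get("timer realtime-accounting", 12)   # 12 is the documented default
    if interval % 3:
        found.append(f"timer realtime-accounting {interval}: not a multiple of 3")
    if online_users is not None and interval < recommended_interval(online_users):
        found.append(f"timer realtime-accounting {interval}: Table 26 recommends "
                     f">= {recommended_interval(online_users)} for {online_users} users")
    if scheme.get("user-name-format") == "without-domain" and len(set(isp_domains)) > 1:
        found.append("user-name-format without-domain: scheme serves "
                     f"{len(set(isp_domains))} ISP domains, same-named users will collide")
    return found


# Scheme assembled from the example commands in this section.
PAGE_SCHEME = {
    "name": "test1",
    "key": {"accounting": "hello"},
    "primary": {"accounting": ("10.163.155.12", 49),
                "authentication": ("10.163.155.13", 49)},
    "timer quiet": 10,
    "timer realtime-accounting": 51,
    "timer response-timeout": 30,
}

# Constructed scheme that breaks several documented limits.
BAD_SCHEME = {
    "name": "branch/1",
    "key": {"authentication": "0123456789abcdefg"},      # 17 characters
    "primary": {"accounting": ("10.0.0.5", 49)},
    "secondary": {"accounting": ("10.0.0.5", 70000)},
    "timer realtime-accounting": 10,
    "user-name-format": "without-domain",
}

if __name__ == "__main__":
    for finding in lint_scheme(BAD_SCHEME, isp_domains=["isp-a", "isp-b"], online_users=1200):
        print(finding)
```

The findings name the command and the violated limit but never echo a shared key, so the output can be kept in change records.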

10 L2TP CONFIGURATION COMMANDS

allow l2tp

Syntax
allow l2tp virtual-template virtual-template-number remote remote-name [ domain domain-name ]
undo allow

View
L2TP group view

Parameter
virtual-template-number: Specifies the virtual template used when creating a new virtual access interface, an integer ranging from 0 to 1023.
remote-name: Specifies the name of the peer end of the tunnel that initiates the connection request, a case-sensitive character string with length ranging from 1 to 30.
domain-name: Specifies the name of the enterprise, with length ranging from 1 to 30.

Description
Using the allow l2tp command, you can specify the name of the peer end of the tunnel from which calls are received, and the virtual template it uses. Using the undo allow command, you can remove the name of the peer end of the tunnel.
By default, receiving calls is disabled.
This command is used on the LNS side. For the multi-instance application of L2TP, the domain-name parameter must be configured.
When using L2TP group number 1 (the default L2TP group number), the name of the peer end of the tunnel (remote-name) can be left unspecified. The format of the command in group 1 configuration mode is as follows:
allow l2tp virtual-template virtual-template-number [ remote remote-name ] [ domain domain-name ]

If the peer end name is still specified in the L2TP group 1 configuration, L2TP group 1 does not serve as the default L2TP group. For example, in Windows 2000 beta 2, the local name of a VPN connection is NONE, so the peer end name that the router receives is NONE. To receive the tunnel connection requests sent by this kind of nameless peer end, or for testing, a default L2TP group can be configured.
The allow l2tp command is used on the LNS side. If the peer end name of the tunnel is configured, it must match the name of the local end configured on the LAC side.
For the related command, see l2tp-group.

Example
# Receive L2TP tunnel connection requests sent by the LAC peer end AS8010, and create the virtual access interface on virtual-template 1.
[3Com-l2tp2] allow l2tp virtual-template 1 remote AS8010

# Make L2TP group 1 the default L2TP group, receiving L2TP tunnel connection requests sent by any peer end, and create the virtual access interface according to virtual-template 1.
[3Com] l2tp-group 1
[3Com-l2tp1] allow l2tp virtual-template 1

debugging l2tp

Syntax
debugging l2tp { all | control | dump | error | event | hidden | payload | time-stamp }
undo debugging l2tp { all | control | error | event | hidden | payload | time-stamp }

View
System view

Parameter
all: Enables all L2TP debugging.
control: Enables control packet debugging.
dump: Enables PPP packet debugging.
error: Enables error debugging.
event: Enables event debugging.
hidden: Enables hidden AVP debugging.
payload: Enables L2TP payload debugging.
time-stamp: Enables time-stamp debugging.

Description
Using the debugging l2tp command, you can enable L2TP debugging. Using the undo debugging l2tp command, you can disable L2TP debugging.

Example
# Enable all L2TP debugging.
<3Com> debugging l2tp all

display l2tp session

Syntax
display l2tp session

View
Any view

Parameter
None

Description
Using the display l2tp session command, you can display the current L2TP sessions. The output helps the user confirm which L2TP sessions are currently established.
For the related command, see display l2tp tunnel.

Example
# Display the current L2TP session.
<3Com> display l2tp session
LocalSID RemoteSID LocalTID
1 1 2

Table 1 Domain description in displayed information of the display l2tp session command
Domain | Description
Total session | Number of sessions
LocalSID | The number uniquely identifying the local session
RemoteSID | The number uniquely identifying the peer session
LocalTID | The local ID number of the tunnel

display l2tp tunnel

Syntax
display l2tp tunnel

View
Any view

Parameter
None

Description
Using the display l2tp tunnel command, you can display the information of the current L2TP tunnels. The output helps the user confirm which L2TP tunnels are currently established.
For the related command, see display l2tp session.

Example
# Display the information of the current L2TP tunnel.
<3Com> display l2tp tunnel
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
2 22849 11.1.1.1 1701 1 lns
Total tunnel = 1

Table 2 Domain description in displayed information of the display l2tp tunnel command
Domain | Description
Total tunnels | Number of tunnels
LocalTID | The number uniquely identifying the local tunnel
RemoteTID | The number uniquely identifying the peer tunnel
Remote Name | Name of the peer end
RemoteAddress | IP address of the peer end
Port | Port number of the peer end
Sessions | Number of sessions on the tunnel

interface virtual-template

Syntax
interface virtual-template virtual-template-number
undo interface virtual-template virtual-template-number

View
System view

Parameter
virtual-template-number: Identifies the serial number of the virtual template, an integer ranging from 0 to 1023.

Description
Using the interface virtual-template command, you can create a virtual template. Using the undo interface virtual-template command, you can delete a virtual template.
By default, no virtual template is created.
The virtual template is mainly used to configure parameters of the virtual interfaces that the router creates dynamically in operation, such as the MP bundled logical interface and the L2TP logical interface.
For the related command, see allow l2tp.

Example
# Create virtual template 1 and enter its view.
[3Com] interface virtual-template 1

l2tp domain prefix-separator

Syntax
l2tp domain prefix-separator separator
undo l2tp domain prefix-separator separator

View
System view

Parameter
prefix-separator: Indicates that the specified delimiter is a prefix delimiter, as in 3Com.com#vpdnuser.
separator: Identifies the domain name delimiter. Valid domain name delimiters include “%”, “@”, “#” and “/”.

Description
Using the l2tp domain prefix-separator command, you can specify the delimiter that serves as prefix delimiter. Using the undo l2tp domain prefix-separator command, you can delete the configured prefix delimiter.
By default, no domain name delimiter serving as prefix delimiter exists.
The l2tp domain prefix-separator command is used to specify one or more domain name delimiters serving as prefix delimiters. Based on the first successful delimiter, the domain name can be separated from the username by the domain name delimiter. In this case, the domain name specified by the start l2tp command can be used on VPDN to search for such a domain name. If there is such a domain name, it indicates that the user is a VPN user, and needs to establish a VPN tunnel connection with the LNS of the user.
A character that serves as a prefix delimiter cannot be used as a suffix delimiter any more, and vice versa. This means that one character cannot serve as prefix and suffix delimiter simultaneously.
In the L2TP multi-instance application, the l2tp domain command must be configured on the LNS side to separate the domain name of the enterprise from the username, so as to search with the domain name specified by the allow l2tp command on VPDN and check whether there is a corresponding enterprise domain name before performing the related route forwarding.
For the related command, see l2tp domain suffix-separator, start l2tp.

Example
# Specify the domain name as prefix and delimit the prefix and the username with “#”.
[3Com] l2tp domain prefix-separator #

# Set the prefix to be delimited by three delimiters: “#”, “@”, and “%”.
[3Com] l2tp domain prefix-separator #@%

l2tp domain suffix-separator

Syntax
l2tp domain suffix-separator separator
undo l2tp domain suffix-separator separator

View
System view

Parameter
suffix-separator: Suffix delimiter, such as [email protected].
separator: Domain name delimiter. Valid domain name delimiters include “%”, “@”, “#” and “/”.

Description
Using the l2tp domain suffix-separator command, you can specify the delimiter used as a suffix delimiter. Using the undo l2tp domain suffix-separator command, you can delete the configured suffix delimiter. By default, no domain name delimiter exists.

The l2tp domain suffix-separator command is used to specify one or more suffix delimiters. Based on the first successful delimiter, the domain name can be separated from the username. In this case, the domain name specified by the start l2tp command can be used on VPDN to search for such a domain name. If there is such a domain name, it indicates that the user is a VPN user and needs to establish a VPN tunnel connection with the LNS of the user.

A character that serves as a prefix delimiter cannot also be used as a suffix delimiter, and vice versa. This means that one character cannot serve as prefix and suffix delimiter simultaneously.

In the L2TP multi-instance application, the l2tp domain command must be configured on the LNS side to separate the domain name of the enterprise from the username, so as to search with the domain name specified by the allow l2tp command on VPDN and check whether there is a corresponding enterprise domain name before performing the related route forwarding.

For the related command, see l2tp domain prefix-separator, start l2tp.

Example
# Specify the domain name as a suffix, separated from the username by “@”.
[3Com] l2tp domain suffix-separator @

# Sets the suffix to be delimited by two delimiters: “@”, and “%”.
[3Com] l2tp domain suffix-separator @%

l2tp enable

Syntax
l2tp enable
undo l2tp enable

View
System view

Parameter
None

Description
Using the l2tp enable command, you can enable the L2TP function. Using the undo l2tp enable command, you can disable the L2TP function. By default, the L2TP function is disabled.

These commands are used to enable or disable the L2TP function. Only when this function is enabled can the L2TP service be implemented.

For the related command, see l2tp-group.

Example
# Enable the L2TP function on the router.
[3Com] l2tp enable

l2tp match-order

Syntax
l2tp match-order { dnis-domain | dnis | domain-dnis | domain }
undo l2tp match-order

View
System view

Parameter
dnis-domain: Searches for the L2TP group by called number first, then by domain name.
dnis: Searches for the L2TP group only by called number.
domain-dnis: Searches for the L2TP group by domain name first, then by called number.
domain: Searches for the L2TP group only by domain name.

Description
Using the l2tp match-order command, you can set the search order of the called number and domain name. Using the undo l2tp match-order command, you can reset the search order to the default. By default, the L2TP group is searched by called number before domain name, that is, dnis-domain is adopted.

In the multi-instance application, the domain search is the only option at the LNS side.

In a practical search, the full username is searched first, and then the search proceeds in the configured order.

Delimiters fall into two types, prefix delimiter and suffix delimiter, and can be any of the four special characters “@”, “#”, “%” and “/”. A username with a prefix delimiter looks like 3Com.com#vpdnuser; one with a suffix delimiter looks like [email protected]. During a search, the username and domain name are separated according to the prefix/suffix delimiter and the search follows only the defined rule, which greatly accelerates the search.

In the multi-instance application of L2TP, many enterprises share a single LNS, and the enterprises are distinguished from each other by their domain names. When the LNS receives a packet sent by the LAC, the domain name is extracted from the username in the packet, and the enterprise domain names registered on the LNS are checked to find one matching the received domain name. Obviously, the l2tp match-order domain command must be used to set the search policy to accelerate search speed.

Example
# Search only according to domain name.
[3Com] l2tp match-order domain

l2tpmoreexam enable

Syntax
l2tpmoreexam enable
undo l2tpmoreexam enable

View
System view

Parameter
None

Description
This command serves the LNS side of L2TP.

Using the l2tpmoreexam enable command, you can enable the multi-instance function of L2TP. Using the undo l2tpmoreexam enable command, you can disable the function. By default, the L2TP multi-instance function is disabled.

The service can be deployed only after the multi-instance function is enabled.

The related command is l2tp enable.

Example
# Enable the multi-instance function at the LNS side.
[3Com] l2tpmoreexam enable

l2tp-group

Syntax
l2tp-group group-number
undo l2tp-group group-number

View
System view

Parameter
group-number: Number of the L2TP group, an integer ranging from 1 to 1000.

Description
Using the l2tp-group command, you can create an L2TP group. Using the undo l2tp-group command, you can delete an L2TP group. By default, no L2TP group is created.

The l2tp-group command is used to create an L2TP group (L2TP group 1 can be the default L2TP group). After an L2TP group is deleted by the undo l2tp-group command, all configured information of the group is deleted as well.

For the related command, see allow l2tp, start l2tp.

Example
# Create L2TP group 2 and enter L2TP group 2 view.
[3Com] l2tp-group 2
[3Com-l2tp2]

mandatory-chap

Syntax
mandatory-chap
undo mandatory-chap

View
L2TP group view

Parameter
None

Description
Using the mandatory-chap command, you can force the LNS to perform CHAP authentication again with the client. Using the undo mandatory-chap command, you can disable CHAP re-authentication. By default, CHAP re-authentication is not performed.

After agent authentication of the client is performed on the LAC, the LNS authenticates the client again, so as to increase security. If the mandatory-chap command is used, a VPN client whose tunnel connection is initiated by the access server is authenticated twice: once on the access server, and once on the LNS side. Some PPP clients may not support the second authentication. In this case, CHAP authentication at the local end will fail.

For the related command, see mandatory-lcp.

Example
# Force CHAP authentication to be performed.
[3Com-l2tp1] mandatory-chap

mandatory-lcp

Syntax
mandatory-lcp
undo mandatory-lcp

View
L2TP group view

Parameter
None

Description
Using the mandatory-lcp command, you can renegotiate the Link Control Protocol between the LNS and the client. Using the undo mandatory-lcp command, you can disable LCP renegotiation. By default, the LCP is not renegotiated.

For a NAS-Initialized VPN client, PPP negotiation is first performed with the NAS (Network Access Server) at the beginning of a PPP session. If the negotiation succeeds, the access server initiates the tunnel connection and transmits the information collected during negotiation with the client to the LNS. The LNS judges whether the user is legal according to the received agent authentication information. The mandatory-lcp command can be used to force the LNS and the client to renegotiate LCP. In this case, the NAS agent authentication information is ignored. If a PPP client does not support LCP renegotiation, LCP renegotiation will fail.

For the related command, see mandatory-chap.

Example
# Enable LCP renegotiation.
[3Com-l2tp1] mandatory-lcp

reset l2tp tunnel

Syntax
reset l2tp tunnel { remote-name | tunnel-id }

View
User view

Parameter
remote-name: Name of the peer end of the tunnel, a character string with the length ranging from 1 to 30.
tunnel-id: Local ID number of the tunnel.

Description
Using the reset l2tp tunnel command, you can clear the specified tunnel connection, and clear all session connections in the tunnel.

The reset l2tp tunnel command is used to clear a tunnel connection compulsorily. When the peer end user calls in again, the tunnel connection can be reestablished. If no tunnel connection satisfies the requirement, the current tunnel connection is not affected. If several tunnel connections satisfy the requirement (with the same name but different IP addresses), all tunnel connections that satisfy the requirement are cleared. When the tunnel-id is specified, only the corresponding tunnel connection is disconnected.

For the related command, see display l2tp tunnel.

Example
# Clear the tunnel connection of the peer end named AS8010.
<3Com> reset l2tp tunnel AS8010

start l2tp

Syntax
start l2tp { ip ip-addr [ ip ip-addr ] [ ip ip-addr ] ... } { domain domain-name | dnis dialed-number | fullusername user-name }
undo start

View
L2TP group view

Parameter
ip ip-addr: IP address of the peer end of the tunnel (LNS). At most five can be set, forming backup LNSs for each other.
domain-name: Domain name triggering the connection request, a character string with the length ranging from 1 to 30, case sensitive.
dialed-number: Number dialed by the user triggering the connection request, a numeric character string with the length ranging from 1 to 64.
user-name: Full username triggering the connection request, a character string with the length ranging from 1 to 32, case sensitive.

Description
Using the start l2tp command, you can specify the trigger condition under which the local end, acting as the L2TP LAC, sends connection requests. Using the undo start l2tp command, you can delete the specified trigger condition.

This command is used on the LAC side to specify the IP address of the LNS and supports several ways of triggering connection requests, for instance:

- Initiating a tunnel connection request according to the user’s domain name. For example, if the domain name of the user’s company is 3Com.com, the user with the domain name 3Com.com can be specified as a VPN user.
- Deciding whether the user is a VPN user according to the called number of the user. For example, if the number 8810188 is specified as a special service number, the access user who dials this number is a VPN user.
- Specifying the user as a VPN user directly through the full username.

If the user is found to be a VPN user, the local end (LAC) sends an L2TP tunnel connection request to a certain LNS according to the configured LNS priority or order. After receiving a response from the LNS, the LNS will serve as the peer end of the tunnel. Otherwise, the LAC sends the tunnel connection request to the next LNS.

Conflicts may exist between these ways of judging VPN users. For example, the LNS address specified according to full username is 1.1.1.1, while that according to domain name is 1.1.1.2. In this case, the order in which users are searched must be specified. The search sequence is: first check by full username whether an L2TP group specified according to the username exists. If nothing is found, search according to the sequence of domain name and dialed number, which is set by the l2tp match-order command.

For the related command, see l2tp domain prefix-separator, l2tp domain suffix-separator, l2tp match-order.

Example
# Judge VPN users according to domain name “3Com.com”, with the corresponding IP address of the L2TP access server of the headquarters being 202.38.168.1.
[3Com-l2tp1] start l2tp ip 202.38.168.1 domain 3Com.com
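The lookup described under l2tp domain prefix-separator, l2tp match-order and start l2tp can be modelled as follows. This is an added example, not code from 3Com or from the original guide; the class and function names, trying prefix delimiters before suffix delimiters, and splitting a suffix at its last occurrence are assumptions, and the groups are constructed from the values used in the examples above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

VALID_DELIMITERS = set("%@#/")  # the four delimiters the guide allows

# Search order after the full-username check, per l2tp match-order.
MATCH_ORDERS = {
    "dnis-domain": ("dnis", "domain"),   # default
    "dnis": ("dnis",),
    "domain-dnis": ("domain", "dnis"),
    "domain": ("domain",),
}


@dataclass
class L2tpGroup:
    """One l2tp-group with the trigger set by its start l2tp command."""
    number: int
    lns: List[str]
    domain: Optional[str] = None
    dnis: Optional[str] = None
    fullusername: Optional[str] = None


class GroupSelector:
    """Hypothetical model of how a LAC picks the L2TP group for a caller."""

    def __init__(self, groups, prefix_seps="", suffix_seps="",
                 match_order="dnis-domain"):
        for ch in prefix_seps + suffix_seps:
            if ch not in VALID_DELIMITERS:
                raise ValueError(f"invalid delimiter: {ch!r}")
        # One character cannot be both a prefix and a suffix delimiter.
        clash = set(prefix_seps) & set(suffix_seps)
        if clash:
            raise ValueError(f"delimiter used as prefix and suffix: {clash}")
        if match_order not in MATCH_ORDERS:
            raise ValueError(f"unknown match order: {match_order}")
        self.groups = list(groups)
        self.prefix_seps = prefix_seps
        self.suffix_seps = suffix_seps
        self.match_order = match_order

    def split_domain(self, username: str) -> Tuple[Optional[str], str]:
        """Return (domain, user) using the first delimiter that succeeds."""
        for sep in self.prefix_seps:            # domain#user
            domain, found, user = username.partition(sep)
            if found and domain and user:
                return domain, user
        for sep in self.suffix_seps:            # user@domain
            user, found, domain = username.rpartition(sep)
            if found and domain and user:
                return domain, user
        return None, username

    def select(self, username: str,
               dialed_number: Optional[str] = None) -> Optional[L2tpGroup]:
        """Full username first, then the configured match order."""
        for group in self.groups:
            if group.fullusername is not None and group.fullusername == username:
                return group
        domain, _ = self.split_domain(username)
        keys = {"dnis": dialed_number, "domain": domain}
        for kind in MATCH_ORDERS[self.match_order]:
            value = keys[kind]
            if value is None:
                continue
            for group in self.groups:
                # Comparison is case sensitive, as the guide states.
                if getattr(group, kind) == value:
                    return group
        return None  # not a VPN user


# Constructed groups reproducing the conflict described in the text:
# full username -> 1.1.1.1, domain -> 1.1.1.2, special number 8810188.
GROUPS = [
    L2tpGroup(1, ["1.1.1.1"], fullusername="vpdnuser@3Com.com"),
    L2tpGroup(2, ["1.1.1.2"], domain="3Com.com"),
    L2tpGroup(3, ["202.38.168.1"], dnis="8810188"),
]

if __name__ == "__main__":
    sel = GroupSelector(GROUPS, prefix_seps="#", suffix_seps="@")
    for name, number in [("vpdnuser@3Com.com", None),
                         ("other@3Com.com", None),
                         ("other@3Com.com", "8810188"),
                         ("other@3com.com", None)]:
        group = sel.select(name, number)
        print(name, number, "->", group.lns if group else "not a VPN user")
```

When auditing a shared LNS, the same model shows which enterprise group a given username lands in for each match-order setting.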

tunnel authentication

Syntax
tunnel authentication
undo tunnel authentication

View
L2TP group view

Parameter
None

Description
Using the l2tp tunnel authentication command, you can enable the L2TP tunnel authentication function. Using the undo l2tp tunnel authentication command, you can disable the L2TP tunnel authentication function. By default, L2TP tunnel authentication is performed.

Generally speaking, authentication needs to be performed on both ends of the tunnel for security’s sake. In case of a network consistency test or when receiving a connection sent by a nameless peer end, tunnel authentication is not required.

Example
# Set not to authenticate the peer end of the tunnel.
[3Com-l2tp1] undo tunnel authentication

tunnel avp-hidden

Syntax
tunnel avp-hidden
undo tunnel avp-hidden

View
L2TP group view

Parameter
None

Description
Using the tunnel avp-hidden command, you can configure AVP (Attribute Value Pair) data to be transmitted in hidden format. Using the undo tunnel avp-hidden command, you can restore the default transmission mode of AVP data. By default, the tunnel transmits AVP data in plaintext.

Some parameters of the L2TP protocol are transmitted as AVP data. If the user demands high data security, this command can be used to configure AVP data to be transmitted in hidden format.

Example
# Set AVP data to be transmitted in hidden format.
[3Com-l2tp1] tunnel avp-hidden

tunnel flow-control

Syntax
tunnel flow-control
undo tunnel flow-control

View
L2TP group view

Parameter
None

Description
Using the tunnel flow-control command, you can enable L2TP tunnel flow-control function. Using the undo tunnel flow-control command, you can disable the flow-control function. By default, the L2TP tunnel flow-control function is not performed.

Example
# Enable the flow-control function.
[3Com-l2tp1] tunnel flow-control

tunnel name

Syntax
tunnel name name
undo tunnel name

View
L2TP group view

Parameter
name: Local name of the tunnel, a character string with the length ranging from 1 to 30.

Description
Using the tunnel name command, you can specify the local name of the tunnel. Using the undo tunnel name command, you can restore the local name to the default value. By default, the local name is the router name.

When an L2TP group is created, the local name is initialized to the router name.

For the related command, see sysname.

Example
# Set the local name of the tunnel as itsme.
[3Com-l2tp1] tunnel name itsme

tunnel password

Syntax
tunnel password { simple | cipher } password
undo tunnel password

View
L2TP group view

Parameter
simple: Password in plaintext.
cipher: Password in ciphertext.
password: Password used on tunnel authentication, a character string with the length ranging from 1 to 16.

Description
Using the tunnel password command, you can specify the password of tunnel authentication. Using the undo l2tp tunnel password command, you can remove the password of tunnel authentication. By default, the password of tunnel authentication is null.

Example
# Set the password of tunnel authentication as yougotit, displayed in ciphertext.
[3Com-l2tp1] tunnel password cipher yougotit

tunnel timer hello

Syntax
tunnel timer hello hello-interval
undo tunnel timer hello

View
L2TP group view

Parameter
hello-interval: Interval at which Hello packets are forwarded when the LAC or LNS has no packet to receive, an integer in seconds, ranging from 60 to 1000.

Description
Using the tunnel timer hello command, you can set the forwarding interval of Hello packets. Using the undo tunnel timer hello command, you can restore the forwarding interval of Hello packets in the tunnel to the default value. By default, a Hello packet is forwarded every 60 seconds.

Different Hello packet intervals can be configured on the LNS and LAC sides.

Example
# Set the forwarding interval of Hello packets to 99 seconds.
[3Com-l2tp1] tunnel timer hello 99

GRE Configuration Commands
debugging tunnel

Syntax
debugging tunnel
undo debugging tunnel

View
User view

Parameter
None

Description
Using the debugging tunnel command, you can enable tunnel debugging. Using the undo debugging tunnel command, you can disable tunnel debugging.

Example
None

destination

Syntax
destination ip-addr
undo destination

View
Tunnel interface view

Parameter
ip-addr: IP address of the physical interface used by the peer end of the tunnel.

Description
Using the destination command, you can specify the destination IP address that the tunnel interface fills into the IP header added on encapsulation. Using the undo destination command, you can delete the configured destination address. By default, the destination address of the tunnel is not specified in the system.

The specified tunnel destination address is the IP address of the real physical interface receiving GRE packets. It should be the same as the source address specified on the tunnel interface of the peer end, and the route to the physical interface of the peer end must be reachable.

An identical pair of source address and destination address cannot be configured on two or more tunnel interfaces using the same encapsulation protocol.

For the related command, see interface tunnel, source.

Example
# Create a tunnel connection between the interface serial 0/0/0 of the router 3Com1 (with IP address of 193.101.1.1) and the interface serial 1/0/0 of the router 3Com2 (with IP address of 192.100.1.1).
[3Com1-Tunnel0/0/0] source 193.101.1.1
[3Com1-Tunnel0/0/0] destination 192.100.1.1
[3Com2-Tunnel1/0/0] source 192.100.1.1
[3Com2-Tunnel1/0/0] destination 193.101.1.1

display interface tunnel

Syntax
display interface tunnel [ number ]

View
Any view

Parameter
number: Tunnel interface ID.

Description
Using the display interface tunnel command, you can display the working status of the tunnel interface.

The display interface tunnel command is used to display such information about the tunnel interface as the source address, destination address (the real physical interface address receiving/sending GRE packets), encapsulation mode, identification keyword and end-to-end check.

For the related command, see source, destination, gre key, gre checksum, tunnel-protocol.

Example
# Display the current tunnel interface.
<3Com> display interface tunnel 2/0/4
Tunnel2/0/4 is up, line protocol is up
Description : 3Com, 3Com Series, Tunnel2/0/4 Interface
The Maximum Transmit Unit is 1500
Internet Protocol processing is disable
Encapsulation is TUNNEL, loopback not set
Tunnel source 1.1.254.88 (Ethernet2/0/0), destination 1.1.254.11
Tunnel protocol/transport GRE/IP, key disabled
Checksumming of packets disabled
5 minutes input rate 0 bytes/sec, 0 packets/sec
5 minutes output rate 0 bytes/sec, 0 packets/sec
0 packets input, 0 bytes
0 input error
0 packets output, 0 bytes
0 output error







Table 3 Domain description in displayed information by the display interface tunnel 2/0/4 command

Domain                       Description
Tunnel2/0/4 is up            The physical layer of the tunnel interface is up.
line protocol is up          The link layer of the tunnel interface is up.
Description                  The description information of the tunnel interface, being 3Com in this example.
3Com Series                  The router is 3Com series.
Tunnel2/0/4 Interface        Tunnel interface number.
Maximum Transmit Unit        The size of MTU in the tunnel, being 1500 bytes in this example.
Encapsulation                The tunnel formed by encapsulated GRE protocol.
Loopback                     Enable/disable loopback test. Because the tunnel interface does not support loopback test, disable loopback is the case in this example.
Tunnel source                Source address of the tunnel, being 1.1.254.88 here.
Ethernet2/0/0                The interface of tunnel source address is the interface Ethernet 2/0/0.
destination                  Destination address of the tunnel, being 1.1.254.11 here.
Tunnel protocol/transport    Encapsulation protocol and transmission protocol of the tunnel, being GRE and IP here.
key                          Identification keyword of the tunnel interface, which is not specified here.
Checksumming of packets      End-to-end check of the tunnel, being disabled here.
5 minutes input rate         Input rate in second within the last 5 minutes.
packets/sec                  Input packet number in second within the last 5 minutes.
packets input                Total input packet number.
bytes                        Total input byte number.
input error                  Number of error packet among all input packets.
output error                 Number of error packet among all output packets.

gre checksum

Syntax
gre checksum
undo gre checksum

View
Tunnel interface view

Parameter
None

Description
Using the gre checksum command, you can set the two ends of the tunnel to perform an end-to-end check so as to verify the correctness of each packet and discard any packet that does not pass the verification. Using the undo gre checksum command, you can cancel the check. By default, the end-to-end check at the two ends of the tunnel is disabled.

Checksum can be enabled or disabled at each end of the tunnel according to the real application need. If checksum is enabled at the local end and disabled at the peer end, the local end will not perform checksum on the received packet, but will perform checksum on the transmitted packet. On the contrary, the local end will perform checksum on the packet sent from the peer end, but will not perform checksum on the transmitted packet.

For the related command, see interface tunnel.

Example
# Create a tunnel between interface serial 3/0/1 of the router 3Com1 and interface serial 2/1/1 of the router 3Com2 and set the check on both ends of the tunnel.
[3Com1-Tunnel3/0/1] gre checksum
[3Com2-Tunnel2/1/1] gre checksum

gre key

Syntax
gre key key-number
undo gre key

View
Tunnel interface view

Parameter
key-number: Identification keyword of the two ends of the tunnel, an integer ranging from 0 to 4294967295.

Description
Using the gre key command, you can set the identification keyword of the tunnel interface, and by this feeble security mechanism avoid incorrectly identifying or receiving packets from unexpected places. Using the undo gre key command, you can delete this configuration. By default, the identification keyword of the tunnel in use is not set in the system.

Either the same key-number is specified on both ends of the tunnel, or key-number is not set on either end.

For the related command, see interface tunnel.

Example
# Create a tunnel between the router 3Com1 and the router 3Com2 and set the identification keyword of the tunnel.
[3Com1-Tunnel3/1/0] gre key 123
[3Com2-Tunnel2/1/0] gre key 123

interface tunnel

Syntax
interface tunnel number
undo interface tunnel number

View
System view

Parameter
number: For a centralized router, the number is one dimensional, ranging from 0 to 1023. When creating a tunnel interface on a distributed router, the slot parameter should be in line with the slot number of the source end interface set by the source command. In other words, the slot number specified by slot is the same as the slot number of the actual physical interface sending GRE packets.

Description
Using the interface tunnel command, you can create a tunnel interface and enter tunnel interface configuration view. Using the undo interface tunnel command, you can delete the specified tunnel interface. By default, there is no tunnel interface in the system.

The interface tunnel command is used to enter the interface configuration view of the specified tunnel. If the tunnel interface has not been created, it is created before entering interface configuration view.

The interface number of the tunnel is only of local significance. Different or identical interface numbers can be used on the two ends of the tunnel.

For the related command, see source, destination, gre key, gre checksum, tunnel-protocol.

Example
# Create the tunnel interface with slot number/card number/interface number as 3/0/1.
[3Com] interface tunnel 3/0/1

source

Syntax
source { ip-addr | interface-type interface-num }
undo source

View
Tunnel interface view

Parameter
ip-addr: Specifies the IP address of the real interface sending GRE packets, in the address form A.B.C.D.
interface-type interface-num: Specifies the real interface sending packets in the form of the router interface name. These interfaces include Ethernet, Serial, ATM, Tunnel and Loopback.

Description
Using the tunnel source command, you can specify the source IP address that the tunnel interface fills into the IP header added on encapsulation. Using the undo tunnel source command, you can delete the configured source address. By default, the source address of the tunnel is not specified in the system.

The specified source address of the tunnel is the address of the real interface sending GRE packets, which should be in accordance with the destination address specified at the peer end of the tunnel.

An identical pair of source address and destination address cannot be configured on two or more tunnel interfaces using the same encapsulation protocol.

For the related command, see interface tunnel, destination.

Example
# Configure the interface tunnel0/0/5 on the router 3Com1, on which the real outlet of the encapsulated packet is the interface serial 0/0/0 (with the IP address of the interface being 192.100.1.1).
[3Com1-Tunnel0/0/5] source 192.100.1.1

Otherwise the “interface-name” form will be used:
[3Com1-Tunnel0/0/5] source serial 0/0/0

tunnel-protocol gre

Syntax
tunnel-protocol gre
undo tunnel-protocol

View
Tunnel interface view

Parameter
gre: Encapsulation protocol of the tunnel.

Description
Using the tunnel mode command, you can set encapsulation mode of the tunnel interface to be GRE. By default, the encapsulation protocol of the tunnel interface is GRE.

Under the GRE mode, users can execute and view the GRE related commands, whereas other relevant commands are available under other modes.

For the related command, see interface tunnel.

Example
# Create a tunnel between the router 3Com1 and the router 3Com2, with encapsulation protocol being GRE and transmission protocol being IP.
[3Com1-Tunnel3/1/0] tunnel-protocol gre
[3Com2-Tunnel2/1/0] tunnel-protocol gre

Dynamic VPN
debugging dvpn

Command
debugging dvpn { all | error | event | hexadecimal | packet }
undo debugging dvpn { all | error | event | hexadecimal | packet }

View
User view

Parameter
all: Opens all debugging information.
error: Opens DVPN error debugging information.
event: Opens DVPN event debugging information, including register and other errors.
hexadecimal: Displays debugging information in hexadecimal.
packet: Opens DVPN packet debugging information.

Description
Using the debugging dvpn command, you can enable DVPN debugging.

Example
# Enable DVPN event debugging.
[3Com] debugging dvpn event

display dvpn map

Command
display dvpn map [ vpn-id vpn-id ] [ private-ip private-ip ]

View
Any view

Parameter
vpn-id: Specifies vpn-id.
private-ip: Specifies the private IP address, that is, the IP address of a Tunnel interface.

Description
Using the display dvpn map command, you can view all of the map information for the current node.

Example
# Display current map information.
[3Com] display dvpn map
Public IP        UDP port    Private IP
202.113.11.3     8001        10.1.1.1
211.122.12.2     8003        10.1.1.3

# Display map information of private IP 10.1.1.1.
[3Com] display dvpn map private-ip 10.1.1.1
Private IP: 10.1.1.1
Status: Active
Used public IP: 202.113.11.3
UDP port: 8001
Send : 123 Bytes, 9 Packets
Receive : 120 Bytes, 10 Packets
Error: 8 Bytes, 1 Packets

dvpn authenticate enable

Command
dvpn authenticate enable
undo dvpn authenticate enable

View
Tunnel interface view

Parameter
None

Description
Using the dvpn authenticate enable command, you can enable authentication at a tunnel interface. Using the undo dvpn authenticate enable command, you can disable authentication at a tunnel interface.

Example
# Enable Tunnel interface authentication.
[3Com-Tunnel0] dvpn authenticate enable
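The security-relevant settings documented above (tunnel authentication, tunnel password, tunnel avp-hidden, mandatory-chap, gre key, gre checksum, dvpn authenticate enable) can be checked mechanically against a saved configuration. This is an added example, not 3Com code; the configuration layout, the finding codes and the rule that a group without a start l2tp line is LNS-side are assumptions, and the sample configuration is constructed.

```python
import re
from typing import List, Tuple

# Constructed sample built from commands on this page. The layout (section
# header at column 0, settings indented beneath it) is an assumption.
SAMPLE_CONFIG = """\
l2tp enable
l2tp-group 1
 start l2tp ip 202.38.168.1 domain 3Com.com
 undo tunnel authentication
 tunnel password simple yougotit
l2tp-group 2
 tunnel name itsme
 tunnel password cipher yougotit
 tunnel avp-hidden
 mandatory-chap
interface tunnel 0
 dvpn interface-type server
 dvpn client private-ip 10.0.0.2 key 123
interface tunnel 1
 tunnel-protocol gre
 gre key 123
 gre checksum
"""

MESSAGES = {
    "L2TP-AUTH-OFF": "tunnel authentication disabled; the peer is not verified",
    "L2TP-PLAINTEXT-PASSWORD": "tunnel password configured with 'simple'",
    "L2TP-NULL-PASSWORD": "authentication on but tunnel password is null (default)",
    "L2TP-AVP-PLAINTEXT": "AVP data sent in plaintext (default)",
    "L2TP-NO-CHAP-REAUTH": "LNS-side group relies on LAC agent authentication",
    "GRE-NO-KEY": "no 'gre key' (an identifier only, not authentication)",
    "GRE-NO-CHECKSUM": "end-to-end checksum disabled (default)",
    "DVPN-AUTH-OFF": "'dvpn authenticate enable' not set on DVPN interface",
}


def parse_sections(text: str) -> List[Tuple[str, List[str]]]:
    """Split the config into (header, [setting, ...]) by indentation."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        line = " ".join(raw.split())        # normalise whitespace
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(line)
        else:
            sections.append((line, []))
    return sections


def _has(lines: List[str], command: str) -> bool:
    """True if a line is exactly the command or the command plus arguments."""
    return any(l == command or l.startswith(command + " ") for l in lines)


def audit_l2tp_group(lines: List[str]) -> List[str]:
    codes = []
    auth_off = _has(lines, "undo tunnel authentication")
    if auth_off:
        codes.append("L2TP-AUTH-OFF")
    if _has(lines, "tunnel password simple"):
        codes.append("L2TP-PLAINTEXT-PASSWORD")
    if not auth_off and not _has(lines, "tunnel password"):
        codes.append("L2TP-NULL-PASSWORD")
    if not _has(lines, "tunnel avp-hidden"):
        codes.append("L2TP-AVP-PLAINTEXT")
    # Assumption: a group with no 'start l2tp' trigger is used on the LNS side.
    if not _has(lines, "start l2tp") and not _has(lines, "mandatory-chap"):
        codes.append("L2TP-NO-CHAP-REAUTH")
    return codes


def audit_tunnel_interface(lines: List[str]) -> List[str]:
    if any(l.startswith("dvpn ") for l in lines):       # DVPN tunnel
        return [] if _has(lines, "dvpn authenticate enable") else ["DVPN-AUTH-OFF"]
    codes = []                                          # otherwise treat as GRE
    if not _has(lines, "gre key"):
        codes.append("GRE-NO-KEY")
    if not _has(lines, "gre checksum"):
        codes.append("GRE-NO-CHECKSUM")
    return codes


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (section, finding code) pairs in configuration order."""
    findings = []
    for header, lines in parse_sections(text):
        if re.fullmatch(r"l2tp-group \d+", header):
            codes = audit_l2tp_group(lines)
        elif re.fullmatch(r"interface tunnel \S+", header, re.IGNORECASE):
            codes = audit_tunnel_interface(lines)
        else:
            codes = []
        findings.extend((header, code) for code in codes)
    return findings


if __name__ == "__main__":
    for section, code in audit(SAMPLE_CONFIG):
        print(f"{section}: {code}: {MESSAGES[code]}")
```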

dvpn class

Command
dvpn class dvpn-class-name
undo dvpn class dvpn-class-name

View
System view

Parameter
dvpn-class-name: Name for a dvpn-class view, in a string of 1~30 bytes.

Description
Using the dvpn class command, you can create a dvpn-class view and enter it. In this view, you can configure destination server address and UDP port ID. Using the undo dvpn class command, you can delete a dvpn-class view.

Example
# Create dvpn-class view “abc”.
[3Com] dvpn class abc

dvpn client

Command
dvpn client private-ip private-ip key key-value
undo dvpn client private-ip private-ip key key-value

View
Tunnel interface view

Parameter
private-ip: Private IP address of the client, that is, the IP address of a Tunnel interface.
key-value: Private key of a client.

Description
Using the dvpn client private-ip command, you can configure client authentication information at the server. Using the undo dvpn client private-ip command, you can delete client authentication information.

private-ip and key-value are used for client authentication at the server. If no private key is configured for both the server and the client, then authentication is not required in registration and establishing session links.

Example
# Configure private key of the client with the IP address 10.0.0.2 as 123.
[3Com] dvpn client private-ip 10.0.0.2 key 123

dvpn interface-type

Command
dvpn interface-type { client | server }

View
Tunnel interface view

Parameter
client: Interface is client.
server: Interface is server.

Description
Using the dvpn interface-type command, you can specify type for a tunnel interface. By default, a tunnel interface is set as client.

Example
# Set a Tunnel interface as server.
[3Com-Tunnel0] dvpn interface-type server


dvpn key

Command
dvpn key key-value
undo dvpn key key-value

View
Tunnel interface view

Parameter
key-value: Encrypted value, in range of 0~4294967295.

Description
Using the dvpn key command, you can configure the private key for a client (while the public key for the server is generated randomly). Using the undo dvpn key command, you can delete a configured private key.

Keys are used in establishing session links between DVPN clients. When the authentication of a client succeeds, the server encrypts its public key with the client's private key, then puts the encrypted value into a node register success packet and transmits it back to the client. The client decrypts the received value with its private key to get the public key, and can then use the public key to set up session links with other clients.

Example
# Set private key for a Tunnel interface as 123.
[3Com-Tunnel0] dvpn key 123

dvpn map

Command
dvpn map private-ip ip-address public-ip ip-address [ udp-port port-number] undo dvpn map private-ip ip-address public-ip ip-address [ udp-port port-number]

View Tunnel interface view Parameter ip-address: Specifies IP address for the peer, public IP address and private IP address (IP address for the tunnel interface) separately. port-number: Specifies UDP port ID for the peer. The parameter is unavailable for GRE encapsulation. Description Using the dvpn map private-ip command, you can create a static map, i.e. a static tunnel. Using the undo dvpn map command, you can delete an existing map. If you have already known the private IP, public IP and UDP port ID of other clients, you can use this command to create a static map. Note that the IP addresses and UDP port ID configured here should be consistent with the peer, otherwise, no correct static tunnel can be created.

Dynamic VPN

1021

Example
# Configure a static map at the tunnel interface with the public IP address 211.122.12.2, UDP port ID 8008 and private IP address 10.1.1.3.
[3Com-tunnel0] dvpn map private-ip 10.1.1.3 public-ip 211.122.12.2 udp-port 8008

dvpn register-type

Command
dvpn register-type { forward | stable | undistributed | want | }
undo dvpn register-type { forward | stable | undistributed | want | }

View
Tunnel interface view

Parameter
forward: Instructs the server to forward all data packets at the client and not to send next hop redirect notify packets to the client.
stable: Means the client has a fixed public IP address.
undistributed: Instructs the server not to send information about this client to other clients.
want: Instructs the server to send information about other clients to this client.

Description
Using the dvpn register-type command, you can configure the type of supplementary information for client registration at the server. With the supplementary information type, the server can judge whether a client is configured with a fixed IP address and process it accordingly. Using the undo dvpn register-type command, you can restore the supplementary information type to the default.
By default, the supplementary information is configured as follows: no fixed public IP address; the server does not distribute information about other clients to this client, while it does propagate information about this client to other clients; the server does not forward data packets at the client.

Example
# Set the client registration type so that the server does not propagate information about this client to other clients.
[3Com-tunnel0] dvpn register-type undistributed

dvpn retry

Command
dvpn retry retry-times
undo dvpn retry

View
Tunnel interface view


Parameter
retry-times: The maximum number of attempts for redirect notification, session setup request and session keepalive request, in the range of 1~10. By default, it is 3.

Description
Using the dvpn retry command, you can configure the maximum number of attempts for redirect notification, session setup request and session keepalive request at a client. Using the undo dvpn retry command, you can restore the maximum number of attempts to the default value.

Example
# Set the maximum number of attempts to 5.
[3Com-Tunnel0] dvpn retry 5

dvpn server

Command
dvpn server dvpn-class-name
undo dvpn server dvpn-class-name

View
Tunnel interface view

Parameter
dvpn-class-name: Dvpn-class name for the Tunnel interface. A dvpn-class is a data structure that holds information such as the public and private IP addresses and the UDP port ID; it is created with the dvpn class command.

Description
Using the dvpn server command, you can specify the dvpn-class name for a Tunnel interface at a client. Using the undo dvpn server command, you can delete a dvpn-class name.
If the specified dvpn-class view does not exist, this command will also create a dvpn-class configuration module.
By default, no dvpn-class is created.

Example
# Set the server name for a Tunnel interface as abc.
[3Com-Tunnel0] dvpn server abc

dvpn timer aging

Command
dvpn timer aging time-interval
undo dvpn timer aging

View
Tunnel interface view


Parameter
time-interval: Time interval for map age_timer, in the range of 10~3600 seconds. By default, it is 60 seconds.

Description
Using the dvpn timer aging command, you can define the time interval for map age_timer. Using the undo dvpn timer aging command, you can restore the time interval of map age_timer to the default value.

Example
# Set the time interval of map age_timer for a Tunnel interface to 120 seconds.
[3Com-Tunnel0] dvpn timer aging 120

dvpn timer idle

Command
dvpn timer idle time-interval
undo dvpn timer idle

View
Tunnel interface view

Parameter
time-interval: Time interval for idle_timer, in the range of 60~86400 seconds. By default, it is 600 seconds.

Description
Using the dvpn timer idle command, you can define the time interval for idle_timer, which disconnects session links on timeout. Using the undo dvpn timer idle command, you can restore the time interval of idle_timer to the default value.

Example
# Set the time interval of idle_timer for session links to 300 seconds.
[3Com-Tunnel0] dvpn timer idle 300

dvpn timer keepalive

Command
dvpn timer keepalive time-interval
undo dvpn timer keepalive

View
Tunnel interface view

Parameter
time-interval: Time interval for map keepalive_timer, in the range of 1~3600 seconds. By default, it is 10 seconds.


Description
Using the dvpn timer keepalive command, you can define the time interval for map keepalive_timer. Using the undo dvpn timer keepalive command, you can restore the time interval of map keepalive_timer to the default value.
The keepalive_timer maintains a normal session between clients. When a session link is set up successfully, a keepalive packet is sent to the peer and the keepalive_timer is enabled. Once the timer times out, the client sends a keepalive packet to the peer and waits for a response from the peer.

Example
# Set the time interval of map keepalive_timer to 30 seconds.
[3Com-Tunnel0] dvpn timer keepalive 30

dvpn timer redirect

Command
dvpn timer redirect time-interval
undo dvpn timer redirect

View
Tunnel interface view

Parameter
time-interval: Time interval for next hop redirect notify_timer, in the range of 1~180 seconds. By default, it is 10 seconds.

Description
Using the dvpn timer redirect command, you can define the time interval for next hop redirect notify_timer. Each time a timeout occurs, the node sends a next hop redirect notification to the source client, until it receives the acknowledgement packet. Using the undo dvpn timer redirect command, you can set the time interval of next hop redirect notify_timer to the default value.
When the server or a client finds that the destination of a received packet is not itself but another node in the VPN, it needs to forward this packet and send a next hop redirect notify packet to the source node of the packet. If no response is received from the source node within the preset time limit, it counts this as one attempt.

Example
# Set the time interval of next hop redirect notify_timer for a Tunnel interface to 30 seconds.
[3Com-Tunnel0] dvpn timer redirect 30

dvpn timer register

Command
dvpn timer register time-interval
undo dvpn timer register

View
Tunnel interface view


Parameter
time-interval: Time interval for node register request_timer, in the range of 1~600 seconds. By default, it is 30 seconds.

Description
Using the dvpn timer register command, you can define the time interval for node register request_timer. Each time a timeout occurs, a client should log into the server again. Using the undo dvpn timer register command, you can restore the time interval of node register request_timer to the default value.

Example
# Set the time interval of node register request_timer for a Tunnel interface to 60 seconds.
[3Com-Tunnel0] dvpn timer register 60

dvpn timer setup

Command
dvpn timer setup time-interval
undo dvpn timer setup

View
Tunnel interface view

Parameter
time-interval: Time interval for session setup request_timer, in the range of 1~180 seconds. By default, it is 10 seconds.

Description
Using the dvpn timer setup command, you can define the time interval for session setup request_timer. Each time a timeout occurs, a client sends session setup request packets. Using the undo dvpn timer setup command, you can restore the time interval of session setup request_timer to the default value.
When a client sends a session setup request, it also enables session setup request_timer. If it receives no response from the peer within the preset time limit, it counts this as one attempt and sends another session setup request.

Example
# Set the time interval of session setup request_timer for a Tunnel interface to 30 seconds.
[3Com-Tunnel0] dvpn timer setup 30

dvpn udp-port

Command
dvpn udp-port udp-port
undo dvpn udp-port

View
Tunnel interface view


Parameter
udp-port: UDP port ID in DVPN, in the range of 8000~8010. By default, it is 8000.

Description
Using the dvpn udp-port command, you can configure the UDP port ID for a Tunnel interface. The command is available at a Tunnel interface where the UDP encapsulation type is configured. Using the undo dvpn udp-port command, you can restore the default port ID.

Example
# Configure UDP port ID for a Tunnel interface.
[3Com-Tunnel0] dvpn udp-port 8001

dvpn vpn-id

Command
dvpn vpn-id vpn-id
undo dvpn vpn-id

View
Tunnel interface view

Parameter
vpn-id: VPN ID for a tunnel interface, in the range of 1~4294967295.

Description
Using the dvpn vpn-id command, you can specify the VPN for a Tunnel interface. Using the undo dvpn vpn-id command, you can delete the VPN configuration for a Tunnel interface.

Example
# Set the VPN for a Tunnel interface as 100.
[3Com-Tunnel0] dvpn vpn-id 100

private-ip

Command
private-ip ip-address
undo private-ip ip-address

View
dvpn-class view

Parameter
ip-address: Specifies the private IP address for a specific server, that is, the IP address of a Tunnel interface.

Description
Using the private-ip command, you can configure the private IP address for a specific server. Using the undo private-ip command, you can delete the private IP address of a specific server.


By default, no private IP address is configured.

Example
# Configure the private IP address of a server as 192.168.0.1.
[3Com-Dvpn-class-abc] private-ip 192.168.0.1

public-ip

Command
public-ip ip-address
undo public-ip ip-address

View
dvpn-class view

Parameter
ip-address: Specifies the public IP address for a specific server.

Description
Using the public-ip command, you can configure the public IP address for a specific server. Using the undo public-ip command, you can delete the public IP address of a specific server.
By default, no public IP address is configured.

Example
# Configure the public IP address of a server as 61.18.3.66.
[3Com-dvpn-class-abc] public-ip 61.18.3.66

reset dvpn map

Command
reset dvpn map vpn-id

View
User view

Parameter
vpn-id: Specifies vpn-id.

Description
Using the reset dvpn map command, you can clear sessions for a specific VPN.

Example
# Clear session links of VPN 100.
<3Com> reset dvpn map 100

tunnel-protocol dvpn

Command
tunnel-protocol [ gre | udp ] dvpn


View
Tunnel interface view

Parameter
gre dvpn: Creates tunnels in GRE DVPN encapsulation mode.
udp dvpn: Creates tunnels in UDP DVPN encapsulation mode.

Description
Using the tunnel-protocol dvpn command, you can configure the encapsulation mode for a Tunnel interface. The dvpn attribute puts the Tunnel interface in DVPN mode; the interface then takes on the multipoint attribute and NBMA type.
By default, GRE encapsulation mode is available at a Tunnel interface, that is, point-to-point tunnels are set up in GRE mode.

Example
# Set UDP DVPN encapsulation mode for a Tunnel interface.
[3Com-Tunnel0] tunnel-protocol udp dvpn

udp-port

Command
udp-port port-number
undo udp-port

View
dvpn-class view

Parameter
port-number: UDP port ID for a specific server, only available for UDP encapsulation mode. By default, it is 8000.

Description
Using the udp-port command, you can configure the UDP port ID for the server that is specified with the dvpn-class command. Using the undo udp-port command, you can restore the UDP port ID to the default value.

Example
# Configure UDP port ID for a server as 8010.
[3Com-Dvpn-class-abc] udp-port 8010
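
The tunnel-interface DVPN commands above each document a numeric range, and dvpn udp-port is documented as available only under UDP encapsulation. The following added example (not part of the 3Com manual) audits a list of Tunnel interface view commands against those documented ranges. The names audit_tunnel_config, RANGES and SAMPLE are hypothetical, and the sample configuration is constructed.

```python
import re

# (low, high) inclusive, copied from the Parameter text of each command above.
RANGES = {
    "dvpn key": (0, 4294967295),
    "dvpn retry": (1, 10),
    "dvpn timer aging": (10, 3600),
    "dvpn timer idle": (60, 86400),
    "dvpn timer keepalive": (1, 3600),
    "dvpn timer redirect": (1, 180),
    "dvpn timer register": (1, 600),
    "dvpn timer setup": (1, 180),
    "dvpn udp-port": (8000, 8010),
    "dvpn vpn-id": (1, 4294967295),
}


def audit_tunnel_config(lines):
    """Return sorted (line_number, command, reason) tuples for settings that
    fall outside the documented range or conflict with the encapsulation."""
    findings = []
    encap = None            # set by "tunnel-protocol gre|udp dvpn"
    udp_port_cmds = []
    for n, raw in enumerate(lines, 1):
        cmd = " ".join(raw.split())          # normalise whitespace
        if not cmd or cmd.startswith("#"):
            continue
        m = re.fullmatch(r"tunnel-protocol (gre|udp) dvpn", cmd)
        if m:
            encap = m.group(1)
            continue
        for prefix, (lo, hi) in RANGES.items():
            if not cmd.startswith(prefix + " "):
                continue
            arg = cmd[len(prefix) + 1:]
            if not re.fullmatch(r"[0-9]+", arg):
                findings.append((n, cmd, "value is not an unsigned integer"))
            elif not lo <= int(arg) <= hi:
                findings.append((n, cmd, f"value outside {lo}~{hi}"))
            if prefix == "dvpn udp-port":
                udp_port_cmds.append((n, cmd))
            break
    # dvpn udp-port only applies where UDP encapsulation is configured.
    if encap != "udp":
        for n, cmd in udp_port_cmds:
            findings.append((n, cmd, "dvpn udp-port needs UDP encapsulation"))
    return sorted(findings)


# Constructed sample: commands as typed in Tunnel interface view.
SAMPLE = """\
tunnel-protocol gre dvpn
dvpn interface-type client
dvpn key 123
dvpn retry 11
dvpn timer aging 5
dvpn timer idle 300
dvpn udp-port 8001
dvpn vpn-id 0
""".splitlines()

if __name__ == "__main__":
    for finding in audit_tunnel_config(SAMPLE):
        print(finding)
```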

11 TRAFFIC POLICING AND SHAPING CONFIGURATION COMMANDS

Traffic Policing (TP) Configuration Commands

display qos car interface

Syntax
display qos car interface [ interface-type interface-number ]

View
Any view

Parameter
interface-type: Interface type.
interface-number: Interface number.

Description
Using the display qos car interface command, you can view the parameter configuration and operating statistics of TP at each or all interfaces. If no interface is specified, the TP configuration and operating statistics of all interfaces will be displayed.

Example
# Display the TP parameter configuration information and running statistic information on each interface.
[3Com] display qos car interface
Interface: Ethernet6/0/0
Direction: Inbound
Rule(s): If-match CARL 1
CIR 8000(Bps), CBS 15000(Bit), EBS 0(Bit)
Conform Action: remark ip-precedence 3 and pass
Exceed Action: remark ip-precedence 4 and continue
Conformed: 0/0 (Packets/Bytes)
Exceeded: 0/0 (Packets/Bytes)
Direction: Outbound
Rule(s): If-match ACL 1
CIR 8000(Bps), CBS 15000(Bit), EBS 0(Bit)
Conform Action: pass
Exceed Action: discard
Conformed: 0/0(Packets/Bytes)
Exceeded: 0/0(Packets/Bytes)

display qos carl

Syntax
display qos carl [ carl-index ]

View
Any view

Parameter
carl-index: Committed Access Rate List (CARL) number in the range of 1 to 199.

Description
Using the display qos carl command, you can view a certain rule or all the rules of CARL. If carl-index is not specified, all rules of CARL will be displayed.

Example
# Display the first rule of CAR list.
[3Com] display qos carl 1
Current CARL Configuration:
List  Params
-----------------------------------------------------
1     Precedence 1 2
2     MAC Address 0050-ba27-bed3

qos car

Syntax
qos car { inbound | outbound } { any | acl acl-index | carl carl-index } cir committed-information-rate cbs committed-burst-size ebs excess-burst-size red action green action
undo qos car { inbound | outbound } { any | acl acl-index | carl carl-index } cir committed-information-rate cbs committed-burst-size ebs excess-burst-size

View
Interface view


Parameter
inbound: Limits the rate of packets received by the interface.
outbound: Limits the rate of packets sent by the interface.
any: Limits the rate of packets that match any rule.
acl acl-index: Limits the rate of packets matching the ACL, with acl-index being the ACL number in the range of 1 to 199.
carl carl-index: Limits the rate of packets matching the CARL, with carl-index being the CARL number in the range of 1 to 199.
cir committed-information-rate: Committed Information Rate (CIR) in the range of 8000 to 155000000 bits.
cbs committed-burst-size: Committed Burst Size (CBS) in the range of 15000 to 155000000 bits.
ebs excess-burst-size: Excessive Burst Size (EBS) in the range of 0 to 155000000 bits.
red: Action taken on the packets when the traffic rate conforms to CAR.
green: Action taken on the packets when the traffic rate does not conform to CAR.
action: Action taken on a packet, which can be:
  continue: to have it dealt with by the next TP strategy.
  discard: to discard the packet.
  pass: to send the packet.
  remark-prec-continue new-precedence: to specify a new IP priority new-precedence and execute the next TP strategy. The value range is 0~7.
  remark-prec-pass new-precedence: to specify a new IP priority new-precedence and send the packet. The value range is 0~7.

Description
Using the qos car command, you can implement a TP strategy on an interface. Using the undo qos car command, you can remove a certain TP policy at the interface.
This command is only used to process IP packets.
Repeated use of this command sets several TP policies at an interface. The policies are executed in the order in which they were configured.

Example
# Configure traffic policing for output packets that conform to traffic at the interface Ethernet6/0/0. The normal traffic is 38400 bps. A burst of twice the normal traffic can pass at first; after that, traffic is transmitted normally when the rate is less than or equal to 38400 bps. When the rate is larger than 38400 bps, packets are transmitted after the packet precedence is changed to 0.
[3Com-Ethernet6/0/0] qos car outbound any carl 1 cir 38400 cbs 76800 ebs 0 red pass green remark-prec-pass 0
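
The behaviour of the example above (cir 38400, cbs 76800, ebs 0, red pass, green remark-prec-pass 0) can be traced with a single token bucket. This is an added illustration, not code from the 3Com manual: the class CarPolicer and the arrival list are hypothetical, the bucket is assumed to start full, and non-conforming packets are assumed to consume no tokens. The continue actions and EBS are not modelled.

```python
class CarPolicer:
    """Single token bucket: depth cbs bits, refilled at cir bits per second."""

    SUPPORTED = ("pass", "discard", "remark-prec-pass")

    def __init__(self, cir, cbs, conform=("pass",), exceed=("remark-prec-pass", 0)):
        # Ranges as documented for qos car.
        if not 8000 <= cir <= 155000000:
            raise ValueError("cir outside 8000 to 155000000")
        if not 15000 <= cbs <= 155000000:
            raise ValueError("cbs outside 15000 to 155000000")
        for action in (conform, exceed):
            if action[0] not in self.SUPPORTED:
                raise ValueError(f"action {action[0]!r} is not modelled here")
            if action[0] == "remark-prec-pass" and not 0 <= action[1] <= 7:
                raise ValueError("new-precedence outside 0~7")
        self.cir, self.cbs = cir, cbs
        self.conform, self.exceed = conform, exceed
        self.tokens = float(cbs)     # assumption: the bucket starts full
        self.last = 0.0

    def police(self, t, size_bytes, precedence):
        """Return (verdict, forwarded, precedence) for a packet arriving at t seconds."""
        # Refill for the elapsed time, never beyond the bucket depth.
        self.tokens = min(float(self.cbs), self.tokens + (t - self.last) * self.cir)
        self.last = t
        bits = size_bytes * 8
        if bits <= self.tokens:
            self.tokens -= bits
            verdict, action = "conform", self.conform
        else:
            verdict, action = "exceed", self.exceed
        if action[0] == "discard":
            return verdict, False, precedence
        if action[0] == "remark-prec-pass":
            return verdict, True, action[1]
        return verdict, True, precedence          # plain "pass"


def simulate(policer, arrivals):
    """arrivals: iterable of (time_seconds, size_bytes, ip_precedence)."""
    return [policer.police(t, size, prec) for t, size, prec in arrivals]


# Constructed traffic: a burst of eight 1500-byte packets at t=0, four more at t=1 s.
SAMPLE_ARRIVALS = [(0.0, 1500, 5)] * 8 + [(1.0, 1500, 5)] * 4

if __name__ == "__main__":
    for result in simulate(CarPolicer(38400, 76800), SAMPLE_ARRIVALS):
        print(result)
```

With 12000-bit packets, the full 76800-bit bucket admits six packets of the initial burst; one second later 38400 bits of credit have accrued, which admits three more.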

qos carl

Syntax
qos carl carl-index { precedence precedence-value | mac mac-address }
undo qos carl carl-index

View
System view

Parameter
carl: Specifies TPL (Committed Access Rate List) configuration information.
carl-index: TP list number in the range 1 to 199.
precedence-value: Precedence in the range 0 to 7.
mac-address: Hexadecimal MAC address.

Description
Using the qos carl command, you can establish or modify an access list for Traffic Policing (TP) policies (abbreviated to TP list). Using the undo qos carl command, you can delete a TP list.
You can establish an access list based on IP precedence or MAC address.
Executing this command repeatedly with different carl-index values creates multiple CARLs; executing it again with the same carl-index modifies the parameters of that CARL.
You are allowed to define multiple precedence values, but no more than eight. If the same precedence is specified several times, the system treats it as specified only once. The precedence values are combined with a logical “OR”.

Example
# Configure rule 1 of TP list with packet precedence 1 and 7.
[3Com] qos carl 1 precedence 1 7

Traffic Shaping Configuration Commands

display qos gts interface

Syntax
display qos gts interface [ interface-type interface-number ]

View
Any view


Parameter
interface-type: Interface type.
interface-number: Interface number.

Description
Using the display qos gts interface command, you can view the TS configuration and accounting information of a certain interface or all interfaces. If no interface is specified, the TS configuration and operating statistics of all interfaces will be displayed.

Example
# Display TS configuration and accounting information of all interfaces.
[3Com] display qos gts interface
Interface: Ethernet6/0/0
Rule(s): If-match ACL 1
CIR 8000(Bps), CBS 15000(Bit), EBS 0(Bit)
Queue Length: 1000 (Packet)
Queue Size: 700 (Packet)
Pass: 0/0 (Packets/Bytes)
Discard : 0/0 (Packets/Bytes)
Delay : 0/0 (Packets/Bytes)

qos gts

Syntax
qos gts { any | acl acl-index } cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size [ queue-length queue-length ] ] ]
undo qos gts { any | acl acl-index }

View
Interface view

Parameter
any: Performs TP on all the IP packets.
acl acl-index: Limits the rate of packets matching the ACL, with acl-index being the ACL number in the range of 1 to 199.
cir committed-information-rate: CIR in the range of 8000 to 155000000 bits.
cbs committed-burst-size: Committed burst size in the range of 15000 to 155000000 bits. By default, committed-burst-size is 1/2 of committed-information-rate.
ebs excess-burst-size: Excess burst size in the range of 0 to 155000000 bits. By default, excess-burst-size is 0; that is, only one token bucket is used to police.


queue-length queue-length: The maximum length of the buffer in the range of 1 to 1024. By default, queue-length is 50.

Description
Using the qos gts command, you can set the shaping parameters for a certain type of traffic and perform traffic shaping. Using the undo qos gts command, you can remove the shaping configuration for a certain type of traffic.
qos gts acl is used to set shaping parameters for the packets that conform to a certain ACL. Different access lists can be used to set shaping parameters for different packets.
qos gts any is used to set shaping parameters for all packets.
qos gts acl cannot be used together with qos gts any.
Repeated use of qos gts replaces the configuration set earlier.

Example
# Configure traffic shaping for the packets that conform to ACL rule 1 at the Ethernet6/2/0 interface. The normal traffic is 38400 bps. A burst of twice the normal traffic can pass at first. After that, traffic is transmitted normally when it is less than or equal to 38400 bps. When it is larger than 38400 bps, it is added to the buffer queue, whose length is 100.
[3Com-Ethernet6/2/0] qos gts acl 1 cir 38400 cbs 76800 ebs 0 queue-length 100

Physical Interface Rate-limit Configuration Commands

display qos lr interface

Syntax
display qos lr interface [ interface-type interface-number ]

View
Any view

Parameter
interface-type: Interface type.
interface-number: Interface number.

Description
Using the display qos lr interface command, you can view the LR configuration and statistics of an interface. If no interface is specified, the LR configuration and operating statistics of all interfaces will be displayed.

Example
# Display LR configuration and statistics information in serial 0/0/0.


[3Com] display qos lr interface
Interface: Ethernet6/0/0
CIR 8000 (Bps), CBS 15000 (Bit), EBS 0 (Bit)
Pass: 0/0 (Packets/Bytes)
Delay : 0/0 (Packets/Bytes)
Active Shaping : NO

qos lr

Syntax
qos lr cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ]]
undo qos lr

View
Interface view

Parameter
cir committed-information-rate: CIR in the range of 8000 to 155000000 bits.
cbs committed-burst-size: Committed burst size in the range of 15000 to 155000000 bits. By default, committed-burst-size is half of committed-information-rate.
ebs excess-burst-size: Excess burst size in the range of 0 to 155000000 bits. By default, excess-burst-size is 0. Only one token bucket is used to police.

Description
Using the qos lr command, you can limit the bandwidth of a physical interface. Using the undo qos lr command, you can remove the limit.

Example
# Limit packet-forwarding rate of the physical interface Ethernet6/0/0.
[3Com-Ethernet6/0/0] qos lr cir 38400 cbs 76800 ebs 0

Congestion Management Configuration Commands

FIFO Queue Configuration Commands

qos fifo queue-length

Syntax
qos fifo queue-length queue-length
undo qos fifo queue-length

View
Interface view

Parameter
queue-length: Length limit of a queue in the range of 1 to 1024.

Description
Using the qos fifo queue-length command, you can set the length limit of the FIFO queue. Using the undo qos fifo queue-length command, you can restore the default value of the queue length.
By default, queue-length is 75.
For the related command, see display interface.

Example
# Set the length of FIFO queue to 100.
[3Com-Ethernet3/0/0] qos fifo queue-length 100

PQ Configuration Commands

display qos pq interface

Syntax
display qos pq interface [ interface-type interface-number ]

View
Any view

Parameter
interface-type: Interface type.
interface-number: Interface number.

Description
Using the display qos pq interface command, you can view the configuration and statistics of priority queues at interfaces. If no interface is specified, the configuration and statistics of the priority queues at all interfaces will be displayed.
For the related command, see qos pq.

Example
# Display the configuration and statistics of PQ at interface Ethernet 6/0/0.
[3Com] display qos pq interface ethernet 6/0/0
Interface: Ethernet6/0/0
Priority queueing: PQL 1 (Outbound queue:Size/Length/Discards)
Top: 0/20/0
Middle: 0/40/0
Normal: 0/60/0
Bottom: 0/80/0

display qos pql

Syntax
display qos pql

View
Any view

Parameter
None

Description
Using the display qos pql command, you can view the contents of priority lists. Default items are not displayed.
For the related commands, see qos pq and qos pq pql.

Example
# Display priority lists.
[3Com] display qos pql
Current PQL Configuration:
List  Queue   Params
-----------------------------------------------------
1     Top     Protocol ip less-than 1000
2     Normal  Length 60
2     Bottom  Length 40
3     Middle  Inbound-interface Ethernet5/0/0

qos pq

Syntax
qos pq pql pql-index
undo qos pq

View
Interface view

Parameter
pql-index: Pql index of the priority list, ranging 1 to 16.

Description
Using the qos pq command, you can apply a group of priority lists to an interface. Using the undo qos pq command, you can restore the congestion management policy at the interface to FIFO.
By default, the congestion management policy at the interfaces is FIFO.


All physical interfaces can use the priority queue, except ATM interfaces and interfaces with X.25 as the link layer.
An interface can only use one group of priority lists.
This command can configure multiple classification rules for each group in the priority list. During traffic classification, the system matches packets along the rule list. If a packet matches a certain rule, it is classified into the priority queue specified by this rule; otherwise it is put into the default priority queue.
For the related commands, see qos pql, display qos pq interface, display qos pql, and display interface.

Example
# Apply the priority list 12 to the Ethernet 0/2/0.
[3Com-Ethernet0/2/0] qos pq pql 12

qos pql default-queue

Syntax
qos pql pql-index default-queue { top | middle | normal | bottom }
undo qos pql pql-index default-queue

View
System view

Parameter
pql-index: Pql index of the priority list, ranging 1 to 16.
top, middle, normal and bottom: Correspond to the four levels of priority queue, in descending order of priority. The queue defaults to normal.

Description
Using the qos pql default-queue command, you can assign packets that match no rule to a default queue. Using the undo qos pql default-queue command, you can cancel the configuration and restore the default value.
During traffic classification, if a packet does not match any rule, it will be put into the default priority queue.
For the same pql-index, repeated use of this command sets a new default queue.
For the related command, see display qos pql.

Example
# Set the default queue of the packets without corresponding rules in group 12 of the priority list to be the bottom queue.
[3Com] qos pql 12 default-queue bottom

qos pql inbound-interface

Syntax
qos pql pql-index inbound-interface interface-type interface-number queue { top | middle | normal | bottom }
undo qos pql pql-index inbound-interface interface-type interface-number

View
System view

Parameter
pql-index: Group number of the priority list, ranging 1 to 16.
interface-type: Interface type.
interface-number: Interface number.
top, middle, normal and bottom: Correspond to the four levels of priority queue, in descending order of priority. By default, it is set to normal.

Description
Using the qos pql inbound-interface command, you can establish classification rules based on interfaces. Using the undo qos pql inbound-interface command, you can delete the corresponding classification rule.
This command matches packets according to the interface the packet comes from. For the same pql-index, this command can be used repeatedly to establish classification rules for packets that come from different interfaces.
For the related commands, see qos pql default-queue, qos pql protocol, qos pql queue, and qos pq.

Example
# Put packets from interface Serial 0/0/0 into the middle queue.
[3Com] qos pql 12 inbound-interface Serial 0/0/0 queue middle

qos pql protocol

Syntax
qos pql pql-index protocol protocol-name queue-key key-value queue { top | middle | normal | bottom }
undo qos pql pql-index protocol protocol-name queue-key key-value

View
System view

Parameter
pql-index: Pql index of the priority list, ranging 1 to 16.
top, middle, normal, bottom: Corresponding PQ queues, whose priority levels are in descending order.
protocol-name: Protocol type, which can only be IP so far.
When the protocol-name is IP, the values of queue-key and key-value are shown in the following table:

Table 1 Descriptions of values of queue-key and key-value
queue-key | key-value | Description
fragments | Null | Any IP packet that is fragmented will be classified.
acl | ACL group number, 1 to 999 | Any IP packet that complies with an ACL will be classified.
less-than | Length, 0 to 65535 | Any IP packet whose length is less than a certain value will be classified.
greater-than | Length, 0 to 65535 | Any IP packet whose length is greater than a certain value will be classified.
tcp | Port number, 0 to 65535 | Any IP packet whose source or destination TCP port number is the specified port number will be classified.
udp | Port number, 0 to 65535 | Any IP packet whose source or destination UDP port number is the specified port number will be classified.
- | - | All IP packets

When queue-key is tcp or udp, key-value can be a port name or the associated port number. You can enter “?” to get the port numbers associated with port names.

Description
Using the qos pql protocol command, you can establish classification rules based on the protocol type. Using the undo qos pql protocol command, you can delete the corresponding classification rule.
The system matches a packet against the rules in the configured order. When the packet matches a certain rule, the search process is completed.
For the same pql-index, this command can be used repeatedly to establish multiple classification rules for IP packets.
For the related command, see display qos pql.

Example
# Specify a rule to make IP packets be put into the top queue.
[3Com] qos pql 1 protocol ip acl 100 queue top

qos pql queue

Syntax
qos pql pql-index queue { top | middle | normal | bottom } queue-length queue-length
undo qos pql pql-index queue { top | middle | normal | bottom } queue-length

View
System view

Parameter
pql-index: Pql index of the priority list, ranging 1 to 16.
queue-length: Four length values of priority queues ranging 1 to 1024. By default, the length values of the queues are as follows:
  The default length value of the top queue is 20.
  The default length value of the middle queue is 40.
  The default length value of the normal queue is 60.
  The default length value of the bottom queue is 80.

Description
Using the qos pql queue command, you can specify the maximum number of packets that can wait in each of the priority queues, that is, the length of a PQ. Using the undo qos pql queue command, you can restore the default value of each PQ length.
If a queue is full, any newly incoming packet will be dropped.
For the related commands, see qos pql default-queue, qos pql inbound-interface, qos pql protocol, and qos pq.

Example
# Set the maximum number of packets waiting in the top queue of priority list 10 to 10.
[3Com] qos pql 10 queue top queue-length 10
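
The PQ commands above describe first-match classification in configuration order, a default queue for unmatched packets, and tail drop when a queue is full. The following added sketch (not code from the 3Com manual) models that behaviour for one priority list. The class PriorityList, the packet dictionaries and the sample traffic are hypothetical, and serving queues in strict top-to-bottom order is an assumption based on the "descending priority" wording.

```python
from collections import deque

LEVELS = ("top", "middle", "normal", "bottom")          # descending priority
DEFAULT_LENGTH = {"top": 20, "middle": 40, "normal": 60, "bottom": 80}


class PriorityList:
    def __init__(self):
        self.rules = []                   # (predicate, queue) in configuration order
        self.default_queue = "normal"     # documented default
        self.length = dict(DEFAULT_LENGTH)
        self.queues = {q: deque() for q in LEVELS}
        self.discards = {q: 0 for q in LEVELS}

    def _add(self, predicate, queue):
        if queue not in LEVELS:
            raise ValueError(f"unknown queue {queue!r}")
        self.rules.append((predicate, queue))

    def protocol_ip(self, queue_key, key_value, queue):
        """Models: qos pql N protocol ip <queue-key> <key-value> queue <queue>."""
        tests = {
            "fragments": lambda p: bool(p.get("fragment")),
            "less-than": lambda p: p["length"] < key_value,
            "greater-than": lambda p: p["length"] > key_value,
            "tcp": lambda p: p.get("l4") == "tcp"
            and key_value in (p.get("sport"), p.get("dport")),
            "udp": lambda p: p.get("l4") == "udp"
            and key_value in (p.get("sport"), p.get("dport")),
        }
        self._add(tests[queue_key], queue)

    def inbound_interface(self, ifname, queue):
        """Models: qos pql N inbound-interface <interface> queue <queue>."""
        self._add(lambda p: p.get("in_if") == ifname, queue)

    def classify(self, pkt):
        for predicate, queue in self.rules:
            if predicate(pkt):
                return queue              # first match ends the search
        return self.default_queue

    def enqueue(self, pkt):
        """Return the queue name, or None if the packet was tail-dropped."""
        queue = self.classify(pkt)
        if len(self.queues[queue]) >= self.length[queue]:
            self.discards[queue] += 1
            return None
        self.queues[queue].append(pkt)
        return queue

    def dequeue(self):
        """Assumed strict priority: always serve the highest non-empty queue."""
        for queue in LEVELS:
            if self.queues[queue]:
                return self.queues[queue].popleft()
        return None


def demo():
    pl = PriorityList()
    pl.protocol_ip("less-than", 1000, "top")
    pl.inbound_interface("Ethernet5/0/0", "middle")
    pl.default_queue = "bottom"
    pl.length["top"] = 2
    # Constructed packets.
    packets = [
        {"id": 1, "length": 64, "in_if": "Ethernet5/0/0"},
        {"id": 2, "length": 1500, "in_if": "Ethernet5/0/0"},
        {"id": 3, "length": 1500, "in_if": "Serial0/0/0"},
        {"id": 4, "length": 100, "in_if": "Serial0/0/0"},
        {"id": 5, "length": 200, "in_if": "Serial0/0/0"},
    ]
    placed = [pl.enqueue(p) for p in packets]
    order = []
    while (pkt := pl.dequeue()) is not None:
        order.append(pkt["id"])
    return placed, order, pl.discards


if __name__ == "__main__":
    print(demo())
```

Packet 1 matches both rules but lands in the top queue because the less-than rule was configured first; packet 5 is dropped because the top queue length was set to 2.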

CQ Configuration Commands

display qos cq interface

Syntax
display qos cq interface [ interface-type interface-number ]

View
Any view

Parameter
interface-type: Interface type.
interface-number: Interface number.

Description
Using the display qos cq interface command, you can view the configuration and statistics of customized queues at interfaces. If no interface is specified, the CQ configuration and statistics of all interfaces will be displayed.
For the related command, see qos cq.

Example
# Display configuration and statistics of customized queues at interface Ethernet 6/0/0.
[3Com] display qos cq interface ethernet 6/0/0
Interface: Ethernet6/0/0
Custom queueing: CQL 1 (Outbound queue:Size/Length/Discards)
0: 0/ 20/0     1: 0/ 20/0     2: 0/ 20/0
3: 0/ 20/0     4: 0/ 20/0     5: 0/ 20/0
6: 0/ 20/0     7: 0/ 20/0     8: 0/ 20/0
9: 0/ 20/0     10: 0/ 20/0    11: 0/ 20/0
12: 0/ 20/0    13: 0/ 20/0    14: 0/ 20/0
15: 0/ 20/0    16: 0/ 20/0

display qos cql

Syntax
display qos cql

View
Any view

Parameter
None

Description
Using the display qos cql command, you can view the contents of custom lists. Default values will not be displayed.
For the related commands, see qos cq cql and qos cq.

Example
# Display information about a custom list.
[3Com] display qos cql
Current CQL Configuration:
List  Queue  Params
2     3      Protocol ip fragments
3     0      Length 100
3     1      Inbound-interface Ethernet0

qos cq

Syntax
qos cq cql cql-index
undo qos cq

View
Interface view

Parameter
cql-index: Cql index number of a custom list, ranging 1 to 16.

Description
Using the qos cq cql command, you can apply the customized queue to an interface. Using the undo qos cq command, you can restore the congestion management policy at the interface to FIFO.
By default, the congestion management policy at the interfaces is FIFO.
All the physical interfaces can use customized queues, except ATM interface and interfaces with X.25 as the link layer. One interface can only use one group of customized queues.
This command can configure multiple classification rules for each group in the custom list. During traffic classification, the system matches packets along the rule link. A packet that matches a rule is classified into the corresponding priority queue specified by this rule. A packet that matches no rule goes to the default priority queue.
For the related commands, see qos cql default-queue, qos cql inbound-interface, qos cql protocol, qos cql queue serving, and qos cql queue queue-length.

Example
# Apply the custom group 5 on the Ethernet 6/0/0.
[3Com-Ethernet6/0/0] qos cq cql 5

qos cql default-queue

Syntax
qos cql cql-index default-queue queue-number
undo qos cql cql-index default-queue

View
System view

Parameter
cql-index: Cql index of the custom list, ranging 1 to 16.
queue-number: Queue number, ranging 0 to 16. By default, customized queue number is 1.

Description
Using the qos cql default-queue command, you can assign a default queue for those packets that do not match any rule in the custom list. Using the undo qos cql default-queue command, you can restore the default queue.
During traffic classification, if a packet does not match any rule, it will go to the default queue.
For the related commands, see qos cql inbound-interface, qos cql protocol, qos cql queue serving, and qos cql queue queue-length.

Example
# Assign default queue 2 to custom list 5.
[3Com] qos cql 5 default-queue 2

qos cql inbound-interface

Syntax
qos cql cql-index inbound-interface interface-type interface-number queue queue-number
undo qos cql cql-index inbound-interface interface-type interface-number

View
System view

Parameter
cql-index: Group number of the custom list, ranging 1 to 16.
interface-type: Interface type.
interface-number: Interface number.
queue-number: Queue number, ranging 0 to 16.

Description
Using the qos cql inbound-interface command, you can establish classification rules based on interfaces. Using the undo qos cql inbound-interface command, you can delete corresponding classification rules.
By default, no classification rules are configured.
This command matches a packet to a rule according to the interface that the packet comes from. For the same group-number, this command can be repeatedly used, establishing different classification rules for packets from different interfaces.
For the related commands, see qos cql protocol, qos cql queue serving, and qos cql queue queue-length.

Example
# Specify a rule that puts packets from tunnel 0/0/0 into queue 3.
[3Com] qos cql 5 inbound-interface tunnel 0 queue 3

qos cql protocol

Syntax
qos cql cql-index protocol protocol-name queue-key key-value queue queue-number
undo qos cql cql-index protocol protocol-name queue-key key-value queue queue-number

View
System view

Parameter
cql-index: Group number of the custom list, ranging 1 to 16.
protocol-name: Protocol name, which can currently only be ip.
queue-number: Queue number, ranging 0 to 16.
When protocol-name is IP, the values of queue-key and key-value are displayed in the following table:

Table 2 Descriptions of values of queue-key and key-value
queue-key     key-value                    Description
fragments     Null                         Any IP packet that is fragmented will be classified.
acl           ACL group number, 1 to 999   Any IP packet that complies with ACL will be classified.
less-than     Length, 0 to 65535           Any IP packet whose length is less than a certain value will be classified.
greater-than  Length, 0 to 65535           Any IP packet whose length is greater than a certain value will be classified.
tcp           Port number, 0 to 65535      IP packets are classified according to source or destination TCP port number.
udp           Port number, 0 to 65535      IP packets are classified according to source or destination UDP port number.
                                           All IP Packets

When queue-key is tcp or udp, key-value can be port name or the associated port number. You can enter “?” to get the port numbers associated with port names.

Description
Using the qos cql protocol command, you can establish classification rules based on the protocol type. Using the undo qos cql protocol command, you can delete corresponding classification rules.
The system matches a packet against the rules in the order in which the rules were configured. When the packet matches a certain rule, the search process is completed.
For the same cql-index, this command can be repeatedly used, establishing multiple classification rules for IP packets.
For the related commands, see qos cql inbound-interface, qos cql protocol, qos cql queue serving, and qos cql queue queue-length.

Example
# Specify a rule that puts any IP packet that matches the access-list 100 into queue 3.
[3Com] qos cql 5 protocol ip acl 100 queue 3

qos cql queue

Syntax
qos cql cql-index queue queue-number queue-length queue-length
undo qos cql cql-index queue queue-number queue-length

View
System view

Parameter
cql-index: Cql index of the custom list, ranging 1 to 16.
queue-number: Queue number, ranging 0 to 16.
queue-length: The maximum length of the queue, ranging 0 to 1024 packets.

Description
Using the qos cql queue command, you can specify a default queue for the packets without corresponding rules. Using the undo qos cql queue command, you can cancel the configuration and restore the default value.
By default, queue-length is 20 packets.
If a queue is full, any newly incoming packet will be dropped.
For the related commands, see qos cql inbound-interface, qos cql protocol, and qos cql queue serving.

Example
# Set the number of packets in queue 4 of custom list 5 to 40.
[3Com] qos cql 5 queue 4 queue-length 40

qos cql queue serving

Syntax
qos cql cql-index queue queue-number serving byte-count
undo qos cql cql-index queue queue-number serving

View
System view

Parameter
cql-index: Cql-index of the custom list, ranging 1 to 16.
queue-number: Queue number, ranging 0 to 16.
byte-count: Number of bytes in packets that the given queue sends during each poll, ranging 0 to 16777215 bytes.

Description
Using the qos cql queue serving command, you can set the byte-count of the packets sent from a given queue during each poll. Using the undo qos cql queue serving command, you can restore the byte-count of sent packets to the default value.
By default, byte-count is 1500.
For the related commands, see qos cql inbound-interface, qos cql protocol, and qos cql queue queue-length.

Example
# Set the byte-count of queue 2 in custom list 5 to 1400.
[3Com] qos cql 5 queue 2 serving 1400
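
The CQ commands above combine into one behaviour: first-match classification, a default queue, tail drop at queue-length, and a per-poll byte-count. The following Python model is an added example, not 3Com code; it assumes queues are polled in ascending number and that a queue keeps sending whole packets until it has sent at least byte-count bytes in that poll, and it omits the acl queue-key. The packet mix in demo() is constructed.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Packet:
    length: int             # IP packet length in bytes
    proto: str = "udp"      # "tcp" or "udp"
    sport: int = 0
    dport: int = 0
    fragment: bool = False
    in_if: str = ""         # inbound interface name


def rule_matches(key, value, pkt):
    """Evaluate one classification rule (queue-key / key-value) against a packet."""
    if key == "fragments":
        return pkt.fragment
    if key == "less-than":
        return pkt.length < value
    if key == "greater-than":
        return pkt.length > value
    if key in ("tcp", "udp"):           # source or destination port, as in Table 2
        return pkt.proto == key and value in (pkt.sport, pkt.dport)
    if key == "inbound-interface":
        return pkt.in_if == value
    raise ValueError(f"unsupported queue-key: {key}")


class CustomQueueList:
    """Model of one custom list (qos cql cql-index ...) with queues 0 to 16."""

    def __init__(self, default_queue=1):
        self.rules = []                                    # kept in configured order
        self.default_queue = default_queue                 # qos cql default-queue
        self.queue_length = {q: 20 for q in range(17)}     # default 20 packets
        self.serving = {q: 1500 for q in range(17)}        # default byte-count 1500
        self.queues = {q: deque() for q in range(17)}
        self.discards = {q: 0 for q in range(17)}

    def add_rule(self, key, value, queue):
        self.rules.append((key, value, queue))

    def classify(self, pkt):
        # The search stops at the first rule that matches.
        for key, value, queue in self.rules:
            if rule_matches(key, value, pkt):
                return queue
        return self.default_queue

    def enqueue(self, pkt):
        q = self.classify(pkt)
        if len(self.queues[q]) >= self.queue_length[q]:
            self.discards[q] += 1                          # queue full: tail drop
            return None
        self.queues[q].append(pkt)
        return q

    def poll(self):
        """One polling round; returns {queue: (packets sent, bytes sent)}."""
        sent = {}
        for q in range(17):
            used = count = 0
            while self.queues[q] and used < self.serving[q]:
                used += self.queues[q].popleft().length
                count += 1
            if count:
                sent[q] = (count, used)
        return sent


def demo():
    """Custom list with rules and limits modelled on the examples in this section."""
    cql = CustomQueueList(default_queue=2)
    cql.add_rule("fragments", None, 4)
    cql.add_rule("less-than", 100, 3)
    cql.add_rule("inbound-interface", "Tunnel0", 3)
    cql.queue_length[4] = 40                               # queue 4 queue-length 40
    cql.serving[2] = 1400                                  # queue 2 serving 1400
    for _ in range(50):                                    # burst of small fragments
        cql.enqueue(Packet(60, fragment=True))
    cql.enqueue(Packet(80))
    for _ in range(3):
        cql.enqueue(Packet(700))
    return cql, cql.poll()
```

In demo() the 60-byte fragments also satisfy less-than 100, but the fragments rule was configured first, so the burst fills and overflows queue 4 only and the other queues still get their share of the poll.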

WFQ Configuration Commands

display qos wfq interface

Syntax
display qos wfq interface [ interface-type interface-number ]

View
Any view

Parameter
interface-type: Interface type.
interface-number: Interface number.

Description
Using the display qos wfq interface command, you can view customized queue configuration and statistics of an interface. If no interface is specified, the customized queue configuration and statistics of all interfaces will be displayed.
For the related command, see qos wfq.

Example
# Display the custom queue configuration and statistics of Ethernet 6/0/0 interface.
[3Com] display qos wfq interface ethernet 6/0/0
Interface: Ethernet6/0/0
Weighted Fair queueing: (Outbound queue:Size/Length/Discards)
WFQ: 0/100/0
Hashed queues: 0/0/128 (Active/Max active/Total)

qos wfq

Syntax
qos wfq [ queue-length max-queue-length [ queue-number total-queue-number ] ]
undo qos wfq

View
Interface view

Parameter
max-queue-length: The maximum queue length in the range of 1 to 1024. It is the maximum number of packets in each queue. Packets out of the range will be discarded.
total-queue-number: Total queue number. Available numbers are 16, 32, 64, 128, 256, 512, 1024, 2048 and 4096.
By default, max-queue-length is 64; total-queue-number is 256.

Description
Using the qos wfq command, you can apply weighted fair queue or modify WFQ parameters at an interface. Using the undo qos wfq command, you can restore the default congestion management mechanism FIFO.
Except ATM interface and interfaces with X.25 as the link layer, all physical interfaces can use weighted fair queue. When an interface does not apply WFQ policy, this command can be used to apply WFQ policy at the interface as well as specifying WFQ parameters. If an interface has applied WFQ policy, this command can be used to modify WFQ parameters.
For the related commands, see display interface and display qos wfq interface.

Example
# Apply WFQ at the Ethernet6/0/0 interface, set the queue length to 100 and set the total queue number to 512.
[3Com-Ethernet6/0/0] qos wfq queue-length 100 queue-number 512

CBQ Configuration Commands
car

Syntax
car cir committed-information-rate [ cbs committed-burst-size ebs excess-burst-size ] [ green action [ red action ] ]
undo car

View
Traffic behavior view

Parameter
cir committed-information-rate: Committed information rate of traffic in the range of 8000 to 155000000 bit.
cbs committed-burst-size: Committed burst size, number of bits that can be sent in each interval in the range of 15000 to 155000000 bits.
ebs excess-burst-size: Excessive burst size in the range of 0 to 155000000 bits.
green: Action conducted to packets when traffic of packets conforms to the traffic convention. By default, the action of green is “pass”.
red: Action conducted to packets when traffic of packets does not conform to the traffic convention. By default, the action of red is “discard”.
action: Action conducted on a packet. Divided into the following types:
discard: Drops the packet.
remark-dscp-pass new-dscp: Sets new-dscp and transmits the packet.
remark-prec-pass new-precedence: Sets new-precedence of IP and transmits the packet.
remark-mpls-exp-pass new-exp: Sets the new MPLS EXP and transmits the packet.
pass: Transmits the packet.

Description
Using the car command, you can configure traffic monitoring for a behavior. Using the undo car command, you can delete the configuration of traffic monitoring.
The policy can be used in the input or output direction of the interface.
Applying a policy that includes a TP policy on an interface makes the previous qos car command ineffective.
If this command is repeatedly configured on classes of the same policy, the last configuration will overwrite the previous ones.
For the related commands, see qos policy, traffic behavior, and classifier behavior.

Example
# Use traffic monitor for a behavior. The normal traffic of packets is 38400 bps. Burst traffic twice of the normal traffic can pass initially and later the traffic is transmitted normally when the rate does not exceed 38400 bps. When the rate exceeds 38400 bps, the precedence of the packet turns to 0 and the packet is transmitted.
[3Com] traffic behavior database
[3Com-behavior-database] car cir 38400 cbs 76800 ebs 0 green pass red remark-precedence-pass 0

classifier behavior

Syntax
classifier tcl-name behavior behavior-name
undo classifier tcl-name

View
Policy view

Parameter
tcl-name: Must be the name of the defined class, the system-defined or user-defined class.
behavior-name: Must be the name of the defined behavior, the system-defined or user-defined behavior.

Description
Using the classifier behavior command, you can specify the behavior for the class in the policy. Using the undo classifier command, you can remove the application of the class in the policy.
Each class in the policy can only be associated with one behavior. The undo command is not used for the default class.
For the related command, see qos policy.

Example
# Specify the behavior test for the class database in the policy 3Com.
[3Com] qos policy 3Com
[3Com-qospolicy-3Com] classifier database behavior test

display qos cbq interface

Syntax
display qos cbq interface [ { interface-type interface-number } [ pvc { pvc-name [ vpi/vci ] | vpi/vci } ] ]

View
Any view

Parameter
interface-type: Interface type.
interface-number: Interface number.
pvc: Used for ATM interface only, i.e., policy configuration of specified PVC on specified ATM interface can be displayed.
pvc-name: PVC name.
vpi/vci: VPI/VCI value pair. For detailed description, refer to the Parameter Description about pvc command.

Description
Using the display qos cbq interface command, you can view CBQ configuration information and operating status on the specified interface, the specified PVC on specified ATM interface, or on all interfaces.

Example
[3Com] display qos cbq interface
Interface: Ethernet10/2/0
Class Based Queuing: (Outbound queue: Total Size/Discards)
CBQ: 0/0
Queue Size: 0/0/0 (EF/AF/BE)
BE Queues: 0/0/256 (Active/Max active/Total)
AF Queues: 1 (Allocated)
Bandwidth(Kbps): 74992/75000 (Available/Max reserve)

display qos policy

Syntax
display qos policy { system-defined | user-defined } [ policy-name [ classifier tcl-name ] ]

View
Any view

Parameter
system-defined: Policy pre-defined by the system.
user-defined: Policy pre-defined by the user.
policy-name: Policy name. If it is not specified, the configuration information of all the policies pre-defined by the system or by the user will be displayed.
tcl-name: Class name in the policy.

Description
Using the display qos policy command, you can display the configuration information of the specified class or all the classes and associated behaviors in the specified policy or all policies.

Example
[3Com] display qos policy user-defined
User Defined QoS Policy Information:
  Policy: test
    Classifier: default-class
      Behavior: be
        -none
    Classifier: 3Com
      Behavior: 3Com
        Marking:
          Remark IP Precedence 3
        Committed Access Rate:
          CIR 20000 (bps), CBS 15000 (bit), EBS 0 (bit)
          Conform Action: pass
          Exceed Action: discard
        Expedited Forwarding:
          Bandwidth 50 (Kbps) CBS 1500 (Bytes)
    Classifier: database
      Behavior: database
        Assured Forwarding:
          Bandwidth 30 (Kbps)
          Discard Method: Tail
          Queue Length : 64 (Packets)
        General Traffic Shape:
          CIR 30000 (bps), CBS 15000 (bit), EBS 0 (bit)
          Queue length 50 (Packets)
        Marking:
          Remark MPLS EXP 3

display qos policy interface

Syntax
display qos policy interface [ { interface-type interface-number } [ inbound | outbound ] [ pvc { pvc-name [ vpi/vci ] | vpi/vci } ] ]

View
Any view

Parameter
interface-type: Interface type.
interface-number: Interface number.
pvc: Used for ATM interface only, i.e., policy configuration of specified PVC on specified ATM interface can be displayed.
pvc-name: PVC name.
vpi/vci: VPI/VCI value pair. For details, refer to the parameter description about the pvc command.

Description
Using the display qos policy interface command, you can view configuration information and the operating status of the policy on the specified interface, the specified PVC on specified ATM interface or on all interfaces and PVC.

Example
# Display qos policy on Ethernet 10/2/0.
[3Com] display qos policy interface Ethernet 10/2/0
Interface: Ethernet10/2/0
  Direction: Outbound
  Policy: test
    Classifier: default-class
      Matched : 0/0 (Packets/Bytes)
      Rule(s) : if-match any
      Behavior: be
        Default Queue:
          Flow Based Weighted Fair Queuing
          Max number of hashed queues: 256
          Matched : 0/0 (Packets/Bytes)
          Enqueued : 0/0 (Packets/Bytes)
          Discarded: 0/0 (Packets/Bytes)
          Discard Method: Tail
    Classifier: 3Com
      Matched : 0/0 (Packets/Bytes)
      Operator: AND
      Rule(s) : if-match ip-precedence 5
      Behavior: 3Com
        Marking:
          Remark IP Precedence 3
          Remarked: 0 (Packets)
        Committed Access Rate:
          CIR 20000 (bps), CBS 15000 (bit), EBS 0 (bit)
          Conform Action: pass
          Exceed Action: discard
          Conformed: 0/0 (Packets/Bytes)
          Exceeded : 0/0 (Packets/Bytes)
        Expedited Forwarding:
          Bandwidth 50 (Kbps), CBS 1500 (Bytes)
          Matched : 0/0 (Packets/Bytes)
          Enqueued : 0/0 (Packets/Bytes)
          Discarded: 0/0 (Packets/Bytes)
    Classifier: database
      Matched : 0/0 (Packets/Bytes)
      Operator: AND
      Rule(s) : if-match acl 131
                if-match inbound interface Ethernet10/2/0
      Behavior: database
        General Traffic Shape:
          CIR 30000 (bps), CBS 15000 (bit), EBS 0 (bit)
          Queue Length: 50 (Packets)
          Queue size : 0 (Packets)
          Passed : 0/0 (Packets/Bytes)
          Discarded: 0/0 (Packets/Bytes)
          Delayed : 0/0 (Packets/Bytes)
        Marking:
          Remark MPLS EXP 3
          Remarked: 0 (Packets)
        Assured Forwarding:
          Bandwidth 30 (Kbps)
          Matched : 0/0 (Packets/Bytes)
          Enqueued : 0/0 (Packets/Bytes)
          Discarded: 0/0 (Packets/Bytes)

display traffic behavior

Command
display traffic behavior { system-defined | user-defined } [ behavior-name ]

View
Any view

Parameter
system-defined: Behavior pre-defined by the system.
user-defined: Behavior pre-defined by the user.
behavior-name: Behavior name. If it is not specified, the information of the behaviors pre-defined by the system or by the user will be displayed.

Description
Using the display traffic behavior command, you can display the information of the traffic behavior configured on the router.

Example
[3Com] display traffic behavior user-defined
User Defined Behavior Information:
  Behavior: test
    Assured Forwarding:
      Bandwidth 30 (Kbps)
      Discard Method: Tail
      Queue Length : 64 (Packets)
    General Traffic Shape:
      CIR 30000 (bps), CBS 15000 (bit), EBS 0 (bit)
      Queue length 50 (Packets)
    Marking:
      Remark MPLS EXP 3
  Behavior: 3Com
    Marking:
      Remark IP Precedence 3
    Committed Access Rate:
      CIR 20000 (bps), CBS 15000 (bit), EBS 0 (bit)
      Conform Action: pass
      Exceed Action: discard
    Expedited Forwarding:
      Bandwidth 50 (Kbps) CBS 1500 (Bytes)

display traffic classifier

Syntax
display traffic classifier { system-defined | user-defined } [ tcl-name ]

View
Any view

Parameter
system-defined: Class pre-defined by the system.
user-defined: Class pre-defined by the user.
tcl-name: Class name. If it is not specified, the information of all classes pre-defined by the system or by the user will be displayed.

Description
Using the display traffic classifier command, you can view information about the classes configured on the router.

Example
[3Com] display traffic classifier user-defined
User Defined Classifier Information:
  Classifier: 3Com
    Operator: AND
    Rule(s) : if-match ip-precedence 5
  Classifier: database
    Operator: AND
    Rule(s) : if-match acl 131
              if-match inbound-interface Ethernet10/2/0

gts

Syntax
gts cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size [ queue-length queue-length ] ] ]
undo gts

View
Traffic behavior view

Parameter
cir committed-information-rate: Average rate of traffic in the range of 8000 to 155000000 bps.
cbs committed-burst-size: Burst size in the range of 15000 to 155000000 bits.
ebs excess-burst-size: Excessive burst size in the range of 0 to 155000000 bits.
queue-length queue-length: The maximum length of a queue in the range of 1 to 1024.
By default, committed-burst-size is a half of committed-information-rate, excess-burst-size is 0, and queue-length is 50.

Description
Using the gts command, you can configure traffic shaping for a behavior. Using the undo gts command, you can delete traffic shaping for a behavior.
A policy in which shape is used on an interface can only be applied in the output direction of the interface.
Applying a policy that includes a shape policy on an interface makes the previously configured qos gts command ineffective. If this command is repeatedly configured on the same traffic behavior, the last configuration will overwrite the previous ones.
For the related commands, see qos policy, traffic behavior, and classifier behavior.

Example
# Configure TS for a behavior. The normal traffic is 38400 bps. Burst traffic twice of the normal traffic can pass initially and later the traffic is transmitted normally when the rate is less than or equal to 38400 bps. When the rate exceeds 38400 bps, the traffic will enter the queue buffer and the buffer queue length is 100.
[3Com] traffic behavior database
[3Com-behavior-database] gts cir 38400 cbs 76800 ebs 0 queue-length 100
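
The car and gts examples use the same cir 38400 cbs 76800 ebs 0 parameters but treat excess traffic differently: car colours it red and applies the red action immediately, while gts holds it in a queue of queue-length packets and tail-drops only the overflow. The following Python model is an added example, not the router's implementation; it assumes a single token bucket (valid here because ebs is 0) that starts full, and the packet trace of 1200-byte (9600-bit) packets is constructed.

```python
from collections import deque


class TokenBucket:
    """Bucket of `cbs` bits refilled at `cir` bits per second; starts full (assumption)."""

    def __init__(self, cir, cbs):
        self.cir, self.cbs = cir, cbs
        self.tokens, self.t = float(cbs), 0.0

    def refill(self, now):
        self.tokens = min(self.cbs, self.tokens + (now - self.t) * self.cir)
        self.t = now

    def take(self, bits):
        if self.tokens >= bits:
            self.tokens -= bits
            return True
        return False


def car(packets, cir, cbs):
    """Policing: colour each (arrival time in s, size in bits) packet green or red.

    The configured green/red action (pass, discard, remark-...) is then applied
    per colour; nothing is ever delayed.
    """
    bucket = TokenBucket(cir, cbs)
    colours = []
    for now, bits in packets:
        bucket.refill(now)
        colours.append("green" if bucket.take(bits) else "red")
    return colours


def gts(packets, cir, cbs, queue_length):
    """Shaping: return (departure times, packets dropped because the queue was full).

    Assumes every packet is no larger than cbs, so a queued packet can
    always become conforming after waiting.
    """
    bucket = TokenBucket(cir, cbs)
    queue, departures, dropped = deque(), [], 0

    def drain(until):
        # Release queued packets whose tokens become available by `until`.
        while queue:
            bits = queue[0]
            deficit = max(0.0, bits - bucket.tokens)
            ready = bucket.t + deficit / cir
            if ready > until:
                break
            bucket.tokens += deficit - bits
            bucket.t = ready
            queue.popleft()
            departures.append(ready)

    for now, bits in packets:
        drain(now)
        bucket.refill(now)
        if not queue and bucket.take(bits):
            departures.append(now)          # conforming: sent without delay
        elif len(queue) < queue_length:
            queue.append(bits)              # excess: buffered, sent later at cir
        else:
            dropped += 1                    # buffer full: tail drop
    drain(float("inf"))
    return departures, dropped


# Constructed trace: a burst of twelve 9600-bit packets at t=0, one more at t=1 s.
TRACE = [(0.0, 9600)] * 12 + [(1.0, 9600)]
```

With this trace, car(TRACE, 38400, 76800) passes the first eight packets (the 76800-bit burst) and marks the next four red, while gts(TRACE, 38400, 76800, 100) sends all thirteen, spacing the excess 0.25 s apart.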

if-match

Syntax
if-match [ not ] match-criteria
undo if-match [ not ] match-criteria

View
Class view

Parameter
match-criteria: Match rule of a class, which can be acl, any, class-map, destination-mac, inbound-interface, ip-precedence, dscp, protocol, source-mac, mpls-exp.

Description
Using the if-match command, you can define the rule of all packets not satisfying the specified match rule. Using the undo if-match command, you can delete the rule of all packets not satisfying the specified match rule.
For the related command, see traffic classifier.

Example
# Define the class to match packets whose protocol is not IP.
[3Com] traffic classifier class1
[3Com-classifier-class1] if-match not protocol ip

if-match { destination-mac | source-mac }

Syntax
if-match [ not ] { destination-mac | source-mac } mac-address
undo if-match [ not ] { destination-mac | source-mac } mac-address

View
Class view

Parameter
mac-address: MAC address.

Description
Using the if-match { destination-mac | source-mac } command, you can define match rule of destination or source MAC address. Using the undo if-match { destination-mac | source-mac } command, you can delete the match rule of destination or source MAC address.
The match rules of the destination MAC address are only meaningful for the policies of the output direction and the interface of Ethernet type.
The match rules of the source MAC address are only meaningful for the policies of the input direction and the interface of Ethernet type.
For the related command, see traffic classifier.

Example
# Define that the match rule of class1 is to match the packets with the destination MAC address 0050-ba27-bed3.
[3Com] traffic classifier class1
[3Com-classifier-class1] if-match destination-mac 0050-ba27-bed3
# Define the match rule of class2 as matching the packets with source MAC address 0050-ba27-bed2.
[3Com] traffic classifier class2
[3Com-classifier-class2] if-match source-mac 0050-ba27-bed2

if-match acl

Syntax
if-match [ not ] acl access-list-number
undo if-match [ not ] acl access-list-number

View
Class view

Parameter
access-list-number: ACL number.

Description
Using the if-match acl command, you can define ACL match rule. Using the undo if-match acl command, you can delete ACL match rule.
For the related command, see traffic classifier.

Example
# Define a class to match ACL 101.
[3Com] traffic classifier class1
[3Com-classifier-class1] if-match acl 101

if-match any

Syntax
if-match [ not ] any
undo if-match [ not ] any

View
Class view

Parameter
None

Description
Using the if-match any command, you can define the rule matching all packets. Using the undo if-match any command, you can delete the rule matching all packets.
For the related command, see traffic classifier.

Example
# Define the rule matching all packets.
[3Com] traffic classifier class1
[3Com-classifier-class1] if-match any

if-match classifier

Syntax
if-match [ not ] classifier tcl-name
undo if-match [ not ] classifier tcl-name

View
Class view

Parameter
tcl-name: Class name.

Description
Using the if-match classifier command, you can define class-map match rule. Using the undo if-match classifier command, you can delete the class-map match rule.
This configuration method is the only one to match the traffic with both the match-all and match-any features. For example, classA needs to match: rule1 & rule2 | rule3
traffic classifier classB operator and
if-match rule1
if-match rule2
traffic classifier classA operator or
if-match rule3
if-match classifier classB
For the related command, see traffic classifier.

Example
# The match rule of class2 uses class1, so class1 is configured first. The match rule of class1 is ACL 101 and the IP precedence is 5.
[3Com] traffic classifier class1
[3Com-classifier-class1] if-match ip-precedence 5
# Define class2, whose match rule is class1 and destination MAC address 0050-BA27-BED3.
[3Com] traffic classifier class2
[3Com-classifier-class2] if-match classifier class1
[3Com-classifier-class2] if-match destination-mac 0050-BA27-BED3

if-match dscp

Syntax
if-match [ not ] dscp { dscp-value }
undo if-match [ not ] dscp { dscp-value }

View
Class view

Parameter
dscp-value: DSCP value in the range of 0 to 63.

Description
Using the if-match dscp command, you can define IP DSCP match rule. Using the undo if-match dscp command, you can delete IP DSCP match rule.
More than one such command can be configured under a class. They do not overwrite one another. When each command is configured, the dscp-value values are sorted automatically in ascending order. The command can be deleted only when the specified DSCP values are identical with those in the rule (sequence may be different).
More than one DSCP value can be configured and the maximum number is 8. If multiple DSCPs of the same value are specified, the system regards them as one by default. Relation between different DSCP values is “or”.
For the related command, see traffic classifier.

Example
# Define the match rule of class1 as matching the packets with the dscp value as 1, 6 or 9.
[3Com] traffic classifier class1
[3Com-classifier-class1] if-match dscp 1 6 9

if-match inbound-interface

Syntax
if-match [ not ] inbound-interface { interface-type interface-number }
undo if-match [ not ] inbound-interface { interface-type interface-number }

View
Class view

Parameter
interface-type: Interface type.
interface-number: Interface number.

Description
Using the if-match inbound-interface command, you can define input interface match rule of a class. Using the undo if-match inbound-interface command, you can delete input interface match rule of a class.
If the interface is deleted, the match rule will not exist.
Supported interface type: ATM, Ethernet, Serial, Tunnel, VT etc.
For the related command, see traffic classifier.

Example
# Define that the class matches the packets entering from Ethernet6/0/0.
[3Com] traffic classifier class1
[3Com-classifier-class1] if-match inbound-interface Ethernet6/0/0

if-match ip-precedence

Syntax
if-match [ not ] ip-precedence { ip-precedence-value }
undo if-match [ not ] ip-precedence

View
Class view

Parameter
ip-precedence-value: Precedence value in the range of 0 to 7. Multiple values can be specified and the maximum number is 8. If multiple precedence of the same value are specified, only one of them is taken. Relation between different DSCP values is “or”.

Description
Using the if-match ip-precedence command, you can define IP precedence match rule. Using the undo if-match ip-precedence command, you can delete IP precedence match rule.
When any command is configured, the ip-precedence-value will be sorted automatically in ascending order.
Multiple precedence values can be specified but the maximum number is 8. If the multiple precedence values specified are the same, the system regards them as one. Relation between different precedence values is “or”.
For the related command, see traffic classifier.

Example
# Define the match rule of class1 as matching the packets with the precedence value as 1 or 6.
[3Com] traffic classifier class1
[3Com-classifier-class1] if-match ip-precedence 1 6

if-match protocol

Syntax
if-match [ not ] protocol protocol-name
undo if-match [ not ] protocol protocol-name

View
Class view

Parameter
protocol-name: Protocol name. IP is used.

Description
Using the if-match protocol command, you can define protocol match rule. Using the undo if-match protocol command, you can delete protocol match rule.
For the related command, see traffic classifier.

Example
# Define a class whose match protocol is IP.
[3Com] traffic classifier class1
[3Com-classifier-class1] if-match protocol ip


if-match rtp

Syntax
if-match [ not ] rtp start-port starting-port-number end-port end-port-number
undo if-match [ not ] rtp start-port starting-port-number end-port end-port-number

View
Class view

Parameter
starting-port-number: Starting RTP port number in the range of 2000 to 65535.
end-port-number: Ending RTP port number in the range of 2000 to 65535.

Description
Using the if-match rtp command, you can define port match rule of RTP. Using the undo if-match rtp command, you can delete the port match rule of RTP.
This command can match RTP packets in the range of specified RTP port number, i.e., to match packets of even UDP port numbers between <starting-port-number> and <end-port-number>.
If this command is repeatedly used under a class, the last configuration will overwrite the previous ones.
For the related command, see traffic classifier.

Example
# Define the match rule of class1 as matching the packets whose RTP port number is the even UDP port number between 16384 and 32767.
[3Com] traffic classifier class1
[3Com-classifier-class1] if-match rtp start-port 16384 end-port 32767
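
The if-match rules above combine through the class operator, the not keyword and nested classifiers, as in the rule1 & rule2 | rule3 pattern shown under if-match classifier. The following Python evaluator is an added example, not router code; the packet dictionaries and class contents are constructed, and it assumes if-match rtp is tested against the UDP destination port, which this section does not specify.

```python
def rule(criterion, arg=None, negate=False):
    """Build one if-match rule, enforcing the value ranges given in this section."""
    if criterion == "dscp":
        arg = frozenset(arg)                    # duplicate values count once
        if not arg or len(arg) > 8 or not all(0 <= v <= 63 for v in arg):
            raise ValueError("dscp: 1 to 8 values in the range 0 to 63")
    elif criterion == "ip-precedence":
        arg = frozenset(arg)
        if not arg or not all(0 <= v <= 7 for v in arg):
            raise ValueError("ip-precedence: values in the range 0 to 7")
    elif criterion == "rtp":
        start, end = arg
        if not 2000 <= start <= end <= 65535:
            raise ValueError("rtp: ports in the range 2000 to 65535")
    elif criterion in ("source-mac", "destination-mac"):
        arg = arg.lower()
    return (negate, criterion, arg)


def rule_hits(criterion, arg, pkt, classes, stack):
    """True when the packet satisfies one criterion (before 'not' is applied)."""
    if criterion == "any":
        return True
    if criterion == "protocol":
        return pkt.get("protocol") == arg
    if criterion == "dscp":
        return pkt.get("dscp") in arg           # values of one rule are OR-ed
    if criterion == "ip-precedence":
        return pkt.get("precedence") in arg
    if criterion == "inbound-interface":
        return pkt.get("in_if") == arg
    if criterion in ("source-mac", "destination-mac"):
        return pkt.get(criterion, "").lower() == arg
    if criterion == "rtp":                      # even UDP ports inside the range
        start, end = arg
        port = pkt.get("udp_dport")             # assumption: destination port
        return port is not None and start <= port <= end and port % 2 == 0
    if criterion == "classifier":               # nested class (if-match classifier)
        return classify(arg, pkt, classes, stack)
    raise ValueError(f"unsupported match criterion: {criterion}")


def classify(name, pkt, classes, stack=()):
    """Evaluate class `name`; classes maps name -> (operator, [rules])."""
    if name in stack:
        raise ValueError("classifier loop: " + " -> ".join(stack + (name,)))
    operator, rules = classes[name]
    results = (rule_hits(c, a, pkt, classes, stack + (name,)) != negate
               for negate, c, a in rules)
    return all(results) if operator == "and" else any(results)


# classA = (rule1 & rule2) | rule3, built the way the manual describes:
# classB carries the AND part, classA ORs rule3 with classifier classB.
CLASSES = {
    "classB": ("and", [rule("ip-precedence", [5]),
                       rule("destination-mac", "0050-BA27-BED3")]),
    "classA": ("or", [rule("rtp", (16384, 32767)),
                      rule("classifier", "classB")]),
    "nonip": ("and", [rule("protocol", "ip", negate=True)]),
}

# Constructed sample packets.
VOICE = {"protocol": "ip", "precedence": 0, "udp_dport": 16384}
ODD_PORT = {"protocol": "ip", "precedence": 5, "udp_dport": 16385,
            "destination-mac": "0050-ba27-0001"}
DATABASE = {"protocol": "ip", "precedence": 5,
            "destination-mac": "0050-ba27-bed3"}
```

ODD_PORT shows why the AND part needs its own class: it has precedence 5 but the wrong destination MAC and an odd port, so neither branch of classA accepts it.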

qos apply policy

Syntax
qos apply policy policy-name [ inbound | outbound ]
undo qos apply policy [ inbound | outbound ]

View
Interface view

Parameter
inbound: Inbound direction.
outbound: Outbound direction.
policy-name: Policy name.

Description
Using the qos apply policy command, you can attach a service policy to the output interface. Using the undo qos apply policy command, you can delete associated policy on an interface.
When applying the policy, the interface will be unavailable if the sum of bandwidth specified for the classes in the policy, to ensure forwarding and expedited forwarding, exceeds the available bandwidth on the interface. When the available bandwidth on the interface is modified, the policy will be deleted if the sum of bandwidth specified for the classes in the policy, to ensure forwarding and expedited forwarding, exceeds the available bandwidth on the interface.
The configurations of queue af, queue ef and queue wfq and gts are not allowed in the input direction policy and the behaviors associated with the class.
The application rule of the policy in the interface view is as follows.
The VT introduced by common physical interface and MP can apply the policy configured with various features, including remark, car, gts, queue af, queue ef, queue wfq, wred, etc.
The policy configured with TS (e.g. gts) and queue (e.g. queue ef, queue af, queue wfq) features cannot be applied on the inbound interface as the input direction policy.
Only the output direction policy configured with queue (e.g. queue ef, queue af, queue wfq) feature can be applied on ATM PVC.
The sub-interface does not support queue (e.g. queue ef, queue af, queue wfq) feature but supports TS (e.g. gts) and TP (e.g. car). The policy configured with TS and TP can be applied on the sub-interface.

Example
# Apply the policy 3Com in the output direction of interface Ethernet6/0/0.
[3Com-Ethernet6/0/0] qos apply policy 3Com outbound

qos policy

Syntax
qos policy policy-name
undo qos policy policy-name

View System View Parameter policy-name: Policy name. Description Using the qos policy command, you can define a policy and enter policy view. Using the undo qos policy command, you can delete a policy. The policy cannot be deleted if it is applied on an interface. It is necessary to remove application of the policy on the current interface before deleting it via the undo qos policy command. Policy-name should not be that of the policies defined by the system. For the related commands, see classifier behavior and qos apply policy. Example # Define a policy named as 3Com.
[3Com] qos policy 3Com
[3Com-qospolicy-3Com]


CHAPTER 11: TRAFFIC POLICING AND SHAPING CONFIGURATION COMMANDS

queue af

Syntax
queue af bandwidth { bandwidth | pct percentage }
undo queue af

View traffic behavior view Parameter bandwidth: Bandwidth in Kbps in the range of 8 to 1000000. pct percentage: Percentage of the available bandwidth configured in the range of 1 to 100. Description Using the queue af command, you can configure the class to perform the assured-forwarding and the minimum bandwidth used. Using the undo queue af command, you can cancel the configuration. When associating the class with the traffic behavior queue af belonging in the policy, the following must be satisfied:


The sum of the bandwidth specified for the classes in the same policy, to ensure forwarding (queue af) and expedited forwarding (queue ef), must be less than or equal to the available bandwidth of the interface where the policy is applied.
The sum of percentages of the bandwidth specified for the classes in the same policy, to ensure forwarding (queue af) and expedited forwarding (queue ef), must be less than or equal to 100.
The bandwidth configuration for the classes in the same policy, to ensure forwarding (queue af) and expedited forwarding (queue ef), must adopt the value of the same type. For example, they all adopt the absolute value form or the percentage form.





For the related commands, see qos policy, traffic behavior, and classifier behavior. Example # Configure traffic behavior named database and configure the minimum bandwidth of the traffic behavior to 200Kbps.
[3Com] traffic behavior database
[3Com-behavior-database] queue af bandwidth 200

queue ef

Syntax
queue ef bandwidth { bandwidth [ cbs burst ] | pct percentage }
undo queue ef

View Traffic behavior view


Parameter bandwidth: Bandwidth in Kbps in the range of 8 to 1000000. percentage: Percentage of available bandwidth in the range of 1 to 100. burst: Specifies the allowed burst size in bytes in the range of 32 to 2000000. By default, burst is bandwidth*25. Description Using the queue ef command, you can configure expedited-forwarding packets to enter the absolute priority queue and configure the maximum bandwidth. Using the undo queue ef command, you can cancel the configuration. The command cannot be used together with queue af, queue-length, and wred in traffic behavior view. In the policy, the default class default-class cannot be associated with a traffic behavior to which queue ef belongs.


The sum of the bandwidth specified for the classes in the same policy, to ensure forwarding (queue af) and expedited forwarding (queue ef), must be less than or equal to the available bandwidth of the interface where the policy is applied.
The sum of percentages of the bandwidth specified for the classes in the same policy, to ensure forwarding (queue af) and expedited forwarding (queue ef), must be less than or equal to 100.
The bandwidth configuration for the classes in the same policy, to ensure forwarding (queue af) and expedited forwarding (queue ef), must adopt the value of the same type. For example, they all adopt the absolute value form or the percentage form.





For the related command, see qos policy, traffic behavior, and classifier behavior. Example # Configure packets to enter priority queue. The maximum bandwidth is 200Kbps and burst is 5000 bytes by default.
[3Com] traffic behavior database
[3Com-behavior-database] queue ef bandwidth 200 cbs 5000
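The bandwidth rules listed under queue af and queue ef can be checked offline before a policy is applied to an interface. The following is an added example, not 3Com code: the transcript is constructed, and the function names, finding labels and the available_kbps argument are assumptions.

```python
import re

# Constructed transcript in the command syntax shown on this page
# (not captured from a device).
SAMPLE = """\
[3Com] traffic behavior voice
[3Com-behavior-voice] queue ef bandwidth 200 cbs 5000
[3Com] traffic behavior database
[3Com-behavior-database] queue af bandwidth 200
[3Com] traffic behavior web
[3Com-behavior-web] queue af bandwidth pct 30
[3Com] qos policy 3Com
[3Com-qospolicy-3Com] classifier class1 behavior voice
[3Com-qospolicy-3Com] classifier class2 behavior database
[3Com-qospolicy-3Com] classifier class3 behavior web
"""

PROMPT_RE = re.compile(r"^\[[^\]]*\]\s*")  # leading "[3Com-...]" prompt
QUEUE_RE = re.compile(r"^queue (af|ef) bandwidth (?:(pct) )?(\d+)\b")


def parse(config):
    """Return (behaviors, policies) parsed from CLI lines.

    behaviors: name -> (queue kind, unit, value), unit is "kbps" or "pct"
    policies:  name -> list of (classifier, behavior) bindings
    """
    behaviors, policies = {}, {}
    view = None  # ("behavior" | "policy", name) of the view last entered
    for raw in config.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if not line:
            continue
        words = line.split()
        if words[:2] == ["traffic", "behavior"] and len(words) == 3:
            view = ("behavior", words[2])
        elif words[:2] == ["qos", "policy"] and len(words) == 3:
            view = ("policy", words[2])
            policies.setdefault(words[2], [])
        elif view and view[0] == "behavior" and (m := QUEUE_RE.match(line)):
            kind, pct, value = m.groups()
            behaviors[view[1]] = (kind, "pct" if pct else "kbps", int(value))
        elif (view and view[0] == "policy" and len(words) == 4
              and words[0] == "classifier" and words[2] == "behavior"):
            policies[view[1]].append((words[1], words[3]))
    return behaviors, policies


def check_policy(policy, behaviors, policies, available_kbps):
    """Apply the queue af / queue ef rules from this page to one policy."""
    findings, queued = [], []
    for classifier, bname in policies[policy]:
        if bname not in behaviors:
            continue  # behavior carries no queue af / queue ef
        kind, unit, value = behaviors[bname]
        queued.append((unit, value))
        lo, hi = (1, 100) if unit == "pct" else (8, 1000000)
        if not lo <= value <= hi:
            findings.append(f"range: {bname} {value} outside {lo}..{hi}")
        if classifier == "default-class" and kind == "ef":
            findings.append(f"ef-on-default-class: {bname}")
    # Rule: all af/ef classes in one policy use the same value type.
    if len({unit for unit, _ in queued}) > 1:
        findings.append("mixed-units: absolute and pct values in one policy")
    # Rules: pct sum <= 100, absolute sum <= available interface bandwidth.
    for unit, limit in (("pct", 100), ("kbps", available_kbps)):
        total = sum(value for u, value in queued if u == unit)
        if total > limit:
            findings.append(f"{unit}-sum: {total} exceeds {limit}")
    return findings


if __name__ == "__main__":
    b, p = parse(SAMPLE)
    for finding in check_policy("3Com", b, p, available_kbps=512):
        print(finding)
```

The constructed policy mixes an absolute value with a percentage, so the check reports the value-type rule; with every class in Kbps it reports the sum against the available bandwidth instead.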

queue wfq

Syntax
queue wfq [ queue-number total-queue-number ]
undo queue wfq

View traffic behavior view Parameter total-queue-number: Number of fair queue, which can be 16, 32, 64, 128, 256, 512, 1024, 2048 and 4096 and the default value is 64.


Description Using the queue wfq command, you can configure the default-class to use fair queue. Using the undo queue wfq command, you can delete the configuration. The traffic behavior configured with the command can only be associated with the default class. It can also be used together with commands like queue-length or wred. For the related command, see qos policy, traffic behavior, and classifier behavior. Example # Configure WFQ for default-class and the queue number is 16.
[3Com] traffic behavior test
[3Com-behavior-test] queue wfq 16
[3Com] qos policy 3Com
[3Com-qospolicy-3Com] classifier default-class behavior test

queue-length

Syntax
queue-length queue-length
undo queue-length queue-length

View traffic behavior view Parameter queue-length: The maximum threshold value of the queue in the range of 1 to 512. The default drop mode is tail drop and the queue length is 64. Description Using the queue-length command, you can configure the maximum queue length. Using the undo queue-length command, you can delete the configuration. This command can be used only after the queue af or queue wfq command has been configured. The queue-length, which has been configured, will be deleted when the undo queue af or undo queue wfq command is executed. The queue-length, which has been configured, will be deleted when the random drop mode is configured via the wred command, and vice versa. By default, tail drop is configured. For the related commands, see qos policy, traffic behavior, and classifier behavior. Example # Configure tail drop and set the maximum queue length to 16.


[3Com] traffic behavior database
[3Com-behavior-database] queue af bandwidth 200
[3Com-behavior-database] queue-length 16

remark dscp

Syntax
remark dscp dscp-value
undo remark dscp

View Traffic behavior view Parameter dscp-value: Preset DSCP value in the range of 0 to 63, which can be any of the following keys: ef, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, or cs7.
Table 3 DSCP key words and values
Key word   DSCP value(binary)   DSCP value(decimal)
ef         000000               0
af11       001010               10
af12       001100               12
af13       001110               14
af21       010010               18
af22       010100               20
af23       010110               22
af31       011010               26
af32       011100               28
af33       011110               30
af41       100010               34
af42       100100               36
af43       100110               38
cs1        001000               8
cs2        010000               16
cs3        011000               24
cs4        100000               32
cs5        101000               40
cs6        110000               48
cs7        111000               56

Description Using the remark dscp command, you can configure or delete DSCP value for a class to identify matched packets. Using the undo remark dscp command, you can For the related commands, see qos policy, traffic behavior, and classifier behavior.


Example # Configure DSCP value to 6 to identify packets.
[3Com] traffic behavior database
[3Com-behavior-database] remark dscp 6

remark fr-de

Command
remark fr-de fr-de-value
undo remark fr-de

View Traffic behavior view Parameter fr-de-value: Value of the DE flag bit in the FR packet, ranging from 0 to 1. Description Using the remark fr-de command, you can configure the value of the DE flag bit in the FR packet. Using the undo remark fr-de command, you can cancel the value of the DE flag bit in the FR packet. For the related command, see qos policy, traffic behavior, and classifier behavior. Example # Configure the value of the DE flag bit in the FR packet as 1.
[3Com] traffic behavior database
[3Com-behavior-database] remark fr-de 1

remark ip-precedence

Syntax
remark ip-precedence ip-precedence-value
undo remark ip-precedence

View Traffic behavior view Parameter ip-precedence-value: Preset precedence value in the range of 0 to 7. Description Using the remark ip-precedence command, you can configure the precedence value to identify matched packets. Using the undo remark ip-precedence command, you can delete the precedence value set for a class to identify matched packets. For the related commands, see qos policy, traffic behavior, and classifier behavior.


Example # Configure precedence value to 6 to identify packets.
[3Com] traffic behavior database
[3Com-behavior-database] remark ip-precedence 6

traffic behavior

Command
traffic behavior behavior-name
undo traffic behavior behavior-name

View System view. Parameter behavior-name: Behavior name. Description Using the traffic behavior command you can define a traffic behavior and enter the behavior view. Using the undo traffic behavior command, you can delete a traffic behavior. behavior-name shall not be that of the traffic behavior pre-defined by the system. For the related command, see qos policy, qos apply policy, and classifier behavior. Example # Define a traffic behavior named behavior1.
[3Com] traffic behavior behavior1
[3Com-behavior-behavior1]

traffic classifier

Syntax
traffic classifier tcl-name [ operator { and | or } ]
undo traffic classifier tcl-name [ operator { and | or } ]

View System View Parameter operator and: Specifies the relation between the rules in the class as logic AND. That is, the packet that matches all the rules belongs to this class. operator or: Specifies the relation between the rules in the class as logic OR. That is, the packet that matches any one of the rules belongs to this class. tcl-name: Class name.


Description Using the traffic classifier command, you can define a class and enter the class view. Using the undo traffic classifier command, you can delete a class. By default, the relation is operator and. tcl-name shall not be that of the classes pre-defined by the system. For the related commands, see qos policy, qos apply policy, and classifier behavior. Example # Define a class named as gold.
[3Com] traffic classifier class1
[3Com-classifier-class1]

wred

Syntax
wred [ dscp | ip-precedence ]
undo wred [ dscp | ip-precedence ]

View Traffic behavior view Parameter dscp: Uses DSCP value for calculating drop probability for a packet. ip-precedence: Uses IP precedence value for calculating drop probability for a packet. Description Using the wred command, you can configure drop mode as WRED. Using the undo wred command, you can delete the configuration. By default, ip-precedence is configured. This command can be used only after the queue af command has been configured. The wred command and the queue-length command cannot be used simultaneously. Other configurations under the random drop will be deleted when this command is deleted. When a policy is applied on an interface, the previous WRED configuration on interface level will become ineffective. When configuration is performed in default-class view, ip-precedence is configured by default. The behavior associated with default-class can only use wred ip-precedence. For the related commands, see qos policy, traffic behavior, and classifier behavior.


Example # Configure WRED for a traffic behavior named database and drop probability is calculated by IP precedence.
[3Com] traffic behavior database
[3Com-behavior-database] wred

wred dscp

Syntax
wred dscp dscp-value low-limit low-limit high-limit high-limit [ discard-probability discard-prob ]
undo wred dscp dscp-value

View Traffic behavior view Parameter dscp-value: DSCP value in the range of 0 to 63, which can be any of the following keys: ef, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, or cs7.
Table 4 DSCP key words and values
Key word   DSCP value(binary)   DSCP value(decimal)
ef         000000               0
af11       001010               10
af12       001100               12
af13       001110               14
af21       010010               18
af22       010100               20
af23       010110               22
af31       011010               26
af32       011100               28
af33       011110               30
af41       100010               34
af42       100100               36
af43       100110               38
cs1        001000               8
cs2        010000               16
cs3        011000               24
cs4        100000               32
cs5        101000               40
cs6        110000               48
cs7        111000               56

low-limit low-limit: Lower threshold value in the range of 1 to 1024. It is 10 by default.




high-limit high-limit: Upper threshold value in the range of 1 to 1024. It is 30 by default.
discard-probability discard-prob: Denominator of drop probability in the range of 1 to 255. It is 10 by default.



Description Using the wred dscp command, you can set DSCP lower-limit, upper-limit and drop probability denominator of WRED. Using the undo wred dscp command, you can delete the configuration. This command can be used only after the wred dscp command has been used to enable WRED drop mode based on DSCP. The configuration of wred dscp will be deleted if the configuration of qos wred is deleted. The configuration of drop parameter will be deleted if the configuration of queue af is deleted. For the related commands, see qos policy, traffic behavior, and classifier behavior. Example # Set the queue lower-limit to 20, upper-limit to 40 and discard probability to 15 for the packet whose DSCP is 3.
[3Com] traffic behavior database
[3Com-behavior-database] wred dscp
[3Com-behavior-database] wred dscp 3 low-limit 20 high-limit 40 discard-probability 15

wred ip-precedence

Syntax
wred ip-precedence precedence low-limit low-limit high-limit high-limit [ discard-probability discard-prob ]
undo wred ip-precedence precedence

View Traffic behavior view Parameter precedence: Precedence of IP packet in the range of 0 to 7. low-limit low-limit: Lower threshold value in the range of 1 to 1024. It is 10 by default. high-limit high-limit: Upper threshold value in the range of 1 to 1024. It is 30 by default. discard-probability discard-prob: Denominator of drop probability in the range of 1 to 255. It is 10 by default.


Description Using the wred ip-precedence command, you can set precedence lower-limit, upper-limit and drop probability denominator of WRED. If the wred ip-precedence command has been used to enable WRED drop mode based on the precedence, the configuration of wred ip-precedence will be deleted when wred is deleted. The configuration of drop parameters will be deleted if queue af is deleted. For the related commands, see qos policy, traffic behavior, and classifier behavior. Example # Set lower-limit to 20, upper-limit to 40 and discard probability to 40 for the packet with the precedence 3.
[3Com] traffic behavior database
[3Com-behavior-database] wred
[3Com-behavior-database] wred ip-precedence 3 low-limit 20 high-limit 40 discard-probability 15


wred weighting-constant

Syntax
wred weighting-constant exponent
undo wred weighting-constant

View Traffic behavior view Parameter exponent: Exponential in the range of 1 to 16. It is 6 by default. Description Using the wred weighting-constant command, you can set the exponential for the calculation of average queue length by WRED. This command can be used only after the queue af command has been configured and the wred command has been used to enable WRED drop mode. The configuration of wred weighting-constant will be deleted if random-detect is deleted. For the related commands, see qos policy, traffic behavior, and classifier behavior. Example # Configure exponential for calculating average queue to 6.
[3Com] traffic behavior database
[3Com-behavior-database] queue af bandwidth 200
[3Com-behavior-database] wred ip-precedence
[3Com-behavior-database] wred weighting-constant 6

RTP Priority Queue Configuration Commands
display qos rtpq interface

Syntax
display qos rtpq interface [ interface-type | interface-number ]

View Any view Parameter interface-type: Interface type. interface-number: Interface number.


Description Using the display qos rtpq interface command, you can view the queue information of the current IP RTP Priority, including the current RTP queue depth and number of RTP dropping packets and display the RTP priority queue configuration and statistics on an interface or on all interfaces. Example # Display the queue information of the current IP RTP Priority.
[3Com] display qos rtpq interface Ethernet 10/2/0
Interface: Ethernet10/2/0
RTP Queueing: (Output queue: Size/Max/Outputs/Discards) RTPQ: 0/0/0/0

qos reserved-bandwidth

Syntax
qos reserved-bandwidth pct percent
undo qos reserved-bandwidth

View Interface view Parameter percent: Percentage of the reserved bandwidth to the available bandwidth. It is in the range of 1 to 100 and the default value is 80. Description Using the qos reserved-bandwidth command, you can set the maximum reserved bandwidth percentage of the available bandwidth. Using the undo qos reserved-bandwidth command, you can restore the default value. Usually the bandwidth configured for the QoS queue is no more than 75 percent of the total bandwidth for the consideration that part of the bandwidth should be used for the controlling protocol packets, the layer 2 frame header and so on. You are recommended to use this command with caution while modifying the maximum preserved bandwidth. For the related command, see qos rtpq. Example # Set the maximum reserved bandwidth allocated for RTP priority queue and WFQ to be 80% of the available bandwidth.
[3Com-Serial1/0/0] qos reserved-bandwidth pct 80

qos rtpq

Syntax
qos rtpq start-port starting-rtp-port-number end-port end-rtp-port-number bandwidth bandwidth

undo qos rtpq


View Interface view Parameter first-rtp-port: Specifies the first UDP port number to initiate RTP messages. last-rtp-port: Specifies the last UDP port number to initiate RTP messages. bandwidth: Bandwidth for RTP priority queue, which is part of the maximum reserved bandwidth in Kbps. Description Using the qos rtpq command, you can enable the RTP queue feature on an interface so as to reserve a real-time service for the RTP packets sent to some UDP destination port range. Using the undo qos rtpq command, you can disable the RTP queue feature of the interface. By default, the RTP queue feature is disabled. This command is applied to the delay-sensitive applications, for example, real-time voice transmission. Configured with the qos rtpq command, the system will serve the voice services first among all other services. The parameter "bandwidth" should be set greater than the service-required bandwidth so as to prevent conflict caused by the burst traffic. However, the bandwidth should be no greater than 75% of the total bandwidth. If you need to configure the bandwidth to be greater than 75% of the total bandwidth, please first change the max. reserved bandwidth via the qos reserved-bandwidth command. In bandwidth allocation, the bandwidth for data load, IP header, UDP header and RTP header is allocated, except that for the Layer2 frame header. Therefore, it is obligatory to reserve 25% of the total bandwidth. By default, the IP RTP Priority is disabled. For the related command, see qos reserved-bandwidth. Example # Enable IP RTP Priority on Serial 1/0/0. The starting port number is 16384. The starting port number is 16383. The RTP packets in the range of 16384~32767 of the destination port use 64Kbps bandwidth. If network convergence happens, the packets will enter IP RTP Priority queue.
[3Com-Serial1/0/0] qos rtpq start-port 16384 end-port 32767 bandwidth 64

Weighted Random Early Detection Configuration Commands
display qos wred interface

Syntax
display qos wred interface [ interface-type interface-number ]

View Any view Parameter interface-type: Interface type. interface-number: interface number. Description Using the display qos wred interface command, you can view WRED configuration and statistics of an interface. If no interface is specified, WRED configuration and statistics of all interfaces will be displayed. Example # Display WRED configuration and statistics about the specified interface.
[3Com] display qos wred interface ethernet 6/0/0
Interface: Ethernet6/0/0
Current WRED configuration:
Exponent: 10 (1/1024)
Precedence  Random   Tail     Low    High   Discard
            discard  discard  limit  limit  probability
------------------------------------------------------------------------
0           0        0        10     30     10
1           0        0        100    1000   1
2           0        0        10     30     10
3           0        0        10     30     10
4           0        0        10     30     10
5           0        0        10     30     10
6           0        0        10     30     10
7           0        0        10     30     10


qos wred

Syntax
qos wred
undo qos wred

View Interface view Parameter None Description Using the qos wred command, you can apply WRED (weighted random early detection) at an interface. Using the undo qos wred command, you can restore the default dropping method. By default, the dropping method of a queue is tail drop. WRED can only be used together with WFQ and cannot be used alone or together with other queues. So before WRED is enabled at an interface, it is necessary to ensure that WFQ has been applied at the interface. For the related commands, see qos wfq, qos wred, and display qos wred interface. Example # Apply WRED at Ethernet0/0/0 interface (provided that WFQ has already been applied at the interface).
[3Com-Ethernet0/0/0] qos wred

qos wred ip-precedence

Syntax
qos wred ip-precedence ip-precedence low-limit low-limit high-limit high-limit discard-probability discard-prob
undo qos wred ip-precedence ip-precedence

View Interface view Parameter ip-precedence: Precedence of IP packets in the range 0 to 7; low-limit low-limit: The minimum threshold in the range 1 to 1024; by default, it is 10. high-limit high-limit: The maximum threshold in the range 1 to 1024; by default, it is 30. discard-probability discard-prob: Drop probability denominator, ranging 1 to 255; by default, it is 10.


Description Using the qos wred ip-precedence command, you can configure the minimum threshold, maximum threshold and drop probability denominator of each precedence in WRED. Using the undo qos wred ip-precedence command, you can restore the default value. WRED parameters can be set only after the command qos wred has been used to apply WRED at the interface. And it is the average amount of packets in queue that the threshold limits. For the related commands, see qos wred and display qos wred interface. Example # Display how to set minimum threshold of the packet of precedence 3 at an interface to 20, maximum threshold to 40 and discard probability to 15.
[3Com-Ethernet0/0/0] qos wred ip-precedence 3 low-limit 20 high-limit 40 discard-probability 15

qos wred weighting-constant

Syntax
qos wred weighting-constant exponent
undo qos wred weighting-constant

View Interface view Parameter exponent: Exponential used to calculate the average amount of packets in queues, ranging 1 to 16. By default, exponent is 9. Description Using the qos wred weighting-constant command, you can set exponential used to calculate the average length of WRED queues. Using the undo qos wred weighting-constant command, you can restore the default value. The WRED parameters can be set only after the command random-detect is used to apply WRED at the interface. For the related commands, see qos wred, and display qos wred interface. Example # Set the exponential used to calculate the average amount of packets in queue to 6 at Ethernet6/0/0 interface, provided that WRED has already been applied on this interface.
[3Com-Ethernet0/0/0] qos wred weighting-constant 6
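How low-limit, high-limit, discard-probability and the weighting exponent interact, as an added example that is not 3Com code. It follows the standard RED calculation, which is an assumption: this page lists the parameters and their ranges but not the router's formula. The weight 2^-exponent matches the "Exponent: 10 (1/1024)" line in the display output above; the function names and the per-arrival update are assumptions.

```python
def check_params(low_limit, high_limit, discard_prob, exponent):
    """Enforce the ranges this page documents for the WRED commands."""
    for name, value, lo, hi in (
        ("low-limit", low_limit, 1, 1024),
        ("high-limit", high_limit, 1, 1024),
        ("discard-probability", discard_prob, 1, 255),
        ("weighting-constant", exponent, 1, 16),
    ):
        if not lo <= value <= hi:
            raise ValueError(f"{name} {value} outside {lo}..{hi}")


def update_average(avg, queue_len, exponent):
    """Exponentially weighted average queue length, weight = 2**-exponent.

    Assumption: recomputed on every packet arrival, as in classic RED.
    """
    weight = 2.0 ** -exponent
    return avg + weight * (queue_len - avg)


def drop_probability(avg, low_limit, high_limit, discard_prob):
    """Drop probability for one precedence given the average queue length.

    Below low-limit nothing is dropped, at or above high-limit everything is,
    and in between the probability rises linearly to 1/discard_prob.
    """
    if avg < low_limit:
        return 0.0
    if avg >= high_limit:
        return 1.0
    return (avg - low_limit) / (high_limit - low_limit) / discard_prob


def arrivals_until_drops_start(queue_len, low_limit, exponent, start_avg=0.0):
    """Packet arrivals needed, with the real queue held at queue_len,
    before the average reaches low_limit and random drops can begin."""
    if queue_len <= low_limit:
        raise ValueError("average never reaches low-limit at this queue depth")
    avg, arrivals = start_avg, 0
    while avg < low_limit:
        avg = update_average(avg, queue_len, exponent)
        arrivals += 1
    return arrivals


if __name__ == "__main__":
    # Values from the example on this page: precedence 3,
    # low-limit 20, high-limit 40, discard-probability 15.
    low, high, denom = 20, 40, 15
    for exponent in (6, 9):  # the value set in the example and the interface default
        check_params(low, high, denom, exponent)
        n = arrivals_until_drops_start(60, low, exponent)
        print(f"exponent {exponent}: burst to depth 60 is ignored for {n} arrivals")
    for avg in (10, 25, 30, 39, 40):
        print(f"avg {avg}: drop probability {drop_probability(avg, low, high, denom):.4f}")
```

A larger exponent smooths the average more, so a sustained burst fills the real queue for longer before WRED reacts.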


Link Efficiency Mechanism Configuration Commands

IP Header Compression Configuration Commands
debugging ppp compression iphc rtp

Syntax
debugging ppp compression iphc rtp

View User view Parameter None Description Using the debugging ppp compression iphc rtp command, you can display the single packet information of the RTP header compression. Example
<3Com> debugging ppp compression iphc rtp

debugging ppp compression iphc tcp

Syntax
debugging ppp compression iphc tcp

View User view Parameter None Description Using the debugging ppp compression iphc tcp command, you can view the single packet information of the TCP header compression. Example
<3Com> debugging ppp compression iphc tcp

display ppp compression iphc rtp

Syntax
display ppp compression iphc rtp [ interface-type interface-number ]

View Any view


Parameter interface-type: Interface type. interface-number: Interface number. Description Using the display ppp compression iphc rtp command, you can view the statistic information of the RTP header compression. Example
[3Com] display ppp compression iphc rtp

display ppp compression iphc tcp

Syntax
display ppp compression iphc tcp [ interface-type interface-number ]

View Any view Parameter interface-type: Interface type. interface-number: Interface number. Description Using the display ppp compression iphc tcp command, you can view the statistic information of the TCP header compression. Example
[3Com] display ppp compression iphc tcp

ppp compression iphc

Syntax
ppp compression iphc [ nonstandard ]
undo ppp compression iphc

View Interface view Parameter nonstandard: Nonstandard encapsulation mode. Description Using the ppp compression iphc command, you can enable RTP header compression on an interface. Using the undo ppp compression iphc command, you can disable RTP header compression. By default, RTP header compression on an interface is disabled.


When the RTP header compression is enabled, the TCP header compression will also be enabled. When the RTP header compression is disabled, the TCP header compression will also be disabled. The configuration will take effect only when the shutdown and undo shutdown operations are performed on the interface. If the configuration is applied on MP, the shutdown and undo shutdown operations should be performed on all the MPs. For the related command, see ppp compression iphc rtp-connection. Example None

ppp compression iphc rtp-connection

Syntax
ppp compression iphc rtp-connection number
undo ppp compression iphc rtp-connection

View Interface view Parameter number: The maximum connection number (from 3 to 256) of IP Header Compression mode on the interface. By default, the number is 16. Description Using the ppp compression iphc rtp-connection command, you can specify the number of IP Header Compression connections allowed on one interface. Using the undo ppp compression iphc rtp-connection command, you can cancel the configuration and restore the default value. The configuration will take effect after the shutdown and undo shutdown commands have been executed on the interface. When configuring MP, the shutdown and undo shutdown commands must be executed on all MPs. Example None

ppp compression iphc tcp-connection

Syntax
ppp compression iphc tcp-connection number
undo ppp compression iphc tcp-connection

View Interface view Parameter number: The maximum connection number (from 3 to 256) of TCP compression mode on the interface. By default, the number is 16.


Description Using the ppp compression iphc tcp-connection command, you can configure the connection number of TCP compression mode. Using the undo ppp compression iphc tcp-connection command, you can restore the default connection number of TCP compression mode. The configuration can become valid on an interface only after you perform the shutdown and then the undo shutdown operations on the interface. If the configuration is for MPs, you should perform the operations on all the MPs. Example None

reset ppp compression iphc

Syntax
reset ppp compression iphc [ interface-type interface-number ]

View User view Parameter Interface-type: Interface type. Interface-number: Interface number. Description Using the reset ppp compression iphc command, you can delete the invalid IP/UDP/RTP header compression or decompression context storage table and clear statistic information of IP/UDP/RTP header compression. If no parameter is specified, the storage table entries of IP header compression on all interfaces will be cleared. Example None

Configuration Commands of LFI
ppp mp lfi

Syntax
ppp mp lfi
undo ppp mp lfi

View Virtual template interface view, MP-GROUP view Parameter None


Description Using the ppp mp lfi command, you can enable LFI on the interface. Using the undo ppp mp lfi command, you can remove LFI on the interface. By default, the time delay of the fragment is 10ms after LFI is enabled on the Virtual Template interface. For the related command, see ppp mp lfi delay-per-frag. Example
[3Com-Virtual-Template1] ppp mp lfi

ppp mp lfi delay-per-frag

Syntax
ppp mp lfi delay-per-frag time
undo ppp mp lfi delay-per-frag

View Virtual template interface view, MP-GROUP view Parameter time: The maximum time delay of LFI fragment in ms in the range of 1 to 1000. Description Using the ppp mp lfi delay-per-frag command, you can set the maximum time delay for transmitting a LFI (link fragment and interleave) fragment. Using the undo ppp mp lfi delay-per-frag command, you can restore the default maximum time delay for transmitting an LFI fragment. By default, the time delay of the fragment is 10ms after LFI is enabled on the Virtual Template interface. For the related command, see ppp mp lfi. Example # Set the maximum time delay of LFI fragment of Virtual-Template 1 to 20ms.
[3Com-Virtual-Template1] ppp mp lfi delay-per-frag 20

qos max-bandwidth

Syntax
qos max-bandwidth kilobits
undo qos max-bandwidth

View Interface view Parameter Kilobits : Available bandwidth of the interface in Kbps in the range of 1 to 1000000. By default, for physical interface the value is its speed or its baud rate and for virtual template interface the value is 64Kbps.


Description Using the qos max-bandwidth command, you can configure the physical bandwidth binding the MP links. Using the undo qos max-bandwidth command, you can remove the configuration of the bandwidth. This command can configure the physical bandwidth binding the MP links. The command indicates the available bandwidth of the active interface, providing the information of the QoS module but not the actual bandwidth binding the MP links. For the related command, see ppp mp lfi delay-per-frag, ppp mp lfi. Example # Set the bandwidth of Virtual-Template 1 to 128kbps.
[3Com-Virtual-Template1] qos max-bandwidth 128

Frame Relay QoS
apply policy outbound

Syntax
apply policy outbound policyname
undo apply policy outbound

View Frame Relay class view Parameter policyname: Name of the applied policy. It is a string with 1 to 31 characters. Description Using the apply policy outbound command, you can set the Frame Relay virtual circuit queueing to CBQ (Class-Based Queueing). Using the undo apply policy outbound command, you can restore the Frame Relay virtual circuit queueing to FIFO. By default, FIFO queueing is adopted. Example # Define a classifier named “class 1”.
[3Com] traffic classifier class1
[3Com-classifier-class1]

# Define a traffic behavior named “behavior 1”.
[3Com] traffic behavior behavior1
[3Com-behavior-behavior1] queue af bandwidth 56

# Define a policy named “policy 1” and associate class 1 with behavior.
[3Com] qos policy policy1

1086

CHAPTER 11: TRAFFIC POLICING AND SHAPING CONFIGURATION COMMANDS

[3Com-qospolicy-policy1] classifier class1 behavior behavior1

# Apply a defined policy to the Frame Relay class named “test 1” and set the queueing of test 1 to CBQ.
[3Com] fr class test1 [3Com-fr-class-test1] apply policy policy1 outbound

cbs

Syntax
cbs [ inbound | outbound ] burst-size
undo cbs [ inbound | outbound ]

View
Frame relay class view

Parameter
inbound: Sets the inbound committed burst size of the packet, valid only when FRTP (frame relay traffic policing) is enabled on the interface.
outbound: Sets the outbound committed burst size of the packet, valid only when FRTS (frame relay traffic shaping) is enabled on the interface.
burst-size: Committed burst size, in bits, ranging from 300 to 16000000. By default, it is 56000 bits.

Description
Using the cbs command, you can set the committed burst size of a frame relay virtual circuit. Using the undo cbs command, you can restore the default value. If the packet direction is not specified upon configuration, the parameter will be set in both inbound and outbound directions. The committed burst size is the packet traffic that is committed to send on a frame relay network within an interval of Tc. When there is no congestion on the network, the frame relay network ensures this part of traffic can be sent successfully. For the related commands, see ebs, cir allow, and cir.

Example
# Set the committed burst size of the frame relay class named test1 as 64000 bits.
[3Com] fr class test1
[3Com-fr-class-test1] cbs 64000

cir

Syntax
cir rate-limit
undo cir

View
Frame relay class view

Parameter
rate-limit: The minimum Committed Information Rate, in bit/s, ranging from 1000 to 45000000. By default, it is 56000 bit/s.

Description
Using the cir command, you can set the Minimum Committed Information Rate of frame relay virtual circuit. Using the undo cir command, you can restore the default value. The Minimum Committed Information Rate is the minimum sending rate that can be provided by virtual circuit. It ensures that the user could still send data at this rate upon network congestion. Upon network congestion, DCE will send a packet with a BECN flag bit of 1 to DTE. After DTE receives this packet, it will gradually reduce the sending rate of virtual circuit from CIR to MinCIR. If DTE does not receive the packet with the BECN flag bit of 1 any more within a certain period of time, it will restore the sending rate of virtual circuit as CIR. During configuration, the Minimum Committed Information Rate (MinCIR) cannot exceed the Committed Information Rate (CIR). For the related commands, see cbs, ebs, and cir allow.

Example
# Set the MinCIR of the frame relay class named test1 as 32000 bit/s.
[3Com] fr class test1
[3Com-fr-class-test1] cir 32000

cir allow

Syntax
cir allow [ inbound | outbound ] rate-limit
undo cir allow [ inbound | outbound ]

View
Frame relay class view

Parameter
inbound: Sets the inbound Committed Information Rate (CIR) of a packet, valid only when FRTP is enabled on the interface.
outbound: Sets the outbound CIR of a packet, valid only when FRTS is enabled on the interface.
rate-limit: Committed information rate, in bit/s, ranging from 1 to 45000000. By default, it is 56000 bit/s.

Description
Using the cir allow command, you can set the CIR of frame relay virtual circuit. Using the undo cir allow command, you can restore the default value. CIR is the sending rate that can be normally provided by a frame relay network. When there is no congestion on the network, it ensures the user could send data at this rate. If packet direction is not specified upon configuration, the parameter will be set in both inbound and outbound directions. For the related commands, see cbs, ebs, and cir.

Example
# Set the CIR of the frame relay class that is named test1 as 64000bit/s.
[3Com] fr class test1
[3Com-fr-class-test1] cir allow 64000

congestion-threshold

Syntax
congestion-threshold { de | ecn } queue-percentage
undo congestion-threshold { de | ecn }

View
Frame relay class view

Parameter
de: Discards the frame relay packet whose DE flag bit is 1 upon congestion.
ecn: Processes the flag bits, BECN and FECN, of frame relay packet upon congestion.
queue-percentage: Network congestion threshold, being the utilization ratio of the virtual circuit queue, namely the percentage of the current queue length of the virtual circuit to the total queue length, ranging from 1 to 100. By default, it is 100.

Description
Using the congestion-threshold command, you can enable the congestion management function of a frame relay virtual circuit. Using the undo congestion-threshold command, you can disable this function. When the percentage of current queue length to the total queue length of the virtual circuit exceeds the set congestion threshold, congestion is regarded as occurring on the virtual circuit and congestion management will be performed on packets on the virtual circuit. For the related command, see fr congestion-threshold.

Example
# For the frame relay class named test1, begin discarding frame relay packets whose DE flag bit is 1 when the current queue length of the virtual circuit exceeds 80% of the total length.
[3Com] fr class test1
[3Com-fr-class-test1] congestion-threshold de 80

cq

Syntax
cq cql list-number
undo cq

View
FR class view

Parameter
cql list-number: Number of custom queue, from 1 to 16 available.

Description
Using the cq command, you can set the queue type of the FR virtual circuit to be custom queue. Using the undo cq command, you can restore the type to be FIFO. By default, the queue type of the virtual circuit is FIFO. The value will be refreshed if this command is repeatedly applied to the same FR class. The related commands are wfq, pq, and fr pvc-pq.

Example
# Apply the custom queue 10 to the FR class test1:
[3Com] fr class test1
[3Com-fr-class-test1] cq cql 10

display fr fragment-info

Syntax
display fr fragment-info [ interface interface-type interface-number ] [ dlci-number ]

View
Any view.

Parameter
interface-type: Interface type.
interface-number: Interface number, in 3-dimension form: slot number/card number/interface number.
dlci-number: DLCI number, ranging from 16 to 1007. The detailed information will be displayed when specifying the parameter.

Description
Using the display fr fragment-info command, you can view the frame relay fragment information. For the related command, see fragment.

Example
# View frame relay fragment information of all the interfaces.
<3Com> display fr fragment-info
interface serial 0/1/1:10:
dlci    type          size    in/out/drop
100     FRF12(ETE)    80      0/0/0

# View frame relay fragment information of a certain interface.
<3Com> display fr fragment-info serial0/1/1:10 100
Type : FRF11
Size : 80
Pre-fragment:
  out pkts : 0        out bytes: 0
Fragmented:
  in pkts : 0         out pkts : 0
  in bytes: 0         out bytes: 0
Assembled :
  in pkts : 0         in bytes : 0
Dropped :
  in pkts : 0         out pkts : 0
  in bytes: 0         out bytes: 0
Out-of-sequence pkts: 0

Table 5 Output information description of the display fr fragment-info command
Item                         Description
interface                    Interface
dlci                         DLCI number
type                         Fragment type
size                         Fragment size
in/out/drop                  Number of received fragment packets/number of sent fragment packets/number of discarded fragment packets
Pre-fragment:                Number of packets and bytes to send before fragmented
Fragmented :                 Number of fragments received and sent counted in packet and byte.
Assembled :                  Number of assembled fragments
Out-of-sequence fragment :   Number of out-of-sequence fragments

display fr switch-table

Syntax
display fr switch-table { all | name switch-name }

View
Any view

Parameter
interface-type: Interface type.
all: All the VC information.
switch-name: VC information of a certain name.

Description
Using the display mfr command, you can view configuration and status information of the FR route to confirm the correctness of the configuration. For the related command, see fr switch.

Example
# View configuration and state information of all frame relay bundles and frame relay
# To display all the characters of the FR route.
[3Com] display fr switch-table all
Switch-Name   Interface    DLCI   Interface    DLCI   State
test          MFR4/0/100   100    MFR4/0/101   101    UP

The fields in the output are described in the table below:
Table 6 Information of FR route table
Item          Description
Switch-Name   the name of PVC used for switching
Interface     The first denotes local interface and the second denotes remote interface
DLCI          local and remote VC identifier
State         Linkage status

display qos policy interface

Syntax
display qos policy interface [ interface-type interface-number [ dlci dlci-number [ outbound ] | inbound | outbound ] ]

View
Any view

Parameter
interface-type: Interface type.
interface-number: Interface number.
dlci dlci-number: Information about the specified DLCI applying CBQ.
inbound: Information about inbound interface applying CBQ.
outbound: Information about outbound interface applying CBQ.

Description
Using the display qos policy interface command, you can view information about CBQ application on the interface.

Example
# Display the information about CBQ application of the virtual circuit with DLCI of 10 on Serial1/0/0.
<3Com> display qos policy interface serial 1/0/0 dlci 100
MFR4/0/0, DLCI 25
 Direction: Outbound
 Policy: xujin
  Class: default-class
   Matched : 1/133 (Packets/Bytes)
   Rule(s) : if-match any
   Behavior:
    Default Queue:
     Flow Based Weighted Fair Queueing
     Max number of hashed queues: 256
     Matched : 0/0 (Packets/Bytes)
     Enqueued : 0/0 (Packets/Bytes)
     Discarded: 0/0 (Packets/Bytes)
     Discard Method: Tail
  Class: xujin
   Matched : 0/0 (Packets/Bytes)
   Operator: Logic AND
   Rule(s): if-match acl 1
   Behavior:
    Assured Forwarding:
     Bandwidth 10 (Kbps)
     Matched : 0/0 (Packets/Bytes)
     Enqueued : 0/0 (Packets/Bytes)
     Discarded: 0/0 (Packets/Bytes)

ebs

Syntax
ebs [ inbound | outbound ] excess-burst-size
undo ebs [ inbound | outbound ]

View
Frame relay class view

Parameter
inbound: Sets inbound excess burst size of the packet, valid only when FRTP is enabled on the interface.
outbound: Sets outbound excess burst size of the packet, valid only when FRTS is enabled on the interface.
excess-burst-size: Excess burst size, in bits, ranging from 0 to 16000000. By default, it is 0 bits.

Description
Using the ebs command, you can set the excess burst size of a frame relay virtual circuit. Using the undo ebs command, you can restore the default value. Excess burst size (EBS) is the maximum amount by which packet traffic may exceed the committed burst size (CBS) within an interval of Tc. When congestion occurs on the network, this part of excess traffic will be first discarded. When this command is used, the set EBS value will be valid in both inbound and outbound directions if the parameters inbound and outbound are not specified. For the related commands, see cbs, cir allow, and cir.

Example
# Set the excess burst size of the frame relay class named test1 as 32000 bits.
[3Com] fr class test1
[3Com-fr-class-test1] ebs 32000

fifo queue-length

Syntax
fifo queue-length queue-size
undo fifo queue-length

View
Frame relay class view

Parameter
queue-size: FIFO queue length, namely, the maximum number of packets that can be held by the queue, ranging from 1 to 1024. By default, it is 40.

Description
Using the fifo queue-length command, you can set the FIFO queue length of frame relay virtual circuit. Using the undo fifo queue-length command, you can restore the default value. When the router serves as DCE for switching, the FIFO queue length of DLCI can be set if FRTS has been applied to DLCI. For the related command, see fr class.

Example
# Set the FIFO queue of the frame relay class named test1 to hold 80 packets at most.
[3Com] fr class test1
[3Com-fr-class-test1] fifo queue-length 80
[3Com] fr del 1 protocol ip

fr class

Syntax
fr class class-name
undo fr class class-name

View
System view

Parameter
class-name: Class name, with 30 characters at most.

Description
Using the fr class command, you can create a frame relay class and enter frame relay class view. Using the undo fr class command, you can delete a specified frame relay class. By default, no frame relay class is created. Only after associating a frame relay class with an interface or virtual circuit and enabling the frame relay QoS function on the corresponding interface, can the set frame relay class parameter take effect. When a frame relay class is deleted, the association between all interfaces or DLCIs and the frame relay class will be released. For the related command, see fr-class.

Example
# Create a frame relay class named test1.
[3Com] fr class test1
[3Com-fr-class-test1]

fr congestion-threshold

Syntax
fr congestion-threshold { de | ecn } queue-percentage
undo fr congestion-threshold { de | ecn }

View
Frame relay interface view, MFR interface view

Parameter
de: Discards the frame relay packet whose DE flag bit is 1 when congestion occurs.
ecn: Processes the BECN and FECN flag bits of frame relay packets when congestion occurs.
queue-percentage: Network congestion threshold, being the occupation ratio of the interface queue, equal to the percentage of current queue length to the total queue length of the interface, ranging from 1 to 100. By default, it is 100.

Description
Using the fr congestion-threshold command, you can enable the congestion management function of a frame relay interface. Using the undo fr congestion-threshold command, you can disable this function. By default, the congestion management function of a frame relay interface is disabled. This command is similar to the congestion-threshold command. The difference is that this command is applied to frame relay interfaces, while the congestion-threshold command is applied to frame relay virtual circuits. The command can only be used for frame relay DCE interfaces or NNI interfaces. For the related command, see congestion-threshold.

Example
# Set to begin to process the flag bit of a frame relay packet when the interface queue length exceeds 80% of the total length.
[3Com-Serial4/1/2] fr congestion-threshold de 80

fr de del

Syntax
fr de del list-number dlci dlci-number
undo fr de del list-number dlci dlci-number

View
Frame relay interface view, MFR interface view

Parameter
list-number: DE rule list number, ranging from 1 to 10.
dlci-number: Frame relay virtual circuit number, ranging from 16 to 1007.

Description
Using the fr de del command, you can apply a DE rule list to the specified frame relay virtual circuit. Using the undo fr de del command, you can delete a DE rule list from virtual circuit. By default, no DE rule list is applied to frame relay virtual circuit. After a DE rule list is applied to frame relay virtual circuit, those packets that match the rule list will have their DE flag set to 1. For the related commands, see fr del inbound-interface and fr del protocol.

Example
# Apply DE rule list 3 to the DLCI 100 of the interface Serial 4/1/2.
[3Com-Serial4/1/2] fr de del 3 dlci 100

fr del inbound-interface

Syntax
fr del list-number inbound-interface interface-type interface-number
undo fr del list-number inbound-interface interface-type interface-number

View
System view

Parameter
list-number: Number of DE rule list, ranging from 1 to 10.
interface-type: Interface type.
interface-number: Interface number, in 3-dimension form (slot number/card number/interface number).

Description
Using the fr del inbound-interface command, you can configure an interface-based DE rule list. For the packet received from the specified interface, if it is forwarded from the router as a frame relay packet, its DE flag bit will be set as 1 before being forwarded. Using the undo fr del inbound-interface command, you can delete the specified DE rule from a DE rule list. By default, no DE rule list is created. New rules can be added to a DE rule list by using this command repeatedly. At most, 100 rules can be configured in a DE rule list. To delete a DE rule list, you should first delete all DE rules in it. For the related commands, see fr de del and fr del protocol.

Example
# Add a rule to DE rule list 1. For a packet received from the interface Serial 4/1/2, if it needs to be forwarded with frame relay encapsulation, set the DE flag bit of the packet to 1 before forwarding.
[3Com] fr del 1 inbound-interface serial 4/1/2

fr del protocol ip

Syntax
fr del list-number protocol ip [ fragments | acl acl-number | less-than bytes | greater-than bytes | tcp ports | udp ports ]
undo fr del list-number protocol ip [ fragments | acl acl-number | less-than bytes | greater-than bytes | tcp ports | udp ports ]

View
System view

Parameter
list-number: DE rule list number, ranging from 1 to 10.
protocol ip: IP.
fragments: All fragmented IP packets.
acl acl-number: IP packets meeting ACL matching requirement. acl-number ranges from 1 to 199.
less-than bytes: IP packets whose length is less than bytes. bytes ranges from 0 to 65535.
greater-than bytes: IP packets whose length is greater than bytes. bytes ranges from 0 to 65535.
tcp ports: IP packets whose source or destination TCP port number is ports.
udp ports: IP packets whose source or destination UDP port number is ports.
If optional parameters are not used, it represents all IP packets.

Description
Using the fr del protocol ip command, you can configure an IP-based DE rule list. The DE flag bit of the frame relay packet encapsulated with an IP packet matching the specified rule will be flagged as 1. Using the undo fr del protocol ip command, you can delete the specified DE rule from a DE rule list. By default, no DE rule list is created. New rules can be added to a DE rule list by using this command repeatedly. At most, 100 rules can be configured in a DE rule list. The undo form of this command can delete only one DE rule at a time. To delete a DE rule list, you must delete all DE rules in it. For the related commands, see fr de del and fr del inbound-interface.

Example
# Add a rule to DE rule list 1. For all frame relay packets encapsulated with IP packets, flag their DE flag bits as 1.
[3Com] fr del 1 protocol ip

fr pvc-pq

Syntax
fr pvc-pq [ top-limit middle-limit normal-limit bottom-limit ]
undo fr pvc-pq

View
Frame relay interface view, MFR interface view

Parameter
top-limit: Length of top priority queue, ranging from 0 to 1024. By default, it is 20.
middle-limit: Length of middle priority queue, ranging from 0 to 1024. By default, it is 40.
normal-limit: Length of normal priority queue, ranging from 0 to 1024. By default, it is 60.
bottom-limit: Length of bottom priority queue, ranging from 0 to 1024. By default, it is 80.

Description
Using the fr pvc-pq command, you can set the queue type of a frame relay interface as PVC PQ (PVC Priority Queueing) and set the length of each queue, i.e. the maximum number of packets that the queue can hold. Using the undo fr pvc-pq command, you can restore the queue type of the interface to FIFO. By default, the queue type of a frame relay interface is FIFO. After FRTS is enabled on an interface, the queue type of the interface can only be FIFO or PVC PQ. PVC PQ is a new queue mechanism of FRTS. Similar to PQ, it also has four queue types: top, middle, normal and bottom, with queue priority decreasing in turn. Configure the queue of PVC PQ that DLCI enters in frame relay class. When congestion occurs on an interface, different DLCIs enter different PVC PQs. When sending data, according to queue priority, data in higher priority queues will be sent before lower priority queues. For the related command, see pvc-pq.

Example
# Set the queue type of the interface Serial 2/0/0 as PVC PQ.
[3Com-Serial2/0/0] fr pvc-pq

fr traffic-policing

Syntax
fr traffic-policing
undo fr traffic-policing

View
Frame relay interface view, MFR interface view

Parameter
None

Description
Using the fr traffic-policing command, you can enable the FRTP function. Using the undo fr traffic-policing command, you can disable the FRTP function. The FRTP function is applied to the inbound interface of frame relay packets on a router. Furthermore, it is only used at the DCE end of a frame relay network. When configuring traffic policing for an inbound interface, you must first set the DCE as a frame relay switch by using the fr switching command. For the related command, see fr class.

Example
# Enable the traffic policing function on the interface Serial 2/0/0.
[3Com-Serial2/0/0] fr traffic-policing

fr traffic-shaping

Syntax
fr traffic-shaping
undo fr traffic-shaping

View
Frame relay interface view, MFR interface view

Parameter
None

Description
Using the fr traffic-shaping command, you can enable the FRTS function. Using the undo fr traffic-shaping command, you can disable the FRTS function. By default, the FRTS function is disabled. The FRTS function is applied to the outbound interface of a router, generally used at the DTE end of a frame relay network. For the related commands, see fr class, fr-class, and fr dlci.

Example
# Enable FRTS on the serial interface Serial 2/0/0.
[3Com-Serial2/0/0] fr traffic-shaping

fragment

Syntax
fragment [ fragment-size ]
undo fragment [ fragment-size ]

View
Frame relay class view

Parameter
fragment-size: Size of a fragment, in bytes, ranging from 16 to 1600. By default, the fragment size is 45 bytes.

Description
Using the fragment command, you can enable the fragmentation function on a frame relay virtual circuit. Using the undo fragment command, you can disable this function. By default, the fragmentation function on a frame relay virtual circuit is disabled. For the related command, see fr class.

Example
# Configure fragment size as 128 in the frame relay class named test1.
[3Com] fr class test1
[3Com-fr-class-test1] fragment 128
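
The class-view parameters documented above (cir allow, cir, cbs, ebs, congestion-threshold, fifo queue-length, fragment) can be checked offline before a class is applied. The following Python linter is an added example, not 3Com code: it checks each value against the ranges given in this chapter and against the rule that MinCIR cannot exceed CIR. Assumptions: the sample configuration (class branch2 and the quit lines included) is constructed, MinCIR is compared with the outbound CIR, and Tc = CBS / CIR is the usual Frame Relay relation, which this page names but does not define.

```python
import re

# (min, max, default) copied from the parameter descriptions in this chapter.
RANGES = {
    "cir allow": (1, 45_000_000, 56_000),      # CIR, bit/s
    "cir": (1_000, 45_000_000, 56_000),        # MinCIR, bit/s
    "cbs": (300, 16_000_000, 56_000),          # bits
    "ebs": (0, 16_000_000, 0),                 # bits
    "fifo queue-length": (1, 1024, 40),        # packets
    "fragment": (16, 1600, 45),                # bytes
    "congestion-threshold": (1, 100, 100),     # percent of queue length
}
DIRECTIONAL = ("cir allow", "cbs", "ebs")      # accept [ inbound | outbound ]

PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")
# "cir allow" is listed before "cir" so the longer keyword wins.
COMMAND = re.compile(
    r"^(cir allow|cir|cbs|ebs|fifo queue-length|fragment|congestion-threshold)"
    r"(?:\s+([a-z]+))?\s+(-?\d+)$"
)

# Constructed sample input: test1 reuses values from the examples in this
# chapter, branch2 is a hypothetical class with deliberate mistakes.
SAMPLE = """\
[3Com] fr class test1
[3Com-fr-class-test1] cir allow 64000
[3Com-fr-class-test1] cir 32000
[3Com-fr-class-test1] cbs 64000
[3Com-fr-class-test1] ebs 32000
[3Com-fr-class-test1] congestion-threshold de 80
[3Com-fr-class-test1] quit
[3Com] fr class branch2
[3Com-fr-class-branch2] cir allow outbound 32000
[3Com-fr-class-branch2] cir 64000
[3Com-fr-class-branch2] cbs inbound 100
[3Com-fr-class-branch2] fragment 2000
[3Com-fr-class-branch2] congestion-threshold de 0
"""


def parse_fr_classes(config):
    """Return {class-name: {keyword: {qualifier: value}}} from CLI lines."""
    classes, current = {}, None
    for raw in config.splitlines():
        line = PROMPT.sub("", raw).strip()
        if line.startswith("fr class ") and len(line.split()) == 3:
            current = classes.setdefault(line.split()[2], {})
            continue
        if line == "quit":                     # left the class view
            current = None
            continue
        match = COMMAND.match(line)
        if current is None or match is None:
            continue
        keyword, qualifier = match.group(1), match.group(2) or ""
        value = int(match.group(3))
        if keyword in DIRECTIONAL:
            if qualifier not in ("", "inbound", "outbound"):
                continue
            # An omitted direction sets both inbound and outbound.
            targets = [qualifier] if qualifier else ["inbound", "outbound"]
        elif keyword == "congestion-threshold":
            if qualifier not in ("de", "ecn"):
                continue
            targets = [qualifier]
        else:
            if qualifier:
                continue
            targets = [""]
        for target in targets:
            current.setdefault(keyword, {})[target] = value
    return classes


def effective(settings, keyword, qualifier=""):
    """Configured value, or the documented default when it was not set."""
    return settings.get(keyword, {}).get(qualifier, RANGES[keyword][2])


def tc_seconds(settings, direction="outbound"):
    """Tc = CBS / CIR (assumed standard relation, not stated on the page)."""
    return effective(settings, "cbs", direction) / effective(settings, "cir allow", direction)


def lint(classes):
    """List range violations and MinCIR > CIR for every parsed class."""
    findings = []
    for name, settings in classes.items():
        for keyword, by_qualifier in settings.items():
            low, high, _ = RANGES[keyword]
            for qualifier, value in by_qualifier.items():
                if not low <= value <= high:
                    label = " ".join(p for p in (keyword, qualifier) if p)
                    findings.append(f"{name}: {label} {value} is outside {low}..{high}")
        # Assumption: MinCIR is compared with the outbound (FRTS) CIR.
        min_cir = effective(settings, "cir")
        cir_out = effective(settings, "cir allow", "outbound")
        if min_cir > cir_out:
            findings.append(f"{name}: MinCIR {min_cir} exceeds CIR {cir_out}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_fr_classes(SAMPLE)):
        print(finding)
```

Values that are not configured fall back to the defaults listed in this chapter, so a class that only sets cir above 56000 is also reported.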

fr-class

Syntax
fr-class class-name
undo fr-class class-name

View
Frame relay interface view, DLCI view

Parameter
class-name: Name of a frame relay class, in the form of character string, with a length ranging from 1 to 30.

Description
Using the fr-class command, you can associate a frame relay class with the current frame relay virtual circuit or frame relay interface. Using the undo fr-class command, you can remove the association between a frame relay class and the frame relay virtual circuit or frame relay interface. By default, there is no association between a frame relay class and the frame relay virtual circuit or frame relay interface. If the specified frame relay class does not exist, the command will first create a frame relay class before associating the frame relay class with the current virtual circuit or interface. If the specified frame relay class does exist, the command will associate the frame relay class with the current virtual circuit or interface without creating a new frame relay class. The undo form of this command only removes the association between a specified frame relay class and a virtual circuit or an interface rather than deleting the real frame relay class. To delete a frame relay class, use the undo fr class command. After a frame relay class is associated with an interface, all virtual circuits on the interface will inherit the frame relay QoS parameter of this frame relay class. For the related commands, see fr class and fr dlci.

Example
# Associate the frame relay class named test1 with the frame relay virtual circuit whose DLCI is 200.
[3Com] interface serial 4/0/1
[3Com-Serial4/0/1] fr dlci 200
[3Com-fr-dlci-Serial4/0/1-200] fr-class test1

pq

Syntax
pq pql list-number
undo pq

View
Frame relay class view

Parameter
pql list-number: Group number of Priority Queueing, ranging from 1 to 16.

Description
Using the pq command, you can set the queue type of frame relay virtual circuit as Priority Queueing. Using the undo pq command, you can restore the queue type of virtual circuit to FIFO. By default, the queue type of frame relay virtual circuit is FIFO. For the related commands, see cq and pvc-pq.

Example
# Apply group 10 of Priority Queueing to the frame relay class named test1.
[3Com] fr class test1
[3Com-fr-class-test1] pq pql 10

pvc-pq

Syntax
pvc-pq { top | middle | normal | bottom }
undo pvc-pq

View
Frame relay class view

Parameter
top: Sets the top PVC PQ, namely, top priority queue, to accept the packets from the VC.
middle: Sets the middle PVC PQ, namely, middle priority queue, to accept the packets.
normal: Sets the normal PVC PQ, namely, normal priority queue, to accept the packets.
bottom: Sets the normal PVC PQ, namely, normal priority queue, to accept the packets.

Description
Using the pvc-pq command, you can set the type of the PVC PQ that packets sent by frame relay virtual circuit enter. Using the undo pvc-pq command, you can restore the default PVC PQ type. By default, the packets sent by frame relay virtual circuit enter into the normal PVC PQ. PVC PQ falls into four groups, top, middle, normal and bottom. PVC PQ is relative to DLCI. After the queue of an interface is set as PVC PQ, packets on each virtual circuit can enter only one type of PVC PQ. For the related command, see fr pvc-pq.

Example
# Set packets sent by virtual circuit which is associated with the frame relay class named test1 to enter top PVC PQ.
[3Com-fr-class-one] pvc-pq top

rtpq

Syntax
rtpq start-port min-dest-port end-port max-dest-port bandwidth bandwidth
undo rtpq

Parameter
min-dest-port: Lower limit of a destination UDP port, ranging from 2000 to 65535.
max-dest-port: Upper limit of a destination UDP port, ranging from 2000 to 65535.
bandwidth bandwidth: Bandwidth of an RTP queue, in kbit/s, ranging from 0 to 2000.

View
Frame relay class view

Description
Using the rtpq command, you can apply a Realtime Transport Protocol Priority Queue (RTP Priority Queue). Using the undo rtpq command, you can remove the application. The application of a frame relay class configured with RTPQ to a PVC results in the creation of a strict priority queue on the PVC. Packets whose destination UDP port is in the port range specified by RTPQ will enter RTPQ. When congestion occurs in the virtual circuit, the packets in the queue will be sent with preference without exceeding the configured bandwidth. When congestion does not occur in the virtual circuit, the RTP packets in the specified port range can occupy the available bandwidth on the virtual circuit. Generally, the UDP port range used by VoIP can be configured as from 16384 to 32767.

Example
# Configure RTP priority queue on the frame relay class named test1 with a bandwidth of 20kbit/s.
[3Com] fr class test1
[3Com-fr-class-test1] rtpq start-port 16383 end-port 16384 bandwidth 20

traffic-shaping adaptation

Syntax
traffic-shaping adaptation { becn percentage | interface-congestion number }
undo traffic-shaping adaptation { becn | interface-congestion }

View
FR class view

Parameter
becn: Adjusts the packets with the BECN flag.
percentage: Adjustment percentage, ranging from 1 to 30 percent. The default value is 25 percent.
interface-congestion: Traffic shaping according to the number of the packets in the outbound queue.
number: Number of packets in the queue, ranging from 1 to 40.

Description
Using the traffic-shaping adaptation command, you can enable the adaptive traffic shaping function of FR. Using the undo traffic-shaping adaptation command, you can disable this function. By default, the traffic-shaping adaptation function is disabled. Related commands are fr traffic-shaping, cir allow, and cir.

Example
# Enable the FR traffic shaping function, by adjusting the packets with the BECN flag.
[3Com] fr class test1
[3Com-fr-class-test1] traffic-shaping adaptation becn 20

wfq

Syntax
wfq [ congestive-discard-threshold [ dynamic-queues ] ]
undo wfq

View
FR class view

Parameter
congestive-discard-threshold: The maximum number of packets allowed in the queue. Packets exceeding this limitation will be discarded. The permitted value ranges from 1 to 1024, with a default of 64.
dynamic-queues: Total number of queues. The value can be one of 16, 32, 64, 128, 256, 512, 1024, 2048 and 4096, with the default of 256.

Description
Using the wfq command, you can set the queue type of the VC to be WFQ. Using the undo wfq command, you can restore the queue type to FIFO. For the related commands, see cq, pq, and fr pvc-pq.

Example
# Apply WFQ to the FR class test1.
[3Com] fr class test1
[3Com-fr-class-test1] wfq 128 512

MPLS QoS Configuration Commands

if-match mpls-exp

Syntax
if-match [ not ] mpls-exp { mpls-experimental-value }
undo if-match [ not ] mpls-exp

View
Class view

Parameter
mpls-experimental-value: EXP value in the range of 0 to 7.

Description
Using the if-match mpls-exp command, you can configure the rule of exp domain matching MPLS. Using the undo if-match mpls-exp command, you can delete the rule of exp domain matching MPLS. Multiple exp-values can be specified in the command. The maximum number is 8. If multiple exp-values of the same value are specified, the system only takes one. Relation between different values is “or”. If this command is configured repeatedly under one class, the last configuration will overwrite the previous ones. After this command is configured, the exp-value will be sorted automatically in ascending order. For the related command, see traffic classifier.

Example
# Define the class to match the packet whose exp is 3 or 4.
[3Com-classifier-database] if-match mpls-exp 3 4

qos cql protocol mpls-exp

Syntax
qos cql cql-index protocol mpls-exp queue-number { mpls-experimental-number }
undo qos cql cql-index protocol mpls-exp queue-number { mpls-experimental-number }

View
System view

Parameter
cql-index: Group number of precedence list in the range of 1 to 16.
queue-number: Queue number in the range of 0 to 16.
mpls-experimental-number: EXP domain of MPLS packet in the range of 0 to 7.

Description
Using the qos cql protocol mpls-exp command, you can configure a classification rule based on the MPLS protocol. Using the undo qos cql protocol mpls-exp command, you can delete the corresponding classification rule. The system matches packets in the sequence that rules are configured. When the packet is found to match a rule, the entire searching process comes to an end. For the same group-number, this command can be used repeatedly to establish multiple types of classification rules for IP packets. For the related command, see qos cq.

Example
# Configure a classification rule based on the MPLS protocol and set the EXP value of MPLS to 1.
[3Com] qos cql 10 protocol mpls-exp 1 experimental 1

qos pql protocol mpls-exp

Syntax
qos pql pql-index protocol mpls-exp { top | middle | normal | bottom } { mpls-experimental-value }
undo qos pql pql-index protocol mpls-exp { top | middle | normal | bottom } { mpls-experimental-value }

View
System view

Parameter
pql-index: Group number of priority list in the range of 1 to 16.
mpls-experimental-value: EXP domain of MPLS packet in the range of 0 to 7.

Description
Using the qos pql protocol mpls-exp command, you can establish the classification rule based on MPLS protocol. Using the undo qos pql protocol mpls-exp command, you can delete corresponding classification rules. The system matches packets in the sequence that rules are configured. When the packet is found to match a rule, the entire searching process comes to an end. For the same group-number, this command can be used repeatedly to establish several types of classification rules for IP packets. For the related command, see qos pql protocol.

Example
# Establish the classification rule based on MPLS protocol and set the EXP value of MPLS to 5.
[3Com] qos pql 10 protocol mpls-exp top 5


remark mpls-exp

Syntax
remark mpls-exp mpls-experimental-value
undo remark mpls-exp

View
Traffic behavior view

Parameter
mpls-experimental-value: Preset EXP value of MPLS in the range of 0 to 7.

Description
Using the remark mpls-exp command, you can configure the MPLS EXP value to identify matched packets. Using the undo remark mpls-exp command, you can delete the configuration.
For the related commands, see traffic classifier, qos policy, and classifier behavior.

Example
# Configure a policy named 3Com, configure a traffic behavior named database in the policy, and set the MPLS EXP value to 0.
[3Com] qos policy 3Com
[3Com] traffic behavior database
[3Com-behavior-database] remark mpls-exp 0


12 BACKUP CENTER CONFIGURATION COMMANDS

Backup Center Configuration Commands

debugging standby event

Syntax
debugging standby event
undo debugging standby event

View
User view

Parameter
event: Enables the event information debugging.

Description
Using the debugging standby event command, you can enable the information debugging of backup center. Using the undo debugging standby event command, you can disable the information debugging of backup center.

Example
# Enable the event debugging of backup center.
[3Com] debugging standby event

display standby flow

Syntax
display standby flow

View
Any view

Description
Using the display standby flow command, you can display the traffic statistics of the main interface participating in standby load balancing.

Example
# Set Serial1/0/0, Serial0/0/0 and Logic-channel0 as the standby interfaces of Serial3/0/0.
# Configure standby load balancing on Serial3/0/0.


[3Com] interface serial3/0/0
[3Com-Serial3/0/0] standby interface serial1/0/0 10
[3Com-Serial3/0/0] standby interface serial0/0/0 30
[3Com-Serial3/0/0] standby interface logic-channel0
[3Com-Serial3/0/0] standby threshold 80 50
[3Com-Serial3/0/0] standby timer flow-check 100
[3Com-Serial3/0/0] standby bandwidth 9

# Display the traffic statistics of the main interface participating in standby load balancing.
[3Com-Serial3/0/0] display standby flow
Interfacename : Serial3/0/0
Flow-interval(s) : 100
LastInOctets : 868168
LastOutOctets : 1818667
InFlow(Octets) : 50070
OutFlow(Octets) : 100088
BandWidth(b/s) :9000
UsedBandWidth(b/s) : 8000

The contents of the display information are explained in the following table:
Table 1 Output information description of the display standby flow command

Field                 Description
Flow-interval(s)      Interval at which traffic of the main interface is checked
LastInOctets          Accumulated octets received on the main interface until the time of last check.
LastOutOctets         Accumulated octets sent on the main interface until the time of last check.
InFlow(Octets)        Accumulated octets received on the main interface during last interval.
OutFlow(Octets)       Accumulated octets sent on the main interface during last interval.
BandWidth(b/s)        Bandwidth of the main interface
UsedBandWidth(b/s)    Actual bandwidth of the interface during last interval

display standby state

Syntax
display standby state

View
Any view


Description
Using the display standby state command, you can display the interface state and standby state of the main interface and standby interfaces, and the priority, standby state flag and standby load state of the standby interfaces.
The interface state of the main interface includes UP and DOWN. The interface state of a standby interface includes UP, DOWN and STANDBY.
The standby state of the main interface includes MUP, MUPDELAY, MDOWN, MDOWNDELAY and MDESERT. The standby state of a standby interface includes UP, UPDELAY, DOWN, DOWNDELAY, STANDBY and DESERT.
Standby state flag:
M---MAIN: the interface is a main interface.
B---BACKUP: the interface is a standby interface.
V---MOVED: the interface or its main interface or all standby interfaces of the interface has (have) been removed.
U---USED: the interface is in use as a main interface or a standby interface.
D---LOAD: the interface participates in standby load balancing as a main interface.
P---PULLED: the interface card where this interface is located has been removed.
G---LOGICCHANNEL: the interface is a logic channel interface.
Standby load state includes WAKE, TO-HYPNOTIZE, TO-WAKE and STABLE.

Example
# Set Serial1/0/0, Serial0/0/0 and Logic-channel0 as the standby interfaces of Serial3/0/0.
# Configure standby load balancing on Serial3/0/0.
[3Com] interface Serial3/0/0
[3Com-Serial3/0/0] standby interface serial1/0/0 10
[3Com-Serial3/0/0] standby interface serial0/0/0 30
[3Com-Serial3/0/0] standby interface logic-channel0
[3Com-Serial3/0/0] standby threshold 80 50

# Display the interface state and standby state of the main interface and standby interfaces, and the priority, standby state flag and standby load state of the standby interfaces.
[3Com-Serial3/0/0] display standby state
Interface       Interfacestate  Backupstate  Backupflag  Pri  Loadstate
Serial3/0/0     UP              MUP          MUD              TO-HYPNOTIZE
Serial0/0/0     DOWN            DOWN         BU          30
Logic-channel0  UP              UPDELAY      BU          20
Serial1/0/0     STANDBY         STANDBY      BU          10

Backup-flag meaning:
M---MAIN B---BACKUP D---LOAD P---PULLED V---MOVED U---USED
G---LOGICCHANNEL

standby bandwidth

Syntax
standby bandwidth number
undo standby bandwidth

View
Interface view

Parameter
number: Interface bandwidth ranging from 0 to 4000000KB. By default, it is 0.

Description
When the main interface participates in standby load balancing, the backup center preferentially uses the standby bandwidth that the user configured for the main interface. If none is configured, it automatically gets the main interface bandwidth provided by the system. If that fails, it asks the user to configure a standby bandwidth for the main interface.
Before executing this command, the standby interface (specifying a physical interface or a logic channel as the standby interface of the main interface) command must have been executed.

Example
# Set Serial1/0/0 as the standby interface of Serial0/0/0.
# Configure the standby bandwidth of the main interface on Serial0/0/0.
[3Com] interface serial0/0/0
[3Com-Serial0/0/0] standby interface serial1/0/0 50
[3Com-Serial0/0/0] standby bandwidth 10000
[3Com-Serial0/0/0] standby threshold 80 50

standby interface

Syntax
standby interface type number [ priority ]
undo standby interface type number


View
Interface view

Parameter
type: Interface type.
number: Interface number.
priority: Priority of a standby interface, ranging from 0 to 255, being 0 by default. The greater the value is, the higher the priority is.

Description
Using the standby interface command, you can configure a certain physical interface as a standby interface for the main interface. Using the undo standby interface command, you can cancel a specified standby interface. By default, no standby interface is specified.
A certain physical interface can be specified as a standby interface. One main interface can have multiple standby interfaces, which are used according to their priorities when backup is needed; that is, the standby interface with the higher priority is used first.

Example
# Specify Serial 1/0/0, with a priority value of 50, as the standby interface for Serial 0/0/0.
[3Com-Serial0/0/0] standby interface serial1/0/0 50

standby threshold

Syntax
standby threshold enable-threshold disable-threshold
undo standby threshold

View
Interface view

Parameter
enable-threshold: Upper limit percentage of enabling standby interfaces and logic channels. This value ranges from 1 to 99.
disable-threshold: Lower limit percentage of disabling standby interfaces and logic channels. This value ranges from 1 to 99.

Description
Using the standby threshold command, you can configure the standby load balancing for an interface or a logic channel. Using the undo standby threshold command, you can cancel the standby load balancing of an interface or a logic channel. By default, no standby load balancing is configured.


This command should be configured on the main interface of the backup center. When the traffic on all the active interfaces of the backup center reaches the set upper limit, the available standby interface with the highest priority will be enabled. When the total traffic on all the active interfaces of the backup center is lower than the set lower limit, the standby interface with the lowest priority will be disabled. The enable-threshold must not be less than disable-threshold.
When undo standby threshold is applied, if the existing standby interfaces are enabled, the command will shut down all the standby interfaces, and only the main interface works.
For the related command, see standby interface.

Example
# Configure standby load balancing on interface Serial 0/0/0.
[3Com-Serial0/0/0] standby threshold 80 50

standby timer delay

Syntax
standby timer delay enable-delay disable-delay
undo standby timer delay

View
Interface view

Parameter
enable-delay: Delay for the standby interface to switch to the main interface. It ranges from 0 to 65535 seconds.
disable-delay: Delay for the main interface to switch to a standby interface. It ranges from 0 to 65535 seconds.
By default, enable-delay and disable-delay are 0, that is, immediate switchover.

Description
Using the standby timer delay command, you can set the delay for the main/standby interface switchover. Using the undo standby timer delay command, you can recover the default delay value.
It is recommended to set the switching delay to prevent frequent main/standby interface switching due to the instability of the interface status.
Before executing this command, the standby interface (specifying a physical interface or a logic channel as the standby interface of the main interface) command must have been executed.

Example
# Specify Serial0/0/0 to use Serial1/0/0 as its standby interface and set the delay for main/standby switchover to 10 seconds.


[3Com-Serial0/0/0] standby interface serial1/0/0
[3Com-Serial0/0/0] standby timer delay 10 10

standby timer flow-check

Syntax
standby timer flow-check interval-time
undo standby timer flow-check

View
Interface view

Parameter
interval-time: Interval at which the traffic is checked. It ranges from 30 seconds to 600 seconds and defaults to 30 seconds.

Description
Using the standby timer flow-check command, you can configure the interval at which the main interface's traffic is checked. Using the undo standby timer flow-check command, you can recover the default interval for traffic checking.
When the main interface participates in standby load balancing, the backup center automatically checks the traffic of the main interface at the interval configured with this command.
Before executing this command, the standby interface (specifying a physical interface or a logic channel as the standby interface of the main interface) command must have been executed.

Example
# Set Serial1/0/0 as the standby interface of Serial0/0/0.
# Configure the standby bandwidth of the main interface on Serial0/0/0.
[3Com] interface serial 0/0/0
[3Com-Serial0/0/0] standby interface serial1/0/0 50
[3Com-Serial0/0/0] standby bandwidth 10000
[3Com-Serial0/0/0] standby threshold 80 50
[3Com-Serial0/0/0] standby timer flow-check 60


VRRP Configuration Commands

debugging vrrp

Syntax
debugging vrrp { packet | state }
undo debugging vrrp { packet | state }

View
User view

Parameter
packet: Enable the VRRP packet debugging.
state: Enable the VRRP state debugging.

Description
Using the debugging vrrp command, you can enable debugging for VRRP. Using the undo debugging vrrp command, you can disable VRRP debugging. By default, VRRP debugging is disabled.

Example
# Enable the VRRP packet debugging.
[3Com] debugging vrrp packet

display vrrp

Syntax
display vrrp [ interface interface-name [ virtual-router-ID ] ]

View
Any view

Parameter
interface-name: Interface name that must be an Ethernet Interface.
virtual-router-ID: Standby group number.

Description
Using the display vrrp command, you can view the status information of VRRP.
This command is used to view the status information and configuration parameters of current VRRP. If the interface name and standby group number are not specified, the status information of all the standby groups on the router will be displayed. If the interface name is specified, the status information of all the standby groups on the interface will be displayed. If both parameters are specified, the status information of the standby group will be displayed.


Example
# Display all standby group information of the router.
<3Com> display vrrp
Ethernet0/2/0 | Virtual Router 1
  state      : Master
  Virtual IP : 202.38.160.111
  Priority   : 150
  Preempt    : YES    Delay Time : 0
  Timer      : 1
  Auth type  : NONE

Ethernet0/2/0 | Virtual Router 2
  state      : Backup
  Virtual IP : 202.38.160.100
  Priority   : 100
  Preempt    : YES    Delay Time : 0
  Timer      : 1
  Auth type  : NONE

Ethernet1/2/0 | Virtual Router 1
  state      : Backup
  Virtual IP : 10.10.10.10
               10.10.10.11
  Priority   : 150
  Preempt    : YES    Delay Time : 0
  Timer      : 1
  Auth type  : SIMPLE TEXT      Auth Key : 3Com
  Track IF   : Ethernet0/2/0    Priority Reduced : 60

# Display the information of all the standby groups on the interface.
<3Com> display vrrp interface ethernet0/2/0
Ethernet0/2/0 | Virtual Router 1
  state      : Master
  Virtual IP : 202.38.160.111
  Priority   : 150
  Preempt    : YES    Delay Time : 0
  Timer      : 1
  Auth type  : NONE

Ethernet0/2/0 | Virtual Router 2
  state      : Backup
  Virtual IP : 202.38.160.100
  Priority   : 100
  Preempt    : YES    Delay Time : 0
  Timer      : 1
  Auth type  : NONE

# Display the information of a specified standby group on the interface.
<3Com> display vrrp interface ethernet0/2/0 1
Ethernet0/2/0 | Virtual Router 1
  state      : Master
  Virtual IP : 202.38.160.111
  Priority   : 150
  Preempt    : YES    Delay Time : 0
  Timer      : 1
  Auth type  : NONE

vrrp authentication-mode

Syntax
vrrp authentication-mode { md5 key | simple key }
undo vrrp authentication-mode

View
Interface view

Parameter
simple: Simple character authentication.
md5: AH authentication using MD5 algorithm.
key: Authentication key. The length of the authentication key is 8 bytes or smaller.

Description
Using the vrrp authentication-mode command, you can configure the authentication type and authentication key of a VRRP standby group. Using the undo vrrp authentication-mode command, you can cancel the VRRP authentication. By default, no authentication is set.


This command is used to set the authentication type and authentication key for all the VRRP standby groups on an interface, as the protocol requires the standby groups of an interface to use the same authentication type and authentication key. In addition, the members of a standby group should have the same authentication type and authentication key.
Authentication type and authentication key are insensitive to case.

Example
# Set the authentication type and authentication key of all VRRP standby groups on interface Ethernet 0/2/0.
[3Com-Ethernet0/2/0] vrrp authentication-mode simple 3Com
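
The consistency rules above can be checked automatically. The following Python script is an added example, not part of the 3Com manual: it reads session transcripts in the prompt format used on this page and reports VRRP interfaces that have no authentication, that use simple mode (whose key the display vrrp sample on this page prints in clear), that carry a key longer than 8 bytes, or whose standby-group peers use a different type or key. The router names, addresses and transcripts are constructed sample data, and matching peers by VRID plus virtual IP address is an assumption of the example.

```python
import re
from collections import defaultdict

# Interface-view prompt as shown in the manual, e.g. "[3Com-Ethernet0/2/0] vrrp ...".
PROMPT = re.compile(r"^\[(?P<host>[^\]\-]+)-(?P<view>[^\]]+)\]\s*(?P<cmd>.*)$")
VIP = re.compile(r"^(undo )?vrrp vrid (\d+) virtual-ip(?: (\S+))?$", re.I)
AUTH = re.compile(r"^vrrp authentication-mode (md5|simple) (\S+)$", re.I)
UNDO_AUTH = re.compile(r"^undo vrrp authentication-mode$", re.I)
MAX_KEY_BYTES = 8  # manual: the key length "is 8 bytes or smaller"

# Constructed sample transcripts (hypothetical routers, addresses and keys).
TRANSCRIPTS = {
    "RouterA": """
[RouterA] interface ethernet0/2/0
[RouterA-Ethernet0/2/0] vrrp vrid 1 virtual-ip 10.10.10.10
[RouterA-Ethernet0/2/0] vrrp vrid 1 virtual-ip 10.10.10.11
[RouterA-Ethernet0/2/0] vrrp authentication-mode simple 3Com
[RouterA-Ethernet0/2/0] quit
[RouterA] interface ethernet1/2/0
[RouterA-Ethernet1/2/0] vrrp vrid 2 virtual-ip 10.20.20.1
[RouterA-Ethernet1/2/0] vrrp authentication-mode md5 Example1
[RouterA-Ethernet1/2/0] quit
[RouterA] interface ethernet3/0/0
[RouterA-Ethernet3/0/0] vrrp vrid 4 virtual-ip 10.40.40.1
""",
    "RouterB": """
[RouterB] interface ethernet0/2/0
[RouterB-Ethernet0/2/0] vrrp vrid 1 virtual-ip 10.10.10.10
[RouterB-Ethernet0/2/0] vrrp authentication-mode md5 3com
[RouterB-Ethernet0/2/0] quit
[RouterB] interface ethernet1/2/0
[RouterB-Ethernet1/2/0] vrrp vrid 2 virtual-ip 10.20.20.1
[RouterB-Ethernet1/2/0] vrrp authentication-mode md5 EXAMPLE1
[RouterB-Ethernet1/2/0] quit
[RouterB] interface ethernet2/0/0
[RouterB-Ethernet2/0/0] vrrp vrid 3 virtual-ip 10.30.30.1
[RouterB-Ethernet2/0/0] undo vrrp vrid 3 virtual-ip
""",
}


def parse(transcript):
    """Return ({(interface, vrid): {virtual IPs}}, {interface: (mode, key)})."""
    groups, auth = defaultdict(set), {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # system-view or user-view line: no interface context
        iface, cmd = m["view"], " ".join(m["cmd"].split())
        if v := VIP.match(cmd):
            undo, vrid, addr = v.group(1), int(v.group(2)), v.group(3)
            if undo and addr:
                groups[(iface, vrid)].discard(addr)
            elif undo:
                groups[(iface, vrid)].clear()
            elif addr:
                groups[(iface, vrid)].add(addr)
        elif a := AUTH.match(cmd):
            auth[iface] = (a.group(1).lower(), a.group(2))
        elif UNDO_AUTH.match(cmd):
            auth.pop(iface, None)
    # A standby group whose addresses were all deleted no longer exists.
    return {k: v for k, v in groups.items() if v}, auth


def audit(transcripts):
    """Return sorted (router, interface, finding) tuples for VRRP interfaces."""
    findings, members = set(), defaultdict(list)
    for router, text in transcripts.items():
        groups, auth = parse(text)
        for (iface, vrid), vips in groups.items():
            mode, key = auth.get(iface, ("none", ""))
            if mode == "none":
                findings.add((router, iface, "no-authentication"))
            elif mode == "simple":
                findings.add((router, iface, "simple-text-key"))
            if len(key.encode()) > MAX_KEY_BYTES:
                findings.add((router, iface, "key-longer-than-8-bytes"))
            for vip in vips:
                # The manual states keys are case-insensitive: compare lowercased.
                members[(vrid, vip)].append((router, iface, (mode, key.lower())))
    for peers in members.values():
        if len({setting for _, _, setting in peers}) > 1:
            findings.update((r, i, "peer-auth-mismatch") for r, i, _ in peers)
    return sorted(findings)


if __name__ == "__main__":
    for router, iface, finding in audit(TRANSCRIPTS):
        print(f"{router} {iface}: {finding}")
```
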

vrrp vrid preempt-mode

Syntax
vrrp vrid virtual-router-ID preempt-mode [ timer delay delay-value ]
undo vrrp vrid virtual-router-ID preempt-mode

View
Interface view

Parameter
virtual-router-ID: Virtual Router ID, namely, VRRP standby group number, ranging from 1 to 255.
delay-value: Delay time in seconds with a value ranging from 0 to 255.
By default, a router is in preemption mode with the delay as 0.

Description
Using the vrrp vrid preempt-mode command, you can configure the preemption mode and delay time of routers in a standby group. Using the undo vrrp vrid preempt-mode command, you can cancel the preemption mode and delay time of routers in a standby group.
If a router with a higher priority needs to actively preempt the MASTER role, the router should be set to preemption mode. If a longer time is needed for preemption, the delay time can be set. When a router is set to non-preemption mode, the delay value will be set to 0 automatically.

Example
# Set a standby group to preemption mode.
[3Com-Ethernet0/2/0] vrrp vrid 1 preempt-mode

# Set the preemption delay.
[3Com-Ethernet0/2/0] vrrp vrid 1 preempt-mode timer delay 5

# Cancel the preemption mode.
[3Com-Ethernet0/2/0] undo vrrp vrid 1 preempt-mode


vrrp vrid priority

Syntax
vrrp vrid virtual-router-ID priority priority-value
undo vrrp vrid virtual-router-ID priority

View
Interface view

Parameter
virtual-router-ID: VRRP standby group number, ranging from 1 to 255.
priority-value: Priority value of the router in standby group, in the range from 1 to 254. By default, the priority is 100.

Description
Using the vrrp vrid priority command, you can configure the priority of a router in the standby group. Using the undo vrrp vrid priority command, you can restore the default value of priority.
Priority determines the position of a router in the standby group. A higher priority means that the router is more likely to become MASTER. Priority 0 is reserved for some special usage by the system and 255 is reserved for IP address owner.

Example
# Set the priority of a router in standby group 1 to 150.
[3Com-Ethernet0/2/0] vrrp vrid 1 priority 150

vrrp vrid timer-advertise

Syntax
vrrp vrid virtual-router-ID timer advertise adver-interval
undo vrrp vrid virtual-router-ID timer advertise

View
Interface view

Parameter
virtual-router-ID: VRRP standby group number, ranging from 1 to 255.
adver-interval: Interval, in seconds, at which the MASTER in the standby group sends VRRP packets, with a value ranging from 1 to 255. By default, the interval is 1 second.

Description
Using the vrrp vrid timer-advertise command, you can configure the timer of the standby group. Using the undo vrrp vrid timer-advertise command, you can restore the default value of the timer.
This command can be used to set the interval at which the MASTER sends VRRP packets.


Example
# Set the interval at which the MASTER in standby group 1 sends VRRP packets to 5 seconds.
[3Com-Ethernet0/2/0] vrrp vrid 1 timer advertise 5

vrrp vrid track

Syntax
vrrp vrid virtual-router-ID track interface-name [ reduced value-reduced ]
undo vrrp vrid virtual-router-ID track [ interface-name ]

View
Interface view

Parameter
virtual-router-ID: VRRP standby group number, ranging from 1 to 255.
interface-name: Interface being monitored.
value-reduced: Value by which the priority is reduced. It ranges from 1 to 255 and defaults to 10.

Description
Using the vrrp vrid track command, you can configure an interface to be tracked. Using the undo vrrp vrid track command, you can cancel the tracking.
The interface monitoring function of VRRP extends the backup function so that backup is provided not only when a router fails but also when a certain network interface is DOWN. After this command is configured, if the monitored interface is DOWN, the priority of the router is reduced and the priority of another member in the standby group becomes the highest. As a result, the router with the highest priority becomes the new MASTER, which achieves the backup function.
Configuring a monitored interface on a router that is the IP address owner is forbidden.

Example
# Set and monitor the interface Serial 0/0/0.
[3Com-Ethernet0/2/0] vrrp vrid 1 track serial0/0/0 reduced 50

# Cancel the tracking on Serial 0/0/0.
[3Com-Ethernet0/2/0] undo vrrp vrid 1 track serial0/0/0
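
Whether tracking actually moves the MASTER role depends on the numbers chosen. The following Python check is an added example, not part of the 3Com manual; it assumes the standard VRRP rule (RFC 3768) that a Backup in preemption mode takes over only when its priority is strictly greater than the priority the Master advertises, and the router names are hypothetical.

```python
DEFAULT_PRIORITY = 100  # manual: "By default, the priority is 100."
DEFAULT_REDUCED = 10    # manual: value-reduced defaults to 10

# Constructed standby group. Priority 150 and "reduced 50" are the values used in
# the manual's vrrp vrid priority and vrrp vrid track examples.
GROUP = {
    "RouterA": {"priority": 150, "preempt": True, "track": {"Serial0/0/0": 50}},
    "RouterB": {"priority": DEFAULT_PRIORITY, "preempt": True, "track": {}},
}


def tracking_gaps(group):
    """List tracked interfaces whose failure would NOT move the MASTER role.

    Each entry is (router, interface, priority_after_reduction, minimum_reduction),
    where minimum_reduction is None when no peer is able to preempt at all.
    """
    gaps = []
    for name, cfg in group.items():
        peers = [p for n, p in group.items() if n != name]
        if not peers or cfg["priority"] <= max(p["priority"] for p in peers):
            continue  # not the router that normally holds MASTER
        # Only a peer in preemption mode takes over from a MASTER that is still alive.
        rival = max((p["priority"] for p in peers if p["preempt"]), default=None)
        for iface, reduced in cfg["track"].items():
            after = cfg["priority"] - reduced
            if rival is None or rival <= after:
                needed = None if rival is None else cfg["priority"] - rival + 1
                gaps.append((name, iface, after, needed))
    return gaps


if __name__ == "__main__":
    for router, iface, after, needed in tracking_gaps(GROUP):
        print(f"{router}: tracking {iface} drops priority to {after}; "
              f"needs reduced >= {needed} to hand over MASTER")
```

With a peer left at the default priority of 100, reducing 150 by 50 only produces a tie, so the role does not move; the reduction of 60 shown in the display vrrp sample does.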

vrrp vrid virtual-ip

Syntax
vrrp vrid virtual-router-ID virtual-ip virtual-address
undo vrrp vrid virtual-router-ID virtual-ip [ virtual-address ]

View
Interface view


Parameter
virtual-router-ID: VRRP standby group number, ranging from 1 to 255.
virtual-address: Virtual IP address.

Description
Using the vrrp vrid virtual-ip command, you can add a virtual IP address. Using the undo vrrp vrid virtual-ip command, you can cancel a virtual IP address. By default, there is no standby group in the system.
This command is used to establish a standby group and can also be used to add a virtual IP address to an existing standby group. At most 16 virtual IP addresses can be added to a standby group.
The undo vrrp vrid virtual-ip command can be used to delete an existing standby group or delete a certain virtual address in the standby group. If the addresses of a standby group have all been deleted, the system will automatically delete the standby group.

Example
# Create a standby group.
[3Com-Ethernet0/2/0] vrrp vrid 1 virtual-ip 10.10.10.10

# Add a virtual IP address to an existing standby group.
[3Com-Ethernet0/2/0] vrrp vrid 1 virtual-ip 10.10.10.11

# Delete a virtual IP address.
[3Com-Ethernet0/2/0] undo vrrp vrid 1 virtual-ip 10.10.10.10

# Delete a standby group.
[3Com-Ethernet0/2/0] undo vrrp vrid 1 virtual-ip

13 DCC CONFIGURATION COMMANDS

DCC Configuration Commands

debugging dialer

Syntax
debugging dialer { event | packet | all }

View
Any view

Parameter
event: Enables DCC event debugging.
packet: Enables DCC packet debugging.

Description
Using the debugging dialer command, you can enable DCC debugging.

Example
None

dialer bundle

Syntax
dialer bundle number
undo dialer bundle

View
Dialer interface view

Parameter
number: Number of dialer bundle, ranging from 1 to 255.

Description
Using the dialer bundle command, you can configure a dialer bundle used by a dialer interface. Using the undo dialer bundle command, you can disassociate the dialer bundle from the dialer interface. By default, the Resource-Shared DCC is not enabled, and the dialer bundle is not specified.
This command can be applied only on a dialer interface for configuring the dialer bundle that the interface will use. Furthermore, a dialer interface can use only one dialer bundle. This command can be used to specify a dialer bundle used by a dialer interface, no matter which link protocol, PPP or Frame Relay, runs on the interface.
For related commands, see dialer bundle-member.

Example
# Configure the interface Dialer1 to use dialer bundle3, in which the interface Serial0 is included.
[3Com-Dialer1] dialer bundle 3
[3Com-Serial0/0/0] dialer bundle-member 3

dialer bundle-member

Syntax
dialer bundle-member number [ priority priority | max-link max-num | min-link min-num ]
undo dialer bundle-member number

View
Physical interface view

Parameter
number: Dialer bundle number ranging from 1 to 255.
priority: Priority of the physical interface in the dialer bundle, ranging from 1 to 255. The physical interface with higher priority will be used first. This is an optional parameter. By default, priority is 1.
max-num: The maximum number of channels that can be used.
min-num: The minimum number of channels that can be used.

Description
Using the dialer bundle-member command, you can configure a physical interface included in a dialer bundle in the Resource-Shared DCC application. Using the undo dialer bundle-member command, you can remove the physical interface from the dialer bundle. By default, the physical interface is not assigned to any dialer bundle.
This command can only be applied to a physical interface, which can be assigned to multiple dialer bundles.
To enable the B channel of an ISDN interface (BRI or PRI) to configure its link layer protocol dynamically according to the dialer interface it belongs to, the link layer protocol that the interface uses should be specified as PPP.
For related command, see dialer bundle.


Example
# Make Bri1/0/0 a member of dialer bundle1 and dialer bundle2, and assign it a priority of 50.
[3Com] interface bri 1/0/0
[3Com-Bri1/0/0] dialer bundle-member 1 priority 50
[3Com-Bri1/0/0] dialer bundle-member 2 priority 50

dialer callback-center

Syntax
dialer callback-center [ user ] [ dial-number ]
undo dialer callback-center

View
Physical or dialer interface view

Parameter
user: Calls back according to the parameter user hostname configured in the dialer route command.
dial-number: Calls back according to the parameter telephone-number configured in the local-user callback-number command.

Description
Using the dialer callback-center command, you can enable the callback server function. Using the undo dialer callback-center command, you can disable the callback server function of a router. By default, PPP callback server is not configured.
This command must be configured at the server end when PPP is used to implement callback. The parameter user indicates that DCC will call back according to the parameter configured in the dialer route command. The parameter dial-number indicates that DCC will call back the remote end according to the callback-number configured in the local-user command.
When both user and dial-number are applied concurrently, the router will first attempt to place a return call according to the first parameter. If the callback attempt fails, it will try the second parameter for callback.
For related commands, see ppp callback, ppp authentication-mode.

Example
# Configure a remote username and set the router to call the user back.
[3Com] local-user 3Comb password simple 3Comb
[3Com] interface serial0/0/0
[3Com-Serial0/0/0] dialer route ip 1.1.1.2 user 3Comb 8810052
[3Com-Serial0/0/0] dialer callback-center user


dialer call-in

Syntax
dialer call-in remote-number [ callback ]
undo dialer call-in remote-number [ callback ]

View
Physical or dialer interface view

Parameter
remote-number: Used for matching the remote incoming call number. The character “*” represents any character.
callback: When calling back the server end, the incoming number will match with the dialer call-in command containing this keyword and originate a callback.

Description
Using the dialer call-in command, you can enable ISDN callback according to ISDN caller ID. Using the undo dialer call-in command, you can cancel the configuration. By default, ISDN callback according to ISDN caller ID is not configured.
This command must be configured at the server end when ISDN caller ID is applied for callback.
In Resource-Shared DCC, because both PPP and Frame Relay can be encapsulated on a dialer interface, an ISDN interface can encapsulate its link layer protocol dynamically according to the corresponding dialer interface. The caller first searches for the corresponding dialer interface by matching the caller number with the dialer number command.
The dialer call-in command is used to preprocess the ISDN call-in number so as to determine whether the user with this number can be permitted to access. If the PBX switch does not provide the caller number, the call is refused directly.
For related command, see dialer callback-center.

Example
# Configure the router to call back the calling number 8810152.
[3Com-Bri0/0/0] dialer route ip 100.1.1.2 8810152
[3Com-Bri0/0/0] dialer call-in 8810152 callback

dialer circular-group

Syntax
dialer circular-group number
undo dialer circular-group

View
Physical interface view


Parameter
number: Number of the dialer circular group to which the physical interface belongs, ranging from 0 to 1023. This number is defined through the interface dialer command.

Description
Using the dialer circular-group command, you can add the physical interface to a dialer circular group specified here. Using the undo dialer circular-group command, you can cancel the configuration. By default, the physical interface is not a member of any dialer circular group.
One physical interface can only be added to one dialer circular group, which may contain multiple physical interfaces. When a call is originated on a dialer interface, the highest priority physical interfaces in the circular group on the dialer interface will place the call.
For related command, see interface dialer.

Example
# Assign Serial1/0/0 and Serial2/0/0 to dialer circular group1.
[3Com-Serial1/0/0] dialer circular-group 1
[3Com-Serial2/0/0] dialer circular-group 1

dialer enable-circular

Syntax
dialer enable-circular
undo dialer enable-circular

View
Physical or dialer interface view

Parameter
None

Description
Using the dialer enable-circular command, you can enable Circular DCC. Using the undo dialer enable-circular command, you can disable Circular DCC. By default, Circular DCC is enabled on the ISDN interfaces and disabled on other interfaces.
The user must use this command to enable it before using Circular DCC.
For related command, see dialer circular-group.


Example
# Enable Circular DCC on Serial 0/0/0.
[3Com-Serial0/0/0] dialer enable-circular

dialer isdn-leased

Syntax
dialer isdn-leased number
undo dialer isdn-leased number

View
Physical or dialer interface view

Parameter
number: Number of the ISDN B channel configured to be a leased line. If the channel is on a BRI interface, the range is from 1 to 2. If it is on a CE1/PRI interface, the range is from 0 to 30. If it is on an E1/PRI interface, the range is from 0 to 30. If it is on a CT1/PRI interface, the range is from 0 to 23.

Description
Using the dialer isdn-leased command, you can configure an ISDN B channel (either a channel on a BRI interface or one on a PRI interface) to be a leased line. Using the undo dialer isdn-leased command, you can cancel the setting. By default, no ISDN B channel is configured to be a leased line.
The user can configure any ISDN B channel to be a leased line without affecting the settings of other B channels.

Example
# Configure the first B channel on the interface Bri0/0/0 to be the leased line.
[3Com-Bri0/0/0] dialer isdn-leased 1

dialer listen-group

Syntax
dialer listen-group group-number
undo dialer listen-group group-number

View
Dialer interface view

Parameter
group-number: Dialer Listen group number, ranging from 1 to 255.

Description
Using the dialer listen-group command, you can enable the Dialer Listen function on the AUX interface. Using the undo dialer listen-group command, you can disable the Dialer Listen function on the AUX interface.

Example
# Enable Dialer Listen on Dialer0.


[3Com-Dialer0] dialer listen-group 12

dialer listen-rule

Syntax
dialer listen-rule group-number ip ip-address address-mask
undo dialer listen-rule group-number

View
Dialer interface view

Parameter
group-number: Dialer Listen group number, ranging from 1 to 255.
ip-address: Destination network address to be monitored.
address-mask: Subnet mask of the destination.

Description
Using the dialer listen-rule command, you can configure the destination network address to be monitored. Using the undo dialer listen-rule command, you can delete a listen rule, together with the network address.

Example
# Configure the destination network address to be monitored on Dialer0.
[3Com-Dialer0] dialer listen-rule 12 ip 202.38.160.1 255.255.255.0

dialer number

Syntax
dialer number dial-number undo dialer number

View Physical or dialer interface view Parameter dial-number: Dial number for calling a remote end. Description Using the dialer number command, you can configure a dial number for placing a call to a single remote end. Using the undo dialer number command, you can cancel the configured dial number. By default, no dial number is set for calling the remote end. This command is used when the dialer interface of Circular DCC serves as caller end and the dialer originates calls to only one destination address or the default address. This command is only valid after at least one of the following requirements is satisfied:


The dialer route command is not configured on the interface.




Or the next hop address that sends packets cannot be found in the corresponding dialer route command.

When dialer interfaces of Resource-Shared DCC run link protocol of PPP, the remote user names, which are obtained via PPP authentication and configured with dialer user respectively, will decide which dialer interface will receive the incoming call. In this case, dialer user must be configured, and dialer number can be configured optionally. When dialer interfaces run link protocol of Frame Relay, the calling numbers, which are received from the incoming call and configured with dialer number respectively, will decide which dialer interface will receive the incoming call. In this case, dialer number must be configured, and dialer user can be configured optionally. 1) If dialer-group command is not configured, DCC will not dial even if dialer number command is configured. 2) When using Resource-Shared DCC, the same dialer number can be configured on different dialer interfaces at the calling side; but it is not the case at the called side; otherwise, the call will fail. When using Circular DCC, the same dialer number can be configured on different dialer interfaces at the calling side, and it is the same to the called side. For related command, see dialer route. Example # Set the dialer number for dialer1 calling the remote end to “11111”.
[3Com] interface dialer 1
[3Com-Dialer1] dialer number 11111

dialer priority

Syntax
dialer priority priority
undo dialer priority

View Physical interface view Parameter priority: Indicates the priority level for a physical interface which belongs to a dialer circular group, ranging from 1 to 127. By default, the priority is 1. Description Using the dialer priority command, you can configure a priority for a physical interface in a dialer circular group in the Circular DCC configuration. Using the undo dialer priority command, you can restore the default priority. This command sets the order in which the available physical interfaces in a dialer circular group are used. The physical interfaces with higher priority will be used first.


For related command, see dialer circular-group. Example # Set the priority of Serial 3/0/0 in dialer circular group0 to 5.
[3Com-Serial3/0/0] dialer circular-group 0
[3Com-Serial3/0/0] dialer priority 5

dialer queue-length

Syntax
dialer queue-length packets
undo dialer queue-length

View Physical or dialer interface view Parameter packets: Indicates the packet numbers buffered on this interface, ranging from 1 to 100. By default, the value of max-threshold is 30. Description Using the dialer queue-length command, you can configure the number of packets, which comply with the "permit" statement, that can be buffered before a link is set up. Using the undo dialer queue-length command, you can restore the default number of the packets that can be buffered. In the link establishing process, the packets which comply with the "permit" statement are held in the buffer queue to wait for transmission as soon as the link is set up. The setting of packets decides the queue length. Example # Configure that 10 packets are buffered on Serial1/0/0.
[3Com-Serial1/0/0] dialer queue-length 10

dialer route

Syntax
dialer route protocol next-hop-address [ user hostname ] [ broadcast ] [ dial-number ] [ autodial ] [ logical-channel logic-channel-number ]
undo dialer route protocol next-hop-address [ user hostname ] [ broadcast ] [ dial-number ] [ autodial ] [ logical-channel logic-channel-number ]

View Physical or dialer interface view Parameter protocol: Network protocol keyword, being ip or ipx. next-hop-address: Remote network address. user hostname: Remote user name, which is optionally specified for authentication implemented when receiving calls.


broadcast: An optional parameter indicating that the broadcast packets can be transmitted on this link. dial-number: Dial number of the remote end. autodial: If this parameter is defined in a dialer route, the router will automatically attempt to dial according to the dialer route at a certain interval. The interval is set in the dialer autodial-interval command, which is 300 seconds by default. logical-channel logic-channel-number: Number of the specified logic channel of the standby center. Description Using the dialer route command, you can configure to originate calls to one or multiple remote ends or to receive calls from multiple remote ends on a DCC interface. Using the undo dialer route command, you can cancel a dialer route. By default, the system does not define dialer route. To originate a call, the parameter dial-number should be used. If the user keyword is used, PPP authentication should be configured. The user can configure multiple dialer routes for a dial port or a destination address. If the dialer-group command is not configured, DCC will not dial. For related commands, see dialer enable-circular, dialer autodial-interval. Example # Set the remote end to be called on Serial 0/0/0.
[3Com-Serial0/0/0] dialer route ip 131.108.2.5 user ZZZ 14155553434

dialer threshold

Syntax
dialer threshold traffic-percentage [ in-out | in | out ]
undo dialer threshold

View Dialer interface view Parameter traffic-percentage: Percentage of the actual traffic on the link over the bandwidth, ranges from 1 to 99. in-out: Calculates the larger one of the inbound traffic and the outbound traffic in the actual traffic calculation. in: Only the inbound traffic is calculated. out: Only the outbound traffic is calculated.


Description Using the dialer threshold command, you can configure the traffic threshold of a link on the DCC interface so that another link can be enabled to call the same destination address when the ratio of traffic on all connected links on the DCC interface to the available bandwidth exceeds the preset percentage. Using the undo dialer threshold command, you can restore the default value. By default, traffic control is not enabled. If the ratio of the traffic on a link of a DCC interface to the bandwidth exceeds a defined threshold, the second link will be enabled to implement MP binding with the first one. When the ratio of traffic on the two links to the bandwidth exceeds a defined threshold, the third link will be enabled, so on and so forth. On the contrary, when the ratio of the traffic on N (N is an integer greater than or equal to 2) links to the bandwidth of N-1 links is less than a defined threshold, a link will be disabled. In Circular DCC, this command is used on the interfaces corresponding to the dialer circular-group (including ISDN BRI/PRI interfaces and dialer interfaces). In Resource-Shared DCC, this dialer threshold command is applied to dialer interface only. In addition, this command must be used together with the ppp mp command. For related command, see ppp mp. Example # Set the traffic threshold on Dialer1 to 80%.
[3Com-Dialer1] dialer threshold 80

dialer timer autodial

Syntax
dialer timer autodial seconds
undo dialer timer autodial

View Physical or dialer interface view Parameter seconds: Interval before the next call attempt, ranging from 1 to 604800 seconds. The default interval is 300 seconds. Description Using the dialer timer autodial command, you can configure the automatic dialing interval of DCC. Using the undo dialer timer autodial command, you can restore the default interval. This command should be used together with the autodial keyword in the dialer route command. DCC will automatically attempt to dial at the configured interval (seconds) until the connection is established. The automatic dialing function is independent of the trigger with data packets. The established connection will not be automatically disconnected on timeout. That is, the configuration of the dialer timer idle command does not affect it. For related command, see dialer route.


Example # Set the DCC automatic calling interval on Serial0/0/0 to 60 seconds.
[3Com-Serial0/0/0] dialer timer autodial 60

dialer timer compete

Syntax
dialer timer compete seconds
undo dialer timer compete

View Physical or dialer interface view Parameter seconds: Idle interval when contention occurs, ranges from 0 to 65535 seconds. By default, the idle interval is 20 seconds. Description Using the dialer timer compete command, you can configure an idle interval for an interface after call contention occurs on the interface. Using the undo dialer timer compete command, you can restore the default interval. Contention occurs if no free channel is available when DCC tries to originate a call. Normally, after a link is set up, timer idle timing will take effect. However, if a call to a different destination address is to be originated on this interface under the contention circumstance, DCC replaces the timer idle timing with the timer compete timing. Example # Set timer idle and timer compete respectively to 50 seconds and 10 seconds on Serial 0/0/0.
[3Com-Serial0/0/0] dialer timer idle 50
[3Com-Serial0/0/0] dialer timer compete 10

dialer timer enable

Syntax
dialer timer enable seconds
undo dialer timer enable

View Physical or dialer interface view Parameter seconds: Interval for originating the next call, ranges from 5 to 65535 seconds. By default, the interval is 20 seconds. Description Using the dialer timer enable command, you can configure an interval for the next call attempt on an interface after the link is disconnected. Using the undo dialer timer enable command, you can restore the default interval.


Example # Set the interval for DCC to make the next call attempt to 5 seconds.
[3Com-Serial0/0/0] dialer timer enable 5

dialer timer idle

Syntax
dialer timer idle seconds
undo dialer timer idle

View Physical or dialer interface view Parameter seconds: Time that a link is allowed to be idle, ranges from 0 to 65535 seconds. By default, seconds is 120 seconds. Description Using the dialer timer idle command, you can configure the interval that a link is allowed to be idle (in other words, the interval, when there are no packets which comply with the “permit” statements transmitted) after a call has been set up on the interface. Using the undo dialer timer idle command, you can restore the default duration. After a link is set up, the timer idle timer will take effect. If no interesting packets are transmitted on the link within the specified time, DCC will automatically disconnect the link. If timer idle is set to 0, the link will never be disconnected, regardless of whether there are no packets which comply with the “permit” statements to be transmitted over the link or not. Example # Set the timer idle on the interface Serial 0/0/0 to 50 seconds.
[3Com-Serial0/0/0] dialer timer idle 50

dialer timer listen-disable

Syntax
dialer timer listen-disable seconds
undo dialer timer listen-disable

View Physical or dialer interface view Parameter seconds: Delay for disconnecting the backup interface, ranging from 0 to 65535 in units of second. It defaults to 0 second (that is, cut the backup link without delay.) Description Using the dialer timer listen-disable command, you can set the delay for disconnecting the backup interface. Using the undo dialer timer listen-disable command, you can resume the default delay.


Example # Set the delay for disconnecting the backup interface on Serial0/0/0 to 5 seconds.
[3Com-Serial0/0/0] dialer timer listen-disable 5

dialer timer wait-carrier

Syntax
dialer timer wait-carrier seconds
undo dialer timer wait-carrier

View Physical or dialer interface view Parameter seconds: Waiting time in seconds, ranges from 0 to 65535. By default, the time waiting for a call connection is 60 seconds. Description Using the dialer timer wait-carrier command, you can configure the timeout time of wait-carrier timer. Using the undo dialer timer wait-carrier command, you can restore the default time of the timer. Wait-carrier timer begins to time after the DCC call is initiated. If the call connection fails to be set up within the timeout time of this timer, the call will be terminated. If the connection for a call is not established within the specified time, DCC will terminate the call. Example # Set the maximum duration of the time that Serial 0/0/0 waits for call to establish to be 100 seconds.
[3Com-Serial0/0/0] dialer timer wait-carrier 100

dialer user

Syntax
dialer user username
undo dialer user

View Dialer interface view Parameter username: Remote user name for PPP authentication, which is a string of 1 to 31 characters. Description Using the dialer user command, you can configure remote user name for authenticating the requests when calls are received. Using the undo dialer user command, you can cancel the remote user name.


By default, no remote user name is set. This command is only valid on dialer interfaces of Resource-Shared DCC. When dialer interfaces run link protocol of PPP, the remote user name, which are obtained via PPP authentication and configured with dialer user respectively, will decide which dialer interface will receive the incoming call. When dialer interfaces run link protocol of Frame Relay, the calling number, which are received from incoming call and configured with dialer number respectively, will decide which dialer interface will receive the incoming call. In this case, dialer number must be configured, and dialer user can be configured optionally. For related commands, see ppp pap local-user, ppp chap user. Example # Set the remote username to “RouterB”.
[3Com-Dialer3] dialer user RouterB

dialer-group

Syntax
dialer-group group-number
undo dialer-group

View Physical or dialer interface view Parameter group-number: sequence number of dialer access number, ranges from 1 to 255. This group is set through the dialer-rule command. Description Using the dialer-group command, you can configure access control on the packets transmitted on a DCC interface and place the interface in an access control group. Using the undo dialer-group command, you can cancel the interface from united with the access control group. By default, this command is not configured. This command is used for associating a physical interface with an access control group. Through the dialer-rule command, the user can associate an access control group with the acl command. A DCC interface can only be the member of an access control group. If it is configured to be a member of another access control group, this configuration will replace the previous one. In the default configuration of the interface, dialer-group is not configured. The user must configure this command. Otherwise, DCC will be unable to transmit packets. For related command, see dialer-rule. Example # Add Serial0/0/0 interface to access control group 1.


[3Com] dialer-rule 1 acl 101
[3Com-Serial1/0/0] dialer-group 1

dialer-rule

Syntax
dialer-rule dialer-group { protocol-name { permit | deny } | acl acl-number }
undo dialer-rule dialer-group

View System view Parameter dialer-group: Indicates the number of access control group, which is related to the parameter group-number in dialer-group command in the DCC interface view. protocol-name: Network protocol, the value can be ip alike. permit: Permits the packets of the specified protocol. deny: Denies the packets of the specified protocol. acl acl-number: Number of the access control list to which the access control group corresponds. Description Using the dialer-rule command, you can configure the conditions of the data packet that can trigger a DCC call. Using the undo dialer-rule command, you can cancel the setting. By default, no conditions of packet-triggering DCC calls are set for dial interfaces. This command is used to set the DCC call packet-triggering control to which an access control group corresponds. And a dial interface can be placed in an access control group through the dialer-group command. Thereby, the DCC call’s packet-triggering on the DCC interface can be controlled. If an access control group cannot find the corresponding dialer-rule, DCC will regard the packets as packets which do not comply with the “permit” conditions in ACL rule and just drop them. No DCC call will be originated. For related command, see dialer-group. Example # Set a dialer-rule.
[3Com] acl number 101
[3Com-acl-adv-101] rule permit ip source 0.0.0.0 255.255.255.255 destination 0.0.0.0 255.255.255.255
[3Com-acl-adv-101] quit
[3Com] dialer-rule 1 acl 101
[3Com] interface serial1/0/0
[3Com-Serial1/0/0] dialer-group 1
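Several entries in this chapter state dependencies between commands (dialer number and dialer route need dialer-group, dialer-group needs a matching dialer-rule, dialer threshold needs ppp mp, dialer timer idle 0 never disconnects). The following Python audit is an added example, not part of the 3Com guide; it assumes a CLI transcript in the prompt style used by the examples here, a system name without hyphens, and it does not model undo commands. The sample transcript is constructed.

```python
import re

# "[3Com] cmd" is system view; "[3Com-Serial1/0/0] cmd" is the Serial1/0/0 view.
# Assumption: the system name itself contains no hyphen.
PROMPT = re.compile(r"^\[[^\]-]+(?:-([^\]]+))?\]\s*(\S.*)$")

# Consequences as stated in the command descriptions of this chapter.
WHY = {
    "no-dialer-group": "dialer number/route set without dialer-group: DCC will not dial",
    "no-dialer-rule": "dialer-group has no dialer-rule: packets are dropped, no call is made",
    "any-ip-triggers-call": "dialer-rule permits all IP packets to trigger a call",
    "threshold-without-ppp-mp": "dialer threshold must be used together with ppp mp",
    "idle-timer-disabled": "dialer timer idle 0: the link is never disconnected",
}

# Constructed sample transcript (addresses and numbers are placeholders).
SAMPLE = """\
[3Com] dialer-rule 1 ip permit
[3Com] interface dialer 1
[3Com-Dialer1] dialer number 5550100
[3Com-Dialer1] dialer-group 1
[3Com-Dialer1] dialer threshold 80
[3Com-Dialer1] dialer timer idle 0
[3Com] interface serial 0/0/0
[3Com-Serial0/0/0] dialer route ip 192.0.2.5 5550101
[3Com] interface serial 1/0/0
[3Com-Serial1/0/0] dialer-group 2
[3Com-Serial1/0/0] dialer timer idle 50
"""


def parse(transcript):
    """Return (system_view_commands, {view_name: [commands]})."""
    system, views = [], {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        cmd = " ".join(m.group(2).split())
        if m.group(1) is None:
            system.append(cmd)
        else:
            views.setdefault(m.group(1), []).append(cmd)
    return system, views


def last_arg(cmds, prefix):
    """Argument text of the last command starting with `prefix`, else None."""
    hits = [c[len(prefix):].strip() for c in cmds if c.startswith(prefix + " ")]
    return hits[-1] if hits else None


def audit(transcript):
    """Return a sorted list of (view, finding_code) pairs; codes are keys of WHY."""
    system, views = parse(transcript)
    rules = {}
    for cmd in system:
        parts = cmd.split()
        if parts[0] == "dialer-rule" and len(parts) >= 3:
            rules[parts[1]] = parts[2:]
    findings = []
    for view, cmds in views.items():
        group = last_arg(cmds, "dialer-group")
        dials = any(c.startswith(("dialer number ", "dialer route ")) for c in cmds)
        if dials and group is None:
            findings.append((view, "no-dialer-group"))
        if group is not None and group not in rules:
            findings.append((view, "no-dialer-rule"))
        if group in rules and rules[group] == ["ip", "permit"]:
            findings.append((view, "any-ip-triggers-call"))
        # Only the same view is searched for ppp mp (a simplification).
        if last_arg(cmds, "dialer threshold") is not None and "ppp mp" not in cmds:
            findings.append((view, "threshold-without-ppp-mp"))
        if last_arg(cmds, "dialer timer idle") == "0":
            findings.append((view, "idle-timer-disabled"))
    return sorted(findings)


if __name__ == "__main__":
    for view, code in audit(SAMPLE):
        print(view + ": " + WHY[code])
```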

display dialer interface

Syntax
display dialer interface [ interface-type interface-number ]

View Any view Parameter interface-type: Interface type. interface-number: Interface number. Description Using the display dialer interface command, you can view the information of DCC interface. By default, the information of all the DCC interfaces is displayed. For related commands, see dialer timer idle, dialer timer compete, dialer timer wait-for-carrier, dialer timer enable. Example # Display the information on the DCC interface Dialer 1.
[3Com] display dialer interface serial1/0/0
Dial Interface:Serial0/0
Dialer Route:
NextHop_address Dialer_Numbers
131.108.2.5     14155553434
Dialer Timers(Secs):
Auto-dial:300 Idle:50 Compete:10 Enable:5 Wait-for-Carrier:100

interface dialer

Syntax
interface dialer number
undo interface dialer number

View Any view Parameter number: Interface number in the range of 0 to 1023.


Description Using the interface dialer command, you can create a dialer circular group for the Circular DCC, or configure a dialer interface for the Resource-Shared DCC. Using the undo interface dialer command, you can cancel the existing setting. By default, no dialer interface is defined. In Resource-Shared DCC, any dialer interface can use the services provided by multiple physical interfaces, and individual physical interfaces can provide services for multiple dialer interfaces at the same time. Therefore, authentication must be configured on these physical interfaces, so as to use the user name of a dial-in party to locate the corresponding dialer interface for the call. In this mode, physical interfaces and dialer interfaces are dynamically bound. Furthermore, a dialer interface can only call a destination address, which will be specified in the dialer number command. The physical interfaces in Circular DCC and Resource-Shared DCC do not use individual network addresses. Instead, they use the addresses of the corresponding dialer interfaces. Example # Define a dialer interface dialer 1.
[3Com] interface dialer 1

flow-interval

Syntax
flow-interval interval
undo flow-interval

View System view Parameter interval: Flow-interval, in second, ranging from 1 to 1500. By default, it is 20 seconds. Description Using the flow-interval command, you can configure flow interval. Using the undo flow-interval command, you can restore the default value of flow interval. This command takes effect only on DCC flow trigger dial-up. Example # Configure the flow-interval to 3 seconds.
[3Com] flow-interval 3

ppp callback

Syntax
ppp callback { client | server }
undo ppp callback { client | server }


View Physical or dialer interface view Parameter client: As the client end, sends callback requests. server: As the server end, accepts callback requests. Description Using the ppp callback command, you can enable an interface to send or accept PPP callback requests. Using the undo ppp callback command, you can disable the interface to send or accept PPP callback requests. By default, sending or receiving callback request is disabled. The callback function can be used to save the communication cost for the calling party in the case that the calling party pays the charge for calls. For related command, see ppp callback ntstring. Example # Enable accepting callback request on Serial0/0/0 interface.
[3Com-Serial0/0/0] ppp callback server

ppp callback ntstring

Syntax
ppp callback ntstring dial-number
undo ppp callback ntstring

View Physical or dialer interface view Parameter dial-number: Dial number for a Windows NT server to call back the router. Description Using the ppp callback ntstring command, you can configure the dial number required for a Windows NT server to call back the router. Using the undo ppp callback ntstring command, you can cancel the configured callback dial number. By default, no callback dial number is set for the Windows NT server. When a router functions as the callback server to call a Windows NT server, this command should be configured if the server needs the router to send the callback number. For related command, see ppp callback. Example # Set the dial number for a Windows NT server to call back the router to “2489”.
[3Com-Dialer1] ppp callback NTString 2489


Modem Configuration Commands
debugging modem

Syntax
debugging modem

View User views Parameter None Description Using the debugging modem command, you can enable Modem debugging. According to the information output after executing this command, the user can make sure whether the correct Modem script has been specified for a particular event. Example None

modem

Syntax
modem [both/call-in]
undo modem [both/call-in]

View User-interface view Parameter both: Permits incoming and outgoing calls. out: Permits only outgoing calls. Description Using the modem command, you can enable receiving incoming calls or sending outgoing calls on the interface. Using the undo modem command, you can disable receiving incoming calls or sending outgoing calls on the interface. By default, both incoming and outgoing Modem calls are permitted on the interfaces. This command can be used to set the authority of Modem dial-in and dial-out on an interface. Example # Enable receiving incoming Modem calls on interface u-tty1.
[3Com-ui-tty1] modem call-in


modem auto-answer

Syntax
modem auto-answer
undo modem auto-answer

View User interface view Parameter None Description Using the modem auto-answer command, you can configure the external Modem connected to the asynchronous interface to operate in auto-answer mode. Using the undo modem auto-answer command, you can restore the external Modem connected to the asynchronous interface to operate in non-auto answer mode. By default, the system sets an external Modem to non-auto answer mode. Execute this command according to the current answer state of the Modem externally connected to the router. If the Modem is in auto-answer mode (AA LED of the Modem lights), the modem auto-answer command must be executed in the corresponding interface view. If it is in non-auto answer mode, execute the undo modem auto-answer command. Rather than changing the Modem state, the execution of this command only shows the answer mode of Modem. The user should determine whether to execute the modem auto-answer command according to the answer mode (AA LED) of the current external Modem. For related command, see modem. Example # Set the Modem externally connected to the asynchronous serial interface Serial0 to operate auto-answer mode.
[3Com-Serial0] modem auto-answer

script trigger connect

Syntax
script trigger connect script-name
undo script trigger connect

View User interface view Parameter script-name: Name of Modem script.


Description Using the script trigger connect command, you can configure the Modem script that will be executed once an incoming call connection is established. Using the undo script trigger connect command, you can cancel this feature. By default, no Modem script is configured. If this command is configured, the specified script will be executed anytime when an incoming call connection is established. For related commands, see script-string, start-chat, script trigger login, script trigger connect, script trigger logout, script trigger dial, script trigger init. Example # Specify the script “example” to be executed anytime an incoming call connection is established.
[3Com-ui-tty1] script trigger connect example

script trigger dial

Syntax
script trigger dial script-name
undo script trigger dial

View User interface view Parameter script-name: Name of Modem script. Description Using the script trigger dial command, you can configure the Modem script that is used for DCC dialing. Using the undo script trigger dial command, you can cancel the feature. By default, the system does not specify the script. If this command is configured, the specified script will be executed for DCC dialing. For related commands, see script-string, start-chat, script trigger login, script trigger connect, script trigger logout, script trigger init. Example # Specify the script “example” to be used for DCC dialing.
[3Com-ui-tty1] script trigger dial example

script trigger init

Syntax
script trigger init script-name
undo script trigger init


View User interface view Parameter script-name: Name of Modem script. Description Using the script trigger init command, you can configure the Modem script that will be executed when the system is powered on or rebooted. Using the undo script trigger init command, you can cancel this feature. By default, the system does not specify the script. If this command is configured, the specified Modem script will be executed for initializing the asynchronous device connected to the interface when the system is powered on or rebooted. For related commands, see script-string, start-chat, script trigger login, script trigger connect, script trigger dial, script trigger logout. Example # Set the system to execute “example” when the system is powered on or rebooted.
[3Com-ui-tty1] script trigger init example

script trigger login

Syntax
script trigger login script-name
undo script trigger login

View User interface view Parameter script-name: Name of Modem script. Description Using the script trigger login command, you can configure the Modem script that will be executed when an outgoing call connection is successfully established. Using the undo script trigger login command, you can cancel this feature. By default, no Modem script is configured. If this command is configured, the specified script will start to be executed anytime when an outgoing call connection is established. This script can be the registration information on a remote system. For example, when a router is connected to a remote UNIX server, we can log in to the remote UNIX server using this script through sending login information and password to the UNIX server. For related commands, see script-string, start-chat, script trigger connect, script trigger logout, script trigger dial, script trigger init.


Example # Specify the script “example” to be executed anytime an outgoing call connection is established.
[3Com-ui-tty1] script trigger login example

script trigger logout

Syntax
script trigger logout script-name
undo script trigger logout

View User-interface view Parameter script-name: Name of Modem script. Description Using the script trigger logout command, you can configure the Modem script that is executed when a link is reset. Using the undo script trigger logout command, you can cancel this feature. By default, no Modem script is configured. If this command is configured, the specified Modem script will be executed when a link is reset. For example, reset the Modem when the call on the interface is down. For related commands, see script-string, start-chat, script trigger login, script trigger connect, script trigger dial, script trigger init. Example # Specify the Modem script that will be executed when the link is reset.
[3Com] script-string drop-line "" +++ OK ATH OK "ATS0=1" OK
[3Com-ui-tty1] script trigger logout drop-line

script-string

Syntax
script-string script-name script-content
undo script-string script-name

View System view Parameter script-name: Name of Modem script. script-content: Script content.


Description Using the script-string command, you can configure a Modem script. Using the undo script-string command, you can cancel the Modem script. By default, the system does not have a Modem script. 3Com series routers provide the Modem script, which is mainly used for:

Providing flexibility in controlling the Modems of different models. For example, using different initialization strings can make the Modem of different manufacturers or models to better interoperate with the 3Com series routers.

And implementing the interactive login to remote systems. Interactive negotiation of the scripts can enable the systems to enter different link states. For example, after the asynchronous serial interfaces on the two routers set up a connection via the Modems, the routers can negotiate the protocol to be encapsulated with the physical link and its operating parameters.



The Modem script format in common use is as follows:
send-string1 receive-string1 send-string2 receive-string2 ......
Among the above format are:

send-string indicates a sending string. receive-string indicates a receiving string.

Normally, send-string and receive-string appear in pairs, and the script must begin with a sending string. For example, send-string1 receive-string1 …… represents the execution flow: Send send-string1 to the Modem and expect to receive receive-string1. If the string matching receive-string1 is received before timeout, the execution of the subsequent script, which will be otherwise terminated, will continue.

If the last string is a sending string, it indicates that the execution of the script will be terminated after the string is sent without waiting for any receiving string.

If the beginning of the script needs no sending string, but need to wait for receiving string directly, the first string can be set as “”, the meaning of which will be explained later.

Except for ending with \c, the sending string will be automatically added with a return to its end whenever it is sent.

A receiving string is matched via the location-independent matching method. That is, a match is considered successful as long as the received contents contain the expected string.

Concerning the match of receiving string, there can be multiple expected receiving strings. The match operation on a receiving string will be considered successful if the receiving string is matched with any expected receiving strings which are separated by hyphens (“-”).

The default timeout time waiting for a receiving string is 5 seconds. TIMEOUT seconds can be inserted into the script to adjust the timeout time waiting for the receiving string, which is valid till a new TIMEOUT is set in the same script.

For its meanings, refer to the following table.
Table 1 Script keywords
Keyword: Description
ABORT receive-string: The string following ABORT will be compared with the string sent from a Modem or a remote DTE device for a full match. Multiple ABORT entries can be configured for a script, and all of them take effect in the whole script execution period.
TIMEOUT seconds: The digit following TIMEOUT is used to set the timeout interval that the device waits for receiving strings. If no expected strings are received within the interval, the execution of the script will be failed. Once being set, the setting will be valid till a new TIMEOUT is set.



All the strings and keywords in a script are case-sensitive.

Both strings and keywords are separated by spaces. If a space is contained in a string, it should be put in the double quotation marks (" ").

A pair of empty quotation marks (that is, "") has two possible meanings. Being a leading "" in a script, it means that no string needs to be sent and the system will directly wait for the receiving string. If "" is put at any other locations, the string content will be regarded to be "".

ABORT receive-string can be inserted anywhere in a script to change the script execution flow. Its presence in the script indicates that the script execution will be terminated if a received string is fully matched to the receive-string set by ABORT receive-string. Multiple ABORT entries can be defined in a script, and they will take effect concurrently. Once a received string matches any of them, the script execution will be terminated. Regardless of where the ABORT receive-string is placed, it will take effect in the whole script execution process.

Escape characters can be inserted in a script for the purpose of better controlling the script and increasing its flexibility. In addition, all the escape characters are the delimiters in the string at the same time. Refer to the following table for details.

Table 2 Script escape characters
Escape character: Description
\c: It means that only the specified string can be sent and the character "Enter" will not be sent. The character of "\c" must be at the end of the sending strings. Otherwise, it is invalid at other location.
\d: Represents pausing 2 seconds.
\n: Represents the character "newline".
\r: Represents the character "Enter".
\s: Represents the character "Space".
\t: Represents the character "Tab".
\\: Represents the character "\".
\T: Represents telephone number

For related commands, see sendat, start-chat, script trigger login, script trigger connect, script trigger logout, script trigger dial, script trigger init.


Example # Define a Modem script.
[3Com] script-string example "" AT OK ATS0=1 OK
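The send/receive flow and the ABORT, TIMEOUT and escape rules described above can be checked offline before a script is bound to a trigger. The following Python simulator is an added example, not 3Com code; it assumes the send-first ordering exactly as this section states it, treats the appended "return" as a carriage return, and rejects a misplaced \c as an error. The scripts, modem replies and phone number are constructed.

```python
DEFAULT_TIMEOUT = 5  # seconds, the default stated in the text
SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "s": " ", "t": "\t", "\\": "\\"}

# Constructed sample scripts (not from the guide); the phone number is a placeholder.
DIAL = r'AT OK ABORT BUSY ABORT "NO DIALTONE" TIMEOUT 30 ATDT\T CONNECT-CARRIER'
LOGIN = r'"" login: admin\c'


def tokenize(script):
    """Split on spaces; a double-quoted run is one token and "" is an empty token."""
    tokens, i = [], 0
    while i < len(script):
        if script[i].isspace():
            i += 1
        elif script[i] == '"':
            end = script.find('"', i + 1)
            if end < 0:
                raise ValueError("unterminated double quote")
            tokens.append(script[i + 1:end])
            i = end + 1
        else:
            j = i
            while j < len(script) and not script[j].isspace():
                j += 1
            tokens.append(script[i:j])
            i = j
    return tokens


def decode(raw, phone=""):
    """Expand escape characters. Returns (text, add_return)."""
    out, add_return, i = [], True, 0
    while i < len(raw):
        if raw[i] != "\\":
            out.append(raw[i])
            i += 1
            continue
        code = raw[i + 1:i + 2]
        if code == "c":
            if i + 2 != len(raw):  # assumption: a misplaced \c is reported as an error
                raise ValueError(r"\c is only valid at the end of a sending string")
            add_return = False
        elif code == "T":
            out.append(phone)
        elif code in SIMPLE_ESCAPES:
            out.append(SIMPLE_ESCAPES[code])
        elif code != "d":  # \d is a 2-second pause; timing is not simulated
            raise ValueError("unknown escape \\" + code)
        i += 2
    return "".join(out), add_return


def run_script(script, replies, phone=""):
    """Run `script` against `replies`: one entry per wait, holding what arrived in time."""
    tokens = tokenize(script)
    aborts, steps, i = [], [], 0
    while i < len(tokens):  # pass 1: ABORT entries apply to the whole run
        if tokens[i] in ("ABORT", "TIMEOUT"):
            if i + 1 >= len(tokens):
                raise ValueError(tokens[i] + " needs an argument")
            if tokens[i] == "ABORT":
                aborts.append(decode(tokens[i + 1])[0])
            else:
                steps.append(("timeout", int(tokens[i + 1])))
            i += 2
        else:
            steps.append(("string", tokens[i]))
            i += 1
    sent, timeout = [], DEFAULT_TIMEOUT
    sending, first, replies = True, True, iter(replies)
    for kind, value in steps:  # pass 2: alternate sending and receiving strings
        if kind == "timeout":
            timeout = value  # stays in force until the next TIMEOUT
        elif sending:
            if not (first and value == ""):  # a leading "" sends nothing
                text, add_return = decode(value, phone)
                sent.append(text + ("\r" if add_return else ""))
            sending, first = False, False
        else:
            reply = next(replies, "")
            if reply.strip() in aborts:  # ABORT needs a full match
                return {"ok": False, "reason": "ABORT on %r" % reply.strip(), "sent": sent}
            wanted = [decode(alt)[0] for alt in value.split("-")]
            if not any(w in reply for w in wanted):  # expected strings match anywhere
                return {"ok": False, "sent": sent,
                        "reason": "timeout after %ds waiting for %r" % (timeout, value)}
            sending = True
    return {"ok": True, "reason": "completed", "sent": sent}


if __name__ == "__main__":
    print(run_script(DIAL, ["\r\nOK\r\n", "\r\nCONNECT 9600\r\n"], phone="5550100"))
    print(run_script(DIAL, ["\r\nOK\r\n", "\r\nBUSY\r\n"], phone="5550100"))
```

The third constructed case in the checks, a reply of "LINE BUSY NOW", does not abort because ABORT requires a full match, so the run fails on the 30-second timeout instead.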

start-script

Syntax
start-script script-name number

View User view Parameter script-name: Name of Modem script. number: Interface number of the script. Description Using the start-script command, you can configure executing the specified Modem script on an interface. This command provides the user with means of instantly executing the Modem script. If another script is being executed on the corresponding interface, this command will not be executed and an error will be reported. For related command, see script-string. Example # Execute the specified Modem script “example” on the interface 1.
<3Com> start-script example 1
