- Table of Contents
- 
                        - 06-Layer 3—IP Services Command Reference
- 00-Preface
- 01-ARP commands
- 02-IP addressing commands
- 03-DHCP commands
- 04-DNS commands
- 05-NAT commands
- 06-NAT66 commands
- 07-IP forwarding basics commands
- 08-Fast forwarding commands
- 09-Multi-CPU packet distribution commands
- 10-Adjacency table commands
- 11-IP performance optimization commands
- 12-UDP helper commands
- 13-IPv6 basics commands
- 14-DHCPv6 commands
- 15-IPv6 fast forwarding commands
- 16-AFT commands
- 17-Tunneling commands
- 18-GRE commands
- 19-ADVPN commands
- 20-WAAS commands
- 21-Web caching commands
- 22-HTTP proxy commands
 
- Related Documents
- 
                        
| Title | Size | Download | 
|---|---|---|
| 19-ADVPN commands | 340.00 KB | 
Contents
display vam server address-map
display vam server ipv6 address-map
display vam server ipv6 private-network
display vam server private-network
pre-shared-key (ADVPN domain view)
reset vam server ipv6 address-map
display vam client shortcut interest
display vam client shortcut ipv6 interest
pre-shared-key (VAM client view)
reset advpn ipv6 session statistics
reset advpn session statistics
ADVPN commands
VAM server commands
authentication-algorithm
Use authentication-algorithm to specify the algorithms for VAM protocol packet authentication and their priorities.
Use undo authentication-algorithm to restore the default.
Syntax
authentication-algorithm { aes-xcbc-mac | md5 | none | sha-1 | sha-256 } *
undo authentication-algorithm
Default
SHA-1 is used for protocol packet authentication.
Views
ADVPN domain view
Predefined user roles
network-admin
mdc-admin
Parameters
aes-xcbc-mac: Uses the AES-XCBC-MAC authentication algorithm.
md5: Uses the MD5 authentication algorithm.
none: Performs no authentication.
sha-1: Uses the SHA-1 authentication algorithm.
sha-256: Uses the SHA-256 authentication algorithm.
Usage guidelines
The VAM server and client use SHA-1 for connection request and response packet authentication, and use the negotiated algorithms for negotiation acknowledgment and subsequent VAM protocol packet authentication.
An authentication algorithm specified earlier by using this command has a higher priority during algorithm negotiation between a VAM server and a client. The VAM server compares its algorithms in descending order of priority with the algorithms sent by the client, and sends the matching algorithm with the highest priority to the client.
The configuration of this command does not affect registered VAM clients. It applies to subsequently registered VAM clients.
Examples
# Specify the authentication algorithms as MD5, SHA-1, and SHA-256 in descending order of priority for ADVPN domain 1.
<Sysname> system-view
[Sysname] vam server advpn-domain 1
[Sysname-vam-server-domain-1] authentication-algorithm md5 sha-1 sha-256
authentication-method
Use authentication-method to specify an authentication mode that the VAM server uses to authenticate clients.
Use undo authentication-method to restore the default.
Syntax
authentication-method { none | { chap | pap } [ domain isp-name ] }
undo authentication-method
Default
The authentication method is CHAP, and the default domain is used.
Views
ADVPN domain view
Predefined user roles
network-admin
mdc-admin
Parameters
none: Performs no authentication on clients.
chap: Performs CHAP authentication.
pap: Performs PAP authentication.
domain isp-name: Specifies an ISP domain for authentication. The isp-name argument is a case-insensitive string of 1 to 24 characters. It cannot include back slashes (\), vertical bars (|), slashes (/), colons (:), asterisks (*), question marks (?), quotation marks ("), left angle brackets (<), right angle brackets (>), and at signs (@). If you do not specify this option, the default domain is used for authentication.
Usage guidelines
If the specified ISP domain does not exist, the authentication will fail.
A newly configured authentication method does not affect registered VAM clients. It applies to subsequently registered VAM clients.
Examples
# Configure the VAM server to use CHAP to authenticate clients.
<Sysname> system-view
[Sysname] vam server advpn-domain 1
[Sysname-vam-server-domain-1] authentication-method chap
display vam server address-map
Use display vam server address-map to display IPv4 private-public address mapping information for VAM clients registered with the VAM server.
Syntax
display vam server address-map [ advpn-domain domain-name [ private-address private-ip-address ] ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
advpn-domain domain-name: Displays IPv4 address mapping information for VAM clients in the specified ADVPN domain. The domain-name argument is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command displays address mapping information for VAM clients in all ADVPN domains.
private-address private-ip-address: Displays IPv4 address mapping information for the VAM client with the specified private IPv4 address. If you do not specify this option, the command displays mapping information for VAM clients in the specified domain or all ADVPN domains.
verbose: Displays detailed address mapping information. If you do not specify this keyword, the command displays brief address mapping information.
Examples
# Display IPv4 address mapping information for VAM clients in all ADVPN domains.
<Sysname> display vam server address-map
ADVPN domain name: 1
Total private address mappings: 2
Group Private address Public address Type NAT Holding time
1 10.0.0.1 2001::1 Hub No 0H 13M 34S
1 10.0.0.3 74.125.128.102 Spoke Yes 0H 4M 21S
ADVPN domain name: 2
Total private address mappings: 0
ADVPN domain name: 3
Total private address mappings: 1
Group Private address Public address Type NAT Holding time
1 30.0.0.1 113.124.136.1 Hub No 0H 0M 2S
ADVPN domain name: 4
Total private address mappings: 1
Group Private address Public address Type NAT Holding time
1 40.0.0.1 4001::1 Hub No 1H 8M 22S
ADVPN domain name: 5
Total private address mappings: 1
Group Private address Public address Type NAT Holding time
1 50.0.0.1 115.194.156.1 Hub No 132H 41M 29S
# Display IPv4 address mapping information for VAM clients in ADVPN domain 1.
<Sysname> display vam server address-map advpn-domain 1
ADVPN domain name: 1
Total private address mappings: 2
Group Private address Public address Type NAT Holding time
1 10.0.0.1 2001::1 Hub No 0H 13M 34S
1 10.0.0.3 74.125.128.102 Spoke Yes 0H 4M 21S
# Display IPv4 address mapping information for the VAM client with private IPv4 address 10.0.0.1 in ADVPN domain 1.
<Sysname> display vam server address-map advpn-domain 1 private-address 10.0.0.1
Group Private address Public address Type NAT Holding time
1 10.0.0.1 2001::1 Hub No 0H 13M 34S
Table 1 Command output
| Field | Description | 
| Group | Hub group to which the VAM client belongs. | 
| Private address | Private address that the VAM client has registered with the VAM server. | 
| Public address | Public address that the VAM client has registered with the VAM server. | 
| Type | VAM client type: Hub or Spoke. | 
| NAT | Whether NAT traversal is used: No or Yes. | 
| Holding time | Duration time that elapses since the VAM client successfully registered with the server, in the format of xH yM zS. | 
# Display detailed IPv4 address mapping information for VAM clients in all ADVPN domains.
<Sysname> display vam server address-map verbose
ADVPN domain name : 1
Private address : 10.0.0.1
Type : Hub
Hub group : 1
Holding time : 0H 13M 34S
Link protocol : UDP
Public address : 2001::1
Public port : 10018
Registered address: 2001::1
Registered port : 10018
Behind NAT : No
ADVPN domain name : 1
Private address : 10.0.0.3
Type : Spoke
Hub group : 1
Holding time : 0H 4M 21S
Link protocol : UDP
Public address : 74.125.128.102
Public port : 11297
Registered address: 192.168.23.6
Registered port : 2158
Behind NAT : Yes
ADVPN domain name : 3
Private address : 30.0.0.1
Type : Hub
Hub group : 1
Holding time : 0H 0M 2S
Link protocol : GRE
Public address : 113.124.136.1
Registered address: 113.124.136.1
Behind NAT : No
ADVPN domain name : 4
Private address : 40.0.0.1
Hub group : 1
Holding time : 1H 8M 22S
Link protocol : IPsec-UDP
Public address : 4001::1
Registered address: 4001::1
Registered port : 4072
Behind NAT : No
ADVPN domain name : 5
Private address : 50.0.0.1
Type : Hub
Hub group : 1
Holding time : 132H 41M 29S
Link protocol : IPsec-GRE
Public address : 115.194.156.1
Registered address: 115.194.156.1
Behind NAT : No
# Display detailed IPv4 address mapping information for VAM clients in ADVPN domain 1.
<Sysname> display vam server address-map advpn-domain 1 verbose
ADVPN domain name : 1
Private address : 10.0.0.1
Type : Hub
Hub group : 1
Holding time : 0H 13M 34S
Link protocol : UDP
Public address : 2001::1
Public port : 10018
Registered address: 2001::1
Registered port : 10018
Behind NAT : No
ADVPN domain name : 1
Private address : 10.0.0.3
Type : Spoke
Hub group : 1
Holding time : 0H 4M 21S
Link protocol : UDP
Public address : 74.125.128.102
Public port : 11297
Registered address: 192.168.23.6
Registered port : 2158
Behind NAT : Yes
# Display detailed IPv4 address mapping information for the VAM client with private IPv4 address 10.0.0.1 in ADVPN domain 1.
<Sysname> display vam server address-map advpn-domain 1 private-address 10.0.0.1 verbose
ADVPN domain name : 1
Private address : 10.0.0.1
Type : Hub
Hub group : 1
Holding time : 0H 13M 34S
Link protocol : UDP
Public address : 2001::1
Public port : 10018
Registered address: 2001::1
Registered port : 10018
Behind NAT : No
Table 2 Command output
| Field | Description | 
| Private address | Private address that the VAM client has registered with the VAM server. | 
| Type | VAM client type: Hub or Spoke. | 
| Hub group | Hub group to which the VAM client belongs. | 
| Holding time | Duration time that elapses since the VAM client successfully registered with the server, in the format of xH yM zS. | 
| Link protocol | Link layer protocol used by the VAM client for ADVPN tunnel establishment: · UDP. · GRE. · IPsec-UDP. · IPsec-GRE. | 
| Public address | VAM client's public IP address that has been NATed. | 
| Public port | VAM client's ADVPN port number that has been NATed. This field is displayed when the Link protocol is UDP or IPsec-UDP. | 
| Registered address | Public address that the VAM client has registered with the VAM server. | 
| Registered port | ADVPN port number that the VAM client has registered with the VAM server. This field is displayed when the Link protocol is UDP or IPsec-UDP. | 
| IPsec address | IP address used by the VAM client for IPsec tunnel establishment. This field is displayed when the Link protocol is IPsec-UDP or IPsec-GRE. | 
| IPsec port | UDP port number used by the VAM client for IPsec tunnel establishment. This field is displayed when the Link protocol is IPsec-UDP or IPsec-GRE. | 
| Behind NAT | Whether NAT traversal is used: No or Yes. | 
Related commands
reset vam server address-map
display vam server ipv6 address-map
Use display vam server ipv6 address-map to display IPv6 private-public address mapping information for VAM clients registered with the VAM server.
Syntax
display vam server ipv6 address-map [ advpn-domain domain-name [ private-address private-ipv6-address ] ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
advpn-domain domain-name: Displays IPv6 address mapping information for VAM clients in the specified ADVPN domain. The domain-name argument is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command displays address mapping information for VAM clients in all ADVPN domains.
private-address private-ipv6-address: Displays IPv6 address mapping information for the VAM client with the specified private IPv6 address. If you do not specify this option, the command displays mapping information for VAM clients in the specified domain or all ADVPN domains.
verbose: Displays detailed address mapping information. If you do not specify this keyword, the command displays brief address mapping information.
Examples
# Display IPv6 address mapping information for VAM clients in all ADVPN domains.
<Sysname> display vam server ipv6 address-map
ADVPN domain name: 1
Total private address mappings: 2
Group Private address Public address Type NAT Holding time
1 1000::1:0:0:1 2001::1 Hub No 0H 13M 34S
2 1000::2:0:0:1 220.181.111.85 Spoke Yes 0H 4M 21S
ADVPN domain name: 2
Total private address mappings: 0
ADVPN domain name: 3
Total private address mappings: 1
Group Private address Public address Type NAT Holding time
1 1003::1:0:0:1 3001::1 Hub No 0H 0M 2S
ADVPN domain name: 4
Total private address mappings: 1
Group Private address Public address Type NAT Holding time
1 1004::1:0:0:1 202.108.231.125 Hub No 1H 8M 22S
ADVPN domain name: 5
Total private address mappings: 1
Group Private address Public address Type NAT Holding time
1 1005::1:0:0:1 5001::1 Hub No 132H 41M 29S
# Display IPv6 address mapping information for VAM clients in ADVPN domain 1.
<Sysname> display vam server ipv6 address-map advpn-domain 1
ADVPN domain name: 1
Total private address mappings: 2
Group Private address Public address Type NAT Holding time
1 1000::1:0:0:1 2001::1 Hub No 0H 13M 34S
2 1000::2:0:0:1 220.181.111.85 Spoke Yes 0H 4M 21S
# Display IPv6 address mapping information for the VAM client with private IPv6 address 1000::1:0:0:1 in ADVPN domain 1.
<Sysname> display vam server ipv6 address-map advpn-domain 1 private-address 1000::1:0:0:1
Group Private address Public address Type NAT Holding time
1 1000::1:0:0:1 2001::1 Hub No 0H 13M 34S
Table 3 Command output
| Field | Description | 
| Group | Hub group to which the VAM client belongs. | 
| Private address | Private address that the VAM client has registered with the VAM server. | 
| Public address | Public address that the VAM client has registered with the VAM server. | 
| Type | VAM client type: Hub or Spoke. | 
| NAT | Whether NAT traversal is used: No or Yes. | 
| Holding time | Duration time that elapses since the VAM client successfully registered with the server, in the format of xH yM zS. | 
# Display detailed IPv6 address mapping information for VAM clients in all ADVPN domains.
<Sysname> display vam server ipv6 address-map verbose
ADVPN domain name : 1
Private address : 1000::1:0:0:1
Link local address: FE80::50:4
Type : Hub
Hub group : 1
Holding time : 0H 13M 34S
Link protocol : UDP
Public address : 2001::1
Public port : 2098
Registered address: 2001::1
Registered port : 2098
Behind NAT : No
ADVPN domain name : 1
Private address : 1000::2:0:0:1
Link local address: FE80::60:4
Type : Spoke
Hub group : 2
Holding time : 0H 4M 21S
Link protocol : UDP
Public address : 220.181.111.85
Public port : 10018
Registered address: 10.158.26.14
Registered port : 2694
Behind NAT : Yes
ADVPN domain name : 3
Private address : 1003::1:0:0:1
Link local address: FE80::70:4
Type : Hub
Hub group : 1
Holding time : 0H 0M 2S
Link protocol : GRE
Public address : 3001::1
Registered address: 3001::1
Behind NAT : No
ADVPN domain name : 4
Private address : 1004::1:0:0:1
Link local address: FE80::80:4
Hub group : 1
Holding time : 1H 8M 22S
Link protocol : IPsec-UDP
Public address : 202.108.231.125
Registered address: 202.108.231.125
Registered port : 4072
Behind NAT : No
ADVPN domain name : 5
Private address : 1005::1:0:0:1
Link local address: FE80::90:4
Type : Hub
Hub group : 1
Holding time : 132H 41M 29S
Link protocol : IPsec-GRE
Public address : 5001::1
Registered address: 5001::1
Behind NAT : No
# Display detailed IPv6 address mapping information for VAM clients in ADVPN domain 1.
<Sysname> display vam server ipv6 address-map advpn-domain 1 verbose
ADVPN domain name : 1
Private address : 1000::1:0:0:1
Link local address: FE80::50:4
Type : Hub
Hub group : 1
Holding time : 0H 13M 34S
Link protocol : UDP
Public address : 2001::1
Public port : 2098
Registered address: 2001::1
Registered port : 2098
Behind NAT : No
ADVPN domain name : 1
Private address : 1000::2:0:0:1
Link local address: FE80::60:4
Type : Spoke
Hub group : 2
Holding time : 0H 4M 21S
Link protocol : UDP
Public address : 220.181.111.85
Public port : 10018
Registered address: 10.158.26.14
Registered port : 2694
Behind NAT : Yes
# Display detailed IPv6 address mapping information for the VAM client with private IPv6 address 1000::1:0:0:1 in ADVPN domain 1.
<Sysname> display vam server ipv6 address-map advpn-domain 1 ipv6 private-address 1000::1:0:0:1 verbose
ADVPN domain name : 1
Private address : 1000::1:0:0:1
Link local address: FE80::50:4
Type : Hub
Hub group : 1
Holding time : 0H 13M 34S
Link protocol : UDP
Public address : 2001::1
Public port : 2098
Registered address: 2001::1
Registered port : 2098
Behind NAT : No
Table 4 Command output
| Field | Description | 
| Private address | Private address that the VAM client has registered with the VAM server. | 
| Link local address | Link local address that the VAM client has registered with the VAM server. | 
| Type | VAM client type: Hub or Spoke. | 
| Hub group | Hub group to which the VAM client belongs. | 
| Holding time | Duration time that elapses since the VAM client successfully registered with the server, in the format of xH yM zS. | 
| Link protocol | Link layer protocol used by the VAM client for ADVPN tunnel establishment: · UDP. · GRE. · IPsec-UDP. · IPsec-GRE. | 
| Public address | VAM client's public IP address that has been NATed. | 
| Public port | VAM client's ADVPN port number that has been NATed. This field is displayed when the Link protocol is UDP or IPsec-UDP. | 
| Registered address | Public address that the VAM client has registered with the VAM server. | 
| Registered port | ADVPN port number that the VAM client has registered with the VAM server. This field is displayed when the Link protocol is UDP or IPsec-UDP. | 
| IPsec address | IP address used by the VAM client for IPsec tunnel establishment. This field is displayed when the Link protocol is IPsec-UDP or IPsec-GRE. | 
| IPsec port | UDP port number used by the VAM client for IPsec tunnel establishment. This field is displayed when the Link protocol is IPsec-UDP or IPsec-GRE. | 
| Behind NAT | Whether NAT traversal is used: No or Yes. | 
Related commands
reset vam server ipv6 address-map
display vam server ipv6 private-network
Use display vam server ipv6 private-network to display IPv6 private networks for VAM clients registered with the VAM server.
Syntax
display vam server ipv6 private-network [ advpn-domain domain-name [ private-address private-ipv6-address ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
advpn-domain domain-name: Displays IPv6 private networks for VAM clients in the specified ADVPN domain. The domain-name argument is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command displays IPv6 private networks for VAM clients in all ADVPN domains.
private-address private-ipv6-address: Displays IPv6 private networks for the VAM client with the specified private IPv6 address. If you do not specify this option, the command displays IPv6 private networks for VAM clients in the specified domain or all ADVPN domains.
Examples
# Display IPv6 private networks for VAM clients in all ADVPN domains.
<Sysname> display vam server ipv6 private-network
ADVPN domain name: 1
Total private networks: 5
Network/Prefix Private address Preference
1000::1:0:0:0/96 1000::1:0:0:2 80
1000::1:0:0:0/100 1000::1:0:0:1 80
1000::1:1:0:0/96 1000::1:0:0:1 80
1000::2:0:0:0/96 1000::1:0:0:2 80
1000::2:0:0:0/96 1000::2:0:0:2 80
ADVPN domain name: 2
Total private networks: 0
ADVPN domain name: 3
Total private networks: 1
Network/Prefix Private address Preference
1001::1:0:0:0/100 1001::1:0:0:1 80
# Display IPv6 private networks for VAM clients in ADVPN domain 1.
<Sysname> display vam server ipv6 private-network advpn-domain 1
ADVPN domain name: 1
Total private networks: 5
Network/Prefix Private address Preference
1000::1:0:0:0/96 1000::1:0:0:2 80
1000::1:0:0:0/100 1000::1:0:0:1 80
1000::1:1:0:0/96 1000::1:0:0:1 80
1000::2:0:0:0/96 1000::1:0:0:2 80
1000::2:0:0:0/96 1000::2:0:0:2 80
# Display IPv6 private networks for the VAM client with private IPv6 address 1000::1:0:0:1.
<Sysname> display vam server ipv6 private-network advpn-domain 1 private-address 1000::1:0:0:1
Total private networks: 2
Network/Prefix Private address Preference
1000::1:0:0:0/100 1000::1:0:0:1 80
1000::1:1:0:0/96 1000::1:0:0:1 80
Table 5 Command output
| Field | Description | 
| Network/Prefix | Private network address/prefix length for an ADVPN tunnel interface. | 
| Private address | Private address that the VAM client has registered with the VAM server. | 
| Preference | Preference of the private route that the VAM client has registered with the VAM server. | 
display vam server private-network
Use display vam server private-network to display IPv4 private networks for VAM clients registered with the VAM server.
Syntax
display vam server private-network [ advpn-domain domain-name [ private-address private-ip-address ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
advpn-domain domain-name: Displays IPv4 private networks for VAM clients in the specified ADVPN domain. The domain-name argument is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command displays IPv4 private networks for VAM clients in all ADVPN domains.
private-address private-ip-address: Displays IPv4 private networks for the VAM client with the specified private IPv4 address. If you do not specify this option, the command displays IPv6 private networks for VAM clients in the specified domain or all ADVPN domains.
Examples
# Display IPv4 private networks for VAM clients in all ADVPN domains.
<Sysname> display vam server private-network
ADVPN domain name: 1
Total private networks: 5
Network/Mask Private address Preference
192.168.0.0/24 10.0.0.2 80
192.168.0.0/28 10.0.0.1 80
192.168.1.0/24 10.0.0.1 80
192.168.100.0/24 10.0.0.2 80
192.168.100.0/24 10.0.0.3 80
ADVPN domain name: 2
Total private networks: 0
ADVPN domain name: 3
Total private networks: 1
Network/Mask Private address Preference
192.168.200.0/24 20.0.0.1 80
# Display IPv4 private networks for VAM clients in ADVPN domain 1.
<Sysname> display vam server private-network advpn-domain 1
ADVPN domain name: 1
Total private networks: 5
Network/Mask Private address Preference
192.168.0.0/24 10.0.0.2 80
192.168.0.0/28 10.0.0.1 80
192.168.1.0/24 10.0.0.1 80
192.168.100.0/24 10.0.0.2 80
192.168.100.0/24 10.0.0.3 80
# Display IPv4 private networks for the VAM client with private IPv4 address 10.0.0.1.
<Sysname> display vam server private-network advpn-domain 1 private-address 10.0.0.1
Total private networks: 5
Network/Mask Private address Preference
192.168.0.0/28 10.0.0.1 80
192.168.1.0/24 10.0.0.1 80
Table 6 Command output
| Field | Description | 
| Network/Mask | Private network address/mask length for an ADVPN tunnel interface. | 
| Private address | Private address that the VAM client has registered with the VAM server. | 
| Preference | Preference of the private route that the VAM client has registered with the VAM server. | 
display vam server statistics
Use display vam server statistics to display ADVPN domain statistics on the VAM server.
Syntax
display vam server statistics [ advpn-domain domain-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
advpn-domain domain-name: Displays statistics for the specified ADVPN domain. The domain-name argument is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command displays statistics for all ADVPN domains on the VAM server.
Examples
# Display statistics for all ADVPN domains.
<Sysname> display vam server statistics
Total ADVPN number: 3
Total spoke number: 121
Total hub number : 3
ADVPN domain name : 1
Server status : Enabled
Holding time : 0H 1M 47S
Registered spoke number: 98
Registered hub number : 2
Packets received:
Initialization request : 100
Initialization complete : 100
Register request : 100
Authentication information : 100
Address resolution request : 203
Network registration request : 59
Update request : 196
Logout request : 0
Hub information response : 2
Data flow information response: 0
Keepalive : 642
Error notification : 0
Unknown : 0
Packets sent:
Initialization response : 100
Initialization complete : 100
Authentication request : 100
Register response : 100
Address resolution response : 203
Network registration response: 59
Update response : 196
Hub information request : 2
Data flow information request: 0
Logout response : 0
Keepalive : 642
Error notification : 0
ADVPN domain name : 2
Server status : Disabled
ADVPN domain name : 3
Server status : Enabled
Holding time : 0H 33M 53S
Registered spoke number: 23
Registered hub number : 1
Packets received:
Initialization request : 24
Initialization complete : 24
Register request : 24
Authentication information : 24
Address resolution request : 23
Network registration request : 0
Update request : 5
Logout request : 0
Hub information response : 2
Data flow information response: 0
Keepalive : 362
Error notification : 0
Unknown : 0
Packets sent:
Initialization response : 24
Initialization complete : 24
Authentication request : 24
Register response : 24
Address resolution response : 23
Network registration response: 0
Update response : 0
Hub information request : 2
Data flow information request: 0
Logout response : 0
Keepalive : 362
Error notification : 0
# Display statistics for ADVPN domain 1.
<Sysname> display vam server statistics advpn-domain 1
ADVPN domain name : 1
Server status : Enabled
Holding time : 0H 1M 47S
Registered spoke number: 98
Registered hub number : 2
Packets received:
Initialization request : 100
Initialization complete : 100
Register request : 100
Authentication information : 100
Address resolution request : 203
Network registration request : 59
Update request : 196
Logout request : 0
Hub information response : 2
Data flow information response: 0
Keepalive : 642
Error notification : 0
Unknown : 0
Packets sent:
Initialization response : 100
Initialization complete : 100
Authentication request : 100
Register response : 100
Address resolution response : 203
Network registration response: 59
Update response : 196
Hub information request : 2
Data flow information request: 0
Logout response : 0
Keepalive : 642
Error notification : 0
Table 7 Command output
| Field | Description | 
| Server status | Whether the VAM server is enabled: Enabled or Disabled. | 
| Holding time | Duration time that elapses after the VAM service is enabled, in the format of xH yM zS. | 
Related commands
reset vam server statistics
encryption-algorithm
Use encryption-algorithm to specify the algorithms for VAM protocol packet encryption and their priorities.
Use undo encryption-algorithm to restore the default.
Syntax
encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | des-cbc | none } *
undo encryption-algorithm
Default
The following encryption algorithms are available (in descending order of priority):
· AES-CBC-256
· AES-CBC-192
· AES-CBC-128
· AES-CTR-256
· AES-CTR-192
· AES-CTR-128
· 3DES-CBC
· DES-CBC
Views
ADVPN domain view
Predefined user roles
network-admin
mdc-admin
Parameters
3des-cbc: Uses the 3DES-CBC encryption algorithm.
aes-cbc-128: Uses the AES-CBC encryption algorithm, with a key length of 128 bits.
aes-cbc-192: Uses the AES-CBC encryption algorithm, with a key length of 192 bits.
aes-cbc-256: Uses the AES-CBC encryption algorithm, with a key length of 256 bits.
aes-ctr-128: Uses the AES-CTR encryption algorithm, with a key length of 128 bits.
aes-ctr-192: Uses the AES-CTR encryption algorithm, with a key length of 192 bits.
aes-ctr-256: Uses the AES-CTR encryption algorithm, with a key length of 256 bits.
des-cbc: Uses the DES-CBC encryption algorithm.
none: Performs no encryption.
Usage guidelines
The VAM server and client use AES-CBC-128 for connection request and response packet encryption, and use the negotiated algorithms for negotiation acknowledgment and subsequent VAM protocol packet encryption.
An encryption algorithm specified earlier by using this command has a higher priority during algorithm negotiation between a VAM server and a client. The VAM server compares its algorithms in descending order of priority with the algorithms sent by the client, and sends the matching algorithm with the highest priority to the client.
The configuration of this command does not affect registered VAM clients. It applies to subsequently registered VAM clients.
Examples
# Specify the encryption algorithms as AES-CBC-128 and 3DES-CBC for ADVPN domain 1, where AES-CBC-128 has a higher priority.
<Sysname> system-view
[Sysname] vam server advpn-domain 1
[Sysname-vam-server-domain-1] encryption-algorithm aes-cbc-128 3des-cbc
hub ipv6 private-address
Use hub ipv6 private-address to configure a hub private IPv6 address in a hub group.
Use undo hub ipv6 private-address to remove a hub private IPv6 address from a hub group.
Syntax
hub ipv6 private-address private-ipv6-address [ public-address { public-ipv4-address | public-ipv6-address } [ advpn-port port-number ] ]
undo hub ipv6 private-address private-ipv6-address
Default
No hub private IPv6 address is configured.
Views
Hub group view
Predefined user roles
network-admin
mdc-admin
Parameters
private-ipv6-address: Specifies the private IPv6 address of a hub. The address must be a global unicast address.
public-address: Specifies the public address of the hub. If you do not specify this keyword, the VAM server uses the public address registered by the hub.
public-ipv4-address: Specifies the public IPv4 address of the hub. The address must be a unicast address.
public-ipv6-address: Specifies the public IPv6 address of the hub. The address must be a global unicast address.
advpn-port port-number: Specifies the ADVPN port number of the hub, in the range of 1025 to 65535. If you do not specify this option, the VAM server uses the port number registered by the hub.
Usage guidelines
For a hub to traverse a NAT gateway, configure a static mapping between the hub's registered public address/ADVPN port number and a NATed address/port number on the NAT gateway. To use this command to add the hub to a hub group, specify the NATed address and port number as the public address and ADVPN port number.
You can configure multiple hub private IPv6 addresses for a hub group.
If you execute this command multiple times for a private IPv6 address, the most recent configuration takes effect.
Examples
# Add a hub to hub group 1 in ADVPN domain 1 with private IPv6 address 1000::1:0:0:1, public IPv6 address 2001::1, and ADVPN port number 8000.
<Sysname> system-view
[Sysname] vam server advpn-domain 1
[Sysname-vam-server-domain-1] hub-group 1
[Sysname-vam-server-domain-1-hub-group-1] hub ipv6 private-address 1000::1:0:0:1 public-address 2001::1 advpn-port 8000
hub private-address
Use hub private-address to configure a hub private IPv4 address in a hub group.
Use undo hub private-address to remove a hub private IPv4 address from a hub group.
Syntax
hub private-address private-ip-address [ public-address { public-ipv4-address | public-ipv6-address } [ advpn-port port-number ] ]
undo hub private-address private-ip-address
Default
No hub private IPv4 address is configured.
Views
Hub group view
Predefined user roles
network-admin
mdc-admin
Parameters
private-ip-address: Specifies the private IPv4 address of a hub. The address must be a unicast address.
public-address: Specifies the public address of the hub. If you do not specify this keyword, the VAM server uses the public address registered by the hub.
public-ipv4-address: Specifies the public IPv4 address of the hub. The address must be a unicast address.
public-ipv6-address: Specifies the public IPv6 address of the hub. The address must be a global unicast address.
advpn-port port-number: Specifies the ADVPN port number of the hub, in the range of 1025 to 65535. If you do not specify this option, the VAM server uses the port number registered by the hub.
Usage guidelines
For a hub to traverse a NAT gateway, configure a static mapping between the hub's registered public address/ADVPN port number and a NATed address/port number on the NAT gateway. To use this command to add the hub to a hub group, specify the NATed address and port number as the public address and ADVPN port number.
You can configure a maximum of four hub private IPv4 addresses for a hub group.
If you execute this command multiple times for a private IPv4 address, the most recent configuration takes effect.
Examples
# Add a hub to hub group 1 in ADVPN domain 1 with private IPv4 address 10.1.1.1, public IPv4 address 123.0.0.1, and ADVPN port number 8000.
<Sysname> system-view
[Sysname] vam server advpn-domain 1
[Sysname-vam-server-domain-1] hub-group 1
[Sysname-vam-server-domain-1-hub-group-1] hub private-address 10.1.1.1 public-address 123.0.0.1 advpn-port 8000
hub-group
Use hub-group to create a hub group and enter its view, or enter the view of an existing hub group.
Use undo hub-group to delete a hub group.
Syntax
hub-group group-name
undo hub-group group-name
Default
No hub groups exist.
Views
ADVPN domain view
Predefined user roles
network-admin
mdc-admin
Parameters
group-name: Specifies a group by its name. A group name is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.).
Usage guidelines
Hub groups apply to large ADVPN networks. You can classify spokes to different hub groups, and specify one or more hubs for each group.
When a VAM client registers with the VAM server, the VAM server selects a hub group for the client as follows:
1. The server matches the private address of the client against the private addresses of hubs in different hub groups in lexicographic order.
2. If a match is found, the server assigns the client to the hub group as a hub.
3. If no match is found, the server matches the client's private address against the private addresses of spokes in different hub groups in lexicographic order.
4. If a match is found, the server assigns the client to the hub group as a spoke.
5. If no match is found, the registration fails.
The VAM server only assigns hub information in the matching hub group to the client. The client only establishes permanent ADVPN tunnels to the hubs in the matching hub group.
Examples
# Create hub group 1 in ADVPN domain 1, and enter hub group view.
<Sysname> system-view
[Sysname] vam server advpn-domain 1
[Sysname-vam-server-domain-1] hub-group 1
[Sysname-vam-server-domain-1-hub-group-1]
keepalive
Use keepalive to set a keepalive interval and a maximum number of keepalive retries for VAM clients.
Use undo keepalive to restore the default.
Syntax
keepalive interval interval retry retries
undo keepalive
Default
The keepalive interval is 180 seconds and the maximum number of keepalive retries is 3.
Views
ADVPN domain view
Predefined user roles
network-admin
mdc-admin
Parameters
interval interval: Specifies the keepalive interval in the range of 5 to 65535 seconds.
retry retries: Specifies the maximum number of keepalive retries, in the range of 1 to 6.
Usage guidelines
The VAM server assigns the configured keepalive parameters to clients in the ADVPN domain.
A client sends keepalives to the server at the specified interval. If a client receives no responses from the server after maximum keepalive attempts (keepalive retries + 1), the client stops sending keepalives. If the VAM server receives no keepalives from a client before the timeout timer expires, the server removes information about the client and logs off the client. The timeout time is the product of the keepalive interval and keepalive attempts.
Newly configured keepalive parameters do not affect registered VAM clients. They apply to subsequently registered clients.
If a device configured with dynamic NAT exists between the VAM server and VAM clients, configure the keepalive interval to be shorter than the aging time of NAT entries.
Configure proper values for the keepalive parameters depending on the network condition.
Examples
# Set the keepalive interval for VAM clients in ADVPN domain 1 to 30 seconds, and the maximum number of keepalive retries to 5.
<Sysname> system-view
[Sysname] vam server advpn-domain 1
[Sysname-vam-server-domain-1] keepalive interval 30 retry 5
pre-shared-key (ADVPN domain view)
Use pre-shared-key to configure a preshared key for the VAM server.
Use undo pre-shared-key to remove the configuration.
Syntax
pre-shared-key { cipher | simple } string
undo pre-shared-key
Default
No preshared key is configured.
Views
ADVPN domain view
Predefined user roles
network-admin
mdc-admin
Parameters
cipher: Specifies a preshared key in encrypted form.
simple: Specifies a preshared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the preshared key. Its plaintext form is a case-sensitive string of 1 to 31 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters.
Usage guidelines
The preshared key is used to generate initial encryption and authentication keys during connection initialization. It is also used to generate encryption and authentication keys for subsequent packets if encryption and authentication are needed.
The VAM server and all clients in an ADVPN domain must have the same preshared key.
Examples
# Set the key to 123 in plaintext form for the VAM server in ADVPN domain 1.
<Sysname> system-view
[Sysname] vam server advpn-domain 1
[Sysname-vam-server-domain-1] pre-shared-key simple 123
Related commands
pre-shared-key (VAM client view)
reset vam server address-map
Use reset vam server address-map to clear IPv4 private-public address mapping information for VAM clients registered with the VAM server.
Syntax
reset vam server address-map [ advpn-domain domain-name [ private-address private-ip-address ] ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
advpn-domain domain-name: Clears IPv4 address mapping information for VAM clients in the specified ADVPN domain. The domain-name argument is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command clears address mapping information for VAM clients in all ADVPN domains.
private-address private-ip-address: Clears IPv4 address mapping information for the VAM client with the specified private IPv4 address. If you do not specify this option, the command clears address mapping information for VAM clients in the specified domain or all ADVPN domains.
Usage guidelines
| CAUTION: When this command is executed, the system sends an error notification to VAM clients that have registered the private IPv4 addresses and logs off the clients. | 
Executing this command also clears IPv4 private network information for the private IPv4 addresses.
Examples
# Clear IPv4 address mapping information for clients in all ADVPN domains.
<Sysname> reset vam server address-map
# Clear IPv4 address mapping information for clients in ADVPN domain 1.
<Sysname> reset vam server address-map advpn-domain 1
# Clear IPv4 address mapping information for the client with private IPv4 address 10.0.0.1 in ADVPN domain 1.
<Sysname> reset vam server address-map advpn-domain 1 private-address 10.0.0.1
Related commands
display vam server address-map
reset vam server ipv6 address-map
Use reset vam server ipv6 address-map to clear IPv6 private-public address mapping information for VAM clients registered with the VAM server.
Syntax
reset vam server ipv6 address-map [ advpn-domain domain-name [ private-address private-ipv6-address ] ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
advpn-domain domain-name: Clears IPv6 address mapping information for VAM clients in the specified ADVPN domain. The domain-name argument is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command clears address mapping information for VAM clients in all ADVPN domains.
private-address private-ipv6-address: Clears IPv6 address mapping information for the VAM client with the specified private IPv6 address. If you do not specify this option, the command clears address mapping information for VAM clients in the specified domain or all ADVPN domains.
Usage guidelines
| CAUTION: When this command is executed, the system sends an error notification to VAM clients that have registered the private IPv6 addresses and logs off the clients. | 
Executing this command also clears IPv6 private network information for the private IPv6 addresses.
Examples
# Clear IPv6 address mapping information for clients in all ADVPN domains.
<Sysname> reset vam server ipv6 address-map
# Clear IPv6 address mapping information for clients in ADVPN domain 1.
<Sysname> reset vam server ipv6 address-map advpn-domain 1
# Clear IPv6 address mapping information for the client with private IPv6 address 1000::1:0:0:1 in ADVPN domain 1.
<Sysname> reset vam server ipv6 address-map advpn-domain 1 private-address 1000::1:0:0:1
Related commands
display vam server ipv6 address-map
reset vam server statistics
Use reset vam server statistics to clear ADVPN domain statistics on the VAM server.
Syntax
reset vam server statistics [ advpn-domain domain-name ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
advpn-domain domain-name: Clears statistics for the specified ADVPN domain. The domain-name argument is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command clears statistics for all ADVPN domains on the server.
Examples
# Clear statistics for ADVPN domain abc.
<Sysname> reset vam server statistics advpn-domain abc
# Clear statistics for all ADVPN domains.
<Sysname> reset vam server statistics
Related commands
display vam server statistics
retry interval
Use retry interval to set the retry timer for the VAM server.
Use undo retry interval to restore the default.
Syntax
retry interval interval
undo retry interval
Default
The retry timer is 5 seconds.
Views
ADVPN domain view
Predefined user roles
network-admin
mdc-admin
Parameters
interval: Specifies the retry timer in the range of 3 to 30 seconds.
Usage guidelines
The VAM server starts the retry timer after it sends a request to a client. If the server receives no response from the client before the retry timer expires, the server resends the request. The server stops sending the request after receiving a response from the client or after the timeout timer (product of the keepalive interval and keepalive attempts) expires.
Examples
# Set the retry timer to 20 seconds for the VAM server in ADVPN domain 1.
<Sysname> system-view
[Sysname] vam server advpn-domain 1
[Sysname-vam-server-domain-1] retry interval 20
server enable
Use server enable to enable the VAM server for an ADVPN domain.
Use undo server enable to disable the VAM server for an ADVPN domain.
Syntax
server enable
undo server enable
Default
The VAM server is disabled for an ADVPN domain.
Views
ADVPN domain view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
You can also execute the vam server enable command in system view to enable the VAM server for one or all ADVPN domains.
Examples
# Enable the VAM server for ADVPN domain 1.
<Sysname> system-view
[Sysname] vam server advpn-domain 1
[Sysname-vam-server-domain-1] server enable
Related commands
vam server enable
shortcut interest
Use shortcut interest to specify an ACL to control establishing IPv4 spoke-to-spoke tunnels.
Use undo shortcut interest to restore the default.
Syntax
shortcut interest { acl { acl-number | name acl-name } all }
undo shortcut interest
Default
Spokes are not allowed to establish direct tunnels.
Views
Hub group view
Predefined user roles
network-admin
mdc-admin
Parameters
acl: Specifies an ACL to control establishing IPv4 spoke-to-spoke tunnels.
acl-number: Specifies an IPv4 ACL by its number:
· 2000 to 2999 for IPv4 basic ACLs.
· 3000 to 3999 for IPv4 advanced ACLs.
name acl-name: Specifies an ACL by its name. An ACL name is a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all.
all: Allows establishing IPv4 spoke-to-spoke tunnels between all spokes in different hub groups.
Usage guidelines
The VAM server assigns the specified ACL to an online hub. When receiving an IPv4 spoke-to-spoke packet from a spoke, the hub sends a redirect packet to the spoke if all is specified or if the packet matches an ACL rule. Then, the spoke sends the VAM server the destination address of the packet, obtains the remote spoke information, and establishes a direct tunnel to the remote spoke.
After a spoke-spoke tunnel is established, the spokes directly exchange packets.
When you specify an IPv4 ACL, follow these guidelines:
· If the ACL does not exist, the configuration does not take effect. The hub does not send any redirect packets to the spoke.
· If the ACL is an IPv4 basic ACL, this command supports only rules that match source addresses.
· If the ACL is an IPv4 advanced ACL, this command supports rules that match protocol numbers, source/destination addresses, and source/destination ports. It does not support rules that exclude a source/destination port.
· If the ACL contains an unsupported rule, the rule does not take effect.
Examples
# Specify ACL 3000 to control establishing IPv4 spoke-to-spoke tunnels.
<Sysname> system-view
[Sysname] vam server advpn-domain 1
[Sysname-vam-server-domain-1] hub-group 1
[Sysname-vam-server-domain-1-hub-group-1] shortcut interest acl 3000
shortcut ipv6 interest
Use shortcut ipv6 interest to specify an ACL to control establishing IPv6 spoke-to-spoke tunnels.
Use undo shortcut ipv6 interest to restore the default.
Syntax
shortcut ipv6 interest { acl { ipv6-acl-number | name ipv6-acl-name } all }
undo shortcut ipv6 interest
Default
Spokes are not allowed to establish direct tunnels.
Views
Hub group view
Predefined user roles
network-admin
mdc-admin
Parameters
acl: Specifies an ACL to control establishing IPv6 spoke-to-spoke tunnels.
ipv6-acl-number: Specifies an IPv6 ACL by its number:
· 2000 to 2999 for IPv6 basic ACLs.
· 3000 to 3999 for IPv6 advanced ACLs.
name ipv6-acl-name: Specifies an IPv6 ACL by its name. An IPv6 ACL name is a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all.
all: Allows establishing IPv6 spoke-to-spoke tunnels between all spokes in different hub groups.
Usage guidelines
The VAM server assigns the specified ACL to an online hub. When receiving an IPv6 spoke-to-spoke packet from a spoke, the hub sends a redirect packet to the spoke if all is specified or if the packet matches an ACL rule. Then, the spoke sends the destination address of the packet to the VAM server, obtains the remote spoke information, and establishes a direct tunnel to the remote spoke.
After a spoke-spoke tunnel is established, the spokes directly exchange packets.
When you specify an IPv6 ACL, follow these guidelines:
· If the ACL does not exist, the configuration does not take effect. The hub does not send any redirect packets to the spoke.
· If the ACL is an IPv6 basic ACL, this command supports only rules that match source addresses.
· If the ACL is an IPv6 advanced ACL, this command supports rules that match protocol numbers, source/destination addresses, and source/destination ports. It does not support rules that exclude a source/destination port.
· If the ACL contains an unsupported rule, the rule does not take effect.
Examples
# Specify ACL 3000 to control establishing IPv6 spoke-to-spoke tunnels.
<Sysname> system-view
[Sysname] vam server advpn-domain 1
[Sysname-vam-server-domain-1] hub-group 1
[Sysname-vam-server-domain-1-hub-group-1] shortcut ipv6 interest acl 3000
spoke ipv6 private-address
Use spoke ipv6 private-address to configure a spoke private IPv6 address range in a hub group.
Use undo ipv6 spoke private-address to delete a spoke private IPv6 address range in a hub group.
Syntax
spoke ipv6 private-address { network prefix prefix-length | range start-ipv6-address end-ipv6-address }
undo spoke ipv6 private-address { network prefix prefix-length | range start-ipv6-address end-ipv6-address }
Default
No spoke private IPv6 address range is configured.
Views
Hub group view
Predefined user roles
network-admin
mdc-admin
Parameters
network prefix prefix-length: Specifies a prefix and prefix length. The value range for prefix-length is 0 to 128.
range start-ipv6-address end-ipv6-address: Specifies a start IPv6 address and an end IPv6 address.
Usage guidelines
If you specify a prefix and prefix length, the system automatically transforms them to a start address and an end address.
You can configure multiple spoke private IPv6 address ranges in a hub group. The ranges are listed from low to high.
The spoke private IPv6 address range to be deleted must be the same as the configured one.
Examples
# Configure a spoke private IPv6 address range in IPv6 network address format as 1000::/64 for hub group 1.
<Sysname> system-view
[Sysname] vam server advpn-domain 1
[Sysname-vam-server-domain-1] hub-group 1
[Sysname-vam-server-domain-1-hub-group-1] spoke ipv6 private-address network 1000:: 64
spoke private-address
Use spoke private-address to configure a spoke private IPv4 address range in a hub group.
Use undo spoke private-address to delete a spoke private IPv4 address range in a hub group.
Syntax
spoke private-address { network ip-address { mask-length | mask } | range start-ipv4-address end-ipv4-address }
undo spoke private-address { network ip-address { mask-length | mask } | range start-ipv4-address end-ipv4-address }
Default
No spoke private IPv4 address range is configured.
Views
Hub group view
Predefined user roles
network-admin
mdc-admin
Parameters
network ip-address { mask-length | mask }: Specifies an IPv4 address and its mask length (or mask). The value range for mask-length is 0 to 32.
range start-address end-address: Specifies a start IPv4 address and an end IPv4 address.
Usage guidelines
If you specify an IPv4 address and its mask length (or mask), the system automatically transforms them to a start address and an end address.
You can configure multiple spoke private IPv4 address ranges in a hub group. The ranges are listed from low to high.
The spoke private IPv4 address range to be deleted must be the same as the configured one.
Examples
# Configure a spoke private IPv4 address range in IPv4 network address format as 1.1.1.0/24 for hub group 1.
<Sysname> system-view
[Sysname] vam server advpn-domain 1
[Sysname-vam-server-domain-1] hub-group 1
[Sysname-vam-server-domain-1-hub-group-1] spoke private-address network 1.1.1.0 255.255.255.0
vam server advpn-domain
Use vam server advpn-domain to create an ADVPN domain and enter its view, or enter the view of an existing ADVPN domain.
Use undo vam server advpn-domain to remove an ADVPN domain.
Syntax
vam server advpn-domain domain-name [ id domain-id ]
undo vam server advpn-domain domain-name
Default
No ADVPN domains exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies an ADVPN domain by its name. An ADVPN domain name is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.).
id domain-id: Specifies the ID of an ADVPN domain, in the range of 1 to 65535.
Usage guidelines
An ADVPN domain ID is required only when you create the ADVPN domain.
You must specify a unique domain ID for an ADVPN domain.
Examples
# Create ADVPN domain 1 with domain ID 1, and enter its view.
<Sysname> system-view
[Sysname] vam server advpn-domain 1 id 1
[Sysname-vam-server-domain-1]
vam server enable
Use vam server enable to enable the VAM server for ADVPN domains.
Use undo vam server enable to disable the VAM server for ADVPN domains.
Syntax
vam server enable [ advpn-domain domain-name ]
undo vam server enable [ advpn-domain domain-name ]
Default
The VAM server is disabled for an ADVPN domain.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
advpn-domain domain-name: Enables the VAM server for the specified ADVPN domain. The domain-name argument is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command enables the VAM server for all ADVPN domains.
Usage guidelines
You can also execute the server enable command in ADVPN domain view to enable the VAM server for an ADVPN domain.
Examples
# Enable the VAM server for all ADVPN domains.
<Sysname> system-view
[Sysname] vam server enable
# Enable the VAM server for ADVPN domain 1.
<Sysname> system-view
[Sysname] vam server enable advpn-domain 1
Related commands
server enable
vam server listen-port
Use vam server listen-port to set the port number of the VAM server.
Use undo vam server listen-port to restore the default.
Syntax
vam server listen-port port-number
undo vam server listen-port
Default
The port number of the VAM server is 18000.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
port-number: Specifies the port number in the range of 1025 to 65535.
Usage guidelines
The port number of the VAM server must be the same as the port configured on the VAM clients.
Examples
# Set the port number to 10000.
<Sysname> system-view
[Sysname] vam server listen-port 10000
Related commands
server primary
server secondary
VAM client commands
advpn-domain
Use advpn-domain to specify an ADVPN domain for a VAM client.
Use undo advpn-domain to remove the ADVPN domain.
Syntax
advpn-domain domain-name
undo advpn-domain
Default
No ADVPN domain is specified for a VAM client.
Views
VAM client view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies an ADVPN domain by its name. An ADVPN domain name is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.).
Usage guidelines
An ADVPN domain can contain multiple VAM clients.
Examples
# Specify ADVPN domain 100 for VAM client abc.
<Sysname> system-view
[Sysname] vam client name abc
[Sysname-vam-client-abc] advpn-domain 100
client enable
Use client enable to enable a VAM client.
Use undo client enable to disable a VAM client.
Syntax
client enable
undo client enable
Default
The VAM client is disabled.
Views
VAM client view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
You can also execute the vam client enable command in system view to enable one or all VAM clients.
Examples
# Enable VAM client abc.
<Sysname> system-view
[Sysname] vam client name abc
[Sysname-vam-client-abc] client enable
Related commands
vam client enable
display vam client fsm
Use display vam client fsm to display FSM information for VAM clients.
Syntax
display vam client fsm [ name client-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
name client-name: Displays FSM information for the specified VAM client. The client-name argument is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command displays FSM information for all VAM clients.
Usage guidelines
This command only displays the configured parameters and dynamically obtained information.
Examples
# Display FSM information for all VAM clients.
<Sysname> display vam client fsm
Client name : abc
Status : Enabled
ADVPN domain name: 1
Primary server: abc.com (28.1.1.23)
Private address: 10.0.0.12
Interface : Tunnel1
Current state : Online (active)
Client type : Hub
Holding time : 9H 20M 30S
Encryption algorithm : AES-CBC-128
Authentication algorithm: SHA1
Keepalive : 30 seconds, 3 times
Number of hubs : 1
Private address: 1000::22
Interface : Tunnel2
Current state : Online (active)
Client type : Spoke
Holding time : 9H 20M 30S
Encryption algorithm : AES-CBC-128
Authentication algorithm: SHA1
Keepalive : 30 seconds, 3 times
Number of hubs : 1
Secondary server: 2811::24
Private address: 10.0.0.12
Interface : Tunnel1
Current state : Offline
Client type : Unknown
Holding time : 0H 0M 0S
Encryption algorithm : AES-CBC-128
Authentication algorithm: SHA1
Keepalive : 0 seconds, 0 times
Number of hubs : 0
Private address: 1000::22
Interface : Tunnel2
Current state : Offline
Client type : Unknown
Holding time : 0H 0M 0S
Encryption algorithm : AES-CBC-128
Authentication algorithm: SHA1
Keepalive : 0 seconds, 0 times
Number of hubs : 0
Client name : hub
Status : Enabled
ADVPN domain name: 2
Primary server: 202.159.36.24
Private address: 10.0.0.12
Interface : Tunnel20
Current state : Online (active)
Client type : Hub
Holding time : 0H 0M 47S
Encryption algorithm : AES-CBC-128
Authentication algorithm: SHA1
Keepalive : 30 seconds, 3 times
Number of hubs : 1
Client name : spoke
Status : Disabled
ADVPN domain name:
Table 8 Command output
| Field | Description | 
| Status | VAM client status: Enabled or Disabled. | 
| Primary server | Public address of the primary VAM server. | 
| Private address | Private address that the VAM client has registered with the VAM server. | 
| Interface | ADVPN tunnel interface for the VAM client. | 
| Current state | Current state of the VAM client: · Offline. · Init. · Reg. · Online. · Dumb. | 
| Client type | VAM client type: · Hub. · Spoke. · Unknown. | 
| Holding time | Duration time since the VAM client stayed in its current state, in the format of xH yM zS. | 
| Encryption algorithm | Negotiated encryption algorithm. | 
| Authentication algorithm | Negotiated authentication algorithm. | 
| Keepalive | Keepalive interval (in seconds) and number of retransmissions configured on the VAM server. | 
| Secondary server | Public address of the secondary VAM server. | 
Related commands
reset vam client fsm
display vam client shortcut interest
Use display vam client shortcut interest to display IPv4 spoke-to-spoke tunnel establishment rules for VAM clients.
Syntax
display vam client shortcut interest [ name client-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
name client-name: Displays IPv4 spoke-to-spoke tunnel establishment rules for the specified VAM client. The client-name argument is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command displays IPv4 spoke-to-spoke tunnel establishment rules for all VAM clients.
Usage guidelines
The VAM server assigns the rules for establishing IPv4 spoke-to-spoke tunnels only to hubs. If the specified VAM client is a spoke, the number of rules is displayed as 0.
Examples
# Display IPv4 spoke-to-spoke tunnel establishment rules for all VAM clients.
<Sysname> display vam client shortcut interest
Client name : abc
ADVPN domain name: 1
Client type : Spoke
ACL rules : 0
Client name : hub
ADVPN domain name: 2
Client type : Hub
ACL rules : 2
Rule 1: Permit
Protocol : 6 (TCP)
Source : Address 0.0.0.0-255.255.255.255, port 0-65535
Destination: Address 192.168.114.100-192.168.114.200, port 10000-20000
Rule 2: Deny
Protocol : 0 (IP)
Source : Address 0.0.0.0-255.255.255.255, port 0-65535
Destination: Address 0.0.0.0-255.255.255.255, port 0-65535
Client name : spoke
ADVPN domain name: 3
Client type : Unknown
ACL rules : 0
# Display IPv4 spoke-to-spoke tunnel establishment rules for VAM client abc.
<Sysname> display vam client shortcut interest name abc
Client name : abc
ADVPN domain name: 1
Client type : Spoke
ACL rules : 0
Table 9 Command output
| Field | Description | 
| Client type | VAM client type: · Hub. · Spoke. · Unknown. | 
| ACL rules | Number of ACL rules received by the VAM client. | 
| Rule n: Operation | n represents the number of an ACL rule. Rule operation: · Permit—Allows the spokes to establish direct tunnels. · Deny—Disallows the spokes to establish direct tunnels. · Discard—Discards packets. | 
| Protocol | Matching protocol number. | 
| Source | Matching source IP address range and port number range. | 
| Destination | Matching destination IP address range and port number range. | 
display vam client shortcut ipv6 interest
Use display vam client shortcut ipv6 interest to display IPv6 spoke-to-spoke tunnel establishment rules for VAM clients.
Syntax
display vam client shortcut ipv6 interest [ name client-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
name client-name: Displays IPv6 spoke-to-spoke tunnel establishment rules for the specified VAM client. The client-name argument is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command displays IPv6 spoke-to-spoke tunnel establishment rules for all VAM clients.
Usage guidelines
The VAM server assigns the rules for establishing IPv6 spoke-to-spoke tunnels only to hubs. If the specified VAM client is a spoke, the number of rules is displayed as 0.
Examples
# Display IPv6 spoke-to-spoke tunnel establishment rules for all VAM clients.
<Sysname> display vam client shortcut ipv6 interest
Client name : abc
ADVPN domain name: 1
Client type : Spoke
ACL rules : 0
Client name : hub
ADVPN domain name: 2
Client type : Hub
ACL rules : 2
Rule 1: Permit
Protocol : TCP
Start source address : 0::0
End source address : FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
Start source port : 0
End source port : 65535
Start destination address: 2000::0
End destination address : 2000:1::0
Start destination port : 0
End destination port : 65535
Rule 2: Deny
Protocol : All
Start source address : 0::0
End source address : FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
Start source port : 0
End source port : 65535
Start destination address: 0::0
End destination address : FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
Start destination port : 0
End destination port : 65535
Client name : spoke
ADVPN domain name:
Client type : Unknown
ACL rules : 0
# Display IPv6 spoke-to-spoke tunnel establishment rules for VAM client abc.
<Sysname> display vam client shortcut ipv6 interest name abc
Client name : spoke
ADVPN domain name:
Client type : Unknown
ACL rules : 0
Table 10 Command output
| Field | Description | 
| Client type | VAM client type: · Hub. · Spoke. · Unknown. | 
| ACL rules | Number of ACL rules received by the VAM client. | 
| Rule n: operation | n represents the number of an ACL rule. Rule operation: · Permit—Allows the spokes to establish direct tunnels. · Deny—Disallows the spokes to establish direct tunnels. · Discard—Discards packets. | 
| Protocol | Matching protocol number. | 
| Start source address | Matching start address of the source IPv6 address range. | 
| End source address | Matching end address of the source IPv6 address range. | 
| Start source port | Matching start port number of the source port number range. | 
| End source port | Matching end port number of the source port number range. | 
| Start destination address | Matching start address of the destination IPv6 address range. | 
| End destination address | Matching end address of the destination IPv6 address range. | 
| Start destination port | Matching start port number of the destination port number range. | 
| End destination port | Matching end port number of the destination port number range. | 
display vam client statistics
Use display vam client statistics to display VAM client statistics.
Syntax
display vam client statistics [ name client-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
name client-name: Displays statistics for the specified VAM client. The client-name argument is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command displays statistics for all VAM clients.
Examples
# Display statistics for all VAM clients.
<Sysname> display vam client statistics
Client name: abc
Status : Enabled
Primary server: abc.com
Packets sent:
Initialization request : 1
Initialization complete : 1
Register request : 1
Authentication information : 1
Address resolution request : 9
Network registration request : 0
Update request : 0
Logout request : 0
Hub information response : 0
Data flow information response: 0
Keepalive : 35
Error notification : 0
Packets received:
Initialization response : 1
Initialization complete : 1
Authentication request : 1
Register response : 1
Address resolution response : 9
Network registration response: 0
Update response : 0
Hub information request : 0
Data flow information request: 0
Logout response : 0
Keepalive : 35
Error notification : 0
Unknown : 0
Secondary server: 28.1.1.24
Packets sent:
Initialization request : 15
Initialization complete : 0
Register request : 0
Authentication information : 0
Address resolution request : 0
Network registration request : 0
Update request : 0
Logout request : 0
Hub information response : 0
Data flow information response: 0
Keepalive : 0
Error notification : 0
Packets received:
Initialization response : 0
Initialization complete : 0
Register response : 0
Authentication request : 0
Address resolution response : 0
Network registration response: 0
Update response : 0
Hub information request : 0
Data flow information request: 0
Logout response : 0
Keepalive : 0
Error notification : 0
Unknown : 0
Client name: hub
Status : Disabled
Client name: spoke
Status : Enabled
Primary server: test.com
Packets sent:
Initialization request : 3
Initialization complete : 3
Register request : 3
Authentication information : 3
Address resolution request : 0
Network registration request : 0
Update request : 0
Logout request : 0
Hub information response : 0
Data flow information response: 0
Keepalive : 124
Error notification : 0
Packets received:
Initialization response : 3
Initialization complete : 3
Authentication request : 3
Register response : 3
Address resolution response : 0
Network registration response: 0
Update response : 0
Hub information request : 0
Data flow information request: 0
Logout response : 0
Keepalive : 114
Error notification : 0
Unknown : 0
# Display statistics for VAM client abc.
<Sysname> display vam client statistics name abc
Client name: abc
Status : Enabled
Primary server: abc.com
Packets sent:
Initialization request : 1
Initialization complete : 1
Register request : 1
Authentication information : 1
Address resolution request : 9
Network registration request : 0
Update request : 0
Logout request : 0
Hub information response : 0
Data flow information response: 0
Keepalive : 35
Error notification : 0
Packets received:
Initialization response : 1
Initialization complete : 1
Authentication request : 1
Register response : 1
Address resolution response : 9
Network registration response: 0
Update response : 0
Hub information request : 0
Data flow information request: 0
Logout response : 0
Keepalive : 35
Error notification : 0
Unknown : 0
Secondary server: 28.1.1.24
Packets sent:
Initialization request : 15
Initialization complete : 0
Register request : 0
Authentication information : 0
Address resolution request : 0
Network registration request : 0
Update request : 0
Logout request : 0
Hub information response : 0
Data flow information response: 0
Keepalive : 0
Error notification : 0
Packets received:
Initialization response : 0
Initialization complete : 0
Register response : 0
Authentication request : 0
Address resolution response : 0
Network registration response: 0
Update response : 0
Hub information request : 0
Data flow information request: 0
Logout response : 0
Keepalive : 0
Error notification : 0
Unknown : 0
Table 11 Command output
| Field | Description | 
| Status | VAM client status: Enabled or Disabled. | 
| Primary server | Public address or domain name of the primary VAM server. | 
| Secondary server | Public address or domain name of the secondary VAM server. | 
Related commands
reset vam client statistics
dumb-time
Use dumb-time to set the dumb timer for a VAM client.
Use undo dumb-time to restore the default.
Syntax
dumb-time time-interval
undo dumb-time
Default
The dumb timer for a VAM client is 120 seconds.
Views
VAM client view
Predefined user roles
network-admin
mdc-admin
Parameters
time-interval: Specifies the dumb timer in the range of 10 to 600 seconds.
Usage guidelines
A VAM client starts the dumb timer after the timeout timer expires. The client does not process any packets during the dumb time. When the dumb timer expires, the client sends a new connection request to the VAM server.
Examples
# Set the dumb timer to 100 seconds.
<Sysname> system-view
[Sysname] vam client name abc
[Sysname-vam-client-abc] dumb-time 100
pre-shared-key (VAM client view)
Use pre-shared-key to configure a preshared key for a VAM client.
Use undo pre-shared-key to remove the configuration.
Syntax
pre-shared-key { cipher | simple } string
undo pre-shared-key
Default
No preshared key is configured for a VAM client.
Views
VAM client view
Predefined user roles
network-admin
mdc-admin
Parameters
cipher: Specifies a preshared key in encrypted form.
simple: Specifies a preshared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the preshared key. Its plaintext form is a case-sensitive string of 1 to 31 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters.
Usage guidelines
The preshared key is used to generate initial encryption and authentication keys during connection initialization. It is also used to generate encryption and authentication keys for subsequent packets if encryption and authentication are needed.
All VAM clients and the VAM server in an ADVPN domain must have the same preshared key.
Examples
# Set the key to 123 in plaintext form for VAM client abc.
<Sysname> system-view
[Sysname] vam client name abc
[Sysname-vam-client-abc] pre-shared-key simple 123
Related commands
pre-shared-key (ADVPN domain view)
vam client name
reset vam client fsm
Use reset vam client fsm to reset FSMs for VAM clients.
Syntax
reset vam client fsm [ name client-name ]
Views
User view
Predefined user roles
network-admin
Parameters
name client-name: Resets the FSM for the specified VAM client. The client-name argument is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command resets FSMs for all VAM clients.
Usage guidelines
| CAUTION: After you use the reset vam client fsm command to reset the FSM for a VAM client, the client will immediately try to come online. | 
Examples
# Reset the FSM for VAM client abc.
<Sysname> reset vam client fsm name abc
# Reset FSMs for all VAM clients.
<Sysname> reset vam client fsm
Related commands
display vam client fsm
reset vam client ipv6 fsm
Use reset vam client ipv6 fsm to reset FSMs for IPv6 VAM clients.
Syntax
reset vam client ipv6 fsm [ name client-name ]
Views
User view
Predefined user roles
network-admin
Parameters
name client-name: Resets the FSM for the specified IPv6 VAM client. The client-name argument is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command resets FSMs for all IPv6 VAM clients.
Usage guidelines
| CAUTION: After you use the reset vam client ipv6 fsm command to reset the FSM for an IPv6 VAM client, the client will immediately try to come online. | 
Examples
# Reset the FSM for IPv6 VAM client abc.
<Sysname> reset vam client ipv6 fsm name abc
# Reset FSMs for all IPv6 VAM clients.
<Sysname> reset vam client ipv6 fsm
Related commands
display vam client fsm
reset vam client statistics
Use reset vam client statistics to clear VAM client statistics.
Syntax
reset vam client statistics [ name client-name ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
name client-name: Clears statistics for the specified VAM client. The client-name argument is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command clears statistics for all VAM clients.
Examples
# Clear statistics for VAM client abc.
<Sysname> reset vam client statistics name abc
# Clear statistics for all VAM clients.
<Sysname> reset vam client statistics
Related commands
display vam client statistics
retry
Use retry to set the retry interval and retry number for a VAM client.
Use undo retry to restore the default.
Syntax
retry interval interval count retries
undo retry
Default
The retry interval is 5 seconds and the retry number is 3.
Views
VAM client view
Predefined user roles
network-admin
mdc-admin
Parameters
interval interval: Specifies the retry interval in the range of 3 to 30 seconds.
count retries: Specifies the number of retries, in the range of 1 to 6.
Usage guidelines
After a VAM client sends a request to the server, it resends the request if it does not receive any responses within the retry interval. If the client fails to receive a response after maximum attempts (retry times + 1), the client determines that the server is unreachable.
The retry-times setting does not apply to register and update requests. The client sends those requests at the retry interval until it goes offline.
Examples
# Set the retry interval to 20 seconds and the retry number to 4 for VAM client abc.
<Sysname> system-view
[Sysname] vam client name abc
[Sysname-vam-client-abc] retry interval 20 count 4
server primary
Use server primary to specify a primary VAM server for a VAM client.
Use undo server primary to restore the default.
Syntax
server primary { ip-address ipv4-address | ipv6-address ipv6-address | name host-name } [ port port-number ]
undo server primary
Default
No primary VAM server is specified.
Views
VAM client view
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address ipv4-address: Specifies a public IPv4 address for the primary VAM server. The address must be a unicast address.
ipv6-address ipv6-address: Specifies a public IPv6 address for the primary VAM server. The address must be a global unicast address.
name host-name: Specifies a domain name for the primary VAM server. It is a dot-separated, case-insensitive string that can include letters, digits, hyphens (-), and underscores (_). The domain name can include a maximum of 253 characters, and each separated string includes no more than 63 characters.
port port-number: Specifies a port number for the primary VAM server, in the range of 1025 to 65535. The default is 18000.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
The port number of a VAM server must be the same as the port number configured on the VAM server by using the vam server listen-port command.
If the specified primary and secondary VAM servers have the same address or name, only the primary VAM server takes effect.
Examples
# Specify the domain name of the primary VAM server as abc.com and port number as 2000 for VAM client abc.
<Sysname> system-view
[Sysname] vam client name abc
[Sysname-vam-client-abc] server primary name abc.com port 2000
# Specify the public IP address of the primary VAM server as 1.1.1.1 and port number as 2000 for VAM client abc.
<Sysname> system-view
[Sysname] vam client name abc
[Sysname-vam-client-abc] server primary ip-address 1.1.1.1 port 2000
# Specify the public IPv6 address of the primary VAM server as 1001::1 and port number as 2000 for VAM client abc.
<Sysname> system-view
[Sysname] vam client name abc
[Sysname-vam-client-abc] server primary ipv6-address 1001::1 port 2000
Related commands
server secondary
server secondary
Use server secondary to specify a secondary VAM server for a VAM client.
Use undo server secondary to restore the default.
Syntax
server secondary { ip-address ipv4-address | ipv6-address ipv6-address | name host-name } [ port port-number ]
undo server secondary
Default
No secondary VAM server is specified.
Views
VAM client view
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address ipv4-address: Specifies a public IPv4 address for the secondary VAM server. The address must be a unicast address.
ipv6-address ipv6-address: Specifies a public IPv6 address for the secondary VAM server. The address must be a global unicast address.
name host-name: Specifies a domain name of a secondary VAM server. It is a dot-separated, case-insensitive string that can include letters, digits, hyphens (-), and underscores (_). The domain name can include a maximum of 253 characters, and each separated string includes no more than 63 characters.
port port-number: Specifies a port number for the secondary VAM server, in the range of 1025 to 65535. The default is 18000.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
The port number of a VAM server must be the same as the port number configured on the VAM server by using the vam server listen-port command.
If the specified primary and secondary VAM servers have the same address or name, only the primary VAM server takes effect.
Examples
# Specify the domain name of the secondary VAM server as abc.com and port number as 2000 for VAM client abc.
<Sysname> system-view
[Sysname] vam client name abc
[Sysname-vam-client-abc] server secondary name abc.com port 2000
# Specify the public IP address of the secondary VAM server as 1.1.1.2 and port number as 3000 for VAM client abc.
<Sysname> system-view
[Sysname] vam client name abc
[Sysname-vam-client-abc] server secondary ip-address 1.1.1.2 port 3000
# Specify the public IPv6 address of the primary VAM server as 1001::2 and port number as 3000 for VAM client abc.
<Sysname> system-view
[Sysname] vam client name abc
[Sysname-vam-client-abc] server secondary ipv6-address 1001::2 port 3000
Related commands
server primary
user
Use user to configure a username and password for a VAM client.
Use undo user to restore the default.
Syntax
user username password { cipher | simple } string
undo user
Default
No username or password is configured.
Views
VAM client view
Predefined user roles
network-admin
mdc-admin
Parameters
username: Specifies a username. The username is a case-sensitive string of 1 to 253 characters. It cannot include slashes (/), back slashes (\), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), quotation marks ("), vertical bars (|), and at signs (@).
password: Specifies a password.
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.
Usage guidelines
You can configure only one username for a VAM client.
Examples
# Configure the username as user and password as user in plaintext form for VAM client abc.
<Sysname> system-view
[Sysname] vam client name abc
[Sysname-vam-client-abc] user user password simple user
vam client enable
Use vam client enable to enable VAM clients.
Use undo vam client enable to disable VAM clients.
Syntax
vam client enable [ name client-name ]
undo vam client enable [ name client-name ]
Default
The VAM client is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
name client-name: Enables the specified VAM client. The client-name argument is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command enables all VAM clients.
Usage guidelines
You can also execute the client enable command in VAM client view to enable a VAM client.
Examples
# Enable all VAM clients.
<Sysname> system-view
[Sysname] vam client enable
# Enable VAM client abc.
<Sysname> system-view
[Sysname] vam client enable name abc
Related commands
client enable
vam client name
Use vam client name to create a VAM client and enter its view, or enter the view of an existing VAM client.
Use undo vam client name to remove a VAM client.
Syntax
vam client name client-name
undo vam client name client-name
Default
No VAM clients exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
client-name: Specifies a VAM client by its name. A VAM client name is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.).
Examples
# Create VAM client abc and enter its view.
<Sysname> system-view
[Sysname] vam client name abc
[Sysname-vam-client-abc]
ADVPN tunnel commands
advpn group
Use advpn group to configure an ADVPN group name.
Use undo advpn group to restore the default.
Syntax
advpn group group-name
undo advpn group
Default
No ADVPN group name is configured.
Views
Tunnel interface view
Predefined user roles
network-admin
mdc-admin
Parameters
group-name: Specifies the ADVPN group name. The group name is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.).
Usage guidelines
This command must be used on the tunnel interface of a spoke. The spoke sends the ADVPN group name in a hub-spoke tunnel establishment request to a hub. The hub looks for an ADVPN group-to-QoS policy mapping that matches the ADVPN group name. If a matching mapping is found, the hub applies the QoS policy in the mapping to the hub-spoke tunnel. If no match is found, the hub does not apply a QoS policy to the hub-spoke tunnel.
If you modify the ADVPN group name after the tunnel is established, the spoke will inform the hub of the modification. The hub will look for an ADVPN group-to-QoS policy mapping that matches the new ADVPN group name and apply the QoS policy in the new mapping.
As a best practice, do not configure an ADVPN group name and apply a QoS policy on the same tunnel interface.
Examples
# Configure aaa as the ADVPN group name.
<Sysname> system-view
[Sysname] interface tunnel1 mode advpn gre
[Sysname-Tunnel1] advpn group aaa
advpn ipv6 network
Use advpn ipv6 network to configure a private IPv6 network for an IPv6 ADVPN tunnel interface.
Use undo advpn ipv6 network to remove a private IPv6 network from an IPv6 ADVPN tunnel interface.
Syntax
advpn ipv6 network prefix prefix-length [ preference preference-value ]
undo advpn ipv6 network prefix prefix-length
Default
No private IPv6 network is configured.
Views
Tunnel interface view
Predefined user roles
network-admin
mdc-admin
Parameters
prefix prefix-length: Specifies the prefix and prefix length of the private IPv6 network address. The value range for prefix-length is 0 to 128.
preference preference-value: Specifies a preference for the route to the private network, in the range of 1 to 255. The default is 8.
Usage guidelines
This command is available only for IPv6 ADVPN tunnel interfaces.
Each VAM client registers the private networks for an ADVPN tunnel with the VAM server. If another VAM client receives a packet with the destination address resolved as a registered private address, the VAM server sends the registered VAM client information to the client.
This command takes effect on a tunnel interface that has been configured with an IPv6 address and bound to a VAM client by using the vam ipv6 client command.
You can configure multiple private IPv6 networks for a tunnel interface.
Set the preference of the private network route to be higher than other dynamic routing protocols, and lower than static routing. A higher preference value represents a lower priority.
Examples
# Configure private IPv6 network 1001::/64 for Tunnel 1, and set the route preference to 20.
<Sysname> system-view
[Sysname] interface tunnel 1 mode advpn udp ipv6
[Sysname-Tunnel1] advpn ipv6 network 1001:: 64 preference 20
Related commands
vam ipv6 client
advpn logging enable
Use advpn logging enable to enable ADVPN logging.
Use undo advpn logging enable to disable ADVPN logging.
Syntax
advpn logging enable
undo advpn logging enable
Default
ADVPN logging is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This command enables the device to generate logs for the ADVPN module and send the logs to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.
Examples
# Enable ADVPN logging.
<Sysname> system-view
[Sysname] advpn logging enable
advpn map group
Use advpn map group to configure a mapping between an ADVPN group and a QoS policy.
Use undo advpn map group to delete a mapping between an ADVPN group and a QoS policy.
Syntax
advpn map group group-name qos-policy policy-name outbound
undo advpn map group group-name
Default
No ADVPN group-to-QoS policy mappings are configured.
Views
Tunnel interface view
Predefined user roles
network-admin
mdc-admin
Parameters
group-name: Specifies the ADVPN group name. The group name is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.).
qos-policy policy-name: Specifies the QoS policy name, a case-sensitive string of 1 to 31 characters.
outbound: Applies the QoS policy to the outbound direction.
Usage guidelines
This command must be used on the tunnel interface of a hub. After receiving a hub-spoke tunnel establishment request from a spoke, the hub looks for an ADVPN group-to-QoS policy mapping that matches the ADVPN group name carried in the request. If a matching mapping is found, the hub applies the QoS policy in the mapping to the hub-spoke tunnel.
You can configure multiple ADVPN group-to-QoS policy mappings on a tunnel interface.
You can map multiple ADVPN groups to a QoS policy. You can map an ADVPN group to only one QoS policy.
As a best practice, do not configure an ADVPN group-to-QoS policy mapping and apply a QoS policy on the same tunnel interface.
Examples
# Configure a mapping between ADVPN group aaa and QoS policy bbb on Tunnel1.
<Sysname> system-view
[Sysname] interface Tunnel1 mode advpn gre
[Sysname-Tunnel1] advpn map group aaa qos-policy bbb outbound
advpn network
Use advpn network to configure a private IPv4 network for an IPv4 ADVPN tunnel interface.
Use undo advpn network to remove a private IPv4 network from an IPv4 ADVPN tunnel interface.
Syntax
advpn network ip-address { mask-length | mask } [ preference preference-value ]
undo advpn network ip-address { mask-length | mask }
Default
No private IPv4 network is configured.
Views
Tunnel interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address: Specifies the private IPv4 network address.
mask-length: Specifies the mask length of the private IPv4 network address, in the range of 0 to 32.
mask: Specifies the mask of the private IPv4 network address.
preference preference-value: Specifies a preference for the route to the private network, in the range of 1 to 255. The default is 8.
Usage guidelines
This command is available only for IPv4 ADVPN tunnel interfaces.
Each VAM client registers the private networks for an ADVPN tunnel with the VAM server. If another VAM client receives a packet with the destination address resolved as a registered private address, the VAM server sends the registered VAM client information to the client.
This command takes effect on a tunnel interface that has been configured with an IPv4 address and bound to a VAM client by using the vam client command.
You can configure multiple private IPv4 networks for a tunnel interface.
Set the preference of the private network route to be higher than other dynamic routing protocols, and lower than static routing. A higher preference value represents a lower priority.
Examples
# Configure private IPv4 network 10.0.5.0 with mask 255.255.255.0 for Tunnel 1, and set the route preference to 20.
<Sysname> system-view
[Sysname] interface tunnel 1 mode advpn udp
[Sysname-Tunnel1] advpn network 10.0.5.0 255.255.255.0 preference 20
Related commands
vam client
advpn session dumb-time
Use advpn session dumb-time to set the dumb time for an ADVPN tunnel interface.
Use undo advpn session dumb-time to restore the default.
Syntax
advpn session dumb-time time-interval
undo advpn session dumb-time
Default
The dumb time is 120 seconds.
Views
Tunnel interface view
Predefined user roles
network-admin
mdc-admin
Parameters
time-interval: Specifies the dumb time in the range of 10 to 600 seconds.
Usage guidelines
This command is available only for ADVPN tunnel interfaces.
The new dumb time setting only applies to subsequently established tunnels.
Examples
# Set the dumb time to 100 seconds.
<Sysname> system-view
[Sysname] interface tunnel 1 mode advpn udp
[Sysname-Tunnel1] advpn session dumb-time 100
advpn session idle-time
Use advpn session idle-time to set the idle timeout time for a spoke-spoke ADVPN tunnel.
Use undo advpn session idle-time to restore the default.
Syntax
advpn session idle-time time-interval
undo advpn session idle-time
Default
The idle timeout time is 600 seconds.
Views
Tunnel interface view
Predefined user roles
network-admin
mdc-admin
Parameters
time-interval: Specifies the idle timeout time in the range of 60 to 65535 seconds.
Usage guidelines
This command is available only for ADVPN tunnel interfaces.
The new idle timeout setting applies to both established and subsequently established spoke-spoke tunnels.
If no data is forwarded along a spoke-spoke tunnel during the idle timeout time, the tunnel will be removed automatically.
Examples
# Set the idle timeout time to 800 seconds.
<Sysname> system-view
[Sysname] interface tunnel 1 mode advpn udp
[Sysname-tunnel1] advpn session idle-time 800
advpn source-port
Use advpn source-port to set the source UDP port number for ADVPN packets.
Use undo advpn source-port to restore the default.
Syntax
advpn source-port port-number
undo advpn source-port
Default
The source UDP port number is 18001.
Views
Tunnel interface view
Predefined user roles
network-admin
mdc-admin
Parameters
port-number: Specifies the UDP port number in the range of 1025 to 65535.
Usage guidelines
This command is available only for UDP-encapsulated ADVPN tunnels.
If the vam client command configured on the tunnel interface has the compatible keyword, the tunnel interface must have a different source UDP port number than other tunnel interfaces.
Examples
# Set the source UDP port number to 6000.
<Sysname> system-view
[Sysname] interface tunnel 1 mode advpn udp
[Sysname-Tunnel1] advpn source-port 6000
Related commands
vam client
display advpn group-qos-map
Use display advpn group-qos-map to display ADVPN group-to-QoS policy mappings.
Syntax
display advpn group-qos-map [ interface tunnel number [ group group-name ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface tunnel number: Specifies an ADVPN tunnel interface by its tunnel interface number. The value range for the number argument is 0 to 1023. If you do not specify a tunnel interface, this command displays ADVPN group-to-QoS policy mappings for all ADVPN tunnel interfaces.
group group-name: Specifies an ADVPN group by its name. If you do not specify an ADVPN group, this command displays ADVPN group-to-QoS policy mappings for all ADVPN groups.
Examples
# Display ADVPN group-to-QoS policy mappings for all ADVPN tunnel interfaces.
<Sysname> display advpn group-qos-map
Interface: Tunnel1
ADVPN group: group1
QoS policy: policy1
Session list:
Private address Public address
10.0.0.3 192.168.180.136
10.0.1.4 192.168.180.137
ADVPN group: bb
QoS policy: bb-policy
No sessions match the ADVPN group-to-QoS policy mapping.
Interface: Tunnel2
ADVPN group: group2
QoS policy: policy2
Session list:
Private address Public address
20.0.0.3 200::3
Table 12 Command output
| Field | Description | 
| Interface | ADVPN tunnel interface. | 
| ADVPN group | ADVPN group name. | 
| QoS policy | QoS policy to which the ADVPN group is mapped. | 
| Session list | List of ADVPN tunnels that use the QoS policy on the tunnel interface. | 
| Private address | Private address of the ADVPN tunnel peer. | 
| Public address | Public address of the ADVPN tunnel peer. | 
| No sessions match the ADVPN group-to-QoS policy mapping | No ADVPN tunnels match the ADVPN group-to-QoS policy mapping on the tunnel interface. | 
Related commands
advpn group
advpn map group
display advpn ipv6 session
Use display advpn ipv6 session to display IPv6 ADVPN tunnel information.
Syntax
display advpn ipv6 session [ interface tunnel number [ private-address private-ipv6-address ] ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface tunnel number: Displays information about IPv6 ADVPN tunnels on an IPv6 ADVPN tunnel interface specified by the interface number. If you do not specify this option, the command displays information about all IPv6 ADVPN tunnels.
private-address private-ipv6-address: Displays information about the IPv6 ADVPN tunnel with the specified peer private IPv6 address. If you do not specify this option, the command displays information about the specified IPv6 ADVPN tunnel or all IPv6 ADVPN tunnels.
verbose: Displays detailed IPv6 ADVPN tunnel information. If you do not specify this keyword, the command displays brief IPv6 ADVPN tunnel information.
Examples
# Display brief information about all IPv6 ADVPN tunnels.
<Sysname> display advpn ipv6 session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
1001::3 2000::180:136 1139 H-S Success 5H 38M 8S
1001::4 2000::180:137 3546 H-S Dumb 0H 0M 27S
Interface : Tunnel2
Number of sessions: 1
Private address Public address Port Type State Holding time
1002::4 202.0.180.137 -- S-H Establish 0H 0M 2S
Interface : Tunnel3
Number of sessions: 1
Private address Public address Port Type State Holding time
1003::4 2003::180:137 2057 S-S Success 1H 12M 26S
Interface : Tunnel4
Number of sessions: 1
Private address Public address Port Type State Holding time
1004::4 204.1.181:157 -- H-H Success 10H 48M 19S
Interface : Tunnel5
Number of sessions: 0
# Display brief information about IPv6 ADVPN tunnels on Tunnel 1.
<Sysname> display advpn ipv6 session interface tunnel 1
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
1001::3 2000::180:136 1139 H-S Success 5H 38M 8S
1001::4 2000::180:137 3546 H-S Dumb 0H 0M 27S
# Display brief information about the IPv6 ADVPN tunnel with peer private IPv6 address 1001::3 on Tunnel 1.
<Sysname> display advpn ipv6 session interface tunnel 1 private-address 1001::3
Private address Public address Port Type State Holding time
1001::3 2000::180:136 1139 H-S Success 5H 38M 8S
Table 13 Command output
| Field | Description | 
| Interface | ADVPN tunnel interface. | 
| Number of sessions | Number of ADVPN tunnels established on the tunnel interface. | 
| Private address | Private address of the ADVPN tunnel peer. | 
| Public address | Public address of the ADVPN tunnel peer. | 
| Port | Port number of the ADVPN tunnel peer. | 
| Type | ADVPN tunnel type: · H-H—Both the local end and the remote end are hubs. · H-S—The local end is a hub and the remote end is a spoke. · S-H—The local end is a spoke and the remote end is a hub. · S-S—Both the local end and the remote end are spokes. | 
| State | ADVPN tunnel state: · Success—The tunnel has been successfully established. · Establishing—The tunnel is being established. · Dumb—The tunnel failed to be established and is now quiet. | 
| Holding time | Duration time since the tunnel stayed in the current state, in the format of xH yM zS. | 
# Display detailed information about all IPv6 ADVPN tunnels.
<Sysname> display advpn ipv6 session verbose
Interface : Tunnel1
Client name : vpn1
ADVPN domain name : 1
Link protocol : UDP
Number of sessions: 2
Private address: 1001::3
Public address : 2000::180:136
ADVPN port : 1139
Session type : Hub-Spoke
State : Success
Holding time : 5H 38M 8S
Input : 2201 packets, 2198 data packets, 3 control packets
2191 multicasts, 0 errors
Output: 2169 packets, 216 data packets, 1 control packets
2163 multicasts, 0 errors
Private address: 1001::4
Public address : 2000::180:137
ADVPN port : 3546
Session type : Hub-Spoke
State : Dumb
Holding time : 0H 0M 27S
Input : 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
Output: 16 packets, 0 data packets, 16 control packets
0 multicasts, 0 errors
Interface : Tunnel2
Client name : vpn2
ADVPN domain name : 2
Link protocol : GRE
Number of sessions: 1
Private address: 1002::4
Public address : 202.0.180.137
Session type : Spoke-Hub
State : Establish
Holding time : 0H 0M 2S
Input: 0 packets, 0 data packets, 0 control packets
0 multicasts, 0 errors
Output: 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
Interface : Tunnel3
Client name : vpn3
ADVPN domain name : 3
Link protocol : IPsec-UDP
Number of sessions: 1
Private address: 1003::4
Public address : 2003::180:137
ADVPN port : 2057
SA's SPI :
Inbound : 187199087 (0xb286e6f) [ESP]
Outbound: 3562274487 (0xd453feb7) [ESP]
Session type : Spoke-Spoke
State : Establish
Holding time : 0H 0M 2S
Input: 0 packets, 0 data packets, 0 control packets
0 multicasts, 0 errors
Output: 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
Interface : Tunnel4
Client name : vpn4
ADVPN domain name : 4
Link protocol : IPsec-GRE
Number of sessions: 1
Private address: 1004::4
Public address : 204.1.181:157
SA's SPI :
Inbound: 187199087 (0xb286e6f) [ESP]
Outbound: 3562274487 (0xd453feb7) [ESP]
Session type : Hub-Hub
State : Success
Holding time : 10H 48M 19S
Input : 2201 packets, 2198 data packets, 3 control packets
2191 multicasts, 0 errors
Output: 2169 packets, 2168 data packets, 1 control packets
2163 multicasts, 0 errors
Interface : Tunnel5
Client name : vpn5
ADVPN domain name : 5
Link protocol : UDP
Number of sessions: 0
# Display detailed information about IPv6 ADVPN tunnels on Tunnel 1.
<Sysname> display advpn ipv6 session interface tunnel 1 verbose
Interface : Tunnel1
Client name : vpn1
ADVPN domain name : 1
Link protocol : UDP
Number of sessions: 2
Private address: 1001::3
Public address : 2000::180:136
ADVPN port : 1139
Session type : Hub-Spoke
State : Success
Holding time : 5H 38M 8S
Input : 2201 packets, 2198 data packets, 3 control packets
2191 multicasts, 0 errors
Output: 2169 packets, 216 data packets, 1 control packets
2163 multicasts, 0 errors
Private address: 1001::4
Public address : 2000::180:137
ADVPN port : 3546
Session type : Hub-Spoke
State : Dumb
Holding time : 0H 0M 27S
Input : 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
Output: 16 packets, 0 data packets, 16 control packets
0 multicasts, 0 errors
# Display detailed information about the IPv6 ADVPN tunnel with peer private IPv6 address 1001::3 on Tunnel 1.
<Sysname> display advpn ipv6 session interface tunnel 1 private-address 1001::3 verbose
Private address: 1001::3
Public address : 2000::180:136
ADVPN port : 1139
Session type : Hub-Spoke
State : Success
Holding time : 5H 38M 8S
Input : 2201 packets, 2198 data packets, 3 control packets
2191 multicasts, 0 errors
Output: 2169 packets, 216 data packets, 1 control packets
2163 multicasts, 0 errors
Table 14 Command output
| Field | Description | 
| Interface | ADVPN tunnel interface. | 
| Client name | Name of the VAM client bound to the tunnel interface. | 
| Link protocol | Link layer protocol for the ADVPN tunnel: · UDP. · GRE. · IPsec-UDP. · IPsec-GRE. | 
| Number of sessions | Number of ADVPN tunnels established on the tunnel interface. | 
| Private address | Private address of the ADVPN tunnel peer. | 
| Public address | Public address of the ADVPN tunnel peer. | 
| ADVPN port | UDP port number for the ADVPN tunnel when the link layer protocol is UDP or IPsec-UDP. | 
| SA's SPI | SPIs for the inbound and outbound SAs when link layer protocol is IPsec-UDP or IPsec-GRE. | 
| Session type | ADVPN tunnel type: · Hub-Hub—Both the local end and the remote end are hubs. · Hub-Spoke—The local end is a hub and the remote end is a spoke. · Spoke-Hub—The local end is a spoke and the remote end is a hub. · Spoke-Spoke—Both the local end and the remote end are spokes. | 
| State | ADVPN tunnel state: · Success—The tunnel has been successfully established. · Establishing—The tunnel is being established. · Dumb—The tunnel failed to be established and is now quiet. | 
| Holding time | Duration time since the tunnel stayed in the current state, in the format of xH yM zS. | 
| Input | Statistics for incoming packets, including the numbers of all packets, data packets, control packets, multicast packets, and erroneous packets. | 
| Output | Statistics for outgoing packets, including the numbers of all packets, data packets, control packets, multicast packets, and erroneous packets. | 
Related commands
reset advpn ipv6 session
display advpn session
Use display advpn session to display IPv4 ADVPN tunnel information.
Syntax
display advpn session [ interface tunnel number [ private-address private-ip-address ] ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface tunnel number: Displays information about IPv4 ADVPN tunnels on an IPv4 ADVPN tunnel interface specified by the interface number. If you do not specify this option, the command displays information about all IPv4 ADVPN tunnels.
private-address private-ip-address: Displays information about the IPv4 ADVPN tunnel with the specified peer private IPv4 address. If you do not specify this option, the command displays information about the specified IPv4 ADVPN tunnel or all IPv4 ADVPN tunnels.
verbose: Displays detailed IPv4 ADVPN tunnel information. If you do not specify this keyword, the command displays brief IPv4 ADVPN tunnel information.
Examples
# Display brief information about all IPv4 ADVPN tunnels.
<Sysname> display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
10.0.0.3 192.168.180.136 1139 H-S Success 5H 38M 8S
10.0.1.4 192.168.180.137 3546 H-S Dumb 0H 0M 27S
Interface : Tunnel2
Number of sessions: 1
Private address Public address Port Type State Holding time
20.0.0.3 200::3 -- S-H Establish 0H 0M 2S
Interface : Tunnel3
Number of sessions: 1
Private address Public address Port Type State Holding time
30.0.0.3 192.168.200.22 2057 S-S Success 1H 12M 26S
Interface : Tunnel4
Number of sessions: 1
Private address Public address Port Type State Holding time
40.0.0.3 4::4 -- H-H Success 10H 48M 19S
Interface : Tunnel5
Number of sessions: 0
# Display brief information about IPv4 ADVPN tunnels on Tunnel 1.
<Sysname> display advpn session interface tunnel 1
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
10.0.0.3 192.168.180.136 1139 H-S Success 5H 38M 8S
10.0.1.4 192.168.180.137 3546 H-S Dumb 0H 0M 27S
# Display brief information about the IPv4 ADVPN tunnel with peer private IP address 10.0.1.3 on Tunnel 1.
<Sysname> display advpn session interface tunnel 1 private-address 10.0.1.3
Private address Public address Port Type State Holding time
10.0.0.3 192.168.180.136 1139 H-S Success 5H 38M 8S
Table 15 Command output
| Field | Description | 
| Interface | ADVPN tunnel interface. | 
| Number of sessions | Number of ADVPN tunnels established on the tunnel interface. | 
| Private address | Private address of the ADVPN tunnel peer. | 
| Public address | Public address of the ADVPN tunnel peer. | 
| Port | Port number of the ADVPN tunnel peer. | 
| Type | ADVPN tunnel type: · H-H—Both the local end and the remote end are hubs. · H-S—The local end is a hub and the remote end is a spoke. · S-H—The local end is a spoke and the remote end is a hub. · S-S—Both the local end and the remote end are spokes. | 
| State | ADVPN tunnel state: · Success—The tunnel has been successfully established. · Establishing—The tunnel is being established. · Dumb—The tunnel failed to be established and is now quiet. | 
| Holding time | Duration time since the tunnel stayed in the current state, in the format of xH yM zS. | 
# Display detailed information about all IPv4 ADVPN tunnels.
<Sysname> display advpn session verbose
Interface : Tunnel1
Client name : vpn1
ADVPN domain name : 1
Link protocol : UDP
Number of sessions: 2
Private address: 10.0.1.3
Public address : 192.168.180.136
ADVPN port : 1139
Behind NAT : No
Session type : Hub-Spoke
State : Success
Holding time : 5H 38M 8S
Input : 2201 packets, 218 data packets, 3 control packets
2191 multicasts, 0 errors
Output: 2169 packets, 2168 data packets, 1 control packets
2163 multicasts, 0 errors
Private address: 10.0.1.4
Public address : 192.168.180.137
ADVPN port : 3546
Behind NAT : No
Session type : Hub-Spoke
State : Dumb
Holding time : 0H 0M 27S
ADVPN group : group1
Outbound QoS policy: policy1
Input : 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
Output: 16 packets, 0 data packets, 16 control packets
0 multicasts, 0 errors
Interface : Tunnel2
Client name : vpn2
ADVPN domain name : 2
Link protocol : GRE
Number of sessions: 1
Private address: 20.0.0.3
Public address : 200::3
Behind NAT : No
Session type : Spoke-Hub
State : Establish
Holding time : 0H 0M 2S
ADVPN group : group1
Outbound QoS policy: policy1
Input: 0 packets, 0 data packets, 0 control packets
0 multicasts, 0 errors
Output: 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
Interface : Tunnel3
Client name : vpn3
ADVPN domain name : 3
Link protocol : IPsec-UDP
Number of sessions: 1
Private address: 30.0.0.3
Public address : 192.168.200.32
ADVPN port : 2057
SA's SPI :
Inbound: 187199087 (0xb286e6f) [ESP]
Outbound: 3562274487 (0xd453feb7) [ESP]
Behind NAT : No
Session type : Spoke-Spoke
State : Establish
Holding time : 0H 0M 2S
Input: 0 packets, 0 data packets, 0 control packets
0 multicasts, 0 errors
Output: 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
Interface : Tunnel4
Client name : vpn4
ADVPN domain name : 4
Link protocol : IPsec-GRE
Number of sessions: 1
Private address: 40.0.0.3
Public address : 4::4
SA's SPI :
Inbound: 187199087 (0xb286e6f) [ESP]
Outbound: 3562274487 (0xd453feb7) [ESP]
Behind NAT : No
Session type : Hub-Hub
State : Success
Holding time : 10H 48M 19S
ADVPN group : group1
Outbound QoS policy: policy1
Input : 2201 packets, 2198 data packets, 3 control packets
2191 multicasts, 0 errors
Output: 2169 packets, 2168 data packets, 1 control packets
2163 multicasts, 0 errors
Interface : Tunnel5
Client name : vpn5
ADVPN domain name : 5
Link protocol : UDP
Number of sessions: 0
# Display detailed information about IPv4 ADVPN tunnels on Tunnel 1.
<Sysname> display advpn session interface tunnel 1 verbose
Interface : Tunnel1
Client name : vpn1
ADVPN domain name : 1
Link protocol : UDP
Number of sessions: 2
Private address: 10.0.1.3
Public address : 192.168.180.136
ADVPN port : 1139
Behind NAT : No
Session type : Hub-Spoke
State : Success
Holding time : 5H 38M 8S
ADVPN group : group1
Outbound QoS policy: policy1
Input : 2201 packets, 218 data packets, 3 control packets
2191 multicasts, 0 errors
Output: 2169 packets, 2168 data packets, 1 control packets
2163 multicasts, 0 errors
Private address: 10.0.1.4
Public address : 192.168.180.137
ADVPN port : 3546
Behind NAT : No
Session type : Hub-Spoke
State : Dumb
Holding time : 0H 0M 27S
ADVPN group : group1
Outbound QoS policy: policy1
Input : 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
Output: 16 packets, 0 data packets, 16 control packets
0 multicasts, 0 errors
# Display detailed information about the IPv4 ADVPN tunnel with peer private IP address 10.0.1.3 on Tunnel 1.
<Sysname> display advpn session verbose interface tunnel 1 private-address 10.0.1.3
Private address: 10.0.1.3
Public address : 192.168.180.136
ADVPN port : 1139
Behind NAT : No
Session type : Hub-Spoke
State : Success
Holding time : 5H 38M 8S
ADVPN group : group1
Outbound QoS policy: policy1
Input : 2201 packets, 218 data packets, 3 control packets
2191 multicasts, 0 errors
Output: 2169 packets, 2168 data packets, 1 control packets
2163 multicasts, 0 errors
Table 16 Command output
| Field | Description | 
| Interface | ADVPN tunnel interface. | 
| Client name | Name of the VAM client bound to the tunnel interface. | 
| Link protocol | Link layer protocol for the ADVPN tunnel: · UDP. · GRE. · IPsec-UDP. · IPsec-GRE. | 
| Number of sessions | Number of ADVPN tunnels established on the tunnel interface. | 
| Private address | Private address of the ADVPN tunnel peer. | 
| Public address | Public address of the ADVPN tunnel peer. | 
| ADVPN port | UDP port number for the ADVPN tunnel when the link layer protocol is UDP or IPsec-UDP. | 
| SA's SPI | SPIs for the inbound and outbound SAs when link layer protocol is IPsec-UDP or IPsec-GRE. | 
| Behind NAT | Whether NAT traversal is used. | 
| Session type | ADVPN tunnel type: · Hub-Hub—Both the local end and the remote end are hubs. · Hub-Spoke—The local end is a hub and the remote end is a spoke. · Spoke-Hub—The local end is a spoke and the remote end is a hub. · Spoke-Spoke—Both the local end and the remote end are spokes. | 
| State | ADVPN tunnel state: · Success—The tunnel has been successfully established. · Establishing—The tunnel is being established. · Dumb—The tunnel failed to be established and is now quiet. | 
| Holding time | Duration time since the tunnel stayed in the current state, in the format of xH yM zS. | 
| ADVPN group | ADVPN group name. | 
| Outbound QoS policy | QoS policy to which the ADVPN group is mapped. | 
| Input | Statistics for incoming packets, including the numbers of all packets, data packets, control packets, multicast packets, and erroneous packets. | 
| Output | Statistics for outgoing packets, including the numbers of all packets, data packets, control packets, multicast packets, and erroneous packets. | 
Related commands
reset advpn session
display advpn session count
Use display advpn session count to display the number of ADVPN sessions in different states.
Syntax
display advpn session count
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display the number of ADVPN sessions in different states.
<Sysname> display advpn session count
Total ADVPN sessions: 7
IPv4 sessions: 3
Success: 3
Establishing: 0
Dumb: 0
IPv6 sessions: 4
Success: 4
Establishing: 0
Dumb: 0
Table 17 Command output
| Field | Description | 
| IPv4 sessions: | Number of ADVPN sessions in IPv4 private networks. | 
| IPv6 sessions: | Number of ADVPN sessions in IPv6 private networks. | 
| Success | Number of ADVPN sessions that have been successfully established. | 
| Establishing | Number of ADVPN sessions that are being established. | 
| Dumb | Number of ADVPN sessions that failed to be established and are now quiet. | 
keepalive
Use keepalive to set the keepalive interval and the maximum number of keepalive attempts for an ADVPN tunnel interface.
Use undo keepalive to restore the default.
Syntax
keepalive interval interval retry retries
undo keepalive
Default
The keepalive interval is 180 seconds, and the maximum number of keepalive attempts is 3.
Views
Tunnel interface view
Predefined user roles
network-admin
mdc-admin
Parameters
interval interval: Sets the keepalive interval in the range of 1 to 32767 seconds.
retry retries: Sets the maximum number of keepalive attempts, in the range of 1 to 255.
Usage guidelines
This command is available only for ADVPN tunnel interfaces.
If no keepalives is received before the timeout timer (product of the keepalive interval and keepalive attempts) expires, the tunnel will be removed automatically.
The keepalive interval and the maximum number of keepalive attempts must be the same on the tunnel interfaces in an ADVPN domain.
After this command is executed, the keepalive timer does not start immediately. It starts until the ADVPN tunnel is established.
Examples
# Set the keepalive interval to 20 seconds and the maximum number of keepalive attempts to 5.
<Sysname> system-view
[Sysname] interface tunnel 1 mode advpn udp
[Sysname-Tunnel1] keepalive interval 20 retry 5
reset advpn ipv6 session
Use reset advpn ipv6 session to delete IPv6 ADVPN tunnels.
Syntax
reset advpn ipv6 session [ interface tunnel number [ private-address private-ipv6-address ] ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
interface tunnel number: Deletes IPv6 ADVPN tunnels on an IPv6 ADVPN tunnel interface specified by the interface number. If you do not specify this option, the command deletes all IPv6 ADVPN tunnels.
private-address private-ipv6-address: Deletes the IPv6 ADVPN tunnel with the specified peer private IPv6 address. If you do not specify this option, the command deletes the specified IPv6 ADVPN tunnel or all IPv6 ADVPN tunnels.
Usage guidelines
If the remote tunnel end is a hub in the same group as the local end, the tunnel will be re-established after it is deleted.
Examples
# Delete all IPv6 ADVPN tunnels.
<Sysname> reset advpn ipv6 session
# Delete IPv6 ADVPN tunnels on Tunnel 1.
<Sysname> reset advpn ipv6 session interface tunnel 1
# Delete the IPv6 ADVPN tunnel with peer private IPv6 address 1000::1 on Tunnel 1.
<Sysname> reset advpn ipv6 session interface tunnel 1 private-address 1000::1
Related commands
display advpn ipv6 session
reset advpn ipv6 session statistics
Use reset advpn ipv6 session statistics to clear statistics for IPv6 ADVPN tunnels.
Syntax
reset advpn ipv6 session statistics [ interface tunnel number [ private-address private-ipv6-address ] ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
interface tunnel number: Clears statistics for IPv6 ADVPN tunnels on an IPv6 ADVPN tunnel interface specified by the interface number. If you do not specify this option, the command clears statistics for all IPv6 ADVPN tunnels.
private-address private-ipv6-address: Clears statistics for the IPv6 ADVPN tunnel with the specified peer private IPv6 address. If you do not specify this option, the command clears statistics for the specified IPv6 ADVPN tunnel or all IPv6 ADVPN tunnels.
Examples
# Clear statistics for all IPv6 ADVPN tunnels.
<Sysname> reset advpn ipv6 session statistics
# Clear statistics for IPv6 ADVPN tunnels on Tunnel 1.
<Sysname> reset advpn ipv6 session statistics interface tunnel 1
# Clear statistics for the IPv6 ADVPN tunnel with peer private IPv6 address 1::1 on Tunnel 1.
<Sysname> reset advpn ipv6 session statistics interface tunnel 1 private-address 1::1
reset advpn session
Use reset advpn session to delete IPv4 ADVPN tunnels.
Syntax
reset advpn session [ interface tunnel number [ private-address private-ip-address ] ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
interface tunnel number: Deletes IPv4 ADVPN tunnels on an IPv4 ADVPN tunnel interface specified by the interface number. If you do not specify this option, the command deletes all IPv4 ADVPN tunnels.
private-address private-ip-address: Deletes the IPv4 ADVPN tunnel with the specified peer private IPv4 address. If you do not specify this option, the command deletes the specified IPv4 ADVPN tunnel or all IPv4 ADVPN tunnels.
Usage guidelines
If the remote tunnel end is a hub in the same group as the local end, the tunnel will be re-established after it is deleted.
Examples
# Delete all IPv4 ADVPN tunnels.
<Sysname> reset advpn session
# Delete IPv4 ADVPN tunnels on Tunnel 1.
<Sysname> reset advpn session interface tunnel 1
# Delete the IPv4 ADVPN tunnel with peer private IPv4 address 169.254.0.1 on Tunnel 1.
<Sysname> reset advpn session interface tunnel 1 private-address 169.254.0.1
display advpn session
reset advpn session statistics
Use reset advpn session statistics to clear statistics for IPv4 ADVPN tunnels.
Syntax
reset advpn session statistics [ interface tunnel number [ private-address private-ip-address ] ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
interface tunnel number: Clears statistics for IPv4 ADVPN tunnels on an IPv4 ADVPN tunnel interface specified by the interface number. If you do not specify this option, the command clears statistics for all IPv4 ADVPN tunnels.
private-address private-ip-address: Clears statistics for the IPv4 ADVPN tunnel with the specified peer private IPv4 address. If you do not specify this option, the command clears statistics for the specified IPv4 ADVPN tunnel or all IPv4 ADVPN tunnels.
Examples
# Clear statistics for all IPv4 ADVPN tunnels.
<Sysname> reset advpn session statistics
# Clear statistics for IPv4 ADVPN tunnels on Tunnel 1.
<Sysname> reset advpn session statistics interface tunnel 1
# Clear statistics for the IPv4 ADVPN tunnel with peer private IPv4 address 169.254.0.1 on Tunnel 1.
<Sysname> reset advpn session statistics interface tunnel 1 private-address 169.254.0.1
vam client
Use vam client to bind a VAM client to an IPv4 ADVPN tunnel interface.
Use undo vam client to remove the binding.
Syntax
vam client client-name [ compatible advpn0 ]
undo vam client
Default
No VAM client is bound to an IPv4 ADVPN tunnel interface.
Views
Tunnel interface view
Predefined user roles
network-admin
mdc-admin
Parameters
client-name: Specifies a VAM client by its name. A VAM client name is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.).
compatible advpn0: Specifies ADVPN V0 packet format. If you do not specify this keyword, packets are not compatible with ADVPN V0 format.
Usage guidelines
This command is available only for IPv4 ADVPN tunnel interfaces.
After a VAM client is bound to an IPv4 ADVPN tunnel interface, the client registers IPv4 private networks for the tunnel interface with the VAM server.
A VAM client can be bound to only one IPv4 ADVPN tunnel interface.
The compatible keyword is required if a device that supports only ADVPN V0 packet format exists in the hub group for the bound VAM client. After the compatible keyword is specified, make sure the tunnel interface has a unique source UDP port number on the device.
Examples
# Bind VAM client abc to IPv4 ADVPN tunnel interface Tunnel 1.
<Sysname> system-view
[Sysname] interface tunnel 1 mode advpn udp
[Sysname-Tunnel1] vam client abc
Related commands
advpn source-port
vam ipv6 client
vam ipv6 client
Use vam ipv6 client to bind a VAM client to an IPv6 ADVPN tunnel interface.
Use undo vam ipv6 client to remove the binding.
Syntax
vam ipv6 client client-name
undo vam ipv6 client
Default
No VAM client is bound to an IPv6 ADVPN tunnel interface.
Views
Tunnel interface view
Predefined user roles
network-admin
mdc-admin
Parameters
client-name: Specifies a VAM client by its name. A VAM client name is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.).
Usage guidelines
This command is available only for IPv6 ADVPN tunnel interfaces.
After a VAM client is bound to an IPv6 ADVPN tunnel interface, the client registers IPv6 private networks for the tunnel interface with the VAM server.
A VAM client can be bound to only one IPv6 ADVPN tunnel interface.
Examples
# Bind VAM client abc to IPv6 ADVPN tunnel interface Tunnel 1.
<Sysname> system-view
[Sysname] interface tunnel 1 mode advpn udp ipv6
[Sysname-Tunnel1] vam ipv6 client abc
Related commands
vam client
 Login
Login




