interface-type interface-number1 to interface-type interface-number2: Assigns a range of interfaces to the context. The specified interfaces must be the same interface type and must belong to the same interface card.

share: Assigns the interfaces in shared mode. If you do not specify this keyword, the command assigns the interfaces exclusively to the context.

Usage guidelines

IMPORTANT:

· Do not assign IRF physical interfaces to a non-default context.

· If a subinterface of a Layer 3 interface is a member interface of a Reth interface, do not assign the Layer 3 interface to a non-default context.

· Logical interfaces support only shared mode, and physical interfaces support both exclusive mode and shared mode.

You can assign interfaces in exclusive or shared mode.

· Exclusive mode—You assign an interface exclusively to a context, and only the context can use the interface. The administrator of the context can see the interface and use all commands supported on the interface.

· Shared mode—You assign an interface to multiple contexts in shared mode, and the system creates a virtual interface for each context. The virtual interfaces use the same name as the physical interface but have different MAC addresses and IP addresses. They forward and receive packets through the physical interface. The shared mode improves interface usage.

You can see the physical interface and perform all commands supported on the interface from the default context. The administrator of a context can only see the context's virtual interface and use the shutdown, description, and network- and security-related commands.

Examples

# Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to context sub1 in shared mode.

<Sysname> system-view

[Sysname] context sub1

[Sysname-context-2-sub1] allocate interface gigabitethernet 1/0/1 gigabitethernet 1/0/3 share

allocate vlan

Use allocate vlan to assign VLANs to a context.

Use undo allocate vlan to reclaim VLANs assigned to a context.

Syntax

allocate vlan vlan-id&<1-24>

undo allocate vlan vlan-id&<1-24>

allocate vlan vlan-id1 to vlan-id2

undo allocate vlan vlan-id1 to vlan-id2

Default

No VLAN is assigned to a context.

Views

Context view

Predefined user roles

network-admin

Parameters

vlan-id&<1-24>: Specifies a space-seperated list of up to 24 VLAN IDs.

vlan-id1 to vlan-id2: Specifies a range of VLAN IDs.

Usage guidelines

You assign static VLANs except for VLAN 1 to contexts without the VLAN-unshared attribute. Before doing so, you must create the VLANs on the default context. A VLAN can be assigned only to one context. After the assignment to a context, you can use only the display commands on the context, but you can use all VLAN commands on the default context.

A context with the VLAN-unshared attribute has its own VLAN resources (VLAN 2 through VLAN 4094). It does not share VLAN resources with any other context. To create VLANs for the context, log in to the context and use the vlan command. VLAN 1 is system defined. You cannot create or delete VLAN 1.

Examples

# Assign VLAN 100 to context sub1.

<Sysname> system-view

[Sysname] context sub1

[Sysname-context-2-sub1] allocate vlan 100

Related commands

display context vlan

allocate vxlan

Use allocate vxlan to assign VXLANs to a context.

Use undo allocate vxlan to reclaim VXLANs assigned to a context.

Syntax

allocate vxlan vxlan-id&<1-24>

undo allocate vxlan vxlan-id&<1-24>

allocate vxlan vxlan-id1 to vxlan-id2

undo allocate vxlan vxlan-id1 to vxlan-id2

Default

No VXLANs are assigned to a context.

Views

Context view

Predefined user roles

network-admin

Parameters

vxlan-id&<1-24>: Specifies a space-seperated list of up to 24 VXLAN IDs. The value range for VXLAN IDs is 0 to 16777215.

vxlan-id1 to vxlan-id2: Specifies a range of VXLAN IDs. The value range for VXLAN IDs is 0 to 16777215.

Usage guidelines

VXLANs assigned to a context can be used or configured only on that context.

Examples

# Assign VXLAN 100 to context sub1.

<Sysname> system-view

[Sysname] context sub1

[Sysname-context-2-sub1] allocate vxlan 100

The VXLAN will be allocated to context sub1. Continue? [Y/N]:y

capability object-policy-rule maximum

Use capability object-policy-rule maximum to set the maximum number of object policy rules for a context.

Use undo capability object-policy-rule maximum to restore the default.

Syntax

capability object-policy-rule maximum max-number

undo capability object-policy-rule maximum

Default

The number of object policy rules is not limited for a context.

Views

Context view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of object policy rules for the context, in the range of 1 to 4294967295.

Usage guidelines

A large number of rules occupy too much memory, affecting other features on the context. This command sets the maximum number of object policy rules for a context. When the maximum number is reached, you cannot add new rules.

If the maximum number you set is smaller than the number of existing object policy rules, this setting takes effect. The context does not delete extra existing object policy rules and allows new object policy rules to be created only when the number of object policy rules drops below the maximum number.

Examples

# Set the maximum number of object policy rules to 1000 for context cnt2.

<Sysname> system-view

[Sysname] context cnt2

[Sysname-context-2-cnt2] capability object-policy-rule maximum 1000

Related commands

display object-policy ip (Security Command Reference)

capability security-policy-rule maximum

Use capability security-policy-rule maximum to set the maximum number of security policy rules for a context.

Use undo capability security-policy-rule maximum to restore the default.

Syntax

capability security-policy-rule maximum max-number

undo capability security-policy-rule maximum

Default

The number of security policy rules is not limited for a context.

Views

Context view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of security policy rules for the context, in the range of 1 to 4294967295.

Usage guidelines

A large number of rules occupy too much memory, affecting other features on the context. This command sets the maximum number of security policy rules for a context. When the maximum number is reached, you cannot add new rules.

If the maximum number you set is smaller than the number of existing security policy rules, this setting takes effect. The context does not delete extra existing security policy rules and allows new security policy rules to be created only when the number of security policy rules drops below the maximum number.

Examples

# Set the maximum number of security policy rules to 1000 for context cnt2.

<Sysname> system-view

[Sysname] context cnt2

[Sysname-context-2-cnt2] capability security-policy-rule maximum 1000

Related commands

display security-policy ip (Security Command Reference)

capability session maximum

Use capability session maximum to set the maximum number of concurrent unicast sessions for a context.

Use undo capability session maximum to restore the default.

Syntax

capability session maximum max-number

undo capability session maximum

Default

The number of concurrent unicast sessions is not limited for a context.

Views

Context view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of concurrent unicast sessions for the context. The value range is 1 to 4294967295.

Usage guidelines

A large number of concurrent unicast sessions occupy too much memory, affecting other features on the context. This command sets the maximum number of concurrent unicast sessions for a context. When the maximum number is reached, you cannot establish additional unicast sessions.

If the maximum number you set is smaller than the number of existing concurrent unicast sessions, this setting takes effect. The context does not delete extra existing concurrent unicast sessions and allows new unicast sessions to be created only when the number of concurrent unicast sessions drops below the maximum number.

This command does not affect local traffic, such as FTP traffic, Telnet traffic, SSH traffic, HTTP traffic, and HTTP-based load balancing traffic.

Examples

# Set the maximum number of concurrent unicast sessions to 1000000 for context cnt2.

<Sysname> system-view

[Sysname] context cnt2

[Sysname-context-2-cnt2] capability session maximum 1000000

Related commands

context

display session statistics (Security Command Reference)

capability session maximum threshold

Use capability session maximum threshold to set the alarm threshold for the ratio of the current concurrent unicast sessions to the maximum concurrent unicast sessions on a context.

Use undo capability session maximum threshold to restore the default.

Syntax

capability session maximum threshold threshold-value

undo capability session maximum threshold

Default

The alarm threshold is 95% for the ratio of the current concurrent unicast sessions to the maximum concurrent unicast sessions on a context.

Views

Context view

Predefined user roles

network-admin

Parameters

threshold-value: Sets the alarm threshold, in percentage. The value range for this argument is 1 to 99.

Usage guidelines

When the ratio of the current concurrent unicast sessions to the maximum concurrent unicast sessions on a context exceeds the specified threshold, the system generates an alarm message to notify the threshold-crossing event. When the ratio of the current concurrent unicast sessions to the maximum concurrent unicast sessions drops to the specified threshold, the system generates an alarm message to notify that the threshold-crossing alarm is cleared.

Examples

# Set the alarm threshold to 80% for the ratio of the current concurrent unicast sessions to the maximum concurrent unicast sessions on context 1.

<Sysname> system-view

[Sysname] context 1

[Sysname-context-2-1] capability session maximum threshold 80

Related commands

context

capability session rate

Use capability session rate to set the upper limit of the session establishment rate for a context.

Use undo capability session rate to restore the default.

Syntax

capability session rate max-value

undo capability session rate

Default

The session establishment rate is not limited for a context.

Views

Context view

Predefined user roles

network-admin

Parameters

max-value: Specifies the maximum number of sessions that can be established per second.

Usage guidelines

Establishing sessions too frequently consumes too much CPU resources. If a context establishes sessions too frequently, other contexts in the same security engine will not be able to establish sessions. This command sets the number of sessions that can be established per second for a context. When the limit is reached, no additional sessions can be established.

This command does not affect local traffic, such as FTP traffic, Telnet traffic, SSH traffic, HTTP traffic, and HTTP-based load balancing traffic.

Examples

# Configure context cnt2 to establish a maximum of 20000 sessions per second.

<Sysname> system-view

[Sysname] context cnt2

[Sysname-context-2-cnt2] capability session rate 20000

Related commands

context

display session statistics (Security Command Reference)

capability session rate threshold

Use capability session rate threshold to set the alarm threshold for the ratio of the current session establishment rate to the maximum session establishment rate on a context.

Use undo capability session rate threshold to restore the default.

Syntax

capability session rate threshold threshold-value

undo capability session rate threshold

Default

The alarm threshold is 95% for the ratio of the current session establishment rate to the maximum session establishment rate on a context.

Views

Context view

Predefined user roles

network-admin

Parameters

threshold-value: Sets the alarm threshold, in percentage. The value range for this argument is 1 to 99.

Usage guidelines

When the ratio of the current session establishment rate to the maximum session establishment rate on a context exceeds the specified threshold, the system generates an alarm message to notify the threshold-crossing event. When the ratio of the current session establishment rate to the maximum session establishment rate drops to the specified threshold, the system generates an alarm message to notify that the threshold-crossing alarm is cleared.

Examples

# Set the alarm threshold to 80% for the ratio of the current session establishment rate to the maximum session establishment rate on context 1.

<Sysname> system-view

[Sysname] context 1

[Sysname-context-2-1] capability session rate threshold 80

Related commands

context

capability sslvpn-user maximum

Use capability sslvpn-user maximum to set the maximum number of SSL VPN users for a context.

Use undo capability sslvpn-user maximum to restore the default.

Syntax

capability sslvpn-user maximum max-number

undo capability sslvpn-user maximum

Default

The number of SSL VPN users is not limited for a context. The number is determined by the usage of the SSL VPN licenses installed on the device.

Views

Context view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of SSL VPN users for the context. The value range is 1 to 1048575.

Usage guidelines

This command limits the number of SSL VPN users that can log in to a context. When the maximum number is reached, the context will reject the login requests of new SSL VPN users.

If the maximum number you set is smaller than the number of SSL VPN users that already have logged in to a context, this setting takes effect. The context does not log out the currently logged-in users and allows new users to log in only when the number of the logged-in users drops below the maximum number.

Examples

# Set the maximum number of SSL VPN users to 1000000 for context cnt2.

<Sysname> system-view

[Sysname] context cnt2

[Sysname-context-2-cnt2] capability sslvpn-user maximum 1000000

Related commands

context

capability throughput

Use capability throughput to set the outbound throughput threshold for a context.

Use undo capability throughput to restore the default.

Syntax

capability throughput { gbps | kbps | mbps | pps } threshold

undo capability throughput

Default

The outbound throughput of a context is not limited on a context.

Views

Context view

Predefined user roles

network-admin

Parameters

gbps threshold: Specifies the throughput threshold in gigabits per second. The value range for the threshold argument is 1 to 1000.

kbps threshold: Specifies the throughput threshold in kilobits per second. The value range for the threshold argument is 1000 to 1000000000.

mbps threshold: Specifies the throughput threshold in megabits per second. The value range for the threshold argument is 1 to 1000000.

pps threshold: Specifies the throughput threshold in number of packets per second. The value range for the threshold argument is 1000 to 1000000000.

Examples

# Set the outbound throughput threshold to 100000 kbps for context cnt2.

<Sysname> system-view

[Sysname] context cnt2

[Sysname-context-2-cnt2] capability throughput kbps 100000

# Set the outbound throughput threshold to 10000 pps for context cnt3.

<Sysname> system-view

[Sysname] context cnt3

[Sysname-context-3-cnt3] capability throughput pps 10000

context

Use context to create a context and enter its view, or enter the view of an existing context.

Use undo context to delete a context.

Syntax

context context-name [ id context-id ] [ vlan-unshared ]

undo context context-name

Default

A default context exists. The context name is Admin and the context ID is 1.

Views

System view

Predefined user roles

network-admin

Parameters

context-name: Specifies the context name, a case-sensitive string of 1 to 15 characters.

id context-id: Specifies the context ID. If you do not specify this option, the system assigns the lowest ID among the available IDs to the context.

The following compatibility matrix shows the value ranges for the context ID:

‌

Series	Models	Value range
F5000 series	F5000-AI160	1 to 33
	F5000-CN160	1 to 65
	F5000-CN-G85, F5000-CN-G65, F5000-CN-G55	1 to 17
	F5000-AI-40, F5000-AI-20	1 to 257
	F5000-AI-15	1 to 17
F1000 series	F1000-AI-25	1 to 9

‌

vlan-unshared: Configures the context to not share VLAN resources with any contexts. If you do not specify this keyword, the context shares the same VLAN resources with other contexts.

Usage guidelines

A context with the VLAN-unshared attribute has its own VLAN resources (VLAN 1 through VLAN 4094). It does not share VLAN resources with any other contexts. You log in to the context and use the vlan command to create VLANs for the context.

All contexts without the VLAN-unshared attribute share the same VLAN resources (VLAN 1 through VLAN 4094). You create VLANs on the default context and use the allocate vlan command to assign VLANs to the contexts. A VLAN can be assigned only to one context.

Examples

# Create a context named test.

<Sysname> system-view

[Sysname] context test

[Sysname-context-2-test]

# Create a context named test. Set its ID to 2.

<Sysname> system-view

[Sysname] context test id 2

[Sysname-context-2-test]

context start

Use context start to start a context.

Use undo context start to stop a context.

Syntax

context start [ force ]

undo context start [ force ]

Default

A context is not started.

Views

Context view

Predefined user roles

network-admin

Parameters

force: Forcibly starts or stops a context. If you do not specify this keyword, the command starts or stops a context through normal procedures.

Usage guidelines

CAUTION:

Stop a context with caution. Stopping a context stops all services on the context and logs out all users on the context. To avoid configuration data loss, save the running configuration of a context before you stop the context.

You must use this command to initiate a newly created context. You can configure a context only after it is started.

Examples

# Start context cnt2.

<Sysname> system-view

[Sysname] context cnt2

[Sysname-context-2-cnt2] context start

context-capability inbound broadcast single

Use context-capability inbound broadcast single to set the inbound broadcast rate limit for a context.

Use undo context-capability inbound broadcast single to restore the default.

Syntax

context-capability inbound broadcast single pps threshold

undo context-capability inbound broadcast single

Default

The inbound broadcast rate limit for a context is the total inbound broadcast rate limit divided by the number of active contexts that share interfaces with other contexts.

Views

System view

Context view

Predefined user roles

network-admin

Parameters

pps threshold: Specifies the inbound broadcast rate limit in pps, in the range of 1000 to 100000.

Usage guidelines

The rate limit takes effect only on active contexts that share interfaces with other contexts on the device.

If you execute this command in system view, you set the limit for the default context. If you execute this command in context view, you set the limit for the non-default context.

When both a per-context inbound broadcast rate limit and the total inbound broadcast rate limit are reached, the device drops subsequent broadcast packets that arrive at the context. To set the total inbound broadcast rate limit, use the context-capability inbound broadcast total command.

Examples

# Set the inbound broadcast rate limit for the default context to 10000 pps for context ctx1.

<Sysname> system-view

[Sysname] context ctx1

[Sysname-context-1-ctx1] context-capability inbound broadcast single pps 10000

# Set the inbound broadcast rate limit to 10000 pps on context ctx1.

<Sysname> system-view

[Sysname] context ctx1

[Sysname-context-1-ctx1] context-capability inbound broadcast single pps 10000

Related commands

context-capability inbound broadcast total

Use context-capability inbound broadcast total to set the total inbound broadcast rate limit for all contexts.

Use undo context-capability inbound broadcast total to restore the default.

Syntax

context-capability inbound broadcast total pps threshold

undo context-capability inbound broadcast total

Default

The total inbound broadcast rate limit for all contexts is 20000 pps.

Views

System view

Predefined user roles

network-admin

Parameters

pps threshold: Specifies the total inbound broadcast rate limit in pps. The limit can be 0 or a value in the range of 1000 to 100000. Setting the limit to 0 disables inbound broadcast rate limiting.

Usage guidelines

The rate limit takes effect only on active contexts that share interfaces with other contexts.

The total inbound broadcast rate is the sum of the inbound broadcast rates on all active contexts that share interfaces with other contexts.

When both a per-context inbound broadcast rate limit and the total inbound broadcast rate limit are reached, the device drops subsequent broadcast packets that arrive at the context. To set the inbound broadcast rate limit for a context, use the context-capability inbound broadcast single command.

Examples

# Set the total inbound broadcast rate limit to 10000 pps.

<Sysname> system-view

[Sysname] context-capability inbound broadcast total pps 10000

Related commands

context-capability inbound broadcast single

context-capability inbound drop-logging enable

Use context-capability inbound drop-logging enable to enable logging for incoming packets dropped because of rate limiting on contexts.

Use undo context-capability inbound drop-logging enable to disable logging for incoming packets dropped because of rate limiting on contexts.

Syntax

context-capability inbound drop-logging enable

undo context-capability inbound drop-logging enable

Default

Logging is disabled for incoming packets that are dropped because of rate limiting on contexts.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This logging feature generates and sends a log message to the information center when an incoming packet is dropped because of broadcast or multicast rate limiting on contexts. For more information about how the information center manages log messages, see information center configuration in Network Management and Monitoring Configuration Guide.

Examples

# Enable logging for incoming packets dropped because of rate limiting on contexts.

<Sysname> system-view

[Sysname] context-capability inbound drop-logging enable

context-capability inbound multicast single

Use context-capability inbound multicast single to set the inbound multicast rate limit for a context.

Use undo context-capability inbound multicast single to restore the default.

Syntax

context-capability inbound multicast single pps threshold

undo context-capability inbound multicast single

Default

The inbound multicast rate limit for a context is the total inbound multicast rate limit divided by the number of active contexts that share interfaces with other contexts.

Views

System view

Context view

Predefined user roles

network-admin

Parameters

pps threshold: Specifies the inbound multicast rate limit in pps, in the range of 1000 to 100000.

Usage guidelines

The rate limit takes effect only on active contexts that share interfaces with other contexts on the device.

If you execute this command in system view, you set the limit for the default context. If you execute this command in context view, you set the limit for the non-default context.

When both a per-context inbound multicast rate limit and the total inbound multicast rate limit are reached, the device drops subsequent multicast packets that arrive at the context. To set the total inbound multicast rate limit, use the context-capability inbound multicast total command.

Examples

# Set the inbound multicast rate limit to 10000 pps for context ctx1.

<Sysname> system-view

[Sysname] context ctx1

[Sysname-context-1-ctx1] context-capability inbound multicast single pps 10000

# Set the inbound multicast rate limit to 10000 pps for context ctx1.

<Sysname> system-view

[Sysname] context ctx1

[Sysname-context-1-ctx1] context-capability inbound multicast single pps 10000

Related commands

context-capability inbound multicast total

Use context-capability inbound multicast total to set the total inbound multicast rate limit for all contexts.

Use undo context-capability inbound multicast total to restore the default.

Syntax

context-capability inbound multicast total pps threshold

undo context-capability inbound multicast total

Default

The total inbound multicast rate limit for all contexts is 0 pps.

Views

System view

Predefined user roles

network-admin

Parameters

pps threshold: Specifies the total inbound multicast rate limit in pps. The limit can be 0 or a value in the range of 1000 to 100000. Setting the limit to 0 disables inbound multicast rate limiting.

Usage guidelines

The rate limit takes effect only on active contexts that share interfaces with other contexts.

The total inbound multicast rate is the sum of the inbound multicast rates on all active contexts that share interfaces with other contexts.

When both a per-context inbound multicast rate limit and the total inbound multicast rate limit are reached, the device drops subsequent multicast packets that arrive at the context. To set the inbound multicast rate limit for a context, use the context-capability inbound multicast single command.

Examples

# Set the total inbound multicast rate limit to 10000 pps.

<Sysname> system-view

[Sysname] context-capability inbound multicast total pps 10000

Related commands

context-capability inbound multicast single

context-capability throughput drop-logging enable

Use context-capability throughput drop-logging enable to enable throughput-threshold-execeeded packet drop logging for all contexts.

Use undo context-capability throughput drop-logging enable to disable throughput-threshold-execeeded packet drop logging for all contexts.

Syntax

context-capability throughput drop-logging enable

undo context-capability throughput drop-logging enable

Default

The system does not log packet drop events that occur on any contexts when the outbound throughput threshold is exceeded.

Views

System view

Predefined user roles

network-admin

network-operator

Usage guidelines

This command enables the system to log packet drop events that occur on any contexts because the outbound throughput threshold is exceeded.

This command applies to all contexts. To have it take effect on a context, you must also use the capability throughput command to set an outbound throughput threshold for it.

These two commands enable the device to generate a packet drop event log when it starts dropping packets on a context because the outbound throughput of the context is exceeded. When the outbound throughput of the context decreases below the threshold, the device generates a recovery log.

The generated logs are sent to the information center. With the information center, you can configure log destinations and output rules. For more information about the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Enable throughput-threshold-execeeded packet drop logging for all contexts.

<Sysname> system-view

[Sysname] context-capability throughput drop-logging enable

Related commands

capability throughput

context-capability throughput alarm enable

Use context-capability throughput alarm enable to enable the outbound throughput usage alarm and set the throughput usage alarm threshold for contexts.

Use undo context-capability throughput alarm enable to disable the outbound throughput usage alarm for contexts.

Syntax

context-capability throughput alarm enable alarm-threshold alarm-threshold

undo context-capability throughput alarm enable

Default

Outbound throughput usage alarm is disabled for contexts.

Views

System view

Predefined user roles

network-admin

network-operator

Parameters

alarm-threshold usage-threshold: Specifies the throughput usage alarm threshold, in percentage. The value range for the usage-threshold argument is 1 to 99.

Usage guidelines

This command applies to all contexts. To have it take effect on a context, you must also use the capability throughput command to set an outbound throughput threshold for that context.

The system generates a throughput usage alarm for a context when the ratio of its actual outbound throughput to the outbound throughput threshold exceeds the throughput usage alarm threshold. When that ratio decreases below the throughput usage alarm threshold, the system generates a recovery log.

Examples

# Enable the throughput usage alarm and set the throughput usage alarm threshold to 80% for contexts.

<Sysname> system-view

[Sysname] context-capability throughput alarm enable alarm-threshold 80

Related commands

capability throughput

description

Use description to configure the description of the default context, or configure a description for a non-default context.

Use undo description to restore the default.

Syntax

description text

undo description

Default

The default context uses the description DefaultContext. A non-default context does not have a description.

Views

Context view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 255 characters.

Usage guidelines

You can configure a description for each context, which is useful when there are a number of contexts.

Examples

# Configure a description for context cnt2.

<Sysname> system-view

[Sysname] context cnt2

[Sysname-context-2-cnt2] description test

display context

Use display context to display contexts.

Syntax

display context [ name context-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.

Usage guidelines

On the default context, this command displays the context specified by the name context-name option. Without the option, this command displays all contexts on the device.

Examples

# Display all contexts.

<Sysname> display context

ID Name Status Description

1 cnt1 active context1

2 cnt2 inactive context2

3 cnt3 inactive context3

Table 1 Command output

Field	Description
Status	Status of the context: · active—The context is operating correctly. · inactive—The context is not started. · starting—The context is starting up. · stopping—The context is being stopped.

Field

Description

Status

Status of the context:

· active—The context is operating correctly.

· inactive—The context is not started.

· starting—The context is starting up.

· stopping—The context is being stopped.

‌

display context capability

Use display context capability to display usage of allocable service resources on contexts.

Syntax

display context [ name context-name ] capability [ security-policy | { session | throughout } [ slot slot-number ] | sslvpn-user ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters. If you do not specify a context, this command displays usage of allocable service resources on all contexts.

security-policy: Displays usage of allocable security policy rule resources.

session: Displays usage of allocable session resources.

sslvpn-user: Displays usage of allocable SSL VPN user resources.

throughout: Displays usage of allocable outbound throughput resources.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays the usage on all member devices.

Usage guidelines

This command is supported only on the default context.

Examples

# Display usage of allocable service resources on all contexts.

<Sysname> display context capability

Session usage and establishment rate:

Slot 1 CPU 0:

ID Name Maximum Used Free Total(/s) Rate(/s) Usage(%)

1 Admin NA 500 NA NA 1000 NA

2 context1 10000 300 9700 1000 100 10

3 context2 2000 1000 1000 2000 1000 50

Security policy rule usage:

ID Name Maximum Used Free

1 Admin NA 500 NA

2 context1 10000 300 9700

3 context2 2000 1000 1000

Online SSL VPN users:

ID Name Maximum Used Free

1 Admin NA 0 NA

2 conetxt1 10000 3000 7000

3 context2 2000 0 2000

Throughout usage:

Slot 1 CPU 0:

ID Name Maximum Used Free Usage(%) Unit

1 Admin NA 500 NA NA kbps

2 conetxt1 10000 1000 9000 10 kbps

3 context2 200000 10000 10000 50 kbps

Table 2 Command output

Field	Description
ID	Context ID.
Name	Context name.
Maximum	Maximum number of allocable resources.
Used	Number of used resources.
Free	Number of available resources.
Total	Maximum session establishment rate, which is the maximum number of sessions that can be established in a second.
Rate	Current session establishment rate.
Usage	Ratio of the current session establishment rate to the maximum session establishment rate or ratio of the actual outbound throughput to the outbound throughput threshold, in percentage.
Unit	Unit of the outbound throughput resources.
Throughout usage	Usage of allocable outbound throughput resources.

Related commands

· capability security-policy-rule maximum

· capability session maximum

· capability session rate

· capability sslvpn-user maximum

· cpability throughput

display context capability inbound broadcast

Use display context capability inbound broadcast to display the inbound broadcast rate limit information about a context.

Syntax

display context name context-name capability inbound broadcast slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.

slot slot-number: Specifies an IRF member device by its member ID.

Examples

# Display the inbound broadcast rate limit information about context abc on a slot.

<Sysname> display context name abc capability inbound broadcast slot 1

Context name: abc

Context ID: 2

Drop Rate: 1000 pps

Inbound throughput limit: 8000 pps

Total inbound throughput limit: 10000 pps

Table 3 Command output

Field	Description
Drop Rate	Broadcast packet drop rate of the context.
Inbound throughput limit	Inbound broadcast rate limit for the context.
Total inbound throughput limit	Total inbound broadcast rate limit.

‌

display context capability inbound multicast

Use display context capability inbound multicast to display the inbound multicast rate limit information about a context.

Syntax

display context name context-name capability inbound multicast slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.

slot slot-number: Specifies an IRF member device by its member ID.

Examples

# Display the inbound multicast rate limit information about context abc on a slot.

<Sysname> display context name abc capability inbound multicast slot 1

Context name: abc

Context ID: 2

Drop Rate: 1000 pps

Inbound throughput limit: 8000 pps

Total inbound throughput limit: 10000 pps

Table 4 Command output

Field	Description
Drop Rate	Multicast packet drop rate of the context.
Inbound throughput limit	Inbound multicast rate limit for the context.
Total inbound throughput limit	Total inbound multicast rate limit.

‌

display context configuration

Use display context configuration to display or save context configuration information.

Syntax

display context [ name context-name ] configuration [ file filename ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters. If you do not specify this option, the command displays the configurations of all contexts.

file filename: Saves the information to a file. The filename argument specifies the file name, a case-insensitive string of 1 to 255 characters. The file name must use the .tar.gz extension, and cannot be ..tar.gz or …tar.gz. It cannot start with a hyphen (-) or contain any of the following characters: quote marks ("), forward slashes (/), colons (:), backward slashes (\), question marks (?), less than signs (<), greater than signs (>), vertical bars (|), and asterisks (*). If you do not specify this option, the system prompts you to choose whether to display or save the information.

Usage guidelines

This command is supported only on the default context.

This command does not take effect on contexts that have not started up.

Executing this command is equivalent to executing the display current-configuration command on the specified context or each context.

Examples

# Display the configurations of all contexts.

<Sysname> display context configuration

Save or display context configuration(Y=save, N=display)? [Y/N]:n

===========inner configuration of context Admin===========

============================================================

display current-configuration

version 7.1.064, Feature 9321

sysname Sysname

context Admin id 1

context cnt1 id 2

return

===========inner configuration of context cnt1===========

============================================================

display current-configuration

version 7.1.064, Feature 9321

sysname Sysname

context Admin id 1

context cnt1 id 2

---- More ----

# Save the configurations of all contexts to a file in interactive mode.

<Sysname> display context configuration

Save or display context configuration (Y=save, N=display)? [Y/N]:y

Please input the file name(*.tar.gz)[flash:/diag.tar.gz]: test.tar.gz

Saving context configuration to flash:/test.tar.gz. Please wait....

# Save the configurations of all contexts to a file by specifying a file name for the command.

<Sysname> display context configuration file test.tar.gz

Saving context configuration to flash:/test.tar.gz. Please wait...

display context interface

Use display context interface to display interfaces assigned to contexts.

Syntax

display context [ name context-name ] interface

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.

Usage guidelines

This command cannot display interfaces created on non-default contexts.

On the default context, this command displays the interfaces allocated to the non-default context specified by using the name context-name option. If you do not specify the option, this command displays the interfaces allocated to all non-default contexts on the device.

Examples

# Display the interfaces allocated to all non-default contexts.

<Sysname> display context interface

Context stub1's interfaces:

GigabitEthernet1/0/2

Context stub2's interfaces:

GigabitEthernet1/0/3

Related commands

allocate interface

display context online-users sslvpn

Use display context online-users sslvpn to display the number of online SSL VPN users on all contexts.

Syntax

display context online-users sslvpn

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

The number of online SSL VPN users collected by this command equals to the number of SSL VPN sessions.

Examples

# Display the number of online SSL VPN users on all contexts.

<Sysname> display context online-users sslvpn

Total number of SSL VPN online users: 50

display context reboot

Use display context name reboot to display non-default context reboot information.

Syntax

display context name context-name reboot show-number [ offset ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name context-name: Specifies a non-default context by its name, a case-sensitive string of 1 to 15 characters.

show-number: Specifies the number of non-default context reboot records to be displayed, in the range of 1 to 20.

offset: Specifies the offset of the first non-default context reboot record to be displayed, starting from the most recent record. The value range is 0 to 19. The default value is 0, which means starting from the most recent record.

Usage guidelines

To view the reboot information about the default context, execute the display version command and view the Last reboot reason field. For more information about this command, see Fundamentals Command Reference.

Examples

# Display the most recent reboot record of context test.

<Sysname> display context name test reboot 1

----------------- Reboot record 1 -----------------

Recorded at : 2019-05-01 11:16:00

Reason : 0x0

Process : comsh (PID: 120) from Context 3 on slot 1 cpu 0

Table 5 Command output

Field	Description
Reason	Reboot reason.
Process	Process that triggered the reboot, in the format of process-name (PID: process-ID) from Context context-ID on slot slot-number CPU CPU-number.

Related commands

display version (Fundamentals Command Reference)

reset context name reboot

display context resource

Use display context resource to display CPU and memory usage for contexts.

Syntax

display context [ name context-name ] resource [ cpu | memory ] [ slot slot-number cpu cpu-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters. If you do not specify this option, the command displays the usage for all contexts.

cpu: Displays the CPU usage.

memory: Displays the memory usage.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays the usage on all member devices.

cpu cpu-number: Specifies a CPU by its number.

Usage guidelines

If you do not specify the cpu or memory keyword, the command displays the CPU and memory space usage.

Examples

# Display the CPU usage for all contexts on all member devices.

<Sysname> display context resource cpu

CPU usage:

Slot 1 CPU 0:

ID Name Weight Usage(%)

1 cnt1 10 24

2 cnt2 10 0

Slot 2 CPU 0:

ID Name Weight Usage(%)

1 cnt3 10 0

2 cnt4 10 0

Table 6 Command output

Field	Description
Memory usage	Memory usage statistics.
CPU usage	CPU usage statistics.
Used 238.1MB, Free 249.3MB, Total 487.4MB	Memory usage statistics: · Used—Used memory space, in MB. · Free—Available memory space, in MB. · Total—Total memory space, in MB. The Used field displays 0 if no context has started on the slot.
ID	Context ID.
name	Context name.
Weight	The CPU resource usage weight of the context.
Usage(%)	Actual CPU usage of the context, in percentage.
Quota(MB)	The maximum amount of memory space for the context, in MB.
Used(MB)	The amount of memory space that the context has used.
Free(MB)	The amount of memory space that is still available for the context.

‌

Related commands

limit-resource cpu

limit-resource memory

display context statistics

Use display context statistics to display or save resource statistics for contexts.

Syntax

display context [ name context-name ] statistics [ file filename ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters. If you do not specify this option, the command displays or saves resource statistics for all contexts.

file filename: Saves the information to a file. The filename argument specifies the file name, a case-insensitive string of 1 to 255 characters. The file name must use the .tar.gz extension, and cannot be ..tar.gz or …tar.gz. It cannot start with a hyphen (-) or contain any of the following characters: quote marks ("), forward slashes (/), colons (:), backward slashes (\), question marks (?), less than signs (<), greater than signs (>), vertical bars (|), and asterisks (*). If you do not specify this argument, the system prompts you to choose whether to display or save the information.

Usage guidelines

This command is supported only on the default context.

Executing this command is equivalent to executing the following commands:

· display context capability

· display counters inbound interface

· display counters outbound interface

· display counters rate inbound interface

· display counters rate outbound interface

· display interface

· display ip statistics

· display ipv6 statistics

· display nat statistics

· display session statistics

Examples

# Display resource statistics for all contexts.

<Sysname> display context statistics

Save or display context statistics (Y=save, N=display)? [Y/N]:n

========================================================

=============== display session statistics =================

Slot 1:

Current sessions: 0

TCP sessions: 0

UDP sessions: 0

ICMP sessions: 0

ICMPv6 sessions: 0

UDP-Lite sessions: 0

SCTP sessions: 0

DCCP sessions: 0

RAWIP sessions: 0

...

# Save resource statistics for all contexts to a file in interactive mode.

<Sysname> display context statistics

Save or display context statistics(Y=save, N=display)? [Y/N]:y

Please input the file name(*.tar.gz)[flash:/diag.tar.gz]: test.tar.gz

Saving context statistics to flash:/test.tar.gz. Please wait....

# Save resource statistics for all contexts to a file by specifying a file name for the command.

<Sysname> display context statistics file test.tar.gz

Saving context statistics to flash:/test.tar.gz. Please wait...

Related commands

display context capability

display counters inbound interface (Interface Command Reference)

display counters outbound interface (Interface Command Reference)

display counters rate inbound interface (Interface Command Reference)

display counters rate outbound interface (Interface Command Reference)

display interface (Interface Command Reference)

display ip statistics (Layer 3—IP Services Command Reference)

display ipv6 statistics (Layer 3—IP Services Command Reference)

display nat statistics (NAT Command Reference)

display session statistics (Security Command Reference)

display context vlan

Use display context vlan to display VLAN lists for contexts.

Syntax

display context [ name context-name ] vlan

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.

Usage guidelines

On the default context, if you specify the name context-name option, this command displays the VLAN list for the specified context. If you do not specify the name context-name option, this command displays VLAN lists for all contexts.

Examples

# Display VLAN lists for all contexts.

<Sysname> display context vlan

Context stub1's VLAN(s):

Context stub2's VLAN(s):

2,4094

Context stub3's VLAN(s):

5,6,800-3000,3400

# Display the VLAN list for context sub1.

<Sysname> display context name sub1 vlan

Context stub1's VLAN(s):

5,6,11-23,3400

Related commands

allocate vlan

limit-resource cpu

Use limit-resource cpu to set a CPU weight for a context.

Use undo limit-resource cpu to restore the default.

Syntax

limit-resource cpu weight weight-value

undo limit-resource cpu

Default

Each context has a CPU weight of 10.

Views

Context view

Predefined user roles

network-admin

Parameters

weight weight-value: Specifies a CPU weight value in the range of 1 to 10.

Examples

# Set the CPU weight to 2 for context cnt2.

<Sysname> system-view

[Sysname] context cnt2

[Sysname-context-2-cnt2] limit-resource cpu weight 2

limit-resource memory

Use limit-resource memory to set a memory space percentage for a context. A memory space percentage defines the maximum memory space that the context can use.

Use undo limit-resource memory to restore the default.

Syntax

limit-resource memory slot slot-number cpu cpu-number ratio limit-ratio

undo limit-resource memory slot slot-number cpu cpu-number

Default

All contexts share the memory space in the system. A context can use all free memory space.

Views

Context view

Predefined user roles

network-admin

Parameters

slot slot-number cpu cpu-number: Specifies a security engine on an IRF member device. The slot-number argument represents the member ID of the IRF member device. The cpu-number argument represents the CPU number.

ratio limit-ratio: Specifies the ratio of the memory space that the context can use on the specified security engine to the total memory space of the engine. The value range is 1 to 100.

Usage guidelines

When you assign a context to a security engine group, the system automatically assigns memory space resources on the security engines to the context. All contexts residing on the same security engine share and compete for the engine's free memory resources. To prevent one context from occupying too many memory space resources, assign memory space resources to the contexts. When the limit for a context is reached, the context cannot apply for more memory space.

When you assign memory space to a context, follow these guidelines:

· Use the display context resource command to view the amount of memory space that has been used by the context before assigning memory space to the context.

· Assign an amount of memory space that is larger than the memory space used by the context to avoid the following problems:

¡ The context cannot apply for more memory space.

¡ The context cannot create, copy, or save additional folders or files.

Examples

# Configure context cnt2 to use up to 30% of the memory space on CPU 0 of member device 1.

<Sysname> system-view

[Sysname] context cnt2

[Sysname-context-2-cnt2] limit-resource memory slot 1 cpu 0 ratio 30

reset context capability inbound broadcast

Use reset context capability inbound broadcast to clear the inbound broadcast rate limit statistics for a context.

Syntax

reset context name context-name capability inbound broadcast slot slot-number

Views

User view

Predefined user roles

network-admin

Parameters

name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.

slot slot-number: Specifies an IRF member device by its member ID.

Examples

# Clear the inbound broadcast rate limit statistics for context abc on a slot.

<Sysname> reset context name abc capability inbound broadcast slot 1

reset context capability inbound multicast

Use reset context capability inbound multicast to clear the inbound multicast rate limit statistics for a context.

Syntax

reset context name context-name capability inbound multicast slot slot-number

Views

User view

Predefined user roles

network-admin

Parameters

name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.

slot slot-number: Specifies an IRF member device by its member ID.

Examples

# Clear the inbound multicast rate limit statistics for context abc on a slot.

<Sysname> reset context name abc capability inbound multicast slot 1

reset context reboot

Use reset context name reboot to clear non-default context reboot information.

Syntax

reset context [ name context-name ] reboot

Views

User view

Predefined user roles

network-admin

Parameters

name context-name: Specifies a non-default context by its name, a case-sensitive string of 1 to 15 characters. If you do not specify a non-default context, this command clears reboot information for all non-default contexts.

Examples

# Clear reboot information about non-default context test.

<Sysname> reset context name test reboot

Related commands

display context name reboot

snmp-agent trap enable sib

Use snmp-agent trap enable sib to enable SNMP notifications for context outbound throughput events.

Use undo snmp-agent trap enable sib to disable SNMP notifications for context outbound throughput events.

Syntax

snmp-agent trap enable sib

undo snmp-agent trap enable sib

Default

SNMP notifications for context outbound throughput events is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to generate SNMP notifications for the events logged by the following logging features:

· Throughput-threshold-exceeded packet drop event logging, enabled by using the context-capability throughput drop-logging enable command.

· Outbound throughput usage alarm, enabled by using the context-capability throughput alarm enable command.

For the SNMP notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

Examples

# Enable SNMP notifications for context outbound throughput events.

<Sysname> system-view

[Sysname] snmp-agent trap enable sib

Related commands

context-capability throughput drop-logging enable

context-capability throughput alarm enable

switchto context

Use switchto context to log in to a context.

Syntax

switchto context context-name

Views

System view

Predefined user roles

network-admin

network-operator

Parameters

context-name: Specifies a context that has been started.

Usage guidelines

Use this command to log in to a non-default context from the system view of the default context. The connection uses the internal interfaces between the physical device and the context.

Examples

# Log in to context test2.

<Sysname> system-view

[Sysname] switchto context test2

******************************************************************************

* Without the owner's prior written consent, *

* no decompiling or reverse-engineering shall be allowed. *

******************************************************************************

<H3C>

tar context log

Use tar context log to archive log messages for contexts.

Syntax

tar context [ name context-name ] log file filename

Views

User view

Predefined user roles

network-admin

Parameters

name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters. If you do not specify this option, the command archives log messages for all contexts.

file filename: Specifies a file name, a case-insensitive string of 1 to 255 characters. The file name must use the .tar.gz extension, and cannot be ..tar.gz or …tar.gz. It cannot start with a hyphen (-) or contain any of the following characters: quote marks ("), forward slashes (/), colons (:), backward slashes (\), question marks (?), less than signs (<), greater than signs (>), vertical bars (|), and asterisks (*).

Usage guidelines

This command is supported only on the default context.

This command does not take effect on contexts that have never started up.

This command archives all files in the logfile directory and diagfile directory.

Examples

# Archive log messages for all contexts to file test.tar.gz.

<Sysname> tar context log file test.tar.gz

Context commands for non-default contexts

This section describes the context commands that you can use after logging in to a non-default context.

display context interface

Use display context interface to display interfaces assigned to the current context.

Syntax

display context interface

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the interfaces assigned to the current context.

<Sysname> display context interface

Context stub1's interfaces:

GigabitEthernet1/0/2

Related commands

allocate interface

display context reboot

Use display context reboot to display reboot information about the current context.

Syntax

display context reboot show-number [ offset ]

Views

Any view

Predefined user roles

context-admin

context-operator

Parameters

show-number: Specifies the number of context reboot records to be displayed, in the range of 1 to 20.

offset: Specifies the offset of the first context reboot record to be displayed, starting from the most recent record. The value range is 0 to 19. The default value is 0, which means starting from the most recent record.

Examples

# Display the most recent reboot record of the current CONTEXT.

<Sysname> display context reboot 1

----------------- Reboot record 1 -----------------

Recorded at : 2019-05-01 11:16:00

Reason : 0x0

Process : comsh (PID: 120) from Context 3 on slot 1 cpu 0

For information about the command output fields, see Table 5.

Related commands

reset context reboot

Use reset context reboot to clear reboot information about the current context.

Syntax

reset context reboot

Views

User view

Predefined user roles

context-admin

Examples

# Clear reboot information about the current context.

<Sysname> reset context reboot

Related commands

display context reboot

02-Virtual Technologies Command Reference

Context commands

Context commands for the default context

display context online-users sslvpn

limit-resource cpu

switchto context

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

Company Information

News & Events

Contact Us