Contents
Context commands for the default context
capability object-policy-rule maximum
capability security-policy-rule maximum
capability session maximum threshold
capability session rate threshold
capability sslvpn-user maximum
context-capability inbound broadcast single
context-capability inbound broadcast total
context-capability inbound drop-logging enable
context-capability inbound multicast single
context-capability inbound multicast total
context-capability throughput drop-logging enable
context-capability throughput alarm enable
display context capability inbound broadcast
display context capability inbound multicast
display context online-users sslvpn
reset context capability inbound broadcast
reset context capability inbound multicast
Context commands for non-default contexts
Context commands
Context commands for the default context
This section describes the context commands that you can use after logging in to the default context (the physical device).
allocate interface
Use allocate interface to assign interfaces to a context.
Use undo allocate interface to reclaim interfaces assigned to a context.
Syntax
allocate interface { interface-type interface-number }&<1-24> [ share ]
undo allocate interface { interface-type interface-number }&<1-24>
allocate interface interface-type interface-number1 to interface-type interface-number2 [ share ]
undo allocate interface interface-type interface-number1 to interface-type interface-number2
Default
All interfaces on the firewall belong to the default context. A non-default context cannot use any interfaces.
Views
Context view
Predefined user roles
network-admin
Parameters
{ interface-type interface-number }&<1-24>: Assigns 1 to 24 individual interfaces to the context.
interface-type interface-number1 to interface-type interface-number2: Assigns a range of interfaces to the context. The specified interfaces must be of the same interface type and must belong to the same interface card.
share: Assigns the interfaces in shared mode. If you do not specify this keyword, the command assigns the interfaces exclusively to the context.
Usage guidelines
IMPORTANT:
· Do not assign IRF physical interfaces to a non-default context.
· If a subinterface of a Layer 3 interface is a member interface of a Reth interface, do not assign the Layer 3 interface to a non-default context.
· Logical interfaces support only shared mode, and physical interfaces support both exclusive mode and shared mode.
You can assign interfaces in exclusive or shared mode.
· Exclusive mode—You assign an interface exclusively to a context, and only the context can use the interface. The administrator of the context can see the interface and use all commands supported on the interface.
· Shared mode—You assign an interface to multiple contexts in shared mode, and the system creates a virtual interface for each context. The virtual interfaces use the same name as the physical interface but have different MAC addresses and IP addresses. They forward and receive packets through the physical interface. The shared mode improves interface usage.
You can see the physical interface and perform all commands supported on the interface from the default context. The administrator of a context can only see the context's virtual interface and use the shutdown, description, and network- and security-related commands.
Examples
# Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to context sub1 in shared mode.
<Sysname> system-view
[Sysname] context sub1
[Sysname-context-2-sub1] allocate interface gigabitethernet 1/0/1 to gigabitethernet 1/0/3 share
allocate vlan
Use allocate vlan to assign VLANs to a context.
Use undo allocate vlan to reclaim VLANs assigned to a context.
Syntax
allocate vlan vlan-id&<1-24>
undo allocate vlan vlan-id&<1-24>
allocate vlan vlan-id1 to vlan-id2
undo allocate vlan vlan-id1 to vlan-id2
Default
No VLAN is assigned to a context.
Views
Context view
Predefined user roles
network-admin
Parameters
vlan-id&<1-24>: Specifies a space-separated list of up to 24 VLAN IDs.
vlan-id1 to vlan-id2: Specifies a range of VLAN IDs.
Usage guidelines
You assign static VLANs except for VLAN 1 to contexts without the VLAN-unshared attribute. Before doing so, you must create the VLANs on the default context. A VLAN can be assigned only to one context. After the assignment to a context, you can use only the display commands on the context, but you can use all VLAN commands on the default context.
A context with the VLAN-unshared attribute has its own VLAN resources (VLAN 2 through VLAN 4094). It does not share VLAN resources with any other context. To create VLANs for the context, log in to the context and use the vlan command. VLAN 1 is system defined. You cannot create or delete VLAN 1.
Examples
# Assign VLAN 100 to context sub1.
<Sysname> system-view
[Sysname] context sub1
[Sysname-context-2-sub1] allocate vlan 100
Related commands
display context vlan
allocate vxlan
Use allocate vxlan to assign VXLANs to a context.
Use undo allocate vxlan to reclaim VXLANs assigned to a context.
Syntax
allocate vxlan vxlan-id&<1-24>
undo allocate vxlan vxlan-id&<1-24>
allocate vxlan vxlan-id1 to vxlan-id2
undo allocate vxlan vxlan-id1 to vxlan-id2
Default
No VXLANs are assigned to a context.
Views
Context view
Predefined user roles
network-admin
Parameters
vxlan-id&<1-24>: Specifies a space-separated list of up to 24 VXLAN IDs. The value range for VXLAN IDs is 0 to 16777215.
vxlan-id1 to vxlan-id2: Specifies a range of VXLAN IDs. The value range for VXLAN IDs is 0 to 16777215.
Usage guidelines
VXLANs assigned to a context can be used or configured only on that context.
Examples
# Assign VXLAN 100 to context sub1.
<Sysname> system-view
[Sysname] context sub1
[Sysname-context-2-sub1] allocate vxlan 100
The VXLAN will be allocated to context sub1. Continue? [Y/N]:y
capability object-policy-rule maximum
Use capability object-policy-rule maximum to set the maximum number of object policy rules for a context.
Use undo capability object-policy-rule maximum to restore the default.
Syntax
capability object-policy-rule maximum max-number
undo capability object-policy-rule maximum
Default
The number of object policy rules is not limited for a context.
Views
Context view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number of object policy rules for the context, in the range of 1 to 4294967295.
Usage guidelines
A large number of rules occupy too much memory, affecting other features on the context. This command sets the maximum number of object policy rules for a context. When the maximum number is reached, you cannot add new rules.
If the maximum number you set is smaller than the number of existing object policy rules, this setting takes effect. The context does not delete extra existing object policy rules and allows new object policy rules to be created only when the number of object policy rules drops below the maximum number.
Examples
# Set the maximum number of object policy rules to 1000 for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability object-policy-rule maximum 1000
Related commands
display object-policy ip (Security Command Reference)
capability security-policy-rule maximum
Use capability security-policy-rule maximum to set the maximum number of security policy rules for a context.
Use undo capability security-policy-rule maximum to restore the default.
Syntax
capability security-policy-rule maximum max-number
undo capability security-policy-rule maximum
Default
The number of security policy rules is not limited for a context.
Views
Context view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number of security policy rules for the context, in the range of 1 to 4294967295.
Usage guidelines
A large number of rules occupy too much memory, affecting other features on the context. This command sets the maximum number of security policy rules for a context. When the maximum number is reached, you cannot add new rules.
If the maximum number you set is smaller than the number of existing security policy rules, this setting takes effect. The context does not delete extra existing security policy rules and allows new security policy rules to be created only when the number of security policy rules drops below the maximum number.
Examples
# Set the maximum number of security policy rules to 1000 for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability security-policy-rule maximum 1000
Related commands
display security-policy ip (Security Command Reference)
capability session maximum
Use capability session maximum to set the maximum number of concurrent unicast sessions for a context.
Use undo capability session maximum to restore the default.
Syntax
capability session maximum max-number
undo capability session maximum
Default
The number of concurrent unicast sessions is not limited for a context.
Views
Context view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number of concurrent unicast sessions for the context. The value range is 1 to 4294967295.
Usage guidelines
A large number of concurrent unicast sessions occupy too much memory, affecting other features on the context. This command sets the maximum number of concurrent unicast sessions for a context. When the maximum number is reached, you cannot establish additional unicast sessions.
If the maximum number you set is smaller than the number of existing concurrent unicast sessions, this setting takes effect. The context does not delete extra existing concurrent unicast sessions and allows new unicast sessions to be created only when the number of concurrent unicast sessions drops below the maximum number.
This command does not affect local traffic, such as FTP traffic, Telnet traffic, SSH traffic, HTTP traffic, and HTTP-based load balancing traffic.
Examples
# Set the maximum number of concurrent unicast sessions to 1000000 for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability session maximum 1000000
Related commands
context
display session statistics (Security Command Reference)
capability session maximum threshold
Use capability session maximum threshold to set the alarm threshold for the ratio of the current concurrent unicast sessions to the maximum concurrent unicast sessions on a context.
Use undo capability session maximum threshold to restore the default.
Syntax
capability session maximum threshold threshold-value
undo capability session maximum threshold
Default
The alarm threshold is 95% for the ratio of the current concurrent unicast sessions to the maximum concurrent unicast sessions on a context.
Views
Context view
Predefined user roles
network-admin
Parameters
threshold-value: Sets the alarm threshold, in percentage. The value range for this argument is 1 to 99.
Usage guidelines
When the ratio of the current concurrent unicast sessions to the maximum concurrent unicast sessions on a context exceeds the specified threshold, the system generates an alarm message to notify the threshold-crossing event. When the ratio of the current concurrent unicast sessions to the maximum concurrent unicast sessions drops to the specified threshold, the system generates an alarm message to notify that the threshold-crossing alarm is cleared.
Examples
# Set the alarm threshold to 80% for the ratio of the current concurrent unicast sessions to the maximum concurrent unicast sessions on context 1.
<Sysname> system-view
[Sysname] context 1
[Sysname-context-2-1] capability session maximum threshold 80
Related commands
context
capability session rate
Use capability session rate to set the upper limit of the session establishment rate for a context.
Use undo capability session rate to restore the default.
Syntax
capability session rate max-value
undo capability session rate
Default
The session establishment rate is not limited for a context.
Views
Context view
Predefined user roles
network-admin
Parameters
max-value: Specifies the maximum number of sessions that can be established per second.
Usage guidelines
Establishing sessions too frequently consumes too much CPU resources. If a context establishes sessions too frequently, other contexts in the same security engine will not be able to establish sessions. This command sets the number of sessions that can be established per second for a context. When the limit is reached, no additional sessions can be established.
This command does not affect local traffic, such as FTP traffic, Telnet traffic, SSH traffic, HTTP traffic, and HTTP-based load balancing traffic.
Examples
# Configure context cnt2 to establish a maximum of 20000 sessions per second.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability session rate 20000
Related commands
context
display session statistics (Security Command Reference)
capability session rate threshold
Use capability session rate threshold to set the alarm threshold for the ratio of the current session establishment rate to the maximum session establishment rate on a context.
Use undo capability session rate threshold to restore the default.
Syntax
capability session rate threshold threshold-value
undo capability session rate threshold
Default
The alarm threshold is 95% for the ratio of the current session establishment rate to the maximum session establishment rate on a context.
Views
Context view
Predefined user roles
network-admin
Parameters
threshold-value: Sets the alarm threshold, in percentage. The value range for this argument is 1 to 99.
Usage guidelines
When the ratio of the current session establishment rate to the maximum session establishment rate on a context exceeds the specified threshold, the system generates an alarm message to notify the threshold-crossing event. When the ratio of the current session establishment rate to the maximum session establishment rate drops to the specified threshold, the system generates an alarm message to notify that the threshold-crossing alarm is cleared.
Examples
# Set the alarm threshold to 80% for the ratio of the current session establishment rate to the maximum session establishment rate on context 1.
<Sysname> system-view
[Sysname] context 1
[Sysname-context-2-1] capability session rate threshold 80
Related commands
context
capability sslvpn-user maximum
Use capability sslvpn-user maximum to set the maximum number of SSL VPN users for a context.
Use undo capability sslvpn-user maximum to restore the default.
Syntax
capability sslvpn-user maximum max-number
undo capability sslvpn-user maximum
Default
The number of SSL VPN users is not limited for a context. The number is determined by the usage of the SSL VPN licenses installed on the device.
Views
Context view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number of SSL VPN users for the context. The value range is 1 to 1048575.
Usage guidelines
This command limits the number of SSL VPN users that can log in to a context. When the maximum number is reached, the context will reject the login requests of new SSL VPN users.
If the maximum number you set is smaller than the number of SSL VPN users that already have logged in to a context, this setting takes effect. The context does not log out the currently logged-in users and allows new users to log in only when the number of the logged-in users drops below the maximum number.
Examples
# Set the maximum number of SSL VPN users to 1000000 for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability sslvpn-user maximum 1000000
Related commands
context
capability throughput
Use capability throughput to set the outbound throughput threshold for a context.
Use undo capability throughput to restore the default.
Syntax
capability throughput { gbps | kbps | mbps | pps } threshold
undo capability throughput
Default
The outbound throughput of a context is not limited.
Views
Context view
Predefined user roles
network-admin
Parameters
gbps threshold: Specifies the throughput threshold in gigabits per second. The value range for the threshold argument is 1 to 1000.
kbps threshold: Specifies the throughput threshold in kilobits per second. The value range for the threshold argument is 1000 to 1000000000.
mbps threshold: Specifies the throughput threshold in megabits per second. The value range for the threshold argument is 1 to 1000000.
pps threshold: Specifies the throughput threshold in number of packets per second. The value range for the threshold argument is 1000 to 1000000000.
Examples
# Set the outbound throughput threshold to 100000 kbps for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability throughput kbps 100000
# Set the outbound throughput threshold to 10000 pps for context cnt3.
<Sysname> system-view
[Sysname] context cnt3
[Sysname-context-3-cnt3] capability throughput pps 10000
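The capability commands above (session maximum, session rate, throughput, policy rule maximums, SSL VPN users) all default to "not limited", so a non-default context keeps no ceiling unless each one is set explicitly. The following Python script is an added example, not part of the vendor documentation: it checks a configuration excerpt for non-default contexts that lack these limits or use values outside the ranges documented on this page. The sample configuration and its layout (an unindented context line followed by indented settings) are constructed assumptions.

```python
import re

U32 = (1, 4294967295)

# Per-context limit commands and value ranges as documented on this page.
# A range of None means the page gives no range for that argument.
LIMITS = {
    "session maximum": (r"capability session maximum (\d+)$", U32),
    "session rate": (r"capability session rate (\d+)$", None),
    "security-policy-rule maximum":
        (r"capability security-policy-rule maximum (\d+)$", U32),
    "object-policy-rule maximum":
        (r"capability object-policy-rule maximum (\d+)$", U32),
    "sslvpn-user maximum":
        (r"capability sslvpn-user maximum (\d+)$", (1, 1048575)),
}
THROUGHPUT = re.compile(r"capability throughput (gbps|kbps|mbps|pps) (\d+)$")
THROUGHPUT_RANGES = {
    "gbps": (1, 1000),
    "kbps": (1000, 1000000000),
    "mbps": (1, 1000000),
    "pps": (1000, 1000000000),
}
CONTEXT_LINE = re.compile(r"context (\S+)(?: id \d+)?(?: vlan-unshared)?$")

# Constructed sample, not taken from a real device. Assumed layout: one
# unindented "context ..." line per context, followed by indented settings.
SAMPLE_CONFIG = """\
#
context Admin id 1
#
context cnt2 id 2
 context start
 capability session maximum 1000000
 capability session maximum threshold 80
 capability session rate 20000
 capability throughput kbps 100000
 capability security-policy-rule maximum 1000
 capability object-policy-rule maximum 1000
 capability sslvpn-user maximum 1000
#
context cnt3 id 3
 context start
 capability session maximum threshold 80
 capability throughput kbps 500
#
"""


def parse_contexts(config_text):
    """Return {context name: [setting lines]} from the assumed block layout."""
    contexts, current = {}, None
    for raw in config_text.splitlines():
        if raw[:1].isspace():
            # Indented line: a setting of the context block we are inside.
            if current is not None:
                contexts[current].append(raw.strip())
            continue
        match = CONTEXT_LINE.match(raw.strip())
        current = match.group(1) if match else None
        if current is not None:
            contexts.setdefault(current, [])
    return contexts


def audit(config_text, default_context="Admin"):
    """Report missing or out-of-range limits for each non-default context."""
    findings = {}
    for name, lines in parse_contexts(config_text).items():
        if name == default_context:
            continue
        issues = []
        for label, (pattern, value_range) in LIMITS.items():
            # The trailing (\d+)$ keeps "capability session maximum threshold 80"
            # (an alarm threshold) from being counted as the limit itself.
            values = [int(m.group(1))
                      for m in (re.match(pattern, line) for line in lines) if m]
            if not values:
                issues.append(f"{label}: not set (unlimited by default)")
            elif value_range and not value_range[0] <= values[-1] <= value_range[1]:
                issues.append(
                    f"{label}: {values[-1]} outside {value_range[0]}-{value_range[1]}")
        throughput = [m for m in map(THROUGHPUT.match, lines) if m]
        if not throughput:
            issues.append("throughput: not set (unlimited by default)")
        else:
            unit, value = throughput[-1].group(1), int(throughput[-1].group(2))
            low, high = THROUGHPUT_RANGES[unit]
            if not low <= value <= high:
                issues.append(f"throughput: {value} {unit} outside {low}-{high}")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for context_name, issues in audit(SAMPLE_CONFIG).items():
        print(context_name, "OK" if not issues else issues)
```
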
context
Use context to create a context and enter its view, or enter the view of an existing context.
Use undo context to delete a context.
Syntax
context context-name [ id context-id ] [ vlan-unshared ]
undo context context-name
Default
A default context exists. The context name is Admin and the context ID is 1.
Views
System view
Predefined user roles
network-admin
Parameters
context-name: Specifies the context name, a case-sensitive string of 1 to 15 characters.
id context-id: Specifies the context ID. If you do not specify this option, the system assigns the lowest ID among the available IDs to the context.
The following compatibility matrix shows the value ranges for the context ID:
Series | Models | Value range |
---|---|---|
F5000 series | F5000-AI160 | 1 to 33 |
F5000 series | F5000-CN160 | 1 to 65 |
F5000 series | F5000-CN-G85, F5000-CN-G65, F5000-CN-G55 | 1 to 17 |
F5000 series | F5000-AI-40, F5000-AI-20 | 1 to 257 |
F5000 series | F5000-AI-15 | 1 to 17 |
F1000 series | F1000-AI-25 | 1 to 9 |
vlan-unshared: Configures the context to not share VLAN resources with any contexts. If you do not specify this keyword, the context shares the same VLAN resources with other contexts.
Usage guidelines
A context with the VLAN-unshared attribute has its own VLAN resources (VLAN 1 through VLAN 4094). It does not share VLAN resources with any other contexts. You log in to the context and use the vlan command to create VLANs for the context.
All contexts without the VLAN-unshared attribute share the same VLAN resources (VLAN 1 through VLAN 4094). You create VLANs on the default context and use the allocate vlan command to assign VLANs to the contexts. A VLAN can be assigned only to one context.
Examples
# Create a context named test.
<Sysname> system-view
[Sysname] context test
[Sysname-context-2-test]
# Create a context named test. Set its ID to 2.
<Sysname> system-view
[Sysname] context test id 2
[Sysname-context-2-test]
context start
Use context start to start a context.
Use undo context start to stop a context.
Syntax
context start [ force ]
undo context start [ force ]
Default
A context is not started.
Views
Context view
Predefined user roles
network-admin
Parameters
force: Forcibly starts or stops a context. If you do not specify this keyword, the command starts or stops a context through normal procedures.
Usage guidelines
CAUTION: Stop a context with caution. Stopping a context stops all services on the context and logs out all users on the context. To avoid configuration data loss, save the running configuration of a context before you stop the context.
You must use this command to initiate a newly created context. You can configure a context only after it is started.
Examples
# Start context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] context start
context-capability inbound broadcast single
Use context-capability inbound broadcast single to set the inbound broadcast rate limit for a context.
Use undo context-capability inbound broadcast single to restore the default.
Syntax
context-capability inbound broadcast single pps threshold
undo context-capability inbound broadcast single
Default
The inbound broadcast rate limit for a context is the total inbound broadcast rate limit divided by the number of active contexts that share interfaces with other contexts.
Views
System view
Context view
Predefined user roles
network-admin
Parameters
pps threshold: Specifies the inbound broadcast rate limit in pps, in the range of 1000 to 100000.
Usage guidelines
The rate limit takes effect only on active contexts that share interfaces with other contexts on the device.
If you execute this command in system view, you set the limit for the default context. If you execute this command in context view, you set the limit for the non-default context.
When both a per-context inbound broadcast rate limit and the total inbound broadcast rate limit are reached, the device drops subsequent broadcast packets that arrive at the context. To set the total inbound broadcast rate limit, use the context-capability inbound broadcast total command.
Examples
# Set the inbound broadcast rate limit to 10000 pps for the default context.
<Sysname> system-view
[Sysname] context-capability inbound broadcast single pps 10000
# Set the inbound broadcast rate limit to 10000 pps on context ctx1.
<Sysname> system-view
[Sysname] context ctx1
[Sysname-context-1-ctx1] context-capability inbound broadcast single pps 10000
Related commands
context-capability inbound broadcast total
context-capability inbound broadcast total
Use context-capability inbound broadcast total to set the total inbound broadcast rate limit for all contexts.
Use undo context-capability inbound broadcast total to restore the default.
Syntax
context-capability inbound broadcast total pps threshold
undo context-capability inbound broadcast total
Default
The total inbound broadcast rate limit for all contexts is 20000 pps.
Views
System view
Predefined user roles
network-admin
Parameters
pps threshold: Specifies the total inbound broadcast rate limit in pps. The limit can be 0 or a value in the range of 1000 to 100000. Setting the limit to 0 disables inbound broadcast rate limiting.
Usage guidelines
The rate limit takes effect only on active contexts that share interfaces with other contexts.
The total inbound broadcast rate is the sum of the inbound broadcast rates on all active contexts that share interfaces with other contexts.
When both a per-context inbound broadcast rate limit and the total inbound broadcast rate limit are reached, the device drops subsequent broadcast packets that arrive at the context. To set the inbound broadcast rate limit for a context, use the context-capability inbound broadcast single command.
Examples
# Set the total inbound broadcast rate limit to 10000 pps.
<Sysname> system-view
[Sysname] context-capability inbound broadcast total pps 10000
Related commands
context-capability inbound broadcast single
context-capability inbound drop-logging enable
Use context-capability inbound drop-logging enable to enable logging for incoming packets dropped because of rate limiting on contexts.
Use undo context-capability inbound drop-logging enable to disable logging for incoming packets dropped because of rate limiting on contexts.
Syntax
context-capability inbound drop-logging enable
undo context-capability inbound drop-logging enable
Default
Logging is disabled for incoming packets that are dropped because of rate limiting on contexts.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This logging feature generates and sends a log message to the information center when an incoming packet is dropped because of broadcast or multicast rate limiting on contexts. For more information about how the information center manages log messages, see information center configuration in Network Management and Monitoring Configuration Guide.
Examples
# Enable logging for incoming packets dropped because of rate limiting on contexts.
<Sysname> system-view
[Sysname] context-capability inbound drop-logging enable
context-capability inbound multicast single
Use context-capability inbound multicast single to set the inbound multicast rate limit for a context.
Use undo context-capability inbound multicast single to restore the default.
Syntax
context-capability inbound multicast single pps threshold
undo context-capability inbound multicast single
Default
The inbound multicast rate limit for a context is the total inbound multicast rate limit divided by the number of active contexts that share interfaces with other contexts.
Views
System view
Context view
Predefined user roles
network-admin
Parameters
pps threshold: Specifies the inbound multicast rate limit in pps, in the range of 1000 to 100000.
Usage guidelines
The rate limit takes effect only on active contexts that share interfaces with other contexts on the device.
If you execute this command in system view, you set the limit for the default context. If you execute this command in context view, you set the limit for the non-default context.
When both a per-context inbound multicast rate limit and the total inbound multicast rate limit are reached, the device drops subsequent multicast packets that arrive at the context. To set the total inbound multicast rate limit, use the context-capability inbound multicast total command.
Examples
# Set the inbound multicast rate limit to 10000 pps for context ctx1.
<Sysname> system-view
[Sysname] context ctx1
[Sysname-context-1-ctx1] context-capability inbound multicast single pps 10000
Related commands
context-capability inbound multicast total
context-capability inbound multicast total
Use context-capability inbound multicast total to set the total inbound multicast rate limit for all contexts.
Use undo context-capability inbound multicast total to restore the default.
Syntax
context-capability inbound multicast total pps threshold
undo context-capability inbound multicast total
Default
The total inbound multicast rate limit for all contexts is 0 pps.
Views
System view
Predefined user roles
network-admin
Parameters
pps threshold: Specifies the total inbound multicast rate limit in pps. The limit can be 0 or a value in the range of 1000 to 100000. Setting the limit to 0 disables inbound multicast rate limiting.
Usage guidelines
The rate limit takes effect only on active contexts that share interfaces with other contexts.
The total inbound multicast rate is the sum of the inbound multicast rates on all active contexts that share interfaces with other contexts.
When both a per-context inbound multicast rate limit and the total inbound multicast rate limit are reached, the device drops subsequent multicast packets that arrive at the context. To set the inbound multicast rate limit for a context, use the context-capability inbound multicast single command.
Examples
# Set the total inbound multicast rate limit to 10000 pps.
<Sysname> system-view
[Sysname] context-capability inbound multicast total pps 10000
Related commands
context-capability inbound multicast single
context-capability throughput drop-logging enable
Use context-capability throughput drop-logging enable to enable throughput-threshold-exceeded packet drop logging for all contexts.
Use undo context-capability throughput drop-logging enable to disable throughput-threshold-exceeded packet drop logging for all contexts.
Syntax
context-capability throughput drop-logging enable
undo context-capability throughput drop-logging enable
Default
The system does not log packet drop events that occur on any contexts when the outbound throughput threshold is exceeded.
Views
System view
Predefined user roles
network-admin
network-operator
Usage guidelines
This command enables the system to log packet drop events that occur on any contexts because the outbound throughput threshold is exceeded.
This command applies to all contexts. To have it take effect on a context, you must also use the capability throughput command to set an outbound throughput threshold for it.
These two commands enable the device to generate a packet drop event log when it starts dropping packets on a context because the outbound throughput threshold of the context is exceeded. When the outbound throughput of the context decreases below the threshold, the device generates a recovery log.
The generated logs are sent to the information center. With the information center, you can configure log destinations and output rules. For more information about the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Enable throughput-threshold-exceeded packet drop logging for all contexts.
<Sysname> system-view
[Sysname] context-capability throughput drop-logging enable
Related commands
capability throughput
context-capability throughput alarm enable
Use context-capability throughput alarm enable to enable the outbound throughput usage alarm and set the throughput usage alarm threshold for contexts.
Use undo context-capability throughput alarm enable to disable the outbound throughput usage alarm for contexts.
Syntax
context-capability throughput alarm enable alarm-threshold usage-threshold
undo context-capability throughput alarm enable
Default
Outbound throughput usage alarm is disabled for contexts.
Views
System view
Predefined user roles
network-admin
network-operator
Parameters
alarm-threshold usage-threshold: Specifies the throughput usage alarm threshold, in percentage. The value range for the usage-threshold argument is 1 to 99.
Usage guidelines
This command applies to all contexts. To have it take effect on a context, you must also use the capability throughput command to set an outbound throughput threshold for that context.
The system generates a throughput usage alarm for a context when the ratio of its actual outbound throughput to the outbound throughput threshold exceeds the throughput usage alarm threshold. When that ratio decreases below the throughput usage alarm threshold, the system generates a recovery log.
The generated logs are sent to the information center. With the information center, you can configure log destinations and output rules. For more information about the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Enable the throughput usage alarm and set the throughput usage alarm threshold to 80% for contexts.
<Sysname> system-view
[Sysname] context-capability throughput alarm enable alarm-threshold 80
Related commands
capability throughput
description
Use description to configure the description of the default context, or configure a description for a non-default context.
Use undo description to restore the default.
Syntax
description text
undo description
Default
The default context uses the description DefaultContext. A non-default context does not have a description.
Views
Context view
Predefined user roles
network-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 255 characters.
Usage guidelines
You can configure a description for each context, which is useful when there are a number of contexts.
Examples
# Configure a description for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] description test
display context
Use display context to display contexts.
Syntax
display context [ name context-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.
Usage guidelines
On the default context, this command displays the context specified by the name context-name option. Without the option, this command displays all contexts on the device.
Examples
# Display all contexts.
<Sysname> display context
ID Name Status Description
1 cnt1 active context1
2 cnt2 inactive context2
3 cnt3 inactive context3
Table 1 Command output
Field | Description |
---|---|
Status | · active—The context is operating correctly. · inactive—The context is not started. |
display context capability
Use display context capability to display usage of allocable service resources on contexts.
Syntax
display context [ name context-name ] capability [ security-policy | { session | throughout } [ slot slot-number ] | sslvpn-user ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters. If you do not specify a context, this command displays usage of allocable service resources on all contexts.
security-policy: Displays usage of allocable security policy rule resources.
session: Displays usage of allocable session resources.
sslvpn-user: Displays usage of allocable SSL VPN user resources.
throughout: Displays usage of allocable outbound throughput resources.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays the usage on all member devices.
Usage guidelines
This command is supported only on the default context.
Examples
# Display usage of allocable service resources on all contexts.
<Sysname> display context capability
Session usage and establishment rate:
Slot 1 CPU 0:
ID Name Maximum Used Free Total(/s) Rate(/s) Usage(%)
1 Admin NA 500 NA NA 1000 NA
2 context1 10000 300 9700 1000 100 10
3 context2 2000 1000 1000 2000 1000 50
Security policy rule usage:
ID Name Maximum Used Free
1 Admin NA 500 NA
2 context1 10000 300 9700
3 context2 2000 1000 1000
Online SSL VPN users:
ID Name Maximum Used Free
1 Admin NA 0 NA
2 conetxt1 10000 3000 7000
3 context2 2000 0 2000
Throughout usage:
Slot 1 CPU 0:
ID Name Maximum Used Free Usage(%) Unit
1 Admin NA 500 NA NA kbps
2 conetxt1 10000 1000 9000 10 kbps
3 context2 200000 10000 10000 50 kbps
Table 2 Command output
Field | Description |
---|---|
ID | Context ID. |
Name | Context name. |
Maximum | Maximum number of allocable resources. |
Used | Number of used resources. |
Free | Number of available resources. |
Total | Maximum session establishment rate, which is the maximum number of sessions that can be established in a second. |
Rate | Current session establishment rate. |
Usage | Ratio of the current session establishment rate to the maximum session establishment rate or ratio of the actual outbound throughput to the outbound throughput threshold, in percentage. |
Unit | Unit of the outbound throughput resources. |
Throughout usage | Usage of allocable outbound throughput resources. |
Related commands
· capability security-policy-rule maximum
· capability session maximum
· capability session rate
· capability sslvpn-user maximum
· capability throughput
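The following is an added example, not part of the vendor documentation: a Python parser for the display context capability output that recomputes each context's quota usage from the raw counters and lists the contexts above a chosen percentage, which helps spot a context that is close to exhausting its session, policy rule, SSL VPN user, or throughput allocation. The sample text is constructed in the layout shown above; the function names, the 80% default, and the reading of NA as "no value to compare" are assumptions of this example.

```python
import re

# Constructed sample in the layout of the page's "display context capability"
# example; the numbers are made up so that one context is close to its limits.
SAMPLE = """\
Session usage and establishment rate:
Slot 1 CPU 0:
ID Name Maximum Used Free Total(/s) Rate(/s) Usage(%)
1 Admin NA 500 NA NA 1000 NA
2 context1 10000 300 9700 1000 100 10
3 context2 2000 1900 100 2000 1800 90
Security policy rule usage:
ID Name Maximum Used Free
1 Admin NA 500 NA
2 context1 10000 300 9700
3 context2 2000 1000 1000
Online SSL VPN users:
ID Name Maximum Used Free
1 Admin NA 0 NA
2 context1 10000 3000 7000
3 context2 2000 0 2000
Throughout usage:
Slot 1 CPU 0:
ID Name Maximum Used Free Usage(%) Unit
1 Admin NA 500 NA NA kbps
2 context1 10000 1000 9000 10 kbps
3 context2 20000 17000 3000 85 kbps
"""

SLOT_RE = re.compile(r"^Slot (\d+) CPU (\d+):$")
TEXT_COLUMNS = {"Name", "Unit"}


def parse_capability(text):
    """Turn the command output into one dict per context row."""
    rows, section, slot, header = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SLOT_RE.match(line)
        if m:                                   # "Slot 1 CPU 0:"
            slot = (int(m.group(1)), int(m.group(2)))
        elif line.startswith("ID "):            # column header of a table
            header = line.split()
        elif line.endswith(":"):                # section title
            section, slot, header = line[:-1], None, None
        else:                                   # data row
            cells = line.split()
            if header is None or len(cells) != len(header):
                raise ValueError(f"unexpected line: {line!r}")
            row = {"section": section, "slot": slot}
            for col, cell in zip(header, cells):
                if col in TEXT_COLUMNS:
                    row[col] = cell
                else:
                    # Assumption: "NA" means there is no value to compare.
                    row[col] = None if cell == "NA" else int(cell)
            rows.append(row)
    return rows


def over_threshold(rows, threshold=80):
    """List (section, slot, context, metric, percent) above threshold percent."""
    pairs = (("Used", "Maximum"), ("Rate(/s)", "Total(/s)"))
    findings = []
    for row in rows:
        for used_col, limit_col in pairs:
            used, limit = row.get(used_col), row.get(limit_col)
            if used is None or not limit:
                continue                        # nothing to compare against
            percent = round(100 * used / limit, 1)
            if percent > threshold:
                findings.append((row["section"], row["slot"], row["Name"],
                                 f"{used_col}/{limit_col}", percent))
    return findings


if __name__ == "__main__":
    for finding in over_threshold(parse_capability(SAMPLE)):
        print(finding)
```

The parser splits rows on whitespace, so it relies on context names containing no spaces.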
display context capability inbound broadcast
Use display context capability inbound broadcast to display the inbound broadcast rate limit information about a context.
Syntax
display context name context-name capability inbound broadcast slot slot-number
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.
slot slot-number: Specifies an IRF member device by its member ID.
Examples
# Display the inbound broadcast rate limit information about context abc on a slot.
<Sysname> display context name abc capability inbound broadcast slot 1
Context name: abc
Context ID: 2
Drop Rate: 1000 pps
Inbound throughput limit: 8000 pps
Total inbound throughput limit: 10000 pps
Table 3 Command output
Field | Description |
---|---|
Drop Rate | Broadcast packet drop rate of the context. |
Inbound throughput limit | Inbound broadcast rate limit for the context. |
Total inbound throughput limit | Total inbound broadcast rate limit. |
display context capability inbound multicast
Use display context capability inbound multicast to display the inbound multicast rate limit information about a context.
Syntax
display context name context-name capability inbound multicast slot slot-number
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.
slot slot-number: Specifies an IRF member device by its member ID.
Examples
# Display the inbound multicast rate limit information about context abc on a slot.
<Sysname> display context name abc capability inbound multicast slot 1
Context name: abc
Context ID: 2
Drop Rate: 1000 pps
Inbound throughput limit: 8000 pps
Total inbound throughput limit: 10000 pps
Table 4 Command output
Field | Description |
---|---|
Drop Rate | Multicast packet drop rate of the context. |
Inbound throughput limit | Inbound multicast rate limit for the context. |
Total inbound throughput limit | Total inbound multicast rate limit. |
display context configuration
Use display context configuration to display or save context configuration information.
Syntax
display context [ name context-name ] configuration [ file filename ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters. If you do not specify this option, the command displays the configurations of all contexts.
file filename: Saves the information to a file. The filename argument specifies the file name, a case-insensitive string of 1 to 255 characters. The file name must use the .tar.gz extension, and cannot be ..tar.gz or …tar.gz. It cannot start with a hyphen (-) or contain any of the following characters: quote marks ("), forward slashes (/), colons (:), backward slashes (\), question marks (?), less than signs (<), greater than signs (>), vertical bars (|), and asterisks (*). If you do not specify this option, the system prompts you to choose whether to display or save the information.
Usage guidelines
This command is supported only on the default context.
This command does not take effect on contexts that have not started up.
Executing this command is equivalent to executing the display current-configuration command on the specified context or each context.
Examples
# Display the configurations of all contexts.
<Sysname> display context configuration
Save or display context configuration(Y=save, N=display)? [Y/N]:n
===========inner configuration of context Admin===========
============================================================
display current-configuration
#
version 7.1.064, Feature 9321
#
sysname Sysname
#
context Admin id 1
#
context cnt1 id 2
#
return
<Sysname>
===========inner configuration of context cnt1===========
============================================================
display current-configuration
#
version 7.1.064, Feature 9321
#
sysname Sysname
#
context Admin id 1
#
context cnt1 id 2
---- More ----
# Save the configurations of all contexts to a file in interactive mode.
<Sysname> display context configuration
Save or display context configuration (Y=save, N=display)? [Y/N]:y
Please input the file name(*.tar.gz)[flash:/diag.tar.gz]: test.tar.gz
Saving context configuration to flash:/test.tar.gz. Please wait....
# Save the configurations of all contexts to a file by specifying a file name for the command.
<Sysname> display context configuration file test.tar.gz
Saving context configuration to flash:/test.tar.gz. Please wait...
display context interface
Use display context interface to display interfaces assigned to contexts.
Syntax
display context [ name context-name ] interface
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.
Usage guidelines
This command cannot display interfaces created on non-default contexts.
On the default context, this command displays the interfaces allocated to the non-default context specified by using the name context-name option. If you do not specify the option, this command displays the interfaces allocated to all non-default contexts on the device.
Examples
# Display the interfaces allocated to all non-default contexts.
<Sysname> display context interface
Context stub1's interfaces:
GigabitEthernet1/0/2
Context stub2's interfaces:
GigabitEthernet1/0/3
Related commands
allocate interface
display context online-users sslvpn
Use display context online-users sslvpn to display the number of online SSL VPN users on all contexts.
Syntax
display context online-users sslvpn
Views
Any view
Predefined user roles
network-admin
network-operator
Usage guidelines
The number of online SSL VPN users collected by this command equals the number of SSL VPN sessions.
Examples
# Display the number of online SSL VPN users on all contexts.
<Sysname> display context online-users sslvpn
Total number of SSL VPN online users: 50
display context reboot
Use display context name reboot to display non-default context reboot information.
Syntax
display context name context-name reboot show-number [ offset ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a non-default context by its name, a case-sensitive string of 1 to 15 characters.
show-number: Specifies the number of non-default context reboot records to be displayed, in the range of 1 to 20.
offset: Specifies the offset of the first non-default context reboot record to be displayed, starting from the most recent record. The value range is 0 to 19. The default value is 0, which means starting from the most recent record.
Usage guidelines
To view the reboot information about the default context, execute the display version command and view the Last reboot reason field. For more information about this command, see Fundamentals Command Reference.
Examples
# Display the most recent reboot record of context test.
<Sysname> display context name test reboot 1
----------------- Reboot record 1 -----------------
Recorded at : 2019-05-01 11:16:00
Reason : 0x0
Process : comsh (PID: 120) from Context 3 on slot 1 cpu 0
Table 5 Command output
Field | Description |
---|---|
Reason | Reboot reason. |
Process | Process that triggered the reboot, in the format of process-name (PID: process-ID) from Context context-ID on slot slot-number CPU CPU-number. |
Related commands
display version (Fundamentals Command Reference)
reset context name reboot
display context resource
Use display context resource to display CPU and memory usage for contexts.
Syntax
display context [ name context-name ] resource [ cpu | memory ] [ slot slot-number cpu cpu-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters. If you do not specify this option, the command displays the usage for all contexts.
cpu: Displays the CPU usage.
memory: Displays the memory usage.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays the usage on all member devices.
cpu cpu-number: Specifies a CPU by its number.
Usage guidelines
If you do not specify the cpu or memory keyword, the command displays the CPU and memory space usage.
Examples
# Display the CPU usage for all contexts on all member devices.
<Sysname> display context resource cpu
CPU usage:
Slot 1 CPU 0:
ID Name Weight Usage(%)
1 cnt1 10 24
2 cnt2 10 0
Slot 2 CPU 0:
ID Name Weight Usage(%)
1 cnt3 10 0
2 cnt4 10 0
Table 6 Command output
Field | Description |
---|---|
Memory usage | Memory usage statistics. |
CPU usage | CPU usage statistics. |
Used 238.1MB, Free 249.3MB, Total 487.4MB | Memory usage statistics: · Used—Used memory space, in MB. · Free—Available memory space, in MB. · Total—Total memory space, in MB. The Used field displays 0 if no context has started on the slot. |
ID | Context ID. |
Name | Context name. |
Weight | The CPU resource usage weight of the context. |
Usage(%) | Actual CPU usage of the context, in percentage. |
Quota(MB) | The maximum amount of memory space for the context, in MB. |
Used(MB) | The amount of memory space that the context has used. |
Free(MB) | The amount of memory space that is still available for the context. |
Related commands
limit-resource cpu
limit-resource memory
display context statistics
Use display context statistics to display or save resource statistics for contexts.
Syntax
display context [ name context-name ] statistics [ file filename ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters. If you do not specify this option, the command displays or saves resource statistics for all contexts.
file filename: Saves the information to a file. The filename argument specifies the file name, a case-insensitive string of 1 to 255 characters. The file name must use the .tar.gz extension, and cannot be ..tar.gz or …tar.gz. It cannot start with a hyphen (-) or contain any of the following characters: quote marks ("), forward slashes (/), colons (:), backward slashes (\), question marks (?), less than signs (<), greater than signs (>), vertical bars (|), and asterisks (*). If you do not specify this argument, the system prompts you to choose whether to display or save the information.
Usage guidelines
This command is supported only on the default context.
Executing this command is equivalent to executing the following commands:
· display context capability
· display counters inbound interface
· display counters outbound interface
· display counters rate inbound interface
· display counters rate outbound interface
· display interface
· display ip statistics
· display ipv6 statistics
· display nat statistics
· display session statistics
Examples
# Display resource statistics for all contexts.
<Sysname> display context statistics
Save or display context statistics (Y=save, N=display)? [Y/N]:n
========================================================
=============== display session statistics =================
Slot 1:
Current sessions: 0
TCP sessions: 0
UDP sessions: 0
ICMP sessions: 0
ICMPv6 sessions: 0
UDP-Lite sessions: 0
SCTP sessions: 0
DCCP sessions: 0
RAWIP sessions: 0
...
# Save resource statistics for all contexts to a file in interactive mode.
<Sysname> display context statistics
Save or display context statistics(Y=save, N=display)? [Y/N]:y
Please input the file name(*.tar.gz)[flash:/diag.tar.gz]: test.tar.gz
Saving context statistics to flash:/test.tar.gz. Please wait....
# Save resource statistics for all contexts to a file by specifying a file name for the command.
<Sysname> display context statistics file test.tar.gz
Saving context statistics to flash:/test.tar.gz. Please wait...
Related commands
display context capability
display counters inbound interface (Interface Command Reference)
display counters outbound interface (Interface Command Reference)
display counters rate inbound interface (Interface Command Reference)
display counters rate outbound interface (Interface Command Reference)
display interface (Interface Command Reference)
display ip statistics (Layer 3—IP Services Command Reference)
display ipv6 statistics (Layer 3—IP Services Command Reference)
display nat statistics (NAT Command Reference)
display session statistics (Security Command Reference)
display context vlan
Use display context vlan to display VLAN lists for contexts.
Syntax
display context [ name context-name ] vlan
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.
Usage guidelines
On the default context, if you specify the name context-name option, this command displays the VLAN list for the specified context. If you do not specify the name context-name option, this command displays VLAN lists for all contexts.
Examples
# Display VLAN lists for all contexts.
<Sysname> display context vlan
Context stub1's VLAN(s):
Context stub2's VLAN(s):
2,4094
Context stub3's VLAN(s):
5,6,800-3000,3400
# Display the VLAN list for context stub1.
<Sysname> display context name stub1 vlan
Context stub1's VLAN(s):
5,6,11-23,3400
Related commands
allocate vlan
limit-resource cpu
Use limit-resource cpu to set a CPU weight for a context.
Use undo limit-resource cpu to restore the default.
Syntax
limit-resource cpu weight weight-value
undo limit-resource cpu
Default
Each context has a CPU weight of 10.
Views
Context view
Predefined user roles
network-admin
Parameters
weight weight-value: Specifies a CPU weight value in the range of 1 to 10.
Examples
# Set the CPU weight to 2 for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] limit-resource cpu weight 2
limit-resource memory
Use limit-resource memory to set a memory space percentage for a context. A memory space percentage defines the maximum memory space that the context can use.
Use undo limit-resource memory to restore the default.
Syntax
limit-resource memory slot slot-number cpu cpu-number ratio limit-ratio
undo limit-resource memory slot slot-number cpu cpu-number
Default
All contexts share the memory space in the system. A context can use all free memory space.
Views
Context view
Predefined user roles
network-admin
Parameters
slot slot-number cpu cpu-number: Specifies a security engine on an IRF member device. The slot-number argument represents the member ID of the IRF member device. The cpu-number argument represents the CPU number.
ratio limit-ratio: Specifies the ratio of the memory space that the context can use on the specified security engine to the total memory space of the engine. The value range is 1 to 100.
Usage guidelines
When you assign a context to a security engine group, the system automatically assigns memory space resources on the security engines to the context. All contexts residing on the same security engine share and compete for the engine's free memory resources. To prevent one context from occupying too many memory space resources, assign memory space resources to the contexts. When the limit for a context is reached, the context cannot apply for more memory space.
When you assign memory space to a context, follow these guidelines:
· Use the display context resource command to view the amount of memory space that has been used by the context before assigning memory space to the context.
· Assign an amount of memory space that is larger than the memory space used by the context to avoid the following problems:
  · The context cannot apply for more memory space.
  · The context cannot create, copy, or save additional folders or files.
Examples
# Configure context cnt2 to use up to 30% of the memory space on CPU 0 of member device 1.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] limit-resource memory slot 1 cpu 0 ratio 30
reset context capability inbound broadcast
Use reset context capability inbound broadcast to clear the inbound broadcast rate limit statistics for a context.
Syntax
reset context name context-name capability inbound broadcast slot slot-number
Views
User view
Predefined user roles
network-admin
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.
slot slot-number: Specifies an IRF member device by its member ID.
Examples
# Clear the inbound broadcast rate limit statistics for context abc on a slot.
<Sysname> reset context name abc capability inbound broadcast slot 1
reset context capability inbound multicast
Use reset context capability inbound multicast to clear the inbound multicast rate limit statistics for a context.
Syntax
reset context name context-name capability inbound multicast slot slot-number
Views
User view
Predefined user roles
network-admin
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.
slot slot-number: Specifies an IRF member device by its member ID.
Examples
# Clear the inbound multicast rate limit statistics for context abc on a slot.
<Sysname> reset context name abc capability inbound multicast slot 1
reset context reboot
Use reset context name reboot to clear non-default context reboot information.
Syntax
reset context [ name context-name ] reboot
Views
User view
Predefined user roles
network-admin
Parameters
name context-name: Specifies a non-default context by its name, a case-sensitive string of 1 to 15 characters. If you do not specify a non-default context, this command clears reboot information for all non-default contexts.
Examples
# Clear reboot information about non-default context test.
<Sysname> reset context name test reboot
Related commands
display context name reboot
snmp-agent trap enable sib
Use snmp-agent trap enable sib to enable SNMP notifications for context outbound throughput events.
Use undo snmp-agent trap enable sib to disable SNMP notifications for context outbound throughput events.
Syntax
snmp-agent trap enable sib
undo snmp-agent trap enable sib
Default
SNMP notifications for context outbound throughput events are disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command enables the device to generate SNMP notifications for the events logged by the following logging features:
· Throughput-threshold-exceeded packet drop event logging, enabled by using the context-capability throughput drop-logging enable command.
· Outbound throughput usage alarm, enabled by using the context-capability throughput alarm enable command.
For the SNMP notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.
Examples
# Enable SNMP notifications for context outbound throughput events.
<Sysname> system-view
[Sysname] snmp-agent trap enable sib
Related commands
context-capability throughput drop-logging enable
context-capability throughput alarm enable
switchto context
Use switchto context to log in to a context.
Syntax
switchto context context-name
Views
System view
Predefined user roles
network-admin
network-operator
Parameters
context-name: Specifies a context that has been started.
Usage guidelines
Use this command to log in to a non-default context from the system view of the default context. The connection uses the internal interfaces between the physical device and the context.
Examples
# Log in to context test2.
<Sysname> system-view
[Sysname] switchto context test2
******************************************************************************
* Copyright (c) 2004-2018 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<H3C>
tar context log
Use tar context log to archive log messages for contexts.
Syntax
tar context [ name context-name ] log file filename
Views
User view
Predefined user roles
network-admin
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters. If you do not specify this option, the command archives log messages for all contexts.
file filename: Specifies a file name, a case-insensitive string of 1 to 255 characters. The file name must use the .tar.gz extension, and cannot be ..tar.gz or …tar.gz. It cannot start with a hyphen (-) or contain any of the following characters: quote marks ("), forward slashes (/), colons (:), backward slashes (\), question marks (?), less than signs (<), greater than signs (>), vertical bars (|), and asterisks (*).
Usage guidelines
This command is supported only on the default context.
This command does not take effect on contexts that have never started up.
This command archives all files in the logfile directory and diagfile directory.
Examples
# Archive log messages for all contexts to file test.tar.gz.
<Sysname> tar context log file test.tar.gz
Context commands for non-default contexts
This section describes the context commands that you can use after logging in to a non-default context.
display context interface
Use display context interface to display interfaces assigned to the current context.
Syntax
display context interface
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the interfaces assigned to the current context.
<Sysname> display context interface
Context stub1's interfaces:
GigabitEthernet1/0/2
Related commands
allocate interface
display context reboot
Use display context reboot to display reboot information about the current context.
Syntax
display context reboot show-number [ offset ]
Views
Any view
Predefined user roles
context-admin
context-operator
Parameters
show-number: Specifies the number of context reboot records to be displayed, in the range of 1 to 20.
offset: Specifies the offset of the first context reboot record to be displayed, starting from the most recent record. The value range is 0 to 19. The default value is 0, which means starting from the most recent record.
Examples
# Display the most recent reboot record of the current context.
<Sysname> display context reboot 1
----------------- Reboot record 1 -----------------
Recorded at : 2019-05-01 11:16:00
Reason : 0x0
Process : comsh (PID: 120) from Context 3 on slot 1 cpu 0
For information about the command output fields, see Table 5.
Related commands
reset context reboot
reset context reboot
Use reset context reboot to clear reboot information about the current context.
Syntax
reset context reboot
Views
User view
Predefined user roles
context-admin
Examples
# Clear reboot information about the current context.
<Sysname> reset context reboot
Related commands
display context reboot