Chapter 1 AAA Configuration Commands
1.1 AAA Configuration Commands
1.1.1 access-limit
Syntax
access-limit { disable | enable max-user-number }
undo access-limit
View
ISP domain view
Parameters
disable: Specifies not to limit the number of access users that can be contained in the current ISP domain.
enable max-user-number: Specifies the maximum number of access users that can be contained in the current ISP domain. The max-user-number argument ranges from 1 to 2,072.
Description
Use the access-limit command to set the maximum number of access users that can be contained in the current ISP domain.
Use the undo access-limit command to restore the default setting.
By default, there is no limit on the number of access users in an ISP domain.
Because access users contend for resources, limiting the number of access users in an ISP domain helps provide reliable performance to the users already in the domain.
Examples
# Allow ISP domain aabbcc.net to contain at most 500 access users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] access-limit enable 500
1.1.2 accounting
Syntax
accounting { none | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name }
undo accounting
View
ISP domain view
Parameters
none: Specifies not to perform user accounting.
radius-scheme radius-scheme-name: Specifies to use a RADIUS accounting scheme. Here, radius-scheme-name is the name of a RADIUS scheme; it is a string of up to 32 characters.
hwtacacs-scheme hwtacacs-scheme-name: Specifies to use an HWTACACS accounting scheme. Here, hwtacacs-scheme-name is the name of an HWTACACS scheme; it is a string of up to 32 characters.
Description
Use the accounting command to configure an accounting scheme for the current ISP domain.
Use the undo accounting command to cancel the accounting scheme configuration for the current ISP domain.
By default, no separate accounting scheme is configured for an ISP domain.
When you use the accounting command to reference a RADIUS or HWTACACS scheme in the current ISP domain, the RADIUS or HWTACACS scheme must already exist.
The accounting command takes precedence over the scheme command. If the accounting command is used in ISP domain view, the system uses the scheme referenced in the accounting command to charge the users in the domain. Otherwise, the system uses the scheme referenced in the scheme command to charge the users.
Related commands: scheme, radius scheme, hwtacacs scheme, accounting optional.
Examples
# Specify "radius" as the RADIUS accounting scheme that will be referenced by ISP domain "aabbcc.net".
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] accounting radius-scheme radius
1.1.3 accounting optional
Syntax
accounting optional
undo accounting optional
View
ISP domain view
Parameters
None
Description
Use the accounting optional command to open the accounting-optional switch.
Use the undo accounting optional command to close the accounting-optional switch so that the system performs accounting for users unconditionally.
By default, the system performs accounting for users unconditionally.
Note that:
- If the system does not find any available accounting server or fails to communicate with any accounting server when it performs accounting for an online user, it will not disconnect the user as long as the accounting optional command has been executed.
- The accounting optional command is commonly used in cases where only authentication is needed and accounting is not.
- If you configure the accounting optional command in ISP domain view, it takes effect for all users in the domain; if you configure it in RADIUS scheme view, it takes effect for the users that the RADIUS scheme is used for.
Examples
# Open the accounting-optional switch for the ISP domain named aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] accounting optional
1.1.4 attribute
Syntax
attribute { ip ip-address | mac mac-address | idle-cut second | access-limit max-user-number | vlan vlan-id | location { nas-ip ip-address port port-number | port port-number } }*
undo attribute { ip | mac | idle-cut | access-limit | vlan | location }*
View
Local user view
Parameters
ip ip-address: Sets the IP address of the user.
mac mac-address: Sets the MAC address of the user. Here, mac-address is in H-H-H format.
idle-cut second: Enables the idle-cut function for the local user and sets the allowed idle time. Here, second is the allowed idle time, which ranges from 60 to 7,200 seconds.
access-limit max-user-number: Sets the maximum number of users who can access the switch with the current username. Here, max-user-number ranges from 1 to 1,024.
vlan vlan-id: Sets the VLAN attribute of the user (that is, specifies to which VLAN the user belongs). Here, vlan-id is an integer ranging from 1 to 4094.
location: Sets the port binding attribute of the user.
nas-ip ip-address: Sets the IP address of an access server, so that the user can be bound to a port on the server. Here, ip-address is in dotted decimal notation and is 127.0.0.1 by default (representing this device). When binding the user to a remote port, you must use nas-ip ip-address to specify a remote access server IP address. When binding the user to a local port, you need not use nas-ip ip-address.
port port-number: Sets the port to which you want to bind the user. Here, port-number is in the format of device ID/slot number/port number; the device ID ranges from 1 to 8, the slot number ranges from 0 to 15 (if the bound port has no slot number, just input 0 for this item) and the port number ranges from 1 to 255.
Description
Use the attribute command to set the attributes of a user whose service type is lan-access.
Use the undo attribute command to cancel the attribute settings of the user.
You may use the display local-user command to view the attribute settings.
Examples
# Create local user user1 and set the IP address attribute of user1 to 10.110.50.1, allowing only the user using the IP address 10.110.50.1 to use the account user1 for authentication.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
New local user added.
[Sysname-luser-user1] password simple pass1
[Sysname-luser-user1] service-type lan-access
[Sysname-luser-user1] attribute ip 10.110.50.1
1.1.5 authentication
Syntax
authentication { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authentication
View
ISP domain view
Parameters
radius-scheme radius-scheme-name: Specifies to use a RADIUS authentication scheme. Here, radius-scheme-name is a string of up to 32 characters.
hwtacacs-scheme hwtacacs-scheme-name: Specifies to use an HWTACACS authentication scheme. Here, hwtacacs-scheme-name is a string of up to 32 characters.
local: Specifies to use the local authentication scheme.
none: Specifies not to perform authentication.
Description
Use the authentication command to configure an authentication scheme for the current ISP domain.
Use the undo authentication command to restore the default authentication scheme setting of the current ISP domain.
By default, no separate authentication scheme is configured for an ISP domain.
Note that:
- Before you can use the authentication command to reference a RADIUS scheme in the current ISP domain, the RADIUS scheme must already exist.
- If you execute the authentication radius-scheme radius-scheme-name local command, the local scheme is used as the secondary authentication scheme in case no RADIUS server is available. That is, if the communication between the switch and a RADIUS server is normal, no local authentication is performed; otherwise, local authentication is performed.
- If you execute the authentication hwtacacs-scheme hwtacacs-scheme-name local command, the local scheme is used as the secondary authentication scheme in case no TACACS server is available. That is, if the communication between the switch and a TACACS server is normal, no local authentication is performed; otherwise, local authentication is performed.
- If you execute the authentication local command, the local scheme is used as the primary scheme. In this case, there is no secondary authentication scheme.
- If you execute the authentication none command, no authentication is performed.
- The authentication command takes precedence over the scheme command. If the authentication command is configured in ISP domain view, the system uses the authentication scheme referenced in that command to authenticate the users in the domain; otherwise it uses the scheme referenced in the scheme command to authenticate the users.
Related commands: scheme, radius scheme, hwtacacs scheme.
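The precedence and fallback rules above are easy to misread: the local scheme behind `radius-scheme ... local` is consulted only when no RADIUS (or TACACS) server can be reached, never when a reachable server rejects the user. The following Python model, added here as an illustration and not taken from the switch software or its vendor, encodes exactly those rules. The `DomainConfig` class, the verdict strings ("accept", "reject", "unreachable") and the assumption that the `scheme` command's argument has the same "type name [local]" form are all constructed for the example; the page does not define the `scheme` command.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class DomainConfig:
    """ISP domain settings relevant to authentication (simulated, not read from a switch)."""
    # Argument string of the `authentication` command, e.g. "radius-scheme rd local",
    # or None when the command has not been configured in the domain.
    authentication: Optional[str] = None
    # Argument string of the `scheme` command; assumed here to use the same
    # "<type> <name> [local]" form (the scheme command itself is not on this page).
    scheme: Optional[str] = None


def effective_scheme(cfg: DomainConfig) -> str:
    """Apply the precedence rule: `authentication` wins over `scheme`."""
    if cfg.authentication is not None:
        return cfg.authentication
    if cfg.scheme is not None:
        return cfg.scheme
    raise ValueError("no authentication scheme configured for the domain")


def authenticate(cfg: DomainConfig, remote_verdict: str, local_verdict: str) -> Tuple[str, str]:
    """Decide a login for the domain.

    remote_verdict: what the RADIUS/HWTACACS server would answer:
                    "accept", "reject", or "unreachable" (no server available).
    local_verdict:  what the local user database would answer: "accept" or "reject".
    Returns (result, scheme_used), where scheme_used names the scheme that
    actually decided the request.
    """
    tokens = effective_scheme(cfg).split()
    kind = tokens[0]
    if kind == "none":
        return "accept", "none"            # no authentication is performed
    if kind == "local":
        return local_verdict, "local"      # primary local scheme, no secondary
    if kind in ("radius-scheme", "hwtacacs-scheme"):
        has_local_backup = tokens[-1] == "local"
        if remote_verdict != "unreachable":
            # Communication with the server is normal: its verdict is final and
            # the local scheme is never consulted, even on a reject.
            return remote_verdict, kind
        if has_local_backup:
            return local_verdict, "local"  # secondary scheme: used only when no server is available
        # Assumption: with no reachable server and no backup, the login cannot succeed.
        return "reject", kind
    raise ValueError(f"unsupported scheme: {' '.join(tokens)}")


if __name__ == "__main__":
    cfg = DomainConfig(authentication="radius-scheme rd local")
    print(authenticate(cfg, "reject", "accept"))       # ('reject', 'radius-scheme')
    print(authenticate(cfg, "unreachable", "accept"))  # ('accept', 'local')
```

Running the model against a domain configured with `authentication radius-scheme rd local` shows the point that matters when reviewing a configuration: a user the RADIUS server rejects stays rejected even if a matching local account exists, while a local account only becomes a way in when the server is down.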
Examples
# Reference the RADIUS scheme "radius1" as the authentication scheme of the ISP domain aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] authentication radius-scheme radius1
# Reference the RADIUS scheme "rd" as the authentication scheme and the local scheme as the secondary authentication scheme of the ISP domain aabbcc.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc
New Domain added.
[Sysname-isp-aabbcc] authentication radius-scheme rd local
1.1.6 authentication super
Syntax
authentication super hwtacacs-scheme hwtacacs-scheme-name
undo authentication super
View
ISP domain view
Parameters
hwtacacs-scheme-name: Name of the HWTACACS authentication scheme, a string of 1 to 32 characters.
Description
Use the authentication super command to specify an HWTACACS authentication scheme for user level switching in the current ISP domain.
Use the undo authentication super command to remove the specified HWTACACS authentication scheme.
By default, no HWTACACS authentication scheme is configured for user level switching.
When you execute the authentication super command to specify an HWTACACS authentication scheme for user level switching, the HWTACACS scheme must exist.
The S3100 series switches adopt hierarchical protection for command lines so as to inhibit users at lower levels from using higher level commands to configure the switches. For details about configuring an HWTACACS authentication scheme for low-to-high user level switching, refer to Switching User Level in the Command Line Interface Operation.
Related commands: hwtacacs scheme.
Examples
# Set the HWTACACS scheme to ht for user level switching in the current ISP domain aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] authentication super hwtacacs-scheme ht
1.1.7 authorization
Syntax
authorization { none | hwtacacs-scheme hwtacacs-scheme-name }
undo authorization
View
ISP domain view
Parameters
none: Specifies not to use any authorization scheme.
hwtacacs-scheme hwtacacs-scheme-name: Specifies to use an HWTACACS scheme. Here, hwtacacs-scheme-name is the name of an HWTACACS scheme; it is a string of up to 32 characters.
Description
Use the authorization command to configure an authorization scheme for the current ISP domain.
Use the undo authorization command to restore the default authorization scheme setting of the ISP domain.
By default, no separate authorization scheme is configured for an ISP domain.
Related commands: scheme, radius scheme, hwtacacs scheme.
Examples
# Allow users in ISP domain aabbcc.net to access network services without being authorized.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net] authorization none
1.1.8 authorization vlan
Syntax
authorization vlan string
undo authorization vlan
View
Local user view
Parameters
string: Number or descriptor of the authorized VLAN for the current user, a string of 1 to 32 characters. If it is a numeral string and a VLAN with that number exists, it specifies that VLAN. If it is a numeral string but no VLAN with that number exists, it specifies the VLAN whose descriptor is the string.
Description
Use the authorization vlan command to specify an authorized VLAN for a local user. A user passing the authentication of the local RADIUS server can access network resources in the authorized VLAN.
Use the undo authorization vlan command to remove the configuration.
By default, no authorized VLAN is specified for a local user.
For local RADIUS authentication to take effect, the VLAN assignment mode must be set to string after you specify authorized VLANs for local users.
Examples
# Specify the authorized VLAN for local user 00-14-22-2C-AA-69 as VLAN 2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user 00-14-22-2C-AA-69
[Sysname-luser-00-14-22-2C-AA-69] authorization vlan 2
1.1.9 cut connection
Syntax
cut connection { all | access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name }
View
System view
Parameters
all: Cuts down all user connections.
access-type { dot1x | mac-authentication }: Cuts down user connections of a specified access type. dot1x is used to cut down all 802.1x user connections, and mac-authentication is used to cut down all MAC authentication user connections.
domain isp-name: Cuts down all user connections in a specified ISP domain. Here, isp-name is the name of an ISP domain, a string of up to 128 characters. You can only specify an existing ISP domain.
interface interface-type interface-number: Cuts down all user connections under a specified port. Here, interface-type is a port type and interface-number is a port number.
ip ip-address: Cuts down all user connections with a specified IP address.
mac mac-address: Cuts down the user connection with a specified MAC address. Here, mac-address is in H-H-H format.
radius-scheme radius-scheme-name: Cuts down all user connections using a specified RADIUS scheme. Here, radius-scheme-name is a string of up to 32 characters.
vlan vlan-id: Cuts down all user connections of a specified VLAN. Here, vlan-id ranges from 1 to 4094.
ucibindex ucib-index: Cuts down the user connection with a specified connection index. Here, ucib-index ranges from 0 to 1047.
user-name user-name: Cuts down the connection of a specified user. Here, user-name is a string of up to 184 characters.
Description
Use the cut connection command to forcibly cut down one user connection, one type of user connections, or all user connections.
This command cannot cut down the connections of Telnet and FTP users.
Related commands: display connection.
Examples
# Cut down all user connections under the ISP domain aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] cut connection domain aabbcc.net
1.1.10 display connection
Syntax
display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name ]
View
Any view
Parameters
access-type { dot1x | mac-authentication }: Displays user connections of a specified access type. Here, dot1x is used to display all 802.1x user connections, and mac-authentication is used to display all MAC authentication user connections.
domain isp-name: Displays all user connections under a specified ISP domain. Here, isp-name is the name of an ISP domain, a string of up to 128 characters. You can only specify an existing ISP domain.
interface interface-type interface-number: Displays all user connections on a specified port.
ip ip-address: Displays all user connections with a specified IP address.
mac mac-address: Displays the user connection with a specified MAC address. Here, mac-address is in hexadecimal format (in the form of H-H-H).
radius-scheme radius-scheme-name: Displays all user connections using a specified RADIUS scheme. Here, radius-scheme-name is a string of up to 32 characters.
hwtacacs-scheme hwtacacs-scheme-name: Displays all user connections using a specified HWTACACS scheme. Here, hwtacacs-scheme-name is a string of up to 32 characters.
vlan vlan-id: Displays all user connections of a specified VLAN. Here, vlan-id ranges from 1 to 4094.
ucibindex ucib-index: Displays the user connection with a specified connection index. Here, ucib-index ranges from 0 to 1047.
user-name user-name: Displays the connection of a specified user. Here, user-name is a character string in the format of pure-username@domain-name. The pure-username cannot be longer than 55 characters, the domain-name cannot be longer than 24 characters, and the entire user-name cannot be longer than 184 characters.
Description
Use the display connection command to display information about specified or all user connections.
If you execute this command without specifying any parameter, all user connections will be displayed.
This command cannot display information about the connections of FTP users.
Related commands: cut connection.
Examples
# Display information about all user connections.
<Sysname> display connection
------------------unit 1------------------------
Index=40 , Username=user1@domain1
MAC=000f-3d80-4ce5 , IP=0.0.0.0
On Unit 1: Total 1 connections matched, 1 listed.
# Display information about the user connection with index 0.
[Sysname] display connection ucibindex 0
Index=0 , Username=user1@system
MAC=000f-3d80-4ce5 , IP=192.168.0.3
Access=8021X ,Auth=CHAP ,Port=Ether ,Port NO=0x10003001
Initial VLAN=1, Authorization VLAN=1
ACL Group=Disable
CAR=Disable
Priority=Disable
Start=2000-04-03 02:51:53 ,Current=2000-04-03 02:52:22 ,Online=00h00m29s
On Unit 1:Total 1 connections matched, 1 listed.
Total 1 connections matched, 1 listed.
Here, Port NO=0x10003001 is interpreted bit by bit as follows:
Table 1-1 Description of the Port NO field
| 31 to 28 bit | 27 to 24 bit | 23 to 20 bit | 19 to 12 bit | 11 to 0 bit |
|---|---|---|---|---|
| UNIT ID | Slot number | Sub-slot number | Port number | VLAN ID |
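When auditing who is connected where, the Port NO field is the only part of this output that has to be decoded by hand. The following Python example is added here for that purpose; it is not code from the switch or its vendor. It parses one record of the display connection output into fields and splits Port NO according to the bit layout in Table 1-1 (bits 31 to 28 unit ID, 27 to 24 slot, 23 to 20 sub-slot, 19 to 12 port, 11 to 0 VLAN ID). The sample record is copied from the second example above; the function names and the consistency check against the Authorization VLAN field are the example's own.

```python
from typing import Dict

# Constructed sample: the second record shown in the display connection example above.
SAMPLE_RECORD = """Index=0 , Username=user1@system
MAC=000f-3d80-4ce5 , IP=192.168.0.3
Access=8021X ,Auth=CHAP ,Port=Ether ,Port NO=0x10003001
Initial VLAN=1, Authorization VLAN=1
ACL Group=Disable
CAR=Disable
Priority=Disable
Start=2000-04-03 02:51:53 ,Current=2000-04-03 02:52:22 ,Online=00h00m29s
"""


def parse_record(text: str) -> Dict[str, str]:
    """Turn one connection record into a field -> value mapping.

    Fields are 'Key=Value' pairs separated by commas; a line may carry several
    of them and the spacing around separators varies, so everything is stripped.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        for piece in line.split(","):
            if "=" not in piece:
                continue                       # summary lines such as 'Total ...' carry no field
            key, value = piece.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def decode_port_no(port_no) -> Dict[str, int]:
    """Split a Port NO value into the fields of Table 1-1.

    bits 31-28 unit ID, 27-24 slot, 23-20 sub-slot, 19-12 port, 11-0 VLAN ID.
    Accepts an int or a hex string such as '0x10003001'.
    """
    value = int(port_no, 16) if isinstance(port_no, str) else int(port_no)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("Port NO must be a 32-bit value")
    return {
        "unit": (value >> 28) & 0xF,
        "slot": (value >> 24) & 0xF,
        "subslot": (value >> 20) & 0xF,
        "port": (value >> 12) & 0xFF,
        "vlan": value & 0xFFF,
    }


def describe_connection(text: str) -> Dict[str, object]:
    """Parse a record and attach the decoded Port NO location under 'Location'."""
    rec: Dict[str, object] = dict(parse_record(text))
    rec["Location"] = decode_port_no(rec["Port NO"])
    return rec


def vlan_consistent(text: str) -> bool:
    """True when the VLAN encoded in Port NO equals the Authorization VLAN field.

    A mismatch between the two is worth investigating when checking VLAN assignments.
    """
    rec = describe_connection(text)
    return rec["Location"]["vlan"] == int(rec["Authorization VLAN"])


if __name__ == "__main__":
    for key, val in describe_connection(SAMPLE_RECORD).items():
        print(f"{key}: {val}")
    # Port NO=0x10003001 decodes to unit 1, slot 0, sub-slot 0, port 3, VLAN 1
```

For the sample record the decoder yields unit 1, slot 0, sub-slot 0, port 3 and VLAN 1, which agrees with the Authorization VLAN=1 shown in the same output.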
1.1.11 display domain
Syntax
display domain [ isp-name ]
View
Any view
Parameters
isp-name: Name of an ISP domain, a string of up to 128 characters. This must be the name of an existing ISP domain.
Description
Use the display domain command to display configuration information about one specific or all ISP domains.
Related commands: access-limit, domain, scheme, state.
Examples
# Display configuration information about all ISP domains.
<Sysname> display domain
0 Domain = system
State = Active
Scheme = LOCAL
Access-limit = 512
Vlan-assignment-mode = Integer
Domain User Template:
Idle-cut = Enable Time = 60(min) Flow = 200(byte)
Self-service URL = http://aabbcc.net
Messenger Time Maxlimit = 30(min) span = 10(min)
Default Domain Name: system
Total 1 domain(s).1 listed.
Table 1-2 Description on the fields of the display domain command
| Field | Description |
|---|---|
| Domain | Domain name |
| State | Status of the domain, which can be active or block. |
| Scheme | AAA scheme that the domain uses |
| Access-Limit | Maximum number of local user connections in the domain |
| Vlan-assignment-mode | VLAN assignment mode, which can be Integer or String. |
| Domain User Template | Domain user template settings, that is, attribute settings for all users in the domain. |
| Idle-Cut | Status of the idle-cut function |
| Self-service URL | Self-service URL for password changing |
| Messenger Time | Settings of the messenger time service, which is for reminding online users of their remaining online time. The setting in this example indicates that the system starts to remind an online user (at an interval of 10 minutes) when the remaining online time is 30 minutes. |
| Default Domain Name | Default ISP domain of the system |
1.1.12 display local-user
Syntax
display local-user [ domain isp-name | idle-cut { disable | enable } | vlan vlan-id | service-type { ftp | lan-access | ssh | telnet | terminal } | state { active | block } | user-name user-name ]
View
Any view
Parameters
domain isp-name: Displays all local users belonging to a specified ISP domain. Here, isp-name is the name of an ISP domain, a string of up to 128 characters. You can only specify an existing ISP domain.
idle-cut { disable | enable }: Displays the local users who are inhibited from enabling the idle-cut function, or the local users who are allowed to enable the idle-cut function. Here, disable specifies the inhibited local users and enable specifies the allowed local users.
vlan vlan-id: Displays the local users belonging to a specified VLAN. Here, vlan-id ranges from 1 to 4094.
service-type: Displays the local users of a specified type. You can specify one of the following user types: ftp, lan-access (generally, this type of users are Ethernet access users, for example, 802.1x users), ssh, telnet, and terminal (this type of user is a terminal user who logs into the switch through the Console port).
state { active | block }: Displays the local users in a specified state. Here active represents the users allowed to request network services, and block represents the users inhibited from requesting network services.
user-name user-name: Displays the local user with a specified username. Here, user-name is a string of up to 184 characters.
Description
Use the display local-user command to display information about specified or all local users.
Related commands: local-user.
Examples
# Display information about all local users.
<Sysname> display local-user
0 The contents of local user test:
State: Active ServiceType Mask: L
Idle-cut: Enable Idle TimeOut: 3600 seconds
Access-limit: Enable Current AccessNum: 1
Max AccessNum: 1024
Bind location: 127.0.0.1/1/0/2 (NAS/UNITID/SUBSLOT/PORT)
Vlan ID: 1
Authorization VLAN: 2
IP address: 192.168.0.108
MAC address: 000d-88f6-44c1
Total 1 local user(s) Matched, 1 listed.
ServiceType Mask Meaning:
C--Terminal F--FTP L--LanAccess S--SSH T--Telnet
Table 1-3 describes the fields in the above display output.
Table 1-3 Description on the fields of the display local-user command
| Field | Description |
|---|---|
| State | Status of the local user |
| ServiceType Mask | Service type mask: T means Telnet service; S means SSH service; C means client service; LM means lan-access service; F means FTP service; None means no defined service. |
| Idle-cut | Status of the idle-cut function |
| Access-limit | Limit on the number of access users |
| Current AccessNum | Number of current access users |
| Bind location | Whether or not bound to a port |
| Vlan ID | VLAN of the user |
| Authorization VLAN | Authorized VLAN of the user |
| IP address | IP address of the user |
| MAC address | MAC address of the user |
1.1.13 domain
Syntax
domain { isp-name | default { disable | enable isp-name } }
undo domain isp-name
View
System view
Parameters
isp-name: Name of an ISP domain, a string of up to 128 characters. This string cannot contain the following characters: /\:*?<>|. If the domain name includes one or more "~" characters and the last "~" is followed by numerals, it must be followed by at least five numerals to avoid confusion. This is because any domain name longer than 16 characters will appear in the form of "system prompt-the first 15 characters of the domain name~4-digit index" in the view prompt to avoid word wrap.
default: Manually changes the default ISP domain, which is "system" by default. There is one and only one default ISP domain.
disable: Disables the configured default ISP domain.
enable: Enables the configured default ISP domain.
Description
Use the domain command to create an ISP domain and enter its view, or enter the view of an existing ISP domain, or configure the default ISP domain.
Use the undo domain command to delete a specified ISP domain.
The ISP domain "system" is used as the default ISP domain before you manually configure the default ISP domain, and you can use the display domain command to check the settings of the default ISP domain "system".
After you execute the domain command, the system creates a new ISP domain if the specified ISP domain does not exist. Once an ISP domain is created, it is in the active state. You can manually specify an ISP domain as the default domain only when the specified domain already exists.
Related commands: access-limit, scheme, state, display domain.
Examples
# Create a new ISP domain named aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net]
# Create a new ISP domain named 01234567891234567 (note that it will appear as 012345678912345~0001 in the view prompt).
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain 01234567891234567
New Domain added.
[Sysname-isp-012345678912345~0001]
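The prompt abbreviation shown in the second example is why the isp-name parameter carries the rule about "~" followed by fewer than five numerals: a short name such as 012345678912345~0001 would be indistinguishable in the prompt from the abbreviated form of a longer name. The following Python example, added here and not taken from the switch software, checks a proposed domain name against the rules stated for isp-name (length up to 128, forbidden characters /\:*?<>|, the "~" rule) and renders the prompt form. The index argument of prompt_name is an assumption for illustration; the page shows index 0001 but does not say how the switch assigns indexes.

```python
import re
from typing import List

FORBIDDEN = set("/\\:*?<>|")   # characters the isp-name parameter may not contain
MAX_LEN = 128                  # maximum isp-name length
PROMPT_FULL_LEN = 16           # names up to this length appear in full in the prompt
PROMPT_KEEP = 15               # longer names keep this many leading characters


def validate_domain_name(name: str) -> List[str]:
    """Return a list of rule violations; an empty list means the name is acceptable."""
    problems: List[str] = []
    if not 1 <= len(name) <= MAX_LEN:
        problems.append(f"length must be 1 to {MAX_LEN} characters")
    bad = sorted(FORBIDDEN & set(name))
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    # "~" rule: if the text after the last "~" starts with numerals, there must be
    # at least five of them, so the name cannot be confused with an abbreviated prompt.
    if "~" in name:
        after_last_tilde = name.rsplit("~", 1)[1]
        digits = re.match(r"\d*", after_last_tilde).group(0)
        if digits and len(digits) < 5:
            problems.append("last '~' must be followed by at least five numerals")
    return problems


def prompt_name(name: str, index: int = 1) -> str:
    """Domain name as it appears in the ISP domain view prompt.

    Names longer than 16 characters are shown as their first 15 characters,
    "~" and a 4-digit index (index assignment is an assumption of this example).
    """
    if len(name) <= PROMPT_FULL_LEN:
        return name
    return f"{name[:PROMPT_KEEP]}~{index:04d}"


def view_prompt(sysname: str, name: str, index: int = 1) -> str:
    """Full prompt string for the ISP domain view, e.g. [Sysname-isp-aabbcc.net]."""
    return f"[{sysname}-isp-{prompt_name(name, index)}]"


if __name__ == "__main__":
    for candidate in ("aabbcc.net", "01234567891234567", "012345678912345~0001", "abc~12345"):
        print(candidate, "->", view_prompt("Sysname", candidate), validate_domain_name(candidate))
```

Running it shows that 01234567891234567 renders as [Sysname-isp-012345678912345~0001], exactly as in the example above, while the literal name 012345678912345~0001 is reported as violating the "~" rule because it would collide with that rendering.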
1.1.14 domain delimiter
Syntax
domain delimiter { at | dot }
undo domain delimiter
View
System view
Parameters
at: Specifies "@" as the delimiter between the username and the ISP domain name.
dot: Specifies "." as the delimiter between the username and the ISP domain name.
Description
Use the domain delimiter command to specify the delimiter form between the username and the ISP domain name.
Use the undo domain delimiter command to restore the delimiter form to the default setting.
By default, the "@" character is used as the delimiter between the username and the ISP domain name.
- If you have configured to use "." as the delimiter, for a username that contains multiple ".", the first "." is used as the domain delimiter.
- If you have configured to use "@" as the delimiter, the "@" must not appear more than once in the username. If "." is the delimiter, the username must not contain any "@".
Related commands: domain.
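The delimiter rules above, together with the user-name format given for the display connection command (pure-username up to 55 characters, domain-name up to 24, whole string up to 184), determine how a login name is split into user and domain. The following Python example, added here and not part of the switch software, implements that split for both delimiter settings and rejects names that break the rules. The assumption that a login without any delimiter falls into the default ISP domain ("system" unless changed with domain default) is the example's own; the function names are also constructed.

```python
from typing import Tuple

MAX_USER, MAX_DOMAIN, MAX_TOTAL = 55, 24, 184   # limits from the user-name argument description


def split_username(login: str, delimiter: str = "at", default_domain: str = "system") -> Tuple[str, str]:
    """Return (pure-username, domain-name) for a login string.

    delimiter is "at" or "dot", matching the `domain delimiter` command.
    Raises ValueError for names that violate the delimiter or length rules.
    """
    if delimiter not in ("at", "dot"):
        raise ValueError("delimiter must be 'at' or 'dot'")
    if len(login) > MAX_TOTAL:
        raise ValueError(f"user-name longer than {MAX_TOTAL} characters")
    if delimiter == "at":
        if login.count("@") > 1:
            raise ValueError("'@' must not appear more than once")
        user, sep, domain = login.partition("@")
    else:
        if "@" in login:
            raise ValueError("'@' is not allowed when '.' is the delimiter")
        user, sep, domain = login.partition(".")   # the first '.' is the delimiter
    if not sep:
        # Assumption of this example: a name without a delimiter belongs to the default ISP domain.
        domain = default_domain
    if not user:
        raise ValueError("pure-username is empty")
    if len(user) > MAX_USER:
        raise ValueError(f"pure-username longer than {MAX_USER} characters")
    if len(domain) > MAX_DOMAIN:
        raise ValueError(f"domain-name longer than {MAX_DOMAIN} characters")
    return user, domain


def is_valid(login: str, delimiter: str = "at") -> bool:
    """True when split_username accepts the login under the given delimiter setting."""
    try:
        split_username(login, delimiter)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(split_username("user1@domain1"))                      # ('user1', 'domain1')
    print(split_username("alice.smith.corp", delimiter="dot"))  # ('alice', 'smith.corp')
    print(is_valid("a@b@c"), is_valid("alice@corp", delimiter="dot"))  # False False
```

Note how the same string is interpreted differently under the two settings: with the default "@" delimiter, alice.smith.corp is a plain username in the default domain, whereas with the dot delimiter it becomes user alice in domain smith.corp, because only the first "." counts.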
Examples
# Specify "." as the delimiter between the username and the ISP domain name.
<Sysname> system-view
Enter system view, return to user view with Ctrl+Z.
[Sysname] domain delimiter dot
1.1.15 idle-cut
Syntax
idle-cut { disable | enable minute flow }
View
ISP domain view
Parameters
disable: Disables the idle-cut function for the domain.
enable: Enables the idle-cut function for the domain.
minute: Maximum idle time in minutes, ranging from 1 to 120.
flow: Minimum traffic in bytes, ranging from 1 to 10,240,000.
Description
Use the idle-cut command to set the user idle-cut function in the current ISP domain. If a user's traffic in the specified period of time is less than the specified amount, the system disconnects the user.
By default, this function is disabled.
Note that if the authentication server assigns the idle-cut settings, the assigned ones take precedence over the settings configured here.
Related commands: domain.
Examples
# Enable the idle-cut function for ISP domain aabbcc.net, setting the maximum idle time to 50 minutes and the minimum traffic to 500 bytes. After this configuration, if a user in the domain has no traffic or has less than 500 bytes of traffic within 50 minutes, the system will tear down the user's connection.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabb