H3C S9500 Series Routing Switches Command Manual-(V1.01)

14-NAT-URPF-VPLS Command

Chapter 1  NAT Configuration Commands

 

Note:

The service processor cards mentioned here refer to LSBM1NATB boards.

 

1.1  NAT Configuration Commands

1.1.1  display nat address-group

Syntax

display nat address-group

View

Any view

Parameter

None

Description

Use the display nat address-group command to display the configuration of the address pool.

Example

# Display the configuration of the address pool.

<H3C> display nat address-group

  NAT address-group information:

      0 : from   1.1.1.1   to   1.1.1.2

      1 : from   2.2.2.2   to   2.2.2.3  slot 3 

1.1.2  display nat aging-time

Syntax

display nat aging-time

View

Any view

Parameter

None

Description

Use the display nat aging-time command to display the aging time of NAT entries, that is, how long an entry in the Network Processor (NP) and in the CPU can remain.

Example

# Display the aging time of NAT entries of various protocols.

<H3C> display nat aging-time

NAT aging-time value information:

     alg ---- aging-time value is    120 (seconds)

     ftp ---- aging-time value is   7200 (seconds)

     The slot 2 NP-timer configuration:

     Selection of NP-timer is : fast-timer

     FastTime is : 40 seconds

     SlowTime is : 700 seconds

  Slow-Timer: 660 seconds

1.1.3  display nat blacklist

Syntax

display nat blacklist { all | ip ip-address slot slot-no }

View

Any view

Parameter

all: Displays all blacklist configurations.

ip ip-address: Displays the blacklist configurations and real-time operation states for an IP address.

slot slot-no: Specifies the slot where the NAT service board resides.

Description

Use the display nat blacklist command to display the blacklist configurations and operation states.

Use the display nat blacklist all command to display all the configurations of the blacklist.

Use the display nat blacklist ip ip-address slot slot-no command to display the blacklist configurations and operation states for an IP address.

Example

# Display all the configurations of the blacklist.

<H3C> display nat blacklist all

   Blacklist function global configuration:

  Blacklist function is started.

  Connection amount control is enabled.

  Connection set-up rate control is enabled.

  Amount control limit: 500 sessions.

  Rate control limit: 40 session/s.

  Special rate control limit: 30 session/s.

Altogether 2 IP addresses have special configuration:

Control limit configuration of IP 11.1.1.91:

  Amount control upper limit: 50 sessions.

  Rate control limit uses special configuration.

Control limit configuration of IP 10.1.1.91:

  Amount control upper limit: 50 sessions.

  Rate control limit uses special configuration.

# Display the blacklist configurations and operation states for IP address 1.1.1.1.

<H3C> display nat blacklist ip 1.1.1.1 slot 3

 Blacklist function global configuration:

Blacklist function is started.

  Connection amount control is enabled.

  Connection set-up rate control is enabled.

  Amount control limit: 500 sessions.

  Rate control limit: 40 session/s.

  Special rate control limit: 30 session/s.

  Control limit configuration of IP 1.1.1.1:

  Amount control upper limit: 50 sessions.

  Rate control limit uses special configuration.

Blacklist running statistics of IP 1.1.1.1:

  Amount of connection already set up: 0 sessions.

  IP 1.1.1.1 is not in the blacklist!

1.1.4  display nat outbound

Syntax

display nat outbound

View

Any view

Parameter

None

Description

Use the display nat outbound command to display the information about all NAT mapping entries configured by the nat outbound command.

Example

# Display the information about all NAT mapping entries configured by the nat outbound command.

<H3C> display nat outbound

NAT outbound information:

                   Vlan-interface2: acl(2000) --- NAT address-group(1) [no-pat] slot:3

                   Vlan-interface2: acl(  2000) --- NAT address-group(0) slot:3

                   Vlan-interface3: acl(  2000) --- NAT address-group(1) [no-pat] slot:3

                   Vlan-interface3: acl(  2000) --- interface slot:3

1.1.5  display nat server

Syntax

display nat server

View

Any view

Parameter

None

Description

Use the display nat server command to display information about all the internal servers.

Example

# Display information about all the internal servers.

<H3C> display nat server

Server in private network information:

        Interface      GlobalAddr   GlobalPort  InsideAddr    InsidePort   Pro   Slot

 Vlan-interface2          1.1.1.1   80(www)          4.4.4.4   80(www)  6(tcp)  3

 Vlan-interface2          2.2.2.2   53(dns)          3.3.3.3   53(dns) 17(udp) 3

 Vlan-interface3          2.2.2.3  69(tftp)          4.4.4.5  69(tftp) 17(udp) 3

1.1.6  display nat statistics

Syntax

display nat statistics slot slotno

View

Any view

Parameter

slotno: Number of the slot in which the currently active NAT service processor board resides.

Description

Use the display nat statistics command to display the statistics of the current NAT information.

Example

# Display the statistics of the current NAT information.

<H3C> display nat statistics slot 3

Running information in slot 3:

active PAT session table count in CPU:0

active PAT session table count in NP:1

active NO-PAT session table count:0

active SERVER session table count:3

the number of good packet in NP:0

the number of bad packet in NP:0

Table 1-1 Description of the fields of the display nat statistics slot command

Field                                    Description
Running information in slot              Slot information
active PAT session table count in CPU    Number of NAPT entries in CPU
active PAT session table count in NP     Number of NAPT entries in NP
active NO-PAT session table count        Number of NAT entries in CPU
active SERVER session table count        Number of user-configured internal servers
the number of good packet in NP          Number of correct packets received by NP
the number of bad packet in NP           Number of wrong packets received by NP

 

1.1.7  nat address-group

Syntax

nat address-group group-number start-addr end-addr

undo nat address-group group-number

View

System view

Parameter

group-number: Group number of an address pool, in the range 0 to 319.

start-addr: Starting IP address of an address pool.

end-addr: Ending IP address of an address pool.

Description

Use the nat address-group command to configure an address pool.

Use the undo nat address-group command to delete an address pool.

An address pool is a group of external IP addresses. If start-addr and end-addr are the same, the pool contains only one address.

 

  Caution:

- The number of addresses in an address pool (the number of public addresses in the pool) must not exceed 256.

- You cannot configure network segment addresses or broadcast addresses as addresses in an address pool.

- The IP addresses configured in the NAT address pool must not overlap the IP addresses in the internal network.

- You cannot delete an address pool that is associated with an ACL.

- When NAPT is enabled, an address pool cannot contain more than 3 addresses.

 

Example

# Configure address pool 1 with addresses from 202.110.10.10 to 202.110.10.15.

[H3C] nat address-group 1 202.110.10.10 202.110.10.15
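The caution list above is a set of checks an operator can run before committing a pool. The following validator is an added example, not H3C code; it assumes the operator supplies the public subnet the pool is carved from (the manual forbids network and broadcast addresses but does not say which mask applies) and the internal prefixes the pool must not overlap.

```python
import ipaddress

# Limits taken from the nat address-group description and its caution list.
MAX_GROUP_NUMBER = 319      # group-number range 0..319
MAX_POOL_SIZE = 256         # public addresses per pool
MAX_POOL_SIZE_NAPT = 3      # when NAPT (port translation) is in use


def validate_address_group(group_number, start_addr, end_addr, public_prefix,
                           internal_prefixes, napt=True):
    """Return the list of rule violations for a proposed NAT address pool.

    public_prefix is the subnet the pool is carved from (assumed input: the
    manual does not state the mask). internal_prefixes are the internal
    networks the pool must not overlap. napt=True applies the 3-address cap.
    """
    problems = []
    if not 0 <= group_number <= MAX_GROUP_NUMBER:
        problems.append(f"group-number {group_number} is outside 0..{MAX_GROUP_NUMBER}")

    start = ipaddress.IPv4Address(start_addr)
    end = ipaddress.IPv4Address(end_addr)
    if end < start:
        problems.append("end-addr must not be lower than start-addr")
        return problems

    count = int(end) - int(start) + 1   # start == end is a one-address pool
    if count > MAX_POOL_SIZE:
        problems.append(f"pool holds {count} addresses, limit is {MAX_POOL_SIZE}")
    if napt and count > MAX_POOL_SIZE_NAPT:
        problems.append(f"NAPT pool holds {count} addresses, limit is {MAX_POOL_SIZE_NAPT}")

    subnet = ipaddress.IPv4Network(public_prefix, strict=False)
    if start not in subnet or end not in subnet:
        problems.append(f"pool is not contained in {subnet}")
    else:
        # Inside one subnet only the two ends can hit the reserved addresses.
        if start == subnet.network_address:
            problems.append(f"start-addr {start} is the network address of {subnet}")
        if end == subnet.broadcast_address:
            problems.append(f"end-addr {end} is the broadcast address of {subnet}")

    for prefix in internal_prefixes:
        net = ipaddress.IPv4Network(prefix, strict=False)
        # Two ranges overlap when neither lies entirely before the other.
        if start <= net.broadcast_address and end >= net.network_address:
            problems.append(f"pool overlaps internal network {net}")
    return problems


def address_group_command(group_number, start_addr, end_addr):
    """Render the system-view command line for a pool that passed validation."""
    return f"nat address-group {group_number} {start_addr} {end_addr}"
```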

1.1.8  nat aging-time

Syntax

nat aging-time { alg time-value | np slow }

undo nat aging-time [ alg | np slow ]

View

System view

Parameter

alg time-value: Aging time of NAT entries requiring application level gateway (ALG) processing in seconds, in the range 10 to 86,400. ALG processing is different from NP hardware processing.

np: Sets aging time of NAT entries in NPs.

np slow: Sets the aging mode of NAT entries established by means of the NAPT method in NPs to slow aging.

Description

Use the nat aging-time command to set the aging time for NAT entries.

Use the undo nat aging-time command to restore the default value of the aging time for NAT entries.

The default aging mode of NAT entries is fast aging and cannot be changed.

By default, the aging time is 120 seconds for NAT entries requiring application level gateway (ALG) processing, 7,200 seconds for NAT entries requiring FTP processing, 600 seconds for H.323 and ILS entries, 300 seconds for NP FAST entries, and 660 seconds for NP SLOW entries.

Example

# Set the aging time of NAT entries requiring ALG processing to 245 seconds.

[H3C] nat aging-time alg 245

1.1.9  nat blacklist

Syntax

nat blacklist start

undo nat blacklist start

nat blacklist mode { all | amount | rate }

undo nat blacklist mode { all | amount | rate }

nat blacklist limit amount [ source user-ip ] amount-value

undo nat blacklist limit amount [ source user-ip ]

nat blacklist limit rate [ source ip ] { max max-rate | min min-rate } *

nat blacklist limit rate { source { ip limit-rate | ip-address } | limit-rate }

undo nat blacklist limit rate [ source { ip | ip-address } ]

View

System view

Parameter

start: Enables the NAT blacklist feature for the whole system.

mode { all | amount | rate }: Sets control modes. all indicates controlling both the number of connections and the setup rate; amount indicates controlling the number of connections; rate indicates controlling the setup rate.

Note that connections here refer to the address mappings set up during NAT, and the setup rate is the number of such mappings set up per second.

amount: Sets the upper threshold for total connections that can be set up.

rate: Sets the upper threshold for the rate at which connections are set up.

source: Specifies whether the thresholds apply to all addresses or to an individual address in the address pool. Different connection-number thresholds can be set for individual source IP addresses, but the setup-rate threshold shared by those source IP addresses must be the same. source ip indicates the configuration of the maximum and minimum setup rates for an individual IP address.

amount-value: Sets the maximum threshold of the total number of NAT connections that the same user can establish.

ip: Source IP addresses.

limit-rate: Maximum or minimum setup rate.

ip-address: IP address.

user-ip: IP address. After this parameter is configured, the switch keeps a separate control value for each specified IP address.

Description

Use the nat blacklist command to set the NAT blacklist attributes.

Use the undo nat blacklist command to disable a NAT blacklist attribute or function.

By default, the blacklist feature is disabled.

Use the nat blacklist start command to enable the NAT blacklist feature and start identifying blacklist users.

Use the undo nat blacklist start command to disable the NAT blacklist function.

Use the nat blacklist mode command to enable operations on blacklist users and set the thresholds for controlling setup rates or the number of connections.

Use the undo nat blacklist mode command to disable operations on blacklist users.

Use the nat blacklist limit amount command to set the thresholds for controlling the number of connections with all addresses or an individual source IP address.

Use the undo nat blacklist limit amount command to restore the default thresholds. If you do not specify an IP address, the command restores the default thresholds for all addresses. If you specify an IP address, the command restores the thresholds for the specified IP addresses to those for all addresses.

Use the nat blacklist limit rate command to set the threshold for controlling the connection setup rate of all addresses.

Use the nat blacklist limit rate source command to set the thresholds for controlling the setup rate of an individual IP address.

Use the undo nat blacklist limit rate command to restore the default thresholds. If you do not specify an IP address, the command restores the default thresholds for all addresses. If you specify an IP address, the command restores the thresholds for the specified IP addresses to those for all addresses.

By default, the threshold for the global setup rate is 250 sessions per second and the threshold for controlling the number of connections is 500 sessions.

The default setup-rate threshold for specified IP addresses is the same as the global setup-rate threshold.

Example

# Enable the NAT blacklist feature for the whole system.

[H3C] nat blacklist start

# Set the blacklist control mode to control the number of connections.

[H3C] nat blacklist mode amount

# Set the thresholds for controlling the number of connections for all addresses.

[H3C] nat blacklist limit amount 222

# Set the threshold for controlling the number of connections with IP address 1.1.1.1.

[H3C] nat blacklist limit amount source 1.1.1.1 2222

# Set the threshold for controlling the setup rate of all addresses.

[H3C] nat blacklist limit rate 200

# Select the special threshold for the setup rate of 2.2.2.2.

[H3C] nat blacklist limit rate source 2.2.2.2
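To make the amount and rate controls concrete, here is an added model of the checks described above (illustration only, not the switch's code). It assumes a one-second rate window and that a source exceeding an enabled limit stays on the blacklist until an operator clears it with forget(); the manual does not state how a source leaves the blacklist.

```python
from collections import defaultdict

# Documented defaults: 500 connections per user, 250 setups per second.
DEFAULT_AMOUNT_LIMIT = 500
DEFAULT_RATE_LIMIT = 250


class NatBlacklist:
    """Model of the nat blacklist connection-number and setup-rate controls."""

    def __init__(self, mode="all"):
        self.started = False
        self.mode = mode                      # nat blacklist mode { all | amount | rate }
        self.amount_limit = DEFAULT_AMOUNT_LIMIT
        self.amount_overrides = {}            # limit amount source <ip> <n>
        self.rate_limit = DEFAULT_RATE_LIMIT
        self.special_rate = None              # limit rate source ip <limit-rate>
        self.special_rate_sources = set()     # limit rate source <ip-address>
        self.sessions = defaultdict(int)      # mappings currently set up, per source
        self.setup_times = defaultdict(list)  # setup timestamps within the last second
        self.blacklist = set()

    # --- configuration, mirroring the command forms on this page ---
    def start(self):
        self.started = True

    def limit_amount(self, value, source=None):
        if source is None:
            self.amount_limit = value
        else:
            self.amount_overrides[source] = value

    def limit_rate(self, value):
        self.rate_limit = value

    def limit_rate_special(self, value):
        """The single special rate shared by every source opted in below."""
        self.special_rate = value

    def limit_rate_source(self, ip):
        self.special_rate_sources.add(ip)

    # --- effective thresholds for one source ---
    def amount_limit_for(self, ip):
        return self.amount_overrides.get(ip, self.amount_limit)

    def rate_limit_for(self, ip):
        if ip in self.special_rate_sources and self.special_rate is not None:
            return self.special_rate
        return self.rate_limit

    # --- data path ---
    def setup(self, ip, now):
        """Source ip asks for a new NAT mapping at time now (seconds).

        Returns True if the mapping is created, False if it is refused.
        """
        if not self.started:                  # feature disabled: no control at all
            self.sessions[ip] += 1
            return True
        if ip in self.blacklist:
            return False
        recent = [t for t in self.setup_times[ip] if now - t < 1.0]
        recent.append(now)
        self.setup_times[ip] = recent
        if self.mode in ("all", "rate") and len(recent) > self.rate_limit_for(ip):
            self.blacklist.add(ip)
            return False
        if self.mode in ("all", "amount") and self.sessions[ip] >= self.amount_limit_for(ip):
            self.blacklist.add(ip)
            return False
        self.sessions[ip] += 1
        return True

    def teardown(self, ip):
        """A mapping for ip aged out or was reset."""
        if self.sessions[ip] > 0:
            self.sessions[ip] -= 1

    def forget(self, ip):
        """Operator clears a source from the blacklist (assumed action)."""
        self.blacklist.discard(ip)

    def status(self, ip):
        """Fields corresponding to the 'display nat blacklist ip' output."""
        return {
            "amount_limit": self.amount_limit_for(ip),
            "rate_limit": self.rate_limit_for(ip),
            "sessions": self.sessions[ip],
            "blacklisted": ip in self.blacklist,
        }
```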

1.1.10  nat ftp server global

Syntax

nat ftp server global global-addr global-port inside host-addr host-port slot slotno

undo nat ftp server global global-addr global-port inside host-addr host-port slot slotno

View

VLAN interface view

Parameter

global-addr: A valid IP address provided for external accesses.

global-port: The port number provided for the FTP service to external accesses, in the range 0 to 12287; the keyword ftp can be used in place of port 21.

host-addr: The IP address of the server in internal LAN.

host-port: The service port number provided by the nonstandard FTP server, in the range 0 to 65535; the keyword ftp can be used in place of port 21.

slotno: The number of the slot that the NAT board resides in.

Description

Use the nat ftp server global command to configure nonstandard internal servers. Use the undo nat ftp server global command to remove the configured nonstandard internal servers.

Related command: nat server.

 

  Caution:

The nat ftp server global command (which configures nonstandard internal servers) and the nat server command (which configures normal internal servers) can be used together:

- The nat server command can be used to remove the internal servers configured by means of the nat ftp server global command;

- The nat ftp server global command can be used to remove the FTP internal servers configured by means of the nat server command;

- The nat server command can be used to configure the FTP internal server whose private network port is 21.

 

Example

# Configure nonstandard FTP servers:

<H3C> system-view

[H3C] interface Vlan-interface 3

[H3C-Vlan-interface3] nat ftp server global 202.100.100.1 11225 inside 1.1.1.3 1698 slot 3

1.1.11  nat outbound

Syntax

nat outbound acl-number [ address-group group-number [ no-pat ] ] slot slotno

undo nat outbound acl-number [ address-group group-number [ no-pat ] ] slot slotno

View

VLAN interface view

Parameter

address-group: Specifies the address pool to use for NAT. If no address pool is specified, the IP address of the interface is used as the translated address (the EASY IP feature).

no-pat: Specifies that only the IP addresses in packets are translated and that port number information is not used.

acl-number: ACL number, in the range 2,000 to 3,999.

group-number: Address pool number, in the range 0 to 319.

slotno: Number of the slot where the NAT board resides, in the range 0 to 13.

Description

Use the nat outbound command to associate an ACL with an address pool. After the association, the addresses meeting the criteria of acl-number can use address pool group-number for NAT. The NAT service processor card in which the address pool resides is specified for NAT.

Use the undo nat outbound command to delete the corresponding NAT rule. The system will execute the reset nat session command automatically after the undo nat outbound command is executed.

After configuring the association between the ACL and the address pool, the eligible source address of a data packet will be translated by either selecting an address from the address pool or using the IP address of the interface directly. Multiple NAT associations can be configured on a VLAN interface, which is normally connected to the ISP and acts as the egress of the internal network. You may use the corresponding undo command to delete a NAT association.

If you do not specify any value for the keyword address-group, the EASY IP feature is implemented for NAT, and the IP address of the interface is used as the translated address.

 

Note:

Only the source IP address and the destination IP address in the ACL associated with an address pool are used. They also determine whether two rules conflict.

 

Example

# Allow hosts on segment 10.110.10.0/24 to be translated into addresses from 202.110.10.10 to 202.110.10.12. Suppose VLAN interface 2 is connected to the ISP.

[H3C] acl number 1

[H3C-acl-basic-1] rule permit source 10.110.10.0 0.0.0.255

[H3C-acl-basic-1] rule deny

# Configure the address pool.

[H3C] nat address-group 1 202.110.10.10 202.110.10.12

# Enable NAT on service processor card in slot 3 using addresses from address pool 1 and TCP/UDP port information.

[H3C-Vlan-interface2] nat outbound 1 address-group 1 slot 3

# Delete the corresponding configuration.

[H3C-Vlan-interface2] undo nat outbound 1 address-group 1 slot 3

# Configure to use one-to-one NAT (do not use TCP/UDP port information for NAT).

[H3C-Vlan-interface2] nat outbound 1 address-group 1 no-pat slot 3

# Delete the corresponding configuration.

[H3C-Vlan-interface2] undo nat outbound 1 address-group 1 no-pat slot 3

# Configure to directly use the IP address of VLAN interface 2.

[H3C-Vlan-interface2] nat outbound 1 slot 3

# Delete the corresponding configuration.

[H3C-Vlan-interface2] undo nat outbound 1 slot 3

1.1.12  nat server

Syntax

nat server protocol pro-type global global-addr [ global-port1 ] [ global-port2 ] inside host-addr1 [ host-addr2 ] [ host-port ] slot slotno

nat server protocol pro-type global global-addr [ global-port ] inside host-addr [ host-port ] slot slotno

undo nat server protocol pro-type global global-addr [ global-port1 ] [ global-port2 ] inside host-addr1 [ host-addr2 ] [ host-port ] slot slotno

undo nat server protocol pro-type global global-addr [ global-port ] inside host-addr [ host-port ] slot slotno

View

VLAN interface view

Parameter

global-addr: Server’s public IP address by which external devices can access servers.

global-port: External service port number by which external devices access the service provided by the server. If no external service port number is specified, the internal service port number is used. For TCP and UDP, you must configure the external service port number.

host-addr: IP address of the server on the internal LAN.

host-port: Service port number provided by the server, in the range 0 to 65,535. The value 0 indicates that the server can provide any type of service. You can use a keyword to indicate a frequently used port number, for example www for the WWW service port 80 and ftp for the FTP service port 21.

Note that one command can be used to configure up to 128 internal servers.

global-port1 [ global-port2 ]: Specifies a range of external service port numbers that corresponds to an address range of internal hosts. global-port2 must be bigger than global-port1.

host-addr1 [ host-addr2 ]: Specifies an address range of internal hosts that corresponds to the range of external service port numbers. host-addr2 must be bigger than host-addr1. The number of addresses in the range must equal the number of external service ports.

pro-type: Protocol carried by IP, given as a protocol number in the range 1 to 255 or as a keyword: tcp for 6, udp for 17, and icmp for 1.

slotno: Specifies number of the slot in which the NAT board resides.

Description

Use the nat server command to define mapping relationships from external public addresses and external service port numbers to internal addresses and internal service port numbers.

Use the undo nat server command to cancel the mapping table.

The system executes the reset nat session command automatically after the undo nat server command is executed.

After the configuration, by using the address and port number defined by the global-addr and the global-port parameters, you can access the internal server with the address and port number specified by the host-addr and host-port parameters.

 

  Caution:

Up to 256 internal server translation commands can be configured for a VLAN interface.

Up to 4096 internal servers can be configured for a VLAN interface.

All internal servers on a VLAN interface must be configured on the same LSBM1NATB board.

Up to 1024 internal server translation commands can be configured in a system.

 

The interface configured with this command should be connected to the ISP and acts as the egress of the internal network.

Example

# Specify the IP address of the internal WWW server to be 10.110.10.10, the IP address of the internal FTP server to be 10.110.10.11, and allow external hosts to access the WWW server and FTP server by http://202.110.10.10:8080 and ftp://202.110.10.10 respectively. Suppose that Vlanif2 is connected to the ISP.

[H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www slot 3

[H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 ftp inside 10.110.10.11 ftp slot 3

# Specify an internal host 10.110.10.12 which can be successfully pinged by external hosts using the ping 202.110.10.11 command.

[H3C-Vlan-interface2] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 slot 2

# Delete the WWW server.

[H3C-Vlan-interface2] undo nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www slot 3

# Delete the FTP server.

[H3C-Vlan-interface2] undo nat server protocol tcp global 202.110.10.10 ftp inside 10.110.10.11 ftp slot 3

# Specify an external address 202.110.10.10 and map ports 1001 to 1100 to the TELNET service of internal hosts 10.110.10.1 to 10.110.10.100, so that 202.110.10.10:1001 maps to 10.110.10.1, 202.110.10.10:1002 maps to 10.110.10.2, and so on.

[H3C-Vlan-interface2] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet slot 3
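The ranged form of nat server is easy to get wrong, so the following added example (not H3C code) expands such a command into the individual static mappings it creates, enforcing the constraints from the parameter descriptions: port2 above port1, host-addr2 above host-addr1, equal range sizes and at most 128 servers per command. The telnet keyword is assumed to mean the standard port 23.

```python
import ipaddress

MAX_SERVERS_PER_COMMAND = 128   # stated in the host-port description
# Keywords the manual allows in place of numbers (telnet = 23 is the standard port).
PORT_KEYWORDS = {"www": 80, "ftp": 21, "telnet": 23, "dns": 53, "tftp": 69}
PROTOCOL_KEYWORDS = {"tcp": 6, "udp": 17, "icmp": 1}


def parse_port(value):
    """Accept a port keyword or a number in 0..65535."""
    if isinstance(value, str) and value in PORT_KEYWORDS:
        return PORT_KEYWORDS[value]
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} outside 0..65535")
    return port


def parse_protocol(value):
    """Accept a protocol keyword or an IP protocol number in 1..255."""
    if isinstance(value, str) and value in PROTOCOL_KEYWORDS:
        return PROTOCOL_KEYWORDS[value]
    number = int(value)
    if not 1 <= number <= 255:
        raise ValueError(f"protocol number {number} outside 1..255")
    return number


def expand_nat_server(pro_type, global_addr, global_port1, global_port2,
                      host_addr1, host_addr2, host_port, slotno):
    """Expand a ranged nat server command into individual static mappings.

    Returns a list of (global_addr, global_port, host_addr, host_port,
    protocol, slot) tuples, one per internal server.
    """
    gp1, gp2 = parse_port(global_port1), parse_port(global_port2)
    if gp2 <= gp1:
        raise ValueError("global-port2 must be bigger than global-port1")
    h1 = ipaddress.IPv4Address(host_addr1)
    h2 = ipaddress.IPv4Address(host_addr2)
    if h2 <= h1:
        raise ValueError("host-addr2 must be bigger than host-addr1")
    n_ports = gp2 - gp1 + 1
    n_hosts = int(h2) - int(h1) + 1
    if n_ports != n_hosts:
        raise ValueError(f"{n_ports} external ports but {n_hosts} internal hosts")
    if n_ports > MAX_SERVERS_PER_COMMAND:
        raise ValueError(f"{n_ports} servers exceed the per-command limit "
                         f"of {MAX_SERVERS_PER_COMMAND}")
    proto = parse_protocol(pro_type)
    hport = parse_port(host_port)
    # The i-th external port maps to the i-th internal host, same inside port.
    return [(global_addr, gp1 + i, str(h1 + i), hport, proto, slotno)
            for i in range(n_ports)]


def inside_target(mappings, global_addr, global_port, proto):
    """Internal (host, port) an external connection to global_addr:global_port reaches."""
    for g_addr, g_port, h_addr, h_port, p, _slot in mappings:
        if (g_addr, g_port, p) == (global_addr, global_port, proto):
            return h_addr, h_port
    return None
```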

1.1.13  reset nat

Syntax

reset nat session slot slotno

View

User view

Parameter

session: Clear the NAT mapping table.

slot slotno: Number of the slot where the NAT board resides.

Description

Use the reset nat session command to clear NAT mapping tables from the memory and NP.

Example

# Clear the NAT mapping table established by the NAT service processor board in slot 3.

<H3C> reset nat session slot 3

 

  Caution:

If you disable NAT or NAPT and then want to enable them again, it is recommended that you execute the reset nat session slot command.

 

1.2  NAT Security Logging Configuration Commands

1.2.1  display ip userlog export

Syntax

display ip userlog export slot slotno

View

Any view

Parameter

slot slotno: Number of the slot where the NAT board resides.

Description

Use the display ip userlog export command to display configurations and statistics of system logging.

Example

# Display configurations of NAT logging.

[H3C] display ip userlog export slot 3

  IP userlog export is not enable.

  No ACL referenced as NAT userlog rule.

  Version 1 is enabled.

  Flow-begin mode stopped.

  Uselog active time : 0 minutes

  Exporting logs to 0.0.0.0 ( 0 ).

  Export use source address 0.0.0.0.

1.2.2  ip userlog nat

Syntax

ip userlog nat acl acl-number

undo ip userlog nat

View

System view

Parameter

acl-number: Number of the ACL that defines the packets to be logged.

Description

Use the ip userlog nat acl command to enable NAT logging and configure the NAT logging rule, which defines the packets to be logged.

By default, NAT logging is disabled for each LSBM1VPNB board.

Example

# Employ ACL 2000 as the logging rule, and enable NAT logging.

[H3C] ip userlog nat slot 3 acl 2000

1.2.3  ip userlog nat active-time

Syntax

ip userlog nat active-time minutes

undo ip userlog nat active-time

View

System view

Parameter

minutes: Time duration of an active NAT connection before a log record is created for it, ranging from 10 to 120, in minutes. The default time duration is 0, which indicates that this function is disabled.

Description

Use the ip userlog nat active-time command to set the time duration of an active NAT connection before a log record is created for it.

Use the undo ip userlog nat active-time command to cancel the threshold configured for logging.

If the NAT process performs logging only when a NAT connection is deleted, some connections may stay active for a long time without being logged. After this command is configured, the device logs such long-lived connections at regular intervals.

Example

# Set the active time of a connection after which a NAT log record is created to 30 minutes.

[H3C] ip userlog nat active-time 30

1.2.4  ip userlog nat export host

Syntax

ip userlog nat export host ip-address udp-port

undo ip userlog nat export host

View

System view

Parameter

ip-address: IP address of the log server, that is, the destination IP address for log packets.

udp-port: UDP port number of the log server, that is, the destination port number for log packets. The valid range is from 0 to 65,535. By default, it is 0.

Description

Use the ip userlog nat export host command to set the address and port number of the destination server of log packets.

Use the undo ip userlog nat export host command to remove the configuration.

Example

# Set the destination address and UDP port number of log packets to 169.254.1.1 and 200 respectively.

[H3C] ip userlog nat export host 169.254.1.1 200

1.2.5  ip userlog nat export source-ip

Syntax

ip userlog nat export source-ip src-address

undo ip userlog nat export source-ip

View

System view

Parameter

src-address: Source IP address of the log packets, which defaults to 0.0.0.0.

Description

Use the ip userlog nat export source-ip command to set the source IP address and port number of log packets.

Use the undo ip userlog nat export source-ip command to restore the default source IP address and port number of log packets.

Example

# Set the source IP address and port number of log packets to 169.254.1.1 and 200 respectively.

[H3C] ip userlog nat export source-ip 169.254.1.1 200

1.2.6  ip userlog nat export version

Syntax

ip userlog nat export version version-number

undo ip userlog nat export version

View

System view

Parameter

version-number: Version of the log packets, which defaults to 1.

Description

Use the ip userlog nat export version command to set the version of log packets.

Use the undo ip userlog nat export version command to restore the default version of log packets.

Example

# Set the version of the log packets to 1.

[H3C] ip userlog nat export version 1

1.2.7  ip userlog nat mode flow-begin

Syntax

ip userlog nat mode flow-begin

undo ip userlog nat mode flow-begin

View

System view

Parameter

None

Description

Use the ip userlog nat mode flow-begin command to enable NAT logging both when a NAT connection is established and when it is deleted.

Use the undo ip userlog nat mode flow-begin command to restore the default logging mode.

Use the corresponding commands to select the logging mode. There are three options:

- Perform logging only when a NAT connection is deleted.

- Perform logging when a NAT connection is established or deleted.

- Perform logging when the NAT connection is active.

By default, the NAT server performs logging only when a NAT connection is deleted.

Example

# Configure the NAT server to log when a connection is established and when it is deleted.

[H3C] ip userlog nat mode flow-begin

 


Chapter 2  URPF Configuration Commands

 

Note:

The service processor cards mentioned in this chapter refer to LSBM1NATB boards.

 

2.1  URPF Configuration Commands

2.1.1  display urpf

Syntax

display urpf

View

VLAN interface view

Parameter

None

Description

Use the display urpf command to check whether URPF is enabled on the current VLAN interface. If URPF is enabled and the specified URPF-capable board is up, the command also shows URPF statistics, that is, the numbers of processed and discarded packets.

Example

# Query URPF enabling status and statistical data of VLAN interface 1001.

[H3C-Vlan-interface1001] display urpf

 URPF is enabled to slot 2 on current vlan interface!

 packet statistics related to URPF:

   Number of received packets: 5000

   Number of dropped packets: 200

# The following information appears when the service processor card is not installed.

[H3C-Vlan-interface1001] display urpf

URPF is enabled to slot 11 on current vlan interface!

2.1.2  reset urpf statistic

Syntax

reset urpf statistic

View

VLAN interface view

Parameter

None

Description

Use the reset urpf statistic command to clear URPF statistical counters to zero.

When a VLAN interface with URPF enabled runs for a long time, its statistical counters keep growing. To clear the counts of received and discarded packets on the interface, execute the reset urpf statistic command; the URPF counters are then reset to zero.

Example

# Clear URPF statistical counters to zero.

[H3C-Vlan-interface100] reset urpf statistic

2.1.3  urpf enable

Syntax

urpf enable to slot slotid

undo urpf enable

View

VLAN interface view

Parameter

slotid: Number of the slot where the service processor card that performs the URPF check is located.

Description

Use the urpf enable command to enable URPF on a certain VLAN port, and specify the corresponding service processor card for handling.

Use the undo urpf enable command to disable URPF on a certain VLAN port.

After the urpf enable command is configured, you need to configure packet redirection in Ethernet port view to redirect the packets needing URPF check to boards with URPF function (the LSBM1NATB board). Refer to Packet Redirection section of QACL part for more information.

 

  Caution:

Because URPF and virtual private LAN service (VPLS) are mutually exclusive, you cannot simultaneously enable URPF and VPLS in the same VLAN interface view.

 

Example

# Enable URPF on the VLAN interface, and specify the service processor card installed in slot 2 to perform the URPF check.

[H3C-Vlan-interface1001] urpf enable to slot 2
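To show what the URPF check on the service processor card decides and how the received/dropped counters in the display urpf output come about, here is an added illustration (not H3C code). The manual does not say which URPF mode the board applies, so strict mode is assumed: a packet passes only when the best route to its source address points back out of the interface it arrived on. The routing table and packets are constructed samples.

```python
import ipaddress


class UrpfChecker:
    """Strict unicast reverse path forwarding check over a small FIB."""

    def __init__(self, routes):
        # routes: (prefix, outgoing interface) pairs; longest prefix wins.
        self.routes = sorted(
            ((ipaddress.IPv4Network(prefix), ifname) for prefix, ifname in routes),
            key=lambda entry: entry[0].prefixlen, reverse=True)
        self.received = 0
        self.dropped = 0

    def reverse_path(self, src):
        """The interface the switch would use to reach src, or None if unroutable."""
        addr = ipaddress.IPv4Address(src)
        for network, ifname in self.routes:
            if addr in network:
                return ifname
        return None

    def check(self, src, ingress):
        """Return True if the packet passes, False if URPF discards it."""
        self.received += 1
        if self.reverse_path(src) != ingress:   # also drops unroutable sources
            self.dropped += 1
            return False
        return True

    def reset_statistic(self):
        """Equivalent of reset urpf statistic."""
        self.received = 0
        self.dropped = 0

    def statistics(self):
        """The two counters shown by display urpf."""
        return {"received": self.received, "dropped": self.dropped}


def run_sample():
    """Constructed traffic: one genuine packet and two with inconsistent sources."""
    checker = UrpfChecker([("10.110.10.0/24", "Vlan-interface1001"),
                           ("0.0.0.0/0", "Vlan-interface2")])
    results = [
        checker.check("10.110.10.5", "Vlan-interface1001"),  # internal host on its own VLAN
        checker.check("10.110.10.5", "Vlan-interface2"),     # internal source arriving from the ISP side
        checker.check("192.0.2.7", "Vlan-interface1001"),    # external source arriving from inside
    ]
    return results, checker.statistics()
```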

 


Chapter 3  VPLS Configuration Commands

 

Note:

The service processor cards mentioned in this chapter mainly refer to LSB1VPNB0 cards.

 

3.1  VPLS Configuration Commands

3.1.1  bandwidth

Syntax

bandwidth vpn-speed

View

VSI-LDP view

Parameter

vpn-speed: VSI rate limitation.

Description

Use the bandwidth command to configure the VPN rate limitation, in the range of 64 kbps to 4,194,303 kbps in increments of 64. After the configuration, the system automatically takes the largest multiple of 64 that is no more than the configured value as the rate limitation. The actually supported rate limitation ranges from 64 kbps to 2,097,152 kbps; if the value you set is above 2,097,152 kbps, no rate limitation is performed. In a VSI, the part of the traffic beyond this bandwidth restriction is discarded by the system.

By default, the VSI (VPLS instance) rate limitation is 102,400 kbps.

Example

# Set the bandwidth restriction for the VPLS instance test to 10 Mbps.

[H3C-vsi-test-ldp] bandwidth 10240

3.1.2  broadcast-restrain

Syntax

broadcast-restrain restrain-number

View

VSI-LDP view

Parameter

restrain-number: VSI broadcast suppression percentage.

Description

Use the broadcast-restrain command to configure the VPN broadcast suppression percentage, which is in the range of 0 to 100. You cannot set the percentage to 0. In the VSI, the part of broadcast traffic (broadcast, multicast, and unknown unicast) beyond the suppression percentage is discarded.

By default, the broadcast suppression percentage is 5%.

Example

# Set the broadcast suppression percentage of the VPLS instance test to 10%.

[H3C-vsi-test-ldp] broadcast-restrain 10

3.1.3  description

Syntax

description TEXT

undo description

View

VSI-LDP view

Parameter

TEXT: Description text for the specified VPLS instance, an alphanumeric character string 1 to 50 characters in length.

Description

Use the description command to set the description of current VPLS instance.

Use the undo description command to remove the description.

Example

# Set the description of the VPLS instance test to Hangzhou H3C Technologies Co., Ltd.

[H3C-vsi-test-ldp] description Hangzhou H3C Technologies Co., Ltd.

3.1.4  debugging mpls l2vpn

Syntax

debugging mpls l2vpn { advertisement | all | connections | error | event }

undo debugging mpls l2vpn { advertisement | all | connections | error | event }

View

User view

Parameter

advertisement: Enables debugging for the L2VPN signaling protocol.

all: Enables all types of debugging for the L2VPN module.

connections: Enables debugging for MPLS layer 2 VC connections.

error: Enables debugging for L2VPN errors.

event: Enables debugging for event notification between modules.

Description

Use the debugging mpls l2vpn command to enable individual kinds of L2VPN debugging.

Use the undo debugging mpls l2vpn command to disable the corresponding debugging.

By default, all L2VPN debugging is disabled.

Example

# Enable debugging for L2VPN errors.

<H3C> debugging mpls l2vpn error

3.1.5  display mac-address vsi

Syntax

display mac-address vsi [ vsi-name ] [ peer peer-address | local | [ dynamic | static ] [ count ] | count ]*

View

Any view

Parameter

peer peer-address: Specifies the peer IP address.

local: Local PE.

vsi-name: Name of a VPLS instance, whose VPLS MAC forwarding entries will be displayed.

dynamic: Displays only dynamic VPLS MAC forwarding entries.

static: Displays only static VPLS MAC forwarding entries.

count: Displays only the number of the VPLS MAC forwarding entries.

Description

Use the display mac-address vsi command to display the layer 2 VPLS forwarding information. You can view the forwarding entry information of all VPLS instances or one specific VPLS instance.

Related command: vsi, mac-address static.

Example

# View the forwarding entries of the VPLS instance test.

[H3C] display mac-address vsi test

MAC ADDR       STATE           VPN ID    PEER IP        AGING TIME

0004-0000-005b  dynamic        150     LOCAL             AGING

 ---  1 mac address(es) found  ---

3.1.6  display mpls l2vc

Syntax

display mpls l2vc [ verbose | { interface Vlan-interface interface-num } | { [ vsi vsi-name ] [ peer peer-ip ] [ up | down | block ] } ]

View

Any view

Parameter

verbose: Displays details about all layer 2 virtual connections (L2VCs).

interface Vlan-interface: Displays information about the virtual connections corresponding to the VSIs bound to the specified VLAN interface.

interface-num: Interface number of the specified VLAN interface.

vsi: Displays the L2VC information of the specified VSI.

vsi-name: Name of a VPLS instance, whose L2VC information will be displayed.

peer: Displays the information about L2VC to the specified peer PE.

peer-ip: IP address of a peer PE.

up: Displays the information about L2VC in Up state.

down: Displays the information about L2VC in Down state.

block: Displays the information about L2VC in Block state.

Description

Use the display mpls l2vc command to display information about MPLS-based L2VCs. You can specify an interface to view the L2VC information about the VSI bound to that interface. You can also specify a VPLS instance or a virtual connection status to view the corresponding L2VC information.

Related command: vsi, l2 binding vsi.

Example

# View the L2VC information about the VPLS instance test.

[H3C] display mpls l2vc

 Total l2vc : 3

 l2vc : 1 up

 l2vc : 0 block

 l2vc : 2 down

 

Interface: Vlan-interface1024, Encapsulation: ethernet, Service: VPLS

VSI name : test, vsi-id : 1024 , Service Status : Open

VC-ID         Destination      State Lcl-Label/Rmt-Label Tunnel/Index

1024          6.6.6.6          down     131072/0            ---/0

1024          8.8.8.8          up       131075/131076       LSP/0

1024          3.3.3.3          down     131074/0            ---/0
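The counters in the header and the per-VC rows are easy to misread by eye. The following Python script is an added example, not code from the manual or from H3C: it parses output in the shape shown above (the sample text is constructed from that example), cross-checks the header counters against the VC table, and reports every VC that is not up together with its labels and tunnel binding.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the display mpls l2vc output shown above.
SAMPLE_L2VC = """\
 Total l2vc : 3
 l2vc : 1 up
 l2vc : 0 block
 l2vc : 2 down

Interface: Vlan-interface1024, Encapsulation: ethernet, Service: VPLS
VSI name : test, vsi-id : 1024 , Service Status : Open
VC-ID         Destination      State Lcl-Label/Rmt-Label Tunnel/Index
1024          6.6.6.6          down     131072/0            ---/0
1024          8.8.8.8          up       131075/131076       LSP/0
1024          3.3.3.3          down     131074/0            ---/0
"""

TOTAL_RE = re.compile(r"^\s*Total l2vc\s*:\s*(\d+)")
SUMMARY_RE = re.compile(r"^\s*l2vc\s*:\s*(\d+)\s+(up|down|block)\s*$")
VC_RE = re.compile(
    r"^(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(up|down|block)\s+(\d+)/(\d+)\s+(\S+)/(\d+)\s*$")

@dataclass
class L2VC:
    vc_id: int
    peer: str
    state: str
    local_label: int
    remote_label: int
    tunnel: str  # "LSP" when a tunnel is bound, "---" when none

def parse_l2vc(text):
    """Return (header counters, list of VC rows) parsed from display mpls l2vc output."""
    summary, vcs = {}, []
    for line in text.splitlines():
        if m := TOTAL_RE.match(line):
            summary["total"] = int(m.group(1))
        elif m := SUMMARY_RE.match(line):
            summary[m.group(2)] = int(m.group(1))
        elif m := VC_RE.match(line):
            vcs.append(L2VC(int(m.group(1)), m.group(2), m.group(3),
                            int(m.group(4)), int(m.group(5)), m.group(6)))
    return summary, vcs

def audit_l2vc(text):
    """Cross-check the header counters against the VC table and list VCs that are not up."""
    summary, vcs = parse_l2vc(text)
    findings = []
    for state in ("up", "down", "block"):
        seen = sum(1 for v in vcs if v.state == state)
        if summary.get(state) != seen:
            findings.append(f"counter mismatch: header says {summary.get(state)} {state}, table has {seen}")
    if summary.get("total") != len(vcs):
        findings.append(f"counter mismatch: header says {summary.get('total')} total, table has {len(vcs)}")
    for v in vcs:
        if v.state != "up":
            findings.append(f"VC {v.vc_id} to {v.peer} is {v.state} "
                            f"(labels {v.local_label}/{v.remote_label}, tunnel {v.tunnel})")
    return findings
```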

3.1.7  display vsi

Syntax

display vsi vsi-name

View

Any view

Parameter

vsi-name: Name of a VPLS instance.

Description

Use the display vsi command to display the information about one specific or all VPLS instances.

Related command: vsi.

Example

# View the configuration information about the VPLS instance test.

[H3C] display vsi test

VPLS-Instance : test

  VSI service status : Open

  Vsi ID : 100

   Vpn ID : 1

  MTU : 1500

  Description : none

  VPLS Peers : 2

    3.3.3.3           npe

    7.7.7.7           npe

  Interface :

    Vlan-interface101

  Bandwidth: 102400kbps

  Broadcast-restrain: 5%

  Qos-class : 0

  Qos-table : [0 0 0 1 1 1 1 2]

  Mac-table limit : 128 
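The bandwidth rule from 3.1.1 (the largest multiple of 64 no more than the setting is applied; above 2,097,152 kbps no limit) and the ranges documented for mtu, broadcast-restrain and mac-table limit can be checked mechanically against this output. The following Python script is an added example, not code from the manual or from H3C: it parses output in the shape shown above (sample text constructed from that example), computes the effective bandwidth, flags values outside the documented ranges, and compares the peer list with an operator-supplied allowlist so that an unexpected VPLS peer stands out.

```python
import re

# Constructed sample in the shape of the display vsi output shown above.
SAMPLE_VSI = """\
VPLS-Instance : test
  VSI service status : Open
  Vsi ID : 100
  MTU : 1500
  VPLS Peers : 2
    3.3.3.3           npe
    7.7.7.7           npe
  Bandwidth: 102400kbps
  Broadcast-restrain: 5%
  Qos-class : 0
  Qos-table : [0 0 0 1 1 1 1 2]
  Mac-table limit : 128
"""

PEER_RE = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\s+(npe|upe)\s*$")
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(.*?)\s*$")
# Ranges documented for the mtu, broadcast-restrain and mac-table limit commands.
RANGES = {"mtu": (128, 8192), "broadcast-restrain": (1, 100), "mac-table limit": (0, 65535)}

def effective_bandwidth(kbps):
    """Limit actually applied: largest multiple of 64 <= setting; None above 2,097,152 kbps."""
    if not 64 <= kbps <= 4194303:
        raise ValueError("bandwidth must be 64..4194303 kbps")
    return None if kbps > 2097152 else kbps - kbps % 64

def parse_vsi(text):
    """Parse display vsi output into a dict; peers become a list of (ip, type)."""
    info = {"peers": []}
    for line in text.splitlines():
        if m := PEER_RE.match(line):
            info["peers"].append((m.group(1), m.group(2)))
        elif m := KV_RE.match(line):
            info[m.group(1).lower()] = m.group(2)
    return info

def audit_vsi(text, allowed_peers):
    """Check a VSI against the documented ranges and an operator-supplied peer allowlist."""
    v = parse_vsi(text)
    findings = []
    kbps = int(re.sub(r"\D", "", v["bandwidth"]))
    limit = effective_bandwidth(kbps)
    if limit is None:
        findings.append(f"bandwidth {kbps} kbps: no rate limitation is performed")
    elif limit != kbps:
        findings.append(f"bandwidth {kbps} kbps is applied as {limit} kbps (multiple of 64)")
    for key, (lo, hi) in RANGES.items():
        val = int(re.sub(r"\D", "", v[key]))
        if not lo <= val <= hi:
            findings.append(f"{key} {val} is outside the documented range {lo}..{hi}")
    for ip, kind in v["peers"]:
        if ip not in allowed_peers:
            findings.append(f"unexpected VPLS peer {ip} ({kind})")
    for ip in sorted(allowed_peers - {p for p, _ in v["peers"]}):
        findings.append(f"expected VPLS peer {ip} is missing")
    return findings
```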

3.1.8  l2 binding vsi

Syntax

l2 binding vsi vsi-name [ encapsulation { vlan | ethernet } ]

undo l2 binding vsi vsi-name [ encapsulation { vlan | ethernet } ]

View

VLAN interface view

Parameter

vsi-name: Name of a VPLS instance.

encapsulation: Specifies the user access encapsulation mode. By default, the mode is Ethernet.

ethernet: Specifies the user access encapsulation mode as Ethernet.

vlan: Specifies the user access encapsulation mode as VLAN.

Description

Use the l2 binding vsi command to bind a VPLS instance to a VLAN interface. The services provided by the VLAN will be regarded as the VPN internal services of the specified VSI.

Use the undo l2 binding vsi command to remove the binding relation between a VLAN and a VSI.

The port configuration on a VLAN interface differs depending on the user access mode. If the user accesses by Ethernet, you must enable VLAN-VPN on the access port of the VLAN. If the user makes H-VPLS access by VLAN, or the user's convergence multi-tenant unit (MTU) makes H-VPLS access by VLAN-VPN, you need not enable VLAN-VPN on the access port; instead, you must configure the port as a Trunk port, and the VLAN tag (the VLAN ID currently configured for the user) carried in uplink packets must match that of the VLAN bound with the Trunk port. If the convergence UPE makes H-VPLS access by LSP, you can bind a VPLS instance to a VLAN containing no port. Additionally, you cannot bind one instance to multiple VLANs.

Related command: vsi, peer.

Example

# Bind the VPLS instance test to VLAN 100 in VLAN interface view. Enabling VLAN VPN on the port of the VLAN indicates that the VSI is accessed through Ethernet.

[H3C] interface GigabitEthernet3/1/4

[H3C-GigabitEthernet3/1/4] vlan-vpn enable

[H3C-GigabitEthernet3/1/4] port access vlan 100

[H3C-GigabitEthernet3/1/4] interface vlan-interface 100

[H3C-Vlan-interface100] undo ip address

[H3C-Vlan-interface100] l2 binding vsi test

 

  Caution:

•  If you have enabled GVRP, STP or the 802.1x protocol for a port, you are prohibited from enabling the VLAN VPN feature for the port.

•  If you have enabled IGMP Snooping or IGMP for the VLAN which the port belongs to, you are prohibited from enabling the VLAN VPN feature for the port. Similarly, if you have enabled the VLAN VPN feature for the port, you are prohibited from enabling IGMP Snooping or IGMP for the VLAN which the port belongs to.

•  If you want to add ports with VLAN VPN enabled to a VLAN, you cannot enable IGMP Snooping in the VLAN or enable IGMP for the VLAN interface.

•  You cannot configure an IP address for a VLAN interface with VPLS instances bound to it. Similarly, you cannot bind a VPLS instance to a VLAN interface with an IP address configured.

•  You can bind one VPLS instance to up to eight VLANs.

•  You cannot bind any VSI to Vlan-interface1.

 

3.1.9  mac-address

Syntax

mac-address { static H-H-H } vsi vsi-name { peer peer-ip | vlan-interface vlan-interface-number }

undo mac-address { static H-H-H } vsi vsi-name

View

System view

Parameter

static: Specifies a static MAC address. Only static VSI MAC addresses are allowed at present.

H-H-H: Value of the static MAC address.

vsi: Specifies a VSI name.

vsi-name: Name of a VPLS instance.

peer: Specifies the virtual connection peer of the static MAC address.

peer-ip: IP address of the virtual connection peer of the static MAC address.

vlan-interface: The VLAN interface that is bound to corresponding local VSI of the specified static MAC address.

vlan-interface-number: Number of the specified VLAN interface.

Description

Use the mac-address command to configure a static MAC address for a VPLS instance. The address you configured can be either a MAC address on a local CE or a MAC address on a remote CE.

Use the undo mac-address command to disable the configuration.

Note that when you configure a static MAC address for a VPLS instance, you specify either the peer keyword or the vlan-interface keyword; when vlan-interface is specified, the command configures the MAC address of a local CE reached through the corresponding VLAN interface bound to the VSI.

Related command: vsi, display mac-address vsi.

Example

# Configure static MAC address entries for a local CE and for a CE connecting to the remote peer PE of the VPLS instance test, and bind VLAN interface 10 to the local CE of the VPLS instance test.

[H3C] mac-address static 0000-fc39-a9b5 vsi test vlan-interface 10

[H3C] mac-address static 0000-fc39-a9b4 vsi test peer 2.2.2.2

3.1.10  mac-table limit

Syntax

mac-table limit mac-limit-num

View

VSI-LDP view

Parameter

mac-limit-num: Maximum number of the MAC addresses of a specific VSI.

Description

Use the mac-table limit command to configure the maximum number of the MAC addresses in the VPN. This number ranges from 0 to 65,535 and defaults to 128. When the total number of the MAC addresses of the VSI exceeds this number, the system no longer learns any new source MAC address; instead, it directly broadcasts the packet in the VSI.

Example

# Set the maximum number of the MAC addresses of the VPLS instance test to 1,024.

[H3C-vsi-test-ldp] mac-table limit 1024

3.1.11  mtu

Syntax

mtu mtu

View

VSI-LDP view

Parameter

mtu: Value of the access maximum transmission unit (MTU) of a VPLS instance, in the range of 128 bytes to 8192 bytes. By default, the MTU is 1,500 bytes.

Description

Use the mtu command to specify the MTU value for user access packets of this VPLS instance. This MTU value is also the MTU value of the PW.

MTU value is a global characteristic of a VPLS instance, and all the MTU values of the peer PEs of the instance must be consistent.

Example

# Set the MTU value for the VPLS instance test to 1,400 bytes.

[H3C-vsi-test-ldp] mtu 1400

3.1.12  peer

Syntax

peer peer-ip [ vc-id vc-id ] [ upe ] [ { backup-peer | primary-peer } alternatepeer-ip ] [ trans-mode { raw | tagged } ]

undo peer peer-ip

View

VSI-LDP View

Parameter

peer-ip: IP address of a VPLS remote peer PE.

vc-id: ID of the VC to the VPLS peer PE. It defaults to the VSI-ID.

upe: Specifies that the type of the VPLS peer is UPE, that is, the peer is a user convergence node UPE in hierarchical VPLS architecture.

trans-mode: Specifies the VC encapsulation mode.

raw: Specifies that the VC encapsulation mode is Ethernet Raw.

tagged: Specifies that the VC encapsulation mode is Ethernet Tagged.

backup-peer: Specifies the IP address of the backup PE corresponding to the primary PE of the UPE.

primary-peer: Specifies the IP address of the primary PE corresponding to the backup PE of the UPE.

alternatepeer-ip: IP address of the alternate peer PE in hierarchical VPLS architecture (the backup PE when backup-peer is specified, or the primary PE when primary-peer is specified).

Description

Use the peer command to create a VPLS peer PE contained in an instance. When you create a VPLS peer PE, you must specify an IP address and peer type for the peer PE. Use the undo peer command to remove the specified VPLS peer PE.

By default, the peer type is NPE. When you specify UPE as the peer type, it indicates the peer is a user convergence node UPE in hierarchical VPLS architecture. You can also specify an ID for a VC to the peer, and the ID must be consistent with that of the remote. Multipoint-to-multipoint connections are needed among specified multiple remote peer NPEs, but not needed between UPEs and NPEs.

By default, VC-ID is VSI-ID.

Related command: vsi, vsi-id.

Example

# In VSI-LDP view, create a user convergence node PE (UPE) in hierarchical VPLS architecture with the IP address 4.4.4.4, and set the VC ID to the UPE to 200.

[H3C-vsi-test-ldp] peer 4.4.4.4 vc-id 200 upe

# Configure 4.4.4.4 as the IP address of the primary PE (primary link) and 5.5.5.5 as the IP address of the backup PE (backup link) initially. When the primary PE becomes unavailable, the backup PE is switched to the active state.

[H3C-vsi-vpn1-ldp] peer 4.4.4.4 backup-peer 5.5.5.5

[H3C-vsi-vpn1-ldp] peer 5.5.5.5 primary-peer 4.4.4.4

3.1.13  pwsignal

Syntax

pwsignal [ ldp ]

View

VSI view

Parameter

ldp: Makes the VPLS use Martini mode.

Description

Use the pwsignal command to specify a PW signaling protocol for VPLS and enter VPLS protocol view.

When you specify Martini as the VPLS connection mode, you will enter VSI-LDP view at the same time.

By default, Martini is used for the VPLS connection mode.

Example

# Set the connection mode of the VPLS instance test to Martini and enter VSI-LDP view.

[H3C-vsi-test] pwsignal ldp

[H3C-vsi-test-ldp]

3.1.14  qos

Syntax

qos { 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | { user-define-table p p p p p p p p } }

View

VSI-LDP view

Parameter

0: Specifies QoS level 0 for user.

1: Specifies QoS level 1 for user.

2: Specifies QoS level 2 for user.

3: Specifies QoS level 3 for user.

4: Specifies QoS level 4 for user.

5: Specifies QoS level 5 for user.

6: Specifies QoS level 6 for user.

7: Specifies QoS level 7 for user.

p p p p p p p p: Mapping table of VSI QoS priority.

Description

Use the qos command to configure the QoS level for the VSI, which is in the range of 0 to 7 and defaults to 0. When configuring the QoS level, you can either use the QoS mapping table suggested by the protocol or a user-defined QoS table, setting p p p p p p p p with this command.

The following is the QoS classifying table suggested by the protocol:

Table 3-1 QoS classifying table

User Priority                  Number of available classes of service
                               1    2    3    4    5    6    7    8
0 Best Effort (Default)        0    0    0    1    1    1    1    2
1 Background                   0    0    0    0    0    0    0    0
2 Spare                        0    0    0    0    0    0    0    1
3 Excellent Effort             0    0    0    1    1    2    2    3
4 Controlled Load              0    1    1    2    2    3    3    4
5 Interactive Multimedia       0    1    1    2    3    4    4    5
6 Interactive Voice            0    1    2    3    4    5    5    6
7 Network Control              0    1    2    3    4    5    6    7


Example

# Set the QoS level for the VPLS instance test to 3.

[H3C-vsi-test-ldp] qos 3

3.1.15  shut

Syntax

shut

undo shut

View

VSI-LDP view

Parameter

None

Description

Use the shut command to shut down the VPN service of the VPLS instance. When the service of the VSI is shut down, the system does not process any traffic for this VSI.

Use the undo shut command to restore the VPLS service of the VSI.

Example

# Disable VPLS for the VPLS instance test.

[H3C-vsi-test-ldp] shut

# Enable VPLS for the VPLS instance test.

[H3C-vsi-test-ldp] undo shut

3.1.16  vsi

Syntax

vsi vsi-name [ static ]

undo vsi vsi-name

View

System view

Parameter

vsi-name: Name for a VPLS instance, an alphanumeric character string in the length of 1 to 20.

static: Indicates that the peer discovery mechanism is static manual configuration.

Description

Use the vsi command to create a VPLS instance or enter VSI view. When creating a VPLS instance, you must specify a locally unique VPLS instance name and choose automatic discovery or manual configuration as the peer discovery mechanism (manual configuration is the default).

Use the undo vsi command to remove the configuration.

Related command: display vsi.

Example

# Create a VPLS instance named test, with manual configuration as the peer discovery mechanism and VLAN access as the user encapsulation.

[H3C] vsi test static

[H3C-vsi-test]

3.1.17  vsi-id

Syntax

vsi-id vsi-id

View

VSI-LDP view

Parameter

vsi-id: ID for the VPLS instance, in the range of 1 to 1,024. The ID of a VPLS instance must be locally unique. For the VC of this VPLS, the VC-ID defaults to the VSI-ID.

Description

Use the vsi-id command to specify the ID of the VPLS instance. The VC-ID argument ranges from 1 to 4,294,967,295. By default, the VSI-ID is used as the VC-ID.

Example

# Set the VSI-ID of the VPLS instance test to 100.

[H3C-vsi-test-ldp] vsi-id 100

 
