H3C S3100-52P Command Manual-Release 1602(V1.01)

HomeSupportSwitchesH3C S3100 Switch SeriesReference GuidesCommand ReferencesH3C S3100-52P Command Manual-Release 1602(V1.01)
17-802.1x and System Guard Command
Title Size Download
17-802.1x and System Guard Command 173.97 KB

Table of Contents

Chapter 1 802.1x Configuration Commands. 1-1

1.1 802.1x Configuration Commands. 1-1

1.1.1 display dot1x. 1-1

1.1.2 dot1x. 1-5

1.1.3 dot1x authentication-method. 1-7

1.1.4 dot1x dhcp-launch. 1-8

1.1.5 dot1x guest-vlan. 1-9

1.1.6 dot1x handshake. 1-10

1.1.7 dot1x handshake secure. 1-11

1.1.8 dot1x max-user 1-12

1.1.9 dot1x port-control 1-13

1.1.10 dot1x port-method. 1-14

1.1.11 dot1x quiet-period. 1-15

1.1.12 dot1x retry. 1-16

1.1.13 dot1x retry-version-max. 1-17

1.1.14 dot1x re-authenticate. 1-18

1.1.15 dot1x supp-proxy-check. 1-19

1.1.16 dot1x timer 1-21

1.1.17 dot1x timer reauth-period. 1-23

1.1.18 dot1x version-check. 1-24

1.1.19 reset dot1x statistics. 1-25

Chapter 2 Quick EAD Deployment Configuration Commands. 2-1

2.1 Quick EAD Deployment Configuration Commands. 2-1

2.1.1 dot1x free-ip. 2-1

2.1.2 dot1x timer acl-timeout 2-2

2.1.3 dot1x url 2-2

Chapter 3 HABP Configuration Commands. 3-1

3.1 HABP Configuration Commands. 3-1

3.1.1 display habp. 3-1

3.1.2 display habp table. 3-2

3.1.3 display habp traffic. 3-2

3.1.4 habp enable. 3-3

3.1.5 habp server vlan. 3-4

3.1.6 habp timer 3-5

Chapter 4 System Guard Configuration Commands. 4-1

4.1 System Guard Configuration Commands. 4-1

4.1.1 display system-guard ip state. 4-1

4.1.2 display system-guard ip-record. 4-2

4.1.3 display system-guard l3err state. 4-3

4.1.4 display system-guard tcn state. 4-3

4.1.5 system-guard ip detect-maxnum.. 4-4

4.1.6 system-guard ip detect-threshold. 4-4

4.1.7 system-guard ip enable. 4-6

4.1.8 system-guard l3err enable. 4-7

4.1.9 system-guard tcn enable. 4-8

4.1.10 system-guard tcn rate-threshold. 4-8

 


Chapter 1  802.1x Configuration Commands

 

&  Note:

l      The online user handshaking configuration is added. See dot1x handshake for related information.

l      The configuration of 802.1x re-authentication is added. See dot1x re-authenticate.

l      The configuration of the 802.1x re-authentication interval is added. See dot1x timer reauth-period.

l      The configuration of quick EAD deployment is added. See Quick EAD Deployment Configuration Commands.

 

1.1  802.1x Configuration Commands

1.1.1  display dot1x

Syntax

display dot1x [ sessions | statistics ] [ interface interface-list ]

View

Any view

Parameters

sessions: Displays the information about 802.1x sessions.

statistics: Displays the statistics on 802.1x.

interface: Display the 802.1x-related information about a specified port.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the display dot1x command to display 802.1x-related information, such as configuration information, operation information (session information), and statistics.

When the interface-list argument is not provided, this command displays 802.1x-related information about all the ports.

The output information can be used to verify 802.1 x-related configurations and to troubleshoot.

Related commands: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, dot1x port-control, dot1x port-method, dot1x timer.

Examples

# Display 802.1x-related information.

<Sysname> display dot1x

Global 802.1X protocol is enabled

 CHAP authentication is enabled

 DHCP-launch is disabled

 Handshake is enabled     

 Proxy trap checker is disabled

 Proxy logoff checker is disabled

 EAD Quick Deploy is enabled

 

 Configuration: Transmit Period     30 s,  Handshake Period       15 s

                ReAuth Period     3600 s,  ReAuth MaxTimes        2  

                Quiet Period        60 s,  Quiet Period Timer is disabled

                Supp Timeout        30 s,  Server Timeout         100 s

                Interval between version requests is 30s

                Maximal request times for version information is 3

                The maximal retransmitting times          2

  EAD Quick Deploy configuration:

                Url: http: //192.168.19.23

                Free-ip: 192.168.19.0 255.255.255.0

                Acl-timeout:   30 m 

 

 Total maximum 802.1x user resource number is 1024

 Total current used 802.1x resource number is 1

 

 Ethernet1/0/1  is link-up

   802.1X protocol is enabled

   Proxy trap checker is disabled

   Proxy logoff checker is disabled

   Version-Check is disabled

   The port is an authenticator

   Authentication Mode is Auto

   Port Control Type is Port-based

   ReAuthenticate is disabled

   Max number of on-line users is 256

 

   Authentication Success: 4, Failed: 2

   EAPOL Packets: Tx 7991, Rx 14

   Sent EAP Request/Identity Packets : 7981

        EAP Request/Challenge Packets: 0

   Received EAPOL Start Packets : 5

            EAPOL LogOff Packets: 1

            EAP Response/Identity Packets : 4

            EAP Response/Challenge Packets: 4

            Error Packets: 0

 1. Authenticated user : MAC address: 000d-88f6-44c1

 

   Controlled User(s) amount to 1                  

 

Ethernet1/0/2

……

Table 1-1 Description on the fields of the display dot1x command

Field

Description

Equipment 802.1X protocol is enabled

802.1x protocol (802.1x for short) is enabled on the switch.

CHAP authentication is enabled

CHAP authentication is enabled.

DHCP-launch is disabled

DHCP-triggered. 802.1x authentication is disabled.

Handshake is enabled

The online user handshaking function is enabled.

Proxy trap checker is disabled

Whether or not to send Trap packets when detecting a supplicant system logs in through a proxy.

l      Disable means the switch does not send Trap packets when it detects that a supplicant system logs in through a proxy.

l      Enable means the switch sends Trap packets when it detects that a supplicant system logs in through a proxy.

Proxy logoff checker is disabled

Whether or not to disconnect a supplicant system when detecting it logs in through a proxy.

l      Disable means the switch does not disconnect a supplicant system when it detects that the latter logs in through a proxy.

l      Enable means the switch disconnects a supplicant system when it detects that the latter logs in through a proxy.

EAD Quick Deploy is enabled

Quick EAD deployment is enabled.

Transmit Period

Setting of the Transmission period timer (the tx-period)

Handshake Period

Setting of the handshake period timer (the handshake-period)

ReAuth Period

Re-authentication interval

ReAuth MaxTimes

Maximum times of re-authentications

Quiet Period

Setting of the quiet period timer (the quiet-period)

Quiet Period Timer is disabled

The quiet period timer is disabled here. It can also be configured as enabled when necessary.

Supp Timeout

Setting of the supplicant timeout timer (supp-timeout)

Server Timeout

Setting of the server-timeout timer (server-timeout)

The maximal retransmitting times

The maximum number of times that a switch can send authentication request packets to a supplicant system

Url

URL for HTTP redirection

Free-ip

Free IP range that users can access before passing authentication

Acl-timeout

ACL timeout period

Total maximum 802.1x user resource number

The maximum number of 802.1x users that a switch can accommodate

Total current used 802.1x resource number

The number of online supplicant systems

Ethernet1/0/1 is link-down

Ethernet 1/0/1 port is down.

802.1X protocol is disabled

802.1x is disabled on the port

Proxy trap checker is disabled

Whether or not to send Trap packets when detecting a supplicant system in logging in through a proxy.

l      Disable means the switch does not send Trap packets when it detects that a supplicant system logs in through a proxy.

l      Enable means the switch sends Trap packets when it detects that a supplicant system logs in through a proxy.

Proxy logoff checker is disabled

Whether or not to disconnect a supplicant system when detecting it in logging in through a proxy.

l      Disable means the switch does not disconnect a supplicant system when it detects that the latter logs in through a proxy.

l      Enable means the switch disconnects a supplicant system when it detects that the latter logs in through a proxy.

Version-Check is disabled

Whether or not the client version checking function is enabled:

l      Disable means the switch does not checks client version.

l      Enable means the switch checks client version.

The port is an authenticator

The port acts as an authenticator system.

Authentication Mode is Auto

The port access control mode is Auto.

Port Control Type is Mac-based

The access control method of the port is MAC-based. That is, supplicant systems are authenticated based on their MAC addresses.

ReAuthenticate is disabled 

802.1x re-authentication is disabled on the port.

Max number of on-line users

The maximum number of online users that the port can accommodate

Information omitted here

 

1.1.2  dot1x

Syntax

dot1x [ interface interface-list ]

undo dot1x [ interface interface-list ]

View

System view, Ethernet port view

Parameters

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x command to enable 802.1x globally or for specified Ethernet ports.

Use the undo dot1x command to disable 802.1x globally or for specified Ethernet ports.

By default, 802.1x is disabled globally and also on all ports.

In system view:

l           If you do not provide the interface-list argument, the dot1x command enables 802.1x globally.

l           If you specify the interface-list argument, the dot1x command enables 802.1x for the specified Ethernet ports.

In Ethernet port view, the interface-list argument is not available and the command enables 802.1x for only the current Ethernet port.

802.1x-related configurations take effect on a port only after 802.1x is enabled both globally and on the port.

 

&  Note:

l      The settings of 802.1x and MAC address learning limit are mutually exclusive. Enabling 802.1x on a port will prevent you from setting the limit on MAC address learning on the port and vice versa.

l      The settings of 802.1x and aggregation group member are mutually exclusive. Enabling 802.1x on a port will prevent you from adding the port to an aggregation group and vice versa.

 

Related commands: display dot1x.

Examples

# Enable 802.1x for Ethernet 1/0/1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x interface Ethernet 1/0/1

# Enable 802.1x globally.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x

1.1.3  dot1x authentication-method

Syntax

dot1x authentication-method { chap | pap | eap }

undo dot1x authentication-method

View

System view

Parameters

chap: Authenticates using challenge handshake authentication protocol (CHAP).

pap: Authenticates using password authentication protocol (PAP).

eap: Authenticates using extensible authentication protocol (EAP).

Description

Use the dot1x authentication-method command to set the 802.1x authentication method.

Use the undo dot1x authentication-method command to revert to the default 802.1x authentication method.

The default 802.1x authentication method is CHAP.

PAP applies a two-way handshaking procedure. In this method, passwords are transmitted in plain text.

CHAP applies a three-way handshaking procedure. In this method, user names are transmitted rather than passwords. Therefore this method is safer.

In EAP authentication, a switch authenticates supplicant systems by encapsulating 802.1x authentication information in EAP packets and sending the packets to the RADIUS server, instead of converting the packets into RADIUS packets before forwarding to the RADIUS server. You can use EAP authentication in one of the four sub-methods: PEAP, EAP-TLS, EAP-TTLS and EAP-MD5.

Related commands: display dot1x.

 

&  Note:

When the current device operates as the authentication server, EAP authentication is unavailable.

 

Examples

# Specify the authentication method to PAP.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x authentication-method pap

1.1.4  dot1x dhcp-launch

Syntax

dot1x dhcp-launch

undo dot1x dhcp-launch

View

System view

Parameters

None

Description

Use the dot1x dhcp-launch command to specify an 802.1x-enabled switch to launch the process to authenticate a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.

Use the undo dot1x dhcp-launch command to disable an 802.1x-enabled switch from authenticating a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.

By default, an 802.1x-enabled switch does not authenticate a supplicant system when the latter applies for a dynamic IP address through DHCP.

Related commands: display dot1x.

Examples

# Configure to authenticate a supplicant system when it applies for a dynamic IP address through DHCP.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x dhcp-launch

1.1.5  dot1x guest-vlan

Syntax

dot1x guest-vlan vlan-id [ interface interface-list ]

undo dot1x guest-vlan [ interface interface-list ]

View

System view, Ethernet port view

Parameters

vlan-id: VLAN ID of a guest VLAN, in the range 1 to 4094.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x guest-vlan command to enable the guest VLAN function for ports.

Use the undo dot1x guest-vlan command to disable the guest VLAN function for ports.

After 802.1x and guest VLAN are properly configured on a port:

l           If the switch receives no response from the port after sending EAP-Request/Identity packets to the port for the maximum number of times, the switch will add the port to the guest VLAN.

l           Users in a guest VLAN can access the guest VLAN resources without 802.1x authentication. However, they have to pass the 802.1x authentication to access the external resources.

In system view,

l           If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.

l           If you specify the interface-list argument, these two commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and these two commands apply to only the current Ethernet port.

 

  Caution:

l      The guest VLAN function is available only when the switch operates in the port-based authentication mode.

l      Only one guest VLAN can be configured on a switch.

l      The guest VLAN function is unavailable when the dot1x dhcp-launch command is executed on the switch, because the switch does not send authentication request packets in this case.

 

Examples

# Configure the switch to operate in the port-based authentication mode.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x port-method portbased

# Enable the guest VLAN function for all the ports.

[Sysname] dot1x guest-vlan 1

1.1.6  dot1x handshake

Syntax

dot1x handshake enable

undo dot1x handshake enable

View

System view

Parameters

None

Description

Use the dot1x handshake enable command to enable the online user handshaking function.

Use the undo dot1x handshake enable command to disable the online user handshaking function.

By default, the online user handshaking function is enabled.

 

  Caution:

l      To enable the proxy detecting function, you need to enable the online user handshaking function first.

l      With the support of H3C proprietary clients, handshaking packets can be used to test whether or not a user is online.

l      As clients that are not of H3C do not support the online user handshaking function, switches cannot receive handshaking acknowledgement packets from them in handshaking periods. To prevent users being falsely considered offline, you need to disable the online user handshaking function in this case.

 

Examples

# Enable the online user handshaking function.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x handshake enable

1.1.7  dot1x handshake secure

Syntax

dot1x handshake secure

undo dot1x handshake secure

View

Ethernet port view

Parameters

None

Description

Use the dot1x handshake secure command to enable the handshaking packet protection function, protecting the device against attacks from fake clients.

Use the undo dot1x handshake secure command to disable the handshaking packet protection function.

By default, the handshaking packet protection function is disabled.

 

  Caution:

The handshaking packet protection function requires the cooperation of the client and the authentication server. If either of the two ends does not support the function, you need to disable it on the other one.

 

Examples

# Enable the handshaking packet protection function.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] dot1x handshake secure

1.1.8  dot1x max-user

Syntax

dot1x max-user user-number [ interface interface-list ]

undo dot1x max-user [ interface interface-list ]

View

System view, Ethernet port view

Parameters

user-number: Maximum number of users a port can accommodate, in the range 1 to 256.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x max-user command to set the maximum number of users an Ethernet port can accommodate.

Use the undo dot1x max-user command to revert to the default maximum user number.

By default, a port can accommodate up to 256 users.

In system view:

l           If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.

l           If you specify the interface-list argument, these two commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current port.

Related commands: display dot1x.

Examples

# Configure the maximum number of users that Ethernet 1/01 port can accommodate to be 32.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x max-user 32 interface Ethernet 1/0/1

1.1.9  dot1x port-control

Syntax

dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ]

undo dot1x port-control [ interface interface-list ]

View

System view, Ethernet port view

Parameters

auto: Specifies to operate in auto access control mode. When a port operates in this mode, all the unauthenticated hosts connected to it are unauthorized. In this case, only EAPoL packets can be exchanged between the switch and the hosts. And the hosts connected to the port are authorized to access the network resources after the hosts pass the authentication. Normally, a port operates in this mode.

authorized-force: Specifies to operate in authorized-force access control mode. When a port operates in this mode, all the hosts connected to it can access the network resources without being authenticated.

unauthorized-force: Specifies to operate in unauthorized-force access control mode. When a port operates in this mode, the hosts connected to it cannot access the network resources.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x port-control command to specify the access control mode for specified Ethernet ports.

Use the undo dot1x port-control command to revert to the default access control mode.

The default access control mode is auto.

Use the dot1x port-control command to configure the access control mode for specified 802.1x-enabled ports.

In system view:

l           If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.

l           If you specify the interface-list argument, these commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.

Related commands: display dot1x.

Examples

# Specify Ethernet 1/0/1 to operate in unauthorized-force access control mode.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x port-control unauthorized-force interface Ethernet 1/0/1

1.1.10  dot1x port-method

Syntax

dot1x port-method { macbased | portbased } [ interface interface-list ]

undo dot1x port-method [ interface interface-list ]

View

System view, Ethernet port view

Parameters

macbased: Performs MAC-based authentication.

portbased: Performs port-based authentication.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x port-method command to specify the access control method for specified Ethernet ports.

Use the undo dot1x port-method command to revert to the default access control method.

By default, the access control method is macbased.

This command specifies the way in which the users are authenticated.

l           In MAC-based authentication mode, the users connected to the port are authenticated separately. Thus, log-off of a user will not affect other users.

l           In port-based authentication mode, all the users connected to the port can access the network without being authenticated if a user among them passes the authentication. When the user logs off, the network is inaccessible to all other supplicant systems too.

l           Changing the access control method on a port by the dot1x port-method command will forcibly log out the online 802.1x users on the port.

In system view:

l           If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.

l           If you specify the interface-list argument, these commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.

Related commands: display dot1x.

Examples

# Specify to authenticate users connected to Ethernet 1/0/1 by port numbers.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x port-method portbased interface Ethernet 1/0/1

1.1.11  dot1x quiet-period

Syntax

dot1x quiet-period

undo dot1x quiet-period

View

System view

Parameters

None

Description

Use the dot1x quiet-period command to enable the quiet-period timer.

Use the undo dot1x quiet-period command to disable the quiet-period timer.

When a user fails to pass the authentication, the authenticator system (such as a H3C series Ethernet switch) will stay quiet for a period (determined by the quiet-period timer) before it performs another authentication. During the quiet period, the authenticator system performs no 802.1x authentication of the user.

By default, the quiet-period timer is disabled.

Related commands: display dot1x, dot1x timer.

Examples

# Enable the quiet-period timer.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x quiet-period

1.1.12  dot1x retry

Syntax

dot1x retry max-retry-value

undo dot1x retry

View

System view

Parameters

max-retry-value: Maximum number of times that a switch sends authentication request packets to a user. This argument ranges from 1 to 10.

Description

Use the dot1x retry command to specify the maximum number of times that a switch sends authentication request packets to a user.

Use the undo dot1x retry command to revert to the default value.

By default, a switch sends authentication request packets to a user for up to 2 times.

After a switch sends an authentication request packet to a user, it sends another authentication request packet if it does not receive response from the user after a specific period of time. If the switch still receives no response when the configured maximum number of authentication request transmission attempts is reached, it stops sending requests to the user. This command applies to all ports.

Related commands: display dot1x.

Examples

# Specify the maximum number of times that the switch sends authentication request packets to be 9.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x retry 9

1.1.13  dot1x retry-version-max

Syntax

dot1x retry-version-max max-retry-version-value

undo dot1x retry-version-max

View

System view

Parameters

max-retry-version-value: Maximum number of times that a switch sends version request packets to a user. This argument ranges from 1 to 10.

Description

Use the dot1x retry-version-max command to set the maximum number of times that a switch sends version request packets to a user.

Use the undo dot1x retry-version-max command to revert to the default value.

By default, a switch sends version request packets to a user for up to 3 times.

After a switch sends a version request packet to a user, it sends another version request packet if it does receive response from the user after a specific period of time (as determined by the client version request timer). When the number set by this command has reached and there is still no response from the user, the switch continues the following authentication procedures without sending version requests. This command applies to all the ports with the version checking function enabled.

Related commands: display dot1x, dot1x timer.

Examples

# Configure the maximum number of times that the switch sends version request packets to 6.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x retry-version-max 6

1.1.14  dot1x re-authenticate

Syntax

dot1x re-authenticate [ interface interface-list ]

undo dot1x re-authenticate [ interface interface-list ]

View

System view, Ethernet port view

Parameters

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x re-authenticate command to enable 802.1x re-authentication on specific ports or on all ports of the switch.

Use the undo dot1x re-authenticate command to disable 802.1x re-authentication on specific ports or on all ports of the switch.

By default, 802.1x re-authentication is disabled on all ports.

In system view:

l           If you do not specify the interface-list argument, this command will enable 802.1x re-authentication on all ports.

l           If you specify the interface-list argument, the command will enable 802.1x on the specified ports.

In Ethernet port view, the interface-list argument is not available and 8021.x re-authentication is enabled on the current port only.

 

&  Note:

802.1x must be enabled globally and on the current port before 802.1x re-authentication can be configured on a port.

 

Examples

# Enable 802.1x re-authentication on port Ethernet 1/0/1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x

 802.1X is enabled globally.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] dot1x

 802.1X is enabled on port Ethernet1/0/1 already.

[Sysname-Ethernet1/0/1] dot1x re-authenticate

 Re-authentication is enabled on port Ethernet1/0/1

1.1.15  dot1x supp-proxy-check

Syntax

dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

View

System view, Ethernet port view

Parameters

logoff: Disconnects a user upon detecting it logging in through a proxy or through multiple network adapters.

trap: Sends Trap packets upon detecting a user logging in through a proxy or through multiple network adapters.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x supp-proxy-check command to enable 802.1x proxy checking for specified ports.

Use the undo dot1x supp-proxy-check command to disable 802.1x proxy checking for specified ports.

By default, 802.1x proxy checking is disabled on all Ethernet ports.

In system view:

l           If you do not specify the interface-list argument, the configurations performed by these two commands are global.

l           If you specify the interface-list argument, these two commands apply to the specified Ethernet ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.

The proxy checking function takes effect on a port only when the function is enabled both globally and on the port.

802.1x proxy checking checks for:

l           Users logging in through proxies

l           Users logging in through IE proxies

l           Whether or not a user logs in through multiple network adapters (that is, when the user attempts to log in, it contains more than one active network adapters.)

A switch can optionally take the following actions in response to any of the above three cases:

l           Only disconnects the user but sends no Trap packets, which can be achieved by using the dot1x supp-proxy-check logoff command.

l           Sends Trap packets without disconnecting the user, which can be achieved by using the dot1x supp-proxy-check trap command.

This function needs the cooperation of 802.1x clients and the CAMS server:

l           Multiple network adapter checking, proxy checking, and IE proxy checking are enabled on the 802.1x client.

l           The CAMS server is configured to disable the use of multiple network adapters, proxies, and IE proxy.

By default, proxy checking is disabled on 802.1x client. In this case, if you configure the CAMS server to disable the use of multiple network adapters, proxies, and IE proxy, it sends messages to the 802.1x client to ask the latter to disable the use of multiple network adapters, proxies, and IE proxy after the user passes the authentication.

 

&  Note:

l      The 802.1x proxy checking function needs the cooperation of H3C's 802.1x client program.

l      The proxy checking function takes effect only after the client version checking function is enabled on the switch (using the dot1x version-check command).

 

Related commands: display dot1x.

Examples

# Configure to disconnect the users connected to Ethernet 1/0/1 through Ethernet 1/0/8 ports if they are detected logging in through proxies.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x supp-proxy-check logoff

[Sysname] dot1x supp-proxy-check logoff interface Ethernet 1/0/1 to Ethernet 1/0/8

# Configure the switch to send Trap packets if the users connected to Ethernet 1/0/9 port is detected logging in through proxies.

[Sysname] dot1x supp-proxy-check trap

[Sysname] dot1x supp-proxy-check trap interface Ethernet 1/0/9

1.1.16  dot1x timer

Syntax

dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ver-period ver-period-value }

undo dot1x timer { handshake-period | quiet-period | server-timeout | supp-timeout | tx-period | ver-period }

View

System view

Parameters

handshake-period handshake-period-value: Sets the handshake timer. This timer sets the handshake-period and is triggered after a supplicant system passes the authentication. It sets the interval for a switch to send handshake request packets to online users. If you set the number of retries to N by using the dot1x retry command, an online user is considered offline when the switch does not receive response packets from it in a period N times of the handshake-period.

The handshake-period-value argument ranges from 5 to 1,024 (in seconds). By default, the handshake timer is set to 15 seconds.

quiet-period quiet-period-value: Sets the quiet-period timer. This timer sets the quiet-period. When a supplicant system fails to pass the authentication, the switch quiets for the set period (set by the quiet-period timer) before it processes another authentication request re-initiated by the supplicant system. During this quiet period, the switch does not perform any 802.1x authentication-related actions for the supplicant system.

The quiet-period-value argument ranges from 10 to 120 (in seconds). By default, the quiet-period timer is set to 60 seconds.

server-timeout server-timeout-value: Sets the RADIUS server timer. This timer sets the server-timeout period. After sending an authentication request packet to the RADIUS server, a switch sends another authentication request packet if it does not receive the response from the RADIUS server when this timer times out.

The server-timeout-value argument ranges from 100 to 300 (in seconds). By default, the RADIUS server timer is set to 100 seconds.

supp-timeout supp-timeout-value: Sets the supplicant system timer. This timer sets the supp-timeout period and is triggered by the switch after the switch sends a request/challenge packet to a supplicant system (The packet is used to request the supplicant system for the MD5 encrypted string.) The switch sends another request/challenge packet to the supplicant system if the switch does not receive the response from the supplicant system when this timer times out..

The supp-timeout-value argument ranges from 10 to 120 (in seconds). By default, the supplicant system timer is set to 30 seconds.

tx-period tx-period-value: Sets the transmission timer. This timer sets the tx-period and is triggered in two cases. The first case is when the client requests for authentication. The switch sends a unicast request/identity packet to a supplicant system and then triggers the transmission timer. The switch sends another request/identity packet to the supplicant system if it does not receive the reply packet from the supplicant system when this timer times out. The second case is when the switch authenticates the 802.1x client who cannot request for authentication actively. The switch sends multicast request/identity packets periodically through the port enabled with 802.1x function. In this case, this timer sets the interval to send the multicast request/identity packets.

The tx-period-value argument ranges from 1 to 120 (in seconds). By default, the transmission timer is set to 30 seconds.

ver-period ver-period-value: Sets the client version request timer. This timer sets the version period and is triggered after a switch sends a version request packet. The switch sends another version request packet if it does receive version response packets from the supplicant system when the timer expires.

The ver-period-value argument ranges from 1 to 30 (in seconds). By default, the client version request timer is set to 30 seconds.

Description

Use the dot1x timer command to set a specified 802.1x timer.

Use the undo dot1x timer command to restore a specified 802.1x timer to the default setting.

During an 802.1x authentication process, multiple timers are triggered to ensure that the supplicant systems, the authenticator systems, and the Authentication servers interact with each other in an orderly way. To make authentications being processed in the desired way, you can use the dot1x timer command to set the timers as needed. This may be necessary in some special situations or in tough network environments. Normally, the defaults are recommended. (Note that some timers cannot be adjusted.)

Related commands: display dot1x.

Examples

# Set the RADIUS server timer to 150 seconds.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x timer server-timeout 150

1.1.17  dot1x timer reauth-period

Syntax

dot1x timer reauth-period reauth-period-value

undo dot1x timer reauth-period

View

System view

Parameters

reauth-period reauth-period-value: Specifies re-authentication interval, in seconds. After this timer expires, the switch initiates 802.1x re-authentication. The value of the reauth-period-value argument ranges from 60 to 7,200.

Description

Use the dot1x timer reauth-period command to configure the interval for 802.1x re-authentication.

Use the undo dot1x timer reauth-period command to restore the default 802.1x re-authentication interval.

By default, the 802.1x re-authentication interval is 3,600 seconds.

Examples

# Set the 802.1x re-authentication interval to 150 seconds.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x timer reauth-period 150

1.1.18  dot1x version-check

Syntax

dot1x version-check [ interface interface-list ]

undo dot1x version-check [ interface interface-list ]

View

System view, Ethernet port view

Parameters

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x version-check command to enable 802.1x client version checking for specified Ethernet ports.

Use the undo dot1x version-check command to disable 802.1x client version checking for specified Ethernet ports.

By default, 802.1x client version checking is disabled on all the Ethernet ports.

 In system view:

l           If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.

l           If you specify the interface-list argument, these commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.

Examples

# Configure Ethernet 1/0/1 to check the version of the 802.1x client upon receiving authentication packets.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] dot1x version-check

1.1.19  reset dot1x statistics

Syntax

reset dot1x statistics [ interface interface-list ]

View

User view

Parameters

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the reset dot1x statistics command to clear 802.1x-related statistics.

To retrieve the latest 802.1x-related statistics, you can use this command to clear the existing 802.1x-related statistics first.

When you execute this command,

If the interface-list argument is not specified, this command clears the global 802.1x statistics and the 802.1x statistics on all the ports.

If the interface-list argument is specified, this command clears the 802.1x statistics on the specified ports.

Related commands: display dot1x.

Examples

# Clear 802.1x statistics on Ethernet 1/0/1.

<Sysname> reset dot1x statistics interface Ethernet 1/0/1

 


Chapter 2  Quick EAD Deployment Configuration Commands

2.1  Quick EAD Deployment Configuration Commands

2.1.1  dot1x free-ip

Syntax

dot1x free-ip ip-address { mask-address | mask-length }

undo dot1x free-ip [ ip-address { mask-address | mask-length } ]

View

System view

Parameters

ip-address: Free IP address, in dotted decimal notation.

mask-address: Subnet mask of the free IP address, in dotted decimal notation.

mask-length: Length of the subnet mask of the free IP address, in the range 0 to 32.

Description

Use the dot1x free-ip command to configure a free IP range. A free IP range is an IP range that users can access before passing 802.1x authentication.

Use the undo dot1x free-ip command to remove a specified free IP range or all free IP ranges.

By default, no free IP range is configured.

 

&  Note:

l      You must configure the URL for HTTP redirection before configuring a free IP range.

l      The device supports up to two free IP ranges.

 

Examples

# Configure a free IP range for users to access before passing authentication.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x free-ip 192.168.19.23 24

2.1.2  dot1x timer acl-timeout

Syntax

dot1x timer acl-timeout acl-timeout-value

undo dot1x timer acl-timeout

View

System view

Parameters

acl-timeout-value: ACL timeout period (in minutes), in the range of 1 to 1440.

Description

Use the dot1x timer acl-timeout command to configure the ACL timeout period.

Use the undo dot1x timer acl-timeout command to restore the default.

By default, the ACL timeout period is 30 minutes.

Related commands: dot1x configuration commands.

Examples

# Set the ACL timeout period to 40 minutes.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x timer acl-timeout 40

2.1.3  dot1x url

Syntax

dot1x url url-string

undo dot1x url

View

System view

Parameters

url-string: URL for HTTP redirection, in the format of http://x.x.x.x.

Description

Use the dot1x url command to configure the URL for HTTP redirection.

Use the undo dot1x url command to remove the configuration.

By default, no URL is configured for HTTP redirection.

Related commands: dot1x configuration commands.

Examples

# Configure the URL for HTTP redirection.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x url http://192.168.19.23

 


Chapter 3  HABP Configuration Commands

3.1  HABP Configuration Commands

3.1.1  display habp

Syntax

display habp

View

Any view

Parameters

None

Description

Use the display habp command to display HABP configuration and status.

Examples

# Display HABP configuration and status.

<Sysname> display habp

Global HABP information:

        HABP Mode: Server

        Sending HABP request packets every 20 seconds

        Bypass VLAN: 2

Table 3-1 Description on the fields of the display habp command

Field

Description

HABP Mode

Indicates the HABP mode of the switch. A switch can operate as an HABP server (displayed as Server) or an HABP client (displayed as Client).

Sending HABP request packets every 20 seconds

The HABP request packet transmission interval is 20 seconds.

Bypass VLAN

Indicates the IDs of the VLANs to which HABP request packets are sent.

 

3.1.2  display habp table

Syntax

display habp table

View

Any view

Parameters

None

Description

Use the display habp table command to display the MAC address table maintained by HABP.

Examples

# Display the MAC address table maintained by HABP.

<Sysname> display habp table

MAC             Holdtime  Receive Port

001f-3c00-0030  53        Ethernet1/0/1

Table 3-2 Description on the fields of the display habp table command

Field

Description

MAC

MAC addresses contained in the HABP MAC address table.

Holdtime

Hold time of the entries in the HABP MAC address table. An entry is removed from the table if it is not updated in a period determined by the hold time.

Receive Port

The port from which a MAC address is learned

 

3.1.3  display habp traffic

Syntax

display habp traffic

View

Any view

Parameters

None

Description

Use the display habp traffic command to display the statistics on HABP packets.

Examples

# Display the statistics on HABP packets.

<Sysname> display habp traffic

HABP counters :

        Packets output: 0, Input: 0

        ID error: 0, Type error: 0, Version error: 0

        Sent failed: 0

Table 3-3 Description on the fields of the display habp traffic command

Field

Description

Packets output

Number of the HABP packets sent

Input

Number of the HABP packets received

ID error

Number of the HABP packets with ID errors

Type error

Number of the HABP packets with type errors

Version error

Number of the HABP packets with version errors

Sent failed

Number of the HABP packets that failed to be sent

 

3.1.4  habp enable

Syntax

habp enable

undo habp enable

View

System view

Parameters

None

Description

Use the habp enable command to enable HABP for a switch.

Use the undo habp enable command to disable HABP for a switch.

By default, HABP is enabled on a switch.

If an 802.1x-enabled switch does not have HABP enabled, it cannot manage the switches attached to it. So, you need to enable HABP on specific switches in a network with 802.1x enabled.

Examples

# Enable HABP.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] habp enable

3.1.5  habp server vlan

Syntax

habp server vlan vlan-id

undo habp server

View

System view

Parameters

vlan-id: VLAN ID, ranging from 1 to 4094.

Description

Use the habp server vlan command to configure a switch to operate as an HABP server. This command also specifies the VLAN where HABP packets are broadcast.

Use the undo habp server vlan command to revert to the default HABP mode.

By default, a switch operates as an HABP client.

To specify a switch to operate as an HABP server, you need to enable HABP (using the habp enable command) for the switch first. When HABP is not enabled, the habp server vlan command cannot take effect.

Examples

# Specify the switch to operate as an HABP server and the HABP packets to be broadcast in VLAN 2. (Assume that HABP is enabled.)

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] habp server vlan 2

3.1.6  habp timer

Syntax

habp timer interval

undo habp timer

View

System view

Parameters

interval: Interval (in seconds) to send HABP request packets. This argument ranges from 5 to 600.

Description

Use the habp timer command to set the interval for a switch to send HABP request packets.

Use the undo habp timer command to revert to the default interval.

The default interval for a switch to send HABP request packets is 20 seconds.

Use these two commands on switches operating as HABP servers only.

Examples

# Configure the switch to send HABP request packets once in every 50 seconds <Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] habp timer 50

 


Chapter 4  System Guard Configuration Commands

4.1  System Guard Configuration Commands

4.1.1  display system-guard ip state

Syntax

display system-guard ip state

View

Any view

Parameters

None

Description

Use the display system-guard ip state command to view the monitoring result and parameter settings of System Guard against IP attacks.

Examples

# View the monitoring result and parameter settings of System Guard against IP attacks.

<Sysname> display system-guard ip state

System-guard IP is running!

IP-record threshold: 30

Deny threshold: 1

Isolated times of aging time: 3

Number of suspicious hosts that can be detected: 30

Number of suspicious hosts detected: 0

Disable destination IP address learning from all ip address in the list

Table 4-1 Description on the fields of the display system-guard ip state command

Field

Description

System-guard IP is running

System Guard against IP attacks is running

IP-record threshold

Threshold of the number of IP addresses that can be learnt within 10 seconds

Deny threshold

The maximum number of times an address can be learnt for it to be blocked

Isolated times of aging time

Isolation time (the number of multiples of MAC address aging time)

Number of suspicious hosts that can be detected

The maximum number of hosts to be monitored

Number of suspicious hosts detected

The number of infected hosts detected

Disable destination IP address learning from all ip address in the list

Destination address learning is disabled for the source IP addresses list below.

 

4.1.2  display system-guard ip-record

Syntax

display system-guard ip-record

View

Any view

Parameters

None

Description

Use the display system-guard ip-record command to view the information about IP packets received by the CPU in the current monitoring cycle.

Examples

# View the information about IP packets received by the CPU in the current monitoring cycle.

<Sysname> display system-guard ip-record

'M':  Master port of link aggregation

Index     Source IP     Destination IP   Port

--------------------------------------------------

   1   000.000.000.000  000.000.000.000  0/0/0

   2   000.000.000.000  000.000.000.000  0/0/0

   3   000.000.000.000  000.000.000.000  0/0/0

   4   000.000.000.000  000.000.000.000  0/0/0

 

   5   000.000.000.000  000.000.000.000  0/0/0

……

Table 4-2 Description on the fields of the display system-guard ip-record command

Field

Description

Index

Index

Source IP

Source IP address

Destination IP

Destination IP address

Port

Incoming port

 

4.1.3  display system-guard l3err state

Syntax

display system-guard l3err state

View

Any view

Parameters

None

Description

Use the display system-guard l3err state command to view the status of Layer 3 error control.

Examples

# View the status of Layer 3 error control.

<Sysname> display system-guard l3err state

System-guard l3err status:  enabled  

4.1.4  display system-guard tcn state

Syntax

display system-guard tcn state

View

Any view

Parameters

None

Description

Use the display system-guard tcn state command to view the status of TCN.

Examples

# View the status of TCN System Guard.

<Sysname> display system-guard tcn state

System-guard TCN state:  enabled  

4.1.5  system-guard ip detect-maxnum

Syntax

system-guard ip detect-maxnum number

undo system-guard ip detect-maxnum

View

System view

Parameters

number: Maximum number of hosts that can be monitored, in the range of 1 to 100.

Description

Use the system-guard ip detect-maxnum command to set the maximum number of infected hosts that can be monitored currently.

Use the undo system-guard ip detect-maxnum command to restore the maximum number of infected hosts that can be monitored to the default setting.

By default, System Guard can monitor a maximum of 30 infected hosts.

Examples

# Set the maximum number of infected hosts that can be concurrently monitored to 50.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] system-guard ip detect-maxnum 50

4.1.6  system-guard ip detect-threshold

Syntax

system-guard ip detect-threshold ip-record-threshold record-times-threshold isolate-time

undo system-guard ip detect-threshold

View

System view

Parameters

ip-record-threshold: Maximum number of IP addresses that can be learnt within a 10-second cycle, in the range of 1 to 100.

record-times-threshold: Maximum number of times an IP address must be hit before an action can be taken, in the range of 1 to 10.

isolate-time: Isolation time, in the range of 3 to 100. After System Guard takes an action on an suspected IP address, the system will wait isolate-time before it learns destination address(es) again for that source IP address.

Description

Use the system-guard ip detect-threshold command to set the maximum number of addresses that the system can learn, the maximum number of times an address can be hit and the address isolation time.

Use the undo system-guard ip detect-threshold command to set the maximum number of addresses that the system can learn, the maximum number of times an address can be hit and the address isolation time to the default settings.

By default, ip-record-threshold, record-times-threshold and isolate-time are set to 30, 1 and 3 respectively.

 

&  Note:

The correlations among the arguments of the system-guard ip detect-threshold command can be clearly described with this example: If you set ip-record-threshold, record-times-threshold and isolate-time to 30, 1 and 3 respectively, when the system detects successively three times that over 50 IP packets (destined for an address other that an IP address of the switch) from a source IP address are received within a period of 10 seconds, the system considers to be attacked — the system sorts out that source IP address and waits a period of 5 times the MAC address aging time before learning the destination IP address(es) of packets from that source IP address again.

 

Examples

# Set the maximum number of addresses that the system can learn to 50, set the maximum number of times an address can be hit to 3, and set the address isolation time to 5 times the MAC address aging time.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] system-guard ip detect-threshold 50 3 5

4.1.7  system-guard ip enable

Syntax

system-guard ip enable

undo system-guard ip enable

View

System view

Parameters

None

Description

Use the system-guard ip enable command to enable System Guard against IP attacks.

Use the undo system-guard ip enable command to disable System Guard against IP attacks.

By default, System Guard against IP attacks is disabled.

The System Guard feature monitors the IP packets delivered to the CPU within 10 seconds, finds out the source IP addresses of the IP packets with attack characteristics within the 10 seconds and counts these packets. Once the packets from such a source IP address hit the preset threshold, System Guard will take the corresponding control measure, as follows:

l           When a source IP address characterized by an attack is detected, the switch logs out the host corresponding to this sauce IP address (hereafter referred to infected host) by automatically applying an ACL and waits a certain period of time before resuming forwarding packets from that host.

l           When a source IP address characterized by an attack is detected and if the packets from the infected host need processing by the CPU, the switch decreases the precedence of such packets and discards the packets already delivered to the CPU.

Examples

# Enable System Guard against IP attacks.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] system-guard ip enable

4.1.8  system-guard l3err enable

Syntax

system-guard l3err enable

undo system-guard l3err enable

View

System view

Parameters

None

Description

Use the system-guard l3err enable command to enable Layer 3 error control.

Use the undo system-guard l3err enable command to disable Layer 3 error control.

By default, this feature is enabled.

The Layer 3 error control feature determines how the switch disposes of Layer packets which the switch considers to be error packets:

With the Layer 3 error control feature disabled, the switch delivers all Layer 3 packets which the switch considers to be error packets (including IP packets with the options field) to the CPU for further processing;

With the Layer 3 error control feature enabled, the switch directly discards all Layer 3 packets which the switch considers to be error packets without delivering them to the CPU.

 

&  Note:

In normal situations, we recommend that you enable this feature. Because the switch cannot forward error packets and IP packets with the Options field set, delivering all these packets to the CPU will affect the normal work of the CPU.

 

Examples

# Enable Layer 3 error control.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] system-guard l3err enable

4.1.9  system-guard tcn enable

Syntax

system-guard tcn enable

undo system-guard tcn enable

View

System view

Parameters

None

Description

Use the system-guard tcn enable command to enable System Guard against TCN attacks.

Use the undo system-guard tcn enable command to disable System Guard against TCN attacks.

With this feature enabled, System Guard monitors the TCN/TC packet receiving rate on the ports. If the rate exceeds the preset threshold, the system will output trap and log information to notify the user and starts to send only on TCN/TC packet to the CPU in a 10-second cycle. This can prevent MAC and ARP entries from being frequently deleted by STP or RSTP; in addition, when the TCN/TC packet rate exceeds the preset threshold, proper measures can be taken based on the output trap and log information.

By default, this feature is disabled.

Examples

# Enable System Guard against TCN attacks.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] system-guard tcn enable

4.1.10  system-guard tcn rate-threshold

Syntax

system-guard tcn rate-threshold rate-threshold

undo system-guard tcn rate-threshold

View

System view

Parameters

rate-threshold: TCN/TC packet receiving rate in packets per second (pps), with an effective range of 1 to 20.

Description

Use the system-guard tcn rate-threshold command to set the threshold of TCN/TC packet receiving rate, which will trigger the output of trap and log information.

Use the undo system-guard tcn rate-threshold command to restore the default threshold of TCN/TC packet receiving rate.

By default, the default threshold of TCN/TC packet receiving rate is 1 pps.

As the system monitoring cycle is 10 seconds, the system sends trap or log information, by default, if more than 10 TCN/TC packets are received within 10 seconds.

 

&  Note:

If the TCN/TC packet receiving rate is lower than the set threshold within a 10-second monitoring cycle, the system will not send trap or log information in the next 10-second monitoring cycle.

 

Examples

# Sets the threshold of TCN/TC receiving rate to 20 pps.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] system-guard tcn rate-threshold 20

 

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become a Partner
  • Partner Resources
  • Partner Business Management
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网