06 Layer 3 - IP Services

HomeSupportReference GuidesCommand ReferencesH3C Access Controllers Command References(R5228P01)-6W10206 Layer 3 - IP Services
Table of Contents
Related Documents
01-Text
Title Size Download
01-Text 1.47 MB

Contents

ARP commands· 1

arp check enable· 1

arp check log enable· 1

arp max-learning-num·· 2

arp max-learning-number 3

arp static· 5

arp timer aging· 6

display arp· 6

display arp ip-address· 8

display arp timer aging· 9

reset arp· 9

Gratuitous ARP commands· 11

arp ip-conflict log prompt 11

arp send-gratuitous-arp· 11

gratuitous-arp-learning enable· 12

gratuitous-arp-sending enable· 13

Proxy ARP commands· 14

display local-proxy-arp· 14

display proxy-arp· 14

local-proxy-arp enable· 15

proxy-arp enable· 16

ARP fast-reply commands· 17

arp fast-reply enable· 17

IP addressing commands· 18

display ip interface· 18

display ip interface brief 20

ip address· 22

DHCP commands· 23

Common DHCP commands· 23

dhcp client-detect 23

dhcp dscp· 23

dhcp enable· 24

dhcp log enable· 24

dhcp select 25

DHCP server commands· 26

address range· 26

bims-server 27

bootfile-name· 28

class ip-pool 28

class option-group· 29

class range· 30

default ip-pool 31

dhcp apply-policy· 32

dhcp class· 32

dhcp option-group· 33

dhcp policy· 34

dhcp server always-broadcast 35

dhcp server apply ip-pool 35

dhcp server bootp ignore· 36

dhcp server bootp reply-rfc-1048· 37

dhcp server database filename· 37

dhcp server database update interval 39

dhcp server database update now· 39

dhcp server database update stop· 40

dhcp server forbidden-ip· 40

dhcp server ip-pool 41

dhcp server ping packets· 42

dhcp server ping timeout 43

dhcp server relay information enable· 43

dhcp server reply-exclude-option60· 44

display dhcp server conflict 45

display dhcp server database· 45

display dhcp server expired· 46

display dhcp server free-ip· 47

display dhcp server ip-in-use· 48

display dhcp server pool 49

display dhcp server statistics· 51

dns-list 53

domain-name· 54

expired· 54

forbidden-ip· 55

gateway-list 56

if-match· 57

ip-in-use threshold· 59

nbns-list 60

netbios-type· 61

network· 61

next-server 63

option· 63

reset dhcp server conflict 64

reset dhcp server expired· 65

reset dhcp server ip-in-use· 65

reset dhcp server statistics· 66

static-bind· 66

tftp-server domain-name· 67

tftp-server ip-address· 68

valid class· 69

verify class· 69

voice-config· 70

DHCP relay agent commands· 71

dhcp relay check mac-address· 71

dhcp relay check mac-address aging time· 72

dhcp relay client-information record· 72

dhcp relay client-information refresh· 73

dhcp relay client-information refresh enable· 74

dhcp relay gateway· 74

dhcp relay information circuit-id· 75

dhcp relay information enable· 77

dhcp relay information remote-id· 78

dhcp relay information strategy· 79

dhcp relay release ip· 80

dhcp relay server-address· 80

dhcp smart-relay enable· 81

display dhcp relay check mac-address· 82

display dhcp relay client-information· 82

display dhcp relay information· 83

display dhcp relay server-address· 85

display dhcp relay statistics· 85

gateway-list 86

remote-server 87

reset dhcp relay client-information· 88

reset dhcp relay statistics· 88

DHCP client commands· 89

dhcp client dad enable· 89

dhcp client dscp· 89

dhcp client identifier 90

display dhcp client 91

ip address dhcp-alloc· 93

DHCP snooping commands· 94

dhcp snooping binding database filename· 94

dhcp snooping binding database update interval 96

dhcp snooping binding database update now· 96

dhcp snooping binding record· 97

dhcp snooping check mac-address· 97

dhcp snooping check request-message· 98

dhcp snooping deny· 99

dhcp snooping enable· 99

dhcp snooping information circuit-id· 100

dhcp snooping information enable· 101

dhcp snooping information remote-id· 102

dhcp snooping information strategy· 103

dhcp snooping log enable· 104

dhcp snooping max-learning-num·· 105

dhcp snooping rate-limit 105

dhcp snooping trust 106

display dhcp snooping binding· 107

display dhcp snooping binding database· 107

display dhcp snooping information· 108

display dhcp snooping packet statistics· 109

display dhcp snooping trust 110

reset dhcp snooping binding· 110

reset dhcp snooping packet statistics· 111

BOOTP client commands· 111

display bootp client 111

ip address bootp-alloc· 112

DNS commands· 114

display dns domain· 114

display dns host 114

display dns server 116

display ipv6 dns server 116

dns domain· 117

dns dscp· 118

dns proxy enable· 119

dns server 119

dns source-interface· 120

dns spoofing· 120

dns trust-interface· 121

ip host 122

ipv6 dns dscp· 123

ipv6 dns server 123

ipv6 dns spoofing· 124

ipv6 host 125

reset dns host 125

DDNS commands· 127

ddns apply policy· 127

ddns dscp· 128

ddns policy· 128

display ddns policy· 129

interval 130

method· 131

password· 132

ssl-client-policy· 133

url 134

username· 136

NAT commands· 137

address· 137

block-size· 137

display nat alg· 138

display nat all 139

display nat address-group· 144

display nat dns-map· 146

display nat eim·· 147

display nat inbound· 148

display nat log· 149

display nat no-pat 150

display nat outbound· 152

display nat outbound port-block-group· 153

display nat port-block· 154

display nat port-block-group· 155

display nat port-block-usage· 157

display nat server 157

display nat server-group· 159

display nat session· 160

display nat static· 162

display nat statistics· 164

global-ip-pool 165

inside ip· 166

local-ip-address· 166

nat address-group· 167

nat alg· 168

nat dns-map· 169

nat hairpin enable· 170

nat icmp-error reply· 171

nat inbound· 171

nat inbound rule move· 173

nat log alarm·· 174

nat log enable· 175

nat log flow-active· 176

nat log flow-begin· 176

nat log flow-end· 177

nat log port-block-assign· 178

nat log port-block-withdraw· 178

nat mapping-behavior 179

nat outbound· 180

nat outbound port-block-group· 183

nat outbound rule move· 183

nat port-block global-share enable· 184

nat port-block-group· 185

nat log port-block usage threshold· 186

nat server 186

nat server-group· 190

nat server rule move· 191

nat static enable· 192

nat static inbound· 193

nat static inbound net-to-net 194

nat static inbound rule move· 196

nat static outbound· 196

nat static outbound net-to-net 198

nat static outbound rule move· 200

port-block· 201

port-range· 202

reset nat session· 202

Load sharing commands· 204

ip load-sharing mode· 204

IP performance optimization commands· 206

display icmp statistics· 206

display ip statistics· 206

display rawip· 208

display rawip verbose· 209

display tcp· 211

display tcp statistics· 212

display tcp verbose· 214

display tcp-proxy· 217

display tcp-proxy port-info· 219

display udp· 220

display udp statistics· 221

display udp verbose· 221

ip forward-broadcast 224

ip icmp error-interval 225

ip icmp source· 226

ip mtu· 226

ip reassemble local enable· 227

ip redirects enable· 228

ip ttl-expires enable· 228

ip unreachables enable· 229

reset ip statistics· 230

reset tcp statistics· 230

reset udp statistics· 231

tcp mss· 231

tcp path-mtu-discovery· 232

tcp syn-cookie enable· 233

tcp timer fin-timeout 233

tcp timer syn-timeout 234

tcp window· 235

IPv6 basics commands· 236

display ipv6 fib· 236

display ipv6 icmp statistics· 237

display ipv6 interface· 238

display ipv6 interface prefix· 242

display ipv6 neighbors· 243

display ipv6 neighbors count 245

display ipv6 pathmtu· 245

display ipv6 prefix· 246

display ipv6 rawip· 248

display ipv6 rawip verbose· 248

display ipv6 statistics· 252

display ipv6 tcp· 253

display ipv6 tcp-proxy· 254

display ipv6 tcp-proxy port-info· 255

display ipv6 tcp verbose· 256

display ipv6 udp· 260

display ipv6 udp verbose· 261

ipv6 address· 264

ipv6 address anycast 265

ipv6 address auto· 265

ipv6 address auto link-local 266

ipv6 address eui-64· 267

ipv6 address prefix-number 268

ipv6 address link-local 269

ipv6 option drop enable· 270

ipv6 hop-limit 270

ipv6 hoplimit-expires enable· 271

ipv6 icmpv6 error-interval 271

ipv6 icmpv6 multicast-echo-reply enable· 272

ipv6 icmpv6 source· 273

ipv6 mtu· 273

ipv6 nd autoconfig managed-address-flag· 274

ipv6 nd autoconfig other-flag· 275

ipv6 nd dad attempts· 275

ipv6 nd mode uni 276

ipv6 nd ns retrans-timer 277

ipv6 nd nud reachable-time· 278

ipv6 nd ra halt 278

ipv6 nd ra hop-limit unspecified· 279

ipv6 nd ra interval 279

ipv6 nd ra no-advlinkmtu· 280

ipv6 nd ra prefix· 281

ipv6 nd ra router-lifetime· 282

ipv6 nd router-preference· 282

ipv6 neighbor 283

ipv6 neighbor link-local minimize· 284

ipv6 neighbor stale-aging· 285

ipv6 neighbors max-learning-num·· 285

ipv6 pathmtu· 287

ipv6 pathmtu age· 287

ipv6 prefer temporary-address· 288

ipv6 prefix· 289

ipv6 reassemble local enable· 289

ipv6 redirects enable· 290

ipv6 temporary-address· 290

ipv6 unreachables enable· 292

local-proxy-nd enable· 292

proxy-nd enable· 293

reset ipv6 neighbors· 293

reset ipv6 pathmtu· 294

reset ipv6 statistics· 295

DHCPv6 commands· 296

Common DHCPv6 commands· 296

display ipv6 dhcp duid· 296

ipv6 dhcp dscp· 296

ipv6 dhcp log enable· 297

ipv6 dhcp select 297

DHCPv6 server commands· 298

address range· 298

class pool 299

default pool 300

display ipv6 dhcp option-group· 301

display ipv6 dhcp pool 303

display ipv6 dhcp prefix-pool 305

display ipv6 dhcp server 306

display ipv6 dhcp server conflict 307

display ipv6 dhcp server database· 308

display ipv6 dhcp server expired· 309

display ipv6 dhcp server ip-in-use· 310

display ipv6 dhcp server pd-in-use· 312

display ipv6 dhcp server statistics· 314

dns-server 315

domain-name· 316

if-match· 317

ipv6 dhcp apply-policy· 319

ipv6 dhcp class· 319

ipv6 dhcp option-group· 320

ipv6 dhcp policy· 321

ipv6 dhcp pool 321

ipv6 dhcp prefix-pool 322

ipv6 dhcp server 323

ipv6 dhcp server apply pool 324

ipv6 dhcp server database filename· 325

ipv6 dhcp server database update interval 327

ipv6 dhcp server database update now· 327

ipv6 dhcp server database update stop· 328

ipv6 dhcp server forbidden-address· 329

ipv6 dhcp server forbidden-prefix· 329

network· 330

option· 332

option-group· 333

prefix-pool 333

reset ipv6 dhcp server conflict 334

reset ipv6 dhcp server expired· 335

reset ipv6 dhcp server ip-in-use· 335

reset ipv6 dhcp server pd-in-use· 336

reset ipv6 dhcp server statistics· 337

sip-server 337

static-bind· 338

temporary address range· 339

DHCPv6 relay agent commands· 340

display ipv6 dhcp relay server-address· 340

display ipv6 dhcp relay statistics· 341

gateway-list 343

ipv6 dhcp relay gateway· 344

ipv6 dhcp relay interface-id· 344

ipv6 dhcp relay server-address· 345

remote-server 346

reset ipv6 dhcp relay statistics· 347

DHCPv6 client commands· 347

display ipv6 dhcp client 347

display ipv6 dhcp client statistics· 350

ipv6 address dhcp-alloc· 351

ipv6 dhcp client dscp· 352

ipv6 dhcp client duid· 352

ipv6 dhcp client pd· 353

ipv6 dhcp client stateless enable· 354

ipv6 dhcp client stateful 354

reset ipv6 dhcp client statistics· 355

DHCPv6 snooping commands· 356

display ipv6 dhcp snooping binding· 356

display ipv6 dhcp snooping binding database· 357

display ipv6 dhcp snooping packet statistics· 358

display ipv6 dhcp snooping trust 358

ipv6 dhcp snooping binding database filename· 359

ipv6 dhcp snooping binding database update interval 360

ipv6 dhcp snooping binding database update now· 361

ipv6 dhcp snooping binding record· 361

ipv6 dhcp snooping check request-message· 362

ipv6 dhcp snooping deny· 363

ipv6 dhcp snooping enable· 363

ipv6 dhcp snooping log enable· 364

ipv6 dhcp snooping max-learning-num·· 364

ipv6 dhcp snooping option interface-id enable· 365

ipv6 dhcp snooping option interface-id string· 365

ipv6 dhcp snooping option remote-id enable· 366

ipv6 dhcp snooping option remote-id string· 367

ipv6 dhcp snooping rate-limit 367

ipv6 dhcp snooping trust 368

reset ipv6 dhcp snooping binding· 369

reset ipv6 dhcp snooping packet statistics· 369

GRE commands· 371

bandwidth· 371

default 371

description· 372

destination· 372

display interface tunnel 373

gre checksum·· 377

gre key· 377

interface tunnel 378

keepalive· 379

mtu· 380

reset counters interface· 380

shutdown· 381

source· 382

tunnel dfbit enable· 382

tunnel tos· 383

tunnel ttl 384

Index· 385

 


ARP commands

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

arp check enable

Use arp check enable to enable dynamic ARP entry check.

Use undo arp check enable to disable dynamic ARP entry check.

Syntax

arp check enable

undo arp check enable

Default

Dynamic ARP entry check is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Dynamic ARP entry check disables a device from supporting dynamic ARP entries with multicast MAC addresses. The device cannot learn dynamic ARP entries containing multicast MAC addresses. You cannot manually add static ARP entries that contain multicast MAC addresses.

When dynamic ARP entry check is disabled, ARP entries containing multicast MAC addresses are supported. The device can learn dynamic ARP entries containing multicast MAC addresses obtained from the ARP packets sourced from a unicast MAC address. You can also manually add static ARP entries containing multicast MAC addresses.

Examples

# Enable dynamic ARP entry check.

<Sysname> system-view

[Sysname] arp check enable

arp check log enable

Use arp check log enable to enable the ARP logging feature.

Use undo arp check log enable to disable the ARP logging feature.

Syntax

arp check log enable

undo arp check log enable

Default

ARP logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables a device to log ARP events when ARP cannot resolve IP addresses correctly. The device can log the following ARP events:

·          On a proxy ARP-disabled interface, the target IP address of a received ARP packet is not one of the following IP addresses:

?  The IP address of the receiving interface.

?  The public IP address after NAT.

·          The sender IP address of a received ARP reply conflicts with one of the following IP addresses:

?  The IP address of the receiving interface.

?  The public IP address after NAT.

The device sends ARP log messages to the information center. You can use the info-center source command to specify the log output rules for the information center. For more information about information center, see Network Management and Monitoring Configuration Guide.

The device can generate a large amount of ARP logs. To conserve system resources, enable ARP logging only when you are troubleshooting or debugging ARP events.

Examples

# Enable ARP logging.

<Sysname> system-view

[Sysname] arp check log enable

arp max-learning-num

Use arp max-learning-num to set the maximum number of dynamic ARP entries that an interface can learn.

Use undo arp max-learning-num to restore the default.

Syntax

arp max-learning-num number

undo arp max-learning-num

Default

The following matrix shows the default values for the number argument:

 

Hardware series

Model

Default

WX1800H series

WX1804H

WX1810H

WX1820H

WX1840H

512: WX1804H

2048:

·         WX1810H

·         WX1820H

·         WX1840H

WX3800H series

WX3820H

WX3840H

32768: WX3820H

40960: WX3840H

WX5800H series

WX5860H

65536

 

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Layer 3 Ethernet interface/subinterface view

VLAN interface view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of dynamic ARP entries for an interface.

The following matrix shows the value ranges for the number argument:

 

Hardware series

Model

Value range

WX1800H series

WX1804H

WX1810H

WX1820H

WX1840H

0 to 512: WX1804H

0 to 2048:

·         WX1810H

·         WX1820H

·         WX1840H

WX3800H series

WX3820H

WX3840H

0 to 32768: WX3820H

0 to 40960: WX3840H

WX5800H series

WX5860H

0 to 65536

 

Usage guidelines

An interface can dynamically learn ARP entries. To prevent an interface from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the interface can learn. When the maximum number is reached, the interface stops learning ARP entries.

When the number argument is set to 0, the interface is disabled from learning dynamic ARP entries.

Examples

# Specify VLAN-interface 40 to learn a maximum of 500 dynamic ARP entries.

<Sysname> system-view

[Sysname] interface vlan-interface 40

[Sysname-Vlan-interface40] arp max-learning-num 500

# Specify GigabitEthernet 1/0/1 to learn a maximum of 1000 dynamic ARP entries.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] arp max-learning-num 1000

# Specify Layer 2 aggregate interface Bridge-Aggregation 1 to learn a maximum of 1000 dynamic ARP entries.

<Sysname> system-view

[Sysname] interface bridge-aggregation 1

[Sysname-Bridge-Aggregation1] arp max-learning-num 1000

arp max-learning-number

Use arp max-learning-number to set the maximum number of dynamic ARP entries that a device can learn.

Use undo arp max-learning-number to restore the default.

Syntax

arp max-learning-number number slot slot-number

undo arp max-learning-number slot slot-number

Default

The following matrix shows the default values for the number argument:

 

Hardware series

Model

Default

WX1800H series

WX1804H

WX1810H

WX1820H

WX1840H

512: WX1804H

2048:

·         WX1810H

·         WX1820H

·         WX1840H

WX3800H series

WX3820H

WX3840H

32768: WX3820H

40960: WX3840H

WX5800H series

WX5860H

65536

 

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of dynamic ARP entries for a device.

The following matrix shows the value ranges for the number argument:

 

Hardware series

Model

Value range

WX1800H series

WX1804H

WX1810H

WX1820H

WX1840H

0 to 512: WX1804H

0 to 2048:

·         WX1810H

·         WX1820H

·         WX1840H

WX3800H series

WX3820H

WX3840H

0 to 32768: WX3820H

0 to 40960: WX3840H

WX5800H series

WX5860H

0 to 65536

 

slot slot-number: Specifies an IRF member device by its member ID.

Usage guidelines

A device can dynamically learn ARP entries. To prevent a device from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the device can learn. When the maximum number is reached, the device stops learning ARP entries.

When the number argument is set to 0, the device is disabled from learning dynamic ARP entries.

Examples

# Set IRF member device 1 to learn a maximum of 64 dynamic ARP entries.

<Sysname> system-view

[Sysname] arp max-learning-number 64 slot 1

arp static

Use arp static to configure a static ARP entry.

Use undo arp to delete an ARP entry.

Syntax

arp static ip-address mac-address [ vlan-id interface-type interface-number ]

undo arp ip-address

Default

No static ARP entries are configured.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Specifies an IP address for the static ARP entry.

mac-address: Specifies a MAC address for the static ARP entry, in the format of H-H-H.

vlan-id: Specifies the ID of a VLAN to which the static ARP entry belongs. The value range is 1 to 4094.

interface-type interface-number: Specifies an interface by its type and number. The interface can be an Ethernet interface or an aggregate interface.

Usage guidelines

A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten by any dynamic ARP entry.

A static ARP entry is effective when the device operates correctly.

When the VLAN or VLAN interface is deleted, long static ARP entries in the VLAN are deleted, and resolved short static ARP entries in the VLAN become unresolved.

A resolved short static ARP entry becomes unresolved upon certain events. For example, it is unresolved if the output interface is down.

A long static ARP entry is ineffective when the corresponding VLAN interface or output interface is down. An ineffective long static ARP entry cannot be used to forward packets.

If you specify the vlan-id argument, the following requirements must be met:

·          The VLAN and VLAN interface must already exist.

·          The IP address of the VLAN interface and the IP address specified by the ip-address argument must be on the same network.

·          The specified Ethernet interface or aggregate interface belongs to the specified VLAN.

Examples

# Configure a long static ARP entry that contains IP address 202.38.10.2, MAC address 00e0-fc01-0000, and output interface GigabitEthernet 1/0/1 in VLAN 10.

<Sysname> system-view

[Sysname] arp static 202.38.10.2 00e0-fc01-0000 10 gigabitethernet 1/0/1

Related commands

·          display arp

·          reset arp

arp timer aging

Use arp timer aging to set the aging timer for dynamic ARP entries.

Use undo arp timer aging to restore the default.

Syntax

arp timer aging aging-time

undo arp timer aging

Default

The aging timer for dynamic ARP entries is 20 minutes.

Views

System view

Predefined user roles

network-admin

Parameters

aging-time: Sets the aging timer for dynamic ARP entries, in the range of 1 to 1440 minutes.

Usage guidelines

Each dynamic ARP entry in the ARP table has a limited lifetime, called an aging timer. The aging timer of a dynamic ARP entry is reset each time the dynamic ARP entry is updated. Dynamic ARP entries that are not updated before their aging timers expire are deleted from the ARP table.

Set the aging timer for dynamic ARP entries as needed. For example, when you configure proxy ARP, set a short aging time so that invalid dynamic ARP entries can be deleted in time.

Examples

# Set the aging timer for dynamic ARP entries to 10 minutes.

<Sysname> system-view

[Sysname] arp timer aging 10

Related commands

display arp timer aging

display arp

Use display arp to display ARP entries.

Syntax

display arp [ [ all | dynamic |static ] [ slot slot-number ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays all ARP entries.

dynamic: Displays dynamic ARP entries.

static: Displays static ARP entries.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ARP entries for the master device.

vlan vlan-id: Specifies a VLAN by its VLAN ID. The VLAN ID is in the range of 1 to 4094.

interface interface-type interface-number: Specifies an interface by its type and number.

count: Displays the number of ARP entries.

verbose: Displays detailed information about ARP entries.

Usage guidelines

This command displays information about ARP entries, including the IP address, MAC address, VLAN ID, output interface, entry type, and aging timer.

Examples

# Display all ARP entries.

<Sysname> display arp all

Type: S-Static    D-Dynamic    O-Openflow   R-Rule   I-Invalid

IP address      MAC address    SVID     Interface                Aging Type

192.168.100.1   5cdd-7081-2a2d 1        GE1/0/1                  11    D

192.168.100.3   6805-ca17-4a5e 1        GE1/0/1                  14    D

192.168.100.4   a036-9f42-b774 1        GE1/0/1                  17    D

192.168.100.8   7446-a08f-0ca2 1        GE1/0/1                  16    D

192.168.100.18  f092-1cef-677f 1        GE1/0/1                  10    D

192.168.100.40  2c41-389f-9b97 1        GE1/0/1                  2     D

192.168.100.66  000f-e212-510e 1        GE1/0/1                  2     D

192.168.100.197 3ce5-a618-e6a8 1        GE1/0/1                  11    D

192.168.100.199 2222-1111-baaa 1        GE1/0/1                  11    D

192.168.100.201 000f-1e2e-0a11 1        GE1/0/1                  11    D

# Display detailed information about all ARP entries.

<Sysname> display arp all verbose

  Type: S-Static   D-Dynamic   O-Openflow   R-Rule     I-Invalid

IP Address       : 1.1.1.1          SVID/CVID: 1/--    Aging   : --

MAC Address      : 02e0-f102-0023   Type     : S       Nickname: 0x0000

Interface        : GE1/0/1

VPN Instance     : [No Vrf]

# Display the number of all ARP entries.

<Sysname> display arp all count

 Total number of entries : 10

Table 1 Command output

Field

Description

IP Address

IP address in an ARP entry.

MAC Address

MAC address in an ARP entry.

SVID

ID of the outer VLAN to which the ARP entry belongs. This field displays hyphens (--) in either of the following situations:

·         The ARP entry is an unresolved short static ARP entry.

·         The output interface of the ARP entry does not belong to any outer VLAN.

This field is not supported in the current software version.

SVID/CVID

ID of the outer VLAN or inner VLAN to which the ARP entry belongs. This field displays hyphens (--) in either of the following situations:

·         The ARP entry is an unresolved short static ARP entry.

·         The output interface of the ARP entry does not belong to any outer VLAN or inner VLAN.

Interface

Output interface in an ARP entry. This field displays N/A in either of the following situations:

·         The ARP entry is an unresolved short static ARP entry.

·         The ARP entry is a multiport ARP entry. (Multiport ARP entry is not supported in the current software version.)

·         The ARP entry has no output interface information.

Aging

Aging time for a dynamic ARP entry in minutes. N/A means unknown aging time or no aging time.

Type

ARP entry type:

·         D—Dynamic.

·         S—Static.

·         O—OpenFlow. This type is not supported in the current software version.

·         RRule. This type is not supported in the current software version.

·         I—Invalid.

VPN Instance

Name of VPN instance. [No Vrf] is displayed if no VPN instance is configured for the ARP entry. This field is not supported in the current software version.

NickName

Nickname of the ARP entry. The nickname is a string of four hexadecimal digits, for example, 0x012a.

This field is not supported in the current software version.

Total number of entries

Number of ARP entries.

 

Related commands

·          arp static

·          reset arp

display arp ip-address

Use display arp ip-address to display the ARP entry for an IP address.

Syntax

display arp ip-address [ slot slot-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip-address: Displays the ARP entry for the specified IP address.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information for the master device.

verbose: Displays the detailed information about the specified ARP entry.

Usage guidelines

The ARP entry information includes the IP address, MAC address, VLAN ID, output interface, entry type, and aging timer.

Examples

# Display the ARP entry for the IP address 192.168.100.1.

<Sysname> display arp 192.168.100.1

   Type: S-Static    D-Dynamic    O-Openflow   R-Rule   I-Invalid

IP address      MAC address    SVID     Interface                Aging Type

192.168.100.1   5cdd-7081-2a2d 1        GE1/0/1                  3     D

Related commands

·          arp static

·          reset arp

display arp timer aging

Use display arp timer aging to display the aging timer of dynamic ARP entries.

Syntax

display arp timer aging

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the aging timer of dynamic ARP entries.

<Sysname> display arp timer aging

Current ARP aging time is 10 minute(s)

Related commands

arp timer aging

reset arp

Use reset arp to clear ARP entries from the ARP table.

Syntax

reset arp { all | dynamic | interface interface-type interface-number | slot slot-number | static }

Views

User view

Predefined user roles

network-admin

Parameters

all: Clears all ARP entries.

dynamic: Clears all dynamic ARP entries.

static: Clears all static ARP entries.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears ARP entries for the master device.

interface interface-type interface-number: Specifies an interface by its type and number.

Examples

# Clear all static ARP entries.

<Sysname> reset arp static

Related commands

·          arp static

·          display arp


Gratuitous ARP commands

arp ip-conflict log prompt

Use arp ip-conflict log prompt to enable IP conflict notification without conflict confirmation.

Use undo arp ip-conflict log prompt to restore the default.

Syntax

arp ip-conflict log prompt

undo arp ip-conflict log prompt

Default

IP conflict notification is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

By default, the device performs the following operations if it is using the sender IP address of a received ARP packet:

·          Sends a gratuitous ARP request.

·          Displays an error message after the device receives an ARP reply about the conflict.

Examples

# Enable IP conflict notification on the device.

<Sysname> system-view

[Sysname] arp ip-conflict log prompt

arp send-gratuitous-arp

Use arp send-gratuitous-arp to enable periodic sending of gratuitous ARP packets on an interface.

Use undo arp send-gratuitous-arp to disable the interface from periodically sending gratuitous ARP packets.

Syntax

arp send-gratuitous-arp [ interval milliseconds ]

undo arp send-gratuitous-arp

Default

Periodic sending of gratuitous ARP packets is disabled.

Views

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

VLAN interface view

Predefined user roles

network-admin

Parameters

interval milliseconds: Specifies the sending interval in the range of 200 to 200000 milliseconds. The default value is 2000 milliseconds.

Usage guidelines

This feature takes effect on an interface only when the interface has an IP address and the data link layer state of the interface is up.

This feature can send gratuitous ARP requests only for the sending interface's primary IP address or manually configured secondary IP address. The primary IP address can be configured manually or automatically, whereas the secondary IP address must be configured manually.

If you change the sending interval for gratuitous ARP packets, the configuration takes effect at the next sending interval.

The sending interval for gratuitous ARP packets might be much longer than the set interval when any of the following conditions exist:

·          This feature is enabled on multiple interfaces.

·          Each interface is configured with multiple secondary IP addresses.

·          A small sending interval is configured in the preceding cases.

Examples

# Enable VLAN-interface 2 to send gratuitous ARP packets every 300 milliseconds.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] arp send-gratuitous-arp interval 300

gratuitous-arp-learning enable

Use gratuitous-arp-learning enable to enable learning of gratuitous ARP packets.

Use undo gratuitous-arp-learning enable to disable learning of gratuitous ARP packets.

Syntax

gratuitous-arp-learning enable

undo gratuitous-arp-learning enable

Default

Learning of gratuitous ARP packets is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The learning of gratuitous ARP packets feature allows a device to maintain its ARP table by creating or updating ARP entries based on received gratuitous ARP packets.

When this feature is disabled, the device uses received gratuitous ARP packets to update existing ARP entries only. ARP entries are not created based on the received gratuitous ARP packets, which saves ARP table space.

Examples

# Enable learning of gratuitous ARP packets.

<Sysname> system-view

[Sysname] gratuitous-arp-learning enable

gratuitous-arp-sending enable

Use gratuitous-arp-sending enable to enable sending gratuitous ARP packets upon receiving ARP requests whose sender IP address is on a different subnet.

Use undo gratuitous-arp-sending enable to restore the default.

Syntax

gratuitous-arp-sending enable

undo gratuitous-arp-sending enable

Default

A device does not send gratuitous ARP packets when it receives ARP requests whose sender IP address is on a different subnet.

Views

System view

Predefined user roles

network-admin

Examples

# Disable a device from sending gratuitous ARP packets upon receiving ARP requests whose sender IP address is on a different subnet.

<Sysname> system-view

[Sysname] undo gratuitous-arp-sending enable


Proxy ARP commands

display local-proxy-arp

Use display local-proxy-arp to display the local proxy ARP status.

Syntax

display local-proxy-arp [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

The local ARP proxy status can be enabled or disabled.

If an interface is specified, this command displays the local proxy ARP status for the specified interface.

If no interface is specified, this command displays the local proxy ARP status for all interfaces.

Examples

# Display the local proxy ARP status for VLAN-interface 2.

<Sysname> display local-proxy-arp interface vlan-interface 2

Interface Vlan-interface2

 Local Proxy ARP status: enabled

Related commands

local-proxy-arp enable

display proxy-arp

Use display proxy-arp to display the proxy ARP status.

Syntax

display proxy-arp [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

The proxy ARP status can be enabled or disabled.

If an interface is specified, this command displays proxy ARP status for the specified interface.

If no interface is specified, this command displays proxy ARP status for all interfaces.

Examples

# Display the proxy ARP status on VLAN-interface 2.

<Sysname> display proxy-arp interface vlan-interface 2

Interface Vlan-interface2

 Proxy ARP status: disabled

Related commands

proxy-arp enable

local-proxy-arp enable

Use local-proxy-arp enable to enable local proxy ARP.

Use undo local-proxy-arp enable to disable local proxy ARP.

Syntax

local-proxy-arp enable [ ip-range startIP to endIP ]

undo local-proxy-arp enable

Default

Local proxy ARP is disabled.

Views

VLAN interface view

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Predefined user roles

network-admin

Parameters

ip-range startIP to endIP: Specifies the IP address range for which local proxy ARP is enabled. The start IP address must be lower than or equal to the end IP address.

Usage guidelines

Proxy ARP enables a device on a network to answer ARP requests for an IP address not on that network. With proxy ARP, hosts in different broadcast domains can communicate with each other as they do on the same network.

Proxy ARP includes common proxy ARP and local proxy ARP.

Common proxy ARP allows communication between hosts that connect to different Layer 3 interfaces and reside in different broadcast domains.

Local proxy ARP allows communication between hosts that connect to the same Layer 3 interface and reside in different broadcast domains.

Only one IP address range can be specified by using the ip-range keyword on an interface.

Examples

# Enable local proxy ARP on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] local-proxy-arp enable

# Enable local proxy ARP on VLAN-interface 2 for an IP address range.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] local-proxy-arp enable ip-range 1.1.1.1 to 1.1.1.20

Related commands

display local-proxy-arp

proxy-arp enable

Use proxy-arp enable to enable proxy ARP.

Use undo proxy-arp enable to disable proxy ARP.

Syntax

proxy-arp enable

undo proxy-arp enable

Default

Proxy ARP is disabled.

Views

VLAN interface view

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Predefined user roles

network-admin

Usage guidelines

Proxy ARP enables a device on a network to answer ARP requests for an IP address not on that network. With proxy ARP, hosts in different broadcast domains can communicate with each other as they do on the same network.

Proxy ARP includes common proxy ARP and local proxy ARP.

Common proxy ARP allows communication between hosts that connect to different Layer 3 interfaces and reside in different broadcast domains.

Local proxy ARP allows communication between hosts that connect to the same Layer 3 interface and reside in different broadcast domains.

Examples

# Enable proxy ARP on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] proxy-arp enable

Related commands

display proxy-arp


ARP fast-reply commands

arp fast-reply enable

Use arp fast-reply enable to enable ARP fast-reply for a VLAN.

Use undo arp fast-reply enable to disable ARP fast-reply for a VLAN.

Syntax

arp fast-reply enable

undo arp fast-reply enable

Default

ARP fast-reply is disabled on a VLAN.

Views

VLAN view

Predefined user roles

network-admin

Examples

# Enable ARP fast-reply for VLAN 2.

<Sysname> system-view

[Sysname] vlan 2


IP addressing commands

display ip interface

Use display ip interface to display IP configuration and statistics for Layer 3 interfaces.

Syntax

display ip interface [ interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, the command displays information about all Layer 3 interfaces.

Usage guidelines

Use the display ip interface command to display IP configuration and statistics for the specified Layer 3 interface. The statistics include the following information:

·          The number of unicast packets, bytes, and multicast packets the interface has sent and received.

·          The number of TTL-invalid packets and ICMP packets the interface has received.

The packet statistics helps you locate a possible attack on the network.

Examples

# Display IP configuration and statistics for VLAN-interface 10.

<Sysname> display ip interface vlan-interface 10

Vlan-interface10 current state : DOWN

Line protocol current state : DOWN

Internet Address is 1.1.1.1/8 Primary

Broadcast address : 1.255.255.255

The Maximum Transmit Unit : 1500 bytes

input packets : 0, bytes : 0, multicasts : 0

output packets : 0, bytes : 0, multicasts : 0

TTL invalid packet number:         0

ICMP packet input number:          0

  Echo reply:                      0

  Unreachable:                     0

  Source quench:                   0

  Routing redirect:                0

  Echo request:                    0

  Router advert:                   0

  Router solicit:                  0

  Time exceed:                     0

  IP header bad:                   0

  Timestamp request:               0

  Timestamp reply:                 0

  Information request:             0

  Information reply:               0

  Netmask request:                 0

  Netmask reply:                   0

  Unknown type:                    0

Table 2 Command output

Field

Description

current state

Current physical state of the interface:

·         Administrative DOWN—The interface is shut down with the shutdown command.

·         DOWN—The interface is administratively up but its physical state is down, which might be caused by a connection or link failure.

·         UP—Both the administrative and physical states of the interface are up.

Line protocol current state

Current state of the link layer protocol:

·         DOWN—The protocol state of the interface is down.

·         UP—The protocol state of the interface is up.

·         UP (spoofing)—The protocol state of the interface pretends to be up. However, no corresponding link is present, or the corresponding link is not present permanently but is established as needed.

Internet Address

IP address of an interface followed by:

·         Primary—A primary IP address.

·         Sub—A secondary IP address.

·         MTunnel—An MTunnel interface IP address. The device does not support this field in the current software version.

·         SSLVPN—An SSL VPN interface IP address. The device does not support this field in the current software version.

·         PPP-Negotiated—A PPP negotiated IP address.

·         Unnumbered—An unnumbered IP address. The device does not support this field in the current software version.

·         DHCP-Allocated—An IP address obtained through DHCP.

·         BOOTP-Allocated—An IP address obtained through BOOTP.

·         Cluster—An IP address of an IRF fabric.

·         Mad—A MAD IP address. The device does not support this field in the current software version.

Broadcast address

Broadcast address of the subnet attached to an interface.

The Maximum Transmit Unit

Maximum transmission units on the interface, in bytes.

input packets, bytes, multicasts

output packets, bytes, multicasts

Unicast packets, bytes, and multicast packets received on an interface (statistics start at the device startup).

TTL invalid packet number

Number of TTL-invalid packets received on the interface (statistics start at the device startup).

ICMP packet input number:

  Echo reply:

  Unreachable:

  Source quench:

  Routing redirect:

  Echo request:

  Router advert:

  Router solicit:

  Time exceed:

  IP header bad:

  Timestamp request:

  Timestamp reply:

  Information request:

  Information reply:

  Netmask request:

  Netmask reply:

  Unknown type:

Total number of ICMP packets received on the interface (statistics start at the device startup):

·         Echo reply packets.

·         Unreachable packets.

·         Source quench packets.

·         Routing redirect packets.

·         Echo request packets.

·         Router advertisement packets.

·         Router solicitation packets.

·         Time exceeded packets.

·         IP header bad packets.

·         Timestamp request packets.

·         Timestamp reply packets.

·         Information request packets.

·         Information reply packets.

·         Netmask request packets.

·         Netmask reply packets.

·         Unknown type packets.

 

Related commands

·          display ip interface brief

·          ip address

display ip interface brief

Use display ip interface brief to display brief IP configuration for Layer 3 interfaces.

Syntax

display ip interface [ interface-type [ interface-number ] ] brief [ description ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type: Specifies the interface type.

interface-number: Specifies the interface number.

description: Displays complete interface descriptions. If you do not specify this keyword, the command displays a maximum of 16 characters for each interface description. If the description is longer than 16 characters, the first 14 characters are displayed, followed by an ellipsis (...).

Usage guidelines

Information displayed by the command includes the state of the physical and link layer protocols, IP address, and interface descriptions.

If you do not specify the interface type and interface number, the command displays brief IP configuration for all Layer 3 interfaces.

If you specify only the interface type, the command displays brief IP configuration for all Layer 3 interfaces of the specified type.

If you specify both the interface type and interface number, the command displays brief IP configuration for the specified interface.

Examples

# Display brief IP configuration for VLAN interfaces.

<Sysname> display ip interface vlan-interface brief

*down: administratively down

(s): spoofing  (l): loopback

Interface                Physical Protocol IP Address      Description    

Vlan10                   down     down     6.6.6.1         --

Vlan2                    down     down     7.7.7.1         --

<Sysname> display ip interface vlan-interface brief description

*down: administratively down

(s): spoofing  (l): loopback

Interface                Physical Protocol IP Address      Description

Vlan10                   down     down     6.6.6.1         --

Vlan2                    down     down     7.7.7.1         --

Table 3 Command output

Field

Description

*down: administratively down

The interface is administratively shut down with the shutdown command.

(s) : spoofing

Spoofing attribute of the interface. It indicates that an interface might have no link present even when its link layer protocol is up or the link is established only on demand.

Interface

Interface name.

Physical

Physical state of the interface:

·         *down—The interface is administratively shut down with the shutdown command.

·         down—The interface is administratively up but its physical state is down (possibly because of poor connection or line failure).

·         up—Both the administrative and physical states of the interface are up.

Protocol

Link layer protocol state of the interface:

·         down—The protocol state of the interface is down.

·         down(l)—The protocol state of the interface is down (loopback).

·         up—The protocol state of the interface is up.

·         up(l)—The protocol state of the interface is up (loopback).

·         up(s)—The protocol state of the interface is up (spoofing).

IP Address

IP address of the interface. If no IP address is configured, this field displays hyphens (--).

Description

Interface description information. If no description is configured, this field displays hyphens (--).

 

Related commands

·          display ip interface

·          ip address

ip address

Use ip address to assign an IP address to the interface.

Use undo ip address to remove the IP address from the interface.

Syntax

ip address ip-address { mask-length | mask } [ sub ]

undo ip address [ ip-address { mask-length | mask } [ sub ] ]

Default

No IP address is assigned to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of the interface, in dotted decimal notation.

mask-length: Specifies the subnet mask length in the range of 1 to 31. For a loopback interface, the value range is 1 to 32.

mask: Specifies the subnet mask in dotted decimal notation.

sub: Assigns a secondary IP address to the interface.

Usage guidelines

Use the command to configure a primary IP address for an interface. If the interface connects to multiple subnets, configure primary and secondary IP addresses on the interface so the subnets can communicate with each other through the interface.

An interface can have only one primary IP address. A newly configured primary IP address overwrites the previous address.

You cannot assign secondary IP addresses to an interface that obtains an IP address through BOOTP, DHCP, or PPP address negotiation.

The undo ip address command removes all IP addresses from the interface. The undo ip address ip-address { mask | mask-length } command removes the primary IP address. The undo ip address ip-address { mask | mask-length } sub command removes a secondary IP address.

The primary and secondary IP addresses assigned to the interface can be located on the same network segment. Different interfaces on your device must reside on different network segments.

Examples

# Assign VLAN-interface 10 a primary IP address 129.12.0.1 and a secondary IP address 202.38.160.1, with subnet masks both 255.255.255.0.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ip address 129.12.0.1 255.255.255.0

[Sysname-Vlan-interface10] ip address 202.38.160.1 255.255.255.0 sub

Related commands

·          display ip interface

·          display ip interface brief


DHCP commands

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

Common DHCP commands

dhcp client-detect

Use dhcp client-detect to enable client offline detection on the DHCP server or DHCP relay agent.

Use undo dhcp client-detect to disable client offline detection.

Syntax

dhcp client-detect

undo dhcp client-detect

Default

Client offline detection is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

The client offline detection feature on the DHCP server reclaims an assigned IP address and deletes the binding entry when the ARP entry ages out for the IP address.

This feature on the DHCP relay agent deletes the related relay entry and sends a RELEASE message to the DHCP server when an ARP entry ages out.

This feature does not function if an ARP entry is manually deleted.

Examples

# Enable client offline detection.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp client-detect

dhcp dscp

Use dhcp dscp to set the DSCP value for DHCP packets sent by the DHCP server or the DHCP relay agent.

Use undo dhcp dscp to restore the default.

Syntax

dhcp dscp dscp-value

undo dhcp dscp

Default

The DSCP value in DHCP packets is 56.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Sets the DSCP value for DHCP packets, in the range of 0 to 63.

Usage guidelines

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

Examples

# Set the DSCP value for DHCP packets to 30.

<Sysname> system-view

[Sysname] dhcp dscp 30

dhcp enable

Use dhcp enable to enable DHCP.

Use undo dhcp enable to disable DHCP.

Syntax

dhcp enable

undo dhcp enable

Default

DHCP is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Enable DHCP before you configure the DHCP server or relay agent.

Examples

# Enable DHCP.

<Sysname> system-view

[Sysname] dhcp enable

dhcp log enable

Use dhcp log enable to enable DHCP logging.

Use undo dhcp log enable to restore the default.

Syntax

dhcp log enable

undo dhcp log enable

Default

DHCP logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the DHCP server to generate DHCP logs and send them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

Disable this feature when the log generation affects the device performance or reduces the address allocation efficiency. For example, this situation might occur when a large number of clients frequently come online or go offline.

Examples

# Enable DHCP logging.

<Sysname> system-view

[Sysname] dhcp log enable

dhcp select

Use dhcp select to enable the DHCP server or DHCP relay agent on an interface.

Use undo dhcp select to disable the DHCP server or DHCP relay agent on an interface. The interface discards DHCP packets.

Syntax

dhcp select { relay [ proxy ] | server }

undo dhcp select { relay | server }

Default

The interface operates in DHCP server mode and responds to DHCP requests with configuration parameters.

Views

Interface view

Predefined user roles

network-admin

Parameters

relay: Enables the DHCP relay agent on the interface.

proxy: Enables DHCP server proxy on the relay agent.

server: Enables the DHCP server on the interface.

Usage guidelines

Before enabling the DHCP relay agent on an interface, use the reset dhcp server ip-in-use command to remove address bindings and authorized ARP entries. These authorized ARP entries might conflict with ARP entries that are created after the DHCP relay agent is enabled.

When DHCP server proxy is enabled on the relay agent, the proxy forwards packets between the DHCP clients and DHCP server.

·          When receiving DHCP packets from DHCP clients, the proxy forwards them to the DHCP server.

·          When receiving DHCP responses from the DHCP server, the proxy modified the server's IP address in these responses as its own IP address.

Examples

# Enable the DHCP relay agent on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] dhcp select relay

Related commands

·          dhcp smart-relay enable

·          reset dhcp server ip-in-use

DHCP server commands

address range

Use address range to configure an IP address range in a DHCP address pool for dynamic allocation.

Use undo address range to remove the IP address range in the address pool.

Syntax

address range start-ip-address end-ip-address

undo address range

Default

No IP address range is configured.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

start-ip-address: Specifies the start IP address.

end-ip-address: Specifies the end IP address.

Usage guidelines

If no IP address range is specified, all IP addresses in the subnet specified by the network command in address pool view are assignable. If an IP address range is specified, only the IP addresses in the IP address range are assignable.

After you use the address range command, you cannot use the network secondary command to specify a secondary subnet in the address pool.

If you use the command multiple times, the most recent configuration takes effect.

The address range specified by the address range command must be within the subnet specified by the network command. The addresses out of the address range cannot be assigned.

Examples

# Specify an address range of 192.168.8.1 through 192.168.8.150 in address pool 1.

<Sysname> system-view

[Sysname] dhcp server ip-pool 1

[Sysname-dhcp-pool-1] address range 192.168.8.1 192.168.8.150

Related commands

·          class

·          dhcp class

·          display dhcp server pool

·          network

bims-server

Use bims-server to specify the IP address, port number, and shared key of the BIMS server in a DHCP address pool.

Use undo bims-server to remove the specified BIMS server information.

Syntax

bims-server ip ip-address [ port port-number ] sharekey { cipher | simple } key

undo bims-server

Default

No BIMS server information is specified.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

ip ip-address: Specifies the IP address of the BIMS server.

port port-number: Specifies the port number of the BIMS server, in the range of 1 to 65534.

cipher: Sets a ciphertext key.

simple: Sets a plaintext key.

key: Specifies the key string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 16 characters. If cipher is specified, it must be a ciphertext string of 1 to 53 characters. The DHCP client uses the shared key to encrypt packets sent to the BIMS server.

Usage guidelines

If you use this command multiple times, the most recent configuration takes effect.

For security purposes, all passwords, including those configured in plain text, are saved in cipher text.

Examples

# Specify the BIMS server IP address 1.1.1.1, port number 80, and shared key aabbcc in address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] bims-server ip 1.1.1.1 port 80 sharekey simple aabbcc

Related commands

display dhcp server pool

bootfile-name

Use bootfile-name to specify a configuration file name.

Use undo bootfile-name to remove the configuration file name.

Syntax

bootfile-name bootfile-name

undo bootfile-name

Default

No configuration file name is specified.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

bootfile-name: Specifies the configuration file name, a case-sensitive string of 1 to 63 characters.

Usage guidelines

If you use the bootfile-name command multiple times, the most recent configuration takes effect.

If the configuration file is on a TFTP server, specify the configuration file name, and the IP address or name of the TFTP server.

Examples

# Specify the configuration file name boot.cfg in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] bootfile-name boot.cfg

Related commands

·          display dhcp server pool

·          next-server

·          tftp-server domain-name

·          tftp-server ip-address

class ip-pool

Use class ip-pool to specify a DHCP address pool for a DHCP user class.

Use undo class ip-pool to restore the default.

Syntax

class class-name ip-pool pool-name

undo class class-name ip-pool

Default

No DHCP address pool is specified for a DHCP user class.

Views

DHCP policy view

Predefined user roles

network-admin

Parameters

class-name: Specifies a DHCP user class by its name, a case-insensitive string of 1 to 63 characters.

pool-name: Specifies a DHCP address pool by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can specify only one DHCP address pool for a DHCP user class in a DHCP policy. If you use this command multiple times for a user class, the most recent configuration takes effect.

Examples

# Specify DHCP address pool pool1 for DHCP user class test in DHCP policy 1.

<Sysname> system-view

[Sysname] dhcp policy 1

[Sysname-dhcp-policy-1] class test ip-pool pool1

Related commands

·          default ip-pool

·          dhcp policy

·          dhcp server ip-pool

class option-group

Use class option-group to specify a DHCP option group for a DHCP user class.

Use undo class option-group to remove the configuration.

Syntax

class class-name option-group option-group-number

undo class class-name option-group

Default

No DHCP option group is specified for a DHCP user class.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

class-name: Specifies a DHCP user class by its name, a case-insensitive string of 1 to 63 characters.

option-group-number: Specifies a DHCP option group by its number in the range of 1 to 32768.

Usage guidelines

When receiving a DHCP-DISCOVER message, the server compares the client against the user classes in the order that they are specified by this command. If a match is found, the server assigns the client the DHCP options in the option group. If multiple matches are found, the server selects option groups by using the following methods:

·          If the option groups have options in common, the server selects the option group specified for the first matching user class.

·          If the option groups have different options, the server selects all the matching option groups.

You can specify only one option group for a DHCP user class in a DHCP address pool. If you use this command multiple times for a user class, the most recent configuration takes effect.

Examples

# Specify DHCP option group 1 for user class user in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] class user option-group 1

Related commands

dhcp option group

class range

Use class range to specify an IP address range for a DHCP user class.

Use undo class range to remove the IP address range for the DHCP user class.

Syntax

class class-name range start-ip-address end-ip-address

undo class class-name range

Default

No IP address range is specified for a DHCP user class.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

class-name: Specifies a DHCP user class by its name, a case-insensitive string of 1 to 63 characters. If the specified user class does not exist, the DHCP server will not assign the addresses in the address range specified for the user class to any client.

start-ip-address: Specifies the start IP address.

end-ip-address: Specifies the end IP address.

Usage guidelines

The class range command allows you to divide an address range into multiple address ranges for different DHCP user classes. The address range for a user class must be within the primary subnet specified by the network command. If the DHCP client does not match any DHCP user class, the DHCP server selects an address in the IP address range specified by the address range command. If the address range has no assignable IP addresses or no address range is configured, the address allocation fails.

You can specify only one address range for a DHCP user class in an address pool. If you use the class range command multiple times for a DHCP user class, the most recent configuration takes effect.

After you specify an address range for a user class, you cannot use the network secondary command to specify a secondary subnet in the address pool.

Examples

# Specify an IP address range of 192.168.8.1 through 192.168.8.150 for the DHCP user class user in DHCP address pool 1.

<Sysname> system-view

[Sysname] dhcp server ip-pool 1

[Sysname-dhcp-pool-1] class user range 192.168.8.1 192.168.8.150

Related commands

·          address range

·          dhcp class

·          display dhcp server pool

default ip-pool

Use default ip-pool to specify the default DHCP address pool.

Use undo default ip-pool to restore the default.

Syntax

default ip-pool pool-name

undo default ip-pool

Default

No default DHCP address pool is specified.

Views

DHCP policy view

Predefined user roles

network-admin

Parameters

pool-name: Specifies a DHCP address pool by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

In a DHCP policy, the DHCP server uses the default DHCP address pool to assign IP addresses and other parameters to clients that do not match any user class.

You can specify only one default address pool in a DHCP policy.

If you use this command multiple times, the most recent configuration takes effect.

Examples

# Specify DHCP address pool pool1 as the default DHCP address pool in DHCP policy 1.

<Sysname> system-view

[Sysname] dhcp policy 1

[Sysname-dhcp-policy-1] default ip-pool pool1

Related commands

·          class ip-pool

·          dhcp policy

dhcp apply-policy

Use dhcp apply-policy to apply a DHCP policy to an interface.

Use undo dhcp apply-policy to restore the default.

Syntax

dhcp apply-policy policy-name

undo dhcp apply-policy

Default

No DHCP policy is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a DHCP policy by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can apply only one DHCP policy to an interface.

If you use this command multiple times, the most recent configuration takes effect.

Examples

# Apply DHCP policy test to interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp apply-policy test

Related commands

dhcp policy

dhcp class

Use dhcp class to create a DHCP user class and enter the DHCP user class view.

Use undo dhcp class to remove the specified DHCP user class.

Syntax

dhcp class class-name

undo dhcp class class-name

Default

No DHCP user class exists.

Views

System view

Predefined user roles

network-admin

Parameters

class-name: Specifies the name of a DHCP user class, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can also use this command to enter the view of an existing DHCP user class.

In the DHCP user class view, you can use the if-match command to configure match rules to group clients to the user class.

Examples

# Create a DHCP user class test and enter DHCP user class view.

<Sysname> system-view

[Sysname] dhcp class test

[Sysname-dhcp-class-test]

Related commands

·          address range

·          class ip-pool

·          class option-group

·          class range

·          dhcp policy

·          if-match

dhcp option-group

Use dhcp option-group to create a DHCP option group and enter DHCP option group view.

Use undo dhcp option-group to delete a DHCP option group.

Syntax

dhcp option-group option-group-number

undo dhcp option-group option-group-number

Default

No DHCP option group exists.

Views

System view

Predefined user roles

network-admin

Parameters

option-group-number: Assigns a number to the DHCP option group, in the range of 1 to 32768.

Usage guidelines

You can use this command to enter the view of an existing DHCP option group.

Examples

# Create DHCP option group 1 and enter DHCP option group view.

<Sysname> system-view

[Sysname] dhcp option-group 1

[Sysname-dhcp-option-group-1]

Related commands

·          class option-group

·          option

dhcp policy

Use dhcp policy to create a DHCP policy and enter DHCP policy view.

Use undo dhcp policy to delete a DHCP policy.

Syntax

dhcp policy policy-name

undo dhcp policy policy-name

Default

No DHCP policy exists.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Assigns a name to the DHCP policy. The policy name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can also use this command to enter the view of an existing DHCP policy.

In DHCP policy view, you can specify address pools for different user classes. Clients matching a user class will obtain IP addresses and other parameters from the specified address pool.

For a DHCP policy to take effect, you must apply it to an interface.

Examples

# Create DHCP policy test and enter its view.

<Sysname> system-view

[Sysname] dhcp policy test

[Sysname-dhcp-policy-test]

Related commands

·          class ip-pool

·          default ip-pool

·          dhcp apply-policy

·          dhcp class

dhcp server always-broadcast

Use dhcp server always-broadcast to enable the DHCP server to broadcast all responses.

Use undo dhcp server always-broadcast to restore the default.

Syntax

dhcp server always-broadcast

undo dhcp server always-broadcast

Default

The DHCP server reads the broadcast flag in a DHCP request to decide whether to broadcast or unicast the response.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the DHCP server to ignore the broadcast flag in DHCP requests and broadcast all responses.

The DHCP server always unicasts a response in the following situations, regardless of whether this command is executed:

·          The DHCP request is from a DHCP client that has an IP address (the ciaddr field is not 0).

·          The DHCP request is forwarded by a DHCP relay agent from a DHCP client (the giaddr field is not 0).

Examples

# Enable the DHCP server to broadcast all responses.

<Sysname> system-view

[Sysname] dhcp server always-broadcast

dhcp server apply ip-pool

Use dhcp server apply ip-pool to apply an address pool on an interface.

Use undo dhcp server apply ip-pool to remove the configuration.

Syntax

dhcp server apply ip-pool pool-name

undo dhcp server apply ip-pool

Default

No address pool is applied on an interface

Views

Interface view

Predefined user roles

network-admin

Parameters

pool-name: Specifies the name of a DHCP address pool, a case-insensitive string of 1 to 63 characters.

Usage guidelines

Upon receiving a DHCP request from the interface, the DHCP server searches for a static binding for the client from all address pools. If no static binding is found, the server assigns configuration parameters from the address pool applied on the interface to the client. If the address pool has no assignable IP address or does not exist, the DHCP client cannot obtain an IP address.

If you use the command multiple times, the most recent configuration takes effect.

Examples

# Apply DHCP address pool 0 on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] dhcp server apply ip-pool 0

Related commands

dhcp server ip-pool

dhcp server bootp ignore

Use dhcp server bootp ignore to configure the DHCP server to ignore BOOTP requests.

Use undo dhcp server bootp ignore to restore the default.

Syntax

dhcp server bootp ignore

undo dhcp server bootp ignore

Default

The DHCP server does not ignore BOOTP requests.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The lease duration of IP addresses obtained by BOOTP clients is unlimited. For scenarios that do not allow unlimited leases, you can configure the DHCP server to ignore BOOTP requests.

Examples

# Configure the DHCP server to ignore BOOTP requests.

<Sysname> system-view

[Sysname] dhcp server bootp ignore

dhcp server bootp reply-rfc-1048

Use dhcp server bootp reply-rfc-1048 to enable the sending of BOOTP responses in RFC 1048 format.

Use undo dhcp server bootp reply-rfc-1048 to disable this feature.

Syntax

dhcp server bootp reply-rfc-1048

undo dhcp server bootp reply-rfc-1048

Default

This feature is disabled. The DHCP server does not process the Vend field of RFC 1048-incompliant requests but copies the Vend field into responses.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Not all BOOTP clients can send requests compliant with RFC 1048. This command enables the DHCP server to fill the Vend field in RFC 1048-compliant format in DHCP responses to RFC 1048-incompliant requests sent by BOOTP clients.

This command takes effect only when the BOOTP clients request statically bound addresses.

Examples

# Enable the sending of BOOTP responses in RFC 1048 format on the DHCP server.

<Sysname> system-view

[Sysname] dhcp server bootp reply-rfc-1048

dhcp server database filename

Use dhcp server database filename to configure the DHCP server to back up the bindings to a file.

Use undo dhcp server database filename to disable the auto backup and remove the backup file.

Syntax

dhcp server database filename { filename | url url [ username username [ password { cipher | simple } key ] ] }

undo dhcp server database filename

Default

The DHCP server does not back up the DHCP bindings.

Views

System view

Predefined user roles

network-admin

Parameters

filename: Specifies the name of a local backup file. For information about the filename argument, see Fundamentals Configuration Guide.

url url: Specifies the URL of a remote backup file. Do not include a username or password in the URL.

username username: Specifies the username for logging in to the remote device.

cipher: Sets a ciphertext password.

simple: Sets a plaintext password.

key: Specifies the key string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 32 characters. If cipher is specified, it must be a string of 1 to 73 characters.

Usage guidelines

For security purposes, all passwords, including those configured in plain text, are saved in cipher text.

The command automatically creates the file if you specify a non-existent file.

With this command executed, the DHCP server backs up its bindings immediately and runs auto backup. The server, by default, waits 300 seconds after a binding change to update the backup file. You can use the dhcp server database update interval command to change the waiting time. If no DHCP binding changes, the backup file is not updated.

H3C recommends that you back up the bindings to a remote file. If you use the local storage medium, the frequent erasing and writing might damage the medium and then cause the DHCP server malfunction.

When the backup file is on a remote device, follow these restrictions and guidelines to specify the URL, username, and password:

·          If the file is on an FTP server, enter URL in the following format: ftp://server address:port/file path, where the port number is optional.

·          If the file is on a TFTP server, enter URL in the following format: tftp://server address:port/file path, where the port number is optional.

·          The username and password must be the same as those configured on the FTP or TFTP server. If the server authenticates only the username, the password can be omitted. For example, enter URL ftp://1.1.1.1/database.dhcp username admin to specify the URL and username options at the CLI.

·          If the IP address of the server is an IPv6 address, enclose the address in a pair of brackets, for example, ftp://[1::1]/database.dhcp.

·          You can also specify the DNS domain name for the server address field, for example, ftp://company/database.dhcp.

Examples

# Configure the DHCP server to back up its bindings to the file database.dhcp.

<Sysname> system-view

[Sysname] dhcp server database filename database.dhcp

# Configure the DHCP server to back up its bindings to the file database.dhcp in the working directory of the FTP server at 10.1.1.1.

<Sysname> system-view

[Sysname] dhcp server database filename url ftp://10.1.1.1/database.dhcp username 1 password simple 1

Related commands

·          dhcp server database update interval

·          dhcp server database update now

·          dhcp server database update stop

dhcp server database update interval

Use dhcp server database update interval to set the waiting time after a DHCP binding change for the DHCP server to update the backup file.

Use undo dhcp server database update interval to restore the default.

Syntax

dhcp server database update interval seconds

undo dhcp server database update interval

Default

The DHCP server waits 300 seconds after a DHCP binding change to update the backup file. If no DHCP binding changes, the backup file is not updated.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Sets the waiting time in seconds in the range of 60 to 864000.

Usage guidelines

The waiting time takes effect only after you configure the DHCP binding auto backup by using the dhcp server database filename command.

When a DHCP binding is created, updated, or removed, the waiting period starts. The DHCP server updates the backup file when the waiting period is reached. All bindings changed during the period will be saved to the backup file.

Examples

# Set the waiting time to 10 minutes for the DHCP server to update the backup file.

<Sysname> system-view

[Sysname] dhcp server database update interval 600

Related commands

·          dhcp server database filename

·          dhcp server database update now

·          dhcp server database update stop

dhcp server database update now

Use dhcp server database update now to manually save the DHCP bindings to the backup file.

Syntax

dhcp server database update now

Views

System view

Predefined user roles

network-admin

Usage guidelines

For this command to take effect, you must configure the DHCP auto backup by using the dhcp server database filename command.

Examples

# Manually save the DHCP bindings to the backup file.

<Sysname> system-view

[Sysname] dhcp server database update now

Related commands

·          dhcp server database filename

·          dhcp server database update interval

·          dhcp server database update stop

dhcp server database update stop

Use dhcp server database update stop to terminate the download of DHCP bindings from the backup file.

Syntax

dhcp server database update stop

Views

System view

Predefined user roles

network-admin

Usage guidelines

The DHCP server does not provide services during the binding download process. If the connection disconnects during the process, the waiting timeout timer is 60 minutes. When the timer expires, the DHCP server stops waiting and starts providing address allocation services.

To enable the DHCP server to provide services without waiting for the connection to be repaired, use this command to terminate the download immediately. The IP addresses associated with the undownloaded bindings will be assigned to clients. Address conflicts might occur.

Examples

# Terminate the download of the backup DHCP bindings.

<Sysname> system-view

[Sysname] dhcp server database update stop

Related commands

·          dhcp server database filename

·          dhcp server database update interval

·          dhcp server database update now

dhcp server forbidden-ip

Use dhcp server forbidden-ip to exclude specific IP addresses from dynamic allocation.

Use undo dhcp server forbidden-ip to remove the configuration.

Syntax

dhcp server forbidden-ip start-ip-address [ end-ip-address ]

undo dhcp server forbidden-ip start-ip-address [ end-ip-address ]

Default

No IP addresses are excluded from dynamic allocation.

Views

System view

Predefined user roles

network-admin

Parameters

start-ip-address: Specifies the start IP address.

end-ip-address: Specifies the end IP address, which cannot be lower than the start-ip-address. If you do not specify this argument, only the start-ip-address is excluded from dynamic allocation.

Usage guidelines

The IP addresses of some devices such as the gateway and FTP server cannot be assigned to clients. Use this command to exclude such addresses from dynamic allocation.

You can use this command multiple times to exclude multiple IP address ranges from dynamic allocation.

If the excluded IP address is in a static binding, the address can be still assigned to the client.

The address or address range specified in the undo dhcp server forbidden-ip command must be the same as that specified in the dhcp server forbidden-ip command. To remove an IP address from the specified address range, you must remove the entire address range.

Examples

# Exclude the IP addresses of 10.110.1.1 through 10.110.1.63 from dynamic allocation.

<Sysname> system-view

[Sysname] dhcp server forbidden-ip 10.110.1.1 10.110.1.63

Related commands

·          forbidden-ip

·          static-bind

dhcp server ip-pool

Use dhcp server ip-pool to create a DHCP address pool and enter its view.

Use undo dhcp server ip-pool to remove the specified DHCP address pool.

Syntax

dhcp server ip-pool pool-name

undo dhcp server ip-pool pool-name

Default

No DHCP address pool is created.

Views

System view

Predefined user roles

network-admin

Parameters

pool-name: Specifies the name for the DHCP address pool, a case-insensitive string of 1 to 63 characters used to uniquely identify this pool.

Usage guidelines

You can also use this command to enter the view of an existing DHCP address pool.

A DHCP address pool is used to store the configuration parameters to be assigned to DHCP clients.

Examples

# Create a DHCP address pool named pool1.

<Sysname> system-view

[Sysname] dhcp server ip-pool pool1

[Sysname-dhcp-pool-pool1]

Related commands

·          class ip-pool

·          dhcp server apply ip-pool

·          display dhcp server pool

dhcp server ping packets

Use dhcp server ping packets to set the maximum number of ping packets.

Use undo dhcp server ping packets to restore the default.

Syntax

dhcp server ping packets number

undo dhcp server ping packets

Default

The maximum number of ping packets is 1.

Views

System view

Predefined user roles

network-admin

Parameters

number: Sets the maximum number of ping packets, in the range of 0 to 10. To disable the address conflict detection, set the value to 0.

Usage guidelines

To avoid IP address conflicts, the DHCP server pings an IP address before assigning it to a DHCP client.

If a ping attempt succeeds, the server considers that the IP address is in use and picks a new IP address. If all the ping attempts are failed, the server assigns the IP address to the requesting DHCP client.

Examples

# Set the maximum number of ping packets to 10.

<Sysname> system-view

[Sysname] dhcp server ping packets 10

Related commands

·          dhcp server ping timeout

·          display dhcp server conflict

·          reset dhcp server conflict

dhcp server ping timeout

Use dhcp server ping timeout to set the ping response timeout time on the DHCP server.

Use undo dhcp server ping timeout to restore the default.

Syntax

dhcp server ping timeout milliseconds

undo dhcp server ping timeout

Default

The ping response timeout time is 500 milliseconds.

Views

System view

Predefined user roles

network-admin

Parameters

milliseconds: Sets the timeout time in the range of 0 to 10000 milliseconds. To disable the ping operation for address conflict detection, set the value to 0 milliseconds.

Usage guidelines

To avoid IP address conflicts, the DHCP server pings an IP address before assigning it to a DHCP client.

If a ping attempt succeeds, the server considers that the IP address is in use and picks a new IP address. If all the ping attempts are failed, the server assigns the IP address to the requesting DHCP client.

Examples

# Set the response timeout time to 1000 milliseconds.

<Sysname> system-view

[Sysname] dhcp server ping timeout 1000

Related commands

·          dhcp server ping packets

·          display dhcp server conflict

·          reset dhcp server conflict

dhcp server relay information enable

Use dhcp server relay information enable to enable the DHCP server to handle Option 82.

Use undo dhcp server relay information enable to configure the DHCP server to ignore Option 82.

Syntax

dhcp server relay information enable

undo dhcp server relay information enable

Default

The DHCP server handles Option 82.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Upon receiving a DHCP request that contains Option 82, the server copies the original Option 82 into the response. If the server is configured to ignore Option 82, the response will not contain Option 82.

Examples

# Configure the DHCP server to ignore Option 82.

<Sysname> system-view

[Sysname] undo dhcp server relay information enable

dhcp server reply-exclude-option60

Use dhcp server reply-exclude-option60 to disable the DHCP server from encapsulating Option 60 in DHCP replies.

Use undo dhcp server reply-exclude-option60 to restore the default.

Syntax

dhcp server reply-exclude-option60

undo dhcp server reply-exclude-option60

Default

The DHCP server can encapsulate Option 60 in DHCP replies.

Views

System view

Predefined user roles

network-admin

Usage guidelines

If you do not disable the capability, the DHCP server encapsulates Option 60 in a DHCP reply in the following situations:

·          The received DHCP packet contains Option 60.

·          Option 60 is configured for the address pool.

If you disable the capability, the DHCP server does not encapsulate Option 60 in DHCP replies.

Examples

# Disable the DHCP server from encapsulating Option 60 in DHCP replies.

<Sysname> system-view

[Sysname] dhcp server reply-exclude-option60

display dhcp server conflict

Use display dhcp server conflict to display information about IP address conflicts.

Syntax

display dhcp server conflict [ ip ip-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip ip-address: Displays conflict information about the specified IP address. If you do not specify this option, this command displays information about all IP address conflicts.

Usage guidelines

The DHCP server generates IP address conflict information in the following situations:

·          Before assigning an IP address to a DHCP client, the DHCP server pings the IP address and discovers that another host is using the address.

·          The DHCP client sends a DECLINE packet to the DHCP server to inform the server of an IP address conflict.

·          The DHCP server discovers that the only assignable address in the address pool is its own IP address.

Examples

# Display information about all IP address conflicts.

<Sysname> display dhcp server conflict

IP address          Detect time

4.4.4.1             Apr 25 16:57:20 2007

4.4.4.2             Apr 25 17:00:10 2007

Table 4 Command output

Field

Description

 

IP address

Conflicted IP address.

Detect time

Time when the conflict was discovered.

 

Related commands

reset dhcp server conflict

display dhcp server database

Use display dhcp server database to display information about DHCP binding auto backup.

Syntax

display dhcp server database

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about DHCP binding auto backup.

<Sysname> display dhcp server database

 File name               :   database.dhcp

 Username                :  

 Password                :  

 Update interval         :   600 seconds

 Latest write time       :   Feb  8 16:09:53 2014

 Status                  :   Last write succeeded.

Table 5 Command output

Field

Description

 

File name

Name of the DHCP binding backup file.

Username

Username for logging in to the remote device.

Password

Password for logging in to the remote device. This field displays ****** if a password is configured.

Update interval

Waiting time in seconds after a DHCP binding change for the DHCP server to update the backup file.

Latest write time

Time of the latest update.

Status

Status of the update:

·         Writing—The backup file is being updated.

·         Last write succeeded—The backup file was successfully updated.

·         Last write failed—The backup file failed to be updated.

 

display dhcp server expired

Use display dhcp server expired to display the lease expiration information.

Syntax

display dhcp server expired [ ip ip-address | pool pool-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip ip-address: Displays lease expiration information about the specified IP address.

pool pool-name: Displays lease expiration information about the specified address pool. The pool name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you do not specify any parameters, this command displays lease expiration information about all address pools.

DHCP assigns these expired IP addresses to DHCP clients when all available addresses have been assigned.

Examples

# Display all lease expiration information.

<Sysname> display dhcp server expired

IP address       Client-identifier/Hardware address    Lease expiration

4.4.4.6          3030-3066-2e65-3230-302e-3130-3234    Apr 25 17:10:47 2007

                 -2d45-7468-6572-6e65-7430-2f31

Table 6 Command output

Field

Description

IP address

Expired IP address.

Client-identifier/Hardware address

Client ID or MAC address.

Lease expiration

Time when the lease expired.

 

Related commands

reset dhcp server expired

display dhcp server free-ip

Use display dhcp server free-ip to display information about assignable IP addresses.

Syntax

display dhcp server free-ip [ pool pool-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pool pool-name: Displays assignable IP addresses in the specified address pool. The pool name is a case-insensitive string of 1 to 63 characters. If you do not specify an address pool, this command displays all assignable IP addresses for all address pools.

Examples

# Display assignable IP addresses in all address pools.

<Sysname> display dhcp server free-ip

Pool name: 1

  Network: 10.0.0.0 mask 255.0.0.0

    IP ranges from 10.0.0.10 to 10.0.0.100

    IP ranges from 10.0.0.105 to 10.0.0.255

  Secondary networks:

    10.1.0.0 mask 255.255.0.0

      IP ranges from 10.1.0.0 to 10.1.0.255

    10.2.0.0 mask 255.255.0.0

      IP Ranges from 10.2.0.0 to 10.2.0.255

 

Pool name: 2

  Network: 20.1.1.0 mask 255.255.255.0

    IP ranges from 20.1.1.0 to 20.1.1.255

Table 7 Command output

Field

Description

Pool name

Name of the address pool.

Network

Assignable network.

IP ranges

Assignable IP address range.

Secondary networks

Assignable secondary networks.

 

Related commands

·          address range

·          dhcp server ip-pool

·          network

display dhcp server ip-in-use

Use display dhcp server ip-in-use to display binding information about assigned IP addresses.

Syntax

display dhcp server ip-in-use [ ip ip-address | pool pool-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip ip-address: Displays binding information about the specified IP address.

pool pool-name: Displays binding information about the specified IP address pool. The pool name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you do not specify any parameters, this command displays binding information about all assigned DHCP addresses.

If the lease deadline exceeds the year 2100, the lease expiration time is displayed as After 2100.

The binding information can be used by other security modules such as IP source guard only when the DHCP server is configured on the gateway of DHCP clients.

Examples

# Display binding information about all assigned DHCP addresses.

<Sysname> display dhcp server ip-in-use

IP address       Client identifier/    Lease expiration      Type

                 Hardware address

10.1.1.1         652e-3030-2e34        Not used              Static(F)

10.1.1.2         3030-3030-2e30        May 1 14:02:49 2015   Auto(C)

10.1.1.3         652e-3030-2e54        After 2100            Static(C)

Table 8 Command output

Field

Description

IP address

IP address assigned.

 

Client identifier/Hardware address

Client ID or hardware address.

 

Lease expiration

Lease expiration time:

·         Exact time (May 1 14:02:49 2015 in this example)Time when the lease will expire.

·         Not usedThe IP address of the static binding has not been assigned to the specific client.

·         UnlimitedInfinite lease expiration time.

·         After 2100—The lease will expire after 2100.

 

Type

Binding types:

·         Static(F)—A free static binding whose IP address has not been assigned.

·         Static(O)—An offered  static binding whose IP address has been selected and sent by the DHCP server in a DHCP-OFFER packet to the client. Static(C)—A committed static binding whose IP address has been assigned to the DHCP client.

·         Auto(O)—An offered temporary dynamic binding whose IP address has been dynamically selected by the DHCP server and sent in a DHCP-OFFER packet to the DHCP client.

·         Auto(C)—A committed dynamic binding whose IP address has been dynamically assigned to the DHCP client.

 

 

Related commands

reset dhcp server ip-in-use

display dhcp server pool

Use display dhcp server pool to display information about a DHCP address pool.

Syntax

display dhcp server pool [ pool-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pool-name: Displays information about the specified address pool. The pool name is a case-insensitive string of 1 to 63 characters. If you do not specify the pool-name argument, this command displays information about all address pools.

Examples

# Display information about all DHCP address pools.

<Sysname> display dhcp server pool

Pool name: 0

  Network 20.1.1.0 mask 255.255.255.0

  class a range 20.1.1.50 20.1.1.60

  bootfile-name abc.cfg

  dns-list 20.1.1.66 20.1.1.67 20.1.1.68

  domain-name www.aabbcc.com

  bims-server ip 192.168.0.51 sharekey cipher $c$3$K13OmQPi791YvQoF2Gs1E+65LOU=

  option 2 ip-address 1.1.1.1

  expired 1 2 3 0

 

Pool name: 1

  Network 20.1.1.0 mask 255.255.255.0

  secondary networks:

    20.1.2.0 mask 255.255.255.0

    20.1.3.0 mask 255.255.255.0

  bims-server ip 192.168.0.51 port 50 sharekey cipher $c$3$K13OmQPi791YvQoF2Gs1E+65LOU=

  forbidden-ip 20.1.1.22 20.1.1.36 20.1.1.37

  forbidden-ip 20.1.1.22 20.1.1.23 20.1.1.24

  gateway-list 10.1.1.3 11.2.2.2 12.4.4.4

  nbns-list 11.5.5.5 12.6.6.4 13.7.7.7

  netbios-type m-node

  option 2 ip-address 10.1.1.3

  expired 1 0 0 0

 

Pool name: 2

  Network 20.1.1.0 mask 255.255.255.0

  address range 20.1.1.1 to 20.1.1.15

  class departmentA range 20.1.1.20 to 20.1.1.29

  class departmentB range 20.1.1.30 to 20.1.1.40

  next-server 20.1.1.33

  tftp-server domain-name www.dian.org.cn

  tftp-server ip-address 192.168.0.120

  voice-config ncp-ip 10.1.1.2

  voice-config as-ip 10.1.1.5

  voice-config voice-vlan 3 enable

  voice-config fail-over 10.1.1.1 123*

  option 2 ip-address 1.1.1.3

  expired 1 0 0 0

 

Pool name: 3

  static bindings:

    ip-address 10.10.1.2 mask 255.0.0.0

      hardware-address 00e0-00fc-0001 ethernet

    ip-address 10.10.1.3 mask 255.0.0.0

      client-identifier aaaa-bbbb

  expired unlimited

Table 9 Command output

Field

Description

Pool name

Name of an address pool.

Network

Assignable network.

secondary networks

Assignable secondary networks.

address range

Assignable address range.

class class-name range

DHCP user class and its address range.

static bindings

Static IP-to-MAC/client ID bindings.

option

Customized DHCP option.

expired

Lease duration: 1 2 3 4 in this example refers to 1 day 2 hours 3 minutes 4 seconds.

bootfile-name

Boot file name

dns-list

DNS server IP address.

domain-name

Domain name suffix.

bims-server

BIMS server information.

forbidden-ip

IP addresses excluded from dynamic allocation.

gateway-list

Gateway addresses.

nbns-list

WINS server addresses.

netbios-type

NetBIOS node type.

next-server

Next server IP address.

tftp-server domain-name

TFTP server name.

tftp-server ip-address

TFTP server address.

voice-config ncp-ip

Primary network calling processor address.

voice-config as-ip

Backup network calling processor address.

voice-config voice-vlan

Voice VLAN.

voice-config fail-over

Failover route.

 

display dhcp server statistics

Use display dhcp server statistics to display the DHCP server statistics.

Syntax

display dhcp server statistics [ pool pool-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pool pool-name: Specifies an address pool by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, this command displays information about all address pools.

Examples

# Display the DHCP server statistics.

<Sysname> display dhcp server statistics

    Pool number:                       1

    Pool utilization:                  0.39%

    Bindings:

      Automatic:                       1

      Manual:                          0

      Expired:                         0

    Conflict:                          1

    Messages received:                10

      DHCPDISCOVER:                    5

      DHCPREQUEST:                     3

      DHCPDECLINE:                     0

      DHCPRELEASE:                     2

      DHCPINFORM:                      0

      BOOTPREQUEST:                    0

    Messages sent:                     6

      DHCPOFFER:                       3

      DHCPACK:                         3

      DHCPNAK:                         0

      BOOTPREPLY:                      0

    Bad Messages:                      0

Table 10 Command output

Field

Description

 

Pool number

Total number of address pools. This field is not displayed when you display statistics for a specific address pool.

Pool utilization

Pool usage rate:

·         If you display statistics for all address pools, this field displays the usage rate of all address pools.

·         If you display statistics for an address pool, this field displays the pool usage rate of the specified address pool.

Bindings

Bindings include the following types:

·         Automatic—Number of dynamic bindings.

·         Manual—Number of static bindings.

·         Expired—Number of expired bindings.

Conflict

Total number of conflict addresses. This field is not displayed if you display statistics for a specific address pool.

Messages received

DHCP packets received from clients:

·         DHCPDISCOVER.

·         DHCPREQUEST.

·         DHCPDECLINE.

·         DHCPRELEASE.

·         DHCPINFORM.

·         BOOTPREQUEST.

This field is not displayed if you display statistics for a specific address pool.

Messages sent

DHCP packets sent to clients:

·         DHCPOFFER.

·         DHCPACK.

·         DHCPNAK.

·         BOOTPREPLY.

This field is not displayed if statistics about a specific address pool are displayed.

Bad Messages

Number of bad messages. This field is not displayed if you display statistics for a specific address pool.

 

Related commands

reset dhcp server statistics

dns-list

Use dns-list to specify DNS server addresses in a DHCP address pool.

Use undo dns-list to remove DNS server addresses from a DHCP address pool.

Syntax

dns-list ip-address&<1-8>

undo dns-list [ ip-address&<1-8> ]

Default

No DNS server address is specified.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

ip-address&<1-8>: Specifies a space-separated list of up to eight DNS servers.

Usage guidelines

If you use the dns-list command multiple times, the most recent configuration takes effect.

If you do not specify any parameters, the undo dns-list command deletes all DNS server addresses in the DHCP address pool.

Examples

# Specify the DNS server address 10.1.1.254 in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] dns-list 10.1.1.254

Related commands

display dhcp server pool

domain-name

Use domain-name to specify a domain name in a DHCP address pool.

Use undo domain-name to remove the specified domain name.

Syntax

domain-name domain-name

undo domain-name

Default

No domain name suffix is specified.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the domain name, a case-sensitive string of 1 to 50 characters.

Usage guidelines

If you use the command multiple times, the most recent configuration takes effect.

Examples

# Specify the domain name company.com in address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] domain-name company.com

Related commands

display dhcp server pool

expired

Use expired to set the lease duration in a DHCP address pool.

Use undo expired to restore the default lease duration for a DHCP address pool.

Syntax

expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }

undo expired

Default

The lease duration of a dynamic address pool is one day.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

day day: Sets the number of days, in the range of 0 to 365.

hour hour: Sets the number of hours, in the range of 0 to 23.

minute minute: Sets the number of minutes, in the range of 0 to 59.

second second: Sets the number of seconds, in the range of 0 to 59.

unlimited: Specifies the unlimited lease duration, which is actually 136 years.

Usage guidelines

The DHCP server assigns an IP address together with the lease duration to the DHCP client. Before the lease expires, the DHCP client must extend the lease duration.

·          If the lease extension operation succeeds, the DHCP client can continue to use the IP address.

·          If the lease extension operation does not succeed, both of the following events occur:

?  The DHCP client cannot use the IP address after the lease duration expires.

?  The DHCP server will label the IP address as an expired address.

Examples

# Set the lease duration to 1 day, 2 hours, 3 minutes, and 4 seconds in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] expired day 1 hour 2 minute 3 second 4

Related commands

·          display dhcp server expired

·          display dhcp server pool

·          reset dhcp server expired

forbidden-ip

Use forbidden-ip to exclude IP addresses from dynamic allocation in an address pool.

Use undo forbidden-ip to cancel the configuration.

Syntax

forbidden-ip ip-address&<1-8>

undo forbidden-ip [ ip-address&<1-8> ]

Default

No IP addresses are excluded from dynamic allocation in an address pool.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

ip-address&<1-8>: Specifies a space-separated list of up to eight excluded IP addresses.

Usage guidelines

The excluded IP addresses in an address pool are still assignable in other address pools.

You can exclude a maximum of 4096 IP addresses in an address pool.

If you do not specify any parameters, the undo forbidden-ip command deletes all excluded IP addresses.

Examples

# Exclude IP addresses 192.168.1.3 and 192.168.1.10 from dynamic allocation in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] forbidden-ip 192.168.1.3 192.168.1.10

Related commands

·          dhcp server forbidden-ip

·          display dhcp server pool

gateway-list

Use gateway-list to specify gateway addresses in a DHCP address pool or a DHCP secondary subnet.

Use undo gateway-list to remove the specified gateway addresses from a DHCP address pool or a DHCP secondary subnet.

Syntax

gateway-list ip-address&<1-64> [ export-route ]

undo gateway-list [ ip-address&<1-64> ] [ export-route ]

Default

No gateway address is configured in a DHCP address pool or a DHCP secondary subnet.

Views

DHCP address pool view

DHCP secondary subnet view

Predefined user roles

network-admin

Parameters

ip-address&<1-64>: Specifies a space-separated list of up to 64 gateway addresses. Gateway addresses must reside on the same subnet as the assignable IP addresses.

export-route: Binds the gateways to the device's MAC address in the address management module. The ARP module will use the entries to reply to ARP requests from the DHCP clients. This feature ensures the clients to obtain different gateway IP addresses but the same MAC address.

Usage guidelines

If you do not specify any parameters, the undo gateway-list command deletes all gateway addresses.

The DHCP server assigns gateway addresses to clients on a secondary subnet in the following ways:

·          If gateways are specified in both address pool view and secondary subnet view, DHCP assigns those specified in the secondary subnet view.

·          If gateways are specified in address pool view but not in secondary subnet view, DHCP assigns those specified in address pool view.

Examples

# Specify the gateway address 10.1.1.1 in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] gateway-list 10.1.1.1

Related commands

display dhcp server pool

if-match

Use if-match to configure a match rule for a DHCP user class.

Use undo if-match to delete a match rule for a DHCP user class.

Syntax

if-match rule rule-number { hardware-address hardware-address mask hardware-address-mask | option option-code [ ascii ascii-string [ offset offset | partial ] | hex hex-string [ mask mask | offset offset length length | partial ] ] | relay-agent gateway-address }

undo if-match rule rule-number

Default

No match rule is configured for the DHCP user class.

Views

DHCP user class view

Predefined user roles

network-admin

Parameters

rule rule-number: Assigns the match rule an ID in the range of 1 to 16. A smaller ID represents a higher match priority.

hardware-address hardware-address: Specifies a hardware address, a string of 4 to 39 characters. The string contains hyphen-separated hexadecimal numbers. The last hexadecimal number can be a two-digit or four-digit number, and the other hexadecimal numbers must be four-digit numbers. For example, aabb-ccdd-ee is valid, and aabb-c-dddd or aabb-cc-dddd is invalid.

mask hardware-address-mask: Specifies the mask for the match operation. The length of the mask must be the same as that of the hardware address.

option option-code: Specifies a DHCP option by its number in the range of 1 to 254.

ascii ascii-string: Specifies an ASCII string of 1 to 128 characters.

offset offset: Specifies the offset in bytes after which the match operation starts. The value range is 0 to 254. If you specify an ASCII string, a packet matches the rule if the option content after the offset is the same as the ASCII string. If you specify a hexadecimal string, a packet matches the rule if the option content of the specified length after the offset is the same as the hexadecimal string.

partial: Enables partial match. A packet matches a rule if the specified option in the packet contains the ASCII or hexadecimal string specified in the rule. For example, if the specified string is abc, option content xabc, xyzabca, xabcyz, and abcxyz all match the rule.

hex hex-string: Specifies a hexadecimal string. The length of the hexadecimal string must be an even number in the range of 2 to 256.

mask mask: Specifies the mask for the match operation. The mask is a hexadecimal string whose length is an even number in the range of 2 to 256 and must be the same as the hex-string length. The DHCP server selects a string of the mask length from the start of the option, and ANDs the selected string and the specified hexadecimal string with the mask. The packet matches the rule if the two AND operation results are the same.

length length: Specifies the length of the option content to be matched, in the range of 1 to 128 bytes. The length must be the same as the hex-string length.

relay-agent gateway-address: Specifies a giaddr field value. The value is an IPv4 address in the dotted decimal notation. A packet match the rule if its giaddr field value is the same as that in the rule.

Usage guidelines

You can configure multiple match rules for a DHCP user class. Each match rule is uniquely identified by a rule ID within its type (hardware address, option, or relay agent address). The DHCP server compares the hardware address, option content, or relay agent address in the DHCP requests against the match rules. If a match is found, the DHCP client matches the DHCP user class.

H3C recommends you not configure rules of different types to use the same ID. Two rules cannot have the same content.

·          If the rule that you are configuring has the same ID and type as an existing rule, the new rule overwrites the existing rule.

·          If the rule that you are configuring has the same ID as an existing rule but a different type, the new rule takes effect and coexists with the existing rule.

When you configure an if-match hardware-address rule, follow these guidelines:

·          A rule applies only to clients with MAC addresses. It does not match clients with hardware addresses of other types.

·          The specified hardware address must be of the same length as the client hardware addresses to be matched. To match MAC addresses, the specified hardware address must be six bytes long.

·          The fs and 0s in the mask for the hardware match operation can be noncontiguous. For example, the rule if-match rule 1 hardware-address 0094-0000-1100 mask ffff-0000-ff00 matches hardware addresses in which the first two bytes are 0094 and the fifth byte is 11.

When you configure an if-match option rule, follow these guidelines:

·          To match packets that contain an option, specify only the option code.

·          To match a hexadecimal string by AND operations, specify the option option-code hex hex-string mask mask options.

·          To match a hexadecimal string directly, specify the option option-code hex hex-string [ offset offset length length | partial ] options.

If you do not specify the optional parameters, a packet matches a rule if the option content starts with the hexadecimal string.

·          To match an ASCII string, specify the option option-code ascii ascii-string [ offset offset | partial ] options.

If you do not specify the optional parameters, a packet matches a rule if the option content starts with the ASCII string.

Examples

# Configure match rule 1 for the DHCP user class exam to match DHCP requests in which the hardware address is six bytes long and begins with 0094.

<Sysname> system-view

[Sysname] dhcp class exam

[Sysname-dhcp-class-exam] if-match rule 1 hardware-address 0094-0000-0101 mask ffff-0000-0000

# Configure match rule 2 for the DHCP user class exam to match DHCP requests that contain Option 82.

<Sysname> system-view

[Sysname] dhcp class exam

[Sysname-dhcp-class-exam] if-match rule 2 option 82

# Configure match rule 3 for the DHCP user class exam to match DHCP requests in which the highest bit of the fourth byte in Option 82 is 1.

<Sysname> system-view

[Sysname] dhcp class exam

[Sysname-dhcp-class-exam] if-match rule 3 option 82 hex 00000080 mask 00000080

# Configure match rule 4 for the DHCP user class exam to match DHCP requests in which the first three bytes of Option 82 are 0x13ae92.

<Sysname> system-view

[Sysname] dhcp class exam

[Sysname-dhcp-class-exam] if-match rule 4 option 82 hex 13ae92 offset 0 length 3

# Configure match rule 5 for the DHCP user class exam to match DHCP requests in which the Option 82 contains the string 0x13ae.

<Sysname> system-view

[Sysname] dhcp class exam

[Sysname-dhcp-class-exam] if-match rule 5 option 82 hex 13ae partial

# Configure match rule 6 for the DHCP user class exam to match DHCP requests in which the giaddr field is 10.1.1.1.

<Sysname> system-view

[Sysname] dhcp class exam

[Sysname-dhcp-class-exam] if-match rule 6 relay-agent 10.1.1.1

Related commands

dhcp class

ip-in-use threshold

Use ip-in-use threshold to set a threshold for the address pool usage alarming.

Use undo ip-in-use threshold to restore the default.

Syntax

ip-in-use threshold threshold-value

undo ip-in-use threshold

Default

The address pool usage threshold is 100%.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

threshold-value: Sets the threshold for the address pool usage percentage. The value range is 1 to 100.

Usage guidelines

If you use this command in the same address pool view multiple times, the most recent configuration takes effect.

When the address pool usage exceeds the threshold, the system sends log messages to the information center. According to the log information, you can optimize the address pool configuration. For more information about the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Set the address pool usage threshold to 85%.

<Sysname> system-view

[Sysname] dhcp server ip-pool p1

[Sysname-dhcp-pool-p1] ip-in-use threshold 85

nbns-list

Use nbns-list to specify WINS server addresses in a DHCP address pool.

Use undo nbns-list to remove the specified WINS server addresses.

Syntax

nbns-list ip-address&<1-8>

undo nbns-list [ ip-address&<1-8> ]

Default

No WINS server address is specified.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

ip-address&<1-8>: Specifies a space-separated list of up to eight WINS server IP addresses.

Usage guidelines

If you use this command multiple times, the most recent configuration takes effect.

If you do not specify any parameters, the undo nbns-list command deletes all WINS server addresses.

Examples

# Specify the WINS server IP address 10.1.1.1 in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] nbns-list 10.1.1.1

Related commands

·          display dhcp server pool

·          netbios-type

netbios-type

Use netbios-type to specify the NetBIOS node type in a DHCP address pool.

Use undo netbios-type to remove the specified NetBIOS node type.

Syntax

netbios-type { b-node | h-node | m-node | p-node }

undo netbios-type

Default

No NetBIOS node type is specified.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

b-node: Specifies the broadcast node. A b-node client sends the destination name in a broadcast message to get the name-to-IP mapping from a server.

h-node: Specifies the hybrid node. An h-node client unicasts the destination name to a WINS server. If it does not receive a response, the h-node client broadcasts the destination name to get the mapping from a server.

m-node: Specifies the mixed node. An m-node client broadcasts the destination name. If it does not receive a response, the m-node client unicasts the destination name to the WINS server to get the mapping.

p-node: Specifies the peer-to-peer node. A p-node client sends the destination name in a unicast message to get the mapping from the WINS server.

Usage guidelines

If you use the command multiple times, the most recent configuration takes effect.

Examples

# Specify the NetBIOS node type as p-node in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] netbios-type p-node

Related commands

·          display dhcp server pool

·          nbns-list

network

Use network to specify the subnet for dynamic allocation in a DHCP address pool.

Use undo network to remove the specified subnet.

Syntax

network network-address [ mask-length | mask mask ] [ export-route ] [ secondary ]

undo network network-address [ mask-length | mask mask ] [ secondary ]

Default

No subnet is specified in a DHCP address pool.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

network-address: Specifies the subnet for dynamic allocation. If no mask length or mask is specified, the natural mask will be used.

mask-length: Specifies the mask length in the range of 1 to 30.

mask mask: Specifies the mask in dotted decimal format.

export-route: Advertises the subnet assigned to DHCP clients. This feature ensures symmetric routing for traffic of the same client.

secondary: Specifies the subnet as a secondary subnet. If you do not specify this keyword, this command specifies the primary subnet. If the addresses in the primary subnet are used up, the DHCP server can select addresses from a secondary subnet for clients.

Usage guidelines

You can use the secondary keyword to specify a secondary subnet and enter its view. In secondary subnet view, you can specify gateways by using the gateway-list command for DHCP clients in the secondary subnet.

You can specify only one primary subnet for a DHCP address pool. If you use the network command multiple times, the most recent configuration takes effect.

You can specify up to 32 secondary subnets for a DHCP address pool.

The primary subnet and secondary subnets in a DHCP address pool must not have the same network address and mask.

If you have used the address range or class command in an address pool, you cannot specify a secondary subnet in the same address pool.

Modifying or removing the network configuration deletes the assigned addresses from the current address pool.

If you use the network export-route command multiple times, the most recent configuration takes effect.

Examples

# Specify primary subnet 192.168.8.0/24 and secondary subnet 192.168.10.0/24 in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] network 192.168.8.0 mask 255.255.255.0

[Sysname-dhcp-pool-0] network 192.168.10.0 mask 255.255.255.0 secondary

[Sysname-dhcp-pool-0-secondary]

Related commands

·          display dhcp server pool

·          gateway-list

next-server

Use next-server to specify the IP address of a server in a DHCP address pool.

Use undo next-server to remove the server's IP address from the DHCP address pool.

Syntax

next-server ip-address

undo next-server

Default

No server's IP address is specified in a DHCP address pool.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of a server.

Usage guidelines

Upon startup, the DHCP client obtains an IP address and the specified server IP address. Then it contacts the specified server, such as a TFTP server, to get other boot information.

If you use the next-server command multiple times, the most recent configuration takes effect.

Examples

# Specify a server's IP address 10.1.1.254 in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] next-server 10.1.1.254

Related commands

display dhcp server pool

option

Use option to customize a DHCP option.

Use undo option to remove a customized DHCP option.

Syntax

option code { ascii ascii-string | hex hex-string | ip-address ip-address&<1-8> }

undo option code

Default

No DHCP option is customized.

Views

DHCP address pool view

DHCP option group view

Predefined user roles

network-admin

Parameters

code: Specifies the number of the customized option, in the range of 2 to 254.

ascii ascii-string: Specifies an ASCII string of 1 to 255 characters as the option content.

hex hex-string: Specifies a hexadecimal string as the option content. The string length must be an even number in the range of 2 to 256.

ip-address ip-address&<1-8>: Specifies a space-separated list of up to eight IP addresses as the option content.

Usage guidelines

The DHCP server fills the customized option with the specified ASCII string, hexadecimal string, or IP addresses, and sends it in a response to the client.

If you use the option command with the same code specified, the most recent configuration takes effect.

You can customize options for the following purposes:

·          Add newly released options.

·          Add options for which the vendor defines the contents, for example, Option 43.

·          Add options for which the CLI does not provide a dedicated configuration command. For example, you can use the option 4 ip-address 1.1.1.1 command to define the time server address 1.1.1.1 for DHCP clients.

·          Add all option values if the actual requirement exceeds the limit for a dedicated option configuration command. For example, the dns-list command can specify up to eight DNS servers. To specify more than eight DNS server, you must use the option 6 command to define all DNS servers.

DHCP options specified by dedicated commands take precedence over those specified by the option commands. For example, if a DNS server address is specified by both the dns-list command and the option 6 command, the server uses the address specified by the dns-list command.

DHCP options specified in DHCP option groups take precedence over those specified in DHCP address pools.

Examples

# Configure Option 7 to specify the log server address 2.2.2.2 in address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] option 7 ip-address 2.2.2.2

Related commands

display dhcp server pool

reset dhcp server conflict

Use reset dhcp server conflict to clear IP address conflict information.

Syntax

reset dhcp server conflict [ ip ip-address ]

Views

User view

Predefined user roles

network-admin

Parameters

ip ip-address: Clears conflict information about the specified IP address. If you do not specify this option, this command clears all address conflict information.

Usage guidelines

Address conflicts occur when dynamically assigned IP addresses have been statically configured for other hosts. After you modify the address pool configuration, the conflicted addresses might become assignable. To assign these addresses, use the reset dhcp server conflict command to clear the conflict information first.

Examples

# Clear all IP address conflict information.

<Sysname> reset dhcp server conflict

Related commands

display dhcp server conflict

reset dhcp server expired

Use reset dhcp server expired to clear binding information about expired IP addresses.

Syntax

reset dhcp server expired [ ip ip-address | pool pool-name ]

Views

User view

Predefined user roles

network-admin

Parameters

ip ip-address: Clears binding information about the specified expired IP address.

pool pool-name: Clears binding information about the expired IP addresses in the specified address pool. The pool name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you do not specify any parameters, this command clears binding information about all expired IP addresses.

Examples

# Clear binding information about all expired IP addresses.

<Sysname> reset dhcp server expired

Related commands

display dhcp server expired

reset dhcp server ip-in-use

Use reset dhcp server ip-in-use to clear binding information about assigned IP addresses.

Syntax

reset dhcp server ip-in-use [ ip ip-address | pool pool-name ]

Views

User view

Predefined user roles

network-admin

Parameters

ip ip-address: Clears binding information about the specified assigned IP address.

pool pool-name: Clears binding information about the specified address pool. The pool name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you do not specify any parameters, this command clears binding information about all assigned IP addresses.

If you use this command to clear information about an assigned static binding, the static binding becomes an unassigned static binding.

Examples

# Clear binding information about the IP address 10.110.1.1.

<Sysname> reset dhcp server ip-in-use ip 10.110.1.1

Related commands

display dhcp server ip-in-use

reset dhcp server statistics

Use reset dhcp server statistics to clear DHCP server statistics.

Syntax

reset dhcp server statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear DHCP server statistics.

<Sysname> reset dhcp server statistics

Related commands

display dhcp server statistics

static-bind

Use static-bind to statically bind a client ID or MAC address to an IP address.

Use undo static-bind to remove a static binding.

Syntax

static-bind ip-address ip-address [ mask-length | mask mask ] { client-identifier client-identifier | hardware-address hardware-address [ ethernet | token-ring ] }

undo static-bind ip-address ip-address

Default

No static binding is specified in a DHCP address pool.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

ip-address ip-address: Specifies the IP address of the static binding. The natural mask is used if no mask length or mask is specified.

mask-length: Specifies the mask length in the range of 1 to 30.

mask mask: Specifies the mask, in dotted decimal format.

client-identifier client-identifier: Specifies the client ID of the static binding, a string of 4 to 254 characters. The string can contain only hexadecimal numbers and hyphen (-), in the format of H-H-H…. The last H can be a two-digit or four-digit hexadecimal number while the other Hs must be all four-digit hexadecimal numbers. For example, aabb-cccc-dd is correct, and aabb-c-dddd and aabb-cc-dddd are not correct.

hardware-address hardware-address: Specifies the client hardware address of the static binding, a string of 4 to 39 characters. The string can contain only hexadecimal numbers and hyphen (-), in the format of H-H-H…. The last H can be a two-digit or four-digit hexadecimal number while the other Hs must be all four-digit hexadecimal numbers. For example, aabb-cccc-dd is correct, and aabb-c-dddd and aabb-cc-dddd are not correct.

ethernet: Specifies the client hardware address type as Ethernet. The default type is Ethernet.

token-ring: Specifies the client hardware address type as token ring.

Usage guidelines

The IP address of a static binding must not be an interface address of the DHCP server. Otherwise, an IP address conflict occurs, and the bound client cannot obtain the IP address.

You can specify multiple static bindings in an address pool. The total number of static bindings in all address pools cannot exceed 8192.

You cannot modify bindings. To change the binding for a DHCP client, you must delete the existing binding first and create a new binding.

Examples

# Bind the IP address 10.1.1.1/24 to the client ID 00aa-aabb in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] static-bind ip-address 10.1.1.1 mask 255.255.255.0 client-identifier 00aa-aabb

Related commands

display dhcp server pool

tftp-server domain-name

Use tftp-server domain-name to specify a TFTP server name in a DHCP address pool.

Use undo tftp-server domain-name to remove the TFTP server name from a DHCP address pool.

Syntax

tftp-server domain-name domain-name

undo tftp-server domain-name

Default

No TFTP server name is specified.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the TFTP server name, a case-sensitive string of 1 to 63 characters.

Usage guidelines

If you use this command multiple times, the most recent configuration takes effect.

Examples

# Specify the TFTP server name aaa in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] tftp-server domain-name aaa

Related commands

·          display dhcp server pool

·          tftp-server ip-address

tftp-server ip-address

Use tftp-server ip-address to specify a TFTP server address in a DHCP address pool.

Use undo tftp-server ip-address to remove the TFTP server address from a DHCP address pool.

Syntax

tftp-server ip-address ip-address

undo tftp-server ip-address

Default

No TFTP server address is specified.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of a TFTP server.

Usage guidelines

If you use this command multiple times, the most recent configuration takes effect.

Examples

# Specify the TFTP server address 10.1.1.1 in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] tftp-server ip-address 10.1.1.1

Related commands

·          display dhcp server pool

·          tftp-server domain-name

valid class

Use valid class to add DHCP user classes to the whitelist.

Use undo valid class to remove DHCP user classes from the whitelist.

Syntax

valid class class-name&<1-8>

undo valid class class-name&<1-8>

Default

No DHCP user class is listed on the whitelist.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

class-name&<1-8>: Specifies a space-separated list of up to eight DHCP user classes by their names, a case-insensitive string of 1 to 63 characters.

Usage guidelines

For this command to take effect, you must enable the DHCP user class whitelist.

Examples

# Add DHCP user classes test1 and test2 to the whitelist in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] valid class test1 test2

Related commands

·          dhcp class

·          verify class

verify class

Use verify class to enable the DHCP user class whitelist.

Use undo verify class to disable the DHCP user class whitelist.

Syntax

verify class

undo verify class

Default

The DHCP user class whitelist is disabled.

Views

DHCP address pool view

Predefined user roles

network-admin

Usage guidelines

After you enable the DHCP user class whitelist, the DHCP user classes on the whitelist take effect. The DHCP server processes requests only from clients on the DHCP user class whitelist.

The DHCP user class whitelist does not take effect on clients that request static IP addresses, and the server always processes their requests.

Examples

# Enable the DHCP user class whitelist in DHCP address pool 0.

[Sysname] system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] verify class

Related commands

valid class

voice-config

Use voice-config to configure the content for Option 184 in a DHCP address pool.

Use undo voice-config to remove the Option 184 content from a DHCP address pool.

Syntax

voice-config { as-ip ip-address | fail-over ip-address dialer-string | ncp-ip ip-address | voice-vlan vlan-id { disable | enable } }

undo voice-config [ as-ip | fail-over | ncp-ip | voice-vlan ]

Default

No Option 184 content is configured in a DHCP address pool.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

as-ip ip-address: Specifies the IP address of the backup network calling processor.

fail-over ip-address dialer-string: Specifies the failover IP address and dialer string. The dialer-string is a string of 1 to 39 characters, which can include numbers 0 through 9 and asterisk (*).

ncp-ip ip-address: Specifies the IP address of the primary network calling processor.

voice-vlan vlan-id: Specifies the voice VLAN ID in the range of 2 to 4094.

·          disable: Disables the specified VLAN. DHCP clients will not take this VLAN as their voice VLAN.

·          enable: Enables the specified VLAN. DHCP clients will take this VLAN as their voice VLAN.

Usage guidelines

If you use the command multiple times, the most recent configuration takes effect.

Examples

# Configure Option 184 in DHCP address pool 0. The primary and backup network calling processors are at 10.1.1.1 and 10.2.2.2, respectively. The voice VLAN 3 is enabled. The failover IP address is 10.3.3.3. The dialer string is 99*.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] voice-config ncp-ip 10.1.1.1

[Sysname-dhcp-pool-0] voice-config as-ip 10.2.2.2

[Sysname-dhcp-pool-0] voice-config voice-vlan 3 enable

[Sysname-dhcp-pool-0] voice-config fail-over 10.3.3.3 99*

Related commands

display dhcp server pool

DHCP relay agent commands

dhcp relay check mac-address

Use dhcp relay check mac-address to enable MAC address check on the relay agent.

Use undo dhcp relay check mac-address to disable MAC address check on the relay agent.

Syntax

dhcp relay check mac-address

undo dhcp relay check mac-address

Default

The MAC address check feature is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

This feature enables the DHCP relay agent to compare the chaddr field of a received DHCP request with the source MAC address in the frame header. If they are the same, the DHCP relay agent forwards the request to the DHCP server. If they are not the same, the DHCP relay agent discards the request.

The MAC address check feature takes effect only when the dhcp select relay command has already been configured on the interface.

Enable the MAC address check feature only on the DHCP relay agent directly connected to the DHCP clients. A DHCP relay agent changes the source MAC address of DHCP packets before sending them.

Examples

# Enable MAC address check on the relay agent.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] dhcp relay check mac-address

Related commands

dhcp select relay

dhcp relay check mac-address aging time

Use dhcp relay check mac-address aging time to set the aging time for MAC address check entries on the DHCP relay agent.

Use undo dhcp relay check mac-address aging time to restore the default.

Syntax

dhcp relay check mac-address aging-time time

undo dhcp relay check mac-address aging-time

Default

The aging time is 30 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time: Sets the aging time for MAC address check entries in seconds, in the range of 30 to 600.

Usage guidelines

This command takes effect only after you execute the dhcp relay check mac-address command.

Examples

# Set the aging time to 60 seconds for MAC address check entries on the DHCP relay agent.

<Sysname> system-view

[Sysname] dhcp relay check mac-address aging-time 60

dhcp relay client-information record

Use dhcp relay client-information record to enable recording client information in relay entries. A relay entry contains information about a client such as the client's IP and MAC addresses.

Use undo dhcp relay client-information record to disable the feature.

Syntax

dhcp relay client-information record

undo dhcp relay client-information record

Default

The DHCP relay agent does not record client information in relay entries.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Disabling recording of client information deletes all recorded relay entries.

Client information is recorded only when the DHCP relay agent is configured on the gateway of DHCP clients.

Examples

# Enable recording of relay entries on the relay agent.

<Sysname> system-view

[Sysname] dhcp relay client-information record

Related commands

·          dhcp relay client-information refresh

·          dhcp relay client-information refresh enable

dhcp relay client-information refresh

Use dhcp relay client-information refresh to set the interval at which the DHCP relay agent periodically refreshes relay entries.

Use undo dhcp relay client-information refresh to restore the default.

Syntax

dhcp relay client-information refresh [ auto | interval interval ]

undo dhcp relay client-information refresh

Default

The refresh interval is automatically calculated based on the number of relay entries.

Views

System view

Predefined user roles

network-admin

Parameters

auto: Automatically calculates the refresh interval. The more the entries, the shorter the refresh interval. The shortest interval is 50 ms.

interval interval: Sets the refresh interval in the range of 1 to 120 seconds.

Usage guidelines

If you use this command multiple times, the most recent configuration takes effect.

Examples

# Set the refresh interval to 100 seconds.

<Sysname> system-view

[Sysname] dhcp relay client-information refresh interval 100

Related commands

·          dhcp relay client-information record

·          dhcp relay client-information refresh enable

dhcp relay client-information refresh enable

Use dhcp relay client-information refresh enable to enable the DHCP relay agent to periodically refresh dynamic relay entries.

Use undo dhcp relay client-information refresh enable to disable the DHCP relay agent to periodically refresh dynamic relay entries.

Syntax

dhcp relay client-information refresh enable

undo dhcp relay client-information refresh enable

Default

The DHCP relay agent periodically refreshes relay entries.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A DHCP client unicasts a DHCP-RELEASE message to the DHCP server to release its IP address. The DHCP relay agent conveys the message to the DHCP server and does not remove the IP-to-MAC entry of the client.

With this feature, the DHCP relay agent uses a client's IP address and the relay interface's MAC address to periodically send a DHCP-REQUEST message to the DHCP server.

·          If the server returns a DHCP-ACK message or does not return any message within an interval, the DHCP relay agent performs the following operations:

?  Removes the relay entry.

?  Sends a DHCP-RELEASE message to the DHCP server to release the IP address.

·          If the server returns a DHCP-NAK message, the relay agent keeps the entry.

With this feature disabled, the DHCP relay agent does not remove relay entries automatically. After a DHCP client releases its IP address, you must use the reset dhcp relay client-information on the relay agent to remove the corresponding relay entry.

Examples

# Disable periodic refresh of relay entries.

<Sysname> system-view

[Sysname] undo dhcp relay client-information refresh enable

Related commands

·          dhcp relay client-information record

·          dhcp relay client-information refresh

·          reset dhcp relay client-information

dhcp relay gateway

Use dhcp relay gateway to specify a gateway address for DHCP clients on the DHCP relay interface.

Use undo dhcp relay gateway to restore the default.

Syntax

dhcp relay gateway ip-address

undo dhcp relay gateway

Default

The primary IP address of the DHCP relay interface is used as the gateway address for DHCP clients.

Views

Interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies a gateway address. The IP address must be the primary or secondary IP address of the relay interface.

Usage guidelines

The DHCP relay agent uses the specified IP address instead of the primary IP address of the relay interface as the gateway address for DHCP clients.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify 10.1.1.1 as the gateway address for DHCP clients on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] dhcp relay gateway 10.1.1.1

Related commands

gateway-list

dhcp relay information circuit-id

Use dhcp relay information circuit-id to configure the padding mode and padding format for the Circuit ID sub-option of Option 82.

Use undo dhcp relay information circuit-id to restore the default.

Syntax

dhcp relay information circuit-id { bas | string circuit-id | { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] [ interface ] } [ format { ascii | hex } ] }

undo dhcp relay information circuit-id

Default

The padding mode is normal and the padding format is hex.

Views

Interface view

Predefined user roles

network-admin

Parameters

bas: Specifies the bas mode for padding the Circuit ID sub-option.

string circuit-id: Specifies the string mode that uses a case-sensitive string of 3 to 63 characters as the content of the Circuit ID sub-option.

normal: Specifies the normal mode, in which the padding content consists of the VLAN ID and port number.

verbose: Specifies the verbose mode. The padding content includes the node identifier, interface information, and VLAN ID.

node-identifier { mac | sysname | user-defined node-identifier }: Specifies the access node identifier.

·          mac: Uses the MAC address of the access node as the node identifier. It is the default node identifier.

·          sysname: Uses the device name as the node identifier. You can set the device name by using the sysname command in system view. The padding format for the device name is always ASCII regardless of the specified padding format.

 

 

NOTE:

If sysname is used as the node identifier, do not include any spaces when you set the device name. Otherwise, the DHCP relay agent fails to add or replace Option 82.

 

·          user-defined node-identifier: Uses a case-sensitive string of 1 to 50 characters as the node identifier. The padding format for the specified character string is always ASCII regardless of the specified padding format.

interface: Uses the interface name as the interface information. The padding format for the interface name is always ASCII regardless of the specified padding format. The default interface information consists of the Ethernet type (fixed to eth), chassis number, slot number, sub-slot number, and interface number.

format: Sets the padding format for the Circuit ID sub-option.

ascii: Sets the padding format to ASCII.

hex: Sets the padding format to hex.

Usage guidelines

The Circuit ID sub-option cannot carry information about interface splitting or subinterfaces. For more information about interface splitting and subinterfaces, see Interface Configuration Guide.

If you use this command multiple times, the most recent configuration takes effect.

The padding format for the user-defined string, the normal mode, or the verbose mode varies by command configuration. Table 11 shows how the padding format is determined for different modes.

Table 11 Padding format for different modes

Keyword (mode)

If no padding format is set

If the padding format is ascii

If the padding format is hex

string circuit-id

You cannot set a padding format, and the padding format is always ASCII.

N/A

N/A

normal

Hex.

ASCII.

Hex.

verbose

Hex for the VLAN ID.

ASCII for the node identifier, Ethernet type, chassis number, slot number, sub-slot number, and interface number.

ASCII.

ASCII for the node identifier and Ethernet type.

Hex for the chassis number, slot number, sub-slot number, interface number, and VLAN ID.

 

Examples

# Specify the content mode as verbose, node identifier as the device name, and the padding format as ASCII for the Circuit ID sub-option.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] dhcp relay information enable

[Sysname-Vlan-interface10] dhcp relay information strategy replace

[Sysname-Vlan-interface10] dhcp relay information circuit-id verbose node-identifier sysname format ascii

Related commands

·          dhcp relay information enable

·          dhcp relay information strategy

·          display dhcp relay information

dhcp relay information enable

Use dhcp relay information enable to enable the DHCP relay agent to support Option 82.

Use undo dhcp relay information enable to disable Option 82 support.

Syntax

dhcp relay information enable

undo dhcp relay information enable

Default

The DHCP relay agent does not support Option 82.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

This command enables the DHCP relay agent to add Option 82 to DHCP requests that do not contain Option 82 before forwarding the requests to the DHCP server. The content of Option 82 is determined by the dhcp relay information circuit-id and dhcp relay information remote-id commands. If the DHCP requests contain Option 82, the relay agent handles the requests according to the strategy configured with the dhcp relay information strategy command.

If this feature is disabled, the relay agent forwards requests that contain or do not contain Option 82 to the DHCP server.

Examples

# Enable Option 82 support on the relay agent.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] dhcp relay information enable

Related commands

·          dhcp relay information circuit-id

·          dhcp relay information remote-id

·          dhcp relay information strategy

·          display dhcp relay information

dhcp relay information remote-id

Use dhcp relay information remote-id to configure the padding mode and padding format for the Remote ID sub-option of Option 82.

Use undo dhcp relay information remote-id to restore the default.

Syntax

dhcp relay information remote-id { { ap-mac | ap-mac-ssid | normal } [ format { ascii | hex } ] | ap-name | ap-name-ssid | string remote-id | sysname }

undo dhcp relay information remote-id

Default

The padding mode is normal and the padding format is hex.

Views

Interface view

Predefined user roles

network-admin

Parameters

ap-mac: Specifies to pad the Remote ID sub-option with the MAC address of an AP.

ap-mac-ssid: Specifies to pad the Remote ID sub-option with the MAC address and SSID of an AP, which are separated by the colon (:). For more information about the SSID, see WLAN access configuration in WLAN Configuration Guide.

normal: Specifies the normal mode in which the padding content is the MAC address of the receiving interface.

format: Sets the padding format for the Remote ID sub-option. The default padding format is hex.

ascii: Sets the padding format to ASCII.

hex: Sets the padding format to Hex.

ap-name: Specifies to pad the Remote ID sub-option with the name of an AP. For more information about AP names, see AP management in WLAN Configuration Guide.

ap-name-ssid: Specifies to pad the Remote ID sub-option with the name and SSID of an AP, which are separated by the colon (:).

string remote-id: Specifies the string mode that uses a case-sensitive string of 1 to 63 characters as the content of the Remote ID sub-option.

sysname: Specifies the sysname mode that uses the device name as the content of the Remote ID sub-option. You can set the device name by using the sysname command.

Usage guidelines

The padding format is always ASCII for the AP name (ap-name), AP name and SSID (ap-name-ssid), the specified character string (string), and the device name (sysname).

The padding format for the AP MAC address (ap-mac), AP MAC address and SSID (ap-mac-ssid), and the normal mode is determined by the command.

If you use the command multiple times, the most recent configuration takes effect.

Examples

# Specify the padding content for the Remote ID sub-option of Option 82 as device001.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] dhcp relay information enable

[Sysname-Vlan-interface10] dhcp relay information strategy replace

[Sysname-Vlan-interface10] dhcp relay information remote-id string device001

Related commands

·          dhcp relay information enable

·          dhcp relay information strategy

·          display dhcp relay information

dhcp relay information strategy

Use dhcp relay information strategy to configure the strategy for the DHCP relay agent to handle messages containing Option 82.

Use undo dhcp relay information strategy to restore the default handling strategy.

Syntax

dhcp relay information strategy { drop | keep | replace }

undo dhcp relay information strategy

Default

The handling strategy for messages that contain Option 82 is replace.

Views

Interface view

Predefined user roles

network-admin

Parameters

drop: Drops DHCP messages that contain Option 82 messages.

keep: Keeps the original Option 82 intact.

replace: Replaces the original Option 82 with the configured Option 82.

Usage guidelines

This command takes effect only on DHCP requests that contain Option 82.

For DHCP requests that do not contain Option 82, the DHCP relay agent always adds Option 82 to the requests before forwarding the requests to the DHCP server.

If the handling strategy is replace, configure a padding mode and padding format for Option 82. If the handling strategy is keep or drop, you do not need to configure any padding mode or padding format. The settings do not take effect even if you configure them.

Examples

# Specify the handling strategy for Option 82 as keep.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] dhcp relay information enable

[Sysname-Vlan-interface10] dhcp relay information strategy keep

Related commands

·          dhcp relay information enable

·          display dhcp relay information

dhcp relay release ip

Use dhcp relay release ip to release a specific client IP address.

Syntax

dhcp relay release ip client-ip

Views

System view

Predefined user roles

network-admin

Parameters

client-ip: Specifies the IP address to be released.

Usage guidelines

After you execute this command, the relay agent sends a DHCP-RELEASE packet to the DHCP server and removes the relay entry of the IP address. Upon receiving the packet, the server removes binding information about the specified IP address to release the IP address.

Examples

# Release the IP address 1.1.1.1.

<Sysname> system-view

[Sysname] dhcp relay release ip 1.1.1.1

dhcp relay server-address

Use dhcp relay server-address to specify DHCP servers on the DHCP relay agent.

Use undo dhcp relay server-address to remove DHCP servers.

Syntax

dhcp relay server-address ip-address

undo dhcp relay server-address [ ip-address ]

Default

No DHCP server is specified on the relay agent.

Views

Interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of a DHCP server. The DHCP relay agent forwards DHCP packets received from DHCP clients to this DHCP server.

Usage guidelines

The specified IP address of the DHCP server must not reside on the same subnet as the IP address of the DHCP relay agent interface. Otherwise, the DHCP clients might fail to obtain IP addresses.

You can specify a maximum of eight DHCP servers on an interface. The DHCP relay agent forwards the packets from the clients to all the specified DHCP servers.

If you do not specify an IP address, the undo dhcp relay server-address command removes all DHCP servers on the interface.

Examples

# Specify the DHCP server 1.1.1.1 on the relay agent interface VLAN-interface 10.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] dhcp relay server-address 1.1.1.1

Related commands

·          dhcp select relay

·          display dhcp relay interface

dhcp smart-relay enable

Use dhcp smart-relay enable to enable the DHCP smart relay feature.

Use undo dhcp smart-relay enable to restore the default.

Syntax

dhcp smart-relay enable

undo dhcp smart-relay enable

Default

The DHCP smart relay feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the smart relay feature on interfaces that are configured as the relay agent on the device.

The smart relay feature allows the relay agent to use secondary IP addresses as the gateway address when the DHCP server does not reply the DHCP-OFFER message. Without this feature, the relay agent always uses the primary IP address as the gateway address.

Examples

# Enable the DHCP smart relay feature.

<Sysname> system-view

[Sysname] dhcp smart-relay enable

Related commands

·          dhcp select

·          gateway-list

display dhcp relay check mac-address

Use display dhcp relay check mac-address to display MAC address check entries on the relay agent.

Syntax

display dhcp relay check mac-address

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display MAC address check entries on the DHCP relay agent.

<Sysname> display dhcp relay check mac-address

Source-MAC        Interface                 Aging-time

00f3-1122-adf1    GE1/0/1                   10

00f3-1122-2230    GE1/0/2                   30

Table 12 Command output

Field

Description

Source MAC

Source MAC address of the attacker.

Interface

Interface where the attack comes from.

Aging-time

Aging time of the MAC address check entry, in seconds.

 

display dhcp relay client-information

Use display dhcp relay client-information to display relay entries on the relay agent.

Syntax

display dhcp relay client-information [ interface interface-type interface-number | ip ip-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Displays relay entries on the specified interface.

ip ip-address: Displays the relay entry for the specified IP address.

Usage guidelines

The DHCP relay agent records relay entries only when the dhcp relay client-information record command has been issued.

If you do not specify any parameters, the display dhcp relay client-information command displays all relay entries on the relay agent.

Examples

# Display all relay entries on the relay agent.

<Sysname> display dhcp relay client-information

Total number of client-information items: 2

Total number of dynamic items: 1

Total number of temporary items: 1

IP address       MAC address      Type        Interface            VPN name

10.1.1.1         00e0-0000-0001   Dynamic     GE1/0/1              N/A

10.1.1.5         00e0-0000-0000   Temporary   Vlan2                N/A

Table 13 Command output

Field

Description

Total number of client-information items

Total number of relay entries.

Total number of dynamic items

Total number of dynamic relay entries.

Total number of temporary items

Total number of temporary relay entries.

IP address

IP address of the DHCP client.

MAC address

MAC address of the DHCP client.

Type

Relay entry type:

·         Dynamic—The relay agent creates a dynamic relay entry upon receiving an ACK response from the DHCP server.

·         Temporary—The relay agent creates a temporary relay entry upon receiving a REQUEST packet from a DHCP client.

Interface

Layer 3 interface connected to the DHCP client. N/A is displayed for relay entries without interface information.

VPN name

Name of the VPN instance to which the DHCP client belongs. If the DHCP client does not belong to any VPN, this field displays N/A.

The device does not support this field in the current software version.

 

Related commands

·          dhcp relay client-information record

·          reset dhcp relay client-information

display dhcp relay information

Use display dhcp relay information to display Option 82 configuration information for the DHCP relay agent.

Syntax

display dhcp relay information [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Displays Option 82 configuration information for the specified interface. If you do not specify an interface, this command displays Option 82 configuration information about all interfaces.

Examples

# Display Option 82 configuration information for all interfaces.

<Sysname> display dhcp relay information

Interface: Vlan-interface100

   Status: Enable

   Strategy: Replace

   Circuit ID Pattern: Verbose

   Remote ID Pattern: Sysname

   Circuit ID format-type: Undefined

   Remote ID format-type: ASCII

   Node identifier: aabbcc

Interface: Vlan-interface200

   Status: Enable

   Strategy: Replace

   Circuit ID Pattern: User Defined

   Remote ID Pattern: User Defined

   Circuit ID format-type: ASCII

   Remote ID format-type: ASCII

   User defined:

   Circuit ID: vlan100

   Remote ID: device001

Table 14 Command output

Field

Description

 

Interface

Interface name.

 

Status

Option 82 states:

·         EnableDHCP relay agent support for Option 82 is enabled.

·         DisableDHCP relay agent support for Option 82 is disabled.

Strategy

Handling strategy for request messages containing Option 82, Drop, Keep, or Replace.

Circuit ID Pattern

Padding content mode of the Circuit ID sub-option, Verbose, Normal, or User Defined.

Remote ID Pattern

Padding content mode of the Remote ID sub-option, Sysname, Normal, or User Defined.

Circuit ID format-type

Padding format of the Circuit ID sub-option, ASCII, Hex, or Undefined.

Remote ID format-type

Padding format of the Remote ID sub-option, ASCII, Hex, or Undefined.

Node identifier

Access node identifier.

User defined

Content of the user-defined sub-options.

Circuit ID

User-defined content of the Circuit ID sub-option.

Remote ID

User-defined content of the Remote ID sub-option.

 

display dhcp relay server-address

Use display dhcp relay server-address to display DHCP server addresses configured on an interface.

Syntax

display dhcp relay server-address [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Displays DHCP server addresses on the specified interface. If you do not specify an interface, this command displays DHCP server addresses on all interfaces.

Examples

# Display DHCP server addresses on all interfaces.

<Sysname> display dhcp relay server-address

Interface name                 Server IP address

GE1/0/1                        2.2.2.2

Table 15 Command output

Field

Description

Interface name

Interface name.

Server IP address

DHCP server IP address.

 

Related commands

dhcp relay server-address

display dhcp relay statistics

Use display dhcp relay statistics to display DHCP packet statistics on the DHCP relay agent.

Syntax

display dhcp relay statistics [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Displays DHCP packet statistics on the specified interface. If you do not specify an interface, this command displays all DHCP packet statistics on the DHCP relay agent.

Examples

# Display all DHCP packet statistics on the DHCP relay agent.

<Sysname> display dhcp relay statistics

DHCP packets dropped:                  0

DHCP packets received from clients:    0

   DHCPDISCOVER:                       0

   DHCPREQUEST:                        0

   DHCPINFORM:                         0

   DHCPRELEASE:                        0

   DHCPDECLINE:                        0

   BOOTPREQUEST:                       0

DHCP packets received from servers:    0

   DHCPOFFER:                          0

   DHCPACK:                            0

   DHCPNAK:                            0

   BOOTPREPLY:                         0

DHCP packets relayed to servers:       0

   DHCPDISCOVER:                       0

   DHCPREQUEST:                        0

   DHCPINFORM:                         0

   DHCPRELEASE:                        0

   DHCPDECLINE:                        0

   BOOTPREQUEST:                       0

DHCP packets relayed to clients:       0

   DHCPOFFER:                          0

   DHCPACK:                            0

   DHCPNAK:                            0

   BOOTPREPLY:                         0

DHCP packets sent to servers:          0

   DHCPDISCOVER:                       0

   DHCPREQUEST:                        0

   DHCPINFORM:                         0

   DHCPRELEASE:                        0

   DHCPDECLINE:                        0

   BOOTPREQUEST:                       0

DHCP packets sent to clients:          0

   DHCPOFFER:                          0

   DHCPACK:                            0

   DHCPNAK:                            0

   BOOTPREPLY:                         0

Related commands

reset dhcp relay statistics

gateway-list

Use gateway-list to specify a list of gateways for DHCP clients in the relay address pool.

Use undo gateway-list to remove the specified gateway addresses from a DHCP relay address pool.

Syntax

gateway-list ip-address&<1-64> [ export-route ]

undo gateway-list [ ip-address&<1-64> ] [ export-route ]

Default

No gateway address is specified in a DHCP relay address pool.

Views

DHCP relay address pool view

Predefined user roles

network-admin

Parameters

ip-address&<1-64>: Specifies a space-separated list of up to 64 addresses. Gateway IP addresses must reside on the same subnet as the IP addresses assigned to the DHCP clients.

export-route: Binds the gateway to the device's MAC address in the address management module. The ARP module will use the entry to reply to ARP requests from the DHCP clients.

Usage guidelines

DHCP clients of the same access type can be classified into different types by their locations. In this case, the relay interface typically has no IP address configured. You can use the gateway-list command to specify the gateway for clients matching the same relay address pool and bind the gateway address to the device's MAC address.

Upon receiving a DHCP DISCOVER or REQUEST from a client that matches a relay address pool, the relay agent processes the packet as follows:

·          Fills the giaddr field of the packet with the specified gateway address.

·          Forwards the packet to all DHCP servers in the matching relay address pool.

The DHCP servers select an address pool according to the gateway address.

Examples

# Specify the gateway address 10.1.1.1 in DHCP relay address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] gateway-list 10.1.1.1

Related commands

dhcp smart-relay enable

remote-server

Use remote-server to specify a list of DHCP servers for a DHCP relay address pool.

Use undo remote-server to remove the configuration.

Syntax

remote-server ip-address&<1-8>

undo remote-server [ ip-address&<1-8> ]

Default

No DHCP server is specified for the DHCP relay address pool.

Views

DHCP relay address pool view

Predefined user roles

network-admin

Parameters

ip-address&<1-8>: Specifies a space-separated list of up to eight DHCP server addresses.

Usage guidelines

If you use this command multiple times, the most recent configuration takes effect.

If you do not specify a DHCP server address, the undo remote-server command removes all DHCP servers in the relay address pool.

Examples

# Specify DHCP server 10.1.1.1 for DHCP relay address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] remote-server 10.1.1.1

reset dhcp relay client-information

Use reset dhcp relay client-information to clear relay entries on the DHCP relay agent.

Syntax

reset dhcp relay client-information [ interface interface-type interface-number | ip ip-address ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Clears relay entries on the specified interface.

ip ip-address: Clears the relay entry for the specified IP address.

Usage guidelines

If you do not specify any parameters, this command clears all relay entries on the DHCP relay agent.

Examples

# Clear all relay entries on the DHCP relay agent.

<Sysname> reset dhcp relay client-information

Related commands

display dhcp relay client-information

reset dhcp relay statistics

Use reset dhcp relay statistics to clear relay agent statistics.

Syntax

reset dhcp relay statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Clears DHCP relay agent statistics on the specified interface. If you do not specify an interface, this command clears all DHCP relay agent statistics.

Examples

# Clear all DHCP relay agent statistics.

<Sysname> reset dhcp relay statistics

Related commands

display dhcp relay statistics

DHCP client commands

dhcp client dad enable

Use dhcp client dad enable to enable duplicate address detection.

Use undo dhcp client dad enable to disable duplicate address detection.

Syntax

dhcp client dad enable

undo dhcp client dad enable

Default

The duplicate address detection feature is enabled on an interface.

Views

System view

Predefined user roles

network-admin

Usage guidelines

DHCP client detects IP address conflict through ARP packets. An attacker can act as the IP address owner to send an ARP reply. This makes the client unable to use the IP address assigned by the server. H3C recommends that you disable duplicate address detection when ARP attacks exist on the network.

Examples

# Disable the duplicate address.

<Sysname> system-view

[Sysname] undo dhcp client dad enable

dhcp client dscp

Use dhcp client dscp to set the DSCP value for DHCP packets sent by the DHCP client.

Use undo dhcp client dscp to restore the default.

Syntax

dhcp client dscp dscp-value

undo dhcp client dscp

Default

The DSCP value in DHCP packets is 56.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Sets the DSCP value for DHCP packets, in the range of 0 to 63.

Usage guidelines

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

Examples

# Set the DSCP value to 30 for DHCP packets sent by the DHCP client.

<Sysname> system-view

[Sysname] dhcp client dscp 30

dhcp client identifier

Use dhcp client identifier to configure a DHCP client ID for an interface.

Use undo dhcp client identifier to restore the default.

Syntax

dhcp client identifier { ascii string | hex string | mac interface-type interface-number }

undo dhcp client identifier

Default

An interface generates the DHCP client ID based on its MAC address. If the interface has no MAC address, it uses the MAC address of the first Ethernet interface to generate its client ID.

Views

Interface view

Predefined user roles

network-admin

Parameters

ascii string: Specifies a case-sensitive ASCII string of 1 to 63 characters as the client ID.

hex string: Specifies a hexadecimal string of 4 to 64 characters as the client ID.

mac interface-type interface-number: Uses the MAC address of the specified interface as a DHCP client ID. The interface-type interface-number argument specifies an interface by its type and number.

Usage guidelines

A DHCP client ID is added to the DHCP option 61. A DHCP server can specify IP addresses for clients based on the DHCP client ID. You can specify a DHCP client ID by performing one of the following operations:

·          Naming an ASCII string or hexadecimal string as the client ID.

·          Using the MAC address of an interface to generate a client ID.

Whichever method you use, make sure the IDs for different DHCP clients are unique.

Examples

# Specify the hexadecimal string of FFFFFFF as the client ID for VLAN-interface 10.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] dhcp client identifier hex FFFFFFFF

Related commands

display dhcp client

display dhcp client

Use display dhcp client to display DHCP client information.

Syntax

display dhcp client [ verbose ] [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

verbose: Displays verbose DHCP client information.

interface interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

If you do not specify an interface, this command displays DHCP client information about all interfaces.

Examples

# Display DHCP client information about all interfaces.

<Sysname> display dhcp client

Vlan-interface10 DHCP client information:

 Current state: BOUND

 Allocated IP: 40.1.1.20 255.255.255.0

 Allocated lease: 259200 seconds, T1: 129600 seconds, T2: 226800 seconds

 DHCP server: 40.1.1.2

# Display verbose DHCP client information.

<Sysname> display dhcp client verbose

Vlan-interface10 DHCP client information:

 Current state: BOUND

 Allocated IP: 40.1.1.20 255.255.255.0

 Allocated lease: 259200 seconds, T1: 129600 seconds, T2: 226800 seconds

 Lease from May 21 19:00:29 2012   to   May 24 19:00:29 2012

 DHCP server: 40.1.1.2

 Transaction ID: 0x1c09322d

 Default router: 40.1.1.2

 Classless static routes:

   Destination: 1.1.0.1, Mask: 255.0.0.0, NextHop: 192.168.40.16

   Destination: 10.198.122.63, Mask: 255.255.255.255, NextHop: 192.168.40.16

 DNS servers: 44.1.1.11 44.1.1.12

 Domain name: ddd.com

 Boot servers: 200.200.200.200  1.1.1.1

 ACS parameter:

   URL: http://192.168.1.1:7547/acs

   Username: bims

   Password: ******

 Client ID type: acsii(type value=00)

 Client ID value: 000c.29d3.8659-GE1/0/1

 Client ID (with type) hex: 0030-3030-632e-3239-

                            6433-2e38-3635-392d-

                            4574-6830-2f30-2f32

 T1 will timeout in 1 day 11 hours 58 minutes 52 seconds.

Table 16 Command output

Field

Description

Vlan-interface10 DHCP client information

Information about the interface that acts as the DHCP client.

Current state

Current state of the DHCP client:

·         HALT—The client stops applying for an IP address.

·         INIT—The initialization state.

·         SELECTING—The client has sent out a DHCP-DISCOVER message in search for a DHCP server and is waiting for the response from DHCP servers.

·         REQUESTING—The client has sent out a DHCP-REQUEST message requesting for an IP address and is waiting for the response from DHCP servers.

·         BOUND—The client has received the DHCP-ACK message from a DHCP server and obtained an IP address successfully.

·         RENEWING—The T1 timer expires.

·         REBOUNDING—The T2 timer expires.

Allocated IP

IP address allocated by the DHCP server.

Allocated lease

Allocated lease time.

T1

1/2 lease time (in seconds) of the DHCP client IP address.

T2

7/8 lease time (in seconds) of the DHCP client IP address.

Lease from….to….

Start and end time of the lease.

DHCP server

DHCP server IP address that assigned the IP address.

Transaction ID

Transaction ID, a random number chosen by the client to identify an IP address allocation.

Default router

Gateway address assigned to the client.

Classless static routes

Classless static routes assigned to the client.

Static routes

Classful static routes assigned to the client.

DNS servers

DNS server address assigned to the client.

Domain name

Domain name suffix assigned to the client.

Boot servers

PXE server addresses (up to 16 addresses) specified for the DHCP client, which are obtained through Option 43.

ACS parameter

Parameters about the ACS.

URL

URL of the ACS.

Username

Username for logging in to the ACS.

Password

Password for logging in to the ACS. If a password is configured, this field displays ******. If no password is configured, this field is not displayed.

Client ID type

DHCP client ID type:

·         If an ASCII string is used as the client ID value, the type value is 00.

·         If the MAC address of a specific interface is used as the client ID value, the type value is 01.

·         If a hexadecimal string is used as the client ID value, the type value is the first two characters in the string.

Client ID value

Value of the DHCP client ID.

Client ID (with type) hex

DHCP client ID with the type field, a hexadecimal string.

T1 will timeout in 1 day 11 hours 58 minutes 52 seconds.

How long the T1 (1/2 lease time) timer will timeout.

 

Related commands

·          dhcp client identifier

·          ip address dhcp-alloc

ip address dhcp-alloc

Use ip address dhcp-alloc to configure an interface to use DHCP for IP address acquisition.

Use undo ip address dhcp-alloc to cancel an interface from using DHCP.

Syntax

ip address dhcp-alloc

undo ip address dhcp-alloc

Default

An interface does not use DHCP for IP address acquisition.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

When you execute the undo ip address dhcp-alloc command, the interface sends a DHCP-RELEASE message to release the IP address obtained through DHCP. If the interface is down, the message cannot be sent out. This situation can occur when a subinterface obtained an IP address through DHCP, and the shutdown command is executed on its primary interface. The subinterface will fail to send a DHCP-RELEASE message.

Examples

# Configure VLAN-interface 10 to use DHCP for IP address acquisition.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ip address dhcp-alloc

Related commands

display dhcp client

DHCP snooping commands

DHCP snooping works between the DHCP client and the DHCP server or between the DHCP client and the relay agent. DHCP snooping does not work between the DHCP server and the DHCP relay agent.

dhcp snooping binding database filename

Use dhcp snooping binding database filename to configure the DHCP snooping device to back up DHCP snooping entries to a file.

Use undo dhcp snooping binding database filename to restore the default.

Syntax

dhcp snooping binding database filename { filename | url url [ username username [ password { cipher | simple } string ] ] }

undo dhcp snooping binding database filename

Default

The DHCP snooping device does not back up DHCP snooping entries.

Views

System view

Predefined user roles

network-admin

Parameters

filename: Specifies the name of a local backup file. For information about the filename argument, see Fundamentals Configuration Guide.

url url: Specifies the URL of a remote backup file, a case-sensitive string of 1 to 255 characters. Do not include a username or password in the URL. Case sensitivity and the supported path format type vary by server.

username username: Specifies the username for accessing the URL of the remote backup file, a case-sensitive string of 1 to 32 characters. Do not specify this option if a username is not required for accessing the URL.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 32 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters. Do not specify this argument if a password is not required for accessing the URL of the remote backup file.

Usage guidelines

This command automatically creates the file if you specify a nonexistent file.

With this command executed, the DHCP snooping device backs up DHCP snooping entries immediately and runs auto backup. The DHCP snooping device, by default, waits 300 seconds after a DHCP snooping entry change to update the backup file. To change the waiting period, use the dhcp snooping binding database update interval command. If no DHCP snooping entry changes, the backup file is not updated.

As a best practice, back up the DHCP snooping entries to a remote file. If you use the local storage medium, the frequent erasing and writing might damage the medium and then cause the DHCP snooping device to malfunction.

When the file is on a remote device, follow these restrictions and guidelines to specify the URL, username, and password:

·          If the file is on an FTP server, enter URL in the following format: ftp://server address:port/file path, where the port number is optional.

·          If the file is on a TFTP server, enter URL in the following format: tftp://server address:port/file path, where the port number is optional.

·          The username and password must be the same as those configured on the FTP server. If the server authenticates only the username, the password can be omitted.

·          If the IP address of the server is an IPv6 address, enclose the address in a pair of brackets, for example, ftp://[1::1]/database.dhcp.

·          You can also specify the DNS domain name for the server address field, for example, ftp://company/database.dhcp.

Examples

# Configure the DHCP snooping device to back up DHCP snooping entries to the file database.dhcp.

<Sysname> system-view

[Sysname] dhcp snooping binding database filename database.dhcp

# Configure the DHCP snooping device to back up DHCP snooping entries to the file database.dhcp in the working directory of the FTP server at 10.1.1.1.

<Sysname> system-view

[Sysname] dhcp snooping binding database filename url ftp://10.1.1.1/database.dhcp username 1 password simple 1

# Configure the DHCP snooping device to back up DHCP snooping entries to the file database.dhcp in the working directory of the TFTP server at 10.1.1.1.

<Sysname> system-view

[Sysname] dhcp snooping binding database filename tftp://10.1.1.1/database.dhcp

Related commands

dhcp snooping binding database update interval

dhcp snooping binding database update interval

Use dhcp snooping binding database update interval to set the waiting time for the DHCP snooping device to update the backup file after a DHCP snooping entry change.

Use undo dhcp snooping binding database update interval to restore the default.

Syntax

dhcp snooping binding database update interval interval

undo dhcp snooping binding database update interval

Default

The DHCP snooping device waits 300 seconds to update the backup file after a DHCP snooping entry change. If no DHCP snooping entry changes, the backup file is not updated.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the waiting time in seconds, in the range of 60 to 864000.

Usage guidelines

When a DHCP snooping entry is learned, updated, or removed, the waiting period starts. The DHCP snooping device updates the backup file when the waiting period is reached. All changed entries during the period will be saved to the backup file.

The waiting time takes effect only after you configure the DHCP snooping entry auto backup by using the dhcp snooping binding database filename command.

Examples

# Set the waiting time to 600 seconds for the DHCP snooping device to update the backup file.

<Sysname> system-view

[Sysname] dhcp snooping binding database update interval 600

Related commands

dhcp snooping binding database filename

dhcp snooping binding database update now

Use dhcp snooping binding database update now to manually save DHCP snooping entries to the backup file.

Syntax

dhcp snooping binding database update now

Views

System view

Predefined user roles

network-admin

Usage guidelines

Each time this command is executed, the DHCP snooping entries are saved to the backup file.

This command takes effect only after you configure the DHCP snooping auto backup by using the dhcp snooping binding database filename command.

Examples

# Manually save DHCP snooping entries to the backup file.

<Sysname> system-view

[Sysname] dhcp snooping binding database update now

Related commands

dhcp snooping binding database filename

dhcp snooping binding record

Use dhcp snooping binding record to enable recording of client information in DHCP snooping entries.

Use undo dhcp snooping binding record to disable recording of client information in DHCP snooping entries.

Syntax

dhcp snooping binding record

undo dhcp snooping binding record

Default

DHCP snooping does not record client information.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

This command enables DHCP snooping on the port directly connecting to the clients to record client information in DHCP snooping entries.

Examples

# Enable recording of client information in DHCP snooping entries on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping binding record

dhcp snooping check mac-address

Use dhcp snooping check mac-address to enable MAC address check for DHCP snooping.

Use undo dhcp snooping check mac-address to disable MAC address check for DHCP snooping.

Syntax

dhcp snooping check mac-address

undo dhcp snooping check mac-address

Default

MAC address check for DHCP snooping is disabled.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

With MAC address check enabled, DHCP snooping compares the chaddr field of a received DHCP request with the source MAC address field in the frame header. If they are the same, DHCP snooping considers this request valid and forwards it to the DHCP server. If they are not the same, DHCP snooping discards the DHCP request.

Examples

# Enable MAC address check for DHCP snooping.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping check mac-address

dhcp snooping check request-message

Use dhcp snooping check request-message to enable DHCP-REQUEST check for DHCP snooping.

Use undo dhcp snooping check request-message to disable DHCP-REQUEST check for DHCP snooping.

Syntax

dhcp snooping check request-message

undo dhcp snooping check request-message

Default

DHCP-REQUEST check for DHCP snooping is disabled.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

DHCP-REQUEST packets include lease renewal packets, DHCP-DECLINE packets, and DHCP-RELEASE packets. This feature prevents unauthorized clients that forge DHCP-REQUEST packets from attacking the DHCP server.

With this feature enabled, DHCP snooping looks for a matching DHCP snooping entry for each received DHCP-REQUEST message.

·          If a match is found, DHCP snooping compares the entry with the message. If they have consistent information, DHCP snooping considers the packet valid and forwards it to the DHCP server. If they have different information, DHCP snooping considers the message invalid and discards it.

·          If no match is found, DHCP snooping forwards the message to the DHCP server.

Examples

# Enable DHCP-REQUEST check for DHCP snooping.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping check request-message

dhcp snooping deny

Use dhcp snooping deny to configure a port as DHCP packet blocking port.

Use undo dhcp snooping deny to restore the default.

Syntax

dhcp snooping deny

undo dhcp snooping deny

Default

A port does not block DHCP requests.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

A DHCP packet blocking port drops all incoming DHCP requests.

Examples

# Configure GigabitEthernet 1/0/1 as a DHCP packet blocking port.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-gigabitethernet 1/0/1] dhcp snooping deny

dhcp snooping enable

Use dhcp snooping enable to enable DHCP snooping.

Use undo dhcp snooping enable to disable DHCP snooping.

Syntax

dhcp snooping enable

undo dhcp snooping enable

Default

DHCP snooping is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use the DHCP snooping feature together with trusted port configuration. Before trusted ports are configured, all ports on the DHCP snooping device are untrusted and the device discards all responses sent from DHCP servers.

When DHCP snooping is disabled, the device forwards all responses from DHCP servers.

Examples

# Enable DHCP snooping.

<Sysname> system-view

[Sysname] dhcp snooping enable

dhcp snooping information circuit-id

Use dhcp snooping information circuit-id to configure the padding mode and padding format for the Circuit ID sub-option.

Use undo dhcp snooping information circuit-id to restore the default.

Syntax

dhcp snooping information circuit-id { [ vlan vlan-id ] string circuit-id | { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } [ format { ascii | hex } ] }

undo dhcp snooping information circuit-id [ vlan vlan-id ]

Default

The padding mode is normal and the padding format is hex.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

vlan vlan-id: Pads the Circuit ID sub-option for packets received from the specified VLAN. If you do not specify a VLAN, the device pads the Circuit ID sub-option for packets received from the default VLAN.

string circuit-id: Specifies the string mode, in which the padding content for the Circuit ID sub-option is a case-sensitive string of 3 to 63 characters.

normal: Specifies the normal mode. The padding content includes the VLAN ID and interface number.

verbose: Specifies the verbose mode.

node-identifier { mac | sysname | user-defined node-identifier }: Specifies the access node identifier. The padding content includes the node identifier, Ethernet type (fixed to eth), chassis number, slot number, sub-slot number, interface number, and VLAN ID. The node identifier varies by keyword mac, sysname, and user-defined.

·          mac: Uses the MAC address of the access node as the node identifier. It is the default node identifier.

·          sysname: Uses the device name as the node identifier. You can set the device name by using the sysname command in system view. The padding format for the device name is always ASCII regardless of the specified padding format.

 

 

NOTE:

If sysname is used as the node identifier, do not include any spaces when you set the device name. Otherwise, the DHCP snooping device fails to add or replace the Option 82.

 

·          user-defined node-identifier: Uses a case-sensitive string of 1 to 50 characters as the node identifier. The padding format for the specified character string is always ASCII regardless of the specified padding format.

format: Specifies the padding format for the Circuit ID sub-option.

ascii: Specifies the ASCII padding format.

hex: Specifies the hex padding format.

Usage guidelines

The Circuit ID sub-option cannot carry information about interface splitting or subinterfaces. For more information about interface splitting and subinterfaces, see Interface Configuration Guide.

If you execute this command multiple times, the most recent configuration takes effect.

The padding format for the user-defined string, the normal mode, or the verbose mode varies by command configuration. Table 17 shows how the padding format is determined for different modes.

Table 17 Padding format for different modes

Keyword (mode)

If no padding format is set

If the padding format is ascii

If the padding format is hex

string circuit-id

You cannot set a padding format, and the padding format is always ASCII.

N/A

N/A

normal

Hex.

ASCII.

Hex.

verbose

Hex for the VLAN ID.

ASCII for the node identifier, Ethernet type, chassis number, slot number, sub-slot number, and interface number.

ASCII.

ASCII for the node identifier and Ethernet type.

Hex for the chassis number, slot number, sub-slot number, interface number, and VLAN ID.

 

Examples

# Configure verbose as the padding mode, device name as the node identifier, and ASCII as the padding format for the Circuit ID sub-option.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping information enable

[Sysname-GigabitEthernet1/0/1] dhcp snooping information strategy replace

[Sysname-GigabitEthernet1/0/1] dhcp snooping information circuit-id verbose node-identifier sysname format ascii

Related commands

dhcp snooping information enable

dhcp snooping information strategy

display dhcp snooping information

dhcp snooping information enable

Use dhcp snooping information enable to enable DHCP snooping to support Option 82.

Use undo dhcp snooping information enable to disable this feature.

Syntax

dhcp snooping information enable

undo dhcp snooping information enable

Default

DHCP snooping does not support Option 82.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

This command enables DHCP snooping to add Option 82 into DHCP requests that do not contain Option 82 before forwarding the requests to the DHCP server. The content of Option 82 is determined by the dhcp snooping information circuit-id and dhcp snooping information remote-id commands. If the received DHCP request packets contain Option 82, DHCP snooping handles the packets according to the strategy configured with the dhcp snooping information strategy command.

If this feature is disabled, DHCP snooping forwards requests that contain or do not contain Option 82 to the DHCP server.

Examples

# Enable DHCP snooping to support Option 82.

<Sysname> system-view

[Sysname] interface gigabitethernet1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping information enable

Related commands

dhcp snooping information circuit-id

dhcp snooping information remote-id

dhcp snooping information strategy

dhcp snooping information remote-id

Use dhcp snooping information remote-id to configure the padding mode and padding format for the Remote ID sub-option.

Use undo dhcp snooping information remote-id to restore the default.

Syntax

dhcp snooping information remote-id { normal [ format { ascii | hex } ] | [ vlan vlan-id ] { string remote-id | sysname } }

undo dhcp snooping information remote-id [ vlan vlan-id ]

Default

The padding mode is normal and the padding format is hex.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

vlan vlan-id: Pads the Remote ID sub-option for packets received from the specified VLAN. If you do not specify a VLAN, the device pads the Remote ID sub-option for packets received from the default VLAN.

string remote-id: Specifies the string mode that uses a case-sensitive string of 1 to 63 characters as the content of the Remote ID sub-option.

sysname: Specifies the sysname mode that uses the device name as the Remote ID sub-option. You can configure the device name by using the sysname command in system view.

normal: Specifies the normal mode. The padding content is the MAC address of the receiving interface.

format: Specifies the padding format for the Remote ID sub-option. The default padding format is hex.

ascii: Specifies the ASCII padding format.

hex: Specifies the hex padding format.

Usage guidelines

DHCP snooping uses ASCII to pad the specified string or device name for the Remote ID sub-option. The padding format for the normal padding mode is determined by the command configuration.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Pad the Remote ID sub-option with the character string device001.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping information enable

[Sysname-GigabitEthernet1/0/1] dhcp snooping information strategy replace

[Sysname-GigabitEthernet1/0/1] dhcp snooping information remote-id string device001

Related commands

dhcp snooping information enable

dhcp snooping information strategy

display dhcp snooping information

dhcp snooping information strategy

Use dhcp snooping information strategy to configure the handling strategy for Option 82 in request messages.

Use undo dhcp snooping information strategy to restore the default.

Syntax

dhcp snooping information strategy { drop | keep | replace }

undo dhcp snooping information strategy

Default

The handling strategy for Option 82 in request messages is replace.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

drop: Drops DHCP messages that contain Option 82.

keep: Keeps the original Option 82 intact and forwards the DHCP messages.

replace: Replaces the original Option 82 with the configured Option 82 before forwarding the DHCP messages.

Usage guidelines

This command takes effect only on DHCP requests that contain Option 82. For DHCP requests that do not contain Option 82, the DHCP snooping device always adds Option 82 into the requests before forwarding them to the DHCP server.

If the handling strategy is replace, configure a padding mode and padding format for Option 82. If the handling strategy is keep or drop, you do not need to configure any padding mode or padding format for Option 82. The settings do not take effect even if you configure them.

Examples

# Specify the handling strategy for Option 82 in request messages as keep.

<Sysname> system-view

[Sysname] interface gigabitethernet1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping information enable

[Sysname-GigabitEthernet1/0/1] dhcp snooping information strategy keep

Related commands

dhcp snooping information circuit-id

dhcp snooping information remote-id

dhcp snooping log enable

Use dhcp snooping log enable to enable DHCP snooping logging.

Use undo dhcp snooping log enable to disable DHCP snooping logging.

Syntax

dhcp snooping log enable

undo dhcp snooping log enable

Default

DHCP snooping logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the DHCP snooping device to generate DHCP snooping logs and send them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

As a best practice, disable this feature if the log generation affects the device performance.

Examples

# Enable DHCP snooping logging.

<Sysname> system-view

[Sysname] dhcp snooping log enable

dhcp snooping max-learning-num

Use dhcp snooping max-learning-num to set the maximum number of DHCP snooping entries that an interface can learn.

Use undo dhcp snooping max-learning-num to restore the default.

Syntax

dhcp snooping max-learning-num max-number

undo dhcp snooping max-learning-num

Default

The maximum number of DHCP snooping entries for an interface to learn is unlimited.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of DHCP snooping entries for an interface to learn. The value range is 1 to 4294967295.

Examples

# Allow the Layer 2 Ethernet interface GigabitEthernet 1/0/1 to learn a maximum of 10 DHCP snooping entries.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping max-learning-num 10

dhcp snooping rate-limit

Use dhcp snooping rate-limit to enable DHCP snooping packet rate limit on an interface and set the limit value.

Use undo dhcp snooping rate-limit to disable DHCP snooping packet rate limit.

Syntax

dhcp snooping rate-limit rate

undo dhcp snooping rate-limit

Default

The DHCP snooping packet rate limit is disabled on an interface.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

rate: Specifies the maximum rate in Kbps. The value range is 64 to 512.

Usage guidelines

This command takes effect only when DHCP snooping is enabled.

With the rate limit feature, the interface discards DHCP packets that exceed the maximum rate.

The rate configured on a Layer 2 aggregate interface applies to all members of the aggregate interface. If a member interface leaves the aggregation group, it uses the rate configured on its Ethernet interface view.

Due to the chip capability, the maximum rate that takes effect can only be an integer multiple of a certain value. For example, if the chip-supported rate is an integer multiple of 8, and you set the rate to 67, the value 64 or 72 takes effect.

Examples

# Set the maximum rate to 64 Kbps at which the Layer 2 Ethernet interface GigabitEthernet 1/0/1 can receive DHCP packet.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping rate-limit 64

dhcp snooping trust

Use dhcp snooping trust to configure a port as a trusted port.

Use undo dhcp snooping trust to restore the default state of a port.

Syntax

dhcp snooping trust

undo dhcp snooping trust

Default

After you enable DHCP snooping, all ports are untrusted.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

Specify the ports facing the DHCP server as trusted ports and specify the other ports as untrusted ports so DHCP clients can obtain valid IP addresses.

Examples

# Specify the Layer 2 Ethernet interface GigabitEthernet 1/0/1 as a trusted port.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping trust

Related commands

display dhcp snooping trust

display dhcp snooping binding

Use display dhcp snooping binding to display DHCP snooping entries.

Syntax

display dhcp snooping binding [ ip ip-address [ vlan vlan-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip ip-address: Displays the DHCP snooping entry for the specified IP address. If you do not specify an IP address, this command displays DHCP snooping entries for all IP addresses.

vlan vlan-id: Specifies the VLAN ID where the IP address resides. If you do not specify a VLAN, this command displays DHCP snooping entries for the IP address in all VLANs.

Examples

# Display all DHCP snooping entries.

<Sysname> display dhcp snooping binding

 2 DHCP snooping entries found

 IP address      MAC address    Lease        VLAN  SVLAN Interface

 =============== ============== ============ ===== ===== =================

 1.1.1.7         0000-0101-0107 16907533     2     N/A   GE1/0/1

 1.1.1.11        0000-0101-010b 16907537     2     N/A   GE1/0/3

Table 18 Command output

Field

Description

DHCP snooping entries found

Number of DHCP snooping entries.

IP address

IP address assigned to the DHCP client.

MAC address

MAC address of the DHCP client.

Lease

Remaining lease duration in seconds.

VLAN

VLAN where the port connecting the DHCP client resides.

SVLAN

This field displays N/A.

Interface

Port connected to the DHCP client.

 

Related commands

dhcp snooping enable

reset dhcp snooping binding

display dhcp snooping binding database

Use display dhcp snooping binding database to display information about DHCP snooping entry auto backup.

Syntax

display dhcp snooping binding database

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about DHCP snooping entry auto backup.

<Sysname> display dhcp snooping binding database

File name               :   database.dhcp

Username                :  

Password                :  

Update interval         :   600 seconds

Latest write time       :   Feb 27 18:48:04 2012

Status                  :   Last write succeeded.

Table 19 Command output

Field

Description

File name

Name of the DHCP snooping entry backup file.

Username

Username for accessing the URL of the remote backup file.

Password

Password for accessing the URL of the remote backup file. This field displays ****** if a password is configured.

Update interval

Waiting time in seconds after a DHCP snooping entry change for the DHCP snooping device to update the backup file.

Latest write time

Time of the latest update.

Status

Status of the update:

·         Writing—The backup file is being updated.

·         Last write succeeded—The backup file was successfully updated.

·         Last write failed—The backup file failed to be updated.

 

display dhcp snooping information

Use display dhcp snooping information to display Option 82 configuration on the DHCP snooping device.

Syntax

display dhcp snooping information { all | interface interface-type interface-number }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays Option 82 configuration on all Layer 2 Ethernet interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

Examples

# Display Option 82 configuration on all interfaces.

<Sysname> display dhcp snooping information all

Interface: Bridge-Aggregation1

   Status: Disable

   Strategy: Drop

   Circuit ID:

     Padding format: User Defined

       User defined: abcd

     Format: ASCII

   Remote ID:

     Padding format: Normal

     Format: ASCII

   VLAN 10:

     Circuit ID: abcd

     Remote ID: company

Table 20 Command output

Field

Description

Interface

Interface name.

Status

Option 82 status, Enable or Disable.

Strategy

Handling strategy for DHCP requests that contain Option 82, Drop, Keep, or Replace.

Circuit ID

Content of the Circuit ID sub-option.

Padding format

Padding format of Option 82:

·         For Circuit ID sub-option, the padding format can be Normal, User Defined, Verbose (sysname), Verbose (MAC), or Verbose (user defined).

·         For Remote ID sub-option, the padding format can be Normal, Sysname, or User Defined.

Node identifier

Access node identifier.

User defined

Content of the user-defined sub-option.

Format

Code type of Option 82 sub-option:

·         For Circuit ID sub-option, the code type can be ASCII, Default, or Hex.

·         For Remote ID sub-option, the code type can be ASCII or Hex.

Remote ID

Content of the Remote ID sub-option.

VLAN

Pads Circuit ID sub-option and Remote ID sub-option in the DHCP packets received in the specified VLAN.

 

display dhcp snooping packet statistics

Use display dhcp snooping packet statistics to display DHCP packet statistics for DHCP snooping.

Syntax

display dhcp snooping packet statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays DHCP packet statistics for the master device.

Examples

# Display DHCP packet statistics for DHCP snooping.

<Sysname> display dhcp snooping packet statistics

 DHCP packets received                  : 100

 DHCP packets sent                      : 200

 Invalid DHCP packets dropped           : 0

Related commands

reset dhcp snooping packet statistics

display dhcp snooping trust

Use display dhcp snooping trust to display information about trusted ports.

Syntax

display dhcp snooping trust

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about trusted ports.

<Sysname> display dhcp snooping trust

 DHCP snooping is enabled.

 Interface                                       Trusted

 =========================                       ============

 GigabitEthernet1/0/1                            Trusted

Related commands

dhcp snooping trust

reset dhcp snooping binding

Use reset dhcp snooping binding to clear DHCP snooping entries.

Syntax

reset dhcp snooping binding { all | ip ip-address [ vlan vlan-id ] }

Views

User view

Predefined user roles

network-admin

Parameters

all: Clears all DHCP snooping entries.

ip ip-address: Clears the DHCP snooping entry for the specified IP address.

vlan vlan-id: Clears DHCP snooping entries for the specified VLAN. If you do not specify a VLAN, this command clears DHCP snooping entries for the default VLAN.

Examples

# Clear all DHCP snooping entries.

<Sysname> reset dhcp snooping binding all

Related commands

display dhcp snooping binding

reset dhcp snooping packet statistics

Use reset dhcp snooping packet statistics to clear DHCP packet statistics for DHCP snooping.

Syntax

reset dhcp snooping packet statistics [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears DHCP packet statistics for the master device.

Examples

# Clear DHCP packet statistics for DHCP snooping.

<Sysname> reset dhcp snooping packet statistics

Related commands

display dhcp snooping packet statistics

BOOTP client commands

display bootp client

Use display bootp client to display information about a BOOTP client.

Syntax

display bootp client [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

If you do not specify an interface, this command displays BOOTP client information about all interfaces.

Examples

# Display BOOTP client information about VLAN-interface 10.

<Sysname> display bootp client interface vlan-interface 10

Vlan-interface10 BOOTP client information:

Allocated IP: 169.254.0.2 255.255.0.0

Transaction ID: 0x3d8a7431

MAC Address: 00e0-fc0a-c3ef

Table 21 Command output

Field

Description

Vlan-interface10 BOOTP client information

Information about the interface that acts as a BOOTP client.

Allocated IP

BOOTP client's IP address allocated by the BOOTP server.

Transaction ID

Value of the XID field in a BOOTP message. The BOOTP client chooses a random number for the XID field when sending a BOOTP request to the BOOTP server. It is used to match a response message from the BOOTP server. If the values of the XID field are different in the BOOTP response and request, the BOOTP client drops the BOOTP response.

Mac Address

MAC address of a BOOTP client.

 

Related commands

ip address bootp-alloc

ip address bootp-alloc

Use ip address bootp-alloc to configure an interface to use BOOTP for IP address acquisition.

Use undo ip address bootp-alloc to cancel an interface from using BOOTP.

Syntax

ip address bootp-alloc

undo ip address bootp-alloc

Default

An interface does not use BOOTP for IP address acquisition.

Views

Interface view

Predefined user roles

network-admin

Examples

# Configure VLAN-interface 10 to use BOOTP for IP address acquisition.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ip address bootp-alloc

Related commands

display bootp client


DNS commands

display dns domain

Use display dns domain to display the domain name suffixes.

Syntax

display dns domain [ dynamic ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dynamic: Displays the domain name suffixes dynamically obtained through DHCP or other protocols. If you do not specify this keyword, the command displays the statically configured and dynamically obtained domain name suffixes.

Examples

# Display domain name suffixes on the public network.

<Sysname> display dns domain

Type:

  D: Dynamic    S: Static

 

No.    Type   Domain suffix

1      S      com

2      D      net

Table 22 Command output

Field

Description

No.

Sequence number.

Type

Domain name suffix type:

·         SA statically configured domain name suffix.

·         DA domain name suffix dynamically obtained through DHCP or other protocols.

Domain suffix

Domain name suffixes.

 

Related commands

dns domain

display dns host

Use display dns host to display information about domain name-to-IP address mappings.

Syntax

display dns host [ ip | ipv6 ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip: Specifies type A queries. A type A query resolves a domain name to the mapped IPv4 address.

ipv6: Specifies type AAAA queries. A type AAAA query resolves a domain name to the mapped IPv6 address.

Usage guidelines

If you do not specify the ip and ipv6 keywords, this command displays domain name-to-IP address mappings of all query types.

Examples

# Display domain name-to-IP address mappings of all query types.

<Sysname> display dns host

Type:

  D: Dynamic    S: Static

 

Total number: 3

No.  Host name         Type  TTL        Query type   IP addresses

1    sample.com        D     3132       A            192.168.10.1

                                                     192.168.10.2

                                                     192.168.10.3

2    zig.sample.com    S     -          A            192.168.1.1

3    sample.net        S     -          AAAA         FE80::4904:4448

Table 23 Command output

Field

Description

 

No.

Sequence number.

 

Host name

Domain name.

 

Type

Domain name-to-IP address mapping type:

·         S—A static mapping configured by the ip host or ipv6 host command.

·         DA mapping dynamically obtained through dynamic domain name resolution.

TTL

Time in seconds that a mapping can be stored in the cache.

For a static mapping, a hyphen (-) is displayed.

 

Query type

Query type, type A or type AAAA.

 

IP addresses

Replied IP address:

·         For type A query, the replied IP address is an IPv4 address.

·         For type AAAA query, the replied IP address is an IPv6 address.

 

 

Related commands

·          ip host

·          ipv6 host

·          reset dns host

display dns server

Use display dns server to display IPv4 DNS server information.

Syntax

display dns server [ dynamic ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dynamic: Displays IPv4 DNS server information dynamically obtained through DHCP or other protocols. If you do not specify this keyword, the command displays statically configured and dynamically obtained IPv4 DNS server addresses.

Examples

# Display IPv4 DNS server information about the public network.

<Sysname> display dns server

Type:

  D: Dynamic    S: Static

 

No. Type  IP address

1   S     202.114.0.124

2   S     169.254.65.125

Table 24 Command output

Field

Description

No.

Sequence number.

 

Type

DNS server type:

·         S—A manually configured DNS server.

·         D—DNS server information dynamically obtained through DHCP or other protocols.

 

IP address

IPv4 address of the DNS server.

 

 

Related commands

dns server

display ipv6 dns server

Use display ipv6 dns server to display IPv6 DNS server information.

Syntax

display ipv6 dns server [ dynamic ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dynamic: Displays IPv6 DNS server information dynamically obtained through DHCP or other protocols. If you do not specify this keyword, the command displays the statically configured and dynamically obtained IPv6 DNS server information.

Examples

# Display IPv6 DNS server information about the public network.

<Sysname> display ipv6 dns server

Type:

  D: Dynamic    S: Static

 

No. Type  IPv6 address                             Outgoing Interface

1   S     2::2

Table 25 Command output

Field

Description

No.

Sequence number.

Type

DNS server type:

·         S—A manually configured DNS server.

·         D—DNS server information dynamically obtained through DHCP or other protocols.

IPv6 address

IPv6 address of the DNS server.

Outgoing Interface

Output interface.

 

Related commands

ipv6 dns server

dns domain

Use dns domain to configure a domain name suffix.

Use undo dns domain to delete the specified domain name suffix.

Syntax

dns domain domain-name

undo dns domain domain-name

Default

No domain name suffix is configured. Only the provided domain name is resolved.

Views

System view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a domain name suffix. It is a dot-separated, case-insensitive string that can include letters, digits, hyphens (-), underscores (_), and dots (.), for example, aabbcc.com. The domain name suffix can include a maximum of 253 characters, and each separated string includes no more than 63 characters.

Usage guidelines

A domain name suffix applies to both IPv4 DNS and IPv6 DNS.

You can specify a maximum of 16 domain name suffixes.

The system automatically adds the suffixes in the order they are configured to the domain name string received from a host for resolution.

Examples

# Configure the domain name suffix com for the public network.

<Sysname> system-view

[Sysname] dns domain com

Related commands

display dns domain

dns dscp

Use dns dscp to set the DSCP value for DNS packets sent by a DNS client or DNS proxy.

Use undo dns dscp to restore the default.

Syntax

dns dscp dscp-value

undo dns dscp

Default

The DSCP value in DNS packets is 0.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Sets the DSCP value in the range of 0 to 63.

Usage guidelines

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

Examples

# Set the DSCP value to 30 for outgoing DNS packets.

<Sysname> system-view

[Sysname] dns dscp 30

dns proxy enable

Use dns proxy enable to enable DNS proxy.

Use undo dns proxy enable to restore the default.

Syntax

dns proxy enable

undo dns proxy enable

Default

DNS proxy is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This configuration applies to both IPv4 DNS and IPv6 DNS.

Examples

# Enable DNS proxy.

<Sysname> system-view

[Sysname] dns proxy enable

dns server

Use dns server to specify the IPv4 address of a DNS server.

Use undo dns server to remove the specified IPv4 address of a DNS server.

Syntax

dns server ip-address

undo dns server [ ip-address ]

Default

No DNS server is specified.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Specifies an IPv4 address of a DNS server.

Usage guidelines

The device sends DNS query request to the DNS servers in the order their IPv4 addresses are specified.

You can specify a maximum of six DNS server IPv4 addresses.

If you do not specify an IPv4 address, the undo dns server command removes all DNS server IPv4 addresses.

Examples

# Specify the IPv4 address of a DNS server as 172.16.1.1.

<Sysname> system-view

[Sysname] dns server 172.16.1.1

Related commands

display dns server

dns source-interface

Use dns source-interface to specify the source interface for DNS packets.

Use undo dns source-interface to restore the default.

Syntax

dns source-interface interface-type interface-number

undo dns source-interface interface-type interface-number

Default

No source interface for DNS packets is specified. The device uses the primary IP address of the output interface of the matching route as the source IP address for a DNS request.

Views

System view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

This configuration applies to both IPv4 and IPv6.

·          In IPv4 DNS, the device uses the primary IPv4 address of the specified source interface as the source IP address of DNS query.

·          In IPv6 DNS, the device selects an IPv6 address of the source interface as the source IP address for DNS query. The method of selecting the IPv6 address is defined in RFC 3484.

You can specify only one source interface. If you use the command multiple times, the most recent configuration takes effect.

Examples

# Specify VLAN-interface 2 as the source interface for DNS packets on the public network.

<Sysname> system-view

[Sysname] dns source-interface vlan-interface 2

dns spoofing

Use dns spoofing to enable DNS spoofing and specify the IPv4 address to spoof DNS requests.

Use undo dns spoofing to disable DNS spoofing.

Syntax

dns spoofing ip-address

undo dns spoofing ip-address

Default

DNS spoofing is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IPv4 address used to spoof DNS requests.

Usage guidelines

Use the dns spoofing command together with the dns proxy enable command. DNS spoofing enables the DNS proxy to send a spoofed reply with a configured IP address even if it cannot reach the DNS server because no dial-up connection is available. Without DNS spoofing, the proxy does not answer or forward a DNS request if it cannot find a local matching DNS entry or reach the DNS server.

You can specify only one replied IPv4 address on the DNS spoofing device. If you use the command multiple times, the most recent configuration takes effect.

Examples

# Enable DNS spoofing on the public network and specify the IPv4 address 1.1.1.1 to spoof DNS requests.

<Sysname> system-view

[Sysname] dns proxy enable

[Sysname] dns spoofing 1.1.1.1

Related commands

dns proxy enable

dns trust-interface

Use dns trust-interface to specify the DNS trusted interface.

Use undo dns trust-interface to remove the specified DNS trusted interface.

Syntax

dns trust-interface interface-type interface-number

undo dns trust-interface [ interface-type interface-number ]

Default

No trusted interface is specified.

Views

System view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

By default, an interface obtains DNS suffix and DNS server information from DHCP. A network attacker might act as the DHCP server to assign a wrong DNS suffix and DNS server address to the device. As a result, the device fails to obtain the resolved IP address or might get the wrong IP address. With the DNS trusted interface specified, the device only uses the DNS suffix and DNS server information obtained through the trusted interface to avoid attack.

This configuration is applicable to both IPv4 and IPv6.

You can configure up to 128 DNS trusted interfaces on the device.

If you do not specify an interface, the undo dns trust-interface command removes all DNS trusted interfaces.

Examples

# Specify VLAN-interface 2 as the DNS trusted interface.

<Sysname> system-view

[Sysname] dns trust-interface vlan-interface 2

ip host

Use ip host to create a host name-to-IPv4 address mapping.

Use undo ip host to remove a mapping.

Syntax

ip host host-name ip-address

undo ip host host-name ip-address

Default

No host name-to-IPv4 address mappings are created.

Views

System view

Predefined user roles

network-admin

Parameters

host-name: Specifies a host name, a case-insensitive string of 1 to 253 characters. It can include letters, digits, hyphens (-), underscores (_), and dots (.).

ip-address: Specifies the IPv4 address of the host.

Usage guidelines

You can configure a maximum of 1024 host name-to-IPv4 address mappings.

Each host name maps to only one IPv4 address. If you use the command multiple times, the most recent configuration takes effect.

Do not use the ping command parameter ip, -a, -c, -f, -h, -i, -m, -n, -p, -q, -r, -s, -t, -tos, or -v as the host name. For more information about the ping command parameters, see Network Management and Monitoring Command Reference.

Examples

# Map the IPv4 address 10.110.0.1 to the host name aaa on the public network.

<Sysname> system-view

[Sysname] ip host aaa 10.110.0.1

Related commands

display dns host

ipv6 dns dscp

Use ipv6 dns dscp to set the DSCP value for IPv6 DNS packets sent by an IPv6 DNS client or DNS proxy.

Use undo ipv6 dns dscp to restore the default.

Syntax

ipv6 dns dscp dscp-value

undo ipv6 dns dscp

Default

The DSCP value for IPv6 DNS packets is 0.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Sets the DSCP value in the range of 0 to 63.

Usage guidelines

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

Examples

# Set the DSCP value to 30 for outgoing IPv6 DNS packets.

<Sysname> system-view

[Sysname] ipv6 dns dscp 30

ipv6 dns server

Use ipv6 dns server to specify the IPv6 address of a DNS server.

Use undo ipv6 dns server to remove the specified DNS server IPv6 address.

Syntax

ipv6 dns server ipv6-address [ interface-type interface-number ]

undo ipv6 dns server [ ipv6-address [ interface-type interface-number ] ]

Default

No DNS server IPv6 address is specified.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of a DNS server.

interface-type interface-number: Specifies the output interface by its type and number. If you do not specify an interface, the device forwards DNS packets out of the output interface of the matching route. Specify this argument if the IPv6 address of the DNS server is a link-local address. Do not specify this argument if the IPv6 address of the DNS server is a global unicast address.

Usage guidelines

For dynamic DNS, the device sends DNS query request to the IPv6 DNS servers in the order their IPv6 addresses are specified.

You can specify a maximum of six DNS server IPv6 addresses.

If you do not specify an IPv6 address, the undo ipv6 dns server command removes all DNS server IPv6 addresses.

Examples

# Specify the DNS server IPv6 address as 2002::1 for the public network.

<Sysname> system-view

[Sysname] ipv6 dns server 2002::1

Related commands

display ipv6 dns server

ipv6 dns spoofing

Use ipv6 dns spoofing to enable DNS spoofing and specify the IPv6 address to spoof DNS requests.

Use undo ipv6 dns spoofing to disable DNS spoofing.

Syntax

ipv6 dns spoofing ipv6-address

undo ipv6 dns spoofing ipv6-address

Default

DNS spoofing is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address used to spoof DNS requests.

Usage guidelines

Use the ipv6 dns spoofing command together with the dns proxy enable command.

DNS spoofing enables the DNS proxy on the device to send a spoofed reply with an IPv6 address in response to a type AAAA DNS request. Without DNS spoofing, the device does not forward or answer a request if no DNS server is specified or no DNS server is reachable.

You can specify only one replied IPv6 address. If you use the command multiple times, the most recent configuration takes effect.

Examples

# Enable DNS spoofing on the public network and specify the IPv6 address 2001::1 to spoof DNS requests.

<Sysname> system-view

[Sysname] dns proxy enable

[Sysname] ipv6 dns spoofing 2001::1

Related commands

dns proxy enable

ipv6 host

Use ipv6 host to create a host name-to-IPv6 address mapping.

Use undo ipv6 host to remove a mapping.

Syntax

ipv6 host host-name ipv6-address

undo ipv6 host host-name ipv6-address

Default

No host name-to-IPv6 address mappings are created.

Views

System view

Predefined user roles

network-admin

Parameters

host-name: Specifies a host name, a case-insensitive string of 1 to 253 characters. It can include letters, digits, hyphens (-), underscores (_), and dots (.).

ipv6-address: Specifies the IPv6 address of the host.

Usage guidelines

You can configure a maximum of 1024 host name-to-IPv6 address mappings.

Each host name maps to only one IPv6 address. If you use the command multiple times, the most recent configuration takes effect.

Do not use the ping ipv6 command parameter -a, -c, -i, -m, -q, -s, -t, -tc, or -v as the host name. For more information about the ping ipv6 command parameters, see Network Management and Monitoring Command Reference.

Examples

# Map IPv6 address 2001::1 to host name aaa on the public network.

<Sysname> system-view

[Sysname] ipv6 host aaa 2001::1

Related commands

ip host

reset dns host

Use reset dns host to clear information about the dynamic DNS cache.

Syntax

reset dns host [ ip | ipv6 ]

Views

User view

Predefined user roles

network-admin

Parameters

ip: Specifies type A queries. A type A query resolves a domain name to the mapped IPv4 address.

ipv6: Specifies type AAAA queries. A type AAAA query resolves a domain name to the mapped IPv6 address.

Usage guidelines

If you do not specify the ip and ipv6 keywords, the reset dns host command clears dynamic DNS cache information about all query types.

Examples

# Clear dynamic DNS cache information about all query types on the public network.

<Sysname> reset dns host

Related commands

display dns host


DDNS commands

The following matrix shows the feature and hardware compatibility:

 

Hardware series

Model

DDNS compatibility

WX1800H series

WX1804H

WX1810H

WX1820H

WX1840H

Yes

WX3800H series

WX3820H

WX3840H

No

WX5800H series

WX5860H

No

 

ddns apply policy

Use ddns apply policy to apply the specified DDNS policy to the interface, update the mapping between the specified FQDN and the primary IP address of the interface, and enable DDNS update.

Use undo ddns apply policy to remove the DDNS policy applied to the interface and stop DDNS update.

Syntax

ddns apply policy policy-name [ fqdn domain-name ]

undo ddns apply policy policy-name

Default

No DDNS policy and FQDN for update are specified on the interface, and DDNS update is disabled.

Views

Interface view

Predefined user roles

network-admin

Parameters

policy-name: Specifies the DDNS policy name, a case-insensitive string of 1 to 32 characters.

fqdn domain-name: Specifies the FQDN to replace <h> in the URL for DDNS update. The domain-name argument specifies a case-insensitive string of 1 to 253 characters. It can include letters, digits, hyphens (-), underscores (_), and dots (.).

Usage guidelines

You can apply up to four DDNS policies to an interface.

If you use the ddns apply policy command multiple times with the same DDNS policy name but different FQDNs, both of the following occur:

·          The most recent configuration takes effect.

·          The device initiates a DDNS update request immediately.

Examples

# Apply the DDNS policy steven_policy to VLAN-interface 2 to update the domain name to IP address mapping for FQDN www.whatever.com and enable DDNS update.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] ddns apply policy steven_policy fqdn www.whatever.com

Related commands

·          ddns policy

·          display ddns policy

ddns dscp

Use ddns dscp to set the DSCP value for outgoing DDNS packets.

Use undo ddns dscp to restore the default.

Syntax

ddns dscp dscp-value

undo ddns dscp

Default

The DSCP value for outgoing DDNS packets is 0.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Sets the DSCP value in the range of 0 to 63.

Usage guidelines

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

Examples

# Set the DSCP value to 30 for outgoing DDNS packets.

<Sysname> system-view

[Sysname] ddns dscp 30

ddns policy

Use ddns policy to create a DDNS policy and enter its view.

Use undo ddns policy to delete a DDNS policy.

Syntax

ddns policy policy-name

undo ddns policy policy-name

Default

No DDNS policy is created.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies the DDNS policy name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can create up to 16 DDNS policies on the device.

Examples

# Create a DDNS policy steven_policy and enter its view.

<Sysname> system-view

[Sysname] ddns policy steven_policy

Related commands

·          ddns apply policy

·          display ddns policy

display ddns policy

Use display ddns policy to display information about DDNS policies.

Syntax

display ddns policy [ policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies the DDNS policy name, a case-insensitive string of 1 to 32 characters. If you do not specify a DDNS policy, this command displays information about all DDNS policies.

Examples

# Display information about the DDNS policy steven_policy.

<Sysname> display ddns policy steven_policy

DDNS policy: steven_policy

  URL              : http://members.3322.org/dyndns/update?

                     system=dyndns&hostname=<h>&myip=<a>

  Username         : steven

  Password         : ******

  Method           : GET

  SSL client policy:

  Interval         : 1 days 0 hours 1 minutes

# Display information about all DDNS policies.

<Sysname> display ddns policy

DDNS policy: steven_policy

  URL              : http://members.3322.org/dyndns/update?system=

                     dyndns&hostname=<h>&myip=<a>

  Username         : steven

  Password         : ******

  Method           : GET

  SSL client policy:

  Interval         : 0 days 0 hours 30 minutes 

 

DDNS policy: tom-policy

  URL              : http://members.3322.org/dyndns/update?system=

                     dyndns&hostname=<h>&myip=<a>

  Username         :

  Password         :

  Method           : GET

  SSL client policy:

  Interval         : 0 days 0 hours 15 minutes

 

DDNS policy: u-policy

  URL              : oray://phservice2.oray.net

  Username         : username

  Password         :

  Method           : -

  SSL client policy:

  Interval         : 0 days 0 hours 15 minutes

 

Table 26 Command output

Field

Description

DDNS policy

DDNS policy name.

URL

URL address for a DDNS update request. This field is blank if no URL address is configured.

Username

Username for logging in to the DDNS server. This field is blank if no username is configured.

 

Password

Password for logging in to the DDNS server. This field is blank if no password is configured and displays ****** if a password is configured.

 

Method

Parameter transmission method used to send HTTP/HTTPS-based DDNS update requests.

Method types include GET and POST.

 

SSL client policy

Name of the associated SSL client policy. This field is blank if no SSL client policy is associated.

Interval

Interval for sending DDNS update requests.

 

Related commands

ddns policy

interval

Use interval to set the interval for sending DDNS update requests after DDNS update is enabled.

Use undo interval to restore the default value.

Syntax

interval days [ hours [ minutes ] ]

undo interval

Default

The DDNS update request interval is one hour.

Views

DDNS policy view

Predefined user roles

network-admin

Parameters

days: Days in the range of 0 to 365.

hours: Hours in the range of 0 to 23.

minutes: Minutes in the range of 0 to 59.

Usage guidelines

A DDNS update request is initiated immediately if either of the following conditions occurs:

·          The primary IP address of the interface changes.

·          The link state of the interface changes from down to up.

If you set the interval to 0, the device does not periodically initiate any DDNS update request. However, it initiates a DDNS update request in either of the following situations:

·          The primary IP address of the interface changes.

·          The link state of the interface changes from down to up.

If you use the interval command multiple times with different time intervals, the most recent configuration takes effect. If you change the interval for an applied DDNS policy, the device immediately initiates a DDNS update request and sets the interval as the update interval.

Examples

# Set the interval to one day and one minute for sending DDNS update requests for the DDNS policy steven_policy.

<Sysname> system-view

[Sysname] ddns policy steven_policy

[Sysname-ddns-policy-steven_policy] interval 1 0 1

Related commands

·          ddns policy

·          display ddns policy

method

Use method to specify the parameter transmission method for sending DDNS update requests to HTTP/HTTPS-based DDNS servers.

Use undo method to restore the default.

Syntax

method { http-get | http-post }

undo method

Default

The method http-get applies.

Views

DDNS policy view

Predefined user roles

network-admin

Parameters

http-get: Uses the get operation.

http-post: Uses the post operation.

Usage guidelines

This command applies to DDNS updates in HTTP/HTTPS. If the DDNS server uses HTTP or HTTPS service, choose a parameter transmission method compatible with the DDNS server. For example, a DHS server supports the http-post method.

If the DDNS policy has been applied to an interface, a DDNS update is sent immediately after the parameter transmission is changed.

Examples

# Specify the parameter transmission method as http-post for DDNS update request for DDNS policy steven_policy.

<Sysname> system-view

[Sysname] ddns policy steven_policy

[Sysname-ddns-policy-steven_policy] method http-post

Related commands

·          ddns policy

·          display ddns policy

password

Use password to specify the password for logging in to the DDNS server.

Use undo password to delete the password.

Syntax

password { cipher | simple } password

undo password

Default

No password is specified.

Views

DDNS policy view

Predefined user roles

network-admin

Parameters

cipher: Sets a ciphertext password.

simple: Sets a plaintext password.

password: Specifies a case-sensitive password string. If simple is specified, it must be a string of 1 to 32 characters. If cipher is specified, it must be a string of 1 to 73 characters.

Usage guidelines

For security purposes, all passwords, including passwords configured in plain text, are saved in cipher text.

Examples

# In the DDNS policy steven_policy, specify nevets as the password for logging in to the DDNS server.

<Sysname> system-view

[Sysname] ddns policy steven_policy

[Sysname-ddns-policy-steven_policy] password simple nevets

Related commands

·          ddns policy

·          display ddns policy

·          url

·          username

ssl-client-policy

Use ssl-client-policy to associate an SSL client policy with a DDNS policy.

Use undo ssl-client-policy to cancel the association of an SSL client policy with a DDNS policy.

Syntax

ssl-client-policy policy-name

undo ssl-client-policy

Default

No SSL client policy is associated with any DDNS policy.

Views

DDNS policy view

Predefined user roles

network-admin

Parameters

policy-name: Specifies the SSL client policy name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

The SSL client policy is effective only for HTTPS-based DDNS update requests.

If you use the ssl-client-policy command multiple times with different SSL client policies, the most recent configuration takes effect.

Examples

# Associate the SSL client policy ssl_policy with the DDNS policy steven_policy.

<Sysname> system-view

[Sysname] ddns policy steven_policy

[Sysname-ddns-policy-steven_policy] ssl-client-policy ssl_policy

Related commands

·          ddns policy

·          display ddns policy

·          ssl-client-policy (Security Command Reference)

url

Use url to specify the URL address for DDNS update requests.

Use undo url to delete the URL address.

Syntax

url request-url

undo url

Default

No URL address is specified for DDNS update requests.

Views

DDNS policy view

Predefined user roles

network-admin

Parameters

request-url: Specifies the URL address, a case-sensitive string of 1 to 240 characters.

Usage guidelines

The URL addresses configured for update requests vary by DDNS server. Common DDNS server URL address format are shown in Table 27.

Table 27 Common URL addresses for DDNS update request

DDNS server

URL addresses for DDNS update requests

www.3322.org

http://members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>

DYNDNS

http://members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>

DYNS

http://www.dyns.cx/postscript.php?host=<h>&ip=<a>

ZONEEDIT

http://dynamic.zoneedit.com/auth/dynamic.html?host=<h>&dnsto=<a>

TZO

http://cgi.tzo.com/webclient/signedon.html?TZOName=<h>IPAddress=<a>

EASYDNS

http://members.easydns.com/dyn/ez-ipupdate.php?action=edit&myip=<a>&host_id=<h>

HEIPV6TB

http://dyn.dns.he.net/nic/update?hostname=<h>&myip=<a>

CHANGE-IP

http://nic.changeip.com/nic/update?hostname=<h>&offline=1

NO-IP

http://dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>

DHS

http://members.dhs.org/nic/hosts?domain=dyn.dhs.org&hostname=<h>&hostscmd=edit&hostscmdstage=2&type=1&ip=<a>

HP

https://server-name/nic/update?group=group-name&myip=<a>

ODS

ods://update.ods.org

GNUDIP

gnudip://server-name

PeanutHull

oray://phservice2.oray.net

 

No username or password is included in the URL address. To configure the username and password, use the username command and the password command.

HP and GNUDIP are common DDNS update protocols. The server-name parameter is the domain name or IP address of the service provider's server using one of the update protocols.

The URL address for an update request can start with:

·          http://The HTTP-based DDNS server.

·          https://The HTTPS-based DDNS server.

·          ods://The TCP-based ODS server.

·          gnudip://The TCP-based GNUDIP server.

·          oray://The TCP-based DDNS server.

The domain names of DDNS servers are members.3322.org and phservice2.oray.net. The domain names of PeanutHull DDNS servers can be phservice2.oray.net, phddns60.oray.net, client.oray.net, ph031.oray.net, and so on. Determine the domain name in the URL according to the actual situation.

The port number in the URL address is optional. If you do not specify a port number, the default port number is used. HTTP uses port 80, HTTPS uses port 443, and the PeanutHull server uses port 6060.

The system automatically performs the following tasks:

·          Fills <h> with the FQDN that is specified when the DDNS policy is applied to the interface.

·          Fills <a> with the primary IP address of the interface to which the DDNS policy is applied.

You might also manually specify an FQDN and an IP address in <h> and <a>, respectively. After that, the FQDN that is specified when the DDNS policy is applied becomes ineffective. However, manual configuration of <h> and <a> is not recommended.

You cannot specify an FQDN and IP address in the URL address for contacting the PeanutHull server. Alternatively, you can specify an FQDN when applying the DDNS policy to an interface. The system automatically uses the primary IP address of the interface to which the DDNS policy is applied as the IP address for DDNS update.

To avoid misinterpretation, do not include colons (:), at signs (@), and question marks (?) in your login ID or password, even if you can do so.

If you use the url command multiple times with different URL addresses, the most recent configuration takes effect.

Examples

# Specify the URL address for DDNS update requests for DDNS policy steven_policy. The device contacts www.3322.org for DDNS update.

<Sysname> system-view

[Sysname] ddns policy steven_policy

[Sysname-ddns-policy-steven_policy] url http://members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>

Related commands

·          ddns policy

·          display ddns policy

·          password

·          username

username

Use username to specify the username for logging in to the DDNS server.

Use undo username to delete the username.

Syntax

username username

undo username

Default

No username is specified.

Views

DDNS policy view

Predefined user roles

network-admin

Parameters

username: Specifies the username, a case-sensitive string of 1 to 32 characters.

Examples

# In the DDNS policy steven_policy, specify steven as the username for logging in to the DDNS server.

<Sysname> system-view

[Sysname] ddns policy steven_policy

[Sysname-ddns-policy-steven_policy] username steven

Related commands

·          ddns policy

·          display ddns policy

·          password

·          url


NAT commands

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

address

Use address to add an address range to a NAT address group.

Use undo address to remove an address range from a NAT address group.

Syntax

address start-address end-address

undo address start-address end-address

Default

No address range exists.

Views

NAT address group view

Predefined user roles

network-admin

Parameters

start-address end-address: Specifies the start and end IP addresses of the address range. The end address must not be lower than the start address. If they are the same, the address range has only one IP address.

Usage guidelines

A NAT address group is a set of address ranges. The source address in a packet destined for an external network is translated into an address in one of the group ranges.

Each address range can contain a maximum of 65535 addresses.

If you add multiple address ranges, make sure they do not overlap.

Examples

# Add two group ranges to an address group.

<Sysname> system-view

[Sysname] nat address-group 2

[Sysname-address-group-2] address 10.1.1.1 10.1.1.15

[Sysname-address-group-2] address 10.1.1.20 10.1.1.30

Related commands

nat address-group

block-size

Use block-size to set the port block size.

Use undo block-size to restore the default.

Syntax

block-size block-size

undo block-size

Default

The port block size is 256.

Views

NAT port block group view

Predefined user roles

network-admin

Parameters

block-size: Sets the number of ports for a port block. The value range for this argument is 1 to 65535.

Usage guidelines

When you set a port block size, make sure the port block size is not larger than the number of ports in the port range.

Examples

# Set the port block size to 1024 for port block group 1.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] block-size 1024

Related commands

nat port-block-group

display nat alg

Use display nat alg to display the NAT with ALG status for all supported protocols.

Syntax

display nat alg

Views

User view

Predefined user roles

network-admin

network-operator

Examples

# Display the NAT with ALG status for all supported protocols.

<Sysname> display nat alg

NAT ALG:

  DNS        : Enabled

  FTP        : Disabled

  H323       : Disabled

  ICMP-ERROR : Disabled

  ILS        : Disabled

  MGCP       : Disabled

  NBT        : Disabled

  PPTP       : Disabled

  RTSP       : Disabled

  RSH        : Disabled

  SCCP       : Disabled

  SIP        : Disabled

  SQLNET     : Disabled

  TFTP       : Disabled

  XDMCP      : Disabled

Related commands

display nat all

display nat all

Use display nat all to display all NAT configuration information.

Syntax

display nat all

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display all NAT configuration information.

<Sysname> display nat all

NAT address group information:

  Totally 3 NAT address groups.

  Address group 1:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

  Address group 2:

    Port range: 10001-65535

    Port block size: 500

    Extended block number: 1

    Address information:

      Start address         End address

      202.110.10.60         202.110.10.65

  Address group 3:

    Port range: 1-65535

    Address information:

      Start address         End address

      ---                   ---

NAT server group information:

  Totally 3 NAT server groups.

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

  2                   ---                   ---         ---

  3                   192.168.0.26          69          100

NAT inbound information:

  Totally 1 NAT inbound rules.

  Interface: Vlan-interface20

    ACL: 2038

   Address group ID: 2

   Add route: Y         NO-PAT:Y         Reversible: N

    Rule name: a

    Priority: 1000

    Config status: Active

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: Vlan-interface10

    ACL: 2036    

    Address group ID: 1 

    Port-preserved: Y    NO-PAT: N         Reversible: N

    Rule name: b

    Priority: 22

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: address group, and ACL.

  Interface: Vlan-interface10

    ACL: 2037    

    Address group ID: 1 

    Port-preserved: N    NO-PAT: Y         Reversible: Y

    Rule name: c

    Priority: 100

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

NAT internal server information:

  Totally 5 internal servers.

  Interface: Vlan-interface30

    Global ACL    : 2000

    Local IP/port : 192.168.10.1/23

    Rule name     : cdefgab

    Priority      : 1000

    Config status : Active

  Interface: Vlan-interface40

    Protocol: 255(Reserved)

    Global IP/port: 50.1.1.100/---

    Local IP/port : 192.168.10.150/---

    ACL           : 3000

    Rule name     : red

    Config status : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

  Interface: Vlan-interface50

    Protocol: 17(UDP)

    Global IP/port: 50.1.1.2/23

    Local IP/port : server group 1

                    1.1.1.1/21            (Connections: 10)

                    192.168.100.200/80    (Connections: 20)

    Config status : Active

Static NAT mappings:

  Totally 2 inbound static NAT mappings.

  Net-to-net:

    Global IP    : 2.2.2.1 – 2.2.2.255

    Local IP     : 1.1.1.0

    Netmask      : 255.255.255.0

    ACL          : 3000

    Reversible   : Y

    Rule name    : green

    Priority     : 4

    Config status: Active

  IP-to-IP:

    Global IP    : 5.5.5.5

    Local IP     : 4.4.4.4

    ACL          : 2001

    Reversible   : Y

    Rule name    : blue

    Priority     : 4

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

  Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 1.1.1.1 - 1.1.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    ACL          : 3000

    Reversible   : Y

    Rule name    : yellow

    Priority     : 5

    Config status: Active

  IP-to-IP:

    Local IP     : 4.4.4.4

    Global IP    : 5.5.5.5

    ACL:         : 2001

    Reversible   : Y

    Rule name    : pink

    Priority     : 6

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: Vlan-interface20

    Config status: Active

  Interface: Vlan-interface30

    Config status: Active

NAT DNS mappings:

  Totally 2 NAT DNS mappings.

  Domain name  : www.server.com

  Global IP    : 6.6.6.6

  Global port  : 23

  Protocol     : TCP(6)

  Config status: Active

  Domain name  : www.service.com

  Global IP    : ---

  Global port  : 12

  Protocol     : TCP(6)

  Config status: Inactive

  Reasons for inactive status:

    The following items don't exist or aren't effective: interface IP address.

NAT logging:

  Log enable          : Enabled(ACL 2000)

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Enabled(10 minutes)

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

 

NAT hairpinning:                                                               

  Totally 1 interfaces enabled with NAT hairpinning.                           

  Interface: Vlan-interface100                                                 

    Config status: Active

 

NAT mapping behavior:

  Mapping mode : Endpoint-Independent

  ACL          : 2050

  Config status: Active

NAT ALG:

  DNS        : Enabled

  FTP        : Disabled

  H323       : Enabled

  ICMP-ERROR : Enabled

  ILS        : Enabled

  MGCP       : Enabled

  NBT        : Enabled

  PPTP       : Enabled

  RSH        : Enabled

  RTSP       : Enabled

  SCCP       : Enabled

  SIP        : Disabled

  SQLNET     : Enabled

  TFTP       : Enabled

  XDMCP      : Enabled

NAT port block group information:

  Totally 2 NAT port block groups.

  Port block group 1:

    Port range: 1-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      172.16.1.1           172.16.1.254         ---

      192.168.1.1          192.168.1.254        ---

      192.168.3.1          192.168.3.254        ---

    Global IP pool information:

      Start address        End address

      201.1.1.1            201.1.1.10

      201.1.1.21           201.1.1.25

  Port block group 2:

    Port range: 10001-30000

    Block size: 500

    Local IP address information:

      Start address        End address          VPN instance

      10.1.1.1             10.1.10.255          ---

    Global IP pool information:

      Start address        End address

      202.10.10.101        202.10.10.120

NAT outbound port block group information:

  Totally 2 outbound port block group items.

  Interface: Vlan-interface20

    Port block group: 2

    Rule name       : red

    Priority        : 4

    Config status   : Active

  Interface: Vlan-interface20

    Port block group: 10

    Rule name       : tigger

    Priority        : 6

    Config status   : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: port block group.

 

The output shows all NAT configuration information. Table 28 describes only the fields for the output of the nat mapping-behavior and nat alg commands.

Table 28 Command output

Field

Description

NAT address group information

Information about the NAT address group. See Table 29 for output description.

NAT server group information

Information about the internal server group. See Table 41 for output description.

NAT inbound information:

Inbound dynamic NAT configuration. See Table 32 for output description.

NAT outbound information

Outbound dynamic NAT configuration. See Table 35 for output description.

NAT internal server information

NAT Server configuration. See Table 40 for output description.

Static NAT mappings

Static NAT mappings. See Table 43 for output description.

NAT DNS mappings

NAT with DNS mappings. See Table 30 for output description.

NAT logging

NAT logging configuration. See Table 33 for output description.

NAT hairpinning

NAT hairpin configuration.

Totally n interfaces enabled NAT hairpinning

Number of interfaces with NAT hairpin enabled.

Interface

NAT hairpin-enabled interface.

Config status

Status of NAT hairpin configuration: Active or Inactive.

NAT mapping behavior

Mapping behavior mode of PAT: Endpoint-Independent or Address and Port-Dependent.

ACL

ACL number or name. If no ACL is specified for NAT, this field displays hyphens (---).

Rule name

Name of the NAT rule.

Priority

Priority of the NAT rule.

Config status

Status of NAT mapping behavior configuration: Active or Inactive.

Reasons for inactive status

Reasons why the NAT mapping behavior configuration does not take effect. This field is available when the Config status is Inactive.

NAT ALG

NAT with ALG configuration for different protocols.

NAT port block group information

Configuration information about NAT port block groups. See Table 38 for output description.

NAT outbound port block group information

Information about port block group application. See Table 36 for output description.

 

display nat address-group

Use display nat address-group to display NAT address group information.

Syntax

display nat address-group [ group-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-number: Specifies the ID of a NAT address group. The value range for this argument is 0 to 65535. If you do not specify the group-number argument, this command displays information about all NAT address groups.

Examples

# Display information about all NAT address groups.

<Sysname> display nat address-group

NAT address group information:

  Totally 5 NAT address groups.

  Address group 1:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

 

  Address group 2:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.20         202.110.10.25

      202.110.10.30         202.110.10.35

 

  Address group 3:

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.40         202.110.10.50

 

  Address group 4:

    Port range: 10001-65535

    Port block size: 500

    Extended block number: 1

    Address information:

      Start address         End address

      202.110.10.60         202.110.10.65

 

  Address group 6:

    Port range: 1-65535

    Address information:

      Start address         End address

      ---                   ---

 

# Display information about NAT address group 1.

<Sysname> display nat address-group 1

  Address group 1:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

 

Table 29 Command output

Field

Description

Address group

ID of the NAT address group.

Port range

Port range for public IP addresses.

Block size

Number of ports in a port block. This field is not displayed if the port block size is not set.

Extended block number

Number of extended port blocks. This field is not displayed if the number of extended port blocks is not set.

Address information

Information about the public IP addresses in the address group.

Start address

Start IP address of an address range. If you do not specify a start address for the range, this field displays hyphens (---).

End address

End IP address of an address range. If you do not specify an end address for the range, this field displays hyphens (---).

 

Related commands

nat address-group

display nat dns-map

Use display nat dns-map to display NAT with DNS mapping configuration.

Syntax

display nat dns-map

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display NAT with DNS mapping configuration.

<Sysname> display nat dns-map

NAT DNS mapping information:

  Totally 2 NAT DNS mappings.

  Domain name  : www.server.com

  Global IP    : 6.6.6.6

  Global port  : 23

  Protocol     : TCP(6)

  Config status: Active

 

  Domain name  : www.service.com

  Global IP    : ---

  Global port  : 12

  Protocol     : TCP(6)

  Config status: Inactive

  Reasons for inactive status:

    The following items don't exist or aren't effective: interface IP address.

 

Table 30 Command output

Field

Description

NAT DNS mapping information

Information about NAT with DNS mappings.

Domain-name

Domain name of the internal server.

Global IP

Public IP address of the internal server.

·         If Easy IP is configured, this field displays the IP address of the specified interface.

·         If you do not specify a public IP address, this field displays hyphens (---).

Global port

Public port number of the internal server.

Protocol

Protocol type and number of the internal server.

Config status

Status of the DNS mapping configuration: Active or Inactive.

Reasons for inactive status

Reasons why the DNS mapping configuration does not take effect. This field is available when the Config status is Inactive.

 

Related commands

nat dns-map

display nat eim

Use display nat eim to display information about NAT Endpoint-Independent Mapping (EIM) entries.

Syntax

display nat eim [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays EIM entry information for all member devices.

Usage guidelines

A NAT device with PAT EIM configured performs the following tasks:

1.        Creates a NAT session entry.

2.        Creates an EIM entry for recording the mapping between a private address/port and a public address/port.

The EIM entry ensures the following:

·          The same EIM entry applies to subsequent connections originating from the same source IP and port.

·          The EIM entries allow reverse translation for connections initiated by external hosts to internal hosts.

Examples

# Display information about NAT EIM entries for IRF member device 1.

<Sysname> display nat eim slot 1

Slot 1:

Local  IP/port: 192.168.100.100/1024

Global IP/port: 200.100.1.100/2048

Protocol: TCP(6)

 

Local  IP/port: 192.168.100.200/2048

Global IP/port: 200.100.1.200/4096

Protocol: UDP(17)

 

Total entries found: 2

Table 31 Command output

Field

Description

Local IP/port

Private IP address and port number.

Global IP/port

Public IP address and port number.

Protocol

Protocol type and number.

Total entries found

Total number of EIM entries.

 

Related commands

·          nat mapping-behavior

·          nat outbound

display nat inbound

Use display nat inbound to display information about inbound dynamic NAT.

Syntax

display nat inbound

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about inbound dynamic NAT.

<Sysname> display nat inbound

NAT inbound information:

  Totally 2 NAT inbound rules.

  Interface: Vlan-interface20

    ACL: 2038     

    Address group ID: 2      Address group name: b

    Add route: Y    NO-PAT: Y         Reversible: N

    Rule name: abcd

    Priority: 1000

    Config status: Active

 

Interface: Vlan-interface30

    ACL: 2037     

    Address group ID: 1      Address group name: a

    Add route: Y    NO-PAT: Y         Reversible: N

    Rule name: eif

    Priority: 1000

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

Table 32 Command output

Field

Description

NAT inbound information

Information about inbound dynamic NAT.

Interface

Interface where inbound dynamic NAT is configured.

ACL

ACL number or name.

Address group

NAT address group used by inbound dynamic NAT rule.

Add route

Whether to add a route when a packet matches the inbound dynamic NAT rule.

NO-PAT

Whether NO-PAT or PAT is used:

·         YNO-PAT is used.

·         NPAT is used.

Reversible

Whether reverse address translation is allowed.

Rule name

Name of the NAT rule.

Priority

Priority of the NAT rule.

Config status

Status of the inbound dynamic NAT configuration: Active or Inactive.

Reasons for inactive status

Reasons why the inbound dynamic NAT configuration does not take effect. This field is available when the Config status is Inactive.

 

Related commands

nat inbound

display nat log

Use display nat log to display NAT logging configuration.

Syntax

display nat log

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display NAT logging configuration.

<Sysname> display nat log

NAT logging:

  Log enable          : Enabled(ACL 2000)

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Enabled(10 minutes)

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

Table 33 Command output

Field

Description

NAT logging

NAT logging configuration.

Log enable

Whether NAT logging is enabled.

If an ACL is specified for NAT logging, this field also displays the ACL number or name.

Flow-begin

Whether logging is enabled for NAT session establishment events.

Flow-end

Whether logging is enabled for NAT session removal events.

Flow-active

Whether logging is enabled for active NAT flows. If it is, this field also displays the interval in minutes at which active flow logging is generated.

Port-block-assign

Whether logging is enabled for NAT444 port block assignment.

Port-block-withdraw

Whether logging is enabled for NAT444 port block withdrawal.

Alarm

Whether logging is enabled for NAT444 alarms.

 

Related commands

·          nat log enable

·          nat log flow-active

·          nat log flow-begin

display nat no-pat

Use display nat no-pat command to display information about NAT NO-PAT entries.

Syntax

display nat no-pat [ slot slot-number ]

Views

Any view

Default user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays NO-PAT entry information for all member devices.

Usage guidelines

If a NAT device has a NO-PAT translation method configured, the device creates the following items:

·          A NAT session entry.

·          A NO-PAT entry for recording the mapping between a private address and a public address.

A NO-PAT entry can also be created during the ALG process for NAT.

The NO-PAT entry ensures the following:

·          The same entry applies to subsequent connections originating from the same source IP address.

·          The NO-PAT entries allow reverse translation for connections initiated by external hosts to internal hosts.

Outbound and inbound NO-PAT address translations create their own NO-PAT tables. These two types of tables are displayed separately.

Examples

# Display information about NO-PAT entries.

<Sysname> display nat no-pat

Slot 1:

Global  IP: 200.100.1.100

Local   IP: 192.168.100.100

Reversible: N

Type      : Inbound

 

Local   IP: 192.168.100.200

Global  IP: 200.100.1.200

Reversible: Y

Type      : Outbound

 

Total entries found: 2

Table 34 Command output

Field

Description

Local IP

Private IP address.

Global IP

Public IP address.

Reversible

Whether reverse address translation is allowed.

Type

Type of the NO-PAT entry:

·         Inbound—NO-PAT entries are created during inbound dynamic NAT.

·         Outbound—NO-PAT entries are created during outbound dynamic NAT.

Total entries found

Total number of NO-PAT entries.

 

Related commands

·          nat inbound

·          nat outbound

display nat outbound

Use display nat outbound to display information about outbound dynamic NAT.

Syntax

display nat outbound

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about outbound dynamic NAT.

<Sysname> display nat outbound

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: Vlan-interface10

    ACL: 2036

    Address group ID: 1            Address group name: a

    Port-preserved: Y    NO-PAT: N         Reversible: N

    Rule name: abcd

    Priority: 1000

    Config status: Active

 

  Interface: Vlan-interface10

    ACL: 2037

    Address group ID: ---

    Port-preserved: N    NO-PAT: Y         Reversible: Y

    Rule name: abcd

    Priority: 1000

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL

 

Table 35 Command output

Field

Description

NAT outbound information

Information about outbound dynamic NAT.

Interface

Interface where outbound dynamic NAT is configured.

ACL

IPv4 ACL number or name. If no IPv4 ACL is specified for outbound dynamic NAT, this field displays hyphens (---).

Address group

Address group used by inbound dynamic NAT. If no address group is specified for address translation, the field displays hyphens (---).

Port-preserved

Whether to try to preserve the port numbers for PAT.

NO-PAT

Whether NO-PAT is used:

·         YNO-PAT is used.

·         NPAT is used.

Reversible

Whether reverse address translation is allowed.

Rule name

Name of the NAT rule.

Priority

Priority of the NAT rule.

Config status

Status of the outbound dynamic NAT configuration: Active or Inactive.

Reasons for inactive status

Reasons why the outbound dynamic NAT configuration does not take effect. This field is available when the Config status is Inactive.

 

Related commands

nat outbound

display nat outbound port-block-group

Use display nat outbound port-block-group to display information about port block group application for NAT444.

Syntax

display nat outbound port-block-group

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about port block group application for NAT444.

<Sysname> display nat outbound port-block-group

NAT outbound port block group information:

  Totally 2 outbound port block group items.

  Interface: Vlan-interface20

    Port block group: 2

    Rule name: abcdefg

    Config status   : Active

 

  Interface: Vlan-interface20

    Port block group: 10

    Rule name: abcfg

    Config status   : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: port block group.

 

Table 36 Command output

Field

Description

Interface

Interface to which a port block group is applied.

Port block group

ID of the port block group.

Rule name

Name of the NAT rule.

Config status

Status of the port block group application: Active or Inactive.

Reasons for inactive status

Reasons why the port block group application fails. This field is available when the Config status is Inactive.

 

Related commands

nat outbound port-block-group

display nat port-block

Use display nat port-block to display NAT444 mappings.

Syntax

display nat port-block { dynamic | static } [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dynamic: Displays dynamic NAT444 mappings.

static: Displays static NAT444 mappings.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays NAT444 mappings for all member devices.

Examples

# Display static NAT444 mappings.

<Sysname> display nat port-block static

Slot 1:

Local VPN     Local IP         Global IP        Port block   Connections

---           100.100.100.111  202.202.100.101  10001-10256  0

---           100.100.100.112  202.202.100.101  10257-10512  0

---           100.100.100.113  202.202.100.101  10513-10768  0

---           100.100.100.113  202.202.100.101  10769-11024  0

Total mappings found: 4

# Display dynamic NAT444 mappings.

<Sysname> display nat port-block dynamic

Slot 1:

Local VPN     Local IP         Global IP        Port block   Connections

---           101.1.1.12       192.168.135.201  10001-11024  1

Total mappings found: 1

Table 37 Command output

Field

Description

Local VPN

VPN to which the private IP address belongs.

The device does not support this field in the current software version.

Local IP

Private IP address.

Global IP

Public IP address.

Port block

Port block defined by a start port and an end port.

Connections

Number of connections established by using the ports in the port block.

 

display nat port-block-group

Use display nat port-block-group to display information about NAT port block groups.

Syntax

display nat port-block-group [ group-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-number: Specifies the ID of a port block group. The value range for this argument is 0 to 65535. If you do not specify this argument, the command displays information about all port block groups.

Examples

# Display information about all port block groups.

<Sysname> display nat port-block-group

NAT port block group information:

  Totally 3 NAT port block groups.

  Port block group 1:

    Port range: 1-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      172.16.1.1           172.16.1.254         ---

      192.168.1.1          192.168.1.254        ---

      192.168.3.1          192.168.3.254        ---

    Global IP pool information:

      Start address        End address

      201.1.1.1            201.1.1.10

      201.1.1.21           201.1.1.25

 

  Port block group 2:

    Port range: 10001-30000

    Block size: 500

    Local IP address information:

      Start address        End address          VPN instance

      10.1.1.1             10.1.10.255          ---

    Global IP pool information:

      Start address        End address

      202.10.10.101        202.10.10.120

 

  Port block group 3:

    Port range: 1-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      ---                  ---                  ---

    Global IP pool information:

      Start address        End address

      ---                  ---

# Display information about port block group 1.

<Sysname> display nat port-block-group 1

  Port block group 1:

    Port range: 1-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      172.16.1.1           172.16.1.254         ---

      192.168.1.1          192.168.1.254        ---

      192.168.3.1          192.168.3.254        ---

    Global IP pool information:

      Start address        End address

      201.1.1.1            201.1.1.10

      201.1.1.21           201.1.1.25

Table 38 Command output

Field

Description

Port block group

ID of the NAT port block group.

Port range

Port range for the public IP addresses.

Block size

Number of ports in a port block.

Local IP address information

Information about private IP addresses.

Global IP pool information

Information about public IP addresses.

Start address

Start IP address of a private or public IP address range. If no start IP address is specified for the address range, this field displays hyphens (---).

End address

End IP address of a private or public IP address range. If no end IP address is specified for the address range, this field displays hyphens (---).

VPN instance

VPN to which the private IP address range belongs.

The device does not support this field in the current software version.

 

Related commands

nat port-block-group

display nat port-block-usage

Use display nat port-block-usage to display the port block usage for dynamic NAT444 address groups.

Syntax

display nat port-block-usage [ address-group group-id ] [ slot slot-number ]

Views

System view

Predefined user roles

network-admin

network-operator

Parameters

address-group group-id: Specifies the ID of an address group. The value range is 0 to 65535. If you do not specify an address group, this command displays the port block usage for all address groups.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays the port block usage for all member devices.

Examples

# Display the port block usage for dynamic NAT444 address groups in slot 1.

<Sysname> display nat port-block-usage slot 1

Slot 1:

Total NAT address groups found: 1

Table 39 Command output

Field

Description

Total NAT address groups found

Number of address groups.

 

display nat server

Use display nat server to display NAT Server configuration.

Syntax

display nat server

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display NAT Server configuration.

<Sysname> display nat server

NAT internal server information:

  Totally 5 internal servers.

  Interface: Vlan-interface30

    Global ACL    : 2000

    Local IP/port : 192.168.10.1/23

    Rule name     : cdefgab

    Priority      : 1000

    Config status : Active

 

  Interface: Vlan-interface40

    Protocol: 255(Reserved)

    Global IP/port: 50.1.1.100/---

    Local IP/port : 192.168.10.150/---

    Rule name     : abcg

    Config status : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: interface IP address.

 

  Interface: Vlan-interface50

    Protocol: 17(UDP)

    Global IP/port: 50.1.1.2/23

    Local IP/port : server group 1

                    1.1.1.1/21            (Connections: 10)

                    192.168.100.200/80    (Connections: 20)

    Rule name     : cdefg

    Config status : Active

 

Table 40 Command output

Field

Description

NAT internal server information

Information about NAT Server configuration.

Interface

Interface where NAT Server is configured.

Protocol

Protocol number and type of the internal server.

Global IP/port

Public IP address and port number of the internal server.

·         Global IPA single IP address or an address pool of consecutive addresses. If you use Easy IP, this field displays the address of the specified interface. If you do not specify an address for the interface, the Global IP field displays hyphens (---).

·         port—A single port number or a port pool of consecutive port numbers. If no port number is in the specified protocol, the port field displays hyphens (---).

Local IP/port

For common NAT Server, this field displays the private IP address and port number of the server.

·         Local IP—A single IP address or an address pool of consecutive addresses.

·         port—A single port number or a port pool of consecutive port numbers. If no port number is in the specified protocol, the port field displays hyphens (---).

For load sharing NAT Server, this field displays the internal server group name, IP address, port number, and number of connections of each member.

ACL

ACL number or name. If no ACL is specified, this field is not displayed.

Rule name

Name of the NAT rule.

Config status

Status of the NAT Server configuration: Active or Inactive.

Reasons for inactive status

Reasons why the NAT Server configuration does not take effect. This field is available when the Config status is Inactive.

 

Related commands

nat server

display nat server-group

Use display nat server-group to display internal server group configuration.

Syntax

display nat server-group [ group-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-number: Specifies the ID of the internal server group. The value range for this argument is 0 to 65535. If you do not specify this argument, this command displays configuration about all internal server groups.

Examples

# Display configuration about all internal server groups.

<Sysname> display nat server-group

NAT server group information:

  Totally 3 NAT server groups.

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

  2                   ---                   ---         ---

  3                   192.168.0.26          69          100

 

# Display configuration about the specified internal server group.

<Sysname> display nat server-group 1

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

 

Table 41 Command output

Field

Description

Group Number

ID of the internal server group.

Inside IP

Private IP address of a member in an internal server group. If no address is specified, this field displays hyphens (---).

Port

Private port number of a member in an internal server group. If no port number is specified, this field displays hyphens (---).

Weight

Weight of a member in an internal server. If no weight value is specified, this field displays hyphens (---).

 

Related commands

nat server-group

display nat session

Use display nat session to display sessions that have been NATed.

Syntax

display nat session [ { source-ip source-ip | destination-ip destination-ip } * ] [ slot slot-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

source-ip source-ip: Displays NAT sessions for the source IP address specified by the source-ip argument. The IP address must be the real source IP address of the packet that triggers the session establishment.

destination-ip destination-ip: Displays NAT sessions for the destination IP address specified by the destination-ip argument. The IP address must be the destination IP address of the packet that triggers the session establishment.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays NAT sessions for all member devices.

verbose: Display detailed information about NAT sessions. If you do not specify this keyword, this command displays brief information about NAT sessions.

Usage guidelines

If you do not specify any parameters, this command displays all NAT sessions.

Examples

# Display detailed information about NAT sessions.

<Sysname> display nat session verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Vlan-interface10

Responder:

  Source      IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.10/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Vlan-interface20

State: TCP_SYN_SENT

Application: SSH

Start time: 2011-07-29 19:12:36  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 1

Table 42 Command output

Field

Description

Initiator

Session information about an initiator.

Responder

Session information about a responder.

DS-Lite tunnel peer

Destination address of the DS-Lite tunnel interface. If the session does not belong to any DS-Lite tunnel, this field displays a hyphen (-).

The device does not support this field in the current software version.

VPN instance/VLAN ID/Inline ID

MPLS L3VPN instance to which the session belongs. The device does not support this field in the current software version.

VLAN ID to which the session belongs for Layer 2 forwarding.

INLINE to which the session belongs for Layer 2 forwarding.

If a setting is not specified, this field displays a hyphen (-).

Protocol

Transport layer protocol type, DCCP, ICMP, Raw IP, SCTP, TCP, UDP, or UDP-Lite.

Inbound interface

Input interface.

State

NAT session status.

Application

Application layer protocol type, such as FTP and DNS.

This field displays OTHER for the protocol types identified by non-well-known ports.

Start time

Time when the session starts.

TTL

NAT session lifetime in seconds.

Initiator->Responder

Number of packets and packet bytes from the initiator to the responder.

Responder->Initiator

Number of packets and packet bytes from the responder to the initiator.

Total sessions found

Total number of session tables.

 

Related commands

reset nat session

display nat static

Use display nat static to display static NAT mappings.

Syntax

display nat static

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display static NAT mappings.

<Sysname> display nat static

Static NAT mappings:

  Totally 2 inbound static NAT mappings.

  Net-to-net:

    Global IP    : 1.1.1.1 - 1.1.1.255

    Local IP     : 2.2.2.0

    Netmask      : 255.255.255.0

    ACL          : 3000

    Reversible   : Y

    Rule name    : abcdefg

    Priority     : 1000

    Config status: Active

 

  IP-to-IP:

    Global IP    : 5.5.5.5

    Local IP     : 4.4.4.4

    ACL          : 3000

    Reversible   : Y

    Rule name    : abefg

    Priority     : 1000

   Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

 

Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 1.1.1.1 - 1.1.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    ACL          : 3000

    Reversible   : Y

    Config status: Active

 

  IP-to-IP:

    Local IP     : 4.4.4.4

    Global IP    : 5.5.5.5

    ACL:         : 3001

    Reversible   : Y

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

 

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: Vlan-interface20

    Config status: Active

 

  Interface: Vlan-interface30

    Config status: Active

 

Table 43 Command output

Field

Description

Net-to-net

Net-to-net static NAT mapping.

IP-to-IP

One-to-one static NAT mapping.

Local IP

Private IP address or address pool.

Global IP

Public IP address or address pool.

Netmask

Network mask.

ACL

ACL number or name. If no ACL is specified, this field is not displayed.

Reversible

Whether reverse address translation is allowed. If this feature is not configured, this field is not displayed.

Rule name

Name of the NAT rule.

Priority

Priority of the NAT rule.

Config status

Status of the static NAT mapping configuration: Active or Inactive.

Reasons for inactive status

Reasons why the static NAT mapping configuration does not take effect. This field is available when the Config status is Inactive.

 

Related commands

·          nat static

·          nat static net-to-net

·          nat static enable

display nat statistics

Use display nat statistics to display NAT statistics.

Syntax

display nat statistics [ summary ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

summary: Displays NAT statistics summary. If you do not specify this keyword, this command displays detailed NAT statistics.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays NAT statistics for all member devices.

Examples

# Display detailed information about all NAT statistics.

<Sysname> display nat statistics

Slot 1:

  Total session entries: 100

  Total EIM entries: 1

  Total inbound NO-PAT entries: 0

  Total outbound NO-PAT entries: 0

  Total static port block entries: 10

  Total dynamic port block entries: 15

  Active static port block entries: 0

  Active dynamic port block entries: 0

Table 44 Command output

Field

Description

Total session entries

Number of NAT session entries.

Total EIM entries

Number of EIM entries.

Total inbound NO-PAT entries

Number of inbound NO-PAT entries.

Total outbound NO-PAT entries

Number of outbound NO-PAT entries.

Total static port block entries

Number of static NAT444 mappings.

Total dynamic port block entries

Number of dynamic NAT444 mappings that can be created. It equals the number of port blocks for dynamic assignment, including the assigned and unassigned port blocks.

Active static port block entries

Number of static NAT444 mappings that are in use.

Active dynamic port block entries

Number of dynamic NAT444 mappings that have been created. It equals the number of dynamically assigned port blocks.

 

# Display summary information about all NAT statistics.

<Sysname> display nat statistics summary

EIM: Total EIM entries.

SPB: Total static port block entries.

DPB: Total dynamic port block entries.

ASPB: Active static port block entries.

ADPB: Active dynamic port block entries.

Slot Sessions  EIM       SPB       DPB       ASPB      ADPB

1    0         0         0         1572720   0         0

Table 45 Command output

Field

Description

Slot

Member ID of the IRF member device.

Sessions

Number of NAT session entries.

EIM

Number of EIM entries.

SPB

Number of static NAT444 mappings.

DPB

Number of dynamic NAT444 mappings that can be created. It equals the number of port blocks for dynamic assignment, including the assigned and unassigned port blocks.

ASPB

Number of static NAT444 mappings in use.

ADPB

Number of dynamic NAT444 mappings that have been created. It equals the number of dynamically assigned port blocks.

 

global-ip-pool

Use global-ip-pool to add a public IP address range to a NAT port block group.

Use undo global-ip-pool to delete a public IP address range from a NAT port block group.

Syntax

global-ip-pool start-address end-address

undo global-ip-pool start-address

Default

No public IP address range exists in the NAT port block group.

Views

NAT port block group view

Predefined user roles

network-admin

Parameters

start-address end-address: Specifies the start IP address and end IP address of a public IP address range. The end IP address cannot be smaller than the start IP address. If the start and end IP addresses are the same, only one public IP address is specified.

Usage guidelines

You can add multiple public IP address ranges to a port block group, but they cannot overlap.

Public IP address ranges in different port block groups can overlap. But the port ranges for overlapped ranges in different port block groups cannot overlap.

The number of port blocks that a public IP address can assign is determined by dividing the number of ports in the port range by the port block size.

Examples

# Add a public IP address range to the port block group 1. The public IP address range consists of IP addresses from 202.10.1.1 to 202.10.1.10.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] global-ip-pool 202.10.1.1 202.10.1.10

Related commands

nat port-block-group

inside ip

Use inside ip to add a member to an internal server group.

Use undo inside ip to remove a member from an internal server group.

Syntax

inside ip inside-ip port port-number [ weight weight-value ]

undo inside ip inside-ip port port-number

Default

An internal server group does not contain any member.

Views

Internal server group view

Predefined user roles

network-admin

Parameters

inside-ip: Specifies the IP address of an internal server.

port port-number: Specifies the port number of an internal server, in the range of 1 to 65535, excluding FTP port 20.

weight weight-value: Specifies the weight of the internal server. The value range is 1 to 1000, and the default value is 100. An internal server with a larger weight receives a larger percentage of connections in the internal server group.

Examples

# Add a member with IP address 10.1.1.2 and port number 30 to internal server group 1.

<Sysname> system-view

[Sysname] nat server-group 1

[Sysname-nat-server-group-1] inside ip 10.1.1.2 port 30

Related commands

nat server-group

local-ip-address

Use local-ip-address to add a private IP address range to a NAT port block group.

Use undo local-ip-address to delete a private IP address range from a NAT port block group.

Syntax

local-ip-address start-address end-address

undo local-ip-address start-address

Default

No private IP address range exists in a NAT port block group.

Views

NAT port block group view

Predefined user roles

network-admin

Parameters

start-address end-address: Specifies the start IP address and end IP address of a private IP address range. The end IP address cannot be smaller than the start IP address. If the start and end IP addresses are the same, only one private IP address is specified.

Usage guidelines

You can add multiple private IP address ranges to a port block group, but they cannot overlap.

Private IP address ranges in different port block groups can overlap.

For static NAT444 mappings in one port block group, the number of private IP addresses cannot be larger than the number of assignable port blocks. Otherwise, some private IP addresses cannot obtain port blocks.

Examples

# Add a private IP address range to the port block group 1. The private IP address range consists of IP addresses from 172.16.1.1 to 172.16.1.255.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] local-ip-address 172.16.1.1 172.16.1.255

Related commands

nat port-block-group

nat address-group

Use nat address-group to create a NAT address group and enter its view.

Use undo nat address-group to remove a NAT address group.

Syntax

nat address-group group-number [ name group-name ]

undo nat address-group group-number

Default

No NAT address group exists.

Views

System view

Predefined user roles

network-admin

Parameters

group-number: Assigns an ID to the NAT address group. The value range for this argument is 0 to 65535.

name group-name: Assigns a name to the NAT address group. The group-name argument is a case-insensitive string of 1 to 63 characters.

Usage guidelines

A NAT address group consists of multiple address ranges. Use the address command to specify an address range.

Examples

# Create a NAT address group numbered 1 and named abc.

<Sysname> system-view

[Sysname] nat address-group 1 name abc

Related commands

·          address

·          display nat address-group

·          display nat all

·          nat inbound

·          nat outbound

nat alg

Use nat alg to enable NAT with ALG for the specified or all supported protocols.

Use undo nat alg to disable NAT with ALG for the specified or all supported protocols.

Syntax

nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }

undo nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet |tftp | xdmcp }

Default

NAT with ALG is enabled for DNS, FTP, ICMP error messages, RTSP, and PPTP, and is disabled for the other supported protocols.

Views

System view

Predefined user roles

network-admin

Parameters

all: Enables NAT with ALG for all supported protocols.

dns: Enables NAT with ALG for DNS.

ftp: Enables NAT with ALG for FTP.

h323: Enables NAT with ALG for H.323.

icmp-error: Enables NAT with ALG for ICMP error packets.

ils: Enables NAT with ALG for ILS.

mgcp: Enables NAT with ALG for MGCP.

nbt: Enables NAT with ALG for NBT.

pptp: Enables NAT with ALG for PPTP.

rsh: Enables NAT with ALG for RSH.

rtsp: Enables NAT with ALG for RTSP.

sccp: Enables NAT with ALG for SCCP.

sip: Enables NAT with ALG for SIP.

sqlnet: Enables NAT with ALG for SQLNET.

tftp: Enables NAT with ALG for TFTP.

xdmcp: Enables NAT with ALG for XDMCP.

Usage guidelines

NAT with ALG translates address or port information in the application layer payload to ensure connection establishment.

For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires NAT with ALG to translate the address and port information to establish data connection.

Examples

# Enable NAT with ALG for FTP.

<Sysname> system-view

[Sysname] nat alg ftp

Related commands

display nat all

nat dns-map

Use nat dns-map to configure a DNS mapping for NAT. The mapping maps the domain name of an internal server to the public IP address, public port number, and protocol type of the internal server.

Use undo nat dns-map to remove a DNS mapping for NAT.

Syntax

nat dns-map domain domain-name protocol pro-type { interface interface-type interface-number | ip global-ip } port global-port

undo nat dns-map domain domain-name

Default

No DNS mapping for NAT exists.

Views

System view

Predefined user roles

network-admin

Parameters

domain domain-name: Specifies the domain name of an internal server. A domain name is a dot-separated, case-insensitive string that can include letters, digits, hyphens (-), underscores (_), and dots (.) (for example, aabbcc.com). The domain name suffix can contain a maximum of 253 characters, and each separated string contains no more than 63 characters.

protocol pro-type: Specifies the type of the protocol used by the internal server, tcp or udp.

interface interface-type interface-number: Enables Easy IP to use the IP address of the interface specified by its type and number as the public address of the internal server.

ip global-ip: Specifies the public IP address used by the internal server to provide services for the external network.

port global-port: Specifies the public port number used by the internal server to provide services for the external network. The port number format can be one of the following:

·          A number in the range of 1 to 65535.

·          A protocol name, a string of 1 to 15 characters. For example, ftp and telnet.

Usage guidelines

NAT with DNS mapping must operate with the NAT Server feature. NAT with DNS mapping maps the domain name of the internal server to the public IP address, public port number, and protocol type of the server. NAT Server maps the public IP and port to the private IP and port of the internal server. This allows an internal host to access an internal server on the same private network by using the domain name of the internal server when the DNS server is on the public network.

You can configure multiple NAT with DNS mappings.

Examples

# Configure a NAT with DNS mapping between the domain name www.server.com, the public IP address 202.112.0.1, and the public port number 12345. Specify the protocol type as TCP.

<Sysname> system-view

[Sysname] nat dns-map domain www.server.com protocol tcp ip 202.112.0.1 port 12345

Related commands

·          display nat all

·          display nat dns-map

·          nat server

nat hairpin enable

Use nat hairpin enable to enable NAT hairpin.

Use undo nat hairpin enable to disable NAT hairpin.

Syntax

nat hairpin enable

undo nat hairpin enable

Default

NAT hairpin is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

NAT hairpin allows internal hosts to access each other or allows internal hosts to access internal servers. It must cooperate with NAT Server, outbound dynamic NAT, or outbound static NAT. The source and destination IP addresses of the packets are translated on the interface connected to the internal network.

Examples

# Enable NAT hairpin on interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat hairpin enable

Related commands

display nat all

nat icmp-error reply

Use nat icmp-error reply to enable sending ICMP error messages for NAT failures.

Use undo nat icmp-error reply to restore the default.

Syntax

nat icmp-error reply

undo nat icmp-error reply

Default

No ICMP error messages are sent for NAT failures.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Disabling sending ICMP error messages for NAT failures reduces useless packets, saves bandwidth, and avoids exposing the firewall IP address to the public network.

This command is required for traceroute.

Examples

# Enable sending ICMP error messages for NAT failures.

<Sysname> system-view

[Sysname] nat icmp-error reply

nat inbound

Use nat inbound to configure an inbound dynamic NAT rule on an interface.

Use undo nat inbound to remove the specified inbound dynamic NAT rule on an interface.

Syntax

nat inbound { acl-number | name acl-name } address-group { group-number | name group-name } [ no-pat [ reversible ] [ add-route ] ] [ rule rule-name ] [ priority priority ] [ disable ] [ description text ]

undo nat inbound { acl-number | name acl-name }

Default

No inbound dynamic NAT rule is configured.

Views

Interface view

Predefined user roles

network-admin

Parameters

acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.

address-group group-number: Specifies an address group for address translation. The value for the group-number argument is 0 to 65535.

group-name: Specifies the name of a NAT address group. The group-name argument is a case-insensitive string of 1 to 63 characters.

no-pat: Uses NO-PAT for inbound NAT. If you do not specify this keyword, PAT is used. PAT supports only TCP, UDP, and ICMP query packets. For an ICMP packet, the ICMP ID is used as its source port number.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal hosts to external hosts. It uses existing NO-PAT entries to translate destination addresses for packets of these connections if the packets are permitted by ACL reverse matching.

add-route: Automatically adds a route to the private address when address translation is performed for a packet. The output interface is the NAT interface and the next-hop is the source address before translation. If you do not specify this keyword, you must manually add the route. Because automatic route adding is slow, H3C recommends that you add routes manually.

rule rule-name: Specifies the name of a NAT rule. The rule name is a case-insensitive string of 1 to 63 characters. If you do not specify a rule name, the specified NAT rule does not have a name.

priority priority: Specifies the priority of a NAT rule. The value range for the priority argument is 0 to 65535. The smaller the priority value, the higher the priority. If you do not specify a priority, the priority value is 65535, which is the lowest. For NAT rules of the same type and the same priority, the device uses them to match packets in the order as they are configured.

disable: Disables the inbound dynamic NAT rule. If you do not specify this keyword, the rule is enabled.

description text: Specifies a description for the inbound dynamic NAT rule. The text argument is a case-insensitive string of 1 to 63 characters.

Usage guidelines

Inbound dynamic NAT translates the source IP addresses of incoming packets permitted by the ACL into IP addresses in the address group.

Inbound dynamic NAT supports the PAT and NO-PAT modes.

·          PAT—Performs port translation in addition to IP address translation.

·          NO-PAT—Performs only IP address translation.

The NO-PAT mode supports reverse address translation. Reverse address translation uses ACL reverse matching to identify packets to be translated. ACL reverse matching works as follows:

·          Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

·          Translates the destination IP address of the packet according to the matching NO-PAT entry, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Inbound dynamic NAT typically operates with one of the following to implement bidirectional NAT:

·          Outbound dynamic NAT (the nat outbound command).

·          The NAT Server feature (the nat server command).

·          Outbound static NAT (the nat static command).

An address group cannot be used by both the nat inbound and nat outbound commands. It cannot be used by the nat inbound command in both PAT and NO-PAT modes.

Do not specify the add-route keyword if the internal and external networks are on the same subnet.

An ACL can be used by only one inbound dynamic NAT rule on an interface.

You can configure multiple inbound dynamic NAT rules on an interface.

The vpn-instance parameter is required if you deploy inbound dynamic NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure ACL 2001, and create a rule to permit packets only from subnet 10.110.10.0/24 to pass through.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255

[Sysname-acl-ipv4-basic-2001] rule deny

[Sysname-acl-ipv4-basic-2001] quit

# Create address group 1 and add an address range to the group.

[Sysname] nat address-group 1

[Sysname-address-group-1] address 202.110.10.10 202.110.10.12

[Sysname-address-group-1] quit

# Configure an inbound NO-PAT rule on interface VLAN-interface 10, and specify the name and the priority of the rule as abc and 0, respectively. NAT translates the source addresses of incoming packets into the addresses in address group 1, and automatically adds a route for translated packets.

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] nat inbound 2001 address-group 1 no-pat add-route rule abc priority 0

Related commands

·          display nat all

·          display nat inbound

·          display nat no-pat

nat inbound rule move

Use nat inbound rule move to modify the priority of an inbound dynamic NAT rule.

Syntax

nat inbound rule move nat-rule-name1 { after | before } nat-rule-name2

Views

Interface view

Predefined user roles

network-admin

Parameters

nat-rule-name1: Specifies the name of a NAT rule to be moved.

after: Moves NAT rule nat-rule-name1 to appear behind NAT rule nat-rule-name2.

before: Moves NAT rule nat-rule-name1 to appear in front of NAT rule nat-rule-name2.

nat-rule-name2: Specifies the name of a NAT rule to be moved.

Usage guidelines

This command takes effect only on an inbound dynamic NAT rule that has a name.

After you change the order of the inbound dynamic NAT rules by executing this command, the priorities of these NAT rules also changes.

·          If you execute the nat inbound rule move nat-rule-name1 after nat-rule-name2 command, the priority value of NAT rule nat-rule-name2 does not change. The priority value of NAT rule nat-rule-name1 changes to be greater than that of NAT rule nat-rule-name2 by 1.

·          If you execute the nat inbound rule move nat-rule-name1 before nat-rule-name2 command, the priority value of NAT rule nat-rule-name2 does not change. The priority value of NAT rule nat-rule-name1 changes to be smaller than that of NAT rule nat-rule-name2 by 1.

A rule with a high priority takes precedence over a rule with a low priority for packet matching.

Examples

# Move inbound dynamic NAT rule abc to appear in front of inbound dynamic NAT rule def.

<Sysname> nat inbound rule move abc before def

Related commands

nat inbound

nat log alarm

Use nat log alarm to enable NAT444 alarm logging.

Use undo nat log alarm to disable NAT444 alarm logging.

Syntax

nat log alarm

undo nat log alarm

Default

NAT alarm logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Enable NAT logging before you enable NAT444 alarm logging. The alarm logs are informational.

The NAT444 gateway generates alarm logs in the following situations:

·          The ports in the selected port block of a static NAT444 mapping are all occupied.

·          The ports in the selected port blocks (including extended ones) of a dynamic NAT444 mapping are all occupied.

·          The public IP addresses and port blocks for dynamic NAT444 are all assigned.

Examples

# Enable NAT444 alarm logging.

<Sysname> system-view

[Sysname] nat log alarm

Related commands

·          display nat all

·          display nat log

·          nat log enable

nat log enable

Use nat log enable to enable NAT logging.

Use undo nat log enable to disable NAT logging.

Syntax

nat log enable [ acl { acl-number | name acl-name } ]

undo nat log enable

Default

NAT logging is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

acl: Specifies an ACL.

acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You must enable NAT logging before you enable NAT session logging, NAT444 user logging, or NAT444 alarm logging.

The acl keyword takes effect only for NAT session logging. If an ACL is specified, flows matching the permit rule might trigger NAT session logs. If you do not specify an ACL, all flows processed by NAT might trigger NAT session logs.

Examples

# Enable NAT logging.

<Sysname> system-view

[Sysname] nat log enable

Related commands

·          display nat all

·          display nat log

·          nat log alarm

·          nat log flow-active

·          nat log flow-begin

·          nat log flow-end

·          nat log port-block-assign

·          nat log port-block-withdraw

nat log flow-active

Use nat log flow-active to log active NAT flows and set the logging interval.

Use undo nat log flow-active to disable the logging feature for active NAT flows.

Syntax

nat log flow-active time-value

undo nat log flow-active

Default

Logging for active NAT flows is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the interval for logging active NAT flows, in the range of 10 to 120 minutes.

Usage guidelines

This feature helps track active NAT flows.

Logging for active flows takes effect only after you enable NAT logging.

Examples

# Enable logging for active NAT flows and set the logging interval to 10 minutes.

<Sysname> system-view

[Sysname] nat log flow-active 10

Related commands

·          display nat all

·          display nat log

·          nat log enable

nat log flow-begin

Use nat log flow-begin to enable logging for NAT session establishment events.

Use undo nat log flow-begin to disable logging for NAT session establishment events.

Syntax

nat log flow-begin

undo nat log flow-begin

Default

Logging for NAT session establishment events is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Logging for NAT session establishment events takes effect only after you enable NAT logging.

Examples

# Enable logging for NAT session establishment events.

<Sysname> system-view

[Sysname] nat log flow-begin

Related commands

·          display nat all

·          display nat log

·          nat log enable

nat log flow-end

Use nat log flow-end to enable logging for NAT session removal events.

Use undo nat log flow-end to disable logging for NAT session removal events.

Syntax

nat log flow-end

undo nat log flow-end

Default

Logging for NAT session removal events is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Logging for NAT session removal events takes effect only after you enable NAT logging.

Examples

# Enable logging for NAT session removal events.

<Sysname> system-view

[Sysname] nat log flow-end

Related commands

·          display nat all

·          display nat log

·          nat log enable

nat log port-block-assign

Use nat log port-block-assign to enable NAT444 user logging for port block assignment.

Use undo nat log port-block-assign to disable NAT444 user logging for port block assignment.

Syntax

nat log port-block-assign

undo nat log port-block-assign

Default

NAT444 user logging is disabled for port block assignment.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Enable NAT logging before you enable NAT444 user logging for port block assignment.

For static NAT444, the NAT444 gateway generates a user log when it translates the first connection from a private IP address.

For dynamic NAT444, the NAT444 gateway generates a user log when it assigns or extends a port block for a private IP address.

Examples

# Enable NAT444 user logging for port block assignment.

<Sysname> system-view

[Sysname] nat log port-block-assign

Related commands

·          display nat all

·          display nat log

·          nat log enable

nat log port-block-withdraw

Use nat log port-block-withdraw to enable NAT444 user logging for port block withdrawal.

Use undo nat log port-block-withdraw to disable NAT444 user logging for port block withdrawal.

Syntax

nat log port-block-withdraw

undo nat log port-block-withdraw

Default

NAT444 user logging is disabled for port block withdrawal.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Enable NAT logging before you enable NAT444 user logging for port block withdrawal.

For static NAT444, the NAT444 gateway generates a user log when all connections from a private IP address are disconnected.

For dynamic NAT444, the NAT444 gateway generates a user log when all the following conditions are met:

·          All connections from a private IP address are disconnected.

·          The port blocks (including the extended ones) assigned to the private IP address are withdrawn.

·          The corresponding mapping entry is deleted.

Examples

# Enable NAT444 user logging for port block withdrawal.

<Sysname> system-view

[Sysname] nat log port-block-withdraw

Related commands

·          display nat all

·          display nat log

·          nat log enable

nat mapping-behavior

Use nat mapping-behavior to configure the mapping behavior mode for PAT.

Use undo nat mapping-behavior to restore the default.

Syntax

nat mapping-behavior endpoint-independent [ acl { acl-number | name acl-name } ]

undo nat mapping-behavior endpoint-independent

Default

Address and Port-Dependent Mapping applies.

Views

System view

Predefined user roles

network-admin

Parameters

acl: Specifies an ACL to apply the NAT mapping behavior to packets that are permitted by the ACL. If you do not specify an ACL, the Endpoint-Independent Mapping applies to all packets.

acl acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

PAT supports the following types of NAT mappings:

·          Endpoint-Independent Mapping—Uses the same IP and port mapping (EIM entry) for packets from the same source and port to any destination. EIM allows external hosts to access the internal hosts by using the translated IP address and port. It allows internal hosts behind different NAT gateways to access each other.

·          Address and Port-Dependent Mapping—Uses different IP and port mappings for packets with the same source IP and port to different destination IP addresses and ports. APDM allows an external host to access an internal host only under the condition that the internal host has previously accessed the external host. It is secure, but it does not allow internal hosts behind different NAT gateways to access each other.

This command takes effect only on outbound PAT. Address and Port-Dependent Mapping always applies to inbound PAT.

Examples

# Apply the Endpoint-Independent Mapping mode to all packets for address translation.

<Sysname> system-view

[Sysname] nat mapping-behavior endpoint-independent

# Apply the Endpoint-Independent Mapping to FTP and HTTP packets, and the Address and Port-Dependent Mapping to other packets for address translation.

<Sysname> system-view

[Sysname] acl advanced 3000

[Sysname-acl-ipv4-adv-3000] rule permit tcp destination-port eq 80

[Sysname-acl-ipv4-adv-3000] rule permit tcp destination-port eq 21

[Sysname-acl-ipv4-adv-3000] quit

[Sysname] nat mapping-behavior endpoint-independent acl 3000

Related commands

·          nat outbound

·          display nat eim

nat outbound

Use nat outbound to configure an outbound dynamic NAT rule on an interface.

Use undo nat outbound to remove the specified outbound dynamic NAT rule.

Syntax

NO-PAT:

nat outbound [ acl-number | name acl-name ] address-group { group-number | name group-name } no-pat [ reversible ] [ rule rule-name ] [ priority priority ] [ disable ] [ description text ]

undo nat outbound [ acl-number | name acl-name ]

PAT:

nat outbound [ acl-number | name acl-name ] [ address-group { group-number | name group-name } ] [ port-preserved ] [ rule rule-name ] [ priority priority ] [ disable ] [ description text ]

undo nat outbound [ acl-number | name acl-name ]

Default

No outbound dynamic NAT rule is configured.

Views

Interface view

Predefined user roles

network-admin

Parameters

acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.

address-group group-number: Specifies an address group for NAT. The value range for the group-number argument is 0 to 65535. If you do not specify an address group, the IP address of the interface is used as the NAT address. Easy IP is used.

group-name: Specifies the name of a NAT address group. The group-name argument is a case-insensitive string of 1 to 63 characters.

no-pat: Uses NO-PAT for outbound NAT. If you do not specify this keyword, PAT is used. PAT only supports TCP, UDP, and ICMP query packets. For an ICMP packet, the ICMP ID is used as its source port number.

reversible: Allows reverse address translation. Reverse address translation uses existing NO-PAT entries to translate destination addresses for packets of connections actively initiated by external hosts to internal hosts.

port-preserved: Tries to preserve port number for PAT.

rule rule-name: Specifies the name of a NAT rule. The rule name is a case-insensitive string of 1 to 63 characters. If you do not specify a rule name, the specified NAT rule does not have a name.

priority priority: Specifies the priority of a NAT rule. The value range for the priority argument is 0 to 65535. The smaller the priority value, the higher the priority. If you do not specify a priority, the priority value is 65535, which is the lowest. For NAT rules of the same type and the same priority, the device uses them to match packets in the order as they are configured.

disable: Disables the outbound dynamic NAT rule. If you do not specify this keyword, the rule is enabled.

description text: Specifies a description for the outbound dynamic NAT rule. The text argument is a case-insensitive string of 1 to 63 characters.

Usage guidelines

Outbound dynamic NAT is typically configured on the interface connected to the external network. NAT translates the source IP addresses of outgoing packets permitted by the ACL into IP addresses in the address group. If you do not specify an ACL, NAT translates all packets.

Outbound dynamic NAT supports the following modes:

·          PAT—Performs port translation in addition to IP address translation.

·          NO-PAT—Performs only IP address translation.

The NO-PAT mode supports reverse address translation. If an ACL is specified, reverse address translation only applies to packets permitted by ACL reverse matching. ACL reverse matching works as follows:

·          Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

·          Translates the destination IP address of the packet according to the matching NO-PAT entry, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Dynamic NAT444 does not support the NO-PAT mode.

An address group cannot be used by both the nat inbound and nat outbound commands. It cannot be used by the nat outbound command in both PAT and NO-PAT modes.

An ACL can be used by only one outbound dynamic NAT rule an interface.

You can configure multiple outbound dynamic NAT rules on an interface.

Outbound dynamic NAT rules with ACLs configured on an interface takes precedence over those without ACLs. The priority for the ACL-based dynamic NAT rules depends on ACL number. A higher ACL number represents a higher priority.

When a port range and port block parameters are specified in the NAT address group, this command configures a dynamic NAT444 rule. Packets matching the ACL permit rule are processed by dynamic NAT444.

The port-preserved keyword does not take effect on dynamic NAT444.

The vpn-instance parameter is required if you deploy outbound dynamic NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure ACL 2001, and create a rule to permit packets only from segment 10.110.10.0/24 to pass through.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255

[Sysname-acl-ipv4-basic-2001] rule deny

[Sysname-acl-ipv4-basic-2001] quit

# Create address group 1 and add an address range to the group.

[Sysname] nat address-group 1

[Sysname-address-group-1] address 202.110.10.10 202.110.10.12

[Sysname-address-group-1] quit

# Configure an outbound dynamic PAT rule on interface VLAN-interface 10 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] nat outbound 2001 address-group 1

[Sysname-Vlan-interface10] quit

Or

# Configure an outbound NO-PAT rule on interface VLAN-interface 10 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address pool 1.

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] nat outbound 2001 address-group 1 no-pat

[Sysname-Vlan-interface10] quit

Or

# Enable Easy IP to use the IP address of VLAN-interface 10 as translated address.

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] nat outbound 2001

[Sysname-Vlan-interface10] quit

Or

# Enable reverse address translation and use addresses in address pool 1 as NAT addresses.

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] nat outbound 2001 address-group 1 no-pat reversible

Related commands

·          display nat eim

·          display nat outbound

·          nat mapping-behavior

nat outbound port-block-group

Use nat outbound port-block-group to apply a port block group to the outbound direction of an interface.

Use undo nat outbound port-block-group to remove a port block group application.

Syntax

nat outbound port-block-group group-number [ rule rule-name ]

undo nat outbound port-block-group group-number

Default

No port block group is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

group-number: Specifies a port block group by its ID. The value range for this argument is 0 to 65535.

rule rule-name: Specifies the name of a NAT rule. The rule name is a case-insensitive string of 1 to 63 characters. If you do not specify a rule name, the specified NAT rule does not have a name.

Usage guidelines

You can apply multiple port block groups to one interface.

After you apply a port block group to an interface, the system automatically computes the NAT444 mappings and creates entries for them. When a private IP address accesses the public network, the private IP address is translated to the mapped public IP address, and the ports are translated to ports in the selected port block.

Examples

# Apply port block group 1 to the outbound direction of VLAN-interface 10, and specify the name of the port block group mapping rule as abc.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] nat outbound port-block-group 1 rule abc

Related commands

·          display nat all

·          display nat outbound port-block-group

·          display nat port-block

·          nat port-block-group

nat outbound rule move

Use nat outbound rule move to modify the priority of an outbound dynamic NAT rule.

Syntax

nat outbound rule move nat-rule-name1 { after | before } nat-rule-name2

Views

Interface view

Predefined user roles

network-admin

Parameters

nat-rule-name1: Specifies the name of a NAT rule to be moved.

after: Moves NAT rule nat-rule-name1 to appear behind NAT rule nat-rule-name2.

before: Moves NAT rule nat-rule-name1 to appear in front of NAT rule nat-rule-name2.

nat-rule-name2: Specifies the name of a NAT rule to be moved.

Usage guidelines

This command takes effect only on an outbound dynamic NAT rule that has a name.

After you change the order of the outbound dynamic NAT rules by executing this command, the priorities of these NAT rules also changes.

·          If you execute the nat outbound rule move nat-rule-name1 after nat-rule-name2 command, the priority value of NAT rule nat-rule-name2 does not change. The priority value of NAT rule nat-rule-name1 changes to be greater than that of NAT rule nat-rule-name2 by 1.

·          If you execute the nat outbound rule move nat-rule-name1 before nat-rule-name2 command, the priority value of NAT rule nat-rule-name2 does not change. The priority value of NAT rule nat-rule-name1 changes to be smaller than that of NAT rule nat-rule-name2 by 1.

A rule with a high priority takes precedence over a rule with a low priority for packet matching.

Examples

# Move outbound dynamic NAT rule abc to appear in front of outbound dynamic NAT rule def.

<Sysname> nat outbound rule move abc before def

Related commands

nat outbound

nat port-block global-share enable

Use nat port-block global-share enable to enable global mapping sharing for dynamic NAT444.

Use undo nat port-block global-share enable to disable global mapping sharing for dynamic NAT444.

Syntax

nat port-block global-share enable

undo nat port-block global-share enable

Default

Global mapping sharing is disabled for Dynamic NAT444.

Views

System view

Predefined user roles

network-admin

Usage guidelines

When multiple interfaces have dynamic NAT444 configured, the interfaces might create different NAT444 mappings for packets from the same IP address. You can use this command to configure the interfaces to share the same NAT444 mapping for translating packets from the same IP address.

Examples

# Enable global mapping sharing for dynamic NAT444.

<Sysname> system-view

[Sysname] nat port-block global-share enable

Related commands

port-block

nat port-block-group

Use nat port-block-group to create a port block group and enter its view.

Use undo nat port-block-group to delete a port block group.

Syntax

nat port-block-group group-number

undo nat port-block-group group-number

Default

No port block group exists.

Views

System view

Predefined user roles

network-admin

Parameters

group-number: Assigns an ID to the NAT port block group. The value range for this argument is 0 to 65535.

Usage guidelines

A port block group is configured to implement static NAT444.

You must configure the following items for a port block group:

·          A minimum of one private IP address range (see the local-ip-address command).

·          A minimum of one public IP address range (see the global-ip-address command).

·          A port range (see the port-range command).

·          A port block size (see the block-size command).

The system computes static NAT444 mappings according to the port block group configuration, and creates entries for the mappings.

Examples

# Create NAT port block group 1.

<Sysname>system-view

[Sysname]nat port-block-group 1

[Sysname-port-block-group-1]

Related commands

·          block-size

·          display nat all

·          display nat port-block-group

·          global-ip-pool

·          local-ip-address

·          nat outbound port-block-group

·          port-range

nat log port-block usage threshold

Use nat log port-block usage threshold to set the port block usage threshold for dynamic NAT444.

Use undo nat log port-block usage threshold to restore the default.

Syntax

nat log port-block usage threshold threshold-value

undo nat log port-block usage threshold

Default

The port block usage threshold for dynamic NAT444 is 90%.

Views

System view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the port block usage threshold in percentage, in the range of 40 to 100.

Usage guidelines

The system generates alarm logs if the port block usage exceeds the threshold.

Examples

# Set the port block usage threshold for dynamic NAT444 to 60%.

<Sysname> system-view

[Sysname] nat log port-block usage threshold 60

nat server

Use nat server to create a mapping from the private IP address and port of an internal server to a public address and port for an internal server.

Use undo nat server to remove a mapping.

Syntax

Common NAT Server:

·          A single public address with no or a single public port:

nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] inside local-address [ local-port ] [ acl { acl-number | name acl-name } ] [ reversible ] [ rule rule-name ] [ disable ]

undo nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ]

·          A single public address with consecutive public ports:

nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 inside { { local-address | local-address1 local-address2 } local-port | local-address local-port1 local-port2 } [ acl { acl-number | name acl-name } ] [ rule rule-name ] [ disable ]

undo nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2

·          Consecutive public addresses with no or a single public port:

nat server protocol pro-type global global-address1 global-address2 [ global-port ] inside { local-address | local-address1 local-address2 } [ local-port ] [ acl { acl-number | name acl-name } ] [ rule rule-name ] [ disable ]

undo nat server protocol pro-type global global-address1 global-address2 [ global-port ]

·          Consecutive public addresses with a single public port:

nat server protocol pro-type global global-address1 global-address2 global-port inside local-address local-port1 local-port2 [ acl { acl-number | name acl-name } ] [ rule rule-name ] [ disable ]

undo nat server protocol pro-type global global-address1 global-address2 global-port

Load sharing NAT Server:

nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } inside server-group group-number [ acl { acl-number | name acl-name } ] [ rule rule-name ] [ disable ]

undo nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port }

ACL-based NAT Server:

nat server global { global-acl-number | name global-acl-name } inside local-address [ local-port ] [ rule rule-name ] [ priority priority ] [ disable ]

undo nat server global { global-acl-number | name global-acl-name } inside local-address [ local-port ]

Default

The NAT Server feature is not configured.

Views

Interface view

Predefined user roles

network-admin

Parameters

protocol pro-type: Specifies a protocol type. When the protocol is TCP or UDP, NAT Server can be configured with port information. If you do not specify a protocol type, the command applies to packets of all protocols. The protocol type format can be one of the following:

·          A number in the range of 1 to 255.

·          A protocol name of icmp, tcp, or udp.

global-address: Specifies the public address of an internal server.

global-address1 global address2: Specifies a public IP address range, which can include a maximum number of 65535 addresses. The global-address1 argument specifies the start address, and global address2 specifies the end address that must be greater than the start address.

global: Specifies an ACL. The destination IP addresses of packets permitted by the ACL can be translated.

global-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name global-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.

current-interface: Enables Easy IP on the current interface. The IP address of the interface is used as the public address for the internal server.

interface interface-type interface-number: Enables Easy IP on the interface specified by its type and number. The IP address of the interface is used as the public address for the internal server. Only loopback interfaces are supported.

global-port1 global-port2: Specifies a public port number range, which can include a maximum of 256 ports. The global-port1 argument specifies the start port, and global-port2 specifies the end port that must be greater than the start port. The public port number format can be one of the following:

·          A number in the range of 1 to 65535. Both the start port and the end port support this format.

·          A protocol name, a string of 1 to 15 characters. For example, http and telnet. Only the start port supports this format.

local-address1 local-address2: Specifies a private IP address range. The local-address1 argument specifies the start address, and local-address2 specifies the end address that must be greater than the start address. The number of addresses in the range must equal the number of ports in the public port number range.

local-port: Specifies the private port number. The private port number format can be one of the following:

·          A number in the range of 1 to 65535, excluding FTP port 20. Both the start port and the end port support this format.

·          A protocol name, a string of 1 to 15 characters. For example, http and telnet.

global-port: Specifies the public port number. The default value and value range are the same as those for the local-port argument.

local-address: Specifies the private IP address.

server-group group-number: Specifies the internal server group to which the internal server belongs. With this parameter, the load sharing NAT Server feature is configured. The group-number argument specifies the internal server group number. The value range for this argument is 0 to 65535.

acl: Specifies an ACL to identify packets that can be translated by using the mapping.

acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal servers to the external network. It translates the private IP addresses of the internal servers to their public IP addresses.

rule rule-name: Specifies the name of a NAT rule. The rule name is a case-insensitive string of 1 to 63 characters. If you do not specify a rule name, the specified NAT rule does not have a name.

priority priority: Specifies the priority of a NAT rule. The value range for the priority argument is 0 to 65535. The smaller the priority value, the higher the priority. If you do not specify a priority, the priority value is 65535, which is the lowest. For NAT rules of the same type and the same priority, the device uses them to match packets in the order as they are configured.

disable: Disables the NAT Server mapping. If you do not specify this keyword, the mapping is enabled.

Usage guidelines

You can configure the NAT Server feature to allow internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) in the internal network to provide services for external users.

NAT Server is usually configured on the interface connected to the external network on a NAT device. By using the global-address and global-port arguments, external users can access the internal server at local-address and local-port. The following table describes the address-port mappings between an external network and an internal network for NAT Server.

Table 46 Address-port mappings for NAT Server

External network

Internal network

One public address

One private address

One public address and one public port number

One private address and one private port number

One public address and N consecutive public port numbers

One private address and one private port number

N consecutive private addresses and one private port number

One private address and N consecutive private port numbers

N consecutive public addresses

One private address

N consecutive private addresses

N consecutive public addresses and one public port number

One private address and one private port number

N consecutive private addresses and one private port number

One private address and N consecutive private port numbers

One public address and one public port number

One private server group

One public address and N consecutive public port numbers

N consecutive public addresses and one public port number

Public addresses matching an ACL

One private address

One private address and one private port

 

The number of internal servers that each command can define equals the number of public ports in the specified public port range.

When the protocol type is not udp (protocol number 17) or tcp (protocol number 6), you can configure only one-to-one IP address mapping.

The mapping of the protocol type, public address, and public port number must be unique for an internal server on an interface.

If the IP address of an interface used by Easy IP changes and conflicts with the IP address of an internal server not using Easy IP, the Easy IP configuration becomes invalid. If the conflicted address is modified to an unconflicted address or the internal server configuration without Easy IP is removed, the Easy IP configuration takes effect.

The vpn-instance parameter is required if you deploy NAT Server for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Allow external users to access the internal Web server at 10.110.10.10 on the LAN through http://202.110.10.10:8080.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 http

[Sysname-Vlan-interface10] quit

# Allow external users to access the internal FTP server at 10.110.10.11 through ftp://202.110.10.10.

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11

[Sysname-Vlan-interface10] quit

# Allow external hosts to ping the host at 10.110.10.12 by using the ping 202.110.10.11 command.

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12

[Sysname-Vlan-interface10] quit

# Allow external hosts to access the Telnet services of internal servers at 10.110.10.1 to 10.110.10.100 through the public address 202.110.10.10 and port numbers from 1001 to 1100. As a result, a user can Telnet to 202.110.10.10:1001 to access 10.110.10.1, Telnet to 202.110.10.10:1002 to access 10.110.10.2, and so on.

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet

# Configure ACL-based NAT Server to allow users to use IP addresses in subnet 192.168.0.0/24 to access the internal server at 10.0.0.172.

<Sysname> system-view

[Sysname] acl advanced 3000

[Sysname-acl-ipv4-adv-3000] rule 5 permit ip destination 192.168.0.0 0.0.0.255

[Sysname-acl-ipv4-adv-3000] quit

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] nat server global 3000 inside 10.0.0.172

Related commands

·          display nat all

·          display nat server

·          nat server-group

nat server-group

Use nat server-group to create an internal server group.

Use undo nat server-group to remove an internal server group.

Syntax

nat server-group group-number

undo nat server-group group-number

Default

No internal server group exists.

Views

System view

Predefined user roles

network-admin

Parameters

group-number: Assigns an ID to the internal server group. The value range for this argument is 0 to 65535.

Usage guidelines

An internal server group can contain multiple members configured by the inside ip command.

Examples

# Create internal server group 1.

<Sysname> system-view

[Sysname] nat server-group 1

Related commands

·          display nat all

·          display nat server-group

·          inside ip

·          nat server

nat server rule move

Use nat server rule move to modify the priority of an ACL-based NAT server rule.

Syntax

nat server rule move nat-rule-name1 { after | before } nat-rule-name2

Views

Interface view

Predefined user roles

network-admin

Parameters

nat-rule-name1: Specifies the name of a NAT rule to be moved.

after: Moves NAT rule nat-rule-name1 to appear behind NAT rule nat-rule-name2.

before: Moves NAT rule nat-rule-name1 to appear in front of NAT rule nat-rule-name2.

nat-rule-name2: Specifies the name of a NAT rule to be moved.

Usage guidelines

This command takes effect only on an ACL-based NAT server rule that has a name.

After you change the order of the ACL-based NAT server rules by executing this command, the priorities of these NAT rules also changes.

·          If you execute the nat server rule move nat-rule-name1 after nat-rule-name2 command, the priority value of NAT rule nat-rule-name2 does not change. And the priority value of NAT rule nat-rule-name1 changes to be greater than that of NAT rule nat-rule-name2 by 1.

·          If you execute the nat server rule move nat-rule-name1 before nat-rule-name2 command, the priority value of NAT rule nat-rule-name2 does not change. And the priority value of NAT rule nat-rule-name1 changes to be smaller than that of NAT rule nat-rule-name2 by 1.

A rule with a high priority takes precedence over a rule with a low priority for packet matching.

Examples

# Move ACL-based NAT server rule abc to appear in front of ACL-based NAT server rule def.

<Sysname> nat server rule move abc before def

Related commands

nat server

nat static enable

Use nat static enable to enable static NAT on an interface.

Use undo nat static enable to disable static NAT on an interface.

Syntax

nat static enable

undo nat static enable

Default

Static NAT is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

Static NAT mappings take effect on an interface only after static NAT is enabled on the interface.

Examples

# Configure an outbound static NAT mapping between private IP address 192.168.1.1 and public IP address 2.2.2.2, and enable static NAT on interface VLAN-interface 10.

<Sysname> system-view

[Sysname] nat static outbound 192.168.1.1 2.2.2.2

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] nat static enable

Related commands

·          display nat all

·          display nat static

·          nat static

·          nat static net-to-net

nat static inbound

Use nat static inbound to configure a one-to-one mapping for inbound static NAT.

Use undo nat static inbound to remove a one-to-one mapping for inbound static NAT.

Syntax

nat static inbound global-ip [ acl { acl-number | name acl-name } [ reversible ] ] local-ip [ rule rule-name ] [ priority priority ] [ disable ]

undo nat static inbound global-ip [ acl { acl-number | name acl-name } ]

Default

No NAT mapping exists.

Views

System view

Predefined user roles

network-admin

Parameters

global-ip: Specifies a public IP address.

acl: Specifies an ACL to identify packets that can be translated by using the mapping.

acl-number: Specifies an ACL by its number in the range of 3000 to 3999.

name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal hosts to the external host. It uses the mapping to translate the destination address for packets of these connections if the packets are permitted by ACL reverse matching.

local-ip: Specifies a private IP address.

rule rule-name: Specifies the name of a NAT rule. The rule name is a case-insensitive string of 1 to 63 characters. If you do not specify a rule name, the specified NAT rule does not have a name.

priority priority: Specifies the priority of a NAT rule. The value range for the priority argument is 0 to 65535. The smaller the priority value, the higher the priority. If you do not specify a priority, the priority value is 65535, which is the lowest. For NAT rules of the same type and the same priority, the device uses them to match packets in the order as they are configured.

disable: Disables the one-to-one inbound static mapping. If you do not specify this keyword, the mapping is enabled.

Usage guidelines

When the source IP address of a packet from the public network to the private network matches the global-ip, the source IP address is translated into the local-ip. When the destination IP address of a packet from the private network to the public network matches the local-ip, the destination IP address is translated into the global-ip.

·          If you do not specify an ACL, the source address of all incoming packets and the destination address of all outgoing packets are translated.

·          If you specify an ACL and do not specify the reversible keyword, the source address of incoming packets permitted by the ACL is translated. The destination address of packets is not translated for connections actively initiated by internal hosts to the external host.

·          If you specify both an ACL and the reversible keyword, the source address of incoming packets permitted by the ACL is translated. If packets of connections actively initiated by internal hosts to the external host are permitted by ACL reverse matching, the destination address is translated.

ACL reverse matching works as follows:

·          Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

·          Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP address/port in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple inbound static NAT mappings by using the nat static inbound command and the nat static inbound net-to-net command.

The vpn-instance parameter is required if you deploy inbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure an inbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.

<Sysname> system-view

[Sysname] nat static inbound 2.2.2.2 192.168.1.1

Related commands

·          display nat all

·          display nat static

·          nat static enable

nat static inbound net-to-net

Use nat static inbound net-to-net to configure a net-to-net mapping for inbound static NAT.

Use undo nat static inbound net-to-net to remove a net-to-net mapping for inbound static NAT.

Syntax

nat static inbound net-to-net global-start-address global-end-address [ acl { acl-number | name acl-name } [ reversible ] ] local local-network { mask-length | mask } [ rule rule-name ] [ priority priority ] [ disable ]

undo nat static inbound net-to-net global-start-address global-end-address [ acl { acl-number | name acl-name } ]

Default

No NAT mapping exists.

Views

System view

Predefined user roles

network-admin

Parameters

global-start-address global-end-address: Specifies a public address range which can contain a maximum of 255 addresses. The global-end-address must not be lower than global-start-address. If they are the same, only one public address is specified.

acl: Specifies an ACL to identify packets that can use NAT rules for address translation.

acl-number: Specifies an ACL by its number in the range of 3000 to 3999.

name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal hosts to the external hosts. It uses the mapping to translate destination addresses for packets of these connections if the packets are permitted by ACL reverse matching.

local-network: Specifies a private network address.

mask-length: Specifies the mask length of the private network address, in the range of 8 to 31.

mask: Specifies the mask of the private network address.

rule rule-name: Specifies the name of a NAT rule. The rule name is a case-insensitive string of 1 to 63 characters. If you do not specify a rule name, the specified NAT rule does not have a name.

priority priority: Specifies the priority of a NAT rule. The value range for the priority argument is 0 to 65535. The smaller the priority value, the higher the priority. If you do not specify a priority, the priority value is 65535, which is the lowest. For NAT rules of the same type and the same priority, the device uses them to match packets in the order as they are configured.

disable: Disables the net-to-net inbound static mapping. If you do not specify this keyword, the mapping is enabled.

Usage guidelines

Specify a public network through a start address and an end address, and a private network through a private address and a mask.

The public end address cannot be greater than the greatest IP address in the subnet determined by the public start address and the private network mask. For example, if the private address is 2.2.2.0 with a mask 255.255.255.0 and the public start address is 1.1.1.100, the public end address cannot be greater than 1.1.1.255, the greatest IP address in the subnet 1.1.1.0/24.

When the source IP address of an incoming packet matches the public address range, the source IP address is translated into a private address in the private address range. When the destination IP address of a packet from the private network matches the private address range, the destination IP address is translated into a public address in the public address range.

·          If you do not specify an ACL, the source addresses of all incoming packets and the destination addresses of all outgoing packets are translated.

·          If you specify an ACL and do not specify the reversible keyword, the source addresses of incoming packets permitted by the ACL are translated. The destination addresses of packets are not translated for connections actively initiated by internal hosts to the external hosts.

·          If you specify both an ACL and the reversible keyword, the source addresses of incoming packets permitted by the ACL are translated. If packets of connections actively initiated by internal hosts to the external hosts are permitted by ACL reverse matching, the destination addresses are translated.

ACL reverse matching works as follows:

·          Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

·          Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple inbound static NAT mappings by using the nat static inbound command and the nat static inbound net-to-net command.

The vpn-instance parameter is required if you deploy inbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure an inbound static NAT between public network address 202.100.1.0/24 and private network address 192.168.1.0/24.

<Sysname> system-view

[Sysname] nat static inbound net-to-net 202.100.1.1 202.100.1.255 local 192.168.1.0 24

Related commands

·          display nat all

·          display nat static

·          nat static enable

nat static inbound rule move

Use nat static inbound rule move to modify the priority of a one-to-one static inbound NAT rule.

Syntax

nat static inbound rule move nat-rule-name1 { after | before } nat-rule-name2

Views

System view

Predefined user roles

network-admin

Parameters

nat-rule-name1: Specifies the name of a NAT rule to be moved.

after: Moves NAT rule nat-rule-name1 to appear behind NAT rule nat-rule-name2.

before: Moves NAT rule nat-rule-name1 to appear in front of NAT rule nat-rule-name2.

nat-rule-name2: Specifies the name of a NAT rule to be moved.

Usage guidelines

This command takes effect only on a one-to-one static inbound NAT rule that has a name.

After you change the order of the one-to-one static inbound NAT rules by executing this command, the priorities of these NAT rules also changes.

·          If you execute the nat static inbound rule move nat-rule-name1 after nat-rule-name2 command, the priority value of NAT rule nat-rule-name2 does not change. And the priority value of NAT rule nat-rule-name1 changes to be greater than that of NAT rule nat-rule-name2 by 1.

·          If you execute the nat static inbound rule move nat-rule-name1 before nat-rule-name2 command, the priority value of NAT rule nat-rule-name2 does not change. And the priority value of NAT rule nat-rule-name1 changes to be smaller than that of NAT rule nat-rule-name2 by 1.

A rule with a high priority takes precedence over a rule with a low priority for packet matching.

Examples

# Move one-to-one static inbound NAT rule abc to appear in front of one-to-one static inbound NAT rule def.

<Sysname> nat static inbound rule move abc before def

Related commands

nat static inbound

nat static outbound

Use nat static outbound to configure a one-to-one mapping for outbound static NAT.

Use undo nat static outbound to remove a one-to-one mapping for outbound static NAT.

Syntax

nat static outbound local-ip [ acl { acl-number | name acl-name } [ reversible ] ] global-ip [ rule rule-name ] [ priority priority ] [ disable ]

undo nat static outbound local-ip [ acl { ipv4-acl-number | name ipv4-acl-name } ]

Default

No NAT mapping exists.

Views

System view

Predefined user roles

network-admin

Parameters

local-ip: Specifies a private IP address.

acl: Specifies an ACL to identify packets that can use NAT rules for address translation.

acl-number: Specifies an ACL by its number in the range of 3000 to 3999.

name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by external hosts to the internal host. It uses the mapping to translate the destination address for packets of these connections if the packets are permitted by ACL reverse matching.

global-ip: Specifies a public IP address.

rule rule-name: Specifies the name of a NAT rule. The rule name is a case-insensitive string of 1 to 63 characters. If you do not specify a rule name, the specified NAT rule does not have a name.

priority priority: Specifies the priority of a NAT rule. The value range for the priority argument is 0 to 65535. The smaller the priority value, the higher the priority. If you do not specify a priority, the priority value is 65535, which is the lowest. For NAT rules of the same type and the same priority, the device uses them to match packets in the order as they are configured.

disable: Disables the one-to-one outbound static mapping. If you do not specify this keyword, the mapping is enabled.

Usage guidelines

When the source IP address of an outgoing packet matches the local-ip, the IP address is translated into the global-ip. When the destination IP address of an incoming packet matches the global-ip, the destination IP address is translated into the local-ip.

·          If you do not specify an ACL, the source address of all outgoing packets and the destination address of all incoming packets are translated.

·          If you specify an ACL and do not specify the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. The destination address of packets is not translated for connections actively initiated by external hosts to the internal host.

·          If you specify both an ACL and the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. If packets of connections actively initiated by external hosts to the internal host are permitted by ACL reverse matching, the destination address is translated.

ACL reverse matching works as follows:

·          Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

·          Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP address/port in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.

The vpn-instance parameter is required if you deploy outbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure an inbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.

<Sysname> system-view

[Sysname] nat static inbound 2.2.2.2 192.168.1.1

# Configure outbound static NAT, and allow the internal user 192.168.1.1 to access the external network 3.3.3.0/24 by using the public IP address 2.2.2.2.

<Sysname> system-view

[Sysname] acl advanced 3001

[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255

[Sysname-acl-ipv4-adv-3001] quit

[Sysname] nat static outbound 192.168.1.1 acl 3001 2.2.2.2

Related commands

·          display nat all

·          display nat static

·          nat static enable

nat static outbound net-to-net

Use nat static outbound net-to-net to configure a net-to-net outbound static NAT mapping.

Use undo nat static outbound net-to-net to remove the specified net-to-net outbound static NAT mapping.

Syntax

nat static outbound net-to-net local-start-address local-end-address [ acl { acl-number | name acl-name } [ reversible ] ] global global-network { mask-length | mask } [ rule rule-name ] [ priority priority ] [ disable ]

undo nat static outbound net-to-net local-start-address local-end-address [ acl { acl-number | name acl-name }

Default

No NAT mapping exists.

Views

System view

Predefined user roles

network-admin

Parameters

local-start-address local-end-address: Specifies a private address range which can contain a maximum of 255 addresses. The local-end-address must not be lower than local-start-address. If they are the same, only one private address is specified.

acl: Specifies an ACL to identify packets that can use NAT rules for address translation.

acl-number: Specifies an ACL number in the range of 3000 to 3999.

name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by external hosts to the internal hosts. It uses the mapping to translate destination addresses for packets of these connections if the packets are permitted by ACL reverse matching.

global-network: Specifies a public network address.

mask-length: Specifies the mask length of the public network address, in the range of 8 to 31.

mask: Specifies the mask of the public network address.

rule rule-name: Specifies the name of a NAT rule. The rule name is a case-insensitive string of 1 to 63 characters. If you do not specify a rule name, the specified NAT rule does not have a name.

priority priority: Specifies the priority of a NAT rule. The value range for the priority argument is 0 to 65535. The smaller the priority value, the higher the priority. If you do not specify a priority, the priority value is 65535, which is the lowest. For NAT rules of the same type and the same priority, the device uses them to match packets in the order as they are configured.

disable: Disables the net-to-net outbound static mapping. If you do not specify this keyword, the mapping is enabled.

Usage guidelines

Specify a private network through a start address and an end address, and a public network through a public address and a mask.

The private end address cannot be greater than the greatest IP address in the subnet determined by the private start address and the public network mask. For example, the public address is 2.2.2.0 with a mask 255.255.255.0, and the private start address is 1.1.1.100. The private end address cannot be greater than 1.1.1.255, the greatest IP address in the subnet 1.1.1.0/24.

When the source IP address of a packet from the private network matches the private address range, the source IP address is translated into a public address in the public address range. When the destination IP address of a packet from the public network matches the public address range, the destination IP address is translated into a private address in the private address range.

·          If you do not specify an ACL, the source addresses of all outgoing packets and the destination addresses of all incoming packets are translated.

·          If you specify an ACL and do not specify the reversible keyword, the source addresses of outgoing packets permitted by the ACL are translated. The destination addresses of packets are not translated for connections actively initiated by external hosts to the internal hosts.

·          If you specify both an ACL and the reversible keyword, the source addresses of outgoing packets permitted by the ACL are translated. If packets of connections actively initiated by external hosts to the internal hosts are permitted by ACL reverse matching, the destination addresses are translated.

ACL reverse matching works as follows:

·          Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

·          Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.

The vpn-instance parameter is required if you deploy outbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Examples

# Configure an outbound static NAT mapping between private network address 192.168.1.0/24 and public network address 2.2.2.0/24.

<Sysname> system-view

[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24

# Configure outbound static NAT. Allow internal users on subnet 192.168.1.0/24 to access the external subnet 3.3.3.0/24 by using public IP addresses on subnet 2.2.2.0/24.

<Sysname> system-view

[Sysname] acl advanced 3001

[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255

[Sysname-acl-ipv4-adv-3001] quit

[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 acl 3001 global 2.2.2.0 24

Related commands

·          display nat all

·          display nat static

·          nat static enable

nat static outbound rule move

Use nat static outbound rule move to modify the priority of a one-to-one static outbound NAT rule.

Syntax

nat static outbound rule move nat-rule-name1 { after | before } nat-rule-name2

Views

System view

Predefined user roles

network-admin

Parameters

nat-rule-name1: Specifies the name of a NAT rule to be moved.

after: Moves NAT rule nat-rule-name1 to appear behind NAT rule nat-rule-name2.

before: Moves NAT rule nat-rule-name1 to appear in front of NAT rule nat-rule-name2.

nat-rule-name2: Specifies the name of a NAT rule to be moved.

Usage guidelines

This command takes effect only on a one-to-one static outbound NAT rule that has a name.

After you change the order of the one-to-one static outbound NAT rules by executing this command, the priorities of these NAT rules also changes.

·          If you execute the nat static outbound rule move nat-rule-name1 after nat-rule-name2 command, the priority value of NAT rule nat-rule-name2 does not change. And the priority value of NAT rule nat-rule-name1 changes be greater than that of NAT rule nat-rule-name2 by 1.

·          If you execute the nat static outbound rule move nat-rule-name1 before nat-rule-name2 command, the priority value of NAT rule nat-rule-name2 does not change. And the priority value of NAT rule nat-rule-name1 changes to be smaller than that of NAT rule nat-rule-name2 by 1.

A rule with a high priority takes precedence over a rule with a low priority for packet matching.

Examples

# Move one-to-one static outbound NAT rule abc to appear in front of one-to-one static outbound NAT rule def.

<Sysname> nat static outbound rule move abc before def

Related commands

nat static outbound

port-block

Use port block to configure port block parameters for a NAT address group.

Use undo port block to remove port block configuration from a NAT address group.

Syntax

port block block-size block-size [ extended-block-number extended-block-number ]

undo port block

Default

Port block parameters are not configured for a NAT address group.

Views

NAT address group view

Predefined user roles

network-admin

Parameters

block-size block-size: Sets the port block size. The value range for this argument is 1 to 65535. In a NAT address group, the port block size cannot be larger than the number of ports in the port range.

extended-block-number extended-block-number: Specifies the number of extended port blocks, in the range of 1 to 5. When a private IP address accesses the public network, but the ports in the selected port block are all occupied, the NAT444 gateway extends port blocks one by one for the private IP address.

Usage guidelines

With dynamic NAT444 configured, when a private IP address initiates a connection to the public network, the NAT444 gateway assigns it a public IP address and a port block, and creates an entry for the mapping. For subsequent connections from the private IP address, the NAT444 gateway translates the private IP address to the mapped public IP address and the ports to ports in the selected port block.

Examples

# Set the port block size to 256 and the number of extended port blocks to 1 for NAT address group 2.

<Sysname> system-view

[Sysname] nat address-group 2

[Sysname-address-group-2] port-block block-size 256 extended-block-number 1

Related commands

nat address-group

port-range

Use port-range to specify a port range for public IP addresses.

Use undo port-range to restore the default.

Syntax

port-range start-port-number end-port-number

undo port-range

Default

The port range for public IP addresses is 1 to 65535.

Views

NAT address group view

NAT port block group view

Predefined user roles

network-admin

Parameters

start-port-number end-port-number: Specifies the start port number and end port number for the port range. The end port number cannot be smaller than the start port number.

Usage guidelines

The port range must include all ports that a public IP address uses for address translation.

The number of ports in a port range cannot be smaller than the port block size.

Examples

# Specify the port range as 1024 to 65535 for NAT address group 1.

<Sysname> system-view

[Sysname] nat address-group 1

[Sysname-address-group-1] port-range 1024 65535

# Specify the port range as 30001 to 65535 for NAT port block group 1.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] port-range 30001 65535

Related commands

·          nat address-group

·          nat port-block-group

reset nat session

Use reset nat session to clear NAT sessions.

Syntax

reset nat session [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears NAT sessions for all member devices.

Usage guidelines

After you remove the NAT session, the corresponding NAT EIM table and NO-PAT table are removed at the same time.

Examples

# Clear all NAT sessions.

<Sysname> reset nat session

Related commands

display nat session

 


Load sharing commands

The following matrix shows the feature and hardware compatibility:

 

Hardware series

Model

Load sharing compatibility

WX1800H series

WX1804H

WX1810H

WX1820H

WX1840H

Yes

WX3800H series

WX3820H

WX3840H

No

WX5800H series

WX5860H

No

 

ip load-sharing mode

Use ip load-sharing mode to configure the load sharing mode.

Use undo ip load-sharing mode to restore the default.

Syntax

ip load-sharing mode { per-flow [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * | per-packet } global

undo ip load-sharing mode global

Default

The device performs per-flow load sharing.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

per-flow: Implements per-flow load sharing.

dest-ip: Identifies flows by destination IP address.

dest-port: Identifies flows by destination port.

ip-pro: Identifies flows by protocol number.

src-ip: Identifies flows by source IP address.

src-port: Identifies flows by source port.

global: Configures the load sharing mode globally.

per-packet: Implements per-packet load sharing.

Examples

# Configure per-packet load sharing.

<Sysname> system-view

[Sysname] ip load-sharing mode per-packet


IP performance optimization commands

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

display icmp statistics

Use display icmp statistics to display ICMP statistics.

Syntax

display icmp statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ICMP statistics for all member devices.

Usage guidelines

ICMP statistics include information about received and sent ICMP packets.

Examples

# Display ICMP statistics.

<Sysname> display icmp statistics

  Input: bad formats   0                   bad checksum            0

         echo          175                 destination unreachable 0

         source quench 0                   redirects               0

         echo replies  201                 parameter problem       0

         timestamp     0                   information requests    0

         mask requests 0                   mask replies            0

         time exceeded 0                   invalid type            0

         router advert 0                   router solicit          0

         broadcast/multicast echo requests ignored            0

         broadcast/multicast timestamp requests ignored       0

 Output: echo          0                   destination unreachable 0

         source quench 0                   redirects               0

         echo replies  175                 parameter problem       0

         timestamp     0                   information replies     0

         mask requests 0                   mask replies            0

         time exceeded 0                   bad address             0

         packet error  1442                router advert           3

display ip statistics

Use display ip statistics to display IP packet statistics.

Syntax

display ip statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IP packet statistics for all member devices.

Usage guidelines

IP statistics include information about received and sent packets and reassembly.

Examples

# Display IP packet statistics.

<Sysname> display ip statistics

  Input:   sum            7120             local             112

           bad protocol   0                bad format        0

           bad checksum   0                bad options       0

           dropped        0

  Output:  forwarding     0                local             27

           dropped        0                no route          2

           compress fails 0

  Fragment:input          0                output            0

           dropped        0

           fragmented     0                couldn't fragment 0

  Reassembling:sum        0                timeouts          0

Table 47 Command output

Field

Description

Input

sum

Total number of packets received.

local

Total number of packets destined for the device.

bad protocol

Total number of unknown protocol packets.

bad format

Total number of packets with incorrect format.

bad checksum

Total number of packets with incorrect checksum.

bad options

Total number of packets with incorrect option.

dropped

Total number of dropped packets.

Output

forwarding

Total number of packets forwarded.

local

Total number of packets locally sent.

dropped

Total number of packets discarded.

no route

Total number of packets for which no route is available.

compress fails

Total number of packets failed to be compressed.

Fragment

input

Total number of fragments received.

output

Total number of fragments sent.

dropped

Total number of fragments dropped.

fragmented

Total number of packets successfully fragmented.

couldn't fragment

Total number of packets failed to be fragmented.

Reassembling

sum

Total number of packets reassembled.

timeouts

Total number of reassembly timeouts.

 

Related commands

·          display ip interface

·          reset ip statistics

display rawip

Use display rawip to display brief information about RawIP connections.

Syntax

display rawip [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays brief information about RawIP connections for all member devices.

Usage guidelines

Brief RawIP connection information includes local and peer addresses, protocol, and PCB.

Examples

# Display brief information about RawIP connections.

<Sysname> display rawip

 Local Addr       Foreign Addr     Protocol  Slot  PCB

 0.0.0.0          0.0.0.0          1         1     0x0000000000000009

 0.0.0.0          0.0.0.0          1         1     0x0000000000000008

Table 48 Command output

Field

Description

Local Addr

Local IP address.

Foreign Addr

Peer IP address.

Protocol

Protocol number.

Slot

ID of the IRF member device.

PCB

Protocol control block.

 

display rawip verbose

Use display rawip verbose to display detailed information about RawIP connections.

Syntax

display rawip verbose [ slot slot-number [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pcb pcb-index: Displays detailed RawIP connection information for the specified PCB. The pcb-index argument specifies the index of the PCB. The value range for the pcb-index argument is 1 to 16.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays detailed information about RawIP connections for all member devices.

Usage guidelines

The detailed information includes socket creator, state, option, type, protocol number, and the source and destination IP addresses of RawIP connections.

Examples

# Display detailed information about RawIP connections.

<Sysname> display rawip verbose

Total RawIP socket number: 1

 

 Location: slot 1

 Creator: ping[320]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 9216 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 3

 Protocol: 1

 Connection info: src = 0.0.0.0, dst = 0.0.0.0

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV4

 TTL: 255(minimum TTL: 0)

 Send VRF: 0xffff

 Receive VRF: 0xffff

Table 49 Command output

Field

Description

Total RawIP socket number

Total number of RawIP sockets.

Location

Location of the device.

Slot

ID of the IRF member device.

Creator

Name of the operation that created the socket. The number in brackets is the process number of the creator.

State

State of the socket.

Options

Socket options.

Error

Error code.

Receiving buffer (cc/hiwat/lowat/drop/state)

Displays receive buffer information in the following order:

·         cc—Used space.

·         hiwat—Maximum space.

·         lowat—Minimum space.

·         drop—Number of dropped packets.

·         state—Buffer state:

?  CANTSENDMORE—Unable to send data to the peer.

?  CANTRCVMORE—Unable to receive data from the peer.

?  RCVATMARK—Receiving tag.

?  N/A—None of the above states.

Sending buffer (cc/hiwat/lowat/state)

Displays send buffer information in the following order:

·         cc—Used space.

·         hiwat—Maximum space.

·         lowat—Minimum space.

·         state—Buffer state:

?  CANTSENDMORE—Unable to send data to the peer.

?  CANTRCVMORE—Unable to receive data from the peer.

?  RCVATMARK—Receiving tag.

?  N/A—None of the above states.

Type

Socket type:

·         1SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams.

·         2SOCK_DGRAM. This socket uses UDP to provide datagram transmission.

·         3SOCK_RAW. This socket allows an application to change the next upper-layer protocol header.

·         N/A—None of the above types.

Protocol

Number of the protocol using the socket.

Connection info

Source IP address and destination IP address.

Inpcb flags

Flags in the Internet PCB:

·         INP_RECVOPTS—Receives IP options.

·         INP_RECVRETOPTS—Receives replied IP options.

·         INP_RECVDSTADDR—Receives destination IP address.

·         INP_HDRINCL—Provides the entire IP header.

·         INP_REUSEADDR—Reuses the IP address.

·         INP_REUSEPORT—Reuses the port number.

·         INP_ANONPORTPort number not specified.

·         INP_RECVIF—Records the input interface of the packet.

·         INP_RECVTTLReceives TTL of the packet. Only UDP and RawIP support this flag.

·         INP_DONTFRAG—Sets the Don't Fragment flag.

·         INP_ROUTER_ALERT—Receives packets with the router alert option. Only RawIP supports this flag.

·         INP_PROTOCOL_PACKET—Identifies a protocol packet.

·         INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag.

·         INP_RCVMACADDR—Receives the MAC address of the frame.

·         INP_SNDBYLSPV—Sends through MPLS.

·         INP_RECVTOS—Receives TOS of the packet. Only UDP and RawIP support this flag.

·         INP_USEICMPSRC—Uses the specified IP address as the source IP address for outgoing ICMP packets.

·         INP_SYNCPCB—Waits until Internet PCB is synchronized.

·         N/ANone of the above flags.

Inpcb extflag

Extension flags in the Internet PCB:

·         INP_EXTRCVPVCIDXRecords the PVC index of the received packet.

·         INP_RCVPWIDRecords the PW ID of the received packet.

·         N/ANone of the above flags.

Inpcb vflag

IP version flags in the Internet PCB:

·         INP_IPV4IPv4 protocol.

·         INP_TIMEWAIT—In TIMEWAIT state.

·         INP_ONESBCAST—Sends broadcast packets.

·         INP_DROPPEDProtocol dropped flag.

·         INP_SOCKREFStrong socket reference.

·         INP_DONTBLOCKDo not block synchronization of the Internet PCB.

·         N/ANone of the above flags.

TTL

TTL value in the Internet PCB.

 

display tcp

Use display tcp to display brief information about TCP connections.

Syntax

display tcp [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays brief information about TCP connections for all member devices.

Usage guidelines

Brief TCP connection information includes local IP address, local port number, peer IP address, peer port number, and TCP connection state.

Examples

# Display brief information about TCP connections.

<Sysname> display tcp

 *: TCP MD5 Connection

 Local Addr:port       Foreign Addr:port     State       Slot  PCB

*0.0.0.0:21            0.0.0.0:0             LISTEN      1     0x000000000000c387

 192.168.20.200:23     192.168.20.14:1284    ESTABLISHED 1     0x0000000000000009

 192.168.20.200:23     192.168.20.14:1283    ESTABLISHED 1     0x0000000000000002

Table 50 Command output

Field

Description

*

Indicates that the TCP connection uses MD5 authentication.

Local Addr:port

Local IP address and port number.

Foreign Addr:port

Peer IP address and port number.

State

TCP connection state.

Slot

ID of the IRF member device.

PCB

PCB index.

 

display tcp statistics

Use display tcp statistics to display TCP traffic statistics.

Syntax

display tcp statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays TCP traffic statistics for all member devices.

Usage guidelines

TCP traffic statistics include information about received and sent TCP packets and Syncache/syncookie.

Examples

# Display TCP traffic statistics.

<Sysname> display tcp statistics

Received packets:

    Total: 4150

    packets in sequence: 1366 (134675 bytes)

    window probe packets: 0, window update packets: 0

    checksum error: 0, offset error: 0, short error: 0

    packets dropped for lack of memory: 0

    packets dropped due to PAWS: 0

    duplicate packets: 12 (36 bytes), partially duplicate packets: 0 (0 bytes)

    out-of-order packets: 0 (0 bytes)

    packets with data after window: 0 (0 bytes)

    packets after close: 0

    ACK packets: 3531 (795048 bytes)

    duplicate ACK packets: 33, ACK packets for unsent data: 0

 

Sent packets:

    Total: 4058

    urgent packets: 0

    control packets: 50

    window probe packets: 3, window update packets: 11

    data packets: 3862 (795012 bytes), data packets retransmitted: 0 (0 bytes)

    ACK-only packets: 150 (52 delayed)

    unnecessary packet retransmissions: 0

 

Syncache/syncookie related statistics:

    entries added to syncache: 12

    syncache entries retransmitted: 0

    duplicate SYN packets: 0

    reply failures: 0

    successfully build new socket: 12

    bucket overflows: 0

    zone failures: 0

    syncache entries removed due to RST: 0

    syncache entries removed due to timed out: 0

    ACK checked by syncache or syncookie failures: 0

    syncache entries aborted: 0

    syncache entries removed due to bad ACK: 0

    syncache entries removed due to ICMP unreachable: 0

    SYN cookies sent: 0

    SYN cookies received: 0

 

SACK related statistics:

    SACK recoveries: 1

    SACK retransmitted segments: 0 (0 bytes)

    SACK blocks (options) received: 0

    SACK blocks (options) sent: 0

    SACK scoreboard overflows: 0

 

Other statistics:

    retransmitted timeout: 0, connections dropped in retransmitted timeout: 0

    persist timeout: 0

    keepalive timeout: 21, keepalive probe: 0

    keepalive timeout, so connections disconnected: 0

    fin_wait_2 timeout, so connections disconnected: 0

    initiated connections: 29, accepted connections: 12, established connections:

23

    closed connections: 50051 (dropped: 0, initiated dropped: 0)

    bad connection attempt: 0

    ignored RSTs in the window: 0

    listen queue overflows: 0

    RTT updates: 3518(attempt segment: 3537)

    correct ACK header predictions: 0

    correct data packet header predictions: 568

    resends due to MTU discovery: 0

    packets dropped with MD5 authentication: 0

    packets permitted with MD5 authentication: 0

Related commands

reset tcp statistics

display tcp verbose

Use display tcp verbose to display detailed information about TCP connections.

Syntax

display tcp verbose [ slot slot-number [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pcb pcb-index: Displays detailed TCP connection information for the specified PCB. The index range is 1 to 16.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays detailed information about TCP connections for all member devices.

Usage guidelines

The detailed TCP connection information includes socket creator, state, option, type, protocol number, source IP address and port number, destination IP address and port number, and connection state.

Examples

# Display detailed information about TCP connections.

<Sysname> display tcp verbose

TCP inpcb number: 1(tcpcb number: 1)

 

 Location: slot 1

 NSR standby: N/A

 Creator: telnetd[439]

 State: N/A

 Options: SO_ACCEPTCONN SO_REUSEADDR

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 65700 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 65700 / 512 / N/A

 Type: 1

 Protocol: 6

 Connection info: src = 192.168.20.200:179 ,  dst = 192.168.20.14:4181

 Inpcb flags: INP_REUSEADDR INP_PROTOCOL_PACKET INP_SYNCPCB

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV4

 TTL: 255(minimum TTL: 0)

 Connection state: ESTABLISHED

 TCP options: TF_REQ_SCALE TF_REQ_TSTMP TF_SACK_PERMIT

 NSR state: CLOSED(M)

 Send VRF: 0xffff

 Receive VRF: 0xffff

Table 51 Command output

Field

Description

TCP inpcb number

Number of TCP IP PCBs.

tcpcb number

Number of TCP PCBs.

Location

Location of the device.

Slot

ID of the IRF member device.

NSR standby:

ID of the IRF member device and number of the slot where the NSR standby card resides. This field displays N/A if no NSR standby card is present.

Creator

Name of the operation that created the socket. The number in brackets is the process number of the creator.

State

State of the socket.

Options

Socket options.

Error

Error code.

Receiving buffer (cc/hiwat/lowat/drop/state)

Displays receive buffer information in the following order:

·         cc—Used space.

·         hiwat—Maximum space.

·         lowat—Minimum space.

·         drop—Number of dropped packets.

·         state—Buffer state:

?  CANTSENDMORE—Unable to send data to the peer.

?  CANTRCVMORE—Unable to receive data from the peer.

?  RCVATMARK—Receiving tag.

?  N/A—None of the above states.

Sending buffer (cc/hiwat/lowat/state)

Displays send buffer information in the following order:

·         cc—Used space.

·         hiwat—Maximum space.

·         lowat—Minimum space.

·         state—Buffer state:

?  CANTSENDMORE—Unable to send data to the peer.

?  CANTRCVMORE—Unable to receive data from the peer.

?  RCVATMARK—Receiving tag.

?  N/A—None of the above states.

Type

Socket type:

·         1SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams.

·         2SOCK_DGRAM. This socket uses UDP to provide datagram transmission.

·         3SOCK_RAW. This socket allows an application to change the next upper-layer protocol header.

·         N/A—None of the above types.

Protocol

Number of the protocol using the socket.

Connection info

Source IP address and destination IP address.

Inpcb flags

Flags in the Internet PCB:

·         INP_RECVOPTS—Receives IP options.

·         INP_RECVRETOPTS—Receives replied IP options.

·         INP_RECVDSTADDR—Receives destination IP address.

·         INP_HDRINCL—Provides the entire IP header.

·         INP_REUSEADDR—Reuses the IP address.

·         INP_REUSEPORT—Reuses the port number.

·         INP_ANONPORTPort number not specified.

·         INP_RECVIF—Records the input interface of the packet.

·         INP_RECVTTLReceives TTL of the packet. Only UDP and RawIP support this flag.

·         INP_DONTFRAG—Sets the Don't Fragment flag.

·         INP_ROUTER_ALERT—Receives packets with the router alert option. Only RawIP supports this flag.

·         INP_PROTOCOL_PACKET—Identifies a protocol packet.

·         INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag.

·         INP_RCVMACADDR—Receives the MAC address of the frame.

·         INP_SNDBYLSPV—Sends through MPLS.

·         INP_RECVTOS—Receives TOS of the packet. Only UDP and RawIP support this flag.

·         INP_SYNCPCB—Waits until Internet PCB is synchronized.

·         N/ANone of the above flags.

Inpcb extflag

Extension flags in the Internet PCB:

·         INP_EXTRCVPVCIDXRecords the PVC index of the received packet.

·         INP_RCVPWIDRecords the PW ID of the received packet.

·         N/ANone of the above flags.

Inpcb vflag

IP version flags in the Internet PCB:

·         INP_IPV4IPv4 protocol.

·         INP_TIMEWAIT—In TIMEWAIT state.

·         INP_ONESBCAST—Sends broadcast packets.

·         INP_DROPPEDProtocol dropped flag.

·         INP_SOCKREFStrong socket reference.

·         INP_DONTBLOCKDo not block synchronization of the Internet PCB.

·         N/ANone of the above flags.

TTL

TTL value in the Internet PCB.

NSR state

State of the TCP connections.

Between the parentheses is the role of the connection:

·         M—Main connection.

·         S—Standby connection.

 

display tcp-proxy

Use display tcp-proxy to display brief information about TCP proxy.

Syntax

display tcp-proxy slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware series

Model

Command compatibility

WX1800H series

WX1804H

WX1810H

WX1820H

WX1840H

Yes

WX3800H series

WX3820H

WX3840H

Yes

WX5800H series

WX5860H

No

 

TCP proxy splits every TCP connection that passes through it into two TCP connections to relay data packets between clients and servers. The split is transparent to the servers and clients. This feature reduces bandwidth use and improves TCP performance. It is used for services such as load balancing.

Examples

# Display brief information about TCP proxy.

<Sysname> display tcp-proxy

Local Addr:port       Foreign Addr:port     State        Service type

192.168.56.25:1111    111.111.111.125:8080  ESTABLISHED  WAAS

111.111.111.125:8080  192.168.56.25:1111    ESTABLISHED  WAAS

Table 52 Command output

Field

Description

Local Addr:port

Local IP address and port number.

Foreign Addr:port

Peer IP address and port number.

State

TCP connection state.

Service type

Type of services that the TCP proxy is used for:

·         LB—Load balancing services. This field is not supported in the current software version.

·         WAAS—Wide area application services. This field is not supported in the current software version.

 

display tcp-proxy port-info

Use display tcp-proxy port-info to display the usage of non-well known ports for TCP proxy.

Syntax

display tcp-proxy port-info slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware series

Model

Command compatibility

WX1800H series

WX1804H

WX1810H

WX1820H

WX1840H

Yes

WX3800H series

WX3820H

WX3840H

Yes

WX5800H series

WX5860H

No

 

The TCP ports are divided into well known ports (port numbers from 0 through 1023) and non-well known ports (port numbers from 1024 through 65535).

·          Well known ports are for certain services, for example, port 23 for Telnet service, ports 20 and 21 for FTP service, and port 80 for HTTP service.

·          Non-well known ports are available for various services. You can use the display tcp-proxy port-info command to display the usage of these ports.

Examples

# Display the usage of non-well known ports for TCP proxy.

<Sysname> display tcp-proxy port-info

Index  Range            State

16     [1024, 1087]     USABLE

17     [1088, 1151]     USABLE

18     [1152, 1215]     USABLE

19     [1216, 1279]     USABLE

20     [1280, 1343]     USABLE

...

1020   [65280, 65343]   USABLE

1021   [65344, 65407]   USABLE

1022   [65408, 65471]   USABLE

1023   [65472, 65535]   USABLE

Table 53 Command output

Field

Description

Index

Index of the port range.

Range

Start port number and end port number.

State

State of the port range:

·         USABLE—The ports are assignable.

·         ASSIGNED—Some ports are dynamically assigned and some ports are not.

·         ALLASSIGNED—All ports are dynamically assigned. The assigned ports can be reclaimed.

·         TO RECLAIM—Some ports are statically assigned. The assigned ports can be reclaimed.

·         RESERVED—The ports are reserved. The reserved ports cannot be dynamically assigned.

 

display udp

Use display udp to display brief information about UDP connections.

Syntax

display udp [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays brief information about UDP connections for all member devices.

Usage guidelines

Brief UDP connection information includes local IP address and port number, and peer IP address and port number.

Examples

# Display brief information about UDP connections.

<Sysname> display udp

 Local Addr:port        Foreign Addr:port     Slot  PCB

 0.0.0.0:69             0.0.0.0:0             1     0x0000000000000003

 192.168.20.200:1024    192.168.20.14:69      1     0x0000000000000002

Table 54 Command output

Field

Description

Local Addr:port

Local IP address and port number.

Foreign Addr:port

Peer IP address and port number.

Slot

ID of the IRF member device.

PCB

PCB index.

 

display udp statistics

Use display udp statistics to display UDP traffic statistics.

Syntax

display udp statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays UDP traffic statistics for all member devices.

Usage guidelines

UDP traffic statistics include information about received and sent UDP packets.

Examples

# Display UDP traffic statistics.

<Sysname> display udp statistics

Received packets:

     Total: 240

     checksum error: 0, no checksum: 0

     shorter than header: 0, data length larger than packet: 0

     no socket on port(unicast): 0

     no socket on port(broadcast/multicast): 240

     not delivered, input socket full: 0

Sent packets:

     Total: 0

Related commands

reset udp statistics

display udp verbose

Use display udp verbose to display detailed information about UDP connections.

Syntax

display udp verbose [ slot slot-number [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pcb pcb-index: Displays detailed UDP connection information for the specified PCB. The value range for the pcb-index argument is 1 to 16.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays detailed information about UDP connections for all member devices.

Usage guidelines

The detailed information includes socket creator, status, option, type, protocol number, source IP address and port number, and destination IP address and port number for UDP connections.

Examples

# Display detailed UDP connection information.

<Sysname> display udp verbose

Total UDP socket number: 1

 

 Location: slot 1

 Creator: sock_test_mips[250]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 41600 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 2

 Protocol: 17

 Connection info: src = 0.0.0.0:69, dst = 0.0.0.0:0

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV4

 TTL: 255(minimum TTL: 0)

 Send VRF: 0xffff

 Receive VRF: 0xffff

Table 55 Command output

Field

Description

Total UDP socket number

Total number of UDP sockets.

Location

Location of the device.

Slot

ID of the IRF member device.

Creator

Name of the operation that created the socket. The number in brackets is the process number of the creator.

State

Socket state.

Options

Socket option.

Error

Error code.

Receiving buffer(cc/hiwat/lowat/drop/state)

Displays receive buffer information in the following order:

·         cc—Used space.

·         hiwat—Maximum space.

·         lowat—Minimum space.

·         drop—Number of dropped packets.

·         state—Buffer state:

?  CANTSENDMORE—Unable to send data to the peer.

?  CANTRCVMORE—Unable to receive data from the peer.

?  RCVATMARK—Receiving tag.

?  N/A—None of the above states.

Sending buffer(cc/hiwat/lowat/state)

Displays send buffer information in the following order:

·         cc—Used space.

·         hiwat—Maximum space.

·         lowat—Minimum space.

·         state—Buffer state:

?  CANTSENDMORE—Unable to send data to the peer.

?  CANTRCVMORE—Unable to receive data from the peer.

?  RCVATMARK—Receiving tag.

?  N/A—None of the above states.

Type

Socket type:

·         1SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams.

·         2SOCK_DGRAM. This socket uses UDP to provide datagram transmission.

·         3SOCK_RAW. This socket allows an application to change the next upper-layer protocol header.

·         N/A—None of the above types.

Protocol

Number of the protocol using the socket.

Inpcb flags

Flags in the Internet PCB:

·         INP_RECVOPTS—Receives IP options.

·         INP_RECVRETOPTS—Receives replied IP options.

·         INP_RECVDSTADDR—Receives destination IP address.

·         INP_HDRINCL—Provides the entire IP header.

·         INP_REUSEADDR—Reuses the IP address.

·         INP_REUSEPORT—Reuses the port number.

·         INP_ANONPORTPort number not specified.

·         INP_RECVIF—Records the input interface of the packet.

·         INP_RECVTTLReceives TTL of the packet. Only UDP and RawIP support this flag.

·         INP_DONTFRAG—Sets the Don't Fragment flag.

·         INP_ROUTER_ALERT—Receives packets with the router alert option. Only RawIP supports this flag.

·         INP_PROTOCOL_PACKET—Identifies a protocol packet.

·         INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag.

·         INP_RCVMACADDR—Receives the MAC address of the frame.

·         INP_SNDBYLSPV—Sends through MPLS.

·         INP_RECVTOS—Receives TOS of the packet. Only UDP and RawIP support this flag.

·         INP_SYNCPCB—Waits until Internet PCB is synchronized.

·         N/ANone of the above flags.

Inpcb extflag

Extension flags in the Internet PCB:

·         INP_EXTRCVPVCIDXRecords the PVC index of the received packet.

·         INP_RCVPWIDRecords the PW ID of the received packet.

·         N/ANone of the above flags.

Inpcb vflag

IP version flags in the Internet PCB:

·         INP_IPV4IPv4 protocol.

·         INP_TIMEWAIT—In TIMEWAIT state.

·         INP_ONESBCAST—Sends broadcast packets.

·         INP_DROPPEDProtocol dropped flag.

·         INP_SOCKREFStrong socket reference.

·         INP_DONTBLOCKDo not block synchronization of the Internet PCB.

·         N/ANone of the above flags.

TTL

TTL value in the Internet PCB.

 

ip forward-broadcast

Use ip forward-broadcast to enable an interface to forward directed broadcast packets destined for the directly connected network.

Use undo ip forward-broadcast to disable an interface from forwarding directed broadcast packets destined for the directly connected network.

Syntax

ip forward-broadcast

undo ip forward-broadcast

Default

An interface cannot forward directed broadcasts destined for the directly connected network.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

A directed broadcast packet is destined for all hosts on a specific network. In the destination IP address of the directed broadcast, the network ID identifies the target network, and the host ID is made up of all ones.

Examples

# Enable VLAN-interface 2 to forward directed broadcast packets destined for the directly connected network.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] ip forward-broadcast

ip icmp error-interval

Use ip icmp error-interval to set the bucket size and the interval for tokens to arrive in the bucket for ICMP error messages.

Use undo ip icmp error-interval to restore the default.

Syntax

ip icmp error-interval milliseconds [ bucketsize ]

undo ip icmp error-interval

Default

The bucket allows a maximum of 10 tokens, and a token is placed in the bucket every 100 milliseconds.

Views

System view

Predefined user roles

network-admin

Parameters

milliseconds: Specifies the interval for tokens to arrive in the bucket. The value range is 0 to 2147483647 milliseconds, and the default is 100 milliseconds. To disable the ICMP rate limit, set the value to 0.

bucketsize: Specifies the maximum number of tokens allowed in the bucket. The value range is 1 to 200, and the default is 10.

Usage guidelines

This command limits the rate at which ICMP error messages are sent. Use this command to avoid sending excessive ICMP error messages within a short period that might cause network congestion. A token bucket algorithm is used with one token representing one ICMP error message.

A token is placed in the bucket at intervals until the maximum number of tokens that the bucket can hold is reached.

A token is removed from the bucket when an ICMP error message is sent. When the bucket is empty, ICMP error messages are not sent until a new token is placed in the bucket.

Examples

# Set the bucket size to 40 tokens and the interval for tokens to arrive in the bucket to 200 milliseconds for ICMP error messages.

<Sysname> system-view

[Sysname] ip icmp error-interval 200 40

ip icmp source

Use ip icmp source to enable specifying the source address for outgoing ICMP packets.

Use undo ip icmp source to restore the default.

Syntax

ip icmp source ip-address

undo ip icmp source

Default

The device uses the IP address of the sending interface as the source IP address for outgoing ICMP packets.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Specifies an IP address.

Usage guidelines

It is a good practice to specify the IP address of the loopback interface as the source IP address for outgoing ping echo request and ICMP error messages. This feature helps users to locate the sending device easily.

Examples

# Specify 1.1.1.1 as the source address for outgoing ICMP packets.

<Sysname> system-view

[Sysname] ip icmp source 1.1.1.1

ip mtu

Use ip mtu to set an MTU for an interface.

Use undo ip mtu to restore the default.

Syntax

ip mtu mtu-size

undo ip mtu

Default

No MTU is set for an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

mtu-size: Specifies an MTU in bytes. The value range for a WAN interface is 128 to 1560. The value range for a VLAN interface is 128 to 1748.

Usage guidelines

When a packet exceeds the MTU of the output interface, the device processes it in one of the following ways:

·          If the packet disallows fragmentation, the device discards it.

·          If the packet allows fragmentation, the device fragments it and forwards the fragments.

Fragmentation and reassembling consume system resources, so set an appropriate MTU for an interface to avoid fragmentation.

If an interface supports both the mtu and ip mtu commands, the device fragments a packet based on the MTU set by the ip mtu command.

Examples

# Set the MTU of VLAN-interface 100 to 1280 bytes.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ip mtu 1280

ip reassemble local enable

Use ip reassemble local enable to enable IPv4 local fragment reassembly.

Use undo ip reassemble local enable to restore the default.

Syntax

ip reassemble local enable

undo ip reassemble local enable

Default

IPv4 local fragment reassembly is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

In a multichassis IRF fabric, this feature enables the receiving subordinate to reassemble the received IPv4 fragments instead of delivering them to the master for reassembly. It improves the fragment reassembly performance. This feature applies only to fragments received by the same subordinate in the IRF fabric.

Examples

# Enable IPv4 local fragment reassembly.

<Sysname> system-view

[Sysname] ip reassemble local enable

ip redirects enable

Use ip redirects enable to enable sending ICMP redirect messages.

Use undo ip redirects enable to disable sending ICMP redirect messages.

Syntax

ip redirects enable

undo ip redirects enable

Default

Sending ICMP redirect messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

ICMP redirect messages simplify host management and enable hosts to gradually optimize their routing tables.

A host that has only one route destined for the default gateway sends all packets to the default gateway. The default gateway sends an ICMP redirect message to inform the host of a correct next hop by following these rules:

·          The receiving and sending interfaces are the same.

·          The selected route is not created or modified by any ICMP redirect messages.

·          The selected route is not destined for 0.0.0.0.

·          There is no source route option in the received packet.

Examples

# Enable sending ICMP redirect messages.

<Sysname> system-view

[Sysname] ip redirects enable

ip ttl-expires enable

Use ip ttl-expires enable to enable sending ICMP time exceeded messages.

Use undo ip ttl-expires enable to disable sending ICMP time exceeded messages.

Syntax

ip ttl-expires enable

undo ip ttl-expires enable

Default

Sending ICMP time exceeded messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A device sends ICMP time exceeded messages by following these rules:

·          The device sends an ICMP TTL exceeded in transit message to the source when the following conditions are met:

?  The received packet is not destined for the device.

?  The TTL field of the packet is 1.

·          When the device receives the first fragment of an IP datagram destined for the device itself, it starts a timer. If the timer expires before all the fragments of the datagram are received, the device sends an ICMP fragment reassembly time exceeded message to the source.

A device disabled from sending ICMP time exceeded messages does not send ICMP TTL exceeded in transit messages but can still send ICMP fragment reassembly time exceeded messages.

Examples

# Enable sending ICMP time exceeded messages.

<Sysname> system-view

[Sysname] ip ttl-expires enable

ip unreachables enable

Use ip unreachables enable to enable sending ICMP destination unreachable messages.

Use undo ip unreachables enable to disable sending ICMP destination unreachable messages.

Syntax

ip unreachables enable

undo ip unreachables enable

Default

Sending ICMP destination unreachable messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A device sends ICMP destination unreachable messages by following these rules:

·          The device sends the source an ICMP network unreachable message when the following conditions are met:

?  The received packet does not match any route.

?  No default route exists in the routing table.

·          The device sends the source an ICMP protocol unreachable message when the following conditions are met:

?  The received packet is destined for the device.

?  The transport layer protocol of the packet is not supported by the device.

·          The device sends the source an ICMP port unreachable message when the following conditions are met:

?  The received UDP packet is destined for the device.

?  The packet's port number does not match the running process.

·          The device sends the source an ICMP source route failed message when the following conditions are met:

?  The source uses Strict Source Routing to send packets.

?  The intermediate device finds that the next hop specified by the source is not directly connected.

·          The device sends the source an ICMP fragmentation needed and DF set message when the following conditions are met:

?  The MTU of the sending interface is smaller than the packet.

?  The packet has Don't Fragment set.

Examples

# Enable sending ICMP destination unreachable messages.

<Sysname> system-view

[Sysname] ip unreachables enable

reset ip statistics

Use reset ip statistics to clear IP traffic statistics.

Syntax

reset ip statistics [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears IP traffic statistics for all member devices.

Usage guidelines

Use this command to clear history IP traffic statistics before you collect IP traffic statistics for a time period.

Examples

# Clear IP traffic statistics.

<Sysname> reset ip statistics

 Related commands

·          display ip interface

·          display ip statistics

reset tcp statistics

Use reset tcp statistics to clear TCP traffic statistics.

Syntax

reset tcp statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear TCP traffic statistics.

<Sysname> reset tcp statistics

 Related commands

display tcp statistics

reset udp statistics

Use reset udp statistics to clear UDP traffic statistics.

Syntax

reset udp statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear UDP traffic statistics.

<Sysname> reset udp statistics

Related commands

display udp statistics

tcp mss

Use tcp mss to set the TCP maximum segment size (MSS).

Use undo tcp mss to restore the default.

Syntax

tcp mss value

undo tcp mss

Default

The TCP MSS is not set.

Views

Interface view

Predefined user roles

network-admin

Parameters

value: Specifies the TCP MSS in bytes. The value range for a WAN interface is 128 to 1520. The value range for a VLAN interface is 128 to 1708.

Usage guidelines

This configuration takes effect only on TCP connections that are established after the configuration and not on the TCP connections that already exist.

This configuration is effective only on IP packets.

The MSS option informs the receiver of the largest segment that the sender can accept. Each end announces its MSS during TCP connection establishment.

If the size of a TCP segment is smaller than the MSS of the receiver, TCP sends the TCP segment without fragmentation. If not, it fragments the segment according to the receiver's MSS.

If you set the TCP MSS on an interface, the size of each TCP segment received or sent on the interface cannot exceed the MSS value.

Examples

# Set the TCP MSS to 300 bytes on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] tcp mss 300

tcp path-mtu-discovery

Use tcp path-mtu-discovery to enable TCP path MTU discovery.

Use undo tcp path-mtu-discovery to disable TCP path MTU discovery.

Syntax

tcp path-mtu-discovery [ aging age-time | no-aging ]

undo tcp path-mtu-discovery

Default

TCP path MTU discovery is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

aging age-time: Specifies the aging time for the path MTU, in the range of 10 to 30 minutes. The default aging time is 10 minutes.

no-aging: Does not age out the path MTU.

Usage guidelines

After you enable TCP path MTU discovery, all new TCP connections detect the path MTU. The device uses the path MTU to calculate the MSS to avoid IP fragmentation.

After you disable TCP path MTU discovery, the system stops all path MTU timers. The TCP connections established later do not detect the path MTU, but the TCP connections previously established still can detect the path MTU.

Examples

# Enable TCP path MTU discovery and set the path MTU aging time to 20 minutes.

<Sysname> system-view

[Sysname] tcp path-mtu-discovery aging 20

tcp syn-cookie enable

Use tcp syn-cookie enable to enable SYN Cookie to protect the device from SYN flood attacks.

Use undo tcp syn-cookie enable to disable SYN Cookie.

Syntax

tcp syn-cookie enable

undo tcp syn-cookie enable

Default

SYN Cookie is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A TCP connection is established through a three-way handshake:

1.        The sender sends a SYN packet to the server.

2.        The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state, and replies with a SYN ACK packet to the sender.

3.        The sender receives the SYN ACK packet and replies with an ACK packet. Then, a TCP connection is established.

An attacker can exploit this mechanism to mount SYN flood attacks. The attacker sends a large number of SYN packets, but they do not respond to the SYN ACK packets from the server. As a result, the server establishes a large number of TCP semi-connections and cannot handle normal services.

SYN Cookie can protect the server from SYN flood attacks. When the server receives a SYN packet, it responds to the request with a SYN ACK packet without establishing a TCP semi-connection.

The server establishes a TCP connection and enters ESTABLISHED state only when it receives an ACK packet from the sender.

Examples

# Enable SYN Cookie.

<Sysname> system-view

[Sysname] tcp syn-cookie enable

tcp timer fin-timeout

Use tcp timer fin-timeout to set the TCP FIN wait timer.

Use undo tcp timer fin-timeout to restore the default.

Syntax

tcp timer fin-timeout time-value

undo tcp timer fin-timeout

Default

The TCP FIN wait timer is 675 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the TCP FIN wait timer in the range of 76 to 3600 seconds.

Usage guidelines

TCP starts the FIN wait timer when the state changes to FIN_WAIT_2. If no FIN packet is received within the timer interval, the TCP connection is terminated.

If a FIN packet is received, TCP changes the connection state to TIME_WAIT. If a non-FIN packet is received, TCP restarts the timer and tears down the connection when the timer expires.

Examples

# Set the TCP FIN wait timer to 800 seconds.

<Sysname> system-view

[Sysname] tcp timer fin-timeout 800

tcp timer syn-timeout

Use tcp timer syn-timeout to set the TCP SYN wait timer.

Use undo tcp timer syn-timeout to restore the default.

Syntax

tcp timer syn-timeout time-value

undo tcp timer syn-timeout

Default

The TCP SYN wait timer is 75 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the TCP SYN wait timer in the range of 2 to 600 seconds.

Usage guidelines

TCP starts the SYN wait timer after sending a SYN packet. Within the SYN wait timer if no response is received or the upper limit on TCP connection tries is reached, TCP fails to establish the connection.

Examples

# Set the TCP SYN wait timer to 80 seconds.

<Sysname> system-view

[Sysname] tcp timer syn-timeout 80

tcp window

Use tcp window to set the size of the TCP receive/send buffer.

Use undo tcp window to restore the default.

Syntax

tcp window window-size

undo tcp window

Default

The size of the TCP receive/send buffer is 64 KB.

Views

System view

Predefined user roles

network-admin

Parameters

window-size: Specifies the size of the TCP receive/send buffer in KB, in the range of 1 to 64.

Examples

# Set the size of the TCP receive/send buffer to 3 KB.

<Sysname> system-view

[Sysname] tcp window 3


IPv6 basics commands

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

display ipv6 fib

Use display ipv6 fib to display IPv6 FIB entries.

Syntax

display ipv6 fib [ ipv6-address [ prefix-length ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv6-address: Specifies an IPv6 address.

prefix-length: Specifies a prefix length for the IPv6 address, in the range of 0 to 128.

Usage guidelines

If you do not specify the prefix length, this command displays the IPv6 FIB entry longest matching the IPv6 address. If you specify a prefix, this command displays the IPv6 FIB entry that exactly matches the IPv6 address and prefix length.

If you do not specify any parameters, this command displays all IPv6 FIB entries for the public network.

Examples

# Display all IPv6 FIB entries for the public network.

<Sysname> display ipv6 fib

 

Destination count: 1 FIB entry count: 1

 

Flag:

  U:Useable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static

  R:Relay     F:FRR

 

Destination: ::1                                            Prefix length: 128

Nexthop     : ::1                                            Flags: UH

Time stamp : 0x1                                            Label: Null

Interface  : InLoop0                                        Token: Invalid

Table 56 Command output

Field

Description

Destination count

Total number of destination addresses.

FIB entry count

Total number of IPv6 FIB entries.

Destination

Destination address.

Prefix length

Prefix length of the destination address.

Nexthop

Next hop.

Flags

Route flag:

·         UUsable route.

·         GGateway route.

·         HHost route.

·         BBlack hole route.

·         DDynamic route.

·         SStatic route.

·         RRecursive route.

·         FFast re-route.

Time stamp

Time when the IPv6 FIB entry was generated.

Label

Inner MPLS label. This field is not supported in the current software version.

Interface

Outgoing interface.

Token

Label switched path index number.

 

display ipv6 icmp statistics

Use display ipv6 icmp statistics to display ICMPv6 packet statistics.

Syntax

display ipv6 icmp statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ICMPv6 packet statistics for all member devices.

Usage guidelines

This command displays statistics about received and sent ICMPv6 packets.

Examples

# Display ICMPv6 packet statistics.

<Sysname> display ipv6 icmp statistics

  Input: bad code                0           too short                    0

         checksum error          0           bad length                   0

         path MTU changed        0          destination unreachable    0

         too big                   0           parameter problem          0

         echo request             0           echo reply                   0

         neighbor solicit        0           neighbor advertisement    0

         router solicit           0           router advertisement      0

         redirect                  0           router renumbering         0

 output: parameter problem      0           echo request                0

         echo reply                0           unreachable no route      0

         unreachable admin        0           unreachable beyond scope  0

         unreachable address     0           unreachable no port         0

         too big                    0           time exceed transit        0

         time exceed reassembly  0           redirect                     0

         ratelimited                0           other errors                0

display ipv6 interface

Use display ipv6 interface to display IPv6 interface information.

Syntax

display ipv6 interface [ interface-type [ interface-number ] ] [ brief ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type: Specifies an interface by its type.

interface-number: Specifies an interface by its number.

brief: Displays brief information.

Usage guidelines

If you specify the brief keyword, this command displays brief IPv6 interface information, including physical status, link-layer protocols, and IPv6 address.

If you do not specify the brief keyword, this command displays detailed IPv6 interface information, including IPv6 configuration and operating information, and IPv6 packet statistics.

If you do not specify an interface, this command displays IPv6 information about all interfaces.

If you specify only the interface-type argument, this command displays IPv6 information about the interfaces of the specified type.

If you specify both the interface-type and the interface-number arguments, this command displays IPv6 information about the specified interface.

Examples

# Display IPv6 information about VLAN-interface 2.

<Sysname> display ipv6 interface vlan-interface 2

Vlan-interface2 current state: UP

Line protocol current state: UP

IPv6 is enabled, link-local address is FE80::1234:56FF:FE65:4322 [TENTATIVE]

  Global unicast address(es):

    10::1234:56FF:FE65:4322, subnet is 10::/64 [TENTATIVE] [AUTOCFG]

      [valid lifetime 4641s/preferred lifetime 4637s]

    20::1234:56ff:fe65:4322, subnet is 20::/64 [TENTATIVE] [EUI-64]

    30::1, subnet is 30::/64 [TENTATIVE] [ANYCAST]

    40::2, subnet is 40::/64 [TENTATIVE] [DHCP]

    50::3, subnet is 50::/64 [TENTATIVE]

  Joined group address(es):

    FF02::1

    FF02::2

    FF02::1:FF00:1

    FF02::1:FF65:4322

  MTU is 1500 bytes

  ND DAD is enabled, number of DAD attempts: 1

  ND reachable time is 30000 milliseconds

  ND retransmit interval is 1000 milliseconds

  Hosts use stateless autoconfig for addresses

IPv6 Packet statistics:

  InReceives:                     0

  InTooShorts:                    0

  InTruncatedPkts:                0

  InHopLimitExceeds:              0

  InBadHeaders:                   0

  InBadOptions:                   0

  ReasmReqds:                     0

  ReasmOKs:                           0

  InFragDrops:                    0

  InFragTimeouts:                 0

  OutFragFails:                   0

  InUnknownProtos:                0

  InDelivers:                     0

  OutRequests:                    0

  OutForwDatagrams:               0

  InNoRoutes:                    0

  InTooBigErrors:                 0

  OutFragOKs:                     0

  OutFragCreates:                 0

  InMcastPkts:                    0

  InMcastNotMembers:              0

  OutMcastPkts:                   0

  InAddrErrors:                   0

  InDiscards:                    0

  OutDiscards:                   0

Table 57 Command output

Field

Description

Vlan-interface2 current state

Physical state of the interface:

·         Administratively DOWN—The VLAN interface has been administratively shut down by using the shutdown command.

·         DOWN—The VLAN interface is administratively up but its physical state is down because all ports in the VLAN are down.

·         UP—The administrative and physical states of the VLAN interface are both up.

Line protocol current state

Link layer protocol state of the interface:

·         DOWN—The link layer protocol state of the VLAN interface is down.

·         UP—The link layer protocol state of the VLAN interface is up.

IPv6 is enabled

IPv6 is enabled on the interface. This feature is automatically enabled after an IPv6 address is configured for an interface.

link-local address

Link-local address of the interface.

Global unicast address(es)

Global unicast addresses of the interface.

IPv6 address states:

·         TENTATIVEInitial state. DAD is being performed or is to be performed on the address.

·         DUPLICATE—The address is not unique on the link.

·         PREFERRED—The address is preferred and can be used as the source or destination address of a packet. If an address is in this state, the command does not display the address state.

·         DEPRECATED—The address is beyond the preferred lifetime but in the valid lifetime. It is valid, but it cannot be used as the source address for a new connection. Packets destined to the address are processed correctly.

If a global unicast address is not manually configured, the following indicates how the address is obtained:

·         AUTOCFG—Stateless autoconfigured.

·         DHCPAssigned by a DHCPv6 server.

·         EUI-64Manually configured EUI-64 IPv6 address.

·         RANDOM—Random address automatically generated.

If the address is a manually configured anycast address, ANYCAST is marked.

valid lifetime

Specifies how long autoconfigured global unicast addresses using a prefix are valid.

preferred lifetime

Specifies how long autoconfigured global unicast addresses using a prefix are preferred.

Joined group address(es)

Addresses of multicast groups that the interface has joined.

MTU

Maximum transmission unit (MTU) of the interface.

ND DAD is enabled, number of DAD attempts

DAD is enabled.

·         If DAD is enabled, this field displays the number of attempts to send an NS message for DAD (set by using the ipv6 nd dad attempts command).

·         If DAD is disabled, this field displays ND DAD is disabled. To disable DAD, set the number of attempts to 0.

ND reachable time

Time during which a neighboring device is reachable.

ND retransmit interval

Interval for retransmitting an NS message.

Hosts use stateless autoconfig for addresses

Hosts obtained IPv6 addresses through stateless autoconfiguration.

InReceives

Received IPv6 packets, including error messages.

InTooShorts

Received IPv6 packets that are too short. For example, the received IPv6 packet is less than 40 bytes.

InTruncatedPkts

Received IPv6 packets with a length less than the payload length field specified in the packet header.

InHopLimitExceeds

Received IPv6 packets with a hop count exceeding the hop limit field specified in the packet header.

InBadHeaders

Received IPv6 packets with incorrect basic headers.

InBadOptions

Received IPv6 packets with incorrect extension headers.

ReasmReqds

Received IPv6 fragments.

ReasmOKs

Number of reassembled IPv6 packets.

InFragDrops

Received IPv6 fragments that are discarded because of certain errors.

InFragTimeouts

Received IPv6 fragments that are discarded because the amount of time they stay in the system buffer exceeds the specified interval.

OutFragFails

IPv6 packets that fail to be fragmented on the output interface.

InUnknownProtos

Received IPv6 packets with unknown or unsupported protocol type.

InDelivers

Received IPv6 packets that are delivered to user protocols (such as ICMPv6, TCP, and UDP).

OutRequests

Local IPv6 packets sent by IPv6 user protocols.

OutForwDatagrams

IPv6 packets forwarded by the output interface.

InNoRoutes

Received IPv6 packets that are discarded because no matching route can be found.

InTooBigErrors

Received IPv6 packets that fail to be forwarded because they exceeded the Path MTU.

OutFragOKs

Fragmented IPv6 packets on the output interface.

OutFragCreates

Number of IPv6 fragments on the output interface.

InMcastPkts

Received IPv6 multicast packets.

InMcastNotMembers

Received IPv6 multicast packets that are discarded because the interface is not in the multicast group.

OutMcastPkts

IPv6 multicast packets sent by the interface.

InAddrErrors

Received IPv6 packets that are discarded due to invalid destination addresses.

InDiscards

Received IPv6 packets that are discarded due to resource problems rather than packet errors.

OutDiscards

IPv6 packets that fail to be sent due to resource problems rather than packet errors.

 

# Display brief IPv6 information about all interfaces.

<Sysname> display ipv6 interface brief

*down: administratively down

(s): spoofing

Interface                                 Physical Protocol IPv6 Address

Vlan-interface1                          down      down      Unassigned

Vlan-interface2                          up         up        2001::1

Vlan-interface100                        up         up        Unassigned

Table 58 Command output

Field

Description

*down: administratively down

The interface has been administratively shut down by using the shutdown command.

(s): spoofing

Spoofing attribute of the interface.

The link protocol state of the interface is up, but the link is temporarily established on demand or does not exist.

Interface

Name of the interface.

Physical

Physical state of the interface:

·         *down—The interface has been shut down by using the shutdown command.

·         down—The interface is up but its physical state is down because all ports in the VLAN are down.

·         up—The administrative and physical states of the interface are both up.

Protocol

Link layer protocol state of the interface:

·         down—The network layer protocol state of the interface is down.

·         up—The network layer protocol state of the interface is up.

IPv6 Address

IPv6 address of the interface.

·         If multiple global unicast addresses are configured, this field displays the lowest address.

·         If no global unicast address is configured, this field displays the link-local address.

·         If no address is configured, this field displays Unassigned.

 

display ipv6 interface prefix

Use display ipv6 interface prefix to display IPv6 prefix information for an interface.

Syntax

display ipv6 interface interface-type interface-number prefix

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Examples

# Display IPv6 prefix information for VLAN-interface 10.

<Sysname> display ipv6 interface vlan-interface10 prefix

Prefix: 1001::/65                                          Origin: ADDRESS

Age:    -                                                     Flag:   AL

Lifetime(Valid/Preferred): 2592000/604800

 

Prefix: 2001::/64                                          Origin: STATIC

Age:    -                                                     Flag:   L

Lifetime(Valid/Preferred): 3000/2000

 

Prefix: 3001::/64                                          Origin: RA

Age:    600                                                   Flag:   A

Lifetime(Valid/Preferred): -

Table 59 Command output

Filed

Description

Prefix

IPv6 address prefix.

Origin

How the prefix is generated:

·         STATICManually configured by using the ipv6 nd ra prefix command.

·         RA—Advertised in RA messages after stateless autoconfiguration is enabled.

·         ADDRESSGenerated by a manually configured address.

Age

Aging time in seconds. If the prefix does not age out, this field displays a hyphen (-).

Flag

Flags advertised in RA messages. If no flags are available, this field displays a hyphen (-).

·         L—The address with the prefix is directly reachable on the link.

·         A—The prefix is used for stateless autoconfiguration.

Lifetime

Lifetime in seconds advertised in RA messages. If the prefix does not need to be advertised, this field displays a hyphen (-).

·         ValidValid lifetime of the prefix.

·         PreferredPreferred lifetime of the prefix.

 

Related commands

ipv6 nd ra prefix

display ipv6 neighbors

Use display ipv6 neighbors to display IPv6 neighbor information.

Syntax

display ipv6 neighbors { { ipv6-address | all | dynamic | static } [ slot slot-number ] | interface interface-type interface-number | vlan vlan-id } [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv6-address: Specifies the IPv6 address of a neighbor whose information is displayed.

all: Displays information about all neighbors, including neighbors acquired dynamically and configured statically on the public network and all private networks.

dynamic: Displays information about all neighbors acquired dynamically.

static: Displays information about all neighbors configured statically.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv6 neighbor information for all member devices.

interface interface-type interface-number: Specifies an interface by its type and number.

vlan vlan-id: Displays information about neighbors in the specified VLAN. The value range for VLAN ID is 1 to 4094.

verbose: Displays detailed neighbor information.

Usage guidelines

You can use the reset ipv6 neighbors command to clear IPv6 neighbor information.

Examples

# Display all neighbor information.

<Sysname> display ipv6 neighbors all

Type: S-Static    D-Dynamic    O-Openflow    R-Rule    I-Invalid

IPv6 Address                   Link Layer       VID    Interface          State T  Age

FE80::200:5EFF:FE32:B800    0000-5e32-b800   1      WLAN-BSS1/0/1     REACH D  10

# Display detailed information about all neighbors.

<Sysname> display ipv6 neighbors all verbose

          Type: S-Static    D-Dynamic    O-Openflow    R-Rule    I-Invalid

IPv6 Address : 1::30

Link Layer   : 70f9-6d81-1327       VID : 1    Interface: GE1/0/2

State         : STALE                  Type: D    Age      : 2508

Vpn-instance: [No Vrf]

NickName     : 0x0

Table 60 Command output

Field

Description

IPv6 Address

IPv6 address of a neighbor.

Link Layer

Link layer address (MAC address) of a neighbor.

VID

VLAN to which the interface connected to a neighbor belongs.

Interface

Interface connected to a neighbor.

State

State of a neighbor:

·         INCMPThe address is being resolved. The link layer address of the neighbor is unknown.

·         REACHThe neighbor is reachable.

·         STALEWhether the neighbor is reachable is unknown. The device does not verify the reachability any longer unless data is sent to the neighbor.

·         DELAYWhether the neighbor is reachable is unknown. The device sends an NS message after a delay.

·         PROBEWhether the neighbor is reachable is unknown. The device sends an NS message to verify the reachability of the neighbor.

Type

Neighbor information type:

·         SStatically configured.

·         DDynamically obtained.

·         O—Learned from the OpenFlow module. This field is not supported in the current software version.

·         R—Learned from the IPoE or Portal module. This field is not supported in the current software version.

·         IInvalid.

Age

A hyphen (-) indicates a static entry.

For a dynamic entry, this field displays the elapsed time in seconds. If the neighbor is never reachable, this field displays a pound sign (#).

Vpn-instance

Name of a VPN or [No Vrf] with no VPN configured. The device does not support this field in the current software version.

NickName

Nickname of a neighboring entry. The name is a 4-bit hexadecimal number. This field is not supported in the current software version.

 

Related commands

·          ipv6 neighbor

·          reset ipv6 neighbors

display ipv6 neighbors count

Use display ipv6 neighbors count to display the number of neighbor entries.

Syntax

display ipv6 neighbors { { all | dynamic | static } [ slot slot-number ] | interface interface-type interface-number | vlan vlan-id } count

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays the total number of all neighbor entries, including neighbor entries created dynamically and configured statically.

dynamic: Displays the total number of neighbor entries created dynamically.

static: Displays the total number of neighbor entries configured statically.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays the number of neighbor entries for all member devices.

interface interface-type interface-number: Specifies an interface by its type and number.

vlan vlan-id: Displays the total number of neighbor entries in the specified VLAN. The value range for VLAN ID is 1 to 4094.

Examples

# Display the total number of neighbor entries created dynamically.

<Sysname> display ipv6 neighbors dynamic count

 Total number of dynamic entries: 2

display ipv6 pathmtu

Use the display ipv6 pathmtu command to display IPv6 Path MTU information.

Syntax

display ipv6 pathmtu { ipv6-address | { all | dynamic | static } [ count ] }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv6-address: Specifies the destination IPv6 address for which the Path MTU information is to be displayed.

all: Displays all Path MTU information for the public network.

dynamic: Displays all dynamic Path MTU information.

static: Displays all static Path MTU information.

count: Displays the total number of Path MTU entries.

Usage guidelines

Use display ipv6 pathmtu to display the IPv6 Path MTU information, including the dynamic Path MTUs and the static Path MTUs.

Examples

# Display all Path MTU information.

<Sysname> display ipv6 pathmtu all

IPv6 destination address                PathMTU   Age   Type

1:2::3:2                                   1800       -      Static

1:2::4:2                                   1400       10     Dynamic

1:2::5:2                                   1280       10     Dynamic

# Displays the total number of Path MTU entries.

<Sysname> display ipv6 pathmtu all count

Total number of entries: 3

Table 61  Command output

Field

Description

PathMTU

Path MTU value on the network path to an IPv6 address.

Age

Time for a Path MTU to live. For a static Path MTU, this field displays a hyphen (-).

Type

Whether the Path MTU is dynamically negotiated or statically configured.

Total number of entries

Total number of Path MTU entries.

 

Related commands

·          ipv6 pathmtu

·          reset ipv6 pathmtu

display ipv6 prefix

Use display ipv6 prefix to display information about IPv6 prefixes, including dynamic and static prefixes.

Syntax

display ipv6 prefix [ prefix-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

prefix-number: Specifies the ID of an IPv6 prefix, in the range of 1 to 1024. If this argument is not specified, the command displays information about all IPv6 prefixes.

Usage guidelines

A static IPv6 prefix is configured by using the ipv6 prefix command.

A dynamic IPv6 prefix is obtained from the DHCPv6 server, and its prefix ID is configured by using the ipv6 dhcp client pd command.

Examples

# Display information about all IPv6 prefixes.

<Sysname> display ipv6 prefix

Number  Prefix                                     Type

1        1::/16                                     Static

2        11:77::/32                                Dynamic

# Display information about the IPv6 prefix with prefix ID 1.

<Sysname> display ipv6 prefix 1

Number: 1

Type  : Dynamic

Prefix: ABCD:77D8::/32

Preferred lifetime 90 sec, valid lifetime 120 sec

Table 62 Command output

Field

Description

Number

Prefix ID.

Type

Prefix type:

·         Static—Static IPv6 prefix.

·         Dynamic—Dynamic IPv6 prefix.

Prefix

Prefix and its length. If no prefix is obtained, this field displays Not-available.

Preferred lifetime 90 sec

Preferred lifetime in seconds. For a static IPv6 prefix, this field is not displayed.

valid lifetime 120 sec

Valid lifetime in seconds. For a static IPv6 prefix, this field is not displayed.

 

Related commands

·          ipv6 dhcp client pd

·          ipv6 prefix

display ipv6 rawip

Use display ipv6 rawip to display brief information about IPv6 RawIP connections.

Syntax

display ipv6 rawip [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays brief information about IPv6 RawIP connections for all member devices.

Usage guidelines

Brief information about IPv6 RawIP connections includes the local and peer IPv6 addresses, protocol number, and PCB.

Examples

# Display brief information about IPv6 RawIP connections.

<Sysname> display ipv6 rawip

Local Addr            Foreign Addr        Protocol Slot  PCB

2001:2002:2003:2     3001:3002:3003:3   58        1      0x0000000000000009

004:2005:2006:20     004:3005:3006:30

07:2008                07:3008

Table 63 Command output

Field

Description

Local Addr

Local IPv6 address.

Foreign Addr

Peer IPv6 address.

Protocol

Protocol number.

Slot

ID of the IRF member device.

PCB

PCB index.

 

display ipv6 rawip verbose

Use display ipv6 rawip verbose to display detailed information about IPv6 RawIP connections.

Syntax

display ipv6 rawip verbose [ slot slot-number [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pcb pcb-index: Displays detailed information about IPv6 RawIP connections of the specified PCB. The value range for the pcb-index argument is 1 to 16.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays detailed information about IPv6 RawIP connections for all member devices.

Usage guidelines

Detailed information about an IPv6 RawIP connection includes socket's creator, state, option, type, and protocol number, and source and destination IPv6 addresses of the connection.

Examples

# Display detailed information about an IPv6 RawIP connection.

<Sysname> display ipv6 rawip verbose

Total RawIP socket number: 1

 

 Location: slot: 1

 Creator: ip6stackd[430]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 9216 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 3

 Protocol: 58

 Connection info: src = ::, dst = ::

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV6

 Hop limit: 255 (minimum hop limit: 0)

 Send VRF: 0xffff

 Receive VRF: 0xffff

Table 64 Command output

Field

Description

Total RawIP socket number

Total number of IPv6 RawIP sockets.

Location

Location of the device.

Slot

ID of the IRF member device.

Creator

Task name of the socket. The process number is in the square brackets.

State

Socket state.

Options

Socket options.

Receiving buffer (cc/hiwat/lowat/drop/state)

Displays receive buffer information in the following order:

·         cc—Used space.

·         hiwat—Maximum space.

·         lowat—Minimum space.

·         dropNumber of dropped packets.

·         state—Buffer state:

?  CANTSENDMOREUnable to send data to the peer.

?  CANTRCVMOREUnable to receive data from the peer.

?  RCVATMARKReceiving tag.

?  N/ANone of the above states.

Sending buffer(cc/hiwat/lowat/state)

Displays send buffer information in the following order:

·         cc—Used space.

·         hiwat—Maximum space.

·         lowat—Minimum space.

·         state—Buffer state:

?  CANTSENDMOREUnable to send data to the peer.

?  CANTRCVMOREUnable to receive data from the peer.

?  RCVATMARKReceiving tag.

?  N/ANone of the above states.

Type

Socket type:

·         1SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams.

·         2SOCK_DGRAM. This socket uses UDP to provide datagram transmission.

·         3SOCK_RAW. This socket allows an application to change the next upper-layer protocol header.

·         N/ANone of the above types.

Protocol

Number of protocol using the socket. 58 represents ICMP.

Connection info

Connection information, including the source and destination IPv6 addresses.

Inpcb flags

Flags in the Internet PCB:

·         INP_RECVOPTSReceives IPv6 options.

·         INP_RECVRETOPTSReceives replied IPv6 options.

·         INP_RECVDSTADDRReceives destination IPv6 address.

·         INP_HDRINCLProvides the entire IPv6 header.

·         INP_REUSEADDR—Reuses the IPv6 address.

·         INP_REUSEPORT—Reuses the port number.

·         INP_ANONPORTPort number not specified.

·         INP_PROTOCOL_PACKET—Identifies a protocol packet.

·         INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag.

·         IN6P_IPV6_V6ONLY—Only supports IPv6 protocol stack.

·         IN6P_PKTINFO—Receives the source IPv6 address and input interface of the packet.

·         IN6P_HOPLIMIT—Receives the hop limit.

·         IN6P_HOPOPTSReceives the hop-by-hop options extension header.

·         IN6P_DSTOPTSReceives the destination options extension header.

·         IN6P_RTHDRReceives the routing extension header.

·         IN6P_RTHDRDSTOPTSReceives the destination options extension header preceding the routing extension header.

·         IN6P_TCLASSReceives the traffic class of the packet.

·         IN6P_AUTOFLOWLABELAttaches a flow label automatically.

·         IN6P_RFC2292Uses the API specified in RFC 2292.

·         IN6P_MTUDiscovers differences in the MTU size of every link along a given data path. TCP does not support this flag.

·         INP_RCVMACADDR—Receives the MAC address of the frame.

·         INP_USEICMPSRC—Uses the specified IPv6 address as the source IPv6 address for outgoing ICMP packets.

·         INP_SYNCPCB—Waits until Internet PCB is synchronized.

·         INP_EXTDONTDROP—Does not drop the received packet.

·         N/ANone of the above flags.

Inpcb extflag

Extension flags in the Internet PCB:

·         INP_EXTRCVPVCIDXRecords the PVC index of the received packet.

·         INP_RCVPWIDRecords the PW ID of the received packet.

·         N/ANone of the above flags.

Inpcb vflag

IP version flag in the Internet PCB:

·         INP_IPV4—IPv4 protocol.

·         INP_IPV6IPv6 protocol.

·         INP_IPV6PROTO—Creates an Internet PCB based on IPv6 protocol.

·         INP_TIMEWAIT—In TIMEWAIT state.

·         INP_ONESBCAST—Sends broadcast packets.

·         INP_DROPPEDProtocol dropped flag.

·         INP_SOCKREFStrong socket reference.

·         INP_DONTBLOCKDo not block synchronization of the Internet PCB.

·         N/ANone of the above flags.

Hop limit(minimum hop limit)

Hop limit in the Internet PCB. The minimum number of hops is displayed in the parentheses.

Send VRF

Sent instances.

Receive VRF

Received instances.

 

display ipv6 statistics

Use display ipv6 statistics to display IPv6 and ICMPv6 packet statistics.

Syntax

display ipv6 statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv6 and ICMPv6 packet statistics for all member devices.

Usage guidelines

This command displays statistics about received and sent IPv6 and ICMPv6 packets.

Use the reset ipv6 statistics command to clear the statistics of all IPv6 and ICMPv6 packets.

Examples

# Display IPv6 and ICMPv6 packet statistics.

<Sysname> display ipv6 statistics

  IPv6 statistics:

 

    Sent packets:

      Total:      0

        Sent locally:         0            Forwarded:              0

        Raw packets:          0            Discarded:              0

        Fragments:             0            Fragments failed:     0

        Routing failed:       0

 

    Received packets:

      Total:      0

        Received locally:     0            Hop limit exceeded:   0

        Fragments:              0            Reassembled:           0

        Reassembly failures:  0            Reassembly timeout:   0

        Format errors:         0            Option errors:         0

        Protocol errors:       0

 

  ICMPv6 statistics:

 

    Sent packets:

      Total:      0

        Unreachable:           0             Too big:                0

        Hop limit exceeded:   0             Reassembly timeouts: 0

        Parameter problems:   0

        Echo requests:         0             Echo replies:          0

        Neighbor solicits:    0             Neighbor adverts:     0

        Router solicits:      0             Router adverts:        0

        Redirects:             0              Router renumbering:   0

      Send failed:

        Rate limitation:      0             Other errors:          0

 

    Received packets:

      Total:      0

        Checksum errors:      0             Too short:               0

        Bad codes:             0

        Unreachable:           0             Too big:                  0

        Hop limit exceeded:   0             Reassembly timeouts:   0

        Parameter problems:   0             Unknown error types:   0

        Echo requests:         0             Echo replies:            0

        Neighbor solicits:    0             Neighbor adverts:       0

        Router solicits:       0             Router adverts:         0

        Redirects:              0             Router renumbering:    0

        Unknown info types:   0

      Deliver failed:

        Bad length:           0

Related commands

reset ipv6 statistics

display ipv6 tcp

Use display ipv6 tcp to display brief information about IPv6 TCP connections.

Syntax

display ipv6 tcp [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays brief information about IPv6 TCP connections for all member devices.

Usage guidelines

Brief information about IPv6 TCP connections includes the local IPv6 address and port number, peer IPv6 address and port number, and TCP connection state.

Examples

# Display brief information about IPv6 TCP connections.

<Sysname> display ipv6 tcp

*: TCP MD5 Connection

 LAddr->port         FAddr->port       State        Slot  PCB

*2001:2002:2003:2   3001:3002:3003:3 ESTABLISHED 1     0x000000000000c387

004:2005:2006:20    004:3005:3006:30

07:2008->1200        07:3008->1200

Table 65 Command output

Field

Description

*

Indicates that the TCP connection uses MD5 authentication.

LAddr->port

Local IPv6 address and port number.

FAddr->port

Peer IPv6 address and port number.

State

IPv6 TCP connection state.

Slot

ID of the IRF member device.

PCB

PCB index.

 

display ipv6 tcp-proxy

Use display ipv6 tcp-proxy to display brief information about IPv6 TCP proxy.

Syntax

display ipv6 tcp-proxy slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware series

Model

Command compatibility

WX1800H series

WX1804H

WX1810H

WX1820H

WX1840H

Yes

WX3800H series

WX3820H

WX3840H

Yes

WX5800H series

WX5860H

No

 

IPv6 TCP proxy splits every IPv6 TCP connection that passes through it into two IPv6 TCP connections to relay data packets between servers and clients. The split is transparent to the servers and client. This feature reduces bandwidth use and improves IPv6 TCP performance. It is used for services such as load balancing.

Examples

# Display brief information about IPv6 TCP proxy.

<Sysname> display ipv6 tcp-proxy

LAddr->port            FAddr->port              State        Service type

2001::1->45            11:22:33:44->54602      ESTABLISHED WAAS

11:22:33:44->54602    2001::1->45              ESTABLISHED WAAS

Table 66 Command output

Field

Description

Local Addr:port

Local IPv6 address and port number.

Foreign Addr:port

Peer IPv6 address and port number.

State

IPv6 TCP connection state.

Service type

Type of services that the IPv6 TCP proxy is used for:

·         LB—Load balancing services. This field is not supported in the current software version.

·         WAAS—Wide area application services. This field is not supported in the current software version.

 

display ipv6 tcp-proxy port-info

Use display ipv6 tcp-proxy port-info to display the usage of non-well known ports for IPv6 TCP proxy.

Syntax

display ipv6 tcp-proxy port-info slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware series

Model

Command compatibility

WX1800H series

WX1804H

WX1810H

WX1820H

WX1840H

Yes

WX3800H series

WX3820H

WX3840H

Yes

WX5800H series

WX5860H

No

 

The TCP ports are divided into well-known ports (port numbers from 0 through 1023) and non-well known ports (port numbers from 1024 through 65535).

·          Well known ports are for certain services, for example, port 23 for Telnet service, ports 20 and 21 for FTP service, and port 80 for HTTP service.

·          Non-well known ports are available for various services. You can use the display ipv6 tcp-proxy port-info command to display the usage of these ports.

Examples

# Display the usage of non-well known ports for IPv6 TCP proxy.

<Sysname> display ipv6 tcp-proxy port-info

Index  Range            State

16     [1024, 1087]     USABLE

17     [1088, 1151]     USABLE

18     [1152, 1215]     USABLE

19     [1216, 1279]     USABLE

20     [1280, 1343]     USABLE

...

1020   [65280, 65343]   USABLE

1021   [65344, 65407]   USABLE

1022   [65408, 65471]   USABLE

1023   [65472, 65535]   USABLE

Table 67 Command output

Field

Description

Index

Index of the port range.

Range

Start port number and end port number.

State

State of the port range:

·         USABLE—The ports are assignable.

·         ASSIGNED—Some ports are dynamically assigned and some ports are not.

·         ALLASSIGNED—All ports are dynamically assigned. The assigned ports can be reclaimed.

·         TO RECLAIM—Some ports are statically assigned. The assigned ports can be reclaimed.

·         RESERVED—The ports are reserved. The reserved ports cannot be dynamically assigned.

 

display ipv6 tcp verbose

Use display ipv6 tcp verbose to display detailed information about IPv6 TCP connections.

Syntax

display ipv6 tcp verbose [ slot slot-number [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pcb pcb-index: Displays detailed information about IPv6 TCP connections of the specified PCB. The value range for the pcb-index argument is 1 to 16.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays detailed information about IPv6 TCP connections for all member devices.

Usage guidelines

The detailed information includes socket's creator, state, option, type, protocol number, source IPv6 address and port number, destination IPv6 address and port number, and the connection state.

Examples

# Display detailed information about an IPv6 TCP connection.

<Sysname> display ipv6 tcp verbose

TCP inpcb number: 1(tcpcb number: 1)

 

 Location: slot: 1

 NSR standby: N/A

 Creator: bgpd[199]

 State: ISCONNECTED

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 65536 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 65536 / 512 / N/A

 Type: 1

 Protocol: 6

 Connection info: src = 2001::1->179 ,  dst = 2001::2->4181

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV6

 Hop limit: 255 (minimum hop limit: 0)

 Connection state: ESTABLISHED

 TCP options: TF_REQ_SCALE TF_REQ_TSTMP TF_SACK_PERMIT TF_NSR

 NSR state: READY(M)

 Send VRF: 0x0

 Receive VRF: 0x0

Table 68 Command output

Field

Description

TCP inpcb number

Number of IPv6 TCP Internet PCBs.

tcpcb number

Number of IPv6 TCP PCBs (excluding PCBs of TCP in TIME_WAIT state).

Location

Location of the device.

Slot

ID of the IRF member device.

NSR standby:

ID of the IRF member device and number of the slot where the NSR standby card resides. This field displays N/A if no NSR standby card is present.

Creator

Task name of the socket. The process number is in the square brackets.

State

Socket state.

Options

Socket options.

Error

Error code.

Receiving buffer(cc/hiwat/lowat/drop/state)

Displays receive buffer information in the following order:

·         cc—Used space.

·         hiwat—Maximum space.

·         lowat—Minimum space.

·         drop—Number of dropped packets.

·         state—Buffer state:

?  CANTSENDMOREUnable to send data to the peer.

?  CANTRCVMOREUnable to receive data from the peer.

?  RCVATMARKReceiving tag.

?  N/ANone of the above states.

Sending buffer(cc/hiwat/lowat/state)

Displays send buffer information in the following order:

·         cc—Used space.

·         hiwat—Maximum space.

·         lowat—Minimum space.

·         state—Buffer state:

?  CANTSENDMOREUnable to send data to the peer.

?  CANTRCVMOREUnable to receive data from the peer.

?  RCVATMARKReceiving tag.

?  N/ANone of the above states.

Type

Socket type:

·         1SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams.

·         2SOCK_DGRAM. This socket uses UDP to provide datagram transmission.

·         3SOCK_RAW. This socket allows an application to change the next upper-layer protocol header.

·         N/ANone of the above types.

Protocol

Number of the protocol using the socket. 6 represents TCP.

Connection info

Connection information, including source IPv6 address and port number, and destination IPv6 address and port number.

Inpcb flags

Flags in the Internet PCB:

·         INP_RECVOPTSReceives IPv6 options.

·         INP_RECVRETOPTSReceives replied IPv6 options.

·         INP_RECVDSTADDRReceives destination IPv6 address.

·         INP_HDRINCLProvides the entire IPv6 header.

·         INP_REUSEADDR—Reuses the IPv6 address.

·         INP_REUSEPORT—Reuses the port number.

·         INP_ANONPORTPort number not specified.

·         INP_PROTOCOL_PACKET—Identifies a protocol packet.

·         INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag.

·         IN6P_IPV6_V6ONLY—Only supports IPv6 protocol stack.

·         IN6P_PKTINFO—Receives the source IPv6 address and input interface of the packet.

·         IN6P_HOPLIMIT—Receives the hop limit.

·         IN6P_HOPOPTSReceives the hop-by-hop options extension header.

·         IN6P_DSTOPTSReceives the destination options extension header.

·         IN6P_RTHDRReceives the routing extension header.

·         IN6P_RTHDRDSTOPTSReceives the destination options extension header preceding the routing extension header.

·         IN6P_TCLASSReceives the traffic class of the packet.

·         IN6P_AUTOFLOWLABELAttaches a flow label automatically.

·         IN6P_RFC2292Uses the API specified in RFC 2292.

·         IN6P_MTUDiscovers differences in the MTU size of every link along a given data path. TCP does not support this flag.

·         INP_RCVMACADDR—Receives the MAC address of the frame.

·         INP_SYNCPCB—Waits until Internet PCB is synchronized.

·         N/ANone of the above flags.

Inpcb extflag

Extension flags in the Internet PCB:

·         INP_EXTRCVPVCIDXRecords the PVC index of the received packet.

·         INP_RCVPWIDRecords the PW ID of the received packet.

·         N/ANone of the above flags.

Inpcb vflag

IP version flags in the Internet PCB:

·         INP_IPV4—IPv4 protocol.

·         INP_IPV6IPv6 protocol.

·         INP_IPV6PROTO—Creates an Internet PCB based on IPv6 protocol.

·         INP_TIMEWAIT—In TIMEWAIT state.

·         INP_ONESBCAST—Sends broadcast packets.

·         INP_DROPPEDProtocol dropped flag.

·         INP_SOCKREFStrong socket reference.

·         INP_DONTBLOCKDo not block synchronization of the Internet PCB.

·         N/ANone of the above flags.

Hop limit(minimum hop limit)

Hop limit in the Internet PCB. The minimum number of hops is in the parentheses.

Connection state

TCP connection state:

·         CLOSED—The server receives a disconnection request's reply from the client.

·         LISTEN—The server is waiting for connection requests.

·         SYN_SENT—The client is waiting for the server to reply to the connection request.

·         SYN_RCVD—The server receives a connection request.

·         ESTABLISHED—The server and client have established connections and can transmit data bidirectionally.

·         CLOSE_WAITThe server receives a disconnection request from the client.

·         FIN_WAIT_1The client is waiting for the server to reply to a disconnection request.

·         CLOSING—The server and client are waiting for peer's disconnection reply when receiving disconnection requests from each other.

·         LAST_ACKThe server is waiting for the client to reply to a disconnection request.

·         FIN_WAIT_2The client receives a disconnection reply from the server.

·         TIME_WAIT—The client receives a disconnection request from the server.

NSR state

State of the TCP connections.

Between the parentheses is the role of the connection:

·         M—Main connection.

·         S—Standby connection.

Send VRF

Sent instances.

Receive VRF

Received instances.

 

display ipv6 udp

Use display ipv6 udp to display brief information about IPv6 UDP connections.

Syntax

display ipv6 udp [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays brief information about IPv6 UDP connections for all member devices.

Usage guidelines

Brief information about an IPv6 UDP connection includes local IPv6 address and port number, and peer IPv6 address and port number.

Examples

# Displays brief information about IPv6 UDP connections.

<Sysname> display ipv6 udp

 LAddr->port         FAddr->port         Slot  PCB

 2001:2002:2003:2   3001:3002:3003:3   1      0x000000000000c387

 004:2005:2006:20   004:3005:3006:30

 07:2008->1200      07:3008->1200

Table 69 Command output

Field

Description

LAddr->port

Local IPv6 address and port number.

FAddr->port

Peer IPv6 address and port number.

Slot

ID of the IRF member device.

PCB

PCB index.

 

display ipv6 udp verbose

Use display ipv6 udp verbose to display detailed information about IPv6 UDP connections.

Syntax

display ipv6 udp verbose [ slot slot-number [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pcb pcb-index: Displays detailed information about IPv6 UDP connections of the specified PCB. The value range for the pcb-index argument is 1 to 16.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays detailed information about IPv6 UDP connections for all member devices.

Usage guidelines

The detailed information includes socket's creator, state, option, type, protocol number, source IPv6 address and port number, destination IPv6 address and port number, and connection state.

Examples

# Display detailed information about an IPv6 UDP connection.

<Sysname> display ipv6 udp verbose

Total UDP socket number: 1

 

 Location: slot:1

 Creator: sock_test_mips[250]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 41600 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 2

 Protocol: 17

 Connection info: src = ::->69, dst = ::->0

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV6

 Hop limit: 255 (minimum hop limit: 0)

 Send VRF: 0xffff

 Receive VRF: 0xffff

Table 70 Command output

Field

Description

Total UDP socket number

Total number of IPv6 UDP sockets.

Location

Location of the device.

Slot

ID of the IRF member device.

Creator

Task name of the socket. The progress number is in the square brackets.

State

Socket state.

Options

Socket options.

Error

Error code.

Receiving buffer(cc/hiwat/lowat/drop/state)

Displays receive buffer information in the following order:

·         cc—Used space.

·         hiwat—Maximum space.

·         lowat—Minimum space.

·         dropNumber of dropped packets.

·         state—Buffer state:

?  CANTSENDMOREUnable to send data to the peer.

?  CANTRCVMOREUnable to receive data from the peer.

?  RCVATMARKReceiving tag.

?  N/ANone of the above states.

Sending buffer(cc/hiwat/lowat/state)

Displays send buffer information in the following order:

·         cc—Used space.

·         hiwat—Maximum space.

·         lowat—Minimum space.

·         state—Buffer state:

?  CANTSENDMOREUnable to send data to the peer.

?  CANTRCVMOREUnable to receive data from the peer.

?  RCVATMARKReceiving tag.

?  N/ANone of the above states.

Type

Socket type:

·         1SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams.

·         2SOCK_DGRAM. This socket uses UDP to provide datagram transmission.

·         3SOCK_RAW. This socket allows an application to change the next upper-layer protocol header.

·         N/ANone of the above types.

Protocol

Number of the protocol using the socket. 17 represents UDP.

Connection info

Connection information, including source IPv6 address and port number, and destination IPv6 address and port number.

Inpcb flags

Flags in the Internet PCB:

·         INP_RECVOPTSReceives IPv6 options.

·         INP_RECVRETOPTSReceives replied IPv6 options.

·         INP_RECVDSTADDRReceives destination IPv6 address.

·         INP_HDRINCLProvides the entire IPv6 header.

·         INP_REUSEADDR—Reuses the IPv6 address.

·         INP_REUSEPORT—Reuses the port number.

·         INP_ANONPORTPort number not specified.

·         INP_PROTOCOL_PACKET—Identifies a protocol packet.

·         INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag.

·         IN6P_IPV6_V6ONLY—Only supports IPv6 protocol stack.

·         IN6P_PKTINFO—Receives the source IPv6 address and input interface of the packet.

·         IN6P_HOPLIMIT—Receives the hop limit.

·         IN6P_HOPOPTSReceives the hop-by-hop options extension header.

·         IN6P_DSTOPTSReceives the destination options extension header.

·         IN6P_RTHDRReceives the routing extension header.

·         IN6P_RTHDRDSTOPTSReceives the destination options extension header preceding the routing extension header.

·         IN6P_TCLASSReceives the traffic class of the packet.

·         IN6P_AUTOFLOWLABELAttaches a flow label automatically.

·         IN6P_RFC2292Uses the API specified in RFC 2292.

·         IN6P_MTUDiscovers differences in the MTU size of every link along a given data path. TCP does not support this flag.

·         INP_RCVMACADDR—Receives the MAC address of the frame.

·         INP_SYNCPCB—Waits until Internet PCB is synchronized.

·         N/ANone of the above flags.

Inpcb extflag

Extension flags in the Internet PCB:

·         INP_EXTRCVPVCIDXRecords the PVC index of the received packet.

·         INP_RCVPWIDRecords the PW ID of the received packet.

·         N/ANone of the above flags.

Inpcb vflag

IP version flags in the Internet PCB:

·         INP_IPV4—IPv4 protocol.

·         INP_IPV6IPv6 protocol.

·         INP_IPV6PROTO—Creates an Internet PCB based on IPv6 protocol.

·         INP_TIMEWAIT—In TIMEWAIT state.

·         INP_ONESBCAST—Sends broadcast packets.

·         INP_DROPPEDProtocol dropped flag.

·         INP_SOCKREFStrong socket reference.

·         INP_DONTBLOCKDo not block synchronization of the Internet PCB.

·         N/ANone of the above flags.

Hop limit(minimum hop limit)

Hop limit in the Internet PCB. The minimum number of hops is in the parentheses.

Send VRF

Sent instances.

Receive VRF

Received instances.

 

ipv6 address

Use ipv6 address to configure an IPv6 global unicast address for an interface.

Use undo ipv6 address to remove an IPv6 address of the interface.

Syntax

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

undo ipv6 address [ ipv6-address prefix-length | ipv6-address/prefix-length ]

Default

No IPv6 global unicast address is configured for an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies an IPv6 address.

prefix-length: Specifies a prefix length in the range of 1 to 128.

Usage guidelines

Like public IPv4 addresses, IPv6 global unicast addresses are assigned to ISPs. This type of address allows for prefix aggregation to reduce the number of global routing entries.

If you do not specify any parameters, the undo ipv6 address command removes all IPv6 addresses of an interface.

Examples

# Set the IPv6 global unicast address of VLAN-interface 100 to 2001::1 with prefix length 64.

Method 1:

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 address 2001::1/64

Method 2:

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 address 2001::1 64

ipv6 address anycast

Use ipv6 address anycast to configure an IPv6 anycast address for an interface.

Use undo ipv6 address anycast to remove the IPv6 anycast address of the interface.

Syntax

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } anycast

undo ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } anycast

Default

No IPv6 anycast address is configured for an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies an IPv6 anycast address.

prefix-length: Specifies a prefix length in the range of 1 to 128.

Examples

# Set the IPv6 anycast address of VLAN-interface 100 to 2001::1 with prefix length 64.

Method 1:

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 address 2001::1/64 anycast

Method 2:

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 address 2001::1 64 anycast

ipv6 address auto

Use ipv6 address auto to enable the stateless address autoconfiguration feature on an interface, so that the interface can automatically generate a global unicast address.

Use undo ipv6 address auto to disable this feature.

Syntax

ipv6 address auto

undo ipv6 address auto

Default

The stateless address autoconfiguration feature is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

After a global unicast address is generated through stateless autoconfiguration, a link-local address is generated automatically.

To remove the global unicast address and the link-local address that are automatically generated, use either of the following commands:

·          undo ipv6 address auto

·          undo ipv6 address

Examples

# Enable stateless address autoconfiguration on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 address auto

ipv6 address auto link-local

Use ipv6 address auto link-local to automatically generate a link-local address for an interface.

Use undo ipv6 address auto link-local to remove the automatically generated link-local address for the interface.

Syntax

ipv6 address auto link-local

undo ipv6 address auto link-local

Default

No link-local address is configured on an interface. A link-local address is automatically generated after an IPv6 global unicast address is configured for the interface.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

Link-local addresses are used for neighbor discovery and stateless autoconfiguration on the local link. Packets using link-local addresses as the source or destination addresses cannot be forwarded to other links.

After an IPv6 global unicast address is configured for an interface, a link-local address is automatically generated. This link-local address is the same as the one generated by using the ipv6 address auto link-local command.

The undo ipv6 address auto link-local command removes only the link-local addresses generated through the ipv6 address auto link-local command. If the undo command is executed on an interface with an IPv6 global unicast address configured the interface still has a link-local address.

You can also manually assign an IPv6 link-local address for an interface by using the ipv6 address link-local command. Manual assignment takes precedence over automatic generation for IPv6 link-local addresses.

·          If you first use automatic generation and then manual assignment, the manually assigned link-local address overwrites the automatically generated address.

·          If you first use manual assignment and then automatic generation, both of the following occur:

?  The automatically generated link-local address does not take effect.

?  The link-local address of an interface is still the manually assigned address.

If you delete the manually assigned address, the automatically generated link-local address takes effect.

Examples

# Configure VLAN-interface 100 to automatically generate a link-local address.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 address auto link-local

Related commands

ipv6 address link-local

ipv6 address eui-64

Use ipv6 address eui-64 to configure an EUI-64 IPv6 address for an interface.

Use undo ipv6 address eui-64 to remove the EUI-64 IPv6 address of the interface.

Syntax

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64

undo ipv6 address [ ipv6-address prefix-length | ipv6-address/prefix-length ] eui-64

Default

No EUI-64 IPv6 address is configured for an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-address/prefix-length: Specifies an IPv6 address and IPv6 prefix length. The ipv6-address and prefix-length arguments jointly specify the prefix of an EUI-64 IPv6 address. The value range for the prefix-length argument is 1 to 64.

Usage guidelines

An EUI-64 IPv6 address is generated based on the specified prefix and the automatically generated interface ID. To display the EUI-64 IPv6 address, use the display ipv6 interface command.

The prefix length of an EUI-64 IPv6 address cannot be greater than 64.

Examples

# Configure an EUI-64 IPv6 address for VLAN-interface 100. The prefix of the address is the same as that of 2001::1/64, and the interface ID is generated based on the MAC address of the device.

Method 1:

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 address 2001::1/64 eui-64

Method 2:

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 address 2001::1 64 eui-64

Related commands

display ipv6 interface

ipv6 address prefix-number

Use ipv6 address prefix-number to specify an IPv6 prefix for an interface to automatically generate an IPv6 global unicast address and advertise the prefix.

Use undo ipv6 address prefix-number to restore the default.

Syntax

ipv6 address prefix-number sub-prefix/prefix-length

undo ipv6 address prefix-number

Default

No IPv6 prefix is specified for IPv6 address autoconfiguration.

Views

Interface view

Predefined user roles

network-admin

Parameters

prefix-number: Specifies an IPv6 prefix by its ID in the range of 1 to 1024. The specified IPv6 prefix can be manually configured or obtained through DHCPv6.

sub-prefix: Specifies the sub-prefix bit and host bit for the IPv6 global unicast address.

prefix-length: Specifies the sub-prefix length in the range of 1 to 128.

Usage guidelines

This command enables an interface to automatically generate an IPv6 global unicast address based on the specified IPv6 prefix, sub-prefix bit, and host bit.

An interface can generate only one IPv6 global unicast address based on the prefix specified by using the ipv6 address command. To configure the interface to generate a new IPv6 address, use the undo ipv6 address command and specify a new IPv6 prefix for the interface.

Examples

# Configure a static IPv6 prefix AAAA::/16 and assign ID 1 to the prefix. Configure VLAN-interface 100 to use this prefix to generate the IPv6 address AAAA:CCCC:DDDD::10/32 and advertise this prefix.

<Sysname> system-view

[Sysname] ipv6 prefix 1 AAAA::/16

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 address 1 BBBB:CCCC:DDDD::10/32

# Configure VLAN-interface 10 to obtain an IPv6 prefix through DHCPv6 and assign ID 2 to the obtained prefix. Configure VLAN-interface 100 to use the obtained prefix to generate an IPv6 address and advertise the prefix.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ipv6 dhcp client pd 2 rapid-commit option-group 1

[Sysname-Vlan-interface10] quit

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 address 2 BBBB:CCCC:DDDD::10/32

Related commands

·          ipv6 prefix

·          ipv6 dhcp client pd

ipv6 address link-local

Use ipv6 address link-local to configure a link-local address for the interface.

Use undo ipv6 address link-local to remove the link-local address of the interface.

Syntax

ipv6 address ipv6-address link-local

undo ipv6 address ipv6-address link-local

Default

No link-local address is configured for the interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies an IPv6 link-local address. The first 10 bits of an address must be 1111111010 (binary). The first group of hexadecimals in the address must be FE80 to FEBF.

Usage guidelines

Manual assignment takes precedence over automatic generation.

If you use automatic generation, and then use manual assignment, the manually assigned link-local address overwrites the one that is automatically generated.

If you use manual assignment and then use automatic generation, both of the following occur:

·          The automatically generated link-local address does not take effect.

·          The manually assigned link-local address of an interface remains.

After you delete the manually assigned address, the automatically generated link-local address takes effect. For automatic generation of an IPv6 link-local address, see the ipv6 address auto link-local command.

Examples

# Configure a link-local address for VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 address fe80::1 link-local

Related commands

ipv6 address auto link-local

ipv6 option drop enable

Use ipv6 extension-header drop enable to enable a device to discard IPv6 packets that contain extension headers.

Use undo ipv6 extension-header drop enable to restore the default.

Syntax

ipv6 extension-header drop enable

undo ipv6 extension-header drop enable

Default

A device does not discard IPv6 packets that contain extension headers.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables a device to discard a received IPv6 packet in which the extension headers cannot be processed by the device.

Examples

# Enable the device to discard IPv6 packets that contain extension headers.

<Sysname> system-view

[Sysname] ipv6 extension-header drop enable

ipv6 hop-limit

Use ipv6 hop-limit to set the Hop Limit field in the IPv6 header.

Use undo ipv6 hop-limit to restore the default.

Syntax

ipv6 hop-limit value

undo ipv6 hop-limit

Default

The hop limit is 64.

Views

System view

Predefined user roles

network-admin

Parameters

value: Specifies the number of hops, in the range of 1 to 255.

Usage guidelines

The hop limit determines the number of hops that an IPv6 packet generated by the device can travel.

The device advertises the hop limit in RA messages. All RA message receivers use the advertised value to fill in the Hop Limit field for IPv6 packets to be sent. To disable the device from advertising the hop limit, use the ipv6 nd ra hop-limit unspecified command.

Examples

# Set the maximum number of hops to 100.

<Sysname> system-view

[Sysname] ipv6 hop-limit 100

Related commands

ipv6 nd ra hop-limit unspecified

ipv6 hoplimit-expires enable

Use ipv6 hoplimit-expires enable to enable sending ICMPv6 time exceeded messages.

Use undo ipv6 hoplimit-expires to disable sending ICMPv6 time exceeded messages.

Syntax

ipv6 hoplimit-expires enable

undo ipv6 hoplimit-expires enable

Default

Sending ICMPv6 time exceeded messages is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

ICMPv6 time exceeded messages are sent to the source of IPv6 packets after the device discards IPv6 packets because hop or reassembly times out.

To prevent too many ICMPv6 error messages from affecting device performance, disable this feature. Even with the feature disabled, the device still sends fragment reassembly time exceeded messages.

Examples

# Disable sending ICMPv6 time exceeded messages.

<Sysname> system-view

[Sysname] undo ipv6 hoplimit-expires enable

ipv6 icmpv6 error-interval

Use ipv6 icmpv6 error-interval to set the bucket size and the interval for tokens to arrive in the bucket for ICMPv6 error messages.

Use undo ipv6 icmpv6 error-interval to restore the default.

Syntax

ipv6 icmpv6 error-interval milliseconds [ bucketsize ]

undo ipv6 icmpv6 error-interval

Default

The bucket allows a maximum of 10 tokens, and a token is placed in the bucket every 100 milliseconds.

Views

System view

Predefined user roles

network-admin

Parameters

milliseconds: Specifies the interval for tokens to arrive in the bucket. The value range is 0 to 2147483647 milliseconds, and the default is 100 milliseconds. To disable the ICMPv6 rate limit, set the value to 0.

bucketsize: Specifies the maximum number of tokens allowed in the bucket. The value range is 1 to 200, and the default is 10.

Usage guidelines

This command limits the rate at which ICMPv6 error messages are sent. Use this command to prevent network congestion caused by excessive ICMPv6 error messages generated within a short period. A token bucket algorithm is used with one token representing one ICMPv6 error message.

A token is placed in the bucket at intervals until the maximum number of tokens that the bucket can hold is reached.

A token is removed from the bucket when an ICMPv6 error message is sent. When the bucket is empty, ICMPv6 error messages are not sent until a new token is placed in the bucket.

Examples

# Set the bucket size to 40 tokens and the interval for tokens to arrive in the bucket to 200 milliseconds for ICMPv6 error messages.

<Sysname> system-view

[Sysname] ipv6 icmpv6 error-interval 200 40

ipv6 icmpv6 multicast-echo-reply enable

Use ipv6 icmpv6 multicast-echo-reply enable to enable replying to multicast echo requests.

Use undo ipv6 icmpv6 multicast-echo-reply to disable replying to multicast echo requests.

Syntax

ipv6 icmpv6 multicast-echo-reply enable

undo ipv6 icmpv6 multicast-echo-reply enable

Default

The device is disabled from replying to multicast echo requests.

Views

System view

Predefined user roles

network-admin

Usage guidelines

If a host is configured to reply to multicast echo requests, an attacker can use this mechanism to attack the host. For example, the attacker can send an echo request to a multicast address with Host A as the source. All hosts in the multicast group will send echo replies to Host A.

To prevent attacks, do not enable the device to reply to multicast echo requests unless necessary.

Examples

# Enable replying to multicast echo requests.

<Sysname> system-view

[Sysname] ipv6 icmpv6 multicast-echo-reply enable

ipv6 icmpv6 source

Use ipv6 icmpv6 source to specify an IPv6 address as the source address for outgoing ICMPv6 packets.

Use undo ipv6 icmpv6 source to restore the default.

Syntax

ipv6 icmpv6 source ipv6-address

undo ipv6 icmpv6 source

Default

The device uses the IPv6 address of the sending interface as the source IPv6 address for outgoing ICMPv6 packets.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies an IPv6 address.

Usage guidelines

It is a good practice to specify the IPv6 address of the loopback interface as the source IPv6 address for outgoing ping echo request and ICMPv6 error messages. This feature helps users to easily locate the sending device.

Examples

# Specify IPv6 address 1::1 as the source address for outgoing ICMPv6 packets.

<Sysname> system-view

[Sysname] ipv6 icmpv6 source 1::1

ipv6 mtu

Use ipv6 mtu to set the MTU of IPv6 packets sent over an interface.

Use undo ipv6 mtu to restore the default MTU.

Syntax

ipv6 mtu mtu-size

undo ipv6 mtu

Default

No MTU is configured for an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

mtu-size: Specifies the size of the MTUs of an interface, in the range of 1280 to 1748 bytes.

Usage guidelines

IPv6 routers do not support packet fragmentation. After an IPv6 router receives an IPv6 packet, if the packet size is greater than the MTU of the forwarding interface, the router discards the packet. Meanwhile, the router sends the MTU to the source host through an ICMPv6 packet — Packet Too Big message. The source host fragments the packet according to the MTU and resends it. To reduce the extra flow overhead resulting from packet drops, set an appropriate interface MTU for your network.

Examples

# Set the MTU of IPv6 packets sent over VLAN-interface 100 to 1280 bytes.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 mtu 1280

ipv6 nd autoconfig managed-address-flag

Use ipv6 nd autoconfig managed-address-flag to set the managed address configuration flag (M) to 1 in RA advertisements to be sent.

Use undo ipv6 nd autoconfig managed-address-flag to restore the default.

Syntax

ipv6 nd autoconfig managed-address-flag

undo ipv6 nd autoconfig managed-address-flag

Default

The M flag is set to 0 in RA advertisements. Hosts receiving the advertisements will obtain IPv6 addresses through stateless autoconfiguration.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

The M flag in RA advertisements determines whether receiving hosts use stateful autoconfiguration to obtain IPv6 addresses.

·          If the M flag is set to 1 in RA advertisements, receiving hosts use stateful autoconfiguration (for example, from an DHCPv6 server) to obtain IPv6 addresses.

·          If the M flag is set to 0 in RA advertisements, receiving hosts use stateless autoconfiguration. Stateless autoconfiguration generates IPv6 addresses according to link-layer addresses and the prefix information in the RA advertisements.

Examples

# Set the M flag to 1 in RA advertisements to be sent.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 nd autoconfig managed-address-flag

ipv6 nd autoconfig other-flag

Use ipv6 nd autoconfig other-flag to set the other stateful configuration flag (O) to 1 in RA advertisements to be sent.

Use undo ipv6 nd autoconfig other-flag to restore the default.

Syntax

ipv6 nd autoconfig other-flag

undo ipv6 nd autoconfig other-flag

Default

The O flag is set to 0 in RA advertisements. Hosts receiving the advertisements will acquire other information through stateless autoconfiguration.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

The O flag in RA advertisements determines whether receiving hosts use stateful autoconfiguration to obtain configuration information other than IPv6 addresses.

·          If the O flag is set to 1 in RA advertisements, receiving hosts use stateful autoconfiguration (for example, from a DHCPv6 server) to obtain configuration information other than IPv6 addresses.

·          If the O flag is set to 0 in RA advertisements, receiving hosts use stateless autoconfiguration to obtain configuration information other than IPv6 addresses.

Examples

# Set the O flag to 0 in RA advertisements to be sent.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] undo ipv6 nd autoconfig other-flag

ipv6 nd dad attempts

Use ipv6 nd dad attempts to set the number of attempts to send an NS message for DAD.

Use undo ipv6 nd dad attempts to restore the default.

Syntax

ipv6 nd dad attempts value

undo ipv6 nd dad attempts

Default

The number of attempts to send an NS message for DAD is 1.

Views

Interface view

Predefined user roles

network-admin

Parameters

value: Specifies the number of attempts to send an NS message for DAD, in the range of 0 to 600. If it is set to 0, DAD is disabled.

Usage guidelines

An interface sends an NS message for DAD after obtaining an IPv6 address.

If the interface does not receive a response within the time specified by using ipv6 nd ns retrans-timer, it resends an NS message.

If the interface receives no response after making the maximum sending attempts (set by using ipv6 nd dad attempts), the interface uses the obtained address.

Examples

# Set the number of attempts to send an NS message for DAD to 20.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 nd dad attempts 20

Related commands

·          display ipv6 interface

·          ipv6 nd ns retrans-timer

ipv6 nd mode uni

Use ipv6 nd mode uni to configure a port as a customer-side port.

Use undo ipv6 nd mode to restore the default.

Syntax

ipv6 nd mode uni

undo ipv6 nd mode

Default

A port acts as a network-side port.

Views

VLAN interface view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware series

Model

Command compatibility

WX1800H series

WX1804H

WX1810H

WX1820H

WX1840H

Yes

WX3800H series

WX3820H

WX3840H

No

WX5800H series

WX5860H

No

 

By default, the device associates an ND entry with routing information when the device learns an ND entry. The ND entry provides the next hop information for routing. To save hardware resources, you can use this command to specify a port that connects to a user terminal as a customer-side port. The device will not associate the routing information with the learned ND entries.

Examples

# Specify VLAN-interface 2 as a customer-side port.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] ipv6 nd mode uni

ipv6 nd ns retrans-timer

Use ipv6 nd ns retrans-timer to set the interval for retransmitting an NS message.

Use undo ipv6 nd ns retrans-timer to restore the default.

Syntax

ipv6 nd ns retrans-timer value

undo ipv6 nd ns retrans-timer

Default

The local interface sends NS messages at every an interval of 1000 milliseconds, and the Retrans Timer field in the RA messages sent is 0. The interval for retransmitting an NS message is determined by the receiving device.

Views

Interface view

Predefined user roles

network-admin

Parameters

value: Specifies the interval value in the range of 1000 to 4294967295 milliseconds.

Usage guidelines

If a device does not receive a response from the peer within the specified interval, the device resends an NS message. The device retransmits an NS message at the specified interval and uses the interval value to fill the Retrans Timer field in RA messages to be sent.

Examples

# Specify VLAN-interface 100 to retransmit NS messages every 10000 milliseconds.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 nd ns retrans-timer 10000

Related commands

display ipv6 interface

ipv6 nd nud reachable-time

Use ipv6 nd nud reachable-time to set the neighbor reachable time on an interface.

Use undo ipv6 nd nud reachable-time to restore the default.

Syntax

ipv6 nd nud reachable-time value

undo ipv6 nd nud reachable-time

Default

The neighbor reachable time on the local interface is 30000 milliseconds, and the value of the Reachable Time field in RA messages is 0. The reachable time is determined by the receiving device.

Views

Interface view

Predefined user roles

network-admin

Parameters

value: Specifies the neighbor reachable time in the range of 1 to 3600000 milliseconds.

Usage guidelines

If the neighbor reachability detection shows that a neighbor is reachable, the device considers the neighbor reachable within the specified reachable time. If the device must send a packet to the neighbor after the specified reachable time expires, the device reconfirms whether the neighbor is reachable. The device sets the specified value as the neighbor reachable time on the local interface and uses the value to fill the Reachable Time field in RA messages to be sent.

Examples

# Set the neighbor reachable time on VLAN-interface 100 to 10000 milliseconds.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 nd nud reachable-time 10000

Related commands

display ipv6 interface

ipv6 nd ra halt

Use ipv6 nd ra halt to suppress an interface from advertising RA messages.

Use undo ipv6 nd ra halt to disable this feature.

Syntax

ipv6 nd ra halt

undo ipv6 nd ra halt

Default

An interface is suppressed from sending RA messages.

Views

Interface view

Predefined user roles

network-admin

Examples

# Disable RA message suppression on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] undo ipv6 nd ra halt

ipv6 nd ra hop-limit unspecified

Use ipv6 nd ra hop-limit unspecified to specify unlimited hops in RA messages.

Use undo ipv6 nd ra hop-limit unspecified to restore the default.

Syntax

ipv6 nd ra hop-limit unspecified

undo ipv6 nd ra hop-limit unspecified

Default

The maximum number of hops in the RA messages is limited to 64.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

To set the maximum number of hops to a value rather than the default setting, use the ipv6 hop-limit command.

Examples

# Specify unlimited hops in the RA messages on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ipv6 nd ra hop-limit unspecified

Related commands

ipv6 hop-limit

ipv6 nd ra interval

Use ipv6 nd ra interval to set the maximum and minimum intervals for advertising RA messages.

Use undo ipv6 nd ra interval to restore the default.

Syntax

ipv6 nd ra interval max-interval-value min-interval-value

undo ipv6 nd ra interval

Default

The maximum interval between RA messages is 600 seconds, and the minimum interval is 200 seconds.

Views

Interface view

Predefined user roles

network-admin

Parameters

max-interval-value: Specifies the maximum interval value in seconds, in the range of 4 to 1800.

min-interval-value: Specifies the minimum interval value in the range of 3 seconds to three-fourths of the maximum interval.

Usage guidelines

The device advertises RA messages randomly between the maximum interval and the minimum interval.

The maximum interval for sending RA messages should be less than or equal to the router lifetime in RA messages.

Examples

# Set the maximum interval for advertising RA messages to 1000 seconds and the minimum interval to 700 seconds.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 nd ra interval 1000 700

Related commands

ipv6 nd ra router-lifetime

ipv6 nd ra no-advlinkmtu

Use ipv6 nd ra no-advlinkmtu to turn off the MTU option in RA messages.

Use undo ipv6 nd ra no-advlinkmtu to restore the default.

Syntax

ipv6 nd ra no-advlinkmtu

undo ipv6 nd ra no-advlinkmtu

Default

RA messages contain the MTU option.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

The MTU option in the RA messages specifies the link MTU to ensure that all nodes on the link use the same MTU.

Examples

# Turn off the MTU option in RA messages on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 nd ra no-advlinkmtu

ipv6 nd ra prefix

Use ipv6 nd ra prefix to configure the prefix information in RA messages.

Use undo ipv6 nd ra prefix to remove the prefix information from RA messages.

Syntax

ipv6 nd ra prefix { ipv6-prefix prefix-length | ipv6-prefix/prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig | off-link ] *

undo ipv6 nd ra prefix { ipv6-prefix | ipv6-prefix/prefix-length }

Default

No prefix information is configured for RA messages. Instead, the IPv6 address of the interface sending RA messages is used as the prefix information.

If the IPv6 address is manually configured, the prefix uses the fixed valid lifetime 2592000 seconds (30 days) and preferred lifetime 604800 seconds (7 days).

If the IPv6 address is automatically obtained (through DHCP, for example), the prefix uses the valid and preferred lifetime of the IPv6 address.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-prefix: Specifies the IPv6 prefix.

prefix-length: Specifies the prefix length of the IPv6 address.

valid-lifetime: Specifies the valid lifetime of a prefix, in the range of 0 to 4294967295 seconds.

preferred-lifetime: Specifies the preferred lifetime of a prefix used for stateless autoconfiguration, in the range of 0 to 4294967295 seconds. The preferred lifetime cannot be greater than the valid lifetime.

no-autoconfig: Specifies a prefix not to be used for stateless autoconfiguration. If you do not specify this keyword, the prefix is used for stateless autoconfiguration.

off-link: Indicates that the address with the prefix is not directly reachable on the link. If you do not specify this keyword, the address with the prefix is directly reachable on the link.

Usage guidelines

After hosts on the same link receive RA messages, they can use the prefix information in the RA messages for stateless autoconfiguration.

Examples

# Configure the prefix information in RA messages on VLAN-interface 100.

Method 1:

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 nd ra prefix 2001:10::100/64 100 10

Method 2:

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 nd ra prefix 2001:10::100 64 100 10

ipv6 nd ra router-lifetime

Use ipv6 nd ra router-lifetime to set the router lifetime in RA messages.

Use undo ipv6 nd ra router-lifetime to restore the default.

Syntax

ipv6 nd ra router-lifetime value

undo ipv6 nd ra router-lifetime

Default

The router lifetime in RA messages is 1800 seconds.

Views

Interface view

Predefined user roles

network-admin

Parameters

value: Specifies the router lifetime in the range of 0 to 9000 seconds. If the value is set to 0, the router does not act as the default router.

Usage guidelines

The router lifetime in RA messages specifies how long the router sending the RA messages acts as the default router. Hosts receiving the RA messages check this value to determine whether to use the sending router as the default router. If the router lifetime is 0, the router cannot be used as the default router.

The router lifetime in RA messages must be greater than or equal to the advertising interval.

Examples

# Set the router lifetime in RA messages on VLAN-interface 100 to 1000 seconds.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 nd ra router-lifetime 1000

Related commands

ipv6 nd ra interval

ipv6 nd router-preference

Use ipv6 nd router-preference to set a router preference in RA messages.

Use undo ipv6 nd router-preference to restore the default.

Syntax

ipv6 nd router-preference { high | low | medium }

undo ipv6 nd router-preference

Default

The router preference is medium.

Views

Interface view

Predefined user roles

network-admin

Parameters

high: Sets the router preference to the highest setting.

low: Sets the router preference to the lowest setting.

medium: Sets the router preference to the medium setting.

Usage guidelines

A hosts selects a router with the highest preference as the default router.

When router preferences are the same in RA messages, a host selects the router corresponding to the first received RA message as the default gateway.

Examples

# Set the router preference in RA messages to the highest on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 nd router-preference high

ipv6 neighbor

Use ipv6 neighbor to configure a static neighbor entry.

Use undo ipv6 neighbor to remove a static neighbor entry.

Syntax

ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number | interface interface-type interface-number }

undo ipv6 neighbor ipv6-address interface-type interface-number

Default

No static neighbor entry is configured.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of the static neighbor entry.

mac-address: Specifies the MAC address (48 bits) of the static neighbor entry, in the format of H-H-H.

vlan-id: Specifies the VLAN ID of the static neighbor entry, in the range of 1 to 4094.

port-type port-number: Specifies a Layer 2 port of the static neighbor entry by its type and number.

interface interface-type interface-number: Specifies a Layer 3 interface of the static neighbor entry by its type and number.

Usage guidelines

A neighbor entry stores information about a link-local node. The entry can be created dynamically through NS and NA messages, or configured statically.

The device uniquely identifies a static neighbor entry by using the neighbor's IPv6 address and the number of the Layer 3 interface that connects to the neighbor. You can configure a static neighbor entry by using either of the following methods:

·          Method 1—Associate a neighbor IPv6 address and link-layer address with the Layer 3 interface of the local node.

·          Method 2—Associate a neighbor IPv6 address and link-layer address with a Layer 2 port in a VLAN containing the local node.

You can use either of the previous configuration methods to configure a static neighbor entry for a VLAN interface.

·          If Method 1 is used, the neighbor entry is in INCMP state. After the device obtains the corresponding Layer 2 port information, the neighbor entry goes into REACH state.

·          If Method 2 is used, the port specified by port-type port-number must belong to the VLAN specified by vlan-id and the corresponding VLAN interface must already exist. After the static neighbor entry is configured, the device associates the VLAN interface with the IPv6 address to uniquely identify the static neighbor entry. The entry will be in REACH state.

To remove a static neighbor entry for a VLAN interface, specify only the corresponding VLAN interface.

Examples

# Configure a static neighbor entry for VLAN-interface 1.

<Sysname> system-view

[Sysname] ipv6 neighbor 2000::1 fe-e0-89 interface Vlan-interface 1

Related commands

·          display ipv6 neighbors

·          reset ipv6 neighbors

ipv6 neighbor link-local minimize

Use ipv6 neighbor link-local minimize to minimize link-local ND entries.

Use undo ipv6 neighbor link-local minimize to restore the default.

Syntax

ipv6 neighbor link-local minimize

undo ipv6 neighbor link-local minimize

Default

All ND entries are assigned to the driver.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Perform this command to minimize link-local ND entries assigned to the driver. Link-local ND entries refer to ND entries that contain link-local addresses.

By default, the device assigns all ND entries to the driver. With this feature enabled, the device does not add newly learned link-local ND entries whose link local addresses are not the next hop of any route to the driver. This saves driver resources.

This feature affects only newly learned link-local ND entries rather than existing ND entries.

Examples

# Minimize link-local ND entries.

<Sysname> system-view

[Sysname] ipv6 neighbor link-local minimize

ipv6 neighbor stale-aging

Use ipv6 neighbor stale-aging to set the aging timer for ND entries in stale state.

Use undo ipv6 neighbor stale-aging to restore the default.

Syntax

ipv6 neighbor stale-aging aging-time

undo ipv6 neighbor stale-aging

Default

The aging timer for ND entries in stale state is 240 minutes.

Views

System view

Predefined user roles

network-admin

Parameters

aging-time: Specifies the aging timer for ND entries in stale state, in the range of 1 to 1440 minutes.

Usage guidelines

This aging time applies to all ND entries in stale state. If an ND entry in stale state is not updated before the timer expires, it moves to the delay state. If it is still not updated in 5 seconds, the ND entry moves to the probe state. The device sends an NS message for detection a maximum of three times. If no response is received, the device deletes the ND entry.

Examples

# Set the aging timer for ND entries in stale state to 120 minutes.

<Sysname> system-view

[Sysname] ipv6 neighbor stale-aging 120

ipv6 neighbors max-learning-num

Use ipv6 neighbors max-learning-num to set the maximum number of dynamic neighbor entries that an interface can learn. This prevents the interface from occupying too many neighbor table resources.

Use undo ipv6 neighbors max-learning-num to restore the default.

Syntax

ipv6 neighbors max-learning-num number

undo ipv6 neighbors max-learning-num

Default

The following matrix shows the default values for the maximum number of dynamic neighbor entries that an interface can learn:

 

Hardware series

Model

Default

WX1800H series

WX1804H

WX1810H

WX1820H

WX1840H

512: WX1804H

2048:

·         WX1810H

·         WX1820H

·         WX1840H

WX3800H series

WX3820H

32768

WX3840H

40960

WX5800H series

WX5860H

65536

 

Views

Layer 2/Layer 3 interface view

Layer 2/Layer 3 aggregate interface view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of dynamic neighbor entries that an interface can learn. The following matrix shows the value ranges for the number argument:

 

Hardware series

Model

Value range

WX1800H series

WX1804H

WX1810H

WX1820H

WX1840H

1 to 512: WX1804H

1 to 2048:

·         WX1810H

·         WX1820H

1 to 2560: WX1840H

WX3800H series

WX3820H

1 to 32768

WX3840H

1 to 40960

WX5800H series

WX5860H

1 to 65536

 

Usage guidelines

The device can dynamically acquire the link-layer address of a neighboring node through NS and NA messages and add it into the neighbor table.

When the number of dynamic neighbor entries reaches the threshold, the interface stops learning neighbor information.

Examples

# Set the maximum number of dynamic neighbor entries that VLAN-interface 100 can learn to 10.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 neighbors max-learning-num 10

ipv6 pathmtu

Use ipv6 pathmtu to set a static Path MTU for an IPv6 address.

Use undo ipv6 pathmtu to remove the Path MTU configuration for an IPv6 address.

Syntax

ipv6 pathmtu ipv6-address value

undo ipv6 pathmtu ipv6-address

Default

No static Path MTU is set.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies an IPv6 address.

value: Specifies the Path MTU of the specified IPv6 address, in the range of 1280 to 10240 bytes.

Usage guidelines

You can set a static Path MTU for a destination IPv6 address. When a source host sends a packet through an interface, it compares the interface MTU with the static Path MTU of the specified destination IPv6 address. If the packet size is larger than the smaller one of the two values, the host fragments the packet according to the smaller value.

Examples

# Set a static Path MTU for an IPv6 address.

<Sysname> system-view

[Sysname] ipv6 pathmtu fe80::12 1300

Related commands

·          display ipv6 pathmtu

·          reset ipv6 pathmtu

ipv6 pathmtu age

Use ipv6 pathmtu age to set the aging time for a dynamic Path MTU.

Use undo ipv6 pathmtu age to restore the default.

Syntax

ipv6 pathmtu age age-time

undo ipv6 pathmtu age

Default

The aging time for dynamic Path MTU is 10 minutes.

Views

System view

Predefined user roles

network-admin

Parameters

age-time: Specifies the aging time for Path MTU in minutes, in the range of 10 to 100.

Usage guidelines

After the path MTU from a source host to a destination host is dynamically determined, the source host sends subsequent packets to the destination host based on this MTU. After the aging time expires, the following events occur:

·          The dynamic Path MTU is removed.

·          The source host determines a dynamic path MTU through the Path MTU mechanism again.

The aging time is invalid for a static Path MTU.

Examples

# Set the aging time for a dynamic Path MTU to 40 minutes.

<Sysname> system-view

[Sysname] ipv6 pathmtu age 40

Related commands

display ipv6 pathmtu

ipv6 prefer temporary-address

Use ipv6 prefer temporary-address to enable the system to preferentially use the temporary IPv6 address of the sending interface as the source address of a packet.

Use undo ipv6 prefer temporary-address to restore the default.

Syntax

ipv6 prefer temporary-address

undo ipv6 prefer temporary-address

Default

The system does not preferentially use the temporary IPv6 address of the sending interface as the source address of a packet.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The temporary address feature enables the system to generate and preferentially use the temporary IPv6 address of the sending interface as the source address of a packet. If the temporary IPv6 address cannot be used because of a DAD conflict, the system uses the public IPv6 address.

Examples

# Enable the system to preferentially use the temporary IPv6 address of the sending interface as the source address of the packet.

<Sysname> system-view

[Sysname] ipv6 prefer temporary-address

Related commands

·          ipv6 address auto

·          ipv6 nd ra prefix

·          ipv6 temporary-address

ipv6 prefix

Use ipv6 prefix to configure a static IPv6 prefix.

Use undo ipv6 prefix to remove a static IPv6 prefix.

Syntax

ipv6 prefix prefix-number ipv6-prefix/prefix-length

undo ipv6 prefix prefix-number

Default

No static IPv6 prefix is configured on the device.

Views

System view

Predefined user roles

network-admin

Parameters

prefix-number: Specifies a prefix ID in the range of 1 to 1024.

ipv6-prefix/prefix-length: Specifies a prefix and its length. The value range for the prefix-length argument is 1 to 128.

Usage guidelines

You cannot use the ipv6 prefix command to modify an existing static prefix.

Dynamic IPv6 prefixes obtained from DHCPv6 servers cannot be manually removed or modified.

A static IPv6 prefix can have the same prefix ID with a dynamic IPv6 prefix, but the static one takes precedence over the dynamic one.

Examples

# Create static IPv6 prefix 2001:0410::/32 with prefix ID 1.

<Sysname> system-view

[Sysname] ipv6 prefix 1 2001:0410::/32

Related commands

display ipv6 prefix

ipv6 reassemble local enable

Use ipv6 reassemble local enable to enable IPv6 local fragment reassembly.

Use undo ipv6 reassemble local enable to restore the default.

Syntax

ipv6 reassemble local enable

undo ipv6 reassemble local enable

Default

IPv6 local fragment reassembly is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

In a multichassis IRF fabric, this feature enables the receiving subordinate to reassemble the received IPv6 fragments instead of delivering them to the master for reassembly. It improves the fragment reassembly performance. This feature applies only to fragments received by the same subordinate in the IRF fabric.

ipv6 redirects enable

Use ipv6 redirects enable to enable sending ICMPv6 redirect messages.

Use undo ipv6 redirects enable to disable sending ICMPv6 redirect messages.

Syntax

ipv6 redirects enable

undo ipv6 redirects enable

Default

Sending ICMPv6 redirect messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The default gateway sends an ICMPv6 redirect message to the source of an IPv6 packet to inform the source of a better first hop.

Sending ICMPv6 redirect messages enables hosts that hold few routes to establish routing tables and find the best route. Because this feature adds host routes into the routing tables, host performance degrades when there are too many host routes. As a result, sending ICMPv6 redirect messages is disabled by default.

Examples

# Enable sending ICMPv6 redirect messages.

<Sysname> system-view

[Sysname] ipv6 redirects enable

ipv6 temporary-address

Use ipv6 temporary-address to enable the temporary IPv6 address feature.

Use undo ipv6 temporary-address to disable temporary IPv6 address generation and remove the existing temporary addresses.

Syntax

ipv6 temporary-address [ valid-lifetime preferred-lifetime ]

undo ipv6 temporary-address

Default

The system does not generate any temporary IPv6 address.

Views

System view

Predefined user roles

network-admin

Parameters

valid-lifetime: Specifies the valid lifetime for temporary IPv6 addresses, in the range of 600 to 4294967295 seconds. The default valid lifetime is 604800 seconds (7 days). The valid lifetime must be greater than or equal to the preferred lifetime.

preferred-lifetime: Specifies the preferred lifetime for temporary IPv6 addresses, in the range of 600 to 4294967295 seconds. The default preferred lifetime is 86400 seconds (1 day).

Usage guidelines

You must enable stateless autoconfiguration before enabling the temporary address feature.

In stateless address autoconfiguration, an interface automatically generates an IPv6 global unicast address by using the address prefix in the received RA message and the interface ID. On an IEEE 802 interface (such as an Ethernet interface or a VLAN interface), the interface ID is generated based on the interface's MAC address and is globally unique. An attacker can exploit this rule to easily identify the sending device.

To fix the vulnerability, you can enable the temporary address feature. An IEEE 802 interface generates the following addresses:

·          Public IPv6 address—Includes an address prefix in the RA message and a fixed interface ID generated based on the interface's MAC address.

·          Temporary IPv6 address—Includes an address prefix in the RA message and a random interface ID generated through MD5.

When the valid lifetime of a temporary IPv6 address expires, the system removes the address and generates a new one. This enables the system to send packets with different source addresses through the same interface. The preferred lifetime and valid lifetime for a temporary IPv6 address are determined as follows:

·          The preferred lifetime of a temporary IPv6 address takes the smaller of the following values:

?  The preferred lifetime of the address prefix in the RA message.

?  The preferred lifetime configured for temporary IPv6 addresses minus DESYNC_FACTOR (a random number in the range of 0 to 600 seconds).

·          The valid lifetime of a temporary IPv6 address takes the smaller of the following values:

?  The valid lifetime of the address prefix.

?  The valid lifetime configured for temporary IPv6 addresses.

Examples

# Enable the system to generate a temporary IPv6 address.

<Sysname> system-view

[Sysname] ipv6 temporary-address

Related commands

·          ipv6 address auto

·          ipv6 nd ra prefix

·          ipv6 prefer temporary-address

ipv6 unreachables enable

Use ipv6 unreachables enable to enable sending ICMPv6 destination unreachable messages.

Use undo ipv6 unreachables to disable sending ICMPv6 destination unreachable messages.

Syntax

ipv6 unreachables enable

undo ipv6 unreachables enable

Default

Sending ICMPv6 destination unreachable messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

If the device fails to forward a received IPv6 packet because of a destination unreachable error, it performs the following operations:

·          Drops the packet.

·          Sends an ICMPv6 destination unreachable message to the source.

If the device is generating ICMPv6 destination unreachable messages incorrectly, disable sending ICMPv6 destination unreachable messages to prevent attack risks.

Examples

# Enable sending ICMPv6 destination unreachable messages.

<Sysname> system-view

[Sysname] ipv6 unreachables enable

local-proxy-nd enable

Use local-proxy-nd enable to enable local ND proxy.

Use undo local-proxy-nd enable to restore the default.

Syntax

local-proxy-nd enable

undo local-proxy-nd enable

Default

Local ND proxy is disabled.

Views

VLAN interface view

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Predefined user roles

network-admin

Examples

# Enable local ND proxy on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] local-proxy-nd enable

Related commands

proxy-nd enable

proxy-nd enable

Use proxy-nd enable to enable common ND proxy.

Use undo proxy-nd enable to restore the default.

Syntax

proxy-nd enable

undo proxy-nd enable

Default

Common ND proxy is disabled.

Views

VLAN interface view

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Predefined user roles

network-admin

Examples

# Enable common ND proxy on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] proxy-nd enable

Related commands

local-proxy-nd enable

reset ipv6 neighbors

Use reset ipv6 neighbors to clear IPv6 neighbor information.

Syntax

reset ipv6 neighbors { all | dynamic | interface interface-type interface-number | slot slot-number | static }

Views

User view

Predefined user roles

network-admin

Parameters

all: Clears static and dynamic neighbor information for all interfaces.

dynamic: Clears dynamic neighbor information for all interfaces.

interface interface-type interface-number: Clears dynamic neighbor information for the interface specified by its type and number.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears dynamic neighbor information for all member devices.

static: Clears static neighbor information for all interfaces.

Usage guidelines

You can use the display ipv6 neighbors command to display IPv6 neighbor information.

Examples

# Clear neighbor information for all interfaces.

<Sysname> reset ipv6 neighbors all

This will delete all the entries. Continue? [Y/N]:Y

# Clear dynamic neighbor information for all interfaces.

<Sysname> reset ipv6 neighbors dynamic

This will delete all the dynamic entries. Continue? [Y/N]:Y

# Clear all neighbor information for GigabitEthernet 1/0/1.

<Sysname> reset ipv6 neighbors interface gigabitethernet 1/0/1

This will delete all the dynamic entries by the interface you specified. Continue? [Y/N]:Y

Related commands

·          display ipv6 neighbors

·          ipv6 neighbor

reset ipv6 pathmtu

Use reset ipv6 pathmtu to clear the Path MTU information.

Syntax

reset ipv6 pathmtu { all | dynamic | static }

Views

User view

Predefined user roles

network-admin

Parameters

all: Clears all Path MTUs.

dynamic: Clears all dynamic Path MTUs.

static: Clears all static Path MTUs.

Examples

# Clear all Path MTUs.

<Sysname> reset ipv6 pathmtu all

Related commands

display ipv6 pathmtu

reset ipv6 statistics

Use reset ipv6 statistics to clear IPv6 and ICMPv6 packet statistics.

Syntax

reset ipv6 statistics [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears IPv6 and ICMPv6 packet statistics for all member devices.

Examples

# Clear IPv6 and ICMPv6 packet statistics.

<Sysname> reset ipv6 statistics

Related commands

display ipv6 statistics


DHCPv6 commands

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

Common DHCPv6 commands

display ipv6 dhcp duid

Use display ipv6 dhcp duid to display the DUID of the local device.

Syntax

display ipv6 dhcp duid

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

A DHCP unique identifier (DUID) uniquely identifies a DHCPv6 device (DHCPv6 client, server, or relay agent). A DHCPv6 device adds its DUID in a sent packet.

Examples

# Display the DUID of the local device.

<Sysname> display ipv6 dhcp duid

The DUID of this device: 0003000100e0fc005552.

ipv6 dhcp dscp

Use ipv6 dhcp dscp to set the DSCP value for the DHCPv6 packets sent by the DHCPv6 server or the DHCPv6 relay agent.

Use undo ipv6 dhcp dscp to restore the default.

Syntax

ipv6 dhcp dscp dscp-value

undo ipv6 dhcp dscp

Default

The DSCP value in DHCPv6 packets is 56.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Sets the DSCP value for DHCPv6 packets, in the range of 0 to 63.

Usage guidelines

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

Examples

# Set the DSCP value to 30 for DHCPv6 packets sent by the DHCPv6 server or the DHCPv6 relay agent.

<Sysname> system-view

[Sysname] ipv6 dhcp dscp 30

ipv6 dhcp log enable

Use ipv6 dhcp log enable to enable DHCPv6 logging.

Use undo ipv6 dhcp log enable to disable DHCPv6 logging.

Syntax

ipv6 dhcp log enable

undo ipv6 dhcp log enable

Default

DHCPv6 logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the DHCPv6 server to generate DHCPv6 logs and send them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

Disable this feature when the log generation affects the device performance or reduces the address and prefix allocation efficiency. For example, this situation might occur when a large number of clients frequently come online or go offline.

Examples

# Enable DHCPv6 logging.

<Sysname> system-view

[Sysname] ipv6 dhcp log enable

ipv6 dhcp select

Use ipv6 dhcp select to enable the DHCPv6 server or DHCPv6 relay agent on an interface.

Use undo ipv6 dhcp select to restore the default.

Syntax

ipv6 dhcp select { relay | server }

undo ipv6 dhcp select

Default

An interface discards DHCPv6 packets from DHCPv6 clients.

Views

Interface view

Predefined user roles

network-admin

Parameters

relay: Enables the DHCPv6 relay agent on the interface.

server: Enables the DHCPv6 server on the interface.

Usage guidelines

Before changing the DHCPv6 server mode to the DHCPv6 relay agent mode on an interface, use the following commands to remove IPv6 address/prefix bindings:

·          reset ipv6 dhcp server ip-in-use

·          reset ipv6 dhcp server pd-in-use

Do not configure the DHCPv6 client on the interface that has been configured as the DHCPv6 relay agent or DHCPv6 server.

Examples

# Enable the DHCPv6 server on VLAN-interface 10.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ipv6 dhcp select server

# Enable the DHCPv6 relay agent on VLAN-interface 20.

<Sysname> system-view

[Sysname] interface vlan-interface 20

[Sysname-Vlan-interface20] ipv6 dhcp select relay

Related commands

·          display ipv6 dhcp relay server-address

·          display ipv6 dhcp server

DHCPv6 server commands

address range

Use address range to specify a non-temporary IPv6 address range in a DHCPv6 address pool for dynamic allocation.

Use undo address range to remove the non-temporary IPv6 address range in the address pool.

Syntax

address range start-ipv6-address end-ipv6-address [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

undo address range

Default

No non-temporary IPv6 address range is configured.

Views

DHCPv6 address pool view

Predefined user roles

network-admin

Parameters

start-ipv6-address: Specifies the start IPv6 address.

end-ipv6-address: Specifies the end IPv6 address.

preferred-lifetime preferred-lifetime: Specifies the preferred lifetime for the non-temporary IPv6 addresses. The value range is 60 to 4294967295 seconds, and the default is 604800 seconds (7 days).

valid-lifetime valid-lifetime: Specifies the valid lifetime for the non-temporary IPv6 addresses. The value range is 60 to 4294967295 seconds, and the default is 2592000 seconds (30 days). The valid lifetime cannot be shorter than the preferred lifetime.

Usage guidelines

If you do not specify a non-temporary IPv6 address range, all unicast addresses on the subnet specified by the network command in address pool view are assignable. If you specify a non-temporary IPv6 address range, only the IPv6 addresses in the specified IPv6 address range are assignable.

You can specify only one non-temporary IPv6 address range in an address pool. If you use the address range command multiple times, the most recent configuration takes effect.

The non-temporary IPv6 address range specified by the address range command must be on the subnet specified by the network command.

Examples

# Configure a non-temporary IPv6 address range from 3ffe:501:ffff:100::10 through 3ffe:501:ffff:100::31 in address pool 1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] network 3ffe:501:ffff:100::/64

[Sysname-dhcp6-pool-1] address range 3ffe:501:ffff:100::10 3ffe:501:ffff:100::31

Related commands

·          display ipv6 dhcp pool

·          network

·          temporary address range

class pool

Use class pool to specify a DHCPv6 address pool for a DHCPv6 user class.

Use undo class pool to restore the default.

Syntax

class class-name pool pool-name

undo class class-name pool

Default

No DHCPv6 address pool is specified for a DHCPv6 user class.

Views

DHCPv6 policy view

Predefined user roles

network-admin

Parameters

class-name: Specifies a DHCPv6 user class by its name, a case-insensitive string of 1 to 63 characters.

pool-name: Specifies a DHCPv6 address pool by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can specify only one DHCPv6 address pool for a DHCPv6 user class in a DHCPv6 policy. If you use this command multiple times for a user class, the most recent configuration takes effect.

Examples

# Specify DHCPv6 address pool pool1 for DHCPv6 user class test in DHCPv6 policy 1.

<Sysname> system-view

[Sysname] ipv6 dhcp policy 1

[Sysname-dhcp6-policy-1] class test pool pool1

Related commands

·          default pool

·          ipv6 dhcp policy

·          ipv6 dhcp pool

default pool

Use default pool to specify the default DHCPv6 address pool.

Use undo default pool to restore the default.

Syntax

default pool pool-name

undo default pool

Default

No default DHCPv6 address pool is specified.

Views

DHCPv6 policy view

Predefined user roles

network-admin

Parameters

pool-name: Specifies a DHCPv6 address pool by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

In a DHCPv6 policy, the DHCPv6 server uses the default address pool to assign IPv6 address, IPv6 prefix, or other parameters to clients that do not match any user class.

You can specify only one default address pool in a DHCPv6 policy.

If you use this command multiple times, the most recent configuration takes effect.

Examples

# Specify DHCPv6 address pool pool1 as the default DHCPv6 address pool in DHCPv6 policy 1.

<Sysname> system-view

[Sysname] ipv6 dhcp policy 1

[Sysname-dhcp6-policy-1] default pool pool1

Related commands

·          class pool

·          ipv6 dhcp policy

display ipv6 dhcp option-group

Use display ipv6 dhcp option-group to display information about a DHCPv6 option group.

Syntax

display ipv6 dhcp option-group [ option-group-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

option-group-number: Specifies a static or dynamic DHCPv6 option group by its ID. The value range for the option group ID is 1 to 100. If you do not specify an option group, this command displays information about all DHCPv6 option groups.

Usage guidelines

A static DHCPv6 option group is created by using the ipv6 dhcp option-group command.

A dynamic DHCPv6 option group is created automatically by a DHCPv6 client after it obtains the DHCPv6 configuration parameters. Dynamic option groups cannot be manually modified or removed.

Examples

# Display information about all DHCPv6 option groups.

<Sysname> display ipv6 dhcp option-group

DHCPv6 option group: 1

  DNS server addresses:

    Type: Static

    Interface: N/A

    1::1

  DNS server addresses:

    Type: Dynamic (DHCPv6 address allocation)

    Interface: GigabitEthernet1/0/1

    1::1

  Domain name:

    Type: Static

    Interface: N/A

    aaa.com

  Domain name:

    Type: Dynamic (DHCPv6 address allocation)

    Interface: GigabitEthernet1/0/1

    aaa.com

  Options:

    Code: 23

      Type: Dynamic (DHCPv6 prefix allocation)

      Interface: GigabitEthernet1/0/1

      Length: 2 bytes

      Hex: ABCD

DHCPv6 option group: 20

  DNS server addresses:

    Type: Static

    Interface: N/A

    1::1

  DNS server addresses:

    Type: Dynamic (DHCPv6 address allocation)

    Interface: GigabitEthernet1/0/1

    1::1

  Domain name:

    Type: Static

    Interface: N/A

    aaa.com

  Domain name:

    Type: Dynamic (DHCPv6 address allocation)

    Interface: GigabitEthernet1/0/1

    aaa.com

  Options:

    Code: 23

      Type: Dynamic (DHCPv6 prefix allocation)

      Interface: GigabitEthernet1/0/1

      Length: 2 bytes

      Hex: ABCD

Table 71 Command output

Field

Description

DHCPv6 option group

ID of the DHCPv6 option group.

Type

Types of the DHCPv6 option:

·         StaticParameter in a static DHCPv6 option group.

·         Dynamic (DHCPv6 address allocation)—Parameter in a dynamic DHCPv6 option group created during IPv6 address acquisition.

·         Dynamic (DHCPv6 prefix allocation)—Parameters in a dynamic DHCPv6 option group created during IPv6 prefix acquisition.

·         Dynamic (DHCPv6 address and prefix allocation)—Parameters in a dynamic DHCPv6 option group created during IPv6 address and prefix acquisition.

Interface

Interface name.

DNS server addresses

IPv6 address of the DNS server.

Domain name

Domain name suffix.

SIP server addresses

IPv6 address of the SIP server.

SIP server domain names

Domain name of the SIP server.

Options

Self-defined options.

Code

Code of the self-defined option.

Length

Self-defined option length in bytes.

Hex

Self-defined option content represented by a hexadecimal string.

 

Related commands

ipv6 dhcp option-group

display ipv6 dhcp pool

Use display ipv6 dhcp pool to display information about a DHCPv6 address pool.

Syntax

display ipv6 dhcp pool [ pool-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pool-name: Displays information about the specified DHCPv6 address pool. The pool name is a case-insensitive string of 1 to 63 characters. If you do not specify a DHCPv6 address pool, this command displays information about all DHCPv6 address pools.

Examples

# Display information about DHCPv6 address pool 1.

<Sysname> display ipv6 dhcp pool 1

DHCPv6 pool: 1

  Network: 3FFE:501:FFFF:100::/64

    Preferred lifetime 604800, valid lifetime 2592000

  Prefix pool: 1

    Preferred lifetime 24000, valid lifetime 36000

  Addresses:

    Range: from 3FFE:501:FFFF:100::1

           to 3FFE:501:FFFF:100::99

    Preferred lifetime 70480, valid lifetime 200000

    Total address number: 153

    Available: 153

    In-use: 0

  Temporary addresses:

    Range: from 3FFE:501:FFFF:100::200

           to 3FFE:501:FFFF:100::210

    Preferred lifetime 60480, valid lifetime 259200

    Total address number: 17

    Available: 17

    In-use: 0

  Static bindings:

    DUID: 0003000100e0fc000001

    IAID: 0000003f

    Prefix: 3FFE:501:FFFF:200::/64

      Preferred lifetime 604800, valid lifetime 2592000

    DUID: 0003000100e0fc00cff1

    IAID: 00000001

    Address: 3FFE:501:FFFF:2001::1/64

      Preferred lifetime 604800, valid lifetime 2592000

  DNS server addresses:

    2::2

  Domain name:

    aaa.com

  SIP server addresses:

    5::1

  SIP server domain names:

    bbb.com     

# Display information about DHCPv6 address pool 1.

<Sysname> display ipv6 dhcp pool 1

DHCPv6 pool: 1

  Network: Not-available

    Preferred lifetime 604800, valid lifetime 2592000

# Display information about DHCPv6 address pool 1.

<Sysname> display ipv6 dhcp pool 1

DHCPv6 pool: 1

  Network: 1::/64(Zombie)

    Preferred lifetime 604800, valid lifetime 2592000

Table 72 Command output

Field

Description

DHCPv6 pool

Name of the DHCPv6 address pool.

Network

IPv6 subnet for dynamic IPv6 address allocation.

If the subnet prefix is ineffective, this field displays Not-available. If the subnet prefix becomes ineffective after a configuration recovery (for example, a switchover from the backup to the master), the prefix is marked (Zombie).

Prefix pool

Prefix pool referenced by the address pool.

Preferred lifetime

Preferred lifetime in seconds.

valid lifetime

Valid lifetime in seconds.

Addresses

Non-temporary IPv6 address range.

Range

IPv6 address range for dynamic allocation.

Total address number

Total number of IPv6 addresses.

Available

Total number of available IPv6 addresses.

In-use

Total number of assigned IPv6 addresses.

Temporary addresses

Temporary IPv6 address range for dynamic allocation.

Static bindings

Static bindings configured in the address pool.

DUID

Client DUID.

IAID

Client IAID. If no IAID is configured, this field displays Not configured.

Prefix

IPv6 address prefix.

Address

Static IPv6 address.

DNS server addresses

DNS server address.

Domain name

Domain name.

SIP server addresses

SIP server address.

SIP server domain names

Domain name of the SIP server.

 

display ipv6 dhcp prefix-pool

Use display ipv6 dhcp prefix-pool to display information about a prefix pool.

Syntax

display ipv6 dhcp prefix-pool [ prefix-pool-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

prefix-pool-number: Displays detailed information about a prefix pool specified by its number in the range of 1 to 128. If you do not specify a prefix pool, this command displays brief information about all prefix pools.

Examples

# Display brief information about all prefix pools.

<Sysname> display ipv6 dhcp prefix-pool

Prefix-pool Prefix                                      Available In-use Static

1           5::/64                                      64        0      0

# Display brief information about all prefix pools.

<Sysname> display ipv6 dhcp  prefix-pool

Prefix-pool Prefix                                      Available In-use Static

2           Not-available                               0         0      0

# Display brief information about all prefix pools.

<Sysname> display ipv6 dhcp  prefix-pool

Prefix-pool Prefix                                      Available In-use Static

11          21::/112(Zombie)                            0         64     0

# Display detailed information about prefix pool 1.

<Sysname> display ipv6 dhcp prefix-pool 1

Prefix: 5::/64

Assigned length: 70

Total prefix number: 64

Available: 64

In-use: 0

Static: 0

# Display detailed information about prefix pool 1.

<Sysname> display ipv6 dhcp prefix-pool 1

Prefix: Not-available

Assigned length: 70

Total prefix number: 0

Available: 0

In-use: 0

Static: 0

# Display detailed information about prefix pool 1.

<Sysname> display ipv6 dhcp prefix-pool 1

Prefix: 5::/64(Zombie)

Assigned length: 70

Total prefix number: 10

Available: 0

In-use: 10

Static: 0

Table 73 Command output

Field

Description

Prefix-pool

Prefix pool number.

Prefix

Prefix specified in the prefix pool.

If the prefix is ineffective, this field displays Not-available. If the prefix becomes ineffective after a configuration recovery (for example, a switchover from the backup to the master), the prefix is marked (Zombie).

Available

Number of available prefixes.

In-use

Number of assigned prefixes.

Static

Number of statically bound prefixes.

Assigned length

Length of assigned prefixes.

Total prefix number

Number of prefixes.

 

display ipv6 dhcp server

Use display ipv6 dhcp server to display DHCPv6 server configuration information.

Syntax

display ipv6 dhcp server [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Displays DHCPv6 server configuration information for the specified interface. If you do not specify an interface, this command displays DHCPv6 server configuration information for all interfaces.

Examples

# Display DHCPv6 server configuration information for all interfaces.

<Sysname> display ipv6 dhcp server

Interface             Pool

Vlan-interface2       1

Vlan-interface3       global

# Display DHCPv6 server configuration information for the interface VLAN-interface 2.

<Sysname> display ipv6 dhcp server interface vlan-interface 2

Using pool: 1

Preference value: 0

Allow-hint: Enabled

Rapid-commit: Disabled

Table 74 Command output

Field

Description

Interface

Interface enabled with DHCPv6 server.

Pool

Address pool applied to the interface.

If no address pool is applied to the interface, global is displayed. The DHCPv6 server selects a global address pool to assign a prefix, an address, and other configuration parameters to a client.

Using pool

Address pool applied to the interface.

If no address pool is applied to the interface, global is displayed. The DHCPv6 server selects a global address pool to assign a prefix, an address, and other configuration parameters to a client.

Preference value

Server preference in the DHCPv6 Advertise message. The value range is 0 to 255. The bigger the value is, the higher preference the server has.

Allow-hint

Indicates whether desired address/prefix assignment is enabled.

Rapid-commit

Indicates whether rapid address/prefix assignment is enabled.

 

display ipv6 dhcp server conflict

Use display ipv6 dhcp server conflict to display information about IPv6 address conflicts.

Syntax

display ipv6 dhcp server conflict [ address ipv6-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

address ipv6-address: Displays conflict information for the specified IPv6 address. If you do not specify an IPv6 address, this command displays information about all IPv6 address conflicts.

Usage guidelines

The DHCPv6 server creates IP address conflict information in the following conditions:

·          The DHCPv6 client sends a DECLINE packet to the DHCPv6 server to inform the server of an IPv6 address conflict.

·          The DHCPv6 server discovers that the only assignable address in the address pool is its own IPv6 address.

Examples

# Display information about all address conflicts.

<Sysname> display ipv6 dhcp server conflict

IPv6 address                                 Detect time

2001::1                                      Apr 25 16:57:20 2007

1::1:2                                       Apr 25 17:00:10 2007

Table 75 Command output

Field

Description

IPv6 address

Conflicted IPv6 address.

Detect time

Time when the conflict was discovered.

 

Related commands

reset ipv6 dhcp server conflict

display ipv6 dhcp server database

Use display ipv6 dhcp server database to display information about DHCPv6 binding auto backup.

Syntax

display ipv6 dhcp server database

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about DHCPv6 binding auto backup.

<Sysname> display ipv6 dhcp server database

 File name               :   database.dhcp

 Username                :  

 Password                :  

 Update interval         :   600 seconds

 Latest write time       :   Feb  8 16:02:23 2014

 Status                  :   Last write succeeded.

Table 76 Command output

Field

Description

 

File name

Name of the DHCPv6 binding backup file.

Username

Username for logging in to the remote device.

Password

Password for logging in to the remote device. This field displays ****** if a password is configured.

Update interval

Waiting time in seconds after a DHCPv6 binding change for the DHCPv6 server to update the backup file.

Latest write time

Time of the latest update.

Status

Status of the update:

·         Writing—The backup file is being updated.

·         Last write succeeded—The backup file was successfully updated.

·         Last write failed—The backup file failed to be updated.

 

display ipv6 dhcp server expired

Use display ipv6 dhcp server expired to display lease expiration information.

Syntax

display ipv6 dhcp server expired [ address ipv6-address | pool pool-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

address ipv6-address: Displays lease expiration information for the specified IPv6 address.

pool pool-name: Displays lease expiration information for the address pool specified by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you do not specify any parameters, this command displays lease expiration information for all IPv6 address pools.

DHCPv6 assigns the expired IPv6 addresses to DHCPv6 clients when all available addresses have been assigned.

Examples

# Display all lease expiration information.

<Sysname> display ipv6 dhcp server expired

IPv6 address           DUID                            Lease expiration

2001:3eff:fe80:4caa:   3030-3066-2e65-3230-302e-       Apr 25 17:10:47 2007

37ee:7::1              3130-3234-2d45-7468-6572-

                       6e65-7430-2f31

Table 77 Command output

Field

Description

IPv6 address

Expired IPv6 address.

DUID

Client DUID bound to the expired IPv6 address.

Lease expiration

Time when the lease expired.

 

Related commands

reset ipv6 dhcp server expired

display ipv6 dhcp server ip-in-use

Use display ipv6 dhcp server ip-in-use to display binding information for assigned IPv6 addresses.

Syntax

display ipv6 dhcp server ip-in-use [ address ipv6-address | pool pool-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

address ipv6-address: Displays binding information for the specified IPv6 address.

pool pool-name: Displays binding information for the IPv6 address pool specified by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you do not specify any parameters, this command displays binding information for all assigned IPv6 addresses.

Examples

# Display binding information for all assigned IPv6 address.

<Sysname> display ipv6 dhcp server ip-in-use

Pool: 1

 IPv6 address                                Type     Lease expiration

 2:1::1                                      Auto(O)  Jul 10 19:45:01 2008

Pool: 2

 IPv6 address                                Type      Lease expiration

 1:1::2                                      Static(F) Not available

Pool: 3

 IPv6 address                                Type      Lease expiration

 1:2::1F1                                    Static(O) Oct  9 09:23:31 2008

Pool: 4

 IPv6 address                                Type      Lease expiration

 1:2::2                                      Auto(Z)   Oct  11 09:23:31 2008

# Display binding information for all assigned IPv6 addresses for the specified DHCPv6 address pool.

<Sysname> display ipv6 dhcp server ip-in-use pool 1

Pool: 1

 IPv6 address                                Type      Lease expiration

 2:1::1                                      Auto(O)   Jul 10 22:22:22 2008

 3:1::2                                      Static(C) Jan  1 11:11:11 2008

# Display binding information for the specified IPv6 address.

<Sysname> display ipv6 dhcp server ip-in-use address 2:1::3

Pool: 1

Client: FE80::C800:CFF0:FE18:0

Type: Auto(O)

DUID: 00030001CA000C180000

IAID: 0x00030001

  IPv6 address: 2:1::3

  Preferred lifetime 400, valid lifetime 500

  Expires at Jul 10 09:45:01 2008 (288 seconds left)

Table 78 Command output

Field

Description

Pool

DHCPv6 address pool.

IPv6 address

IPv6 address assigned.

Type

IPv6 address binding types:

·         Static(F)Free static binding whose IPv6 address has not been assigned.

·         Static(O)Offered static binding whose IPv6 address has been selected and sent by the DHCPv6 server in a DHCPv6-OFFER packet to the client.

·         Static(C)—Committed static binding whose IPv6 address has been assigned to the client.

·         Auto(O)—Offered dynamic binding whose IPv6 address has been dynamically selected by the DHCPv6 server and sent in a DHCPv6-OFFER packet to the DHCPv6 client.

·         Auto(C)—Committed dynamic binding whose IPv6 address has been dynamically assigned to the DHCPv6 client.

·         Auto(Z)Zombie dynamic binding whose IPv6 address has been dynamically assigned to the DHCPv6 client. The binding becomes zombie because the subnet prefix goes invalid for address allocation after a configuration recovery, for example, after a switchover from the backup to the master.

Lease-expiration

Time when the lease of the IPv6 address will expire. If the lease expires after the year 2100, this field displays Expires after 2100. For an unassigned static binding, this field displays Not available.

Client

IPv6 address of the DHCPv6 client. For an unassigned static binding, this field is blank.

DUID

Client DUID.

IAID

Client IAID. For an unassigned static binding without IAID specified, this field displays N/A.

Preferred lifetime

Preferred lifetime in seconds of the IPv6 address.

valid lifetime

Valid lifetime in seconds of the IPv6 address.

Expires at

Time when the lease of an IPv6 address will expire. If the lease expires after the year 2100, this field displays Expires after 2100.

 

Related commands

reset ipv6 dhcp server ip-in-use

display ipv6 dhcp server pd-in-use

Use display ipv6 dhcp server pd-in-use to display binding information for the assigned IPv6 prefixes.

Syntax

display ipv6 dhcp server pd-in-use [ pool pool-name | prefix prefix/prefix-len ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pool pool-name: Displays IPv6 prefix binding information for the DHCPv6 address pool specified by its name, a case-insensitive string of 1 to 63 characters.

prefix prefix/prefix-len: Displays binding information for the specified IPv6 prefix. The value range for the prefix length is 1 to 128.

Usage guidelines

If you do not specify any parameters, this command displays all IPv6 prefix binding information.

Examples

# Display all IPv6 prefix binding information.

<Sysname> display ipv6 dhcp server pd-in-use

Pool: 1

 IPv6 prefix                                 Type      Lease expiration

 2:1::/24                                    Auto(O)   Jul 10 19:45:01 2008

Pool: 2

 IPv6 prefix                                 Type      Lease expiration

 1:1::/64                                    Static(F) Not available

Pool: 3

 IPv6 prefix                                 Type      Lease expiration

 1:2::/64                                    Static(O) Oct  9 09:23:31 2008

Pool: 4

 IPv6 prefix                                 Type      Lease expiration

 12::/80                                     Auto(Z)   Oct 17 09:34:59 2008

# Display IPv6 prefix binding information for DHCPv6 address pool 1.

<Sysname> display ipv6 dhcp server pd-in-use pool 1

Pool: 1

 IPv6 prefix                                 Type      Lease expiration

 2:1::/24                                    Auto(O)   Jul 10 22:22:22 2008

 3:1::/64                                    Static(C) Jan  1 11:11:11 2008

# Display binding information for the IPv6 prefix 2:1::3/24.

<Sysname> display ipv6 dhcp server pd-in-use prefix 2:1::3/24

Pool: 1

Client: FE80::C800:CFF:FE18:0

Type: Auto(O)

DUID: 00030001CA000C180000

IAID: 0x00030001

  IPv6 prefix: 2:1::/24

  Preferred lifetime 400, valid lifetime 500

  Expires at Jul 10 09:45:01 2008 (288 seconds left)

Table 79 Command output

Field

Description

IPv6 prefix

IPv6 prefix assigned.

Type

Prefix binding types:

·         Static(F)—Free static binding whose IPv6 prefix has not been assigned.

·         Static(O)—Offered static binding whose IPv6 prefix has been selected and sent by the DHCPv6 server in a DHCPv6-OFFER packet to the client.

·         Static(C)—Committed static binding whose IPv6 prefix has been assigned to the client.

·         Auto(O)—Offered dynamic binding whose IPv6 prefix has been dynamically selected by the DHCPv6 server and sent in a DHCPv6-OFFER packet to the DHCPv6 client.

·         Auto(C)—Committed dynamic binding whose IPv6 prefix has been dynamically assigned to the DHCPv6 client.

·         Auto(Z)Zombie dynamic binding whose IPv6 prefix has been dynamically assigned to the DHCPv6 client. The binding becomes zombie because the prefix in the prefix pool goes invalid after a configuration recovery, for example, after a switchover from the backup to the master.

Pool

Address pool.

Lease-expiration

Time when the lease of the IPv6 prefix will expire. If the lease will expire after the year 2100, this field displays Expires after 2100. For an unassigned static binding, this field displays Not available.

Client

IPv6 address of the DHCPv6 client. For an unassigned static binding, this field is blank.

DUID

Client DUID.

IAID

Client IAID. For an unassigned static binding without IAID, this field displays N/A.

Preferred lifetime

Preferred lifetime in seconds of the IPv6 prefix.

valid lifetime

Valid lifetime in seconds of the IPv6 prefix.

Expires at

Time when the lease of the prefix will expire. If the lease expires after the year 2100, this field displays Expires after 2100.

 

Related commands

reset ipv6 dhcp server pd-in-use

display ipv6 dhcp server statistics

Use display ipv6 dhcp server statistics to display DHCPv6 packet statistics on the DHCPv6 server.

Syntax

display ipv6 dhcp server statistics [ pool pool-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pool pool-name: Displays DHCPv6 packet statistics for the DHCPv6 address pool specified by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an address pool, this command displays DHCPv6 packet statistics for all address pools.

Examples

# Display all DHCPv6 packet statistics on the DHCPv6 server.

<Sysname> display ipv6 dhcp server statistics

Bindings:

    Ip-in-use                 :  1

    Pd-in-use                 :  0

    Expired                   :  0

Conflict                      :  0

Packets received              :  1

    Solicit                   :  1

    Request                   :  0

    Confirm                   :  0

    Renew                     :  0

    Rebind                    :  0

    Release                   :  0

    Decline                   :  0

    Information-request       :  0

    Relay-forward             :  0

Packets dropped               :  0

Packets sent                  :  0

    Advertise                 :  0

    Reconfigure               :  0

    Reply                     :  0

    Relay-reply               :  0

Table 80 Command output

Field

Description

Bindings

Number of bindings:

·         Ip-in-use—Total number of address bindings.

·         Pd-in-use—Total number of prefix bindings.

·         Expired—Total number of expired address bindings.

Conflict

Total number of conflicted addresses. If statistics about an address pool are displayed, this field is not displayed.

Packets received

Number of messages received by the DHCPv6 server. The message types include:

·         Solicit.

·         Request.

·         Confirm.

·         Renew.

·         Rebind.

·         Release.

·         Decline.

·         Information-request.

·         Relay-forward.

If statistics about an address pool are displayed, this field is not displayed.

Packets dropped

Number of packets discarded. If statistics about an address pool are displayed, this field is not displayed.

Packets sent

Number of messages sent by the DHCPv6 server. The message types include:

·         Advertise.

·         Reconfigure.

·         Reply.

·         Relay-reply.

If statistics about an address pool are displayed, this field is not displayed.

 

Related commands

reset ipv6 dhcp server statistics

dns-server

Use dns-server to specify a DNS server in a DHCPv6 address pool.

Use undo dns-server to remove the specified DNS server from a DHCPv6 address pool.

Syntax

dns-server ipv6-address

undo dns-server ipv6-address

Default

No DNS server address is specified.

Views

DHCPv6 address pool view

DHCPv6 option group view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of a DNS server.

Usage guidelines

You can use the dns-server command to specify up to eight DNS servers in an address pool. A DNS server specified earlier has a higher preference.

Examples

# Specify the DNS server address 2:2::3 in DHCPv6 address pool 1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] dns-server 2:2::3

Related commands

display ipv6 dhcp pool

domain-name

Use domain-name to specify a domain name suffix in a DHCPv6 address pool.

Use undo domain-name to remove the domain name suffix.

Syntax

domain-name domain-name

undo domain-name

Default

No domain name suffix is specified.

Views

DHCPv6 address pool view

DHCPv6 option group view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a domain name suffix, a case-sensitive string of 1 to 50 characters.

Usage guidelines

You can configure only one domain name suffix in an address pool.

If you use the domain-name command multiple times, the most recent configuration takes effect.

Examples

# Specify the domain name aaa.com in DHCPv6 address pool 1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] domain-name aaa.com

Related commands

display ipv6 dhcp pool

if-match

Use if-match to configure a match rule for a DHCPv6 user class.

Use undo if-match to delete a match rule for a DHCP user class.

Syntax

if-match rule rule-number { option option-code [ ascii ascii-string [ offset offset | partial ] | hex hex-string [ mask mask | offset offset length length | partial ] ] | relay-agent gateway-ipv6-address }

undo if-match rule rule-number

Default

No match rule is configured for the DHCPv6 user class.

Views

DHCPv6 user class view

Predefined user roles

network-admin

Parameters

rule rule-number: Assigns the match rule an ID in the range of 1 to 16. A smaller ID represents a higher match priority.

option option-code: Specifies a DHCPv6 option by its number in the range of 1 to 65535.

ascii ascii-string: Specifies an ASCII string of 1 to 128 characters.

offset offset: Specifies the offset in bytes after which the match operation starts. The value range is 0 to 65534. If you specify an ASCII string, a packet matches the rule if the option content after the offset is the same as the ASCII string. If you specify a hexadecimal string, a packet matches the rule if the option content of the specified length after the offset is the same as the hexadecimal string.

partial: Enables partial match. A packet matches the rule if the specified option in the packet contains the ASCII or hexadecimal string specified in the rule. For example, if the specified string is abc, option content xabc, xyzabca, xabcyz, and abcxyz all match the rule.

hex hex-string: Specifies a hexadecimal string. The length of the hexadecimal string must be an even number in the range of 2 to 256.

mask mask: Specifies the mask for the match operation. The mask is a hexadecimal string whose length is an even number in the range of 2 to 256 and must be the same as the hex-string length. The DHCP server selects a string of the mask length from the start of the option, and ANDs the selected string and the specified hexadecimal string with the mask. The packet matches the rule if the two AND operation results are the same.

length length: Specifies the length of the option content to be matched, in the range of 1 to 128 bytes. The length must be the same as the hex-string length.

relay-agent gateway-ipv6-address: Specifies a link-address field value. The value is an IPv6 address. A packet matches the rule if its link-address field value is the same as that in the rule.

Usage guidelines

You can configure multiple match rules for a DHCPv6 user class. Each match rule is uniquely identified by a rule ID within its type (option or relay agent address). The DHCPv6 server compares the option content or relay agent address in the DHCPv6 requests against the match rules. If a match is found, the DHCPv6 client matches the DHCPv6 user class.

H3C recommends you not configure rules of different types to use the same ID. Any two rules cannot have the same content.

·          If the rule that you are configuring has the same ID and type as an existing rule, the new rule overwrites the existing rule.

·          If the rule that you are configuring has the same ID as an existing rule but a different type, the new rule takes effect and coexists with the existing rule.

When you configure an if-match option rule, follow these guidelines:

·          To match packets that contain an option, specify only the option code.

·          To match a hexadecimal string by AND operations, specify the option option-code hex hex-string mask mask options.

·          To match a hexadecimal string directly, specify the option option-code hex hex-string [ offset offset length length | partial ] options.

If you do not specify the optional parameters, a packet matches a rule if the option content starts with the hexadecimal string.

·          To match an ASCII string, specify the option option-code ascii ascii-string [ offset offset | partial ] options.

If you do not specify the optional parameters, a packet matches a rule if the option content starts with the ASCII string.

Examples

# Configure match rule 1 for the DHCPv6 user class exam to match DHCPv6 requests that contain Option 16.

<Sysname> system-view

[Sysname] ipv6 dhcp class exam

[Sysname-dhcp6-class-exam] if-match rule 1 option 16

# Configure match rule 2 for the DHCPv6 user class exam to match DHCPv6 requests in which the highest bit of the fourth byte in Option 16 is 1.

<Sysname> system-view

[Sysname] ipv6 dhcp class exam

[Sysname-dhcp6-class-exam] if-match rule 2 option 16 hex 00000080 mask 00000080

# Configure match rule 3 for the DHCPv6 user class exam to match DHCPv6 requests in which the first three bytes of Option 16 are 0x13ae92.

<Sysname> system-view

[Sysname] ipv6 dhcp class exam

[Sysname-dhcp6-class-exam] if-match rule 3 option 16 hex 13ae92 offset 0 length 3

# Configure match rule 4 for the DHCPv6 user class exam to match DHCPv6 requests in which the Option 16 contains the hexadecimal string 0x13ae.

<Sysname> system-view

[Sysname] ipv6 dhcp class exam

[Sysname-dhcp6-class-exam] if-match rule 5 option 16 hex 13ae partial

# Configure match rule 5 for the DHCPv6 user class exam to match DHCPv6 requests in which the link-address field is 2001::1.

<Sysname> system-view

[Sysname] ipv6 dhcp class exam

[Sysname-dhcp6-class-exam] if-match rule 5 relay-agent 2001::1

Related commands

ipv6 dhcp class

ipv6 dhcp apply-policy

Use ipv6 dhcp apply-policy to apply a DHCPv6 policy to an interface.

Use undo ipv6 dhcp apply-policy to restore the default.

Syntax

ipv6 dhcp apply-policy policy-name

undo ipv6 dhcp apply-policy

Default

No DHCPv6 policy is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a DHCPv6 policy by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can apply only one DHCPv6 policy to an interface. If you use this command multiple times, the most recent configuration takes effect.

Examples

# Apply DHCPv6 policy test to VLAN-interface 1.

<Sysname> system-view

[Sysname] interface vlan-interface 1

[Sysname-Vlan-interface1] ipv6 dhcp apply-policy test

Related commands

ipv6 dhcp class

ipv6 dhcp class

Use ipv6 dhcp class to create a DHCPv6 user class and enter the DHCPv6 user class view.

Use undo ipv6 dhcp class to delete the specified DHCPv6 user class.

Syntax

ipv6 dhcp class class-name

undo ipv6 dhcp class class-name

Default

No DHCPv6 user class exists.

Views

System view

Predefined user roles

network-admin

Parameters

class-name: Specifies a name for the DHCPv6 user class, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can also use this command to enter the view of an existing DHCPv6 user class.

In the DHCPv6 user class view, you can use the if-match command to configure match rules for user classification.

Examples

# Create a DHCPv6 user class test and enter DHCPv6 user class view.

<Sysname> system-view

[Sysname] ipv6 dhcp class test

[Sysname-dhcp6-class-test]

Related commands

·          class pool

·          ipv6 dhcp policy

·          if-match

ipv6 dhcp option-group

Use ipv6 dhcp option-group to create a static DHCPv6 option group and enter its view.

Use undo ipv6 dhcp option-group to delete the specified static DHCPv6 option group.

Syntax

ipv6 dhcp option-group option-group-number

undo ipv6 dhcp option-group option-group-number

Default

No static DHCPv6 option group exists on the device.

Views

System view

Predefined user roles

network-admin

Parameters

option-group-number: Assigns an ID to the static option group, in the range of 1 to 100.

Usage guidelines

A static DHCPv6 option group can use the same ID as a dynamic DHCPv6 option group. If a static DHCPv6 option group and a dynamic DHCPv6 option group use the same ID, the static one takes precedence over the dynamic one.

Examples

# Create static DHCPv6 option group 1 and enter its view.

<Sysname> system-view

[Sysname] ipv6 dhcp option-group 1

[Sysname-dhcp6-option-group1]

Related commands

display ipv6 dhcp option-group

ipv6 dhcp policy

Use ipv6 dhcp policy to create a DHCPv6 policy and enter DHCPv6 policy view.

Use undo ipv6 dhcp policy to delete a DHCPv6 policy.

Syntax

ipv6 dhcp policy policy-name

undo ipv6 dhcp policy policy-name

Default

No DHCPv6 policy exists.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Assigns a name to the DHCPv6 policy. The policy name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can also use this command to enter the view of an existing DHCPv6 policy.

In DHCPv6 policy view, you can specify address pools for different user classes. Clients matching a user class will obtain IPv6 addresses and other parameters from the specified address pool.

For a DHCPv6 policy to take effect, you must apply it to an interface.

Examples

# Create DHCPv6 policy test and enter its view.

<Sysname> system-view

[Sysname] ipv6 dhcp policy test

[Sysname-dhcp6-policy-test]

Related commands

·          class pool

·          default pool

·          ipv6 dhcp apply-policy

·          ipv6 dhcp class

ipv6 dhcp pool

Use ipv6 dhcp pool to create a DHCPv6 address pool and enter its view.

Use undo ipv6 dhcp pool to remove the specified DHCPv6 address pool.

Syntax

ipv6 dhcp pool pool-name

undo ipv6 dhcp pool pool-name

Default

No DHCPv6 address pool is configured.

Views

System view

Predefined user roles

network-admin

Parameters

pool-name: Specifies a name for the DHCPv6 address pool, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can also use this command to enter the view of an existing DHCPv6 address pool.

A DHCPv6 address pool stores IPv6 address/prefix and other configuration parameters to be assigned to DHCPv6 clients.

When you remove a DHCPv6 address pool, binding information for the assigned IPv6 addresses and prefixes in the address pool is also removed.

Examples

# Create a DHCPv6 address pool named pool1 and enter its view.

<Sysname> system-view

[Sysname] ipv6 dhcp pool pool1

[Sysname-dhcp6-pool-pool1]

Related commands

·          class pool

·          display ipv6 dhcp pool

·          ipv6 dhcp server apply pool

ipv6 dhcp prefix-pool

Use ipv6 dhcp prefix-pool to create a prefix pool and specify the prefix and the assigned prefix length for the pool.

Use undo ipv6 dhcp prefix-pool to remove the specified prefix pool.

Syntax

ipv6 dhcp prefix-pool prefix-pool-number prefix { prefix-number | prefix/prefix-len } assign-len assign-len

undo ipv6 dhcp prefix-pool prefix-pool-number

Default

No prefix pool is configured.

Views

System view

Predefined user roles

network-admin

Parameters

prefix-pool-number: Specifies a prefix pool number in the range of 1 to 128.

prefix { prefix-number | prefix/prefix-len }: Specifies a prefix by its ID or in the format of prefix/prefix length. The value range for the prefix-number argument is 1 to 1024. The value range for the prefix-len argument is 1 to 128.

assign-len assign-len: Specifies the assigned prefix length. The value range is 1 to 128, and the value must be greater than or equal to prefix-len. The difference between assign-len and prefix-len must be no more than 16.

Usage guidelines

Different prefix pools cannot overlap.

You cannot modify an existing prefix pool. To change the prefix pool settings, you must delete the prefix pool first.

Removing a prefix pool clears all prefix bindings from the prefix pool.

When you specify a prefix by its ID, follow these restrictions and guidelines:

·          This command does not take effect if the prefix does not exist. This command takes effect after the prefix is created.

·          If the prefix that the ID represents is changed, the prefix range in the prefix pool accordingly changes.

Examples

# Create IPv6 prefix 88:99::/32 with the ID 3. Configure prefix pool 2 with IPv6 prefix 3 and assigned prefix length 42. Prefix pool 2 contains 1024 prefixes from 88:99::/42 to 88:99:FFC0::/42.

<Sysname> system-view

[Sysname] ipv6 prefix 3 88:99::/32

[Sysname] ipv6 dhcp prefix-pool 2 prefix 3 assign-len 42

# Create prefix pool 1, and specify the prefix 2001:0410::/32 with the assigned prefix length 42. Prefix pool 1 contains 1024 prefixes from 2001:0410::/42 to 2001:0410:FFC0::/42.

<Sysname> system-view

[Sysname] ipv6 dhcp prefix-pool 1 prefix 2001:0410::/32 assign-len 42

Related commands

·          display ipv6 dhcp prefix-pool

·          prefix-pool

ipv6 dhcp server

Use ipv6 dhcp server to configure global address assignment on an interface. The server on the interface uses a global address pool to assign configuration information to a client.

Use undo ipv6 dhcp server to restore the default.

Syntax

ipv6 dhcp server { allow-hint | preference preference-value | rapid-commit } *

undo ipv6 dhcp server

Default

The server does not support desired address/prefix assignment or rapid address/prefix assignment. The server preference is set to 0.

Views

Interface view

Predefined user roles

network-admin

Parameters

allow-hint: Enables desired address/prefix assignment.

preference preference-value: Specifies the server preference in Advertise messages, in the range of 0 to 255. The default value is 0. A greater value specifies a higher preference.

rapid-commit: Enables rapid address/prefix assignment involving two messages.

Usage guidelines

The allow-hint keyword enables the server to assign the desired address or prefix to the requesting client. If the desired address or prefix is not included in any global address pool, or is already assigned to another client, the server assigns the client a free address or a prefix. If the allow-hint keyword is not specified, the server ignores the desired address or prefix, and selects an address or prefix from a global address pool.

If you use the ipv6 dhcp server and ipv6 dhcp server apply pool commands on the same interface, the ipv6 dhcp server apply pool command takes effect.

Examples

# Configure global address assignment on the interface VLAN-interface 2. Use the desired address/prefix assignment and rapid address/prefix assignment, and set the server preference to the highest 255.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] ipv6 dhcp server allow-hint preference 255 rapid-commit

Related commands

·          display ipv6 dhcp server

·          ipv6 dhcp select

ipv6 dhcp server apply pool

Use ipv6 dhcp server apply pool to apply a DHCPv6 address pool to an interface.

Use undo ipv6 dhcp server apply pool to remove the DHCPv6 address pool from the interface.

Syntax

ipv6 dhcp server apply pool pool-name [ allow-hint | preference preference-value | rapid-commit ] *

undo ipv6 dhcp server apply pool

Default

No DHCPv6 address pool is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

pool-name: Specifies a DHCPv6 address pool by its name, a case-insensitive string of 1 to 63 characters.

allow-hint: Enables desired address/prefix assignment.

preference preference-value: Specifies the server preference in Advertise messages, in the range of 0 to 255. The default value is 0. A greater value specifies a higher preference.

rapid-commit: Enables rapid address/prefix assignment involving two messages.

Usage guidelines

Upon receiving a DHCPv6 request, the DHCPv6 server selects an IPv6 address or prefix from the address pool applied to the receiving interface. If no address pool is applied, the server selects an IPv6 address or prefix from a global address pool that matches the IPv6 address of the receiving interface or the DHCPv6 relay agent.

The allow-hint keyword enables the server to assign the desired address or prefix to the client. If the desired address or prefix does not exist or is already assigned to another client, the server assigns a free address or prefix. If allow-hint is not specified, the server ignores the desired address or prefix, and assigns a free address or prefix.

Only one address pool can be applied to an interface. If you use the command multiple times, the most recent configuration takes effect.

A non-existing address pool can be applied to an interface, but the server cannot assign any prefix, address, or other configuration information from the address pool until the address pool is created.

Examples

# Apply address pool 1 to VLAN-interface 2, configure the address pool to support desired address/prefix assignment and address/prefix rapid assignment, and set the preference to 255.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] ipv6 dhcp server apply pool 1 allow-hint preference 255 rapid-commit

Related commands

·          display ipv6 dhcp server

·          ipv6 dhcp pool

·          ipv6 dhcp select

ipv6 dhcp server database filename

Use ipv6 dhcp server database filename to configure the DHCPv6 server to back up the bindings to a file.

Use undo ipv6 dhcp server database filename to disable the auto backup and remove the backup file.

Syntax

ipv6 dhcp server database filename { filename | url url [ username username [ password { cipher | simple } key ] ] }

undo ipv6 dhcp server database filename

Default

The DHCPv6 server does not back up the DHCPv6 bindings.

Views

System view

Predefined user roles

network-admin

Parameters

filename: Specifies the name of a local backup file. For information about the filename argument, see Fundamentals Configuration Guide.

url url: Specifies the URL of a remote backup file. Do not include a username or password in the URL.

username username: Specifies the username for logging in to the remote device.

cipher: Sets a ciphertext password.

simple: Sets a plaintext password.

key: Specifies the key string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 32 characters. If cipher is specified, it must be a string of 1 to 73 characters.

Usage guidelines

For security purposes, all passwords, including those configured in plain text, are saved in cipher text.

The command automatically creates the file if you specify a non-existent file.

With this command executed, the DHCPv6 server backs up its bindings immediately and runs auto backup. The server, by default, waits 300 seconds after a binding change to update the backup file. You can use the ipv6 dhcp server database update interval command to change the waiting time. If no DHCPv6 binding changes, the backup file is not updated.

H3C recommends that you back up the bindings to a remote file. If you use the local storage medium, the frequent erasing and writing might damage the medium and then cause the DHCPv6 server malfunction.

When the backup file is on a remote device, follow these restrictions and guidelines to specify the URL, username, and password:

·          If the file is on an FTP server, enter URL in the format of ftp://server address:port/file path, where the port number is optional.

·          If the file is on a TFTP server, enter URL in the format of tftp://server address:port/file path, where the port number is optional.

·          The username and password must be the same as those configured on the FTP or TFTP server. If the server authenticates only the username, the password can be omitted. For example, enter URL ftp://1.1.1.1/database.dhcp username admin at the CLI to specify the URL and username for the file on an FTP server.

·          If the IP address of the server is an IPv6 address, enclose the address in a pair of brackets, for example, ftp://[1::1]/database.dhcp.

·          You can also specify the DNS domain name for the server address field, for example, ftp://company/database.dhcp.

Examples

# Configure the DHCPv6 server to back up its bindings to the file database.dhcp

<Sysname> system-view

[Sysname] ipv6 dhcp server database filename database.dhcp

# Configure the DHCPv6 server to back up its bindings to the file database.dhcp in the working directory of the FTP server at 10::1.

<Sysname> system-view

[Sysname] ipv6 dhcp server database filename url ftp://[10::1]/database.dhcp username 1 password simple 1

Related commands

·          ipv6 dhcp server database update interval

·          ipv6 dhcp server database update now

·          ipv6 dhcp server database update stop

ipv6 dhcp server database update interval

Use ipv6 dhcp server database update interval to set the waiting time after a DHCPv6 binding change for the DHCPv6 server to update the backup file.

Use undo ipv6 dhcp server database update interval to restore the default.

Syntax

ipv6 dhcp server database update interval seconds

undo ipv6 dhcp server database update interval

Default

The DHCPv6 server waits 300 seconds after a DHCPv6 binding change to update the backup file. If no DHCPv6 binding changes, the backup file is not updated.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Sets the waiting time in seconds in the range of 60 to 864000.

Usage guidelines

The waiting time takes effect only after you configure the DHCPv6 binding auto backup by using the ipv6 dhcp server database filename command.

When a DHCPv6 binding is created, updated, or removed, the waiting period starts. The DHCPv6 server updates the backup file when the waiting period is reached. All bindings changed during the period will be saved to the backup file.

Examples

# Set the waiting time to 10 minutes for the DHCPv6 server to update the backup file.

<Sysname> system-view

[Sysname] ipv6 dhcp server database update interval 600

Related commands

·          ipv6 dhcp server database filename

·          ipv6 dhcp server database update now

·          ipv6 dhcp server database update stop

ipv6 dhcp server database update now

Use ipv6 dhcp server database update now to manually save the DHCPv6 bindings to the backup file.

Syntax

ipv6 dhcp server database update now

Views

System view

Predefined user roles

network-admin

Usage guidelines

For this command to take effect, you must configure the DHCPv6 auto backup by using the ipv6 dhcp server database filename command.

Examples

# Manually save the DHCPv6 bindings to the backup file.

<Sysname> system-view

[Sysname] ipv6 dhcp server database update now

Related commands

·          ipv6 dhcp server database filename

·          ipv6 dhcp server database update interval

·          ipv6 dhcp server database update stop

ipv6 dhcp server database update stop

Use ipv6 dhcp server database update stop to terminate the download of DHCPv6 bindings from the backup file.

Syntax

ipv6 dhcp server database update stop

Views

System view

Predefined user roles

network-admin

Usage guidelines

The DHCPv6 server does not provide services during the binding download process. If the connection breaks up during the process, the waiting timeout timer is 60 minutes. When the timer expires, the DHCPv6 server stops waiting and starts providing address allocation services. You can use this command to terminate the download immediately. Manual termination allows the DHCPv6 server to provide services without waiting for the connection to be repaired. The IPv6 addresses and prefixes associated with the undownloaded bindings will be assigned to clients and address conflicts might occur.

Examples

# Terminate the download of the backup DHCPv6 bindings.

<Sysname> system-view

[Sysname] ipv6 dhcp server database update stop

Related commands

·          ipv6 dhcp server database filename

·          ipv6 dhcp server database update interval

·          ipv6 dhcp server database update now

ipv6 dhcp server forbidden-address

Use ipv6 dhcp server forbidden-address to exclude specified IPv6 addresses from dynamic allocation.

Use undo ipv6 dhcp server forbidden-address to remove the configuration.

Syntax

ipv6 dhcp server forbidden-address start-ipv6-address [ end-ipv6-address ]

undo ipv6 dhcp server forbidden-address start-ipv6-address [ end-ipv6-address ]

Default

Except for the DHCPv6 server address, all IPv6 addresses in a DHCPv6 address pool are assignable.

Views

System view

Predefined user roles

network-admin

Parameters

start-ipv6-address: Specifies the start IPv6 address.

end-ipv6-address: Specifies the end IPv6 address, which cannot be lower than start-ipv6-address. If you do not specify an end IPv6 address, only the start IPv6 address is excluded from dynamic allocation. If you specify an end IPv6 address, the IP addresses from start-ipv6-address through end-ipv6-address are all excluded from dynamic allocation.

Usage guidelines

You can exclude multiple IP address ranges from dynamic allocation.

The IPv6 addresses of some devices such as the gateway and FTP server cannot be assigned to clients. Use this command to exclude such addresses from dynamic allocation.

If the excluded IPv6 address is in a static binding, the address can still be assigned to the client.

The address or address range specified in the undo form of the command must be the same as the address or address range specified in the command. To remove an IP address that has been specified as part of an address range, you must remove the entire address range.

Examples

# Exclude IPv6 addresses of 2001:10:110::1 through 2001:10:110::20 from dynamic assignment.

<Sysname> system-view

[Sysname] ipv6 dhcp server forbidden-address 2001:10:110::1 2001:10:110::20

Related commands

·          ipv6 dhcp server forbidden-prefix

·          static-bind

ipv6 dhcp server forbidden-prefix

Use ipv6 dhcp server forbidden-prefix to exclude specific IPv6 prefixes from dynamic allocation.

Use undo ipv6 dhcp server forbidden-prefix to remove the configuration.

Syntax

ipv6 dhcp server forbidden-prefix start-prefix/prefix-len [ end-prefix/prefix-len ]

undo ipv6 dhcp server forbidden-prefix start-prefix/prefix-len [ end-prefix/prefix-len ]

Default

No IPv6 prefixes in the DHCPv6 prefix pool are excluded from dynamic allocation.

Views

System view

Predefined user roles

network-admin

Parameters

start-prefix/prefix-len: Specifies the start IPv6 prefix. The prefix-len argument specifies the prefix length in the range of 1 to 128.

end-prefix/prefix-len: Specifies the end IPv6 prefix. The prefix-len argument specifies the prefix length in the range of 1 to 128. The value for end-prefix cannot be lower than that for start-prefix. If you do not specify this argument, only the start-prefix/prefix-len is excluded from dynamic allocation. If you specify this argument, the prefixes from start-prefix/prefix-len to end-prefix/prefix-len are all excluded.

Usage guidelines

You can exclude multiple IPv6 prefix ranges from dynamic allocation.

If the excluded IPv6 prefix is in a static binding, the prefix can still be assigned to the client.

The prefix or prefix range specified in the undo form of the command must be the same as the prefix or prefix range specified in the command. To remove a prefix that has been specified as part of a prefix range, you must remove the entire prefix range.

Examples

# Exclude IPv6 prefixes from 2001:3e11::/32 through 2001:3eff::/32 from dynamic allocation.

<Sysname> system-view

[Sysname] ipv6 dhcp server forbidden-prefix 2001:3e11::/32 2001:3eff::/32

Related commands

·          ipv6 dhcp server forbidden-address

·          static-bind

network

Use network to specify an IPv6 subnet for dynamic allocation in a DHCPv6 address pool.

Use undo network to remove the specified IPv6 subnet.

Syntax

network { prefix/prefix-length | prefix prefix-number [ sub-prefix/sub-prefix-length ] } [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ] [ export-route ]

undo network

Default

No IPv6 subnet is specified in a DHCPv6 address pool.

Views

DHCPv6 address pool view

Predefined user roles

network-admin

Parameters

prefix/prefix-length: Specifies the IPv6 subnet for dynamic allocation. The value range for the prefix-length argument is 1 to 128.

prefix prefix-number: Specifies an IPv6 prefix by its ID in the range of 1 to 1024.

sub-prefix/sub-prefix-length: Specifies an IPv6 sub-prefix and its length. The value range for the sub-prefix-length argument is 1 to 128.

preferred-lifetime preferred-lifetime: Sets the preferred lifetime. The value range is 60 to 4294967295 seconds, and the default is 604800 seconds (7 days).

valid-lifetime valid-lifetime: Sets the valid lifetime. The value range is 60 to 4294967295 seconds, and the default is 2592000 seconds (30 days). The valid lifetime must be longer than or equal to the preferred lifetime.

export-route: Advertises the subnet assigned to DHCPv6 clients. This feature ensures symmetric routing for traffic of the same client.

Usage guidelines

You can specify only one subnet for a DHCPv6 address pool.

If you use this command multiple times, the most recent configuration takes effect.

Modifying or removing the network configuration removes assigned addresses in the current address pool.

The IPv6 subnets cannot be the same in different DHCPv6 address pools.

When you configure the network prefix command, follow these restrictions and guidelines:

·          The IPv6 subnet is determined by the specified IPv6 prefix, IPv6 sub-prefix, and IPv6 sub-prefix length. The prefix of the IPv6 subnet is the IPv6 prefix suffixed with the IPv6 sub-prefix from the IPv6 prefix length+1 bit to the sub-prefix length bit. The prefix length of the IPv6 subnet is the sub-prefix length. If the IPv6 sub-prefix is not longer than the IPv6 prefix or if you do not specify an IPv6 sub-prefix, the IPv6 subnet defined by the IPv6 prefix is used for dynamic allocation.

·          This command does not take effect if the specified IPv6 prefix does not exist. This command takes effect after the IPv6 prefix is created.

·          If the prefix that the ID represents is changed, the IPv6 subnet in this command accordingly changes, and the assigned prefix and address bindings are cleared.

Examples

# Specify the subnet 3ffe:501:ffff:100::/64 in DHCPv6 address pool 1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] network 3ffe:501:ffff:100::/64

# Create IPv6 prefix 88:99::/32 with the prefix ID 3. Create DHCPv6 address pool 1 and use the IPv6 subnet defined by the IPv6 prefix for dynamic allocation.

<Sysname> system-view

[Sysname] ipv6 prefix 3 88:99::/32

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] network prefix 3

# Create IPv6 prefix 88:99::/32 with the prefix ID 3. Create DHCPv6 address pool 1 and use IPv6 subnet 88:99:ffff:100::/64 defined by IPv6 prefix 3 and IPv6 sub-prefix 3ffe:501:ffff:100::/64 for dynamic allocation.

<Sysname> system-view

[Sysname] ipv6 prefix 3 88:99::/32

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] network prefix 3 3ffe:501:ffff:100::/64

Related commands

·          address range

·          display ipv6 dhcp pool

·          temporary address range

option

Use option to configure a self-defined DHCPv6 option in a DHCPv6 address pool.

Use undo option to remove a self-defined DHCPv6 option from a DHCPv6 address pool.

Syntax

option code hex hex-string

undo option code

Default

No self-defined DHCPv6 option is configured in a DHCPv6 address pool.

Views

DHCPv6 address pool view

DHCPv6 option group view

Predefined user roles

network-admin

Parameters

code: Specifies a number for the self-defined option, in the range of 21 to 65535, excluding 25 through 26, 37 through 40, and 43 through 48.

hex hex-string: Specifies the content of the option, a hexadecimal string of even numbers from 2 to 256.

Usage guidelines

The DHCPv6 server fills the self-defined option with the specified hexadecimal string and sends it in a response to the client.

If you use the option command multiple times with the same code specified, the most recent configuration takes effect.

You can self-define options for the following purposes:

·          Add newly released options.

·          Add options for which the vendor defines the contents, for example, Option 43.

·          Add options for which the CLI does not provide a dedicated configuration command like dns-server. For example, you can use the option 31 hex 00c80000000000000000000000000001 command to define the NTP server address 200::1 for DHCP clients.

If a DHCPv6 option is specified by both the dedicated command and the option command, the DHCPv6 server preferentially assigns the content specified by the dedicated command. For example, if a DNS server address is specified by the dns-server command and the option 23 command, the server uses the address specified by dns-server command.

Examples

# Configure Option 23 that specifies a DNS server address 2001:f3e0::1 in DHCPv6 address pool 1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] option 23 hex 2001f3e0000000000000000000000001

Related commands

·          display ipv6 dhcp pool

·          dns-server

·          domain-name

·          sip-server

option-group

Use option-group to specify a DHCPv6 option group for a DHCPv6 address pool.

Use undo option-group to remove the configuration.

Syntax

option-group option-group-number

undo option-group

Default

No DHCPv6 option group is specified for a DHCPv6 address pool.

Views

DHCPv6 address pool view

Predefined user roles

network-admin

Parameters

option-group--number: Specifies a DHCPv6 option group by its number in the range of 1 to 100.

Examples

# Specify DHCPv6 option group 1 for DHCPv6 address pool 1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] option-group 1

Related commands

·          display ipv6 dhcp pool

·          ipv6 dhcp option-group

prefix-pool

Use prefix-pool to apply a prefix pool to a DHCPv6 address pool, so the DHCPv6 server can dynamically select a prefix from the prefix pool for a client.

Use undo prefix-pool to remove the configuration.

Syntax

prefix-pool prefix-pool-number [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

undo prefix-pool prefix-pool-number

Default

No prefix pool is applied to a DHCPv6 address pool.

Views

DHCPv6 address pool view

Predefined user roles

network-admin

Parameters

prefix-pool-number: Specifies a prefix pool by its number in the range of 1 to 128.

preferred-lifetime preferred-lifetime: Sets the preferred lifetime in the range of 60 to 4294967295 seconds. The default value is 604800 seconds (7 days).

valid-lifetime valid-lifetime: Sets the valid lifetime in the range of 60 to 4294967295 seconds. The default value is 2592000 seconds (30 days). The valid lifetime must be longer than or equal to the preferred lifetime.

Usage guidelines

Only one prefix pool can be applied to an address pool.

You can apply a prefix pool that has not been created to an address pool. The setting takes effect after the prefix pool is created.

You cannot modify prefix pools that have been applied. To change the prefix pool for an address pool, you must remove the prefix pool application first.

Examples

# Apply prefix pool 1 to address pool 1, and use the default preferred lifetime and valid lifetime.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] prefix-pool 1

# Apply prefix pool 2 to address pool 2, and set the preferred lifetime to one day and the valid lifetime to three days.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 2

[Sysname-dhcp6-pool-2] prefix-pool 2 preferred-lifetime 86400 valid-lifetime 259200

Related commands

·          display ipv6 dhcp pool

·          ipv6 dhcp prefix-pool

reset ipv6 dhcp server conflict

Use reset ipv6 dhcp server conflict to clear IPv6 address conflict information.

Syntax

reset ipv6 dhcp server conflict [ address ipv6-address ]

Views

User view

Predefined user roles

network-admin

Parameters

address ipv6-address: Clears conflict information for the specified IPv6 address. If you do not specify an IPv6 address, this command clears all IPv6 address conflict information.

Usage guidelines

Address conflicts occur when dynamically assigned IP addresses have been statically configured for other hosts. After the conflicts are resolved, you can use the reset ipv6 dhcp server conflict command to clear conflict information so that the conflicted addresses can be assigned to clients.

Examples

# Clear all IPv6 address conflict information.

<Sysname> reset ipv6 dhcp server conflict

Related commands

display ipv6 dhcp server conflict

reset ipv6 dhcp server expired

Use reset ipv6 dhcp server expired to clear binding information for lease-expired IPv6 addresses.

Syntax

reset ipv6 dhcp server expired [ address ipv6-address | pool pool-name ]

Views

User view

Predefined user roles

network-admin

Parameters

address ipv6-address: Clears binding information for the specified lease-expired IPv6 address.

pool pool-name: Clears binding information for lease-expired IPv6 addresses in the address pool specified by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you do not specify any parameters, this command clears binding information for all lease-expired IPv6 addresses.

Examples

# Clear binding information for expired IPv6 address 2001:f3e0::1.

<Sysname> reset ipv6 dhcp server expired address 2001:f3e0::1

Related commands

display ipv6 dhcp server expired

reset ipv6 dhcp server ip-in-use

Use reset ipv6 dhcp server ip-in-use to clear binding information for assigned IPv6 addresses.

Syntax

reset ipv6 dhcp server ip-in-use [ address ipv6-address | pool pool-name ]

Views

User view

Predefined user roles

network-admin

Parameters

address ipv6-address: Clears binding information for the assigned IPv6 address.

pool pool-name: Clears binding information for assigned IPv6 addresses in the address pool specified by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you do not specify any parameters, this command clears binding information for all IPv6 addresses.

If you use this command to clear information about an assigned static binding, the static binding becomes an unassigned static binding.

Examples

# Clear binding information for all assigned IPv6 addresses.

<Sysname> reset ipv6 dhcp server ip-in-use

# Clears binding information for assigned IPv6 addresses in DHCPv6 address pool 1.

<Sysname> reset ipv6 dhcp server ip-in-use pool 1

# Clears binding information for the assigned IPv6 address 2001:0:0:1::1.

<Sysname> reset ipv6 dhcp server ip-in-use address 2001:0:0:1::1

Related commands

display ipv6 dhcp server ip-in-use

reset ipv6 dhcp server pd-in-use

Use reset ipv6 dhcp server pd-in-use to clear binding information for assigned IPv6 prefixes.

Syntax

reset ipv6 dhcp server pd-in-use [ pool pool-name | prefix prefix/prefix-len ]

Views

User view

Predefined user roles

network-admin

Parameters

pool pool-name: Clears binding information for assigned IPv6 prefixes in the address pool specified by its name, a case-insensitive string of 1 to 63 characters.

prefix prefix/prefix-len: Clears binding information for the specified IPv6 prefix. The value range for the prefix length is 1 to 128.

Usage guidelines

If you do not specify any parameters, this command clears binding information for all assigned IPv6 prefixes.

If you use this command to clear information about an assigned static binding, the static binding becomes an unassigned static binding.

Examples

# Clear binding information for all assigned IPv6 prefixes.

<Sysname> reset ipv6 dhcp server pd-in-use

# Clears binding information for assigned IPv6 prefixes in DHCPv6 address pool 1.

<Sysname> reset ipv6 dhcp server pd-in-use pool 1

# Clears binding information for the assigned IPv6 prefix 2001:0:0:1::/64.

<Sysname> reset ipv6 dhcp server pd-in-use prefix 2001:0:0:1::/64

Related commands

display ipv6 dhcp server pd-in-use

reset ipv6 dhcp server statistics

Use reset ipv6 dhcp server statistics to clear DHCPv6 server statistics.

Syntax

reset ipv6 dhcp server statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear DHCPv6 server statistics.

<Sysname> reset ipv6 dhcp server statistics

Related commands

display ipv6 dhcp server statistics

sip-server

Use sip-server to specify the IPv6 address or domain name of a SIP server in the DHCPv6 address pool.

Use undo sip-server to remove a SIP server.

Syntax

sip-server { address ipv6-address | domain-name domain-name }

undo sip-server { address ipv6-address | domain-name domain-name }

Default

No SIP server address or domain name is specified.

Views

DHCPv6 address pool view

DHCPv6 option group view

Predefined user roles

network-admin

Parameters

address ipv6-address: Specifies the IPv6 address of a SIP server.

domain-name domain-name: Specifies the domain name of a SIP server, a case-insensitive string of 1 to 50 characters.

Usage guidelines

You can specify up to eight SIP server addresses and eight SIP server domain names in an address pool. A SIP server that is specified earlier has a higher preference.

Examples

# Specify the SIP server address 2:2::4 in DHCPv6 address pool 1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] sip-server address 2:2::4

# Specify the SIP server domain name bbb.com in DHCPv6 address pool 1.

[Sysname-dhcp6-pool-1] sip-server domain-name bbb.com

Related commands

display ipv6 dhcp pool

static-bind

Use static-bind to statically bind a client DUID or client IAID to an IPv6 address or prefix in the DHCPv6 address pool.

Use undo static-bind to remove a static binding.

Syntax

static-bind { address ipv6-address/addr-prefix-length | prefix prefix/prefix-len } duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

undo static-bind { address ipv6-address/addr-prefix-length | prefix prefix/prefix-len }

Default

No static binding is configured in a DHCPv6 address pool.

Views

DHCPv6 address pool view

Predefined user roles

network-admin

Parameters

address ipv6-address/addr-prefix-length: Specifies the IPv6 address and prefix length. The value range for the prefix length is 1 to 128.

prefix prefix/prefix-len: Specifies the prefix and prefix length. The value range for the prefix length is 1 to 128.

duid duid: Specifies a client DUID. The value is an even hexadecimal number in the range of 2 to 256.

iaid iaid: Specifies a client IAID. The value is a hexadecimal number in the range of 0 to FFFFFFFF. If you do not specify an IAID, the server does not match the client IAID for prefix assignment.

preferred-lifetime preferred-lifetime: Sets the preferred lifetime of the address or prefix. The value range is 60 to 4294967295 seconds, and the default is 604800 seconds (7 days).

valid-lifetime valid-lifetime: Sets the valid lifetime of the address or prefix. The value range is 60 to 4294967295 seconds, and the default is 2592000 seconds (30 days). The valid lifetime cannot be shorter than the preferred lifetime.

Usage guidelines

You can specify multiple static bindings in a DHCPv6 address pool.

An IPv6 address or prefix can be bound to only one DHCPv6 client. You cannot modify bindings that have been created. To change the binding for a DHCPv6 client, you must delete the existing binding first.

Examples

# In address pool 1, bind IPv6 address 2001:0410::/35 to the client DUID 0003000100e0fc005552 and IAID A1A1A1A1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] static-bind address 2001:0410::/35 duid 0003000100e0fc005552 iaid A1A1A1A1

# In address pool 1, bind prefix 2001:0410::/35 to the client DUID 00030001CA0006A400 and IAID A1A1A1A1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] static-bind prefix 2001:0410::/35 duid 00030001CA0006A400 iaid A1A1A1A1

Related commands

display ipv6 dhcp pool

temporary address range

Use temporary address range to configure a temporary IPv6 address range in a DHCPv6 address pool for dynamic allocation.

Use undo temporary address range to remove the temporary IPv6 address range from the DHCPv6 address pool.

Syntax

temporary address range start-ipv6-address end-ipv6-address [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

undo temporary address range

Default

No temporary IPv6 address range is configured in a DHCPv6 address pool.

Views

DHCPv6 address pool view

Predefined user roles

network-admin

Parameters

start-ipv6-address: Specifies the start IPv6 address.

end-ipv6-address: Specifies the end IPv6 address.

preferred-lifetime preferred-lifetime: Sets the preferred lifetime. The value range is 60 to 4294967295 seconds, and the default is 604800 seconds (7 days).

valid-lifetime valid-lifetime: Sets the valid lifetime. The value range is 60 to 4294967295 seconds, and the default is 2592000 seconds (30 days). The valid lifetime cannot be shorter than the preferred lifetime.

Usage guidelines

If you do not execute the temporary address range command, the DHCPv6 server does not support temporary address assignment.

You can configure only one temporary IPv6 address range in an address pool. If you use the command multiple times, the most recent configuration takes effect.

Examples

# In DHCPv6 address pool 1, configure a temporary IPv6 address range from 3ffe:501:ffff:100::50 to 3ffe:501:ffff:100::60.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] network 3ffe:501:ffff:100::/64

[Sysname-dhcp6-pool-1] temporary address range 3ffe:501:ffff:100::50 3ffe:501:ffff:100::60

Related commands

·          display ipv6 dhcp pool

·          address range

·          network

DHCPv6 relay agent commands

display ipv6 dhcp relay server-address

Use display ipv6 dhcp relay server-address to display DHCPv6 server addresses specified on the DHCPv6 relay agent.

Syntax

display ipv6 dhcp relay server-address [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays DHCPv6 server addresses on all interfaces enabled with DHCPv6 relay agent.

Examples

# Display DHCPv6 server addresses on all interfaces enabled with DHCPv6 relay agent.

<Sysname> display ipv6 dhcp relay server-address

Interface: Vlan-interface2

 Server address                             Outgoing Interface

 2::3

 3::4                                       Vlan-interface4    

 

Interface: Vlan-interface3

 Server address                             Outgoing Interface

 2::3

 3::4                                       Vlan-interface4  

# Display DHCPv6 server addresses on VLAN-interface 2.

<Sysname> display ipv6 dhcp relay server-address interface vlan-interface 2

Interface: Vlan-interface2

 Server address                             Outgoing Interface

 2::3

 3::4                                       Vlan-interface4    

Table 81 Command output

Field

Description

Server address

DHCPv6 server address specified on the DHCP relay agent.

Outgoing Interface

Output interface of DHCPv6 packets. If no output interface is specified, the device searches the routing table for the output interface.

 

Related commands

·          ipv6 dhcp relay server-address

·          ipv6 dhcp select

display ipv6 dhcp relay statistics

Use display ipv6 dhcp relay statistics to display DHCPv6 packet statistics on the DHCPv6 relay agent.

Syntax

display ipv6 dhcp relay statistics [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays DHCPv6 packets statistics on all interfaces enabled with DHCPv6 relay agent.

Examples

# Display DHCPv6 packet statistics on all interfaces enabled with DHCPv6 relay agent.

<Sysname> display ipv6 dhcp relay statistics

Packets dropped               :  4

Packets received              :  14

    Solicit                   :  0

    Request                   :  0

    Confirm                   :  0

    Renew                     :  0

    Rebind                    :  0

    Release                   :  0

    Decline                   :  0

    Information-request       :  7

    Relay-forward             :  0

    Relay-reply               :  7

Packets sent                  :  14

    Advertise                 :  0

    Reconfigure               :  0

    Reply                     :  7

    Relay-forward             :  7

    Relay-reply               :  0

# Display DHCPv6 packet statistics on the DHCPv6 relay agent on VLAN-interface 2.

<Sysname> display ipv6 dhcp relay statistics interface vlan-interface 2

Packets dropped               :  4

Packets received              :  16

    Solicit                   :  0

    Request                   :  0

    Confirm                   :  0

    Renew                     :  0

    Rebind                    :  0

    Release                   :  0

    Decline                   :  0

    Information-request       :  8

    Relay-forward             :  0

    Relay-reply               :  8

Packets sent                  :  16

    Advertise                 :  0

    Reconfigure               :  0

    Reply                     :  8

    Relay-forward             :  8

    Relay-reply               :  0

Table 82 Command output

Field

Description

Packets dropped

Number of discarded packets.

Packets received

Number of received packets.

Solicit

Number of received solicit packets.

Request

Number of received request packets.

Confirm

Number of received confirm packets.

Renew

Number of received renew packets.

Rebind

Number of received rebind packets.

Release

Number of received release packets.

Decline

Number of received decline packets.

Information-request

Number of received information request packets.

Relay-forward

Number of received relay-forward packets.

Relay-reply

Number of received relay-reply packets.

Packets sent

Number of sent packets.

Advertise

Number of sent advertise packets.

Reconfigure

Number of sent reconfigure packets.

Reply

Number of sent reply packets.

Relay-forward

Number of sent Relay-forward packets.

Relay-reply

Number of sent Relay-reply packets.

 

Related commands

reset ipv6 dhcp relay statistics

gateway-list

Use gateway-list to specify a list of gateway addresses for DHCPv6 clients in the relay address pool.

Use undo gateway-list to remove the specified gateway addresses from a DHCPv6 relay address pool.

Syntax

gateway-list ipv6-address&<1-8>

undo gateway-list [ ipv6-address&<1-8> ]

Default

No gateway address is specified in a DHCPv6 relay address pool.

Views

DHCPv6 relay address pool view

Predefined user roles

network-admin

Parameters

ipv6-address&<1-8>: Specifies a space-separated list of up to eight addresses. Only the first gateway address takes effect and it must reside on the same subnet assigned to the DHCP clients.

Usage guidelines

DHCPv6 clients of the same access type can be classified into different types by their locations. In this case, the relay interface typically has no IPv6 address configured. You can use the gateway-list command to specify the gateway for clients matching the same relay address pool.

Upon receiving a DHCPv6 Solicit or Request from a client that matches a relay address pool, the relay agent processes the packet as follows:

·          Fills the link-address field of the packet with the specified gateway address.

·          Forwards the packet to all DHCPv6 servers in the matching relay address pool.

The DHCPv6 servers select an address pool according to the gateway address.

Examples

# Specify the gateway address 10::1 in DHCPv6 relay address pool p1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool p1

[Sysname-dhcp6-pool-p1] gateway-list 10::1

ipv6 dhcp relay gateway

Use ipv6 dhcp relay gateway to specify a gateway address for DHCPv6 clients on the DHCPv6 relay interface.

Use undo ipv6 dhcp relay gateway to restore the default.

Syntax

ipv6 dhcp relay gateway ipv6-address

undo ipv6 dhcp relay gateway

Default

The first IPv6 address of the relay interface is used as the gateway address for DHCPv6 clients.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies a gateway address. The IPv6 address must be an IPv6 address of the relay interface.

Usage guidelines

The DHCPv6 relay agent uses the specified IPv6 address instead of the first IPv6 address of the relay interface as the gateway address for DHCPv6 clients.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify 10::1 as the gateway address for DHCPv6 clients on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] ipv6 dhcp relay gateway 10::1

Related commands

gateway-list

ipv6 dhcp relay interface-id

Use ipv6 dhcp relay interface-id to specify a padding mode for the Interface-ID option.

Use undo ipv6 dhcp relay interface-id to restore the default.

Syntax

ipv6 dhcp relay interface-id { bas | interface }

undo ipv6 dhcp relay interface-id

Default

The DHCPv6 relay agent fills the Interface-ID option with the interface index of the interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

bas: Specifies the BAS mode.

interface: Specifies the interface name mode. This mode pads the Interface-ID option in ASCII code with the interface name and VLAN ID of the interface.

Usage guidelines

Before executing this command, enable the DHCPv6 relay agent on the interface.

Examples

# Specify the BAS mode as the padding mode for the Interface-ID option on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp relay interface-id bas

# Specify the interface name mode as the padding mode for the Interface-ID option on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp relay interface-id interface

ipv6 dhcp relay server-address

Use ipv6 dhcp relay server-address to specify a DHCPv6 server on the DHCPv6 relay agent.

Use undo ipv6 dhcp relay server-address to remove DHCPv6 server addresses.

Syntax

ipv6 dhcp relay server-address ipv6-address [ interface interface-type interface-number ]

undo ipv6 dhcp relay server-address [ ipv6-address [ interface interface-type interface-number ] ]

Default

No DHCPv6 server address is specified on the DHCPv6 relay agent.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of a DHCPv6 server.

interface interface-type interface-number: Specifies an output interface through which the relay agent forwards the DHCPv6 requests to the DHCPv6 server. If you do not specify an output interface, the relay agent looks up the routing table for an output interface.

Usage guidelines

Upon receiving a request from a DHCPv6 client, the interface encapsulates the request into a Relay-forward message and forwards the message to the specified DHCPv6 server.

You can specify a maximum of eight DHCPv6 servers on an interface. The DHCPv6 relay agent forwards DHCP requests to all the specified DHCPv6 servers.

If the DHCPv6 server address is a link-local address or multicast address, you must specify an output interface. If you do not specify an output interface, DHCPv6 packets might fail to reach the DHCPv6 server.

If you do not specify an IPv6 address, the undo ipv6 dhcp relay server-address command removes all DHCPv6 server addresses specified on the interface.

Do not enable the DHCPv6 client and the DHCPv6 relay agent on the same interface.

Examples

# Enable the DHCPv6 relay agent on VLAN-interface 2 and specify the DHCPv6 server address 2001:1::3.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] ipv6 dhcp select relay

[Sysname-Vlan-interface2] ipv6 dhcp relay server-address 2001:1::3

Related commands

·          display ipv6 dhcp relay server-address

·          ipv6 dhcp select

remote-server

Use remote-server to specify DHCPv6 servers for a DHCPv6 relay address pool.

Use undo remote-server to remove the configuration.

Syntax

remote-server ipv6-address [ interface interface-type interface-number ]

undo remote-server [ ipv6-address [ interface interface-type interface-number ] ]

Default

No DHCPv6 server is specified for the DHCPv6 relay address pool.

Views

DHCPv6 relay address pool view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies a DHCPv6 server address.

interface interface-type interface-number: Specifies the outgoing interface by its type and number for the DHCPv6 relay agent to forward packets to the DHCPv6 server. If you do not specify an outgoing interface, the DHCPv6 relay agent performs a routing table lookup.

Usage guidelines

You can specify a maximum of eight DHCPv6 servers in one DHCPv6 relay address pool.

If you do not specify any parameters, the undo remote-server command removes all DHCPv6 servers in the relay address pool.

If a DHCPv6 server address is a link-local address, you must specify an outgoing interface by using the interface keyword in this command. Otherwise, DHCPv6 packets might fail to reach the DHCPv6 server.

Examples

# Specify DHCPv6 server 10::1 for DHCPv6 relay address pool 0.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 0

[Sysname-dhcp6-pool-0] remote-server 10::1

reset ipv6 dhcp relay statistics

Use reset ipv6 dhcp relay statistics to clear packets statistics on the DHCPv6 relay agent.

Syntax

reset ipv6 dhcp relay statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears all relay agent statistics.

Examples

# Clear packet statistics on the DHCPv6 relay agent.

<Sysname> reset ipv6 dhcp relay statistics

Related commands

display ipv6 dhcp relay statistics

DHCPv6 client commands

display ipv6 dhcp client

Use display ipv6 dhcp client to display DHCPv6 client information.

Syntax

display ipv6 dhcp client [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays information about all DHCPv6 clients.

Examples

# Display the DHCPv6 client information on VLAN-interface 2.

<Sysname> display ipv6 dhcp client interface vlan-interface 2

Vlan-interface2:

  Type: Stateful client requesting address and prefix

    State: OPEN

    Client DUID: 0003000100e002000000

    Preferred server:

      Reachable via address: FE80::2E0:1FF:FE00:18

      Server DUID: 0003000100e001000000

    IA_NA: IAID 0x00000642, T1 50 sec, T2 80 sec

      Address: 1:1::2/128

        Preferred lifetime 100 sec, valid lifetime 200 sec

        Will expire on Feb 4 2014 at 15:37:20(288 seconds left)

    IA_PD: IAID 0x00000642, T1 50 sec, T2 80 sec

      Prefix: 12:34::/48

        Preferred lifetime 100 sec, valid lifetime 200 sec

        Will expire on Mar 27 2014 at 08:13:24 (199 seconds left)

    DNS server addresses:

      2:2::3

    Domain name:

      aaa.com

    SIP server addresses:

      2:2::4

    SIP server domain names:

      bbb.com

    Options:

      Code: 88

        Length: 3 bytes

        Hex: AABBCC

Table 83 Command output

Field

Description

Type

Types of DHCPv6 client:

·         Stateful client requesting address—A DHCPv6 client that requests an IPv6 address.

·         Stateful client requesting prefix—A DHCPv6 client that requests an IPv6 prefix.

·         Stateful client requesting address and prefix—A DHCPv6 client that requests an IPv6 address and prefix.

·         Stateless client—A DHCPv6 client that requests configuration parameters other than an IPv6 address and prefix through stateless DHCPv6.

State

Current states of the DHCPv6 client:

·         IDLE—The client is in idle state.

·         SOLICIT—The client is locating a DHCPv6 server.

·         REQUEST—The client is requesting an IPv6 address or prefix.

·         OPEN—The client has obtained an IPv6 address or prefix.

·         RENEW—The client is extending the lease (after T1 and before T2).

·         REBIND—The client is extending the lease (after T2 and before the lease expires).

·         RELEASE—The client is releasing an IPv6 address or prefix.

·         DECLINE—The client is declining an IPv6 address or prefix because of an address or prefix conflict.

·         INFO-REQUESTING—The client is requesting configuration parameters through stateless DHCPv6.

Client DUID

DUID of the DHCPv6 client.

Preferred server

Information about the DHCPv6 server selected by the DHCPv6 client.

Reachable via address

Reachable address for the DHCPv6 client. It is the link local address of the DHCPv6 server or DHCPv6 relay agent.

Server DUID

DUID of the DHCPv6 server.

IA_NA

IA_NA information.

IA_PD

IA_PD information.

IAID

IA identifier.

T1

T1 value in seconds.

T2

T2 value in seconds.

Address

IPv6 address obtained. This field is displayed only when the DHCPv6 client type is Stateful client requesting address.

Prefix

IPv6 prefix obtained. This field is displayed only when the DHCPv6 client type is Stateful client requesting prefix.

Preferred lifetime

Preferred lifetime in seconds.

valid lifetime

Valid lifetime in seconds.

Will expire on Feb 4 2014 at 15:37:20 (288 seconds left)

Time when the lease expires and the remaining time of the lease.

If the lease expires after the year 2100, this field displays Will expire after 2100.

DNS server addresses

IPv6 address of the DNS server.

Domain name

Domain name suffix.

SIP server addresses

IPv6 address of the SIP server.

SIP server domain names

Domain name of the SIP server.

Options

Self-defined options.

Code

Code of the self-defined option.

Length

Self-defined option length in bytes.

Hex

Self-defined option content represented by a hexadecimal string.

 

Related commands

·          ipv6 address dhcp-alloc

·          ipv6 dhcp client duid

·          ipv6 dhcp client pd

display ipv6 dhcp client statistics

Use display ipv6 dhcp client statistics to display DHCPv6 client statistics.

Syntax

display ipv6 dhcp client statistics [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays statistics for all DHCPv6 clients.

Examples

# Display DHCPv6 client statistics on VLAN-interface 2.

<Sysname> display ipv6 dhcp client statistics interface vlan-interface 2

Interface                    :  Vlan-interface2

Packets received             :  1

         Reply               :  1

         Advertise           :  0

         Reconfigure         :  0

         Invalid             :  0

Packets sent                 :  5

         Solicit             :  0

         Request             :  0

         Renew               :  0

         Rebind              :  0

         Information-request :  5

         Release             :  0

         Decline             :  0

Table 84 Command output

Field

Description

Interface

Interface that acts as the DHCPv6 client.

Packets Received

Number of received packets.

Reply

Number of received reply packets.

Advertise

Number of received advertise packets.

Reconfigure

Number of received reconfigure packets.

Invalid

Number of invalid packets.

Packets sent

Number of sent packets.

Solicit

Number of sent solicit packets.

Request

Number of sent request packets.

Renew

Number of sent renew packets.

Rebind

Number of sent rebind packets.

Information-request

Number of sent information request packets.

Release

Number of sent release packets.

Decline

Number of sent decline packets.

 

Related commands

reset ipv6 dhcp client statistics

ipv6 address dhcp-alloc

Use ipv6 address dhcp-alloc to configure an interface to use DHCPv6 for IPv6 address acquisition.

Use undo ipv6 address dhcp-alloc to cancel an interface from using DHCPv6, and clear the obtained IPv6 address and other configuration parameters.

Syntax

ipv6 address dhcp-alloc [ option-group option-group-number | rapid-commit ] *

undo ipv6 address dhcp-alloc

Default

An interface does not use DHCPv6 for IPv6 address acquisition.

Views

Layer 3 Ethernet interface/subinterface view

VLAN interface view

Predefined user roles

network-admin

Parameters

option-group option-group-number: Enables the DHCPv6 client to create a dynamic DHCPv6 option group for saving the configuration parameters, and assigns an ID to the option group. The value range for the ID is 1 to 100. If you do not specify this option, the DHCPv6 client does not create any dynamic DHCPv6 option groups.

rapid-commit: Supports rapid address or prefix assignment.

Examples

# Configure VLAN-interface 10 to use DHCPv6 for IPv6 address acquisition. Configure the DHCPv6 client to support rapid address assignment and create dynamic DHCPv6 option group 1 for the configuration parameters obtained.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ipv6 address dhcp-alloc rapid-commit option-group 1

Related commands

display ipv6 dhcp client

ipv6 dhcp client dscp

Use ipv6 dhcp client dscp to set the DSCP value for DHCPv6 packets sent by the DHCPv6 client.

Use undo ipv6 dhcp client dscp to restore the default value.

Syntax

ipv6 dhcp client dscp dscp-value

undo ipv6 dhcp client dscp

Default

The DSCP value in DHCPv6 packets is 56.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Sets the DSCP value for DHCP packets, in the range of 0 to 63.

Usage guidelines

The DSCP value is carried in the Traffic class field of a DHCPv6 packet. It specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

Examples

# Set the DSCP value to 30 for DHCPv6 packets sent by the DHCPv6 client.

<Sysname> system-view

[Sysname] ipv6 dhcp client dscp 30

ipv6 dhcp client duid

Use ipv6 dhcp client duid to configure the DHCPv6 client DUID for an interface.

Use undo ipv6 dhcp client duid to restore the default.

Syntax

ipv6 dhcp client duid { ascii string | hex string | mac interface-type interface-number }

undo ipv6 dhcp client duid

Default

The interface uses the device bridge MAC address to generate its DHCPv6 client DUID.

Views

Layer 3 Ethernet interface/subinterface view

VLAN interface view

Predefined user roles

network-admin

Parameters

ascii string: Specifies a case-sensitive ASCII string of 1 to 130 characters as the DHCPv6 client DUID.

hex string: Specifies a hexadecimal string of 2 to 260 characters as the DHCPv6 client DUID.

mac interface-type interface-number: Specifies the MAC address of the specified interface as the DHCPv6 client DUID. The interface-type interface-number arguments specify an interface by its type and number.

Usage guidelines

The DUID of a DHCPv6 client is the globally unique identifier of the client, so make sure the DUID that you configure is unique.

A DHCPv6 client pads its DUID into the Option 1 of the DHCPv6 packet that it sends to the DHCPv6 server. The DHCPv6 server can assign specific IPv6 addresses or prefixes to DHCPv6 clients with specific DUIDs.

Examples

# Specify the hexadecimal string FFFFFFF as the DHCPv6 client DUID for VLAN-interface 10.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ipv6 dhcp client duid hex fffffff

Related commands

display ipv6 dhcp client

ipv6 dhcp client pd

Use ipv6 dhcp client pd to configure an interface to use DHCPv6 for IPv6 prefix acquisition.

Use undo ipv6 dhcp client pd to cancel an interface from using DHCPv6, and clear the obtained IPv6 prefix and other configuration parameters.

Syntax

ipv6 dhcp client pd prefix-number [ option-group option-group-number | rapid-commit ]*

undo ipv6 dhcp client pd

Default

An interface does not use DHCPv6 for IPv6 prefix acquisition.

Views

Layer 3 Ethernet interface/subinterface view

VLAN interface view

Predefined user roles

network-admin

Parameters

prefix-number: Specifies an IPv6 prefix ID in the range of 1 to 1024. After obtaining an IPv6 prefix, the client assigns the ID to the IPv6 prefix.

rapid-commit: Supports rapid address or prefix assignment.

option-group option-group-number: Enables the DHCPv6 client to create a dynamic DHCPv6 option group for saving the configuration parameters, and assigns an ID to the option group. The value range for the ID is 1 to 100. If you do not specify this option, the DHCPv6 client does not create any dynamic DHCPv6 option groups.

Examples

# Configure VLAN-interface10 to use DHCPv6 for IPv6 prefix acquisition. Specify IDs for the dynamic IPv6 prefix and dynamic DHCPv6 option group, and configure the client to support rapid prefix assignment.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ipv6 dhcp client pd 1 rapid-commit option-group 1

Related commands

display ipv6 dhcp client

ipv6 dhcp client stateless enable

Use ipv6 dhcp client stateless enable to enable stateless DHCPv6 on an interface.

Use undo ipv6 dhcp client stateless enable to restore the default.

Syntax

ipv6 dhcp client stateless enable

undo ipv6 dhcp client stateless enable

Default

Stateless DHCPv6 is disabled.

Views

Layer 3 Ethernet interface/subinterface view

VLAN interface view

Predefined user roles

network-admin

Usage guidelines

Stateless DHCPv6 enables the interface to send an Information-request message to the multicast address of all DHCPv6 servers and DHCPv6 relay agents for configuration parameters.

Examples

# Enable stateless DHCPv6 on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] ipv6 dhcp client stateless enable

ipv6 dhcp client stateful

Use ipv6 dhcp client stateful to configure an interface to use DHCPv6 for IPv6 address and prefix acquisition.

Use undo ipv6 dhcp client stateful to cancel an interface from using DHCPv6, and clear the obtained IPv6 address, prefix, and other configuration parameters.

Syntax

ipv6 dhcp client stateful prefix prefix-number [ option-group option-group-number | rapid-commit ] *

undo ipv6 dhcp client stateful

Default

An interface does not use DHCPv6 for IPv6 address and prefix acquisition.

Views

Layer 3 Ethernet interface/subinterface view

VLAN interface view

Predefined user roles

network-admin

Parameters

prefix prefix-number: Specifies an IPv6 prefix ID in the range of 1 to 1024. After obtaining an IPv6 prefix, the client assigns the ID to the IPv6 prefix.

rapid-commit: Supports rapid address and prefix assignment.

option-group option-group-number: Enables the DHCPv6 client to create a dynamic DHCPv6 option group for saving the configuration parameters, and assigns an ID to the option group. The value range for the ID is 1 to 100. If you do not specify this option, the DHCPv6 client does not create any dynamic DHCPv6 option groups.

Usage guidelines

The ipv6 dhcp client stateful command takes effect if it is configured with the ipv6 address dhcp-alloc and ipv6 dhcp client pd commands on an interface. You must execute the undo ipv6 dhcp client stateful command to have the ipv6 address dhcp-alloc and ipv6 dhcp client pd commands take effect.

Examples

# Configure VLAN-interface 10 to use DHCPv6 for IPv6 address and prefix acquisition. Specify IDs for the dynamic IPv6 prefix and dynamic DHCPv6 option group, and configure the client to support rapid address and prefix assignment.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ipv6 dhcp client stateful prefix 1 rapid-commit option-group 1

Related commands

·          ipv6 address dhcp-alloc

·          ipv6 dhcp client pd

reset ipv6 dhcp client statistics

Use reset ipv6 dhcp client statistics to clear DHCPv6 client statistics.

Syntax

reset ipv6 dhcp client statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears all DHCPv6 client statistics.

Examples

# Clear all DHCPv6 client statistics.

<Sysname> reset ipv6 dhcp client statistics

Related commands

display ipv6 dhcp client statistics

DHCPv6 snooping commands

DHCPv6 snooping works between the DHCPv6 client and the DHCPv6 server or between the DHCPv6 client and DHCPv6 the relay agent. DHCPv6 snooping does not work between the DHCPv6 server and the DHCPv6 relay agent.

display ipv6 dhcp snooping binding

Use display ipv6 dhcp snooping binding to display DHCPv6 snooping entries.

Syntax

display ipv6 dhcp snooping binding [ address ipv6-address [ vlan vlan-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

address ipv6-address: Displays the DHCPv6 snooping entry for the specified IPv6 address. If you do not specify an IPv6 address, this command displays DHCPv6 snooping entries for all IPv6 addresses.

vlan vlan-id: Specifies the ID of the VLAN where the IPv6 address resides. If you do not specify a VLAN, this command displays DHCPv6 snooping entries for the IPv6 address in all VLANs.

Examples

# Display all DHCPv6 snooping entries.

<Sysname> display ipv6 dhcp snooping binding

1 DHCPv6 snooping entries found.

 IPv6 address     MAC address    Lease       VLAN SVLAN Interface

 ================ ============== =========== ==== ===== ========================

 2::1             00e0-fc00-0006 54          2    N/A   GigabitEthernet1/0/1

Table 85 Command output

Field

Description

IPv6 Address

IPv6 address assigned to the DHCPv6 client.

MAC Address

MAC address of the DHCPv6 client.

Lease

Remaining lease duration in seconds.

VLAN

VLAN where the port connecting the DHCPv6 client resides.

SVLAN

This field displays N/A.

Interface

Port connecting to the DHCPv6 client.

 

Related commands

ipv6 dhcp snooping binding record

reset ipv6 dhcp snooping binding

display ipv6 dhcp snooping binding database

Use display ipv6 dhcp snooping binding database to display information about DHCPv6 snooping entry auto backup.

Syntax

display ipv6 dhcp snooping binding database

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about DHCPv6 snooping entry auto backup.

<Sysname> display ipv6 dhcp snooping binding database

File name              :   database.dhcp

Username               :  

Password               :  

Update interval        :   600 seconds

Latest write time      :   Feb 27 18:48:04 2016

Status                 :   Last write succeeded.

Table 86 Command output

Field

Description

File name

Name of the DHCPv6 snooping entry backup file.

Username

Username for accessing the URL of the remote backup file.

Password

Password for accessing the URL of the remote backup file. This field displays ****** if a password is configured.

Update interval

Waiting time in seconds after a DHCPv6 snooping entry change for the DHCPv6 snooping device to update the backup file.

Latest write time

Time of the latest update.

Status

Status of the update:

·         Writing—The backup file is being updated.

·         Last write succeeded—The backup file was successfully updated.

·         Last write failed—The backup file failed to be updated.

 

display ipv6 dhcp snooping packet statistics

Use display ipv6 dhcp snooping packet statistics to display DHCPv6 packet statistics for DHCPv6 snooping.

Syntax

display ipv6 dhcp snooping packet statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays DHCPv6 packet statistics for the master device.

Examples

# Display DHCPv6 packet statistics for DHCPv6 snooping.

<Sysname> display ipv6 dhcp snooping packet statistics

 DHCPv6 packets received                 : 100

 DHCPv6 packets sent                     : 200

 Invalid DHCPv6 packets dropped          : 0

Related commands

reset ipv6 dhcp snooping packet statistics

display ipv6 dhcp snooping trust

Use display ipv6 dhcp snooping trust to display information about trusted ports.

Syntax

display ipv6 dhcp snooping trust

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about trusted ports.

<Sysname> display ipv6 dhcp snooping trust

DHCPv6 snooping is enabled.

 Interface                                       Trusted

 =========================                       ============

 GigabitEthernet1/0/1                            Trusted

The output shows that DHCPv6 snooping is enabled and GigabitEthernet 1/0/1 is the trusted port.

Related commands

ipv6 dhcp snooping trust

ipv6 dhcp snooping binding database filename

Use ipv6 dhcp snooping binding database filename to configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to a file.

Use undo ipv6 dhcp snooping binding database filename to disable the auto backup and remove the backup file.

Syntax

ipv6 dhcp snooping binding database filename { filename | url url [ username username [ password { cipher | simple } string ] ] }

undo ipv6 dhcp snooping binding database filename

Default

The DHCPv6 snooping device does not back up DHCPv6 snooping entries.

Views

System view

Predefined user roles

network-admin

Parameters

filename: Specifies the name of a local backup file. For information about the filename argument, see Fundamentals Configuration Guide.

url url: Specifies the URL of a remote backup file. The URL is a case-sensitive string of 1 to 255 characters. Do not include a username or password in the URL. Case sensitivity and the supported path format type vary by server.

username username: Specifies the username for accessing the URL of the remote backup file. The username is a case-sensitive string of 1 to 32 characters. Do not specify this option if a username is not required for accessing the URL.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 32 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters. Do not specify this argument if a password is not required for accessing the URL of the remote backup file.

Usage guidelines

This command automatically creates the file if you specify a nonexistent file.

With this command executed, the DHCPv6 snooping device backs up its snooping entries immediately and runs auto backup. The snooping device, by default, waits 300 seconds after a DHCPv6 snooping entry change to update the backup file. You can use the ipv6 dhcp snooping binding database update interval command to change the waiting time. If no DHCPv6 snooping entry changes, the backup file is not updated.

As a best practice, back up the DHCPv6 snooping entries to a remote file. If you use the local storage medium, the frequent erasing and writing might damage the medium and then cause the DHCPv6 snooping device malfunction.

When the file is on a remote device, follow these restrictions and guidelines to specify the URL, username, and password:

·          If the file is on an FTP server, enter URL in the format of ftp://server address:port/file path, where the port number is optional.

·          If the file is on a TFTP server, enter URL in the format of tftp://server address:port/file path, where the port number is optional.

·          The username and password must be the same as those configured on the FTP server. If the server authenticates only the username, the password can be omitted.

·          If the IP address of the server is an IPv6 address, enclose the address in a pair of brackets, for example, ftp://[1::1]/database.dhcp.

·          You can also specify the DNS domain name for the server address field, for example, ftp://company/database.dhcp.

Examples

# Configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to the file database.dhcp.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping binding database filename database.dhcp

# Configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to the file database.dhcp in the working directory of the FTP server at 1::1.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping binding database filename url ftp://[1::1]/database.dhcp username 1 password simple 1

# Configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to the file database.dhcp in the working directory of the TFTP server at 2::1.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping binding database filename tftp://[2::1]/database.dhcp

Related commands

ipv6 dhcp snooping binding database update interval

ipv6 dhcp snooping binding database update interval

Use ipv6 dhcp snooping binding database update interval to set the waiting time for the DHCPv6 snooping device to update the backup file after a DHCPv6 snooping entry change.

Use undo ipv6 dhcp snooping binding database update interval to restore the default.

Syntax

ipv6 dhcp snooping binding database update interval interval

undo ipv6 dhcp snooping binding database update interval

Default

The DHCPv6 snooping device waits 300 seconds to update the backup file after a DHCPv6 snooping entry change. If no DHCPv6 snooping entry changes, the backup file is not updated.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Sets the waiting time in seconds, in the range of 60 to 864000.

Usage guidelines

When a DHCPv6 snooping entry is learned, updated, or removed, the waiting period starts. The DHCPv6 snooping device updates the backup file when the waiting period is reached. All snooping entries changed during the period will be saved to the backup file.

The waiting time takes effect only after you configure the DHCPv6 snooping entry auto backup by using the ipv6 dhcp snooping binding database filename command.

Examples

# Set the waiting time to 600 seconds for the DHCPv6 snooping device to update the backup file.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping binding database update interval 600

Related commands

ipv6 dhcp snooping binding database filename

ipv6 dhcp snooping binding database update now

Use ipv6 dhcp snooping binding database update now to manually save DHCPv6 snooping entries to the backup file.

Syntax

ipv6 dhcp snooping binding database update now

Views

System view

Predefined user roles

network-admin

Usage guidelines

Each time this command is executed, the DHCPv6 snooping entries are saved to the backup file.

This command takes effect only after you configure the DHCPv6 snooping entry auto backup by using the ipv6 dhcp snooping binding database filename command.

Examples

# Manually save DHCPv6 snooping entries to the backup file.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping binding database update now

Related commands

ipv6 dhcp snooping binding database filename

ipv6 dhcp snooping binding record

Use ipv6 dhcp snooping binding record to enable recording of client information in DHCPv6 snooping entries.

Use undo ipv6 dhcp snooping binding record to disable the feature.

Syntax

ipv6 dhcp snooping binding record

undo ipv6 dhcp snooping binding record

Default

DHCPv6 snooping does not record client information.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

This command enables DHCPv6 snooping on the port directly connected to the clients to record client information in DHCPv6 snooping entries.

Examples

# Enable recording of client information in DHCPv6 snooping entries on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping binding record

ipv6 dhcp snooping check request-message

Use ipv6 dhcp snooping check request-message to enable the DHCPv6-REQUEST check feature for the received DHCPv6-RENEW, DHCPv6-DECLINE, and DHCPv6-RELEASE messages.

Use undo ipv6 dhcp snooping check request-message to disable the DHCPv6-REQUEST check feature.

Syntax

ipv6 dhcp snooping check request-message

undo ipv6 dhcp snooping check request-message

Default

The DHCPv6-REQUEST check feature is disabled.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

Use the DHCPv6-REQUEST check feature to protect the DHCPv6 server against DHCPv6 client spoofing attacks. The feature enables the DHCPv6 snooping device to check every received DHCPv6-RENEW, DHCPv6-DECLINE, or DHCPv6-RELEASE message against DHCPv6 snooping entries.

·          If any criterion in an entry is matched, the device compares the entry with the message information.

?  If they are consistent, the device considers the message valid and forwards it to the DHCPv6 server.

?  If they are different, the device considers the message forged and discards it.

·          If no matching entry is found, the device forwards the message to the DHCPv6 server.

Examples

# Enable DHCPv6-REQUEST check.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping check request-message

ipv6 dhcp snooping deny

Use ipv6 dhcp snooping deny to configure a port as DHCPv6 packet blocking port.

Use undo ipv6 dhcp snooping deny to restore the default.

Syntax

ipv6 dhcp snooping deny

undo ipv6 dhcp snooping deny

Default

A port does not block DHCPv6 requests.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

A DHCPv6 packet blocking port drops all incoming DHCPv6 requests.

Examples

# Configure GigabitEthernet 1/0/1 as a DHCPv6 packet blocking port.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-gigabitethernet 1/0/1] ipv6 dhcp snooping deny

ipv6 dhcp snooping enable

Use ipv6 dhcp snooping enable to enable DHCPv6 snooping.

Use undo ipv6 dhcp snooping enable to disable DHCPv6 snooping.

Syntax

ipv6 dhcp snooping enable

undo ipv6 dhcp snooping enable

Default

DHCPv6 snooping is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use the DHCPv6 snooping feature together with trusted port configuration. Before trusted ports are configured, all ports on the DHCPv6 snooping device are untrusted and discard all responses sent from DHCPv6 servers.

When DHCPv6 snooping is disabled, the device forwards all responses from DHCPv6 servers.

Examples

# Enable DHCPv6 snooping.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping enable

ipv6 dhcp snooping log enable

Use ipv6 dhcp snooping log enable to enable DHCPv6 snooping logging.

Use undo ipv6 dhcp snooping log enable to disable DHCPv6 snooping logging.

Syntax

ipv6 dhcp snooping log enable

undo ipv6 dhcp snooping log enable

Default

DHCPv6 snooping logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the DHCPv6 snooping device to generate DHCPv6 snooping logs and send them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

As a best practice, disable this feature if the log generation affects the device performance.

Examples

# Enable DHCPv6 snooping logging.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping log enable

ipv6 dhcp snooping max-learning-num

Use ipv6 dhcp snooping max-learning-num to set the maximum number of DHCPv6 snooping entries for an interface to learn.

Use undo ipv6 dhcp snooping max-learning-num to restore the default.

Syntax

ipv6 dhcp snooping max-learning-num max-number

undo ipv6 dhcp snooping max-learning-num

Default

The number of DHCPv6 snooping entries for an interface to learn is not limited.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

max-number: Sets the maximum number of DHCPv6 snooping entries for an interface to learn. The value range is 1 to 4294967295.

Examples

# Configure the Layer 2 Ethernet interface GigabitEthernet 1/0/1 to learn a maximum of 10 DHCPv6 snooping entries.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping max-learning-num 10

ipv6 dhcp snooping option interface-id enable

Use ipv6 dhcp snooping option interface-id enable to enable support for the interface-ID option (also called Option 18).

Use undo ipv6 dhcp snooping option interface-id enable to disable support for the interface-ID option.

Syntax

ipv6 dhcp snooping option interface-id enable

undo ipv6 dhcp snooping option interface-id enable

Default

Option 18 is not supported.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

This command takes effect only when DHCPv6 snooping is globally enabled.

Examples

# Enable support for Option 18.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping enable

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping option interface-id enable

Related commands

ipv6 dhcp snooping enable

ipv6 dhcp snooping option interface-id string

ipv6 dhcp snooping option interface-id string

Use ipv6 dhcp snooping option interface-id string to specify the content as the interface ID for Option 18.

Use undo ipv6 dhcp snooping option interface-id string to restore the default.

Syntax

ipv6 dhcp snooping option interface-id [ vlan vlan-id ] string interface-id

undo ipv6 dhcp snooping option interface-id [ vlan vlan-id ]

Default

The DHCPv6 snooping device uses its DUID as the content for Option 18.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

vlan vlan-id: Pads the interface ID for packets received from the specified VLAN. If you do not specify a VLAN, the device pads the interface ID for packets received from the default VLAN.

interface-id: Specifies a string of 1 to 128 characters as the interface ID.

Examples

# Specify company001 as the interface ID.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping enable

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping option interface-id enable

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping option interface-id string company001

Related commands

ipv6 dhcp snooping enable

ipv6 dhcp snooping option interface-id enable

ipv6 dhcp snooping option remote-id enable

Use ipv6 dhcp snooping option remote-id enable to enable support for the remote-ID option (also called Option 37).

Use undo ipv6 dhcp snooping option remote-id enable to restore the default.

Syntax

ipv6 dhcp snooping option remote-id enable

undo ipv6 dhcp snooping option remote-id enable

Default

Option 37 is not supported.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

This command takes effect only when DHCPv6 snooping is globally enabled.

Examples

# Enable support for Option 37.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping enable

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping option remote-id enable

Related commands

ipv6 dhcp snooping enable

ipv6 dhcp snooping option remote-id string

ipv6 dhcp snooping option remote-id string

Use ipv6 dhcp snooping option remote-id string to specify the content as the remote ID for Option 37.

Use undo ipv6 dhcp snooping option remote-id string to restore the default.

Syntax

ipv6 dhcp snooping option remote-id [ vlan vlan-id ] string remote-id

undo ipv6 dhcp snooping option remote-id [ vlan vlan-id ]

Default

The DHCPv6 snooping device uses its DUID as the content for Option 37.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

vlan vlan-id: Pads the remote ID for packets received from the specified VLAN. If you do not specify a VLAN, the device pads the remote ID for packets received from the default VLAN.

remote-id: Specifies the a string of 1 to 128 characters as the remote ID.

Examples

# Specify device001 as the remote ID.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping enable

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping option remote-id enable

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping option remote-id string device001

Related commands

ipv6 dhcp snooping enable

ipv6 dhcp snooping option remote-id enable

ipv6 dhcp snooping rate-limit

Use ipv6 dhcp snooping rate-limit to enable DHCPv6 snooping packet rate limit on an interface and set the limit value.

Use undo ipv6 dhcp snooping rate-limit to disable DHCPv6 snooping packet rate limit.

Syntax

ipv6 dhcp snooping rate-limit rate

undo ipv6 dhcp snooping rate-limit

Default

The DHCPv6 snooping packet rate limit is disabled on an interface.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

rate: Specifies the maximum rate in Kbps. The value range is 64 to 512.

Usage guidelines

This command takes effect only when DHCPv6 snooping is enabled.

The DHCPv6 packet rate limit feature enables the interface to discard DHCPv6 packets that exceed the maximum rate.

If you configure this command on a Layer 2 Ethernet interface that is a member port of a Layer 2 aggregate interface, the Layer 2 Ethernet interface uses the DHCP packet maximum rate configured on the Layer 2 aggregate interface. If the Layer 2 Ethernet interface leaves the aggregation group, it uses its own DHCP packet maximum rate.

Due to the limited chip capability, the maximum rate that actually takes effect can only be an integer multiple of a certain value. For example, if the chip-supported rate is an integer multiple of 8, when you set the rate to 67, the value 64 or 72 takes effect.

Examples

# Configure GigabitEthernet 1/0/1 to receive DHCPv6 packets at a maximum rate of 64 Kbps.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping rate-limit 64

ipv6 dhcp snooping trust

Use ipv6 dhcp snooping trust to configure a port as a trusted port.

Use undo ipv6 dhcp snooping trust to restore the default state of a port.

Syntax

ipv6 dhcp snooping trust

undo ipv6 dhcp snooping trust

Default

After you enable DHCPv6 snooping, all ports are untrusted.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

Specify the port facing the DHCP server as trusted and specify the other ports as untrusted so DHCP clients can obtain valid IP addresses.

Examples

# Specify GigabitEthernet 1/0/1 as a trusted port.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping trust

Related commands

display ipv6 dhcp snooping trust

reset ipv6 dhcp snooping binding

Use reset ipv6 dhcp snooping binding to clear DHCPv6 snooping entries.

Syntax

reset ipv6 dhcp snooping binding { all | address ipv6-address [ vlan vlan-id ] }

Views

User view

Predefined user roles

network-admin

Parameters

address ipv6-address: Clears the DHCPv6 snooping entry for the specified IPv6 address.

vlan vlan-id: Clears DHCPv6 snooping entries for the specified VLAN. If you do not specify a VLAN, this command clears DHCPv6 snooping entries for the default VLAN.

all: Clears all DHCPv6 snooping entries.

Examples

# Clear all DHCPv6 snooping entries.

<Sysname> reset ipv6 dhcp snooping binding all

Related commands

display ipv6 dhcp snooping binding

reset ipv6 dhcp snooping packet statistics

Use reset ipv6 dhcp snooping packet statistics to clear DHCPv6 packet statistics for DHCPv6 snooping.

Syntax

reset ipv6 dhcp snooping packet statistics [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears DHCPv6 packet statistics for the master device.

Examples

# Clear DHCPv6 packet statistics for DHCPv6 snooping.

<Sysname> reset ipv6 dhcp snooping packet statistics

Related commands

display ipv6 dhcp snooping packet statistics


GRE commands

bandwidth

Use bandwidth to set the expected bandwidth for an interface.

Use undo bandwidth to restore the default.

Syntax

bandwidth bandwidth-value

undo bandwidth

Default

The expected bandwidth (in kbps) is the interface maximum rate divided by 1000.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

bandwidth-value: Specifies the expected bandwidth in the range of 1 to 400000000 kbps.

Usage guidelines

The expected bandwidth for an interface affects the link costs.

Examples

# Set the expected bandwidth for Tunnel 1 to 100 kbps.

<Sysname> system-view

[Sysname] interface tunnel 1

[Sysname-Tunnel1] bandwidth 100

default

Use default to restore the default settings for a tunnel interface.

Syntax

default

Views

Tunnel interface view

Predefined user roles

network-admin

Usage guidelines

The default command might interrupt ongoing network services. Make sure you are fully aware of the impacts of this command when you use it on a live network.

This command might fail to restore the default settings for some commands for reasons such as command dependencies or system restrictions. Use the display this command in interface view to identify these commands. Use their undo forms or follow the command reference to restore their default settings. If your restoration attempt still fails, follow the error message instructions to resolve the problem.

Examples

# Restore the default settings of interface tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1

[Sysname-Tunnel1] default

description

Use description to configure a description for a tunnel interface.

Use undo description to restore the default.

Syntax

description text

undo description

Default

The description for a tunnel interface is Tunnelnumber Interface, for example, Tunnel1 Interface.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

text: Configures a description for the interface, a case-sensitive string of 1 to 255 characters.

Usage guidelines

Configure descriptions for different interfaces for identification and management purposes.

You can use the display interface command to display the configured interface description.

Examples

# Configure the description for interface Tunnel 1 as tunnel1.

<Sysname> system-view

[Sysname] interface tunnel 1

[Sysname-Tunnel1] description tunnel1

Related commands

display interface tunnel

destination

Use destination to specify the destination address for a tunnel interface.

Use undo destination to remove the configured tunnel destination address.

Syntax

destination { ip-address | ipv6-address }

undo destination

Default

No tunnel destination address is configured.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the tunnel destination IPv4 address.

ipv6-address: Specifies the tunnel destination IPv6 address.

Usage guidelines

The tunnel destination address must be the address of the receiving interface on the tunnel peer. It is used as the destination address of tunneled packets.

The destination address of the local tunnel interface must be the source address of the peer tunnel interface, and vice versa.

Examples

# VLAN-interface 1 on Sysname 1 uses the IP address 193.101.1.1 and VLAN-interface 1 on Sysname 2 uses the IP address 192.100.1.1. Configure the source address 193.101.1.1 and destination address 192.100.1.1 for the tunnel interface on Sysname 1.

<Sysname1> system-view

[Sysname1] interface tunnel 1 mode gre

[Sysname1-Tunnel1] source 193.101.1.1

[Sysname1-Tunnel1] destination 192.100.1.1

# Configure the source address 192.100.1.1 and destination address 193.101.1.1 for the tunnel interface on Sysname 2.

<Sysname2> system-view

[Sysname2] interface tunnel 1 mode gre

[Sysname2-Tunnel1] source 192.100.1.1

[Sysname2-Tunnel1] destination 193.101.1.1

Related commands

·          display interface tunnel

·          interface tunnel

·          source

display interface tunnel

Use display interface tunnel to display information about tunnel interfaces, including the source address, destination address, and tunnel mode.

Syntax

display interface [ tunnel [ number ] ] [ brief [ description | down ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

number: Specifies the number of an existing tunnel interface.

brief: Displays brief interface information. If you do not specify this keyword, the command displays detailed interface information.

description: Displays complete interface descriptions. If you do not specify this keyword, the command displays only the first 27 characters of interface descriptions.

down: Displays information about interfaces in the physical state of DOWN and the causes. If you do not specify this keyword, the command displays information about interfaces in all states.

Usage guidelines

If you do not specify the tunnel keyword, this command displays information about all interfaces on the device.

If you specify the tunnel keyword without the number argument, this command displays information about all existing tunnel interfaces.

Examples

# Display detailed information about interface Tunnel 1.

<Sysname> display interface tunnel 1

Tunnel1

Current state: UP

Line protocol state: UP

Description: Tunnel1 Interface

Bandwidth: 64kbps

Maximum transmission unit: 64000

Internet address: 10.1.2.1/24 (primary)

Tunnel source 2002::1:1 (Vlan-interface10), destination 2001::2:1

Tunnel keepalive enabled, Period(50 s), Retries(3)

Tunnel TOS 0xC8, Tunnel TTL 255

Tunnel protocol/transport GRE/IPv6

    GRE key value is 1

    Checksumming of GRE packets disabled

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

Table 87 Command output

Field

Description

Tunnel1

Information about the tunnel interface Tunnel 1.

Current state

State of the tunnel interface:

·         Administratively DOWN—The interface has been shut down by using the shutdown command.

·         DOWN—The interface is administratively up but its physical state is down.

·         DOWN (Tunnel-Bundle administratively down)—The tunnel bundle interface to which the interface belongs has been shut down by using the shutdown command.

·         UP—Both the administrative and physical states of the interface are up.

Line protocol state

Link layer protocol state of the tunnel interface. The value is determined by parameter negotiation on the link layer.

·         UP—The protocol state of the interface is up.

·         UP (spoofing)The link protocol state of the interface is up, but the link is temporarily set up on demand or does not exist. This attribute is available for null interfaces and loopback interfaces.

·         DOWN—The protocol state of the interface is down.

Description

Description for the tunnel interface.

Bandwidth

Expected bandwidth for the tunnel interface.

Maximum transmission unit

MTU of the tunnel interface.

Internet address

IP address of the tunnel interface.

If no IP address is assigned to the interface, this field displays Internet protocol processing: Disabled, and the tunnel interface cannot process packets.

If (primary) is displayed, the IP address is the primary IP address of the interface.

Tunnel source

Source address of the tunnel. If a source interface is specified for the tunnel interface, this field also displays the source interface in parentheses.

destination

Destination address of the tunnel.

Tunnel keepalive enabled, Period(50 s), Retries(3)

Keepalive is enabled to detect the state of the tunnel interface. In this example, keepalive packets are sent every 50 seconds, and the maximum sending attempts are three.

Tunnel TOS

ToS of tunneled packets.

Tunnel TTL

TTL of tunneled packets.

Tunnel protocol/transport

Tunnel mode and transport protocol:

·         GRE/IPGRE/IPv4 tunnel mode.

·         GRE/IPv6GRE/IPv6 tunnel mode.

GRE key value is 1

The GRE tunnel interface key is 1.

Checksumming of GRE packets disabled

The GRE packet checksum feature is disabled.

Last clearing of counters

Last time when counters were cleared.

Last 300 seconds input:  0 bytes/sec, 0 packets/sec

Average input rate in the last 300 seconds.

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Average output rate in the last 300 seconds.

 

# Display brief information about interface Tunnel 1.

<Sysname> display interface tunnel 1 brief

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface            Link Protocol Primary IP     Description

Tun1                 UP   UP       1.1.1.1        tunnel1

# Display brief information about interface Tunnel 1, including the complete interface description.

<Sysname> display interface tunnel 1 brief description

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface            Link Protocol Primary IP     Description

Tun1                 UP   UP       1.1.1.1        tunnel1

# Display information about interfaces in DOWN state and the causes.

<Sysname> display interface tunnel brief down

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Interface            Link Cause

Tun0                 DOWN Not connected

Tun1                 DOWN Not connected

Table 88 Command output

Field

Description

Brief information on interfaces in route mode

Brief information about Layer 3 interfaces.

Link: ADM - administratively down; Stby - standby

Link status:

·         ADMThe interface has been administratively shut down. To bring it up, use the undo shutdown command.

·         StbyThe interface is a backup interface. To show the primary interface, use the display interface-backup state command.

Protocol: (s) - spoofing

(s) indicates that the data link layer protocol state is UP, but the link is temporarily set up on demand or does not exist. This attribute is available for null interfaces and loopback interfaces.

Interface

Abbreviated interface name.

Link

Physical link state of the interface:

·         UP—The link is physically up.

·         DOWN—The link is physically down.

·         ADM—The link has been administratively shut down. To bring it up, use the undo shutdown command.

·         Stby—The interface is a backup interface.

Protocol

Data link layer protocol state of the interface:

·         UPThe data link protocol state of the interface is up.

·         DOWN—The data link protocol state of the interface is down.

·         UP(s)—The data link protocol state of the interface is up, but the link is temporarily set up on demand or does not exist. This attribute is available for null interfaces and loopback interfaces.

Primary IP

Primary IP address of the interface.

Description

Description for the interface.

Cause

Causes for the physical state of DOWN:

·         Administratively—The link has been shut down by using the shutdown command. To bring it up, use the undo shutdown command.

·         Not connected—The tunnel is not established.

·         DOWN (Tunnel-Bundle administratively down)—The tunnel bundle interface to which the tunnel interface belongs has been shut down by using the shutdown command.

 

Related commands

·          destination

·          interface tunnel

·          source

gre checksum

Use gre checksum to enable GRE checksum.

Use undo gre checksum to disable GRE checksum.

Syntax

gre checksum

undo gre checksum

Default

GRE checksum is disabled.

Views

Tunnel interface view

Predefined user roles

network-admin

Usage guidelines

GRE checksum verifies packet integrity.

You can enable or disable GRE checksum at each end of a tunnel as needed. After GRE checksum is enabled, the sender does the following:

·          Calculates the checksum for the GRE header and the payload.

·          Sends the packet containing the checksum information to the peer.

The receiver calculates the checksum for the received packet and compares it with that carried in the packet. If the checksums are the same, the receiver processes the packet. If the checksums are different, the receiver discards the packet.

If a packet carries a GRE checksum, the receiver checks the checksum whether or not the receiver is enabled with GRE checksum.

Examples

# Enable GRE checksum.

<Sysname> system-view

[Sysname] interface tunnel 2 mode gre

[Sysname-Tunnel2] gre checksum

gre key

Use gre key to configure a key for a GRE tunnel interface.

Use undo gre key to remove the configuration.

Syntax

gre key key-number

undo gre key

Default

No key is configured for a GRE tunnel interface.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

key-number: Specifies the key for the GRE tunnel interface, in the range of 0 to 4294967295.

Usage guidelines

You can configure a GRE key to check for the validity of packets received on a GRE tunnel interface.

When a GRE key is configured, the sender puts the GRE key into each sent packet. The receiver compares the GRE key in the received packet with its own GRE key. If the two keys are the same, the receiver accepts the packet. If the two keys are different, the receiver drops the packet.

Both ends of a GRE tunnel must have the same key or no key.

Examples

# Configure the GRE key as 123 for the GRE tunnel interface.

<Sysname> system-view

[Sysname] interface tunnel 2 mode gre

[Sysname-Tunnel2] gre key 123

interface tunnel

Use interface tunnel to create a tunnel interface, specify the tunnel mode, and enter tunnel interface view.

Use undo interface tunnel to delete a tunnel interface.

Syntax

interface tunnel number [ mode gre [ ipv6 ] ]

undo interface tunnel number

Default

No tunnel interface is created on the device.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the number of the tunnel interface. The value range for this argument is 0 to 1023. The number of tunnel interfaces that can be created is restricted by the total number of interfaces and the memory.

mode gre: Specifies the GRE/IPv4 tunnel mode.

mode gre ipv6: Specifies the GRE/IPv6 tunnel mode.

Usage guidelines

To create a new tunnel interface, you must specify the tunnel mode in this command. To enter the view of an existing tunnel interface, you do not need to specify the tunnel mode.

A tunnel interface number is locally significant. The tunnel interfaces on the two ends of a tunnel can use the same or different interface numbers.

Examples

# Create the GRE/IPv4 tunnel interface Tunnel 1 and enter tunnel interface view.

<Sysname> system-view

[Sysname] interface tunnel 1 mode gre

[Sysname-Tunnel1]

Related commands

·          destination

·          display interface tunnel

·          source

keepalive

Use keepalive to enable GRE keepalive and set the keepalive interval and the keepalive number.

Use undo keepalive to disable GRE keepalive.

Syntax

keepalive [ interval [ times ] ]

undo keepalive

Default

GRE keepalive is disabled.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

interval: Sets the keepalive interval in the range of 1 to 32767 seconds. The default value is 10.

times: Sets the keepalive number in the range of 1 to 255. The default value is 3.

Usage guidelines

This command enables the tunnel interface to send keepalive packets at the specified interval. If the device receives no response from the peer within the timeout time, it shuts down the local tunnel interface. The device brings the local tunnel interface up if it receives a keepalive acknowledgment packet from the peer. The timeout time is the result of multiplying the keepalive interval by the keepalive number.

The device always acknowledges the keepalive packets it receives whether or not GRE keepalive is enabled.

GRE/IPv6 mode tunnel interfaces do not support this command.

Examples

# Enable GRE keepalive, set the keepalive interval to 20 seconds, and set the keepalive number to 5.

<Sysname> system-view

[Sysname] interface tunnel 2 mode gre

[Sysname-Tunnel2] keepalive 20 5

mtu

Use mtu to set the MTU on a tunnel interface.

Use undo mtu to restore the default.

Syntax

mtu size

undo mtu

Default

If the tunnel interface has never been up, the MTU is 64000 bytes.

If the tunnel interface is up, its MTU is identical to the outgoing interface's MTU minus the length of the tunnel headers. The outgoing interface is automatically obtained through routing table lookup based on the tunnel destination address.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

size: Specifies the MTU in the range of 100 to 64000 bytes.

Usage guidelines

After you configure an MTU for a tunnel interface, the configured MTU applies regardless of the tunnel interface status (up/down) and the outgoing interface MTU.

To avoid fragmentation after tunnel encapsulation, set the tunnel interface MTU no greater than the value of the outgoing interface MTU minus the length of the tunnel headers.

Examples

# Set the MTU on interface Tunnel 1 to 10000 bytes.

<Sysname> system-view

[Sysname] interface tunnel 1

[Sysname-Tunnel1] mtu 10000

Related commands

display interface tunnel

reset counters interface

Use reset counters interface to clear interface statistics.

Syntax

reset counters interface [ tunnel [ number ] ]

Views

User view

Predefined user roles

network-admin

Parameters

tunnel: Specifies a tunnel interface.

number: Specifies the number of an existing tunnel interface.

Usage guidelines

Use this command to clear old statistics so you can observe new traffic statistics on a tunnel interface.

·          If you do not specify any parameters, this command clears statistics for all interfaces.

·          If you specify only the tunnel keyword, this command clears statistics for all tunnel interfaces.

·          If you specify both the tunnel keyword and the number argument, this command clears statistics for the specified tunnel interface.

Examples

# Clear statistics for interface Tunnel 1.

<Sysname> reset counters interface tunnel 1

Related commands

display interface tunnel

shutdown

Use shutdown to shut down a tunnel interface.

Use undo shutdown to bring up a tunnel interface.

Syntax

shutdown

undo shutdown

Default

The tunnel interface is not in the Administratively DOWN state.

Views

Tunnel interface view

Predefined user roles

network-admin

Usage guidelines

This command disconnects all links set up on the interface. Make sure you fully understand the impact of the command on your network.

Examples

# Shut down interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1

[Sysname-Tunnel1] shutdown

Related commands

display interface tunnel

source

Use source to specify the source address or source interface for the tunnel interface.

Use undo source to restore the default.

Syntax

source { ip-address | ipv6-address | interface-type interface-number }

undo source

Default

No source address or source interface is specified for the tunnel interface.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the tunnel source IPv4 address.

ipv6-address: Specifies the tunnel source IPv6 address.

interface-type interface-number: Specifies the source interface. The interface must be up and must have an IP address.

Usage guidelines

The specified source address or the address of the specified source interface is used as the source address of tunneled packets. To display the configured tunnel source address, use the display interface tunnel command.

The source address of the local tunnel interface must be the destination address of the peer tunnel interface, and vice versa.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify VLAN-interface 10 as the source interface of interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode gre

[Sysname-Tunnel1] source vlan-interface 10

# Specify 192.100.1.1 as the source address of interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode gre

[Sysname-Tunnel1] source 192.100.1.1

Related commands

·          destination

·          display interface tunnel

·          interface tunnel

tunnel dfbit enable

Use tunnel dfbit enable to set the Don't Fragment (DF) bit for tunneled packets.

Use undo tunnel dfbit enable to restore the default.

Syntax

tunnel dfbit enable

undo tunnel dfbit enable

Default

The DF bit is not set for tunneled packets.

Views

Tunnel interface view

Predefined user roles

network-admin

Usage guidelines

To avoid fragmentation and delay, set the DF bit for tunneled packets. Make sure the path MTU is larger than the tunneled packet length. To avoid discarding tunneled packets whose length is larger than the path MTU, do not set the DF bit.

This command is not supported on a GRE/IPv6 tunnel interface.

Examples

# Set the DF bit for tunneled packets on interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode gre

[Sysname-Tunnel1] tunnel dfbit enable

tunnel tos

Use tunnel tos to set the ToS of tunneled packets.

Use undo tunnel tos to restore the default.

Syntax

tunnel tos tos-value

undo tunnel tos

Default

The ToS of tunneled packets is the same as the ToS of the original packets.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

tos-value: Specifies the ToS of tunneled packets, in the range of 0 to 255.

Usage guidelines

After you configure this command, all the tunneled packets of different services sent on the tunnel interface will use the same configured ToS. For more information about ToS, see ACL and QoS Configuration Guide.

Examples

# Set the ToS of tunneled packets to 20 on interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode gre

[Sysname-Tunnel1] tunnel tos 20

Related commands

display interface tunnel

tunnel ttl

Use tunnel ttl to set the Time to Live (TTL) of tunneled packets.

Use undo tunnel ttl to restore the default.

Syntax

tunnel ttl ttl-value

undo tunnel ttl

Default

The TTL of tunneled packets is 255.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

ttl-value: Specifies the TTL of tunneled packets, in the range of 1 to 255.

Usage guidelines

The TTL determines the maximum number of hops that the tunneled packets can pass. When the TTL expires, the tunneled packets are discarded to avoid loops.

Examples

# Set the TTL of tunneled packets to 100 on interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode gre

[Sysname-Tunnel1] tunnel ttl 100

Related commands

display interface tunnel

 


Index

A B C D E F G I K L M N O P R S T U V


A

address,137

address range,298

address range,26

arp check enable,1

arp check log enable,1

arp fast-reply enable,17

arp ip-conflict log prompt,11

arp max-learning-num,2

arp max-learning-number,3

arp send-gratuitous-arp,11

arp static,5

arp timer aging,6

B

bandwidth,371

bims-server,27

block-size,137

bootfile-name,28

C

class ip-pool,28

class option-group,29

class pool,299

class range,30

D

ddns apply policy,127

ddns dscp,128

ddns policy,128

default,371

default ip-pool,31

default pool,300

description,372

destination,372

dhcp apply-policy,32

dhcp class,32

dhcp client dad enable,89

dhcp client dscp,89

dhcp client identifier,90

dhcp client-detect,23

dhcp dscp,23

dhcp enable,24

dhcp log enable,24

dhcp option-group,33

dhcp policy,34

dhcp relay check mac-address,71

dhcp relay check mac-address aging time,72

dhcp relay client-information record,72

dhcp relay client-information refresh,73

dhcp relay client-information refresh enable,74

dhcp relay gateway,74

dhcp relay information circuit-id,75

dhcp relay information enable,77

dhcp relay information remote-id,78

dhcp relay information strategy,79

dhcp relay release ip,80

dhcp relay server-address,80

dhcp select,25

dhcp server always-broadcast,35

dhcp server apply ip-pool,35

dhcp server bootp ignore,36

dhcp server bootp reply-rfc-1048,37

dhcp server database filename,37

dhcp server database update interval,39

dhcp server database update now,39

dhcp server database update stop,40

dhcp server forbidden-ip,40

dhcp server ip-pool,41

dhcp server ping packets,42

dhcp server ping timeout,43

dhcp server relay information enable,43

dhcp server reply-exclude-option60,44

dhcp smart-relay enable,81

dhcp snooping binding database filename,94

dhcp snooping binding database update interval,96

dhcp snooping binding database update now,96

dhcp snooping binding record,97

dhcp snooping check mac-address,97

dhcp snooping check request-message,98

dhcp snooping deny,99

dhcp snooping enable,99

dhcp snooping information circuit-id,100

dhcp snooping information enable,101

dhcp snooping information remote-id,102

dhcp snooping information strategy,103

dhcp snooping log enable,104

dhcp snooping max-learning-num,105

dhcp snooping rate-limit,105

dhcp snooping trust,106

display arp,6

display arp ip-address,8

display arp timer aging,9

display bootp client,111

display ddns policy,129

display dhcp client,91

display dhcp relay check mac-address,82

display dhcp relay client-information,82

display dhcp relay information,83

display dhcp relay server-address,85

display dhcp relay statistics,85

display dhcp server conflict,45

display dhcp server database,45

display dhcp server expired,46

display dhcp server free-ip,47

display dhcp server ip-in-use,48

display dhcp server pool,49

display dhcp server statistics,51

display dhcp snooping binding,107

display dhcp snooping binding database,107

display dhcp snooping information,108

display dhcp snooping packet statistics,109

display dhcp snooping trust,110

display dns domain,114

display dns host,114

display dns server,116

display icmp statistics,206

display interface tunnel,373

display ip interface,18

display ip interface brief,20

display ip statistics,206

display ipv6 dhcp client,347

display ipv6 dhcp client statistics,350

display ipv6 dhcp duid,296

display ipv6 dhcp option-group,301

display ipv6 dhcp pool,303

display ipv6 dhcp prefix-pool,305

display ipv6 dhcp relay server-address,340

display ipv6 dhcp relay statistics,341

display ipv6 dhcp server,306

display ipv6 dhcp server conflict,307

display ipv6 dhcp server database,308

display ipv6 dhcp server expired,309

display ipv6 dhcp server ip-in-use,310

display ipv6 dhcp server pd-in-use,312

display ipv6 dhcp server statistics,314

display ipv6 dhcp snooping binding,356

display ipv6 dhcp snooping binding database,357

display ipv6 dhcp snooping packet statistics,358

display ipv6 dhcp snooping trust,358

display ipv6 dns server,116

display ipv6 fib,236

display ipv6 icmp statistics,237

display ipv6 interface,238

display ipv6 interface prefix,242

display ipv6 neighbors,243

display ipv6 neighbors count,245

display ipv6 pathmtu,245

display ipv6 prefix,246

display ipv6 rawip,248

display ipv6 rawip verbose,248

display ipv6 statistics,252

display ipv6 tcp,253

display ipv6 tcp verbose,256

display ipv6 tcp-proxy,254

display ipv6 tcp-proxy port-info,255

display ipv6 udp,260

display ipv6 udp verbose,261

display local-proxy-arp,14

display nat address-group,144

display nat alg,138

display nat all,139

display nat dns-map,146

display nat eim,147

display nat inbound,148

display nat log,149

display nat no-pat,150

display nat outbound,152

display nat outbound port-block-group,153

display nat port-block,154

display nat port-block-group,155

display nat port-block-usage,157

display nat server,157

display nat server-group,159

display nat session,160

display nat static,162

display nat statistics,164

display proxy-arp,14

display rawip,208

display rawip verbose,209

display tcp,211

display tcp statistics,212

display tcp verbose,214

display tcp-proxy,217

display tcp-proxy port-info,219

display udp,220

display udp statistics,221

display udp verbose,221

dns domain,117

dns dscp,118

dns proxy enable,119

dns server,119

dns source-interface,120

dns spoofing,120

dns trust-interface,121

dns-list,53

dns-server,315

domain-name,54

domain-name,316

E

expired,54

F

forbidden-ip,55

G

gateway-list,56

gateway-list,86

gateway-list,343

global-ip-pool,165

gratuitous-arp-learning enable,12

gratuitous-arp-sending enable,13

gre checksum,377

gre key,377

I

if-match,317

if-match,57

inside ip,166

interface tunnel,378

interval,130

ip address,22

ip address bootp-alloc,112

ip address dhcp-alloc,93

ip forward-broadcast,224

ip host,122

ip icmp error-interval,225

ip icmp source,226

ip load-sharing mode,204

ip mtu,226

ip reassemble local enable,227

ip redirects enable,228

ip ttl-expires enable,228

ip unreachables enable,229

ip-in-use threshold,59

ipv6 address,264

ipv6 address anycast,265

ipv6 address auto,265

ipv6 address auto link-local,266

ipv6 address dhcp-alloc,351

ipv6 address eui-64,267

ipv6 address link-local,269

ipv6 address prefix-number,268

ipv6 dhcp apply-policy,319

ipv6 dhcp class,319

ipv6 dhcp client dscp,352

ipv6 dhcp client duid,352

ipv6 dhcp client pd,353

ipv6 dhcp client stateful,354

ipv6 dhcp client stateless enable,354

ipv6 dhcp dscp,296

ipv6 dhcp log enable,297

ipv6 dhcp option-group,320

ipv6 dhcp policy,321

ipv6 dhcp pool,321

ipv6 dhcp prefix-pool,322

ipv6 dhcp relay gateway,344

ipv6 dhcp relay interface-id,344

ipv6 dhcp relay server-address,345

ipv6 dhcp select,297

ipv6 dhcp server,323

ipv6 dhcp server apply pool,324

ipv6 dhcp server database filename,325

ipv6 dhcp server database update interval,327

ipv6 dhcp server database update now,327

ipv6 dhcp server database update stop,328

ipv6 dhcp server forbidden-address,329

ipv6 dhcp server forbidden-prefix,329

ipv6 dhcp snooping binding database filename,359

ipv6 dhcp snooping binding database update interval,360

ipv6 dhcp snooping binding database update now,361

ipv6 dhcp snooping binding record,361

ipv6 dhcp snooping check request-message,362

ipv6 dhcp snooping deny,363

ipv6 dhcp snooping enable,363

ipv6 dhcp snooping log enable,364

ipv6 dhcp snooping max-learning-num,364

ipv6 dhcp snooping option interface-id enable,365

ipv6 dhcp snooping option interface-id string,365

ipv6 dhcp snooping option remote-id enable,366

ipv6 dhcp snooping option remote-id string,367

ipv6 dhcp snooping rate-limit,367

ipv6 dhcp snooping trust,368

ipv6 dns dscp,123

ipv6 dns server,123

ipv6 dns spoofing,124

ipv6 hop-limit,270

ipv6 hoplimit-expires enable,271

ipv6 host,125

ipv6 icmpv6 error-interval,271

ipv6 icmpv6 multicast-echo-reply enable,272

ipv6 icmpv6 source,273

ipv6 mtu,273

ipv6 nd autoconfig managed-address-flag,274

ipv6 nd autoconfig other-flag,275

ipv6 nd dad attempts,275

ipv6 nd mode uni,276

ipv6 nd ns retrans-timer,277

ipv6 nd nud reachable-time,278

ipv6 nd ra halt,278

ipv6 nd ra hop-limit unspecified,279

ipv6 nd ra interval,279

ipv6 nd ra no-advlinkmtu,280

ipv6 nd ra prefix,281

ipv6 nd ra router-lifetime,282

ipv6 nd router-preference,282

ipv6 neighbor,283

ipv6 neighbor link-local minimize,284

ipv6 neighbor stale-aging,285

ipv6 neighbors max-learning-num,285

ipv6 option drop enable,270

ipv6 pathmtu,287

ipv6 pathmtu age,287

ipv6 prefer temporary-address,288

ipv6 prefix,289

ipv6 reassemble local enable,289

ipv6 redirects enable,290

ipv6 temporary-address,290

ipv6 unreachables enable,292

K

keepalive,379

L

local-ip-address,166

local-proxy-arp enable,15

local-proxy-nd enable,292

M

method,131

mtu,380

N

nat address-group,167

nat alg,168

nat dns-map,169

nat hairpin enable,170

nat icmp-error reply,171

nat inbound,171

nat inbound rule move,173

nat log alarm,174

nat log enable,175

nat log flow-active,176

nat log flow-begin,176

nat log flow-end,177

nat log port-block usage threshold,186

nat log port-block-assign,178

nat log port-block-withdraw,178

nat mapping-behavior,179

nat outbound,180

nat outbound port-block-group,183

nat outbound rule move,183

nat port-block global-share enable,184

nat port-block-group,185

nat server,186

nat server rule move,191

nat server-group,190

nat static enable,192

nat static inbound,193

nat static inbound net-to-net,194

nat static inbound rule move,196

nat static outbound,196

nat static outbound net-to-net,198

nat static outbound rule move,200

nbns-list,60

netbios-type,61

network,330

network,61

next-server,63

O

option,332

option,63

option-group,333

P

password,132

port-block,201

port-range,202

prefix-pool,333

proxy-arp enable,16

proxy-nd enable,293

R

remote-server,346

remote-server,87

reset arp,9

reset counters interface,380

reset dhcp relay client-information,88

reset dhcp relay statistics,88

reset dhcp server conflict,64

reset dhcp server expired,65

reset dhcp server ip-in-use,65

reset dhcp server statistics,66

reset dhcp snooping binding,110

reset dhcp snooping packet statistics,111

reset dns host,125

reset ip statistics,230

reset ipv6 dhcp client statistics,355

reset ipv6 dhcp relay statistics,347

reset ipv6 dhcp server conflict,334

reset ipv6 dhcp server expired,335

reset ipv6 dhcp server ip-in-use,335

reset ipv6 dhcp server pd-in-use,336

reset ipv6 dhcp server statistics,337

reset ipv6 dhcp snooping binding,369

reset ipv6 dhcp snooping packet statistics,369

reset ipv6 neighbors,293

reset ipv6 pathmtu,294

reset ipv6 statistics,295

reset nat session,202

reset tcp statistics,230

reset udp statistics,231

S

shutdown,381

sip-server,337

source,382

ssl-client-policy,133

static-bind,66

static-bind,338

T

tcp mss,231

tcp path-mtu-discovery,232

tcp syn-cookie enable,233

tcp timer fin-timeout,233

tcp timer syn-timeout,234

tcp window,235

temporary address range,339

tftp-server domain-name,67

tftp-server ip-address,68

tunnel dfbit enable,382

tunnel tos,383

tunnel ttl,384

U

url,134

username,136

V

valid class,69

verify class,69

voice-config,70


 

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become a Partner
  • Partner Resources
  • Partner Business Management
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网