Contents
capability object-policy-rule maximum
capability security-policy-rule maximum
capability sslvpn-user maximum
context-capability inbound broadcast single
context-capability inbound broadcast total
context-capability inbound drop-logging enable
context-capability inbound multicast single
context-capability inbound multicast total
context-capability inbound unicast single
context-capability inbound unicast total
display context capability inbound broadcast
display context capability inbound multicast
display context capability inbound unicast
display context online-users sslvpn
location blade-controller-team
reset context capability inbound broadcast
reset context capability inbound multicast
reset context capability inbound unicast
Context commands
All commands in this chapter are supported on the default context. On a non-default context, only the following commands are supported:
· display context interface
· context-capability inbound broadcast single
· context-capability inbound multicast single
· context-capability inbound unicast single
allocate interface
Use allocate interface to assign interfaces to a context.
Use undo allocate interface to reclaim interfaces assigned to a context.
Syntax
allocate interface { interface-type interface-number }&<1-24> [ share ]
undo allocate interface { interface-type interface-number }&<1-24>
allocate interface interface-type interface-number1 to interface-type interface-number2 [ share ]
undo allocate interface interface-type interface-number1 to interface-type interface-number2
Default
All interfaces on the firewall belong to the default context. A non-default context cannot use any interfaces.
Views
Context view
Predefined user roles
network-admin
Parameters
{ interface-type interface-number }&<1-24>: Assigns 1 to 24 individual interfaces to the context.
interface-type interface-number1 to interface-type interface-number2: Assigns a range of interfaces to the context. The specified interfaces must be the same interface type and must belong to the same interface card.
share: Assigns the interfaces in shared mode. If you do not specify this keyword, the command assigns the interfaces exclusively to the context.
Usage guidelines
IMPORTANT:
· Do not assign IRF physical interfaces to a non-default context.
· If a subinterface of a Layer 3 interface is a member interface of a Reth interface, do not assign the Layer 3 interface to a non-default context.
· Logical interfaces support only shared mode, and physical interfaces support both exclusive mode and shared mode.
You can assign interfaces in exclusive or shared mode.
· Exclusive mode—You assign an interface exclusively to a context, and only the context can use the interface. The administrator of the context can see the interface and use all commands supported on the interface.
· Shared mode—You assign an interface to multiple contexts in shared mode, and the system creates a virtual interface for each context. The virtual interfaces use the same name as the physical interface but have different MAC addresses and IP addresses. They forward and receive packets through the physical interface. The shared mode improves interface usage.
You can see the physical interface and perform all commands supported on the interface from the default context. The administrator of a context can only see the context's virtual interface and use the shutdown, description, and network- and security-related commands.
Examples
# Assign GigabitEthernet 1/2/5/1 through GigabitEthernet 1/2/5/3 to context sub1 in shared mode.
<Sysname> system-view
[Sysname] context sub1
[Sysname-context-2-sub1] allocate interface gigabitethernet 1/2/5/1 to gigabitethernet 1/2/5/3 share
allocate vlan
Use allocate vlan to assign VLANs to a context.
Use undo allocate vlan to reclaim VLANs assigned to a context.
Syntax
allocate vlan vlan-id&<1-24>
undo allocate vlan vlan-id&<1-24>
allocate vlan vlan-id1 to vlan-id2
undo allocate vlan vlan-id1 to vlan-id2
Default
No VLAN is assigned to a context.
Views
Context view
Predefined user roles
network-admin
Parameters
vlan-id&<1-24>: Assigns 1 to 24 individual VLANs to the context.
vlan-id1 to vlan-id2: Assigns a range of VLANs to the context.
Usage guidelines
You assign static VLANs except for VLAN 1 to contexts without the VLAN-unshared attribute. Before doing so, you must create the VLANs on the default context. A VLAN can be assigned only to one context. After the assignment to a context, you can use only the display commands on the context, but you can use all VLAN commands on the default context.
A context with the VLAN-unshared attribute has its own VLAN resources (VLAN 2 through VLAN 4094). It does not share VLAN resources with any other context. To create VLANs for the context, log in to the context and use the vlan command. VLAN 1 is system defined. You cannot create or delete VLAN 1.
Examples
# Assign VLAN 100 to context sub1.
<Sysname> system-view
[Sysname] context sub1
[Sysname-context-2-sub1] allocate vlan 100
Related commands
display context vlan
capability object-policy-rule maximum
Use capability object-policy-rule maximum to set the maximum number of object policy rules for a context.
Use undo capability object-policy-rule maximum to restore the default.
Syntax
capability object-policy-rule maximum max-number
undo capability object-policy-rule maximum
Default
The number of object policy rules is not limited for a context.
Views
Context view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number of object policy rules for the context, in the range of 1 to 4294967295.
Usage guidelines
A large number of rules occupy too much memory, affecting other features on the context. This command sets the maximum number of object policy rules for a context. When the maximum number is reached, you cannot add new rules.
If the setting of this command is greater than the number of existing rules, the device does not delete rules but you cannot add additional rules.
The number of object policy rules for a context is counted as per security engine. Each security engine to which the context is assigned can have the specified maximum number of object policy rules.
Examples
# Set the maximum number of object policy rules to 1000 for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability object-policy-rule maximum 1000
Related commands
display object-policy ip (Security Command Reference)
capability security-policy-rule maximum
Use capability security-policy-rule maximum to set the maximum number of security policy rules for a context.
Use undo capability security-policy-rule maximum to restore the default.
Syntax
capability security-policy-rule maximum max-number
undo capability security-policy-rule maximum
Default
The number of security policy rules is not limited for a context.
Views
Context view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number of security policy rules for the context, in the range of 1 to 4294967295.
Usage guidelines
A large number of rules occupy too much memory, affecting other features on the context. This command sets the maximum number of security policy rules for a context. When the maximum number is reached, you cannot add new rules.
If the setting of this command is greater than the number of existing rules, the device does not delete rules but you cannot add additional rules.
The number of security policy rules for a context is counted as per security engine. Each security engine to which the context is assigned can have the specified maximum number of security policy rules.
Examples
# Set the maximum number of security policy rules to 1000 for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability security-policy-rule maximum 1000
Related commands
display security-policy ip (Security Command Reference)
capability session maximum
Use capability session maximum to set the maximum number of concurrent unicast sessions for a context.
Use undo capability session maximum to restore the default.
Syntax
capability session maximum max-number
undo capability session maximum
Default
The number of concurrent unicast sessions is not limited for a context.
Views
Context view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number of concurrent unicast sessions for the context. The value range is 1 to 4294967295.
Usage guidelines
A large number of concurrent unicast sessions occupy too much memory, affecting other features on the context. This command sets the maximum number of concurrent unicast sessions for a context. When the maximum number is reached, you cannot establish additional unicast sessions.
If the setting of this command is greater than the number of existing unicast sessions, the device does not close existing unicast sessions but you cannot establish additional unicast sessions.
The number of unicast sessions for a context is counted as per security engine. Each security engine to which the context is assigned can have the specified maximum number of concurrent unicast sessions.
This command does not affect local traffic, such as FTP traffic, Telnet traffic, SSH traffic, HTTP traffic, and HTTP-based load balancing traffic.
Examples
# Set the maximum number of concurrent unicast sessions to 1000000 for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability session maximum 1000000
Related commands
context
display session statistics (Security Command Reference)
capability session rate
Use capability session rate to set the upper limit of the session establishment rate for a context.
Use undo capability session rate to restore the default.
Syntax
capability session rate max-value
undo capability session rate
Default
The session establishment rate is not limited for a context.
Views
Context view
Predefined user roles
network-admin
Parameters
max-value: Specifies the maximum number of sessions that can be established per second.
Usage guidelines
Establishing sessions too frequently consumes too many CPU resources. If a context establishes sessions too frequently, other contexts in the same security engine will not be able to establish sessions. This command sets the number of sessions that can be established per second for a context. When the limit is reached, no additional sessions can be established.
The session establishment rate is calculated as per security engine. Each security engine to which the context is assigned can establish sessions at the specified rate.
This command does not affect local traffic, such as FTP traffic, Telnet traffic, SSH traffic, HTTP traffic, and HTTP-based load balancing traffic.
Examples
# Configure context cnt2 to establish a maximum of 20000 sessions per second.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability session rate 20000
Related commands
context
display session statistics (Security Command Reference)
capability sslvpn-user maximum
Use capability sslvpn-user maximum to set the maximum number of SSL VPN users for a context.
Use undo capability sslvpn-user maximum to restore the default.
Syntax
capability sslvpn-user maximum max-number
undo capability sslvpn-user maximum
Default
The number of SSL VPN users is not limited for a context. The number is determined by the usage of the SSL VPN licenses installed on the device.
Views
Context view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number of SSL VPN users for the context. The value range is 1 to 1048575.
Usage guidelines
This command limits the number of SSL VPN users that can log in to a context. When the maximum number is reached, the context will reject the login requests of new SSL VPN users.
This command takes effect even if the configured maximum number is smaller than the number of existing SSL VPN users in a context. The existing SSL VPN users are not affected. The system does not accept login requests until the number of SSL VPN users in the context drops below the configured maximum number.
Examples
# Set the maximum number of SSL VPN users to 1000000 for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability sslvpn-user maximum 1000000
Related commands
context
capability throughput
Use capability throughput to set the outbound throughput threshold for a context.
Use undo capability throughput to restore the default.
Syntax
capability throughput { kbps | pps } threshold
undo capability throughput
Default
The outbound throughput of a context is not limited.
Views
Context view
Predefined user roles
network-admin
Parameters
kbps: Specifies the throughput in kilobits per second.
pps: Specifies the throughput in number of packets per second.
threshold: Specifies the throughput threshold in the range of 1000 to 100000000.
Usage guidelines
This command imposes the same throughput threshold on every security engine to which the context is assigned.
Examples
# Set the outbound throughput threshold to 100000 kbps for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability throughput kbps 100000
# Set the outbound throughput threshold to 10000 pps for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability throughput pps 10000
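An audit of the capability limits described above, added here as an example and not taken from the vendor documentation: it reports, for each non-default context, which limits are still at their unlimited default and the worst-case session ceiling when the limit is counted per security engine. The configuration listing is constructed, and its layout (a `context <name> id <id>` line followed by indented commands, `#` separators) and the names `parse_contexts` and `audit` are assumptions.

```python
import re

# Per-context limits that this page documents as "not limited" by default.
LIMIT_COMMANDS = (
    "capability session maximum",
    "capability session rate",
    "capability throughput",
    "capability security-policy-rule maximum",
    "capability object-policy-rule maximum",
    "capability sslvpn-user maximum",
)
DROP_LOGGING = "context-capability inbound drop-logging enable"

# Constructed sample, not captured from a device. Assumption: the saved
# configuration shows each context as a "context <name> id <id>" line followed
# by indented commands in the syntax given on this page.
SAMPLE_CONFIG = """\
context-capability inbound broadcast total pps 10000
#
context Admin id 1
#
context cnt2 id 2
 description tenant-a
 context start
 allocate interface GigabitEthernet1/2/5/1 share
 capability session maximum 1000000
 capability session rate 20000
 capability throughput kbps 100000
 capability security-policy-rule maximum 1000
 capability object-policy-rule maximum 1000
 capability sslvpn-user maximum 500
#
context sub1 id 3
 context start
 allocate interface GigabitEthernet1/2/5/1 share
 capability session maximum 1000000
#
"""

# Matches the system-view "context" command only; "context start" is indented
# and "context-capability ..." has no space after "context".
CONTEXT_LINE = re.compile(r"^context (\S+)(?: id \d+)?(?: vlan-unshared)?\s*$")


def parse_contexts(config_text):
    """Return {context name: [commands configured in that context's view]}."""
    contexts, current = {}, None
    for raw in config_text.splitlines():
        match = CONTEXT_LINE.match(raw)
        if match:
            current = contexts.setdefault(match.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "#" separator or another system-view line
    return contexts


def audit(config_text, default_context="Admin", engines=1):
    """Report unlimited resources per non-default context.

    engines is the number of security engines the context is assigned to;
    the page states that session limits are counted per security engine.
    """
    system_lines = {line.strip() for line in config_text.splitlines()
                    if line and not line.startswith(" ")}
    report = {"drop_logging": DROP_LOGGING in system_lines, "contexts": {}}
    for name, lines in parse_contexts(config_text).items():
        if name == default_context:
            continue
        unlimited = [cmd for cmd in LIMIT_COMMANDS
                     if not any(line.startswith(cmd + " ") for line in lines)]
        session_cap = next((int(line.split()[-1]) for line in lines
                            if line.startswith("capability session maximum ")),
                           None)
        report["contexts"][name] = {
            "started": "context start" in lines,
            "shares_interface": any(line.startswith("allocate interface ")
                                    and line.endswith(" share")
                                    for line in lines),
            "unlimited": unlimited,
            "worst_case_sessions": (None if session_cap is None
                                    else session_cap * engines),
        }
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG, engines=2)
    print("drop logging enabled:", result["drop_logging"])
    for ctx_name, info in result["contexts"].items():
        print(ctx_name, info)
```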
context
Use context to create a context and enter its view, or enter the view of an existing context.
Use undo context to delete a context.
Syntax
context context-name [ id context-id ] [ vlan-unshared ]
undo context context-name
Default
A default context exists. The context name is Admin and the context ID is 1.
Views
System view
Predefined user roles
network-admin
Parameters
context-name: Specifies the context name, a case-sensitive string of 1 to 15 characters.
id context-id: Specifies the context ID, in the range of 1 to 65279. If you do not specify this option, the system assigns the lowest ID among the available IDs to the context.
vlan-unshared: Configures the context to not share VLAN resources with any contexts. If you do not specify this keyword, the context shares the same VLAN resources with other contexts.
Usage guidelines
A context with the VLAN-unshared attribute has its own VLAN resources (VLAN 1 through VLAN 4094). It does not share VLAN resources with any other contexts. You log in to the context and use the vlan command to create VLANs for the context.
All contexts without the VLAN-unshared attribute share the same VLAN resources (VLAN 1 through VLAN 4094). You create VLANs on the default context and use the allocate vlan command to assign VLANs to the contexts. A VLAN can be assigned only to one context.
Examples
# Create a context named test.
<Sysname> system-view
[Sysname] context test
[Sysname-context-2-test]
# Create a context named test. Set its ID to 2.
<Sysname> system-view
[Sysname] context test id 2
[Sysname-context-2-test]
context start
Use context start to start a context.
Use undo context start to stop a context.
Syntax
context start [ force ]
undo context start [ force ]
Default
A context is not started.
Views
Context view
Predefined user roles
network-admin
Parameters
force: Forcibly starts or stops a context. If you do not specify this keyword, the command starts or stops a context through normal procedures.
Usage guidelines
CAUTION: Stop a context with caution. Stopping a context stops all services on the context and logs out all users on the context. To avoid configuration data loss, save the running configuration of a context before you stop the context.
You must use this command to initiate a newly created context. You can configure a context only after it is started.
Examples
# Start context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] context start
context-capability inbound broadcast single
Use context-capability inbound broadcast single to set the inbound broadcast rate limit for a context.
Use undo context-capability inbound broadcast single to restore the default.
Syntax
context-capability inbound broadcast single pps threshold
undo context-capability inbound broadcast single
Default
The inbound broadcast rate limit for a context is the total inbound broadcast rate limit divided by the number of active contexts that share interfaces with other contexts.
Views
System view
Context view
Predefined user roles
network-admin
Parameters
pps threshold: Specifies the inbound broadcast rate limit in pps, in the range of 1000 to 100000.
Usage guidelines
The rate limit takes effect only on active contexts that share interfaces with other contexts.
If you execute this command in system view, you set the limit for the default context. If you execute this command in context view, you set the limit for the non-default context.
When both a per-context inbound broadcast rate limit and the total inbound broadcast rate limit are reached, the device drops subsequent broadcast packets that arrive at the context. To set the total inbound broadcast rate limit, use the context-capability inbound broadcast total command.
The incoming packet rate of a context is independently calculated on each security engine where the context resides. The inbound broadcast rate limit for the context independently applies to each of the security engines. If broadcast packets of the context are processed by multiple security engines, the actual broadcast packet rate might be greater than the inbound broadcast rate limit you set.
Examples
# Set the inbound broadcast rate limit to 10000 pps for the default context.
<Sysname> system-view
[Sysname] context-capability inbound broadcast single pps 10000
# Set the inbound broadcast rate limit to 10000 pps for context ctx1.
<Sysname> system-view
[Sysname] context ctx1
[Sysname-context-1-ctx1] context-capability inbound broadcast single pps 10000
Related commands
context-capability inbound broadcast total
context-capability inbound broadcast total
Use context-capability inbound broadcast total to set the total inbound broadcast rate limit for all contexts.
Use undo context-capability inbound broadcast total to restore the default.
Syntax
context-capability inbound broadcast total pps threshold
undo context-capability inbound broadcast total
Default
The total inbound broadcast rate limit for all contexts is 20000 pps.
Views
System view
Predefined user roles
network-admin
Parameters
pps threshold: Specifies the total inbound broadcast rate limit in pps. The limit can be 0 or a value in the range of 1000 to 100000. Setting the limit to 0 disables inbound broadcast rate limiting.
Usage guidelines
The rate limit takes effect only on active contexts that share interfaces with other contexts.
The total inbound broadcast rate is the sum of the inbound broadcast rates on all active contexts that share interfaces with other contexts.
When both a per-context inbound broadcast rate limit and the total inbound broadcast rate limit are reached, the device drops subsequent broadcast packets that arrive at the context. To set the inbound broadcast rate limit for a context, use the context-capability inbound broadcast single command.
Examples
# Set the total inbound broadcast rate limit to 10000 pps.
<Sysname> system-view
[Sysname] context-capability inbound broadcast total pps 10000
Related commands
context-capability inbound broadcast single
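A model of the inbound broadcast limiting rules as the two sections above word them, added here as an example and not vendor code: the default per-context share, the condition that both limits must be reached before packets are dropped, and the per-security-engine ceiling. The function names are hypothetical, "reached" is read as greater than or equal, and the default share is computed with real-valued division, which the page does not specify.

```python
def check_range(name, pps, allow_zero=False):
    """Enforce the value ranges given in the Parameters sections."""
    if allow_zero and pps == 0:
        return
    if not 1000 <= pps <= 100000:
        raise ValueError(f"{name} must be in 1000..100000 pps, got {pps}")


def single_limits(total_pps, contexts, configured=None):
    """Per-context limit for each active context that shares interfaces.

    configured maps a context name to the value set with
    'context-capability inbound broadcast single pps'. Contexts without an
    entry get the documented default: total limit / number of such contexts.
    """
    configured = configured or {}
    check_range("total limit", total_pps, allow_zero=True)
    for ctx, pps in configured.items():
        check_range(f"single limit for {ctx}", pps)
    if not contexts:
        return {}
    share = total_pps / len(contexts)  # assumption: no rounding applied
    return {ctx: configured.get(ctx, share) for ctx in contexts}


def contexts_dropping(total_pps, observed, configured=None):
    """Contexts whose broadcast packets are dropped on one security engine.

    observed maps each active, interface-sharing context to its inbound
    broadcast rate in pps. A context drops only when its own limit AND the
    total limit are both reached; a total of 0 disables limiting.
    """
    limits = single_limits(total_pps, list(observed), configured)
    if total_pps == 0:
        return []
    if sum(observed.values()) < total_pps:
        return []  # a context above its own limit is still not dropped
    return sorted(ctx for ctx, pps in observed.items() if pps >= limits[ctx])


def aggregate_ceiling(single_pps, engines):
    """Upper bound for one context when the limit applies per security engine."""
    check_range("single limit", single_pps)
    return single_pps * engines


if __name__ == "__main__":
    # Constructed rates, not measurements.
    busy = {"Admin": 3000, "ctx1": 9000, "ctx2": 500}
    quiet = {"Admin": 500, "ctx1": 9000}
    print(contexts_dropping(10000, busy, {"ctx1": 8000}))
    print(contexts_dropping(10000, quiet, {"ctx1": 8000}))
    print(aggregate_ceiling(8000, engines=2))
```

The second call shows why the total limit matters for isolation: ctx1 exceeds its own 8000 pps limit but nothing is dropped while the sum stays under the total.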
context-capability inbound drop-logging enable
Use context-capability inbound drop-logging enable to enable logging for incoming packets dropped because of rate limiting on contexts.
Use undo context-capability inbound drop-logging enable to disable logging for incoming packets dropped because of rate limiting on contexts.
Syntax
context-capability inbound drop-logging enable
undo context-capability inbound drop-logging enable
Default
Logging is disabled for incoming packets that are dropped because of rate limiting on contexts.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This logging feature generates and sends a log message to the information center when an incoming packet is dropped because of broadcast or multicast rate limiting on contexts. For more information about how the information center manages log messages, see information center configuration in Network Management and Monitoring Configuration Guide.
Examples
# Enable logging for incoming packets dropped because of rate limiting on contexts.
<Sysname> system-view
[Sysname] context-capability inbound drop-logging enable
context-capability inbound multicast single
Use context-capability inbound multicast single to set the inbound multicast rate limit for a context.
Use undo context-capability inbound multicast single to restore the default.
Syntax
context-capability inbound multicast single pps threshold
undo context-capability inbound multicast single
Default
The inbound multicast rate limit for a context is the total inbound multicast rate limit divided by the number of active contexts that share interfaces with other contexts.
Views
System view
Context view
Predefined user roles
network-admin
Parameters
pps threshold: Specifies the inbound multicast rate limit in pps, in the range of 1000 to 100000.
Usage guidelines
The rate limit takes effect only on active contexts that share interfaces with other contexts.
If you execute this command in system view, you set the limit for the default context. If you execute this command in context view, you set the limit for the non-default context.
When both a per-context inbound multicast rate limit and the total inbound multicast rate limit are reached, the device drops subsequent multicast packets that arrive at the context. To set the total inbound multicast rate limit, use the context-capability inbound multicast total command.
The incoming packet rate of a context is independently calculated on each security engine where the context resides. The inbound multicast rate limit for the context independently applies to each of the security engines. If multicast packets of the context are processed by multiple security engines, the actual multicast packet rate might be greater than the inbound multicast rate limit you set.
Examples
# Set the inbound multicast rate limit to 10000 pps for the default context.
<Sysname> system-view
[Sysname] context-capability inbound multicast single pps 10000
# Set the inbound multicast rate limit to 10000 pps for context ctx1.
<Sysname> system-view
[Sysname] context ctx1
[Sysname-context-1-ctx1] context-capability inbound multicast single pps 10000
Related commands
context-capability inbound multicast total
context-capability inbound multicast total
Use context-capability inbound multicast total to set the total inbound multicast rate limit for all contexts.
Use undo context-capability inbound multicast total to restore the default.
Syntax
context-capability inbound multicast total pps threshold
undo context-capability inbound multicast total
Default
The total inbound multicast rate limit for all contexts is 0 pps.
Views
System view
Predefined user roles
network-admin
Parameters
pps threshold: Specifies the total inbound multicast rate limit in pps. The limit can be 0 or a value in the range of 1000 to 100000. Setting the limit to 0 disables inbound multicast rate limiting.
Usage guidelines
The rate limit takes effect only on active contexts that share interfaces with other contexts.
The total inbound multicast rate is the sum of the inbound multicast rates on all active contexts that share interfaces with other contexts.
When both a per-context inbound multicast rate limit and the total inbound multicast rate limit are reached, the device drops subsequent multicast packets that arrive at the context. To set the inbound multicast rate limit for a context, use the context-capability inbound multicast single command.
Examples
# Set the total inbound multicast rate limit to 10000 pps.
<Sysname> system-view
[Sysname] context-capability inbound multicast total pps 10000
Related commands
context-capability inbound multicast single
context-capability inbound unicast single
Use context-capability inbound unicast single to set the CPU usage limit for inbound unicast packets on a context.
Use undo context-capability inbound unicast single to restore the default.
Syntax
context-capability inbound unicast single cpu-usage threshold
undo context-capability inbound unicast single
Default
The CPU usage limit on a context is the total CPU usage limit divided by the number of contexts in the security engine group where the context resides.
Views
System view
Predefined user roles
network-admin
Parameters
cpu-usage threshold: Specifies the CPU usage limit for inbound unicast packets, in percentage. The value range for the threshold argument is 1 to 100.
Usage guidelines
The rate limit takes effect only on active contexts on the device.
If you execute this command in system view, you set the limit for the default context. If you execute this command in context view, you set the limit for the non-default context.
When both a per-context CPU usage limit and the total CPU usage limit are reached, the device drops subsequent multicast packets that arrive at the context. To set the total CPU usage limit, use the context-capability inbound unicast total command.
The incoming packet rate of a context is independently calculated on each security engine where the context resides. The inbound unicast rate limit for the context independently applies to each of the security engines. If unicast packets of the context are processed by multiple security engines, the actual unicast packet rate might be greater than the inbound unicast rate limit you set.
Examples
# Set the CPU usage limit to 70% for inbound unicast packets on the default context.
<Sysname> system-view
[Sysname] context-capability inbound unicast single cpu-usage 70
Related commands
context-capability inbound unicast total
context-capability inbound unicast total
Use context-capability inbound unicast total to set the total CPU usage limit for inbound unicast packets on all contexts.
Use undo context-capability inbound unicast total to restore the default.
Syntax
context-capability inbound unicast total cpu-usage threshold
undo context-capability inbound unicast total
Default
No limit is placed on the total CPU usage of the device.
Views
System view
Predefined user roles
network-admin
Parameters
cpu-usage threshold: Specifies the total CPU usage limit for inbound unicast packets, in percentage. The value range for the threshold argument is 1 to 100.
Usage guidelines
The rate limit takes effect only on active contexts.
The total CPU usage for inbound unicast packets is the sum of the CPU usage limits of inbound unicast packets on all active contexts that share interfaces with other contexts in a security engine group.
When both a per-context CPU usage limit and the total CPU usage limit are reached, the device drops subsequent multicast packets that arrive at the context. To set the CPU usage limit for a context, use the context-capability inbound unicast single command.
Examples
# Set the total CPU usage limit for inbound unicast packets to 70%.
<Sysname> system-view
[Sysname] context-capability inbound unicast total cpu-usage 70
Related commands
context-capability inbound unicast single
description
Use description to configure the description of the default context, or configure a description for a non-default context.
Use undo description to restore the default.
Syntax
description text
undo description
Default
The default context uses the description DefaultContext. A non-default context does not have a description.
Views
Context view
Predefined user roles
network-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 255 characters.
Usage guidelines
You can configure a description for each context, which is useful when there are a number of contexts.
Examples
# Configure a description for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] description test
display blade-controller-team
Use display blade-controller-team to display security engine groups.
Syntax
display blade-controller-team [ blade-controller-team-name | id blade-controller-team-id | all ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
blade-controller-team-name: Specifies the name of the security engine group, a case-sensitive string of 1 to 31 characters.
id blade-controller-team-id: Specifies the ID of the security engine group, which is fixed at 1.
all: Displays detailed information about all security engine groups.
Usage guidelines
If you do not specify any parameters, the command displays brief information about all security engine groups.
Examples
# Display brief information about all security engine groups.
<Sysname> display blade-controller-team
ID Name
1 Default
# Display detailed information about all security engine groups.
<Sysname> display blade-controller-team all
ID: 1 Name: Default
Chassis Slot CPU Status LBGroupID
* 1 2 0 Normal 1
* : Primary blade controller of the team.
Table 1 Command output
Description |
|
Status of the security engine: · Absent—No security engine is installed in the slot. |
|
LBGroupID |
ID of the load balancing group that is associated with the security engine group. The ID is assigned automatically by the system. |
Main security engine of the security engine group. |
|
Name (under Load balancing group information for the blade controller team) |
Name of the load balancing group that is associated with the security engine group. The name is predefined by the system in the form of security engine type + security engine group ID. For more information, see the link-aggregation blade command in Layer 2—LAN Switching Command Reference. |
display context
Use display context to display contexts.
Syntax
display context [ name context-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context name, a case-sensitive string of 1 to 15 characters.
Usage guidelines
On the default context, this command displays the context specified by the name context-name option. Without the option, this command displays all contexts on the device.
Examples
# Display all contexts.
<Sysname> display context
ID Name Status Description
1 cnt1 active context1
2 cnt2 inactive context2
3 cnt3 inactive context3
Table 2 Command output
display context capability
Use display context capability to display usage of allocable service resources on contexts.
Syntax
display context [ name context-name ] capability [ security-policy | session [ chassis chassis-number slot slot-number ] | sslvpn-user ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context name, a case-sensitive string of 1 to 15 characters. If you do not specify this option, the command displays information for all contexts.
security-policy: Displays usage of allocable security policy rule resources.
session: Displays usage of allocable session resources.
sslvpn-user: Displays usage of allocable SSL VPN user resources.
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify this option, the command displays the usage on all cards in the IRF fabric.
Usage guidelines
This command is supported only on the default context.
Examples
# Display usage of allocable service resources on all contexts.
<Sysname> display context capability
Session usage and establishment rate:
Chassis 1 Slot 1 CPU 0:
ID Name Maximum Used Free Total(/s) Rate(/s) Usage(%)
1 Admin NA 500 NA NA 1000 NA
2 context1 10000 300 9700 1000 100 10
3 context2 2000 1000 1000 2000 1000 50
Security policy rule usage:
ID Name Maximum Used Free
1 Admin NA 500 NA
2 context1 10000 300 9700
3 context2 2000 1000 1000
Online SSL VPN users:
ID Name Maximum Used Free
1 Admin NA 0 NA
2 context1 10000 3000 7000
3 context2 2000 0 2000
Table 3 Command output
Field | Description |
---|---|
ID | Context ID. |
Name | Context name. |
Maximum | Maximum number of allocable resources. |
Used | Number of used resources. |
Free | Number of available resources. |
Total | Maximum session establishment rate, which is the maximum number of sessions that can be established in a second. |
Rate | Current session establishment rate. |
Usage | Ratio of the current session establishment rate to the maximum session establishment rate, in percentage. |
Related commands
· capability security-policy-rule maximum
· capability session maximum
· capability session rate
· capability sslvpn-user maximum
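The Used and Maximum columns show how close each context is to its allocated limit, and Usage(%) does the same for the session establishment rate. The following added example (not part of the vendor documentation) parses the output layout shown above and reports contexts at or above a threshold; the function names, the 80% threshold and the sample values are assumptions.

```python
import re

# Constructed sample in the layout of the example output above; the values are made up.
SAMPLE = """\
Session usage and establishment rate:
Chassis 1 Slot 1 CPU 0:
ID Name Maximum Used Free Total(/s) Rate(/s) Usage(%)
1 Admin NA 500 NA NA 1000 NA
2 context1 10000 300 9700 1000 100 10
3 context2 2000 1900 100 2000 1800 90
Security policy rule usage:
ID Name Maximum Used Free
1 Admin NA 500 NA
2 context1 10000 300 9700
3 context2 2000 1000 1000
Online SSL VPN users:
ID Name Maximum Used Free
1 Admin NA 0 NA
2 context1 10000 3000 7000
3 context2 2000 2000 0
"""


def _cell(value):
    """'NA' -> None, digits -> int, anything else stays a string."""
    if value == "NA":
        return None
    return int(value) if value.isdigit() else value


def parse_capability(text):
    """Return one dict per table row, tagged with its section title and card."""
    rows, section, location, columns = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.fullmatch(r"Chassis \d+ Slot \d+ CPU \d+:", line, re.I):
            location = line.rstrip(":")          # per-card sub-heading
        elif line.endswith(":") and not line[0].isdigit():
            section, location, columns = line.rstrip(":"), None, None
        elif line.startswith("ID "):
            columns = line.split()               # column header of the table
        elif line[0].isdigit() and columns:
            cells = line.split()
            if len(cells) != len(columns):
                raise ValueError(f"unexpected row layout: {line!r}")
            row = {col: _cell(val) for col, val in zip(columns, cells)}
            row["Name"] = cells[1]               # keep all-digit names as strings
            row.update(section=section, location=location)
            rows.append(row)
    return rows


def find_pressure(rows, threshold=80):
    """List (context, section, kind, percent) for rows at or above threshold."""
    findings = []
    for r in rows:
        used, maximum = r.get("Used"), r.get("Maximum")
        # NA means no numeric maximum is reported, so no percentage exists.
        if used is not None and maximum:
            pct = round(100 * used / maximum)
            if pct >= threshold:
                findings.append((r["Name"], r["section"], "quota", pct))
        rate = r.get("Usage(%)")                 # only present in the session table
        if rate is not None and rate >= threshold:
            findings.append((r["Name"], r["section"], "rate", rate))
    return findings


if __name__ == "__main__":
    for name, section, kind, pct in find_pressure(parse_capability(SAMPLE)):
        print(f"{name}: {section}: {kind} at {pct}%")
```

Rows whose Maximum is NA are skipped for the quota check because no percentage can be computed for them.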
display context capability inbound broadcast
Use display context capability inbound broadcast to display the inbound broadcast rate limit information about a context.
Syntax
display context name context-name capability inbound broadcast chassis chassis-number slot slot-number
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card.
Examples
# Display the inbound broadcast rate limit information about context abc on a slot.
<Sysname> display context name abc capability inbound broadcast chassis 1 slot 1
Context name: abc
Context ID: 2
Drop Rate: 1000 pps
Inbound throughput limit: 8000 pps
Total inbound throughput limit: 10000 pps
Table 4 Command output
Field | Description |
---|---|
Drop Rate | Broadcast packet drop rate of the context. |
Inbound throughput limit | Inbound broadcast rate limit for the context. |
Total inbound throughput limit | Total inbound broadcast rate limit. |
display context capability inbound multicast
Use display context capability inbound multicast to display the inbound multicast rate limit information about a context.
Syntax
display context name context-name capability inbound multicast chassis chassis-number slot slot-number
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card.
Examples
# Display the inbound multicast rate limit information about context abc on a slot.
<Sysname> display context name abc capability inbound multicast chassis 1 slot 1
Context name: abc
Context ID: 2
Drop Rate: 1000 pps
Inbound throughput limit: 8000 pps
Total inbound throughput limit: 10000 pps
Table 5 Command output
Field | Description |
---|---|
Drop Rate | Multicast packet drop rate of the context. |
Inbound throughput limit | Inbound multicast rate limit for the context. |
Total inbound throughput limit | Total inbound multicast rate limit. |
display context capability inbound unicast
Use display context capability inbound unicast to display the inbound unicast rate limit information about a context.
Syntax
display context name context-name capability inbound unicast chassis chassis-number slot slot-number
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card.
Examples
# Display the inbound unicast rate limit information about context abc on a slot.
<Sysname> display context name abc capability inbound unicast chassis 1 slot 1
Context Name: abc
Context ID: 2
The Total Threshold is 0
The Context Threshold is 100
The Total Drop Num is 0
CPUID Pper Dper Prate Pcycle Drate Dcycle HDrate TotalDrate
CPU0 0.0% 0.0% 0/s 0 0/s 0 0/s 0/s
CPU1 0.0% 0.0% 0/s 0 0/s 0 0/s 0/s
CPU2 0.0% 0.0% 0/s 0 0/s 0 0/s 0/s
CPU3 0.0% 0.0% 0/s 0 0/s 0 0/s 0/s
CPU4 0.0% 0.0% 0/s 0 0/s 0 0/s 0/s
CPU5 0.0% 0.0% 0/s 0 0/s 0 0/s 0/s
CPU6 0.0% 0.0% 0/s 0 0/s 0 0/s 0/s
CPU7 0.0% 0.0% 0/s 0 0/s 0 0/s 0/s
CPU8 0.0% 0.0% 0/s 0 0/s 0 0/s 0/s
CPU9 0.0% 0.0% 0/s 0 0/s 0 0/s 0/s
CPU10 0.0% 0.0% 0/s 0 0/s 0 0/s 0/s
CPU11 0.0% 0.0% 0/s 0 0/s 0 0/s 0/s
CPU12 0.0% 0.0% 0/s 0 0/s 0 0/s 0/s
CPU13 0.0% 0.0% 0/s 0 0/s 0 0/s 0/s
CPU14 0.0% 0.0% 0/s 0 0/s 0 0/s 0/s
CPU15 0.0% 0.0% 0/s 0 0/s 0 0/s 0/s
Table 6 Command output
Field | Description |
---|---|
The Total Threshold | Total CPU usage limit for inbound unicast packets, in percentage. |
The Context Threshold | CPU usage limit for inbound unicast packets on the context, in percentage. |
The Total Drop Num | Total number of packets dropped by inbound unicast rate limit. |
CPUID | CPU ID. |
Pper | Cycle usage ratio for permitted unicast packets, in percentage. |
Dper | Cycle usage ratio for dropped unicast packets, in percentage. |
Prate | Permitted unicast packet ratio. |
Pcycle | Number of cycles used by permitted unicast packets. |
Drate | Unicast packet drop rate. |
Dcycle | Number of cycles used by dropped unicast packets. |
HDrate | Hardware unicast packet drop rate. |
TotalDrate | Total unicast packet drop rate. |
display context configuration
Use display context configuration to display or save context configuration information.
Syntax
display context [ name context-name ] configuration [ file filename ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context name, a case-sensitive string of 1 to 15 characters. If you do not specify this option, the command displays the configurations of all contexts.
file filename: Saves the information to a file. The filename argument specifies the file name, a case-insensitive string of 1 to 255 characters. The file name must use the .tar.gz extension, and cannot be ..tar.gz or …tar.gz. It cannot start with a hyphen (-) or contain any of the following characters: quote marks ("), forward slashes (/), colons (:), backward slashes (\), question marks (?), less than signs (<), greater than signs (>), vertical bars (|), and asterisks (*). If you do not specify this option, the system prompts you to choose whether to display or save the information.
Usage guidelines
This command is supported only on the default context.
This command does not take effect on contexts that have not started up.
Executing this command is equivalent to executing the display current-configuration command on the specified context or each context.
Examples
# Display the configurations of all contexts.
<Sysname> display context configuration
Save or display context configuration(Y=save, N=display)? [Y/N]:n
===========inner configuration of context Admin===========
============================================================
display current-configuration
#
version 7.1.064, Feature 9321
#
sysname Sysname
#
context Admin id 1
#
context cnt1 id 2
#
return
<Sysname>
===========inner configuration of context cnt1===========
============================================================
display current-configuration
#
version 7.1.064, Feature 9321
#
sysname Sysname
#
context Admin id 1
#
context cnt1 id 2
---- More ----
# Save the configurations of all contexts to a file in interactive mode.
<Sysname> display context configuration
Save or display context configuration (Y=save, N=display)? [Y/N]:y
Please input the file name(*.tar.gz)[flash:/diag.tar.gz]: test.tar.gz
Saving context configuration to flash:/test.tar.gz. Please wait....
# Save the configurations of all contexts to a file by specifying a file name for the command.
<Sysname> display context configuration file test.tar.gz
Saving context configuration to flash:/test.tar.gz. Please wait...
display context interface
Use display context interface to display interfaces assigned to contexts.
Syntax
display context [ name context-name ] interface
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context name, a case-sensitive string of 1 to 15 characters.
Usage guidelines
On the default context, this command displays the interfaces for the context specified by the name context-name option. Without the option, this command displays the interfaces for all contexts on the device.
Examples
# Display the interfaces for all contexts.
<Sysname> display context interface
Context stub1's interfaces:
GigabitEthernet1/2/5/2
Context stub2's interfaces:
GigabitEthernet1/2/5/3
Related commands
allocate interface
display context online-users sslvpn
Use display context online-users sslvpn to display the number of online SSL VPN users on all contexts.
Syntax
display context online-users sslvpn
Views
Any view
Predefined user roles
network-admin
network-operator
Usage guidelines
The number of online SSL VPN users collected by this command equals the number of SSL VPN sessions.
Examples
# Display the number of online SSL VPN users on all contexts.
<Sysname> display context online-users sslvpn
Total number of SSL VPN online users: 50
display context resource
Use display context resource to display CPU, disk space, and memory usage for contexts.
Syntax
display context [ name context-name ] resource [ cpu | disk | memory ] [ chassis chassis-number slot slot-number cpu cpu-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context name, a case-sensitive string of 1 to 15 characters. If you do not specify this option, the command displays the usage for all contexts.
cpu: Displays the CPU usage.
disk: Displays the disk space usage.
memory: Displays the memory usage.
chassis chassis-number slot slot-number cpu cpu-number: Specifies a security engine on a card of an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. The cpu-number argument represents the CPU number. If you do not specify this option, the command displays the usage on all security engines in the IRF fabric.
Usage guidelines
If a context is not started, its CPU, disk space, and memory space usages are all 0.
If you do not specify the cpu, disk, or memory keyword, the command displays the CPU, disk space, and memory space usage.
Examples
# Display the CPU usage for the contexts on all cards.
<Sysname> display context resource cpu
CPU usage:
Chassis 1 slot 2 CPU 0:
ID Name Weight Usage(%)
1 cnt1 10 24
2 cnt2 10 0
Related commands
limit-resource cpu
limit-resource disk
limit-resource memory
display context statistics
Use display context statistics to display or save resource statistics for contexts.
Syntax
display context [ name context-name ] statistics [ file filename ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters. If you do not specify this option, the command displays or saves resource statistics for all contexts.
file filename: Saves the information to a file. The filename argument specifies the file name, a case-insensitive string of 1 to 255 characters. The file name must use the .tar.gz extension, and cannot be ..tar.gz or …tar.gz. It cannot start with a hyphen (-) or contain any of the following characters: quote marks ("), forward slashes (/), colons (:), backward slashes (\), question marks (?), less than signs (<), greater than signs (>), vertical bars (|), and asterisks (*). If you do not specify this argument, the system prompts you to choose whether to display or save the information.
Usage guidelines
This command is supported only on the default context.
Executing this command is equivalent to executing the following commands:
· display context capability
· display counters inbound interface
· display counters outbound interface
· display counters rate inbound interface
· display counters rate outbound interface
· display interface
· display ip statistics
· display ipv6 statistics
· display nat statistics
· display session statistics
Examples
# Display resource statistics for all contexts.
<Sysname> display context statistics
Save or display context statistics (Y=save, N=display)? [Y/N]:n
========================================================
=============== display session statistics =================
Slot 0 in chassis 1:
Current sessions: 0
TCP sessions: 0
UDP sessions: 0
ICMP sessions: 0
ICMPv6 sessions: 0
UDP-Lite sessions: 0
SCTP sessions: 0
DCCP sessions: 0
RAWIP sessions: 0
...
# Save resource statistics for all contexts to a file in interactive mode.
<Sysname> display context statistics
Save or display context statistics(Y=save, N=display)? [Y/N]:y
Please input the file name(*.tar.gz)[flash:/diag.tar.gz]: test.tar.gz
Saving context statistics to flash:/test.tar.gz. Please wait....
# Save resource statistics for all contexts to a file by specifying a file name for the command.
<Sysname> display context statistics file test.tar.gz
Saving context statistics to flash:/test.tar.gz. Please wait...
Related commands
display context capability
display counters inbound interface (Interface Command Reference)
display counters outbound interface (Interface Command Reference)
display counters rate inbound interface (Interface Command Reference)
display counters rate outbound interface (Interface Command Reference)
display interface (Interface Command Reference)
display ip statistics (Layer 3—IP Services Command Reference)
display ipv6 statistics (Layer 3—IP Services Command Reference)
display nat statistics (NAT Command Reference)
display session statistics (Security Command Reference)
display context vlan
Use display context vlan to display VLAN lists for contexts.
Syntax
display context [ name context-name ] vlan
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.
Usage guidelines
On the default context, if you specify the name context-name option, this command displays the VLAN list for the specified context. If you do not specify the name context-name option, this command displays VLAN lists for all contexts.
Examples
# Display VLAN lists for all contexts.
<Sysname> display context vlan
Context stub1's VLAN(s):
Context stub2's VLAN(s):
2,4094
Context stub3's VLAN(s):
5,6,800-3000,3400
# Display the VLAN list for context stub1.
<Sysname> display context name stub1 vlan
Context stub1's VLAN(s):
5,6,11-23,3400
Related commands
allocate vlan
limit-resource cpu
Use limit-resource cpu to set a CPU weight for a context.
Use undo limit-resource cpu to restore the default.
Syntax
limit-resource cpu weight weight-value
undo limit-resource cpu
Default
Each context has a CPU weight of 10.
Views
Context view
Predefined user roles
network-admin
Parameters
weight weight-value: Specifies a CPU weight value in the range of 1 to 10.
Usage guidelines
This command imposes the same CPU weight on every security engine to which the context is assigned.
Examples
# Set the CPU weight to 2 for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] limit-resource cpu weight 2
limit-resource disk
Use limit-resource disk to set a disk space percentage for a context. A disk space percentage defines the maximum disk space that the context can use.
Use undo limit-resource disk to restore the default.
Syntax
limit-resource disk chassis chassis-number slot slot-number cpu cpu-number ratio limit-ratio
undo limit-resource disk chassis chassis-number slot slot-number cpu cpu-number
Default
All contexts on a security engine share the disk space on the engine. A context can use all free disk space on the engine.
Views
Context view
Predefined user roles
network-admin
Parameters
chassis chassis-number slot slot-number cpu cpu-number: Specifies a security engine on a card of an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. The cpu-number argument represents the CPU number.
ratio limit-ratio: Specifies the ratio of the disk space that the context can use to the total disk space of the device. The value range is 1 to 100.
Usage guidelines
When you assign a context to a security engine group, the system automatically assigns disk space resources on the security engines to the context. All contexts residing on the same security engine share and compete for the engine's free disk resources. To prevent one context from occupying too many disk space resources, assign disk space resources to the contexts.
When you assign disk space to a context, follow these guidelines:
· Use the display context resource command to view the amount of disk space that has been used by the context before assigning disk space to the context.
· Assign disk space larger than the disk space used by the context to avoid the following problems:
  ○ The context cannot apply for more disk space.
  ○ The context cannot create, copy, or save additional folders or files.
The disk space percentage setting takes effect on all the storage media.
Examples
# Configure context cnt2 to use up to 30% of the disk space on the security engine for CPU 0 in slot 2 of member device 1.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] limit-resource disk chassis 1 slot 2 cpu 0 ratio 30
limit-resource memory
Use limit-resource memory to set a memory space percentage for a context. A memory space percentage defines the maximum memory space that the context can use.
Use undo limit-resource memory to restore the default.
Syntax
limit-resource memory chassis chassis-number slot slot-number cpu cpu-number ratio limit-ratio
undo limit-resource memory chassis chassis-number slot slot-number cpu cpu-number
Default
All contexts on a security engine share the memory space on the engine. A context can use all free memory space on the engine.
Views
Context view
Predefined user roles
network-admin
Parameters
chassis chassis-number slot slot-number cpu cpu-number: Specifies a security engine on a card of an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. The cpu-number argument represents the CPU number.
ratio limit-ratio: Specifies the ratio of the memory space that the context can use on the specified security engine to the total memory space of the engine. The value range is 1 to 100.
Usage guidelines
When you assign a context to a security engine group, the system automatically assigns memory space resources on the security engines to the context. All contexts residing on the same security engine share and compete for the engine's free memory resources. To prevent one context from occupying too many memory space resources, assign memory space resources to the contexts. When the limit for a context is reached, the context cannot apply for more memory space.
When you assign memory space to a context, follow these guidelines:
· Use the display context resource command to view the amount of memory space that has been used by the context before assigning memory space to the context.
· Assign an amount of memory space that is larger than the memory space used by the context to avoid the following problems:
  ○ The context cannot apply for more memory space.
  ○ The context cannot create, copy, or save additional folders or files.
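Examples
# Configure context cnt2 to use up to 30% of the memory space on the security engine for CPU 0 in slot 2 of member device 1.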
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] limit-resource memory chassis 1 slot 2 cpu 0 ratio 30
location blade-controller-team
Use location blade-controller-team to assign a context to a security engine group.
Use undo location blade-controller-team to reclaim a context from a security engine group.
Syntax
location blade-controller-team team-id
undo location blade-controller-team team-id
Default
The default context resides on all security engine groups. A non-default context does not reside on any security engine groups.
Views
Context view
Predefined user roles
network-admin
Parameters
team-id: Specifies a security engine group by its ID. The security engine group must already exist.
Usage guidelines
To run and provide services, a context must be assigned to a security engine group. After you assign a context to a security engine group, the context can use the CPU, disk space, and memory space resources on the security engines in the group.
You can assign multiple contexts to a security engine group.
You can add a security engine to a security engine group before or after assigning a context to the security engine group.
Examples
# Assign context cnt2 to the default security engine group.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] location blade-controller-team 1
Related commands
blade-controller-team
reset context capability inbound broadcast
Use reset context capability inbound broadcast to clear the inbound broadcast rate limit statistics for a context.
Syntax
reset context name context-name capability inbound broadcast chassis chassis-number slot slot-number
Views
User view
Predefined user roles
network-admin
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card.
Examples
# Clear the inbound broadcast rate limit statistics for context abc on a slot.
<Sysname> reset context name abc capability inbound broadcast chassis 1 slot 1
reset context capability inbound multicast
Use reset context capability inbound multicast to clear the inbound multicast rate limit statistics for a context.
Syntax
reset context name context-name capability inbound multicast chassis chassis-number slot slot-number
Views
User view
Predefined user roles
network-admin
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card.
Examples
# Clear the inbound multicast rate limit statistics for context abc on a slot.
<Sysname> reset context name abc capability inbound multicast chassis 1 slot 1
reset context capability inbound unicast
Use reset context capability inbound unicast to clear the inbound unicast rate limit statistics for a context.
Syntax
reset context name context-name capability inbound unicast chassis chassis-number slot slot-number
Views
User view
Predefined user roles
network-admin
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card.
Examples
# Clear the inbound unicast rate limit statistics for context abc on a slot.
<Sysname> reset context name abc capability inbound unicast chassis 1 slot 1
switchto context
Use switchto context to log in to a context.
Syntax
switchto context context-name
Views
System view
Predefined user roles
network-admin
network-operator
Parameters
context-name: Specifies a context that has been started.
Usage guidelines
Use this command to log in to a non-default context from the system view of the default context. The connection uses the internal interfaces between the physical device and the context.
Examples
# Log in to context test2.
<Sysname> system-view
[Sysname] switchto context test2
******************************************************************************
* Copyright (c) 2004-2018 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<H3C>
tar context log
Use tar context log to archive log messages for contexts.
Syntax
tar context [ name context-name ] log file filename
Views
User view
Predefined user roles
network-admin
Parameters
name context-name: Specifies a context name, a case-sensitive string of 1 to 15 characters. If you do not specify this option, the command archives log messages for all contexts.
file filename: Specifies a file name, a case-insensitive string of 1 to 255 characters. The file name must use the .tar.gz extension, and cannot be ..tar.gz or …tar.gz. It cannot start with a hyphen (-) or contain any of the following characters: quote marks ("), forward slashes (/), colons (:), backward slashes (\), question marks (?), less than signs (<), greater than signs (>), vertical bars (|), and asterisks (*).
Usage guidelines
This command is supported only on the default context.
This command does not take effect on contexts that have never started up.
This command archives all files in the logfile directory and diagfile directory.
Examples
# Archive log messages for all contexts to file test.tar.gz.
<Sysname> tar context log file test.tar.gz