Contents
capability object-policy-rule maximum
capability security-policy-rule maximum
capability sslvpn-user maximum
context-capability inbound broadcast single
context-capability inbound broadcast total
context-capability inbound drop-logging enable
context-capability inbound multicast single
context-capability inbound multicast total
context-capability inbound unicast total
display context capability inbound broadcast
display context capability inbound multicast
display context capability inbound unicast
display context online-users sslvpn
hardware fast-forwarding vpc enable
location blade-controller-team
reset context capability inbound broadcast
reset context capability inbound multicast
Context commands
The following compatibility matrix shows the support of hardware platforms for context configuration:
Hardware platform | Module type | Context compatibility |
---|---|---|
M9006, M9010, M9014 | Blade IV firewall module | Yes |
M9006, M9010, M9014 | Blade V firewall module | Yes |
M9006, M9010, M9014 | NAT module | Yes |
M9006, M9010, M9014 | Application delivery engine (ADE) module | Yes |
M9006, M9010, M9014 | Anomaly flow cleaner (AFC) module | No |
M9010-GM | Encryption module | Yes |
M9016-V | Blade V firewall module | Yes |
M9008-S, M9012-S | Blade IV firewall module | Yes |
M9008-S, M9012-S | Application delivery engine (ADE) module | Yes |
M9008-S, M9012-S | Intrusion prevention service (IPS) module | Yes |
M9008-S, M9012-S | Video network gateway module | Yes |
M9008-S, M9012-S | Anomaly flow cleaner (AFC) module | No |
M9008-S-6GW | IPv6 module | Yes |
M9008-S-V | Blade IV firewall module | Yes |
M9000-AI-E8 | Blade V firewall module | Yes |
M9000-AI-E8 | Application delivery engine (ADE) module | Yes |
M9000-AI-E16 | Blade V firewall module | Yes |
All commands in this chapter are supported on the default context. On a non-default context, only the following commands are supported:
· display context interface
· context-capability inbound broadcast single
· context-capability inbound multicast single
· context-capability inbound unicast single
allocate interface
Use allocate interface to assign interfaces to a context.
Use undo allocate interface to reclaim interfaces assigned to a context.
Syntax
allocate interface { interface-type interface-number }&<1-24> [ share ]
undo allocate interface { interface-type interface-number }&<1-24>
allocate interface interface-type interface-number1 to interface-type interface-number2 [ share ]
undo allocate interface interface-type interface-number1 to interface-type interface-number2
Default
All interfaces on the firewall belong to the default context. A non-default context cannot use any interfaces.
Views
Context view
Predefined user roles
network-admin
Parameters
{ interface-type interface-number }&<1-24>: Assigns 1 to 24 individual interfaces to the context.
interface-type interface-number1 to interface-type interface-number2: Assigns a range of interfaces to the context. The specified interfaces must be the same interface type and must belong to the same interface card.
share: Assigns the interfaces in shared mode. If you do not specify this keyword, the command assigns the interfaces exclusively to the context.
Usage guidelines
IMPORTANT:
· Do not assign IRF physical interfaces to a non-default context.
· If a subinterface of a Layer 3 interface is a member interface of a Reth interface, do not assign the Layer 3 interface to a non-default context.
· Logical interfaces support only shared mode. Physical interfaces support both exclusive mode and shared mode.
You can assign interfaces in exclusive or shared mode.
· Exclusive mode—You assign an interface exclusively to a context, and only the context can use the interface. The administrator of the context can see the interface and use all commands supported on the interface.
· Shared mode—You assign an interface to multiple contexts in shared mode, and the system creates a virtual interface for each context. The virtual interfaces use the same name as the physical interface but have different MAC addresses and IP addresses. They send and receive packets through the physical interface. Shared mode improves interface utilization.
From the default context, you can see the physical interface and execute all commands supported on it. The administrator of a non-default context can see only the context's virtual interface and can use only the shutdown and description commands and the network- and security-related commands. Contexts that share interfaces are also the only contexts to which the inbound broadcast and multicast rate limits in this chapter (context-capability inbound broadcast single and context-capability inbound multicast single) apply.
Examples
# Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to context sub1 in shared mode.
<Sysname> system-view
[Sysname] context sub1
[Sysname-context-2-sub1] allocate interface gigabitethernet 1/0/1 to gigabitethernet 1/0/3 share
allocate vlan
Use allocate vlan to assign VLANs to a context.
Use undo allocate vlan to reclaim VLANs assigned to a context.
Syntax
allocate vlan vlan-id&<1-24>
undo allocate vlan vlan-id&<1-24>
allocate vlan vlan-id1 to vlan-id2
undo allocate vlan vlan-id1 to vlan-id2
Default
No VLAN is assigned to a context.
Views
Context view
Predefined user roles
network-admin
Parameters
vlan-id&<1-24>: Assigns 1 to 24 individual VLANs to the context.
vlan-id1 to vlan-id2: Assigns a range of VLANs to the context.
Usage guidelines
You can assign static VLANs other than VLAN 1 to contexts that do not have the VLAN-unshared attribute. Before doing so, you must create the VLANs on the default context. A VLAN can be assigned to only one context. After a VLAN is assigned to a context, only the display commands for the VLAN are available on that context, while all VLAN commands remain available on the default context.
A context with the VLAN-unshared attribute has its own VLAN resources (VLAN 2 through VLAN 4094) and does not share VLAN resources with any other context. To create VLANs for such a context, log in to the context and use the vlan command. VLAN 1 is system defined and cannot be created or deleted.
Examples
# Assign VLAN 100 to context sub1.
<Sysname> system-view
[Sysname] context sub1
[Sysname-context-2-sub1] allocate vlan 100
Related commands
display context vlan
blade-controller-team
Use blade-controller-team to create a security engine group and enter its view, or enter the view of an existing security engine group.
Use undo blade-controller-team to delete a security engine group.
Syntax
blade-controller-team blade-controller-team-name [ id blade-controller-team-id ]
undo blade-controller-team { blade-controller-team-name | id blade-controller-team-id }
Default
A default security engine group exists. The group name is Default and group ID is 1.
Views
System view
Predefined user roles
network-admin
Parameters
blade-controller-team-name: Specifies the security engine group name, a case-sensitive string of 1 to 31 characters.
id blade-controller-team-id: Specifies the security engine group ID in the range of 2 to 256. If you do not specify this option, the system assigns the lowest ID among the available IDs to the security engine group.
Usage guidelines
The default security engine group cannot be modified or deleted, and you cannot enter its view.
To delete a security engine group, first use the undo location blade-controller command to remove all security engines in the security engine group.
Examples
# Create a security engine group named abc and enter its view.
<Sysname> system-view
[Sysname] blade-controller-team abc
[Sysname-blade-controller-team-3-abc]
capability object-policy-rule maximum
Use capability object-policy-rule maximum to set the maximum number of object policy rules for a context.
Use undo capability object-policy-rule maximum to restore the default.
Syntax
capability object-policy-rule maximum max-number
undo capability object-policy-rule maximum
Default
The number of object policy rules is not limited for a context.
Views
Context view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number of object policy rules for the context, in the range of 1 to 4294967295.
Usage guidelines
A large number of rules occupy too much memory, affecting other features on the context. This command sets the maximum number of object policy rules for a context. When the maximum number is reached, you cannot add new rules.
If the maximum number you set is smaller than the number of existing object policy rules, the setting still takes effect. The context does not delete the extra existing object policy rules, and it allows new object policy rules to be created only after the number of object policy rules drops below the maximum.
The number of object policy rules for a context is counted as per security engine. Each security engine to which the context is assigned can have the specified maximum number of object policy rules.
Examples
# Set the maximum number of object policy rules to 1000 for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability object-policy-rule maximum 1000
Related commands
display object-policy ip (Security Command Reference)
capability security-policy-rule maximum
Use capability security-policy-rule maximum to set the maximum number of security policy rules for a context.
Use undo capability security-policy-rule maximum to restore the default.
Syntax
capability security-policy-rule maximum max-number
undo capability security-policy-rule maximum
Default
The number of security policy rules is not limited for a context.
Views
Context view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number of security policy rules for the context, in the range of 1 to 4294967295.
Usage guidelines
A large number of rules occupy too much memory, affecting other features on the context. This command sets the maximum number of security policy rules for a context. When the maximum number is reached, you cannot add new rules.
If the maximum number you set is smaller than the number of existing security policy rules, the setting still takes effect. The context does not delete the extra existing security policy rules, and it allows new security policy rules to be created only after the number of security policy rules drops below the maximum.
The number of security policy rules for a context is counted as per security engine. Each security engine to which the context is assigned can have the specified maximum number of security policy rules.
Examples
# Set the maximum number of security policy rules to 1000 for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability security-policy-rule maximum 1000
Related commands
display security-policy ip (Security Command Reference)
capability session maximum
Use capability session maximum to set the maximum number of concurrent unicast sessions for a context.
Use undo capability session maximum to restore the default.
Syntax
capability session maximum max-number
undo capability session maximum
Default
The number of concurrent unicast sessions is not limited for a context.
Views
Context view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number of concurrent unicast sessions for the context. The value range is 1 to 4294967295.
Usage guidelines
A large number of concurrent unicast sessions occupy too much memory, affecting other features on the context. This command sets the maximum number of concurrent unicast sessions for a context. When the maximum number is reached, you cannot establish additional unicast sessions.
If the maximum number you set is smaller than the number of existing concurrent unicast sessions, the setting still takes effect. The context does not tear down the extra existing sessions, and it allows new unicast sessions to be created only after the number of concurrent unicast sessions drops below the maximum.
The number of unicast sessions for a context is counted as per security engine. Each security engine to which the context is assigned can have the specified maximum number of concurrent unicast sessions.
This command does not affect local traffic, such as FTP traffic, Telnet traffic, SSH traffic, HTTP traffic, and HTTP-based load balancing traffic.
Examples
# Set the maximum number of concurrent unicast sessions to 1000000 for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability session maximum 1000000
Related commands
context
display session statistics (Security Command Reference)
capability session rate
Use capability session rate to set the upper limit of the session establishment rate for a context.
Use undo capability session rate to restore the default.
Syntax
capability session rate max-value
undo capability session rate
Default
The session establishment rate is not limited for a context.
Views
Context view
Predefined user roles
network-admin
Parameters
max-value: Specifies the maximum number of sessions that can be established per second.
Usage guidelines
Establishing sessions too frequently consumes excessive CPU resources. If one context establishes sessions at a very high rate, other contexts on the same security engine might be unable to establish sessions. This command sets the maximum number of sessions that the context can establish per second. When the limit is reached, no additional sessions can be established.
The session establishment rate is calculated as per security engine. Each security engine to which the context is assigned can establish sessions at the specified rate.
This command does not affect local traffic, such as FTP traffic, Telnet traffic, SSH traffic, HTTP traffic, and HTTP-based load balancing traffic.
Examples
# Configure context cnt2 to establish a maximum of 20000 sessions per second.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability session rate 20000
Related commands
context
display session statistics (Security Command Reference)
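The allocate interface rules (IRF physical interfaces stay in the default context, logical interfaces only in shared mode, one exclusive owner per physical interface) and the per-context session limits above are what keep one tenant context from interfering with another. The following Python script is an added example, not code from this command reference, that audits a saved running configuration for both. It expands allocate interface ranges, flags logical interfaces allocated without share, IRF physical interfaces allocated to a non-default context, a physical interface allocated exclusively to two contexts, and non-default contexts that have no capability session maximum or capability session rate. The configuration layout (a context line followed by the context-view commands indented by one space, sections separated by #), the list of logical interface types, and the set of IRF ports are assumptions; the sample configuration is constructed.

```python
"""Audit context resource isolation in a saved running configuration.

Added example; not code from the command reference. Assumed layout: each
context appears as 'context NAME [id N] [vlan-unshared]' followed by the
commands entered in context view (indented by one space), with '#' lines
separating sections.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample configuration (not from the reference).
SAMPLE_CONFIG = """\
#
context cnt2 id 2
 allocate interface GigabitEthernet1/0/1 to GigabitEthernet1/0/3 share
 capability session maximum 1000000
 capability session rate 20000
 capability throughput kbps 100000
 context start
#
context cnt3 id 3
 allocate interface GigabitEthernet1/0/4
 allocate interface Vlan-interface100
 allocate interface Ten-GigabitEthernet1/0/25 share
 context start
#
context cnt4 id 4
 allocate interface GigabitEthernet1/0/4
 capability session maximum 500000
#
"""

# Assumption: these interface types are logical and therefore share-only.
LOGICAL_TYPES = {"Vlan-interface", "Route-Aggregation", "Bridge-Aggregation", "Tunnel", "LoopBack"}
IFACE_RE = re.compile(r"^([A-Za-z][A-Za-z-]*?)(\d+(?:/\d+)*)$")


@dataclass
class Context:
    name: str
    cid: Optional[int] = None
    exclusive: list = field(default_factory=list)   # interfaces allocated exclusively
    shared: list = field(default_factory=list)      # interfaces allocated with 'share'
    caps: dict = field(default_factory=dict)        # capability session settings seen


def parse_iface(name):
    """Split 'GigabitEthernet1/0/1' into ('GigabitEthernet', '1/0/1')."""
    m = IFACE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised interface name: {name}")
    return m.group(1), m.group(2)


def expand_range(first, last):
    """Expand 'IF1 to IF2'; both ends must be the same type and on the same card."""
    t1, n1 = parse_iface(first)
    t2, n2 = parse_iface(last)
    head1, _, tail1 = n1.rpartition("/")
    head2, _, tail2 = n2.rpartition("/")
    if t1 != t2 or head1 != head2:
        raise ValueError(f"range {first} to {last} mixes interface types or cards")
    prefix = f"{head1}/" if head1 else ""
    return [f"{t1}{prefix}{i}" for i in range(int(tail1), int(tail2) + 1)]


def parse_contexts(text):
    """Return {name: Context} for every context block in the configuration."""
    contexts, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if not raw.startswith(" "):                 # top-level line starts a new section
            m = re.match(r"context (\S+)(?: id (\d+))?", line)
            cur = Context(m.group(1), int(m.group(2)) if m.group(2) else None) if m else None
            if cur:
                contexts[cur.name] = cur
            continue
        if cur is None:
            continue
        words = line.split()
        if words[:2] == ["allocate", "interface"]:
            args = words[2:]
            share = bool(args) and args[-1] == "share"
            if share:
                args = args[:-1]
            names = expand_range(args[0], args[2]) if len(args) == 3 and args[1] == "to" else args
            (cur.shared if share else cur.exclusive).extend(names)
        elif words[:2] == ["capability", "session"] and len(words) == 4:
            cur.caps[f"session {words[2]}"] = words[3]
    return contexts


def audit(contexts, irf_ports=()):
    """Return findings against the allocate interface rules and the session limits."""
    findings, owners = [], {}
    for ctx in contexts.values():
        for name in ctx.exclusive:
            if parse_iface(name)[0] in LOGICAL_TYPES:
                findings.append(f"{ctx.name}: logical interface {name} must be allocated with 'share'")
            if name in owners:
                findings.append(f"{ctx.name}: {name} is already exclusive to {owners[name]}")
            else:
                owners[name] = ctx.name
        for name in ctx.exclusive + ctx.shared:
            if name in irf_ports:
                findings.append(f"{ctx.name}: IRF physical interface {name} must stay in the default context")
        for cap in ("session maximum", "session rate"):
            if cap not in ctx.caps:
                findings.append(f"{ctx.name}: no 'capability {cap}'; an unbounded context can starve others on its engine")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_contexts(SAMPLE_CONFIG), irf_ports={"Ten-GigabitEthernet1/0/25"}):
        print(finding)
```

On the constructed sample, cnt2 is clean, cnt3 produces four findings (a Vlan-interface allocated exclusively, an assumed IRF port, and no session limits) and cnt4 two (GigabitEthernet1/0/4 is already exclusive to cnt3, and no session rate). Whether every non-default context must carry both session limits is a policy choice of this audit, not a requirement stated by the reference.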
capability sslvpn-user maximum
Use capability sslvpn-user maximum to set the maximum number of SSL VPN users for a context.
Use undo capability sslvpn-user maximum to restore the default.
Syntax
capability sslvpn-user maximum max-number
undo capability sslvpn-user maximum
Default
The number of SSL VPN users is not limited per context. The number of users that can log in is bounded only by the SSL VPN licenses installed on the device.
Views
Context view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number of SSL VPN users for the context. The value range is 1 to 1048575.
Usage guidelines
This command limits the number of SSL VPN users that can log in to a context. When the maximum number is reached, the context will reject the login requests of new SSL VPN users.
If the maximum number you set is smaller than the number of SSL VPN users already logged in to the context, the setting still takes effect. The context does not log out the current users, and it allows new users to log in only after the number of logged-in users drops below the maximum.
Examples
# Set the maximum number of SSL VPN users to 1000000 for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability sslvpn-user maximum 1000000
Related commands
context
capability throughput
Use capability throughput to set the outbound throughput threshold for a context.
Use undo capability throughput to restore the default.
Syntax
capability throughput { kbps | pps } threshold
undo capability throughput
Default
The outbound throughput of a context is not limited.
Views
Context view
Predefined user roles
network-admin
Parameters
kbps: Specifies the throughput in kilobits per second.
pps: Specifies the throughput in number of packets per second.
threshold: Specifies the throughput threshold in the range of 1000 to 1000000000.
Usage guidelines
This command imposes the same throughput threshold on every security engine to which the context is assigned.
Examples
# Set the outbound throughput threshold to 100000 kbps for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability throughput kbps 100000
# Set the outbound throughput threshold to 10000 pps for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] capability throughput pps 10000
context
Use context to create a context and enter its view, or enter the view of an existing context.
Use undo context to delete a context.
Syntax
context context-name [ id context-id ] [ vlan-unshared ]
undo context context-name
Default
A default context exists. The context name is Admin and the context ID is 1.
Views
System view
Predefined user roles
network-admin
Parameters
context-name: Specifies the context name, a case-sensitive string of 1 to 15 characters.
id context-id: Specifies the context ID in the range of 1 to 65279. If you do not specify this option, the system assigns the lowest ID among the available IDs to the context.
vlan-unshared: Configures the context to not share VLAN resources with any contexts. If you do not specify this keyword, the context shares the same VLAN resources with other contexts.
Usage guidelines
A context with the VLAN-unshared attribute has its own VLAN resources (VLAN 1 through VLAN 4094). It does not share VLAN resources with any other contexts. You log in to the context and use the vlan command to create VLANs for the context.
All contexts without the VLAN-unshared attribute share the same VLAN resources (VLAN 1 through VLAN 4094). You create VLANs on the default context and use the allocate vlan command to assign VLANs to the contexts. A VLAN can be assigned only to one context.
Examples
# Create a context named test.
<Sysname> system-view
[Sysname] context test
[Sysname-context-2-test]
# Create a context named test. Set its ID to 2.
<Sysname> system-view
[Sysname] context test id 2
[Sysname-context-2-test]
context start
Use context start to start a context.
Use undo context start to stop a context.
Syntax
context start [ force ]
undo context start [ force ]
Default
A newly created context is not started.
Views
Context view
Predefined user roles
network-admin
Parameters
force: Forcibly starts or stops a context. If you do not specify this keyword, the command starts or stops a context through normal procedures.
Usage guidelines
CAUTION: Stop a context with caution. Stopping a context stops all services on the context and logs out all users on the context. To avoid configuration data loss, save the running configuration of a context before you stop the context.
You must use this command to start a newly created context. You can configure a context only after it is started.
Examples
# Start context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] context start
context-capability inbound broadcast single
Use context-capability inbound broadcast single to set the inbound broadcast rate limit for a context.
Use undo context-capability inbound broadcast single to restore the default.
Syntax
context-capability inbound broadcast single pps threshold
undo context-capability inbound broadcast single
Default
The inbound broadcast rate limit for a context is the total inbound broadcast rate limit divided by the number of active contexts that share interfaces with other contexts.
Views
System view
Context view
Predefined user roles
network-admin
Parameters
pps threshold: Specifies the inbound broadcast rate limit in pps, in the range of 1000 to 100000.
Usage guidelines
The rate limit takes effect only on active contexts that share interfaces with other contexts.
If you execute this command in system view, you set the limit for the default context. If you execute this command in the view of a non-default context, you set the limit for that context.
When both a per-context inbound broadcast rate limit and the total inbound broadcast rate limit are reached, the device drops subsequent broadcast packets that arrive at the context. To set the total inbound broadcast rate limit, use the context-capability inbound broadcast total command.
The incoming packet rate of a context is independently calculated on each security engine where the context resides. The inbound broadcast rate limit for the context independently applies to each of the security engines. If broadcast packets of the context are processed by multiple security engines, the actual broadcast packet rate might be greater than the inbound broadcast rate limit you set.
Examples
# Set the inbound broadcast rate limit to 10000 pps for the default context.
<Sysname> system-view
[Sysname] context-capability inbound broadcast single pps 10000
# Set the inbound broadcast rate limit to 10000 pps for context ctx1.
<Sysname> system-view
[Sysname] context ctx1
[Sysname-context-2-ctx1] context-capability inbound broadcast single pps 10000
Related commands
context-capability inbound broadcast total
context-capability inbound broadcast total
Use context-capability inbound broadcast total to set the total inbound broadcast rate limit for all contexts.
Use undo context-capability inbound broadcast total to restore the default.
Syntax
context-capability inbound broadcast total pps threshold
undo context-capability inbound broadcast total
Default
The total inbound broadcast rate limit for all contexts is 20000 pps.
Views
System view
Predefined user roles
network-admin
Parameters
pps threshold: Specifies the total inbound broadcast rate limit in pps. The limit can be 0 or a value in the range of 1000 to 100000. Setting the limit to 0 disables inbound broadcast rate limiting.
Usage guidelines
The rate limit takes effect only on active contexts that share interfaces with other contexts.
The total inbound broadcast rate is the sum of the inbound broadcast rates on all active contexts that share interfaces with other contexts.
When both a per-context inbound broadcast rate limit and the total inbound broadcast rate limit are reached, the device drops subsequent broadcast packets that arrive at the context. To set the inbound broadcast rate limit for a context, use the context-capability inbound broadcast single command.
Examples
# Set the total inbound broadcast rate limit to 10000 pps.
<Sysname> system-view
[Sysname] context-capability inbound broadcast total pps 10000
Related commands
context-capability inbound broadcast single
context-capability inbound drop-logging enable
Use context-capability inbound drop-logging enable to enable logging for incoming packets dropped because of rate limiting on contexts.
Use undo context-capability inbound drop-logging enable to disable logging for incoming packets dropped because of rate limiting on contexts.
Syntax
context-capability inbound drop-logging enable
undo context-capability inbound drop-logging enable
Default
Logging is enabled for incoming packets that are dropped because of rate limiting on contexts.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This logging feature generates and sends a log message to the information center when an incoming packet is dropped because of broadcast or multicast rate limiting on contexts. For more information about how the information center manages log messages, see information center configuration in Network Management and Monitoring Configuration Guide.
Examples
# Enable logging for incoming packets dropped because of rate limiting on contexts.
<Sysname> system-view
[Sysname] context-capability inbound drop-logging enable
context-capability inbound multicast single
Use context-capability inbound multicast single to set the inbound multicast rate limit for a context.
Use undo context-capability inbound multicast single to restore the default.
Syntax
context-capability inbound multicast single pps threshold
undo context-capability inbound multicast single
Default
The inbound multicast rate limit for a context is the total inbound multicast rate limit divided by the number of active contexts that share interfaces with other contexts.
Views
System view
Context view
Predefined user roles
network-admin
Parameters
pps threshold: Specifies the inbound multicast rate limit in pps, in the range of 1000 to 100000.
Usage guidelines
The rate limit takes effect only on active contexts that share interfaces with other contexts.
If you execute this command in system view, you set the limit for the default context. If you execute this command in the view of a non-default context, you set the limit for that context.
When both a per-context inbound multicast rate limit and the total inbound multicast rate limit are reached, the device drops subsequent multicast packets that arrive at the context. To set the total inbound multicast rate limit, use the context-capability inbound multicast total command.
The incoming packet rate of a context is independently calculated on each security engine where the context resides. The inbound multicast rate limit for the context independently applies to each of the security engines. If multicast packets of the context are processed by multiple security engines, the actual multicast packet rate might be greater than the inbound multicast rate limit you set.
Examples
# Set the inbound multicast rate limit to 10000 pps for the default context.
<Sysname> system-view
[Sysname] context-capability inbound multicast single pps 10000
# Set the inbound multicast rate limit to 10000 pps for context ctx1.
<Sysname> system-view
[Sysname] context ctx1
[Sysname-context-2-ctx1] context-capability inbound multicast single pps 10000
Related commands
context-capability inbound multicast total
context-capability inbound multicast total
Use context-capability inbound multicast total to set the total inbound multicast rate limit for all contexts.
Use undo context-capability inbound multicast total to restore the default.
Syntax
context-capability inbound multicast total pps threshold
undo context-capability inbound multicast total
Default
The total inbound multicast rate limit for all contexts is 30000 pps.
Views
System view
Predefined user roles
network-admin
Parameters
pps threshold: Specifies the total inbound multicast rate limit in pps. The limit can be 0 or a value in the range of 1000 to 100000. Setting the limit to 0 disables inbound multicast rate limiting.
Usage guidelines
The rate limit takes effect only on active contexts that share interfaces with other contexts.
The total inbound multicast rate is the sum of the inbound multicast rates on all active contexts that share interfaces with other contexts.
When both a per-context inbound multicast rate limit and the total inbound multicast rate limit are reached, the device drops subsequent multicast packets that arrive at the context. To set the inbound multicast rate limit for a context, use the context-capability inbound multicast single command.
Examples
# Set the total inbound multicast rate limit to 10000 pps.
<Sysname> system-view
[Sysname] context-capability inbound multicast total pps 10000
Related commands
context-capability inbound multicast single
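The per-context (single) and total limits for broadcast and for multicast follow the same two-level rule: a packet is dropped only when both the context's own limit and the total limit have been reached, and each security engine counts independently. The following Python simulation is an added example, not device code; it applies that stated rule literally to one second of arrivals on each engine so that the consequences given in the guidelines can be checked: a context can exceed its single limit while the total is not yet reached, a context whose packets are processed by two engines can pass more than its single limit, and a total of 0 disables limiting. Round-robin interleaving of arrivals and treating every context in the load as an active context that shares interfaces are assumptions of the model.

```python
"""Model the two-level inbound broadcast/multicast rate limit for contexts.

Added example; not device code. The stated rule is applied literally: a
packet is dropped only when the context's own limit and the total limit are
both reached, and every security engine counts independently. Round-robin
interleaving of arrivals within a one-second window is a modelling assumption.
"""


def default_single_limit(total_limit, active_sharing_contexts):
    """Default per-context limit: the total limit divided by the number of
    active contexts that share interfaces with other contexts."""
    return total_limit // active_sharing_contexts


def simulate_engine(offered, total_limit, single_limits):
    """One second of arrivals on one security engine.

    offered: {context: offered pps}. Returns {context: accepted pps}.
    total_limit == 0 disables the total limit, as the total command allows.
    """
    remaining = dict(offered)
    accepted = {ctx: 0 for ctx in offered}
    total = 0
    while any(remaining.values()):
        for ctx in remaining:                   # round-robin interleaving (assumption)
            if remaining[ctx] == 0:
                continue
            remaining[ctx] -= 1
            ctx_full = accepted[ctx] >= single_limits[ctx]
            total_full = total_limit != 0 and total >= total_limit
            if ctx_full and total_full:
                continue                        # dropped; drop-logging would report it
            accepted[ctx] += 1
            total += 1
    return accepted


def simulate(engines, total_limit=20000, single_overrides=None):
    """engines: {engine id: {context: offered pps}}.

    Returns (per-context limits, accepted pps per engine, accepted pps
    summed over engines). Every context in the load is assumed to be an
    active context that shares interfaces with other contexts.
    """
    contexts = sorted({ctx for load in engines.values() for ctx in load})
    default = default_single_limit(total_limit, len(contexts))
    limits = {ctx: (single_overrides or {}).get(ctx, default) for ctx in contexts}
    per_engine = {eid: simulate_engine(load, total_limit, limits) for eid, load in engines.items()}
    aggregate = {ctx: sum(acc.get(ctx, 0) for acc in per_engine.values()) for ctx in contexts}
    return limits, per_engine, aggregate


if __name__ == "__main__":
    # Constructed scenario: ctxA floods both engines while ctxB is quiet. With the
    # default broadcast total of 20000 pps, each context's single limit is 10000 pps.
    limits, per_engine, aggregate = simulate(
        {1: {"ctxA": 30000, "ctxB": 5000}, 2: {"ctxA": 30000, "ctxB": 5000}})
    print("limits:", limits)
    print("accepted per engine:", per_engine)
    print("accepted summed over engines:", aggregate)
```

In the constructed scenario ctxA passes 15000 pps on each engine although its single limit is 10000 pps, because the total of 20000 pps is not reached until ctxB's 5000 pps and ctxA's 15000 pps have both been accepted; summed over the two engines ctxA passes 30000 pps, three times its single limit, which is the caveat the guidelines give. The model also shows that when the single limits of the contexts add up to more than the total, the total itself can be exceeded under the literal rule; if you depend on the total as a hard ceiling, verify that on the platform rather than assuming it.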
context-capability inbound unicast total
Use context-capability inbound unicast total to set the CPU usage threshold per CPU core for all inbound packets from all contexts.
Use undo context-capability inbound unicast total to restore the default.
Syntax
context-capability inbound unicast total cpu-usage threshold
undo context-capability inbound unicast total
Default
The CPU usage threshold per CPU core is 95%.
Views
System view
Predefined user roles
network-admin
Parameters
cpu-usage threshold: Specifies the CPU usage threshold per CPU core for inbound packets, in percentage. The value range for the threshold argument is 1 to 100.
Usage guidelines
The threshold set by using this command applies to all inbound packets, including broadcast, unicast, and multicast packets.
If the shared queue in the driver is full when the total usage of a CPU core reaches the specified threshold, the system determines that an attack risk is present. Then, it takes the attack prevention action configured by using the attack-defense cpu-core action command until the attack risk is eliminated. For more information about the attack-defense cpu-core action command, see attack detection and prevention commands in Security Command Reference.
Examples
# Set the CPU usage threshold per CPU core for all inbound packets to 70%.
<Sysname> system-view
[Sysname] context-capability inbound unicast total cpu-usage 70
Related commands
attack-defense cpu-core action (Security Command Reference)
description
Use description to change the description of the default context or to configure a description for a non-default context.
Use undo description to restore the default.
Syntax
description text
undo description
Default
The default context uses the description DefaultContext. A non-default context does not have a description.
Views
Context view
Predefined user roles
network-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 255 characters.
Usage guidelines
You can configure a description for each context, which helps you identify contexts when the device hosts many of them.
Examples
# Configure a description for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] description test
display blade-controller-team
Use display blade-controller-team to display security engine groups.
Syntax
display blade-controller-team [ blade-controller-team-name | id blade-controller-team-id | all ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
blade-controller-team-name: Specifies the name of the security engine group, a case-sensitive string of 1 to 31 characters.
id blade-controller-team-id: Specifies the ID of the security engine group, in the range of 1 to 256.
all: Displays detailed information about all security engine groups.
Usage guidelines
If you do not specify any parameters, the command displays brief information about all security engine groups.
Examples
# Display brief information about all security engine groups.
<Sysname> display blade-controller-team
ID Name
1 Default
2 abc
# (In standalone mode.) Display detailed information about security engine group abc.
<Sysname> display blade-controller-team abc
ID: 2 Name: abc
Slot CPU Status LBGroupID
* 3 1 Normal 2
* : Primary blade controller of the team.
Load balancing group information for the blade controller team:
LBGroupID Name BLAGG
2 Blade3fw2 Blade-Aggregation258
# (In IRF mode.) Display detailed information about security engine group abc.
<Sysname> display blade-controller-team abc
ID: 2 Name: abc
Chassis Slot CPU Status LBGroupID
* 1 3 1 Normal 2
* : Primary blade controller of the team.
Load balancing group information for the blade controller team:
LBGroupID Name BLAGG
2 Blade3fw2 Blade-Aggregation258
# (In standalone mode.) Display detailed information about all security engine groups.
<Sysname> display blade-controller-team all
ID: 1 Name: Default
Slot CPU Status LBGroupID
* 4 1 Normal 1
* : Primary blade controller of the team.
Load balancing group information for the blade controller team:
LBGroupID Name BLAGG
1 Blade3fw1 Blade-Aggregation257
ID: 2 Name: abc
Slot CPU Status LBGroupID
* 3 1 Normal 2
* : Primary blade controller of the team.
Load balancing group information for the blade controller team:
LBGroupID Name BLAGG
2 Blade3fw2 Blade-Aggregation258
# (In IRF mode.) Display detailed information about all security engine groups.
<Sysname> display blade-controller-team all
ID: 1 Name: Default
Chassis Slot CPU Status LBGroupID
* 1 4 1 Normal 1
* : Primary blade controller of the team.
Load balancing group information for the blade controller team:
LBGroupID Name BLAGG
1 Blade3fw1 Blade-Aggregation257
ID: 2 Name: abc
Chassis Slot CPU Status LBGroupID
* 1 3 1 Normal 2
* : Primary blade controller of the team.
Load balancing group information for the blade controller team:
LBGroupID Name BLAGG
2 Blade3fw2 Blade-Aggregation258
Table 1 Command output
Field | Description |
---|---|
Status | Status of the security engine. Absent: No security engine is installed in the slot. |
LBGroupID | ID of the load balancing group that is associated with the security engine group. The ID is assigned automatically by the system. |
* | Primary (main) security engine of the security engine group. |
Name (under Load balancing group information for the blade controller team) | Name of the load balancing group that is associated with the security engine group. The name is predefined by the system in the form of security engine type + security engine group ID. For more information, see the link-aggregation blade command in Layer 2—LAN Switching Command Reference. |
BLAGG | Name of the Blade aggregate interface for the load balancing group. The interface type is Blade-Aggregation. The interface number equals the LBGroupID plus 256. |
display context
Use display context to display contexts.
Syntax
display context [ name context-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context name, a case-sensitive string of 1 to 15 characters.
Usage guidelines
On the default context, this command displays the context specified by the name context-name option. Without the option, this command displays all contexts on the device.
Examples
# Display all contexts.
<Sysname> display context
ID Name Status Description
1 cnt1 active context1
2 cnt2 inactive context2
3 cnt3 inactive context3
Table 2 Command output
display context capability
Use display context capability to display usage of allocable service resources on contexts.
Syntax
In standalone mode:
display context [ name context-name ] capability [ security-policy | session [ slot slot-number cpu cpu-number ] | sslvpn-user ]
In IRF mode:
display context [ name context-name ] capability [ security-policy | session [ chassis chassis-number slot slot-number cpu cpu-number ] | sslvpn-user ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context name, a case-sensitive string of 1 to 15 characters. If you do not specify this option, the command displays information for all contexts.
security-policy: Displays usage of allocable security policy rule resources.
session: Displays usage of allocable session resources.
sslvpn-user: Displays usage of allocable SSL VPN user resources.
slot slot-number: Specifies a card by its slot number. If you do not specify this option, the command displays the usage on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify this option, the command displays the usage on all cards in the IRF fabric. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is supported only if multiple CPUs are available on the specified slot.
Usage guidelines
This command is supported only on the default context.
Examples
# Display usage of allocable service resources on all contexts.
<Sysname> display context capability
Session usage and establishment rate:
Slot 1 CPU 0:
ID Name Maximum Used Free Total(/s) Rate(/s) Usage(%)
1 Admin NA 500 NA NA 1000 NA
2 context1 10000 300 9700 1000 100 10
3 context2 2000 1000 1000 2000 1000 50
Security policy rule usage:
ID Name Maximum Used Free
1 Admin NA 500 NA
2 context1 10000 300 9700
3 context2 2000 1000 1000
Online SSL VPN users:
ID Name Maximum Used Free
1 Admin NA 0 NA
2 context1 10000 3000 7000
3 context2 2000 0 2000
Table 3 Command output
Field | Description |
---|---|
ID | Context ID. |
Name | Context name. |
Maximum | Maximum number of allocable resources. |
Used | Number of used resources. |
Free | Number of available resources. |
Total | Maximum session establishment rate, which is the maximum number of sessions that can be established in a second. |
Rate | Current session establishment rate. |
Usage | Ratio of the current session establishment rate to the maximum session establishment rate, in percentage. |
Related commands
· capability security-policy-rule maximum
· capability session maximum
· capability session rate
· capability sslvpn-user maximum
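As an added example (not part of this command reference), the following Python parses the display context capability output shown above and reports every context whose used resources, or session establishment rate, have reached a chosen percentage of its allocated maximum. The sample text is constructed from the output above; the IRF-mode "Chassis N Slot N CPU N:" sub-header form and all function names are this example's own assumptions.

```python
"""Parse 'display context capability' output and flag contexts near their quotas."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the command output shown in this reference.
SAMPLE_OUTPUT = """\
Session usage and establishment rate:
Slot 1 CPU 0:
ID  Name      Maximum  Used  Free  Total(/s)  Rate(/s)  Usage(%)
1   Admin     NA       500   NA    NA         1000      NA
2   context1  10000    300   9700  1000       100       10
3   context2  2000     1000  1000  2000       1000      50
Security policy rule usage:
ID  Name      Maximum  Used  Free
1   Admin     NA       500   NA
2   context1  10000    300   9700
3   context2  2000     1000  1000
Online SSL VPN users:
ID  Name      Maximum  Used  Free
1   Admin     NA       0     NA
2   context1  10000    3000  7000
3   context2  2000     0     2000
"""

# Section titles as printed by the command, mapped to the capability keyword.
SECTION_HEADERS = {
    "Session usage and establishment rate:": "session",
    "Security policy rule usage:": "security-policy",
    "Online SSL VPN users:": "sslvpn-user",
}

# Session tables are printed per security engine. The standalone form is shown in
# the reference; the optional "Chassis N" prefix for IRF mode is an assumption.
LOCATION_RE = re.compile(r"^(?:Chassis \d+ )?Slot \d+ CPU \d+:$")


@dataclass
class ResourceRow:
    resource: str            # session | security-policy | sslvpn-user
    location: Optional[str]  # e.g. "Slot 1 CPU 0" for session rows, None otherwise
    context_id: int
    name: str
    maximum: Optional[int]   # None where the device prints NA (no limit configured)
    used: int
    free: Optional[int]
    rate_usage: Optional[int] = None  # Usage(%) column, session rows only


def _num(token: str) -> Optional[int]:
    """Convert a numeric cell; the device prints NA where no limit applies."""
    return None if token == "NA" else int(token)


def parse_context_capability(text: str) -> List[ResourceRow]:
    rows: List[ResourceRow] = []
    resource: Optional[str] = None
    location: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            resource = SECTION_HEADERS[line]
            location = None
            continue
        if LOCATION_RE.match(line):
            location = line.rstrip(":")
            continue
        if resource is None or line.startswith("ID "):
            continue  # text before the first section, or a column header
        f = line.split()
        row = ResourceRow(resource, location, int(f[0]), f[1],
                          _num(f[2]), int(f[3]), _num(f[4]))
        if resource == "session" and len(f) >= 8:
            row.rate_usage = _num(f[7])
        rows.append(row)
    return rows


def near_quota(rows: List[ResourceRow], pct: int = 80) -> List[Tuple[str, str, int]]:
    """Return (context, resource, percent) for every quota used at or above pct.

    Rows whose Maximum is NA have no allocation limit and are never reported; the
    session table additionally contributes its establishment-rate Usage(%) value."""
    hits: List[Tuple[str, str, int]] = []
    for r in rows:
        if r.maximum:
            used_pct = 100 * r.used // r.maximum
            if used_pct >= pct:
                hits.append((r.name, r.resource, used_pct))
        if r.rate_usage is not None and r.rate_usage >= pct:
            hits.append((r.name, "session-rate", r.rate_usage))
    return hits


if __name__ == "__main__":
    for name, resource, used in near_quota(parse_context_capability(SAMPLE_OUTPUT), pct=50):
        print(f"{name}: {resource} at {used}% of its quota")
```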
display context capability inbound broadcast
Use display context capability inbound broadcast to display the inbound broadcast rate limit statistics about a context.
Syntax
In standalone mode:
display context name context-name capability inbound broadcast slot slot-number cpu cpu-number
In IRF mode:
display context name context-name capability inbound broadcast chassis chassis-number slot slot-number cpu cpu-number
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# (In standalone mode.) Display the inbound broadcast rate limit statistics about context abc on a slot.
<Sysname> display context name abc capability inbound broadcast slot 1 cpu 1
Context name: abc
Context ID: 2
Drop Rate: 1000 pps
Inbound throughput limit: 8000 pps
Total inbound throughput limit: 10000 pps
Table 4 Command output
Field | Description |
---|---|
Drop Rate | Broadcast packet drop rate of the context. |
Inbound throughput limit | Inbound broadcast rate limit for the context. |
Total inbound throughput limit | Total inbound broadcast rate limit. |
display context capability inbound multicast
Use display context capability inbound multicast to display the inbound multicast rate limit statistics about a context.
Syntax
In standalone mode:
display context name context-name capability inbound multicast slot slot-number cpu cpu-number
In IRF mode:
display context name context-name capability inbound multicast chassis chassis-number slot slot-number cpu cpu-number
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# (In standalone mode.) Display the inbound multicast rate limit statistics about context abc on a slot.
<Sysname> display context name abc capability inbound multicast slot 1 cpu 1
Context name: abc
Context ID: 2
Drop Rate: 1000 pps
Inbound throughput limit: 8000 pps
Total inbound throughput limit: 10000 pps
Table 5 Command output
Field | Description |
---|---|
Drop Rate | Multicast packet drop rate of the context. |
Inbound throughput limit | Inbound multicast rate limit for the context. |
Total inbound throughput limit | Total inbound multicast rate limit. |
display capability inbound unicast
Use display capability inbound unicast to display attack prevention statistics for CPU cores.
Syntax
In standalone mode:
display capability inbound unicast slot slot-number cpu cpu-number
In IRF mode:
display capability inbound unicast chassis chassis-number slot slot-number cpu cpu-number
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# (In standalone mode.) Display attack prevention statistics for CPU cores on a slot.
<Sysname> display capability inbound unicast slot 1 cpu 1
CPU usage threshold: 95%
Current attack-defense cpu-core action: Per-packet-balance
CPU ID Up rate Packet rate CPU usage Effective percentage
CPU0 0/s 0/s 1% 95%
CPU1 0/s 0/s 2% 95%
CPU2 0/s 0/s 1% 95%
CPU3 0/s 0/s 3% 95%
CPU4 0/s 0/s 1% 95%
CPU5 0/s 0/s 2% 95%
CPU6 0/s 0/s 1% 95%
CPU7 50000/s 40000/s 90% 70%
CPU8 0/s 0/s 1% 95%
CPU9 0/s 0/s 5% 95%
CPU10 0/s 0/s 2% 95%
CPU11 0/s 0/s 1% 95%
CPU12 0/s 0/s 6% 95%
CPU13 0/s 0/s 1% 95%
CPU14 0/s 0/s 3% 95%
CPU15 0/s 0/s 1% 95%
Table 6 Command output
Field | Description |
---|---|
CPU usage threshold | Total CPU usage threshold per CPU core for all inbound broadcast, multicast, and unicast packets from all contexts, in percentage. When this threshold is reached, attack prevention action will be taken on excessive packets to protect the CPU core. |
Current attack-defense cpu-core action | Attack prevention action on excessive packets for CPU core protection. Options: · Drop—Drops the packets in the driver. · Per-packet-balance—Distributes the packets across CPU cores on a per-packet basis in the driver. · Isolate—Puts the packets in the isolation queue in hardware for future processing. |
CPU ID | CPU core ID. |
Pass rate | Number of packets permitted per second when the attack prevention action is drop or isolate. |
Drop rate | Number of packets dropped per second when the attack prevention action is drop or isolate. |
Up rate | Number of packets sent to the CPU core per second when the attack prevention action is per-packet-balance. |
Balance rate | Number of packets sent to other CPU cores per second when the attack prevention action is per-packet-balance. |
CPU usage | Current usage of the CPU core, in percentage. When this value reaches the CPU usage threshold per CPU core, the attack prevention action is triggered. |
Effective percentage | Maximum percentage of CPU time available for packet processing. The CPU core will use all its available processing capability to process packets after the attack prevention action is triggered, in order to minimize the impact of the action and decrease the CPU usage as quickly as possible. The attack prevention action will take on a packet only if it is beyond the maximum available capability of the CPU core. |
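As an added example (not part of this command reference), the following Python parses the display capability inbound unicast output shown above and picks out the cores that deserve attention: those at the CPU usage threshold or whose Effective percentage has fallen below it, and the core receiving the largest share of inbound unicast traffic. The sample text is constructed from the output above and shortened to nine cores; the flagging rule and all function names are this example's own heuristics, not semantics defined by the reference.

```python
"""Parse 'display capability inbound unicast' output and flag loaded CPU cores."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the output for slot 1 cpu 1 in this reference.
SAMPLE_OUTPUT = """\
CPU usage threshold: 95%
Current attack-defense cpu-core action: Per-packet-balance
CPU ID  Up rate   Packet rate  CPU usage  Effective percentage
CPU0    0/s       0/s          1%         95%
CPU1    0/s       0/s          2%         95%
CPU2    0/s       0/s          1%         95%
CPU3    0/s       0/s          3%         95%
CPU4    0/s       0/s          1%         95%
CPU5    0/s       0/s          2%         95%
CPU6    0/s       0/s          1%         95%
CPU7    50000/s   40000/s      90%        70%
CPU8    0/s       0/s          1%         95%
"""

THRESHOLD_RE = re.compile(r"^CPU usage threshold:\s*(\d+)%$")
ACTION_RE = re.compile(r"^Current attack-defense cpu-core action:\s*(\S+)$")
CORE_RE = re.compile(r"^(CPU\d+)\s+(\d+)/s\s+(\d+)/s\s+(\d+)%\s+(\d+)%$")


@dataclass
class CoreStat:
    core: str
    up_rate: int        # packets/s sent to this core (per-packet-balance action)
    packet_rate: int    # "Packet rate" column as printed
    cpu_usage: int      # current usage of the core, percent
    effective_pct: int  # maximum CPU time available for packet processing, percent


@dataclass
class UnicastReport:
    threshold: int      # per-core CPU usage threshold, percent
    action: str         # Drop | Per-packet-balance | Isolate
    cores: List[CoreStat]


def parse_inbound_unicast(text: str) -> UnicastReport:
    threshold: Optional[int] = None
    action: Optional[str] = None
    cores: List[CoreStat] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = THRESHOLD_RE.match(line)
        if m:
            threshold = int(m.group(1))
            continue
        m = ACTION_RE.match(line)
        if m:
            action = m.group(1)
            continue
        m = CORE_RE.match(line)  # the "CPU ID ..." header has no digit after CPU
        if m:
            cores.append(CoreStat(m.group(1), int(m.group(2)), int(m.group(3)),
                                  int(m.group(4)), int(m.group(5))))
    if threshold is None or action is None:
        raise ValueError("header lines missing: not display capability inbound unicast output")
    return UnicastReport(threshold, action, cores)


def stressed_cores(report: UnicastReport) -> List[CoreStat]:
    """Heuristic: cores at the usage threshold, or whose effective percentage is
    below the threshold (CPU7 in the sample: 90% usage, 70% effective)."""
    return [c for c in report.cores
            if c.cpu_usage >= report.threshold or c.effective_pct < report.threshold]


def busiest_core(report: UnicastReport) -> Optional[CoreStat]:
    """Core with the highest Up rate; None if no core carries inbound unicast traffic."""
    loaded = [c for c in report.cores if c.up_rate > 0]
    return max(loaded, key=lambda c: c.up_rate) if loaded else None


def traffic_share(report: UnicastReport) -> int:
    """Percentage of all Up-rate traffic landing on the busiest core (100 = one core)."""
    total = sum(c.up_rate for c in report.cores)
    top = busiest_core(report)
    return 0 if total == 0 or top is None else 100 * top.up_rate // total


if __name__ == "__main__":
    rep = parse_inbound_unicast(SAMPLE_OUTPUT)
    print(f"action={rep.action} threshold={rep.threshold}%")
    for c in stressed_cores(rep):
        print(f"{c.core}: usage {c.cpu_usage}%, effective {c.effective_pct}%, "
              f"up {c.up_rate}/s ({traffic_share(rep)}% of inbound unicast)")
```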
display context configuration
Use display context configuration to display or save context configuration information.
Syntax
display context [ name context-name ] configuration [ file filename ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context name, a case-sensitive string of 1 to 15 characters. If you do not specify this option, the command displays the configurations of all contexts.
file filename: Saves the information to a file. The filename argument specifies the file name, a case-insensitive string of 1 to 255 characters. The file name must use the .tar.gz extension, and cannot be ..tar.gz or …tar.gz. It cannot start with a hyphen (-) or contain any of the following characters: quote marks ("), forward slashes (/), colons (:), backward slashes (\), question marks (?), less than signs (<), greater than signs (>), vertical bars (|), and asterisks (*). If you do not specify this option, the system prompts you to choose whether to display or save the information.
Usage guidelines
This command is supported only on the default context.
This command does not take effect on contexts that have not started up.
Executing this command is equivalent to executing the display current-configuration command on the specified context or each context.
Examples
# Display the configurations of all contexts.
<Sysname> display context configuration
Save or display context configuration(Y=save, N=display)? [Y/N]:n
===========inner configuration of context Admin===========
============================================================
display current-configuration
#
version 7.1.064, Feature 9321
#
sysname Sysname
#
context Admin id 1
#
context cnt1 id 2
#
return
<Sysname>
===========inner configuration of context cnt1===========
============================================================
display current-configuration
#
version 7.1.064, Feature 9321
#
sysname Sysname
#
context Admin id 1
#
context cnt1 id 2
---- More ----
# Save the configurations of all contexts to a file in interactive mode.
<Sysname> display context configuration
Save or display context configuration (Y=save, N=display)? [Y/N]:y
Please input the file name(*.tar.gz)[flash:/diag.tar.gz]: test.tar.gz
Saving context configuration to flash:/test.tar.gz. Please wait....
# Save the configurations of all contexts to a file by specifying a file name for the command.
<Sysname> display context configuration file test.tar.gz
Saving context configuration to flash:/test.tar.gz. Please wait...
display context interface
Use display context interface to display interfaces assigned to contexts.
Syntax
display context [ name context-name ] interface
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context name, a case-sensitive string of 1 to 15 characters.
Usage guidelines
This command cannot display interfaces created on non-default contexts.
On the default context, this command displays the interfaces allocated to the non-default context specified by using the name context-name option. If you do not specify the option, this command displays the interfaces allocated to all non-default contexts on the device.
Examples
# Display the interfaces allocated to all non-default contexts.
<Sysname> display context interface
Context stub1's interfaces:
GigabitEthernet1/0/2
Context stub2's interfaces:
GigabitEthernet1/0/3
Related commands
allocate interface
display context online-users sslvpn
Use display context online-users sslvpn to display the number of online SSL VPN users on all contexts.
Syntax
display context online-users sslvpn
Views
Any view
Predefined user roles
network-admin
network-operator
Usage guidelines
The number of online SSL VPN users collected by this command equals the number of SSL VPN sessions.
Examples
# Display the number of online SSL VPN users on all contexts.
<Sysname> display context online-users sslvpn
Total number of SSL VPN online users: 50
display context resource
Use display context resource to display CPU, disk space, and memory usage for contexts.
Syntax
In standalone mode:
display context [ name context-name ] resource [ cpu | disk | memory ] [ slot slot-number cpu cpu-number ]
In IRF mode:
display context [ name context-name ] resource [ cpu | disk | memory ] [ chassis chassis-number slot slot-number cpu cpu-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context name, a case-sensitive string of 1 to 15 characters. If you do not specify this option, the command displays the usage for all contexts.
cpu: Displays the CPU usage.
disk: Displays the disk space usage.
memory: Displays the memory usage.
slot slot-number cpu cpu-number: Specifies a security engine on a card. The slot-number argument represents the slot number of the card. The cpu-number argument represents the CPU number. If you do not specify this option, the command displays the usage on all security engines. (In standalone mode.)
chassis chassis-number slot slot-number cpu cpu-number: Specifies a security engine on a card of an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. The cpu-number argument represents the CPU number. If you do not specify this option, the command displays the usage on all security engines in the IRF fabric. (In IRF mode.)
Usage guidelines
If a context is not started, its CPU, disk space, and memory space usage values are all 0.
If you do not specify the cpu, disk, or memory keyword, the command displays the CPU, disk space, and memory space usage.
Examples
# (In standalone mode.) Display the CPU usage for the contexts on all cards.
<Sysname> display context resource cpu
CPU usage:
Slot 2 CPU 1:
ID Name Weight Usage(%)
1 cnt1 10 24
2 cnt2 10 0
Related commands
limit-resource cpu
limit-resource disk
limit-resource memory
display context statistics
Use display context statistics to display or save resource statistics for contexts.
Syntax
display context [ name context-name ] statistics [ file filename ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters. If you do not specify this option, the command displays or saves resource statistics for all contexts.
file filename: Saves the information to a file. The filename argument specifies the file name, a case-insensitive string of 1 to 255 characters. The file name must use the .tar.gz extension, and cannot be ..tar.gz or …tar.gz. It cannot start with a hyphen (-) or contain any of the following characters: quote marks ("), forward slashes (/), colons (:), backward slashes (\), question marks (?), less than signs (<), greater than signs (>), vertical bars (|), and asterisks (*). If you do not specify this argument, the system prompts you to choose whether to display or save the information.
Usage guidelines
This command is supported only on the default context.
Executing this command is equivalent to executing the following commands:
· display context capability
· display counters inbound interface
· display counters outbound interface
· display counters rate inbound interface
· display counters rate outbound interface
· display interface
· display ip statistics
· display ipv6 statistics
· display nat statistics
· display session statistics
Examples
# Display resource statistics for all contexts.
<Sysname> display context statistics
Save or display context statistics (Y=save, N=display)? [Y/N]:n
========================================================
=============== display session statistics =================
Slot 1:
Current sessions: 0
TCP sessions: 0
UDP sessions: 0
ICMP sessions: 0
ICMPv6 sessions: 0
UDP-Lite sessions: 0
SCTP sessions: 0
DCCP sessions: 0
RAWIP sessions: 0
...
# Save resource statistics for all contexts to a file in interactive mode.
<Sysname> display context statistics
Save or display context statistics(Y=save, N=display)? [Y/N]:y
Please input the file name(*.tar.gz)[flash:/diag.tar.gz]: test.tar.gz
Saving context statistics to flash:/test.tar.gz. Please wait....
# Save resource statistics for all contexts to a file by specifying a file name for the command.
<Sysname> display context statistics file test.tar.gz
Saving context statistics to flash:/test.tar.gz. Please wait...
Related commands
display context capability
display counters inbound interface (Interface Command Reference)
display counters outbound interface (Interface Command Reference)
display counters rate inbound interface (Interface Command Reference)
display counters rate outbound interface (Interface Command Reference)
display interface (Interface Command Reference)
display ip statistics (Layer 3—IP Services Command Reference)
display ipv6 statistics (Layer 3—IP Services Command Reference)
display nat statistics (NAT Command Reference)
display session statistics (Security Command Reference)
display context vlan
Use display context vlan to display VLAN lists for contexts.
Syntax
display context [ name context-name ] vlan
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.
Usage guidelines
On the default context, if you specify the name context-name option, this command displays the VLAN list for the specified context. If you do not specify the name context-name option, this command displays VLAN lists for all contexts.
Examples
# Display VLAN lists for all contexts.
<Sysname> display context vlan
Context stub1's VLAN(s):
Context stub2's VLAN(s):
2,4094
Context stub3's VLAN(s):
5,6,800-3000,3400
# Display the VLAN list for context stub1.
<Sysname> display context name stub1 vlan
Context stub1's VLAN(s):
5,6,11-23,3400
Related commands
allocate vlan
hardware fast-forwarding vpc enable
Use hardware fast-forwarding vpc enable to enable inter-VPC fast forwarding.
Use undo hardware fast-forwarding vpc enable to disable inter-VPC fast forwarding.
Syntax
In standalone mode:
hardware fast-forwarding vpc enable [ slot slot-number [ cpu cpu-number ] ]
undo hardware fast-forwarding vpc enable [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
hardware fast-forwarding vpc enable [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
undo hardware fast-forwarding vpc enable [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Default
Inter-VPC fast forwarding is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command enables inter-VPC fast forwarding on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command enables inter-VPC fast forwarding on all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
For this command to take effect, you must enable fast forwarding by using the hardware fast-forwarding enable command. For more information about this command, see fast forwarding commands in Layer 3—IP Services Command Reference.
This command takes effect on all contexts.
Examples
# Enable inter-VPC fast forwarding.
<Sysname> system-view
[Sysname] hardware fast-forwarding vpc enable
Related commands
hardware fast-forwarding enable (Layer 3—IP Services Command Reference)
limit-resource cpu
Use limit-resource cpu to set a CPU weight for a context.
Use undo limit-resource cpu to restore the default.
Syntax
limit-resource cpu weight weight-value
undo limit-resource cpu
Default
Each context has a CPU weight of 10.
Views
Context view
Predefined user roles
network-admin
Parameters
weight weight-value: Specifies a CPU weight value in the range of 1 to 10.
Usage guidelines
This command imposes the same CPU weight on every security engine to which the context is assigned.
Examples
# Set the CPU weight to 2 for context cnt2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] limit-resource cpu weight 2
limit-resource disk
Use limit-resource disk to set a disk space percentage for a context. A disk space percentage defines the maximum disk space that the context can use.
Use undo limit-resource disk to restore the default.
Syntax
In standalone mode:
limit-resource disk slot slot-number cpu cpu-number ratio limit-ratio
undo limit-resource disk slot slot-number cpu cpu-number
In IRF mode:
limit-resource disk chassis chassis-number slot slot-number cpu cpu-number ratio limit-ratio
undo limit-resource disk chassis chassis-number slot slot-number cpu cpu-number
Default
All contexts on a security engine share the disk space on the engine. A context can use all free disk space on the engine.
Views
Context view
Predefined user roles
network-admin
Parameters
slot slot-number cpu cpu-number: Specifies a security engine on a card. The slot-number argument represents the slot number of the card. The cpu-number argument represents the CPU number. (In standalone mode.)
chassis chassis-number slot slot-number cpu cpu-number: Specifies a security engine on a card of an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. The cpu-number argument represents the CPU number. (In IRF mode.)
ratio limit-ratio: Specifies the ratio of the disk space that the context can use to the total disk space of the device. The value range is 1 to 100.
Usage guidelines
When you assign a context to a security engine group, the system automatically assigns disk space resources on the security engines to the context. All contexts residing on the same security engine share and compete for the engine's free disk resources. To prevent one context from occupying too many disk space resources, assign disk space resources to the contexts.
When you assign disk space to a context, follow these guidelines:
· Use the display context resource command to view the amount of disk space that has been used by the context before assigning disk space to the context.
· Assign disk space larger than the disk space used by the context to avoid the following problems:
    · The context cannot apply for more disk space.
    · The context cannot create, copy, or save additional folders or files.
The disk space percentage setting takes effect on all the storage media.
Examples
# (In standalone mode.) Configure context cnt2 to use up to 20% of the disk space on the security engine for CPU 1 in slot 3.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] limit-resource disk slot 3 cpu 1 ratio 20
# (In IRF mode.) Configure context cnt2 to use up to 30% of the disk space on the security engine for CPU 1 in slot 2 of member device 1.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] limit-resource disk chassis 1 slot 2 cpu 1 ratio 30
limit-resource memory
Use limit-resource memory to set a memory space percentage for a context. A memory space percentage defines the maximum memory space that the context can use.
Use undo limit-resource memory to restore the default.
Syntax
In standalone mode:
limit-resource memory slot slot-number cpu cpu-number ratio limit-ratio
undo limit-resource memory slot slot-number cpu cpu-number
In IRF mode:
limit-resource memory chassis chassis-number slot slot-number cpu cpu-number ratio limit-ratio
undo limit-resource memory chassis chassis-number slot slot-number cpu cpu-number
Default
All contexts on a security engine share the memory space on the engine. A context can use all free memory space on the engine.
Views
Context view
Predefined user roles
network-admin
Parameters
slot slot-number cpu cpu-number: Specifies a security engine on a card. The slot-number argument represents the slot number of the card. The cpu-number argument represents the CPU number. (In standalone mode.)
chassis chassis-number slot slot-number cpu cpu-number: Specifies a security engine on a card of an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. The cpu-number argument represents the CPU number. (In IRF mode.)
ratio limit-ratio: Specifies the ratio of the memory space that the context can use on the specified security engine to the total memory space of the engine. The value range is 1 to 100.
Usage guidelines
When you assign a context to a security engine group, the system automatically assigns memory space resources on the security engines to the context. All contexts residing on the same security engine share and compete for the engine's free memory resources. To prevent one context from occupying too many memory space resources, assign memory space resources to the contexts. When the limit for a context is reached, the context cannot apply for more memory space.
When you assign memory space to a context, follow these guidelines:
· Use the display context resource command to view the amount of memory space that has been used by the context before assigning memory space to the context.
· Assign an amount of memory space that is larger than the memory space used by the context to avoid the following problems:
    · The context cannot apply for more memory space.
    · The context cannot create, copy, or save additional folders or files.
Examples
# (In standalone mode.) Configure context cnt2 to use up to 30% of the memory space on the security engine for CPU 1 in slot 3.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] limit-resource memory slot 3 cpu 1 ratio 30
# (In IRF mode.) Configure context cnt2 to use up to 30% of the memory space on the security engine for CPU 1 in slot 2 of member device 1.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] limit-resource memory chassis 1 slot 2 cpu 1 ratio 30
location blade-controller
Use location blade-controller to add a security engine to a security engine group.
Use undo location blade-controller to restore the default.
Syntax
In standalone mode:
location blade-controller slot slot-number cpu cpu-number
undo location blade-controller slot slot-number cpu cpu-number
In IRF mode:
location blade-controller chassis chassis-number slot slot-number cpu cpu-number
undo location blade-controller chassis chassis-number slot slot-number cpu cpu-number
Default
A security engine joins the default security engine group when it is installed.
Views
Security engine group view
Predefined user roles
network-admin
Parameters
slot slot-number cpu cpu-number: Specifies a security engine by its CPU number and the slot number. (In standalone mode.)
chassis chassis-number slot slot-number cpu cpu-number: Specifies a security engine by its CPU number, the slot number, and the member ID. (In IRF mode.)
Usage guidelines
CAUTION: For the device to process services, make sure the default security engine group has a minimum of one security engine.
If the security engine is in position, the location blade-controller command takes effect immediately.
If the security engine is not in position, the location blade-controller command takes effect after the security engine is installed.
You can add security engines to security engine groups before installing the security engines. Make a security engine deployment plan before doing so, and install security engines as planned. If you install a non-security engine card in a slot for a security engine, the system automatically deletes the location blade-controller command from the running configuration.
You can add as many security engines to a security engine group as you like. However, one security engine can be added only to one security engine group.
Examples
# (In standalone mode.) Add the security engine on CPU 1 in slot 2 to security engine group abc.
<Sysname> system-view
[Sysname] blade-controller-team abc
[Sysname-blade-controller-team-2-abc] location blade-controller slot 2 cpu 1
This operation will also reboot the blade controller. Continue? [Y/N]:y
# (In IRF mode.) Add the security engine on CPU 1 in slot 2 of member device 2 to security engine group abc.
<Sysname> system-view
[Sysname] blade-controller-team abc
[Sysname-blade-controller-team-2-abc] location blade-controller chassis 2 slot 2 cpu 1
This operation will also reboot the blade controller. Continue? [Y/N]:y
# (In standalone mode.) Add the security engine on CPU 1 in slot 3 to security engine group abc. The security engine is not in position.
[Sysname] blade-controller-team abc
[Sysname-blade-controller-team-2-abc] location blade-controller slot 3 cpu 1
Operation succeeded, but the blade controller is absent.
# (In IRF mode.) Add the security engine on CPU 1 in slot 3 of member device 2 to security engine group abc. The security engine is not in position.
<Sysname> system-view
[Sysname] blade-controller-team abc
[Sysname-blade-controller-team-2-abc] location blade-controller chassis 2 slot 3 cpu 1
Operation succeeded, but the blade controller is absent.
location blade-controller-team
Use location blade-controller-team to assign a context to a security engine group.
Use undo location blade-controller-team to reclaim a context from a security engine group.
Syntax
location blade-controller-team team-id
undo location blade-controller-team team-id
Default
The default context resides on all security engine groups. A non-default context does not reside on any security engine groups.
Views
Context view
Predefined user roles
network-admin
Parameters
team-id: Specifies a security engine group by its ID. The security engine group must already exist.
Usage guidelines
To run and provide services, a context must be assigned to a security engine group. After you assign a context to a security engine group, the context can use the CPU, disk space, and memory space resources on the security engines in the group.
A context can be assigned only to one security engine group. To change an assignment, you must reclaim the context before assigning it to the new security engine group.
You can assign multiple contexts to a security engine group.
You can add a security engine to a security engine group before or after assigning a context to the security engine group.
Examples
# Assign context cnt2 to security engine group 2.
<Sysname> system-view
[Sysname] context cnt2
[Sysname-context-2-cnt2] location blade-controller-team 2
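The usage guidelines for location blade-controller and location blade-controller-team state a small set of assignment rules: a security engine can be added to only one security engine group, a context can be assigned to only one security engine group, the group must already exist, and IRF and standalone locations use different syntax. The following Python script is an added example, not H3C code: it checks a deployment plan against those rules before any command is typed, then emits the CLI lines in the order shown in the examples above. The plan data structure, the sample plan and the assumption that the group IDs are already known (from display blade-controller-team) are this example's own.

```python
"""Deployment-plan checker for security engine groups and contexts.

Added example (not H3C code). It encodes the rules from the location
blade-controller and location blade-controller-team usage guidelines:
an engine belongs to at most one group, a context to at most one group,
the group must exist before a context is assigned, and a plan must not
mix standalone and IRF locations. Plan format and the assumption that
group IDs are already known are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Engine:
    slot: int
    cpu: int
    chassis: Optional[int] = None  # IRF member ID; None in standalone mode

    def location(self) -> str:
        """Render the location argument exactly as the CLI expects it."""
        if self.chassis is None:
            return f"slot {self.slot} cpu {self.cpu}"
        return f"chassis {self.chassis} slot {self.slot} cpu {self.cpu}"


@dataclass
class Group:
    team_id: int   # ID shown in the view prompt, e.g. [Sysname-blade-controller-team-2-abc]
    name: str
    engines: List[Engine] = field(default_factory=list)


@dataclass
class Plan:
    groups: List[Group]
    contexts: Dict[str, int]  # context name -> team_id; a dict cannot map one context to two groups


def validate(plan: Plan) -> List[str]:
    """Return the rule violations in the plan; an empty list means it is consistent."""
    errors: List[str] = []
    ids: Dict[int, str] = {}
    owner: Dict[Engine, str] = {}
    modes = set()
    for g in plan.groups:
        if not 1 <= g.team_id <= 256:
            errors.append(f"group {g.name}: team-id {g.team_id} outside 1-256")
        if g.team_id in ids:
            errors.append(f"group {g.name}: team-id {g.team_id} already used by {ids[g.team_id]}")
        ids[g.team_id] = g.name
        for e in g.engines:
            modes.add("irf" if e.chassis is not None else "standalone")
            if e in owner:
                errors.append(f"engine {e.location()} is in both {owner[e]} and {g.name}; "
                              "an engine can be added to only one group")
            owner.setdefault(e, g.name)
    if len(modes) > 1:
        errors.append("plan mixes standalone and IRF engine locations")
    for ctx, tid in plan.contexts.items():
        if not 1 <= len(ctx) <= 15:
            errors.append(f"context name {ctx!r} must be 1 to 15 characters")
        if tid not in ids:
            errors.append(f"context {ctx}: security engine group {tid} does not exist")
    return errors


def render(plan: Plan) -> List[str]:
    """Emit the CLI lines for a plan; raises ValueError if validate() found errors."""
    errors = validate(plan)
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["system-view"]
    for g in plan.groups:
        lines.append(f"blade-controller-team {g.name}")
        for e in g.engines:
            # Adding an installed engine reboots that blade controller; an absent
            # engine is accepted and reported as absent (see the examples above).
            lines.append(f"location blade-controller {e.location()}")
        lines.append("quit")
    for ctx, tid in plan.contexts.items():
        lines.append(f"context {ctx}")
        lines.append(f"location blade-controller-team {tid}")
        lines.append("quit")
    return lines


# Constructed sample plan: two groups on an IRF fabric, one context assigned to each.
SAMPLE = Plan(
    groups=[
        Group(1, "abc", [Engine(2, 1, chassis=2), Engine(3, 1, chassis=2)]),
        Group(2, "def", [Engine(2, 1, chassis=1)]),
    ],
    contexts={"cnt2": 1, "cnt3": 2},
)

if __name__ == "__main__":
    print("\n".join(render(SAMPLE)))
```

Run the script to print the command sequence for the sample plan; feed it a plan that puts the same slot/CPU in two groups, or points a context at a group ID that is not in the plan, and render() refuses with the list of violations instead of producing commands that the device would reject one at a time.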
Related commands
blade-controller-team
reset blade-controller-team
Use reset blade-controller-team to clear the information for an absent security engine (one that was added to the group with location blade-controller but is not installed) from a security engine group.
Syntax
In standalone mode:
reset blade-controller-team team-id member slot slot-number cpu cpu-number
In IRF mode:
reset blade-controller-team team-id member chassis chassis-number slot slot-number cpu cpu-number
Views
User view
Predefined user roles
network-admin
Parameters
team-id: Specifies a security engine group by its ID. The value range is 1 to 256. To view the group ID, use the display blade-controller-team command.
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
cpu cpu-number: Specifies the CPU of the absent security engine by its number.
Examples
# (In standalone mode.) Clear information for the absent security engine on CPU 1 in slot 2 from security engine group 1.
<Sysname> reset blade-controller-team 1 member slot 2 cpu 1
# (In IRF mode.) Clear information for the absent security engine on CPU 1 in slot 2 of member device 1 from security engine group 1.
<Sysname> reset blade-controller-team 1 member chassis 1 slot 2 cpu 1
reset context capability inbound broadcast
Use reset context capability inbound broadcast to clear the inbound broadcast rate limit statistics for a context.
Syntax
In standalone mode:
reset context name context-name capability inbound broadcast slot slot-number cpu cpu-number
In IRF mode:
reset context name context-name capability inbound broadcast chassis chassis-number slot slot-number cpu cpu-number
Views
User view
Predefined user roles
network-admin
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# (In standalone mode.) Clear the inbound broadcast rate limit statistics for context abc on CPU 1 in slot 1.
<Sysname> reset context name abc capability inbound broadcast slot 1 cpu 1
reset context capability inbound multicast
Use reset context capability inbound multicast to clear the inbound multicast rate limit statistics for a context.
Syntax
In standalone mode:
reset context name context-name capability inbound multicast slot slot-number cpu cpu-number
In IRF mode:
reset context name context-name capability inbound multicast chassis chassis-number slot slot-number cpu cpu-number
Views
User view
Predefined user roles
network-admin
Parameters
name context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters.
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# (In standalone mode.) Clear the inbound multicast rate limit statistics for context abc on CPU 1 in slot 1.
<Sysname> reset context name abc capability inbound multicast slot 1 cpu 1
switchto context
Use switchto context to log in to a context.
Syntax
switchto context context-name
Views
System view
Predefined user roles
network-admin
network-operator
Parameters
context-name: Specifies a context by its name, a case-sensitive string of 1 to 15 characters. The context must have been started.
Usage guidelines
Use this command to log in to a non-default context from the system view of the default context. The connection uses the internal interfaces between the physical device and the context.
Examples
# Log in to context test2.
<Sysname> system-view
[Sysname] switchto context test2
******************************************************************************
* Copyright (c) 2004-2018 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<H3C>
tar context log
Use tar context log to archive log messages for contexts.
Syntax
tar context [ name context-name ] log file filename
Views
User view
Predefined user roles
network-admin
Parameters
name context-name: Specifies a context name, a case-sensitive string of 1 to 15 characters. If you do not specify this option, the command archives log messages for all contexts.
file filename: Specifies a file name, a case-insensitive string of 1 to 255 characters. The file name must use the .tar.gz extension, and cannot be ..tar.gz or ...tar.gz. It cannot start with a hyphen (-) or contain any of the following characters: quote marks ("), forward slashes (/), colons (:), backward slashes (\), question marks (?), less than signs (<), greater than signs (>), vertical bars (|), and asterisks (*).
Usage guidelines
This command is supported only on the default context.
This command does not take effect on contexts that have never started up.
This command archives all files in the logfile directory and diagfile directory.
Examples
# Archive log messages for all contexts to file test.tar.gz.
<Sysname> tar context log file test.tar.gz
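The file name rules for tar context log are easy to get wrong when the archive name is generated by a script (for example from a date and a context name). The following Python function is an added example, not H3C code: it applies the rules stated under the file parameter above so that a name can be checked before the command is sent to the device. It assumes, because the page describes the name as case-insensitive, that the .tar.gz extension is also matched case-insensitively; the sample names are constructed.

```python
# Added example (not H3C code): validate a file name against the rules the
# tar context log command places on the file argument.

# Characters the page lists as forbidden anywhere in the name.
FORBIDDEN_CHARS = set('"/:\\?<>|*')


def valid_archive_name(name: str) -> bool:
    """Return True if name satisfies every rule listed for the file argument."""
    if not 1 <= len(name) <= 255:
        return False
    if name.startswith("-"):          # a leading hyphen is not allowed
        return False
    if any(ch in FORBIDDEN_CHARS for ch in name):
        return False
    lower = name.lower()              # assumption: case-insensitive name, so extension matched case-insensitively
    if not lower.endswith(".tar.gz"):
        return False
    if lower in ("..tar.gz", "...tar.gz"):
        return False
    return True


def check_names(names):
    """Map each candidate name to its verdict, for batch-generated archive names."""
    return {n: valid_archive_name(n) for n in names}


if __name__ == "__main__":
    # Constructed sample names covering each rule.
    samples = ["test.tar.gz", "cnt2-2024-01-31.TAR.GZ", "-test.tar.gz",
               "..tar.gz", "...tar.gz", "logs/test.tar.gz", "test.tgz"]
    for n, ok in check_names(samples).items():
        print(f"{n!r}: {'ok' if ok else 'rejected'}")
```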