07-Layer 3 - IP Services Command Reference

H3C MSR Router Series Comware 7 Command References-R0615-6W203

Contents

ARP commands
arp check enable
arp check log enable
arp max-learning-num
arp max-learning-number
arp static
arp timer aging
display arp
display arp ip-address
display arp timer aging
display arp vpn-instance
reset arp

Gratuitous ARP commands
arp ip-conflict log prompt
arp send-gratuitous-arp
gratuitous-arp-learning enable
gratuitous-arp-sending enable

Proxy ARP commands
display local-proxy-arp
display proxy-arp
local-proxy-arp enable
proxy-arp enable

ARP snooping commands
arp snooping enable
display arp snooping
reset arp snooping

ARP fast-reply commands
arp fast-reply enable

ARP PnP commands
arp pnp
display arp pnp

ARP suppression commands
arp suppression enable
arp suppression push interval
display arp suppression xconnect-group
reset arp suppression xconnect-group

ARP direct route advertisement commands
arp route-direct advertise

IP addressing commands
display ip interface
display ip interface brief
ip address
ip address unnumbered

DHCP commands

Common DHCP commands
dhcp client-detect
dhcp dscp
dhcp enable
dhcp log enable
dhcp select

DHCP server commands
address range
bims-server
bootfile-name
class ip-pool
class option-group
class range
default ip-pool
dhcp apply-policy
dhcp class
dhcp option-group
dhcp policy
dhcp server always-broadcast
dhcp server apply ip-pool
dhcp server bootp ignore
dhcp server bootp reply-rfc-1048
dhcp server database filename
dhcp server database update interval
dhcp server database update now
dhcp server database update stop
dhcp server forbidden-ip
dhcp server ip-pool
dhcp server ping packets
dhcp server ping timeout
dhcp server relay information enable
dhcp server reply-exclude-option60
display dhcp server conflict
display dhcp server database
display dhcp server expired
display dhcp server free-ip
display dhcp server ip-in-use
display dhcp server pool
display dhcp server statistics
dns-list
domain-name
expired
forbidden-ip
gateway-list
if-match
ip-in-use threshold
nbns-list
netbios-type
network
next-server
option
reset dhcp server conflict
reset dhcp server expired
reset dhcp server ip-in-use
reset dhcp server statistics
static-bind
tftp-server domain-name
tftp-server ip-address
valid class
verify class
voice-config
vpn-instance

DHCP relay agent commands
dhcp relay check mac-address
dhcp relay check mac-address aging time
dhcp relay client-information record
dhcp relay client-information refresh
dhcp relay client-information refresh enable
dhcp relay forward reply by-option82
dhcp relay gateway
dhcp relay information circuit-id
dhcp relay information enable
dhcp relay information remote-id
dhcp relay information strategy
dhcp relay release ip
dhcp relay server-address
dhcp relay source-address
dhcp smart-relay enable
display dhcp relay check mac-address
display dhcp relay client-information
display dhcp relay information
display dhcp relay server-address
display dhcp relay statistics
gateway-list
remote-server
reset dhcp relay client-information
reset dhcp relay statistics

DHCP client commands
dhcp client dad enable
dhcp client dscp
dhcp client identifier
display dhcp client
ip address dhcp-alloc

DHCP snooping commands
dhcp snooping binding database filename
dhcp snooping binding database update interval
dhcp snooping binding database update now
dhcp snooping binding record
dhcp snooping check mac-address
dhcp snooping check request-message
dhcp snooping deny
dhcp snooping enable
dhcp snooping information circuit-id
dhcp snooping information enable
dhcp snooping information remote-id
dhcp snooping information strategy
dhcp snooping log enable
dhcp snooping max-learning-num
dhcp snooping trust
display dhcp snooping binding
display dhcp snooping binding database
display dhcp snooping information
display dhcp snooping packet statistics
display dhcp snooping trust
reset dhcp snooping binding
reset dhcp snooping packet statistics

BOOTP client commands
display bootp client
ip address bootp-alloc

DNS commands
display dns domain
display dns host
display dns server
display ipv6 dns server
dns domain
dns dscp
dns proxy enable
dns server
dns source-interface
dns spoofing
dns spoofing track
dns trust-interface
ip host
ipv6 dns dscp
ipv6 dns server
ipv6 dns spoofing
ipv6 host
reset dns host

DDNS commands
ddns apply policy
ddns dscp
ddns policy
display ddns policy
interval
method
password
ssl-client-policy
url
username

NAT commands
address
block-size
display nat alg
display nat all
display nat address-group
display nat dns-map
display nat eim
display nat inbound
display nat log
display nat no-pat
display nat outbound
display nat outbound port-block-group
display nat port-block
display nat port-block-group
display nat port-block-usage
display nat server
display nat server-group
display nat session
display nat static
display nat statistics
global-ip-pool
inside ip
local-ip-address
nat address-group
nat alg
nat dns-map
nat hairpin enable
nat icmp-error reply
nat inbound
nat inbound rule move
nat log alarm
nat log enable
nat log flow-active
nat log flow-begin
nat log flow-end
nat log port-block usage threshold
nat log port-block-assign
nat log port-block-withdraw
nat mapping-behavior
nat outbound
nat outbound ds-lite-b4
nat outbound port-block-group
nat outbound rule move
nat port-block global-share enable
nat port-block-group
nat server
nat server rule move
nat server-group
nat static enable
nat static inbound
nat static inbound net-to-net
nat static inbound object-group
nat static inbound rule move
nat static outbound
nat static outbound net-to-net
nat static outbound object-group
nat static outbound rule move
nat timestamp delete
nat redirect reply-route
port-block
port-range
reset nat count statistics
reset nat session

Basic IP forwarding commands
display fib
ip last-hop hold

Load sharing commands
bandwidth-based-sharing
ip load-sharing mode

Fast forwarding commands
display ip fast-forwarding aging-time
display ip fast-forwarding cache
display ip fast-forwarding fragcache
ip fast-forwarding aging-time
ip fast-forwarding dscp
ip fast-forwarding load-sharing
ip fast-forwarding vxlan-port
reset ip fast-forwarding cache

Flow classification commands
forwarding policy

IPv4 adjacency table commands
display adjacent-table

IPv6 adjacency table commands
display ipv6 adjacent-table

IRDP commands
ip irdp
ip irdp address
ip irdp lifetime
ip irdp interval
ip irdp multicast
ip irdp preference

IP performance optimization commands
display icmp statistics
display ip statistics
display rawip
display rawip verbose
display tcp
display tcp statistics
display tcp verbose
display tcp-proxy
display tcp-proxy port-info
display udp
display udp statistics
display udp verbose
ip forward-broadcast
ip icmp error-interval
ip icmp source
ip mtu
ip reassemble local enable
ip redirects enable
ip ttl-expires enable
ip unreachables enable
reset ip statistics
reset tcp statistics
reset udp statistics
tcp mss
tcp path-mtu-discovery
tcp syn-cookie enable
tcp timer fin-timeout
tcp timer syn-timeout
tcp window

UDP helper commands
display udp-helper interface
reset udp-helper statistics
udp-helper broadcast-map
udp-helper enable
udp-helper multicast-map
udp-helper port
udp-helper server

IPv6 basics commands
display ipv6 fib
display ipv6 icmp statistics
display ipv6 interface
display ipv6 interface prefix
display ipv6 nd suppression xconnect-group
display ipv6 neighbors
display ipv6 neighbors count
display ipv6 neighbors vpn-instance
display ipv6 pathmtu
display ipv6 prefix
display ipv6 rawip
display ipv6 rawip verbose
display ipv6 router-renumber statistics
display ipv6 statistics
display ipv6 tcp
display ipv6 tcp verbose
display ipv6 tcp-proxy
display ipv6 tcp-proxy port-info
display ipv6 udp
display ipv6 udp verbose
ipv6 address
ipv6 address anycast
ipv6 address auto
ipv6 address auto link-local
ipv6 address eui-64
ipv6 address link-local
ipv6 address prefix-number
ipv6 bandwidth-based-sharing
ipv6 extension-header drop enable
ipv6 hop-limit
ipv6 hoplimit-expires enable
ipv6 icmpv6 error-interval
ipv6 icmpv6 multicast-echo-reply enable
ipv6 icmpv6 source
ipv6 mtu
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
ipv6 nd dad attempts
ipv6 nd ns retrans-timer
ipv6 nd nud reachable-time
ipv6 nd ra halt
ipv6 nd ra hop-limit unspecified
ipv6 nd ra interval
ipv6 nd ra no-advlinkmtu
ipv6 nd ra prefix
ipv6 nd ra router-lifetime
ipv6 nd route-direct advertise
ipv6 nd router-preference
ipv6 nd suppression enable
ipv6 nd suppression push interval
ipv6 neighbor
ipv6 neighbor link-local minimize
ipv6 neighbor stale-aging
ipv6 neighbors max-learning-num
ipv6 pathmtu
ipv6 pathmtu age
ipv6 prefer temporary-address
ipv6 prefix
ipv6 reassemble local enable
ipv6 redirects enable
ipv6 router-renumber enable
ipv6 temporary-address
ipv6 unreachables enable
local-proxy-nd enable
proxy-nd enable
reset ipv6 nd suppression xconnect-group
reset ipv6 neighbors
reset ipv6 pathmtu
reset ipv6 router-renumber statistics
reset ipv6 statistics

DHCPv6 commands

Common DHCPv6 commands
display ipv6 dhcp duid
ipv6 dhcp dscp
ipv6 dhcp log enable
ipv6 dhcp select

DHCPv6 server commands
address range
class pool
default pool
display ipv6 dhcp option-group
display ipv6 dhcp pool
display ipv6 dhcp prefix-pool
display ipv6 dhcp server
display ipv6 dhcp server conflict
display ipv6 dhcp server database
display ipv6 dhcp server expired
display ipv6 dhcp server ip-in-use
display ipv6 dhcp server pd-in-use
display ipv6 dhcp server statistics
dns-server
domain-name
if-match
ipv6 dhcp apply-policy
ipv6 dhcp class
ipv6 dhcp option-group
ipv6 dhcp policy
ipv6 dhcp pool
ipv6 dhcp prefix-pool
ipv6 dhcp server
ipv6 dhcp server apply pool
ipv6 dhcp server database filename
ipv6 dhcp server database update interval
ipv6 dhcp server database update now
ipv6 dhcp server database update stop
ipv6 dhcp server forbidden-address
ipv6 dhcp server forbidden-prefix
network
option
option-group
prefix-pool
reset ipv6 dhcp server conflict
reset ipv6 dhcp server expired
reset ipv6 dhcp server ip-in-use
reset ipv6 dhcp server pd-in-use
reset ipv6 dhcp server statistics
sip-server
static-bind
temporary address range
vpn-instance

DHCPv6 relay agent commands
display ipv6 dhcp relay server-address
display ipv6 dhcp relay statistics
gateway-list
ipv6 dhcp relay gateway
ipv6 dhcp relay interface-id
ipv6 dhcp relay server-address
remote-server
reset ipv6 dhcp relay statistics

DHCPv6 client commands
display ipv6 dhcp client
display ipv6 dhcp client statistics
ipv6 address dhcp-alloc
ipv6 dhcp client dscp
ipv6 dhcp client duid
ipv6 dhcp client pd
ipv6 dhcp client stateless enable
ipv6 dhcp client stateful
reset ipv6 dhcp client statistics

DHCPv6 snooping commands
display ipv6 dhcp snooping binding
display ipv6 dhcp snooping binding database
display ipv6 dhcp snooping packet statistics
display ipv6 dhcp snooping trust
ipv6 dhcp snooping binding database filename
ipv6 dhcp snooping binding database update interval
ipv6 dhcp snooping binding database update now
ipv6 dhcp snooping binding record
ipv6 dhcp snooping check request-message
ipv6 dhcp snooping deny
ipv6 dhcp snooping enable
ipv6 dhcp snooping log enable
ipv6 dhcp snooping max-learning-num
ipv6 dhcp snooping option interface-id enable
ipv6 dhcp snooping option interface-id string
ipv6 dhcp snooping option remote-id enable
ipv6 dhcp snooping option remote-id string
ipv6 dhcp snooping trust
reset ipv6 dhcp snooping binding
reset ipv6 dhcp snooping packet statistics

IPv6 fast forwarding commands
display ipv6 fast-forwarding aging-time
display ipv6 fast-forwarding cache
ipv6 fast-forwarding aging-time
ipv6 fast-forwarding load-sharing
reset ipv6 fast-forwarding cache

Tunneling commands
bandwidth
default
description
destination
display 6rd
display 6rd destination
display 6rd prefix
display ds-lite b4 information
display interface tunnel
ds-lite enable
encapsulation-limit
interface tunnel
mtu
reset counters interface
service
service standby
shutdown
source
tunnel 6rd br
tunnel 6rd ipv4
tunnel 6rd prefix
tunnel dfbit enable
tunnel discard ipv4-compatible-packet
tunnel tos
tunnel ttl
tunnel vpn-instance

GRE commands
gre checksum
gre key
keepalive
service-class

ADVPN commands

VAM server commands
authentication-algorithm
authentication-method
display vam server address-map
display vam server ipv6 address-map
display vam server ipv6 private-network
display vam server private-network
display vam server statistics
encryption-algorithm
hub-group
hub ipv6 private-address
hub private-address
keepalive
pre-shared-key (ADVPN domain view)
retry interval
reset vam server address-map
reset vam server ipv6 address-map
reset vam server statistics
server enable
shortcut interest
shortcut ipv6 interest
spoke ipv6 private-address
spoke private-address
vam server advpn-domain
vam server enable
vam server listen-port

VAM client commands
advpn-domain
client enable
display vam client fsm
display vam client shortcut interest
display vam client shortcut ipv6 interest
display vam client statistics
dumb-time
pre-shared-key (VAM client view)
reset vam client fsm
reset vam client ipv6 fsm
reset vam client statistics
retry
server primary
server secondary
user
vam client enable
vam client name

ADVPN tunnel commands
advpn group
advpn ipv6 network
advpn map group
advpn network
advpn session dumb-time
advpn session idle-time
advpn source-port
display advpn group-qos-map
display advpn ipv6 session
display advpn session
display advpn session count
keepalive
reset advpn ipv6 session
reset advpn ipv6 session statistics
reset advpn session
reset advpn session statistics
vam client
vam ipv6 client

WAAS commands
class
display waas class
display waas policy
display waas session
display waas statistics dre
display waas status
display waas tfo auto-discovery blacklist
match tcp
optimize
passthrough
reset waas cache dre
reset waas statistics dre
reset waas tfo auto-discovery blacklist
waas apply policy
waas class
waas config remove-all
waas config restore-default
waas dre cache aging
waas dre offset-step
waas policy
waas tfo auto-discovery blacklist enable
waas tfo auto-discovery blacklist hold-time
waas tfo base-congestion-window
waas tfo congestion-method
waas tfo connect-limit
waas tfo keepalive
waas tfo optimize dre
waas tfo optimize lz
waas tfo receive-buffer
waas unsymmertrical

AFT commands
address
aft address-group
aft enable
aft log enable
aft log flow-begin
aft log flow-end
aft prefix-general
aft prefix-ivi
aft prefix-nat64
aft turn-off tos
aft turn-off traffic-class
aft v4tov6 destination
aft v4tov6 source
aft v6server
aft v6tov4 source
display aft address-group
display aft address-mapping
display aft configuration
display aft no-pat
display aft port-block
display aft session
display aft statistics
reset aft session
reset aft statistics

Lighttpd Web service commands
light-http server directory
light-http server enable

Index


ARP commands

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

·     MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

arp check enable

Use arp check enable to enable dynamic ARP entry check.

Use undo arp check enable to disable dynamic ARP entry check.

Syntax

arp check enable

undo arp check enable

Default

Dynamic ARP entry check is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

When dynamic ARP entry check is enabled, the device does not support ARP entries that contain multicast MAC addresses. The device cannot learn dynamic ARP entries containing multicast MAC addresses, and you cannot manually add static ARP entries that contain multicast MAC addresses.

When dynamic ARP entry check is disabled, ARP entries containing multicast MAC addresses are supported. The device can learn dynamic ARP entries containing multicast MAC addresses obtained from the ARP packets sourced from a unicast MAC address. You can also manually add static ARP entries containing multicast MAC addresses.

Examples

# Enable dynamic ARP entry check.

<Sysname> system-view

[Sysname] arp check enable

arp check log enable

Use arp check log enable to enable the ARP logging feature.

Use undo arp check log enable to disable the ARP logging feature.

Syntax

arp check log enable

undo arp check log enable

Default

ARP logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables a device to log ARP events when ARP cannot resolve IP addresses correctly. The device can log the following ARP events:

·     On a proxy ARP-disabled interface, the target IP address of a received ARP packet is not one of the following IP addresses:

      -     The IP address of the receiving interface.

      -     The virtual IP address of the VRRP group.

      -     The public IP address after NAT.

·     The sender IP address of a received ARP reply conflicts with one of the following IP addresses:

      -     The IP address of the receiving interface.

      -     The virtual IP address of the VRRP group.

      -     The public IP address after NAT.

The device sends ARP log messages to the information center. You can use the info-center source command to specify the log output rules for the information center. For more information about the information center, see Network Management and Monitoring Configuration Guide.

The device can generate a large number of ARP logs. To conserve system resources, enable ARP logging only when you are troubleshooting or debugging ARP events.

Examples

# Enable ARP logging.

<Sysname> system-view

[Sysname] arp check log enable
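The two loggable conditions described above, as an added example in Python (not H3C code and not part of the original reference): it parses a raw Ethernet/IPv4 ARP payload and reports which condition it meets. The event labels, the LOCAL address set, and the sample packets are constructed for this example; the device's own log message format is not shown on this page and is not reproduced here.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)


def parse_arp(payload: bytes) -> dict:
    """Parse the 28-byte Ethernet/IPv4 ARP payload (RFC 826 field order)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "op": op,
        "sender_mac": sha.hex(),
        "sender_ip": ipaddress.IPv4Address(spa),
        "target_ip": ipaddress.IPv4Address(tpa),
    }


def build_arp(op, sender_mac, sender_ip, target_ip, target_mac="00" * 6) -> bytes:
    """Build a sample ARP payload (helper for the constructed test packets)."""
    return struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, op,
        bytes.fromhex(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
        bytes.fromhex(target_mac), ipaddress.IPv4Address(target_ip).packed,
    )


def loggable_events(payload: bytes, local: dict, proxy_arp_enabled: bool = False) -> list:
    """Return the conditions from the usage guidelines that this packet meets.

    local maps a role (interface IP, VRRP virtual IP, public IP after NAT)
    to the set of addresses the receiving interface answers for.
    """
    arp = parse_arp(payload)
    owned = {ip: role for role, ips in local.items() for ip in ips}
    events = []
    # Condition 1: proxy ARP is disabled and the target IP is none of the local addresses.
    if not proxy_arp_enabled and arp["target_ip"] not in owned:
        events.append("target-not-local")
    # Condition 2: an ARP reply whose sender IP is one of the local addresses.
    if arp["op"] == ARP_REPLY and arp["sender_ip"] in owned:
        events.append("sender-ip-conflict:" + owned[arp["sender_ip"]])
    return events


# Constructed sample data (documentation address ranges, not taken from the page).
LOCAL = {
    "interface-ip": {ipaddress.IPv4Address("192.0.2.1")},
    "vrrp-virtual-ip": {ipaddress.IPv4Address("192.0.2.254")},
    "nat-public-ip": {ipaddress.IPv4Address("198.51.100.10")},
}
SAMPLES = {
    "normal request": build_arp(ARP_REQUEST, "00e0fc010001", "192.0.2.20", "192.0.2.1"),
    "request for foreign IP": build_arp(ARP_REQUEST, "00e0fc010002", "192.0.2.21", "192.0.2.77"),
    "reply claiming VRRP IP": build_arp(ARP_REPLY, "00e0fc010003", "192.0.2.254", "192.0.2.1"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "->", loggable_events(pkt, LOCAL))
```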

arp max-learning-num

Use arp max-learning-num to set the maximum number of dynamic ARP entries that an interface can learn.

Use undo arp max-learning-num to restore the default.

Syntax

arp max-learning-num max-number

undo arp max-learning-num

Default

The following matrix shows the default values for the max-number argument:

| Hardware | Default |
| --- | --- |
| MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | 4096 |
| MSR2600-6-X1/2600-10-X1 | 4096 |
| MSR 2630 | 4096 |
| MSR3600-28/3600-51 | 4096 |
| MSR3600-28-SI/3600-51-SI | 4096 |
| MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | 4096 |
| MSR 3610/3620/3620-DP/3640/3660 | 4096 |
| MSR5620/5660/5680 | 16384 |

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/aggregate subinterface view

VLAN interface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of dynamic ARP entries for an interface.

The following matrix shows the value ranges for the max-number argument:

| Hardware | Value range |
| --- | --- |
| MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | 0 to 4096 |
| MSR2600-6-X1/2600-10-X1 | 0 to 4096 |
| MSR 2630 | 0 to 4096 |
| MSR3600-28/3600-51 | 0 to 4096 |
| MSR3600-28-SI/3600-51-SI | 0 to 4096 |
| MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | 0 to 4096 |
| MSR 3610/3620/3620-DP/3640/3660 | 0 to 4096 |
| MSR5620/5660/5680 | 0 to 16384 |

Usage guidelines

An interface can dynamically learn ARP entries. To prevent an interface from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the interface can learn. When the maximum number is reached, the interface stops learning ARP entries.

When the max-number argument is set to 0, the interface is disabled from learning dynamic ARP entries.

Examples

# Specify VLAN-interface 40 to learn a maximum of 10 dynamic ARP entries.

<Sysname> system-view

[Sysname] interface vlan-interface 40

[Sysname-Vlan-interface40] arp max-learning-num 10

# Specify GigabitEthernet 1/0/1 to learn a maximum of 10 dynamic ARP entries.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] arp max-learning-num 10

# Specify Layer 2 aggregate interface Bridge-Aggregation 1 to learn a maximum of 10 dynamic ARP entries.

<Sysname> system-view

[Sysname] interface bridge-aggregation 1

[Sysname-Bridge-Aggregation1] arp max-learning-num 10

# Specify Layer 3 aggregate interface Route-Aggregation 1 to learn a maximum of 10 dynamic ARP entries.

<Sysname> system-view

[Sysname] interface route-aggregation 1

[Sysname-Route-Aggregation1] arp max-learning-num 10

arp max-learning-number

Use arp max-learning-number to set the maximum number of dynamic ARP entries that a device can learn.

Use undo arp max-learning-number to restore the default.

Syntax

Centralized devices in standalone mode:

arp max-learning-number max-number

undo arp max-learning-number

Distributed devices in standalone mode/centralized devices in IRF mode:

arp max-learning-number max-number slot slot-number

undo arp max-learning-number slot slot-number

Distributed devices in IRF mode:

arp max-learning-number max-number chassis chassis-number slot slot-number

undo arp max-learning-number chassis chassis-number slot slot-number

Default

The following matrix shows the default values for the max-number argument:

| Hardware | Default |
| --- | --- |
| MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | 4096 |
| MSR2600-6-X1/2600-10-X1 | 4096 |
| MSR 2630 | 4096 |
| MSR3600-28/3600-51 | 4096 |
| MSR3600-28-SI/3600-51-SI | 4096 |
| MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | 4096 |
| MSR 3610/3620/3620-DP/3640/3660 | 4096 |
| MSR5620/5660/5680 | 16384 |

Views

System view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of dynamic ARP entries for a device.

The following matrix shows the value ranges for the max-number argument:

| Hardware | Value range |
| --- | --- |
| MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | 0 to 4096 |
| MSR2600-6-X1/2600-10-X1 | 0 to 4096 |
| MSR 2630 | 0 to 4096 |
| MSR3600-28/3600-51 | 0 to 4096 |
| MSR3600-28-SI/3600-51-SI | 0 to 4096 |
| MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | 0 to 4096 |
| MSR 3610/3620/3620-DP/3640/3660 | 0 to 4096 |
| MSR5620/5660/5680 | 0 to 16384 |

slot slot-number: Specifies a card by its slot number. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (Distributed devices in IRF mode.)

Usage guidelines

A device can dynamically learn ARP entries. To prevent a device from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the device can learn. When the maximum number is reached, the device stops learning ARP entries.

When the max-number argument is set to 0, the device is disabled from learning dynamic ARP entries.

Examples

# Set the card in slot 1 to learn a maximum of 64 dynamic ARP entries.

<Sysname> system-view

[Sysname] arp max-learning-number 64 slot 1

arp static

Use arp static to configure a static ARP entry.

Use undo arp to delete an ARP entry.

Syntax

arp static ip-address mac-address [ vlan-id interface-type interface-number | vsi-interface vsi-interface-id tunnel number vsi vsi-name ] [ vpn-instance vpn-instance-name ]

undo arp ip-address [ vpn-instance-name ]

Default

No static ARP entries exist.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Specifies an IP address for the static ARP entry.

mac-address: Specifies a MAC address for the static ARP entry, in the format of H-H-H.

vlan-id: Specifies the ID of a VLAN to which the static ARP entry belongs. The value range is 1 to 4094.

interface-type interface-number: Specifies an interface by its type and number.

vsi-interface vsi-interface-id: Specifies a VSI interface by its number. The following matrix shows the value ranges for the vsi-interface-id argument:

| Hardware | Value range |
| --- | --- |
| MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | 0 to 8191 |
| MSR2600-6-X1/2600-10-X1 | 0 to 8191 |
| MSR 2630 | 0 to 8191 |
| MSR3600-28/3600-51 | 0 to 8191 |
| MSR3600-28-SI/3600-51-SI | 0 to 8191 |
| MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | 0 to 8191 |
| MSR 3610/3620/3620-DP/3640/3660 | 0 to 8191 |
| MSR5620/5660/5680 | 0 to 8191 |

tunnel number: Specifies a tunnel interface by its number. The following matrices show the value ranges for the number argument:

| Hardware | Value range |
| --- | --- |
| MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | 0 to 10239 |
| MSR810-LMS/810-LUS | 0 to 1023 |
| MSR2600-6-X1/2600-10-X1 | 0 to 10239 |
| MSR 2630 | 0 to 10239 |
| MSR3600-28/3600-51 | 0 to 10239 |
| MSR3600-28-SI/3600-51-SI | 0 to 10239 |
| MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | 0 to 10239 |
| MSR 3610/3620/3620-DP/3640/3660 | 0 to 10239 |
| MSR5620/5660/5680 | 0 to 10239 |

| Hardware | Value range |
| --- | --- |
| MSR810-LM-GL | 0 to 10239 |
| MSR810-W-LM-GL | 0 to 10239 |
| MSR830-6EI-GL | 0 to 10239 |
| MSR830-10EI-GL | 0 to 10239 |
| MSR830-6HI-GL | 0 to 10239 |
| MSR830-10HI-GL | 0 to 10239 |
| MSR2600-6-X1-GL | 0 to 10239 |
| MSR3600-28-SI-GL | 0 to 10239 |

vsi vsi-name: Specifies a VSI by its name, a case-sensitive string of 1 to 31 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN for the static ARP entry. The VPN instance name is a case-sensitive string of 1 to 31 characters. The VPN instance must already exist. To specify a static ARP entry on the public network, do not specify this option.

Usage guidelines

A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten by any dynamic ARP entry.

Static ARP entries can be short or long. A resolved short static ARP entry becomes unresolved upon certain events, for example, when the resolved output interface goes down, or the corresponding VLAN or VLAN interface is deleted.

A long static ARP entry is either effective or ineffective. An ineffective long static ARP entry cannot be used for packet forwarding. A long static ARP entry is ineffective when any of the following conditions exists:

·     The corresponding VLAN interface or output interface is down.

·     The IP address in the entry conflicts with a local IP address.

·     No local interface has an IP address in the same subnet as the IP address in the ARP entry.

A long static ARP entry for a VLAN is deleted if the VLAN or VLAN interface is deleted.

If you specify the vlan-id interface-type interface-number arguments, follow these restrictions and guidelines:

·     The interface must be an Ethernet interface.

·     The VLAN and VLAN interface must already exist. The specified Ethernet interface must belong to the specified VLAN.

·     The IP address of the VLAN interface and the IP address specified by the ip-address argument must be on the same network.

On a VXLAN IP gateway that forwards traffic among VXLANs through VXLAN tunnels, a VSI interface can act as the gateway for multiple VXLANs. The VSI interface (input interface) might be connected to multiple VXLAN tunnel interfaces (output interfaces). In this case, you must specify the vsi-interface vsi-interface-id tunnel number vsi vsi-name parameters to identify a VSI interface-VSI-VXLAN tunnel interface binding. For more information about VSI interfaces, VSI, and VXLAN tunnel interfaces, see VXLAN Configuration Guide.

Examples

# Configure a long static ARP entry that contains IP address 202.38.10.2, MAC address 00e0-fc01-0000, and output interface GigabitEthernet 1/0/1 in VLAN 10.

<Sysname> system-view

[Sysname] arp static 202.38.10.2 00e0-fc01-0000 10 gigabitethernet 1/0/1

# Configure a long static ARP entry that contains IP address 1.1.1.1, MAC address 00e0-fc01-0000, input interface VSI-interface 1, output interface Tunnel 1, and VSI a.

<Sysname> system-view

[Sysname] arp static 1.1.1.1 00e0-fc01-0000 vsi-interface 1 tunnel 1 vsi a

Related commands

display arp

reset arp
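
The restrictions and the "ineffective entry" conditions listed in the usage guidelines above can be checked before a long static ARP entry is pushed to a device. The following Python sketch is an added example, not H3C code: it validates the VLAN form of the arp static command against an interface inventory. The Iface record, the INVENTORY contents, the problem codes, and the function name are assumptions made for illustration, and the VSI/tunnel form is not handled.

```python
"""Pre-check a VLAN-form 'arp static' command (added example, not vendor code)."""
import ipaddress
import re
from dataclasses import dataclass

# arp static ip-address mac-address vlan-id interface-type interface-number
CMD_RE = re.compile(
    r"^arp static (?P<ip>\S+) (?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}) "
    r"(?P<vlan>\d+) (?P<itype>\S+) (?P<inum>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Iface:
    """Hypothetical inventory record, e.g. built from your own CMDB or show output."""
    up: bool
    ethernet: bool = False            # True for Ethernet ports
    address: str = ""                 # "a.b.c.d/len", empty when no IP is configured
    vlans: frozenset = frozenset()    # VLANs an Ethernet port belongs to


# Constructed inventory, keyed by lower-case interface name without spaces.
INVENTORY = {
    "gigabitethernet1/0/1": Iface(up=True, ethernet=True, vlans=frozenset({10})),
    "gigabitethernet1/0/2": Iface(up=False, ethernet=True, vlans=frozenset({20})),
    "vlan-interface10": Iface(up=True, address="202.38.10.1/24"),
    "vlan-interface20": Iface(up=True, address="10.0.20.1/24"),
}


def check_long_static_arp(command, inventory):
    """Return a list of problem codes; an empty list means no documented condition is hit."""
    m = CMD_RE.match(" ".join(command.split()))
    if m is None:
        raise ValueError(f"not a VLAN-form 'arp static' command: {command!r}")
    ip = ipaddress.IPv4Address(m["ip"])
    vlan = int(m["vlan"])
    port = inventory.get((m["itype"] + m["inum"]).lower())
    vlanif = inventory.get(f"vlan-interface{vlan}")
    local = [ipaddress.ip_interface(i.address) for i in inventory.values() if i.address]
    problems = []

    # Restrictions for the vlan-id interface-type interface-number argument.
    if port is None or not port.ethernet:
        problems.append("output-interface-not-ethernet")
    elif vlan not in port.vlans:
        problems.append("port-not-in-vlan")
    if vlanif is None:
        problems.append("vlan-interface-missing")
    elif not vlanif.address or ip not in ipaddress.ip_interface(vlanif.address).network:
        problems.append("not-on-vlan-interface-network")

    # Conditions that make an accepted entry ineffective for forwarding.
    if (port is not None and not port.up) or (vlanif is not None and not vlanif.up):
        problems.append("interface-down")
    if any(ip == addr.ip for addr in local):
        problems.append("conflicts-with-local-ip")
    if not any(ip in addr.network for addr in local):
        problems.append("no-local-interface-in-subnet")
    return problems


if __name__ == "__main__":
    for cmd in (
        "arp static 202.38.10.2 00e0-fc01-0000 10 gigabitethernet 1/0/1",
        "arp static 202.38.10.1 00e0-fc01-0000 10 gigabitethernet 1/0/1",
        "arp static 10.0.30.5 00e0-fc01-0000 20 gigabitethernet 1/0/2",
    ):
        print(cmd, "->", check_long_static_arp(cmd, INVENTORY) or "ok")
```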

arp timer aging

Use arp timer aging to set the aging timer for dynamic ARP entries.

Use undo arp timer aging to restore the default.

Syntax

arp timer aging aging-time

undo arp timer aging

Default

The aging timer for dynamic ARP entries is 20 minutes.

Views

System view

Predefined user roles

network-admin

Parameters

aging-time: Sets the aging timer for dynamic ARP entries, in the range of 1 to 1440 minutes.

Usage guidelines

Each dynamic ARP entry in the ARP table has a limited lifetime, called an aging timer. The aging timer of a dynamic ARP entry is reset each time the dynamic ARP entry is updated. Dynamic ARP entries that are not updated before their aging timers expire are deleted from the ARP table.

Set the aging timer for dynamic ARP entries as needed. For example, when you configure proxy ARP, set a short aging time so that invalid dynamic ARP entries can be deleted in a timely manner.

Examples

# Set the aging timer for dynamic ARP entries to 10 minutes.

<Sysname> system-view

[Sysname] arp timer aging 10

Related commands

display arp timer aging

display arp

Use display arp to display ARP entries.

Syntax

Centralized devices in standalone mode:

display arp [ [ all | dynamic | static ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display arp [ [ all | dynamic | static ] [ slot slot-number ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ]

Distributed devices in IRF mode:

display arp [ [ all | dynamic | static ] [ chassis chassis-number slot slot-number ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays all ARP entries.

dynamic: Displays dynamic ARP entries.

static: Displays static ARP entries.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ARP entries for the active MPU. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ARP entries for the master device. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays ARP entries for the global active MPU. (Distributed devices in IRF mode.)

vlan vlan-id: Specifies a VLAN by its VLAN ID. The VLAN ID is in the range of 1 to 4094.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays ARP entries for all interfaces.

count: Displays the number of ARP entries.

verbose: Displays detailed information about ARP entries.

Usage guidelines

This command displays information about ARP entries, including the IP address, MAC address, VLAN ID, output interface, entry type, and aging timer.

Examples

# Display all ARP entries.

<Sysname> display arp all

  Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport  I-Invalid

IP Address       MAC Address    SVLAN/VSI Interface/Link ID        Aging Type

1.1.1.1          02e0-f102-0023 1         GE1/0/1                  --    S

1.1.1.2          00e0-fc00-0001 12        GE1/0/2                  16    D

1.1.1.3          00e0-fe50-6503 12        Tunnel1                  15    D

1.1.1.4          000d-88f7-9f7d 12        0x1                      16    D

# Display detailed information about all ARP entries.

<Sysname> display arp all verbose

  Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport  I-Invalid

IP Address: 1.1.1.1             SVLAN/CVLAN: 1000/1001   Aging: --

MAC Address: 02e0-f102-0023     Type: S                  Nickname: 0x0000

Interface/Link ID: GE1/0/1

VPN Instance: --

VXLAN ID: --

VSI Name: --

VSI Interface: --

MPLS PW ID: --

MPLS peer PE address: --

IP Address: 1.1.1.2             SVLAN/CVLAN: --/--       Aging: --

MAC Address: 0015-e944-adc5     Type: D                  Nickname: 0x0000

Interface/Link ID: GE1/0/2

VPN Instance: --

VXLAN ID: --

VSI Name: --

VSI Interface: --

MPLS PW ID: --

MPLS peer PE address: --

# Display the number of all ARP entries.

<Sysname> display arp all count

 Total number of entries : 5

Table 1 Command output (field: description)

IP Address: IP address in an ARP entry.

MAC Address: MAC address in an ARP entry.

SVLAN/VSI: ID of the SVLAN or index of the VSI to which the ARP entry belongs. This field displays hyphens (--) in either of the following situations:

·     The ARP entry is an unresolved short static ARP entry.

·     The output interface of the ARP entry does not belong to the VLAN.

SVLAN/CVLAN: ID of the SVLAN or CVLAN to which the ARP entry belongs. This field displays hyphens (--) in either of the following situations:

·     The ARP entry is an unresolved short static ARP entry.

·     The output interface of the ARP entry does not belong to a specific SVLAN or CVLAN.

Interface/Link ID: Output interface or the link ID in the ARP entry. This field displays hyphens (--) in either of the following situations:

·     The ARP entry is an unresolved short static ARP entry.

·     The ARP entry is a multiport ARP entry and has no output interface information. To obtain the output interface of the multiport ARP entry, look up the MAC address table according to the MAC address in the ARP entry.

Aging: Aging time for a dynamic ARP entry in minutes. If the aging time of the ARP entry is unknown or the ARP entry does not age out, this field displays hyphens (--).

Type: ARP entry type:

·     D—Dynamic.

·     S—Static.

·     O—OpenFlow.

·     R—Rule.

·     M—Multiport.

·     I—Invalid.

Nickname: This field is not supported in the current software version. Nickname of the ARP entry. The nickname is a string of four hexadecimal numbers, for example, 0x012a.

VPN Instance: Name of the VPN instance. If no VPN instance is configured for the ARP entry, this field displays hyphens (--).

VXLAN ID: VXLAN ID (also called VNI). This field displays hyphens (--) if the ARP entry does not belong to any VXLAN.

VSI Name: Name of the VSI to which the ARP entry belongs. This field displays hyphens (--) if the ARP entry does not belong to a specific VSI.

VSI Interface: VSI interface specified for the VSI. This field displays hyphens (--) if no VSI interface is specified for the VSI.

MPLS PW ID: ID of the PW to which the ARP entry belongs. This field displays two hyphens (--) if the ARP entry does not belong to a PW.

MPLS peer PE address: IP address of the remote PE on the PW. This field displays two hyphens (--) if the ARP entry does not belong to a PW.

Total number of entries: Total number of ARP entries.

Related commands

arp static

reset arp
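
The six-column display arp all output shown in the examples above can be captured and audited offline. The following Python sketch is an added example, not H3C code: it parses that table and flags Invalid-type entries, IP-to-MAC bindings that differ from an expected baseline, and a MAC address that appears in several dynamic entries. The rows for 1.1.1.5 and 1.1.1.6, the EXPECTED baseline, the finding names, and all function names are constructed for illustration.

```python
"""Audit 'display arp all' output (added example, not vendor code)."""
import ipaddress
import re
from collections import defaultdict
from typing import NamedTuple, Optional

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.IGNORECASE)
ENTRY_TYPES = {"S", "D", "O", "R", "M", "I"}  # legend line of the command output

# First four rows are the page's example; the last two are constructed.
SAMPLE_OUTPUT = """\
<Sysname> display arp all
  Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport  I-Invalid
IP Address       MAC Address    SVLAN/VSI Interface/Link ID        Aging Type
1.1.1.1          02e0-f102-0023 1         GE1/0/1                  --    S
1.1.1.2          00e0-fc00-0001 12        GE1/0/2                  16    D
1.1.1.3          00e0-fe50-6503 12        Tunnel1                  15    D
1.1.1.4          000d-88f7-9f7d 12        0x1                      16    D
1.1.1.5          00e0-fc00-0001 12        GE1/0/2                  3     D
1.1.1.6          0011-2233-4455 12        GE1/0/3                  --    I
"""

# Constructed baseline of bindings that must not change (for example, gateways).
EXPECTED = {"1.1.1.1": "02e0-f102-0023", "1.1.1.3": "00e0-fe50-6500"}


class ArpEntry(NamedTuple):
    ip: str
    mac: str
    svlan: Optional[str]       # None when the field shows "--"
    interface: Optional[str]   # output interface or link ID
    aging: Optional[int]       # minutes; None when the field shows "--"
    kind: str                  # one of ENTRY_TYPES


def parse_display_arp(text):
    """Return ArpEntry rows; prompt, legend, and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 6:
            continue
        ip, mac, svlan, iface, aging, kind = cols
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            continue
        if not MAC_RE.match(mac) or kind not in ENTRY_TYPES:
            continue
        entries.append(ArpEntry(
            ip, mac.lower(),
            None if svlan == "--" else svlan,
            None if iface == "--" else iface,
            int(aging) if aging.isdigit() else None,
            kind,
        ))
    return entries


def audit(entries, expected=None):
    """Return (finding, subject, detail) tuples for entries that deserve a look."""
    expected = {ip: mac.lower() for ip, mac in (expected or {}).items()}
    findings = []
    ips_by_mac = defaultdict(list)
    for e in entries:
        if e.kind == "I":
            findings.append(("invalid-entry", e.ip, e.mac))
        want = expected.get(e.ip)
        if want and want != e.mac:
            findings.append(("binding-mismatch", e.ip, f"{e.mac} (expected {want})"))
        if e.kind == "D":
            ips_by_mac[e.mac].append(e.ip)
    # One MAC behind several dynamic entries is not proof of spoofing: a host
    # with several addresses or a neighbouring proxy ARP device also causes it.
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            ordered = sorted(ips, key=ipaddress.IPv4Address)
            findings.append(("mac-has-multiple-ips", mac, ",".join(ordered)))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_display_arp(SAMPLE_OUTPUT), EXPECTED):
        print(*finding)
```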

display arp ip-address

Use display arp ip-address to display the ARP entry for an IP address.

Syntax

Centralized devices in standalone mode:

display arp ip-address [ verbose ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display arp ip-address [ slot slot-number ] [ verbose ]

Distributed devices in IRF mode:

display arp ip-address [ chassis chassis-number slot slot-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip-address: Displays the ARP entry for the specified IP address.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information for the active MPU. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information for the master device. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information for the global active MPU. (Distributed devices in IRF mode.)

verbose: Displays the detailed information about the specified ARP entry.

Usage guidelines

The ARP entry information includes the IP address, MAC address, VLAN ID, output interface, entry type, and aging timer.

Examples

# Display the ARP entry for the IP address 20.1.1.1.

<Sysname> display arp 20.1.1.1

  Type: S-Static   D-Dynamic   O-Openflow   R-Rule   I-Invalid

IP address       MAC address     SVID     Interface              Aging Type

20.1.1.1         00e0-fc00-0001  --       --                     --    S

Related commands

arp static

reset arp

display arp timer aging

Use display arp timer aging to display the aging timer of dynamic ARP entries.

Syntax

display arp timer aging

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the aging timer of dynamic ARP entries.

<Sysname> display arp timer aging

Current ARP aging time is 10 minute(s)

Related commands

arp timer aging

display arp vpn-instance

Use display arp vpn-instance to display the ARP entries for a VPN instance.

Syntax

display arp vpn-instance vpn-instance-name [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The VPN instance name cannot contain any spaces.

count: Displays the number of ARP entries.

Usage guidelines

This command displays information about ARP entries for a VPN instance, including the IP address, MAC address, VLAN ID, output interface, entry type, and aging timer.

Examples

# Display ARP entries for the VPN instance named test.

<Sysname> display arp vpn-instance test

  Type: S-Static   D-Dynamic   O-Openflow   R-Rule   I-Invalid

IP address       MAC address     SVID     Interface              Aging Type

20.1.1.1         00e0-fc00-0001  --       --                     --    S

Related commands

arp static

reset arp

reset arp

Use reset arp to clear ARP entries from the ARP table.

Syntax

Centralized devices in standalone mode:

reset arp { all | dynamic | interface interface-type interface-number | static }

Distributed devices in standalone mode/centralized devices in IRF mode:

reset arp { all | dynamic | interface interface-type interface-number | slot slot-number | static }

Distributed devices in IRF mode:

reset arp { all | chassis chassis-number slot slot-number | dynamic | interface interface-type interface-number | static }

Views

User view

Predefined user roles

network-admin

Parameters

all: Clears all ARP entries.

dynamic: Clears all dynamic ARP entries.

static: Clears all static ARP entries.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears ARP entries for the active MPU. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears ARP entries for the master device. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears ARP entries for the global active MPU. (Distributed devices in IRF mode.)

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears ARP entries for all interfaces.

Examples

# Clear all static ARP entries.

<Sysname> reset arp static

Related commands

arp static

display arp


Gratuitous ARP commands

arp ip-conflict log prompt

Use arp ip-conflict log prompt to enable IP conflict notification.

Use undo arp ip-conflict log prompt to restore the default.

Syntax

arp ip-conflict log prompt

undo arp ip-conflict log prompt

Default

IP conflict notification is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

By default, the device performs the following operations if it is using the sender IP address of a received ARP packet:

·     Sends a gratuitous ARP request.

·     Displays an error message after the device receives an ARP reply about the conflict.

Examples

# Enable IP conflict notification on the device.

<Sysname> system-view

[Sysname] arp ip-conflict log prompt

arp send-gratuitous-arp

Use arp send-gratuitous-arp to enable periodic sending of gratuitous ARP packets on an interface.

Use undo arp send-gratuitous-arp to disable the interface from periodically sending gratuitous ARP packets.

Syntax

arp send-gratuitous-arp [ interval interval ]

undo arp send-gratuitous-arp

Default

Periodic sending of gratuitous ARP packets is disabled.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

VLAN interface view

Predefined user roles

network-admin

Parameters

interval interval: Specifies the sending interval in the range of 200 to 200000 milliseconds. The default value is 2000 milliseconds.

Usage guidelines

This feature takes effect on an interface only when the interface has an IP address and the data link layer state of the interface is up.

This feature can send gratuitous ARP requests only for a VRRP virtual IP address, or the sending interface's primary IP address or manually configured secondary IP address. The primary IP address can be configured manually or automatically, whereas the secondary IP address must be configured manually.

If you change the sending interval for gratuitous ARP packets, the configuration takes effect at the next sending interval.

The sending interval for gratuitous ARP packets might be much longer than the set interval when any of the following conditions exists:

·     This feature is enabled on multiple interfaces.

·     Each interface is configured with multiple secondary IP addresses.

·     A small sending interval is configured in the preceding cases.

Examples

# Enable GigabitEthernet 1/0/1 to send gratuitous ARP packets every 300 milliseconds.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] arp send-gratuitous-arp interval 300

gratuitous-arp-learning enable

Use gratuitous-arp-learning enable to enable learning of gratuitous ARP packets.

Use undo gratuitous-arp-learning enable to disable learning of gratuitous ARP packets.

Syntax

gratuitous-arp-learning enable

undo gratuitous-arp-learning enable

Default

Learning of gratuitous ARP packets is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The learning of gratuitous ARP packets feature allows a device to maintain its ARP table by creating or updating ARP entries based on received gratuitous ARP packets.

When this feature is disabled, the device uses received gratuitous ARP packets to update existing ARP entries only. ARP entries are not created based on the received gratuitous ARP packets, which saves ARP table space.

Examples

# Enable learning of gratuitous ARP packets.

<Sysname> system-view

[Sysname] gratuitous-arp-learning enable

gratuitous-arp-sending enable

Use gratuitous-arp-sending enable to enable sending gratuitous ARP packets upon receiving ARP requests whose sender IP address is on a different subnet.

Use undo gratuitous-arp-sending enable to disable sending gratuitous ARP packets upon receiving ARP requests whose sender IP address is on a different subnet.

Syntax

gratuitous-arp-sending enable

undo gratuitous-arp-sending enable

Default

A device does not send gratuitous ARP packets when it receives ARP requests whose sender IP address is on a different subnet.

Views

System view

Predefined user roles

network-admin

Examples

# Disable a device from sending gratuitous ARP packets upon receiving ARP requests whose sender IP address is on a different subnet.

<Sysname> system-view

[Sysname] undo gratuitous-arp-sending enable


Proxy ARP commands

display local-proxy-arp

Use display local-proxy-arp to display the local proxy ARP status.

Syntax

display local-proxy-arp [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays the local proxy ARP status for all interfaces.

Usage guidelines

You can use this command to check whether local proxy ARP is enabled or disabled.

Examples

# Display the local proxy ARP status for VLAN-interface 2.

<Sysname> display local-proxy-arp interface vlan-interface 2

Interface Vlan-interface2

 Local Proxy ARP status: enabled

Related commands

local-proxy-arp enable

display proxy-arp

Use display proxy-arp to display the proxy ARP status.

Syntax

display proxy-arp [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays the proxy ARP status for all interfaces.

Usage guidelines

You can use this command to check whether proxy ARP is enabled or disabled.

Examples

# Display the proxy ARP status on GigabitEthernet 1/0/1.

<Sysname> display proxy-arp interface gigabitethernet 1/0/1

Interface GigabitEthernet1/0/1

 Proxy ARP status: disabled

Related commands

proxy-arp enable

local-proxy-arp enable

Use local-proxy-arp enable to enable local proxy ARP.

Use undo local-proxy-arp enable to disable local proxy ARP.

Syntax

local-proxy-arp enable [ ip-range start-ip-address to end-ip-address ]

undo local-proxy-arp enable

Default

Local proxy ARP is disabled.

Views

VLAN interface view

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

Predefined user roles

network-admin

Parameters

ip-range start-ip-address to end-ip-address: Specifies the IP address range for which local proxy ARP is enabled. The start IP address must be lower than or equal to the end IP address.

Usage guidelines

Proxy ARP enables a device on a network to answer ARP requests for an IP address not on that network. With proxy ARP, hosts in different broadcast domains can communicate with each other as they do on the same network.

Proxy ARP includes common proxy ARP and local proxy ARP.

Common proxy ARP allows communication between hosts that connect to different Layer 3 interfaces and reside in different broadcast domains.

Local proxy ARP allows communication between hosts that connect to the same Layer 3 interface and reside in different broadcast domains.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable local proxy ARP on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] local-proxy-arp enable

# Enable local proxy ARP on GigabitEthernet 1/0/1 for an IP address range.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] local-proxy-arp enable ip-range 1.1.1.1 to 1.1.1.20

Related commands

display local-proxy-arp

proxy-arp enable

Use proxy-arp enable to enable proxy ARP.

Use undo proxy-arp enable to disable proxy ARP.

Syntax

proxy-arp enable

undo proxy-arp enable

Default

Proxy ARP is disabled.

Views

VLAN interface view

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

Predefined user roles

network-admin

Usage guidelines

Proxy ARP enables a device on a network to answer ARP requests for an IP address not on that network. With proxy ARP, hosts in different broadcast domains can communicate with each other as they do on the same network.

Proxy ARP includes common proxy ARP and local proxy ARP.

Common proxy ARP allows communication between hosts that connect to different Layer 3 interfaces and reside in different broadcast domains.

Local proxy ARP allows communication between hosts that connect to the same Layer 3 interface and reside in different broadcast domains.

Examples

# Enable proxy ARP on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] proxy-arp enable

Related commands

display proxy-arp


ARP snooping commands

The following matrix shows the feature and hardware compatibility:

Hardware | ARP snooping compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/MSR810-W-LM-HK | Yes
MSR810-LMS/810-LUS | No
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Hardware | ARP snooping compatibility
MSR810-LM-GL | Yes
MSR810-W-LM-GL | Yes
MSR830-6EI-GL | No
MSR830-10EI-GL | No
MSR830-6HI-GL | No
MSR830-10HI-GL | No
MSR2600-6-X1-GL | Yes
MSR3600-28-SI-GL | Yes

arp snooping enable

Use arp snooping enable to enable ARP snooping.

Use undo arp snooping enable to disable ARP snooping.

Syntax

arp snooping enable

undo arp snooping enable

Default

ARP snooping is disabled.

Views

VLAN view

Predefined user roles

network-admin

Examples

# Enable ARP snooping for VLAN 2.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] arp snooping enable

display arp snooping

Use display arp snooping to display ARP snooping entries.

Syntax

Centralized devices in standalone mode:

display arp snooping [ vlan vlan-id ] [ count ]

display arp snooping ip ip-address

Distributed devices in standalone mode/centralized devices in IRF mode:

display arp snooping [ vlan vlan-id ] [ slot slot-number ] [ count ]

display arp snooping ip ip-address [ slot slot-number ]

Distributed devices in IRF mode:

display arp snooping [ vlan vlan-id ] [ chassis chassis-number slot slot-number ] [ count ]

display arp snooping ip ip-address [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

vlan vlan-id: Displays ARP snooping entries for a VLAN. The vlan-id argument is in the range of 1 to 4094.

count: Displays the number of the ARP snooping entries.

ip ip-address: Displays the ARP snooping entry for the specified IP address.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ARP snooping entries for the active MPU. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ARP snooping entries for the master device. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays ARP snooping entries for the global active MPU. (Distributed devices in IRF mode.)

Examples

# Display ARP snooping entries for VLAN 2.

<Sysname> display arp snooping vlan 2

IP Address   MAC Address    VLAN ID Interface  Aging       Status

3.3.3.3      0003-0003-0003 2       GE1/0/1    20          Valid

3.3.3.4      0004-0004-0004 2       GE1/0/2    5           Invalid

# Display the number of the ARP snooping entries.

<Sysname> display arp snooping count

Total entries: 2

Table 2 Command output (field: description)

IP Address: IP address in an ARP snooping entry.

MAC Address: MAC address in an ARP snooping entry.

VLAN ID: ID of the VLAN to which the ARP snooping entry belongs.

Interface: Input interface in an ARP snooping entry.

Aging: Aging time for an ARP snooping entry in minutes. If the card learns an ARP snooping entry from another card, the card cannot learn the aging time of the entry, and this field displays N/A.

Status: Status of an ARP snooping entry: Valid, Invalid, Collision.

Total entries: Number of ARP snooping entries.

Related commands

reset arp snooping

reset arp snooping

Use reset arp snooping to delete ARP snooping entries.

Syntax

reset arp snooping [ ip ip-address | vlan vlan-id ]

Views

User view

Predefined user roles

network-admin

Parameters

ip ip-address: Deletes the ARP snooping entry for the specified IP address.

vlan vlan-id: Deletes ARP snooping entries for the specified VLAN. The value range for the vlan-id argument is 1 to 4094.

Usage guidelines

If you do not specify any option, the command deletes all ARP snooping entries.

Examples

# Delete ARP snooping entries for VLAN 2.

<Sysname> reset arp snooping vlan 2

Related commands

display arp snooping


ARP fast-reply commands

The following matrix shows the feature and hardware compatibility:

Hardware | ARP fast-reply compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | No
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Hardware | ARP fast-reply compatibility
MSR810-LM-GL | No
MSR810-W-LM-GL | No
MSR830-6EI-GL | No
MSR830-10EI-GL | No
MSR830-6HI-GL | No
MSR830-10HI-GL | No
MSR2600-6-X1-GL | Yes
MSR3600-28-SI-GL | No

arp fast-reply enable

Use arp fast-reply enable to enable ARP fast-reply for a VLAN.

Use undo arp fast-reply enable to disable ARP fast-reply for a VLAN.

Syntax

arp fast-reply enable

undo arp fast-reply enable

Default

ARP fast-reply is disabled on a VLAN.

Views

VLAN view

Predefined user roles

network-admin

Examples

# Enable ARP fast-reply for VLAN 2.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] arp fast-reply enable


ARP PnP commands

arp pnp

Use arp pnp to enable the ARP plug and play (PnP) feature.

Use undo arp pnp to disable the ARP PnP feature.

Syntax

arp pnp

undo arp pnp

Default

The ARP PnP feature is disabled.

Views

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware | Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | No
MSR810-LMS/810-LUS | Yes
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Hardware | Command compatibility
MSR810-LM-GL | No
MSR810-W-LM-GL | No
MSR830-6EI-GL | Yes
MSR830-10EI-GL | Yes
MSR830-6HI-GL | No
MSR830-10HI-GL | Yes
MSR2600-6-X1-GL | Yes
MSR3600-28-SI-GL | Yes

This command is typically configured on a gateway. The ARP PnP feature allows end users to access the gateway without changing their IP addresses on subnets different from the subnet where the gateway resides.

The ARP PnP feature generates agent IP addresses based on the primary IP address and mask length of the interface. The maximum number of agent IP addresses allowed on an interface is the smaller value of the following items:

·     The device's limit on the maximum number of agent IP addresses on the interface.

·     The maximum number of host IP addresses allowed by the mask length. The interface's primary IP address is excluded. For example, if the mask length is 24, a maximum of 253 agent IP addresses can be generated.

To make ARP PnP operate correctly on an interface, make sure the following requirements are met:

·     The interface has a primary IP address.

·     NAT is configured on the interface that connects to the external network.

·     ARP entries on the interface are all deleted by using the reset arp command before you enable the ARP PnP feature.

Features that use ARP entries, for example, static routes and proxy ARP, cannot operate correctly when the ARP PnP feature is enabled.

Examples

# Enable the ARP PnP feature.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] arp pnp

display arp pnp

Use display arp pnp to display ARP PnP mappings.

Syntax

display arp pnp [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, the command displays ARP PnP mappings for all interfaces.

Examples

# Display all ARP PnP mappings.

<Sysname> display arp pnp

Total number of entries : 5

Agent IP address   User IP address   MAC address      Interface   Aging

1.1.1.2            20.1.1.1          00e0-fc00-0001   GE1/0/1     10

1.1.1.3            193.1.1.70        00e0-fe50-6503   GE1/0/1     5

2.2.2.2            192.168.0.115     000d-88f7-9f7d   GE1/0/2     11

3.3.3.3            192.168.0.39      0012-a990-2241   GE1/0/3     5

3.3.3.4            22.1.1.1          000c-299d-c041   GE1/0/3     14

# Display ARP PnP mappings on GigabitEthernet 1/0/1.

<Sysname> display arp pnp interface gigabitethernet 1/0/1

Total number of entries : 2

Agent IP address   User IP address   MAC address      Interface   Aging

1.1.1.2            20.1.1.1          00e0-fc00-0001   GE1/0/1     10

1.1.1.3            193.1.1.70        00e0-fe50-6503   GE1/0/1     5

Table 3 Command output (field: description)

Agent IP address: Agent IP address the ARP PnP feature generates for the user.

User IP address: IP address of the user.

MAC address: MAC address of the user.

Interface: Interface that connects to the user.

Aging: Remaining aging time of the mapping, in minutes.


ARP suppression commands

The following matrix shows the feature and hardware compatibility:

Hardware | ARP suppression compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/MSR810-W-LM-HK | Yes
MSR810-LMS/810-LUS | No
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Hardware | ARP suppression compatibility
MSR810-LM-GL | Yes
MSR810-W-LM-GL | Yes
MSR830-6EI-GL | Yes
MSR830-10EI-GL | Yes
MSR830-6HI-GL | No
MSR830-10HI-GL | Yes
MSR2600-6-X1-GL | Yes
MSR3600-28-SI-GL | No

arp suppression enable

Use arp suppression enable to enable ARP suppression.

Use undo arp suppression enable to disable ARP suppression.

Syntax

arp suppression enable

undo arp suppression enable

Default

ARP suppression is disabled.

Views

Cross-connect view

Predefined user roles

network-admin

Usage guidelines

You must enable L2VPN before you enter cross-connect view.

Examples

# Enable ARP suppression for cross-connect 2 in cross-connect group 1.

<Sysname> system-view

[Sysname] xconnect-group 1

[Sysname-xcg-1] connection 2

[Sysname-xcg-1-2] arp suppression enable

Related commands

arp suppression push interval

arp suppression push interval

Use arp suppression push interval to enable the ARP suppression push feature and set a push interval.

Use undo arp suppression push interval to disable the ARP suppression push feature.

Syntax

arp suppression push interval interval

undo arp suppression push interval

Default

The ARP suppression push feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies a push interval for ARP suppression, in the range of 1 to 1440 minutes.

Usage guidelines

The ARP suppression push feature regularly pushes ARP suppression entries by broadcasting gratuitous ARP packets.

Examples

# Configure the device to push ARP suppression entries every 2 minutes.

<Sysname> system-view

[Sysname] arp suppression push interval 2

Related commands

arp suppression enable

display arp suppression xconnect-group

Use display arp suppression xconnect-group to display ARP suppression entries.

Syntax

Centralized devices in standalone mode:

display arp suppression xconnect-group [ name group-name ] [ count ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display arp suppression xconnect-group [ name group-name ] [ slot slot-number ] [ count ]

Distributed devices in IRF mode:

display arp suppression xconnect-group [ name group-name ] [ chassis chassis-number slot slot-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name group-name: Specifies a cross-connect group by its name, a case-sensitive string of 1 to 31 characters excluding hyphens (-). If you do not specify a cross-connect group, this command displays ARP suppression entries for all cross-connect groups.

count: Displays the total number of ARP suppression entries.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ARP suppression entries for the active MPU. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ARP suppression entries for the master device. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays ARP suppression entries for the global active MPU. (Distributed devices in IRF mode.)

Examples

# Display ARP suppression entries for all cross-connect groups.

<Sysname> display arp suppression xconnect-group

IP address      MAC address     Xconnect-group       Connection           Aging

100.1.1.1       000c-29fe-5a8f  vpna                 svc                  12

100.1.1.2       000c-29fe-5aa3  vpna                 svc                  25

# Display the total number of ARP suppression entries.

<Sysname> display arp suppression xconnect-group count

Total entries: 2

Table 4 Command output

| Field | Description |
|---|---|
| IP address | IP address in the ARP suppression entry. |
| MAC address | MAC address in the ARP suppression entry. |
| Xconnect-group | Name of the cross-connect group to which the ARP suppression entry belongs. |
| Connection | Name of the cross-connect to which the ARP suppression entry belongs. |
| Aging | Remaining aging time of the ARP suppression entry, in minutes. |

Related commands

reset arp suppression xconnect-group

reset arp suppression xconnect-group

Use reset arp suppression xconnect-group to clear ARP suppression entries.

Syntax

reset arp suppression xconnect-group [ name group-name ]

Views

User view

Predefined user roles

network-admin

Parameters

name group-name: Specifies a cross-connect group by its name, a case-sensitive string of 1 to 31 characters excluding hyphens (-). If you do not specify a cross-connect group, this command clears ARP suppression entries for all cross-connect groups.

Examples

# Clear ARP suppression entries for all cross-connect groups.

<Sysname> reset arp suppression xconnect-group

Related commands

display arp suppression xconnect-group


ARP direct route advertisement commands

arp route-direct advertise

Use arp route-direct advertise to enable ARP direct route advertisement.

Use undo arp route-direct advertise to disable ARP direct route advertisement.

Syntax

arp route-direct advertise

undo arp route-direct advertise

Default

ARP direct route advertisement is disabled.

Views

L3VE interface view

Predefined user roles

network-admin

Examples

# Enable ARP direct route advertisement on L3VE interface VE-L3VPN 1.

<Sysname> system-view

[Sysname] interface ve-l3vpn 1

[Sysname-VE-L3VPN1] arp route-direct advertise


IP addressing commands

display ip interface

Use display ip interface to display IP configuration and statistics for Layer 3 interfaces.

Syntax

display ip interface [ interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays IP configuration and statistics for all Layer 3 interfaces except VA interfaces.

Usage guidelines

Use the display ip interface command to display IP configuration and statistics for the specified Layer 3 interface. The statistics include the following information:

·     The number of unicast packets, bytes, and multicast packets the interface has sent and received.

·     The number of TTL-invalid packets and ICMP packets the interface has received.

The packet statistics help you locate a possible attack on the network.

Examples

# Display IP configuration and statistics for GigabitEthernet 1/0/1.

<Sysname> display ip interface gigabitethernet 1/0/1

GigabitEthernet1/0/1 current state : DOWN

Line protocol current state : DOWN

Internet Address is 1.1.1.1/8 Primary

Broadcast address : 1.255.255.255

The Maximum Transmit Unit : 1500 bytes

input packets : 0, bytes : 0, multicasts : 0

output packets : 0, bytes : 0, multicasts : 0

TTL invalid packet number:         0

ICMP packet input number:          0

  Echo reply:                      0

  Unreachable:                     0

  Source quench:                   0

  Routing redirect:                0

  Echo request:                    0

  Router advert:                   0

  Router solicit:                  0

  Time exceed:                     0

  IP header bad:                   0

  Timestamp request:               0

  Timestamp reply:                 0

  Information request:             0

  Information reply:               0

  Netmask request:                 0

  Netmask reply:                   0

  Unknown type:                    0

Table 5 Command output

Field

Description

current state

Current physical state of the interface:

·     Administrative DOWN—The interface is shut down by using the shutdown command.

·     DOWN—The interface is administratively up but its physical state is down, possibly because of a connection or link failure.

·     UP—Both the administrative and physical states of the interface are up.

Line protocol current state

Current state of the link layer protocol:

·     DOWN—The protocol state of the interface is down.

·     UP—The protocol state of the interface is up.

·     UP (spoofing)—The link protocol state of the interface is up, but the link is temporarily established on demand or does not exist.

Internet Address

IP address of an interface followed by:

·     Primary—A primary IP address.

·     Sub—A secondary IP address.

·     MTunnel—An MTunnel interface IP address.

·     SSLVPN—An SSL VPN interface IP address.

·     PPP-Negotiated—A PPP negotiated IP address.

·     Unnumbered—An unnumbered IP address.

·     DHCP-Allocated—An IP address obtained through DHCP.

·     BOOTP-Allocated—An IP address obtained through BOOTP.

·     Cluster—A cluster IP address.

·     Mad—A MAD IP address.

Broadcast address

Broadcast address of the subnet attached to an interface.

The Maximum Transmit Unit

Maximum transmission unit on the interface, in bytes.

input packets, bytes, multicasts

output packets, bytes, multicasts

Unicast packets, bytes, and multicast packets received on an interface (statistics start at the device startup).

TTL invalid packet number

Number of TTL-invalid packets received on the interface (statistics start at the device startup).

ICMP packet input number:

  Echo reply:

  Unreachable:

  Source quench:

  Routing redirect:

  Echo request:

  Router advert:

  Router solicit:

  Time exceed:

  IP header bad:

  Timestamp request:

  Timestamp reply:

  Information request:

  Information reply:

  Netmask request:

  Netmask reply:

  Unknown type:

Total number of ICMP packets received on the interface (statistics start at the device startup):

·     Echo reply packets.

·     Unreachable packets.

·     Source quench packets.

·     Routing redirect packets.

·     Echo request packets.

·     Router advertisement packets.

·     Router solicitation packets.

·     Time exceeded packets.

·     IP header bad packets.

·     Timestamp request packets.

·     Timestamp reply packets.

·     Information request packets.

·     Information reply packets.

·     Netmask request packets.

·     Netmask reply packets.

·     Unknown type packets.

Related commands

display ip interface brief

ip address
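The counters in this output are cumulative since device startup, so locating an attack means comparing two readings rather than looking at one. The following Python code is an added example, not H3C code: it parses two constructed, abridged display ip interface captures, computes per-counter deltas (treating a drop as a counter restart), and flags counters whose rate exceeds a threshold. The threshold values, the 60-second interval, and all function names are assumptions.

```python
import re

# Constructed, abridged capture in the layout shown on this page.
TEMPLATE = """\
GigabitEthernet1/0/1 current state : UP
Line protocol current state : UP
Internet Address is 1.1.1.1/8 Primary
Broadcast address : 1.255.255.255
The Maximum Transmit Unit : 1500 bytes
input packets : {inp}, bytes : {inb}, multicasts : 12
output packets : 900, bytes : 72000, multicasts : 3
TTL invalid packet number:         {ttl}
ICMP packet input number:          {icmp}
  Echo reply:                      4
  Unreachable:                     7
  Echo request:                    {echo}
  Time exceed:                     0
  Unknown type:                    {unk}
"""
# Two constructed readings taken 60 seconds apart.
SNAP_T0 = TEMPLATE.format(inp=1000, inb=80000, ttl=5, icmp=40, echo=20, unk=9)
SNAP_T1 = TEMPLATE.format(inp=125000, inb=9000000, ttl=35, icmp=120640,
                          echo=120020, unk=609)

# Hypothetical alert thresholds, in packets per second (assumed values).
THRESHOLDS = {"Echo request": 100, "TTL invalid packet number": 10, "Unknown type": 5}

TRAFFIC_RE = re.compile(
    r"^(input|output) packets\s*:\s*(\d+), bytes\s*:\s*(\d+), multicasts\s*:\s*(\d+)$")
# "<name>: <integer>" lines only; state, address and MTU lines do not match.
COUNTER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)$")


def parse_ip_interface(text):
    """Return {counter name: integer} for one display ip interface block."""
    counters = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = TRAFFIC_RE.match(line)
        if m:
            direction = m.group(1)
            for field, value in zip(("packets", "bytes", "multicasts"), m.groups()[1:]):
                counters[f"{direction} {field}"] = int(value)
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def counter_deltas(prev, cur):
    """Difference between two readings of the same interface."""
    deltas = {}
    for name, value in cur.items():
        before = prev.get(name, 0)
        # Statistics start at device startup, so a lower value means the
        # counter restarted; count only what accumulated since then.
        deltas[name] = value - before if value >= before else value
    return deltas


def flag_rates(deltas, interval_s, thresholds):
    """Return {counter: packets per second} for counters above their threshold."""
    flagged = {}
    for name, limit in thresholds.items():
        rate = deltas.get(name, 0) / interval_s
        if rate > limit:
            flagged[name] = rate
    return flagged


def analyze(snap_a, snap_b, interval_s=60, thresholds=THRESHOLDS):
    deltas = counter_deltas(parse_ip_interface(snap_a), parse_ip_interface(snap_b))
    return flag_rates(deltas, interval_s, thresholds)


if __name__ == "__main__":
    for name, rate in analyze(SNAP_T0, SNAP_T1).items():
        print(f"{name}: {rate:.1f} packets/s exceeds threshold")
```
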

display ip interface brief

Use display ip interface brief to display brief IP configuration for Layer 3 interfaces.

Syntax

display ip interface [ interface-type [ interface-number ] ] brief [ description ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type: Specifies an interface type. If you do not specify an interface type, this command displays brief IP configuration for all Layer 3 interfaces except VA interfaces.

interface-number: Specifies an interface number. If you do not specify an interface number, this command displays brief IP configuration for all Layer 3 interfaces of the specified type.

description: Displays complete interface descriptions. If you do not specify this keyword, the command displays a maximum of 16 characters for each interface description. If the description is longer than 16 characters, the first 14 characters are displayed, followed by an ellipsis (...).

Usage guidelines

Information displayed by the command includes the state of the physical and link layer protocols, IP address, and interface descriptions.

Examples

# Display brief IP configuration for GigabitEthernet interfaces.

<Sysname> display ip interface gigabitethernet brief

*down: administratively down

(s): spoofing  (l): loopback

Interface                Physical Protocol IP Address      Description

GE1/0/1                  up       up       5.5.5.1         Link to CoreRo...

<Sysname> display ip interface gigabitethernet brief description

*down: administratively down

(s): spoofing  (l): loopback

Interface                Physical Protocol IP Address      Description

GE1/0/1                  up       up       5.5.5.1         Link to CoreRouter

Table 6 Command output

Field

Description

*down: administratively down

The interface is administratively shut down by using the shutdown command.

(s) : spoofing

Spoofing attribute of the interface. The link protocol state of the interface is up, but the link is temporarily established on demand or does not exist.

Interface

Interface name.

Physical

Physical state of the interface:

·     *down—The interface is administratively shut down by using the shutdown command.

·     down—The interface is administratively up but its physical state is down, possibly because of a connection or link failure.

·     up—Both the administrative and physical states of the interface are up.

Protocol

Link layer protocol state of the interface:

·     down—The protocol state of the interface is down.

·     down(l)—The protocol state of the interface is down (loopback).

·     up—The protocol state of the interface is up.

·     up(l)—The protocol state of the interface is up (loopback).

·     up(s)—The protocol state of the interface is up (spoofing).

IP Address

IP address of the interface. If no IP address is configured, this field displays hyphens (--).

Description

Interface description information. If no description is configured, this field displays hyphens (--).

Related commands

display ip interface

ip address

ip address

Use ip address to assign an IP address to the interface.

Use undo ip address to remove the IP address from the interface.

Syntax

ip address ip-address { mask-length | mask } [ sub ]

undo ip address [ ip-address { mask-length | mask } [ sub ] ]

Default

No IP address is assigned to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of the interface, in dotted decimal notation.

mask-length: Specifies the subnet mask length in the range of 1 to 31. For a loopback interface, the value range is 1 to 32.

mask: Specifies the subnet mask in dotted decimal notation.

sub: Assigns a secondary IP address to the interface.

Usage guidelines

Use the command to assign a primary or secondary IP address to an interface.

An interface can have only one primary IP address. A newly configured primary IP address overwrites the previous address. If the interface connects to multiple subnets, configure primary and secondary IP addresses on the interface so the subnets can communicate with each other through the interface.

You cannot assign secondary IP addresses to an interface that obtains an IP address through BOOTP, DHCP, PPP address negotiation, or IP unnumbered.

If you do not specify any parameters, the undo ip address command removes all IP addresses from the interface. The undo ip address ip-address { mask | mask-length } command removes the primary IP address. The undo ip address ip-address { mask | mask-length } sub command removes a secondary IP address.

The primary and secondary IP addresses assigned to the interface can be located on the same network segment. Different interfaces on your device must reside on different network segments.

Examples

# Assign GigabitEthernet 1/0/1 a primary IP address 129.102.0.1 and a secondary IP address 202.38.160.1, with the subnet masks both 255.255.255.0.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ip address 129.102.0.1 255.255.255.0

[Sysname-GigabitEthernet1/0/1] ip address 202.38.160.1 255.255.255.0 sub

Related commands

display ip interface

display ip interface brief

ip address unnumbered

Use ip address unnumbered to configure the current interface as IP unnumbered to borrow an IP address from the specified interface.

Use undo ip address unnumbered to restore the default.

Syntax

ip address unnumbered interface interface-type interface-number

undo ip address unnumbered

Default

The interface does not borrow IP addresses from other interfaces.

Views

Interface view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface from which the current interface can borrow an IP address.

Usage guidelines

Typically, you assign an IP address to an interface either manually or through DHCP. If IP addresses are in short supply, or the interface is used only occasionally, you can configure an interface to borrow an IP address from other interfaces. This is called IP unnumbered, and the interface borrowing the IP address is called an IP unnumbered interface.

Loopback interfaces cannot borrow IP addresses of other interfaces, but other interfaces can borrow IP addresses of loopback interfaces.

Multiple interfaces can use the same unnumbered IP address. If an interface has multiple manually configured IP addresses, only the manually configured primary IP address can be borrowed.

You cannot enable a dynamic routing protocol on the interface that has no IP address configured. To enable the interface to communicate with other devices, you must configure a static route to the peer device on the interface.

Examples

# Configure the tunnel interface Tunnel 0 to borrow the IP address of the interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface tunnel 0 mode gre

[Sysname-Tunnel0] ip address unnumbered interface gigabitethernet 1/0/1


DHCP commands

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

·     MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

Common DHCP commands

dhcp client-detect

Use dhcp client-detect to enable client offline detection on the DHCP server or DHCP relay agent.

Use undo dhcp client-detect to disable client offline detection on the DHCP server or DHCP relay agent.

Syntax

dhcp client-detect

undo dhcp client-detect

Default

Client offline detection is disabled on the DHCP server or DHCP relay agent.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

The client offline detection feature on the DHCP server reclaims an assigned IP address and deletes the binding entry when the ARP entry ages out for the IP address.

This feature on the DHCP relay agent deletes the related relay entry and sends a RELEASE message to the DHCP server when an ARP entry ages out.

Examples

# Enable client offline detection.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp client-detect

dhcp dscp

Use dhcp dscp to set the DSCP value for DHCP packets sent by the DHCP server or the DHCP relay agent.

Use undo dhcp dscp to restore the default.

Syntax

dhcp dscp dscp-value

undo dhcp dscp

Default

The DSCP value is 56 in DHCP packets sent by the DHCP server or the DHCP relay agent.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Specifies the DSCP value for DHCP packets, in the range of 0 to 63.

Usage guidelines

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A greater DSCP value represents a higher priority.

Examples

# Set the DSCP value to 30 for DHCP packets sent by the DHCP server or the DHCP relay agent.

<Sysname> system-view

[Sysname] dhcp dscp 30

dhcp enable

Use dhcp enable to enable DHCP.

Use undo dhcp enable to disable DHCP.

Syntax

dhcp enable

undo dhcp enable

Default

DHCP is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

DHCP related configuration takes effect only after you enable DHCP.

Enable DHCP before you configure the DHCP server or relay agent.

Examples

# Enable DHCP.

<Sysname> system-view

[Sysname] dhcp enable

dhcp log enable

Use dhcp log enable to enable DHCP server logging.

Use undo dhcp log enable to disable DHCP server logging.

Syntax

dhcp log enable

undo dhcp log enable

Default

DHCP server logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the DHCP server to generate DHCP logs and send them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

As a best practice, disable this feature if the log generation affects the device performance or reduces the address allocation efficiency. For example, this situation might occur when a large number of clients frequently come online or go offline.

Examples

# Enable DHCP server logging.

<Sysname> system-view

[Sysname] dhcp log enable

dhcp select

Use dhcp select to enable the DHCP server or DHCP relay agent on an interface.

Use undo dhcp select to disable the DHCP server or DHCP relay agent on an interface. The interface discards incoming DHCP packets.

Syntax

dhcp select { relay [ proxy ] | server }

undo dhcp select { relay | server }

Default

The interface operates in DHCP server mode and responds to DHCP requests with configuration parameters.

Views

Interface view

Predefined user roles

network-admin

Parameters

relay: Enables the DHCP relay agent on the interface.

proxy: Enables DHCP server proxy on the relay agent.

server: Enables the DHCP server on the interface.

Usage guidelines

Before enabling the DHCP relay agent on an interface, use the reset dhcp server ip-in-use command to remove address bindings and authorized ARP entries. These authorized ARP entries might conflict with ARP entries that are created after the DHCP relay agent is enabled.

When DHCP server proxy is enabled on the relay agent, the proxy forwards packets between the DHCP clients and DHCP server.

·     When receiving DHCP packets from DHCP clients, the proxy forwards them to the DHCP server.

·     When receiving DHCP responses from the DHCP server, the proxy changes the server's IP address in these responses to its own IP address.

Examples

# Enable the DHCP relay agent on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp select relay

Related commands

dhcp smart-relay enable

reset dhcp server ip-in-use

DHCP server commands

address range

Use address range to configure an IP address range in a DHCP address pool for dynamic allocation.

Use undo address range to restore the default.

Syntax

address range start-ip-address end-ip-address

undo address range

Default

No IP address range exists.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

start-ip-address: Specifies the start IP address.

end-ip-address: Specifies the end IP address.

Usage guidelines

If no IP address range is specified, all IP addresses in the subnet specified by the network command in address pool view are assignable. If an IP address range is specified, only the IP addresses in the IP address range are assignable.

After you use the address range command, you cannot use the network secondary command to specify a secondary subnet in the address pool.

If you execute this command multiple times, the most recent configuration takes effect.

The address range specified by the address range command must be within the subnet specified by the network command. The addresses out of the address range cannot be assigned.

Examples

# Specify an address range of 192.168.8.1 through 192.168.8.150 in address pool 1.

<Sysname> system-view

[Sysname] dhcp server ip-pool 1

[Sysname-dhcp-pool-1] address range 192.168.8.1 192.168.8.150

Related commands

class

dhcp class

display dhcp server pool

network

bims-server

Use bims-server to specify the IP address, port number, and shared key of the BIMS server in a DHCP address pool.

Use undo bims-server to restore the default.

Syntax

bims-server ip ip-address [ port port-number ] sharekey { cipher | simple } string

undo bims-server

Default

No BIMS server information is specified.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

ip ip-address: Specifies the IP address of the BIMS server.

port port-number: Specifies the port number of the BIMS server, in the range of 1 to 65534.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key string. Its plaintext form is a case-sensitive string of 1 to 16 characters. Its encrypted form is a case-sensitive string of 1 to 53 characters. The DHCP client uses the shared key to encrypt packets sent to the BIMS server.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the BIMS server IP address 1.1.1.1, port number 80, and shared key aabbcc in address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] bims-server ip 1.1.1.1 port 80 sharekey simple aabbcc

Related commands

display dhcp server pool

bootfile-name

Use bootfile-name to specify a configuration file name or URL.

Use undo bootfile-name to restore the default.

Syntax

bootfile-name { bootfile-name | url }

undo bootfile-name

Default

No configuration file name or URL is specified.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

bootfile-name: Specifies the configuration file name, a case-sensitive string of 1 to 63 characters.

url: Specifies the HTTP URL of the configuration file. It is a case-sensitive string of 1 to 63 characters.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

To specify a configuration file on a TFTP server, use the bootfile-name argument.

To specify a configuration file on an HTTP server, use the url argument.

Examples

# Specify the configuration file name boot.cfg in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] bootfile-name boot.cfg

# Specify the configuration file URL http://10.1.1.1/boot.cfg in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] bootfile-name http://10.1.1.1/boot.cfg

Related commands

display dhcp server pool

next-server

tftp-server domain-name

tftp-server ip-address

class ip-pool

Use class ip-pool to specify a DHCP address pool for a DHCP user class.

Use undo class ip-pool to remove the DHCP address pool specified for a DHCP user class.

Syntax

class class-name ip-pool pool-name

undo class class-name ip-pool

Default

No DHCP address pool is specified for a DHCP user class.

Views

DHCP policy view

Predefined user roles

network-admin

Parameters

class-name: Specifies a DHCP user class by its name, a case-insensitive string of 1 to 63 characters.

pool-name: Specifies a DHCP address pool by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can specify only one DHCP address pool for a DHCP user class in a DHCP policy. If you execute this command multiple times for a user class, the most recent configuration takes effect.

Examples

# Specify DHCP address pool pool1 for DHCP user class test in DHCP policy 1.

<Sysname> system-view

[Sysname] dhcp policy 1

[Sysname-dhcp-policy-1] class test ip-pool pool1

Related commands

default ip-pool

dhcp policy

dhcp server ip-pool

class option-group

Use class option-group to specify a DHCP option group for a DHCP user class.

Use undo class option-group to remove the configuration.

Syntax

class class-name option-group option-group-number

undo class class-name option-group

Default

No DHCP option group is specified for a DHCP user class.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

class-name: Specifies a DHCP user class by its name, a case-insensitive string of 1 to 63 characters.

option-group-number: Specifies a DHCP option group by its number in the range of 1 to 32768.

Usage guidelines

When receiving a DHCP-DISCOVER message, the server compares the client against the user classes in the order that they are specified by this command. If a match is found, the server assigns the client the DHCP options in the option group. If multiple matches are found, the server selects option groups by using the following methods:

·     If the option groups have options in common, the server selects the option group specified for the first matching user class.

·     If the option groups have different options, the server selects all the matching option groups.

You can specify only one option group for a DHCP user class in a DHCP address pool. If you execute this command multiple times for a user class, the most recent configuration takes effect.

Examples

# Specify DHCP option group 1 for user class user in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] class user option-group 1

Related commands

dhcp option-group

class range

Use class range to specify an IP address range for a DHCP user class.

Use undo class range to remove the IP address range for the DHCP user class.

Syntax

class class-name range start-ip-address end-ip-address

undo class class-name range

Default

No IP address range is specified for a DHCP user class.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

class-name: Specifies a DHCP user class name, a case-insensitive string of 1 to 63 characters. If the specified user class does not exist, the DHCP server will not assign the addresses in the address range specified for the user class to any clients.

start-ip-address: Specifies the start IP address.

end-ip-address: Specifies the end IP address.

Usage guidelines

The class range command allows you to divide an address range into multiple address ranges for different DHCP user classes. The address range for a user class must be within the primary subnet specified by the network command. If the DHCP client does not match any DHCP user class, the DHCP server selects an address in the IP address range specified by the address range command. If the address range has no assignable IP addresses or no address range is configured, the address allocation fails.

After you specify an address range for a user class, you cannot use the network secondary command to specify a secondary subnet in the address pool.

You can specify only one address range for a DHCP user class in an address pool. If you execute this command multiple times for a DHCP user class, the most recent configuration takes effect.

Examples

# Specify an IP address range of 192.168.8.1 through 192.168.8.150 for the DHCP user class user in DHCP address pool 1.

<Sysname> system-view

[Sysname] dhcp server ip-pool 1

[Sysname-dhcp-pool-1] class user range 192.168.8.1 192.168.8.150

Related commands

address range

dhcp class

display dhcp server pool
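The constraints stated under address range and class range can be checked offline before a pool is deployed. The following Python code is an added example, not H3C code: it audits a constructed single-pool configuration for ranges outside the subnet, reversed ranges, class ranges that name a user class that does not exist, and class ranges configured without an address range. The "network ... mask ..." line is an assumed form of the network command, which this section references but does not define; the finding labels and function names are also assumptions.

```python
import ipaddress

# Constructed configuration. The dhcp class, address range and class range
# lines use the syntax on this page; the network line is an assumed form.
POOL_CONFIG = """\
dhcp class user
dhcp class guest
dhcp server ip-pool 1
 network 192.168.8.0 mask 255.255.255.0
 address range 192.168.8.1 192.168.8.150
 class user range 192.168.8.160 192.168.8.200
 class guest range 192.168.9.10 192.168.9.50
 class lab range 192.168.8.240 192.168.8.210
"""


def parse_config(text):
    """Collect user classes and the ranges of a single address pool."""
    cfg = {"classes": set(), "network": None,
           "address_range": None, "class_ranges": {}}
    ip = ipaddress.ip_address
    for raw in text.splitlines():
        w = raw.split()
        if w[:2] == ["dhcp", "class"] and len(w) == 3:
            cfg["classes"].add(w[2].lower())          # names are case-insensitive
        elif w[:1] == ["network"] and len(w) == 4 and w[2] == "mask":
            cfg["network"] = ipaddress.ip_network(f"{w[1]}/{w[3]}")
        elif w[:2] == ["address", "range"] and len(w) == 4:
            cfg["address_range"] = (ip(w[2]), ip(w[3]))   # most recent wins
        elif w[:1] == ["class"] and len(w) == 5 and w[2] == "range":
            cfg["class_ranges"][w[1].lower()] = (ip(w[3]), ip(w[4]))
    return cfg


def check_range(label, rng, network):
    findings = []
    start, end = rng
    if start > end:
        findings.append((label, "start-after-end"))
    # Both range commands require the range to lie within the pool's subnet.
    if network is not None and (start not in network or end not in network):
        findings.append((label, "outside-subnet"))
    return findings


def audit_pool(cfg):
    """Return a list of (subject, finding) tuples; an empty list means clean."""
    findings = []
    if cfg["network"] is None:
        findings.append(("pool", "no-network"))
    if cfg["address_range"]:
        findings += check_range("address range", cfg["address_range"], cfg["network"])
    elif cfg["class_ranges"]:
        # Clients that match no user class draw from the address range; with
        # class ranges but no address range, their allocation fails.
        findings.append(("address range", "missing-unmatched-clients-fail"))
    for name, rng in sorted(cfg["class_ranges"].items()):
        findings += check_range(f"class {name}", rng, cfg["network"])
        if name not in cfg["classes"]:
            # Addresses reserved for a nonexistent class are never assigned.
            findings.append((f"class {name}", "undefined-class"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_pool(parse_config(POOL_CONFIG)):
        print(f"{subject}: {finding}")
```
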

default ip-pool

Use default ip-pool to specify the default DHCP address pool.

Use undo default ip-pool to restore the default.

Syntax

default ip-pool pool-name

undo default ip-pool

Default

No default DHCP address pool is specified.

Views

DHCP policy view

Predefined user roles

network-admin

Parameters

pool-name: Specifies a DHCP address pool by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

In a DHCP policy, the DHCP server uses the default DHCP address pool to assign IP addresses and other parameters to clients that do not match any user class.

You can specify only one default address pool in a DHCP policy. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify DHCP address pool pool1 as the default DHCP address pool in DHCP policy 1.

<Sysname> system-view

[Sysname] dhcp policy 1

[Sysname-dhcp-policy-1] default ip-pool pool1

Related commands

class ip-pool

dhcp policy

dhcp apply-policy

Use dhcp apply-policy to apply a DHCP policy to an interface.

Use undo dhcp apply-policy to restore the default.

Syntax

dhcp apply-policy policy-name

undo dhcp apply-policy

Default

No DHCP policy is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a DHCP policy by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can apply only one DHCP policy to an interface. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Apply the DHCP policy test to GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp apply-policy test

Related commands

dhcp policy

dhcp class

Use dhcp class to create a DHCP user class and enter its view, or enter the view of an existing DHCP user class.

Use undo dhcp class to delete the specified DHCP user class.

Syntax

dhcp class class-name

undo dhcp class class-name

Default

No DHCP user classes exist.

Views

System view

Predefined user roles

network-admin

Parameters

class-name: Specifies the name of a DHCP user class, a case-insensitive string of 1 to 63 characters.

Usage guidelines

In the DHCP user class view, you can use the if-match command to configure match rules to group clients to the user class.

Examples

# Create a DHCP user class test and enter DHCP user class view.

<Sysname> system-view

[Sysname] dhcp class test

[Sysname-dhcp-class-test]

Related commands

address range

class ip-pool

class option-group

class range

dhcp policy

if-match

dhcp option-group

Use dhcp option-group to create a DHCP option group and enter its view, or enter the view of an existing DHCP option group.

Use undo dhcp option-group to delete a DHCP option group.

Syntax

dhcp option-group option-group-number

undo dhcp option-group option-group-number

Default

No DHCP option groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

option-group-number: Assigns a number to the DHCP option group, in the range of 1 to 32768.

Examples

# Create DHCP option group 1 and enter DHCP option group view.

<Sysname> system-view

[Sysname] dhcp option-group 1

[Sysname-dhcp-option-group-1]

Related commands

class option-group

option

dhcp policy

Use dhcp policy to create a DHCP policy and enter its view, or enter the view of an existing DHCP policy.

Use undo dhcp policy to delete a DHCP policy.

Syntax

dhcp policy policy-name

undo dhcp policy policy-name

Default

No DHCP policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Assigns a name to the DHCP policy. The policy name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

In DHCP policy view, you can specify address pools for different user classes. Clients matching a user class will obtain IP addresses and other parameters from the specified address pool.

For a DHCP policy to take effect, you must apply it to an interface.

Examples

# Create DHCP policy test and enter its view.

<Sysname> system-view

[Sysname] dhcp policy test

[Sysname-dhcp-policy-test]

Related commands

class ip-pool

default ip-pool

dhcp apply-policy

dhcp class

dhcp server always-broadcast

Use dhcp server always-broadcast to enable the DHCP server to broadcast all responses.

Use undo dhcp server always-broadcast to restore the default.

Syntax

dhcp server always-broadcast

undo dhcp server always-broadcast

Default

The DHCP server reads the broadcast flag in a DHCP request to decide whether to broadcast or unicast the response.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the DHCP server to ignore the broadcast flag in DHCP requests and broadcast all responses.

The DHCP server always unicasts a response in the following situations, regardless of whether this command is executed:

·     The DHCP request is from a DHCP client that has an IP address (the ciaddr field is not 0).

·     The DHCP request is forwarded by a DHCP relay agent from a DHCP client (the giaddr field is not 0).

Examples

# Enable the DHCP server to broadcast all responses.

<Sysname> system-view

[Sysname] dhcp server always-broadcast
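The decision described in the usage guidelines can be traced on a raw request. The following Python sketch is an added example, not H3C code: it reads the flags, ciaddr, and giaddr fields from the fixed BOOTP header (offsets per RFC 2131) and returns how the response is sent under the rules on this page. The function names and the sample requests are constructed for illustration.

```python
import ipaddress
import struct

BOOTP_FIXED_LEN = 236      # op .. file, the fixed part before the options field
BROADCAST_FLAG = 0x8000    # most significant bit of the 16-bit flags field
_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"
_ZERO = ipaddress.IPv4Address("0.0.0.0")


def build_request(flags=0, ciaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Build a constructed BOOTREQUEST header (sample input for this example)."""
    def packed(address):
        return ipaddress.IPv4Address(address).packed
    return struct.pack(
        _HEADER,
        1, 1, 6, 0,              # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x1234ABCD, 0, flags,    # xid, secs, flags
        packed(ciaddr), packed("0.0.0.0"), packed("0.0.0.0"), packed(giaddr),
        bytes.fromhex("00e000fc0001"), b"", b"",   # chaddr, sname, file
    )


def parse_request(packet):
    """Extract the three fields that drive the broadcast/unicast decision."""
    if len(packet) < BOOTP_FIXED_LEN:
        raise ValueError("truncated BOOTP/DHCP message")
    (flags,) = struct.unpack_from("!H", packet, 10)
    return {
        "broadcast_flag": bool(flags & BROADCAST_FLAG),
        "ciaddr": ipaddress.IPv4Address(packet[12:16]),
        "giaddr": ipaddress.IPv4Address(packet[24:28]),
    }


def response_delivery(packet, always_broadcast=False):
    """Return (mode, reason) for the response to this request."""
    req = parse_request(packet)
    # These two cases are unicast whether or not always-broadcast is set.
    if req["ciaddr"] != _ZERO:
        return ("unicast", "client already has an address (ciaddr is not 0)")
    if req["giaddr"] != _ZERO:
        return ("unicast", "request came through a relay agent (giaddr is not 0)")
    if always_broadcast:
        return ("broadcast", "dhcp server always-broadcast ignores the flag")
    if req["broadcast_flag"]:
        return ("broadcast", "broadcast flag set in the request")
    return ("unicast", "broadcast flag clear in the request")


if __name__ == "__main__":
    samples = {
        "new client, flag clear": build_request(),
        "new client, flag set": build_request(flags=BROADCAST_FLAG),
        "renewing client": build_request(ciaddr="10.1.1.2"),
        "relayed request": build_request(giaddr="10.1.1.254"),
    }
    for name, pkt in samples.items():
        for setting in (False, True):
            print(name, "| always-broadcast:", setting, "->",
                  response_delivery(pkt, setting))
```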

dhcp server apply ip-pool

Use dhcp server apply ip-pool to apply an address pool to an interface.

Use undo dhcp server apply ip-pool to restore the default.

Syntax

dhcp server apply ip-pool pool-name

undo dhcp server apply ip-pool

Default

No address pool is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

pool-name: Specifies the name of a DHCP address pool, a case-insensitive string of 1 to 63 characters.

Usage guidelines

Upon receiving a DHCP request from the interface, the DHCP server searches for a static binding for the client from all address pools. If no static binding is found, the server assigns configuration parameters from the address pool applied on the interface to the client. If the address pool has no assignable IP address or does not exist, the DHCP client cannot obtain an IP address.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Apply DHCP address pool 0 to GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp server apply ip-pool 0

Related commands

dhcp server ip-pool

dhcp server bootp ignore

Use dhcp server bootp ignore to configure the DHCP server to ignore BOOTP requests.

Use undo dhcp server bootp ignore to restore the default.

Syntax

dhcp server bootp ignore

undo dhcp server bootp ignore

Default

The DHCP server does not ignore BOOTP requests.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The lease duration of IP addresses obtained by BOOTP clients is unlimited. For scenarios that do not allow unlimited leases, you can configure the DHCP server to ignore BOOTP requests.

Examples

# Configure the DHCP server to ignore BOOTP requests.

<Sysname> system-view

[Sysname] dhcp server bootp ignore

dhcp server bootp reply-rfc-1048

Use dhcp server bootp reply-rfc-1048 to enable the sending of BOOTP responses in RFC 1048 format.

Use undo dhcp server bootp reply-rfc-1048 to disable this feature.

Syntax

dhcp server bootp reply-rfc-1048

undo dhcp server bootp reply-rfc-1048

Default

This feature is disabled. The DHCP server does not process the Vend field of RFC 1048-noncompliant requests but copies the Vend field into responses.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Not all BOOTP clients can send requests compliant with RFC 1048. This command enables the DHCP server to fill the Vend field in RFC 1048-compliant format in DHCP responses to RFC 1048-noncompliant requests sent by BOOTP clients.

This command takes effect only when the BOOTP clients request statically bound addresses.

Examples

# Enable the sending of BOOTP responses in RFC 1048 format on the DHCP server.

<Sysname> system-view

[Sysname] dhcp server bootp reply-rfc-1048

dhcp server database filename

Use dhcp server database filename to configure the DHCP server to back up the DHCP bindings to a file.

Use undo dhcp server database filename to restore the default.

Syntax

dhcp server database filename { filename | url url [ username username [ password { cipher | simple } string ] ] }

undo dhcp server database filename

Default

The DHCP server does not back up the DHCP bindings.

Views

System view

Predefined user roles

network-admin

Parameters

filename: Specifies the name of a local backup file. For information about the filename argument, see Fundamentals Configuration Guide.

url url: Specifies the URL of a remote backup file, a case-sensitive string of 1 to 255 characters. Do not include a username or password in the URL.

username username: Specifies the username for accessing the URL of the remote backup file, a case-sensitive string of 1 to 32 characters. Do not specify this option if a username is not required for accessing the URL of the remote backup file.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 32 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters. Do not specify this argument if a password is not required for accessing the URL of the remote backup file.

Usage guidelines

The command automatically creates the file if you specify a nonexistent file.

After this command is executed, the DHCP server backs up its bindings immediately and then backs them up automatically. By default, the server waits 300 seconds after a binding change before it updates the backup file. You can use the dhcp server database update interval command to change the waiting time. If no DHCP binding changes, the backup file is not updated.

As a best practice, back up the bindings to a remote file. If you use the local storage medium, the frequent erasing and writing might damage the medium and then cause the DHCP server to malfunction.

When the backup file is on a remote device, follow these restrictions and guidelines to specify the URL, username, and password:

·     If the file is on an FTP server, enter the URL in the following format: ftp://server address:port/file path, where the port number is optional.

·     If the file is on a TFTP server, enter the URL in the following format: tftp://server address:port/file path, where the port number is optional.

·     The username and password must be the same as those configured on the FTP server. If the server authenticates only the username, the password can be omitted.

·     If the IP address of the server is an IPv6 address, enclose the address in a pair of brackets, for example, ftp://[1::1]/database.dhcp.

·     You can also specify the DNS domain name for the server address field, for example, ftp://company/database.dhcp.

Examples

# Configure the DHCP server to back up its bindings to the file database.dhcp.

<Sysname> system-view

[Sysname] dhcp server database filename database.dhcp

# Configure the DHCP server to back up its bindings to the file database.dhcp in the working directory of the FTP server at 10.1.1.1.

<Sysname> system-view

[Sysname] dhcp server database filename url ftp://10.1.1.1/database.dhcp username 1 password simple 1

Related commands

dhcp server database update interval

dhcp server database update now

dhcp server database update stop
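The remote-backup syntax above can be checked mechanically before a configuration reaches a device. The following Python sketch is an added example, not H3C code: it parses dhcp server database filename lines against the syntax and length limits documented for this command and flags settings a reviewer would question. The finding names, the function names, and all sample lines except the two taken from the Examples section are constructed; the cleartext-transport finding reflects a general property of FTP and TFTP, not a statement from this page.

```python
import re

PREFIX = "dhcp server database filename".split()
# Length limits from the Parameters section of this command.
MAX_URL, MAX_USER, MAX_PLAIN_PW, MAX_CIPHER_PW = 255, 32, 32, 73
URL_RE = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://(?P<authority>[^/]*)(?P<path>/.*)?$")


def _check_url(url):
    found = set()
    if len(url) > MAX_URL:
        found.add("url-too-long")
    match = URL_RE.match(url)
    if not match:
        return found | {"malformed-url"}
    if match.group("scheme").lower() in ("ftp", "tftp"):
        # General property of FTP and TFTP: the backup file (and any FTP
        # login) crosses the network unencrypted.
        found.add("cleartext-transport")
    else:
        found.add("undocumented-scheme")   # page documents ftp:// and tftp:// only
    _userinfo, at_sign, host = match.group("authority").rpartition("@")
    if at_sign:
        found.add("credentials-in-url")    # page: do not put them in the URL
    if host.count(":") > 1 and not host.startswith("["):
        found.add("ipv6-not-bracketed")    # page: enclose IPv6 in brackets
    return found


def _check_credentials(rest):
    """Check the optional 'username U [ password { cipher | simple } S ]' tail."""
    found = set()
    if not rest:
        return found
    if rest[0] != "username" or len(rest) < 2:
        return {"syntax-error"}            # password is only valid after username
    if len(rest[1]) > MAX_USER:
        found.add("username-too-long")
    tail = rest[2:]
    if not tail:
        return found
    if len(tail) != 3 or tail[0] != "password" or tail[1] not in ("cipher", "simple"):
        return found | {"syntax-error"}
    form, secret = tail[1], tail[2]
    if len(secret) > (MAX_PLAIN_PW if form == "simple" else MAX_CIPHER_PW):
        found.add("password-too-long")
    if form == "simple":
        # The device stores it encrypted, but the script, template or ticket
        # holding this line still contains the plaintext.
        found.add("plaintext-password-in-source")
    return found


def audit_backup_line(line):
    """Return a sorted list of finding codes for one configuration line."""
    tokens = line.split()
    if tokens[:4] != PREFIX:
        return ["not-a-backup-command"]
    args = tokens[4:]
    if not args or (args[0] == "url" and len(args) < 2):
        return ["missing-target"]
    if args[0] != "url":
        # Local file: the page recommends a remote file because frequent
        # writes might damage the local storage medium.
        return ["local-storage-wear"] if len(args) == 1 else ["syntax-error"]
    return sorted(_check_url(args[1]) | _check_credentials(args[2:]))


def audit_config(text):
    """Audit every backup command in a configuration; other lines are skipped."""
    report = {}
    for raw in text.splitlines():
        findings = audit_backup_line(raw)
        if findings != ["not-a-backup-command"]:
            report[raw.strip()] = findings
    return report


# First two lines are from the Examples section; the rest are constructed.
SAMPLE_CONFIG = """
dhcp server database filename database.dhcp
dhcp server database filename url ftp://10.1.1.1/database.dhcp username 1 password simple 1
dhcp server database filename url ftp://backup:secret@10.1.1.1/database.dhcp
dhcp server database filename url ftp://1::1/database.dhcp
dhcp server database update interval 600
"""

if __name__ == "__main__":
    for line, findings in audit_config(SAMPLE_CONFIG).items():
        print(line, "->", ", ".join(findings))
```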

dhcp server database update interval

Use dhcp server database update interval to set the waiting time for the DHCP server to update the backup file after a DHCP binding change.

Use undo dhcp server database update interval to restore the default.

Syntax

dhcp server database update interval interval

undo dhcp server database update interval

Default

The DHCP server waits 300 seconds to update the backup file after a DHCP binding change. If no DHCP binding changes, the backup file is not updated.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the waiting time in the range of 60 to 864000 seconds.

Usage guidelines

The waiting time takes effect only after you configure the DHCP binding auto backup by using the dhcp server database filename command.

When a DHCP binding is created, updated, or removed, the waiting period starts. The DHCP server updates the backup file when the waiting period expires. All bindings changed during the period will be saved to the backup file.

Examples

# Set the waiting time to 10 minutes for the DHCP server to update the backup file.

<Sysname> system-view

[Sysname] dhcp server database update interval 600

Related commands

dhcp server database filename

dhcp server database update now

dhcp server database update stop

dhcp server database update now

Use dhcp server database update now to manually save the DHCP bindings to the backup file.

Syntax

dhcp server database update now

Views

System view

Predefined user roles

network-admin

Usage guidelines

Each time this command is executed, the DHCP bindings are saved to the backup file.

For this command to take effect, you must configure the DHCP auto backup by using the dhcp server database filename command.

Examples

# Manually save the DHCP bindings to the backup file.

<Sysname> system-view

[Sysname] dhcp server database update now

Related commands

dhcp server database filename

dhcp server database update interval

dhcp server database update stop

dhcp server database update stop

Use dhcp server database update stop to terminate the download of DHCP bindings from the backup file.

Syntax

dhcp server database update stop

Views

System view

Predefined user roles

network-admin

Usage guidelines

The DHCP server does not provide services during the binding download process. If the connection is lost during the process, the server waits for the connection to recover, with a waiting timeout timer of 60 minutes. When the timer expires, the DHCP server stops waiting and starts providing address allocation services.

To enable the DHCP server to provide services without waiting for the connection to be repaired, use this command to terminate the download immediately. The IP addresses associated with the undownloaded bindings will be assigned to clients. Address conflicts might occur.

Examples

# Terminate the download of the backup DHCP bindings.

<Sysname> system-view

[Sysname] dhcp server database update stop

Related commands

dhcp server database filename

dhcp server database update interval

dhcp server database update now

dhcp server forbidden-ip

Use dhcp server forbidden-ip to exclude specific IP addresses from dynamic allocation.

Use undo dhcp server forbidden-ip to remove the configuration.

Syntax

dhcp server forbidden-ip start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]

undo dhcp server forbidden-ip start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]

Default

No IP addresses are excluded from dynamic allocation.

Views

System view

Predefined user roles

network-admin

Parameters

start-ip-address: Specifies the start IP address.

end-ip-address: Specifies the end IP address, which cannot be lower than the start-ip-address. If you do not specify this argument, only the start-ip-address is excluded from dynamic allocation.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To specify an IP address on the public network, do not specify this option.

Usage guidelines

The IP addresses of some devices such as the gateway and FTP server cannot be assigned to clients. Use this command to exclude such addresses from dynamic allocation.

You can execute this command multiple times to exclude multiple IP address ranges from dynamic allocation.

If the excluded IP address is in a static DHCP binding, the address can still be assigned to the client.

The address or address range specified in the undo dhcp server forbidden-ip command must be the same as that specified in the dhcp server forbidden-ip command. To remove an IP address from the specified address range, you must remove the entire address range.

Examples

# Exclude the IP addresses of 10.110.1.1 through 10.110.1.63 from dynamic allocation.

<Sysname> system-view

[Sysname] dhcp server forbidden-ip 10.110.1.1 10.110.1.63

Related commands

forbidden-ip

static-bind

dhcp server ip-pool

Use dhcp server ip-pool to create a DHCP address pool and enter its view, or enter the view of an existing DHCP address pool.

Use undo dhcp server ip-pool to delete the specified DHCP address pool.

Syntax

dhcp server ip-pool pool-name

undo dhcp server ip-pool pool-name

Default

No DHCP address pools exist.

Views

System view

Predefined user roles

network-admin

Parameters

pool-name: Specifies a DHCP address pool name, a case-insensitive string of 1 to 63 characters. The pool name uniquely identifies an address pool.

Usage guidelines

A DHCP address pool is used to store the configuration parameters to be assigned to DHCP clients.

Examples

# Create a DHCP address pool named pool1.

<Sysname> system-view

[Sysname] dhcp server ip-pool pool1

[Sysname-dhcp-pool-pool1]

Related commands

class ip-pool

dhcp server apply ip-pool

display dhcp server pool

dhcp server ping packets

Use dhcp server ping packets to set the maximum number of ping packets.

Use undo dhcp server ping packets to restore the default.

Syntax

dhcp server ping packets number

undo dhcp server ping packets

Default

The maximum number of ping packets is 1.

Views

System view

Predefined user roles

network-admin

Parameters

number: Sets the maximum number of ping packets, in the range of 0 to 10. To disable the address conflict detection, set the value to 0.

Usage guidelines

To avoid IP address conflicts, the DHCP server pings an IP address before assigning it to a DHCP client.

If a ping attempt succeeds, the server determines that the IP address is in use and picks a new IP address. If all the ping attempts fail, the server assigns the IP address to the requesting DHCP client.

Examples

# Set the maximum number of ping packets to 10.

<Sysname> system-view

[Sysname] dhcp server ping packets 10

Related commands

dhcp server ping timeout

display dhcp server conflict

reset dhcp server conflict

dhcp server ping timeout

Use dhcp server ping timeout to set the ping response timeout time on the DHCP server.

Use undo dhcp server ping timeout to restore the default.

Syntax

dhcp server ping timeout milliseconds

undo dhcp server ping timeout

Default

The ping response timeout time is 500 milliseconds.

Views

System view

Predefined user roles

network-admin

Parameters

milliseconds: Specifies the timeout time in the range of 0 to 10000 milliseconds. To disable the ping operation for address conflict detection, set the value to 0 milliseconds.

Usage guidelines

To avoid IP address conflicts, the DHCP server pings an IP address before assigning it to a DHCP client.

If a ping attempt succeeds, the server determines that the IP address is in use and picks a new IP address. If all the ping attempts fail, the server assigns the IP address to the requesting DHCP client.

Examples

# Set the response timeout time to 1000 milliseconds.

<Sysname> system-view

[Sysname] dhcp server ping timeout 1000

Related commands

dhcp server ping packets

display dhcp server conflict

reset dhcp server conflict

dhcp server relay information enable

Use dhcp server relay information enable to enable the DHCP server to handle Option 82.

Use undo dhcp server relay information enable to configure the DHCP server to ignore Option 82.

Syntax

dhcp server relay information enable

undo dhcp server relay information enable

Default

The DHCP server handles Option 82.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Upon receiving a DHCP request that contains Option 82, the server copies the original Option 82 into the response. If the server is configured to ignore Option 82, the response will not contain Option 82.

Examples

# Configure the DHCP server to ignore Option 82.

<Sysname> system-view

[Sysname] undo dhcp server relay information enable

dhcp server reply-exclude-option60

Use dhcp server reply-exclude-option60 to disable the DHCP server from encapsulating Option 60 in DHCP replies.

Use undo dhcp server reply-exclude-option60 to restore the default.

Syntax

dhcp server reply-exclude-option60

undo dhcp server reply-exclude-option60

Default

The DHCP server can encapsulate Option 60 in DHCP replies.

Views

System view

Predefined user roles

network-admin

Usage guidelines

If you do not disable the capability, the DHCP server encapsulates Option 60 in a DHCP reply in the following situations:

·     The received DHCP packet contains Option 60.

·     Option 60 is configured for the address pool.

If you disable the capability, the DHCP server does not encapsulate Option 60 in DHCP replies.

Examples

# Disable the DHCP server from encapsulating Option 60 in DHCP replies.

<Sysname> system-view

[Sysname] dhcp server reply-exclude-option60

display dhcp server conflict

Use display dhcp server conflict to display information about IP address conflicts.

Syntax

display dhcp server conflict [ ip ip-address ] [ vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip ip-address: Displays conflict information about the specified IP address. If you do not specify this option, this command displays information about all IP address conflicts.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To display conflict information about IP addresses on the public network, do not specify this option.

Usage guidelines

The DHCP server generates IP address conflict information in the following situations:

·     Before assigning an IP address to a DHCP client, the DHCP server pings the IP address and discovers that another host is using the address.

·     The DHCP client sends a DECLINE packet to the DHCP server to inform the server of an IP address conflict.

·     The DHCP server discovers that the only assignable address in the address pool is its own IP address.

Examples

# Display information about all IP address conflicts.

<Sysname> display dhcp server conflict

IP address          Detect time

4.4.4.1             Apr 25 16:57:20 2007

4.4.4.2             Apr 25 17:00:10 2007

Table 7 Command output

Field: Description

IP address: Conflicted IP address.

Detect time: Time when the conflict was discovered.

Related commands

reset dhcp server conflict

display dhcp server database

Use display dhcp server database to display information about DHCP binding auto backup.

Syntax

display dhcp server database

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about DHCP binding auto backup.

<Sysname> display dhcp server database

 File name               :   database.dhcp

 Username                :

 Password                :

 Update interval         :   600 seconds

 Latest write time       :   Feb  8 16:09:53 2014

 Status                  :   Last write succeeded.

Table 8 Command output

Field: Description

File name: Name of the DHCP binding backup file.

Username: Username for accessing the URL of the remote backup file.

Password: Password for accessing the URL of the remote backup file. This field displays ****** if a password is configured.

Update interval: Waiting time in seconds after a DHCP binding change for the DHCP server to update the backup file.

Latest write time: Time of the latest update.

Status: Status of the update:

·     Writing—The backup file is being updated.

·     Last write succeeded—The backup file was successfully updated.

·     Last write failed—The backup file failed to be updated.

display dhcp server expired

Use display dhcp server expired to display the lease expiration information.

Syntax

display dhcp server expired [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip ip-address: Displays lease expiration information about the specified IP address. If you do not specify an IP address, this command displays lease expiration information about all IP addresses.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To display lease expiration information about IP addresses on the public network, do not specify this option.

pool pool-name: Displays lease expiration information about the specified address pool. The pool name is a case-insensitive string of 1 to 63 characters. If you do not specify an address pool, this command displays lease expiration information about all address pools.

Usage guidelines

The DHCP server assigns the expired IP addresses to DHCP clients when all available addresses have been assigned.

Examples

# Display all lease expiration information.

<Sysname> display dhcp server expired

IP address       Client-identifier/Hardware address    Lease expiration

4.4.4.6          3030-3066-2e65-3230-302e-3130-3234    Apr 25 17:10:47 2007

                 -2d45-7468-6572-6e65-7430-2f31

Table 9 Command output

Field: Description

IP address: Expired IP address.

Client-identifier/Hardware address: Client ID or MAC address.

For the client ID:

·     If an ASCII string is used as the client ID value, the type value is 00.

·     If the MAC address of an interface is used as the client ID value, the type value is 01.

·     If a hexadecimal string is used as the client ID value, the type value is the first two digits of the string.

Lease expiration: Time when the lease expired.

Related commands

reset dhcp server expired
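When leases are reviewed after an incident, the client identifier column is often the only link between an expired lease and a host. The following Python sketch is an added example, not H3C code: it parses display dhcp server expired output, rejoins an identifier that wraps onto a continuation line as in the sample above, and renders the identifier in a readable form. The function names and the second sample row are constructed; treating an all-printable identifier as text, and a 7-byte identifier that starts with 01 as a type-01 MAC client ID, are assumptions of this example.

```python
import re
from datetime import datetime

# A data row: IP address, hex identifier, then the expiration timestamp.
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f-]+)\s+(\S.*?)\s*$")
# A continuation row: indentation followed only by more identifier digits.
CONT = re.compile(r"^\s+(-?[0-9A-Fa-f][0-9A-Fa-f-]*)\s*$")
TIME_FORMAT = "%b %d %H:%M:%S %Y"      # for example: Apr 25 17:10:47 2007


def describe_client_id(client_id):
    """Return (kind, value) for an identifier shown as dash-separated hex."""
    digits = client_id.replace("-", "")
    if not digits or len(digits) % 2:
        return ("hex", client_id)                  # cannot be split into bytes
    data = bytes.fromhex(digits)
    if len(data) == 7 and data[0] == 0x01:
        # Assumption: type value 01 followed by a 6-byte MAC address.
        mac = data[1:].hex()
        return ("mac-client-id", "-".join(mac[i:i + 4] for i in (0, 4, 8)))
    if all(0x20 <= byte < 0x7F for byte in data):
        # Assumption: an all-printable identifier is an ASCII string.
        return ("ascii", data.decode("ascii"))
    return ("hex", client_id)


def parse_expired(output):
    """Parse the command output into a list of lease dictionaries."""
    leases = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("IP address"):
            continue                                # blank line or column header
        row = ROW.match(line)
        if row:
            try:
                expired_at = datetime.strptime(row.group(3), TIME_FORMAT)
            except ValueError:
                expired_at = None                   # keep the raw text only
            leases.append({"ip": row.group(1), "client_id": row.group(2),
                           "expired_raw": row.group(3), "expired_at": expired_at})
            continue
        cont = CONT.match(line)
        if cont and leases:
            # Wrapped identifier: append to the row it belongs to.
            leases[-1]["client_id"] += cont.group(1)
    for lease in leases:
        lease["decoded"] = describe_client_id(lease["client_id"])
    return leases


# First data row (with its wrapped line) is the sample from this page;
# the 4.4.4.7 row is constructed.
SAMPLE_OUTPUT = "\n".join([
    "<Sysname> display dhcp server expired",
    "IP address       Client-identifier/Hardware address    Lease expiration",
    "4.4.4.6          3030-3066-2e65-3230-302e-3130-3234    Apr 25 17:10:47 2007",
    "                 -2d45-7468-6572-6e65-7430-2f31",
    "4.4.4.7          0100-e0fc-0000-01                     Apr 25 17:12:03 2007",
])

if __name__ == "__main__":
    for lease in parse_expired(SAMPLE_OUTPUT):
        print(lease["ip"], lease["expired_raw"], lease["decoded"])
```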

display dhcp server free-ip

Use display dhcp server free-ip to display information about assignable IP addresses.

Syntax

display dhcp server free-ip [ pool pool-name | vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pool pool-name: Displays assignable IP addresses in the specified address pool. The pool name is a case-insensitive string of 1 to 63 characters. If you do not specify an address pool, this command displays all assignable IP addresses for all address pools.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To display assignable IP addresses in address pools for the public network, do not specify this option.

Examples

# Display assignable IP addresses in all address pools.

<Sysname> display dhcp server free-ip

Pool name: 1

  Network: 10.0.0.0 mask 255.0.0.0

    IP ranges from 10.0.0.10 to 10.0.0.100

    IP ranges from 10.0.0.105 to 10.0.0.255

  Secondary networks:

    10.1.0.0 mask 255.255.0.0

      IP ranges from 10.1.0.0 to 10.1.0.255

    10.2.0.0 mask 255.255.0.0

      IP Ranges from 10.2.0.0 to 10.2.0.255

 

Pool name: 2

  Network: 20.1.1.0 mask 255.255.255.0

    IP ranges from 20.1.1.0 to 20.1.1.255

Table 10 Command output

Field: Description

Pool name: Name of the address pool.

Network: Assignable network.

IP ranges: Assignable IP address range.

Secondary networks: Assignable secondary networks.

Related commands

address range

dhcp server ip-pool

network

display dhcp server ip-in-use

Use display dhcp server ip-in-use to display binding information about assigned IP addresses.

Syntax

display dhcp server ip-in-use [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip ip-address: Displays binding information about the specified assigned IP address. If you do not specify an IP address, this command displays binding information about all assigned IP addresses.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To display binding information on the public network, do not specify this option.

pool pool-name: Displays binding information about assigned IP addresses in the specified address pool. The pool name is a case-insensitive string of 1 to 63 characters. If you do not specify an address pool, this command displays binding information about assigned IP addresses in all address pools.

Usage guidelines

The binding information can be used by other security modules only when the DHCP server is configured on the gateway of DHCP clients.

If the lease deadline exceeds the year 2100, the lease expiration time is displayed as After 2100.

Examples

# Display binding information about all assigned DHCP addresses.

<Sysname> display dhcp server ip-in-use

IP address       Client identifier/    Lease expiration      Type

                 Hardware address

10.1.1.1         652e-3030-2e34        Not used              Static(F)

10.1.1.2         3030-3030-2e30        May 1 14:02:49 2015   Auto(C)

10.1.1.3         652e-3030-2e54        After 2100            Static(C)

Table 11 Command output

Field: Description

IP address: IP address assigned.

Client identifier/Hardware address: Client ID or hardware address.

Lease expiration: Lease expiration time:

·     Exact time (May 1 14:02:49 2015 in this example)—Time when the lease will expire.

·     Not used—The IP address of the static binding has not been assigned to the specific client.

·     Unlimited—Infinite lease expiration time.

·     After 2100—The lease will expire after 2100.

Type: Binding types:

·     Static(F)—A free static binding whose IP address has not been assigned.

·     Static(O)—An offered static binding whose IP address has been selected and sent by the DHCP server in a DHCP-OFFER packet to the client.

·     Static(C)—A committed static binding whose IP address has been assigned to the DHCP client.

·     Auto(O)—An offered temporary dynamic binding whose IP address has been dynamically selected by the DHCP server and sent in a DHCP-OFFER packet to the DHCP client.

·     Auto(C)—A committed dynamic binding whose IP address has been dynamically assigned to the DHCP client.

Related commands

reset dhcp server ip-in-use

display dhcp server pool

Use display dhcp server pool to display information about a DHCP address pool.

Syntax

display dhcp server pool [ pool-name | vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pool-name: Displays information about the specified address pool. The pool name is a case-insensitive string of 1 to 63 characters. If you do not specify the pool-name argument, this command displays information about all address pools.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To display information about address pools for the public network, do not specify this option.

Examples

# Display information about all DHCP address pools.

<Sysname> display dhcp server pool

Pool name: 0

  Network 20.1.1.0 mask 255.255.255.0

  class a range 20.1.1.50 20.1.1.60

  bootfile-name abc.cfg

  dns-list 20.1.1.66 20.1.1.67 20.1.1.68

  domain-name www.aabbcc.com

  bims-server ip 192.168.0.51 sharekey cipher $c$3$K13OmQPi791YvQoF2Gs1E+65LOU=

  option 2 ip-address 1.1.1.1

  expired 1 2 3 0

 

Pool name: 1

  Network 20.1.1.0 mask 255.255.255.0

  secondary networks:

    20.1.2.0 mask 255.255.255.0

    20.1.3.0 mask 255.255.255.0

  bims-server ip 192.168.0.51 port 50 sharekey cipher $c$3$K13OmQPi791YvQoF2Gs1E+65LOU=

  forbidden-ip 20.1.1.22 20.1.1.36 20.1.1.37

  forbidden-ip 20.1.1.22 20.1.1.23 20.1.1.24

  gateway-list 10.1.1.3 11.2.2.2 12.4.4.4

  nbns-list 11.5.5.5 12.6.6.4 12.7.7.7

  netbios-type m-node

  option 2 ip-address 1.1.1.1

  expired 1 0 0 0

 

Pool name: 2

  Network 20.1.1.0 mask 255.255.255.0

  address range 20.1.1.1 to 20.1.1.15

  class departmentA range 20.1.1.20 to 20.1.1.29

  class departmentB range 20.1.1.30 to 20.1.1.40

  next-server 20.1.1.33

  tftp-server domain-name www.dian.org.cn

  tftp-server ip-address 192.168.0.120

  voice-config ncp-ip 10.1.1.2

  voice-config as-ip 10.1.1.5

  voice-config voice-vlan 3 enable

  voice-config fail-over 10.1.1.1 123*

  option 2 ip-address 1.1.1.3

  expired 1 0 0 0

 

Pool name: 3

  static bindings:

    ip-address 10.10.1.2 mask 255.0.0.0

      hardware-address 00e0-00fc-0001 ethernet

    ip-address 10.10.1.3 mask 255.0.0.0

      client-identifier aaaa-bbbb

  expired unlimited

Table 12 Command output

Field: Description

Pool name: Name of an address pool.

Network: Assignable network.

secondary networks: Assignable secondary networks.

address range: Assignable address range.

class class-name range: DHCP user class and its address range.

static bindings: Static IP-to-MAC/client ID bindings.

option: Customized DHCP option.

expired: Lease duration. For example, 1 2 3 4 refers to 1 day 2 hours 3 minutes 4 seconds.

bootfile-name: Boot file name.

dns-list: DNS server IP address.

domain-name: Domain name suffix.

bims-server: BIMS server information.

forbidden-ip: IP addresses excluded from dynamic allocation.

gateway-list: Gateway addresses.

nbns-list: WINS server addresses.

netbios-type: NetBIOS node type.

next-server: Next server IP address.

tftp-server domain-name: TFTP server name.

tftp-server ip-address: TFTP server address.

voice-config ncp-ip: Primary network calling processor address.

voice-config as-ip: Backup network calling processor address.

voice-config voice-vlan: Voice VLAN.

voice-config fail-over: Failover route.

display dhcp server statistics

Use display dhcp server statistics to display the DHCP server statistics.

Syntax

display dhcp server statistics [ pool pool-name | vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pool pool-name: Specifies an address pool by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, this command displays information about all address pools.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To display DHCP server statistics for the public network, do not specify this option.

Examples

# Display the DHCP server statistics.

<Sysname> display dhcp server statistics

    Pool number:                       1

    Pool utilization:                  0.39%

    Bindings:

      Automatic:                       1

      Manual:                          0

      Expired:                         0

    Conflict:                          1

    Messages received:                10

      DHCPDISCOVER:                    5

      DHCPREQUEST:                     3

      DHCPDECLINE:                     0

      DHCPRELEASE:                     2

      DHCPINFORM:                      0

      BOOTPREQUEST:                    0

    Messages sent:                     6

      DHCPOFFER:                       3

      DHCPACK:                         3

      DHCPNAK:                         0

      BOOTPREPLY:                      0

    Bad Messages:                      0

Table 13 Command output

| Field | Description |
|---|---|
| Pool number | Total number of address pools. This field is not displayed when you display statistics for a specific address pool. |
| Pool utilization | Pool usage rate. If you display statistics for all address pools, this field displays the usage rate of all address pools. If you display statistics for an address pool, this field displays the pool usage rate of the specified address pool. |
| Bindings | Bindings include the following types: Automatic (number of dynamic bindings), Manual (number of static bindings), and Expired (number of expired bindings). |
| Conflict | Total number of conflict addresses. This field is not displayed if you display statistics for a specific address pool. |
| Messages received | DHCP packets received from clients: DHCPDISCOVER, DHCPREQUEST, DHCPDECLINE, DHCPRELEASE, DHCPINFORM, and BOOTPREQUEST. This field is not displayed if you display statistics for a specific address pool. |
| Messages sent | DHCP packets sent to clients: DHCPOFFER, DHCPACK, DHCPNAK, and BOOTPREPLY. This field is not displayed if statistics about a specific address pool are displayed. |
| Bad Messages | Number of bad messages. This field is not displayed if you display statistics for a specific address pool. |

Related commands

reset dhcp server statistics
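
For monitoring, the output of display dhcp server statistics can be parsed and checked automatically. The following Python sketch is an added example, not H3C code: it parses the example output shown above and reports counters worth a look. The function names, the 85% utilization limit, and the choice of checks are assumptions of this example.

```python
import re

# The example output shown above, with the blank lines removed.
SAMPLE = """\
<Sysname> display dhcp server statistics
    Pool number:                       1
    Pool utilization:                  0.39%
    Bindings:
      Automatic:                       1
      Manual:                          0
      Expired:                         0
    Conflict:                          1
    Messages received:                10
      DHCPDISCOVER:                    5
      DHCPREQUEST:                     3
      DHCPDECLINE:                     0
      DHCPRELEASE:                     2
      DHCPINFORM:                      0
      BOOTPREQUEST:                    0
    Messages sent:                     6
      DHCPOFFER:                       3
      DHCPACK:                         3
      DHCPNAK:                         0
      BOOTPREPLY:                      0
    Bad Messages:                      0
"""

# "name: value" lines; the value is optional (group headers such as "Bindings:").
FIELD = re.compile(r"(\s*)([A-Za-z][A-Za-z ]*):\s*(\d+(?:\.\d+)?%?)?\s*")


def to_number(token):
    """Convert '10' to 10 and '0.39%' to 0.39."""
    token = token.rstrip("%")
    return float(token) if "." in token else int(token)


def parse_statistics(text):
    """Return {field: number} with indented sub-counters nested under their parent.

    A parent that carries its own value (Messages received: 10) keeps it as "total".
    """
    stats, parent, top_indent = {}, None, None
    for raw in text.splitlines():
        m = FIELD.fullmatch(raw)
        if not m:
            continue  # prompt line, blank line, or anything else
        indent, name, value = len(m.group(1)), m.group(2), m.group(3)
        if top_indent is None:
            top_indent = indent
        if indent > top_indent and parent is not None:
            if value is None:
                continue
            if not isinstance(stats[parent], dict):
                stats[parent] = {"total": stats[parent]}
            stats[parent][name] = to_number(value)
        else:
            parent = name
            stats[name] = {} if value is None else to_number(value)
    return stats


def review(stats, utilization_limit=85.0):
    """Return a list of findings. The checks and the limit are this example's assumptions."""
    findings = []
    for field in ("Messages received", "Messages sent"):
        group = stats.get(field)
        if isinstance(group, dict) and "total" in group:
            parts = sum(v for k, v in group.items() if k != "total")
            if parts != group["total"]:
                findings.append(f"{field}: per-type counters sum to {parts}, total is {group['total']}")
    if stats.get("Pool utilization", 0) >= utilization_limit:
        findings.append(f"Pool utilization {stats['Pool utilization']}% is at or above {utilization_limit}%")
    if stats.get("Conflict", 0) > 0:
        findings.append(f"Conflict: {stats['Conflict']} conflicting address(es) recorded")
    received = stats.get("Messages received")
    if isinstance(received, dict) and received.get("DHCPDECLINE", 0) > 0:
        findings.append(f"DHCPDECLINE: {received['DHCPDECLINE']} offered address(es) declined by clients")
    if stats.get("Bad Messages", 0) > 0:
        findings.append(f"Bad Messages: {stats['Bad Messages']}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_statistics(SAMPLE)):
        print(finding)
```

Statistics for a single pool omit the Pool number, Conflict, Messages, and Bad Messages fields (see Table 13), so the checks on those fields are skipped for such output.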

dns-list

Use dns-list to specify DNS server addresses in a DHCP address pool.

Use undo dns-list to remove DNS server addresses from a DHCP address pool.

Syntax

dns-list ip-address&<1-8>

undo dns-list [ ip-address&<1-8> ]

Default

No DNS server address is specified.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

ip-address&<1-8>: Specifies a space-separated list of up to eight DNS servers.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

If you do not specify any parameters, the undo dns-list command deletes all DNS server addresses in the DHCP address pool.

Examples

# Specify the DNS server address 10.1.1.254 in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] dns-list 10.1.1.254

Related commands

display dhcp server pool

domain-name

Use domain-name to specify a domain name in a DHCP address pool.

Use undo domain-name to restore the default.

Syntax

domain-name domain-name

undo domain-name

Default

No domain name is specified.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the domain name, a case-sensitive string of 1 to 50 characters.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the domain name company.com in address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] domain-name company.com

Related commands

display dhcp server pool

expired

Use expired to set the lease duration in a DHCP address pool.

Use undo expired to restore the default lease duration for a DHCP address pool.

Syntax

expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }

undo expired

Default

The lease duration of a dynamic DHCP address pool is one day.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

day day: Specifies the number of days, in the range of 0 to 365.

hour hour: Specifies the number of hours, in the range of 0 to 23. The default is 0.

minute minute: Specifies the number of minutes, in the range of 0 to 59. The default is 0.

second second: Specifies the number of seconds, in the range of 0 to 59. The default is 0.

unlimited: Specifies the unlimited lease duration, which is actually 136 years.

Usage guidelines

The DHCP server assigns an IP address together with the lease duration to the DHCP client. Before the lease expires, the DHCP client must extend the lease duration.

·     If the lease extension operation succeeds, the DHCP client can continue to use the IP address.

·     If the lease extension operation does not succeed, both of the following events occur:

      ○     The DHCP client cannot use the IP address after the lease duration expires.

      ○     The DHCP server will label the IP address as an expired address.

Examples

# Set the lease duration to 1 day, 2 hours, 3 minutes, and 4 seconds in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] expired day 1 hour 2 minute 3 second 4

Related commands

display dhcp server expired

display dhcp server pool

reset dhcp server expired

forbidden-ip

Use forbidden-ip to exclude IP addresses from dynamic allocation in an address pool.

Use undo forbidden-ip to cancel the configuration.

Syntax

forbidden-ip ip-address&<1-8>

undo forbidden-ip [ ip-address&<1-8> ]

Default

No IP addresses are excluded from dynamic allocation in an address pool.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

ip-address&<1-8>: Specifies a space-separated list of up to eight excluded IP addresses.

Usage guidelines

The excluded IP addresses in an address pool are still assignable in other address pools.

You can exclude a maximum of 4096 IP addresses in an address pool.

If you do not specify any parameters, the undo forbidden-ip command deletes all excluded IP addresses.

Examples

# Exclude IP addresses 192.168.1.3 and 192.168.1.10 from dynamic allocation in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] forbidden-ip 192.168.1.3 192.168.1.10

Related commands

dhcp server forbidden-ip

display dhcp server pool

gateway-list

Use gateway-list to specify gateway addresses in a DHCP address pool or a DHCP secondary subnet.

Use undo gateway-list to remove the specified gateway addresses from a DHCP address pool or a DHCP secondary subnet.

Syntax

gateway-list ip-address&<1-64> [ export-route ]

undo gateway-list [ ip-address&<1-64> ] [ export-route ]

Default

No gateway address is configured in a DHCP address pool or a DHCP secondary subnet.

Views

DHCP address pool view

DHCP secondary subnet view

Predefined user roles

network-admin

Parameters

ip-address&<1-64>: Specifies a space-separated list of up to 64 gateway addresses. Gateway addresses must reside on the same subnet as the assignable IP addresses.

export-route: Binds the gateways to the device's MAC address in the address management module. The ARP module will use the entries to reply to ARP requests from the DHCP clients. If you do not specify this keyword, the gateways will not be bound to the device's MAC address.

Usage guidelines

If you do not specify any parameters, the undo gateway-list command deletes all gateway addresses.

The DHCP server assigns gateway addresses to clients on a secondary subnet in the following ways:

·     If gateways are specified in both address pool view and secondary subnet view, DHCP assigns those specified in the secondary subnet view.

·     If gateways are specified in address pool view but not in secondary subnet view, DHCP assigns those specified in address pool view.

Examples

# Specify the gateway address 10.1.1.1 in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] gateway-list 10.1.1.1

Related commands

display dhcp server pool

if-match

Use if-match to configure a match rule for a DHCP user class.

Use undo if-match to delete a match rule for a DHCP user class.

Syntax

if-match rule rule-number { hardware-address hardware-address mask hardware-address-mask | option option-code [ ascii ascii-string [ offset offset | partial ] | hex hex-string [ mask mask | offset offset length length | partial ] ] | relay-agent gateway-address }

undo if-match rule rule-number

Default

No match rules are configured for the DHCP user class.

Views

DHCP user class view

Predefined user roles

network-admin

Parameters

rule rule-number: Assigns the match rule an ID in the range of 1 to 128. A smaller ID represents a higher match priority.

hardware-address hardware-address: Specifies a hardware address, a string of 4 to 39 characters. The string contains hyphen-separated hexadecimal numbers. The last hexadecimal number can be a two-digit or four-digit number, and the other hexadecimal numbers must be four-digit numbers. For example, aabb-ccdd-ee is valid, and aabb-c-dddd or aabb-cc-dddd is invalid.

mask hardware-address-mask: Specifies the mask for the match operation. The length of the mask must be the same as that of the hardware address.

option option-code: Specifies a DHCP option by its number in the range of 1 to 254.

ascii ascii-string: Specifies an ASCII string of 1 to 128 characters.

offset offset: Specifies the offset in bytes after which the match operation starts. The value range is 0 to 254. If you specify an ASCII string, a packet matches the rule if the option content after the offset is the same as the ASCII string. If you specify a hexadecimal string, a packet matches the rule if the option content of the specified length after the offset is the same as the hexadecimal string.

partial: Enables partial match. A packet matches a rule if the specified option in the packet contains the ASCII or hexadecimal string specified in the rule. For example, if the specified string is abc, option content xabc, xyzabca, xabcyz, and abcxyz all match the rule.

hex hex-string: Specifies a hexadecimal string. The length of the hexadecimal string must be an even number in the range of 2 to 256.

mask mask: Specifies the mask for the match operation. The mask is a hexadecimal string whose length is an even number in the range of 2 to 256 and must be the same as the hex-string length. The DHCP server selects a string of the mask length from the start of the option, and ANDs the selected string and the specified hexadecimal string with the mask. The packet matches the rule if the two AND operation results are the same.

length length: Specifies the length of the option content to be matched, in the range of 1 to 128 bytes. The length must be the same as the hex-string length.

relay-agent gateway-address: Specifies a giaddr field value. The value is an IPv4 address in the dotted decimal notation. A packet matches the rule if its giaddr field value is the same as that in the rule.

Usage guidelines

You can configure multiple match rules for a DHCP user class. Each match rule is uniquely identified by a rule ID within its type (hardware address, option, or relay agent address). The DHCP server compares the hardware address, option content, or relay agent address in the DHCP requests against the match rules. If a match is found, the DHCP client matches the DHCP user class.

As a best practice, do not configure rules of different types to use the same ID. Two rules cannot have the same content.

·     If the rule that you are configuring has the same ID and type as an existing rule, the new rule overwrites the existing rule.

·     If the rule that you are configuring has the same ID as an existing rule but a different type, the new rule takes effect and coexists with the existing rule.

When you configure an if-match hardware-address rule, follow these guidelines:

·     A rule applies only to clients with MAC addresses. It does not match clients with hardware addresses of other types.

·     The specified hardware address must be of the same length as the client hardware addresses to be matched. To match MAC addresses, the specified hardware address must be six bytes long.

·     The fs and 0s in the mask for the hardware match operation can be noncontiguous. For example, the rule if-match rule 1 hardware-address 0094-0000-1100 mask ffff-0000-ff00 matches hardware addresses in which the first two bytes are 0094 and the fifth byte is 11.

When you configure an if-match option rule, follow these guidelines:

·     To match packets that contain an option, specify only the option code.

·     To match a hexadecimal string by AND operations, specify the option option-code hex hex-string mask mask options.

·     To match a hexadecimal string directly, specify the option option-code hex hex-string [ offset offset length length | partial ] options.

If you do not specify the optional parameters, a packet matches a rule if the option content starts with the hexadecimal string.

·     To match an ASCII string, specify the option option-code ascii ascii-string [ offset offset | partial ] options.

If you do not specify the optional parameters, a packet matches a rule if the option content starts with the ASCII string.

Examples

# Configure match rule 1 for the DHCP user class exam to match DHCP requests in which the hardware address is six bytes long and begins with 0094.

<Sysname> system-view

[Sysname] dhcp class exam

[Sysname-dhcp-class-exam] if-match rule 1 hardware-address 0094-0000-0101 mask ffff-0000-0000

# Configure match rule 2 for the DHCP user class exam to match DHCP requests that contain Option 82.

<Sysname> system-view

[Sysname] dhcp class exam

[Sysname-dhcp-class-exam] if-match rule 2 option 82

# Configure match rule 3 for the DHCP user class exam to match DHCP requests in which the highest bit of the fourth byte in Option 82 is 1.

<Sysname> system-view

[Sysname] dhcp class exam

[Sysname-dhcp-class-exam] if-match rule 3 option 82 hex 00000080 mask 00000080

# Configure match rule 4 for the DHCP user class exam to match DHCP requests in which the first three bytes of Option 82 are 0x13ae92.

<Sysname> system-view

[Sysname] dhcp class exam

[Sysname-dhcp-class-exam] if-match rule 4 option 82 hex 13ae92 offset 0 length 3

# Configure match rule 5 for the DHCP user class exam to match DHCP requests in which Option 82 contains the hexadecimal string 0x13ae.

<Sysname> system-view

[Sysname] dhcp class exam

[Sysname-dhcp-class-exam] if-match rule 5 option 82 hex 13ae partial

# Configure match rule 6 for the DHCP user class exam to match DHCP requests in which the giaddr field is 10.1.1.1.

<Sysname> system-view

[Sysname] dhcp class exam

[Sysname-dhcp-class-exam] if-match rule 6 relay-agent 10.1.1.1
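
The match semantics described in the parameters above can be checked offline before a rule is committed. The following Python model is an added example, not H3C code: it implements the hardware-address mask match and the hex option matches (code only, mask, offset with length, partial, and the default prefix match) as this page describes them, then evaluates rules 1 to 6 of class exam against constructed requests. The function names and request field names are assumptions of this example, partial matching is assumed to be byte-aligned, and the ASCII offset form is not modeled.

```python
import re

# H-H-H notation used on this page: four-digit hex groups, the last one
# may have two or four digits; the whole string is 4 to 39 characters.
HYPHEN_HEX = re.compile(r"(?:[0-9a-fA-F]{4}-)*[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?")


def hyphen_hex(text):
    """Convert '0094-0000-1100' to bytes; reject forms such as 'aabb-c-dddd'."""
    if not 4 <= len(text) <= 39 or not HYPHEN_HEX.fullmatch(text):
        raise ValueError(f"not valid H-H-H notation: {text!r}")
    return bytes.fromhex(text.replace("-", ""))


def and_bytes(data, mask):
    """Byte-wise AND of two equal-length byte strings."""
    return bytes(d & m for d, m in zip(data, mask))


def match_hardware(client_hw, rule_hw, rule_mask):
    """hardware-address ... mask ...: compare only the bits the mask selects."""
    hw, mask = hyphen_hex(rule_hw), hyphen_hex(rule_mask)
    if len(hw) != len(mask):
        raise ValueError("mask length must equal hardware address length")
    if len(client_hw) != len(hw):
        return False  # rule and client address must have the same length
    return and_bytes(client_hw, mask) == and_bytes(hw, mask)


def match_option(content, pattern=None, mask=None, offset=None, length=None, partial=False):
    """option code [ hex ... [ mask | offset + length | partial ] ] on raw option bytes.

    content is None when the request does not carry the option.
    """
    if content is None:
        return False
    if pattern is None:
        return True  # option code only: presence is enough
    if mask is not None:
        if len(mask) != len(pattern):
            raise ValueError("mask length must equal hex-string length")
        head = content[:len(mask)]
        # Assumption: an option shorter than the mask does not match.
        return len(head) == len(mask) and and_bytes(head, mask) == and_bytes(pattern, mask)
    if offset is not None:
        if length != len(pattern):
            raise ValueError("length must equal hex-string length")
        return content[offset:offset + length] == pattern
    if partial:
        return pattern in content  # pattern may appear anywhere in the option
    return content.startswith(pattern)


def matching_rules(rules, request):
    """Return the IDs of all matching rules, highest priority (smallest ID) first."""
    return [rule_id for rule_id in sorted(rules) if rules[rule_id](request)]


def opt82(request):
    return request["options"].get(82)


# Rules 1 to 6 of user class "exam", as configured in the examples above.
EXAM = {
    1: lambda r: match_hardware(r["chaddr"], "0094-0000-0101", "ffff-0000-0000"),
    2: lambda r: match_option(opt82(r)),
    3: lambda r: match_option(opt82(r), bytes.fromhex("00000080"), mask=bytes.fromhex("00000080")),
    4: lambda r: match_option(opt82(r), bytes.fromhex("13ae92"), offset=0, length=3),
    5: lambda r: match_option(opt82(r), bytes.fromhex("13ae"), partial=True),
    6: lambda r: r["giaddr"] == "10.1.1.1",
}

# Constructed requests (field names are this example's own, not Comware's).
REQUESTS = {
    "A": {"chaddr": hyphen_hex("0094-1234-5678"), "options": {}, "giaddr": "0.0.0.0"},
    "B": {"chaddr": hyphen_hex("00e0-00fc-0001"), "options": {82: bytes.fromhex("13ae92ff")}, "giaddr": "0.0.0.0"},
    "C": {"chaddr": hyphen_hex("00e0-00fc-0001"), "options": {82: bytes.fromhex("0013ae7f")}, "giaddr": "10.1.1.1"},
    "D": {"chaddr": hyphen_hex("00e0-00fc-0001"), "options": {}, "giaddr": "0.0.0.0"},
}

if __name__ == "__main__":
    for name, request in REQUESTS.items():
        print(name, matching_rules(EXAM, request))
```

Request B matches rules 2 through 5 at once, which shows how a code-only rule such as rule 2 already admits every request that the narrower Option 82 rules would. Running candidate rules against values that should and should not match makes an overly broad mask or partial pattern visible before the class is used.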

Related commands

dhcp class

ip-in-use threshold

Use ip-in-use threshold to set the alarm threshold for address pool usage.

Use undo ip-in-use threshold to restore the default.

Syntax

ip-in-use threshold threshold-value

undo ip-in-use threshold

Default

The address pool usage threshold is 100%.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold for the address pool usage percentage. The value range is 1 to 100.

Usage guidelines

If you execute this command in the same address pool view multiple times, the most recent configuration takes effect.

When the address pool usage exceeds the threshold, the system sends log messages to the information center. You can use the log information to optimize the address pool configuration. For more information about the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Set the address pool usage threshold to 85%.

<Sysname> system-view

[Sysname] dhcp server ip-pool p1

[Sysname-dhcp-pool-p1] ip-in-use threshold 85

nbns-list

Use nbns-list to specify WINS server addresses in a DHCP address pool.

Use undo nbns-list to remove the specified WINS server addresses.

Syntax

nbns-list ip-address&<1-8>

undo nbns-list [ ip-address&<1-8> ]

Default

No WINS server address is specified.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

ip-address&<1-8>: Specifies a space-separated list of up to eight WINS server IP addresses.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

If you do not specify any parameters, the undo nbns-list command deletes all WINS server addresses.

Examples

# Specify the WINS server IP address 10.1.1.1 in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] nbns-list 10.1.1.1

Related commands

display dhcp server pool

netbios-type

netbios-type

Use netbios-type to specify the NetBIOS node type in a DHCP address pool.

Use undo netbios-type to restore the default.

Syntax

netbios-type { b-node | h-node | m-node | p-node }

undo netbios-type

Default

No NetBIOS node type is specified.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

b-node: Specifies the broadcast node. A b-node client sends the destination name in a broadcast message to get the name-to-IP mapping from a server.

h-node: Specifies the hybrid node. An h-node client unicasts the destination name to a WINS server. If it does not receive a response, the h-node client broadcasts the destination name to get the mapping from a server.

m-node: Specifies the mixed node. An m-node client broadcasts the destination name. If it does not receive a response, the m-node client unicasts the destination name to the WINS server to get the mapping.

p-node: Specifies the peer-to-peer node. A p-node client sends the destination name in a unicast message to get the mapping from the WINS server.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the NetBIOS node type as p-node in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] netbios-type p-node

Related commands

display dhcp server pool

nbns-list

network

Use network to specify the subnet for dynamic allocation in a DHCP address pool.

Use undo network to remove the specified subnet.

Syntax

network network-address [ mask-length | mask mask ] [ export-route ] [ secondary ]

undo network network-address [ mask-length | mask mask ] [ secondary ]

Default

No subnet is specified in a DHCP address pool.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

network-address: Specifies the subnet for dynamic allocation. If no mask length or mask is specified, the natural mask will be used.

mask-length: Specifies the mask length in the range of 1 to 30.

mask mask: Specifies the mask in dotted decimal format.

export-route: Advertises the subnet assigned to DHCP clients. If you do not specify this keyword, the subnet will not be advertised.

secondary: Specifies the subnet as a secondary subnet. If you do not specify this keyword, this command specifies the primary subnet. If the addresses in the primary subnet are used up, the DHCP server can select addresses from a secondary subnet for clients.

Usage guidelines

You can use the secondary keyword to specify a secondary subnet and enter its view. In secondary subnet view, you can specify gateways by using the gateway-list command for DHCP clients in the secondary subnet.

You can specify only one primary subnet for a DHCP address pool. If you execute the network command multiple times, the most recent configuration takes effect.

You can specify up to 32 secondary subnets for a DHCP address pool.

The primary subnet and secondary subnets in a DHCP address pool must not have the same network address and mask.

If you have used the address range or class command in an address pool, you cannot specify a secondary subnet in the same address pool.

Modifying or removing the network configuration deletes the assigned addresses from the current address pool.

If you execute the network export-route command multiple times, the most recent configuration takes effect.

Examples

# Specify primary subnet 192.168.8.0/24 and secondary subnet 192.168.10.0/24 in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] network 192.168.8.0 mask 255.255.255.0

[Sysname-dhcp-pool-0] network 192.168.10.0 mask 255.255.255.0 secondary

[Sysname-dhcp-pool-0-secondary]

Related commands

display dhcp server pool

gateway-list

next-server

Use next-server to specify the IP address of a server in a DHCP address pool.

Use undo next-server to restore the default.

Syntax

next-server ip-address

undo next-server

Default

No server's IP address is specified in a DHCP address pool.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of a server.

Usage guidelines

Upon startup, the DHCP client obtains an IP address and the specified server IP address. Then it contacts the specified server, such as a TFTP server, to get other boot information.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify a server's IP address 10.1.1.254 in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] next-server 10.1.1.254

Related commands

display dhcp server pool

option

Use option to customize a DHCP option.

Use undo option to remove a customized DHCP option.

Syntax

option code { ascii ascii-string | hex hex-string | ip-address ip-address&<1-8> }

undo option code

Default

No DHCP option is customized.

Views

DHCP address pool view

DHCP option group view

Predefined user roles

network-admin

Parameters

code: Specifies the number of the customized option, in the range of 2 to 254, excluding 50 through 54, 56, 58, 59, 61, and 82.

ascii ascii-string: Specifies a case-sensitive ASCII string of 1 to 255 characters as the option content.

hex hex-string: Specifies a hexadecimal string as the option content. The string length must be an even number in the range of 2 to 256.

ip-address ip-address&<1-8>: Specifies a space-separated list of up to eight IP addresses as the option content.

Usage guidelines

The DHCP server fills the customized option with the specified ASCII string, hexadecimal string, or IP addresses, and sends it in a response to the client.

You can customize options for the following purposes:

·     Add newly released options.

·     Add options for which the vendor defines the contents, for example, Option 43.

·     Add options for which the CLI does not provide a dedicated configuration command. For example, you can use the option 4 ip-address 1.1.1.1 command to define the time server address 1.1.1.1 for DHCP clients.

·     Add all option values if the actual requirement exceeds the limit for a dedicated option configuration command. For example, the dns-list command can specify up to eight DNS servers. To specify more than eight DNS servers, you must use the option 6 command to define all DNS servers.

DHCP options specified by dedicated commands take precedence over those specified by the option commands. For example, if a DNS server address is specified by both the dns-list command and the option 6 command, the server uses the address specified by the dns-list command.

DHCP options specified in DHCP option groups take precedence over those specified in DHCP address pools.

If you execute the option command multiple times with the same code specified, the most recent configuration takes effect.

Examples

# Configure Option 7 to specify the log server address 2.2.2.2 in address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] option 7 ip-address 2.2.2.2

Related commands

display dhcp server pool

reset dhcp server conflict

Use reset dhcp server conflict to clear IP address conflict information.

Syntax

reset dhcp server conflict [ ip ip-address ] [ vpn-instance vpn-instance-name ]

Views

User view

Predefined user roles

network-admin

Parameters

ip ip-address: Clears conflict information about the specified IP address. If you do not specify this option, this command clears all address conflict information.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To clear conflict information about IP addresses on the public network, do not specify this option.

Usage guidelines

Address conflicts occur when dynamically assigned IP addresses have been statically configured for other hosts. After you modify the address pool configuration, the conflicted addresses might become assignable. To assign these addresses, use the reset dhcp server conflict command to clear the conflict information first.

Examples

# Clear all IP address conflict information.

<Sysname> reset dhcp server conflict

Related commands

display dhcp server conflict

reset dhcp server expired

Use reset dhcp server expired to clear binding information about expired IP addresses.

Syntax

reset dhcp server expired [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Views

User view

Predefined user roles

network-admin

Parameters

ip ip-address: Clears binding information about the specified expired IP address. If you do not specify an IP address, this command clears binding information about all expired IP addresses.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To clear lease expiration information about IP addresses on the public network, do not specify this option.

pool pool-name: Clears binding information about the expired IP addresses in the specified address pool. The pool name is a case-insensitive string of 1 to 63 characters. If you do not specify an address pool, this command clears binding information about expired IP addresses in all address pools.

Examples

# Clear binding information about all expired IP addresses.

<Sysname> reset dhcp server expired

Related commands

display dhcp server expired

reset dhcp server ip-in-use

Use reset dhcp server ip-in-use to clear binding information about assigned IP addresses.

Syntax

reset dhcp server ip-in-use [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Views

User view

Predefined user roles

network-admin

Parameters

ip ip-address: Clears binding information about the specified assigned IP address. If you do not specify an IP address, this command clears binding information about all assigned IP addresses.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To clear binding information on the public network, do not specify this option.

pool pool-name: Clears binding information about assigned IP addresses in the specified address pool. The pool name is a case-insensitive string of 1 to 63 characters. If you do not specify an address pool, this command clears binding information about assigned IP addresses in all address pools.

Usage guidelines

If you use this command to clear information about an assigned static binding, the static binding becomes an unassigned static binding.

Examples

# Clear binding information about the IP address 10.110.1.1.

<Sysname> reset dhcp server ip-in-use ip 10.110.1.1

Related commands

display dhcp server ip-in-use

reset dhcp server statistics

Use reset dhcp server statistics to clear DHCP server statistics.

Syntax

reset dhcp server statistics [ vpn-instance vpn-instance-name ]

Views

User view

Predefined user roles

network-admin

Parameters

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To clear DHCP server statistics for the public network, do not specify this option.

Examples

# Clear DHCP server statistics.

<Sysname> reset dhcp server statistics

Related commands

display dhcp server statistics

static-bind

Use static-bind to statically bind a client ID or MAC address to an IP address.

Use undo static-bind to remove a static binding.

Syntax

static-bind ip-address ip-address [ mask-length | mask mask ] { client-identifier client-identifier | hardware-address hardware-address [ ethernet | token-ring ] }

undo static-bind ip-address ip-address

Default

No static binding is specified in a DHCP address pool.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

ip-address ip-address: Specifies the IP address of the static binding. The natural mask is used if no mask length or mask is specified.

mask-length: Specifies the mask length in the range of 1 to 30.

mask mask: Specifies the mask, in dotted decimal format.

client-identifier client-identifier: Specifies the client ID of the static binding, a string of 4 to 254 characters. The string can contain only hexadecimal numbers and hyphens (-), in the format of H-H-H…. The last H can be a two-digit or four-digit hexadecimal number, and the other Hs must all be four-digit hexadecimal numbers. For example, aabb-cccc-dd is correct, and aabb-c-dddd and aabb-cc-dddd are not correct.

hardware-address hardware-address: Specifies the client hardware address of the static binding, a string of 4 to 39 characters. The string can contain only hexadecimal numbers and hyphens (-), in the format of H-H-H…. The last H can be a two-digit or four-digit hexadecimal number, and the other Hs must all be four-digit hexadecimal numbers. For example, aabb-cccc-dd is correct, and aabb-c-dddd and aabb-cc-dddd are not correct.

ethernet: Specifies the client hardware address type as Ethernet. The default type is Ethernet.

token-ring: Specifies the client hardware address type as token ring.

Usage guidelines

The IP address of a static binding must not be an interface address of the DHCP server. Otherwise, an IP address conflict occurs, and the bound client cannot obtain the IP address.

You can specify multiple static bindings in an address pool. The total number of static bindings in all address pools cannot exceed 8192.

An IP address can be bound to only one DHCP client. To modify the binding for a DHCP client, first execute the undo form of the command to delete the existing binding and then create a new binding.

Examples

# Bind the IP address 10.1.1.1/24 to the client ID 00aa-aabb in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] static-bind ip-address 10.1.1.1 mask 255.255.255.0 client-identifier 00aa-aabb

Related commands

display dhcp server pool

tftp-server domain-name

Use tftp-server domain-name to specify a TFTP server name in a DHCP address pool.

Use undo tftp-server domain-name to restore the default.

Syntax

tftp-server domain-name domain-name

undo tftp-server domain-name

Default

No TFTP server name is specified.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the TFTP server name, a case-sensitive string of 1 to 63 characters.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the TFTP server name aaa in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] tftp-server domain-name aaa

Related commands

display dhcp server pool

tftp-server ip-address

tftp-server ip-address

Use tftp-server ip-address to specify a TFTP server address in a DHCP address pool.

Use undo tftp-server ip-address to restore the default.

Syntax

tftp-server ip-address ip-address

undo tftp-server ip-address

Default

No TFTP server address is specified.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of a TFTP server.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the TFTP server address 10.1.1.1 in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] tftp-server ip-address 10.1.1.1

Related commands

display dhcp server pool

tftp-server domain-name

valid class

Use valid class to add DHCP user classes to the whitelist.

Use undo valid class to remove DHCP user classes from the whitelist.

Syntax

valid class class-name&<1-8>

undo valid class class-name&<1-8>

Default

No DHCP user class is listed on the whitelist.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

class-name&<1-8>: Specifies a space-separated list of up to eight DHCP user classes by their names, a case-insensitive string of 1 to 63 characters.

Usage guidelines

For this command to take effect, you must enable the DHCP user class whitelist.

Examples

# Add DHCP user classes test1 and test2 to the whitelist in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] valid class test1 test2

Related commands

dhcp class

verify class

verify class

Use verify class to enable the DHCP user class whitelist.

Use undo verify class to disable the DHCP user class whitelist.

Syntax

verify class

undo verify class

Default

The DHCP user class whitelist is disabled.

Views

DHCP address pool view

Predefined user roles

network-admin

Usage guidelines

After you enable the DHCP user class whitelist, the DHCP server processes requests only from clients on the DHCP user class whitelist.

The DHCP user class whitelist does not take effect on clients that request static IP addresses, and the server always processes their requests.

Examples

# Enable the DHCP user class whitelist in DHCP address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] verify class

Related commands

valid class

voice-config

Use voice-config to configure the content for Option 184 in a DHCP address pool.

Use undo voice-config to remove the Option 184 content from a DHCP address pool.

Syntax

voice-config { as-ip ip-address | fail-over ip-address dialer-string | ncp-ip ip-address | voice-vlan vlan-id { disable | enable } }

undo voice-config [ as-ip | fail-over | ncp-ip | voice-vlan ]

Default

No Option 184 content is configured in a DHCP address pool.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

as-ip ip-address: Specifies the IP address of the backup network calling processor.

fail-over ip-address dialer-string: Specifies the failover IP address and dialer string. The dialer-string is a string of 1 to 39 characters. Valid characters are digits and asterisk (*).

ncp-ip ip-address: Specifies the IP address of the primary network calling processor.

voice-vlan vlan-id: Specifies the voice VLAN ID in the range of 2 to 4094.

·     disable: Disables the specified VLAN. DHCP clients will not take this VLAN as their voice VLAN.

·     enable: Enables the specified VLAN. DHCP clients will take this VLAN as their voice VLAN.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure Option 184 in DHCP address pool 0. The primary and backup network calling processors are at 10.1.1.1 and 10.2.2.2, respectively. The voice VLAN 3 is enabled. The failover IP address is 10.3.3.3. The dialer string is 99*.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] voice-config ncp-ip 10.1.1.1

[Sysname-dhcp-pool-0] voice-config as-ip 10.2.2.2

[Sysname-dhcp-pool-0] voice-config voice-vlan 3 enable

[Sysname-dhcp-pool-0] voice-config fail-over 10.3.3.3 99*

Related commands

display dhcp server pool

vpn-instance

Use vpn-instance to apply a DHCP address pool to a VPN instance.

Use undo vpn-instance to restore the default.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The DHCP address pool is not applied to any VPN instance.

Views

DHCP address pool view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters.

Usage guidelines

If a DHCP address pool is applied to a VPN instance, the DHCP server assigns IP addresses in this address pool to clients in the specified VPN instance.

The DHCP server identifies the VPN instance to which a DHCP client belongs according to the following information:

·     The client's VPN information stored in authentication modules.

·     The VPN information of the DHCP server's interface that receives DHCP packets from the client.

The VPN information from authentication modules takes priority over the VPN information of the receiving interface.

Examples

# Apply address pool 0 to VPN instance abc.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] vpn-instance abc

DHCP relay agent commands

dhcp relay check mac-address

Use dhcp relay check mac-address to enable MAC address check on the relay agent.

Use undo dhcp relay check mac-address to disable MAC address check on the relay agent.

Syntax

dhcp relay check mac-address

undo dhcp relay check mac-address

Default

The MAC address check feature is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

After you enable this feature, the DHCP relay agent processes a DHCP request as follows:

·     Directly forwards the DHCP request if the giaddr field is not zero.

·     Compares the chaddr field in the DHCP request with the source MAC address in the frame header if the giaddr field is zero. If they are the same, the DHCP relay agent forwards the request to the DHCP server. If they are not the same, the DHCP relay agent discards the request.

The MAC address check feature takes effect only when the dhcp select relay command has already been configured on the interface.

A DHCP relay agent changes the source MAC address of DHCP packets before sending them. You can enable MAC address check only on the DHCP relay agent directly connected to the DHCP clients.

Examples

# Enable MAC address check on the relay agent.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp relay check mac-address

Related commands

dhcp select relay

dhcp relay check mac-address aging-time

Use dhcp relay check mac-address aging-time to set the aging time for MAC address check entries on the DHCP relay agent.

Use undo dhcp relay check mac-address aging-time to restore the default.

Syntax

dhcp relay check mac-address aging-time time

undo dhcp relay check mac-address aging-time

Default

The aging time is 30 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time: Specifies the aging time for MAC address check entries, in the range of 30 to 600 seconds.

Usage guidelines

This command takes effect only after you execute the dhcp relay check mac-address command.

Examples

# Set the aging time to 60 seconds for MAC address check entries on the DHCP relay agent.

<Sysname> system-view

[Sysname] dhcp relay check mac-address aging-time 60
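The following Python model is an added example, not H3C code, of the rule described under dhcp relay check mac-address and of the aging of check entries set by dhcp relay check mac-address aging-time. The function and class names are hypothetical, the frames are constructed test data, and the entry table is an assumed model of what display dhcp relay check mac-address lists; how the device treats a source while its entry ages is not described on this page.

```python
import socket
import struct

ETH_HDR = 14
BOOTP_FIXED = 236  # op .. file, before the magic cookie and options


def h3c_mac(mac: bytes) -> str:
    """Format six bytes as the command output does, e.g. 23f3-1122-adf1."""
    h = mac.hex()
    return "-".join(h[i:i + 4] for i in range(0, 12, 4))


def parse_dhcp_frame(frame: bytes):
    """Return (src_mac, giaddr, chaddr) from an untagged Ethernet/IPv4/UDP frame."""
    if len(frame) < ETH_HDR + 20 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an untagged IPv4 frame")
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    if ihl < 20 or frame[ETH_HDR + 9] != 17:
        raise ValueError("not UDP")
    udp = frame[ETH_HDR + ihl:]
    if len(udp) < 8 or struct.unpack("!H", udp[2:4])[0] != 67:
        raise ValueError("not addressed to the DHCP server port")
    bootp = udp[8:]
    if len(bootp) < BOOTP_FIXED:
        raise ValueError("truncated BOOTP header")
    if bootp[1] != 1 or bootp[2] != 6:  # htype Ethernet, hlen 6
        raise ValueError("chaddr is not an Ethernet address")
    # Ethernet source MAC, giaddr (offset 24), chaddr (offset 28, 6 bytes used)
    return frame[6:12], bootp[24:28], bootp[28:34]


def mac_check(frame: bytes):
    """Apply the rule from the usage guidelines; return (decision, src_mac)."""
    src_mac, giaddr, chaddr = parse_dhcp_frame(frame)
    if giaddr != bytes(4):
        return "forward", src_mac      # giaddr not zero: forwarded directly
    if chaddr == src_mac:
        return "forward", src_mac      # chaddr matches the frame header
    return "discard", src_mac          # mismatch: request is discarded


class MacCheckTable:
    """Assumed model of the entries listed by
    'display dhcp relay check mac-address': one entry per discarded source MAC
    and interface, removed when its aging time runs out."""

    def __init__(self, aging_time: int = 30):
        if not 30 <= aging_time <= 600:
            raise ValueError("aging time must be 30 to 600 seconds")
        self.aging_time = aging_time
        self._expiry = {}  # (mac string, interface) -> expiry time in seconds

    def process(self, frame: bytes, interface: str, now: float) -> str:
        decision, src_mac = mac_check(frame)
        if decision == "discard":
            self._expiry[(h3c_mac(src_mac), interface)] = now + self.aging_time
        return decision

    def rows(self, now: float):
        """Return (Source-MAC, Interface, remaining seconds) for live entries."""
        self._expiry = {k: t for k, t in self._expiry.items() if t > now}
        return [(mac, ifc, int(t - now))
                for (mac, ifc), t in sorted(self._expiry.items())]


def build_frame(src_mac: bytes, chaddr: bytes, giaddr: str = "0.0.0.0") -> bytes:
    """Construct a DHCP-DISCOVER test frame (constructed sample, checksums left 0)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s192s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), socket.inet_aton(giaddr),
                        chaddr, bytes(192))
    bootp += b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"  # cookie, option 53, End
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp), 0, 0,
                     64, 17, 0, bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip + udp + bootp


if __name__ == "__main__":
    port_mac = bytes.fromhex("23f31122adf1")   # MAC taken from the sample output
    other = bytes.fromhex("00e000000001")      # constructed chaddr value
    table = MacCheckTable(aging_time=60)
    print(table.process(build_frame(port_mac, port_mac), "GE1/0/1", now=0))
    print(table.process(build_frame(port_mac, other), "GE1/0/1", now=0))
    print(table.process(build_frame(port_mac, other, "10.1.1.1"), "GE1/0/1", now=0))
    print(table.rows(now=10))
```

The third frame shows why the check belongs only on the relay agent directly connected to the clients: once giaddr is set, the request is forwarded without comparing chaddr to the frame's source MAC.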

dhcp relay client-information record

Use dhcp relay client-information record to enable recording client information in relay entries.

Use undo dhcp relay client-information record to disable the feature.

Syntax

dhcp relay client-information record

undo dhcp relay client-information record

Default

The DHCP relay agent does not record client information in relay entries.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Client information is recorded only when the DHCP relay agent is configured on the gateway of DHCP clients. A relay entry contains information about a client such as the client's IP and MAC addresses.

Disabling recording of client information deletes all recorded relay entries.

Examples

# Enable recording of relay entries on the relay agent.

<Sysname> system-view

[Sysname] dhcp relay client-information record

Related commands

dhcp relay client-information refresh

dhcp relay client-information refresh enable

dhcp relay client-information refresh

Use dhcp relay client-information refresh to set the interval at which the DHCP relay agent refreshes relay entries.

Use undo dhcp relay client-information refresh to restore the default.

Syntax

dhcp relay client-information refresh [ auto | interval interval ]

undo dhcp relay client-information refresh

Default

The refresh interval is automatically calculated based on the number of relay entries.

Views

System view

Predefined user roles

network-admin

Parameters

auto: Automatically calculates the refresh interval. The more entries there are, the shorter the refresh interval. The shortest interval is 50 ms.

interval interval: Specifies the refresh interval in the range of 1 to 120 seconds.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the refresh interval to 100 seconds.

<Sysname> system-view

[Sysname] dhcp relay client-information refresh interval 100

Related commands

dhcp relay client-information record

dhcp relay client-information refresh enable

dhcp relay client-information refresh enable

Use dhcp relay client-information refresh enable to enable the DHCP relay agent to periodically refresh dynamic relay entries.

Use undo dhcp relay client-information refresh enable to disable periodic refresh of dynamic relay entries on the DHCP relay agent.

Syntax

dhcp relay client-information refresh enable

undo dhcp relay client-information refresh enable

Default

The DHCP relay agent periodically refreshes relay entries.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A DHCP client unicasts a DHCP-RELEASE message to the DHCP server to release its IP address. The DHCP relay agent conveys the message to the DHCP server and does not remove the IP-to-MAC entry of the client.

With this feature, the DHCP relay agent uses a client's IP address and the relay interface's MAC address to periodically send a DHCP-REQUEST message to the DHCP server.

·     If the server returns a DHCP-ACK message or does not return any message within an interval, the DHCP relay agent performs the following operations:

◦     Removes the relay entry.

◦     Sends a DHCP-RELEASE message to the DHCP server to release the IP address.

·     If the server returns a DHCP-NAK message, the relay agent keeps the entry.

With this feature disabled, the DHCP relay agent does not remove relay entries automatically. After a DHCP client releases its IP address, you must use the reset dhcp relay client-information command on the relay agent to remove the corresponding relay entry.

Examples

# Disable periodic refresh of relay entries.

<Sysname> system-view

[Sysname] undo dhcp relay client-information refresh enable

Related commands

dhcp relay client-information record

dhcp relay client-information refresh

reset dhcp relay client-information

dhcp relay forward reply by-option82

Use dhcp relay forward reply by-option82 to configure the DHCP relay agent to forward DHCP replies based on Option 82.

Use undo dhcp relay forward reply by-option82 to restore the default.

Syntax

dhcp relay forward reply by-option82

undo dhcp relay forward reply by-option82

Default

The DHCP relay agent does not forward DHCP replies based on Option 82.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

This command takes effect only after you execute the dhcp relay information enable and dhcp relay information circuit-id commands.

Examples

# Configure the DHCP relay agent to forward DHCP replies based on Option 82.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp relay forward reply by-option82

Related commands

dhcp relay information circuit-id

dhcp relay information enable

dhcp relay gateway

Use dhcp relay gateway to specify a gateway address for DHCP clients on the DHCP relay interface.

Use undo dhcp relay gateway to restore the default.

Syntax

dhcp relay gateway ip-address

undo dhcp relay gateway

Default

The primary IP address of the DHCP relay interface is used as the gateway address for DHCP clients.

Views

Interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies a gateway address. The IP address must be the IP address of the relay interface.

Usage guidelines

The DHCP relay agent uses the specified IP address instead of the primary IP address of the relay interface as the gateway address for DHCP clients.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify 10.1.1.1 as the gateway address for DHCP clients on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp relay gateway 10.1.1.1

Related commands

gateway-list

dhcp relay information circuit-id

Use dhcp relay information circuit-id to configure the padding mode and padding format for the Circuit ID sub-option of Option 82.

Use undo dhcp relay information circuit-id to restore the default.

Syntax

dhcp relay information circuit-id { bas [ sub-interface-vlan ] | string circuit-id | { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] [ interface ] } [ sub-interface-vlan ] [ format { ascii | hex } ] }

undo dhcp relay information circuit-id

Default

The padding mode is normal and the padding format is hex.

Views

Interface view

Predefined user roles

network-admin

Parameters

bas: Specifies the bas mode that uses the interface and VLAN information to pad the Circuit ID sub-option.

sub-interface-vlan: Specifies the VLAN ID of the L2VE subinterface as the content for the Circuit ID sub-option. If you do not specify this keyword, the VLAN ID of the interface on which you configure this command is written to the sub-option. This keyword is available only for L3VE interfaces.

string circuit-id: Specifies the string mode that uses a case-sensitive string of 3 to 63 characters as the content of the Circuit ID sub-option.

normal: Specifies the normal mode, in which the padding content consists of the VLAN ID and port number.

verbose: Specifies the verbose mode. The padding content includes the node identifier, interface information, and VLAN ID. The default node identifier is the MAC address of the access node. The default interface information consists of the Ethernet type (fixed to eth), chassis number, slot number, sub-slot number, and interface number.

node-identifier { mac | sysname | user-defined node-identifier }: Specifies the access node identifier.

·     mac: Uses the MAC address of the access node as the node identifier.

·     sysname: Uses the device name as the node identifier. You can set the device name by using the sysname command in system view. The padding format for the device name is always ASCII regardless of the specified padding format.

NOTE:

If sysname is used as the node identifier, do not include any spaces when you set the device name. Otherwise, the DHCP relay agent fails to add or replace Option 82.

·     user-defined node-identifier: Uses a case-sensitive string of 1 to 50 characters as the node identifier. The padding format for the specified character string is always ASCII regardless of the specified padding format.

interface: Uses the interface name as the interface information. The padding format for the interface name is always ASCII regardless of the specified padding format.

format: Specifies the padding format for the Circuit ID sub-option.

ascii: Specifies the ASCII padding format.

hex: Specifies the hex padding format.

Usage guidelines

The Circuit ID sub-option cannot carry information about interface splitting or subinterfaces. For more information about interface splitting and subinterfaces, see Interface Configuration Guide.

If you execute this command multiple times, the most recent configuration takes effect.

The padding format for the normal mode or the verbose mode varies by command configuration. Table 14 shows how the padding format is determined for different modes.

Table 14 Padding format for different modes

| Keyword (mode) | If no padding format is set | If the padding format is ascii | If the padding format is hex |
| --- | --- | --- | --- |
| normal | Hex. | ASCII. | Hex. |
| verbose | Hex for the VLAN ID. ASCII for the node identifier, Ethernet type, chassis number, slot number, sub-slot number, and interface number. | ASCII. | ASCII for the node identifier and Ethernet type. Hex for the chassis number, slot number, sub-slot number, interface number, and VLAN ID. |

Examples

# Specify the content mode as verbose, node identifier as the device name, and the padding format as ASCII for the Circuit ID sub-option.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp relay information enable

[Sysname-GigabitEthernet1/0/1] dhcp relay information strategy replace

[Sysname-GigabitEthernet1/0/1] dhcp relay information circuit-id verbose node-identifier sysname format ascii

Related commands

dhcp relay forward reply by-option82

dhcp relay information enable

dhcp relay information strategy

display dhcp relay information

dhcp relay information enable

Use dhcp relay information enable to enable the DHCP relay agent to support Option 82.

Use undo dhcp relay information enable to disable Option 82 support.

Syntax

dhcp relay information enable

undo dhcp relay information enable

Default

The DHCP relay agent does not support Option 82.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

This command enables the DHCP relay agent to add Option 82 to DHCP requests that do not contain Option 82 before forwarding the requests to the DHCP server. The content of Option 82 is determined by the dhcp relay information circuit-id and dhcp relay information remote-id commands. If the DHCP requests contain Option 82, the relay agent handles the requests according to the strategy configured with the dhcp relay information strategy command.

If this feature is disabled, the relay agent forwards requests to the DHCP server regardless of whether they contain Option 82.

Examples

# Enable Option 82 support on the relay agent.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp relay information enable

Related commands

dhcp relay forward reply by-option82

dhcp relay information circuit-id

dhcp relay information remote-id

dhcp relay information strategy

display dhcp relay information

dhcp relay information remote-id

Use dhcp relay information remote-id to configure the padding mode and padding format for the Remote ID sub-option of Option 82.

Use undo dhcp relay information remote-id to restore the default.

Syntax

dhcp relay information remote-id { normal [ format { ascii | hex } ] | string remote-id | sysname }

undo dhcp relay information remote-id

Default

The padding mode is normal and the padding format is hex.

Views

Interface view

Predefined user roles

network-admin

Parameters

normal: Specifies the normal mode in which the padding content is the MAC address of the receiving interface.

format: Specifies the padding format for the Remote ID sub-option. The default padding format is hex.

ascii: Specifies the ASCII padding format.

hex: Specifies the hex padding format.

string remote-id: Specifies the string mode that uses a case-sensitive string of 1 to 63 characters as the content of the Remote ID sub-option.

sysname: Specifies the sysname mode that uses the device name as the content of the Remote ID sub-option. You can set the device name by using the sysname command.

Usage guidelines

The padding format for the specified character string (string) or the device name (sysname) is always ASCII. The padding format for the normal mode is determined by the command.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the padding content for the Remote ID sub-option of Option 82 as device001.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp relay information enable

[Sysname-GigabitEthernet1/0/1] dhcp relay information strategy replace

[Sysname-GigabitEthernet1/0/1] dhcp relay information remote-id string device001

Related commands

dhcp relay information enable

dhcp relay information strategy

display dhcp relay information

dhcp relay information strategy

Use dhcp relay information strategy to configure the strategy for the DHCP relay agent to handle messages containing Option 82.

Use undo dhcp relay information strategy to restore the default handling strategy.

Syntax

dhcp relay information strategy { drop | keep | replace }

undo dhcp relay information strategy

Default

The handling strategy for messages that contain Option 82 is replace.

Views

Interface view

Predefined user roles

network-admin

Parameters

drop: Drops DHCP messages that contain Option 82.

keep: Keeps the original Option 82 intact and forwards the DHCP messages.

replace: Replaces the original Option 82 with the configured Option 82 before forwarding the DHCP messages.

Usage guidelines

This command takes effect only on DHCP requests that contain Option 82.

For DHCP requests that do not contain Option 82, the DHCP relay agent always adds Option 82 to the requests before forwarding the requests to the DHCP server.

If the handling strategy is replace, configure a padding mode and padding format for Option 82. If the handling strategy is keep or drop, you do not need to configure any padding mode or padding format. The settings do not take effect even if you configure them.

Examples

# Specify the handling strategy for Option 82 as keep.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp relay information enable

[Sysname-GigabitEthernet1/0/1] dhcp relay information strategy keep

Related commands

dhcp relay forward reply by-option82

dhcp relay information enable

display dhcp relay information
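The following Python model is an added example, not H3C code, of how dhcp relay information enable and dhcp relay information strategy combine when a request arrives with or without Option 82. It assumes string-mode padding for both sub-options (values vlan100 and device001 as in the display dhcp relay information sample), the sub-option codes 1 and 2 from RFC 3046, and that the configured content is used whenever Option 82 is added; function names and the client-supplied value client1 are hypothetical.

```python
from typing import List, Optional, Tuple

OPT_PAD, OPT_RELAY_INFO, OPT_END = 0, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2   # sub-option codes from RFC 3046


def parse_tlvs(data: bytes, dhcp_level: bool = True) -> List[Tuple[int, bytes]]:
    """Parse code/length/value triples; at DHCP level honour Pad (0) and End (255)."""
    out, i = [], 0
    while i < len(data):
        code = data[i]
        if dhcp_level and code == OPT_PAD:
            i += 1
            continue
        if dhcp_level and code == OPT_END:
            break
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % code)
        length = data[i + 1]
        out.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def encode_options(opts) -> bytes:
    """Serialize (code, value) pairs and terminate with the End option."""
    body = b"".join(bytes([c, len(v)]) + v for c, v in opts)
    return body + bytes([OPT_END])


def build_option82(circuit_id: str, remote_id: str) -> bytes:
    """Option 82 value for string-mode padding; string content is always ASCII."""
    if not 3 <= len(circuit_id) <= 63:
        raise ValueError("circuit-id string must be 3 to 63 characters")
    if not 1 <= len(remote_id) <= 63:
        raise ValueError("remote-id string must be 1 to 63 characters")
    cid, rid = circuit_id.encode("ascii"), remote_id.encode("ascii")
    return (bytes([SUB_CIRCUIT_ID, len(cid)]) + cid +
            bytes([SUB_REMOTE_ID, len(rid)]) + rid)


def relay_request(options: bytes, enabled: bool, strategy: str,
                  circuit_id: str, remote_id: str) -> Optional[bytes]:
    """Return the options field to forward, or None when the request is dropped."""
    if strategy not in ("drop", "keep", "replace"):
        raise ValueError("unknown strategy")
    if not enabled:
        return options                 # Option 82 support off: forward as received
    opts = parse_tlvs(options)
    has82 = any(c == OPT_RELAY_INFO for c, _ in opts)
    if has82 and strategy == "drop":
        return None                    # request carrying Option 82 is dropped
    if has82 and strategy == "keep":
        return options                 # original Option 82 left intact
    # No Option 82 (always added) or strategy replace: use the configured content.
    rest = [(c, v) for c, v in opts if c != OPT_RELAY_INFO]
    rest.append((OPT_RELAY_INFO, build_option82(circuit_id, remote_id)))
    return encode_options(rest)


def option82_of(options: Optional[bytes]):
    """Decode Option 82 sub-options as {code: text}, or None if absent or dropped."""
    if options is None:
        return None
    for code, value in parse_tlvs(options):
        if code == OPT_RELAY_INFO:
            return {c: v.decode("ascii")
                    for c, v in parse_tlvs(value, dhcp_level=False)}
    return None


# Constructed option fields: DHCP-DISCOVER with a client ID, and one that
# already carries a client-supplied Option 82 (Circuit ID "client1").
PLAIN = bytes([53, 1, 1]) + bytes([61, 7, 1]) + bytes.fromhex("00e000000001") + b"\xff"
TAGGED = bytes([53, 1, 1]) + bytes([82, 9, 1, 7]) + b"client1" + b"\xff"

if __name__ == "__main__":
    for strategy in ("drop", "keep", "replace"):
        for name, req in (("plain", PLAIN), ("tagged", TAGGED)):
            out = relay_request(req, True, strategy, "vlan100", "device001")
            print(strategy, name, option82_of(out))
```

With keep, the client-supplied Circuit ID reaches the DHCP server unchanged, so any server policy keyed on Option 82 sees the value the client chose rather than the relay agent's.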

dhcp relay release ip

Use dhcp relay release ip to release a client IP address.

Syntax

dhcp relay release ip ip-address [ vpn-instance vpn-instance-name ]

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address to be released.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance of the IP address. The vpn-instance-name is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command releases the IP address in the public network.

Usage guidelines

After you execute this command, the relay agent sends a DHCP-RELEASE packet to the DHCP server and removes the relay entry of the IP address. Upon receiving the packet, the server removes binding information about the specified IP address to release the IP address.

Examples

# Release the IP address 1.1.1.1.

<Sysname> system-view

[Sysname] dhcp relay release ip 1.1.1.1

dhcp relay server-address

Use dhcp relay server-address to specify DHCP servers on the DHCP relay agent.

Use undo dhcp relay server-address to remove DHCP servers.

Syntax

dhcp relay server-address ip-address

undo dhcp relay server-address [ ip-address ]

Default

No DHCP server is specified on the DHCP relay agent.

Views

Interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of a DHCP server. The DHCP relay agent forwards DHCP packets received from DHCP clients to this DHCP server.

Usage guidelines

The specified IP address of the DHCP server must not reside on the same subnet as the IP address of the DHCP relay agent interface. Otherwise, the DHCP clients might fail to obtain IP addresses.

You can specify a maximum of eight DHCP servers on an interface. The DHCP relay agent forwards the packets from the clients to all the specified DHCP servers.

If you do not specify an IP address, the undo dhcp relay server-address command removes all DHCP servers on the interface.

Examples

# Specify the DHCP server 1.1.1.1 on the relay agent interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp relay server-address 1.1.1.1

Related commands

dhcp select relay

display dhcp relay interface

dhcp relay source-address

Use dhcp relay source-address to specify the source IP address for relayed DHCP requests.

Use undo dhcp relay source-address to restore the default.

Syntax

dhcp relay source-address { ip-address | gateway | relay-interface }

undo dhcp relay source-address

Default

The DHCP relay agent uses the IP address of the interface that connects to the DHCP server as the source IP address for relayed DHCP requests.

Views

Interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the source IP address for relayed DHCP requests.

gateway: Uses the IP address in the giaddr field as the source IP address of the relayed DHCP requests. If the giaddr field is empty, the relay agent follows the default rule to specify the source IP address for relayed DHCP requests.

relay-interface: Uses the primary IP address of the relay interface as the source IP address. If this interface does not have an IP address, the relay agent follows the default rule to specify the source IP address for relayed DHCP requests.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify 1.1.1.1 as the source IP address for relayed DHCP requests on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp relay source-address 1.1.1.1

dhcp smart-relay enable

Use dhcp smart-relay enable to enable the DHCP smart relay feature.

Use undo dhcp smart-relay enable to disable the DHCP smart relay feature.

Syntax

dhcp smart-relay enable

undo dhcp smart-relay enable

Default

The DHCP smart relay feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the smart relay feature on interfaces that are configured as the relay agent on the device.

The smart relay feature allows the relay agent to use secondary IP addresses as the gateway address when the DHCP server does not reply with a DHCP-OFFER message. Without this feature, the relay agent always uses the primary IP address as the gateway address.

Examples

# Enable the DHCP smart relay feature.

<Sysname> system-view

[Sysname] dhcp smart-relay enable

Related commands

dhcp select

gateway-list

display dhcp relay check mac-address

Use display dhcp relay check mac-address to display MAC address check entries on the relay agent.

Syntax

display dhcp relay check mac-address

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display MAC address check entries on the DHCP relay agent.

<Sysname> display dhcp relay check mac-address

Source-MAC        Interface                 Aging-time

23f3-1122-adf1    GE1/0/1                   10

23f3-1122-2230    GE1/0/2                   30

Table 15 Command output

| Field | Description |
| --- | --- |
| Source MAC | Source MAC address of the attacker. |
| Interface | Interface where the attack comes from. |
| Aging-time | Aging time of the MAC address check entry, in seconds. |

display dhcp relay client-information

Use display dhcp relay client-information to display relay entries on the relay agent.

Syntax

display dhcp relay client-information [ interface interface-type interface-number | ip ip-address [ vpn-instance vpn-instance-name ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Displays relay entries on the specified interface. If you do not specify an interface, this command displays relay entries on all interfaces.

ip ip-address: Displays the relay entry for the specified IP address. If you do not specify an IP address, this command displays relay entries for all IP addresses.

vpn-instance vpn-instance-name: Displays the relay entry for the specified IP address in the specified MPLS L3VPN instance. The vpn-instance-name is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays relay entries in the public network.

Usage guidelines

The DHCP relay agent records relay entries only when the dhcp relay client-information record command has been issued.

Examples

# Display all relay entries on the relay agent.

<Sysname> display dhcp relay client-information

Total number of client-information items: 2

Total number of dynamic items: 1

Total number of temporary items: 1

IP address       MAC address      Type        Interface            VPN name

10.1.1.1         00e0-0000-0001   Dynamic     GE1/0/1              VPN1

10.1.1.5         00e0-0000-0000   Temporary   Vlan2                VPN2

Table 16 Command output

| Field | Description |
| --- | --- |
| Total number of client-information items | Total number of relay entries. |
| Total number of dynamic items | Total number of dynamic relay entries. |
| Total number of temporary items | Total number of temporary relay entries. |
| IP address | IP address of the DHCP client. |
| MAC address | MAC address of the DHCP client. |
| Type | Relay entry type: Dynamic—The relay agent creates a dynamic relay entry upon receiving an ACK response from the DHCP server. Temporary—The relay agent creates a temporary relay entry upon receiving a REQUEST packet from a DHCP client. |
| Interface | Layer 3 interface connected to the DHCP client. N/A is displayed for relay entries without interface information. |
| VPN name | Name of the VPN instance to which the DHCP client belongs. If the DHCP client does not belong to any VPN, this field displays N/A. |

Related commands

dhcp relay client-information record

reset dhcp relay client-information

display dhcp relay information

Use display dhcp relay information to display Option 82 configuration information for the DHCP relay agent.

Syntax

display dhcp relay information [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Displays Option 82 configuration information for the specified interface. If you do not specify an interface, this command displays Option 82 configuration information about all interfaces.

Examples

# Display Option 82 configuration information for all interfaces.

<Sysname> display dhcp relay information

Interface: GigabitEthernet1/0/1

   Status: Enable

   Strategy: Replace

   Circuit ID Pattern: Verbose

   Remote ID Pattern: Sysname

   Circuit ID format: Undefined

   Remote ID format: ASCII

   Node identifier: aabbcc

Interface: GigabitEthernet1/0/2

   Status: Enable

   Strategy: Replace

   Circuit ID Pattern: User Defined

   Remote ID Pattern: User Defined

   Circuit ID format: ASCII

   Remote ID format: ASCII

   User defined:

   Circuit ID: vlan100

   Remote ID: device001

Table 17 Command output

| Field | Description |
|---|---|
| Interface | Interface name. |
| Status | Option 82 state: Enable—DHCP relay agent support for Option 82 is enabled; Disable—DHCP relay agent support for Option 82 is disabled. |
| Strategy | Handling strategy for request messages that contain Option 82: Drop, Keep, or Replace. |
| Circuit ID Pattern | Padding content mode of the Circuit ID sub-option: Verbose, Normal, or User Defined. |
| Remote ID Pattern | Padding content mode of the Remote ID sub-option: Sysname, Normal, or User Defined. |
| Circuit ID format-type | Padding format of the Circuit ID sub-option: ASCII, Hex, or Undefined. |
| Remote ID format-type | Padding format of the Remote ID sub-option: ASCII, Hex, or Undefined. |
| Node identifier | Access node identifier. |
| User defined | Content of the user-defined sub-options. |
| Circuit ID | User-defined content of the Circuit ID sub-option. |
| Remote ID | User-defined content of the Remote ID sub-option. |

display dhcp relay server-address

Use display dhcp relay server-address to display DHCP server addresses configured on an interface.

Syntax

display dhcp relay server-address [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Displays DHCP server addresses on the specified interface. If you do not specify an interface, this command displays DHCP server addresses on all interfaces.

Examples

# Display DHCP server addresses on all interfaces.

<Sysname> display dhcp relay server-address

Interface name                 Server IP address

GE1/0/1                        2.2.2.2

Table 18 Command output

| Field | Description |
|---|---|
| Interface name | Interface name. |
| Server IP address | DHCP server IP address. |

Related commands

dhcp relay server-address

display dhcp relay statistics

Use display dhcp relay statistics to display DHCP packet statistics on the DHCP relay agent.

Syntax

display dhcp relay statistics [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Displays DHCP packet statistics on the specified interface. If you do not specify an interface, this command displays all DHCP packet statistics on the DHCP relay agent.

Examples

# Display all DHCP packet statistics on the DHCP relay agent.

<Sysname> display dhcp relay statistics

DHCP packets dropped:                  0

DHCP packets received from clients:    0

   DHCPDISCOVER:                       0

   DHCPREQUEST:                        0

   DHCPINFORM:                         0

   DHCPRELEASE:                        0

   DHCPDECLINE:                        0

   BOOTPREQUEST:                       0

DHCP packets received from servers:    0

   DHCPOFFER:                          0

   DHCPACK:                            0

   DHCPNAK:                            0

   BOOTPREPLY:                         0

DHCP packets relayed to servers:       0

   DHCPDISCOVER:                       0

   DHCPREQUEST:                        0

   DHCPINFORM:                         0

   DHCPRELEASE:                        0

   DHCPDECLINE:                        0

   BOOTPREQUEST:                       0

DHCP packets relayed to clients:       0

   DHCPOFFER:                          0

   DHCPACK:                            0

   DHCPNAK:                            0

   BOOTPREPLY:                         0

DHCP packets sent to servers:          0

   DHCPDISCOVER:                       0

   DHCPREQUEST:                        0

   DHCPINFORM:                         0

   DHCPRELEASE:                        0

   DHCPDECLINE:                        0

   BOOTPREQUEST:                       0

DHCP packets sent to clients:          0

   DHCPOFFER:                          0

   DHCPACK:                            0

   DHCPNAK:                            0

   BOOTPREPLY:                         0

Related commands

reset dhcp relay statistics

gateway-list

Use gateway-list to specify a list of gateways for DHCP clients in the relay address pool.

Use undo gateway-list to remove the specified gateway addresses from a DHCP relay address pool.

Syntax

gateway-list ip-address&<1-64> [ export-route ]

undo gateway-list [ ip-address&<1-64> ] [ export-route ]

Default

No gateway address is specified in a DHCP relay address pool.

Views

DHCP relay address pool view

Predefined user roles

network-admin

Parameters

ip-address&<1-64>: Specifies a space-separated list of up to 64 addresses. Gateway IP addresses must reside on the same subnet as the IP addresses assigned to the DHCP clients.

export-route: Binds the gateways to the device's MAC address in the address management module. The ARP module will use the entry to reply to ARP requests from the DHCP clients. If you do not specify this keyword, the gateways will not be bound to the device's MAC address.

Usage guidelines

DHCP clients of the same access type can be classified into different types by their locations. In this case, the relay interface typically has no IP address configured. You can use the gateway-list command to specify the gateway for clients matching the same relay address pool and bind the gateway address to the device's MAC address.

Upon receiving a DHCP DISCOVER or REQUEST from a client that matches a relay address pool, the relay agent processes the packet as follows:

1.     Fills the giaddr field of the packet with the specified gateway address.

2.     Forwards the packet to all DHCP servers in the matching relay address pool.

The DHCP servers select an address pool according to the gateway address.

Examples

# Specify the gateway address 10.1.1.1 in DHCP relay address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] gateway-list 10.1.1.1

Related commands

dhcp smart-relay enable

remote-server

Use remote-server to specify a list of DHCP servers for a DHCP relay address pool.

Use undo remote-server to remove the configuration.

Syntax

remote-server ip-address&<1-8>

undo remote-server [ ip-address&<1-8> ]

Default

No DHCP server is specified for the DHCP relay address pool.

Views

DHCP relay address pool view

Predefined user roles

network-admin

Parameters

ip-address&<1-8>: Specifies a space-separated list of up to eight DHCP server addresses.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

If you do not specify a DHCP server address, the undo remote-server command removes all DHCP servers in the relay address pool.

Examples

# Specify DHCP server 10.1.1.1 for DHCP relay address pool 0.

<Sysname> system-view

[Sysname] dhcp server ip-pool 0

[Sysname-dhcp-pool-0] remote-server 10.1.1.1

reset dhcp relay client-information

Use reset dhcp relay client-information to clear relay entries on the DHCP relay agent.

Syntax

reset dhcp relay client-information [ interface interface-type interface-number | ip ip-address [ vpn-instance vpn-instance-name ] ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Clears relay entries on the specified interface. If you do not specify an interface, this command clears relay entries on all interfaces.

ip ip-address: Clears the relay entry for the specified IP address. If you do not specify an IP address, this command clears relay entries for all IP addresses.

vpn-instance vpn-instance-name: Clears the relay entry for the specified IP address in the specified MPLS L3VPN instance. The vpn-instance-name is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command clears the relay entry in the public network.

Examples

# Clear all relay entries on the DHCP relay agent.

<Sysname> reset dhcp relay client-information

Related commands

display dhcp relay client-information

reset dhcp relay statistics

Use reset dhcp relay statistics to clear relay agent statistics.

Syntax

reset dhcp relay statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears all DHCP relay agent statistics.

Examples

# Clear all DHCP relay agent statistics.

<Sysname> reset dhcp relay statistics

Related commands

display dhcp relay statistics

DHCP client commands

dhcp client dad enable

Use dhcp client dad enable to enable duplicate address detection.

Use undo dhcp client dad enable to disable duplicate address detection.

Syntax

dhcp client dad enable

undo dhcp client dad enable

Default

Duplicate address detection is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The DHCP client detects IP address conflicts through ARP packets. An attacker can act as the IP address owner and send an ARP reply, which makes the client unable to use the IP address assigned by the server. As a best practice, disable duplicate address detection when ARP attacks exist on the network.

Examples

# Disable duplicate address detection.

<Sysname> system-view

[Sysname] undo dhcp client dad enable

dhcp client dscp

Use dhcp client dscp to set the DSCP value for DHCP packets sent by the DHCP client.

Use undo dhcp client dscp to restore the default.

Syntax

dhcp client dscp dscp-value

undo dhcp client dscp

Default

The DSCP value is 56 in DHCP packets sent by the DHCP client.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Sets the DSCP value for DHCP packets, in the range of 0 to 63.

Usage guidelines

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

Examples

# Set the DSCP value to 30 for DHCP packets sent by the DHCP client.

<Sysname> system-view

[Sysname] dhcp client dscp 30

dhcp client identifier

Use dhcp client identifier to configure a DHCP client ID for an interface.

Use undo dhcp client identifier to restore the default.

Syntax

dhcp client identifier { ascii ascii-string | hex hex-string | mac interface-type interface-number }

undo dhcp client identifier

Default

An interface generates the DHCP client ID based on its MAC address. If the interface has no MAC address, it uses the MAC address of the first Ethernet interface to generate its client ID.

Views

Interface view

Predefined user roles

network-admin

Parameters

ascii ascii-string: Specifies a case-sensitive ASCII string of 1 to 63 characters as the client ID.

hex hex-string: Specifies a hexadecimal string of 4 to 64 characters as the client ID.

mac interface-type interface-number: Uses the MAC address of the specified interface as a DHCP client ID. The interface-type interface-number argument specifies an interface by its type and number.

Usage guidelines

The DHCP client ID is carried in DHCP Option 61. A DHCP server can specify IP addresses for clients based on the DHCP client ID. You can specify a DHCP client ID by performing one of the following operations:

·     Specifying an ASCII string or hexadecimal string as the client ID.

·     Using the MAC address of an interface to generate a client ID.

Whichever method you use, make sure the IDs for different DHCP clients are unique.

Examples

# Use the MAC address of GigabitEthernet 1/0/2 as the DHCP client ID for GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp client identifier mac gigabitethernet 1/0/2

Related commands

display dhcp client

display dhcp client

Use display dhcp client to display DHCP client information.

Syntax

display dhcp client [ verbose ] [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

verbose: Displays detailed DHCP client information. If you do not specify this keyword, the command displays summary DHCP client information.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays DHCP client information on all interfaces.

Examples

# Display DHCP client information on all interfaces.

<Sysname> display dhcp client

GigabitEthernet1/0/1 DHCP client information:

 Current state: BOUND

 Allocated IP: 40.1.1.20 255.255.255.0

 Allocated lease: 259200 seconds, T1: 129600 seconds, T2: 226800 seconds

 DHCP server: 40.1.1.2

# Display verbose DHCP client information on all interfaces.

<Sysname> display dhcp client verbose

GigabitEthernet1/0/1 DHCP client information:

 Current state: BOUND

 Allocated IP: 40.1.1.20 255.255.255.0

 Allocated lease: 259200 seconds, T1: 129600 seconds, T2: 226800 seconds

 Lease from May 21 19:00:29 2012   to   May 31 19:00:29 2012

 DHCP server: 40.1.1.2

 Transaction ID: 0x1c09322d

 Default router: 40.1.1.2

Classless static routes:

   Destination: 1.1.0.1, Mask: 255.0.0.0, NextHop: 192.168.40.16

   Destination: 10.198.122.63, Mask: 255.255.255.255, NextHop: 192.168.40.16

 DNS servers: 44.1.1.11 44.1.1.12

 Domain name: ddd.com

 Boot servers: 200.200.200.200  1.1.1.1

 ACS parameter:

   URL: http://192.168.1.1:7547/acs

   Username: bims

   Password: ******

 Client ID type: acsii(type value=00)

 Client ID value: 000c.29d3.8659-GE1/0/1

 Client ID (with type) hex: 0030-3030-632e-3239-

                            6433-2e38-3635-392d-

                            4574-6830-2f30-2f32

 T1 will timeout in 1 day 11 hours 58 minutes 52 seconds.

Table 19 Command output

| Field | Description |
|---|---|
| DHCP client information | Information about the interface that acts as the DHCP client. |
| Current state | Current state of the DHCP client: HALT—The client stops applying for an IP address; INIT—The initialization state; SELECTING—The client has sent out a DHCP-DISCOVER message in search of a DHCP server and is waiting for the response from DHCP servers; REQUESTING—The client has sent out a DHCP-REQUEST message requesting an IP address and is waiting for the response from DHCP servers; BOUND—The client has received the DHCP-ACK message from a DHCP server and obtained an IP address successfully; RENEWING—The T1 timer expires; REBOUNDING—The T2 timer expires. |
| Allocated IP | IP address allocated by the DHCP server. |
| Allocated lease | Allocated lease time. |
| T1 | 1/2 lease time (in seconds) of the DHCP client IP address. |
| T2 | 7/8 lease time (in seconds) of the DHCP client IP address. |
| Lease from….to…. | Start and end time of the lease. |
| DHCP server | DHCP server IP address that assigned the IP address. |
| Transaction ID | Transaction ID, a random number chosen by the client to identify an IP address allocation. |
| Default router | Gateway address assigned to the client. |
| Classless static routes | Classless static routes assigned to the client. |
| Static routes | Classful static routes assigned to the client. |
| DNS servers | DNS server address assigned to the client. |
| Domain name | Domain name suffix assigned to the client. |
| Boot servers | PXE server addresses (up to 16 addresses) specified for the DHCP client, which are obtained through Option 43. |
| ACS parameter | Parameters about the ACS. |
| URL | URL of the ACS. |
| Username | Username for logging in to the ACS. |
| Password | Password for logging in to the ACS. If a password is configured, this field displays ******. If no password is configured, this field is not displayed. |
| Client ID type | DHCP client ID type: if an ASCII string is used as the client ID value, the type value is 00; if the MAC address of a specific interface is used as the client ID value, the type value is 01; if a hexadecimal string is used as the client ID value, the type value is the first two characters in the string. |
| Client ID value | Value of the DHCP client ID. |
| Client ID (with type) hex | DHCP client ID with the type field, a hexadecimal string. |
| T1 will timeout in 1 day 11 hours 58 minutes 52 seconds. | Time remaining before the T1 (1/2 lease time) timer expires. |

Related commands

dhcp client identifier

ip address dhcp-alloc

ip address dhcp-alloc

Use ip address dhcp-alloc to configure an interface to use DHCP for IP address acquisition.

Use undo ip address dhcp-alloc to stop an interface from using DHCP.

Syntax

ip address dhcp-alloc

undo ip address dhcp-alloc

Default

An interface does not use DHCP for IP address acquisition.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

When you execute the undo ip address dhcp-alloc command, the interface sends a DHCP-RELEASE message to release the IP address obtained through DHCP. If the interface is down, the message cannot be sent out. This situation can occur when a subinterface obtained an IP address through DHCP, and the shutdown command is executed on its primary interface. The subinterface will fail to send a DHCP-RELEASE message.

Examples

# Configure interface GigabitEthernet 1/0/1 to use DHCP for IP address acquisition.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ip address dhcp-alloc

Related commands

display dhcp client

DHCP snooping commands

DHCP snooping works between the DHCP client and the DHCP server or between the DHCP client and the relay agent. DHCP snooping does not work between the DHCP server and the DHCP relay agent.

The following matrix shows the feature and hardware compatibility:

 

| Hardware | DHCP snooping compatibility |
|---|---|
| MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/MSR810-W-LM-HK | Yes |
| MSR810-LMS/810-LUS | No |
| MSR2600-6-X1/2600-10-X1 | Yes |
| MSR 2630 | Yes |
| MSR3600-28/3600-51 | Yes |
| MSR3600-28-SI/3600-51-SI | Yes |
| MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes |
| MSR 3610/3620/3620-DP/3640/3660 | Yes |
| MSR 5620/5660/5680 | Yes |

dhcp snooping binding database filename

Use dhcp snooping binding database filename to configure the DHCP snooping device to back up DHCP snooping entries to a file.

Use undo dhcp snooping binding database filename to restore the default.

Syntax

dhcp snooping binding database filename { filename | url url [ username username [ password { cipher | simple } string ] ] }

undo dhcp snooping binding database filename

Default

The DHCP snooping device does not back up DHCP snooping entries.

Views

System view

Predefined user roles

network-admin

Parameters

filename: Specifies the name of a local backup file. For information about the filename argument, see Fundamentals Configuration Guide.

url url: Specifies the URL of a remote backup file, a case-sensitive string of 1 to 255 characters. Do not include a username or password in the URL. Case sensitivity and the supported path format type vary by server.

username username: Specifies the username for accessing the URL of the remote backup file, a case-sensitive string of 1 to 32 characters. Do not specify this option if a username is not required for accessing the URL.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 32 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters. Do not specify this argument if a password is not required for accessing the URL of the remote backup file.

Usage guidelines

This command automatically creates the file if you specify a nonexistent file.

With this command executed, the DHCP snooping device backs up DHCP snooping entries immediately and runs auto backup. The DHCP snooping device, by default, waits 300 seconds after a DHCP snooping entry change to update the backup file. To change the waiting period, use the dhcp snooping binding database update interval command. If no DHCP snooping entry changes, the backup file is not updated.

As a best practice, back up the DHCP snooping entries to a remote file. If you use the local storage medium, the frequent erasing and writing might damage the medium and then cause the DHCP snooping device to malfunction.

When the file is on a remote device, follow these restrictions and guidelines to specify the URL, username, and password:

·     If the file is on an FTP server, enter the URL in the following format: ftp://server address:port/file path, where the port number is optional.

·     If the file is on a TFTP server, enter the URL in the following format: tftp://server address:port/file path, where the port number is optional.

·     The username and password must be the same as those configured on the FTP server. If the server authenticates only the username, the password can be omitted.

·     If the IP address of the server is an IPv6 address, enclose the address in a pair of brackets, for example, ftp://[1::1]/database.dhcp.

·     You can also specify the DNS domain name for the server address field, for example, ftp://company/database.dhcp.

Examples

# Configure the DHCP snooping device to back up DHCP snooping entries to the file database.dhcp.

<Sysname> system-view

[Sysname] dhcp snooping binding database filename database.dhcp

# Configure the DHCP snooping device to back up DHCP snooping entries to the file database.dhcp in the working directory of the FTP server at 10.1.1.1.

<Sysname> system-view

[Sysname] dhcp snooping binding database filename url ftp://10.1.1.1/database.dhcp username 1 password simple 1

# Configure the DHCP snooping device to back up DHCP snooping entries to the file database.dhcp in the working directory of the TFTP server at 10.1.1.1.

<Sysname> system-view

[Sysname] dhcp snooping binding database filename url tftp://10.1.1.1/database.dhcp

Related commands

dhcp snooping binding database update interval

dhcp snooping binding database update interval

Use dhcp snooping binding database update interval to set the waiting time for the DHCP snooping device to update the backup file after a DHCP snooping entry change.

Use undo dhcp snooping binding database update interval to restore the default.

Syntax

dhcp snooping binding database update interval interval

undo dhcp snooping binding database update interval

Default

The DHCP snooping device waits 300 seconds to update the backup file after a DHCP snooping entry change. If no DHCP snooping entry changes, the backup file is not updated.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the waiting time in seconds, in the range of 60 to 864000.

Usage guidelines

The waiting period starts when a DHCP snooping entry is learned, updated, or removed. The DHCP snooping device updates the backup file when the waiting period expires. All entries changed during the period are saved to the backup file.

The waiting time takes effect only after you configure the DHCP snooping entry auto backup by using the dhcp snooping binding database filename command.

Examples

# Set the waiting time to 600 seconds for the DHCP snooping device to update the backup file.

<Sysname> system-view

[Sysname] dhcp snooping binding database update interval 600

Related commands

dhcp snooping binding database filename

dhcp snooping binding database update now

Use dhcp snooping binding database update now to manually save DHCP snooping entries to the backup file.

Syntax

dhcp snooping binding database update now

Views

System view

Predefined user roles

network-admin

Usage guidelines

Each time this command is executed, the DHCP snooping entries are saved to the backup file.

This command takes effect only after you configure the DHCP snooping auto backup by using the dhcp snooping binding database filename command.

Examples

# Manually save DHCP snooping entries to the backup file.

<Sysname> system-view

[Sysname] dhcp snooping binding database update now

Related commands

dhcp snooping binding database filename

dhcp snooping binding record

Use dhcp snooping binding record to enable recording of client information in DHCP snooping entries.

Use undo dhcp snooping binding record to disable recording of client information in DHCP snooping entries.

Syntax

dhcp snooping binding record

undo dhcp snooping binding record

Default

DHCP snooping does not record client information.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

This command enables DHCP snooping on the port directly connected to the clients to record client information in DHCP snooping entries.

Examples

# Enable recording of client information in DHCP snooping entries on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping binding record

dhcp snooping check mac-address

Use dhcp snooping check mac-address to enable MAC address check for DHCP snooping.

Use undo dhcp snooping check mac-address to disable MAC address check for DHCP snooping.

Syntax

dhcp snooping check mac-address

undo dhcp snooping check mac-address

Default

MAC address check for DHCP snooping is disabled.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

With MAC address check enabled, DHCP snooping compares the chaddr field of a received DHCP request with the source MAC address field in the frame header. If they are the same, DHCP snooping considers this request valid and forwards it to the DHCP server. If they are not the same, DHCP snooping discards the DHCP request.

Examples

# Enable MAC address check for DHCP snooping.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping check mac-address

dhcp snooping check request-message

Use dhcp snooping check request-message to enable DHCP-REQUEST check for DHCP snooping.

Use undo dhcp snooping check request-message to disable DHCP-REQUEST check for DHCP snooping.

Syntax

dhcp snooping check request-message

undo dhcp snooping check request-message

Default

DHCP-REQUEST check for DHCP snooping is disabled.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

DHCP-REQUEST packets include lease renewal packets, DHCP-DECLINE packets, and DHCP-RELEASE packets. This feature prevents unauthorized clients that forge DHCP-REQUEST packets from attacking the DHCP server.

With this feature enabled, DHCP snooping looks for a matching DHCP snooping entry for each received DHCP-REQUEST message.

·     If a match is found, DHCP snooping compares the entry with the message. If they have consistent information, DHCP snooping considers the packet valid and forwards it to the DHCP server. If they have different information, DHCP snooping considers the message invalid and discards it.

·     If no match is found, DHCP snooping forwards the message to the DHCP server.

Examples

# Enable DHCP-REQUEST check for DHCP snooping.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping check request-message
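The MAC address check and the DHCP-REQUEST check described above, modeled in Python as an added example; this is not H3C code. Looking up a snooping entry by client MAC and comparing its IP address and ingress port is an assumption about what "consistent information" covers, and all function names and sample frames are constructed for illustration.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
CHECKED_TYPES = {3, 4, 7}    # option 53: DHCP-REQUEST, DHCP-DECLINE, DHCP-RELEASE


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_client_frame(frame):
    """Parse an untagged Ethernet II/IPv4/UDP client frame; None if it is not DHCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 17:
        return None
    udp = 14 + ihl
    if len(frame) < udp + 8 + 240:
        return None
    if struct.unpack("!HH", frame[udp:udp + 4]) != (68, 67):
        return None                            # only client-to-server traffic
    bootp = frame[udp + 8:]
    if bootp[1:3] != b"\x01\x06" or bootp[236:240] != MAGIC:
        return None
    msg = {
        "src_mac": mac_str(frame[6:12]),       # from the Ethernet header
        "chaddr": mac_str(bootp[28:34]),       # client hardware address in the payload
        "ciaddr": socket.inet_ntoa(bootp[12:16]),
        "type": None,
        "requested_ip": None,
    }
    i = 240
    while i + 1 < len(bootp) and bootp[i] != 255:
        if bootp[i] == 0:                      # pad option carries no length byte
            i += 1
            continue
        code, length = bootp[i], bootp[i + 1]
        value = bootp[i + 2:i + 2 + length]
        if len(value) != length:               # truncated option: stop, do not misread
            break
        if code == 53 and length == 1:
            msg["type"] = value[0]
        elif code == 50 and length == 4:
            msg["requested_ip"] = socket.inet_ntoa(value)
        i += 2 + length
    return msg


def snoop(frame, port, bindings, check_mac=False, check_request=False):
    """Return the forwarding decision for one frame received on `port`.

    Both checks default to off, as on the device. `bindings` maps a client MAC
    to (ip, port); matching on MAC and comparing IP and port is an assumption.
    """
    msg = parse_client_frame(frame)
    if msg is None:
        return "not a DHCP client message"
    if check_mac and msg["chaddr"] != msg["src_mac"]:
        return "drop: chaddr differs from source MAC"
    if check_request and msg["type"] in CHECKED_TYPES:
        entry = bindings.get(msg["chaddr"])
        if entry is not None:                  # no entry: forward to the server
            ip = msg["ciaddr"] if msg["ciaddr"] != "0.0.0.0" else msg["requested_ip"]
            if (ip, port) != entry:
                return "drop: inconsistent with snooping entry"
    return "forward"


def build_frame(src_mac, chaddr, msg_type, ciaddr="0.0.0.0", requested_ip=None):
    """Build a constructed sample frame (checksums are zero; the parser ignores them)."""
    opts = bytes([53, 1, msg_type])
    if requested_ip:
        opts += bytes([50, 4]) + socket.inet_aton(requested_ip)
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1C09322D, 0, 0,
                        socket.inet_aton(ciaddr), b"", b"", b"",
                        bytes.fromhex(chaddr.replace(":", "")), b"", b"")
    bootp += MAGIC + opts + b"\xff"
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp), 0, 0, 64,
                     17, 0, socket.inet_aton("0.0.0.0"), socket.inet_aton("255.255.255.255"))
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + udp + bootp


# Constructed sample data: one snooping entry and four frames.
BINDINGS = {"00:e0:00:00:00:01": ("10.1.1.1", "GE1/0/1")}
CLIENT, OTHER = "00:e0:00:00:00:01", "00:e0:00:00:00:99"
RENEWAL = build_frame(CLIENT, CLIENT, 3, ciaddr="10.1.1.1")
FORGED_CHADDR = build_frame(OTHER, CLIENT, 7, ciaddr="10.1.1.1")    # RELEASE, headers disagree
WRONG_IP = build_frame(CLIENT, CLIENT, 4, requested_ip="10.1.1.5")  # DECLINE for another address
NEW_CLIENT = build_frame(OTHER, OTHER, 3, requested_ip="10.1.1.9")  # no snooping entry yet

if __name__ == "__main__":
    for name, frame in [("renewal", RENEWAL), ("forged chaddr", FORGED_CHADDR),
                        ("wrong IP", WRONG_IP), ("new client", NEW_CLIENT)]:
        print(f"{name:14} {snoop(frame, 'GE1/0/1', BINDINGS, True, True)}")
```

With both checks left at their disabled defaults, the frame whose chaddr disagrees with its Ethernet source MAC is forwarded. A message from a client with no snooping entry is forwarded even when the DHCP-REQUEST check is on.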

dhcp snooping deny

Use dhcp snooping deny to configure a port as a DHCP packet blocking port.

Use undo dhcp snooping deny to restore the default.

Syntax

dhcp snooping deny

undo dhcp snooping deny

Default

A port does not block DHCP requests.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

A DHCP packet blocking port drops all incoming DHCP requests.

Examples

# Configure GigabitEthernet 1/0/1 as a DHCP packet blocking port.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping deny

dhcp snooping enable

Use dhcp snooping enable to enable DHCP snooping.

Use undo dhcp snooping enable to disable DHCP snooping.

Syntax

dhcp snooping enable

undo dhcp snooping enable

Default

DHCP snooping is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use the DHCP snooping feature together with trusted port configuration. Before trusted ports are configured, all ports on the DHCP snooping device are untrusted and the device discards all responses sent from DHCP servers.

When DHCP snooping is disabled, the device forwards all responses from DHCP servers.

Examples

# Enable DHCP snooping.

<Sysname> system-view

[Sysname] dhcp snooping enable

dhcp snooping information circuit-id

Use dhcp snooping information circuit-id to configure the padding mode and padding format for the Circuit ID sub-option.

Use undo dhcp snooping information circuit-id to restore the default.

Syntax

dhcp snooping information circuit-id { [ vlan vlan-id ] string circuit-id | { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } [ format { ascii | hex } ] }

undo dhcp snooping information circuit-id [ vlan vlan-id ]

Default

The padding mode is normal and the padding format is hex.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

vlan vlan-id: Pads the Circuit ID sub-option for packets received from the specified VLAN. If you do not specify a VLAN, the device pads the Circuit ID sub-option for packets received from the default VLAN.

string circuit-id: Specifies the string mode, in which the padding content for the Circuit ID sub-option is a case-sensitive string of 3 to 63 characters.

normal: Specifies the normal mode. The padding content includes the VLAN ID and interface number.

verbose: Specifies the verbose mode.

node-identifier { mac | sysname | user-defined node-identifier }: Specifies the access node identifier. The padding content includes the node identifier, Ethernet type (fixed to eth), chassis number, slot number, sub-slot number, interface number, and VLAN ID. The node identifier depends on which keyword is specified: mac, sysname, or user-defined.

·     mac: Uses the MAC address of the access node as the node identifier. It is the default node identifier.

·     sysname: Uses the device name as the node identifier. You can set the device name by using the sysname command in system view. The padding format for the device name is always ASCII regardless of the specified padding format.

NOTE: If sysname is used as the node identifier, do not include any spaces when you set the device name. Otherwise, the DHCP snooping device fails to add or replace Option 82.

·     user-defined node-identifier: Uses a case-sensitive string of 1 to 50 characters as the node identifier. The padding format for the specified character string is always ASCII regardless of the specified padding format.

format: Specifies the padding format for the Circuit ID sub-option.

ascii: Specifies the ASCII padding format.

hex: Specifies the hex padding format.

Usage guidelines

The Circuit ID sub-option cannot carry information about interface splitting or subinterfaces. For more information about interface splitting and subinterfaces, see Interface Configuration Guide.

If you execute this command multiple times, the most recent configuration takes effect.

The padding format for the user-defined string, the normal mode, or the verbose mode varies by command configuration. Table 20 shows how the padding format is determined for different modes.

Table 20 Padding format for different modes

| Keyword (mode) | If no padding format is set | If the padding format is ascii | If the padding format is hex |
|---|---|---|---|
| string circuit-id | You cannot set a padding format, and the padding format is always ASCII. | N/A | N/A |
| normal | Hex. | ASCII. | Hex. |
| verbose | Hex for the VLAN ID. ASCII for the node identifier, Ethernet type, chassis number, slot number, sub-slot number, and interface number. | ASCII. | ASCII for the node identifier and Ethernet type. Hex for the chassis number, slot number, sub-slot number, interface number, and VLAN ID. |

Examples

# Configure verbose as the padding mode, device name as the node identifier, and ASCII as the padding format for the Circuit ID sub-option.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping information enable

[Sysname-GigabitEthernet1/0/1] dhcp snooping information strategy replace

[Sysname-GigabitEthernet1/0/1] dhcp snooping information circuit-id verbose node-identifier sysname format ascii

Related commands

dhcp snooping information enable

dhcp snooping information strategy

display dhcp snooping information

dhcp snooping information enable

Use dhcp snooping information enable to enable DHCP snooping to support Option 82.

Use undo dhcp snooping information enable to disable this feature.

Syntax

dhcp snooping information enable

undo dhcp snooping information enable

Default

DHCP snooping does not support Option 82.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

This command enables DHCP snooping to add Option 82 into DHCP requests that do not contain Option 82 before forwarding the requests to the DHCP server. The content of Option 82 is determined by the dhcp snooping information circuit-id and dhcp snooping information remote-id commands. If the received DHCP request packets contain Option 82, DHCP snooping handles the packets according to the strategy configured with the dhcp snooping information strategy command.

If this feature is disabled, DHCP snooping forwards all requests to the DHCP server, whether or not they contain Option 82.

Examples

# Enable DHCP snooping to support Option 82.

<Sysname> system-view

[Sysname] interface gigabitethernet1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping information enable

Related commands

dhcp snooping information circuit-id

dhcp snooping information remote-id

dhcp snooping information strategy

dhcp snooping information remote-id

Use dhcp snooping information remote-id to configure the padding mode and padding format for the Remote ID sub-option.

Use undo dhcp snooping information remote-id to restore the default.

Syntax

dhcp snooping information remote-id { normal [ format { ascii | hex } ] | [ vlan vlan-id ] { string remote-id | sysname } }

undo dhcp snooping information remote-id [ vlan vlan-id ]

Default

The padding mode is normal and the padding format is hex.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

vlan vlan-id: Pads the Remote ID sub-option for packets received from the specified VLAN. If you do not specify a VLAN, the device pads the Remote ID sub-option for packets received from the default VLAN.

string remote-id: Specifies the string mode that uses a case-sensitive string of 1 to 63 characters as the content of the Remote ID sub-option.

sysname: Specifies the sysname mode that uses the device name as the Remote ID sub-option. You can configure the device name by using the sysname command in system view.

normal: Specifies the normal mode. The padding content is the MAC address of the receiving interface.

format: Specifies the padding format for the Remote ID sub-option. The default padding format is hex.

ascii: Specifies the ASCII padding format.

hex: Specifies the hex padding format.

Usage guidelines

DHCP snooping uses ASCII to pad the specified string or device name for the Remote ID sub-option. The padding format for the normal padding mode is determined by the command configuration.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Pad the Remote ID sub-option with the character string device001.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping information enable

[Sysname-GigabitEthernet1/0/1] dhcp snooping information strategy replace

[Sysname-GigabitEthernet1/0/1] dhcp snooping information remote-id string device001

Related commands

dhcp snooping information enable

dhcp snooping information strategy

display dhcp snooping information

dhcp snooping information strategy

Use dhcp snooping information strategy to configure the handling strategy for Option 82 in request messages.

Use undo dhcp snooping information strategy to restore the default.

Syntax

dhcp snooping information strategy { drop | keep | replace }

undo dhcp snooping information strategy

Default

The handling strategy for Option 82 in request messages is replace.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

drop: Drops DHCP messages that contain Option 82.

keep: Keeps the original Option 82 intact and forwards the DHCP messages.

replace: Replaces the original Option 82 with the configured Option 82 before forwarding the DHCP messages.

Usage guidelines

This command takes effect only on DHCP requests that contain Option 82. For DHCP requests that do not contain Option 82, the DHCP snooping device always adds Option 82 into the requests before forwarding them to the DHCP server.

If the handling strategy is replace, configure a padding mode and padding format for Option 82. If the handling strategy is keep or drop, you do not need to configure any padding mode or padding format for Option 82. The settings do not take effect even if you configure them.

Examples

# Specify the handling strategy for Option 82 in request messages as keep.

<Sysname> system-view

[Sysname] interface gigabitethernet1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping information enable

[Sysname-GigabitEthernet1/0/1] dhcp snooping information strategy keep

Related commands

dhcp snooping information circuit-id

dhcp snooping information remote-id
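The following Python model is an added example, not H3C code, that walks one request through the decisions described for dhcp snooping information enable and dhcp snooping information strategy. The option and sub-option codes come from RFC 3046, the inbound request is a constructed sample, and because the page does not show the byte layout of the normal and verbose padding modes, the caller passes in the Option 82 content the device would insert (built here in string mode).

```python
# Added example: models the Option 82 decisions described on this page.
# It is not H3C code. Option and sub-option codes are from RFC 3046.
OPT_PAD, OPT_END, OPT_RELAY_INFO = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_tlvs(raw, dhcp_framing):
    """Decode code/length/value triples into a list of (code, value).

    With dhcp_framing=True, Pad (0) is skipped and End (255) stops parsing,
    as in a DHCP options field. Option 82 payloads use plain TLVs.
    """
    items, i = [], 0
    while i < len(raw):
        code = raw[i]
        if dhcp_framing and code == OPT_END:
            break
        if dhcp_framing and code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(raw):
            raise ValueError("truncated header at offset %d" % i)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("code %d overruns the buffer" % code)
        items.append((code, bytes(value)))
        i += 2 + length
    return items


def build_options(opts):
    """Serialize (code, value) pairs and terminate with the End option."""
    out = bytearray()
    for code, value in opts:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def string_mode_option82(circuit_id, remote_id):
    """Option 82 payload for string mode, which always pads in ASCII."""
    if not 3 <= len(circuit_id) <= 63:
        raise ValueError("circuit-id string must be 3 to 63 characters")
    if not 1 <= len(remote_id) <= 63:
        raise ValueError("remote-id string must be 1 to 63 characters")
    cid, rid = circuit_id.encode("ascii"), remote_id.encode("ascii")
    return (bytes([SUB_CIRCUIT_ID, len(cid)]) + cid +
            bytes([SUB_REMOTE_ID, len(rid)]) + rid)


def handle_request(raw_options, strategy, device_opt82, enabled=True):
    """Return the options field that is forwarded, or None if dropped.

    device_opt82 is the payload this device would insert; choosing it from
    the padding settings is outside this model (assumption of the example).
    """
    if strategy not in ("drop", "keep", "replace"):
        raise ValueError("unknown strategy: %r" % strategy)
    if not enabled:
        # Option 82 support off: forwarded without any Option 82 handling.
        return bytes(raw_options)
    opts = parse_tlvs(raw_options, dhcp_framing=True)
    if any(code == OPT_RELAY_INFO for code, _ in opts):
        if strategy == "drop":
            return None
        if strategy == "keep":
            return bytes(raw_options)
        # replace: discard the Option 82 that arrived on the port.
        opts = [(c, v) for c, v in opts if c != OPT_RELAY_INFO]
    # Requests without Option 82 get one added regardless of strategy.
    opts.append((OPT_RELAY_INFO, device_opt82))
    return build_options(opts)


def option82_of(options):
    """Return {sub_code: value} for Option 82 in an options field, or None."""
    for code, value in parse_tlvs(options, dhcp_framing=True):
        if code == OPT_RELAY_INFO:
            return dict(parse_tlvs(value, dhcp_framing=False))
    return None


# Constructed sample: a DHCPDISCOVER (option 53 = 1) that reaches the port
# already carrying an Option 82 that this device did not write.
DEVICE_OPT82 = string_mode_option82("abcd", "device001")
INBOUND = build_options([
    (53, b"\x01"),
    (OPT_RELAY_INFO, string_mode_option82("not-this-port", "elsewhere")),
])

if __name__ == "__main__":
    for s in ("drop", "keep", "replace"):
        out = handle_request(INBOUND, s, DEVICE_OPT82)
        print(s, None if out is None else option82_of(out))
```

Under keep, the Circuit ID and Remote ID that arrived on the port are what the DHCP server sees, so any server policy keyed on Option 82 is only as reliable as the source of that value; the default, replace, overwrites it with the device's own content.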

dhcp snooping log enable

Use dhcp snooping log enable to enable DHCP snooping logging.

Use undo dhcp snooping log enable to disable DHCP snooping logging.

Syntax

dhcp snooping log enable

undo dhcp snooping log enable

Default

DHCP snooping logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the DHCP snooping device to generate DHCP snooping logs and send them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

As a best practice, disable this feature if the log generation affects the device performance.

Examples

# Enable DHCP snooping logging.

<Sysname> system-view

[Sysname] dhcp snooping log enable

dhcp snooping max-learning-num

Use dhcp snooping max-learning-num to set the maximum number of DHCP snooping entries that an interface can learn.

Use undo dhcp snooping max-learning-num to restore the default.

Syntax

dhcp snooping max-learning-num max-number

undo dhcp snooping max-learning-num

Default

The maximum number of DHCP snooping entries for an interface to learn is unlimited.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of DHCP snooping entries for an interface to learn. The value range is 1 to 4294967295.

Examples

# Allow the Layer 2 Ethernet interface GigabitEthernet 1/0/1 to learn a maximum of 10 DHCP snooping entries.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping max-learning-num 10

dhcp snooping trust

Use dhcp snooping trust to configure a port as a trusted port.

Use undo dhcp snooping trust to restore the default state of a port.

Syntax

dhcp snooping trust

undo dhcp snooping trust

Default

After you enable DHCP snooping, all ports are untrusted.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

Specify the ports facing the DHCP server as trusted ports and specify the other ports as untrusted ports so DHCP clients can obtain valid IP addresses.

Examples

# Specify the Layer 2 Ethernet interface GigabitEthernet 1/0/1 as a trusted port.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dhcp snooping trust

Related commands

display dhcp snooping trust

display dhcp snooping binding

Use display dhcp snooping binding to display DHCP snooping entries.

Syntax

display dhcp snooping binding [ ip ip-address [ vlan vlan-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip ip-address: Displays the DHCP snooping entry for the specified IP address. If you do not specify an IP address, this command displays DHCP snooping entries for all IP addresses.

vlan vlan-id: Specifies the VLAN ID where the IP address resides. If you do not specify a VLAN, this command displays DHCP snooping entries for the IP address in all VLANs.

Examples

# Display all DHCP snooping entries.

<Sysname> display dhcp snooping binding

 2 DHCP snooping entries found

 IP address      MAC address    Lease        VLAN  SVLAN Interface

 =============== ============== ============ ===== ===== =================

 1.1.1.7         0000-0101-0107 16907533     2     3     GE1/0/1

 1.1.1.11        0000-0101-010b 16907537     2     3     GE1/0/3

Table 21 Command output

| Field | Description |
|---|---|
| DHCP snooping entries found | Number of DHCP snooping entries. |
| IP address | IP address assigned to the DHCP client. |
| MAC address | MAC address of the DHCP client. |
| Lease | Remaining lease duration in seconds. |
| VLAN | When both DHCP snooping and QinQ are enabled or the DHCP packet contains two VLAN tags, this field identifies the outer VLAN tag. Otherwise, it identifies the VLAN where the port connecting the DHCP client resides. |
| SVLAN | When both DHCP snooping and QinQ are enabled or the DHCP packet contains two VLAN tags, this field identifies the inner VLAN tag. Otherwise, it displays N/A. |
| Interface | Port connected to the DHCP client. |

Related commands

dhcp snooping enable

reset dhcp snooping binding
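The following Python script is an added example, not part of the H3C documentation. It parses captured display dhcp snooping binding output and lists the ports that hold more entries than a limit you plan to set with dhcp snooping max-learning-num, which is unlimited by default. The capture is a constructed sample in the layout shown above, and the limit value is hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the layout of `display dhcp snooping binding`.
SAMPLE = """\
 4 DHCP snooping entries found
 IP address      MAC address    Lease        VLAN  SVLAN Interface
 =============== ============== ============ ===== ===== =================
 1.1.1.7         0000-0101-0107 16907533     2     3     GE1/0/1
 1.1.1.11        0000-0101-010b 16907537     2     N/A   GE1/0/3
 1.1.1.12        0000-0101-010c 86000        2     N/A   GE1/0/3
 1.1.1.13        0000-0101-010d 86010        2     N/A   GE1/0/3
"""


def parse_bindings(text):
    """Return one dict per entry; raise if the capture looks incomplete."""
    declared, rows, in_table = None, [], False
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"(\d+) DHCP snooping entries found$", line)
        if m:
            declared = int(m.group(1))
            continue
        if line.startswith("==="):
            in_table = True          # rows start after the separator line
            continue
        if not in_table or not line:
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError("unexpected row: %r" % line)
        ip, mac, lease, vlan, svlan, iface = fields
        rows.append({
            "ip": ip,
            "mac": mac.lower(),
            "lease": int(lease),                      # remaining seconds
            "vlan": int(vlan),
            "svlan": None if svlan == "N/A" else int(svlan),
            "interface": iface,
        })
    if declared is not None and declared != len(rows):
        raise ValueError("header reports %d entries, parsed %d"
                         % (declared, len(rows)))
    return rows


def ports_over_limit(rows, limit):
    """Map each interface holding more than `limit` entries to its count."""
    counts = Counter(r["interface"] for r in rows)
    return {port: n for port, n in sorted(counts.items()) if n > limit}


if __name__ == "__main__":
    entries = parse_bindings(SAMPLE)
    # Hypothetical planned limit of 2 entries per access port.
    for port, n in ports_over_limit(entries, 2).items():
        print("%s holds %d entries, above the planned limit" % (port, n))
```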

display dhcp snooping binding database

Use display dhcp snooping binding database to display information about DHCP snooping entry auto backup.

Syntax

display dhcp snooping binding database

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about DHCP snooping entry auto backup.

<Sysname> display dhcp snooping binding database

File name               :   database.dhcp

Username                :

Password                :

Update interval         :   600 seconds

Latest write time       :   Feb 27 18:48:04 2012

Status                  :   Last write succeeded.

Table 22 Command output

| Field | Description |
|---|---|
| File name | Name of the DHCP snooping entry backup file. |
| Username | Username for accessing the URL of the remote backup file. |
| Password | Password for accessing the URL of the remote backup file. This field displays ****** if a password is configured. |
| Update interval | Waiting time in seconds after a DHCP snooping entry change for the DHCP snooping device to update the backup file. |
| Latest write time | Time of the latest update. |
| Status | Status of the update. Writing: The backup file is being updated. Last write succeeded: The backup file was successfully updated. Last write failed: The backup file failed to be updated. |

display dhcp snooping information

Use display dhcp snooping information to display Option 82 configuration on the DHCP snooping device.

Syntax

display dhcp snooping information { all | interface interface-type interface-number }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays Option 82 configuration on all Layer 2 Ethernet interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

Examples

# Display Option 82 configuration on all interfaces.

<Sysname> display dhcp snooping information all

Interface: Bridge-Aggregation1

   Status: Disable

   Strategy: Drop

   Circuit ID:

     Padding format: User Defined

       User defined: abcd

     Format: ASCII

   Remote ID:

     Padding format: Normal

     Format: ASCII

   VLAN 10:

     Circuit ID: abcd

     Remote ID: company

Table 23 Command output

| Field | Description |
|---|---|
| Interface | Interface name. |
| Status | Option 82 status: Enable or Disable. |
| Strategy | Handling strategy for DHCP requests that contain Option 82: Drop, Keep, or Replace. |
| Circuit ID | Content of the Circuit ID sub-option. |
| Padding format | Padding format of Option 82. For the Circuit ID sub-option, the padding format can be Normal, User Defined, Verbose (sysname), Verbose (MAC), or Verbose (user defined). For the Remote ID sub-option, the padding format can be Normal, Sysname, or User Defined. |
| Node identifier | Access node identifier. |
| User defined | Content of the user-defined sub-option. |
| Format | Code type of the Option 82 sub-option. For the Circuit ID sub-option, the code type can be ASCII, Default, or Hex. For the Remote ID sub-option, the code type can be ASCII or Hex. |
| Remote ID | Content of the Remote ID sub-option. |
| VLAN | Pads Circuit ID sub-option and Remote ID sub-option in the DHCP packets received in the specified VLAN. |

display dhcp snooping packet statistics

Use display dhcp snooping packet statistics to display DHCP packet statistics for DHCP snooping.

Syntax

Centralized devices in standalone mode:

display dhcp snooping packet statistics

Distributed devices in standalone mode/centralized devices in IRF mode:

display dhcp snooping packet statistics [ slot slot-number ]

Distributed devices in IRF mode:

display dhcp snooping packet statistics [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by the slot number. If you do not specify a card, this command displays DHCP packet statistics for the active MPU. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays DHCP packet statistics for the master device. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays DHCP packet statistics for the global active MPU. (Distributed devices in IRF mode.)

Examples

# Display DHCP packet statistics for DHCP snooping.

<Sysname> display dhcp snooping packet statistics

 DHCP packets received                  : 100

 DHCP packets sent                      : 200

 Invalid DHCP packets dropped           : 0

Related commands

reset dhcp snooping packet statistics

display dhcp snooping trust

Use display dhcp snooping trust to display information about trusted ports.

Syntax

display dhcp snooping trust

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about trusted ports.

<Sysname> display dhcp snooping trust

 DHCP snooping is enabled.

 Interface                Trusted

 =====================================

 GigabitEthernet1/0/1     Trusted

Related commands

dhcp snooping trust

reset dhcp snooping binding

Use reset dhcp snooping binding to clear DHCP snooping entries.

Syntax

reset dhcp snooping binding { all | ip ip-address [ vlan vlan-id ] }

Views

User view

Predefined user roles

network-admin

Parameters

all: Clears all DHCP snooping entries.

ip ip-address: Clears the DHCP snooping entry for the specified IP address.

vlan vlan-id: Clears DHCP snooping entries for the specified VLAN. If you do not specify a VLAN, this command clears DHCP snooping entries for the default VLAN.

Usage guidelines

This command applies to all slots on a distributed device.

Examples

# Clear all DHCP snooping entries.

<Sysname> reset dhcp snooping binding all

Related commands

display dhcp snooping binding

reset dhcp snooping packet statistics

Use reset dhcp snooping packet statistics to clear DHCP packet statistics for DHCP snooping.

Syntax

Centralized devices in standalone mode:

reset dhcp snooping packet statistics

Distributed devices in standalone mode/centralized devices in IRF mode:

reset dhcp snooping packet statistics [ slot slot-number ]

Distributed devices in IRF mode:

reset dhcp snooping packet statistics [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by the slot number. If you do not specify a card, this command clears DHCP packet statistics for the active MPU. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears DHCP packet statistics for the master device. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears DHCP packet statistics for the global active MPU. (Distributed devices in IRF mode.)

Examples

# Clear DHCP packet statistics for DHCP snooping.

<Sysname> reset dhcp snooping packet statistics

Related commands

display dhcp snooping packet statistics

BOOTP client commands

display bootp client

Use display bootp client to display information about a BOOTP client.

Syntax

display bootp client [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays BOOTP client information on all interfaces.

Examples

# Display BOOTP client information on GigabitEthernet 1/0/1.

<Sysname> display bootp client interface gigabitethernet 1/0/1

GigabitEthernet1/0/1 BOOTP client information:

Allocated IP: 169.254.0.2 255.255.0.0

Transaction ID: 0x3d8a7431

MAC Address: 00e0-fc0a-c3ef

Table 24 Command output

| Field | Description |
|---|---|
| GigabitEthernet1/0/1 BOOTP client information | Information about the interface that acts as a BOOTP client. |
| Allocated IP | BOOTP client's IP address allocated by the BOOTP server. |
| Transaction ID | Value of the XID field in a BOOTP message. The BOOTP client chooses a random number for the XID field when sending a BOOTP request to the BOOTP server. It is used to match a response message from the BOOTP server. If the values of the XID field are different in the BOOTP response and request, the BOOTP client drops the BOOTP response. |
| MAC Address | MAC address of a BOOTP client. |

Related commands

ip address bootp-alloc

ip address bootp-alloc

Use ip address bootp-alloc to configure an interface to use BOOTP for IP address acquisition.

Use undo ip address bootp-alloc to stop an interface from using BOOTP for IP address acquisition.

Syntax

ip address bootp-alloc

undo ip address bootp-alloc

Default

An interface does not use BOOTP for IP address acquisition.

Views

Interface view

Predefined user roles

network-admin

Examples

# Configure GigabitEthernet 1/0/1 to use BOOTP for IP address acquisition.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ip address bootp-alloc

Related commands

display bootp client


DNS commands

IPv6-related features are not supported on the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR3600-28-SI/3600-51-SI.

display dns domain

Use display dns domain to display the domain name suffixes.

Syntax

display dns domain [ dynamic ] [ vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dynamic: Displays the domain name suffixes dynamically obtained through DHCP or other protocols. If you do not specify this keyword, the command displays the statically configured and dynamically obtained domain name suffixes.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To display domain name suffixes on the public network, do not use this option.

Examples

# Display the statically configured and dynamically obtained domain name suffixes on the public network.

<Sysname> display dns domain

Type:

  D: Dynamic    S: Static

 

No.    Type   Domain suffix

1      S      com

2      D      net

Table 25 Command output

| Field | Description |
|---|---|
| No. | Sequence number. |
| Type | Domain name suffix type. S: A statically configured domain name suffix. D: A domain name suffix dynamically obtained through DHCP or other protocols. |
| Domain suffix | Domain name suffixes. |

Related commands

dns domain

display dns host

Use display dns host to display information about domain name-to-IP address mappings.

Syntax

display dns host [ ip | ipv6 ] [ vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip: Specifies type A queries. A type A query resolves a domain name to the mapped IPv4 address.

ipv6: Specifies type AAAA queries. A type AAAA query resolves a domain name to the mapped IPv6 address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To display domain name-to-IP address mappings for the public network, do not use this option.

Usage guidelines

If you do not specify the ip or ipv6 keyword, this command displays domain name-to-IP address mappings of all query types.

Examples

# Display domain name-to-IP address mappings of all query types.

<Sysname> display dns host

Type:

  D: Dynamic    S: Static

 

Total number: 3

No.  Host name         Type  TTL        Query type   IP addresses

1    sample.com        D     3132       A            192.168.10.1

                                                     192.168.10.2

                                                     192.168.10.3

2    zig.sample.com    S     -          A            192.168.1.1

3    sample.net        S     -          AAAA         FE80::4904:4448

Table 26 Command output

| Field | Description |
|---|---|
| No. | Sequence number. |
| Host name | Domain name. |
| Type | Domain name-to-IP address mapping type. S: A static mapping configured by the ip host or ipv6 host command. D: A mapping dynamically obtained through dynamic domain name resolution. |
| TTL | Time in seconds that a mapping can be stored in the cache. For a static mapping, a hyphen (-) is displayed. |
| Query type | Query type, A or AAAA. |
| IP addresses | Replied IP address. For a type A query, the replied IP address is an IPv4 address. For a type AAAA query, the replied IP address is an IPv6 address. |

Related commands

ip host

ipv6 host

reset dns host

display dns server

Use display dns server to display IPv4 DNS server information.

Syntax

display dns server [ dynamic ] [ vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dynamic: Displays IPv4 DNS server information dynamically obtained through DHCP or other protocols. If you do not specify this keyword, the command displays statically configured and dynamically obtained IPv4 DNS server information.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To display IPv4 DNS server information for the public network, do not use this option.

Examples

# Display IPv4 DNS server information for the public network.

<Sysname> display dns server

Type:

  D: Dynamic    S: Static

 

No. Type  IP address

1   S     202.114.0.124

2   S     169.254.65.125

Table 27 Command output

| Field | Description |
|---|---|
| No. | Sequence number. |
| Type | DNS server type. S: A manually configured DNS server. D: DNS server information dynamically obtained through DHCP or other protocols. |
| IP address | IPv4 address of the DNS server. |

Related commands

dns server

display ipv6 dns server

Use display ipv6 dns server to display IPv6 DNS server information.

Syntax

display ipv6 dns server [ dynamic ] [ vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dynamic: Displays IPv6 DNS server information dynamically obtained through DHCP or other protocols. If you do not specify this keyword, the command displays the statically configured and dynamically obtained IPv6 DNS server information.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To display IPv6 DNS server information for the public network, do not use this option.

Examples

# Display IPv6 DNS server information for the public network.

<Sysname> display ipv6 dns server

Type:

  D: Dynamic    S: Static

 

No. Type  IPv6 address                             Outgoing Interface

1   S     2::2

Table 28 Command output

| Field | Description |
|---|---|
| No. | Sequence number. |
| Type | DNS server type. S: A manually configured DNS server. D: DNS server information dynamically obtained through DHCP or other protocols. |
| IPv6 address | IPv6 address of the DNS server. |
| Outgoing Interface | Output interface. |

Related commands

ipv6 dns server

dns domain

Use dns domain to configure a domain name suffix.

Use undo dns domain to delete the specified domain name suffix.

Syntax

dns domain domain-name [ vpn-instance vpn-instance-name ]

undo dns domain domain-name [ vpn-instance vpn-instance-name ]

Default

No domain name suffix is configured. Only the provided domain name is resolved.

Views

System view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a domain name suffix. It is a dot-separated case-insensitive string that can include letters, digits, hyphens (-), underscores (_), and dots (.), for example, aabbcc.com. The domain name suffix can include a maximum of 253 characters, and each separated string includes no more than 63 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To specify a domain name suffix on the public network, do not use this option.

Usage guidelines

The resolver automatically uses the suffix list to supply the missing part of an incomplete name entered by a user for domain name resolution.

A domain name suffix applies to both IPv4 DNS and IPv6 DNS.

You can specify domain name suffixes for both public network and VPN instances.

The system allows a maximum of 16 domain name suffixes for the public network or each VPN instance.

Examples

# Configure the domain name suffix com for the public network.

<Sysname> system-view

[Sysname] dns domain com

Related commands

display dns domain

dns dscp

Use dns dscp to set the DSCP value for DNS packets sent by a DNS client or DNS proxy.

Use undo dns dscp to restore the default.

Syntax

dns dscp dscp-value

undo dns dscp

Default

The DSCP value in DNS packets is 0.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Specifies the DSCP value in the range of 0 to 63.

Usage guidelines

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A larger DSCP value represents a higher priority.

Examples

# Set the DSCP value to 30 for outgoing DNS packets.

<Sysname> system-view

[Sysname] dns dscp 30

dns proxy enable

Use dns proxy enable to enable DNS proxy.

Use undo dns proxy enable to disable DNS proxy.

Syntax

dns proxy enable

undo dns proxy enable

Default

DNS proxy is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This configuration applies to both IPv4 DNS and IPv6 DNS.

Examples

# Enable DNS proxy.

<Sysname> system-view

[Sysname] dns proxy enable

dns server

Use dns server to specify the IPv4 address of a DNS server.

Use undo dns server to remove the IPv4 address of a DNS server.

Syntax

dns server ip-address [ vpn-instance vpn-instance-name ]

undo dns server [ ip-address ] [ vpn-instance vpn-instance-name ]

Default

No DNS server IPv4 address is specified.

Views

System view

Interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IPv4 address of a DNS server. When you execute the undo form of the command in interface view, you must specify this argument.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To specify an IPv4 address on the public network, do not use this option.

Usage guidelines

In system view, you can specify a maximum of six DNS server IPv4 addresses for the public network or each VPN instance. You can specify DNS server IPv4 addresses for both public network and VPN instances.

In interface view, you can specify a maximum of six DNS server IPv4 addresses for the public network or each VPN instance. You can specify DNS server IPv4 addresses for both public network and VPN instances.

A DNS server IPv4 address specified in system view takes priority over a DNS server IPv4 address specified in interface view. A DNS server IPv4 address specified earlier has a higher priority. A DNS server IPv4 address manually specified takes priority over a DNS server IPv4 address dynamically obtained, for example, through DHCP. The device first sends a DNS query to the DNS server IPv4 address of the highest priority. If the first query fails, it sends the DNS query to the DNS server IPv4 address of the second highest priority, and so on.

If you do not specify an IPv4 address, the undo dns server command removes all DNS server IPv4 addresses on the public network or the specified VPN instance.

Examples

# Specify DNS server IPv4 address 172.16.1.1.

<Sysname> system-view

[Sysname] dns server 172.16.1.1

# Specify DNS server IPv4 address 172.16.1.1 on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dns server 172.16.1.1

Related commands

display dns server

dns source-interface

Use dns source-interface to specify the source interface for DNS packets.

Use undo dns source-interface to restore the default.

Syntax

dns source-interface interface-type interface-number [ vpn-instance vpn-instance-name ]

undo dns source-interface interface-type interface-number [ vpn-instance vpn-instance-name ]

Default

No source interface is specified for DNS packets. The device uses the primary IP address of the output interface of the matching route as the source IP address for a DNS request.

Views

System view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To specify a source interface on the public network, do not use this option.

Usage guidelines

This configuration applies to both IPv4 and IPv6.

·     In IPv4 DNS, the device uses the primary IPv4 address of the specified source interface as the source IP address of a DNS query.

·     In IPv6 DNS, the device selects an IPv6 address of the source interface as the source IP address of a DNS query. The method of selecting the IPv6 address is defined in RFC 3484.

If you execute this command multiple times, the most recent configuration takes effect.

You can specify source interfaces for both public network and VPN instances.

The system allows only one source interface for the public network or each VPN instance.

This command takes effect whether the source interface belongs to the VPN instance or not. As a best practice, specify an interface that belongs to the VPN instance as the source interface.

Examples

# Specify GigabitEthernet 1/0/1 as the source interface for DNS packets on the public network.

<Sysname> system-view

[Sysname] dns source-interface gigabitethernet 1/0/1

dns spoofing

Use dns spoofing to enable DNS spoofing and specify the IPv4 address to spoof DNS requests.

Use undo dns spoofing to disable DNS spoofing.

Syntax

dns spoofing ip-address [ vpn-instance vpn-instance-name ]

undo dns spoofing ip-address [ vpn-instance vpn-instance-name ]

Default

DNS spoofing is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IPv4 address used to spoof DNS requests.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To enable DNS spoofing on the public network, do not use this option.

Usage guidelines

Use the dns spoofing command together with the dns proxy enable command.

DNS spoofing enables the DNS proxy to send a spoofed reply with a configured IP address even if it cannot reach the DNS server because no dial-up connection is available. Without DNS spoofing, the proxy does not answer or forward a DNS request if it cannot find a local matching DNS entry or reach the DNS server.

You can configure DNS spoofing for both public network and VPN instances.

The system allows only one replied IPv4 address for the public network or each VPN instance. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable DNS spoofing on the public network and specify the IPv4 address 1.1.1.1 to spoof DNS requests.

<Sysname> system-view

[Sysname] dns proxy enable

[Sysname] dns spoofing 1.1.1.1

Related commands

dns proxy enable

dns spoofing track

Use dns spoofing track to configure the DNS spoofing device to track the network mode of an output interface.

Use undo dns spoofing track to restore the default.

Syntax

dns spoofing track controller interface-type interface-number

undo dns spoofing track

Default

The DNS spoofing device does not track the network mode of an output interface.

Views

System view

Predefined user roles

network-admin

Parameters

controller interface-type interface-number: Specifies an output interface by its type and number.

Usage guidelines

The DNS spoofing device spoofs DNS requests if the network mode of the output interface is 2G. This command takes effect on the cellular interface when the interface acts as the output interface to reach the DNS server.

Enable DNS spoofing by using the dns spoofing or ipv6 dns spoofing command before you configure this command.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the device to spoof DNS requests by using the IP address 192.168.1.10, and to track the network mode of the output interface Cellular 0/1.

<Sysname> system-view

[Sysname] dns proxy enable

[Sysname] dns spoofing 192.168.1.10

[Sysname] dns spoofing track controller cellular 0/1

Related commands

dns spoofing

ipv6 dns spoofing

dns trust-interface

Use dns trust-interface to specify a DNS trusted interface.

Use undo dns trust-interface to remove a DNS trusted interface.

Syntax

dns trust-interface interface-type interface-number

undo dns trust-interface [ interface-type interface-number ]

Default

No DNS trusted interface is specified.

Views

System view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

By default, an interface obtains DNS suffix and DNS server information from DHCP. A network attacker might act as the DHCP server to assign a wrong DNS suffix and DNS server address to the device. As a result, the device fails to obtain the resolved IP address or might get the wrong IP address. With the DNS trusted interface specified, the device only uses the DNS suffix and DNS server information obtained through the trusted interface to avoid attack.

This configuration applies to both IPv4 DNS and IPv6 DNS.

You can configure a maximum of 128 DNS trusted interfaces on the device.

If you do not specify an interface, the undo dns trust-interface command removes all DNS trusted interfaces and restores the default.

Examples

# Specify GigabitEthernet 1/0/1 as the DNS trusted interface.

<Sysname> system-view

[Sysname] dns trust-interface gigabitethernet 1/0/1
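The following Python sketch is an added example, not H3C code. It models the DNS server priority rules from the dns server usage guidelines together with the dns trust-interface filter, to show which server the device would end up querying when a rogue DHCP server hands out an address. The data model, the seq field, and the sample addresses are assumptions constructed for this illustration.

```python
from dataclasses import dataclass

# Lower rank is queried first: system view, then interface view (both manual),
# then addresses obtained dynamically, for example through DHCP.
RANK = {"system": 0, "interface": 1, "dhcp": 2}


@dataclass(frozen=True)
class DnsServer:
    address: str
    origin: str          # "system", "interface", or "dhcp"
    seq: int             # order in which the address was specified or learned
    interface: str = ""  # interface it was configured on or learned through


def query_order(servers, trusted_interfaces=()):
    """Return server addresses in the order the rules above would query them.

    Assumption of this model: an empty trusted set is the default behaviour
    (every DHCP-learned server is accepted); once any trusted interface is
    specified, DHCP-learned servers from other interfaces are ignored.
    """
    trusted = set(trusted_interfaces)
    usable = [
        s for s in servers
        if not (s.origin == "dhcp" and trusted and s.interface not in trusted)
    ]
    ordered = sorted(usable, key=lambda s: (RANK[s.origin], s.seq))
    return [s.address for s in ordered]


def first_answer(order, reachable):
    """Walk the list as the device does: next server only if the query fails."""
    for address in order:
        if address in reachable:
            return address
    return None


# Constructed sample state (not taken from a real device).
SERVERS = [
    DnsServer("203.0.113.53", "dhcp", 1, "GigabitEthernet1/0/2"),  # rogue offer
    DnsServer("172.16.1.2", "interface", 2, "GigabitEthernet1/0/1"),
    DnsServer("172.16.1.1", "system", 3),
    DnsServer("10.10.10.10", "dhcp", 4, "GigabitEthernet1/0/1"),
]

if __name__ == "__main__":
    # The legitimate servers are down; only the rogue one answers.
    reachable = {"203.0.113.53"}
    default_order = query_order(SERVERS)
    trusted_order = query_order(SERVERS, ["GigabitEthernet1/0/1"])
    print("default :", default_order, "->", first_answer(default_order, reachable))
    print("trusted :", trusted_order, "->", first_answer(trusted_order, reachable))
```

In the default case the rogue address sits last in the list but is still reached once the higher-priority servers fail; with the trusted interface specified it is never queried, so resolution fails instead of returning an attacker-chosen answer.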

ip host

Use ip host to create a host name-to-IPv4 address mapping.

Use undo ip host to remove a host name-to-IPv4 address mapping.

Syntax

ip host host-name ip-address [ vpn-instance vpn-instance-name ]

undo ip host host-name ip-address [ vpn-instance vpn-instance-name ]

Default

No host name-to-IPv4 address mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

host-name: Specifies a host name, a case-insensitive string of 1 to 253 characters. Valid characters are letters, digits, hyphens (-), underscores (_), and dots (.).

ip-address: Specifies the IPv4 address of the host.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To create a host name-to-IP address mapping on the public network, do not specify this option.

Usage guidelines

You can configure host name-to-IPv4 address mappings for both public network and VPN instances.

The system allows a maximum of 1024 host name-to-IPv4 address mappings for the public network or each VPN instance.

For the public network or a VPN instance, each host name maps to only one IPv4 address. If you execute this command multiple times, the most recent configuration takes effect.

Do not use the ping command parameter ip, -a, -c, -f, -h, -i, -m, -n, -p, -q, -r, -s, -t, -tos, -v, or -vpn-instance as the host name. For more information about the ping command parameters, see Network Management and Monitoring Command Reference.

Examples

# Map the IPv4 address 10.110.0.1 to the host name aaa on the public network.

<Sysname> system-view

[Sysname] ip host aaa 10.110.0.1

Related commands

display dns host

ipv6 dns dscp

Use ipv6 dns dscp to set the DSCP value for IPv6 DNS packets sent by an IPv6 DNS client or DNS proxy.

Use undo ipv6 dns dscp to restore the default.

Syntax

ipv6 dns dscp dscp-value

undo ipv6 dns dscp

Default

The DSCP value for IPv6 DNS packets is 0.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Specifies the DSCP value in the range of 0 to 63.

Usage guidelines

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

Examples

# Set the DSCP value to 30 for outgoing IPv6 DNS packets.

<Sysname> system-view

[Sysname] ipv6 dns dscp 30

ipv6 dns server

Use ipv6 dns server to specify the IPv6 address of a DNS server.

Use undo ipv6 dns server to remove the IPv6 address of a DNS server.

Syntax

ipv6 dns server ipv6-address [ interface-type interface-number ] [ vpn-instance vpn-instance-name ]

undo ipv6 dns server [ ipv6-address [ interface-type interface-number ] ] [ vpn-instance vpn-instance-name ]

Default

No DNS server IPv6 address is specified.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of a DNS server.

interface-type interface-number: Specifies the output interface by its type and number. If you do not specify an interface, the device forwards DNS packets out of the output interface of the matching route. Specify this argument if the IPv6 address of the DNS server is a link-local address. Do not specify this argument if the IPv6 address of the DNS server is a global unicast address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To specify a DNS server IPv6 address on the public network, do not use this option.

Usage guidelines

For dynamic DNS, the device sends a DNS query request to the DNS servers in the order their IPv6 addresses are specified.

You can specify DNS server IPv6 addresses for both public network and VPN instances.

The system allows a maximum of six DNS server IPv6 addresses for the public network or each VPN instance.

If you do not specify an IPv6 address, the undo ipv6 dns server command removes all DNS server IPv6 addresses on the public network or the specified VPN instance.

Examples

# Specify the DNS server IPv6 address 2002::1 for the public network.

<Sysname> system-view

[Sysname] ipv6 dns server 2002::1

Related commands

display ipv6 dns server

ipv6 dns spoofing

Use ipv6 dns spoofing to enable DNS spoofing and specify the IPv6 address to spoof DNS requests.

Use undo ipv6 dns spoofing to disable DNS spoofing.

Syntax

ipv6 dns spoofing ipv6-address [ vpn-instance vpn-instance-name ]

undo ipv6 dns spoofing ipv6-address [ vpn-instance vpn-instance-name ]

Default

DNS spoofing is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address used to spoof DNS requests.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To enable DNS spoofing on the public network, do not use this option.

Usage guidelines

Use the ipv6 dns spoofing command together with the dns proxy enable command.

DNS spoofing enables the DNS proxy on the device to send a spoofed reply with an IPv6 address in response to a type AAAA DNS request. Without DNS spoofing, the device does not forward or answer a request if no DNS server is specified or no DNS server is reachable.

You can configure DNS spoofing for both public network and VPN instances.

The system allows only one replied IPv6 address for the public network or each VPN instance. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable DNS spoofing on the public network and specify the IPv6 address 2001::1 to spoof DNS requests.

<Sysname> system-view

[Sysname] dns proxy enable

[Sysname] ipv6 dns spoofing 2001::1

Related commands

dns proxy enable

ipv6 host

Use ipv6 host to create a host name-to-IPv6 address mapping.

Use undo ipv6 host to remove a host name-to-IPv6 address mapping.

Syntax

ipv6 host host-name ipv6-address [ vpn-instance vpn-instance-name ]

undo ipv6 host host-name ipv6-address [ vpn-instance vpn-instance-name ]

Default

No host name-to-IPv6 address mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

host-name: Specifies a host name, a case-insensitive string of 1 to 253 characters. It can include letters, digits, hyphens (-), underscores (_), and dots (.).

ipv6-address: Specifies the IPv6 address of the host.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To create a host name-to-IPv6 address mapping on the public network, do not use this option.

Usage guidelines

You can configure host name-to-IPv6 address mappings for both public network and VPN instances.

The system allows a maximum of 1024 host name-to-IPv6 address mappings for the public network or each VPN instance.

For the public network or a VPN instance, each host name maps to only one IPv6 address. If you execute this command multiple times, the most recent configuration takes effect.

Do not use the ping ipv6 command parameter -a, -c, -i, -m, -q, -s, -t, -tc, -v, or -vpn-instance as the host name. For more information about the ping ipv6 command parameters, see Network Management and Monitoring Command Reference.

Examples

# Map the IPv6 address 2001::1 to the host name aaa on the public network.

<Sysname> system-view

[Sysname] ipv6 host aaa 2001::1

Related commands

ip host

reset dns host

Use reset dns host to clear dynamic DNS entries.

Syntax

reset dns host [ ip | ipv6 ] [ vpn-instance vpn-instance-name ]

Views

User view

Predefined user roles

network-admin

Parameters

ip: Specifies type A queries. A type A query resolves a domain name to the mapped IPv4 address.

ipv6: Specifies type AAAA queries. A type AAAA query resolves a domain name to the mapped IPv6 address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN, this command clears the dynamic DNS entries for the public network.

Usage guidelines

If you do not specify the ip or ipv6 keyword, the reset dns host command clears dynamic DNS entries of all query types.

Examples

# Clear dynamic DNS entries of all query types for the public network.

<Sysname> reset dns host

Related commands

display dns host


DDNS commands

The following matrix shows the feature and hardware compatibility:

| Hardware | DDNS compatibility |
| --- | --- |
| MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/MSR810-W-LM-HK | Yes |
| MSR810-LMS/810-LUS | No |
| MSR2600-6-X1/2600-10-X1 | Yes |
| MSR 2630 | Yes |
| MSR3600-28/3600-51 | Yes |
| MSR3600-28-SI/3600-51-SI | No |
| MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes |
| MSR 3610/3620/3620-DP/3640/3660 | Yes |
| MSR 5620/5660/5680 | Yes |

| Hardware | DDNS compatibility |
| --- | --- |
| MSR810-LM-GL | Yes |
| MSR810-W-LM-GL | Yes |
| MSR830-6EI-GL | Yes |
| MSR830-10EI-GL | Yes |
| MSR830-6HI-GL | Yes |
| MSR830-10HI-GL | Yes |
| MSR2600-6-X1-GL | Yes |
| MSR3600-28-SI-GL | No |

ddns apply policy

Use ddns apply policy to apply a DDNS policy to an interface for updating the mapping between an FQDN and the primary IP address of the interface, and enable DDNS update.

Use undo ddns apply policy to remove the application of a DDNS policy from an interface and stop DDNS update.

Syntax

ddns apply policy policy-name [ fqdn domain-name ]

undo ddns apply policy policy-name

Default

No DDNS policy and FQDN for update are specified on the interface, and DDNS update is disabled.

Views

Interface view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a DDNS policy by its name, a case-insensitive string of 1 to 32 characters.

fqdn domain-name: Specifies the FQDN to replace <h> in the URL for DDNS update. The domain-name argument specifies a case-insensitive string of 1 to 253 characters. It can include letters, digits, hyphens (-), underscores (_), and dots (.).

Usage guidelines

You can apply a maximum of four DDNS policies to an interface.

If you execute this command multiple times with the same DDNS policy name but different FQDNs, both of the following occur:

·     The most recent configuration takes effect.

·     The device initiates a DDNS update request immediately.

Examples

# Apply the DDNS policy steven_policy to GigabitEthernet 1/0/1 to update the domain name-to-IP address mapping for FQDN www.whatever.com and enable DDNS update.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ddns apply policy steven_policy fqdn www.whatever.com

Related commands

ddns policy

display ddns policy

ddns dscp

Use ddns dscp to set the DSCP value for outgoing DDNS packets.

Use undo ddns dscp to restore the default.

Syntax

ddns dscp dscp-value

undo ddns dscp

Default

The DSCP value for outgoing DDNS packets is 0.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Specifies the DSCP value in the range of 0 to 63.

Usage guidelines

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

Examples

# Set the DSCP value to 30 for outgoing DDNS packets.

<Sysname> system-view

[Sysname] ddns dscp 30

ddns policy

Use ddns policy to create a DDNS policy and enter its view, or enter the view of an existing DDNS policy.

Use undo ddns policy to delete a DDNS policy.

Syntax

ddns policy policy-name

undo ddns policy policy-name

Default

No DDNS policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies the DDNS policy name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can create a maximum of 16 DDNS policies on the device.

Examples

# Create a DDNS policy named steven_policy and enter its view.

<Sysname> system-view

[Sysname] ddns policy steven_policy

Related commands

ddns apply policy

display ddns policy

display ddns policy

Use display ddns policy to display information about DDNS policies.

Syntax

display ddns policy [ policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies a DDNS policy by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a DDNS policy, this command displays information about all DDNS policies.

Examples

# Display information about the DDNS policy steven_policy.

<Sysname> display ddns policy steven_policy

DDNS policy: steven_policy

  URL              : http://members.3322.org/dyndns/update?

                     system=dyndns&hostname=<h>&myip=<a>

  Username         : steven

  Password         : ******

  Method           : GET

  SSL client policy:

  Interval         : 1 days 0 hours 1 minutes

# Display information about all DDNS policies.

<Sysname> display ddns policy

DDNS policy: steven_policy

  URL              : http://members.3322.org/dyndns/update?system=

                     dyndns&hostname=<h>&myip=<a>

  Username         : steven

  Password         : ******

  Method           : GET

  SSL client policy:

  Interval         : 0 days 0 hours 30 minutes 

 

DDNS policy: tom-policy

  URL              : http://members.3322.org/dyndns/update?system=

                     dyndns&hostname=<h>&myip=<a>

  Username         :

  Password         :

  Method           : GET

  SSL client policy:

  Interval         : 0 days 0 hours 15 minutes

 

DDNS policy: u-policy

  URL              : oray://phservice2.oray.net

  Username         : username

  Password         :

  Method           : -

  SSL client policy:

  Interval         : 0 days 0 hours 15 minutes

Table 29 Command output

| Field | Description |
| --- | --- |
| DDNS policy | DDNS policy name. |
| URL | URL address for a DDNS update request. This field is empty if no URL address is configured. |
| Username | Username for logging in to the DDNS server. This field is empty if no username is configured. |
| Password | Password for logging in to the DDNS server. This field is empty if no password is configured and displays ****** if a password is configured. |
| Method | Parameter transmission method used to send HTTP/HTTPS-based DDNS update requests. Method types include GET and POST. |
| SSL client policy | Name of the associated SSL client policy. This field is empty if no SSL client policy is associated. |
| Interval | Interval for sending DDNS update requests. |

Related commands

ddns policy

interval

Use interval to set the interval for sending DDNS update requests.

Use undo interval to restore the default.

Syntax

interval days [ hours [ minutes ] ]

undo interval

Default

The DDNS update request interval is one hour.

Views

DDNS policy view

Predefined user roles

network-admin

Parameters

days: Days in the range of 0 to 365.

hours: Hours in the range of 0 to 23.

minutes: Minutes in the range of 0 to 59.

Usage guidelines

Whether the interval is reached or not, a DDNS update request is initiated immediately if either of the following conditions occurs:

·     The primary IP address of the interface changes.

·     The link state of the interface changes from down to up.

If you set the interval to 0, the device does not periodically initiate DDNS update requests. However, it initiates a DDNS update request in either of the following situations:

·     The primary IP address of the interface changes.

·     The link state of the interface changes from down to up.

If you execute this command multiple times, the most recent configuration takes effect. If you change the interval for an applied DDNS policy, the device immediately initiates a DDNS update request and sets the interval as the update interval.

Examples

# Set the interval to one day and one minute for sending DDNS update requests for the DDNS policy steven_policy.

<Sysname> system-view

[Sysname] ddns policy steven_policy

[Sysname-ddns-policy-steven_policy] interval 1 0 1

Related commands

ddns policy

display ddns policy

method

Use method to specify the parameter transmission method for sending DDNS update requests to HTTP/HTTPS-based DDNS servers.

Use undo method to restore the default.

Syntax

method { http-get | http-post }

undo method

Default

The method http-get applies.

Views

DDNS policy view

Predefined user roles

network-admin

Parameters

http-get: Uses the get operation.

http-post: Uses the post operation.

Usage guidelines

This command applies to DDNS updates in HTTP/HTTPS. If the DDNS server uses HTTP or HTTPS service, choose a parameter transmission method compatible with the DDNS server. For example, a DHS server supports the http-post method.

If the DDNS policy has been applied to an interface, a DDNS update is sent immediately after the parameter transmission method is changed.

Examples

# Specify the parameter transmission method as http-post for DDNS update requests for DDNS policy steven_policy.

<Sysname> system-view

[Sysname] ddns policy steven_policy

[Sysname-ddns-policy-steven_policy] method http-post

Related commands

ddns policy

display ddns policy

password

Use password to specify the password for logging in to the DDNS server.

Use undo password to restore the default.

Syntax

password { cipher | simple } string

undo password

Default

No password is specified for logging in to the DDNS server.

Views

DDNS policy view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 32 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters.

Examples

# In the DDNS policy steven_policy, specify nevets as the password for logging in to the DDNS server.

<Sysname> system-view

[Sysname] ddns policy steven_policy

[Sysname-ddns-policy-steven_policy] password simple nevets

Related commands

ddns policy

display ddns policy

url

username

ssl-client-policy

Use ssl-client-policy to associate an SSL client policy with a DDNS policy.

Use undo ssl-client-policy to restore the default.

Syntax

ssl-client-policy policy-name

undo ssl-client-policy

Default

No SSL client policy is associated with a DDNS policy.

Views

DDNS policy view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

The SSL client policy is effective only for HTTPS-based DDNS update requests.

If you execute this command multiple times with different SSL client policies, the most recent configuration takes effect.

Examples

# Associate the SSL client policy ssl_policy with the DDNS policy steven_policy.

<Sysname> system-view

[Sysname] ddns policy steven_policy

[Sysname-ddns-policy-steven_policy] ssl-client-policy ssl_policy

Related commands

ddns policy

display ddns policy

ssl-client-policy (Security Command Reference)

url

Use url to specify the URL address for DDNS update requests.

Use undo url to restore the default.

Syntax

url request-url

undo url

Default

No URL address is specified for DDNS update requests.

Views

DDNS policy view

Predefined user roles

network-admin

Parameters

request-url: Specifies the URL address, a case-sensitive string of 1 to 240 characters.

Usage guidelines

The URL addresses configured for update requests vary by DDNS server. Common DDNS server URL address formats are shown in Table 30.

Table 30 Common URL addresses for DDNS update request

| DDNS server | URL addresses for DDNS update requests |
| --- | --- |
| www.3322.org | http://members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a> |
| DYNDNS | http://members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a> |
| DYNS | http://www.dyns.cx/postscript.php?host=<h>&ip=<a> |
| ZONEEDIT | http://dynamic.zoneedit.com/auth/dynamic.html?host=<h>&dnsto=<a> |
| TZO | http://cgi.tzo.com/webclient/signedon.html?TZOName=<h>IPAddress=<a> |
| EASYDNS | http://members.easydns.com/dyn/ez-ipupdate.php?action=edit&myip=<a>&host_id=<h> |
| HEIPV6TB | http://dyn.dns.he.net/nic/update?hostname=<h>&myip=<a> |
| CHANGE-IP | http://nic.changeip.com/nic/update?hostname=<h>&offline=1 |
| NO-IP | http://dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a> |
| DHS | http://members.dhs.org/nic/hosts?domain=dyn.dhs.org&hostname=<h>&hostscmd=edit&hostscmdstage=2&type=1&ip=<a> |
| HP | https://server-name/nic/update?group=group-name&myip=<a> |
| ODS | ods://update.ods.org |
| GNUDIP | gnudip://server-name |
| PeanutHull | oray://phservice2.oray.net |

Do not include the username or password in the URL address. To configure the username and password, use the username command and the password command.

HP and GNUDIP are common DDNS update protocols. The server-name parameter is the domain name or IP address of the service provider's server using one of the update protocols.

The URL address for an update request can start with:

·     http://—The HTTP-based DDNS server.

·     https://—The HTTPS-based DDNS server.

·     ods://—The TCP-based ODS server.

·     gnudip://—The TCP-based GNUDIP server.

·     oray://—The TCP-based DDNS server.

The domain names of DDNS servers are members.3322.org and phservice2.oray.net. The domain names of PeanutHull DDNS servers can be phservice2.oray.net, phddns60.oray.net, client.oray.net, ph031.oray.net, and so on. Determine the domain name in the URL according to the actual situation.

The port number in the URL address is optional. If you do not specify a port number, the default port number is used. HTTP uses port 80, HTTPS uses port 443, and the PeanutHull server uses port 6060.

The system automatically performs the following tasks:

·     Fills <h> with the FQDN that is specified when the DDNS policy is applied to the interface.

·     Fills <a> with the primary IP address of the interface to which the DDNS policy is applied.

You can also manually specify an FQDN and an IP address in <h> and <a>, respectively. In this case, the FQDN that is specified when the DDNS policy is applied to an interface will not take effect. As a best practice, do not manually change the <h> and <a> because your configuration might be incorrect.

You cannot specify an FQDN and IP address in the URL address for contacting the PeanutHull server. Alternatively, you can specify an FQDN when applying the DDNS policy to an interface. The system automatically uses the primary IP address of the interface to which the DDNS policy is applied as the IP address for DDNS update.

To avoid misinterpretation, do not include colons (:), at signs (@), or question marks (?) in your login username or password, even if you can do so.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the URL address for DDNS update requests for the DDNS policy steven_policy. The device contacts www.3322.org for DDNS update.

<Sysname> system-view

[Sysname] ddns policy steven_policy

[Sysname-ddns-policy-steven_policy] url http://members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>

Related commands

ddns policy

display ddns policy

password

username
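The following Python sketch is an added example, not H3C code. It checks one DDNS policy against the rules in the url usage guidelines (allowed URL schemes, the default ports stated there, no credentials in the URL, characters to avoid in the username and password) and flags an SSL client policy that cannot take effect because the URL is not https://. The helper names and finding labels are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Transport and default port per URL scheme, as stated in the url usage
# guidelines. No default port is given there for ods:// or gnudip://, so None
# is kept instead of a guess.
SCHEMES = {
    "http": ("HTTP", 80),
    "https": ("HTTPS", 443),
    "ods": ("TCP", None),
    "gnudip": ("TCP", None),
    "oray": ("TCP", 6060),
}
AMBIGUOUS = set(":@?")  # characters to keep out of the username and password


def lint_ddns_policy(url, username="", password="", ssl_client_policy=""):
    """Check one DDNS policy; return (summary dict, list of finding strings).

    Hypothetical helper written for this example, not a device or vendor API.
    """
    findings = []
    if not 1 <= len(url) <= 240:
        findings.append("url-length: request-url must be 1 to 240 characters")
    parts = urlsplit(url)
    scheme = parts.scheme
    if scheme not in SCHEMES:
        findings.append(f"unknown-scheme: {scheme or '(none)'}")
        return {"scheme": scheme}, findings
    transport, default_port = SCHEMES[scheme]
    try:
        port = parts.port or default_port
    except ValueError:  # non-numeric or out-of-range port in the URL
        port = None
        findings.append("bad-port: port must be a number from 0 to 65535")
    # user:password@host inside the URL instead of the dedicated commands
    if parts.username is not None or parts.password is not None:
        findings.append("credentials-in-url: use the username and password commands")
    if scheme == "http":
        findings.append("cleartext-http: the update request is sent without TLS")
    if ssl_client_policy and scheme != "https":
        findings.append("ssl-policy-unused: SSL client policy applies to https:// only")
    if scheme == "oray" and (parts.query or "<h>" in url or "<a>" in url):
        findings.append("oray-params: no FQDN or IP address in a PeanutHull URL")
    for label, value in (("username", username), ("password", password)):
        bad = sorted(AMBIGUOUS & set(value))
        if bad:
            findings.append(f"ambiguous-{label}: contains {' '.join(bad)}")
    summary = {"scheme": scheme, "transport": transport,
               "host": parts.hostname, "port": port}
    return summary, findings


def fill_placeholders(url, fqdn, primary_ip):
    """Substitute <h> and <a> the way the usage guidelines describe."""
    return url.replace("<h>", fqdn).replace("<a>", primary_ip)


if __name__ == "__main__":
    # URLs from Table 30; the last one is constructed to show embedded credentials.
    samples = [
        ("http://members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>", ""),
        ("oray://phservice2.oray.net", "ssl_policy"),
        ("https://user:pw@server-name/nic/update?group=group-name&myip=<a>", ""),
    ]
    for url, ssl_policy in samples:
        summary, findings = lint_ddns_policy(url, ssl_client_policy=ssl_policy)
        print(summary)
        for finding in findings:
            print("  -", finding)
    print(fill_placeholders(samples[0][0], "www.whatever.com", "192.0.2.10"))
```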

username

Use username to specify the username for logging in to the DDNS server.

Use undo username to restore the default.

Syntax

username username

undo username

Default

No username is specified for logging in to the DDNS server.

Views

DDNS policy view

Predefined user roles

network-admin

Parameters

username: Specifies the username, a case-sensitive string of 1 to 32 characters.

Examples

# In the DDNS policy steven_policy, specify steven as the username for logging in to the DDNS server.

<Sysname> system-view

[Sysname] ddns policy steven_policy

[Sysname-ddns-policy-steven_policy] username steven

Related commands

ddns policy

display ddns policy

password

url


NAT commands

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

·     MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

address

Use address to add an address range to a NAT address group.

Use undo address to remove an address range from a NAT address group.

Syntax

address start-address end-address

undo address start-address end-address

Default

No address ranges exist.

Views

NAT address group view

Predefined user roles

network-admin

Parameters

start-address end-address: Specifies the start and end IP addresses of the address range. The end address must not be lower than the start address. If they are the same, the address range has only one IP address.

Usage guidelines

A NAT address group is a set of address ranges. The source address in a packet destined for an external network is translated into an address in one of the address ranges.

Each address range can contain a maximum of 65535 addresses.

Make sure the address ranges do not overlap.

Examples

# Add two address ranges to an address group.

<Sysname> system-view

[Sysname] nat address-group 2

[Sysname-address-group-2] address 10.1.1.1 10.1.1.15

[Sysname-address-group-2] address 10.1.1.20 10.1.1.30

Related commands

nat address-group

block-size

Use block-size to set the port block size.

Use undo block-size to restore the default.

Syntax

block-size block-size

undo block-size

Default

The port block size is 256.

Views

NAT port block group view

Predefined user roles

network-admin

Parameters

block-size: Specifies the number of ports in a port block. The value range for this argument is 1 to 65535.

Usage guidelines

Set an appropriate port block size based on the number of private IP addresses, the number of public IP addresses, and the port range in the port block group.

The port block size cannot be larger than the number of ports in the port range.

Examples

# Set the port block size to 1024 for port block group 1.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] block-size 1024
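A sizing check for the three inputs named in the usage guidelines, as an added example that is not part of the H3C reference. It assumes that each public address yields floor(ports in range / block size) port blocks and that each private address needs one block; the function names and result keys are also assumptions. The values in the `__main__` part are those shown for port block groups 1 and 2 in the `display nat all` sample output later in this reference.

```python
import ipaddress
import math


def count_addresses(ranges):
    """Total number of IPv4 addresses in a list of (start, end) pairs."""
    return sum(int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1
               for start, end in ranges)


def port_block_plan(port_range, block_size, local_ranges, global_ranges):
    """Compare the port blocks a group can supply with the private addresses it serves.

    Assumption of this example: one port block per private address, and
    ports // block_size blocks per public address.
    """
    low, high = port_range
    ports = high - low + 1
    if not 1 <= block_size <= 65535:
        raise ValueError("block-size must be 1 to 65535")
    if block_size > ports:
        # "The port block size cannot be larger than the number of ports in the port range."
        raise ValueError(f"block-size {block_size} exceeds the {ports} ports in the range")
    blocks_per_ip = ports // block_size
    private = count_addresses(local_ranges)
    public = count_addresses(global_ranges)
    capacity = blocks_per_ip * public
    return {
        "blocks_per_public_ip": blocks_per_ip,
        "unused_ports_per_public_ip": ports - blocks_per_ip * block_size,
        "private_addresses": private,
        "block_capacity": capacity,
        "fits": private <= capacity,
        "public_addresses_needed": math.ceil(private / blocks_per_ip),
    }


# Port block group 1 as displayed: port range 1-65535, block size 256.
GROUP1 = dict(
    port_range=(1, 65535), block_size=256,
    local_ranges=[("172.16.1.1", "172.16.1.254"), ("192.168.1.1", "192.168.1.254"),
                  ("192.168.3.1", "192.168.3.254")],
    global_ranges=[("201.1.1.1", "201.1.1.10"), ("201.1.1.21", "201.1.1.25")],
)
# Port block group 2 as displayed: port range 10001-30000, block size 500.
GROUP2 = dict(
    port_range=(10001, 30000), block_size=500,
    local_ranges=[("10.1.1.1", "10.1.10.255")],
    global_ranges=[("202.10.10.101", "202.10.10.120")],
)

if __name__ == "__main__":
    for name, group in (("group 1", GROUP1), ("group 2", GROUP2)):
        plan = port_block_plan(**group)
        verdict = "fits" if plan["fits"] else "does NOT fit"
        print(f"{name}: {plan['private_addresses']} private addresses, "
              f"{plan['block_capacity']} blocks available, {verdict}; "
              f"needs at least {plan['public_addresses_needed']} public addresses")
```

Under the stated assumption, a group whose private addresses outnumber its blocks leaves some hosts without a mapping, which is worth catching before deployment.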

Related commands

nat port-block-group

display nat alg

Use display nat alg to display the NAT ALG status for all supported protocols.

Syntax

display nat alg

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the NAT ALG status for all supported protocols.

<Sysname> display nat alg

NAT ALG:

  DNS        : Enabled

  FTP        : Disabled

  H323       : Disabled

  ICMP-ERROR : Disabled

  ILS        : Disabled

  MGCP       : Disabled

  NBT        : Disabled

  PPTP       : Disabled

  RTSP       : Disabled

  RSH        : Disabled

  SCCP       : Disabled

  SIP        : Disabled

  SQLNET     : Disabled

  TFTP       : Disabled

  XDMCP      : Disabled

Related commands

display nat all

display nat all

Use display nat all to display all NAT configuration information.

Syntax

display nat all

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# (Centralized devices in standalone mode.) Display all NAT configuration information.

<Sysname> display nat all

NAT address group information:

  Totally 5 NAT address groups.

  Address group 1:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

 

  Address group 2:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.20         202.110.10.25

      202.110.10.30         202.110.10.35

 

  Address group 3:

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.40         202.110.10.50

 

  Address group 4:

    Port range: 10001-65535

    Port block size: 500

    Extended block number: 1

    Address information:

      Start address         End address

      202.110.10.60         202.110.10.65

 

  Address group 6:

    Port range: 1-65535

    Address information:

      Start address         End address

      ---                   ---

 

NAT server group information:

  Totally 3 NAT server groups.

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

  2                   ---                   ---         ---

  3                   192.168.0.26          69          100

 

NAT inbound information:

  Totally 1 NAT inbound rules.

  Interface: GigabitEthernet0/2

    ACL: 2038

    Address group ID: 2

    Add route: Y    NO-PAT: Y         Reversible: N

    VPN instance: vpn_nat

    Rule name: abc

    Priority: 1000

    Config status: Active

 

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: GigabitEthernet0/1

    ACL: 2036

    Address group ID: 1

    Port-preserved: Y    NO-PAT: N         Reversible: N

    Rule name: def

    Priority: 1000

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: address group, and ACL.

 

  Interface: GigabitEthernet0/1

    ACL: 2037

    Address group ID: 1

    Port-preserved: N    NO-PAT: Y         Reversible: Y

    VPN instance: vpn_nat

    Rule name: rabbit

    Priority: 100

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

 

NAT internal server information:

  Totally 5 internal servers.

  Interface: GigabitEthernet0/1

    Global ACL    : 2000

    Local IP/port : 192.168.10.1/23

    Rule name     : sept

    Priority      : 1000

    Config status : Active

 

  Interface: GigabitEthernet0/3

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23

    Local IP/port : 192.168.10.15/23

    ACL           : 2000

    Rule name     : blue

    Config status : Active

 

  Interface: GigabitEthernet0/4

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23-30

    Local IP/port : 192.168.10.15-192.168.10.22/23

    Global VPN    : vpn1

    Local VPN     : vpn3

    Rule name     : hat

    Config status : Active

 

  Interface: GigabitEthernet0/4

    Protocol: 255(Reserved)

    Global IP/port: 50.1.1.100/---

    Local IP/port : 192.168.10.150/---

    Global VPN    : vpn2

    Local VPN     : vpn4

    ACL           : 3000

    Rule name     : hat

    Priority      : 3

    Config status : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN, and ACL.

 

  Interface: GigabitEthernet0/5

    Protocol: 17(UDP)

    Global IP/port: 50.1.1.2/23

    Local IP/port : server group 1

                    1.1.1.1/21            (Connections: 10)

                    192.168.100.200/80    (Connections: 20)

    Global VPN    : vpn1

    Local VPN     : vpn3

    Config status : Active

 

Static NAT mappings:

  Totally 2 inbound static NAT mappings.

  Net-to-net:

    Global IP    : 2.2.2.1 - 2.2.2.255

    Local IP     : 1.1.1.0

    Netmask      : 255.255.255.0

    Global VPN   : vpn2

    Local VPN    : vpn1

    ACL          : 3000

    Reversible   : Y

    Rule name    : green

    Priority     : 4

    Config status: Active

 

  IP-to-IP:

    Global IP    : 5.5.5.5

    Local IP     : 4.4.4.4

    Global VPN   : vpn3

    Local VPN    : vpn4

    ACL          : 2001

    Reversible   : Y

    Rule name    : blue

    Priority     : 4

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN, global VPN, and ACL.

 

  Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 1.1.1.1 - 1.1.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL          : 3000

    Reversible   : Y

    Rule name    : yellow

    Priority     : 5

    Config status: Active

 

  IP-to-IP:

    Local IP     : 4.4.4.4

    Global IP    : 5.5.5.5

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL          : 2001

    Reversible   : Y

    Rule name    : pink

    Priority     : 6

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

 

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: GigabitEthernet0/2

    Config status: Active

 

  Interface: GigabitEthernet0/3

    Config status: Active

 

NAT DNS mappings:

  Totally 2 NAT DNS mappings.

  Domain name  : www.server.com

  Global IP    : 6.6.6.6

  Global port  : 23

  Protocol     : TCP(6)

  Config status: Active

 

  Domain name  : www.service.com

  Global IP    : ---

  Global port  : 12

  Protocol     : TCP(6)

  Config status: Inactive

  Reasons for inactive status:

    The following items don't exist or aren't effective: interface IP address.

 

NAT logging:

  Log enable          : Enabled(ACL 2000)

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Enabled(10 minutes)

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

 

NAT hairpinning:

  Totally 2 interfaces enabled with NAT hairpinning.

  Interface: GigabitEthernet0/1

    Config status: Active

 

  Interface: GigabitEthernet0/2

    Config status: Active

 

NAT mapping behavior:

  Mapping mode : Endpoint-Independent

  ACL          : 2050

  Config status: Active

 

NAT ALG:

  DNS        : Enabled

  FTP        : Enabled

  H323       : Disabled

  ICMP-ERROR : Enabled

  ILS        : Disabled

  MGCP       : Disabled

  NBT        : Disabled

  PPTP       : Enabled

  RTSP       : Enabled

  RSH        : Disabled

  SCCP       : Disabled

  SIP        : Disabled

  SQLNET     : Disabled

  TFTP       : Disabled

  XDMCP      : Disabled

 

NAT port block group information:

  Totally 3 NAT port block groups.

  Port block group 1:

    Port range: 1-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      172.16.1.1           172.16.1.254         ---

      192.168.1.1          192.168.1.254        vpna

      192.168.3.1          192.168.3.254        vpna

    Global IP pool information:

      Start address        End address

      201.1.1.1            201.1.1.10

      201.1.1.21           201.1.1.25

 

  Port block group 2:

    Port range: 10001-30000

    Block size: 500

    Local IP address information:

      Start address        End address          VPN instance

      10.1.1.1             10.1.10.255          vpnb

    Global IP pool information:

      Start address        End address

      202.10.10.101        202.10.10.120

 

  Port block group 3:

    Port range: 1-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      ---                  ---                  ---

    Global IP pool information:

      Start address        End address

      ---                  ---

 

NAT outbound port block group information:

  Totally 2 outbound port block group items.

  Interface: GigabitEthernet0/2

    port-block-group: 2

    Rule name       : red

    Priority        : 4

    Config status   : Active

 

  Interface: GigabitEthernet0/2

    port-block-group: 10

    Rule name: lee

    Config status   : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: port block group.

 

Static NAT load balancing:     Disabled

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display all NAT configuration information.

<Sysname> display nat all

NAT address group information:

  Totally 5 NAT address groups.

  Address group 1:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

 

  Address group 2:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.20         202.110.10.25

      202.110.10.30         202.110.10.35

 

  Address group 3:

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.40         202.110.10.50

 

  Address group 4:

    Port range: 10001-65535

    Port block size: 500

    Extended block number: 1

    Address information:

      Start address         End address

      202.110.10.60         202.110.10.65

 

  Address group 6:

    Port range: 1-65535

    Address information:

      Start address         End address

      ---                   ---

 

NAT server group information:

  Totally 3 NAT server groups.

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

  2                   ---                   ---         ---

  3                   192.168.0.26          69          100

 

NAT inbound information:

  Totally 1 NAT inbound rules.

  Interface: GigabitEthernet2/0/1

    ACL: 2038

    Address group ID: 2

    Add route: Y    NO-PAT: Y         Reversible: N

    VPN instance: vpn_nat

    Rule name: abcdefg

    Priority: 1000

    Config status: Active

 

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: GigabitEthernet2/0/2

    ACL: 2036

    Address group ID: 1

    Port-preserved: Y    NO-PAT: N         Reversible: N

    Rule name: cdefg

    Priority: 1001

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: address group, and ACL.

 

  Interface: GigabitEthernet2/0/2

    ACL: 2037

    Address group ID: 1

    Port-preserved: N    NO-PAT: Y         Reversible: Y

    VPN instance: vpn_nat

    Rule name: blue

    Priority: 1002

    Config status: Inactive

    Reasons for inactive status:

 

NAT internal server information:

  Totally 5 internal servers.

  Interface: GigabitEthernet2/0/1

    Global ACL    : 2000

    Local IP/port : 192.168.10.1/23

    Rule name     : cdefgab

    Priority      : 1000

    Config status : Active

 

  Interface: GigabitEthernet2/0/3

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23

    Local IP/port : 192.168.10.15/23

    ACL           : 2000

    Rule name     : green

    Config status : Active

 

  Interface: GigabitEthernet2/0/4

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23-30

    Local IP/port : 192.168.10.15-192.168.10.22/23

    Global VPN    : vpn1

    Local VPN     : vpn3

    Rule name     : blue

    Config status : Active

 

  Interface: GigabitEthernet2/0/4

    Protocol: 255(Reserved)

    Global IP/port: 50.1.1.100/---

    Local IP/port : 192.168.10.150/---

    Global VPN    : vpn2

    Local VPN     : vpn4

    ACL           : 3000

    Rule name     : white

    Config status : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN, and ACL.

 

  Interface: GigabitEthernet2/0/5

    Protocol: 17(UDP)

    Global IP/port: 50.1.1.2/23

    Local IP/port : server group 1

                    192.168.0.26/23       (Connections: 10)

                    192.168.0.27/23       (Connections: 20)

    Global VPN    : vpn1

    Local VPN     : vpn3

    Rule name     : black

    Config status : Active

 

Static NAT mappings:

  Totally 2 inbound static NAT mappings.

  Net-to-net:

    Global IP    : 2.2.2.1 - 2.2.2.255

    Local IP     : 1.1.1.0

    Netmask      : 255.255.255.0

    Global VPN   : vpn2

    Local VPN    : vpn1

    ACL          : 2000

    Reversible   : Y

    Rule name    : pink

    Priority     : 1000

    Config status: Active

 

  IP-to-IP:

    Global IP    : 5.5.5.5

    Local IP     : 4.4.4.4

    Global VPN   : vpn3

    Local VPN    : vpn4

    ACL          : 2001

    Reversible   : Y

    Rule name    : yellow

    Priority     : 1000

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN, global VPN, and ACL.

 

  Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 1.1.1.1 - 1.1.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL          : 2000

    Reversible   : Y

    Rule name    : grey

    Priority     : 1000

    Config status: Active

 

  IP-to-IP:

    Local IP     : 4.4.4.4

    Global IP    : 5.5.5.5

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL          : 2001

    Reversible   : Y

    Rule name    : orange

    Priority     : 10000

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

 

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: GigabitEthernet2/0/4

    Config status: Active

 

  Interface: GigabitEthernet2/0/6

    Config status: Inactive

    Reasons for inactive status:

NAT DNS mappings:

  Totally 2 NAT DNS mappings.

  Domain name  : www.server.com

  Global IP    : 6.6.6.6

  Global port  : 23

  Protocol     : TCP(6)

  Config status: Active

 

  Domain name  : www.service.com

  Global IP    : ---

  Global port  : 12

  Protocol     : TCP(6)

  Config status: Inactive

  Reasons for inactive status:

    The following items don't exist or aren't effective: interface IP address.

 

NAT logging:

  Log enable          : Enabled(ACL 2000)

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Enabled(10 minutes)

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

 

NAT hairpinning:

  Totally 2 interfaces enabled with NAT hairpinning.

  Interface: GigabitEthernet2/0/4

    Config status: Active

 

  Interface: GigabitEthernet2/0/6

    Config status: Active

 

NAT mapping behavior:

  Mapping mode : Endpoint-Independent

  ACL          : 2050

  Config status: Active

 

NAT ALG:

  DNS        : Enabled

  FTP        : Enabled

  H323       : Disabled

  ICMP-ERROR : Enabled

  ILS        : Disabled

  MGCP       : Disabled

  NBT        : Disabled

  PPTP       : Enabled

  RTSP       : Enabled

  RSH        : Disabled

  SCCP       : Disabled

  SIP        : Disabled

  SQLNET     : Disabled

  TFTP       : Disabled

  XDMCP      : Disabled

 

NAT port block group information:

  Totally 3 NAT port block groups.

  Port block group 1:

    Port range: 1-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      172.16.1.1           172.16.1.254         ---

      192.168.1.1          192.168.1.254        vpna

      192.168.3.1          192.168.3.254        vpna

    Global IP pool information:

      Start address        End address

      201.1.1.1            201.1.1.10

      201.1.1.21           201.1.1.25

 

  Port block group 2:

    Port range: 10001-30000

    Block size: 500

    Local IP address information:

      Start address        End address          VPN instance

      10.1.1.1             10.1.10.255          vpnb

    Global IP pool information:

      Start address        End address

      202.10.10.101        202.10.10.120

 

  Port block group 3:

    Port range: 1-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      ---                  ---                  ---

    Global IP pool information:

      Start address        End address

      ---                  ---

 

NAT outbound port block group information:

  Totally 2 outbound port block group items.

  Interface: GigabitEthernet2/0/2

    port-block-group: 2

    Rule name: stone

    Config status   : Active

 

  Interface: GigabitEthernet2/0/2

    port-block-group: 10

    Rule name: brown

    Config status   : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: port block group.

 

Static NAT load balancing:     Disabled

# (Distributed devices in IRF mode.) Display all NAT configuration information.

<Sysname> display nat all

NAT address group information:

  Totally 5 NAT address groups.

  Address group 1:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

 

  Address group 2:

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.20         202.110.10.25

      202.110.10.30         202.110.10.35

 

  Address group 3:

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.40         202.110.10.50

 

  Address group 4:

    Port range: 10001-65535

    Port block size: 500

    Extended block number: 1

    Address information:

      Start address         End address

      202.110.10.60         202.110.10.65

 

  Address group 6:

    Port range: 1-65535

    Address information:

      Start address         End address

      ---                   ---

 

NAT server group information:

  Totally 3 NAT server groups.

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

  2                   ---                   ---         ---

  3                   192.168.0.26          69          100

 

NAT inbound information:

  Totally 1 NAT inbound rules.

  Interface: GigabitEthernet1/2/0/1

    ACL: 2038

    Address group ID: 2

    Add route: Y    NO-PAT: Y         Reversible: N

    VPN instance: vpn_nat

    Rule name: black

    Priority: 1000

    Config status: Active

 

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: GigabitEthernet1/2/0/2

    ACL: 2036

    Address group ID: 1

    Port-preserved: Y    NO-PAT: N         Reversible: N

    Rule name: white

    Priority: 1000

    Config status: Inactive

    Reasons for inactive status:

 

  Interface: GigabitEthernet1/2/0/2

    ACL: 2037

    Address group ID: 1

    Port-preserved: N    NO-PAT: Y         Reversible: Y

    VPN instance: vpn_nat

    Rule name: blue

    Priority: 1000

    Config status: Inactive

    Reasons for inactive status:

 

NAT internal server information:

  Totally 5 internal servers.

  Interface: GigabitEthernet1/3/0/1

    Global ACL    : 2000

    Local IP/port : 192.168.10.1/23

    Rule name     : cdefgab

    Priority      : 1000

    Config status : Active

 

  Interface: GigabitEthernet1/2/0/3

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23

    Local IP/port : 192.168.10.15/23

    ACL           : 2000

    Rule name     : green

    Config status : Active

 

  Interface: GigabitEthernet1/2/0/4

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23-30

    Local IP/port : 192.168.10.15-192.168.10.22/23

    Global VPN    : vpn1

    Local VPN     : vpn3

    Rule name     : grey

    Config status : Active

 

  Interface: GigabitEthernet1/2/0/4

    Protocol: 255(Reserved)

    Global IP/port: 50.1.1.100/---

    Local IP/port : 192.168.10.150/---

    Global VPN    : vpn2

    Local VPN     : vpn4

    ACL           : 3000

    Rule name     : pink

    Config status : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN, and ACL.

 

  Interface: GigabitEthernet1/2/0/5

    Protocol: 17(UDP)

    Global IP/port: 50.1.1.2/23

    Local IP/port : server group 1

                    192.168.0.26/23       (Connections: 10)

                    192.168.0.27/23       (Connections: 20)

    Global VPN    : vpn1

    Local VPN     : vpn3

    Rule name     : red

    Config status : Active

 

Static NAT mappings:

  Totally 2 inbound static NAT mappings.

  Net-to-net:

    Global IP    : 2.2.2.1 - 2.2.2.255

    Local IP     : 1.1.1.0

    Netmask      : 255.255.255.0

    Global VPN   : vpn2

    Local VPN    : vpn1

    ACL          : 2000

    Reversible   : Y

    Rule name    : cream

    Priority     : 1000

    Config status: Active

 

  IP-to-IP:

    Global IP    : 5.5.5.5

    Local IP     : 4.4.4.4

    Global VPN   : vpn3

    Local VPN    : vpn4

    ACL          : 2001

    Reversible   : Y

    Rule name    : plum

    Priority     : 1000

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN, global VPN, and ACL.

 

  Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 1.1.1.1 - 1.1.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL          : 2000

    Reversible   : Y

    Rule name    : chanel

    Priority     : 1226

    Config status: Active

 

  IP-to-IP:

    Local IP     : 4.4.4.4

    Global IP    : 5.5.5.5

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL          : 2001

    Reversible   : Y

    Rule name    : brown

    Priority     : 1000

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: ACL.

 

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: GigabitEthernet1/2/0/4

    Config status: Active

 

  Interface: GigabitEthernet1/2/0/6

    Config status: Inactive

    Reasons for inactive status:

 

NAT DNS mappings:

  Totally 2 NAT DNS mappings.

  Domain name  : www.server.com

  Global IP    : 6.6.6.6

  Global port  : 23

  Protocol     : TCP(6)

  Config status: Active

 

  Domain name  : www.service.com

  Global IP    : ---

  Global port  : 12

  Protocol     : TCP(6)

  Config status: Inactive

  Reasons for inactive status:

    The following items don't exist or aren't effective: interface IP address.

 

NAT logging:

  Log enable          : Enabled(ACL 2000)

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Enabled(10 minutes)

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

 

NAT hairpinning:

  Totally 2 interfaces enabled with NAT hairpinning.

  Interface: GigabitEthernet1/2/0/1

    Config status: Active

 

  Interface: GigabitEthernet1/2/0/2

    Config status: Active

 

NAT mapping behavior:

  Mapping mode : Endpoint-Independent

  ACL          : 2050

  Config status: Active

 

NAT ALG:

  DNS        : Enabled

  FTP        : Enabled

  H323       : Disabled

  ICMP-ERROR : Enabled

  ILS        : Disabled

  MGCP       : Disabled

  NBT        : Disabled

  PPTP       : Enabled

  RTSP       : Enabled

  RSH        : Disabled

  SCCP       : Disabled

  SIP        : Disabled

  SQLNET     : Disabled

  TFTP       : Disabled

  XDMCP      : Disabled

 

NAT port block group information:

  Totally 3 NAT port block groups.

  Port block group 1:

    Port range: 1-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      172.16.1.1           172.16.1.254         ---

      192.168.1.1          192.168.1.254        vpna

      192.168.3.1          192.168.3.254        vpna

    Global IP pool information:

      Start address        End address

      201.1.1.1            201.1.1.10

      201.1.1.21           201.1.1.25

 

  Port block group 2:

    Port range: 10001-30000

    Block size: 500

    Local IP address information:

      Start address        End address          VPN instance

      10.1.1.1             10.1.10.255          vpnb

    Global IP pool information:

      Start address        End address

      202.10.10.101        202.10.10.120

 

  Port block group 3:

    Port range: 1-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      ---                  ---                  ---

    Global IP pool information:

      Start address        End address

      ---                  ---

 

NAT outbound port block group information:

  Totally 2 outbound port block group items.

  Interface: GigabitEthernet1/2/0/2

    port-block-group: 2

    Rule name: rubine

    Config status   : Active

 

  Interface: GigabitEthernet1/2/0/2

    port-block-group: 10

    Rule name: snow

    Config status   : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: port block group.

 

Static NAT load balancing:     Disabled

The output shows all NAT configuration information. Table 31 describes only the fields for the output of the nat hairpin enable, nat mapping-behavior, and nat alg commands.

Table 31 Command output

| Field | Description |
|---|---|
| NAT address group information | Information about the NAT address group. See Table 32 for output description. |
| NAT server group information | Information about the internal server group. See Table 44 for output description. |
| NAT inbound information | Inbound dynamic NAT configuration. See Table 35 for output description. |
| NAT outbound information | Outbound dynamic NAT configuration. See Table 38 for output description. |
| NAT internal server information | NAT Server configuration. See Table 43 for output description. |
| Static NAT mappings | Static NAT mappings. See Table 46 for output description. |
| NAT DNS mappings | NAT DNS mappings. See Table 33 for output description. |
| NAT logging | NAT logging configuration. See Table 36 for output description. |
| NAT hairpinning | NAT hairpin configuration. |
| Totally n interfaces enabled with NAT hairpinning | Number of the interfaces with NAT hairpin enabled. |
| Interface | NAT hairpin-enabled interface. |
| Rule name | Name of the NAT rule. |
| Priority | Priority of the NAT rule. |
| Config status | Status of the NAT hairpin configuration: Active or Inactive. |
| Reasons for inactive status | Reasons why the NAT hairpin configuration does not take effect. This field is available when the Config status is Inactive. |
| NAT mapping behavior | Mapping behavior mode of PAT: Endpoint-Independent or Address and Port-Dependent. |
| ACL | ACL number or name. If no ACL is specified for NAT, this field displays hyphens (---). |
| Config status | Status of the NAT mapping behavior configuration: Active or Inactive. |
| Reasons for inactive status | Reasons why the NAT mapping behavior configuration does not take effect. This field is available when the Config status is Inactive. |
| NAT ALG | NAT ALG configuration for different protocols. |
| NAT port block group information | Configuration information about NAT port block groups. See Table 41 for output description. |
| NAT outbound port block group information | Configuration information about static NAT444. See Table 39 for output description. |
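A parser for the `display nat all` layout shown above, as an added example that is not part of the H3C reference. It lists every rule whose Config status is Inactive with the printed reasons (including the case in the samples where the reason list is empty), the ALGs that are enabled, and the logging items that are disabled; the function names and report keys are assumptions of this example.

```python
import re

# Sample input: entries copied from the page's `display nat all` output, abridged
# (so the "Totally n" counters no longer match), one blank line between entries.
SAMPLE = """\
NAT outbound information:
  Totally 2 NAT outbound rules.
  Interface: GigabitEthernet2/0/2
    ACL: 2036
    Port-preserved: Y    NO-PAT: N         Reversible: N
    Rule name: cdefg
    Config status: Inactive
    Reasons for inactive status:
      The following items don't exist or aren't effective: address group, and ACL.

  Interface: GigabitEthernet2/0/2
    Rule name: blue
    Config status: Inactive
    Reasons for inactive status:

NAT internal server information:
  Totally 5 internal servers.
  Interface: GigabitEthernet2/0/3
    Global IP/port: 50.1.1.1/23
    Local IP/port : 192.168.10.15/23
    Rule name     : green
    Config status : Active

NAT logging:
  Log enable          : Enabled(ACL 2000)
  Flow-begin          : Disabled
  Flow-end            : Disabled
  Flow-active         : Enabled(10 minutes)

NAT ALG:
  DNS        : Enabled
  FTP        : Enabled
  H323       : Disabled
  PPTP       : Enabled
"""

# Splits "A: x    B: y" into pairs without breaking "Rule name     : blue".
PAIR_GAP = re.compile(r"\s{2,}(?=\S[^:]*:)")


def parse_display_nat_all(text):
    """Return {section name: [entry dict, ...]} for `display nat all` output."""
    sections, section, entry, reasons_indent = {}, None, None, None
    for raw in text.splitlines():
        line = raw.replace("\xa0", " ").rstrip()
        body = line.strip()
        indent = len(line) - len(body)
        if not body or indent == 0 or body.startswith("Totally "):
            # Blank lines, section headers and counter lines all close the entry.
            entry, reasons_indent = None, None
            if body and indent == 0:
                section = body.split(":")[0].strip()
                sections.setdefault(section, [])
            continue
        if entry is None:
            entry = {"reasons": []}
            sections.setdefault(section, []).append(entry)
        if reasons_indent is not None and indent > reasons_indent:
            entry["reasons"].append(body)  # free text, may itself contain ':'
            continue
        reasons_indent = indent if body.startswith("Reasons for inactive") else None
        if reasons_indent is not None:
            continue
        for chunk in PAIR_GAP.split(body):
            key, sep, value = chunk.partition(":")
            if sep:  # table rows without ':' are skipped
                entry[key.strip()] = value.strip()
    return sections


def audit(sections):
    """Collect inactive rules, enabled ALGs and disabled logging items."""
    inactive = [
        {"section": name, "interface": e.get("Interface", "---"),
         "rule": e.get("Rule name", "---"),
         "reasons": e["reasons"] or ["(none printed)"]}
        for name, entries in sections.items() for e in entries
        if e.get("Config status") == "Inactive"
    ]

    def names(section, state):
        return sorted(k for e in sections.get(section, []) for k, v in e.items()
                      if k != "reasons" and v.startswith(state))

    return {"inactive": inactive,
            "alg_enabled": names("NAT ALG", "Enabled"),
            "logging_disabled": names("NAT logging", "Disabled")}


if __name__ == "__main__":
    report = audit(parse_display_nat_all(SAMPLE))
    for item in report["inactive"]:
        print("INACTIVE", item["section"], item["interface"], item["rule"], item["reasons"])
    print("ALG enabled:", report["alg_enabled"], "| logging off:", report["logging_disabled"])
```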

 

display nat address-group

Use display nat address-group to display NAT address group information.

Syntax

display nat address-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies the ID of a NAT address group. The value range for this argument is 0 to 65535. If you do not specify the group-id argument, this command displays information about all NAT address groups.

Examples

# Display information about all NAT address groups.

<Sysname> display nat address-group

NAT address group information:

  Totally 5 NAT address groups.

  Address group ID: 1    Address group name: a

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

 

  Address group ID: 2

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.20         202.110.10.25

      202.110.10.30         202.110.10.35

 

  Address group ID: 3

    Port range: 1024-65535

    Address information:

      Start address         End address

      202.110.10.40         202.110.10.50

 

  Address group ID: 4

    Port range: 10001-65535

    Port block size: 500

    Extended block number: 1

    Address information:

      Start address         End address

      202.110.10.60         202.110.10.65

 

  Address group ID: 6

    Port range: 1-65535

    Address information:

      Start address         End address

      ---                   ---

 

# Display information about NAT address group 1.

<Sysname> display nat address-group 1

  Address group ID: 1    Address group name: a

    Port range: 1-65535

    Address information:

      Start address         End address

      202.110.10.10         202.110.10.15

 

Table 32 Command output

| Field | Description |
|---|---|
| Address group ID | ID of the NAT address group. |
| Address group name | Name of the NAT address group. If no name is configured, this field is not displayed. |
| Port range | Port range for public IP addresses. |
| Block size | Number of ports in a port block. This field is not displayed if the port block size is not set. |
| Extended block number | Number of extended port blocks. This field is not displayed if the number of extended port blocks is not set. |
| Address information | Information about the IP addresses in the address group. |
| Start address | Start IP address of an address range. If you do not specify a start address for the range, this field displays hyphens (---). |
| End address | End IP address of an address range. If you do not specify an end address for the range, this field displays hyphens (---). |

 

Related commands

nat address-group

display nat dns-map

Use display nat dns-map to display NAT DNS mapping configuration.

Syntax

display nat dns-map

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display NAT DNS mapping configuration.

<Sysname> display nat dns-map

NAT DNS mapping information:

  Totally 2 NAT DNS mappings.

  Domain name  : www.server.com

  Global IP    : 6.6.6.6

  Global port  : 23

  Protocol     : TCP(6)

  Config status: Active

 

  Domain name  : www.service.com

  Global IP    : ---

  Global port  : 12

  Protocol     : TCP(6)

  Config status: Inactive

  Reasons for inactive status:

    The following items don't exist or aren't effective: interface IP address.

 

Table 33 Command output

Field

Description

NAT DNS mapping information

Information about NAT DNS mappings.

Domain name

Domain name of the internal server.

Global IP

Public IP address of the internal server.

·     If Easy IP is configured, this field displays the IP address of the specified interface.

·     If you do not specify a public IP address, this field displays hyphens (---).

Global port

Public port number of the internal server.

Protocol

Protocol name and number of the internal server.

Config status

Status of the NAT DNS mapping configuration: Active or Inactive.

Reasons for inactive status

Reasons why the NAT DNS mapping configuration does not take effect. This field is available when the Config status is Inactive.

 

Related commands

nat dns-map

display nat eim

Use display nat eim to display information about NAT Endpoint-Independent Mapping (EIM) entries.

Syntax

Centralized devices in standalone mode:

display nat eim

Distributed devices in standalone mode/centralized devices in IRF mode:

display nat eim [ slot slot-number ]

Distributed devices in IRF mode:

display nat eim [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays EIM entry information for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays EIM entry information for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays EIM entry information for all cards. (Distributed devices in IRF mode.)

Usage guidelines

EIM entries are created when PAT operates in EIM mode. An EIM entry records the mapping between a private address/port and a public address/port.

An EIM entry provides the following functions:

·     The same EIM entry applies to subsequent connections initiated from the same source IP and port.

·     The EIM entries allow reverse translation for connections initiated from external hosts to internal hosts.

Examples

# (Centralized devices in standalone mode.) Display information about NAT EIM entries.

<Sysname> display nat eim

Slot 0:

Local  IP/port: 192.168.100.100/1024

Global IP/port: 200.100.1.100/2048

Local  VPN: vpn1

Global VPN: vpn2

Protocol: TCP(6)

 

Local  IP/port: 192.168.100.200/2048

Global IP/port: 200.100.1.200/4096

Protocol: UDP(17)

 

Total entries found: 2

# (Distributed devices in standalone mode.) Display information about EIM entries for the card in slot 1.

<Sysname> display nat eim slot 1

Slot 1:

Local  IP/port: 192.168.100.100/1024

Global IP/port: 200.100.1.100/2048

Local  VPN: vpn1

Global VPN: vpn2

Protocol: TCP(6)

 

Local  IP/port: 192.168.100.200/2048

Global IP/port: 200.100.1.200/4096

Protocol: UDP(17)

 

Total entries found: 2

# (Centralized devices in IRF mode.) Display information about NAT EIM entries for IRF member device 1.

<Sysname> display nat eim slot 1

Slot 1:

Local  IP/port: 192.168.100.100/1024

Global IP/port: 200.100.1.100/2048

Local  VPN: vpn1

Global VPN: vpn2

Protocol: TCP(6)

 

Local  IP/port: 192.168.100.200/2048

Global IP/port: 200.100.1.200/4096

Protocol: UDP(17)

 

Total entries found: 2

 

# (Distributed devices in IRF mode.) Display information about NAT EIM entries for the card in slot 1 on IRF member device 1.

<Sysname> display nat eim chassis 1 slot 1

Slot 1 in chassis 1:

Local  IP/port: 192.168.100.100/1024

Global IP/port: 200.100.1.100/2048

Local  VPN: vpn1

Global VPN: vpn2

Protocol: TCP(6)

 

Local  IP/port: 192.168.100.200/2048

Global IP/port: 200.100.1.200/4096

Protocol: UDP(17)

 

Total entries found: 2

Table 34 Command output

Field

Description

Local IP/port

Private IP address and port number.

Global IP/port

Public IP address and port number.

Local VPN

MPLS L3VPN instance to which the private IP address belongs. If no VPN is specified, this field is not displayed.

Global VPN

MPLS L3VPN instance to which the public IP address belongs. If no VPN is specified, this field is not displayed.

Protocol

Protocol name and number.

Total entries found

Total number of EIM entries.

 

Related commands

nat mapping-behavior

nat outbound

display nat inbound

Use display nat inbound to display information about inbound dynamic NAT.

Syntax

display nat inbound

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# (Centralized devices in standalone mode.) Display information about inbound dynamic NAT.

<Sysname> display nat inbound

NAT inbound information:

  Totally 2 NAT inbound rules.

  Interface: GigabitEthernet0/2

    ACL: 2038

    Address group ID: 2            Address group name: b

    Add route: Y    NO-PAT: Y         Reversible: N

    VPN instance: vpn1

    Rule name: abcd

    Priority: 1000

    NAT counting: 0

    Config status: Active

 

Interface: GigabitEthernet0/3

    ACL: 2037

    Address group ID: 1            Address group name: a

    Add route: Y    NO-PAT: Y         Reversible: N

    VPN instance: vpn2

    Rule name: eif

    Priority: 1000

    NAT counting: 0

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN, and ACL.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about inbound dynamic NAT.

<Sysname> display nat inbound

NAT inbound information:

  Totally 2 NAT inbound rules.

  Interface: GigabitEthernet2/0/2

    ACL: 2038

    Address group ID: 2            Address group name: b

    Add route: Y    NO-PAT: Y         Reversible: N

    VPN instance: vpn1

    Rule name: abcd

    Priority: 1000

    NAT counting: 0

    Config status: Active

 

Interface: GigabitEthernet2/0/3

    ACL: 2037

    Address group: 1            Address group name: a

    Add route: Y    NO-PAT: Y         Reversible: N

    VPN instance: vpn2

    Rule name: eif

    Priority: 1001

    NAT counting: 0

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN, and ACL.

# (Distributed devices in IRF mode.) Display information about inbound dynamic NAT.

<Sysname> display nat inbound

NAT inbound information:

  Totally 2 NAT inbound rules.

  Interface: GigabitEthernet1/2/0/2

    ACL: 2038

    Address group ID: 2            Address group name: b

    Add route: Y    NO-PAT: Y         Reversible: N

    VPN instance: vpn1

    Rule name: abcd

    Priority: 1001

    NAT counting: 0

    Config status: Active

 

Interface: GigabitEthernet1/2/0/3

    ACL: 2037

    Address group ID: 1            Address group name: a

    Add route: Y    NO-PAT: Y         Reversible: N

    VPN instance: vpn2

    Rule name: eif

    Priority: 1001

    NAT counting: 0

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN, and ACL.

Table 35 Command output

Field

Description

NAT inbound information

Information about inbound dynamic NAT.

Interface

Interface where the inbound dynamic NAT rule is configured.

ACL

ACL number or name.

Address group ID

ID of the NAT address group used by the inbound dynamic NAT rule.

Address group name

Name of the NAT address group used by the inbound dynamic NAT rule. If the group has no name, this field is not displayed.

Add route

Whether to add a route when a packet matches the inbound dynamic NAT rule.

NO-PAT

Whether NO-PAT or PAT is used:

·     Y: NO-PAT is used.

·     N: PAT is used.

Reversible

Whether reverse address translation is allowed.

VPN instance

MPLS L3VPN instance to which the NAT address group belongs. If the group does not belong to any VPN, the field is not displayed.

Rule name

Name of the NAT rule.

Priority

Priority of the NAT rule.

NAT counting

Number of flows that match the inbound dynamic NAT rule.

Config status

Status of the inbound dynamic NAT configuration: Active or Inactive.

Reasons for inactive status

Reasons why the inbound dynamic NAT configuration does not take effect. This field is available when the Config status is Inactive.

 

Related commands

nat inbound

display nat log

Use display nat log to display NAT logging configuration.

Syntax

display nat log

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display NAT logging configuration.

<Sysname> display nat log

NAT logging:

  Log enable          : Enabled(ACL 2000)

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Enabled(10 minutes)

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

Table 36 Command output

Field

Description

NAT logging

NAT logging configuration.

Log enable

Whether NAT logging is enabled.

If an ACL is specified for NAT logging, this field also displays the ACL number or name.

Flow-begin

Whether logging is enabled for NAT session establishment events.

Flow-end

Whether logging is enabled for NAT session removal events.

Flow-active

Whether logging is enabled for active NAT flows. If logging for active NAT flows is enabled, this field also displays the interval in minutes at which active flow logs are generated.

Port-block-assign

Whether logging is enabled for NAT444 port block assignment.

Port-block-withdraw

Whether logging is enabled for NAT444 port block withdrawal.

Alarm

Whether logging is enabled for NAT444 alarms.

 

Related commands

nat log enable

nat log flow-active

nat log flow-begin

display nat no-pat

Use display nat no-pat to display information about NAT NO-PAT entries.

Syntax

Centralized devices in standalone mode:

display nat no-pat

Distributed devices in standalone mode/centralized devices in IRF mode:

display nat no-pat [ slot slot-number ]

Distributed devices in IRF mode:

display nat no-pat [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NO-PAT entry information for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays NO-PAT entry information for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays NO-PAT entry information for all cards. (Distributed devices in IRF mode.)

Usage guidelines

A NO-PAT entry records the mapping between a private address and a public address.

A NO-PAT entry provides the following functions:

·     The same entry applies to subsequent connections initiated from the same source IP address.

·     The NO-PAT entries allow reverse translation for connections initiated from external hosts to internal hosts.

Outbound and inbound NO-PAT address translations create their own NO-PAT tables. These two types of tables are displayed separately.

Examples

# (Centralized devices in standalone mode.) Display information about NO-PAT entries for all cards.

<Sysname> display nat no-pat

Slot 0:

Global  IP: 200.100.1.100

Local   IP: 192.168.100.100

Global VPN: vpn2

Local  VPN: vpn1

Reversible: N

Type      : Inbound

 

Local   IP: 192.168.100.200

Global  IP: 200.100.1.200

Reversible: Y

Type      : Outbound

 

Total entries found: 2

# (Distributed devices in standalone mode.) Display information about NO-PAT entries for the card in slot 1.

<Sysname> display nat no-pat slot 1

Slot 1:

Global  IP: 200.100.1.100

Local   IP: 192.168.100.100

Global VPN: vpn2

Local  VPN: vpn1

Reversible: N

Type      : Inbound

 

Local   IP: 192.168.100.200

Global  IP: 200.100.1.200

Reversible: Y

Type      : Outbound

 

Total entries found: 2

# (Centralized devices in IRF mode.) Display information about NO-PAT entries for IRF member device 1.

<Sysname> display nat no-pat slot 1

Slot 1:

Global  IP: 200.100.1.100

Local   IP: 192.168.100.100

Global VPN: vpn2

Local  VPN: vpn1

Reversible: N  

Type      : Inbound

 

Local   IP: 192.168.100.200

Global  IP: 200.100.1.200

Reversible: Y

Type      : Outbound

 

Total entries found: 2

# (Distributed devices in IRF mode.) Display information about NO-PAT entries for the card in slot 1 on IRF member device 1.

<Sysname> display nat no-pat chassis 1 slot 1

Slot 1 in chassis 1:

Global  IP: 200.100.1.100

Local   IP: 192.168.100.100

Global VPN: vpn2

Local  VPN: vpn1

Reversible: N

Type      : Inbound

 

Local   IP: 192.168.100.200

Global  IP: 200.100.1.200

Reversible: Y

Type      : Outbound

 

Total entries found: 2

Table 37 Command output

Field

Description

Local IP

Private IP address.

Global IP

Public IP address.

Local VPN

MPLS L3VPN instance to which the private IP address belongs. If the IP address does not belong to any VPN, this field is not displayed.

Global VPN

MPLS L3VPN instance to which the public IP address belongs. If the IP address does not belong to any VPN instance, this field is not displayed.

Reversible

Whether reverse address translation is allowed.

Type

Type of the NO-PAT entry:

·     Inbound—A NO-PAT entry created during inbound dynamic NAT.

·     Outbound—A NO-PAT entry created during outbound dynamic NAT.

Total entries found

Total number of NO-PAT entries.

 

Related commands

nat inbound

nat outbound
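The following Python sketch is an added example, not part of the H3C documentation. It parses the key/value output of display nat eim and display nat no-pat and lists the mappings that, per the usage guidelines for both commands, accept connections initiated from external hosts. The sample text is constructed from the outputs shown in this reference; the function names and the entry-splitting rule (a repeated field name starts a new entry) are assumptions.

```python
import re

# Constructed samples, copied from the example outputs in this reference.
NO_PAT_SAMPLE = """\
Slot 0:
Global  IP: 200.100.1.100
Local   IP: 192.168.100.100
Global VPN: vpn2
Local  VPN: vpn1
Reversible: N
Type      : Inbound

Local   IP: 192.168.100.200
Global  IP: 200.100.1.200
Reversible: Y
Type      : Outbound

Total entries found: 2
"""

EIM_SAMPLE = """\
Slot 0:
Local  IP/port: 192.168.100.100/1024
Global IP/port: 200.100.1.100/2048
Local  VPN: vpn1
Global VPN: vpn2
Protocol: TCP(6)

Local  IP/port: 192.168.100.200/2048
Global IP/port: 200.100.1.200/4096
Protocol: UDP(17)

Total entries found: 2
"""


def parse_entries(text):
    """Parse 'display nat eim' or 'display nat no-pat' output into dicts.

    Assumption: a new entry starts when a field name repeats, so the parser
    does not depend on blank lines surviving copy and paste.
    """
    entries, current, slot = [], {}, ""
    declared, saw_total = 0, False

    def flush():
        nonlocal current
        if current:
            current["slot"] = slot
            entries.append(current)
            current = {}

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.fullmatch(r"Slot \d+(?: in chassis \d+)?:", line):
            flush()
            slot = line[:-1]
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"unrecognised line: {raw!r}")
        key = " ".join(key.split())      # "Global  IP" -> "Global IP"
        value = value.strip()
        if key == "Total entries found":
            flush()
            declared += int(value)
            saw_total = True
            continue
        if key in current:               # repeated field: next entry begins
            flush()
        current[key] = value
    flush()
    # A count mismatch means the capture was truncated or mis-parsed.
    if saw_total and declared != len(entries):
        raise ValueError(f"parsed {len(entries)} entries, device reported {declared}")
    return entries


def reverse_reachable(entries):
    """Return (private, public, kind) for mappings open to outside-initiated traffic.

    EIM entries always allow reverse translation; NO-PAT entries allow it
    only when the Reversible field is Y.
    """
    findings = []
    for e in entries:
        if "Local IP/port" in e:
            findings.append((e["Local IP/port"], e["Global IP/port"],
                             "EIM " + e.get("Protocol", "?")))
        elif e.get("Reversible") == "Y":
            findings.append((e["Local IP"], e["Global IP"],
                             "NO-PAT " + e.get("Type", "?")))
    return findings


if __name__ == "__main__":
    for sample in (NO_PAT_SAMPLE, EIM_SAMPLE):
        for private, public, kind in reverse_reachable(parse_entries(sample)):
            print(f"{kind}: {public} -> {private}")
```

Run it over saved command output and compare the result with the hosts that are meant to be reachable from outside.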

display nat outbound

Use display nat outbound to display information about outbound dynamic NAT.

Syntax

display nat outbound

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# (Centralized devices in standalone mode.) Display information about outbound dynamic NAT.

<Sysname> display nat outbound

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: GigabitEthernet0/1

    ACL: 2036

    Address group ID: 1            Address group name: a

    Port-preserved: Y    NO-PAT: N         Reversible: N

    Rule name: acdefg

    Priority: 1000

    NAT counting: 0

    Config status: Active

 

  Interface: GigabitEthernet0/1

    ACL: 2037

    Address group ID: ---

    Port-preserved: N    NO-PAT: Y         Reversible: Y

    VPN instance: vpn_nat

    Rule name: abefg

    Priority: 1000

    NAT counting: 0

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: global VPN, and ACL

 

  Interface: GigabitEthernet0/1

    DS-Lite B4 ACL: 2100

    Address group ID: 0            Address group name: b

    Port-preserved: N    NO-PAT: N         Reversible: N

    Priority: 0

    NAT counting: 0

    Config status: Active

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about outbound dynamic NAT.

<Sysname> display nat outbound

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: GigabitEthernet2/0/1

    ACL: 2036

    Address group ID: 1            Address group name: a

    Port-preserved: Y    NO-PAT: N         Reversible: N

    Rule name: abefg

    Priority: 1000

    NAT counting: 0

    Config status: Active

 

  Interface: GigabitEthernet2/0/2

    ACL: 2037

    Address group ID: 2            Address group name: b

    Port-preserved: N    NO-PAT: Y         Reversible: Y

    VPN instance: vpn_nat

    Rule name: cdefg

    Priority: 1001

    NAT counting: 0

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: global VPN, and ACL.

 

  Interface: GigabitEthernet2/0/1

    DS-Lite B4 ACL: 2100

    Address group ID: 2            Address group name: b

    Port-preserved: N    NO-PAT: N         Reversible: N

    Priority: 0

    NAT counting: 0

    Config status: Active

# (Distributed devices in IRF mode.) Display information about outbound dynamic NAT.

<Sysname> display nat outbound

NAT outbound information:

  Totally 2 NAT outbound rules.

  Interface: GigabitEthernet1/2/0/1

    ACL: 2036

    Address group ID: 1            Address group name: a

    Port-preserved: Y    NO-PAT: N         Reversible: N

    Rule name: abcd

    Priority: 1001

    NAT counting: 0

    Config status: Active

 

  Interface: GigabitEthernet1/2/0/2

    ACL: 2037

    Address group ID: 1            Address group name: a

    Port-preserved: N    NO-PAT: Y         Reversible: Y

    VPN instance: vpn_nat

    Rule name: eif

    Priority: 1001

    NAT counting: 0

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: global VPN, and ACL.

Table 38 Command output

Field

Description

NAT outbound information

Information about outbound dynamic NAT.

Interface

Interface where the outbound dynamic NAT rule is configured.

ACL

IPv4 ACL number or name. If no IPv4 ACL is specified for outbound dynamic NAT, this field displays hyphens (---).

DS-Lite B4 ACL

Number or name of the IPv6 ACL used by DS-Lite NAT444.

Address group ID

ID of the address group used by the outbound dynamic NAT rule. If no address group is specified for address translation, the field displays hyphens (---).

Address group name

Name of the address group used by the outbound dynamic NAT rule. If the group has no name, the field is not displayed.

Port-preserved

Whether to try to preserve the port numbers for PAT.

NO-PAT

Whether NO-PAT is used:

·     Y: NO-PAT is used.

·     N: PAT is used.

Reversible

Whether reverse address translation is allowed.

VPN instance

MPLS L3VPN instance to which the NAT address group belongs. If the group does not belong to any VPN instance, the field is not displayed.

Rule name

Name of the NAT rule.

Priority

Priority of the NAT rule.

NAT counting

Number of flows that match the outbound dynamic NAT rule.

Config status

Status of the outbound dynamic NAT configuration: Active or Inactive.

Reasons for inactive status

Reasons why the outbound dynamic NAT configuration does not take effect. This field is available when the Config status is Inactive.

 

Related commands

nat outbound

display nat outbound port-block-group

Use display nat outbound port-block-group to display information about port block group application for NAT444.

Syntax

display nat outbound port-block-group

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about port block group application for NAT444.

<Sysname> display nat outbound port-block-group

NAT outbound port block group information:

  Totally 2 outbound port block group items.

  Interface: GigabitEthernet2/0/2

    port-block-group: 2

    Rule name: abcdefg

    NAT counting: 0

    Config status   : Active

 

  Interface: GigabitEthernet2/0/2

    port-block-group: 10

    Rule name: abcfg

    NAT counting: 0

    Config status   : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: port block group

Table 39 Command output

Field

Description

Interface

Interface to which a port block group is applied.

Port block group

ID of the port block group.

Rule name

Name of the static outbound port block mapping rule.

NAT counting

Number of flows that match the static outbound port block mapping rule.

Config status

Status of the port block group application: Active or Inactive.

Reasons for inactive status

Reasons why the port block group application fails. This field is available when the Config status is Inactive.

 

Related commands

nat outbound port-block-group

display nat port-block

Use display nat port-block to display NAT444 mappings.

Syntax

Centralized devices in standalone mode:

display nat port-block { dynamic [ address-group { group-id | name group-name } ] [ ds-lite-b4 ] | static [ port-block-group group-id ] }

Distributed devices in standalone mode/centralized devices in IRF mode:

display nat port-block { dynamic [ address-group { group-id | name group-name } ] [ ds-lite-b4 ] | static [ port-block-group group-id ] } [ slot slot-number ]

Distributed devices in IRF mode:

display nat port-block { dynamic [ address-group { group-id | name group-name } ] [ ds-lite-b4 ] | static [ port-block-group group-id ] } [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dynamic: Displays dynamic NAT444 mappings.

address-group: Displays port block mappings for the specified address group. If you do not specify a NAT address group, this command displays port block mappings for all address groups.

group-id: Specifies the ID of the address group. The value range depends on the device model.

name group-name: Specifies the name of the address group. The name is a case-insensitive string of 1 to 63 characters.

ds-lite-b4: Displays DS-Lite NAT444 mappings.

static: Displays static NAT444 mappings.

port-block-group group-id: Displays port block mappings for the specified port block group. The group-id argument specifies the ID of the port block group. The value range for the argument depends on the device model. If you do not specify a port block group, this command displays port block mappings for all port block groups.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NAT444 mappings for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays NAT444 mappings for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays NAT444 mappings for all cards. (Distributed devices in IRF mode.)

Examples

# Display static NAT444 mappings.

<Sysname> display nat port-block static

Slot 0:

Local VPN     Local IP         Global IP        Port block   Connections

---           100.100.100.111  202.202.100.101  10001-10256  0

---           100.100.100.112  202.202.100.101  10257-10512  0

---           100.100.100.113  202.202.100.101  10513-10768  0

vpn012345678  100.100.100.113  202.202.100.101  10769-11024  0

901234567890

1234567

Total mappings found: 4

# Display dynamic NAT444 mappings.

<Sysname> display nat port-block dynamic

Slot 0:

Local VPN     Local IP         Global IP        Port block   Connections

---           101.1.1.12       192.168.135.201  10001-11024  1

Total mappings found: 1

# Display DS-Lite NAT444 mappings.

<Sysname> display nat port-block dynamic ds-lite-b4

Slot 0:

Local VPN     DS-Lite B4 addr  Global IP        Port block   Connections

---           2000::2          192.168.135.201  10001-11024  1

Total mappings found: 1

Table 40 Command output

Field

Description

Local VPN

VPN to which the private IP address belongs. If the private IP address does not belong to any VPN, this field displays hyphens (---).

Local IP

Private IP address.

DS-Lite B4 addr

IPv6 address of the DS-Lite B4 element.

Global IP

Public IP address.

Port block

Port block defined by a start port and an end port.

Connections

Number of connections established by using the ports in the port block.
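The following Python sketch is an added example, not part of the H3C documentation. It parses display nat port-block output, including a VPN instance name that wraps onto continuation lines as in the static example above, and resolves a public IP address and port seen in an external log back to the private host that owns the port block. The sample is constructed from the outputs in this section; the class and function names are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from itertools import combinations

# Constructed sample: the static NAT444 output shown above, with the wrapped
# VPN instance name on two continuation lines.
SAMPLE = """\
Slot 0:
Local VPN     Local IP         Global IP        Port block   Connections
---           100.100.100.111  202.202.100.101  10001-10256  0
---           100.100.100.112  202.202.100.101  10257-10512  0
---           100.100.100.113  202.202.100.101  10513-10768  0
vpn012345678  100.100.100.113  202.202.100.101  10769-11024  0
901234567890
1234567
Total mappings found: 4
"""

ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)-(\d+)\s+(\d+)$")


@dataclass
class PortBlock:
    slot: str
    local_vpn: str    # empty when the device prints ---
    local_addr: str   # private IPv4 address, or the B4 IPv6 address for DS-Lite
    global_ip: str
    first_port: int
    last_port: int
    connections: int


def parse_port_blocks(text):
    """Return (mappings, declared_total) from 'display nat port-block' output."""
    mappings, slot, declared = [], "", 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Local VPN"):
            continue                          # blank line or column header
        if line.startswith("Slot ") and line.endswith(":"):
            slot = line[:-1]
            continue
        total = re.match(r"Total mappings found:\s*(\d+)$", line)
        if total:
            declared += int(total.group(1))
            continue
        row = ROW.match(line)
        if row:
            vpn, local, glob, first, last, conns = row.groups()
            ipaddress.ip_address(local)       # ValueError on a malformed row
            ipaddress.ip_address(glob)
            mappings.append(PortBlock(slot, "" if vpn == "---" else vpn, local,
                                      glob, int(first), int(last), int(conns)))
            continue
        if mappings and mappings[-1].local_vpn and " " not in line:
            mappings[-1].local_vpn += line    # wrapped VPN instance name
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    return mappings, declared


def resolve(mappings, global_ip, port):
    """Return the mappings whose public address and port block cover the port."""
    target = ipaddress.ip_address(global_ip)
    return [m for m in mappings
            if ipaddress.ip_address(m.global_ip) == target
            and m.first_port <= port <= m.last_port]


def overlapping_blocks(mappings):
    """Return pairs of blocks on one public IP whose port ranges intersect.

    Any pair returned here makes attribution by public IP and port ambiguous.
    """
    return [(a, b) for a, b in combinations(mappings, 2)
            if a.global_ip == b.global_ip
            and a.first_port <= b.last_port and b.first_port <= a.last_port]


if __name__ == "__main__":
    blocks, declared = parse_port_blocks(SAMPLE)
    print(f"parsed {len(blocks)} of {declared} declared mappings")
    for hit in resolve(blocks, "202.202.100.101", 10300):
        print(f"202.202.100.101:10300 -> {hit.local_addr} (VPN {hit.local_vpn or '---'})")
```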

 

display nat port-block-group

Use display nat port-block-group to display information about NAT port block groups.

Syntax

display nat port-block-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies the ID of a NAT port block group. The value range for this argument is 0 to 65535. If you do not specify this argument, the command displays information about all NAT port block groups.

Examples

# Display information about all NAT port block groups.

<Sysname> display nat port-block-group

NAT port block group information:

  Totally 3 NAT port block groups.

  Port block group 1:

    Port range: 1-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      172.16.1.1           172.16.1.254         ---

      192.168.1.1          192.168.1.254        vpna

      192.168.3.1          192.168.3.254        vpna

    Global IP pool information:

      Start address        End address

      201.1.1.1            201.1.1.10

      201.1.1.21           201.1.1.25

 

  Port block group 2:

    Port range: 10001-30000

    Block size: 500

    Local IP address information:

      Start address        End address          VPN instance

      10.1.1.1             10.1.10.255          vpnb

    Global IP pool information:

      Start address        End address

      202.10.10.101        202.10.10.120

 

  Port block group 3:

    Port range: 1-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      ---                  ---                  ---

    Global IP pool information:

      Start address        End address

      ---                  ---

# Display information about NAT port block group 1.

<Sysname> display nat port-block-group 1

  Port block group 1:

    Port range: 1-65535

    Block size: 256

    Local IP address information:

      Start address        End address          VPN instance

      172.16.1.1           172.16.1.254         ---

      192.168.1.1          192.168.1.254        vpna

      192.168.3.1          192.168.3.254        vpna

    Global IP pool information:

      Start address        End address

      201.1.1.1            201.1.1.10

      201.1.1.21           201.1.1.25

Table 41 Command output

Field

Description

Port block group

ID of the NAT port block group.

Port range

Port range for the public IP addresses.

Block size

Number of ports in a port block.

Local IP address information

Information about private IP addresses.

Global IP pool information

Information about public IP addresses.

Start address

Start IP address of a private or public IP address range. If no start IP address is specified for the address range, this field displays hyphens (---).

End address

End IP address of a private or public IP address range. If no end IP address is specified for the address range, this field displays hyphens (---).

VPN instance

VPN to which the private IP address range belongs. If no VPN instance is specified for the address range, this field displays hyphens (---).

 

Related commands

nat port-block-group

display nat port-block-usage

Use display nat port-block-usage to display the port block usage for dynamic NAT444 address groups.

Syntax

Centralized devices in standalone mode:

display nat port-block-usage [ address-group group-id ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display nat port-block-usage [ address-group group-id ] [ slot slot-number ]

Distributed devices in IRF mode:

display nat port-block-usage [ address-group group-id ] [ chassis chassis-number slot slot-number ]

Views

System view

Predefined user roles

network-admin

network-operator

Parameters

address-group group-id: Specifies the ID of an address group. The value range for this argument is 0 to 65535. If you do not specify an address group, this command displays the port block usage for all address groups.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays the port block usage for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays the port block usage for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays the port block usage for all cards. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Display the port block usage for dynamic NAT444 address groups.

<Sysname> display nat port-block-usage

Slot 0:

Address group 0 on channel 0:

  Total port block entries :10

  Active port block entries:9

  Current port block usage :90%

 

Total NAT address groups found: 1

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the port block usage for dynamic NAT444 address groups in slot 1.

<Sysname> display nat port-block-usage slot 1

Slot 1:

Address group 0 on channel 0:

  Total port block entries :10

  Active port block entries:9

  Current port block usage :90%

 

Total NAT address groups found: 1

# (Distributed devices in IRF mode.) Display the port block usage for dynamic NAT444 address groups in slot 1 chassis 1.

<Sysname> display nat port-block-usage chassis 1 slot 1

Slot 1 in chassis 1:

Address group 0 on channel 0:

  Total port block entries :10

  Active port block entries:9

  Current port block usage :90%

 

Total NAT address groups found: 1

Table 42 Command output

Field

Description

Address group

ID of the address group.

channel

Number of the field-programmable gate array.

Total port block entries

Number of port blocks in the address group.

Active port block entries

Number of assigned port blocks in the address group.

Current port block usage

Port block usage in the address group.

Total NAT address groups found

Number of address groups.

 

display nat server

Use display nat server to display NAT Server configuration.

Syntax

display nat server

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# (Centralized devices in standalone mode.) Display NAT Server configuration.

<Sysname> display nat server

NAT internal server information:

  Totally 5 internal servers.

  Interface: GigabitEthernet0/1

    Global ACL    : 2000

    Local IP/port : 192.168.10.1/23

    Rule name     : cdefgab

    Priority      : 1000

    NAT counting  : 0

    Config status : Active

 

  Interface: GigabitEthernet0/3

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23

    Local IP/port : 192.168.10.15/23

    NAT counting  : 0

    Config status : Active

 

  Interface: GigabitEthernet0/4

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23-30

    Local IP/port : 192.168.10.15-192.168.10.22/23

    Global VPN    : vpn1

    Local VPN     : vpn3

    Rule name     : abcg

    NAT counting  : 0

    Config status : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN.

 

  Interface: GigabitEthernet0/4

    Protocol: 255(Reserved)

    Global IP/port: 50.1.1.100/---

    Local IP/port : 192.168.10.150/---

    Global VPN    : vpn2

    Local VPN     : vpn4

    Rule name     : abcdefg

    NAT counting  : 0

    Config status : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: interface IP address.

 

  Interface: GigabitEthernet0/5

    Protocol: 17(UDP)

    Global IP/port: 50.1.1.2/23

    Local IP/port : server group 1

                    1.1.1.1/21            (Connections: 10)

                    192.168.100.200/80    (Connections: 20)

    Global VPN    : vpn1

    Local VPN     : vpn3

    Rule name     : cdefg

    NAT counting  : 0

    Config status : Active

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display NAT Server configuration.

<Sysname> display nat server

NAT internal server information:

  Totally 5 internal servers.

  Interface: GigabitEthernet1/0/1

    Global ACL    : 2000

    Local IP/port : 192.168.10.1/23

    Rule name     : cdefgab

    Priority      : 1000

    NAT counting  : 0

    Config status : Active

 

  Interface: GigabitEthernet2/0/3

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23

    Local IP/port : 192.168.10.15/23

    Config status : Active

 

  Interface: GigabitEthernet2/0/4

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23-30

    Local IP/port : 192.168.10.15-192.168.10.22/23

    Global VPN    : vpn1

    Local VPN     : vpn3

    Rule name     : abcdef

    NAT counting  : 0

    Config status : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN.

 

  Interface: GigabitEthernet2/0/4

    Protocol: 255(Reserved)

    Global IP/port: 50.1.1.100/---

    Local IP/port : 192.168.10.150/---

    Global VPN    : vpn2

    Local VPN     : vpn4

    Rule name     : cdefg

    NAT counting  : 0

    Config status : Active

 

  Interface: GigabitEthernet2/0/5

    Protocol: 17(UDP)

    Global IP/port: 50.1.1.2/23

    Local IP/port : server group 1

                    1.1.1.1/21            (Connections: 10)

                    192.168.100.200/80    (Connections: 20)

    Global VPN    : vpn1

    Local VPN     : vpn10

    Rule name     : white

    NAT counting  : 0

    Config status : Active

# (Distributed devices in IRF mode.) Display NAT Server configuration.

<Sysname> display nat server

NAT internal server information:

  Totally 5 internal servers.

  Interface: GigabitEthernet1/3/0/1

    Global ACL    : 2000

    Local IP/port : 192.168.10.1/23

    Rule name     : cdefgab

    Priority      : 1000

    Config status : Active

 

  Interface: GigabitEthernet1/2/0/3

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23

    Local IP/port : 192.168.10.15/23

    NAT counting  : 0

    Config status : Active

 

  Interface: GigabitEthernet1/2/0/4

    Protocol: 6(TCP)

    Global IP/port: 50.1.1.1/23-30

    Local IP/port : 192.168.10.15-192.168.10.22/23

    Global VPN    : vpn1

    Local VPN     : vpn3

    Rule name     : abcdefg

    NAT counting  : 0

    Config status : Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN.

 

  Interface: GigabitEthernet1/2/0/4

    Protocol: 255(Reserved)

    Global IP/port: 50.1.1.100/---

    Local IP/port : 192.168.10.150/---

    Global VPN    : vpn2

    Local VPN     : vpn4

    Rule name     : cdefg

    NAT counting  : 0

    Config status : Active

 

  Interface: GigabitEthernet1/2/0/5

    Protocol: 17(UDP)

    Global IP/port: 50.1.1.2/23

    Local IP/port : server group 1

                    1.1.1.1/21            (Connections: 10)

                    192.168.100.200/80    (Connections: 20)

    Global VPN    : vpn1

    Local VPN     : vpn3

    Rule name     : white

    NAT counting  : 0

    Config status : Active

Table 43 Command output

| Field | Description |
|---|---|
| NAT internal server information | Information about NAT Server configuration. |
| Interface | Interface where NAT Server is configured. |
| Protocol | Protocol number and name of the internal server. |
| Global IP/port | Public IP address and port number of the internal server. Global IP: A single IP address or an IP address range. If you use Easy IP, this field displays the IP address of the specified interface. If you do not specify an address for the interface, the Global IP field displays hyphens (---). port: A single port number or a port number range. If no port number is in the specified protocol, the port field displays hyphens (---). |
| Local IP/port | For common NAT Server, this field displays the private IP address and port number of the server. Local IP: A single IP address or an IP address range. port: A single port number or a port number range. If no port number is in the specified protocol, the port field displays hyphens (---). For load sharing NAT Server, this field displays the internal server group ID, IP address, port number, and number of connections of each member. |
| Global VPN | MPLS L3VPN instance to which the public IP addresses belong. If you do not specify a VPN instance, this field is not displayed. |
| Local VPN | MPLS L3VPN instance to which the private IP addresses belong. If you do not specify a VPN instance, this field is not displayed. |
| ACL | ACL number or name. If no ACL is specified, this field is not displayed. |
| Rule name | Name of the NAT server mapping. |
| NAT counting | Number of flows that match the NAT server mapping. |
| Config status | Status of the NAT Server configuration: Active or Inactive. |
| Reasons for inactive status | Reasons why the NAT Server configuration does not take effect. This field is available when the Config status is Inactive. |

 

Related commands

nat server
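The fields in Table 43 are enough to review what a device publishes through NAT Server. The following is an added example, not H3C code: it parses output in the layout shown above and flags mappings that are inactive, that carry no port qualifier, or that publish a cleartext service. The sample text is constructed, and the `CLEARTEXT` policy table and all function names are assumptions of this example.

```python
import re

# Constructed sample in the layout of the `display nat server` output above.
SAMPLE = """\
NAT internal server information:
  Totally 3 internal servers.
  Interface: GigabitEthernet0/3
    Protocol: 6(TCP)
    Global IP/port: 50.1.1.1/23
    Local IP/port : 192.168.10.15/23
    NAT counting  : 0
    Config status : Active

  Interface: GigabitEthernet0/4
    Protocol: 255(Reserved)
    Global IP/port: 50.1.1.100/---
    Local IP/port : 192.168.10.150/---
    Rule name     : abcdefg
    NAT counting  : 0
    Config status : Inactive
    Reasons for inactive status:
      The following items don't exist or aren't effective: interface IP address.

  Interface: GigabitEthernet0/5
    Protocol: 17(UDP)
    Global IP/port: 50.1.1.2/23
    Local IP/port : server group 1
                    1.1.1.1/21            (Connections: 10)
                    192.168.100.200/80    (Connections: 20)
    Rule name     : cdefg
    NAT counting  : 0
    Config status : Active
"""

KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z /]*?)\s*:\s*(.*)$")
MEMBER = re.compile(r"^(\S+)/(\d+)\s+\(Connections:\s*(\d+)\)$")
# Review policy assumed by this example: cleartext services to flag when published.
CLEARTEXT = {("TCP", 21): "FTP", ("TCP", 23): "Telnet",
             ("TCP", 80): "HTTP", ("UDP", 69): "TFTP"}

def parse_nat_server(text):
    """Return one dict per 'Interface:' block, keyed by the displayed field names."""
    records, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        member = MEMBER.match(line)
        if current is not None and member:  # member of a load sharing server group
            current["members"].append((member.group(1), int(member.group(2))))
            continue
        if (current is not None and last_key == "Reasons for inactive status"
                and not line.startswith("Interface:")):
            current["reason"], last_key = line, None
            continue
        kv = KEY_VALUE.match(line)
        if not kv:
            continue
        key, value = kv.groups()
        if key == "Interface":
            current = {"Interface": value, "members": [], "reason": ""}
            records.append(current)
        elif current is not None:
            current[key] = value
        last_key = key
    return records

def published_ports(record):
    """Expand the port part of 'Global IP/port' ('23', '23-30' or '---')."""
    _, slash, port = record.get("Global IP/port", "").rpartition("/")
    if not slash or port == "---":
        return []
    low, _, high = port.partition("-")
    return list(range(int(low), int(high or low) + 1))

def audit(records):
    """Return (interface, rule name, kind, detail) tuples that deserve a review."""
    findings = []
    for rec in records:
        where = (rec["Interface"], rec.get("Rule name", ""))
        proto = re.sub(r"^\d+\((\w+)\)$", r"\1", rec.get("Protocol", ""))
        if rec.get("Config status") == "Inactive":
            findings.append(where + ("inactive", rec["reason"]))
        if "Global IP/port" in rec and not published_ports(rec):
            findings.append(where + ("no-port", rec["Global IP/port"]))
        for port in published_ports(rec):
            if (proto, port) in CLEARTEXT:
                detail = f"{proto}/{port} {CLEARTEXT[(proto, port)]}"
                findings.append(where + ("cleartext", detail))
    return findings
```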

display nat server-group

Use display nat server-group to display internal server group configuration.

Syntax

display nat server-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies the ID of the internal server group. The value range is 0 to 65535. If you do not specify this argument, the command displays configuration about all internal server groups.

Examples

# Display configuration about all internal server groups.

<Sysname> display nat server-group

NAT server group information:

  Totally 3 NAT server groups.

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

  2                   ---                   ---         ---

  3                   192.168.0.26          69          100

 

# Display configuration about internal server group 1.

<Sysname> display nat server-group 1

  Group Number        Inside IP             Port        Weight

  1                   192.168.0.26          23          100

                      192.168.0.27          23          500

 

Table 44 Command output

| Field | Description |
|---|---|
| Group Number | ID of the internal server group. |
| Inside IP | Private IP address of a member in the internal server group. If no address is specified, this field displays hyphens (---). |
| Port | Private port number of a member in the internal server group. If no port number is specified, this field displays hyphens (---). |
| Weight | Weight of a member in the internal server group. If no weight value is specified, this field displays hyphens (---). |

 

Related commands

nat server-group

display nat session

Use display nat session to display NAT sessions.

Syntax

Centralized devices in standalone mode:

display nat session [ [ responder ] { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ verbose ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display nat session [ [ responder ] { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ slot slot-number ] [ verbose ]

Distributed devices in IRF mode:

display nat session [ [ responder ] { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

responder: Displays NAT sessions by responder. If you do not specify this keyword, this command displays NAT sessions by initiator.

source-ip source-ip: Displays NAT sessions for the source IP address specified by the source-ip argument. The IP address must be the source IP address of the packet that triggers the session establishment.

destination-ip destination-ip: Displays NAT sessions for the destination IP address specified by the destination-ip argument. The IP address must be the destination IP address of the packet that triggers the session establishment.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The VPN must be the VPN inside the packet. To display NAT sessions for the public network, do not specify this option.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NAT sessions for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays NAT sessions for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays NAT sessions for all cards. (Distributed devices in IRF mode.)

verbose: Displays detailed information about NAT sessions. If you do not specify this keyword, the command displays brief information about NAT sessions.

Usage guidelines

If you do not specify any parameters, this command displays all NAT sessions.

Examples

# (Centralized devices in standalone mode.) Display detailed information about NAT sessions.

<Sysname> display nat session verbose

Slot 0:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet0/1

  Source security zone: SrcZone

Responder:

  Source      IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.10/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet0/2

  Source security zone: DestZone

State: TCP_SYN_SENT

Application: SSH

Rule ID: -/-/-

Rule name:

Start time: 2011-07-29 19:12:36  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 1

# (Distributed devices in standalone mode.) Display detailed information about NAT sessions for the card in slot 1.

<Sysname> display nat session slot 1 verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet2/0/1

  Source security zone: SrcZone

Responder:

  Source      IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.10/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet2/0/2

  Source security zone: DestZone

State: TCP_SYN_SENT

Application: SSH

Rule ID: -/-/-

Rule name:

Start time: 2011-07-29 19:12:36  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 1

# (Centralized devices in IRF mode.) Display detailed information about NAT sessions for the IRF member device 1.

<Sysname> display nat session slot 1 verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet2/0/1

  Source security zone: SrcZone

Responder:

  Source      IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.10/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet2/0/2

  Source security zone: DestZone

State: TCP_SYN_SENT

Application: SSH

Rule ID: -/-/-

Rule name:

Start time: 2011-07-29 19:12:36  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 1

# (Distributed devices in IRF mode.) Display detailed information about NAT sessions for the card in slot 1 on IRF member device 1.

<Sysname> display nat session chassis 1 slot 1 verbose

Slot 1 in chassis 1:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet2/0/1

  Source security zone: SrcZone

Responder:

  Source      IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.10/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet2/0/2

  Source security zone: DestZone

State: TCP_SYN_SENT

Application: SSH

Rule ID: -/-/-

Rule name:

Start time: 2011-07-29 19:12:36  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 1

Table 45 Command output

| Field | Description |
|---|---|
| Initiator | Session information about the initiator. |
| Responder | Session information about the responder. |
| Source IP/port | Source IP address and port number. |
| Destination IP/port | Destination IP address and port number. |
| DS-Lite tunnel peer | Destination address of the DS-Lite tunnel interface. If the session does not belong to any DS-Lite tunnel, this field displays a hyphen (-). |
| VPN instance/VLAN ID/Inline ID | MPLS L3VPN instance to which the session belongs. VLAN ID to which the session belongs for Layer 2 forwarding. Inline to which the session belongs for Layer 2 forwarding. If a setting is not specified, this field displays a hyphen (-). |
| Protocol | Transport layer protocol type: DCCP, ICMP, Raw IP, SCTP, TCP, UDP, or UDP-Lite. |
| Inbound interface | Input interface. |
| Source security zone | Security zone to which the input interface belongs. If the input interface does not belong to any security zone, this field displays a hyphen (-). |
| State | NAT session status. |
| Application | Application layer protocol type, such as FTP and DNS. This field displays OTHER for the protocol types identified by non-well-known ports. |
| Rule ID | ID of the security policy rule. |
| Rule name | Name of the security policy rule. |
| Start time | Time when the session starts. |
| TTL | Remaining NAT session lifetime in seconds. |
| Initiator->Responder | Number of packets and packet bytes from the initiator to the responder. |
| Responder->Initiator | Number of packets and packet bytes from the responder to the initiator. |
| Total sessions found | Total number of session tables. |

 

Related commands

reset nat session
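In the verbose samples above, the initiator's source is 192.168.1.18/1877 while the responder's destination is 192.168.1.10/1877. The following added example (not H3C code) parses that layout and reports, per session, which address was rewritten by comparing the initiator tuple with the mirrored responder tuple. Reading the difference as the translation is an assumption of this example, and the two-session sample text and all function names are constructed for it.

```python
import re

# Constructed sample: the page's SSH session plus a second, inbound session.
SAMPLE = """\
Slot 0:
Initiator:
  Source      IP/port: 192.168.1.18/1877
  Destination IP/port: 192.168.1.55/22
  DS-Lite tunnel peer: -
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet0/1
Responder:
  Source      IP/port: 192.168.1.55/22
  Destination IP/port: 192.168.1.10/1877
  DS-Lite tunnel peer: -
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet0/2
State: TCP_SYN_SENT
Application: SSH
Start time: 2011-07-29 19:12:36  TTL: 28s
Initiator->Responder:         1 packets         48 bytes
Responder->Initiator:         0 packets          0 bytes

Initiator:
  Source      IP/port: 198.51.100.20/51000
  Destination IP/port: 50.1.1.1/443
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet0/3
Responder:
  Source      IP/port: 192.168.10.15/443
  Destination IP/port: 198.51.100.20/51000
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet0/1
State: TCP_ESTABLISHED
Application: HTTPS
Start time: 2011-07-29 19:12:40  TTL: 3590s
Initiator->Responder:        12 packets       1840 bytes
Responder->Initiator:        10 packets       9200 bytes

Total sessions found: 2
"""

ENDPOINT = re.compile(r"^(Source|Destination)\s+IP/port:\s*(\S+)/(\d+)$")
COUNTER = re.compile(
    r"^(Initiator->Responder|Responder->Initiator):\s*(\d+) packets\s+(\d+) bytes$")

def parse_sessions(text):
    """Return one dict per session with both tuples, the state and packet counts."""
    sessions, current, side = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Initiator:":            # every session starts with this header
            current = {"Initiator": {}, "Responder": {}}
            sessions.append(current)
            side = "Initiator"
        elif current is None:
            continue
        elif line == "Responder:":
            side = "Responder"
        elif (m := ENDPOINT.match(line)):
            current[side][m.group(1)] = (m.group(2), int(m.group(3)))
        elif (m := COUNTER.match(line)):
            current[m.group(1)] = int(m.group(2))   # packet count only
        elif line.startswith("State:"):
            current["State"] = line.split(":", 1)[1].strip()
    return sessions

def translation(session):
    """Map 'source'/'destination' to (before, after) where the tuples differ."""
    ini, rsp = session["Initiator"], session["Responder"]
    changes = {}
    if ini["Source"] != rsp["Destination"]:
        changes["source"] = (ini["Source"], rsp["Destination"])
    if ini["Destination"] != rsp["Source"]:
        changes["destination"] = (ini["Destination"], rsp["Source"])
    return changes

def unanswered(sessions):
    """Sessions still in TCP_SYN_SENT with no packet from the responder."""
    return [s for s in sessions
            if s.get("State") == "TCP_SYN_SENT"
            and s.get("Responder->Initiator", 0) == 0]
```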

display nat static

Use display nat static to display static NAT mappings.

Syntax

display nat static

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# (Centralized devices in standalone mode.) Display static NAT mappings.

<Sysname> display nat static

Static NAT mappings:

  Totally 2 inbound static NAT mappings.

  Net-to-net:

    Global IP    : 1.1.1.1 - 1.1.1.255

    Local IP     : 2.2.2.0

    Netmask      : 255.255.255.0

    Global VPN   : vpn2

    Local VPN    : vpn1

    ACL          : 2000

    Reversible   : Y

    Rule name    : abcdefg

    Priority     : 1000

    NAT counting : 0

    Config status: Active

 

  IP-to-IP:

    Global IP    : 5.5.5.5

    Local IP     : 4.4.4.4

    Global VPN   : vpn2

    Local VPN    : vpn1

    ACL          : 2000

    Reversible   : Y

    Rule name    : abefg

    Priority     : 1000

    NAT counting : 0

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN, global VPN, and ACL.

 

Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 1.1.1.1 - 1.1.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL          : 2000

    Reversible   : Y

    Rule name    : abefg

    Priority     : 1000

    NAT counting : 0

    Config status: Active

 

  IP-to-IP:

    Local IP     : 4.4.4.4

    Global IP    : 5.5.5.5

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL:         : 2001

    Reversible   : Y

    Rule name    : abcd

    Priority     : 1000

    NAT counting : 0

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN, and global VPN.

 

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: GigabitEthernet0/2

    Config status: Active

 

  Interface: GigabitEthernet0/3

    Config status: Active

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display static NAT mappings.

<Sysname> display nat static

Static NAT mappings:

  Totally 2 inbound static NAT mappings.

  Net-to-net:

    Global IP    : 1.1.1.1 - 1.1.1.255

    Local IP     : 2.2.2.0

    Netmask      : 255.255.255.0

    Global VPN   : vpn2

    Local VPN    : vpn1

    ACL          : 2000

    Reversible   : Y

    Rule name    : adefg

    Priority     : 1000

    NAT counting : 0

    Config status: Active

   

  IP-to-IP:

    Global IP   : 5.5.5.5

    Local IP     : 4.4.4.4

    Global VPN   : vpn3

    Local VPN    : vpn4

    ACL          : 2001

    Reversible   : Y

    Rule name    : abefg

    Priority     : 1000

    NAT counting : 0

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN, global VPN, and ACL.

 

Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 1.1.1.1 - 1.1.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL          : 2000

    Reversible   : Y

    Rule name    : abcd

    Priority     : 1000

    NAT counting : 0

    Config status: Active

 

  IP-to-IP:

    Local IP     : 4.4.4.4

    Global IP    : 5.5.5.5

    Local VPN    : vpn4

    Global VPN   : vpn3

    ACL:         : 2000

    Reversible   : Y

    Rule name    : defg

    Priority     : 1000

    NAT counting : 0

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN, and global VPN.

 

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: GigabitEthernet2/0/2

    Config status: Active

 

  Interface: GigabitEthernet2/0/3

    Config status: Inactive

    Reasons for inactive status:

# (Distributed devices in IRF mode.) Display static NAT mappings.

<Sysname> display nat static

Static NAT mappings:

  Totally 2 inbound static NAT mappings.

  Net-to-net:

    Global IP    : 1.1.1.1 - 1.1.1.255

    Local IP     : 2.2.2.0

    Netmask      : 255.255.255.0

    Global VPN   : vpn2

    Local VPN    : vpn1

    ACL          : 2000

    Reversible   : Y

    Rule name    : cdefg

    Priority     : 1000

    NAT counting : 0

    Config status: Active

 

  IP-to-IP:

    Global IP    : 5.5.5.5

    Local IP     : 4.4.4.4

    Global VPN   : vpn3

    Local VPN    : vpn4

    ACL          : 2001

    Reversible   : Y

    Rule name    : cefg

    Priority     : 1000

    NAT counting : 0

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN, global VPN, and ACL.

 

Totally 2 outbound static NAT mappings.

  Net-to-net:

    Local IP     : 1.1.1.1 - 1.1.1.255

    Global IP    : 2.2.2.0

    Netmask      : 255.255.255.0

    Local VPN    : vpn1

    Global VPN   : vpn2

    ACL          : 2000

    Reversible   : Y

    Rule name    : abcg

    Priority     : 1000

    NAT counting : 0

    Config status: Active

 

  IP-to-IP:

    Local IP     : 4.4.4.4

    Global IP    : 5.5.5.5

    Local VPN    : vpn4

    Global VPN   : vpn3

    ACL:         : 2000

    Reversible   : Y

    Rule name    : acdeg

    Priority     : 1000

    NAT counting : 0

    Config status: Inactive

    Reasons for inactive status:

      The following items don't exist or aren't effective: local VPN, and global VPN.

 

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: GigabitEthernet1/2/0/2

    Config status: Active

 

  Interface: GigabitEthernet1/2/0/3

    Config status: Active

Table 46 Command output

| Field | Description |
|---|---|
| Net-to-net | Net-to-net static NAT mapping. |
| IP-to-IP | One-to-one static NAT mapping. |
| Local IP | Private IP address or address range. |
| Global IP | Public IP address or address range. |
| Netmask | Network mask. |
| Local VPN | MPLS L3VPN instance to which the private IP addresses belong. If no VPN instance is specified, this field is not displayed. |
| Global VPN | MPLS L3VPN instance to which the public IP addresses belong. If no VPN instance is specified, this field is not displayed. |
| ACL | ACL number or name. If no ACL is specified, this field is not displayed. |
| Reversible | Whether reverse address translation is allowed. If reverse address translation is allowed, this field displays Y. If reverse address translation is not allowed, this field is not displayed. |
| Rule name | Name of the NAT rule. |
| Priority | Priority of the NAT rule. |
| NAT counting | Number of flows that match the static NAT rule. |
| Config status | Status of the static NAT mapping configuration: Active or Inactive. |
| Reasons for inactive status | Reasons why the static NAT mapping configuration does not take effect. This field is available when the Config status is Inactive. |

 

Related commands

nat static

nat static net-to-net

nat static enable

display nat statistics

Use display nat statistics to display NAT statistics.

Syntax

Centralized devices in standalone mode:

display nat statistics [ summary ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display nat statistics [ summary ] [ slot slot-number ]

Distributed devices in IRF mode:

display nat statistics [ summary ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

summary: Displays NAT statistics summary. If you do not specify this keyword, this command displays detailed NAT statistics.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays NAT statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays NAT statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays NAT statistics for all cards. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Display detailed information about all NAT statistics.

<Sysname> display nat statistics

Slot 0:

  Total session entries: 100

  Total EIM entries: 1

  Total inbound NO-PAT entries: 0

  Total outbound NO-PAT entries: 0

  Total static port block entries: 10

  Total dynamic port block entries: 15

  Active static port block entries: 0

  Active dynamic port block entries: 0

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display detailed information about all NAT statistics.

<Sysname> display nat statistics

Slot 1:

  Total session entries: 100

  Total EIM entries: 1

  Total inbound NO-PAT entries: 0

  Total outbound NO-PAT entries: 0

  Total static port block entries: 10

  Total dynamic port block entries: 15

  Active static port block entries: 0

  Active dynamic port block entries: 0

# (Distributed devices in IRF mode.) Display detailed information about all NAT statistics.

<Sysname> display nat statistics

Slot 1 in chassis 1:

  Total session entries: 100

  Total EIM entries: 1

  Total inbound NO-PAT entries: 0

  Total outbound NO-PAT entries: 0

  Total static port block entries: 10

  Total dynamic port block entries: 15

  Active static port block entries: 0

  Active dynamic port block entries: 0

Table 47 Command output

| Field | Description |
|---|---|
| Total session entries | Number of NAT session entries. |
| Total EIM entries | Number of EIM entries. |
| Total inbound NO-PAT entries | Number of inbound NO-PAT entries. |
| Total outbound NO-PAT entries | Number of outbound NO-PAT entries. |
| Total static port block entries | Number of static NAT444 mappings. |
| Total dynamic port block entries | Number of dynamic NAT444 mappings that can be created. It equals the number of port blocks for dynamic assignment, including the assigned and unassigned port blocks. |
| Active static port block entries | Number of static NAT444 mappings that are in use. |
| Active dynamic port block entries | Number of dynamic NAT444 mappings that have been created. It equals the number of dynamically assigned port blocks. |

 

# (Centralized devices in standalone mode.) Display summary information about all NAT statistics.

<Sysname> display nat statistics summary

EIM: Total EIM entries.

SPB: Total static port block entries.

DPB: Total dynamic port block entries.

ASPB: Active static port block entries.

ADPB: Active dynamic port block entries.

Sessions  EIM       SPB       DPB       ASPB      ADPB

100       1         10        15        0         0

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display summary information about all NAT statistics.

<Sysname> display nat statistics summary

EIM: Total EIM entries.

SPB: Total static port block entries.

DPB: Total dynamic port block entries.

ASPB: Active static port block entries.

ADPB: Active dynamic port block entries.

Slot Sessions  EIM       SPB       DPB       ASPB      ADPB

2    0         0         0         1572720   0         0

# (Distributed devices in IRF mode.) Display summary information about all NAT statistics.

<Sysname> display nat statistics summary

EIM: Total EIM entries.

SPB: Total static port block entries.

DPB: Total dynamic port block entries.

ASPB: Active static port block entries.

ADPB: Active dynamic port block entries.

Chassis Slot Sessions  EIM       SPB       DPB       ASPB      ADPB

1       2    0         0         0         1572720   0         0

Table 48 Command output

| Field | Description |
|---|---|
| Chassis | Member ID of the IRF member device (distributed devices in IRF mode). |
| Slot | Number of the slot that holds the card (distributed devices in standalone mode). Member ID of the IRF member device (centralized devices in IRF mode). |
| Sessions | Number of NAT session entries. |
| EIM | Number of EIM entries. |
| SPB | Number of static NAT444 mappings. |
| DPB | Number of dynamic NAT444 mappings that can be created. It equals the number of port blocks for dynamic assignment, including the assigned and unassigned port blocks. |
| ASPB | Number of static NAT444 mappings in use. |
| ADPB | Number of dynamic NAT444 mappings that have been created. It equals the number of dynamically assigned port blocks. |

 

global-ip-pool

Use global-ip-pool to add a public IP address range to a NAT port block group.

Use undo global-ip-pool to remove a public IP address range from a NAT port block group.

Syntax

global-ip-pool start-address end-address

undo global-ip-pool start-address

Default

No public IP address ranges exist.

Views

NAT port block group view

Predefined user roles

network-admin

Parameters

start-address end-address: Specifies the start IP address and end IP address of a public IP address range. The end IP address cannot be lower than the start IP address. If the start and end IP addresses are the same, only one public IP address is specified.

Usage guidelines

Static NAT444 maps a public IP address to multiple private IP addresses and assigns a unique port block to each private IP address. The number of port blocks that a public IP address can assign is determined by dividing the number of ports in the port range by the port block size.

You can add multiple public IP address ranges to a port block group, but they cannot overlap.

Public IP address ranges in different port block groups can overlap. The port ranges for overlapped public IP address ranges cannot overlap.

Examples

# Add a public IP address range to the port block group 1. The public IP address range consists of IP addresses from 202.10.1.1 to 202.10.1.10.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] global-ip-pool 202.10.1.1 202.10.1.10

Related commands

nat port-block-group

inside ip

Use inside ip to add a member to an internal server group.

Use undo inside ip to remove a member from an internal server group.

Syntax

inside ip inside-ip port port-number [ weight weight-value ]

undo inside ip inside-ip port port-number

Default

No members exist in an internal server group.

Views

Internal server group view

Predefined user roles

network-admin

Parameters

inside-ip: Specifies the IP address of an internal server.

port port-number: Specifies the port number of an internal server, in the range of 1 to 65535, excluding FTP port 20.

weight weight-value: Specifies the weight of the internal server. The value range is 1 to 1000, and the default value is 100. An internal server with a larger weight receives a larger percentage of connections in the internal server group.

Examples

# Add a member with IP address 10.1.1.2 and port number 30 to internal server group 1.

<Sysname> system-view

[Sysname] nat server-group 1

[Sysname-server-group-1] inside ip 10.1.1.2 port 30

Related commands

nat server-group

local-ip-address

Use local-ip-address to add a private IP address range to a NAT port block group.

Use undo local-ip-address to remove a private IP address range from a NAT port block group.

Syntax

local-ip-address start-address end-address [ vpn-instance vpn-instance-name ]

undo local-ip-address start-address end-address [ vpn-instance vpn-instance-name ]

Default

No private IP address ranges exist in a NAT port block group.

Views

NAT port block group view

Predefined user roles

network-admin

Parameters

start-address end-address: Specifies the start IP address and end IP address of a private IP address range. The end IP address cannot be lower than the start IP address. If the start and end IP addresses are the same, only one private IP address is specified.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the private IP address range belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this parameter if the private IP address range does not belong to any VPN.

Usage guidelines

Static NAT444 maps one public IP address to multiple private IP addresses and assigns a unique port block to each private IP address.

You can add multiple private IP address ranges to a port block group, but they cannot overlap.

Private IP address ranges in different port block groups can overlap.

In a NAT port block group, the number of private IP addresses cannot be larger than the number of assignable port blocks. Otherwise, some private IP addresses cannot obtain port blocks. The number of port blocks that a public IP address can assign is determined by dividing the number of ports in the port range by the port block size.

Examples

# Add a private IP address range to the port block group 1. The private IP address range consists of IP addresses from 172.16.1.1 to 172.16.1.255 in the VPN instance vpn1.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] local-ip-address 172.16.1.1 172.16.1.255 vpn-instance vpn1
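The capacity and overlap rules from the usage guidelines above can be checked before a port block group is configured. The following Python sketch is an added example, not H3C code: the port range 1024 to 65535, the block size 500, and the public_ips parameter (for a group that has more than one public address) are assumptions chosen for illustration.

```python
import ipaddress

def range_to_ints(start, end):
    """Return (lo, hi) as integers; the end address cannot be lower than the start."""
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if hi < lo:
        raise ValueError(f"end address {end} is lower than start address {start}")
    return lo, hi

def find_overlaps(ranges):
    """Return pairs of private address ranges in one port block group that overlap."""
    spans = sorted((*range_to_ints(s, e), (s, e)) for s, e in ranges)
    overlaps, widest = [], None  # widest = span with the highest end seen so far
    for lo, hi, label in spans:
        if widest and lo <= widest[1]:
            overlaps.append((widest[2], label))
        if widest is None or hi > widest[1]:
            widest = (lo, hi, label)
    return overlaps

def check_port_block_group(local_ranges, port_start, port_end, block_size, public_ips=1):
    """Compare the number of private addresses with the assignable port blocks."""
    if not (1 <= port_start <= port_end <= 65535) or block_size < 1:
        raise ValueError("invalid port range or block size")
    private_ips = sum(hi - lo + 1
                      for lo, hi in (range_to_ints(s, e) for s, e in local_ranges))
    # Port blocks per public address = ports in the port range / port block size.
    blocks_per_ip = (port_end - port_start + 1) // block_size
    assignable = blocks_per_ip * public_ips
    return {
        "private_ips": private_ips,
        "blocks_per_public_ip": blocks_per_ip,
        "assignable_blocks": assignable,
        "without_port_block": max(0, private_ips - assignable),
        "overlaps": find_overlaps(local_ranges),
    }

if __name__ == "__main__":
    # Range taken from the example above; port range and block size are constructed.
    print(check_port_block_group([("172.16.1.1", "172.16.1.255")], 1024, 65535, 500))
```

With these constructed values, one public address offers 129 port blocks for 255 private addresses, so 126 private addresses cannot obtain a port block.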

Related commands

nat port-block-group

nat address-group

Use nat address-group to create a NAT address group and enter its view, or enter the view of an existing NAT address group.

Use undo nat address-group to delete a NAT address group.

Syntax

nat address-group group-id [ name group-name ]

undo nat address-group group-id

Default

No NAT address groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Assigns an ID to the NAT address group. The value range for this argument is 0 to 65535.

name group-name: Assigns a name to the NAT address group. The group-name argument is a case-sensitive string of 1 to 63 characters.

Usage guidelines

A NAT address group consists of multiple address ranges. Use the address command to add an address range to a NAT address group.

Examples

# Create a NAT address group numbered 1 and named abc.

<Sysname> system-view

[Sysname] nat address-group 1 name abc

Related commands

address

display nat address-group

display nat all

nat inbound

nat outbound

nat alg

Use nat alg to enable NAT ALG for the specified or all supported protocols.

Use undo nat alg to disable NAT ALG for the specified or all supported protocols.

Syntax

nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }

undo nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }

Default

NAT ALG is enabled for DNS, FTP, ICMP error messages, RTSP, and PPTP, and is disabled for the other supported protocols.

Views

System view

Predefined user roles

network-admin

Parameters

all: Enables NAT ALG for all supported protocols.

dns: Enables NAT ALG for DNS.

ftp: Enables NAT ALG for FTP.

h323: Enables NAT ALG for H.323.

icmp-error: Enables NAT ALG for ICMP error packets.

ils: Enables NAT ALG for ILS.

mgcp: Enables NAT ALG for MGCP.

nbt: Enables NAT ALG for NBT.

pptp: Enables NAT ALG for PPTP.

rsh: Enables NAT ALG for RSH.

rtsp: Enables NAT ALG for RTSP.

sccp: Enables NAT ALG for SCCP.

sip: Enables NAT ALG for SIP.

sqlnet: Enables NAT ALG for SQLNET.

tftp: Enables NAT ALG for TFTP.

xdmcp: Enables NAT ALG for XDMCP.

Usage guidelines

NAT ALG translates address or port information in the application layer payload to ensure connection establishment.

For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires NAT ALG to translate the address and port information to establish the data connection.

Examples

# Enable NAT ALG for FTP.

<Sysname> system-view

[Sysname] nat alg ftp

Related commands

display nat all

nat dns-map

Use nat dns-map to configure a DNS mapping for NAT.

Use undo nat dns-map to remove a DNS mapping for NAT.

Syntax

nat dns-map domain domain-name protocol pro-type { interface interface-type interface-number | ip global-ip } port global-port

undo nat dns-map domain domain-name

Default

No DNS mappings for NAT exist.

Views

System view

Predefined user roles

network-admin

Parameters

domain domain-name: Specifies the domain name of an internal server. A domain name is a dot-separated case-insensitive string that can include letters, digits, hyphens (-), underscores (_), and dots (.) (for example, aabbcc.com). The domain name can contain a maximum of 253 characters, and each separated string contains no more than 63 characters.

protocol pro-type: Specifies the type of the protocol used by the internal server, tcp or udp.

interface interface-type interface-number: Enables Easy IP to use the IP address of the interface specified by its type and number as the public address of the internal server. Only the loopback interfaces are supported.

ip global-ip: Specifies the public IP address used by the internal server to provide services for the external network.

port global-port: Specifies the public port number used by the internal server to provide services for the external network. The port number format can be one of the following:

·     A number in the range of 1 to 65535.

·     A protocol name, a string of 1 to 15 characters. For example, ftp and telnet.

Usage guidelines

NAT DNS mapping must cooperate with the NAT Server feature. NAT DNS mapping maps the domain name of an internal server to the public IP address, public port number, and protocol type of the internal server. NAT Server maps the public IP and port to the private IP and port of the internal server. The cooperation allows an internal host to access an internal server on the same private network by using the domain name of the internal server when the DNS server is on the public network.

The DNS reply from the external DNS server contains only the domain name and public IP address of the internal server in the payload. The NAT interface might have multiple internal servers configured with the same public IP address but different private IP addresses. DNS ALG might find an incorrect internal server by using only the public IP address.

If a DNS mapping is configured, DNS ALG can obtain the public IP address, public port number, and protocol type of the internal server by using the domain name. Then it can find the correct internal server by using the public IP address, public port number, and protocol type of the internal server.

You can configure multiple NAT DNS mappings.

Examples

# Configure a NAT DNS mapping to map the domain name www.server.com to the public IP address 202.112.0.1, public port number 12345, and protocol type TCP.

<Sysname> system-view

[Sysname] nat dns-map domain www.server.com protocol tcp ip 202.112.0.1 port 12345

Related commands

display nat all

display nat dns-map

nat server

nat hairpin enable

Use nat hairpin enable to enable NAT hairpin.

Use undo nat hairpin enable to disable NAT hairpin.

Syntax

nat hairpin enable

undo nat hairpin enable

Default

NAT hairpin is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

NAT hairpin allows internal hosts to access each other or allows internal hosts to access internal servers. It must cooperate with NAT Server, outbound dynamic NAT, or outbound static NAT. The source and destination IP addresses of the packets are translated on the interface connected to the internal network.

Examples

# Enable NAT hairpin on interface GigabitEthernet 2/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] nat hairpin enable

Related commands

display nat all

nat icmp-error reply

Use nat icmp-error reply to enable sending ICMP error messages for NAT failures.

Use undo nat icmp-error reply to restore the default.

Syntax

nat icmp-error reply

undo nat icmp-error reply

Default

No ICMP error messages are sent for NAT failures.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Disabling sending ICMP error messages for NAT failures reduces useless packets, saves bandwidth, and avoids exposing the firewall IP address to the public network.

This command is required for traceroute.

Examples

# Enable sending ICMP error messages for NAT failures.

<Sysname> system-view

[Sysname] nat icmp-error reply

nat inbound

Use nat inbound to configure an inbound dynamic NAT rule.

Use undo nat inbound to delete an inbound dynamic NAT rule.

Syntax

nat inbound { ipv4-acl-number | name ipv4-acl-name } address-group { group-id | name group-name } [ vpn-instance vpn-instance-name ] [ no-pat [ reversible ] [ add-route ] ] [ rule rule-name ] [ priority priority ] [ disable ] [ description text ] [ counting ]

undo nat inbound { ipv4-acl-number | name ipv4-acl-name }

Default

No inbound dynamic NAT rules exist.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter. To avoid confusion, it cannot be all.

address-group: Specifies an address group for address translation.

group-id: Specifies the address group ID. The value range for this argument is 0 to 65535.

name group-name: Specifies the address group name, a case-insensitive string of 1 to 63 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the addresses in the address group belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the addresses in the address group belong to the public network, do not use this option.

no-pat: Uses NO-PAT for inbound NAT. If you do not specify this keyword, PAT is used. PAT supports only TCP, UDP, and ICMP query packets. For an ICMP packet, the ICMP ID is used as its source port number.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal hosts to external hosts. It uses existing NO-PAT entries to translate destination addresses for packets of these connections if the packets are permitted by ACL reverse matching.

add-route: Automatically adds a route to the source address after translation. The output interface is the NAT interface and the next-hop is the source address before translation. If you do not specify this keyword, you must manually add the route. As a best practice, add routes manually because automatic route adding is slow. Do not specify this keyword if the subnets where the internal and external networks reside overlap.

rule rule-name: Specifies a name for the rule, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the rule does not have a name.

priority priority: Specifies a priority for the rule, in the range of 0 to 2147483647. A smaller value represents a higher priority. If you do not specify this option, the rule has the lowest priority among the same type of NAT rules.

disable: Disables the inbound dynamic NAT rule. If you do not specify this keyword, the rule is enabled.

description text: Specifies a description for the inbound dynamic NAT rule. The text argument is a case-insensitive string of 1 to 63 characters.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

Usage guidelines

Inbound dynamic NAT translates the source IP addresses of incoming packets permitted by the ACL into IP addresses in the address group.

Inbound dynamic NAT supports the PAT and NO-PAT modes.

·     PAT—Performs both IP address translation and port translation.

·     NO-PAT—Performs only IP address translation.

The NO-PAT mode supports reverse address translation. Reverse address translation uses ACL reverse matching to identify packets to be translated. ACL reverse matching works as follows:

·     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

·     Translates the destination IP address of the packet according to the matching NO-PAT entry, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Inbound dynamic NAT typically cooperates with one of the following to implement bidirectional NAT:

·     Outbound dynamic NAT (the nat outbound command).

·     NAT Server (the nat server command).

·     Outbound static NAT (the nat static command).

An address group cannot be used by both the nat inbound and nat outbound commands. It cannot be used by the nat inbound command in both PAT and NO-PAT modes.

An ACL can be used by only one inbound dynamic NAT rule on an interface.

You can configure multiple inbound dynamic NAT rules on an interface.

The vpn-instance parameter is required if you deploy inbound dynamic NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Inbound dynamic NAT rules configured with the same priority value are matched by using their ACLs.

·     NAT rules with named ACLs have higher priorities than NAT rules with unnamed ACLs.

·     NAT rules with named ACLs are matched in alphabetical order of their ACL names.

·     NAT rules with unnamed ACLs are matched in descending order of their ACL numbers.

Examples

# Configure ACL 2001 to permit packets only from subnet 10.110.10.0/24 in VPN vpn10 to pass through.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit vpn-instance vpn10 source 10.110.10.0 0.0.0.255

[Sysname-acl-ipv4-basic-2001] rule deny

[Sysname-acl-ipv4-basic-2001] quit

# Configure the MPLS L3VPN instance named vpn10.

[Sysname] ip vpn-instance vpn10

[Sysname-vpn-instance-vpn10] route-distinguisher 100:001

[Sysname-vpn-instance-vpn10] vpn-target 100:1 export-extcommunity

[Sysname-vpn-instance-vpn10] vpn-target 100:1 import-extcommunity

[Sysname-vpn-instance-vpn10] quit

# Create address group 1 and add the address range of 202.110.10.10 to 202.110.10.12 to the group.

[Sysname] nat address-group 1

[Sysname-address-group-1] address 202.110.10.10 202.110.10.12

[Sysname-address-group-1] quit

# Configure an inbound NO-PAT rule on interface GigabitEthernet 2/0/1. NAT translates the source addresses of incoming packets into the addresses in address group 1, and automatically adds routes for translated packets. Set the rule name to abc, and the priority to 0.

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] nat inbound 2001 address-group 1 vpn-instance vpn10 no-pat add-route rule abc priority 0

Related commands

display nat all

display nat inbound

display nat no-pat

nat inbound rule move

Use nat inbound rule move to change the priority of an inbound dynamic NAT rule.

Syntax

nat inbound rule move nat-rule-name1 { after | before } nat-rule-name2

Views

Interface view

Predefined user roles

network-admin

Parameters

nat-rule-name1: Specifies the name of the rule to be moved.

after: Places nat-rule-name1 behind nat-rule-name2 to set the priority of nat-rule-name1 to the priority of nat-rule-name2 plus 1.

before: Places nat-rule-name1 before nat-rule-name2 to set the priority of nat-rule-name1 to the priority of nat-rule-name2 minus 1.

nat-rule-name2: Specifies the name of the reference rule.

Usage guidelines

This command applies only to inbound dynamic NAT rules that have names.

A smaller priority value represents a higher priority.

Examples

# Place inbound dynamic NAT rule abc before def.

<Sysname> system-view

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] nat inbound rule move abc before def

Related commands

nat inbound

nat log alarm

Use nat log alarm to enable NAT alarm logging.

Use undo nat log alarm to disable NAT alarm logging.

Syntax

nat log alarm

undo nat log alarm

Default

NAT alarm logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Before configuring NAT alarm logging for NAT444, you must configure the custom NAT444 log generation and outputting features. For more information about the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Enable NAT alarm logging.

<Sysname> system-view

[Sysname] nat log alarm

Related commands

display nat all

display nat log

nat log enable

nat log enable

Use nat log enable to enable NAT logging.

Use undo nat log enable to disable NAT logging.

Syntax

nat log enable [ acl { ipv4-acl-number | name ipv4-acl-name } ]

undo nat log enable

Default

NAT logging is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

acl: Specifies an ACL.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter. To avoid confusion, it cannot be all.

Usage guidelines

You must enable NAT logging before you enable NAT session logging, NAT444 user logging, or NAT alarm logging. NAT444 user logging records log information about NAT444 port block assignment and withdrawal.

The acl keyword takes effect only for NAT session logging. If an ACL is specified, flows matching the permit rule might trigger NAT session logs. If you do not specify an ACL, all flows processed by NAT might trigger NAT session logs.

Examples

# Enable NAT logging.

<Sysname> system-view

[Sysname] nat log enable

Related commands

display nat all

display nat log

nat log alarm

nat log flow-active

nat log flow-begin

nat log flow-end

nat log port-block-assign

nat log port-block-withdraw

nat log flow-active

Use nat log flow-active to enable logging for active NAT flows and set the logging interval.

Use undo nat log flow-active to disable logging for active NAT flows.

Syntax

nat log flow-active time-value

undo nat log flow-active

Default

Logging for active NAT flows is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the interval for logging active NAT flows, in the range of 10 to 120 minutes.

Usage guidelines

Active NAT flows are NAT sessions that last for a long time. The logging feature helps track active NAT flows by periodically logging the active NAT flows.

Logging for active NAT flows takes effect only after you enable NAT logging.

Examples

# Enable logging for active NAT flows and set the logging interval to 10 minutes.

<Sysname> system-view

[Sysname] nat log flow-active 10

Related commands

display nat all

display nat log

nat log enable

nat log flow-begin

Use nat log flow-begin to enable logging for NAT session establishment events.

Use undo nat log flow-begin to disable logging for NAT session establishment events.

Syntax

nat log flow-begin

undo nat log flow-begin

Default

Logging for NAT session establishment events is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Logging for NAT session establishment events takes effect only after you enable NAT logging.

Examples

# Enable logging for NAT session establishment events.

<Sysname> system-view

[Sysname] nat log flow-begin

Related commands

display nat all

display nat log

nat log enable

nat log flow-end

Use nat log flow-end to enable logging for NAT session removal events.

Use undo nat log flow-end to disable logging for NAT session removal events.

Syntax

nat log flow-end

undo nat log flow-end

Default

Logging for NAT session removal events is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Logging for NAT session removal events takes effect only after you enable NAT logging.

Examples

# Enable logging for NAT session removal events.

<Sysname> system-view

[Sysname] nat log flow-end

Related commands

display nat all

display nat log

nat log enable

nat log port-block usage threshold

Use nat log port-block usage threshold to set the port block usage threshold for dynamic NAT444.

Use undo nat log port-block usage threshold to restore the default.

Syntax

nat log port-block usage threshold threshold-value

undo nat log port-block usage threshold

Default

The port block usage threshold for dynamic NAT444 is 90%.

Views

System view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the port block usage threshold in percentage, in the range of 40 to 100.

Usage guidelines

The system generates alarm logs if the port block usage exceeds the threshold.

Examples

# Set the port block usage threshold for dynamic NAT444 to 60%.

<Sysname> system-view

[Sysname] nat log port-block usage threshold 60

nat log port-block-assign

Use nat log port-block-assign to enable NAT444 user logging for port block assignment.

Use undo nat log port-block-assign to disable NAT444 user logging for port block assignment.

Syntax

nat log port-block-assign

undo nat log port-block-assign

Default

NAT444 user logging is disabled for port block assignment.

Views

System view

Predefined user roles

network-admin

Usage guidelines

For static NAT444, the NAT444 gateway generates a user log when it translates the first connection from a private IP address.

For dynamic NAT444, the NAT444 gateway generates a user log when it assigns or extends a port block for a private IP address.

Enable NAT logging before you enable NAT444 user logging for port block assignment.

Examples

# Enable NAT444 user logging for port block assignment.

<Sysname> system-view

[Sysname] nat log port-block-assign

Related commands

display nat all

display nat log

nat log enable

nat log port-block-withdraw

Use nat log port-block-withdraw to enable NAT444 user logging for port block withdrawal.

Use undo nat log port-block-withdraw to disable NAT444 user logging for port block withdrawal.

Syntax

nat log port-block-withdraw

undo nat log port-block-withdraw

Default

NAT444 user logging is disabled for port block withdrawal.

Views

System view

Predefined user roles

network-admin

Usage guidelines

For static NAT444, the NAT444 gateway generates a user log when all connections from a private IP address are disconnected.

For dynamic NAT444, the NAT444 gateway generates a user log when all the following conditions are met:

·     All connections from a private IP address are disconnected.

·     The port blocks (including the extended ones) assigned to the private IP address are withdrawn.

·     The corresponding mapping entry is deleted.

Enable NAT logging before you enable NAT444 user logging for port block withdrawal.

Examples

# Enable NAT444 user logging for port block withdrawal.

<Sysname> system-view

[Sysname] nat log port-block-withdraw

Related commands

display nat all

display nat log

nat log enable
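Each NAT logging sub-feature above takes effect only after nat log enable is configured, so a saved configuration can contain logging commands that produce no logs. The following Python sketch is an added example, not H3C code: it audits the nat log lines of a configuration against the dependencies and value ranges stated in this reference. The sample configurations in the test data are constructed.

```python
import re

# Sub-features that, per the usage guidelines, need 'nat log enable' to take effect.
SIMPLE = r"nat log (flow-begin|flow-end|port-block-assign|port-block-withdraw|alarm)"

def audit_nat_logging(config_text):
    """Audit the NAT logging lines of a saved configuration (system view)."""
    master, acl, configured, findings = False, None, [], []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalize whitespace
        m = re.fullmatch(r"nat log enable(?: acl (?:name )?(\S+))?", line)
        if m:
            master, acl = True, m.group(1)
            continue
        m = re.fullmatch(r"nat log flow-active (\d+)", line)
        if m:
            configured.append("flow-active")
            if not 10 <= int(m.group(1)) <= 120:
                findings.append(
                    f"flow-active interval {m.group(1)} is outside 10 to 120 minutes")
            continue
        m = re.fullmatch(r"nat log port-block usage threshold (\d+)", line)
        if m:
            if not 40 <= int(m.group(1)) <= 100:
                findings.append(
                    f"port block usage threshold {m.group(1)} is outside 40 to 100")
            continue
        m = re.fullmatch(SIMPLE, line)
        if m:
            configured.append(m.group(1))
    if configured and not master:
        findings.append("'nat log enable' is missing, so these have no effect: "
                        + ", ".join(configured))
    if master and acl and any(f.startswith("flow-") for f in configured):
        # The acl keyword applies only to NAT session logging.
        findings.append(f"session logs are limited to flows permitted by ACL {acl}")
    return {"effective": configured if master else [], "findings": findings}

# Constructed sample: sub-features configured, master switch missing.
SAMPLE_NO_MASTER = """
nat log flow-begin
nat log flow-end
nat log port-block-assign
"""

# Constructed sample: master switch with an ACL and an out-of-range interval.
SAMPLE_WITH_ACL = """
nat log enable acl 3000
nat log flow-begin
nat log flow-active 5
nat log port-block usage threshold 60
"""

if __name__ == "__main__":
    for name, cfg in (("no master", SAMPLE_NO_MASTER), ("with ACL", SAMPLE_WITH_ACL)):
        print(name, audit_nat_logging(cfg))
```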

nat mapping-behavior

Use nat mapping-behavior to configure the mapping behavior mode for PAT.

Use undo nat mapping-behavior to restore the default.

Syntax

nat mapping-behavior endpoint-independent [ acl { ipv4-acl-number | name ipv4-acl-name } ]

undo nat mapping-behavior endpoint-independent

Default

Address and Port-Dependent Mapping applies.

Views

System view

Predefined user roles

network-admin

Parameters

acl: Specifies an ACL. Endpoint-Independent Mapping applies to packets that are permitted by the ACL. If you do not specify an ACL, Endpoint-Independent Mapping applies to all packets.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter. To avoid confusion, it cannot be all.

Usage guidelines

PAT supports the following types of NAT mappings:

·     Endpoint-Independent Mapping—Uses the same IP and port mapping (EIM entry) for packets from the same source and port to any destination. EIM allows external hosts to access the internal hosts by using the translated IP address and port. It allows internal hosts behind different NAT gateways to access each other.

·     Address and Port-Dependent Mapping—Uses different IP and port mappings for packets with the same source IP and port to different destination IP addresses and ports. APDM allows an external host to access an internal host only under the condition that the internal host has previously accessed the external host. It is secure, but it does not allow internal hosts behind different NAT gateways to access each other.

This command takes effect only on outbound PAT. Address and Port-Dependent Mapping always applies to inbound PAT.

Examples

# Apply the Endpoint-Independent Mapping mode to all packets for address translation.

<Sysname> system-view

[Sysname] nat mapping-behavior endpoint-independent

# Apply the Endpoint-Independent Mapping to FTP and HTTP packets, and the Address and Port-Dependent Mapping to other packets for address translation.

<Sysname> system-view

[Sysname] acl advanced 3000

[Sysname-acl-ipv4-adv-3000] rule permit tcp destination-port eq 80

[Sysname-acl-ipv4-adv-3000] rule permit tcp destination-port eq 21

[Sysname-acl-ipv4-adv-3000] quit

[Sysname] nat mapping-behavior endpoint-independent acl 3000
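The difference between the two mapping behaviors, and why limiting Endpoint-Independent Mapping with an ACL reduces what external hosts can reach, can be seen in a small model. The following Python sketch is an added example, not H3C code: it is a simplified model of outbound PAT, and the class name, the port allocator, and all addresses are constructed for illustration.

```python
from itertools import count

class PatGateway:
    """Simplified outbound PAT model with EIM and APDM mappings."""

    def __init__(self, public_ip, eim_permit=None, first_port=1024):
        # eim_permit(dst_ip, dst_port) models the optional ACL: EIM applies to
        # permitted packets, APDM to the rest. None means APDM for everything.
        self.public_ip = public_ip
        self.eim_permit = eim_permit
        self._ports = count(first_port)
        self.eim = {}      # (src_ip, src_port) -> public port
        self.apdm = {}     # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.reverse = {}  # public port -> (internal endpoint, allowed peer or None)

    def outbound(self, src, dst):
        """Translate a packet from internal endpoint src to external endpoint dst."""
        if self.eim_permit and self.eim_permit(*dst):
            table, key, peer = self.eim, src, None        # same mapping for any dst
        else:
            table, key, peer = self.apdm, src + dst, dst  # one mapping per dst
        if key not in table:
            port = next(self._ports)
            table[key] = port
            self.reverse[port] = (src, peer)
        return (self.public_ip, table[key])

    def inbound(self, ext, public_port):
        """Return the internal endpoint a packet from ext reaches, or None."""
        entry = self.reverse.get(public_port)
        if entry is None:
            return None
        internal, peer = entry
        if peer is not None and peer != ext:
            return None  # APDM: only the previously contacted endpoint is accepted
        return internal

def demo():
    # Mirrors the ACL 3000 example above: EIM for destination ports 80 and 21.
    gw = PatGateway("202.110.10.10", eim_permit=lambda ip, port: port in (80, 21))
    host = ("10.110.10.5", 40000)                 # constructed internal endpoint
    web1 = gw.outbound(host, ("198.51.100.7", 80))
    web2 = gw.outbound(host, ("203.0.113.9", 80))
    tls = gw.outbound(host, ("203.0.113.9", 443))
    stranger = ("192.0.2.66", 5555)               # never contacted by the host
    return {
        "eim_reused": web1 == web2,
        "apdm_separate": tls != web1,
        "stranger_via_eim": gw.inbound(stranger, web1[1]),
        "stranger_via_apdm": gw.inbound(stranger, tls[1]),
        "peer_via_apdm": gw.inbound(("203.0.113.9", 443), tls[1]),
    }

if __name__ == "__main__":
    print(demo())
```

In the model, a host that was never contacted reaches the internal endpoint through the EIM entry but not through the APDM entry, which is the exposure the ACL option limits to selected traffic.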

Related commands

nat outbound

display nat eim

nat outbound

Use nat outbound to configure an outbound dynamic NAT rule.

Use undo nat outbound to delete an outbound dynamic NAT rule.

Syntax

NO-PAT:

nat outbound [ ipv4-acl-number | name ipv4-acl-name ] address-group { group-id | name group-name } [ vpn-instance vpn-instance-name ] no-pat [ reversible ] [ rule rule-name ] [ priority priority ] [ disable ] [ description text ] [ counting ]

undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]

PAT:

nat outbound [ ipv4-acl-number | name ipv4-acl-name ] [ address-group { group-id | name group-name } ] [ vpn-instance vpn-instance-name ] [ port-preserved ] [ rule rule-name ] [ priority priority ] [ disable ] [ description text ]

undo nat outbound [ ipv4-acl-number | name ipv4-acl-name ]

Default

No outbound dynamic NAT rules exist.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter. To avoid confusion, it cannot be all.

address-group: Specifies an address group for NAT. If you do not specify an address group, the IP address of the interface is used as the NAT address, that is, Easy IP is used.

group-id: Specifies the address group ID. The value range for this argument is 0 to 65535.

name group-name: Specifies the address group name, a case-insensitive string of 1 to 63 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the addresses in the address group belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the addresses in the address group belong to the public network, do not use this option.

no-pat: Uses NO-PAT for outbound NAT. If you do not specify this keyword, PAT is used. PAT only supports TCP, UDP, and ICMP query packets. For an ICMP packet, the ICMP ID is used as its source port number.

reversible: Allows reverse address translation. Reverse address translation uses existing NO-PAT entries to translate destination addresses for packets of connections actively initiated by external hosts to internal hosts.

port-preserved: Tries to preserve the port number for PAT. This keyword does not take effect on dynamic NAT444.

rule rule-name: Specifies a name for the rule, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the rule does not have a name.

priority priority: Specifies a priority for the rule, in the range of 0 to 2147483647. A smaller value represents a higher priority. If you do not specify this option, the rule has the lowest priority among the same type of NAT rules.

disable: Disables the outbound dynamic NAT rule. If you do not specify this keyword, the rule is enabled.

description text: Specifies a description for the outbound dynamic NAT rule. The text argument is a case-insensitive string of 1 to 63 characters.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

Usage guidelines

Outbound dynamic NAT is typically configured on the interface connected to the external network. You can configure multiple outbound dynamic NAT rules on an interface.

Outbound dynamic NAT supports the following modes:

·     PAT—Performs both IP address translation and port translation. The PAT mode allows external hosts to actively access the internal hosts if the Endpoint-Independent Mapping behavior is used.

·     NO-PAT—Performs only IP address translation. The NO-PAT mode allows external hosts to actively access the internal hosts if you specify the reversible keyword. If an ACL is specified, reverse address translation only applies to packets permitted by ACL reverse matching. ACL reverse matching works as follows:

○     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

○     Translates the destination IP address of the packet according to the matching NO-PAT entry, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Dynamic NAT444 does not support the NO-PAT mode.

When you specify a NAT address group, follow these restrictions and guidelines:

·     An address group cannot be used by both the nat inbound and nat outbound commands.

·     An address group cannot be used by the nat outbound command in both PAT and NO-PAT modes.

·     When a port range and port block parameters are specified in the NAT address group, this command configures a dynamic NAT444 rule. Packets matching the ACL permit rule are processed by dynamic NAT444.

When you specify an ACL, follow these restrictions and guidelines:

·     An ACL can be used by only one outbound dynamic NAT rule on an interface.

·     If you configure multiple outbound dynamic NAT rules, only one outbound dynamic NAT rule can contain no ACL.

·     If you specify an ACL, NAT translates the source IP addresses of outgoing packets permitted by the ACL into IP addresses in the address group. If you do not specify an ACL, NAT translates all packets.

·     Outbound dynamic NAT rules with ACLs configured on an interface take precedence over those without ACLs. The priority for the ACL-based dynamic NAT rules depends on ACL number. A higher ACL number represents a higher priority.

The vpn-instance parameter is required if you deploy outbound dynamic NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Outbound dynamic NAT rules configured with the same priority value and an ACL are matched by using the ACLs in the rule.

·     NAT rules with named ACLs have higher priorities than NAT rules with unnamed ACLs.

·     NAT rules with named ACLs are matched in alphabetical order of their ACL names.

·     NAT rules with unnamed ACLs are matched in descending order of their ACL numbers.

Examples

# Configure ACL 2001 to permit packets only from subnet 10.110.10.0/24 to pass through.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255

[Sysname-acl-ipv4-basic-2001] rule deny

[Sysname-acl-ipv4-basic-2001] quit

# Create address group 1 and add the address range of 202.110.10.10 to 202.110.10.12 to the group.

[Sysname] nat address-group 1

[Sysname-address-group-1] address 202.110.10.10 202.110.10.12

[Sysname-address-group-1] quit

# Configure an outbound dynamic PAT rule on interface GigabitEthernet 2/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] nat outbound 2001 address-group 1

[Sysname-GigabitEthernet2/0/1] quit

Or

# Configure an outbound NO-PAT rule on interface GigabitEthernet 2/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1.

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] nat outbound 2001 address-group 1 no-pat

[Sysname-GigabitEthernet2/0/1] quit

Or

# Enable Easy IP to use the IP address of GigabitEthernet 2/0/1 as the translated address.

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] nat outbound 2001

[Sysname-GigabitEthernet2/0/1] quit

Or

# Configure an outbound NO-PAT rule on GigabitEthernet 2/0/1 to translate the source addresses of outgoing packets permitted by ACL 2001 into the addresses in address group 1. Enable reverse address translation.

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] nat outbound 2001 address-group 1 no-pat reversible

Related commands

display nat eim

display nat outbound

nat mapping-behavior

nat outbound ds-lite-b4

Use nat outbound ds-lite-b4 to configure DS-Lite NAT444.

Use undo nat outbound ds-lite-b4 to remove the DS-Lite NAT444 configuration.

Syntax

nat outbound ds-lite-b4 { ipv6-acl-number | name ipv6-acl-name } address-group group-id

undo nat outbound ds-lite-b4 { ipv6-acl-number | name ipv6-acl-name }

Default

No DS-Lite NAT444 configuration exists.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-acl-number: Specifies the number of an IPv6 ACL to match the IPv6 addresses of B4 elements. The value range for the argument is 2000 to 2999.

name ipv6-acl-name: Specifies the name of an IPv6 ACL to match the IPv6 addresses of B4 elements. The ACL name is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, it cannot be all.

address-group group-id: Specifies an address group by its ID. The value range for the group-id argument is 0 to 65535. Port block parameters are required in the address group for DS-Lite NAT444.

Usage guidelines

DS-Lite NAT444 applies to the scenario where a DS-Lite tunnel connects an IPv6 network to an IPv4 network. DS-Lite NAT444 is configured on the AFTR's interface connected to the external IPv4 network and performs dynamic NAT444 based on the B4 element. The B4 element refers to a B4 router or a DS-Lite host.

DS-Lite NAT444 dynamically maps a public IPv4 address and a port block to the IPv6 address of the B4 element. The DS-Lite host or hosts behind the B4 router use the mapped public IPv4 address and port block to access the public IPv4 network.

Examples

# Configure IPv6 ACL 2100 to identify packets from subnet 2000::/64.

<Sysname> system-view

[Sysname] acl ipv6 basic 2100

[Sysname-acl-ipv6-basic-2100] rule permit source 2000::/64

[Sysname-acl-ipv6-basic-2100] quit

# Create address group 1 and add public addresses 202.110.10.10 through 202.110.10.12 to the group.

[Sysname] nat address-group 1

[Sysname-address-group-1] address 202.110.10.10 202.110.10.12

# Set the port block size to 256.

[Sysname-address-group-1] port-block block-size 256

[Sysname-address-group-1] quit

# Configure DS-Lite NAT444 on GigabitEthernet 2/0/1 to use address group 1 to translate packets permitted by ACL 2100.

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] nat outbound ds-lite-b4 2100 address-group 1

Related commands

display nat outbound

nat outbound port-block-group

Use nat outbound port-block-group to apply a NAT port block group to the outbound direction of an interface.

Use undo nat outbound port-block-group to remove a NAT port block group application.

Syntax

nat outbound port-block-group group-id [ rule rule-name ] [ counting ]

undo nat outbound port-block-group group-id

Default

No NAT port block group is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

group-id: Specifies a NAT port block group by its ID. The value range for this argument is 0 to 65535.

rule rule-name: Specifies a name for the rule, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the rule does not have a name.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

Usage guidelines

After you apply a NAT port block group to an interface, the system automatically computes the NAT444 mappings and creates entries for them. When a private IP address accesses the public network, the private IP address is translated to the mapped public IP address, and the ports are translated to ports in the selected port block.

You can apply multiple NAT port block groups to an interface.

Examples

# Apply NAT port block group 1 to the outbound direction of GigabitEthernet 2/0/1, and specify the mapping rule name as abc.

<Sysname> system-view

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] nat outbound port-block-group 1 rule abc

Related commands

display nat all

display nat outbound port-block-group

display nat port-block

nat port-block-group

nat outbound rule move

Use nat outbound rule move to change the priority of an outbound dynamic NAT rule.

Syntax

nat outbound rule move nat-rule-name1 { after | before } nat-rule-name2

Views

Interface view

Predefined user roles

network-admin

Parameters

nat-rule-name1: Specifies the name of the rule to be moved.

after: Places nat-rule-name1 behind nat-rule-name2 to set the priority of nat-rule-name1 to the priority of nat-rule-name2 plus 1.

before: Places nat-rule-name1 before nat-rule-name2 to set the priority of nat-rule-name1 to the priority of nat-rule-name2 minus 1.

nat-rule-name2: Specifies the name of the reference rule.

Usage guidelines

This command applies only to outbound dynamic NAT rules that have names.

A smaller priority value represents a higher priority.

Examples

# Place outbound dynamic NAT rule abc before def.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat outbound rule move abc before def

Related commands

nat outbound

nat port-block global-share enable

Use nat port-block global-share enable to enable global mapping sharing for dynamic NAT444.

Use undo nat port-block global-share enable to disable global mapping sharing for dynamic NAT444.

Syntax

nat port-block global-share enable

undo nat port-block global-share enable

Default

Global mapping sharing is disabled for dynamic NAT444.

Views

System view

Predefined user roles

network-admin

Usage guidelines

When multiple interfaces have dynamic NAT444 configured, the interfaces might create different NAT444 mappings for packets from the same IP address. You can use this command to configure the interfaces to share the same NAT444 mapping for translating packets from the same IP address.

Examples

# Enable global mapping sharing for dynamic NAT444.

<Sysname> system-view

[Sysname] nat port-block global-share enable

Related commands

port-block

nat port-block-group

Use nat port-block-group to create a NAT port block group and enter its view, or enter the view of an existing NAT port block group.

Use undo nat port-block-group to delete a NAT port block group.

Syntax

nat port-block-group group-id

undo nat port-block-group group-id

Default

No NAT port block groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Assigns an ID to the NAT port block group. The value range for this argument is 0 to 65535.

Usage guidelines

A NAT port block group is configured to implement static NAT444.

You must configure the following items for a NAT port block group:

·     A minimum of one private IP address range (see the local-ip-address command).

·     A minimum of one public IP address range (see the global-ip-address command).

·     A port range (see the port-range command).

·     A port block size (see the block-size command).

The system computes static NAT444 mappings according to the port block group configuration, and creates entries for the mappings.

In an IRF fabric, you must configure load sharing by using the ip fast-forwarding load-sharing command to avoid port allocation collisions.
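Because the static NAT444 mappings described above (and under nat outbound port-block-group) are computed from the group configuration alone, a public address and port seen in a log or abuse report can be traced back to one private address without any session log. The following Python code is an added example, not H3C code: it assumes blocks are handed out sequentially (private addresses in order, filling each public address before the next), which this page does not state, so confirm the real entries with display nat port-block. The public range and block size reuse values from this page's examples; the private range and port range are constructed.

```python
import ipaddress
from dataclasses import dataclass


def _span(first, last):
    """Return (first address as int, number of addresses) for an inclusive range."""
    a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if b < a:
        raise ValueError("range end is lower than range start")
    return a, b - a + 1


@dataclass(frozen=True)
class PortBlockGroup:
    local_first: str
    local_last: str
    global_first: str
    global_last: str
    port_first: int
    port_last: int
    block_size: int

    @property
    def blocks_per_ip(self):
        # Ports left over after the last whole block are never handed out.
        return (self.port_last - self.port_first + 1) // self.block_size

    @property
    def capacity(self):
        """Number of private addresses the group can serve."""
        return _span(self.global_first, self.global_last)[1] * self.blocks_per_ip

    def unmapped_locals(self):
        """Private addresses that get no block because the group is too small."""
        return max(0, _span(self.local_first, self.local_last)[1] - self.capacity)

    def block_for(self, private_ip):
        """Return (public_ip, first_port, last_port) for a private address, or None."""
        base, count = _span(self.local_first, self.local_last)
        k = int(ipaddress.IPv4Address(private_ip)) - base
        if not 0 <= k < min(count, self.capacity):
            return None
        ip_index, block = divmod(k, self.blocks_per_ip)   # assumed sequential order
        first = self.port_first + block * self.block_size
        gbase = _span(self.global_first, self.global_last)[0]
        return str(ipaddress.IPv4Address(gbase + ip_index)), first, first + self.block_size - 1

    def owner_of(self, public_ip, port):
        """Reverse lookup: the private address that owns public_ip:port, or None."""
        gbase, gcount = _span(self.global_first, self.global_last)
        ip_index = int(ipaddress.IPv4Address(public_ip)) - gbase
        block = (port - self.port_first) // self.block_size
        if not (0 <= ip_index < gcount and port >= self.port_first
                and block < self.blocks_per_ip):
            return None
        k = ip_index * self.blocks_per_ip + block
        lbase, lcount = _span(self.local_first, self.local_last)
        return str(ipaddress.IPv4Address(lbase + k)) if k < lcount else None


# Constructed group: 766 private addresses, 3 public addresses, 252 blocks of 256 ports each.
GROUP = PortBlockGroup("10.110.10.1", "10.110.12.254",
                       "202.110.10.10", "202.110.10.12", 1024, 65535, 256)

if __name__ == "__main__":
    print("capacity:", GROUP.capacity, "unmapped:", GROUP.unmapped_locals())
    print("10.110.11.7 ->", GROUP.block_for("10.110.11.7"))
    print("202.110.10.11:3600 <-", GROUP.owner_of("202.110.10.11", 3600))
```

A non-zero unmapped_locals() result means some private hosts would have no translation at all, which is worth checking before the group is applied.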

Examples

# Create NAT port block group 1.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1]

Related commands

block-size

display nat all

display nat port-block-group

global-ip-pool

local-ip-address

nat outbound port-block-group

port-range

nat server

Use nat server to create a mapping from the private IP address and port of an internal server to a public address and port.

Use undo nat server to delete a mapping.

Syntax

Common NAT Server:

·     A single public address with no or a single public port:

nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ] inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ reversible ] [ rule rule-name ] [ disable ] [ counting ]

undo nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ]

·     A single public address with consecutive public ports:

nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-vpn-instance-name ] inside { { local-address | local-address1 local-address2 } local-port | local-address local-port1 local-port2 } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ rule rule-name ] [ disable ] [ counting ]

undo nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-vpn-instance-name ]

·     Consecutive public addresses with no or a single public port:

nat server protocol pro-type global global-address1 global-address2 [ global-port ] [ vpn-instance global-vpn-instance-name ] inside { local-address | local-address1 local-address2 } [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ rule rule-name ] [ disable ] [ counting ]

undo nat server protocol pro-type global global-address1 global-address2 [ global-port ] [ vpn-instance global-vpn-instance-name ]

·     Consecutive public addresses with a single public port:

nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-vpn-instance-name ] inside local-address local-port1 local-port2 [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ rule rule-name ] [ disable ] [ counting ]

undo nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-vpn-instance-name ]

Load sharing NAT Server:

nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-vpn-instance-name ] inside server-group group-id [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ rule rule-name ] [ disable ] [ counting ]

undo nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-vpn-instance-name ]

ACL-based NAT Server:

nat server global { ipv4-acl-number | name ipv4-acl-name } inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ rule rule-name ] [ priority priority ] [ disable ] [ description text ] [ counting ]

undo nat server global { ipv4-acl-number | name ipv4-acl-name }

Default

No NAT Server mappings exist.

Views

Interface view

Predefined user roles

network-admin

Parameters

protocol pro-type: Specifies a protocol type. When the protocol is TCP or UDP, NAT Server can be configured with port information. If you do not specify a protocol type, the command applies to packets of all protocols. The protocol type format can be one of the following:

·     A number in the range of 1 to 255.

·     A protocol name of icmp, tcp, or udp.

global-address: Specifies the public address of an internal server.

global-address1 global-address2: Specifies a public IP address range, which can include a maximum of 10000 addresses. The global-address1 argument specifies the start address, and the global-address2 argument specifies the end address that must be greater than the start address.

global: Specifies an ACL. The destination IP addresses of packets permitted by the ACL can be translated.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, it cannot be all.

current-interface: Enables Easy IP on the current interface. The primary IP address of the interface is used as the public address for the internal server.

interface interface-type interface-number: Enables Easy IP on the interface specified by its type and number. The primary IP address of the interface is used as the public address for the internal server. Only loopback interfaces are supported.

global-port1 global-port2: Specifies a public port number range, which can include a maximum of 10000 ports. The global-port1 argument specifies the start port, and the global-port2 argument specifies the end port that must be greater than the start port. The public port number format can be one of the following:

·     A number in the range of 1 to 65535. Both the start port and the end port support this format.

·     A protocol name, a string of 1 to 15 characters. For example, http and telnet. Only the start port supports this format.

local-address1 local-address2: Specifies a private IP address range. The local-address1 argument specifies the start address, and the local-address2 argument specifies the end address that must be greater than the start address. The number of addresses in the range must equal the number of ports in the public port number range.

local-port: Specifies the private port number. The private port number format can be one of the following:

·     A number in the range of 1 to 65535, excluding FTP port 20.

·     A protocol name, a string of 1 to 15 characters. For example, http and telnet.

global-port: Specifies the public port number. The default value and value range are the same as those for the local-port argument.

local-address: Specifies the private IP address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the advertised public IP addresses belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the public IP addresses do not belong to any VPN instance.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the internal server belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the internal server does not belong to any VPN instance.

server-group group-id: Specifies the internal server group to which the internal server belongs. With this parameter, the load sharing NAT Server feature is configured. The group-id argument specifies the internal server group ID. The value range for this argument is 0 to 65535.

acl: Specifies an ACL. If you specify an ACL, only packets permitted by the ACL can be translated by using the mapping.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, it cannot be all.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal servers to the external network. It translates the private IP addresses of the internal servers to their public IP addresses.

rule rule-name: Specifies a name for the mapping, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the mapping does not have a name.

priority priority: Specifies a priority for the mapping, in the range of 0 to 2147483647. A smaller value represents a higher priority. If you do not specify this option, the mapping has the lowest priority among the same type of NAT rules.

disable: Disables the NAT Server mapping. If you do not specify this keyword, the mapping is enabled.

description text: Specifies a description for the mapping. The text argument is a case-insensitive string of 1 to 63 characters.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

Usage guidelines

You can configure the NAT Server feature to allow internal servers (such as Web, FTP, Telnet, POP3, and DNS servers) in the internal network or an MPLS VPN instance to provide services for external users.

NAT Server is usually configured on the interface connected to the external network on a NAT device. By using the global-address and global-port arguments, external users can access the internal server at local-address and local-port. When the protocol type is not udp (protocol number 17) or tcp (protocol number 6), you can configure only one-to-one IP address mappings. The following table describes the address-port mappings between an external network and an internal network for NAT Server.

Table 49 Address-port mappings for NAT Server

External network | Internal network
One public address | One private address
One public address and one public port number | One private address and one private port number
One public address and N consecutive public port numbers | One private address and one private port number
One public address and N consecutive public port numbers | N consecutive private addresses and one private port number
One public address and N consecutive public port numbers | One private address and N consecutive private port numbers
N consecutive public addresses | One private address
N consecutive public addresses | N consecutive private addresses
N consecutive public addresses and one public port number | One private address and one private port number
N consecutive public addresses and one public port number | N consecutive private addresses and one private port number
N consecutive public addresses and one public port number | One private address and N consecutive private port numbers
One public address and one public port number | One private server group
One public address and N consecutive public port numbers | One private server group
N consecutive public addresses and one public port number | One private server group
Public addresses matching an ACL | One private address
Public addresses matching an ACL | One private address and one private port

You can configure a maximum of 256 nat server commands on an interface. The mapping of the protocol type, public address, and public port number must be unique for an internal server on an interface. This restriction also applies when Easy IP is used. The number of internal servers that each command can define equals the number of public ports in the specified public port range.

As a best practice, do not configure Easy IP for multiple internal servers by using the same interface.

If the IP address of an interface used by Easy IP changes and conflicts with the IP address of an internal server not using Easy IP, the Easy IP configuration becomes invalid. If the conflicting address is changed to a non-conflicting address, or the internal server configuration without Easy IP is removed, the Easy IP configuration takes effect.

The vpn-instance parameter is required if you deploy NAT Server for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

When you configure load shared internal servers, you must make sure a user uses the same public address and public port to access the same service on an internal server. For this purpose, make sure value N in the following mappings is equal to or less than the number of servers in the internal server group:

·     One public address and N consecutive public port numbers are mapped to one internal server group.

·     N consecutive public addresses and a public port number are mapped to one internal server group.

ACL-based NAT server mappings that are configured with the same priority value are matched by using the ACLs in their rules:

·     Mappings with named ACLs have higher priorities than mappings with unnamed ACLs.

·     Mappings with named ACLs are matched in alphabetical order of their ACL names.

·     Mappings with unnamed ACLs are matched in descending order of their ACL numbers.

Examples

# Allow external users to access the internal Web server at 10.110.10.10 through http://202.110.10.10:8080.

<Sysname> system-view

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 http

[Sysname-GigabitEthernet2/0/1] quit

# Allow external users to access the internal FTP server at 10.110.10.11 in the MPLS VPN vrf10 through ftp://202.110.10.10.

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 vpn-instance vrf10

[Sysname-GigabitEthernet2/0/1] quit

# Allow external hosts to ping the host at 10.110.10.12 in the VPN vrf10 by using the ping 202.110.10.11 command.

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 vpn-instance vrf10

[Sysname-GigabitEthernet2/0/1] quit

# Allow external hosts to access the Telnet services of internal servers at 10.110.10.1 to 10.110.10.100 in the MPLS VPN vrf10 through the public address 202.110.10.10 and port numbers from 1001 to 1100. As a result, a user can Telnet to 202.110.10.10:1001 to access 10.110.10.1, Telnet to 202.110.10.10:1002 to access 10.110.10.2, and so on.

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet vpn-instance vrf10

# Configure ACL-based NAT Server to allow users to use IP addresses in subnet 192.168.0.0/24 to access the internal server at 10.0.0.172.

<Sysname> system-view

[Sysname] acl advanced 3000

[Sysname-acl-ipv4-adv-3000] rule 5 permit ip destination 192.168.0.0 0.0.0.255

[Sysname-acl-ipv4-adv-3000] quit

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] nat server global 3000 inside 10.0.0.172
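A single nat server command with a range publishes many internal endpoints at once, so a configuration review needs the per-flow view that Table 49 implies. The following Python code is an added example, not H3C code: it expands the common-form commands from the examples above into individual mappings, enforces the range rules stated in the parameter descriptions, and lists mappings on the FTP control or Telnet port. The keyword-to-port table is a constructed subset, and Easy IP, server-group and ACL-based forms are deliberately rejected.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed subset of port keywords; the page names http and telnet as examples.
PORT_NAMES = {"ftp": 21, "telnet": 23, "http": 80}
OPTIONS = {"vpn-instance", "acl", "reversible", "rule", "disable", "counting"}
MAX_RANGE = 10000            # the page's limit for a public address or port range
CLEARTEXT_PORTS = {21, 23}   # FTP control and Telnet: a port-based heuristic only


class Mapping(NamedTuple):
    protocol: str
    public_ip: str
    public_port: Optional[int]    # None: no port given in the command
    private_ip: str
    private_port: Optional[int]


def _is_ip(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _side(tokens):
    """Turn the tokens of one side (global or inside) into (ip, port) pairs."""
    tokens = tokens[:next((n for n, t in enumerate(tokens) if t in OPTIONS), len(tokens))]
    ips = [ipaddress.IPv4Address(t) for t in tokens if _is_ip(t)]
    ports = [PORT_NAMES.get(t) or int(t) for t in tokens if not _is_ip(t)]
    if len(ips) == 2 and len(ports) == 2:
        raise ValueError("an address range and a port range cannot be combined")
    if len(ips) == 2:
        first, last = int(ips[0]), int(ips[1])
        if not first < last or last - first + 1 > MAX_RANGE:
            raise ValueError("bad address range")
        ips = [ipaddress.IPv4Address(v) for v in range(first, last + 1)]
    if len(ports) == 2:
        if not ports[0] < ports[1] or ports[1] - ports[0] + 1 > MAX_RANGE:
            raise ValueError("bad port range")
        ports = list(range(ports[0], ports[1] + 1))
    return [(str(ip), port) for ip in ips for port in (ports or [None])]


def expand(line):
    """Expand one common-form `nat server` command into one Mapping per flow."""
    tokens = line.split()
    if tokens[:2] != ["nat", "server"] or "server-group" in tokens:
        raise ValueError("not a common-form nat server command")
    proto = tokens[tokens.index("protocol") + 1] if "protocol" in tokens else "any"
    g, i = tokens.index("global"), tokens.index("inside")
    public, private = _side(tokens[g + 1:i]), _side(tokens[i + 1:])
    if not public or not private:
        raise ValueError("Easy IP and ACL-based forms are not handled here")
    has_port = any(p is not None for _, p in public + private)
    if has_port and proto not in ("tcp", "udp", "6", "17"):
        raise ValueError("ports are valid only for TCP or UDP")
    if len(private) == 1:          # one private endpoint serves every public one
        private = private * len(public)
    if len(private) != len(public):
        raise ValueError("private range size must equal public range size")
    return [Mapping(proto, *pub, *prv) for pub, prv in zip(public, private)]


# The four common-form commands from the Examples above.
EXAMPLES = [
    "nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 http",
    "nat server protocol tcp global 202.110.10.10 21 inside 10.110.10.11 vpn-instance vrf10",
    "nat server protocol icmp global 202.110.10.11 inside 10.110.10.12 vpn-instance vrf10",
    "nat server protocol tcp global 202.110.10.10 1001 1100 "
    "inside 10.110.10.1 10.110.10.100 telnet vpn-instance vrf10",
]


def cleartext_exposures(lines):
    """Mappings whose public or private port is FTP control (21) or Telnet (23)."""
    return [m for line in lines for m in expand(line)
            if {m.public_port, m.private_port} & CLEARTEXT_PORTS]


if __name__ == "__main__":
    for m in cleartext_exposures(EXAMPLES)[:3]:
        print(f"{m.protocol} {m.public_ip}:{m.public_port} -> {m.private_ip}:{m.private_port}")
```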

Related commands

display nat all

display nat server

nat server-group

nat server rule move

Use nat server rule move to change the priority of a NAT rule for ACL-based NAT Server.

Syntax

nat server rule move nat-rule-name1 { after | before } nat-rule-name2

Views

Interface view

Predefined user roles

network-admin

Parameters

nat-rule-name1: Specifies the name of the rule to be moved.

after: Places nat-rule-name1 behind nat-rule-name2 to set the priority of nat-rule-name1 to the priority of nat-rule-name2 plus 1.

before: Places nat-rule-name1 before nat-rule-name2 to set the priority of nat-rule-name1 to the priority of nat-rule-name2 minus 1.

nat-rule-name2: Specifies the name of the reference rule.

Usage guidelines

This command applies only to NAT rules for ACL-based NAT Server that have names.

A smaller priority value represents a higher priority.

Examples

# Place NAT rule abc before def for ACL-based NAT Server.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] nat server rule move abc before def

Related commands

nat server

nat server-group

Use nat server-group to create an internal server group and enter its view, or enter the view of an existing internal server group.

Use undo nat server-group to delete an internal server group.

Syntax

nat server-group group-id

undo nat server-group group-id

Default

No internal server groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Assigns an ID to the internal server group. The value range is 0 to 65535.

Usage guidelines

An internal server group can contain multiple members configured by the inside ip command.

Examples

# Create internal server group 1.

<Sysname> system-view

[Sysname] nat server-group 1

Related commands

display nat all

display nat server-group

inside ip

nat server

nat static enable

Use nat static enable to enable static NAT on an interface.

Use undo nat static enable to disable static NAT on an interface.

Syntax

nat static enable

undo nat static enable

Default

Static NAT is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

Static NAT mappings take effect on an interface only after static NAT is enabled on the interface.

Examples

# Configure an outbound static NAT mapping between private IP address 192.168.1.1 and public IP address 2.2.2.2, and enable static NAT on interface GigabitEthernet 2/0/1.

<Sysname> system-view

[Sysname] nat static outbound 192.168.1.1 2.2.2.2

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] nat static enable

Related commands

display nat all

display nat static

nat static

nat static net-to-net

nat static inbound

Use nat static inbound to configure a one-to-one mapping for inbound static NAT.

Use undo nat static inbound to delete a one-to-one mapping for inbound static NAT.

Syntax

nat static inbound global-ip [ vpn-instance global-vpn-instance-name ] local-ip [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ rule rule-name ] [ priority priority ] [ disable ] [ counting ]

undo nat static inbound global-ip [ vpn-instance global-vpn-instance-name ] local-ip [ vpn-instance local-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

global-ip: Specifies a public IP address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP address does not belong to any VPN instance, do not specify this option.

local-ip: Specifies a private IP address.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP address does not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to identify the packets that can use the mapping.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, it cannot be all.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal hosts to the external host. It uses the mapping to translate the destination address for packets of these connections if the packets are permitted by ACL reverse matching.

rule rule-name: Specifies a name for the mapping, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the mapping does not have a name.

priority priority: Specifies a priority for the mapping, in the range of 0 to 2147483647. A smaller value represents a higher priority. If you do not specify this option, the mapping has the lowest priority among the same type of NAT rules.

disable: Disables the one-to-one inbound static mapping. If you do not specify this keyword, the mapping is enabled.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

Usage guidelines

When the source IP address of a packet from the public network to the private network matches the global-ip, the source IP address is translated into the local-ip. When the destination IP address of a packet from the private network to the public network matches the local-ip, the destination IP address is translated into the global-ip.

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source address of all incoming packets and the destination address of all outgoing packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source address of incoming packets permitted by the ACL is translated. The destination address of packets is not translated for connections actively initiated by internal hosts to the external host.

·     If you specify both an ACL and the reversible keyword, the source address of incoming packets permitted by the ACL is translated. If packets of connections actively initiated by internal hosts to the external host are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

¡     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

¡     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP address/port in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple inbound static NAT mappings by using the nat static inbound command and the nat static inbound net-to-net command.

The vpn-instance parameter is required if you deploy inbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

One-to-one mappings for inbound static NAT that are configured with the same priority value and an ACL are matched by using the ACLs in the mappings:

·     Mappings with named ACLs have higher priorities than mappings with unnamed ACLs.

·     Mappings with named ACLs are matched in alphabetical order of their ACL names.

·     Mappings with unnamed ACLs are matched in descending order of their ACL numbers.
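The same tie-break order is stated on this page for nat outbound rules and for ACL-based nat server mappings, and the rule move commands adjust priority by plus or minus 1. The following Python code is an added example, not H3C code, that computes the resulting match order, finds which mapping an address hits first, and reports mappings that an earlier one makes unreachable. Its assumptions: each ACL is reduced to one constructed prefix, ACL names are compared in lowercase, and mappings without a priority are treated as sharing the lowest priority.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

MAX_PRIORITY = 2147483647            # upper bound of the priority range on this page


@dataclass(frozen=True)
class AclMapping:
    rule: str                        # rule name
    acl: str                         # ACL number ("3000") or ACL name ("edge")
    permits: str                     # constructed stand-in for what the ACL permits
    translated_to: str
    priority: Optional[int] = None   # None: lowest priority among rules of its type


def sort_key(m):
    prio = MAX_PRIORITY + 1 if m.priority is None else m.priority
    if m.acl.isdigit():
        return (prio, 1, -int(m.acl), "")     # unnamed: descending ACL number
    return (prio, 0, 0, m.acl.lower())        # named first, in alphabetical order


def match_order(mappings):
    """Mappings in the order they are tried (smaller priority value first)."""
    return sorted(mappings, key=sort_key)


def first_match(mappings, address):
    """The mapping that translates `address`, or None if no ACL permits it."""
    addr = ipaddress.ip_address(address)
    for m in match_order(mappings):
        if addr in ipaddress.ip_network(m.permits):
            return m
    return None


def shadowed(mappings):
    """(rule, earlier_rule) pairs where an earlier mapping permits a superset."""
    ordered, found = match_order(mappings), []
    for n, m in enumerate(ordered):
        net = ipaddress.ip_network(m.permits)
        for earlier in ordered[:n]:
            if net.subnet_of(ipaddress.ip_network(earlier.permits)):
                found.append((m.rule, earlier.rule))
                break
    return found


def move(mappings, name1, where, name2):
    """Model `rule move name1 { after | before } name2`; returns a new list."""
    ref = next(m for m in mappings if m.rule == name2)
    if ref.priority is None:
        raise ValueError("reference rule has no explicit priority")
    new = ref.priority + (1 if where == "after" else -1)
    if not 0 <= new <= MAX_PRIORITY:
        # The page does not say what the device does outside the valid range.
        raise ValueError("resulting priority is outside 0 to 2147483647")
    return [replace(m, priority=new) if m.rule == name1 else m for m in mappings]


# Constructed rule set: three mappings share priority 10, one has no priority.
RULES = [
    AclMapping("web", "3000", "192.168.0.0/24", "10.0.0.172", 10),
    AclMapping("api", "3100", "192.168.0.0/25", "10.0.0.180", 10),
    AclMapping("dmz", "edge", "192.168.0.128/25", "10.0.0.190", 10),
    AclMapping("old", "3200", "192.168.1.0/24", "10.0.0.200"),
]

if __name__ == "__main__":
    print([m.rule for m in match_order(RULES)])
    moved = move(RULES, "web", "before", "dmz")
    print([m.rule for m in match_order(moved)], shadowed(moved))
```

Running shadowed() after every priority change shows when a broad mapping has been moved ahead of narrower ones and now sends their traffic to a different internal address.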

Examples

# Configure an inbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.

<Sysname> system-view

[Sysname] nat static inbound 2.2.2.2 192.168.1.1

Related commands

display nat all

display nat static

nat static enable

nat static inbound net-to-net

Use nat static inbound net-to-net to configure a net-to-net mapping for inbound static NAT.

Use undo nat static inbound net-to-net to remove a net-to-net mapping for inbound static NAT.

Syntax

nat static inbound net-to-net global-start-address global-end-address [ vpn-instance global-vpn-instance-name ] local local-network { mask-length | mask } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ rule rule-name ] [ priority priority ] [ disable ] [ counting ]

undo nat static inbound net-to-net global-start-address global-end-address [ vpn-instance global-vpn-instance-name ] local local-network { mask-length | mask } [ vpn-instance local-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

global-start-address global-end-address: Specifies a public address range which can contain a maximum of 255 addresses. The global-end-address must not be lower than global-start-address. If they are the same, only one public address is specified.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP addresses belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option.

local-network: Specifies a private network address.

mask-length: Specifies the mask length of the private network address, in the range of 8 to 31.

mask: Specifies the mask of the private network address.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private network address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private network address does not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to identify the packets that can use the mapping.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal hosts to the external hosts. It uses the mapping to translate destination addresses for packets of these connections if the packets are permitted by ACL reverse matching.

rule rule-name: Specifies a name for the mapping, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the mapping does not have a name.

priority priority: Specifies a priority for the mapping, in the range of 0 to 2147483647. A smaller value represents a higher priority. If you do not specify this option, the mapping has the lowest priority among the same type of NAT rules.

disable: Disables the net-to-net inbound static mapping. If you do not specify this keyword, the mapping is enabled.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

Usage guidelines

Specify a public network through a start address and an end address, and a private network through a private address and a mask.

When the source address of a packet from the public network matches the public address range, the source address is translated into a private address in the private address range. When the destination address of a packet from the private network matches the private address range, the destination address is translated into a public address in the public address range.

The public end address cannot be greater than the greatest IP address in the subnet determined by the public start address and the private network mask. For example, if the private address is 2.2.2.0 with a mask 255.255.255.0 and the public start address is 1.1.1.100, the public end address cannot be greater than 1.1.1.255, the greatest IP address in the subnet 1.1.1.0/24.

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source addresses of all incoming packets and the destination addresses of all outgoing packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source addresses of incoming packets permitted by the ACL are translated. The destination addresses of packets are not translated for connections actively initiated by internal hosts to the external hosts.

·     If you specify both an ACL and the reversible keyword, the source addresses of incoming packets permitted by the ACL are translated. If packets of connections actively initiated by internal hosts to the external hosts are permitted by ACL reverse matching, the destination addresses are translated. ACL reverse matching works as follows:

○     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

○     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple inbound static NAT mappings by using the nat static inbound command and the nat static inbound net-to-net command.

The vpn-instance parameter is required if you deploy inbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Net-to-net mappings for inbound static NAT that are configured with the same priority value and an ACL are matched by using the ACLs in the mappings.

·     Mappings with named ACLs have higher priorities than mappings with unnamed ACLs.

·     Mappings with named ACLs are matched in alphabetical order of their ACL names.

·     Mappings with unnamed ACLs are matched in descending order of their ACL numbers.

Examples

# Configure an inbound static NAT mapping between public network address 202.100.1.0/24 and private network address 192.168.1.0/24.

<Sysname> system-view

[Sysname] nat static inbound net-to-net 202.100.1.1 202.100.1.255 local 192.168.1.0 24

Related commands

display nat all

display nat static

nat static enable

nat static inbound object-group

Use nat static inbound object-group to configure an object group-based inbound static NAT mapping.

Use undo nat static inbound object-group to remove an object group-based inbound static NAT mapping.

Syntax

nat static inbound object-group global-object-group-name [ vpn-instance global-vpn-instance-name ] object-group local-object-group-name [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ disable ] [ counting ]

undo nat static inbound object-group global-object-group-name [ vpn-instance global-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

object-group global-object-group-name: Specifies an object group of public IPv4 addresses. The global-object-group-name argument is a case-insensitive string of 1 to 31 characters.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP addresses belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option.

object-group local-object-group-name: Specifies an object group of private IPv4 addresses. The local-object-group-name argument is a case-insensitive string of 1 to 31 characters.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP addresses belong. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP addresses do not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to identify the packets that can use the mapping.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by internal hosts to the external hosts. It uses the mapping to translate destination addresses for packets of these connections if the packets are permitted by ACL reverse matching.

disable: Disables the object group-based inbound static mapping. If you do not specify this keyword, the mapping is enabled.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

Usage guidelines

This command specifies public and private IP addresses through IPv4 address object groups.

When the source address of a packet from the public network matches the public address object group, the source address is translated into a private address in the private address object group. When the destination address of a packet from the private network matches the private address object group, the destination address is translated into a public address in the public address object group.

When you specify object groups, follow these restrictions and guidelines:

·     The public or private IPv4 address object group can contain only one IPv4 address object.

·     The quantity of IPv4 addresses in the private IPv4 address object group cannot be smaller than that in the public IPv4 address object group.

·     The object in the private IPv4 address object group cannot be an address range.

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source addresses of all incoming packets and the destination addresses of all outgoing packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source addresses of incoming packets permitted by the ACL are translated. The destination addresses of packets are not translated for connections actively initiated by internal hosts to the external hosts.

·     If you specify both an ACL and the reversible keyword, the source addresses of incoming packets permitted by the ACL are translated. If packets of connections actively initiated by internal hosts to the external hosts are permitted by ACL reverse matching, the destination addresses are translated. ACL reverse matching works as follows:

○     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

○     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple inbound static NAT mappings by using the nat static inbound, nat static inbound net-to-net, and nat static inbound object-group commands.

The vpn-instance parameter is required if you deploy inbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

An IPv4 address object group used by an object group-based inbound static NAT mapping can only contain a host object or a subnet object. Otherwise, the configuration does not take effect.

Examples

# Configure an object group-based inbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.

<Sysname> system-view

[Sysname] object-group ip address global

[Sysname-obj-grp-ip-global] network host address 2.2.2.2

[Sysname-obj-grp-ip-global] quit

[Sysname] object-group ip address local

[Sysname-obj-grp-ip-local] network host address 192.168.1.1

[Sysname-obj-grp-ip-local] quit

[Sysname] nat static inbound object-group global object-group local

Related commands

display nat all

display nat static

nat static enable

nat static inbound rule move

Use nat static inbound rule move to change the priority of a one-to-one mapping for inbound static NAT.

Syntax

nat static inbound rule move nat-rule-name1 { after | before } nat-rule-name2

Views

System view

Predefined user roles

network-admin

Parameters

nat-rule-name1: Specifies the name of the mapping to be moved.

after: Places nat-rule-name1 behind nat-rule-name2 to set the priority of nat-rule-name1 to the priority of nat-rule-name2 plus 1.

before: Places nat-rule-name1 before nat-rule-name2 to set the priority of nat-rule-name1 to the priority of nat-rule-name2 minus 1.

nat-rule-name2: Specifies the name of the reference mapping.

Usage guidelines

This command applies only to one-to-one mappings for inbound static NAT that have names.

A smaller priority value represents a higher priority.

Examples

# Place the one-to-one inbound static NAT mapping abc before mapping def.

<Sysname> system-view

[Sysname] nat static inbound rule move abc before def

Related commands

nat static inbound

nat static outbound

Use nat static outbound to configure a one-to-one mapping for outbound static NAT.

Use undo nat static outbound to remove a one-to-one mapping for outbound static NAT.

Syntax

nat static outbound local-ip [ vpn-instance local-vpn-instance-name ] global-ip [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ rule rule-name ] [ priority priority ] [ disable ] [ counting ]

undo nat static outbound local-ip [ vpn-instance local-vpn-instance-name ] global-ip [ vpn-instance global-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

local-ip: Specifies a private IP address.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP address belongs. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP address does not belong to any VPN instance, do not specify this option.

global-ip: Specifies a public IP address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP address does not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to identify the packets that can use the mapping.

ipv4-acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by external hosts to the internal host. It uses the mapping to translate the destination address for packets of these connections if the packets are permitted by ACL reverse matching.

rule rule-name: Specifies a name for the mapping, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the mapping does not have a name.

priority priority: Specifies a priority for the mapping, in the range of 0 to 2147483647. A smaller value represents a higher priority. If you do not specify this option, the mapping has the lowest priority among the same type of NAT rules.

disable: Disables the one-to-one outbound static mapping. If you do not specify this keyword, the mapping is enabled.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

Usage guidelines

When the source IP address of an outgoing packet matches the local-ip, the IP address is translated into the global-ip. When the destination IP address of an incoming packet matches the global-ip, the destination IP address is translated into the local-ip.

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source address of all outgoing packets and the destination address of all incoming packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. The destination address of packets is not translated for connections actively initiated by external hosts to the internal host.

·     If you specify both an ACL and the reversible keyword, the source address of outgoing packets permitted by the ACL is translated. If packets of connections actively initiated by external hosts to the internal host are permitted by ACL reverse matching, the destination address is translated. ACL reverse matching works as follows:

○     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

○     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP address/port in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.

The vpn-instance parameter is required if you deploy outbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

One-to-one mappings for outbound static NAT that are configured with the same priority value and an ACL are matched by using the ACLs in the mappings.

·     Mappings with named ACLs have higher priorities than mappings with unnamed ACLs.

·     Mappings with named ACLs are matched in alphabetical order of their ACL names.

·     Mappings with unnamed ACLs are matched in descending order of their ACL numbers.

Examples

# Configure an outbound static NAT mapping between public IP address 2.2.2.2 and private IP address 192.168.1.1.

<Sysname> system-view

[Sysname] nat static outbound 192.168.1.1 2.2.2.2

# Configure outbound static NAT, and allow the internal user 192.168.1.1 to access the external network 3.3.3.0/24 by using the public IP address 2.2.2.2.

<Sysname> system-view

[Sysname] acl advanced 3001

[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255

[Sysname-acl-ipv4-adv-3001] quit

[Sysname] nat static outbound 192.168.1.1 2.2.2.2 acl 3001
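The ACL 3001 configuration above, modeled in Python to show what the reversible keyword changes for connections opened from outside. This is an added illustration, not H3C code: it covers only the first packet of a connection, leaves ports out because ACL 3001 matches on IP only, and every class, function and constant name (and the two peer addresses in the demo) is made up for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class AclRule:
    """A 'rule permit ip' entry (hypothetical model; IP match only, no ports)."""
    source: IPv4Network = ANY
    destination: IPv4Network = ANY


@dataclass(frozen=True)
class OutboundStaticNat:
    """nat static outbound local-ip global-ip [ acl ... [ reversible ] ]"""
    local_ip: IPv4Address
    global_ip: IPv4Address
    acl: Optional[Tuple[AclRule, ...]] = None  # None = no acl keyword
    reversible: bool = False


def translate_outgoing(m, src, dst):
    """Source address after NAT for a connection opened by the internal host."""
    if src != m.local_ip:
        return src
    if m.acl is None or any(src in r.source and dst in r.destination for r in m.acl):
        return m.global_ip
    return src


def translate_incoming(m, src, dst):
    """Destination address after NAT for a connection opened by an external host."""
    if dst != m.global_ip:
        return dst
    if m.acl is None:
        return m.local_ip      # no ACL: every incoming destination is translated
    if not m.reversible:
        return dst             # ACL without reversible: never translated
    translated = m.local_ip    # the second comparison uses the translated address
    for r in m.acl:
        # Reverse matching: packet source against the ACL destination,
        # translated packet destination against the ACL source.
        if src in r.destination and translated in r.source:
            return translated
    return dst


# Values from the page's example: 192.168.1.1 <-> 2.2.2.2, ACL 3001.
LOCAL = IPv4Address("192.168.1.1")
GLOBAL = IPv4Address("2.2.2.2")
ACL_3001 = (AclRule(destination=IPv4Network("3.3.3.0/24")),)
PLAIN = OutboundStaticNat(LOCAL, GLOBAL, ACL_3001)
REVERSIBLE = OutboundStaticNat(LOCAL, GLOBAL, ACL_3001, reversible=True)

if __name__ == "__main__":
    # Constructed external peers: one inside 3.3.3.0/24, one outside it.
    for peer in (IPv4Address("3.3.3.5"), IPv4Address("4.4.4.4")):
        for label, m in (("acl 3001", PLAIN), ("acl 3001 reversible", REVERSIBLE)):
            print(f"{peer} -> {GLOBAL} [{label}]: dst becomes "
                  f"{translate_incoming(m, peer, GLOBAL)}")
```

With reversible, hosts in 3.3.3.0/24 can open connections to 192.168.1.1 through 2.2.2.2, so the ACL's destination field doubles as the list of external sources allowed to reach the internal host.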

Related commands

display nat all

display nat static

nat static enable

nat static outbound net-to-net

Use nat static outbound net-to-net to configure a net-to-net outbound static NAT mapping.

Use undo nat static outbound net-to-net to remove the specified net-to-net outbound static NAT mapping.

Syntax

nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ] global global-network { mask-length | mask } [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ rule rule-name ] [ priority priority ] [ disable ] [ counting ]

undo nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ] global global-network { mask-length | mask } [ vpn-instance global-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

local-start-address local-end-address: Specifies a private address range which can contain a maximum of 255 addresses. The local-end-address must not be lower than local-start-address. If they are the same, only one private address is specified.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP addresses belong. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP addresses do not belong to any VPN instance, do not specify this option.

global-network: Specifies a public network address.

mask-length: Specifies the mask length of the public network address, in the range of 8 to 31.

mask: Specifies the mask of the public network address.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public network address belongs. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public network address does not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to identify the packets that can use the mapping.

ipv4-acl-number: Specifies an ACL number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by external hosts to the internal hosts. It uses the mapping to translate destination addresses for packets of these connections if the packets are permitted by ACL reverse matching.

rule rule-name: Specifies a name for the mapping, a case-sensitive string of 1 to 63 characters. It cannot contain backward slashes (\), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), vertical bars (|), quotation marks ("), or at signs (@). If you do not specify this option, the mapping does not have a name.

priority priority: Specifies a priority for the mapping, in the range of 0 to 2147483647. A smaller value represents a higher priority. If you do not specify this option, the mapping has the lowest priority among the same type of NAT rules.

disable: Disables the net-to-net outbound static mapping. If you do not specify this keyword, the mapping is enabled.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

Usage guidelines

Specify a private network through a start address and an end address, and a public network through a public address and a mask.

When the source IP address of a packet from the private network matches the private address range, the source IP address is translated into a public address in the public address range. When the destination IP address of a packet from the public network matches the public address range, the destination IP address is translated into a private address in the private address range.

The private end address cannot be greater than the greatest IP address in the subnet determined by the private start address and the public network mask. For example, the public address is 2.2.2.0 with a mask 255.255.255.0, and the private start address is 1.1.1.100. The private end address cannot be greater than 1.1.1.255, the greatest IP address in the subnet 1.1.1.0/24.
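The range rules stated for both net-to-net commands (inbound: public range checked against the private network mask; outbound: private range checked against the public network mask) can be checked offline against a saved configuration. The following Python sketch is an added example, not an H3C tool; the function names are hypothetical, and the last two sample lines are constructed to trip the rules.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Matches the leading part of both commands; trailing options (acl, rule,
# priority, ...) are ignored because the range rules do not depend on them.
NET_TO_NET = re.compile(
    r"^\s*nat static (inbound|outbound) net-to-net (\S+) (\S+)"
    r"(?: vpn-instance \S+)? (?:local|global) (\S+) (\S+)"
)


def check_range(start, end, mask):
    """Return the violated range rules (empty list = consistent).

    mask is the other side's mask as written in the command: a mask length
    ("24") or a dotted mask ("255.255.255.0").
    """
    first, last = IPv4Address(start), IPv4Address(end)
    if mask.isdigit() and not 8 <= int(mask) <= 31:
        return [f"mask length {mask} is outside 8-31"]
    if last < first:
        return ["end address is lower than start address"]
    problems = []
    if int(last) - int(first) + 1 > 255:
        problems.append("range holds more than 255 addresses")
    # Subnet determined by the start address and the other side's mask.
    subnet = IPv4Network(f"{first}/{mask}", strict=False)
    if last > subnet.broadcast_address:
        problems.append(
            f"end address is above {subnet.broadcast_address}, "
            f"the greatest address in {subnet}"
        )
    return problems


def audit(config_text):
    """Return (line_number, problems) for every net-to-net line found."""
    results = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        found = NET_TO_NET.match(line)
        if found:
            _direction, start, end, _network, mask = found.groups()
            results.append((number, check_range(start, end, mask)))
    return results


# Lines 1-2 are the page's own examples; lines 3-4 are constructed.
SAMPLE_CONFIG = """\
nat static inbound net-to-net 202.100.1.1 202.100.1.255 local 192.168.1.0 24
nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24 acl 3001
nat static inbound net-to-net 1.1.1.100 1.1.2.10 local 2.2.2.0 255.255.255.0
nat static outbound net-to-net 10.0.0.0 10.0.0.255 vpn-instance vpn1 global 2.2.3.0 24
"""

if __name__ == "__main__":
    for number, problems in audit(SAMPLE_CONFIG):
        print(number, "OK" if not problems else "; ".join(problems))
```

Line 3 stays under the 255-address limit (167 addresses) yet still fails, because the end address crosses out of 1.1.1.0/24.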

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source addresses of all outgoing packets and the destination addresses of all incoming packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source addresses of outgoing packets permitted by the ACL are translated. The destination addresses of packets are not translated for connections actively initiated by external hosts to the internal hosts.

·     If you specify both an ACL and the reversible keyword, the source addresses of outgoing packets permitted by the ACL are translated. If packets of connections actively initiated by external hosts to the internal hosts are permitted by ACL reverse matching, the destination addresses are translated. ACL reverse matching works as follows:

○     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

○     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple outbound static NAT mappings by using the nat static outbound command and the nat static outbound net-to-net command.

The vpn-instance parameter is required if you deploy outbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

Net-to-net mappings for outbound static NAT that are configured with the same priority value and an ACL are matched by using the ACLs in the mappings.

·     Mappings with named ACLs have higher priorities than mappings with unnamed ACLs.

·     Mappings with named ACLs are matched in alphabetical order of their ACL names.

·     Mappings with unnamed ACLs are matched in descending order of their ACL numbers.

Examples

# Configure an outbound static NAT mapping between private network address 192.168.1.0/24 and public network address 2.2.2.0/24.

<Sysname> system-view

[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24

# Configure outbound static NAT. Allow internal users on subnet 192.168.1.0/24 to access the external subnet 3.3.3.0/24 by using public IP addresses on subnet 2.2.2.0/24.

<Sysname> system-view

[Sysname] acl advanced 3001

[Sysname-acl-ipv4-adv-3001] rule permit ip destination 3.3.3.0 0.0.0.255

[Sysname-acl-ipv4-adv-3001] quit

[Sysname] nat static outbound net-to-net 192.168.1.1 192.168.1.255 global 2.2.2.0 24 acl 3001

Related commands

display nat all

display nat static

nat static enable

nat static outbound object-group

Use nat static outbound object-group to configure an object group-based outbound static NAT mapping.

Use undo nat static outbound object-group to remove an object group-based outbound static NAT mapping.

Syntax

nat static outbound object-group local-object-group-name [ vpn-instance local-vpn-instance-name ] object-group global-object-group-name [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ] [ disable ] [ counting ]

undo nat static outbound object-group local-object-group-name [ vpn-instance local-vpn-instance-name ]

Default

No NAT mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

object-group local-object-group-name: Specifies an object group of private IPv4 addresses. The local-object-group-name argument is a case-insensitive string of 1 to 31 characters.

vpn-instance local-vpn-instance-name: Specifies the MPLS L3VPN instance to which the private IP addresses belong. The local-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the private IP addresses do not belong to any VPN instance, do not specify this option.

object-group global-object-group-name: Specifies an object group of public IPv4 addresses. The global-object-group-name argument is a case-insensitive string of 1 to 31 characters.

vpn-instance global-vpn-instance-name: Specifies the MPLS L3VPN instance to which the public IP addresses belong. The global-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the public IP addresses do not belong to any VPN instance, do not specify this option.

acl: Specifies an ACL to identify the packets that can use the mapping.

ipv4-acl-number: Specifies an ACL number in the range of 2000 to 3999.

name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

reversible: Allows reverse address translation. Reverse address translation applies to connections actively initiated by external hosts to the internal hosts. It uses the mapping to translate destination addresses for packets of these connections if the packets are permitted by ACL reverse matching.

disable: Disables the object group-based outbound static mapping. If you do not specify this keyword, the mapping is enabled.

counting: Enables NAT counting. The number of flows that use the address mapping is counted.

Usage guidelines

This command specifies public and private IP addresses through IPv4 address object groups.

When the source address of a packet from the private network matches the private address object group, the source address is translated into a public address in the public address object group. When the destination address of a packet from the public network matches the public address object group, the destination address is translated into a private address in the private address object group.

When you specify object groups, follow these restrictions and guidelines:

·     The public or private IPv4 address object group can contain only one IPv4 address object.

·     The quantity of IPv4 addresses in the private IPv4 address object group cannot be larger than that in the public IPv4 address object group.

·     The object in the public IPv4 address object group cannot be an address range.

When you specify an ACL, follow these restrictions and guidelines:

·     If you do not specify an ACL, the source addresses of all outgoing packets and the destination addresses of all incoming packets are translated.

·     If you specify an ACL and do not specify the reversible keyword, the source addresses of outgoing packets permitted by the ACL are translated. The destination addresses of packets are not translated for connections actively initiated by external hosts to the internal hosts.

·     If you specify both an ACL and the reversible keyword, the source addresses of outgoing packets permitted by the ACL are translated. If packets of connections actively initiated by external hosts to the internal hosts are permitted by ACL reverse matching, the destination addresses are translated. ACL reverse matching works as follows:

○     Compares the source IP address/port of a packet with the destination IP addresses/ports in the ACL.

○     Translates the destination IP address of the packet according to the mapping, and then compares the translated destination IP address/port with the source IP addresses/ports in the ACL.

Static NAT takes precedence over dynamic NAT when both are configured on an interface.

You can configure multiple outbound static NAT mappings by using the nat static outbound, nat static outbound net-to-net, and nat static outbound object-group commands.

The vpn-instance parameter is required if you deploy outbound static NAT for VPNs. The specified VPN instance must be the VPN instance to which the NAT interface belongs.

An IPv4 address object group used by an object group-based outbound static NAT mapping can only contain a host object or a subnet object. Otherwise, the configuration does not take effect.

Examples

# Configure an object group-based outbound static NAT mapping between private IP address 192.168.1.1 and public IP address 2.2.2.2.

<Sysname> system-view

[Sysname] object-group ip address global

[Sysname-obj-grp-ip-global] network host address 2.2.2.2

[Sysname-obj-grp-ip-global] quit

[Sysname] object-group ip address local

[Sysname-obj-grp-ip-local] network host address 192.168.1.1

[Sysname-obj-grp-ip-local] quit

[Sysname] nat static outbound object-group local object-group global

Related commands

display nat all

display nat static

nat static outbound rule move

Use nat static outbound rule move to change the priority of a one-to-one mapping for outbound static NAT.

Syntax

nat static outbound rule move nat-rule-name1 { after | before } nat-rule-name2

Views

System view

Predefined user roles

network-admin

Parameters

nat-rule-name1: Specifies the name of the mapping to be moved.

after: Places nat-rule-name1 behind nat-rule-name2 to set the priority of nat-rule-name1 to the priority of nat-rule-name2 plus 1.

before: Places nat-rule-name1 before nat-rule-name2 to set the priority of nat-rule-name1 to the priority of nat-rule-name2 minus 1.

nat-rule-name2: Specifies the name of the reference mapping.

Usage guidelines

This command applies only to named one-to-one mappings for outbound static NAT.

A smaller priority value represents a higher priority.

Examples

# Place the one-to-one outbound static NAT mapping abc before the mapping def.

<Sysname> system-view

[Sysname] nat static outbound rule move abc before def

Related commands

nat static outbound

nat timestamp delete

Use nat timestamp delete to enable the deletion of timestamps in TCP SYN and SYN ACK packets.

Use undo nat timestamp delete to restore the default.

Syntax

nat timestamp delete [ vpn-instance vpn-instance-name ]

undo nat timestamp delete [ vpn-instance vpn-instance-name ]

Default

The TCP SYN and SYN ACK packets carry the timestamp.

Views

System view

Predefined user roles

network-admin

Parameters

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the TCP SYN and SYN ACK packets belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify this option, this command applies to TCP SYN and SYN ACK packets on the public network.

Usage guidelines

With this feature configured, the system deletes the timestamps from the TCP SYN and SYN ACK packets after dynamic address translation.

If PAT mode is configured on an interface by using nat inbound or nat outbound, and the tcp_timestamps and tcp_tw_recycle functions are enabled on the TCP server, TCP connections might not be established. To solve the problem, disable the tcp_tw_recycle function on the server or configure the nat timestamp delete command.

You can enable this feature for multiple VPN instances by repeating the command with different VPN parameters.
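The PAT and tcp_tw_recycle interaction described above can be shown with a simplified model. This is an added example, not H3C or Linux code: the Server class only approximates the per-source-address timestamp check, the PAWS_MSL and PAWS_WINDOW values are model parameters, the inside hosts and their timestamp values are constructed, and 32-bit timestamp wraparound is ignored.

```python
from dataclasses import dataclass, field
from typing import Optional

PAWS_MSL = 60     # seconds a remembered timestamp stays relevant (model parameter)
PAWS_WINDOW = 1   # tolerated backwards step in timestamp ticks (model parameter)


@dataclass
class Syn:
    src_ip: str
    src_port: int
    tsval: Optional[int]  # None means the SYN carries no TCP timestamp option


@dataclass
class Server:
    """TCP server that remembers the last timestamp seen per source IP address."""
    tw_recycle: bool = True
    last_seen: dict = field(default_factory=dict)  # src_ip -> (tsval, arrival time)

    def on_syn(self, syn: Syn, now: float) -> bool:
        """Return True if the SYN is accepted, False if it is silently dropped."""
        if self.tw_recycle and syn.tsval is not None:
            prev = self.last_seen.get(syn.src_ip)
            if prev is not None:
                prev_ts, prev_time = prev
                # A timestamp that appears to go backwards for this source
                # address is treated as an old duplicate and dropped.
                if now - prev_time < PAWS_MSL and prev_ts - syn.tsval > PAWS_WINDOW:
                    return False
            self.last_seen[syn.src_ip] = (syn.tsval, now)
        return True


def pat(syn: Syn, public_ip: str, public_port: int, delete_timestamp: bool) -> Syn:
    """PAT: every inside host leaves with the same public source address.

    With delete_timestamp=True the timestamp option is removed after translation,
    which is what nat timestamp delete does for SYN and SYN ACK packets.
    """
    return Syn(public_ip, public_port, None if delete_timestamp else syn.tsval)


# Constructed sample: inside hosts whose timestamp clocks are unrelated.
CLIENT_SYNS = [
    (0.0, Syn("192.168.1.10", 40000, 9_000_000)),
    (1.0, Syn("192.168.1.11", 40001, 120_000)),
    (2.0, Syn("192.168.1.12", 40002, 9_500_000)),
    (3.0, Syn("192.168.1.11", 40003, 123_000)),
]


def run(tw_recycle: bool, delete_timestamp: bool, public_ip: str = "2.2.2.2"):
    """Send every sample SYN through PAT to one server; return (inside host, accepted)."""
    server = Server(tw_recycle=tw_recycle)
    results = []
    for i, (now, syn) in enumerate(CLIENT_SYNS):
        translated = pat(syn, public_ip, 1024 + i, delete_timestamp)
        results.append((syn.src_ip, server.on_syn(translated, now)))
    return results


if __name__ == "__main__":
    for label, recycle, strip in [
        ("tcp_tw_recycle on, timestamps kept", True, False),
        ("tcp_tw_recycle on, nat timestamp delete", True, True),
        ("tcp_tw_recycle off, timestamps kept", False, False),
    ]:
        print(label)
        for host, accepted in run(recycle, strip):
            print(f"  {host:<14} {'accepted' if accepted else 'dropped'}")
```

In the first scenario the host whose clock is behind the others is dropped on every attempt, which from the inside looks like an intermittent, host-specific connection failure.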

Examples

# Enable the deletion of the timestamp for TCP SYN and SYN ACK packets on the public network.

<Sysname> system-view

[Sysname] nat timestamp delete

# Enable the deletion of the timestamp for TCP SYN and SYN ACK packets on the VPN instance aa.

<Sysname> system-view

[Sysname] nat timestamp delete vpn-instance aa

Related commands

nat outbound

nat inbound

nat redirect reply-route

Use nat redirect reply-route enable to enable NAT reply redirection.

Use undo nat redirect reply-route enable to disable NAT reply redirection.

Syntax

nat redirect reply-route enable

undo nat redirect reply-route enable

Default

NAT reply redirection is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

NAT reply redirection allows an interface to use the NAT session entry information to translate the destination IP addresses for NAT reply packets and find the output interfaces for the NATed reply packets.

Examples

# Enable NAT reply redirection on GigabitEthernet 1/0/2.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/2

[Sysname-GigabitEthernet1/0/2] nat redirect reply-route enable

port-block

Use port-block to configure port block parameters for a NAT address group.

Use undo port-block to restore the default.

Syntax

port-block block-size block-size [ extended-block-number extended-block-number ]

undo port-block

Default

Port block parameters are not configured for a NAT address group.

Views

NAT address group view

Predefined user roles

network-admin

Parameters

block-size block-size: Specifies the port block size. The value range for this argument is 1 to 65535. In a NAT address group, the port block size cannot be larger than the number of ports in the port range.

extended-block-number extended-block-number: Specifies the number of extended port blocks, in the range of 1 to 5. When a private IP address accesses the public network, but the ports in the selected port block are all occupied, the NAT444 gateway extends port blocks one by one for the private IP address.

Usage guidelines

To configure dynamic NAT444, port block parameters are required in the NAT address group. When a private IP address initiates a connection to the public network, the NAT444 gateway assigns it a public IP address and a port block, and creates an entry for the mapping. For subsequent connections from the private IP address, the NAT444 gateway translates the private IP address to the mapped public IP address and the ports to ports in the selected port block.

Examples

# Set the port block size to 256 and the number of extended port blocks to 1 in NAT address group 2.

<Sysname> system-view

[Sysname] nat address-group 2

[Sysname-address-group-2] port-block block-size 256 extended-block-number 1

Related commands

nat address-group

port-range

Use port-range to specify a port range for public IP addresses.

Use undo port-range to restore the default.

Syntax

port-range start-port-number end-port-number

undo port-range

Default

The port range for public IP addresses is 1 to 65535.

Views

NAT address group view

NAT port block group view

Predefined user roles

network-admin

Parameters

start-port-number end-port-number: Specifies the start port number and end port number for the port range. The end port number cannot be smaller than the start port number.

Usage guidelines

The port range must include all ports that public IP addresses use for address translation.

The number of ports in a port range cannot be smaller than the port block size.
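The port-block and port-range rules above, together with the dynamic NAT444 behavior described under port-block, can be modeled as follows. This is an added example, not H3C code: the class and method names are hypothetical, the addresses are constructed, and the model assumes that blocks are carved contiguously from the start of the port range, that extended blocks come from the same public IP address, and that ports are never released.

```python
from dataclasses import dataclass


@dataclass
class AddressGroup:
    public_ips: list
    block_size: int            # port-block block-size
    extended_blocks: int = 0   # extended-block-number; 0 = not configured
    port_start: int = 1        # port-range default on the page: 1 to 65535
    port_end: int = 65535

    def __post_init__(self):
        # Value ranges and cross-checks as stated in the command reference.
        if not 1 <= self.block_size <= 65535:
            raise ValueError("block-size must be 1 to 65535")
        if self.extended_blocks and not 1 <= self.extended_blocks <= 5:
            raise ValueError("extended-block-number must be 1 to 5")
        if self.port_end < self.port_start:
            raise ValueError("end port cannot be smaller than start port")
        if self.block_size > self.ports_in_range:
            raise ValueError("block size exceeds the number of ports in the port range")

    @property
    def ports_in_range(self):
        return self.port_end - self.port_start + 1


class Nat444:
    """Toy dynamic NAT444 gateway: one port block per private IP, extended on demand."""

    def __init__(self, group):
        self.group = group
        per_ip = group.ports_in_range // group.block_size
        # Free blocks as (public_ip, first_port); contiguous layout is an assumption.
        self.free = [(ip, group.port_start + i * group.block_size)
                     for ip in group.public_ips for i in range(per_ip)]
        self.blocks = {}   # private_ip -> list of owned (public_ip, first_port)
        self.used = {}     # private_ip -> number of ports handed out so far

    def connect(self, private_ip):
        """Return (public_ip, public_port) for a new connection, or None if exhausted."""
        g = self.group
        owned = self.blocks.setdefault(private_ip, [])
        n = self.used.get(private_ip, 0)
        if n == len(owned) * g.block_size:          # first connection or all ports occupied
            if len(owned) >= 1 + g.extended_blocks:
                return None                         # no further extension allowed
            pub = owned[0][0] if owned else None    # stay on the mapped public IP
            idx = next((i for i, (ip, _) in enumerate(self.free)
                        if pub in (None, ip)), None)
            if idx is None:
                return None                         # no free block left
            owned.append(self.free.pop(idx))
        ip, first = owned[n // g.block_size]
        self.used[private_ip] = n + 1
        return ip, first + n % g.block_size

    def owner_of(self, public_ip, public_port):
        """Map a logged public IP and port back to the private IP that owns the block."""
        for private_ip, owned in self.blocks.items():
            for ip, first in owned:
                if ip == public_ip and first <= public_port < first + self.group.block_size:
                    return private_ip
        return None


if __name__ == "__main__":
    # Constructed values: a 16-port range split into blocks of 4, one extended block.
    group = AddressGroup(["2.2.2.2"], block_size=4, extended_blocks=1,
                         port_start=1024, port_end=1039)
    nat = Nat444(group)
    for attempt in range(1, 10):
        print(attempt, nat.connect("10.0.0.1"))
    print(nat.owner_of("2.2.2.2", 1030))
```

Because each private IP address is confined to its blocks, owner_of shows how a public address and port seen in an external log can be attributed to one inside host from the block mapping alone.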

Examples

# Specify the port range as 1024 to 65535 for NAT address group 1.

<Sysname> system-view

[Sysname] nat address-group 1

[Sysname-address-group-1] port-range 1024 65535

# Specify the port range as 30001 to 65535 for NAT port block group 1.

<Sysname> system-view

[Sysname] nat port-block-group 1

[Sysname-port-block-group-1] port-range 30001 65535

Related commands

nat address-group

nat port-block-group

reset nat count statistics

Use reset nat count statistics to clear NAT counting statistics.

Syntax

reset nat count statistics { all | dynamic | server | static | static-port-block }

Views

User view

Predefined user roles

network-admin

Parameters

all: Clears all counting statistics for NAT mappings.

dynamic: Clears counting statistics for dynamic NAT mappings.

server: Clears counting statistics for NAT server mappings.

static: Clears counting statistics for static NAT mappings.

static-port-block: Clears counting statistics for NAT444 mappings.

Examples

# Clear all NAT counting statistics.

<Sysname> reset nat count statistics all

Related commands

display nat inbound

display nat outbound

display nat outbound port-block-group

display nat port-block

display nat static

display nat server

reset nat session

Use reset nat session to clear NAT sessions.

Syntax

Centralized devices in standalone mode:

reset nat session

Distributed devices in standalone mode/centralized devices in IRF mode:

reset nat session [ slot slot-number ]

Distributed devices in IRF mode:

reset nat session [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears NAT sessions for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears NAT sessions for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears NAT sessions for all cards. (Distributed devices in IRF mode.)

Usage guidelines

After you clear the NAT sessions, the corresponding NAT EIM table and NO-PAT table are cleared at the same time.

Examples

# (Centralized devices in standalone mode.) Clear all NAT sessions.

<Sysname> reset nat session

# (Distributed devices in standalone mode.) Clear NAT sessions of slot 1.

<Sysname> reset nat session slot 1

# (Centralized devices in IRF mode.) Clear NAT sessions of slot 1.

<Sysname> reset nat session slot 1

# (Distributed devices in IRF mode.) Clear NAT sessions of slot 0 on chassis 1.

<Sysname> reset nat session chassis 1 slot 0

Related commands

display nat session

 


Basic IP forwarding commands

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

display fib

Use display fib to display FIB entries. Each FIB entry contains a destination IP address/mask, next hop, and output interface.

Syntax

display fib [ topology topology-name | vpn-instance vpn-instance-name ] [ ip-address [ mask | mask-length ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

topology topology-name: Specifies a topology by its name, a case-sensitive string of 1 to 31 characters. To specify a public topology, use base as the topology name. To display FIB entries for the public network, do not specify this option.

vpn-instance vpn-instance-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters. To display the FIB entries for the public network, do not specify any VPN.

ip-address: Displays the FIB entry that matches the specified destination IP address.

mask: Specifies the mask for the IP address.

mask-length: Specifies the mask length for the IP address. The value range is 0 to 32.

Usage guidelines

The following matrix shows the topology topology-name option and hardware compatibility:

 

Hardware                                                                 Option compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK   Yes
MSR810-LMS/810-LUS                                                       No
MSR2600-6-X1/2600-10-X1                                                  Yes
MSR 2630                                                                 Yes
MSR3600-28/3600-51                                                       Yes
MSR3600-28-SI/3600-51-SI                                                 No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                           Yes
MSR 3610/3620/3620-DP/3640/3660                                          Yes
MSR5620/5660/5680                                                        Yes

Hardware           Option compatibility
MSR810-LM-GL       Yes
MSR810-W-LM-GL     Yes
MSR830-6EI-GL      Yes
MSR830-10EI-GL     Yes
MSR830-6HI-GL      Yes
MSR830-10HI-GL     Yes
MSR2600-6-X1-GL    Yes
MSR3600-28-SI-GL   No

 

If you specify an IP address without a mask or mask length, this command displays the longest matching FIB entry.

If you specify an IP address and a mask or mask length, this command displays the exactly matching FIB entry.

Examples

# Display FIB entries for the topology mt.

<Sysname> display fib topology mt

 

Destination count: 8 FIB entry count: 8

 

Flag:

  U:Useable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static

  R:Relay     F:FRR

 

Destination/Mask   Nexthop         Flag     OutInterface/Token       Label

0.0.0.0/32         127.0.0.1       UH       InLoop0                  Null

127.0.0.0/8        127.0.0.1       U        InLoop0                  Null

127.0.0.0/32       127.0.0.1       UH       InLoop0                  Null

127.0.0.1/32       127.0.0.1       UH       InLoop0                  Null

127.255.255.255/32 127.0.0.1       UH       InLoop0                  Null

224.0.0.0/4        0.0.0.0         UB       NULL0                    Null

224.0.0.0/24       0.0.0.0         UB       NULL0                    Null

255.255.255.255/32 127.0.0.1       UH       InLoop0                  Null

# Display all FIB entries of the public network.

<Sysname> display fib

 

Destination count: 5 FIB entry count: 5

 

Flag:

  U:Useable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static

  R:Relay     F:FRR

 

Destination/Mask   Nexthop         Flag     OutInterface/Token       Label

0.0.0.0/32         127.0.0.1       UH       InLoop0                  Null

1.1.1.0/24         192.168.126.1   USGF     M-GE0/0/0                Null

127.0.0.0/8        127.0.0.1       U        InLoop0                  Null

127.0.0.0/32       127.0.0.1       UH       InLoop0                  Null

127.0.0.1/32       127.0.0.1       UH       InLoop0                  Null

# Display the FIB entries for VPN vpn1.

<Sysname> display fib vpn-instance vpn1

Destination count: 6 FIB entry count: 6

 

Flag:

  U:Useable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static

  R:Relay     F:FRR

 

Destination/Mask   Nexthop         Flag     OutInterface/Token      Label

0.0.0.0/32         127.0.0.1       UH       InLoop0                  Null

20.20.20.0/24      20.20.20.25     U        M-GE0/0/0                Null

20.20.20.0/32      20.20.20.25     UBH      M-GE0/0/0                Null

20.20.20.25/32     127.0.0.1       UH       InLoop0                  Null

20.20.20.25/32     20.20.20.25     H        M-GE0/0/0                Null

20.20.20.255/32    20.20.20.25     UBH      M-GE0/0/0                Null

# Display the FIB entries matching the destination IP address 10.2.1.1.

<Sysname> display fib 10.2.1.1

 

Destination count: 1 FIB entry count: 1

 

Flag:

  U:Useable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static

  R:Relay     F:FRR

 

Destination/Mask   Nexthop         Flag     OutInterface/Token       Label

10.2.1.1/32        127.0.0.1       UH       InLoop0                  Null

Table 50 Command output

Field               Description
Destination count   Total number of destination addresses.
FIB entry count     Total number of FIB entries.
Destination/Mask    Destination address and the mask length.
Nexthop             Next hop address.
Flag                Flags of routes:
                    ·     U—Usable route.
                    ·     G—Gateway route.
                    ·     H—Host route.
                    ·     B—Blackhole route.
                    ·     D—Dynamic route.
                    ·     S—Static route.
                    ·     R—Relay route.
                    ·     F—Fast reroute.
OutInterface/Token  Output interface/LSP index number.
Label               Inner label.
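The two lookup modes of display fib (longest match when only an IP address is given, exact match when a mask or mask length is added) can be reproduced offline against captured output. This is an added example, not H3C code: the function names are hypothetical, the sample text is the display fib vpn-instance vpn1 output shown above, and treating ip-address plus mask as the network they define is an assumption of the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Flag letters from the "Flag:" legend of the command output.
FLAG_NAMES = {"U": "Usable", "G": "Gateway", "H": "Host", "B": "Blackhole",
              "D": "Dynamic", "S": "Static", "R": "Relay", "F": "FRR"}

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+/\d+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\S+)\s*$")
COUNT = re.compile(r"FIB entry count:\s*(\d+)")

# Sample input: the vpn1 output from the Examples section of this command.
SAMPLE = """\
Destination count: 6 FIB entry count: 6

Flag:
  U:Useable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static
  R:Relay     F:FRR

Destination/Mask   Nexthop         Flag     OutInterface/Token      Label
0.0.0.0/32         127.0.0.1       UH       InLoop0                  Null
20.20.20.0/24      20.20.20.25     U        M-GE0/0/0                Null
20.20.20.0/32      20.20.20.25     UBH      M-GE0/0/0                Null
20.20.20.25/32     127.0.0.1       UH       InLoop0                  Null
20.20.20.25/32     20.20.20.25     H        M-GE0/0/0                Null
20.20.20.255/32    20.20.20.25     UBH      M-GE0/0/0                Null
"""


@dataclass(frozen=True)
class FibEntry:
    prefix: ipaddress.IPv4Network
    nexthop: str
    flags: frozenset
    out_if: str
    label: str


def parse_display_fib(text):
    """Parse display fib output; fail loudly on truncated or unrecognized data."""
    entries, declared = [], None
    for line in text.splitlines():
        m = COUNT.search(line)
        if m:
            declared = int(m.group(1))
            continue
        m = ROW.match(line)
        if not m:
            continue  # blank lines, flag legend, column header
        dest, nexthop, flags, out_if, label = m.groups()
        unknown = set(flags) - set(FLAG_NAMES)
        if unknown:
            raise ValueError(f"unknown flag(s) {sorted(unknown)} in: {line!r}")
        entries.append(FibEntry(ipaddress.ip_network(dest, strict=False),
                                nexthop, frozenset(flags), out_if, label))
    if declared is not None and declared != len(entries):
        raise ValueError(f"header declares {declared} entries, parsed {len(entries)}")
    return entries


def lookup(entries, ip, mask=None):
    """Without mask: longest matching entries. With mask or mask length: exact match."""
    if mask is not None:
        wanted = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        return [e for e in entries if e.prefix == wanted]
    addr = ipaddress.ip_address(ip)
    covering = [e for e in entries if addr in e.prefix]
    if not covering:
        return []
    best = max(e.prefix.prefixlen for e in covering)
    return [e for e in covering if e.prefix.prefixlen == best]


def blackholed(entries, ip):
    """True if the longest match for ip carries the B (blackhole) flag."""
    return any("B" in e.flags for e in lookup(entries, ip))


if __name__ == "__main__":
    fib = parse_display_fib(SAMPLE)
    for target in ("20.20.20.7", "20.20.20.25", "20.20.20.255", "8.8.8.8"):
        hits = lookup(fib, target)
        print(target, [(str(e.prefix), e.out_if, "".join(sorted(e.flags))) for e in hits])
```

The parser raises an error when the row count does not match the FIB entry count in the header, so a truncated capture is not mistaken for a complete table during a routing audit.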

 

ip last-hop hold

Use ip last-hop hold to enable last hop holding.

Use undo ip last-hop hold to disable last hop holding.

Syntax

ip last-hop hold

undo ip last-hop hold

Default

Last hop holding is disabled.

Views

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Predefined user roles

network-admin

Usage guidelines

Last hop holding implements symmetric routing. It tracks the last hop MAC address for the first incoming IP packet of a connection, and it sends the return packets to the hop that transmits the request.

Last hop holding is based on fast forwarding entries. If the MAC address of a last hop changes, this feature can function correctly only after the fast forwarding entry is updated for the MAC address.

This command is not applicable to an MPLS network.

Examples

# Enable the last hop holding feature.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ip last-hop hold


Load sharing commands

bandwidth-based-sharing

Use bandwidth-based-sharing to enable IPv4 load sharing based on bandwidth.

Use undo bandwidth-based-sharing to disable IPv4 load sharing based on bandwidth.

Syntax

bandwidth-based-sharing

undo bandwidth-based-sharing

Default

The IPv4 load sharing based on bandwidth is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature load shares flow traffic among multiple output interfaces based on their load percentages. The device calculates the load percentage of each output interface from its expected bandwidth.

Devices that run load sharing protocols, such as Locator/ID Separation Protocol (LISP), implement load sharing based on the ratios defined by these protocols.

Examples

# Enable IPv4 load sharing based on bandwidth.

<Sysname> system-view

[Sysname] bandwidth-based-sharing

ip load-sharing mode

Use ip load-sharing mode to configure the load sharing mode.

Use undo ip load-sharing mode to restore the default.

Syntax

Centralized devices in standalone mode:

ip load-sharing mode { per-flow [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * | per-packet } global

undo ip load-sharing mode global

Distributed devices in standalone mode/centralized devices in IRF mode:

ip load-sharing mode { per-flow [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * | per-packet } { global | slot slot-number }

undo ip load-sharing mode { global | slot slot-number }

Distributed devices in IRF mode:

ip load-sharing mode { per-flow [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * | per-packet } { chassis chassis-number slot slot-number | global }

undo ip load-sharing mode { chassis chassis-number slot slot-number | global }

Default

The device does not perform load sharing.

Views

System view

Predefined user roles

network-admin

Parameters

per-flow: Implements per-flow load sharing.

dest-ip: Identifies flows by destination IP address.

dest-port: Identifies flows by destination port.

ip-pro: Identifies flows by protocol number.

src-ip: Identifies flows by source IP address.

src-port: Identifies flows by source port.

global: Configures the load sharing mode globally.

per-packet: Implements per-packet load sharing.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command configures the load sharing mode for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command configures the load sharing mode for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command configures the load sharing mode for all cards. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Configure per-packet load sharing.

<Sysname> system-view

[Sysname] ip load-sharing mode per-packet global

# (Distributed devices in standalone mode.) Configure per-packet load sharing for the card in slot 2.

<Sysname> system-view

[Sysname] ip load-sharing mode per-packet slot 2

# (Centralized devices in IRF mode.) Configure per-packet load sharing for IRF member device 2.

<Sysname> system-view

[Sysname] ip load-sharing mode per-packet slot 2

# (Distributed devices in IRF mode.) Configure per-packet load sharing for the card in slot 2 of IRF member device 1.

<Sysname> system-view

[Sysname] ip load-sharing mode per-packet chassis 1 slot 2

 


Fast forwarding commands

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

·     MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

display ip fast-forwarding aging-time

Use display ip fast-forwarding aging-time to display the aging time of fast forwarding entries.

Syntax

display ip fast-forwarding aging-time

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the aging time of fast forwarding entries.

<Sysname> display ip fast-forwarding aging-time

 Aging time: 30s

Related commands

ip fast-forwarding aging-time

display ip fast-forwarding cache

Use display ip fast-forwarding cache to display fast forwarding entries.

Syntax

Centralized devices in standalone mode:

display ip fast-forwarding cache [ ip-address ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display ip fast-forwarding cache [ ip-address ] [ slot slot-number ]

Distributed devices in IRF mode:

display ip fast-forwarding cache [ ip-address ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip-address: Specifies an IP address. If you do not specify an IP address, this command displays all fast forwarding entries.

slot slot-number: Specifies a card by the slot number. If you do not specify a card, this command displays fast forwarding entries for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays fast forwarding entries for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays fast forwarding entries for all cards. (Distributed devices in IRF mode.)

Usage guidelines

Each fast forwarding entry includes the following information for a data flow:

·     Source IP address.

·     Source port number.

·     Destination IP address.

·     Destination port number.

·     Protocol number.

·     Input and output interfaces.

·     Internal tag.

Examples

# Display all fast forwarding entries.

<Sysname> display ip fast-forwarding cache

Total number of fast-forwarding entries: 3

SIP            SPort DIP            DPort Pro Input_If   Output_If   Flg

7.0.0.13       68    8.0.0.1        67    17  GE1/0/3    GE1/0/1      5

8.0.0.1        67    7.0.0.13       68    17  GE1/0/1    GE1/0/3      5

8.0.0.1        8     7.0.0.13       0     1   GE1/0/2    GE1/0/3      5

Table 51 Command output

Field      Description
SIP        Source IP address.
SPort      Source port number.
DIP        Destination IP address.
DPort      Destination port number.
Pro        Protocol number.
Input_If   Input interface type and number.
           If no interface is involved in fast forwarding, this field displays N/A.
           If the input interface does not exist, this field displays a hyphen (-).
Output_If  Output interface type and number.
           If no interface is involved in fast forwarding, this field displays N/A.
           If the output interface does not exist, this field displays a hyphen (-).
Flg        Internal tag, marking internal operation information, such as fragmentation.

 

Related commands

reset ip fast-forwarding cache

display ip fast-forwarding fragcache

Use display ip fast-forwarding fragcache to display fast forwarding entries for fragmented packets.

Syntax

Centralized devices in standalone mode:

display ip fast-forwarding fragcache [ ip-address ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display ip fast-forwarding fragcache [ ip-address ] [ slot slot-number ]

Distributed devices in IRF mode:

display ip fast-forwarding fragcache [ ip-address ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip-address: Specifies an IP address. If you do not specify an IP address, this command displays fast forwarding entries for all fragmented packets.

slot slot-number: Specifies a card by the slot number. If you do not specify a card, this command displays fast forwarding entries for fragmented packets on all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays fast forwarding entries for fragmented packets on all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays fast forwarding entries for fragmented packets on all cards. (Distributed devices in IRF mode.)

Usage guidelines

This command displays fast forwarding entries for fragmented packets. Each fast forwarding entry for fragmented packets includes the following information:

·     Source IP address.

·     Source port number.

·     Destination IP address.

·     Destination port number.

·     Protocol number.

·     Input interface.

·     Fragment ID.

Examples

# Display fast forwarding entries for all fragmented packets.

<Sysname> display ip fast-forwarding fragcache

Total number of fragment fast-forwarding entries: 3

SIP             SPort DIP             DPort Pro Input_If    ID

7.0.0.13        68    8.0.0.1         67    17  GE1/0/3     2

8.0.0.1         67    7.0.0.13        68    17  GE1/0/1     3

8.0.0.1         8     7.0.0.13        0     1   GE1/0/2     5

Table 52 Command output

Field      Description
SIP        Source IP address.
SPort      Source port number.
DIP        Destination IP address.
DPort      Destination port number.
Pro        Protocol number.
Input_If   Input interface type and number.
           If no interface is involved in fast forwarding, this field displays N/A.
           If the input interface does not exist, this field displays a hyphen (-).
ID         Fragment ID.

 

Related commands

reset ip fast-forwarding cache

ip fast-forwarding aging-time

Use ip fast-forwarding aging-time to configure the aging time for fast forwarding entries.

Use undo ip fast-forwarding aging-time to restore the default.

Syntax

ip fast-forwarding aging-time aging-time

undo ip fast-forwarding aging-time

Default

The aging time is 30 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

aging-time: Specifies the aging time in the range of 10 to 300 seconds.

Examples

# Set the aging time to 20 seconds for fast forwarding entries.

<Sysname> system-view

[Sysname] ip fast-forwarding aging-time 20

Related commands

display ip fast-forwarding aging-time

ip fast-forwarding dscp

Use ip fast-forwarding dscp to enable DSCP-based fast forwarding for GRE and VXLAN packets.

Use undo ip fast-forwarding dscp to restore the default.

Syntax

ip fast-forwarding dscp

undo ip fast-forwarding dscp

Default

DSCP-based fast forwarding for GRE and VXLAN packets is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command is applicable to GRE packets (with IP as the passenger protocol) and VXLAN packets that are processed by software.

This feature uses the DSCP value in the outer header instead of the source port number among the identification criteria to identify GRE and VXLAN traffic flows.

This command is mutually exclusive with NAT and load balancing.

Examples

# Enable DSCP-based GRE and VXLAN packet fast forwarding.

<Sysname> system-view

[Sysname] ip fast-forwarding dscp

ip fast-forwarding load-sharing

Use ip fast-forwarding load-sharing to enable fast forwarding load sharing.

Use undo ip fast-forwarding load-sharing to disable fast forwarding load sharing.

Syntax

ip fast-forwarding load-sharing

undo ip fast-forwarding load-sharing

Default

Fast forwarding load sharing is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Fast forwarding load sharing enables the device to load share packets of the same flow. This feature identifies a data flow by using the five-tuple (source IP, source port, destination IP, destination port, and protocol).

If fast forwarding load sharing is disabled, the device identifies a data flow by the five-tuple and the input interface. No load sharing is implemented.

Examples

# Enable fast forwarding load sharing.

<Sysname> system-view

[Sysname] ip fast-forwarding load-sharing

ip fast-forwarding vxlan-port

Use ip fast-forwarding vxlan-port to specify the destination UDP port number for identifying VXLAN packets.

Use undo ip fast-forwarding vxlan-port to restore the default.

Syntax

ip fast-forwarding vxlan-port port-number

undo ip fast-forwarding vxlan-port

Default

The destination UDP port number is 4789.

Views

System view

Predefined user roles

network-admin

Parameters

port-number: Specifies a UDP port number in the range of 1 to 65535.

Usage guidelines

This feature is applicable to only the UDP packets that are processed by software.

In a VXLAN network, configure this command on intermediate devices to identify VXLAN packets.

Examples

# Specify 4900 as the destination UDP port number for identifying VXLAN packets.

<Sysname> system-view

[Sysname] ip fast-forwarding vxlan-port 4900

reset ip fast-forwarding cache

Use reset ip fast-forwarding cache to clear the fast forwarding table.

Syntax

Centralized devices in standalone mode:

reset ip fast-forwarding cache

Distributed devices in standalone mode/centralized devices in IRF mode:

reset ip fast-forwarding cache [ slot slot-number ]

Distributed devices in IRF mode:

reset ip fast-forwarding cache [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by the slot number. If you do not specify a card, this command clears the fast forwarding table for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears the fast forwarding table for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears the fast forwarding table for all cards. (Distributed devices in IRF mode.)

Examples

# Clear the fast forwarding table.

<Sysname> reset ip fast-forwarding cache

Related commands

display ip fast-forwarding cache

display ip fast-forwarding fragcache


Flow classification commands

forwarding policy

Use forwarding policy to specify a flow classification policy.

Use undo forwarding policy to restore the default.

Syntax

forwarding policy { per-flow | per-packet }

undo forwarding policy

Default

The flow-based policy is used.

Views

System view

Interface view

Predefined user roles

network-admin

Parameters

per-flow: Specifies flow-based forwarding. The device forwards packets of the same flow to the same CPU. A data flow is defined by the following fields: source IP address, destination IP address, source port number, destination port number, and protocol number. This policy follows the first-in first-out rule.

per-packet: Specifies packet-based forwarding. The device forwards packets in sequence to different CPUs, even if they belong to the same flow. This policy does not ensure packet order.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                                 Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS   No
MSR2600-6-X1/2600-10-X1                                                                  No
MSR 2630                                                                                 No
MSR3600-28/3600-51                                                                       No
MSR3600-28-SI/3600-51-SI                                                                 No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                           Yes
MSR 3610/3620/3620-DP/3640/3660                                                          Yes
MSR5620/5660/5680                                                                        Yes

Hardware           Command compatibility
MSR810-LM-GL       No
MSR810-W-LM-GL     No
MSR830-6EI-GL      No
MSR830-10EI-GL     No
MSR830-6HI-GL      No
MSR830-10HI-GL     No
MSR2600-6-X1-GL    No
MSR3600-28-SI-GL   No

 

Examples

# Specify the packet-based policy globally.

<Sysname> system-view

[Sysname] forwarding policy per-packet

# Specify the flow-based policy globally.

<Sysname> system-view

[Sysname] forwarding policy per-flow

# Specify the packet-based policy on GigabitEthernet 2/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] forwarding policy per-packet

# Specify the flow-based policy on GigabitEthernet 2/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] forwarding policy per-flow
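
The following simulation is an added illustration, not H3C code, of why per-flow keeps packet order and per-packet does not. Assumptions: CRC32 over the 5-tuple stands in for the device's unpublished flow hash, per-packet is modeled as round-robin, each CPU is a FIFO queue with a fixed service time, and the two flows and the service times are constructed.

```python
import zlib
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport proto seq")


def flow_key(pkt):
    """The five fields that define a flow in the per-flow policy."""
    return (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)


def pick_cpu(index, pkt, policy, n_cpus):
    if policy == "per-flow":
        # Assumption: CRC32 is a stand-in for the device's own flow hash.
        return zlib.crc32(repr(flow_key(pkt)).encode()) % n_cpus
    if policy == "per-packet":
        # Assumption: "in sequence to different CPUs" modeled as round-robin.
        return index % n_cpus
    raise ValueError("policy must be 'per-flow' or 'per-packet'")


def egress_order(packets, policy, cpu_service_time):
    """Packets arrive one tick apart; each CPU serves its queue first-in,
    first-out. Returns the packets in the order they finish processing."""
    free_at = [0] * len(cpu_service_time)
    finished = []
    for arrival, pkt in enumerate(packets):
        cpu = pick_cpu(arrival, pkt, policy, len(cpu_service_time))
        start = max(arrival, free_at[cpu])
        free_at[cpu] = start + cpu_service_time[cpu]
        finished.append((free_at[cpu], arrival, pkt))
    finished.sort(key=lambda item: (item[0], item[1]))
    return [pkt for _, _, pkt in finished]


def reordered_flows(order):
    """Flows in which some packet left after a packet with a higher seq."""
    highest_seen, reordered = {}, set()
    for pkt in order:
        key = flow_key(pkt)
        if pkt.seq < highest_seen.get(key, -1):
            reordered.add(key)
        highest_seen[key] = max(highest_seen.get(key, -1), pkt.seq)
    return reordered


def sample_packets(n_per_flow=6):
    """Constructed input: two interleaved flows (documentation addresses)."""
    flow_a = ("192.0.2.10", "198.51.100.5", 40000, 443, 6)
    flow_b = ("192.0.2.11", "198.51.100.5", 40001, 53, 17)
    packets = []
    for seq in range(n_per_flow):
        packets.append(Packet(*flow_a, seq))
        packets.append(Packet(*flow_b, seq))
    return packets


if __name__ == "__main__":
    service = [1, 5, 2]  # constructed per-CPU service times, in ticks
    for policy in ("per-flow", "per-packet"):
        out = egress_order(sample_packets(), policy, service)
        print(policy, "reordered flows:", len(reordered_flows(out)))
```
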


IPv4 adjacency table commands

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

·     MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

display adjacent-table

Use display adjacent-table to display IPv4 adjacency entries.

Syntax

Centralized devices in standalone mode:

display adjacent-table { all | physical-interface interface-type interface-number | routing-interface interface-type interface-number } [ count | verbose ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display adjacent-table { all | physical-interface interface-type interface-number | routing-interface interface-type interface-number | slot slot-number } [ count | verbose ]

Distributed devices in IRF mode:

display adjacent-table { all | physical-interface interface-type interface-number | routing-interface interface-type interface-number | chassis chassis-number slot slot-number } [ count | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays all IPv4 adjacency entries.

physical-interface interface-type interface-number: Displays IPv4 adjacency entries about the specified physical interface.

routing-interface interface-type interface-number: Displays IPv4 adjacency entries about the specified routing interface.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv4 adjacency entries for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv4 adjacency entries for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv4 adjacency entries for all cards. (Distributed devices in IRF mode.)

count: Displays the number of IPv4 adjacency entries.

verbose: Displays detailed information about IPv4 adjacency entries.

Examples

# Display detailed information about all IPv4 adjacency entries.

<Sysname> display adjacent-table all verbose

 IP address                  : 0.0.0.0

 Routing interface           : Pos2/2/0

 Physical interface          : Pos2/2/0

 Logical interface           : N/A

 Service type                : PPP

 Action type                 : Forwarding

 Link media type             : P2P

 Slot                        : 1

 Cpu                         : 0

 VPN index                   : 0

 Virtual circuit information : N/A

 Link head information(IP)   : ff030021

 Link head information(MPLS) : ff030281

# Display the IPv4 adjacency entries on the card in slot 1.

<Sysname> display adjacent-table slot 1

IP address       Routing interface     Physical interface    Type

0.0.0.0          Pos2/2/0              Pos2/2/0              PPP

# Display the number of IPv4 adjacency entries on the card in slot 1.

<Sysname> display adjacent-table slot 1 count

 Total entries on slot 1: 1

Table 53 Command output

| Field | Description |
|---|---|
| IP address | IP address of the next hop. For a P2P link, the IP address of the next hop is not needed, and this field displays 0.0.0.0. For an NBMA link, the value 0.0.0.0 indicates the default adjacency entry, and packets are forwarded through the default virtual circuit. |
| Routing interface | Output interface of the matching route entry. |
| Physical interface | Physical interface from which outgoing packets are sent. |
| Logical interface | Logical interface for sending the packets. If the entry has no logical interface, this field displays N/A. |
| Service type/Type | Link layer protocol type, such as PPP, HDLC, Tunnel, and MTunnel. |
| Action type | Packet processing type: Forwarding or Drop. |
| Link media type | Link media type: P2P (point-to-point link) or NBMA (non-broadcast multi-access link). |
| Slot | ID of the slot that holds the card. |
| Cpu | Number of the CPU. |
| VPN index | Index of the VPN. |
| Virtual circuit information | Information about the virtual circuit, such as PVC or DLCI. If the entry has no virtual circuit, this field displays N/A. |
| Link head information(IP) | Link layer header for IPv4. |
| Link head information(MPLS) | Link layer header for MPLS. |


IPv6 adjacency table commands

IPv6-related features are not supported on the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR3600-28-SI/3600-51-SI.

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

·     MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

display ipv6 adjacent-table

Use display ipv6 adjacent-table to display IPv6 adjacency entries.

Syntax

Centralized devices in standalone mode:

display ipv6 adjacent-table { all | physical-interface interface-type interface-number | routing-interface interface-type interface-number } [ count | verbose ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display ipv6 adjacent-table { all | physical-interface interface-type interface-number | routing-interface interface-type interface-number | slot slot-number } [ count | verbose ]

Distributed devices in IRF mode:

display ipv6 adjacent-table { all | physical-interface interface-type interface-number | routing-interface interface-type interface-number | chassis chassis-number slot slot-number } [ count | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays all IPv6 adjacency entries.

physical-interface interface-type interface-number: Displays IPv6 adjacency entries about the specified physical interface.

routing-interface interface-type interface-number: Displays IPv6 adjacency entries about the specified routing interface.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv6 adjacency entries for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv6 adjacency entries for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv6 adjacency entries for all cards. (Distributed devices in IRF mode.)

count: Displays the total number of IPv6 adjacency entries.

verbose: Displays detailed information about IPv6 adjacency entries.

Examples

# Display detailed information about all IPv6 adjacency entries.

<Sysname> display ipv6 adjacent-table all verbose

 IPv6 address                    : N/A

 Routing interface               : Pos2/2/0

 Physical interface              : Pos2/2/0

 Logical interface               : N/A

 Service type                    : PPP

 Action type                     : Forwarding

 Link media type                 : P2P

 Slot                            : 0

 VPN index                       : 0

 Virtual circuit information     : N/A

Link head information(IPv6)      : 4500000000000000ff2f000002020201020202020000

0800

Link head information(MPLS)      : 4500000000000000ff2f000002020201020202020000

0800

# Display the IPv6 adjacency entries on the card in slot 1.

<Sysname> display ipv6 adjacent-table slot 1

IPv6 address          Routing interface     Physical interface    Type

N/A                   Pos2/2/0              Pos2/2/0              PPP

# Display the total number of IPv6 adjacency entries on the card in slot 1.

<Sysname> display ipv6 adjacent-table slot 1 count

 Total entries on slot 1: 1

Table 54 Command output

| Field | Description |
|---|---|
| IPv6 address | IPv6 address of the next hop. For a P2P link, the IPv6 address of the next hop is not needed. This field has the value 0::0, and displays N/A. For an NBMA link, the value 0.0.0.0 indicates a default adjacency table, and packets are forwarded through the default virtual circuit. |
| Routing interface | Output interface of the matching route entry. |
| Physical interface | Physical interface from which outgoing packets are sent. |
| Logical interface | Logical interface that sends the packets. If the entry has no logical interface, this field displays N/A. |
| Service type/Type | Link layer protocol type, such as PPP, HDLC, Tunnel, and MTunnel. |
| Action type | Packet processing type: Forwarding or Drop. |
| Link media type | Link media type: P2P (point-to-point link) or NBMA (non-broadcast multi-access link). |
| Slot | ID of the slot that holds the card. |
| Cpu | Number of the CPU. |
| VPN index | Index of the VPN. |
| Virtual circuit information | Information about the virtual circuit, such as PVC or DLCI. If the entry has no virtual circuit, this field displays N/A. |
| Link head information(IPv6) | Link layer header for IPv6. |
| Link head information(MPLS) | Link layer header for MPLS. |


IRDP commands

The following matrix shows the feature and hardware compatibility:

| Hardware | IRDP compatibility |
|---|---|
| MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/MSR810-W-LM-HK | Yes |
| MSR810-LMS/810-LUS | No |
| MSR2600-6-X1/2600-10-X1 | Yes |
| MSR 2630 | Yes |
| MSR3600-28/3600-51 | Yes |
| MSR3600-28-SI/3600-51-SI | No |
| MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes |
| MSR 3610/3620/3620-DP/3640/3660 | Yes |
| MSR 5620/5660/5680 | Yes |

| Hardware | IRDP compatibility |
|---|---|
| MSR810-LM-GL | Yes |
| MSR810-W-LM-GL | Yes |
| MSR830-6EI-GL | Yes |
| MSR830-10EI-GL | Yes |
| MSR830-6HI-GL | Yes |
| MSR830-10HI-GL | Yes |
| MSR2600-6-X1-GL | Yes |
| MSR3600-28-SI-GL | No |

ip irdp

Use ip irdp to enable IRDP on an interface.

Use undo ip irdp to disable IRDP on an interface.

Syntax

ip irdp

undo ip irdp

Default

IRDP is disabled on an interface.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

This command makes the IRDP settings on an interface take effect. After IRDP is enabled on an interface, the device can send router advertisement (RA) messages out of the interface.

Examples

# Enable IRDP on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ip irdp

ip irdp address

Use ip irdp address to specify an IP address for an interface to proxy-advertise.

Use undo ip irdp address to remove the specified proxy-advertised IP address.

Syntax

ip irdp address ip-address preference-value

undo ip irdp address [ ip-address ]

Default

No proxy-advertised IP address is specified.

Views

Interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies an IP address in dotted decimal notation.

preference-value: Specifies the preference for the IP address, in the range of –2147483648 to 2147483647.

Usage guidelines

You can specify a maximum of four IP addresses for an interface to proxy-advertise. An RA sent on the interface includes the interface IP addresses and the proxy-advertised IP addresses.

If you do not specify an IP address for the undo command, this command removes all proxy-advertised IP addresses from the interface.

Examples

# Specify the IP address 192.168.0.8 and its preference 1600 for GigabitEthernet 1/0/1 to proxy-advertise.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ip irdp address 192.168.0.8 1600

Related commands

ip irdp

ip irdp lifetime

Use ip irdp lifetime to set the lifetime of IP addresses advertised on an interface.

Use undo ip irdp lifetime to restore the default.

Syntax

ip irdp lifetime lifetime-value

undo ip irdp lifetime

Default

The lifetime is 1800 seconds.

Views

Interface view

Predefined user roles

network-admin

Parameters

lifetime-value: Specifies the lifetime in seconds, in the range of 4 to 9000.

Usage guidelines

The lifetime cannot be shorter than the maximum advertising interval on an interface.

The lifetime applies to the following IP addresses:

·     IP addresses of the interface.

·     IP addresses for the interface to proxy-advertise.

Examples

# Set the lifetime of IP addresses advertised on GigabitEthernet 1/0/1 to 2000 seconds.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ip irdp lifetime 2000

Related commands

ip irdp

ip irdp interval

ip irdp interval

Use ip irdp interval to set the maximum and minimum intervals for advertising RAs on an interface.

Use undo ip irdp interval to restore the default.

Syntax

ip irdp interval max-interval [ min-interval ]

undo ip irdp interval

Default

The maximum interval is 600 seconds, and the minimum interval is 3/4 of the maximum interval.

Views

Interface view

Predefined user roles

network-admin

Parameters

max-interval: Specifies the maximum interval in seconds, in the range of 4 to 1800.

min-interval: Specifies the minimum interval in seconds, in the range of 3 to max-interval.

Usage guidelines

The device broadcasts or multicasts an RA randomly between the maximum and minimum intervals.

Make sure the maximum interval is not longer than the lifetime of advertised IP addresses. Otherwise, the lifetime is automatically adjusted to a value three times the maximum interval.

Examples

# On GigabitEthernet 1/0/1, set the maximum interval to 500 seconds and the minimum interval to 300 seconds.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ip irdp interval 500 300

Related commands

ip irdp

ip irdp lifetime

ip irdp multicast

Use ip irdp multicast to specify the multicast address 224.0.0.1 as the destination IP address for RAs sent on an interface.

Use undo ip irdp multicast to restore the default.

Syntax

ip irdp multicast

undo ip irdp multicast

Default

The destination IP address is 255.255.255.255.

Views

Interface view

Predefined user roles

network-admin

Examples

# Specify the multicast address 224.0.0.1 as the destination IP address for RAs sent on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ip irdp multicast

Related commands

ip irdp

ip irdp preference

Use ip irdp preference to specify the preference of advertised primary and secondary IP addresses on an interface.

Use undo ip irdp preference to restore the default.

Syntax

ip irdp preference preference-value

undo ip irdp preference

Default

The preference of advertised IP addresses is 0.

Views

Interface view

Predefined user roles

network-admin

Parameters

preference-value: Specifies the preference in the range of –2147483648 to 2147483647.

Usage guidelines

A larger preference value represents a higher preference. To request that neighboring hosts do not use any advertised IP address as the default gateway, set the value to the minimum value.

Examples

# Specify preference 1 for IP addresses advertised on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ip irdp preference 1

Related commands

ip irdp
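
The IRDP commands above interact: ranges, the lifetime and interval dependency, the four-address proxy limit, and the need for ip irdp itself. The following pre-deployment check is an added example, not H3C code, that applies those rules to a configuration snippet and reports the effective values. Assumptions: the constructed sample uses the layout of a Comware configuration file, and the 3/4 default for the minimum interval is applied to a configured maximum and rounded down.

```python
import ipaddress
import re

PREF_MIN, PREF_MAX = -2147483648, 2147483647

# Constructed sample in the layout of a Comware configuration file.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 ip irdp
 ip irdp address 192.168.0.8 1600
 ip irdp lifetime 2000
 ip irdp interval 500 300
 ip irdp multicast
 ip irdp preference 1
#
interface GigabitEthernet1/0/2
 ip irdp lifetime 1000
 ip irdp interval 1800
#
"""


def check_range(value, low, high, what, findings):
    if not low <= value <= high:
        findings.append(f"{what} {value} is outside {low} to {high}")


def audit_irdp(config_text):
    """Return {interface: {"effective": {...}, "findings": [...]}} for every
    interface that carries at least one 'ip irdp' line."""
    per_interface, current = {}, None
    for line in (raw.strip() for raw in config_text.splitlines()):
        header = re.match(r"interface\s+(\S+)$", line)
        if header:
            current = header.group(1)
        elif line == "#":
            current = None
        elif current and re.match(r"ip irdp(\s|$)", line):
            per_interface.setdefault(current, []).append(line.split()[2:])
    return {name: evaluate(cmds) for name, cmds in per_interface.items()}


def evaluate(cmds):
    findings, proxies = [], []
    enabled = multicast = False
    lifetime = max_i = min_i = None
    pref = 0
    for args in cmds:
        try:
            if not args:
                enabled = True
            elif args[0] == "address" and len(args) == 3:
                proxies.append((str(ipaddress.IPv4Address(args[1])), int(args[2])))
            elif args[0] == "lifetime" and len(args) == 2:
                lifetime = int(args[1])
            elif args[0] == "interval" and len(args) in (2, 3):
                max_i = int(args[1])
                min_i = int(args[2]) if len(args) == 3 else None
            elif args == ["multicast"]:
                multicast = True
            elif args[0] == "preference" and len(args) == 2:
                pref = int(args[1])
            else:
                findings.append("unrecognized: ip irdp " + " ".join(args))
        except ValueError:
            findings.append("bad value: ip irdp " + " ".join(args))

    # Defaults documented above: 600 s maximum interval, 1800 s lifetime.
    max_i = 600 if max_i is None else max_i
    # Assumption: the 3/4 default follows a configured maximum, rounded down.
    min_i = max_i * 3 // 4 if min_i is None else min_i
    lifetime = 1800 if lifetime is None else lifetime

    check_range(max_i, 4, 1800, "max-interval", findings)
    check_range(min_i, 3, max_i, "min-interval", findings)
    check_range(lifetime, 4, 9000, "lifetime", findings)
    for value in [p for _, p in proxies] + [pref]:
        check_range(value, PREF_MIN, PREF_MAX, "preference", findings)
    if len(proxies) > 4:
        findings.append(f"{len(proxies)} proxy-advertised addresses, maximum is 4")
    if max_i > lifetime:
        # Documented behavior: lifetime becomes three times the maximum interval.
        findings.append(f"lifetime {lifetime} < max-interval {max_i}; adjusted to {3 * max_i}")
        lifetime = 3 * max_i
    if pref == PREF_MIN:
        findings.append("minimum preference: hosts are asked not to use these addresses as default gateway")
    if not enabled:
        findings.append("'ip irdp' missing: settings are configured but IRDP is not enabled")

    effective = {
        "enabled": enabled,
        "destination": "224.0.0.1" if multicast else "255.255.255.255",
        "max_interval": max_i, "min_interval": min_i, "lifetime": lifetime,
        "preference": pref, "proxies": proxies,
    }
    return {"effective": effective, "findings": findings}


if __name__ == "__main__":
    for name, report in audit_irdp(SAMPLE_CONFIG).items():
        print(name, report["effective"], report["findings"])
```
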


IP performance optimization commands

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

·     MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

display icmp statistics

Use display icmp statistics to display ICMP statistics.

Syntax

Centralized devices in standalone mode:

display icmp statistics

Distributed devices in standalone mode/centralized devices in IRF mode:

display icmp statistics [ slot slot-number ]

Distributed devices in IRF mode:

display icmp statistics [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ICMP statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ICMP statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays ICMP statistics for all cards. (Distributed devices in IRF mode.)

Usage guidelines

ICMP statistics include information about received and sent ICMP packets.

Examples

# Display ICMP statistics.

<Sysname> display icmp statistics

  Input: bad formats   0                   bad checksum            0

         echo          175                 destination unreachable 0

         source quench 0                   redirects               0

         echo replies  201                 parameter problem       0

         timestamp     0                   information requests    0

         mask requests 0                   mask replies            0

         time exceeded 0                   invalid type            0

         router advert 0                   router solicit          0

         broadcast/multicast echo requests ignored            0

         broadcast/multicast timestamp requests ignored       0

 Output: echo          0                   destination unreachable 0

         source quench 0                   redirects               0

         echo replies  175                 parameter problem       0

         timestamp     0                   information replies     0

         mask requests 0                   mask replies            0

         time exceeded 0                   bad address             0

         packet error  1442                router advert           3
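
The two-column layout above is awkward to monitor by eye. The following parser is an added example, not H3C code: it turns the output into counters keyed by direction and name, then reports growth between two snapshots. The sample text is the output shown above; the watched-counter list is a choice made for this example, and a counter that goes backwards is treated as having restarted from zero.

```python
import re

# The example output shown above, embedded so the block runs offline.
SAMPLE_OUTPUT = """\
<Sysname> display icmp statistics
  Input: bad formats   0                   bad checksum            0
         echo          175                 destination unreachable 0
         source quench 0                   redirects               0
         echo replies  201                 parameter problem       0
         timestamp     0                   information requests    0
         mask requests 0                   mask replies            0
         time exceeded 0                   invalid type            0
         router advert 0                   router solicit          0
         broadcast/multicast echo requests ignored            0
         broadcast/multicast timestamp requests ignored       0
 Output: echo          0                   destination unreachable 0
         source quench 0                   redirects               0
         echo replies  175                 parameter problem       0
         timestamp     0                   information replies     0
         mask requests 0                   mask replies            0
         time exceeded 0                   bad address             0
         packet error  1442                router advert           3
"""

SECTION = re.compile(r"^\s*(Input|Output):\s*(.*)$")
# A counter is a (possibly multi-word) name followed by whitespace and digits.
PAIR = re.compile(r"([A-Za-z][A-Za-z/ ]*?)\s+(\d+)")

# Example policy (an assumption of this block): input counters worth a look
# when they grow on a segment where such traffic is not expected.
WATCHED = (
    ("Input", "router advert"),
    ("Input", "router solicit"),
    ("Input", "redirects"),
    ("Input", "bad checksum"),
    ("Input", "bad formats"),
    ("Input", "invalid type"),
)


def parse_icmp_statistics(text):
    """Return {(direction, counter name): value} from the command output."""
    counters, section = {}, None
    for line in text.splitlines():
        header = SECTION.match(line)
        if header:
            section, line = header.group(1), header.group(2)
        if section is None:
            continue  # prompt or banner lines before the first section
        for name, value in PAIR.findall(line):
            counters[(section, name)] = int(value)
    return counters


def counter_deltas(before, after, watched=WATCHED):
    """Return {key: increase} for watched counters that grew."""
    deltas = {}
    for key in watched:
        old, new = before.get(key, 0), after.get(key, 0)
        # A value lower than before means the counter restarted from zero.
        delta = new - old if new >= old else new
        if delta > 0:
            deltas[key] = delta
    return deltas


if __name__ == "__main__":
    first = parse_icmp_statistics(SAMPLE_OUTPUT)
    second = dict(first)
    second[("Input", "router advert")] = 4  # constructed later snapshot
    print(counter_deltas(first, second))
```
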

display ip statistics

Use display ip statistics to display IP packet statistics.

Syntax

Centralized devices in standalone mode:

display ip statistics

Distributed devices in standalone mode/centralized devices in IRF mode:

display ip statistics [ slot slot-number ]

Distributed devices in IRF mode:

display ip statistics [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IP packet statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IP packet statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IP packet statistics for all cards. (Distributed devices in IRF mode.)

Usage guidelines

IP statistics include information about received and sent packets, fragments, and reassembly.

Examples

# Display IP packet statistics.

<Sysname> display ip statistics

  Input:   sum            7120             local             112

           bad protocol   0                bad format        0

           bad checksum   0                bad options       0

           dropped        0

  Output:  forwarding     0                local             27

           dropped        0                no route          2

           compress fails 0

  Fragment:input          0                output            0

           dropped        0

           fragmented     0                couldn't fragment 0

  Reassembling:sum        0                timeouts          0

Table 55 Command output

| Field | Description |
|---|---|
| Input | |
| sum | Total number of packets received. |
| local | Total number of packets destined for the device. |
| bad protocol | Total number of unknown protocol packets. |
| bad format | Total number of packets with incorrect format. |
| bad checksum | Total number of packets with incorrect checksum. |
| bad options | Total number of packets with incorrect options. |
| dropped | Total number of packets discarded. |
| Output | |
| forwarding | Total number of packets forwarded. |
| local | Total number of packets locally sent. |
| dropped | Total number of packets discarded. |
| no route | Total number of packets for which no route is available. |
| compress fails | Total number of packets that failed to be compressed. |
| Fragment | |
| input | Total number of fragments received. |
| output | Total number of fragments sent. |
| dropped | Total number of fragments dropped. |
| fragmented | Total number of packets successfully fragmented. |
| couldn't fragment | Total number of packets that failed to be fragmented. |
| Reassembling | |
| sum | Total number of packets reassembled. |
| timeouts | Total number of reassembly timeouts. |

Related commands

display ip interface

reset ip statistics

display rawip

Use display rawip to display brief information about RawIP connections.

Syntax

Centralized devices in standalone mode:

display rawip

Distributed devices in standalone mode/centralized devices in IRF mode:

display rawip [ slot slot-number ]

Distributed devices in IRF mode:

display rawip [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays brief information about RawIP connections for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays brief information about RawIP connections for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays brief information about RawIP connections for all cards. (Distributed devices in IRF mode.)

Usage guidelines

Brief RawIP connection information includes local and peer addresses, protocol, and PCB.

Examples

# (Centralized devices in standalone mode.) Display brief information about RawIP connections.

<Sysname> display rawip

 Local Addr       Foreign Addr     Protocol  Slot  PCB

 0.0.0.0          0.0.0.0          1         0     0x0000000000000009

 0.0.0.0          0.0.0.0          1         0     0x0000000000000008

 0.0.0.0          0.0.0.0          1         0     0x0000000000000002

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display brief information about RawIP connections.

<Sysname> display rawip

 Local Addr      Foreign Addr    Protocol Slot  PCB                            
 0.0.0.0         0.0.0.0         2        0     0xffffffffffffffa3             
 0.0.0.0         0.0.0.0         2        0     0xffffffffffffffa2             
 0.0.0.0         0.0.0.0         2        0     0xffffffffffffffa1             
 0.0.0.0         0.0.0.0         103      0     0xffffffffffffffa0             
 0.0.0.0         0.0.0.0         103      0     0xffffffffffffff9f             
 0.0.0.0         0.0.0.0         103      0     0xffffffffffffff9e              
 0.0.0.0         0.0.0.0         17       0     0xffffffffffffff9d             

# (Distributed devices in IRF mode.) Display brief information about RawIP connections.

<Sysname> display rawip

 Local Addr       Foreign Addr    Protocol Chassis Slot  PCB

 0.0.0.0          0.0.0.0         1        1       1     0x0000000000000009

 0.0.0.0          0.0.0.0         1        1       1     0x0000000000000008

 0.0.0.0          0.0.0.0         1        1       5     0x0000000000000002

Table 56 Command output

| Field | Description |
|---|---|
| Local Addr | Local IP address. |
| Foreign Addr | Peer IP address. |
| Protocol | Protocol number. |
| Chassis | ID of the IRF member device. (Distributed devices in IRF mode.) |
| Slot | Number of the slot that holds the card. (Distributed devices in standalone or IRF mode.) |
| Slot | ID of the IRF member device. (Centralized devices in IRF mode.) |
| PCB | Protocol control block. |

display rawip verbose

Use display rawip verbose to display detailed information about RawIP connections.

Syntax

Centralized devices in standalone mode:

display rawip verbose [ pcb pcb-index ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display rawip verbose [ slot slot-number [ pcb pcb-index ] ]

Distributed devices in IRF mode:

display rawip verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pcb pcb-index: Displays detailed RawIP connection information for the specified PCB. The pcb-index argument specifies the index of the PCB. The value range for the pcb-index argument is 1 to 16.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays detailed information about RawIP connections for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays detailed information about RawIP connections for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays detailed RawIP connection information for all cards. (Distributed devices in IRF mode.)

Usage guidelines

The detailed information includes socket creator, state, option, type, protocol number, and the source and destination IP addresses of RawIP connections.

Examples

# (Centralized devices in standalone mode.) Display detailed information about RawIP connections.

<Sysname> display rawip verbose

Total RawIP socket number: 1

 

 Creator: ping[320]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 9216 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 3

 Protocol: 1

 Connection info: src = 0.0.0.0, dst = 0.0.0.0

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV4

 TTL: 255(minimum TTL: 0)

 Send VRF: 0xffff

 Receive VRF: 0xffff

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display detailed information about RawIP connections.

<Sysname> display rawip verbose

Total RawIP socket number: 1

 

 Location: Slot: 6

 Creator: ping[320]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 9216 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 3

 Protocol: 1

 Connection info: src = 0.0.0.0, dst = 0.0.0.0

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV4

 TTL: 255(minimum TTL: 0)

 Send VRF: 0xffff

 Receive VRF: 0xffff

# (Distributed devices in IRF mode.) Display detailed information about RawIP connections.

<Sysname> display rawip verbose

Total RawIP socket number: 1

 

 Location: Chassis: 2 Slot: 6

 Creator: ping[320]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 9216 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 3

 Protocol: 1

 Connection info: src = 0.0.0.0, dst = 0.0.0.0

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV4

 TTL: 255(minimum TTL: 0)

 Send VRF: 0xffff

 Receive VRF: 0xffff

Table 57 Command output

Field

Description

Total RawIP socket number

Total number of RawIP sockets.

Location

Location of the card. (Distributed devices in standalone or IRF mode.)

Location

Location of the device. (Centralized devices in IRF mode.)

Chassis

ID of the IRF member device. (Distributed devices in IRF mode.)

Slot

Number of the slot that holds the card. (Distributed devices in standalone or IRF mode.)

Slot

ID of the IRF member device. (Centralized devices in IRF mode.)

Creator

Name of the operation that created the socket. The number in brackets is the process number of the creator.

State

State of the socket.

Options

Socket options.

Error

Error code.

Receiving buffer (cc/hiwat/lowat/drop/state)

Displays receive buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     drop—Number of dropped packets.

·     state—Buffer state:

    -     CANTSENDMORE—Unable to send data to the peer.

    -     CANTRCVMORE—Unable to receive data from the peer.

    -     RCVATMARK—Receiving tag.

    -     N/A—None of the above states.

Sending buffer (cc/hiwat/lowat/state)

Displays send buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     state—Buffer state:

    -     CANTSENDMORE—Unable to send data to the peer.

    -     CANTRCVMORE—Unable to receive data from the peer.

    -     RCVATMARK—Receiving tag.

    -     N/A—None of the above states.

Type

Socket type:

·     1: SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams.

·     2: SOCK_DGRAM. This socket uses UDP to provide datagram transmission.

·     3: SOCK_RAW. This socket allows an application to change the next upper-layer protocol header.

·     N/A—None of the above types.

Protocol

Number of the protocol using the socket.

Connection info

Source IP address and destination IP address.

Inpcb flags

Flags in the Internet PCB:

·     INP_RECVOPTS—Receives IP options.

·     INP_RECVRETOPTS—Receives replied IP options.

·     INP_RECVDSTADDR—Receives destination IP address.

·     INP_HDRINCL—Provides the entire IP header.

·     INP_REUSEADDR—Reuses the IP address.

·     INP_REUSEPORT—Reuses the port number.

·     INP_ANONPORT—Port number not specified.

·     INP_RECVIF—Records the input interface of the packet.

·     INP_RECVTTL—Receives TTL of the packet. Only UDP and RawIP support this flag.

·     INP_DONTFRAG—Sets the Don't Fragment flag.

·     INP_ROUTER_ALERT—Receives packets with the router alert option. Only RawIP supports this flag.

·     INP_PROTOCOL_PACKET—Identifies a protocol packet.

·     INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag.

·     INP_RCVMACADDR—Receives the MAC address of the frame.

·     INP_SNDBYLSPV—Sends through MPLS.

·     INP_RECVTOS—Receives TOS of the packet. Only UDP and RawIP support this flag.

·     INP_USEICMPSRC—Uses the specified IP address as the source IP address for outgoing ICMP packets.

·     INP_SYNCPCB—Waits until Internet PCB is synchronized.

·     N/A—None of the above flags.

Inpcb extflag

Extension flags in the Internet PCB:

·     INP_EXTRCVPVCIDX—Records the PVC index of the received packet.

·     INP_RCVPWID—Records the PW ID of the received packet.

·     N/A—None of the above flags.

Inpcb vflag

IP version flags in the Internet PCB:

·     INP_IPV4—IPv4 protocol.

·     INP_TIMEWAIT—In TIMEWAIT state.

·     INP_ONESBCAST—Sends broadcast packets.

·     INP_DROPPED—Protocol dropped flag.

·     INP_SOCKREF—Strong socket reference.

·     INP_DONTBLOCK—Do not block synchronization of the Internet PCB.

·     N/A—None of the above flags.

TTL

TTL value in the Internet PCB.

 

display tcp

Use display tcp to display brief information about TCP connections.

Syntax

Centralized devices in standalone mode:

display tcp

Distributed devices in standalone mode/centralized devices in IRF mode:

display tcp [ slot slot-number ]

Distributed devices in IRF mode:

display tcp [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays brief information about TCP connections for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays brief information about TCP connections for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays brief information about TCP connections for all cards. (Distributed devices in IRF mode.)

Usage guidelines

Brief TCP connection information includes local IP address, local port number, peer IP address, peer port number, and TCP connection state.

Examples

# (Centralized devices in standalone mode.) Display brief information about TCP connections.

<Sysname> display tcp

 *: TCP MD5 Connection

 Local Addr:port       Foreign Addr:port     State       Slot  PCB

*0.0.0.0:21            0.0.0.0:0             LISTEN      1     0x000000000000c387

 192.168.20.200:23     192.168.20.14:1284    ESTABLISHED 1     0x0000000000000009

 192.168.20.200:23     192.168.20.14:1283    ESTABLISHED 1     0x0000000000000002

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display brief information about TCP connections.

<Sysname> display tcp

 *: TCP MD5 Connection

 Local Addr:port       Foreign Addr:port     State       Slot  PCB

*0.0.0.0:21            0.0.0.0:0             LISTEN      1     0x000000000000c387

 192.168.20.200:23     192.168.20.14:1284    ESTABLISHED 1     0x0000000000000009

 192.168.20.200:23     192.168.20.14:1283    ESTABLISHED 1     0x0000000000000002

# (Distributed devices in IRF mode.) Display brief information about TCP connections.

<Sysname> display tcp

 *: TCP MD5 Connection

 Local Addr:port       Foreign Addr:port     State       Chassis Slot  PCB

*0.0.0.0:21            0.0.0.0:0             LISTEN      1       1     0x00000000

 0000c387

 192.168.20.200:23     192.168.20.14:1284    ESTABLISHED 1       1     0x00000000

 00000009

 192.168.20.200:23     192.168.20.14:1283    ESTABLISHED 1       1     0x00000000

 00000002

Table 58 Command output

Field

Description

*

Indicates that the TCP connection uses MD5 authentication.

Local Addr:port

Local IP address and port number.

Foreign Addr:port

Peer IP address and port number.

State

TCP connection state.

Chassis

ID of the IRF member device. (Distributed devices in IRF mode.)

Slot

Number of the slot that holds the card. (Distributed devices in standalone or IRF mode.)

Slot

ID of the IRF member device. (Centralized devices in IRF mode.)

PCB

PCB index.
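
As an added example (not H3C code), this Python sketch parses the brief display tcp output described above, including the IRF layout where the PCB index wraps onto a continuation line. It reports FTP/Telnet endpoints on the well-known ports and port-179 sessions that lack the * (TCP MD5) mark. The sample text, the TcpConn class, the function names and the choice of checks are assumptions made for this illustration; port 179 is treated as BGP because the display tcp verbose example shows bgpd on that port.

```python
import re
from dataclasses import dataclass

# Constructed sample in the "Distributed devices in IRF mode" layout. On an
# 80-column terminal the PCB index wraps onto a continuation line.
SAMPLE = """\
 *: TCP MD5 Connection
 Local Addr:port       Foreign Addr:port     State       Chassis Slot  PCB
 0.0.0.0:21            0.0.0.0:0             LISTEN      1       1     0x00000000
 0000c387
 192.168.20.200:23     192.168.20.14:1284    ESTABLISHED 1       1     0x00000000
 00000009
 192.168.20.200:179    192.168.20.14:4181    ESTABLISHED 1       1     0x00000000
 0000000a
*192.168.20.200:179    192.168.20.15:4190    ESTABLISHED 1       1     0x00000000
 0000000b
"""

# One connection row: optional "*" mark, two addr:port pairs, state, then
# either "Slot" or "Chassis Slot", then the (possibly truncated) PCB index.
ROW = re.compile(
    r"^\s*(?P<md5>\*?)\s*"
    r"(?P<laddr>\d+(?:\.\d+){3}):(?P<lport>\d+)\s+"
    r"(?P<faddr>\d+(?:\.\d+){3}):(?P<fport>\d+)\s+"
    r"(?P<state>[A-Z][A-Z0-9_]*)\s+"
    r"(?P<loc>\d+(?:\s+\d+)?)\s+"
    r"(?P<pcb>0x[0-9a-fA-F]+)\s*$"
)
CONT = re.compile(r"^\s*([0-9a-fA-F]+)\s*$")  # wrapped tail of a PCB index

CLEARTEXT_MGMT = {21: "FTP", 23: "Telnet"}  # well-known ports named in this reference
BGP_PORT = 179                              # assumption: port 179 carries BGP


@dataclass
class TcpConn:
    md5: bool          # True when the row starts with "*"
    laddr: str
    lport: int
    faddr: str
    fport: int
    state: str
    location: tuple    # (slot,) or (chassis, slot)
    pcb: str           # full PCB index as a hex string


def parse_display_tcp(text):
    """Return a TcpConn per connection row, re-joining wrapped PCB values."""
    conns, prev_was_row = [], False
    for line in text.splitlines():
        if not line.strip():
            continue  # blank lines do not break a wrapped row
        m = ROW.match(line)
        if m:
            conns.append(TcpConn(
                md5=m["md5"] == "*", laddr=m["laddr"], lport=int(m["lport"]),
                faddr=m["faddr"], fport=int(m["fport"]), state=m["state"],
                location=tuple(int(n) for n in m["loc"].split()),
                pcb=m["pcb"].lower()))
            prev_was_row = True
            continue
        c = CONT.match(line)
        if c and prev_was_row:
            conns[-1].pcb += c[1].lower()
        prev_was_row = False
    return conns


def audit(conns):
    """Return (kind, detail) findings for the hardening checks described above."""
    findings = []
    for c in conns:
        svc = CLEARTEXT_MGMT.get(c.lport)
        if svc and c.state == "LISTEN":
            findings.append(("cleartext-listener",
                             f"{svc} listening on {c.laddr}:{c.lport}"))
        elif svc and c.state == "ESTABLISHED":
            findings.append(("cleartext-session",
                             f"{svc} session from {c.faddr}:{c.fport}"))
        if (BGP_PORT in (c.lport, c.fport) and c.state == "ESTABLISHED"
                and not c.md5):
            findings.append(("bgp-no-md5",
                             f"port-179 session with {c.faddr} has no TCP MD5 mark"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(parse_display_tcp(SAMPLE)):
        print(f"{kind}: {detail}")
```
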

 

display tcp statistics

Use display tcp statistics to display TCP traffic statistics.

Syntax

Centralized devices in standalone mode:

display tcp statistics

Distributed devices in standalone mode/centralized devices in IRF mode:

display tcp statistics [ slot slot-number ]

Distributed devices in IRF mode:

display tcp statistics [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays TCP traffic statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays TCP traffic statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays TCP traffic statistics for all cards. (Distributed devices in IRF mode.)

Usage guidelines

TCP traffic statistics include information about received and sent TCP packets and Syncache/syncookie.

Examples

# Display TCP traffic statistics.

<Sysname> display tcp statistics

Received packets:

    Total: 4150

    packets in sequence: 1366 (134675 bytes)

    window probe packets: 0, window update packets: 0

    checksum error: 0, offset error: 0, short error: 0

    packets dropped for lack of memory: 0

    packets dropped due to PAWS: 0

    duplicate packets: 12 (36 bytes), partially duplicate packets: 0 (0 bytes)

    out-of-order packets: 0 (0 bytes)

    packets with data after window: 0 (0 bytes)

    packets after close: 0

    ACK packets: 3531 (795048 bytes)

    duplicate ACK packets: 33, ACK packets for unsent data: 0

 

Sent packets:

    Total: 4058

    urgent packets: 0

    control packets: 50

    window probe packets: 3, window update packets: 11

    data packets: 3862 (795012 bytes), data packets retransmitted: 0 (0 bytes)

    ACK-only packets: 150 (52 delayed)

    unnecessary packet retransmissions: 0

 

Syncache/syncookie related statistics:

    entries added to syncache: 12

    syncache entries retransmitted: 0

    duplicate SYN packets: 0

    reply failures: 0

    successfully build new socket: 12

    bucket overflows: 0

    zone failures: 0

    syncache entries removed due to RST: 0

    syncache entries removed due to timed out: 0

    ACK checked by syncache or syncookie failures: 0

    syncache entries aborted: 0

    syncache entries removed due to bad ACK: 0

    syncache entries removed due to ICMP unreachable: 0

    SYN cookies sent: 0

    SYN cookies received: 0

 

SACK related statistics:

    SACK recoveries: 1

    SACK retransmitted segments: 0 (0 bytes)

    SACK blocks (options) received: 0

    SACK blocks (options) sent: 0

    SACK scoreboard overflows: 0

 

Other statistics:

    retransmitted timeout: 0, connections dropped in retransmitted timeout: 0

    persist timeout: 0

    keepalive timeout: 21, keepalive probe: 0

    keepalive timeout, so connections disconnected: 0

    fin_wait_2 timeout, so connections disconnected: 0

    initiated connections: 29, accepted connections: 12, established connections:

23

    closed connections: 50051 (dropped: 0, initiated dropped: 0)

    bad connection attempt: 0

    ignored RSTs in the window: 0

    listen queue overflows: 0

    RTT updates: 3518(attempt segment: 3537)

    correct ACK header predictions: 0

    correct data packet header predictions: 568

    resends due to MTU discovery: 0

    packets dropped with MD5 authentication: 0

    packets permitted with MD5 authentication: 0

Related commands

reset tcp statistics
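
A single reading of these counters says little; the change between two readings is what an operator watches. As an added example (not H3C code), this Python parser for the display tcp statistics layout above handles several counters per line, parenthesised sub-counters and the wrapped "established connections" line, then diffs two snapshots. The snapshots are constructed, and the function names, the watch list and the assumption that counters accumulate until reset tcp statistics clears them are choices made for this illustration.

```python
import re

# Constructed snapshot in the layout of "display tcp statistics" (trimmed).
BEFORE = """\
Received packets:
    Total: 4150
    checksum error: 0, offset error: 0, short error: 0
    duplicate packets: 12 (36 bytes), partially duplicate packets: 0 (0 bytes)

Sent packets:
    Total: 4058
    ACK-only packets: 150 (52 delayed)

Syncache/syncookie related statistics:
    entries added to syncache: 12
    bucket overflows: 0
    SYN cookies sent: 0

Other statistics:
    keepalive timeout: 21, keepalive probe: 0
    keepalive timeout, so connections disconnected: 0
    initiated connections: 29, accepted connections: 12, established connections:
23
    closed connections: 50051 (dropped: 0, initiated dropped: 0)
    listen queue overflows: 0
    RTT updates: 3518(attempt segment: 3537)
    packets dropped with MD5 authentication: 0
"""

# Second constructed snapshot: same text with four counters raised.
AFTER = (BEFORE
         .replace("entries added to syncache: 12", "entries added to syncache: 4012")
         .replace("bucket overflows: 0", "bucket overflows: 37")
         .replace("SYN cookies sent: 0", "SYN cookies sent: 512")
         .replace("listen queue overflows: 0", "listen queue overflows: 9"))

# A line ending in ":" followed by a digits-only line is a terminal wrap.
WRAP = re.compile(r"^(.*:)[ \t]*\n+[ \t]*(\d+)[ \t]*$", re.M)
# "name: value" pairs; names may contain commas but never ":" or parentheses.
PAIR = re.compile(r"(?P<name>[^:()]+?):\s*(?P<val>\d+)")

# Counters chosen for this illustration (an assumption, not an H3C list).
WATCH = [
    ("Received packets", "checksum error"),
    ("Syncache/syncookie related statistics", "bucket overflows"),
    ("Syncache/syncookie related statistics", "SYN cookies sent"),
    ("Other statistics", "listen queue overflows"),
    ("Other statistics", "packets dropped with MD5 authentication"),
]


def parse_tcp_statistics(text):
    """Return {(section, counter name): int} for every counter in the output."""
    text = WRAP.sub(r"\1 \2", text)          # undo the wrapped value line
    counters, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):               # e.g. "Received packets:"
            section = line[:-1]
            continue
        for m in PAIR.finditer(line):
            counters[(section, m["name"].strip(" ,"))] = int(m["val"])
    return counters


def changed_counters(before, after, watch=WATCH):
    """Return {counter name: increase} for watched counters that grew.

    If a counter went down, the statistics were cleared between the two
    snapshots, so the later value itself is taken as the increase.
    """
    out = {}
    for key in watch:
        old, new = before.get(key, 0), after.get(key, 0)
        delta = new - old if new >= old else new
        if delta > 0:
            out[key[1]] = delta
    return out


if __name__ == "__main__":
    diff = changed_counters(parse_tcp_statistics(BEFORE),
                            parse_tcp_statistics(AFTER))
    for name, delta in diff.items():
        print(f"{name}: +{delta}")
```
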

display tcp verbose

Use display tcp verbose to display detailed information about TCP connections.

Syntax

Centralized devices in standalone mode:

display tcp verbose [ pcb pcb-index ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display tcp verbose [ slot slot-number [ pcb pcb-index ] ]

Distributed devices in IRF mode:

display tcp verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pcb pcb-index: Displays detailed TCP connection information for the specified PCB. The value range for the pcb-index argument is 1 to 16.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays detailed information about TCP connections for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays detailed information about TCP connections for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays detailed information about TCP connections for all cards. (Distributed devices in IRF mode.)

Usage guidelines

The detailed TCP connection information includes socket creator, state, option, type, protocol number, source IP address and port number, destination IP address and port number, and connection state.

Examples

# (Centralized devices in standalone mode.) Display detailed information about TCP connections.

<Sysname> display tcp verbose

TCP inpcb number: 1(tcpcb number: 1)

 

 Creator: bgpd[199]

 State: ISCONNECTED

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 65700 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 65700 / 512 / N/A

 Type: 1

 Protocol: 6

 Connection info: src = 192.168.20.200:179 ,  dst = 192.168.20.14:4181

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV4

 TTL: 255(minimum TTL: 0)

 Connection state: ESTABLISHED

 TCP options: TF_REQ_SCALE TF_REQ_TSTMP TF_SACK_PERMIT TF_NSR

 NSR state: READY(M)

 Send VRF: 0x0

 Receive VRF: 0x0

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display detailed information about TCP connections.

<Sysname> display tcp verbose

TCP inpcb number: 1(tcpcb number: 1)

 

 Location: Slot: 6

 NSR standby: N/A

 Creator: bgpd[199]

 State: ISCONNECTED

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 65700 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 65700 / 512 / N/A

 Type: 1

 Protocol: 6

 Connection info: src = 192.168.20.200:179 ,  dst = 192.168.20.14:4181

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV4

 TTL: 255(minimum TTL: 0)

 Connection state: ESTABLISHED

 TCP options: TF_REQ_SCALE TF_REQ_TSTMP TF_SACK_PERMIT TF_NSR

 NSR state: READY(M)

 Send VRF: 0x0

 Receive VRF: 0x0

# (Distributed devices in IRF mode.) Display detailed information about TCP connections.

<Sysname> display tcp verbose

TCP inpcb number: 1(tcpcb number: 1)

 

 Location: Chassis: 2 Slot: 6

 NSR standby: N/A

 Creator: bgpd[199]

 State: ISCONNECTED

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 65700 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 65700 / 512 / N/A

 Type: 1

 Protocol: 6

 Connection info: src = 192.168.20.200:179 ,  dst = 192.168.20.14:4181

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV4

 TTL: 255(minimum TTL: 0)

 Connection state: ESTABLISHED

 TCP options: TF_REQ_SCALE TF_REQ_TSTMP TF_SACK_PERMIT TF_NSR

 NSR state: READY(M)

 Send VRF: 0x0

 Receive VRF: 0x0

Table 59 Command output

Field

Description

TCP inpcb number

Number of TCP IP PCBs.

tcpcb number

Number of TCP PCBs. This field is not displayed if the state of the TCP connection is TIME_WAIT.

Location

Location of the card. (Distributed devices in standalone or IRF mode.)

Location

Location of the device. (Centralized devices in IRF mode.)

Chassis

ID of the IRF member device. (Distributed devices in IRF mode.)

Slot

Slot number of the card. (Distributed devices in standalone or IRF mode.)

Slot

ID of the IRF member device. (Centralized devices in IRF mode.)

NSR standby

ID of the IRF member device and number of the slot where the NSR standby card resides. This field displays N/A if no NSR standby card is present.

Creator

Name of the operation that created the socket. The number in brackets is the process number of the creator.

State

State of the socket.

Options

Socket options.

Error

Error code.

Receiving buffer(cc/hiwat/lowat/drop/state)

Displays receive buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     drop—Number of dropped packets.

·     state—Buffer state:

¡     CANTSENDMORE—Unable to send data to the peer.

¡     CANTRCVMORE—Unable to receive data from the peer.

¡     RCVATMARK—Receiving tag.

¡     N/A—None of the above states.

Sending buffer (cc/hiwat/lowat/state)

Displays send buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     state—Buffer state:

¡     CANTSENDMORE—Unable to send data to the peer.

¡     CANTRCVMORE—Unable to receive data from the peer.

¡     RCVATMARK—Receiving tag.

¡     N/A—None of the above states.

Type

Socket type:

·     1—SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams.

·     2—SOCK_DGRAM. This socket uses UDP to provide datagram transmission.

·     3—SOCK_RAW. This socket allows an application to change the next upper-layer protocol header.

·     N/A—None of the above types.

Protocol

Number of the protocol using the socket.

Connection info

Source IP address and port number, and destination IP address and port number.

Inpcb flags

Flags in the Internet PCB:

·     INP_RECVOPTS—Receives IP options.

·     INP_RECVRETOPTS—Receives replied IP options.

·     INP_RECVDSTADDR—Receives destination IP address.

·     INP_HDRINCL—Provides the entire IP header.

·     INP_REUSEADDR—Reuses the IP address.

·     INP_REUSEPORT—Reuses the port number.

·     INP_ANONPORT—Port number not specified.

·     INP_RECVIF—Records the input interface of the packet.

·     INP_RECVTTL—Receives TTL of the packet. Only UDP and RawIP support this flag.

·     INP_DONTFRAG—Sets the Don't Fragment flag.

·     INP_ROUTER_ALERT—Receives packets with the router alert option. Only RawIP supports this flag.

·     INP_PROTOCOL_PACKET—Identifies a protocol packet.

·     INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag.

·     INP_RCVMACADDR—Receives the MAC address of the frame.

·     INP_SNDBYLSPV—Sends through MPLS.

·     INP_RECVTOS—Receives TOS of the packet. Only UDP and RawIP support this flag.

·     INP_SYNCPCB—Waits until Internet PCB is synchronized.

·     N/A—None of the above flags.

Inpcb extflag

Extension flags in the Internet PCB:

·     INP_EXTRCVPVCIDX—Records the PVC index of the received packet.

·     INP_RCVPWID—Records the PW ID of the received packet.

·     N/A—None of the above flags.

Inpcb vflag

IP version flags in the Internet PCB:

·     INP_IPV4—IPv4 protocol.

·     INP_TIMEWAIT—In TIMEWAIT state.

·     INP_ONESBCAST—Sends broadcast packets.

·     INP_DROPPED—Protocol dropped flag.

·     INP_SOCKREF—Strong socket reference.

·     INP_DONTBLOCK—Do not block synchronization of the Internet PCB.

·     N/A—None of the above flags.

TTL

TTL value in the Internet PCB.

TCP options

TCP options:

·     TF_MD5SIG—Enables MD5 signature.

·     TF_PASSWORD—The MD5 password is configured.

·     TF_NODELAY—Do not delay sending acknowledgements.

·     TF_NOOPT—No TCP options.

·     TF_NOPUSH—Allows TCP to send non-full-sized segments.

·     TF_BINDFOREIGNADDR—Bind the peer IP address.

·     TF_NSR—Enables TCP NSR.

·     TF_REQ_SCALE—Enables the TCP window scale option.

·     TF_REQ_TSTMP—Enables the time stamp option.

·     TF_SACK_PERMIT—Enables the TCP selective acknowledgement option.

NSR state

State of the TCP connections.

Between the parentheses is the role of the connection:

·     M—Main connection.

·     S—Standby connection.

 

display tcp-proxy

Use display tcp-proxy to display brief information about TCP proxy.

Syntax

Centralized devices in standalone mode:

display tcp-proxy

Distributed devices in standalone mode/centralized devices in IRF mode:

display tcp-proxy slot slot-number

Distributed devices in IRF mode:

display tcp-proxy chassis chassis-number slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (Distributed devices in IRF mode.)

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK  Yes
MSR810-LMS/810-LUS                                                      No
MSR2600-6-X1/2600-10-X1                                                 Yes
MSR 2630                                                                Yes
MSR3600-28/3600-51                                                      Yes
MSR3600-28-SI/3600-51-SI                                                Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                          Yes
MSR 3610/3620/3620-DP/3640/3660                                         Yes
MSR5620/5660/5680                                                       Yes

Hardware          Command compatibility
MSR810-LM-GL      Yes
MSR810-W-LM-GL    Yes
MSR830-6EI-GL     Yes
MSR830-10EI-GL    Yes
MSR830-6HI-GL     Yes
MSR830-10HI-GL    Yes
MSR2600-6-X1-GL   Yes
MSR3600-28-SI-GL  No

 

TCP proxy splits every TCP connection that passes through it into two TCP connections to relay data packets between clients and servers. The split is transparent to the servers and clients. This feature reduces bandwidth use and improves TCP performance. It is used for services such as load balancing, WAAS, and SSL VPN.

Examples

# Display brief information about TCP proxy.

<Sysname> display tcp-proxy

Local Addr:port       Foreign Addr:port     State        Service type

192.168.56.25:1111    111.111.111.125:8080  ESTABLISHED  WAAS

111.111.111.125:8080  192.168.56.25:1111    ESTABLISHED  WAAS

Table 60 Command output

Field

Description

Local Addr:port

Local IP address and port number.

Foreign Addr:port

Peer IP address and port number.

State

TCP connection state.

Service type

Type of services that the TCP proxy is used for:

·     LB—Load balancing services.

·     WAAS—Wide area application services.

·     SSL VPN—SSL VPN services.

 

display tcp-proxy port-info

Use display tcp-proxy port-info to display the usage of non-well known ports for TCP proxy.

Syntax

Centralized devices in standalone mode:

display tcp-proxy port-info

Distributed devices in standalone mode/centralized devices in IRF mode:

display tcp-proxy port-info slot slot-number

Distributed devices in IRF mode:

display tcp-proxy port-info chassis chassis-number slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays non-well known port usage for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays non-well known port usage for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays non-well known port usage for all cards. (Distributed devices in IRF mode.)

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK  Yes
MSR810-LMS/810-LUS                                                      No
MSR2600-6-X1/2600-10-X1                                                 Yes
MSR 2630                                                                Yes
MSR3600-28/3600-51                                                      Yes
MSR3600-28-SI/3600-51-SI                                                Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                          Yes
MSR 3610/3620/3620-DP/3640/3660                                         Yes
MSR5620/5660/5680                                                       Yes

Hardware          Command compatibility
MSR810-LM-GL      Yes
MSR810-W-LM-GL    Yes
MSR830-6EI-GL     Yes
MSR830-10EI-GL    Yes
MSR830-6HI-GL     Yes
MSR830-10HI-GL    Yes
MSR2600-6-X1-GL   Yes
MSR3600-28-SI-GL  No

 

The TCP ports are divided into well known ports (port numbers from 0 through 1023) and non-well known ports (port numbers from 1024 through 65535).

·     Well known ports are for certain services, for example, port 23 for Telnet service, ports 20 and 21 for FTP service, and port 80 for HTTP service.

·     Non-well known ports are available for various services. You can use the display tcp-proxy port-info command to display the usage of these ports.

Examples

# Display the usage of non-well known ports for TCP proxy.

<Sysname> display tcp-proxy port-info

Index  Range            State

16     [1024, 1087]     USABLE

17     [1088, 1151]     USABLE

18     [1152, 1215]     USABLE

19     [1216, 1279]     USABLE

20     [1280, 1343]     USABLE

...

1020   [65280, 65343]   USABLE

1021   [65344, 65407]   USABLE

1022   [65408, 65471]   USABLE

1023   [65472, 65535]   USABLE

Table 61 Command output

Field

Description

Index

Index of the port range.

Range

Start port number and end port number.

State

State of the port range:

·     USABLE—The ports are assignable.

·     ASSIGNED—Some ports are dynamically assigned and some ports are not.

·     ALLASSIGNED—All ports are dynamically assigned. The assigned ports can be reclaimed.

·     TO RECLAIM—Some ports are statically assigned. The assigned ports can be reclaimed.

·     RESERVED—The ports are reserved. The reserved ports cannot be dynamically assigned.

 

display udp

Use display udp to display brief information about UDP connections.

Syntax

Centralized devices in standalone mode:

display udp

Distributed devices in standalone mode/centralized devices in IRF mode:

display udp [ slot slot-number ]

Distributed devices in IRF mode:

display udp [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays brief information about UDP connections for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays brief information about UDP connections for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays brief information about UDP connections for all cards. (Distributed devices in IRF mode.)

Usage guidelines

Brief UDP connection information includes local IP address and port number, and peer IP address and port number.

Examples

# (Centralized devices in standalone mode.) Display brief information about UDP connections.

<Sysname> display udp

 Local Addr:port        Foreign Addr:port      Slot  PCB

 0.0.0.0:69             0.0.0.0:0              1     0x0000000000000003

 192.168.20.200:1024    192.168.20.14:69       1     0x0000000000000002

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display brief information about UDP connections.

<Sysname> display udp

 Local Addr:port        Foreign Addr:port     Slot  PCB

 0.0.0.0:69             0.0.0.0:0             1     0x0000000000000003

 192.168.20.200:1024    192.168.20.14:69      5     0x0000000000000002

# (Distributed devices in IRF mode.) Display brief information about UDP connections.

<Sysname> display udp

 Local Addr:port        Foreign Addr:port     Chassis Slot  PCB

 0.0.0.0:69             0.0.0.0:0             1       1     0x0000000000000003

 192.168.20.200:1024    192.168.20.14:69      1       5     0x0000000000000002

Table 62 Command output

Field

Description

Local Addr:port

Local IP address and port number.

Foreign Addr:port

Peer IP address and port number.

Chassis

ID of the IRF member device. (Distributed devices in IRF mode.)

Slot

Number of the slot that holds the card. (Distributed devices in standalone or IRF mode.)

Slot

ID of the IRF member device. (Centralized devices in IRF mode.)

PCB

PCB index.

 

display udp statistics

Use display udp statistics to display UDP traffic statistics.

Syntax

Centralized devices in standalone mode:

display udp statistics

Distributed devices in standalone mode/centralized devices in IRF mode:

display udp statistics [ slot slot-number ]

Distributed devices in IRF mode:

display udp statistics [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays UDP traffic statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays UDP traffic statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays UDP traffic statistics for all cards. (Distributed devices in IRF mode.)

Usage guidelines

UDP traffic statistics include information about received and sent UDP packets.

Examples

# Display UDP traffic statistics.

<Sysname> display udp statistics

Received packets:

     Total: 240

     checksum error: 0, no checksum: 0

     shorter than header: 0, data length larger than packet: 0

     no socket on port(unicast): 0

     no socket on port(broadcast/multicast): 240

     not delivered, input socket full: 0

Sent packets:

     Total: 0

Related commands

reset udp statistics

display udp verbose

Use display udp verbose to display detailed information about UDP connections.

Syntax

Centralized devices in standalone mode:

display udp verbose [ pcb pcb-index ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display udp verbose [ slot slot-number [ pcb pcb-index ] ]

Distributed devices in IRF mode:

display udp verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pcb pcb-index: Displays detailed UDP connection information for the specified PCB. The value range for the pcb-index argument is 1 to 16.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays detailed information about UDP connections for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays detailed information about UDP connections for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays detailed information about UDP connections for all cards. (Distributed devices in IRF mode.)

Usage guidelines

The detailed information includes socket creator, status, option, type, protocol number, source IP address and port number, and destination IP address and port number for UDP connections.

Examples

# (Centralized devices in standalone mode.) Display detailed UDP connection information.

<Sysname> display udp verbose

Total UDP socket number: 1

 

 Creator: sock_test_mips[250]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 41600 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 2

 Protocol: 17

 Connection info: src = 0.0.0.0:69, dst = 0.0.0.0:0

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV4

 TTL: 255(minimum TTL: 0)

 Send VRF: 0xffff

 Receive VRF: 0xffff

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display detailed UDP connection information.

<Sysname> display udp verbose

Total UDP socket number: 1

 

 Location: Slot: 6

 Creator: sock_test_mips[250]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 41600 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 2

 Protocol: 17

 Connection info: src = 0.0.0.0:69, dst = 0.0.0.0:0

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV4

 TTL: 255(minimum TTL: 0)

 Send VRF: 0xffff

 Receive VRF: 0xffff

# (Distributed devices in IRF mode.) Display detailed UDP connection information.

<Sysname> display udp verbose

Total UDP socket number: 1

 

 Location: Chassis: 2 Slot: 6

 Creator: sock_test_mips[250]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 41600 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 2

 Protocol: 17

 Connection info: src = 0.0.0.0:69, dst = 0.0.0.0:0

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV4

 TTL: 255(minimum TTL: 0)

 Send VRF: 0xffff

 Receive VRF: 0xffff

Table 63 Command output

Field

Description

Total UDP socket number

Total number of UDP sockets.

Location

Location of the card. (Distributed devices in standalone or IRF mode.)

Location

Location of the device. (Centralized devices in IRF mode.)

Chassis

ID of the IRF member device. (Distributed devices in IRF mode.)

Slot

Slot number of the card. (Distributed devices in standalone or IRF mode.)

Slot

ID of the IRF member device. (Centralized devices in IRF mode.)

Creator

Name of the operation that created the socket. The number in brackets is the process number of the creator.

State

Socket state.

Options

Socket option.

Error

Error code.

Receiving buffer(cc/hiwat/lowat/drop/state)

Displays receive buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     drop—Number of dropped packets.

·     state—Buffer state:

¡     CANTSENDMORE—Unable to send data to the peer.

¡     CANTRCVMORE—Unable to receive data from the peer.

¡     RCVATMARK—Receiving tag.

¡     N/A—None of the above states.

Sending buffer(cc/hiwat/lowat/state)

Displays send buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     state—Buffer state:

¡     CANTSENDMORE—Unable to send data to the peer.

¡     CANTRCVMORE—Unable to receive data from the peer.

¡     RCVATMARK—Receiving tag.

¡     N/A—None of the above states.

Type

Socket type:

·     1—SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams.

·     2—SOCK_DGRAM. This socket uses UDP to provide datagram transmission.

·     3—SOCK_RAW. This socket allows an application to change the next upper-layer protocol header.

·     N/A—None of the above types.

Protocol

Number of the protocol using the socket.

Inpcb flags

Flags in the Internet PCB:

·     INP_RECVOPTS—Receives IP options.

·     INP_RECVRETOPTS—Receives replied IP options.

·     INP_RECVDSTADDR—Receives destination IP address.

·     INP_HDRINCL—Provides the entire IP header.

·     INP_REUSEADDR—Reuses the IP address.

·     INP_REUSEPORT—Reuses the port number.

·     INP_ANONPORT—Port number not specified.

·     INP_RECVIF—Records the input interface of the packet.

·     INP_RECVTTL—Receives TTL of the packet. Only UDP and RawIP support this flag.

·     INP_DONTFRAG—Sets the Don't Fragment flag.

·     INP_ROUTER_ALERT—Receives packets with the router alert option. Only RawIP supports this flag.

·     INP_PROTOCOL_PACKET—Identifies a protocol packet.

·     INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag.

·     INP_RCVMACADDR—Receives the MAC address of the frame.

·     INP_SNDBYLSPV—Sends through MPLS.

·     INP_RECVTOS—Receives TOS of the packet. Only UDP and RawIP support this flag.

·     INP_SYNCPCB—Waits until Internet PCB is synchronized.

·     N/A—None of the above flags.

Inpcb extflag

Extension flags in the Internet PCB:

·     INP_EXTRCVPVCIDX—Records the PVC index of the received packet.

·     INP_RCVPWID—Records the PW ID of the received packet.

·     N/A—None of the above flags.

Inpcb vflag

IP version flags in the Internet PCB:

·     INP_IPV4—IPv4 protocol.

·     INP_TIMEWAIT—In TIMEWAIT state.

·     INP_ONESBCAST—Sends broadcast packets.

·     INP_DROPPED—Protocol dropped flag.

·     INP_SOCKREF—Strong socket reference.

·     INP_DONTBLOCK—Do not block synchronization of the Internet PCB.

·     N/A—None of the above flags.

TTL

TTL value in the Internet PCB.

 

ip forward-broadcast

Use ip forward-broadcast to enable an interface to receive and forward directed broadcast packets destined for the directly connected network.

Use undo ip forward-broadcast to disable an interface from receiving and forwarding directed broadcast packets destined for the directly connected network.

Syntax

ip forward-broadcast

undo ip forward-broadcast

Default

An interface cannot forward directed broadcasts destined for the directly connected network.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

A directed broadcast packet is destined for all hosts on a specific network. In the destination IP address of the directed broadcast, the network ID identifies the target network, and the host ID is made up of all ones.

If an interface is allowed to forward directed broadcasts destined for the directly connected network, hackers can exploit this vulnerability to attack the target network. In some scenarios, however, an interface must receive and send such directed broadcast packets to support UDP helper and Wake on LAN.

This command enables an interface to accept directed broadcast packets that are destined for and received from the directly connected network to support UDP helper. UDP helper converts the directed broadcasts to unicasts and forwards them to a specific server.

The command also enables the interface to forward directed broadcast packets that are destined for the directly connected network and are received from another subnet to support Wake on LAN. Wake on LAN sends the directed broadcasts to wake up the hosts on the target network.

Examples

# Enable the interface GigabitEthernet 1/0/1 to receive and forward directed broadcast packets destined for the directly connected network.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ip forward-broadcast
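The following audit script is an added example, not part of the H3C documentation. It scans configuration text in the layout of display current-configuration output (the sample is constructed) for interfaces that have ip forward-broadcast set and lists the directed broadcast address of each connected network. The needs_review rule (no udp-helper server line on the interface) and all function names are this example's own assumptions.

```python
"""Audit a Comware-style configuration for interfaces with `ip forward-broadcast`."""
import ipaddress

# Constructed sample in the layout of `display current-configuration` output.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/1
 ip address 192.168.1.1 255.255.255.0
 ip forward-broadcast
 udp-helper server 192.1.1.2
#
interface GigabitEthernet1/0/2
 ip address 10.1.0.1 255.255.0.0
 ip address 10.2.0.1 255.255.255.0 sub
 ip forward-broadcast
#
interface GigabitEthernet1/0/3
 ip address 172.16.5.1 255.255.255.252
#
"""


def parse_interfaces(config_text):
    """Return {interface name: [command lines]} for every interface section."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # "#" separator or another top-level section
    return sections


def directed_broadcasts(commands):
    """Directed broadcast address (network ID + all-ones host ID) per `ip address`."""
    result = []
    for cmd in commands:
        parts = cmd.split()
        if parts[:2] != ["ip", "address"] or len(parts) < 4:
            continue
        try:
            network = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network
        except ValueError:
            continue  # not an address/mask pair, e.g. `ip address unnumbered ...`
        if network.prefixlen <= 30:  # /31 and /32 have no all-ones host address
            result.append(str(network.broadcast_address))
    return result


def audit_forward_broadcast(config_text):
    """List interfaces that forward directed broadcasts and whether UDP helper explains it."""
    findings = []
    for name, commands in parse_interfaces(config_text).items():
        if "ip forward-broadcast" not in commands:
            continue  # default: directed broadcasts are not forwarded
        servers = [c.split()[2] for c in commands if c.startswith("udp-helper server ")]
        findings.append({
            "interface": name,
            "directed_broadcasts": directed_broadcasts(commands),
            "udp_helper_servers": servers,
            # Example policy: without UDP helper the setting needs another
            # documented reason (such as Wake on LAN) or should be removed.
            "needs_review": not servers,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_forward_broadcast(SAMPLE_CONFIG):
        print(finding)
```
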

ip icmp error-interval

Use ip icmp error-interval to set the bucket size and the interval for tokens to arrive in the bucket for ICMP error messages.

Use undo ip icmp error-interval to restore the default.

Syntax

ip icmp error-interval interval [ bucketsize ]

undo ip icmp error-interval

Default

The bucket allows a maximum of 10 tokens, and a token is placed in the bucket every 100 milliseconds.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the interval for tokens to arrive in the bucket. The value range is 0 to 2147483647 milliseconds. To disable the ICMP rate limit, set the value to 0.

bucketsize: Specifies the maximum number of tokens allowed in the bucket. The value range is 1 to 200.

Usage guidelines

This command limits the rate at which ICMP error messages are sent. Use this command to avoid sending excessive ICMP error messages within a short period that might cause network congestion. A token bucket algorithm is used with one token representing one ICMP error message.

A token is placed in the bucket at intervals until the maximum number of tokens that the bucket can hold is reached.

A token is removed from the bucket when an ICMP error message is sent. When the bucket is empty, ICMP error messages are not sent until a new token is placed in the bucket.

Examples

# Set the bucket size to 40 tokens and the interval for tokens to arrive in the bucket to 200 milliseconds for ICMP error messages.

<Sysname> system-view

[Sysname] ip icmp error-interval 200 40
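A model of the token bucket described above, added here as an illustration and not taken from Comware. It assumes that the bucket starts full and that tokens arrive on a fixed interval grid; the class and function names are hypothetical.

```python
"""Token-bucket model of `ip icmp error-interval interval [ bucketsize ]`."""


class IcmpErrorLimiter:
    """One token represents one ICMP error message."""

    def __init__(self, interval_ms=100, bucketsize=10):
        # Defaults and value ranges are the ones documented for the command.
        if not 0 <= interval_ms <= 2147483647:
            raise ValueError("interval must be 0 to 2147483647 milliseconds")
        if not 1 <= bucketsize <= 200:
            raise ValueError("bucketsize must be 1 to 200")
        self.interval_ms = interval_ms
        self.bucketsize = bucketsize
        self.tokens = bucketsize  # assumption: the bucket starts full
        self.last_tick_ms = 0     # time of the most recent token arrival

    def allow(self, now_ms):
        """Return True if an ICMP error may be sent at now_ms, consuming a token."""
        if self.interval_ms == 0:
            return True  # interval 0 disables the ICMP rate limit
        ticks = (now_ms - self.last_tick_ms) // self.interval_ms
        if ticks > 0:
            # Tokens that arrive while the bucket is full are discarded.
            self.tokens = min(self.bucketsize, self.tokens + ticks)
            self.last_tick_ms += ticks * self.interval_ms
        if self.tokens == 0:
            return False  # bucket empty: no error message until a token arrives
        self.tokens -= 1
        return True


def simulate(limiter, trigger_times_ms):
    """Feed times (ms) at which a packet would trigger an ICMP error; count outcomes."""
    times = list(trigger_times_ms)
    sent = sum(1 for t in times if limiter.allow(t))
    return {"sent": sent, "suppressed": len(times) - sent}


if __name__ == "__main__":
    one_second = range(1000)  # constructed load: one triggering packet per millisecond
    print("default (100 ms, 10 tokens):", simulate(IcmpErrorLimiter(), one_second))
    print("example (200 ms, 40 tokens):", simulate(IcmpErrorLimiter(200, 40), one_second))
    print("rate limit disabled (0 ms): ", simulate(IcmpErrorLimiter(0), one_second))
```

The bucket size sets how large a burst of error messages can be, and the interval sets the sustained rate once the burst allowance is used up.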

ip icmp source

Use ip icmp source to specify the source address for outgoing ICMP packets.

Use undo ip icmp source to remove the specified source address for outgoing ICMP packets.

Syntax

ip icmp source [ vpn-instance vpn-instance-name ] ip-address

undo ip icmp source [ vpn-instance vpn-instance-name ]

Default

No source address is specified for outgoing ICMP packets. The device uses the IP address of the sending interface as the source IP address for outgoing ICMP packets.

Views

System view

Predefined user roles

network-admin

Parameters

vpn-instance vpn-instance-name: Specifies the VPN instance to which the specified address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. The specified VPN instance must exist. If the specified IP address is on the public network, do not use this option.

ip-address: Specifies an IP address.

Usage guidelines

It is a good practice to specify the IP address of the loopback interface as the source IP address for outgoing ping echo request and ICMP error messages. This feature helps users to locate the sending device easily.

Examples

# Specify 1.1.1.1 as the source address for outgoing ICMP packets.

<Sysname> system-view

[Sysname] ip icmp source 1.1.1.1

ip mtu

Use ip mtu to set an MTU for an interface.

Use undo ip mtu to restore the default.

Syntax

ip mtu mtu-size

undo ip mtu

Default

No MTU is set for an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

mtu-size: Specifies an MTU in the range of 128 to 1650 bytes.

Usage guidelines

When a packet exceeds the MTU of the output interface, the device processes it in one of the following ways:

·     If the packet disallows fragmentation, the device discards it.

·     If the packet allows fragmentation, the device fragments it and forwards the fragments.

Fragmentation and reassembling consume system resources, so set an appropriate MTU for an interface to avoid fragmentation.

If an interface supports both the mtu and ip mtu commands, the device fragments a packet based on the MTU set by the ip mtu command.

Examples

# Set the MTU of interface GigabitEthernet 1/0/1 to 1280 bytes.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ip mtu 1280

ip reassemble local enable

Use ip reassemble local enable to enable IPv4 local fragment reassembly.

Use undo ip reassemble local enable to disable local fragment reassembly.

Syntax

ip reassemble local enable

undo ip reassemble local enable

Default

IPv4 local fragment reassembly is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature improves IPv4 fragment reassembly efficiency on distributed devices as follows:

·     In standalone mode, this feature enables the receiving LPU to reassemble the fragments of an IPv4 packet if all the fragments arrive at it. If this feature is disabled, all fragments are delivered to the active MPU for reassembly. The feature applies only to fragments destined for the same LPU.

·     In IRF mode, this feature enables the receiving subordinate to reassemble the fragments of an IPv4 packet if all fragments arrive at it. If this feature is disabled, all fragments are delivered to the master device for reassembly. The feature applies only to fragments destined for the same subordinate.

Examples

# Enable IPv4 local fragment reassembly.

<Sysname> system-view

[Sysname] ip reassemble local enable

ip redirects enable

Use ip redirects enable to enable sending ICMP redirect messages.

Use undo ip redirects enable to disable sending ICMP redirect messages.

Syntax

ip redirects enable

undo ip redirects enable

Default

Sending ICMP redirect messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

ICMP redirect messages simplify host management and enable hosts to gradually optimize their routing tables.

A host that has only one route destined for the default gateway sends all packets to the default gateway. The default gateway sends an ICMP redirect message to inform the host of a correct next hop by following these rules:

·     The receiving and sending interfaces are the same.

·     The selected route is not created or modified by any ICMP redirect messages.

·     The selected route is not destined for 0.0.0.0.

·     There is no source route option in the received packet.

Examples

# Enable sending ICMP redirect messages.

<Sysname> system-view

[Sysname] ip redirects enable

ip ttl-expires enable

Use ip ttl-expires enable to enable sending ICMP time exceeded messages.

Use undo ip ttl-expires enable to disable sending ICMP time exceeded messages.

Syntax

ip ttl-expires enable

undo ip ttl-expires enable

Default

Sending ICMP time exceeded messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A device sends ICMP time exceeded messages by following these rules:

·     The device sends an ICMP TTL exceeded in transit message to the source when the following conditions are met:

¡     The received packet is not destined for the device.

¡     The TTL field of the packet is 1.

·     When the device receives the first fragment of an IP datagram destined for the device itself, it starts a timer. If the timer expires before all the fragments of the datagram are received, the device sends an ICMP fragment reassembly time exceeded message to the source.

A device disabled from sending ICMP time exceeded messages does not send ICMP TTL exceeded in transit messages but can still send ICMP fragment reassembly time exceeded messages.

Examples

# Enable sending ICMP time exceeded messages.

<Sysname> system-view

[Sysname] ip ttl-expires enable

ip unreachables enable

Use ip unreachables enable to enable sending ICMP destination unreachable messages.

Use undo ip unreachables enable to disable sending ICMP destination unreachable messages.

Syntax

ip unreachables enable

undo ip unreachables enable

Default

Sending ICMP destination unreachable messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A device sends ICMP destination unreachable messages by following these rules:

·     The device sends the source an ICMP network unreachable message when the following conditions are met:

¡     The received packet does not match any route.

¡     No default route exists in the routing table.

·     The device sends the source an ICMP protocol unreachable message when the following conditions are met:

¡     The received packet is destined for the device.

¡     The transport layer protocol of the packet is not supported by the device.

·     The device sends the source an ICMP port unreachable message when the following conditions are met:

¡     The received UDP packet is destined for the device.

¡     The packet's port number does not match the running process.

·     The device sends the source an ICMP source route failed message when the following conditions are met:

¡     The source uses Strict Source Routing to send packets.

¡     The intermediate device finds that the next hop specified by the source is not directly connected.

·     The device sends the source an ICMP fragmentation needed and DF set message when the following conditions are met:

¡     The MTU of the sending interface is smaller than the packet.

¡     The packet has Don't Fragment set.

Examples

# Enable sending ICMP destination unreachable messages.

<Sysname> system-view

[Sysname] ip unreachables enable

reset ip statistics

Use reset ip statistics to clear IP traffic statistics.

Syntax

Centralized devices in standalone mode:

reset ip statistics

Distributed devices in standalone mode/centralized devices in IRF mode:

reset ip statistics [ slot slot-number ]

Distributed devices in IRF mode:

reset ip statistics [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears IP traffic statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears IP traffic statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears IP traffic statistics for all cards. (Distributed devices in IRF mode.)

Usage guidelines

Use this command to clear historical IP traffic statistics before you collect IP traffic statistics for a time period.

Examples

# Clear IP traffic statistics.

<Sysname> reset ip statistics

Related commands

display ip interface

display ip statistics

reset tcp statistics

Use reset tcp statistics to clear TCP traffic statistics.

Syntax

reset tcp statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear TCP traffic statistics.

<Sysname> reset tcp statistics

Related commands

display tcp statistics

reset udp statistics

Use reset udp statistics to clear UDP traffic statistics.

Syntax

reset udp statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear UDP traffic statistics.

<Sysname> reset udp statistics

Related commands

display udp statistics

tcp mss

Use tcp mss to set the TCP maximum segment size (MSS).

Use undo tcp mss to restore the default.

Syntax

tcp mss value

undo tcp mss

Default

The TCP MSS is not set.

Views

Interface view

Predefined user roles

network-admin

Parameters

value: Specifies the TCP MSS in the range of 128 to 1610 bytes.

Usage guidelines

The MSS option informs the receiver of the largest segment that the sender can accept. Each end announces its MSS during TCP connection establishment. If the size of a TCP segment is smaller than the MSS of the receiver, TCP sends the TCP segment without fragmentation. If not, TCP fragments the segment according to the receiver's MSS.

If you set the TCP MSS on an interface, the size of each TCP segment received or sent on the interface cannot exceed the MSS value.

This configuration takes effect only on TCP connections that are established after the configuration and not on the TCP connections that already exist.

This configuration is effective only on IP packets. If MPLS is enabled on the interface, do not set the TCP MSS on the interface.

Examples

# Set the TCP MSS to 300 bytes on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] tcp mss 300

tcp path-mtu-discovery

Use tcp path-mtu-discovery to enable TCP path MTU discovery.

Use undo tcp path-mtu-discovery to disable TCP path MTU discovery.

Syntax

tcp path-mtu-discovery [ aging age-time | no-aging ]

undo tcp path-mtu-discovery

Default

TCP path MTU discovery is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

aging age-time: Specifies the aging time for the path MTU, in the range of 10 to 30 minutes. The default aging time is 10 minutes.

no-aging: Does not age out the path MTU.

Usage guidelines

After you enable TCP path MTU discovery, all new TCP connections detect the path MTU. The device uses the path MTU to calculate the MSS to avoid IP fragmentation.

After you disable TCP path MTU discovery, the system stops all path MTU timers. TCP connections established later do not detect the path MTU, but previously established TCP connections can still detect the path MTU.

Examples

# Enable TCP path MTU discovery and set the path MTU aging time to 20 minutes.

<Sysname> system-view

[Sysname] tcp path-mtu-discovery aging 20

tcp syn-cookie enable

Use tcp syn-cookie enable to enable SYN Cookie to protect the device from SYN flood attacks.

Use undo tcp syn-cookie enable to disable SYN Cookie.

Syntax

tcp syn-cookie enable

undo tcp syn-cookie enable

Default

SYN Cookie is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A TCP connection is established through a three-way handshake:

1.     The sender sends a SYN packet to the server.

2.     The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state, and replies with a SYN ACK packet to the sender.

3.     The sender receives the SYN ACK packet and replies with an ACK packet. Then, a TCP connection is established.

An attacker can exploit this mechanism to mount SYN flood attacks. The attacker sends a large number of SYN packets but does not respond to the SYN ACK packets from the server. As a result, the server establishes a large number of TCP semi-connections and cannot handle normal services.

SYN Cookie can protect the server from SYN flood attacks. When the server receives a SYN packet, it responds to the request with a SYN ACK packet without establishing a TCP semi-connection.

The server establishes a TCP connection and enters ESTABLISHED state only when it receives an ACK packet from the sender.

Examples

# Enable SYN Cookie.

<Sysname> system-view

[Sysname] tcp syn-cookie enable
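The following model is an added example and not H3C's implementation. It contrasts a listener that allocates a semi-connection per SYN with one that encodes the connection into the SYN ACK sequence number and creates state only when a valid ACK returns. The cookie layout (5 bits of time, 3 bits of MSS index, 24-bit HMAC-SHA256), the MSS table, the 64-second counter and the backlog of 128 are assumptions, and all addresses come from documentation ranges.

```python
"""Simplified SYN cookie model (illustrative; not the Comware implementation)."""
import hashlib
import hmac
import os
import struct

MSS_TABLE = (216, 536, 1200, 1360, 1400, 1440, 1452, 1460)  # assumed 3-bit index table
COUNTER_PERIOD_S = 64  # assumed: the cookie time counter ticks every 64 seconds
MASK32 = 0xFFFFFFFF


def mac24(secret, conn, client_isn, counter, mss_idx):
    """24-bit keyed hash binding a cookie to the 4-tuple, client ISN and time."""
    msg = "|".join(map(str, conn)).encode()
    msg += struct.pack("!IIB", client_isn, counter, mss_idx)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, conn, client_isn, client_mss, now_s):
    """Server ISN for the SYN ACK: 5 bits time | 3 bits MSS index | 24 bits MAC."""
    counter = now_s // COUNTER_PERIOD_S
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac24(secret, conn, client_isn, counter, mss_idx)


def check_cookie(secret, conn, ack_seq, ack_num, now_s):
    """Validate the final ACK; return the MSS, or None for a bad or stale cookie."""
    cookie = (ack_num - 1) & MASK32
    client_isn = (ack_seq - 1) & MASK32
    mss_idx = (cookie >> 24) & 0x7
    now_counter = now_s // COUNTER_PERIOD_S
    for counter in (now_counter, now_counter - 1):  # accept current or previous tick
        if counter < 0 or (counter & 0x1F) != cookie >> 27:
            continue
        want = mac24(secret, conn, client_isn, counter, mss_idx).to_bytes(3, "big")
        if hmac.compare_digest(want, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


class StatefulListener:
    """Classic handshake: each SYN allocates a semi-connection (SYN_RECEIVED)."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}
        self.established = set()

    def on_syn(self, conn, client_isn, now_s=0):
        if len(self.half_open) >= self.backlog:
            return None  # semi-connection table full: the SYN is dropped
        server_isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[conn] = (client_isn, server_isn)
        return server_isn

    def on_ack(self, conn, ack_seq, ack_num, now_s=0):
        pending = self.half_open.get(conn)
        if pending != ((ack_seq - 1) & MASK32, (ack_num - 1) & MASK32):
            return False
        del self.half_open[conn]
        self.established.add(conn)
        return True


class SynCookieListener:
    """SYN cookie handshake: no state is stored until a valid ACK arrives."""

    def __init__(self, secret):
        self.secret = secret
        self.half_open = {}  # never populated; kept only for comparison
        self.established = set()

    def on_syn(self, conn, client_isn, now_s=0, client_mss=1460):
        return make_cookie(self.secret, conn, client_isn, client_mss, now_s)

    def on_ack(self, conn, ack_seq, ack_num, now_s=0):
        if check_cookie(self.secret, conn, ack_seq, ack_num, now_s) is None:
            return False
        self.established.add(conn)
        return True


def run_demo(unanswered_syns=1000, backlog=128, now_s=1000):
    """Constructed scenario: SYNs that are never ACKed, then one real client."""
    listeners = {"stateful": StatefulListener(backlog), "syn_cookie": SynCookieListener(os.urandom(32))}
    legit = ("203.0.113.7", 50000, "192.0.2.10", 443)  # documentation addresses
    results = {}
    for name, srv in listeners.items():
        for i in range(unanswered_syns):
            srv.on_syn((f"198.51.100.{i % 254 + 1}", 1024 + i, "192.0.2.10", 443), i, now_s)
        isn = srv.on_syn(legit, 4242, now_s)
        done = isn is not None and srv.on_ack(legit, 4243, (isn + 1) & MASK32, now_s)
        results[name] = {"half_open": len(srv.half_open), "legit_established": done}
    return results


if __name__ == "__main__":
    print(run_demo())
```
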

tcp timer fin-timeout

Use tcp timer fin-timeout to set the TCP FIN wait timer.

Use undo tcp timer fin-timeout to restore the default.

Syntax

tcp timer fin-timeout time-value

undo tcp timer fin-timeout

Default

The TCP FIN wait timer is 675 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the TCP FIN wait timer in the range of 76 to 3600 seconds.

Usage guidelines

TCP starts the FIN wait timer when the state of a TCP connection changes to FIN_WAIT_2. If no FIN packet is received within the timer interval, the TCP connection is terminated.

If a FIN packet is received, TCP changes the connection state to TIME_WAIT. If a non-FIN packet is received, TCP restarts the timer and tears down the connection when the timer expires.

Examples

# Set the TCP FIN wait timer to 800 seconds.

<Sysname> system-view

[Sysname] tcp timer fin-timeout 800

tcp timer syn-timeout

Use tcp timer syn-timeout to set the TCP SYN wait timer.

Use undo tcp timer syn-timeout to restore the default.

Syntax

tcp timer syn-timeout time-value

undo tcp timer syn-timeout

Default

The TCP SYN wait timer is 75 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the TCP SYN wait timer in the range of 2 to 600 seconds.

Usage guidelines

TCP starts the SYN wait timer after sending a SYN packet. If no response is received within the SYN wait timer interval or the upper limit on TCP connection attempts is reached, TCP fails to establish the connection.

Examples

# Set the TCP SYN wait timer to 80 seconds.

<Sysname> system-view

[Sysname] tcp timer syn-timeout 80

tcp window

Use tcp window to set the size of the TCP receive/send buffer.

Use undo tcp window to restore the default.

Syntax

tcp window window-size

undo tcp window

Default

The size of the TCP receive/send buffer is 63 KB.

Views

System view

Predefined user roles

network-admin

Parameters

window-size: Specifies the size of the TCP receive/send buffer, in the range of 1 to 64 KB.

Examples

# Set the size of the TCP receive/send buffer to 3 KB.

<Sysname> system-view

[Sysname] tcp window 3


UDP helper commands

The following matrix shows the feature and hardware compatibility:

 

Hardware                                                                    UDP helper compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/MSR810-W-LM-HK   Yes
MSR810-LMS/810-LUS                                                          No
MSR2600-6-X1/2600-10-X1                                                     Yes
MSR 2630                                                                    Yes
MSR3600-28/3600-51                                                          Yes
MSR3600-28-SI/3600-51-SI                                                    No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                              Yes
MSR 3610/3620/3620-DP/3640/3660                                             Yes
MSR 5620/5660/5680                                                          Yes

Hardware           UDP helper compatibility
MSR810-LM-GL       Yes
MSR810-W-LM-GL     Yes
MSR830-6EI-GL      Yes
MSR830-10EI-GL     Yes
MSR830-6HI-GL      Yes
MSR830-10HI-GL     Yes
MSR2600-6-X1-GL    Yes
MSR3600-28-SI-GL   Yes

 

display udp-helper interface

Use display udp-helper interface to display information about broadcast to unicast conversion by UDP helper on an interface.

Syntax

display udp-helper interface interface-type interface-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

This command displays information about destination servers and the total number of unicast packets converted from UDP broadcast packets by UDP helper.

Examples

# Display information about broadcast to unicast conversion by UDP helper on GigabitEthernet 1/0/1.

<Sysname> display udp-helper interface gigabitethernet 1/0/1

Interface                Server VPN instance            Server address   Packets sent

GigabitEthernet1/0/1     abc                            192.1.1.2        0

GigabitEthernet1/0/1     N/A                            192.1.1.2        0

Table 64 Command output

Field                 Description
Interface             Interface name.
Server VPN instance   VPN instance to which the destination server belongs.
Server address        Destination server to which UDP packets are forwarded.
Packets sent          Number of unicast packets that are converted from broadcast packets by UDP helper.

 

Related commands

reset udp-helper statistics

udp-helper server

reset udp-helper statistics

Use reset udp-helper statistics to clear packet statistics for UDP helper.

Syntax

reset udp-helper statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear the packet statistics for UDP helper.

<Sysname> reset udp-helper statistics

Related commands

display udp-helper interface

udp-helper broadcast-map

Use udp-helper broadcast-map to specify a multicast address for UDP helper to convert broadcast to multicast.

Use undo udp-helper broadcast-map to restore the default.

Syntax

udp-helper broadcast-map multicast-address [ acl acl-number ]

undo udp-helper broadcast-map multicast-address

Default

No multicast address is specified for UDP helper to convert broadcast to multicast.

Views

Interface view

Predefined user roles

network-admin

Parameters

multicast-address: Specifies the destination multicast address to which the destination broadcast address is converted.

acl acl-number: Specifies an ACL by its number. The ACL filters incoming broadcast packets for UDP helper. Packets permitted by the ACL can be converted. If no ACL is specified, all incoming broadcast packets are checked for UDP helper.

·     For a basic ACL, the value range is 2000 to 2999.

·     For an advanced ACL, the value range is 3000 to 3999.

Usage guidelines

Use this command on the interface that receives broadcast packets.

You can configure a maximum of 20 unicast and multicast addresses for UDP helper to convert broadcast packets.

Examples

# Configure UDP helper to convert received broadcast packets on GigabitEthernet 1/0/1 to multicast packets destined for 225.0.0.1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] udp-helper broadcast-map 225.0.0.1

udp-helper enable

Use udp-helper enable to enable UDP helper.

Use undo udp-helper enable to disable UDP helper.

Syntax

udp-helper enable

undo udp-helper enable

Default

UDP helper is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

For UDP helper to take effect, make sure the following conditions are met:

·     UDP helper is enabled.

·     A UDP port number is specified by using the udp-helper port command.

·     Packet conversion for UDP helper is configured by using the udp-helper server, udp-helper broadcast-map, or udp-helper multicast-map command.

Examples

# Enable UDP helper.

<Sysname> system-view

[Sysname] udp-helper enable

Related commands

udp-helper port

udp-helper server

udp-helper multicast-map

udp-helper broadcast-map

udp-helper multicast-map

Use udp-helper multicast-map to map a multicast address to a directed broadcast or a unicast address for UDP helper.

Use undo udp-helper multicast-map to restore the default.

Syntax

udp-helper multicast-map multicast-address ip-address [ global | vpn-instance vpn-instance-name ] [ acl acl-number ]

undo udp-helper multicast-map multicast-address ip-address [ global | vpn-instance vpn-instance-name ]

Default

No address mapping is specified for UDP helper to convert multicast to broadcast or unicast.

Views

Interface view

Predefined user roles

network-admin

Parameters

multicast-address: Specifies the destination address of the multicast packets.

ip-address: Specifies a unicast address or a directed broadcast address to which a destination multicast address is converted.

global: Forwards converted packets on the public network.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the destination unicast or broadcast address belongs. The VPN instance name is a case-sensitive string of 1 to 31 characters.

acl acl-number: Specifies an ACL by its number. The ACL filters incoming multicast packets. Packets permitted by the ACL can be converted. If no ACL is specified, all incoming multicast packets are checked for UDP helper.

·     For a basic ACL, the value range is 2000 to 2999.

·     For an advanced ACL, the value range is 3000 to 3999.

Usage guidelines

Use this command on the interface that receives multicast packets.

If the global keyword and a VPN instance are not specified, UDP helper forwards converted packets in the VPN bound to the interface that receives multicast packets. If the interface is not bound to any VPNs, UDP helper forwards the converted packets on the public network.

You can map one multicast address to a maximum of 16 broadcast and unicast addresses. The packets destined for the multicast address are forwarded to all mapping addresses.

Examples

# Configure UDP helper to convert the multicast packets destined for 225.0.0.1 to broadcast packets destined for 192.168.1.255.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] udp-helper multicast-map 225.0.0.1 192.168.1.255

# Configure UDP helper to convert the multicast packets destined for 225.0.0.1 to unicast packets destined for 192.168.1.3 in VPN instance a.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] udp-helper multicast-map 225.0.0.1 192.168.1.3 vpn-instance a

udp-helper port

Use udp-helper port to specify a UDP port number for UDP helper.

Use undo udp-helper port to remove UDP port numbers.

Syntax

udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs | tftp | time }

undo udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs | tftp | time }

Default

No UDP port numbers are specified for UDP helper.

Views

System view

Predefined user roles

network-admin

Parameters

port-number: Specifies a UDP port number in the range of 1 to 65535 (except 67 and 68).

dns: Specifies the UDP port 53 used by DNS packets.

netbios-ds: Specifies the UDP port 138 used by NetBIOS distribution service packets.

netbios-ns: Specifies the UDP port 137 used by NetBIOS name service packets.

tacacs: Specifies the UDP port 49 used by TACACS packets.

tftp: Specifies the UDP port 69 used by TFTP packets.

time: Specifies the UDP port 37 used by time protocol packets.

Usage guidelines

To specify a UDP port, you can specify the port number or the protocol keyword. For example, udp-helper port 53 and udp-helper port dns specify the same UDP port.

You can specify a maximum of 256 UDP ports on a device.

Examples

# Specify the UDP port 100 for UDP helper.

<Sysname> system-view

[Sysname] udp-helper port 100

udp-helper server

Use udp-helper server to specify a destination server for UDP helper to convert broadcast to unicast.

Use undo udp-helper server to remove a destination server.

Syntax

udp-helper server ip-address [ global | vpn-instance vpn-instance-name ]

undo udp-helper server [ ip-address [ global | vpn-instance vpn-instance-name ] ]

Default

No destination server is specified for UDP helper to convert broadcast to unicast.

Views

Interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of a destination server, in dotted decimal notation.

global: Forwards converted unicast packets to the server on the public network.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the server belongs. The VPN instance name is a case-sensitive string of 1 to 31 characters.

Usage guidelines

Specify destination servers on an interface that receives UDP broadcast packets.

You can specify a maximum of 20 unicast and multicast addresses for UDP helper to convert broadcast packets on an interface.

If you do not specify the ip-address argument, the undo udp-helper server command removes all destination servers on the interface.

If you specify only the IP address, UDP helper forwards converted unicast packets in the VPN bound to the interface that receives broadcast packets. If the interface is not bound to any VPNs, UDP helper forwards the unicast packets on the public network.

Examples

# Specify the destination server 192.1.1.2 for UDP helper to convert broadcast to unicast on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] udp-helper server 192.1.1.2

# Specify the destination server 192.1.1.2 in VPN instance a for UDP helper to convert broadcast to unicast on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] udp-helper server 192.1.1.2 vpn-instance a

Related commands

display udp-helper interface


IPv6 basics commands

IPv6-related features are not supported on the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR3600-28-SI/3600-51-SI.

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

·     MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

display ipv6 fib

Use display ipv6 fib to display IPv6 FIB entries.

Syntax

display ipv6 fib [ vpn-instance vpn-instance-name ] [ ipv6-address [ prefix-length ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.

ipv6-address: Specifies an IPv6 address.

prefix-length: Specifies a prefix length for the IPv6 address, in the range of 0 to 128.

Usage guidelines

An IPv6 FIB entry includes the destination address, prefix length, next hop address, and output interface information.

If you do not specify a VPN, this command displays IPv6 FIB entries for the public network.

If you do not specify the prefix length, this command displays the IPv6 FIB entry that is the longest match for the IPv6 address. If you specify the prefix length, this command displays the IPv6 FIB entry that exactly matches the IPv6 address and prefix length.

If you do not specify any parameters, this command displays all IPv6 FIB entries for the public network.

Examples

# Display all IPv6 FIB entries for the public network.

<Sysname> display ipv6 fib

 

Destination count: 1 FIB entry count: 1

 

Flag:

  U:Useable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static

  R:Relay     F:FRR

 

Destination: ::1                                            Prefix length: 128

Nexthop     : ::1                                            Flags: UH

Time stamp : 0x1                                            Label: Null

Interface  : InLoop0                                        Token: Invalid

Table 65 Command output

Field

Description

Destination count

Total number of destination addresses.

FIB entry count

Total number of IPv6 FIB entries.

Destination

Destination address.

Prefix length

Prefix length of the destination address.

Nexthop

Next hop address.

Flags

Route flag:

·     U—Usable route.

·     G—Gateway route.

·     H—Host route.

·     B—Black hole route.

·     D—Dynamic route.

·     S—Static route.

·     R—Recursive route.

·     F—Fast re-route.

Time stamp

Time when the IPv6 FIB entry was generated.

Label

Inner MPLS label.

Interface

Outgoing interface.

Token

Label switched path index number.

 

display ipv6 icmp statistics

Use display ipv6 icmp statistics to display ICMPv6 packet statistics.

Syntax

Centralized devices in standalone mode:

display ipv6 icmp statistics

Distributed devices in standalone mode/centralized devices in IRF mode:

display ipv6 icmp statistics [ slot slot-number ]

Distributed devices in IRF mode:

display ipv6 icmp statistics [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ICMPv6 packet statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ICMPv6 packet statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays ICMPv6 packet statistics for all cards. (Distributed devices in IRF mode.)

Usage guidelines

This command displays statistics about received and sent ICMPv6 packets.

Examples

# Display ICMPv6 packet statistics.

<Sysname> display ipv6 icmp statistics

  Input: bad code                0           too short                 0

         checksum error          0           bad length                0

         path MTU changed        0           destination unreachable   0

         too big                 0           parameter problem         0

         echo request            0           echo reply                0

         neighbor solicit        0           neighbor advertisement    0

         router solicit          0           router advertisement      0

         redirect                0           router renumbering        0

 output: parameter problem       0           echo request              0

         echo reply              0           unreachable no route      0

         unreachable admin       0           unreachable beyond scope  0

         unreachable address     0           unreachable no port       0

         too big                 0           time exceed transit       0

         time exceed reassembly  0           redirect                  0

         ratelimited             0           other errors              0

display ipv6 interface

Use display ipv6 interface to display IPv6 interface information.

Syntax

display ipv6 interface [ interface-type [ interface-number ] ] [ brief ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type: Specifies an interface by its type.

interface-number: Specifies an interface by its number.

brief: Displays brief information.

Usage guidelines

If you specify the brief keyword, this command displays brief IPv6 interface information, including physical status, link-layer protocols, and IPv6 address.

If you do not specify the brief keyword, this command displays detailed IPv6 interface information, including IPv6 configuration and operating information, and IPv6 packet statistics.

If you do not specify an interface, this command displays IPv6 information about all interfaces except VA interfaces.

If you specify only the interface-type argument, this command displays IPv6 information about the interfaces of the specified type.

If you specify both the interface-type and the interface-number arguments, this command displays IPv6 information about the specified interface.

Examples

# Display IPv6 information about the interface GigabitEthernet 1/0/1.

<Sysname> display ipv6 interface gigabitethernet 1/0/1

GigabitEthernet1/0/1 current state: UP

Line protocol current state: UP

IPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00 [TENTATIVE]

  Global unicast address(es):

    10::1234:56FF:FE65:4322, subnet is 10::/64 [TENTATIVE] [AUTOCFG]

      [valid lifetime 4641s/preferred lifetime 4637s]

    20::1234:56ff:fe65:4322, subnet is 20::/64 [TENTATIVE] [EUI-64]

    30::1, subnet is 30::/64 [TENTATIVE] [ANYCAST]

    40::2, subnet is 40::/64 [TENTATIVE] [DHCP]

    50::3, subnet is 50::/64 [TENTATIVE]

  Joined group address(es):

    FF02::1

    FF02::2

    FF02::1:FF00:1

    FF02::1:FF04:5D00

  MTU is 1500 bytes

  ND DAD is enabled, number of DAD attempts: 1

  ND reachable time is 30000 milliseconds

  ND retransmit interval is 1000 milliseconds

  Hosts use stateless autoconfig for addresses

IPv6 Packet statistics:

  InReceives:                     0

  InTooShorts:                    0

  InTruncatedPkts:               0

  InHopLimitExceeds:             0

  InBadHeaders:                   0

  InBadOptions:                   0

  ReasmReqds:                     0

  ReasmOKs:                       0

  InFragDrops:                    0

  InFragTimeouts:                0

  OutFragFails:                   0

  InUnknownProtos:               0

  InDelivers:                     0

  OutRequests:                    0

  OutForwDatagrams:              0

  InNoRoutes:                     0

  InTooBigErrors:                0

  OutFragOKs:                     0

  OutFragCreates:                0

  InMcastPkts:                   0

  InMcastNotMembers:            0

  OutMcastPkts:                  0

  InAddrErrors:                  0

  InDiscards:                    0

  OutDiscards:                   0

Table 66 Command output

Field

Description

GigabitEthernet1/0/1 current state

Physical state of the interface:

·     Administratively DOWN—The interface has been administratively shut down by using the shutdown command.

·     DOWN—The interface is administratively up but its physical state is down, possibly because of a connection or link failure.

·     UP—The administrative and physical states of the interface are both up.

Line protocol current state

Link layer state of the interface:

·     DOWN—The link layer protocol state of the interface is down.

·     UP—The link layer protocol state of the interface is up.

IPv6 is enabled

IPv6 is enabled on the interface. This feature is automatically enabled after an IPv6 address is configured for an interface.

link-local address

Link-local address of the interface.

Global unicast address(es)

Global unicast addresses of the interface.

IPv6 address states:

·     TENTATIVE—Initial state. DAD is being performed or is to be performed on the address.

·     DUPLICATE—The address is not unique on the link.

·     PREFERRED—The address is preferred and can be used as the source or destination address of a packet. If an address is in this state, the command does not display the address state.

·     DEPRECATED—The address is beyond the preferred lifetime but in the valid lifetime. It is valid, but it cannot be used as the source address for a new connection. Packets destined for the address are processed correctly.

If a global unicast address is not manually configured, the following notations indicate how the address is obtained:

·     AUTOCFG—Stateless autoconfigured.

·     DHCP—Assigned by a DHCPv6 server.

·     EUI-64—Manually configured EUI-64 IPv6 address.

·     RANDOM—Random address automatically generated.

If the address is a manually configured anycast address, it is noted with ANYCAST.

valid lifetime

Specifies how long autoconfigured global unicast addresses using a prefix are valid.

preferred lifetime

Specifies how long autoconfigured global unicast addresses using a prefix are preferred.

Joined group address(es)

Addresses of the multicast groups that the interface has joined.

MTU

MTU of the interface.

ND DAD is enabled, number of DAD attempts

DAD is enabled.

·     If DAD is enabled, this field displays the number of attempts to send an NS message for DAD (set by using the ipv6 nd dad attempts command).

·     If DAD is disabled, this field displays ND DAD is disabled. To disable DAD, set the number of attempts to 0.

ND reachable time

Time during which a neighboring device is reachable.

ND retransmit interval

Interval for retransmitting an NS message.

Hosts use stateless autoconfig for addresses

Hosts obtained IPv6 addresses through stateless autoconfiguration.

InReceives

Received IPv6 packets, including error messages.

InTooShorts

Received IPv6 packets that are too short. For example, the received IPv6 packet is less than 40 bytes.

InTruncatedPkts

Received IPv6 packets with a length less than the payload length field specified in the packet header.

InHopLimitExceeds

Received IPv6 packets with a hop count exceeding the hop limit field specified in the packet header.

InBadHeaders

Received IPv6 packets with incorrect basic headers.

InBadOptions

Received IPv6 packets with incorrect extension headers.

ReasmReqds

Received IPv6 fragments.

ReasmOKs

Number of reassembled IPv6 packets.

InFragDrops

Received IPv6 fragments that are discarded because of certain errors.

InFragTimeouts

Received IPv6 fragments that are discarded because the amount of time they stay in the system buffer exceeds the specified interval.

OutFragFails

IPv6 packets that fail to be fragmented on the output interface.

InUnknownProtos

Received IPv6 packets with unknown or unsupported protocol type.

InDelivers

Received IPv6 packets that are delivered to user protocols (such as ICMPv6, TCP, and UDP).

OutRequests

Local IPv6 packets sent by IPv6 user protocols.

OutForwDatagrams

IPv6 packets forwarded by the interface.

InNoRoutes

Received IPv6 packets that are discarded because no matching route can be found.

InTooBigErrors

Received IPv6 packets that fail to be forwarded because they exceeded the Path MTU.

OutFragOKs

Fragmented IPv6 packets on the output interface.

OutFragCreates

Number of IPv6 fragments on the output interface.

InMcastPkts

Received IPv6 multicast packets.

InMcastNotMembers

Received IPv6 multicast packets that are discarded because the interface is not in the multicast group.

OutMcastPkts

IPv6 multicast packets sent by the interface.

InAddrErrors

Received IPv6 packets that are discarded due to invalid destination addresses.

InDiscards

Received IPv6 packets that are discarded due to resource problems rather than packet errors.

OutDiscards

IPv6 packets that fail to be sent due to resource problems rather than packet errors.
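The address states and origin notations in Table 66 can be checked mechanically when auditing a device. The following parser is an added example, not H3C code: it reads the address lines of detailed display ipv6 interface output and reports addresses that are DUPLICATE or DEPRECATED. The sample text is constructed in the format of the example above, and the function names and the MANUAL label for untagged addresses are assumptions of this example.

```python
import ipaddress
import re

# Bracketed notations described in Table 66.
STATES = {"TENTATIVE", "DUPLICATE", "DEPRECATED"}   # no state tag means PREFERRED
ORIGINS = {"AUTOCFG", "DHCP", "EUI-64", "RANDOM", "ANYCAST"}  # no tag: manual

# Constructed sample in the format of the display ipv6 interface example.
SAMPLE = """\
GigabitEthernet1/0/1 current state: UP
Line protocol current state: UP
IPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00
  Global unicast address(es):
    10::1234:56FF:FE65:4322, subnet is 10::/64 [AUTOCFG]
      [valid lifetime 4641s/preferred lifetime 4637s]
    20::1234:56ff:fe65:4322, subnet is 20::/64 [DUPLICATE] [EUI-64]
    30::1, subnet is 30::/64 [TENTATIVE] [ANYCAST]
    40::2, subnet is 40::/64 [DEPRECATED] [DHCP]
    50::3, subnet is 50::/64
  Joined group address(es):
    FF02::1
"""

LINK_LOCAL = re.compile(r"link-local address is (\S+)(.*)$")
GLOBAL = re.compile(r"^\s+(\S+), subnet is (\S+)(.*)$")
LIFETIME = re.compile(r"\[valid lifetime (\d+)s/preferred lifetime (\d+)s\]")
TAG = re.compile(r"\[([A-Z0-9-]+)\]")


def _entry(scope, addr, subnet, rest):
    """Build one address record from an address line and its trailing tags."""
    tags = TAG.findall(rest)
    ip = ipaddress.IPv6Address(addr)
    in_subnet = None
    if subnet is not None:
        in_subnet = ip in ipaddress.IPv6Network(subnet, strict=False)
    return {
        "scope": scope,
        "address": str(ip),          # normalized, lowercase, compressed
        "subnet": subnet,
        "in_subnet": in_subnet,
        "state": next((t for t in tags if t in STATES), "PREFERRED"),
        "origin": next((t for t in tags if t in ORIGINS), "MANUAL"),
        "valid": None,
        "preferred": None,
    }


def parse_addresses(text):
    """Return the link-local and global unicast addresses with state and origin."""
    entries = []
    for line in text.splitlines():
        m = LINK_LOCAL.search(line)
        if m:
            entries.append(_entry("link-local", m.group(1), None, m.group(2)))
            continue
        m = GLOBAL.match(line)
        if m:
            entries.append(_entry("global", m.group(1), m.group(2), m.group(3)))
            continue
        m = LIFETIME.search(line)
        if m and entries:
            # The lifetime line belongs to the address printed just before it.
            entries[-1]["valid"] = int(m.group(1))
            entries[-1]["preferred"] = int(m.group(2))
    return entries


def findings(entries):
    """Addresses an operator should look at, with the reason from Table 66."""
    out = []
    for e in entries:
        if e["state"] == "DUPLICATE":
            out.append((e["address"], "not unique on the link"))
        elif e["state"] == "DEPRECATED":
            out.append((e["address"], "past preferred lifetime"))
        elif e["in_subnet"] is False:
            out.append((e["address"], "address outside displayed subnet"))
    return out


if __name__ == "__main__":
    for address, reason in findings(parse_addresses(SAMPLE)):
        print(f"{address}: {reason}")
```

TENTATIVE is not reported because it is the initial state while DAD runs; an address that stays TENTATIVE across repeated collections is worth a separate check.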

 

# Display brief IPv6 information about all interfaces.

<Sysname> display ipv6 interface brief

*down: administratively down

(s): spoofing

Interface                                 Physical Protocol IPv6 Address

GigabitEthernet1/0/1                    up        up         2001::1

GigabitEthernet1/0/2                    up        up         Unassigned

Table 67 Command output

Field

Description

*down: administratively down

The interface has been administratively shut down by using the shutdown command.

(s): spoofing

Spoofing attribute of the interface. The link protocol state of the interface is up, but the link is temporarily established on demand or does not exist.

Interface

Name of the interface.

Physical

Physical state of the interface:

·     *down—The interface has been administratively shut down by using the shutdown command.

·     down—The interface is administratively up but its physical state is down, possibly because of a connection or link failure.

·     up—The administrative and physical states of the interface are both up.

Protocol

Link layer protocol state of the interface:

·     down—The network layer protocol state of the interface is down.

·     up—The network layer protocol state of the interface is up.

IPv6 Address

IPv6 address of the interface.

·     If multiple global unicast addresses are configured, this field displays the lowest address.

·     If no global unicast address is configured, this field displays the link-local address.

·     If no address is configured, this field displays Unassigned.

 

display ipv6 interface prefix

Use display ipv6 interface prefix to display IPv6 prefix information for an interface.

Syntax

display ipv6 interface interface-type interface-number prefix

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Examples

# Display IPv6 prefix information for GigabitEthernet 1/0/1.

<Sysname> display ipv6 interface gigabitEthernet 1/0/1 prefix

Prefix: 1001::/65                                          Origin: ADDRESS

Age:    -                                                     Flag:   AL

Lifetime(Valid/Preferred): 2592000/604800

 

Prefix: 2001::/64                                          Origin: STATIC

Age:    -                                                     Flag:   L

Lifetime(Valid/Preferred): 3000/2000

 

Prefix: 3001::/64                                          Origin: RA

Age:    600                                                   Flag:   A

Lifetime(Valid/Preferred): -

Table 68 Command output

Field

Description

Prefix

IPv6 address prefix.

Origin

How the prefix is generated:

·     STATIC—Manually configured by using the ipv6 nd ra prefix command.

·     RA—Advertised in RA messages after stateless autoconfiguration is enabled.

·     ADDRESS—Generated by a manually configured address.

Age

Aging time in seconds. If the prefix does not age out, this field displays a hyphen (-).

Flag

Flags advertised in RA messages. If no flags are available, this field displays a hyphen (-).

·     L—The address with the prefix is directly reachable on the link.

·     A—The prefix is used for stateless autoconfiguration.

Lifetime

Lifetime in seconds advertised in RA messages. If the prefix does not need to be advertised, this field displays a hyphen (-).

·     Valid—Valid lifetime of the prefix.

·     Preferred—Preferred lifetime of the prefix.

 

Related commands

ipv6 nd ra prefix

display ipv6 nd suppression xconnect-group

Use display ipv6 nd suppression xconnect-group to display ND suppression entries.

Syntax

Centralized devices in standalone mode:

display ipv6 nd suppression xconnect-group [ name group-name ] [ count ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display ipv6 nd suppression xconnect-group [ name group-name ] [ slot slot-number ] [ count ]

Distributed devices in IRF mode:

display ipv6 nd suppression xconnect-group [ name group-name ] [ chassis chassis-number slot slot-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name group-name: Specifies a cross-connect group by its name, a case-sensitive string of 1 to 31 characters excluding hyphens.

count: Displays the total number of ND suppression entries.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ND suppression entries for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ND suppression entries for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays ND suppression entries for all cards. (Distributed devices in IRF mode.)

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

| Hardware | Command compatibility |
|---|---|
| MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes |
| MSR810-LMS/810-LUS | No |
| MSR2600-6-X1/2600-10-X1 | Yes |
| MSR 2630 | No |
| MSR3600-28/3600-51 | No |
| MSR3600-28-SI/3600-51-SI | No |
| MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes |
| MSR 3610/3620/3620-DP/3640/3660 | No |
| MSR5620/5660/5680 | Yes |

| Hardware | Command compatibility |
|---|---|
| MSR810-LM-GL | Yes |
| MSR810-W-LM-GL | Yes |
| MSR830-6EI-GL | Yes |
| MSR830-10EI-GL | Yes |
| MSR830-6HI-GL | Yes |
| MSR830-10HI-GL | Yes |
| MSR2600-6-X1-GL | Yes |
| MSR3600-28-SI-GL | No |

 

Examples

# Display ND suppression entries for all cross-connect groups.

<Sysname> display ipv6 nd suppression xconnect-group

IPv6 address           MAC address      Xconnect-group   Connection       Aging  

2001::1                 000c-29fe-5a8f  vpna                svc               25     

2001::2                 000c-29fe-5aa3  vpna                svc               2       

# Display the total number of ND suppression entries.

<Sysname> display ipv6 nd suppression xconnect-group count

Total entries: 2

Table 69 Command output

| Field | Description |
|---|---|
| IPv6 address | IPv6 address in the ND suppression entry. |
| MAC address | MAC address in the ND suppression entry. |
| Xconnect-group | Name of the cross-connect group to which the ND suppression entry belongs. |
| Connection | Name of the cross-connect to which the ND suppression entry belongs. |
| Aging | Remaining aging time of the ND suppression entry, in minutes. |

 

display ipv6 neighbors

Use display ipv6 neighbors to display IPv6 neighbor information.

Syntax

Centralized devices in standalone mode:

display ipv6 neighbors { ipv6-address | all | dynamic | interface interface-type interface-number | static | vlan vlan-id } [ verbose ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display ipv6 neighbors { { ipv6-address | all | dynamic | static } [ slot slot-number ] | interface interface-type interface-number | vlan vlan-id } [ verbose ]

Distributed devices in IRF mode:

display ipv6 neighbors { { ipv6-address | all | dynamic | static } [ chassis chassis-number slot slot-number ] | interface interface-type interface-number | vlan vlan-id } [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv6-address: Specifies the IPv6 address of a neighbor whose information is displayed.

all: Displays information about all neighbors, including neighbors acquired dynamically and configured statically on the public network and all private networks.

dynamic: Displays information about all neighbors acquired dynamically.

static: Displays information about all neighbors configured statically.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv6 neighbor information for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv6 neighbor information for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv6 neighbor information for all cards. (Distributed devices in IRF mode.)

interface interface-type interface-number: Specifies an interface by its type and number.

vlan vlan-id: Displays information about neighbors in the specified VLAN. The value range for VLAN ID is 1 to 4094.

verbose: Displays detailed neighbor information.

Usage guidelines

You can use the reset ipv6 neighbors command to clear IPv6 neighbor information.

Examples

# Display all neighbor information.

<Sysname> display ipv6 neighbors all

Type: S-Static    D-Dynamic    O-Openflow    R-Rule    I-Invalid

IPv6 Address                   Link Layer     VID  Interface      State T  Age

FE80::200:5EFF:FE32:B800    0000-5e32-b800 N/A  GE1/0/1        REACH  D   10

# Display detailed information about all neighbors.

<Sysname> display ipv6 neighbors all verbose

Type: S-Static    D-Dynamic    O-Openflow    R-Rule    I-Invalid

IPv6 Address: FE80::200:5EFF:FE32:B800

Link layer  : 0000-5e32-b800      VID : N/A  Interface: GE1/0/1

State        : REACH                 Type: IS   Age      : -

Vpn-instance: vpn1

Nickname     : 0x0001

Table 70 Command output

Field

Description

IPv6 Address

IPv6 address of a neighbor.

Link Layer

Link layer address (MAC address) of a neighbor.

VID

VLAN to which the interface connected to a neighbor belongs.

Interface

Interface connected to a neighbor.

State

State of a neighbor:

·     INCMP—The address is being resolved. The link layer address of the neighbor is unknown.

·     REACH—The neighbor is reachable.

·     STALE—Whether the neighbor is reachable is unknown. The device does not verify the reachability any longer unless data is sent to the neighbor.

·     DELAY—Whether the neighbor is reachable is unknown. The device sends an NS message after a delay.

·     PROBE—Whether the neighbor is reachable is unknown. The device sends an NS message to verify the reachability of the neighbor.

Type

Neighbor information type:

·     S—Statically configured.

·     D—Dynamically obtained.

·     O—Learned from the OpenFlow module.

·     R—Learned from the IPoE or Portal module.

·     I—Invalid.

Age

A hyphen (-) indicates a static entry.

For a dynamic entry, this field displays the elapsed time in seconds. If the neighbor is never reachable, this field displays a pound sign (#).

Vpn-instance

Name of a VPN. If no VPN is configured, this field displays [No Vrf].

Nickname

This field is not supported in the current software version.

Nickname of a neighboring entry. The name is a 4-bit hexadecimal number.

 

Related commands

ipv6 neighbor

reset ipv6 neighbors
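The neighbor states, types, and Age values in Table 70 lend themselves to a routine neighbor-table audit. The following script is an added example, not H3C code: it parses the brief display ipv6 neighbors all output, counts states per interface, lists unresolved entries, and flags a link layer address that holds more dynamic IPv6 addresses on one interface than a threshold. The sample rows are constructed, the threshold of 3 and the function names are assumptions, and the N/A shown in the Link Layer column of the INCMP row is also an assumption because the page shows no unresolved entry.

```python
import ipaddress
import re
from collections import Counter, defaultdict

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.IGNORECASE)
STATES = {"INCMP", "REACH", "STALE", "DELAY", "PROBE"}   # states from Table 70

# Constructed sample in the column layout of the example above.
SAMPLE = """\
Type: S-Static    D-Dynamic    O-Openflow    R-Rule    I-Invalid
IPv6 Address                   Link Layer     VID  Interface      State T  Age
FE80::200:5EFF:FE32:B800    0000-5e32-b800 N/A  GE1/0/1        REACH  D   10
2001::10                    0000-5e32-b800 N/A  GE1/0/1        STALE  D   95
2001::21                    000c-29fe-5a8f N/A  GE1/0/2        REACH  D   3
2001::22                    000c-29fe-5a8f N/A  GE1/0/2        REACH  D   4
2001::23                    000c-29fe-5a8f N/A  GE1/0/2        STALE  D   40
2001::24                    000c-29fe-5a8f N/A  GE1/0/2        DELAY  D   41
2001::30                    N/A            N/A  GE1/0/2        INCMP  D   #
2001::1                     0000-5e32-b801 N/A  GE1/0/1        REACH  S   -
"""


def parse_neighbors(text):
    """Parse brief neighbor rows; header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[4] not in STATES:
            continue
        addr, mac, vid, iface, state, ntype, age = parts
        try:
            addr = str(ipaddress.IPv6Address(addr))
        except ValueError:
            continue
        rows.append({
            "address": addr,
            "mac": mac.lower() if MAC_RE.match(mac) else None,
            "vid": vid,
            "interface": iface,
            "state": state,
            "static": "S" in ntype,            # Type may combine letters, e.g. IS
            "age": int(age) if age.isdigit() else None,   # "-" static, "#" below
            "never_reachable": age == "#",
        })
    return rows


def audit(rows, max_addrs_per_mac=3):
    """Summarize states and flag entries that deserve a closer look."""
    states = defaultdict(Counter)
    addrs = defaultdict(set)
    for r in rows:
        states[r["interface"]][r["state"]] += 1
        if r["mac"] and not r["static"]:
            addrs[(r["interface"], r["mac"])].add(r["address"])
    busy = sorted(
        (iface, mac, len(a))
        for (iface, mac), a in addrs.items()
        if len(a) > max_addrs_per_mac
    )
    unresolved = [
        r["address"] for r in rows
        if r["state"] == "INCMP" or r["never_reachable"]
    ]
    return {
        "states": {iface: dict(c) for iface, c in states.items()},
        "busy_macs": busy,
        "unresolved": unresolved,
    }


if __name__ == "__main__":
    report = audit(parse_neighbors(SAMPLE))
    for iface, counts in report["states"].items():
        print(iface, counts)
    print("MACs over threshold:", report["busy_macs"])
    print("Unresolved:", report["unresolved"])
```

Hosts that use temporary addresses legitimately hold several addresses per link layer address, so tune max_addrs_per_mac to the segment and compare counts between collections rather than alerting on a single reading.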

display ipv6 neighbors count

Use display ipv6 neighbors count to display the number of neighbor entries.

Syntax

Centralized devices in standalone mode:

display ipv6 neighbors { all | dynamic | interface interface-type interface-number | static | vlan vlan-id } count

Distributed devices in standalone mode/centralized devices in IRF mode:

display ipv6 neighbors { { all | dynamic | static } [ slot slot-number ] | interface interface-type interface-number | vlan vlan-id } count

Distributed devices in IRF mode:

display ipv6 neighbors { { all | dynamic | static } [ chassis chassis-number slot slot-number ] | interface interface-type interface-number | vlan vlan-id } count

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays the total number of all neighbor entries, including neighbor entries created dynamically and configured statically.

dynamic: Displays the total number of neighbor entries created dynamically.

static: Displays the total number of neighbor entries configured statically.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays the number of neighbor entries for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays the number of neighbor entries for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays the number of neighbor entries for all cards. (Distributed devices in IRF mode.)

interface interface-type interface-number: Specifies an interface by its type and number.

vlan vlan-id: Displays the total number of neighbor entries in the specified VLAN. The value range for VLAN ID is 1 to 4094.

Examples

# Display the total number of neighbor entries created dynamically.

<Sysname> display ipv6 neighbors dynamic count

 Total number of dynamic entries: 2

display ipv6 neighbors vpn-instance

Use display ipv6 neighbors vpn-instance to display neighbor information about a VPN.

Syntax

display ipv6 neighbors vpn-instance vpn-instance-name [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The VPN must already exist.

count: Displays the total number of neighbor entries in the specified VPN.

Examples

# Display neighbor information about the VPN vpn1.

<Sysname> display ipv6 neighbors vpn-instance vpn1

Type: S-Static    D-Dynamic    O-Openflow     R-Rule    I-Invalid

IPv6 address                   Link Layer      VID  Interface      State T  Age

FE80::200:5EFF:FE32:B800    0000-5e32-b800  N/A  GE1/0/1        REACH IS -

Table 71 Command output

Field

Description

IPv6 address

IPv6 address of a neighbor.

Link Layer

Link layer address (MAC address) of a neighbor.

VID

VLAN to which the interface connected to a neighbor belongs.

Interface

Interface connected to a neighbor.

State

Neighbor state:

·     INCMP—The address is being resolved. The link layer address of the neighbor is unknown.

·     REACH—The neighbor is reachable.

·     STALE—Whether the neighbor is reachable is unknown. The device does not verify the reachability any longer unless data is sent to the neighbor.

·     DELAY—Whether the neighbor is reachable is unknown. The device sends an NS message after a delay.

·     PROBE—Whether the neighbor is reachable is unknown. The device sends an NS message to verify the reachability of the neighbor.

T

Neighbor information type:

·     S—Statically configured.

·     D—Dynamically obtained.

·     O—Learned from the OpenFlow module.

·     I—Invalid.

Age

A hyphen (-) indicates a static entry.

For a dynamic entry, this field displays the elapsed time in seconds. If the neighbor is never reachable, this field displays a pound sign (#).

 

display ipv6 pathmtu

Use display ipv6 pathmtu to display IPv6 Path MTU information.

Syntax

display ipv6 pathmtu [ vpn-instance vpn-instance-name ] { ipv6-address | { all | dynamic | static } [ count ] }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays IPv6 Path MTU information about the public network.

ipv6-address: Specifies the destination IPv6 address for which the Path MTU information is to be displayed.

all: Displays all Path MTU information for the public network.

dynamic: Displays all dynamic Path MTU information.

static: Displays all static Path MTU information.

count: Displays the total number of Path MTU entries.

Usage guidelines

Use display ipv6 pathmtu to display the IPv6 Path MTU information, including the dynamic Path MTUs and the static Path MTUs.

Examples

# Display all Path MTU information.

<Sysname> display ipv6 pathmtu all

IPv6 destination address                PathMTU   Age   Type

1:2::3:2                                   1800       -      Static

1:2::4:2                                   1400       10     Dynamic

1:2::5:2                                   1280       10     Dynamic

# Display the total number of Path MTU entries.

<Sysname> display ipv6 pathmtu all count

Total number of entries: 3

Table 72 Command output

Field

Description

PathMTU

Path MTU value on the network path to an IPv6 address.

Age

Time for a Path MTU to live. For a static Path MTU, this field displays a hyphen (-).

Type

Path MTU type:

·     Dynamic—Dynamically negotiated.

·     Static—Statically configured.

Total number of entries

Total number of Path MTU entries.

 

Related commands

ipv6 pathmtu

reset ipv6 pathmtu

display ipv6 prefix

Use display ipv6 prefix to display information about IPv6 prefixes, including dynamic and static prefixes.

Syntax

display ipv6 prefix [ prefix-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

prefix-number: Specifies the ID of an IPv6 prefix, in the range of 1 to 1024. If this argument is not specified, the command displays information about all IPv6 prefixes.

Usage guidelines

A static IPv6 prefix is configured by using the ipv6 prefix command.

A dynamic IPv6 prefix is obtained from the DHCPv6 server, and its prefix ID is configured by using the ipv6 dhcp client pd command.

Examples

# Display information about all IPv6 prefixes.

<Sysname> display ipv6 prefix

Number  Prefix                                     Type

1        1::/16                                     Static

2        11:77::/32                                Dynamic

# Display information about the IPv6 prefix with prefix ID 1.

<Sysname> display ipv6 prefix 1

Number: 1

Type  : Dynamic

Prefix: ABCD:77D8::/32

Preferred lifetime 90 sec, valid lifetime 120 sec

Table 73 Command output

| Field | Description |
|---|---|
| Number | Prefix ID. |
| Type | Prefix type: Static—Static IPv6 prefix. Dynamic—Dynamic IPv6 prefix. |
| Prefix | Prefix and its length. If no prefix is obtained, this field displays Not-available. |
| Preferred lifetime 90 sec | Preferred lifetime in seconds. For a static IPv6 prefix, this field is not displayed. |
| valid lifetime 120 sec | Valid lifetime in seconds. For a static IPv6 prefix, this field is not displayed. |

Related commands

ipv6 dhcp client pd

ipv6 prefix

display ipv6 rawip

Use display ipv6 rawip to display brief information about IPv6 RawIP connections.

Syntax

Centralized devices in standalone mode:

display ipv6 rawip

Distributed devices in standalone mode/centralized devices in IRF mode:

display ipv6 rawip [ slot slot-number ]

Distributed devices in IRF mode:

display ipv6 rawip [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays brief information about IPv6 RawIP connections for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays brief information about IPv6 RawIP connections for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays brief information about IPv6 RawIP connections for all cards. (Distributed devices in IRF mode.)

Usage guidelines

Brief information about IPv6 RawIP connections includes the local and peer IPv6 addresses, protocol number, and PCB.

Examples

# (Centralized devices in standalone mode.) Display brief information about IPv6 RawIP connections.

<Sysname> display ipv6 rawip

Local Addr            Foreign Addr        Protocol Slot    PCB

2001:2002:2003:2     3001:3002:3003:3   58         0       0x0000000000000009

2002::100             2002::138            58         0       0x0000000000000008

::                     ::                     58         0       0x0000000000000002

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display brief information about IPv6 RawIP connections.

<Sysname> display ipv6 rawip

Local Addr            Foreign Addr        Protocol Slot  PCB

2001:2002:2003:2     3001:3002:3003:3   58        1      0x0000000000000009

004:2005:2006:20     004:3005:3006:30

07:2008                07:3008

2002::100             2002::138            58        2      0x0000000000000008

::                     ::                     58        5      0x0000000000000002

# (Distributed devices in IRF mode.) Display brief information about IPv6 RawIP connections.

<Sysname> display ipv6 rawip

Local Addr            Foreign Addr        Protocol Chassis Slot  PCB

2001:2002:2003:2      3001:3002:3003:3    58       1       1      0x0000000000000009

004:2005:2006:20      004:3005:3006:30

07:2008                 07:3008

2002::100              2002::138             58       1       2      0x0000000000000008

::                      ::                      58       1       5      0x0000000000000002

Table 74 Command output

| Field | Description |
|---|---|
| Local Addr | Local IPv6 address. |
| Foreign Addr | Peer IPv6 address. |
| Protocol | Protocol number. |
| Chassis | ID of the IRF member device. (Distributed devices in IRF mode.) |
| Slot | Number of the slot that holds the card. (Centralized devices in standalone mode/distributed devices in standalone or IRF mode.) |
| Slot | ID of the IRF member device. (Centralized devices in IRF mode.) |
| PCB | PCB index. |

display ipv6 rawip verbose

Use display ipv6 rawip verbose to display detailed information about IPv6 RawIP connections.

Syntax

Centralized devices in standalone mode:

display ipv6 rawip verbose [ pcb pcb-index ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display ipv6 rawip verbose [ slot slot-number [ pcb pcb-index ] ]

Distributed devices in IRF mode:

display ipv6 rawip verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pcb pcb-index: Displays detailed information about IPv6 RawIP connections of the specified PCB. The value range for the pcb-index argument is 1 to 16.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays detailed information about IPv6 RawIP connections for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays detailed information about IPv6 RawIP connections for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays detailed information about IPv6 RawIP connections for all cards. (Distributed devices in IRF mode.)

Usage guidelines

Detailed information about an IPv6 RawIP connection includes the socket's creator, state, option, type, and protocol number, as well as the source and destination IPv6 addresses of the connection.

Examples

# (Centralized devices in standalone mode.) Display detailed information about an IPv6 RawIP connection.

<Sysname> display ipv6 rawip verbose

Total RawIP socket number: 1

 

 Location:

 Creator: ipv6stackd[320]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 9216 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 3

 Protocol: 58

 Connection info: src = ::, dst = ::

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV6

 Hop limit: 255 (minimum hop limit: 0)

 Send VRF: 0xffff

 Receive VRF: 0xffff

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display detailed information about an IPv6 RawIP connection.

<Sysname> display ipv6 rawip verbose

Total RawIP socket number: 1

 

 Location: slot: 0

 Creator: ipv6stackd[320]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 9216 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 3

 Protocol: 58

 Connection info: src = ::, dst = ::

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV6

 Hop limit: 255 (minimum hop limit: 0)

 Send VRF: 0xffff

 Receive VRF: 0xffff

# (Distributed devices in IRF mode.) Display detailed information about an IPv6 RawIP connection.

<Sysname> display ipv6 rawip verbose

Total RawIP socket number: 1

 

 Location: chassis: 2 slot: 6

 Creator: ping ipv6[320]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/state): 0 / 9216 / 1 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 3

 Protocol: 58

 Connection info: src = ::, dst = ::

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV6

 Hop limit: 255 (minimum hop limit: 0)

 Send VRF: 0xffff

 Receive VRF: 0xffff

Table 75 Command output

Field

Description

Total RawIP socket number

Total number of IPv6 RawIP sockets.

Location

Location of the card. (Distributed devices in standalone or IRF mode.)

Location

Location of the device. (Centralized devices in IRF mode.)

chassis

ID of the IRF member device. (Distributed devices in IRF mode.)

slot

Number of the slot that holds the card. (Distributed devices in standalone or IRF mode.)

slot

ID of the IRF member device. (Centralized devices in IRF mode.)

Creator

Task name of the socket. The process number is in the square brackets.

State

Socket state.

Options

Socket options.

Error

Error code.

Receiving buffer(cc/hiwat/lowat/drop/state)

Displays receive buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     drop—Number of dropped packets.

·     state—Buffer state:

      ·     CANTSENDMORE—Unable to send data to the peer.

      ·     CANTRCVMORE—Unable to receive data from the peer.

      ·     RCVATMARK—Receiving tag.

      ·     N/A—None of the above states.

Sending buffer(cc/hiwat/lowat/state)

Displays send buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     state—Buffer state:

      ·     CANTSENDMORE—Unable to send data to the peer.

      ·     CANTRCVMORE—Unable to receive data from the peer.

      ·     RCVATMARK—Receiving tag.

      ·     N/A—None of the above states.

Type

Socket type:

·     1: SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams.

·     2: SOCK_DGRAM. This socket uses UDP to provide datagram transmission.

·     3: SOCK_RAW. This socket allows an application to change the next upper-layer protocol header.

·     N/A—None of the above types.

Protocol

Number of the protocol using the socket. 58 represents ICMP.

Connection info

Connection information, including the source and destination IPv6 addresses.

Inpcb flags

Flags in the Internet PCB:

·     INP_RECVOPTS—Receives IPv6 options.

·     INP_RECVRETOPTS—Receives replied IPv6 options.

·     INP_RECVDSTADDR—Receives destination IPv6 address.

·     INP_HDRINCL—Provides the entire IPv6 header.

·     INP_REUSEADDR—Reuses the IPv6 address.

·     INP_REUSEPORT—Reuses the port number.

·     INP_ANONPORT—Port number not specified.

·     INP_PROTOCOL_PACKET—Identifies a protocol packet.

·     INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag.

·     IN6P_IPV6_V6ONLY—Only supports IPv6 protocol stack.

·     IN6P_PKTINFO—Receives the source IPv6 address and input interface of the packet.

·     IN6P_HOPLIMIT—Receives the hop limit.

·     IN6P_HOPOPTS—Receives the hop-by-hop options extension header.

·     IN6P_DSTOPTS—Receives the destination options extension header.

·     IN6P_RTHDR—Receives the routing extension header.

·     IN6P_RTHDRDSTOPTS—Receives the destination options extension header preceding the routing extension header.

·     IN6P_TCLASS—Receives the traffic class of the packet.

·     IN6P_AUTOFLOWLABEL—Attaches a flow label automatically.

·     IN6P_RFC2292—Uses the API specified in RFC 2292.

·     IN6P_MTU—Discovers differences in the MTU size of every link along a given data path. TCP does not support this flag.

·     INP_RCVMACADDR—Receives the MAC address of the frame.

·     INP_USEICMPSRC—Uses the specified IPv6 address as the source IPv6 address for outgoing ICMP packets.

·     INP_SYNCPCB—Waits until Internet PCB is synchronized.

·     N/A—None of the above flags.

Inpcb extflag

Extension flags in the Internet PCB:

·     INP_EXTRCVPVCIDX—Records the PVC index of the received packet.

·     INP_RCVPWID—Records the PW ID of the received packet.

·     N/A—None of the above flags.

Inpcb vflag

IP version flag in the Internet PCB:

·     INP_IPV4—IPv4 protocol.

·     INP_IPV6—IPv6 protocol.

·     INP_IPV6PROTO—Creates an Internet PCB based on IPv6 protocol.

·     INP_TIMEWAIT—In TIMEWAIT state.

·     INP_ONESBCAST—Sends broadcast packets.

·     INP_DROPPED—Protocol dropped flag.

·     INP_SOCKREF—Strong socket reference.

·     INP_DONTBLOCK—Do not block synchronization of the Internet PCB.

·     N/A—None of the above flags.

Hop limit

Hop limit in the Internet PCB.

Send VRF

Sent instances.

Receive VRF

Received instances.

 

display ipv6 router-renumber statistics

Use display ipv6 router-renumber statistics to display router renumbering statistics.

Syntax

display ipv6 router-renumber statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

You can use this command to display router renumbering traffic statistics and information about packet sequence number, reset sequence number, and segment number.

Examples

# Display router renumbering statistics.

<Sysname> display ipv6 router-renumber statistics

Enabling/disabling protocol failed:         0

Packets with sequence number error:         2

Packets with segment number error:           1

PCO check failed:                                   0

Packets with T-flag set and R-flag unset:  1

Router-renumber function disable:            0

Packets too short:                              0

Packets with invalid destinations:           0

Create result packets failed:                 0

Sent result packets failed:                     0

Received command packets:                      7

Received reset packets:                         3

Sent result packets:                            9

SequenceNumber:                                      0x2

ResetSequenceNumber:                            0x2

SegmentNumber[0]:                                0x1

SegmentNumber[1]:                                0x0

SegmentNumber[2]:                                0x0

SegmentNumber[3]:                                0x0

SegmentNumber[4]:                                0x0

SegmentNumber[5]:                                0x0

SegmentNumber[6]:                                0x0

SegmentNumber[7]:                                0x0

Related commands

reset ipv6 router-renumber statistics

display ipv6 statistics

Use display ipv6 statistics to display IPv6 and ICMPv6 packet statistics.

Syntax

Centralized devices in standalone mode:

display ipv6 statistics

Distributed devices in standalone mode/centralized devices in IRF mode:

display ipv6 statistics [ slot slot-number ]

Distributed devices in IRF mode:

display ipv6 statistics [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv6 and ICMPv6 packet statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv6 and ICMPv6 packet statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv6 and ICMPv6 packet statistics for all cards. (Distributed devices in IRF mode.)

Usage guidelines

This command displays statistics about received and sent IPv6 and ICMPv6 packets.

Use the reset ipv6 statistics command to clear the statistics of all IPv6 and ICMPv6 packets.

Examples

# Display IPv6 and ICMPv6 packet statistics.

<Sysname> display ipv6 statistics

  IPv6 statistics:

 

    Sent packets:

      Total:      0

        Sent locally:         0            Forwarded:              0

        Raw packets:          0            Discarded:              0

        Fragments:            0            Fragments failed:      0

        Routing failed:       0

 

    Received packets:

      Total:      0

        Received locally:     0            Hop limit exceeded:  0

        Fragments:             0            Reassembled:           0

        Reassembly failures:  0            Reassembly timeout:  0

        Format errors:         0            Option errors:        0

        Protocol errors:      0

 

  ICMPv6 statistics:

 

    Sent packets:

      Total:      0

        Unreachable:           0             Too big:                0

        Hop limit exceeded:   0             Reassembly timeouts: 0

        Parameter problems:   0

        Echo requests:         0             Echo replies:          0

        Neighbor solicits:    0             Neighbor adverts:     0

        Router solicits:      0             Router adverts:        0

        Redirects:             0              Router renumbering:   0

      Send failed:

        Rate limitation:      0             Other errors:          0

 

    Received packets:

      Total:      0

        Checksum errors:      0             Too short:              0

        Bad codes:             0

        Unreachable:           0             Too big:                 0

        Hop limit exceeded:   0             Reassembly timeouts:   0

        Parameter problems:   0             Unknown error types:   0

        Echo requests:         0             Echo replies:           0

        Neighbor solicits:    0             Neighbor adverts:      0

        Router solicits:       0             Router adverts:        0

        Redirects:              0             Router renumbering:   0

        Unknown info types:   0

      Deliver failed:

        Bad length:           0

Related commands

reset ipv6 statistics

display ipv6 tcp

Use display ipv6 tcp to display brief information about IPv6 TCP connections.

Syntax

Centralized devices in standalone mode:

display ipv6 tcp

Distributed devices in standalone mode/centralized devices in IRF mode:

display ipv6 tcp [ slot slot-number ]

Distributed devices in IRF mode:

display ipv6 tcp [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays brief information about IPv6 TCP connections for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays brief information about IPv6 TCP connections for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays brief information about IPv6 TCP connections for all cards. (Distributed devices in IRF mode.)

Usage guidelines

Brief information about IPv6 TCP connections includes the local IPv6 address and port number, peer IPv6 address and port number, and TCP connection state.

Examples

# (Centralized devices in standalone mode.) Display brief information about IPv6 TCP connections.

<Sysname> display ipv6 tcp

*: TCP MD5 Connection

 LAddr->port         FAddr->port       State         Slot     PCB

*2001:2002:2003:2   3001:3002:3003:3 ESTABLISHED  0        0x000000000000c387

004:2005:2006:20    004:3005:3006:30

07:2008->1200        07:3008->1200

2001::1->23          2001::5->1284     ESTABLISHED  0        0x0000000000000008

2003::1->25          2001::2->1283     LISTEN        0        0x0000000000000009

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display brief information about IPv6 TCP connections.

<Sysname> display ipv6 tcp

*: TCP MD5 Connection

 LAddr->port         FAddr->port       State        Slot  PCB

*2001:2002:2003:2   3001:3002:3003:3 ESTABLISHED 1     0x000000000000c387

004:2005:2006:20    004:3005:3006:30

07:2008->1200        07:3008->1200

2001::1->23          2001::5->1284     ESTABLISHED 2     0x0000000000000008

2003::1->25          2001::2->1283     LISTEN       3     0x0000000000000009

# (Distributed devices in IRF mode.) Display brief information about IPv6 TCP connections.

<Sysname> display ipv6 tcp

*: TCP MD5 Connection

 LAddr->port         FAddr->port       State       Chassis Slot  PCB

*2001:2002:2003:2   3001:3002:3003:3  ESTABLISHED 1       1    0x000000000000c387

004:2005:2006:20    004:3005:3006:30

07:2008->1200        07:3008->1200

2001::1->23          2001::5->1284     ESTABLISHED 1       2     0x0000000000000008

2003::1->25          2001::2->1283     LISTEN       1       3     0x0000000000000009

Table 76 Command output

| Field | Description |
|---|---|
| * | Indicates that the TCP connection uses MD5 authentication. |
| LAddr->port | Local IPv6 address and port number. |
| FAddr->port | Peer IPv6 address and port number. |
| State | IPv6 TCP connection state. |
| Chassis | ID of the IRF member device. (Distributed devices in IRF mode.) |
| Slot | Number of the slot that holds the card. (Centralized devices in standalone mode/distributed devices in standalone or IRF mode.) |
| Slot | ID of the IRF member device. (Centralized devices in IRF mode.) |
| PCB | PCB index. |
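Scripts that collect this output must rejoin addresses that the device wraps across several lines, as in the examples above, and keep the leading asterisk that marks MD5 authentication. The following Python parser is an added illustration, not H3C code; the sample text is constructed, and the function and field names are this example's own.

```python
import ipaddress

# Constructed sample in the layout of the "display ipv6 tcp" examples
# (distributed device in standalone mode). All values are made up.
SAMPLE = "\n".join([
    "*: TCP MD5 Connection",
    " LAddr->port       FAddr->port       State        Slot  PCB",
    "*2001:db8:2003:20  2001:db8:3003:30  ESTABLISHED  1     0x000000000000c387",
    " 04:2005:2006:200  04:3005:3006:300",
    " 7:2008->179       7:3008->4181",
    " 2001:db8::1->23   2001:db8::5->1284 ESTABLISHED  2     0x0000000000000008",
    " 2001:db8::1->25   2001:db8::2->1283 LISTEN       3     0x0000000000000009",
])

# Connection states listed in the "display ipv6 tcp verbose" field table.
STATES = {"CLOSED", "LISTEN", "SYN_SENT", "SYN_RCVD", "ESTABLISHED", "CLOSE_WAIT",
          "FIN_WAIT_1", "CLOSING", "LAST_ACK", "FIN_WAIT_2", "TIME_WAIT"}


def _endpoint(text):
    """Split 'address->port' and validate both halves."""
    addr, sep, port = text.rpartition("->")
    if not sep or not port.isdigit() or not 0 <= int(port) <= 65535:
        raise ValueError(f"malformed or truncated endpoint: {text!r}")
    # IPv6Address raises a ValueError subclass on a bad address.
    return str(ipaddress.IPv6Address(addr)), int(port)


def parse_ipv6_tcp(output):
    """Return one dict per connection, with wrapped addresses rejoined."""
    rows, in_table = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("LAddr->port"):
            in_table = True          # header row: data rows follow
            continue
        if not in_table:
            continue                 # legend line, CLI prompt, and so on
        tokens = line.split()
        if len(tokens) == 2 and rows:
            # Continuation line: the next chunk of both wrapped columns.
            rows[-1]["l"] += tokens[0]
            rows[-1]["f"] += tokens[1]
        elif len(tokens) >= 5 and tokens[2] in STATES:
            rows.append({
                "md5": tokens[0].startswith("*"),
                "l": tokens[0].lstrip("*"),
                "f": tokens[1],
                "state": tokens[2],
                # Slot only, or chassis and slot in IRF mode.
                "location": tuple(int(t) for t in tokens[3:-1]),
                "pcb": int(tokens[-1], 16),
            })
        else:
            # Fail loudly instead of attributing text to the wrong column.
            raise ValueError(f"unexpected line in table: {raw!r}")
    conns = []
    for r in rows:
        conns.append({
            "md5": r["md5"],
            "local": _endpoint(r["l"]),   # rejects rows whose wrap is missing
            "peer": _endpoint(r["f"]),
            "state": r["state"],
            "location": r["location"],
            "pcb": r["pcb"],
        })
    return conns


if __name__ == "__main__":
    for conn in parse_ipv6_tcp(SAMPLE):
        print(conn)
```

A row whose continuation lines were lost in capture fails validation in `_endpoint` rather than yielding a shortened address.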

 

display ipv6 tcp verbose

Use display ipv6 tcp verbose to display detailed information about IPv6 TCP connections.

Syntax

Centralized devices in standalone mode:

display ipv6 tcp verbose [ pcb pcb-index ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display ipv6 tcp verbose [ slot slot-number [ pcb pcb-index ] ]

Distributed devices in IRF mode:

display ipv6 tcp verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pcb pcb-index: Displays detailed information about IPv6 TCP connections of the specified PCB. The value range for the pcb-index argument is 1 to 16.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays detailed information about IPv6 TCP connections for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays detailed information about IPv6 TCP connections for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays detailed information about IPv6 TCP connections for all cards. (Distributed devices in IRF mode.)

Usage guidelines

The detailed information includes the socket's creator, state, option, type, protocol number, source IPv6 address and port number, destination IPv6 address and port number, and the connection state.

Examples

# (Centralized devices in standalone mode.) Display detailed information about an IPv6 TCP connection.

<Sysname> display ipv6 tcp verbose

TCP inpcb number: 1(tcpcb number: 1)

 

 Location:

 Creator: ipv6stackd[199]

 State: ISCONNECTED

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 65536 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 65536 / 512 / N/A

 Type: 1

 Protocol: 6

 Connection info: src = 2001::1->179 ,  dst = 2001::2->4181

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV6

 Hop limit: 255 (minimum hop limit: 0)

 Connection state: ESTABLISHED

 TCP options: TF_REQ_SCALE TF_REQ_TSTMP TF_SACK_PERMIT TF_NSR

 NSR state: READY(M)

 Send VRF: 0x0

 Receive VRF: 0x0

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display detailed information about an IPv6 TCP connection.

<Sysname> display ipv6 tcp verbose

TCP inpcb number: 1(tcpcb number: 1)

 

 Location: slot: 0

 NSR standby: N/A

 Creator: ipv6stackd[199]

 State: ISCONNECTED

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 65536 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 65536 / 512 / N/A

 Type: 1

 Protocol: 6

 Connection info: src = 2001::1->179 ,  dst = 2001::2->4181

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV6

 Hop limit: 255 (minimum hop limit: 0)

 Connection state: ESTABLISHED

 TCP options: TF_REQ_SCALE TF_REQ_TSTMP TF_SACK_PERMIT TF_NSR

 NSR state: READY(M)

 Send VRF: 0x0

 Receive VRF: 0x0

# (Distributed devices in IRF mode.) Display detailed information about an IPv6 TCP connection.

<Sysname> display ipv6 tcp verbose

TCP inpcb number: 1(tcpcb number: 1)

 

 Location: Chassis: 2 Slot: 6

 NSR standby: N/A

 Creator: bgpd[199]

 State: ISCONNECTED

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/state): 0 / 65536 / 1 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 65536 / 512 / N/A

 Type: 1

 Protocol: 6

 Connection info: src = 2001::1->179 ,  dst = 2001::2->4181

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV6

 Hop limit: 255 (minimum hop limit: 0)

 Connection state: ESTABLISHED

 TCP options: TF_REQ_SCALE TF_REQ_TSTMP TF_SACK_PERMIT TF_NSR

 NSR state: READY(M)

 Send VRF: 0x0

 Receive VRF: 0x0

Table 77 Command output

Field

Description

TCP inpcb number

Number of IPv6 TCP Internet PCBs.

tcpcb number

Number of IPv6 TCP PCBs (excluding PCBs of TCP in TIME_WAIT state).

Location

Location of the card. (Distributed devices in standalone or IRF mode.)

Location

Location of the device. (Centralized devices in IRF mode.)

Chassis

ID of the IRF member device. (Distributed devices in IRF mode.)

Slot

Number of the slot that holds the card. (Distributed devices in standalone or IRF mode.)

Slot

ID of the IRF member device. (Centralized devices in IRF mode.)

NSR standby:

ID of the IRF member device and number of the slot where the NSR standby card resides. This field displays N/A if no NSR standby card is present.

Creator

Task name of the socket. The process number is in the square brackets.

State

Socket state.

Options

Socket options.

Error

Error code.

Receiving buffer(cc/hiwat/lowat/drop/state)

Displays receive buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     drop—Number of dropped packets.

·     state—Buffer state:

      ·     CANTSENDMORE—Unable to send data to the peer.

      ·     CANTRCVMORE—Unable to receive data from the peer.

      ·     RCVATMARK—Receiving tag.

      ·     N/A—None of the above states.

Sending buffer(cc/hiwat/lowat/state)

Displays send buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     state—Buffer state:

      ·     CANTSENDMORE—Unable to send data to the peer.

      ·     CANTRCVMORE—Unable to receive data from the peer.

      ·     RCVATMARK—Receiving tag.

      ·     N/A—None of the above states.

Type

Socket type:

·     1: SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams.

·     2: SOCK_DGRAM. This socket uses UDP to provide datagram transmission.

·     3: SOCK_RAW. This socket allows an application to change the next upper-layer protocol header.

·     N/A—None of the above types.

Protocol

Number of the protocol using the socket. 6 represents TCP.

Connection info

Connection information, including source IPv6 address and port number, and destination IPv6 address and port number.

Inpcb flags

Flags in the Internet PCB:

·     INP_RECVOPTS—Receives IPv6 options.

·     INP_RECVRETOPTS—Receives replied IPv6 options.

·     INP_RECVDSTADDR—Receives destination IPv6 address.

·     INP_HDRINCL—Provides the entire IPv6 header.

·     INP_REUSEADDR—Reuses the IPv6 address.

·     INP_REUSEPORT—Reuses the port number.

·     INP_ANONPORT—Port number not specified.

·     INP_PROTOCOL_PACKET—Identifies a protocol packet.

·     INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag.

·     IN6P_IPV6_V6ONLY—Only supports IPv6 protocol stack.

·     IN6P_PKTINFO—Receives the source IPv6 address and input interface of the packet.

·     IN6P_HOPLIMIT—Receives the hop limit.

·     IN6P_HOPOPTS—Receives the hop-by-hop options extension header.

·     IN6P_DSTOPTS—Receives the destination options extension header.

·     IN6P_RTHDR—Receives the routing extension header.

·     IN6P_RTHDRDSTOPTS—Receives the destination options extension header preceding the routing extension header.

·     IN6P_TCLASS—Receives the traffic class of the packet.

·     IN6P_AUTOFLOWLABEL—Attaches a flow label automatically.

·     IN6P_RFC2292—Uses the API specified in RFC 2292.

·     IN6P_MTU—Discovers differences in the MTU size of every link along a given data path. TCP does not support this flag.

·     INP_RCVMACADDR—Receives the MAC address of the frame.

·     INP_SYNCPCB—Waits until Internet PCB is synchronized.

·     N/A—None of the above flags.

Inpcb extflag

Extension flags in the Internet PCB:

·     INP_EXTRCVPVCIDX—Records the PVC index of the received packet.

·     INP_RCVPWID—Records the PW ID of the received packet.

·     INP_EXLISTEN—Listens to the socket.

·     N/A—None of the above flags.

Inpcb vflag

IP version flags in the Internet PCB:

·     INP_IPV4—IPv4 protocol.

·     INP_IPV6—IPv6 protocol.

·     INP_IPV6PROTO—Creates an Internet PCB based on IPv6 protocol.

·     INP_TIMEWAIT—In TIMEWAIT state.

·     INP_ONESBCAST—Sends broadcast packets.

·     INP_DROPPED—Protocol dropped flag.

·     INP_SOCKREF—Strong socket reference.

·     INP_DONTBLOCK—Do not block synchronization of the Internet PCB.

·     N/A—None of the above flags.

Hop limit

Hop limit in the Internet PCB.

Connection state

TCP connection state:

·     CLOSED—The server receives a reply to a disconnection request from the client.

·     LISTEN—The server is waiting for connection requests.

·     SYN_SENT—The client is waiting for the server to reply to the connection request.

·     SYN_RCVD—The server receives a connection request.

·     ESTABLISHED—The server and client have established connections and can transmit data bidirectionally.

·     CLOSE_WAIT—The server receives a disconnection request from the client.

·     FIN_WAIT_1—The client is waiting for the server to reply to a disconnection request.

·     CLOSING—The server and client are each waiting for the peer's disconnection reply after receiving disconnection requests from each other.

·     LAST_ACK—The server is waiting for the client to reply to a disconnection request.

·     FIN_WAIT_2—The client receives a disconnection reply from the server.

·     TIME_WAIT—The client receives a disconnection request from the server.

TCP options

TCP options:

·     TF_MD5SIG—Enables MD5 signature.

·     TF_PASSWORD—The MD5 password is configured.

·     TF_NODELAY—Do not delay sending acknowledgements.

·     TF_NOOPT—No TCP options.

·     TF_NOPUSH—Allows TCP to send non-full-sized segments.

·     TF_BINDFOREIGNADDR—Bind the peer IP address.

·     TF_NSR—Enables TCP NSR.

·     TF_REQ_SCALE—Enables the TCP window scale option.

·     TF_REQ_TSTMP—Enables the time stamp option.

·     TF_SACK_PERMIT—Enables the TCP selective acknowledgement option.

NSR state

State of the TCP connections.

Between the parentheses is the role of the connection:

·     M—Main connection.

·     S—Standby connection.

Send VRF

Sent instances.

Receive VRF

Received instances.
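As an added example (not part of the H3C reference), the per-socket records of display ipv6 tcp verbose can be parsed and checked against a policy. This Python code flags established sessions on TCP port 179 whose TCP options lack TF_MD5SIG; the port-179 policy, the abridged constructed sample, and all function names are assumptions of the example.

```python
import re

# Constructed, abridged sample in the layout of the examples above.
# Addresses, ports, process IDs and option sets are made up.
SAMPLE = """\
TCP inpcb number: 3(tcpcb number: 3)

 Location: slot: 0
 NSR standby: N/A
 Creator: bgpd[199]
 State: ISCONNECTED
 Type: 1
 Protocol: 6
 Connection info: src = 2001:db8::1->179 ,  dst = 2001:db8::2->4181
 Hop limit: 255 (minimum hop limit: 0)
 Connection state: ESTABLISHED
 TCP options: TF_REQ_SCALE TF_REQ_TSTMP TF_SACK_PERMIT TF_NSR
 NSR state: READY(M)

 Location: slot: 0
 NSR standby: N/A
 Creator: bgpd[199]
 State: ISCONNECTED
 Type: 1
 Protocol: 6
 Connection info: src = 2001:db8::1->179 ,  dst = 2001:db8::3->50112
 Hop limit: 255 (minimum hop limit: 0)
 Connection state: ESTABLISHED
 TCP options: TF_MD5SIG TF_PASSWORD TF_REQ_SCALE TF_REQ_TSTMP TF_NSR
 NSR state: READY(M)

 Location: slot: 0
 NSR standby: N/A
 Creator: telnetd[305]
 State: ISCONNECTED
 Type: 1
 Protocol: 6
 Connection info: src = 2001:db8::1->23 ,  dst = 2001:db8::9->1284
 Hop limit: 255 (minimum hop limit: 0)
 Connection state: ESTABLISHED
 TCP options: TF_REQ_SCALE TF_REQ_TSTMP TF_SACK_PERMIT
"""

CONN_RE = re.compile(r"src = (\S+)->(\d+)\s*,\s*dst = (\S+)->(\d+)")


def parse_verbose(output):
    """Split the output into one dict per socket, keyed by field name."""
    sockets, current = [], None
    for raw in output.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue                  # blank line or CLI prompt
        key = key.strip()
        if key == "Location":         # every socket record starts here
            current = {}
            sockets.append(current)
        if current is not None:       # skips the "TCP inpcb number" summary
            current[key] = value.strip()
    return sockets


def audit_md5(sockets, port=179):
    """List established sessions on `port` that lack the TF_MD5SIG option."""
    findings = []
    for sock in sockets:
        if sock.get("Connection state") != "ESTABLISHED":
            continue
        match = CONN_RE.search(sock.get("Connection info", ""))
        if not match:
            continue
        src, sport, dst, dport = match.groups()
        if port not in (int(sport), int(dport)):
            continue                  # not a session covered by the policy
        options = set(sock.get("TCP options", "").split())
        if "TF_MD5SIG" not in options:
            findings.append({
                "creator": sock.get("Creator"),
                "location": sock.get("Location"),
                "local": src,
                "peer": dst,
                "options": sorted(options),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_md5(parse_verbose(SAMPLE)):
        print("no TCP MD5 signature:", finding)
```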

 

display ipv6 tcp-proxy

Use display ipv6 tcp-proxy to display brief information about IPv6 TCP proxy.

Syntax

Centralized devices in standalone mode:

display ipv6 tcp-proxy

Distributed devices in standalone mode/centralized devices in IRF mode:

display ipv6 tcp-proxy slot slot-number

Distributed devices in IRF mode:

display ipv6 tcp-proxy chassis chassis-number slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (Distributed devices in IRF mode.)

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                 Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK   Yes
MSR810-LMS/810-LUS                                                       No
MSR2600-6-X1/2600-10-X1                                                  Yes
MSR 2630                                                                 Yes
MSR3600-28/3600-51                                                       Yes
MSR3600-28-SI/3600-51-SI                                                 No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                           Yes
MSR 3610/3620/3620-DP/3640/3660                                          Yes
MSR5620/5660/5680                                                        Yes

Hardware            Command compatibility
MSR810-LM-GL        Yes
MSR810-W-LM-GL      Yes
MSR830-6EI-GL       Yes
MSR830-10EI-GL      Yes
MSR830-6HI-GL       Yes
MSR830-10HI-GL      Yes
MSR2600-6-X1-GL     Yes
MSR3600-28-SI-GL    No

 

IPv6 TCP proxy splits every IPv6 TCP connection that passes through it into two IPv6 TCP connections to relay data packets between servers and clients. The split is transparent to the servers and clients. This feature reduces bandwidth use and improves IPv6 TCP performance. It is used for services such as load balancing, WAAS, and SSL VPN.

Examples

# Display brief information about IPv6 TCP proxy.

<Sysname> display ipv6 tcp-proxy slot 1

LAddr->port            FAddr->port              State        Service type

2001::1->45            11:22:33:44->54602      ESTABLISHED WAAS

11:22:33:44->54602    2001::1->45              ESTABLISHED WAAS

Table 78 Command output

Field

Description

LAddr->port

Local IPv6 address and port number.

FAddr->port

Peer IPv6 address and port number.

State

IPv6 TCP connection state.

Service type

Type of services that the IPv6 TCP proxy is used for:

·     LB—Load balancing services.

·     WAAS—Wide area application services.

·     SSL VPN—SSL VPN services.

 

display ipv6 tcp-proxy port-info

Use display ipv6 tcp-proxy port-info to display the usage of non-well-known ports for IPv6 TCP proxy.

Syntax

Centralized devices in standalone mode:

display ipv6 tcp-proxy port-info

Distributed devices in standalone mode/centralized devices in IRF mode:

display ipv6 tcp-proxy port-info slot slot-number

Distributed devices in IRF mode:

display ipv6 tcp-proxy port-info chassis chassis-number slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays non-well known port usage for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays non-well known port usage for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays non-well known port usage for all cards. (Distributed devices in IRF mode.)

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                 Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK   Yes
MSR810-LMS/810-LUS                                                       No
MSR2600-6-X1/2600-10-X1                                                  Yes
MSR 2630                                                                 Yes
MSR3600-28/3600-51                                                       Yes
MSR3600-28-SI/3600-51-SI                                                 No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                           Yes
MSR 3610/3620/3620-DP/3640/3660                                          Yes
MSR5620/5660/5680                                                        Yes

Hardware            Command compatibility
MSR810-LM-GL        Yes
MSR810-W-LM-GL      Yes
MSR830-6EI-GL       Yes
MSR830-10EI-GL      Yes
MSR830-6HI-GL       Yes
MSR830-10HI-GL      Yes
MSR2600-6-X1-GL     Yes
MSR3600-28-SI-GL    No

 

The TCP ports are divided into well-known ports (port numbers from 0 through 1023) and non-well known ports (port numbers from 1024 through 65535).

·     Well-known ports are for certain services, for example, port 23 for Telnet service, ports 20 and 21 for FTP service, and port 80 for HTTP service.

·     Non-well-known ports are available for various services. You can use the display ipv6 tcp-proxy port-info command to display the usage of these ports.

Examples

# Display the usage of non-well known ports for IPv6 TCP proxy.

<Sysname> display ipv6 tcp-proxy port-info

Index  Range            State

16     [1024, 1087]     USABLE

17     [1088, 1151]     USABLE

18     [1152, 1215]     USABLE

19     [1216, 1279]     USABLE

20     [1280, 1343]     USABLE

...

1020   [65280, 65343]   USABLE

1021   [65344, 65407]   USABLE

1022   [65408, 65471]   USABLE

1023   [65472, 65535]   USABLE

Table 79 Command output

Field

Description

Index

Index of the port range.

Range

Start port number and end port number.

State

State of the port range:

·     USABLE—The ports are assignable.

·     ASSIGNED—Some ports are dynamically assigned and some ports are not.

·     ALLASSIGNED—All ports are dynamically assigned. The assigned ports can be reclaimed.

·     TO RECLAIM—Some ports are statically assigned. The assigned ports can be reclaimed.

·     RESERVED—The ports are reserved. The reserved ports cannot be dynamically assigned.

 

display ipv6 udp

Use display ipv6 udp to display brief information about IPv6 UDP connections.

Syntax

Centralized devices in standalone mode:

display ipv6 udp

Distributed devices in standalone mode/centralized devices in IRF mode:

display ipv6 udp [ slot slot-number ]

Distributed devices in IRF mode:

display ipv6 udp [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays brief information about IPv6 UDP connections for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays brief information about IPv6 UDP connections for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays brief information about IPv6 UDP connections for all cards. (Distributed devices in IRF mode.)

Usage guidelines

Brief information about an IPv6 UDP connection includes local IPv6 address and port number, and peer IPv6 address and port number.

Examples

# (Centralized devices in standalone mode.) Display brief information about IPv6 UDP connections.

<Sysname> display ipv6 udp

 LAddr->port         FAddr->port         Slot    PCB

 2001:2002:2003:2   3001:3002:3003:3   0        0x000000000000c387

 004:2005:2006:20   004:3005:3006:30

 07:2008->1200      07:3008->1200

 2001::1->23         2001::5->1284       0        0x0000000000000008

 2003::1->25         2001::2->1283       0        0x0000000000000009

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display brief information about IPv6 UDP connections.

<Sysname> display ipv6 udp

 LAddr->port         FAddr->port         Slot  PCB

 2001:2002:2003:2   3001:3002:3003:3   1      0x000000000000c387

 004:2005:2006:20   004:3005:3006:30

 07:2008->1200      07:3008->1200

 2001::1->23         2001::5->1284       2      0x0000000000000008

 2003::1->25         2001::2->1283       3      0x0000000000000009

# (Distributed devices in IRF mode.) Display brief information about IPv6 UDP connections.

<Sysname> display ipv6 udp

 LAddr->port         FAddr->port         Chassis  Slot  PCB

 2001:2002:2003:2   3001:3002:3003:3   1         1      0x000000000000c387

 004:2005:2006:20   004:3005:3006:30

 07:2008->1200      07:3008->1200

 2001::1->23         2001::5->1284       1         2      0x0000000000000008

 2003::1->25         2001::2->1283       1         3      0x0000000000000009

Table 80 Command output

Field

Description

LAddr->port

Local IPv6 address and port number.

FAddr->port

Peer IPv6 address and port number.

Chassis

ID of the IRF member device. (Distributed devices in IRF mode.)

Slot

Number of the slot that holds the card. (Centralized devices in standalone mode/distributed devices in standalone or IRF mode.)

Slot

ID of the IRF member device. (Centralized devices in IRF mode.)

PCB

PCB index.

 

display ipv6 udp verbose

Use display ipv6 udp verbose to display detailed information about IPv6 UDP connections.

Syntax

Centralized devices in standalone mode:

display ipv6 udp verbose [ pcb pcb-index ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display ipv6 udp verbose [ slot slot-number [ pcb pcb-index ] ]

Distributed devices in IRF mode:

display ipv6 udp verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pcb pcb-index: Displays detailed information about IPv6 UDP connections of the specified PCB. The value range for the pcb-index argument is 1 to 16.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays detailed information about IPv6 UDP connections for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays detailed information about IPv6 UDP connections for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays detailed information about IPv6 UDP connections for all cards. (Distributed devices in IRF mode.)

Usage guidelines

The detailed information includes socket's creator, state, option, type, protocol number, source IPv6 address and port number, destination IPv6 address and port number, and connection state.

Examples

# (Centralized devices in standalone mode.) Display detailed information about an IPv6 UDP connection.

<Sysname> display ipv6 udp verbose

Total UDP socket number: 1

 

 Location:

 Creator: sock_test_mips[250]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 41600 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 2

 Protocol: 17

 Connection info: src = ::->69, dst = ::->0

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV6

 Hop limit: 255 (minimum hop limit: 0)

 Send VRF: 0xffff

 Receive VRF: 0xffff

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display detailed information about an IPv6 UDP connection.

<Sysname> display ipv6 udp verbose

Total UDP socket number: 1

 

 Location: slot: 0

 Creator: ipv6stackd[250]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 41600 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 2

 Protocol: 17

 Connection info: src = ::->69, dst = ::->0

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV6

 Hop limit: 255 (minimum hop limit: 0)

 Send VRF: 0xffff

 Receive VRF: 0xffff

# (Distributed devices in IRF mode.) Display detailed information about an IPv6 UDP connection.

<Sysname> display ipv6 udp verbose

Total UDP socket number: 1

 

 Location: chassis: 2 slot: 6

 Creator: sock_test_mips[250]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/state): 0 / 41600 / 1 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 2

 Protocol: 17

 Connection info: src = ::->69, dst = ::->0

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV6

 Hop limit: 255 (minimum hop limit: 0)

 Send VRF: 0xffff

 Receive VRF: 0xffff

Table 81 Command output

Field

Description

Total UDP socket number

Total number of IPv6 UDP sockets.

Location

Location of the card. (Distributed devices in standalone or IRF mode.)

Location

Location of the device. (Centralized devices in IRF mode.)

chassis

ID of the IRF member device. (Distributed devices in IRF mode.)

slot

Number of the slot that holds the card. (Distributed devices in standalone or IRF mode.)

slot

ID of the IRF member device. (Centralized devices in IRF mode.)

Creator

Task name of the socket. The process number is in the square brackets.

State

Socket state.

Options

Socket options.

Error

Error code.

Receiving buffer(cc/hiwat/lowat/drop/state)

Displays receive buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     drop—Number of dropped packets.

·     state—Buffer state:

¡     CANTSENDMORE—Unable to send data to the peer.

¡     CANTRCVMORE—Unable to receive data from the peer.

¡     RCVATMARK—Receiving tag.

¡     N/A—None of the above states.

Sending buffer(cc/hiwat/lowat/state)

Displays send buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     state—Buffer state:

¡     CANTSENDMORE—Unable to send data to the peer.

¡     CANTRCVMORE—Unable to receive data from the peer.

¡     RCVATMARK—Receiving tag.

¡     N/A—None of the above states.

Type

Socket type:

·     1—SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams.

·     2—SOCK_DGRAM. This socket uses UDP to provide datagram transmission.

·     3—SOCK_RAW. This socket allows an application to change the next upper-layer protocol header.

·     N/A—None of the above types.

Protocol

Number of the protocol using the socket. 17 represents UDP.

Connection info

Connection information, including source IPv6 address and port number, and destination IPv6 address and port number.

Inpcb flags

Flags in the Internet PCB:

·     INP_RECVOPTS—Receives IPv6 options.

·     INP_RECVRETOPTS—Receives replied IPv6 options.

·     INP_RECVDSTADDR—Receives destination IPv6 address.

·     INP_HDRINCL—Provides the entire IPv6 header.

·     INP_REUSEADDR—Reuses the IPv6 address.

·     INP_REUSEPORT—Reuses the port number.

·     INP_ANONPORT—Port number not specified.

·     INP_PROTOCOL_PACKET—Identifies a protocol packet.

·     INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag.

·     IN6P_IPV6_V6ONLY—Only supports IPv6 protocol stack.

·     IN6P_PKTINFO—Receives the source IPv6 address and input interface of the packet.

·     IN6P_HOPLIMIT—Receives the hop limit.

·     IN6P_HOPOPTS—Receives the hop-by-hop options extension header.

·     IN6P_DSTOPTS—Receives the destination options extension header.

·     IN6P_RTHDR—Receives the routing extension header.

·     IN6P_RTHDRDSTOPTS—Receives the destination options extension header preceding the routing extension header.

·     IN6P_TCLASS—Receives the traffic class of the packet.

·     IN6P_AUTOFLOWLABEL—Attaches a flow label automatically.

·     IN6P_RFC2292—Uses the API specified in RFC 2292.

·     IN6P_MTU—Discovers differences in the MTU size of every link along a given data path. TCP does not support this flag.

·     INP_RCVMACADDR—Receives the MAC address of the frame.

·     INP_SYNCPCB—Waits until Internet PCB is synchronized.

·     N/A—None of the above flags.

Inpcb extflag

Extension flags in the Internet PCB:

·     INP_EXTRCVPVCIDX—Records the PVC index of the received packet.

·     INP_RCVPWID—Records the PW ID of the received packet.

·     N/A—None of the above flags.

Inpcb vflag

IP version flags in the Internet PCB:

·     INP_IPV4—IPv4 protocol.

·     INP_IPV6—IPv6 protocol.

·     INP_IPV6PROTO—Creates an Internet PCB based on IPv6 protocol.

·     INP_TIMEWAIT—In TIMEWAIT state.

·     INP_ONESBCAST—Sends broadcast packets.

·     INP_DROPPED—Protocol dropped flag.

·     INP_SOCKREF—Strong socket reference.

·     INP_DONTBLOCK—Do not block synchronization of the Internet PCB.

·     N/A—None of the above flags.

Hop limit

Hop limit in the Internet PCB.

Send VRF

Sent instances.

Receive VRF

Received instances.
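The fields in Table 81 can be checked mechanically when the output is collected for an audit. The following is an added example, not H3C code: it parses text in the display ipv6 udp verbose layout shown above and flags sockets bound to the unspecified address (::) on ports outside an approved list, as well as sockets whose receive buffer reports drops. The second socket in the sample, the creator name exampled, and the approved port list are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout of the "display ipv6 udp verbose" output
# documented above. The second socket is abbreviated and its values invented.
SAMPLE = """\
Total UDP socket number: 2

 Location: slot: 0
 Creator: ipv6stackd[250]
 State: N/A
 Options: N/A
 Error: 0
 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 41600 / 1 / 0 / N/A
 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A
 Type: 2
 Protocol: 17
 Connection info: src = ::->69, dst = ::->0
 Inpcb flags: N/A
 Inpcb extflag: N/A
 Inpcb vflag: INP_IPV6
 Hop limit: 255 (minimum hop limit: 0)
 Send VRF: 0xffff
 Receive VRF: 0xffff

 Location: slot: 0
 Creator: exampled[312]
 Receiving buffer(cc/hiwat/lowat/drop/state): 40960 / 41600 / 1 / 17 / N/A
 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A
 Connection info: src = 2001::1->1200, dst = 2001::5->1284
 Inpcb vflag: INP_IPV6
"""

CONN_RE = re.compile(r"src = (\S+)->(\d+), dst = (\S+)->(\d+)")
CREATOR_RE = re.compile(r"(.+)\[(\d+)\]$")


def _buffer_fields(key, value):
    """Map the names in 'Receiving buffer(cc/hiwat/...)' onto the values.

    The names are read from the key itself, so the output variant that has
    no 'drop' column is handled without a special case.
    """
    names = key[key.index("(") + 1:key.rindex(")")].split("/")
    values = [v.strip() for v in value.split("/")]
    return dict(zip(names, values))


def parse_udp_verbose(text):
    """Return (declared_total, [socket dict, ...]) from the command output."""
    total, sockets, cur = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Total UDP socket number":
            total = int(value)
        elif key == "Location":            # every socket block starts here
            cur = {"location": value, "creator": None, "pid": None,
                   "laddr": None, "lport": None, "drops": 0}
            sockets.append(cur)
        elif cur is None:
            continue
        elif key == "Creator":
            m = CREATOR_RE.match(value)
            if m:
                cur["creator"], cur["pid"] = m.group(1), int(m.group(2))
        elif key.startswith("Receiving buffer("):
            cur["drops"] = int(_buffer_fields(key, value).get("drop", 0))
        elif key == "Connection info":
            m = CONN_RE.search(value)
            if m:
                cur["laddr"] = ipaddress.IPv6Address(m.group(1))
                cur["lport"] = int(m.group(2))
    return total, sockets


def audit(sockets, allowed_ports):
    """Flag wildcard-bound sockets on unapproved ports and sockets that drop."""
    findings = []
    for s in sockets:
        wildcard = s["laddr"] is not None and s["laddr"].is_unspecified
        if wildcard and s["lport"] not in allowed_ports:
            findings.append((s["creator"], s["lport"],
                             "wildcard listener, port not approved"))
        if s["drops"] > 0:
            findings.append((s["creator"], s["lport"],
                             f"{s['drops']} packets dropped"))
    return findings


if __name__ == "__main__":
    total, socks = parse_udp_verbose(SAMPLE)
    if total != len(socks):
        print("warning: socket count mismatch, output truncated?")
    for finding in audit(socks, allowed_ports={123, 546}):
        print(finding)
```

Comparing the declared total with the number of parsed blocks catches truncated captures before the audit result is trusted.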

 

ipv6 address

Use ipv6 address to configure an IPv6 global unicast address for an interface.

Use undo ipv6 address to delete an IPv6 address of the interface.

Syntax

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

undo ipv6 address [ ipv6-address prefix-length | ipv6-address/prefix-length ]

Default

No IPv6 global unicast address is configured for an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies an IPv6 address.

prefix-length: Specifies a prefix length in the range of 1 to 128.

Usage guidelines

Like public IPv4 addresses, IPv6 global unicast addresses are assigned to ISPs. This type of address allows for prefix aggregation to reduce the number of global routing entries.

If you do not specify any parameters, the undo ipv6 address command deletes all IPv6 addresses of an interface.

Examples

# Set the IPv6 global unicast address of GigabitEthernet 1/0/1 to 2001::1 with prefix length 64.

Method 1:

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 address 2001::1/64

Method 2:

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 address 2001::1 64

ipv6 address anycast

Use ipv6 address anycast to configure an IPv6 anycast address for an interface.

Use undo ipv6 address anycast to delete the IPv6 anycast address of the interface.

Syntax

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } anycast

undo ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } anycast

Default

No IPv6 anycast address is configured for an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies an IPv6 anycast address.

prefix-length: Specifies a prefix length in the range of 1 to 128.

Examples

# Set the IPv6 anycast address of interface GigabitEthernet 1/0/1 to 2001::1 with prefix length 64.

Method 1:

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 address 2001::1/64 anycast

Method 2:

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 address 2001::1 64 anycast

ipv6 address auto

Use ipv6 address auto to enable the stateless address autoconfiguration feature on an interface, so that the interface can automatically generate a global unicast address.

Use undo ipv6 address auto to disable this feature.

Syntax

ipv6 address auto

undo ipv6 address auto

Default

The stateless address autoconfiguration feature is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

After a global unicast address is generated through stateless autoconfiguration, a link-local address is generated automatically.

To delete the global unicast address and the link-local address that are automatically generated, use either of the following commands:

·     undo ipv6 address auto

·     undo ipv6 address

Examples

# Enable stateless address autoconfiguration on interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 address auto

ipv6 address auto link-local

Use ipv6 address auto link-local to automatically generate a link-local address for an interface.

Use undo ipv6 address auto link-local to restore the default.

Syntax

ipv6 address auto link-local

undo ipv6 address auto link-local

Default

No link-local address is configured on an interface. A link-local address is automatically generated after an IPv6 global unicast address is configured for the interface.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

Link-local addresses are used for neighbor discovery and stateless autoconfiguration on the local link. Packets using link-local addresses as the source or destination addresses cannot be forwarded to other links.

After an IPv6 global unicast address is configured for an interface, a link-local address is automatically generated. This link-local address is the same as the one generated by using the ipv6 address auto link-local command.

The undo ipv6 address auto link-local command deletes only the link-local addresses generated through the ipv6 address auto link-local command. If the undo command is executed on an interface with an IPv6 global unicast address configured, the interface still has a link-local address.

You can also manually assign an IPv6 link-local address for an interface by using the ipv6 address link-local command. Manual assignment takes precedence over automatic generation for IPv6 link-local addresses.

·     If you first use automatic generation and then manual assignment, the manually assigned link-local address overwrites the automatically generated address.

·     If you first use manual assignment and then automatic generation, both of the following occur:

¡     The automatically generated link-local address does not take effect.

¡     The link-local address of an interface is still the manually assigned address.

If you delete the manually assigned address, the automatically generated link-local address takes effect.

Examples

# Configure GigabitEthernet 1/0/1 to automatically generate a link-local address.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 address auto link-local

Related commands

ipv6 address link-local

ipv6 address eui-64

Use ipv6 address eui-64 to configure an EUI-64 IPv6 address for an interface.

Use undo ipv6 address eui-64 to delete an EUI-64 IPv6 address from an interface.

Syntax

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64

undo ipv6 address [ ipv6-address prefix-length | ipv6-address/prefix-length ] eui-64

Default

No EUI-64 IPv6 address is configured for an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-address/prefix-length: Specifies an IPv6 address and IPv6 prefix length. The ipv6-address and prefix-length arguments jointly specify the prefix of an EUI-64 IPv6 address. The value range for the prefix-length argument is 1 to 64.

Usage guidelines

An EUI-64 IPv6 address is generated based on the specified prefix and the automatically generated interface ID. To display the EUI-64 IPv6 address, use the display ipv6 interface command.

The prefix length of an EUI-64 IPv6 address cannot be greater than 64.

Examples

# Configure an EUI-64 IPv6 address for interface GigabitEthernet 1/0/1. The prefix of the address is the same as that of 2001::1/64, and the interface ID is generated based on the MAC address of the device.

Method 1:

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 address 2001::1/64 eui-64

Method 2:

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 address 2001::1 64 eui-64

Related commands

display ipv6 interface
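An EUI-64 address carries the interface's MAC address in its low 64 bits, so the address is stable across prefixes and the hardware address can be read back from it. The following is an added example, not H3C code: it assumes the interface ID is built with the modified EUI-64 mapping of RFC 4291 Appendix A (the page only says the ID is generated from the MAC address), and the MAC address used in the test values is a constructed one from the IANA documentation range.

```python
import ipaddress
import re


def mac_to_interface_id(mac):
    """Return the 64-bit modified EUI-64 interface ID for a 48-bit MAC.

    Accepts xxxx-xxxx-xxxx, xx:xx:xx:xx:xx:xx and xxxx.xxxx.xxxx notation.
    """
    octets = bytes.fromhex(re.sub(r"[:.\-]", "", mac))
    if len(octets) != 6:
        raise ValueError("a MAC address has 6 octets")
    # Flip the universal/local bit and insert ff:fe between OUI and NIC part.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def eui64_address(address_with_length, mac):
    """Build the address that 'ipv6 address <addr>/<len> eui-64' describes.

    Only the prefix of the given address is used, as in the page's example
    where 2001::1/64 contributes the prefix 2001::/64.
    """
    given = ipaddress.IPv6Interface(address_with_length)
    plen = given.network.prefixlen
    if plen > 64:
        raise ValueError("the prefix length of an EUI-64 address "
                         "cannot be greater than 64")
    value = int(given.network.network_address) | mac_to_interface_id(mac)
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(value)}/{plen}")


def mac_from_eui64(address):
    """Recover the MAC from an address, or None if it is not EUI-64 based."""
    iid = (int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    addr = eui64_address("2001::1/64", "0000-5e00-5301")  # constructed MAC
    print(addr, "->", mac_from_eui64(str(addr.ip)))
```

Because the mapping is reversible, anyone who sees the address learns the interface's MAC address and vendor OUI, which is worth weighing before using EUI-64 addresses on interfaces that face untrusted networks.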

ipv6 address link-local

Use ipv6 address link-local to configure a link-local address for the interface.

Use undo ipv6 address link-local to restore the default.

Syntax

ipv6 address ipv6-address link-local

undo ipv6 address ipv6-address link-local

Default

No link-local address is configured for the interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies an IPv6 link-local address. The first 10 bits of the address must be 1111111010 (binary), which means the first group of hexadecimal digits in the address must be in the range of FE80 to FEBF.

Usage guidelines

Manual assignment takes precedence over automatic generation.

If you use automatic generation, and then use manual assignment, the manually assigned link-local address overwrites the one that is automatically generated.

If you use manual assignment and then use automatic generation, both of the following occur:

·     The automatically generated link-local address does not take effect.

·     The manually assigned link-local address of an interface remains.

After you delete the manually assigned address, the automatically generated link-local address takes effect. For automatic generation of an IPv6 link-local address, see the ipv6 address auto link-local command.

Examples

# Configure a link-local address for GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 address fe80::1 link-local

Related commands

ipv6 address auto link-local

ipv6 address prefix-number

Use ipv6 address prefix-number to specify an IPv6 prefix for an interface to automatically generate an IPv6 global unicast address and advertise the prefix.

Use undo ipv6 address prefix-number to restore the default.

Syntax

ipv6 address prefix-number sub-prefix/prefix-length

undo ipv6 address prefix-number

Default

No IPv6 prefix is specified for IPv6 address autoconfiguration.

Views

Interface view

Predefined user roles

network-admin

Parameters

prefix-number: Specifies an IPv6 prefix by its ID in the range of 1 to 1024. The specified IPv6 prefix can be manually configured or obtained through DHCPv6.

sub-prefix: Specifies the sub-prefix bit and host bit for the IPv6 global unicast address.

prefix-length: Specifies the sub-prefix length in the range of 1 to 128.

Usage guidelines

This command enables an interface to automatically generate an IPv6 global unicast address based on the specified IPv6 prefix, sub-prefix bit, and host bit.

An interface can generate only one IPv6 global unicast address based on the prefix specified by using the ipv6 address command. To configure the interface to generate a new IPv6 address, execute the undo ipv6 address command to delete the configuration, and then execute the ipv6 address command.

Examples

# Configure a static IPv6 prefix AAAA::/16 and assign ID 1 to the prefix. Configure GigabitEthernet 1/0/1 to use this prefix to generate the IPv6 address AAAA:CCCC:DDDD::10/32 and advertise this prefix.

<Sysname> system-view

[Sysname] ipv6 prefix 1 AAAA::/16

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 address 1 BBBB:CCCC:DDDD::10/32

# Configure GigabitEthernet 1/0/1 to obtain an IPv6 prefix through DHCPv6 and assign ID 2 to the obtained prefix. Configure GigabitEthernet 1/0/1 to use the obtained prefix to generate an IPv6 address and advertise the prefix.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp client pd 2 rapid-commit option-group 1

[Sysname-GigabitEthernet1/0/1] quit

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 address 2 BBBB:CCCC:DDDD::10/32

Related commands

ipv6 prefix

ipv6 dhcp client pd
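In the first example above, the prefix AAAA::/16 and the argument BBBB:CCCC:DDDD::10/32 produce AAAA:CCCC:DDDD::10/32: the leading bits come from the prefix and the BBBB group is discarded. The following is an added example, not H3C code, that generalizes that one case to any prefix and sub-prefix and recomputes interface addresses when a delegated prefix changes. The 2001:db8 prefixes and the sub-prefix plan are constructed, and rejecting a sub-prefix shorter than the prefix is an assumption because the page does not cover that case.

```python
import ipaddress


def compose_address(prefix, sub_prefix):
    """Combine an IPv6 prefix with 'sub-prefix/prefix-length'.

    The leading bits come from the prefix, every remaining bit comes from the
    sub-prefix, and the result carries the sub-prefix's length. Returns
    (interface, discarded) where 'discarded' is True when the sub-prefix had
    non-zero bits inside the prefix that were replaced.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    sub = ipaddress.IPv6Interface(sub_prefix)
    # Assumption: the page does not say what the device does in this case.
    if sub.network.prefixlen < net.prefixlen:
        raise ValueError("sub-prefix length is shorter than the prefix")
    host_bits = 128 - net.prefixlen
    low_mask = (1 << host_bits) - 1
    sub_value = int(sub.ip)
    value = int(net.network_address) | (sub_value & low_mask)
    discarded = (sub_value >> host_bits) != 0
    text = f"{ipaddress.IPv6Address(value)}/{sub.network.prefixlen}"
    return ipaddress.IPv6Interface(text), discarded


def plan_addresses(prefix, plan):
    """Compute every interface address for one prefix.

    'plan' maps an interface name to its sub-prefix/prefix-length argument.
    Raises ValueError when two interfaces would land in overlapping subnets.
    """
    result = {}
    for name, sub_prefix in plan.items():
        iface, _ = compose_address(prefix, sub_prefix)
        for other_name, other in result.items():
            if iface.network.overlaps(other.network):
                raise ValueError(f"{name} overlaps {other_name}")
        result[name] = iface
    return result


if __name__ == "__main__":
    print(compose_address("AAAA::/16", "BBBB:CCCC:DDDD::10/32"))
    plan = {  # constructed plan
        "GigabitEthernet1/0/1": "::1:0:0:0:1/64",
        "GigabitEthernet1/0/2": "::2:0:0:0:1/64",
    }
    for delegated in ("2001:db8:1200::/48", "2001:db8:3400::/48"):
        print(delegated, plan_addresses(delegated, plan))
```

Running the plan against the old and the new delegated prefix gives the exact address pairs that ACLs and monitoring need updated after a renumbering.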

ipv6 bandwidth-based-sharing

Use ipv6 bandwidth-based-sharing to enable IPv6 load sharing based on bandwidth.

Use undo ipv6 bandwidth-based-sharing to disable IPv6 load sharing based on bandwidth.

Syntax

ipv6 bandwidth-based-sharing

undo ipv6 bandwidth-based-sharing

Default

IPv6 load sharing based on bandwidth is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature load shares IPv6 traffic among multiple output interfaces based on their load percentages. The device calculates the load percentage for each output interface in terms of the interface expected bandwidth.

Devices that run load sharing protocols implement load sharing based on the ratios defined by these protocols.

Examples

# Enable IPv6 load sharing based on bandwidth.

<Sysname> system-view

[Sysname] ipv6 bandwidth-based-sharing

ipv6 extension-header drop enable

Use ipv6 extension-header drop enable to enable a device to discard IPv6 packets that contain extension headers.

Use undo ipv6 extension-header drop enable to disable a device from discarding IPv6 packets that contain extension headers.

Syntax

ipv6 extension-header drop enable

undo ipv6 extension-header drop enable

Default

A device does not discard IPv6 packets that contain extension headers.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables a device to discard a received IPv6 packet in which the extension headers cannot be processed by the device.

Examples

# Enable the device to discard IPv6 packets that contain extension headers.

<Sysname> system-view

[Sysname] ipv6 extension-header drop enable

ipv6 hop-limit

Use ipv6 hop-limit to set the Hop Limit field in the IPv6 header.

Use undo ipv6 hop-limit to restore the default.

Syntax

ipv6 hop-limit value

undo ipv6 hop-limit

Default

The hop limit is 64.

Views

System view

Predefined user roles

network-admin

Parameters

value: Specifies the number of hops, in the range of 1 to 255.

Usage guidelines

The hop limit determines the number of hops that an IPv6 packet generated by the device can travel.

The device advertises the hop limit in RA messages. All RA message receivers use the advertised value to fill in the Hop Limit field for IPv6 packets to be sent. To disable the device from advertising the hop limit, use the ipv6 nd ra hop-limit unspecified command.

Examples

# Set the maximum number of hops to 100.

<Sysname> system-view

[Sysname] ipv6 hop-limit 100

Related commands

ipv6 nd ra hop-limit unspecified

ipv6 hoplimit-expires enable

Use ipv6 hoplimit-expires enable to enable sending ICMPv6 time exceeded messages.

Use undo ipv6 hoplimit-expires enable to disable sending ICMPv6 time exceeded messages.

Syntax

ipv6 hoplimit-expires enable

undo ipv6 hoplimit-expires enable

Default

Sending ICMPv6 time exceeded messages is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

ICMPv6 time exceeded messages are sent to the source of IPv6 packets after the device discards the packets because the hop limit expires or reassembly times out.

To prevent too many ICMPv6 error messages from affecting device performance, disable this feature. Even with the feature disabled, the device still sends fragment reassembly time exceeded messages.

Examples

# Disable sending ICMPv6 time exceeded messages.

<Sysname> system-view

[Sysname] undo ipv6 hoplimit-expires enable

ipv6 icmpv6 error-interval

Use ipv6 icmpv6 error-interval to set the bucket size and the interval for tokens to arrive in the bucket for ICMPv6 error messages.

Use undo ipv6 icmpv6 error-interval to restore the default.

Syntax

ipv6 icmpv6 error-interval interval [ bucketsize ]

undo ipv6 icmpv6 error-interval

Default

The bucket allows a maximum of 10 tokens, and a token is placed in the bucket every 100 milliseconds.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the interval for tokens to arrive in the bucket. The value range is 0 to 2147483647 milliseconds. To disable the ICMPv6 rate limit, set the value to 0.

bucketsize: Specifies the maximum number of tokens allowed in the bucket. The value range is 1 to 200.

Usage guidelines

This command limits the rate at which ICMPv6 error messages are sent. Use this command to prevent network congestion caused by excessive ICMPv6 error messages generated within a short period. A token bucket algorithm is used with one token representing one ICMPv6 error message.

A token is placed in the bucket at intervals until the maximum number of tokens that the bucket can hold is reached.

A token is removed from the bucket when an ICMPv6 error message is sent. When the bucket is empty, ICMPv6 error messages are not sent until a new token is placed in the bucket.

Examples

# Set the bucket size to 40 tokens and the interval for tokens to arrive in the bucket to 200 milliseconds for ICMPv6 error messages.

<Sysname> system-view

[Sysname] ipv6 icmpv6 error-interval 200 40
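
The following simulation is an added example, not H3C code. It models the token bucket described above so that the effect of a given interval and bucketsize can be checked against a burst of error-triggering packets. It assumes the bucket starts full, which this page does not state; the class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Icmpv6ErrorLimiter:
    """Token bucket for `ipv6 icmpv6 error-interval interval [ bucketsize ]`."""
    interval_ms: int = 100   # page default: one token every 100 ms
    bucketsize: int = 10     # page default: at most 10 tokens

    def __post_init__(self):
        # Value ranges as documented for the two arguments.
        if not 0 <= self.interval_ms <= 2147483647:
            raise ValueError("interval must be 0..2147483647 ms")
        if not 1 <= self.bucketsize <= 200:
            raise ValueError("bucketsize must be 1..200")
        self.tokens = self.bucketsize   # assumption: the bucket starts full
        self.last_refill_ms = 0

    def allow(self, now_ms):
        """Return True if an ICMPv6 error message may be sent at now_ms."""
        if self.interval_ms == 0:       # interval 0 disables the rate limit
            return True
        # One token arrives per elapsed interval, capped at the bucket size.
        arrived = (now_ms - self.last_refill_ms) // self.interval_ms
        if arrived > 0:
            self.tokens = min(self.bucketsize, self.tokens + arrived)
            self.last_refill_ms += arrived * self.interval_ms
        if self.tokens > 0:
            self.tokens -= 1            # sending one error consumes one token
            return True
        return False                    # bucket empty: the error is not sent


def errors_sent(limiter, event_times_ms):
    """Count how many error-triggering events actually produce a message."""
    return sum(1 for t in event_times_ms if limiter.allow(t))


# Constructed load: one error-triggering packet per millisecond for one second.
FLOOD = list(range(1000))

if __name__ == "__main__":
    print("default (100 ms, 10):", errors_sent(Icmpv6ErrorLimiter(), FLOOD))
    print("page example (200 ms, 40):", errors_sent(Icmpv6ErrorLimiter(200, 40), FLOOD))
    print("interval 0 (no limit):", errors_sent(Icmpv6ErrorLimiter(0, 10), FLOOD))
```

A larger bucketsize raises the size of the initial burst the device will answer, while the interval alone sets the sustained rate once the bucket is empty.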

ipv6 icmpv6 multicast-echo-reply enable

Use ipv6 icmpv6 multicast-echo-reply enable to enable replying to multicast echo requests.

Use undo ipv6 icmpv6 multicast-echo-reply enable to restore the default.

Syntax

ipv6 icmpv6 multicast-echo-reply enable

undo ipv6 icmpv6 multicast-echo-reply enable

Default

The device is disabled from replying to multicast echo requests.

Views

System view

Predefined user roles

network-admin

Usage guidelines

If a host is configured to reply to multicast echo requests, an attacker can use this mechanism to attack the host. For example, the attacker can send an echo request to a multicast address with Host A as the source. All hosts in the multicast group will send echo replies to Host A.

To prevent attacks, do not enable the device to reply to multicast echo requests unless necessary.

Examples

# Enable replying to multicast echo requests.

<Sysname> system-view

[Sysname] ipv6 icmpv6 multicast-echo-reply enable
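
The following detection sketch is an added example, not part of the H3C reference. It looks for the pattern described in the usage guidelines above: an echo request sent to a multicast address, followed by echo replies from many hosts to the address that the request claimed as its source. The packet summaries, addresses, and function name are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 128, 129   # ICMPv6 message types

# Constructed packet summaries: (time_s, source, destination, icmpv6_type)
SAMPLE = [
    (0.00, "2001:db8::a", "ff02::1", 128),       # request to all-nodes, source claims to be Host A
    (0.01, "2001:db8::11", "2001:db8::a", 129),  # replies converge on Host A
    (0.01, "2001:db8::12", "2001:db8::a", 129),
    (0.02, "2001:db8::13", "2001:db8::a", 129),
    (5.00, "2001:db8::20", "2001:db8::21", 128), # ordinary unicast ping
    (5.01, "2001:db8::21", "2001:db8::20", 129),
]


def multicast_echo_fanout(packets, window_s=1.0):
    """Map each claimed source of a multicast echo request to the number of
    distinct hosts that replied to it within window_s seconds."""
    requests = []                     # (time, claimed source) of multicast echo requests
    responders = defaultdict(set)
    for t, src, dst, icmp_type in sorted(packets):
        src_ip = ipaddress.IPv6Address(src)
        dst_ip = ipaddress.IPv6Address(dst)
        if icmp_type == ECHO_REQUEST and dst_ip.is_multicast:
            requests.append((t, src_ip))
        elif icmp_type == ECHO_REPLY:
            # Attribute the reply to a multicast request that named this destination.
            for req_t, claimed in requests:
                if claimed == dst_ip and 0 <= t - req_t <= window_s:
                    responders[claimed].add(src_ip)
                    break
    return {str(addr): len(hosts) for addr, hosts in responders.items()}


if __name__ == "__main__":
    for victim, count in multicast_echo_fanout(SAMPLE).items():
        print(f"{victim} received replies from {count} hosts after a multicast echo request")
```

A device left at the default (multicast echo reply disabled) never appears among the responders counted here.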

ipv6 icmpv6 source

Use ipv6 icmpv6 source to specify an IPv6 address as the source address for outgoing ICMPv6 packets.

Use undo ipv6 icmpv6 source to remove the specified IPv6 source address for outgoing ICMPv6 packets.

Syntax

ipv6 icmpv6 source [ vpn-instance vpn-instance-name ] ipv6-address

undo ipv6 icmpv6 source [ vpn-instance vpn-instance-name ]

Default

No IPv6 source address for outgoing ICMPv6 packets is specified. The device uses the IPv6 address of the sending interface as the source IPv6 address for outgoing ICMPv6 packets.

Views

System view

Predefined user roles

network-admin

Parameters

vpn-instance vpn-instance-name: Specifies the VPN instance to which the specified address belongs. The VPN instance name is a case-sensitive string of 1 to 31 characters. The specified VPN instance must already exist. If the specified IPv6 address is on the public network, do not use this option.

ipv6-address: Specifies an IPv6 address.

Usage guidelines

It is a good practice to specify the IPv6 address of the loopback interface as the source IPv6 address for outgoing ping echo request and ICMPv6 error messages. This feature helps users to easily locate the sending device.

Examples

# Specify IPv6 address 1::1 as the source address for outgoing ICMPv6 packets.

<Sysname> system-view

[Sysname] ipv6 icmpv6 source 1::1

ipv6 mtu

Use ipv6 mtu to configure the MTU of IPv6 packets sent over an interface.

Use undo ipv6 mtu to restore the default MTU.

Syntax

ipv6 mtu size

undo ipv6 mtu

Default

No MTU is configured for an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

size: Specifies the size of the MTUs of an interface, in the range of 1280 to 1650 bytes.

Usage guidelines

IPv6 routers do not support packet fragmentation. After an IPv6 router receives an IPv6 packet, if the packet size is greater than the MTU of the forwarding interface, the router discards the packet. Meanwhile, the router sends the MTU to the source host in an ICMPv6 Packet Too Big message. The source host fragments the packet according to the MTU and resends it. To reduce the extra flow overhead resulting from packet drops, set an appropriate interface MTU for your network.

Examples

# Set the MTU of IPv6 packets over GigabitEthernet 1/0/1 to 1280 bytes.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 mtu 1280

ipv6 nd autoconfig managed-address-flag

Use ipv6 nd autoconfig managed-address-flag to set the managed address configuration flag (M) to 1 in RA advertisements to be sent.

Use undo ipv6 nd autoconfig managed-address-flag to restore the default.

Syntax

ipv6 nd autoconfig managed-address-flag

undo ipv6 nd autoconfig managed-address-flag

Default

The M flag is set to 0 in RA advertisements. Hosts receiving the advertisements will obtain IPv6 addresses through stateless autoconfiguration.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

The M flag in RA advertisements determines whether receiving hosts use stateful autoconfiguration to obtain IPv6 addresses.

·     If the M flag is set to 1 in RA advertisements, receiving hosts use stateful autoconfiguration (for example, from a DHCPv6 server) to obtain IPv6 addresses.

·     If the M flag is set to 0 in RA advertisements, receiving hosts use stateless autoconfiguration. Stateless autoconfiguration generates IPv6 addresses according to link-layer addresses and the prefix information in the RA advertisements.

Examples

# Set the M flag to 1 in RA advertisements to be sent.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 nd autoconfig managed-address-flag

ipv6 nd autoconfig other-flag

Use ipv6 nd autoconfig other-flag to set the other stateful configuration flag (O) to 1 in RA advertisements to be sent.

Use undo ipv6 nd autoconfig other-flag to restore the default.

Syntax

ipv6 nd autoconfig other-flag

undo ipv6 nd autoconfig other-flag

Default

The O flag is set to 0 in RA advertisements. Hosts receiving the advertisements will acquire other information through stateless autoconfiguration.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

The O flag in RA advertisements determines whether receiving hosts use stateful autoconfiguration to obtain configuration information other than IPv6 addresses.

·     If the O flag is set to 1 in RA advertisements, receiving hosts use stateful autoconfiguration (for example, from a DHCPv6 server) to obtain configuration information other than IPv6 addresses.

·     If the O flag is set to 0 in RA advertisements, receiving hosts use stateless autoconfiguration to obtain configuration information other than IPv6 addresses.

Examples

# Set the O flag to 0 in RA advertisements to be sent.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] undo ipv6 nd autoconfig other-flag

ipv6 nd dad attempts

Use ipv6 nd dad attempts to set the number of attempts to send an NS message for DAD.

Use undo ipv6 nd dad attempts to restore the default.

Syntax

ipv6 nd dad attempts interval

undo ipv6 nd dad attempts

Default

The number of attempts to send an NS message for DAD is 1.

Views

Interface view

Predefined user roles

network-admin

Parameters

interval: Specifies the number of attempts to send an NS message for DAD, in the range of 0 to 600. If it is set to 0, DAD is disabled.

Usage guidelines

An interface sends an NS message for DAD after obtaining an IPv6 address.

If the interface does not receive a response within the time specified by using ipv6 nd ns retrans-timer, it resends an NS message.

If the interface receives no response after making the maximum sending attempts (set by using ipv6 nd dad attempts), the interface uses the obtained address.

Examples

# Set the number of attempts to send an NS message for DAD to 20.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 nd dad attempts 20

Related commands

display ipv6 interface

ipv6 nd ns retrans-timer

ipv6 nd ns retrans-timer

Use ipv6 nd ns retrans-timer to set the interval for retransmitting an NS message.

Use undo ipv6 nd ns retrans-timer to restore the default.

Syntax

ipv6 nd ns retrans-timer value

undo ipv6 nd ns retrans-timer

Default

The local interface sends NS messages at an interval of 1000 milliseconds, and the Retrans Timer field in the RA messages sent is 0. The interval for retransmitting an NS message is determined by the receiving device.

Views

Interface view

Predefined user roles

network-admin

Parameters

value: Specifies the interval value in the range of 1000 to 4294967295 milliseconds.

Usage guidelines

If a device does not receive a response from the peer within the specified interval, the device resends an NS message. The device retransmits an NS message at the specified interval and uses the interval value to fill the Retrans Timer field in RA messages to be sent.

Examples

# Specify GigabitEthernet 1/0/1 to retransmit NS messages every 10000 milliseconds.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 nd ns retrans-timer 10000

Related commands

display ipv6 interface

ipv6 nd nud reachable-time

Use ipv6 nd nud reachable-time to set the neighbor reachable time on an interface.

Use undo ipv6 nd nud reachable-time to restore the default.

Syntax

ipv6 nd nud reachable-time time

undo ipv6 nd nud reachable-time

Default

The neighbor reachable time on the local interface is 30000 milliseconds, and the value of the Reachable Time field in RA messages is 0. The reachable time is determined by the receiving device.

Views

Interface view

Predefined user roles

network-admin

Parameters

time: Specifies the neighbor reachable time in the range of 1 to 3600000 milliseconds.

Usage guidelines

If the neighbor reachability detection shows that a neighbor is reachable, the device considers the neighbor reachable within the specified reachable time. If the device must send a packet to the neighbor after the specified reachable time expires, the device reconfirms whether the neighbor is reachable. The device sets the specified value as the neighbor reachable time on the local interface and uses the value to fill the Reachable Time field in RA messages to be sent.

Examples

# Set the neighbor reachable time on GigabitEthernet 1/0/1 to 10000 milliseconds.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 nd nud reachable-time 10000

Related commands

display ipv6 interface

ipv6 nd ra halt

Use ipv6 nd ra halt to suppress an interface from advertising RA messages.

Use undo ipv6 nd ra halt to disable this feature.

Syntax

ipv6 nd ra halt

undo ipv6 nd ra halt

Default

An interface is suppressed from sending RA messages.

Views

Interface view

Predefined user roles

network-admin

Examples

# Disable RA message suppression on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] undo ipv6 nd ra halt

ipv6 nd ra hop-limit unspecified

Use ipv6 nd ra hop-limit unspecified to specify unlimited hops in RA messages.

Use undo ipv6 nd ra hop-limit unspecified to restore the default.

Syntax

ipv6 nd ra hop-limit unspecified

undo ipv6 nd ra hop-limit unspecified

Default

The maximum number of hops in the RA messages is limited to 64.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

To set the maximum number of hops to a value other than the default setting, use the ipv6 hop-limit command.

Examples

# Specify unlimited hops in the RA messages on interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 nd ra hop-limit unspecified

Related commands

ipv6 hop-limit

ipv6 nd ra interval

Use ipv6 nd ra interval to set the maximum and minimum intervals for advertising RA messages.

Use undo ipv6 nd ra interval to restore the default.

Syntax

ipv6 nd ra interval max-interval min-interval

undo ipv6 nd ra interval

Default

The maximum interval between RA messages is 600 seconds, and the minimum interval is 200 seconds.

Views

Interface view

Predefined user roles

network-admin

Parameters

max-interval: Specifies the maximum interval value in seconds, in the range of 4 to 1800.

min-interval: Specifies the minimum interval value in the range of 3 seconds to three-fourths of the maximum interval.

Usage guidelines

The device advertises RA messages randomly between the maximum interval and the minimum interval.

The maximum interval for sending RA messages should be less than or equal to the router lifetime in RA messages.

Examples

# Set the maximum interval for advertising RA messages to 1000 seconds and the minimum interval to 700 seconds.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 nd ra interval 1000 700

Related commands

ipv6 nd ra router-lifetime

ipv6 nd ra no-advlinkmtu

Use ipv6 nd ra no-advlinkmtu to turn off the MTU option in RA messages.

Use undo ipv6 nd ra no-advlinkmtu to restore the default.

Syntax

ipv6 nd ra no-advlinkmtu

undo ipv6 nd ra no-advlinkmtu

Default

RA messages contain the MTU option.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

The MTU option in the RA messages specifies the link MTU to ensure that all nodes on the link use the same MTU.

Examples

# Turn off the MTU option in RA messages on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 nd ra no-advlinkmtu

ipv6 nd ra prefix

Use ipv6 nd ra prefix to configure the prefix information in RA messages.

Use undo ipv6 nd ra prefix to restore the default.

Syntax

ipv6 nd ra prefix { ipv6-prefix prefix-length | ipv6-prefix/prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig | off-link ] *

undo ipv6 nd ra prefix { ipv6-prefix | ipv6-prefix/prefix-length }

Default

No prefix information is configured for RA messages. Instead, the IPv6 address of the interface sending RA messages is used as the prefix information.

If the IPv6 address is manually configured, the prefix uses the fixed valid lifetime 2592000 seconds (30 days) and preferred lifetime 604800 seconds (7 days).

If the IPv6 address is automatically obtained (through DHCP, for example), the prefix uses the valid and preferred lifetime of the IPv6 address.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-prefix: Specifies the IPv6 prefix.

prefix-length: Specifies the prefix length of the IPv6 address.

valid-lifetime: Specifies the valid lifetime of a prefix, in the range of 0 to 4294967295 seconds.

preferred-lifetime: Specifies the preferred lifetime of a prefix used for stateless autoconfiguration, in the range of 0 to 4294967295 seconds. The preferred lifetime cannot be greater than the valid lifetime.

no-autoconfig: Specifies a prefix not to be used for stateless autoconfiguration. If you do not specify this keyword, the prefix is used for stateless autoconfiguration.

off-link: Indicates that the address with the prefix is not directly reachable on the link. If you do not specify this keyword, the address with the prefix is directly reachable on the link.

Usage guidelines

After hosts on the same link receive RA messages, they can use the prefix information in the RA messages for stateless autoconfiguration.

Examples

# Configure the prefix information in RA messages on GigabitEthernet 1/0/1.

Method 1:

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 nd ra prefix 2001:10::100/64 100 10

Method 2:

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 nd ra prefix 2001:10::100 64 100 10

ipv6 nd ra router-lifetime

Use ipv6 nd ra router-lifetime to set the router lifetime in RA messages.

Use undo ipv6 nd ra router-lifetime to restore the default.

Syntax

ipv6 nd ra router-lifetime time

undo ipv6 nd ra router-lifetime

Default

The router lifetime in RA messages is 1800 seconds.

Views

Interface view

Predefined user roles

network-admin

Parameters

time: Specifies the router lifetime in the range of 0 to 9000 seconds. If the value is set to 0, the router does not act as the default router.

Usage guidelines

The router lifetime in RA messages specifies how long the router sending the RA messages acts as the default router. Hosts receiving the RA messages check this value to determine whether to use the sending router as the default router. If the router lifetime is 0, the router cannot be used as the default router.

The router lifetime in RA messages must be greater than or equal to the advertising interval.

Examples

# Set the router lifetime in RA messages on GigabitEthernet 1/0/1 to 1000 seconds.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 nd ra router-lifetime 1000

Related commands

ipv6 nd ra interval
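
The following configuration check is an added example, not an H3C tool. It applies the constraints stated above for ipv6 nd ra interval, ipv6 nd ra prefix, and ipv6 nd ra router-lifetime to a saved configuration before it is deployed. The sample configuration and the function name are constructed; the exemption for a router lifetime of 0 follows RFC 4861 and is not stated on this page.

```python
import re

# Defaults stated on this page: max interval, min interval, router lifetime (seconds).
DEFAULT_MAX, DEFAULT_MIN, DEFAULT_LIFETIME = 600, 200, 1800

# Constructed sample in the style of a saved Comware configuration.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 ipv6 nd ra interval 1000 700
 ipv6 nd ra router-lifetime 1000
 ipv6 nd ra prefix 2001:10::100/64 100 10
#
interface GigabitEthernet1/0/2
 ipv6 nd ra interval 1000 800
 ipv6 nd ra router-lifetime 900
 ipv6 nd ra prefix 2001:20:: 64 100 200 no-autoconfig
#
interface GigabitEthernet1/0/3
 ipv6 nd ra router-lifetime 500
"""

PREFIX_RE = re.compile(
    r"ipv6 nd ra prefix (\S+?)(?:/| )(\d+) (\d+) (\d+)((?: (?:no-autoconfig|off-link))*)"
)


def audit_ra_config(config_text):
    """Return a list of (interface, finding) tuples for RA settings that
    violate the ranges and relationships documented for these commands."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"max": DEFAULT_MAX, "min": DEFAULT_MIN,
                                   "lifetime": DEFAULT_LIFETIME, "prefixes": []}
            continue
        if line == "#":                      # section separator ends the interface block
            current = None
            continue
        if current is None:
            continue
        cfg = interfaces[current]
        if m := re.fullmatch(r"ipv6 nd ra interval (\d+) (\d+)", line):
            cfg["max"], cfg["min"] = int(m.group(1)), int(m.group(2))
        elif m := re.fullmatch(r"ipv6 nd ra router-lifetime (\d+)", line):
            cfg["lifetime"] = int(m.group(1))
        elif m := PREFIX_RE.fullmatch(line):
            cfg["prefixes"].append((m.group(1), int(m.group(3)), int(m.group(4))))

    findings = []
    for name, cfg in interfaces.items():
        if not 4 <= cfg["max"] <= 1800:
            findings.append((name, f"max-interval {cfg['max']} outside 4..1800 s"))
        if not 3 <= cfg["min"] <= cfg["max"] * 3 / 4:
            findings.append((name, f"min-interval {cfg['min']} not within 3 s to 3/4 of max-interval"))
        if not 0 <= cfg["lifetime"] <= 9000:
            findings.append((name, f"router-lifetime {cfg['lifetime']} outside 0..9000 s"))
        elif cfg["lifetime"] != 0 and cfg["lifetime"] < cfg["max"]:
            # Lifetime 0 means "not a default router" and is exempt (RFC 4861).
            findings.append((name, f"router-lifetime {cfg['lifetime']} is shorter than max-interval {cfg['max']}"))
        for prefix, valid, preferred in cfg["prefixes"]:
            if preferred > valid:
                findings.append((name, f"prefix {prefix}: preferred-lifetime {preferred} exceeds valid-lifetime {valid}"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_ra_config(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

The third interface shows why defaults matter: a router lifetime of 500 seconds is within the documented range but is shorter than the default maximum advertising interval of 600 seconds.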

ipv6 nd route-direct advertise

Use ipv6 nd route-direct advertise to enable ND direct route advertisement.

Use undo ipv6 nd route-direct advertise to disable ND direct route advertisement.

Syntax

ipv6 nd route-direct advertise

undo ipv6 nd route-direct advertise

Default

The ND direct route advertisement feature is disabled.

Views

L3VE interface view

Predefined user roles

network-admin

Examples

# Enable ND direct route advertisement for L3VE interface VE-L3VPN 1.

<Sysname> system-view

[Sysname] interface ve-l3vpn 1

[Sysname-VE-L3VPN1] ipv6 nd route-direct advertise

ipv6 nd router-preference

Use ipv6 nd router-preference to set a router preference in RA messages.

Use undo ipv6 nd router-preference to restore the default.

Syntax

ipv6 nd router-preference { high | low | medium }

undo ipv6 nd router-preference

Default

The router preference is medium.

Views

Interface view

Predefined user roles

network-admin

Parameters

high: Sets the router preference to the highest setting.

low: Sets the router preference to the lowest setting.

medium: Sets the router preference to the medium setting.

Usage guidelines

A host selects a router with the highest preference as the default router.

When router preferences are the same in RA messages, a host selects the router corresponding to the first received RA message as the default gateway.

Examples

# Set the router preference in RA messages to the lowest on interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 nd router-preference low

ipv6 nd suppression enable

Use ipv6 nd suppression enable to enable IPv6 ND suppression.

Use undo ipv6 nd suppression enable to disable IPv6 ND suppression.

Syntax

ipv6 nd suppression enable

undo ipv6 nd suppression enable

Default

IPv6 ND suppression is disabled.

Views

Cross-connect view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                  Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK    Yes
MSR810-LMS/810-LUS                                                        No
MSR2600-6-X1/2600-10-X1                                                   Yes
MSR 2630                                                                  Yes
MSR3600-28/3600-51                                                        Yes
MSR3600-28-SI/3600-51-SI                                                  No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                            Yes
MSR 3610/3620/3620-DP/3640/3660                                           Yes
MSR5620/5660/5680                                                         Yes

Hardware                                                                  Command compatibility
MSR810-LM-GL                                                              Yes
MSR810-W-LM-GL                                                            Yes
MSR830-6EI-GL                                                             Yes
MSR830-10EI-GL                                                            Yes
MSR830-6HI-GL                                                             Yes
MSR830-10HI-GL                                                            Yes
MSR2600-6-X1-GL                                                           Yes
MSR3600-28-SI-GL                                                          No

 

You must enable L2VPN before you enter cross-connect view.

Examples

# Enable IPv6 ND suppression for cross-connect 2 in cross-connect group 1.

<Sysname> system-view

[Sysname] xconnect-group 1

[Sysname-xcg-1] connection 2

[Sysname-xcg-1-2] ipv6 nd suppression enable

Related commands

ipv6 nd suppression push interval

ipv6 nd suppression push interval

Use ipv6 nd suppression push interval to enable the ND suppression push feature and set a push interval.

Use undo ipv6 nd suppression push interval to disable the ND suppression push feature.

Syntax

ipv6 nd suppression push interval interval

undo ipv6 nd suppression push interval

Default

The ND suppression push feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the push interval value in the range of 1 to 1440 minutes.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                  Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK    Yes
MSR810-LMS/810-LUS                                                        No
MSR2600-6-X1/2600-10-X1                                                   Yes
MSR 2630                                                                  No
MSR3600-28/3600-51                                                        No
MSR3600-28-SI/3600-51-SI                                                  No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                            Yes
MSR 3610/3620/3620-DP/3640/3660                                           No
MSR5620/5660/5680                                                         Yes

Hardware                                                                  Command compatibility
MSR810-LM-GL                                                              Yes
MSR810-W-LM-GL                                                            Yes
MSR830-6EI-GL                                                             Yes
MSR830-10EI-GL                                                            Yes
MSR830-6HI-GL                                                             Yes
MSR830-10HI-GL                                                            Yes
MSR2600-6-X1-GL                                                           Yes
MSR3600-28-SI-GL                                                          No

 

The ND suppression push feature regularly pushes ND suppression entries by advertising NA messages.

Examples

# Enable the device to push ND suppression entries every 2 minutes.

<Sysname> system-view

[Sysname] ipv6 nd suppression push interval 2

Related commands

ipv6 nd suppression enable

ipv6 neighbor

Use ipv6 neighbor to configure a static neighbor entry.

Use undo ipv6 neighbor to delete a static neighbor entry.

Syntax

ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number | interface interface-type interface-number } [ vpn-instance vpn-instance-name ]

undo ipv6 neighbor ipv6-address interface-type interface-number

Default

No static neighbor entries exist.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of the static neighbor entry.

mac-address: Specifies the MAC address (48 bits) of the static neighbor entry, in the format of H-H-H.

vlan-id: Specifies the VLAN ID of the static neighbor entry, in the range of 1 to 4094.

port-type port-number: Specifies a Layer 2 port of the static neighbor entry by its type and number.

interface interface-type interface-number: Specifies a Layer 3 interface of the static neighbor entry by its type and number.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the static neighbor entry belongs. The VPN instance name is a case-sensitive string of 1 to 31 characters. If the static neighbor entry is for the public network, do not specify this option.

Usage guidelines

A neighbor entry stores information about a link-local node. The entry can be created dynamically through NS and NA messages, or configured statically.

The device uniquely identifies a static neighbor entry by using the neighbor's IPv6 address and the number of the Layer 3 interface that connects to the neighbor. You can configure a static neighbor entry by using either of the following methods:

·     Method 1—Associate a neighbor IPv6 address and link-layer address with the Layer 3 interface of the local node.

·     Method 2—Associate a neighbor IPv6 address and link-layer address with a Layer 2 port in a VLAN containing the local node.

You can use either of the previous configuration methods to configure a static neighbor entry for a VLAN interface.

·     If Method 1 is used, the neighbor entry is in INCMP state. After the device obtains the corresponding Layer 2 port information, the neighbor entry goes into REACH state.

·     If Method 2 is used, the port specified by port-type port-number must belong to the VLAN specified by vlan-id and the corresponding VLAN interface must already exist. After the static neighbor entry is configured, the device associates the VLAN interface with the IPv6 address to uniquely identify the static neighbor entry. The entry will be in REACH state.

To delete a static neighbor entry for a VLAN interface, specify only the corresponding VLAN interface.

Examples

# Configure a static neighbor entry for Layer 3 interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] ipv6 neighbor 2000::1 fe-e0-89 interface gigabitethernet 1/0/1

Related commands

display ipv6 neighbors

reset ipv6 neighbors

ipv6 neighbor link-local minimize

Use ipv6 neighbor link-local minimize to minimize link-local ND entries.

Use undo ipv6 neighbor link-local minimize to restore the default.

Syntax

ipv6 neighbor link-local minimize

undo ipv6 neighbor link-local minimize

Default

All ND entries are assigned to the driver.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use this command to minimize link-local ND entries assigned to the driver. Link-local ND entries refer to ND entries that contain link-local addresses.

By default, the device assigns all ND entries to the driver. With this feature enabled, the device does not add newly learned link-local ND entries whose link local addresses are not the next hop of any route to the driver. This saves driver resources.

This feature affects only newly learned link-local ND entries rather than existing ND entries.

Examples

# Minimize link-local ND entries.

<Sysname> system-view

[Sysname] ipv6 neighbor link-local minimize

ipv6 neighbor stale-aging

Use ipv6 neighbor stale-aging to set the aging timer for ND entries in stale state.

Use undo ipv6 neighbor stale-aging to restore the default.

Syntax

ipv6 neighbor stale-aging aging-time

undo ipv6 neighbor stale-aging

Default

The aging timer for ND entries in stale state is 240 minutes.

Views

System view

Predefined user roles

network-admin

Parameters

aging-time: Specifies the aging timer for ND entries in stale state, in the range of 1 to 1440 minutes.

Usage guidelines

This aging time applies to all ND entries in stale state. If an ND entry in stale state is not updated before the timer expires, it moves to the delay state. If it is still not updated in 5 seconds, the ND entry moves to the probe state. The device sends an NS message for detection a maximum of three times. If no response is received, the device deletes the ND entry.

Examples

# Set the aging timer for ND entries in stale state to 120 minutes.

<Sysname> system-view

[Sysname] ipv6 neighbor stale-aging 120

ipv6 neighbors max-learning-num

Use ipv6 neighbors max-learning-num to set the maximum number of dynamic neighbor entries that an interface can learn. This prevents the interface from occupying too many neighbor table resources.

Use undo ipv6 neighbors max-learning-num to restore the default.

Syntax

ipv6 neighbors max-learning-num max-number

undo ipv6 neighbors max-learning-num

Default

The following matrix shows the default values for the max-number argument:

 

Hardware                                                                  Default
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK    2048
MSR2600-6-X1/2600-10-X1                                                   2048
MSR 2630                                                                  2048
MSR3600-28/3600-51                                                        2048
MSR3600-28-SI/3600-51-SI                                                  2048
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                            4096
MSR 3610/3620/3620-DP/3640/3660                                           4096
MSR5620/5660/5680                                                         4096

Hardware                                                                  Default
MSR810-LM-GL                                                              2048
MSR810-W-LM-GL                                                            2048
MSR830-6EI-GL                                                             2048
MSR830-10EI-GL                                                            2048
MSR830-6HI-GL                                                             2048
MSR830-10HI-GL                                                            2048
MSR2600-6-X1-GL                                                           2048
MSR3600-28-SI-GL                                                          2048

 

Views

Layer 2/Layer 3 interface view

Layer 2/Layer 3 aggregate interface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of dynamic neighbor entries that an interface can learn.

The following matrix shows the value ranges for the max-number argument:

 

Hardware                                                                  Value range
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK    0 to 2048
MSR2600-6-X1/2600-10-X1                                                   0 to 2048
MSR 2630                                                                  0 to 2048
MSR3600-28/3600-51                                                        0 to 2048
MSR3600-28-SI/3600-51-SI                                                  0 to 2048
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                            0 to 4096
MSR 3610/3620/3620-DP/3640/3660                                           0 to 4096
MSR5620/5660/5680                                                         0 to 4096

 

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                  Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK    Yes
MSR810-LMS/810-LUS                                                        No
MSR2600-6-X1/2600-10-X1                                                   Yes
MSR 2630                                                                  Yes
MSR3600-28/3600-51                                                        Yes
MSR3600-28-SI/3600-51-SI                                                  Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                            Yes
MSR 3610/3620/3620-DP/3640/3660                                           Yes
MSR5620/5660/5680                                                         Yes

 

The device can dynamically acquire the link-layer address of a neighboring node through NS and NA messages and add it into the neighbor table.

When the number of dynamic neighbor entries reaches the threshold, the interface stops learning neighbor information.

Examples

# Set the maximum number of dynamic neighbor entries that GigabitEthernet 1/0/1 can learn to 10.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 neighbors max-learning-num 10

ipv6 pathmtu

Use ipv6 pathmtu to set a static Path MTU for an IPv6 address.

Use undo ipv6 pathmtu to delete the Path MTU configuration for an IPv6 address.

Syntax

ipv6 pathmtu [ vpn-instance vpn-instance-name ] ipv6-address value

undo ipv6 pathmtu [ vpn-instance vpn-instance-name ] ipv6-address

Default

No static Path MTU is set.

Views

System view

Predefined user roles

network-admin

Parameters

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the Path MTU belongs. The VPN instance name is a case-sensitive string of 1 to 31 characters. If the Path MTU is for the public network, do not specify this option.

ipv6-address: Specifies an IPv6 address.

value: Specifies the Path MTU of the specified IPv6 address, in the range of 1280 to 10240 bytes.

Usage guidelines

You can set a static Path MTU for a destination IPv6 address. When a source host sends a packet through an interface, it compares the interface MTU with the static Path MTU of the specified destination IPv6 address. If the packet size is larger than the smaller one of the two values, the host fragments the packet according to the smaller value.

Examples

# Set a static Path MTU for an IPv6 address.

<Sysname> system-view

[Sysname] ipv6 pathmtu fe80::12 1300

Related commands

display ipv6 pathmtu

reset ipv6 pathmtu

ipv6 pathmtu age

Use ipv6 pathmtu age to set the aging time for a dynamic Path MTU.

Use undo ipv6 pathmtu age to restore the default.

Syntax

ipv6 pathmtu age age-time

undo ipv6 pathmtu age

Default

The aging time for dynamic Path MTU is 10 minutes.

Views

System view

Predefined user roles

network-admin

Parameters

age-time: Specifies the aging time for Path MTU in minutes, in the range of 10 to 100.

Usage guidelines

After the path MTU from a source host to a destination host is dynamically determined, the source host sends subsequent packets to the destination host based on this MTU. After the aging time expires, the following events occur:

·     The dynamic Path MTU is removed.

·     The source host determines a dynamic path MTU through the Path MTU mechanism again.

The aging time is invalid for a static Path MTU.

Examples

# Set the aging time for a dynamic Path MTU to 40 minutes.

<Sysname> system-view

[Sysname] ipv6 pathmtu age 40

Related commands

display ipv6 pathmtu

ipv6 prefer temporary-address

Use ipv6 prefer temporary-address to enable the system to preferentially use the temporary IPv6 address of the sending interface as the source address of a packet.

Use undo ipv6 prefer temporary-address to disable the system from preferentially using the temporary IPv6 address of the sending interface as the source address of a packet.

Syntax

ipv6 prefer temporary-address

undo ipv6 prefer temporary-address

Default

The system does not preferentially use the temporary IPv6 address of the sending interface as the source address of a packet.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The temporary address feature enables the system to generate and preferentially use the temporary IPv6 address of the sending interface as the source address of a packet. If the temporary IPv6 address cannot be used because of a DAD conflict, the system uses the public IPv6 address.

Examples

# Enable the system to preferentially use the temporary IPv6 address of the sending interface as the source address of the packet.

<Sysname> system-view

[Sysname] ipv6 prefer temporary-address

Related commands

ipv6 address auto

ipv6 nd ra prefix

ipv6 temporary-address

ipv6 prefix

Use ipv6 prefix to configure a static IPv6 prefix.

Use undo ipv6 prefix to delete a static IPv6 prefix.

Syntax

ipv6 prefix prefix-number ipv6-prefix/prefix-length

undo ipv6 prefix prefix-number

Default

No static IPv6 prefixes exist.

Views

System view

Predefined user roles

network-admin

Parameters

prefix-number: Specifies a prefix ID in the range of 1 to 1024.

ipv6-prefix/prefix-length: Specifies a prefix and its length. The value range for the prefix-length argument is 1 to 128.

Usage guidelines

To modify an existing static prefix, execute the undo ipv6 prefix command to delete the existing static prefix, and then execute the ipv6 prefix command.

Dynamic IPv6 prefixes obtained from DHCPv6 servers cannot be manually removed or modified.

A static IPv6 prefix can have the same prefix ID as a dynamic IPv6 prefix, but the static one takes precedence over the dynamic one.

Examples

# Create static IPv6 prefix 2001:0410::/32 with prefix ID 1.

<Sysname> system-view

[Sysname] ipv6 prefix 1 2001:0410::/32

Related commands

display ipv6 prefix

ipv6 reassemble local enable

Use ipv6 reassemble local enable to enable IPv6 local fragment reassembly.

Use undo ipv6 reassemble local enable to disable IPv6 local fragment reassembly.

Syntax

ipv6 reassemble local enable

undo ipv6 reassemble local enable

Default

IPv6 local fragment reassembly is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Execute this command on a distributed device to improve IPv6 local fragment reassembly efficiency. This feature allows the receiving LPU to reassemble the fragments of an IPv6 packet if all fragments arrive at it. If this feature is disabled, all fragments are delivered to the active MPU for reassembly.

This feature applies only to fragments destined for the same LPU.

Examples

# Enable IPv6 local fragment reassembly.

<Sysname> system-view

[Sysname] ipv6 reassemble local enable

ipv6 redirects enable

Use ipv6 redirects enable to enable sending ICMPv6 redirect messages.

Use undo ipv6 redirects enable to disable sending ICMPv6 redirect messages.

Syntax

ipv6 redirects enable

undo ipv6 redirects enable

Default

Sending ICMPv6 redirect messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The default gateway sends an ICMPv6 redirect message to the source of an IPv6 packet to inform the source of a better first hop.

Sending ICMPv6 redirect messages enables hosts that hold few routes to establish routing tables and find the best route. Because this feature adds host routes into the routing tables, host performance degrades when there are too many host routes. As a result, sending ICMPv6 redirect messages is disabled by default.

Examples

# Enable sending ICMPv6 redirect messages.

<Sysname> system-view

[Sysname] ipv6 redirects enable

ipv6 router-renumber enable

Use ipv6 router-renumber enable to enable router renumbering on the interface.

Use undo ipv6 router-renumber enable to disable router renumbering on the interface.

Syntax

ipv6 router-renumber enable

undo ipv6 router-renumber enable

Default

Router renumbering is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

When a device receives a legitimate router renumbering message, it renumbers the prefixes and IP addresses of all Layer 3 interfaces that are enabled with the router renumbering feature.

Examples

# Enable router renumbering on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 router-renumber enable

ipv6 temporary-address

Use ipv6 temporary-address to enable the temporary IPv6 address feature.

Use undo ipv6 temporary-address to restore the default.

Syntax

ipv6 temporary-address [ valid-lifetime preferred-lifetime ]

undo ipv6 temporary-address

Default

The system does not generate any temporary IPv6 address.

Views

System view

Predefined user roles

network-admin

Parameters

valid-lifetime: Specifies the valid lifetime for temporary IPv6 addresses, in the range of 600 to 4294967295 seconds. The default valid lifetime is 604800 seconds (7 days).

preferred-lifetime: Specifies the preferred lifetime for temporary IPv6 addresses, in the range of 600 to 4294967295 seconds. The default preferred lifetime is 86400 seconds (1 day).

Usage guidelines

You must enable stateless autoconfiguration before enabling the temporary address feature.

The valid lifetime for temporary IPv6 addresses must be greater than or equal to the preferred lifetime for temporary IPv6 addresses.

In stateless address autoconfiguration, an interface automatically generates an IPv6 global unicast address by using the address prefix in the received RA message and the interface ID. On an IEEE 802 interface (such as an Ethernet interface or a VLAN interface), the interface ID is generated based on the interface's MAC address and is globally unique. An attacker can exploit this rule to easily identify the sending device.

To fix the vulnerability, you can enable the temporary address feature. With this feature enabled, an IEEE 802 interface generates the following addresses:

·     Public IPv6 address—Includes an address prefix in the RA message and a fixed interface ID generated based on the interface's MAC address.

·     Temporary IPv6 address—Includes an address prefix in the RA message and a random interface ID generated through MD5.

When the valid lifetime of a temporary IPv6 address expires, the system deletes the address and generates a new one. This enables the system to send packets with different source addresses through the same interface. The preferred lifetime and valid lifetime for a temporary IPv6 address are determined as follows:

·     The preferred lifetime of a temporary IPv6 address takes the smaller of the following values:

¡     The preferred lifetime of the address prefix in the RA message.

¡     The preferred lifetime configured for temporary IPv6 addresses minus DESYNC_FACTOR (a random number in the range of 0 to 600 seconds).

·     The valid lifetime of a temporary IPv6 address takes the smaller of the following values:

¡     The valid lifetime of the address prefix.

¡     The valid lifetime configured for temporary IPv6 addresses.

Examples

# Enable the system to generate a temporary IPv6 address.

<Sysname> system-view

[Sysname] ipv6 temporary-address

Related commands

ipv6 address auto

ipv6 nd ra prefix

ipv6 prefer temporary-address
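
The following Python sketch is an added example, not H3C code, that works through the ipv6 temporary-address usage guidelines: it builds the MAC-derived interface ID of a public address, shows that the MAC can be read back from such an address but not from a random one, and computes the effective temporary-address lifetimes. The interface ID construction follows RFC 4291; the MAC, prefix, RA lifetimes, and function names are constructed for illustration.

```python
import ipaddress

# Limits and defaults stated on this page for `ipv6 temporary-address`.
LIFETIME_MIN, LIFETIME_MAX = 600, 4294967295
DEFAULT_VALID, DEFAULT_PREFERRED = 604800, 86400   # 7 days, 1 day
DESYNC_MAX = 600                                    # DESYNC_FACTOR is 0..600 s


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) for a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Invert the universal/local bit, then insert ff:fe between the two halves.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def public_address(ra_prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Public address: RA prefix plus the fixed, MAC-derived interface ID."""
    net = ipaddress.IPv6Network(ra_prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_mac(address: str):
    """Return the MAC readable from an address, or None.

    Heuristic: an interface ID whose fourth and fifth bytes are ff:fe has the
    EUI-64 shape. A random temporary interface ID matches only by chance
    (1 in 65536).
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def temporary_lifetimes(ra_preferred, ra_valid, desync_factor,
                        cfg_valid=DEFAULT_VALID, cfg_preferred=DEFAULT_PREFERRED):
    """Effective (preferred, valid) lifetimes in seconds, per the page's rules."""
    for name, value in (("valid-lifetime", cfg_valid),
                        ("preferred-lifetime", cfg_preferred)):
        if not LIFETIME_MIN <= value <= LIFETIME_MAX:
            raise ValueError(f"{name} {value} is outside {LIFETIME_MIN}..{LIFETIME_MAX}")
    if cfg_valid < cfg_preferred:
        raise ValueError("valid-lifetime must be >= preferred-lifetime")
    if not 0 <= desync_factor <= DESYNC_MAX:
        raise ValueError("DESYNC_FACTOR must be in 0..600 seconds")
    # Each lifetime is the smaller of the RA prefix value and the configured one.
    preferred = min(ra_preferred, cfg_preferred - desync_factor)
    valid = min(ra_valid, cfg_valid)
    return preferred, valid


if __name__ == "__main__":
    mac = "00e0-fc00-5552"                             # constructed sample MAC
    addr = public_address("2001:db8:1:2::/64", mac)    # documentation prefix
    print("public address :", addr)
    print("MAC read back  :", embedded_mac(str(addr)))
    print("random IID     :", embedded_mac("2001:db8:1:2:5c3a:91d7:be4:a26f"))
    print("lifetimes      :", temporary_lifetimes(604800, 2592000, desync_factor=300))
```
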

ipv6 unreachables enable

Use ipv6 unreachables enable to enable sending ICMPv6 destination unreachable messages.

Use undo ipv6 unreachables enable to disable sending ICMPv6 destination unreachable messages.

Syntax

ipv6 unreachables enable

undo ipv6 unreachables enable

Default

Sending ICMPv6 destination unreachable messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

If the device fails to forward a received IPv6 packet because of a destination unreachable error, it performs the following operations:

·     Drops the packet.

·     Sends an ICMPv6 destination unreachable message to the source.

If the device is generating ICMPv6 destination unreachable messages incorrectly, disable sending ICMPv6 destination unreachable messages to prevent attack risks.

Examples

# Enable sending ICMPv6 destination unreachable messages.

<Sysname> system-view

[Sysname] ipv6 unreachables enable

local-proxy-nd enable

Use local-proxy-nd enable to enable local ND proxy.

Use undo local-proxy-nd enable to disable local ND proxy.

Syntax

local-proxy-nd enable

undo local-proxy-nd enable

Default

Local ND proxy is disabled.

Views

VLAN interface view

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Predefined user roles

network-admin

Examples

# Enable local ND proxy on interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] local-proxy-nd enable

Related commands

proxy-nd enable

proxy-nd enable

Use proxy-nd enable to enable common ND proxy.

Use undo proxy-nd enable to disable common ND proxy.

Syntax

proxy-nd enable

undo proxy-nd enable

Default

Common ND proxy is disabled.

Views

VLAN interface view

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Predefined user roles

network-admin

Examples

# Enable common ND proxy on interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] proxy-nd enable

Related commands

local-proxy-nd enable

reset ipv6 nd suppression xconnect-group

Use reset ipv6 nd suppression xconnect-group to clear ND suppression entries.

Syntax

reset ipv6 nd suppression xconnect-group [ name group-name ]

Views

User view

Predefined user roles

network-admin

Parameters

name group-name: Specifies a cross-connect group by its name, a case-sensitive string of 1 to 31 characters excluding hyphens (-).

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware: Command compatibility

MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK: Yes

MSR810-LMS/810-LUS: No

MSR2600-6-X1/2600-10-X1: Yes

MSR 2630: No

MSR3600-28/3600-51: No

MSR3600-28-SI/3600-51-SI: No

MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC: Yes

MSR 3610/3620/3620-DP/3640/3660: No

MSR5620/5660/5680: Yes

Hardware: Command compatibility

MSR810-LM-GL: Yes

MSR810-W-LM-GL: Yes

MSR830-6EI-GL: Yes

MSR830-10EI-GL: Yes

MSR830-6HI-GL: Yes

MSR830-10HI-GL: Yes

MSR2600-6-X1-GL: Yes

MSR3600-28-SI-GL: Yes

Examples

# Clear ND suppression entries on the device.

<Sysname> reset ipv6 nd suppression xconnect-group

Related commands

display ipv6 nd suppression xconnect-group

reset ipv6 neighbors

Use reset ipv6 neighbors to clear IPv6 neighbor information.

Syntax

Centralized devices in standalone mode:

reset ipv6 neighbors { all | dynamic | interface interface-type interface-number | static }

Distributed devices in standalone mode/centralized devices in IRF mode:

reset ipv6 neighbors { all | dynamic | interface interface-type interface-number | slot slot-number | static }

Distributed devices in IRF mode:

reset ipv6 neighbors { all | dynamic | interface interface-type interface-number | chassis chassis-number slot slot-number | static }

Views

User view

Predefined user roles

network-admin

Parameters

all: Clears static and dynamic neighbor information for all interfaces.

dynamic: Clears dynamic neighbor information for all interfaces.

interface interface-type interface-number: Clears dynamic neighbor information for the interface specified by its type and number.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears dynamic neighbor information for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears dynamic neighbor information for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears dynamic neighbor information for all cards. (Distributed devices in IRF mode.)

static: Clears static neighbor information for all interfaces.

Usage guidelines

You can use the display ipv6 neighbors command to display IPv6 neighbor information.

Examples

# Clear neighbor information for all interfaces.

<Sysname> reset ipv6 neighbors all

This will delete all the entries. Continue? [Y/N]:Y

# Clear dynamic neighbor information for all interfaces.

<Sysname> reset ipv6 neighbors dynamic

This will delete all the dynamic entries. Continue? [Y/N]:Y

# Clear all neighbor information for GigabitEthernet 1/0/1.

<Sysname> reset ipv6 neighbors interface gigabitethernet 1/0/1

This will delete all the dynamic entries by the interface you specified. Continue? [Y/N]:Y

Related commands

display ipv6 neighbors

ipv6 neighbor

reset ipv6 pathmtu

Use reset ipv6 pathmtu to clear the Path MTU information.

Syntax

reset ipv6 pathmtu { all | dynamic | static }

Views

User view

Predefined user roles

network-admin

Parameters

all: Clears all Path MTUs.

dynamic: Clears all dynamic Path MTUs.

static: Clears all static Path MTUs.

Examples

# Clear all Path MTUs.

<Sysname> reset ipv6 pathmtu all

Related commands

display ipv6 pathmtu

reset ipv6 router-renumber statistics

Use reset ipv6 router-renumber statistics to clear router renumbering statistics.

Syntax

reset ipv6 router-renumber statistics

Views

User view

Predefined user roles

network-admin

Usage guidelines

This command does not clear the sequence number, the reset sequence number, or the segment number.

Examples

# Clear router renumbering statistics.

<Sysname> reset ipv6 router-renumber statistics

Related commands

display ipv6 router-renumber statistics

reset ipv6 statistics

Use reset ipv6 statistics to clear IPv6 and ICMPv6 packet statistics.

Syntax

Centralized devices in standalone mode:

reset ipv6 statistics

Distributed devices in standalone mode/centralized devices in IRF mode:

reset ipv6 statistics [ slot slot-number ]

Distributed devices in IRF mode:

reset ipv6 statistics [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears IPv6 and ICMPv6 packet statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears IPv6 and ICMPv6 packet statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears IPv6 and ICMPv6 packet statistics for all cards. (Distributed devices in IRF mode.)

Examples

# Clear IPv6 and ICMPv6 packet statistics.

<Sysname> reset ipv6 statistics

Related commands

display ipv6 statistics


DHCPv6 commands

DHCPv6 features are not supported on the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR3600-28-SI/3600-51-SI.

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

·     MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

Common DHCPv6 commands

display ipv6 dhcp duid

Use display ipv6 dhcp duid to display the DUID of the local device.

Syntax

display ipv6 dhcp duid

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

A DHCP unique identifier (DUID) uniquely identifies a DHCPv6 device (DHCPv6 client, server, or relay agent). A DHCPv6 device adds its DUID to the packets it sends.

This command displays output only after the DHCPv6 process is running on the device.

Examples

# Display the DUID of the local device.

<Sysname> display ipv6 dhcp duid

The DUID of this device: 0003000100e0fc005552.
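
The following Python sketch is an added example, not H3C code, that decodes DUID strings such as the one in the sample output above, which helps when reviewing static bindings or logs for identifiers that embed a MAC address. The field layout is taken from RFC 8415 (and RFC 6355 for the UUID type), not from this page; the function names and the DUID-LLT and DUID-EN inputs in the tests are constructed.

```python
import uuid
from datetime import datetime, timedelta, timezone

DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)   # time base for DUID-LLT
MAX_DUID_BYTES = 130   # 2-byte type code plus at most 128 bytes (RFC 8415)


def _colon_hex(data: bytes) -> str:
    return ":".join(f"{b:02x}" for b in data)


def parse_duid(text: str) -> dict:
    """Decode a DUID printed as a hex string into its RFC 8415 fields."""
    # Tolerate the trailing period of the CLI output and common separators.
    cleaned = text.strip().rstrip(".").replace("-", "").replace(":", "")
    raw = bytes.fromhex(cleaned)
    if not 3 <= len(raw) <= MAX_DUID_BYTES:
        raise ValueError(f"DUID length {len(raw)} is outside 3..{MAX_DUID_BYTES} bytes")
    duid_type, body = int.from_bytes(raw[:2], "big"), raw[2:]

    if duid_type == 1:   # DUID-LLT: hardware type, time, link-layer address
        if len(body) < 7:
            raise ValueError("truncated DUID-LLT")
        seconds = int.from_bytes(body[2:6], "big")
        return {"type": "DUID-LLT",
                "hardware_type": int.from_bytes(body[:2], "big"),
                "time": DUID_EPOCH + timedelta(seconds=seconds),
                "link_layer": _colon_hex(body[6:])}
    if duid_type == 2:   # DUID-EN: enterprise number, vendor-assigned identifier
        if len(body) < 5:
            raise ValueError("truncated DUID-EN")
        return {"type": "DUID-EN",
                "enterprise": int.from_bytes(body[:4], "big"),
                "identifier": body[4:].hex()}
    if duid_type == 3:   # DUID-LL: hardware type, link-layer address
        if len(body) < 3:
            raise ValueError("truncated DUID-LL")
        return {"type": "DUID-LL",
                "hardware_type": int.from_bytes(body[:2], "big"),
                "link_layer": _colon_hex(body[2:])}
    if duid_type == 4:   # DUID-UUID: 128-bit UUID
        if len(body) != 16:
            raise ValueError("DUID-UUID must carry exactly 16 bytes")
        return {"type": "DUID-UUID", "uuid": str(uuid.UUID(bytes=body))}
    return {"type": f"unknown ({duid_type})", "data": body.hex()}


def exposed_mac(text: str):
    """MAC address a DUID reveals, or None.

    Only DUID-LL and DUID-LLT with hardware type 1 (Ethernet) carry one.
    """
    info = parse_duid(text)
    if info.get("hardware_type") == 1 and len(info["link_layer"]) == 17:
        return info["link_layer"]
    return None


if __name__ == "__main__":
    # DUID strings as printed in this page's sample outputs.
    for sample in ("0003000100e0fc005552.", "0003000100e0fc000001",
                   "0003000100e0fc00cff1"):
        print(sample, "->", parse_duid(sample), "MAC:", exposed_mac(sample))
```
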

ipv6 dhcp dscp

Use ipv6 dhcp dscp to set the DSCP value for the DHCPv6 packets sent by the DHCPv6 server or the DHCPv6 relay agent.

Use undo ipv6 dhcp dscp to restore the default.

Syntax

ipv6 dhcp dscp dscp-value

undo ipv6 dhcp dscp

Default

The DSCP value is 56 in DHCPv6 packets sent by the DHCPv6 server or the DHCPv6 relay agent.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Specifies the DSCP value for DHCPv6 packets, in the range of 0 to 63.

Usage guidelines

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A larger DSCP value represents a higher priority.

Examples

# Set the DSCP value to 30 for DHCPv6 packets sent by the DHCPv6 server or the DHCPv6 relay agent.

<Sysname> system-view

[Sysname] ipv6 dhcp dscp 30

ipv6 dhcp log enable

Use ipv6 dhcp log enable to enable DHCPv6 server logging.

Use undo ipv6 dhcp log enable to disable DHCPv6 server logging.

Syntax

ipv6 dhcp log enable

undo ipv6 dhcp log enable

Default

DHCPv6 server logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the DHCPv6 server to generate DHCPv6 logs and send them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

As a best practice, disable this feature if the log generation affects the device performance or reduces the address and prefix allocation efficiency. For example, this situation might occur when a large number of clients frequently come online or go offline.

Examples

# Enable DHCPv6 server logging.

<Sysname> system-view

[Sysname] ipv6 dhcp log enable

ipv6 dhcp select

Use ipv6 dhcp select to enable the DHCPv6 server or DHCPv6 relay agent on an interface.

Use undo ipv6 dhcp select to restore the default.

Syntax

ipv6 dhcp select { relay | server }

undo ipv6 dhcp select

Default

An interface does not work in the DHCPv6 server mode or in the DHCPv6 relay agent mode. It discards DHCPv6 packets from DHCPv6 clients.

Views

Interface view

Predefined user roles

network-admin

Parameters

relay: Enables the DHCPv6 relay agent on the interface.

server: Enables the DHCPv6 server on the interface.

Usage guidelines

Before changing the DHCPv6 server mode to the DHCPv6 relay agent mode on an interface, use the following commands to remove IPv6 address/prefix bindings:

·     reset ipv6 dhcp server ip-in-use

·     reset ipv6 dhcp server pd-in-use

Do not configure the DHCPv6 client on the interface that has been configured as the DHCPv6 relay agent or DHCPv6 server.

Examples

# Enable the DHCPv6 server on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp select server

Related commands

display ipv6 dhcp relay server-address

display ipv6 dhcp server

DHCPv6 server commands

address range

Use address range to specify a non-temporary IPv6 address range in a DHCPv6 address pool for dynamic allocation.

Use undo address range to restore the default.

Syntax

address range start-ipv6-address end-ipv6-address [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

undo address range

Default

No non-temporary IPv6 address range exists.

Views

DHCPv6 address pool view

Predefined user roles

network-admin

Parameters

start-ipv6-address: Specifies the start IPv6 address.

end-ipv6-address: Specifies the end IPv6 address.

preferred-lifetime preferred-lifetime: Specifies the preferred lifetime for the non-temporary IPv6 addresses. The value range is 60 to 4294967295 seconds, and the default is 604800 seconds (7 days).

valid-lifetime valid-lifetime: Specifies the valid lifetime for the non-temporary IPv6 addresses. The value range is 60 to 4294967295 seconds, and the default is 2592000 seconds (30 days). The valid lifetime cannot be shorter than the preferred lifetime.

Usage guidelines

If you do not specify a non-temporary IPv6 address range, all unicast addresses on the subnet specified by the network command in address pool view are assignable. If you specify a non-temporary IPv6 address range, only the IPv6 addresses in the specified IPv6 address range are assignable.

You can specify only one non-temporary IPv6 address range in an address pool. If you execute this command multiple times, the most recent configuration takes effect.

The non-temporary IPv6 address range specified by the address range command must be on the subnet specified by the network command.

Examples

# Configure a non-temporary IPv6 address range from 3ffe:501:ffff:100::10 through 3ffe:501:ffff:100::31 in address pool 1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] network 3ffe:501:ffff:100::/64

[Sysname-dhcp6-pool-1] address range 3ffe:501:ffff:100::10 3ffe:501:ffff:100::31

Related commands

display ipv6 dhcp pool

network

temporary address range
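
The following Python sketch is an added example, not H3C code, of a pre-deployment check for the address range constraints described above: the range must be on the pool's subnet, both lifetimes must be in range, and the valid lifetime cannot be shorter than the preferred lifetime. The function names are hypothetical, and the start-not-above-end check is an assumed sanity check that this page does not state.

```python
import ipaddress

# Limits and defaults stated on this page for `address range`.
LIFETIME_MIN, LIFETIME_MAX = 60, 4294967295
DEFAULT_PREFERRED, DEFAULT_VALID = 604800, 2592000   # 7 days, 30 days


def check_address_range(network, start, end,
                        preferred=DEFAULT_PREFERRED, valid=DEFAULT_VALID):
    """Validate one pool's `network` and `address range` values.

    Returns (address_count, problems). problems is empty when the values
    satisfy every constraint checked here.
    """
    problems = []
    net = ipaddress.IPv6Network(network)   # raises ValueError if host bits are set
    first = ipaddress.IPv6Address(start)
    last = ipaddress.IPv6Address(end)

    # The range must be on the subnet specified by the network command.
    for label, addr in (("start", first), ("end", last)):
        if addr not in net:
            problems.append(f"{label} address {addr} is not on subnet {net}")
    # Assumed sanity check (not stated on the page): start must not exceed end.
    if first > last:
        problems.append(f"start address {first} is higher than end address {last}")

    for label, value in (("preferred-lifetime", preferred),
                         ("valid-lifetime", valid)):
        if not LIFETIME_MIN <= value <= LIFETIME_MAX:
            problems.append(f"{label} {value} is outside {LIFETIME_MIN}..{LIFETIME_MAX}")
    if valid < preferred:
        problems.append("valid-lifetime is shorter than preferred-lifetime")

    count = int(last) - int(first) + 1 if first <= last else 0
    return count, problems


def render_pool_commands(pool_name, network, start, end,
                         preferred=DEFAULT_PREFERRED, valid=DEFAULT_VALID):
    """Return the pool's command lines, refusing values that fail the checks."""
    _, problems = check_address_range(network, start, end, preferred, valid)
    if problems:
        raise ValueError("; ".join(problems))
    line = f"address range {ipaddress.IPv6Address(start)} {ipaddress.IPv6Address(end)}"
    # The lifetime keywords are optional; emit them only for non-default values.
    if (preferred, valid) != (DEFAULT_PREFERRED, DEFAULT_VALID):
        line += f" preferred-lifetime {preferred} valid-lifetime {valid}"
    return [f"ipv6 dhcp pool {pool_name}",
            f"network {ipaddress.IPv6Network(network)}",
            line]


if __name__ == "__main__":
    subnet = "3ffe:501:ffff:100::/64"
    # Values from the example above: 34 addresses, no problems.
    print(check_address_range(subnet, "3ffe:501:ffff:100::10", "3ffe:501:ffff:100::31"))
    # Constructed mistake: the end address is on a different /64.
    print(check_address_range(subnet, "3ffe:501:ffff:100::10", "3ffe:501:ffff:101::31"))
    print("\n".join(render_pool_commands("1", subnet, "3ffe:501:ffff:100::10",
                                         "3ffe:501:ffff:100::31")))
```

The same count arithmetic reproduces the totals of 153 and 17 addresses in the display ipv6 dhcp pool sample output on this page.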

class pool

Use class pool to specify a DHCPv6 address pool for a DHCPv6 user class.

Use undo class pool to restore the default.

Syntax

class class-name pool pool-name

undo class class-name pool

Default

No DHCPv6 address pool is specified for a DHCPv6 user class.

Views

DHCPv6 policy view

Predefined user roles

network-admin

Parameters

class-name: Specifies a DHCPv6 user class by its name, a case-insensitive string of 1 to 63 characters.

pool-name: Specifies a DHCPv6 address pool by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can specify only one DHCPv6 address pool for a DHCPv6 user class in a DHCPv6 policy. If you execute this command multiple times for a user class, the most recent configuration takes effect.

Examples

# Specify DHCPv6 address pool pool1 for DHCPv6 user class test in DHCPv6 policy 1.

<Sysname> system-view

[Sysname] ipv6 dhcp policy 1

[Sysname-dhcp6-policy-1] class test pool pool1

Related commands

default pool

ipv6 dhcp policy

ipv6 dhcp pool

default pool

Use default pool to specify the default DHCPv6 address pool.

Use undo default pool to restore the default.

Syntax

default pool pool-name

undo default pool

Default

No default DHCPv6 address pool is specified.

Views

DHCPv6 policy view

Predefined user roles

network-admin

Parameters

pool-name: Specifies a DHCPv6 address pool by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

In a DHCPv6 policy, the DHCPv6 server uses the default address pool to assign an IPv6 address, an IPv6 prefix, or other parameters to clients that do not match any user class.

You can specify only one default address pool in a DHCPv6 policy. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify DHCPv6 address pool pool1 as the default DHCPv6 address pool in DHCPv6 policy 1.

<Sysname> system-view

[Sysname] ipv6 dhcp policy 1

[Sysname-dhcp6-policy-1] default pool pool1

Related commands

class pool

ipv6 dhcp policy

display ipv6 dhcp option-group

Use display ipv6 dhcp option-group to display information about a DHCPv6 option group.

Syntax

display ipv6 dhcp option-group [ option-group-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

option-group-number: Specifies a static or dynamic DHCPv6 option group by its ID. The value range for the option group ID is 1 to 100. If you do not specify an option group, this command displays information about all DHCPv6 option groups.

Usage guidelines

A static DHCPv6 option group is created by using the ipv6 dhcp option-group command.

A dynamic DHCPv6 option group is created automatically by a DHCPv6 client after it obtains the DHCPv6 configuration parameters. Dynamic option groups cannot be manually modified or removed.

Examples

# Display information about all DHCPv6 option groups.

<Sysname> display ipv6 dhcp option-group

DHCPv6 option group: 1

  DNS server addresses:

    Type: Static

    Interface: N/A

    1::1

  DNS server addresses:

    Type: Dynamic (DHCPv6 address allocation)

    Interface: GigabitEthernet1/0/1

    1::1

  Domain name:

    Type: Static

    Interface: N/A

    aaa.com

  Domain name:

    Type: Dynamic (DHCPv6 address allocation)

    Interface: GigabitEthernet1/0/1

    aaa.com

  Options:

    Code: 23

      Type: Dynamic (DHCPv6 prefix allocation)

      Interface: GigabitEthernet1/0/1

      Length: 2 bytes

      Hex: ABCD

DHCPv6 option group: 20

  DNS server addresses:

    Type: Static

    Interface: N/A

    1::1

  DNS server addresses:

    Type: Dynamic (DHCPv6 address allocation)

    Interface: GigabitEthernet1/0/1

    1::1

  Domain name:

    Type: Static

    Interface: N/A

    aaa.com

  Domain name:

    Type: Dynamic (DHCPv6 address allocation)

    Interface: GigabitEthernet1/0/1

    aaa.com

  Options:

    Code: 23

      Type: Dynamic (DHCPv6 prefix allocation)

      Interface: GigabitEthernet1/0/1

      Length: 2 bytes

      Hex: ABCD

Table 82 Command output

Field: Description

DHCPv6 option group: ID of the DHCPv6 option group.

Type: Types of the DHCPv6 option:

·     Static—Parameter in a static DHCPv6 option group.

·     Dynamic (DHCPv6 address allocation)—Parameter in a dynamic DHCPv6 option group created during IPv6 address acquisition.

·     Dynamic (DHCPv6 prefix allocation)—Parameters in a dynamic DHCPv6 option group created during IPv6 prefix acquisition.

·     Dynamic (DHCPv6 address and prefix allocation)—Parameters in a dynamic DHCPv6 option group created during IPv6 address and prefix acquisition.

Interface: Interface name.

DNS server addresses: IPv6 address of the DNS server.

Domain name: Domain name suffix.

SIP server addresses: IPv6 address of the SIP server.

SIP server domain names: Domain name of the SIP server.

Options: Self-defined options.

Code: Code of the self-defined option.

Length: Self-defined option length in bytes.

Hex: Self-defined option content represented by a hexadecimal string.

Related commands

ipv6 dhcp option-group

display ipv6 dhcp pool

Use display ipv6 dhcp pool to display information about a DHCPv6 address pool.

Syntax

display ipv6 dhcp pool [ pool-name | vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pool-name: Displays information about the specified DHCPv6 address pool. The pool name is a case-insensitive string of 1 to 63 characters. If you do not specify a DHCPv6 address pool, this command displays information about all DHCPv6 address pools.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To display information about DHCPv6 address pools for the public network, do not specify this option.

Examples

# Display information about DHCPv6 address pool 1.

<Sysname> display ipv6 dhcp pool 1

DHCPv6 pool: 1

  Network: 3FFE:501:FFFF:100::/64

    Preferred lifetime 604800, valid lifetime 2592000

  Prefix pool: 1

    Preferred lifetime 24000, valid lifetime 36000

  Addresses:

    Range: from 3FFE:501:FFFF:100::1

           to 3FFE:501:FFFF:100::99

    Preferred lifetime 70480, valid lifetime 200000

    Total address number: 153

    Available: 153

    In-use: 0

  Temporary addresses:

    Range: from 3FFE:501:FFFF:100::200

           to 3FFE:501:FFFF:100::210

    Preferred lifetime 60480, valid lifetime 259200

    Total address number: 17

    Available: 17

    In-use: 0

  Static bindings:

    DUID: 0003000100e0fc000001

    IAID: 0000003f

    Prefix: 3FFE:501:FFFF:200::/64

      Preferred lifetime 604800, valid lifetime 2592000

    DUID: 0003000100e0fc00cff1

    IAID: 00000001

    Address: 3FFE:501:FFFF:2001::1/64

      Preferred lifetime 604800, valid lifetime 2592000

  DNS server addresses:

    2::2

  Domain name:

    aaa.com

  SIP server addresses:

    5::1

  SIP server domain names:

    bbb.com     

# Display information about DHCPv6 address pool 1.

<Sysname> display ipv6 dhcp pool 1

DHCPv6 pool: 1

  Network: Not-available

    Preferred lifetime 604800, valid lifetime 2592000

# Display information about DHCPv6 address pool 1.

<Sysname> display ipv6 dhcp pool 1

DHCPv6 pool: 1

  Network: 1::/64(Zombie)

    Preferred lifetime 604800, valid lifetime 2592000

Table 83 Command output

Field: Description

DHCPv6 pool: Name of the DHCPv6 address pool.

Network: IPv6 subnet for dynamic IPv6 address allocation. If the subnet prefix is ineffective, this field displays Not-available. If the subnet prefix becomes ineffective after a configuration recovery (for example, a switchover from the backup to the master), the prefix is marked (Zombie).

Prefix pool: Prefix pool referenced by the address pool.

Preferred lifetime: Preferred lifetime in seconds.

valid lifetime: Valid lifetime in seconds.

Addresses: Non-temporary IPv6 address range.

Range: IPv6 address range for dynamic allocation.

Total address number: Total number of IPv6 addresses.

Available: Total number of available IPv6 addresses.

In-use: Total number of assigned IPv6 addresses.

Temporary addresses: Temporary IPv6 address range for dynamic allocation.

Static bindings: Static bindings configured in the address pool.

DUID: Client DUID.

IAID: Client IAID. If no IAID is configured, this field displays Not configured.

Prefix: IPv6 address prefix.

Address: Static IPv6 address.

DNS server addresses: DNS server address.

Domain name: Domain name.

SIP server addresses: SIP server address.

SIP server domain names: Domain name of the SIP server.

display ipv6 dhcp prefix-pool

Use display ipv6 dhcp prefix-pool to display information about a prefix pool.

Syntax

display ipv6 dhcp prefix-pool [ prefix-pool-number ] [ vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

prefix-pool-number: Displays detailed information about a prefix pool specified by its number in the range of 1 to 128. If you do not specify a prefix pool, this command displays brief information about all prefix pools.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To display information about prefix pools for the public network, do not specify this option.

Examples

# Display brief information about all prefix pools.

<Sysname> display ipv6 dhcp prefix-pool

Prefix-pool Prefix                                      Available In-use Static

1           5::/64                                      64        0      0

# Display brief information about all prefix pools.

<Sysname> display ipv6 dhcp prefix-pool

Prefix-pool Prefix                                      Available In-use Static

2           Not-available                               0         0      0

# Display brief information about all prefix pools.

<Sysname> display ipv6 dhcp prefix-pool

Prefix-pool Prefix                                      Available In-use Static

11          21::/112(Zombie)                            0         64     0

# Display detailed information about prefix pool 1.

<Sysname> display ipv6 dhcp prefix-pool 1

Prefix: 5::/64

Assigned length: 70

Total prefix number: 64

Available: 64

In-use: 0

Static: 0

# Display detailed information about prefix pool 1.

<Sysname> display ipv6 dhcp prefix-pool 1

Prefix: Not-available

Assigned length: 70

Total prefix number: 0

Available: 0

In-use: 0

Static: 0

# Display detailed information about prefix pool 1.

<Sysname> display ipv6 dhcp prefix-pool 1

Prefix: 5::/64(Zombie)

Assigned length: 70

Total prefix number: 10

Available: 0

In-use: 10

Static: 0

Table 84 Command output

Field: Description

Prefix-pool: Prefix pool number.

Prefix: Prefix specified in the prefix pool. If the prefix is ineffective, this field displays Not-available. If the prefix becomes ineffective after a configuration recovery (for example, a switchover from the backup to the master), the prefix is marked (Zombie).

Available: Number of available prefixes.

In-use: Number of assigned prefixes.

Static: Number of statically bound prefixes.

Assigned length: Length of assigned prefixes.

Total prefix number: Number of prefixes.

 

display ipv6 dhcp server

Use display ipv6 dhcp server to display DHCPv6 server configuration information.

Syntax

display ipv6 dhcp server [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Displays DHCPv6 server configuration information for the specified interface. If you do not specify an interface, this command displays DHCPv6 server configuration information for all interfaces.

Examples

# Display DHCPv6 server configuration information for all interfaces.

<Sysname> display ipv6 dhcp server

Interface             Pool

GigabitEthernet1/0/1  1

GigabitEthernet1/0/2  global

# Display DHCPv6 server configuration information for the interface GigabitEthernet 1/0/1.

<Sysname> display ipv6 dhcp server interface gigabitethernet 1/0/1

Using pool: 1

Preference value: 0

Allow-hint: Enabled

Rapid-commit: Disabled

Table 85 Command output

Field: Description

Interface: Interface enabled with DHCPv6 server.

Pool: Address pool applied to the interface. If no address pool is applied to the interface, global is displayed. The DHCPv6 server selects a global address pool to assign a prefix, an address, and other configuration parameters to a client.

Using pool: Address pool applied to the interface. If no address pool is applied to the interface, global is displayed. The DHCPv6 server selects a global address pool to assign a prefix, an address, and other configuration parameters to a client.

Preference value: Server preference in the DHCPv6 Advertise message. The value range is 0 to 255. A greater value represents a higher preference.

Allow-hint: Indicates whether desired address/prefix assignment is enabled.

Rapid-commit: Indicates whether rapid address/prefix assignment is enabled.

 

display ipv6 dhcp server conflict

Use display ipv6 dhcp server conflict to display information about IPv6 address conflicts.

Syntax

display ipv6 dhcp server conflict [ address ipv6-address ] [ vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

address ipv6-address: Displays conflict information for the specified IPv6 address. If you do not specify an IPv6 address, this command displays information about all IPv6 address conflicts.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To display conflict information for IPv6 addresses on the public network, do not specify this option.

Usage guidelines

The DHCPv6 server creates IPv6 address conflict information under the following conditions:

·     The DHCPv6 client sends a DECLINE packet to the DHCPv6 server to inform the server of an IPv6 address conflict.

·     The DHCPv6 server discovers that the only assignable address in the address pool is its own IPv6 address.

Examples

# Display information about all address conflicts.

<Sysname> display ipv6 dhcp server conflict

IPv6 address                                 Detect time

2001::1                                      Apr 25 16:57:20 2007

1::1:2                                       Apr 25 17:00:10 2007

Table 86 Command output

Field: Description

IPv6 address: Conflicted IPv6 address.

Detect time: Time when the conflict was discovered.

 

Related commands

reset ipv6 dhcp server conflict

display ipv6 dhcp server database

Use display ipv6 dhcp server database to display information about DHCPv6 binding auto backup.

Syntax

display ipv6 dhcp server database

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about DHCPv6 binding auto backup.

<Sysname> display ipv6 dhcp server database

 File name               :   database.dhcp

 Username                :  

 Password                :  

 Update interval         :   600 seconds

 Latest write time       :   Feb  8 16:02:23 2014

 Status                  :   Last write succeeded.

Table 87 Command output

Field: Description

File name: Name of the DHCPv6 binding backup file.

Username: Username for accessing the URL of the remote backup file.

Password: Password for accessing the URL of the remote backup file. This field displays ****** if a password is configured.

Update interval: Waiting time in seconds after a DHCPv6 binding change for the DHCPv6 server to update the backup file.

Latest write time: Time of the latest update.

Status: Status of the update:

·     Writing—The backup file is being updated.

·     Last write succeeded—The backup file was successfully updated.

·     Last write failed—The backup file failed to be updated.

 

display ipv6 dhcp server expired

Use display ipv6 dhcp server expired to display lease expiration information.

Syntax

display ipv6 dhcp server expired [ [ address ipv6-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

address ipv6-address: Displays lease expiration information for the specified IPv6 address. If you do not specify an IPv6 address, this command displays lease expiration information for all IPv6 addresses.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To display lease expiration information about IPv6 addresses on the public network, do not specify this option.

pool pool-name: Displays lease expiration information for the DHCPv6 address pool specified by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a DHCPv6 address pool, this command displays lease expiration information for all DHCPv6 address pools.

Usage guidelines

The DHCPv6 server assigns expired IPv6 addresses to DHCPv6 clients when all available addresses have been assigned.

Examples

# Display all lease expiration information.

<Sysname> display ipv6 dhcp server expired

IPv6 address           DUID                            Lease expiration

2001:3eff:fe80:4caa:   3030-3066-2e65-3230-302e-       Apr 25 17:10:47 2007

37ee:7::1              3130-3234-2d45-7468-6572-

                       6e65-7430-2f31

Table 88 Command output

Field: Description

IPv6 address: Expired IPv6 address.

DUID: Client DUID bound to the expired IPv6 address.

Lease expiration: Time when the lease expired.

 

Related commands

reset ipv6 dhcp server expired

display ipv6 dhcp server ip-in-use

Use display ipv6 dhcp server ip-in-use to display binding information for assigned IPv6 addresses.

Syntax

display ipv6 dhcp server ip-in-use [ [ address ipv6-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

address ipv6-address: Displays binding information for the specified IPv6 address. If you do not specify an IPv6 address, this command displays binding information for all IPv6 addresses.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To display binding information about IPv6 addresses on the public network, do not specify this option.

pool pool-name: Displays IPv6 address binding information for the DHCPv6 address pool specified by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a DHCPv6 address pool, this command displays IPv6 address binding information for all DHCPv6 address pools.

Examples

# Display binding information for all assigned IPv6 addresses.

<Sysname> display ipv6 dhcp server ip-in-use

Pool: 1

 IPv6 address                                Type     Lease expiration

 2:1::1                                      Auto(O)  Jul 10 19:45:01 2008

Pool: 2

 IPv6 address                                Type      Lease expiration

 1:1::2                                      Static(F) Not available

Pool: 3

 IPv6 address                                Type      Lease expiration

 1:2::1F1                                    Static(O) Oct  9 09:23:31 2008

Pool: 4

 IPv6 address                                Type      Lease expiration

 1:2::2                                      Auto(Z)   Oct  11 09:23:31 2008

# Display binding information for all assigned IPv6 addresses for the specified DHCPv6 address pool.

<Sysname> display ipv6 dhcp server ip-in-use pool 1

Pool: 1

 IPv6 address                                Type      Lease expiration

 2:1::1                                      Auto(O)   Jul 10 22:22:22 2008

 3:1::2                                      Static(C) Jan  1 11:11:11 2008

# Display binding information for the specified IPv6 address.

<Sysname> display ipv6 dhcp server ip-in-use address 2:1::3

Pool: 1

Client: FE80::C800:CFF0:FE18:0

Type: Auto(O)

DUID: 00030001CA000C180000

IAID: 0x00030001

  IPv6 address: 2:1::3

  Preferred lifetime 400, valid lifetime 500

  Expires at Jul 10 09:45:01 2008 (288 seconds left)

Table 89 Command output

Field: Description

Pool: DHCPv6 address pool.

IPv6 address: IPv6 address assigned.

Type: IPv6 address binding types:

·     Static(F)—Free static binding whose IPv6 address has not been assigned.

·     Static(O)—Offered static binding whose IPv6 address has been selected and sent by the DHCPv6 server in a DHCPv6-OFFER packet to the client.

·     Static(C)—Committed static binding whose IPv6 address has been assigned to the client.

·     Auto(O)—Offered dynamic binding whose IPv6 address has been dynamically selected by the DHCPv6 server and sent in a DHCPv6-OFFER packet to the DHCPv6 client.

·     Auto(C)—Committed dynamic binding whose IPv6 address has been dynamically assigned to the DHCPv6 client.

·     Auto(Z)—Zombie dynamic binding whose IPv6 address has been dynamically assigned to the DHCPv6 client. The binding becomes zombie because the subnet prefix goes invalid for address allocation after a configuration recovery, for example, after a switchover from the backup to the master.

Lease expiration: Time when the lease of the IPv6 address will expire. If the lease expires after the year 2100, this field displays Expires after 2100. For an unassigned static binding, this field displays Not available.

Client: IPv6 address of the DHCPv6 client. For an unassigned static binding, this field is blank.

DUID: Client DUID.

IAID: Client IAID. For an unassigned static binding without IAID specified, this field displays N/A.

Preferred lifetime: Preferred lifetime in seconds of the IPv6 address.

valid lifetime: Valid lifetime in seconds of the IPv6 address.

Expires at: Time when the lease of an IPv6 address will expire. If the lease expires after the year 2100, this field displays Expires after 2100.

 

Related commands

reset ipv6 dhcp server ip-in-use

display ipv6 dhcp server pd-in-use

Use display ipv6 dhcp server pd-in-use to display binding information for the assigned IPv6 prefixes.

Syntax

display ipv6 dhcp server pd-in-use [ pool pool-name | [ prefix prefix/prefix-len ] [ vpn-instance vpn-instance-name ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pool pool-name: Displays IPv6 prefix binding information for the DHCPv6 address pool specified by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a DHCPv6 address pool, this command displays IPv6 prefix binding information for all DHCPv6 address pools.

prefix prefix/prefix-len: Displays binding information for the specified IPv6 prefix. The value range for the prefix length is 1 to 128. If you do not specify an IPv6 prefix, this command displays binding information for all IPv6 prefixes.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To display binding information for IPv6 prefixes on the public network, do not specify this option.

Examples

# Display all IPv6 prefix binding information.

<Sysname> display ipv6 dhcp server pd-in-use

Pool: 1

 IPv6 prefix                                 Type      Lease expiration

 2:1::/24                                    Auto(O)   Jul 10 19:45:01 2008

Pool: 2

 IPv6 prefix                                 Type      Lease expiration

 1:1::/64                                    Static(F) Not available

Pool: 3

 IPv6 prefix                                 Type      Lease expiration

 1:2::/64                                    Static(O) Oct  9 09:23:31 2008

Pool: 4

 IPv6 prefix                                 Type      Lease expiration

 12::/80                                     Auto(Z)   Oct 17 09:34:59 2008

# Display IPv6 prefix binding information for DHCPv6 address pool 1.

<Sysname> display ipv6 dhcp server pd-in-use pool 1

Pool: 1

 IPv6 prefix                                 Type      Lease expiration

 2:1::/24                                    Auto(O)   Jul 10 22:22:22 2008

 3:1::/64                                    Static(C) Jan  1 11:11:11 2008

# Display binding information for the IPv6 prefix 2:1::3/24.

<Sysname> display ipv6 dhcp server pd-in-use prefix 2:1::3/24

Pool: 1

Client: FE80::C800:CFF:FE18:0

Type: Auto(O)

DUID: 00030001CA000C180000

IAID: 0x00030001

  IPv6 prefix: 2:1::/24

  Preferred lifetime 400, valid lifetime 500

  Expires at Jul 10 09:45:01 2008 (288 seconds left)

Table 90 Command output

Field: Description

IPv6 prefix: IPv6 prefix assigned.

Type: Prefix binding types:

·     Static(F)—Free static binding whose IPv6 prefix has not been assigned.

·     Static(O)—Offered static binding whose IPv6 prefix has been selected and sent by the DHCPv6 server in a DHCPv6-OFFER packet to the client.

·     Static(C)—Committed static binding whose IPv6 prefix has been assigned to the client.

·     Auto(O)—Offered dynamic binding whose IPv6 prefix has been dynamically selected by the DHCPv6 server and sent in a DHCPv6-OFFER packet to the DHCPv6 client.

·     Auto(C)—Committed dynamic binding whose IPv6 prefix has been dynamically assigned to the DHCPv6 client.

·     Auto(Z)—Zombie dynamic binding whose IPv6 prefix has been dynamically assigned to the DHCPv6 client. The binding becomes zombie because the prefix in the prefix pool goes invalid after a configuration recovery, for example, after a switchover from the backup to the master.

Pool: Address pool.

Lease expiration: Time when the lease of the IPv6 prefix will expire. If the lease expires after the year 2100, this field displays Expires after 2100. For an unassigned static binding, this field displays Not available.

Client: IPv6 address of the DHCPv6 client. For an unassigned static binding, this field is blank.

DUID: Client DUID.

IAID: Client IAID. For an unassigned static binding without IAID, this field displays N/A.

Preferred lifetime: Preferred lifetime in seconds of the IPv6 prefix.

valid lifetime: Valid lifetime in seconds of the IPv6 prefix.

Expires at: Time when the lease of the prefix will expire. If the lease expires after the year 2100, this field displays Expires after 2100.
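The brief output of display ipv6 dhcp server ip-in-use and display ipv6 dhcp server pd-in-use shares one layout, so a single parser can audit both for zombie bindings. The following is an added example, not H3C code: the function names are hypothetical, and SAMPLE is the pd-in-use example output from this page with the blank lines removed.

```python
import re
from datetime import datetime

# Example output of "display ipv6 dhcp server pd-in-use" as shown on this page.
SAMPLE = """\
Pool: 1
 IPv6 prefix                                 Type      Lease expiration
 2:1::/24                                    Auto(O)   Jul 10 19:45:01 2008
Pool: 2
 IPv6 prefix                                 Type      Lease expiration
 1:1::/64                                    Static(F) Not available
Pool: 3
 IPv6 prefix                                 Type      Lease expiration
 1:2::/64                                    Static(O) Oct  9 09:23:31 2008
Pool: 4
 IPv6 prefix                                 Type      Lease expiration
 12::/80                                     Auto(Z)   Oct 17 09:34:59 2008
"""

# Binding states from the Type field description.
STATES = {"F": "free", "O": "offered", "C": "committed", "Z": "zombie"}

POOL_RE = re.compile(r"^Pool:\s*(?P<pool>\S+)\s*$")
ROW_RE = re.compile(
    r"^\s*(?P<target>[0-9A-Fa-f:./]+)\s+"
    r"(?P<kind>Static|Auto)\((?P<state>[FOCZ])\)\s+"
    r"(?P<lease>\S.*?)\s*$"
)


def parse_lease(text):
    """Return the lease expiration as a datetime, or None if unassigned."""
    text = " ".join(text.split())          # the device pads single-digit days
    if text == "Not available":            # unassigned static binding
        return None
    if text == "Expires after 2100":
        return datetime.max
    return datetime.strptime(text, "%b %d %H:%M:%S %Y")


def parse_bindings(output):
    """Parse brief ip-in-use or pd-in-use output into a list of dicts."""
    bindings, pool = [], None
    for line in output.splitlines():
        header = POOL_RE.match(line)
        if header:
            pool = header.group("pool")
            continue
        row = ROW_RE.match(line)
        if not row:                        # column header or blank line
            continue
        bindings.append({
            "pool": pool,
            "target": row.group("target"),  # IPv6 address or prefix
            "kind": row.group("kind").lower(),
            "state": STATES[row.group("state")],
            "expires": parse_lease(row.group("lease")),
        })
    return bindings


def zombie_bindings(bindings):
    """Bindings whose prefix became invalid after a configuration recovery."""
    return [(b["pool"], b["target"]) for b in bindings if b["state"] == "zombie"]


if __name__ == "__main__":
    for binding in parse_bindings(SAMPLE):
        print(binding)
    print("zombie:", zombie_bindings(parse_bindings(SAMPLE)))
```
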

 

Related commands

reset ipv6 dhcp server pd-in-use

display ipv6 dhcp server statistics

Use display ipv6 dhcp server statistics to display DHCPv6 packet statistics on the DHCPv6 server.

Syntax

display ipv6 dhcp server statistics [ pool pool-name | vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pool pool-name: Displays DHCPv6 packet statistics for the DHCPv6 address pool specified by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an address pool, this command displays DHCPv6 packet statistics for all address pools.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To display DHCPv6 server statistics for the public network, do not specify this option.

Examples

# Display all DHCPv6 packet statistics on the DHCPv6 server.

<Sysname> display ipv6 dhcp server statistics

Bindings:

    Ip-in-use                 :  1

    Pd-in-use                 :  0

    Expired                   :  0

Conflict                      :  0

Packets received              :  1

    Solicit                   :  1

    Request                   :  0

    Confirm                   :  0

    Renew                     :  0

    Rebind                    :  0

    Release                   :  0

    Decline                   :  0

    Information-request       :  0

    Relay-forward             :  0

Packets dropped               :  0

Packets sent                  :  0

    Advertise                 :  0

    Reconfigure               :  0

    Reply                     :  0

    Relay-reply               :  0

Table 91 Command output

Field: Description

Bindings: Number of bindings:

·     Ip-in-use—Total number of address bindings.

·     Pd-in-use—Total number of prefix bindings.

·     Expired—Total number of expired address bindings.

Conflict: Total number of conflicted addresses. If statistics about an address pool are displayed, this field is not displayed.

Packets received: Number of messages received by the DHCPv6 server. The message types include:

·     Solicit.

·     Request.

·     Confirm.

·     Renew.

·     Rebind.

·     Release.

·     Decline.

·     Information-request.

·     Relay-forward.

If statistics about an address pool are displayed, this field is not displayed.

Packets dropped: Number of packets discarded. If statistics about an address pool are displayed, this field is not displayed.

Packets sent: Number of messages sent by the DHCPv6 server. The message types include:

·     Advertise.

·     Reconfigure.

·     Reply.

·     Relay-reply.

If statistics about an address pool are displayed, this field is not displayed.

 

Related commands

reset ipv6 dhcp server statistics

dns-server

Use dns-server to specify a DNS server in a DHCPv6 address pool.

Use undo dns-server to remove the specified DNS server from a DHCPv6 address pool.

Syntax

dns-server ipv6-address

undo dns-server ipv6-address

Default

No DNS server address is specified.

Views

DHCPv6 address pool view

DHCPv6 option group view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of a DNS server.

Usage guidelines

You can use the dns-server command to specify up to eight DNS servers in an address pool. A DNS server specified earlier has a higher preference.

Examples

# Specify the DNS server address 2:2::3 in DHCPv6 address pool 1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] dns-server 2:2::3

Related commands

display ipv6 dhcp pool

domain-name

Use domain-name to specify a domain name suffix in a DHCPv6 address pool.

Use undo domain-name to restore the default.

Syntax

domain-name domain-name

undo domain-name

Default

No domain name suffix is specified.

Views

DHCPv6 address pool view

DHCPv6 option group view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a domain name suffix, a case-sensitive string of 1 to 50 characters.

Usage guidelines

You can configure only one domain name suffix in an address pool.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the domain name aaa.com in DHCPv6 address pool 1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] domain-name aaa.com

Related commands

display ipv6 dhcp pool

if-match

Use if-match to configure a match rule for a DHCPv6 user class.

Use undo if-match to delete a match rule for a DHCPv6 user class.

Syntax

if-match rule rule-number { option option-code [ ascii ascii-string [ offset offset | partial ] | hex hex-string [ mask mask | offset offset length length | partial ] ] | relay-agent gateway-ipv6-address }

undo if-match rule rule-number

Default

No match rules are configured for the DHCPv6 user class.

Views

DHCPv6 user class view

Predefined user roles

network-admin

Parameters

rule rule-number: Assigns the match rule an ID in the range of 1 to 128. A smaller ID represents a higher match priority.

option option-code: Specifies a DHCPv6 option by its number in the range of 1 to 65535.

ascii ascii-string: Specifies an ASCII string of 1 to 128 characters.

offset offset: Specifies the offset in bytes after which the match operation starts. The value range is 0 to 65534. If you specify an ASCII string, a packet matches the rule if the option content after the offset is the same as the ASCII string. If you specify a hexadecimal string, a packet matches the rule if the option content of the specified length after the offset is the same as the hexadecimal string.

partial: Enables partial match. A packet matches the rule if the specified option in the packet contains the ASCII or hexadecimal string specified in the rule. For example, if the specified string is abc, option content xabc, xyzabca, xabcyz, and abcxyz all match the rule.

hex hex-string: Specifies a hexadecimal string. The length of the hexadecimal string must be an even number in the range of 2 to 256.

mask mask: Specifies the mask for the match operation. The mask is a hexadecimal string whose length is an even number in the range of 2 to 256 and must be the same as the hex-string length. The DHCPv6 server selects a string of the mask length from the start of the option, and ANDs the selected string and the specified hexadecimal string with the mask. The packet matches the rule if the two AND operation results are the same.

length length: Specifies the length of the option content to be matched, in the range of 1 to 128 bytes. The length must be the same as the hex-string length.

relay-agent gateway-ipv6-address: Specifies a link-address field value. The value is an IPv6 address. A packet matches the rule if its link-address field value is the same as that in the rule.

Usage guidelines

You can configure multiple match rules for a DHCPv6 user class. Each match rule is uniquely identified by a rule ID within its type (option or relay agent address). The DHCPv6 server compares the option content or relay agent address in the DHCPv6 requests against the match rules. If a match is found, the DHCPv6 client matches the DHCPv6 user class.

As a best practice, do not configure rules of different types to use the same ID. No two rules can have the same content.

·     If the rule that you are configuring has the same ID and type as an existing rule, the new rule overwrites the existing rule.

·     If the rule that you are configuring has the same ID as an existing rule but a different type, the new rule takes effect and coexists with the existing rule.

When you configure an if-match option rule, follow these guidelines:

·     To match packets that contain an option, specify only the option code.

·     To match a hexadecimal string by AND operations, specify the option option-code hex hex-string mask mask options.

·     To match a hexadecimal string directly, specify the option option-code hex hex-string [ offset offset length length | partial ] options.

If you do not specify the optional parameters, a packet matches a rule if the option content starts with the hexadecimal string.

·     To match an ASCII string, specify the option option-code ascii ascii-string [ offset offset | partial ] options.

If you do not specify the optional parameters, a packet matches a rule if the option content starts with the ASCII string.

Examples

# Configure match rule 1 for the DHCPv6 user class exam to match DHCPv6 requests that contain Option 16.

<Sysname> system-view

[Sysname] ipv6 dhcp class exam

[Sysname-dhcp6-class-exam] if-match rule 1 option 16

# Configure match rule 2 for the DHCPv6 user class exam to match DHCPv6 requests in which the highest bit of the fourth byte in Option 16 is 1.

<Sysname> system-view

[Sysname] ipv6 dhcp class exam

[Sysname-dhcp6-class-exam] if-match rule 2 option 16 hex 00000080 mask 00000080

# Configure match rule 3 for the DHCPv6 user class exam to match DHCPv6 requests in which the first three bytes of Option 16 are 0x13ae92.

<Sysname> system-view

[Sysname] ipv6 dhcp class exam

[Sysname-dhcp6-class-exam] if-match rule 3 option 16 hex 13ae92 offset 0 length 3

# Configure match rule 4 for the DHCPv6 user class exam to match DHCPv6 requests in which Option 16 contains the hexadecimal string 0x13ae.

<Sysname> system-view

[Sysname] ipv6 dhcp class exam

[Sysname-dhcp6-class-exam] if-match rule 4 option 16 hex 13ae partial

# Configure match rule 5 for the DHCPv6 user class exam to match DHCPv6 requests in which the link-address field is 2001::1.

<Sysname> system-view

[Sysname] ipv6 dhcp class exam

[Sysname-dhcp6-class-exam] if-match rule 5 relay-agent 2001::1
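The following added example (not H3C code) models how each if-match rule form described above evaluates a request, using rules 1 through 5 of the user class exam. The function names, the dict representation of a rule, and the sample requests are constructed for illustration. Two behaviors are assumptions: an option shorter than the mask never matches, and an ASCII rule with an offset compares only as many bytes as the string contains.

```python
import ipaddress


def rule_matches(rule, options, link_address=None):
    """Evaluate one if-match rule against a request.

    rule:         dict keyed by the CLI keywords (option, ascii, hex, mask,
                  offset, length, partial, relay_agent).
    options:      {option code: option content as bytes}.
    link_address: link-address field of the request, or None.
    """
    if "relay_agent" in rule:
        return (link_address is not None
                and ipaddress.IPv6Address(link_address)
                == ipaddress.IPv6Address(rule["relay_agent"]))

    content = options.get(rule["option"])
    if content is None:
        return False                       # option absent
    if "ascii" in rule:
        needle = rule["ascii"].encode("ascii")
    elif "hex" in rule:
        needle = bytes.fromhex(rule["hex"])
    else:
        return True                        # option code only: presence matches

    if "mask" in rule:
        mask = bytes.fromhex(rule["mask"])
        if len(mask) != len(needle):
            raise ValueError("mask and hex-string must have the same length")
        head = content[:len(mask)]         # taken from the start of the option
        if len(head) < len(mask):          # assumption: short option, no match
            return False
        return all((c & m) == (n & m) for c, n, m in zip(head, needle, mask))

    if rule.get("partial"):
        return needle in content           # anywhere in the option

    if "offset" in rule:
        length = rule.get("length", len(needle))
        if length != len(needle):
            raise ValueError("length must equal the hex-string length")
        start = rule["offset"]
        return content[start:start + length] == needle

    return content.startswith(needle)      # no optional parameters


def matching_rule_ids(rules, options, link_address=None):
    """Return the IDs of all matching rules, smallest (highest priority) first."""
    return sorted(rid for rid, rule in rules
                  if rule_matches(rule, options, link_address))


# Rules 1-5 of user class exam from the Examples above.
EXAM_RULES = [
    (1, {"option": 16}),
    (2, {"option": 16, "hex": "00000080", "mask": "00000080"}),
    (3, {"option": 16, "hex": "13ae92", "offset": 0, "length": 3}),
    (4, {"option": 16, "hex": "13ae", "partial": True}),
    (5, {"relay_agent": "2001::1"}),
]

# Constructed requests (option content is whatever the client sent).
REQ_A = {16: bytes.fromhex("13ae92ff") + b"vendor"}
REQ_B = {16: bytes.fromhex("0000000713ae")}   # 0x13ae only at offset 4
REQ_C = {}                                     # no Option 16, relayed request

if __name__ == "__main__":
    print(matching_rule_ids(EXAM_RULES, REQ_A))              # anchored and partial
    print(matching_rule_ids(EXAM_RULES, REQ_B))              # presence and partial
    print(matching_rule_ids(EXAM_RULES, REQ_C, "2001::1"))   # relay agent rule
```

Option content is supplied by the client, so a partial rule matches more requests than the mask or offset/length forms of the same string, as REQ_B shows.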

Related commands

ipv6 dhcp class

ipv6 dhcp apply-policy

Use ipv6 dhcp apply-policy to apply a DHCPv6 policy to an interface.

Use undo ipv6 dhcp apply-policy to restore the default.

Syntax

ipv6 dhcp apply-policy policy-name

undo ipv6 dhcp apply-policy

Default

No DHCPv6 policy is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a DHCPv6 policy by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can apply only one DHCPv6 policy to an interface. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Apply the DHCPv6 policy test to GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp apply-policy test

Related commands

ipv6 dhcp class

ipv6 dhcp class

Use ipv6 dhcp class to create a DHCPv6 user class and enter its view, or enter the view of an existing DHCPv6 user class.

Use undo ipv6 dhcp class to delete the specified DHCPv6 user class.

Syntax

ipv6 dhcp class class-name

undo ipv6 dhcp class class-name

Default

No DHCPv6 user classes exist.

Views

System view

Predefined user roles

network-admin

Parameters

class-name: Specifies a name for the DHCPv6 user class, a case-insensitive string of 1 to 63 characters.

Usage guidelines

In the DHCPv6 user class view, you can use the if-match command to configure match rules for user classification.

Examples

# Create a DHCPv6 user class test and enter DHCPv6 user class view.

<Sysname> system-view

[Sysname] ipv6 dhcp class test

[Sysname-dhcp6-class-test]

Related commands

class pool

ipv6 dhcp policy

if-match

ipv6 dhcp option-group

Use ipv6 dhcp option-group to create a static DHCPv6 option group and enter its view.

Use undo ipv6 dhcp option-group to delete the specified static DHCPv6 option group.

Syntax

ipv6 dhcp option-group option-group-number

undo ipv6 dhcp option-group option-group-number

Default

No static DHCPv6 option groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

option-group-number: Assigns an ID to the static option group, in the range of 1 to 100.

Usage guidelines

A static DHCPv6 option group can use the same ID as a dynamic DHCPv6 option group. If a static DHCPv6 option group and a dynamic DHCPv6 option group use the same ID, the static one takes precedence over the dynamic one.

Examples

# Create static DHCPv6 option group 1 and enter its view.

<Sysname> system-view

[Sysname] ipv6 dhcp option-group 1

[Sysname-dhcp6-option-group1]

Related commands

display ipv6 dhcp option-group

ipv6 dhcp policy

Use ipv6 dhcp policy to create a DHCPv6 policy and enter its view, or enter the view of an existing DHCPv6 policy.

Use undo ipv6 dhcp policy to delete a DHCPv6 policy.

Syntax

ipv6 dhcp policy policy-name

undo ipv6 dhcp policy policy-name

Default

No DHCPv6 policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Assigns a name to the DHCPv6 policy. The policy name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

In DHCPv6 policy view, you can specify address pools for different user classes. Clients matching a user class will obtain IPv6 addresses and other parameters from the specified address pool.

For a DHCPv6 policy to take effect, you must apply it to an interface.

Examples

# Create DHCPv6 policy test and enter its view.

<Sysname> system-view

[Sysname] ipv6 dhcp policy test

[Sysname-dhcp6-policy-test]

Related commands

class pool

default pool

ipv6 dhcp apply-policy

ipv6 dhcp class

ipv6 dhcp pool

Use ipv6 dhcp pool to create a DHCPv6 address pool and enter its view, or enter the view of an existing DHCPv6 address pool.

Use undo ipv6 dhcp pool to delete the specified DHCPv6 address pool.

Syntax

ipv6 dhcp pool pool-name

undo ipv6 dhcp pool pool-name

Default

No DHCPv6 address pools exist.

Views

System view

Predefined user roles

network-admin

Parameters

pool-name: Specifies a name for the DHCPv6 address pool, a case-insensitive string of 1 to 63 characters.

Usage guidelines

A DHCPv6 address pool stores IPv6 address/prefix and other configuration parameters to be assigned to DHCPv6 clients.

When you delete a DHCPv6 address pool, binding information for the assigned IPv6 addresses and prefixes in the address pool is also deleted.

Examples

# Create a DHCPv6 address pool named pool1 and enter its view.

<Sysname> system-view

[Sysname] ipv6 dhcp pool pool1

[Sysname-dhcp6-pool-pool1]

Related commands

class pool

display ipv6 dhcp pool

ipv6 dhcp server apply pool

ipv6 dhcp prefix-pool

Use ipv6 dhcp prefix-pool to create a prefix pool and specify the prefix and the assigned prefix length for the pool.

Use undo ipv6 dhcp prefix-pool to delete the specified prefix pool.

Syntax

ipv6 dhcp prefix-pool prefix-pool-number prefix { prefix-number | prefix/prefix-len } assign-len assign-len [ vpn-instance vpn-instance-name ]

undo ipv6 dhcp prefix-pool prefix-pool-number [ vpn-instance vpn-instance-name ]

Default

No prefix pools exist.

Views

System view

Predefined user roles

network-admin

Parameters

prefix-pool-number: Specifies a prefix pool number in the range of 1 to 128.

prefix { prefix-number | prefix/prefix-len }: Specifies a prefix by its ID or in the format of prefix/prefix length. The value range for the prefix-number argument is 1 to 1024. The value range for the prefix-len argument is 1 to 128.

assign-len assign-len: Specifies the assigned prefix length. The value range is 1 to 128, and the value must be greater than or equal to prefix-len. The difference between assign-len and prefix-len must be no more than 16.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To create a prefix pool for the public network, do not specify this option.

Usage guidelines

Different prefix pools cannot overlap.

To modify a prefix pool, execute the undo ipv6 dhcp prefix-pool command to delete the prefix pool, and then execute the ipv6 dhcp prefix-pool command.

Deleting a prefix pool clears all prefix bindings from the prefix pool.

When you specify a prefix by its ID, follow these restrictions and guidelines:

·     This command does not take effect if the prefix does not exist. This command takes effect after the prefix is created.

·     Do not specify the same prefix for different prefix pools in a VPN.

·     If the prefix that the ID represents is changed, the prefix range in the prefix pool accordingly changes.

Examples

# Create IPv6 prefix 88:99::/32 with the ID 3. Configure prefix pool 2 with IPv6 prefix 3 and assigned prefix length 42. Prefix pool 2 contains 1024 prefixes from 88:99::/42 to 88:99:FFC0::/42.

<Sysname> system-view

[Sysname] ipv6 prefix 3 88:99::/32

[Sysname] ipv6 dhcp prefix-pool 2 prefix 3 assign-len 42

# Create prefix pool 1, and specify the prefix 2001:0410::/32 with the assigned prefix length 42. Prefix pool 1 contains 1024 prefixes from 2001:0410::/42 to 2001:0410:FFC0::/42.

<Sysname> system-view

[Sysname] ipv6 dhcp prefix-pool 1 prefix 2001:0410::/32 assign-len 42
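The sizing and overlap rules above can be checked offline before a pool is committed. The following Python sketch is an added example, not H3C code: the function names are hypothetical, the input prefixes are the ones used in the examples above plus one constructed overlapping prefix, and it assumes all pools passed to the overlap check belong to the same VPN instance.

```python
import ipaddress

MAX_EXTRA_BITS = 16  # assign-len minus prefix-len must be no more than 16


def describe_prefix_pool(prefix, assign_len):
    """Check prefix/assign-len against the parameter rules and size the pool."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen < 1:
        raise ValueError("prefix-len must be in the range of 1 to 128")
    if not 1 <= assign_len <= 128:
        raise ValueError("assign-len must be in the range of 1 to 128")
    if assign_len < net.prefixlen:
        raise ValueError("assign-len must be greater than or equal to prefix-len")
    if assign_len - net.prefixlen > MAX_EXTRA_BITS:
        raise ValueError("assign-len may exceed prefix-len by at most 16")

    count = 1 << (assign_len - net.prefixlen)   # number of assignable prefixes
    step = 1 << (128 - assign_len)              # distance between two prefixes
    base = int(net.network_address)
    first = ipaddress.IPv6Network((base, assign_len))
    last = ipaddress.IPv6Network((base + (count - 1) * step, assign_len))
    return {"count": count, "first": str(first), "last": str(last)}


def overlapping_pools(pools):
    """Return pairs of prefix-pool numbers whose prefixes overlap.

    pools maps prefix-pool-number -> prefix string (one VPN instance assumed).
    """
    nets = {num: ipaddress.IPv6Network(p, strict=False) for num, p in pools.items()}
    numbers = sorted(nets)
    return [(a, b)
            for i, a in enumerate(numbers)
            for b in numbers[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    # Prefixes from the examples above.
    print(describe_prefix_pool("88:99::/32", 42))
    print(describe_prefix_pool("2001:0410::/32", 42))
    # Pool 3 is a constructed prefix that falls inside pool 1.
    print(overlapping_pools({1: "2001:0410::/32", 2: "88:99::/32",
                             3: "2001:410:8000::/34"}))
```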

Related commands

display ipv6 dhcp prefix-pool

prefix-pool

ipv6 dhcp server

Use ipv6 dhcp server to configure global address assignment on an interface. The server on the interface uses a global address pool to assign configuration information to a client.

Use undo ipv6 dhcp server to restore the default.

Syntax

ipv6 dhcp server { allow-hint | preference preference-value | rapid-commit } *

undo ipv6 dhcp server

Default

The server does not support desired address/prefix assignment or rapid address/prefix assignment. The server preference is set to 0.

Views

Interface view

Predefined user roles

network-admin

Parameters

allow-hint: Enables desired address/prefix assignment.

preference preference-value: Specifies the server preference in Advertise messages, in the range of 0 to 255. The default value is 0. A greater value represents a higher preference.

rapid-commit: Enables rapid address/prefix assignment involving two messages.

Usage guidelines

The allow-hint keyword enables the server to assign the desired address or prefix to the requesting client. If the desired address or prefix is not included in any global address pool, or is already assigned to another client, the server assigns the client a free address or a prefix. If the allow-hint keyword is not specified, the server ignores the desired address or prefix, and selects an address or prefix from a global address pool.

If you use the ipv6 dhcp server and ipv6 dhcp server apply pool commands on the same interface, the ipv6 dhcp server apply pool command takes effect.

Examples

# Configure global address assignment on GigabitEthernet 1/0/1. Enable desired address/prefix assignment and rapid address/prefix assignment, and set the server preference to the highest value, 255.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp server allow-hint preference 255 rapid-commit

Related commands

display ipv6 dhcp server

ipv6 dhcp select

ipv6 dhcp server apply pool

Use ipv6 dhcp server apply pool to apply a DHCPv6 address pool to an interface.

Use undo ipv6 dhcp server apply pool to restore the default.

Syntax

ipv6 dhcp server apply pool pool-name [ allow-hint | preference preference-value | rapid-commit ] *

undo ipv6 dhcp server apply pool

Default

No DHCPv6 address pool is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

pool-name: Specifies a DHCPv6 address pool by its name, a case-insensitive string of 1 to 63 characters.

allow-hint: Enables desired address/prefix assignment.

preference preference-value: Specifies the server preference in Advertise messages, in the range of 0 to 255. The default value is 0. A greater value represents a higher preference.

rapid-commit: Enables rapid address/prefix assignment involving two messages.

Usage guidelines

Upon receiving a DHCPv6 request, the DHCPv6 server selects an IPv6 address or prefix from the address pool applied to the receiving interface. If no address pool is applied, the server selects an IPv6 address or prefix from a global address pool that matches the IPv6 address of the receiving interface or the DHCPv6 relay agent.

The allow-hint keyword enables the server to assign the desired address or prefix to the client. If the desired address or prefix does not exist or is already assigned to another client, the server assigns a free address or prefix. If allow-hint is not specified, the server ignores the desired address or prefix, and assigns a free address or prefix.

Only one address pool can be applied to an interface. If you execute this command multiple times, the most recent configuration takes effect.

A non-existing address pool can be applied to an interface, but the server cannot assign any prefix, address, or other configuration information from the address pool until the address pool is created.

Examples

# Apply address pool 1 to GigabitEthernet 1/0/1, configure the address pool to support desired address/prefix assignment and address/prefix rapid assignment, and set the preference to 255.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp server apply pool 1 allow-hint preference 255 rapid-commit

Related commands

display ipv6 dhcp server

ipv6 dhcp pool

ipv6 dhcp select

ipv6 dhcp server database filename

Use ipv6 dhcp server database filename to configure the DHCPv6 server to back up the DHCPv6 bindings to a file.

Use undo ipv6 dhcp server database filename to restore the default.

Syntax

ipv6 dhcp server database filename { filename | url url [ username username [ password { cipher | simple } string ] ] }

undo ipv6 dhcp server database filename

Default

The DHCPv6 server does not back up the DHCPv6 bindings.

Views

System view

Predefined user roles

network-admin

Parameters

filename: Specifies the name of a local backup file. For information about the filename argument, see Fundamentals Configuration Guide.

url url: Specifies the URL of a remote backup file. The URL is a case-sensitive string of 1 to 255 characters. Do not include a username or password in the URL.

username username: Specifies the username for accessing the URL of the remote backup file, a case-sensitive string of 1 to 32 characters. Do not specify this option if a username is not required for accessing the URL of the remote backup file.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 32 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters. Do not specify this argument if a password is not required for accessing the URL of the remote backup file.

Usage guidelines

The command automatically creates the file if you specify a nonexistent file.

With this command executed, the DHCPv6 server backs up its bindings immediately and runs auto backup. The server, by default, waits 300 seconds after a binding change to update the backup file. You can use the ipv6 dhcp server database update interval command to change the waiting time. If no DHCPv6 binding changes, the backup file is not updated.

As a best practice, back up the bindings to a remote file. If you use the local storage medium, the frequent erasing and writing might damage the medium and then cause the DHCPv6 server to malfunction.

When the backup file is on a remote device, follow these restrictions and guidelines to specify the URL, username, and password:

·     If the file is on an FTP server, enter the URL in the format of ftp://server address:port/file path, where the port number is optional.

·     If the file is on a TFTP server, enter the URL in the format of tftp://server address:port/file path, where the port number is optional.

·     The username and password must be the same as those configured on the FTP server. If the server authenticates only the username, the password can be omitted.

·     If the IP address of the server is an IPv6 address, enclose the address in a pair of brackets, for example, ftp://[1::1]/database.dhcp.

·     You can also specify the DNS domain name for the server address field, for example, ftp://company/database.dhcp.

Examples

# Configure the DHCPv6 server to back up its bindings to the file database.dhcp.

<Sysname> system-view

[Sysname] ipv6 dhcp server database filename database.dhcp

# Configure the DHCPv6 server to back up its bindings to the file database.dhcp in the working directory of the FTP server at 10::1.

<Sysname> system-view

[Sysname] ipv6 dhcp server database filename url ftp://[10::1]/database.dhcp username 1 password simple 1
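The URL, username, and password rules above lend themselves to a configuration lint that runs before a change is pushed. The following Python sketch is an added example, not H3C code: the function names and finding texts are hypothetical, the sample lines other than the one from this page are constructed, and treating any scheme other than ftp or tftp as a finding is an assumption based on the two formats this page describes.

```python
import ipaddress
import re

URL_RE = re.compile(r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://(?P<authority>[^/]*)(?P<path>/.*)?")
COMMAND = ["ipv6", "dhcp", "server", "database", "filename"]


def check_authority(authority):
    """Check the server address:port part of the URL."""
    findings = []
    if "@" in authority:
        findings.append("URL embeds a username or password")
        authority = authority.rpartition("@")[2]
    if authority.startswith("["):
        host, closing, rest = authority[1:].partition("]")
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            findings.append("bracketed server address is not a valid IPv6 address")
        if not closing or (rest and not re.fullmatch(r":\d{1,5}", rest)):
            findings.append("missing closing bracket or malformed port")
    elif authority.count(":") > 1:
        findings.append("IPv6 server address is not enclosed in brackets")
    else:
        host, _, port = authority.partition(":")
        if not host:
            findings.append("missing server address")
        if port and not port.isdigit():
            findings.append("port is not numeric")
    return findings


def check_backup_command(line):
    """Return a list of findings for one 'database filename' command line."""
    tokens = line.split()
    if tokens[:5] != COMMAND:
        raise ValueError("not an ipv6 dhcp server database filename command")
    args = tokens[5:]
    if len(args) < 2 or args[0] != "url":
        return []  # local filename form: no URL rules apply

    findings = []
    url, opts = args[1], args[2:]
    if not 1 <= len(url) <= 255:
        findings.append("URL length is outside 1 to 255 characters")
    match = URL_RE.fullmatch(url)
    if match is None:
        findings.append("URL is not in scheme://server address:port/file path form")
    else:
        if match["scheme"].lower() not in ("ftp", "tftp"):
            # Assumption: only the two formats described on this page are accepted.
            findings.append("URL scheme is neither ftp nor tftp")
        findings += check_authority(match["authority"])
        if match["path"] in (None, "/"):
            findings.append("URL has no file path")

    if opts[:1] == ["username"] and len(opts) >= 2:
        if not 1 <= len(opts[1]) <= 32:
            findings.append("username length is outside 1 to 32 characters")
        if opts[2:3] == ["password"] and len(opts) >= 5:
            limit = {"simple": 32, "cipher": 73}.get(opts[3])
            if limit is None:
                findings.append("password form is neither cipher nor simple")
            elif not 1 <= len(opts[4]) <= limit:
                findings.append("password length is outside 1 to %d characters" % limit)
    return findings


if __name__ == "__main__":
    samples = [
        # From the example above.
        "ipv6 dhcp server database filename url ftp://[10::1]/database.dhcp username 1 password simple 1",
        # Constructed lines that break one rule each.
        "ipv6 dhcp server database filename url ftp://10::1/database.dhcp",
        "ipv6 dhcp server database filename url ftp://backup:Passw0rd@company/database.dhcp",
    ]
    for sample in samples:
        print(check_backup_command(sample) or "ok", "<-", sample)
```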

Related commands

ipv6 dhcp server database update interval

ipv6 dhcp server database update now

ipv6 dhcp server database update stop

ipv6 dhcp server database update interval

Use ipv6 dhcp server database update interval to set the waiting time for the DHCPv6 server to update the backup file after a DHCPv6 binding change.

Use undo ipv6 dhcp server database update interval to restore the default.

Syntax

ipv6 dhcp server database update interval interval

undo ipv6 dhcp server database update interval

Default

The DHCPv6 server waits 300 seconds to update the backup file after a DHCPv6 binding change. If no DHCPv6 binding changes, the backup file is not updated.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Sets the waiting time in the range of 60 to 864000 seconds.

Usage guidelines

The waiting time takes effect only after you configure the DHCPv6 binding auto backup by using the ipv6 dhcp server database filename command.

When a DHCPv6 binding is created, updated, or removed, the waiting period starts. The DHCPv6 server updates the backup file when the waiting period expires. All bindings changed during the period will be saved to the backup file.

Examples

# Set the waiting time to 10 minutes for the DHCPv6 server to update the backup file.

<Sysname> system-view

[Sysname] ipv6 dhcp server database update interval 600

Related commands

ipv6 dhcp server database filename

ipv6 dhcp server database update now

ipv6 dhcp server database update stop

ipv6 dhcp server database update now

Use ipv6 dhcp server database update now to manually save the DHCPv6 bindings to the backup file.

Syntax

ipv6 dhcp server database update now

Views

System view

Predefined user roles

network-admin

Usage guidelines

Each time this command is executed, the DHCPv6 bindings are saved to the backup file.

For this command to take effect, you must configure the DHCPv6 auto backup by using the ipv6 dhcp server database filename command.

Examples

# Manually save the DHCPv6 bindings to the backup file.

<Sysname> system-view

[Sysname] ipv6 dhcp server database update now

Related commands

ipv6 dhcp server database filename

ipv6 dhcp server database update interval

ipv6 dhcp server database update stop

ipv6 dhcp server database update stop

Use ipv6 dhcp server database update stop to terminate the download of DHCPv6 bindings from the backup file.

Syntax

ipv6 dhcp server database update stop

Views

System view

Predefined user roles

network-admin

Usage guidelines

The DHCPv6 server does not provide services during the binding download process. If the connection is broken during the process, the server waits for a timeout period of 60 minutes. When the timer expires, the DHCPv6 server stops waiting and starts providing address allocation services. You can execute this command to terminate the download immediately.

Manual termination allows the DHCPv6 server to provide services without waiting for the connection to be repaired. The IPv6 addresses and prefixes associated with the undownloaded bindings will be assigned to clients and address conflicts might occur.

Examples

# Terminate the download of the backup DHCPv6 bindings.

<Sysname> system-view

[Sysname] ipv6 dhcp server database update stop

Related commands

ipv6 dhcp server database filename

ipv6 dhcp server database update interval

ipv6 dhcp server database update now

ipv6 dhcp server forbidden-address

Use ipv6 dhcp server forbidden-address to exclude IPv6 addresses in the DHCPv6 address pool from dynamic allocation.

Use undo ipv6 dhcp server forbidden-address to remove the configuration.

Syntax

ipv6 dhcp server forbidden-address start-ipv6-address [ end-ipv6-address ] [ vpn-instance vpn-instance-name ]

undo ipv6 dhcp server forbidden-address start-ipv6-address [ end-ipv6-address ] [ vpn-instance vpn-instance-name ]

Default

Except for the DHCPv6 server address, all IPv6 addresses in a DHCPv6 address pool are assignable.

Views

System view

Predefined user roles

network-admin

Parameters

start-ipv6-address: Specifies the start IPv6 address.

end-ipv6-address: Specifies the end IPv6 address, which cannot be lower than start-ipv6-address. If you do not specify an end IPv6 address, only the start IPv6 address is excluded from dynamic allocation. If you specify an end IPv6 address, the IP addresses from start-ipv6-address through end-ipv6-address are all excluded from dynamic allocation.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To specify an IPv6 address on the public network, do not specify this option.

Usage guidelines

The IPv6 addresses of some devices such as the gateway and FTP server cannot be assigned to clients. Use this command to exclude such addresses from dynamic allocation.

If the excluded IPv6 address is in a static DHCPv6 binding, the address can still be assigned to the client.

The address or address range specified in the undo form of the command must be the same as the address or address range specified in the command. To remove an IP address that has been specified as part of an address range, you must remove the entire address range.

You can execute this command multiple times to exclude multiple IPv6 address ranges from dynamic allocation.

Examples

# Exclude IPv6 addresses of 2001:10:110::1 through 2001:10:110::20 from dynamic assignment.

<Sysname> system-view

[Sysname] ipv6 dhcp server forbidden-address 2001:10:110::1 2001:10:110::20

Related commands

ipv6 dhcp server forbidden-prefix

static-bind

ipv6 dhcp server forbidden-prefix

Use ipv6 dhcp server forbidden-prefix to exclude IPv6 prefixes in the DHCPv6 prefix pool from dynamic allocation.

Use undo ipv6 dhcp server forbidden-prefix to remove the configuration.

Syntax

ipv6 dhcp server forbidden-prefix start-prefix/prefix-len [ end-prefix/prefix-len ] [ vpn-instance vpn-instance-name ]

undo ipv6 dhcp server forbidden-prefix start-prefix/prefix-len [ end-prefix/prefix-len ] [ vpn-instance vpn-instance-name ]

Default

No IPv6 prefixes in the DHCPv6 prefix pool are excluded from dynamic allocation.

Views

System view

Predefined user roles

network-admin

Parameters

start-prefix/prefix-len: Specifies the start IPv6 prefix. The prefix-len argument specifies the prefix length in the range of 1 to 128.

end-prefix/prefix-len: Specifies the end IPv6 prefix. The prefix-len argument specifies the prefix length in the range of 1 to 128. The value for end-prefix cannot be lower than that for start-prefix. If you do not specify this argument, only the start-prefix/prefix-len is excluded from dynamic allocation. If you specify this argument, the prefixes from start-prefix/prefix-len to end-prefix/prefix-len are all excluded.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To specify an IPv6 prefix on the public network, do not specify this option.

Usage guidelines

If the excluded IPv6 prefix is in a static binding, the prefix can still be assigned to the client.

The prefix or prefix range specified in the undo form of the command must be the same as the prefix or prefix range specified in the command. To remove a prefix that has been specified as part of a prefix range, you must remove the entire prefix range.

You can execute this command multiple times to exclude multiple IPv6 prefix ranges from dynamic allocation.

Examples

# Exclude IPv6 prefixes from 2001:3e11::/32 through 2001:3eff::/32 from dynamic allocation.

<Sysname> system-view

[Sysname] ipv6 dhcp server forbidden-prefix 2001:3e11::/32 2001:3eff::/32

Related commands

ipv6 dhcp server forbidden-address

static-bind

network

Use network to specify an IPv6 subnet for dynamic allocation in a DHCPv6 address pool.

Use undo network to restore the default.

Syntax

network { prefix/prefix-length | prefix prefix-number [ sub-prefix/sub-prefix-length ] } [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ] [ export-route ]

undo network

Default

No IPv6 subnet is specified in a DHCPv6 address pool.

Views

DHCPv6 address pool view

Predefined user roles

network-admin

Parameters

prefix/prefix-length: Specifies the IPv6 subnet for dynamic allocation. The value range for the prefix-length argument is 1 to 128.

prefix prefix-number: Specifies an IPv6 prefix by its ID in the range of 1 to 1024.

sub-prefix/sub-prefix-length: Specifies an IPv6 sub-prefix and its length. The value range for the sub-prefix-length argument is 1 to 128.

preferred-lifetime preferred-lifetime: Sets the preferred lifetime. The value range is 60 to 4294967295 seconds, and the default is 604800 seconds (7 days).

valid-lifetime valid-lifetime: Sets the valid lifetime. The value range is 60 to 4294967295 seconds, and the default is 2592000 seconds (30 days). The valid lifetime must be longer than or equal to the preferred lifetime.

export-route: Advertises the subnet assigned to DHCPv6 clients. If you do not specify this keyword, the subnet will not be advertised.

Usage guidelines

You can specify only one subnet for a DHCPv6 address pool. If you execute the network command multiple times, the most recent configuration takes effect.

Modifying or removing the network configuration removes assigned addresses in the current address pool.

The IPv6 subnets cannot be the same in different DHCPv6 address pools.

If you execute the network export-route command multiple times, the most recent configuration takes effect.

When you configure the network prefix command, follow these restrictions and guidelines:

·     The IPv6 subnet is determined by the specified IPv6 prefix, IPv6 sub-prefix, and IPv6 sub-prefix length. The prefix of the IPv6 subnet is the IPv6 prefix suffixed with the IPv6 sub-prefix from the IPv6 prefix length+1 bit to the sub-prefix length bit. The prefix length of the IPv6 subnet is the sub-prefix length. If the IPv6 sub-prefix is not longer than the IPv6 prefix or if you do not specify an IPv6 sub-prefix, the IPv6 subnet defined by the IPv6 prefix is used for dynamic allocation.

·     This command does not take effect if the specified IPv6 prefix does not exist. This command takes effect after the IPv6 prefix is created.

·     If the prefix that the ID represents is changed, the IPv6 subnet in this command accordingly changes, and the assigned prefix and address bindings are cleared.

Examples

# Specify the subnet 3ffe:501:ffff:100::/64 in DHCPv6 address pool 1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] network 3ffe:501:ffff:100::/64

# Create IPv6 prefix 88:99::/32 with the prefix ID 3. Create DHCPv6 address pool 1 and use the IPv6 subnet defined by the IPv6 prefix for dynamic allocation.

<Sysname> system-view

[Sysname] ipv6 prefix 3 88:99::/32

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] network prefix 3

# Create IPv6 prefix 88:99::/32 with the prefix ID 3. Create DHCPv6 address pool 1 and use IPv6 subnet 88:99:ffff:100::/64 defined by IPv6 prefix 3 and IPv6 sub-prefix 3ffe:501:ffff:100::/64 for dynamic allocation.

<Sysname> system-view

[Sysname] ipv6 prefix 3 88:99::/32

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] network prefix 3 3ffe:501:ffff:100::/64
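The bit splicing described in the first guideline above is easy to get wrong by hand, so the following Python sketch works it through. It is an added example, not H3C code: the function names are hypothetical, the first input is the last example above, and the second pool and the missing prefix ID 7 are constructed to show a subnet clash and a command that has not yet taken effect.

```python
import ipaddress


def derive_subnet(prefix, sub_prefix=None):
    """Combine an IPv6 prefix and an optional sub-prefix into the pool subnet.

    Bits 1..P come from the prefix, bits P+1..S from the sub-prefix, and the
    subnet length is S. If S is not longer than P, the prefix itself is used.
    """
    base = ipaddress.IPv6Network(prefix, strict=False)
    if sub_prefix is None:
        return base
    sub = ipaddress.IPv6Network(sub_prefix, strict=False)
    if sub.prefixlen <= base.prefixlen:
        return base
    prefix_bits = int(base.netmask)               # mask for bits 1..P
    sub_bits = int(sub.netmask) & ~prefix_bits    # mask for bits P+1..S
    value = (int(base.network_address) & prefix_bits) | \
            (int(sub.network_address) & sub_bits)
    return ipaddress.IPv6Network((value, sub.prefixlen))


def resolve_pools(prefix_table, pools):
    """Resolve 'network prefix' settings for several address pools.

    prefix_table: prefix ID -> prefix string (what 'ipv6 prefix' created).
    pools: pool name -> (prefix ID, sub-prefix string or None).
    Returns (subnets, pending, clashes).
    """
    subnets, pending = {}, []
    for name, (prefix_id, sub_prefix) in pools.items():
        if prefix_id not in prefix_table:
            pending.append(name)      # no effect until the prefix is created
            continue
        subnets[name] = str(derive_subnet(prefix_table[prefix_id], sub_prefix))

    by_subnet = {}
    for name, subnet in subnets.items():
        by_subnet.setdefault(subnet, []).append(name)
    # Subnets cannot be the same in different DHCPv6 address pools.
    clashes = {s: names for s, names in by_subnet.items() if len(names) > 1}
    return subnets, pending, clashes


if __name__ == "__main__":
    print(derive_subnet("88:99::/32", "3ffe:501:ffff:100::/64"))
    # Constructed: pool 2 uses a different sub-prefix whose bits 33..64 match
    # pool 1, and pool 3 references prefix ID 7, which does not exist.
    print(resolve_pools(
        {3: "88:99::/32"},
        {"1": (3, "3ffe:501:ffff:100::/64"),
         "2": (3, "2001:db8:ffff:100::/64"),
         "3": (7, None)},
    ))
```

Only bits 33 through 64 of the sub-prefix are used here, which is why two sub-prefixes that look unrelated can resolve to the same subnet.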

Related commands

address range

display ipv6 dhcp pool

temporary address range

option

Use option to configure a self-defined DHCPv6 option in a DHCPv6 address pool.

Use undo option to remove a self-defined DHCPv6 option from a DHCPv6 address pool.

Syntax

option code hex hex-string

undo option code

Default

No self-defined DHCPv6 option is configured in a DHCPv6 address pool.

Views

DHCPv6 address pool view

DHCPv6 option group view

Predefined user roles

network-admin

Parameters

code: Specifies a number for the self-defined option, in the range of 21 to 65535, excluding 25 through 26, 37 through 40, and 43 through 48.

hex hex-string: Specifies the content of the option, a hexadecimal string with an even number of characters in the range of 2 to 256.

Usage guidelines

The DHCPv6 server fills the self-defined option with the specified hexadecimal string and sends it in a response to the client.

You can self-define options for the following purposes:

·     Add newly released options.

·     Add options for which the vendor defines the contents, for example, Option 43.

·     Add options for which the CLI does not provide a dedicated configuration command like dns-server. For example, you can use the option 31 hex 00c80000000000000000000000000001 command to define the NTP server address 200::1 for DHCP clients.

If a DHCPv6 option is specified by both the dedicated command and the option command, the DHCPv6 server preferentially assigns the content specified by the dedicated command. For example, if a DNS server address is specified by the dns-server command and the option 23 command, the server uses the address specified by the dns-server command.

If you execute the option command multiple times with the same code specified, the most recent configuration takes effect.

Examples

# Configure Option 23 that specifies a DNS server address 2001:f3e0::1 in DHCPv6 address pool 1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] option 23 hex 2001f3e0000000000000000000000001
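Because the server sends the hex-string to clients as entered, it helps to generate the string from the intended addresses and to decode any hand-written string before committing it. The following Python sketch is an added example, not H3C code: the function names are hypothetical, and it assumes the option payload is a plain list of 16-byte IPv6 addresses, which holds for Option 23 (RFC 3646) and Option 31 (RFC 4075).

```python
import ipaddress
import re

# Codes 25-26, 37-40, and 43-48 are excluded from the 21-65535 range.
EXCLUDED_CODES = set(range(25, 27)) | set(range(37, 41)) | set(range(43, 49))


def validate_option(code, hex_string):
    """Check a code/hex-string pair against the parameter rules above."""
    if not 21 <= code <= 65535 or code in EXCLUDED_CODES:
        raise ValueError("option code %d is not allowed for a self-defined option" % code)
    if not re.fullmatch(r"[0-9A-Fa-f]+", hex_string):
        raise ValueError("hex-string contains non-hexadecimal characters")
    if len(hex_string) % 2 or not 2 <= len(hex_string) <= 256:
        raise ValueError("hex-string needs an even number of characters, 2 to 256")


def addresses_to_hex(addresses):
    """Encode IPv6 addresses as the concatenated 16-byte values, in hex."""
    return "".join(ipaddress.IPv6Address(a).packed.hex() for a in addresses)


def hex_to_addresses(hex_string):
    """Decode a hex-string back into the IPv6 addresses a client will see."""
    raw = bytes.fromhex(hex_string)
    if not raw or len(raw) % 16:
        raise ValueError("payload is not a whole number of 16-byte IPv6 addresses")
    return [str(ipaddress.IPv6Address(raw[i:i + 16])) for i in range(0, len(raw), 16)]


def option_command(code, addresses):
    """Build the 'option code hex hex-string' line for an address-list option."""
    hex_string = addresses_to_hex(addresses)
    validate_option(code, hex_string)
    return "option %d hex %s" % (code, hex_string)


if __name__ == "__main__":
    # Address from the example above.
    print(option_command(23, ["2001:f3e0::1"]))
    # Round trip of a hand-written string before it is committed.
    print(hex_to_addresses("2001f3e0000000000000000000000001"))
    print(hex_to_addresses("00c80000000000000000000000000001"))
```

Decoding before committing shows the address clients will receive: `00c80000000000000000000000000001` is c8::1, while 200::1 is written `02000000000000000000000000000001`.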

Related commands

display ipv6 dhcp pool

dns-server

domain-name

sip-server

option-group

Use option-group to specify a DHCPv6 option group for a DHCPv6 address pool.

Use undo option-group to restore the default.

Syntax

option-group option-group-number

undo option-group

Default

No DHCPv6 option group is specified for a DHCPv6 address pool.

Views

DHCPv6 address pool view

Predefined user roles

network-admin

Parameters

option-group-number: Specifies a DHCPv6 option group by its number in the range of 1 to 100.

Examples

# Specify DHCPv6 option group 1 for DHCPv6 address pool 1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] option-group 1

Related commands

display ipv6 dhcp pool

ipv6 dhcp option-group

prefix-pool

Use prefix-pool to apply a prefix pool to a DHCPv6 address pool, so the DHCPv6 server can dynamically select a prefix from the prefix pool for a client.

Use undo prefix-pool to remove the prefix pool.

Syntax

prefix-pool prefix-pool-number [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

undo prefix-pool prefix-pool-number

Default

No prefix pool is applied to a DHCPv6 address pool.

Views

DHCPv6 address pool view

Predefined user roles

network-admin

Parameters

prefix-pool-number: Specifies a prefix pool by its number in the range of 1 to 128.

preferred-lifetime preferred-lifetime: Sets the preferred lifetime in the range of 60 to 4294967295 seconds. The default value is 604800 seconds (7 days).

valid-lifetime valid-lifetime: Sets the valid lifetime in the range of 60 to 4294967295 seconds. The default value is 2592000 seconds (30 days). The valid lifetime must be longer than or equal to the preferred lifetime.

Usage guidelines

Only one prefix pool can be applied to an address pool.

You can apply a prefix pool that has not been created to an address pool. The setting takes effect after the prefix pool is created.

To modify the prefix pool in a DHCPv6 address pool, execute the undo prefix-pool command to remove the prefix pool, and then execute the prefix-pool command.

Examples

# Apply prefix pool 1 to address pool 1, and use the default preferred lifetime and valid lifetime.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] prefix-pool 1

# Apply prefix pool 2 to address pool 2, and set the preferred lifetime to one day and the valid lifetime to three days.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 2

[Sysname-dhcp6-pool-2] prefix-pool 2 preferred-lifetime 86400 valid-lifetime 259200

Related commands

display ipv6 dhcp pool

ipv6 dhcp prefix-pool

reset ipv6 dhcp server conflict

Use reset ipv6 dhcp server conflict to clear IPv6 address conflict information.

Syntax

reset ipv6 dhcp server conflict [ address ipv6-address ] [ vpn-instance vpn-instance-name ]

Views

User view

Predefined user roles

network-admin

Parameters

address ipv6-address: Clears conflict information for the specified IPv6 address. If you do not specify an IPv6 address, this command clears all IPv6 address conflict information.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To clear conflict information about IPv6 addresses on the public network, do not specify this option.

Usage guidelines

Address conflicts occur when dynamically assigned IP addresses have been statically configured for other hosts. After the conflicts are resolved, you can use the reset ipv6 dhcp server conflict command to clear conflict information so that the conflicted addresses can be assigned to clients.

Examples

# Clear all IPv6 address conflict information.

<Sysname> reset ipv6 dhcp server conflict

Related commands

display ipv6 dhcp server conflict

reset ipv6 dhcp server expired

Use reset ipv6 dhcp server expired to clear binding information for lease-expired IPv6 addresses.

Syntax

reset ipv6 dhcp server expired [ [ address ipv6-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Views

User view

Predefined user roles

network-admin

Parameters

address ipv6-address: Clears binding information for the specified lease-expired IPv6 address. If you do not specify an IPv6 address, this command clears binding information for all lease-expired IPv6 addresses.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To clear binding information about lease-expired IPv6 addresses on the public network, do not specify this option.

pool pool-name: Clears binding information for lease-expired IPv6 addresses in the address pool specified by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an address pool, this command clears binding information for lease-expired IPv6 addresses in all address pools.

Examples

# Clear binding information for expired IPv6 address 2001:f3e0::1.

<Sysname> reset ipv6 dhcp server expired address 2001:f3e0::1

Related commands

display ipv6 dhcp server expired

reset ipv6 dhcp server ip-in-use

Use reset ipv6 dhcp server ip-in-use to clear binding information for assigned IPv6 addresses.

Syntax

reset ipv6 dhcp server ip-in-use [ address ipv6-address [ vpn-instance vpn-instance-name ] | pool pool-name ]

Views

User view

Predefined user roles

network-admin

Parameters

address ipv6-address: Clears binding information for the specified assigned IPv6 address. If you do not specify an IPv6 address, this command clears binding information for all assigned IPv6 addresses.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To clear binding information about assigned IPv6 addresses on the public network, do not specify this option.

pool pool-name: Clears binding information for assigned IPv6 addresses in the address pool specified by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an address pool, this command clears binding information for assigned IPv6 addresses in all address pools.

Usage guidelines

If you execute this command to clear information about an assigned static binding, the static binding becomes an unassigned static binding.

Examples

# Clear binding information for all assigned IPv6 addresses.

<Sysname> reset ipv6 dhcp server ip-in-use

# Clear binding information for assigned IPv6 addresses in DHCPv6 address pool 1.

<Sysname> reset ipv6 dhcp server ip-in-use pool 1

# Clear binding information for the assigned IPv6 address 2001:0:0:1::1.

<Sysname> reset ipv6 dhcp server ip-in-use address 2001:0:0:1::1

Related commands

display ipv6 dhcp server ip-in-use

reset ipv6 dhcp server pd-in-use

Use reset ipv6 dhcp server pd-in-use to clear binding information for assigned IPv6 prefixes.

Syntax

reset ipv6 dhcp server pd-in-use [ pool pool-name | [ prefix prefix/prefix-len ] [ vpn-instance vpn-instance-name ] ]

Views

User view

Predefined user roles

network-admin

Parameters

pool pool-name: Clears binding information for assigned IPv6 prefixes in the address pool specified by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an address pool, this command clears binding information for assigned IPv6 prefixes in all address pools.

prefix prefix/prefix-len: Clears binding information for the specified assigned IPv6 prefix. The value range for the prefix length is 1 to 128. If you do not specify an IPv6 prefix, this command clears binding information for all assigned IPv6 prefixes.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To clear binding information about assigned IPv6 prefixes on the public network, do not specify this option.

Usage guidelines

If you execute this command to clear information about an assigned static binding, the static binding becomes an unassigned static binding.

Examples

# Clear binding information for all assigned IPv6 prefixes.

<Sysname> reset ipv6 dhcp server pd-in-use

# Clear binding information for assigned IPv6 prefixes in DHCPv6 address pool 1.

<Sysname> reset ipv6 dhcp server pd-in-use pool 1

# Clear binding information for the assigned IPv6 prefix 2001:0:0:1::/64.

<Sysname> reset ipv6 dhcp server pd-in-use prefix 2001:0:0:1::/64

Related commands

display ipv6 dhcp server pd-in-use

reset ipv6 dhcp server statistics

Use reset ipv6 dhcp server statistics to clear DHCPv6 server statistics.

Syntax

reset ipv6 dhcp server statistics [ vpn-instance vpn-instance-name ]

Views

User view

Predefined user roles

network-admin

Parameters

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters. To clear DHCPv6 server statistics for the public network, do not specify this option.

Examples

# Clear DHCPv6 server statistics.

<Sysname> reset ipv6 dhcp server statistics

Related commands

display ipv6 dhcp server statistics

sip-server

Use sip-server to specify the IPv6 address or domain name of a SIP server in the DHCPv6 address pool.

Use undo sip-server to remove a SIP server.

Syntax

sip-server { address ipv6-address | domain-name domain-name }

undo sip-server { address ipv6-address | domain-name domain-name }

Default

No SIP server address or domain name is specified.

Views

DHCPv6 address pool view

DHCPv6 option group view

Predefined user roles

network-admin

Parameters

address ipv6-address: Specifies the IPv6 address of a SIP server.

domain-name domain-name: Specifies the domain name of a SIP server, a case-insensitive string of 1 to 50 characters.

Usage guidelines

You can specify up to eight SIP server addresses and eight SIP server domain names in an address pool. A SIP server that is specified earlier has a higher preference.

Examples

# Specify the SIP server address 2:2::4 in DHCPv6 address pool 1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] sip-server address 2:2::4

# Specify the SIP server domain name bbb.com in DHCPv6 address pool 1.

[Sysname-dhcp6-pool-1] sip-server domain-name bbb.com

Related commands

display ipv6 dhcp pool

static-bind

Use static-bind to statically bind an IPv6 address or prefix to a client in the DHCPv6 address pool.

Use undo static-bind to delete a static binding.

Syntax

static-bind { address ipv6-address/addr-prefix-length | prefix prefix/prefix-len } duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

undo static-bind { address ipv6-address/addr-prefix-length | prefix prefix/prefix-len }

Default

No static binding is configured in a DHCPv6 address pool.

Views

DHCPv6 address pool view

Predefined user roles

network-admin

Parameters

address ipv6-address/addr-prefix-length: Specifies the IPv6 address and prefix length. The value range for the prefix length is 1 to 128.

prefix prefix/prefix-len: Specifies the prefix and prefix length. The value range for the prefix length is 1 to 128.

duid duid: Specifies a client DUID. The value is an even hexadecimal number in the range of 2 to 256.

iaid iaid: Specifies a client IAID. The value is a hexadecimal number in the range of 0 to FFFFFFFF. If you do not specify an IAID, the server does not match the client IAID for prefix assignment.

preferred-lifetime preferred-lifetime: Sets the preferred lifetime of the address or prefix. The value range is 60 to 4294967295 seconds, and the default is 604800 seconds (7 days).

valid-lifetime valid-lifetime: Sets the valid lifetime of the address or prefix. The value range is 60 to 4294967295 seconds, and the default is 2592000 seconds (30 days). The valid lifetime cannot be shorter than the preferred lifetime.

Usage guidelines

You can specify multiple static bindings in a DHCPv6 address pool.

An IPv6 address or prefix can be bound to only one DHCPv6 client.

To modify a static binding, execute the undo static-bind command to delete the binding, and then execute the static-bind command.

Examples

# In address pool 1, bind IPv6 address 2001:0410::/35 to the client DUID 0003000100e0fc005552 and IAID A1A1A1A1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] static-bind address 2001:0410::/35 duid 0003000100e0fc005552 iaid A1A1A1A1

# In address pool 1, bind prefix 2001:0410::/35 to the client DUID 00030001CA0006A400 and IAID A1A1A1A1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] static-bind prefix 2001:0410::/35 duid 00030001CA0006A400 iaid A1A1A1A1

Related commands

display ipv6 dhcp pool
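The static-bind constraints above (prefix length, DUID, IAID, lifetimes, one client per address or prefix) can be checked before a pool configuration is pushed to a device. The following Python linter is an added example, not H3C code; it assumes the documented DUID range means an even count of 2 to 256 hex digits, and every line of SAMPLE_POOL after the first two is constructed.

```python
import ipaddress
import re

LIFETIME_RANGE = range(60, 4294967296)  # 60 to 4294967295 seconds, per the page
DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}  # RFC 8415

STATIC_BIND = re.compile(
    r"static-bind\s+(?P<kind>address|prefix)\s+(?P<net>\S+)\s+duid\s+(?P<duid>\S+)"
    r"(?:\s+iaid\s+(?P<iaid>\S+))?"
    r"(?:\s+preferred-lifetime\s+(?P<pref>\d+)\s+valid-lifetime\s+(?P<valid>\d+))?"
)


def check_duid(duid):
    """Return (level, message) findings for one DUID string."""
    # Assumption: the documented range is read as 2 to 256 hex digits, even count.
    if not re.fullmatch(r"[0-9A-Fa-f]{2,256}", duid) or len(duid) % 2:
        return [("error", "DUID must be an even count of 2 to 256 hex digits")]
    raw = bytes.fromhex(duid)
    dtype = int.from_bytes(raw[:2], "big")
    if dtype not in DUID_TYPES:
        return [("warn", f"DUID type {dtype} is not defined in RFC 8415")]
    # DUID-LL layout: 2-byte type, 2-byte hardware type, link-layer address.
    if dtype == 3 and raw[2:4] == b"\x00\x01" and len(raw) != 10:
        return [("warn", f"Ethernet DUID-LL carries {len(raw) - 4} address bytes, not 6")]
    return []


def lint_static_binds(lines):
    """Check the static-bind lines of one pool; return (line_no, level, message)."""
    findings, seen = [], {}
    for no, line in enumerate(lines, 1):
        m = STATIC_BIND.fullmatch(line.strip())
        if not m:
            findings.append((no, "error", "does not match the static-bind syntax"))
            continue
        try:
            value = ipaddress.IPv6Interface(m["net"])
        except ValueError:
            findings.append((no, "error", f"invalid IPv6 value {m['net']}"))
            continue
        if "/" not in m["net"] or value.network.prefixlen < 1:
            findings.append((no, "error", "prefix length must be 1 to 128"))
        # An address or prefix can be bound to only one client.
        key = (m["kind"], value.ip if m["kind"] == "address" else value.network)
        if key in seen:
            findings.append((no, "error", f"{m['kind']} already bound on line {seen[key]}"))
        seen.setdefault(key, no)
        findings += [(no, level, msg) for level, msg in check_duid(m["duid"])]
        iaid = m["iaid"]
        if iaid and (not re.fullmatch(r"[0-9A-Fa-f]+", iaid) or int(iaid, 16) > 0xFFFFFFFF):
            findings.append((no, "error", "IAID must be hex in the range 0 to FFFFFFFF"))
        if m["pref"]:
            pref, valid = int(m["pref"]), int(m["valid"])
            if pref not in LIFETIME_RANGE or valid not in LIFETIME_RANGE:
                findings.append((no, "error", "lifetimes must be 60 to 4294967295 seconds"))
            elif valid < pref:
                findings.append((no, "error", "valid lifetime is shorter than preferred lifetime"))
    return findings


SAMPLE_POOL = [  # lines 1 and 2 are the page's examples; lines 3 to 5 are constructed
    "static-bind address 2001:0410::/35 duid 0003000100e0fc005552 iaid A1A1A1A1",
    "static-bind prefix 2001:0410::/35 duid 00030001CA0006A400 iaid A1A1A1A1",
    "static-bind address 2001:db8::10/64 duid 0003000100e0fc005553"
    " preferred-lifetime 7200 valid-lifetime 3600",
    "static-bind address 2001:db8::10/64 duid 0003000100e0fc005554",
    "static-bind prefix 2001:db8:100::/48 duid 00030001ABC iaid 1FFFFFFFF",
]

if __name__ == "__main__":
    for finding in lint_static_binds(SAMPLE_POOL):
        print(finding)
```

The DUID payload is opaque to a DHCPv6 server, so the length check on a DUID-LL is reported as a warning rather than an error.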

temporary address range

Use temporary address range to configure a temporary IPv6 address range in a DHCPv6 address pool for dynamic allocation.

Use undo temporary address range to restore the default.

Syntax

temporary address range start-ipv6-address end-ipv6-address [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

undo temporary address range

Default

No temporary IPv6 address range is configured in a DHCPv6 address pool.

Views

DHCPv6 address pool view

Predefined user roles

network-admin

Parameters

start-ipv6-address: Specifies the start IPv6 address.

end-ipv6-address: Specifies the end IPv6 address.

preferred-lifetime preferred-lifetime: Sets the preferred lifetime. The value range is 60 to 4294967295 seconds, and the default is 604800 seconds (7 days).

valid-lifetime valid-lifetime: Sets the valid lifetime. The value range is 60 to 4294967295 seconds, and the default is 2592000 seconds (30 days). The valid lifetime cannot be shorter than the preferred lifetime.

Usage guidelines

If you do not execute the temporary address range command, the DHCPv6 server does not support temporary address assignment.

You can configure only one temporary IPv6 address range in an address pool. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# In DHCPv6 address pool 1, configure a temporary IPv6 address range from 3ffe:501:ffff:100::50 to 3ffe:501:ffff:100::60.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 1

[Sysname-dhcp6-pool-1] network 3ffe:501:ffff:100::/64

[Sysname-dhcp6-pool-1] temporary address range 3ffe:501:ffff:100::50 3ffe:501:ffff:100::60

Related commands

display ipv6 dhcp pool

address range

network

vpn-instance

Use vpn-instance to apply a DHCPv6 address pool to a VPN instance.

Use undo vpn-instance to remove the application.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The DHCPv6 address pool is not applied to any VPN instance.

Views

DHCPv6 address pool view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The MPLS L3VPN instance name is a case-sensitive string of 1 to 31 characters.

Usage guidelines

If a DHCPv6 address pool is applied to a VPN instance, the DHCPv6 server assigns IPv6 addresses in this address pool to clients in the specified VPN instance.

The DHCPv6 server identifies the VPN instance to which a DHCPv6 client belongs according to the following information:

·     The client's VPN information stored in authentication modules, such as IPoE.

·     The VPN information of the DHCPv6 server's interface that receives DHCPv6 packets from the client.

The VPN information from authentication modules takes priority over the VPN information of the receiving interface.

Examples

# Apply DHCPv6 address pool 0 to VPN instance abc.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 0

[Sysname-dhcp6-pool-0] vpn-instance abc

DHCPv6 relay agent commands

display ipv6 dhcp relay server-address

Use display ipv6 dhcp relay server-address to display DHCPv6 server addresses specified on the DHCPv6 relay agent.

Syntax

display ipv6 dhcp relay server-address [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays DHCPv6 server addresses on all interfaces enabled with DHCPv6 relay agent.

Examples

# Display DHCPv6 server addresses on all interfaces enabled with DHCPv6 relay agent.

<Sysname> display ipv6 dhcp relay server-address

Interface: GigabitEthernet1/0/1

 Server address                             Outgoing Interface

 2::3

 3::4                                       GigabitEthernet1/0/3

 

Interface: GigabitEthernet1/0/2

 Server address                             Outgoing Interface

 2::3

 3::4                                       GigabitEthernet1/0/3

# Display DHCPv6 server addresses on GigabitEthernet 1/0/1.

<Sysname> display ipv6 dhcp relay server-address interface gigabitethernet 1/0/1

Interface: GigabitEthernet1/0/1

 Server address                             Outgoing Interface

 2::3

 3::4                                       GigabitEthernet1/0/3

Table 92 Command output

| Field | Description |
|---|---|
| Server address | DHCPv6 server address specified on the DHCPv6 relay agent. |
| Outgoing Interface | Output interface of DHCPv6 packets. If no output interface is specified, the device searches the routing table for the output interface. |

Related commands

ipv6 dhcp relay server-address

ipv6 dhcp select

display ipv6 dhcp relay statistics

Use display ipv6 dhcp relay statistics to display DHCPv6 packet statistics on the DHCPv6 relay agent.

Syntax

display ipv6 dhcp relay statistics [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays DHCPv6 packet statistics on all interfaces enabled with DHCPv6 relay agent.

Examples

# Display DHCPv6 packet statistics on all interfaces enabled with DHCPv6 relay agent.

<Sysname> display ipv6 dhcp relay statistics

Packets dropped               :  4

Packets received              :  14

    Solicit                   :  0

    Request                   :  0

    Confirm                   :  0

    Renew                     :  0

    Rebind                    :  0

    Release                   :  0

    Decline                   :  0

    Information-request       :  7

    Relay-forward             :  0

    Relay-reply               :  7

Packets sent                  :  14

    Advertise                 :  0

    Reconfigure               :  0

    Reply                     :  7

    Relay-forward             :  7

    Relay-reply               :  0

# Display DHCPv6 packet statistics on the DHCPv6 relay agent on GigabitEthernet 1/0/1.

<Sysname> display ipv6 dhcp relay statistics interface gigabitethernet 1/0/1

Packets dropped               :  4

Packets received              :  16

    Solicit                   :  0

    Request                   :  0

    Confirm                   :  0

    Renew                     :  0

    Rebind                    :  0

    Release                   :  0

    Decline                   :  0

    Information-request       :  8

    Relay-forward             :  0

    Relay-reply               :  8

Packets sent                  :  16

    Advertise                 :  0

    Reconfigure               :  0

    Reply                     :  8

    Relay-forward             :  8

    Relay-reply               :  0

Table 93 Command output

| Field | Description |
|---|---|
| Packets dropped | Number of discarded packets. |
| Packets received | Number of received packets. |
| Solicit | Number of received solicit packets. |
| Request | Number of received request packets. |
| Confirm | Number of received confirm packets. |
| Renew | Number of received renew packets. |
| Rebind | Number of received rebind packets. |
| Release | Number of received release packets. |
| Decline | Number of received decline packets. |
| Information-request | Number of received information request packets. |
| Relay-forward | Number of received relay-forward packets. |
| Relay-reply | Number of received relay-reply packets. |
| Packets sent | Number of sent packets. |
| Advertise | Number of sent advertise packets. |
| Reconfigure | Number of sent reconfigure packets. |
| Reply | Number of sent reply packets. |
| Relay-forward | Number of sent relay-forward packets. |
| Relay-reply | Number of sent relay-reply packets. |

Related commands

reset ipv6 dhcp relay statistics

gateway-list

Use gateway-list to specify a list of gateway addresses for DHCPv6 clients in the relay address pool.

Use undo gateway-list to remove the specified gateway addresses from a DHCPv6 relay address pool.

Syntax

gateway-list ipv6-address&<1-8>

undo gateway-list [ ipv6-address&<1-8> ]

Default

No gateway address is specified in a DHCPv6 relay address pool.

Views

DHCPv6 relay address pool view

Predefined user roles

network-admin

Parameters

ipv6-address&<1-8>: Specifies a space-separated list of up to eight addresses. Only the first gateway address takes effect, and it must reside on the subnet assigned to the DHCPv6 clients.

Usage guidelines

DHCPv6 clients of the same access type can be classified into different types by their locations. In this case, the relay interface typically has no IPv6 address configured. You can use the gateway-list command to specify the gateway for clients matching the same relay address pool.

Upon receiving a DHCPv6 Solicit or Request from a client that matches a relay address pool, the relay agent processes the packet as follows:

·     Fills the link-address field of the packet with the specified gateway address.

·     Forwards the packet to all DHCPv6 servers in the matching relay address pool.

The DHCPv6 servers select an address pool according to the gateway address.

Examples

# Specify the gateway address 10::1 in DHCPv6 relay address pool p1.

<Sysname> system-view

[Sysname] ipv6 dhcp pool p1

[Sysname-dhcp6-pool-p1] gateway-list 10::1

ipv6 dhcp relay gateway

Use ipv6 dhcp relay gateway to specify a gateway address for DHCPv6 clients on the DHCPv6 relay interface.

Use undo ipv6 dhcp relay gateway to restore the default.

Syntax

ipv6 dhcp relay gateway ipv6-address

undo ipv6 dhcp relay gateway

Default

The first IPv6 address of the relay interface is used as the gateway address for DHCPv6 clients.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies a gateway address. The IPv6 address must be an IPv6 address of the relay interface.

Usage guidelines

The DHCPv6 relay agent uses the specified IPv6 address instead of the first IPv6 address of the relay interface as the gateway address for DHCPv6 clients.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify 10::1 as the gateway address for DHCPv6 clients on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp relay gateway 10::1

Related commands

gateway-list

ipv6 dhcp relay interface-id

Use ipv6 dhcp relay interface-id to specify a padding mode for the Interface-ID option.

Use undo ipv6 dhcp relay interface-id to restore the default.

Syntax

ipv6 dhcp relay interface-id { bas | interface }

undo ipv6 dhcp relay interface-id

Default

The DHCPv6 relay agent fills the Interface-ID option with the interface index of the interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

bas: Specifies the BAS mode.

interface: Specifies the interface name mode. This mode pads the Interface-ID option in ASCII code with the interface name and VLAN ID of the interface.

Usage guidelines

Enable the DHCPv6 relay agent on the interface before executing this command. Otherwise, the command does not take effect.

Examples

# Specify the BAS mode as the padding mode for the Interface-ID option on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp relay interface-id bas

# Specify the interface name mode as the padding mode for the Interface-ID option on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp relay interface-id interface

ipv6 dhcp relay server-address

Use ipv6 dhcp relay server-address to specify a DHCPv6 server on the DHCPv6 relay agent.

Use undo ipv6 dhcp relay server-address to remove DHCPv6 server addresses.

Syntax

ipv6 dhcp relay server-address ipv6-address [ interface interface-type interface-number ]

undo ipv6 dhcp relay server-address [ ipv6-address [ interface interface-type interface-number ] ]

Default

No DHCPv6 server address is specified on the DHCPv6 relay agent.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of a DHCPv6 server.

interface interface-type interface-number: Specifies an output interface through which the relay agent forwards the DHCPv6 requests to the DHCPv6 server. If you do not specify an output interface, the relay agent looks up the routing table for an output interface.

Usage guidelines

Upon receiving a request from a DHCPv6 client, the interface encapsulates the request into a Relay-forward message and forwards the message to the specified DHCPv6 server.

You can specify a maximum of eight DHCPv6 servers on an interface. The DHCPv6 relay agent forwards DHCPv6 requests to all the specified DHCPv6 servers.

If the DHCPv6 server address is a link-local address or multicast address, you must specify an output interface. If you do not specify an output interface, DHCPv6 packets might fail to reach the DHCPv6 server.

If you do not specify an IPv6 address, the undo ipv6 dhcp relay server-address command removes all DHCPv6 server addresses specified on the interface.

Do not enable the DHCPv6 client and the DHCPv6 relay agent on the same interface.

Examples

# Enable the DHCPv6 relay agent on GigabitEthernet 1/0/1 and specify the DHCPv6 server address 2001:1::3.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp select relay

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp relay server-address 2001:1::3

Related commands

display ipv6 dhcp relay server-address

ipv6 dhcp select
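The gateway-list, ipv6 dhcp relay interface-id, and ipv6 dhcp relay server-address guidelines all describe parts of one Relay-forward message: the link-address field, the Interface-ID option, and the encapsulated client request. The following Python sketch is an added example, not H3C code; it builds and parses that message using the RFC 8415 layout. The peer address, transaction ID, Interface-ID content, pool networks, and the subnet-match rule in select_pool are assumptions made for illustration.

```python
import ipaddress
import struct

RELAY_FORW, SOLICIT = 12, 1                       # RFC 8415 message types
OPT_CLIENTID, OPT_RELAY_MSG, OPT_INTERFACE_ID = 1, 9, 18


def pack_options(options):
    """Encode (code, data) pairs as 2-byte code, 2-byte length, data."""
    return b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)


def parse_options(buf):
    """Split a DHCPv6 options area into {code: data}; reject truncated options."""
    opts, off = {}, 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError(f"option {code} overruns the message")
        opts[code] = buf[off:off + length]
        off += length
    return opts


def relay_forward(client_msg, link_address, peer_address, interface_id, hop_count=0):
    """Encapsulate a client message: gateway in link-address, request in option 9."""
    header = struct.pack("!BB", RELAY_FORW, hop_count)
    header += ipaddress.IPv6Address(link_address).packed
    header += ipaddress.IPv6Address(peer_address).packed
    return header + pack_options(
        [(OPT_INTERFACE_ID, interface_id), (OPT_RELAY_MSG, client_msg)]
    )


def parse_relay_forward(msg):
    """Return the fields a server (or a packet capture review) would look at."""
    if len(msg) < 34 or msg[0] != RELAY_FORW:
        raise ValueError("not a Relay-forward message")
    opts = parse_options(msg[34:])
    inner = opts.get(OPT_RELAY_MSG)
    if inner is None or len(inner) < 4:
        raise ValueError("Relay-forward without a usable Relay Message option")
    return {
        "hop_count": msg[1],
        "link_address": ipaddress.IPv6Address(msg[2:18]),
        "peer_address": ipaddress.IPv6Address(msg[18:34]),
        "interface_id": opts.get(OPT_INTERFACE_ID),
        "client_msg_type": inner[0],
        "client_duid": parse_options(inner[4:]).get(OPT_CLIENTID),
    }


def select_pool(link_address, pools):
    """Assumed server rule: pick the pool whose network contains the link-address."""
    addr = ipaddress.IPv6Address(link_address)
    for name, network in pools.items():
        if addr in ipaddress.IPv6Network(network):
            return name
    return None


# Constructed sample: a Solicit carrying a DUID, relayed with gateway 10::1.
CLIENT_DUID = bytes.fromhex("0003000100e0fc005552")
SOLICIT_MSG = bytes([SOLICIT]) + b"\x12\x34\x56" + pack_options([(OPT_CLIENTID, CLIENT_DUID)])
SAMPLE = relay_forward(
    SOLICIT_MSG,
    link_address="10::1",                      # the gateway-list 10::1 example
    peer_address="fe80::2e0:fcff:fe00:5552",   # constructed client address
    interface_id=b"GigabitEthernet1/0/1",      # constructed; real padding is device-specific
)
POOLS = {"p1": "10::/64", "p2": "20::/64"}     # constructed server-side pools

if __name__ == "__main__":
    info = parse_relay_forward(SAMPLE)
    print(info, "->", select_pool(info["link_address"], POOLS))
```

Because the server trusts the link-address and Interface-ID values the relay inserts, these are the fields to compare against the relay configuration when reviewing a capture.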

remote-server

Use remote-server to specify DHCPv6 servers for a DHCPv6 relay address pool.

Use undo remote-server to remove the configuration.

Syntax

remote-server ipv6-address [ interface interface-type interface-number ]

undo remote-server [ ipv6-address [ interface interface-type interface-number ] ]

Default

No DHCPv6 server is specified for the DHCPv6 relay address pool.

Views

DHCPv6 relay address pool view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies a DHCPv6 server address.

interface interface-type interface-number: Specifies the outgoing interface by its type and number for the DHCPv6 relay agent to forward packets to the DHCPv6 server. If you do not specify an outgoing interface, the DHCPv6 relay agent performs a routing table lookup.

Usage guidelines

You can specify a maximum of eight DHCPv6 servers in one DHCPv6 relay address pool.

If you do not specify any parameters, the undo remote-server command removes all DHCPv6 servers in the relay address pool.

If a DHCPv6 server address is a link-local address, you must specify an outgoing interface by using the interface keyword in this command. Otherwise, DHCPv6 packets might fail to reach the DHCPv6 server.

Examples

# Specify DHCPv6 server 10::1 for DHCPv6 relay address pool 0.

<Sysname> system-view

[Sysname] ipv6 dhcp pool 0

[Sysname-dhcp6-pool-0] remote-server 10::1
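The usage guidelines for ipv6 dhcp relay server-address and remote-server set three rules that are easy to miss in a large configuration: at most eight servers per interface or pool, an output interface for link-local (and, at interface level, multicast) server addresses, and no DHCPv6 client on a relay interface. The following Python audit is an added example, not H3C code; SAMPLE_CONFIG is a constructed excerpt, and the section layout (unindented section line, one-space indented commands, "#" separators) is an assumption about the saved configuration format.

```python
import ipaddress
import re

MAX_SERVERS = 8  # per interface and per relay address pool, per the page
SERVER_CMD = re.compile(
    r"(?P<cmd>ipv6 dhcp relay server-address|remote-server)\s+(?P<addr>\S+)"
    r"(?P<out>\s+interface\s+\S.*)?$"
)
CLIENT_CMD = re.compile(
    r"ipv6 (address dhcp-alloc|dhcp client (pd|stateful|stateless enable))\b"
)


def audit_relay_config(text):
    """Return (scope, message) findings for interface and pool sections."""
    findings, servers, roles = [], {}, {}
    scope = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line opens or closes a section
            scope = line if line.startswith(("interface ", "ipv6 dhcp pool ")) else None
            continue
        if scope is None:
            continue
        if CLIENT_CMD.match(line):
            roles.setdefault(scope, set()).add("client")
        if line.startswith(("ipv6 dhcp select relay", "ipv6 dhcp relay ")):
            roles.setdefault(scope, set()).add("relay")
        m = SERVER_CMD.match(line)
        if not m:
            continue
        servers[scope] = servers.get(scope, 0) + 1
        try:
            addr = ipaddress.IPv6Address(m["addr"])
        except ValueError:
            findings.append((scope, f"invalid server address {m['addr']}"))
            continue
        # The interface-level command names link-local and multicast servers;
        # remote-server names link-local servers only.
        risky = addr.is_link_local or (addr.is_multicast and m["cmd"] != "remote-server")
        if risky and not m["out"]:
            findings.append((scope, f"server {addr} has no output interface"))
    for scope, count in servers.items():
        if count > MAX_SERVERS:
            findings.append((scope, f"{count} servers configured, maximum is {MAX_SERVERS}"))
    for scope, found in roles.items():
        if found == {"client", "relay"}:
            findings.append((scope, "DHCPv6 client and relay agent on the same interface"))
    return findings


# Constructed configuration excerpt.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 ipv6 dhcp select relay
 ipv6 dhcp relay server-address 2001:1::3
 ipv6 dhcp relay server-address fe80::1
 ipv6 dhcp relay server-address ff02::1:2 interface gigabitethernet 1/0/3
 ipv6 address dhcp-alloc
#
interface GigabitEthernet1/0/2
 ipv6 dhcp select relay
 ipv6 dhcp relay server-address fe80::1 interface gigabitethernet 1/0/3
#
ipv6 dhcp pool 0
 remote-server 10::1
 remote-server fe80::2
#
"""

if __name__ == "__main__":
    for scope, message in audit_relay_config(SAMPLE_CONFIG):
        print(f"{scope}: {message}")
```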

reset ipv6 dhcp relay statistics

Use reset ipv6 dhcp relay statistics to clear packet statistics on the DHCPv6 relay agent.

Syntax

reset ipv6 dhcp relay statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears all relay agent statistics.

Examples

# Clear packet statistics on the DHCPv6 relay agent.

<Sysname> reset ipv6 dhcp relay statistics

Related commands

display ipv6 dhcp relay statistics

DHCPv6 client commands

display ipv6 dhcp client

Use display ipv6 dhcp client to display DHCPv6 client information.

Syntax

display ipv6 dhcp client [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays information about all DHCPv6 clients.

Examples

# Display the DHCPv6 client information on GigabitEthernet 1/0/1.

<Sysname> display ipv6 dhcp client interface gigabitethernet 1/0/1

GigabitEthernet1/0/1:

  Type: Stateful client requesting address and prefix

    State: OPEN

    Client DUID: 0003000100e002000000

    Preferred server

      Reachable via address: FE80::2E0:1FF:FE00:18

      Server DUID: 0003000100e001000000

    IA_NA: IAID 0x00000642, T1 50 sec, T2 80 sec

      Address: 1:1::2/128

        Preferred lifetime 100 sec, valid lifetime 200 sec

        Will expire on Feb 4 2014 at 15:37:20(288 seconds left)

    IA_PD: IAID 0x00000642, T1 50 sec, T2 80 sec

      Prefix: 12:34::/48

        Preferred lifetime 100 sec, valid lifetime 200 sec

        Will expire on Mar 27 2014 at 08:13:24 (199 seconds left)

    DNS server addresses:

      2:2::3

    Domain name:

      aaa.com

    SIP server addresses:

      2:2::4

    SIP server domain names:

      bbb.com

    Options:

      Code: 88

        Length: 3 bytes

        Hex: AABBCC

Table 94 Command output

| Field | Description |
|---|---|
| Type | Types of DHCPv6 client: Stateful client requesting address—A DHCPv6 client that requests an IPv6 address. Stateful client requesting prefix—A DHCPv6 client that requests an IPv6 prefix. Stateful client requesting address and prefix—A DHCPv6 client that requests an IPv6 address and prefix. Stateless client—A DHCPv6 client that requests configuration parameters other than an IPv6 address and prefix through stateless DHCPv6. |
| State | Current state of the DHCPv6 client: IDLE—The client is in idle state. SOLICIT—The client is locating a DHCPv6 server. REQUEST—The client is requesting an IPv6 address or prefix. OPEN—The client has obtained an IPv6 address or prefix. RENEW—The client is extending the lease (after T1 and before T2). REBIND—The client is extending the lease (after T2 and before the lease expires). RELEASE—The client is releasing an IPv6 address or prefix. DECLINE—The client is declining an IPv6 address or prefix because of an address or prefix conflict. INFO-REQUESTING—The client is requesting configuration parameters through stateless DHCPv6. |
| Client DUID | DUID of the DHCPv6 client. |
| Preferred server | Information about the DHCPv6 server selected by the DHCPv6 client. |
| Reachable via address | Reachable address for the DHCPv6 client. It is the link-local address of the DHCPv6 server or DHCPv6 relay agent. |
| Server DUID | DUID of the DHCPv6 server. |
| IA_NA | IA_NA information. |
| IA_PD | IA_PD information. |
| IAID | IA identifier. |
| T1 | T1 value in seconds. |
| T2 | T2 value in seconds. |
| Address | IPv6 address obtained. This field is displayed only when the DHCPv6 client type is Stateful client requesting address. |
| Prefix | IPv6 prefix obtained. This field is displayed only when the DHCPv6 client type is Stateful client requesting prefix. |
| Preferred lifetime | Preferred lifetime in seconds. |
| valid lifetime | Valid lifetime in seconds. |
| Will expire on Feb 4 2014 at 15:37:20 (288 seconds left) | Time when the lease expires and the remaining time of the lease. If the lease expires after the year 2100, this field displays Will expire after 2100. |
| DNS server addresses | IPv6 address of the DNS server. |
| Domain name | Domain name suffix. |
| SIP server addresses | IPv6 address of the SIP server. |
| SIP server domain names | Domain name of the SIP server. |
| Options | Self-defined options. |
| Code | Code of the self-defined option. |
| Length | Self-defined option length in bytes. |
| Hex | Self-defined option content represented by a hexadecimal string. |

Related commands

ipv6 address dhcp-alloc

ipv6 dhcp client duid

ipv6 dhcp client pd

display ipv6 dhcp client statistics

Use display ipv6 dhcp client statistics to display DHCPv6 client statistics.

Syntax

display ipv6 dhcp client statistics [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays statistics for all DHCPv6 clients.

Examples

# Display DHCPv6 client statistics on GigabitEthernet 1/0/1.

<Sysname> display ipv6 dhcp client statistics interface gigabitethernet 1/0/1

Interface                     :  GigabitEthernet1/0/1

Packets received              :  1

         Reply                :  1

         Advertise            :  0

         Reconfigure         :   0

         Invalid              :  0

Packets sent                  :  5

         Solicit              :  0

         Request              :  0

         Renew                :  0

         Rebind               :  0

         Information-request  :  5

         Release              :  0

         Decline              :  0

Table 95 Command output

| Field | Description |
|---|---|
| Interface | Interface that acts as the DHCPv6 client. |
| Packets received | Number of received packets. |
| Reply | Number of received reply packets. |
| Advertise | Number of received advertise packets. |
| Reconfigure | Number of received reconfigure packets. |
| Invalid | Number of invalid packets. |
| Packets sent | Number of sent packets. |
| Solicit | Number of sent solicit packets. |
| Request | Number of sent request packets. |
| Renew | Number of sent renew packets. |
| Rebind | Number of sent rebind packets. |
| Information-request | Number of sent information request packets. |
| Release | Number of sent release packets. |
| Decline | Number of sent decline packets. |

Related commands

reset ipv6 dhcp client statistics

ipv6 address dhcp-alloc

Use ipv6 address dhcp-alloc to configure an interface to use DHCPv6 for IPv6 address acquisition.

Use undo ipv6 address dhcp-alloc to stop an interface from using DHCPv6 and to clear the obtained IPv6 address and other configuration parameters.

Syntax

ipv6 address dhcp-alloc [ option-group option-group-number | rapid-commit ] *

undo ipv6 address dhcp-alloc

Default

An interface does not use DHCPv6 for IPv6 address acquisition.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

VLAN interface view

Predefined user roles

network-admin

Parameters

option-group option-group-number: Enables the DHCPv6 client to create a dynamic DHCPv6 option group for saving the configuration parameters, and assigns an ID to the option group. The value range for the ID is 1 to 100. If you do not specify this option, the DHCPv6 client does not create any dynamic DHCPv6 option groups.

rapid-commit: Supports rapid address or prefix assignment.

Examples

# Configure GigabitEthernet 1/0/1 to use DHCPv6 for IPv6 address acquisition. Configure the DHCPv6 client to support rapid address assignment and create dynamic DHCPv6 option group 1 for the configuration parameters obtained.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 address dhcp-alloc rapid-commit option-group 1

Related commands

display ipv6 dhcp client

ipv6 dhcp client dscp

Use ipv6 dhcp client dscp to set the DSCP value for DHCPv6 packets sent by the DHCPv6 client.

Use undo ipv6 dhcp client dscp to restore the default.

Syntax

ipv6 dhcp client dscp dscp-value

undo ipv6 dhcp client dscp

Default

The DSCP value in DHCPv6 packets is 56.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Sets the DSCP value for DHCPv6 packets, in the range of 0 to 63.

Usage guidelines

The DSCP value is carried in the Traffic class field of a DHCPv6 packet. It specifies the priority level of the packet and affects the transmission priority of the packet. A larger DSCP value represents a higher priority.

Examples

# Set the DSCP value to 30 for DHCPv6 packets sent by the DHCPv6 client.

<Sysname> system-view

[Sysname] ipv6 dhcp client dscp 30

ipv6 dhcp client duid

Use ipv6 dhcp client duid to configure the DHCPv6 client DUID for an interface.

Use undo ipv6 dhcp client duid to restore the default.

Syntax

ipv6 dhcp client duid { ascii string | hex string | mac interface-type interface-number }

undo ipv6 dhcp client duid

Default

The interface uses the device bridge MAC address to generate its DHCPv6 client DUID.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

VLAN interface view

Predefined user roles

network-admin

Parameters

ascii string: Specifies a case-sensitive ASCII string of 1 to 130 characters as the DHCPv6 client DUID.

hex string: Specifies a hexadecimal string of 2 to 260 characters as the DHCPv6 client DUID.

mac interface-type interface-number: Specifies the MAC address of the specified interface as the DHCPv6 client DUID. The interface-type interface-number arguments specify an interface by its type and number.

Usage guidelines

The DUID of a DHCPv6 client is the globally unique identifier of the client, so make sure the DUID that you configure is unique.

A DHCPv6 client places its DUID in Option 1 of the DHCPv6 packets that it sends to the DHCPv6 server. The DHCPv6 server can assign specific IPv6 addresses or prefixes to DHCPv6 clients with specific DUIDs.

Examples

# Specify the MAC address of GigabitEthernet 1/0/2 as the DHCPv6 client DUID for GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp client duid mac gigabitethernet 1/0/2

Related commands

display ipv6 dhcp client

ipv6 dhcp client pd

Use ipv6 dhcp client pd to configure an interface to use DHCPv6 for IPv6 prefix acquisition.

Use undo ipv6 dhcp client pd to stop an interface from using DHCPv6 and to clear the obtained IPv6 prefix and other configuration parameters.

Syntax

ipv6 dhcp client pd prefix-number [ option-group option-group-number | rapid-commit ]*

undo ipv6 dhcp client pd

Default

An interface does not use DHCPv6 for IPv6 prefix acquisition.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

VLAN interface view

Predefined user roles

network-admin

Parameters

prefix-number: Specifies an IPv6 prefix ID in the range of 1 to 1024. After obtaining an IPv6 prefix, the client assigns the ID to the IPv6 prefix.

rapid-commit: Supports rapid address or prefix assignment.

option-group option-group-number: Enables the DHCPv6 client to create a dynamic DHCPv6 option group for saving the configuration parameters, and assigns an ID to the option group. The value range for the ID is 1 to 100. If you do not specify this option, the DHCPv6 client does not create any dynamic DHCPv6 option groups.

Examples

# Configure GigabitEthernet 1/0/1 to use DHCPv6 for IPv6 prefix acquisition. Specify IDs for the dynamic IPv6 prefix and dynamic DHCPv6 option group, and configure the client to support rapid prefix assignment.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp client pd 1 rapid-commit option-group 1

Related commands

display ipv6 dhcp client

ipv6 dhcp client stateless enable

Use ipv6 dhcp client stateless enable to enable stateless DHCPv6.

Use undo ipv6 dhcp client stateless enable to disable stateless DHCPv6.

Syntax

ipv6 dhcp client stateless enable

undo ipv6 dhcp client stateless enable

Default

Stateless DHCPv6 is disabled.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

VLAN interface view

Predefined user roles

network-admin

Usage guidelines

Stateless DHCPv6 enables the interface to send an Information-request message to the multicast address of all DHCPv6 servers and DHCPv6 relay agents for configuration parameters.

Examples

# Enable stateless DHCPv6 on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp client stateless enable

ipv6 dhcp client stateful

Use ipv6 dhcp client stateful to configure an interface to use DHCPv6 for IPv6 address and prefix acquisition.

Use undo ipv6 dhcp client stateful to stop an interface from using DHCPv6 and to clear the obtained IPv6 address, prefix, and other configuration parameters.

Syntax

ipv6 dhcp client stateful prefix prefix-number [ option-group option-group-number | rapid-commit ] *

undo ipv6 dhcp client stateful

Default

An interface does not use DHCPv6 for IPv6 address and prefix acquisition.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

VLAN interface view

Predefined user roles

network-admin

Parameters

prefix prefix-number: Specifies an IPv6 prefix ID in the range of 1 to 1024. After obtaining an IPv6 prefix, the client assigns the ID to the IPv6 prefix.

rapid-commit: Supports rapid address and prefix assignment.

option-group option-group-number: Enables the DHCPv6 client to create a dynamic DHCPv6 option group for saving the configuration parameters, and assigns an ID to the option group. The value range for the ID is 1 to 100. If you do not specify this option, the DHCPv6 client does not create any dynamic DHCPv6 option groups.

Usage guidelines

If the ipv6 dhcp client stateful command is configured on an interface together with the ipv6 address dhcp-alloc and ipv6 dhcp client pd commands, the ipv6 dhcp client stateful command takes effect. To have the ipv6 address dhcp-alloc and ipv6 dhcp client pd commands take effect, you must execute the undo ipv6 dhcp client stateful command.

Examples

# Configure GigabitEthernet 1/0/1 to use DHCPv6 for IPv6 address and prefix acquisition. Specify IDs for the dynamic IPv6 prefix and dynamic DHCPv6 option group, and configure the client to support rapid address and prefix assignment.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp client stateful prefix 1 rapid-commit option-group 1

Related commands

ipv6 address dhcp-alloc

ipv6 dhcp client pd

reset ipv6 dhcp client statistics

Use reset ipv6 dhcp client statistics to clear DHCPv6 client statistics.

Syntax

reset ipv6 dhcp client statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears all DHCPv6 client statistics.

Examples

# Clear all DHCPv6 client statistics.

<Sysname> reset ipv6 dhcp client statistics

Related commands

display ipv6 dhcp client statistics

DHCPv6 snooping commands

DHCPv6 snooping works between the DHCPv6 client and the DHCPv6 server or between the DHCPv6 client and the DHCPv6 relay agent. DHCPv6 snooping does not work between the DHCPv6 server and the DHCPv6 relay agent.

display ipv6 dhcp snooping binding

Use display ipv6 dhcp snooping binding to display DHCPv6 snooping entries.

Syntax

display ipv6 dhcp snooping binding [ address ipv6-address [ vlan vlan-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

address ipv6-address: Displays the DHCPv6 snooping entry for the specified IPv6 address. If you do not specify an IPv6 address, this command displays DHCPv6 snooping entries for all IPv6 addresses.

vlan vlan-id: Specifies the ID of the VLAN where the IPv6 address resides. If you do not specify a VLAN, this command displays DHCPv6 snooping entries for the IPv6 address in all VLANs.

Examples

# Display all DHCPv6 snooping entries.

<Sysname> display ipv6 dhcp snooping binding

1 DHCPv6 snooping entries found.

 IPv6 address     MAC address    Lease       VLAN SVLAN Interface

 ================ ============== =========== ==== ===== ========================

 2::1             00e0-fc00-0006 54          2    N/A   GigabitEthernet1/0/1

Table 96 Command output

| Field | Description |
|---|---|
| IPv6 Address | IPv6 address assigned to the DHCPv6 client. |
| MAC Address | MAC address of the DHCPv6 client. |
| Lease | Remaining lease duration in seconds. |
| VLAN | When both DHCPv6 snooping and QinQ are enabled or the DHCPv6 packet contains two VLAN tags, this field identifies the outer VLAN tag. Otherwise, it identifies the VLAN where the port connecting the DHCPv6 client resides. |
| SVLAN | When both DHCPv6 snooping and QinQ are enabled or the DHCPv6 packet contains two VLAN tags, this field identifies the inner VLAN tag. Otherwise, it displays N/A. |
| Interface | Port connecting to the DHCPv6 client. |

Related commands

ipv6 dhcp snooping binding record

reset ipv6 dhcp snooping binding

display ipv6 dhcp snooping binding database

Use display ipv6 dhcp snooping binding database to display information about DHCPv6 snooping entry auto backup.

Syntax

display ipv6 dhcp snooping binding database

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about DHCPv6 snooping entry auto backup.

<Sysname> display ipv6 dhcp snooping binding database

File name              :   database.dhcp

Username               :  

Password               :  

Update interval        :   600 seconds

Latest write time      :   Feb 27 18:48:04 2012

Status                 :   Last write succeeded.

Table 97 Command output

| Field | Description |
|---|---|
| File name | Name of the DHCPv6 snooping entry backup file. |
| Username | Username for accessing the URL of the remote backup file. |
| Password | Password for accessing the URL of the remote backup file. This field displays ****** if a password is configured. |
| Update interval | Waiting time in seconds after a DHCPv6 snooping entry change for the DHCPv6 snooping device to update the backup file. |
| Latest write time | Time of the latest update. |
| Status | Status of the update: Writing (the backup file is being updated), Last write succeeded (the backup file was successfully updated), or Last write failed (the backup file failed to be updated). |

display ipv6 dhcp snooping packet statistics

Use display ipv6 dhcp snooping packet statistics to display DHCPv6 packet statistics for DHCPv6 snooping.

Syntax

Centralized devices in standalone mode:

display ipv6 dhcp snooping packet statistics

Distributed devices in standalone mode/centralized devices in IRF mode:

display ipv6 dhcp snooping packet statistics [ slot slot-number ]

Distributed devices in IRF mode:

display ipv6 dhcp snooping packet statistics [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays DHCPv6 packet statistics for the active MPU. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays DHCPv6 packet statistics for the master device. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays DHCPv6 packet statistics for the global active MPU. (Distributed devices in IRF mode.)

Examples

# Display DHCPv6 packet statistics for DHCPv6 snooping.

<Sysname> display ipv6 dhcp snooping packet statistics

 DHCPv6 packets received                 : 100

 DHCPv6 packets sent                     : 200

 Invalid DHCPv6 packets dropped          : 0

Related commands

reset ipv6 dhcp snooping packet statistics

display ipv6 dhcp snooping trust

Use display ipv6 dhcp snooping trust to display information about trusted ports.

Syntax

display ipv6 dhcp snooping trust

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about trusted ports.

<Sysname> display ipv6 dhcp snooping trust

DHCPv6 snooping is enabled.

 Interface                                       Trusted

 =========================                       ============

 GigabitEthernet1/0/1                            Trusted

The output shows that DHCPv6 snooping is enabled and GigabitEthernet 1/0/1 is the trusted port.

Related commands

ipv6 dhcp snooping trust

ipv6 dhcp snooping binding database filename

Use ipv6 dhcp snooping binding database filename to configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to a file.

Use undo ipv6 dhcp snooping binding database filename to disable the auto backup and remove the backup file.

Syntax

ipv6 dhcp snooping binding database filename { filename | url url [ username username [ password { cipher | simple } string ] ] }

undo ipv6 dhcp snooping binding database filename

Default

The DHCPv6 snooping device does not back up DHCPv6 snooping entries.

Views

System view

Predefined user roles

network-admin

Parameters

filename: Specifies the name of a local backup file. For information about the filename argument, see Fundamentals Configuration Guide.

url url: Specifies the URL of a remote backup file. The URL is a case-sensitive string of 1 to 255 characters. Do not include a username or password in the URL. Case sensitivity and the supported path format type vary by server.

username username: Specifies the username for accessing the URL of the remote backup file. The username is a case-sensitive string of 1 to 32 characters. Do not specify this option if a username is not required for accessing the URL.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 32 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters. Do not specify this argument if a password is not required for accessing the URL of the remote backup file.

Usage guidelines

This command automatically creates the file if you specify a nonexistent file.

With this command executed, the DHCPv6 snooping device backs up its snooping entries immediately and runs auto backup. The snooping device, by default, waits 300 seconds after a DHCPv6 snooping entry change to update the backup file. You can use the ipv6 dhcp snooping binding database update interval command to change the waiting time. If no DHCPv6 snooping entry changes, the backup file is not updated.

As a best practice, back up the DHCPv6 snooping entries to a remote file. If you use the local storage medium, the frequent erasing and writing might damage the medium and then cause the DHCPv6 snooping device to malfunction.

When the file is on a remote device, follow these restrictions and guidelines to specify the URL, username, and password:

·     If the file is on an FTP server, enter the URL in the format of ftp://server address:port/file path, where the port number is optional.

·     If the file is on a TFTP server, enter the URL in the format of tftp://server address:port/file path, where the port number is optional.

·     The username and password must be the same as those configured on the FTP server. If the server authenticates only the username, the password can be omitted.

·     If the IP address of the server is an IPv6 address, enclose the address in a pair of brackets, for example, ftp://[1::1]/database.dhcp.

·     You can also specify the DNS domain name for the server address field, for example, ftp://company/database.dhcp.

Examples

# Configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to the file database.dhcp.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping binding database filename database.dhcp

# Configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to the file database.dhcp in the working directory of the FTP server at 1::1.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping binding database filename url ftp://[1::1]/database.dhcp username 1 password simple 1

# Configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to the file database.dhcp in the working directory of the TFTP server at 2::1.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping binding database filename url tftp://[2::1]/database.dhcp

Related commands

ipv6 dhcp snooping binding database update interval

ipv6 dhcp snooping binding database update interval

Use ipv6 dhcp snooping binding database update interval to set the waiting time for the DHCPv6 snooping device to update the backup file after a DHCPv6 snooping entry change.

Use undo ipv6 dhcp snooping binding database update interval to restore the default.

Syntax

ipv6 dhcp snooping binding database update interval interval

undo ipv6 dhcp snooping binding database update interval

Default

The DHCPv6 snooping device waits 300 seconds to update the backup file after a DHCPv6 snooping entry change. If no DHCPv6 snooping entry changes, the backup file is not updated.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Sets the waiting time in seconds, in the range of 60 to 864000.

Usage guidelines

When a DHCPv6 snooping entry is learned, updated, or removed, the waiting period starts. The DHCPv6 snooping device updates the backup file when the waiting period expires. All snooping entries changed during the period will be saved to the backup file.

The waiting time takes effect only after you configure the DHCPv6 snooping entry auto backup by using the ipv6 dhcp snooping binding database filename command.

Examples

# Set the waiting time to 600 seconds for the DHCPv6 snooping device to update the backup file.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping binding database update interval 600

Related commands

ipv6 dhcp snooping binding database filename

ipv6 dhcp snooping binding database update now

Use ipv6 dhcp snooping binding database update now to manually save DHCPv6 snooping entries to the backup file.

Syntax

ipv6 dhcp snooping binding database update now

Views

System view

Predefined user roles

network-admin

Usage guidelines

Each time this command is executed, the DHCPv6 snooping entries are saved to the backup file.

This command takes effect only after you configure the DHCPv6 snooping entry auto backup by using the ipv6 dhcp snooping binding database filename command.

Examples

# Manually save DHCPv6 snooping entries to the backup file.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping binding database update now

Related commands

ipv6 dhcp snooping binding database filename

ipv6 dhcp snooping binding record

Use ipv6 dhcp snooping binding record to enable recording of client information in DHCPv6 snooping entries.

Use undo ipv6 dhcp snooping binding record to disable the feature.

Syntax

ipv6 dhcp snooping binding record

undo ipv6 dhcp snooping binding record

Default

DHCPv6 snooping does not record client information.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

This command enables DHCPv6 snooping on the port directly connected to the clients to record client information in DHCPv6 snooping entries.

Examples

# Enable recording of client information in DHCPv6 snooping entries on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping binding record

ipv6 dhcp snooping check request-message

Use ipv6 dhcp snooping check request-message to enable the DHCPv6-REQUEST check feature for the received DHCPv6-RENEW, DHCPv6-DECLINE, and DHCPv6-RELEASE messages.

Use undo ipv6 dhcp snooping check request-message to disable the DHCPv6-REQUEST check feature.

Syntax

ipv6 dhcp snooping check request-message

undo ipv6 dhcp snooping check request-message

Default

The DHCPv6-REQUEST check feature is disabled.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

Use the DHCPv6-REQUEST check feature to protect the DHCPv6 server against DHCPv6 client spoofing attacks. The feature enables the DHCPv6 snooping device to check every received DHCPv6-RENEW, DHCPv6-DECLINE, or DHCPv6-RELEASE message against DHCPv6 snooping entries.

·     If any criterion in an entry is matched, the device compares the entry with the message information.

      ○     If they are consistent, the device considers the message valid and forwards it to the DHCPv6 server.

      ○     If they are different, the device considers the message forged and discards it.

·     If no matching entry is found, the device forwards the message to the DHCPv6 server.

Examples

# Enable DHCPv6-REQUEST check.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping check request-message
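The decision procedure from the usage guidelines above, modelled in Python as an added example (it is not H3C code and not part of the original reference). The binding rows are constructed in the layout of the display ipv6 dhcp snooping binding output. The page does not define which fields count as a "criterion", so the model assumes an entry matches when it shares the IPv6 address or the MAC address, and that consistency covers address, MAC address, VLAN, and receiving port.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the layout of "display ipv6 dhcp snooping binding".
SAMPLE_OUTPUT = """\
2 DHCPv6 snooping entries found.
 IPv6 address     MAC address    Lease       VLAN SVLAN Interface
 ================ ============== =========== ==== ===== ========================
 2::1             00e0-fc00-0006 54          2    N/A   GigabitEthernet1/0/1
 2::2             00e0-fc00-0007 3600        2    N/A   GigabitEthernet1/0/2
"""

# Message types the page lists as subject to the check.
CHECKED_TYPES = {"RENEW", "DECLINE", "RELEASE"}

ROW = re.compile(
    r"^\s*(\S+)\s+((?:[0-9a-f]{4}-){2}[0-9a-f]{4})\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Binding:
    address: ipaddress.IPv6Address
    mac: str
    lease: int        # remaining lease in seconds
    vlan: int
    svlan: str        # inner VLAN tag, or "N/A"
    interface: str


@dataclass(frozen=True)
class Message:
    msg_type: str
    address: ipaddress.IPv6Address
    mac: str
    vlan: int
    interface: str    # port the message arrived on


def parse_bindings(text):
    """Parse binding rows; summary, header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        try:
            address = ipaddress.IPv6Address(m.group(1))
        except ValueError:
            continue  # first column is not an IPv6 address
        entries.append(Binding(address, m.group(2).lower(), int(m.group(3)),
                               int(m.group(4)), m.group(5), m.group(6)))
    return entries


def make_message(msg_type, address, mac, vlan, interface):
    """Build a Message from plain strings (used for the constructed samples)."""
    return Message(msg_type, ipaddress.IPv6Address(address), mac.lower(),
                   vlan, interface)


def check_request(message, bindings):
    """Return (verdict, reason) following the three outcomes on the page."""
    if message.msg_type not in CHECKED_TYPES:
        return "forward", "message type is not checked"
    # Assumption: an entry "matches" when it shares the address or the MAC.
    candidates = [b for b in bindings
                  if b.address == message.address or b.mac == message.mac]
    if not candidates:
        return "forward", "no matching entry"
    for b in candidates:
        # Assumption: consistency covers address, MAC, VLAN and port.
        if (b.address, b.mac, b.vlan, b.interface) == (
                message.address, message.mac, message.vlan, message.interface):
            return "forward", "consistent with entry"
    return "discard", "conflicts with entry for %s" % candidates[0].address


if __name__ == "__main__":
    table = parse_bindings(SAMPLE_OUTPUT)
    samples = [
        make_message("RENEW", "2::1", "00e0-fc00-0006", 2, "GigabitEthernet1/0/1"),
        make_message("RELEASE", "2::1", "00e0-fc00-0007", 2, "GigabitEthernet1/0/2"),
        make_message("DECLINE", "2::99", "00e0-fc00-0099", 2, "GigabitEthernet1/0/3"),
    ]
    for s in samples:
        print(s.msg_type, s.address, s.mac, "->", *check_request(s, table))
```

The third sample shows the behaviour worth remembering when reading the packet statistics: a message for an address with no snooping entry is forwarded, so the check only protects clients whose bindings were recorded.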

ipv6 dhcp snooping deny

Use ipv6 dhcp snooping deny to configure a port as a DHCPv6 packet blocking port.

Use undo ipv6 dhcp snooping deny to restore the default.

Syntax

ipv6 dhcp snooping deny

undo ipv6 dhcp snooping deny

Default

A port does not block DHCPv6 requests.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

A DHCPv6 packet blocking port drops all incoming DHCPv6 requests.

Examples

# Configure GigabitEthernet 1/0/1 as a DHCPv6 packet blocking port.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping deny

ipv6 dhcp snooping enable

Use ipv6 dhcp snooping enable to enable DHCPv6 snooping.

Use undo ipv6 dhcp snooping enable to disable DHCPv6 snooping.

Syntax

ipv6 dhcp snooping enable

undo ipv6 dhcp snooping enable

Default

DHCPv6 snooping is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use the DHCPv6 snooping feature together with trusted port configuration. Before trusted ports are configured, all ports on the DHCPv6 snooping device are untrusted and discard all responses sent from DHCPv6 servers.

When DHCPv6 snooping is disabled, the device forwards all responses from DHCPv6 servers.

Examples

# Enable DHCPv6 snooping.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping enable

ipv6 dhcp snooping log enable

Use ipv6 dhcp snooping log enable to enable DHCPv6 snooping logging.

Use undo ipv6 dhcp snooping log enable to disable DHCPv6 snooping logging.

Syntax

ipv6 dhcp snooping log enable

undo ipv6 dhcp snooping log enable

Default

DHCPv6 snooping logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the DHCPv6 snooping device to generate DHCPv6 snooping logs and send them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

As a best practice, disable this feature if the log generation affects the device performance.

Examples

# Enable DHCPv6 snooping logging.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping log enable

ipv6 dhcp snooping max-learning-num

Use ipv6 dhcp snooping max-learning-num to set the maximum number of DHCPv6 snooping entries for an interface to learn.

Use undo ipv6 dhcp snooping max-learning-num to restore the default.

Syntax

ipv6 dhcp snooping max-learning-num max-number

undo ipv6 dhcp snooping max-learning-num

Default

The number of DHCPv6 snooping entries for an interface to learn is not limited.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

max-number: Sets the maximum number of DHCPv6 snooping entries for an interface to learn. The value range is 1 to 4294967295.

Examples

# Configure the Layer 2 Ethernet interface GigabitEthernet 1/0/1 to learn a maximum of 10 DHCPv6 snooping entries.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping max-learning-num 10

ipv6 dhcp snooping option interface-id enable

Use ipv6 dhcp snooping option interface-id enable to enable support for the interface-ID option (also called Option 18).

Use undo ipv6 dhcp snooping option interface-id enable to disable support for the interface-ID option.

Syntax

ipv6 dhcp snooping option interface-id enable

undo ipv6 dhcp snooping option interface-id enable

Default

Option 18 is not supported.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

This command takes effect only when DHCPv6 snooping is globally enabled.

Examples

# Enable support for Option 18.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping enable

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping option interface-id enable

Related commands

ipv6 dhcp snooping enable

ipv6 dhcp snooping option interface-id string

ipv6 dhcp snooping option interface-id string

Use ipv6 dhcp snooping option interface-id string to specify the content as the interface ID for Option 18.

Use undo ipv6 dhcp snooping option interface-id string to restore the default.

Syntax

ipv6 dhcp snooping option interface-id [ vlan vlan-id ] string interface-id

undo ipv6 dhcp snooping option interface-id [ vlan vlan-id ]

Default

The DHCPv6 snooping device uses its DUID as the content for Option 18.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

vlan vlan-id: Pads the interface ID for packets received from the specified VLAN. If you do not specify a VLAN, the device pads the interface ID for packets received from the default VLAN.

interface-id: Specifies a string of 1 to 128 characters as the interface ID.

Examples

# Specify company001 as the interface ID.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping enable

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping option interface-id enable

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping option interface-id string company001

Related commands

ipv6 dhcp snooping enable

ipv6 dhcp snooping option interface-id enable

ipv6 dhcp snooping option remote-id enable

Use ipv6 dhcp snooping option remote-id enable to enable support for the remote-ID option (also called Option 37).

Use undo ipv6 dhcp snooping option remote-id enable to restore the default.

Syntax

ipv6 dhcp snooping option remote-id enable

undo ipv6 dhcp snooping option remote-id enable

Default

Option 37 is not supported.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

This command takes effect only when DHCPv6 snooping is globally enabled.

Examples

# Enable support for Option 37.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping enable

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping option remote-id enable

Related commands

ipv6 dhcp snooping enable

ipv6 dhcp snooping option remote-id string

ipv6 dhcp snooping option remote-id string

Use ipv6 dhcp snooping option remote-id string to specify the content as the remote ID for Option 37.

Use undo ipv6 dhcp snooping option remote-id string to restore the default.

Syntax

ipv6 dhcp snooping option remote-id [ vlan vlan-id ] string remote-id

undo ipv6 dhcp snooping option remote-id [ vlan vlan-id ]

Default

The DHCPv6 snooping device uses its DUID as the content for Option 37.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

vlan vlan-id: Pads the remote ID for packets received from the specified VLAN. If you do not specify a VLAN, the device pads the remote ID for packets received from the default VLAN.

remote-id: Specifies a string of 1 to 128 characters as the remote ID.

Examples

# Specify device001 as the remote ID.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping enable

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping option remote-id enable

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping option remote-id string device001

Related commands

ipv6 dhcp snooping enable

ipv6 dhcp snooping option remote-id enable

ipv6 dhcp snooping trust

Use ipv6 dhcp snooping trust to configure a port as a trusted port.

Use undo ipv6 dhcp snooping trust to restore the default state of a port.

Syntax

ipv6 dhcp snooping trust

undo ipv6 dhcp snooping trust

Default

After you enable DHCPv6 snooping, all ports are untrusted.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

Specify the port facing the DHCPv6 server as trusted and specify the other ports as untrusted so that DHCPv6 clients can obtain valid IPv6 addresses.

Examples

# Specify GigabitEthernet 1/0/1 as a trusted port.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping trust

Related commands

display ipv6 dhcp snooping trust
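The DHCPv6 snooping commands above depend on each other (global enable, trusted ports, backup file, binding recording), and a configuration template can be checked against those dependencies before it is deployed. The following Python audit is an added example, not H3C tooling; both configuration texts are constructed, and the "#"-separated layout with "interface" section headers is an assumption about how the configuration is saved. The CHECK_NO_ENTRIES and UNLIMITED_LEARNING findings are inferences from the defaults stated on this page (client information is not recorded, and the number of learned entries is not limited).

```python
import re
from urllib.parse import urlsplit

PREFIX = "ipv6 dhcp snooping "

# Constructed template with dependency problems (credentials are made-up).
BAD_CONFIG = """\
#
 ipv6 dhcp snooping binding database filename url ftp://admin:secret@[1::1]/database.dhcp
 ipv6 dhcp snooping binding database update interval 30
#
interface GigabitEthernet1/0/1
 ipv6 dhcp snooping option interface-id enable
 ipv6 dhcp snooping check request-message
"""

# Constructed template that satisfies every dependency checked below.
GOOD_CONFIG = """\
#
 ipv6 dhcp snooping enable
 ipv6 dhcp snooping binding database filename url ftp://[1::1]/database.dhcp
 ipv6 dhcp snooping binding database update interval 600
#
interface GigabitEthernet1/0/1
 ipv6 dhcp snooping trust
#
interface GigabitEthernet1/0/2
 ipv6 dhcp snooping binding record
 ipv6 dhcp snooping check request-message
 ipv6 dhcp snooping max-learning-num 10
"""


def parse_config(text):
    """Return (global snooping commands, {interface: snooping commands})."""
    glob, ports = [], {}
    target = glob
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            target = glob  # "#" closes the current section
        elif line.startswith("interface "):
            target = ports.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(PREFIX):
            target.append(line[len(PREFIX):])
    return glob, ports


def check_backup_url(url):
    """Apply the URL rules listed for 'binding database filename url'."""
    found = []
    try:
        parts = urlsplit(url)
    except ValueError:
        return found + [("URL_MALFORMED", "URL cannot be parsed")]
    if parts.scheme not in ("ftp", "tftp"):
        found.append(("URL_SCHEME", "expected ftp:// or tftp://"))
    _, at, hostport = parts.netloc.rpartition("@")
    if at:
        found.append(("URL_CREDENTIALS", "username or password embedded in URL"))
    if not hostport.startswith("[") and hostport.count(":") > 1:
        found.append(("URL_IPV6_BRACKETS", "IPv6 server address needs brackets"))
    return found


def audit(text):
    """Return (code, message) findings for one configuration text."""
    glob, ports = parse_config(text)
    port_cmds = [(p, c) for p, cmds in ports.items() for c in cmds]
    found = []
    if "enable" not in glob:
        for port, cmd in port_cmds:
            if cmd in ("option interface-id enable", "option remote-id enable"):
                found.append(("OPTION_NO_GLOBAL", f"{port}: '{cmd}' needs global enable"))
    elif not any(cmd == "trust" for _, cmd in port_cmds):
        found.append(("NO_TRUSTED_PORT", "all DHCPv6 server responses are discarded"))
    backups = [c for c in glob if c.startswith("binding database filename ")]
    for cmd in glob:
        m = re.fullmatch(r"binding database update interval (\d+)", cmd)
        if m and not backups:
            found.append(("INTERVAL_NO_BACKUP", "interval needs a backup file"))
        if m and not 60 <= int(m.group(1)) <= 864000:
            found.append(("INTERVAL_RANGE", "interval must be 60 to 864000 seconds"))
    for cmd in backups:
        m = re.match(r"binding database filename url (\S+)", cmd)
        found += check_backup_url(m.group(1)) if m else []
    recording = [p for p, c in port_cmds if c == "binding record"]
    for port, cmd in port_cmds:
        if cmd == "check request-message" and not recording:
            found.append(("CHECK_NO_ENTRIES", f"{port}: no port records bindings"))
    for port in recording:
        if not any(c.startswith("max-learning-num ") for c in ports[port]):
            found.append(("UNLIMITED_LEARNING", f"{port}: no max-learning-num limit"))
    return found


if __name__ == "__main__":
    print("\n".join(f"{code}: {text}" for code, text in audit(BAD_CONFIG)))
```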

reset ipv6 dhcp snooping binding

Use reset ipv6 dhcp snooping binding to clear DHCPv6 snooping entries.

Syntax

reset ipv6 dhcp snooping binding { all | address ipv6-address [ vlan vlan-id ] }

Views

User view

Predefined user roles

network-admin

Parameters

address ipv6-address: Clears the DHCPv6 snooping entry for the specified IPv6 address.

vlan vlan-id: Clears DHCPv6 snooping entries for the specified VLAN. If you do not specify a VLAN, this command clears DHCPv6 snooping entries for the default VLAN.

all: Clears all DHCPv6 snooping entries.

Usage guidelines

This command applies to all slots on a distributed device.

Examples

# Clear all DHCPv6 snooping entries.

<Sysname> reset ipv6 dhcp snooping binding all

Related commands

display ipv6 dhcp snooping binding

reset ipv6 dhcp snooping packet statistics

Use reset ipv6 dhcp snooping packet statistics to clear DHCPv6 packet statistics for DHCPv6 snooping.

Syntax

Centralized devices in standalone mode:

reset ipv6 dhcp snooping packet statistics

Distributed devices in standalone mode/centralized devices in IRF mode:

reset ipv6 dhcp snooping packet statistics [ slot slot-number ]

Distributed devices in IRF mode:

reset ipv6 dhcp snooping packet statistics [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears DHCPv6 packet statistics for the active MPU. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears DHCPv6 packet statistics for the master device. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears DHCPv6 packet statistics for the global active MPU. (Distributed devices in IRF mode.)

Examples

# Clear DHCPv6 packet statistics for DHCPv6 snooping.

<Sysname> reset ipv6 dhcp snooping packet statistics

Related commands

display ipv6 dhcp snooping packet statistics


IPv6 fast forwarding commands

IPv6-related features are not supported on the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR3600-28-SI/3600-51-SI.

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

·     MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

display ipv6 fast-forwarding aging-time

Use display ipv6 fast-forwarding aging-time to display the aging time of IPv6 fast forwarding entries.

Syntax

display ipv6 fast-forwarding aging-time

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the aging time of IPv6 fast forwarding entries.

<Sysname> display ipv6 fast-forwarding aging-time

Aging time: 30s

Table 98 Command output

| Field | Description |
|---|---|
| Aging time | Aging time of IPv6 fast forwarding entries, in seconds. |

Related commands

ipv6 fast-forwarding aging-time

display ipv6 fast-forwarding cache

Use display ipv6 fast-forwarding cache to display IPv6 fast forwarding entries.

Syntax

Centralized devices in standalone mode:

display ipv6 fast-forwarding cache [ ipv6-address ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display ipv6 fast-forwarding cache [ ipv6-address ] [ slot slot-number ]

Distributed devices in IRF mode:

display ipv6 fast-forwarding cache [ ipv6-address ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv6-address: Specifies an IPv6 address. If you do not specify an IPv6 address, this command displays all IPv6 fast forwarding entries.

slot slot-number: Specifies a card by the slot number. If you do not specify a card, this command displays IPv6 fast forwarding entries for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv6 fast forwarding entries for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv6 fast forwarding entries for all cards. (Distributed devices in IRF mode.)

Usage guidelines

Each IPv6 fast forwarding entry includes the following fields:

·     Source IPv6 address.

·     Source port number.

·     Destination IPv6 address.

·     Destination port number.

·     Protocol number.

·     VPN instance.

·     Input and output interfaces.

Examples

# Display all IPv6 fast forwarding entries.

<Sysname> display ipv6 fast-forwarding cache

Total number of IPv6 fast-forwarding items: 2

Src IP: 2002::1                                        Src port: 129

Dst IP: 2001::1                                        Dst port: 65535

Protocol: 58

VPN instance: vpn1

Input interface: GE1/0/2

Output interface: GE1/0/1

 

Src IP: 2001::1                                        Src port: 128

Dst IP: 2002::1                                        Dst port: 0

Protocol: 58

VPN instance: vpn2

Input interface: GE1/0/1

Output interface: GE1/0/2

Table 99 Command output

| Field | Description |
|---|---|
| Total number of IPv6 fast-forwarding items | Number of IPv6 fast forwarding entries. |
| Src IP | Source IPv6 address. |
| Src port | Source port number. |
| Dst IP | Destination IPv6 address. |
| Dst Port | Destination port number. |
| Protocol | Protocol number. |
| VPN instance | VPN instance. |
| Input interface | Input interface type and number. If no interface is involved in fast forwarding, this field displays N/A. If the input interface does not exist, this field displays a hyphen (-). |
| Output interface | Output interface type and number. If no interface is involved in fast forwarding, this field displays N/A. If the output interface does not exist, this field displays a hyphen (-). |

Related commands

reset ipv6 fast-forwarding cache

ipv6 fast-forwarding aging-time

Use ipv6 fast-forwarding aging-time to set the aging time for IPv6 fast forwarding entries.

Use undo ipv6 fast-forwarding aging-time to restore the default.

Syntax

ipv6 fast-forwarding aging-time aging-time

undo ipv6 fast-forwarding aging-time

Default

The aging time is 30 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

aging-time: Sets the aging time in the range of 10 to 300 seconds.

Examples

# Set the aging time to 20 seconds for IPv6 fast forwarding entries.

<Sysname> system-view

[Sysname] ipv6 fast-forwarding aging-time 20

Related commands

display ipv6 fast-forwarding aging-time

ipv6 fast-forwarding load-sharing

Use ipv6 fast-forwarding load-sharing to enable IPv6 fast forwarding load sharing.

Use undo ipv6 fast-forwarding load-sharing to disable IPv6 fast forwarding load sharing.

Syntax

ipv6 fast-forwarding load-sharing

undo ipv6 fast-forwarding load-sharing

Default

IPv6 fast forwarding load sharing is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

IPv6 fast forwarding load sharing enables the device to load share packets of the same flow. This feature identifies a data flow by using the five-tuple (source IP, source port, destination IP, destination port, and protocol).

If IPv6 fast forwarding load sharing is disabled, the device identifies a data flow by the five-tuple and the input interface. No load sharing is implemented.

Examples

# Enable IPv6 fast forwarding load sharing.

<Sysname> system-view

[Sysname] ipv6 fast-forwarding load-sharing

reset ipv6 fast-forwarding cache

Use reset ipv6 fast-forwarding cache to clear the IPv6 fast forwarding table.

Syntax

Centralized devices in standalone mode:

reset ipv6 fast-forwarding cache

Distributed devices in standalone mode/centralized devices in IRF mode:

reset ipv6 fast-forwarding cache [ slot slot-number ]

Distributed devices in IRF mode:

reset ipv6 fast-forwarding cache [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears the IPv6 fast forwarding table for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears the IPv6 fast forwarding table for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears the IPv6 fast forwarding table for all cards. (Distributed devices in IRF mode.)

Examples

# Clear the IPv6 fast forwarding table.

<Sysname> reset ipv6 fast-forwarding cache

Related commands

display ipv6 fast-forwarding cache


Tunneling commands

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

·     MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

bandwidth

Use bandwidth to set the expected bandwidth for an interface.

Use undo bandwidth to restore the default.

Syntax

bandwidth bandwidth-value

undo bandwidth

Default

The expected bandwidth (in kbps) is the interface maximum rate divided by 1000.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

bandwidth-value: Specifies the expected bandwidth, in the range of 1 to 400000000 kbps.

Usage guidelines

The expected bandwidth for an interface affects the link costs in OSPF, OSPFv3, and IS-IS. For more information, see Layer 3—IP Routing Configuration Guide.

Examples

# Set the expected bandwidth for Tunnel 1 to 100 kbps.

<Sysname> system-view

[Sysname] interface tunnel 1

[Sysname-Tunnel1] bandwidth 100

default

Use default to restore the default settings for a tunnel interface.

Syntax

default

Views

Tunnel interface view

Predefined user roles

network-admin

Usage guidelines

CAUTION:

The default command might interrupt ongoing network services. Make sure you are fully aware of the impact of this command when you use it on a live network.

 

This command might fail to restore the default settings for some commands for reasons such as command dependencies or system restrictions. Use the display this command in interface view to identify these commands. Use their undo forms or follow the command reference to restore their default settings. If your restoration attempt still fails, follow the error message instructions to resolve the problem.

Examples

# Restore the default settings of interface tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1

[Sysname-Tunnel1] default

description

Use description to configure a description for a tunnel interface.

Use undo description to restore the default.

Syntax

description text

undo description

Default

The description for a tunnel interface is Tunnelnumber Interface, for example, Tunnel1 Interface.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 255 characters.

Usage guidelines

Configure descriptions for different interfaces for identification and management purposes.

You can use the display interface command to display the configured interface description.

Examples

# Configure the description for interface Tunnel 1 as tunnel1.

<Sysname> system-view

[Sysname] interface tunnel 1

[Sysname-Tunnel1] description tunnel1

Related commands

display interface tunnel

destination

Use destination to specify the destination address for a tunnel interface.

Use undo destination to restore the default.

Syntax

destination { ipv4-address | ipv6-address }

undo destination

Default

No tunnel destination address is configured.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the tunnel destination IPv4 address.

ipv6-address: Specifies the tunnel destination IPv6 address.

Usage guidelines

For a manual tunnel interface, you must configure the destination address. For an automatic tunnel interface, you do not need to configure the destination address.

The tunnel destination address must be the address of the receiving interface on the tunnel peer. It is used as the destination address of tunneled packets.

The destination address of the local tunnel interface must be the source address of the peer tunnel interface. The source address of the local tunnel interface must be the destination address of the peer tunnel interface.

Examples

Establish a tunnel between Sysname 1 and Sysname 2. Configure the source and destination addresses for the tunnel:

# Configure the source address 193.101.1.1 and destination address 192.100.1.1 for the tunnel interface on Sysname 1.

<Sysname1> system-view

[Sysname1] interface tunnel 1 mode gre

[Sysname1-Tunnel1] source 193.101.1.1

[Sysname1-Tunnel1] destination 192.100.1.1

# Configure the source address 192.100.1.1 and destination address 193.101.1.1 for the tunnel interface on Sysname 2.

<Sysname2> system-view

[Sysname2] interface tunnel 1 mode gre

[Sysname2-Tunnel1] source 192.100.1.1

[Sysname2-Tunnel1] destination 193.101.1.1

Related commands

display interface tunnel

interface tunnel

source

display 6rd

Use display 6rd to display 6RD tunnel interface information. The information includes the tunnel source address, IPv6 prefix/prefix length, IPv4 prefix/prefix length, IPv4 suffix/suffix length, BR address, and 6RD delegated prefix.

Syntax

display 6rd [ interface tunnel number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface tunnel number: Specifies an existing tunnel interface by its number. If you do not specify a 6RD tunnel interface, this command displays information about all existing 6RD tunnel interfaces.

Examples

# Display information about 6RD tunnel interface Tunnel 1.

<Sysname> display 6rd interface tunnel 1

Interface           : Tunnel1

  Tunnel source     : 10.11.12.13

  6RD status        : Operational

    IPv6 prefix     : 2001:1000::/32

    IPv4 prefix     : 10.0.0.0/8

    IPv4 suffix     : 0.0.0.0/0

    BR address      : 10.11.12.1

    Delegated prefix: 2001:1000:B0C:D00::/56

# Display information about all 6RD tunnel interfaces.

<Sysname> display 6rd

Interface           : Tunnel0

  Tunnel source     : 0.0.0.0

  6RD status        : Not operational

    IPv6 prefix     : 2002:1000::/32

 

Interface           : Tunnel1

  Tunnel source     : 10.11.12.13

  6RD status        : Operational

    IPv6 prefix     : 2001:1000::/32

    IPv4 prefix     : 10.0.0.0/8

    IPv4 suffix     : 0.0.0.0/0

    BR address      : 10.11.12.1

    Delegated prefix: 2001:1000:B0C:D00::/56

Table 100 Command output

| Field | Description |
|---|---|
| Interface | Tunnel interface. |
| Tunnel source | Source address of the tunnel. If a source interface is specified for the tunnel interface, this field displays the IP address of the source interface. If no source address or source interface is specified for the tunnel interface, or the specified source interface has no IP address, this field displays 0.0.0.0. |
| 6RD status | 6RD configuration status: Operational—6RD configuration is available; Not operational—6RD configuration is not available. This field displays Operational when the tunnel source address and 6RD prefix are configured. |
| IPv6 prefix | 6RD prefix and its length. If no 6RD prefix is configured, this field displays Not configured. |
| IPv4 prefix | IPv4 prefix and its length. If the prefix length is not configured, this field displays 0.0.0.0/0. |
| IPv4 suffix | IPv4 suffix and its length. If the suffix length is not configured, this field displays 0.0.0.0/0. |
| BR address | IP address of the BR router. If no BR address is configured, this field displays Not configured. |
| Delegated prefix | 6RD delegated prefix calculated based on the 6RD configuration. This field is empty if the 6RD status is Not operational. |

 

Related commands

tunnel 6rd br

tunnel 6rd ipv4

tunnel 6rd prefix

display 6rd destination

Use display 6rd destination to display a 6RD tunnel destination address.

Syntax

display 6rd destination prefix ipv6-prefix interface tunnel number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

prefix ipv6-prefix: Specifies a 6RD delegated prefix.

interface tunnel number: Specifies an existing tunnel interface by its number.

Usage guidelines

After this command is executed, the system displays the 6RD tunnel destination address calculated from the specified 6RD delegated prefix and the 6RD configuration on the tunnel interface. The 6RD configuration includes the 6RD prefix/prefix length, IPv4 prefix/prefix length, and IPv4 suffix/suffix length.

Examples

# Display the 6RD tunnel destination address calculated from the 6RD delegated prefix 2001:1000:0101:0100:: and the 6RD configuration on interface Tunnel 1.

<Sysname> display 6rd destination prefix 2001:1000:0101:0100:: interface tunnel 1

Interface       : Tunnel1

Delegated prefix: 2001:1000:101:100::

Destination     : 10.1.1.1

Table 101 Command output

| Field | Description |
|---|---|
| Interface | Tunnel interface. |
| Delegated prefix | 6RD delegated prefix. |
| Destination | Tunnel destination address. |

 

Related commands

display 6rd prefix

display 6rd prefix

Use display 6rd prefix to display a 6RD delegated prefix.

Syntax

display 6rd prefix destination ipv4-address interface tunnel number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

destination ipv4-address: Specifies a 6RD tunnel destination address.

interface tunnel number: Specifies an existing tunnel interface by its number.

Usage guidelines

After this command is executed, the system displays the 6RD delegated prefix calculated from the specified 6RD tunnel destination address and the 6RD configuration on the tunnel interface. The 6RD configuration includes the 6RD prefix/prefix length, IPv4 prefix/prefix length, and IPv4 suffix/suffix length. The 6RD delegated prefix calculated on the peer tunnel interface must be the same as the 6RD delegated prefix configured on the local device.

Examples

# Display the 6RD delegated prefix calculated from the 6RD tunnel destination address 10.1.1.1 and the 6RD configuration on interface Tunnel 1.

<Sysname> display 6rd prefix destination 10.1.1.1 interface tunnel 1

Interface       : Tunnel1

Destination     : 10.1.1.1

Delegated Prefix: 2001:1000:101:100::

Table 102 Command output

| Field | Description |
|---|---|
| Interface | Tunnel interface. |
| Destination | 6RD tunnel destination address. |
| Delegated Prefix | 6RD delegated prefix. |

 

Related commands

display 6rd destination
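
The mapping reported by display 6rd destination and display 6rd prefix can be reproduced offline to audit a 6RD plan before deployment. The following is an added example, not H3C code: the class and method names are hypothetical, and it assumes the RFC 5969 layout, in which the IPv4 bits left after removing the common prefix and suffix are appended to the 6RD prefix. The sample values are the ones shown in the command output above.

```python
import ipaddress


class SixRdDomain:
    """6RD settings as listed by `display 6rd` (hypothetical helper class)."""

    def __init__(self, sixrd_prefix, tunnel_source, v4_prefix_len=0, v4_suffix_len=0):
        self.net6 = ipaddress.IPv6Network(sixrd_prefix)
        self.source = int(ipaddress.IPv4Address(tunnel_source))
        self.slen = v4_suffix_len
        # Number of IPv4 bits carried inside the delegated prefix.
        self.embed_bits = 32 - v4_prefix_len - v4_suffix_len
        if v4_prefix_len < 0 or v4_suffix_len < 0 or self.embed_bits < 0:
            raise ValueError("IPv4 prefix/suffix lengths must fit in 32 bits")
        self.delegated_len = self.net6.prefixlen + self.embed_bits
        if self.delegated_len > 128:
            raise ValueError("delegated prefix longer than 128 bits")
        self.embed_mask = (1 << self.embed_bits) - 1

    def _common_bits(self, v4):
        """IPv4 bits outside the embedded field (shared prefix and suffix)."""
        return v4 & ~(self.embed_mask << self.slen) & 0xFFFFFFFF

    def delegated_prefix(self, ipv4_addr):
        """IPv4 tunnel endpoint -> 6RD delegated prefix."""
        v4 = int(ipaddress.IPv4Address(ipv4_addr))
        # An address that does not share the domain's prefix/suffix bits would
        # silently alias to the prefix of another endpoint, so reject it.
        if self._common_bits(v4) != self._common_bits(self.source):
            raise ValueError(f"{ipv4_addr} is outside the 6RD IPv4 domain")
        embedded = (v4 >> self.slen) & self.embed_mask
        value = int(self.net6.network_address) | (embedded << (128 - self.delegated_len))
        return ipaddress.IPv6Network((value, self.delegated_len))

    def destination(self, delegated):
        """6RD delegated prefix -> IPv4 tunnel destination address."""
        addr = ipaddress.IPv6Interface(delegated).ip  # accepts "p::" or "p::/len"
        if addr not in self.net6:
            raise ValueError(f"{delegated} is not inside {self.net6}")
        embedded = (int(addr) >> (128 - self.delegated_len)) & self.embed_mask
        v4 = self._common_bits(self.source) | (embedded << self.slen)
        return ipaddress.IPv4Address(v4)

    def peer_consistent(self, peer_ipv4, configured_prefix):
        """True if the prefix derived from the peer matches the configured one."""
        try:
            derived = self.delegated_prefix(peer_ipv4)
        except ValueError:
            return False
        return derived == ipaddress.IPv6Network(configured_prefix, strict=False)


if __name__ == "__main__":
    # Values taken from the display 6rd sample output for Tunnel1.
    dom = SixRdDomain("2001:1000::/32", "10.11.12.13", v4_prefix_len=8)
    print(dom.delegated_prefix("10.11.12.13"))
    print(dom.destination("2001:1000:0101:0100::"))
    print(dom.peer_consistent("10.1.1.1", "2001:1000:101:100::/56"))
```
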

display ds-lite b4 information

Use display ds-lite b4 information to display information about the connected B4 routers on the AFTR, including the IPv6 addresses of the B4 routers, and the assigned tunnel IDs.

Syntax

display ds-lite b4 information

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# (Centralized devices in standalone mode.) Display information about the connected B4 routers.

<Sysname> display ds-lite b4 information

 B4 address                                     Tunnel ID  Tunnel interface  Idle time

 1234:5678:1234:5678:abcd:abcd:efff:1234        0x00000023       1              12

 2000::100:1                                    0x80000013       2              13

 3000::2                                        0x00000015       3              8

 3001::2                                        0x00000032       --             15

 Total B4 addresses: 4

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about the connected B4 routers.

<Sysname> display ds-lite b4 information

Slot 0 Cpu 0:

 B4 address                                     Tunnel ID  Tunnel interface  Idle time

 1234:5678:1234:5678:abcd:abcd:efff:1234        0x00000023       1              12

 2000::100:1                                    0x80000013       2              13

 3000::2                                        0x00000015       3              2

 3001::2                                        0x00000032       --             --

 Total B4 addresses: 4

 

Slot 1 Cpu 0:

 B4 address                                     Tunnel ID  Tunnel interface  Idle time

 1234:5678:1234:5678:abcd:abcd:efff:ffff        0x00000125       1              12

 5000::100:1                                    0x80000010       5              13

 Total B4 addresses: 2

# (Distributed devices in IRF mode.) Display information about the connected B4 routers.

<Sysname> display ds-lite b4 information

Chassis 1 Slot 0 Cpu0:

 B4 address                                     Tunnel ID  Tunnel interface  Idle time

 1234:5678:1234:5678:abcd:abcd:efff:1234        0x00000023       1              12

 2000::100:1                                    0x80000013       2              13

 3000::2                                        0x00000015       3              2

 3001::2                                        0x00000032       --             --

 Total B4 addresses: 4

 

Chassis 1 Slot 1 Cpu0:

 B4 address                                     Tunnel ID  Tunnel interface  Idle time

 1234:5678:1234:5678:abcd:abcd:efff:ffff        0x00000125       1              12

 5000::100:1                                    0x80000010       5              13

 Total B4 addresses: 2

Table 103 Command output

| Field | Description |
|---|---|
| B4 address | IPv6 address of the B4 router. |
| Tunnel ID | Tunnel ID that the IPv6 address of the B4 router maps to. |
| Tunnel interface | ID of the tunnel interface on the DS-Lite tunnel to which the mapping belongs. When the tunnel to which the mapping belongs is removed or a tunnel with the same ID but different mode is created, this field displays hyphens (--). |
| Idle time | Remaining time in minutes for the mapping between the IPv6 address of the B4 router and tunnel ID. When the mapping ages out but is still used by a session, this field displays hyphens (--). |
| Total B4 addresses | Number of IPv6 addresses for the B4 router. |

 

display interface tunnel

Use display interface tunnel to display information about tunnel interfaces, including the source address, destination address, and tunnel mode.

Syntax

display interface [ tunnel [ number ] ] [ brief [ description | down ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

number: Specifies the number of an existing tunnel interface.

brief: Displays brief interface information. If you do not specify this keyword, the command displays detailed interface information.

description: Displays complete interface descriptions. If you do not specify this keyword, the command displays only the first 27 characters of interface descriptions.

down: Displays information about interfaces in the physical state of DOWN and the causes. If you do not specify this keyword, the command displays information about interfaces in all states.

Usage guidelines

If you do not specify the tunnel keyword, this command displays information about all interfaces on the device.

If you specify the tunnel keyword without the number argument, this command displays information about all existing tunnel interfaces.

Examples

# Display detailed information about interface Tunnel 1.

<Sysname> display interface tunnel 1

Tunnel1

Current state: UP

Line protocol state: UP

Description: Tunnel1 Interface

Bandwidth: 64kbps

Maximum transmission unit: 1476

Internet address: 10.1.2.1/24 (primary)

Tunnel source 2002::1:1 (Vlan-interface10), destination 2001::2:1

Tunnel TOS 0xC8, Tunnel TTL 255

Tunnel protocol/transport GRE/IPv6

    GRE key value is 1

    Checksumming of GRE packets disabled

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

Table 104 Command output

Field

Description

Tunnel1

Information about the tunnel interface Tunnel 1.

Current state

State of the tunnel interface:

·     Administratively DOWN—The interface has been shut down by using the shutdown command.

·     DOWN—The interface is administratively up but its physical state is down.

·     DOWN (Tunnel-Bundle administratively down)—The tunnel bundle interface to which the interface belongs has been shut down by using the shutdown command.

·     UP—Both the administrative and physical states of the interface are up.

Line protocol state

Link layer protocol state of the tunnel interface. The value is determined by parameter negotiation on the link layer.

·     UP—The protocol state of the interface is up.

·     UP (spoofing)—The link protocol state of the interface is up, but the link is temporarily set up on demand or does not exist. This attribute is available for null interfaces and loopback interfaces.

·     DOWN—The protocol state of the interface is down.

Description

Description for the tunnel interface.

Bandwidth

Expected bandwidth for the tunnel interface.

Maximum transmission unit

MTU of the tunnel interface.

Internet address

IP address of the tunnel interface.

If no IP address is assigned to the interface, this field displays Internet protocol processing: disabled, and the tunnel interface cannot process packets.

The attribute primary indicates that the IP address is the primary IP address of the interface.

Tunnel source

Source address of the tunnel. If a source interface is specified for the tunnel interface, this field also displays the source interface in parentheses.

destination

Destination address of the tunnel.

Tunnel TOS

ToS of tunneled packets.

Tunnel TTL

TTL of tunneled packets.

Tunnel protocol/transport

Tunnel mode and transport protocol:

·     CR_LSP—MPLS TE tunnel mode.

·     DSLITE—DS-Lite tunnel mode on the AFTR.

·     GRE/IP—GRE/IPv4 tunnel mode.

·     GRE/IPv6—GRE/IPv6 tunnel mode.

·     GRE_ADVPN/IP—GRE-encapsulated IPv4 ADVPN tunnel mode.

·     GRE_ADVPN/IPv6—GRE-encapsulated IPv6 ADVPN tunnel mode.

·     GRE_EVI/IP—GRE-encapsulated IPv4 EVI tunnel mode.

·     GRE_EVI/IPv6—GRE-encapsulated IPv6 EVI tunnel mode.

·     IP/IP—IPv4 over IPv4 tunnel mode.

·     IP/IPv6—IPv4 over IPv6 tunnel mode.

·     IPv6—IPv6 tunnel mode.

·     IPv6/IP—IPv6 over IPv4 manual tunnel mode.

·     IPv6/IP 6rd—IPv6 over IPv4 6RD tunnel mode.

·     IPv6/IP 6to4—IPv6 over IPv4 6to4 tunnel mode.

·     IPv6/IP auto-tunnel—Automatic IPv6 over IPv4 tunnel mode.

·     IPv6/IP ISATAP—IPv6 over IPv4 ISATAP tunnel mode.

·     IPv6/IPv6—IPv6 over IPv6 tunnel mode.

·     UDP_ADVPN/IP—UDP-encapsulated IPv4 ADVPN tunnel mode.

·     UDP_ADVPN/IPv6—UDP-encapsulated IPv6 ADVPN tunnel mode.

·     UDP_VXLAN/IP—UDP-encapsulated IPv4 VXLAN tunnel mode.

·     NVE/IP—IPv4 NVE tunnel mode.

GRE key value is 1

The GRE tunnel interface key is 1.

If no GRE tunnel interface key is configured, this field displays GRE key disabled.

Checksumming of GRE packets disabled

The GRE packet checksum feature is disabled.

If GRE packet checksum is enabled, this field displays Checksumming of GRE packets enabled.

Source port number is 18001

The source port number is 18001 in ADVPN packets sent by the UDP-encapsulated ADVPN tunnel interface.

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Urgent output queue statistics:
Number of packets in the queue/maximum number of packets that the queue can contain/number of packets discarded in the queue.

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Protocol output queue statistics:
Number of packets in the queue/maximum number of packets that the queue can contain/number of packets discarded in the queue.

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

FIFO output queue statistics:
Number of packets in the queue/maximum number of packets that the queue can contain/number of packets discarded in the queue.

When a CBQ or WFQ queue is configured, this field displays statistics for the CBQ or WFQ queue.

Last clearing of counters

Last time when counters were cleared.

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Average input rate in the last 300 seconds.

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Average output rate in the last 300 seconds.

 

# Display brief information about interface Tunnel 1.

<Sysname> display interface tunnel 1 brief

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface            Link Protocol Primary IP         Description

Tun1                 UP   UP       1.1.1.1            tunnel1

# Display brief information about interface Tunnel 1, including the complete interface description.

<Sysname> display interface tunnel 1 brief description

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface            Link Protocol Primary IP         Description

Tun1                 UP   UP       1.1.1.1            tunnel1

# Display information about interfaces in DOWN state and the causes.

<Sysname> display interface tunnel brief down

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Interface            Link Cause

Tun0                 DOWN Not connected

Tun1                 DOWN Not connected

Table 105 Command output

Field

Description

Brief information on interfaces in route mode

Brief information about Layer 3 interfaces.

Link: ADM - administratively down; Stby - standby

Link status:

·     ADM—The interface has been administratively shut down. To bring it up, use the undo shutdown command.

·     Stby—The interface is a backup interface. To show the primary interface, use the display interface-backup state command.

Protocol: (s) - spoofing

(s) indicates that the data link layer protocol state is UP, but the link is temporarily set up on demand or does not exist. This attribute is available for null interfaces and loopback interfaces.

Interface

Abbreviated interface name.

Link

Physical link state of the interface:

·     UP—The link is physically up.

·     DOWN—The link is physically down.

·     ADM—The link has been administratively shut down. To bring it up, use the undo shutdown command.

·     Stby—The interface is a backup interface.

Protocol

Data link layer protocol state of the interface:

·     UP—The data link protocol state of the interface is up.

·     DOWN—The data link protocol state of the interface is down.

·     UP(s)—The data link protocol state of the interface is up, but the link is temporarily set up on demand or does not exist. This attribute is available for null interfaces and loopback interfaces.

Primary IP

Primary IP address of the interface. If no IP address is configured for the interface, this field displays two hyphens (--).

Description

Description for the interface.

Cause

Causes for the physical state of DOWN:

·     Administratively—The link has been shut down by using the shutdown command. To bring it up, use the undo shutdown command.

·     Not connected—The tunnel is not established.

·     DOWN (Tunnel-Bundle administratively down)—The tunnel bundle interface to which the tunnel interface belongs has been shut down by using the shutdown command.

 

Related commands

destination

interface tunnel

source

ds-lite enable

Use ds-lite enable to enable DS-Lite tunneling on an interface.

Use undo ds-lite enable to disable DS-Lite tunneling on an interface.

Syntax

ds-lite enable

undo ds-lite enable

Default

DS-Lite tunneling is disabled on an interface.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

Use this command on the AFTR's interface connected to the public IPv4 network, so the AFTR can forward IPv4 packets to the B4 router through the DS-Lite tunnel.

You cannot enable DS-Lite tunneling on a DS-Lite tunnel interface on the AFTR.

Examples

# Enable DS-Lite tunneling on GigabitEthernet 2/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] ds-lite enable

encapsulation-limit

Use encapsulation-limit to set the maximum number of nested encapsulations of a packet allowed on a tunnel interface.

Use undo encapsulation-limit to restore the default.

Syntax

encapsulation-limit number

undo encapsulation-limit

Default

There is no limit to the nested encapsulations of a packet.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

number: Specifies the number of nested encapsulations, in the range of 0 to 10.

Usage guidelines

Each nested encapsulation adds a header, so a packet that is encapsulated too many times becomes oversized. If it exceeds the MTU, it must be fragmented. Fragmentation decreases the forwarding rate and increases processing complexity. To avoid this situation, use this command to limit the number of nested encapsulations.

This command is applicable only to IPv6 over IPv6 tunnels.

Examples

# Set the maximum number of nested encapsulations to 3 on interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode ipv6

[Sysname-Tunnel1] encapsulation-limit 3

Related commands

display interface tunnel

interface tunnel

Use interface tunnel to create a tunnel interface, specify the tunnel mode, and enter tunnel interface view, or enter the view of an existing tunnel interface.

Use undo interface tunnel to delete a tunnel interface.

Syntax

interface tunnel number [ mode { advpn { gre | udp } [ ipv6 ] | ds-lite-aftr | evi | gre [ ipv6 ] | ipsec [ ipv6 ] | ipv4-ipv4 | ipv6 | ipv6-ipv4 [ 6rd | 6to4 | auto-tunnel | isatap ] | mpls-te | nve | vxlan } ]

undo interface tunnel number

Default

No tunnel interfaces exist.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the number of the tunnel interface. The number of tunnel interfaces that can be created is restricted by the total number of interfaces and the memory.

The following matrix shows the value ranges for the number argument:

 

| Hardware | Value range |
|---|---|
| MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | 0 to 10239 |
| MSR810-LMS/810-LUS | 0 to 1023 |
| MSR2600-6-X1/2600-10-X1 | 0 to 10239 |
| MSR 2630 | 0 to 10239 |
| MSR3600-28/3600-51 | 0 to 10239 |
| MSR3600-28-SI/3600-51-SI | 0 to 10239 |
| MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | 0 to 10239 |
| MSR 3610/3620/3620-DP/3640/3660 | 0 to 10239 |
| MSR5620/5660/5680 | 0 to 10239 |

| Hardware | Value range |
|---|---|
| MSR810-LM-GL | 0 to 10239 |
| MSR810-W-LM-GL | 0 to 10239 |
| MSR830-6EI-GL | 0 to 10239 |
| MSR830-10EI-GL | 0 to 10239 |
| MSR830-6HI-GL | 0 to 10239 |
| MSR830-10HI-GL | 0 to 10239 |
| MSR2600-6-X1-GL | 0 to 10239 |
| MSR3600-28-SI-GL | 0 to 10239 |

 

mode advpn gre: Specifies the GRE-encapsulated IPv4 ADVPN tunnel mode.

mode advpn udp: Specifies the UDP-encapsulated IPv4 ADVPN tunnel mode.

mode advpn gre ipv6: Specifies the GRE-encapsulated IPv6 ADVPN tunnel mode.

mode advpn udp ipv6: Specifies the UDP-encapsulated IPv6 ADVPN tunnel mode.

The following matrix shows the advpn gre, advpn udp, advpn gre ipv6, and advpn udp ipv6 keywords and hardware compatibility:

 

| Hardware | Keyword compatibility |
|---|---|
| MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | Yes |
| MSR2600-6-X1/2600-10-X1 | Yes |
| MSR 2630 | Yes |
| MSR3600-28/3600-51 | Yes |
| MSR3600-28-SI/3600-51-SI | No |
| MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes |
| MSR 3610/3620/3620-DP/3640/3660 | Yes |
| MSR5620/5660/5680 | Yes |

 

mode ds-lite-aftr: Specifies the DS-Lite tunnel mode on the AFTR.

The following matrix shows the ds-lite-aftr keyword and hardware compatibility:

 

| Hardware | Keyword compatibility |
|---|---|
| MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes |
| MSR810-LMS/810-LUS | No |
| MSR2600-6-X1/2600-10-X1 | Yes |
| MSR 2630 | Yes |
| MSR3600-28/3600-51 | Yes |
| MSR3600-28-SI/3600-51-SI | Yes |
| MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes |
| MSR 3610/3620/3620-DP/3640/3660 | Yes |
| MSR5620/5660/5680 | Yes |

 

mode evi: Specifies the IPv4 EVI tunnel mode.

The following matrix shows the evi keyword and hardware compatibility:

 

| Hardware | Keyword compatibility |
|---|---|
| MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | No |
| MSR2600-6-X1/2600-10-X1 | No |
| MSR 2630 | No |
| MSR3600-28/3600-51 | Yes |
| MSR3600-28-SI/3600-51-SI | No |
| MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes |
| MSR 3610/3620/3620-DP/3640/3660 | Yes |
| MSR5620/5660/5680 | Yes |

 

mode gre: Specifies the GRE/IPv4 tunnel mode.

mode gre ipv6: Specifies the GRE/IPv6 tunnel mode.

mode ipsec: Specifies the IPsec/IPv4 tunnel mode.

mode ipsec ipv6: Specifies the IPsec/IPv6 tunnel mode.

The following matrix shows the ipsec and ipsec ipv6 keywords and hardware compatibility:

 

| Hardware | Keyword compatibility |
|---|---|
| MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | Yes |
| MSR2600-6-X1/2600-10-X1 | Yes |
| MSR 2630 | Yes |
| MSR3600-28/3600-51 | Yes |
| MSR3600-28-SI/3600-51-SI | No |
| MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes |
| MSR 3610/3620/3620-DP/3640/3660 | Yes |
| MSR5620/5660/5680 | Yes |

 

mode ipv4-ipv4: Specifies the IPv4 over IPv4 tunnel mode.

mode ipv6: Specifies the IPv6 tunnel mode. Set this mode for IPv4 over IPv6 manual and IPv6 over IPv6 tunnels.

mode ipv6-ipv4: Specifies the IPv6 over IPv4 manual tunnel mode.

mode ipv6-ipv4 6rd: Specifies the 6RD tunnel mode.

mode ipv6-ipv4 6to4: Specifies the 6to4 tunnel mode.

mode ipv6-ipv4 auto-tunnel: Specifies the IPv4-compatible IPv6 automatic tunnel mode.

mode ipv6-ipv4 isatap: Specifies the ISATAP tunnel mode.

mode mpls-te: Specifies the MPLS TE tunnel mode.

The following matrix shows the mpls-te keyword and hardware compatibility:

 

| Hardware | Keyword compatibility |
|---|---|
| MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes |
| MSR810-LMS/810-LUS | No |
| MSR2600-6-X1/2600-10-X1 | Yes |
| MSR 2630 | Yes |
| MSR3600-28/3600-51 | Yes |
| MSR3600-28-SI/3600-51-SI | No |
| MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes |
| MSR 3610/3620/3620-DP/3640/3660 | Yes |
| MSR5620/5660/5680 | Yes |

 

mode nve: Specifies the NVE tunnel mode.

The following matrix shows the nve keyword and hardware compatibility:

 

| Hardware | Keyword compatibility |
|---|---|
| MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes |
| MSR810-LMS/810-LUS | No |
| MSR2600-6-X1/2600-10-X1 | Yes |
| MSR 2630 | Yes |
| MSR3600-28/3600-51 | Yes |
| MSR3600-28-SI/3600-51-SI | No |
| MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes |
| MSR 3610/3620/3620-DP/3640/3660 | Yes |
| MSR5620/5660/5680 | Yes |

 

mode vxlan: Specifies the VXLAN tunnel mode.

The following matrix shows the vxlan keyword and hardware compatibility:

 

Hardware | Keyword compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes
MSR810-LMS/810-LUS | No
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

 

Usage guidelines

To create a new tunnel interface, you must specify the tunnel mode in this command. To enter the view of an existing tunnel interface, you do not need to specify the tunnel mode.

A tunnel interface number is locally significant. The tunnel interfaces on the two ends of a tunnel can use the same or different interface numbers.

Examples

# Create the GRE/IPv4 tunnel interface Tunnel 1 and enter tunnel interface view.

<Sysname> system-view

[Sysname] interface tunnel 1 mode gre

[Sysname-Tunnel1]

Related commands

destination

display interface tunnel

source

mtu

Use mtu to set the MTU on a tunnel interface.

Use undo mtu to restore the default.

Syntax

mtu size

undo mtu

Default

If the tunnel interface has never been up, the MTU is 64000 bytes.

If the tunnel interface is up, its MTU is identical to the outgoing interface's MTU minus the length of the tunnel headers. The outgoing interface is automatically obtained through routing table lookup based on the tunnel destination address.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

size: Specifies the MTU, in the range of 100 to 64000 bytes.

Usage guidelines

After you configure an MTU for a tunnel interface, the configured MTU applies regardless of the tunnel interface status (up/down) and the outgoing interface MTU.

To avoid fragmentation after tunnel encapsulation, set the tunnel interface MTU no greater than the value of the outgoing interface MTU minus the length of the tunnel headers.

Examples

# Set the MTU on interface Tunnel 1 to 10000 bytes.

<Sysname> system-view

[Sysname] interface tunnel 1

[Sysname-Tunnel1] mtu 10000

Related commands

display interface tunnel

reset counters interface

Use reset counters interface to clear interface statistics.

Syntax

reset counters interface [ tunnel [ number ] ]

Views

User view

Predefined user roles

network-admin

Parameters

tunnel: Specifies tunnel interfaces.

number: Specifies the tunnel interface number of an existing tunnel interface.

Usage guidelines

Use this command to clear old statistics so you can observe new traffic statistics on a tunnel interface.

·     If you do not specify any parameters, this command clears statistics for all interfaces.

·     If you specify only the tunnel keyword, this command clears statistics for all tunnel interfaces.

·     If you specify both the tunnel keyword and the number argument, this command clears statistics for the specified tunnel interface.

Examples

# Clear statistics for interface Tunnel 1.

<Sysname> reset counters interface tunnel 1

Related commands

display interface tunnel

service

Use service to specify a primary traffic processing slot for an interface.

Use undo service to restore the default.

Syntax

Distributed devices in standalone mode/centralized devices in IRF mode:

service slot slot-number

undo service slot

Distributed devices in IRF mode:

service chassis chassis-number slot slot-number

undo service chassis

Default

No primary traffic processing slot is specified for an interface.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (Distributed devices in IRF mode.)

Usage guidelines

CAUTION:

The following operations might cause a tunnel interface in up state to be down and then up:

·     Specifying a primary or backup traffic processing slot for the tunnel interface.

·     Rebooting or hot-swapping the primary or backup traffic processing slot of the tunnel interface.

Make sure you understand the potential impact of the operations on your network.

 

The following matrix shows the command and hardware compatibility:

 

Hardware | Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | No
MSR2600-6-X1/2600-10-X1 | No
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Hardware | Command compatibility
MSR810-LM-GL | No
MSR810-W-LM-GL | No
MSR830-6EI-GL | No
MSR830-10EI-GL | No
MSR830-6HI-GL | No
MSR830-10HI-GL | No
MSR2600-6-X1-GL | No
MSR3600-28-SI-GL | No

 

This command is supported on distributed devices and IRF-capable centralized devices.

Specify a traffic processing slot if a feature (for example, IPsec antireplay) requires that all traffic on a tunnel interface be processed on the same slot.

For high availability, you can specify one primary and one backup traffic processing slot by using the service command and the service standby command, respectively.

To avoid processing slot switchover, specify the primary slot before specifying the backup slot. If you specify the backup slot before specifying the primary slot, traffic is switched over to the primary slot immediately after you specify the primary slot.

If you specify both primary and backup slots for an interface, traffic on that interface is processed as follows:

·     The backup slot takes over when the primary slot becomes unavailable. The backup slot continues to process traffic for the interface after the primary slot becomes available again. The switchover will not occur until the backup slot becomes unavailable.

·     When no specified traffic processing slots are available, the traffic is processed on the slot at which it arrives. Then, the processing slot that first becomes available again takes over.

If you do not specify a primary or a backup traffic processing slot for an interface, traffic on that interface is processed on the slot at which the traffic arrives.

Examples

# (Distributed devices in standalone mode.) Specify a primary traffic processing slot for Tunnel 200.

<Sysname> system-view

[Sysname] interface tunnel 200

[Sysname-Tunnel200] service slot 2

Related commands

service standby

service standby

Use service standby to specify a backup traffic processing slot for an interface.

Use undo service standby to restore the default.

Syntax

Distributed devices in standalone mode/centralized devices in IRF mode:

service standby slot slot-number

undo service standby slot

Distributed devices in IRF mode:

service standby chassis chassis-number slot slot-number

undo service standby chassis

Default

No backup traffic processing slot is specified for an interface.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (Distributed devices in IRF mode.)

Usage guidelines

CAUTION:

The following operations might cause a tunnel interface in up state to be down and then up:

·     Specifying a primary or backup traffic processing slot for the tunnel interface.

·     Rebooting or hot-swapping the primary or backup traffic processing slot of the tunnel interface.

Make sure you understand the potential impact of the operations on your network.

 

The following matrix shows the command and hardware compatibility:

 

Hardware | Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | No
MSR2600-6-X1/2600-10-X1 | No
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Hardware | Command compatibility
MSR810-LM-GL | No
MSR810-W-LM-GL | No
MSR830-6EI-GL | No
MSR830-10EI-GL | No
MSR830-6HI-GL | No
MSR830-10HI-GL | No
MSR2600-6-X1-GL | No
MSR3600-28-SI-GL | No

 

This command is supported on distributed devices and IRF-capable centralized devices.

Specify a traffic processing slot if a feature (for example, IPsec antireplay) requires that all traffic on a tunnel interface be processed on the same slot.

For high availability, you can specify one primary and one backup traffic processing slot by using the service command and the service standby command, respectively.

To avoid processing slot switchover, specify the primary slot before specifying the backup slot. If you specify the backup slot before specifying the primary slot, traffic is switched over to the primary slot immediately after you specify the primary slot.

If you specify both primary and backup slots for an interface, traffic on that interface is processed as follows:

·     The backup slot takes over when the primary slot becomes unavailable. The backup slot continues to process traffic for the interface after the primary slot becomes available again. The switchover will not occur until the backup slot becomes unavailable.

·     When no specified traffic processing slots are available, the traffic is processed on the slot at which it arrives. Then, the processing slot that first becomes available again takes over.

If you do not specify a primary or a backup traffic processing slot for an interface, traffic on that interface is processed on the slot at which the traffic arrives.

Examples

# (Distributed devices in standalone mode.) Specify a primary and a backup traffic processing slot for Tunnel 200.

<Sysname> system-view

[Sysname] interface tunnel 200

[Sysname-Tunnel200] service slot 2

[Sysname-Tunnel200] service standby slot 3

Related commands

service

shutdown

Use shutdown to shut down a tunnel interface.

Use undo shutdown to bring up a tunnel interface.

Syntax

shutdown

undo shutdown

Default

The state of a tunnel interface is not Administratively DOWN.

Views

Tunnel interface view

Predefined user roles

network-admin

Usage guidelines

This command disconnects all links set up on the interface. Make sure you fully understand the impact of the command on your network.

Examples

# Shut down interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1

[Sysname-Tunnel1] shutdown

Related commands

display interface tunnel

source

Use source to specify the source address or source interface for a tunnel interface.

Use undo source to restore the default.

Syntax

source { ipv4-address | ipv6-address | interface-type interface-number }

undo source

Default

No source address or source interface is specified for a tunnel interface.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the tunnel source IPv4 address.

ipv6-address: Specifies the tunnel source IPv6 address.

interface-type interface-number: Specifies the source interface by its type and number. The interface must be up and must have an IP address.

Usage guidelines

The specified source address or the address of the specified source interface is used as the source address of tunneled packets. To display the configured tunnel source address, use the display interface tunnel command.

The destination address of the local tunnel interface must be the source address of the peer tunnel interface. The source address of the local tunnel interface must be the destination address of the peer tunnel interface.

If you execute this command multiple times, the most recent configuration takes effect.

You cannot specify the tunnel interface of the DS-Lite tunnel on the AFTR as the source interface.

Examples

# Specify GigabitEthernet 2/0/1 as the source interface of interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode gre

[Sysname-Tunnel1] source gigabitethernet 2/0/1

# Specify 192.100.1.1 as the source address of interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode gre

[Sysname-Tunnel1] source 192.100.1.1

Related commands

destination

display interface tunnel

interface tunnel

tunnel 6rd br

Use tunnel 6rd br to specify a BR address for a 6RD tunnel.

Use undo tunnel 6rd br to restore the default.

Syntax

tunnel 6rd br ipv4-address

undo tunnel 6rd br

Default

No BR address is specified for a 6RD tunnel.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the BR address (IPv4 address of a 6RD BR router), in dotted decimal notation.

Usage guidelines

Use this command on a 6RD CE. For a 6RD network to communicate with a non-6RD network over a 6RD tunnel, you must specify the BR address on the 6RD CE.

All the 6RD CEs and 6RD BR routers in a 6RD network must have the same IPv4 prefix and suffix. Make sure the BR address and the tunnel source address have the same IPv4 prefix and suffix.

Examples

# Specify the BR address as 10.11.12.13 on interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode ipv6-ipv4 6rd

[Sysname-Tunnel1] tunnel 6rd br 10.11.12.13

Related commands

display 6rd

tunnel 6rd ipv4

Use tunnel 6rd ipv4 to specify a prefix length and a suffix length for a 6RD tunnel source address.

Use undo tunnel 6rd ipv4 to restore the default.

Syntax

tunnel 6rd ipv4 { prefix-length length | suffix-length length } *

undo tunnel 6rd ipv4

Default

All 32 bits of the IPv4 tunnel source address are used to create the 6RD delegated prefix.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

prefix-length length: Specifies the prefix length in the range of 0 to 31.

suffix-length length: Specifies the suffix length in the range of 0 to 31.

Usage guidelines

All 6RD tunnel interfaces in a 6RD network must be configured with the same IPv4 prefix length and suffix length.

You can specify a prefix length, a suffix length, both prefix and suffix lengths, or neither. The device removes the prefix and suffix bits from the tunnel source address and embeds the remaining bits of the address in the 6RD delegated prefix. If neither a prefix length nor a suffix length is specified, all 32 bits of the IPv4 tunnel source address are embedded in the 6RD delegated prefix.

Examples

# Specify both the prefix length and suffix length as 8 on interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode ipv6-ipv4 6rd

[Sysname-Tunnel1] tunnel 6rd ipv4 prefix-length 8 suffix-length 8

Related commands

display 6rd

display 6rd destination

display 6rd prefix

tunnel 6rd prefix

Use tunnel 6rd prefix to configure the 6RD prefix for a 6RD tunnel.

Use undo tunnel 6rd prefix to restore the default.

Syntax

tunnel 6rd prefix ipv6-prefix/prefix-length

undo tunnel 6rd prefix

Default

No 6RD prefix is configured for a 6RD tunnel.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

ipv6-prefix/prefix-length: Specifies the IPv6 prefix and its length. The value range for the prefix length is 1 to 127.

Usage guidelines

A 6RD delegated prefix contains a 6RD prefix and all or part of the bits in the IPv4 tunnel source address.

All tunnels in a 6RD network must have the same 6RD prefix.

Examples

# Configure the 6RD prefix as 2001:1000::/32 on interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode ipv6-ipv4 6rd

[Sysname-Tunnel1] tunnel 6rd prefix 2001:1000::/32

Related commands

display 6rd

display 6rd destination

display 6rd prefix
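The following added example (not part of the H3C documentation) works through how the 6RD prefix, the IPv4 tunnel source address, and the prefix and suffix lengths combine into a 6RD delegated prefix, using the values from the examples above. The function names and the CE address 10.1.2.13 are constructed for illustration, and the reverse mapping from an IPv6 destination to an IPv4 tunnel destination assumes the device follows RFC 5969.

```python
import ipaddress


def _check_lengths(prefix_length, suffix_length):
    # Both lengths are limited to 0..31 by the tunnel 6rd ipv4 command.
    if not (0 <= prefix_length <= 31 and 0 <= suffix_length <= 31):
        raise ValueError("prefix and suffix lengths must be in the range 0 to 31")
    embedded_bits = 32 - prefix_length - suffix_length
    if embedded_bits <= 0:
        raise ValueError("prefix and suffix lengths leave no IPv4 bits to embed")
    return embedded_bits


def sixrd_delegated_prefix(sixrd_prefix, ipv4_source, prefix_length=0, suffix_length=0):
    """Build the 6RD delegated prefix: 6RD prefix + remaining IPv4 bits."""
    embedded_bits = _check_lengths(prefix_length, suffix_length)
    net = ipaddress.IPv6Network(sixrd_prefix)
    v4 = int(ipaddress.IPv4Address(ipv4_source))
    # Drop the suffix bits, then mask off the prefix bits.
    middle = (v4 >> suffix_length) & ((1 << embedded_bits) - 1)
    delegated_len = net.prefixlen + embedded_bits
    if delegated_len > 128:
        raise ValueError("6RD prefix is too long for the embedded IPv4 bits")
    value = int(net.network_address) | (middle << (128 - delegated_len))
    return ipaddress.IPv6Network((value, delegated_len))


def shares_prefix_and_suffix(addr_a, addr_b, prefix_length=0, suffix_length=0):
    """True if two IPv4 addresses agree on the common prefix and suffix bits."""
    _check_lengths(prefix_length, suffix_length)
    diff = int(ipaddress.IPv4Address(addr_a)) ^ int(ipaddress.IPv4Address(addr_b))
    prefix_mask = ((1 << prefix_length) - 1) << (32 - prefix_length)
    suffix_mask = (1 << suffix_length) - 1
    return diff & (prefix_mask | suffix_mask) == 0


def ipv4_from_6rd_address(ipv6_addr, sixrd_prefix, local_ipv4,
                          prefix_length=0, suffix_length=0):
    """Recover the IPv4 tunnel destination from a 6RD IPv6 address (RFC 5969)."""
    embedded_bits = _check_lengths(prefix_length, suffix_length)
    net = ipaddress.IPv6Network(sixrd_prefix)
    addr = ipaddress.IPv6Address(ipv6_addr)
    if addr not in net:
        raise ValueError("address is outside the 6RD prefix")
    shift = 128 - net.prefixlen - embedded_bits
    middle = (int(addr) >> shift) & ((1 << embedded_bits) - 1)
    local = int(ipaddress.IPv4Address(local_ipv4))
    prefix_mask = ((1 << prefix_length) - 1) << (32 - prefix_length)
    suffix_mask = (1 << suffix_length) - 1
    # Common prefix and suffix come from the local tunnel source address.
    v4 = (local & prefix_mask) | (middle << suffix_length) | (local & suffix_mask)
    return ipaddress.IPv4Address(v4)


if __name__ == "__main__":
    ce = "10.1.2.13"      # constructed CE tunnel source address
    br = "10.11.12.13"    # BR address from the tunnel 6rd br example
    print(sixrd_delegated_prefix("2001:1000::/32", ce, 8, 8))
    print(sixrd_delegated_prefix("2001:1000::/32", ce))
    print(shares_prefix_and_suffix(ce, br, 8, 8))
    print(ipv4_from_6rd_address("2001:1000:b0c::1", "2001:1000::/32", ce, 8, 8))
```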

tunnel dfbit enable

Use tunnel dfbit enable to set the Don't Fragment (DF) bit for tunneled packets.

Use undo tunnel dfbit enable to restore the default.

Syntax

tunnel dfbit enable

undo tunnel dfbit enable

Default

The DF bit is not set for tunneled packets.

Views

Tunnel interface view

Predefined user roles

network-admin

Usage guidelines

To avoid fragmentation and delay, set the DF bit for tunneled packets. Make sure the path MTU is larger than the tunneled packet length. To avoid discarding tunneled packets whose length is larger than the path MTU, do not set the DF bit.

This command is not supported on a GRE/IPv6 tunnel interface or an IPv6 tunnel interface.

Examples

# Set the DF bit for tunneled packets on interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode gre

[Sysname-Tunnel1] tunnel dfbit enable

tunnel discard ipv4-compatible-packet

Use tunnel discard ipv4-compatible-packet to enable dropping IPv6 packets that use IPv4-compatible IPv6 addresses.

Use undo tunnel discard ipv4-compatible-packet to restore the default.

Syntax

tunnel discard ipv4-compatible-packet

undo tunnel discard ipv4-compatible-packet

Default

IPv6 packets that use IPv4-compatible IPv6 addresses are not dropped.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware | Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes
MSR810-LMS/810-LUS | No
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Hardware | Command compatibility
MSR810-LM-GL | Yes
MSR810-W-LM-GL | Yes
MSR830-6EI-GL | Yes
MSR830-10EI-GL | Yes
MSR830-6HI-GL | Yes
MSR830-10HI-GL | Yes
MSR2600-6-X1-GL | Yes
MSR3600-28-SI-GL | No

 

This command enables the device to check the source and destination IPv6 addresses of the de-encapsulated IPv6 packets from a tunnel. If a packet uses an IPv4-compatible IPv6 address as the source or destination address, the device discards the packet.

Examples

# Enable dropping IPv6 packets that use IPv4-compatible IPv6 addresses.

<Sysname> system-view

[Sysname] tunnel discard ipv4-compatible-packet

tunnel tos

Use tunnel tos to set the ToS value of tunneled packets.

Use undo tunnel tos to restore the default.

Syntax

tunnel tos { tos-value | copy-inner-tos }

undo tunnel tos

Default

For VXLAN tunneled packets, the ToS value is 0.

For non-VXLAN tunneled packets, the ToS value is the same as the ToS value of the original packets.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

tos-value: Specifies the ToS value of tunneled packets, in the range of 0 to 255.

copy-inner-tos: Configures tunneled packets to use the ToS value of the original packets. This keyword is supported only by VXLAN tunnels.

The following matrix shows the copy-inner-tos keyword and hardware compatibility:

 

Hardware | Keyword compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes
MSR810-LMS/810-LUS | No
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Hardware | Keyword compatibility
MSR810-LM-GL | Yes
MSR810-W-LM-GL | Yes
MSR830-6EI-GL | Yes
MSR830-10EI-GL | Yes
MSR830-6HI-GL | Yes
MSR830-10HI-GL | Yes
MSR2600-6-X1-GL | Yes
MSR3600-28-SI-GL | No

 

Usage guidelines

After you execute this command, all the tunneled packets of different services sent on the tunnel interface will use the same configured ToS value. For more information about ToS, see ACL and QoS Configuration Guide.

Examples

# Set the ToS value of tunneled packets to 20 on interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode gre

[Sysname-Tunnel1] tunnel tos 20

# Configure VXLAN tunnel interface Tunnel 2 to use the ToS value of the original packets as the ToS value of tunneled packets.

<Sysname> system-view

[Sysname] interface tunnel 2 mode vxlan

[Sysname-Tunnel2] tunnel tos copy-inner-tos

Related commands

display interface tunnel

tunnel ttl

Use tunnel ttl to set the Time to Live (TTL) of tunneled packets.

Use undo tunnel ttl to restore the default.

Syntax

tunnel ttl ttl-value

undo tunnel ttl

Default

The TTL of tunneled packets is 255.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

ttl-value: Specifies the TTL of tunneled packets, in the range of 1 to 255.

Usage guidelines

The TTL determines the maximum number of hops that the tunneled packets can pass. When the TTL expires, the tunneled packets are discarded to avoid loops.

Examples

# Set the TTL of tunneled packets to 100 on interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode gre

[Sysname-Tunnel1] tunnel ttl 100

Related commands

display interface tunnel

tunnel vpn-instance

Use tunnel vpn-instance to specify a VPN instance for the destination address of a tunnel interface.

Use undo tunnel vpn-instance to restore the default.

Syntax

tunnel vpn-instance vpn-instance-name

undo tunnel vpn-instance

Default

The destination address of a tunnel interface belongs to the public network.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies the name of a VPN instance, a case-sensitive string of 1 to 31 characters.

Usage guidelines

After this command is executed, the device looks up the routing table of the specified VPN instance to forward tunneled packets on the tunnel interface.

For a tunnel interface to come up, the tunnel source and destination must belong to the same VPN. To specify a VPN instance for the tunnel source, use the ip binding vpn-instance command on the tunnel source interface.

Examples

# Specify VPN instance vpn10 for the tunnel destination on interface Tunnel 1.

<Sysname> system-view

[Sysname] ip vpn-instance vpn10

[Sysname-vpn-instance-vpn10] route-distinguisher 1:1

[Sysname-vpn-instance-vpn10] vpn-target 1:1

[Sysname-vpn-instance-vpn10] quit

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] ip binding vpn-instance vpn10

[Sysname-GigabitEthernet2/0/1] ip address 1.1.1.1 24

[Sysname-GigabitEthernet2/0/1] quit

[Sysname] interface tunnel 1 mode gre

[Sysname-Tunnel1] source gigabitethernet 2/0/1

[Sysname-Tunnel1] destination 1.1.1.2

[Sysname-Tunnel1] tunnel vpn-instance vpn10

Related commands

ip binding vpn-instance (MPLS Command Reference)


GRE commands

gre checksum

Use gre checksum to enable GRE checksum.

Use undo gre checksum to disable GRE checksum.

Syntax

gre checksum

undo gre checksum

Default

GRE checksum is disabled.

Views

Tunnel interface view

Predefined user roles

network-admin

Usage guidelines

GRE checksum verifies packet integrity.

You can enable or disable GRE checksum at each end of a tunnel as needed. After GRE checksum is enabled, the sender does the following:

·     Calculates the checksum for the GRE header and the payload.

·     Sends the packet containing the checksum information to the peer.

The receiver calculates the checksum for the received packet and compares it with that carried in the packet. If the checksums are the same, the receiver processes the packet. If the checksums are different, the receiver discards the packet.

If a packet carries a GRE checksum, the receiver checks the checksum whether or not GRE checksum is enabled on the receiver.

Examples

# Enable GRE checksum.

<Sysname> system-view

[Sysname] interface tunnel 2 mode gre

[Sysname-Tunnel2] gre checksum

gre key

Use gre key to configure a key for a GRE tunnel interface.

Use undo gre key to restore the default.

Syntax

gre key key

undo gre key

Default

No key is configured for a GRE tunnel interface.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

key: Specifies the key for the GRE tunnel interface, in the range of 0 to 4294967295.

Usage guidelines

You can configure a GRE key to check for the validity of packets received on a GRE tunnel interface.

When a GRE key is configured, the sender puts the GRE key into each sent packet. The receiver compares the GRE key in the received packet with its own GRE key. If the two keys are the same, the receiver accepts the packet. If the two keys are different, the receiver drops the packet.

Both ends of a GRE tunnel must have the same key or no key.

Examples

# Configure the GRE key as 123 for the GRE tunnel interface Tunnel 2.

<Sysname> system-view

[Sysname] interface tunnel 2 mode gre

[Sysname-Tunnel2] gre key 123
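The following added example (not part of the H3C documentation) models the sender and receiver behavior described for gre checksum and gre key, using the GRE header layout from RFC 2784 and RFC 2890. The function names and payload are constructed, the outer IPv4 header is assumed to be 20 bytes, and dropping a keyed packet on a receiver that has no key is this example's reading of "the same key or no key".

```python
import struct

GRE_C = 0x8000  # Checksum Present bit (RFC 2784)
GRE_K = 0x2000  # Key Present bit (RFC 2890)
GRE_S = 0x1000  # Sequence Number Present bit (RFC 2890)
OUTER_IPV4_HEADER = 20  # assumption: outer IPv4 header without options


def inet_checksum(data: bytes) -> int:
    """16-bit one's complement checksum, as used for the GRE checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_gre(payload: bytes, proto: int = 0x0800, key=None, checksum=False) -> bytes:
    """Sender side: add the optional checksum and key fields to the GRE header."""
    flags = (GRE_C if checksum else 0) | (GRE_K if key is not None else 0)
    header = struct.pack("!HH", flags, proto)
    if checksum:
        header += b"\x00" * 4          # checksum (zero while computing) + reserved
    if key is not None:
        header += struct.pack("!I", key)
    packet = bytearray(header + payload)
    if checksum:
        # The checksum covers the GRE header and the payload.
        struct.pack_into("!H", packet, 4, inet_checksum(bytes(packet)))
    return bytes(packet)


def receive_gre(packet: bytes, local_key=None):
    """Receiver side: return (verdict, payload); payload is None on drop."""
    if len(packet) < 4:
        return ("drop: truncated header", None)
    flags, _proto = struct.unpack_from("!HH", packet, 0)
    if flags & 0x0007:
        return ("drop: unsupported version", None)
    offset = 4
    if flags & GRE_C:
        if len(packet) < offset + 4:
            return ("drop: truncated header", None)
        # A carried checksum is verified even if the receiver does not send one.
        # Summing the packet with its checksum in place gives 0 when intact.
        if inet_checksum(packet) != 0:
            return ("drop: checksum mismatch", None)
        offset += 4
    peer_key = None
    if flags & GRE_K:
        if len(packet) < offset + 4:
            return ("drop: truncated header", None)
        (peer_key,) = struct.unpack_from("!I", packet, offset)
        offset += 4
    if flags & GRE_S:
        if len(packet) < offset + 4:
            return ("drop: truncated header", None)
        offset += 4
    if peer_key != local_key:
        return ("drop: key mismatch", None)
    return ("accept", packet[offset:])


def gre_tunnel_mtu(outgoing_mtu: int, key=None, checksum=False) -> int:
    """Largest tunnel MTU that avoids fragmentation after GRE/IPv4 encapsulation."""
    gre_header_len = len(build_gre(b"", key=key, checksum=checksum))
    return outgoing_mtu - OUTER_IPV4_HEADER - gre_header_len


if __name__ == "__main__":
    pkt = build_gre(b"constructed payload", key=123, checksum=True)
    print(receive_gre(pkt, local_key=123))
    print(receive_gre(pkt, local_key=456))
    print(gre_tunnel_mtu(1500), gre_tunnel_mtu(1500, key=123, checksum=True))
```

The key travels in cleartext in every packet and the checksum is not keyed, so both detect misconfiguration and corruption rather than authenticate the peer.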

keepalive

Use keepalive to enable GRE keepalive and set the keepalive interval and the keepalive number.

Use undo keepalive to disable GRE keepalive.

Syntax

keepalive [ interval [ times ] ]

undo keepalive

Default

GRE keepalive is disabled.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

interval: Specifies the keepalive interval, in the range of 1 to 32767 seconds. The default value is 10.

times: Specifies the keepalive number, in the range of 1 to 255. The default value is 3.

Usage guidelines

This command enables the tunnel interface to send keepalive packets at the specified interval. If the device receives no response from the peer within the timeout time, it shuts down the local tunnel interface. The device brings the local tunnel interface up if it receives a keepalive acknowledgment packet from the peer. The timeout time is the result of multiplying the keepalive interval by the keepalive number.

The device always acknowledges the keepalive packets it receives whether or not GRE keepalive is enabled.

GRE/IPv6 mode tunnel interfaces do not support this command.

Examples

# Enable GRE keepalive, set the keepalive interval to 20 seconds, and set the keepalive number to 5.

<Sysname> system-view

[Sysname] interface tunnel 2 mode gre

[Sysname-Tunnel2] keepalive 20 5

service-class

Use service-class to specify a service class value for a GRE tunnel interface.

Use undo service-class to restore the default.

Syntax

service-class service-class-value

undo service-class

Default

No service class value is specified for a GRE tunnel interface.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

service-class-value: Specifies a service class value. The lower the service class value, the lower the forwarding priority for a tunnel. If no service class value is specified for a tunnel, the tunnel is considered to have the lowest forwarding priority. The value range for service class values is 0 to 7.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware | Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | No
MSR2600-6-X1/2600-10-X1 | No
MSR 2630 | No
MSR3600-28/3600-51 | No
MSR3600-28-SI/3600-51-SI | No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | No
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Hardware | Command compatibility
MSR810-LM-GL | No
MSR810-W-LM-GL | No
MSR830-6EI-GL | No
MSR830-10EI-GL | No
MSR830-6HI-GL | No
MSR830-10HI-GL | No
MSR2600-6-X1-GL | No
MSR3600-28-SI-GL | No

 

Use this command only on a GRE tunnel interface.

The device selects a tunnel to forward a packet in the following order:

1.     The tunnel that has the same service class value as the packet.

2.     If multiple tunnels have the same service class value as the packet, the device randomly selects one of the tunnels to forward the packet.

3.     If no tunnel has the same service class value as the packet, the device randomly selects a tunnel from all tunnels that have the lowest forwarding priority.

To set a service class value for packets, use the remark service-class command in traffic behavior view. For information about this command, see QoS commands in ACL and QoS Command Reference.

Examples

# Set the service class value of Tunnel 0 to 5.

<Sysname> system-view

[Sysname] interface tunnel 0 mode gre

[Sysname-Tunnel0] service-class 5


ADVPN commands

The following matrix shows the feature and hardware compatibility:

 

Hardware | ADVPN compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | Yes
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Hardware | ADVPN compatibility
MSR810-LM-GL | Yes
MSR810-W-LM-GL | Yes
MSR830-6EI-GL | Yes
MSR830-10EI-GL | Yes
MSR830-6HI-GL | Yes
MSR830-10HI-GL | Yes
MSR2600-6-X1-GL | Yes
MSR3600-28-SI-GL | No

 

VAM server commands

The following matrix shows the feature and hardware compatibility:

 

Hardware | VAM server compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LUS | Yes
MSR810-LMS | No
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Hardware | VAM server compatibility
MSR810-LM-GL | Yes
MSR810-W-LM-GL | Yes
MSR830-6EI-GL | Yes
MSR830-10EI-GL | Yes
MSR830-6HI-GL | Yes
MSR830-10HI-GL | Yes
MSR2600-6-X1-GL | Yes
MSR3600-28-SI-GL | No

 

authentication-algorithm

Use authentication-algorithm to specify the algorithms for VAM protocol packet authentication and their priorities.

Use undo authentication-algorithm to restore the default.

Syntax

authentication-algorithm { aes-xcbc-mac | md5 | none | sha-1 | sha-256 } *

undo authentication-algorithm

Default

SHA-1 is used for protocol packet authentication.

Views

ADVPN domain view

Predefined user roles

network-admin

Parameters

aes-xcbc-mac: Uses the AES-XCBC-MAC authentication algorithm.

md5: Uses the MD5 authentication algorithm.

none: Performs no authentication.

sha-1: Uses the SHA-1 authentication algorithm.

sha-256: Uses the SHA-256 authentication algorithm.

Usage guidelines

The VAM server and client use SHA-1 for connection request and response packet authentication, and use the negotiated algorithms for negotiation acknowledgment and subsequent VAM protocol packet authentication.

An authentication algorithm specified earlier by using this command has a higher priority during algorithm negotiation. The configuration of this command does not affect registered VAM clients. It applies to subsequently registered VAM clients.

Examples

# Specify the authentication algorithms as MD5, SHA-1, and SHA-256 in descending order of priority for ADVPN domain 1.

<Sysname> system-view

[Sysname] vam server advpn-domain 1

[Sysname-vam-server-domain-1] authentication-algorithm md5 sha-1 sha-256

authentication-method

Use authentication-method to specify an authentication mode that the VAM server uses to authenticate clients.

Use undo authentication-method to restore the default.

Syntax

authentication-method { none | { chap | pap } [ domain isp-name ] }

undo authentication-method

Default

The authentication method is CHAP, and the default domain is used.

Views

ADVPN domain view

Predefined user roles

network-admin

Parameters

none: Performs no authentication on clients.

chap: Performs CHAP authentication.

pap: Performs PAP authentication.

domain isp-name: Specifies an ISP domain for authentication. The isp-name argument is a case-insensitive string of 1 to 24 characters. It cannot include backslashes (\), vertical bars (|), slashes (/), colons (:), asterisks (*), question marks (?), quotation marks ("), left angle brackets (<), right angle brackets (>), or at signs (@).

Usage guidelines

If the specified ISP domain does not exist, the authentication will fail.

A newly configured authentication method does not affect registered VAM clients. It applies to subsequently registered VAM clients.

Examples

# Configure the VAM server to use CHAP to authenticate clients.

<Sysname> system-view

[Sysname] vam server advpn-domain 1

[Sysname-vam-server-domain-1] authentication-method chap

display vam server address-map

Use display vam server address-map to display IPv4 private-public address mapping information for VAM clients registered with the VAM server.

Syntax

display vam server address-map [ advpn-domain domain-name [ private-address private-ip-address ] ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

advpn-domain domain-name: Displays IPv4 address mapping information for VAM clients in the specified ADVPN domain. The domain-name argument is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command displays address mapping information for VAM clients in all ADVPN domains.

private-address private-ip-address: Displays IPv4 address mapping information for the VAM client with the specified private IPv4 address.

verbose: Displays detailed address mapping information. If you do not specify this keyword, the command displays brief address mapping information.

Examples

# Display IPv4 address mapping information for VAM clients in all ADVPN domains.

<Sysname> display vam server address-map

ADVPN domain name: 1

Total private address mappings: 2

Group      Private address  Public address              Type   NAT  Holding time

1          10.0.0.1         2001::1                     Hub    No   0H 13M 34S

1          10.0.0.3         74.125.128.102              Spoke  Yes  0H 4M 21S

 

ADVPN domain name: 2

Total private address mappings: 0

 

ADVPN domain name: 3

Total private address mappings: 1

Group      Private address  Public address              Type   NAT  Holding time

1          30.0.0.1         113.124.136.1               Hub    No   0H 0M 2S

 

ADVPN domain name: 4

Total private address mappings: 1

Group      Private address  Public address              Type   NAT  Holding time

1          40.0.0.1         4001::1                     Hub    No   1H 8M 22S

 

ADVPN domain name: 5

Total private address mappings: 1

Group      Private address  Public address              Type   NAT  Holding time

1          50.0.0.1         115.194.156.1               Hub    No   132H 41M 29S

# Display IPv4 address mapping information for VAM clients in ADVPN domain 1.

<Sysname> display vam server address-map advpn-domain 1

ADVPN domain name: 1

Total private address mappings: 2

Group      Private address  Public address              Type   NAT  Holding time

1          10.0.0.1         2001::1                     Hub    No   0H 13M 34S

1          10.0.0.3         74.125.128.102              Spoke  Yes  0H 4M 21S

# Display IPv4 address mapping information for the VAM client with private IPv4 address 10.0.0.1 in ADVPN domain 1.

<Sysname> display vam server address-map advpn-domain 1 private-address 10.0.0.1

Group      Private address  Public address              Type   NAT  Holding time

1          10.0.0.1         2001::1                     Hub    No   0H 13M 34S

Table 106 Command output

Field            Description
Group            Hub group to which the VAM client belongs.
Private address  Private address that the VAM client has registered with the VAM server.
Public address   Public address that the VAM client has registered with the VAM server.
Type             VAM client type: Hub or Spoke.
NAT              Whether NAT traversal is used: No or Yes.
Holding time     Time elapsed since the VAM client successfully registered with the server, in the format xH yM zS.

# Display detailed IPv4 address mapping information for VAM clients in all ADVPN domains.

<Sysname> display vam server address-map verbose

ADVPN domain name : 1

Private address   : 10.0.0.1

Type              : Hub

Hub group         : 1

Holding time      : 0H 13M 34S

Link protocol     : UDP

Public address    : 2001::1

Public port       : 10018

Registered address: 2001::1

Registered port   : 10018

Behind NAT        : No

 

ADVPN domain name : 1

Private address   : 10.0.0.3

Type              : Spoke

Hub group         : 1

Holding time      : 0H 4M 21S

Link protocol     : UDP

Public address    : 74.125.128.102

Public port       : 11297

Registered address: 192.168.23.6

Registered port   : 2158

Behind NAT        : Yes

 

ADVPN domain name : 3

Private address   : 30.0.0.1

Type              : Hub

Hub group         : 1

Holding time      : 0H 0M 2S

Link protocol     : GRE

Public address    : 113.124.136.1

Registered address: 113.124.136.1

Behind NAT        : No

 

ADVPN domain name : 4

Private address   : 40.0.0.1

Hub group         : 1

Holding time      : 1H 8M 22S

Link protocol     : IPsec-UDP

Public address    : 4001::1

Registered address: 4001::1

Registered port   : 4072

Behind NAT        : No

 

ADVPN domain name : 5

Private address   : 50.0.0.1

Type              : Hub

Hub group         : 1

Holding time      : 132H 41M 29S

Link protocol     : IPsec-GRE

Public address    : 115.194.156.1

Registered address: 115.194.156.1

Behind NAT        : No

# Display detailed IPv4 address mapping information for VAM clients in ADVPN domain 1.

<Sysname> display vam server address-map advpn-domain 1 verbose

ADVPN domain name : 1

Private address   : 10.0.0.1

Type              : Hub

Hub group         : 1

Holding time      : 0H 13M 34S

Link protocol     : UDP

Public address    : 2001::1

Public port       : 10018

Registered address: 2001::1

Registered port   : 10018

Behind NAT        : No

 

ADVPN domain name : 1

Private address   : 10.0.0.3

Type              : Spoke

Hub group         : 1

Holding time      : 0H 4M 21S

Link protocol     : UDP

Public address    : 74.125.128.102

Public port       : 11297

Registered address: 192.168.23.6

Registered port   : 2158

Behind NAT        : Yes

# Display detailed IPv4 address mapping information for the VAM client with private IPv4 address 10.0.0.1 in ADVPN domain 1.

<Sysname> display vam server address-map advpn-domain 1 private-address 10.0.0.1 verbose

ADVPN domain name : 1

Private address   : 10.0.0.1

Type              : Hub

Hub group         : 1

Holding time      : 0H 13M 34S

Link protocol     : UDP

Public address    : 2001::1

Public port       : 10018

Registered address: 2001::1

Registered port   : 10018

Behind NAT        : No

Table 107 Command output

Field               Description
Private address     Private address that the VAM client has registered with the VAM server.
Type                VAM client type: Hub or Spoke.
Hub group           Hub group to which the VAM client belongs.
Holding time        Time elapsed since the VAM client successfully registered with the server, in the format xH yM zS.
Link protocol       Link layer protocol used by the VAM client for ADVPN tunnel establishment: UDP, GRE, IPsec-UDP, or IPsec-GRE.
Public address      VAM client's public IP address that has been NATed.
Public port         VAM client's ADVPN port number that has been NATed. This field is displayed when the link protocol is UDP or IPsec-UDP.
Registered address  Public address that the VAM client has registered with the VAM server.
Registered port     ADVPN port number that the VAM client has registered with the VAM server. This field is displayed when the link protocol is UDP or IPsec-UDP.
IPsec address       IP address used by the VAM client for IPsec tunnel establishment. This field is displayed when the link protocol is IPsec-UDP or IPsec-GRE.
IPsec port          UDP port number used by the VAM client for IPsec tunnel establishment. This field is displayed when the link protocol is IPsec-UDP or IPsec-GRE.
Behind NAT          Whether NAT traversal is used: No or Yes.

Related commands

reset vam server address-map
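A parser for the verbose output described in Table 107, added here as an example and not part of the H3C reference. The sample records are copied from the output shown above; the function names and the "IPsec-* link protocols only" policy are assumptions of this example.

```python
import re

# Sample input: three records copied from the verbose examples on this page.
SAMPLE = """\
<Sysname> display vam server address-map verbose
ADVPN domain name : 1
Private address   : 10.0.0.1
Type              : Hub
Hub group         : 1
Holding time      : 0H 13M 34S
Link protocol     : UDP
Public address    : 2001::1
Public port       : 10018
Registered address: 2001::1
Registered port   : 10018
Behind NAT        : No

ADVPN domain name : 1
Private address   : 10.0.0.3
Type              : Spoke
Hub group         : 1
Holding time      : 0H 4M 21S
Link protocol     : UDP
Public address    : 74.125.128.102
Public port       : 11297
Registered address: 192.168.23.6
Registered port   : 2158
Behind NAT        : Yes

ADVPN domain name : 5
Private address   : 50.0.0.1
Type              : Hub
Hub group         : 1
Holding time      : 132H 41M 29S
Link protocol     : IPsec-GRE
Public address    : 115.194.156.1
Registered address: 115.194.156.1
Behind NAT        : No
"""

# "Field name : value"; the first colon ends the name, so IPv6 values survive.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*?)\s*$")
HOLD_RE = re.compile(r"^(\d+)H (\d+)M (\d+)S$")


def parse_address_map(text):
    """Split verbose output into one dict per client record."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                      # prompt, blank or separator line
        key, value = m.groups()
        if key == "ADVPN domain name":    # first field of every record
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value          # optional fields are simply absent
    return records


def holding_seconds(value):
    """Convert the 'xH yM zS' holding time to seconds."""
    m = HOLD_RE.match(value)
    if not m:
        raise ValueError(f"unexpected holding time: {value!r}")
    hours, minutes, seconds = (int(g) for g in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def without_ipsec(records):
    """Clients whose link protocol is plain UDP or GRE (assumed policy)."""
    return [(r["ADVPN domain name"], r["Private address"], r["Link protocol"])
            for r in records
            if not r.get("Link protocol", "").startswith("IPsec-")]


def registered_before_change(records, seconds_since_change):
    """Clients that registered before a configuration change made
    seconds_since_change ago. Per the usage guidelines, new authentication
    and encryption settings do not affect clients that are already registered."""
    return [r["Private address"] for r in records
            if holding_seconds(r["Holding time"]) > seconds_since_change]


if __name__ == "__main__":
    recs = parse_address_map(SAMPLE)
    for domain, address, protocol in without_ipsec(recs):
        print(f"domain {domain}: {address} uses {protocol}")
    print("registered before change:", registered_before_change(recs, 600))
```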

display vam server ipv6 address-map

Use display vam server ipv6 address-map to display IPv6 private-public address mapping information for VAM clients registered with the VAM server.

Syntax

display vam server ipv6 address-map [ advpn-domain domain-name [ private-address private-ipv6-address ] ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

advpn-domain domain-name: Displays IPv6 address mapping information for VAM clients in the specified ADVPN domain. The domain-name argument is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command displays address mapping information for VAM clients in all ADVPN domains.

private-address private-ipv6-address: Displays IPv6 address mapping information for the VAM client with the specified private IPv6 address.

verbose: Displays detailed address mapping information. If you do not specify this keyword, the command displays brief address mapping information.

Examples

# Display IPv6 address mapping information for VAM clients in all ADVPN domains.

<Sysname> display vam server ipv6 address-map

ADVPN domain name: 1

Total private address mappings: 2

Group      Private address       Public address         Type   NAT  Holding time

1          1000::1:0:0:1         2001::1                Hub    No   0H 13M 34S

2          1000::2:0:0:1         220.181.111.85         Spoke  Yes  0H 4M 21S

 

ADVPN domain name: 2

Total private address mappings: 0

 

ADVPN domain name: 3

Total private address mappings: 1

Group      Private address       Public address         Type   NAT  Holding time

1          1003::1:0:0:1         3001::1                Hub    No   0H 0M 2S

 

ADVPN domain name: 4

Total private address mappings: 1

Group      Private address       Public address         Type   NAT  Holding time

1          1004::1:0:0:1         202.108.231.125        Hub    No   1H 8M 22S

 

ADVPN domain name: 5

Total private address mappings: 1

Group      Private address       Public address         Type   NAT  Holding time

1          1005::1:0:0:1         5001::1                Hub    No   132H 41M 29S

# Display IPv6 address mapping information for VAM clients in ADVPN domain 1.

<Sysname> display vam server ipv6 address-map advpn-domain 1

ADVPN domain name: 1

Total private address mappings: 2

Group      Private address       Public address         Type   NAT  Holding time

1          1000::1:0:0:1         2001::1                Hub    No   0H 13M 34S

2          1000::2:0:0:1         220.181.111.85         Spoke  Yes  0H 4M 21S

# Display IPv6 address mapping information for the VAM client with private IPv6 address 1000::1:0:0:1 in ADVPN domain 1.

<Sysname> display vam server ipv6 address-map advpn-domain 1 private-address 1000::1:0:0:1

Group      Private address       Public address         Type   NAT  Holding time

1          1000::1:0:0:1         2001::1                Hub    No   0H 13M 34S

Table 108 Command output

Field            Description
Group            Hub group to which the VAM client belongs.
Private address  Private address that the VAM client has registered with the VAM server.
Public address   Public address that the VAM client has registered with the VAM server.
Type             VAM client type: Hub or Spoke.
NAT              Whether NAT traversal is used: No or Yes.
Holding time     Time elapsed since the VAM client successfully registered with the server, in the format xH yM zS.

# Display detailed IPv6 address mapping information for VAM clients in all ADVPN domains.

<Sysname> display vam server ipv6 address-map verbose

ADVPN domain name : 1

Private address   : 1000::1:0:0:1

Link local address: FE80::50:4

Type              : Hub

Hub group         : 1

Holding time      : 0H 13M 34S

Link protocol     : UDP

Public address    : 2001::1

Public port       : 2098

Registered address: 2001::1

Registered port   : 2098

Behind NAT        : No

 

ADVPN domain name : 1

Private address   : 1000::2:0:0:1

Link local address: FE80::60:4

Type              : Spoke

Hub group         : 2

Holding time      : 0H 4M 21S

Link protocol     : UDP

Public address    : 220.181.111.85

Public port       : 10018

Registered address: 10.158.26.14

Registered port   : 2694

Behind NAT        : Yes

 

ADVPN domain name : 3

Private address   : 1003::1:0:0:1

Link local address: FE80::70:4

Type              : Hub

Hub group         : 1

Holding time      : 0H 0M 2S

Link protocol     : GRE

Public address    : 3001::1

Registered address: 3001::1

Behind NAT        : No

 

ADVPN domain name : 4

Private address   : 1004::1:0:0:1

Link local address: FE80::80:4

Hub group         : 1

Holding time      : 1H 8M 22S

Link protocol     : IPsec-UDP

Public address    : 202.108.231.125

Registered address: 202.108.231.125

Registered port   : 4072

Behind NAT        : No

 

ADVPN domain name : 5

Private address   : 1005::1:0:0:1

Link local address: FE80::90:4

Type              : Hub

Hub group         : 1

Holding time      : 132H 41M 29S

Link protocol     : IPsec-GRE

Public address    : 5001::1

Registered address: 5001::1

Behind NAT        : No

# Display detailed IPv6 address mapping information for VAM clients in ADVPN domain 1.

<Sysname> display vam server ipv6 address-map advpn-domain 1 verbose

ADVPN domain name : 1

Private address   : 1000::1:0:0:1

Link local address: FE80::50:4

Type              : Hub

Hub group         : 1

Holding time      : 0H 13M 34S

Link protocol     : UDP

Public address    : 2001::1

Public port       : 2098

Registered address: 2001::1

Registered port   : 2098

Behind NAT        : No

 

ADVPN domain name : 1

Private address   : 1000::2:0:0:1

Link local address: FE80::60:4

Type              : Spoke

Hub group         : 2

Holding time      : 0H 4M 21S

Link protocol     : UDP

Public address    : 220.181.111.85

Public port       : 10018

Registered address: 10.158.26.14

Registered port   : 2694

Behind NAT        : Yes

# Display detailed IPv6 address mapping information for the VAM client with private IPv6 address 1000::1:0:0:1 in ADVPN domain 1.

<Sysname> display vam server ipv6 address-map advpn-domain 1 private-address 1000::1:0:0:1 verbose

ADVPN domain name : 1

Private address   : 1000::1:0:0:1

Link local address: FE80::50:4

Type              : Hub

Hub group         : 1

Holding time      : 0H 13M 34S

Link protocol     : UDP

Public address    : 2001::1

Public port       : 2098

Registered address: 2001::1

Registered port   : 2098

Behind NAT        : No

Table 109 Command output

Field               Description
Private address     Private address that the VAM client has registered with the VAM server.
Link local address  Link local address that the VAM client has registered with the VAM server.
Type                VAM client type: Hub or Spoke.
Hub group           Hub group to which the VAM client belongs.
Holding time        Time elapsed since the VAM client successfully registered with the server, in the format xH yM zS.
Link protocol       Link layer protocol used by the VAM client for ADVPN tunnel establishment: UDP, GRE, IPsec-UDP, or IPsec-GRE.
Public address      VAM client's public IP address that has been NATed.
Public port         VAM client's ADVPN port number that has been NATed. This field is displayed when the link protocol is UDP or IPsec-UDP.
Registered address  Public address that the VAM client has registered with the VAM server.
Registered port     ADVPN port number that the VAM client has registered with the VAM server. This field is displayed when the link protocol is UDP or IPsec-UDP.
IPsec address       IP address used by the VAM client for IPsec tunnel establishment. This field is displayed when the link protocol is IPsec-UDP or IPsec-GRE.
IPsec port          UDP port number used by the VAM client for IPsec tunnel establishment. This field is displayed when the link protocol is IPsec-UDP or IPsec-GRE.
Behind NAT          Whether NAT traversal is used: No or Yes.

Related commands

reset vam server ipv6 address-map

display vam server ipv6 private-network

Use display vam server ipv6 private-network to display IPv6 private networks for VAM clients registered with the VAM server.

Syntax

display vam server ipv6 private-network [ advpn-domain domain-name [ private-address private-ipv6-address ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

advpn-domain domain-name: Displays IPv6 private networks for VAM clients in the specified ADVPN domain. The domain-name argument is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command displays IPv6 private networks for VAM clients in all ADVPN domains.

private-address private-ipv6-address: Displays IPv6 private networks for the VAM client with the specified private IPv6 address.

Examples

# Display IPv6 private networks for VAM clients in all ADVPN domains.

<Sysname> display vam server ipv6 private-network

ADVPN domain name: 1

Total private networks: 5

Network/Prefix                     Private address                    Preference

1000::1:0:0:0/96                   1000::1:0:0:2                      80

1000::1:0:0:0/100                  1000::1:0:0:1                      80

1000::1:1:0:0/96                   1000::1:0:0:1                      80

1000::2:0:0:0/96                   1000::1:0:0:2                      80

1000::2:0:0:0/96                   1000::2:0:0:2                      80

 

ADVPN domain name: 2

Total private networks: 0

 

ADVPN domain name: 3

Total private networks: 1

Network/Prefix                     Private address                    Preference

1001::1:0:0:0/100                  1001::1:0:0:1                      80

# Display IPv6 private networks for VAM clients in ADVPN domain 1.

<Sysname> display vam server ipv6 private-network advpn-domain 1

ADVPN domain name: 1

Total private networks: 5

Network/Prefix                     Private address                    Preference

1000::1:0:0:0/96                   1000::1:0:0:2                      80

1000::1:0:0:0/100                  1000::1:0:0:1                      80

1000::1:1:0:0/96                   1000::1:0:0:1                      80

1000::2:0:0:0/96                   1000::1:0:0:2                      80

1000::2:0:0:0/96                   1000::2:0:0:2                      80

# Display IPv6 private networks for the VAM client with private IPv6 address 1000::1:0:0:1.

<Sysname> display vam server ipv6 private-network advpn-domain 1 private-address 1000::1:0:0:1

Total private networks: 2

Network/Prefix                     Private address                    Preference

1000::1:0:0:0/100                  1000::1:0:0:1                      80

1000::1:1:0:0/96                   1000::1:0:0:1                      80

Table 110 Command output

Field            Description
Network/Prefix   Private network address/prefix length for an ADVPN tunnel interface.
Private address  Private address that the VAM client has registered with the VAM server.
Preference       Preference of the private route that the VAM client has registered with the VAM server.

display vam server private-network

Use display vam server private-network to display IPv4 private networks for VAM clients registered with the VAM server.

Syntax

display vam server private-network [ advpn-domain domain-name [ private-address private-ip-address ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

advpn-domain domain-name: Displays IPv4 private networks for VAM clients in the specified ADVPN domain. The domain-name argument is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command displays IPv4 private networks for VAM clients in all ADVPN domains.

private-address private-ip-address: Displays IPv4 private networks for the VAM client with the specified private IPv4 address.

Examples

# Display IPv4 private networks for VAM clients in all ADVPN domains.

<Sysname> display vam server private-network

ADVPN domain name: 1

Total private networks: 5

Network/Mask              Private address        Preference

192.168.0.0/24            10.0.0.2               80

192.168.0.0/28            10.0.0.1               80

192.168.1.0/24            10.0.0.1               80

192.168.100.0/24          10.0.0.2               80

192.168.100.0/24          10.0.0.3               80

 

ADVPN domain name: 2

Total private networks: 0

 

ADVPN domain name: 3

Total private networks: 1

Network/Mask              Private address        Preference

192.168.200.0/24          20.0.0.1               80

# Display IPv4 private networks for VAM clients in ADVPN domain 1.

<Sysname> display vam server private-network advpn-domain 1

ADVPN domain name: 1

Total private networks: 5

Network/Mask              Private address        Preference

192.168.0.0/24            10.0.0.2               80

192.168.0.0/28            10.0.0.1               80

192.168.1.0/24            10.0.0.1               80

192.168.100.0/24          10.0.0.2               80

192.168.100.0/24          10.0.0.3               80

# Display IPv4 private networks for the VAM client with private IPv4 address 10.0.0.1.

<Sysname> display vam server private-network advpn-domain 1 private-address 10.0.0.1

Total private networks: 5

Network/Mask              Private address        Preference

192.168.0.0/28            10.0.0.1               80

192.168.1.0/24            10.0.0.1               80

Table 111 Command output

Field            Description
Network/Mask     Private network address/mask length for an ADVPN tunnel interface.
Private address  Private address that the VAM client has registered with the VAM server.
Preference       Preference of the private route that the VAM client has registered with the VAM server.

display vam server statistics

Use display vam server statistics to display ADVPN domain statistics on the VAM server.

Syntax

display vam server statistics [ advpn-domain domain-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

advpn-domain domain-name: Displays statistics for the specified ADVPN domain. The domain-name argument is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command displays statistics for all ADVPN domains on the VAM server.

Examples

# Display statistics for all ADVPN domains.

<Sysname> display vam server statistics

Total ADVPN number: 3

Total spoke number: 121

Total hub number  : 3

 

ADVPN domain name      : 1

Server status          : Enabled

Holding time           : 0H 1M 47S

Registered spoke number: 98

Registered hub number  : 2

Packets received:

  Initialization request        : 100

  Initialization complete       : 100

  Register request              : 100

  Authentication information    : 100

  Address resolution request    : 203

  Network registration request  : 59

  Update request                : 196

  Logout request                : 0

  Hub information response      : 2

  Data flow information response: 0

  Keepalive                     : 642

  Error notification            : 0

  Unkonwn                       : 0

Packets sent:

  Initialization response      : 100

  Initialization complete      : 100

  Authentication request       : 100

  Register response            : 100

  Address resolution response  : 203

  Network registration response: 59

  Update response              : 196

  Hub information request      : 2

  Data flow information request: 0

  Logout response              : 0

  Keepalive                    : 642

  Error notification           : 0

 

ADVPN domain name      : 2

Server status          : Disabled

 

ADVPN domain name      : 3

Server status          : Enabled

Holding time           : 0H 33M 53S

Registered spoke number: 23

Registered hub number  : 1

Packets received:

  Initialization request        : 24

  Initialization complete       : 24

  Register request              : 24

  Authentication information    : 24

  Address resolution request    : 23

  Network registration request  : 0

  Update request                : 5

  Logout request                : 0

  Hub information response      : 2

  Data flow information response: 0

  Keepalive                     : 362

  Error notification            : 0

  Unkonwn                       : 0

Packets sent:

  Initialization response      : 24

  Initialization complete      : 24

  Authentication request       : 24

  Register response            : 24

  Address resolution response  : 23

  Network registration response: 0

  Update response              : 0

  Hub information request      : 2

  Data flow information request: 0

  Logout response              : 0

  Keepalive                    : 362

  Error notification           : 0

# Display statistics for ADVPN domain 1.

<Sysname> display vam server statistics advpn-domain 1

ADVPN domain name      : 1

Server status          : Enabled

Holding time           : 0H 1M 47S

Registered spoke number: 98

Registered hub number  : 2

Packets received:

  Initialization request        : 100

  Initialization complete       : 100

  Register request              : 100

  Authentication information    : 100

  Address resolution request    : 203

  Network registration request  : 59

  Update request                : 196

  Logout request                : 0

  Hub information response      : 2

  Data flow information response: 0

  Keepalive                     : 642

  Error notification            : 0

  Unkonwn                       : 0

Packets sent:

  Initialization response      : 100

  Initialization complete      : 100

  Authentication request       : 100

  Register response            : 100

  Address resolution response  : 203

  Network registration response: 59

  Update response              : 196

  Hub information request      : 2

  Data flow information request: 0

  Logout response              : 0

  Keepalive                    : 642

  Error notification           : 0

Table 112 Command output

Field          Description
Server status  Whether the VAM server is enabled: Enabled or Disabled.
Holding time   Time elapsed since the VAM service was enabled, in the format xH yM zS.

Related commands

reset vam server statistics

encryption-algorithm

Use encryption-algorithm to specify the algorithms for VAM protocol packet encryption and their priorities.

Use undo encryption-algorithm to restore the default.

Syntax

encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | des-cbc | none } *

undo encryption-algorithm

Default

The following encryption algorithms are available (in descending order of priority):

·     AES-CBC-256

·     AES-CBC-192

·     AES-CBC-128

·     AES-CTR-256

·     AES-CTR-192

·     AES-CTR-128

·     3DES-CBC

·     DES-CBC

Views

ADVPN domain view

Predefined user roles

network-admin

Parameters

3des-cbc: Uses the 3DES-CBC encryption algorithm.

aes-cbc-128: Uses the AES-CBC encryption algorithm, with a key length of 128 bits.

aes-cbc-192: Uses the AES-CBC encryption algorithm, with a key length of 192 bits.

aes-cbc-256: Uses the AES-CBC encryption algorithm, with a key length of 256 bits.

aes-ctr-128: Uses the AES-CTR encryption algorithm, with a key length of 128 bits.

aes-ctr-192: Uses the AES-CTR encryption algorithm, with a key length of 192 bits.

aes-ctr-256: Uses the AES-CTR encryption algorithm, with a key length of 256 bits.

des-cbc: Uses the DES-CBC encryption algorithm.

none: Performs no encryption.

Usage guidelines

The VAM server and client use AES-CBC-128 for connection request and response packet encryption, and use the negotiated algorithms for negotiation acknowledgment and subsequent VAM protocol packet encryption.

An encryption algorithm listed earlier in this command has a higher priority during algorithm negotiation. Changing this configuration does not affect VAM clients that are already registered. It applies only to VAM clients that register afterward.

Examples

# Specify the encryption algorithms as AES-CBC-128 and 3DES-CBC for ADVPN domain 1, where AES-CBC-128 has a higher priority.

<Sysname> system-view

[Sysname] vam server advpn-domain 1

[Sysname-vam-server-domain-1] encryption-algorithm aes-cbc-128 3des-cbc
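An audit of the authentication-algorithm and encryption-algorithm priority lists and of authentication-method across a saved configuration, added here as an example and not taken from the H3C reference. The configuration text is constructed, its indentation and # separators are an assumption about the saved-configuration layout, and the DISALLOWED policy is this example's choice; the defaults are the ones documented on this page.

```python
import re

# Defaults taken from the Default sections on this page.
DEFAULTS = {
    "authentication-algorithm": ["sha-1"],
    "encryption-algorithm": ["aes-cbc-256", "aes-cbc-192", "aes-cbc-128",
                             "aes-ctr-256", "aes-ctr-192", "aes-ctr-128",
                             "3des-cbc", "des-cbc"],
    "authentication-method": ["chap"],
}

# Assumed local policy (not from the page): values that should not be offered.
DISALLOWED = {
    "authentication-algorithm": {"none", "md5"},
    "encryption-algorithm": {"none", "des-cbc", "3des-cbc"},
    "authentication-method": {"none", "pap"},
}

# Constructed configuration. The layout (one-space indent inside a view, "#"
# between sections) is an assumption about how the saved configuration looks.
SAMPLE_CONFIG = """\
#
vam server advpn-domain 1
 authentication-algorithm md5 sha-1 sha-256
 encryption-algorithm aes-cbc-128 3des-cbc
 authentication-method chap
#
vam server advpn-domain 2
 authentication-algorithm sha-256
 encryption-algorithm aes-cbc-256 aes-ctr-256
#
vam server advpn-domain 3
 authentication-method none
#
"""

DOMAIN_RE = re.compile(r"^vam server advpn-domain (\S+)")


def parse_domains(config):
    """Return {domain: {command: [values in priority order]}} holding only
    the commands that are explicitly configured in each ADVPN domain view."""
    domains, current = {}, None
    for raw in config.splitlines():
        m = DOMAIN_RE.match(raw)
        if m:
            current = domains.setdefault(m.group(1), {})
            continue
        if not raw.startswith(" "):
            current = None                   # left the ADVPN domain view
            continue
        words = raw.split()
        if current is None or not words or words[0] not in DEFAULTS:
            continue
        if words[0] == "authentication-method":
            current[words[0]] = words[1:2]   # skip the optional "domain isp-name"
        else:
            current[words[0]] = words[1:]    # earlier value = higher priority
    return domains


def audit(domains):
    """List (domain, command, value, priority, source) for disallowed values.
    A command that is not configured is audited with its documented default."""
    findings = []
    for name, explicit in domains.items():
        for command, default in DEFAULTS.items():
            values = explicit.get(command, default)
            source = "configured" if command in explicit else "default"
            for priority, value in enumerate(values, start=1):
                if value in DISALLOWED[command]:
                    findings.append((name, command, value, priority, source))
    return findings


if __name__ == "__main__":
    for domain, command, value, priority, source in audit(parse_domains(SAMPLE_CONFIG)):
        print(f"advpn-domain {domain}: {command} offers {value} "
              f"at priority {priority} ({source})")
```

A domain with no encryption-algorithm line is still reported, because the documented default list ends with 3DES-CBC and DES-CBC.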

hub-group

Use hub-group to create a hub group and enter its view, or enter the view of an existing hub group.

Use undo hub-group to delete a hub group.

Syntax

hub-group group-name

undo hub-group group-name

Default

No hub groups exist.

Views

ADVPN domain view

Predefined user roles

network-admin

Parameters

group-name: Specifies a group by its name. A group name is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.).

Usage guidelines

Hub groups apply to large ADVPN networks. You can assign spokes to different hub groups, and specify one or more hubs for each group.

When a VAM client registers with the VAM server, the VAM server selects a hub group for the client as follows:

1.     The server matches the private address of the client against the private addresses of hubs in different hub groups in lexicographic order.

2.     If a match is found, the server assigns the client to the hub group as a hub.

3.     If no match is found, the server matches the client's private address against the private addresses of spokes in different hub groups in lexicographic order.

4.     If a match is found, the server assigns the client to the hub group as a spoke.

5.     If no match is found, the registration fails.

The VAM server only assigns hub information in the matching hub group to the client. The client only establishes permanent ADVPN tunnels to the hubs in the matching hub group.

Examples

# Create hub group 1 in ADVPN domain 1, and enter hub group view.

<Sysname> system-view

[Sysname] vam server advpn-domain 1

[Sysname-vam-server-domain-1] hub-group 1

[Sysname-vam-server-domain-1-hub-group-1]
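The five-step hub group selection described in the usage guidelines, written out as an added example that is not H3C code. It assumes that "lexicographic order" refers to the hub group names compared case-insensitively, and it models spoke entries as networks, a shape this section does not show; the group table is constructed.

```python
import ipaddress

# Constructed hub group table. Hub entries are single private addresses, as
# configured with "hub private-address" or "hub ipv6 private-address".
# Spoke entries are modelled as networks (assumption of this example).
GROUPS = {
    "2":      {"hubs": ["10.0.0.1"], "spokes": ["10.0.0.0/24"]},
    "10":     {"hubs": ["10.0.1.1"], "spokes": ["10.0.0.0/16"]},
    "Branch": {"hubs": ["10.0.2.1", "1000::1:0:0:1"], "spokes": ["1000::/64"]},
}


def select_hub_group(groups, client_private):
    """Return (group name, role) for a registering client, or None when the
    registration fails because no hub group matches."""
    addr = ipaddress.ip_address(client_private)
    # Group names are case-insensitive strings, so "10" sorts before "2".
    ordered = sorted(groups, key=str.lower)

    # Steps 1-2: try every group's hub addresses first.
    for name in ordered:
        if any(addr == ipaddress.ip_address(h) for h in groups[name]["hubs"]):
            return name, "hub"

    # Steps 3-4: only then try the spoke addresses, again in name order.
    # A v4 address is never "in" a v6 network (and vice versa).
    for name in ordered:
        if any(addr in ipaddress.ip_network(n) for n in groups[name]["spokes"]):
            return name, "spoke"

    # Step 5: no match, registration fails.
    return None


if __name__ == "__main__":
    for client in ("10.0.0.1", "10.0.0.7", "1000::5", "172.16.0.1"):
        print(client, "->", select_hub_group(GROUPS, client))
```

With overlapping spoke entries the first group name in sort order wins, not the most specific network, so 10.0.0.7 lands in group "10" even though group "2" holds the narrower 10.0.0.0/24.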

hub ipv6 private-address

Use hub ipv6 private-address to configure a hub private IPv6 address in a hub group.

Use undo hub ipv6 private-address to remove a hub private IPv6 address from a hub group.

Syntax

hub ipv6 private-address private-ipv6-address [ public-address { public-ip-address | public-ipv6-address } [ advpn-port port-number ] ]

undo hub ipv6 private-address private-ipv6-address

Default

No hub private IPv6 address is configured.

Views

Hub group view

Predefined user roles

network-admin

Parameters

private-ipv6-address: Specifies the private IPv6 address of a hub. The address must be a global unicast address.

public-address: Specifies the public address of the hub. If you do not specify this keyword, the VAM server uses the public address registered by the hub.

public-ip-address: Specifies the public IPv4 address of the hub. The address must be a unicast address.

public-ipv6-address: Specifies the public IPv6 address of the hub. The address must be a global unicast address.

advpn-port port-number: Specifies the ADVPN port number of the hub, in the range of 1025 to 65535. If you do not specify this option, the VAM server uses the port number registered by the hub.

Usage guidelines

For a hub to traverse a NAT gateway, configure a static mapping between the hub's registered public address/ADVPN port number and a NATed address/port number on the NAT gateway. To use this command to add the hub to a hub group, specify the NATed address and port number as the public address and ADVPN port number.

You can configure multiple hub private IPv6 addresses for a hub group.

If you execute this command multiple times for a private IPv6 address, the most recent configuration takes effect.

Examples

# Add a hub to hub group 1 in ADVPN domain 1 with private IPv6 address 1000::1:0:0:1, public IPv6 address 2001::1, and ADVPN port number 8000.

<Sysname> system-view

[Sysname] vam server advpn-domain 1

[Sysname-vam-server-domain-1] hub-group 1

[Sysname-vam-server-domain-1-hub-group-1] hub ipv6 private-address 1000::1:0:0:1 public-address 2001::1 advpn-port 8000

hub private-address

Use hub private-address to configure a hub private IPv4 address in a hub group.

Use undo hub private-address to remove a hub private IPv4 address from a hub group.

Syntax

hub private-address private-ip-address [ public-address { public-ip-address | public-ipv6-address } [ advpn-port port-number ] ]

undo hub private-address private-ip-address

Default

No hub private IPv4 address is configured.

Views

Hub group view

Predefined user roles

network-admin

Parameters

private-ip-address: Specifies the private IPv4 address of a hub. The address must be a unicast address.

public-address: Specifies the public address of the hub. If you do not specify this keyword, the VAM server uses the public address registered by the hub.

public-ip-address: Specifies the public IPv4 address of the hub. The address must be a unicast address.

public-ipv6-address: Specifies the public IPv6 address of the hub. The address must be a global unicast address.

advpn-port port-number: Specifies the ADVPN port number of the hub, in the range of 1025 to 65535. If you do not specify this option, the VAM server uses the port number registered by the hub.

Usage guidelines

For a hub to traverse a NAT gateway, configure a static mapping between the hub's registered public address/ADVPN port number and a NATed address/port number on the NAT gateway. To use this command to add the hub to a hub group, specify the NATed address and port number as the public address and ADVPN port number.

You can configure a maximum of four hub private IPv4 addresses for a hub group.

If you execute this command multiple times for a private IPv4 address, the most recent configuration takes effect.

Examples

# Add a hub to hub group 1 in ADVPN domain 1 with private IPv4 address 10.1.1.1, public IPv4 address 123.0.0.1, and ADVPN port number 8000.

<Sysname> system-view

[Sysname] vam server advpn-domain 1

[Sysname-vam-server-domain-1] hub-group 1

[Sysname-vam-server-domain-1-hub-group-1] hub private-address 10.1.1.1 public-address 123.0.0.1 advpn-port 8000

keepalive

Use keepalive to set a keepalive interval and a maximum number of keepalive retries for VAM clients.

Use undo keepalive to restore the default.

Syntax

keepalive interval interval retry retries

undo keepalive

Default

The keepalive interval is 180 seconds and the maximum number of keepalive retries is 3.

Views

ADVPN domain view

Predefined user roles

network-admin

Parameters

interval interval: Specifies the keepalive interval in the range of 5 to 65535 seconds.

retry retries: Specifies the maximum number of keepalive retries, in the range of 1 to 6.

Usage guidelines

The VAM server assigns the configured keepalive parameters to clients in the ADVPN domain.

A client sends keepalives to the server at the specified interval. If a client receives no response from the server after the maximum number of keepalive attempts (keepalive retries + 1), the client stops sending keepalives. If the VAM server receives no keepalives from a client before the timeout timer expires, the server removes information about the client and logs off the client. The timeout is the keepalive interval multiplied by the number of keepalive attempts.

Newly configured keepalive parameters do not affect registered VAM clients. They apply to subsequently registered clients.

If a device configured with dynamic NAT exists between the VAM server and VAM clients, configure the keepalive interval to be shorter than the aging time of NAT entries.

Configure proper values for the keepalive parameters depending on the network condition.

Examples

# Set the keepalive interval for VAM clients in ADVPN domain 1 to 30 seconds, and the maximum number of keepalive retries to 5.

<Sysname> system-view

[Sysname] vam server advpn-domain 1

[Sysname-vam-server-domain-1] keepalive interval 30 retry 5

pre-shared-key (ADVPN domain view)

Use pre-shared-key to configure a preshared key for the VAM server.

Use undo pre-shared-key to remove the configuration.

Syntax

pre-shared-key { cipher | simple } string

undo pre-shared-key

Default

No preshared key is configured.

Views

ADVPN domain view

Predefined user roles

network-admin

Parameters

cipher: Specifies a preshared key in encrypted form.

simple: Specifies a preshared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the preshared key. Its plaintext form is a case-sensitive string of 1 to 31 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters.

Usage guidelines

The preshared key is used to generate initial encryption and authentication keys during connection initialization. It is also used to generate encryption and authentication keys for subsequent packets if encryption and authentication are needed.

The VAM server and all clients in an ADVPN domain must have the same preshared key.

Examples

# Set the key to 123 in plaintext form for the VAM server in ADVPN domain 1.

<Sysname> system-view

[Sysname] vam server advpn-domain 1

[Sysname-vam-server-domain-1] pre-shared-key simple 123

Related commands

pre-shared-key (VAM client view)

retry interval

Use retry interval to set the retry timer for the VAM server.

Use undo retry interval to restore the default.

Syntax

retry interval interval

undo retry interval

Default

The retry timer is 5 seconds.

Views

ADVPN domain view

Predefined user roles

network-admin

Parameters

interval: Specifies the retry timer in the range of 3 to 30 seconds.

Usage guidelines

The VAM server starts the retry timer after it sends a request to a client. If the server receives no response from the client before the retry timer expires, the server resends the request. The server stops sending the request after receiving a response from the client or after the timeout timer (product of the keepalive interval and keepalive attempts) expires.

Examples

# Set the retry timer to 20 seconds for the VAM server in ADVPN domain 1.

<Sysname> system-view

[Sysname] vam server advpn-domain 1

[Sysname-vam-server-domain-1] retry interval 20

reset vam server address-map

Use reset vam server address-map to clear IPv4 private-public address mapping information for VAM clients registered with the VAM server.

Syntax

reset vam server address-map [ advpn-domain domain-name [ private-address private-ip-address ] ]

Views

User view

Predefined user roles

network-admin

Parameters

advpn-domain domain-name: Clears IPv4 address mapping information for VAM clients in the specified ADVPN domain. The domain-name argument is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command clears address mapping information for VAM clients in all ADVPN domains.

private-address private-ip-address: Clears IPv4 address mapping information for the VAM client with the specified private IPv4 address.

Usage guidelines

Executing this command also clears IPv4 private network information for the private IPv4 addresses. Then, the system sends an error notification to VAM clients that have registered the private IPv4 addresses and logs off the clients.

Examples

# Clear IPv4 address mapping information for clients in all ADVPN domains.

<Sysname> reset vam server address-map

# Clear IPv4 address mapping information for clients in ADVPN domain 1.

<Sysname> reset vam server address-map advpn-domain 1

# Clear IPv4 address mapping information for the client with private IPv4 address 10.0.0.1 in ADVPN domain 1.

<Sysname> reset vam server address-map advpn-domain 1 private-address 10.0.0.1

Related commands

display vam server address-map

reset vam server ipv6 address-map

Use reset vam server ipv6 address-map to clear IPv6 private-public address mapping information for VAM clients registered with the VAM server.

Syntax

reset vam server ipv6 address-map [ advpn-domain domain-name [ private-address private-ipv6-address ] ]

Views

User view

Predefined user roles

network-admin

Parameters

advpn-domain domain-name: Clears IPv6 address mapping information for VAM clients in the specified ADVPN domain. The domain-name argument is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command clears address mapping information for VAM clients in all ADVPN domains.

private-address private-ipv6-address: Clears IPv6 address mapping information for the VAM client with the specified private IPv6 address.

Usage guidelines

Executing this command also clears IPv6 private network information for the private IPv6 addresses. Then, the system sends an error notification to VAM clients that have registered the private IPv6 addresses and logs off the clients.

Examples

# Clear IPv6 address mapping information for clients in all ADVPN domains.

<Sysname> reset vam server ipv6 address-map

# Clear IPv6 address mapping information for clients in ADVPN domain 1.

<Sysname> reset vam server ipv6 address-map advpn-domain 1

# Clear IPv6 address mapping information for the client with private IPv6 address 1000::1:0:0:1 in ADVPN domain 1.

<Sysname> reset vam server ipv6 address-map advpn-domain 1 private-address 1000::1:0:0:1

Related commands

display vam server ipv6 address-map

reset vam server statistics

Use reset vam server statistics to clear ADVPN domain statistics on the VAM server.

Syntax

reset vam server statistics [ advpn-domain domain-name ]

Views

User view

Predefined user roles

network-admin

Parameters

advpn-domain domain-name: Clears statistics for the specified ADVPN domain. The domain-name argument is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command clears statistics for all ADVPN domains on the server.

Examples

# Clear statistics for ADVPN domain abc.

<Sysname> reset vam server statistics advpn-domain abc

# Clear statistics for all ADVPN domains.

<Sysname> reset vam server statistics

Related commands

display vam server statistics

server enable

Use server enable to enable the VAM server for an ADVPN domain.

Use undo server enable to disable the VAM server for an ADVPN domain.

Syntax

server enable

undo server enable

Default

The VAM server is disabled for an ADVPN domain.

Views

ADVPN domain view

Predefined user roles

network-admin

Usage guidelines

You can also execute the vam server enable command in system view to enable the VAM server for one or all ADVPN domains.

Examples

# Enable the VAM server for ADVPN domain 1.

<Sysname> system-view

[Sysname] vam server advpn-domain 1

[Sysname-vam-server-domain-1] server enable

Related commands

vam server enable

shortcut interest

Use shortcut interest to specify an ACL to control establishing IPv4 spoke-to-spoke tunnels.

Use undo shortcut interest to restore the default.

Syntax

shortcut interest { acl { acl-number | name acl-name } | all }

undo shortcut interest

Default

Spokes are not allowed to establish direct tunnels.

Views

Hub group view

Predefined user roles

network-admin

Parameters

acl: Specifies an ACL to control establishing IPv4 spoke-to-spoke tunnels.

acl-number: Specifies an IPv4 ACL by its number:

·     2000 to 2999 for IPv4 basic ACLs.

·     3000 to 3999 for IPv4 advanced ACLs.

name acl-name: Specifies an ACL by its name. An ACL name is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, cannot be all.

all: Allows establishing IPv4 spoke-to-spoke tunnels between all spokes in different hub groups.

Usage guidelines

The VAM server assigns the specified ACL to an online hub. When receiving an IPv4 spoke-to-spoke packet from a spoke, the hub sends a redirect packet to the spoke if all is specified or if the packet matches an ACL rule. Then, the spoke sends the VAM server the destination address of the packet, obtains the remote spoke information, and establishes a direct tunnel to the remote spoke.

After a spoke-spoke tunnel is established, the spokes directly exchange packets.

When you specify an IPv4 ACL, follow these guidelines:

·     If the ACL does not exist, the configuration does not take effect. The hub does not send any redirect packets to the spoke.

·     If the ACL is an IPv4 basic ACL, this command supports only rules that match source addresses.

·     If the ACL is an IPv4 advanced ACL, this command supports rules that match protocol numbers, source/destination addresses, and source/destination ports. It does not support rules that exclude a source/destination port.

·     If the ACL contains an unsupported rule, the rule does not take effect.

Examples

# Specify ACL 3000 to control establishing IPv4 spoke-to-spoke tunnels.

<Sysname> system-view

[Sysname] vam server advpn-domain 1

[Sysname-vam-server-domain-1] hub-group 1

[Sysname-vam-server-domain-1-hub-group-1] shortcut interest acl 3000

shortcut ipv6 interest

Use shortcut ipv6 interest to specify an ACL to control establishing IPv6 spoke-to-spoke tunnels.

Use undo shortcut ipv6 interest to restore the default.

Syntax

shortcut ipv6 interest { acl { ipv6-acl-number | name ipv6-acl-name } | all }

undo shortcut ipv6 interest

Default

Spokes are not allowed to establish direct tunnels.

Views

Hub group view

Predefined user roles

network-admin

Parameters

acl: Specifies an ACL to control establishing IPv6 spoke-to-spoke tunnels.

ipv6-acl-number: Specifies an IPv6 ACL by its number:

·     2000 to 2999 for IPv6 basic ACLs.

·     3000 to 3999 for IPv6 advanced ACLs.

name ipv6-acl-name: Specifies an IPv6 ACL by its name. An IPv6 ACL name is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, cannot be all.

all: Allows establishing IPv6 spoke-to-spoke tunnels between all spokes in different hub groups.

Usage guidelines

The VAM server assigns the specified ACL to an online hub. When receiving an IPv6 spoke-to-spoke packet from a spoke, the hub sends a redirect packet to the spoke if all is specified or if the packet matches an ACL rule. Then, the spoke sends the destination address of the packet to the VAM server, obtains the remote spoke information, and establishes a direct tunnel to the remote spoke.

After a spoke-spoke tunnel is established, the spokes directly exchange packets.

When you specify an IPv6 ACL, follow these guidelines:

·     If the ACL does not exist, the configuration does not take effect. The hub does not send any redirect packets to the spoke.

·     If the ACL is an IPv6 basic ACL, this command supports only rules that match source addresses.

·     If the ACL is an IPv6 advanced ACL, this command supports rules that match protocol numbers, source/destination addresses, and source/destination ports. It does not support rules that exclude a source/destination port.

·     If the ACL contains an unsupported rule, the rule does not take effect.

Examples

# Specify ACL 3000 to control establishing IPv6 spoke-to-spoke tunnels.

<Sysname> system-view

[Sysname] vam server advpn-domain 1

[Sysname-vam-server-domain-1] hub-group 1

[Sysname-vam-server-domain-1-hub-group-1] shortcut ipv6 interest acl 3000

spoke ipv6 private-address

Use spoke ipv6 private-address to configure a spoke private IPv6 address range in a hub group.

Use undo spoke ipv6 private-address to delete a spoke private IPv6 address range in a hub group.

Syntax

spoke ipv6 private-address { network prefix prefix-length | range start-ipv6-address end-ipv6-address }

undo spoke ipv6 private-address { network prefix prefix-length | range start-ipv6-address end-ipv6-address }

Default

No spoke private IPv6 address range is configured.

Views

Hub group view

Predefined user roles

network-admin

Parameters

network prefix prefix-length: Specifies a prefix and prefix length. The value range for prefix-length is 0 to 128.

range start-ipv6-address end-ipv6-address: Specifies a start IPv6 address and an end IPv6 address.

Usage guidelines

If you specify a prefix and prefix length, the system automatically transforms them to a start address and an end address.

You can configure multiple spoke private IPv6 address ranges in a hub group. The ranges are listed from low to high.

The spoke private IPv6 address range to be deleted must be the same as the configured one.

Examples

# Configure a spoke private IPv6 address range in IPv6 network address format as 1000::/64 for hub group 1.

<Sysname> system-view

[Sysname] vam server advpn-domain 1

[Sysname-vam-server-domain-1] hub-group 1

[Sysname-vam-server-domain-1-hub-group-1] spoke ipv6 private-address network 1000:: 64

spoke private-address

Use spoke private-address to configure a spoke private IPv4 address range in a hub group.

Use undo spoke private-address to delete a spoke private IPv4 address range in a hub group.

Syntax

spoke private-address { network ip-address { mask-length | mask } | range start-address end-address }

undo spoke private-address { network ip-address { mask-length | mask } | range start-address end-address }

Default

No spoke private IPv4 address range is configured.

Views

Hub group view

Predefined user roles

network-admin

Parameters

network ip-address { mask-length | mask }: Specifies an IPv4 address and its mask length (or mask). The value range for mask-length is 0 to 32.

range start-address end-address: Specifies a start IPv4 address and an end IPv4 address.

Usage guidelines

If you specify an IPv4 address and its mask length (or mask), the system automatically transforms them to a start address and an end address.

You can configure multiple spoke private IPv4 address ranges in a hub group. The ranges are listed from low to high.

The spoke private IPv4 address range to be deleted must be the same as the configured one.

Examples

# Configure a spoke private IPv4 address range in IPv4 network address format as 1.1.1.0/24 for hub group 1.

<Sysname> system-view

[Sysname] vam server advpn-domain 1

[Sysname-vam-server-domain-1] hub-group 1

[Sysname-vam-server-domain-1-hub-group-1] spoke private-address network 1.1.1.0 255.255.255.0

vam server advpn-domain

Use vam server advpn-domain to create an ADVPN domain and enter its view, or enter the view of an existing ADVPN domain.

Use undo vam server advpn-domain to remove an ADVPN domain.

Syntax

vam server advpn-domain domain-name [ id domain-id ]

undo vam server advpn-domain domain-name

Default

No ADVPN domains exist.

Views

System view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ADVPN domain by its name. An ADVPN domain name is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.).

id domain-id: Specifies the ID of an ADVPN domain, in the range of 1 to 65535.

Usage guidelines

An ADVPN domain ID is required only when you create the ADVPN domain.

You must specify a unique domain ID for an ADVPN domain.

Examples

# Create ADVPN domain 1 with domain ID 1, and enter its view.

<Sysname> system-view

[Sysname] vam server advpn-domain 1 id 1

[Sysname-vam-server-domain-1]

vam server enable

Use vam server enable to enable the VAM server for ADVPN domains.

Use undo vam server enable to disable the VAM server for ADVPN domains.

Syntax

vam server enable [ advpn-domain domain-name ]

undo vam server enable [ advpn-domain domain-name ]

Default

The VAM server is disabled for an ADVPN domain.

Views

System view

Predefined user roles

network-admin

Parameters

advpn-domain domain-name: Enables the VAM server for the specified ADVPN domain. The domain-name argument is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command enables the VAM server for all ADVPN domains.

Usage guidelines

You can also execute the server enable command in ADVPN domain view to enable the VAM server for an ADVPN domain.

Examples

# Enable the VAM server for all ADVPN domains.

<Sysname> system-view

[Sysname] vam server enable

# Enable the VAM server for ADVPN domain 1.

<Sysname> system-view

[Sysname] vam server enable advpn-domain 1

Related commands

server enable

vam server listen-port

Use vam server listen-port to set the port number of the VAM server.

Use undo vam server listen-port to restore the default.

Syntax

vam server listen-port port-number

undo vam server listen-port

Default

The port number of the VAM server is 18000.

Views

System view

Predefined user roles

network-admin

Parameters

port-number: Specifies the port number in the range of 1025 to 65535.

Usage guidelines

The port number of the VAM server must be the same as the port configured on the VAM clients.

Examples

# Set the port number to 10000.

<Sysname> system-view

[Sysname] vam server listen-port 10000

Related commands

server primary

server secondary

VAM client commands

advpn-domain

Use advpn-domain to specify an ADVPN domain for a VAM client.

Use undo advpn-domain to remove the ADVPN domain.

Syntax

advpn-domain domain-name

undo advpn-domain

Default

No ADVPN domain is specified for a VAM client.

Views

VAM client view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ADVPN domain by its name. An ADVPN domain name is a case-insensitive string of 1 to 31 characters that can include only letters, digits, and dots (.).

Usage guidelines

An ADVPN domain can contain multiple VAM clients.

Examples

# Specify ADVPN domain 100 for VAM client abc.

<Sysname> system-view

[Sysname] vam client name abc

[Sysname-vam-client-abc] advpn-domain 100

client enable

Use client enable to enable a VAM client.

Use undo client enable to disable a VAM client.

Syntax

client enable

undo client enable

Default

The VAM client is disabled.

Views

VAM client view

Predefined user roles

network-admin

Usage guidelines

You can also execute the vam client enable command in system view to enable one or all VAM clients.

Examples

# Enable VAM client abc.

<Sysname> system-view

[Sysname] vam client name abc

[Sysname-vam-client-abc] client enable

Related commands

vam client enable

display vam client fsm

Use display vam client fsm to display FSM information for VAM clients.

Syntax

display vam client fsm [ name client-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name client-name: Displays FSM information for the specified VAM client. The client-name argument is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command displays FSM information for all VAM clients.

Usage guidelines

This command only displays the configured parameters and dynamically obtained information.

Examples

# Display FSM information for all VAM clients.

<Sysname> display vam client fsm

Client name      : abc

Status           : Enabled

ADVPN domain name: 1

  Primary server: abc.com (28.1.1.23)

    Private address: 10.0.0.12

    Interface      : Tunnel1

      Current state           : Online (active)

      Client type             : Hub

      Holding time            : 9H 20M 30S

      Encryption algorithm    : AES-CBC-128

      Authentication algorithm: SHA1

      Keepalive               : 30 seconds, 3 times

      Number of hubs          : 1

    Private address: 1000::22

    Interface      : Tunnel2

      Current state           : Online (active)

      Client type             : Spoke

      Holding time            : 9H 20M 30S

      Encryption algorithm    : AES-CBC-128

      Authentication algorithm: SHA1

      Keepalive               : 30 seconds, 3 times

      Number of hubs          : 1

  Secondary server: 2811::24

    Private address: 10.0.0.12

    Interface      : Tunnel1

      Current state           : Offline

      Client type             : Unknown

      Holding time            : 0H 0M 0S

      Encryption algorithm    : AES-CBC-128

      Authentication algorithm: SHA1

      Keepalive               : 0 seconds, 0 times

      Number of hubs          : 0

    Private address: 1000::22

    Interface      : Tunnel2

      Current state           : Offline

      Client type             : Unknown

      Holding time            : 0H 0M 0S

      Encryption algorithm    : AES-CBC-128

      Authentication algorithm: SHA1

      Keepalive               : 0 seconds, 0 times

      Number of hubs          : 0

 

Client name      : hub

Status           : Enabled

ADVPN domain name: 2

  Primary server: 202.159.36.24

    Private address: 10.0.0.12

    Interface      : Tunnel20

      Current state           : Online (active)

      Client type             : Hub

      Holding time            : 0H 0M 47S

      Encryption algorithm    : AES-CBC-128

      Authentication algorithm: SHA1

      Keepalive               : 30 seconds, 3 times

      Number of hubs          : 1

 

Client name      : spoke

Status           : Disabled

ADVPN domain name:

Table 113 Command output

| Field | Description |
|---|---|
| Status | VAM client status: Enabled or Disabled. |
| Primary server | Public address of the primary VAM server. |
| Private address | Private address that the VAM client has registered with the VAM server. |
| Interface | ADVPN tunnel interface for the VAM client. |
| Current state | Current state of the VAM client: Offline, Init, Reg, Online, or Dumb. |
| Client type | VAM client type: Hub, Spoke, or Unknown. |
| Holding time | Length of time the VAM client has been in its current state, in the format of xH yM zS. |
| Encryption algorithm | Negotiated encryption algorithm. |
| Authentication algorithm | Negotiated authentication algorithm. |
| Keepalive | Keepalive interval (in seconds) and number of retransmissions configured on the VAM server. |
| Secondary server | Public address of the secondary VAM server. |

 

Related commands

reset vam client fsm

display vam client shortcut interest

Use display vam client shortcut interest to display IPv4 spoke-to-spoke tunnel establishment rules for VAM clients.

Syntax

display vam client shortcut interest [ name client-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name client-name: Displays IPv4 spoke-to-spoke tunnel establishment rules for the specified VAM client. The client-name argument is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command displays IPv4 spoke-to-spoke tunnel establishment rules for all VAM clients.

Usage guidelines

The VAM server assigns the rules for establishing IPv4 spoke-to-spoke tunnels only to hubs. If the specified VAM client is a spoke, the number of rules is displayed as 0.

Examples

# Display IPv4 spoke-to-spoke tunnel establishment rules for all VAM clients.

<Sysname> display vam client shortcut interest

Client name      : abc

ADVPN domain name: 1

Client type      : Spoke

ACL rules        : 0

 

Client name      : hub

ADVPN domain name: 2

Client type      : Hub

ACL rules        : 2

  Rule 1: Permit

    Protocol   : 6 (TCP)

    Source     : Address 0.0.0.0-255.255.255.255, port 0-65535

    Destination: Address 192.168.114.100-192.168.114.200, port 10000-20000

  Rule 2: Deny

    Protocol   : 0 (IP)

    Source     : Address 0.0.0.0-255.255.255.255, port 0-65535

    Destination: Address 0.0.0.0-255.255.255.255, port 0-65535

 

Client name      : spoke

ADVPN domain name: 3

Client type      : Unknown

ACL rules        : 0

# Display IPv4 spoke-to-spoke tunnel establishment rules for VAM client abc.

<Sysname> display vam client shortcut interest name abc

Client name      : abc

ADVPN domain name: 1

Client type      : Spoke

ACL rules        : 0

Table 114 Command output

| Field | Description |
|---|---|
| Client type | VAM client type: Hub, Spoke, or Unknown. |
| ACL rules | Number of ACL rules received by the VAM client. |
| Rule n: Operation | n represents the number of an ACL rule. Rule operation: Permit (allows the spokes to establish direct tunnels), Deny (prevents the spokes from establishing direct tunnels), or Discard (discards packets). |
| Protocol | Matching protocol number. |
| Source | Matching source IP address range and port number range. |
| Destination | Matching destination IP address range and port number range. |
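One way to audit the rules a hub has received, as an added Python example that is not H3C code: it parses the IPv4 sample output shown above and reports which rule a given flow hits. It assumes rules are evaluated in the displayed order with the first match winning, that protocol 0 (IP) matches any protocol, and that a flow matching no rule triggers no redirect; the test flows are constructed.

```python
import ipaddress
import re

# Sample output from the page (blank separator lines removed).
SAMPLE = """\
Client name      : abc
ADVPN domain name: 1
Client type      : Spoke
ACL rules        : 0
Client name      : hub
ADVPN domain name: 2
Client type      : Hub
ACL rules        : 2
  Rule 1: Permit
    Protocol   : 6 (TCP)
    Source     : Address 0.0.0.0-255.255.255.255, port 0-65535
    Destination: Address 192.168.114.100-192.168.114.200, port 10000-20000
  Rule 2: Deny
    Protocol   : 0 (IP)
    Source     : Address 0.0.0.0-255.255.255.255, port 0-65535
    Destination: Address 0.0.0.0-255.255.255.255, port 0-65535
Client name      : spoke
ADVPN domain name: 3
Client type      : Unknown
ACL rules        : 0
"""

RULE_RE = re.compile(r"^\s*Rule (\d+): (\w+)\s*$")
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*)$")
ENDPOINT_RE = re.compile(r"Address ([\d.]+)-([\d.]+), port (\d+)-(\d+)")
ANY = (ipaddress.IPv4Address("0.0.0.0"),
       ipaddress.IPv4Address("255.255.255.255"), 0, 65535)


def parse_endpoint(text):
    """'Address a-b, port x-y' -> (first_addr, last_addr, first_port, last_port)."""
    m = ENDPOINT_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised endpoint: {text!r}")
    return (ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2]),
            int(m[3]), int(m[4]))


def parse_shortcut_interest(output):
    """Return {client_name: {'type', 'domain', 'rules': [...]}}."""
    clients, client, rule = {}, None, None
    for line in output.splitlines():
        if not line.strip():
            continue
        m = RULE_RE.match(line)
        if m and client is not None:
            rule = {"id": int(m[1]), "action": m[2].lower()}
            client["rules"].append(rule)
            continue
        m = FIELD_RE.match(line)
        if m is None:
            continue
        key, value = m[1], m[2].strip()
        if key == "Client name":
            client, rule = {"type": None, "domain": None, "rules": []}, None
            clients[value] = client
        elif client is None:
            continue
        elif key == "Client type":
            client["type"] = value
        elif key == "ADVPN domain name":
            client["domain"] = value or None
        elif rule is not None and key == "Protocol":
            rule["protocol"] = int(value.split()[0])
        elif rule is not None and key in ("Source", "Destination"):
            rule[key.lower()] = parse_endpoint(value)
    return clients


def covers(endpoint, addr, port):
    first, last, first_port, last_port = endpoint
    return first <= addr <= last and first_port <= port <= last_port


def first_match(rules, proto, src, sport, dst, dport):
    """Return (rule_id, action) of the first rule covering the flow, else None."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r["protocol"] not in (0, proto):  # assumption: 0 means any protocol
            continue
        if covers(r["source"], src, sport) and covers(r["destination"], dst, dport):
            return r["id"], r["action"]
    return None


def unrestricted_permits(rules):
    """IDs of permit rules that place no limit on addresses or ports."""
    return [r["id"] for r in rules
            if r["action"] == "permit" and r["source"] == ANY
            and r["destination"] == ANY]


if __name__ == "__main__":
    hub_rules = parse_shortcut_interest(SAMPLE)["hub"]["rules"]
    print(first_match(hub_rules, 6, "10.0.0.5", 40000, "192.168.114.150", 15000))
    print(first_match(hub_rules, 17, "10.0.0.5", 40000, "192.168.114.150", 15000))
    print("unrestricted permits:", unrestricted_permits(hub_rules))
```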

 

display vam client shortcut ipv6 interest

Use display vam client shortcut ipv6 interest to display IPv6 spoke-to-spoke tunnel establishment rules for VAM clients.

Syntax

display vam client shortcut ipv6 interest [ name client-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name client-name: Displays IPv6 spoke-to-spoke tunnel establishment rules for the specified VAM client. The client-name argument is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command displays IPv6 spoke-to-spoke tunnel establishment rules for all VAM clients.

Usage guidelines

The VAM server assigns the rules for establishing IPv6 spoke-to-spoke tunnels only to hubs. If the specified VAM client is a spoke, the number of rules is displayed as 0.

Examples

# Display IPv6 spoke-to-spoke tunnel establishment rules for all VAM clients.

<Sysname> display vam client shortcut ipv6 interest

Client name      : abc

ADVPN domain name: 1

Client type      : Spoke

ACL rules        : 0

 

Client name      : hub

ADVPN domain name: 2

Client type      : Hub

ACL rules        : 2

  Rule 1: Permit

    Protocol                 : TCP

    Start source address     : 0::0

    End source address       : FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

    Start source port        : 0

    End source port          : 65535

    Start destination address: 2000::0

    End destination address  : 2000:1::0

    Start destination port   : 0

    End destination port     : 65535

  Rule 2: Deny

    Protocol                 : All

    Start source address     : 0::0

    End source address       : FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

    Start source port        : 0

    End source port          : 65535

    Start destination address: 0::0

    End destination address  : FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

    Start destination port   : 0

    End destination port     : 65535

 

Client name      : spoke

ADVPN domain name:

Client type      : Unknown

ACL rules        : 0

# Display IPv6 spoke-to-spoke tunnel establishment rules for VAM client abc.

<Sysname> display vam client shortcut ipv6 interest name abc

Client name      : spoke

ADVPN domain name:

Client type      : Unknown

ACL rules        : 0

Table 115 Command output

| Field | Description |
|---|---|
| Client type | VAM client type: Hub, Spoke, or Unknown. |
| ACL rules | Number of ACL rules received by the VAM client. |
| Rule n: operation | n represents the number of an ACL rule. Rule operation: Permit (allows the spokes to establish direct tunnels), Deny (prevents the spokes from establishing direct tunnels), or Discard (discards packets). |
| Protocol | Matching protocol number. |
| Start source address | Matching start address of the source IPv6 address range. |
| End source address | Matching end address of the source IPv6 address range. |
| Start source port | Matching start port number of the source port number range. |
| End source port | Matching end port number of the source port number range. |
| Start destination address | Matching start address of the destination IPv6 address range. |
| End destination address | Matching end address of the destination IPv6 address range. |
| Start destination port | Matching start port number of the destination port number range. |
| End destination port | Matching end port number of the destination port number range. |

 

display vam client statistics

Use display vam client statistics to display VAM client statistics.

Syntax

display vam client statistics [ name client-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name client-name: Displays statistics for the specified VAM client. The client-name argument is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command displays statistics for all VAM clients.

Examples

# Display statistics for all VAM clients.

<Sysname> display vam client statistics

Client name: abc

Status     : Enabled

  Primary server: abc.com

    Packets sent:

      Initialization request        : 1

      Initialization complete       : 1

      Register request              : 1

      Authentication information    : 1

      Address resolution request    : 9

      Network registration request  : 0

      Update request                : 0

      Logout request                : 0

      Hub information response      : 0

      Data flow information response: 0

      Keepalive                     : 35

      Error notification            : 0

    Packets received:

      Initialization response      : 1

      Initialization complete      : 1

      Authentication request       : 1

      Register response            : 1

      Address resolution response  : 9

      Network registration response: 0

      Update response              : 0

      Hub information request      : 0

      Data flow information request: 0

      Logout response              : 0

      Keepalive                    : 35

      Error notification           : 0

      Unkonwn                      : 0

  Secondary server: 28.1.1.24

    Packets sent:

      Initialization request        : 15

      Initialization complete       : 0

      Register request              : 0

      Authentication information    : 0

      Address resolution request    : 0

      Network registration request  : 0

      Update request                : 0

      Logout request                : 0

      Hub information response      : 0

      Data flow information response: 0

      Keepalive                     : 0

      Error notification            : 0

    Packets received:

      Initialization response      : 0

      Initialization complete      : 0

      Register response            : 0

      Authentication request       : 0

      Address resolution response  : 0

      Network registration response: 0

      Update response              : 0

      Hub information request      : 0

      Data flow information request: 0

      Logout response              : 0

      Keepalive                    : 0

      Error notification           : 0

      Unkonwn                      : 0

 

Client name: hub

Status     : Disabled

 

Client name: spoke

Status     : Enabled

  Primary server: test.com

    Packets sent:

      Initialization request        : 3

      Initialization complete       : 3

      Register request              : 3

      Authentication information    : 3

      Address resolution request    : 0

      Network registration request  : 0

      Update request                : 0

      Logout request                : 0

      Hub information response      : 0

      Data flow information response: 0

      Keepalive                     : 124

      Error notification            : 0

    Packets received:

      Initialization response      : 3

      Initialization complete      : 3

      Authentication request       : 3

      Register response            : 3

      Address resolution response  : 0

      Network registration response: 0

      Update response              : 0

      Hub information request      : 0

      Data flow information request: 0

      Logout response              : 0

      Keepalive                    : 114

      Error notification           : 0

      Unkonwn                      : 0

# Display statistics for VAM client abc.

<Sysname> display vam client statistics name abc

Client name: abc

Status     : Enabled

  Primary server: abc.com

    Packets sent:

      Initialization request        : 1

      Initialization complete       : 1

      Register request              : 1

      Authentication information    : 1

      Address resolution request    : 9

      Network registration request  : 0

      Update request                : 0

      Logout request                : 0

      Hub information response      : 0

      Data flow information response: 0

      Keepalive                     : 35

      Error notification            : 0

    Packets received:

      Initialization response      : 1

      Initialization complete      : 1

      Authentication request       : 1

      Register response            : 1

      Address resolution response  : 9

      Network registration response: 0

      Update response              : 0

      Hub information request      : 0

      Data flow information request: 0

      Logout response              : 0

      Keepalive                    : 35

      Error notification           : 0

      Unkonwn                      : 0

  Secondary server: 28.1.1.24

    Packets sent:

      Initialization request        : 15

      Initialization complete       : 0

      Register request              : 0

      Authentication information    : 0

      Address resolution request    : 0

      Network registration request  : 0

      Update request                : 0

      Logout request                : 0

      Hub information response      : 0

      Data flow information response: 0

      Keepalive                     : 0

      Error notification            : 0

    Packets received:

      Initialization response      : 0

      Initialization complete      : 0

      Register response            : 0

      Authentication request       : 0

      Address resolution response  : 0

      Network registration response: 0

      Update response              : 0

      Hub information request      : 0

      Data flow information request: 0

      Logout response              : 0

      Keepalive                    : 0

      Error notification           : 0

      Unkonwn                      : 0

Table 116 Command output

| Field | Description |
|---|---|
| Status | VAM client status: Enabled or Disabled. |
| Primary server | Public address or domain name of the primary VAM server. |
| Secondary server | Public address or domain name of the secondary VAM server. |

 

Related commands

reset vam client statistics
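
The sample output above already shows two patterns worth alerting on: the secondary server of client abc received 15 initialization requests and answered none, and client spoke sent more keepalives than it received. The following Python sketch is an added example, not H3C code; it parses the text of display vam client statistics and reports such mismatches. The request-to-response pairing and the keepalive_slack threshold are assumptions made for this example.

```python
"""Flag unanswered VAM requests in `display vam client statistics` output."""

# Constructed input: the sample output above, trimmed to the counters checked here.
SAMPLE = """\
Client name: abc
Status     : Enabled
  Primary server: abc.com
    Packets sent:
      Initialization request        : 1
      Register request              : 1
      Address resolution request    : 9
      Keepalive                     : 35
    Packets received:
      Initialization response      : 1
      Register response            : 1
      Address resolution response  : 9
      Keepalive                    : 35
      Error notification           : 0
      Unkonwn                      : 0
  Secondary server: 28.1.1.24
    Packets sent:
      Initialization request        : 15
      Keepalive                     : 0
    Packets received:
      Initialization response      : 0
      Keepalive                    : 0

Client name: hub
Status     : Disabled

Client name: spoke
Status     : Enabled
  Primary server: test.com
    Packets sent:
      Initialization request        : 3
      Keepalive                     : 124
    Packets received:
      Initialization response      : 3
      Keepalive                    : 114
"""

# Assumed pairing: counter under "Packets sent" -> counter expected under "Packets received".
PAIRS = {
    "Initialization request": "Initialization response",
    "Register request": "Register response",
    "Address resolution request": "Address resolution response",
    "Keepalive": "Keepalive",
}


def parse_statistics(text):
    """Return {client: {"status": str, "servers": {label: {"sent": {}, "received": {}}}}}."""
    clients, client, server, direction = {}, None, None, None
    for raw in text.splitlines():
        # Split on the first colon only, so IPv6 server addresses stay intact.
        key, _, value = (part.strip() for part in raw.partition(":"))
        if key == "Client name":
            client = clients.setdefault(value, {"status": None, "servers": {}})
            server = direction = None
        elif client is None:
            continue
        elif key == "Status":
            client["status"] = value
        elif key in ("Primary server", "Secondary server"):
            server = client["servers"].setdefault(f"{key} {value}", {"sent": {}, "received": {}})
            direction = None
        elif key in ("Packets sent", "Packets received"):
            direction = key.split()[1]
        elif server is not None and direction and value.isdigit():
            server[direction][key] = int(value)
    return clients


def find_anomalies(clients, keepalive_slack=2):
    """Return (client, server, message) tuples for enabled clients only."""
    findings = []
    for name, client in clients.items():
        if client["status"] != "Enabled":
            continue
        for label, stats in client["servers"].items():
            sent, received = stats["sent"], stats["received"]
            for req, resp in PAIRS.items():
                s, r = sent.get(req, 0), received.get(resp, 0)
                if s > 0 and r == 0:
                    findings.append((name, label, f"{req}: {s} sent, none answered"))
                elif req == "Keepalive" and s - r > keepalive_slack:
                    findings.append((name, label, f"Keepalive: {s} sent, {r} received"))
            # "Unkonwn" is matched exactly as the device prints it in the output above.
            for counter in ("Error notification", "Unkonwn"):
                if received.get(counter, 0) > 0:
                    findings.append((name, label, f"{counter}: {received[counter]} received"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_statistics(SAMPLE)):
        print(*finding, sep=" | ")
```

An unanswered initialization request does not identify the cause by itself; a mismatched port (see the server primary and server secondary commands) and an unreachable server produce the same counters.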

dumb-time

Use dumb-time to set the dumb timer for a VAM client.

Use undo dumb-time to restore the default.

Syntax

dumb-time time-interval

undo dumb-time

Default

The dumb timer for a VAM client is 120 seconds.

Views

VAM client view

Predefined user roles

network-admin

Parameters

time-interval: Specifies the dumb timer in the range of 10 to 600 seconds.

Usage guidelines

A VAM client starts the dumb timer after the timeout timer expires. The client does not process any packets during the dumb time. When the dumb timer expires, the client sends a new connection request to the VAM server.

Examples

# Set the dumb timer to 100 seconds.

<Sysname> system-view

[Sysname] vam client name abc

[Sysname-vam-client-abc] dumb-time 100

pre-shared-key (VAM client view)

Use pre-shared-key to configure a preshared key for a VAM client.

Use undo pre-shared-key to remove the configuration.

Syntax

pre-shared-key { cipher | simple } string

undo pre-shared-key

Default

No preshared key is configured for a VAM client.

Views

VAM client view

Predefined user roles

network-admin

Parameters

cipher: Specifies a preshared key in encrypted form.

simple: Specifies a preshared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the preshared key. Its plaintext form is a case-sensitive string of 1 to 31 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters.

Usage guidelines

The preshared key is used to generate initial encryption and authentication keys during connection initialization. It is also used to generate encryption and authentication keys for subsequent packets if encryption and authentication are needed.

All VAM clients and the VAM server in an ADVPN domain must have the same preshared key.

Examples

# Set the key to 123 in plaintext form for VAM client abc.

<Sysname> system-view

[Sysname] vam client name abc

[Sysname-vam-client-abc] pre-shared-key simple 123

Related commands

pre-shared-key (ADVPN domain view)

vam client name

reset vam client fsm

Use reset vam client fsm to reset FSMs for VAM clients.

Syntax

reset vam client fsm [ name client-name ]

Views

User view

Predefined user roles

network-admin

Parameters

name client-name: Resets the FSM for the specified VAM client. The client-name argument is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command resets FSMs for all VAM clients.

Usage guidelines

After the FSM is reset for a VAM client, the client will immediately try to come online.

Examples

# Reset the FSM for VAM client abc.

<Sysname> reset vam client fsm name abc

# Reset FSMs for all VAM clients.

<Sysname> reset vam client fsm

Related commands

display vam client fsm

reset vam client ipv6 fsm

Use reset vam client ipv6 fsm to reset FSMs for IPv6 VAM clients.

Syntax

reset vam client ipv6 fsm [ name client-name ]

Views

User view

Predefined user roles

network-admin

Parameters

name client-name: Resets the FSM for the specified IPv6 VAM client. The client-name argument is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command resets FSMs for all IPv6 VAM clients.

Usage guidelines

After the FSM is reset for an IPv6 VAM client, the client will immediately try to come online.

Examples

# Reset the FSM for IPv6 VAM client abc.

<Sysname> reset vam client ipv6 fsm name abc

# Reset FSMs for all IPv6 VAM clients.

<Sysname> reset vam client ipv6 fsm

Related commands

display vam client fsm

reset vam client statistics

Use reset vam client statistics to clear VAM client statistics.

Syntax

reset vam client statistics [ name client-name ]

Views

User view

Predefined user roles

network-admin

Parameters

name client-name: Clears statistics for the specified VAM client. The client-name argument is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command clears statistics for all VAM clients.

Examples

# Clear statistics for VAM client abc.

<Sysname> reset vam client statistics name abc

# Clear statistics for all VAM clients.

<Sysname> reset vam client statistics

Related commands

display vam client statistics

retry

Use retry to set the retry interval and retry number for a VAM client.

Use undo retry to restore the default.

Syntax

retry interval interval count retries

undo retry

Default

The retry interval is 5 seconds and the retry number is 3.

Views

VAM client view

Predefined user roles

network-admin

Parameters

interval interval: Specifies the retry interval in the range of 3 to 30 seconds.

count retries: Specifies the number of retries, in the range of 1 to 6.

Usage guidelines

After a VAM client sends a request to the server, it resends the request if it does not receive a response within the retry interval. If the client still has not received a response after the maximum number of attempts (retry number + 1), it determines that the server is unreachable.

The retry number setting does not apply to register and update requests. The client sends those requests at the retry interval until it goes offline.

Examples

# Set the retry interval to 20 seconds and the retry number to 4 for VAM client abc.

<Sysname> system-view

[Sysname] vam client name abc

[Sysname-vam-client-abc] retry interval 20 count 4

server primary

Use server primary to specify a primary VAM server for a VAM client.

Use undo server primary to restore the default.

Syntax

server primary { ip-address ipv4-address | ipv6-address ipv6-address | name host-name } [ port port-number ]

undo server primary

Default

No primary VAM server is specified.

Views

VAM client view

Predefined user roles

network-admin

Parameters

ip-address ipv4-address: Specifies a public IPv4 address for the primary VAM server. The address must be a unicast address.

ipv6-address ipv6-address: Specifies a public IPv6 address for the primary VAM server. The address must be a global unicast address.

name host-name: Specifies a domain name for the primary VAM server. It is a dot-separated, case-insensitive string that can include letters, digits, hyphens (-), and underscores (_). The domain name can include a maximum of 253 characters, and each separated string includes no more than 63 characters.

port port-number: Specifies a port number for the primary VAM server, in the range of 1025 to 65535. The default is 18000.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

The port number of a VAM server must be the same as the port number configured on the VAM server by using the vam server listen-port command.

If the specified primary and secondary VAM servers have the same address or name, only the primary VAM server takes effect.

Examples

# Specify the domain name of the primary VAM server as abc.com and port number as 2000 for VAM client abc.

<Sysname> system-view

[Sysname] vam client name abc

[Sysname-vam-client-abc] server primary name abc.com port 2000

# Specify the public IP address of the primary VAM server as 1.1.1.1 and port number as 2000 for VAM client abc.

<Sysname> system-view

[Sysname] vam client name abc

[Sysname-vam-client-abc] server primary ip-address 1.1.1.1 port 2000

# Specify the public IPv6 address of the primary VAM server as 1001::1 and port number as 2000 for VAM client abc.

<Sysname> system-view

[Sysname] vam client name abc

[Sysname-vam-client-abc] server primary ipv6-address 1001::1 port 2000

Related commands

server secondary

server secondary

Use server secondary to specify a secondary VAM server for a VAM client.

Use undo server secondary to restore the default.

Syntax

server secondary { ip-address ipv4-address | ipv6-address ipv6-address | name host-name } [ port port-number ]

undo server secondary

Default

No secondary VAM server is specified.

Views

VAM client view

Predefined user roles

network-admin

Parameters

ip-address ipv4-address: Specifies a public IPv4 address for the secondary VAM server. The address must be a unicast address.

ipv6-address ipv6-address: Specifies a public IPv6 address for the secondary VAM server. The address must be a global unicast address.

name host-name: Specifies a domain name of a secondary VAM server. It is a dot-separated, case-insensitive string that can include letters, digits, hyphens (-), and underscores (_). The domain name can include a maximum of 253 characters, and each separated string includes no more than 63 characters.

port port-number: Specifies a port number for the secondary VAM server, in the range of 1025 to 65535. The default is 18000.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

The port number of a VAM server must be the same as the port number configured on the VAM server by using the vam server listen-port command.

If the specified primary and secondary VAM servers have the same address or name, only the primary VAM server takes effect.

Examples

# Specify the domain name of the secondary VAM server as abc.com and port number as 2000 for VAM client abc.

<Sysname> system-view

[Sysname] vam client name abc

[Sysname-vam-client-abc] server secondary name abc.com port 2000

# Specify the public IP address of the secondary VAM server as 1.1.1.2 and port number as 3000 for VAM client abc.

<Sysname> system-view

[Sysname] vam client name abc

[Sysname-vam-client-abc] server secondary ip-address 1.1.1.2 port 3000

# Specify the public IPv6 address of the secondary VAM server as 1001::2 and port number as 3000 for VAM client abc.

<Sysname> system-view

[Sysname] vam client name abc

[Sysname-vam-client-abc] server secondary ipv6-address 1001::2 port 3000

Related commands

server primary

user

Use user to configure a username and password for a VAM client.

Use undo user to restore the default.

Syntax

user username password { cipher | simple } string

undo user

Default

No username or password is configured.

Views

VAM client view

Predefined user roles

network-admin

Parameters

username: Specifies a username. The username is a case-sensitive string of 1 to 253 characters. It cannot include slashes (/), backslashes (\), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), quotation marks ("), vertical bars (|), or at signs (@).

password: Specifies a password.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

You can configure only one username for a VAM client.

Examples

# Configure the username as user and password as user in plaintext form for VAM client abc.

<Sysname> system-view

[Sysname] vam client name abc

[Sysname-vam-client-abc] user user password simple user
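
The examples for pre-shared-key and user above enter short secrets with the simple keyword. The device stores them in encrypted form, but a provisioning script or template that contains the command still holds the plaintext. The following Python sketch is an added example, not part of the H3C reference; it lints VAM client view commands against the ranges documented for dumb-time, retry, pre-shared-key, server primary, server secondary, and user. The finding codes and the MIN_SECRET_LEN threshold are assumptions made for this example.

```python
"""Lint VAM client view commands against the ranges in this reference."""

# Constructed provisioning snippet (not from a real device).
SCRIPT = """\
vam client name abc
 dumb-time 5
 retry interval 20 count 8
 pre-shared-key simple 123
 user user password simple user
 server primary name abc.com port 2000
 server secondary name ABC.com port 80
"""

MIN_SECRET_LEN = 12  # assumption: local policy threshold, not a value from the reference
FORBIDDEN_USER_CHARS = set('/\\:*?<>"|@')  # characters the reference bars from usernames


def _in_range(value, low, high):
    return value.isdigit() and low <= int(value) <= high


def _secret_codes(form, secret, max_plain):
    """Codes for a `{ cipher | simple } string` pair; only plaintext can be inspected."""
    if form != "simple":
        return []
    codes = ["plaintext-secret"]  # the secret is readable in the stored script
    if not 1 <= len(secret) <= max_plain:
        codes.append("secret-length-range")
    elif len(secret) < MIN_SECRET_LEN:
        codes.append("short-secret")
    return codes


def lint_vam_client(script):
    """Return [(line_number, code), ...] for the commands of one VAM client."""
    findings, servers = [], {}
    for number, raw in enumerate(script.splitlines(), start=1):
        t = raw.split()
        codes = []
        if len(t) == 2 and t[0] == "dumb-time":
            if not _in_range(t[1], 10, 600):
                codes.append("dumb-time-range")
        elif len(t) == 5 and t[0] == "retry" and t[1] == "interval" and t[3] == "count":
            if not _in_range(t[2], 3, 30):
                codes.append("retry-interval-range")
            if not _in_range(t[4], 1, 6):
                codes.append("retry-count-range")
        elif len(t) == 3 and t[0] == "pre-shared-key":
            codes += _secret_codes(t[1], t[2], 31)
        elif len(t) == 5 and t[0] == "user" and t[2] == "password":
            if not 1 <= len(t[1]) <= 253 or FORBIDDEN_USER_CHARS & set(t[1]):
                codes.append("username-invalid")
            codes += _secret_codes(t[3], t[4], 63)
            if t[3] == "simple" and t[4] == t[1]:
                codes.append("password-equals-username")
        elif len(t) in (4, 6) and t[0] == "server" and t[1] in ("primary", "secondary"):
            # The port defaults to 18000 when the port keyword is omitted.
            port = t[5] if len(t) == 6 and t[4] == "port" else "18000"
            if not _in_range(port, 1025, 65535):
                codes.append("port-range")
            servers[t[1]] = t[3].lower()  # host names are case-insensitive
            # Same address or name for both: only the primary takes effect.
            if len(servers) == 2 and servers["primary"] == servers["secondary"]:
                codes.append("duplicate-server")
        findings += [(number, code) for code in codes]
    return findings


if __name__ == "__main__":
    for line_number, code in lint_vam_client(SCRIPT):
        print(f"line {line_number}: {code}")
```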

vam client enable

Use vam client enable to enable VAM clients.

Use undo vam client enable to disable VAM clients.

Syntax

vam client enable [ name client-name ]

undo vam client enable [ name client-name ]

Default

The VAM client is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

name client-name: Enables the specified VAM client. The client-name argument is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.). If you do not specify this option, the command enables all VAM clients.

Usage guidelines

You can also execute the client enable command in VAM client view to enable a VAM client.

Examples

# Enable all VAM clients.

<Sysname> system-view

[Sysname] vam client enable

# Enable VAM client abc.

<Sysname> system-view

[Sysname] vam client enable name abc

Related commands

client enable

vam client name

Use vam client name to create a VAM client and enter its view, or enter the view of an existing VAM client.

Use undo vam client name to remove a VAM client.

Syntax

vam client name client-name

undo vam client name client-name

Default

No VAM clients exist.

Views

System view

Predefined user roles

network-admin

Parameters

client-name: Specifies a VAM client by its name. A VAM client name is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.).

Examples

# Create VAM client abc and enter its view.

<Sysname> system-view

[Sysname] vam client name abc

[Sysname-vam-client-abc]

ADVPN tunnel commands

advpn group

Use advpn group to configure an ADVPN group name.

Use undo advpn group to restore the default.

Syntax

advpn group group-name

undo advpn group

Default

No ADVPN group name is configured.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

group-name: Specifies the ADVPN group name. The group name is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.).

Usage guidelines

This command must be configured on the tunnel interface of a spoke. The spoke sends the ADVPN group name in a hub-spoke tunnel establishment request to a hub. The hub looks for an ADVPN group-to-QoS policy mapping that matches the ADVPN group name. If a matching mapping is found, the hub applies the QoS policy in the mapping to the hub-spoke tunnel. If no match is found, the hub does not apply a QoS policy to the hub-spoke tunnel.

If you modify the ADVPN group name after the tunnel is established, the spoke will inform the hub of the modification. The hub will look for an ADVPN group-to-QoS policy mapping that matches the new ADVPN group name and apply the QoS policy in the new mapping.

As a best practice, do not configure an ADVPN group name and apply a QoS policy on the same tunnel interface.

Examples

# Configure aaa as the ADVPN group name.

<Sysname> system-view

[Sysname] interface tunnel1 mode advpn gre

[Sysname-Tunnel1] advpn group aaa

advpn ipv6 network

Use advpn ipv6 network to configure a private IPv6 network for an IPv6 ADVPN tunnel interface.

Use undo advpn ipv6 network to remove a private IPv6 network from an IPv6 ADVPN tunnel interface.

Syntax

advpn ipv6 network prefix prefix-length [ preference preference-value ]

undo advpn ipv6 network prefix prefix-length

Default

No private IPv6 network is configured.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

prefix prefix-length: Specifies the prefix and prefix length of the private IPv6 network address. The value range for prefix-length is 0 to 128.

preference preference-value: Specifies a preference for the route to the private network, in the range of 1 to 255. The default is 8.

Usage guidelines

This command is available only for IPv6 ADVPN tunnel interfaces.

Each VAM client registers the private networks for an ADVPN tunnel with the VAM server. If another VAM client receives a packet with the destination address resolved as a registered private address, the VAM server sends the registered VAM client information to the client.

This command takes effect on a tunnel interface that has been configured with an IPv6 address and bound to a VAM client by using the vam ipv6 client command.

You can configure multiple private IPv6 networks for a tunnel interface.

Set the preference of the private network route to be higher than other dynamic routing protocols, and lower than static routing. A higher preference value represents a lower priority.

Examples

# Configure private IPv6 network 1001::/64 for interface Tunnel 1, and set the route preference to 20.

<Sysname> system-view

[Sysname] interface tunnel 1 mode advpn udp ipv6

[Sysname-Tunnel1] advpn ipv6 network 1001:: 64 preference 20

Related commands

vam ipv6 client

advpn map group

Use advpn map group to configure a mapping between an ADVPN group and a QoS policy.

Use undo advpn map group to delete a mapping between an ADVPN group and a QoS policy.

Syntax

advpn map group group-name qos-policy policy-name outbound

undo advpn map group group-name

Default

No ADVPN group-to-QoS policy mappings are configured.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

group-name: Specifies the ADVPN group name. The group name is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.).

qos-policy policy-name: Specifies the QoS policy name, a case-sensitive string of 1 to 31 characters.

outbound: Applies the QoS policy to the outbound direction.

Usage guidelines

This command must be configured on the tunnel interface of a hub. After receiving a hub-spoke tunnel establishment request from a spoke, the hub looks for an ADVPN group-to-QoS policy mapping that matches the ADVPN group name carried in the request. If a matching mapping is found, the hub applies the QoS policy in the mapping to the hub-spoke tunnel.

You can configure multiple ADVPN group-to-QoS policy mappings on a tunnel interface.

You can map multiple ADVPN groups to a QoS policy. You can map an ADVPN group to only one QoS policy.

As a best practice, do not configure an ADVPN group-to-QoS policy mapping and apply a QoS policy on the same tunnel interface.

Examples

# Configure a mapping between ADVPN group aaa and QoS policy bbb on Tunnel1.

<Sysname> system-view

[Sysname] interface Tunnel1 mode advpn gre

[Sysname-Tunnel1] advpn map group aaa qos-policy bbb outbound

advpn network

Use advpn network to configure a private IPv4 network for an IPv4 ADVPN tunnel interface.

Use undo advpn network to remove a private IPv4 network from an IPv4 ADVPN tunnel interface.

Syntax

advpn network ip-address { mask-length | mask } [ preference preference-value ]

undo advpn network ip-address { mask-length | mask }

Default

No private IPv4 network is configured.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the private IPv4 network address.

mask-length: Specifies the mask length of the private IPv4 network address, in the range of 0 to 32.

mask: Specifies the mask of the private IPv4 network address.

preference preference-value: Specifies a preference for the route to the private network, in the range of 1 to 255. The default is 8.

Usage guidelines

This command is available only for IPv4 ADVPN tunnel interfaces.

Each VAM client registers the private networks for an ADVPN tunnel with the VAM server. If another VAM client receives a packet with the destination address resolved as a registered private address, the VAM server sends the registered VAM client information to the client.

This command takes effect on a tunnel interface that has been configured with an IPv4 address and bound to a VAM client by using the vam client command.

You can configure multiple private IPv4 networks for a tunnel interface.

Set the preference of the private network route to be higher than other dynamic routing protocols, and lower than static routing. A higher preference value represents a lower priority.

Examples

# Configure private IPv4 network 10.0.5.0 with mask 255.255.255.0 for interface Tunnel 1, and set the route preference to 20.

<Sysname> system-view

[Sysname] interface tunnel 1 mode advpn udp

[Sysname-Tunnel1] advpn network 10.0.5.0 255.255.255.0 preference 20

Related commands

vam client

advpn session dumb-time

Use advpn session dumb-time to set the dumb time for an ADVPN tunnel interface.

Use undo advpn session dumb-time to restore the default.

Syntax

advpn session dumb-time time-interval

undo advpn session dumb-time

Default

The dumb time is 120 seconds.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

time-interval: Specifies the dumb time in the range of 10 to 600 seconds.

Usage guidelines

This command is available only for ADVPN tunnel interfaces.

The new dumb time setting only applies to subsequently established tunnels.

Examples

# Set the dumb time to 100 seconds.

<Sysname> system-view

[Sysname] interface tunnel 1 mode advpn udp

[Sysname-Tunnel1] advpn session dumb-time 100

advpn session idle-time

Use advpn session idle-time to set the idle timeout time for a spoke-spoke ADVPN tunnel. If no data is forwarded along the spoke-spoke tunnel during the idle timeout time, the tunnel will be removed automatically.

Use undo advpn session idle-time to restore the default.

Syntax

advpn session idle-time time-interval

undo advpn session idle-time

Default

The idle timeout time is 600 seconds.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

time-interval: Specifies the idle timeout time in the range of 60 to 65535 seconds.

Usage guidelines

This command is available only for ADVPN tunnel interfaces.

The new idle timeout setting applies to both established and subsequently established spoke-spoke tunnels.

Examples

# Set the idle timeout time to 800 seconds.

<Sysname> system-view

[Sysname] interface tunnel 1 mode advpn udp

[Sysname-Tunnel1] advpn session idle-time 800

advpn source-port

Use advpn source-port to set the source UDP port number for ADVPN packets.

Use undo advpn source-port to restore the default.

Syntax

advpn source-port port-number

undo advpn source-port

Default

The source UDP port number is 18001.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

port-number: Specifies the UDP port number in the range of 1025 to 65535.

Usage guidelines

This command is available only for UDP-encapsulated ADVPN tunnels.

If the vam client command configured on the tunnel interface has the compatible keyword, the tunnel interface must have a different source UDP port number than other tunnel interfaces.

Examples

# Set the source UDP port number to 6000.

<Sysname> system-view

[Sysname] interface tunnel 1 mode advpn udp

[Sysname-Tunnel1] advpn source-port 6000

Related commands

vam client

display advpn group-qos-map

Use display advpn group-qos-map to display ADVPN group-to-QoS policy mappings.

Syntax

display advpn group-qos-map [ interface tunnel number [ group group-name ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface tunnel number: Specifies an ADVPN tunnel interface by its tunnel interface number. The value range for the number argument is 0 to 1023. If you do not specify a tunnel interface, this command displays ADVPN group-to-QoS policy mappings for all ADVPN tunnel interfaces.

group group-name: Specifies an ADVPN group by its name. If you do not specify an ADVPN group, this command displays ADVPN group-to-QoS policy mappings for all ADVPN groups.

Examples

# Display ADVPN group-to-QoS policy mappings for all ADVPN tunnel interfaces.

<Sysname> display advpn group-qos-map

Interface: Tunnel1 

  ADVPN group: group1

  QoS policy: policy1

  Session list:

     Private address         Public address

     10.0.0.3                 192.168.180.136

     10.0.1.4                 192.168.180.137

 

  ADVPN group: bb

  QoS policy: bb-policy

  No sessions match the ADVPN group-to-QoS policy mapping.

 

Interface: Tunnel2

  ADVPN group: group2

  QoS policy: policy2

  Session list:

    Private address         Public address

    20.0.0.3                 200::3

Table 117 Command output

| Field | Description |
|---|---|
| Interface | ADVPN tunnel interface. |
| ADVPN group | ADVPN group name. |
| QoS policy | QoS policy to which the ADVPN group is mapped. |
| Session list | List of ADVPN tunnels that use the QoS policy on the tunnel interface. |
| Private address | Private address of the ADVPN tunnel peer. |
| Public address | Public address of the ADVPN tunnel peer. |
| No sessions match the ADVPN group-to-QoS policy mapping | No ADVPN tunnels match the ADVPN group-to-QoS policy mapping on the tunnel interface. |

 

Related commands

advpn group

advpn map group

display advpn ipv6 session

Use display advpn ipv6 session to display IPv6 ADVPN tunnel information.

Syntax

display advpn ipv6 session [ interface tunnel number [ private-address private-ipv6-address ] ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface tunnel number: Displays information about IPv6 ADVPN tunnels on an IPv6 ADVPN tunnel interface specified by the interface number. If you do not specify this option, the command displays information about all IPv6 ADVPN tunnels.

private-address private-ipv6-address: Displays information about the IPv6 ADVPN tunnel with the specified peer private IPv6 address.

verbose: Displays detailed IPv6 ADVPN tunnel information. If you do not specify this keyword, the command displays brief IPv6 ADVPN tunnel information.

Examples

# Display brief information about all IPv6 ADVPN tunnels.

<Sysname> display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 2

Private address       Public address        Port  Type  State      Holding time

1001::3               2000::180:136         1139  H-S   Success    5H 38M 8S

1001::4               2000::180:137         3546  H-S   Dumb       0H 0M 27S

 

Interface         : Tunnel2

Number of sessions: 1

Private address       Public address        Port  Type  State      Holding time

1002::4               202.0.180.137         --    S-H   Establish  0H 0M 2S

 

Interface         : Tunnel3

Number of sessions: 1

Private address       Public address        Port  Type  State      Holding time

1003::4               2003::180:137         2057  S-S   Success    1H 12M 26S

 

Interface         : Tunnel4

Number of sessions: 1

Private address       Public address        Port  Type  State      Holding time

1004::4               204.1.181:157         --    H-H   Success    10H 48M 19S

 

Interface         : Tunnel5

Number of sessions: 0

# Display brief information about IPv6 ADVPN tunnels on interface Tunnel 1.

<Sysname> display advpn ipv6 session interface tunnel 1

Interface         : Tunnel1

Number of sessions: 2

Private address       Public address        Port  Type  State      Holding time

1001::3               2000::180:136         1139  H-S   Success    5H 38M 8S

1001::4               2000::180:137         3546  H-S   Dumb       0H 0M 27S

# Display brief information about the IPv6 ADVPN tunnel with peer private IPv6 address 1001::3 on interface Tunnel 1.

<Sysname> display advpn ipv6 session interface tunnel 1 private-address 1001::3

Private address       Public address        Port  Type  State      Holding time

1001::3               2000::180:136         1139  H-S   Success    5H 38M 8S

Table 118 Command output

Field

Description

Interface

ADVPN tunnel interface.

Number of sessions

Number of ADVPN tunnels established on the tunnel interface.

Private address

Private address of the ADVPN tunnel peer.

Public address

Public address of the ADVPN tunnel peer.

Port

Port number of the ADVPN tunnel peer.

Type

ADVPN tunnel type:

·     H-H—Both the local end and the remote end are hubs.

·     H-S—The local end is a hub and the remote end is a spoke.

·     S-H—The local end is a spoke and the remote end is a hub.

·     S-S—Both the local end and the remote end are spokes.

State

ADVPN tunnel state:

·     Success—The tunnel has been successfully established.

·     Establishing—The tunnel is being established.

·     Dumb—The tunnel failed to be established and is now quiet.

Holding time

Length of time the tunnel has stayed in the current state, in the format of xH yM zS.

 

# Display detailed information about all IPv6 ADVPN tunnels.

<Sysname> display advpn ipv6 session verbose

Interface         : Tunnel1

Client name       : vpn1

ADVPN domain name : 1

Link protocol     : UDP

Number of sessions: 2

  Private address: 1001::3

  Public address : 2000::180:136

  ADVPN port     : 1139

  Session type   : Hub-Spoke

  State          : Success

  Holding time   : 5H 38M 8S

  ADVPN group      : group1

  Outbound QoS policy: policy1

  Input : 2201 packets, 2198 data packets, 3 control packets

          2191 multicasts, 0 errors

  Output: 2169 packets, 216 data packets, 1 control packets

          2163 multicasts, 0 errors

 

  Private address: 1001::4

  Public address : 2000::180:137

  ADVPN port     : 3546

  Session type   : Hub-Spoke

  State          : Dumb

  Holding time   : 0H 0M 27S

  ADVPN group      : group1

  Outbound QoS policy: policy1

  Input : 1 packets, 0 data packets, 1 control packets

          0 multicasts, 0 errors

  Output: 16 packets, 0 data packets, 16 control packets

          0 multicasts, 0 errors

 

Interface         : Tunnel2

Client name       : vpn2

ADVPN domain name : 2

Link protocol     : GRE

Number of sessions: 1

  Private address: 1002::4

  Public address : 202.0.180.137

  Session type   : Spoke-Hub

  State          : Establish

  Holding time   : 0H 0M 2S

  ADVPN group      : group1

  Outbound QoS policy: policy1

  Input:  0 packets, 0 data packets, 0 control packets

          0 multicasts, 0 errors

  Output: 1 packets, 0 data packets, 1 control packets

          0 multicasts, 0 errors

 

Interface         : Tunnel3

Client name       : vpn3

ADVPN domain name : 3

Link protocol     : IPsec-UDP

Number of sessions: 1

  Private address: 1003::4

  Public address : 2003::180:137

  ADVPN port     : 2057

  SA's SPI       :

    Inbound : 187199087 (0xb286e6f) [ESP]

    Outbound: 3562274487 (0xd453feb7) [ESP]

  Session type   : Spoke-Spoke

  State          : Establish

  Holding time   : 0H 0M 2S

  Input:  0 packets, 0 data packets, 0 control packets

          0 multicasts, 0 errors

  Output: 1 packets, 0 data packets, 1 control packets

          0 multicasts, 0 errors

 

Interface         : Tunnel4

Client name       : vpn4

ADVPN domain name : 4

Link protocol     : IPsec-GRE

Number of sessions: 1

  Private address: 1004::4

  Public address : 204.1.181:157

  SA's SPI       :

    Inbound:  187199087 (0xb286e6f) [ESP]

    Outbound: 3562274487 (0xd453feb7) [ESP]

  Session type   : Hub-Hub

  State          : Success

  Holding time   : 10H 48M 19S

  Input : 2201 packets, 2198 data packets, 3 control packets

          2191 multicasts, 0 errors

  Output: 2169 packets, 2168 data packets, 1 control packets

          2163 multicasts, 0 errors

 

Interface         : Tunnel5

Client name       : vpn5

ADVPN domain name : 5

Link protocol     : UDP

Number of sessions: 0

# Display detailed information about IPv6 ADVPN tunnels on interface Tunnel 1.

<Sysname> display advpn ipv6 session interface tunnel 1 verbose

Interface         : Tunnel1

Client name       : vpn1

ADVPN domain name : 1

Link protocol     : UDP

Number of sessions: 2

  Private address: 1001::3

  Public address : 2000::180:136

  ADVPN port     : 1139

  Session type   : Hub-Spoke

  State          : Success

  Holding time   : 5H 38M 8S

  ADVPN group      : group1

  Outbound QoS policy: policy1

  Input : 2201 packets, 2198 data packets, 3 control packets

          2191 multicasts, 0 errors

  Output: 2169 packets, 216 data packets, 1 control packets

          2163 multicasts, 0 errors

 

  Private address: 1001::4

  Public address : 2000::180:137

  ADVPN port     : 3546

  Session type   : Hub-Spoke

  State          : Dumb

  Holding time   : 0H 0M 27S

  ADVPN group      : group1

  Outbound QoS policy: policy1

  Input : 1 packets, 0 data packets, 1 control packets

          0 multicasts, 0 errors

  Output: 16 packets, 0 data packets, 16 control packets

          0 multicasts, 0 errors

# Display detailed information about the IPv6 ADVPN tunnel with peer private IPv6 address 1001::3 on interface Tunnel 1.

<Sysname> display advpn ipv6 session interface tunnel 1 private-address 1001::3 verbose

  Private address: 1001::3

  Public address : 2000::180:136

  ADVPN port     : 1139

  Session type   : Hub-Spoke

  State          : Success

  Holding time   : 5H 38M 8S

  ADVPN group      : group1

  Outbound QoS policy: policy1

  Input : 2201 packets, 2198 data packets, 3 control packets

          2191 multicasts, 0 errors

  Output: 2169 packets, 216 data packets, 1 control packets

          2163 multicasts, 0 errors

Table 119 Command output

Field

Description

Interface

ADVPN tunnel interface.

Client name

Name of the VAM client bound to the tunnel interface.

Link protocol

Link layer protocol for the ADVPN tunnel:

·     UDP.

·     GRE.

·     IPsec-UDP.

·     IPsec-GRE.

Number of sessions

Number of ADVPN tunnels established on the tunnel interface.

Private address

Private address of the ADVPN tunnel peer.

Public address

Public address of the ADVPN tunnel peer.

ADVPN port

UDP port number for the ADVPN tunnel when the link layer protocol is UDP or IPsec-UDP.

SA's SPI

SPIs for the inbound and outbound SAs when the link layer protocol is IPsec-UDP or IPsec-GRE.

Session type

ADVPN tunnel type:

·     Hub-Hub—Both the local end and the remote end are hubs.

·     Hub-Spoke—The local end is a hub and the remote end is a spoke.

·     Spoke-Hub—The local end is a spoke and the remote end is a hub.

·     Spoke-Spoke—Both the local end and the remote end are spokes.

State

ADVPN tunnel state:

·     Success—The tunnel has been successfully established.

·     Establishing—The tunnel is being established.

·     Dumb—The tunnel failed to be established and is now quiet.

Holding time

Length of time the tunnel has stayed in the current state, in the format of xH yM zS.

ADVPN group

ADVPN group name.

Outbound QoS policy

QoS policy to which the ADVPN group is mapped.

Input

Statistics for incoming packets, including the number of all packets, data packets, control packets, multicast packets, and erroneous packets.

Output

Statistics for outgoing packets, including the number of all packets, data packets, control packets, multicast packets, and erroneous packets.

 

Related commands

reset advpn ipv6 session

display advpn session

Use display advpn session to display IPv4 ADVPN tunnel information.

Syntax

display advpn session [ interface tunnel number [ private-address private-ip-address ] ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface tunnel number: Displays information about IPv4 ADVPN tunnels on an IPv4 ADVPN tunnel interface specified by the interface number. If you do not specify this option, the command displays information about all IPv4 ADVPN tunnels.

private-address private-ip-address: Displays information about the IPv4 ADVPN tunnel with the specified peer private IPv4 address.

verbose: Displays detailed IPv4 ADVPN tunnel information. If you do not specify this keyword, the command displays brief IPv4 ADVPN tunnel information.

Examples

# Display brief information about all IPv4 ADVPN tunnels.

<Sysname> display advpn session

Interface         : Tunnel1

Number of sessions: 2

Private address  Public address              Port  Type  State      Holding time

10.0.0.3         192.168.180.136             1139  H-S   Success    5H 38M 8S

10.0.1.4         192.168.180.137             3546  H-S   Dumb       0H 0M 27S

 

Interface         : Tunnel2

Number of sessions: 1

Private address  Public address              Port  Type  State      Holding time

20.0.0.3         200::3                      --     S-H   Establish  0H 0M 2S

 

Interface         : Tunnel3

Number of sessions: 1

Private address  Public address              Port  Type  State      Holding time

30.0.0.3         192.168.200.22              2057  S-S   Success    1H 12M 26S

 

Interface         : Tunnel4

Number of sessions: 1

Private address  Public address              Port  Type  State      Holding time

40.0.0.3         4::4                        --    H-H   Success    10H 48M 19S

 

Interface         : Tunnel5

Number of sessions: 0

# Display brief information about IPv4 ADVPN tunnels on interface Tunnel 1.

<Sysname> display advpn session interface tunnel 1

Interface         : Tunnel1

Number of sessions: 2

Private address  Public address              Port  Type  State      Holding time

10.0.0.3         192.168.180.136             1139  H-S   Success    5H 38M 8S

10.0.1.4         192.168.180.137             3546  H-S   Dumb       0H 0M 27S

# Display brief information about the IPv4 ADVPN tunnel with peer private IP address 10.0.0.3 on interface Tunnel 1.

<Sysname> display advpn session interface tunnel 1 private-address 10.0.0.3

Private address  Public address              Port  Type  State      Holding time

10.0.0.3         192.168.180.136             1139  H-S   Success    5H 38M 8S

Table 120 Command output

Field

Description

Interface

ADVPN tunnel interface.

Number of sessions

Number of ADVPN tunnels established on the tunnel interface.

Private address

Private address of the ADVPN tunnel peer.

Public address

Public address of the ADVPN tunnel peer.

Port

Port number of the ADVPN tunnel peer.

Type

ADVPN tunnel type:

·     H-H—Both the local end and the remote end are hubs.

·     H-S—The local end is a hub and the remote end is a spoke.

·     S-H—The local end is a spoke and the remote end is a hub.

·     S-S—Both the local end and the remote end are spokes.

State

ADVPN tunnel state:

·     Success—The tunnel has been successfully established.

·     Establishing—The tunnel is being established.

·     Dumb—The tunnel failed to be established and is now quiet.

Holding time

Length of time the tunnel has stayed in the current state, in the format of xH yM zS.
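Added example (not part of the H3C reference): a Python parser for the brief session output described in the table above, useful for flagging tunnels that are not in the Success state from a collected CLI capture. The function and class names are assumptions made for this example, and the sample text reuses rows from the example output on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample capture: rows reused from the brief output example on this page.
SAMPLE_OUTPUT = """\
Interface         : Tunnel1
Number of sessions: 2
Private address  Public address              Port  Type  State      Holding time
10.0.0.3         192.168.180.136             1139  H-S   Success    5H 38M 8S
10.0.1.4         192.168.180.137             3546  H-S   Dumb       0H 0M 27S

Interface         : Tunnel2
Number of sessions: 1
Private address  Public address              Port  Type  State      Holding time
20.0.0.3         200::3                      --     S-H   Establish  0H 0M 2S

Interface         : Tunnel5
Number of sessions: 0
"""

INTERFACE = re.compile(r"^Interface\s*:\s*(\S+)\s*$")
COUNT = re.compile(r"^Number of sessions\s*:\s*(\d+)\s*$")
# One session row: private, public, port (or "--"), type, state, xH yM zS.
ROW = re.compile(
    r"^(?P<private>\S+)\s+(?P<public>\S+)\s+(?P<port>\d+|--)\s+"
    r"(?P<type>H-H|H-S|S-H|S-S)\s+(?P<state>\S+)\s+"
    r"(?P<h>\d+)H\s+(?P<m>\d+)M\s+(?P<s>\d+)S\s*$"
)


@dataclass
class Session:
    interface: str
    private: str
    public: str
    port: Optional[int]      # None when the output shows "--"
    tunnel_type: str
    state: str
    holding_seconds: int


def normalize_state(raw: str) -> str:
    # The sample output on this page prints "Establish" while the field
    # table documents the state as "Establishing"; accept both spellings.
    return "Establishing" if raw.startswith("Establish") else raw


def parse_sessions(text: str) -> List[Session]:
    """Parse brief session output into Session records.

    Raises ValueError when the rows parsed for an interface do not match
    its "Number of sessions" line, which indicates a truncated capture.
    """
    sessions: List[Session] = []
    declared = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = INTERFACE.match(line)
        if m:
            current = m.group(1)
            continue
        m = COUNT.match(line)
        if m and current:
            declared[current] = int(m.group(1))
            continue
        m = ROW.match(line)
        if not m:
            continue  # header row, blank line, or unrelated text
        seconds = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        sessions.append(Session(
            interface=current or "unknown",  # filtered output has no header
            private=m["private"],
            public=m["public"],
            port=None if m["port"] == "--" else int(m["port"]),
            tunnel_type=m["type"],
            state=normalize_state(m["state"]),
            holding_seconds=seconds,
        ))
    for iface, expected in declared.items():
        seen = sum(1 for s in sessions if s.interface == iface)
        if seen != expected:
            raise ValueError(
                f"{iface}: parsed {seen} rows, output declares {expected}")
    return sessions


def not_established(sessions: List[Session]) -> List[Session]:
    """Return sessions whose state is anything other than Success."""
    return [s for s in sessions if s.state != "Success"]


if __name__ == "__main__":
    for s in not_established(parse_sessions(SAMPLE_OUTPUT)):
        print(f"{s.interface} {s.private} -> {s.public}: "
              f"{s.state} for {s.holding_seconds}s")
```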

 

# Display detailed information about all IPv4 ADVPN tunnels.

<Sysname> display advpn session verbose

Interface         : Tunnel1

Client name       : vpn1

ADVPN domain name : 1

Link protocol     : UDP

Number of sessions: 2

  Private address: 10.0.0.3

  Public address : 192.168.180.136

  ADVPN port     : 1139

  Behind NAT     : No

  Session type   : Hub-Spoke

  State          : Success

  Holding time   : 5H 38M 8S

  ADVPN group      : group1

  Outbound QoS policy: policy1

  Input : 2201 packets, 218 data packets, 3 control packets

          2191 multicasts, 0 errors

  Output: 2169 packets, 2168 data packets, 1 control packets

          2163 multicasts, 0 errors

 

  Private address: 10.0.1.4

  Public address : 192.168.180.137

  ADVPN port     : 3546

  Behind NAT     : No

  Session type   : Hub-Spoke

  State          : Dumb

  Holding time   : 0H 0M 27S

  ADVPN group      : group1

  Outbound QoS policy: policy1

  Input : 1 packets, 0 data packets, 1 control packets

          0 multicasts, 0 errors

  Output: 16 packets, 0 data packets, 16 control packets

          0 multicasts, 0 errors

 

Interface         : Tunnel2

Client name       : vpn2

ADVPN domain name : 2

Link protocol     : GRE

Number of sessions: 1

  Private address: 20.0.0.3

  Public address : 200::3

  Session type   : Spoke-Hub

  State          : Establish

  Holding time   : 0H  0M 2S

  ADVPN group      : group1

  Outbound QoS policy: policy1

  Input:  0 packets, 0 data packets, 0 control packets

          0 multicasts, 0 errors

  Output: 1 packets, 0 data packets, 1 control packets

          0 multicasts, 0 errors

 

Interface         : Tunnel3

Client name       : vpn3

ADVPN domain name : 3

Link protocol     : IPsec-UDP

Number of sessions: 1

  Private address: 30.0.0.3

  Public address : 192.168.200.32

  ADVPN port     : 2057

  SA's SPI       :

    Inbound:  187199087 (0xb286e6f) [ESP]

    Outbound: 3562274487 (0xd453feb7) [ESP]

  Traverse NAT   : No

  Session type   : Spoke-Spoke

  State          : Establish

  Holding time   : 0H  0M 2S

  ADVPN group      : group1

  Outbound QoS policy: policy1

  Input:  0 packets, 0 data packets, 0 control packets

          0 multicasts, 0 errors

  Output: 1 packets, 0 data packets, 1 control packets

          0 multicasts, 0 errors

 

Interface         : Tunnel4

Client name       : vpn4

ADVPN domain name : 4

Link protocol     : IPsec-GRE

Number of sessions: 1

  Private address: 40.0.0.3

  Public address : 4::4

  SA's SPI       :

    Inbound:  187199087 (0xb286e6f) [ESP]

    Outbound: 3562274487 (0xd453feb7) [ESP]

  Traverse NAT   : No

  Session type   : Hub-Hub

  State          : Success

  Holding time   : 10H 48M 19S

  Input : 2201 packets, 2198 data packets, 3 control packets

          2191 multicasts, 0 errors

  Output: 2169 packets, 2168 data packets, 1 control packets

          2163 multicasts, 0 errors

 

Interface         : Tunnel5

Client name       : vpn5

ADVPN domain name : 5

Link protocol     : UDP

Number of sessions: 0

# Display detailed information about IPv4 ADVPN tunnels on interface Tunnel 1.

<Sysname> display advpn session interface tunnel 1 verbose

Interface         : Tunnel1

Client name       : vpn1

ADVPN domain name : 1

Link protocol     : UDP

Number of sessions: 2

  Private address: 10.0.0.3

  Public address : 192.168.180.136

  ADVPN port     : 1139

  Behind NAT     : No

  Session type   : Hub-Spoke

  State          : Success

  Holding time   : 5H 38M 8S

  ADVPN group      : group1

  Outbound QoS policy: policy1

  Input : 2201 packets, 218 data packets, 3 control packets

          2191 multicasts, 0 errors

  Output: 2169 packets, 2168 data packets, 1 control packets

          2163 multicasts, 0 errors

 

  Private address: 10.0.1.4

  Public address : 192.168.180.137

  ADVPN port     : 3546

  Behind NAT     : No

  Session type   : Hub-Spoke

  State          : Dumb

  Holding time   : 0H 0M 27S

  ADVPN group      : group1

  Outbound QoS policy: policy1

  Input : 1 packets, 0 data packets, 1 control packets

          0 multicasts, 0 errors

  Output: 16 packets, 0 data packets, 16 control packets

          0 multicasts, 0 errors

# Display detailed information about the IPv4 ADVPN tunnel with peer private IP address 10.0.0.3 on interface Tunnel 1.

<Sysname> display advpn session interface tunnel 1 private-address 10.0.0.3 verbose

  Private address: 10.0.0.3

  Public address : 192.168.180.136

  ADVPN port     : 1139

  Behind NAT     : No

  Session type   : Hub-Spoke

  State          : Success

  Holding time   : 5H 38M 8S

  ADVPN group      : group1

  Outbound QoS policy: policy1

  Input : 2201 packets, 218 data packets, 3 control packets

          2191 multicasts, 0 errors

  Output: 2169 packets, 2168 data packets, 1 control packets

          2163 multicasts, 0 errors

Table 121 Command output

Field

Description

Interface

ADVPN tunnel interface.

Client name

Name of the VAM client bound to the tunnel interface.

Link protocol

Link layer protocol for the ADVPN tunnel:

·     UDP.

·     GRE.

·     IPsec-UDP.

·     IPsec-GRE.

Number of sessions

Number of ADVPN tunnels established on the tunnel interface.

Private address

Private address of the ADVPN tunnel peer.

Public address

Public address of the ADVPN tunnel peer.

ADVPN port

UDP port number for the ADVPN tunnel when the link layer protocol is UDP or IPsec-UDP.

SA's SPI

SPIs for the inbound and outbound SAs when the link layer protocol is IPsec-UDP or IPsec-GRE.

Behind NAT

Whether the tunnel peer is behind a NAT device when the link layer protocol is UDP or GRE. This field is available only on the hub.

Traverse NAT

Whether the tunnel peer traverses NAT when the link layer protocol is IPsec-UDP or IPsec-GRE.

Session type

ADVPN tunnel type:

·     Hub-Hub—Both the local end and the remote end are hubs.

·     Hub-Spoke—The local end is a hub and the remote end is a spoke.

·     Spoke-Hub—The local end is a spoke and the remote end is a hub.

·     Spoke-Spoke—Both the local end and the remote end are spokes.

State

ADVPN tunnel state:

·     Success—The tunnel has been successfully established.

·     Establishing—The tunnel is being established.

·     Dumb—The tunnel failed to be established and is now quiet.

Holding time

Length of time the tunnel has stayed in the current state, in the format of xH yM zS.

ADVPN group

ADVPN group name.

Outbound QoS policy

QoS policy to which the ADVPN group is mapped.

Input

Statistics for incoming packets, including the number of all packets, data packets, control packets, multicast packets, and erroneous packets.

Output

Statistics for outgoing packets, including the number of all packets, data packets, control packets, multicast packets, and erroneous packets.

 

Related commands

reset advpn session

display advpn session count

Use display advpn session count to display the number of ADVPN sessions in different states.

Syntax

display advpn session count

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the number of ADVPN sessions in different states.

<Sysname> display advpn session count

Total ADVPN sessions: 7

IPv4 sessions: 3

  Success: 3

  Establishing: 0

  Dumb: 0

IPv6 sessions: 4

  Success: 4

  Establishing: 0

  Dumb: 0

Table 122 Command output

Field

Description

IPv4 sessions:

Number of ADVPN sessions in IPv4 private networks.

IPv6 sessions:

Number of ADVPN sessions in IPv6 private networks.

Success

Number of ADVPN sessions that have been successfully established.

Establishing

Number of ADVPN sessions that are being established.

Dumb

Number of ADVPN sessions that failed to be established and are now quiet.

 

keepalive

Use keepalive to set the keepalive interval and the maximum number of keepalive attempts for an ADVPN tunnel interface.

Use undo keepalive to restore the default.

Syntax

keepalive interval interval retry retries

undo keepalive

Default

The keepalive interval is 180 seconds, and the maximum number of keepalive attempts is 3.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

interval interval: Sets the keepalive interval in the range of 1 to 32767 seconds.

retry retries: Sets the maximum number of keepalive attempts, in the range of 1 to 255.

Usage guidelines

This command is available only for ADVPN tunnel interfaces.

If no keepalive is received before the timeout timer (product of the keepalive interval and keepalive attempts) expires, the tunnel will be removed automatically.

The keepalive interval and the maximum number of keepalive attempts must be the same on the tunnel interfaces in an ADVPN domain.

After this command is executed, the keepalive timer does not start immediately. It starts only after the ADVPN tunnel is established.

Examples

# Set the keepalive interval to 20 seconds and the maximum number of keepalive attempts to 5.

<Sysname> system-view

[Sysname] interface tunnel 1 mode advpn udp

[Sysname-Tunnel1] keepalive interval 20 retry 5

reset advpn ipv6 session

Use reset advpn ipv6 session to delete IPv6 ADVPN tunnels.

Syntax

reset advpn ipv6 session [ interface tunnel number [ private-address private-ipv6-address ] ]

Views

User view

Predefined user roles

network-admin

Parameters

interface tunnel number: Deletes IPv6 ADVPN tunnels on an IPv6 ADVPN tunnel interface specified by the interface number. If you do not specify this option, the command deletes all IPv6 ADVPN tunnels.

private-address private-ipv6-address: Deletes the IPv6 ADVPN tunnel with the specified peer private IPv6 address.

Usage guidelines

If the remote tunnel end is a hub in the same group as the local end, the tunnel will be re-established after it is deleted.

Examples

# Delete all IPv6 ADVPN tunnels.

<Sysname> reset advpn ipv6 session

# Delete IPv6 ADVPN tunnels on interface Tunnel 1.

<Sysname> reset advpn ipv6 session interface tunnel 1

# Delete the IPv6 ADVPN tunnel with peer private IPv6 address 1000::1 on interface Tunnel 1.

<Sysname> reset advpn ipv6 session interface tunnel 1 private-address 1000::1

Related commands

display advpn ipv6 session

reset advpn ipv6 session statistics

Use reset advpn ipv6 session statistics to clear statistics for IPv6 ADVPN tunnels.

Syntax

reset advpn ipv6 session statistics [ interface tunnel number [ private-address private-ipv6-address ] ]

Views

User view

Predefined user roles

network-admin

Parameters

interface tunnel number: Clears statistics for IPv6 ADVPN tunnels on an IPv6 ADVPN tunnel interface specified by the interface number. If you do not specify this option, the command clears statistics for all IPv6 ADVPN tunnels.

private-address private-ipv6-address: Clears statistics for the IPv6 ADVPN tunnel with the specified peer private IPv6 address.

Examples

# Clear statistics for all IPv6 ADVPN tunnels.

<Sysname> reset advpn ipv6 session statistics

# Clear statistics for IPv6 ADVPN tunnels on interface Tunnel 1.

<Sysname> reset advpn ipv6 session statistics interface tunnel 1

# Clear statistics for the IPv6 ADVPN tunnel with peer private IPv6 address 1::1 on interface Tunnel 1.

<Sysname> reset advpn ipv6 session statistics interface tunnel 1 private-address 1::1

reset advpn session

Use reset advpn session to delete IPv4 ADVPN tunnels.

Syntax

reset advpn session [ interface tunnel number [ private-address private-ip-address ] ]

Views

User view

Predefined user roles

network-admin

Parameters

interface tunnel number: Deletes IPv4 ADVPN tunnels on an IPv4 ADVPN tunnel interface specified by the interface number. If you do not specify this option, the command deletes all IPv4 ADVPN tunnels.

private-address private-ip-address: Deletes the IPv4 ADVPN tunnel with the specified peer private IPv4 address.

Usage guidelines

If the remote tunnel end is a hub in the same group as the local end, the tunnel will be re-established after it is deleted.

Examples

# Delete all IPv4 ADVPN tunnels.

<Sysname> reset advpn session

# Delete IPv4 ADVPN tunnels on interface Tunnel 1.

<Sysname> reset advpn session interface tunnel 1

# Delete the IPv4 ADVPN tunnel with peer private IPv4 address 169.254.0.1 on interface Tunnel 1.

<Sysname> reset advpn session interface tunnel 1 private-address 169.254.0.1

Related commands

display advpn session

reset advpn session statistics

Use reset advpn session statistics to clear statistics for IPv4 ADVPN tunnels.

Syntax

reset advpn session statistics [ interface tunnel number [ private-address private-ip-address ] ]

Views

User view

Predefined user roles

network-admin

Parameters

interface tunnel number: Clears statistics for IPv4 ADVPN tunnels on an IPv4 ADVPN tunnel interface specified by the interface number. If you do not specify this option, the command clears statistics for all IPv4 ADVPN tunnels.

private-address private-ip-address: Clears statistics for the IPv4 ADVPN tunnel with the specified peer private IPv4 address.

Examples

# Clear statistics for all IPv4 ADVPN tunnels.

<Sysname> reset advpn session statistics

# Clear statistics for IPv4 ADVPN tunnels on interface Tunnel 1.

<Sysname> reset advpn session statistics interface tunnel 1

# Clear statistics for the IPv4 ADVPN tunnel with peer private IPv4 address 169.254.0.1 on interface Tunnel 1.

<Sysname> reset advpn session statistics interface tunnel 1 private-address 169.254.0.1

vam client

Use vam client to bind a VAM client to an IPv4 ADVPN tunnel interface.

Use undo vam client to remove the binding.

Syntax

vam client client-name [ compatible advpn0 ]

undo vam client

Default

No VAM client is bound to an IPv4 ADVPN tunnel interface.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

client-name: Specifies a VAM client by its name. A VAM client name is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.).

compatible advpn0: Specifies ADVPN V0 packet format. If you do not specify this keyword, packets are not compatible with ADVPN V0 format.

Usage guidelines

This command is available only for IPv4 ADVPN tunnel interfaces.

After a VAM client is bound to an IPv4 ADVPN tunnel interface, the client registers IPv4 private networks for the tunnel interface with the VAM server.

A VAM client can be bound to only one IPv4 ADVPN tunnel interface.

The compatible keyword is required if a device that supports only ADVPN V0 packet format exists in the hub group for the bound VAM client. After the compatible keyword is specified, make sure the tunnel interface has a unique source UDP port number on the device.

Examples

# Bind VAM client abc to the IPv4 ADVPN tunnel interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode advpn udp

[Sysname-Tunnel1] vam client abc

Related commands

advpn source-port

vam ipv6 client

vam ipv6 client

Use vam ipv6 client to bind a VAM client to an IPv6 ADVPN tunnel interface.

Use undo vam ipv6 client to remove the binding.

Syntax

vam ipv6 client client-name

undo vam ipv6 client

Default

No VAM client is bound to an IPv6 ADVPN tunnel interface.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

client-name: Specifies a VAM client by its name. A VAM client name is a case-insensitive string of 1 to 63 characters that can include only letters, digits, and dots (.).

Usage guidelines

This command is available only for IPv6 ADVPN tunnel interfaces.

After a VAM client is bound to an IPv6 ADVPN tunnel interface, the client registers IPv6 private networks for the tunnel interface with the VAM server.

A VAM client can be bound to only one IPv6 ADVPN tunnel interface.

Examples

# Bind VAM client abc to the IPv6 ADVPN tunnel interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode advpn udp ipv6

[Sysname-Tunnel1] vam ipv6 client abc

Related commands

vam client


WAAS commands

The following matrix shows the feature and hardware compatibility:

 

Hardware

WAAS compatibility

MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS

Yes

MSR2600-6-X1/2600-10-X1

Yes

MSR 2630

Yes

MSR3600-28/3600-51

Yes

MSR3600-28-SI/3600-51-SI

No

MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC

Yes

MSR 3610/3620/3620-DP/3640/3660

Yes

MSR5620/5660/5680

Yes

 

Hardware

WAAS compatibility

MSR810-LM-GL

Yes

MSR810-W-LM-GL

Yes

MSR830-6EI-GL

Yes

MSR830-10EI-GL

Yes

MSR830-6HI-GL

Yes

MSR830-10HI-GL

Yes

MSR2600-6-X1-GL

Yes

MSR3600-28-SI-GL

No

 

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

class

Use class to specify a Wide Area Application Services (WAAS) class for a WAAS policy and enter WAAS policy class view.

Use undo class to remove a WAAS class from a WAAS policy.

Syntax

class class-name [ insert-before existing-class ]

undo class class-name

Default

No WAAS class exists in a WAAS policy.

Views

WAAS policy view

Predefined user roles

network-admin

Parameters

class-name: Specifies a WAAS class by its name, a case-insensitive string of 1 to 63 characters. The specified class must already exist.

insert-before existing-class: Inserts the new class before an existing class in the WAAS policy. If you do not specify this option, the new class is placed at the end of the WAAS policy.

Usage guidelines

A WAAS policy can use system-defined WAAS classes (see Table 129).

A packet is checked against WAAS classes in the specified order. When a packet matches a class, the action for the class is performed on the packet, and the match process ends.

You can also use this command to arrange existing WAAS classes in a WAAS policy.

If you do not configure an action for a WAAS class, the device ignores the WAAS class.

As a best practice, configure a WAAS class by modifying a system-defined WAAS class.
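Added example (not part of the H3C reference): a small Python model of the ordering rules in the usage guidelines above, showing how a broad class placed first shadows a narrower one and how insert-before corrects it. The class names, action labels, and the reduction of each class to a single destination port range are assumptions made for this example, as is the choice to leave an existing class in place when it is specified again without insert-before.

```python
from typing import Dict, List, Optional, Tuple


class WaasPolicyModel:
    """Simplified model of class ordering in one WAAS policy."""

    def __init__(self) -> None:
        self.ranges: Dict[str, Tuple[int, int]] = {}  # defined classes
        self.order: List[str] = []                    # classes in the policy
        self.actions: Dict[str, str] = {}             # class -> action label

    def define_class(self, name: str, lo: int, hi: int) -> None:
        # Class names are case-insensitive, so keys are stored lowercased.
        self.ranges[name.lower()] = (lo, hi)

    def add_class(self, name: str, insert_before: Optional[str] = None) -> None:
        key = name.lower()
        if key not in self.ranges:
            raise ValueError(f"class {name} must already exist")
        if insert_before is None:
            if key not in self.order:
                self.order.append(key)   # new class goes to the end
            return
        anchor = insert_before.lower()
        if anchor == key or anchor not in self.order:
            raise ValueError(f"{insert_before} is not a valid position")
        if key in self.order:
            self.order.remove(key)       # re-arranging an existing class
        self.order.insert(self.order.index(anchor), key)

    def set_action(self, name: str, action: str) -> None:
        self.actions[name.lower()] = action

    def classify(self, dst_port: int) -> Optional[Tuple[str, str]]:
        """Return (class, action) for the first matching class, or None."""
        for key in self.order:
            action = self.actions.get(key)
            if action is None:
                continue                 # class without an action is ignored
            lo, hi = self.ranges[key]
            if lo <= dst_port <= hi:
                return key, action       # first match ends the process
        return None

    def shadowed_classes(self) -> List[str]:
        """Classes that can never match because earlier ones cover them."""
        covered = set()
        shadowed = []
        for key in self.order:
            if self.actions.get(key) is None:
                continue
            lo, hi = self.ranges[key]
            ports = set(range(lo, hi + 1))
            if ports <= covered:
                shadowed.append(key)
            covered |= ports
        return shadowed


def build_demo() -> WaasPolicyModel:
    # Constructed classes: "noaction" has no action and is therefore ignored.
    p = WaasPolicyModel()
    p.define_class("broad", 1, 1024)
    p.define_class("narrow", 443, 443)
    p.define_class("noaction", 1, 65535)
    p.add_class("noaction")
    p.add_class("broad")
    p.set_action("broad", "action-broad")
    p.add_class("narrow")
    p.set_action("narrow", "action-narrow")
    return p


if __name__ == "__main__":
    policy = build_demo()
    print(policy.order, policy.classify(443), policy.shadowed_classes())
    policy.add_class("narrow", insert_before="broad")
    print(policy.order, policy.classify(443), policy.shadowed_classes())
```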

Examples

# Specify the system-defined WAAS class AFS for the WAAS policy waas_global, and enter the view of the WAAS class AFS.

<Sysname> system-view

[Sysname] waas policy waas_global

[Sysname-waaspolicy-waas_global] class AFS

[Sysname-waaspolicy-waas_global-AFS]

# Specify the system-defined WAAS class AOL for the WAAS policy waas_global, insert it before AFS, and enter the view of the WAAS class AOL.

<Sysname> system-view

[Sysname] waas policy waas_global

[Sysname-waaspolicy-waas_global] class AOL insert-before AFS

[Sysname-waaspolicy-waas_global-AOL]

# Change the position of the WAAS class AOL in the WAAS policy waas_global by inserting it before AFS, and enter the view of the WAAS class AOL.

<Sysname> system-view

[Sysname] waas policy waas_global

[Sysname-waaspolicy-waas_global] class AOL insert-before AFS

[Sysname-waaspolicy-waas_global-AOL]

Related commands

display waas policy

waas class

waas policy

display waas class

Use display waas class to display WAAS classes.

Syntax

display waas class [ class-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

class-name: Specifies a WAAS class by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a WAAS class, this command displays all WAAS classes.

Examples

# Display the WAAS class class1.

<Sysname> display waas class class1

WAAS class: class1

  match 1 tcp source 1.1.1.1/24 port 50000 60000

  match 6 tcp destination 2.2.2.2 port 1 1024

  match 11 tcp source 1001::1111/96 port 50000 60000

  match 16 tcp destination 2002::2222 port 1 1024

Table 123 Command output

Field    Description
match    Match criterion of the WAAS class.

Related commands

match tcp

waas class

display waas policy

Use display waas policy to display WAAS policies.

Syntax

display waas policy [ policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies a WAAS policy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a WAAS policy, this command displays all WAAS policies.

Examples

# Display the WAAS policy po1.

<Sysname> display waas policy po1

WAAS policy: po1

  class cl1

    optimize TFO DRE LZ

  class cl2

    optimize TFO DRE

  class cl3

    passthrough

  class cl4

    optimize TFO LZ

  class cl5

Table 124 Command output

Field          Description
class          WAAS class in the WAAS policy.
optimize       Optimization actions:
               ·     TFO (works with only TCP).
               ·     DRE.
               ·     LZ compression.
passthrough    Action that does not perform any optimization.

Related commands

class

optimize

passthrough

waas policy

display waas session

Use display waas session to display WAAS session information.

Syntax

Centralized devices in standalone mode:

display waas session { ipv4 | ipv6 } [ client-ip client-ip ] [ client-port client-port ] [ server-ip server-ip ] [ server-port server-port ] [ peer-id peer-id ] [ verbose ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display waas session { ipv4 | ipv6 } [ client-ip client-ip ] [ client-port client-port ] [ server-ip server-ip ] [ server-port server-port ] [ peer-id peer-id ] [ verbose ] [ slot slot-number ]

Distributed devices in IRF mode:

display waas session { ipv4 | ipv6 } [ client-ip client-ip ] [ client-port client-port ] [ server-ip server-ip ] [ server-port server-port ] [ peer-id peer-id ] [ verbose ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4: Specifies IPv4 sessions.

ipv6: Specifies IPv6 sessions.

client-ip client-ip: Displays the WAAS session information for the client specified by its IP address.

client-port client-port: Displays the WAAS session information for the clients specified by port number in the range of 1 to 65535.

server-ip server-ip: Displays the WAAS session information for the server specified by its IP address.

server-port server-port: Displays the WAAS session information for the servers specified by port number in the range of 1 to 65535.

peer-id peer-id: Displays the WAAS session information for the peer specified by its bridge MAC address in the format of H-H-H.

verbose: Displays detailed information about WAAS sessions. If you do not specify this keyword, the command displays brief information about WAAS sessions.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays WAAS session information for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays WAAS session information for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays WAAS session information for all cards. (Distributed devices in IRF mode.)

Usage guidelines

If you specify only the ipv4 or ipv6 keyword, this command displays information about all IPv4 or IPv6 WAAS sessions.

You can display information about WAAS sessions for TCP connections only before they are disconnected.

Examples

# Display brief information about all IPv4 WAAS sessions.

<Sysname> display waas session ipv4

Peer ID: 0021-90ad-0012

Start Time: Fri Mar 21 10:43:05 2014

Source IP/Port: 1.1.1.1/34572

Destination IP/Port: 2.2.2.2/80

 

Peer ID: 0011-10ad-0012

Start Time: Fri Mar 21 10:45:05 2014

Source IP/Port: 2.2.1.1/34572

Destination IP/Port: 3.2.2.3/80

 

Total 2 sessions found.

# Display detailed information about all IPv4 WAAS sessions.

<Sysname> display waas session ipv4 verbose

Peer ID: 0021-90ad0-01221

Start Time: Fri Mar 21 11:43:05 2014

Source IP/Port: 1.1.1.1/34572

Destination IP/Port: 2.2.2.2/80

LAN interface: GigabitEthernet2/0/1

WAN interface: GigabitEthernet2/0/2

Configured Policy: TFO DRE LZ

Negotiated Policy: TFO DRE LZ

LAN->WAN bytes: Original   104884      Optimized  88594

WAN->LAN bytes: Original   744588      Optimized  3355445

LZ section:

  Encode status:

    Bytes in: 0

    Bytes out: 0

    Bypass bytes: 400

    Space saved: 0%

    Average Latency: 0 usec

  Decode status:

    Bytes in: 329

    Bytes out: 393

    Bypass bytes: 63

    Space saved: 16%

    Average Latency: 2 usec

DRE section:

  Encode status:

    Bytes in: 0

    Bytes out: 0

    Bypass bytes: 314

    Space saved: 0%

    Average latency: 0 usec

  Decode status:

    Bytes in: 399

    Bytes out: 332

    Bypass bytes: 0

    Space saved: 0%

    Chunk miss: 0

    Collision: 0

    Average latency: 23 usec

 

Peer ID: 0011-10ad-0012

Start Time: Fri Mar 21 11:43:05 2014

Source IP/Port: 2.2.1.1/34572

Destination IP/Port: 3.2.2.3/80

LAN interface: GigabitEthernet2/0/1

WAN interface: GigabitEthernet2/0/2

Configured Policy: TFO DRE LZ

Negotiated Policy: TFO DRE LZ

LAN->WAN bytes: Original   104884      Optimized  88594

WAN->LAN bytes: Original   744588      Optimized  3355445

LZ section:

  Encode status:

    Bytes in: 0

    Bytes out: 0

    Bypass bytes: 400

    Space saved: 0%

    Average Latency: 0 usec

  Decode status:

    Bytes in: 329

    Bytes out: 393

    Bypass bytes: 63

    Space saved: 16%

    Average Latency: 2 usec

DRE section:

  Encode status:

    Bytes in: 0

    Bytes out: 0

    Bypass bytes: 314

    Space saved: 0%

    Average latency: 0 usec

  Decode status:

    Bytes in: 399

    Bytes out: 332

    Bypass bytes: 0

    Space saved: 0%

    Chunk miss: 0

    Collision: 0

    Average latency: 23 usec

 

Total 2 sessions found.

Table 125 Command output

Field                  Description
Peer ID                Bridge MAC address of the peer device. A bridge MAC address uniquely identifies a peer device.
Start time             Time when the WAAS session was established.
Source IP/Port         IP address and port number of the client.
Destination IP/Port    IP address and port number of the server.
Configured Policy      Optimization actions configured on the local device, which can be one or any combination of the following actions:
                       ·     TFO (works with only TCP).
                       ·     DRE.
                       ·     LZ compression.
Negotiated Policy      Optimization actions negotiated with the peer device, which can be one or any combination of the following actions:
                       ·     TFO (works with only TCP).
                       ·     DRE.
                       ·     LZ compression.
                       The negotiated optimization actions are the union of the optimization actions configured on the local device and those configured on the peer device.
LAN->WAN bytes         Statistics for LAN-to-WAN data:
                       ·     Original—Number of bytes before optimization.
                       ·     Optimized—Number of bytes after optimization.
WAN->LAN bytes         Statistics for WAN-to-LAN data:
                       ·     Original—Number of bytes before optimization.
                       ·     Optimized—Number of bytes after optimization.
LZ section             LZ compression statistics.
DRE section            DRE statistics.
Encode status          Compression statistics.
Decode status          Decompression statistics.
Bytes in               Number of input bytes.
Bytes out              Number of output bytes.
Bypass bytes           Number of bytes bypassed by DRE.
Space saved            ·     Compression ratio: (1–Bytes out/Bytes in) x 100.
                       ·     Decompression ratio: (1–Bytes in/Bytes out) x 100.
Average Latency        Average latency in milliseconds for the most recent compression or decompression. When multiple CPUs are available on a card, the average latency is the latency time divided by the number of CPUs.
Chunk miss             Cumulative number of times that DRE failed to find a dictionary entry according to a dictionary index.
Collision              Cumulative number of times that data checks failed.

display waas statistics dre

Use display waas statistics dre to display DRE statistics.

Syntax

Centralized devices in standalone mode:

display waas statistics dre [ peer-id peer-id ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display waas statistics dre [ peer-id peer-id ] [ slot slot-number ]

Distributed devices in IRF mode:

display waas statistics dre [ peer-id peer-id ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

peer-id peer-id: Specifies a peer device by its bridge MAC address in the format of H-H-H. If you do not specify a peer device, the command displays DRE statistics for all peer devices.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays DRE statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays DRE statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays DRE statistics for all cards. (Distributed devices in IRF mode.)

Examples

# Display DRE statistics for all peer devices.

<Sysname> display waas statistics dre

Peer-ID: 0016-9d38-ca1d

Peer version: 1.0

Cache in storage: 19426304 bytes

Index number: 75884

Age: 00 weeks, 00 days, 00 hours, 00 minutes, 33 seconds

Total connections: 1

Active connections: 0

Encode Statistics

  Dre msgs: 2

  Bytes in: 392 bytes

  Bytes out: 424 bytes

  Bypass bytes: 0 bytes

  Bytes Matched: 0 bytes

  Space saved: -8%

  Average latency: 0 usec

Decode Statistics

  Dre msgs: 196407

  Bytes in: 29132703 bytes

  Bytes out: 42413368 bytes

  Bypass bytes: 0 bytes

  Space saved: 31%

  Average latency: 0 usec

 

Peer-ID: 0d38-9d38-ca1d

Peer version: 1.0

Cache in storage: 33554944 bytes

Index number: 131074

Age: 00 weeks, 00 days, 00 hours, 21 minutes, 31 seconds

Total connections: 2

Active connections: 0

Encode Statistics

  Dre msgs: 514872

  Bytes in: 111390296 bytes

  Bytes out: 60085884 bytes

  Bypass bytes: 0 bytes

  Bytes Matched: 56336640 bytes

  Space saved: 46%

  Average latency: 0 usec

Decode Statistics

  Dre msgs: 4

  Bytes in: 849 bytes

  Bytes out: 785 bytes

  Bypass bytes: 0 bytes

  Space saved: -8%

  Average latency: 0 usec

# Display DRE statistics for a specific peer device.

<Sysname> display waas statistics dre peer 0016-9d38-ca1d

Peer-ID: 0016-9d38-ca1d

Peer version: 1.0

Cache in storage: 33554944 bytes

Index number: 131074

Age: 00 weeks, 00 days, 00 hours, 21 minutes, 31 seconds

Total connections: 2

Active connections: 0

Encode Statistics

  Dre msgs: 514872

  Bytes in: 111390296 bytes

  Bytes out: 60085884 bytes

  Bypass bytes: 0 bytes

  Bytes Matched: 56336640 bytes

  Space saved: 46%

  Average latency: 0 usec

Decode Statistics

  Dre msgs: 4

  Bytes in: 849 bytes

  Bytes out: 785 bytes

  Bypass bytes: 0 bytes

  Space saved: -8%

  Average latency: 0 usec

Table 126 Command output

Field                 Description
Peer ID               Bridge MAC address of the peer device. A bridge MAC address uniquely identifies a peer device.
Peer version          WAAS version of the peer device.
Cache in storage      Disk space used by metadata. Metadata are original data that have indexes in the dictionary.
Index number          Number of dictionary indexes.
Age                   Amount of time that has elapsed since the local device initially established an optimized TCP connection with the peer.
Total connections     Total number of DRE connections.
Active connections    Number of active DRE connections.
Encode Statistics     Compression statistics.
Decode Statistics     Decompression statistics.
Dre msgs              Number of data blocks.
Bytes in              Number of input bytes.
Bytes out             Number of output bytes.
Bypass bytes          Number of bytes bypassed by DRE.
Bytes Matched         Number of bytes matched by DRE.
Space saved           ·     Compression ratio: (1–Bytes out/Bytes in) x 100.
                      ·     Decompression ratio: (1–Bytes in/Bytes out) x 100.
Average Latency       Average latency in milliseconds for the most recent compression or decompression. When multiple CPUs are available on a card, the average latency is the latency time divided by the number of CPUs.

Related commands

reset waas statistics dre
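
The Space saved formulas in Table 126 can be checked against the sample output above. The following Python sketch is an added example, not H3C code: it parses an abridged copy of that output, recomputes both ratios, and reports each direction where the displayed figure disagrees with the counters or is negative (output larger than input). Truncation toward zero and a 0% result for empty counters are assumptions chosen to agree with the sample values.

```python
import re

# Abridged copy of the "display waas statistics dre" sample output shown above.
SAMPLE = """\
Peer-ID: 0016-9d38-ca1d
Encode Statistics
  Bytes in: 392 bytes
  Bytes out: 424 bytes
  Space saved: -8%
Decode Statistics
  Bytes in: 29132703 bytes
  Bytes out: 42413368 bytes
  Space saved: 31%

Peer-ID: 0d38-9d38-ca1d
Encode Statistics
  Bytes in: 111390296 bytes
  Bytes out: 60085884 bytes
  Space saved: 46%
Decode Statistics
  Bytes in: 849 bytes
  Bytes out: 785 bytes
  Space saved: -8%
"""

FIELD = re.compile(r"(Bytes in|Bytes out|Space saved):\s*(-?\d+)\s*(?:bytes|%)?")


def space_saved(direction, bytes_in, bytes_out):
    """Table 126: Encode = (1 - out/in) x 100, Decode = (1 - in/out) x 100."""
    part, base = (bytes_out, bytes_in) if direction == "Encode" else (bytes_in, bytes_out)
    if base == 0:
        return 0  # assumption: empty counters are displayed as 0%
    return int((base - part) * 100 / base)  # assumption: truncated toward zero


def parse_dre_stats(text):
    """Return one dict per peer with its Encode and Decode counters."""
    peers, peer, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"Peer-ID:\s*(\S+)", line)
        if m:
            peer = {"peer_id": m.group(1), "Encode": {}, "Decode": {}}
            peers.append(peer)
            section = None
            continue
        m = re.fullmatch(r"(Encode|Decode) Statistics", line)
        if m:
            section = m.group(1)
            continue
        m = FIELD.fullmatch(line)
        if m and peer is not None and section is not None:
            peer[section][m.group(1)] = int(m.group(2))
    return peers


def audit(peers):
    """List (peer, direction, kind, displayed, recomputed) for every anomaly."""
    findings = []
    for p in peers:
        for direction in ("Encode", "Decode"):
            s = p[direction]
            if not {"Bytes in", "Bytes out", "Space saved"} <= s.keys():
                continue  # incomplete block, nothing to verify
            expected = space_saved(direction, s["Bytes in"], s["Bytes out"])
            if expected != s["Space saved"]:
                findings.append((p["peer_id"], direction, "mismatch", s["Space saved"], expected))
            elif expected < 0:
                findings.append((p["peer_id"], direction, "expansion", s["Space saved"], expected))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dre_stats(SAMPLE)):
        print(finding)
```
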

display waas status

Use display waas status to display the global WAAS status.

Syntax

display waas status

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the global WAAS status.

<Sysname> display waas status

WAAS Version: 1.0

Local ID: 02e0-011a-0000

DRE Status: Disabled

LZ Status: Disabled

BlackList Status: Disabled

Total Active connections: 7889

Total data storage size: 1468006400 bytes

Total index number: 11513600

Blacklist Hold-time: 5 minutes

Interfaces             Applied policy

GE2/0/1                waas_global

GE2/0/2                waas_default

GE2/0/3                waas_global

 

Total policy interfaces: 3

Table 127 Command output

Field                       Description
Local ID                    Bridge MAC address of the local device. A bridge MAC address uniquely identifies a local device.
Total Active connections    Total number of active WAAS connections.
Total data storage size     Disk space used by all metadata. Metadata are original data that have indexes in the dictionary.
Total index number          Total number of dictionary indexes.
Blacklist Hold-time         Aging time for blacklist entries.
Interfaces                  List of interfaces with WAAS policies applied.
Total policy interfaces     Number of interfaces with WAAS policies applied.

display waas tfo auto-discovery blacklist

Use display waas tfo auto-discovery blacklist to display autodiscovered blacklist information.

Syntax

Centralized devices in standalone mode:

display waas tfo auto-discovery blacklist { ipv4 | ipv6 }

Distributed devices in standalone mode/centralized devices in IRF mode:

display waas tfo auto-discovery blacklist { ipv4 | ipv6 } [ slot slot-number ]

Distributed devices in IRF mode:

display waas tfo auto-discovery blacklist { ipv4 | ipv6 } [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4: Specifies IPv4 blacklist information.

ipv6: Specifies IPv6 blacklist information.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays autodiscovered blacklist information for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays autodiscovered blacklist information for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays autodiscovered blacklist information for all cards. (Distributed devices in IRF mode.)

Examples

# Display all IPv4 blacklist information.

<Sysname> display waas tfo auto-discovery blacklist ipv4

Server IP address/Port           Insert Time

1.1.1.1/8080                     Fri Mar 21 10:43:05 2014

1.1.1.2/8080                     Fri Mar 21 10:43:06 2014

2.2.2.2/443                      Fri Mar 21 10:20:37 2014

 

Total 3 entries found.

Table 128 Command output

Field          Description
Insert Time    Time when a blacklist entry was generated.

Related commands

reset waas tfo auto-discovery blacklist

waas tfo auto-discovery blacklist enable

waas tfo auto-discovery blacklist hold-time

match tcp

Use match tcp to configure a match criterion.

Use undo match tcp to delete a match criterion.

Syntax

match [ match-id ] tcp { any | destination | source } [ ip-address ipv4-address [ mask-length | mask ] | ipv6-address ipv6-address [ prefix-length ] ] [ port port-list ]

undo match match-id

Default

No match criterion exists.

Views

WAAS class view

Predefined user roles

network-admin

Parameters

match-id: Specifies the ID of the match criterion, in the range of 1 to 65535. If you specify an unused ID, you can create a new match criterion. If you specify a used ID, you can modify the existing match criterion. If you do not specify an ID, the system automatically assigns the lowest available ID.

tcp: Matches TCP packets.

any: Matches any TCP packets.

destination: Specifies destination elements for matching TCP packets.

source: Specifies source elements for matching TCP packets.

ip-address ipv4-address: Specifies an IPv4 address for matching TCP packets.

mask-length: Specifies the mask length for the IPv4 address, in the range of 0 to 32. The default is 32.

mask: Specifies the mask for the IPv4 address. The default is 255.255.255.255.

ipv6-address ipv6-address: Specifies an IPv6 address for matching TCP packets.

prefix-length: Specifies the prefix length for the IPv6 address, in the range of 0 to 128. The default is 128.

port port-list: Specifies a space-separated list of up to 10 port items for matching TCP packets. Each item specifies a port number or a range of port numbers in the form of port-number1 to port-number2. The value for port-number2 must be greater than or equal to the value for port-number1. The value range for the port-number argument is 1 to 65535. If you do not specify a port list, all port numbers are matched.

Usage guidelines

If you specify the destination or source keyword, you must specify the ip-address (or ipv6-address) option, the port option, or both.

If you specify the any keyword, the ip-address (or ipv6-address) option, and the port option, the ip-address (or ipv6-address) and port options match either source or destination fields of packets.

You cannot configure the same match criteria with different match IDs.

A WAAS class can have a maximum of 65535 match criteria. A packet is checked against match criteria in their order of appearance. The packet belongs to the WAAS class if it matches any one of the match criteria.

A WAAS class without any match criteria is not used to match packets.

Examples

# Create a WAAS class named http_class, and configure the class to match packets with source IP address 192.168.0.1/16 and port number 80 or port number in the range of 8000 to 8080.

<Sysname> system-view

[Sysname] waas class http_class

[Sysname-waasclass-http_class] match tcp source ip-address 192.168.0.1 16 port 80 8000 to 8080

# Create a WAAS class named http_class, and configure the class to match any TCP packets.

<Sysname> system-view

[Sysname] waas class http_class

[Sysname-waasclass-http_class] match tcp any

Related commands

display waas policy

waas class
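
The matching rules in the class and match tcp usage guidelines (classes checked in policy order with the first match ending the walk, any one criterion sufficing within a class, and classes without an action or without criteria being skipped) can be modelled offline to review a policy before it is applied. This Python model is an added example, not H3C code. The class names other than http_class, the two packets, and the reading that the any keyword requires address and port to match on the same side are assumptions.

```python
import ipaddress


def parse_port_list(tokens):
    """Port list of `match tcp`: 1 to 10 items, each `N` or `N to M`, ports 1-65535."""
    items, i = [], 0
    while i < len(tokens):
        lo = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            hi, i = int(tokens[i + 2]), i + 3
        else:
            hi, i = lo, i + 1
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port item: {lo} to {hi}")
        items.append((lo, hi))
    if not 1 <= len(items) <= 10:
        raise ValueError("a port list holds 1 to 10 items")
    return items


def parse_match(line):
    """Parse one `match [ match-id ] tcp ...` line into (where, network, ports)."""
    t = line.split()
    if len(t) < 3 or t[0] != "match":
        raise ValueError("not a match criterion")
    t = t[2:] if t[1].isdigit() else t[1:]  # drop the optional match-id
    if len(t) < 2 or t[0] != "tcp" or t[1] not in ("any", "destination", "source"):
        raise ValueError("expected: tcp { any | destination | source }")
    where, rest, net, ports = t[1], t[2:], None, None
    if rest and rest[0] in ("ip-address", "ipv6-address"):
        if len(rest) < 2:
            raise ValueError("address missing")
        length = "32" if rest[0] == "ip-address" else "128"  # documented defaults
        addr, rest = rest[1], rest[2:]
        if rest and rest[0] != "port":  # mask-length, mask, or prefix-length
            length, rest = rest[0], rest[1:]
        net = ipaddress.ip_network(f"{addr}/{length}", strict=False)
    if rest:
        if rest[0] != "port":
            raise ValueError(f"unexpected token: {rest[0]}")
        ports = parse_port_list(rest[1:])
    if where != "any" and net is None and ports is None:
        raise ValueError("destination/source needs an address, a port list, or both")
    return where, net, ports


def side_matches(net, ports, ip, port):
    """True if one endpoint (address, port) satisfies the criterion's options."""
    if net is not None and ipaddress.ip_address(ip) not in net:
        return False
    return ports is None or any(lo <= port <= hi for lo, hi in ports)


def criterion_matches(crit, pkt):
    where, net, ports = crit
    src = side_matches(net, ports, pkt["src"], pkt["sport"])
    dst = side_matches(net, ports, pkt["dst"], pkt["dport"])
    # Assumption: with `any`, address and port must match on the same side.
    return {"source": src, "destination": dst, "any": src or dst}[where]


def classify(policy, classes, pkt):
    """Walk an ordered list of (class_name, action); the first match wins."""
    for name, action in policy:
        if action is None:  # a class without an action is ignored
            continue
        # A class without criteria matches nothing; any one criterion suffices.
        if any(criterion_matches(c, pkt) for c in classes.get(name, [])):
            return name, action
    return None, None


# Constructed classes; http_class reuses the criterion from the example above.
CLASSES = {
    "http_class": [parse_match("match tcp source ip-address 192.168.0.1 16 port 80 8000 to 8080")],
    "ldaps": [parse_match("match tcp destination port 636")],
    "everything": [parse_match("match tcp any")],
    "empty": [],
}
ORDERED = [("empty", "optimize tfo"), ("ldaps", "passthrough"),
           ("http_class", None), ("everything", "optimize tfo dre lz")]
SHADOWED = [("everything", "optimize tfo dre lz"), ("ldaps", "passthrough")]
# Constructed packets.
LDAPS_PKT = {"src": "10.0.0.5", "sport": 40000, "dst": "10.9.9.9", "dport": 636}
HTTP_PKT = {"src": "192.168.7.7", "sport": 8080, "dst": "10.9.9.9", "dport": 51000}

if __name__ == "__main__":
    print(classify(ORDERED, CLASSES, LDAPS_PKT))   # narrow class listed first
    print(classify(SHADOWED, CLASSES, LDAPS_PKT))  # broad class listed first
    print(classify(ORDERED, CLASSES, HTTP_PKT))    # http_class has no action
```

In the SHADOWED ordering the broad class is checked first, so the port 636 packet never reaches the pass-through class; the insert-before option of the class command is the documented way to move a narrow class ahead of a broad one.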

optimize

Use optimize to configure optimization actions for a WAAS class.

Use undo optimize to restore the default.

Syntax

optimize tfo [ dre | lz ] *

undo optimize

Default

No optimization actions are configured for a WAAS class.

Views

WAAS policy class view

Predefined user roles

network-admin

Parameters

tfo: Specifies TFO.

dre: Specifies DRE.

lz: Specifies LZ compression.

Usage guidelines

If you configure both this command and the passthrough command, the most recent configuration takes effect.

An optimization action takes effect only when the corresponding feature is enabled.

An optimization action does not optimize the traffic that matches a blacklist entry.

Examples

# Configure optimization actions TFO, DRE, and LZ for the WAAS class AFS.

<Sysname> system-view

[Sysname] waas policy waas_global

[Sysname-waaspolicy-waas_global] class AFS

[Sysname-waaspolicy-waas_global-AFS] optimize tfo dre lz

Related commands

class

display waas policy

passthrough

waas policy

waas tfo optimize dre

waas tfo optimize lz

passthrough

Use passthrough to configure the pass-through action for a WAAS class.

Use undo passthrough to restore the default.

Syntax

passthrough

undo passthrough

Default

The pass-through action is not configured.

Views

WAAS policy class view

Predefined user roles

network-admin

Usage guidelines

The pass-through action allows packets to pass through unoptimized.

If you configure both this command and the optimize command, the most recent configuration takes effect.

Examples

# Configure the pass-through action for the WAAS class AFS.

<Sysname> system-view

[Sysname] waas policy waas_global

[Sysname-waaspolicy-waas_global] class AFS

[Sysname-waaspolicy-waas_global-AFS] passthrough

Related commands

class

display waas policy

optimize

waas policy

reset waas cache dre

Use reset waas cache dre to clear DRE data dictionaries.

Syntax

reset waas cache dre [ peer-id peer-id ]

Views

User view

Predefined user roles

network-admin

network-operator

Parameters

peer-id peer-id: Specifies a peer device by its bridge MAC address in the format of H-H-H. If you do not specify a peer device, this command clears DRE data dictionaries for all peer devices.

Examples

# Clear the DRE data dictionary for the peer device with the bridge MAC address 0789-445d-effa.

<Sysname> reset waas cache dre peer 0789-445d-effa

Related commands

display waas statistics dre

reset waas statistics dre

Use reset waas statistics dre to clear DRE statistics.

Syntax

reset waas statistics dre [ peer-id peer-id ]

Views

User view

Predefined user roles

network-admin

network-operator

Parameters

peer-id peer-id: Specifies a peer device by its bridge MAC address in the format of H-H-H. If you do not specify a peer device, this command clears DRE statistics for all peer devices.

Examples

# Clear DRE statistics for all peer devices.

<Sysname> reset waas statistics dre

Related commands

display waas statistics dre

reset waas tfo auto-discovery blacklist

Use reset waas tfo auto-discovery blacklist to clear all autodiscovered blacklist entries.

Syntax

reset waas tfo auto-discovery blacklist

Views

User view

Predefined user roles

network-admin

network-operator

Examples

# Clear all autodiscovered blacklist entries.

<Sysname> reset waas tfo auto-discovery blacklist

Related commands

display waas tfo auto-discovery blacklist

waas tfo auto-discovery blacklist enable

waas tfo auto-discovery blacklist hold-time

waas apply policy

Use waas apply policy to apply a WAAS policy to an interface.

Use undo waas apply policy to restore the default.

Syntax

waas apply policy [ policy-name ]

undo waas apply policy

Default

No WAAS policy is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a WAAS policy by its name, a case-insensitive string of 1 to 63 characters. The specified policy must already exist. If you do not specify a WAAS policy, this command applies the system-defined WAAS policy waas_default.

Usage guidelines

Apply a WAAS policy to an interface that connects to the WAN (not an interface that connects to the LAN). The device optimizes or passes through the traffic entering and leaving the WAN according to the configured policy. If the incoming and outgoing interfaces of the traffic are both connected to the WAN, the traffic is not optimized.

A global logical interface (such as a Layer 3 aggregate interface or VLAN interface) that spans multiple cards or IRF member devices can be used to connect to the WAN. To ensure the traffic optimization effect for such an interface, use the service command to specify one of these cards or IRF member devices to forward traffic for the interface.

Examples

# Apply the WAAS policy global_policy to the interface GigabitEthernet 2/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] waas apply policy global_policy

Related commands

display waas policy

display waas status

waas policy

waas class

Use waas class to create a WAAS class and enter its view, or enter the view of an existing WAAS class.

Use undo waas class to delete a WAAS class.

Syntax

waas class class-name

undo waas class class-name

Default

Only system-defined WAAS classes exist.

Views

System view

Predefined user roles

network-admin

Parameters

class-name: Specifies a name for the WAAS class, a case-insensitive string of 1 to 63 characters.

Usage guidelines

As a best practice, configure a WAAS class by modifying a system-defined WAAS class (see Table 129).

Examples

# Create a WAAS class named waas_global and enter WAAS class view.

<Sysname> system-view

[Sysname] waas class waas_global

[Sysname-waasclass-waas_global]

Related commands

class

display waas class

waas config remove-all

Use waas config remove-all to delete all WAAS settings.

Syntax

waas config remove-all

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command deletes all configuration data and running data for WAAS and exits the WAAS process.

Examples

# Delete all WAAS settings.

<Sysname> system-view

[Sysname] waas config remove-all

The command will clear all the WAAS configuration. Continue? [Y/N]:y

waas config restore-default

Use waas config restore-default to restore system-defined WAAS settings.

Syntax

waas config restore-default

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command restores the system-defined WAAS policy and WAAS classes to their settings at the time when the WAAS process starts for the first time.

To successfully restore system-defined WAAS settings, make sure none of the interfaces has a WAAS policy applied.

Examples

# Restore system-defined WAAS settings.

<Sysname> system-view

[Sysname] waas config restore-default

The command will restore all the WAAS configuration to default. Continue? [Y/N]:y

waas dre cache aging

Use waas dre cache aging to set the aging time for entries in the data dictionary.

Use undo waas dre cache aging to restore the default.

Syntax

waas dre cache aging minutes

undo waas dre cache aging

Default

Entries in the data dictionary are not aged out, and the newly created entry overwrites the oldest entry if the number of data dictionary entries reaches the limit.

Views

System view

Predefined user roles

network-admin

Parameters

minutes: Specifies the aging time for entries in the data dictionary, in the range of 10 to 60 minutes.

Usage guidelines

The device polls all data dictionary entries and deletes the entries that are not hit within the aging time. If the number of data dictionary entries reaches the limit, the device no longer creates new entries.

The amount of time used by the device to poll all data dictionary entries depends on the number of data dictionary entries on the device.

You must set the same aging time on the local and peer devices.

Examples

# Set the aging time to 10 minutes for entries in the data dictionary.

<Sysname> system-view

[Sysname] waas dre cache aging 10

waas dre offset-step

Use waas dre offset-step to set the DRE match offset step.

Use undo waas dre offset-step to restore the default.

Syntax

waas dre offset-step { general | fast | fastest | normal }

undo waas dre offset-step

Default

The DRE match offset step is normal.

Views

System view

Predefined user roles

network-admin

Parameters

general: Specifies the DRE match offset step as general.

fast: Specifies the DRE match offset step as fast.

fastest: Specifies the DRE match offset step as fastest.

normal: Specifies the DRE match offset step as normal.

Usage guidelines

The following DRE match offset step levels are listed from high to low:

·     fastest.

·     fast.

·     general.

·     normal.

The higher the step level, the lower the match precision. As a best practice, use a higher-level offset step on high-speed links to improve match efficiency. Use a lower-level offset step on low-speed links to ensure match precision.

Examples

# Set the DRE match offset step to fast.

<Sysname> system-view

[Sysname] waas dre offset-step fast

waas policy

Use waas policy to create a WAAS policy and enter its view, or enter the view of an existing WAAS policy.

Use undo waas policy to delete a WAAS policy.

Syntax

waas policy policy-name

undo waas policy policy-name

Default

Only the system-defined WAAS policy waas_default exists.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a name for the WAAS policy, a case-insensitive string of 1 to 63 characters.

Usage guidelines

To delete a WAAS policy applied to an interface, first remove the WAAS policy from the interface.

As a best practice, configure a WAAS policy by entering the system-defined WAAS policy view and modifying the system-defined WAAS policy. The system-defined WAAS policy is created by the system when the WAAS process starts for the first time. The system-defined WAAS policy uses all system-defined WAAS classes. Only system-defined WAAS classes FTP-Data and FTPS-Data use source ports as match options. All other system-defined WAAS classes use destination ports as match options.

Table 129 System-defined WAAS policy

System-defined WAAS class   WAAS actions  Source ports  Destination ports
Kerberos                    Passthrough   N/A           88, 464, 543, 544, 749, 754, 888, 2053
SASL                        Passthrough   N/A           3659
TACACS                      Passthrough   N/A           49
Amanda                      TFO           N/A           10080
BackupExpress               TFO           N/A           6123
CommVault                   TFO           N/A           8400–8403
Connected-DataProtector     TFO           N/A           16384
IBM-TSM                     TFO+LZ+DRE    N/A           1500–1502
Legato-NetWorker            TFO           N/A           7937, 7938, 7939
Legato-RepliStor            TFO           N/A           7144, 7145
Veritas-BackupExec          TFO           N/A           1125, 3527, 6101, 6102, 6106
Veritas-NetBackup           TFO           N/A           13720, 13721, 13782, 13785
PDMWorks                    LZ+TFO+DRE    N/A           30000, 40000
Cisco-CallManager           Passthrough   N/A           2443, 2748
SIP-secure                  Passthrough   N/A           5061
VoIP-Control                Passthrough   N/A           1300, 1718–1720, 2000–2002, 2428, 5060, 11000–11999
CU-SeeMe                    Passthrough   N/A           7640, 7642, 7648, 7649
ezMeeting                   Passthrough   N/A           10101–10103, 26260–26261
GnomeMeeting                Passthrough   N/A           30000–30010
Intel-Proshare              Passthrough   N/A           5713–5717
MS-NetMeeting               Passthrough   N/A           522, 1503, 1731
VocalTec                    Passthrough   N/A           1490, 6670, 22555, 25793
SSL-Shell                   Passthrough   N/A           614
Telnet                      Passthrough   N/A           23, 107, 513
Telnets                     Passthrough   N/A           992
Unix-Remote-Execution       Passthrough   N/A           512, 514
Documentum                  LZ+TFO+DRE    N/A           1489
Filenet                     LZ+TFO+DRE    N/A           32768–32774
ProjectWise-FileTransfer    LZ+TFO+DRE    N/A           5800
LDAP                        LZ+TFO+DRE    N/A           389, 8404
LDAP-Global-Catalog         LZ+TFO+DRE    N/A           3268
LDAP-Global-Catalog-Secure  Passthrough   N/A           3269
LDAP-secure                 Passthrough   N/A           636
HP-OpenMail                 LZ+TFO+DRE    N/A           5729, 5755, 5757, 5766, 5767, 5768
Internet-Mail               LZ+TFO+DRE    N/A           25, 110, 143, 220
Internet-Mail-secure        TFO           N/A           465, 993, 995
Lotus-Notes                 LZ+TFO+DRE    N/A           1352
MDaemon                     LZ+TFO+DRE    N/A           3000, 3001
NNTP                        LZ+TFO+DRE    N/A           119
NNTP-secure                 TFO           N/A           563
Novell-Groupwise            LZ+TFO+DRE    N/A           1099, 1677, 2800, 3800, 7100, 7101, 7180, 7181, 7205, 9850
PCMail-Server               LZ+TFO+DRE    N/A           158
QMTP                        LZ+TFO+DRE    N/A           209
X400                        LZ+TFO+DRE    N/A           102
SAP                         LZ+TFO+DRE    N/A           3200–3219, 3221–3224, 3226–3267, 3270–3282, 3284–3305, 3307–3388, 3390–3399, 3600–3659, 3662–3699
Siebel                      LZ+TFO+DRE    N/A           2320, 2321, 8448
AFS                         LZ+TFO+DRE    N/A           7000–7009
Apple-AFP                   LZ+TFO+DRE    N/A           548
CIFS-non-wafs               LZ+TFO+DRE    N/A           139, 445
NFS                         LZ+TFO+DRE    N/A           2049
Novell-NetWare              LZ+TFO+DRE    N/A           524
Sun-RPC                     Passthrough   N/A           111
BFTP                        LZ+TFO+DRE    N/A           152
FTP                         Passthrough   N/A           21
FTP-Data                    LZ+TFO+DRE    20            N/A
FTPS                        TFO           N/A           990
FTPS-Data                   Passthrough   989           N/A
Simple-FTP                  LZ+TFO+DRE    N/A           115
TFTP                        LZ+TFO+DRE    N/A           69
TFTPS                       TFO           N/A           3713
AOL                         Passthrough   N/A           5190–5193
Apple-iChat                 Passthrough   N/A           5297, 5298
IRC                         Passthrough   N/A           531, 6660–6669
Jabber                      Passthrough   N/A           5222, 5269
Lotus-Sametime-Connect      Passthrough   N/A           1533
MS-Chat                     Passthrough   N/A           6665, 6667
MSN-Messenger               Passthrough   N/A           1863, 6891–6900
Yahoo-Messenger             Passthrough   N/A           5000, 5001, 5050, 5100
DNS                         Passthrough   N/A           53

iSNS

Passthrough

N/A

3205

Service-Location

Passthrough

N/A

427

WINS

Passthrough

N/A

42, 137, 1512

Cisco-NetFlow

Passthrough

N/A

7544, 7545

Basic-TCP-services

Passthrough

N/A

1–19

BGP

LZ+TFO+DRE

N/A

179

MS-Message-Queuing

LZ+TFO+DRE

N/A

1801, 2101, 2103, 2105

NTP

Passthrough

N/A

123

Other-Secure

Passthrough

N/A

261, 44, 684, 695, 994, 2252, 2478, 2479, 2482, 2484, 2679, 2762, 2998, 3077, 3078, 3183, 3191, 3220, 3410, 3424, 3471, 3496,3509, 3529, 3539, 3660, 3661, 3747, 3864, 3885, 3896, 3897, 3995, 4031, 5007, 5989, 5990, 7674, 9802, 12109

SOAP

LZ+TFO+DRE

N/A

7627

Symantec-AntiVirus

LZ+TFO+DRE

N/A

2847, 2848, 2967, 2968, 38037, 38292

BitTorrent

Passthrough

N/A

6881–6889, 6969

eDonkey

Passthrough

N/A

4661, 4662

Gnutella

Passthrough

N/A

6346–6349, 6355, 5634

Grouper

Passthrough

N/A

8038

HotLine

Passthrough

N/A

5500–5503

Kazaa

Passthrough

N/A

1214

Laplink-ShareDirect

Passthrough

N/A

2705

Napster

Passthrough

N/A

6666, 6677, 6700, 6688, 7777, 8875

Qnext

Passthrough

N/A

44, 5555

SoulSeek

Passthrough

N/A

2234, 5534

WASTE

Passthrough

N/A

1337

WinMX

Passthrough

N/A

6699

AppSocket

LZ+TFO+DRE

N/A

9100

IPP

LZ+TFO+DRE

N/A

631

SUN-Xprint

LZ+TFO+DRE

N/A

8100

Unix-Printing

LZ+TFO+DRE

N/A

170, 515

Altiris-CarbonCopy

Passthrough

N/A

1680

Apple-NetAssistant

Passthrough

N/A

3283

Citrix-ICA

LZ+TFO+DRE

N/A

1494, 2598

ControlIT

TFO

N/A

799

Danware-NetOp

TFO

N/A

6502

Laplink-Host

TFO

N/A

1547

Laplink-PCSync

TFO

N/A

8444

Laplink-PCSync-secure

TFO

N/A

8443

MS-Terminal-Services

TFO

N/A

3389

Netopia-Timbuktu

TFO

N/A

407, 1417–1420

PCAnywhere

TFO

N/A

73, 5631, 5632, 65301

RAdmin

TFO

N/A

4899

Remote-Anything

TFO

N/A

3999, 4000

Vmware-VMConsole

TFO

N/A

902

VNC

TFO

N/A

5801–5809, 6900–6909

XWindows

TFO

N/A

6000–6063

Double-Take

LZ+TFO+DRE

N/A

1100, 1105

EMC-Celerra-Replicator

LZ+TFO+DRE

N/A

8888

MS-Content-Replication-Service

TFO

N/A

560, 507

Netapp-SnapMirror

LZ+TFO+DRE

N/A

10565–10569

Remote-Replication-Agent

TFO

N/A

5678

Rsync

TFO

N/A

873

Borland-Interbase

LZ+TFO+DRE

N/A

3050

IBM-DB2

LZ+TFO+DRE

N/A

523

InterSystems-Cache

LZ+TFO+DRE

N/A

1972

MS-SQL

LZ+TFO+DRE

N/A

1433

MySQL

LZ+TFO+DRE

N/A

3306

Oracle

LZ+TFO+DRE

N/A

66, 1521, 1525

Pervasive-SQL

LZ+TFO+DRE

N/A

1583

PostgreSQL

LZ+TFO+DRE

N/A

5432

Scalable-SQL

LZ+TFO+DRE

N/A

3352

SQL-Service

LZ+TFO+DRE

N/A

156

Sybase-SQL

LZ+TFO+DRE

N/A

1498, 2439, 2638, 3968

UniSQL

LZ+TFO+DRE

N/A

1978, 1979

HTTPS

TFO

N/A

443

SSH

TFO

N/A

22

EMC-SRDFA-IP

LZ+TFO+DRE

N/A

1748

FCIP

LZ+TFO+DRE

N/A

3225

iFCP

LZ+TFO+DRE

N/A

3420

iSCSI

LZ+TFO+DRE

N/A

3260

Liquid-Audio

LZ+TFO+DRE

N/A

18888

MS-NetShow

LZ+TFO+DRE

N/A

1755

RTSP

LZ+TFO+DRE

N/A

554, 8554

VDOLive

LZ+TFO+DRE

N/A

7000

BMC-Patrol

Passthrough

N/A

6161, 6162, 6767, 6768, 8160, 8161, 10128

HP-OpenView

Passthrough

N/A

7426–7431, 7501, 7510

HP-Radia

LZ+TFO+DRE

N/A

3460, 3461, 3464, 3466

IBM-NetView

Passthrough

N/A

729–731

IBM-Tivoli

LZ+TFO+DRE

N/A

94, 627, 1580, 1581, 1965

LANDesk

LZ+TFO+DRE

N/A

9535, 9593–9595

NetIQ

Passthrough

N/A

2220, 2735, 10113–10116

Netopia-netOctopus

Passthrough

N/A

1917, 1921

Novell-ZenWorks

LZ+TFO+DRE

N/A

517, 1761–1763, 2037, 2544, 8039

WAAS-FlowMonitor

TFO

N/A

7878

WBEM

Passthrough

N/A

5987, 5988

Clearcase

LZ+TFO+DRE

N/A

371

CVS

LZ+TFO+DRE

N/A

2401

CIFS

LZ+TFO+DRE

N/A

139, 445

HTTP

LZ+TFO+DRE

N/A

80, 3128, 8000, 8001, 8080

HTTPS

TFO

N/A

443

L2TP

TFO

N/A

1701

OpenVPN

TFO

N/A

1194

PPTP

TFO

N/A

1723

 

Examples

# Enter system-defined WAAS policy view.

<Sysname> system-view

[Sysname] waas policy waas_default

[Sysname-waaspolicy-waas_default]

Related commands

display waas policy

waas tfo auto-discovery blacklist enable

Use waas tfo auto-discovery blacklist enable to enable the TFO blacklist autodiscovery feature.

Use undo waas tfo auto-discovery blacklist enable to disable the TFO blacklist autodiscovery feature.

Syntax

waas tfo auto-discovery blacklist enable

undo waas tfo auto-discovery blacklist enable

Default

The TFO blacklist autodiscovery feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature automatically discovers servers that cannot receive TCP packets with options and adds the server IP addresses and port numbers to a blacklist.

During the 3-way handshake, the local device considers the TCP connection attempt failed if either of the following situations occurs:

·     The peer device does not respond within the specified time period.

·     The peer device closes the TCP connection.

Examples

# Enable the TFO blacklist autodiscovery feature.

<Sysname> system-view

[Sysname] waas tfo auto-discovery blacklist enable

Related commands

display waas tfo auto-discovery blacklist

waas tfo auto-discovery blacklist hold-time

Use waas tfo auto-discovery blacklist hold-time to set the aging time for autodiscovered blacklist entries.

Use undo waas tfo auto-discovery blacklist hold-time to restore the default.

Syntax

waas tfo auto-discovery blacklist hold-time minutes

undo waas tfo auto-discovery blacklist hold-time

Default

The aging time for autodiscovery blacklist entries is 5 minutes.

Views

System view

Predefined user roles

network-admin

Parameters

minutes: Specifies the aging time for autodiscovered blacklist entries, in the range of 1 to 10080 minutes.

Usage guidelines

An aging timer is started when a blacklist entry is created. The system automatically deletes an autodiscovered blacklist entry to make room for a new blacklist entry when the aging timer expires.

Examples

# Set the aging time to 30 minutes for autodiscovered blacklist entries.

<Sysname> system-view

[Sysname] waas tfo auto-discovery blacklist hold-time 30

Related commands

display waas tfo auto-discovery blacklist

waas tfo auto-discovery blacklist enable

waas tfo base-congestion-window

Use waas tfo base-congestion-window to set the initial congestion window size for slow start.

Use undo waas tfo base-congestion-window to restore the default.

Syntax

waas tfo base-congestion-window segments

undo waas tfo base-congestion-window

Default

The initial congestion window size is two TCP segments.

Views

System view

Predefined user roles

network-admin

Parameters

segments: Specifies the initial congestion window size in the range of 1 to 10 TCP segments.

Usage guidelines

The congestion window size changes with the congestion status and transmission speed. An appropriate initial congestion window size can quickly restore the network to its full transmission capacity after congestion occurs.

Examples

# Set the initial congestion window size to three segments.

<Sysname> system-view

[Sysname] waas tfo base-congestion-window 3

waas tfo congestion-method

Use waas tfo congestion-method to specify a TCP congestion control algorithm for the WAN side.

Use undo waas tfo congestion-method to restore the default.

Syntax

waas tfo congestion-method { bic | reno }

undo waas tfo congestion-method

Default

WAAS uses BIC as the TCP congestion control algorithm on the WAN side.

Views

System view

Predefined user roles

network-admin

Parameters

bic: Specifies BIC as the TCP congestion control algorithm.

reno: Specifies Reno as the TCP congestion control algorithm.

Examples

# Specify Reno as the TCP congestion control algorithm for the WAN side.

<Sysname> system-view

[Sysname] waas tfo congestion-method reno

waas tfo connect-limit

Use waas tfo connect-limit to set the maximum number of concurrent connections.

Use undo waas tfo connect-limit to restore the default.

Syntax

waas tfo connect-limit limit

undo waas tfo connect-limit

Default

The maximum number of concurrent connections is 10000.

Views

System view

Predefined user roles

network-admin

Parameters

limit: Specifies the maximum number of concurrent connections, in the range of 1000 to 4294967295.

Usage guidelines

After the maximum number of concurrent connections is reached, WAAS does not optimize traffic for newly established connections. Configure the maximum number of concurrent connections according to your available memory resources, because optimizing TCP flows consumes memory resources.

You must set the same maximum number of concurrent connections on the local and peer devices.

Examples

# Set the maximum number of concurrent connections to 20000.

<Sysname> system-view

[Sysname] waas tfo connect-limit 20000

waas tfo keepalive

Use waas tfo keepalive to enable TFO keepalives.

Use undo waas tfo keepalive to disable TFO keepalives.

Syntax

waas tfo keepalive

undo waas tfo keepalive

Default

TFO keepalives are enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After you enable TFO keepalives, the system starts the 2-hour TCP keepalive timer. If the local device does not send or receive any data when the timer expires, it sends a keepalive to the peer to maintain the connection.

Examples

# Disable TFO keepalives.

<Sysname> system-view

[Sysname] undo waas tfo keepalive

waas tfo optimize dre

Use waas tfo optimize dre to enable DRE.

Use undo waas tfo optimize dre to disable DRE.

Syntax

waas tfo optimize dre

undo waas tfo optimize dre

Default

DRE is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The DRE optimization action configured in a WAAS policy takes effect only when DRE is enabled.

Examples

# Disable DRE.

<Sysname> system-view

[Sysname] undo waas tfo optimize dre

Related commands

display waas status

waas tfo optimize lz

Use waas tfo optimize lz to enable LZ compression.

Use undo waas tfo optimize lz to disable LZ compression.

Syntax

waas tfo optimize lz

undo waas tfo optimize lz

Default

LZ compression is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The LZ optimization action configured in a WAAS policy takes effect only when LZ compression is enabled.

Examples

# Disable LZ compression.

<Sysname> system-view

[Sysname] undo waas tfo optimize lz

Related commands

display waas status

waas tfo receive-buffer

Use waas tfo receive-buffer to set the TFO receiving buffer size.

Use undo waas tfo receive-buffer to restore the default.

Syntax

waas tfo receive-buffer buffer-size

undo waas tfo receive-buffer

Default

The TFO receiving buffer size is 64 KB.

Views

System view

Predefined user roles

network-admin

Parameters

buffer-size: Specifies the TFO receiving buffer size in the range of 32 to 16384 KB.

Usage guidelines

The TFO receiving buffer size affects network throughput.

Examples

# Set the TFO receiving buffer size to 1024 KB.

<Sysname> system-view

[Sysname] waas tfo receive-buffer 1024

waas unsymmertrical

Use waas unsymmertrical to configure WAAS to operate in asymmetric mode.

Use undo waas unsymmertrical to restore the default.

Syntax

waas unsymmertrical

undo waas unsymmertrical

Default

WAAS operates in symmetric mode.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Configure this command if the device sends and receives packets on different interfaces.

If the device sends and receives packets on the same interface, the device should operate in symmetric mode.

Examples

# Configure WAAS to operate in asymmetric mode.

<Sysname> system-view

[Sysname] waas unsymmertrical

 


AFT commands

The following matrix shows the feature and hardware compatibility:

| Hardware | AFT compatibility |
|---|---|
| MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/MSR810-W-LM-HK | Yes |
| MSR810-LMS/810-LUS | No |
| MSR2600-6-X1/2600-10-X1 | Yes |
| MSR 2630 | Yes |
| MSR3600-28/3600-51 | Yes |
| MSR3600-28-SI/3600-51-SI | No |
| MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes |
| MSR 3610/3620/3620-DP/3640/3660 | Yes |
| MSR 5620/5660/5680 | Yes |

| Hardware | AFT compatibility |
|---|---|
| MSR810-LM-GL | Yes |
| MSR810-W-LM-GL | Yes |
| MSR830-6EI-GL | Yes |
| MSR830-10EI-GL | Yes |
| MSR830-6HI-GL | Yes |
| MSR830-10HI-GL | Yes |
| MSR2600-6-X1-GL | Yes |
| MSR3600-28-SI-GL | No |

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

address

Use address to add an address range to an AFT address group.

Use undo address to remove an address range from an AFT address group.

Syntax

address start-address end-address

undo address start-address end-address

Default

No address ranges exist.

Views

AFT address group view

Predefined user roles

network-admin

Parameters

start-address end-address: Specifies the start and end IP addresses for an address range. The end address cannot be lower than the start address. If they are the same, the address range has only one IP address.

Usage guidelines

An AFT address group is a set of address ranges. Dynamic AFT translates an IPv6 address to an IPv4 address in one of the address ranges.

Each address range can contain a maximum of 256 addresses.

Make sure the address ranges do not overlap.

Examples

# Add two address ranges to AFT address group 2.

<Sysname> system-view

[Sysname] aft address-group 2

[Sysname-aft-address-group-2] address 10.1.1.1 10.1.1.15

[Sysname-aft-address-group-2] address 10.1.1.20 10.1.1.30

Related commands

aft address-group

aft address-group

Use aft address-group to create an AFT address group and enter its view, or enter the view of an existing AFT address group.

Use undo aft address-group to delete an AFT address group.

Syntax

aft address-group group-id

undo aft address-group group-id

Default

No AFT address groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Assigns an ID to the address group. The value range for this argument is 0 to 65535.

Usage guidelines

An AFT address group is a set of address ranges. Use the address command to add an address range.

The AFT address group is used in dynamic AFT. Dynamic AFT translates the source address of an IPv6 packet to an IPv4 address in the address group.

Examples

# Create AFT address group 1 and enter its view.

<Sysname> system-view

[Sysname] aft address-group 1

[Sysname-aft-address-group-1]

Related commands

address

aft v6tov4 source

display aft address-group

display aft configuration

aft enable

Use aft enable to enable AFT on an interface.

Use undo aft enable to disable AFT on an interface.

Syntax

aft enable

undo aft enable

Default

AFT is disabled on an interface.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

You must enable AFT on interfaces connected to the IPv4 network and interfaces connected to the IPv6 network.

Examples

# Enable AFT on GigabitEthernet 2/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] aft enable

Related commands

display aft configuration

aft log enable

Use aft log enable to enable AFT logging.

Use undo aft log enable to disable AFT logging.

Syntax

aft log enable

undo aft log enable

Default

AFT logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

For security auditing, you can enable AFT logging to record AFT session information. An AFT session is a session whose source and destination IP addresses are translated by AFT.

AFT can log the following events:

·     An AFT port block is created.

·     An AFT port block is deleted.

·     An AFT session is established.

To log AFT session establishment events, you must also execute the aft log flow-begin command.

·     An AFT session is removed.

To log AFT session removal events, you must also execute the aft log flow-end command.

The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.

Examples

# Enable AFT logging.

<Sysname> system-view

[Sysname] aft log enable

Related commands

aft log flow-begin

aft log flow-end

display aft configuration

aft log flow-begin

Use aft log flow-begin to enable AFT session establishment logging.

Use undo aft log flow-begin to disable AFT session establishment logging.

Syntax

aft log flow-begin

undo aft log flow-begin

Default

AFT session establishment logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the AFT module to generate a log entry for every AFT session establishment event.

AFT session establishment logging takes effect only after you enable AFT logging.

Examples

# Enable AFT session establishment logging.

<Sysname> system-view

[Sysname] aft log flow-begin

Related commands

aft log enable

aft log flow-end

display aft configuration

aft log flow-end

Use aft log flow-end to enable AFT session removal logging.

Use undo aft log flow-end to disable AFT session removal logging.

Syntax

aft log flow-end

undo aft log flow-end

Default

AFT session removal logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the AFT module to generate a log entry for every AFT session removal event.

AFT session removal logging takes effect only after you enable AFT logging.

Examples

# Enable AFT session removal logging.

<Sysname> system-view

[Sysname] aft log flow-end

Related commands

aft log enable

aft log flow-begin

display aft configuration
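The address command limits each range to 256 addresses and forbids overlapping ranges, and the aft log flow-begin and aft log flow-end commands take effect only after aft log enable. The following added example (not H3C code) lints a saved configuration for those rules. The configuration text is constructed, and the one-space indentation of view commands, the # separators, and the per-group scope of the overlap check are assumptions.

```python
import ipaddress
import re

# Constructed running-config excerpt for the lint below (not from a real device).
SAMPLE_CONFIG = """\
aft address-group 2
 address 10.1.1.1 10.1.1.15
 address 10.1.1.20 10.1.1.30
#
aft address-group 3
 address 10.2.0.1 10.2.1.10
 address 10.3.0.10 10.3.0.20
 address 10.3.0.15 10.3.0.40
 address 10.4.0.9 10.4.0.1
#
aft log flow-begin
aft log flow-end
"""

MAX_RANGE_SIZE = 256  # limit stated in the address command's usage guidelines
GROUP_RE = re.compile(r"^aft address-group (\d+)$")
ADDR_RE = re.compile(r"^address (\S+) (\S+)$")
DEPENDENT_LOG_CMDS = ("aft log flow-begin", "aft log flow-end")


def parse_aft(config):
    """Return ({group_id: [(start, end), ...]}, {top-level 'aft log ...' lines})."""
    groups, log_cmds, current = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            # A non-indented line leaves any address-group view (assumed layout).
            current = None
            group = GROUP_RE.match(line)
            if group:
                current = int(group.group(1))
                groups.setdefault(current, [])
            elif line.startswith("aft log "):
                log_cmds.add(line)
            continue
        addr = ADDR_RE.match(line)
        if addr and current is not None:
            groups[current].append(
                (ipaddress.IPv4Address(addr.group(1)),
                 ipaddress.IPv4Address(addr.group(2))))
    return groups, log_cmds


def lint_aft(config):
    """Return a list of findings; an empty list means every check passed."""
    groups, log_cmds = parse_aft(config)
    findings = []
    for gid, ranges in sorted(groups.items()):
        usable = []
        for start, end in ranges:
            if end < start:
                findings.append(
                    f"group {gid}: {start} {end}: end address is lower than start address")
                continue
            size = int(end) - int(start) + 1
            if size > MAX_RANGE_SIZE:
                findings.append(
                    f"group {gid}: {start} {end}: {size} addresses, limit is {MAX_RANGE_SIZE}")
            usable.append((start, end))
        # Sweep the ranges in start order, remembering the one that reaches furthest.
        widest = None
        for start, end in sorted(usable):
            if widest and start <= widest[1]:
                findings.append(
                    f"group {gid}: {start} {end} overlaps {widest[0]} {widest[1]}")
            if widest is None or end > widest[1]:
                widest = (start, end)
    if "aft log enable" not in log_cmds:
        for cmd in DEPENDENT_LOG_CMDS:
            if cmd in log_cmds:
                findings.append(f"'{cmd}' has no effect without 'aft log enable'")
    return findings


if __name__ == "__main__":
    for finding in lint_aft(SAMPLE_CONFIG):
        print(finding)
```
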

aft prefix-general

Use aft prefix-general to configure a general prefix.

Use undo aft prefix-general to delete a general prefix.

Syntax

aft prefix-general prefix-general prefix-length

undo aft prefix-general prefix-general prefix-length

Default

No general prefixes exist.

Views

System view

Predefined user roles

network-admin

Parameters

prefix-general: Specifies the general prefix.

prefix-length: Specifies the prefix length. The value for this argument can be 32, 40, 48, 56, 64, or 96.

Usage guidelines

When a general prefix is used in the aft v4tov6 source or aft v4tov6 destination command, it provides IPv4-to-IPv6 source or destination address translation. AFT constructs the IPv6 address by using the general prefix and the source or destination IPv4 address.

When a general prefix is used alone, it provides IPv6-to-IPv4 source and destination address translation. If a source or destination IPv6 address matches the general prefix, AFT translates it to the embedded IPv4 address.

A general prefix cannot be on the same subnet as any interface on the device.

A general prefix must be different from a NAT64 prefix or an IVI prefix.

Examples

# Specify 2000:db8e:: as a general prefix and set its prefix length to 32.

<Sysname> system-view

[Sysname] aft prefix-general 2000:db8e:: 32

Related commands

aft v4tov6 destination

aft v4tov6 source

display aft configuration

aft prefix-ivi

Use aft prefix-ivi to configure an IVI prefix.

Use undo aft prefix-ivi to delete an IVI prefix.

Syntax

aft prefix-ivi prefix-ivi

undo aft prefix-ivi prefix-ivi

Default

No IVI prefixes exist.

Views

System view

Predefined user roles

network-admin

Parameters

prefix-ivi: Specifies an IVI prefix of 32 bits.

Usage guidelines

When an IVI prefix is used alone, it provides IPv6-to-IPv4 source address translation. If a source IPv6 address matches the IVI prefix, it is translated to the embedded IPv4 address.

When an IVI prefix is used in the aft v4tov6 destination command, it provides IPv4-to-IPv6 destination address translation.

An IVI prefix must be different from a NAT64 prefix or a general prefix.

Examples

# Specify 3000:db8e:: as an IVI prefix.

<Sysname> system-view

[Sysname] aft prefix-ivi 3000:db8e::

Related commands

aft v4tov6 destination

display aft configuration

aft prefix-nat64

Use aft prefix-nat64 to configure a NAT64 prefix.

Use undo aft prefix-nat64 to delete a NAT64 prefix.

Syntax

aft prefix-nat64 prefix-nat64 prefix-length

undo aft prefix-nat64 prefix-nat64 prefix-length

Default

No NAT64 prefixes exist.

Views

System view

Predefined user roles

network-admin

Parameters

prefix-nat64: Specifies a NAT64 prefix.

prefix-length: Specifies the NAT64 prefix length. The value for this argument can be 32, 40, 48, 56, 64, or 96.

Usage guidelines

When a NAT64 prefix is used alone or in the aft v4tov6 source command, it provides IPv4-to-IPv6 source address translation. AFT constructs the IPv6 address by using the NAT64 prefix and the source IPv4 address.

When a NAT64 prefix is used alone, it also provides IPv6-to-IPv4 destination address translation. AFT uses the NAT64 prefix to match destination IPv6 addresses and translates matching IPv6 addresses to the embedded IPv4 addresses.

A NAT64 prefix cannot be on the same subnet as any of the interfaces on the device.

A NAT64 prefix must be different from an IVI prefix or a general prefix.

Examples

# Specify 2000:db8e:: as a NAT64 prefix and set its prefix length to 32.

<Sysname> system-view

[Sysname] aft prefix-nat64 2000:db8e:: 32

Related commands

aft v4tov6 source

display aft configuration
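The NAT64 prefix lengths accepted here (32, 40, 48, 56, 64, and 96) are the ones RFC 6052 defines for embedding an IPv4 address in an IPv6 address. The following added example (not H3C code) builds and reverses that mapping, which helps when correlating translated addresses in AFT logs. It assumes the device follows the RFC 6052 layout, which this page does not state, and it does not model general or IVI prefixes.

```python
import ipaddress

# Byte positions (0-15) in the IPv6 address that hold the four IPv4 octets for
# each prefix length, following RFC 6052 section 2.2. Byte 8 (bits 64-71) is
# reserved as zero, so for /40 to /64 the IPv4 octets are split around it.
V4_BYTE_POSITIONS = {
    32: (4, 5, 6, 7),
    40: (5, 6, 7, 9),
    48: (6, 7, 9, 10),
    56: (7, 9, 10, 11),
    64: (9, 10, 11, 12),
    96: (12, 13, 14, 15),
}


def _positions(network):
    """Return the IPv4 byte positions for this prefix length, or raise ValueError."""
    try:
        return V4_BYTE_POSITIONS[network.prefixlen]
    except KeyError:
        raise ValueError(
            f"prefix length must be one of {sorted(V4_BYTE_POSITIONS)}") from None


def embed_ipv4(prefix, ipv4):
    """Build the IPv6 address that represents `ipv4` under the NAT64 `prefix`."""
    network = ipaddress.IPv6Network(prefix)  # rejects prefixes with host bits set
    raw = bytearray(network.network_address.packed)
    for pos, octet in zip(_positions(network), ipaddress.IPv4Address(ipv4).packed):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))


def extract_ipv4(prefix, ipv6):
    """Recover the embedded IPv4 address, or None if `ipv6` does not fit `prefix`."""
    network = ipaddress.IPv6Network(prefix)
    address = ipaddress.IPv6Address(ipv6)
    positions = _positions(network)
    if address not in network:
        return None
    raw = address.packed
    if raw[8] != 0:
        return None  # reserved octet is set: not a well-formed RFC 6052 address
    return ipaddress.IPv4Address(bytes(raw[pos] for pos in positions))


if __name__ == "__main__":
    # Prefix and IPv4 address reused from the examples on this page.
    mapped = embed_ipv4("2000::/32", "2.2.2.123")
    print(mapped, "->", extract_ipv4("2000::/32", mapped))
```
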

aft turn-off tos

Use aft turn-off tos to set the ToS field to 0 for IPv4 packets translated from IPv6 packets.

Use undo aft turn-off tos to restore the default.

Syntax

aft turn-off tos

undo aft turn-off tos

Default

The ToS field value of translated IPv4 packets is the same as the Traffic Class field value of original IPv6 packets.

Views

System view

Predefined user roles

network-admin

Examples

# Set the ToS field to 0 for IPv4 packets translated from IPv6 packets.

<Sysname> system-view

[Sysname] aft turn-off tos

aft turn-off traffic-class

Use aft turn-off traffic-class to set the Traffic Class field to 0 for IPv6 packets translated from IPv4 packets.

Use undo aft turn-off traffic-class to restore the default.

Syntax

aft turn-off traffic-class

undo aft turn-off traffic-class

Default

The Traffic Class field value of translated IPv6 packets is the same as the ToS field value of original IPv4 packets.

Views

System view

Predefined user roles

network-admin

Examples

# Set the Traffic Class field to 0 for IPv6 packets translated from IPv4 packets.

<Sysname> system-view

[Sysname] aft turn-off traffic-class

aft v4tov6 destination

Use aft v4tov6 destination to configure an IPv4-to-IPv6 destination address dynamic translation policy.

Use undo aft v4tov6 destination to delete an IPv4-to-IPv6 destination address dynamic translation policy.

Syntax

aft v4tov6 destination acl { name ipv4-acl-name prefix-ivi prefix-ivi [ vpn-instance ipv6-vpn-instance-name ] | number ipv4-acl-number { prefix-general prefix-general prefix-length | prefix-ivi prefix-ivi [ vpn-instance ipv6-vpn-instance-name ] } }

undo aft v4tov6 destination acl { name ipv4-acl-name | number ipv4-acl-number }

Default

No IPv4-to-IPv6 destination address dynamic translation policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

acl: Identifies IPv4 packets for address translation. AFT translates destination addresses for IPv4 packets permitted by the ACL.

name ipv4-acl-name: Specifies an IPv4 ACL by its name. The ipv4-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. To avoid confusion, it cannot be all.

number ipv4-acl-number: Specifies an IPv4 ACL by its number in the range of 2000 to 3999.

prefix-general prefix-general prefix-length: Specifies a general prefix and its prefix length. The value for the prefix-length argument can be 32, 40, 48, 56, 64, or 96. AFT uses the general prefix to translate destination addresses for packets permitted by the ACL.

prefix-ivi prefix-ivi: Specifies an IVI prefix. AFT uses the IVI prefix to translate destination addresses for packets permitted by the ACL.

vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which translated IPv6 addresses belong. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To specify IPv6 addresses on the public network, do not specify this option.

Usage guidelines

You must specify different ACLs for different IPv4-to-IPv6 destination address dynamic translation policies.

You can use a nonexistent IVI prefix or general prefix in a policy, but the policy takes effect only after you configure the prefix.

Examples

# Configure the device to use IVI prefix 3000:db8e:: to translate destination addresses for IPv4 packets permitted by ACL 2000.

<Sysname> system-view

[Sysname] aft prefix-ivi 3000:db8e::

[Sysname] aft v4tov6 destination acl number 2000 prefix-ivi 3000:db8e::

# Configure the device to use general prefix 2000:db8e::/32 to translate destination addresses for IPv4 packets permitted by ACL 2000.

<Sysname> system-view

[Sysname] aft v4tov6 destination acl number 2000 prefix-general 2000:db8e:: 32

Related commands

aft prefix-general

aft prefix-ivi

display aft configuration

aft v4tov6 source

Use aft v4tov6 source to configure an IPv4-to-IPv6 source address translation policy.

Use undo aft v4tov6 source to delete an IPv4-to-IPv6 source address translation policy.

Syntax

Static mapping:

aft v4tov6 source ipv4-address [ vpn-instance ipv4-vpn-instance-name ] ipv6-address [ vpn-instance ipv6-vpn-instance-name ]

undo aft v4tov6 source ipv4-address [ vpn-instance ipv4-vpn-instance-name ]

Dynamic translation policy:

aft v4tov6 source acl { name ipv4-acl-name prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] | number ipv4-acl-number { prefix-general prefix-general prefix-length | prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] } }

undo aft v4tov6 source acl { name ipv4-acl-name | number ipv4-acl-number }

Default

No IPv4-to-IPv6 source address translation policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address.

vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance to which the IPv4 address belongs. The ipv4-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To specify the IPv4 address on the public network, do not specify this option.

ipv6-address: Specifies an IPv6 address. The IPv6 address cannot be on the same subnet as any interface on the device.

vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which the IPv6 address belongs. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To specify the IPv6 address on the public network, do not specify this option.

acl: Identifies IPv4 packets for address translation. AFT translates source addresses for packets permitted by the ACL.

name ipv4-acl-name: Specifies an IPv4 ACL by its name. The ipv4-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. To avoid confusion, it cannot be all.

number ipv4-acl-number: Specifies an IPv4 ACL by its number in the range of 2000 to 3999.

prefix-general prefix-general prefix-length: Specifies a general prefix and its prefix length. The value for the prefix-length argument can be 32, 40, 48, 56, 64, or 96. AFT uses the general prefix to translate source IPv4 addresses for packets permitted by the ACL.

prefix-nat64 prefix-nat64 prefix-length: Specifies a NAT64 prefix and its prefix length. The value for the prefix-length argument can be 32, 40, 48, 56, 64, or 96. AFT uses the NAT64 prefix to translate source IPv4 addresses for packets permitted by the ACL.

Usage guidelines

For static mappings, different IPv4 addresses cannot be mapped to the same IPv6 address.

For different dynamic translation policies, you must specify different ACLs.

You can use a nonexistent NAT64 prefix or general prefix in a policy, but the policy takes effect only after you configure the prefix.

Examples

# Map IPv4 source address 2.2.2.123 to IPv6 source address 3001::5.

<Sysname> system-view

[Sysname] aft v4tov6 source 2.2.2.123 3001::5

# Configure the device to use NAT64 prefix 2000::/32 to translate source addresses for IPv4 packets permitted by ACL 2000.

<Sysname> system-view

[Sysname] aft prefix-nat64 2000:: 32

[Sysname] aft v4tov6 source acl number 2000 prefix-nat64 2000:: 32

# Configure the device to use general prefix 3000::/32 to translate source addresses for IPv4 packets permitted by ACL 2000.

<Sysname> system-view

[Sysname] aft v4tov6 source acl number 2000 prefix-general 3000:: 32

Related commands

aft prefix-nat64

display aft configuration

aft v6server

Use aft v6server to configure an AFT mapping for an IPv6 internal server.

Use undo aft v6server to delete an AFT mapping for an IPv6 internal server.

Syntax

aft v6server protocol protocol-type ipv4-destination-address ipv4-port-number [ vpn-instance ipv4-vpn-instance-name ] ipv6-destination-address ipv6-port-number [ vpn-instance ipv6-vpn-instance-name ]

undo aft v6server protocol protocol-type ipv4-destination-address ipv4-port-number [ vpn-instance ipv4-vpn-instance-name ]

Default

The IPv6 internal server does not have an AFT mapping.

Views

System view

Predefined user roles

network-admin

Parameters

protocol protocol-type: Specifies a transport layer protocol by its type. The protocol-type argument can be tcp or udp.

ipv4-destination-address: Specifies an IPv4 address.

ipv4-port-number: Specifies an IPv4 port number in the range of 1 to 65535.

vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance to which the IPv4 address belongs. The ipv4-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To specify the IPv4 address on the public network, do not specify this option.

ipv6-destination-address: Specifies an IPv6 address.

ipv6-port-number: Specifies an IPv6 port number in the range of 1 to 65535.

vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which the IPv6 address belongs. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To specify the IPv6 address on the public network, do not specify this option.

Usage guidelines

The AFT mappings for different IPv6 internal servers cannot be the same.

Examples

# Map IPv6 address 3001::5 and port number 1720 of an IPv6 internal server to IPv4 address 2.2.2.123 and port number 1720 for TCP packets.

<Sysname> system-view

[Sysname] aft v6server protocol tcp 2.2.2.123 1720 3001::5 1720

Related commands

display aft configuration

aft v6tov4 source

Use aft v6tov4 source to configure an IPv6-to-IPv4 source address translation policy.

Use undo aft v6tov4 source to delete an IPv6-to-IPv4 source address translation policy.

Syntax

Static mapping:

aft v6tov4 source ipv6-address [ vpn-instance ipv6-vpn-instance-name ] ipv4-address [ vpn-instance ipv4-vpn-instance-name ]

undo aft v6tov4 source ipv6-address [ vpn-instance ipv6-vpn-instance-name ]

Dynamic translation policy:

aft v6tov4 source { acl ipv6 { name ipv6-acl-name | number ipv6-acl-number } | prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] } { address-group group-id [ no-pat | port-block-size blocksize ] | interface interface-type interface-number } [ vpn-instance ipv4-vpn-instance-name ]

undo aft v6tov4 source { acl ipv6 { name ipv6-acl-name | number ipv6-acl-number } | prefix-nat64 prefix-nat64 prefix-length [ vpn-instance ipv6-vpn-instance-name ] }

Default

No IPv6-to-IPv4 source address translation policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies an IPv6 address.

vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance to which the IPv6 address belongs. The ipv6-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To specify the IPv6 address on the public network, do not specify this option.

ipv4-address: Specifies an IPv4 address.

vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance to which the IPv4 address belongs. The ipv4-vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To specify the IPv4 address on the public network, do not specify this option.

acl ipv6: Identifies IPv6 packets for address translation. AFT translates source addresses for IPv6 packets permitted by the ACL.

name ipv6-acl-name: Specifies an IPv6 ACL by its name. The ipv6-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. To avoid confusion, it cannot be all.

number ipv6-acl-number: Specifies an IPv6 ACL by its number in the range of 2000 to 3999.

prefix-nat64 prefix-nat64 prefix-length: Specifies a NAT64 prefix and its prefix length. The prefix-length argument represents a prefix length, which can be 32, 40, 48, 56, 64, or 96. AFT translates source IPv6 addresses for packets whose destination IPv6 addresses match the NAT64 prefix.

address-group group-id: Specifies an AFT address group by its ID in the range of 0 to 65535.

no-pat: Specifies the NO-PAT mode. If you do not specify the keyword, AFT uses the PAT mode.

port-block-size blocksize: Specifies the port block size in the range of 100 to 64512. If you specify this option, this command divides the port range (1024 to 65535) by the port block size. For example, if you set the port block size to 1000, the port range is divided into port blocks 1024 to 2023, 2024 to 3023, and so on. If you do not specify the option, the port range will not be divided.

interface interface-type interface-number: Specifies an interface by its type and number. AFT translates source IPv6 addresses to the primary IPv4 address of the specified interface.

Usage guidelines

For static mappings, different IPv6 addresses cannot be mapped to the same IPv4 address.

For different dynamic translation policies, you must specify different ACLs, NAT64 prefixes, and AFT address groups.

You can use a nonexistent NAT64 prefix in a policy, but the policy takes effect only after you configure the prefix.

Examples

# Map source IPv6 address 3001::5 to source IPv4 address 2.2.2.123.

<Sysname> system-view

[Sysname] aft v6tov4 source 3001::5 2.2.2.123

# Configure the device to use AFT address group 0 to translate source addresses for IPv6 packets permitted by ACL 2000.

<Sysname> system-view

[Sysname] aft v6tov4 source acl ipv6 number 2000 address-group 0 port-block-size 100

Related commands

display aft configuration

display aft port-block

display aft address-group

Use display aft address-group to display AFT address group information.

Syntax

display aft address-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies an AFT address group ID in the range of 0 to 65535. If you do not specify this argument, the command displays information about all AFT address groups.

Examples

# Display information about all AFT address groups.

<Sysname> display aft address-group

  There are 3 AFT address groups.

  Group number            Start address         End address

  1                       202.110.10.10         202.110.10.15

  2                       202.110.10.20         202.110.10.25

                          202.110.10.30         202.110.10.35

  6                       ---                   ---

# Display information about AFT address group 1.

<Sysname> display aft address-group 1

  Group number             Start address         End address

  1                        202.110.10.10         202.110.10.15

Table 130 Command output

| Field | Description |
| --- | --- |
| There are n AFT address groups | Total number of existing AFT address groups. |
| Group number | Address group ID. |
| Start address | Start IP address of an address range. If you do not specify the start address, this field displays three hyphens (---). |
| End address | End IP address of an address range. If you do not specify the end address, this field displays three hyphens (---). |

 

display aft address-mapping

Use display aft address-mapping to display AFT mappings.

Syntax

Centralized devices in standalone mode:

display aft address-mapping

Distributed devices in standalone mode/centralized devices in IRF mode:

display aft address-mapping [ slot slot-number ]

Distributed devices in IRF mode:

display aft address-mapping [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT mappings for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays AFT mappings for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays AFT mappings for all cards. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Display AFT mappings.

<Sysname> display aft address-mapping

IPv6: Source IP/port: 2000:0:FF01:101:100::8/1024

      Destination IP/port: 5000::1717:1714/1025

      VPN instance/VLAN ID/Inline ID: -/-/-

      Protocol: TCP(6)

IPv4: Source IP/port: 1.1.1.1/1031

      Destination IP/port: 23.23.23.20/1025

      VPN instance/VLAN ID/Inline ID: -/-/-

      Protocol: TCP(6)

 

Total address mappings found: 1

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display AFT mappings.

<Sysname> display aft address-mapping

Slot 0:

IPv6: Source IP/port: 2000:0:FF01:101:100::8/1024

      Destination IP/port: 5000::1717:1714/1025

      VPN instance/VLAN ID/Inline ID: -/-/-

      Protocol: TCP(6)

IPv4: Source IP/port: 1.1.1.1/1031

      Destination IP/port: 23.23.23.20/1025

      VPN instance/VLAN ID/Inline ID: -/-/-

      Protocol: TCP(6)

 

Total address mappings found: 1

# (Distributed devices in IRF mode.) Display AFT mappings.

<Sysname> display aft address-mapping

Slot 0 in chassis 1:

IPv6: Source IP/port: 2000:0:FF01:101:100::8/1024

      Destination IP/port: 5000::1717:1714/1025

      VPN instance/VLAN ID/Inline ID: -/-/-

      Protocol: TCP(6)

IPv4: Source IP/port: 1.1.1.1/1031

      Destination IP/port: 23.23.23.20/1025

      VPN instance/VLAN ID/Inline ID: -/-/-

      Protocol: TCP(6)

 

Total address mappings found: 1

Table 131 Command output

| Field | Description |
| --- | --- |
| Slot 0 | Slot number of the card. (Distributed devices in standalone mode.) |
| Slot 0 | Member ID of the device in the IRF fabric. (Centralized devices in IRF mode.) |
| Slot 0 in chassis 1 | Slot number of the card and the member ID of the device in the IRF fabric. (Distributed devices in IRF mode.) |
| IPv4 | IPv4 address information. |
| IPv6 | IPv6 address information. |
| Source IP/port | Source IP address and port number. |
| Destination IP/port | Destination IP address and port number. |
| VPN instance/VLAN ID/Inline ID | VPN instance: MPLS L3VPN instance to which the session belongs. VLAN ID: VLAN to which the session belongs for Layer 2 forwarding. Inline ID: INLINE to which the session belongs for Layer 2 forwarding. If no VPN instance, VLAN ID, or inline ID is specified, a hyphen (-) is displayed for the related field. |
| Protocol | Transport layer protocol type: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite. |

 

display aft configuration

Use display aft configuration to display AFT configuration.

Syntax

display aft configuration

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display AFT configuration.

<Sysname> display aft configuration

aft address-group 1

  address 202.110.10.10 202.110.10.15

  address 101.1.1.100 101.1.1.200

 

aft prefix-ivi 2013::

aft prefix-ivi 1111::

 

aft v6tov4 source 1::1 1.1.1.1

aft v6tov4 source 1::2 1.1.1.2

 

interface GigabitEthernet2/0/1

  aft enable

display aft no-pat

Use display aft no-pat to display AFT NO-PAT entries.

Syntax

Centralized devices in standalone mode:

display aft no-pat

Distributed devices in standalone mode/centralized devices in IRF mode:

display aft no-pat [ slot slot-number ]

Distributed devices in IRF mode:

display aft no-pat [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT NO-PAT entries for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays AFT NO-PAT entries for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays AFT NO-PAT entries for all cards. (Distributed devices in IRF mode.)

Usage guidelines

An AFT NO-PAT entry records a mapping between an IPv4 address and an IPv6 address without ports.

Examples

# (Centralized devices in standalone mode.) Display AFT NO-PAT entries.

<Sysname> display aft no-pat

IPv6 address: 3006::0002

IPv4 address: 200.100.1.100

IPv4 VPN instance: vpn2

IPv6 VPN instance: vpn1

 

IPv6 address: 4016::1102

IPv4 address: 202.120.12.110

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

Total entries found: 2

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display AFT NO-PAT entries.

<Sysname> display aft no-pat

Slot 0:

IPv6 address: 3006::0002

IPv4 address: 200.100.1.100

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

IPv6 address: 4016::1102

IPv4 address: 202.120.12.110

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

Total entries found: 2

# (Distributed devices in IRF mode.) Display AFT NO-PAT entries.

<Sysname> display aft no-pat

Slot 0 in chassis 1:

IPv6 address: 3006::0002

IPv4 address: 200.100.1.100

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

IPv6 address: 4016::1102

IPv4 address: 202.120.12.110

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

Total entries found: 2

Table 132 Command output

| Field | Description |
| --- | --- |
| Slot 0 | Slot number of the card. (Distributed devices in standalone mode.) |
| Slot 0 | Member ID of the device in the IRF fabric. (Centralized devices in IRF mode.) |
| Slot 0 in chassis 1 | Slot number of the card and the member ID of the device in the IRF fabric. (Distributed devices in IRF mode.) |
| IPv6 address | Original IPv6 address. |
| IPv4 address | Translated IPv4 address. |
| IPv4 VPN | VPN instance to which the translated IPv4 address belongs. If the IPv4 address does not belong to a VPN instance, this field is not displayed. |
| IPv6 VPN | VPN instance to which the original IPv6 address belongs. If the IPv6 address does not belong to a VPN instance, this field is not displayed. |
| Total entries found | Total number of AFT NO-PAT entries. |

 

display aft port-block

Use display aft port-block to display AFT port block mappings.

Syntax

Centralized devices in standalone mode:

display aft port-block

Distributed devices in standalone mode/centralized devices in IRF mode:

display aft port-block [ slot slot-number ]

Distributed devices in IRF mode:

display aft port-block [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT port block mappings for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays AFT port block mappings for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays AFT port block mappings for all cards. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Display AFT port block mappings.

<Sysname> display aft port-block

IPv6 address: 3006::0002

IPv4 address: 200.100.1.100

Port block  : [1024 – 1123]

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

IPv6 address: 4016::1102

IPv4 address: 202.120.12.110

Port block  : [1024 – 1200]

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

Total entries found: 2

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display AFT port block mappings.

<Sysname> display aft port-block

Slot 0:

IPv6 address: 3006::0002

IPv4 address: 200.100.1.100

Port block  : [1024 – 1123]

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

IPv6 address: 4016::1102

IPv4 address: 202.120.12.110

Port block  : [1024 – 1200]

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

Total entries found: 2

# (Distributed devices in IRF mode.) Display AFT port block mappings.

<Sysname> display aft port-block

Slot 0 in chassis 1:

IPv6 address: 3006::0002

IPv4 address: 200.100.1.100

Port block  : [1024 – 1123]

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

IPv6 address: 4016::1102

IPv4 address: 202.120.12.110

Port block  : [1024 – 1200]

IPv4 VPN    : vpn2

IPv6 VPN    : vpn1

 

Total entries found: 2

Table 133 Command output

| Field | Description |
| --- | --- |
| Slot 0 | Slot number of the card. (Distributed devices in standalone mode.) |
| Slot 0 | Member ID of the device in the IRF fabric. (Centralized devices in IRF mode.) |
| Slot 0 in chassis 1 | Slot number of the card and the member ID of the device in the IRF fabric. (Distributed devices in IRF mode.) |
| IPv6 address | Original IPv6 address. |
| IPv4 address | Translated IPv4 address. |
| Port block | Port range for the translated IPv4 address. |
| IPv4 VPN | VPN instance to which the translated IPv4 address belongs. If the IPv4 address does not belong to a VPN instance, this field is not displayed. |
| IPv6 VPN | VPN instance to which the original IPv6 address belongs. If the IPv6 address does not belong to a VPN instance, this field is not displayed. |
| Total entries found | Total number of AFT port block mapping entries. |
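The port-block division described for port-block-size and the display aft port-block output above together let you attribute an observed translated IPv4 address and port back to the original IPv6 host. The following Python is an added example, not H3C code: the function names are hypothetical, and leaving the ports after the last whole block unassigned is an assumption the page does not confirm.

```python
import ipaddress
import re

PORT_MIN, PORT_MAX = 1024, 65535  # range the reference says is divided into blocks

# Sample taken from the "display aft port-block" example output on this page.
SAMPLE_OUTPUT = """\
Slot 0:
IPv6 address: 3006::0002
IPv4 address: 200.100.1.100
Port block  : [1024 \u2013 1123]
IPv4 VPN    : vpn2
IPv6 VPN    : vpn1

IPv6 address: 4016::1102
IPv4 address: 202.120.12.110
Port block  : [1024 \u2013 1200]
IPv4 VPN    : vpn2
IPv6 VPN    : vpn1

Total entries found: 2
"""

FIELD = re.compile(r"^(IPv6 address|IPv4 address|Port block|IPv4 VPN|IPv6 VPN)\s*:\s*(.+)$")
RANGE = re.compile(r"\[\s*(\d+)\s*[-\u2013]\s*(\d+)\s*\]")  # hyphen or en dash


def port_blocks(block_size):
    """Divide ports 1024-65535 into consecutive blocks of block_size ports.

    Assumption: ports left over after the last whole block belong to no block.
    """
    if not 100 <= block_size <= 64512:
        raise ValueError("port block size must be in the range 100 to 64512")
    blocks, start = [], PORT_MIN
    while start + block_size - 1 <= PORT_MAX:
        blocks.append((start, start + block_size - 1))
        start += block_size
    return blocks


def parse_port_blocks(text):
    """Parse display aft port-block output into a list of mapping dicts."""
    entries, slot, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Slot ") and line.endswith(":"):
            slot = line[:-1]          # "Slot 0" or "Slot 0 in chassis 1"
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "IPv6 address":     # first field of every entry
            cur = {"slot": slot, "ipv6": ipaddress.IPv6Address(value),
                   "ipv4": None, "ports": None, "ipv4_vpn": None, "ipv6_vpn": None}
            entries.append(cur)
        elif cur is None:
            continue
        elif key == "IPv4 address":
            cur["ipv4"] = ipaddress.IPv4Address(value)
        elif key == "Port block":
            r = RANGE.search(value)
            if r:
                cur["ports"] = (int(r.group(1)), int(r.group(2)))
        elif key == "IPv4 VPN":       # not displayed for the public network
            cur["ipv4_vpn"] = value
        else:
            cur["ipv6_vpn"] = value
    # Keep only complete entries.
    return [e for e in entries if e["ipv4"] is not None and e["ports"] is not None]


def attribute(entries, ipv4, port, ipv4_vpn=None):
    """Return mappings whose translated address and port block cover (ipv4, port).

    ipv4_vpn, when given, restricts matches to that IPv4 VPN instance.
    """
    addr = ipaddress.IPv4Address(ipv4)
    hits = []
    for e in entries:
        low, high = e["ports"]
        if e["ipv4"] == addr and low <= port <= high:
            if ipv4_vpn is None or e["ipv4_vpn"] == ipv4_vpn:
                hits.append(e)
    return hits


if __name__ == "__main__":
    table = parse_port_blocks(SAMPLE_OUTPUT)
    for hit in attribute(table, "200.100.1.100", 1100):
        print(hit["ipv6"], hit["ports"], hit["slot"])
```

Because reset aft session also clears port block mappings, attribution needs a copy of the mapping table captured at the time of the event.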

 

display aft session

Use display aft session to display AFT sessions.

Syntax

Centralized devices in standalone mode:

display aft session ipv4 [ { source-ip source-ip-address | destination-ip destination-ip-address } * [ vpn-instance ipv4-vpn-instance-name ] ] [ verbose ]

display aft session ipv6 [ { source-ip source-ipv6-address | destination-ip destination-ipv6-address } * [ vpn-instance ipv6-vpn-instance-name ] ] [ verbose ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display aft session ipv4 [ { source-ip source-ip-address | destination-ip destination-ip-address } * [ vpn-instance ipv4-vpn-instance-name ] ] [ slot slot-number ] [ verbose ]

display aft session ipv6 [ { source-ip source-ipv6-address | destination-ip destination-ipv6-address } * [ vpn-instance ipv6-vpn-instance-name ] ] [ slot slot-number ] [ verbose ]

Distributed devices in IRF mode:

display aft session ipv4 [ { source-ip source-ip-address | destination-ip destination-ip-address } * [ vpn-instance ipv4-vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ verbose ]

display aft session ipv6 [ { source-ip source-ipv6-address | destination-ip destination-ipv6-address } * [ vpn-instance ipv6-vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4: Displays IPv4 AFT sessions.

source-ip source-ip-address: Specifies the source IPv4 address of the packets that initiate AFT sessions.

destination-ip destination-ip-address: Specifies the destination IPv4 address of the packets that initiate AFT sessions.

vpn-instance ipv4-vpn-instance-name: Specifies an IPv4 MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To display AFT sessions for the public network, do not specify this option.

ipv6: Displays IPv6 AFT sessions.

source-ip source-ipv6-address: Specifies the source IPv6 address of the packets that initiate AFT sessions.

destination-ip destination-ipv6-address: Specifies the destination IPv6 address of the packets that initiate AFT sessions.

vpn-instance ipv6-vpn-instance-name: Specifies an IPv6 MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To display AFT sessions for the public network, do not specify this option.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT sessions for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays AFT sessions for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays AFT sessions for all cards. (Distributed devices in IRF mode.)

verbose: Displays detailed information about AFT sessions. If you do not specify this keyword, this command displays brief information about AFT sessions.

Usage guidelines

If you do not specify any parameters, this command displays all AFT sessions.

Examples

# (Centralized devices in standalone mode.) Display detailed information about AFT sessions.

<Sysname> display aft session ipv4 verbose

Initiator:

  Source IP/port: 192.168.1.18/1877

  Destination IP/port: 102.128.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet2/0/1

Responder:

  Source IP/port: 102.128.1.55/22

  Destination IP/port: 192.168.1.18/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet2/0/2

App: SSH   State: TCP_SYN_SENT

Start time: 2011-07-29 19:12:36  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 1

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display detailed information about AFT sessions for the card or member device in slot 0.

<Sysname> display aft session ipv4 slot 0 verbose

Slot 0:

Initiator:

  Source IP/port: 192.168.1.18/1877

  Destination IP/port: 102.128.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet2/0/1

Responder:

  Source IP/port: 102.128.1.55/22

  Destination IP/port: 192.168.1.18/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet2/0/2

App: SSH   State: TCP_SYN_SENT

Start time: 2011-07-29 19:12:36  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 1

# (Distributed devices in IRF mode.) Display detailed information about AFT sessions for the card in slot 0 on IRF member device 1.

<Sysname> display aft session ipv4 chassis 1 slot 0 verbose

Slot 0 in chassis 1:

Initiator:

  Source IP/port: 192.168.1.18/1877

  Destination IP/port: 102.128.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/2/0/1

Responder:

  Source IP/port: 102.128.1.55/22

  Destination IP/port: 192.168.1.18/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/2/0/2

App: SSH   State: TCP_SYN_SENT

Start time: 2011-07-29 19:12:36  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 1

Table 134 Command output

| Field | Description |
| --- | --- |
| Slot 0 | Slot number of the card. (Distributed devices in standalone mode.) |
| Slot 0 | Member ID of the device in the IRF fabric. (Centralized devices in IRF mode.) |
| Slot 0 in chassis 1 | Slot number of the card and the member ID of the device in the IRF fabric. (Distributed devices in IRF mode.) |
| Initiator | Session information about the initiator. |
| Source IP/port | Source IP address and port number. |
| Destination IP/port | Destination IP address and port number. |
| VPN instance/VLAN ID/Inline ID | The fields identify the following information: VPN instance: MPLS L3VPN instance to which the session belongs. VLAN ID: VLAN to which the session belongs for Layer 2 forwarding. Inline ID: INLINE to which the session belongs for Layer 2 forwarding. If no VPN instance, VLAN ID, or inline ID is specified, a hyphen (-) is displayed for the related field. |
| Protocol | Transport layer protocol type: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite. |
| Inbound interface | Input interface. |
| Responder | Session information about the responder. |
| App | Application layer protocol, such as FTP and DNS. This field displays unknown for the protocol types that are identified by non-well-known ports and not user-defined. |
| State | AFT session state. |
| Start time | Time when the session starts. |
| TTL | Remaining lifetime of the session, in seconds. |
| Initiator->Responder | Number of packets and bytes from the initiator to the responder. |
| Responder->Initiator | Number of packets and bytes from the responder to the initiator. |
| Total sessions found | Total number of AFT sessions. |

 

Related commands

reset aft session
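The verbose session output above can be parsed into records and checked for initiators whose sessions never received a reply packet, which is a useful signal when reviewing a session table snapshot. The following Python is an added example, not H3C code: the function names and threshold are hypothetical, and the sample sessions are constructed in the page's output format (the TCP_ESTABLISHED state value is part of the constructed sample).

```python
import re
from collections import Counter

# One session record in the layout shown by "display aft session ipv4 verbose".
TEMPLATE = """\
Initiator:
  Source IP/port: {src}
  Destination IP/port: {dst}
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet2/0/1
Responder:
  Source IP/port: {dst}
  Destination IP/port: {src}
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet2/0/2
App: SSH   State: {state}
Start time: 2011-07-29 19:12:36  TTL: 28s
Initiator->Responder:         {sent} packets         48 bytes
Responder->Initiator:         {reply} packets          0 bytes

"""

# Constructed sample: three unanswered sessions from one host, one answered session.
SAMPLE = "".join([
    TEMPLATE.format(src="192.168.1.18/1877", dst="102.128.1.55/22", state="TCP_SYN_SENT", sent=1, reply=0),
    TEMPLATE.format(src="192.168.1.18/1878", dst="102.128.1.56/22", state="TCP_SYN_SENT", sent=1, reply=0),
    TEMPLATE.format(src="192.168.1.18/1879", dst="102.128.1.57/22", state="TCP_SYN_SENT", sent=1, reply=0),
    TEMPLATE.format(src="192.168.1.20/2001", dst="102.128.1.55/22", state="TCP_ESTABLISHED", sent=12, reply=10),
]) + "Total sessions found: 4\n"

ENDPOINT = re.compile(r"^(Source|Destination) IP/port: (\S+)/(\d+)$")
STATE = re.compile(r"^App: (\S+)\s+State: (\S+)$")
COUNTERS = re.compile(r"^(Initiator->Responder|Responder->Initiator):\s+(\d+) packets\s+(\d+) bytes$")


def parse_sessions(text):
    """Split verbose session output into one dict per session."""
    sessions, cur, side = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Initiator:":               # starts a new session record
            cur = {"initiator": {}, "responder": {}}
            sessions.append(cur)
            side = "initiator"
        elif cur is None:
            continue                           # e.g. a "Slot 0:" header line
        elif line == "Responder:":
            side = "responder"
        elif (m := ENDPOINT.match(line)):
            # The last "/" separates address and port, so IPv6 addresses also parse.
            cur[side][m.group(1).lower()] = (m.group(2), int(m.group(3)))
        elif (m := STATE.match(line)):
            cur["app"], cur["state"] = m.group(1), m.group(2)
        elif (m := COUNTERS.match(line)):
            key = "sent_packets" if m.group(1).startswith("Initiator") else "reply_packets"
            cur[key] = int(m.group(2))
    return sessions


def unanswered_sources(sessions, threshold=3):
    """Return {source IP: count} for initiators with at least `threshold`
    sessions in which the responder has sent no packets."""
    counts = Counter(
        s["initiator"]["source"][0]
        for s in sessions
        if s.get("reply_packets") == 0 and "source" in s["initiator"]
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(unanswered_sources(parse_sessions(SAMPLE)))
```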

display aft statistics

Use display aft statistics to display AFT statistics.

Syntax

Centralized devices in standalone mode:

display aft statistics

Distributed devices in standalone mode/centralized devices in IRF mode:

display aft statistics [ slot slot-number ]

Distributed devices in IRF mode:

display aft statistics [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays AFT statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays AFT statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays AFT statistics for all cards. (Distributed devices in IRF mode.)

Usage guidelines

If you do not specify any parameters, this command displays all AFT statistics.

Examples

# Display all AFT statistics.

<Sysname> display aft statistics

Total NO-PAT entries found: 0

Total port-block entries found: 0

Dropped packets: 0

  Configuration sequence changed: 0

  Failed to transfer payload: 0

  Failed to transfer packet header: 0

  Packet examination failed before packet sending: 0

  Failed to translate destination address: 0

  The translated destination address is invalid: 0

  Failed to translate source address: 0

  Failed to transfer FSBUF to MBUF: 0

  Session ext-info is null: 0

  Peer session is null: 0

  Failed to get translation information from session: 0

  Failed to create session: 0

  Failed to fragment the MBUF: 0

  Failed to create fast forwarding table: 0

  Failed to formalize session: 0

  Other reasons: 0

Table 135 Command output

| Field | Description |
| --- | --- |
| Total NO-PAT entries found | Total number of AFT NO-PAT entries. |
| Total port-block entries found | Total number of AFT port block mappings. |
| Dropped packets | Number of packets dropped by AFT. |
| Configuration sequence changed | Number of packets dropped due to configuration sequence changes. |
| Failed to transfer payload | Number of packets dropped due to ALG failures. |
| Failed to transfer packet header | Number of packets dropped due to packet header transformation failures. |
| Packet examination failed before packet sending | Number of packets dropped due to packet examination failures before packet sending. |
| Failed to translate destination address | Number of packets dropped due to destination address translation failures. |
| The translated destination address is invalid | Number of packets dropped due to the invalidity of the translated destination address. |
| Failed to translate source address | Number of packets dropped due to source address translation failures. |
| Failed to transfer FSBUF to MBUF | Number of packets dropped due to FSBUF-to-MBUF transformation failures. |
| Session ext-info is null | Number of packets dropped due to session extended information acquisition failures. |
| Peer session is null | Number of packets dropped due to peer session lookup failures. |
| Failed to get translation information from session | Number of packets dropped due to translation information acquisition failures from sessions. |
| Failed to create session | Number of packets dropped due to session creation failures. |
| Failed to fragment the MBUF | Number of packets dropped due to fragmentation failures. |
| Failed to create fast forwarding table | Number of packets dropped due to fast forwarding table creation failures. |
| Failed to formalize session | Number of packets dropped due to session formalization failures. |
| Other reasons | Number of packets dropped due to other reasons. |

 

Related commands

reset aft statistics

reset aft session

Use reset aft session to clear AFT sessions.

Syntax

Centralized devices in standalone mode:

reset aft session

Distributed devices in standalone mode/centralized devices in IRF mode:

reset aft session [ slot slot-number ]

Distributed devices in IRF mode:

reset aft session [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears AFT sessions for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears AFT sessions for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears AFT sessions for all cards. (Distributed devices in IRF mode.)

Usage guidelines

After you clear AFT sessions, the corresponding AFT NO-PAT entries and port block mappings are also cleared.

Examples

# Clear all AFT sessions.

<Sysname> reset aft session

# (Distributed devices in standalone mode.) Clear AFT sessions for the card in slot 2.

<Sysname> reset aft session slot 2

# (Centralized devices in IRF mode.) Clear AFT sessions for IRF member device 2.

<Sysname> reset aft session slot 2

# (Distributed devices in IRF mode.) Clear AFT sessions for the card in slot 2 on member device 1.

<Sysname> reset aft session chassis 1 slot 2

Related commands

display aft session

reset aft statistics

Use reset aft statistics to clear AFT statistics.

Syntax

Centralized devices in standalone mode:

reset aft statistics

Distributed devices in standalone mode/centralized devices in IRF mode:

reset aft statistics [ slot slot-number ]

Distributed devices in IRF mode:

reset aft statistics [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears AFT statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears AFT statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears AFT statistics for all cards. (Distributed devices in IRF mode.)

Usage guidelines

The AFT statistics include the number of dropped packets, the number of NO-PAT entries, and the number of port block entries. This command only resets the counter for dropped packets.

Examples

# Clear all AFT statistics.

<Sysname> reset aft statistics

# (Distributed devices in standalone mode.) Clear AFT statistics for card 2.

<Sysname> reset aft statistics slot 2

# (Centralized devices in IRF mode.) Clear AFT statistics for IRF member device 2.

<Sysname> reset aft statistics slot 2

# (Distributed devices in IRF mode.) Clear AFT statistics for card 2 on IRF member device 1.

<Sysname> reset aft statistics chassis 1 slot 2

Related commands

display aft statistics


Lighttpd Web service commands

The following matrix shows the feature and hardware compatibility:

| Hardware | Lighttpd Web service compatibility |
|---|---|
| MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | Yes |
| MSR2600-6-X1/2600-10-X1 | No |
| MSR 2630 | No |
| MSR3600-28/3600-51 | No |
| MSR3600-28-SI/3600-51-SI | No |
| MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | No |
| MSR 3610/3620/3620-DP/3640/3660 | No |
| MSR5620/5660/5680 | No |

| Hardware | Lighttpd Web service compatibility |
|---|---|
| MSR810-LM-GL | Yes |
| MSR810-W-LM-GL | Yes |
| MSR830-6EI-GL | Yes |
| MSR830-10EI-GL | Yes |
| MSR830-6HI-GL | Yes |
| MSR830-10HI-GL | Yes |
| MSR2600-6-X1-GL | No |
| MSR3600-28-SI-GL | No |

light-http server directory

Use light-http server directory to specify the lighttpd Web service working directory.

Syntax

light-http server directory directory

undo light-http server directory

Default

No lighttpd Web service working directory is specified.

Views

System view

Predefined user roles

network-admin

Parameters

directory: Specifies the lighttpd Web service working directory.

Usage guidelines

If the lighttpd Web server is already enabled, the specified lighttpd Web service working directory takes effect after you disable the lighttpd Web server and then enable the server again.

To use the lighttpd Web server to provide HTTPS access service, you must save the required certificate to the lighttpd Web service working directory.

Examples

# Set the lighttpd Web service working directory to flash:/lighttpd.

<Sysname> system-view

[Sysname] light-http server directory flash:/lighttpd

Related commands

light-http server enable

light-http server enable

Use light-http server enable to enable the lighttpd Web server.

Use undo light-http server enable to disable the lighttpd Web server.

Syntax

light-http server enable

undo light-http server enable

Default

The lighttpd Web server is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Specify the lighttpd working directory before enabling the lighttpd Web server.

The lighttpd Web server uses port 80 to provide HTTP access service and port 443 to provide HTTPS access service. For the device to support Web login at the same time, configure the HTTP server and HTTPS server used for Web login to use service ports different from those used by the lighttpd Web server.

Examples

# Enable the lighttpd Web server.

<Sysname> system-view

[Sysname] light-http server enable

Related commands

light-http server directory
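
The two usage guidelines above (set the working directory before enabling the server, and keep Web login off ports 80 and 443) can be checked offline against a saved configuration. The following audit is an added example, not part of the H3C reference. It assumes the Web login services are configured with the Comware commands ip http enable, ip https enable, ip http port and ip https port, which this page does not list, and that they default to ports 80 and 443. The sample configurations are constructed.

```python
import re

# Constructed sample configurations (not taken from a real device).
CONFLICTING = """\
sysname Sysname
ip http enable
ip https enable
light-http server enable
"""

CLEAN = """\
sysname Sysname
ip http port 8080
ip http enable
ip https port 8443
ip https enable
light-http server directory flash:/lighttpd
light-http server enable
"""

# Fixed lighttpd service ports stated in the usage guidelines.
LIGHTTPD_PORTS = {"http": 80, "https": 443}


def audit_light_http(config: str) -> list[str]:
    """Return findings for the light-http usage guidelines in a config dump."""
    lines = [ln.strip() for ln in config.splitlines()]
    active = [ln for ln in lines if ln and not ln.startswith(("#", "undo "))]
    if "light-http server enable" not in active:
        return []  # lighttpd is disabled by default; nothing to check

    findings = []
    if not any(re.fullmatch(r"light-http server directory \S+", ln) for ln in active):
        findings.append("light-http enabled without a working directory")

    for proto, lighttpd_port in LIGHTTPD_PORTS.items():
        # 'ip http enable' / 'ip https enable' are assumed Web login commands.
        if f"ip {proto} enable" not in active:
            continue  # Web login service for this protocol is off
        port = lighttpd_port  # assumed Web login default when no port line exists
        for ln in active:
            m = re.fullmatch(rf"ip {proto} port (\d+)", ln)
            if m:
                port = int(m.group(1))
        if port == lighttpd_port:
            findings.append(
                f"Web login {proto.upper()} server shares port {port} with lighttpd"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("CONFLICTING", CONFLICTING), ("CLEAN", CLEAN)):
        print(name, audit_light_http(cfg))
```
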



