H3C S3600 Series Installation instructions

H3C S3600 Series Ethernet Switches
Command Manual
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Manual Version: 20090618-C-1.02
Product Version: Release 1602

Copyright © 2007-2009, Hangzhou H3C Technologies Co., Ltd. and its licensors
All Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL,
SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT,
XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co.,
Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Technical Support
customer_service@h3c.com
http://www.h3c.com

About This Manual
Organization
H3C S3600 Series Ethernet Switches Command Manual-Release 1602 is organized as follows:
Part Contents
1 CLI Introduces the commands used for switching between the
command levels and command level setting.
2 Login Introduces the commands used for logging into the Ethernet
switch.
3 Configuration File Management Introduces the commands used for configuration file
management.
4 VLAN Introduces the commands used for configuring VLAN.
5 IP Address and Performance Introduces the commands used for IP address configuration
and IP performance configuration.
6 Voice VLAN Introduces the commands used for voice VLAN configuration.
7 GVRP Introduces the commands used for GVRP configuration.
8 Port Basic Configuration Introduces the commands used for basic port configuration.
9 Link Aggregation Introduces the commands used for link aggregation.
10 Port Isolation Introduces the commands used for port isolation.
11 Port Security-Port Binding Introduces the commands used for port security configuration
and port binding.
12 DLDP Introduces the commands used for DLDP configuration.
13 MAC Address Table Management Introduces the commands used for MAC address forwarding
table management.
14 Auto Detect Introduces the commands used for auto detect configuration.
15 MSTP Introduces the STP-related commands.
16 Routing Protocol Introduces the commands used for routing protocol
configuration.
17 Multicast Introduces the commands used for multicast configuration.
18 802.1x and System Guard Introduces the commands used for 802.1x and System Guard
configuration.
19 AAA Introduces the commands used for AAA, RADIUS,
HWTACACS, and EAD configuration.
20 Web Authentication Introduces the commands used for Web Authentication
configuration.
21 MAC Address Authentication Introduces the commands used for MAC address
authentication configuration.
22 VRRP Introduces the commands used for VRRP configuration.
23 ARP Introduces the ARP-related commands.
24 DHCP Introduces the commands used for DHCP server, DHCP
relay, and DHCP-snooping configuration.
25 ACL Introduces the ACL-related commands.
26 QoS-QoS Profile Introduces the commands used for QoS and QoS profile
configuration.
27 Web Cache Redirection Introduces the commands used for Web cache redirection
configuration.
28 Mirroring Introduces the commands used for port mirroring.
29 IRF Fabric Introduces the commands used for IRF fabric configuration.
30 Cluster Introduces the commands used for cluster management.
31 PoE-PoE Profile Introduces the commands used for PoE and PoE profile
configuration.
32 UDP Helper Introduces the commands used for UDP Helper configuration.
33 SNMP-RMON Introduces the commands used for SNMP and RMON
configuration.
34 NTP Introduces the NTP-related commands.
35 SSH Introduces the commands used for SSH configuration.
36 File System Management Introduces the commands used for file system management.
37 FTP-SFTP-TFTP Introduces the related commands of FTP, SFTP and TFTP.
38 Information Center Introduces the commands used for information center
configuration.
39 System Maintenance and Debugging Introduces the commands used for system maintenance and
debugging.
40 VLAN-VPN Introduces the commands used for VLAN VPN configuration.
41 HWPing Introduces the commands used for HWPing configuration.
42 IPv6 Management Introduces the commands used for IPv6 Management
configuration.
43 DNS Introduces the commands used for DNS configuration.
44 Smart Link-Monitor Link Introduces the commands used for Smart Link and Monitor
Link configuration.
45 Access Management Introduces the commands used for Access Management
configuration.
46 Appendix Lists all the commands described in this command manual in
an alphabetic order. The parts and pages where the
commands are described are also given.
Conventions
The manual uses the following conventions:
Command conventions
Convention Description
Boldface The keywords of a command line are in Boldface.
italic Command arguments are in italic.
[ ] Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }
Alternative items are grouped in braces and separated by vertical bars.
One is selected.
[ x | y | ... ]
Optional alternative items are grouped in square brackets and
separated by vertical bars. One or none is selected.
{ x | y | ... } *
Alternative items are grouped in braces and separated by vertical bars.
A minimum of one or a maximum of all can be selected.
[ x | y | ... ] *
Optional alternative items are grouped in square brackets and
separated by vertical bars. Many or none can be selected.
&<1-n> The argument(s) before the ampersand (&) sign can be entered 1 to n
times.
# A line starting with the # sign is a comment.
Symbols
Convention Description
Means reader be extremely careful. Improper operation may cause
bodily injury.
Means reader be careful. Improper operation may cause data loss or
damage to equipment.
Means a complementary description.
Related Documentation
In addition to this manual, each H3C S3600 Series Ethernet Switches documentation set includes the
following:
Manual Description
H3C S3600 Series Ethernet Switches Operation Manual-Release 1602 It is used for assisting the users in data
configurations and typical applications.
H3C S3600 Series Ethernet Switches Installation Manual It provides information for the system installation.
Obtaining Documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at this URL:
http://www.h3c.com.
The following are the columns from which you can obtain different categories of product documentation:
[Products & Solutions]: Provides information about products and technologies, as well as solutions.
[Technical Support & Document > Technical Documents]: Provides several categories of product
documentation, such as installation, configuration, and maintenance.
[Technical Support & Document > Software Download]: Provides the documentation released with the
software version.

Documentation Feedback
We appreciate your comments.

Table of Contents
1 CLI Configuration Commands
  CLI Configuration Commands
    command-privilege level
    display history-command
    super
    super authentication-mode
    super password

1 CLI Configuration Commands
The super authentication-mode command is added. For details, see super authentication-mode.
CLI Configuration Commands
command-privilege level
Syntax
command-privilege level level view view command
undo command-privilege view view command
View
System view
Parameters
level level: Command level to be set, in the range of 0 to 3.
view view: CLI view. It can be any CLI view that the Ethernet switch supports. The S3600 series support
only the CLI views listed in Table 1-1:
Table 1-1 Available CLI views for the view argument
CLI view Description
acl-adv Advanced ACL view
acl-basic Basic ACL view
acl-ethernetframe Layer 2 ACL view
acl-user User-defined ACL view
aux Aux 1/0/0 port view, that is, console port view
cluster Cluster view
detect-group Detected group view
dhcp-pool DHCP address pool view, which is supported by only the
S3600-EI series
ethernet 100M Ethernet port view
ftp-client FTP client view
gigabitethernet GigabitEthernet port view
hwping HWPing test group view
hwtacacs HWTACACS view
isp ISP domain view
loopback Loopback interface view
luser Local user view
manage-vlan Management VLAN view
msdp MSDP view, which is supported by only the S3600-EI
series
mst-region MST region view
mtlk-group Monitor link group view
null NULL interface view
ospf OSPF view, which is supported by only the S3600-EI
series
ospf-area OSPF area view, which is supported by only the S3600-EI
series
peer-key-code Public key editing view
peer-public-key Public key view
pim PIM view, which is supported by only the S3600-EI series
poe-profile PoE profile view
qinq QinQ view
qos-profile QoS profile view
radius-template RADIUS scheme view
rip RIP view
route-policy Routing policy view
shell User view
smlk-group Smart link group view
system System view
user-interface User interface view
vlan VLAN view
vlan-interface VLAN interface view
command: Command for which the level is to be set.
Description
Use the command-privilege level command to set the level of a specified command in a specified
view.
Use the undo command-privilege view command to restore the default.
Commands fall into four levels: visit (level 0), monitor (level 1), system (level 2), and manage (level 3).
The administrator can change the level of a command as required. For example, the administrator can
change a command from a higher level to a lower level so that the lower level users can use the
command.
The default levels of commands are described in the following table:
Table 1-2 Default levels of commands
Level Name Command
0 Visit level Commands used to diagnose network, such as ping, tracert, and
telnet commands.
1 Monitor level
Commands used to maintain the system and diagnose service fault,
such as debugging, terminal and reset commands.
2 System level All configuration commands except for those at the manage level.
3 Manage level
Commands associated with the basic operation modules and
support modules of the system, such as file system,
FTP/TFTP/XMODEM downloading, user management, and level
setting commands.
Examples
# Set the level of the system-view command in user view (shell) to 0.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] command-privilege level 0 view shell system-view
display history-command
Syntax
display history-command
View
Any view
Parameters
None
Description
Use the display history-command command to display the history commands of the current user, so
that the user can check the configurations performed formerly.
History commands are those commands that were successfully executed recently and saved in the
history command buffer. You can set the size of the buffer by the history-command max-size
command. When the history command buffer is full, the earlier commands will be overwritten by the
new ones.
By default, the CLI can save 10 history commands for each user.
Related commands: history-command max-size in login module.
Examples
# Display the history commands of the current user.

<Sysname> display history-command
system-view
quit
display history-command
super
Syntax
super [ level ]
View
User view
Parameters
level: User level, in the range of 0 to 3.
Description
Use the super command to switch from the current user level to a specified level.
Executing this command without the level argument will switch the current user level to level 3 by
default.
Note that:
- Users logged into the switch fall into four user levels, which correspond to the four command levels
  respectively. Users at a specific level can only use the commands at the same level or lower levels.
- You can switch between user levels after logging into a switch successfully. The high-to-low user
  level switching is unlimited. However, the low-to-high user level switching requires the
  corresponding authentication. The authentication mode can be set through the super
  authentication-mode command.
- For security purpose, the password entered is not displayed when you switch to another user level.
  You will remain at the original user level if you have tried three times but failed to enter the correct
  authentication information.
Related commands: super authentication-mode, super password.
Examples
# Switch from the current user level to user level 3, using super password authentication.
<Sysname> super 3
Password:
User privilege level is 3, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
# Switch from the current user level to level 3, using HWTACACS authentication.
<Sysname> super 3
Username: user@system
Password:
User privilege level is 3, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

super authentication-mode
Syntax
super authentication-mode { super-password | scheme }*
undo super authentication-mode
View
User interface view
Parameters
super-password: Adopts super password authentication for low-to-high user level switching.
scheme: Adopts Huawei terminal access controller access control system (HWTACACS)
authentication for low-to-high user level switching.
Description
Use the super authentication-mode command to specify the authentication mode used for low-to-high
user level switching.
Use the undo super authentication-mode command to restore the default.
By default, super password authentication is adopted for low-to-high user level switching.
Note that the two authentication modes are available at the same time to provide authentication
redundancy. When both the two authentication modes are specified, the order to perform the two types
of authentication is determined by the order in which they are specified, as described below.
- If the super authentication-mode super-password scheme command is executed to specify the
  authentication mode for user level switching, the super password authentication is preferred and
  the HWTACACS authentication mode is the backup.
- If the super authentication-mode scheme super-password command is executed to specify the
  authentication mode for low-to-high user level switching, the HWTACACS authentication is
  preferred and the super password authentication mode is the backup.
- When both the super password authentication and the HWTACACS authentication are specified,
  the device adopts the preferred authentication mode first. If the preferred authentication mode
  cannot be implemented (for example, the super password is not configured or the HWTACACS
  authentication server is unreachable), the backup authentication mode is adopted.
Examples
# Specify HWTACACS authentication as the preferred authentication mode when a VTY 0 user
switches from the current level to a higher level, with the super password authentication as the backup
authentication mode.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] super authentication-mode scheme super-password
super password
Syntax
super password [ level level ] { cipher | simple } password
undo super password [ level level ]
View
System view
Parameters
level level: User level, in the range of 1 to 3. It is 3 by default.
cipher: Stores the password in the configuration file in ciphered text.
simple: Stores the password in the configuration file in plain text.
password: Password to be set. If the simple keyword is used, you must provide a plain-text password,
that is, a string of 1 to 16 characters. If the cipher keyword is used, you can provide a password in either
of the two ways:
- Input a plain-text password, that is, a string of 1 to 16 characters, which will be automatically
  converted into a 24-character cipher-text password.
- Directly input a cipher-text password, that is, a string of 1 to 24 characters, which must correspond
  to a plain-text password. For example, the cipher-text password “_(TT8F]Y\5SQ=^Q`MAF4<1!!”
  corresponds to the plain-text password 1234567.
Description
Use the super password command to set a switching password for a specified user level, which will be
used when users switch from a lower user level to the specified user level.
Use the undo super password command to restore the default configuration.
By default, no such password is set.
Note that, no matter whether a plain-text or cipher-text password is set, users must enter the plain-text
password during authentication.
Examples
# Set the switching password for level 3 to 0123456789 in plain text.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] super password level 3 simple 0123456789

Table of Contents
1 Login Commands
  Login Commands
    authentication-mode
    auto-execute command
    copyright-info enable
    databits
    display telnet-server source-ip
    display telnet source-ip
    display user-interface
    display users
    display web users
    free user-interface
    header
    history-command max-size
    idle-timeout
    ip http shutdown
    lock
    parity
    protocol inbound
    screen-length
    send
    service-type
    set authentication password
    shell
    speed
    stopbits
    telnet
    telnet ipv6
    telnet source-interface
    telnet source-ip
    telnet-server source-interface
    telnet-server source-ip
    user-interface
    user privilege level
2 Commands for User Control
  Commands for Controlling Logging in Users
    acl
    free web-users
    ip http acl
    snmp-agent community
    snmp-agent group
    snmp-agent usm-user

1 Login Commands
The commands used to enable/disable copyright information displaying are newly added. Refer to
copyright-info enable for related information.
Login Commands
authentication-mode
Syntax
authentication-mode { password | scheme [ command-authorization ] | none }
View
User interface view
Parameters
none: Specifies not to authenticate users.
password: Authenticates users using the local password.
scheme: Authenticates users locally or remotely using usernames and passwords.
command-authorization: Performs command authorization on TACACS authentication server.
Description
Use the authentication-mode command to specify the authentication mode.
- If you specify the password keyword to authenticate users using the local password, remember to
  set the local password using the set authentication password command. Otherwise, AUX users
  can log in to the switch successfully without password, but VTY users will fail the login. VTY users
  must enter the correct authentication password to log in to the switch.
- If you specify the scheme keyword to authenticate users locally or remotely using usernames and
  passwords, the actual authentication mode, that is, local or remote, depends on other related AAA
  scheme configuration of the domain.
- If this command is executed with the command-authorization keyword specified, authorization is
  performed on the TACACS server whenever you attempt to execute a command, and the
  command can be executed only when you pass the authorization. Normally, a TACACS server
  contains a list of the commands available to different users.
By default, the authentication mode is none for AUX users and password for VTY users.

For a VTY user interface, to specify the none keyword or password keyword for login users, make sure
that SSH is not enabled in the user interface. Otherwise, the configuration fails. Refer to the protocol
inbound command for related configuration.
To improve security and prevent attacks on unused sockets, TCP 23 and TCP 22 (the ports for the Telnet
and SSH services respectively) are enabled or disabled according to the corresponding configuration.
- If the authentication mode is none, TCP 23 will be enabled, and TCP 22 will be disabled.
- If the authentication mode is password, and the corresponding password has been set, TCP 23 will
  be enabled, and TCP 22 will be disabled.
- If the authentication mode is scheme, there are three scenarios: when the supported protocol is
  specified as telnet, TCP 23 will be enabled; when the supported protocol is specified as SSH, TCP
  22 will be enabled; when the supported protocol is specified as all, both TCP 23 and TCP 22
  will be enabled.
Examples
- Example of the password authentication mode configuration
# Configure to authenticate users using the local password on the console port, and set the
authentication password to aabbcc in plain text.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] authentication-mode password
[Sysname-ui-aux0] set authentication password simple aabbcc
After the configuration, when a user logs in to the switch through the console port, the user must enter
the correct password.
- Example of the scheme authentication mode configuration
# Configure the authentication mode as scheme for VTY users logging in through Telnet.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] authentication-mode scheme
[Sysname-ui-vty0] quit
# Specify domain system as the default domain, and set the scheme authentication mode to local for
the domain.
[Sysname] domain default enable system
[Sysname] domain system
[Sysname-isp-system] scheme local
[Sysname-isp-system] quit
# Configure the local authentication username and password.
[Sysname] local-user guest
[Sysname-luser-guest] password simple 123456
[Sysname-luser-guest] service-type telnet level 2
After the configuration, when a user logs in to the switch through VTY0, the user must enter the
configured username and password.
auto-execute command
Syntax
auto-execute command text
undo auto-execute command
View
VTY user interface view
Parameters
text: Command to be executed automatically.
Description
Use the auto-execute command command to set the command that is executed automatically after a
user logs in.
Use the undo auto-execute command command to disable the specified command from being
automatically executed.
By default, no command is configured to be executed automatically after a user logs in.
Normally, the telnet command is specified to be executed automatically to enable the user to Telnet to a
specific network device automatically.
- The auto-execute command command may leave you unable to perform common configuration
  in the user interface, so use it with caution.
- Before executing the auto-execute command command and saving your configuration, make sure
  you can log in to the switch in other modes and cancel the configuration.
Examples
# Configure the telnet 10.110.100.1 command to be executed automatically after users log in to VTY0.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] auto-execute command telnet 10.110.100.1
% This action will lead to configuration failure through ui-vty0. Are you sure?[Y/N]y
After the above configuration, when a user logs onto the device through VTY0, the device automatically
executes the configured command and logs off the current user.
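The following Python audit is an added example, not part of the H3C manual. It reads a saved configuration and reports the settings that the command-privilege level, super password, authentication-mode and auto-execute command sections describe as weakening or blocking access control. The configuration text is constructed, and its layout ("#" separators, unindented view lines, indented commands, defaults not written out) is an assumption about how the switch saves these commands.

```python
import re

# Constructed sample, not from a real device. Assumed layout: "#" separates
# sections, a view line is unindented and its commands are indented below it;
# system-view commands are indented with no view line above them.
SAMPLE_CONFIG = """\
#
 command-privilege level 0 view shell system-view
 super password level 3 simple 0123456789
#
local-user guest
 password simple 123456
 service-type telnet level 2
#
user-interface aux 0
user-interface vty 0
 authentication-mode scheme
 auto-execute command telnet 10.110.100.1
user-interface vty 1
 authentication-mode none
user-interface vty 2
 authentication-mode password
#
"""

# Commands that store a password in plain text in the configuration file.
SIMPLE_PW = re.compile(
    r"^(super password(?: level \d)?|set authentication password|password) simple\b")
PRIV = re.compile(r"^command-privilege level (\d) view (\S+) (.+)$")
AUTO = "auto-execute command "


def parse_views(text):
    """Split the configuration into (view, [commands]); view is '' for system view."""
    views, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.strip() == "#":            # section separator closes the open view
            current = None
            continue
        if not line[0].isspace():          # unindented line opens a new view
            current = (line, [])
            views.append(current)
            continue
        if current is None:                # indented with no open view: system view
            current = ("", [])
            views.append(current)
        current[1].append(line.strip())
    return views


def audit_login(view, cmds):
    """Check one user interface against the login rules in authentication-mode."""
    kind = view.split()[1]                 # "aux" or "vty"
    explicit = next((c.split()[1] for c in cmds
                     if c.startswith("authentication-mode ")), None)
    # Defaults stated in the manual: none for AUX users, password for VTY users.
    mode = explicit or ("none" if kind == "aux" else "password")
    has_pw = any(c.startswith("set authentication password ") for c in cmds)
    if mode == "none":
        detail = "configured" if explicit else f"default for {kind}"
        return [(view, "no-login-authentication", detail)]
    if mode == "password" and not has_pw:
        # Manual: without a password AUX users get in, VTY users fail the login.
        detail = ("AUX login needs no password" if kind == "aux"
                  else "VTY login always fails")
        return [(view, "password-mode-without-password", detail)]
    return []


def audit(text):
    """Return (view, rule, detail) findings; password values are never copied."""
    findings = []
    for view, cmds in parse_views(text):
        where = view or "system view"
        for cmd in cmds:
            m = SIMPLE_PW.match(cmd)
            if m:
                findings.append((where, "plaintext-password", m.group(1)))
            m = PRIV.match(cmd)
            if m:
                level, cli_view, command = m.groups()
                findings.append((where, "command-level-changed",
                                 f"{command} in view {cli_view} -> level {level}"))
            if cmd.startswith(AUTO):
                findings.append((where, "auto-execute", cmd[len(AUTO):]))
        if view.startswith("user-interface "):
            findings.extend(audit_login(view, cmds))
    return findings


if __name__ == "__main__":
    for where, rule, detail in audit(SAMPLE_CONFIG):
        print(f"{where:24} {rule:32} {detail}")
```

Every command-privilege level line is reported for review because the configuration alone does not show the command's original level; compare it with Table 1-2.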
copyright-info enable
Syntax
copyright-info enable
undo copyright-info enable
View
System view
Parameters
None
Description
Use the copyright-info enable command to enable copyright information displaying.
Use the undo copyright-info enable command to disable copyright information displaying.
By default, copyright information displaying is enabled. That is, the copyright information is displayed
after a user logs into a switch successfully.
Note that these two commands apply to users logging in through the console port and by means of
Telnet.
Examples
# Disable copyright information displaying.
**************************************************************************
* Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
**************************************************************************
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] undo copyright-info enable
# After the above configuration, no copyright information is displayed after a user logs in, as shown
below.
<Sysname>
databits
Syntax
databits { 7 | 8 }
undo databits

View
AUX user interface view
Parameters
7: Sets the databits to 7.
8: Sets the databits to 8.
Description
Use the databits command to set the databits for the user interface.
Use the undo databits command to revert to the default databits.
The default databits is 8.
Examples
# Set the databits to 7.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] databits 7
display telnet-server source-ip
Syntax
display telnet-server source-ip
View
Any view
Parameters
None
Description
Use the display telnet-server source-ip command to display the source IP address configured for the
switch operating as the Telnet server. That is, when the switch operates as the Telnet server, the client
uses this IP address to log in to the switch.
- If the source IP address or source interface is specified for the switch, this command displays the
  IP address or the primary IP address of the source interface.
- If neither source IP address nor source interface is specified, 0.0.0.0 is displayed. That is, as long
  as there is a route between the switch and client, the client can log in to the switch using the IP
  address of any Layer 3 interface on the switch.

When you use the display telnet-server source-ip command to display the source IP address, the
primary IP address of an interface will be displayed even if you have specified a secondary IP address
of the interface as the source IP address.
Examples
# Display the source IP address configured for the switch operating as the Telnet server.
<Sysname> display telnet-server source-ip
The source IP you specified is 192.168.1.1
display telnet source-ip
Syntax
display telnet source-ip
View
Any view
Parameters
None
Description
Use the display telnet source-ip command to display the source IP address configured for the switch
operating as the Telnet client. That is, the source IP address of the Telnet service packets sent when the
switch operates as the Telnet client to log in to the remote device.
- If the source interface is specified for the switch, this command displays the IP address of the
  source interface.
- If no source address or source IP interface is specified for the switch, 0.0.0.0 is displayed. That is,
  the source IP address of Telnet service packets is that of the outbound interface.
Examples
# Display the source IP address configured for the switch operating as the Telnet client.
<Sysname> display telnet source-ip
The source IP you specified is 192.168.1.1
display user-interface
Syntax
display user-interface [ type number | number ] [ summary ]
View
Any view