Quidway Eudemon 200 Firewall

V200R001C03B6

Command Reference

Issue 01
Date 2008-11-15

Huawei Proprietary and Confidential


Copyright © Huawei Technologies Co., Ltd.
Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any
assistance, please contact our local office or company headquarters.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com
Email: support@huawei.com

Copyright © Huawei Technologies Co., Ltd. 2008. All rights reserved.


No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are the property of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but the statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Contents

About This Document.....................................................................................................................1


1 System Management.................................................................................................................1-1
1.1 Basic Configuration Commands.....................................................................................................................1-2
1.1.1 clock.......................................................................................................................................................1-2
1.1.2 command-privilege.................................................................................................................................1-4
1.1.3 display clock...........................................................................................................................................1-5
1.1.4 display history-command.......................................................................................................................1-6
1.1.5 display hotkey........................................................................................................................................1-7
1.1.6 display version........................................................................................................................................1-9
1.1.7 header...................................................................................................................................................1-10
1.1.8 hotkey...................................................................................................................................................1-11
1.1.9 language-mode.....................................................................................................................................1-13
1.1.10 lock (User View)................................................................................................................................1-13
1.1.11 quit (All Views)..................................................................................................................................1-14
1.1.12 return..................................................................................................................................................1-15
1.1.13 super...................................................................................................................................................1-16
1.1.14 super password...................................................................................................................................1-17
1.1.15 sysname..............................................................................................................................................1-18
1.1.16 system-view........................................................................................................................................1-19
1.2 User Login Configuration Commands..........................................................................................................1-20
1.2.1 acl.........................................................................................................................................................1-21
1.2.2 authentication-mode.............................................................................................................................1-22
1.2.3 auto-execute command.........................................................................................................................1-24
1.2.4 databits.................................................................................................................................................1-25
1.2.5 debugging rsa.......................................................................................................................................1-26
1.2.6 debugging ssh server............................................................................................................................1-26
1.2.7 debugging telnet...................................................................................................................................1-27
1.2.8 display rsa local-key-pair public..........................................................................................................1-28
1.2.9 display rsa peer-public-key..................................................................................................................1-30
1.2.10 display ssh server...............................................................................................................................1-31
1.2.11 display ssh user-information..............................................................................................................1-32
1.2.12 display tcp..........................................................................................................................................1-33
1.2.13 display user-interface.........................................................................................................................1-35

1.2.14 display user-interface maximum-vty..................................................................................................1-36


1.2.15 display users.......................................................................................................................................1-37
1.2.16 flow-control........................................................................................................................................1-38
1.2.17 free user-interface...............................................................................................................................1-39
1.2.18 history-command max-size................................................................................................................1-40
1.2.19 idle-timeout........................................................................................................................................1-41
1.2.20 lock authentication-count...................................................................................................................1-42
1.2.21 lock lock-timeout................................................................................................................................1-43
1.2.22 modem................................................................................................................................................1-43
1.2.23 modem auto-answer...........................................................................................................................1-44
1.2.24 modem timer answer..........................................................................................................................1-45
1.2.25 parity...................................................................................................................................................1-46
1.2.26 peer-public-key end............................................................................................................................1-47
1.2.27 protocol inbound................................................................................................................................1-48
1.2.28 public-key-code begin........................................................................................................................1-49
1.2.29 public-key-code end...........................................................................................................................1-50
1.2.30 redirect................................................................................................................................................1-51
1.2.31 rsa local-key-pair create.....................................................................................................................1-51
1.2.32 rsa local-key-pair destroy...................................................................................................................1-53
1.2.33 rsa peer-public-key.............................................................................................................................1-53
1.2.34 screen-length......................................................................................................................................1-54
1.2.35 send.....................................................................................................................................................1-55
1.2.36 set authentication password................................................................................................................1-56
1.2.37 shell....................................................................................................................................................1-57
1.2.38 speed (User Interface View)...............................................................................................................1-58
1.2.39 ssh server authentication-retries.........................................................................................................1-59
1.2.40 ssh server rekey-interval.....................................................................................................................1-60
1.2.41 ssh server timeout...............................................................................................................................1-61
1.2.42 ssh user assign rsa-key.......................................................................................................................1-62
1.2.43 ssh user authentication-type...............................................................................................................1-63
1.2.44 stopbits...............................................................................................................................................1-64
1.2.45 telnet...................................................................................................................................................1-64
1.2.46 user privilege......................................................................................................................................1-65
1.2.47 user-interface......................................................................................................................................1-66
1.2.48 user-interface maximum-vty..............................................................................................................1-67
1.3 Working Mode Configuration Commands....................................................................................................1-68
1.3.1 debugging firewall transparent-mode...................................................................................................1-69
1.3.2 display firewall mode...........................................................................................................................1-70
1.3.3 display firewall transparent-mode config.............................................................................................1-70
1.3.4 display firewall transparent-mode address-table..................................................................................1-71
1.3.5 display firewall transparent-mode traffic.............................................................................................1-72
1.3.6 display firewall transparent-mode trunk-port.......................................................................................1-74

1.3.7 firewall arp-learning enable..................................................................................................................1-74


1.3.8 firewall ethernet-frame-filter................................................................................................................1-75
1.3.9 firewall mode........................................................................................................................................1-76
1.3.10 firewall system-ip...............................................................................................................................1-77
1.3.11 firewall transparent-mode aging-time................................................................................................1-78
1.3.12 firewall transparent-mode fast-forwarding.........................................................................................1-79
1.3.13 firewall transparent-mode transmit....................................................................................................1-80
1.3.14 firewall unknown-mac........................................................................................................................1-81
1.3.15 port trunk pvid....................................................................................................................................1-82
1.3.16 port trunk vlan allow-pass all.............................................................................................................1-83
1.3.17 reset firewall transparent-mode address-table....................................................................................1-84
1.3.18 reset firewall transparent-mode traffic...............................................................................................1-84
1.4 File Management Configuration Commands................................................................................................1-85
1.4.1 ascii.......................................................................................................................................................1-87
1.4.2 binary....................................................................................................................................................1-87
1.4.3 bye........................................................................................................................................................1-88
1.4.4 cd (User View).....................................................................................................................................1-89
1.4.5 cd (FTP Client View)...........................................................................................................................1-90
1.4.6 cdup......................................................................................................................................................1-91
1.4.7 close......................................................................................................................................................1-92
1.4.8 compare configuration..........................................................................................................................1-93
1.4.9 copy......................................................................................................................................................1-94
1.4.10 debugging (FTP Client View)............................................................................................................1-95
1.4.11 delete (User View).............................................................................................................................1-95
1.4.12 delete (FTP Client View)...................................................................................................................1-96
1.4.13 dir (User View)..................................................................................................................................1-97
1.4.14 dir (FTP Client View)........................................................................................................................1-98
1.4.15 disconnect...........................................................................................................................................1-99
1.4.16 display current-configuration...........................................................................................................1-100
1.4.17 display ftp-server..............................................................................................................................1-101
1.4.18 display ftp-users...............................................................................................................................1-102
1.4.19 display saved-configuration.............................................................................................................1-103
1.4.20 display startup..................................................................................................................................1-104
1.4.21 display this........................................................................................................................................1-105
1.4.22 execute..............................................................................................................................................1-106
1.4.23 file prompt........................................................................................................................................1-107
1.4.24 format...............................................................................................................................................1-108
1.4.25 ftp.....................................................................................................................................................1-108
1.4.26 ftp server enable...............................................................................................................................1-109
1.4.27 ftp timeout........................................................................................................................................1-110
1.4.28 get.....................................................................................................................................................1-111
1.4.29 lcd.....................................................................................................................................................1-112

1.4.30 ls.......................................................................................................................................................1-113
1.4.31 mkdir (User View)...........................................................................................................................1-114
1.4.32 mkdir (FTP Client View)................................................................................................................1-114
1.4.33 more..................................................................................................................................................1-115
1.4.34 move.................................................................................................................................................1-116
1.4.35 open..................................................................................................................................................1-117
1.4.36 passive..............................................................................................................................................1-118
1.4.37 put.....................................................................................................................................................1-119
1.4.38 pwd (User View)..............................................................................................................................1-120
1.4.39 pwd (FTP Client View)....................................................................................................................1-120
1.4.40 quit (FTP Client View).....................................................................................................................1-121
1.4.41 remotehelp........................................................................................................................................1-122
1.4.42 rename..............................................................................................................................................1-123
1.4.43 reset recycle-bin...............................................................................................................................1-124
1.4.44 reset saved-configuration.................................................................................................................1-124
1.4.45 rmdir (User View)............................................................................................................................1-125
1.4.46 rmdir (FTP Client View)..................................................................................................................1-126
1.4.47 save...................................................................................................................................................1-127
1.4.48 startup system-software....................................................................................................................1-128
1.4.49 startup saved-configuration..............................................................................................................1-129
1.4.50 tftp....................................................................................................................................................1-129
1.4.51 tftp-server acl....................................................................................................................................1-130
1.4.52 undelete............................................................................................................................................1-131
1.4.53 user...................................................................................................................................................1-132
1.4.54 verbose.............................................................................................................................................1-133
1.4.55 xmodem get......................................................................................................................................1-134
1.5 System Maintenance Configuration Commands.........................................................................................1-134
1.5.1 debugging (User View)......................................................................................................................1-136
1.5.2 debugging firewall packet-capture.....................................................................................................1-137
1.5.3 debugging firewall packet-capture error............................................................................................1-139
1.5.4 debugging firewall packet-capture event...........................................................................................1-140
1.5.5 display channel...................................................................................................................................1-141
1.5.6 display cpu-usage-for-user.................................................................................................................1-142
1.5.7 display debugging..............................................................................................................................1-143
1.5.8 display diagnostic-information...........................................................................................................1-143
1.5.9 display device.....................................................................................................................................1-144
1.5.10 display environment.........................................................................................................................1-145
1.5.11 display firewall logtime....................................................................................................................1-146
1.5.12 display firewall packet-capture configuration..................................................................................1-146
1.5.13 display firewall packet-capture queue..............................................................................................1-148
1.5.14 display firewall packet-capture statistic...........................................................................................1-149
1.5.15 display info-center............................................................................................................................1-151

1.5.16 display logbuffer..............................................................................................................................1-152


1.5.17 display patch-information................................................................................................................1-154
1.5.18 display schedule reboot....................................................................................................................1-155
1.5.19 display trapbuffer.............................................................................................................................1-156
1.5.20 firewall log-time...............................................................................................................................1-157
1.5.21 firewall packet-capture.....................................................................................................................1-158
1.5.22 firewall packet-capture send host.....................................................................................................1-159
1.5.23 firewall packet-capture send queue..................................................................................................1-160
1.5.24 firewall packet-capture startup.........................................................................................................1-161
1.5.25 firewall session log-type binary discard enable...............................................................................1-161
1.5.26 firewall session log-type...................................................................................................................1-162
1.5.27 info-center channel...........................................................................................................................1-163
1.5.28 info-center console channel..............................................................................................................1-164
1.5.29 info-center enable.............................................................................................................................1-165
1.5.30 info-center logbuffer........................................................................................................................1-166
1.5.31 info-center loghost............................................................................................................................1-167
1.5.32 info-center loghost source................................................................................................................1-168
1.5.33 info-center monitor channel.............................................................................................................1-169
1.5.34 info-center snmp channel.................................................................................................................1-170
1.5.35 info-center source.............................................................................................................................1-171
1.5.36 info-center timestamp.......................................................................................................................1-173
1.5.37 info-center trapbuffer.......................................................................................................................1-174
1.5.38 patch.................................................................................................................................................1-175
1.5.39 ping...................................................................................................................................................1-176
1.5.40 reset firewall log-buf........................................................................................................................1-179
1.5.41 reset firewall packet-capture............................................................................................................1-179
1.5.42 reset logbuffer..................................................................................................................................1-180
1.5.43 reset trapbuffer.................................................................................................................................1-181
1.5.44 service modem-callback...................................................................................................................1-181
1.5.45 session log enable.............................................................................................................................1-182
1.5.46 schedule reboot.................................................................................................................................1-183
1.5.47 terminal debugging...........................................................................................................................1-184
1.5.48 terminal logging...............................................................................................................................1-185
1.5.49 terminal monitor...............................................................................................................................1-186
1.5.50 terminal trapping..............................................................................................................................1-186
1.5.51 tracert................................................................................................................................................1-187
1.6 Web Management Commands....................................................................................................................1-189
1.6.1 debugging ssl......................................................................................................................................1-189
1.6.2 debugging web-manager....................................................................................................................1-190
1.6.3 display web-manager..........................................................................................................................1-191
1.6.4 web-manager......................................................................................................................................1-192
1.6.5 reset web-manager statistics...............................................................................................................1-193

1.7 NTP Configuration Commands...................................................................................................................1-194
1.7.1 debugging ntp-service........................................................................................................................1-195
1.7.2 display ntp-service sessions...............................................................................................................1-196
1.7.3 display ntp-service status...................................................................................................................1-196
1.7.4 display ntp-service trace.....................................................................................................................1-198
1.7.5 ntp-service access...............................................................................................................................1-199
1.7.6 ntp-service authentication enable.......................................................................................................1-200
1.7.7 ntp-service authentication-keyid........................................................................................................1-201
1.7.8 ntp-service broadcast-client................................................................................................................1-202
1.7.9 ntp-service broadcast-server...............................................................................................................1-203
1.7.10 ntp-service in-interface disable........................................................................................................1-204
1.7.11 ntp-service max-dynamic-sessions...................................................................................................1-205
1.7.12 ntp-service multicast-client..............................................................................................................1-206
1.7.13 ntp-service multicast-server.............................................................................................................1-207
1.7.14 ntp-service refclock-master..............................................................................................................1-208
1.7.15 ntp-service reliable authentication-keyid.........................................................................................1-208
1.7.16 ntp-service source-interface.............................................................................................................1-209
1.7.17 ntp-service unicast-peer....................................................................................................................1-210
1.7.18 ntp-service unicast-server.................................................................................................................1-211
1.8 SNMP Configuration Commands...............................................................................................................1-212
1.8.1 debugging snmp-agent.......................................................................................................................1-213
1.8.2 display snmp-agent.............................................................................................................................1-214
1.8.3 display snmp-agent community.........................................................................................................1-215
1.8.4 display snmp-agent group..................................................................................................................1-216
1.8.5 display snmp-agent mib-view............................................................................................................1-217
1.8.6 display snmp-agent statistics..............................................................................................................1-218
1.8.7 display snmp-agent sys-info...............................................................................................................1-220
1.8.8 display snmp-agent usm-user.............................................................................................................1-221
1.8.9 enable snmp trap updown...................................................................................................................1-222
1.8.10 ifindex constant................................................................................................................................1-223
1.8.11 set constant-ifindex max-number.....................................................................................................1-224
1.8.12 set constant-ifindex subinterface......................................................................................................1-225
1.8.13 snmp-agent.......................................................................................................................................1-226
1.8.14 snmp-agent community....................................................................................................................1-227
1.8.15 snmp-agent group.............................................................................................................................1-228
1.8.16 snmp-agent local-engineid...............................................................................................................1-229
1.8.17 snmp-agent mib-view.......................................................................................................................1-230
1.8.18 snmp-agent packet max-size............................................................................................................1-231
1.8.19 snmp-agent sys-info.........................................................................................................................1-232
1.8.20 snmp-agent target-host.....................................................................................................................1-233
1.8.21 snmp-agent trap enable.....................................................................................................................1-234
1.8.22 snmp-agent trap enable ospf.............................................................................................................1-236

1.8.23 snmp-agent trap life..........................................................................................................................1-237
1.8.24 snmp-agent trap queue-size..............................................................................................................1-238
1.8.25 snmp-agent trap source.....................................................................................................................1-239
1.8.26 snmp-agent usm-user........................................................................................................................1-240
1.9 VPN Manager Configuration Commands...................................................................................................1-241
1.9.1 secoway-server...................................................................................................................................1-241

2 Security Defense.........................................................................................................................2-1
2.1 ACL Configuration Commands......................................................................................................................2-3
2.1.1 acl accelerate enable...............................................................................................................................2-3
2.1.2 acl (System View)..................................................................................................................................2-4
2.1.3 address....................................................................................................................................................2-5
2.1.4 description (ACL View).........................................................................................................................2-6
2.1.5 description (Address Set View or Port Set View)..................................................................................2-7
2.1.6 display acl...............................................................................................................................................2-7
2.1.7 display ip address-set.............................................................................................................................2-9
2.1.8 display ip port-set.................................................................................................................................2-11
2.1.9 display time-range................................................................................................................................2-13
2.1.10 ip address-set......................................................................................................................................2-14
2.1.11 ip port-set............................................................................................................................................2-15
2.1.12 port.....................................................................................................................................................2-16
2.1.13 reset acl counter..................................................................................................................................2-17
2.1.14 rule......................................................................................................................................................2-17
2.1.15 step.....................................................................................................................................................2-21
2.1.16 time-range...........................................................................................................................................2-22
2.2 Security Zone Configuration Commands......................................................................................................2-24
2.2.1 add interface (Security Zone View).....................................................................................................2-24
2.2.2 description (Security Zone View)........................................................................................................2-25
2.2.3 display interzone..................................................................................................................................2-26
2.2.4 display zone..........................................................................................................................................2-27
2.2.5 firewall interzone..................................................................................................................................2-27
2.2.6 firewall zone.........................................................................................................................................2-28
2.2.7 set priority............................................................................................................................................2-29
2.3 Session Configuration Commands................................................................................................................2-30
2.3.1 debugging firewall sessionreuse...........................................................................................................2-31
2.3.2 display firewall fragment.....................................................................................................................2-32
2.3.3 display firewall session aging-time......................................................................................................2-32
2.3.4 display firewall session no-pat.............................................................................................................2-35
2.3.5 display firewall session table................................................................................................................2-36
2.3.6 firewall long-link..................................................................................................................................2-38
2.3.7 firewall long-link aging-time...............................................................................................................2-39
2.3.8 firewall session aging-time...................................................................................................................2-40
2.3.9 firewall session aging-time accelerate enable......................................................................................2-42

2.3.10 reset firewall session table..................................................................................................................2-43
2.4 Packet Filter Configuration Commands........................................................................................................2-44
2.4.1 debugging firewall packet-filter...........................................................................................................2-44
2.4.2 display firewall packet-filter default....................................................................................................2-45
2.4.3 firewall packet-filter default.................................................................................................................2-46
2.4.4 packet-filter..........................................................................................................................................2-47
2.5 Attack Defence and Packet Statistics Configuration Commands.................................................................2-48
2.5.1 debugging firewall defend....................................................................................................................2-50
2.5.2 debugging statistic................................................................................................................................2-51
2.5.3 display firewall defend flag..................................................................................................................2-52
2.5.4 display firewall flow-control statistics.................................................................................................2-52
2.5.5 display firewall statistic........................................................................................................................2-53
2.5.6 firewall defend all enable.....................................................................................................................2-54
2.5.7 firewall defend arp-flood enable interface...........................................................................................2-55
2.5.8 firewall defend arp-spoofing enable.....................................................................................................2-56
2.5.9 firewall defend based-session...............................................................................................................2-57
2.5.10 firewall defend fraggle enable............................................................................................................2-58
2.5.11 firewall defend ftp-bounce enable......................................................................................................2-59
2.5.12 firewall defend icmp-flood.................................................................................................................2-60
2.5.13 firewall defend icmp-flood enable.....................................................................................................2-61
2.5.14 firewall defend icmp-redirect enable..................................................................................................2-62
2.5.15 firewall defend icmp-unreachable enable...........................................................................................2-63
2.5.16 firewall defend ip-fragment enable....................................................................................................2-63
2.5.17 firewall defend ip-spoofing enable.....................................................................................................2-64
2.5.18 firewall defend ip-sweep....................................................................................................................2-65
2.5.19 firewall defend ip-sweep enable.........................................................................................................2-66
2.5.20 firewall defend land enable................................................................................................................2-66
2.5.21 firewall defend large-icmp.................................................................................................................2-67
2.5.22 firewall defend large-icmp enable......................................................................................................2-68
2.5.23 firewall defend packet-header check enable......................................................................................2-69
2.5.24 firewall defend ping-of-death enable.................................................................................................2-69
2.5.25 firewall defend port-scan....................................................................................................................2-70
2.5.26 firewall defend port-scan enable........................................................................................................2-71
2.5.27 firewall defend route-record enable...................................................................................................2-72
2.5.28 firewall defend smurf enable..............................................................................................................2-73
2.5.29 firewall defend source-route enable...................................................................................................2-73
2.5.30 firewall defend syn-flood...................................................................................................................2-74
2.5.31 firewall defend syn-flood enable........................................................................................................2-76
2.5.32 firewall defend tcp-flag enable...........................................................................................................2-77
2.5.33 firewall defend teardrop enable..........................................................................................................2-77
2.5.34 firewall defend time-stamp enable.....................................................................................................2-78
2.5.35 firewall defend tracert enable.............................................................................................................2-79

2.5.36 firewall defend udp-flood...................................................................................................................2-79
2.5.37 firewall defend udp-flood enable.......................................................................................................2-81
2.5.38 firewall defend winnuke enable.........................................................................................................2-82
2.5.39 firewall flow-control acl.....................................................................................................................2-82
2.5.40 firewall flow-control car.....................................................................................................................2-83
2.5.41 firewall flow-control h323 enable......................................................................................................2-84
2.5.42 firewall flow-control on.....................................................................................................................2-85
2.5.43 firewall fragment-discard enable........................................................................................................2-85
2.5.44 firewall http-authentication................................................................................................................2-86
2.5.45 firewall session link-state check.........................................................................................................2-87
2.5.46 firewall statistic system connect-number...........................................................................................2-88
2.5.47 firewall statistic system enable...........................................................................................................2-89
2.5.48 firewall statistic system flow-percent.................................................................................................2-90
2.5.49 firewall statistic system last_five_min enable....................................................................................2-91
2.5.50 reset firewall statistic ip......................................................................................................................2-91
2.5.51 reset firewall statistic system..............................................................................................................2-92
2.5.52 reset firewall statistic zone.................................................................................................................2-93
2.5.53 statistic connect-number.....................................................................................................................2-93
2.5.54 statistic connect-speed........................................................................................................................2-95
2.5.55 statistic enable....................................................................................................................................2-96
2.6 ASPF Configuration Commands...................................................................................................................2-97
2.6.1 debugging firewall aspf........................................................................................................................2-97
2.6.2 debugging firewall fragment-forward..................................................................................................2-98
2.6.3 detect....................................................................................................................................................2-99
2.6.4 detect user-define...............................................................................................................................2-100
2.6.5 display firewall servermap.................................................................................................................2-101
2.6.6 firewall cache refresh enable..............................................................................................................2-102
2.6.7 firewall fragment-cache enable..........................................................................................................2-102
2.6.8 firewall fragment-cache max-number one-packet..............................................................................2-103
2.6.9 firewall fragment-cache max-number total........................................................................................2-104
2.6.10 firewall fragment-forward enable.....................................................................................................2-105
2.7 Blacklist Configuration Commands............................................................................................................2-106
2.7.1 debugging firewall blacklist...............................................................................................................2-106
2.7.2 display firewall blacklist....................................................................................................................2-107
2.7.3 firewall blacklist aging-time...............................................................................................................2-108
2.7.4 firewall blacklist authentication-count...............................................................................................2-108
2.7.5 firewall blacklist enable.....................................................................................................................2-109
2.7.6 firewall blacklist item.........................................................................................................................2-111
2.8 MAC and IP Address binding Configuration Commands..........................................................................2-112
2.8.1 debugging firewall mac-binding........................................................................................................2-112
2.8.2 display firewall mac-binding..............................................................................................................2-112
2.8.3 firewall mac-binding..........................................................................................................................2-113

2.9 Port Mapping Configuration Commands....................................................................................................2-114
2.9.1 display port-mapping..........................................................................................................................2-114
2.9.2 port-mapping......................................................................................................................................2-115
2.10 NAT Configuration Commands................................................................................................................2-116
2.10.1 debugging nat...................................................................................................................................2-117
2.10.2 destination-nat..................................................................................................................................2-118
2.10.3 display nat........................................................................................................................................2-119
2.10.4 firewall permit local ip.....................................................................................................................2-120
2.10.5 nat.....................................................................................................................................................2-121
2.10.6 nat address-group.............................................................................................................................2-122
2.10.7 nat alg enable....................................................................................................................................2-123
2.10.8 nat arp-gratuitous send.....................................................................................................................2-124
2.10.9 nat inbound.......................................................................................................................................2-125
2.10.10 nat outbound...................................................................................................................................2-126
2.10.11 nat server........................................................................................................................................2-128
2.10.12 nat server zone................................................................................................................................2-129
2.11 IDS Cooperation Configuration Commands.............................................................................................2-131
2.11.1 debugging firewall ids......................................................................................................................2-131
2.11.2 display firewall ids...........................................................................................................................2-132
2.11.3 firewall ids authentication type........................................................................................................2-133
2.11.4 firewall ids enable............................................................................................................................2-134
2.11.5 firewall ids port................................................................................................................................2-135
2.11.6 firewall ids server.............................................................................................................................2-136
2.12 AAA Configuration Commands................................................................................................................2-137
2.12.1 { cmd | outbound | system } recording-scheme................................................................................2-137
2.12.2 aaa.....................................................................................................................................................2-138
2.12.3 accounting interim-fail.....................................................................................................................2-139
2.12.4 accounting realtime..........................................................................................................................2-140
2.12.5 accounting start-fail..........................................................................................................................2-141
2.12.6 accounting-mode..............................................................................................................................2-142
2.12.7 accounting-scheme (AAA View).....................................................................................................2-142
2.12.8 authentication-mode (Authentication Scheme View)......................................................................2-143
2.12.9 authentication-scheme (AAA View)................................................................................................2-144
2.12.10 authorization-mode.........................................................................................................................2-145
2.12.11 authorization-scheme (AAA View)................................................................................................2-146
2.12.12 display aaa configuration...............................................................................................................2-147
2.12.13 display accounting-scheme............................................................................................................2-148
2.12.14 display authentication-scheme.......................................................................................................2-150
2.12.15 display authorization-scheme.........................................................................................................2-151
2.12.16 display ip pool................................................................................................................................2-152
2.12.17 display recording-scheme...............................................................................................................2-153
2.12.18 display user-car..............................................................................................................................2-154

2.12.19 ip address ppp-negotiate.................................................................................................................2-155
2.12.20 ip pool.............................................................................................................................................2-155
2.12.21 recording-mode..............................................................................................................................2-156
2.12.22 recording-scheme...........................................................................................................................2-157
2.12.23 user-car (AAA View).....................................................................................................................2-158
2.13 RADIUS Server Configuration Commands..............................................................................................2-159
2.13.1 debugging radius..............................................................................................................................2-160
2.13.2 display radius-server accounting-stop-packet..................................................................................2-161
2.13.3 display radius-server configuration..................................................................................................2-161
2.13.4 radius-server accounting..................................................................................................................2-162
2.13.5 radius-server accounting-stop-packet resend...................................................................................2-163
2.13.6 radius-server authentication.............................................................................................................2-164
2.13.7 radius-server nas-port-format...........................................................................................................2-165
2.13.8 radius-server nas-port-id-format.......................................................................................................2-166
2.13.9 radius-server retransmit....................................................................................................................2-167
2.13.10 radius-server shared-key................................................................................................................2-168
2.13.11 radius-server template....................................................................................................................2-169
2.13.12 radius-server timeout......................................................................................................................2-170
2.13.13 radius-server traffic-unit.................................................................................................................2-171
2.13.14 radius-server type...........................................................................................................................2-171
2.13.15 radius-server user-name domain-included.....................................................................................2-172
2.13.16 reset radius-server accounting-stop-packet....................................................................................2-173
2.14 HWTACACS Server Configuration Commands......................................................................................2-174
2.14.1 debugging hwtacacs.........................................................................................................................2-174
2.14.2 display hwtacacs-server accounting-stop-packet.............................................................................2-175
2.14.3 display hwtacacs-server template.....................................................................................................2-176
2.14.4 hwtacacs-server accounting..............................................................................................................2-177
2.14.5 hwtacacs-server accounting-stop-packet..........................................................................................2-178
2.14.6 hwtacacs-server authentication.........................................................................................................2-179
2.14.7 hwtacacs-server authorization..........................................................................................................2-180
2.14.8 hwtacacs-server shared-key..............................................................................................................2-181
2.14.9 hwtacacs-server source-ip................................................................................................................2-182
2.14.10 hwtacacs-server template...............................................................................................................2-183
2.14.11 hwtacacs-server timer quiet............................................................................................................2-183
2.14.12 hwtacacs-server timer response-timeout........................................................................................2-184
2.14.13 hwtacacs-server traffic-unit............................................................................................................2-185
2.14.14 hwtacacs-server user-name domain-included................................................................................2-186
2.14.15 reset hwtacacs-server accounting-stop-packet...............................................................................2-187
2.14.16 reset hwtacacs-server statistics.......................................................................................................2-187
2.15 Domain Configuration Commands...........................................................................................................2-188
2.15.1 access-limit.......................................................................................................................................2-189
2.15.2 accounting-scheme (AAA Domain View).......................................................................................2-189

2.15.3 acl-number........................................................................................................................................2-190
2.15.4 authentication-scheme (AAA Domain View)..................................................................................2-191
2.15.5 authorization-scheme (AAA Domain View)....................................................................................2-192
2.15.6 display domain.................................................................................................................................2-193
2.15.7 dns....................................................................................................................................................2-194
2.15.8 domain..............................................................................................................................................2-195
2.15.9 hwtacacs-server (AAA Domain View)............................................................................................2-196
2.15.10 idle-cut............................................................................................................................................2-196
2.15.11 nbns................................................................................................................................................2-197
2.15.12 radius-server...................................................................................................................................2-198
2.15.13 state (AAA Domain View).............................................................................................................2-199
2.15.14 user-car (AAA Domain View).......................................................................................................2-200
2.15.15 user-priority....................................................................................................................................2-201
2.15.16 web-server......................................................................................................................................2-201
2.16 Local User Configuration Commands.......................................................................................................2-202
2.16.1 cut access-user (AAA View)............................................................................................................2-203
2.16.2 display access-user...........................................................................................................................2-204
2.16.3 display local-user..............................................................................................................................2-207
2.16.4 local-user access-limit......................................................................................................................2-208
2.16.5 local-user callback-nocheck.............................................................................................................2-209
2.16.6 local-user callback-number..............................................................................................................2-210
2.16.7 local-user call-number......................................................................................................................2-211
2.16.8 local-user ftp-directory.....................................................................................................................2-211
2.16.9 local-user idle-cut.............................................................................................................................2-212
2.16.10 local-user level...............................................................................................................................2-213
2.16.11 local-user mac-address...................................................................................................................2-214
2.16.12 local-user password........................................................................................................................2-215
2.16.13 local-user service-type....................................................................................................................2-216
2.16.14 local-user state................................................................................................................................2-217
2.16.15 local-user user-car..........................................................................................................................2-217
2.16.16 vlan-batch user access-limit...........................................................................................................2-218
2.16.17 vlan-batch user acl-number............................................................................................................2-220
2.16.18 vlan-batch user idle-cut..................................................................................................................2-221
2.16.19 vlan-batch user interface................................................................................................................2-222
2.16.20 vlan-batch user service-type...........................................................................................................2-223
2.16.21 vlan-batch user state.......................................................................................................................2-224
2.16.22 vlan-batch user user-car..................................................................................................................2-225
2.17 L2TP Configuration Commands...............................................................................................................2-226
2.17.1 allow l2tp..........................................................................................................................................2-227
2.17.2 debugging l2tp..................................................................................................................................2-228
2.17.3 display l2tp session...........................................................................................................................2-229
2.17.4 display l2tp tunnel............................................................................................................................2-230

2.17.5 interface virtual-template.................................................................................................................2-231
2.17.6 l2tp domain suffix-separator............................................................................................................2-232
2.17.7 l2tp enable........................................................................................................................................2-233
2.17.8 l2tp-group.........................................................................................................................................2-234
2.17.9 mandatory-chap................................................................................................................................2-234
2.17.10 mandatory-lcp.................................................................................................................................2-235
2.17.11 reset l2tp tunnel local-id.................................................................................................................2-236
2.17.12 reset l2tp tunnel peer-name............................................................................................................2-237
2.17.13 start l2tp..........................................................................................................................................2-238
2.17.14 tunnel authentication......................................................................................................................2-239
2.17.15 tunnel avp-hidden...........................................................................................................................2-240
2.17.16 tunnel name....................................................................................................................................2-241
2.17.17 tunnel password..............................................................................................................................2-241
2.17.18 tunnel timer hello...........................................................................................................................2-242
2.18 GRE Configuration Commands................................................................................................................2-243
2.18.1 debugging tunnel..............................................................................................................................2-243
2.18.2 destination........................................................................................................................................2-244
2.18.3 display interface tunnel....................................................................................................................2-245
2.18.4 gre checksum....................................................................................................................................2-247
2.18.5 gre key..............................................................................................................................................2-248
2.18.6 interface tunnel.................................................................................................................................2-249
2.18.7 source...............................................................................................................................................2-250
2.18.8 tunnel-protocol gre...........................................................................................................................2-251
2.19 SLB Configuration Commands.................................................................................................................2-252
2.19.1 addrserver.........................................................................................................................................2-253
2.19.2 display slb group..............................................................................................................................2-254
2.19.3 display slb rserver.............................................................................................................................2-255
2.19.4 display slb vserver............................................................................................................................2-257
2.19.5 group (SLB Configuration View)....................................................................................................2-257
2.19.6 metric................................................................................................................................................2-258
2.19.7 rserver...............................................................................................................................................2-259
2.19.8 slb.....................................................................................................................................................2-261
2.19.9 slb enable..........................................................................................................................................2-262
2.19.10 vserver............................................................................................................................................2-262
2.20 P2P Traffic Limiting Configuration Commands.......................................................................................2-264
2.20.1 cir......................................................................................................................................................2-265
2.20.2 cir default..........................................................................................................................................2-266
2.20.3 debugging firewall p2p-car..............................................................................................................2-267
2.20.4 display p2p-car class........................................................................................................................2-267
2.20.5 display p2p-car pattern-file..............................................................................................................2-269
2.20.6 display p2p-car protocol...................................................................................................................2-270
2.20.7 display p2p-car relation-table aging-time.........................................................................................2-271

2.20.8 display p2p-car statistic class...........................................................................................................2-271
2.20.9 display p2p-car statistic protocol......................................................................................................2-273
2.20.10 display p2p-car statistic relation-table............................................................................................2-274
2.20.11 firewall p2p-car default-permit......................................................................................................2-275
2.20.12 firewall p2p-car include.................................................................................................................2-276
2.20.13 firewall p2p-car pattern-file active.................................................................................................2-277
2.20.14 firewall p2p-car relation-table aging-time......................................................................................2-278
2.20.15 firewall p2p-detect behavior enable...............................................................................................2-279
2.20.16 firewall p2p-detect default-permit..................................................................................................2-280
2.20.17 firewall p2p-detect packet-number.................................................................................................2-280
2.20.18 p2p-car............................................................................................................................................2-281
2.20.19 p2p-class.........................................................................................................................................2-282
2.20.20 p2p-detect enable............................................................................................................................2-283
2.20.21 p2p-detect mode.............................................................................................................................2-284
2.20.22 reset p2p-car relation-table.............................................................................................................2-285
2.20.23 reset p2p-car statistic......................................................................................................................2-286
2.20.24 undo cir index.................................................................................................................................2-286
2.21 Secospace Cooperation Configuration Commands...................................................................................2-287
2.21.1 cut access-user (Secospace Cooperation Configuration View)........................................................2-288
2.21.2 debugging right-manager.................................................................................................................2-288
2.21.3 default acl 3099................................................................................................................................2-290
2.21.4 display right-manager online-users..................................................................................................2-291
2.21.5 display right-manager role-id rule....................................................................................................2-293
2.21.6 display right-manager role-info........................................................................................................2-294
2.21.7 display right-manager server-group.................................................................................................2-295
2.21.8 display right-manager statistics........................................................................................................2-296
2.21.9 local..................................................................................................................................................2-297
2.21.10 right-manager server-group............................................................................................................2-298
2.21.11 right-manager server-group enable................................................................................................2-299
2.21.12 right-manager status-detect enable.................................................................................................2-300
2.21.13 right-manager user user-name ip roles...........................................................................................2-300
2.21.14 server ip..........................................................................................................................................2-302
2.21.15 sync role-info..................................................................................................................................2-303
2.22 IP-CAR Configuration Commands...........................................................................................................2-304
2.22.1 debugging firewall ip-car.................................................................................................................2-304
2.22.2 display firewall car-class..................................................................................................................2-305
2.22.3 display firewall conn-class...............................................................................................................2-306
2.22.4 display firewall statistic ip-car.........................................................................................................2-307
2.22.5 display ip monitor table....................................................................................................................2-308
2.22.6 firewall car-class..............................................................................................................................2-309
2.22.7 firewall conn-class............................................................................................................................2-310
2.22.8 ip-car.................................................................................................................................................2-310

2.22.9 ip-car enable.....................................................................................................................................2-312
2.22.10 ip-car filter......................................................................................................................................2-312
2.22.11 ip-conn............................................................................................................................................2-314
2.22.12 ip-conn filter...................................................................................................................................2-315
2.22.13 reset firewall statistic ip-car zone...................................................................................................2-316

3 Internetworking..........................................................................................................................3-1
3.1 Interface Management Commands..................................................................................................................3-3
3.1.1 description..............................................................................................................................................3-3
3.1.2 display interface.....................................................................................................................................3-4
3.1.3 display ip interface.................................................................................................................................3-6
3.1.4 interface................................................................................................................................................3-10
3.1.5 reset counters interface.........................................................................................................................3-11
3.1.6 restart....................................................................................................................................................3-12
3.1.7 shutdown (Interface View)...................................................................................................................3-12
3.2 Ethernet Interface Configuration Commands................................................................................................3-13
3.2.1 display interface ethernet......................................................................................................................3-14
3.2.2 duplex...................................................................................................................................................3-16
3.2.3 ip fast-forwarding output......................................................................................................................3-17
3.2.4 ip fast-forwarding qff...........................................................................................................................3-18
3.2.5 ip fast-forwarding same-interface........................................................................................................3-19
3.2.6 loopback (Ethernet interface view)......................................................................................................3-20
3.2.7 mtu (Ethernet interface view)...............................................................................................................3-21
3.2.8 speed (Ethernet Interface View)...........................................................................................................3-22
3.3 AUX Interface Configuration Commands....................................................................................................3-22
3.3.1 async mode...........................................................................................................................................3-23
3.3.2 detect dsr-dtr.........................................................................................................................................3-23
3.3.3 link-protocol ppp (AUX Interface View).............................................................................................3-24
3.3.4 loopback (AUX Interface View)..........................................................................................................3-25
3.3.5 mtu (AUX Interface View)..................................................................................................................3-26
3.4 Basic Logical Interface Configuration Commands.......................................................................................3-26
3.4.1 broadcast-limit link..............................................................................................................................3-27
3.4.2 display interface (Logic Interface).......................................................................................................3-27
3.4.3 display virtual-access...........................................................................................................................3-30
3.4.4 mac-address..........................................................................................................................................3-32
3.4.5 interface (Logic Interface)....................................................................................................................3-33
3.5 E1 Interface Configuration Commands.........................................................................................................3-34
3.5.1 channel-set (E1 Interface View)...........................................................................................................3-34
3.5.2 clock (E1 Interface View)....................................................................................................................3-35
3.5.3 code (E1 Interface View).....................................................................................................................3-36
3.5.4 controller e1 (E1 Interface)..................................................................................................................3-37
3.5.5 display controller e1 (E1 Interface)......................................................................................................3-38
3.5.6 frame-format (E1 Interface View)........................................................................................................3-39

3.5.7 loopback (E1 Interface View).............................................................................................................. 3-40


3.5.8 using (E1 Interface View)....................................................................................................................3-41
3.6 CE1 Interface Configuration Commands......................................................................................................3-42
3.6.1 channel-set (CE1 Interface View)........................................................................................................3-43
3.6.2 clock (CE1 Interface View)..................................................................................................................3-44
3.6.3 code (CE1 Interface View)...................................................................................................................3-45
3.6.4 controller e1 (CE1 Interface)................................................................................................................3-46
3.6.5 display controller e1 (CE1 Interface)...................................................................................................3-47
3.6.6 frame-format (CE1 Interface View).....................................................................................................3-48
3.6.7 loopback (CE1 Interface View)............................................................................................................3-49
3.6.8 using (CE1 Interface View)..................................................................................................................3-50
3.7 T1 Interface Configuration Commands.........................................................................................................3-51
3.7.1 channel-set (T1 Interface View)...........................................................................................................3-52
3.7.2 clock (T1 Interface View).................................................................................................................... 3-53
3.7.3 code (T1 Interface View)..................................................................................................................... 3-54
3.7.4 controller t1 (T1 Interface)...................................................................................................................3-54
3.7.5 display controller t1 (T1 Interface)...................................................................................................... 3-55
3.7.6 frame-format (T1 Interface View)........................................................................................................3-57
3.7.7 loopback (T1 Interface View).............................................................................................................. 3-58
3.8 CT1 Interface Configuration Commands......................................................................................................3-59
3.8.1 channel-set (CT1 Interface View)........................................................................................................3-59
3.8.2 clock (CT1 Interface View)..................................................................................................................3-60
3.8.3 code (CT1 Interface View)...................................................................................................................3-61
3.8.4 controller t1 (CT1 Interface)................................................................................................................ 3-62
3.8.5 display controller t1 (CT1 Interface)....................................................................................................3-63
3.8.6 frame-format (CT1 Interface View).....................................................................................................3-64
3.8.7 loopback (CT1 Interface View)............................................................................................................3-65
3.9 IP Address Configuration Commands...........................................................................................................3-66
3.9.1 display ip interface...............................................................................................................................3-66
3.9.2 firewall permit sub-ip...........................................................................................................................3-70
3.9.3 ip address..............................................................................................................................................3-71
3.9.4 ip address ppp-negotiate.......................................................................................................................3-72
3.9.5 remote address......................................................................................................................................3-73
3.10 IP Performance Configuration Commands.................................................................................................3-74
3.10.1 debugging ip.......................................................................................................................................3-74
3.10.2 debugging tcp event........................................................................................................................... 3-75
3.10.3 debugging tcp md5.............................................................................................................................3-76
3.10.4 debugging tcp packet..........................................................................................................................3-77
3.10.5 debugging udp packet.........................................................................................................................3-78
3.10.6 display fib...........................................................................................................................................3-78
3.10.7 display fib |.........................................................................................................................................3-79
3.10.8 display fib acl.....................................................................................................................................3-81

3.10.9 display fib ip-prefix............................................................................................................................3-82


3.10.10 display fib longer..............................................................................................................................3-84
3.10.11 display fib statistics..........................................................................................................................3-85
3.10.12 display icmp statistics.......................................................................................................................3-86
3.10.13 display ip interface...........................................................................................................................3-88
3.10.14 display ip socket...............................................................................................................................3-92
3.10.15 display ip statistics...........................................................................................................................3-94
3.10.16 display tcp statistics..........................................................................................................................3-95
3.10.17 display tcp status..............................................................................................................................3-98
3.10.18 display udp statistics.........................................................................................................................3-99
3.10.19 reset ip statistics.............................................................................................................................3-100
3.10.20 reset tcp statistics............................................................................................................................3-101
3.10.21 reset udp statistics...........................................................................................................................3-102
3.10.22 tcp timer fin-timeout.......................................................................................................................3-102
3.10.23 tcp timer syn-timeout.....................................................................................................................3-103
3.10.24 tcp window.....................................................................................................................................3-104
3.11 IP Unicast Policy Routing Configuration Commands..............................................................................3-105
3.11.1 apply cost..........................................................................................................................................3-106
3.11.2 apply cost-type.................................................................................................................................3-106
3.11.3 apply default output-interface..........................................................................................................3-107
3.11.4 apply ip-address default next-hop....................................................................................................3-108
3.11.5 apply ip-address next-hop (unicast).................................................................................................3-109
3.11.6 apply ip-precedence..........................................................................................................................3-110
3.11.7 apply output-interface......................................................................................................................3-111
3.11.8 display ip policy...............................................................................................................................3-112
3.11.9 display ip policy setup......................................................................................................................3-113
3.11.10 display ip policy statistics..............................................................................................................3-114
3.11.11 if-match acl (unicast)......................................................................................................................3-114
3.11.12 if-match cost...................................................................................................................................3-115
3.11.13 if-match interface...........................................................................................................................3-116
3.11.14 if-match ip next-hop.......................................................................................................................3-117
3.11.15 if-match ip-prefix...........................................................................................................................3-118
3.11.16 if-match packet-length....................................................................................................................3-119
3.11.17 ip ip-prefix......................................................................................................................................3-120
3.11.18 ip local policy route-policy............................................................................................................3-121
3.11.19 ip policy route-policy.....................................................................................................................3-122
3.11.20 route-policy (unicast).....................................................................................................................3-123
3.12 IP Multicast Policy Routing Configuration Commands...........................................................................3-124
3.12.1 apply ip-address next-hop (multicast)..............................................................................................3-124
3.12.2 debugging ip multicast-policy..........................................................................................................3-125
3.12.3 display ip multicast-policy...............................................................................................................3-126
3.12.4 if-match acl (multicast)....................................................................................................................3-127

3.12.5 ip multicast-policy route-policy.......................................................................................................3-128


3.12.6 route-policy (multicast)....................................................................................................................3-129
3.13 Common IP Multicast Configuration Commands.....................................................................................3-130
3.13.1 display ip routing-table protocol multicast-static.............................................................................3-131
3.13.2 display multicast forwarding-table...................................................................................................3-132
3.13.3 display multicast routing-table.........................................................................................................3-133
3.13.4 display multicast rpf-info.................................................................................................................3-134
3.13.5 ip rpf-longest-match.........................................................................................................................3-135
3.13.6 ip rpf-route-static..............................................................................................................................3-136
3.13.7 mtracert.............................................................................................................................................3-137
3.13.8 multicast minimum-ttl......................................................................................................................3-139
3.13.9 multicast packet-boundary...............................................................................................................3-139
3.13.10 multicast route-limit.......................................................................................................................3-140
3.13.11 multicast routing-enable.................................................................................................................3-141
3.13.12 reset multicast forwarding-table.....................................................................................................3-142
3.13.13 reset multicast routing-table...........................................................................................................3-143
3.14 IGMP Configuration Commands..............................................................................................................3-144
3.14.1 debugging igmp................................................................................................................................3-145
3.14.2 display igmp group...........................................................................................................................3-146
3.14.3 display igmp interface......................................................................................................................3-147
3.14.4 display igmp local............................................................................................................................3-148
3.14.5 igmp enable......................................................................................................................................3-149
3.14.6 igmp group-limit..............................................................................................................................3-150
3.14.7 igmp group-policy............................................................................................................................3-150
3.14.8 igmp host-join..................................................................................................................................3-151
3.14.9 igmp lastmember-queryinterval.......................................................................................................3-152
3.14.10 igmp max-response-time................................................................................................................3-153
3.14.11 igmp proxy.....................................................................................................................................3-154
3.14.12 igmp robust-count..........................................................................................................................3-155
3.14.13 igmp timer other-querier-present....................................................................................................3-156
3.14.14 igmp timer query............................................................................................................................3-157
3.14.15 igmp version...................................................................................................................................3-158
3.14.16 reset igmp group.............................................................................................................................3-159
3.15 PIM Configuration Commands.................................................................................................................3-160
3.15.1 bsr-policy..........................................................................................................................................3-161
3.15.2 c-bsr..................................................................................................................................................3-162
3.15.3 c-rp...................................................................................................................................................3-163
3.15.4 crp-policy.........................................................................................................................................3-164
3.15.5 display pim bsr-info.........................................................................................................................3-165
3.15.6 display pim interface........................................................................................................................3-166
3.15.7 display pim local..............................................................................................................................3-167
3.15.8 display pim neighbor........................................................................................................................3-168

3.15.9 display pim routing-table.................................................................................................................3-168


3.15.10 display pim rp-info.........................................................................................................................3-169
3.15.11 pim..................................................................................................................................................3-170
3.15.12 pim bsr-boundary...........................................................................................................................3-171
3.15.13 pim dm............................................................................................................................................3-172
3.15.14 pim neighbor-limit..........................................................................................................................3-173
3.15.15 pim neighbor-policy.......................................................................................................................3-174
3.15.16 pim sm............................................................................................................................................3-174
3.15.17 pim timer hello...............................................................................................................................3-175
3.15.18 register-policy.................................................................................................................................3-176
3.15.19 reset pim neighbor..........................................................................................................................3-177
3.15.20 reset pim routing-table...................................................................................................................3-178
3.15.21 source-policy..................................................................................................................................3-179
3.15.22 spt-switch-threshold.......................................................................................................................3-180
3.15.23 static-rp...........................................................................................................................................3-181
3.16 MSDP Configuration Commands.............................................................................................................3-182
3.16.1 cache-sa-enable................................................................................................................................3-183
3.16.2 debugging msdp...............................................................................................................................3-184
3.16.3 display msdp brief............................................................................................................................3-185
3.16.4 display msdp peer-status..................................................................................................................3-185
3.16.5 display msdp sa-cache......................................................................................................................3-186
3.16.6 display msdp sa-count......................................................................................................................3-187
3.16.7 import-source...................................................................................................................................3-188
3.16.8 msdp.................................................................................................................................................3-189
3.16.9 msdp-tracert......................................................................................................................................3-190
3.16.10 originating-rp..................................................................................................................................3-192
3.16.11 peer connect-interface....................................................................................................................3-193
3.16.12 peer description..............................................................................................................................3-194
3.16.13 peer mesh-group.............................................................................................................................3-194
3.16.14 peer minimum-ttl............................................................................................................................3-195
3.16.15 peer request-sa-enable....................................................................................................................3-196
3.16.16 peer sa-cache-maximum.................................................................................................................3-197
3.16.17 peer sa-policy.................................................................................................................................3-198
3.16.18 peer sa-request-policy....................................................................................................................3-199
3.16.19 reset msdp peer...............................................................................................................................3-200
3.16.20 reset msdp sa-cache........................................................................................................................3-200
3.16.21 reset msdp statistics........................................................................................................................3-201
3.16.22 shutdown (MSDP View of Public Network Instance)...................................................................3-202
3.16.23 static-rpf-peer.................................................................................................................................3-202
3.16.24 timer retry.......................................................................................................................................3-204
3.17 Static Route Configuration Commands.....................................................................................................3-204
3.17.1 display ip routing-table.....................................................................................................................3-205

3.17.2 display ip routing-table (destination range specified)......................................................................3-206


3.17.3 display ip routing-table (destination specified)................................................................................3-207
3.17.4 display ip routing-table acl...............................................................................................................3-208
3.17.5 display ip routing-table ip-prefix......................................................................................................3-210
3.17.6 display ip routing-table protocol......................................................................................................3-211
3.17.7 display ip routing-table radix...........................................................................................................3-212
3.17.8 display ip routing-table statistics......................................................................................................3-213
3.17.9 display ip routing-table verbose.......................................................................................................3-214
3.17.10 ip route-static..................................................................................................................................3-216
3.18 ARP Configuration Commands................................................................................................................3-218
3.18.1 arp detect-times................................................................................................................................3-219
3.18.2 arp expire-time.................................................................................................................................3-219
3.18.3 arp-proxy enable...............................................................................................................................3-220
3.18.4 arp static...........................................................................................................................................3-221
3.18.5 arp multi-mac-permit........................................................................................................................3-222
3.18.6 debugging arp packet.......................................................................................................................3-223
3.18.7 display arp........................................................................................................................................3-223
3.18.8 reset arp............................................................................................................................................3-225
3.19 DHCP Configuration Commands..............................................................................................................3-226
3.19.1 debugging dhcp relay.......................................................................................................................3-228
3.19.2 debugging dhcp server.....................................................................................................................3-229
3.19.3 dhcp client enable.............................................................................................................................3-230
3.19.4 dhcp client forbid.............................................................................................................................3-231
3.19.5 dhcp client renew.............................................................................................................................3-232
3.19.6 dhcp enable.......................................................................................................................................3-233
3.19.7 dhcp relay release.............................................................................................................................3-234
3.19.8 dhcp select (Interface View).............................................................................................................3-234
3.19.9 dhcp select (System View)...............................................................................................................3-235
3.19.10 dhcp server detect...........................................................................................................................3-236
3.19.11 dhcp server dns-list (Interface View).............................................................................................3-237
3.19.12 dhcp server dns-list (System View)...............................................................................................3-238
3.19.13 dhcp server domain-name (Interface View)...................................................................................3-239
3.19.14 dhcp server domain-name (System View).....................................................................................3-240
3.19.15 dhcp server expired (Interface View).............................................................................................3-241
3.19.16 dhcp server expired (System View)...............................................................................................3-242
3.19.17 dhcp server forbidden-ip................................................................................................................3-244
3.19.18 dhcp server ip-pool.........................................................................................................................3-245
3.19.19 dhcp server nbns-list (Interface View)...........................................................................................3-246
3.19.20 dhcp server nbns-list (System View).............................................................................................3-247
3.19.21 dhcp server netbios-type (Interface View).....................................................................................3-248
3.19.22 dhcp server netbios-type (System View).......................................................................................3-249
3.19.23 dhcp server option (Interface View)...............................................................................................3-250

3.19.24 dhcp server option (System View).................................................................................................3-251
3.19.25 dhcp server ping.............................................................................................................................3-253
3.19.26 dhcp server static-bind...................................................................................................................3-253
3.19.27 display dhcp relay address..............................................................................................................3-254
3.19.28 display dhcp relay statistics............................................................................................................3-255
3.19.29 display dhcp server conflict............................................................................................................3-257
3.19.30 display dhcp server expired............................................................................................................3-258
3.19.31 display dhcp server free-ip.............................................................................................................3-259
3.19.32 display dhcp server ip-in-use..........................................................................................................3-260
3.19.33 display dhcp server statistics..........................................................................................................3-261
3.19.34 display dhcp server tree..................................................................................................................3-263
3.19.35 display dhcp-client.........................................................................................................................3-265
3.19.36 dns-list............................................................................................................................................3-266
3.19.37 domain-name..................................................................................................................................3-267
3.19.38 expired............................................................................................................................................3-268
3.19.39 gateway-list....................................................................................................................................3-269
3.19.40 ip relay address (Interface View)...................................................................................................3-270
3.19.41 ip relay address (System View)......................................................................................................3-271
3.19.42 nbns-list..........................................................................................................................................3-272
3.19.43 netbios-type....................................................................................................................................3-273
3.19.44 network (DHCP)............................................................................................................................3-274
3.19.45 option..............................................................................................................................................3-275
3.19.46 reset dhcp relay statistics................................................................................................................3-276
3.19.47 reset dhcp server conflict................................................................................................................3-276
3.19.48 reset dhcp server ip-in-use..............................................................................................................3-277
3.19.49 reset dhcp server statistics..............................................................................................................3-278
3.19.50 static-bind ip-address......................................................................................................................3-279
3.19.51 static-bind mac-address..................................................................................................................3-280
3.20 DNS Configuration Commands................................................................................................................3-281
3.20.1 display ip host...................................................................................................................................3-281
3.20.2 ip host...............................................................................................................................................3-281
3.21 OSPF Configuration Commands...............................................................................................................3-282
3.21.1 abr-summary.....................................................................................................................................3-284
3.21.2 area...................................................................................................................................................3-285
3.21.3 asbr-summary...................................................................................................................................3-286
3.21.4 authentication-mode (OSPF Area View).........................................................................................3-287
3.21.5 debugging ospf.................................................................................................................................3-288
3.21.6 default cost (OSPF View)................................................................................................................3-290
3.21.7 default interval..................................................................................................................................3-291
3.21.8 default limit......................................................................................................................................3-292
3.21.9 default tag.........................................................................................................................................3-293
3.21.10 default type.....................................................................................................................................3-294

3.21.11 default-cost.....................................................................................................................................3-294
3.21.12 default-route-advertise...................................................................................................................3-296
3.21.13 display debugging ospf...................................................................................................................3-297
3.21.14 display ospf abr-asbr......................................................................................................................3-298
3.21.15 display ospf asbr-summary.............................................................................................................3-299
3.21.16 display ospf brief............................................................................................................................3-301
3.21.17 display ospf cumulative..................................................................................................................3-302
3.21.18 display ospf diagnostic-information...............................................................................................3-304
3.21.19 display ospf error............................................................................................................................3-306
3.21.20 display ospf interface.....................................................................................................................3-307
3.21.21 display ospf lsdb.............................................................................................................................3-307
3.21.22 display ospf nexthop.......................................................................................................................3-311
3.21.23 display ospf peer.............................................................................................................................3-312
3.21.24 display ospf peer address................................................................................................................3-313
3.21.25 display ospf peer interface..............................................................................................................3-314
3.21.26 display ospf peer route-id...............................................................................................................3-315
3.21.27 display ospf request-queue.............................................................................................................3-315
3.21.28 display ospf retrans-queue..............................................................................................................3-316
3.21.29 display ospf routing........................................................................................................................3-317
3.21.30 display ospf vlink...........................................................................................................................3-317
3.21.31 domain-id.......................................................................................................................................3-318
3.21.32 filter-policy export (OSPF View)...................................................................................................3-319
3.21.33 filter-policy import (OSPF View)..................................................................................................3-320
3.21.34 import-route (OSPF View).............................................................................................................3-321
3.21.35 network (OSPF Area View).........................................................................................................3-322
3.21.36 nssa.................................................................................................................................................3-323
3.21.37 opaque-capbility.............................................................................................................................3-324
3.21.38 ospf.................................................................................................................................................3-325
3.21.39 ospf authentication-mode...............................................................................................................3-326
3.21.40 ospf cost..........................................................................................................................................3-327
3.21.41 ospf dr-priority...............................................................................................................................3-328
3.21.42 ospf mib-binding............................................................................................................................3-329
3.21.43 ospf mtu-enable..............................................................................................................................3-330
3.21.44 ospf network-type...........................................................................................................................3-330
3.21.45 ospf timer dead...............................................................................................................................3-332
3.21.46 ospf timer hello...............................................................................................................................3-333
3.21.47 ospf timer poll................................................................................................................................3-333
3.21.48 ospf timer retransmit......................................................................................................................3-334
3.21.49 ospf trans-delay..............................................................................................................................3-335
3.21.50 peer (OSPF View)..........................................................................................................................3-336
3.21.51 preference (OSPF View)................................................................................................................3-337
3.21.52 reset ospf........................................................................................................................................3-338

3.21.53 router id..........................................................................................................................................3-339
3.21.54 silent-interface................................................................................................................................3-340
3.21.55 snmp-agent trap enable ospf...........................................................................................................3-341
3.21.56 spf-schedule-interval......................................................................................................................3-342
3.21.57 stub.................................................................................................................................................3-343
3.21.58 vlink-peer.......................................................................................................................................3-344
3.22 PPP Configuration Commands..................................................................................................................3-345
3.22.1 debugging ppp..................................................................................................................................3-346
3.22.2 display interface mp-group...............................................................................................................3-348
3.22.3 display ppp compression iphc..........................................................................................................3-350
3.22.4 display ppp mp.................................................................................................................................3-351
3.22.5 interface mp-group...........................................................................................................................3-352
3.22.6 ip tcp vjcompress..............................................................................................................................3-353
3.22.7 link-protocol ppp..............................................................................................................................3-354
3.22.8 ppp authentication-mode..................................................................................................................3-355
3.22.9 ppp callback......................................................................................................................................3-356
3.22.10 ppp callback ntstring......................................................................................................................3-357
3.22.11 ppp chap password.........................................................................................................................3-357
3.22.12 ppp chap user..................................................................................................................................3-358
3.22.13 ppp compression iphc.....................................................................................................................3-359
3.22.14 ppp compression stac-lzs................................................................................................................3-360
3.22.15 ppp ipcp dns...................................................................................................................................3-361
3.22.16 ppp lqc............................................................................................................................................3-362
3.22.17 ppp mp............................................................................................................................................3-363
3.22.18 ppp mp binding-mode....................................................................................................................3-365
3.22.19 ppp mp max-bind...........................................................................................................................3-366
3.22.20 ppp mp mp-group...........................................................................................................................3-367
3.22.21 ppp mp min-fragment.....................................................................................................................3-368
3.22.22 ppp mp user bind virtual-template.................................................................................................3-369
3.22.23 ppp mp virtual-template.................................................................................................................3-370
3.22.24 ppp pap local-user..........................................................................................................................3-372
3.22.25 ppp timer negotiate.........................................................................................................................3-373
3.22.26 timer hold.......................................................................................................................................3-373
3.23 PPPoE Configuration Commands.............................................................................................................3-374
3.23.1 reset pppoe-server session statistic interface....................................................................................3-374
3.23.2 debugging pppoe-client....................................................................................................................3-375
3.23.3 display pppoe-client session.............................................................................................................3-376
3.23.4 display pppoe-server session............................................................................................................3-378
3.23.5 pppoe-client......................................................................................................................................3-379
3.23.6 pppoe-server bind virtual-template..................................................................................................3-380
3.23.7 pppoe-server max-sessions local-mac..............................................................................................3-381
3.23.8 pppoe-server max-sessions remote-mac...........................................................................................3-382

3.23.9 pppoe-server max-sessions total.......................................................................................................3-383
3.23.10 reset pppoe-client...........................................................................................................................3-384
3.24 QoS Configuration Commands.................................................................................................................3-385
3.24.1 car.....................................................................................................................................................3-386
3.24.2 classifier behavior............................................................................................................................3-387
3.24.3 display traffic behavior.....................................................................................................................3-388
3.24.4 display traffic classifier....................................................................................................................3-390
3.24.5 gts.....................................................................................................................................................3-391
3.24.6 if-match acl (Traffic Classifier View)..............................................................................................3-392
3.24.7 if-match any......................................................................................................................................3-393
3.24.8 if-match classifier.............................................................................................................................3-394
3.24.9 if-match dscp....................................................................................................................................3-395
3.24.10 if-match inbound-interface.............................................................................................................3-396
3.24.11 if-match ip-precedence...................................................................................................................3-397
3.24.12 if-match mac...................................................................................................................................3-398
3.24.13 if-match protocol ip........................................................................................................................3-399
3.24.14 if-match rtp.....................................................................................................................................3-400
3.24.15 qos apply policy............................................................................................................................. 3-401
3.24.16 qos policy....................................................................................................................................... 3-402
3.24.17 qos reserved-bandwidth..................................................................................................................3-403
3.24.18 queue af..........................................................................................................................................3-404
3.24.19 queue ef..........................................................................................................................................3-405
3.24.20 queue wfq.......................................................................................................................................3-406
3.24.21 queue-length...................................................................................................................................3-407
3.24.22 remark dscp....................................................................................................................................3-408
3.24.23 remark fr-de....................................................................................................................................3-409
3.24.24 remark ip-precedence.....................................................................................................................3-410
3.24.25 traffic behavior...............................................................................................................................3-411
3.24.26 traffic classifier...............................................................................................................................3-412
3.24.27 wred................................................................................................................................................3-413
3.24.28 wred dscp........................................................................................................................................3-414
3.24.29 wred ip-precedence.........................................................................................................................3-415
3.24.30 wred weighting-constant................................................................................................................3-416
3.25 RIP Configuration Commands..................................................................................................................3-417
3.25.1 checkzero..........................................................................................................................................3-418
3.25.2 debugging rip....................................................................................................................................3-418
3.25.3 default cost (RIP View)....................................................................................................................3-419
3.25.4 display rip.........................................................................................................................................3-420
3.25.5 filter-policy export (RIP View)........................................................................................................3-421
3.25.6 filter-policy import (RIP View)........................................................................................................3-422
3.25.7 host-route..........................................................................................................................................3-423
3.25.8 import-route (RIP View)..................................................................................................................3-424

3.25.9 network (RIP View).........................................................................................................................3-425
3.25.10 peer (RIP View).............................................................................................................................3-426
3.25.11 preference (RIP View)...................................................................................................................3-427
3.25.12 reset................................................................................................................................................3-428
3.25.13 rip...................................................................................................................................................3-429
3.25.14 rip authentication-mode..................................................................................................................3-429
3.25.15 rip input..........................................................................................................................................3-431
3.25.16 rip metricin.....................................................................................................................................3-432
3.25.17 rip metricout...................................................................................................................................3-433
3.25.18 rip output........................................................................................................................................3-434
3.25.19 rip split-horizon..............................................................................................................................3-435
3.25.20 rip version.......................................................................................................................................3-435
3.25.21 rip work..........................................................................................................................................3-436
3.25.22 summary.........................................................................................................................................3-437
3.25.23 timers..............................................................................................................................................3-438
3.26 VLAN Configuration Commands.............................................................................................................3-439
3.26.1 debugging vlan packet......................................................................................................................3-439
3.26.2 display vlan statistics interface.........................................................................................................3-440
3.26.3 display vlan statistics vid..................................................................................................................3-441
3.26.4 reset vlan statistics interface.............................................................................................................3-442
3.26.5 reset vlan statistics vid......................................................................................................................3-442
3.26.6 vlan-type dot1q.................................................................................................................................3-443
3.27 Frame Relay Configuration Commands....................................................................................................3-444
3.27.1 debugging fr inarp............................................................................................................................3-446
3.27.2 debugging fr packet..........................................................................................................................3-446
3.27.3 debugging fr.....................................................................................................................................3-447
3.27.4 display fr compress...........................................................................................................................3-449
3.27.5 display fr dlci-switch........................................................................................................................3-450
3.27.6 display fr fragment-info...................................................................................................................3-451
3.27.7 display fr inarp-info..........................................................................................................................3-452
3.27.8 display fr interface............................................................................................................................3-453
3.27.9 display fr iphc...................................................................................................................................3-454
3.27.10 display fr lmi-info...........................................................................................................................3-455
3.27.11 display fr map-info.........................................................................................................................3-456
3.27.12 display fr pvc-info..........................................................................................................................3-458
3.27.13 display fr standby group.................................................................................................................3-459
3.27.14 display fr statistics..........................................................................................................................3-461
3.27.15 display fr switch-table....................................................................................................................3-462
3.27.16 display interface mfr.......................................................................................................................3-463
3.27.17 display mfr......................................................................................................................................3-466
3.27.18 fr compression frf9.........................................................................................................................3-469
3.27.19 fr compression iphc........................................................................................................................3-470
3.27.20 fr dlci..............................................................................................................................................3-471
3.27.21 fr dlci-switch.................................................................................................................................. 3-472
3.27.22 fr inarp............................................................................................................................................3-473
3.27.23 fr interface-type..............................................................................................................................3-474
3.27.24 fr iphc............................................................................................................................................. 3-475
3.27.25 fr lmi n391dte.................................................................................................................................3-476
3.27.26 fr lmi n392dce................................................................................................................................ 3-477
3.27.27 fr lmi n392dte.................................................................................................................................3-478
3.27.28 fr lmi n393dce................................................................................................................................ 3-479
3.27.29 fr lmi n393dte.................................................................................................................................3-480
3.27.30 fr lmi t392dce.................................................................................................................................3-481
3.27.31 fr lmi type.......................................................................................................................................3-482
3.27.32 fr map ip.........................................................................................................................................3-483
3.27.33 fr standby group switch..................................................................................................................3-485
3.27.34 fr standby group switch auto..........................................................................................................3-485
3.27.35 fr standby group switch master...................................................................................................... 3-486
3.27.36 fr standby group switch slave.........................................................................................................3-487
3.27.37 fr switch..........................................................................................................................................3-488
3.27.38 fr switching.....................................................................................................................................3-489
3.27.39 interface mfr...................................................................................................................................3-490
3.27.40 link-protocol (FR Interface View)..................................................................................................3-491
3.27.41 link-protocol fr mfr.........................................................................................................................3-492
3.27.42 mfr bundle-name............................................................................................................................3-493
3.27.43 mfr fragment...................................................................................................................................3-494
3.27.44 mfr fragment-size...........................................................................................................................3-495
3.27.45 mfr link-name.................................................................................................................................3-496
3.27.46 mfr retry..........................................................................................................................................3-497
3.27.47 mfr timer ack..................................................................................................................................3-498
3.27.48 mfr timer hello................................................................................................................................3-499
3.27.49 mfr window-size.............................................................................................................................3-499
3.27.50 mtu (FR Interface View)................................................................................................................3-500
3.27.51 reset fr inarp................................................................................................................................... 3-501
3.27.52 shutdown (FR Interface View).......................................................................................................3-502
3.27.53 timer hold (FR Interface View)......................................................................................................3-503
3.28 HDLC Configuration Commands............................................................................................................. 3-504
3.28.1 debugging hdlc all............................................................................................................................3-504
3.28.2 debugging hdlc event....................................................................................................................... 3-505
3.28.3 debugging hdlc.................................................................................................................................3-506
3.28.4 ip address unnumbered.....................................................................................................................3-508
3.28.5 timer hold (HDLC)...........................................................................................................................3-509

4 Reliability....................................................................................................................................4-1
4.1 VRRP Backup Group Configuration Commands...........................................................................................4-2
4.1.1 debugging vrrp.......................................................................................................................................4-2
4.1.2 display vrrp.............................................................................................................................................4-3
4.1.3 vrrp un-check ttl.....................................................................................................................................4-4
4.1.4 vrrp vrid preempt-mode.........................................................................................................................4-5
4.1.5 vrrp vrid priority.....................................................................................................................................4-6
4.1.6 vrrp vrid timer advertise.........................................................................................................................4-7
4.1.7 vrrp vrid track.........................................................................................................................................4-8
4.1.8 vrrp vrid virtual-ip................................................................................................................................4-10
4.2 VRRP Management Group Configuration Commands.................................................................................4-11
4.2.1 add interface (VRRP Management Group View)................................................................................4-11
4.2.2 debugging vrrp-group...........................................................................................................................4-13
4.2.3 display vrrp-group................................................................................................................................4-14
4.2.4 triggerdown interface...........................................................................................................................4-14
4.2.5 vgmp-flash enable................................................................................................................................4-15
4.2.6 vrrp group.............................................................................................................................................4-16
4.2.7 vrrp-group enable.................................................................................................................................4-17
4.2.8 vrrp-group group-send..........................................................................................................................4-18
4.2.9 vrrp-group manual-preempt.................................................................................................................4-19
4.2.10 vrrp-group preempt............................................................................................................................4-19
4.2.11 vrrp-group priority..............................................................................................................................4-20
4.2.12 vrrp-group timer hello........................................................................................................................4-22
4.3 HRP Configuration Commands....................................................................................................................4-23
4.3.1 debugging hrp.......................................................................................................................................4-24
4.3.2 debugging hrp configuration check......................................................................................................4-25
4.3.3 display hrp............................................................................................................................................4-26
4.3.4 display hrp configuration check...........................................................................................................4-27
4.3.5 firewall mode composite permit-backupforward.................................................................................4-29
4.3.6 firewall session bak-time......................................................................................................................4-30
4.3.7 hrp auto-sync........................................................................................................................................4-30
4.3.8 hrp configuration check........................................................................................................................4-31
4.3.9 hrp enable.............................................................................................................................................4-33
4.3.10 hrp ospf-cost adjust-enable.................................................................................................................4-34
4.3.11 hrp sync..............................................................................................................................................4-35
4.4 IP-Link Configuration Commands................................................................................................................4-36
4.4.1 debugging ip-link.................................................................................................................................4-36
4.4.2 display ip-link.......................................................................................................................................4-37
4.4.3 ip-link...................................................................................................................................................4-38
4.4.4 ip-link check enable.............................................................................................................................4-39


Tables

Table 1-1 Description of the display clock command output...............................................................................1-5
Table 1-2 Description of the display hotkey command output............................................................................1-8
Table 1-3 Description of the display rsa local-key-pair public command output..............................................1-29
Table 1-4 Description of the display rsa peer-public-key command output......................................................1-31
Table 1-5 Description of the display ssh server session command output.........................................................1-32
Table 1-6 Description of the ssh user-information command output.................................................................1-33
Table 1-7 Description of the display tcp status command output......................................................................1-34
Table 1-8 Description of the display user-interface command output...............................................................1-36
Table 1-9 Description of the display user-interface maximum-vty command output........................................1-37
Table 1-10 Description of the display users command output...........................................................................1-38
Table 1-11 Description of the display firewall transparent-mode address-table command output....................1-72
Table 1-12 Description of the display firewall transparent-mode traffic command output...............................1-73
Table 1-13 Description of the display ftp-server command output..................................................................1-102
Table 1-14 Description of the display ftp-users command output................................................................... 1-103
Table 1-15 Description of the display startup command output...................................................................... 1-105
Table 1-16 Description of the debugging firewall packet-capture capture command output.......................... 1-138
Table 1-17 Description of the debugging firewall packet-capture send command output...............................1-138
Table 1-18 Description of the debugging firewall packet-capture error command output.............................. 1-139
Table 1-19 Description of the debugging firewall packet-capture event command output............................. 1-140
Table 1-20 Description of the display channel command output.....................................................................1-141
Table 1-21 Description of the display firewall packet-capture configuration command output......................1-147
Table 1-22 Description of the display firewall packet-capture queue command output..................................1-149
Table 1-23 Description of the display firewall packet-capture statistic command output...............................1-150
Table 1-24 Description of the display info-center command output................................................................1-152
Table 1-25 Description of the display logbuffer command output.................................................................. 1-154
Table 1-26 Description of the display schedule reboot command output........................................................1-156
Table 1-27 Description of the display trapbuffer command output................................................................. 1-157
Table 1-28 Definition of eight information levels............................................................................................1-172
Table 1-29 Description of date.........................................................................................................................1-174
Table 1-30 Description of the ping command output.......................................................................................1-178
Table 1-31 Description of the display ntp-service status command output......................................................1-197
Table 1-32 Description of the display ntp service trace command output.......................................................1-199
Table 1-33 Description of the NTP access authority........................................................................................1-200
Table 1-34 Description of the display snmp-agent command output...............................................................1-215
Table 1-35 Description of the display snmp-agent community command output...........................................1-216
Table 1-36 Description of the display snmp-agent group command output....................................................1-217
Table 1-37 Description of the display snmp-agent mib-view command output..............................................1-218
Table 1-38 Description of the display snmp-agent statistics command output................................................1-219
Table 1-39 Description of the display snmp-agent sys-info command output.................................................1-221
Table 1-40 Description of the display snmp-agent usm-user command output...............................................1-222
Table 2-1 Description of the display ip address-set all command output...........................................................2-10
Table 2-2 Description of the display ip port-set all command output................................................................2-12
Table 2-3 Description of the display time-range all command output...............................................................2-13
Table 2-4 Description of the display firewall session aging-time command output..........................................2-33
Table 2-5 Description of the display firewall session no-pat command output.................................................2-36
Table 2-6 Description of the display firewall session table verbose command output......................................2-37
Table 2-7 Description of the display nat command output..............................................................................2-120
Table 2-8 Description of the display accounting-scheme command output.....................................................2-149
Table 2-9 Description of the display user-car 3 command output....................................................................2-154
Table 2-10 Description of the display l2tp session command output...............................................................2-230
Table 2-11 Description of the display l2tp tunnel command output................................................................2-231
Table 2-12 Description of the display interface tunnel 0 command output.....................................................2-246
Table 2-13 Description of the addrserver command output.............................................................................2-253
Table 2-14 Description of the display slb group command output..................................................................2-255
Table 2-15 Description of the display slb rserver command output.................................................................2-256
Table 2-16 Description of the display slb vserver command output................................................................2-257
Table 2-17 Description of the rserver command output...................................................................................2-261
Table 2-18 Description of the vserver command output..................................................................................2-264
Table 2-19 Description of the display p2p-car class command output............................................................2-268
Table 2-20 Description of the display p2p-car statistic class command output...............................................2-272
Table 2-21 Description of the display p2p-car statistic class command output...............................................2-274
Table 2-22 Description of the debugging right-manager command output.....................................................2-289
Table 2-23 Description of the display right-manager online-users command output......................................2-293
Table 2-24 Description of the display right-manager role-info command output............................................2-294
Table 2-25 Description of the display right-manager server-group command output.....................................2-296
Table 2-26 Description of the display right-manager statistics command output............................................2-297
Table 2-27 Description of the display firewall statistic ip-car command output.............................................2-308
Table 2-28 Description of the display source ip monitor table command output............................................2-309
Table 3-1 Description of the display interface command output.........................................................................3-5
Table 3-2 Description of the display ip interface Ethernet 0/0/0 command output..............................................3-8
Table 3-3 Description of the display interface ethernet command output..........................................................3-15
Table 3-4 Description of the display interface virtual-template command output.............................................3-29
Table 3-5 Description of the display virtual-access command output...............................................................3-31
Table 3-6 Description of the display controller e1 command output.................................................................3-39
Table 3-7 Description of the display controller e1 command output.................................................................3-47
Table 3-8 Description of the display controller t1 command output..................................................................3-56
Table 3-9 Description of the display controller t1 command output..................................................................3-63
Table 3-10 Description of the display ip interface Ethernet 0/0/0 command output..........................................3-68
Table 3-11 Description of the display fib command output...............................................................................3-79
Table 3-12 Description of the display fib | command output.............................................................................3-81
Table 3-13 Description of the display fib acl command output.........................................................................3-82
Table 3-14 Description of the display fib ip-prefix command output................................................................3-83
Table 3-15 Description of the display fib command output...............................................................................3-85
Table 3-16 Description of the display fib statistics command output................................................................3-86
Table 3-17 Description of the display icmp statistic command output..............................................................3-87
Table 3-18 Description of the display ip interface Ethernet 0/0/0 command output..........................................3-89
Table 3-19 Description of the display ip socket command output.....................................................................3-93
Table 3-20 Description of the display ip statistics command output.................................................................3-94
Table 3-21 Description of the display tcp statistics output................................................................................3-96
Table 3-22 Description of the display tcp status command output....................................................................3-99
Table 3-23 Description of the display udp statistics command output.............................................................3-100
Table 3-24 Description of the display igmp group command output...............................................................3-146
Table 3-25 Description of the display pim interface command output............................................................3-167
Table 3-26 Description of the msdp-tracert command domain........................................................................3-191
Table 3-27 Description of the display ip routing-table command output
Table 3-28 Description of the display ip routing-table statistics command output
Table 3-29 Description of the display ip routing-table verbose command output
Table 3-30 Description of the display arp command output
Table 3-31 Description of the display dhcp relay address command output
Table 3-32 Description of the display dhcp relay statistics command output
Table 3-33 Description of the display dhcp server conflict command output
Table 3-34 Description of the display dhcp server expired command output
Table 3-35 Description of the display dhcp server free-ip command output
Table 3-36 Description of the display dhcp server ip-in-use command output
Table 3-37 Description of the display dhcp server statistics command output
Table 3-38 Description of the display dhcp server tree command output
Table 3-39 Description of the display debugging ospf command output
Table 3-40 Description of the display ospf abr-asbr command output
Table 3-41 Description of the display ospf asbr-summary command output
Table 3-42 Description of the display ospf cumulative command output
Table 3-43 Commands included in the display ospf diagnostic-information command
Table 3-44 Description of the display interface mp-group command output
Table 3-45 Description of the display ppp mp command output
Table 3-46 Description of the PPPoE Client debugging switches type
Table 3-47 Description of the display pppoe-client session summary command output
Table 3-48 Description of the display pppoe-client session packet command output
Table 3-49 Description of the display traffic behavior command output


Table 3-50 Description of the display traffic classifier command output
Table 3-51 Description of the display rip command output
Table 3-52 Description of the display fr compress command output
Table 3-53 Description of the display fr dlci-switch command output
Table 3-54 Description of the display fr inarp-info command output
Table 3-55 Description of the display fr interface command output
Table 3-56 Description of the display fr lmi-info command output
Table 3-57 Description of the display fr map-info command output
Table 3-58 Description of the display fr pvc-info command output
Table 3-59 Description of the display fr standby group command output
Table 3-60 Description of the display fr statistics command output
Table 3-61 Description of the display fr switch-table command output
Table 3-62 Description of the display interface mfr command output
Table 3-63 Description of the display mfr command output
Table 3-64 Description of the debugging hdlc event command output
Table 3-65 Description of the debugging hdlc command output
Table 4-1 Description of the debugging hrp configuration check command output
Table 4-2 Description of the display configuration check acl command output
Table 4-3 Description of the hrp configuration check command error output
Table 4-4 Description of the display ip-link command output


About This Document

Purpose
This document describes the commands of the Eudemon 200 in detail, including command function,
command format, parameter descriptions, command views, default level, usage guidelines,
examples, and related commands.

This document describes security defense configuration commands, internetworking
configuration commands, system management configuration commands, and reliability
configuration commands of the Eudemon 200 firewall.

Related Versions
The following table lists the product versions related to this document.

Product Name    Version
Eudemon 200     V200R001C03B6

Intended Audience
This document is intended for:

- Network engineers
- Network administrators
- Network maintenance engineers

Organization
This document is organized as follows.

Chapter                Description
1 System Management    Describes the commands of system management.
2 Security Defense     Describes the commands of security defense.
3 Internetworking      Describes the commands of internetworking.
4 Reliability          Describes the commands of reliability.

Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol     Description
DANGER     Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING    Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION    Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP        Indicates a tip that may help you solve a problem or save time.
NOTE       Provides additional information to emphasize or supplement important points of the main text.

General Conventions
The general conventions that may be found in this document are defined as follows.

Convention         Description
Times New Roman    Normal paragraphs are in Times New Roman.
Boldface           Names of files, directories, folders, and users are in boldface. For example, log in as user root.
Italic             Book titles are in italics.
Courier New        Examples of information displayed on the screen are in Courier New.


Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

GUI Conventions
The GUI conventions that may be found in this document are defined as follows.

Convention    Description
Boldface      Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
>             Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.

Format          Description
Key             Press the key. For example, press Enter and press Tab.
Key 1+Key 2     Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2    Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.


Mouse Operations
The mouse operations that may be found in this document are defined as follows.

Action          Description
Click           Select and release the primary mouse button without moving the pointer.
Double-click    Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag            Press and hold the primary mouse button and move the pointer to a certain position.

Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.

Updates in Issue 01 (2008-11-15)


Initial commercial release


1 System Management

About This Chapter

1.1 Basic Configuration Commands
1.2 User Login Configuration Commands
1.3 Working Mode Configuration Commands
1.4 File Management Configuration Commands
1.5 System Maintenance Configuration Commands
1.6 Web Management Commands
1.7 NTP Configuration Commands
1.8 SNMP Configuration Commands
1.9 VPN Manager Configuration Commands


1.1 Basic Configuration Commands

1.1.1 clock
1.1.2 command-privilege
1.1.3 display clock
1.1.4 display history-command
1.1.5 display hotkey
1.1.6 display version
1.1.7 header
1.1.8 hotkey
1.1.9 language-mode
1.1.10 lock (User View)
1.1.11 quit (All Views)
1.1.12 return
1.1.13 super
1.1.14 super password
1.1.15 sysname
1.1.16 system-view

1.1.1 clock

Function
Using the clock command, you can set the current date and clock, name of daylight saving time,
start and end time, and local time zone of the Eudemon.

Using the undo clock command, you can restore the default setting.

Format
clock datetime time date

clock summer-time zone-name { one-off | repeating } start-time start-date end-time end-date offset

clock timezone zone-name { add | minus } offset

undo clock { summer-time | timezone }


Parameters
time: specifies the current clock in the format of HH:MM:SS. HH ranges from 0 to 23, and MM
and SS range from 0 to 59.
date: specifies the current year, month and day in the format of YYYY/MM/DD. YYYY ranges
from 2000 to 2099, MM ranges from 1 to 12, and DD ranges from 1 to 31.
zone-name: specifies the name of daylight saving time, a string in a range of 1 to 32 characters.
one-off: sets the daylight saving time for a specific year.
repeating: sets the daylight saving time for each year since a specific year.
start-time: sets the beginning time of the daylight saving time in the format of HH:MM:SS. HH
ranges from 0 to 23, and MM and SS range from 0 to 59.
start-date: sets the beginning date of the daylight saving time in the format of YYYY/MM/DD.
YYYY ranges from 2000 to 2099, MM ranges from 1 to 12, and DD ranges from 1 to 31.
end-time: sets the ending time of the daylight saving time in the format of HH:MM:SS. HH
ranges from 0 to 23, and MM and SS range from 0 to 59.
end-date: sets the ending date of the daylight saving time in the format of YYYY/MM/DD.
YYYY ranges from 2000 to 2099, MM ranges from 1 to 12, and DD ranges from 1 to 31.
offset: specifies the time offset of the daylight saving time compared with UTC time. The value
is in the format of HH:MM:SS.
add: indicates that the offset is added to UTC time.
minus: indicates that the offset is subtracted from UTC time.

Views
User view

Default Level
3: Management level

Usage Guidelines
In an application environment where absolute time is strictly required, the current date and clock
of the Eudemon must be set. The seconds can be omitted from the time parameter.
The range of YYYY is 1993 to 2035 for some non-Huawei devices. If Huawei and non-Huawei devices
are used together, setting YYYY within the range 2000 to 2035 is recommended.
You can use the display clock command to view the setting after it takes effect. In addition,
message times such as the log time and debug time use the local time adjusted by the time zone
and daylight saving time.

Examples
# Set the current date of the Eudemon to 0:0:0 01/01/2001.
<Eudemon> clock datetime 0:0:0 2001/01/01


Related Topics
1.1.3 display clock

1.1.2 command-privilege

Function
Using the command-privilege command, you can set the level of a command in the specified view.
Using the undo command-privilege command, you can remove the configured command level.
By default, the ping, tracert, and telnet commands are of the visit level (0). The display
command is of the monitoring level (1). Most configuration commands are of the configuration
level (2). After promotion, the command level is 10. The command to configure the user key,
debugging commands, FTP commands, XModem commands, and file system operation
commands are of the management level (3).

CAUTION
Do not change command levels randomly.

Format
command-privilege level level view view command
undo command-privilege view view command

Parameters
level level: specifies the precedence of a command. The value ranges from 0 to 3.
view view: specifies the view name.
command: specifies the command to be configured. You can specify multiple commands in one
command.

Views
System view

Default Level
3: Management level

Usage Guidelines
The commands are divided into four levels, that is, visit, monitoring, configuration, and
management, identified as 0 to 3 respectively. An administrator can authorize users as
required to enable them to operate in the corresponding view. A login user can run
commands according to the authorization of the user name or of the user interface. If
these two privileges conflict with each other, the one corresponding to the user name is adopted.


Examples
# Set the privilege of the interface command to 0.
<Eudemon> system-view
[Eudemon] command-privilege level 0 view system interface

1.1.3 display clock

Function
Using the display clock command, you can display the current date and clock of the system.

Format
display clock

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Using this command, you can check whether the system time is wrong and correct it in time.

Examples
# View the current date and time of the system.
<Eudemon> display clock
22:45:36 UTC Tue 2008/07/29
Time Zone : UTC add 02:00:00
Summer-Time : test repeating 12:11:00 2008/06/20 18:00:00 2008/06/21 01:00:00

Table 1-1 Description of the display clock command output

Item           Description
Time Zone      Time zone
UTC            Universal Time Coordinated
Summer-Time    Summer Time


Related Topics
1.1.1 clock

1.1.4 display history-command

Function
Using the display history-command command, you can view the history commands saved on the
terminal device.

Format
display history-command

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
By default, the 10 latest commands are displayed.
The terminal automatically saves the history commands entered by the user, that is, it records
each keyboard entry of the user with Enter as the unit. The user can then view the saved
history commands with the display history-command command.

CAUTION
- The history commands are saved exactly as the user entered them. For example, if the user
inputs an incomplete command, the saved command is also incomplete.
- If the user executes the same command several times, the command earliest executed is
saved. If the same command is entered in different forms, they are considered as different
commands.

Examples
# Display the history commands used on the terminal.
<Eudemon> display history-command
display interface
display interface Ethernet 1/0/0
interface Ethernet 1/0/0


Related Topics
1.2.18 history-command max-size

1.1.5 display hotkey

Function
Using the display hotkey command, you can display the predefined, undefined and reserved
shortcut keys.

Format
display hotkey

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
You can press a shortcut key wherever a command can be entered; the system then displays the
corresponding command on the screen.

Examples
# Display the usage of shortcut keys.
<Eudemon> display hotkey
----------------- HOTKEY -----------------

=Defined hotkeys=
Hotkeys Command
CTRL_G display current-configuration
CTRL_L display ip routing-table
CTRL_O undo debug all

=Undefined hotkeys=
Hotkeys Command
CTRL_T NULL
CTRL_U NULL

=System hotkeys=
Hotkeys Function
CTRL_A Move the cursor to the beginning of the current line.
CTRL_B Move the cursor one character left.
CTRL_C Stop current command function.
CTRL_D Erase current character.
CTRL_E Move the cursor to the end of the current line.
CTRL_F Move the cursor one character right.
CTRL_H Erase the character left of the cursor.
CTRL_K Kill outgoing connection.
CTRL_N Display the next command from the history buffer.
CTRL_P Display the previous command from the history buffer.
CTRL_R Redisplay the current line.
CTRL_V Paste text from the clipboard.
CTRL_W Delete the word left of the cursor.
CTRL_X Delete all characters up to the cursor.
CTRL_Y Delete all characters after the cursor.
CTRL_Z Return to the user view.
CTRL_] Kill incoming connection or redirect connection.
ESC_B Move the cursor one word back.
ESC_D Delete remainder of word.
ESC_F Move the cursor forward one word.
ESC_N Move the cursor down a line.
ESC_P Move the cursor up a line.
ESC_< Specify the beginning of clipboard.
ESC_> Specify the end of clipboard.

Table 1-2 Description of the display hotkey command output

Item                 Description
HOTKEY               Indicates hot keys.
Defined hotkeys      Indicates the defined shortcut keys.
CTRL+G               Displays the current configuration.
CTRL+L               Displays the IP routing table.
CTRL+O               Cancels outputting all debugging information.
Undefined hotkeys    Indicates the undefined hot keys.
CTRL+T               Undefined.
CTRL+U               Undefined.
System hotkeys       Indicates the system-reserved shortcut keys.
CTRL+A               Moves the cursor to the beginning of the current line.
CTRL+B               Moves the cursor one character left.
CTRL+C               Stops the current operation.
CTRL+D               Deletes the character the cursor currently points to.
CTRL+E               Moves the cursor to the end of the current line.
CTRL+F               Moves the cursor one character right.
CTRL+H               Deletes the character to the left of the cursor.
CTRL+K               Stops setting up connection.
CTRL+N               Displays the next command in the history command buffer.
CTRL+P               Displays the previous command in the history command buffer.
CTRL+R               Redisplays the current line.
CTRL+V               Pastes the text from the clipboard.
CTRL+W               Deletes the character to the left of the cursor.
CTRL+X               Deletes all the characters to the left of the cursor.
CTRL+Y               Deletes all the characters to the right of the cursor.
CTRL+Z               Returns to the user view.
CTRL+]               Cuts off the incoming connection or redirects the connection.
ESC+B                Moves the cursor one word left.
ESC+D                Deletes.
ESC+F                Moves the cursor one word right.
ESC+N                Moves the cursor one line down.
ESC+P                Moves the cursor one line up.
ESC+<                Moves the cursor to the beginning of the clipboard.
ESC+>                Moves the cursor to the end of the clipboard.

Related Topics
1.1.8 hotkey

1.1.6 display version

Function
Using the display version command, you can display the system version.

Format
display version

Parameters
None

Views
All views

Default Level
1: Monitoring level


Usage Guidelines
By viewing the version information, you can get the information about the current software
version, frame type, the active control board and the interface board.

Examples
<Eudemon> display version
Huawei Versatile Routing Platform Software
Software Version: Firewall V200R001C03B61b (VRP (R) Software, Version 3.30)
Copyright (c) 2007-2008 Huawei Technologies Co., Ltd.
Quidway E200 Firewall uptime is 0 week(s), 0 day(s), 0 hour(s), 1 minute(s)

Rpu's version information:


256M bytes SDRAM
32M bytes FLASH
512K bytes NVRAM
Pcb Version : VER.B
RPE Logic Version : 003B
SBG Logic Version : 012B
Small BootROM Version : 118
Big BootROM Version : 214

1.1.7 header

Function
Using the header command, you can enable displaying the title.
Using the undo header command, you can disable displaying the title.

Format
header { login | shell } { information text | file file-name }
undo header { login | shell }

Parameters
login: indicates the login messages.
shell: indicates the user session title.
information: indicates the title information.
text: specifies the contents of the title. The value is in the range of 1 to 220 characters.
file: specifies the contents of the file with the indicated file name.
file-name: specifies the name of the file used for the title. The name is 5 to 64 characters long.
The title file cannot exceed 128 KB; otherwise, the part beyond 128 KB is not displayed.

Views
System view

Default Level
2: Configuration level


Usage Guidelines
When a user logs in to the firewall through a terminal line, the firewall uses the configured
title to present the related messages to the user. After the terminal connection is activated, the
login title is transmitted to the terminal. If the user successfully logs in, the shell title is displayed.
The first English character of the text is used as both the start and the end character of the text.
After the user enters the end character, the system automatically exits from the interactive process.
As long as the text starts and ends with the same English character, you can exit from the
interactive process by pressing Enter.

Examples
# Configure the user session title.
<Eudemon> system
[Eudemon] header shell information %
info:input banner text, and quit with the character '%'.
SHELL : Hello! Welcome use NetEngine%
[Eudemon] quit
<Eudemon>

# Display the Shell title after user login.


Username:Eudemon
Password:******

SHELL : Hello! Welcome use NetEngine


Note: The max number of VTY users is 5, and the current number
of VTY users on line is 2.

# Specify the file to be used as login title.


<Eudemon> system-view
[Eudemon] header login file flash:/header-file.txt

1.1.8 hotkey

Function
Using the hotkey command, you can correlate a command line with the shortcut keys.
Using the undo hotkey command, you can restore the default.

Format
hotkey [ CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U ] command-text
undo hotkey [ CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U ]

Parameters
CTRL_G: specifies a command for the shortcut keys CTRL+G.
CTRL_L: specifies a command for the shortcut keys CTRL+L.
CTRL_O: specifies a command for the shortcut keys CTRL+O.
CTRL_T: specifies a command for the shortcut keys CTRL+T.
CTRL_U: specifies a command for the shortcut keys CTRL+U.
command-text: specifies the command line correlated with the shortcut keys.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the system specifies only CTRL_G, CTRL_L and CTRL_O to correspond to certain
commands.
- CTRL_G corresponds to display current-configuration (used to display the current
configuration)
- CTRL_L corresponds to display ip routing-table (used to display routing table
information)
- CTRL_O corresponds to undo debugging all (used to disable the overall debugging
function, that is, to disable the output of all debugging information)
You can change the definitions of shortcut keys as required.

Examples
# Correlate the display tcp status command with the shortcut keys CTRL_G.
<Eudemon> system-view
[Eudemon] hotkey ctrl_g display tcp status
[Eudemon] display hotkey
----------------- HOTKEY -----------------

=Defined hotkeys=
Hotkeys Command
CTRL_G display tcp status
CTRL_L display ip routing-table
CTRL_O undo debug all

=Undefined hotkeys=
Hotkeys Command
CTRL_T NULL
CTRL_U NULL

=System hotkeys=
Hotkeys Function
CTRL_A Move the cursor to the beginning of the current line.
CTRL_B Move the cursor one character left.
CTRL_C Stop current command function.
CTRL_D Erase current character.
CTRL_E Move the cursor to the end of the current line.
CTRL_F Move the cursor one character right.
CTRL_H Erase the character left of the cursor.
CTRL_K Kill outgoing connection.
CTRL_N Display the next command from the history buffer.
CTRL_P Display the previous command from the history buffer.
CTRL_R Redisplay the current line.
CTRL_V Paste text from the clipboard.
CTRL_W Delete the word left of the cursor.
CTRL_X Delete all characters up to the cursor.
CTRL_Y Delete all characters after the cursor.
CTRL_Z Return to the user view.
CTRL_] Kill incoming connection or redirect connection.
ESC_B Move the cursor one word back.
ESC_D Delete remainder of word.
ESC_F Move the cursor forward one word.
ESC_N Move the cursor down a line.
ESC_P Move the cursor up a line.
ESC_< Specify the beginning of clipboard.
ESC_> Specify the end of clipboard.

Related Topics
1.1.5 display hotkey

1.1.9 language-mode

Function
Using the language-mode command, you can change the language mode of the command line
interface.

Format
language-mode { chinese | english }

Parameters
chinese: changes the language mode of the system to Chinese.
english: changes the language mode of the system to English.

Views
User view

Default Level
0: Visit level

Usage Guidelines
By default, the language mode of the system is English.
After the system switches to Chinese mode, the prompts and echo messages of the command
line on the system interface are displayed in Chinese.

Examples
# Change the English mode to the Chinese mode.
<Eudemon> language-mode chinese
Change language mode, confirm? [Y/N] y

1.1.10 lock (User View)


Function
Using the lock command, you can lock the current user interface to prevent unauthorized
users from operating on the terminal interface.

Format
lock

Parameters
None

Views
User view

Default Level
3: Management level

Usage Guidelines
User interfaces include the console interface, the AUX interface, and VTY.

After you enter the lock command, the system prompts you to input a password. After you confirm
the password by entering it again, the system prompts that the lock succeeds. To enter the system
again, you must press Enter and input the correct password.

Examples
# A user logs in from the Console port and locks the current user interface.
<Eudemon> lock
Password:xxxx
Again:xxxx

locked !

# The user can press Enter to log in to the system after a while. The following prompt displays:
Password:

Related Topics
1.2.46 user privilege

1.1.11 quit (All Views)

Function
Using the quit command, you can quit the current view and enter a view with a lower level. If
the current view is the user view, this command makes you exit from the system.


Format
quit

Parameters
None

Views
All views

Default Level
0: Visit level

Usage Guidelines
All the command modes are divided into three levels, which are as follows from the lowest to
the highest:
- User view (user level is 0)
- System view (user level is 2)
- Interface view and AAA view

Examples
# Return to the system view from the interface view and then return to the user view.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] quit
[Eudemon] quit
<Eudemon>

Related Topics
1.1.16 system-view
1.1.12 return

1.1.12 return

Function
Using the return command, you can return to the user view from other views except user view.

Format
return

Parameters
None


Views
All views

Default Level
2: Configuration level

Usage Guidelines
The shortcut key for the return command is Ctrl+Z.

Examples
# Return to the user view from the system view.
[Eudemon] return
<Eudemon>

Related Topics
1.1.16 system-view

1.1.13 super

Function
Using the super command, you can change the user's current level.

User level indicates the type of the login user. There are 4 user levels. The user level differs
from the command level: a login user can use only the commands whose level is no higher than
the user level.

Format
super [ level ]

Parameters
level: specifies the user level. The value ranges from 0 to 15. By default, the level is 3.

Views
User view

Default Level
0: Visit level

Usage Guidelines
Commands are classified into four levels:
- Visit level: Refers to network diagnosis tool commands (such as ping and tracert), and
external commands (including Telnet client, SSH client and RLOGIN). Commands of this level
cannot save the configuration file.
- Monitoring level: Refers to commands used for system maintenance and service fault
diagnosis, including the display command and the debugging command. Commands of this level
cannot save the configuration file.
- Configuration level: Refers to service configuration commands, including routing
commands and commands on each network layer, which are used to provide direct network
service to the user.
- Management level: Refers to commands that affect the basic operation of the system and
the system support modules, which play a supporting role for services. Commands of this level
involve file system commands, FTP commands, TFTP commands, XModem downloading
commands, configuration file switching commands, power supply control commands,
standby control commands, user management commands, level setting commands, and
internal parameter setting commands (not stipulated by protocols and by RFC).
In order to prevent unauthorized users from illegal intrusion, user ID authentication is performed
when users at a lower level switch to users at a higher level. In other word, the super
password of the higher level is needed. If no password is set, the error prompts.
For the sake of confidentiality, the password that the user entered is not shown on the screen.
Only when correct password is input for three times, can the user switch to the higher level.
Otherwise, the original user level remains unchanged.

Examples
# Change the current user level to level 3.
<Eudemon> super 3
Password:
Now user privilege is 3 level, and only those commands whose level is
equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

Related Topics
1.1.14 super password
1.1.11 quit (All Views)
1.1.12 return

1.1.14 super password

Function
Using the super password command, you can set the password for changing the user from a
lower level to a higher level.
Using the undo super password command, you can cancel the current settings.

Format
super password [ level user-level ] { simple | cipher } password
undo super password [ level user-level ]


Parameters
level user-level: specifies the user level. The value ranges from 1 to 15. By default, the password
is set for level 3.
simple: indicates that the password is in plain text.
cipher: indicates that the password is in encrypted text.
password: If simple is used, the password must be in plain text, ranging from 1 to 16 characters.
If cipher is used, the password can be either encrypted text of 24 characters, such as
(TT8F ] Y\5SQ=^Q`MAF4<1!!, or plain text of 1 to 16 characters, such as 1234567.

Views
System view

Default Level
3: Management level

Usage Guidelines
Enter the password in plain text during authentication, regardless of whether it is configured
in plain text or in encrypted text.

CAUTION
If simple is selected, the password is saved in the configuration files in plain text. Users
at a lower level can then easily obtain the level-switching password by viewing the configuration
files, and network security cannot be guaranteed. It is recommended to select
cipher so that the password is saved in cipher text.
After a password is set with the cipher option, it cannot be recovered from the system. Do
not lose or forget the super password.

Examples
# Require a user at a lower level to enter the password "abcd" when switching to level 3.
<Eudemon> system-view
[Eudemon] super password level 3 cipher abcd

Related Topics
1.1.13 super

1.1.15 sysname

Function
Using the sysname command, you can set the host name of the firewall.


Format
sysname host-name

Parameters
host-name: specifies the host name. It is a string of 1 to 30 characters.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the host name of the firewall is Eudemon.

Modifying the host name of the firewall affects the prompt of command line interface. If the
host name of the Eudemon is "Eudemon", the prompt in the user view is <Eudemon>.

Examples
# Set the host name of the firewall as EudemonA.
<Eudemon> system-view
[Eudemon] sysname EudemonA
[EudemonA]

Related Topics
1.1.16 system-view

1.1.16 system-view

Function
Using the system-view command, you can enter the system view from the user view.

Format
system-view

Parameters
None

Views
User view


Default Level
2: Configuration level

Usage Guidelines
The user enters the user view when the user logs in for the first time.

Examples
# Enter the system view from the user view.
<Eudemon> system-view
Enter system view, return user view with Ctrl+Z.
[Eudemon]

Related Topics
1.1.11 quit (All Views)
1.1.12 return

1.2 User Login Configuration Commands

1.2.1 acl
1.2.2 authentication-mode
1.2.3 auto-execute command
1.2.4 databits
1.2.5 debugging rsa
1.2.6 debugging ssh server
1.2.7 debugging telnet
1.2.8 display rsa local-key-pair public
1.2.9 display rsa peer-public-key
1.2.10 display ssh server
1.2.11 display ssh user-information
1.2.12 display tcp
1.2.13 display user-interface
1.2.14 display user-interface maximum-vty
1.2.15 display users
1.2.16 flow-control
1.2.17 free user-interface
1.2.18 history-command max-size


1.2.19 idle-timeout
1.2.20 lock authentication-count
1.2.21 lock lock-timeout
1.2.22 modem
1.2.23 modem auto-answer
1.2.24 modem timer answer
1.2.25 parity
1.2.26 peer-public-key end
1.2.27 protocol inbound
1.2.28 public-key-code begin
1.2.29 public-key-code end
1.2.30 redirect
1.2.31 rsa local-key-pair create
1.2.32 rsa local-key-pair destroy
1.2.33 rsa peer-public-key
1.2.34 screen-length
1.2.35 send
1.2.36 set authentication password
1.2.37 shell
1.2.38 speed (User Interface View)
1.2.39 ssh server authentication-retries
1.2.40 ssh server rekey-interval
1.2.41 ssh server timeout
1.2.42 ssh user assign rsa-key
1.2.43 ssh user authentication-type
1.2.44 stopbits
1.2.45 telnet
1.2.46 user privilege
1.2.47 user-interface
1.2.48 user-interface maximum-vty

1.2.1 acl


Function
Using the acl command, you can restrict incoming and outgoing calls on VTY user
interfaces (Telnet and SSH) by referencing an ACL.
Using the undo acl command, you can cancel the current settings.
By default, incoming and outgoing calls are not restricted.

Format
acl acl-number { inbound | outbound }
undo acl { inbound | outbound }

Parameters
acl-number: specifies the number of an access control list (ACL). The value ranges from 2000
to 3999.
inbound: restricts the incoming calls on the user interface.
outbound: restricts the outgoing calls on the user interface.

Views
User interface view

Default Level
3: Management level

Usage Guidelines
The command can be used to restrict the source address by the basic ACL and restrict the
destination address by the advanced ACL.

Examples
# Restrict Telnet outgoing call on the user interface VTY0.
<Eudemon> system-view
[Eudemon] user-interface vty 0
[Eudemon-ui-vty0] acl 2000 outbound

# Remove the restriction on Telnet outgoing call on the user interface VTY0.
<Eudemon> system-view
[Eudemon] user-interface vty 0
[Eudemon-ui-vty0] undo acl outbound

1.2.2 authentication-mode

Function
Using the authentication-mode command, you can set the authentication mode for logging in
to the user interface.


Using the undo authentication-mode command, you can restore the default authentication
mode.

By default, the authentication mode for user interfaces of the VTY type is password, and
logging in to other user interfaces needs no authentication.

Format
authentication-mode { aaa | none | password | local user username password password }

undo authentication-mode

Parameters
aaa: specifies the AAA authentication.

none: specifies the non-authentication mode.

password: specifies the local password authentication.

local: specifies the local username and password authentication.

user username: specifies the local username. It is a string of 1 to 16 characters.

password password: specifies the local password. It is a string of 1 to 16 characters.

Views
User interface view

Default Level
2: Configuration level

Usage Guidelines
When AAA authentication is applied to the local user, the command level accessible after the
user logs in to the Eudemon depends on the priority of the local user of AAA configuration.

If the password authentication or non-authentication is configured, the level of the command
that a user can access is determined by the priority of the user interface after the user logs in to
the system.

Examples
# Enable the local password authentication.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0] authentication-mode password
[Eudemon-ui-console0] set authentication password simple huawei

Related Topics
1.2.47 user-interface
1.2.36 set authentication password


1.2.3 auto-execute command

Function
Using the auto-execute command command, you can set the automatically executed command.
Using the undo auto-execute command command, you can remove the automatically executed
command.

Format
auto-execute command command
undo auto-execute command

Parameters
command: specifies the command automatically executed.

Views
User interface view

Default Level
2: Configuration level

Usage Guidelines

CAUTION
Make sure that you can log in to the system by other means to remove the configuration before
configuring auto-execute command command and saving the configuration.

By default, the command cannot be automatically executed.


The following restrictions apply to the auto-execute command command:
• If there is only one Console port or one AUX port on the firewall, the port does not support
auto-execute command.
• If there are one Console port and one AUX port (two ports in total) on the firewall, the
Console port does not support auto-execute command while the AUX port does.
• There is no restriction on other types of user interfaces.

Commands configured through auto-execute command are automatically executed when the
user logs on. The user interface disconnects automatically after the command completes.
Usually, the telnet command is configured through auto-execute command on the terminal user
interface so that the user is connected to the designated host automatically.
Use this command with caution: once it is configured, the terminal can no longer be used for
routine configuration of the system.


Examples
# The telnet 10.110.100.1 command is run automatically after the user logs on from the VTY
0 port.
<Eudemon> system-view
[Eudemon] user-interface vty 0
[Eudemon-ui-vty0] auto-execute command telnet 10.110.100.1

Related Topics
1.2.47 user-interface

1.2.4 databits

Function
Using the databits command, you can set the data bits of the user interface.

Using the undo databits command, you can restore the default data bit.

Format
databits { 7 | 8 }

undo databits

Parameters
7: indicates that data bit is 7 bits.

8: indicates that data bit is 8 bits.

Views
User interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the data bit is 8 bits.

Generally, do not use this command. If the data bit of the user interface is changed, the
HyperTerminal must be set to the same data bit when users log on.

The configuration is effective only when the serial interface works in the asynchronous
interactive mode.

Examples
# Set the data bit to 7 bits.


<Eudemon> system-view
[Eudemon] user-interface vty 0
[Eudemon-ui-vty0] databits 7

1.2.5 debugging rsa

Function
Using the debugging rsa command, you can send debugging information about the RSA
process and packet structure to the information center, and debug a certain user
interface.

Using the undo debugging rsa command, you can disable the debugging.

Format
debugging rsa

undo debugging rsa

Parameters
None

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, the debugging is disabled.

Examples
# Enable RSA debugging.
<Eudemon> debugging rsa

Related Topics
1.2.31 rsa local-key-pair create
1.2.32 rsa local-key-pair destroy

1.2.6 debugging ssh server


Function
Using the debugging ssh server command, you can send the debugging information containing
the negotiation process stipulated by SSH1.5 protocol to the information center, and debug a
certain user interface.
Using the undo debugging ssh server command, you can disable the debugging.

Format
debugging ssh server { vty index | all }
undo debugging ssh server { vty index | all }

Parameters
index: specifies the debugged SSH channel whose value depends on the number of VTY. By
default, the value ranges from 0 to 4.
all: refers to all SSH channels.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, the debugging is disabled.

Examples
# Print debugging information in running SSH.
<Eudemon> debugging ssh server vty 0
00:23:20: SSH0: starting SSH control process
00:23:20: SSH0: sent protocol version id SSH-1.5-Eudemon-1.25
00:23:20: SSH0: protocol version id is - SSH-1.5-1.2.26
00:23:20: SSH0: SSH_SMSG_PUBLIC_KEY msg
00:23:21: SSH0: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03
00:23:21: SSH: RSA decrypt started
00:23:21: SSH: RSA decrypt finished
00:23:21: SSH: RSA decrypt started
00:23:21: SSH: RSA decrypt finished

Related Topics
1.2.39 ssh server authentication-retries
1.2.40 ssh server rekey-interval

1.2.7 debugging telnet


Function
Using the debugging telnet command, you can enable the debugging on Telnet.

Using the undo debugging telnet command, you can disable the debugging.

Format
debugging telnet

undo debugging telnet

Parameters
None

Views
User view

Default Level
2: Configuration level

Usage Guidelines
By default, the debugging is disabled.

Examples
# Enable telnet debugging.
<Eudemon> debugging telnet

Related Topics
1.2.45 telnet

1.2.8 display rsa local-key-pair public

Function
Using the display rsa local-key-pair public command, you can display the public key in the
local key pair. If no key is generated, the system prompts "RSA keys not found."

Format
display rsa local-key-pair public

Parameters
None


Views
All views

Default Level
1: Monitoring level

Usage Guidelines
When configuring the firewall, you can run this command on the client and copy the client public
key from the command output to the RSA public key on the SSH server.

Examples
# Display the public key in the local key pair.
<Eudemon> display rsa local-key-pair public

=====================================================
Time of Key pair created: 20:38:40 2008/8/2
Key name: Eudemon_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
C2E352B5 405553E7 88BF72A2 367F67F9 7999EDCB
FA145E80 8894445F C1164EB6 FC4992A3 59333991
19616B29 7D347D6E E80A499C 573BABED 6841772C
44FE5117
0203
010001

=====================================================
Time of Key pair created: 20:38:50 2008/8/2
Key name: Eudemon_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
EE1C2B5D 2A37EE73 E5D2516D 88F8A174 9A4A9A4F
FCD792F9 46B889DA A69139D7 AA80927F 67D601B7
1C4F9691 49D47201 62AF5908 CCD89328 A1265BFB
AFDC78BF 1D133CF0 E7C9719E 1A16E59C AE6A8C8E
4B71841D DAA9E294 040092E0 CC244BA3
0203
010001

Table 1-3 Description of the display rsa local-key-pair public command output

Item                        Description
Time of Key pair created    Time when the public key is generated
Key name                    Name of the public key
Key type                    Type of the public key


Related Topics
1.2.31 rsa local-key-pair create

1.2.9 display rsa peer-public-key

Function
Using the display rsa peer-public-key command, you can display the specified RSA public
key. If no public key is specified, all public keys are displayed.

Format
display rsa peer-public-key [ brief | name keyname ]

Parameters
brief: displays the brief information about all the remote public keys.
name keyname: specifies the key name to be displayed. It is a string of 1 to 30 characters.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Using this command, you can view detailed information about all public keys or a specified
public key.

Examples
# Display the detailed information about all the RSA public keys.
<Eudemon> display rsa peer-public-key
Address Bits Name
1023 abcd
1024 hq
1024 wn1
1024 hq_all

# Display the detailed RSA public key named rsakey001.


<Eudemon> display rsa peer-public-key name rsakey001
=====================================
Key name: rsakey001
Key address:
=====================================
Key Code:
308186
028180
739A291A BDA704F5 D93DC8FD F84C4274 631991C1 64B0DF17 8C55FA83 3591C7D4
7D5381D0 9CE82913 D7EDF9C0 8511D83C A4ED2B30 B809808E B0D1F52D 045DE408
61B74A0E 135523CC D74CAC61 F8E58C45 2B2F3F2D A0DCC48E 3306367F E187BDD9


44018B3B 69F3CBB0 A573202C 16BB2FC1 ACF3EC8F 828D55A3 6F1CDDC4 BB45504F


0201
25

Table 1-4 Description of the display rsa peer-public-key command output


Item           Description
Key name       Name of the public key
Key address    Brief information about the public key

Related Topics
1.2.31 rsa local-key-pair create
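
The "Key code" blocks in the sample output of display rsa local-key-pair public and display rsa peer-public-key read as an ASN.1 SEQUENCE (tag 30) holding two INTEGERs (tag 02), the modulus and the public exponent. The following is an added example, not code from the manual: it decodes the two key codes copied from the sample output above and reports modulus size and exponent. MIN_BITS and the function names are assumptions. The modulus is read as unsigned because the sample output carries no leading 00 byte even when the top bit is set, which a strict DER decoder would interpret as a negative number.

```python
MIN_BITS = 2048  # assumption: local policy threshold, not a value from the manual

# Key code copied from the Eudemon_Host sample output on this page.
HOST_KEY_CODE = """
3047
0240
C2E352B5 405553E7 88BF72A2 367F67F9 7999EDCB
FA145E80 8894445F C1164EB6 FC4992A3 59333991
19616B29 7D347D6E E80A499C 573BABED 6841772C
44FE5117
0203
010001
"""

# Key code copied from the rsakey001 sample output on this page.
PEER_KEY_CODE = """
308186
028180
739A291A BDA704F5 D93DC8FD F84C4274 631991C1 64B0DF17 8C55FA83 3591C7D4
7D5381D0 9CE82913 D7EDF9C0 8511D83C A4ED2B30 B809808E B0D1F52D 045DE408
61B74A0E 135523CC D74CAC61 F8E58C45 2B2F3F2D A0DCC48E 3306367F E187BDD9
44018B3B 69F3CBB0 A573202C 16BB2FC1 ACF3EC8F 828D55A3 6F1CDDC4 BB45504F
0201
25
"""


def _read_tlv(buf, pos, tag):
    """Read one DER element with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated length field")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("element runs past the end of the key code")
    return buf[pos:pos + length], pos + length


def parse_key_code(text):
    """Decode a key code as printed (hex groups, any whitespace) into its fields."""
    buf = bytes.fromhex("".join(text.split()))
    body, end = _read_tlv(buf, 0, 0x30)
    if end != len(buf):
        raise ValueError("trailing bytes after the key")
    modulus, pos = _read_tlv(body, 0, 0x02)
    exponent, pos = _read_tlv(body, pos, 0x02)
    if pos != len(body):
        raise ValueError("unexpected data after the exponent")
    # Unsigned on purpose: the printed modulus has no leading 00 sign byte.
    n = int.from_bytes(modulus, "big")
    e = int.from_bytes(exponent, "big")
    return {"bits": n.bit_length(), "exponent": e, "modulus": n}


def audit_key(name, text, min_bits=MIN_BITS):
    """Return a list of findings for one key; an empty list means no finding."""
    key = parse_key_code(text)
    findings = []
    if key["bits"] < min_bits:
        findings.append(f"{name}: {key['bits']}-bit modulus is below {min_bits} bits")
    if key["modulus"] % 2 == 0:
        findings.append(f"{name}: modulus is even, key code is damaged or invalid")
    if key["exponent"] < 3 or key["exponent"] % 2 == 0:
        findings.append(f"{name}: exponent {key['exponent']} is not a valid RSA exponent")
    return findings


if __name__ == "__main__":
    for key_name, code in (("Eudemon_Host", HOST_KEY_CODE), ("rsakey001", PEER_KEY_CODE)):
        info = parse_key_code(code)
        print(key_name, info["bits"], "bits, e =", info["exponent"])
        for finding in audit_key(key_name, code):
            print("  finding:", finding)
```
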

1.2.10 display ssh server

Function
Using the display ssh server command, you can display the configuration and current session
of the SSH server.

Format
display ssh server { status | session }

Parameters
status: displays the global configuration of the SSH server.
session: displays the current session of the SSH server.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the global configuration of the SSH server.
<Eudemon> display ssh server status
SSH version : 1.5
SSH connection timeout : 60 seconds
SSH server key generating interval : 1 hours
SSH Authentication retries : 3 times


# Display the current session of the SSH server.


<Eudemon> display ssh server session
Conn Ver Encry State retry Username
VTY0 1.5 DES started 3 Eudemon

Table 1-5 Description of the display ssh server session command output

Item         Description
Conn         Type of the SSH session
Ver          Protocol version of the SSH session
Encry        Name of the encryption algorithm
State        Status of the SSH session
retry        Number of retry times of establishing the SSH session
User-name    User name of the SSH server

Related Topics
1.2.39 ssh server authentication-retries
1.2.40 ssh server rekey-interval
1.2.41 ssh server timeout

1.2.11 display ssh user-information

Function
Using the display ssh user-information command, you can display the configuration of the
SSH user.

Format
display ssh user-information [ user-name ]

Parameters
user-name: specifies a valid SSH user name defined by AAA. It is a string of 1 to 64 characters.

Views
All views

Default Level
1: Monitoring level


Usage Guidelines
If no user name is specified in the command, the configuration of all the SSH users is displayed.

Using this command, you can view information about the SSH user, including the user name,
password, bound RSA public key, and service type.

Examples
# Display the configurations of all the SSH users.
<Eudemon> display ssh user-information
Username authentication-type user-public-key-name
Jin rsa key001
hanqi1 password key002
1024 all key003

Table 1-6 Description of the ssh user-information command output

Item                    Description
Username                Name of SSH users
authentication-type     Authentication mode of SSH users
user-public-key-name    Peer RSA public key assigned to SSH users

Related Topics
1.2.42 ssh user assign rsa-key
1.2.43 ssh user authentication-type

1.2.12 display tcp

Function
Using the display tcp status command, you can view and monitor TCP connections at any time.

Using the display tcp statistics command, you can view the statistics of the TCP traffic.

Format
display tcp { statistics | status }

Parameters
None

Views
All views


Default Level
1: Monitoring level

Usage Guidelines
Compared with the 1.2.15 display users command, the display tcp status command can be
used to display more information about Telnet client and server.

The output of the display tcp status command includes:

• Local address of TCP connection
• Local port number
• External address
• External port number
• Connection state

The output of the display tcp statistics command includes:

• Statistics of received data
• Statistics of sent data
• Timeout times of the retransmission timer and the keepalive timer
• Times for initiating connections
• The number of disconnected connections
• The number of dropped packets during MD5 authentication
• The number of passed packets during MD5 authentication

Examples
# Display all TCP connections with the Eudemon.
<Eudemon> display tcp status
TCPCB Local Add:port Foreign Add:port State
04c067a4 0.0.0.0:22 0.0.0.0:0 Listening
04c06564 0.0.0.0:23 0.0.0.0:0 Listening
054c5944 0.0.0.0:80 0.0.0.0:0 Listening
054f75c4 192.168.0.1:23 192.168.0.7:1485 Established

Table 1-7 Description of the display tcp status command output

Item                Description
TCPCB               TCP task control block number.
Local Add:port      Local IP address of TCP connection and local port number.
Foreign Add:port    Remote IP address of TCP connection and remote port number.


State               Indicates the status of TCP connection.
                    • Closed: indicates that the connection is closed.
                    • Listening: indicates that the connection is being monitored.
                    • Syn_Rcvd: indicates that a SYN packet is received.
                    • Established: indicates that the connection has been set up.
                    • Close_Wait: The user sends a FIN packet to the server to close the
                      connection in the Established status. The server then sends an ACK packet
                      to the user after receiving the FIN packet and changes to the Close_Wait
                      status.
                    • Fin_Wait1: The user changes to this status after sending a FIN packet to
                      the server to close the connection.
                    • Fin_Wait2: The user changes to this status after receiving an ACK packet
                      that responds to the sent FIN packet.
                    • Time_Wait: TCP enters this status after a connection is closed. After it
                      stays in this status for twice the lifetime of the longest packets,
                      the records about the closed connection are cleared.
                    • Closing: indicates that the two ends close the connection simultaneously.

Related Topics
1.2.45 telnet

1.2.13 display user-interface

Function
Using the display user-interface command, you can display the information about the user
interface.

Format
display user-interface [ ui-type ui-number1 ] [ ui-number ] [ summary ]

Parameters
ui-type: specifies the type of the user interface.

ui-number1: specifies the relative user interface ID.

ui-number: specifies the absolute user interface ID. The minimum value is 0. The maximum
value is smaller by 1 than the number of the user interfaces that the system supports. Different
devices support different numbers of user interfaces.

summary: displays a brief summary of the user interface.


Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Using the command, you can view the authentication mode on the user interface.

Examples
# Display the details on the user interface with the absolute ID as 0.
<Eudemon> display user-interface 0
Idx Type Tx/Rx Modem Privi Auth
* 0 CON 0 9600 3 N

* : Current user-interface is active.


I : Current user-interface is active and work in async mode.
Idx : Absolute index of user-interface.
Type : Type and relative index of user-interface.
Privi: The privilege of user-interface.
Auth : The authentication mode of user-interface.
A: Authenticate use AAA.
L: Authenticate use local database.
N: Current user-interface need not authentication.
P: Authenticate use current UI's password.

Table 1-8 Description of the display user-interface command output

Item     Description
*        The current user interface is active.
I        The current user interface is active and works in the asynchronous mode.
Idx      The absolute ID of the user interface.
Type     The type and relative ID of the user interface.
Privi    Privilege of the user interface.
Auth     Authorization mode of the user interface.
A        Adopts AAA to authenticate users.
N        The current user interface need not be authenticated.
P        Authenticates the user using the password configured on the current user interface.

1.2.14 display user-interface maximum-vty


Function
Using the display user-interface maximum-vty command, you can view the maximum number
of VTY user interfaces.

Format
display user-interface maximum-vty

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
You can modify the maximum number of VTY user interfaces as required.

Examples
# Display the maximum number of VTY users.
<Eudemon> display user-interface maximum-vty
Maximum of VTY user : 15

Table 1-9 Description of the display user-interface maximum-vty command output


Item                   Description
Maximum of VTY user    Indicates the maximum number of VTY users.

Related Topics
1.2.48 user-interface maximum-vty

1.2.15 display users

Function
Using the display users command, you can display the login user information on each interface.

Format
display users [ all ]


Parameters
all: displays the information of the user who logs on in the user view.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Using this command, you can view information about the users that access the current
firewall, including the user names, addresses, authentication and authorization.

Examples
# Use the display users command on the Console.
<Eudemon> display users
User-Intf Delay Type Ipaddress Username
+ 0 CON 0 00:00:00
146 VTY 0 00:01:37 TEL 3.3.3.101 zhangsan
147 VTY 1 00:00:06 TEL 3.3.3.101 123456789

Table 1-10 Description of the display users command output

Item         Description
+            Terminal line in use.
User-Intf    Number in the first column indicates the absolute number of user interface
             and that in the second column indicates the relative number of user interface.
Delay        Interval from the last input by the user till now, in seconds.
Type         Connection type includes Telnet, Console, SSH.
IPaddress    IP address of the starting host in connection.
Username     Indicates login user name. As the AAA authentication is currently
             unavailable, this item is null.

1.2.16 flow-control

Function
Using the flow-control command, you can configure the traffic control mode.

Using the undo flow-control command, you can restore the default traffic control mode.


Format
flow-control { hardware | software | none }
undo flow-control

Parameters
hardware: indicates the hardware traffic control, only effective to the AUX port.
software: indicates the software traffic control.
none: indicates non-traffic control.

Views
User interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the none mode is used, that is, traffic control is disabled.
The configuration is effective only when the corresponding serial interface works in the
asynchronous interactive mode.
During the EXEC output, press Ctrl+S to stop the screen output, and press Ctrl+Q to resume
the screen output.

Examples
# Set software traffic control in the user interface view.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0] flow-control software

1.2.17 free user-interface

Function
Using the free user-interface command, you can disconnect the specified user interface.

Format
free user-interface { ui-number | ui-type ui-number1 }

Parameters
ui-number: specifies the absolute user interface ID. The minimum value is 0 and the maximum
value is smaller by 1 than the number of user interfaces the system supports.
ui-type: specifies the type of the user interface.


ui-number1: specifies the relative user interface number.

Views
User view

Default Level
3: Management level

Usage Guidelines
You can exit from the user view by using the quit command successively.

Examples
# Disconnect with user interface 0.
<Eudemon> free user-interface 0

Related Topics
1.1.11 quit (All Views)
1.2.19 idle-timeout

1.2.18 history-command max-size

Function
Using the history-command max-size command, you can set the size of the history command
buffer.

Using the undo history-command max-size command, you can restore the default size of the
history command buffer.

Format
history-command max-size max-size

undo history-command max-size

Parameters
max-size: specifies the size of the history buffer. The value is in the range of 0 to 256.

Views
User interface view

Default Level
3: Management level


Usage Guidelines
By default, the size of the history command buffer is 10, that is, 10 history commands can be
stored.

The command line interface provides a function similar to DosKey, which automatically
saves the history commands entered by users. You can invoke the history commands saved in
the command line interface at any time and run them repeatedly.

Examples
# Set the size of the history command buffer to 20.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0] history-command max-size 20

Related Topics
1.1.4 display history-command

1.2.19 idle-timeout

Function
Using the idle-timeout command, you can set the idle timeout period after which the user
interface is disconnected. That is, if the user does not input a command within this period,
the user interface is disconnected.

Using the undo idle-timeout command, you can restore the default timeout time.

Format
idle-timeout minutes [ seconds ]

undo idle-timeout

Parameters
minutes: specifies the minutes part of the idle period after which the user interface is
disconnected. The value is an integer ranging from 0 to 35791 minutes.

seconds: specifies the seconds part of the idle period after which the user interface is
disconnected. The value is an integer ranging from 0 to 59 seconds.

Views
User interface view

Default Level
3: Management level

Usage Guidelines
By default, the timeout period is 10 minutes.

idle-timeout 0 0: indicates that the user stays online all the time.

After you run the idle-timeout command to configure the timeout period of the VTY user
interface, the connection to the VTY user interface will be automatically disconnected if the
timeout period expires.

Examples
# Set the timeout time to 1 minute 30 seconds.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0] idle-timeout 1 30

Related Topics
1.2.17 free user-interface

1.2.20 lock authentication-count

Function
Using the lock authentication-count command, you can configure the number of times that a
user fails to log in.

Using the undo lock authentication-count command, you can restore its default value.

Format
lock authentication-count times

undo lock authentication-count

Parameters
times: specifies the number of times that users fail to log in. Its value ranges from 0 to 12.

Views
User interface view

Default Level
3: Management level

Usage Guidelines
By default, the value of times is set to three times.

Examples
# Enter the user interface Console view and set the number of times that a user fails to log in to
12.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0] lock authentication-count 12

1.2.21 lock lock-timeout

Function
Using the lock lock-timeout command, you can configure the aging time for a user to be placed
into the black list.

Using the undo lock lock-timeout command, you can restore its default value.

Format
lock lock-timeout minutes

undo lock lock-timeout

Parameters
minutes: specifies the aging time for a user to be placed into the black list. The value ranges
from 1 to 1000 minutes.

Views
User interface view

Default Level
3: Management level

Usage Guidelines
By default, the value of minutes is set to 10 minutes.

Examples
# Enter the user interface Console view and set the aging time for a user to be placed into the
black list to 500 minutes.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0] lock lock-timeout 500

1.2.22 modem

Function
Using the modem command, you can set the incoming or outgoing call attributes of the Modem.
If no parameter is carried, it indicates allowing the incoming and outgoing call.

Using the undo modem command, you can prevent the incoming or outgoing call. If no
parameter is carried, it indicates preventing the incoming and outgoing call.

Format
modem [ call-in | both ]

undo modem [ call-in | both ]

Parameters
call-in: enables incoming call.

both: enables incoming and outgoing call.

Views
User interface view

Default Level
3: Management level

Usage Guidelines
By default, incoming or outgoing call is prevented.

This command is only effective for the AUX port and other asynchronous interfaces (except the
Console port).

Examples
# Allow the incoming call on the modem.
<Eudemon> system-view
[Eudemon] user-interface aux 1
[Eudemon-ui-aux1] modem call-in

1.2.23 modem auto-answer

Function
Using the modem auto-answer command, you can set the answering mode to automatic
answering.

Using the undo modem auto-answer command, you can set the answering mode to manual
answering.

Format
modem auto-answer
undo modem auto-answer

Parameters
None

Views
User interface view

Default Level
3: Management level

Usage Guidelines
By default, the answering mode is manual answering.
This command is only effective for the AUX interface and other asynchronous interfaces (except
the Console port). This command is effective when the incoming and outgoing calls are allowed.
When using a dial-up connection with the modem, you must first configure the Modem
parameters in the associated user interface.

Examples
# Set the answering mode to automatic answering.
<Eudemon> system-view
[Eudemon] user-interface aux 0
[Eudemon-ui-aux0] modem auto-answer

Related Topics
1.2.22 modem

1.2.24 modem timer answer

Function
Using the modem timer answer command, you can set the waiting timeout time from the
moment of off-hook till the moment when carrier is detected during the establishment of
incoming call connection.
Using the undo modem timer answer command, you can restore the default waiting timeout
time.

Format
modem timer answer seconds
undo modem timer answer

Parameters
seconds: specifies the timeout time, in seconds. The value is in the range of 1 to 60.

Views
User interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the waiting timeout time is 30 seconds.
This command is only effective for the AUX interface and other asynchronous interfaces (except
the Console interface).

Examples
# Set the waiting timeout time for the Modem to 25 seconds.
<Eudemon> system-view
[Eudemon] user-interface aux 0
[Eudemon-ui-aux0] modem timer answer 25

1.2.25 parity

Function
Using the parity command, you can set the check bit of the user interface.
Using the undo parity command, you can restore the check mode of the user interface to none.

Format
parity { none | even | odd | mark | space }
undo parity

Parameters
none: sets the transmission check bit to no check.
even: sets the transmission check bit to even parity.
odd: sets the transmission check bit to odd parity.
mark: sets the transmission check bit to mark check.
space: sets the transmission check bit to space check.

Views
User interface view

Default Level
3: Management level

Usage Guidelines
By default, no check is performed.
The configuration is effective only when the serial interface works in the asynchronous
interactive view.

Examples
# Set the transmission check bit on the Console port to odd parity.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0] parity odd

1.2.26 peer-public-key end

Function
Using the peer-public-key end command, you can return to the system view from the public
key view.

Format
peer-public-key end

Parameters
None

Views
Public key view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Return to the system view from the public key view and save the configuration.
<Eudemon> system-view
[Eudemon] rsa peer-public-key Eudemon003
[Eudemon-rsa-public-key] peer-public-key end
[Eudemon]

Related Topics
1.2.33 rsa peer-public-key
1.2.28 public-key-code begin
1.2.29 public-key-code end

1.2.27 protocol inbound

Function
Using the protocol inbound command, you can specify the protocols supported by the current
user interface.

Format
protocol inbound { all | ssh | telnet }

Parameters
all: supports all the protocols, including Telnet, SSH.

ssh: supports only SSH.

telnet: supports only Telnet.

Views
User interface view

Default Level
3: Management level

Usage Guidelines
By default, the system supports all protocols, namely, Telnet and SSH.

For example, you can use this command to set the protocol to all or ssh. Without configuration,
other user interfaces apply the Telnet protocol by default. A login user preferentially accesses
the user interface through the Telnet protocol, which adopts password authentication by default.
Without the password, the user cannot log in to the firewall. The user therefore needs to configure
the authentication mode and login password for the user interface with the Telnet protocol.

If you use this command to set the SSH protocol for a certain user interface, you need to set the
authentication mode to authentication-mode local or authentication-mode scheme default
before you can log in successfully. If the authentication mode is authentication-mode
password or authentication-mode none, protocol inbound ssh fails to be configured.

NOTE
When you use this command to specify the SSH protocol for the user interface, if SSH is enabled but the
local RSA key is not configured, the SSH is unavailable. The configuration of creating a directory takes
effect when you log in the next time.

Examples
# Configure the user interfaces from VTY 0 to VTY 4 to support only SSH.
<Eudemon> system-view
[Eudemon] user-interface vty 0 4
[Eudemon-ui-vty0-4] protocol inbound ssh

1.2.28 public-key-code begin

Function
Using the public-key-code begin command, you can enter the edit view of the public key.

Format
public-key-code begin

Parameters
None

Views
Public key view

Default Level
2: Configuration level

Usage Guidelines
Before using this command, you must use the rsa peer-public-key command to specify one key
name.
After inputting the public-key-code begin command, you can enter the public key edit view,
and then input the key characters. Spaces can exist between characters. You can press Enter to
continue inputting the key character. The public key configured must be a hex character string
coded according to the public key format. It is randomly generated by the client software
supporting SSH.

Examples
# Enter the public key edit view and input the key.
<Eudemon> system-view
[Eudemon] rsa peer-public-key Eudemon003
[Eudemon-rsa-public-key] public-key-code begin
[Eudemon-rsa-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463
[Eudemon-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[Eudemon-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[Eudemon-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[Eudemon-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[Eudemon-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[Eudemon-rsa-key-code] public-key-code end
[Eudemon-rsa-public-key] peer-public-key end
[Eudemon]
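
The example key above decodes as a DER-encoded RSAPublicKey: a SEQUENCE holding two INTEGERs, the modulus and the public exponent. The following Python check is an added example, not part of the original manual or Huawei software; it validates a pasted hex key offline before it is entered in the public key edit view, and its function names are chosen for this illustration.

```python
import string

# The example key from the public-key-code begin section of this page.
PAGE_KEY = """
308186028180739A291ABDA704F5D93DC8FDF84C427463
1991C164B0DF178C55FA833591C7D47D5381D09CE82913
D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
"""


def clean_hex(pasted):
    """Join pasted lines (spaces and line breaks are allowed) and decode the hex."""
    compact = "".join(pasted.split())
    illegal = sorted(set(compact) - set(string.hexdigits))
    if illegal:
        raise ValueError("illegal characters: " + "".join(illegal))
    if not compact or len(compact) % 2:
        raise ValueError("empty key or odd number of hex digits")
    return bytes.fromhex(compact)


def read_tlv(buf, pos, tag):
    """Read one DER element with the given tag at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("expected tag 0x%02X at offset %d" % (tag, pos))
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("value runs past the end of the key")
    return buf[pos:pos + length], pos + length


def read_positive_integer(buf, pos):
    """Read a DER INTEGER and reject empty or negative encodings."""
    value, pos = read_tlv(buf, pos, 0x02)
    if not value or value[0] & 0x80:
        raise ValueError("INTEGER is empty or negative")
    return int.from_bytes(value, "big"), pos


def parse_rsa_public_key(pasted):
    """Return (modulus_bits, public_exponent) for a hex-encoded RSAPublicKey."""
    der = clean_hex(pasted)
    body, end = read_tlv(der, 0, 0x30)  # outer SEQUENCE
    if end != len(der):
        raise ValueError("trailing bytes after the SEQUENCE")
    modulus, pos = read_positive_integer(body, 0)
    exponent, pos = read_positive_integer(body, pos)
    if pos != len(body):
        raise ValueError("unexpected data after the exponent")
    if modulus % 2 == 0 or exponent % 2 == 0 or exponent < 3:
        raise ValueError("modulus and exponent must be odd, exponent at least 3")
    return modulus.bit_length(), exponent


def describe_key(pasted):
    """One-line verdict suitable for a pre-change checklist."""
    try:
        bits, exponent = parse_rsa_public_key(pasted)
    except ValueError as err:
        return "REJECTED: %s" % err
    return "OK: %d-bit modulus, public exponent %d" % (bits, exponent)


if __name__ == "__main__":
    print(describe_key(PAGE_KEY))
```

A key that fails this check would be a candidate for the "illegal characters" or "generating a key fails" outcomes described for public-key-code end and peer-public-key end.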

Related Topics
1.2.33 rsa peer-public-key
1.2.29 public-key-code end

1.2.29 public-key-code end

Function
Using the public-key-code end command, you can return to the public key view from the public
key edit view and save the public key configured by the user.

Format
public-key-code end

Parameters
None

Views
Public key edit view

Default Level
2: Configuration level

Usage Guidelines
After this command is run, the process of editing the public key ends. Before saving the public key,
the system checks the validity of the key. If there are illegal characters in the public key character
string configured by the user, the system displays a relevant prompt. The public key configured
by the user is discarded, so this configuration fails. If the public key configured is valid, it is
saved in the public key chain table of the client.
• Generally, in the public key edit view, only the peer-public-key end command can be used
  to exit from the public key view, and the quit command cannot be used.
• If a legal key coding is not input in the public key edit view, the key cannot be generated
  after the peer-public-key end command is used. The system prompts that generating a key
  fails.
• If the key is deleted in another window, the system prompts that the key does not exist and
  returns to the system view directly when you run the peer-public-key end command.

Examples
# Quit the public key editing view and save the configuration.
<Eudemon> system-view
[Eudemon] rsa peer-public-key Eudemon003
[Eudemon-rsa-public-key] public-key-code begin
[Eudemon-rsa-key-code] public-key-code end
[Eudemon-rsa-public-key] peer-public-key end
[Eudemon]

Related Topics
1.2.33 rsa peer-public-key
1.2.28 public-key-code begin

1.2.30 redirect

Function
Using the redirect command, you can enable the redirect function of the asynchronous interface.
This command is only effective for AUX and TTY user interfaces.

Using the undo redirect command, you can disable the redirect function of the asynchronous
interface.

Format
redirect

undo redirect

Parameters
None

Views
User interface view

Default Level
3: Management level

Usage Guidelines
By default, the redirect function is disabled.

Examples
# Enable the redirect function of the TTY7 user interface.
<Eudemon> system-view
[Eudemon] user-interface tty 7
[Eudemon-ui-tty7] redirect

Related Topics
1.2.45 telnet

1.2.31 rsa local-key-pair create

Function
Using the rsa local-key-pair create command, you can generate the local RSA
host key pair and the server key pair.

Format
rsa local-key-pair create

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
If an RSA key already exists, the system warns you that the original key will be overwritten.
The generated key pairs are named hostkey and serverkey. Note that the command is not saved to
the configuration file.
After the command is entered, the system prompts you to type in the key modulus of the
host. The lengths of the server key pair and the host key pair differ by at least 128 bits.
The minimum length of the server key and the host key is 512 bits, and the maximum length is
2048 bits. If the keys already exist, you need to confirm whether to modify them.
To implement SSH login, you need to configure and create the local RSA key pair. Before
configuring other SSH settings, you must create the local key pair using the rsa local-key-pair
create command.
This command needs to be run only once and need not be run again after the firewall
restarts.

Examples
# Create local host key pair and server key pair.
<Eudemon> system-view
[Eudemon] rsa local-key-pair create
The key name will be: Eudemon_Host
% RSA keys defined for eudemon A_Host already exist.
Confirm to replace them? [yes/no]:y
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:512
Generating keys...
.......++++++++++++
.++++++++++++
..++++++++
.............++++++++
[Eudemon]

Related Topics
1.2.32 rsa local-key-pair destroy

1.2.32 rsa local-key-pair destroy

Function
Using the rsa local-key-pair destroy command, you can remove all RSA keys at server end,
including Host key and Server key.

Format
rsa local-key-pair destroy

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
After entering this command, you need to confirm whether to remove all RSA keys. The
command is not saved to the configuration file.

Examples
# Remove all keys at server end.
<Eudemon> system-view
[Eudemon] rsa local-key-pair destroy
% Keys to be removed are named rtvrp_Host .
% Do you really want to remove these keys? [yes/no]:y
[Eudemon]

Related Topics
1.2.31 rsa local-key-pair create

1.2.33 rsa peer-public-key

Function
Using the rsa peer-public-key command, you can enter public key view.

Format
rsa peer-public-key key-name

Parameters
key-name: specifies the public key name. It is a string of 1 to 30 characters.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
After inputting the command, you can enter the public key view. This command can be used
together with the public-key-code begin command to configure the public key of the client.

The public key of the client is randomly generated by the client software.

Examples
# Enter the public key view.
<Eudemon> system-view
[Eudemon] rsa peer-public-key Eudemon002
[Eudemon-rsa-public-key]

Related Topics
1.2.28 public-key-code begin
1.2.29 public-key-code end
1.2.26 peer-public-key end

1.2.34 screen-length

Function
Using the screen-length command, you can set the number of rows on each screen of the
terminal.

Using the undo screen-length command, you can restore the number of rows on each screen of
the terminal to 24.

Format
screen-length screen-length

undo screen-length

Parameters
screen-length: specifies the number of rows displayed on the split screen. It is an integer ranging
from 0 to 512. 0 indicates the split screen is disabled.

Views
User interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the number of rows on one screen is 24.

Generally, the number of lines per screen on the terminal need not be adjusted.

Examples
# Set the number of lines in each screen of the terminal to 30.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0] screen-length 30

1.2.35 send

Function
Using the send command, you can transfer messages between user interfaces.

Format
send { all | ui-number | ui-type ui-number1 }

Parameters
all: sends messages to all user interfaces.

ui-number: specifies the absolute user interface ID. The minimum value is 0. The maximum
value is one less than the number of user interfaces the system supports. Different devices
support different numbers of user interfaces.

ui-type: specifies the type of user interface.

ui-number1: specifies the relative user interface number.

Views
User view

Default Level
3: Management level

Usage Guidelines
After you run the send command, the system prompts you to enter the message to be sent.
After you confirm sending the message, the user logged in to the specified user interface
receives the message.

Examples
# Send a message to the user interface Console 0.
<Eudemon> send console 0
Enter message, end with CTRL+Z or Enter; abort with CTRL+C:
Hello,good morning!
Send message? [Y/N]y

# Then users who log on to the Eudemon through Console 0 can receive this message.
<Eudemon>

***
***
***Message from con0 to con0
***
Hello, good morning!

1.2.36 set authentication password

Function
Using the set authentication password command, you can set the local authentication
password.

Using the undo set authentication password command, you can remove the local
authentication password.

Format
set authentication password { simple | cipher } password

undo set authentication password

Parameters
simple: configures the password in the plain text.

cipher: configures the password in the encrypted text.

password: specifies the password for the user interface. If the password is in the form of simple,
the password must be in plain text. If the password is in the form of cipher, the password
can be either in encrypted text or in plain text. The result is determined by the input. A
plain text password is a sequential string of no more than 16 characters. An encrypted text
password has a length of 24 bits.

Views
User interface view

Default Level
3: Management level

Usage Guidelines
Regardless of whether the password is configured in plain text or encrypted text, the user must
input the plain text password during authentication.
You must specify simple or cipher when configuring the command. If you use the simple
method, the configuration file saves the password in plain text. If you use the cipher method,
the password is displayed in encrypted text whether you input the plain text password of
1 to 16 bytes or the 24-bit encrypted password.
By default, Telnet users must input the password during login. If no password is configured, the
following is displayed: "Warning: Login password has not been set!"

Examples
# Set the local authentication password for the user interface vty 0 to vty 4 as 12345678.
<Eudemon> system-view
[Eudemon] user-interface vty 0 4
[Eudemon-ui-vty0-4] authentication-mode password
[Eudemon-ui-vty0-4] set authentication password simple 12345678

Related Topics
1.2.2 authentication-mode
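
The weak settings described in 1.2.19 idle-timeout, 1.2.27 protocol inbound and 1.2.36 set authentication password can be found mechanically in a listing of user-interface commands. The following Python audit is an added example, not part of the original manual or Huawei software; the indented block layout, the finding names and the sample listing are constructed assumptions.

```python
import re

# Constructed sample: commands from this page laid out as indented
# "user-interface" blocks (the layout is an assumption, not device output).
SAMPLE_CONFIG = """\
user-interface console 0
 idle-timeout 0 0
user-interface aux 0
 modem call-in
user-interface vty 0 4
 authentication-mode password
 set authentication password simple 12345678
user-interface vty 5 9
 authentication-mode local
 protocol inbound ssh
 idle-timeout 5 0
"""

# Finding names are hypothetical labels chosen for this example.
MESSAGES = {
    "no-idle-timeout": "idle-timeout 0 0 keeps the user online all the time",
    "plaintext-password": "simple stores the password in plain text in the configuration file",
    "no-authentication": "authentication-mode none allows login without authentication",
    "telnet-accepted": "VTY accepts Telnet (default is all protocols unless protocol inbound ssh is set)",
}

BLOCK_RE = re.compile(r"^user-interface\s+([a-z]+)\s+(\d+)(?:\s+(\d+))?$")


def split_blocks(config):
    """Return [(ui_type, header_line, [command_words, ...]), ...]."""
    blocks = []
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = BLOCK_RE.match(line)
        if match:
            current = (match.group(1), line, [])
            blocks.append(current)
        elif raw[0].isspace() and current is not None:
            current[2].append(line.split())
        else:
            current = None  # a command outside any user-interface block
    return blocks


def is_zero_idle_timeout(words):
    """True for idle-timeout 0 0; an omitted seconds value is treated as 0 (assumption)."""
    if words[0] != "idle-timeout" or len(words) not in (2, 3):
        return False
    if not all(word.isdigit() for word in words[1:]):
        return False
    return not any(int(word) for word in words[1:])


def audit(config):
    """Return a list of (header_line, finding_name) in listing order."""
    findings = []
    for ui_type, header, commands in split_blocks(config):
        protocol = "all"  # default stated on this page: Telnet and SSH
        for words in commands:
            if words[:2] == ["protocol", "inbound"] and len(words) == 3:
                protocol = words[2]
            elif words[:4] == ["set", "authentication", "password", "simple"]:
                findings.append((header, "plaintext-password"))
            elif words == ["authentication-mode", "none"]:
                findings.append((header, "no-authentication"))
            elif is_zero_idle_timeout(words):
                findings.append((header, "no-idle-timeout"))
        if ui_type == "vty" and protocol != "ssh":
            findings.append((header, "telnet-accepted"))
    return findings


if __name__ == "__main__":
    for header, name in audit(SAMPLE_CONFIG):
        print("%s: %s" % (header, MESSAGES[name]))
```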

1.2.37 shell

Function
Using the shell command, you can set the terminal services enabled on the user interface.
Using the undo shell command, you can remove the current setting.

Format
shell
undo shell

Parameters
None

Views
User interface view

Default Level
3: Management level

Usage Guidelines
By default, the terminal services are enabled on all the user interfaces.
The undo shell command has the following restrictions:
• If there is only the Console port without the AUX port, the Console port does not support
  the command.
• If there is only the AUX port without the Console port, the AUX port does not support the
  command.
• If there are both the Console port and the AUX port, the Console port does not support the
  command but the AUX port supports it.
• There is no restriction on other types of user interfaces.

Examples
# Disable terminal services on the VTY 0 to VTY 4.
<Eudemon> system-view
[Eudemon] user-interface vty 0 4
[Eudemon-ui-vty0-4] undo shell

# As for the Telnet users, the following is displayed after they log in.
% connection refused by remote host!

1.2.38 speed (User Interface View)

Function
Using the speed command, you can set the transmission rate of a user interface.
Using the undo speed command, you can restore the default transmission rate.

Format
speed speed-value
undo speed

Parameters
speed-value: specifies the transmission rate, in bit/s.

Views
User interface view

Default Level
3: Management level

Usage Guidelines
By default, the transmission rate is 9600 bit/s.

The configuration is effective only when the serial interface works in the asynchronous
interactive view.

The transmission rates supported by the asynchronous serial interface are:

• 300 bit/s
• 600 bit/s
• 1200 bit/s
• 4800 bit/s
• 9600 bit/s
• 19200 bit/s
• 38400 bit/s
• 57600 bit/s
• 115200 bit/s

Examples
# Set the transmission rate of the user interface to 19200 bit/s.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0] speed 19200

1.2.39 ssh server authentication-retries

Function
Using the ssh server authentication-retries command, you can set the retry times to
authenticate the SSH connection.

Using the undo ssh server authentication-retries command, you can restore the default retry
times.

Format
ssh server authentication-retries times

undo ssh server authentication-retries

Parameters
times: specifies the retry times to authenticate the SSH connection. The value ranges from 1 to
5.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the retry times is 3.

The configuration takes effect during the next login.

Examples
# Set the retry times to 4.
<Eudemon> system-view
[Eudemon] ssh server authentication-retries 4

Related Topics
1.2.10 display ssh server

1.2.40 ssh server rekey-interval

Function
Using the ssh server rekey-interval command, you can set the interval for updating the key
pair of the SSH server.

Using the undo ssh server rekey-interval command, you can cancel the interval for updating
the key pair of the SSH server and restore the default value 0.

Format
ssh server rekey-interval interval

undo ssh server rekey-interval

Parameters
interval: specifies the interval for updating the key pair of the SSH server. It is an integer ranging
from 0 to 24 hours.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the interval for updating the key pair of the SSH server is 0, which indicates no updating.

The system automatically updates the key pair of the SSH server at the configured interval. If
the client is connected with the server, the public key of the server on the client is not immediately
updated. The public key of the server on the client is updated only when the client is re-connected
with the server.

Examples
# Set the interval for updating the key pair of the SSH server to one hour.
<Eudemon> system-view
[Eudemon] ssh server rekey-interval 3

Related Topics
1.2.10 display ssh server

1.2.41 ssh server timeout

Function
Using the ssh server timeout command, you can set the timeout period of the SSH connection.

Using the undo ssh server timeout command, you can restore the default timeout period.

Format
ssh server timeout seconds

undo ssh server timeout

Parameters
seconds: specifies the login timeout period of the SSH connection. The value ranges from 1 to
120 seconds.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the timeout period is 60 seconds.

Examples
# Set the timeout period to 80 seconds.
<Eudemon> system-view
[Eudemon] ssh server timeout 80

Related Topics
1.2.10 display ssh server

1.2.42 ssh user assign rsa-key

Function
Using the ssh user assign rsa-key command, you can assign one existing public key (key-name)
to the user.

Using the undo ssh user assign rsa-key command, you can delete the relationship between the
user and its public key.

Format
ssh user user-name assign rsa-key key-name

undo ssh user user-name assign rsa-key

Parameters
user-name: specifies the valid SSH user name defined by AAA. It is a string of 1 to 64 characters.

key-name: specifies the configured public key name of the client. It is a string of 1 to 64
characters.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
When the system assigns a public key to a user, the system regards the public key assigned last
as valid.

The AAA module is responsible for the creation and deletion of local user names. When creating an
SSH user, the AAA module first informs SSH, and SSH then adds this user name to its user set.
Likewise, when deleting a user, the AAA module informs SSH, and SSH then looks up this
user in its user set. If the user is matched, SSH deletes this user from its user set.

To enable the newly-configured public key to take effect, you must re-log in to the system.

Examples
# Assign "key1" to the user "john".
<Eudemon> system-view
[Eudemon] ssh user john assign rsa-key key1

Related Topics
1.2.11 display ssh user-information

1.2.43 ssh user authentication-type

Function
Using the ssh user authentication-type command, you can configure the authentication mode
for the SSH user.
Using the undo ssh user authentication-type command, you can cancel the authentication
mode of the SSH user and restore the default configuration, that is, no authentication mode is
adopted.

Format
ssh user user-name authentication-type { password | rsa | all }
undo ssh user user-name authentication-type { password | rsa | all }

Parameters
user-name: specifies the name of the SSH user. It is a string of 1 to 64 characters.
password: indicates the password authentication.
rsa: indicates the RSA authentication.
all: indicates that either the password authentication or the RSA authentication can be adopted.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the authentication mode of the SSH user is not configured.
If you are a new user, you must set the authentication mode. To enable the newly configured
authentication mode to take effect, you must re-log in to the system.
When configuring the authentication mode of the SSH user, create an SSH user in the configured
authentication mode if no user name is specified.

Examples
# Configure the authentication mode for SSH user Tom.
<Eudemon> system-view
[Eudemon] ssh user Tom authentication-type password

Related Topics
1.2.11 display ssh user-information

1.2.44 stopbits

Function
Using the stopbits command, you can set the stop bit of a user interface.

Using the undo stopbits command, you can restore the default stop bit.

Format
stopbits { 1.5 | 1 | 2 }

undo stopbits

Parameters
1.5: sets the stop bit to 1.5 bits.

1: sets the stop bit to 1 bit.

2: sets the stop bit to 2 bits.

Views
User interface view

Default Level
3: Management level

Usage Guidelines
By default, the stop bit is 1 bit.

If the stop bit is 1.5, the corresponding data bit is 5.

If the stop bit is 2, the corresponding data bit is 6, 7 and 8.

The configuration is effective only when the serial interface works in the asynchronous
interactive view.

Examples
# Set the stop bit to 1.5 bits.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0] stopbits 1.5

1.2.45 telnet

Function
Using the telnet command, you can log in to another firewall or router from the current
firewall through Telnet.

Format
telnet host-ip-address [ service-port ]

Parameters
host-ip-address: specifies the IP address of the remote firewall or router, either in dotted
decimal notation or as a host name.
service-port: specifies the TCP port number to provide Telnet service on the remote firewall or
router. It ranges from 0 to 65535.

Views
User view

Default Level
0: Visit level

Usage Guidelines
By default, if service-port is not specified, the Telnet port number is 23.
By using the telnet command, the user can conveniently log in to another firewall or router from
the current firewall to manage the remote device.

Examples
# Log in to a router (IP address is 129.102.0.1) from the current firewall.
<Eudemon> telnet 129.102.0.1
Trying 129.102.0.1...
Service port is 23
Connected to 129.102.0.1
<Quidway>

1.2.46 user privilege

Function
Using the user privilege command, you can configure the command level for the user interface.
Using the undo user privilege command, you can restore the default command level.

Format
user privilege level level
undo user privilege level

Parameters
level: specifies the command level. The value is in the range of 0 to 3.

Views
User interface view

Default Level
3: Management level

Usage Guidelines
By default, the command level corresponding to the Console port on the user interface is 3 and
the command level corresponding to other user interfaces is 0.
If the command level configured on the user interface is inconsistent with the actual level of
the user, the latter is used as the valid level. For instance, the command level
corresponding to user 001 is 3 but the command level configured on VTY 0 for user 001 is
2. When the user then logs in to the system through VTY 0, the user can use commands of level 3
and below.

Examples
# Configure the level of the user logging on through VTY 0 to 2.
<Eudemon> system-view
[Eudemon] user-interface vty 0
[Eudemon-ui-vty0] user privilege level 2

# Log in to the firewall through Telnet from VTY 0 to view the detailed user interface.
<Eudemon> display user-interface vty 0

Related Topics
1.2.13 display user-interface

1.2.47 user-interface

Function
Using the user-interface command, you can enter one user interface view or multiple user
interface views.

Format
user-interface [ ui-type ] first-ui-number [ last-ui-number ]

Parameters
ui-type: specifies the type of user interface. If the user interface type is specified, use the relative
user interface ID. If the user interface type is not specified, use the absolute user interface ID.

first-ui-number: specifies the first user interface to be configured.

last-ui-number: specifies the last user interface to be configured. The last-ui-number should be
larger than the first-ui-number.

Views
System view

Default Level
3: Management level

Usage Guidelines
After you run this command to enter the user interface view, you can configure the attributes
related to this user interface.

Examples
# Enter the user interface console view to configure console 0.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0]

# Enter the user interface VTY 0 view to configure VTY 0.
<Eudemon> system-view
[Eudemon] user-interface vty 0
[Eudemon-ui-vty0]

# Enter the user interface VTY view to configure VTY 0 to VTY 3.
<Eudemon> system-view
[Eudemon] user-interface vty 0 3
[Eudemon-ui-vty0-3]

# Enter user interface view to configure user interface 0-4.
<Eudemon> system-view
[Eudemon] user-interface 0 4
[Eudemon-ui0-4]

Related Topics
1.2.13 display user-interface

1.2.48 user-interface maximum-vty

Function
Using the user-interface maximum-vty command, you can set the maximum number of login
users.

Using the undo user-interface maximum-vty command, you can restore the default maximum
number of login users.

Format
user-interface maximum-vty number
undo user-interface maximum-vty

Parameters
number: specifies the maximum number of Telnet and SSH users. The value is in the range of
0 to 15.

Views
System view

Default Level
3: Management level

Usage Guidelines
By default, the maximum number of Telnet and SSH users is 5.

Examples
# Set the maximum number of Telnet users to 7.
<Eudemon> system-view
[Eudemon] user-interface maximum-vty 7

Related Topics
1.2.14 display user-interface maximum-vty

1.3 Working Mode Configuration Commands

1.3.1 debugging firewall transparent-mode
1.3.2 display firewall mode
1.3.3 display firewall transparent-mode config
1.3.4 display firewall transparent-mode address-table
1.3.5 display firewall transparent-mode traffic
1.3.6 display firewall transparent-mode trunk-port
1.3.7 firewall arp-learning enable
1.3.8 firewall ethernet-frame-filter
1.3.9 firewall mode
1.3.10 firewall system-ip
1.3.11 firewall transparent-mode aging-time
1.3.12 firewall transparent-mode fast-forwarding
1.3.13 firewall transparent-mode transmit
1.3.14 firewall unknown-mac
1.3.15 port trunk pvid
1.3.16 port trunk vlan allow-pass all
1.3.17 reset firewall transparent-mode address-table
1.3.18 reset firewall transparent-mode traffic

1.3.1 debugging firewall transparent-mode

Function
Using the debugging firewall transparent-mode command, you can enable packet forwarding
debugging in transparent mode.

Format
debugging firewall transparent-mode { eth-forwarding [ interface interface-type interface-number ] | ip-forwarding }

undo debugging firewall transparent-mode { eth-forwarding [ interface interface-type interface-number ] | ip-forwarding }

Parameters
eth-forwarding: enables Ethernet packet forwarding debugging in transparent mode.

ip-forwarding: enables IP packet forwarding debugging in transparent mode.

interface-type: specifies the type of an interface.

interface-number: specifies the number of an interface.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Enable Ethernet packet forwarding debugging in transparent mode.
<Eudemon> debugging firewall transparent-mode eth-forwarding interface Ethernet 0/0/0

1.3.2 display firewall mode

Function
Using the display firewall mode command, you can view the current working mode of the
firewall.

Format
display firewall mode

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the current mode of the firewall.
<Eudemon> display firewall mode
Firewall mode: route

Related Topics
1.3.9 firewall mode

1.3.3 display firewall transparent-mode config

Function
Using the display firewall transparent-mode config command, you can view the configuration
related to transparent mode.

Format
display firewall transparent-mode config

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the configuration related to transparent mode.
<Eudemon> system-view
[Eudemon] display firewall transparent-mode config
Firewall transparent-info:
arp learning: enable
VLAN forward: enable
system IP address: none
system IP mask : none
unknown-mac:
unicast IP packet: flood
broadcast IP packet: drop
multicast IP packet: drop
15:53:23 06-10-2008

1.3.4 display firewall transparent-mode address-table

Function
Using the display firewall transparent-mode address-table command, you can view the
content in MAC address forwarding table of a firewall.

Format
display firewall transparent-mode address-table [ interface interface-type interface-number | mac mac-address ]

Parameters
interface interface-type interface-number: specifies the type and number of an interface.

mac mac-address: specifies the unicast MAC address in the format of H-H-H. H is a 4-digit
hexadecimal number, such as 00e0 and fc01. If you enter fewer than 4 digits, the value is
padded with leading zeros. For example, when you enter e0, 00e0 is displayed. FFFF-FFFF-FFFF
is not a valid MAC address.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the address forwarding table of the interface Ethernet 0/0/0.
<Eudemon> display firewall transparent-mode address-table interface Ethernet 0/0/0
Mac-address Action Type Aging-time Receive Send Interface-name

Table 1-11 Description of the display firewall transparent-mode address-table command output

Field            Description
Mac-Address      MAC address
Action           Deny or permit
Type             Static or dynamic
Aging-time       Time to live for the forwarding table
Receive          Receive packets from the destination MAC address
Send             Send packets from the destination MAC address
Interface-name   Outgoing interface name
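
The H-H-H rules given for the mac-address parameter above (zero padding of short groups, FFFF-FFFF-FFFF rejected) can be checked before a MAC taken from another tool is pasted into the command. The following is an added example, not code from the manual or from the device; the function names are hypothetical, and rejecting every address with the group bit set is this example's reading of "unicast".

```python
import re

HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def normalize_hhh(text):
    """Validate a MAC written as H-H-H and pad each group to 4 hex digits."""
    groups = text.strip().split("-")
    if len(groups) != 3 or not all(HEX_GROUP.match(g) for g in groups):
        raise ValueError("expected three hyphen-separated groups of 1 to 4 hex digits")
    # The manual's own case: entering e0 is displayed as 00e0.
    padded = [g.lower().zfill(4) for g in groups]
    value = int("".join(padded), 16)
    if value == 0xFFFFFFFFFFFF:
        raise ValueError("FFFF-FFFF-FFFF is not a valid MAC address for this command")
    if (value >> 40) & 0x01:
        # Assumption of this example: "unicast" means the group bit
        # (lowest bit of the first octet) must be clear.
        raise ValueError("group (multicast) bit is set; a unicast address is required")
    return "-".join(padded)


def to_hhh(text):
    """Convert aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff to H-H-H."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("expected exactly 12 hex digits")
    return normalize_hhh("-".join(digits[i:i + 4] for i in (0, 4, 8)))


def address_table_command(mac):
    """Build the display command from the Format section for one validated MAC."""
    return "display firewall transparent-mode address-table mac " + normalize_hhh(mac)


if __name__ == "__main__":
    # Constructed sample addresses.
    for sample in ("e0-fc01-1", "00E0-FC01-0001"):
        print(sample, "->", address_table_command(sample))
    print(to_hhh("00:E0:FC:01:00:01"))
```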

1.3.5 display firewall transparent-mode traffic

Function
Using the display firewall transparent-mode traffic command, you can view traffic statistics
on a firewall.

Format
display firewall transparent-mode traffic [ interface interface-type interface-number ]

Parameters
interface interface-type interface-number: specifies the type and number of an interface.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the traffic statistics on the interface Ethernet 0/0/0 of the firewall.
<Eudemon> display firewall transparent-mode traffic interface Ethernet 0/0/0
the statistic of interface Ethernet0/0/0 :
Input:
0 total, 0 bpdu, 0 single,
0 multi, 0 broadcast;
0 ip,0 ipx, 0 other protocal;
0 eth2, 0 snap,
0 dlsw, 0 other,
0 vlan;
Output:
0 total, 0 bpdu, 0 single,
0 multi, 0 broadcast;
0 ip, 0 ipx, 0 other protocal;
0 eth2, 0 snap,
0 dlsw, 0 other,
0 vlan;
Send way:0 broadcast, 0 fast, 0 other
Discard:
0 by inport state,
0 for local frame ,
0 by mac table,
0 by inport filter,
0 by outport filter,
0 by ip filter ,
0 other

The displayed information consists of three parts: Input, Output, and Discard. Input and Output
indicate the type and quantity of packets input and output by the interface. For example, "10 total,
1 bpdu, 2 single" means that ten packets in total were input, of which one is a BPDU packet and
two are unicast packets.

Table 1-12 Description of the display firewall transparent-mode traffic command output

Field                 Description
Send way              Sending way of data
Discard               Discarding reason and quantity of discarded packets
0 by inport state     Quantity of frames discarded because the state of the inbound interface is abnormal
0 for local frame     Quantity of frames discarded because the outbound interface is the same as the inbound interface
0 by mac table        Quantity of frames discarded because of prohibiting entries configured in the MAC forwarding table
0 by inport filter    Quantity of frames discarded because of the filtering rule configured on the inbound interface
0 by outport filter   Quantity of frames discarded because of the filtering rule configured on the outbound interface
0 by ip filter        Quantity of frames discarded because of the filtering rule configured at the IP layer
0 other               Quantity of frames discarded for other reasons
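
When the Discard counters are watched over time, two saved snapshots of this output can be compared to see which discard reasons grew. The following is an added example, not code from the manual or the device; the function names and all counter values are constructed, and a counter that goes backwards is treated as cleared between snapshots (for instance by reset firewall transparent-mode traffic).

```python
import re

HEADER = re.compile(r"^the statistic of interface\s+(\S+)\s*:$")
SECTION = re.compile(r"^(Input|Output|Send way|Discard)\s*:\s*(.*)$")
# "<number> <name>" pairs separated by "," or ";" (spacing varies in the output).
COUNTER = re.compile(r"(\d+)\s+([A-Za-z][A-Za-z0-9 ]*?)\s*(?=[,;]|$)")

# Discard reasons that Table 1-12 attributes to configured rules.
RULE_DROPS = {"by mac table", "by inport filter", "by outport filter", "by ip filter"}


def parse_traffic(text):
    """Return {interface: {section: {counter name: value}}}."""
    stats, iface, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            iface, section = header.group(1), None
            stats[iface] = {}
            continue
        if iface is None:
            continue  # prompt or echoed command before the first interface block
        start = SECTION.match(line)
        if start:
            section, line = start.group(1), start.group(2)
            stats[iface].setdefault(section, {})
        if section is None:
            continue
        for value, name in COUNTER.findall(line):
            stats[iface][section][name] = int(value)
    return stats


def discard_deltas(before, after):
    """List (interface, reason, increase, rule_based) for discard counters that grew."""
    rows = []
    for iface, sections in after.items():
        old = before.get(iface, {}).get("Discard", {})
        for reason, now in sections.get("Discard", {}).items():
            base = old.get(reason, 0)
            if now < base:
                base = 0  # counter went backwards: statistics were cleared in between
            if now > base:
                rows.append((iface, reason, now - base, reason in RULE_DROPS))
    return sorted(rows)


# Constructed sample in the layout of the manual's example; all values are invented.
HEAD = """\
<Eudemon> display firewall transparent-mode traffic interface Ethernet 0/0/0
the statistic of interface Ethernet0/0/0 :
Input:
120 total, 1 bpdu, 110 single,
4 multi, 5 broadcast;
115 ip,0 ipx, 5 other protocal;
120 eth2, 0 snap,
0 dlsw, 0 other,
0 vlan;
Output:
90 total, 0 bpdu, 90 single,
0 multi, 0 broadcast;
90 ip, 0 ipx, 0 other protocal;
90 eth2, 0 snap,
0 dlsw, 0 other,
0 vlan;
Send way:0 broadcast, 85 fast, 5 other
Discard:
"""
DISCARD = """\
0 by inport state,
0 for local frame ,
{mac} by mac table,
{inport} by inport filter,
0 by outport filter,
{ip} by ip filter ,
{other} other
"""


def sample_output(mac, inport, ip, other):
    """Build one constructed snapshot with the given discard counters."""
    return HEAD + DISCARD.format(mac=mac, inport=inport, ip=ip, other=other)


if __name__ == "__main__":
    first = parse_traffic(sample_output(mac=3, inport=10, ip=0, other=7))
    second = parse_traffic(sample_output(mac=3, inport=25, ip=2, other=1))
    for iface, reason, grew, rule_based in discard_deltas(first, second):
        kind = "configured rule" if rule_based else "other cause"
        print(f"{iface}: +{grew} discarded {reason} ({kind})")
```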

1.3.6 display firewall transparent-mode trunk-port

Function
Using the display firewall transparent-mode trunk-port command, you can display the
firewall Trunk interface.

Format
display firewall transparent-mode trunk-port

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the firewall Trunk interface.
<Eudemon> display firewall transparent-mode trunk-port
Ethernet1/0/0

1.3.7 firewall arp-learning enable

Function
Using the firewall arp-learning enable command, you can enable the ARP learning.

Using the undo firewall arp-learning enable command, you can disable the ARP learning.

Format
firewall arp-learning enable

undo firewall arp-learning enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the ARP learning is enabled on the firewall.

When the firewall works in transparent mode, hosts in internal networks and external networks
search MAC addresses mutually through the ARP process; or an external host accesses the
firewall through ping, FTP, and Telnet; or the firewall initiates ping, FTP, and Telnet. In this
case, there are a large number of ARP request and response packets in the network.

On the one hand, the firewall transmits the ARP request or response packets. On the other hand,
it performs the learning based on the packets to create relevant ARP entries for future use.

Examples
# Disable the ARP learning.
<Eudemon> system-view
[Eudemon] undo firewall arp-learning enable

1.3.8 firewall ethernet-frame-filter

Function
Using the firewall ethernet-frame-filter command, you can apply ACL on the inbound or
outbound interface.

Using the undo firewall ethernet-frame-filter command, you can cancel ACL on the inbound
or outbound interface.

Format
firewall ethernet-frame-filter acl-number { inbound | outbound }
undo firewall ethernet-frame-filter { inbound | outbound }

Parameters
acl-number: specifies a MAC address based ACL in a range of 4000 to 4099.
inbound: applies ACL on the inbound interface.
outbound: applies ACL on the outbound interface.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By applying an ACL to a specific interface, you can restrict the interface to receiving or
sending only Ethernet frames according to the MAC address-based rules.

Examples
# Apply ACL 4000 rule on the inbound interface Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] firewall ethernet-frame-filter 4000 inbound

1.3.9 firewall mode

Function
Using the firewall mode command, you can set the working mode for a firewall.
Using the undo firewall mode command, you can restore its default value.

Format
firewall mode { composite | route | transparent }
undo firewall mode

Parameters
composite: refers to composite mode, in which some interfaces are configured with IP addresses
and others are not.
route: refers to route mode, in which each interface in use must be configured with an IP address.
transparent: refers to transparent mode, in which no interface is configured with an IP
address.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the firewall works in route mode.
When the firewall works in route mode, its interfaces must be configured with different
IP addresses and connected to different subnetworks. When the firewall works in transparent
mode, its interfaces cannot be configured with IP addresses, and the networks connected to
different interfaces must be in the same subnetwork. The composite mode is generally used for
VRRP backup.

CAUTION
The change of the working mode may clear the content of the configuration file in the Flash and
restart the device.

Examples
# Set the firewall to work in transparent mode.
<Eudemon> system-view
[Eudemon] firewall mode transparent
The action will clear the saved configuration in the flash and reboot the system
.Continue?[y/n]y

Related Topics
1.3.2 display firewall mode

1.3.10 firewall system-ip

Function
Using the firewall system-ip command, you can assign the IP address of the system.
Using the undo firewall system-ip command, you can restore its default value.

Format
firewall system-ip system-ip-address [ mask | mask-length ] [ vlan-id vlan-id &<1-5> ]
undo firewall system-ip

Parameters
system-ip-address: specifies the IP address of the system in dotted decimal notation.
address-mask: specifies the IP address mask in dotted decimal notation.
If no IP address mask is entered, the system uses the default mask for the type of IP address.
vlan-id vlan-id &<1-5>: specifies the VLAN ID. It ranges from 1 to 4094. You can configure
one to five VLAN IDs.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the IP address is 169.0.0.1 and the mask is 255.0.0.0.
You need to assign the IP address of the system only when the firewall works in transparent mode.
In transparent mode, the interfaces of the firewall are not configured with IP addresses, so you
cannot manage the firewall remotely. After configuring the IP address of the
system, you can log in and manage the firewall through that address. When the firewall
works in route mode, you do not need to configure the IP address of the system.
If no VLAN is specified after the system IP address, VLAN 1 is supported by default. If one to five
VLANs are bound, multiple VLANs are supported.

Examples
# Set IP address of the firewall system to 202.106.100.1.
<Eudemon> system-view
[Eudemon] firewall system-ip 202.106.100.1

# Set IP address of the firewall system to 202.106.100.1, and bind the VLAN 2 and VLAN 3.
[Eudemon] firewall system-ip 202.106.100.1 vlan-id 2 vlan-id 3

1.3.11 firewall transparent-mode aging-time

Function
Using the firewall transparent-mode aging-time command, you can set the aging time of the
dynamic address table.
Using the undo firewall transparent-mode aging-time command, you can restore its default
value.

Format
firewall transparent-mode aging-time seconds

undo firewall transparent-mode aging-time

Parameters
seconds: specifies the aging time of the dynamic address table in a range of 10 to 1000000
seconds.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the aging time of the dynamic address table is 300 s.
If the hold time of a dynamic address exceeds the aging time stored in the address table, the
dynamic address is deleted.

Examples
# Set aging time of dynamic addresses to 100 s.
<Eudemon> system-view
[Eudemon] firewall transparent-mode aging-time 100

1.3.12 firewall transparent-mode fast-forwarding

Function
Using the firewall transparent-mode fast-forwarding command, you can enable fast
forwarding on the inbound or outbound interface.
Using the undo firewall transparent-mode fast-forwarding command, you can disable this
function.

Format
firewall transparent-mode fast-forwarding [ inbound | outbound ]
undo firewall transparent-mode fast-forwarding [ inbound | outbound ]

Parameters
inbound: enables fast forwarding on the inbound interface.
outbound: enables fast forwarding on the outbound interface.

Views
Ethernet interface view

Default Level
2: Configuration level

Usage Guidelines
NOTE
The data flow from inbound interface to outbound interface can be forwarded fast, only if the fast forwarding
is configured on both inbound interface and outbound interface.

Examples
# Enable the fast forwarding on the outbound interface Ethernet 0/0/0 of the firewall.
<Eudemon> system-view
[Eudemon] firewall mode transparent
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] firewall transparent-mode fast-forwarding outbound

Related Topics
1.3.9 firewall mode

1.3.13 firewall transparent-mode transmit

Function
Using the firewall transparent-mode transmit command, you can enable the firewall to
transmit the protocol-specific frame.

Using the undo firewall transparent-mode transmit command, you can disable this function.

Format
firewall transparent-mode transmit { bpdu | dlsw | ipx }

undo firewall transparent-mode transmit { bpdu | dlsw | ipx }

Parameters
bpdu: refers to the BPDU (Bridge Protocol Data Unit) data frame used by the bridge STP algorithm.

dlsw: refers to Data Link Switch frame, used to implement SNA transmission across WAN.

ipx: refers to Novell IPX frame, used to implement address padding, packet routing, and
forwarding.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
Before configuring this command, you must configure the firewall to work in transparent mode.

Examples
# Enable the firewall to transmit IPX frame in transparent mode.
<Eudemon> system-view
[Eudemon] firewall transparent-mode transmit ipx

Related Topics
1.3.9 firewall mode

1.3.14 firewall unknown-mac

Function
Using the firewall unknown-mac command, you can set the processing mode of IP packets
with unknown MAC address.

Using the undo firewall unknown-mac command, you can restore its default processing mode.

Format
firewall unknown-mac unicast { drop | arp | flood }

firewall unknown-mac { broadcast | multicast } { drop | flood }

undo firewall unknown-mac [ unicast | broadcast | multicast ]

Parameters
unicast: processes unicast IP packets.

multicast: processes multicast IP packets.

broadcast: processes broadcast IP packets.

drop: discards all IP packets with unknown MAC address.

arp: discards the original IP packet and broadcasts ARP request packets to other interfaces (not
including the interface receiving the packet), so as to obtain the MAC address corresponding to the
destination address in the original packet.

flood: sends all received packets to other interfaces (not including the interface receiving
the packets) that must belong to a certain security area. After receiving the response packet, the
firewall saves the MAC address information and then forwards subsequent packets using this
address.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the system discards IP packets with unknown MAC address.
In some cases, the firewall might receive IP packets with unknown destination MAC address
(such as configured static ARP mapping items). In this case, the firewall does not know the peer
MAC address when it forwards packets. Therefore, you need to specify one processing mode
(drop packets, broadcast ARP request, or flood packets).

Examples
# Flood the unicast IP packets with unknown MAC addresses in transparent mode.
<Eudemon> system-view
[Eudemon] firewall unknown-mac unicast flood

1.3.15 port trunk pvid

Function
Using the port trunk pvid command, you can set the default VLAN ID of the Trunk port.
Using the undo port trunk pvid command, you can cancel the default VLAN ID of the Trunk
port.

Format
port trunk pvid vlan vlan-id
undo port trunk pvid

Parameters
vlan-id: specifies the default VLAN ID of the interface. It ranges from 1 to 4094.

Views
Ethernet interface view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Set the default VLAN ID of Ethernet 0/0/0 to 1000.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] port trunk pvid vlan 1000

1.3.16 port trunk vlan allow-pass all

Function
Using the port trunk vlan allow-pass all command, you can allow all VLANs on an interface.
Using the undo port trunk vlan allow-pass all command, you can delete all VLANs from an
interface.

Format
port trunk vlan allow-pass all
undo port trunk vlan allow-pass all

Parameters
None

Views
Ethernet interface view

Default Level
2: Configuration level

Usage Guidelines
When you allow all VLANs at a port, the port becomes a Trunk port. When you reset all
configured VLANs at a Trunk port, the port then becomes a non-trunk port.
By default, the port is non-trunk port.
An interface with the Trunk function enabled can forward packets of all VLAN IDs. If this
interface is configured with a subinterface for a VLAN ID, the subinterface takes
precedence in sending packets during broadcast.

NOTE
Only the FE Ethernet interface and GE interface can work in Trunk mode except for the virtual Ethernet
interface. Subinterfaces and interfaces that work in routing mode cannot work in Trunk mode.

Examples
# Set Trunk port at interface Ethernet 0/0/1 and allow all VLANs at this interface.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/1
[Eudemon-Ethernet0/0/1] port trunk vlan allow-pass all

# Delete all VLANs from the interface Ethernet 0/0/1.
[Eudemon-Ethernet0/0/1] undo port trunk vlan allow-pass all

1.3.17 reset firewall transparent-mode address-table

Function
Using the reset firewall transparent-mode address-table command, you can clear all entries,
or the entries of a specified interface, in the address forwarding table.

Format
reset firewall transparent-mode address-table [ interface interface-type interface-number ]

Parameters
interface interface-type interface-number: specifies the type and number of an interface.

Views
User view

Default Level
2: Configuration level

Usage Guidelines

Examples
# Clear all information in address forwarding table.
<Eudemon> reset firewall transparent-mode address-table

1.3.18 reset firewall transparent-mode traffic

Function
Using the reset firewall transparent-mode traffic command, you can clear traffic statistics on
all interfaces or the specified interface of the firewall.

Format
reset firewall transparent-mode traffic [ interface interface-type interface-number ]

Parameters
interface interface-type interface-number: specifies the type and number of an interface.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Clear all traffic statistics on the interface Ethernet 0/0/1 of the firewall.
<Eudemon> reset firewall transparent-mode traffic interface Ethernet 0/0/1

1.4 File Management Configuration Commands

1.4.1 ascii
1.4.2 binary
1.4.3 bye
1.4.4 cd (User View)
1.4.5 cd (FTP Client View)
1.4.6 cdup
1.4.7 close
1.4.8 compare configuration
1.4.9 copy
1.4.10 debugging (FTP Client View)
1.4.11 delete (User View)
1.4.12 delete (FTP Client View)
1.4.13 dir (User View)
1.4.14 dir (FTP Client View)
1.4.15 disconnect
1.4.16 display current-configuration
1.4.17 display ftp-server
1.4.18 display ftp-users
1.4.19 display saved-configuration
1.4.20 display startup
1.4.21 display this
1.4.22 execute
1.4.23 file prompt
1.4.24 format
1.4.25 ftp
1.4.26 ftp server enable
1.4.27 ftp timeout
1.4.28 get
1.4.29 lcd
1.4.30 ls
1.4.31 mkdir (User View)
1.4.32 mkdir (FTP Client View)
1.4.33 more
1.4.34 move
1.4.35 open
1.4.36 passive
1.4.37 put
1.4.38 pwd (User View)
1.4.39 pwd (FTP Client View)
1.4.40 quit (FTP Client View)
1.4.41 remotehelp
1.4.42 rename
1.4.43 reset recycle-bin
1.4.44 reset saved-configuration
1.4.45 rmdir (User View)
1.4.46 rmdir (FTP Client View)
1.4.47 save
1.4.48 startup system-software
1.4.49 startup saved-configuration
1.4.50 tftp
1.4.51 tftp-server acl
1.4.52 undelete
1.4.53 user
1.4.54 verbose
1.4.55 xmodem get

1.4.1 ascii

Function
Using the ascii command, you can set the transmission data type to ASCII.
By default, the data type is ASCII.

Format
ascii

Parameters
None

Views
FTP client view

Default Level
2: Configuration level

Usage Guidelines
ASCII and binary are supported by the Eudemon for data transmission.

Examples
# Set the transmission data type to ASCII.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] ascii
200 Type set to A.

Related Topics
1.4.25 ftp
1.4.2 binary

1.4.2 binary

Function
Using the binary command, you can set file transmission type to binary.

Format
binary

Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
The type of data for transmission supported by the Eudemon includes ASCII and binary.

By default, the data type is ASCII.

Examples
# Set the file transmission type to binary.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] binary
200 Type set to I.

Related Topics
1.4.25 ftp
1.4.1 ascii

1.4.3 bye

Function
Using the bye command, you can disconnect from the remote FTP server and return to the user
view.

Format
bye

Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
After running this command, the user returns to the user view on the client.

Examples
# Disconnect from the remote FTP server and return to the user view.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] bye
221 Windows FTP Server (WFTPD, by Texas Imperial Software) says goodbye
<Eudemon>

Related Topics
1.4.25 ftp
1.4.7 close

1.4.4 cd (User View)

Function
Using the cd command, you can switch the current working directory to a specified directory.

Format
cd { .. | directory | flash: }

Parameters
directory: specifies the name of destination directory. It is a string of 1 to 64 characters.

..: returns to the upper-level directory.

flash:: specifies the root directory of FLASH.

Views
User view

Default Level
3: Management level

Usage Guidelines
By default, the default working directory is used.

Note that users can access the subdirectories of any directory that they are allowed to access.

Examples
# Modify the current working directory to test.
<Eudemon> cd test
<Eudemon> pwd
flash:/test

Related Topics
1.4.38 pwd (User View)

1.4.5 cd (FTP Client View)

Function
Using the cd command, you can change the working directory on the remote FTP server.

Format
cd pathname

Parameters
pathname: specifies the directory. It is a string of 1 to 64 characters.

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
This command can be used to access the directory in another path on the FTP server.

Examples
# Change the working directory to d:/temp.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] pwd
257 "D:\abc" is current directory
[ftp] cd d:/temp
250 "D:\temp" is current directory

Related Topics
1.4.25 ftp
1.4.39 pwd (FTP Client View)

1.4.6 cdup

Function
Using the cdup command, you can change the working directory to the upper-level directory.

Format
cdup

Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
This command is used to exit from current directory to an upper-level directory.

Examples
# Change the working directory to an upper-level directory.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] cdup
501 Change to no authenticated directory.

Related Topics
1.4.39 pwd (FTP Client View)

1.4.7 close

Function
Using the close command, you can disconnect from the remote FTP server but remain in the FTP
client view.

Format
close

Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
This command terminates both control connection and data connection with the remote FTP
server.

Examples
# Disconnect from the remote FTP server and remain in the FTP client view.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] close
221 Windows FTP Server (WFTPD, by Texas Imperial Software) says goodbye
[ftp]

Related Topics
1.4.25 ftp
1.4.35 open

1.4.8 compare configuration

Function
Using the compare configuration command, you can compare the current configuration with the
configuration file saved on the storage device.

Format
compare configuration [ line-number1 line-number2 ]

Parameters
line-number1: specifies the start line number in the current configuration file for comparing.
The value ranges from 0 to 65535.
line-number2: specifies the start line number in the saved configuration file for comparing. The
value ranges from 0 to 65535.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
If no parameter is specified, the system compares the saved configuration file and the current
configuration file from the first line. If the two parameters are specified, the system skips any
differences before the specified lines and continues the comparison from those lines.
Finally, the system outputs the differences, locating them in the saved configuration file and in
the current configuration file respectively. By default, the output difference information is
restricted to 150 characters. If fewer than 150 characters remain, the differences up to the end
of the two files are displayed.

Examples
# Compare configuration files.
<Eudemon> compare configuration

Related Topics
1.4.47 save

1.4.9 copy

Function
Using the copy command, you can copy a file.

Format
copy { source-filename | flash: } { destination-filename | flash: }

Parameters
source-filename: specifies the source file name. It is a string of 1 to 64 characters.

destination-filename: specifies the destination file name. It is a string of 1 to 64 characters.

flash:: specifies the root directory of FLASH.

Views
User view

Default Level
3: Management level

Usage Guidelines
If the destination file name is the same as the name of an existing file, the execution fails. If the
destination file name is the same as that of an existing file, the user is prompted to confirm
whether the existing file should be overwritten.

Examples
# Copy the file named info.txt from the flash:/ to flash:/test.
<Eudemon> pwd
flash:
<Eudemon> dir
Directory of flash:/

0 -rw- 8950728 May 19 2008 19:51:07 Eudemon.bin
1 -rw- 4 May 30 2008 10:45:26 boottimes
2 -rw- 268 Jan 08 2008 21:52:46 flashinfo.fls
3 -rw- 268 Jan 08 2008 21:53:02 info.txt
4 -rw- 24 May 29 2008 15:02:09 private-data.txt
5 -rw- 721 May 29 2008 15:02:32 vrpcfg.zip
6 -rw- 396 Apr 14 2008 17:34:59 hostkey
7 -rw- 540 Apr 14 2008 17:35:06 serverkey
8 drw- - May 22 2008 13:53:19 test
9 -rw- 2860 May 26 2008 17:06:09 on1010592.dat

60833 KB total (52076 KB free)
<Eudemon> copy info.txt test
Copy flash:/info.txt to flash:/test/info.txt?[Y/N]:y
100% complete
Info:Copied file flash:/info.txt to flash:/test/info.txt...Done

Related Topics
1.4.13 dir (User View)

1.4.10 debugging (FTP Client View)

Function
Using the debugging command, you can enable the debugging switch.

Using the undo debugging command, you can disable the debugging switch.

Format
debugging

undo debugging

Parameters
None

Views
FTP client view

Default Level
1: Monitoring level

Usage Guidelines
By default, the debugging switch is disabled.

Examples
# Enable debugging switch.
<Eudemon> ftp 10.10.10.1
[ftp] debugging

1.4.11 delete (User View)

Function
Using the delete command, you can delete the specified file from the firewall storage device.

Format
delete [ /unreserved ] { file-name | flash: }

Parameters
/unreserved: deletes the specified file unreservedly. A file deleted in this way can never be restored.

file-name: specifies the name of the file to be deleted. The file name is in the format of
[drive][path][file name]. The value is in the range of 1 to 64 characters. The "*" wildcard is supported.

flash:: deletes the files in the FLASH.

Views
User view

Default Level
3: Management level

Usage Guidelines
The default storage device is FLASH.

The deleted file is in the recycle bin. The dir command does not display the information of
deleted files. However, by using the dir /all command, the information of all files under the
directory, including deleted files, is displayed. The undelete command can be used to restore a
file that has been deleted to the recycle bin through the delete command. To delete such a file
from the recycle bin, you can use the reset recycle-bin command. Note that if two files with the
same filename in different directories are deleted to the recycle bin, only the file that is last
deleted is kept.

Examples
# Delete flash:/test/test.txt.
<Eudemon> delete flash:/test/test.txt
Delete flash:/test/test.txt?[Y/N]y
%Deleting file flash:/test/test.txt...Done!
<Eudemon>

Related Topics
1.4.13 dir (User View)
1.4.52 undelete
1.4.43 reset recycle-bin

1.4.12 delete (FTP Client View)

Function
Using the delete command, you can delete a specified file.

Format
delete remotefile

Parameters
remotefile: specifies the file name. It is a string of 1 to 64 characters.

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
The file that is deleted by running the command in the FTP client view cannot be restored.

Examples
# Delete temp.c.
<Eudemon> ftp 10.10.10.1
[ftp] delete temp.c

Related Topics
1.4.14 dir (FTP Client View)

1.4.13 dir (User View)

Function
Using the dir command, you can display the specified file or directory in the firewall storage
device.

Format
dir [ /all ] [ file-name | flash: ]

Parameters
/all: displays all files (including the deleted files).
file-name: specifies the name of the file or directory displayed. It is a string of 1 to 64 characters.
flash:: displays the files in the flash.

Views
User view

Default Level
3: Management level

Usage Guidelines
By default, files in the current directory are displayed.

This command supports "*" wildcard.

The dir /all command can be used to display the information about all the files, including the
deleted files. The names of the deleted files are denoted with "[]", for instance, [text]. The deleted
files can be restored through the 1.4.52 undelete command. The 1.4.43 reset recycle-bin
command can be used to delete the file from the recycle bin permanently.

Examples
# Display the information about the file flash:/test/test.txt.
<Eudemon> dir flash:/test/test.txt
Directory of flash:/test/

0 -rw- 268 Jun 11 2008 17:33:42 test.txt

60833 KB total (52073 KB free)

# Display the information about the directory flash:/test/.
<Eudemon> dir flash:/test/
Directory of flash:/test/

0 drw- - May 30 2008 17:41:47 a
1 -rw- 268 Jun 11 2008 17:33:42 test.txt

60833 KB total (52073 KB free)

<Eudemon> dir flash:/test/t*
Directory of flash:/test/

0 -rw- 268 Jun 11 2008 17:33:42 test.txt

60833 KB total (52073 KB free)

Related Topics
1.4.52 undelete
1.4.43 reset recycle-bin

1.4.14 dir (FTP Client View)

Function
Using the dir command, you can display all the files in the directory or the queried file.

Format
dir [ file-name ] [ local-filename ]

Parameters
file-name: specifies the queried file name. It is a string of 1 to 64 characters.

local-filename: specifies the saved local file name. It is a string of 1 to 64 characters.

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
Using the command, you can view the file contents and save the results to another file.

Examples
# Query the file temp.c and save the query result in the file flash:/test/temp1.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] dir temp.c flash:/test/temp1
200 PORT command okay
150 File Listing Follows in ASCII mode
226 Transfer finished successfully.
FTP: 61 byte(s) received in 1.767 second(s) 34.52byte(s)/sec.

1.4.15 disconnect

Function
Using the disconnect command, you can disconnect from the remote FTP server and remain in
the FTP client view.

Format
disconnect

Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
This command terminates both control connection and data connection with the remote FTP
server.

Examples
# Disconnect from the remote FTP server and remain in the FTP client view.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] disconnect
221 Windows FTP Server (WFTPD, by Texas Imperial Software) says goodbye
[ftp]

Related Topics
1.4.25 ftp
1.4.35 open

1.4.16 display current-configuration

Function
Using the display current-configuration command, you can display the currently effective
configurations on the firewall.

If some running configuration parameters are the same as the default parameters, they are not
displayed.

Format
display current-configuration [ configuration [ configuration-type ] | interface interface-type [ interface-number ] ] [ | { begin | exclude | include } regular-expression ]

Parameters
|: filters information using the regular expression.

begin: outputs the configuration from the line with the matching string.

exclude: outputs only the configuration that does not contain any matching string.

include: outputs only the configuration that contains matching strings.

regular-expression: specifies the string of regular expression.

configuration: displays the global configuration.

configuration-type: specifies the configuration type that depends on the existing configuration,
including AAA configuration, system configuration, user interface configuration and
configuration output.
interface: displays the configuration of specified interface.
interface-type: specifies the interface type.
interface-number: specifies the interface number.

Views
All views

Default Level
3: Management level

Usage Guidelines
After the configurations are complete, use the display current-configuration command to view
which parameters take effect. Configured parameters that have not taken effect are not
displayed.

Examples
# Display the currently effective configurations.
<Eudemon> display current-configuration

Related Topics
1.4.47 save
1.4.44 reset saved-configuration
1.4.19 display saved-configuration

1.4.17 display ftp-server

Function
Using the display ftp-server command, you can display the parameters of the current FTP
server.

Format
display ftp-server

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
After the FTP parameters are configured, this command can be used to display the configuration
results.

Examples
# Display the parameter setting of FTP server.
<Eudemon> display ftp-server
FTP server is running
Max user number 5
User count 2
Timeout value(in minute) 30

Table 1-13 Description of the display ftp-server command output

Item                       Description
Ftp server is running      FTP server is started.
Max user number            Maximum number of users that can access the FTP server at the same time.
User count                 Current number of login users.
Timeout value (in minute)  Timeout time for the login FTP user, in minutes.

Related Topics
1.4.26 ftp server enable

1.4.18 display ftp-users

Function
Using the display ftp-users command, you can display the parameters of the current FTP user.

Format
display ftp-users

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
Using this command, you can view information about an FTP user, including FTP user name,
IP address of the client, port number, idle time of the user, and authorization directory.

Examples
# Display parameters of the FTP user.
<Eudemon> display ftp-users
username host port idle topdir
111 1.1.1.1 3720 0 flash:

Table 1-14 Description of the display ftp-users command output

Item      Description
username  User name
host      IP address of the client host
port      Port number of the client host
idle      Idle time
topdir    Directory authorized to the user

Related Topics
1.4.27 ftp timeout
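
The following added example (not part of the Huawei manual) parses the display ftp-server and display ftp-users output formats shown in 1.4.17 and 1.4.18 and flags settings worth reviewing, since FTP carries credentials and files in cleartext. The finding codes, the allowed_hosts list of management hosts, and the treatment of a missing "FTP server is running" line as "not running" are assumptions of this example.

```python
import re

# Constructed sample input, in the output format shown in the examples for
# display ftp-server (1.4.17) and display ftp-users (1.4.18).
FTP_SERVER_OUTPUT = """\
FTP server is running
Max user number 5
User count 2
Timeout value(in minute) 30
"""

FTP_USERS_OUTPUT = """\
username host port idle topdir
111 1.1.1.1 3720 0 flash:
"""

DEFAULT_TIMEOUT_MINUTES = 30  # default stated under 1.4.27 ftp timeout

SERVER_FIELDS = {
    "max_users": re.compile(r"Max user number\s+(\d+)", re.IGNORECASE),
    "user_count": re.compile(r"User count\s+(\d+)", re.IGNORECASE),
    "timeout_minutes": re.compile(
        r"Timeout value\s*\(in minute\)\s+(\d+)", re.IGNORECASE),
}


def parse_ftp_server(text):
    """Turn display ftp-server output into a dict of typed values."""
    state = {"running": False, "max_users": None,
             "user_count": None, "timeout_minutes": None}
    for raw in text.splitlines():
        line = raw.strip()
        # Assumption: the "is running" line is absent when the server is off.
        if line.lower().startswith("ftp server is running"):
            state["running"] = True
            continue
        for key, pattern in SERVER_FIELDS.items():
            match = pattern.match(line)
            if match:
                state[key] = int(match.group(1))
    return state


def parse_ftp_users(text):
    """Turn display ftp-users rows into dicts, skipping the header line."""
    users = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("username"):
            continue
        # Split from the right so the last four columns are always aligned.
        parts = line.rsplit(None, 4)
        if len(parts) != 5 or not (parts[2].isdigit() and parts[3].isdigit()):
            continue  # not a user row
        username, host, port, idle, topdir = parts
        users.append({"username": username, "host": host, "port": int(port),
                      "idle": int(idle), "topdir": topdir})
    return users


def audit(server, users, allowed_hosts):
    """Return (code, message) findings for a reviewer to follow up."""
    findings = []
    if server["running"]:
        findings.append(("FTP_ENABLED",
                         "FTP server is enabled (disabled by default); "
                         "logins and files cross the network in cleartext"))
    timeout = server["timeout_minutes"]
    if timeout is not None and timeout > DEFAULT_TIMEOUT_MINUTES:
        findings.append(("LONG_TIMEOUT",
                         f"idle timeout {timeout} min exceeds the default "
                         f"{DEFAULT_TIMEOUT_MINUTES} min"))
    for user in users:
        # The flash: root holds hostkey, serverkey and vrpcfg.zip in the
        # dir listing shown under 1.4.9 copy.
        if user["topdir"].rstrip("/").lower() == "flash:":
            findings.append(("ROOT_TOPDIR",
                             f"user {user['username']} is authorized to the "
                             "flash: root, where keys and configuration live"))
        if user["host"] not in allowed_hosts:
            findings.append(("UNEXPECTED_HOST",
                             f"user {user['username']} is connected from "
                             f"{user['host']}, not a listed management host"))
    return findings


if __name__ == "__main__":
    server_state = parse_ftp_server(FTP_SERVER_OUTPUT)
    sessions = parse_ftp_users(FTP_USERS_OUTPUT)
    # 10.0.0.5 is a constructed management-host address.
    for code, message in audit(server_state, sessions, {"10.0.0.5"}):
        print(f"{code}: {message}")
```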

1.4.19 display saved-configuration

Function
Using the display saved-configuration command, you can view the configuration files used
when the firewall is powered on and started up next time. Specify the configuration files using
the 1.4.49 startup saved-configuration command.

Format
display saved-configuration

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If the firewall does not work normally after it is powered on, you can use the display
saved-configuration command to check the configuration files used during firewall startup.

Examples
# Display the configuration files used when the firewall is powered on and starts up next time.
<Eudemon> display saved-configuration

Related Topics
1.4.44 reset saved-configuration
1.4.49 startup saved-configuration

1.4.20 display startup

Function
Using the display startup command, you can display the related system software and
configuration file names used for the current and the next startup.

Format
display startup

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The output of the display startup command is as follows:
- The file name of the system software configured by the user to be used in the current startup.
- The file name of the system software actually used in the current startup.
- The file name of the system software configured for the next startup.
- The configuration file name used for the current startup.
- The configuration file name configured for the next startup.

If the user does not configure any system software to be used in the startup, the startup program
automatically searches the flash for files with the .bin extension. The first file found is used
to start up the system.

Examples
# Display the file names related to the current and the next startup.
<Eudemon> display startup
Configed startup system software: flash:/Eudemon.bin
Startup system software: flash:/Eudemon.bin
Next startup system software: flash:/Eudemon.bin
Startup saved-configuration file: flash:/vrpcfg.zip
Next startup saved-configuration file: flash:/vrpcfg.zip

Table 1-15 Description of the display startup command output

Item                                   Description
Configed startup system software       Specified system software
Startup system software                System software used in last startup
Next startup system software           System software used in next startup
Startup saved-configuration file       Configuration files used in last startup
Next startup saved-configuration file  Configuration files used in next startup

Related Topics
1.4.49 startup saved-configuration
1.4.48 startup system-software

1.4.21 display this

Function
Using the display this command, you can display the running configuration of the current view.

Format
display this

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If you need to verify that the configuration is correct after finishing a set of configurations
in a view, you can use the display this command to view the running parameters.

Effective parameters that are the same as the defaults are not displayed. Parameters that the
user has configured are not displayed either if their related functions are not in effect.

Associated configuration of the interface is displayed when executing the command in interface
views; related configuration of the protocol view is displayed when executing this command in
protocol views; and all the configuration of the protocol view is not displayed when executing
this command in protocol sub-views.

Examples
# Display the running configuration parameters for the current view of the firewall system.
<Eudemon> display this

Related Topics
1.4.47 save
1.4.44 reset saved-configuration
1.4.19 display saved-configuration
1.4.16 display current-configuration

1.4.22 execute

Function
Using the execute command, you can execute the specified batch file.

Format
execute file-name

Parameters
file-name: specifies the name of the batch file, suffixed with "bat". It is a string of 1 to 256
characters.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
The commands in the batch file are executed one by one. The batch file must not contain invisible
characters. If any such character is found, the execute command exits from the current
process and no rollback is performed.
The execute command does not ensure that all the commands in the batch file can be executed. It
cannot do a hot backup for itself. No restriction is placed on the format and content of the batch
file.
Executing the batch file is an automatic procedure that is equivalent to entering each command
manually.

Examples
# Execute the batch file test.bat in the directory flash:/.
<Eudemon> system-view
[Eudemon] execute test.bat
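
Because execute stops at an invisible character without rolling back, a batch file is worth checking before it is copied to the firewall. The following added example (not part of the Huawei manual) lints a batch file off-box; it assumes that "invisible characters" means anything other than printable ASCII and line terminators, and the function names and the sample file content are hypothetical.

```python
import unicodedata

MAX_NAME_LEN = 256  # file-name length limit stated for execute

# Constructed sample: three system-view commands taken from this section,
# with a no-break space (bytes C2 A0) hidden between "undo" and "ftp".
SAMPLE_BATCH = (b"ftp timeout 36\r\n"
                b"file prompt alert\r\n"
                b"undo\xc2\xa0ftp server\r\n")


def lint_batch(file_name, data):
    """Return (line, column, problem) tuples; line 0 marks file-level problems."""
    findings = []
    if not 1 <= len(file_name) <= MAX_NAME_LEN:
        findings.append((0, 0, "file name must be 1 to 256 characters"))
    if not file_name.lower().endswith(".bat"):
        findings.append((0, 0, 'file name is not suffixed with "bat"'))
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        findings.append((0, 0, f"not valid UTF-8 at byte offset {exc.start}"))
        text = data.decode("latin-1")  # still locate the offending bytes
    for line_no, line in enumerate(text.split("\n"), start=1):
        if line.endswith("\r"):
            line = line[:-1]  # a CR that is part of a CRLF terminator is fine
        for col, ch in enumerate(line, start=1):
            # Assumption: only printable ASCII (space through tilde) is safe.
            if not " " <= ch <= "~":
                name = unicodedata.name(ch, "control character")
                findings.append((line_no, col, f"U+{ord(ch):04X} {name}"))
    return findings


def commands_before_first_finding(data, findings):
    """Count non-empty lines that precede the first located finding.

    With no rollback, these are the lines that could already have been
    applied by the time execute stops. Returns None when nothing is located.
    """
    located = [line for line, _, _ in findings if line > 0]
    if not located:
        return None
    # latin-1 never fails and leaves newline bytes where they are.
    lines = data.decode("latin-1").split("\n")[: min(located) - 1]
    return sum(1 for line in lines if line.strip())


if __name__ == "__main__":
    results = lint_batch("test.bat", SAMPLE_BATCH)
    for line_no, col, problem in results:
        print(f"test.bat:{line_no}:{col}: {problem}")
    applied = commands_before_first_finding(SAMPLE_BATCH, results)
    if applied is not None:
        print(f"{applied} command line(s) precede the first problem")
```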

1.4.23 file prompt

Function
Using the file prompt command, you can modify the alerting pattern of file operation of the
firewall.

Format
file prompt { alert | quiet }

Parameters
alert: enables interactive confirmation when an operation, such as deleting a file, can cause
data loss.
quiet: gives no alert when an operation, such as deleting a file, can cause data loss.

Views
System view

Default Level
3: Management level

Usage Guidelines
By default, the alerting pattern is alert.

When the alerting pattern is set to quiet, no alert is given when an operation, such as deleting
a file, can cause data loss.

Examples
# Set the alerting pattern of the file operation to quiet.
<Eudemon> system-view
[Eudemon] file prompt quiet

# Set the alerting pattern of the file operation to alert.
[Eudemon] file prompt alert

1.4.24 format

Function
Using the format command, you can format the storage device.

Format
format device-name

Parameters
device-name: specifies the device name such as flash.

Views
User view

Default Level
3: Management level

Usage Guidelines
Formatting results in the loss of all files. The lost files cannot be restored.

Examples
# Format FLASH.
<Eudemon> format flash:
All data(include configuration and system startup file) on flash: will be lost ,
proceed with format ? [Y/N]:y

1.4.25 ftp

Function
Using the ftp command, you can set up a control connection with the remote FTP server and
enter the FTP client view.

Format
ftp [ host [ port ] ]

Parameters
host: specifies the IP address or the name of the remote FTP server. It is a string of 1 to 20
characters.

port: specifies the port number of the remote FTP server. The value ranges from 1 to 65535.

Views
User view

Default Level
3: Management level

Usage Guidelines
If no parameter is set in this command, only the FTP view is displayed, and no connection with
the FTP server is set up.

Examples
# Connect to the remote FTP server at the IP address 1.1.1.1.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully

Related Topics
1.4.3 bye
1.4.15 disconnect

1.4.26 ftp server enable

Function
Using the ftp server enable command, you can enable the FTP server and allow the login of
FTP users.

Using the undo ftp server command, you can disable the FTP server and deny the login of FTP
users.

Format
ftp server enable

undo ftp server

Parameters
None

Views
System view

Default Level
3: Management level

Usage Guidelines
By default, the FTP server is disabled.

After the FTP server is disabled, users who are logged in to this FTP server can no longer
perform any operation other than logging out.

Examples
# Disable the FTP server.
<Eudemon> system-view
[Eudemon] undo ftp server

Related Topics
1.4.17 display ftp-server

1.4.27 ftp timeout

Function
Using the ftp timeout command, you can set the timeout period of the FTP connection.

Using the undo ftp timeout command, you can restore the default timeout period.

Format
ftp timeout minutes

undo ftp timeout

Parameters
minutes: specifies the timeout period, in minutes. The value ranges from 1 to 35791.

Views
System view

Default Level
3: Management level

Usage Guidelines
By default, the timeout period of the FTP connection is 30 minutes.

After logging in to the FTP server, the user sets up a connection with the FTP server. If an
abnormal disconnection occurs or the user abnormally cuts the connection, the FTP server is not
notified and thus the connection is still kept. To avoid such a case, the timeout period is set. If
no command interaction is conducted during this period, the FTP server considers the connection
invalid and cuts the connection.

Examples
# Set the timeout period of the FTP connection to 36 minutes.
<Eudemon> system-view
[Eudemon] ftp timeout 36

Related Topics
1.4.17 display ftp-server

1.4.28 get

Function
Using the get command, you can download remote files and save them to the local device.

Format
get remote-file [ local-file ]

Parameters
remote-file: specifies the file name on the remote FTP server. It is a string of 1 to 64 characters.

local-file: specifies the local file name. It is a string of 1 to 64 characters.

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
If the local file name is not specified, the downloaded file is saved under the same name as
the file on the remote FTP server.

Examples
# Download temp1.c and save it with the name as temp.c.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] get temp1.c temp.c

1.4.29 lcd

Function
Using the lcd command, you can get the local working directory of an FTP client.

Format
lcd

Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
Different from the 1.4.39 pwd (FTP Client View) command that displays the remote working
directory of FTP server, after the lcd command is run, the local working directory of FTP client
is displayed.

Examples
# Display the local working path.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] lcd
% Local directory now flash:.

Related Topics
1.4.39 pwd (FTP Client View)

1.4.30 ls

Function
Using the ls command, you can query a specified file and save the results to a specified file.

Format
ls [ remote-file ] [ local-file ]

Parameters
remote-file: specifies the queried remote file. The name is a string of 1 to 64 characters.
local-file: specifies the name of the local file that stores the results. The name is a string of 1 to
64 characters.

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
By default, all the files are displayed if you do not specify any parameters.

Examples
# Query temp.c.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] ls temp.c

1.4.31 mkdir (User View)

Function
Using the mkdir command, you can create a directory in the specified directory in the specified
storage device.

Format
mkdir directory

Parameters
directory: specifies a directory name. It is a string of 1 to 64 characters long. The name of the
directory should not include the following characters: ~, /, \, : , *
flash:: specifies the root directory of FLASH.

Views
User view

Default Level
3: Management level

Usage Guidelines
Note that the name of the created directory cannot be the same as that of another directory or
file in the specified directory.
The mkdir command supports directories of up to four levels, and the maximum length of the
directory name at each level is 15 characters.

Examples
# Create a directory dd.
<Eudemon> mkdir dd
Created dir dd.

Related Topics
1.4.13 dir (User View)

1.4.32 mkdir (FTP Client View)

Function
Using the mkdir command, you can create a directory at the remote FTP server.

Format
mkdir remote-directory

Parameters
remote-directory: specifies the directory name. It is a string of to 64 characters.

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
After the command is run, the directory that is created exists on the FTP server.

Examples
# Create a directory test at the remote FTP server.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] mkdir test

Related Topics
1.4.46 rmdir (FTP Client View)

1.4.33 more

Function
Using the more command, you can display a specified file.

Format
more file-name

Parameters
file-name: specifies the file name. It is a string of 1 to 64 characters.

Views
User view

Default Level
3: Management level

Usage Guidelines
The file system displays the file in the .txt format.

Examples
# Display the content of the file test.txt.
<Eudemon> more test.txt
AppWizard has created this test application for you.
This file contains a summary of what you will find in each of the files that make
up your test application.
Test.dsp
This file (the project file) contains information at the project level and is used
to build a single project or subproject. Other users can share the project (.dsp)
file, but they should export the makefiles locally.

1.4.34 move

Function
Using the move command, you can move a file. But files cannot be moved between different
devices.

Format
move source-file-name dest-file-name

Parameters
source-file-name: specifies the source file name. It is a string of 1 to 64 characters.
dest-file-name: specifies the destination file name. It is a string of 1 to 64 characters.

Views
User view

Default Level
3: Management level

Usage Guidelines
If the name of the destination file is the same as the name of an existing directory, the execution
fails. If the name of the destination file is the same as that of an existing file, the system prompts
you whether to overwrite the existing file.

Examples
# Move the sample.txt file from flash:/test/sample.txt to flash:/sample.txt.
<Eudemon> dir
Directory of flash:/
-rwxrwxrwx1 noone nogroup 121692 Apr 18 2003 11:17:26 matnLog.dat
-rwxrwxrwx1 noone nogroup 956 Mar 19 2003 09:12:55 exception.dat
-rwxrwxrwx1 noone nogroup 2165 Apr 04 2003 20:48:23 vrpcfg.cfg
-rwxrwxrwx1 noone nogroup 6434223 Mar 29 2003 16:28:20 vrp3.cc
drwxrwxrwx1 noone nogroup - Apr 18 2003 15:29:49 test
6477 KBytes total (48 KBytes free)

<Eudemon> dir flash:/test/
Directory of flash:/test/
-rwxrwxrwx 1 noone nogroup 2227 Apr 18 2003 15:38:30 test.txt
-rwxrwxrwx 1 noone nogroup 2165 Apr 18 2003 15:36:52 sample.txt
6477 KBytes total (46 KBytes free)
<Eudemon> move flash:/test/sample.txt flash:/sample.txt
Move flash:/test/sample.txt to flash:/sample.txt ?[Y/N] :y
% Moved file flash:/test/sample.txt to flash:/sample.txt

<Eudemon> dir
Directory of flash:/
-rwxrwxrwx1 noone nogroup 121692 Apr 18 2003 11:17:26 matnLog.dat
-rwxrwxrwx1 noone nogroup 956 Mar 19 2003 09:12:55 exception.dat
-rwxrwxrwx1 noone nogroup 2165 Apr 04 2003 20:48:23 vrpcfg.cfg
-rwxrwxrwx1 noone nogroup 6434223 Mar 29 2003 16:28:20 vrp3.cc
drwxrwxrwx1 noone nogroup - Apr 18 2003 15:29:49 test
-rwxrwxrwx1 noone nogroup 444 Apr 18 2003 15:40:00 sample.txt
6477 KBytes total (47 KBytes free)

<Eudemon> dir flash:/test/
Directory of flash:/test/
-rwxrwxrwx 1 noone nogroup 2227 Apr 18 2003 15:38:30 test.txt
6477 KBytes total (47 KBytes free)

Related Topics
1.4.13 dir (User View)

1.4.35 open

Function
Using the open command, you can set up a control connection with the remote FTP server.

Format
open host [ port ]

Parameters
host: specifies the IP address or host name of the remote FTP server. It is a string with 1 to 20
characters.
port: specifies the port number of the remote FTP server. The value ranges from 0 to 65535.

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
Using the ftp command in the user view, you can establish a connection with the FTP server
and enter the FTP client view. If the FTP connection is dropped unexpectedly, you can run the
open command to set up an FTP connection again.

Examples
# Set up a connection with FTP server 1.1.1.1.
<Eudemon> ftp
[ftp] open 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully

Related Topics
1.4.25 ftp
1.4.15 disconnect

1.4.36 passive

Function
Using the passive command, you can set data transmission mode to passive.
Using the undo passive command, you can set data transmission mode to active.

Format
passive
undo passive

Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
By default, the transmission mode is passive.

Examples
# Set data transmission mode to passive.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] passive

1.4.37 put

Function
Using the put command, you can upload a local file to the remote FTP server.

Format
put local-file [ remote-file ]

Parameters
local-file: specifies the local file name. It is a string of 1 to 64 characters.
remote-file: specifies the file name on the remote FTP server. It is a string of 1 to 64 characters.

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
If no file name on the remote server is specified, the uploaded file uses the same name as the
local file.

Examples
# Upload the local file temp.c to the remote FTP server and save it as temp1.c.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] put temp.c temp1.c

Related Topics
1.4.28 get

1.4.38 pwd (User View)

Function
Using the pwd command, you can display the current working directory.

Format
pwd

Parameters
None

Views
User view

Default Level
3: Management level

Usage Guidelines
In both the root directory and subdirectories, you can run the pwd command to view the current
directory. You can then run the cd command to change the current directory according to the
displayed output.

Examples
# Display the current directory.
<Eudemon> pwd
flash:/test

Related Topics
1.4.13 dir (User View)
1.4.4 cd (User View)

1.4.39 pwd (FTP Client View)

Function
Using the pwd command, you can display the working directory on the remote FTP server.

Format
pwd

Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
After the user logs in to the FTP server by FTP client remotely, the user can run this command
to view the current working directory of the FTP server.

Examples
# Display the working directory on the remote FTP server.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] pwd
"d:/temp" is current directory.

Related Topics
1.4.25 ftp

1.4.40 quit (FTP Client View)

Function
Using the quit command, you can disconnect from the remote FTP server and return to the user
view.

Format
quit

Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
After running this command, you return to the user view on the FTP client.

Examples
# Disconnect from the remote FTP server and return to the user view.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] quit
<Eudemon>

1.4.41 remotehelp

Function
Using the remotehelp command, you can display the help of FTP commands.

Format
remotehelp [ protocol-command ]

Parameters
protocol-command: specifies the FTP command. It is a string of 1 to 16 characters.

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
FTP commands are user, pass, acct, cwd, cdup, smnt, quit, rein, port, pasv, type, stru,
mode, retr, stor, stou, appe, allo, rest, rnfr, rnto, abor, dele, rmd, help, noop, xcup, xcwd,
xmkd, xpwd, and xrmd.

Examples
# Display the syntax of the user command.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] remotehelp user
214 Syntax: USER <sp> <username>

1.4.42 rename

Function
Using the rename command, you can rename a file.

Format
rename source-file-name dest-file-name

Parameters
source-file-name: specifies the source file name. It is a string of 1 to 64 characters.

dest-file-name: specifies the destination file name. It is a string of 1 to 64 characters.

Views
User view

Default Level
3: Management level

Usage Guidelines
If the name of the destination file is the same as that of an existing directory or an existing file,
the system displays an error message.

Examples
# Rename the file sample.txt as sample.bak.

<Eudemon> rename sample.txt sample.bak
Rename flash:/sample.txt to flash:/sample.bak?[Y/N]:y
Info:Rename file flash:/sample.txt to flash:/sample.bak ......Done.

1.4.43 reset recycle-bin

Function
Using the reset recycle-bin command, you can delete a file from the recycle bin permanently.

Format
reset recycle-bin [ file-name | flash: ]

Parameters
file-name: specifies the name of the file to be deleted. It is a string of 1 to 64 characters. "*"
wildcard is supported.
flash:: specifies the recycle bin in FLASH.

Views
User view

Default Level
3: Management level

Usage Guidelines
Using the delete (User View) command in the user view, you can only move a file to the recycle
bin. To delete this file permanently, use the reset recycle-bin command.

Examples
# Delete the file info.txt in the recycle bin.
<Eudemon> reset recycle-bin info.txt
Squeeze flash:/info1.txt ?[Y/N]:y
Clear file from flash will take a long time if needed.......Done!.
%Cleared file flash:/info.txt.

Related Topics
1.4.11 delete (User View)

1.4.44 reset saved-configuration

Function
Using the reset saved-configuration command, you can delete the configuration files saved in
the storage devices.

Format
reset saved-configuration

Parameters
None

Views
User view

Default Level
2: Configuration level

Usage Guidelines
This command should be executed with caution. Use it under the guidance of technical personnel.

It is generally used in the following cases:

• After the firewall software is updated, the configuration file in the storage device may not
  match the new version software.
• If a used firewall is deployed in a new application environment, the original configuration
  file is unable to meet the requirements of the new environment. You need to reconfigure
  it.

Using the reset command does not damage the original configuration file when writing the
configuration file.

Examples
# Delete the configuration files saved in the storage device.
<Eudemon> reset saved-configuration
The action will delete the saved configuration in the flash.
The configuration will be erased to reconfigure.
Are you sure?[Y/N]y

Related Topics
1.4.47 save
1.4.16 display current-configuration
1.4.19 display saved-configuration

1.4.45 rmdir (User View)

Function
Using the rmdir command, you can delete a directory.

Format
rmdir directory

Parameters
directory: specifies the name of the directory. It is a string of 1 to 64 characters.

Views
User view

Default Level
3: Management level

Usage Guidelines
The directory to be deleted must be an empty one.

Examples
# Delete the directory test.
<Eudemon> rmdir test
Remove directory flash:/test?[Y/N]:y
%Removing directory flash:/test.......Done!

Related Topics
1.4.31 mkdir (User View)

1.4.46 rmdir (FTP Client View)

Function
Using the rmdir command, you can delete the specified directory on the server.

Format
rmdir remote-directory

Parameters
remote-directory: specifies the directory name on the remote FTP server. It is a string ranging
from 1 to 64 characters.

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
None

Examples
# Delete the d:/temp1 directory on the FTP server.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] rmdir d:/temp1

Related Topics
1.4.32 mkdir (FTP Client View)

1.4.47 save

Function
Using the save command, you can save the current configuration to the storage device.
Using the save configuration-file command, you can save the current configuration to the
specified directory of the storage device. Generally, the command does not affect the starting of
the current configuration file. When configuration-file is the same as the default save path and
configuration file name, this command can be used as the save command.

Format
save [ configuration-file ]

Parameters
configuration-file: specifies the name of the configuration file. It is a string of 5 to 64 characters.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
When a set of configurations is complete and the expected functions have been achieved, the
current configuration file should be saved in the storage device.
The configuration file must take .cfg or .zip as its extension name, and the system configuration
file must be saved under the root directory of the storage device. The default directory is the root
directory of Flash. When saving the configuration file for the first time, if you do not specify
the optional parameter configuration-file, the system asks you whether to save the file as
"vrpcfg.cfg".

Examples
# Save the current configuration to the default storage device.
<Eudemon> save

Related Topics
1.4.44 reset saved-configuration
1.4.19 display saved-configuration
1.4.16 display current-configuration
1.4.49 startup saved-configuration

1.4.48 startup system-software

Function
Using the startup system-software command, you can configure the file name of the system
software used in the next startup.

Format
startup system-software system-file

Parameters
system-file: specifies the file name of the system software. It is a string of 4 to 64 characters.

Views
User view

Default Level
3: Management level

Usage Guidelines
The system software must use .bin as its extension name and must be saved in the root directory
of the storage device. By default, the system software is saved in the root directory of the flash.

Examples
# Configure the system software used in the next startup.
<Eudemon> startup system-software system.bin

Related Topics
1.4.20 display startup

1.4.49 startup saved-configuration

Function
Using the startup saved-configuration command, you can configure the configuration file used
in the next startup.

Format
startup saved-configuration configuration-file

Parameters
configuration-file: specifies the name of the configuration file. It is a string of 4 to 64 characters.

Views
User view

Default Level
3: Management level

Usage Guidelines
The configuration file must use .cfg or .zip as its extension name and must be saved in the root
directory of the storage device. By default, the configuration file is saved in the root directory
of the flash.

Examples
# Configure the configuration file used in the next startup.
<Eudemon> startup saved-configuration vrpcfg.zip

Related Topics
1.4.20 display startup

1.4.50 tftp

Function
Using the tftp command, you can upload a file to the TFTP server or download a file from the
TFTP server to the local device.

Format
tftp tftp-server { get | put } source-file-name [ dest-file-name ]

Parameters
tftp-server: specifies the IP address or the host name of TFTP server.

get: downloads files.

put: uploads files.

source-file-name: specifies the source file name. It is a string of 1 to 56 characters.

dest-file-name: specifies the destination file name. It is a string of 1 to 56 characters.

Views
User view

Default Level
3: Management level

Usage Guidelines
When the name of the local file is not specified, the file is saved with the original name.

Examples
# Download the vrpcfg.txt file at the root directory of the TFTP server to the local hard disk. IP
address of the TFTP server is 1.1.254.2. Save the downloaded file with the name as vrpcfg.bak.
<Eudemon> tftp 1.1.254.2 get vrpcfg.txt hda1:/vrpcfg.bak

# Upload the vrpcfg.txt file at the root directory of the flash to the default directory of the TFTP
server. IP address of the TFTP server is 1.1.254.2. Save the uploaded file with the name as
vrpcfg.bak.
<Eudemon> tftp 1.1.254.2 put flash:/vrpcfg.txt vrpcfg.bak

Related Topics
1.4.51 tftp-server acl

1.4.51 tftp-server acl

Function
Using the tftp-server acl command, you can configure the ACL to control the access of clients
to the TFTP server.

Using the undo tftp-server acl command, you can cancel the ACL.

Format
tftp-server acl acl-number

undo tftp-server acl

Parameters
acl-number: specifies the basic ACL number. The value ranges from 2000 to 2999.

Views
System view

Default Level
3: Management level

Usage Guidelines
If a firewall serves as a TFTP client, you can configure the ACL on the firewall to control the
login of the local device to the TFTP server through TFTP.

Examples
# Set an ACL rule 2000 to allow specified users to access the TFTP server.
<Eudemon> system-view
[Eudemon] tftp-server acl 2001

Related Topics
1.4.50 tftp

1.4.52 undelete

Function
Using the undelete command, you can restore a deleted file.

Format
undelete file-name

Parameters
file-name: specifies the name of the file to be restored. It is a string of 1 to 64 characters.

Views
User view

Default Level
3: Management level

Usage Guidelines
If the name of the file to be restored is the same as the name of an existing directory, the
execution fails. If the name of this file is the same as that of an existing file, the system prompts
you whether to overwrite the existing file.

Examples
# Restore the deleted file sample.bak.
<Eudemon> undelete sample.bak
Undelete flash:/test/sample.bak?[Y/N]:y
% Undeleted file flash:/test/sample.bak

Related Topics
1.4.11 delete (User View)
1.4.43 reset recycle-bin

1.4.53 user

Function
Using the user command, you can log in to the FTP server again with another user name.

Format
user user-name [ password ]

Parameters
user-name: specifies the login user name. It is a string of 1 to 32 characters.
password: specifies the login password. It is a string of 1 to 16 characters.

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
By using this command, the firewall allows you to log in to an FTP server by using another user
name without exiting from the FTP client view. The FTP connection created by running
this command is the same as the one created by running the ftp command.

Examples
# Log in to the FTP server with the user name tom and the password bjhw.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] user tom bjhw

1.4.54 verbose

Function
Using the verbose command, you can enable the verbose function.
Using the undo verbose command, you can disable the verbose function.

Format
verbose
undo verbose

Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
By default, the verbose function is disabled.
When you use the verbose command, all FTP responses are displayed. After a file is transmitted,
the transmission rate statistics are displayed too.

Examples
# Enable the verbose function.

<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] verbose
Info:Verbose is on

Related Topics
1.4.28 get
1.4.37 put

1.4.55 xmodem get

Function
Using the xmodem get command, you can download files from the AUX port to the firewall
through the Xmodem protocol.

Format
xmodem get { file-name | flash: }

Parameters
file-name: specifies the name of the received file that is saved. It is a string. The absolute path
of the file ranges from 1 to 64 characters.
flash: specifies the storage device FLASH.

Views
User view

Default Level
3: Management level

Usage Guidelines
If file-name is specified, the system saves the file with the specified name to a specified path. If
no file-name is specified, the system saves the file with the original name to the specified device.

Examples
# Download files from the AUX port through the Xmodem protocol and save the received file
to flash with the name as test.txt.
<Eudemon> xmodem get flash:/test.txt

1.5 System Maintenance Configuration Commands

1.5.1 debugging (User View)
1.5.2 debugging firewall packet-capture
1.5.3 debugging firewall packet-capture error
1.5.4 debugging firewall packet-capture event
1.5.5 display channel
1.5.6 display cpu-usage-for-user
1.5.7 display debugging
1.5.8 display diagnostic-information
1.5.9 display device
1.5.10 display environment
1.5.11 display firewall logtime
1.5.12 display firewall packet-capture configuration
1.5.13 display firewall packet-capture queue
1.5.14 display firewall packet-capture statistic
1.5.15 display info-center
1.5.16 display logbuffer
1.5.17 display patch-information
1.5.18 display schedule reboot
1.5.19 display trapbuffer
1.5.20 firewall log-time
1.5.21 firewall packet-capture
1.5.22 firewall packet-capture send host
1.5.23 firewall packet-capture send queue
1.5.24 firewall packet-capture startup
1.5.25 firewall session log-type binary discard enable
1.5.26 firewall session log-type
1.5.27 info-center channel
1.5.28 info-center console channel
1.5.29 info-center enable
1.5.30 info-center logbuffer
1.5.31 info-center loghost
1.5.32 info-center loghost source
1.5.33 info-center monitor channel
1.5.34 info-center snmp channel
1.5.35 info-center source
1.5.36 info-center timestamp
1.5.37 info-center trapbuffer
1.5.38 patch
1.5.39 ping
1.5.40 reset firewall log-buf
1.5.41 reset firewall packet-capture
1.5.42 reset logbuffer
1.5.43 reset trapbuffer
1.5.44 service modem-callback
1.5.45 session log enable
1.5.46 schedule reboot
1.5.47 terminal debugging
1.5.48 terminal logging
1.5.49 terminal monitor
1.5.50 terminal trapping
1.5.51 tracert

1.5.1 debugging (User View)

Function
Using the debugging command, you can enable a debugging switch.

Using the undo debugging command, you can disable a debugging switch.

Format
debugging { all [ timeout time ] | module-name [ debug-option1 ] [ debug-option2 ] … }

undo debugging { all | module-name [ debug-option1 ] [ debug-option2 ] … }

Parameters
all: enables or disables all debugging switches.

timeout time: specifies how long debugging stays enabled. When this period expires, the
system automatically disables debugging. The value is in minutes and ranges from 1 to 1440.

module-name: specifies a module name.

debug-option: specifies a debugging option.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, all debugging switches are disabled.

The system provides various kinds of debugging, which are generally used by technical support
personnel and qualified maintenance personnel for network fault diagnosis.

After a debugging switch is enabled, the system generates a large amount of debugging
information, which lowers its efficiency. In particular, enabling all debugging switches through
the debugging all command may cause the network to crash. It is recommended that you do not
use the debugging all command. You can, however, conveniently disable all debugging switches
using the undo debugging all command.

Examples
# Enable IP Packet debugging switch.
<Eudemon> debugging ip packet
IP packet debugging switch is on.

1.5.2 debugging firewall packet-capture

Function
Using the debugging firewall packet-capture command, you can enable the packet capture
debugging or the debugging of sending captured packets.

Using the undo debugging firewall packet-capture command, you can disable the packet
capture debugging or the debugging of sending captured packets.

Format
debugging firewall packet-capture [ capture | send ]

undo debugging firewall packet-capture [ capture | send ]

Parameters
capture: indicates the remote packet capture debugging.

send: indicates the debugging of sending captured packets.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Enable the remote packet capture debugging.
<Eudemon> debugging firewall packet-capture capture
*0.66536883 Eudemon CAPT/8/DebugPacket: Saving one captured packet save-time =
2007/7/28 13:30:22, interface = Ethernet0/0/0, direction = ingress,
que-id = 0, serial-num = 3, captured-pktlen = 66, original-iplen = 66

Table 1-16 Description of the debugging firewall packet-capture capture command output

Item: Description

Debug information: *0.66536883 Eudemon CAPT/8/DebugPacket: Saving one captured packet save-time=2007/7/28 13:30:22, interface=Ethernet0/0/0, direction=ingress, que-id=0, serial-num=3, captured-pktlen=66, original-iplen=66

Meaning: Capture an inbound packet on Ethernet 0/0/0 and store it to queue 0. The packet is 66 bytes long and is numbered 3.

Cause: There are packets reaching the interface during packet capture.

# Enable the debugging of sending captured packets.
<Eudemon> debugging firewall packet-capture send
*0.66536883 Eudemon CAPT/8/DebugPacket: sending one captured packet, destination:
ip = 10.1.1.5, udp-port = 9005, save-time = 2007/7/28 13:30:22, interface =
Ethernet0/0/0, direction = ingress,
que-id = 0, serial-num = 3, captured-pktlen = 66, original-iplen = 66

Table 1-17 Description of the debugging firewall packet-capture send command output

Item: Description

Debug information: *0.66536883 Eudemon CAPT/8/DebugPacket: sending one captured packet, destination: ip = 10.1.1.5, udp-port = 9005, save-time = 2007/7/28 13:30:22, interface = Ethernet0/0/0, direction = ingress, que-id = 0, serial-num = 3, captured-pktlen = 66, original-iplen = 66

Meaning: Send one packet from queue 0 to port 9005 of the host at 10.1.1.5. The packet is from the inbound direction and captured on Ethernet 0/0/0. The 66-byte packet is numbered 3.

Cause: Send captured packets to the host.

Related Topics
1.5.21 firewall packet-capture
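
The debug messages above wrap across several terminal lines, so a log collector has to rejoin them before it can read the key = value fields. The following Python sketch is an added example, not part of the Huawei manual: it parses the CAPT/8 messages shown in 1.5.2 to 1.5.4 and reports capture errors, full queues, and captured packets sent to a host other than an approved collector. The function names, the allow-list, and the sample record with destination 192.0.2.77 are assumptions constructed for illustration; the other sample lines are copied from this section.

```python
import re
from dataclasses import dataclass, field

# Header shape of the messages shown in 1.5.2 to 1.5.4:
# "*<uptime> <sysname> CAPT/8/<mnemonic>: <text>"
HEADER = re.compile(
    r"^\*(?P<uptime>\d+\.\d+)\s+(?P<host>\S+)\s+"
    r"CAPT/8/(?P<kind>Debug\w+):\s*(?P<text>.*)$"
)
# "key = value" or "key=value"; a value runs to the next comma or end of text.
PAIR = re.compile(r"(?<![\w-])([A-Za-z][\w-]*)\s*=\s*([^,]+?)\s*(?:,|$)")

# Constructed terminal capture. The record sent to 192.0.2.77 is invented for
# this example; the remaining lines are the outputs printed in this section.
SAMPLE = """\
<Eudemon> debugging firewall packet-capture capture
*0.66536883 Eudemon CAPT/8/DebugPacket: Saving one captured packet save-time =
2007/7/28 13:30:22, interface = Ethernet0/0/0, direction = ingress,
que-id = 0, serial-num = 3, captured-pktlen = 66, original-iplen = 66
<Eudemon> debugging firewall packet-capture send
*0.66536883 Eudemon CAPT/8/DebugPacket: sending one captured packet, destination:
ip = 10.1.1.5, udp-port = 9005, save-time = 2007/7/28 13:30:22, interface =
Ethernet0/0/0, direction = ingress,
que-id = 0, serial-num = 3, captured-pktlen = 66, original-iplen = 66
*0.66537001 Eudemon CAPT/8/DebugPacket: sending one captured packet, destination:
ip = 192.0.2.77, udp-port = 9005, save-time = 2007/7/28 13:30:23, interface =
Ethernet0/0/0, direction = ingress,
que-id = 0, serial-num = 4, captured-pktlen = 66, original-iplen = 66
*0.71342320 Eudemon CAPT/8/DebugError: CAPT_RcvPkt: failed to malloc memory!
*0.71342300 Eudemon CAPT/8/DebugEvent: Capture Queue 0 is full
"""


@dataclass
class CaptRecord:
    uptime: str
    host: str
    kind: str    # DebugPacket, DebugError or DebugEvent
    text: str    # message text with wrapped lines rejoined
    fields: dict = field(default_factory=dict)

    @property
    def is_send(self):
        # Send records carry the destination ip and udp-port fields;
        # capture records do not.
        return self.kind == "DebugPacket" and "udp-port" in self.fields


def parse_capt_debug(raw):
    """Turn terminal output into CaptRecord objects, rejoining wrapped lines."""
    messages, current = [], None
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = [line]            # a new debug message begins
            messages.append(current)
        elif not line or line[0] in "<[":
            current = None              # blank line or CLI prompt ends a message
        elif current is not None:
            current.append(line)        # continuation of a wrapped message
    records = []
    for parts in messages:
        m = HEADER.match(" ".join(parts))
        if not m:
            continue                    # not a CAPT debug message
        rec = CaptRecord(m["uptime"], m["host"], m["kind"], m["text"])
        rec.fields = dict(PAIR.findall(rec.text))
        records.append(rec)
    return records


def audit(records, allowed_collectors):
    """Return findings; allowed_collectors is a set of (ip, udp_port) pairs."""
    findings = []
    for rec in records:
        if rec.kind == "DebugError":
            findings.append(f"capture error on {rec.host}: {rec.text}")
        elif rec.kind == "DebugEvent" and rec.text.endswith("is full"):
            findings.append(f"capture queue full on {rec.host}: {rec.text}")
        elif rec.is_send:
            port = rec.fields["udp-port"]
            dest = (rec.fields.get("ip"), int(port) if port.isdigit() else None)
            if dest not in allowed_collectors:
                findings.append(
                    f"captured packet {rec.fields.get('serial-num')} from "
                    f"{rec.fields.get('interface')} sent to unapproved host "
                    f"{dest[0]}:{dest[1]}"
                )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_capt_debug(SAMPLE), {("10.1.1.5", 9005)}):
        print(finding)
```
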

1.5.3 debugging firewall packet-capture error

Function
Using the debugging firewall packet-capture error command, you can enable the packet-
capture error debugging.

Using the undo debugging firewall packet-capture error command, you can disable the
packet-capture error debugging.

Format
debugging firewall packet-capture error

undo debugging firewall packet-capture error

Parameters
None

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Enable the packet-capture error debugging.
<Eudemon> debugging firewall packet-capture error
*0.71342320 Eudemon CAPT/8/DebugError: CAPT_RcvPkt: failed to malloc memory!

Table 1-18 Description of the debugging firewall packet-capture error command output

Item Description

Debug information *0.71342320 Eudemon CAPT/8/DebugError: CAPT_RcvPkt: failed to
malloc memory!

Meaning Failed to allocate memory.

Cause Failed to allocate memory.

Measures Check whether enough free memory is available.


Related Topics
1.5.21 firewall packet-capture

1.5.4 debugging firewall packet-capture event

Function
Using the debugging firewall packet-capture event command, you can enable the packet-
capture event debugging.

Using the undo debugging firewall packet-capture event command, you can disable the
packet-capture event debugging.

Format
debugging firewall packet-capture event

undo debugging firewall packet-capture event

Parameters
None

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Enable the packet-capture event debugging.
<Eudemon> debugging firewall packet-capture event
*0.71342300 Eudemon CAPT/8/DebugEvent: Capture Queue 0 is full

Table 1-19 Description of the debugging firewall packet-capture event command output

Item Description

Debug information *0.71342300 Eudemon CAPT/8/DebugEvent: Capture Queue 0 is full

Meaning Queue 0 is full.

Cause Queue 0 is full of captured packets.


Related Topics
1.5.21 firewall packet-capture

1.5.5 display channel

Function
Using the display channel command, you can display the contents of an information channel.

Format
display channel [ channel-number | channel-name ]

Parameters
channel-number: specifies the channel number. The value is in the range of 0 to 9. That is, the
system has 10 channels.

channel-name: specifies the channel name.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If no parameter is specified in the command, the setting status of all channels is displayed.

Examples
# Display the content of channel 0.
<Eudemon> display channel 0
channel number:0, channel name:console
MODU_ID NAME ENABLE LOG_LEVEL ENABLE TRAP_LEVEL ENABLE DEBUG_LEVEL
ffff0000 default Y warning Y debugging Y debugging

Table 1-20 Description of the display channel command output

Item Description

MODU_ID Indicates the ID of the module to which the entry applies. "ffff0000" is the
default entry.

NAME Indicates the name of the module to which the entry applies. "default" indicates
the default module.

ENABLE (first) Indicates whether the output of log information is enabled.


LOG_LEVEL Indicates the level of the log information allowed to be output.

ENABLE (second) Indicates whether the output of alarm information is enabled.

TRAP_LEVEL Indicates the level of the alarm information allowed to be output.

ENABLE (third) Indicates whether the output of debugging information is enabled.

DEBUG_LEVEL Indicates the level of the debugging information allowed to be output.

1.5.6 display cpu-usage-for-user

Function
Using the display cpu-usage-for-user command, you can view the statistics and configuration
of the CPU usage.

Format
display cpu-usage-for-user entry-number [ offset ] [ verbose ] [ history ] [ configuration ]

Parameters
entry-number: specifies the number of entries displayed each time. The value is an integer that
ranges from 1 to 60.
offset: specifies that the display begins from an entry before the latest record. The value is an
integer that ranges from 0 to 59.
verbose: displays detailed information about each record.
history: displays the history record of the CPU usage.
configuration: displays the configuration information about the CPU usage.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display two entries of the statistics and configuration of the CPU usage.


<Eudemon> display cpu-usage-for-user 2


CPU Usage Stat. Cycle: 60 (Second)
CPU Usage : 3%
CPU Usage Stat. Time : 2008-09-04 15:36:41
CPU Usage Stat. Tick : 0x1311(CPU Tick High) 0x8f595e92(CPU Tick Low)
Actual Stat. Cycle : 0x0(CPU Tick High) 0xb2d72bef(CPU Tick Low)

===== CPU usage info (no: 1 idx: 30) =====


CPU Usage Stat. Cycle: 60 (Second)
CPU Usage : 3%
CPU Usage Stat. Time : 2008-09-04 15:35:41
CPU Usage Stat. Tick : 0x1310(CPU Tick High) 0xdc7c49a2(CPU Tick Low)
Actual Stat. Cycle : 0x0(CPU Tick High) 0xb2d7295c(CPU Tick Low)

1.5.7 display debugging

Function
Using the display debugging command, you can display the enabled debugging.

Format
display debugging [ interface interface-type interface-number ] [ module-name ]

Parameters
module-name: specifies a module name.
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
By default, all the enabled debugging is displayed when no parameter is specified.

Examples
# Display all the enabled debugging.
<Eudemon> display debugging
IP packet debugging switch is on.

Related Topics
1.5.1 debugging (User View)

1.5.8 display diagnostic-information


Function
Using the display diagnostic-information command, you can display the working status of all
current system modules.

Format
display diagnostic-information

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The display diagnostic-information command output covers the output of the display
commands, that is, 1.1.3 display clock, 1.1.6 display version, and 1.4.16 display current-
configuration.

Using this command, you can collect abundant information that is helpful to locate the problem
in case of system failure.

Examples
# Display the diagnostic information.
<Eudemon> display diagnostic-information

1.5.9 display device

Function
Using the display device command, you can view the information of the device.

Format
display device interface-slot

Parameters
interface-slot: specifies the number of the interface slot as a decimal integer. Its value ranges from
0 to 5.


Views
All views

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# View the information of the device.
<Eudemon> display device
Quidway E200 Firewall's Device status:

Slot # Type Online Status
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 RPU Present Normal
1 4CE1 Present Normal
3 PWR Present Normal
5 FAN Present Normal

1.5.10 display environment

Function
Using the display environment command, you can view the temperature and voltage of the
current monitor point.

Format
display environment

Parameters
None

Views
All views

Default Level
2: Configuration level

Usage Guidelines
None


Examples
# View the temperature and voltage of the current monitor point.
<Eudemon> display environment
Environment Temperature information:
local CurrentTemperature LowLimit HighLimit
(deg c ) (deg c) (deg c )
CPU 59 0 95
BOARD 44 0 95
VENT 28 0 65

1.5.11 display firewall logtime

Function
Using the display firewall logtime command, you can display log scan intervals.

Format
display firewall logtime { defend | session | statistic }

Parameters
defend: displays the scan interval of attack-defense logs.

session: displays the scan interval of session logs.

statistic: displays the scan interval of statistics logs.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the scan interval of attack-defense logs.
<Eudemon> display firewall logtime defend
Atack logtime is 30 s.

Related Topics
1.5.20 firewall log-time

1.5.12 display firewall packet-capture configuration


Function
Using the display firewall packet-capture configuration command, you can view the
configuration of the remote packet capture.

Format
display firewall packet-capture configuration

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the configuration of remote packet capture.
<Eudemon> display firewall packet-capture configuration
Capture State: Off
Capture Number: 1024
Sending Queue:
Host: 10.1.1.1:9005
Interface Packet-Direction Type QueueID
Ethernet1/0/0 Both All 2
17:01:03 06-02-2008

Table 1-21 Description of the display firewall packet-capture configuration command output

Field Description

Capture State Indicates the status of packet capture.

Capture Number Indicates the maximum number of captured packets on the interface.

Host Indicates the IP address of the destination host.

Sending Queue Indicates the ID of the queue that is sending packets.

Interface Indicates the name of the interface configured with packet capture.

Packet-Direction Indicates the direction of packet capture configured on the interface.

Type Indicates the type of packet capture configured on the interface.


QueueID Indicates the ID of the queue configured for packet capture on the
interface.

Related Topics
1.5.21 firewall packet-capture

1.5.13 display firewall packet-capture queue

Function
Using the display firewall packet-capture queue command, you can view information about
the packets in the remote packet-capture queue.

Format
display firewall packet-capture queue queue-id [ low-serial [ high-serial ] ]

Parameters
queue-id: specifies the ID of the queue. It ranges from 0 to 4.
low-serial: specifies the serial number of the first packet to be displayed.
high-serial: specifies the serial number of the last packet to be displayed.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display information about the packets in the remote packet-capture queue 2.
<Eudemon> display firewall packet-capture queue 2
Interface: Ethernet0/0/0
Total Packets: 2

Serial Number 0
Direction Egress
Captured Packet Length 98
Original IP/Data Length 84
Packet Content:
Data Link Layer header:


00 e0 4c 83 26 1a 00 18 82 48
c8 8b 08 00
IP/Data Packet:
45 00 00 54 00 0f 00 00 ff 01
b3 8d 03 05 01 01 03 05 01 02
08 00 ce b6 ab d0 00 01 01 6e
dc 25 ba d0 ba d0 00 01 02 03
04 05 06 07 08 09 0a 0b 0c 0d
0e 0f 10 11 12 13 14 15 16 17
18 19 1a 1b 1c 1d 1e 1f 20 21
22 23 24 25 26 27 28 29 2a 2b
2c 2d 2e 2f

Serial Number 1
Direction Ingress
Captured Packet Length 98
Original IP/Data Length 84
Packet Content:
Data Link Layer header:
00 18 82 48 c8 8b 00 e0 4c 83
26 1a 08 00
IP/Data Packet:
45 00 00 54 3b a3 00 00 80 01
f6 f9 03 05 01 02 03 05 01 01
00 00 d6 b6 ab d0 00 01 01 6e
dc 25 ba d0 ba d0 00 01 02 03
04 05 06 07 08 09 0a 0b 0c 0d
0e 0f 10 11 12 13 14 15 16 17
18 19 1a 1b 1c 1d 1e 1f 20 21
22 23 24 25 26 27 28 29 2a 2b
2c 2d 2e 2f

Table 1-22 Description of the display firewall packet-capture queue command output
Field Description

Interface Indicates the name of the interface corresponding to the queue.

Total Packets Indicates the number of packets to be displayed.

Serial Number Indicates the serial number of the current packet.

Direction Indicates the direction of the current packet.

Captured Packet Length Indicates the captured length of the packet.

Original IP/Data Length Indicates the original length of the packet.

Packet Content Indicates the content of the packet.

Data Link Layer Header Indicates the headers of data link layer packets.

IP/Data Packet Indicates the contents of network layer packets.

Related Topics
1.5.21 firewall packet-capture
1.5.23 firewall packet-capture send queue
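
The following Python code is an added example, not part of the Huawei manual. It parses the display firewall packet-capture queue 2 output shown in 1.5.13, decodes the Ethernet and IPv4 headers of each packet, and checks the dumped bytes against the reported lengths and the IPv4 header checksum. The function names are hypothetical, and treating "Original IP/Data Length" as the IP total length is an assumption drawn from the sample.

```python
import ipaddress
import re

# Output of "display firewall packet-capture queue 2", copied from the example above.
SAMPLE = """\
Interface: Ethernet0/0/0
Total Packets: 2

Serial Number 0
Direction Egress
Captured Packet Length 98
Original IP/Data Length 84
Packet Content:
Data Link Layer header:
00 e0 4c 83 26 1a 00 18 82 48
c8 8b 08 00
IP/Data Packet:
45 00 00 54 00 0f 00 00 ff 01
b3 8d 03 05 01 01 03 05 01 02
08 00 ce b6 ab d0 00 01 01 6e
dc 25 ba d0 ba d0 00 01 02 03
04 05 06 07 08 09 0a 0b 0c 0d
0e 0f 10 11 12 13 14 15 16 17
18 19 1a 1b 1c 1d 1e 1f 20 21
22 23 24 25 26 27 28 29 2a 2b
2c 2d 2e 2f

Serial Number 1
Direction Ingress
Captured Packet Length 98
Original IP/Data Length 84
Packet Content:
Data Link Layer header:
00 18 82 48 c8 8b 00 e0 4c 83
26 1a 08 00
IP/Data Packet:
45 00 00 54 3b a3 00 00 80 01
f6 f9 03 05 01 02 03 05 01 01
00 00 d6 b6 ab d0 00 01 01 6e
dc 25 ba d0 ba d0 00 01 02 03
04 05 06 07 08 09 0a 0b 0c 0d
0e 0f 10 11 12 13 14 15 16 17
18 19 1a 1b 1c 1d 1e 1f 20 21
22 23 24 25 26 27 28 29 2a 2b
2c 2d 2e 2f
"""

FIELD = re.compile(r"(Direction|Captured Packet Length|Original IP/Data Length)\s+(\w+)$")
HEX_ROW = re.compile(r"(?:[0-9a-fA-F]{2}\s*)+$")

def checksum_ok(header):
    """A valid IPv4 header sums (16-bit one's complement) to 0xFFFF."""
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode(pkt):
    """Decode the Ethernet and IPv4 headers of one packet and note inconsistencies."""
    l2, l3, notes = bytes(pkt.pop("l2")), bytes(pkt.pop("l3")), []
    # In the sample, Captured Packet Length = link-layer bytes + IP bytes (14 + 84).
    if pkt.get("Captured Packet Length") != len(l2) + len(l3):
        notes.append("dumped bytes do not add up to Captured Packet Length")
    if len(l2) >= 14:
        pkt.update(dst_mac=l2[0:6].hex(":"), src_mac=l2[6:12].hex(":"),
                   ethertype=int.from_bytes(l2[12:14], "big"))
    ihl = (l3[0] & 0x0F) * 4 if l3 else 0
    if pkt.get("ethertype") == 0x0800 and 20 <= ihl <= len(l3) and l3[0] >> 4 == 4:
        pkt.update(ip_total_len=int.from_bytes(l3[2:4], "big"), ttl=l3[8], proto=l3[9],
                   src_ip=str(ipaddress.IPv4Address(l3[12:16])),
                   dst_ip=str(ipaddress.IPv4Address(l3[16:20])),
                   ip_checksum_ok=checksum_ok(l3[:ihl]))
        # Assumption from the sample: Original IP/Data Length is the IP total length.
        if pkt["ip_total_len"] != pkt.get("Original IP/Data Length"):
            notes.append("IP total length differs from Original IP/Data Length")
        if not pkt["ip_checksum_ok"]:
            notes.append("IPv4 header checksum is invalid")
        if pkt["proto"] == 1 and len(l3) >= ihl + 2:  # ICMP: type and code
            pkt.update(icmp_type=l3[ihl], icmp_code=l3[ihl + 1])
    pkt["notes"] = notes
    return pkt

def parse_queue_dump(text):
    """Split the CLI output into packets and decode each one."""
    packets, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Serial Number"):
            packets.append({"serial": int(line.split()[-1]), "l2": bytearray(), "l3": bytearray()})
            section = None
        elif not packets:
            continue  # preamble: Interface / Total Packets
        elif line.startswith(("Data Link Layer", "IP/Data Packet")):
            section = "l2" if line.startswith("Data") else "l3"
        elif section and HEX_ROW.match(line):
            packets[-1][section] += bytes.fromhex(line)
        elif m := FIELD.match(line):
            packets[-1][m[1]] = int(m[2]) if m[2].isdigit() else m[2].lower()
    return [decode(p) for p in packets]
```

Applied to the sample, the two packets decode as an ICMP echo request from 3.5.1.1 to 3.5.1.2 (egress) and the matching echo reply (ingress), both with valid IPv4 header checksums.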

1.5.14 display firewall packet-capture statistic


Function
Using the display firewall packet-capture statistic command, you can view the schedule and
sending status of remote packet capture.

Format
display firewall packet-capture statistic

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the statistics of packet capture, including packet capture schedule and sending status.
<Eudemon> display firewall packet-capture statistic
QueueID CapturedNumber SentState TCP UDP ICMP Other
----------------------------------------------------------------------
0 10( 10%) Unsent 0.00% 0.00% 100.00% 0.00%
1 0( 0%) Unused 0.00% 0.00% 0.00% 0.00%
2 0( 0%) Unused 0.00% 0.00% 0.00% 0.00%
3 0( 0%) Unused 0.00% 0.00% 0.00% 0.00%
4 0( 0%) Unused 0.00% 0.00% 0.00% 0.00%
17:45:08 06-02-2008

Table 1-23 Description of the display firewall packet-capture statistic command output
Field Description

QueueID Indicates the ID of the queue.

CapturedNumber Indicates the number of captured packets in the queue.

SentState Indicates the sending status of the queue.

TCP Indicates the number of TCP packets in the queue.

UDP Indicates the number of UDP packets in the queue.

ICMP Indicates the number of ICMP packets in the queue.

Other Indicates the number of other types of packets in the queue.


Related Topics
1.5.21 firewall packet-capture

1.5.15 display info-center

Function
Using the display info-center command, you can display all the information recorded in the
information center.

Format
display info-center [ statistics ]

Parameters
statistics: displays the statistics in the information center.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display all the information recorded in the information center.
<Eudemon> display info-center
Information Center:enabled
Log host:
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:
enabled,max buffer size 1024, current buffer size 1024,
current messages 30, channel number : 4, channel name : logbuffer
dropped messages 0, overwritten messages 0
Trap buffer:
enabled,max buffer size 1024, current buffer size 1024,
current messages 0, channel number:3, channel name:trapbuffer
dropped messages 0, overwritten messages 0
logfile:
channel number : 9, channel name : channel9, language : english


Information timestamp setting:
log - date, trap - date, debug - boot

Table 1-24 Description of the display info-center command output


Item Description

Information Center Indicates whether the information center is enabled

Log host Status of the log host, including its IP address, the channel number,
the channel name, the language and the level of the logging host

Console Status of the console port, including the channel name and the channel
number

Monitor Status of the monitor port, including the channel name and the channel
number

SNMP Agent Status of the network management agent, including the channel names
and the channel numbers

Log buffer Status of the log buffer, including the enabling state, the maximum
size, the current size, the number of the messages, the channel names,
the channel number, the number of the discarded messages and the
number of the superseded messages

Trap buffer Status of the trapping buffer, including the enabling state, the
maximum size, the current size, the number of the messages, the
channel names, the channel numbers, the number of the discarded
messages and the number of the superseded messages

Logfile Status of the log file, including the channel names, the channel number
and the language

Information timestamp setting Setting of the timestamp, which explains the type of the timestamp of
the log information, alarm information and debug information

Related Topics
1.5.29 info-center enable
1.5.31 info-center loghost
1.5.30 info-center logbuffer
1.5.37 info-center trapbuffer
1.5.28 info-center console channel
1.5.33 info-center monitor channel
1.5.34 info-center snmp channel

1.5.16 display logbuffer


Function
Using the display logbuffer command, you can display the information recorded in the logging
buffer.

Format
display logbuffer [ size sizeval | level levelval | | { begin | include | exclude } regular-expression ] *
display logbuffer summary [ level levelval ]

Parameters
size sizeval: specifies the number of information items to be displayed from the logging buffer. The value
is in the range of 1 to 1024.
level levelval: displays the information of the specified level. The value is in the range of 1 to 8.
|: filters the output using regular expressions.
begin: displays the configuration beginning with the specified string.
include: displays the configuration including the specified string.
exclude: displays the configuration excluding the specified string.
regular-expression: specifies the regular expression.
summary: displays the summary of the logging buffer.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
By default, if no parameter is specified in the command, all the information in the logging buffer
is displayed.
If the number of information items in the current log buffer is smaller than sizeval, only the items
actually present are displayed.

Examples
# Display the information in the logging buffer.
<Eudemon> display logbuffer
Logging buffer configuration and contents:enabled
Allowed max buffer size : 1024
Actual buffer size : 1024
Channel number : 4 , Channel name : logbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 1


%Jun 25 11:06:30 2008 Eudemon B SHELL/5/CMD:task:CO0 ip:** user:** command:reset logbuffer

Table 1-25 Description of the display logbuffer command output

Item Description

Logging Buffer Configuration and contents Status of the log buffer

allowed max buffer size Maximum log buffer size

actual buffer size Actual log buffer size

channel number Channel number

channel name Channel name

dropped messages Discarded messages

overwritten messages Superseded messages

current messages Current messages

Related Topics
1.5.29 info-center enable
1.5.30 info-center logbuffer
1.5.15 display info-center

1.5.17 display patch-information

Function
Using the display patch-information command, you can view information about all the current
patches.

Format
display patch-information

Parameters
None

Views
All views

Default Level
1: Monitoring level


Usage Guidelines
None

Examples
# Display information about the system patch.
<Eudemon> display patch-information
No patch in the memory for CpuId < -1 >.

Related Topics
1.5.38 patch

1.5.18 display schedule reboot

Function
Using the display schedule reboot command, you can view the settings of the parameters of
the 1.5.46 schedule reboot command.

Format
display schedule reboot

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
None

Examples
# Display the settings of the parameters of the schedule reboot command.
<Eudemon> display schedule reboot
Reboot system at 16:00:00 2002/11/1 (in 2 hours and 5 minutes).


Table 1-26 Description of the display schedule reboot command output


Item Description

Reboot system Restart time of the system

Related Topics
1.5.46 schedule reboot

1.5.19 display trapbuffer

Function
Using the display trapbuffer command, you can display the information recorded in the alarm
buffer.

Format
display trapbuffer [ size sizeval ]

Parameters
size sizeval: specifies the number of the information items to be displayed in the specified alarm
buffer. The value is in the range of 1 to 1024.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
By default, if no parameter is specified in the command, all the information in the trapping buffer
is displayed.
If the number of information items in the current alarm buffer is smaller than sizeval, only the items
actually present are displayed.

Examples
# Display the information in the alarm buffer.
<Eudemon> display trapbuffer
Trapping Buffer Configuration and contents:
enabled
allowed max buffer size : 1024
actual buffer size : 1024
channel number : 3 , channel name : trapbuffer
dropped messages : 0


overwritten messages : 0
current messages : 0

Table 1-27 Description of the display trapbuffer command output


Item Description

Trapping Buffer Configuration and contents Status of the alarm buffer

allowed max buffer size Maximum alarm buffer size

actual buffer size Actual alarm buffer size

channel number Channel number

channel name Channel name

dropped messages Discarded messages

overwritten messages Superseded messages

current messages Current messages

Related Topics
1.5.29 info-center enable
1.5.37 info-center trapbuffer
1.5.15 display info-center

1.5.20 firewall log-time

Function
Using the firewall log-time command, you can set the interval for scanning the log buffer (for
attack-defense, traffic, and traffic monitoring logs).
Using the undo firewall log-time command, you can restore its default value.

Format
firewall { defend | session | statistic } log-time value
undo firewall { defend | session | statistic } log-time

Parameters
defend: sets the scan interval of attack-defense logs.
session: sets the scan interval of session logs.
statistic: sets the scan interval of statistics logs.
log-time value: specifies the interval for scanning the log buffer. The value ranges from 1 to 65535 seconds.
The default value is 30 seconds.


Views
System view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Set the scan interval of the attack-defense log buffer to 100 seconds.
<Eudemon> system-view
[Eudemon] firewall defend log-time 100

Related Topics
1.5.16 display logbuffer

1.5.21 firewall packet-capture

Function
Using the firewall packet-capture command, you can enable the remote packet capture function
on the interface.

Using the undo firewall packet-capture command, you can disable the remote packet capture
function on the interface.

Format
firewall packet-capture { all | ip acl-number | other } queue queue-id [ ingress | egress ]

undo firewall packet-capture

Parameters
all: indicates all packets.

ip acl-number: captures IP packets matching the specified ACL rule.

acl-number: specifies the number of the advanced ACL rule. It is an integer in the range of 3000
to 3999.

other: captures non-IP packets.

queue-id: specifies the ID of the queue for packet capture. It ranges from 0 to 4.

ingress: captures inbound packets only.

egress: captures outbound packets only.


Views
Ethernet main interface view, subinterface view

Default Level
2: Configuration level

Usage Guidelines
This command is usually used for analyzing faults on a network.

Examples
# Capture all packets on Ethernet 0/0/0 and save them to queue 2.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] firewall packet-capture all queue 2

Related Topics
1.5.12 display firewall packet-capture configuration

1.5.22 firewall packet-capture send host

Function
Using the firewall packet-capture send host command, you can specify the IP address and port
number of the destination host that receives the captured packets.

Using the undo firewall packet-capture send host command, you can remove the configuration
related to the destination host.

Format
firewall packet-capture send host ip-address [ destination-port dest-port ]

undo firewall packet-capture send host

Parameters
ip-address: specifies the IP address of the destination host that receives captured packets.

dest-port: specifies the port number of the destination host. It ranges from 1024 to 65535.

Views
System view

Default Level
2: Configuration level


Usage Guidelines
This command is usually used for analyzing faults on a network.

Examples
# Send captured packets to the host at 100.1.1.5.
<Eudemon> system-view
[Eudemon] firewall packet-capture send host 100.1.1.5

Related Topics
1.5.12 display firewall packet-capture configuration

1.5.23 firewall packet-capture send queue

Function
Using the firewall packet-capture send queue command, you can send the captured packets kept
in the specified queue.

Using the undo firewall packet-capture send queue command, you can stop sending the packets
kept in the specified queue.

Format
firewall packet-capture send queue queue-id

undo firewall packet-capture send queue queue-id

Parameters
queue-id: specifies the ID of the queue for packet capture. It ranges from 0 to 4.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
This command is usually used for analyzing faults on the network.

This command cannot be used unless captured packets are available and the IP address of the
destination host is specified already.

Examples
# Send stored packets from queue 2.


<Eudemon> system-view
[Eudemon] firewall packet-capture send queue 2

Related Topics
1.5.13 display firewall packet-capture queue

1.5.24 firewall packet-capture startup

Function
Using the firewall packet-capture startup command, you can start the packet capture process
and specify the maximum number of packets captured on each interface.
Using the undo firewall packet-capture startup command, you can stop the packet capture
process.

Format
firewall packet-capture startup [ max_packets ]
undo firewall packet-capture startup

Parameters
max_packets: specifies the maximum number of packets captured on each interface. It ranges
from 1 to 2048. The default value is 1024.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
This command is usually used for analyzing faults on the network.

Examples
# Start the packet capture process and set the maximum number of packets captured on each
interface to 2048.
<Eudemon> system-view
[Eudemon] firewall packet-capture startup 2048

Related Topics
1.5.12 display firewall packet-capture configuration

1.5.25 firewall session log-type binary discard enable


Function
Using the firewall session log-type binary discard enable command, you can enable the
function of sending binary logs for discarded packets.

Using the undo firewall session log-type binary discard enable command, you can disable the
function of sending binary logs for discarded packets.

Format
firewall session log-type binary discard enable

undo firewall session log-type binary discard enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
Packets can be discarded for many reasons: for example, the packet matches a deny rule of the ACL,
the default filtering rule of the firewall is deny, or the packet is illegal. If the function
of sending binary logs for discarded packets is enabled, the firewall generates binary logs for
discarded packets and records the corresponding event offset value.

By default, the function of sending binary logs for discarded packets is disabled.

Examples
# Enable the function of sending binary logs for discarded packets.
<Eudemon> system-view
[Eudemon] firewall session log-type binary discard enable
The system performance will be affected when this fuction is enabled! Continue ?[Y/N]:y

1.5.26 firewall session log-type

Function
Using the firewall session log-type command, you can set the output format of logs.

Using the undo firewall session log-type command, you can restore the default output format
of logs.


Format
firewall session log-type { syslog | binary host ip-address port }
undo firewall session log-type

Parameters
syslog: outputs traffic log in syslog format.
binary: outputs traffic log in binary-flow format.
host ip-address: specifies the IP address of the binary log host.
port: specifies the UDP port of the binary log host. The value ranges from 1 to 65535.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
Logs can be output in syslog format or binary format.
By default, logs are output in syslog format.

Examples
# Output traffic log in binary format (host address is set to 10.10.10.1 and port number is set to
500).
<Eudemon> system-view
[Eudemon] firewall session log-type binary host 10.10.10.1 500

# Output traffic log in syslog format.
[Eudemon] firewall session log-type syslog

1.5.27 info-center channel

Function
Using the info-center channel command, you can name the specified information channel.
Using the undo info-center channel command, you can restore the default information channel
name.

Format
info-center channel channel-number name channel-name
undo info-center channel channel-number

Parameters
channel-number: specifies the channel number, in the range of 0 to 9. That is, the system has 10
channels.

channel-name: specifies a channel name. It can be 1 to 30 characters. Note that the first character
of the channel name cannot be a digit or any of the following characters: - / \

Views
System view

Default Level
2: Configuration level

Usage Guidelines
The channels should have the same name.

Examples
# Name channel 0 as "execconsole".
<Eudemon> system-view
[Eudemon] info-center channel 0 name execconsole

1.5.28 info-center console channel

Function
Using the info-center console channel command, you can configure the system to output information
to the console through a specified channel.

Using the undo info-center console channel command, you can cancel the current
configuration.

Format
info-center console channel { channel-number | channel-name }

undo info-center console channel

Parameters
channel-number: specifies the channel number, in the range of 0 to 9. That is, the system has 10
channels.

channel-name: specifies the channel name.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the log information is output to the console.
This command takes effect only when the log information center is started up.

Examples
# Output the information to the console through a specified channel.
<Eudemon> system-view
[Eudemon] info-center console channel console

Related Topics
1.5.29 info-center enable
1.5.15 display info-center

1.5.29 info-center enable

Function
Using the info-center enable command, you can enable the information center.
Using the undo info-center enable command, you can disable the information center.

Format
info-center enable
undo info-center enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the information center is enabled.
The system outputs the information to the log host and the console after the information center
is started up.

Examples
# Enable the information center.
<Eudemon> system-view
[Eudemon] info-center enable
% information center is enabled

Related Topics
1.5.31 info-center loghost
1.5.30 info-center logbuffer
1.5.37 info-center trapbuffer
1.5.28 info-center console channel
1.5.33 info-center monitor channel
1.5.15 display info-center

1.5.30 info-center logbuffer

Function
Using the info-center logbuffer command, you can enable the log buffer, set the number of the
channel for outputting log information and set the size of the log buffer.

Using the undo info-center logbuffer command, you can restore the default configuration.

Format
info-center logbuffer [ channel { channel-number | channel-name } | size buffersize ] *

undo info-center logbuffer [ channel | size ]

Parameters
channel: sets the channel for outputting the information to the log buffer.

channel-number: specifies the channel number, in the range of 0 to 9. That is, the system has 10
channels.

channel-name: specifies the channel name.

size: sets the size of the log buffer.

buffersize: specifies the size of the log buffer (the number of messages in the buffer). The value
is in the range of 0 to 1024.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, information is allowed to be output to the log buffer, and the log buffer size is 512.

This command takes effect only when the information center is started up.

By setting the size of the logging buffer, you can control the output information in this direction.

Examples
# Enable the firewall to send information to the log buffer, and set the size of log buffer to 50.
<Eudemon> system-view
[Eudemon] info-center logbuffer size 50

Related Topics
1.5.29 info-center enable
1.5.15 display info-center

1.5.31 info-center loghost

Function
Using the info-center loghost command, you can configure the system to output information to the
log host.

Using the undo info-center loghost command, you can cancel the current configuration.

Format
info-center loghost ip-address [ channel { channel-number | channel-name } | facility local-number
| language { chinese | english } ] *

undo info-center loghost ip-address

Parameters
ip-address: specifies the IP address of the log host.

channel: sets the information channel of the log host.

channel-number: specifies the channel number. The value is in the range of 0 to 9. That is, the
system has 10 channels.

channel-name: specifies the channel name.

facility: sets the tool used by the log host to record information.

local-number: specifies the tool used by the log host to record information. It is in the range of
local0 to local7.

language: sets the language for the recorded information.

chinese, english: log record language, either Chinese or English can be selected.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, no information is output to the log host.
By default, the information channel of the log host uses the No.2 information channel, whose
channel name is log host. The local-number of the tool used by the log host to record is local7.
This command takes effect only when the information center is started up.
By setting the IP address of the log host, you can control the information output in that
direction. The system supports at most 4 log hosts.

Examples
# Enable the firewall to send information to UNIX workstation with the IP address 202.38.160.1.
<Eudemon> system-view
[Eudemon] info-center loghost 202.38.160.1

Related Topics
1.5.29 info-center enable
1.5.15 display info-center

1.5.32 info-center loghost source

Function
Using the info-center loghost source command, you can specify the source interface that sends
the packets to the log host.
Using the undo info-center loghost source command, you can cancel the current configuration.

Format
info-center loghost source interface-type interface-number
undo info-center loghost source

Parameters
interface-type interface-number: specifies the type and number of the interface.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the source address of the packet sent by a firewall is the IP address of the interface
from which the packet is sent out.

If several firewalls output the information to the same log host, use this command to set different
source interfaces on firewalls. In this way, you can determine from which firewall the packet is
sent and search the received messages conveniently.

Examples
# Set the IP address of Ethernet 0/0/0 as the source address of the log message packets.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ip address 1.1.1.1 255.255.255.0
[Eudemon-Ethernet0/0/0] quit
[Eudemon] info-center loghost source Ethernet 0/0/0

1.5.33 info-center monitor channel

Function
Using the info-center monitor channel command, you can configure the system to output information
to the user terminal through a specified channel.

Using the undo info-center monitor channel command, you can cancel the current
configuration.

Format
info-center monitor channel { channel-number | channel-name }

undo info-center monitor channel

Parameters
channel-number: specifies the channel number, in the range of 0 to 9. That is, the system has 10
channels.

channel-name: specifies the channel name.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, no information is output to the user terminal.

This command takes effect only when the information center is started up.

Examples
# Output the information to the user terminal through a specified channel.
<Eudemon> system-view
[Eudemon] info-center monitor channel monitor

Related Topics
1.5.29 info-center enable
1.5.15 display info-center

1.5.34 info-center snmp channel

Function
Using the info-center snmp channel command, you can set the information channel of SNMP.

Using the undo info-center snmp channel command, you can cancel the current configuration.

Format
info-center snmp channel { channel-number | channel-name }

undo info-center snmp channel

Parameters
channel-number: specifies the channel number, in the range of 0 to 9. That is, the system has 10
channels.

channel-name: specifies the channel name.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, channel 5 is used.

This command takes effect only when the information center is enabled.

Examples
# Set channel 6 as the SNMP information channel.
<Eudemon> system-view
[Eudemon] info-center snmp channel 6

Related Topics
1.5.29 info-center enable
1.5.15 display info-center

1.5.35 info-center source

Function
Using the info-center source command, you can add records to the information channel.

Using the undo info-center source command, you can remove the records in the information
channel.

Format
info-center source { module-name | default } { channel { channel-number | channel-name } }
[ log { state { on | off } | level severity } * | trap { state { on | off } | level severity } * |
debug { state { on | off } | level severity } * ] *

undo info-center source { module-name | default } { channel { channel-number | channel-name } }

Parameters
module-name: specifies the module names.

default: sets default information record.

channel-number: specifies the number of the information channel. It ranges from 1 to 9.

channel-name: specifies the name of the channel to be set.

log: specifies the logs.

trap: specifies the alarms.

debug: specifies the debugging information.

on: enables information.

off: disables information.

level: sets information level to disable sending out information whose level is higher than
severity.

severity: specifies the information level. The information center divides the information into 8
levels. The more severe the information is, the lower its level is. For example, the level of
emergencies is 1 while that of debugging is 8.

Table 1-28 Definition of eight information levels

Severity | Level | Description
Emergencies | 1 | A fatal fault occurs on the device, such as the program working abnormally or the device memory being wrongly used. The system must restart.
Alerts | 2 | An important fault occurs on the device, such as the device memory reaching the high limit. The fault needs to be removed immediately.
Critical | 3 | A crucial fault occurs, such as the memory occupancy reaching the lowest limit or the temperature reaching the lowest limit. The fault needs to be analyzed and removed.
Errors | 4 | A fault caused by a wrong operation or a wrong process occurs, such as a wrong user password, or wrong protocol packets received from other devices. The fault does not influence the following service but needs attention.
Warnings | 5 | An abnormal situation occurs on the running device, such as the user disabling the routing process. The fault needs attention since it may affect service provision.
Notifications | 6 | Indicates the key operations used to keep the device running normally, such as the shutdown command, neighbor discovery or the state machine.
Informational | 7 | Indicates the common operations used to keep the device running normally, such as the display command.
Debugging | 8 | Indicates common information about the device that needs no attention.

*: indicates that any of the options can be selected. You must choose at least one option and can
choose at most all of them.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
For the specific modules, the default configurations are as follows:
- For the logging information, the state is on and the allowed information level is informational.
- For the trapping information, the state is on and the allowed information level is informational.
- For the debugging information, the state is off.

A default record is set for each information channel. Its module name is "default" and module
number is 0xffff0000. However, for different information channels, the record has different
default values for the log, alarm and debugging information. The default configuration record
will be used if a module has no specified configuration record in the channel.

Examples
# Enable the log information of the AAA module in the SNMP channel, and the highest level
of the output information is emergencies.
<Eudemon> system-view
[Eudemon] info-center source aaa channel snmpagent log level emergencies

# Remove the setting of the HRP module in the SNMP channel.
[Eudemon] undo info-center source hrp channel snmpagent
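
The filtering rule described above for info-center source, replayed over the two example commands. This is an added example, not code from the manual or from Huawei; the default record of the snmpagent channel and the debug level in module_defaults() are assumptions, because the page does not list them.

```python
from dataclasses import dataclass

# Table 1-28: the more severe the information, the lower the level number.
LEVELS = {"emergencies": 1, "alerts": 2, "critical": 3, "errors": 4,
          "warnings": 5, "notifications": 6, "informational": 7, "debugging": 8}
KINDS = ("log", "trap", "debug")


@dataclass
class Rule:
    state: bool   # state on / off
    level: str    # highest level number that is still sent


def module_defaults():
    """Defaults the page gives for a module-specific record."""
    return {"log": Rule(True, "informational"),
            "trap": Rule(True, "informational"),
            # The page only says the debug state is off; the level is an assumption.
            "debug": Rule(False, "debugging")}


class Channel:
    def __init__(self, name, default_record):
        self.name = name
        self.records = {"default": default_record}

    def apply(self, command):
        """Apply one [undo] info-center source ... channel ... command."""
        tokens = command.split()
        undo = bool(tokens) and tokens[0] == "undo"
        if undo:
            tokens = tokens[1:]
        if (len(tokens) < 5 or tokens[:2] != ["info-center", "source"]
                or tokens[3] != "channel"):
            raise ValueError("not an info-center source command: " + command)
        module, channel, options = tokens[2], tokens[4], tokens[5:]
        if channel != self.name:
            raise ValueError("command targets channel " + channel)
        if undo:
            # Assumption: undo removes a module record; "default" stays in place.
            if module != "default":
                self.records.pop(module, None)
            return
        record = self.records.setdefault(module, module_defaults())
        kind = None
        while options:
            word = options.pop(0)
            if word in KINDS:
                kind = word
                continue
            if kind is None or word not in ("state", "level") or not options:
                raise ValueError("unexpected keyword: " + word)
            value = options.pop(0)
            if word == "state" and value in ("on", "off"):
                record[kind].state = value == "on"
            elif word == "level" and value in LEVELS:
                record[kind].level = value
            else:
                raise ValueError("bad value for " + word + ": " + value)

    def passes(self, module, kind, level):
        """True if this information is sent out through the channel."""
        # A module without its own record falls back to the default record.
        record = self.records.get(module, self.records["default"])
        rule = record[kind]
        # Information whose level number is higher than the severity is not sent.
        return rule.state and LEVELS[level] <= LEVELS[rule.level]


def demo():
    # Constructed default record for the channel (not taken from the page).
    chan = Channel("snmpagent", {"log": Rule(True, "warnings"),
                                 "trap": Rule(True, "debugging"),
                                 "debug": Rule(False, "debugging")})
    chan.apply("info-center source aaa channel snmpagent log level emergencies")
    results = {
        # Table 1-28 puts "wrong user password" at Errors (4): filtered out.
        "aaa_log_errors": chan.passes("aaa", "log", "errors"),
        "aaa_log_emergencies": chan.passes("aaa", "log", "emergencies"),
        # trap was not named in the command, so the module defaults apply.
        "aaa_trap_warnings": chan.passes("aaa", "trap", "warnings"),
        # hrp has no record: the channel's default record decides.
        "hrp_log_errors": chan.passes("hrp", "log", "errors"),
    }
    chan.apply("undo info-center source aaa channel snmpagent")
    results["aaa_log_errors_after_undo"] = chan.passes("aaa", "log", "errors")
    return results


if __name__ == "__main__":
    for name, sent in demo().items():
        print(f"{name:28} {'sent' if sent else 'dropped'}")
```

With the level set to emergencies, AAA log information at the Errors level no longer reaches the channel, so check the threshold against the events you need before lowering it.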

1.5.36 info-center timestamp

Function
Using the info-center timestamp command, you can set the time stamp format in the output
debugging, alarm or log information.

Using the undo info-center timestamp command, you can restore the default format.

Format
info-center timestamp { trap | debugging | log } { boot | date | none }

undo info-center timestamp { trap | debugging | log }

Parameters
trap: indicates the alarm information.

debugging: indicates the debugging information.

log: indicates the log information.

boot: indicates the time passed since the system starts. It is a relative time period. The format is
xxxxxx.yyyyyy. xxxxxx is the high 32 bits of the milliseconds passed since the system starts
while yyyyyy is the low 32 bits of the milliseconds passed since the system starts.

date: indicates the current date and time in the system. Its format is yyyy/mm/dd-hh:mm:ss in
Chinese environment and is mm/dd/yyyy-hh:mm:ss in English environment.

none: indicates that the output information contains no time stamp.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the date time stamp is used in the alarm and log information, and the boot time stamp
is used in the debugging information.
When date is used, the following table describes each field.

Table 1-29 Description of date

Field | Description | Value
yyyy | Year | Four numbers.
mm | Month | Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.
dd | Day | If the day is before 10, insert a space before the day. For example, " 7".
hh:mm:ss | Detailed local time | hh is in 24-hour format. mm and ss are in the range of 00 to 59.

Examples
# Set the time stamp format of alarm information as boot.
<Eudemon> system-view
[Eudemon] info-center timestamp trap boot

1.5.37 info-center trapbuffer

Function
Using the info-center trapbuffer command, you can enable the alarm buffer, set the channel
for outputting the alarm information and set the size of the alarm buffer.
Using the undo info-center trapbuffer command, you can cancel the current configuration.

Format
info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ] *
undo info-center trapbuffer [ channel | size ]

Parameters
channel: sets the channel for outputting information to the alarm buffer.
channel-number: sets the channel number, in the range of 0 to 9. That is, the system has 10
channels.

channel-name: sets the channel name.
size buffersize: sets the size of the alarm buffer (the number of messages in the buffer). The
value is in the range of 0 to 1024.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, information is allowed to be output to the alarm buffer. The size of the alarm buffer is 256.
This command takes effect only when the information center is started up.
By setting the size of the logging buffer, you can control the output information in this direction.

Examples
# Enable the firewall to send information to the alarm buffer and set the size of the alarm buffer
to 30.
<Eudemon> system-view
[Eudemon] info-center trapbuffer size 30

Related Topics
1.5.29 info-center enable
1.5.15 display info-center

1.5.38 patch

Function
Using the patch command, you can set the status of firewall patches.

Format
patch load
patch { active | deactive | delete | run } patch-number

Parameters
active: activates the patch.
deactive: deactivates the patch.
delete: deletes a specific patch.
load: uploads a patch.

run: runs a patch.
patch-number: specifies the number of the patch. It ranges from 1 to 200. At present, only 1 is
supported.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Activate firewall patches.
<Eudemon> system-view
[Eudemon] patch active 1

1.5.39 ping

Function
Using the ping command, you can check the availability of IP network connection and host.

Format
ping [ -a source-ip-address | -c count | -d | -h ttl_value | -i { interface-type interface-number }
| ip | -n | -p pattern | -q | -r | -s packetsize | -t timeout | -tos tos | -v
| -vpn-instance vpn-instance-name ] * host

Parameters
-a source-ip-address: sets the source IP address for sending the ICMP ECHO-REQUEST packet.
-c count: indicates the number of ICMP ECHO-REQUEST packet transmission events. The
value is in the range of 1 to 4294967295.
-d: sets socket as DEBUG mode.
-h ttl_value: sets the value of TTL. The value is in the range of 1 to 255.
-i interface-type interface-number: sets the interface for sending ICMP ECHO-REQUEST
packets.
-n: uses the host parameters directly as IP address without domain name resolution.
-p pattern: indicates the filling byte of ICMP ECHO-REQUEST packet in hexadecimal format,
with the value ranging from 0 to FFFFFFFF. For example, -p ff fills the entire packet as ff.
-q: displays no other specific information except statistics.

-r: records routes.
-s packetsize: specifies the length of the ECHO-REQUEST packet (excluding IP and ICMP
headers) in bytes, ranging from 20 to 8100.
-t timeout: specifies the time-out in milliseconds for waiting for ECHO-RESPONSE upon
completion of sending ECHO-REQUEST, ranging from 0 to 65535.
-tos tos: specifies the ToS value of the outgoing ECHO-REQUEST packets, ranging
from 0 to 255.
-v: displays the received non-ECHO-RESPONSE packets. By default, non-ECHO-RESPONSE
packets are not displayed.
-vpn-instance vpn-instance-name: indicates the VPN instance name. It is a string of 1 to 19
characters.
host: specifies the domain name or the IP address of the destination host.
ip: indicates the IP protocol.

Views
All views

Default Level
0: Visit level

Usage Guidelines
If the above parameters are not specified:
- count is set to 5.
- The socket is not set to DEBUG mode.
- host is first treated as an IP address; if it is not an IP address, the system performs domain
  name resolution.
- pattern starts with 0x01 and ends with 0x09, and is then repeated.
- No routing is recorded.
- All information (including statistics) is displayed.
- packetsize is set to 56.
- timeout is set to 2000.
- ICMP packets other than ECHO-RESPONSE packets are not displayed.
- No vpn-instance parameter is configured.

The ping process is as follows: the source first sends an ICMP ECHO-REQUEST packet to the
destination; if the destination network operates normally, the destination host returns an
ICMP ECHO-REPLY packet to the source host after receiving the ICMP ECHO-REQUEST packet.
You can use the ping command to test the network connection and line quality. Its output
information includes:
- The response of the destination to each ECHO-REQUEST packet. If the source does not receive
  the response packet within the timeout, the system prompts "Request time out." Otherwise, the
  system displays the bytes of the response packet, the sequence number of the packet, the TTL,
  the response time, and so on.
- The final statistics, including the number of sent packets, the number of received response
  packets, the percentage of non-response packets, and the minimum, maximum, and average values
  of the response time.
If the network transmission speed is slow, you can appropriately increase the timeout.

Examples
# Check whether the host with the IP address 10.1.1.2 is reachable.
<Eudemon> ping 10.1.1.2
ping 10.1.1.2 : 56 data bytes , press CTRL-C to break
Reply from 10.1.1.2 : bytes=56 sequence=1 ttl=255 time = 1ms
Reply from 10.1.1.2 : bytes=56 sequence=2 ttl=255 time = 2ms
Reply from 10.1.1.2 : bytes=56 sequence=3 ttl=255 time = 1ms
Reply from 10.1.1.2 : bytes=56 sequence=4 ttl=255 time = 3ms
Reply from 10.1.1.2 : bytes=56 sequence=5 ttl=255 time = 2ms
--10.1.1.2 ping statistics--
5 packets transmitted
5 packets received
0% packet loss
round-trip min/avg/max = 1/2/3 ms

Table 1-30 Description of the ping command output

Item | Description
ping x.x.x.x | IP address of the destination host.
x data bytes | Length of the sent ECHO-REQUEST packets.
press CTRL-C to break | Press CTRL + C to terminate the ping test.
Reply from x.x.x.x | Describes the packets sent by the destination host in response to the ECHO-REQUEST packets, including: bytes (the length of the response packets), sequence (the sequence number of the response packets), ttl (the TTL value of the response packets) and time (the response time, in milliseconds). If no response packet is received within the timeout time, "Request time out" is displayed.
x.x.x.x ping statistics | Indicates the statistics about the result of pinging. It includes: packets transmitted (the number of the sent ECHO-REQUEST packets), packets received (the number of the received ECHO-REQUEST packets), % packet loss (the percentage of the packets without response) and round-trip min/avg/max (the minimum, average and maximum response time).

Related Topics
1.5.51 tracert

1.5.40 reset firewall log-buf

Function
Using the reset firewall log-buf command, you can reset the log buffer.

Format
reset firewall log-buf { session | defend | statistic }

Parameters
session: resets traffic log buffer.

defend: resets attack-defense log buffer.

statistic: resets traffic monitoring log buffer.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
If the contents in the log buffer are cleared, they cannot be restored.

Examples
# Reset the traffic log buffer.
<Eudemon> reset firewall log-buf session

1.5.41 reset firewall packet-capture

Function
Using the reset firewall packet-capture command, you can clear up all queues or a specified
queue.

Format
reset firewall packet-capture { all | queue queue-id }

Parameters
all: clears up all queues.
queue queue-id: specifies the ID of the queue to be cleared up. It ranges from 0 to 4.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Clear up queue 2.
<Eudemon> reset firewall packet-capture queue 2

Related Topics
1.5.23 firewall packet-capture send queue

1.5.42 reset logbuffer

Function
Using the reset logbuffer command, you can clear the information in the log buffer.

Format
reset logbuffer

Parameters
None

Views
User view

Default Level
3: Management level

Usage Guidelines
None

Examples
# Clear the information in the log buffer.
<Eudemon> reset logbuffer

Related Topics
1.5.16 display logbuffer

1.5.43 reset trapbuffer

Function
Using the reset trapbuffer command, you can clear the information in the alarm buffer.

Format
reset trapbuffer

Parameters
None

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Clear the information in the alarm buffer.
<Eudemon> reset trapbuffer

Related Topics
1.5.19 display trapbuffer

1.5.44 service modem-callback

Function
Using the service modem-callback command, you can enable Callback.
Using the undo service modem-callback command, you can disable Callback.

Format
service modem-callback
undo service modem-callback

Parameters
None

Views
System view

Default Level
3: Management level

Usage Guidelines
By default, Callback is disabled.

Examples
# Enable Callback.
<Eudemon> system-view
[Eudemon] service modem-callback

1.5.45 session log enable

Function
Using the session log enable command, you can enable recording of inter-zone traffic logs. If
you set the parameter acl-number, the system records traffic logs of the specified ACL.
Otherwise, the system records logs of all inter-zone traffic.
Using the undo session log enable command, you can disable recording of any inter-zone traffic
log.

Format
session log enable [ acl-number acl-number ]
undo session log enable [ acl-number acl-number ]

Parameters
acl-number: specifies an ACL number in a range of 2000 to 3999.

Views
Inter-zone view

Default Level
2: Configuration level

Usage Guidelines
By default, the system does not record inter-zone traffic logs.

Examples
# Enable recording of the traffic log of ACL 3100 between zones Trust and Untrust.
<Eudemon> system-view
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] session log enable acl-number 3100

# Disable recording of traffic logs between zones Trust and Untrust.
[Eudemon-interzone-trust-untrust] undo session log enable
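
The logging commands in this chapter interact through their defaults: no log host is configured by default, inter-zone traffic logs are off by default, and the info-center output commands take effect only while the information center is enabled. The following added example (not code from the manual or from Huawei) replays a constructed command transcript, written with the prompts used in the examples above, and reports the resulting gaps; the finding codes and the zone name dmz are made up for the illustration.

```python
import re

# Prompts as they appear in the page's examples: [Eudemon] or [Eudemon-<view>].
PROMPT = re.compile(r"^\[Eudemon(?:-(?P<view>[^\]]+))?\]\s*(?P<cmd>\S.*)$")
MAX_LOGHOSTS = 4  # "At most, the system has 4 log hosts."

# Constructed transcript; the zone name "dmz" is made up for the example.
SAMPLE = """\
<Eudemon> system-view
[Eudemon] info-center loghost 202.38.160.1
[Eudemon] info-center timestamp log none
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] session log enable acl-number 3100
[Eudemon-interzone-trust-untrust] quit
[Eudemon] firewall interzone trust dmz
[Eudemon-interzone-trust-dmz] quit
[Eudemon] undo info-center enable
"""


def replay(transcript):
    """Replay typed commands on top of the defaults stated on the page."""
    state = {
        "info_center": True,      # information center is enabled by default
        "loghosts": [],           # nothing goes to a log host by default
        "loghost_source": None,   # default: address of the outgoing interface
        "log_timestamp": "date",  # default time stamp for log information
        "session_log": {},        # interzone view -> None, "all" or ACL number
    }
    for line in transcript.splitlines():
        match = PROMPT.match(line.strip())
        if not match:
            continue  # user-view prompts, device output, blank lines
        view = match.group("view") or ""
        cmd = match.group("cmd").split()
        undo = cmd[0] == "undo"
        if undo:
            cmd = cmd[1:]
        if cmd == ["info-center", "enable"]:
            state["info_center"] = not undo
        elif cmd[:3] == ["info-center", "loghost", "source"]:
            state["loghost_source"] = None if undo else " ".join(cmd[3:])
        elif cmd[:2] == ["info-center", "loghost"] and len(cmd) > 2:
            hosts = state["loghosts"]
            if undo and cmd[2] in hosts:
                hosts.remove(cmd[2])
            elif not undo and cmd[2] not in hosts:
                hosts.append(cmd[2])
        elif cmd[:3] == ["info-center", "timestamp", "log"] and (undo or len(cmd) == 4):
            state["log_timestamp"] = "date" if undo else cmd[3]
        elif cmd[:2] == ["firewall", "interzone"] and len(cmd) == 4 and not undo:
            key = "interzone-%s-%s" % (cmd[2], cmd[3])
            state["session_log"].setdefault(key, None)  # off until enabled
        elif view.startswith("interzone-") and cmd[:3] == ["session", "log", "enable"]:
            if undo:
                state["session_log"][view] = None
            elif len(cmd) == 5 and cmd[3] == "acl-number":
                state["session_log"][view] = cmd[4]
            else:
                state["session_log"][view] = "all"
    return state


def audit(transcript):
    """Return (code, message) findings for the replayed logging setup."""
    s = replay(transcript)
    findings = []
    if not s["info_center"]:
        findings.append(("INFO_CENTER_OFF",
                         "information center disabled; info-center output "
                         "commands only take effect when it is enabled"))
    if not s["loghosts"]:
        findings.append(("NO_LOGHOST", "no log host configured"))
    elif len(s["loghosts"]) > MAX_LOGHOSTS:
        findings.append(("TOO_MANY_LOGHOSTS",
                         "more log hosts typed than the 4 the system has"))
    if s["loghosts"] and s["loghost_source"] is None:
        findings.append(("NO_LOGHOST_SOURCE",
                         "no source interface set; firewalls sharing a log "
                         "host are harder to tell apart"))
    if s["log_timestamp"] == "none":
        findings.append(("NO_LOG_TIMESTAMP", "log information has no time stamp"))
    for view, mode in sorted(s["session_log"].items()):
        if mode is None:
            findings.append(("SESSION_LOG_OFF", view + ": no traffic log"))
        elif mode != "all":
            findings.append(("SESSION_LOG_ACL_ONLY",
                             view + ": only ACL " + mode + " traffic is logged"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE):
        print(code + ": " + message)
```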

1.5.46 schedule reboot

Function
Using the schedule reboot command, you can enable the scheduled restart of a firewall and set
either the time at which the firewall restarts or the time for the firewall to wait before it restarts.
Using the undo schedule reboot command, you can disable the scheduled restart function.

Format
schedule reboot { at exact-time | delay interval }
undo schedule reboot

Parameters
at: sets the time at which a firewall restarts.
exact-time: specifies the time at which a firewall restarts. The format is hh:mm YYYY/MM/DD.
The value of hh ranges from 0 to 23, and the value of mm ranges from 0 to 59. YYYY/MM/DD is
optional.
delay: sets the time for a firewall to wait to restart.
interval: specifies the delay for a firewall to restart. The format is hhh:mm or mmm. The value
of hhh ranges from 0 to 720, the value of mm ranges from 0 to 59, and the value of mmm ranges
from 0 to 43200.

Views
User view

Default Level
3: Management level

Usage Guidelines
By default, the schedule restart function is disabled on the firewall.

If the schedule reboot at command is used with a specific date parameter (yyyy/mm/dd) and
the date is a future date, the firewall restarts at the set time, with an error within 1 minute.

If no specific date is set, the following situations occur:

- If the set time is after the current time, the firewall restarts at this time that day.
- If the set time is before the current time, the firewall restarts at this time the next day.

Note: The interval between the set date and the current date cannot be greater than 30 days. In
addition, after this command is used, the system prompts you to confirm the input information.
The setting takes effect only after you enter "Y" or "y". If a related setting already exists, the
current setting overwrites the old one.

If the clock command is used to adjust the system time after the schedule reboot command has
been used, the parameters set by the schedule reboot command become invalid.

Examples
# Configure a firewall to restart at 22:00 if the current time is 15:50.
<Eudemon> schedule reboot at 22:00
Reboot system at 22:00:00 2000/04/02(in 19 hours and 22 minutes)
confirm?[Y/N]:y

Related Topics
1.5.18 display schedule reboot

1.5.47 terminal debugging

Function
Using the terminal debugging command, you can enable the terminal debugging.

Using the undo terminal debugging command, you can disable the function.

Format
terminal debugging

undo terminal debugging

Parameters
None

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, the terminal debugging is disabled.

Examples
# Enable the terminal debugging.
<Eudemon> terminal debugging

Related Topics
1.5.49 terminal monitor

1.5.48 terminal logging

Function
Using the terminal logging command, you can enable the terminal log information.

Using the undo terminal logging command, you can disable the terminal log information.

Format
terminal logging

undo terminal logging

Parameters
None

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, the terminal log information is enabled.

Examples
# Disable the terminal log information.
<Eudemon> undo terminal logging


Related Topics
1.5.49 terminal monitor

1.5.49 terminal monitor

Function
Using the terminal monitor command, you can enable the terminal monitor function.

Using the undo terminal monitor command, you can cancel the configuration.

Format
terminal monitor

undo terminal monitor

Parameters
None

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, the terminal monitor information is disabled but the console monitor is enabled.

This command affects only the terminal on which it is entered.

When terminal monitor is disabled, the effect is the same as running the undo terminal debugging, undo terminal logging and undo terminal trapping commands; that is, no debugging, log or alarm information is displayed on the local terminal.

When terminal monitor is enabled, you can use the terminal debugging/undo terminal debugging, terminal logging/undo terminal logging, or terminal trapping/undo terminal trapping command to enable or disable the display of debugging, log or alarm information.

Examples
# Disable the terminal monitor function.
<Eudemon> undo terminal monitor

1.5.50 terminal trapping


Function
Using the terminal trapping command, you can enable displaying the terminal alarm
information.
Using the undo terminal trapping command, you can disable displaying the terminal alarm
information.

Format
terminal trapping
undo terminal trapping

Parameters
None

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, displaying the terminal alarm information is enabled.

Examples
# Disable displaying the terminal alarm information.
<Eudemon> undo terminal trapping

1.5.51 tracert

Function
Using the tracert command, you can trace the gateways that a datagram passes through from the sending host to the destination. This command is mainly used to check whether the network connection is reachable and to locate failures that have occurred in the network.

Format
tracert [ -a source-ip-address | -f first_TTL | -m max_TTL | -p port | -q nqueries | -vpn-instance vpn-instance-name | -w timeout ] * host

Parameters
-a source-ip-address : indicates the source address of the packets configured for the current
tracert command. It is in dotted decimal notation and should be the address of a local interface.


-f first_TTL: indicates the initial TTL. It ranges from 1 to max_TTL. By default, it is 1.
-m max_TTL: indicates the maximum TTL. It ranges from first_TTL to 255. By default, it is 255.
-p port: indicates the port number of the destination host. The value ranges from 0 to 65535. By default, it is 33434.
-q nqueries: indicates the number of tracert packets sent each time. The value ranges from 1 to 65535. By default, it is 3.
-vpn-instance vpn-instance-name: specifies the name of the VPN instance that the tracert destination host belongs to. It is a string of 1 to 19 characters.
-w timeout: indicates the time to wait for response packets, in milliseconds. It ranges from 0 to 65535. By default, it is 5000 milliseconds.
host: specifies the domain name or the IP address of the destination host.

Views
All views

Default Level
0: Visit level

Usage Guidelines
The tracert process is as follows: the source first sends a packet with a TTL of 1, so hop 1 discards it and returns an ICMP error message indicating that the TTL timed out. The source then resends the packet with a TTL of 2, hop 2 likewise returns a TTL timeout message, and the process continues until the packet reaches the destination. By recording the source address of each ICMP TTL timeout message, tracert obtains the route along which an IP packet travels to the destination.
The ping command is used to detect network failures while the tracert command is used to locate network failures.
The output of the tracert command contains the IP addresses of all gateways that the packet passes through on the way to the destination. If a gateway times out, " * * * " is displayed.

Examples
# Display the gateways along the path from the local host to 18.26.0.115.
<Eudemon> tracert 18.26.0.115
tracert to allspice.lcs.mit.edu (18.26.0.115), 30 hops max
1 helios.ee.lbl.gov (128.3.112.1) 0 ms 0 ms 0 ms
2 lilac-dmc.Berkeley.EDU (128.32.216.1) 19 ms 19 ms 19 ms
3 lilac-dmc.Berkeley.EDU (128.32.216.1) 39 ms 19 ms 19 ms
4 ccngw-ner-cc.Berkeley.EDU (128.32.136.23) 19 ms 39 ms 39 ms
5 ccn-nerif22.Berkeley.EDU (128.32.168.22) 20 ms 39 ms 39 ms
6 128.32.197.4 (128.32.197.4) 59 ms 119 ms 39 ms
7 131.119.2.5 (131.119.2.5) 59 ms 59 ms 39 ms
8 129.140.70.13 (129.140.70.13) 80 ms 79 ms 99 ms
9 129.140.71.6 (129.140.71.6) 139 ms 139 ms 159 ms
10 129.140.81.7 (129.140.81.7) 199 ms 180 ms 300 ms
11 129.140.72.17 (129.140.72.17) 300 ms 239 ms 239 ms
12 * * *
13 128.121.54.72 (128.121.54.72) 259 ms 499 ms 279 ms
14 * * *
15 * * *
16 * * *
17 * * *
18 ALLSPICE.LCS.MIT.EDU (18.26.0.115) 339 ms 279 ms 279 ms
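
The following Python sketch is an added example, not part of the Huawei manual. It parses hops 10 to 18 of the output above and separates " * * * " hops that still forwarded the probe (a later hop answered) from an unanswered tail, which is where a failure would be located; the function names are this example's own.

```python
import re

# Hops 10-18 of the tracert output shown in the example above.
SAMPLE_TRACERT = """\
tracert to allspice.lcs.mit.edu (18.26.0.115), 30 hops max
10 129.140.81.7 (129.140.81.7) 199 ms 180 ms 300 ms
11 129.140.72.17 (129.140.72.17) 300 ms 239 ms 239 ms
12 * * *
13 128.121.54.72 (128.121.54.72) 259 ms 499 ms 279 ms
14 * * *
15 * * *
16 * * *
17 * * *
18 ALLSPICE.LCS.MIT.EDU (18.26.0.115) 339 ms 279 ms 279 ms
"""

HEADER_RE = re.compile(r"^tracert to \S+ \((?P<ip>[\d.]+)\), (?P<max>\d+) hops max")
HOP_RE = re.compile(r"^\s*(?P<ttl>\d+)\s+(?P<rest>\S.*)$")
GATEWAY_RE = re.compile(r"^\S+ \((?P<ip>[\d.]+)\)\s*(?P<probes>.*)$")
RTT_RE = re.compile(r"(\d+) ms")


def parse_tracert(text):
    """Return (destination_ip, hops). A hop is {'ttl', 'ip', 'rtts'}; ip is None for '* * *'."""
    dest, hops = None, []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            dest = header.group("ip")
            continue
        hop = HOP_RE.match(line)
        if not hop:
            continue  # blank line or unrelated text
        ttl = int(hop.group("ttl"))
        gateway = GATEWAY_RE.match(hop.group("rest"))
        if gateway:
            rtts = [int(v) for v in RTT_RE.findall(gateway.group("probes"))]
            hops.append({"ttl": ttl, "ip": gateway.group("ip"), "rtts": rtts})
        else:
            # No ICMP TTL timeout message came back for this TTL value.
            hops.append({"ttl": ttl, "ip": None, "rtts": []})
    return dest, hops


def classify(text):
    """Summarize a trace: was the destination reached, and which hops stayed silent."""
    dest, hops = parse_tracert(text)
    answered = [h for h in hops if h["ip"] is not None]
    last_answer = answered[-1]["ttl"] if answered else 0
    silent = [h["ttl"] for h in hops if h["ip"] is None]
    return {
        "reached": bool(answered) and answered[-1]["ip"] == dest,
        # A later hop answered, so these gateways forwarded the probe
        # and only withheld the ICMP reply.
        "silent_but_forwarding": [t for t in silent if t < last_answer],
        # Nothing answered beyond this point: start fault location here.
        "unanswered_tail": [t for t in silent if t > last_answer],
        "worst_rtt_ms": max((max(h["rtts"]) for h in answered if h["rtts"]), default=None),
    }


if __name__ == "__main__":
    print(classify(SAMPLE_TRACERT))
```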

Related Topics
1.5.39 ping

1.6 Web Management Commands

1.6.1 debugging ssl
1.6.2 debugging web-manager
1.6.3 display web-manager
1.6.4 web-manager
1.6.5 reset web-manager statistics

1.6.1 debugging ssl

Function
Using the debugging ssl command, you can enable the SSL debugging function.

Using the undo debugging ssl command, you can disable the SSL debugging function.

Format
debugging ssl { all | event | handshake | warnning }

undo debugging ssl { all | event | handshake | warnning }

Parameters
all: indicates all the SSL debugging functions.

event: indicates the SSL event debugging functions.

handshake: indicates the SSL handshake debugging functions.

warning: indicates the SSL alarm debugging functions.

Views
User view

Default Level
1: Monitoring level


Usage Guidelines
By default, the SSL debugging function is disabled.

Examples
# Enable all the debugging functions of the SSL.
<Eudemon> debugging ssl all
11:58:57 05-26-2008

Related Topics
1.6.4 web-manager

1.6.2 debugging web-manager

Function
Using the debugging web-manager command, you can enable the debugging function of the
Web server.

Using the undo debugging web-manager command, you can disable the debugging function
of the Web server.

Format
debugging web-manager { all | config-process | event | info-process }

undo debugging web-manager { all | config-process | event | info-process }

Parameters
all: indicates all the debugging functions of the Web server.

config-process: indicates the configuration debugging function of the Web server.

event: indicates the event debugging function of the Web server.

info-process: indicates the query debugging function of the Web server.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, the debugging function of the Web server is disabled.


Examples
# Enable all the debugging functions of the Web server.
<Eudemon> debugging web-manager all

Related Topics
1.6.4 web-manager

1.6.3 display web-manager

Function
Using the display web-manager command, you can display the relevant information of the Web
server.

Format
display web-manager { configuration | statistics | users }

Parameters
configuration: displays the basic configuration of the Web server.
statistics: displays the statistics information of the Web server.
users: displays the online user information of the Web server.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the basic configuration information of the Web server.
<Eudemon> display web-manager configuration
Httpd server is enable.
rootdir is FLASH:/web/.
default file name is /home.html.
HTTP port is 80.

Httpd security server is enable.
rootdir is FLASH:/web/.
default file name is /home.html.
HTTP port is 443.

11:43:33 05-26-2008


# Display the statistics information of the Web server.
<Eudemon> display web-manager statistics
HTTP Statistics:
RecvAll :4472
RecvHttpMsg :703
RecvHttpAcceptMsg :13
RecvHttpReadMsg :301
RecvHttpWriteMsg :363
RecvHttpCloseMsg :0
RecvHttpPeerCloseMsg :13
RecvHttpErrMsg :0
RecvMsgErr :0
SndAll :0
SndHttpHeader :0
AcceptErr :0
RecvHttpErr :301
SndErr :0
MemAllocErr :0
CloseByCheckSockTimeout :0
HttpTooLarge :0
11:44:11 05-26-2008

# Display the online user information of the Web server.
<Eudemon> display web-manager users
Username CurOnline SockNum
-------------------------------------------------------
user1 1 0
user2 1 0
-------------------------------------------------------
Total online web users: 2
Total SockNum: 4, SessionNum: 2
-------------------------------------------------------
----------detail users info----------------------------
UserName Level UserIp LoginTime
-------------------------------------------------------
user1 1 20.20.20.87 2015/09/04 20:35:06
user2 3 20.20.20.87 2015/09/04 20:34:12
---------End------------------------------------------
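
The following Python sketch is an added example, not part of the Huawei manual. It parses the display web-manager configuration and display web-manager users output shown above to report a plain HTTP management listener and to list Web sessions at or above a given user level; the function names are this example's own, and it assumes that a disabled listener is either absent from the output or reports a state other than "enable".

```python
import re

# Output copied from the display examples above.
CONFIG_OUTPUT = """\
Httpd server is enable.
rootdir is FLASH:/web/.
default file name is /home.html.
HTTP port is 80.

Httpd security server is enable.
rootdir is FLASH:/web/.
default file name is /home.html.
HTTP port is 443.
"""

USERS_OUTPUT = """\
Username CurOnline SockNum
-------------------------------------------------------
user1 1 0
user2 1 0
-------------------------------------------------------
Total online web users: 2
Total SockNum: 4, SessionNum: 2
-------------------------------------------------------
----------detail users info----------------------------
UserName Level UserIp LoginTime
-------------------------------------------------------
user1 1 20.20.20.87 2015/09/04 20:35:06
user2 3 20.20.20.87 2015/09/04 20:34:12
---------End------------------------------------------
"""

SERVER_RE = re.compile(r"^Httpd (security )?server is (\w+)\.$")
PORT_RE = re.compile(r"^HTTP port is (\d+)\.$")
USER_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)$"
)


def parse_listeners(text):
    """Return one dict per listener block: {'tls', 'enabled', 'port'}."""
    listeners = []
    for raw in text.splitlines():
        line = raw.strip()
        server = SERVER_RE.match(line)
        if server:
            listeners.append({
                "tls": server.group(1) is not None,   # "security" means HTTPS
                "enabled": server.group(2) == "enable",
                "port": None,
            })
            continue
        port = PORT_RE.match(line)
        if port and listeners:
            listeners[-1]["port"] = int(port.group(1))
    return listeners


def audit_listeners(text):
    """Report each enabled plain HTTP listener and the HTTPS ports available instead."""
    listeners = parse_listeners(text)
    https_ports = [l["port"] for l in listeners if l["enabled"] and l["tls"]]
    return [
        {"port": l["port"], "https_ports": https_ports}
        for l in listeners
        if l["enabled"] and not l["tls"]
    ]


def privileged_sessions(text, min_level=2):
    """Return Web sessions from the detail table whose user level is >= min_level."""
    sessions = []
    for raw in text.splitlines():
        row = USER_RE.match(raw.strip())
        if row and int(row.group(2)) >= min_level:
            sessions.append({
                "user": row.group(1),
                "level": int(row.group(2)),
                "ip": row.group(3),
                "login": row.group(4),
            })
    return sessions


if __name__ == "__main__":
    for finding in audit_listeners(CONFIG_OUTPUT):
        print("plain HTTP management on port", finding["port"],
              "- HTTPS available on", finding["https_ports"],
              "- consider: undo web-manager enable")
    print(privileged_sessions(USERS_OUTPUT))
```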

Related Topics
1.6.4 web-manager

1.6.4 web-manager

Function
Using the web-manager command, you can enable the Web server function.
Using the undo web-manager command, you can disable the Web server function.

Format
web-manager [ security ] enable [ port port-number ]
undo web-manager [ security ] enable [ port port-number ]

Parameters
security: indicates the type of packets exchanged between the Web browser and the Web server.
- The keyword security is not specified.
  The packets exchanged between the Web browser and the Web server are HTTP packets. The default port number is 80.
- The keyword security is specified.
  The packets exchanged between the Web browser and the Web server are HTTPS packets. The default port number is 443.
port-number: specifies the number of the listening port of the Web management server.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Enable the Web server function.
<Eudemon> system-view
[Eudemon] web-manager security enable
The web server enable command has been sent!
Enable http security-server successfully !
11:38:23 05-26-2008

# Disable the Web server function.
<Eudemon> system-view
[Eudemon] undo web-manager security enable
The web server disable command has been sent!
Disable http security-server successfully !
11:41:49 05-26-2008

Related Topics
1.6.3 display web-manager

1.6.5 reset web-manager statistics

Function
Using the reset web-manager statistics command, you can clear the statistics of the Web server.

Format
reset web-manager statistics

Parameters
None


Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Clear the statistics of the Web server.
<Eudemon> reset web-manager statistics

Related Topics
1.6.4 web-manager

1.7 NTP Configuration Commands

1.7.1 debugging ntp-service
1.7.2 display ntp-service sessions
1.7.3 display ntp-service status
1.7.4 display ntp-service trace
1.7.5 ntp-service access
1.7.6 ntp-service authentication enable
1.7.7 ntp-service authentication-keyid
1.7.8 ntp-service broadcast-client
1.7.9 ntp-service broadcast-server
1.7.10 ntp-service in-interface disable
1.7.11 ntp-service max-dynamic-sessions
1.7.12 ntp-service multicast-client
1.7.13 ntp-service multicast-server
1.7.14 ntp-service refclock-master
1.7.15 ntp-service reliable authentication-keyid
1.7.16 ntp-service source-interface
1.7.17 ntp-service unicast-peer
1.7.18 ntp-service unicast-server


1.7.1 debugging ntp-service

Function
Using the debugging ntp-service command, you can enable debugging switches of NTP service.

Using the undo debugging ntp-service command, you can disable the relevant debugging
switch.

Format
debugging ntp-service { access | adjustment | authentication | event | filter | packet |
parameter | refclock | selection | synchronization | validity | all }

undo debugging ntp-service { access | adjustment | authentication | event | filter | packet |
parameter | refclock | selection | synchronization | validity | all }

Parameters
access: refers to the NTP access debugging switch.

adjustment: refers to the NTP clock adjustment debugging switch.

all: refers to all NTP debugging switches.

authentication: refers to the NTP identity authentication debugging switch.

event: refers to the NTP event debugging switch.

filter: refers to the NTP filter debugging switch.

packet: refers to the NTP packet debugging switch.

parameter: refers to the NTP clock parameter debugging switch.

refclock: refers to the NTP reference clock debugging switch.

selection: refers to the NTP clock selection debugging switch.

synchronization: refers to the NTP clock synchronization debugging switch.

validity: refers to the NTP validity debugging switch.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, all debugging switches are disabled.


Examples
# Enable the NTP access debugging switch.
<Eudemon> debugging ntp-service access

1.7.2 display ntp-service sessions

Function
Using the display ntp-service sessions command, you can display the status of all the sessions
maintained by the local NTP.

Format
display ntp-service sessions [ verbose ]

Parameters
verbose: displays the details of the NTP session. If verbose is not specified, the summary NTP
session is displayed.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the NTP sessions maintained by the local NTP.
<Eudemon> display ntp-service sessions
source reference stra reach poll now offset delay disper
********************************************************************************
[12345]3.2.2.1 LOCAL(0) 2 3 64 19 0.0 16.5 0.5
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured

1.7.3 display ntp-service status

Function
Using the display ntp-service status command, you can display the status of NTP.

Format
display ntp-service status


Parameters
None

Default Level
1: Monitoring level

Usage Guidelines
The displayed NTP status shows the synchronization state and the clock stratum of the current node.

Examples
# Display the status of NTP.
<Eudemon> display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 3.2.2.1
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 0.0065 ms
root delay: 16.50 ms
root dispersion: 1.07 ms
peer dispersion: 0.00 ms
reference time: 18:30:22.878 UTC Jun 28 2008(CC1101BE.E0FD4BF0)

Table 1-31 Description of the display ntp-service status command output

Item                  Description
clock status:         Clock status
                      - Synchronized: indicates that the local system is synchronized with another NTP server or a reference clock.
                      - Unsynchronized: indicates that the local system is not synchronized with any NTP server.
clock stratum:        Stratum of the local system clock
reference clock ID:   Reference clock
                      - If the local system clock has been synchronized with another remote NTP server or a reference clock, this field displays the identifier of the remote NTP server or reference clock.
                      - If the local system clock acts as a reference clock, this field displays "Local".
nominal frequency:    Nominal frequency of the local system clock
actual frequency:     Actual frequency of the local system clock
clock precision:      Precision of the local system clock
clock offset:         Offset between the local system clock and the NTP server
root delay:           Total delay between the local system clock and the primary reference clock
root dispersion:      Dispersion between the local system clock and the primary reference clock
peer dispersion:      Dispersion between the local system clock and the remote NTP peer
reference time:       Reference timestamp

1.7.4 display ntp-service trace

Function
Using the display ntp-service trace command, you can display the summary of each NTP time
server when you trace the reference clock source from the local device.

Format
display ntp-service trace

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
This command displays the summary of each NTP server on the chain of time synchronization servers that leads from the local device back to the reference clock source.

Examples
# Display the summary of each NTP time server when you trace the reference clock source from
the local device.
<Eudemon> display ntp-service trace
server 127.0.0.1,stratum 3, offset 101856.432708, synch distance 0.00861
server 3.2.2.1,stratum 2, offset 0.005142, synch distance 0.00000
refid 127.127.1.0


Table 1-32 Description of the display ntp-service trace command output

Item            Description
server          IP address of the NTP server
stratum         Stratum of the associated local clock source
offset          Offset to the upper stratum clock source
synch distance  Synchronization distance to the upper-level clock source. This parameter evaluates and describes the clock source, and NTP chooses the closest clock source.
refid           Reference clock source

1.7.5 ntp-service access

Function
Using the ntp-service access command, you can set the access control authority of the local
NTP.

Using the undo ntp-service access command, you can cancel the configured access control
authority.

Format
ntp-service access { query | synchronization | server | peer } acl-number

undo ntp-service access { query | synchronization | server | peer }

Parameters
query: sets the maximum access limitation. Only control queries can be performed on the local NTP service.

synchronization: permits server access only. Only time requests can be performed on the local NTP service.

server: permits server access and query. Both time requests and control queries can be performed on the local NTP service, but the local clock cannot be synchronized to the remote server.

peer: sets full access authority. Both time requests and control queries can be performed on the local NTP service, and the local clock can be synchronized to the remote server.

acl-number: specifies the IP address access list number. The value is in the range of 2000 to
2999.

Views
System view


Default Level
2: Configuration level

Usage Guidelines
By default, no access authority is set.

Compared with NTP authentication, ntp-service access is a simpler way to assure network security. When it receives an access request, the NTP server matches the request against peer, server, synchronization and query in that order, that is, from the minimum access restriction to the maximum access restriction.

Based on the access limitation to be implemented, configure this command accordingly.

Table 1-33 Description of the NTP access authority

NTP Operation Mode                 Restricted NTP Query                               Supported Devices
Unicast NTP server or client mode  Synchronizing the client with the server           Client
Unicast NTP server or client mode  Clock synchronization request from the client      Server
NTP peer mode                      Clock synchronization with each other              Symmetric active end
NTP peer mode                      Clock synchronization request from the active end  Symmetric passive end
NTP multicast mode                 Synchronizing the client with the server           NTP multicast client
NTP broadcast mode                 Synchronizing the client with the server           NTP broadcast client

Examples
# Enable the peer in ACL 2000 to perform time request, query control and time synchronization
on the local device.
<Eudemon> system-view
[Eudemon] ntp-service access peer 2000

# Enable the peer in ACL 2002 to perform time request, query control on the local device.
[Eudemon] ntp-service access synchronization 2002
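
The following Python sketch is an added example, not part of the Huawei manual. It models the match order from the Usage Guidelines (peer, server, synchronization, query) to show which rights a source address ends up with when it appears in more than one ACL. The ACL contents, addresses and function names are constructed for illustration, and the model assumes that a source matches a level only when that level's ACL permits it, that a source matching no configured level is refused, and that no configured level means no restriction.

```python
import ipaddress

# Match order stated in the Usage Guidelines: least restrictive level first.
MATCH_ORDER = ("peer", "server", "synchronization", "query")

# What each level permits, taken from the Parameters section.
RIGHTS = {
    "peer": {"time_request": True, "control_query": True, "sync_local_clock": True},
    "server": {"time_request": True, "control_query": True, "sync_local_clock": False},
    "synchronization": {"time_request": True, "control_query": False, "sync_local_clock": False},
    "query": {"time_request": False, "control_query": True, "sync_local_clock": False},
}

# Constructed configuration: level -> ACL number, as set by "ntp-service access".
ACCESS = {"peer": 2000, "synchronization": 2002, "query": 2003}

# Constructed ACL model (not CLI syntax): ordered (action, source network) rules.
ACLS = {
    2000: [("permit", "10.0.0.1/32")],
    2002: [("permit", "10.0.0.0/24")],
    2003: [("deny", "10.1.0.66/32"), ("permit", "10.0.0.0/8")],
}


def acl_permits(rules, source):
    """First matching rule decides; a source that matches no rule is not permitted."""
    addr = ipaddress.ip_address(source)
    for action, network in rules:
        if addr in ipaddress.ip_network(network):
            return action == "permit"
    return False


def matching_levels(access, acls, source):
    """All configured levels whose ACL permits the source, in match order."""
    return [
        level for level in MATCH_ORDER
        if level in access and acl_permits(acls.get(access[level], []), source)
    ]


def effective_level(access, acls, source):
    """Level actually applied: the first match, None if refused."""
    if not access:
        return "unrestricted"  # assumption: no access authority set
    matches = matching_levels(access, acls, source)
    return matches[0] if matches else None


def rights(access, acls, source):
    """Operations the source may perform on the local NTP service."""
    level = effective_level(access, acls, source)
    if level is None:
        return dict.fromkeys(RIGHTS["peer"], False)
    return RIGHTS["peer" if level == "unrestricted" else level]


if __name__ == "__main__":
    for src in ("10.0.0.1", "10.0.0.50", "10.9.9.9", "10.1.0.66", "192.0.2.1"):
        print(src, effective_level(ACCESS, ACLS, src), matching_levels(ACCESS, ACLS, src))
```

Because the least restrictive level is tried first, an address that a broad peer or server ACL permits never reaches the tighter synchronization or query entries, so review the ACLs of the permissive levels first.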

1.7.6 ntp-service authentication enable


Function
Using the ntp-service authentication enable command, you can enable identity authentication
for NTP.
Using the undo ntp-service authentication enable command, you can disable the identity
authentication.

Format
ntp-service authentication enable
undo ntp-service authentication enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, identity authentication is disabled.
Identity authentication in NTP applies to a network requiring high security.

Examples
# Enable identity authentication for NTP.
<Eudemon> system-view
[Eudemon] ntp-service authentication enable

Related Topics
1.7.7 ntp-service authentication-keyid

1.7.7 ntp-service authentication-keyid

Function
Using the ntp-service authentication-keyid command, you can set NTP authentication key.
Using the undo ntp-service authentication-keyid command, you can remove NTP
authentication key.

Format
ntp-service authentication-keyid key-id authentication-mode md5 password


undo ntp-service authentication-keyid key-id

Parameters
key-id: specifies the key number in the range of 1 to 4294967295.
authentication-mode md5 password: indicates the MD5 authentication password. It is a string
of 1 to 32 characters.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, no authentication key is set.
NTP supports only the MD5 authentication mode.

Examples
# Set MD5 authentication key. The key ID number is 10 and the key is BetterKey.
<Eudemon> system-view
[Eudemon] ntp-service authentication-keyid 10 authentication-mode md5 BetterKey

Related Topics
1.7.6 ntp-service authentication enable
1.7.15 ntp-service reliable authentication-keyid

1.7.8 ntp-service broadcast-client

Function
Using the ntp-service broadcast-client command, you can configure the NTP broadcast client
mode.
Using the undo ntp-service broadcast-client command, you can cancel configuring the NTP
broadcast client mode.

Format
ntp-service broadcast-client
undo ntp-service broadcast-client

Parameters
None


Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the NTP broadcast client mode is not configured.
Once the current interface is specified to receive NTP broadcast messages, the local device automatically runs in broadcast-client mode.

Examples
# Enable Ethernet 0/0/1 to receive NTP broadcast messages.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/1
[Eudemon-Ethernet0/0/1] ntp-service broadcast-client

Related Topics
1.7.9 ntp-service broadcast-server

1.7.9 ntp-service broadcast-server

Function
Using the ntp-service broadcast-server command, you can configure the NTP broadcast server
mode.
Using the undo ntp-service broadcast-server command, you can cancel configuring the NTP
broadcast server mode.

Format
ntp-service broadcast-server [ authentication-keyid key-id | version number ] *
undo ntp-service broadcast-server

Parameters
authentication-keyid key-id: specifies the authentication key ID number used to transmit
message to broadcast clients. The value is in the range of 0 to 4294967295.
version number: defines the NTP version number. The value is in the range of 1 to 3. By default,
it is 3.

Views
Interface view


Default Level
2: Configuration level

Usage Guidelines
By default, the broadcast service is not configured.

Once the current interface is specified to send NTP broadcast packets, the local device automatically runs as the broadcast server and periodically transmits broadcast messages to the broadcast clients.

Examples
# Enable Ethernet 1/0/0 to send NTP broadcast packets, with the authentication key number as
4 and the NTP version as 3.
<Eudemon> system-view
[Eudemon] interface Ethernet 1/0/0
[Eudemon-Ethernet1/0/0] ntp-service broadcast-server authentication-key 4 version 3

Related Topics
1.7.8 ntp-service broadcast-client

1.7.10 ntp-service in-interface disable

Function
Using the ntp-service in-interface disable command, you can disable the interface from
receiving the NTP message.

Using the undo ntp-service in-interface disable command, you can enable the interface to
receive the NTP message.

Format
ntp-service in-interface disable

undo ntp-service in-interface disable

Parameters
None

Views
Interface view

Default Level
2: Configuration level


Usage Guidelines
By default, the interface is enabled to receive the NTP message.

Examples
# Disable Ethernet 1/0/0 from receiving the NTP message.
<Eudemon> system-view
[Eudemon] interface Ethernet 1/0/0
[Eudemon-Ethernet1/0/0] ntp-service in-interface disable

1.7.11 ntp-service max-dynamic-sessions

Function
Using the ntp-service max-dynamic-sessions command, you can set the maximum dynamic
NTP session allowed to be set up.
Using the undo ntp-service max-dynamic-sessions command, you can restore the default.

Format
ntp-service max-dynamic-sessions number
undo ntp-service max-dynamic-sessions

Parameters
number: specifies the number of dynamic NTP sessions allowed to be set up. The value is in the
range of 0 to 100.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, 100 sessions are allowed to be set up.
Note the following when using the ntp-service max-dynamic-sessions command:
- This command limits the number of dynamic sessions only.
- Using this command does not affect NTP sessions that have already been set up. When the number of sessions exceeds the limit, no more sessions can be set up.
- Configure this command only on the client. The server does not record the number of NTP sessions.
NOTE
Unicast server/client mode and peer mode are configured through the command line, so sessions between them are static. Sessions set up in the broadcast and multicast modes are dynamic.


Examples
# Set the maximum NTP dynamic sessions allowed to be set up to 50.
<Eudemon> system-view
[Eudemon] ntp-service max-dynamic-sessions 50

1.7.12 ntp-service multicast-client

Function
Using the ntp-service multicast-client command, you can configure the NTP multicast client
mode.
Using the undo ntp-service multicast-client command, you can cancel configuring the NTP
multicast client mode.

Format
ntp-service multicast-client [ ip-address ]
undo ntp-service multicast-client [ ip-address ]

Parameters
ip-address: specifies the multicast IP address, which is a Class D address. By default, it is
224.0.1.1.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the multicast client service is disabled.
Once the current interface is specified to receive NTP multicast messages, the local device automatically runs in multicast-client mode.

Examples
# Configure Ethernet 0/0/1 to receive NTP multicast messages. The multicast address of the
multicast packets is 224.0.1.1.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/1
[Eudemon-Ethernet0/0/1] ntp-service multicast-client 224.0.1.1

Related Topics
1.7.9 ntp-service broadcast-server


1.7.13 ntp-service multicast-server

Function
Using the ntp-service multicast-server command, you can specify an interface on the local
device to send NTP multicast packets. The local device then runs in multicast server mode.

Using the undo ntp-service multicast-server command, you can cancel configuring the NTP
multicast server mode.

Format
ntp-service multicast-server [ ip-address ] [ authentication-keyid key-id | ttl ttl-number |
version number ] *

undo ntp-service multicast-server [ ip-address ]

Parameters
ip-address: specifies the multicast IP address, which is a Class D address. By default, it is
224.0.1.1.

authentication-keyid key-id: specifies the authentication key ID number used when sending
messages to the multicast clients. The value is in the range of 0 to 4294967295.

ttl ttl-number: specifies the life span of the multicast packet, in the range of 1 to 255.

version number: specifies the NTP version number, in the range of 1 to 3. By default, it is 3.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the multicast service is not configured.

Specify an interface on the local device to send NTP multicast messages. The local device then runs in multicast-server mode and periodically sends multicast messages to the multicast clients.

Examples
# Configure Ethernet 0/0/1 to send NTP multicast messages. The multicast address is 224.0.1.1,
the authentication key number is 4 and the NTP version number is 3.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/1
[Eudemon-Ethernet0/0/1] ntp-service multicast-server 224.0.1.1 authentication-keyid 4 version 3


Related Topics
1.7.12 ntp-service multicast-client

1.7.14 ntp-service refclock-master

Function
Using the ntp-service refclock-master command, you can set the external reference clock or
the local clock to be the NTP master clock that provides the synchronizing time for other devices.
Using the undo ntp-service refclock-master command, you can cancel configuring the NTP
master clock.

Format
ntp-service refclock-master [ ip-address ] [ stratum ]
undo ntp-service refclock-master [ ip-address ]

Parameters
ip-address: specifies the IP address of the local clock, in the form 127.127.t.u. t ranges from
0 to 37; at present it is 1, indicating the local reference clock. u ranges from 0 to 3, indicating
the NTP process number. If no ip-address is specified, the local clock 127.127.1.0 is used as the
NTP master clock by default.
stratum: specifies the stratum of the NTP master clock. The value is in the range of 1 to 15. By
default, it is 8. The smaller the value is, the more accurate the clock is.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, no NTP master clock is specified.
The stratum of a device that is time synchronized is automatically set to one larger than that
of the device providing the synchronizing time.

Examples
# Set the local clock to be the NTP master clock, with the stratum set to 3.
<Eudemon> system-view
[Eudemon] ntp-service refclock-master 3

1.7.15 ntp-service reliable authentication-keyid


Function
Using the ntp-service reliable authentication-keyid command, you can specify the
authentication key to be reliable.
Using the undo ntp-service reliable authentication-keyid command, you can cancel the
current setting.

Format
ntp-service reliable authentication-keyid key-id
undo ntp-service reliable authentication-keyid key-id

Parameters
key-id: specifies the key number. It is an integer ranging from 1 to 4294967295.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, no authentication key is specified to be reliable.
If the identity authentication is enabled, this command is used to specify that one or more keys
are reliable. That is, the client can synchronize only with a server that provides a reliable key.
The client cannot synchronize with a server that provides an unreliable key.

Examples
# Enable the identity authentication in NTP and adopt the MD5 authentication mode with key
number as 37 and the key as BetterKey. Specify the key to be reliable.
<Eudemon> system-view
[Eudemon] ntp-service authentication enable
[Eudemon] ntp-service authentication-keyid 37 authentication-mode md5 BetterKey
[Eudemon] ntp-service reliable authentication-keyid 37

Related Topics
1.7.6 ntp-service authentication enable
1.7.7 ntp-service authentication-keyid

1.7.16 ntp-service source-interface

Function
Using the ntp-service source-interface command, you can specify the local interface that sends
NTP messages.


Using the undo ntp-service source-interface command, you can cancel the current setting.

Format
ntp-service source-interface interface-type interface-number
undo ntp-service source-interface

Parameters
interface-type interface-number: specifies the local interface that sends the NTP messages.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
In the unicast mode, if you want only one interface to receive the NTP response packets, use
this command so that NTP packets sent from all local interfaces use the same source IP address.
NOTE
In the broadcast and multicast modes, the ntp-service source-interface command is invalid. This is
because, in these modes, the NTP service is enabled on a specific interface, and that interface is
the source interface.

Examples
# Specify Ethernet 0/0/1 as the source interface to send all the NTP messages.
<Eudemon> system-view
[Eudemon] ntp-service source-interface Ethernet 0/0/1

1.7.17 ntp-service unicast-peer

Function
Using the ntp-service unicast-peer command, you can configure the NTP peer mode.
Using the undo ntp-service unicast-peer command, you can cancel configuring the NTP peer
mode.

Format
ntp-service unicast-peer ip-address [ version number | authentication-keyid keyid |
source-interface interface-type interface-number | priority ] *
undo ntp-service unicast-peer ip-address

Parameters
version number: defines the NTP version number. It is in the range of 1 to 3. By default, it is 3.


authentication-keyid keyid: specifies the authentication key number used when transmitting
messages to the remote server. The value is in the range of 0 to 4294967295.
source-interface interface-type interface-number: specifies the interface from which the
symmetric active end sends NTP messages to the symmetric passive end. The source IP address
of the NTP message is the IP address of this interface.
priority: specifies the remote server as the preferred one.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
This command is used to set the remote server with a specified ip-address as the peer of the local
device. The local device runs in the symmetric active mode. In this way, the local device can be
synchronized to the remote server and the remote server can also be synchronized to the local
device.

Examples
# Configure the peer 10.10.1.1 to provide the synchronizing time for the local device. The local
device can also provide synchronizing time for the peer. The version number is 3. The IP address
of the NTP packets is the address of Ethernet 0/0/1.
<Eudemon> system-view
[Eudemon] ntp-service unicast-peer 10.10.1.1 version 3 source-interface Ethernet 0/0/1

1.7.18 ntp-service unicast-server

Function
Using the ntp-service unicast-server command, you can configure the NTP server mode.
Using the undo ntp-service unicast-server command, you can cancel configuring the NTP
server mode.

Format
ntp-service unicast-server ip-address [ version number | authentication-keyid keyid |
source-interface interface-type interface-number | priority ] *
undo ntp-service unicast-server ip-address

Parameters
ip-address: specifies the IP address of the remote server. The ip-address is a host address and
cannot be the broadcast address, multicast address or the IP address of a reference clock.


version number: defines the NTP version number. It is in the range of 1 to 3. By default, it is 3.
authentication-keyid keyid: specifies the authentication key number used when messages are
transmitted to the remote server. The value is in the range of 0 to 4294967295.
source-interface interface-type interface-number: specifies the interface from which the unicast
client sends NTP messages to the unicast server. The source IP address of the messages is the
IP address of this interface.
priority: specifies the remote server as the preferred one.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the version number is 3. The identity authentication is enabled and the server is not
the preferred one.
This command is used to set the remote server with a specified ip-address as the local time
server. In this way, the local client device can be synchronized to the remote server and the
remote server cannot be synchronized to the local client device.
If the client enables authentication and configures the corresponding authentication key, then
when the server receives the synchronization request from the client, it sends authenticated
NTP packets to the client. The client authenticates the packets and starts the clock
synchronization. If the client disables authentication, then when the server receives the
synchronization request from the client, it sends the packets without authentication to the
client. When receiving the packets, the client starts the clock synchronization.

Examples
# Configure the server 10.10.1.1 to provide the synchronizing time for the local device. The NTP
version number is 3.
<Eudemon> system-view
[Eudemon] ntp-service unicast-server 10.10.1.1 version 3
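
The client-side decision described for ntp-service reliable authentication-keyid and ntp-service unicast-server, as an added Python example that is not part of the Huawei manual or the firewall's code. It assumes the standard NTP symmetric-key scheme (a 32-bit key ID followed by an MD5 digest computed over the key and the 48-byte header); the function names, key 38 and the packet contents are constructed for illustration.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48   # fixed NTP header: flags, stratum, poll, precision, timestamps
DIGEST_LEN = 16   # size of an MD5 digest in bytes

# Keys known to the client (key ID -> secret). Key 37 / BetterKey comes from
# the example in 1.7.15; key 38 is constructed for this illustration.
KEYS = {37: b"BetterKey", 38: b"OtherKey"}
# Only key 37 has been declared reliable, as in the 1.7.15 example.
RELIABLE = {37}


def md5_digest(key: bytes, header: bytes) -> bytes:
    """NTP symmetric-key digest: MD5 over the secret followed by the header."""
    return hashlib.md5(key + header).digest()


def build_packet(mode, stratum, key_id=None, key=b"", version=3):
    """Build an NTP header with zeroed timestamps, optionally authenticated."""
    flags = (version << 3) | mode                 # leap indicator left at 0
    header = struct.pack("!BBbb", flags, stratum, 6, -20)
    header += bytes(HEADER_LEN - len(header))     # remaining fields zeroed
    if key_id is None:
        return header
    return header + struct.pack("!I", key_id) + md5_digest(key, header)


def check_packet(packet, keys, reliable, auth_enabled=True):
    """Decide whether a received packet may be used for synchronization.

    Returns (accepted, reason).
    """
    if len(packet) < HEADER_LEN:
        return False, "short packet"
    if not auth_enabled:
        # Authentication disabled on the client: any reply is accepted.
        return True, "authentication disabled"
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if len(trailer) != 4 + DIGEST_LEN:
        return False, "no authenticator"
    (key_id,) = struct.unpack("!I", trailer[:4])
    if key_id not in reliable:
        return False, "key not reliable"
    if key_id not in keys:
        return False, "key not configured"
    expected = md5_digest(keys[key_id], header)
    if not hmac.compare_digest(expected, trailer[4:]):   # constant-time compare
        return False, "digest mismatch"
    return True, "authenticated"


if __name__ == "__main__":
    cases = {
        "reliable key 37": build_packet(4, 3, 37, b"BetterKey"),
        "configured but unreliable key 38": build_packet(4, 3, 38, b"OtherKey"),
        "key 37 with wrong secret": build_packet(4, 3, 37, b"WrongKey"),
        "no authenticator": build_packet(4, 3),
    }
    for name, pkt in cases.items():
        print(f"{name}: {check_packet(pkt, KEYS, RELIABLE)}")
```

A reply signed with a key that is configured but not declared reliable is rejected before the digest is even checked, which is the behaviour the reliable key setting exists to provide.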

1.8 SNMP Configuration Commands

1.8.1 debugging snmp-agent


1.8.2 display snmp-agent
1.8.3 display snmp-agent community
1.8.4 display snmp-agent group
1.8.5 display snmp-agent mib-view
1.8.6 display snmp-agent statistics


1.8.7 display snmp-agent sys-info


1.8.8 display snmp-agent usm-user
1.8.9 enable snmp trap updown
1.8.10 ifindex constant
1.8.11 set constant-ifindex max-number
1.8.12 set constant-ifindex subinterface
1.8.13 snmp-agent
1.8.14 snmp-agent community
1.8.15 snmp-agent group
1.8.16 snmp-agent local-engineid
1.8.17 snmp-agent mib-view
1.8.18 snmp-agent packet max-size
1.8.19 snmp-agent sys-info
1.8.20 snmp-agent target-host
1.8.21 snmp-agent trap enable
1.8.22 snmp-agent trap enable ospf
1.8.23 snmp-agent trap life
1.8.24 snmp-agent trap queue-size
1.8.25 snmp-agent trap source
1.8.26 snmp-agent usm-user

1.8.1 debugging snmp-agent

Function
Using the debugging snmp-agent command, you can enable SNMP Agent debugging and
specify which SNMP module debugging information is output.
Using the undo debugging snmp-agent command, you can cancel the setting.

Format
debugging snmp-agent { header | packet | process | trap }
undo debugging snmp-agent { header | packet | process | trap }

Parameters
header: enables data packet header debugging.
packet: enables packet debugging.


process: enables SNMP packet process debugging.


trap: enables Trap data packet debugging.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, SNMP Agent debugging is disabled.

Examples
# Enable SNMP Agent data packet header debugging.
<Eudemon> debugging snmp-agent header

1.8.2 display snmp-agent

Function
Using the display snmp-agent command, you can display the engine ID of the local or the
remote SNMP entity.

Format
display snmp-agent { local-engineid | remote-engineid }

Parameters
local-engineid: displays the engine ID of the local SNMP entity.
remote-engineid: displays the engine ID of the remote SNMP agent.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The SNMP engine ID is the unique identifier used in SNMP management: it uniquely
identifies an SNMP entity in one management domain. The SNMP engine ID is an important
component of the SNMP entity, which completes the functions of SNMP messages such as message
dispatching, message processing, security authentication and access control.


Use this command to view the configuration result after the SNMP agent function is enabled.

Examples
# Display the engine ID of the current device.
<Eudemon> display snmp-agent local-engineid
SNMP local EngineID: 000007DB7F0000013859

Table 1-34 Description of the display snmp-agent command output

Item | Description
SNMP local EngineID | Indicates the local SNMP engine ID. It can be specified by the administrator using the snmp-agent local-engineid command or be generated through a certain algorithm.

Related Topics
1.8.16 snmp-agent local-engineid

1.8.3 display snmp-agent community

Function
Using the display snmp-agent community command, you can display the current configuration
of SNMPv1 or SNMPv2c.

Format
display snmp-agent community [ read | write ]

Parameters
read: displays the community name information with the read-only authority.

write: displays the community name information with the authority of read and write.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
When configuring the managed entity, use this command to check the community name of the
agent. The output of this command contains the group name, the storage type and ACL rules.


Examples
# Display the current community name.
<Eudemon> display snmp-agent community
Community name:aaa
Group name:aaa
Acl:2000
Storage-type: nonVolatile

Community name:bbb
Group name:bbb
Storage-type: nonVolatile

Table 1-35 Description of the display snmp-agent community command output

Item | Description
Community name | Community name
Group name | Group name
Acl | ACL number
Storage-type | Storage type

Related Topics
1.8.14 snmp-agent community

1.8.4 display snmp-agent group

Function
Using the display snmp-agent group command, you can display information about SNMP groups
based on the User-based Security Model (USM).

Format
display snmp-agent group [ group-name ]

Parameters
group-name: specifies the SNMP group to be displayed. It is a string of 1 to 32 characters.

Views
All views

Default Level
1: Monitoring level


Usage Guidelines
Use this command to check the agent groups when the managed entity is configured with
SNMPv3 groups. When no parameter is specified, the output of this command contains the group
names, security models and storage types.

Examples
# Display the SNMP group name and the security mode.
<Eudemon> display snmp-agent group
Group name: gg
Security model: v3 noAuthnoPriv
Readview: ViewDefault
Writeview: <no specified>
Notifyview :<no specified>
Storage-type: nonVolatile
Acl:2000

Table 1-36 Description of the display snmp-agent group command output


Item | Description
Group name | SNMP group name
Security model | Security model of the group
Readview | Name of read-only MIB view corresponding to the group
Writeview | Name of writable MIB view corresponding to the group
Notifyview | Name of notifying MIB view corresponding to the group
Storage-type | Storage type
Acl | ACL number corresponding to the group

Related Topics
1.8.15 snmp-agent group
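
An added example (not part of the Huawei manual) that reads the output of display snmp-agent community and display snmp-agent group in the format shown in 1.8.3 and 1.8.4 and reports settings worth reviewing: a community or group with no ACL, and a group whose security model is v1, v2c or v3 noAuthnoPriv. The function names and finding texts are assumptions of this example; the sample text is copied from the two Examples sections above.

```python
"""Review SNMP agent settings from 'display snmp-agent' output."""

NOT_SET = "<no specified>"   # text the device prints for an unset view

NO_ACL = "no ACL restricts the source addresses"
COMMUNITY_MODEL = "community-based security model (v1/v2c)"
NO_AUTH = "SNMPv3 group without authentication or encryption"
WRITE_NO_AUTH = "write view reachable without authentication"

# Sample output copied from the examples in 1.8.3 and 1.8.4.
COMMUNITY_OUTPUT = """\
Community name:aaa
Group name:aaa
Acl:2000
Storage-type: nonVolatile

Community name:bbb
Group name:bbb
Storage-type: nonVolatile
"""

GROUP_OUTPUT = """\
Group name: gg
Security model: v3 noAuthnoPriv
Readview: ViewDefault
Writeview: <no specified>
Notifyview :<no specified>
Storage-type: nonVolatile
Acl:2000
"""


def parse_records(text, first_key):
    """Split 'Key: value' lines into records; first_key starts a new record."""
    records, current = [], None
    first_key = first_key.lower()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue                      # prompt lines, blank lines
        key, value = key.strip().lower(), value.strip()
        if key == first_key:
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def audit_communities(text):
    """Return (community, finding) pairs for 'display snmp-agent community'."""
    findings = []
    for rec in parse_records(text, "Community name"):
        if not rec.get("acl"):
            findings.append((rec["community name"], NO_ACL))
    return findings


def audit_groups(text):
    """Return (group, finding) pairs for 'display snmp-agent group'."""
    findings = []
    for rec in parse_records(text, "Group name"):
        name = rec["group name"]
        model = rec.get("security model", "").lower()
        unauthenticated = "noauth" in model
        if model.startswith(("v1", "v2c")):
            findings.append((name, COMMUNITY_MODEL))
        elif unauthenticated:
            findings.append((name, NO_AUTH))
        if unauthenticated and rec.get("writeview", NOT_SET) != NOT_SET:
            findings.append((name, WRITE_NO_AUTH))
        if not rec.get("acl"):
            findings.append((name, NO_ACL))
    return findings


if __name__ == "__main__":
    for name, finding in audit_communities(COMMUNITY_OUTPUT):
        print(f"community {name}: {finding}")
    for name, finding in audit_groups(GROUP_OUTPUT):
        print(f"group {name}: {finding}")
```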

1.8.5 display snmp-agent mib-view

Function
Using the display snmp-agent mib-view command, you can display the current MIB view.

Format
display snmp-agent mib-view [ exclude | include | viewname view-name ]

Parameters
exclude: excludes the attributes of the set SNMP MIB view.
include: includes the attributes of the set SNMP MIB view.


view-name: specifies the view name to be displayed. It is a string of 1 to 32 characters.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Use this command to display the view specified when configuring the SNMP community name.
By default, the system uses the ViewDefault view.

Examples
# Display the current MIB view.
<Eudemon> display snmp-agent mib-view
View name:ViewDefault
MIB Subtree:internet
Subtree mask:
Storage-type: nonVolatile
View Type:included
View status:active

Table 1-37 Description of the display snmp-agent mib-view command output

Item | Description
View name | View name
MIB Subtree | MIB sub tree
Subtree mask | Subtree mask
Storage-type | Storage type
Included/excluded | Indicating whether to enable or disable the access to a MIB object
Active | Status of lines in the list

Related Topics
1.8.17 snmp-agent mib-view

1.8.6 display snmp-agent statistics

Function
Using the display snmp-agent statistics command, you can view the statistics of SNMP packets.


Format
display snmp-agent statistics

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If you need to check the communication between the agent and the managed entity or to
troubleshoot SNMP, use this command to display the statistics of the SNMP packets.

Examples
# View the statistics of SNMP packets.
<Eudemon> display snmp-agent statistics
41 Messages delivered to the SNMP entity
0 Messages which were for an unsupported version
7 Messages which used an unknown community name
0 Messages which represented an illegal operation for the community supplied
0 ASN.1 or BER errors in the process of decoding
18 MIB objects retrieved successfully
0 MIB objects altered successfully
0 Get-request PDUs accepted and processed
0 Get-next PDUs accepted and processed
0 Set-request PDUs accepted and processed
57 Messages passed from the SNMP entity
0 SNMP PDUs which had a tooBig error (Maximum packet size 1500)
0 SNMP PDUs which had a noSuchName error
0 SNMP PDUs which had a badValue error
0 SNMP PDUs which had a general error
25 Response PDUs accepted and processed
11 Trap PDUs accepted and processed

Table 1-38 Description of the display snmp-agent statistics command output


Item | Description
Messages delivered to the SNMP entity | Total number of input SNMP messages
Messages which were for an unsupported version | Number of messages with version errors
Messages which used a SNMP community name not known | Number of messages with community name errors
Messages which represented an illegal operation for the community supplied | Number of messages with authority errors corresponding to community name
ASN.1 or BER errors in the process of decoding | Number of SNMP messages with encoding errors
Messages passed from the SNMP entity | Total number of output SNMP messages
SNMP PDUs which had a badValue error-status | Number of SNMP messages with bad values
SNMP PDUs which had a genErr error-status | Number of SNMP PDUs with general errors
SNMP PDUs which had a noSuchName error-status | Number of SNMP PDUs with requests of non-existing MIB object
SNMP PDUs which had a tooBig error-status | Number of SNMP PDUs with Too_big errors
MIB objects retrieved successfully | Number of variables requested by NMS
MIB objects altered successfully | Number of variables set by NMS
GetRequest-PDU accepted and processed | Number of received Get-request PDUs
GetNextRequest-PDU accepted and processed | Number of received GetNext-request PDUs
GetResponse-PDU accepted and processed | Number of received Get-response PDUs
SetRequest-PDU accepted and processed | Number of received Set-request PDUs
Trap-PDU accepted and processed | Number of sent Trap PDUs

1.8.7 display snmp-agent sys-info

Function
Using the display snmp-agent sys-info command, you can display the system information of
the current SNMP device.

Format
display snmp-agent sys-info [ contact | location | version ] *

Parameters
contact: displays the contact information of the current SNMP device.

location: displays the physical location information of the current SNMP device.

version: displays the SNMP version running in the current SNMP agent.


Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Use this command to display the contact information about the system maintenance, the physical
location and SNMP version of the current SNMP device.

Examples
# Display the system information of the SNMP agent.
<Eudemon> display snmp-agent sys-info
The contact person for this managed node:
R&D Beijing, Huawei Technologies co.,Ltd.
The physical location of this node:
Beijing China
SNMP version running in the system:
SNMPv3

Table 1-39 Description of the display snmp-agent sys-info command output

Item | Description
The contact person for this managed node | Indicates the contact person of the managed device. By specifying this parameter, you can store the important information to the firewall for convenient querying.
The physical location of this node | Location of the managed device.
SNMP version running in the system | SNMP versions include v1, v2c and v3.

Related Topics
1.8.19 snmp-agent sys-info

1.8.8 display snmp-agent usm-user

Function
Using the display snmp-agent usm-user command, you can display the information about
SNMP users.

Format
display snmp-agent usm-user [ engineid engine-id | username user-name |
group group-name ] *


Parameters
engineid engine-id: displays the information of the SNMPv3 with a specified engine ID. The
engine ID is a string of 10 to 64 characters.

username user-name: displays the information of the specified SNMPv3 user. The user name
is a string of 1 to 32 characters.

group group-name: displays the user information of the specified group. The group name is a
string of 1 to 32 characters.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
An SNMP user is the remote user who executes SNMP management operations. The snmp-agent
usm-user command is used to specify the SNMP user.

NOTE
The display snmp-agent usm-user command displays the information of SNMPv3 users only.

Examples
<Eudemon> display snmp-agent usm-user
User name: u1
Engine ID: 000007DB7F00000100001106 active

Table 1-40 Description of the display snmp-agent usm-user command output

Item | Description
User name | Character string used to identify the SNMP user
Engine ID | Engine ID used to identify the SNMP device
Active | Status of SNMP USER

Related Topics
1.8.26 snmp-agent usm-user

1.8.9 enable snmp trap updown

Function
Using the enable snmp trap updown command, you can enable Trap function on the interface.


Using the undo enable snmp trap updown command, you can disable Trap function on the
interface.

Format
enable snmp trap updown
undo enable snmp trap updown

Parameters
None

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, sending Trap messages is disabled.
Run the snmp-agent trap enable command to enable sending Trap messages when the status
of the interface changes.
When the interface is flapping, run the undo enable snmp trap updown command
to disable the Trap function for interface status changes, which effectively reduces
the load on the NMS.

Examples
# Enable sending Trap messages when the status of the interface changes.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] enable snmp trap updown

Related Topics
1.8.21 snmp-agent trap enable

1.8.10 ifindex constant

Function
Using the ifindex constant command, you can enable the constant interface index feature.
Using the undo ifindex constant command, you can remove this feature.

Format
ifindex constant


undo ifindex constant

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the constant interface index feature is disabled.

In some application environments, such as accounting based on the interface index, the
interface index must not change. With this feature enabled, the interface index is not
affected by the addition or deletion of interfaces, system restarts, or hardware or software
modification.

After the constant interface index feature is configured, the interface index values of all
current interfaces and newly created interfaces are fixed. Before restarting the device, you must
first run the save command. Otherwise the interface index value may change after you restart
the device.

Examples
# Enable the constant interface index feature.
<Eudemon> system-view
[Eudemon] ifindex constant

1.8.11 set constant-ifindex max-number

Function
Using the set constant-ifindex max-number command, you can set the maximum number of
the interfaces enabled with constant index feature.

Using the undo set constant-ifindex max-number command, you can restore the default value.

Format
set constant-ifindex max-number number

undo set constant-ifindex max-number

Parameters
number: specifies the maximum number of the interfaces enabled with the constant index feature.
The value is in the range of 0 to 4294967295.


Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the maximum number is 65535.
This command takes effect only after the constant interface index feature is enabled.

Examples
# Set the maximum number of the interfaces enabled with the constant index feature to 10000.
<Eudemon> system-view
[Eudemon] set constant-ifindex max-number 10000

Related Topics
1.8.10 ifindex constant

1.8.12 set constant-ifindex subinterface

Function
Using the set constant-ifindex subinterface command, you can set the memory distribution
mode for the sub-interface index.

Format
set constant-ifindex subinterface { dense-mode | sparse-mode }

Parameters
dense-mode: sets the memory distribution mode for the sub-interface index as dense mode.
sparse-mode: sets the memory distribution mode for the sub-interface index as sparse mode.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the memory distribution mode for the sub-interface index is the dense mode.


The command takes effect after the constant interface index feature is enabled.

When you add the sub-interfaces, the dense mode is recommended if the sub-interface
numbering is continuous.

Examples
# Set the memory distribution mode for the sub-interface index as the sparse mode.
<Eudemon> system-view
[Eudemon] set constant-ifindex subinterface sparse-mode

Related Topics
1.8.10 ifindex constant

1.8.13 snmp-agent

Function
Using the snmp-agent command, you can enable the SNMP Agent and specify the SNMP
configuration information.

Using the undo snmp-agent command, you can disable SNMP Agent.

Format
snmp-agent

undo snmp-agent

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the SNMP Agent is disabled.

The snmp-agent command can be used to enable SNMP Agent, and any configuration
commands of snmp-agent can also enable SNMP Agent.

When SNMP Agent is not enabled, configuring the undo snmp-agent command is invalid. After
SNMP Agent is enabled, you can use the undo snmp-agent command to disable SNMP Agent.


Examples
# Disable the running SNMP agent.
<Eudemon> system-view
[Eudemon] undo snmp-agent
SNMP Agent disabled

1.8.14 snmp-agent community

Function
Using the snmp-agent community command, you can set the community access name of
SNMPv1 and SNMPv2c, the corresponding MIB view and ACL rules.
Using the undo snmp-agent community command, you can cancel the setting.

Format
snmp-agent community { read | write } community-name [ mib-view view-name |
acl acl-number ] *
undo snmp-agent community community-name

Parameters
read: indicates that the community name has the read-only authority in the specified view.
write: indicates that the community name has the read and write authority in the specified view.
community-name: specifies the character string of community name. The value is in the range
of 1 to 32 characters.
mib-view view-name: sets the MIB view names that the community name can have access to.
The value is in the range of 1 to 32 characters.
acl acl-number: specifies the number of the ACL corresponding to the community name. The
value is in the range of 2000 to 2999.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
Using the snmp-agent community command, you can set the read and write authority of the
community name in the MIB view so as to control the user access to the MIB view.

Examples
# Set the community name as comaccess and allow read-only access using this community name.


<Eudemon> system-view
[Eudemon] snmp-agent community read comaccess

# Set the community name as mgr and allow read and write access.
[Eudemon] snmp-agent community write mgr

# Delete the community name comaccess.


[Eudemon] undo snmp-agent community comaccess

Related Topics
1.8.15 snmp-agent group
1.8.26 snmp-agent usm-user
1.8.3 display snmp-agent community

1.8.15 snmp-agent group

Function
Using the snmp-agent group command, you can configure a new SNMP group, that is, map
the SNMP user to the SNMP view.

Using the undo snmp-agent group command, you can delete a specified SNMP group.

Format
snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ]
[ notify-view notify-view ] [ acl acl-number ]

undo snmp-agent group { v1 | v2c } group-name

snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ]
[ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]

undo snmp-agent group v3 group-name [ authentication | privacy ]

Parameters
v1: specifies the V1 security mode the user uses.

v2c: specifies the V2 security mode the user uses.

v3: specifies the V3 security mode the user uses.

group-name: specifies the group name. The value is in the range of 1 to 32 bytes.

authentication: authenticates but does not encrypt the packet.

privacy: authenticates and encrypts the packet.

read-view read-view: specifies the name of the read-only view. The value is in the range of 1
to 32 bytes.

write-view write-view: specifies the name of the read and write view. The value is in the range
of 1 to 32 bytes.

notify-view notify-view: specifies the name of the notify view. The value is in the range of 1
to 32 bytes.

acl acl-number: specifies the number of the standard access list. The value is in the range of
2000 to 2999.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the snmp-agent group v3 group-name command configures neither authentication
nor encryption.

Map the SNMP users to different SNMP views so as to control the SNMP user access.

Examples
# Create an SNMP group known as Johngroup.
<Eudemon> system-view
[Eudemon] snmp-agent group v3 Johngroup

Related Topics
1.8.17 snmp-agent mib-view
1.8.26 snmp-agent usm-user
1.8.4 display snmp-agent group

1.8.16 snmp-agent local-engineid

Function
Using the snmp-agent local-engineid command, you can configure the engine ID of a local
SNMP entity.

Using the undo snmp-agent local-engineid command, you can cancel the current setting.

Format
snmp-agent local-engineid engine-id

undo snmp-agent local-engineid

Parameters
engine-id: specifies the character string of the engine ID. It must be a hexadecimal string of
10 to 64 characters.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the Eudemon uses an internal algorithm to generate an engine ID in the
format of enterprise number + device information.
The algorithm that generates the engine ID follows these rules:
• The first bit is set to 0.
• The first 4 bytes are the hexadecimal private enterprise number allocated by the Internet
Assigned Numbers Authority (IANA). The enterprise number of Huawei is 2011, that is,
000007DB in hexadecimal.
• Each device determines the equipment information. It can be either the IP address or the
MAC address.

Examples
# Configure the engine ID of the local device as 12345A4B1C.
<Eudemon> system-view
[Eudemon] snmp-agent local-engineid 12345A4B1C

Related Topics
1.8.26 snmp-agent usm-user

1.8.17 snmp-agent mib-view

Function
Using the snmp-agent mib-view command, you can create or update the information about a
view.
Using the undo snmp-agent mib-view command, you can cancel the current setting.

Format
snmp-agent mib-view { included | excluded } view-name oid-tree
undo snmp-agent mib-view view-name

Parameters
view-name: specifies the name of the view. It is a string of 1 to 32 characters.
oid-tree: specifies the Object Identifier (OID) for MIB sub-tree, which can be a character string
of the variable OID or a character string of variable name. For example, it can be a string such
as 1.4.5.3.1 or system and it can contain the wildcard *, for example, 1.4.5.*.*.1. The value is
in the range of 1 to 255 characters.

included: includes the MIB sub-tree.

excluded: excludes the MIB sub-tree.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the view name is ViewDefault and the OID is 1.3.6.1.

Currently, this command supports not only the input of the character string of the variable OID
as a parameter but also the input of the node name as a parameter.

Examples
# Create a view that includes all MIB-II objects.
<Eudemon> system-view
[Eudemon] snmp-agent mib-view included mib2 1.3.6.1

Related Topics
1.8.15 snmp-agent group

1.8.18 snmp-agent packet max-size

Function
Using the snmp-agent packet max-size command, you can set the maximum size of the SNMP
packets that the SNMP agent receives and forwards.

Using the undo snmp-agent packet max-size command, you can cancel the current setting.

Format
snmp-agent packet max-size max-size

undo snmp-agent packet max-size

Parameters
max-size: specifies the maximum value of SNMP message packets received by or sent from
Agent in bytes, which ranges from 484 to 17940. By default, the value is set to 1500.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
Based on the network environment, use this command to set the maximum size of the SNMP
packets that the SNMP agent receives or forwards.

If the maximum size is too small, the synchronization of the firewall and the NMS may fail. It
is recommended to set the maximum size to 1500.

Examples
# Set the maximum size of the SNMP packets that the SNMP agent receives or forwards to 1042 bytes.
<Eudemon> system-view
[Eudemon] snmp-agent packet max-size 1042

1.8.19 snmp-agent sys-info

Function
Using the snmp-agent sys-info command, you can set the SNMP system information.

Using the undo snmp-agent sys-info command, you can cancel the current setting.

Format
snmp-agent sys-info { contact contact | location location | version { { v1 | v2c | v3 } * |
all } }

undo snmp-agent sys-info { contact | location | version { { v1 | v2c | v3 } * | all } }

Parameters
contact contact: indicates contact information of system maintenance. It is a string of 1 to 225
characters without spaces.

location location: indicates the location of a device. It is a string of 1 to 225 characters without
spaces.

version: sets the SNMP version number used by the system.

v1: specifies SNMPv1.

v2c: specifies SNMPv2c.

v3: specifies SNMPv3.

all: specifies SNMPv1, SNMPv2c and SNMPv3.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the system maintenance information is "R&D Beijing, Huawei Technologies
co.,Ltd.", the system location is "Beijing China" and the version is SNMPv3.
Use this command to set the information of the system maintenance, the physical location of
the node and the SNMP version.

Examples
# Set the contact information of the system maintenance as "call Operator at 010-12345678".
<Eudemon> system-view
[Eudemon] snmp-agent sys-info contact call Operator at 010-12345678

Related Topics
1.8.7 display snmp-agent sys-info

1.8.20 snmp-agent target-host

Function
Using the snmp-agent target-host command, you can set the destination that receives the SNMP
notification.
Using the undo snmp-agent target-host command, you can remove the host that receives the
SNMP messages.

Format
snmp-agent target-host trap address udp-domain ip-address [ udp-port port-number ]
params securityname security-string [ v1 | v2c | v3 [ authentication | privacy ] ]
undo snmp-agent target-host ip-address securityname security-string

Parameters
trap: specifies the host as the trap host.
address: specifies the address of the destination host that receives the SNMP message.
udp-domain: specifies that the transmission domain of the destination host is based on UDP.
ip-address: specifies the IP address of the host.
udp-port port-number: specifies the number of the port that receives the trap packet. The value
is in the range of 0 to 65535. By default, it is 162.

params: indicates the information of the login host that generates SNMP messages.

securityname security-string: specifies the community name of SNMPv1, SNMPv2c or the user
name of SNMPv3. The value is in the range of 1 to 32 bytes.

v1 | v2c | v3: specifies the version of trap packets. By default, it is v1.

authentication: authenticates but does not encrypt the packet.

privacy: authenticates and encrypts the packet.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
Use this command to specify the destination host that receives the trap packets.

• The snmp-agent target-host command and the 1.8.21 snmp-agent trap enable command must be
used together.
• Using the snmp-agent trap enable command, you can enable the device to send Trap
packets. To enable a host to send notify messages, you need to configure at least one
snmp-agent target-host command and one snmp-agent trap enable command.

Examples
# Allow sending SNMP trap packets to 10.1.1.1.
<Eudemon> system-view
[Eudemon] snmp-agent trap enable standard
[Eudemon] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname comaccess

Related Topics
1.8.21 snmp-agent trap enable
1.8.23 snmp-agent trap life
1.8.4 display snmp-agent group

1.8.21 snmp-agent trap enable

Function
Using the snmp-agent trap enable command, you can enable the device to send trap packets
and set the related trap parameters.

Using the undo snmp-agent trap enable command, you can cancel the current setting.

Format
snmp-agent trap enable [ trap-type [ trap-list ] ]
undo snmp-agent trap enable [ trap-type [ trap-list ] ]

Parameters
trap-type: enables a specified type of trap packets.
trap-list: specifies the parameter list corresponding to the specified type of trap packets.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, sending trap packets is disabled.
If no parameter is specified in the snmp-agent trap enable command, all the modules are allowed
to send any type of SNMP trap packets.
The snmp-agent trap enable command should be used together with the snmp-agent target-host
command.
The snmp-agent target-host command specifies the destination host of the trap packets.
To send Trap packets, you must configure at least one snmp-agent target-host command.
The modules that can send trap packets are configuration (the configuration and management
of MIB), flash, ospf, standard (SNMP MIB), system (system management MIB), and vrrp (VRRP
trap packets).

Examples
# Send the trap packets that report SNMP authentication failures to 10.1.1.1. The trap
packets are in the form of v2c with the security name as public.
<Eudemon> system-view
[Eudemon] snmp-agent trap enable standard authentication
[Eudemon] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public v2c

# Send any type of OSPF trap packets to 10.1.1.1. The trap packets are in the form of v3 with
the security name as super. The packets are authenticated but not encrypted.
[Eudemon] snmp-agent trap enable ospf
[Eudemon] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname super v3 authentication

Related Topics
1.8.20 snmp-agent target-host
1.8.25 snmp-agent trap source
1.8.23 snmp-agent trap life
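
A check that a reviewer can run over a saved configuration, based on the defaults documented in 1.8.15, 1.8.19 and 1.8.20 (v3 groups without authentication or encryption, trap version v1 when none is given). This is an added example, not Huawei code; the function names, the finding texts and the sample configuration are constructed for illustration.

```python
"""Audit Eudemon snmp-agent lines against the defaults documented in this section."""

# Constructed sample configuration; each command form appears in 1.8.15 to 1.8.21.
SAMPLE_CONFIG = """\
snmp-agent sys-info version all
snmp-agent group v3 Johngroup
snmp-agent group v3 opsgroup privacy read-view mib2 acl 2001
snmp-agent trap enable standard
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname comaccess
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname super v3 authentication
snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname nms v3 privacy
"""

LEVELS = ("authentication", "privacy")


def _after(args, keyword):
    """Return the token that follows keyword, or None when it is absent."""
    if keyword in args and args.index(keyword) + 1 < len(args):
        return args[args.index(keyword) + 1]
    return None


def audit_sys_info(args):
    """args are the tokens after 'snmp-agent sys-info'."""
    if args[:1] != ["version"]:
        return []
    if any(v in ("v1", "v2c", "all") for v in args[1:]):
        return ["sys-info: version %s enables community-based SNMPv1/v2c" % " ".join(args[1:])]
    return []


def audit_group(args):
    """args are the tokens after 'snmp-agent group': version, group-name, options."""
    if len(args) < 2:
        return []
    version, name, rest = args[0], args[1], args[2:]
    findings = []
    if version != "v3":
        findings.append("group %s: %s relies on a community name sent in cleartext" % (name, version))
    elif not rest or rest[0] not in LEVELS:
        findings.append("group %s: v3 without authentication or privacy (the documented default)" % name)
    elif rest[0] == "authentication":
        findings.append("group %s: packets are authenticated but not encrypted" % name)
    if "acl" not in rest:
        findings.append("group %s: no acl limits which hosts can use the group" % name)
    return findings


def audit_target_host(args):
    """args are the tokens after 'snmp-agent target-host'."""
    host = _after(args, "udp-domain")
    if host is None or _after(args, "securityname") is None:
        return []
    tail = args[args.index("securityname") + 2:]  # tokens after the security string
    version = tail[0] if tail else "v1"           # v1 is the documented default
    level = tail[1] if len(tail) > 1 else None
    if version in ("v1", "v2c"):
        how = "explicitly" if tail else "by default"
        return ["target-host %s: %s traps (%s) carry the security name in cleartext"
                % (host, version, how)]
    if level != "privacy":
        return ["target-host %s: v3 traps are sent without encryption" % host]
    return []


HANDLERS = {"sys-info": audit_sys_info, "group": audit_group, "target-host": audit_target_host}


def audit(config_text):
    """Return a list of findings for every snmp-agent line in config_text."""
    findings = []
    for line in config_text.splitlines():
        tokens = line.split()
        if "snmp-agent" not in tokens:
            continue
        start = tokens.index("snmp-agent")
        if "undo" in tokens[:start]:  # undo lines remove a setting
            continue
        args = tokens[start + 1:]
        handler = HANDLERS.get(args[0]) if args else None
        if handler:
            findings.extend(handler(args[1:]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Lines copied with their prompt, such as "[Eudemon] snmp-agent group v3 Johngroup", are accepted as they are.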

1.8.22 snmp-agent trap enable ospf

Function
Using the snmp-agent trap enable ospf command, you can enable the Trap of OSPF.
Using the undo snmp-agent trap enable ospf command, you can disable the Trap.

Format
snmp-agent trap enable ospf [ process-id ] [ ifauthfail | ifcfgerror | ifrxbadpkt |
ifstatechange | iftxretransmit | lsdbapproachoverflow | lsdboverflow | maxagelsa |
nbrstatechange | originatelsa | virifauthfail | virifcfgerror | virifrxbadpkt |
virifstatechange | viriftxretransmit | virnbrstatechange ] *
undo snmp-agent trap enable ospf [ process-id ] [ ifauthfail | ifcfgerror | ifrxbadpkt |
ifstatechange | iftxretransmit | lsdbapproachoverflow | lsdboverflow | maxagelsa |
nbrstatechange | originatelsa | virifauthfail | virifcfgerror | virifrxbadpkt |
virifstatechange | viriftxretransmit | virnbrstatechange ] *

Parameters
process-id: specifies an OSPF process number. If no OSPF process number is specified, this
command is valid for all the current OSPF processes.
ifauthfail, ifcfgerror, ifrxbadpkt, ifstatechange, iftxretransmit, lsdbapproachoverflow,
lsdboverflow, maxagelsa, nbrstatechange, originatelsa, virifauthfail, virifcfgerror,
virifrxbadpkt, virifstatechange, viriftxretransmit, virnbrstatechange: specifies the type of
SNMP Trap packet transmitted by OSPF.
• ifauthfail: indicates that the interface authentication fails.
• ifcfgerror: indicates that the interface configuration is incorrect.
• ifrxbadpkt: indicates the information about the received incorrect packet.
• ifstatechange: indicates the information about the interface status change.
• iftxretransmit: traces the receiving and sending of packets on an interface.
• lsdbapproachoverflow: indicates that the LSDB is about to overflow.
• lsdboverflow: indicates that the LSDB overflows.
• maxagelsa: indicates the max age information about LSA.
• nbrstatechange: indicates the information about the neighbor status change.
• originatelsa: indicates the LSA information generated locally.
• virifauthfail: indicates that the virtual interface authentication fails.
• virifcfgerror: indicates that the virtual interface configuration is incorrect.
• virifrxbadpkt: indicates the information about the incorrect packet received by a virtual
interface.
• virifstatechange: indicates the information about the virtual interface status change.
• viriftxretransmit: traces the receiving and sending of packets on a virtual interface.
• virnbrstatechange: indicates the status change of the virtual interface neighbor.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
This command has no effect on an OSPF process that is enabled after the command is executed.

By default, no OSPF process is enabled to transmit Trap packets.

For detailed configuration of SNMP Trap, refer to "system management" in this manual.

Examples
# Enable Trap of OSPF process 100.
<Eudemon> system-view
[Eudemon] snmp-agent trap enable ospf 100

1.8.23 snmp-agent trap life

Function
Using the snmp-agent trap life command, you can set the duration of Trap messages.

Using the undo snmp-agent trap life command, you can cancel the current setting.

Format
snmp-agent trap life seconds

undo snmp-agent trap life

Parameters
seconds: specifies the duration of Trap messages, in seconds. The value is in the range of 1 to
2592000. By default, it is 120.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
A Trap message whose holding time exceeds the configured duration is dropped. For example,
if the duration for reserving Trap messages is set to 500 seconds, Trap messages are discarded
after the duration expires. The discarded Trap messages are no longer reserved or sent.

Examples
# Set the duration of Trap messages to 60 seconds.
<Eudemon> system-view
[Eudemon] snmp-agent trap life 60

Related Topics
1.8.21 snmp-agent trap enable
1.8.20 snmp-agent target-host

1.8.24 snmp-agent trap queue-size

Function
Using the snmp-agent trap queue-size command, you can set the queue length of the trap packet
sent to the destination host.
Using the undo snmp-agent trap queue-size command, you can restore the default queue
length.

Format
snmp-agent trap queue-size size
undo snmp-agent trap queue-size

Parameters
size: specifies the queue length. The value is in the range of 1 to 1000.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the length is 100.
If a large number of Trap messages are sent during a period and the queue is full, Trap message
loss occurs. In such a case, you need to adjust the queue length to avoid Trap message loss.
If the duration for reserving Trap message is long, you must set a longer queue length of Trap
message; otherwise, Trap message loss occurs.

Examples
# Set the queue length of trap packets to 200.
<Eudemon> system-view
[Eudemon] snmp-agent trap queue-size 200

Related Topics
1.8.21 snmp-agent trap enable
1.8.20 snmp-agent target-host
1.8.23 snmp-agent trap life

1.8.25 snmp-agent trap source

Function
Using the snmp-agent trap source command, you can specify the source address from which
trap packets are sent.
Using the undo snmp-agent trap source command, you can cancel the current setting.

Format
snmp-agent trap source interface-type interface-number
undo snmp-agent trap source

Parameters
interface-type interface-number: specifies the source interface sending trap packets.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
Each SNMP trap packet has a trap address no matter from which interface it is sent. So you can
use this command to trace a specified event.

Examples
# Specify the IP address of the Ethernet 0/0/0 as the source address of trap packets.
<Eudemon> system-view
[Eudemon] snmp-agent trap source Ethernet 0/0/0

Related Topics
1.8.20 snmp-agent target-host

1.8.26 snmp-agent usm-user

Function
Using the snmp-agent usm-user command, you can add a new user to an SNMP group.
Using the undo snmp-agent usm-user command, you can delete an SNMP group user.

Format
snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
undo snmp-agent usm-user { v1 | v2c } user-name group-name
snmp-agent usm-user v3 user-name group-name [ [ authentication-mode { md5 | sha } auth-password ] [ privacy-mode des56 priv-password ] ] [ acl acl-number ]
undo snmp-agent usm-user v3 user-name group-name { local | engineid engineid-id }

Parameters
v1: specifies the SNMPv1 security mode the user uses.
v2c: specifies the SNMPv2c security mode the user uses.
v3: specifies the V3 security mode the user uses.
user-name: specifies the user name. It is a string of 1 to 32 characters.
group-name: specifies the name of the group the user belongs to. It is a string of 1 to 32 characters.
acl: sets the ACL for the access view.
acl-number: specifies the basic ACL. The value is in the range of 2000 to 2999.
authentication-mode: specifies the authentication mode.
md5: specifies the authentication protocol as HMAC-MD5-96.
sha: specifies the authentication protocol as HMAC-SHA-96.
auth-password: specifies the authentication password. It is a string of 1 to 64 characters.
privacy-mode: specifies the encryption mode.
des56: specifies the encryption protocol as DES.
priv-password: specifies the encryption password. It is a string of 1 to 64 characters.
engineid: specifies the engine ID associated with the user.
engineid-string: specifies the character string of the engine ID. It is in the range of 10 to 64
characters.
local: indicates the local entity user.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, after you configure a remote user for a certain agent, the system uses the engine
ID in authentication. If the engine ID changes after the user is configured, the user
corresponding to the original engine ID becomes invalid.

For SNMPv1 and SNMPv2c, you can use this command to add a new community name. For
SNMPv3, you can use this command to add a new user to an SNMP group.

Examples
# Add a user named John to the SNMP group named Johngroup, with the security level being
authentication, the authentication protocol being MD5 and the password being hello.
<Eudemon> system-view
[Eudemon] snmp-agent usm-user v3 John Johngroup authentication-mode md5 hello

Related Topics
1.8.15 snmp-agent group
1.8.14 snmp-agent community
1.8.16 snmp-agent local-engineid
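
The Usage Guidelines above state that a user becomes invalid when the engine ID changes. The sketch below shows why under the standard USM key derivation of RFC 3414, which defines HMAC-MD5-96 and HMAC-SHA-96: the key derived from the password is bound to the engine ID. It is an added example, not Huawei code; that the Eudemon follows RFC 3414 here is an assumption, the function names are hypothetical, and the engine ID 000007DBC0000201 is constructed from the rules in 1.8.16.

```python
import hashlib

ONE_MEGABYTE = 1048576  # RFC 3414 hashes exactly this many bytes of repeated password


def parse_engine_id(hex_string):
    """Split an engine ID into its parts following the rules listed in 1.8.16.

    Assumption: the 10 to 64 hexadecimal characters form whole bytes (even length).
    """
    if not 10 <= len(hex_string) <= 64:
        raise ValueError("engine ID must be 10 to 64 hexadecimal characters")
    raw = bytes.fromhex(hex_string)  # raises ValueError on non-hex or odd length
    return {
        "first_bit": raw[0] >> 7,
        "enterprise": int.from_bytes(raw[:4], "big") & 0x7FFFFFFF,
        "device_info": raw[4:],
    }


def password_to_key(password, hash_name="md5"):
    """RFC 3414 password-to-key step: hash 1 MB of the cyclically repeated password."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(password, engine_id_hex, hash_name="md5"):
    """RFC 3414 key localization: hash(Ku || engineID || Ku)."""
    ku = password_to_key(password, hash_name)
    return hashlib.new(hash_name, ku + bytes.fromhex(engine_id_hex) + ku).digest()


def user_survives_engine_change(password, old_engine, new_engine, hash_name="md5"):
    """True only if the localized key is the same under both engine IDs."""
    return (localize_key(password, old_engine, hash_name)
            == localize_key(password, new_engine, hash_name))


if __name__ == "__main__":
    # Constructed engine ID: Huawei enterprise number 000007DB + IP 192.0.2.1.
    default_like = "000007DBC0000201"
    print(parse_engine_id(default_like))
    # User John from the example above (md5, password hello), before and after
    # the engine ID is changed to the value used in the 1.8.16 example.
    print(localize_key("hello", default_like).hex())
    print(localize_key("hello", "12345A4B1C").hex())
    print(user_survives_engine_change("hello", default_like, "12345A4B1C"))
```

Pass "sha1" as hash_name for a user configured with the sha keyword.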

1.9 VPN Manager Configuration Commands


1.9.1 secoway-server

1.9.1 secoway-server

Function
Using the secoway-server command, you can enable the automatic registration function of the
Eudemon and configure the IP address of the NMS for the automatic registration.

Using the undo secoway-server command, you can disable the automatic registration function
of the Eudemon.

Format
secoway-server ip-address ip-address

undo secoway-server ip-address ip-address

Parameters
ip-address ip-address: specifies the IP address of the NMS server. It is in dotted decimal
notation.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, no IP address of the NMS server is configured.

Examples
# Configure an IP address of the NMS server for the Eudemon.
<Eudemon> system-view
[Eudemon] secoway-server ip-address 202.38.1.2

2 Security Defense

About This Chapter

2.1 ACL Configuration Commands
2.2 Security Zone Configuration Commands
2.3 Session Configuration Commands
2.4 Packet Filter Configuration Commands
2.5 Attack Defence and Packet Statistics Configuration Commands
2.6 ASPF Configuration Commands
2.7 Blacklist Configuration Commands
2.8 MAC and IP Address binding Configuration Commands
2.9 Port Mapping Configuration Commands
2.10 NAT Configuration Commands
2.11 IDS Cooperation Configuration Commands
2.12 AAA Configuration Commands
2.13 RADIUS Server Configuration Commands
2.14 HWTACACS Server Configuration Commands
2.15 Domain Configuration Commands
2.16 Local User Configuration Commands
2.17 L2TP Configuration Commands
2.18 GRE Configuration Commands
2.19 SLB Configuration Commands
2.20 P2P Traffic Limiting Configuration Commands
2.21 Secospace Cooperation Configuration Commands
2.22 IP-CAR Configuration Commands

2.1 ACL Configuration Commands


2.1.1 acl accelerate enable
2.1.2 acl (System View)
2.1.3 address
2.1.4 description (ACL View)
2.1.5 description (Address Set View or Port Set View)
2.1.6 display acl
2.1.7 display ip address-set
2.1.8 display ip port-set
2.1.9 display time-range
2.1.10 ip address-set
2.1.11 ip port-set
2.1.12 port
2.1.13 reset acl counter
2.1.14 rule
2.1.15 step
2.1.16 time-range

2.1.1 acl accelerate enable

Function
Using the acl accelerate enable command, you can enable the ACL accelerated searching.

Using the undo acl accelerate enable command, you can disable the function.

Format
acl accelerate enable

undo acl accelerate enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the function is disabled.
The MAC address entry does not support the ACL accelerated searching.

Examples
# Enable the ACL accelerated searching.
<Eudemon> system-view
[Eudemon] acl accelerate enable

2.1.2 acl (System View)

Function
Using the acl command, you can create an ACL and enter the ACL view.
Using the undo acl command, you can delete an ACL.

Format
acl [ number ] acl-number [ match-order { config | auto } ]
undo acl { [ number ] acl-number | all }

Parameters
number acl-number: specifies the number of an Access Control List (ACL). It is an integer in
the following range:
• The ACL numbered from 2000 to 2999 is the basic ACL.
• The ACL numbered from 3000 to 3999 is the advanced ACL.
• The ACL numbered from 4000 to 4099 is the MAC address-based ACL.

match-order: specifies the match order.
config: filters packets against rules in the order in which they are configured.
auto: filters packets against rules in the system default order (based on "Depth-first" principle).
all: refers to all the ACLs.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
An ACL contains a series of rules, which are composed of permit or deny statements. You should
create an ACL before defining ACL rules.

When you create an ACL, you can specify the match order, which is an optional
parameter. By default, the match order is config.

Examples
# Create an ACL numbered 2010.
<Eudemon> system-view
[Eudemon] acl number 2010
[Eudemon-acl-basic-2010]

2.1.3 address

Function
Using the address command, you can set the address elements in the address set.

Using the undo address command, you can delete the specified address elements in the address
set.

Format
address [ address-id ] ip-address wildcard [ description ]

undo address address-id

Parameters
address-id: specifies the code of the address element; it is an integer that ranges from 0 to 255.

ip-address: specifies the IP address in dotted decimal.

wildcard: specifies the address wildcard in dotted decimal. 0 and 0.0.0.0 indicate the host.

description: describes the elements in the address set. It is a string of 1 to 32 characters.

Views
Address set view

Default Level
2: Configuration level

Usage Guidelines
When you configure the address command with a code specified:
• If an address element with the specified code already exists, the Eudemon prompts an
error.
• If no address element corresponds to the code, a new address element is created by
using the specified code.
If no code is specified, an address element is added. The system automatically allocates a code
for the address element.
Up to 256 address elements can be set for one address set. The address elements in one address
set cannot be the same.

Examples
# Set the address elements in the address set abc.
<Eudemon> system-view
[Eudemon] ip address-set abc
[Eudemon-address-set-abc] address 1 1.1.1.0 0.0.0.255
[Eudemon-address-set-abc] address 2 2.2.2.0 0.0.0.255

Related Topics
2.1.10 ip address-set
2.1.7 display ip address-set
2.1.14 rule
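
How the wildcard of an address element selects addresses, with a check for a netmask typed where the wildcard belongs. This is an added example, not part of the original manual; it assumes the usual inverse-mask reading (a 0 bit must match, a 1 bit is ignored), and the third element of the sample set and all function names are constructed.

```python
import ipaddress

# Address set abc from the example above, plus one constructed element (code 3)
# in which a netmask was typed where the wildcard belongs.
SAMPLE_SET = """\
ip address-set abc
 address 1 1.1.1.0 0.0.0.255
 address 2 2.2.2.0 0.0.0.255
 address 3 10.1.0.0 255.255.0.0
"""


def to_int(dotted):
    """Dotted decimal to integer; the manual also accepts 0 for 0.0.0.0."""
    return int(ipaddress.IPv4Address("0.0.0.0" if dotted == "0" else dotted))


def element_matches(ip, base, wildcard):
    """Compare only the bits that are 0 in the wildcard."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(ip) & care) == (to_int(base) & care)


def looks_like_netmask(wildcard):
    """True for values such as 255.255.255.0: ones from the top bit down, then zeros."""
    w = to_int(wildcard)
    inverted = ~w & 0xFFFFFFFF
    return 0 < w < 0xFFFFFFFF and (inverted & (inverted + 1)) == 0


def parse_address_set(text):
    """Return (code, ip-address, wildcard) for each 'address' line; code may be None."""
    elements = []
    for line in text.splitlines():
        tokens = line.split()
        if "address" not in tokens or "undo" in tokens:
            continue
        args = tokens[tokens.index("address") + 1:]
        code = None
        if args and "." not in args[0]:  # optional address-id comes first
            code = int(args.pop(0))
        if len(args) >= 2:
            elements.append((code, args[0], args[1]))
    return elements


def set_contains(elements, ip):
    """True if any element of the address set matches ip."""
    return any(element_matches(ip, base, wc) for _, base, wc in elements)


def check_address_set(elements):
    """Flag values outside the documented limits and wildcards that look like netmasks."""
    findings = []
    if len(elements) > 256:
        findings.append("more than 256 address elements in one address set")
    for code, base, wildcard in elements:
        if code is not None and not 0 <= code <= 255:
            findings.append("address %d: code is outside 0 to 255" % code)
        if looks_like_netmask(wildcard):
            findings.append("address %s %s: wildcard looks like a netmask" % (base, wildcard))
    return findings


if __name__ == "__main__":
    elements = parse_address_set(SAMPLE_SET)
    for ip in ("1.1.1.77", "10.1.5.5", "172.16.0.0"):
        print(ip, set_contains(elements, ip))
    print(check_address_set(elements))
```

With the wildcard 255.255.0.0, element 3 ignores the first two octets, so it matches 172.16.0.0 but not 10.1.5.5.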

2.1.4 description (ACL View)

Function
Using the description command, you can record the user's description of the ACL rule.
Using the undo description command, you can delete the description of an ACL.

Format
description text
undo description

Parameters
text: After you configure an ACL rule, you can write descriptive characters about this rule. The
Eudemon saves the descriptive characters.

Views
ACL view

Default Level
2: Configuration level

Usage Guidelines
You can view the information by using the display command.

Examples
# Add a description for ACL 2000.
<Eudemon> system-view
[Eudemon]acl number 2000
[Eudemon-acl-basic-2000]description it is basic acl
[Eudemon-acl-basic-2000]display acl 2000
Basic ACL 2000, 0 rule
it is basic acl
Acl's step is 5

2.1.5 description (Address Set View or Port Set View)

Function
Using the description command, you can configure the description of address sets or port sets.

Using the undo description command, you can delete the description of address sets or port
sets.

Format
description text

undo description

Parameters
text: indicates the description of address sets or port sets. It is a string of 1 to 127 characters.

Views
Address set view, port set view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Configure the description of address set abc as test.
<Eudemon> system-view
[Eudemon] ip address-set abc
[Eudemon-address-set-abc] description test

2.1.6 display acl

Function
Using the display acl command, you can view the ACL rules or the running status of accelerated
ACL searching.

Format
display acl { all | acl-number1 [ rule-id rule-id ] | accelerate [ acl-number2 ] }

Parameters
all: displays all the ACLs.
acl-number1: defines a number-based ACL in a range of 2000 to 4099, where:
• The ACL numbered from 2000 to 2999 is the basic ACL.
• The ACL numbered from 3000 to 3999 is the advanced ACL.
• The ACL numbered from 4000 to 4099 is the MAC address-based ACL.

rule-id: specifies the ID of an ACL rule in a range of 0 to 4294967294.
accelerate: displays the running of accelerated ACL searching.
acl-number2: specifies an ACL number in a range of 2000 to 3999.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the rules in ACL 2001.
<Eudemon> display acl 2001
Basic acl 2001, 2 rules,
rule 1 permit (0 times matched)
rule 2 permit source 1.1.1.1 0 (0 times matched)

# Display the rules in ACL 3100.


<Eudemon> display acl 3100
Advanced ACL 3100, 3 rules,
rule 0 permit icmp (2 times matched)
rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 (0 times matched)
rule 2 permit tcp source 10.110.0.0 0.0.255.255 (0 times matched)

# Display the running of accelerated ACL searching.


<Eudemon> display acl accelerate
acl accelerate is enabled
NOTE:UTD means Up to date, OTD means Out of date
ACL groups marked with ACCELERATE UTD are enabled for fast search, usual method for others
ID          ACCELERATE      STATUS
----------------------------------------
2020        ACCELERATE      UTD
3100        ACCELERATE      OOD
3101        UNACCELERATE    UTD
Financial   ACCELERATE      UTD

2.1.7 display ip address-set

Function
Using the display ip address-set command, you can view information on a specified address
set.

Format
display ip address-set { verbose address-set-name { item | reference } | all }

Parameters
verbose: displays the details of the specified address set.
address-set-name: specifies the name of the address set. It is a string of 1 character to 19
characters, starting with a letter from a to z or A to Z.
item: displays the content of the elements in the address set.
reference: displays the ACL rules that reference the specified address set.
all: displays the information on all the address sets.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the information on all the address sets.
<Eudemon>display ip address-set all
Address-set total number(s): 3
Address-set item total number(s): 50
Address-set reference total number(s): 7

Address-set : a
Description : testa
Item number(s): 50
Reference number(s): 3

Address-set : abc
Description : testb
Item number(s): 0
Reference number(s): 0

Address-set : abcd
Description : testc
Item number(s): 0
Reference number(s): 4

Table 2-1 lists the description of the display ip address-set all command output.

Table 2-1 Description of the display ip address-set all command output

Item                                     Description
Address-set total number(s)              Indicates the total number of address sets on the Eudemon.
Address-set item total number(s)         Indicates the total number of address elements on the Eudemon.
Address-set reference total number(s)    Indicates the total attempts that the ACL references the address set on the Eudemon.
Address-set                              Indicates the name of the address set.
Description                              Indicates the address set description.
Item number(s)                           Indicates the total number of address elements in the address set.
Reference number(s)                      Indicates the number of ACL references of the address set.

# Display the details of the address set named abcd.
<Eudemon> display ip address-set verbose abcd item
Address-set : abcd
Description : testc
Item number(s): 0
Reference number(s): 4
Item(s):

# Display the ACL rules that reference the address set named abcd on the Eudemon.
<Eudemon> display ip address-set verbose abcd reference
Address-set : abcd
Description : testc
Item number(s): 0
Reference number(s): 4
Reference(s):
acl 2000 rule 0
acl 3000 rule 5
acl 3000 rule 10
acl 3010 rule 0

Related Topics
2.1.10 ip address-set
2.1.3 address

2.1.8 display ip port-set

Function
Using the display ip port-set command, you can view the information on a specified port set.

Format
display ip port-set { verbose port-set-name { item | reference } | all }

Parameters
verbose: displays the details of the specified port set.
port-set-name: specifies the name of the port set. It is a string of 1 character to 19 characters,
starting with a letter from a to z or A to Z.
item: displays the content of the specified port set.
reference: displays the ACL rules that reference the specified port set.
all: displays the details of all the port sets.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the information on all the port sets.
<Eudemon>display ip port-set all
Port-set total number(s): 3
Port-set item total number(s): 8
Port-set reference total number(s): 1

Port-set Name: a
Description: aaaa
Protocol: tcp
Item number(s): 2
Reference number(s): 1

Port-set Name: b
Description: bbbb
Protocol: udp
Item number(s): 3
Reference number(s): 0

Port-set Name: c
Description: cccc
Protocol: tcp
Item number(s): 3
Reference number(s): 0

Table 2-2 describes the display ip port-set all command output.

Table 2-2 Description of the display ip port-set all command output

Item                                 Description
Port-set total number(s)             Indicates the total number of port sets on the Eudemon.
Port-set item total number(s)        Indicates the total number of port elements on the Eudemon.
Port-set reference total number(s)   Indicates the total number of times that ACLs reference
                                     port sets on the Eudemon.
Port-set Name                        Indicates the name of the port set.
Description                          Indicates the port set description.
Protocol                             Indicates the protocol of the port set: TCP or UDP.
Item number(s)                       Indicates the total number of port elements in the port set.
Reference number(s)                  Indicates the number of times that ACLs reference the port set.

# Display the details of the port set named abcd.
<Eudemon> display ip port-set verbose abcd item
Port-set Name: abcd
Description: abcdef
Protocol: tcp
Item number(s): 0
Reference number(s): 0
Item(s):

# Display the ACL rules that reference the port set abcd on the Eudemon.
<Eudemon> display ip port-set verbose abcd reference
Port-set Name: abcd
Description: abcdef
Protocol: tcp
Item number(s): 0
Reference number(s): 4
Reference(s):
acl 2000 rule 0
acl 3000 rule 5
acl 3000 rule 10
acl 3010 rule 0

Related Topics
2.1.11 ip port-set
2.1.12 port

2.1.9 display time-range

Function
Using the display time-range command, you can view the current setting and the state (active
or inactive) of the time range.

Format
display time-range { all | time-range-name }

Parameters
time-range-name: specifies the name of the time range.
all: displays all the time ranges.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The display time-range command may show that a time range is active while the ACL that uses it is
still inactive. This is normal: the system takes about 1 minute to update the ACL state, whereas
the display time-range command shows the state at the moment the command is run.

Examples
# Display all the time ranges.
<Eudemon> display time-range all
Current time is 17:15:50 3-9-2007 Thursday
Time-range : abc ( Inactive )
from 10:02 2007/3/8 to 24:00 2007/3/8

Table 2-3 Description of the display time-range all command output

Item                                         Description
Current time is 17:15:50 3-9-2007 Thursday   Current time
Time-range : abc ( Inactive )                Name and state of current time range
from 10:02 2007/3/8 to 24:00 2007/3/8        Details of current time range

# Display the time range named trname.
<Eudemon> display time-range trname
Current time is 02:49:36 2-15-2003 Saturday
Time-range : trname ( Inactive )
14:00 to 16:00 off-day from 00:00 2002/12/1 to 00:00 2003/12/1

2.1.10 ip address-set

Function
Using the ip address-set command, you can create an address set.
Using the undo ip address-set command, you can delete a specified address set.

Format
ip address-set address-set-name
undo ip address-set address-set-name

Parameters
address-set-name: specifies the name of the address set. It is a string of 1 character to 19
characters, starting with a letter from a to z or from A to Z.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the address set is not created.
The Eudemon can support up to 128 address sets.
When one address set is referenced by the ACL, the address set cannot be deleted.
After all the address elements are deleted from the address set, the Eudemon still keeps the
address set. At this time, you can run the undo ip address-set command to delete the empty
address set.

Examples
# Create an address set named abc.
<Eudemon> system-view
[Eudemon] ip address-set abc

Related Topics
2.1.3 address
2.1.14 rule

2.1.11 ip port-set

Function
Using the ip port-set command, you can create a port set.
Using the undo ip port-set command, you can delete a specified port set.

Format
ip port-set port-set-name protocol { tcp | udp }
undo ip port-set port-set-name

Parameters
port-set-name: specifies the name of the port set. It is a string of 1 character to 19 characters,
starting with a letter from a to z or A to Z.
tcp | udp: indicates the protocol type of the port set. It is TCP or UDP.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the port set is not created.
You must specify the protocol type when creating a port set for the first time.
The Eudemon can support up to 64 port sets.
When one port set is referenced by the ACL, the port set cannot be deleted.
After all the port elements are deleted from the port set, the Eudemon still keeps the port set. At
this time, you can run the undo ip port-set command to delete the empty port set.

Examples
# Create a port set named p1 that uses TCP.
<Eudemon> system-view
[Eudemon] ip port-set p1 protocol tcp

Related Topics
2.1.12 port
2.1.14 rule
2.1.8 display ip port-set

2.1.12 port

Function
Using the port command, you can set the port element in the port set.
Using the undo port command, you can delete the specified port elements in the port set.

Format
port [ port-id ] { eq | gt | lt } port-number1
port [ port-id ] range port-number1 port-number2
undo port port-id

Parameters
port-id: specifies the ID of the port element. Within one port set, a port ID identifies exactly
one port element; it is an integer in the range 0 to 63.
eq | gt | lt | range: specifies the port operator: equal to, greater than, less than, or within
a range, respectively.
port-number1 port-number2: specifies the port name or number. When a port name is used, the
value can be: CHARgen, bgp, cmd, daytime, discard, dns, echo, exec, finger,
ftp, ftp-data, gopher, hostname, https, imap, irc, klogin, kshell, login, lpd, mms, nntp,
pop2, pop3, pptp, rtsp, smtp, sqlnet, ssh, sunrpc, tacacs, talk, telnet, time, uucp, whois, and
www. When a number is used, it is an integer in the range 0 to 65535.

Views
Port set view

Default Level
2: Configuration level

Usage Guidelines
When you run the port command with a port-id (code) specified:
- If a port element with that code already exists, the Eudemon reports an error.
- If no port element has that code, a new port element is created with the specified code.
If no code is specified, a port element is added and the system automatically allocates a code
for it.
Up to 64 port elements can be set for one port set. The port elements in one port set cannot be
the same.

Examples
# Create a TCP port set named p1 and add two port elements to it.
<Eudemon> system-view
[Eudemon] ip port-set p1 protocol tcp
[Eudemon-tcp-port-set-p1] port eq 45
[Eudemon-tcp-port-set-p1] port gt 450

Related Topics
2.1.11 ip port-set
2.1.8 display ip port-set
2.1.14 rule

2.1.13 reset acl counter

Function
Using the reset acl counter command, you can reset the statistics on the ACL counter.

Format
reset acl counter { all | acl-number }

Parameters
all: resets all the ACLs.

acl-number: specifies a number-based ACL in the range 2000 to 3999 or 4000 to 4099.
- ACLs numbered from 2000 to 2999 are basic ACLs.
- ACLs numbered from 3000 to 3999 are advanced ACLs.
- ACLs numbered from 4000 to 4099 are MAC address-based ACLs.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Reset the statistics on the ACL 2001 counter.
<Eudemon> reset acl counter 2001

2.1.14 rule

Function
Using the rule command in the ACL view, you can add a rule.
Using the undo rule command, you can delete a rule.

Format
- Add/Delete a rule to/from a basic ACL
rule [ rule-id ] { permit | deny } [ source { source-address source-wildcard |
  address-set address-set-name | any } | time-range time-name | logging ] *
undo rule rule-id [ source | time-range | logging ] *
- Add/Delete a rule to/from an advanced ACL
rule [ rule-id ] { permit | deny } protocol [ source { source-address source-wildcard |
  address-set address-set-name | any } | destination { destination-address
  destination-wildcard | address-set address-set-name | any } | source-port { operator port |
  range port1 port2 | port-set port-set-name } | destination-port { operator port | range port1
  port2 | port-set port-set-name } | icmp-type { icmp-type icmp-code | icmp-message } |
  precedence precedence | tos tos | time-range time-name | logging ] *
undo rule rule-id [ source | destination | source-port | destination-port | icmp-type |
  precedence | tos | time-range | logging ] *
- Add/Delete a rule to/from a MAC-address-based ACL
rule [ rule-id ] { permit | deny } [ type type-code type-wildcard | lsap lsap-code
  lsap-wildcard ] [ source-mac source-address source-mac-wildcard ] [ dest-mac
  destination-address destination-mac-wildcard ]
undo rule rule-id

Parameters
rule-id: specifies the ID of an ACL rule in the range 0 to 4294967294. It is an optional
parameter. If the specified ID has already been assigned to a rule, the new rule is overlaid on
that rule, which is equivalent to editing the existing rule. If the specified ID is not assigned
to any rule, a new rule is created with that ID. If no ID is specified when you create a rule,
the system assigns an ID to the rule automatically.
deny: denies the matched packets.
permit: permits the matched packets.
protocol: specifies the protocol carried over IP, by name or by number. The number ranges from
1 to 255. The name can be gre, icmp, igmp, ip, ipinip, tcp, or udp.
source source-address source-wildcard: specifies the source addresses for the ACL rule. It is an
optional parameter. Without the parameter, all packets match ACL rules. source-address
refers to the source address of a data packet, in dotted decimal format. source-wildcard
refers to the wildcard of the source address, in dotted decimal format. Entering "any"
means the source address is 0.0.0.0 and the wildcard is 255.255.255.255.
address-set address-set-name: specifies an address set.
destination destination-address destination-wildcard: specifies the destination addresses for
the ACL rule. It is an optional parameter. Without the parameter, all packets match ACL
rules. destination-address refers to the destination address of a data packet, in dotted
decimal format. destination-wildcard refers to the wildcard of the destination address, in
dotted decimal format. Entering "any" means the destination address is 0.0.0.0 and the
wildcard is 255.255.255.255.

icmp-type { icmp-type icmp-code | icmp-message }: specifies the type and message code of ICMP
packets. It is valid only when the protocol is ICMP. It is an optional parameter.
Without the parameter, all ICMP packets match ACL rules. Where:
- icmp-type: filters ICMP packets by ICMP message type, given as a number in the range
  0 to 255.
- icmp-code: additionally filters those packets by message code, given as a number in the
  range 0 to 255.
- icmp-message: filters ICMP packets by the type name of the ICMP message.

source-port: specifies the source port of UDP/TCP packets. It is valid only when the protocol
in the rule is TCP or UDP. It is an optional parameter. Without the parameter, all TCP/UDP
packets match ACL rules.

destination-port: specifies the destination port of UDP/TCP packets. It is valid only when the
protocol in the rule is TCP or UDP. It is an optional parameter. Without the parameter, all
TCP/UDP packets match ACL rules.

operator: specifies the operator used to compare the source or destination port number. It is
an optional parameter. The operators and their meanings are as follows:
- lt: less than port.
- gt: greater than port.
- eq: equal to port.
- neq: not equal to port.

range: indicates the port numbers between port1 and port2.

port, port1, port2: specify port names or numbers of the TCP/UDP packets; this parameter is
represented by names or numbers from 0 to 65535.

port-set port-set-name: specifies a port set.

precedence precedence: filters packets by precedence, given as a name or a number in the range
0 to 7. It is an optional parameter.

tos tos: filters packets by type of service, given as a name or a number in the range 0 to 15.
It is an optional parameter.

logging: logs matched packets. It is an optional parameter. The log includes the
sequence number of the ACL rule, the state of the packet (passed or discarded), the type of
upper-layer protocol over IP, the source IP address or destination IP address, the source port
number or destination port number, and the time when the data packet matched the ACL.

time-range time-name: refers to the valid period of an ACL rule. time-name is a string of 1 to
32 characters.

type type-code type-wildcard: compares the protocol type of a packet with the one configured
in an ACL rule. type-code is represented by a hexadecimal number in the format of xxxx.
type-wildcard denotes wildcards (masks) of protocol types.

lsap lsap-code lsap-wildcard: compares the encapsulation format of a packet on an interface
with the one configured in an ACL rule. lsap-code is represented by a hexadecimal number in
the format of xxxx. lsap-wildcard denotes wildcards (masks) of protocol types.

source-mac source-mac-address source-mac-wildcard: compares the source address of a data
frame with the one configured in an ACL rule. source-address refers to the source MAC address
of the data frame in the format of xxxx-xxxx-xxxx. source-mac-wildcard refers to the wildcard
(mask) of the source MAC address.

dest-mac destination-address destination-wildcard: compares the destination address of a data
frame with the one configured in an ACL rule. destination-address refers to the destination MAC
address of the data frame in the format of xxxx-xxxx-xxxx. destination-wildcard refers to the
wildcard (mask) of the destination MAC address.

Views
Group1 in basic ACL view

Group2 in advanced ACL view

Group3 in MAC-address-based ACL view

Default Level
2: Configuration level

Usage Guidelines
You must specify the number of the rule that you want to delete. If you do not know the
number of the rule, you can view it by using the display acl command.

Parameters in the undo rule command are described as follows:

- rule-id: specifies the ID of an existing rule. If no parameter follows it, the rule is
  deleted completely. Otherwise, only the specified information is deleted from the rule.
- source/destination: deletes only the source or destination address in the corresponding
  rule. It is an optional parameter.
- source-port/destination-port: deletes only the source or destination port in the
  corresponding rule. It is an optional parameter and applies only to TCP/UDP rules.
- icmp-type: deletes the ICMP type and message code in the corresponding rule. It is valid only
  when ICMP is applied in the rule. It is an optional parameter.
- precedence: deletes the precedence information in the corresponding rule. It is an
  optional parameter.
- tos: deletes only the tos information in the corresponding rule. It is an optional
  parameter.
- time-range: deletes only the setting that makes the corresponding rule take effect in the
  valid period. It is an optional parameter.
- logging: stops the corresponding rule from logging matched packets. It is an
  optional parameter.

When an ACL uses the auto match mode, its rules cannot reference address sets or port sets.

Examples
# Create ACL 3101 and add a rule to ACL 3101 that denies receiving or sending RIP packets.
<Eudemon> system-view
[Eudemon] acl number 3101
[Eudemon-acl-adv-3101] rule deny udp destination-port eq rip

# Add a rule that permits the hosts at 129.9.0.0 to send WWW packets to the hosts at
202.38.160.0.
[Eudemon-acl-adv-3101] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www

# Add a rule that denies the hosts at 129.9.0.0 from establishing connections with the WWW port
(80) of the hosts at 202.38.160.0 and logs the violation events.
[Eudemon-acl-adv-3101] rule deny tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www logging

# Add a rule that permits the hosts at 129.9.8.0 to establish connections with the WWW port
(80) of the hosts at 202.38.160.0.
[Eudemon-acl-adv-3101] rule permit tcp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port eq www

# Add a rule that denies any host from establishing Telnet connections with the port (23) of the
host at 202.38.160.1.
[Eudemon-acl-adv-3101] rule deny tcp destination 202.38.160.1 0 destination-port eq telnet

# Add a rule that denies the hosts at 129.9.8.0 from establishing UDP connections with ports
numbered greater than 128 on the hosts at 202.38.160.0.
[Eudemon-acl-adv-3101] rule deny udp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port gt 128

# Add a rule that permits the hosts at address set "a" and port set "a" to establish TCP connections
with the hosts at address set "b" and port set "b".
[Eudemon-acl-adv-3101] rule permit tcp source address-set a source-port port-set a destination address-set b destination-port port-set b
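
The wildcard and port-operator matching described under Parameters, applied to the first six ACL 3101 rules above, as an added Python example (it is not part of the Huawei reference and is not device code). It assumes that rules are checked in the order listed, which is not the auto match mode mentioned under Usage Guidelines, that range bounds are inclusive, and the well-known port numbers for www, telnet and rip; all function names are made up for this example.

```python
import ipaddress

# Well-known port numbers for the port names used in the rules above.
PORT_NAMES = {"www": 80, "telnet": 23, "rip": 520}

# The first six ACL 3101 rules from the Examples, each on one line.
ACL_3101 = [
    "rule deny udp destination-port eq rip",
    "rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www",
    "rule deny tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www logging",
    "rule permit tcp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port eq www",
    "rule deny tcp destination 202.38.160.1 0 destination-port eq telnet",
    "rule deny udp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port gt 128",
]


def _addr(text):
    # The page writes the host wildcard as a bare "0"; read it as 0.0.0.0.
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def _port(text):
    return PORT_NAMES[text] if text in PORT_NAMES else int(text)


def parse_rule(line):
    """Parse the subset of the advanced-ACL rule syntax used in the Examples."""
    tok = line.split()[1:]                      # drop the leading "rule"
    rule = {"action": tok[0], "protocol": tok[1], "logging": False}
    i = 2
    while i < len(tok):
        key = tok[i]
        if key in ("source", "destination"):
            if tok[i + 1] == "any":             # any = 0.0.0.0 255.255.255.255
                rule[key] = (0, 0xFFFFFFFF)
                i += 2
            else:
                rule[key] = (_addr(tok[i + 1]), _addr(tok[i + 2]))
                i += 3
        elif key in ("source-port", "destination-port"):
            if tok[i + 1] == "range":
                rule[key] = ("range", _port(tok[i + 2]), _port(tok[i + 3]))
                i += 4
            else:
                rule[key] = (tok[i + 1], _port(tok[i + 2]))
                i += 3
        elif key == "logging":
            rule["logging"] = True
            i += 1
        else:
            raise ValueError("keyword not handled by this example: " + key)
    return rule


def _addr_ok(cond, addr):
    if cond is None:                            # keyword omitted: any address
        return True
    base, wildcard = cond
    care = ~wildcard & 0xFFFFFFFF               # wildcard bit 1 = ignore this bit
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def _port_ok(cond, port):
    if cond is None:                            # keyword omitted: any port
        return True
    if cond[0] == "range":                      # bounds assumed inclusive
        return cond[1] <= port <= cond[2]
    op, value = cond
    return {"eq": port == value, "neq": port != value,
            "gt": port > value, "lt": port < value}[op]


def rule_matches(rule, pkt):
    if rule["protocol"] not in ("ip", pkt["protocol"]):
        return False
    return (_addr_ok(rule.get("source"), pkt["src"])
            and _addr_ok(rule.get("destination"), pkt["dst"])
            and _port_ok(rule.get("source-port"), pkt["sport"])
            and _port_ok(rule.get("destination-port"), pkt["dport"]))


def evaluate(lines, pkt):
    """Return (index, action, logging) of the first matching rule, or None."""
    for index, line in enumerate(lines):
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return index, rule["action"], rule["logging"]
    return None


def all_matches(lines, pkt):
    """Indexes of every matching rule; under first match only the first one acts."""
    return [i for i, line in enumerate(lines) if rule_matches(parse_rule(line), pkt)]


def packet(protocol, src, sport, dst, dport):
    return {"protocol": protocol, "src": src, "sport": sport, "dst": dst, "dport": dport}


if __name__ == "__main__":
    web = packet("tcp", "129.9.8.7", 40000, "202.38.160.20", 80)  # constructed sample
    print(evaluate(ACL_3101, web), all_matches(ACL_3101, web))
```

Under the listed-order assumption, the constructed web packet matches three rules but only the first permit acts on it, so the deny rule with logging and the narrower permit that follow never fire for that traffic.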

Related Topics
2.1.12 port
2.1.11 ip port-set
2.1.8 display ip port-set
2.1.3 address
2.1.10 ip address-set
2.1.7 display ip address-set

2.1.15 step

Function
Using the step command, you can specify a step for an ACL rule group.
Using the undo step command, you can restore the default step.

Format
step step-value

undo step

Parameters
step-value: specifies the value of the ACL step.

Views
ACL view

Default Level
2: Configuration level

Usage Guidelines
The step is the difference between consecutive rule IDs. For instance, if the step is set to 5,
the IDs are the multiples of 5 beginning with 5. The default is 5. The step makes it easy to
insert a rule. Given four rules (rule 0, rule 5, rule 10 and rule 15), you can use the
rule 1 xxxx command to insert a rule numbered 1 between rule 0 and rule 5.

NOTE

If the step is set, you need to delete the existing rules, including rule 0, before using the step
command to change the step or running the undo step command to restore the default step.

Examples
# Set the step of ACL 3101 to 2.
<Eudemon> system-view
[Eudemon] acl number 3101
[Eudemon-acl-adv-3101] step 2

2.1.16 time-range

Function
Using the time-range command, you can define a time range that specifies a particular period.

Using the undo time-range command, you can delete a time range.

Format
time-range time-range-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

undo time-range time-range-name [ start-time to end-time days | from time1 date1 [ to time2 date2 ] ]

Parameters
time-range-name: specifies the name of the time range, a string of 1 to 32 characters. It
must begin with an English letter (a through z or A through Z). To avoid confusion, the name
cannot be the word "all".
start-time: specifies the start time of the time range in the format of hh:mm. The range of hh is
0 to 23 hours and that of mm is 0 to 59 minutes.
end-time: specifies the end time of the time range in the format of hh:mm. The range of hh is 0
to 23 hours and that of mm is 0 to 59 minutes.
days: specifies the days of the week on which the time range is valid. The values are as follows:
- Numbers 0 to 6 refer to Monday to Sunday.
- working-day refers to Monday to Friday.
- off-day refers to Saturday and Sunday.
- daily refers to all the days of the week.

from time1 date1: specifies the time and date at which the range starts. It is an optional
parameter.
- The format of time1 is hh:mm with hh in a range of 0 to 23 and mm in a range of 0
  to 59.
- The format of date1 is YYYY/MM/DD with DD in a range of 1 to 31, MM in a
  range of 1 to 12 and YYYY represented by 4 digits.
Without the parameter, there is no limit on the start time and only the end time is taken
into consideration.
to time2 date2: specifies the time and date at which the range ends. It is an optional
parameter. The formats of time2 and date2 are identical to those of the start time. The end time
must be later than the start time. Without the parameter, the end time is the greatest time
available in the system.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
- Use the start-time and end-time parameters to specify a time range that recurs weekly; the
  days parameter in the command specifies the days on which it is valid.
- Use the keywords from and to to specify the valid period of a specific time range.

You can configure multiple time ranges with the same name to describe one time range, and
then apply that time range by specifying the name.

Examples
# Set 0:0 of Jan. 1, 2003 as the effective date.
<Eudemon> system-view
[Eudemon] time-range test from 0:0 2003/1/1

# Set the ACL rule to take effect between 14:00 and 16:00 on weekends (Saturday and Sunday)
and from 20:00 of 2003/4/1 to 20:00 of 2003/12/10.
[Eudemon] time-range test 14:00 to 16:00 off-day
[Eudemon] time-range test from 20:00 2003/4/1 to 20:00 2003/12/10

# Set the ACL rule to take effect between 8:00 and 18:00 from Monday to Friday.
[Eudemon] time-range test 8:00 to 18:00 working-day

# Set the ACL rule to take effect between 14:00 and 18:00 on weekends (Saturday and Sunday).
[Eudemon] time-range test 14:00 to 18:00 off-day
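
How same-name time-range entries decide the Active or Inactive state printed by display time-range (2.1.9), as an added Python example (it is not part of the Huawei reference and is not device code). It assumes that a range is active when the current time falls in at least one weekly entry (if any exist) and in at least one from/to entry (if any exist), and that end bounds are exclusive; the page does not spell out either point. All function names are made up for this example, and only the day keywords working-day, off-day and daily are handled.

```python
from datetime import datetime, timedelta

# datetime.weekday() numbering: Monday=0 ... Sunday=6.
DAY_SETS = {
    "working-day": {0, 1, 2, 3, 4},
    "off-day": {5, 6},
    "daily": {0, 1, 2, 3, 4, 5, 6},
}

# The two ranges shown in the display time-range examples (2.1.9).
ABC = ["from 10:02 2007/3/8 to 24:00 2007/3/8"]
TRNAME = ["14:00 to 16:00 off-day", "from 00:00 2002/12/1 to 00:00 2003/12/1"]
# Two weekly entries configured under one name, as in the Examples above.
WEEKLY = ["8:00 to 18:00 working-day", "14:00 to 18:00 off-day"]


def _minutes(hhmm):
    hours, minutes = (int(part) for part in hhmm.split(":"))
    return hours * 60 + minutes


def _stamp(hhmm, date):
    # Adding a timedelta keeps "24:00", as printed by display time-range,
    # valid: it becomes 00:00 of the following day.
    year, month, day = (int(part) for part in date.split("/"))
    return datetime(year, month, day) + timedelta(minutes=_minutes(hhmm))


def parse_entry(text):
    """Parse one entry: weekly (start to end days) or absolute (from ... [to ...])."""
    tok = text.split()
    if tok[0] == "from":
        start = _stamp(tok[1], tok[2])
        # No "to" part: the end is the greatest time available.
        end = _stamp(tok[4], tok[5]) if len(tok) > 3 else datetime.max
        if end <= start:
            raise ValueError("the end time must be later than the start time")
        return ("absolute", start, end)
    if len(tok) != 4 or tok[1] != "to" or tok[3] not in DAY_SETS:
        raise ValueError("entry not handled by this example: " + text)
    return ("periodic", _minutes(tok[0]), _minutes(tok[2]), DAY_SETS[tok[3]])


def is_active(entries, now):
    """True if the time range built from these same-name entries is active at now."""
    parsed = [parse_entry(entry) for entry in entries]
    periodic = [p for p in parsed if p[0] == "periodic"]
    absolute = [p for p in parsed if p[0] == "absolute"]
    minute_of_day = now.hour * 60 + now.minute
    # Assumption: weekly entries are alternatives, absolute entries are
    # alternatives, and both groups must hold when both are present.
    in_periodic = not periodic or any(
        now.weekday() in days and start <= minute_of_day < end
        for _, start, end, days in periodic)
    in_absolute = not absolute or any(
        start <= now < end for _, start, end in absolute)
    return in_periodic and in_absolute


def state(entries, now):
    """The word display time-range prints in parentheses after the name."""
    return "Active" if is_active(entries, now) else "Inactive"


if __name__ == "__main__":
    # Current times taken from the two display time-range outputs.
    print("abc", state(ABC, datetime(2007, 3, 9, 17, 15, 50)))
    print("trname", state(TRNAME, datetime(2003, 2, 15, 2, 49, 36)))
```

Both display outputs in 2.1.9 are reproduced as Inactive: abc because its end date has passed, and trname because 02:49 on a Saturday is inside the date window but outside 14:00 to 16:00.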

2.2 Security Zone Configuration Commands

2.2.1 add interface (Security Zone View)
2.2.2 description (Security Zone View)
2.2.3 display interzone
2.2.4 display zone
2.2.5 firewall interzone
2.2.6 firewall zone
2.2.7 set priority

2.2.1 add interface (Security Zone View)

Function
Using the add interface command, you can add interfaces to security zones.

Using the undo add interface command, you can remove interfaces from security zones.

Format
add interface interface-type interface-number

undo add interface interface-type interface-number

Parameters
interface-type: specifies the type of an interface.

interface-number: specifies the number of an interface.

Views
Security zone view

Default Level
2: Configuration level

Usage Guidelines
Except for the local zone, every security zone must be bound to specific interfaces before it
can be used; that is, you should add either physical interfaces or logical interfaces to those zones.
This command can be used repeatedly to add interfaces to security zones. A security zone can
contain up to 1024 interfaces.

Examples
# Enter trust zone view and add the interface Ethernet 0/0/0 to the trust zone.
<Eudemon> system-view
[Eudemon] firewall zone trust
[Eudemon-zone-trust] add interface Ethernet 0/0/0

Related Topics
2.2.6 firewall zone
2.2.4 display zone

2.2.2 description (Security Zone View)

Function
Using the description command, you can set the description of a security zone.
Using the undo description command, you can cancel the description of a security zone.

Format
description text
undo description

Parameters
text: specifies the description. It is a string of 1 to 64 characters.

Views
Security zone view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Set the description of the Trust zone as abc.
<Eudemon> system-view
[Eudemon] firewall zone trust
[Eudemon-zone-trust] description abc

2.2.3 display interzone

Function
Using the display interzone command, you can view interzone security policies.

Format
display interzone [ zone-name1 zone-name2 ]

Parameters
zone-name1: specifies the name of a security zone.
zone-name2: specifies the name of a security zone.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If no security zone is specified, you can view all interzones.

Examples
# Display security policies between the trust zone and the DMZ zone.
<Eudemon> system-view
[Eudemon] display interzone trust dmz
interzone trust DMZ
packet-filter 2011 inbound
detect ftp

The output above shows the interzone security policy:
- ACL 2011 is applied to filter the inbound packets between the trust zone and the DMZ zone.
- The state-based ASPF filtering policy is applied to FTP traffic.

Related Topics
2.2.6 firewall zone
2.2.4 display zone

2.2.4 display zone

Function
Using the display zone command, you can view a security zone, such as the priority of the
security zone and interfaces in the security zone.

Format
display zone [ zone-name ] [ interface | priority ]

Parameters
zone-name: specifies the name of a security zone.

interface: displays the interfaces in the specified security zone.

priority: displays the priority of the specified security zone.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If no security zone is specified, you can view all security zones.

If neither the interface nor the priority parameter is specified, all configuration is displayed.

Examples
# Display the DMZ zone.
<Eudemon> display zone dmz
dmz
priority is 50
interface of the zone is (0):
#

As shown in the above information, the priority of the DMZ zone is 50.

Related Topics
2.2.6 firewall zone
2.2.1 add interface (Security Zone View)
2.2.7 set priority

2.2.5 firewall interzone

Function
Using the firewall interzone command, you can access interzone view. Using the quit
command, you can quit interzone view.

Format
firewall interzone zone-name1 zone-name2

Parameters
zone-name1: specifies the name of a security zone.
zone-name2: specifies the name of a security zone.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
To set security policies for zones, you should access interzone view first.
The sequence of zone-name1 and zone-name2 does not depend on priorities.
The system can support up to 256 interzones.

Examples
# Access interzone view between the trust zone and the DMZ zone.
<Eudemon> system-view
[Eudemon] firewall interzone trust dmz
[Eudemon-interzone-trust-dmz]

Related Topics
2.2.3 display interzone

2.2.6 firewall zone

Function
Using the firewall zone command, you can create a new security zone and access the zone or
other existing zones. Using the quit command, you can quit zone view.
Using the undo firewall zone name zone-name command, you can delete a zone.

Format
firewall zone [ name ] zone-name

undo firewall zone name zone-name

Parameters
name: indicates that the zone named by zone-name is being created or deleted.
zone-name: specifies the name of the security zone, which is case insensitive and can contain
up to 32 characters. The name can contain the characters A to Z, a to z, 0 to 9, and "_", and
must start with a letter (A to Z or a to z).

Views
System view

Default Level
2: Configuration level

Usage Guidelines
There are four default security zones:
• Local zone
• Trust zone
• DMZ zone
• Untrust zone
These four security zones can neither be created nor be deleted.
Keyword name is used only when you create or delete a zone. You are not required to set the
keyword when accessing a zone view.
Once a security zone is deleted, all the configurations of the zone will be deleted as well.

Examples
# Create a security zone named userzone and access the zone.
<Eudemon> system-view
[Eudemon] firewall zone name userzone
[Eudemon-zone-userzone]

# Access trust zone view.
<Eudemon> system-view
[Eudemon] firewall zone trust
[Eudemon-zone-trust]

Related Topics
2.2.4 display zone
2.2.7 set priority
2.2.1 add interface (Security Zone View)

2.2.7 set priority

Function
Using the set priority command, you can set priorities for security zones.

Format
set priority security-priority

Parameters
security-priority: sets the priority of a security zone. It is an integer ranging from 1 to 100. The
greater the value is, the higher the priority is.

Views
Security zone view

Default Level
2: Configuration level

Usage Guidelines
Priorities can be set only for user-defined security zones. The priorities of the four default
security zones (local zone, trust zone, DMZ zone and untrust zone) are 100, 85, 50 and 5
respectively, and cannot be set manually.
By default, the priority of a user-defined security zone is 0.
Two different security zones in the same system cannot be set to the same priority.

Examples
# Set the priority of the security zone userzone to 60.
<Eudemon> system-view
[Eudemon] firewall zone name userzone
[Eudemon-zone-userzone] set priority 60

Related Topics
2.2.6 firewall zone
2.2.4 display zone

2.3 Session Configuration Commands

2.3.1 debugging firewall sessionreuse
2.3.2 display firewall fragment
2.3.3 display firewall session aging-time
2.3.4 display firewall session no-pat
2.3.5 display firewall session table
2.3.6 firewall long-link
2.3.7 firewall long-link aging-time
2.3.8 firewall session aging-time
2.3.9 firewall session aging-time accelerate enable
2.3.10 reset firewall session table

2.3.1 debugging firewall sessionreuse

Function
Using the debugging firewall sessionreuse command, you can enable the session reuse
debugging to view related information about session reuse.
Using the undo debugging firewall sessionreuse command, you can disable the session reuse
debugging.

Format
debugging firewall sessionreuse
undo debugging firewall sessionreuse

Parameters
None

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, the session reuse debugging is disabled.
After the session reuse debugging is enabled with the debugging firewall sessionreuse command,
the output indicates whether the current session is reused or newly established:
• If the current session is reused, the output information is:
  FW_SessNew: Reuse the exist session
• If the current session is newly established, the output information is:
  FW_SessNew: Create a new session, not reuse

Examples
# Enable the session reuse debugging to view the information about session reuse.
<Eudemon> debugging firewall sessionreuse

2.3.2 display firewall fragment

Function
Using the display firewall fragment command, you can display the fragment table of the
Eudemon.

Format
display firewall fragment

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the fragment table of the Eudemon.
<Eudemon> display firewall fragment

2.3.3 display firewall session aging-time

Function
Using the display firewall session aging-time command, you can view the aging time of
sessions.

Format
display firewall session aging-time

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Using this command, you can view the aging time of sessions for various protocols, such as FTP,
H.323, HTTP, HWCC, MSN, QQ, RTSP, SMTP, TCP, and UDP.

Examples
# Display the aging time of sessions.
<Eudemon> display firewall session aging-time
tcp protocol timeout:600s
udp protocol timeout:120s
icmp protocol timeout:20s
esp protocol timeout:600s
fragment timeout:5s
fin-rst protocol timeout:10s
syn protocol timeout:5s
long-link timeout:604800s
h225 timeout:1200s
h245 timeout:1200s
h323-rtcp timeout:120s
h323-rtp timeout:120s
h323-t120 timeout:10800s
netbios-name timeout:120s
netbios-session timeout:120s
netbios-data timeout:120s
ftp timeout:600s
ftp-data timeout:240s
hwcc timeout:120s
ras timeout:600s
ils timeout:600s
http timeout:600s
smtp timeout:600s
rtsp timeout:600s
rtcp timeout:120s
rtp timeout:120s
telnet timeout:600s
dns timeout:120s
pptp timeout:600s
qq timeout:120s
msn timeout:240s
user-define timeout:120s
sip timeout:600s
sip-rtp timeout:120s
sip-rtcp timeout:120s
mgcp timeout:130s
mgcp-rtp timeout:60s
mgcp-rtcp timeout:80s
mms timeout:600s
mms-data timeout:600s
sqlnet timeout:600s
sqlnet-data timeout:14400s

Table 2-4 lists the description of the display firewall session aging-time command output.

Table 2-4 Description of the display firewall session aging-time command output

Item                        Description
esp protocol timeout        Aging-time of ESP sessions
tcp protocol timeout        Aging-time of TCP sessions
udp protocol timeout        Aging-time of UDP sessions
icmp protocol timeout       Aging-time of ICMP sessions
fragment timeout            Aging-time of fragment packet entries
fin-rst protocol timeout    Aging-time of entries in FIN/RST state
syn protocol timeout        Aging-time of entries in SYN state
long-link timeout:604800s   Aging-time of long-link entries
h225 timeout                Aging-time of H.225 entries
h245 timeout                Aging-time of H.245 entries
h323-rtcp timeout           Aging-time of H.323-RTCP entries
h323-rtp timeout            Aging-time of H.323-RTP entries
h323-t120 timeout           Aging-time of H.323-T120 entries
ftp timeout                 Aging-time of FTP controlling channel
ftp-data timeout            Aging-time of FTP data channel
ras timeout                 Aging-time of RAS entries
ils timeout                 Aging-time of ILS entries
http timeout                Aging-time of HTTP entries
hwcc timeout                Aging-time of HWCC entries
smtp timeout                Aging-time of SMTP entries
rtsp timeout                Aging-time of RTSP entries
rtcp timeout                Aging-time of RTCP entries
rtp timeout                 Aging-time of RTP entries
telnet timeout              Aging-time of Telnet sessions
netbios-data timeout        Aging-time of NetBIOS data entries
netbios-name timeout        Aging-time of NetBIOS name entries
netbios-session timeout     Aging-time of NetBIOS session entries
dns timeout                 Aging-time of DNS sessions
pptp timeout                Aging-time of PPTP entries
qq timeout                  Aging-time of QQ entries
msn timeout                 Aging-time of MSN entries
user-define timeout         Aging-time of user-define entries
sip timeout                 Aging-time of SIP entries
sip-rtp timeout             Aging-time of SIP-RTP entries
sip-rtcp timeout            Aging-time of SIP-RTCP entries
mgcp timeout                Aging-time of MGCP entries
mgcp-rtp timeout            Aging-time of MGCP-RTP entries
mgcp-rtcp timeout           Aging-time of MGCP-RTCP entries
mms timeout                 Aging-time of MMS entries
mms-data timeout            Aging-time of MMS-data entries
sqlnet timeout              Aging-time of SQLNET entries
sqlnet-data timeout         Aging-time of SQLNET-data entries

2.3.4 display firewall session no-pat

Function
Using the display firewall session no-pat command, you can display the one-to-one Network
Address Translation (NAT) entries.

Format
display firewall session no-pat

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
You can run this command to view information about NAT entries after NAT no-PAT mode is
configured.

Examples
# Display the one-to-one NAT entries.
<Eudemon> display firewall session no-pat
Nopat information:
NOPAT: 6.6.6.1<--->7.7.7.10 ttl: 00:04:00 left: 00:03:59
22:25:38 12-16-2008

Table 2-5 lists the description of the display firewall session no-pat command output.

Table 2-5 Description of the display firewall session no-pat command output

Item        Description
NOPAT       One-to-one network address
6.6.6.1     IP address before NAT
7.7.7.10    IP address after NAT
ttl         Aging-time of No-PAT entries
left        Remaining time for deleting No-PAT entries

2.3.5 display firewall session table

Function
Using the display firewall session table command, you can display the session table entries.

Format
display firewall session table [ source { inside | global } { ip source-ip-address | port source-
port } * ] [ destination { inside | global } { ip destination-ip-address | port destination-port }
* ] [ application protocol ] [ nat ] [ long-link ] [ verbose [ timeout ] ]

Parameters
source: specifies the source IP address or port of the entry to be displayed.

source-ip-address: specifies a source IP address.

source-port: specifies a source port.

destination: specifies the destination IP address or port of the entry to be displayed.

destination-ip-address: specifies a destination IP address.

destination-port: specifies a destination port.

inside: specifies the IP address or port of the private network. For the source IP address,
inside specifies the intranet IP address before NAT; for the destination IP address, inside
specifies the real intranet IP address of the NAT server.

global: specifies the public IP address. For the source IP address, global specifies the public IP
address before NAT; for the destination IP address, global specifies the public IP address by
which the NAT server can be accessed by external users.
application protocol: displays the session entries of a specified application. protocol can be
replaced with the parameters such as dns, ftp, h323, http, hwcc, ils, mgcp, mms, msn, nbt,
pptp, qq, ras, rtsp, sip, smtp, sqlnet, telnet, and user-define.
nat: displays all session entries of NAT.
long-link: displays session entries of a long connection.
verbose: displays session entries in detail.
timeout: displays detailed information about the session entries that exceed the timeout time.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
By specifying the verbose parameter, you can view the information about the session traffic.

Examples
# Display detailed information about all session entries.
<Eudemon> display firewall session table verbose
tcp, TELNET,
6.6.6.2:23<--6.6.6.1:1805
Zone:local<--trust
Receive interface: Ethernet 0/0/0 Send interface: InLoopBack0
tag: 0x1080, State: 0x53, ttl: 00:10:00, left: 00:09:58
InTotalPkt:11, InTotalByt:505, OutTotalPkt:14, OutTotalByt:1111
Create Time: 2008/08/07 11:37:27
11:37:31 08-07-2008

Table 2-6 lists the description of the display firewall session table verbose command output.

Table 2-6 Description of the display firewall session table verbose command output

Item                       Description
TELNET                     Telnet protocol used by the session
6.6.6.1:1805               IP address and port number of the low priority
6.6.6.2:23                 IP address and port number of the high priority
tag                        Flag bit of the session option
State                      State of entries
ttl                        Aging-time of entries
left                       Remaining time for deleting entries
InTotalPkt/InTotalByt      Number of inbound packets/bytes
OutTotalPkt/OutTotalByt    Number of outbound packets/bytes

# Display the information about the session traffic of NAT whose source IP address is 50.50.50.6,
source port is 1234, destination address is 70.70.70.254, and destination port is 5680.
<Eudemon> display firewall session table source inside ip 50.50.50.6 port 1234
destination global ip 70.70.70.254 port 5680 nat
udp:40.40.40.254:5680[70.70.70.254:5680]<--50.50.50.6:1234
19:45:43 08-12-2008
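
The following Python script is an added example, not part of the original reference. It parses display firewall session table verbose output into records and lists the sessions that terminate in the local zone, marking cleartext applications. It assumes that each entry starts with a "protocol, APPLICATION," line and that the "<--" arrow points from the initiating side to the responding side; the first sample entry is the one shown above, the rest of the sample is constructed, and all function names are illustrative.

```python
import re

# Patterns follow the verbose sample shown in 2.3.5. The "<--" arrow is read as
# pointing from the initiating side to the responding side (an assumption).
HEAD_RE = re.compile(r"^\s*(\w+),\s*([\w-]+),\s*$")
FLOW_RE = re.compile(r"^\s*([\d.]+):(\d+)<--([\d.]+):(\d+)\s*$")
ZONE_RE = re.compile(r"^\s*Zone:\s*(\w+)<--(\w+)\s*$")
TIME_RE = re.compile(r"ttl:\s*(\d+):(\d+):(\d+),\s*left:\s*(\d+):(\d+):(\d+)")
COUNT_RE = re.compile(r"(InTotalPkt|InTotalByt|OutTotalPkt|OutTotalByt):(\d+)")
CLEARTEXT = {"TELNET", "FTP", "HTTP"}  # applications that carry credentials unencrypted


def _hms(h, m, s):
    """Convert an hh:mm:ss triple to seconds."""
    return int(h) * 3600 + int(m) * 60 + int(s)


def parse_sessions(text):
    """Return one dict per entry; entries missing a flow, zone or ttl line are dropped."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if m:  # a line such as "tcp, TELNET," starts a new entry
            cur = {"proto": m.group(1).lower(), "app": m.group(2).upper()}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = FLOW_RE.match(line)
        if m:
            cur.update(to_ip=m.group(1), to_port=int(m.group(2)),
                       from_ip=m.group(3), from_port=int(m.group(4)))
            continue
        m = ZONE_RE.match(line)
        if m:
            cur.update(to_zone=m.group(1).lower(), from_zone=m.group(2).lower())
            continue
        m = TIME_RE.search(line)
        if m:
            g = m.groups()
            cur.update(ttl_s=_hms(*g[:3]), left_s=_hms(*g[3:]))
        for key, val in COUNT_RE.findall(line):
            cur[key] = int(val)
    needed = ("to_ip", "to_zone", "ttl_s")
    return [r for r in records if all(k in r for k in needed)]


def sessions_to_firewall(records):
    """Entries whose responding side is in the local zone.

    Returns (from_zone, from_ip, app, to_port, cleartext) tuples.
    """
    return [(r["from_zone"], r["from_ip"], r["app"], r["to_port"], r["app"] in CLEARTEXT)
            for r in records if r["to_zone"] == "local"]


# First entry: the sample from 2.3.5. Second entry and the truncated third
# entry are constructed for this example.
SAMPLE = """\
<Eudemon> display firewall session table verbose
tcp, TELNET,
6.6.6.2:23<--6.6.6.1:1805
Zone:local<--trust
Receive interface: Ethernet 0/0/0 Send interface: InLoopBack0
tag: 0x1080, State: 0x53, ttl: 00:10:00, left: 00:09:58
InTotalPkt:11, InTotalByt:505, OutTotalPkt:14, OutTotalByt:1111
Create Time: 2008/08/07 11:37:27
tcp, HTTP,
10.1.1.5:80<--192.168.1.20:2201
Zone:dmz<--trust
Receive interface: Ethernet 0/0/1 Send interface: Ethernet 0/0/2
tag: 0x1080, State: 0x53, ttl: 00:10:00, left: 00:04:10
InTotalPkt:40, InTotalByt:5120, OutTotalPkt:38, OutTotalByt:30211
Create Time: 2008/08/07 11:30:02
udp, DNS,
11:37:31 08-07-2008
"""

if __name__ == "__main__":
    for row in sessions_to_firewall(parse_sessions(SAMPLE)):
        print(row)
```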

2.3.6 firewall long-link

Function
Using the firewall long-link command, you can enable the long link in the interzone view.
Using the undo firewall long-link command, you can disable the long link.

Format
firewall long-link acl-number { inbound | outbound }
undo firewall long-link { inbound | outbound }

Parameters
acl-number: specifies the number of the ACL in a range of 3000 to 3999.
inbound: enables long link in incoming direction between two zones.
outbound: enables long link in outgoing direction between two zones.

Views
Interzone view

Default Level
2: Configuration level

Usage Guidelines
The incoming direction and the outgoing direction between two zones can each be associated with
an ACL rule, either one direction alone or both at the same time. The two directions can also be
associated with different ACL rules.
During configuration, it is recommended not to reference an ACL rule that covers a large range.
Otherwise, the performance of the Eudemon is affected.

Examples
# Configure the long link in incoming direction between the trust zone and the untrust zone.
<Eudemon> system-view
[Eudemon] acl 3001
[Eudemon-acl-adv-3001] rule permit tcp source 1.1.1.1 0.0.0.255 destination
10.1.1.1 0 source-port eq 8060
[Eudemon-acl-adv-3001] quit
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] firewall long-link 3001 inbound

Related Topics
2.1.2 acl (System View)
2.3.7 firewall long-link aging-time

2.3.7 firewall long-link aging-time

Function
Using the firewall long-link aging-time command, you can set the aging time of the long link.
Using the undo firewall long-link aging-time command, you can restore the aging time of the
long link to the default value.

Format
firewall long-link aging-time aging-time
undo firewall long-link aging-time

Parameters
aging-time: specifies the value of the long link aging time. The value ranges from 1 to 480 hours.
By default, the value of long link aging time is 168 hours.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Set the aging time of traffic that matches ACL rule 3001 to 240 hours.
<Eudemon> system-view
[Eudemon] acl 3001
[Eudemon-acl-adv-3001] rule permit tcp source 1.1.1.1 0.0.0.255 destination
10.1.1.1 0 source-port eq 8060
[Eudemon-acl-adv-3001] quit
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] firewall long-link 3001 inbound
[Eudemon-interzone-trust-untrust] quit
[Eudemon] firewall long-link aging-time 240

Related Topics
2.3.6 firewall long-link

2.3.8 firewall session aging-time

Function
Using the firewall session aging-time command, you can set SYN/FIN/RST state waiting
timeout for TCP and idle timeout of session entries for protocols, such as TCP and UDP.

Using the firewall session aging-time esp command, you can configure the aging time for the
ESP NAT session table.

Using the firewall session aging-time default command, you can restore the timeout to the
default value of all protocols.

Using the undo firewall session aging-time command, you can restore the default value.

Format
firewall session aging-time { esp | dns | fin-rst | fragment | ftp | ftp-data | h225 | h245 | h323-
rtcp | h323-rtp | h323-t120 | http | hwcc | icmp | ils | mgcp | mgcp-rtcp | mgcp-rtp | mms |
mms-data | msn | netbios-name | netbios-data | netbios-session | pptp | qq | ras | rtcp | rtp |
rtsp | sip | sip-rtp | sip-rtcp | smtp | sqlnet | sqlnet-data | syn | tcp | telnet | udp | user-
define } seconds

firewall session aging-time default

undo firewall session aging-time { esp | dns | fin-rst | fragment | ftp | ftp-data | h225 |
h245 | h323-rtcp | h323-rtp | h323-t120 | http | hwcc | icmp | ils | mgcp | mgcp-rtcp | mgcp-
rtp | mms | mms-data | msn | netbios-name | netbios-data | netbios-session | pptp | qq | ras |
rtcp | rtp | rtsp | sip | sip-rtp | sip-rtcp | smtp | sqlnet | sqlnet-data | syn | tcp | telnet | udp |
user-define }

Parameters
seconds: specifies either the state waiting timeout of session entries when the firewall detects
SYN/FIN/RST packets or the idle timeout of TCP, UDP, SYN, FIN, RST session entries in a
range of 1 to 65535 seconds.

default: restores the default aging-time.

The default aging time of each protocol is defined as follows:

• esp: 600 seconds
• dns: 120 seconds
• tcp: 600 seconds
• udp: 120 seconds
• icmp: 20 seconds
• fragment: 5 seconds
• fin-rst: 10 seconds
• syn: 5 seconds
• h225: 1200 seconds
• h245: 1200 seconds
• h323-rtcp: 120 seconds
• h323-rtp: 120 seconds
• h323-t120: 10800 seconds
• netbios-name: 120 seconds
• netbios-session: 120 seconds
• netbios-data: 120 seconds
• ftp: 600 seconds
• ftp-data: 240 seconds
• hwcc: 120 seconds
• ras: 600 seconds
• ils: 600 seconds
• http: 600 seconds
• smtp: 600 seconds
• sip: 600 seconds
• sip-rtp: 120 seconds
• sip-rtcp: 120 seconds
• rtsp: 600 seconds
• rtcp: 120 seconds
• rtp: 120 seconds
• telnet: 600 seconds
• pptp: 600 seconds
• qq: 120 seconds
• msn: 240 seconds
• user-define: 120 seconds
• mgcp: 130 seconds
• mgcp-rtcp: 80 seconds
• mgcp-rtp: 60 seconds
• mms: 600 seconds
• mms-data: 600 seconds
• sqlnet: 600 seconds
• sqlnet-data: 14400 seconds

Views
System view

Default Level
2: Configuration level

Usage Guidelines
The system saves the existing connections and sessions until they expire.

Examples
# Set the SYN waiting timeout for TCP to 20 seconds.
<Eudemon> system-view
[Eudemon] firewall session aging-time syn 20

# Set the FIN waiting timeout for TCP to 10 seconds.
[Eudemon] firewall session aging-time fin-rst 10

# Set the idle timeout for TCP to 3000 seconds.
[Eudemon] firewall session aging-time tcp 3000

# Set the idle timeout for UDP to 110 seconds.
[Eudemon] firewall session aging-time udp 110

Related Topics
2.3.3 display firewall session aging-time
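
The following Python script is an added example, not part of the original reference. It parses display firewall session aging-time output, compares each timer with the default values listed in 2.3.8 (and the long-link default of 168 hours from 2.3.7), and reports the undo command that restores each changed timer. The sample output is constructed to match the state after the examples in 2.3.7 and 2.3.8 have been run; the function names are illustrative.

```python
import re

# Default aging times in seconds, copied from the parameter list of
# "firewall session aging-time" in this reference.
DEFAULTS = {
    "esp": 600, "dns": 120, "tcp": 600, "udp": 120, "icmp": 20,
    "fragment": 5, "fin-rst": 10, "syn": 5, "h225": 1200, "h245": 1200,
    "h323-rtcp": 120, "h323-rtp": 120, "h323-t120": 10800,
    "netbios-name": 120, "netbios-session": 120, "netbios-data": 120,
    "ftp": 600, "ftp-data": 240, "hwcc": 120, "ras": 600, "ils": 600,
    "http": 600, "smtp": 600, "sip": 600, "sip-rtp": 120, "sip-rtcp": 120,
    "rtsp": 600, "rtcp": 120, "rtp": 120, "telnet": 600, "pptp": 600,
    "qq": 120, "msn": 240, "user-define": 120, "mgcp": 130,
    "mgcp-rtcp": 80, "mgcp-rtp": 60, "mms": 600, "mms-data": 600,
    "sqlnet": 600, "sqlnet-data": 14400,
}
LONG_LINK_DEFAULT_HOURS = 168  # set with "firewall long-link aging-time", in hours

# Matches lines such as "tcp protocol timeout:600s" and "ftp-data timeout:240s".
LINE_RE = re.compile(r"^\s*([a-z0-9-]+)(?: protocol)? timeout:\s*(\d+)s\s*$")


def parse_aging_output(text):
    """Return {keyword: seconds} from 'display firewall session aging-time' output."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # prompt lines, blank lines and anything else are skipped
            values[m.group(1)] = int(m.group(2))
    return values


def audit(values):
    """Compare parsed values with the documented defaults.

    Returns (keyword, current, default, direction, restore_command) tuples,
    one per timer that differs from its default or is not documented.
    """
    findings = []
    for name, current in sorted(values.items()):
        if name == "long-link":
            default = LONG_LINK_DEFAULT_HOURS * 3600
            restore = "undo firewall long-link aging-time"
        elif name in DEFAULTS:
            default = DEFAULTS[name]
            restore = "undo firewall session aging-time " + name
        else:
            findings.append((name, current, None, "unknown", None))
            continue
        if current != default:
            direction = "longer" if current > default else "shorter"
            findings.append((name, current, default, direction, restore))
    return findings


def set_command(name, seconds):
    """Build a 'firewall session aging-time' line, enforcing the documented limits."""
    if name not in DEFAULTS:
        raise ValueError("not a documented keyword: %r" % name)
    if not 1 <= seconds <= 65535:
        raise ValueError("seconds must be in the range 1 to 65535")
    return "firewall session aging-time %s %d" % (name, seconds)


# Constructed sample: syn 20, tcp 3000, udp 110 (examples in 2.3.8) and a long
# link aging time of 240 hours (example in 2.3.7); other lines are at default.
SAMPLE = """\
<Eudemon> display firewall session aging-time
tcp protocol timeout:3000s
udp protocol timeout:110s
icmp protocol timeout:20s
fin-rst protocol timeout:10s
syn protocol timeout:20s
long-link timeout:864000s
ftp-data timeout:240s
"""

if __name__ == "__main__":
    for name, cur, dflt, direction, restore in audit(parse_aging_output(SAMPLE)):
        print("%-10s %7ds (default %s, %s) -> %s" % (name, cur, dflt, direction, restore))
```

Timers reported as "longer" keep idle or half-open entries in the session table for more time than the defaults do, so they are the ones to justify or restore first.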

2.3.9 firewall session aging-time accelerate enable

Function
Using the firewall session aging-time accelerate enable command, you can enable the
accelerated aging of Eudemon sessions.

Using the undo firewall session aging-time accelerate enable command, you can disable the
function.

Format
firewall session aging-time accelerate enable

undo firewall session aging-time accelerate enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the accelerated aging is enabled.

Examples
# Enable the accelerated aging of Eudemon sessions.
<Eudemon> system-view
[Eudemon] firewall session aging-time accelerate enable

2.3.10 reset firewall session table

Function
Using the reset firewall session table command, you can remove session entries and fragment
tables of the Eudemon.

Format
reset firewall session table [ [ interzone zone-name1 zone-name2 | zone zone-name ] [ address-
group address-group-number ] ]
reset firewall session table [ source { inside | global } ip source-ip-address | destination
{ inside | global } ip destination-ip-address ] *

Parameters
interzone zone-name1 zone-name2: specifies the security interzone. zone-name1 and zone-name2
can be any two of dmz, trust, untrust, local, and the user-defined zones.
zone zone-name: specifies the name of the security zone. zone-name can be dmz, trust,
untrust, local, or a user-defined zone.
address-group address-group-number: specifies the address pool. address-group-number
indicates the address pool number. It is an integer in a range of 0 to 127.
source: deletes the session entries that match the specified source IP address.
ip source-ip-address: specifies a source IP address.
destination: deletes the session entries that match the specified destination IP address.
ip destination-ip-address: specifies a destination IP address.
inside: specifies the intranet IP address. For the source IP address, inside specifies the intranet
IP address before NAT; for the destination IP address, inside specifies the real intranet IP address
of the NAT server.

global: specifies the public IP address. For the source IP address, global specifies the public IP
address before NAT; for the destination IP address, global specifies the public IP address by
which the NAT server can be accessed by external users.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
Removing session entries interrupts all the session connections. So, confirm the action before
you run the command.

Examples
# Delete the session entries and fragment tables between DMZ and Trust zones on the
Eudemon.
<Eudemon> reset firewall session table interzone dmz trust
Warning:Resetting session table will affect the system's normal service!Continue?
[Y/N]y

2.4 Packet Filter Configuration Commands


2.4.1 debugging firewall packet-filter
2.4.2 display firewall packet-filter default
2.4.3 firewall packet-filter default
2.4.4 packet-filter

2.4.1 debugging firewall packet-filter

Function
Using the debugging firewall packet-filter command, you can enable the packet filter
debugging on the Eudemon.

Using the undo debugging firewall packet-filter command, you can disable the packet filter
debugging on the Eudemon.

Format
debugging firewall packet-filter { all | icmp | tcp | udp | others } [ interzone zone1 zone2 ]

undo debugging firewall packet-filter { all | icmp | tcp | udp | others } [ interzone zone1
zone2 ]

Parameters
icmp: enables the ICMP packet filter debugging.

tcp: enables the TCP packet filter debugging.

udp: enables the UDP packet filter debugging.

others: enables the debugging of other packets (ICMP, UDP, and TCP packets excluded) that
match the ACL.

all: enables all the packet filter debugging.

interzone: enables the interzone packet filter debugging.

zone1: specifies the name of zone1, which can be a local zone, trust zone, DMZ zone or untrust
zone.

zone2: specifies the name of zone2, which can be a local zone, trust zone, DMZ zone or untrust
zone.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, the packet filter debugging on the Eudemon is disabled.

CAUTION
All the debugging functions can affect the performance of the Eudemon. Therefore, you are
recommended to disable debugging when the firewall runs normally.

Examples
# Enable the UDP packet filter debugging.
<Eudemon> debugging firewall packet-filter udp

2.4.2 display firewall packet-filter default

Function
Using the display firewall packet-filter default command, you can view the default packet
filter on the Eudemon.

Format
display firewall packet-filter default { all | interzone zone1 zone2 }

Parameters
all: displays the default packet filter in all interzones.

interzone: displays the default packet filter in specified interzones.

zone1: specifies the name of zone1, which can be a Local zone, Trust zone, DMZ zone or Untrust
zone.

zone2: specifies the name of zone2, which can be a Local zone, Trust zone, DMZ zone or Untrust
zone.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the Eudemon default action in all interzones.
<Eudemon> display firewall packet-filter default all
Firewall default packet-filter action is :
local-trust : Inbound Deny, Outbound Deny
local-untrust : Inbound Deny, Outbound Deny
local-DMZ : Inbound Deny, Outbound Deny
trust-untrust : Inbound Deny, Outbound Deny
trust-DMZ : Inbound Deny, Outbound Deny
DMZ-untrust : Inbound Deny, Outbound Deny

# Display the Eudemon default action between the Trust zone and the Untrust zone.
<Eudemon> display firewall packet-filter default interzone trust untrust
Firewall default packet-filter action is :
trust-untrust : Inbound Deny, Outbound Deny

2.4.3 firewall packet-filter default

Function
Using the firewall packet-filter default command, you can set the default filter rule on the
Eudemon to permit or deny.

Format
firewall packet-filter default { permit | deny } { { all | interzone zone1 zone2 } [ direction
{ inbound | outbound } ] }
undo firewall packet-filter default { { all | interzone zone1 zone2 } [ direction { inbound |
outbound } ] }

Parameters
permit: sets the default filter rule to permit.
deny: sets the default filter rule to deny.
all: sets the filter rule in all interzones.
interzone: sets the filter rule in some interzones.
zone1: specifies the name of zone1, which can be a local zone, trust zone, DMZ zone or untrust
zone.
zone2: specifies the name of zone2, which can be a local zone, trust zone, DMZ zone or untrust
zone.
direction: configures the direction that applies the filter rule.
inbound: applies the filter rule in the inbound direction.
outbound: applies the filter rule in the outbound direction.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the function is disabled.

Examples
# Set the default filter rule in all interzones on the Eudemon to deny.
<Eudemon> system-view
[Eudemon] firewall packet-filter default deny all
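
The following Python script is an added example, not part of the original reference. It reads display firewall packet-filter default all output, lists every interzone direction whose default action is permit together with the ACL (if any) applied to that direction with packet-filter, and builds the firewall packet-filter default deny command for it. It assumes that a permit action is printed as "Permit" (the reference shows only "Deny") and that the saved configuration lists packet-filter lines indented under their firewall interzone line; both samples are constructed and the function names are illustrative.

```python
import re

ROW_RE = re.compile(
    r"^\s*(\w+)-(\w+)\s*:\s*Inbound\s+(Permit|Deny)\s*,\s*Outbound\s+(Permit|Deny)\s*$",
    re.IGNORECASE)
INTERZONE_RE = re.compile(r"^\s*firewall interzone (\w+) (\w+)\s*$", re.IGNORECASE)
FILTER_RE = re.compile(r"^\s*packet-filter (\d+) (inbound|outbound)\s*$", re.IGNORECASE)


def pair(z1, z2):
    """Key for an interzone: zone names are case insensitive and their order is free."""
    return tuple(sorted((z1.lower(), z2.lower())))


def parse_default_actions(text):
    """Return {pair: {"zones": (z1, z2), "inbound": action, "outbound": action}}."""
    actions = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # the heading line and prompt lines do not match
            z1, z2 = m.group(1).lower(), m.group(2).lower()
            actions[pair(z1, z2)] = {"zones": (z1, z2),
                                     "inbound": m.group(3).lower(),
                                     "outbound": m.group(4).lower()}
    return actions


def parse_applied_acls(config_text):
    """Return {(pair, direction): acl_number} from interzone blocks in a configuration."""
    acls, current = {}, None
    for line in config_text.splitlines():
        m = INTERZONE_RE.match(line)
        if m:
            current = pair(m.group(1), m.group(2))
            continue
        m = FILTER_RE.match(line)
        if m and current:
            acls[(current, m.group(2).lower())] = int(m.group(1))
        elif not line.startswith(" "):
            current = None  # an unindented line ends the interzone block (assumed layout)
    return acls


def review(actions, acls):
    """Return (zone1, zone2, direction, acl_or_None, fix_command) for every
    direction whose default action is permit."""
    findings = []
    for key in sorted(actions):
        z1, z2 = actions[key]["zones"]
        for direction in ("inbound", "outbound"):
            if actions[key][direction] != "permit":
                continue
            fix = ("firewall packet-filter default deny interzone %s %s direction %s"
                   % (z1, z2, direction))
            findings.append((z1, z2, direction, acls.get((key, direction)), fix))
    return findings


# Constructed samples. "Permit" is the assumed spelling of the permit action.
DISPLAY_SAMPLE = """\
<Eudemon> display firewall packet-filter default all
Firewall default packet-filter action is :
local-trust : Inbound Permit, Outbound Permit
local-untrust : Inbound Deny, Outbound Deny
local-DMZ : Inbound Deny, Outbound Deny
trust-untrust : Inbound Deny, Outbound Permit
trust-DMZ : Inbound Deny, Outbound Deny
DMZ-untrust : Inbound Deny, Outbound Deny
"""
CONFIG_SAMPLE = """\
#
firewall interzone trust untrust
 packet-filter 3101 inbound
 packet-filter 3102 outbound
#
firewall interzone UNTRUST dmz
#
"""

if __name__ == "__main__":
    found = review(parse_default_actions(DISPLAY_SAMPLE), parse_applied_acls(CONFIG_SAMPLE))
    for z1, z2, direction, acl, fix in found:
        print("%s-%s %s: default permit, ACL %s -> %s" % (z1, z2, direction, acl, fix))
```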

2.4.4 packet-filter

Function
Using the packet-filter command, you can apply ACL to the interzone.
Using the undo packet-filter command, you can remove the configuration.

Format
packet-filter acl-number { inbound | outbound }
undo packet-filter acl-number { inbound | outbound }

Parameters
acl-number: specifies the number of the ACL in a range of 2000 to 3999.
inbound: filters inbound packets.
outbound: filters outbound packets.

Views
Interzone view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Apply ACL3101 in the interzone between the trust zone and the untrust zone to filter inbound
packets.
<Eudemon> system-view
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] packet-filter 3101 inbound

Related Topics
2.1.2 acl (System View)
2.1.6 display acl

2.5 Attack Defence and Packet Statistics Configuration Commands

2.5.1 debugging firewall defend
2.5.2 debugging statistic
2.5.3 display firewall defend flag
2.5.4 display firewall flow-control statistics
2.5.5 display firewall statistic
2.5.6 firewall defend all enable
2.5.7 firewall defend arp-flood enable interface
2.5.8 firewall defend arp-spoofing enable
2.5.9 firewall defend based-session
2.5.10 firewall defend fraggle enable
2.5.11 firewall defend ftp-bounce enable
2.5.12 firewall defend icmp-flood
2.5.13 firewall defend icmp-flood enable
2.5.14 firewall defend icmp-redirect enable
2.5.15 firewall defend icmp-unreachable enable
2.5.16 firewall defend ip-fragment enable
2.5.17 firewall defend ip-spoofing enable
2.5.18 firewall defend ip-sweep
2.5.19 firewall defend ip-sweep enable
2.5.20 firewall defend land enable
2.5.21 firewall defend large-icmp
2.5.22 firewall defend large-icmp enable
2.5.23 firewall defend packet-header check enable
2.5.24 firewall defend ping-of-death enable
2.5.25 firewall defend port-scan
2.5.26 firewall defend port-scan enable
2.5.27 firewall defend route-record enable
2.5.28 firewall defend smurf enable
2.5.29 firewall defend source-route enable
2.5.30 firewall defend syn-flood
2.5.31 firewall defend syn-flood enable
2.5.32 firewall defend tcp-flag enable
2.5.33 firewall defend teardrop enable
2.5.34 firewall defend time-stamp enable
2.5.35 firewall defend tracert enable
2.5.36 firewall defend udp-flood
2.5.37 firewall defend udp-flood enable
2.5.38 firewall defend winnuke enable
2.5.39 firewall flow-control acl
2.5.40 firewall flow-control car
2.5.41 firewall flow-control h323 enable
2.5.42 firewall flow-control on
2.5.43 firewall fragment-discard enable
2.5.44 firewall http-authentication
2.5.45 firewall session link-state check
2.5.46 firewall statistic system connect-number
2.5.47 firewall statistic system enable
2.5.48 firewall statistic system flow-percent
2.5.49 firewall statistic system last_five_min enable
2.5.50 reset firewall statistic ip
2.5.51 reset firewall statistic system
2.5.52 reset firewall statistic zone
2.5.53 statistic connect-number
2.5.54 statistic connect-speed
2.5.55 statistic enable

2.5.1 debugging firewall defend

Function
Using the debugging firewall defend command, you can enable attack defense debugging.
Using the undo debugging firewall defend command, you can disable attack defense
debugging.

Format
debugging firewall defend { all | arp-flood | arp-spoofing | header-check | ip-spoofing |
land | smurf | fraggle | ftp-bounce | winnuke | syn-flood | icmp-flood | udp-flood | icmp-
redirect | icmp-unreachable | ip-sweep | port-scan | source-route | route-record | tracert |
ping-of-death | tear-drop | tcp-flag | tcp-flood | ip-fragment | large-icmp | time-stamp }
undo debugging firewall defend { all | arp-flood | arp-spoofing | header-check | ip-
spoofing | land | smurf | fraggle | ftp-bounce | winnuke | syn-flood | icmp-flood | udp-flood
| icmp-redirect | icmp-unreachable | ip-sweep | port-scan | source-route | route-record |
tracert | ping-of-death | tear-drop | tcp-flag | tcp-flood | ip-fragment | large-icmp | time-
stamp }

Parameters
Each attack type keyword enables or disables the debugging of the corresponding attack defense.
all: enables or disables all of the attack defense debugging.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, no attack defense debugging is enabled.

Examples
# Enable the debugging for ARP spoofing attack defense.
<Eudemon> debugging firewall defend arp-spoofing
*0.41566466 eudemon SEC/8/ATTACK:
Detect attack of ARP spoof from 192.168.1.254

2.5.2 debugging statistic

Function
Using the debugging statistic command, you can enable the debugging of statistics.
Using the undo debugging statistic command, you can disable the debugging of statistics.

Format
debugging statistic { all | limit | table | timer }
undo debugging statistic { all | limit | table | timer }

Parameters
all: refers to all debugging.
limit: enables statistics of outbound packets.
table: enables statistics of domain names.
timer: enables statistics of incoming packets.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, the debugging of statistics is disabled.

Examples
# Enable the statistics debugging of outbound packets.
<Eudemon> debugging statistic limit

2.5.3 display firewall defend flag

Function
Using the display firewall defend flag command, you can view the type of attack defense
applied on the Eudemon.

Format
display firewall defend flag

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the type of attack defense applied on the Eudemon.
<Eudemon> display firewall defend flag
The attack defend flag is:
ip-spoofing land smurf fraggle
winnuke syn-flood udp-flood icmp-flood
icmp-redirect icmp-unreachable ip-sweep port-scan
source-route route-record tracert time-stamp
ping-of-death teardrop tcp-flag ip-fragment
ftp-bounce packet-header large-icmp tcp-flood

2.5.4 display firewall flow-control statistics

Function
Using the display firewall flow-control statistics command, you can display the configuration
and statistics of H.323 traffic assurance.

Format
display firewall flow-control statistics

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the configuration and statistics of H.323 traffic assurance.
<Eudemon> display firewall flow-control statistics
firewall flow-control h323 is enable
firewall flow-control car cir=15000, cbs=15000, ebs=0 bps
firewall flow-control statistics info
H323 session count = 1
car ForwardBytes = 848742
car ForwardPkts = 8007
car DiscardBytes = -1917580322
car DiscardPkts = 22428179

2.5.5 display firewall statistic

Function
Using the display firewall statistic command, you can view the system statistics, inbound or
outbound statistics in some zones, or statistics of some IP addresses in the source or destination
address table.

Format
display firewall statistic { system [ packet-rate | defend ] | zone zone-name { inzone |
outzone } | ip ip-address { source-ip | destination-ip | both } }

Parameters
system packet-rate: displays the statistics of the most recent five minutes.
system defend: displays the attack defense of the firewall system.
zone zone-name: displays the statistics of a security zone. zone-name specifies the name of the
zone, including local, trust, DMZ and untrust.

ip ip-address: displays the statistics of IP addresses. ip-address refers to the specified IP address.
inzone: displays the inbound statistics.
outzone: displays the outbound statistics.
source-ip: displays the statistics in the source address table.
destination-ip: displays the statistics in the destination address table.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
By default, the traffic statistics function for the latest five minutes is disabled. The traffic
statistics for the latest five minutes are available only after you run the firewall statistic
system last_five_min enable command to enable that function.

Examples
# Display the global statistics of the system.
<Eudemon> display firewall statistic system defend
Display firewall defend statistic:
IP spoof attack : 100 packets
land attack : 0 packets
Smurf attack : 0 packets
fraggle attack : 60 packets
Winnuke attack : 0 packets
Syn flood attack : 0 packets
Udp flood attack : 1353 packets
ICMP flood attack : 0 packets
Redirect attack : 0 packets
Unreacheable attack : 0 packets
Ip sweep attack : 0 packets
Port scan attack : 0 packets
Ip options attack : 0 packets
Ip option source route attack : 0 packets
Ip options route record attack : 0 packets
Trace route attack : 0 packets
Ping of death attack : 0 packets
Tear drop attack : 0 packets
Tcp flag attack : 0 packets
Frag flag attack : 0 packets
Large ICMP attack : 0 packets
Tcp Proxy : 0 packets
Both ip-sweep and port-scan attack : 0 packets
Too much Half Con of SYN Flood : 0 packets
Other attack : 0 packets

# Display the inbound statistics in the trust zone.
<Eudemon> display firewall statistic zone trust inzone
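
The following is an added example, not part of the original command reference: a small parser for the `display firewall statistic system defend` output shown earlier in this section, which compares two snapshots and reports the counters that grew. The second snapshot is constructed sample data, and treating a counter that went down as having been reset is an assumption.

```python
import re

# One counter line looks like "Udp flood attack : 1353 packets".
_COUNTER = re.compile(r"^\s*(?P<name>.+?)\s*:\s*(?P<count>\d+)\s+packets\s*$")


def parse_defend_statistics(text):
    """Return {counter name: packet count} from the command output."""
    counters = {}
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if m:  # the header line has no count and is skipped
            counters[m.group("name")] = int(m.group("count"))
    return counters


def counter_deltas(before, after):
    """Return {name: increase} for counters that grew between two snapshots.

    Assumption: a counter lower than in the previous snapshot was cleared
    in between, so its current value is reported as the increase.
    """
    deltas = {}
    for name, now in after.items():
        prev = before.get(name, 0)
        grew = now - prev if now >= prev else now
        if grew > 0:
            deltas[name] = grew
    return deltas


# Lines taken from the example output in this section.
SNAPSHOT_1 = """\
Display firewall defend statistic:
IP spoof attack : 100 packets
land attack : 0 packets
fraggle attack : 60 packets
Udp flood attack : 1353 packets
Port scan attack : 0 packets
"""

# Constructed later snapshot, for illustration only.
SNAPSHOT_2 = """\
Display firewall defend statistic:
IP spoof attack : 100 packets
land attack : 0 packets
fraggle attack : 60 packets
Udp flood attack : 2000 packets
Port scan attack : 12 packets
"""

if __name__ == "__main__":
    before = parse_defend_statistics(SNAPSHOT_1)
    after = parse_defend_statistics(SNAPSHOT_2)
    for name, grew in sorted(counter_deltas(before, after).items()):
        print("%-20s +%d packets" % (name, grew))
```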

2.5.6 firewall defend all enable

Function
Using the firewall defend all enable command, you can enable all attack defense.

Using the undo firewall defend all enable command, you can disable all attack defense.

Format
firewall defend all enable

undo firewall defend all enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, all attack defense is disabled.

Examples
# Enable all attack defense.
<Eudemon> system-view
[Eudemon] firewall defend all enable

2.5.7 firewall defend arp-flood enable interface

Function
Using the firewall defend arp-flood enable interface command, you can enable the ARP flood
defense function on a specific interface or all interfaces, and configure the upper rate limit of
the ARP packets.

Using the undo firewall defend arp-flood enable interface command, you can disable the ARP
flood defense function on a specific interface or all interfaces.

Format
firewall defend arp-flood enable interface { interface-type interface-number | all } [ max-rate rate-number ]

undo firewall defend arp-flood enable interface { interface-type interface-number | all }

Parameters
interface-type: indicates the interface type. The interface can only be an Ethernet physical
interface or subinterface.
interface-number: indicates the interface number.
all: indicates that the ARP flood defense function is enabled on all interfaces.
rate-number: specifies the upper rate limit of the ARP packets, that is, the total number of ARP
packets that can be received in a second. Packets that exceed the threshold are regarded as an
attack. The value is an integer in a range of 1 to 10000, in packets/s. The default value is 1000
packets/s. If the parameter is not specified, the default value will be used.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the ARP flood defense function is disabled on all interfaces.
If you have changed the upper limit of the ARP packets on an interface, you can restore the
default by using the firewall defend arp-flood enable interface { interface-type interface-number | all } command.
In a dual-system hot backup environment, because the firewall defend arp-flood enable
interface command can be backed up between the active and standby Eudemons, you need to run
the command only on the master Eudemon.

Examples
# Enable the ARP flood defense function on interface Ethernet 0/0/0 and configure the upper
rate limit as 200 packets/s.
<Eudemon> system-view
[Eudemon] firewall defend arp-flood enable interface Ethernet 0/0/0 max-rate 200

2.5.8 firewall defend arp-spoofing enable

Function
Using the firewall defend arp-spoofing enable command, you can enable the ARP spoofing
defense function.
Using the undo firewall defend arp-spoofing enable command, you can disable the ARP
spoofing defense function.

Format
firewall defend arp-spoofing enable

undo firewall defend arp-spoofing enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the ARP spoofing defense function is disabled.

In a dual-system hot backup environment, because the firewall defend arp-spoofing enable
command can be backed up between the active and standby Eudemons, you need to run the command
only on the master Eudemon.

Examples
# Enable the ARP spoofing defense function.
<Eudemon> system-view
[Eudemon] firewall defend arp-spoofing enable

2.5.9 firewall defend based-session

Function
Using the firewall defend tcp-flood based-session command, you can enable the session-based
TCP Flood attack defense function.

Using the firewall defend icmp-flood based-session command, you can enable the
session-based ICMP Flood attack defense function.

Using the firewall defend udp-flood based-session command, you can enable the session-based
UDP Flood attack defense function.

Using the undo firewall defend based-session command, you can disable certain session-based
attack defense functions.

Format
firewall defend tcp-flood based-session max-rate rate-number

firewall defend icmp-flood based-session max-rate rate-number

firewall defend udp-flood based-session max-rate rate-number

undo firewall defend { icmp-flood | tcp-flood | udp-flood } based-session max-rate

Parameters
max-rate rate-number: specifies the maximum rate for session-based TCP packets, ICMP
packets, or UDP packets. If a certain volume of TCP/ICMP/UDP packets match the quintuple
session table and their rate exceeds the maximum rate, the packets of the session are not permitted
to pass through the firewall any more. For ICMP Flood attack defense, the maximum rate ranges
from 1 packet/s to 200 packet/s; for UDP Flood or TCP Flood attack defense, the maximum rate
ranges from 1 packet/s to 65535 packet/s.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, these attack defense functions are disabled.
To detect TCP sessions, you need to configure only the firewall defend tcp-flood based-session
max-rate command.
To detect UDP or ICMP sessions, you need to configure both the firewall defend udp-flood
based-session max-rate or firewall defend icmp-flood based-session max-rate command
and the firewall defend udp-flood enable or firewall defend icmp-flood enable command,
in that order.
NOTE

When the traffic rate approaches the threshold without exceeding it, certain operations
on the Eudemon may trigger an attack defense alarm. This false alarm is caused by
inaccurate statistics resulting from the task scheduling system. In this case, the traffic is not a real attack.

Examples
# Enable the session-based TCP Flood attack defense and set the maximum rate of TCP packets
to 100 packet/s.
<Eudemon> system-view
[Eudemon] firewall defend tcp-flood based-session max-rate 100

Related Topics
2.5.37 firewall defend udp-flood enable
2.5.13 firewall defend icmp-flood enable

2.5.10 firewall defend fraggle enable

Function
Using the firewall defend fraggle enable command, you can enable the Fraggle attack defense.
Using the undo firewall defend fraggle enable command, you can disable the Fraggle attack
defense.

Format
firewall defend fraggle enable

undo firewall defend fraggle enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the Fraggle attack defense is disabled.

Examples
# Enable the Fraggle attack defense.
<Eudemon> system-view
[Eudemon] firewall defend fraggle enable

2.5.11 firewall defend ftp-bounce enable

Function
Using the firewall defend ftp-bounce enable command, you can enable the FTP bounce attack
defense function.

Using the undo firewall defend ftp-bounce enable command, you can disable the FTP bounce
attack defense function.

Format
firewall defend ftp-bounce enable

undo firewall defend ftp-bounce enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
An FTP Bounce attack uses the FTP PORT command to direct data or FTP commands to
a device other than the FTP client, and thus scans, accesses, or sends data to that device through
the FTP server. You can enable the FTP bounce attack defense function to prevent such attacks.

By default, the FTP bounce attack defense function is disabled.

Examples
# Enable the FTP bounce attack defense function.
<Eudemon> system-view
[Eudemon] firewall defend ftp-bounce enable
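
The following is an added example, not part of the original command reference and not the Eudemon's own implementation: the check that the usage guidelines above imply, comparing the address in a PORT command with the address of the client that sent it. The function names, the sample session, and the extra rule rejecting ports below 1024 (a common hardening step) are assumptions.

```python
import ipaddress
import re

# RFC 959: PORT h1,h2,h3,h4,p1,p2 (four address octets, two port octets).
_PORT_ARGS = re.compile(
    r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$"
)


def parse_port_args(args):
    """Return (IPv4Address, port) for the argument of a PORT command, or None."""
    m = _PORT_ARGS.match(args.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]


def check_control_line(client_ip, line, min_port=1024):
    """Classify one FTP control-channel line sent by client_ip.

    Returns "not-port", "malformed", "bounce" (data address is not the
    client itself), "low-port" (assumed hardening rule), or "ok".
    """
    parts = line.strip().split(None, 1)
    if not parts or parts[0].upper() != "PORT":
        return "not-port"
    parsed = parse_port_args(parts[1]) if len(parts) == 2 else None
    if parsed is None:
        return "malformed"
    ip, port = parsed
    if ip != ipaddress.IPv4Address(client_ip):
        return "bounce"
    if port < min_port:
        return "low-port"
    return "ok"


def audit(client_ip, lines):
    """Return [(line, verdict)] for every line of a control session."""
    return [(line, check_control_line(client_ip, line)) for line in lines]


# Constructed sample session from client 192.0.2.10 (documentation addresses).
SAMPLE_CLIENT = "192.0.2.10"
SAMPLE_SESSION = [
    "USER anonymous",
    "PORT 192,0,2,10,195,80",   # client's own address, port 50000
    "PORT 10,1,1,5,0,22",       # third-party address
    "PORT 192,0,2,10,0,25",     # own address, privileged port
    "PORT 192,0,2,10,300,1",    # octet out of range
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_CLIENT, SAMPLE_SESSION):
        print("%-28s %s" % (line, verdict))
```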

2.5.12 firewall defend icmp-flood

Function
Using the firewall defend icmp-flood command, you can enable the ICMP Flood attack defense
and specify an IP address or a zone to be protected.

Using the undo firewall defend icmp-flood command, you can disable the ICMP Flood attack
defense.

Format
firewall defend icmp-flood ip ip-address [ max-rate rate-number ]

firewall defend icmp-flood zone zone-name [ max-rate rate-number ]

undo firewall defend icmp-flood ip [ ip-address ]

undo firewall defend icmp-flood zone [ zone-name ]

undo firewall defend icmp-flood

Parameters
ip ip-address: specifies the IP address of the host to be protected. Using the undo command,
you can disable ICMP Flood detection for the IP address. If only ip is configured in the undo
command, ICMP Flood detection is disabled for all the protected hosts. ICMP Flood attack
defense can protect up to 1000 IP addresses.

zone zone-name: specifies the name of the protected zone. Using the undo command, you can
disable ICMP Flood detection for all IP addresses in the zone. If only zone is configured in the
undo command, ICMP Flood detection is disabled for all the protected zones.

max-rate rate-number: sets the rate threshold for ICMP packets connected with the specific
destination IP address, that is, the total number of ICMP packets received from the address in a
second. If the number is greater than the threshold, it will be regarded as an attack. The default
value of rate-number is 1000 packets per second and the range of the number is 1 to 1,000,000
packets per second.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
When configuring the ICMP Flood attack defense, the IP-based priority is higher than the
zone-based priority. If the ICMP Flood attack defense is enabled both for a particular IP address
and for the zone to which the IP address belongs, the IP-based detection parameters are preferred.
If the IP-based configuration is disabled, the zone-based parameters will be applied.

By default, the ICMP Flood attack defense is disabled.

When enabling the ICMP Flood attack defense by running the firewall defend icmp-flood
command, you are also required to enable the ICMP Flood attack defense globally by running the
firewall defend icmp-flood enable command and to enable inbound IP statistics for the
protected IP/zone.

Examples
# Enable the ICMP Flood attack defense for the trust zone and set the rate threshold of ICMP
packets to 500 packet/s.
<Eudemon> system-view
[Eudemon] firewall defend icmp-flood zone trust max-rate 500

2.5.13 firewall defend icmp-flood enable

Function
Using the firewall defend icmp-flood enable command, you can enable the ICMP Flood attack
defense globally.

Using the undo firewall defend icmp-flood enable command, you can disable the ICMP Flood
attack defense globally.

Format
firewall defend icmp-flood enable

undo firewall defend icmp-flood enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the ICMP Flood attack defense is disabled globally.

Examples
# Enable the ICMP Flood attack defense globally.
<Eudemon> system-view
[Eudemon] firewall defend icmp-flood enable

2.5.14 firewall defend icmp-redirect enable

Function
Using the firewall defend icmp-redirect enable command, you can enable the ICMP
redirection packet attack defense.
Using the undo firewall defend icmp-redirect enable command, you can disable the ICMP
redirection packet attack defense.

Format
firewall defend icmp-redirect enable
undo firewall defend icmp-redirect enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the ICMP redirection packet attack defense is disabled.

Examples
# Enable the ICMP redirection packet attack defense.
<Eudemon> system-view
[Eudemon] firewall defend icmp-redirect enable

2.5.15 firewall defend icmp-unreachable enable

Function
Using the firewall defend icmp-unreachable enable command, you can enable the ICMP
unreachable packet attack defense.

Using the undo firewall defend icmp-unreachable enable command, you can disable the
ICMP unreachable packet attack defense.

Format
firewall defend icmp-unreachable enable

undo firewall defend icmp-unreachable enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the ICMP unreachable packet attack defense is disabled.

Examples
# Enable the ICMP unreachable packet attack defense.
<Eudemon> system-view
[Eudemon] firewall defend icmp-unreachable enable

2.5.16 firewall defend ip-fragment enable

Function
Using the firewall defend ip-fragment enable command, you can enable the IP fragment packet
attack defense.

Using the undo firewall defend ip-fragment enable command, you can disable the IP fragment
packet attack defense.

Format
firewall defend ip-fragment enable

undo firewall defend ip-fragment enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the IP fragment packet attack defense is disabled.

Examples
# Enable the IP fragment packet attack defense.
<Eudemon> system-view
[Eudemon] firewall defend ip-fragment enable

2.5.17 firewall defend ip-spoofing enable

Function
Using the firewall defend ip-spoofing enable command, you can enable the IP Spoofing attack
defense.

Using the undo firewall defend ip-spoofing enable command, you can disable the IP Spoofing
attack defense.

Format
firewall defend ip-spoofing enable

undo firewall defend ip-spoofing enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the IP Spoofing attack defense is disabled.

NOTE

The IP Spoofing attack defense cannot be used when the Eudemon works in transparent mode.

Examples
# Enable IP Spoofing attack defense.
<Eudemon> system-view
[Eudemon] firewall defend ip-spoofing enable

2.5.18 firewall defend ip-sweep

Function
Using the firewall defend ip-sweep command, you can enable the IP Sweep attack defense.

Using the undo firewall defend ip-sweep command, you can disable the IP Sweep attack
defense.

Format
firewall defend ip-sweep { max-rate rate-number | blacklist-timeout minutes }

undo firewall defend ip-sweep { max-rate | blacklist-timeout }

Parameters
max-rate rate-number: specifies the threshold for destination address changing rate of packets
sent from the same source address. The default value of rate-number is 4000 times per second.
The number ranges from 1 to 10000 times per second.

blacklist-timeout minutes: adds the source address to the blacklist and sets the valid time of the entry.
minutes is measured in minutes in a range of 1 to 1000 minutes. By default, the value is 10.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the IP Sweep attack defense is disabled.

This command will not take effect unless the outbound IP statistics for the associated source
IP/zone is enabled.

Examples
# Enable the IP Sweep attack defense and set the threshold of sweeping rate to 1000.
<Eudemon> system-view
[Eudemon] firewall defend ip-sweep max-rate 1000

2.5.19 firewall defend ip-sweep enable

Function
Using the firewall defend ip-sweep enable command, you can enable the IP Sweep attack
defense.
Using the undo firewall defend ip-sweep enable command, you can disable the function.

Format
firewall defend ip-sweep enable
undo firewall defend ip-sweep enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the IP Sweep attack defense is disabled.

Examples
# Enable the IP Sweep attack defense.
<Eudemon> system-view
[Eudemon] firewall defend ip-sweep enable

2.5.20 firewall defend land enable

Function
Using the firewall defend land enable command, you can enable the Land attack defense.

Using the undo firewall defend land enable command, you can disable the Land attack defense.

Format
firewall defend land enable

undo firewall defend land enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the Land attack defense is disabled.

Examples
# Enable the Land attack defense.
<Eudemon> system-view
[Eudemon] firewall defend land enable

2.5.21 firewall defend large-icmp

Function
Using the firewall defend large-icmp max-length command, you can enable the large ICMP
packet attack defense.

Using the undo firewall defend large-icmp max-length command, you can disable the large
ICMP packet attack defense.

Format
firewall defend large-icmp max-length length

undo firewall defend large-icmp max-length

Parameters
length: refers to the allowed maximum length of ICMP packets in a range of 28 to 65535 bytes.
By default, the value is 4000 bytes.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the large ICMP packet attack defense is disabled.

Examples
# Enable the large ICMP packet attack defense and permit the ICMP packet whose length is less
than 4000 bytes to pass.
<Eudemon> system-view
[Eudemon] firewall defend large-icmp max-length 4000

2.5.22 firewall defend large-icmp enable

Function
Using the firewall defend large-icmp enable command, you can enable the defense against
large-icmp attacks.

Using the undo firewall defend large-icmp enable command, you can disable the attack
defense.

Format
firewall defend large-icmp enable

undo firewall defend large-icmp enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Enable the defense against large-icmp attacks.
<Eudemon> system-view
[Eudemon] firewall defend large-icmp enable

2.5.23 firewall defend packet-header check enable

Function
Using the firewall defend packet-header check enable command, you can enable TCP, UDP,
and ICMP header check.

Using the undo firewall defend packet-header check enable command, you can disable TCP,
UDP, and ICMP header check.

Format
firewall defend packet-header check enable

undo firewall defend packet-header check enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
After TCP, UDP, and ICMP header check is enabled, a packet with an incorrect checksum
cannot pass through and is reported in an attack log. The log format is the same as that of
other attack logs.

After TCP, UDP, and ICMP header check is enabled, the Eudemon performance will be affected.

By default, TCP, UDP, and ICMP header check is disabled.

Examples
# Enable TCP, UDP, and ICMP header check.
<Eudemon> system-view
[Eudemon] firewall defend packet-header check enable

2.5.24 firewall defend ping-of-death enable

Function
Using the firewall defend ping-of-death enable command, you can enable the Ping of Death
attack defense.

Using the undo firewall defend ping-of-death enable command, you can disable the Ping of
Death attack defense.

Format
firewall defend ping-of-death enable

undo firewall defend ping-of-death enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the Ping of Death attack defense is disabled.

Examples
# Enable the Ping of Death attack defense.
<Eudemon> system-view
[Eudemon] firewall defend ping-of-death enable

2.5.25 firewall defend port-scan

Function
Using the firewall defend port-scan command, you can enable the port scan attack defense.

Using the undo firewall defend port-scan command, you can disable the port scan attack
defense.

Format
firewall defend port-scan { max-rate rate-number | blacklist-timeout minutes }

undo firewall defend port-scan { max-rate | blacklist-timeout }

Parameters
max-rate rate-number: specifies the threshold for destination port changing rate of packets sent
from the same source address. The default value of rate-number is 4000 times per second. The
number ranges from 1 to 10000 times per second.
blacklist-timeout minutes: adds the source address to the blacklist and sets the valid time of the entry.
minutes is in a range of 1 to 1000 minutes. The default value is 10.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the port scan attack defense is disabled.
This command will take effect only when the outbound IP statistics for the associated source IP
or zone is enabled.

Examples
# Enable the port scan attack defense and set the threshold of scanning rate to 1000 and valid
time of blacklist to 5 minutes.
<Eudemon> system-view
[Eudemon] firewall defend port-scan max-rate 1000
[Eudemon] firewall defend port-scan blacklist-timeout 5
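
The following is an added example, not part of the original command reference and not the Eudemon's own algorithm: one plausible reading of the max-rate and blacklist-timeout parameters described for both firewall defend ip-sweep and firewall defend port-scan. It counts how often the destination (address or port) changes per source within one second and blacklists the source once the threshold is exceeded; the class name, the one-second sliding window, and the packet tuples are assumptions and constructed data.

```python
from collections import defaultdict, deque


class ChangeRateDetector:
    """Per-source destination change-rate check with a timed blacklist.

    key = destination port models port-scan, key = destination address
    models ip-sweep. Ranges and defaults follow the parameter description.
    """

    def __init__(self, max_rate=4000, blacklist_timeout_min=10):
        if not 1 <= max_rate <= 10000:
            raise ValueError("max_rate must be 1..10000 changes per second")
        if not 1 <= blacklist_timeout_min <= 1000:
            raise ValueError("blacklist timeout must be 1..1000 minutes")
        self.max_rate = max_rate
        self.timeout = blacklist_timeout_min * 60   # seconds
        self._last_key = {}                         # src -> last destination key
        self._changes = defaultdict(deque)          # src -> change timestamps
        self._blacklist = {}                        # src -> expiry time

    def observe(self, ts, src, key):
        """Feed one packet; return "blacklisted", "attack" or "pass"."""
        expiry = self._blacklist.get(src)
        if expiry is not None:
            if ts < expiry:
                return "blacklisted"
            del self._blacklist[src]                # entry aged out
        prev = self._last_key.get(src)
        self._last_key[src] = key
        window = self._changes[src]
        if prev is not None and prev != key:
            window.append(ts)
        while window and window[0] <= ts - 1.0:     # keep the last second only
            window.popleft()
        if len(window) > self.max_rate:
            self._blacklist[src] = ts + self.timeout
            window.clear()
            self._last_key.pop(src, None)
            return "attack"
        return "pass"


def replay(detector, packets, field):
    """Run packets (ts, src, dst_ip, dst_port) through a detector.

    field=2 keys on the destination address (ip-sweep),
    field=3 keys on the destination port (port-scan).
    """
    return [detector.observe(p[0], p[1], p[field]) for p in packets]


# Constructed traffic (documentation address ranges).
SCANNER = "198.51.100.7"
PORT_SCAN = [(i * 0.01, SCANNER, "192.0.2.20", 1000 + i) for i in range(10)]
IP_SWEEP = [(i * 0.01, SCANNER, "192.0.2.%d" % (i + 1), 80) for i in range(10)]
BENIGN = [(i * 0.01, "192.0.2.50", "192.0.2.20", 443) for i in range(100)]

if __name__ == "__main__":
    # Small threshold so the constructed traffic trips it.
    det = ChangeRateDetector(max_rate=5, blacklist_timeout_min=1)
    print(replay(det, PORT_SCAN, 3))
```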

2.5.26 firewall defend port-scan enable

Function
Using the firewall defend port-scan enable command, you can enable the defense against port
scan attacks.
Using the undo firewall defend port-scan enable command, you can disable the attack defense.

Format
firewall defend port-scan enable
undo firewall defend port-scan enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the function is disabled.

Examples
# Enable the defense against port scan attacks.
<Eudemon> system-view
[Eudemon] firewall defend port-scan enable

2.5.27 firewall defend route-record enable

Function
Using the firewall defend route-record enable command, you can enable the attack defense
for the packet carrying the route record.

Using the undo firewall defend route-record enable command, you can disable the attack
defense for the packet carrying the route record.

Format
firewall defend route-record enable

undo firewall defend route-record enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, attack defense for the packet carrying the route record is disabled.

Examples
# Enable attack defense for the packet carrying the route record.
<Eudemon> system-view
[Eudemon] firewall defend route-record enable

2.5.28 firewall defend smurf enable

Function
Using the firewall defend smurf enable command, you can enable the Smurf attack defense.
Using the undo firewall defend smurf enable command, you can disable the Smurf attack
defense.

Format
firewall defend smurf enable
undo firewall defend smurf enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the Smurf attack defense is disabled.

Examples
# Enable the Smurf attack defense.
<Eudemon> system-view
[Eudemon] firewall defend smurf enable

2.5.29 firewall defend source-route enable

Function
Using the firewall defend source-route enable command, you can enable attack defense for
the packet carrying the source route.
Using the undo firewall defend source-route enable command, you can disable attack defense
for the packet carrying the source route.

Format
firewall defend source-route enable
undo firewall defend source-route enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, attack defense for the packet carrying the source route is disabled.

Examples
# Enable attack defense for the packet carrying the source route.
<Eudemon> system-view
[Eudemon] firewall defend source-route enable

2.5.30 firewall defend syn-flood

Function
Using the firewall defend syn-flood command, you can enable SYN Flood attack defense and
specify an IP/zone/interface to be protected.
Using the undo firewall defend syn-flood command, you can disable SYN Flood attack defense.

Format
firewall defend syn-flood ip ip-address [ max-rate rate-number | max-number max-number | tcp-proxy { auto | on | off } ] *
firewall defend syn-flood zone zone-name [ max-rate rate-number | max-number max-number | tcp-proxy { auto | on | off } ] *
firewall defend syn-flood interface { all | interface-type interface-number } [ max-rate rate-number ] [ tcp-proxy { auto | on | off } ]
undo firewall defend syn-flood [ ip [ ip-address ] | zone [ zone-name ] | interface { all | interface-type interface-number } ]

Parameters
ip ip-address: specifies the IP address of the host to be protected. SYN Flood attack defense can
protect up to 1000 IP addresses.
zone zone-name: specifies the name of the protected zone.
interface { all | interface-type interface-number }: sets the incoming interface-based SYN Flood
attack defense. It can be set to all to protect all interfaces. Alternatively, it can specify
an interface on which to perform attack defense. When SYN Flood attack defense is enabled, the
interface-based protection is enabled by default. TCP proxy, however, is not enabled before an
attack is detected.
max-rate rate-number: sets the rate threshold for SYN packets, that is, the total number of SYN
packets received in a second. If the number is greater than the threshold, it is regarded as
an attack. The default value of rate-number is 1000 packets per second and the range is
1 to 1000000 packets per second.
max-number max-number: specifies the maximum number of TCP semi-connections, ranging
from 1 to 10000000. If the number is greater than the threshold, it is regarded as an attack.
The default value is 1000.
tcp-proxy { auto | on | off }: enables TCP proxy. If auto is configured, TCP proxy starts
automatically when the protected host is attacked by SYN Flood and closes automatically when
the host is safe. on and off enable and disable TCP proxy manually, regardless of whether the
host is under SYN Flood attack. The default value is auto, that is, the system determines
when to start and close TCP proxy.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, SYN Flood attack defense is disabled.

Before running the firewall defend syn-flood command to defend against SYN flood attacks,
you need to run the firewall defend syn-flood enable command to enable the SYN flood attack
defense function first. In security zone view, run the statistic enable ip inzone command to
enable inbound IP statistics in the protected security zones, or the security zone of the specified
IP address.

The SYN flood attack defense priorities, from high to low, are:

• Interface-based attack defense
• IP address-based attack defense
• Security zone-based attack defense

If SYN flood attack defense of different priorities is configured, the system checks the priority
and implements the attack defense of the highest priority.

If protection is enabled on an inbound interface, the protection is effective for the corresponding
IP address and the protected security zone.

If you run the undo firewall defend syn-flood command without specifying ip-address, the
SYN flood detect function configured for IP addresses will be disabled. If you run the command
without specifying zone-name, the SYN flood detect function configured for the security zones
will be disabled.

Examples
# Enable SYN flood defense on the host at 10.1.1.2. The TCP proxy function is automatically
enabled.
<Eudemon> system-view
[Eudemon] firewall defend syn-flood ip 10.1.1.2 tcp-proxy auto

# Enable SYN Flood attack defense in the trust zone, set the rate threshold of SYN packets to
100 packets per second and the semi-connection threshold for each IP address in the trust zone
to 2000, and then enable TCP proxy manually.
[Eudemon] firewall defend syn-flood zone trust max-rate 100 max-number 2000 tcp-proxy on

Related Topics
2.5.31 firewall defend syn-flood enable
2.5.55 statistic enable

2.5.31 firewall defend syn-flood enable


Function
Using the firewall defend syn-flood enable command, you can enable SYN Flood attack
defense in the global scope.
Using the undo firewall defend syn-flood enable command, you can disable SYN Flood attack
defense in the global scope.

Format
firewall defend syn-flood enable
undo firewall defend syn-flood enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, SYN Flood attack defense is disabled in the global scope.

Examples
# Enable SYN Flood attack defense in the global scope.

<Eudemon> system-view
[Eudemon] firewall defend syn-flood enable

2.5.32 firewall defend tcp-flag enable

Function
Using the firewall defend tcp-flag enable command, you can enable TCP flag validity
detection.
Using the undo firewall defend tcp-flag enable command, you can disable TCP flag validity
detection.

Format
firewall defend tcp-flag enable
undo firewall defend tcp-flag enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, TCP flag validity detection is disabled.

Examples
# Enable TCP flag validity detection.
<Eudemon> system-view
[Eudemon] firewall defend tcp-flag enable

2.5.33 firewall defend teardrop enable

Function
Using the firewall defend teardrop enable command, you can enable Teardrop attack defense.
Using the undo firewall defend teardrop enable command, you can disable Teardrop attack
defense.

Format
firewall defend teardrop enable

undo firewall defend teardrop enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, Teardrop attack defense is disabled.

Examples
# Enable Teardrop attack defense.
<Eudemon> system-view
[Eudemon] firewall defend teardrop enable

2.5.34 firewall defend time-stamp enable

Function
Using the firewall defend time-stamp enable command, you can enable the Timestamp attack
defense.

Using the undo firewall defend time-stamp enable command, you can disable the function.

Format
firewall defend time-stamp enable

undo firewall defend time-stamp enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the function is disabled.

Examples
# Enable the Timestamp attack defense.
<Eudemon> system-view
[Eudemon] firewall defend time-stamp enable

2.5.35 firewall defend tracert enable

Function
Using the firewall defend tracert enable command, you can enable Tracert packet attack
defense.

Using the undo firewall defend tracert enable command, you can disable Tracert packet attack
defense.

Format
firewall defend tracert enable

undo firewall defend tracert enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, Tracert packet attack defense is disabled.

Examples
# Enable Tracert packet attack defense.
<Eudemon> system-view
[Eudemon] firewall defend tracert enable

2.5.36 firewall defend udp-flood

Function
Using the firewall defend udp-flood command, you can enable UDP Flood attack defense and
specify an IP/zone to be protected.
Using the undo firewall defend udp-flood command, you can disable UDP Flood attack
defense.

Format
firewall defend udp-flood ip ip-address [ max-rate rate-number ]
firewall defend udp-flood zone zone-name [ max-rate rate-number ]
undo firewall defend udp-flood [ ip [ ip-address ] | zone [ zone-name ] ]

Parameters
ip ip-address: specifies the IP address of the host to be protected. UDP Flood attack defense can
protect up to 1000 IP addresses.
zone zone-name: specifies the name of the protected zone.
max-rate rate-number: sets the rate threshold for UDP packets, that is, the total number of UDP
packets received in a second. If the number is greater than the threshold, it will be regarded as
an attack. The default value of rate-number is 1000 packets per second and the range of the
number is 1 to 1000000 packets per second.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, UDP Flood attack defense is disabled.
When enabling UDP Flood attack defense, you must also enable it in the global scope with the
firewall defend udp-flood enable command and enable inbound IP statistics for the protected
IP/zone with the statistic enable command.
The UDP flood attack defense priorities from high to low are IP address-based attack defense
and security zone-based attack defense.
If both types of attack defense are configured, the system checks the priority and implements
the IP address-based attack defense.
If the function is configured for a specific IP address, the function is effective for the security
zone of the IP address.
If you run the undo firewall defend udp-flood command without specifying ip-address, the
UDP flood detect function configured for IP addresses will be disabled. If you run the command
without specifying zone-name, the UDP flood detect function configured for the security zones
will be disabled.

Examples
# Enable UDP flood defense on the host at 10.1.1.2. Specify the threshold of the UDP packet
connection rate as 100 packets/s.
<Eudemon> system-view
[Eudemon] firewall defend udp-flood ip 10.1.1.2 max-rate 100

# Configure UDP flood defense for the hosts in the Trust security zone and specify the threshold
of the UDP packet connection rate as 100 packets/s.
[Eudemon] firewall defend udp-flood zone trust max-rate 100

Related Topics
2.5.37 firewall defend udp-flood enable
2.5.55 statistic enable
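
The prerequisites in 2.5.30 and 2.5.36 (global enable, inbound IP statistics in the protected zone, documented value ranges) can be checked offline against a saved configuration. The following Python script is an added example, not part of the Huawei manual; the configuration layout, the sample configuration and the ip_zone mapping are assumptions made for the example.

```python
import re

# Ranges documented in 2.5.30 and 2.5.36.
MAX_RATE = (1, 1_000_000)       # packets per second
MAX_NUMBER = (1, 10_000_000)    # TCP semi-connections (syn-flood only)
MAX_PROTECTED_IPS = 1000        # per flood type

# Constructed sample configuration. Assumed layout: commands as they would be
# entered, with security-zone-view commands indented under "firewall zone".
SAMPLE_CONFIG = """\
firewall defend syn-flood enable
firewall zone trust
 statistic enable ip inzone
firewall zone dmz
firewall defend syn-flood zone trust max-rate 100 max-number 2000 tcp-proxy on
firewall defend syn-flood zone dmz max-rate 5000000
firewall defend udp-flood ip 10.1.1.2 max-rate 100
"""

RULE = re.compile(r"^firewall defend (syn|udp)-flood (ip|zone|interface) (\S+)(.*)$")
GLOBAL = re.compile(r"^firewall defend (syn|udp)-flood enable$")


def parse(config):
    """Collect global enables, zones with inbound IP statistics, and rules."""
    enabled, stats_zones, rules, zone = set(), set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw.startswith(" "):
            zone = None                      # unindented: back in system view
        if line.startswith("firewall zone "):
            zone = line.split()[2]
        elif zone and line == "statistic enable ip inzone":
            stats_zones.add(zone)
        elif GLOBAL.match(line):
            enabled.add(GLOBAL.match(line).group(1))
        elif RULE.match(line):
            rules.append(RULE.match(line).groups())
    return enabled, stats_zones, rules


def audit(config, ip_zone=None):
    """Return findings for the flood-defense rules in `config`.

    ip_zone maps a protected address to its security zone. The firewall knows
    this mapping itself; this script has to be given it (assumption).
    """
    ip_zone = ip_zone or {}
    enabled, stats_zones, rules = parse(config)
    findings, ip_count = [], {"syn": 0, "udp": 0}
    for proto, scope, target, opts in rules:
        name = f"{proto}-flood {scope} {target}"
        if proto not in enabled:
            findings.append(f"{name}: 'firewall defend {proto}-flood enable' is missing")
        # Inbound IP statistics are needed in the protected zone, or in the
        # zone that holds the protected address.
        zone = None
        if scope == "zone":
            zone = target
        elif scope == "ip":
            ip_count[proto] += 1
            zone = ip_zone.get(target)
            if zone is None:
                findings.append(f"{name}: zone unknown, check 'statistic enable ip inzone' by hand")
        if zone is not None and zone not in stats_zones:
            findings.append(f"{name}: zone {zone} lacks 'statistic enable ip inzone'")
        for key, (lo, hi) in (("max-rate", MAX_RATE), ("max-number", MAX_NUMBER)):
            m = re.search(rf"\b{key} (\d+)", opts)
            if m and not lo <= int(m.group(1)) <= hi:
                findings.append(f"{name}: {key} {m.group(1)} outside {lo}-{hi}")
    for proto, count in ip_count.items():
        if count > MAX_PROTECTED_IPS:
            findings.append(f"{proto}-flood: {count} protected addresses, limit is {MAX_PROTECTED_IPS}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, {"10.1.1.2": "trust"}):
        print(finding)
```

With the constructed sample, the script reports the dmz rule twice (no inbound IP statistics, max-rate out of range) and the UDP rule once (global enable missing).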

2.5.37 firewall defend udp-flood enable

Function
Using the firewall defend udp-flood enable command, you can enable the UDP Flood attack
defense globally.
Using the undo firewall defend udp-flood enable command, you can disable the UDP Flood
attack defense globally.

Format
firewall defend udp-flood enable
undo firewall defend udp-flood enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the UDP Flood attack defense is disabled globally.

Examples
# Enable the UDP Flood attack defense globally.
<Eudemon> system-view
[Eudemon] firewall defend udp-flood enable

2.5.38 firewall defend winnuke enable

Function
Using the firewall defend winnuke enable command, you can enable the WinNuke attack
defense.
Using the undo firewall defend winnuke enable command, you can disable the WinNuke attack
defense.

Format
firewall defend winnuke enable
undo firewall defend winnuke enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the WinNuke attack defense is disabled.

Examples
# Enable the WinNuke attack defense.
<Eudemon> system-view
[Eudemon] firewall defend winnuke enable

2.5.39 firewall flow-control acl

Function
Using the firewall flow-control acl command, you can provide the data flow that conforms to
ACL with the same bandwidth assurance function as H.323.
Using the undo firewall flow-control acl command, you can cancel the bandwidth assurance
function.

Format
firewall flow-control acl acl-number

undo firewall flow-control acl

Parameters
acl-number: specifies the ACL number ranging from 2000 to 3999.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Define that the flow matching ACL 3001 shares the same bandwidth assurance function as the
H.323 media stream.
<Eudemon> system-view
[Eudemon] firewall flow-control acl 3001

2.5.40 firewall flow-control car

Function
Using the firewall flow-control car command, you can set the upper limit of the bandwidth of
other traffic according to the bandwidth of the network egress.
Using the undo firewall flow-control car command, you can remove the upper limit of the
bandwidth of other traffic.

Format
firewall flow-control car cir cir-value [ cbs cbs-value ebs ebs-value ]
undo firewall flow-control car

Parameters
cir-value: specifies the Committed Information Rate (CIR), in bit/s. It ranges from 8000 to
155000000.
cbs-value: specifies the Committed Burst Size (CBS), namely, the bits sent at each interval. It
ranges from 15000 to 1000000000.
ebs-value: specifies the Excessive Burst Size (EBS), in bits. It ranges from 0 to 155000000.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
The Eudemon imposes the bandwidth limitation on other data flows only after detecting
H.323 traffic.

Examples
# Set the CIR of other flow to 10000000 bit/s.
<Eudemon> system-view
[Eudemon] firewall flow-control car cir 10000000

2.5.41 firewall flow-control h323 enable

Function
Using the firewall flow-control h323 enable command, you can globally enable H.323 traffic
assurance function.
Using the undo firewall flow-control h323 enable command, you can globally disable H.323
traffic assurance function.

Format
firewall flow-control h323 enable
undo firewall flow-control h323 enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Enable H.323 traffic assurance function globally.
<Eudemon> system-view
[Eudemon] firewall flow-control h323 enable

2.5.42 firewall flow-control on

Function
Using the firewall flow-control on command, you can enable H.323 traffic assurance function
on packets from the interface.
Using the undo firewall flow-control on command, you can disable H.323 traffic assurance
function on packets from the interface.

Format
firewall flow-control on
undo firewall flow-control on

Parameters
None

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Enable H.323 traffic assurance function on Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] firewall flow-control on

2.5.43 firewall fragment-discard enable

Function
Using the firewall fragment-discard enable command, you can enable the function of
discarding fragments.
Using the undo firewall fragment-discard enable command, you can disable the function of
discarding fragments.

Format
firewall fragment-discard enable

undo firewall fragment-discard enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
Once this function is enabled, the Eudemon discards all fragments.
By default, this function is disabled.

Examples
# Enable the function of discarding fragments.
<Eudemon> system-view
[Eudemon] firewall fragment-discard enable

2.5.44 firewall http-authentication

Function
Using the firewall http-authentication command, you can enable authentication protection for
HTTP services.
Using the undo firewall http-authentication command, you can disable authentication
protection for HTTP services.

Format
firewall http-authentication ip source-ip
undo firewall http-authentication [ ip source-ip ]

Parameters
source-ip: specifies the IP address of the host to be protected.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
To defend against resource consumption attacks with TCP packets, the Eudemon provides the
defense against the SYN Flood attack. Considering that some worms may conduct resource
consumption attacks against TCP servers, the Eudemon provides a specific defense for the HTTP
service.
Using the undo command without the parameter ip source-ip, you can delete all configured IP
addresses.
By default, this function is disabled.

Examples
# Configure authentication protection for HTTP services for the host with IP address 192.168.1.1
against worm attacks.
<Eudemon> system-view
[Eudemon] firewall http-authentication ip 192.168.1.1

2.5.45 firewall session link-state check

Function
Using the firewall session link-state check command, you can enable session link state check.
Using the undo firewall session link-state check command, you can disable session link state
check.

Format
firewall session link-state check
undo firewall session link-state check

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
If session link state check is disabled, the Eudemon does not check the session state, and
follow-up packets can establish session table entries. Disabling session link state check is
intended for cases where the inbound path of the packets is different from the outbound path.
By default, session link state check is enabled.

Examples
# Enable session link state check.
<Eudemon> system-view
[Eudemon] firewall session link-state check

2.5.46 firewall statistic system connect-number

Function
Using the firewall statistic system connect-number command, you can set the high-value or
low-value for the TCP/UDP connection number in the system.

Using the undo firewall statistic system connect-number command, you can restore the
default value.

Format
firewall statistic system connect-number { tcp | udp } { high high-value low low-value }

undo firewall statistic system connect-number { tcp | udp }

Parameters
tcp: refers to TCP connections.

udp: refers to UDP connections.

high high-value: refers to the high-value. The range for the high-value of TCP/UDP connection
number in the system is 100000 to 500000. The default value is 500000.

low low-value: refers to the low-value. The range for the low-value of TCP/UDP connection
number in the system is 1 to 500000. The default value is 495000.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
Here the high-value or low-value refers to the total number in the system. The Eudemon outputs
an alert log for the irregular connection number over the high-value and outputs a normal log
when the number drops to the low-value.

CAUTION
You are required to use the firewall statistic system connect-number command in system view
to set values associated with the system and to use 2.5.53 statistic connect-number command
in zone view to set values associated with zone/IP.

Examples
# Set the high-value of TCP connection number in the system to 120000 and the low-value to
60000.
<Eudemon> system-view
[Eudemon] firewall statistic system connect-number tcp high 120000 low 60000

2.5.47 firewall statistic system enable

Function
Using the firewall statistic system enable command, you can enable statistics in the global
scope.
Using the undo firewall statistic system enable command, you can disable statistics in the
global scope.

Format
firewall statistic system enable
undo firewall statistic system enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, statistics is enabled in the global scope.

Examples
# Enable statistics in the global scope.
<Eudemon> system-view
[Eudemon] firewall statistic system enable

2.5.48 firewall statistic system flow-percent

Function
Using the firewall statistic system flow-percent command, you can set percent, alteration range
and detection period for various packets in a time segment.

Using the undo firewall statistic system flow-percent command, you can restore the default
values of these parameters.

Format
firewall statistic system flow-percent { tcp tcp-percent udp udp-percent icmp icmp-percent
alteration alteration-percent [ time time-value ] }

undo firewall statistic system flow-percent

Parameters
tcp-percent: refers to the percent of TCP packets in a range of 0 to 100. By default, its value is
75.

udp-percent: refers to the percent of UDP packets in a range of 0 to 100. By default, its value is
15.

icmp-percent: refers to the percent of ICMP packets in a range of 0 to 100. By default, its value
is 5.

alteration-percent: refers to the alteration range for the percent of each packet type, represented
by the percent of the percent value of each packet type in a range of 0 to 25. By default, its value
is 25.

time-value: refers to the time period for detection calculation, measured in minutes in a range
of 1 to 6000 minutes. By default, its value is 60 minutes.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
You must set the percent for TCP, UDP and ICMP packets together in this command; the percent of
other packet types does not need to be set. Note that the percent sum of the three types of
packets should be no more than 100%. If the ratios of the global TCP, UDP, and ICMP packets
exceed the corresponding ranges, the alarm log is generated. For example, the default ratios of
TCP, UDP, and ICMP packets are 75%, 15%, and 5% respectively. The fluctuation ratio for
each type of packets is 25%. The system performs the check once an hour. The ratio of TCP
packets is then expected to be 50% to 100% of the total packets. If the ratio is smaller than
50% or larger than 100%, the alarm is generated. However, there is no limit on the TCP packets.

Examples
# Set the percent of TCP, UDP and ICMP packets to 50, 25 and 15 respectively, and the alteration
range to 10%.
<Eudemon> system-view
[Eudemon] firewall statistic system flow-percent tcp 50 udp 25 icmp 15 alteration 10
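
The range check described in the usage guidelines above, as an added Python example that is not part of the manual. It assumes each band is the configured percent plus or minus alteration-percent percentage points, the reading that reproduces the 50% to 100% TCP range given above; clamping to 0 to 100 and the sample packet counts are likewise assumptions.

```python
def flow_bands(tcp=75, udp=15, icmp=5, alteration=25):
    """Return {protocol: (low, high)}: the share of all packets, in percent,
    inside which no alarm log is generated. Defaults are the documented ones."""
    base = {"tcp": tcp, "udp": udp, "icmp": icmp}
    for proto, percent in base.items():
        if not 0 <= percent <= 100:
            raise ValueError(f"{proto}-percent must be 0 to 100")
    if not 0 <= alteration <= 25:
        raise ValueError("alteration-percent must be 0 to 25")
    if sum(base.values()) > 100:
        raise ValueError("tcp + udp + icmp percent must not exceed 100")
    # Assumption: band = percent +/- alteration points, clamped to 0..100.
    return {p: (max(0, v - alteration), min(100, v + alteration))
            for p, v in base.items()}


def check_period(counts, bands):
    """Compare the packet counts of one detection period with the bands.

    counts: {"tcp": n, "udp": n, "icmp": n, "other": n}. Returns one
    (protocol, share, low, high) tuple per protocol outside its band.
    """
    total = sum(counts.values())
    if total == 0:
        return []
    alarms = []
    for proto, (low, high) in bands.items():
        share = 100.0 * counts.get(proto, 0) / total
        if share < low or share > high:
            alarms.append((proto, round(share, 1), low, high))
    return alarms


# Constructed counts for one period: a UDP surge that crowds out TCP.
SAMPLE_PERIOD = {"tcp": 300_000, "udp": 650_000, "icmp": 20_000, "other": 30_000}

if __name__ == "__main__":
    for label, bands in (
        ("defaults", flow_bands()),
        ("tcp 50 udp 25 icmp 15 alteration 10", flow_bands(50, 25, 15, 10)),
    ):
        print(label, bands, check_period(SAMPLE_PERIOD, bands))
```

Under this reading the default alteration of 25 leaves the UDP and ICMP lower bounds at 0, so for those two protocols only a surge can raise the alarm; the tighter values from the example above also flag the drop in ICMP share.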

2.5.49 firewall statistic system last_five_min enable

Function
Using the firewall statistic system last_five_min enable command, you can enable traffic
statistics for the most recent five minutes.

Using the undo firewall statistic system last_five_min enable command, you can disable traffic
statistics for the most recent five minutes.

Format
firewall statistic system last_five_min enable

undo firewall statistic system last_five_min enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, traffic statistics for the most recent five minutes is disabled.

You can view the traffic statistics for the most recent five minutes using the 2.5.5 display
firewall statistic command only when you have enabled traffic statistics for the most recent
five minutes.

Examples
# Enable traffic statistics for the most recent five minutes.
<Eudemon> system-view
[Eudemon] firewall statistic system last_five_min enable

2.5.50 reset firewall statistic ip

Function
Using the reset firewall statistic ip command, you can reset the statistics of the source or
destination address entry.

Format
reset firewall statistic ip ip-address { source-ip | destination-ip }

Parameters
ip ip-address: resets the statistics of specified IP address. ip-address specifies the IP address.

source-ip: resets the source address entry.

destination-ip: resets the destination address entry.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
The command is invalid if the specified IP address does not exist.

Examples
# Reset the statistics of the source IP address 1.1.1.1.
<Eudemon> reset firewall statistic ip 1.1.1.1 source-ip

2.5.51 reset firewall statistic system

Function
Using the reset firewall statistic system command, you can reset the system statistics or the
defense information.

Format
reset firewall statistic system [ defend ]

Parameters
defend: indicates the Eudemon defense information.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Reset system statistics.
<Eudemon> reset firewall statistic system

2.5.52 reset firewall statistic zone

Function
Using the reset firewall statistic zone command, you can reset the inbound or outbound statistics
of a specified security zone.

Format
reset firewall statistic zone zone-name { inzone | outzone }

Parameters
zone zone-name: resets the statistics information of a security zone. zone-name specifies the
name of the security zone, including dmz, trust, untrust and local.
inzone: refers to the inbound of a security zone.
outzone: refers to the outbound of a security zone.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
The command is invalid if the specified security zone does not exist.

Examples
# Reset the outbound statistics of the trust zone.
<Eudemon> reset firewall statistic zone trust outzone

2.5.53 statistic connect-number

Function
Using the statistic connect-number command, you can set high-value/low-value for
zone/IP-based TCP or UDP connections in one direction.

Using the undo statistic connect-number command, you can restore the default value.

Format
statistic connect-number { zone | ip } { inzone | outzone } { tcp | udp } { high high-limit low low-limit }

undo statistic connect-number { zone | ip } { inzone | outzone } { tcp | udp }

Parameters
zone: refers to the value in the zone.

ip: refers to the value of the IP address.

inzone: refers to the inbound direction in the zone.

outzone: refers to the outbound direction in the zone.

tcp: refers to the TCP connection.

udp: refers to the UDP connection.

high high-value: refers to the high-value. The high-value range for TCP/UDP connections in
the zone is 1 to 500000. By default, it is 500000. The high-value range for IP-based TCP/UDP
connections is 1 to 10240. By default, it is 10240.

low low-value: refers to the low-value. The low-value range for TCP/UDP connections in the
zone is 1 to 500000. By default, it is 495000. The low-value range for IP-based TCP/UDP
connections is 1 to 10240. By default, it is 8000.

Views
Security zone view

Default Level
2: Configuration level

Usage Guidelines
Here the value for zone/IP-based connections is defined according to the packet transmission
direction related to the destination zone. The firewall outputs an alert log for an irregular number
over the high-value and restricts connection requests to the zone. When the number drops to the
low-value, the firewall outputs a normal log and cancels the limit.

CAUTION
You need to run the 2.5.46 firewall statistic system connect-number command in the system
view to set the parameters related with the system. In addition, you need to run the statistic
connect-number command in the security zone view to set the parameters related with security
zones or IP addresses.

Examples
# Set the high-value for the inbound TCP connections in the untrust zone to 25000 and the
low-value to 10000.
<Eudemon> system-view
[Eudemon] firewall zone untrust
[Eudemon-zone-untrust] statistic connect-number zone inzone tcp high 25000 low 10000

2.5.54 statistic connect-speed

Function
Using the statistic connect-speed command, you can set high-value or low-value for
zone/IP-based TCP/UDP connection speed (per second) in one direction.

Using the undo statistic connect-speed command, you can restore the default value.

Format
statistic connect-speed { zone | ip } { inzone | outzone } { tcp | udp } { high high-value low low-value }

undo statistic connect-speed { zone | ip } { inzone | outzone } { tcp | udp }

Parameters
zone: refers to the zone-based value.

ip: refers to the IP-based value.

inzone: refers to the inbound direction in the zone.

outzone: refers to the outbound direction in the zone.

tcp: refers to the TCP connection.

udp: refers to the UDP connection.

high high-value: refers to the high-value. The high-value range for TCP/UDP connection speed
in the zone is 1 to 10000. By default, it is 10000. The high-value range for IP-based TCP/UDP
connection speed is 1 to 10000. By default, it is 10000.

low low-value: refers to the low-value. The low-value range for TCP/UDP connection speed in
the zone is 1 to 10000. By default, it is 8000. The low-value range for IP-based TCP/UDP
connection speed is 1 to 10000. By default, it is 8000.

Views
Security zone view

Default Level
2: Configuration level

Usage Guidelines
Here the value for zone/IP-based connection speed is defined according to the packet
transmission direction related to the destination zone. The Eudemon outputs an alert log for an
irregular number over the high-value and restricts connection requests to the zone. When the
number drops to the low-value, the Eudemon outputs a normal log.

Examples
# Set the high-value for the inbound TCP connection speed (per second) in the trust zone to 2500
and the low-value to 1000.
<Eudemon> system-view
[Eudemon] firewall zone trust
[Eudemon-zone-trust] statistic connect-speed zone inzone tcp high 2500 low 1000
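
The high-value/low-value behaviour described in 2.5.46, 2.5.53 and 2.5.54, modelled as an added Python example (not code from the manual or the device). The class and function names and the sample series are constructed for the example; the ranges are the ones documented in those sections.

```python
# (command, scope) -> ((high range), (low range)), from 2.5.46, 2.5.53, 2.5.54.
RANGES = {
    ("connect-number", "system"): ((100000, 500000), (1, 500000)),
    ("connect-number", "zone"): ((1, 500000), (1, 500000)),
    ("connect-number", "ip"): ((1, 10240), (1, 10240)),
    ("connect-speed", "zone"): ((1, 10000), (1, 10000)),
    ("connect-speed", "ip"): ((1, 10000), (1, 10000)),
}


class Watermark:
    """High/low threshold pair as described for the statistic commands."""

    def __init__(self, command, scope, high, low):
        (h_min, h_max), (l_min, l_max) = RANGES[(command, scope)]
        if not h_min <= high <= h_max:
            raise ValueError(f"high {high} outside {h_min}-{h_max}")
        if not l_min <= low <= l_max:
            raise ValueError(f"low {low} outside {l_min}-{l_max}")
        self.high, self.low = high, low
        self.alarmed = False     # zone/IP scope: requests are restricted while True
        self.log = []

    def observe(self, tick, value):
        """Feed one sample; append a log entry only on a state change."""
        if not self.alarmed and value > self.high:
            self.alarmed = True                      # over the high-value
            self.log.append((tick, "alert", value))
        elif self.alarmed and value <= self.low:
            self.alarmed = False                     # dropped to the low-value
            self.log.append((tick, "normal", value))
        return self.alarmed


def replay(samples, command, scope, high, low):
    """Run a series of samples through a Watermark; return (log, states)."""
    wm = Watermark(command, scope, high, low)
    states = [wm.observe(tick, value) for tick, value in enumerate(samples)]
    return wm.log, states


# Constructed series of inbound TCP connection counts for one zone.
SAMPLES = [9000, 24000, 25001, 26000, 24000, 12000, 25500, 10000, 9000, 26000]

if __name__ == "__main__":
    # Thresholds from the example in 2.5.53: high 25000, low 10000.
    log, states = replay(SAMPLES, "connect-number", "zone", 25000, 10000)
    print(log)
    # Same traffic with the low-value just under the high-value: more log churn.
    print(replay(SAMPLES, "connect-number", "zone", 25000, 24500)[0])
```

The second replay shows why the gap between the two values matters: with the low-value close to the high-value, the same traffic produces five log entries instead of three, and the alarmed state is cleared while the count is still near the limit.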

2.5.55 statistic enable

Function
Using the statistic enable command, you can enable zone or IP-based statistics.
Using the undo statistic enable command, you can disable zone or IP-based statistics.

Format
statistic enable { zone | ip } { inzone | outzone }
undo statistic enable { zone | ip } { inzone | outzone }

Parameters
inzone: enables statistics on inbound packets in the zone. An inbound packet is a packet sent
to the local zone. If the statistics are IP-based, packets are counted by destination
address.
outzone: enables statistics on outbound packets in the zone. An outbound packet is a packet
sent from the local zone. If the statistics are IP-based, packets are counted by source
address.

Views
Security zone view

Default Level
2: Configuration level

Usage Guidelines
By default, zone or IP-based statistics is disabled.

Examples
# Enable IP-based statistics in the trust zone to take statistics on inbound packets on the basis
of destination addresses only.
<Eudemon> system-view
[Eudemon] firewall zone trust
[Eudemon-zone-trust] statistic enable ip inzone

# Enable zone-based statistics in the untrust zone to take statistics on outbound packets.
[Eudemon-zone-untrust] statistic enable zone outzone

2.6 ASPF Configuration Commands


2.6.1 debugging firewall aspf
2.6.2 debugging firewall fragment-forward
2.6.3 detect
2.6.4 detect user-define
2.6.5 display firewall servermap
2.6.6 firewall cache refresh enable
2.6.7 firewall fragment-cache enable
2.6.8 firewall fragment-cache max-number one-packet
2.6.9 firewall fragment-cache max-number total
2.6.10 firewall fragment-forward enable

2.6.1 debugging firewall aspf

Function
Using the debugging firewall aspf command, you can enable ASPF debugging.

Using the undo debugging firewall aspf command, you can disable ASPF debugging.

Format
debugging firewall aspf { all | activex-blocking | ftp | h323 | http | hwcc | ils | java-blocking | mgcp | mms | msn | pptp | qq | rtsp | sip | smtp | sqlnet | user-define }

undo debugging firewall aspf { all | activex-blocking | ftp | h323 | http | hwcc | ils | java-blocking | mgcp | mms | msn | pptp | qq | rtsp | sip | smtp | sqlnet | user-define }

Parameters
ftp | h323 | http | hwcc | ils | mgcp | mms | msn | pptp | qq | rtsp | sip | smtp | sqlnet | user-define:
enables ASPF debugging of the corresponding application layer protocol.

all: enables all ASPF debugging.

user-define, activex-blocking, and java-blocking: enable the debugging of triplet fields,
activex-blocking detection, and java-blocking detection respectively.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, ASPF debugging is disabled.

Examples
# Enable all ASPF debugging.
<Eudemon> debugging firewall aspf all

2.6.2 debugging firewall fragment-forward

Function
Using the debugging firewall fragment-forward command, you can enable the debugging of
the direct forwarding function of message fragments to check whether message fragments pass
through the Eudemon.

Using the undo debugging firewall fragment-forward command, you can disable the
debugging of the direct forwarding function of message fragments.

Format
debugging firewall fragment-forward

undo debugging firewall fragment-forward

Parameters
None

Views
User view

Default Level
2: Configuration level

Usage Guidelines
By default, the debugging of the direct forwarding function of message fragments is disabled.
Normally, a hash list of message fragments is created when message fragments pass through the
Eudemon. The direct forwarding function forwards these fragments directly without creating
the list. As a result, when direct forwarding is enabled, users cannot tell whether message
fragments pass through the Eudemon, because no hash list of message fragments is created.
Using the debugging firewall fragment-forward command, you can see whether
message fragments pass through the Eudemon.

Examples
# Enable the debugging of the direct forwarding function of message fragments.
<Eudemon> debugging firewall fragment-forward

2.6.3 detect

Function
Using the detect command, you can apply ASPF on application layer protocols.
Using the undo detect command, you can remove the configuration.

Format
detect { activex-blocking [ acl-number ] | ftp | h323 | http | hwcc | ils | java-blocking [ acl-number ] | mgcp | mms | msn | pptp | qq | rtsp | sip | smtp | sqlnet | user-define }
undo detect { activex-blocking | ftp | h323 | http | hwcc | ils | java-blocking | mgcp | mms | msn | pptp | qq | rtsp | sip | smtp | sqlnet | user-define }

Parameters

CAUTION
In a security zone, you can apply ASPF on FTP only.

ftp | h323 | http | hwcc | ils | mgcp | mms | msn | pptp | qq | rtsp | sip | smtp | sqlnet: indicates
the application layer protocol on which ASPF is applied.
user-define, activex-blocking and java-blocking: configure triplet ASPF, ActiveX blocking,
and Java blocking respectively.
acl-number: specifies the basic ACL number ranging from 2000 to 2999. It takes effect only for
java-blocking and activex-blocking.

Views
interzone view/security zone view

Default Level
2: Configuration level

Usage Guidelines
By default, ASPF is not applied on any protocol.

Examples
# Apply ASPF on HTTP and define ACL 2001 to filter Java applets from 10.1.1.1.
<Eudemon> system-view
[Eudemon] acl number 2001
[Eudemon-acl-basic-2001] rule permit source 10.1.1.1 0
[Eudemon-acl-basic-2001] quit
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] detect http
[Eudemon-interzone-trust-untrust] detect java-blocking 2001

# Configure ASPF within a zone.
<Eudemon> system-view
[Eudemon] firewall zone trust
[Eudemon-zone-trust] detect ftp

2.6.4 detect user-define

Function
Using the detect user-define command, you can enable the triplet process on the Eudemon.

Using the undo detect user-define command, you can disable this function.

Format
detect user-define acl-number { inbound | outbound } [ aging-time ]

undo detect user-define { inbound | outbound }

Parameters
acl-number: specifies an ACL rule that is required in the triplet process. It is in the range of 2000
to 3999. By default, it is 0, that is, no user-define is configured.

inbound: indicates the inbound direction.

outbound: indicates the outbound direction.

aging-time: specifies the aging time of entries in the server mapping table for the setup of triplet
mode. It is in the range of 1 to 65535 seconds. The default value is 120 seconds.

Views
Interzone view

Default Level
2: Configuration level

Usage Guidelines
By default, this function is disabled.

Examples
# Enable the triplet process between the Trust zone and Untrust zone. The ACL to be matched
is 2000 and aging time of mapping entries is 100 seconds.
<Eudemon> system-view
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] detect user-define inbound 2000 100

2.6.5 display firewall servermap

Function
Using the display firewall servermap command, you can display all the Server Map entries:
those established during NAT, those created by ASPF when it performs ALG resolution, and
those created by configuring SLB.

Format
display firewall servermap [ ip { global | inside } ip-address ]

Parameters
ip: searches server map entries using a specified source IP address.
global: searches server map entries using the translated public IP address.
inside: searches server map entries using the private IP address before translation.
ip-address: specifies a source IP address in dotted decimal notation.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
You can run this command to view mappings between the private address of the internal server
and the public address after the NAT server is configured.

When processing the protocol that needs to be resolved by the Application Level Gateway
(ALG), ASPF creates the Server Map entries.

After SLB is configured, the Server Map entries are created.

Examples
# Display all the Server Map entries according to the private IP address 10.110.1.28 before
address translation.
<Eudemon> display firewall servermap ip inside 10.110.1.28

2.6.6 firewall cache refresh enable

Function
Using the firewall cache refresh enable command, you can start the automatic cache refresh
function of the session table.

Using the undo firewall cache refresh enable command, you can disable the automatic cache
refresh function of the session table.

Format
firewall cache refresh enable

undo firewall cache refresh enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the automatic cache refresh function of the session table is disabled.

Examples
# Start the cache refresh function of the session table.
<Eudemon> system-view
[Eudemon] firewall cache refresh enable

2.6.7 firewall fragment-cache enable

Function
Using the firewall fragment-cache enable command, you can enable the fragment cache
function of the Eudemon.

Using the undo firewall fragment-cache enable command, you can disable the fragment cache
function of the Eudemon.

Format
firewall fragment-cache enable [ acl acl-number ]

undo firewall fragment-cache enable

Parameters
acl acl-number: specifies the number of an Access Control List (ACL). The value ranges from
2000 to 3999.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the fragment cache function of the Eudemon is disabled.

Examples
# Enable the fragment cache function of the Eudemon.
<Eudemon> system-view
[Eudemon] firewall fragment-cache enable

2.6.8 firewall fragment-cache max-number one-packet

Function
Using the firewall fragment-cache max-number one-packet command, you can configure the
maximum number of fragments of one packet in the cache.

Using the undo firewall fragment-cache max-number one-packet command, you can restore
the default maximum number of fragments of one packet in the cache.

Format
firewall fragment-cache max-number one-packet number

undo firewall fragment-cache max-number one-packet

Parameters
number: indicates the maximum number of fragments of one packet in the cache. It ranges from
1 to 10. By default, it is 10.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the maximum number of fragments of one packet in the cache is 10.

Examples
# Set the maximum fragments of a packet in the cache to 8.
<Eudemon> system-view
[Eudemon] firewall fragment-cache max-number one-packet 8

2.6.9 firewall fragment-cache max-number total

Function
Using the firewall fragment-cache max-number total command, you can set the maximum
total fragments in the cache.

Using the undo firewall fragment-cache max-number total command, you can restore the
default maximum total fragments in the cache.

Format
firewall fragment-cache max-number total number

undo firewall fragment-cache max-number total

Parameters
number: indicates the maximum fragments in the cache. It ranges from 1000 to 4000. By default,
it is 2000.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the maximum fragments in the cache is 2000.

Examples
# Set the maximum total fragments in the cache to 3000.
<Eudemon> system-view
[Eudemon] firewall fragment-cache max-number total 3000

2.6.10 firewall fragment-forward enable

Function
Using the firewall fragment-forward enable command, you can enable direct forwarding of
fragmented packets on the Eudemon when the Eudemon does not perform NAT. After the
command is configured, if the other fragments of a fragmented packet reach the Eudemon
earlier than the first fragment, the Eudemon directly forwards them.

Using the undo firewall fragment-forward enable command, you can disable the fragmented
packets directly-forwarding function of the Eudemon.

Format
firewall fragment-forward enable

undo firewall fragment-forward enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the fragmented packets directly-forwarding function of Eudemon is disabled.

Examples
# Enable the fragmented packets directly-forwarding function of the Eudemon.
<Eudemon> system-view
[Eudemon] firewall fragment-forward enable

2.7 Blacklist Configuration Commands


2.7.1 debugging firewall blacklist
2.7.2 display firewall blacklist
2.7.3 firewall blacklist aging-time
2.7.4 firewall blacklist authentication-count
2.7.5 firewall blacklist enable
2.7.6 firewall blacklist item

2.7.1 debugging firewall blacklist

Function
Using the debugging firewall blacklist command, you can enable the blacklist debugging on
the Eudemon.
Using the undo debugging firewall blacklist command, you can disable the blacklist debugging
on the Eudemon.

Format
debugging firewall blacklist { all | item | packet }

Parameters
all: displays all debugging.
item: displays the debugging for changes of blacklist entries.
packet: displays the debugging for blacklist entries in packets.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, all the debugging on the Eudemon is disabled.

Examples
# Enable the debugging for all blacklist entries.
<Eudemon> debugging firewall blacklist all

2.7.2 display firewall blacklist

Function
Using the display firewall blacklist command, you can view the running status and entries of
the blacklist on the Eudemon.

Format
display firewall blacklist { enable | item [ source-address ] }

Parameters
enable: displays whether the blacklist of various types is enabled.

item [ source-address ]: displays entries of blacklist. source-address refers to the IP address of
the entry to be displayed. If no IP address is specified, you can view the summary information
on the current blacklist items.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the blacklist entry corresponding to the IP address 192.168.1.1.
<Eudemon> display firewall blacklist item 192.168.1.1
IP ADDRESS REASON INSERTTIME AGETIME
---------------------------------------------------------------
LoginFailed 2008/08/12 18:30:25 10
192.168.1.1 Manual 2008/06/18 17:25:26 Permanent

# Display the running status of the blacklist.
<Eudemon> display firewall blacklist enable
firewall blacklist enable manual
firewall blacklist enable login-failed
firewall blacklist enable ids
firewall blacklist enable ip-sweep
firewall blacklist enable port-scan
firewall blacklist enable auth-failed

Related Topics
2.7.5 firewall blacklist enable
2.7.6 firewall blacklist item

2.7.3 firewall blacklist aging-time

Function
Using the firewall blacklist aging-time command, you can set the aging time of blacklist items.

Using the undo firewall blacklist aging-time command, you can cancel the aging time
setting of blacklist items.

Format
firewall blacklist aging-time { auth-failed | login-failed } timeout-value

undo firewall blacklist aging-time { auth-failed | login-failed }

Parameters
auth-failed: indicates the blacklist item of session authentication failure.

login-failed: indicates the blacklist item of login failure through Telnet or SSH.

timeout-value: indicates the aging time of blacklist items. It is an integer in a range of 1 to 1000,
in minutes.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
The aging time of blacklist items set by the firewall blacklist aging-time command has a lower
priority than the aging time that is set by the lock lock-timeout command in the user interface
view.

Examples
# Set the aging time of blacklist items indicating login failures to 1000 minutes.
<Eudemon> system-view
[Eudemon] firewall blacklist aging-time login-failed 1000

Related Topics
2.7.2 display firewall blacklist

2.7.4 firewall blacklist authentication-count

Function
Using the firewall blacklist authentication-count command, you can set the authentication
times of specified blacklist items.
Using the undo firewall blacklist authentication-count command, you can cancel the
authentication times setting of specified blacklist items.

Format
firewall blacklist authentication-count { auth-failed | login-failed } authentication-times
undo firewall blacklist authentication-count { auth-failed | login-failed }

Parameters
auth-failed: indicates the blacklist item of session authentication failures.
login-failed: indicates the blacklist item of login failures through Telnet or SSH.
authentication-times: indicates authentication times of specified blacklist items. It is an integer
in a range of 1 to 5.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the authentication times of blacklist items is 3.
The authentication times of blacklist items set by the firewall blacklist authentication-count
command has a lower priority than that set by the lock authentication-count command in the
user interface view.
The processing mechanism for the original authentication times of SSH is similar to that of
Telnet.

Examples
# Set the authentication times of blacklist items corresponding to login failure to 5.
<Eudemon> system-view
[Eudemon] firewall blacklist authentication-count login-failed 5

2.7.5 firewall blacklist enable

Function
Using the firewall blacklist enable command, you can enable the blacklist.
Using the undo firewall blacklist enable command, you can disable the blacklist.

Format
firewall blacklist enable [ acl-number acl-number | auth-failed | ids | ip-sweep | login-failed | manual | port-scan ]

undo firewall blacklist enable [ acl-number | auth-failed | ids | ip-sweep | login-failed | manual | port-scan ]

Parameters
acl-number acl-number: specifies an advanced ACL number in a range of 3000 to 3999. The
blacklist does not block the flows that are permitted by ACL rules.

auth-failed: indicates the blacklist item of session authentication failures.

ids: indicates blacklist item of the IDS type.

ip-sweep: indicates the blacklist item of IP-based scanning attacks.

login-failed: indicates the blacklist item of login failures through Telnet or SSH.

manual: indicates manually added blacklist items.

port-scan: indicates the blacklist item of port-based scanning attacks.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the blacklist is disabled.

Using the firewall blacklist enable command with no parameter enables the blacklist
function of all types except the ACL.

When enabling the blacklist function, you can specify some ACL rules. The blacklist does not
block the traffic permitted by these ACL rules. The ACL here only supports time range and the
quintuplet. The quintuplet is protocol type, source IP address and mask, destination IP address
and mask, source port range and destination port range.

Examples
# Enable the blacklist. Configure the blacklist to allow access traffic to pass through if it is
permitted by the ACL 3000.
<Eudemon> system-view
[Eudemon] firewall blacklist enable acl-number 3000

# Enable the blacklist function corresponding to login failure.
[Eudemon] firewall blacklist enable login-failed

Related Topics
2.7.2 display firewall blacklist

2.7.6 firewall blacklist item

Function
Using the firewall blacklist item command, you can manually add a blacklist item.

Using the undo firewall blacklist item command, you can delete the blacklist items, including
the blacklist items with all reasons of the specified IP address.

Format
firewall blacklist item source-address [ timeout interval ]

undo firewall blacklist item [ source-address ]

Parameters
source-address: specifies the IP address to be added into the blacklist. It is in dotted decimal
notation.

timeout interval: specifies the aging time of blacklist item. interval ranges from 1 to 1000
minutes. If timeout interval is not specified in the command, it indicates that the items in this
blacklist need not be aged.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
When creating blacklist entries, note the following points:
• With the parameter timeout interval, the blacklist entry is removed automatically after the
aging time. As a result, packets from the IP address are no longer filtered.
• Without the parameter, a permanent entry is configured, that is, the entry does not age.

Examples
# Add 192.168.10.10 to the blacklist and set the aging time to 100 minutes.
<Eudemon> system-view
[Eudemon] firewall blacklist item 192.168.10.10 timeout 100
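
The Python model below is an added example, not Eudemon code, of two behaviours documented in 2.7.5 and 2.7.6: a blacklist item created with timeout interval stops filtering once it ages out, and flows permitted by the ACL given to firewall blacklist enable acl-number are not blocked. The rule contents, packet fields and all names are constructed for illustration, and time is counted in whole minutes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PermitRule:
    """One permit rule of the exemption ACL (part of the quintuplet)."""
    protocol: str
    source: str        # CIDR
    destination: str   # CIDR
    dst_ports: range

    def matches(self, pkt):
        return (pkt["protocol"] == self.protocol
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.destination)
                and pkt["dst_port"] in self.dst_ports)


class Blacklist:
    def __init__(self, exempt_acl=()):
        self.exempt_acl = list(exempt_acl)
        self.items = {}   # source IP -> expiry minute, or None if permanent

    def add_item(self, source, now, timeout=None):
        """Model of `firewall blacklist item source-address [ timeout interval ]`."""
        ipaddress.ip_address(source)             # rejects malformed addresses
        if timeout is not None and not 1 <= timeout <= 1000:
            raise ValueError("timeout interval must be 1..1000 minutes")
        self.items[source] = None if timeout is None else now + timeout

    def age(self, now):
        """Remove entries whose aging time has elapsed; return them."""
        expired = [ip for ip, expiry in self.items.items()
                   if expiry is not None and now >= expiry]
        for ip in expired:
            del self.items[ip]
        return expired

    def verdict(self, pkt, now):
        self.age(now)
        if pkt["src"] not in self.items:
            return "forward"
        if any(rule.matches(pkt) for rule in self.exempt_acl):
            return "forward (ACL exempt)"
        return "drop"


# Constructed stand-in for the rules of ACL 3000 from the 2.7.5 example.
SAMPLE_ACL = [PermitRule("tcp", "192.168.10.0/24", "10.0.0.5/32", range(25, 26))]
WEB = {"protocol": "tcp", "src": "192.168.10.10", "dst": "10.0.0.9", "dst_port": 80}
MAIL = {"protocol": "tcp", "src": "192.168.10.10", "dst": "10.0.0.5", "dst_port": 25}
OTHER = {"protocol": "tcp", "src": "192.168.1.1", "dst": "10.0.0.9", "dst_port": 80}


def build_sample():
    blacklist = Blacklist(exempt_acl=SAMPLE_ACL)
    blacklist.add_item("192.168.10.10", now=0, timeout=100)   # ages after 100 min
    blacklist.add_item("192.168.1.1", now=0)                  # permanent
    return blacklist


if __name__ == "__main__":
    bl = build_sample()
    for label, pkt, minute in (("web", WEB, 50), ("mail", MAIL, 50),
                               ("web", WEB, 100), ("other", OTHER, 5000)):
        print(f"minute {minute:4} {label:5} from {pkt['src']}: {bl.verdict(pkt, minute)}")
```

When reviewing a configuration, check both the exemption ACL and the timeout values: either one can let a blacklisted source through without any change to the blacklist itself.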

Related Topics
2.7.2 display firewall blacklist

2.8 MAC and IP Address binding Configuration Commands


2.8.1 debugging firewall mac-binding
2.8.2 display firewall mac-binding
2.8.3 firewall mac-binding

2.8.1 debugging firewall mac-binding

Function
Using the debugging firewall mac-binding command, you can enable the address binding
debugging on the Eudemon.
Using the undo debugging firewall mac-binding command, you can disable the address
binding debugging on the Eudemon.

Format
debugging firewall mac-binding { all | item | packet }
undo debugging firewall mac-binding { all | item | packet }

Parameters
all: displays all debugging.
item: displays the debugging for changes of address binding items.
packet: displays the debugging for address binding items in packets.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, all the debugging for address binding items on the Eudemon is disabled.

Examples
# Enable all the debugging for address binding items.
<Eudemon> debugging firewall mac-binding all

2.8.2 display firewall mac-binding

Function
Using the display firewall mac-binding command, you can view the running status and items of
address binding on the Eudemon.

Format
display firewall mac-binding { enable | item [ source-address ] }

Parameters
enable: displays the running of address binding.
item [ source-address ]: displays the items of address binding. source-address: specifies the IP
address of the item. If no IP address is specified, all the items of address binding are displayed.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# View specified address binding item in detail.
<Eudemon> display firewall mac-binding item 1.2.3.6
Firewall Mac-binding items :
Ip address Mac address Vlan id
1.2.3.6 13e2-d234-a222 0

# View the running status of address binding.
<Eudemon> display firewall mac-binding enable
Mac-binding is enabled

2.8.3 firewall mac-binding

Function
Using the firewall mac-binding enable command, you can enable address binding.
Using the undo firewall mac-binding enable command, you can disable address binding.
Using the firewall mac-binding source-address mac-address command, you can add an address
binding item.
Using the undo firewall mac-binding all command, you can delete all address binding entries.
Using the undo firewall mac-binding source-address command, you can delete a specific
address binding entry.

Format
firewall mac-binding { enable | source-address mac-address [ vid vlan-id ] }
undo firewall mac-binding { enable | all | source-address }

Parameters
source-address: specifies IP addresses of an address binding pair.
mac-address: specifies MAC addresses of an address binding pair.
vid vlan-id: indicates the VLAN ID of a specific subinterface. The value is an integer in a range
of 1 to 4094. When the Eudemon subinterface of the IP address is associated with a VLAN ID,
you must specify the vid parameter.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, address binding is disabled.

Examples
# Enable address binding.
<Eudemon> system-view
[Eudemon] firewall mac-binding enable

# Add an address binding item, whose IP address is 192.168.10.10 and MAC address is
00e0-0000-0001.
[Eudemon] firewall mac-binding 192.168.10.10 00e0-0000-0001
%Jun 16 20:40:44 2008 Eudemon SEC/5/BIND: Mac Address <00e0-0000-0001> is binded
to Ip Address <192.168.10.10>

2.9 Port Mapping Configuration Commands

2.9.1 display port-mapping
2.9.2 port-mapping

2.9.1 display port-mapping

Function
Using the display port-mapping command, you can view the running of the self-defined port
mapping.

Format
display port-mapping [ application-name | port port-number ]

Parameters
application-name: specifies the name of the application in the port mapping. The valid
application includes ftp, http, h323, smtp, rtsp and sqlnet.
port port-number: specifies the port number in port mapping in a range of 0 to 65535.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display all port mapping.
<Eudemon> display port-mapping
SERVICE PORT ACL TYPE
-------------------------------------------------
ftp 21 system defined
smtp 25 system defined
http 80 system defined
rtsp 554 system defined
h323 1720 system defined
sqlnet 1521 system defined
ftp 20 2001 user defined

Related Topics
2.9.2 port-mapping

2.9.2 port-mapping

Function
Using the port-mapping command, you can establish a mapping from a port to an application
layer protocol.
Using the undo port-mapping command, you can remove an item from the port-mapping.

Format
port-mapping application-name port port-number [ acl acl-number ]
undo port-mapping [ application-name port port-number [ acl acl-number ] ]

Parameters
application-name: specifies the name of the application. The valid application includes FTP,
HTTP, H323, SMTP, RTSP and SQLNET.
port-number: specifies the number of the port in a range of 0 to 65535.
acl-number: specifies the number of the basic ACL in a range of 2000 to 2999.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
PAM supports two mapping mechanisms: well-known port mapping, and port mapping for hosts
based on the basic ACL. Well-known port mapping establishes a mapping between a
user-defined port number and an application layer protocol. For instance, if port 8080 is
identified as HTTP, all TCP packets whose destination port number is 8080 are regarded as
HTTP packets. Port mapping for hosts based on the basic ACL establishes a mapping for
packets from some hosts. For example, TCP packets sent to the host at 1.1.0.0 via port 8080 are
identified as HTTP packets. The range of hosts is defined by the basic ACL. You cannot
configure both well-known port mapping and port mapping for hosts based on the basic
ACL on the same port.

Examples
# Establish a mapping relationship between port 3456 and FTP.
<Eudemon> system-view
[Eudemon] port-mapping ftp port 3456
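
The two mapping mechanisms and the one-mechanism-per-port rule from the Usage Guidelines can be modelled as a lookup table. The Python code below is an added example, not the Eudemon implementation: the system-defined ports are taken from the display port-mapping output in 2.9.1, while the ACL contents (ACL 2001 covering 1.1.0.0/16), the lookup order and all names are assumptions.

```python
import ipaddress

VALID_APPS = {"ftp", "http", "h323", "smtp", "rtsp", "sqlnet"}
# System-defined entries as listed by `display port-mapping`.
SYSTEM_DEFINED = {21: "ftp", 25: "smtp", 80: "http",
                  554: "rtsp", 1720: "h323", 1521: "sqlnet"}


class PortMappingTable:
    def __init__(self, acls):
        # acls: basic ACL number -> list of CIDR host ranges (constructed).
        self.acls = {number: [ipaddress.ip_network(cidr) for cidr in cidrs]
                     for number, cidrs in acls.items()}
        self.general = {}      # port -> application (well-known port mapping)
        self.host_based = {}   # port -> [(acl number, application), ...]

    def add(self, app, port, acl=None):
        """Model of `port-mapping application-name port port-number [ acl acl-number ]`."""
        app = app.lower()
        if app not in VALID_APPS:
            raise ValueError(f"unsupported application {app!r}")
        if not 0 <= port <= 65535:
            raise ValueError("port-number must be 0..65535")
        if acl is None:
            if port in self.host_based:
                raise ValueError(f"port {port} already has an ACL-based mapping")
            self.general[port] = app
            return
        if not 2000 <= acl <= 2999:
            raise ValueError("acl-number must be a basic ACL (2000..2999)")
        if acl not in self.acls:
            raise ValueError(f"ACL {acl} is not defined")
        if port in self.general:
            raise ValueError(f"port {port} already has a well-known mapping")
        self.host_based.setdefault(port, []).append((acl, app))

    def classify(self, dst_ip, dst_port):
        """Return the application a TCP packet is identified as, or None."""
        address = ipaddress.ip_address(dst_ip)
        for acl, app in self.host_based.get(dst_port, []):
            if any(address in network for network in self.acls[acl]):
                return app
        if dst_port in self.general:
            return self.general[dst_port]
        return SYSTEM_DEFINED.get(dst_port)


def try_add(table, app, port, acl=None):
    """Return None on success, or the rejection reason as a string."""
    try:
        table.add(app, port, acl)
    except ValueError as exc:
        return str(exc)
    return None


def build_sample():
    table = PortMappingTable({2001: ["1.1.0.0/16"]})
    table.add("http", 8080, acl=2001)   # host-based: only hosts in ACL 2001
    table.add("ftp", 3456)              # well-known: every host, as in the example
    return table


if __name__ == "__main__":
    pam = build_sample()
    for ip, port in (("1.1.2.3", 8080), ("9.9.9.9", 8080),
                     ("9.9.9.9", 3456), ("9.9.9.9", 80)):
        print(f"{ip}:{port} -> {pam.classify(ip, port)}")
    print("conflict:", try_add(pam, "http", 8080))
```

Traffic to port 8080 on a host outside the ACL range is not identified as HTTP, so a host-based mapping needs an ACL that covers every server using the non-standard port.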

Related Topics
2.9.1 display port-mapping

2.10 NAT Configuration Commands


2.10.1 debugging nat
2.10.2 destination-nat
2.10.3 display nat
2.10.4 firewall permit local ip
2.10.5 nat
2.10.6 nat address-group
2.10.7 nat alg enable
2.10.8 nat arp-gratuitous send

2.10.9 nat inbound
2.10.10 nat outbound
2.10.11 nat server
2.10.12 nat server zone

2.10.1 debugging nat

Function
Using the debugging nat command, you can enable NAT debugging.

Using the undo debugging nat command, you can disable NAT debugging.

Format
debugging nat { alg | event | packet } [ esp | dns | ftp | h323 | hwcc | icmp | ils | mgcp |
mms | msn | netbios | pptp | qq | rtsp | sip | sqlnet | tcp | udp | user-define ]

undo debugging nat { alg | event | packet } [ esp | dns | ftp | h323 | hwcc | icmp | ils | mgcp |
mms | msn | netbios | pptp | qq | rtsp | sip | sqlnet | tcp | udp | user-define ]

Parameters
alg: enables debugging on application protocol address translation.

event: enables the debugging on address translation events.

packet: enables the debugging on address translation packets.

esp, dns, ftp, h323, hwcc, icmp, ils, mgcp, msn, netbios, pptp, qq, rtsp, sip, tcp, and udp: enable
the NAT debugging of the corresponding protocol.

user-define: enables the triplet NAT debugging.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, the NAT debugging is disabled.

Examples
# Enable all NAT ALG debugging.
<Eudemon> debugging nat alg

# Enable the debugging on address translation events of the Microsoft Media Server (MMS)
protocol.
<Eudemon> debugging nat event mms

2.10.2 destination-nat

Function
Using the destination-nat command, you can configure the destination NAT function.
Using the undo destination-nat command, you can delete the destination NAT function.

Format
destination-nat acl-number address ip-address [ port port-number ]
undo destination-nat acl-number address ip-address [ port port-number ]
undo destination-nat all

Parameters
acl-number: specifies the ACL group number, in the range of 3000 to 3999.
ip-address: specifies the real IP address of the WAP gateway in the form of dotted decimal
notation. The IP address can only be class A, class B or class C.
port-number: specifies the destination port number, in the range of 1 to 50000.

Views
Security zone view

Default Level
2: Configuration level

Usage Guidelines
In the same security zone, one ACL can be bound to only one WAP gateway IP address.
If you have configured the port-based NAT function, the device can translate TCP and UDP
packets only.
Because all packets that match an ACL are translated, you must configure strict ACLs so that
only the packets you intend to translate are translated and other packets are not affected.

Examples
# Translate the destination IP address of the packets from IP address 10.0.0.1 to 202.1.1.2.
<Eudemon> system-view
[Eudemon] acl 3333
[Eudemon-acl-adv-3333] rule permit ip source 10.0.0.1 0
[Eudemon-acl-adv-3333] quit
[Eudemon] firewall zone trust
[Eudemon-zone-trust] destination-nat 3333 address 202.1.1.2

Related Topics
2.2.4 display zone

2.10.3 display nat

Function
Using the display nat command, you can view the configuration of address translation and verify
the configuration according to the output information.

Format
display nat { address-group | alg | all | interzone | server | zone }

Parameters
address-group: displays address groups.
alg: displays information of address translation of application layer protocols.
all: displays all information of address translation.
interzone: displays information of address translation between zones.
server: displays information of the internal server.
zone: displays information of address translation within a zone.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# View all information of address translation.
<Eudemon> display nat all
NAT address-group information:
NUM START-ADDRESS END-ADDRESS REFERENCE
0 200.1.1.100 200.1.1.110 1
Total 1 address-groups
NAT information on interzone:
Total 0 items
NAT infomation on zone:
zone-trust:
acl(3000) - addr-group( 0) - type( pat )
Total 1 items on the zone


Server in private network information:
Zone GlobalAddr lobalPort InsideAddr InsidePort Protocol VrrpId
---- 200.1.1.200 ---- 10.1.1.2 ---- ---- 0
Total 1 NAT servers
NAT application level gateway information:
h323 NAT application level gateway is disabled
dns NAT application level gateway is enabled
netbios NAT application level gateway is enabled
ils NAT application level gateway is disabled
ftp NAT application level gateway is enabled
icmp NAT application level gateway is enabled
sip NAT application level gateway is disabled
pptp NAT application level gateway is disabled
hwcc NAT application level gateway is disabled
qq NAT application level gateway is disabled
msn NAT application level gateway is disabled
user-define NAT application level gateway is disabled
mgcp NAT application level gateway is disabled
mms NAT application level gateway is disabled
sqlnet NAT application level gateway is disabled
rtsp NAT application level gateway is disabled
esp NAT application level gateway is disabled
11:00:40 03-20-2008

Table 2-7 Description of the display nat command output

Item                                       Description
NAT address-group information              Indicates address pool information.
NAT information on interzone               Indicates information of interzone address translation.
NAT infomation on zone                     Indicates information of address translation within a zone.
Server in private network information      Indicates internal server information.
NAT application level gateway information  Indicates information of address translation of application layer protocols.

2.10.4 firewall permit local ip

Function
Using the firewall permit local ip command, you can permit the access to the internal server
from private IP addresses.

Using the undo firewall permit local ip command, you can deny the access to the internal server
from private IP addresses.

Format
firewall permit local ip

undo firewall permit local ip

Parameters
None

Views
Interzone view

Default Level
2: Configuration level

Usage Guidelines
By default, access from private IP addresses to the internal server is permitted.

Examples
# Configure the internal server.
<Eudemon> system-view
[Eudemon] nat server global 2.2.2.2 inside 172.16.1.1

# Permit access from private IP addresses to the internal server between the trust zone and
the DMZ zone.
[Eudemon] firewall interzone trust dmz
[Eudemon-interzone-trust-dmz] firewall permit local ip

After the configuration, PCs in the trust zone can access the internal server in DMZ through
private IP address 172.16.1.1.

2.10.5 nat

Function
Using the nat command, you can set the intra-zone NAT.

Using the undo nat command, you can delete configured intra-zone NAT.

Format
nat acl-number address-group group-number [ no-pat ]

undo nat acl-number address-group group-number [ no-pat ]

Parameters
acl-number: specifies the index value of the access control list. The value ranges from 2000 to
3999.

group-number: specifies the number of the defined address pool. The value ranges from 0 to
127.

no-pat: indicates that one-to-one address conversion is used; that is, only the address of the
data packet is converted, without using the port information. By default, the NAT-PT function is
enabled.

Views
Security zone view

Default Level
2: Configuration level

Usage Guidelines
Convert the source IP address of the packets matching the ACL to an IP address in the address
pool by associating the ACL with the address pool.

Examples
# Perform source IP address conversion on the packets sourced from 10.0.0.1.
<Eudemon> system-view
[Eudemon] acl 3333
[Eudemon-acl-adv-3333] rule permit ip source 10.0.0.1 0
[Eudemon-acl-adv-3333] quit
[Eudemon] firewall zone trust
[Eudemon-zone-trust] nat 3333 address-group 1

Related Topics
2.10.3 display nat

2.10.6 nat address-group

Function
Using the nat address-group command, you can configure an address group.
Using the undo nat address-group command, you can delete the address group.

Format
nat address-group group-number start-address end-address [ vrrp virtual-router-id ]
undo nat address-group group-number [ vrrp ]

Parameters
group-number: specifies the number of the address group in a range of 0 to 127.
start-address: refers to the start address in the address group.
end-address: refers to the end address in the address group.
vrrp virtual-router-id: specifies a VRRP backup group number in a range of 1 to 255.

Views
System view

Default Level
2: Configuration level

Usage Guidelines

CAUTION
- The maximum length of an address group, that is, the number of addresses in the address
  group, is 256.
- When an address group is performing address translation based on an ACL, it cannot be
  deleted.
- The broadcast address cannot be configured in the address pool.

An address group is a set of external IP addresses. If start-address is identical with
end-address, there is only one address in the address group.
When you execute the nat address-group command with the VRRP group number to configure
the address pool, the virtual MAC address of the VRRP group is used. Without the VRRP group
number, the actual MAC address of the interface is used.
The undo nat address-group command supports the parameter vrrp. Executing the command
with the VRRP group number, you can remove the VRRP attributes of the group without
changing other configuration of the address pool. The actual MAC address is used for the
subsequent NAT.

Examples
# Configure address group 1 with IP addresses from 202.110.10.10 to 202.110.10.15.
<Eudemon> system-view
[Eudemon] nat address-group 1 202.110.10.10 202.110.10.15

2.10.7 nat alg enable

Function
Using the nat alg enable command, you can enable a protocol supported by NAT.
Using the undo nat alg enable command, you can disable a protocol for NAT.

Format
nat alg enable { dns | esp | ftp | h323 | hwcc | icmp | ils | mgcp | mms | msn | netbios | pptp |
qq | rtsp | sip | sqlnet | user-define }
undo nat alg enable { dns | esp | ftp | h323 | hwcc | icmp | ils | mgcp | mms | msn | netbios |
pptp | qq | rtsp | sip | sqlnet | user-define }

Parameters
dns, ftp, h323, hwcc, icmp, ils, msn, netbios, pptp, qq, rtsp, and sip each indicate the
application protocol to which NAT ALG is applied.

user-define: enables the triplet NAT function.

Views
System view

Default Level
2: Configuration level

Usage Guidelines

CAUTION
The nat alg enable user-define command takes effect only after the detect user-define command
is executed between domains.

By default, the DNS, FTP, ICMP and NETBIOS protocols are enabled for NAT ALG.

Examples
# Enable NAT ALG of the MGCP protocol.
<Eudemon> system-view
[Eudemon] nat alg enable mgcp

Related Topics
2.10.3 display nat
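
A check of the running ALG state against the defaults stated in the Usage Guidelines above, as an added example that is not part of the Huawei reference. It parses the ALG lines in the format shown under 2.10.3 display nat and returns the nat alg enable / undo nat alg enable commands needed to return to a baseline; treating the documented defaults as the baseline is an assumption you can replace.

```python
import re

# Protocol keywords accepted by "nat alg enable" in the Format section above.
KNOWN = {"dns", "esp", "ftp", "h323", "hwcc", "icmp", "ils", "mgcp", "mms", "msn",
         "netbios", "pptp", "qq", "rtsp", "sip", "sqlnet", "user-define"}
# ALGs enabled by default according to the Usage Guidelines above.
DEFAULT_ENABLED = frozenset({"dns", "ftp", "icmp", "netbios"})

ALG_LINE = re.compile(r"^\s*(\S+) NAT application level gateway is (enabled|disabled)\s*$")


def parse_alg_state(display_output):
    """Map protocol -> True/False from the ALG lines of display nat output."""
    state = {}
    for line in display_output.splitlines():
        match = ALG_LINE.match(line)
        if match:
            proto, status = match.groups()
            if proto not in KNOWN:
                raise ValueError(f"unexpected ALG name in output: {proto}")
            state[proto] = status == "enabled"
    return state


def baseline_commands(display_output, baseline=DEFAULT_ENABLED):
    """Return system-view commands that bring the ALG state back to the baseline."""
    state = parse_alg_state(display_output)
    missing = sorted(set(baseline) - state.keys())
    if missing:
        # Refuse to report "no drift" when the output is truncated.
        raise ValueError(f"output does not report: {', '.join(missing)}")
    commands = []
    for proto in sorted(state):
        if state[proto] and proto not in baseline:
            commands.append(f"undo nat alg enable {proto}")
        elif not state[proto] and proto in baseline:
            commands.append(f"nat alg enable {proto}")
    return commands


# Constructed sample in the line format of the display output shown in 2.10.3.
SAMPLE_OUTPUT = """\
NAT application level gateway information:
h323 NAT application level gateway is disabled
dns NAT application level gateway is enabled
netbios NAT application level gateway is enabled
ftp NAT application level gateway is disabled
icmp NAT application level gateway is enabled
sip NAT application level gateway is enabled
mgcp NAT application level gateway is enabled
"""

if __name__ == "__main__":
    for command in baseline_commands(SAMPLE_OUTPUT):
        print(command)
```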

2.10.8 nat arp-gratuitous send

Function
Using the nat arp-gratuitous send command, you can enable NAT at an interface to send
gratuitous ARP packets.

Format
nat arp-gratuitous send

Parameters
None

Views
Ethernet interface view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Enable the sending of gratuitous ARP packets at the interface Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] nat arp-gratuitous send

2.10.9 nat inbound

Function
Using the nat inbound command, you can configure the NAT in inbound direction.
Using the undo nat inbound command, you can delete the configured NAT in inbound direction.

Format
nat inbound acl-number address-group group-number [ no-pat ]
nat inbound acl-number interface interface-type interface-number
undo nat inbound acl-number address-group group-number [ no-pat ]
undo nat inbound acl-number interface interface-type interface-number

Parameters
acl-number: ACL number. It is an integer in the range 2000 to 3999.
address-group group-number: Address group number. It is an integer in the range 0 to 127.
no-pat: Uses one-to-one address translation, translating data packet address without using port
information. If the no-pat parameter is not used, multiple internal addresses can be mapped to
the same address, that is, Network Address Port Translation (NAPT) is enabled. By default,
NAPT is enabled.
interface interface-type interface-number: Uses the IP address of the interface as address after
translation.

Views
Interzone view

Default Level
2: Configuration level

Usage Guidelines
By associating an ACL with an address group, you can translate the source address in the packet
that matches the ACL rule into some address in the address group or the address of the interface
directly.
Using this command, you can also implement easy-ip by associating an ACL with an interface.

Examples
# Permit hosts on 200.10.10.0/24 to perform address translation via an address group ranging
from 10.1.1.1 to 10.1.1.10.
# Configure an ACL.
<Eudemon> system-view
[Eudemon] acl 3333
[Eudemon-acl-adv-3333] rule permit ip source 200.10.10.0 0.0.0.255
[Eudemon-acl-adv-3333] quit

# Configure an address group.
[Eudemon] nat address-group 1 10.1.1.1 10.1.1.10

# Use the addresses in address group 1 for address translation, allowing many-to-one translation.
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] nat inbound 3333 address-group 1

# Use the addresses in address group 1 for address translation, not allowing many-to-one
translation.
[Eudemon-interzone-trust-untrust] nat inbound 3333 address-group 1 no-pat

# Use the IP address of Ethernet 0/0/0 directly for address translation.
[Eudemon-interzone-trust-untrust] nat inbound 3333 interface Ethernet 0/0/0

Related Topics
2.10.3 display nat

2.10.10 nat outbound

Function
Using the nat outbound command, you can configure the NAT in outbound direction.
Using the undo nat outbound command, you can remove the address translation.

Format
nat outbound acl-number address-group group-number [ no-pat ]
nat outbound acl-number interface interface-type interface-number
undo nat outbound acl-number address-group group-number [ no-pat ]
undo nat outbound acl-number interface interface-type interface-number

Parameters
acl-number: specifies the index number of the ACL in a range of 2000 to 3999.
address-group group-number: specifies the number of an existing address group in a range of
0 to 127.
no-pat: applies one-to-one address translation, translating the IP address only without
using the port number. If the no-pat parameter is not used, multiple internal addresses can be
mapped to the same public address, that is, Network Address Port Translation (NAPT) is enabled.
By default, NAPT is enabled.
interface interface-type interface-number: specifies the IP address of the interface as the address
after translation, that is, easy-ip.

Views
Interzone view

Default Level
2: Configuration level

Usage Guidelines
By associating an ACL with an address group, you can translate the source address in the packet
that matches the ACL rule into some address in the address group or the address of the interface
directly.
Using the nat outbound command, you can also implement easy-ip by associating an ACL with
an interface. With it, you can apply the IP address of the interface as the translated address and
perform address translation based on the ACL.

Examples
# Permit hosts at 10.110.10.0/24 to perform address translation via an address group ranging
from 202.110.10.10 to 202.110.10.12.
# Configure the ACL.
<Eudemon> system-view
[Eudemon] acl number 2001
[Eudemon-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Eudemon-acl-basic-2001] quit

# Configure the address group.
[Eudemon] nat address-group 1 202.110.10.10 202.110.10.12

# Use the addresses in address group 1 for address translation, allowing many-to-one translation.
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] nat outbound 2001 address-group 1

# Apply one-to-one address translation.
[Eudemon-interzone-trust-untrust] nat outbound 2001 address-group 1 no-pat

# Apply the IP address of Ethernet 0/0/0 directly for address translation.
[Eudemon-interzone-trust-untrust] nat outbound 2001 interface Ethernet 0/0/0

Related Topics
2.10.3 display nat

2.10.11 nat server

Function
Using the nat server command, you can define a map for an internal server so that a subscriber
can access the internal server whose address and port are host-address and host-port via the
address and port defined by global-address and global-port.
Using the undo nat server command, you can remove the map.

Format
nat server global global-address inside host-address [ vrrp virtual-router-id ]
nat server protocol protocol-type global global-address [ global-port1 [ global-port2 ] ]
inside host-address1 [ host-address2 ] [ host-port ] [ vrrp virtual-router-id ]
undo nat server global global-address inside host-address
undo nat server protocol protocol-type global global-address [ global-port1 [ global-port2 ] ]
inside host-address1 [ host-address2 ] [ host-port ]

Parameters
global-address: refers to the IP address (a valid IP address) for the access of external hosts.
host-address: refers to the internal IP address of the server.
protocol-type: refers to the type of the protocol over IP. The number of the protocol ranges from
1 to 255. It can also be replaced by a keyword.
global-port1 [ global-port2 ]: specifies a port range which corresponds to the address range
on the internal host. Note that global-port2 must be greater than global-port1. The range of
global-port1 and global-port2 is 1 to 65535.
host-address1 [ host-address2 ]: specifies a group of consecutive address ranges corresponding
to the former port range. Note that host-address2 must be greater than host-address1 and the
number of address ranges must be consistent with the number of ports defined by global-port1
and global-port2.
host-port: refers to the number of the service port provided by the server in a range of 1 to 65535.
The common port numbers can be replaced by keywords. For instance, port 80 for WWW service
can be replaced by www; port 21 for FTP service can be replaced by ftp. If the number is 0, it
means the server provides all services and can be replaced by any, which is equal to a static
connection between global-address and host-address. It is similar when the parameter is not
configured in the command. Note that global-port must be consistent with host-port when it is
any. Otherwise, the configuration will not take effect.

vrrp virtual-router-id: specifies a VRRP backup group number in a range of 1 to 255.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
In the case of configuring a NAT server for a port range (that is, specifying a port range
corresponding to the address range on the internal host by configuring global-port1 and
global-port2 in the command), the number of ports refers to the number of internal servers.

When you execute the nat server command with the VRRP group number to configure address
pool or internal server mapping, the virtual MAC address of the VRRP group is used. Without
the VRRP group number, the actual MAC address of the interface is used.

The undo nat server command does not support the parameter vrrp. Therefore, you must delete
the internal server mapping using the undo command, and then use the nat server command
with the VRRP group number to configure the wanted VRRP groups.

Examples
# Specify the hosts at 10.110.10.10 and 10.110.10.11 respectively to be the WWW server and
FTP server for the LAN and allow the external hosts to access them respectively from
http://202.110.10.10:8080 and ftp://202.110.10.10 is connected to ISP.
<Eudemon> system-view
[Eudemon] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www
[Eudemon] nat server protocol tcp global 202.110.10.10 inside 10.110.10.11 ftp

# Cancel the WWW server.
[Eudemon] undo nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www

# Cancel the FTP server.
[Eudemon] undo nat server protocol tcp global 202.110.10.10 inside 10.110.10.11 ftp

# Permit access through the external address 202.110.10.10 to the Telnet servers from
10.110.10.1 to 10.110.10.100 via port 1001 to port 1100: 202.110.10.10:1001 accesses
10.110.10.1 and 202.110.10.10:1002 accesses 10.110.10.2.
[Eudemon] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet

Related Topics
2.10.3 display nat
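
The mapping rules of nat server worked through in Python, as an added example that is not part of the Huawei reference: it expands a nat server line into its individual global-to-inside mappings, enforces the range constraints from the Parameters text, and lists mappings that publish every service of an inside host. Assumptions: the keyword table holds only the port keywords used on this page, and an omitted global port is taken to equal host-port, as the ftp example implies.

```python
import ipaddress

# Port keywords that appear on this page; 0 stands for "any".
# Assumption: the device accepts further keywords not listed here.
PORT_KEYWORDS = {"any": 0, "www": 80, "ftp": 21, "telnet": 23}


def _tokens(line):
    """Split a command line and drop a leading prompt such as [Eudemon]."""
    tok = line.split()
    return tok[1:] if tok and tok[0].startswith("[") else tok


def _port(token):
    port = PORT_KEYWORDS.get(token)
    if port is None:
        port = int(token)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {token}")
    return port


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def expand_nat_server(line):
    """Return (protocol, global_addr, global_port, inside_addr, inside_port) tuples.

    Port 0 means "any": every service of the inside host is published."""
    tok = _tokens(line)
    if tok[:2] != ["nat", "server"] or "inside" not in tok:
        raise ValueError("not a nat server command")
    tok = tok[2:]
    protocol = "any"  # form without "protocol" maps the whole address
    if tok[0] == "protocol":
        protocol, tok = tok[1], tok[2:]
    if not tok or tok[0] != "global":
        raise ValueError("expected 'global'")
    split = tok.index("inside")
    global_part, inside_part = tok[1:split], tok[split + 1:]
    if "vrrp" in inside_part:  # VRRP binding does not change the mapping
        inside_part = inside_part[:inside_part.index("vrrp")]
    if not global_part:
        raise ValueError("missing global-address")

    global_addr = str(ipaddress.IPv4Address(global_part[0]))
    global_ports = [_port(t) for t in global_part[1:]]
    hosts = [ipaddress.IPv4Address(t) for t in inside_part if _is_ipv4(t)]
    port_tokens = [t for t in inside_part if not _is_ipv4(t)]
    host_port = _port(port_tokens[0]) if port_tokens else 0
    if host_port == 0 and any(p != 0 for p in global_ports):
        raise ValueError("global-port must also be any when host-port is any")

    if len(global_ports) == 2:  # port range mapped onto an address range
        first, last = global_ports
        if len(hosts) != 2 or last <= first or hosts[1] <= hosts[0]:
            raise ValueError("range form needs ascending ports and addresses")
        if last - first != int(hosts[1]) - int(hosts[0]):
            raise ValueError("number of ports must equal number of inside addresses")
        return [(protocol, global_addr, first + k, str(hosts[0] + k), host_port)
                for k in range(last - first + 1)]

    if len(hosts) != 1 or len(global_ports) > 1:
        raise ValueError("single mapping takes one inside address and one port")
    # Assumption: an omitted global port equals host-port (see the ftp example).
    global_port = global_ports[0] if global_ports else host_port
    return [(protocol, global_addr, global_port, str(hosts[0]), host_port)]


def all_service_exposures(config_lines):
    """List mappings that publish every service of an inside host."""
    exposed = []
    for line in config_lines:
        if _tokens(line)[:2] == ["nat", "server"]:
            exposed += [m for m in expand_nat_server(line) if m[4] == 0]
    return exposed


# Constructed sample built from the commands shown on this page.
SAMPLE_CONFIG = [
    "[Eudemon] nat server global 2.2.2.2 inside 172.16.1.1",
    "[Eudemon] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www",
    "[Eudemon] nat server protocol tcp global 202.110.10.10 inside 10.110.10.11 ftp",
    "[Eudemon] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet",
]

if __name__ == "__main__":
    for mapping in expand_nat_server(SAMPLE_CONFIG[3])[:2]:
        print(mapping)
    print("publishes all services:", all_service_exposures(SAMPLE_CONFIG))
```

Mappings returned by all_service_exposures are the ones to review first, because a mapping without a port publishes the whole inside host on the global address.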

2.10.12 nat server zone

Function
Using the nat server zone command, you can set multiple public IP addresses for one internal
server. These public IP addresses correspond with different security zones. You can access the
internal server specified by host-address and host-port respectively through the IP address and
port defined with global-address and global-port.

Using the undo nat server zone command, you can remove the preceding configuration.

Format
nat server zone zone-name global global-address inside host-address [ vrrp virtual-router-id ]

nat server zone zone-name protocol protocol-type global global-address [ global-port1 [ global-port2 ] ]
inside host-address1 [ host-address2 ] [ host-port ] [ vrrp virtual-router-id ]

undo nat server zone zone-name global global-address inside host-address

undo nat server zone zone-name protocol protocol-type global global-address [ global-port1 [ global-port2 ] ]
inside host-address1 [ host-address2 ] [ host-port ]

Parameters
zone-name: specifies a name for the security zone.

global-address: specifies an address provided for external access (a valid IP address).

host-address: specifies an IP address for the internal server.

protocol-type: specifies the type of protocols over IP. It can be replaced by keywords. The
protocol number ranges from 1 to 255.

global-port1 [ global-port2 ]: specifies a port range, which corresponds with the address range of
internal hosts. global-port2 should be greater than global-port1. The range of global-port1 and
global-port2 is 1 to 65535.

host-address1 [ host-address2 ]: specifies an address range, which corresponds with the port range.
host-address2 should be greater than host-address1. The number of the addresses specified in
the address range should be identical with the number of ports specified by global-port1 and
global-port2.

host-port: specifies a service port number. It ranges from 1 to 65535. The common port numbers
can be replaced by keywords. For example, both number 80 and keyword www can be used to
indicate a WWW server; number 21 and keyword ftp can be used to indicate an FTP service.
If the port number is 0, all types of services can be provided. Keyword any can replace 0 in this
situation. If the parameter is not specified, all types of services can be provided just as if keyword
any is configured. That is similar to the situation where a static connection exists between nodes
specified by global-address and host-address. When host-port is set as any, the global-port
should also be any; otherwise, the configuration is invalid.

vrrp virtual-router-id: specifies a VRRP backup group number. It ranges from 1 to 255.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
If global-port1 and global-port2 are configured along with the nat server zone command, that
is, a port range is specified, the number of ports is determined, and the number of internal servers
is determined as well.

When you run the nat server zone command to configure an address pool or internal server
mapping:

- In the scenario where parameter vrrp is configured, the Eudemon returns the virtual MAC
  address of the VRRP group.
- In the scenario where parameter vrrp is not configured, the Eudemon returns the actual
  MAC address of the corresponding interface.

The undo nat server zone command does not support parameter vrrp. You need to run the
undo nat server zone command to delete the internal server mapping before using the nat server
zone command with parameter vrrp to configure a VRRP backup group number.

Examples
# Set the IP address of the WWW server in the LAN to 10.110.10.10 and the IP address of the FTP
server to 10.110.10.11. Permit external network 1 in zone_a to access WWW services
at http://202.110.10.10:8080 and external network 2 in zone_b to access WWW services at
http://196.110.10.10:8080.
<Eudemon> system-view
[Eudemon] nat server zone zone_a protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www
[Eudemon] nat server zone zone_b protocol tcp global 196.110.10.10 8080 inside 10.110.10.10 www

Related Topics
2.10.3 display nat

2.11 IDS Cooperation Configuration Commands

2.11.1 debugging firewall ids
2.11.2 display firewall ids
2.11.3 firewall ids authentication type
2.11.4 firewall ids enable
2.11.5 firewall ids port
2.11.6 firewall ids server

2.11.1 debugging firewall ids

Function
Using the debugging firewall ids command, you can enable external IDS debugging.

Using the undo debugging firewall ids command, you can disable the debugging.

Format
debugging firewall ids

undo debugging firewall ids

Parameters
None

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Enable external IDS debugging.
<Eudemon> debugging firewall ids

2.11.2 display firewall ids

Function
Using the display firewall ids command, you can view the associated external IDS settings of
the Eudemon.

Format
display firewall ids

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The associated settings of IDS on the Eudemon are as follows:
- Enabling or disabling
- IP address
- Port number of IDS server
- Encrypting

Examples
# Display the associated settings of external IDS on the Eudemon.
<Eudemon> display firewall ids
Firewall IDS information:
firewall IDS: enable
debug flag: off
server port: 40000
authentication type: vip
authentication string:
client address 0: 169.254.1.10

2.11.3 firewall ids authentication type

Function
Using the firewall ids authentication type command, you can configure packet authentication
for an external IDS server.
Using the undo firewall ids authentication type command, you can restore the default value.

Format
firewall ids authentication type { md5 [ key key-string1 ] | none | vip [ key key-string1 ] }
undo firewall ids authentication

Parameters
md5: applies MD5 packet authentication.
none: does not carry out authentication on packets.
vip: applies VIP packet authentication.
key key-string: specifies the unencrypted key, represented by character string with 1 to 16
characters.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, no authentication is configured between the Eudemon and the external IDS server,
that is, the Eudemon does not carry out packet authentication with the external IDS server.
VIP is the IDS monitoring system developed by Venustech. You are not required to configure
an authentication key when applying VIP to authenticate packets.

Examples
# Apply VIP packet authentication between the Eudemon and the third-party IDS server.
<Eudemon> system-view
[Eudemon] firewall ids authentication type vip

Related Topics
About This Document
2.11.6 firewall ids server

2.11.4 firewall ids enable

Function
Using the firewall ids enable command, you can enable external IDS.
Using the undo firewall ids enable command, you can disable external IDS.

Format
firewall ids enable
undo firewall ids enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, external IDS is disabled.

The Eudemon connects with a third-party IDS server, which performs intrusion detection
analysis for the Eudemon, and filters packets according to the analysis result.

NOTE

You should configure the IP address and packet authentication for the IDS server before enabling external
IDS.

Examples
# Enable the external third-party IDS of the Eudemon.
<Eudemon> system-view
[Eudemon] firewall ids enable
Succeed to start ids server.

Related Topics
2.11.6 firewall ids server
2.11.3 firewall ids authentication type

2.11.5 firewall ids port


Function
Using the firewall ids port command, you can specify the port on which the Eudemon
communicates with the external IDS server.
Using the undo firewall ids port command, you can restore the port number to the default value.

Format
firewall ids port port-number
undo firewall ids port

Parameters
port port-number: specifies the number of the port in a range of 1025 to 50000. The default
value is 40000.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the Eudemon communicates with the external IDS server via port 40000.

Examples
# Configure the third-party IDS server at 202.169.100.1 and set the port number to 40000.
<Eudemon> system-view
[Eudemon] firewall ids server 202.169.100.1
[Eudemon] firewall ids port 40000

Related Topics
2.11.4 firewall ids enable
2.11.3 firewall ids authentication type

2.11.6 firewall ids server

Function
Using the firewall ids server command, you can configure the IP address for the external IDS
server.

Using the undo firewall ids server command, you can remove the IP address of the IDS server.

Format
firewall ids server ip-address

undo firewall ids server [ ip-address ]

Parameters
ip-address: refers to the IP address of the external IDS server, in the format of dotted decimal.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, no IP address is assigned for the external IDS server.

Examples
# Configure the third-party IDS server at 202.169.100.1.
<Eudemon> system-view
[Eudemon] firewall ids server 202.169.100.1

Related Topics
2.11.4 firewall ids enable
2.11.3 firewall ids authentication type

2.12 AAA Configuration Commands

2.12.1 { cmd | outbound | system } recording-scheme
2.12.2 aaa
2.12.3 accounting interim-fail
2.12.4 accounting realtime
2.12.5 accounting start-fail
2.12.6 accounting-mode
2.12.7 accounting-scheme (AAA View)
2.12.8 authentication-mode (Authentication Scheme View)
2.12.9 authentication-scheme (AAA View)
2.12.10 authorization-mode
2.12.11 authorization-scheme (AAA View)
2.12.12 display aaa configuration
2.12.13 display accounting-scheme
2.12.14 display authentication-scheme
2.12.15 display authorization-scheme
2.12.16 display ip pool
2.12.17 display recording-scheme
2.12.18 display user-car
2.12.19 ip address ppp-negotiate
2.12.20 ip pool
2.12.21 recording-mode
2.12.22 recording-scheme
2.12.23 user-car (AAA View)

2.12.1 { cmd | outbound | system } recording-scheme

Function
Using the { cmd | outbound | system } recording-scheme command, you can configure a policy
for recording the system-level events, operations of the Eudemon that functions as the client or
commands executed on the Eudemon.
Using the undo { cmd | outbound | system } recording-scheme command, you can delete a
recording policy. In other words, the corresponding events are not recorded.

Format
{ cmd | outbound | system } recording-scheme scheme-name
undo { cmd | outbound | system } recording-scheme

Parameters
cmd: records the commands currently executed on the Eudemon.
outbound: records the connection information. At present, it can record Telnet users.
system: records the system-level events that are unrelated to users, including the events caused
by the reboot, hsc reset system, and hsc reset viu commands.
scheme-name: specifies the name of a recording scheme, a case-insensitive string of 1 to 32
characters that follows the Windows naming convention, that is, excludes characters such
as \, /, :, *, ?, ", < and >.

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
By default, the system-level events are not recorded.

Examples
# Configure a policy test to record the system-level events.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] system recording-scheme test

# Delete the policy for recording the system-level events.


[Eudemon-aaa] undo system recording-scheme

2.12.2 aaa

Function
Using the aaa command, you can enter AAA view and enable AAA.

Format
aaa

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Enter AAA view.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa]

2.12.3 accounting interim-fail

Function
Using the accounting interim-fail command, you can configure the real-time accounting fail
policy.
Using the undo accounting interim-fail command, you can restore the default configuration.

Format
accounting interim-fail [ max-times times ] { online | offline }
undo accounting interim-fail

Parameters
max-times: indicates the maximum number of real-time accounting failures. When the
accounting failures exceed the maximum, the real-time accounting failure policy is applied to
users.
times: specifies the number of accounting failures in the range of 1 to 10. The default is 3.
online: If the remote real-time accounting fails, no special action is required. Accounting
succeeds.
offline: If the remote real-time accounting fails, online service cannot be provided to users.

Views
Accounting scheme view

Default Level
2: Configuration level

Usage Guidelines
By default, if the remote real-time accounting fails, users cannot go online. That is, the offline
mode is adopted.

Examples
# For accounting scheme 1, users go offline when the accounting failures exceed 5.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] accounting-scheme scheme1
[Eudemon-aaa-accounting-scheme1] accounting interim-fail max-times 5 offline

Related Topics
2.12.13 display accounting-scheme

2.12.4 accounting realtime

Function
Using the accounting realtime command, you can enable real-time accounting for the current
accounting scheme and set the real-time accounting interval.
Using the undo accounting realtime command, you can disable the real-time accounting
function.

Format
accounting realtime interval
undo accounting realtime

Parameters
interval: specifies the interval of real-time accounting, in minutes. It ranges from 3 to 60.

Views
Accounting scheme view

Default Level
2: Configuration level

Usage Guidelines
By default, the accounting interval is five minutes.

Examples
# Enable the real-time accounting on scheme1 and set the accounting interval to five minutes.
<Eudemon> system-view
[Eudemon] aaa

[Eudemon-aaa] accounting-scheme scheme1
[Eudemon-aaa-accounting-scheme1] accounting realtime 5

# Restore the default configuration, that is, disable the real-time accounting function.
[Eudemon-aaa-accounting-scheme1] undo accounting realtime

Related Topics
2.12.13 display accounting-scheme

2.12.5 accounting start-fail

Function
Using the accounting start-fail command, you can configure the policy that is applied when
enabling real-time accounting fails.

Format
accounting start-fail { online | offline }

Parameters
online: If the remote real-time accounting fails, no special action is required. Accounting
succeeds.

offline: If the remote real-time accounting fails, online service cannot be provided to users.

Views
Accounting scheme view

Default Level
2: Configuration level

Usage Guidelines
By default, if the remote enabling accounting fails, users cannot go online. That is, the offline
mode is adopted.

Examples
# For the accounting scheme1, no action is required if the remote enabling accounting fails.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] accounting-scheme scheme1
[Eudemon-aaa-accounting-scheme1] accounting start-fail online

Related Topics
2.12.7 accounting-scheme (AAA View)

2.12.6 accounting-mode

Function
Using the accounting-mode command, you can configure the accounting mode being used by
the current accounting scheme.

Format
accounting-mode { hwtacacs | radius | none }

Parameters
none: does not conduct accounting.
radius: uses the RADIUS server for accounting.
hwtacacs: uses the HWTACACS server for accounting.

Views
Accounting scheme view

Default Level
2: Configuration level

Usage Guidelines
By default, no accounting is conducted on login users.

Examples
# The RADIUS accounting mode is applied to scheme1.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] accounting-scheme scheme1
[Eudemon-aaa-accounting-scheme1] accounting-mode radius

2.12.7 accounting-scheme (AAA View)

Function
Using the accounting-scheme command, you can create an accounting scheme and display the
accounting scheme view.
Using the undo accounting-scheme command, you can delete an existing accounting scheme.

Format
accounting-scheme scheme-name
undo accounting-scheme scheme-name

Parameters
scheme-name: specifies the name of an accounting scheme, a case-insensitive string of 1 to 32
characters that follows the Windows naming convention, that is, excludes characters such as
\, /, :, *, ?, ", <, and >.

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
If an accounting scheme with the same name already exists, the accounting scheme view is displayed directly.
The system supports 128 accounting schemes at most.
Moreover, the system has a default scheme, which cannot be deleted but can be modified.

Examples
# Add an accounting scheme with the name newscheme.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] accounting-scheme newscheme
[Eudemon-aaa-accounting-newscheme]

# Delete an existing accounting scheme with the name oldscheme.


<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] undo accounting-scheme oldscheme

# The default accounting scheme view is displayed.


<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] accounting-scheme default
[Eudemon-aaa-accounting-default]

2.12.8 authentication-mode (Authentication Scheme View)

Function
Using the authentication-mode command, you can set an authentication mode for the current
authentication scheme.

Format
authentication-mode { [ hwtacacs | radius | local ] * | [ none ] } *

Parameters
hwtacacs: authenticates through an HWTACACS server.

radius: authenticates through a RADIUS server.

local: authenticates locally.

none: allows users to pass directly without being authenticated.

Views
Authentication scheme view

Default Level
2: Configuration level

Usage Guidelines
By default, the authentication mode is local.

If multiple authentication modes are set for an authentication scheme, they are executed in the
order in which they are configured, and the none mode must be the last one adopted.

Examples
# Set the authentication scheme scheme1 to adopt the local authentication.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] authentication-scheme scheme1
[Eudemon-aaa-authen-scheme1] authentication-mode local

# Set multiple authentication modes to the authentication scheme scheme2 in the sequence of
RADIUS authentication, local authentication, HWTACACS authentication and none
authentication.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] authentication-scheme scheme2
[Eudemon-aaa-authen-scheme2] authentication-mode radius local hwtacacs none

2.12.9 authentication-scheme (AAA View)

Function
Using the authentication-scheme command, you can add or modify an authentication scheme,
and configure the first authentication scheme and the second authentication scheme.

Using the undo authentication-scheme command, you can delete an existing authentication
scheme that is not used by any domain.

Format
authentication-scheme scheme-name

undo authentication-scheme scheme-name

Parameters
scheme-name: specifies the name of an authentication scheme, a case-insensitive string of 1 to 32
characters that follows the Windows naming convention, that is, excludes characters such as
\, /, :, *, ?, ", <, and >.

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
When the specified authentication scheme does not exist, you can define a new one with the name
specified in the authentication-scheme command. Otherwise, you will directly enter the
authentication scheme view specified in the command.

The system supports 16 authentication schemes at most.

Moreover, the system has a default scheme, which cannot be deleted but can be modified.

Examples
# Add an authentication scheme with the name newscheme.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] authentication-scheme newscheme
[Eudemon-aaa-authen-newscheme]

# Delete the authentication scheme oldscheme.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] undo authentication-scheme oldscheme

# The default authentication scheme view is displayed.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] authentication-scheme default
[Eudemon-aaa-authen-default]

Related Topics
2.12.14 display authentication-scheme

2.12.10 authorization-mode

Function
Using the authorization-mode command, you can set an authorization mode for the current
authorization scheme.

Format
authorization-mode { [ hwtacacs | if-authenticated | local ] * | [ none ] } *

Parameters
hwtacacs: authorizes through an HWTACACS server.
local: authorizes at local.
if-authenticated: authorizes a user who has passed authentication in any mode other than none;
otherwise, the user is not authorized.
none: authorizes the user directly.

Views
Authorization scheme view

Default Level
2: Configuration level

Usage Guidelines
There are four types of authorization modes. When several modes are configured, the next mode
is adopted if the previous one does not reply.
You must configure the authorization mode; there is no default authorization mode.
If multiple authorization modes are set for an authorization scheme, they are executed in the
order in which they are configured, and the none mode must be the last one adopted.

Examples
# Set the authorization mode of the authorization scheme scheme1 as local.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] authorization-scheme scheme1
[Eudemon-aaa-author-scheme1] authorization-mode local

# Set multiple authorization modes to the authorization scheme scheme2 in the sequence of
if-authenticated authorization, local authorization, HWTACACS authorization and none
authorization.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] authorization-scheme scheme2
[Eudemon-aaa-author-scheme2] authorization-mode if-authenticated local hwtacacs none
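
The mode sequences and failure policies in 2.12.3 to 2.12.10 decide whether AAA on the firewall fails open. The following Python audit is an added example, not part of the Huawei manual: it flags schemes that reach the none mode and accounting schemes that keep users online when accounting fails. The sample configuration is constructed from the commands in this section; its layout, the function names and the finding codes are assumptions.

```python
import re

# Constructed sample: the scheme commands from this section laid out the way they
# might be saved under "aaa". The layout is an assumption, not Eudemon output.
SAMPLE_CONFIG = """\
aaa
 authentication-scheme default
 authentication-scheme scheme2
  authentication-mode radius local hwtacacs none
 authentication-scheme broken
  authentication-mode none radius
 authorization-scheme scheme1
  authorization-mode local
 authorization-scheme scheme2
  authorization-mode if-authenticated local hwtacacs none
 accounting-scheme scheme1
  accounting-mode radius
  accounting realtime 5
  accounting interim-fail max-times 5 online
  accounting start-fail online
 accounting-scheme default
"""

SCHEME_RE = re.compile(r"^(authentication|authorization|accounting)-scheme\s+(\S+)$")
# Commands that belong to a scheme view; any other line ends the current scheme.
SUBCOMMANDS = {
    "authentication": ("authentication-mode",),
    "authorization": ("authorization-mode",),
    "accounting": ("accounting-mode", "accounting realtime",
                   "accounting interim-fail", "accounting start-fail"),
}
# Finding codes (hypothetical names) and the documented behaviour behind each.
EXPLAIN = {
    "NONE_ONLY": "none is the only mode: users pass without any check",
    "NONE_FALLBACK": "none is the last mode in the sequence, after the other modes",
    "NONE_NOT_LAST": "none must be the last mode adopted",
    "NO_ACCOUNTING": "no accounting is conducted",
    "START_FAIL_ONLINE": "users stay online when enabling accounting fails",
    "INTERIM_FAIL_ONLINE": "users stay online when real-time accounting fails",
}

def parse_schemes(text):
    """Return {(kind, name): [sub-command lines]} for every scheme definition."""
    schemes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = SCHEME_RE.match(line)
        if match:
            # Scheme names are case insensitive, so compare them in lower case.
            current = (match.group(1), match.group(2).lower())
            schemes.setdefault(current, [])
        elif current is not None and line.startswith(SUBCOMMANDS[current[0]]):
            schemes[current].append(line)
        else:
            current = None
    return schemes

def configured_modes(lines, keyword, default):
    """Return the mode list of the last `keyword` command, or the documented default."""
    modes = default
    for line in lines:
        parts = line.split()
        if parts[0] == keyword:
            modes = parts[1:]
    return modes

def fail_policy(lines, keyword):
    """Return online/offline for `accounting <keyword>`; the documented default is offline."""
    policy = "offline"
    for line in lines:
        parts = line.split()
        if parts[:2] == ["accounting", keyword]:
            policy = parts[-1]
    return policy

def audit(text):
    """Return sorted (kind, scheme, finding) tuples for fail-open AAA settings."""
    findings = []
    for (kind, name), lines in parse_schemes(text).items():
        if kind == "accounting":
            if configured_modes(lines, "accounting-mode", ["none"]) == ["none"]:
                findings.append((kind, name, "NO_ACCOUNTING"))
                continue  # the fail policies are moot when nothing is accounted
            if fail_policy(lines, "start-fail") == "online":
                findings.append((kind, name, "START_FAIL_ONLINE"))
            if fail_policy(lines, "interim-fail") == "online":
                findings.append((kind, name, "INTERIM_FAIL_ONLINE"))
            continue
        # Authentication defaults to local; authorization has no default mode.
        default = ["local"] if kind == "authentication" else []
        modes = configured_modes(lines, kind + "-mode", default)
        if "none" not in modes:
            continue
        if modes[-1] != "none":
            findings.append((kind, name, "NONE_NOT_LAST"))
        elif len(modes) == 1:
            findings.append((kind, name, "NONE_ONLY"))
        else:
            findings.append((kind, name, "NONE_FALLBACK"))
    return sorted(findings)

def report(text):
    """Format the findings as one readable line per finding."""
    return ["%s-scheme %s: %s (%s)" % (k, n, c, EXPLAIN[c]) for k, n, c in audit(text)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```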

2.12.11 authorization-scheme (AAA View)

Function
Using the authorization-scheme command, you can define or modify an authorization scheme.

Using the undo authorization-scheme command, you can delete an authorization scheme that
is not used by any domain.

Format
authorization-scheme scheme-name
undo authorization-scheme scheme-name

Parameters
scheme-name: specifies the name of the authorization scheme, a case-insensitive string of 1 to 32
characters that follows the Windows naming convention, that is, excludes characters such
as \, /, :, *, ?, ", < and >.

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
When the specific authorization scheme does not exist, you can define a new one with the name
specified in the authorization-scheme command; otherwise, you will modify the authorization
scheme.
The system supports 16 authorization schemes at most.
Moreover, the system has a default scheme, which cannot be deleted but can be modified.

Examples
# Define an authorization scheme with the name newscheme.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] authorization-scheme newscheme
[Eudemon-aaa-author-newscheme]

# Delete the authorization scheme oldscheme.


<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] undo authorization-scheme oldscheme

2.12.12 display aaa configuration

Function
Using the display aaa configuration command, you can view AAA configuration, including:
• Utilization rate of domain resources
• Authentication scheme table
• Access table
• Current bill sequence numbers
• Number of online users

Format
display aaa configuration

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display AAA configuration in brief.
<Eudemon> display aaa configuration
--------------------------------------------------------------
AAA configuration information :
--------------------------------------------------------------
Domain : total: 128 used: 1
Authentication-scheme : total: 16 used: 2
Authorization-scheme : total: 16 used: 2
Accounting-scheme : total: 128 used: 2
Recording-scheme : total: 128 used: 0
AAA-access-user : total: 6128 used: 0
Access-user-state : authen: 0 author: 0 acct: 0
---------------------------------------------------------------

2.12.13 display accounting-scheme

Function
Using the display accounting-scheme command, you can view the configuration of an
accounting scheme.

Format
display accounting-scheme [ scheme-name ]

Parameters
scheme-name: specifies the name of an accounting scheme, a string of 1 to 32 characters, case
insensitive.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If you run the command in accounting scheme view or specify an accounting scheme, its detailed
configuration is displayed. Otherwise, the brief configuration is displayed.

Examples
# Display all accounting schemes in brief.
<Eudemon> display accounting-scheme
-------------------------------------------------------------------
Accounting-scheme-name Accounting-method
-------------------------------------------------------------------
default No accounting
scheme1 No accounting
-------------------------------------------------------------------
Total 2,2 printed

# Display the detailed configuration of the default accounting scheme.


<Eudemon> display accounting-scheme default
------------------------------------------------------------------
Accounting-scheme-name : default
Accounting-method : No accounting
Realtime-accounting-switch : Open
Realtime-accounting-interval(min) : 5
Start-accounting-fail-policy : Cut user
Realtime-accounting-fail-policy : Cut user
Realtime-accounting-failure-retries : 3
---------------------------------------------------------------

Table 2-8 Description of the display accounting-scheme command output

Item                                   Description
Accounting-scheme-name                 Accounting scheme name
Accounting-method                      Accounting method configured on the accounting scheme
Realtime-accounting-switch             Real-time accounting function
Realtime-accounting-interval(min)      Real-time accounting interval
Start-accounting-fail-policy           Enabling accounting fail policy
Realtime-accounting-fail-policy        Real-time accounting fail policy
Realtime-accounting-failure-retries    Maximum real-time accounting fail retries

Related Topics
2.12.7 accounting-scheme (AAA View)
2.12.6 accounting-mode

2.12.14 display authentication-scheme

Function
Using the display authentication-scheme command, you can view the configuration of an
authentication scheme.

Format
display authentication-scheme [ scheme-name ]

Parameters
scheme-name: specifies the name of an authentication scheme. It is a case insensitive string of
1 to 32 characters.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Running the command in authentication scheme view or specifying an authentication scheme,
you can view its detailed configuration; otherwise, you will view the brief configuration.

Examples
# Display all authentication schemes in brief.
<Eudemon> display authentication-scheme
-------------------------------------------------------------
Authentication-scheme-name Authentication-method
-------------------------------------------------------------
default local
scheme1 local
-------------------------------------------------------------
Total 2,2 printed

# Display the default authentication scheme in detail.

<Eudemon> display authentication-scheme default


-------------------------------------------------------------
Authentication-scheme-name : default
Authentication-method : Local authentication
-------------------------------------------------------------

2.12.15 display authorization-scheme

Function
Using the display authorization-scheme command, you can view the configuration of an
authorization scheme.

Format
display authorization-scheme [ scheme-name ]

Parameters
scheme-name: specifies the name of an authorization scheme, a string of 1 to 32 characters, case
insensitive.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Running the command in authorization scheme view or specifying an authorization scheme, you
can view its configuration in detail; otherwise, you will view the configuration in brief.

Examples
# Display all authorization schemes in brief.
<Eudemon> display authorization-scheme
------------------------------------------------------------
Authorization-scheme-name Authorization-method
------------------------------------------------------------
default Local
scheme1 Local
------------------------------------------------------------
Total 2,2 printed

# Display the default authorization scheme in detail.


<Eudemon> display authorization-scheme default
---------------------------------------------------------------
Authorization-scheme-name : default
Authorization-method : Local authorization
---------------------------------------------------------------

Related Topics
2.12.11 authorization-scheme (AAA View)
2.12.10 authorization-mode

2.12.16 display ip pool

Function
Using the display ip pool command, you can display the configuration and use of the addresses
in the IP address pool.

Format
display ip pool { global | domain domain-name }

Parameters
global: refers to the global IP address pool.
domain-name: specifies the domain name.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If you specify the global parameter, the IP address pool configured in AAA view is displayed. The
addresses of this pool can be assigned to users in the default domain or to users who use none
authentication.
If you specify the domain domain-name parameter, the configuration and use of the IP pool in the
specified domain are displayed. A PPP user who requires authentication but is not in the default
domain uses the IP pool in the specified domain.

Examples
# Display the system IP pool.
<Eudemon> display ip pool global
--------------------------------------------------------------------------
Pool-number Pool-start-addr Pool-end-addr Pool-length Used-addr-number
--------------------------------------------------------------------------
1 1.1.1.1 1.1.1.30 30 0
2 2.2.2.2 2.2.3.1 256 0
--------------------------------------------------------------------------
Total pool number: 2

# Display the IP pool in domain mydomain.


<Eudemon> display ip pool domain mydomain
--------------------------------------------------------------------------
Pool-number Pool-start-addr Pool-end-addr Pool-length Used-addr-number
--------------------------------------------------------------------------
3 10.1.1.1 10.1.1.50 50 0
4 192.168.1.1 1 0
--------------------------------------------------------------------------
Total pool number: 2

2.12.17 display recording-scheme

Function
Using the display recording-scheme command, you can view the configuration of a recording
scheme, including the recording scheme name, accounting or not, and the HWTACACS template
in use. In the case that no recording scheme is specified, you will view the configuration
information of all recording schemes.

Format
display recording-scheme [ scheme-name ]

Parameters
scheme-name: specifies the name of a recording scheme, a string of 1 to 32 characters, case
insensitive.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the recording scheme currentscheme.
<Eudemon> display recording-scheme currentscheme
-----------------------------------------------------------------
Recording_scheme_name : currentscheme
TACACAS_template_name : NO SET
----------------------------------------------------------------

# Display all recording schemes.


<Eudemon> display recording-scheme
------------------------------------------------------------------
Recording scheme name TACACS Template Name
scheme1 NO SET
Total recording schemes : 1
------------------------------------------------------------------

Related Topics
2.12.22 recording-scheme
2.12.21 recording-mode

2.12.18 display user-car

Function
Using the display user-car command, you can display the CAR list of users.

Format
display user-car [ level ]

Parameters
level: specifies the value of a CAR level in the range of 1 to 30.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the CAR list of users.
<Eudemon> display user-car 3
No. Intarget Inburst Inexcess Outtarget Outburst Outexcess
-- (Kbps) (kbit) (kbit) (Kbps) (kbit) (kbit)
3 2048 3072 0 2048 3072 0

Table 2-9 Description of the display user-car 3 command output

Item         Description
Intarget     Normal traffic to be maintained by the incoming direction
Inburst      Number of bits to be sent at the interval of the incoming direction
Inexcess     Extended burst traffic of the incoming direction
Outtarget    Normal traffic to be maintained by the outgoing direction
Outburst     Number of bits to be sent at the interval of the outgoing direction
Outexcess    Extended burst traffic of the outgoing direction

2.12.19 ip address ppp-negotiate

Function
Using the ip address ppp-negotiate command, you can enable IP address negotiation on an
interface.
Using the undo ip address ppp-negotiate command, you can disable the function.

Format
ip address ppp-negotiate
undo ip address ppp-negotiate

Parameters
None

Views
Virtual-Template interface view, Dialer interface view

Default Level
2: Configuration level

Usage Guidelines
By default, this function is disabled on interfaces.

Examples
# Enable IP address negotiation on Virtual-Template interface 24.
<Eudemon> system-view
[Eudemon] interface virtual-template 24
[Eudemon-Virtual-Template24] ip address ppp-negotiate

2.12.20 ip pool

Function
Using the ip pool command, you can define a local address pool for assigning IP addresses to
PPP users.

Using the undo ip pool command, you can delete a local address pool.

Format
ip pool pool-number first-address [ last-address ]

undo ip pool pool-number

Parameters
pool-number: specifies the number of an address pool in a range of 0 to 99.

first-address: specifies the starting IP address in the address pool.

last-address: specifies the ending IP address in the address pool.

Views
AAA view, AAA domain view

Default Level
2: Configuration level

Usage Guidelines
By default, no local address pool is defined.

The total number of IP addresses in all address pools cannot be greater than 4096. In addition,
if no ending IP address is specified during the address pool configuration, there is only one IP
address in the address pool, that is, the starting IP address.

Examples
# Configure the local address pool 0, including the IP addresses from 129.102.0.1 to
129.102.0.10.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] ip pool 0 129.102.0.1 129.102.0.10

2.12.21 recording-mode

Function
Using the recording-mode command, you can set a recording mode for the current recording
scheme.

Format
recording-mode hwtacacs template-name

undo recording-mode

Parameters
template-name: specifies the name of an HWTACACS server template involved in a recording
mode, a string of 1 to 32 characters.

Views
Recording scheme view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Configure the recording scheme scheme1 by using the HWTACACS template test.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] recording-scheme scheme1
[Eudemon-aaa-recording-scheme1] recording-mode hwtacacs test

Related Topics
2.12.21 recording-mode
2.12.16 display ip pool

2.12.22 recording-scheme

Function
Using the recording-scheme command, you can define a recording scheme and enter the
corresponding view.

Using the undo recording-scheme command, you can delete a recording scheme.

Format
recording-scheme scheme-name

undo recording-scheme scheme-name

Parameters
scheme-name: specifies the name of a recording scheme, a case-insensitive string of 1 to 32
characters that follows the Windows naming convention, that is, excludes characters such
as \, /, :, *, ?, ", < and >.

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
In recording scheme view, you can configure the scheme through an HWTACACS server
template.

The basic recording policy such as recording mode must be configured.

The system supports 128 recording schemes at most.

Moreover, the system has a default scheme, which cannot be deleted but can be modified.

Examples
# Define a recording scheme by the name of newscheme.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] recording-scheme newscheme
[Eudemon-aaa-recording-newscheme]

# Delete the recording scheme by the name of oldscheme.


<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] undo recording-scheme oldscheme

Related Topics
2.12.20 ip pool

2.12.23 user-car (AAA View)

Function
Using the user-car command, you can set the average upstream/downstream rate, peak rate and
additional rate for the CAR table. The data stream in the range will be forwarded; otherwise, it
will be discarded.

Using the undo user-car command, you can cancel the setting.

Format
user-car level-number input target-rate burst-size excess-burst-size output target-rate burst-size excess-burst-size
undo user-car level-number

Parameters
input: limits the rate of receiving data packets.
output: limits the rate of sending data packets.
level-number: specifies the level of CAR in a range of 1 to 30.
target-rate: refers to the normal traffic in the range of 8000 to 100000000 bit/s (8k to 100M).
The default value is 20000000 bit/s (20M).
burst-size: specifies the number of bits that are sent out at each interval, in the range of 15000
to 100000000 bits (15k to 100M). The default value is 25000000 bits (25M).
excess-burst-size: specifies the size of the excess burst, in a range of 0 to 100000000 bits (0 to
100M). The default value is 5000000 bits (5M).

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Set the CAR level to 8 and limit the rate of input and output traffic by setting the average
rate to 8000 bit/s, burst to 15000 bits, and excess burst to 2000 bits.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] user-car 8 input 8000 15000 2000 output 8000 15000 2000

Related Topics
2.16.14 local-user state

2.13 RADIUS Server Configuration Commands


2.13.1 debugging radius
2.13.2 display radius-server accounting-stop-packet
2.13.3 display radius-server configuration

2.13.4 radius-server accounting


2.13.5 radius-server accounting-stop-packet resend
2.13.6 radius-server authentication
2.13.7 radius-server nas-port-format
2.13.8 radius-server nas-port-id-format
2.13.9 radius-server retransmit
2.13.10 radius-server shared-key
2.13.11 radius-server template
2.13.12 radius-server timeout
2.13.13 radius-server traffic-unit
2.13.14 radius-server type
2.13.15 radius-server user-name domain-included
2.13.16 reset radius-server accounting-stop-packet

2.13.1 debugging radius

Function
Using the debugging radius command, you can enable the RADIUS packet debugging.

Using the undo debugging radius command, you can disable the RADIUS packet debugging.

Format
debugging radius packet

undo debugging radius packet

Parameters
packet: enables the RADIUS packet debugging.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, the RADIUS packet debugging is disabled.

Examples
# Enable the RADIUS packet debugging.
<Eudemon> debugging radius packet

2.13.2 display radius-server accounting-stop-packet

Function
Using the display radius-server accounting-stop-packet command, you can display the
accounting stop packets of the RADIUS server.

Format
display radius-server accounting-stop-packet { template-name | ip ip-address }

Parameters
template-name: specifies the name of a RADIUS server template. All accounting stop packets of
the specified RADIUS server template are displayed.

ip: displays the accounting stop packets containing specified IP addresses.

ip-address: specifies the IP address in dotted decimal format.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the accounting stop packets of the RADIUS server template named mytemplate.
<Eudemon> display radius-server accounting-stop-packet mytemplate

Related Topics
2.13.16 reset radius-server accounting-stop-packet

2.13.3 display radius-server configuration

Function
Using the display radius-server configuration command, you can view the configuration of a
RADIUS server. If no template is specified, you will view the configuration of all RADIUS
servers.

Format
display radius-server configuration [ template template-name ]

Parameters
template-name: specifies the name of a RADIUS server template, a string of 1 to 32 characters.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the configuration of a RADIUS server.
<Eudemon> display radius-server configuration
--------------------------------------------------------------
Server-template-name : test1
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : secret
Timeout-interval(in second) : 5
Primary-authentication-server : 0.0.0.0:0
Primary-accounting-server : 0.0.0.0:0
Secondary-authentication-server : 0.0.0.0:0
Secondary-accounting-server : 0.0.0.0:0
Retransmission : 3
Domain-included : YES
------------------------------------------------------------

2.13.4 radius-server accounting

Function
Using the radius-server accounting command, you can configure the RADIUS accounting
server.
Using the undo radius-server accounting command, you can cancel the configuration.

Format
radius-server accounting ip-address port [ secondary ]

undo radius-server accounting [ secondary ]

Parameters
ip-address: specifies the IP address of a server in dotted decimal format. It must be a valid unicast
address.

port: specifies the number of a port in a range of 1 to 65535.

secondary: refers to the secondary server. Without the parameter, it refers to the primary server.

Views
RADIUS view

Default Level
2: Configuration level

Usage Guidelines
The IP address of the primary accounting server must differ from that of the secondary
accounting server; otherwise, the failure prompt is displayed.

In the case that this command is executed repeatedly, the new configuration overwrites the
previous one.

You can modify this configuration only when the RADIUS server template is not in use.

Deleting a server takes effect only on the subsequent packets.

Examples
# Configure the primary accounting server.
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1] radius-server accounting 10.163.155.12 1813

Related Topics
2.13.6 radius-server authentication

2.13.5 radius-server accounting-stop-packet resend

Function
Using the radius-server accounting-stop-packet resend command, you can configure the
accounting stop packet retransmission.

Format
radius-server accounting-stop-packet resend { enable times | disable }

Parameters
enable: enables the accounting stop packet retransmission.
times: specifies the number of times for retransmitting accounting stop packets. Its value ranges
from 1 to 1024. The default value is 100.
disable: prevents accounting stop packets from being retransmitted.

Views
RADIUS view

Default Level
2: Configuration level

Usage Guidelines
By default, the accounting stop packet retransmission is disabled.
You can modify this configuration only when the RADIUS server template is not in use.

NOTE

Note that accounting stop packets occupy a certain amount of memory after this function is enabled.
This increases the system overhead.

Examples
# Set the number of times for retransmitting accounting stop packets to 10.
<Eudemon> system-view
[Eudemon] radius-server template 163
[Eudemon-radius-163] radius-server accounting-stop-packet resend enable 10

2.13.6 radius-server authentication

Function
Using the radius-server authentication command, you can configure a RADIUS authentication
server.
Using the undo radius-server authentication command, you can cancel the configuration.

Format
radius-server authentication ip-address port [ secondary ]
undo radius-server authentication [ secondary ]

Parameters
ip-address: specifies the IP address of a server in dotted decimal format. It must be a valid unicast
address.
port: specifies the number of a port in a range of 1 to 65535.

secondary: refers to the secondary server. Without the parameter, it refers to the primary server.

Views
RADIUS view

Default Level
2: Configuration level

Usage Guidelines
The IP address of the primary authentication server must differ from that of the secondary
authentication server; otherwise, the failure prompt is displayed.

In the case that the command is executed repeatedly, the new configuration will overwrite the
previous one.

You can modify this configuration only when the RADIUS server template is not in use.

Deleting a server takes effect only on the subsequent packets.

Examples
# Configure the primary authentication server.
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1] radius-server authentication 10.163.155.13 1812

Related Topics
2.13.4 radius-server accounting

2.13.7 radius-server nas-port-format

Function
Using the radius-server nas-port-format command, you can set the NAS port format.

Format
radius-server nas-port-format { new | old }

Parameters
new: uses the new NAS port format.

old: uses the old NAS port format.

Views
RADIUS view

Default Level
2: Configuration level

Usage Guidelines
By default, the new NAS port format is adopted.

The NAS port format determines the physical port information of the user that is carried to the
RADIUS server, which uses it for processing various services such as the user name and port
binding. This is an internal extended attribute of Huawei, used for interworking and service
cooperation between Huawei devices.

The two NAS port formats differ in how they encode the physical port of users that access through
Ethernet.

• The new NAS port format is composed of an 8-bit slot number, a 4-bit subslot number, an 8-bit
port number, and a 12-bit VLAN ID, in that order.
• The old NAS port format is composed of a 12-bit slot number, an 8-bit port number, and a 12-bit
VLAN ID, in that order.

The port format for the user accessing through ADSL is composed of a 4-bit slot number, a 2-bit
subslot number, a 2-bit port number, an 8-bit VPI and a 16-bit VCI, in that order.

The NAS port format must be used along with the accounting system of Huawei.

Examples
# Set the new NAS port format to the RADIUS server template test1.
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1] radius-server nas-port-format new

Related Topics
2.13.3 display radius-server configuration
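
The bit layouts from the usage guidelines above, packed and unpacked, as an added example that is not code from the Huawei manual. It assumes the fields fill one 32-bit integer with the first-listed field in the most significant bits, which the text's ordering suggests but does not state; all function and layout names are hypothetical.

```python
# Added example. Field widths are taken from the usage guidelines of
# radius-server nas-port-format; the packing order (first-listed field in the
# most significant bits) is an assumption, and all names are hypothetical.
LAYOUTS = {
    # Ethernet access, "new" format: 8 + 4 + 8 + 12 = 32 bits
    "new": (("slot", 8), ("subslot", 4), ("port", 8), ("vlan", 12)),
    # Ethernet access, "old" format: 12 + 8 + 12 = 32 bits
    "old": (("slot", 12), ("port", 8), ("vlan", 12)),
    # ADSL access: 4 + 2 + 2 + 8 + 16 = 32 bits
    "adsl": (("slot", 4), ("subslot", 2), ("port", 2), ("vpi", 8), ("vci", 16)),
}


def _layout(name):
    try:
        return LAYOUTS[name]
    except KeyError:
        raise ValueError(f"unknown layout {name!r}") from None


def pack_nas_port(layout, **fields):
    """Build the 32-bit NAS port value from named fields."""
    spec = _layout(layout)
    expected = {name for name, _ in spec}
    if set(fields) != expected:
        raise ValueError(f"{layout} layout needs exactly {sorted(expected)}")
    value = 0
    for name, width in spec:
        field = fields[name]
        if not 0 <= field < (1 << width):
            raise ValueError(f"{name}={field} does not fit in {width} bits")
        value = (value << width) | field
    return value


def unpack_nas_port(layout, value):
    """Split a 32-bit NAS port value into named fields."""
    spec = _layout(layout)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("NAS port value must fit in 32 bits")
    fields = {}
    shift = 32
    for name, width in spec:
        shift -= width
        fields[name] = (value >> shift) & ((1 << width) - 1)
    return fields


def decode_both(value):
    """Decode one Ethernet value under both formats.

    If the device and the accounting side disagree on new/old, the slot read
    by one side is (slot << 4 | subslot) of the other, so a user-to-port
    binding will not match even though port and VLAN ID still agree.
    """
    return {"new": unpack_nas_port("new", value),
            "old": unpack_nas_port("old", value)}


if __name__ == "__main__":
    v = pack_nas_port("new", slot=1, subslot=2, port=3, vlan=100)
    print(hex(v), decode_both(v))
```

Decoding a value from an accounting record with both layouts is a quick way to confirm which format a template is actually sending before relying on port binding.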

2.13.8 radius-server nas-port-id-format

Function
Using the radius-server nas-port-id-format command, you can set the NAS port ID format.

Format
radius-server nas-port-id-format { new | old }

Parameters
new: uses the new NAS port ID format.

old: uses the old NAS port ID format.

Views
RADIUS view

Default Level
2: Configuration level

Usage Guidelines
By default, the new NAS port ID format is adopted.
Similar to the NAS port format, this is an internal extended attribute of Huawei, used for
interworking and service cooperation between Huawei devices.
With respect to the new format:
• NAS port ID of the user accessing through Ethernet is in the format of "slot=xx; subslot=xx;
port=xxx; VLAN ID=xxxx", in which slot is in a range of 0 to 15, subslot 0 to 15, port 0
to 255 and VLAN ID 0 to 4095.
• NAS port ID of the user accessing through ADSL is in the format of "slot=xx; subslot=x;
port=x; VPI=xxx; VCI=xxxxx", in which slot is in a range of 0 to 15, subslot 0 to 9, port
0 to 9, VPI 0 to 255, and VCI 0 to 65535.
With respect to the old format:
• NAS port ID of the user accessing through Ethernet is composed of 2-character port
number, 2-byte subslot number, 3-byte card number, and 9-character VLAN ID, in that order.
• NAS port ID of the user accessing through ADSL is composed of 2-character port number,
2-byte subslot number, 3-byte card number, 8-character VPI and 16-character VCI,
prefixed with zeros if necessary.

Examples
# Set the new NAS port ID format to the RADIUS server template "test1".
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1] radius-server nas-port-id-format new

Related Topics
2.13.3 display radius-server configuration

2.13.9 radius-server retransmit

Function
Using the radius-server retransmit command, you can set the number of retransmission events.
Using the undo radius-server retransmit command, you can restore the default setting.

Format
radius-server retransmit retry-times [ timeout timeout-value ]
undo radius-server retransmit [ timeout ]

Parameters
retry-times: specifies the number of retransmission events, in a range of 1 to 5. It defaults to 3.
timeout-value: specifies the timeout value of the retransmission, in a range of 3 to 10 seconds.
The default value is 5 seconds.

Views
RADIUS view

Default Level
2: Configuration level

Usage Guidelines
You can modify this setting only when the RADIUS server template is not in use.
This command can be used along with the radius-server timeout command at the same time.

Examples
# Set the number of retransmission events to 4.
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1] radius-server retransmit 4

Related Topics
2.13.3 display radius-server configuration

2.13.10 radius-server shared-key

Function
Using the radius-server shared-key command, you can set a shared key for a RADIUS server.

Format
radius-server shared-key key-string

Parameters
key-string: specifies a shared key, a string of 1 to 16 characters. The default is "huawei".

Views
RADIUS view

Default Level
2: Configuration level

Usage Guidelines
You can modify this configuration only when the RADIUS server template is not in use.

Examples
# Set the shared key of the RADIUS server as hello.
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1] radius-server shared-key hello

Related Topics
2.13.3 display radius-server configuration
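
An added example, not part of the Huawei manual: a check that parses display radius-server configuration output (the layout shown in 2.13.3) and flags templates that still carry the documented default key "huawei" or have no server set. The second template in the sample, the MIN_KEY_LEN policy threshold and all function names are constructed assumptions.

```python
import re

DEFAULT_KEY = "huawei"      # documented default of radius-server shared-key
UNSET_SERVER = "0.0.0.0:0"  # value the display output shows for an unset server
MIN_KEY_LEN = 12            # assumption: local policy value; the device accepts 1 to 16

# Constructed sample: the first block mirrors the 2.13.3 example output,
# the second block is invented for this example.
SAMPLE_OUTPUT = """\
--------------------------------------------------------------
Server-template-name : test1
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : secret
Timeout-interval(in second) : 5
Primary-authentication-server : 0.0.0.0:0
Primary-accounting-server : 0.0.0.0:0
Secondary-authentication-server : 0.0.0.0:0
Secondary-accounting-server : 0.0.0.0:0
Retransmission : 3
Domain-included : YES
--------------------------------------------------------------
Server-template-name : branch
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : huawei
Timeout-interval(in second) : 5
Primary-authentication-server : 10.163.155.13:1812
Primary-accounting-server : 10.163.155.12:1813
Secondary-authentication-server : 0.0.0.0:0
Secondary-accounting-server : 0.0.0.0:0
Retransmission : 3
Domain-included : YES
--------------------------------------------------------------
"""

# Key is everything before the first colon; values such as 0.0.0.0:0 keep theirs.
_FIELD = re.compile(r"\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_templates(text):
    """Return one dict per template block; blocks are delimited by dashed lines."""
    templates, current = [], {}
    for line in text.splitlines():
        if set(line.strip()) == {"-"}:
            if current:
                templates.append(current)
                current = {}
            continue
        match = _FIELD.match(line)
        if match:  # prompts and blank lines carry no "key : value" and are skipped
            current[match.group(1)] = match.group(2)
    if current:
        templates.append(current)
    return templates


def audit(templates):
    """Return (template name, finding) tuples for settings worth reviewing."""
    findings = []
    for tpl in templates:
        name = tpl.get("Server-template-name", "?")
        key = tpl.get("Shared-secret-key")
        if key == DEFAULT_KEY:
            findings.append((name, "shared key is the documented default"))
        elif key is not None and len(key) < MIN_KEY_LEN:
            findings.append((name, f"shared key shorter than {MIN_KEY_LEN} characters"))
        if tpl.get("Primary-authentication-server") == UNSET_SERVER:
            findings.append((name, "no primary authentication server configured"))
        if tpl.get("Primary-accounting-server") == UNSET_SERVER:
            findings.append((name, "no primary accounting server configured"))
    return findings


if __name__ == "__main__":
    for template, finding in audit(parse_templates(SAMPLE_OUTPUT)):
        print(f"{template}: {finding}")
```

The display output prints the shared key in clear text, so saved copies of it should be handled as secrets.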

2.13.11 radius-server template

Function
Using the radius-server template command, you can enter RADIUS view. In the case that the
specific template does not exist, you can create one with the name specified.
Using the undo radius-server template command, you can delete a RADIUS server template.

Format
radius-server template template-name
undo radius-server template template-name

Parameters
template-name: specifies the name of a RADIUS server template, a string of 1 to 32 characters.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
In RADIUS view, you can configure the RADIUS server template.
The system supports 128 RADIUS server templates at most. You can modify this configuration
only when the RADIUS server template is not in use.
If the template is in use while being deleted, the failure prompt is displayed.

Examples
# Create a RADIUS server template test1 and enter the corresponding view.

<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1]

Related Topics
2.13.3 display radius-server configuration

2.13.12 radius-server timeout

Function
Using the radius-server timeout command, you can set the retransmission timeout for the
RADIUS server.
Using the undo radius-server timeout command, you can restore the default setting.

Format
radius-server timeout timeout-value [ retransmit retry-times ]
undo radius-server timeout [ retransmit ]

Parameters
timeout-value: specifies the timeout value of the retransmission, in a range of 3 to 10 seconds.
The default value is 5 seconds.
retry-times: specifies the number of retransmission events, in a range of 1 to 5. It defaults to 3.

Views
RADIUS view

Default Level
2: Configuration level

Usage Guidelines
You can modify this setting only when the RADIUS server template is not in use.
This command can be used along with the radius-server retransmit command at the same time.

Examples
# Set the retransmission timeout of the server to 6 seconds.
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1] radius-server timeout 6

Related Topics
2.13.3 display radius-server configuration

2.13.13 radius-server traffic-unit

Function
Using the radius-server traffic-unit command, you can set the traffic unit for the RADIUS
server.

Format
radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

Parameters
byte: takes byte as the traffic unit.

kbyte: takes kilobyte as the traffic unit.

mbyte: takes megabyte as the traffic unit.

gbyte: takes gigabyte as the traffic unit.

Views
RADIUS view

Default Level
2: Configuration level

Usage Guidelines
By default, the traffic unit is byte.

You can modify this setting only when the RADIUS server template is not in use.

This setting is invalid for servers whose traffic unit is not byte.

Examples
# Set the traffic unit of the RADIUS server as kilobyte.
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1] radius-server traffic-unit kbyte

Related Topics
2.13.3 display radius-server configuration

2.13.14 radius-server type

Function
Using the radius-server type command, you can set the protocol version used by the RADIUS
server.

Format
radius-server type { standard | portal }

Parameters
standard: applies the standard RADIUS protocol to the server.
portal: applies the Portal RADIUS protocol, also called RADIUS+, V1.1, to the server.

Views
RADIUS view

Default Level
2: Configuration level

Usage Guidelines
By default, the server adopts the standard RADIUS protocol.
You can modify this setting only when the RADIUS server template is not in use.

Examples
# Apply the RADIUS+ protocol to the server.
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1] radius-server type portal

Related Topics
2.13.3 display radius-server configuration

2.13.15 radius-server user-name domain-included

Function
Using the radius-server user-name domain-included command, you can configure the user name
sent to the RADIUS server to include the domain name.
Using the undo radius-server user-name domain-included command, you can cancel the
setting.

Format
radius-server user-name domain-included

undo radius-server user-name domain-included

Parameters
None

Views
RADIUS view

Default Level
2: Configuration level

Usage Guidelines
By default, the user name contains the domain name.
You can modify this setting only when the RADIUS server template is not in use.

Examples
# Set the user name excluding the domain name.
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1] undo radius-server user-name domain-included

Related Topics
2.13.3 display radius-server configuration

2.13.16 reset radius-server accounting-stop-packet

Function
Using the reset radius-server accounting-stop-packet command, you can reset the statistics
of accounting stop packets.

Format
reset radius-server accounting-stop-packet { all | ip ip-address }

Parameters
all: resets the statistics of all accounting stop packets.
ip ip-address: resets the statistics of the accounting stop packets containing specified IP
addresses. The IP address is in dotted decimal format.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Reset the statistics of all accounting stop packets.
<Eudemon> reset radius-server accounting-stop-packet all

Related Topics
2.13.2 display radius-server accounting-stop-packet

2.14 HWTACACS Server Configuration Commands


2.14.1 debugging hwtacacs
2.14.2 display hwtacacs-server accounting-stop-packet
2.14.3 display hwtacacs-server template
2.14.4 hwtacacs-server accounting
2.14.5 hwtacacs-server accounting-stop-packet
2.14.6 hwtacacs-server authentication
2.14.7 hwtacacs-server authorization
2.14.8 hwtacacs-server shared-key
2.14.9 hwtacacs-server source-ip
2.14.10 hwtacacs-server template
2.14.11 hwtacacs-server timer quiet
2.14.12 hwtacacs-server timer response-timeout
2.14.13 hwtacacs-server traffic-unit
2.14.14 hwtacacs-server user-name domain-included
2.14.15 reset hwtacacs-server accounting-stop-packet
2.14.16 reset hwtacacs-server statistics

2.14.1 debugging hwtacacs

Function
Using the debugging hwtacacs command, you can enable HWTACACS server debugging.

Using the undo debugging hwtacacs command, you can disable HWTACACS server
debugging.

Format
debugging hwtacacs { all | error | event | message | receive-packet | send-packet }
undo debugging hwtacacs { all | error | event | message | receive-packet | send-packet }

Parameters
all: enables all HWTACACS debugging functions.
error: enables the error debugging.
event: enables the event debugging.
message: enables the message debugging.
receive-packet: enables the debugging on received packets.
send-packet: enables the debugging on sent packets.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, HWTACACS server debugging is disabled.

Examples
# Enable the HWTACACS event debugging.
<Eudemon> debugging hwtacacs event

2.14.2 display hwtacacs-server accounting-stop-packet

Function
Using the display hwtacacs-server accounting-stop-packet command, you can display the
accounting stop packets of the HWTACACS server.

Format
display hwtacacs-server accounting-stop-packet { all | number | ip ip-address }

Parameters
all: displays all accounting stop packets.

number: displays the specified number of accounting stop packets, counted from the first. It ranges
from 1 to 65535.
ip: displays the accounting stop packets containing specified IP addresses.
ip-address: specifies the IP address in dotted decimal format.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display all accounting stop packets.
<Eudemon> display hwtacacs-server accounting-stop-packet all

Related Topics
2.14.15 reset hwtacacs-server accounting-stop-packet

2.14.3 display hwtacacs-server template

Function
Using the display hwtacacs-server template command, you can view the HWTACACS server.

Format
display hwtacacs-server template [ template-name [ verbose ] ]

Parameters
template-name: specifies the name of an HWTACACS server template. It is a case-insensitive
string of 1 to 32 characters.
verbose: displays the statistics of the HWTACACS server in detail.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display all HWTACACS servers.
<Eudemon> display hwtacacs-server template
-----------------------------------------------------------
HWTACACS-server template name : 123
Primary-authentication-server : 0.0.0.0:0
Primary-authorization-server : 0.0.0.0:0
Primary-accounting-server : 0.0.0.0:0
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server : 0.0.0.0:0
Secondary-accounting-server : 0.0.0.0:0
Current-authentication-server : 0.0.0.0:0
Current-authorization-server : 0.0.0.0:0
Current-accounting-server : 0.0.0.0:0
Source-IP-address : 0.0.0.0
Shared-key : -
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : Yes
Traffic-unit : B
-------------------------------------------------------------
Are you sure to display more information (y/n)[y]:y
-------------------------------------------------------------
HWTACACS-server template name : test1
Primary-authentication-server : 1.1.11.1:49
Primary-authorization-server : 0.0.0.0:0
Primary-accounting-server : 1.1.1.1:49
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server : 1.1.1.1:12
Secondary-accounting-server : 0.0.0.0:0
Current-authentication-server : 1.1.11.1:49
Current-authorization-server : 1.1.1.1:12
Current-accounting-server : 1.1.1.1:49
Source-IP-address : 1.1.1.1
Shared-key : -
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : Yes
Traffic-unit : B
-------------------------------------------------------------
Total 2,2 printed

Related Topics
2.14.16 reset hwtacacs-server statistics

2.14.4 hwtacacs-server accounting

Function
Using the hwtacacs-server accounting command, you can configure the HWTACACS
accounting server.

Using the undo hwtacacs-server accounting command, you can cancel the configuration.

Format
hwtacacs-server accounting ip-address [ port ] [ secondary ]
undo hwtacacs-server accounting [ secondary ]

Parameters
ip-address: specifies the IP address of a server in dotted decimal format. It must be a valid unicast
address.
port: specifies the port number of a server in a range of 1 to 65535. Its default number is 49.
secondary: refers to the secondary server. Without the parameter, it refers to the primary server.

Views
HWTACACS view

Default Level
2: Configuration level

Usage Guidelines
By default, the IP address of the HWTACACS accounting server is the all-zeros address.
The IP address of the primary accounting server must differ from that of the secondary
accounting server; otherwise, the failure prompt is displayed.
In the case that this command is executed repeatedly, the new configuration overwrites the
previous one.
This server can be deleted only when it is not used in any active TCP connection for sending
the accounting packets. Deleting a server takes effect only on the subsequent packets.

Examples
# Configure the primary accounting server.
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1] hwtacacs-server accounting 10.163.155.12 49

Related Topics
2.14.6 hwtacacs-server authentication

2.14.5 hwtacacs-server accounting-stop-packet

Function
Using the hwtacacs-server accounting-stop-packet command, you can set whether
retransmitting accounting stop packets is permitted and the number of retransmitted accounting
stop packets.

Format
hwtacacs-server accounting-stop-packet resend { disable | enable number }

Parameters
disable: disables retransmitting accounting stop packets.
enable: enables retransmitting accounting stop packets.
number: specifies the number of retransmitted accounting stop packets. Its value ranges from 1
to 300.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, retransmission of accounting stop packets is enabled. The number of retransmitted
packets is 100.

Examples
# Enable retransmission of accounting stop packets and set the number of retransmitted packets
to 50 per time.
<Eudemon> system-view
[Eudemon] hwtacacs-server accounting-stop-packet resend enable 50

2.14.6 hwtacacs-server authentication

Function
Using the hwtacacs-server authentication command, you can configure the HWTACACS
authentication server.
Using the undo hwtacacs-server authentication command, you can cancel the configuration.

Format
hwtacacs-server authentication ip-address [ port ] [ secondary ]
undo hwtacacs-server authentication [ secondary ]

Parameters
ip-address: specifies the IP address of a server in dotted decimal format. It must be a valid unicast
address.
port: specifies the port number of the server in a range of 1 to 65535. It defaults to 49.

secondary: refers to the secondary server.

Views
HWTACACS view

Default Level
2: Configuration level

Usage Guidelines
By default, the IP address of the HWTACACS authentication server is the all-zeros address.
The IP address of the primary authentication server must differ from that of the secondary
authentication server; otherwise, the failure prompt is displayed.
In the case that the command is executed repeatedly, the new configuration will overwrite the
previous one.
This server can be deleted only when it is not used in any active TCP connection for sending
the authentication packets.

Examples
# Configure the primary authentication server.
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1] hwtacacs-server authentication 10.163.155.13 49

Related Topics
2.14.3 display hwtacacs-server template

2.14.7 hwtacacs-server authorization

Function
Using the hwtacacs-server authorization command, you can configure the HWTACACS
authorization server.
Using the undo hwtacacs-server authorization command, you can cancel the configuration.

Format
hwtacacs-server authorization ip-address [ port ] [ secondary ]
undo hwtacacs-server authorization [ secondary ]

Parameters
ip-address: specifies the IP address of a server in dotted decimal format. It must be a valid unicast
address.
port: specifies the port number of the server in a range of 1 to 65535. It defaults to 49.

secondary: refers to the secondary server.

Views
HWTACACS view

Default Level
2: Configuration level

Usage Guidelines
By default, the IP address of the HWTACACS authorization server is the all-zeros address.

The IP address of the primary authorization server must differ from that of the secondary
authorization server; otherwise, the failure prompt is displayed.

In the case that the command is executed repeatedly, the new configuration will overwrite the
previous one.

This server can be deleted only when it is not used in any active TCP connection for sending
the authorization packets.

Examples
# Configure the primary authorization server.
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1] hwtacacs-server authorization 10.163.155.13 49

Related Topics
2.14.3 display hwtacacs-server template

2.14.8 hwtacacs-server shared-key

Function
Using the hwtacacs-server shared-key command, you can set a shared key for the
HWTACACS server.

Using the undo hwtacacs-server shared-key command, you can remove the setting.

Format
hwtacacs-server shared-key key-string

undo hwtacacs-server shared-key

Parameters
key-string: specifies a shared key, a string of 1 to 16 characters.

Views
HWTACACS view

Default Level
2: Configuration level

Usage Guidelines
By default, the HWTACACS server is not set with any shared key.

Examples
# Set the shared key of the HWTACACS server as "hello".
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1] hwtacacs-server shared-key hello

Related Topics
2.14.3 display hwtacacs-server template

2.14.9 hwtacacs-server source-ip

Function
Using the hwtacacs-server source-ip command, you can assign a source IP address for the
HWTACACS server.
Using the undo hwtacacs-server source-ip command, you can cancel the configuration.

Format
hwtacacs-server source-ip ip-address
undo hwtacacs-server source-ip

Parameters
ip-address: specifies the IP address in dotted decimal format.

Views
HWTACACS view

Default Level
2: Configuration level

Usage Guidelines
By default, the source IP address of a packet is the IP address of the send port.

Examples
# Set the source IP address of the HWTACACS server to 10.1.1.1.
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1] hwtacacs-server source-ip 10.1.1.1

Related Topics
2.14.3 display hwtacacs-server template

2.14.10 hwtacacs-server template

Function
Using the hwtacacs-server template command, you can enter HWTACACS server view. If the
specified template does not exist, it is created with the specified name.
Using the undo hwtacacs-server template command, you can delete an HWTACACS server
template.

Format
hwtacacs-server template template-name
undo hwtacacs-server template template-name

Parameters
template-name: specifies the name of an HWTACACS server template, a string of 1 to 32
characters.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Create an HWTACACS server template with the name test1 and enter the corresponding view.
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1]

2.14.11 hwtacacs-server timer quiet


Function
Using the hwtacacs-server timer quiet command, you can set the quiet time for the primary
HWTACACS server.
Using the undo hwtacacs-server timer quiet command, you can restore the default setting.

Format
hwtacacs-server timer quiet value
undo hwtacacs-server timer quiet

Parameters
value: specifies the value of quiet time in a range of 1 to 255 minutes.

Views
HWTACACS view

Default Level
2: Configuration level

Usage Guidelines
By default, it takes 5 minutes for the primary server to return to the active state.

Examples
# Set the quiet time of the primary server before it returns to the active state to 10 minutes.
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1] hwtacacs-server timer quiet 10

Related Topics
2.14.3 display hwtacacs-server template

2.14.12 hwtacacs-server timer response-timeout

Function
Using the hwtacacs-server timer response-timeout command, you can set the response timeout
for the HWTACACS server.
Using the undo hwtacacs-server timer response-timeout command, you can restore the default
setting.

Format
hwtacacs-server timer response-timeout value


undo hwtacacs-server timer response-timeout

Parameters
value: specifies the value of response timeout in a range of 1 to 300 seconds.

Views
HWTACACS view

Default Level
2: Configuration level

Usage Guidelines
The default response timeout of the HWTACACS server is 5 seconds.

NOTE

Because HWTACACS is implemented based on TCP, either the response timeout or TCP timeout may
cause disconnection with the server.

Examples
# Set the response timeout of the HWTACACS server to 30 seconds.
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1] hwtacacs-server timer response-timeout 30

Related Topics
2.14.3 display hwtacacs-server template

2.14.13 hwtacacs-server traffic-unit

Function
Using the hwtacacs-server traffic-unit command, you can set the traffic unit for the
HWTACACS server.

Format
hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

Parameters
byte: takes byte as the traffic unit.
kbyte: takes kilobyte as the traffic unit.
mbyte: takes megabyte as the traffic unit.
gbyte: takes gigabyte as the traffic unit.


Views
HWTACACS view

Default Level
2: Configuration level

Usage Guidelines
By default, the traffic unit is byte.

Examples
# Set the traffic unit of the HWTACACS server as kilobyte.
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1] hwtacacs-server traffic-unit kbyte

2.14.14 hwtacacs-server user-name domain-included

Function
Using the hwtacacs-server user-name domain-included command, you can include the domain
name in the user name sent to the HWTACACS server.

Using the undo hwtacacs-server user-name domain-included command, you can cancel the
setting.

Format
hwtacacs-server user-name domain-included

undo hwtacacs-server user-name domain-included

Parameters
None

Views
HWTACACS view

Default Level
2: Configuration level

Usage Guidelines
By default, the user name contains the domain name.


Examples
# Set the user name including the domain name.
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1] hwtacacs-server user-name domain-included

2.14.15 reset hwtacacs-server accounting-stop-packet

Function
Using the reset hwtacacs-server accounting-stop-packet command, you can reset the statistics
of accounting stop packets.

Format
reset hwtacacs-server accounting-stop-packet { all | ip ip-address }

Parameters
all: resets the statistics of all accounting stop packets.
ip ip-address: resets the statistics of the accounting stop packets containing specified IP
addresses. The IP address is in dotted decimal format.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Reset the statistics of all accounting stop packets.
<Eudemon> reset hwtacacs-server accounting-stop-packet all

Related Topics
2.14.2 display hwtacacs-server accounting-stop-packet

2.14.16 reset hwtacacs-server statistics

Function
Using the reset hwtacacs-server statistics command, you can reset the statistics of an
HWTACACS server.


Format
reset hwtacacs-server statistics { all | accounting | authentication | authorization }

Parameters
all: resets all statistics.
accounting: resets the statistics of all HWTACACS accounting servers.
authentication: resets the statistics of all HWTACACS authentication servers.
authorization: resets the statistics of all HWTACACS authorization servers.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Reset the statistics of all HWTACACS authentication servers.
<Eudemon> reset hwtacacs-server statistics authentication

2.15 Domain Configuration Commands

2.15.1 access-limit
2.15.2 accounting-scheme (AAA Domain View)
2.15.3 acl-number
2.15.4 authentication-scheme (AAA Domain View)
2.15.5 authorization-scheme (AAA Domain View)
2.15.6 display domain
2.15.7 dns
2.15.8 domain
2.15.9 hwtacacs-server (AAA Domain View)
2.15.10 idle-cut
2.15.11 nbns
2.15.12 radius-server
2.15.13 state (AAA Domain View)
2.15.14 user-car (AAA Domain View)
2.15.15 user-priority
2.15.16 web-server

2.15.1 access-limit

Function
Using the access-limit command, you can set the maximum number of users that are allowed
to access, regardless of user type.

Using the undo access-limit command, you can restore the default setting of the maximum
number of the users that are allowed to access.

Format
access-limit max-number

undo access-limit

Parameters
max-number: specifies the maximum number of users that are allowed to access. The
minimum value is 1 and the maximum value varies by product.

Views
AAA Domain view

Default Level
2: Configuration level

Usage Guidelines
By default, the maximum value depends on the specific product.

Examples
# Set the maximum number of the access users to 100.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] access-limit 100

2.15.2 accounting-scheme (AAA Domain View)


Function
Using the accounting-scheme command, you can configure an accounting scheme for the
current domain.
Using the undo accounting-scheme command, you can delete the accounting scheme of the
current domain and restore the default setting.

Format
accounting-scheme scheme-name
undo accounting-scheme

Parameters
scheme-name: specifies the name of an accounting scheme, a string of 1 to 32 characters, case
insensitive, following the naming criterion of Windows, that is, excluding such characters as
\, /, :, *, ?, ", <, and >.

Views
AAA Domain view

Default Level
2: Configuration level

Usage Guidelines
By default, domains adopt the system accounting scheme.

Examples
# Apply the accounting scheme test to the current domain.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] accounting-scheme test

# Delete the accounting scheme of the current domain and restore the default setting.
[Eudemon-aaa-domain-mydomain] undo accounting-scheme

2.15.3 acl-number

Function
Using the acl-number command, you can apply an ACL to the current domain.
Using the undo acl-number command, you can delete an ACL from the domain.

Format
acl-number number


undo acl-number

Parameters
number: specifies the number of an ACL in a range of 2000 to 3999. That is, basic ACLs
and advanced ACLs are available.

Views
AAA Domain view

Default Level
2: Configuration level

Usage Guidelines
By default, no ACL is set.

The ACL applied in the domain takes effect on all the users accessing through this domain. In
addition, a domain can use only one ACL, so a newly configured ACL overwrites the
previous one.

Examples
# Apply ACL 2010 to the current domain.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] acl-number 2010

2.15.4 authentication-scheme (AAA Domain View)

Function
Using the authentication-scheme command, you can configure an authentication scheme for the
current domain.

Using the undo authentication-scheme command, you can restore the default setting.

Format
authentication-scheme scheme-name

undo authentication-scheme

Parameters
scheme-name: specifies the name of an authentication scheme, a string of 1 to 32 characters,
case insensitive, following the naming criterion of Windows, that is, excluding such characters
as \, /, :, *, ?, ", < and >.


Views
AAA Domain view

Default Level
2: Configuration level

Usage Guidelines
By default, domains adopt the system authentication scheme.

Examples
# Apply the authentication scheme test to the current domain.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] authentication-scheme test

# Restore the default authentication scheme.
[Eudemon-aaa-domain-mydomain] undo authentication-scheme

2.15.5 authorization-scheme (AAA Domain View)

Function
Using the authorization-scheme command, you can configure an authorization scheme for the
current domain.

Using the undo authorization-scheme command, you can restore the default setting.

Format
authorization-scheme scheme-name

undo authorization-scheme

Parameters
scheme-name: specifies the name of an authorization scheme, a string of 1 to 32 characters, case
insensitive, on the basis of the naming criterion of Windows, that is, excluding such characters
as \, /, :, *, ?, ", < and >.

Views
AAA Domain view

Default Level
2: Configuration level


Usage Guidelines
By default, domains adopt the system authorization scheme.

Examples
# Apply the authorization scheme test to the current domain.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] authorization-scheme test

# Restore the default authorization scheme.
[Eudemon-aaa-domain-mydomain] undo authorization-scheme

2.15.6 display domain

Function
Using the display domain command, you can view the configuration of a domain, including:
• The domain name
• Status
• Accounting scheme
• Authentication scheme
• CAR index
• Idle-cut data
• Default user priority
• Maximum number of access users
• Number of online users
• Index number

Format
display domain [ domain-name ]

Parameters
domain-name: specifies the name of a domain. It is a case insensitive string of 1 to 20 characters.

Views
All views

Default Level
1: Monitoring level


Usage Guidelines
If no domain is specified, the configuration of all existing domains is displayed.

NOTE

If no domain is specified in domain view, the detailed configuration of the current domain is displayed.

Examples
# Display the configuration of all existing domains.
<Eudemon> display domain
-----------------------------------------------------------------------
DomainName State CAR Access-limit Online
-----------------------------------------------------------------------
default Active 0 6128 0
mydomain Active 0 6128 0
-----------------------------------------------------------------------
Total 2,2 printed

Related Topics
2.15.8 domain

2.15.7 dns

Function
Using the dns command, you can specify a DNS server for the current domain.

Using the undo dns command, you can remove the DNS server from the current domain.

Format
dns { primary-ip | second-ip } ip-address

undo dns { primary-ip | second-ip }

Parameters
primary-ip: sets the primary DNS server.

second-ip: sets the secondary DNS server.

ip-address: specifies the IP address of the DNS server in dotted decimal format. It must be a
valid unicast address.

Views
AAA Domain view

Default Level
2: Configuration level


Usage Guidelines
By default, a domain is not configured with any DNS server.

Examples
# Set the server at 10.1.1.1 as the primary DNS server of the current domain.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] dns primary-ip 10.1.1.1

# Remove the primary DNS server.
[Eudemon-aaa-domain-mydomain] undo dns primary-ip

2.15.8 domain

Function
Using the domain command, you can set up a domain and enter the corresponding view.
Using the undo domain command, you can delete a domain.

Format
domain domain-name
undo domain domain-name

Parameters
domain-name: specifies the name of a domain, a string of 1 to 20 characters, excluding such
characters as \, /, :, *, ?, ", < and >, case insensitive.

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
The system supports up to 128 domains.
There is a default domain and each domain is in the "active" state after being created.

Examples
# Specify the domain called mydomain and enter the corresponding view.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain]

# Delete the domain mydomain.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] undo domain mydomain

2.15.9 hwtacacs-server (AAA Domain View)

Function
Using the hwtacacs-server command, you can configure an HWTACACS server template for
the current domain.
Using the undo hwtacacs-server command, you can delete the server template.

Format
hwtacacs-server template-name
undo hwtacacs-server

Parameters
template-name: specifies the name of an HWTACACS server template, a string of 1 to 32
characters, case insensitive, on the basis of the naming criterion of Windows, that is, excluding
such characters as \, /, :, *, ?, ", < and >.

Views
AAA domain view

Default Level
2: Configuration level

Usage Guidelines
The HWTACACS server template used by the domain must exist before you configure it for the domain.

Examples
# Configure the HWTACACS server template named mytemplate for the current domain.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] hwtacacs-server mytemplate

# Remove the server template from the domain.
[Eudemon-aaa-domain-mydomain] undo hwtacacs-server

2.15.10 idle-cut


Function
Using the idle-cut command, you can set the parameters to disconnect the idle users in the current
domain.

Using the undo idle-cut command, you can disable the function.

Format
idle-cut cut-time-length cut-data-length

undo idle-cut

Parameters
cut-time-length: refers to the online time of idle users, in a range of 1 to 120 minutes.

cut-data-length: A user is regarded as idle when the user's traffic is less than this value. It is
in a range of 0 to 768000 bytes.

Views
AAA Domain view

Default Level
2: Configuration level

Usage Guidelines
By default, the idle-cut function is disabled in a domain. When the user traffic is less than 60
bytes, the user is considered idle.

Examples
# Set the maximum online time of the idle users to 60 minutes and the minimum flow to 500
bytes.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] idle-cut 60 500

# Disable the function.
[Eudemon-aaa-domain-mydomain] undo idle-cut

2.15.11 nbns

Function
Using the nbns command, you can specify an NBNS name server for the current domain.

Using the undo nbns command, you can delete an NBNS name server of the current domain.


Format
nbns { primary-ip | second-ip } ip-address

undo nbns { primary-ip | second-ip }

Parameters
primary-ip: specifies the primary NBNS name server.

second-ip: specifies the secondary NBNS name server.

ip-address: refers to the IP address of the NBNS name server in dotted decimal format. It must
be a valid unicast address.

Views
AAA Domain view

Default Level
2: Configuration level

Usage Guidelines
By default, no NBNS name server is configured for any domain.

Examples
# Specify the server at 10.1.1.1 as the NBNS name server of the current domain.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] nbns primary-ip 10.1.1.1

# Delete the NBNS name server of the domain.
[Eudemon-aaa-domain-mydomain] undo nbns primary-ip

2.15.12 radius-server

Function
Using the radius-server command, you can set a RADIUS server template for the current
domain.

Using the undo radius-server command, you can delete the specified server template.

Format
radius-server template-name

undo radius-server


Parameters
template-name: refers to the name of a RADIUS server template, a string of 1 to 32 characters,
case insensitive, on the basis of the naming criterion of Windows, that is, excluding such
characters as \, /, :, *, ?, ", < and >.

Views
AAA Domain view

Default Level
2: Configuration level

Usage Guidelines
The RADIUS server template used by the domain must exist before you configure it for the domain.

Examples
# Configure the RADIUS server template named radius-server-163 for the current domain.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] radius-server radius-server-163

# Remove the server template from the domain.
[Eudemon-aaa-domain-mydomain] undo radius-server

2.15.13 state (AAA Domain View)

Function
Using the state command, you can set the state of the current domain.

Format
state { active | block }

Parameters
active: sets the domain to be in the active state.
block: sets the domain to be in the block state.

Views
AAA domain view

Default Level
2: Configuration level


Usage Guidelines
By default, a domain is in the active state after being created.

Examples
# Set the current domain to be in the block state.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] state block

2.15.14 user-car (AAA Domain View)

Function
Using the user-car command, you can set the traffic control level for the current domain.
Using the undo user-car command, you can restore the default setting of the traffic control level
for the current domain.

Format
user-car level
undo user-car

Parameters
level: refers to the level of CAR in a range of 1 to 30.

Views
AAA domain view

Default Level
2: Configuration level

Usage Guidelines
By default, no traffic control level is specified for a domain.

Examples
# Set the traffic control level of the current domain to 3.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] user-car 3

# Restore the default traffic control level, that is, 0.
[Eudemon-aaa-domain-mydomain] undo user-car


2.15.15 user-priority

Function
Using the user-priority command, you can set a priority for an access user in the current domain.

Using the undo user-priority command, you can restore the default setting of the priority for
an access user in the current domain.

Format
user-priority level

undo user-priority

Parameters
level: specifies the priority of a user in the range 0 through 7.

Views
AAA Domain view

Default Level
2: Configuration level

Usage Guidelines
By default, the user priority is not specified.

Examples
# Set the priority of the access user to 7.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] user-priority 7

# Restore the default priority of the access user.
[Eudemon-aaa-domain-mydomain] undo user-priority

2.15.16 web-server

Function
Using the web-server command, you can specify the IP address of a Web server for the
current domain.

Using the undo web-server command, you can remove the Web server IP address setting
from the current domain.


Format
web-server ip-address

undo web-server

Parameters
ip-address: refers to the IP address of a Web server in dotted decimal format.

Views
AAA domain view

Default Level
2: Configuration level

Usage Guidelines
By default, no Web server IP address is set for any domain.

Examples
# Specify the IP address of a Web server for the current domain.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] web-server 10.10.1.11
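
The following is an added example, not part of the original command reference or of any Huawei tool: a Python review script that checks a command listing against the value ranges stated in sections 2.14.8 to 2.15.15 and against the rule in 2.15.9 that a template must exist before a domain uses it. It assumes the listing is written as in this page's examples (prompts optional), that views are left with the quit command, and, as a review policy of this example only, it reports a domain whose HWTACACS template has no shared key.

```python
import re

FORBIDDEN = set('\\/:*?"<>')  # characters the page excludes from names
PROMPT = re.compile(r'^\s*(?:<[^>]*>|\[[^\]]*\])\s*')  # <Eudemon>, [Eudemon-aaa]
PARENT = {"hwtacacs": "system", "aaa": "system", "domain": "aaa"}

# (view, command words) -> inclusive ranges of the integer arguments, as
# documented in 2.14.11, 2.14.12, 2.15.3, 2.15.10, 2.15.14 and 2.15.15.
INT_ARGS = {
    ("hwtacacs", "hwtacacs-server timer quiet"): [(1, 255)],
    ("hwtacacs", "hwtacacs-server timer response-timeout"): [(1, 300)],
    ("domain", "acl-number"): [(2000, 3999)],
    ("domain", "idle-cut"): [(1, 120), (0, 768000)],
    ("domain", "user-car"): [(1, 30)],
    ("domain", "user-priority"): [(0, 7)],
}

# Constructed sample input, not taken from a real device.
SAMPLE = """\
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1] hwtacacs-server shared-key hello
[Eudemon-hwtacacs-test1] hwtacacs-server timer quiet 10
[Eudemon-hwtacacs-test1] hwtacacs-server timer response-timeout 301
[Eudemon-hwtacacs-test1] quit
[Eudemon] hwtacacs-server template test2
[Eudemon-hwtacacs-test2] quit
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] hwtacacs-server test2
[Eudemon-aaa-domain-mydomain] idle-cut 60 500
[Eudemon-aaa-domain-mydomain] acl-number 4000
[Eudemon-aaa-domain-mydomain] quit
[Eudemon-aaa] domain branch
[Eudemon-aaa-domain-branch] hwtacacs-server mytemplate
"""


def name_ok(name, max_len):
    """Length and character rule the page gives for domain names."""
    return 1 <= len(name) <= max_len and not set(name) & FORBIDDEN


def lint(config_text):
    """Return sorted (line_number, message) findings for a command listing."""
    findings, view, current = [], "system", None
    templates = {}  # template name (lower case) -> True once a shared key is set
    bound = []      # (line_number, domain, template) seen in AAA domain view
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = PROMPT.sub("", raw).strip()
        if not line or line.startswith("#"):
            continue
        w = line.split()
        if w[0] == "system-view":
            view = "system"
        elif w[0] == "quit":  # assumption: quit returns to the parent view
            view = PARENT.get(view, "system")
        elif view == "system" and w[0] == "aaa":
            view = "aaa"
        elif view == "system" and w[:2] == ["hwtacacs-server", "template"] and len(w) == 3:
            view, current = "hwtacacs", w[2].lower()
            templates.setdefault(current, False)
            if not 1 <= len(w[2]) <= 32:
                findings.append((n, "template-name must be 1 to 32 characters"))
        elif view == "aaa" and w[0] == "domain" and len(w) == 2:
            view, current = "domain", w[1].lower()
            if not name_ok(w[1], 20):
                findings.append((n, "domain-name must be 1 to 20 allowed characters"))
        elif view == "hwtacacs" and w[:2] == ["hwtacacs-server", "shared-key"] and len(w) == 3:
            templates[current] = True
            if not 1 <= len(w[2]) <= 16:
                findings.append((n, "key-string must be 1 to 16 characters"))
        elif view == "hwtacacs" and w == ["undo", "hwtacacs-server", "shared-key"]:
            templates[current] = False
        elif view == "domain" and w[0] == "hwtacacs-server" and len(w) == 2:
            if w[1].lower() in templates:
                bound.append((n, current, w[1].lower()))
            else:
                findings.append((n, f"template {w[1]} does not exist yet"))
        else:
            for (v, cmd), ranges in INT_ARGS.items():
                cw = cmd.split()
                if v == view and w[:len(cw)] == cw:
                    args = w[len(cw):]
                    ok = len(args) == len(ranges) and all(
                        a.isdigit() and lo <= int(a) <= hi
                        for a, (lo, hi) in zip(args, ranges))
                    if not ok:
                        findings.append((n, f"{cmd}: argument outside documented range"))
    for n, domain, tpl in bound:
        if not templates.get(tpl):  # review policy of this example, not a CLI rule
            findings.append((n, f"domain {domain}: template {tpl} has no shared key"))
    return sorted(findings)


if __name__ == "__main__":
    for number, message in lint(SAMPLE):
        print(f"line {number}: {message}")
```
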

2.16 Local User Configuration Commands

2.16.1 cut access-user (AAA View)
2.16.2 display access-user
2.16.3 display local-user
2.16.4 local-user access-limit
2.16.5 local-user callback-nocheck
2.16.6 local-user callback-number
2.16.7 local-user call-number
2.16.8 local-user ftp-directory
2.16.9 local-user idle-cut
2.16.10 local-user level
2.16.11 local-user mac-address
2.16.12 local-user password
2.16.13 local-user service-type
2.16.14 local-user state
2.16.15 local-user user-car
2.16.16 vlan-batch user access-limit
2.16.17 vlan-batch user acl-number
2.16.18 vlan-batch user idle-cut
2.16.19 vlan-batch user interface
2.16.20 vlan-batch user service-type
2.16.21 vlan-batch user state
2.16.22 vlan-batch user user-car

2.16.1 cut access-user (AAA View)

Function
Using the cut access-user command, you can disconnect one or multiple users.

Format
cut access-user { domain domain-name | interface interface-type interface-number [ vlan-id
vlan-id ] | ip-address ip-address | mac-address mac-address | user-id start-id [ end-id ] |
username { local | hwtacacs | radius | none | all } [ user-name ] }

Parameters
domain: disconnects all the user access of a domain.
domain-name: specifies a domain name with 1 to 20 characters. The value is case insensitive.
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.
vlan-id: specifies a VLAN ID in a range of 1 to 4094 and disconnects user access of the VLAN.
ip-address: disconnects user access according to user's IP address.
ip-address: specifies an IP address in dotted decimal notation.
mac-address: disconnects user access according to user's MAC address.
mac-address: specifies a MAC address in the format of H-H-H.
user-id: disconnects user access according to user index.
start-id: specifies the start index number. The minimum value is 0 while the maximum value
depends on the product used.
end-id: specifies the ending index number. The minimum value is 0 while the maximum value
depends on the product used. The value must be greater than the start index number.


username: disconnects user access according to the user name.
all: disconnects all user accesses.
local: disconnects users who are authenticated in local mode.
hwtacacs: disconnects users who are authenticated in HWTACACS mode.
radius: disconnects users who are authenticated in RADIUS mode.
none: disconnects users who are not authenticated.
user-name: specifies a user name in the format of "username@domain name", a string of 1 to
64 characters. The value is case insensitive.

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
If multiple eligible connections exist, they are released at the same time according to the user
name and authentication mode.

NOTE

• The cut access-user interface and cut access-user mac-address commands take effect on PPP users only.
• Before using the cut access-user user-id command to tear down a user connection, you need to view the user ID with the display access-user command.

Examples
# Disconnect user access according to the user name.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] cut access-user username local user0
[Eudemon-aaa] cut access-user username radius user0
[Eudemon-aaa] cut access-user username none user0
[Eudemon-aaa] cut access-user username all user0

# Disconnect users in the domain "mydomain".
[Eudemon-aaa] cut access-user domain mydomain

# Disconnect user with IP address 10.10.1.1.
[Eudemon-aaa] cut access-user ip-address 10.10.1.1

Related Topics
2.16.2 display access-user

2.16.2 display access-user


Function
Using the display access-user command, you can view user access information.

Format
display access-user [ domain domain-name | ip-address ip-address | mac-address mac-address |
user-id user-id | username user-name ]

Parameters
domain: displays all the user access of a domain.
domain-name: specifies a domain name, a string of 1 to 20 characters. The value is case
insensitive.
ip-address: displays user access according to user's IP address.
ip-address: specifies an IP address in dotted decimal notation.
mac-address: displays user access according to user's MAC address.
mac-address: specifies a MAC address in the format of H-H-H.
user-id: displays user access according to user index. It does not differentiate the user status.
user-id: specifies a user index number. The minimum value is 0. The maximum value is related
to the product being used.
username: displays user access according to the user name.
user-name: specifies a user name in the format of "username@domain name" with 1 to 64
characters. The value is case insensitive.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
When you specify the username, user ID, IP address, or MAC address, you will view a specific
connection in detail, including:
• User access ID
• User name
• Port number
• Authentication mode configured
• Authentication mode used
• Accounting mode
• The IP address
• The MAC address
• Access time
• ACL number
• CAR parameter
• Traffic information
• Starting idle time
• Idle-cut data

When you specify a domain, you will view the access of the domain in brief, including:
• User access ID
• User name
• IP address
• MAC address

Examples
# Display the detailed information about connection of a user with user ID 1. In this example,
user with ID 1 is offline.
<Eudemon> display access-user user-id 1
---------------------------------------------------------------
User access index : 1
State : Unused
User name :
User access VLAN/PVC : 4095
User MAC : ffff-ffff-ffff
User access type : Invalid
User authentication type : Invalid
Current authen method : Invalid
Authen result : Failure
Current author method : Invalid
Author result : Failure
Action flag : Idle
Authen state : Idle
Author state : Idle
Accounting method : Invalid
Accounting start time : 1970-01-01 00:00:00
Accounting state : Idle
Up packets number(high,low) : (0,0)
Up bytes number(high,low) : (0,0)
Down packets number(high,low) : (0,0)
Down bytes number(high,low) : (0,0)
----------------------------------------------------------------

# Display the access of all users.
<Eudemon> display access-user
-------------------------------------------------------------
Total users : 0
Wait authen-ack : 0
Authentication success : 0
Accounting ready : 0
Accounting state : 0
Wait leaving-flow-query : 0
Wait accounting-start : 0
Wait accounting-stop : 0
Wait authorization-client : 0
Wait authorization-server : 0
------------------------------------------------------------
Domain-name Online-user
------------------------------------------------------------
default : 0
mydomain : 0
------------------------------------------------------------
The used CID table are :
------------------------------------------------------------

Related Topics
2.16.1 cut access-user (AAA View)

2.16.3 display local-user

Function
Using the display local-user command, you can view the attributes of local users.

Format
display local-user [ domain domain-name | username user-name ]

Parameters
domain: displays all users in a specified domain.
domain-name: refers to the domain name, a string of 1 to 20 characters. The domain name should
not contain such characters as \, /, :, * , ?, ", | and @.
username: displays the user with a specified user name.
user-name: specifies the user name. It is a case-insensitive string of 1 to 64 characters. The name
should not contain such characters as \, /, :, * , ?, ", | and @.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
By executing this command, you can:
- View all users in brief if no optional parameter is specified.
- View the attributes of a user in detail, including the user status, CAR level and idle-cut
  data, by specifying the keyword username.
- View users in brief by specifying the other keyword, domain.

Examples
# Display all the local users in brief.
<Eudemon> display local-user
----------------------------------------------------------------
Username State Type CAR Access-limit Online
----------------------------------------------------------------
aaa@163 Active All Dft 1 0
aaa Active All Dft No 0
----------------------------------------------------------------
Total 2,2 printed

# Display the local user aaa in detail.


<Eudemon> display local-user username aaa
--------------------------------------------------------------
Username : aaa
Password :
State : Active
Service-type : All
ACL-number : -
User-CAR : -
Idle-cut : No
Access-limit : No
Online-number : 0
MAC-address : -
User-level : 0
FTP-directory : -
Call-number : -
Callback-check : Yes
Callback-number : -
------------------------------------------------------------

2.16.4 local-user access-limit

Function
Using the local-user access-limit command, you can set the maximum number of the
connections that a user can set up.

Using the undo local-user access-limit command, you can cancel the limitation.

Format
local-user user-name access-limit max-number

undo local-user user-name access-limit

Parameters
user-name: specifies a user name, a string of 1 to 64 characters.

max-number: specifies the maximum number of the users allowed to access. The minimum value
is 1, while the maximum number varies from product to product.

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
By default, no limitation is set.

Generally, a user account can set up multiple accesses, for example, 16 accesses through a VLAN
or even more. However, in some PPP modes, it is recommended that you allow only one access per
user. Make sure that the number complies with the carrier's configuration.

When a local user has already set up connections, the new access limit must be compatible
with them; otherwise, the setting fails. Specifically, if the local user has set up n (n≥1)
connections and the new access limit is m (m<n), the modification fails.

If necessary, use the cut access-user command to disconnect some connections first so that the
modification can succeed.

The number of accesses that a user can set up is limited by the system capacity, the access limit
of the domain where the user resides, and the user's own access limit. The smallest of these
values is the one that takes effect.

Examples
# Set the maximum number of the connections that the local user hello@163.net can set up to
5.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user hello@163.net access-limit 5

Related Topics
2.16.1 cut access-user (AAA View)
2.16.16 vlan-batch user access-limit

2.16.5 local-user callback-nocheck

Function
Using the local-user callback-nocheck command, you can disable the check of the callback.

Using the undo local-user callback-nocheck command, you can cancel this attribute.

Format
local-user user-name callback-nocheck

undo local-user user-name callback-nocheck

Parameters
user-name: specifies a user name, a string of 1 to 64 characters.

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
By default, this attribute is not set.

For the related command, see local-user related commands.

Examples
# Disable the check of the callback from the local user hello@163.net.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user hello@163.net callback-nocheck

2.16.6 local-user callback-number

Function
Using the local-user callback-number command, you can set a callback number for a local
user.

Using the undo local-user callback-number command, you can delete the callback number.

Format
local-user user-name callback-number callback-number

undo local-user user-name callback-number

Parameters
user-name: specifies a user name, a string of 1 to 64 characters.

callback-number: specifies the callback number, a string of 1 to 64 characters.

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
By default, no callback number is set.

For the related command, see local-user related commands.

Examples
# Set the callback number of the local user hello@163.net to 123445.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user hello@163.net callback-number 123445

2.16.7 local-user call-number

Function
Using the local-user call-number command, you can set an ISDN calling number for a local
user.
Using the undo local-user call-number command, you can cancel the ISDN calling number.

Format
local-user user-name call-number call-number [ : subcall-number ]
undo local-user user-name call-number

Parameters
user-name: specifies the user name, a string of 1 to 64 characters.
call-number: specifies the calling number, a character string. The maximum length is 64
characters.
subcall-number: specifies the subcalling number. The maximum length of the calling number
together with the subcalling number is 62.

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
By default, no ISDN calling number is configured.

Examples
# Set the ISDN calling number of the local user hello@163.net to 12345.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user hello@163.net call-number 12345

2.16.8 local-user ftp-directory

Function
Using the local-user ftp-directory command, you can set an FTP directory for a local user.
Using the undo local-user ftp-directory command, you can cancel the setting.

Format
local-user user-name ftp-directory directory
undo local-user user-name ftp-directory

Parameters
user-name: specifies the user name, a string of 1 to 64 characters.
directory: specifies the directory that the user can access, a string of 1 to 64 characters.

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
By default, no FTP directory is set for users.

Examples
# Set the FTP directory flash:/ to the local user hello@163.net.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user hello@163.net ftp-directory flash:/

2.16.9 local-user idle-cut

Function
Using the local-user idle-cut command, you can enable idle-cut for a local user.
Using the undo local-user idle-cut command, you can disable the function.

Format
local-user user-name idle-cut
undo local-user user-name idle-cut

Parameters
user-name: specifies the user name, a string of 1 to 64 characters, excluding the wildcards.

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
By default, this function is disabled.
Whether a user is in the idle state depends on the configuration of the domain to which the user
belongs.

Examples
# Enable the idle-cut to the local user hello@163.net.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user hello@163.net idle-cut

Related Topics
2.15.10 idle-cut
2.16.18 vlan-batch user idle-cut

2.16.10 local-user level

Function
Using the local-user level command, you can set a priority for a local user.
Using the undo local-user level command, you can cancel the setting.

Format
local-user user-name level level
undo local-user user-name level

Parameters
user-name: specifies the user name, a string of 1 to 64 characters.
level: specifies the priority of the user, in a range of 0 to 3.

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
For the related command, see local-user related commands.

Examples
# Set the priority of the local user hello@163.net to 3.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user hello@163.net level 3

2.16.11 local-user mac-address

Function
Using the local-user mac-address command, you can access a local user by specifying his MAC
address.
Using the undo local-user mac-address command, you can cancel the configuration.

Format
local-user user-name mac-address mac-address
undo local-user user-name mac-address

Parameters
user-name: specifies the user name, a string of 1 to 64 characters.
mac-address: specifies the MAC address of the user in the format of H-H-H.

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
By default, no MAC address is specified.

Examples
# Access the local user hello@163.net at 22ec-0533-7788.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user hello@163.net mac-address 22ec-0533-7788

Related Topics
2.16.4 local-user access-limit

2.16.1 cut access-user (AAA View)


2.16.16 vlan-batch user access-limit

2.16.12 local-user password

Function
Using the local-user password command, you can add a local user.
Using the undo local-user command, you can delete a local user.

Format
local-user user-name [ password { simple | cipher } password ]
undo local-user user-name

Parameters
user-name: specifies the user name, a character string. The part before @ is the user name and
the part after is the domain name; without @, it is the user name only and the default domain is
adopted.
simple: displays the password in plain text.
cipher: displays the password in cipher text.
password: specifies the password, a case-sensitive string of 1 to 16 characters in simple mode or 24
characters in cipher mode. It cannot contain command-line special characters such as the space and
the question mark.

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
A local user can be deleted only when the user has no active connections. If the user has, use the
local-user state block command to block the user so that subsequent authentication requests are
rejected.
Up to 1000 local users can be set in the system. For the related commands, see vlan-batch
user related commands.

Examples
# Add a local user with the name hello@163.net.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user hello@163.net password cipher hello

# Delete the local user hello@163.net.

[Eudemon-aaa] undo local-user hello@163.net

Related Topics
2.16.3 display local-user

2.16.13 local-user service-type

Function
Using the local-user service-type command, you can set an access type for a local user.

Using the undo local-user service-type command, you can restore the default setting.

Format
local-user user-name service-type { auth | bind | ftp | ppp | ssh | telnet | terminal | web | web_auth } *

undo local-user user-name service-type

Parameters
user-name: specifies the user name, a string of 1 to 64 characters, excluding the wildcards.

auth: indicates pre-authenticated users.

bind: indicates binding authentication users.

ftp: indicates FTP users.

ppp: indicates PPP users.

ssh: indicates SSH users.

telnet: indicates Telnet users, who are usually network administrators.

terminal: indicates terminal users.

web: indicates Web management users.

web_auth: indicates Web authentication users.

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
By default, all access types are available for local users.

Examples
# Set the local user hello@163.net to access through SSH.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user hello@163.net service-type ssh
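
The following audit of local-user settings is an added example, not part of the Huawei reference. It reads local-user commands in the syntax documented above, with or without the [Eudemon-aaa] prompt, and reports accounts whose password is kept in simple text, that keep the default of all access types, or that have no idle-cut or access limit. The sample configuration, the finding names and the function names are constructed for illustration.

```python
# Added example: audit local-user commands taken from an Eudemon AAA configuration.
# Command keywords follow the Format lines on this page; SAMPLE_CONFIG is constructed.

CLEARTEXT_SERVICES = {"ftp", "telnet"}   # these protocols send credentials unencrypted
FORBIDDEN_CHARS = set('\\/:*?"|@')       # characters the page disallows in names
DEFAULT_DOMAIN = "default"               # domain listed in the display access-user output

SAMPLE_CONFIG = """\
local-user hello@163.net password cipher PLACEHOLDER-CIPHERTEXT
local-user hello@163.net service-type ssh
local-user hello@163.net idle-cut
local-user hello@163.net access-limit 5
local-user ops password simple constructed-pw
local-user ops service-type telnet ftp
[Eudemon-aaa] local-user guest@lease password simple constructed-pw
[Eudemon-aaa] local-user guest@lease state block
"""


def split_user(name):
    """Return (user, domain); without '@' the default domain is adopted."""
    user, sep, domain = name.partition("@")
    return user, (domain if sep else DEFAULT_DOMAIN)


def parse_local_users(config_text):
    """Collect the attributes set by local-user commands, keyed by user name."""
    users = {}
    for raw in config_text.splitlines():
        tok = raw.split()
        if tok and tok[0].startswith("["):      # drop a CLI prompt such as [Eudemon-aaa]
            tok = tok[1:]
        if len(tok) < 2 or tok[0] != "local-user":
            continue
        user = users.setdefault(tok[1], {
            "password_mode": None, "services": set(), "idle_cut": False,
            "access_limit": None, "state": "active"})   # defaults as stated on the page
        attr, args = (tok[2], tok[3:]) if len(tok) > 2 else (None, [])
        if attr == "password" and args:
            user["password_mode"] = args[0]             # simple | cipher
        elif attr == "service-type":
            user["services"] = set(args)
        elif attr == "idle-cut":
            user["idle_cut"] = True
        elif attr == "access-limit" and args and args[0].isdigit():
            user["access_limit"] = int(args[0])
        elif attr == "state" and args:
            user["state"] = args[0]                     # active | block
    return users


def audit(users):
    """Return (user-name, finding) pairs, ordered by user name."""
    findings = []
    for name, u in sorted(users.items()):
        user, domain = split_user(name)
        valid_length = 1 <= len(name) <= 64 and user and 1 <= len(domain) <= 20
        if not valid_length or FORBIDDEN_CHARS & set(user + domain):
            findings.append((name, "invalid-name"))
        if u["password_mode"] == "simple":
            findings.append((name, "plaintext-password"))
        if u["state"] == "block":
            continue    # new authentication requests are rejected for this account
        if not u["services"]:
            findings.append((name, "all-service-types"))    # the documented default
        for service in sorted(u["services"] & CLEARTEXT_SERVICES):
            findings.append((name, f"cleartext-service:{service}"))
        if not u["idle_cut"]:
            findings.append((name, "no-idle-cut"))
        if u["access_limit"] is None:
            findings.append((name, "no-access-limit"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_local_users(SAMPLE_CONFIG)):
        print(f"{name}: {finding}")
```

A blocked account is still reported for a simple-text password because the password remains readable in the configuration, and blocking does not end connections that are already online.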

2.16.14 local-user state

Function
Using the local-user state command, you can set the state of a local user.

Format
local-user user-name state { active | block }

Parameters
user-name: specifies the user name, a string of 1 to 64 characters, excluding the wildcards.
active: activates the local user and then the router accepts the authentication request from him
for further processing.
block: deactivates the local user and then the router rejects the authentication request from him.

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
The block command takes effect on the subsequent authentication requests from the user instead
of the previous online connections.

Examples
# Activate the local user hello@163.net.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user hello@163.net state active

Related Topics
2.16.3 display local-user
2.16.1 cut access-user (AAA View)

2.16.15 local-user user-car

Function
Using the local-user user-car command, you can set a traffic control level for a local user.

Using the undo local-user user-car command, you can cancel the setting.

Format
local-user user-name user-car level

undo local-user user-name user-car

Parameters
user-name: specifies the user name, a string of 1 to 64 characters.

level: refers to the traffic control level in a range of 1 to 30.

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
By default, a local user adopts the traffic control level of the domain to which he belongs and
his CAR level is 0.

Examples
# Apply user traffic control to the local user hello@163.net and set his CAR level to 1.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user hello@163.net user-car 1

Related Topics
2.16.22 vlan-batch user user-car

2.16.16 vlan-batch user access-limit

Function
Using the vlan-batch user access-limit command, you can set an access limit for a batch of
VLAN-bind local users.

Using the undo vlan-batch user access-limit command, you can cancel the setting.

Format
vlan-batch user access-limit max-number interface interface-type interface-number [ start-vlan-id number | domain domain-name ] *
undo vlan-batch user access-limit interface interface-type interface-number [ start-vlan-id number | domain domain-name ] *

Parameters
max-number: specifies the maximum number of the access users. The minimum value is 1 while
the maximum value varies from product to product. There is no default value.
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.
start-vlan-id: specifies the starting VLAN ID in a range of 1 to 4094.
number: sets the total number of VLANs in a range of 1 to (4094 minus start-vlan-id).
domain-name: specifies the name of a domain, a string of 1 to 20 characters. The default is "vlan".

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
By default, there is no limit.
Generally, a user account can set up multiple accesses, for example, 16 accesses through a VLAN
or even more. However, in some PPP modes, it is recommended that you allow only one access per
account. The access limit of a RADIUS account is determined during RADIUS authentication,
while that of a local user account is configured locally. Make sure that the number complies
with the carrier's configuration.
When the local user has already set up connections, the new access limit must be greater than the
previous one; otherwise, the setting fails.
If necessary, use the cut access-user command to disconnect some connections first so that the
modification can succeed.
The number of accesses that a user can set up is limited by the system capacity, the access limit of
the domain where the user resides, and the user's own access limit. The smallest of these values is
the one that takes effect.

Examples
# Set the access limit to 16 for the consecutive 300 VLAN-bind local users with VLAN ID
starting from 100.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] vlan-batch user access-limit 16 interface Ethernet 0/0/0.1 100 300 domain lease

Related Topics
2.16.4 local-user access-limit
2.16.1 cut access-user (AAA View)

2.16.17 vlan-batch user acl-number

Function
Using the vlan-batch user acl-number command, you can set an ACL for a batch of VLAN-bind
local users.

Using the undo vlan-batch user acl-number command, you can cancel the setting.

Format
vlan-batch user acl-number acl-number interface interface-type interface-number [ start-vlan-id number | domain domain-name ] *

undo vlan-batch user acl-number interface interface-type interface-number [ start-vlan-id number | domain domain-name ] *

Parameters
acl-number: specifies the number of an ACL, in a range of 2000 to 3999, that is, the basic ACL
and advanced ACL are available.

interface-type: specifies the type of an interface.

interface-number: specifies the number of an interface.

start-vlan-id: specifies the starting VLAN ID in a range of 1 to 4094. There is no default value.

number: sets the total number of VLANs in a range of 1 to (4094 minus start-vlan-id).

domain-name: specifies the name of a domain, a string of 1 to 20 characters. The default is "vlan".

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
By default, no ACL is configured.

Examples
# Apply ACL 2010 to the consecutive 300 VLAN-bind local users with VLAN ID starting from
100.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] vlan-batch user acl-number 2010 interface Ethernet 0/0/0.1 100 300 domain lease

2.16.18 vlan-batch user idle-cut

Function
Using the vlan-batch user idle-cut command, you can enable the idle-cut to a batch of local
users in the VLAN mode.
Using the undo vlan-batch user idle-cut command, you can disable the function.

Format
vlan-batch user idle-cut interface interface-type interface-number [ start-vlan-id number | domain domain-name ] *
undo vlan-batch user idle-cut interface interface-type interface-number [ start-vlan-id number | domain domain-name ] *

Parameters
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.
start-vlan-id: specifies the starting VLAN ID in a range of 1 to 4094.
number: specifies the total number of users in a range of 1 to (4094 minus start-vlan-id).
domain-name: specifies the name of a domain, a string of 1 to 20 characters. The default is "vlan".

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
By default, this function is disabled.

Examples
# Enable the idle-cut to the consecutive 300 VLAN-bind local users with VLAN ID starting
from 100.

<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] vlan-batch user idle-cut interface Ethernet 0/0/0.1 100 300 domain lease

Related Topics
2.16.9 local-user idle-cut
2.16.1 cut access-user (AAA View)

2.16.19 vlan-batch user interface

Function
Using the vlan-batch user interface command, you can set a batch of VLAN user accounts.
Using the undo vlan-batch user interface command, you can delete a batch of VLAN user
accounts.

Format
vlan-batch user interface interface-type interface-number [ start-vlan-id number | domain domain-name | password password ] *
undo vlan-batch user interface interface-type interface-number [ start-vlan-id number | domain domain-name | password password ] *

Parameters
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.
start-vlan-id: specifies the starting VLAN ID in a range of 1 to 4094.
number: specifies the total number of users in a range of 1 to (4094 minus start-vlan-id).
domain-name: specifies the name of a domain, a string of 1 to 20 characters. The default is "vlan".
password: specifies the password, a case-sensitive string of 1 to 16 characters in simple text. It
cannot contain command-line special characters such as the space and the question mark. The
default is "vlan".

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
The user name is generated by the system so only the account is needed in the binding
authentication of the VLAN access mode.

The system supports up to 1000 users.
Using this command, you can set multiple consecutive VLAN user accounts, which are the same
as accounts created by using the local-user command.
A local user can be deleted only when the user has no active connections.
If the user has, use the local-user state block command to block the user so that subsequent
authentication requests are rejected. Then execute the cut access-user username local command to
disconnect all of the user's connections.

Examples
# Add 300 VLAN-bind users with VLAN ID starting from 100 to the domain lease and the
password is vlan.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] vlan-batch user interface Ethernet 0/0/0.1 100 300 domain lease password vlan
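
The following pre-change check for vlan-batch commands is an added example, not part of the Huawei reference. It parses the command forms shown in this chapter (the positional start-vlan-id and number pair follows the page's examples), validates the VLAN range rule, and flags account-creating commands that leave every generated account on the documented default password "vlan" or that would pass the 1000-user limit. The existing_users parameter and the finding names are hypothetical.

```python
# Added example: validate a vlan-batch user command before it is applied.
# Ranges and defaults are the ones stated in the vlan-batch sections of this page.

MAX_VLAN_ID = 4094
MAX_LOCAL_USERS = 1000                      # "The system supports up to 1000 users."
DEFAULT_DOMAIN = DEFAULT_PASSWORD = "vlan"  # documented defaults


def parse_vlan_batch(command):
    """Split a vlan-batch user command into its documented parts."""
    tok = command.split()
    if tok and tok[0].startswith("["):      # drop a CLI prompt such as [Eudemon-aaa]
        tok = tok[1:]
    if tok[:2] != ["vlan-batch", "user"] or "interface" not in tok:
        raise ValueError("not a vlan-batch user command")
    i = tok.index("interface")
    if len(tok) < i + 3:
        raise ValueError("interface-type and interface-number are required")
    spec = {
        "action": tok[2:i],                 # empty for the account-creating form
        "interface": " ".join(tok[i + 1:i + 3]),
        "start": None, "count": None,
        "domain": DEFAULT_DOMAIN, "password": None,
    }
    rest = tok[i + 3:]
    if len(rest) >= 2 and rest[0].isdigit() and rest[1].isdigit():
        spec["start"], spec["count"] = int(rest[0]), int(rest[1])
        rest = rest[2:]
    while rest:
        if rest[0] not in ("domain", "password") or len(rest) < 2:
            raise ValueError(f"unexpected token: {rest[0]}")
        spec[rest[0]] = rest[1]
        rest = rest[2:]
    return spec


def check_vlan_batch(command, existing_users=0):
    """Return a list of findings for one vlan-batch user command."""
    spec = parse_vlan_batch(command)
    findings = []
    start, count = spec["start"], spec["count"]
    if start is not None:
        if not 1 <= start <= MAX_VLAN_ID:
            findings.append("vlan-range")       # start-vlan-id must be 1 to 4094
        elif not 1 <= count <= MAX_VLAN_ID - start:
            findings.append("count-range")      # number must be 1 to (4094 - start)
    if not 1 <= len(spec["domain"]) <= 20:
        findings.append("domain-length")
    if not spec["action"]:                      # vlan-batch user interface ... creates accounts
        password = spec["password"] or DEFAULT_PASSWORD
        if password == DEFAULT_PASSWORD:
            findings.append("default-password")  # every account in the batch shares "vlan"
        elif not 1 <= len(password) <= 16:
            findings.append("password-length")
        if count and existing_users + count > MAX_LOCAL_USERS:
            findings.append("user-limit")
    return findings


if __name__ == "__main__":
    page_example = ("vlan-batch user interface Ethernet 0/0/0.1 100 300 "
                    "domain lease password vlan")
    print(check_vlan_batch(page_example, existing_users=800))
```

Accounts created in a batch also keep the default of all access types until vlan-batch user service-type is applied to the same range.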

2.16.20 vlan-batch user service-type

Function
Using the vlan-batch user service-type command, you can specify a service type for a batch
of VLAN-bind local users.
Using the undo vlan-batch user service-type command, you can restore the default
configuration.

Format
vlan-batch user service-type { auth | bind | ftp | ppp | ssh | telnet | terminal | web } * interface interface-type interface-number [ start-vlan-id number | domain domain-name ]
undo vlan-batch user service-type interface interface-type interface-number [ start-vlan-id number | domain domain-name ]

Parameters
auth: indicates pre-authenticated users.
bind: indicates binding authentication users.
ftp: indicates FTP users.
ppp: indicates PPP users.
ssh: indicates SSH users.
telnet: indicates Telnet users, who are usually network administrators.
terminal: indicates terminal users.
web: indicates Web authentication users.
interface-type: specifies the type of an interface.

interface-number: specifies the number of an interface.


start-vlan-id: specifies the starting VLAN ID in a range of 1 to 4094.
number: specifies the total number of users in a range of 1 to (4094 minus the starting VLAN
ID).
domain-name: specifies the name of a domain. It is a string of 1 to 20 characters. By default, it
is "vlan".

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
By default, all access types are available for local users.

Examples
# Configure the Telnet service to the consecutive 300 VLAN-bind local users with the VLAN
ID starting from 100.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] vlan-batch user service-type telnet interface Ethernet 0/0/0.1 100 300 domain lease

Related Topics
2.16.13 local-user service-type

2.16.21 vlan-batch user state

Function
Using the vlan-batch user state command, you can set the state of a batch of local users in the
VLAN mode.

Format
vlan-batch user state { active | block } interface interface-type interface-number [ start-vlan-id number | domain domain-name ] *

Parameters
active: activates a batch of local users and then the router accepts the authentication requests
from them for further processing.
block: deactivates a batch of local users and then the router rejects the authentication requests
from them.

interface-type: specifies the type of an interface.


interface-number: specifies the number of an interface.
start-vlan-id: specifies the starting VLAN ID in a range of 1 to 4094.
number: specifies the total number of users in a range of 1 to (4094 minus start-vlan-id).
domain-name: specifies the name of a domain, a string of 1 to 20 characters. The default is "vlan".

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
By default, local users are in the active state.
The block command takes effect on the subsequent authentication requests from the users instead
of the previous online connections.
To disconnect the previous connections, use the command.

Examples
# Deactivate the consecutive 300 VLAN-bind local users with the VLAN ID starting from 100.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] vlan-batch user state block interface Ethernet 0/0/0.1 100 300 domain lease

Related Topics
2.16.13 local-user service-type
2.16.1 cut access-user (AAA View)

2.16.22 vlan-batch user user-car

Function
Using the vlan-batch user user-car command, you can set a traffic control level for a batch of
VLAN-bind local users.
Using the undo vlan-batch user user-car command, you can cancel the setting.

Format
vlan-batch user user-car { level } interface interface-type interface-number [ start-vlan-id number | domain domain-name ] *
undo vlan-batch user user-car interface interface-type interface-number [ start-vlan-id number | domain domain-name ] *

Parameters
level: refers to the traffic control level in a range of 1 to 30. There is no default value.
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.
start-vlan-id: specifies the starting VLAN ID in a range of 1 to 4094.
number: specifies the total number of users in a range of 1 to (4094 minus start-vlan-id).
domain-name: refers to the name of a domain, a string of 1 to 20 characters. The default is "vlan".

Views
AAA view

Default Level
2: Configuration level

Usage Guidelines
By default, traffic control is disabled.

Examples
# Apply the user traffic control in Level-5 to the consecutive 300 VLAN-bind local users with
the VLAN ID starting from 100.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] vlan-batch user user-car 5 interface Ethernet 0/0/0.1 100 300 domain lease

Related Topics
2.16.14 local-user state

2.17 L2TP Configuration Commands

2.17.1 allow l2tp
2.17.2 debugging l2tp
2.17.3 display l2tp session
2.17.4 display l2tp tunnel
2.17.5 interface virtual-template
2.17.6 l2tp domain suffix-separator
2.17.7 l2tp enable
2.17.8 l2tp-group

2.17.9 mandatory-chap
2.17.10 mandatory-lcp
2.17.11 reset l2tp tunnel local-id
2.17.12 reset l2tp tunnel peer-name
2.17.13 start l2tp
2.17.14 tunnel authentication
2.17.15 tunnel avp-hidden
2.17.16 tunnel name
2.17.17 tunnel password
2.17.18 tunnel timer hello

2.17.1 allow l2tp

Function
Using the allow l2tp command, you can specify the name of the tunnel peer end from which calls
are received and the virtual template that it uses.
Using the undo allow command, you can remove the name of the peer end of the tunnel.

Format
allow l2tp virtual-template virtual-template-number remote remote-name
undo allow

Parameters
virtual-template-number: specifies the virtual template used when a new virtual access
interface is created, an integer in a range of 0 to 1023.
remote-name: specifies the name of the tunnel peer end that initiates the connection request, a
case-sensitive string of 1 to 30 characters.

Views
L2TP group view

Default Level
2: Configuration level

Usage Guidelines
By default, receiving calls is disabled.
This command is used on the LNS side.

When L2TP group 1 (the default L2TP group) is used, the peer end name remote-name can be left
unspecified. The format of the command in group 1 configuration mode is as follows: allow l2tp
virtual-template virtual-template-number [ remote remote-name ].
If the peer end name is specified in L2TP group 1 configuration mode, L2TP group 1 no longer
serves as the default L2TP group. For example, with Windows 2000 beta 2, the local name used for
the VPN connection is NONE, so the peer end name that the Eudemon receives is NONE. To receive
tunnel connection requests sent by this kind of nameless peer end, or for testing, a default
L2TP group can be configured.
The allow l2tp command is used on the LNS side. If the peer end name of the tunnel is configured,
it must be the same as the local end name configured on the LAC side.

Examples
# Receive L2TP tunnel connection requests sent by the LAC whose peer end name is AS8010, and
create the virtual access interface according to virtual template 1.
<Eudemon> system-view
[Eudemon] l2tp-group 2
[Eudemon-l2tp2] allow l2tp virtual-template 1 remote AS8010

# Use L2TP group 1 as the default L2TP group, receive L2TP tunnel connection requests sent
by any peer end, and create the virtual access interface according to virtual template 1.
<Eudemon> system-view
[Eudemon] l2tp-group 1
[Eudemon-l2tp1] allow l2tp virtual-template 1

Related Topics
2.17.8 l2tp-group

2.17.2 debugging l2tp

Function
Using the debugging l2tp command, you can enable L2TP debugging.
Using the undo debugging l2tp command, you can disable L2TP debugging.

Format
debugging l2tp { all | control | dump | error | event | hidden | payload | timestamp }
undo debugging l2tp { all | control | dump | error | event | hidden | payload | timestamp }

Parameters
all: enables all the L2TP information debugging.
control: enables control packet debugging.
dump: enables PPP packet debugging.
error: enables error debugging.

event: enables event debugging.

hidden: enables hidden AVP start debugging.

payload: enables L2TP data packet debugging.

timestamp: enables display time stamp debugging.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Enable L2TP data packet debugging.
<Eudemon> debugging l2tp payload

2.17.3 display l2tp session

Function
Using the display l2tp session command, you can display the current L2TP session.

Format
display l2tp session

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The output information of the command helps the user to confirm the current L2TP session.


Examples
# Display the current L2TP session.
<Eudemon> display l2tp session
LocalSID  RemoteSID  LocalTID
1         1          2
Total session = 1

Table 2-10 Description of the display l2tp session command output

Item            Description
Total session   Number of sessions
LocalSID        The number uniquely identifying the local session
RemoteSID       The number uniquely identifying the peer session
LocalTID        Local ID number of the tunnel

Related Topics
2.17.4 display l2tp tunnel

2.17.4 display l2tp tunnel

Function
Using the display l2tp tunnel command, you can view the current L2TP tunnel.

Format
display l2tp tunnel

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The output information of the command helps the user to confirm the current L2TP tunnel.


Examples
# Display the current L2TP tunnel.
<Eudemon> display l2tp tunnel
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
18172.168.10.217011AS80101
Total tunnels = 1

Table 2-11 Description of the display l2tp tunnel command output

Item            Description
Total tunnels   Number of tunnels
LocalTID        The number uniquely identifying the local tunnel
RemoteTID       The number uniquely identifying the peer tunnel
RemoteAddress   IP address of the peer end
Port            Port number of the peer end
Sessions        Number of sessions on the tunnel
RemoteName      Name of the peer end

Related Topics
2.17.3 display l2tp session

2.17.5 interface virtual-template

Function
Using the interface virtual-template command, you can create a virtual template interface.

Using the undo interface virtual-template command, you can delete the virtual template interface.

Format
interface virtual-template virtual-template-number

undo interface virtual-template virtual-template-number

Parameters
virtual-template-number: specifies the number of the virtual template, an integer in the range
of 0 to 1023.

Views
System view


Default Level
2: Configuration level

Usage Guidelines
By default, there is no virtual template interface in the system.
The virtual template interface supplies the parameters for virtual interfaces that the Eudemon
creates dynamically during operation, such as MP bound logic interfaces and L2TP logic interfaces.

Examples
# Create virtual template interface 1 and enter its view.
<Eudemon> system-view
[Eudemon] interface virtual-template 1

Related Topics
2.17.1 allow l2tp

2.17.6 l2tp domain suffix-separator

Function
Using the l2tp domain suffix-separator command, you can specify the delimiter that separates the
domain name suffix from the username.
Using the undo l2tp domain suffix-separator command, you can delete the setting.

Format
l2tp domain suffix-separator separator
undo l2tp domain suffix-separator separator

Parameters
suffix-separator: refers to the suffix delimiter, as in vpdnuser@huawei.com.
separator: identifies the domain name delimiter. The valid delimiter is "@".

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, no domain name delimiter is configured.
The l2tp domain suffix-separator command specifies one or more suffix delimiters; the first
delimiter that matches is used. The domain name delimiter separates the domain name from the
username. L2TP then searches for that domain name among the domain names specified by the
start l2tp command. If the domain name is found, the user is a VPN user, and a VPN tunnel
connection needs to be established with the LNS of the user.

Examples
# Specify the domain name as a suffix, separated from the username by "@".
<Eudemon> system-view
[Eudemon] l2tp domain suffix-separator @

Related Topics
2.17.13 start l2tp

2.17.7 l2tp enable

Function
Using the l2tp enable command, you can enable L2TP.

Using the undo l2tp enable command, you can disable L2TP.

Format
l2tp enable

undo l2tp enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, L2TP is disabled.

The VPN service can be provided only when L2TP is enabled.

Examples
# Enable L2TP on the Eudemon.
<Eudemon> system-view
[Eudemon] l2tp enable


Related Topics
2.17.8 l2tp-group

2.17.8 l2tp-group

Function
Using the l2tp-group command, you can create an L2TP group.

Using the undo l2tp-group command, you can delete an L2TP group.

Format
l2tp-group group-number

undo l2tp-group group-number

Parameters
group-number: specifies the number of L2TP group, an integer in a range of 1 to 1000.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the L2TP group is not created.

The l2tp-group command is used to create an L2TP group (L2TP group 1 can be the default
L2TP group). Deleting an L2TP group with the undo l2tp-group command also deletes the entire
configuration of the group.

Examples
# Create L2TP group 2 and enter the L2TP group 2 view.
<Eudemon> system-view
[Eudemon] l2tp-group 2
[Eudemon-l2tp2]

Related Topics
2.17.1 allow l2tp
2.17.13 start l2tp

2.17.9 mandatory-chap


Function
Using the mandatory-chap command, you can force LNS to carry out CHAP authentication
again with the client.
Using the undo mandatory-chap command, you can disable CHAP re-authentication.

Format
mandatory-chap
undo mandatory-chap

Parameters
None

Views
L2TP group view

Default Level
2: Configuration level

Usage Guidelines
By default, CHAP re-authentication is not performed.
After the LAC performs agent authentication of the client, the LNS can authenticate the client
again to increase security. If the mandatory-chap command is used, a VPN client whose tunnel
connection is initiated by the access server is authenticated twice: once on the access server
and once on the LNS side. Some PPP clients may not support the second authentication. In this
case, CHAP authentication at the local end fails.

Examples
# Force the LNS to perform CHAP authentication again.
<Eudemon> system-view
[Eudemon] l2tp-group 1
[Eudemon-l2tp1] mandatory-chap

Related Topics
2.17.10 mandatory-lcp

2.17.10 mandatory-lcp

Function
Using the mandatory-lcp command, you can force the LNS to renegotiate the Link Control Protocol
(LCP) with the client.


Using the undo mandatory-lcp command, you can disable LCP renegotiation.

Format
mandatory-lcp
undo mandatory-lcp

Parameters
None

Views
L2TP group view

Default Level
2: Configuration level

Usage Guidelines
By default, LCP is not renegotiated.
For a NAS-initiated VPN client, PPP negotiation is first performed with the NAS (Network Access
Server) at the beginning of a PPP session. If the negotiation succeeds, the access server
initiates the tunnel connection and transmits the information collected during negotiation with
the client to the LNS. The LNS judges whether the user is legal according to the received agent
authentication information. The mandatory-lcp command forces the LNS and the client to
renegotiate LCP. In this case, the NAS agent authentication information is ignored. If a PPP
client does not support LCP renegotiation, LCP renegotiation fails.

Examples
# Enable LCP renegotiation.
<Eudemon> system-view
[Eudemon] l2tp-group 1
[Eudemon-l2tp1] mandatory-lcp

Related Topics
2.17.9 mandatory-chap

2.17.11 reset l2tp tunnel local-id

Function
Using the reset l2tp tunnel local-id command, you can reset the specified tunnel connection,
and clear all session connections in the tunnel.

Format
reset l2tp tunnel local-id local-id


Parameters
local-id: specifies the local ID of the tunnel.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
The reset l2tp tunnel local-id command is used to forcibly clear a tunnel connection. When
the peer end user calls in again, the tunnel connection can be re-established.

Examples
# Release the tunnel connection numbered as 10.
<Eudemon> reset l2tp tunnel local-id 10

Related Topics
2.17.4 display l2tp tunnel

2.17.12 reset l2tp tunnel peer-name

Function
Using the reset l2tp tunnel peer-name command, you can reset the specified tunnel connection,
and clear all session connections in the tunnel.

Format
reset l2tp tunnel peer-name peer-name

Parameters
peer-name: specifies the name of the peer end of the tunnel, a string of 1 to 30 characters.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
The reset l2tp tunnel peer-name command is used to forcibly clear a tunnel connection.
When the peer end user calls in again, the tunnel connection can be re-established. If no eligible
tunnel connection exists, the current tunnel connection is not affected. If multiple eligible tunnel
connections with the same name and different IP addresses exist, all eligible tunnel connections
are released.

Examples
# Reset the tunnel connection of the peer end named AS8010.
<Eudemon> reset l2tp tunnel peer-name AS8010

Related Topics
2.17.4 display l2tp tunnel

2.17.13 start l2tp

Function
Using the start l2tp command, you can specify the trigger conditions under which the local end,
acting as the L2TP LAC, sends tunnel connection requests.

Using the undo start command, you can delete the specified trigger condition.

Format
start l2tp { ip ip-address [ ip ip-address ] [ ip ip-address ] ... } { domain domain-name |
fullusername user-name }

undo start

Parameters
ip ip-address: specifies the IP address of the peer end of the tunnel (LNS). At most five
addresses can be set; the LNSs back each other up.

domain domain-name: specifies the domain name that triggers a connection request, case
sensitive, a string of 1 to 20 characters.

fullusername user-name: specifies the full username that triggers a connection request, case
sensitive, a string of 1 to 64 characters.

Views
L2TP group view

Default Level
2: Configuration level

Usage Guidelines
This command is used on the LAC side. It specifies the IP address of the LNS and supports the
following kinds of triggering connection requests:

- Initiating a tunnel connection request according to the user's domain name. For example, if
  the domain name of the user's company is mycompany.com, a user with the domain name
  mycompany.com can be specified as a VPN user.
- Specifying the user as a VPN user directly through the full username.

If the user is found to be a VPN user, the local end (LAC) sends an L2TP tunnel connection
request to an LNS according to the configured LNS sequence. If a response is received from the
LNS, that LNS serves as the peer end of the tunnel. Otherwise, the LAC sends the tunnel
connection request to the next LNS.

NOTE

When multiple LNSs are configured, the LAC may time out after accessing a PPP user, which causes
the L2TP tunnel setup to fail. This problem can be solved by increasing the PPP negotiation time.

The two ways of identifying VPN users may conflict. For example, the LNS address specified
according to the full username is 1.1.1.1, while that specified according to the domain name is
1.1.1.2. The search sequence therefore needs to be defined. The search sequence is: first check
according to the full username whether an L2TP group is specified for the username; if not,
search according to the domain name.

Examples
# Identify VPN users by the domain name mycompany.com; the IP address of the L2TP access
server of the headquarters is 202.38.168.1.
<Eudemon> system-view
[Eudemon] l2tp-group 1
[Eudemon-l2tp1] start l2tp ip 202.38.168.1 domain mycompany.com

Related Topics
2.17.6 l2tp domain suffix-separator
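
The lookup order from the Usage Guidelines above (full username first, then domain, then the LNS list in configured order), modeled in Python as an added example that is not Huawei code. The StartL2tp class, the function names, the lns_responds callback and the 192.0.2.x addresses are assumptions made for illustration; "first delimiter that matches" is read as the first configured delimiter found in the username.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class StartL2tp:
    """Hypothetical model of one l2tp-group holding a 'start l2tp' trigger."""
    group: int
    lns: Tuple[str, ...]                 # LNS addresses in configured order
    domain: Optional[str] = None         # start l2tp ip ... domain <name>
    fullusername: Optional[str] = None   # start l2tp ip ... fullusername <name>

    def __post_init__(self):
        if not 1 <= len(self.lns) <= 5:
            raise ValueError("one to five LNS addresses can be set")
        if (self.domain is None) == (self.fullusername is None):
            raise ValueError("give either domain or fullusername")


def split_domain(username, separators):
    """Return the domain suffix cut off by the first separator that matches."""
    for sep in separators:
        head, found, tail = username.rpartition(sep)
        if found and head and tail:
            return tail
    return None  # no delimiter configured (the default) or none matched


def match_trigger(username, triggers, separators):
    """Check the full username first; fall back to the domain name."""
    for trig in triggers:
        if trig.fullusername is not None and trig.fullusername == username:
            return trig
    domain = split_domain(username, separators)
    if domain is None:
        return None
    for trig in triggers:
        if trig.domain is not None and trig.domain == domain:  # case sensitive
            return trig
    return None


def pick_lns(trigger, lns_responds):
    """Try each LNS in configured order; the first responder becomes the peer."""
    for address in trigger.lns:
        if lns_responds(address):
            return address
    return None


def route(username, triggers, separators, lns_responds):
    """Return (group number, chosen LNS), or None if the user is not a VPN user."""
    trig = match_trigger(username, triggers, separators)
    if trig is None:
        return None
    return trig.group, pick_lns(trig, lns_responds)


# Constructed sample reproducing the conflict described above: the full
# username points at 1.1.1.1 while its domain points at 1.1.1.2.
TRIGGERS = (
    StartL2tp(1, ("1.1.1.2",), domain="mycompany.com"),
    StartL2tp(2, ("1.1.1.1",), fullusername="vpdnuser@mycompany.com"),
    StartL2tp(3, ("192.0.2.1", "192.0.2.2"), domain="branch.example"),
)

if __name__ == "__main__":
    for user in ("vpdnuser@mycompany.com", "alice@mycompany.com", "alice"):
        print(user, "->", route(user, TRIGGERS, ["@"], lambda addr: True))
```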

2.17.14 tunnel authentication

Function
Using the tunnel authentication command, you can enable L2TP tunnel authentication.
Using the undo tunnel authentication command, you can disable L2TP tunnel authentication.

Format
tunnel authentication
undo tunnel authentication

Parameters
None

Views
L2TP group view


Default Level
2: Configuration level

Usage Guidelines
By default, L2TP tunnel authentication is enabled.
In general, authentication needs to be performed on both ends of the tunnel for the sake of
security. Tunnel authentication is not required for a network consistency test or when
connections sent by nameless peer ends are accepted.

Examples
# Disable authenticating the peer end of the tunnel.
<Eudemon> system-view
[Eudemon] l2tp-group 1
[Eudemon-l2tp1] undo tunnel authentication

2.17.15 tunnel avp-hidden

Function
Using the tunnel avp-hidden command, you can configure Attribute Value Pair (AVP) data to
be transmitted in hidden format.
Using the undo tunnel avp-hidden command, you can restore the default transmission mode of
AVP data.

Format
tunnel avp-hidden
undo tunnel avp-hidden

Parameters
None

Views
L2TP group view

Default Level
2: Configuration level

Usage Guidelines
By default, the tunnel transmits AVP data in plain text.
Some parameters of the L2TP protocol are transmitted as AVP data. If the user requires high
data security, this command can be used to transmit AVP data in hidden format.


Examples
# Set AVP data to be transmitted in hidden format.
<Eudemon> system-view
[Eudemon] l2tp-group 1
[Eudemon-l2tp1] tunnel avp-hidden

2.17.16 tunnel name

Function
Using the tunnel name command, you can specify the local name of the tunnel.
Using the undo tunnel name command, you can restore the local name to the default value.

Format
tunnel name name
undo tunnel name

Parameters
name: specifies the local name of the tunnel, a string of 1 to 30 characters.

Views
L2TP group view

Default Level
2: Configuration level

Usage Guidelines
By default, the local name is the Eudemon name.
When an L2TP group is created, the local name is initialized to the Eudemon name.

Examples
# Set the local name of the tunnel as "itsme".
<Eudemon> system-view
[Eudemon] l2tp-group 1
[Eudemon-l2tp1] tunnel name itsme

2.17.17 tunnel password

Function
Using the tunnel password command, you can specify the password of tunnel authentication.
Using the undo tunnel password command, you can cancel the setting.


Format
tunnel password { simple | cipher } password
undo tunnel password

Parameters
simple: refers to password in plain text.
cipher: refers to password in cipher text.
password: specifies the password used for tunnel authentication, a case-sensitive string of 1 to
16 characters in the simple mode or 24 characters in the cipher mode. It cannot contain special
command line characters such as space and question mark.

Views
L2TP group view

Default Level
2: Configuration level

Usage Guidelines
By default, the password of tunnel authentication is null.

Examples
# Set the password of tunnel authentication as "yougotit", and display it in cipher text.
<Eudemon> system-view
[Eudemon] l2tp-group 1
[Eudemon-l2tp1] tunnel password cipher yougotit
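
A configuration check built from the defaults stated in sections 2.17.1 to 2.17.17, as an added example that is not Huawei tooling: it flags LNS-side L2TP groups that disable tunnel authentication, leave the password null or in plain text, send AVP data in plain text, accept any peer name, or rely only on the LAC's agent authentication. The sample configuration is constructed from commands on this page; its indented layout, the cipher placeholder and the finding names are assumptions.

```python
import re

# Constructed sample. Sub-commands are assumed to be indented under their
# "l2tp-group N" line; the cipher string is a placeholder, not real output.
SAMPLE_CONFIG = """\
l2tp enable
l2tp-group 1
 allow l2tp virtual-template 1
 undo tunnel authentication
l2tp-group 2
 allow l2tp virtual-template 1 remote AS8010
 tunnel password simple yougotit
l2tp-group 3
 allow l2tp virtual-template 1 remote AS8010
 tunnel password cipher CIPHERTEXT-PLACEHOLDER
 tunnel avp-hidden
 mandatory-chap
"""


def parse_groups(text):
    """Return {group number: [sub-command, ...]} for every l2tp-group block."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"l2tp-group (\d+)", line)
        if header:
            current = groups.setdefault(int(header.group(1)), [])
        elif raw[:1].isspace() and current is not None:
            current.append(line)
        else:
            current = None  # an unindented command ends the group block
    return groups


def audit_group(number, cmds):
    """Return sorted finding codes for one group; [] if it is not LNS-side."""
    allow = [c for c in cmds if c.startswith("allow l2tp ")]
    if not allow:
        return []
    findings = set()
    passwords = [c.split() for c in cmds if c.startswith("tunnel password ")]
    if "undo tunnel authentication" in cmds:
        findings.add("TUNNEL_AUTH_DISABLED")
    elif not passwords:
        findings.add("TUNNEL_PASSWORD_NULL")    # default password is null
    if any(len(p) > 2 and p[2] == "simple" for p in passwords):
        findings.add("PASSWORD_PLAIN_TEXT")
    if "tunnel avp-hidden" not in cmds:
        findings.add("AVP_PLAIN_TEXT")          # default transmission mode
    if number == 1 and any("remote" not in c.split() for c in allow):
        findings.add("DEFAULT_GROUP_ANY_PEER")  # accepts nameless peers too
    if "mandatory-chap" not in cmds and "mandatory-lcp" not in cmds:
        findings.add("NO_LNS_REAUTH")           # LAC agent authentication only
    return sorted(findings)


def audit(text):
    """Audit every L2TP group found in a configuration text."""
    return {n: audit_group(n, cmds) for n, cmds in parse_groups(text).items()}


if __name__ == "__main__":
    for group, findings in audit(SAMPLE_CONFIG).items():
        print("l2tp-group", group, findings or "no findings")
```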

2.17.18 tunnel timer hello

Function
Using the tunnel timer hello command, you can set the interval at which Hello packets are sent.
Using the undo tunnel timer hello command, you can restore the interval to the default
value.

Format
tunnel timer hello hello-interval
undo tunnel timer hello

Parameters
hello-interval: specifies the interval at which Hello packets are sent when the LAC or LNS has
no packet to receive. It is an integer in the range of 60 to 1000, in seconds.


Views
L2TP group view

Default Level
2: Configuration level

Usage Guidelines
By default, a Hello packet is sent every 60 seconds.

Different Hello packet time intervals can be configured on LNS and LAC side.

Examples
# Set the interval for sending Hello packets to 99 seconds.
<Eudemon> system-view
[Eudemon] l2tp-group 1
[Eudemon-l2tp1] tunnel timer hello 99

2.18 GRE Configuration Commands

2.18.1 debugging tunnel
2.18.2 destination
2.18.3 display interface tunnel
2.18.4 gre checksum
2.18.5 gre key
2.18.6 interface tunnel
2.18.7 source
2.18.8 tunnel-protocol gre

2.18.1 debugging tunnel

Function
Using the debugging tunnel command, you can enable tunnel information debugging.

Using the undo debugging tunnel command, you can disable tunnel information debugging.

Format
debugging tunnel

undo debugging tunnel


Parameters
None

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Enable tunnel information debugging.
<Eudemon> debugging tunnel

2.18.2 destination

Function
Using the destination command, you can specify the destination IP address that the tunnel
interface fills in the IP header added during encapsulation.

Using the undo destination command, you can delete the setting.

Format
destination ip-address

undo destination

Parameters
ip-address: specifies the IP address of the real physical interface used by the peer end of the tunnel.

Views
Tunnel interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the destination address of the tunnel is not specified in the system.


The specified tunnel destination address is the IP address of the real physical interface that
receives GRE packets. It must be the same as the source address specified on the tunnel interface
of the peer end, and the route to the physical interface of the peer end must be reachable.
Two or more tunnel interfaces that use the same encapsulation protocol cannot be configured
with exactly the same source address and destination address.

Examples
# Create a tunnel connection between interface Ethernet 0/0/0 of Eudemon1 (with the IP
address 193.101.1.1) and interface Ethernet 0/0/0 of Eudemon2 (with the IP address
192.100.1.1).
# Configure Eudemon1.
<Eudemon1> system-view
[Eudemon1] interface tunnel 0
[Eudemon1-Tunnel0] source 193.101.1.1
[Eudemon1-Tunnel0] destination 192.100.1.1

# Configure Eudemon2.
<Eudemon2> system-view
[Eudemon2] interface tunnel 0
[Eudemon2-Tunnel0] source 192.100.1.1
[Eudemon2-Tunnel0] destination 193.101.1.1

Related Topics
2.18.6 interface tunnel
2.18.7 source

2.18.3 display interface tunnel

Function
Using the display interface tunnel command, you can view the working status of the tunnel
interface.

Format
display interface tunnel [ number ]

Parameters
number: specifies the number of a tunnel interface of the Eudemon with centralized structure in
a range of 0 to 1023.

Views
All views

Default Level
1: Monitoring level


Usage Guidelines
Using the display interface tunnel command, you can view the working status of the tunnel
interface, including: Source address, Destination address (the real physical interface address
receiving/sending GRE packet), Encapsulation mode, Identification keyword and End-to-end
check.

Examples
# Display the current tunnel interface.
<Eudemon> display interface tunnel 0
Tunnel0 current state : UP
Line protocol current state : UP
Description : HUAWEI, Quidway Series, Tunnel0 Interface
The Maximum Transmit Unit is 1500 bytes
Internet Address is 1.1.2.1/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 10.1.1.1, destination 1.1.1.4
Tunnel protocol/transport GRE/IP, key disabled
Checksumming of packets disabled
Last 5 minutes input rate 0 bytes/sec, 0 packets/sec
Last 5 minutes output rate 0 bytes/sec, 0 packets/sec
0 packets input, 0 bytes
0 input error
0 packets output, 0 bytes
0 output error

Table 2-12 Description of the display interface tunnel 0 command output

Item                              Description
Tunnel0 current state : UP        The physical layer of the tunnel interface is UP.
Line protocol current state : UP  The link layer of the tunnel interface is UP.
Description                       The description information of the tunnel interface, which
                                  is HUAWEI in this example.
Quidway                           The Eudemon is Quidway series.
Tunnel0 Interface                 Tunnel interface number.
Maximum Transmit Unit             The size of the MTU in the tunnel, which is 1500 bytes in
                                  this example.
Encapsulation                     The tunnel is formed by GRE encapsulation.
loopback                          Whether the loopback test is enabled. Because the tunnel
                                  interface does not support the loopback test, loopback is
                                  disabled in this example.
Tunnel source                     Source address of the tunnel, which is 1.1.254.88 here.
destination                       Destination address of the tunnel, which is 1.1.254.11 here.
Tunnel protocol/transport         Encapsulation protocol and transmission protocol of the
                                  tunnel, which are GRE and IP here.
key                               Identification keyword of the tunnel interface, which is not
                                  specified here.
Checksumming of packets           End-to-end check of the tunnel, which is disabled here.
Last 5 minutes input rate         Number of bytes input per second within the last 5 minutes.
packets/sec                       Number of packets input per second within the last 5 minutes.
packets input                     Total number of input packets.
bytes                             Total number of input bytes.
input error                       Number of error packets among all input packets.
output error                      Number of error packets among all output packets.

Related Topics
2.18.7 source
2.18.2 destination
2.18.5 gre key
2.18.4 gre checksum
2.18.8 tunnel-protocol gre

2.18.4 gre checksum

Function
Using the gre checksum command, you can set the two ends of the tunnel to perform an
end-to-end check that verifies the correctness of each packet and discards packets that do not
pass the check.

Using the undo gre checksum command, you can disable the check.

Format
gre checksum

undo gre checksum

Parameters
None

Views
Tunnel interface view


Default Level
2: Configuration level

Usage Guidelines
By default, end-to-end check of the two ends of the tunnel is disabled.

Checksum can be enabled or disabled on each end of the tunnel according to the needs of the
application. If checksum is enabled on the local end and disabled on the peer end, the local
end does not check the checksum of received packets, but computes a checksum for transmitted
packets. Conversely, if checksum is disabled on the local end and enabled on the peer end, the
local end checks the checksum of packets sent from the peer end, but does not compute a
checksum for transmitted packets.

Examples
# Create a tunnel between the tunnel 0 interface of Eudemon1 and the tunnel 2 interface of
Eudemon2, and enable the check on both ends of the tunnel.

# Configuring Eudemon1.
<Eudemon1> system-view
[Eudemon1] interface tunnel 0
[Eudemon1-Tunnel0] gre checksum

# Configuring Eudemon2.

<Eudemon2> system-view
[Eudemon2] interface tunnel 2
[Eudemon2-Tunnel2] gre checksum

Related Topics
2.18.6 interface tunnel

2.18.5 gre key

Function
Using the gre key command, you can set the ID keyword of the tunnel interface. This weak
security mechanism helps avoid wrongly identified packets and packets received from other places.

Using the undo gre key command, you can delete this setting.

Format
gre key key-number

undo gre key

Parameters
key-number: specifies an ID keyword for the two ends of the tunnel, an integer in a range of 0
to 4294967295.


Views
Tunnel interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the ID keyword of the tunnel is not set in the system.

Either the same key-number must be specified on both ends of the tunnel, or key-number must be
set on neither end.

Examples
# Create a tunnel between Eudemon 1 and Eudemon 2 and set the identification keyword
of the tunnel.

# Configuring Eudemon 1.
<Eudemon 1> system-view
[Eudemon 1] interface Tunnel 3
[Eudemon 1-Tunnel3] gre key 123

# Configuring Eudemon 2.
<Eudemon 2> system-view
[Eudemon 2] interface Tunnel 2
[Eudemon 2-Tunnel2] gre key 123

Related Topics
2.18.6 interface tunnel
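
How the options from 2.18.4 gre checksum and 2.18.5 gre key appear in the GRE header and are checked by a receiver, as an added Python example that is not Huawei code. The header layout follows RFC 2784 and RFC 2890; the function names, discarding on key mismatch, and the sample payload are assumptions.

```python
import struct

GRE_C = 0x8000       # Checksum Present flag, set by a sender with "gre checksum"
GRE_K = 0x2000       # Key Present flag, set by a sender with "gre key"
PROTO_IPV4 = 0x0800  # protocol type of the encapsulated payload


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over data (same algorithm as IP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def gre_encap(payload: bytes, checksum: bool = False, key=None) -> bytes:
    """Sender side: build the GRE header according to the local settings."""
    if key is not None and not 0 <= key <= 4294967295:
        raise ValueError("key-number ranges from 0 to 4294967295")
    flags = (GRE_C if checksum else 0) | (GRE_K if key is not None else 0)
    packet = struct.pack("!HH", flags, PROTO_IPV4)
    if checksum:
        packet += b"\x00\x00\x00\x00"          # checksum + reserved, filled below
    if key is not None:
        packet += struct.pack("!I", key)       # the key is carried in clear text
    packet += payload
    if checksum:
        value = inet_checksum(packet)
        packet = packet[:4] + struct.pack("!H", value) + packet[6:]
    return packet


def gre_decap(packet: bytes, local_key=None):
    """Receiver side: return (payload, None) or (None, reason for discard).

    The checksum is verified whenever the packet carries one, whatever the
    local "gre checksum" setting is, which gives the asymmetric behaviour
    described in 2.18.4. Discarding on key mismatch is an assumption.
    """
    if len(packet) < 4:
        return None, "truncated"
    flags, _proto = struct.unpack("!HH", packet[:4])
    offset = 4
    if flags & GRE_C:
        if len(packet) < offset + 4:
            return None, "truncated"
        if inet_checksum(packet) != 0:         # a valid packet sums to zero
            return None, "bad checksum"
        offset += 4
    packet_key = None
    if flags & GRE_K:
        if len(packet) < offset + 4:
            return None, "truncated"
        (packet_key,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if packet_key != local_key:                # same key on both ends, or none
        return None, "key mismatch"
    return packet[offset:], None


def flip_last_bit(packet: bytes) -> bytes:
    """Simulate transmission corruption of the final payload byte."""
    return packet[:-1] + bytes([packet[-1] ^ 0x01])


if __name__ == "__main__":
    sample = gre_encap(b"constructed payload", checksum=True, key=123)
    print(gre_decap(sample, local_key=123))
    print(gre_decap(flip_last_bit(sample), local_key=123))
    print(gre_decap(sample, local_key=124))
```

Neither field is keyed or encrypted, so they catch corruption and misdelivered packets rather than deliberate modification.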

2.18.6 interface tunnel

Function
Using the interface tunnel command, you can create a tunnel interface and enter the tunnel
interface configuration mode.

Using the undo interface tunnel command, you can delete the specified tunnel interface.

Format
interface tunnel number

undo interface tunnel number

Parameters
number: specifies the number of a tunnel interface of the device with centralized structure. It
ranges from 0 to 1023.


Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, there is no tunnel interface in the system.
Using the interface tunnel command, you can enter the interface view of the specified tunnel. If
the tunnel interface does not exist, it is created before the interface configuration mode is
entered.
The interface number of the tunnel is only of local significance. Different interface numbers can
be used on both ends of the tunnel.

Examples
# Create the tunnel interface numbered as 0.
<Eudemon> system-view
[Eudemon] interface tunnel 0

Related Topics
2.18.7 source
2.18.2 destination
2.18.5 gre key
2.18.4 gre checksum
2.18.8 tunnel-protocol gre

2.18.7 source

Function
Using the source command, you can assign the source IP address for a Tunnel interface.
Using the undo source command, you can cancel the setting.

Format
source { ip-address | interface-type interface-number }
undo source

Parameters
ip-address: specifies the IP address of the real interface sending GRE packets.
interface-type interface-number: specifies the type and number of an interface.


Views
Tunnel interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the system does not specify the source address of a tunnel.
The specified source address is the address of a real interface sending GRE packets. This address
needs to be the same as the destination address specified by the peer.
Two or more Tunnel interfaces with the same encapsulation protocol cannot be
configured with the same source address and destination address.

Examples
# Configure tunnel 0 on Eudemon. The real outgoing interface of packets is Ethernet 0/0/0 (with
the IP address 192.100.1.1).
<Eudemon> system-view
[Eudemon] interface Tunnel 0
[Eudemon-Tunnel0] source 192.100.1.1

# Specify the interface type and number of Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface Tunnel 0
[Eudemon-Tunnel0] source Ethernet 0/0/0

Related Topics
2.18.6 interface tunnel
2.18.2 destination

2.18.8 tunnel-protocol gre

Function
Using the tunnel-protocol command, you can configure the encapsulation mode of the tunnel
interface. So far, the supported encapsulation protocol is GRE and the supported transport
protocol is IP.
Using the undo tunnel-protocol command, you can restore the default value.

Format
tunnel-protocol gre
undo tunnel-protocol

Parameters
gre: identifies the encapsulation protocol of the tunnel.


Views
Tunnel interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the encapsulation protocol and the transport protocol for the tunnel interface are GRE
and IP respectively.
Both ends of the tunnel must be configured with the same encapsulation protocol and the same
transport protocol.

Examples
# Create a tunnel between Eudemon 1 and Eudemon 2. Set the encapsulation protocol as GRE
and transport protocol as IP for the tunnel.
# Configuring Eudemon1.
<Eudemon1> system-view
[Eudemon1] interface Tunnel 3
[Eudemon1-Tunnel3] tunnel-protocol gre

# Configuring Eudemon2.
<Eudemon2> system-view
[Eudemon2] interface Tunnel 2
[Eudemon2-Tunnel2] tunnel-protocol gre

Related Topics
2.18.6 interface tunnel

2.19 SLB Configuration Commands


2.19.1 addrserver
2.19.2 display slb group
2.19.3 display slb rserver
2.19.4 display slb vserver
2.19.5 group (SLB Configuration View)
2.19.6 metric
2.19.7 rserver
2.19.8 slb
2.19.9 slb enable
2.19.10 vserver


2.19.1 addrserver

Function
Using the addrserver command, you can add real servers to the specified server group.
Using the undo addrserver command, you can remove the specified real server from the server
group.

Format
addrserver rserver-id [ to end-rserver-id ]
undo addrserver rserver-id [ to end-rserver-id ]

Parameters
rserver-id: specifies the first real server ID when configuring servers in batches. It is an integer
in a range of 1 to 128.
end-rserver-id: specifies the last real server ID when configuring servers in batches. It is an
integer in a range of 1 to 128. end-rserver-id should be greater than rserver-id. Otherwise, you
cannot set it.

Views
Server group command view

Default Level
2: Configuration level

Usage Guidelines
You can add at most four real servers to a server group.

Examples
# Add real servers whose ID ranges from 1 to 3 to the group named aa.
<Eudemon> system-view
[Eudemon] slb
[Eudemon-slb] group aa
[Eudemon-slb-group-aa] addrserver 1 to 3

Table 2-13 Description of the addrserver command output

| Item | Description |
|---|---|
| error: please specify the real server IDs in increasing order | The real server ID and the last real server ID should be specified in ascending order. |
| error: real server ID has been already added into server group "group-name" | The real server ID already exists in the server group. |
| error: the number of real server in this server group has reached maximum. add real server ID and the following fail | Adding a real server and the following servers fails because the number of real servers in the server group has reached the maximum. |
| error: the virtual IP of real server ID must equal to that of server group group-name | When a real server is added to two server groups at the same time, the IP addresses of the virtual servers corresponding to the two server groups must be the same. |
| error: the rip of real server ID conflicts with inside ip of nat server | The IP address of the real server conflicts with the internal IP address of the internal server. |
| error: the server group which binded with virtual server must includes at least one real server. delete real server ID fail | The server group bound to the virtual server must contain at least one real server. Deleting the last real server fails. |
| error: real server ID doesn't exist | The real server does not exist or has not been defined. |

Related Topics
2.19.2 display slb group

2.19.2 display slb group

Function
Using the display slb group command, you can view the configuration of server groups.

Format
display slb group [ group-name ]

Parameters
group-name: specifies the name of a server group. It is a character string in a range of 1 character
to 31 characters.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If no server group name is specified, information about all the server groups is displayed.

Examples
# Display the configuration of the server group named aa.
<Eudemon> display slb group aa
group name: “aa”
metric: srchash
vserver number: 1
virtural ip: 100.1.1.0
real server number: 3
real server id list:
1, 2, 3

Table 2-14 Description of the display slb group command output

| Item | Description |
|---|---|
| group name | Indicates the server group name. |
| metric | Indicates the load balancing algorithm used by the server group. |
| vserver number | Indicates the number of the virtual servers corresponding to the server group. The value can be 0 or 1. |
| virtural ip | Indicates the IP address of the virtual server corresponding to the server group. |
| real server number | Indicates the number of the real servers protected by the server group. |
| real server id list | Indicates the ID list of the real servers protected by the server group. |

2.19.3 display slb rserver

Function
Using the display slb rserver command, you can view the information of real servers.

Format
display slb rserver [ rserver-id [ to end-rserver-id ] ]

Parameters
rserver-id: specifies the first real server ID when configuring servers in batches. It is an integer
in a range of 1 to 128.

end-rserver-id: specifies the last real server ID when configuring servers in batches. It is an
integer in a range of 1 to 128. end-rserver-id should be greater than rserver-id. Otherwise, you
cannot set it.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If no real server ID is specified, information of all the real servers is displayed.

Examples
# Display the information of the real server whose ID is 1.
<Eudemon> display slb rserver 1
rserver 1 rip 3.2.2.2 weight 32 healthchk
status active
health status 0, applied to 1 group(s)
virtural ip: 2.2.2.2

Table 2-15 Description of the display slb rserver command output

| Item | Description |
|---|---|
| rserver | Indicates the ID of the real server. |
| rip | Indicates the IP address of the real server. |
| weight | Indicates the weighting of the real server. |
| healthchk/active/inactive | Indicates whether health check is performed on the real server. healthchk: health check is forcibly performed on the real server. active: the real server is forcibly set to healthy. inactive: the real server is forcibly set to unhealthy. |
| status | Indicates the health state of the real server. |
| health status | Indicates the health state value of the real server. The range is 0 to 3. The initial health value of each real server is 0. The Eudemon periodically sends the health detection packet to the real server. On receiving the response packet from the real server, the Eudemon increases the health state value by 1 (when reaching the maximum value 3, the value remains as 3). On receiving no response packet from the real server, the Eudemon decreases the health state value by 1 (when reaching the minimum value 0, the value remains as 0). Health state value 1, 2, or 3 indicates that the real server is in healthy state. Health state value 0 indicates that the real server is in unhealthy state. |
| applied to 1 group(s) | Indicates that the real server is added to a server group. |
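The health status counter in Table 2-15 is a saturating counter with an asymmetric threshold: one response makes a server healthy, while a fully healthy server needs three missed probes to be marked unhealthy. The following model is an added example, not code from the Eudemon software; the class and function names are hypothetical and the probe histories are constructed.

```python
from dataclasses import dataclass

HEALTH_MIN, HEALTH_MAX = 0, 3   # range of "health status" given in Table 2-15


@dataclass
class RealServer:
    """Health state of one real server, modelled on the Table 2-15 description."""
    mode: str = "healthchk"     # healthchk | active | inactive (rserver keywords)
    health: int = HEALTH_MIN    # every real server starts at 0

    def probe(self, answered: bool) -> None:
        """Apply the outcome of one periodic health detection packet."""
        if self.mode != "healthchk":
            return              # forced states take no part in health checks
        step = 1 if answered else -1
        self.health = max(HEALTH_MIN, min(HEALTH_MAX, self.health + step))

    @property
    def healthy(self) -> bool:
        if self.mode == "active":
            return True         # forced healthy regardless of probe results
        if self.mode == "inactive":
            return False        # forced unhealthy regardless of probe results
        return self.health >= 1  # values 1, 2 and 3 count as healthy


def missed_probes_until_unhealthy(start_health: int) -> int:
    """Consecutive unanswered probes before a health-checked server turns unhealthy."""
    server = RealServer(health=start_health)
    missed = 0
    while server.healthy:
        server.probe(answered=False)
        missed += 1
    return missed


def replay(mode: str, outcomes: str) -> list:
    """Replay a constructed probe history ('1' answered, '0' missed); return healthy flags."""
    server = RealServer(mode=mode)
    flags = []
    for outcome in outcomes:
        server.probe(answered=(outcome == "1"))
        flags.append(server.healthy)
    return flags


if __name__ == "__main__":
    print(missed_probes_until_unhealthy(3))   # fully healthy server
    print(replay("healthchk", "1110001"))     # constructed history
    print(replay("active", "0000"))           # forced active, every probe missed
```

In this model a server configured with the active keyword stays in rotation however many probes it misses, so forced states are worth reviewing when auditing an SLB configuration.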

Related Topics
2.19.7 rserver

2.19.4 display slb vserver

Function
Using the display slb vserver command, you can view the configuration of virtual servers.

Format
display slb vserver [ vserver-name ]

Parameters
vserver-name: refers to the virtual server name. It is an integer in a range of 1 to 31.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If no virtual server name is specified, all the virtual server names are displayed.

Examples
# Display the configuration of the real server whose name is abc.
<Eudemon> display slb vserver abc
vserver abc vip 100.1.1.0 group hh

Table 2-16 Description of the display slb vserver command output

| Item | Description |
|---|---|
| vserver | the real server name |
| vip | the real server IP address |
| group | the server group name correlated with the virtual server |

2.19.5 group (SLB Configuration View)

Function
Using the group command, you can create a server group and enter the server group
view. If the server group already exists, you directly enter the server group view.
Using the undo group command, you can delete the server group.

Format
group group-name
undo group group-name

Parameters
group-name: specifies the name of a server group. It is a string in a range of 1 character to 31
characters.

Views
SLB configuration view

Default Level
2: Configuration level

Usage Guidelines
The first character of the server group name must be a letter.
You must delete the real servers from the server group before deleting the server group.

Examples
# Create and enter the server group view named abc.
<Eudemon> system-view
[Eudemon] slb
[Eudemon-slb] group abc
[Eudemon-slb-group-abc]

Related Topics
2.19.2 display slb group

2.19.6 metric

Function
Using the metric command, you can set the load balancing algorithm.
Using the undo metric command, you can restore the default value.

Format
metric { roundrobin | srchash | weightrr }
undo metric

Parameters
roundrobin: refers to the round algorithm.
srchash: refers to the hash algorithm of source address.
weightrr: refers to the weighted round algorithm.

Views
Server group view

Default Level
2: Configuration level

Usage Guidelines
By default, the roundrobin algorithm is used.

Examples
# Use the hash algorithm of the source address as load balancing algorithm.
<Eudemon> system-view
[Eudemon] slb
[Eudemon-slb] group abc
[Eudemon-slb-group-abc] metric srchash

Related Topics
2.19.2 display slb group

2.19.7 rserver

Function
Using the rserver command, you can set the IP address, the weight, and the descriptive text for real
servers, and forcibly set the state of real servers.
Using the undo rserver command, you can delete real servers at the Eudemon side.

Format
rserver rserver-id [ to end-rserver-id ] rip ip-address [ active | inactive | healthchk ] [ weight
weight ] [ description text ]
undo rserver rserver-id [ to end-rserver-id ]

Parameters
rserver-id: refers to the real server ID. It is an integer in a range of 1 to 128. If a real server is
configured, this ID is the server ID.

end-rserver-id: specifies the last real server ID when configuring servers in batches. It is an
integer in a range of 1 to 128.

ip-address: sets the IP address for real servers. When you set them in batches, the IP address
automatically increases by 1 for each subsequent server. If you configure real servers whose IDs
range from 1 to 3 and set rip ip-address as 10.100.1.1, the IP addresses of the three real servers
are 10.100.1.1, 10.100.1.2 and 10.100.1.3.

active: performs no health status check on the real server, and forcefully configures the real
server health status as active.

inactive: performs no health status check on the real server, and forcefully configures the
real server health status as inactive.

healthchk: configures health check for real servers. By default, healthchk is configured.

weight: sets the weight of real servers. The Eudemon can judge which server the data stream
should move toward, based on the specified weight of servers. weight refers to the weight of
real servers. It is an integer, ranging from 1 to 63. The default value is 32.

text: sets descriptive text. description refers to descriptive text of servers. It is a character string
in a range of 1 character to 31 characters.

Views
SLB configuration view

Default Level
2: Configuration level

Usage Guidelines
If the rserver is added to a group, the Eudemon does not allow modifying this rserver.

Forcefully configuring the health status of real server means forcefully setting the health status
of real server to active or inactive, and the server no longer takes part in health checks. If
healthchk is configured, the server health status is determined by the health check.

When this command is executed, the system detects whether the configured real server IP address
conflicts with the internal network IP address of any other existing internal server. If yes, the
command execution fails. Similarly, when the nat server command is executed, the system also
checks whether the internal network IP address conflicts with any existing real server IP address.
If yes, the execution fails.

Examples
# Set the real server, whose ID ranges from 1 to 3, whose IP address ranges from 192.168.1.1
to 192.168.1.3, whose weight is 20.
<Eudemon> system-view
[Eudemon] slb
[Eudemon-slb] rserver 1 to 3 rip 192.168.1.1 weight 20

Table 2-17 Description of the rserver command output

| Item | Description |
|---|---|
| error: please specify the real server IDs in increasing order | Please specify the real server IDs in ascending order. |
| error: Invalid IP address | Invalid IP address. |
| error: please delete real server ID from server group(s) first | Please delete real server ID from server group(s) first. |
| error: real server ID is being used by virtual server(s), the modification is not allowed. | Real server ID is being used by virtual server(s). The modification is not allowed. |

Related Topics
2.19.3 display slb rserver

2.19.8 slb

Function
Using the slb command, you can enter the load balancing configuration view.

Format
slb

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Enter the load balancing configuration view.
<Eudemon> system-view
[Eudemon] slb

2.19.9 slb enable

Function
Using the slb enable command, you can enable slb.
Using the undo slb enable command, you can disable slb.

Format
slb enable
undo slb enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, slb is disabled.
Eudemon's real server health check function is part of load sharing functions. Therefore, after
load sharing is enabled, real server health check is also enabled.

Examples
# Enable slb.
<Eudemon> system-view
[Eudemon] slb enable

2.19.10 vserver

Function
Using the vserver command, you can set the virtual server, including:
• Name
• The virtual IP address
• The server group
• The protocol in use
• The port number of the virtual server
• The port number of the real server

Using the undo vserver command, you can delete the specified virtual server.

Format
vserver vserver-name vip ip-address group group-name [ { tcp | udp } [ vport vport-number
[ rport rport-number ] [ vrrp virtual-router-id ] ] ]

vserver vserver-name vip ip-address group group-name [ vrrp virtual-router-id ]

undo vserver vserver-name

Parameters
vserver-name: specifies the name of a virtual server. It is a string in a range of 1 character to 31
characters.

ip-address: refers to the IP address of the virtual server.

group-name: specifies the name of a server group. It is a string in a range of 1 character to 31
characters.

tcp: uses the TCP protocol.

udp: uses the UDP protocol.

vport vport-number: specifies the port number of virtual server in a range of 1 to 65535.

rport rport-number: specifies the port number of the real server, in a range of 1 to 65535.

virtual-router-id: VRRP group number specified for dual-system hot backup. It is an integer in
the range 1 to 255.

Views
SLB configuration view

Default Level
2: Configuration level

Usage Guidelines
The first character of the virtual server name must be a letter.

The virtual server IP address must be different from the real server IP address and the Eudemon
interface IP address.

When this command is executed, the system detects whether the configured virtual server IP
address conflicts with the external network IP address of any other existing internal server. If
yes, the command execution fails. Similarly, when the nat server command is executed, the
system also checks whether the external network IP address conflicts with any existing virtual
server IP address. If yes, the execution fails.

Examples
# Set the virtual server named abc, whose IP address is 100.1.1.1, whose server group is test.
Set the virtual server to use the TCP protocol with the virtual port number 562 and the real port
number 452.
<Eudemon> system-view
[Eudemon] slb
[Eudemon-slb] vserver abc2 vip 100.1.1.0 group test tcp vport 562 rport 452

Table 2-18 Description of the vserver command output

| Item | Description |
|---|---|
| error: this virtual server is using by server group 'group-name'. | This virtual server is being used by a server group. |
| error: no such server group. | No such server group exists. |
| error: vip conflicts with global ip of nat server. | Virtual server IP address conflicts with the external network IP address of an internal server. |
| error: the server group which binded with virtual server must includes at least one real server. | The server group bound with the virtual server must contain at least one real server. |
| error: the number of virtual server has reached maximum. | The number of virtual servers has reached the upper limit. |
| error: no such virtual server. | No such virtual server exists. |

Related Topics
2.19.4 display slb vserver

2.20 P2P Traffic Limiting Configuration Commands


2.20.1 cir
2.20.2 cir default
2.20.3 debugging firewall p2p-car
2.20.4 display p2p-car class
2.20.5 display p2p-car pattern-file
2.20.6 display p2p-car protocol
2.20.7 display p2p-car relation-table aging-time
2.20.8 display p2p-car statistic class
2.20.9 display p2p-car statistic protocol
2.20.10 display p2p-car statistic relation-table
2.20.11 firewall p2p-car default-permit
2.20.12 firewall p2p-car include
2.20.13 firewall p2p-car pattern-file active
2.20.14 firewall p2p-car relation-table aging-time
2.20.15 firewall p2p-detect behavior enable
2.20.16 firewall p2p-detect default-permit
2.20.17 firewall p2p-detect packet-number
2.20.18 p2p-car
2.20.19 p2p-class
2.20.20 p2p-detect enable
2.20.21 p2p-detect mode
2.20.22 reset p2p-car relation-table
2.20.23 reset p2p-car statistic
2.20.24 undo cir index

2.20.1 cir

Function
Using the cir command, you can set a committed traffic rate for a specific time range of a certain
P2P class.

Format
cir cir-rate index index time-range time-range-name

Parameters
cir-rate: specifies the committed traffic rate in a specified time range. It ranges from 0 kbit/s to
500000 kbit/s.
index: specifies the index number for a specified P2P-class time range. It ranges from 1 to 9.
time-range-name: specifies the name for the time range. The name can be a string of a maximum
of 32 characters, starting with a letter (a through z or A through Z). To avoid ambiguity, never
set the name as "all".

Views
P2P-class view

Default Level
2: Configuration level

Usage Guidelines
Each index can be used only once.
If the same time range is configured with multiple committed traffic rates, the option with the
smallest index value takes effect.

Examples
# Set a time range named night and set the committed rate of P2P traffic during time range night
to 5000 kbit/s.
<Eudemon> system-view
[Eudemon] time-range night 18:00 to 23:59 daily
[Eudemon] p2p-class 1
[Eudemon-p2p-class-1] cir 5000 index 1 time-range night

Related Topics
2.20.24 undo cir index

2.20.2 cir default

Function
Using the cir default command, you can set the default committed traffic rate for a P2P class.
When a P2P class does not have a valid time range and committed traffic rate option, the default
committed traffic rate is used.

Format
cir default cir-rate

Parameters
cir-rate: specifies the default committed traffic rate. It ranges from 0 kbit/s to 500000 kbit/s.
The default value is 100 kbit/s.

Views
P2P-class view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Set the default CIR of P2P class 1 to 5000 kbit/s.
<Eudemon> system-view
[Eudemon] p2p-class 1
[Eudemon-p2p-class-1] cir default 5000
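The cir and cir default rules combine as follows: among the options whose time range matches the current time, the smallest index wins, and the default rate (index 0) applies when none matches. The sketch below is an added example, not Eudemon code; the P2PClass name is hypothetical, time ranges are modelled as simple daily windows, and the hours of the "day" range are constructed.

```python
from datetime import time

DEFAULT_CIR_KBPS = 100          # default value of "cir default" in this reference
MAX_CIR_KBPS = 500000


class P2PClass:
    """One P2P class holding its index -> (rate, time-range name) options."""

    def __init__(self, default_kbps: int = DEFAULT_CIR_KBPS):
        self.default_kbps = self._check_rate(default_kbps)
        self.options = {}

    @staticmethod
    def _check_rate(rate: int) -> int:
        if not 0 <= rate <= MAX_CIR_KBPS:
            raise ValueError("cir-rate must be 0 to 500000 kbit/s")
        return rate

    def cir(self, rate: int, index: int, time_range: str) -> None:
        """Mirror 'cir cir-rate index index time-range time-range-name'."""
        if not 1 <= index <= 9:
            raise ValueError("index must be 1 to 9")
        if index in self.options:
            raise ValueError("each index can be used only once")
        first = time_range[:1]
        if not (first.isascii() and first.isalpha()) or len(time_range) > 32:
            raise ValueError("name must start with a letter, 32 characters at most")
        if time_range == "all":
            raise ValueError('the name "all" is ambiguous and must not be used')
        self.options[index] = (self._check_rate(rate), time_range)

    def effective(self, now: time, ranges: dict) -> tuple:
        """Return (index, kbit/s) in force at `now`; index 0 is the default rate."""
        minute = (now.hour, now.minute)
        matching = [
            (index, rate)
            for index, (rate, name) in self.options.items()
            if name in ranges and ranges[name][0] <= minute <= ranges[name][1]
        ]
        # Smallest index wins among the options whose time range is active.
        return min(matching) if matching else (0, self.default_kbps)


# Daily windows as ((hour, minute), (hour, minute)), both ends inclusive.
# "night" follows the time-range example above; the "day" hours are constructed.
RANGES = {"night": ((18, 0), (23, 59)), "day": ((8, 0), (17, 59))}


def build_example() -> P2PClass:
    p2p_class = P2PClass()
    p2p_class.cir(5000, 1, "night")
    p2p_class.cir(20000, 2, "day")
    p2p_class.cir(3000, 3, "night")   # same range as index 1, so never effective
    return p2p_class


if __name__ == "__main__":
    example = build_example()
    for moment in (time(19, 30), time(12, 0), time(3, 0)):
        print(moment, example.effective(moment, RANGES))
```

Index 3 in the example is shadowed by index 1 for the whole "night" range, which is the situation the Usage Guidelines of the cir command describe.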

2.20.3 debugging firewall p2p-car

Function
Using the debugging firewall p2p-car command, you can enable the P2P module debugging.

Using the undo debugging firewall p2p-car command, you can disable the P2P module
debugging.

Format
debugging firewall p2p-car { packet | error | event | all }

undo debugging firewall p2p-car { packet | error | event | all }

Parameters
packet: indicates the P2P module packet debugging.

event: indicates the P2P module event debugging.

error: indicates the P2P module error debugging.

all: indicates all P2P module debugging.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Enable the P2P event debugging.
<Eudemon> debugging firewall p2p-car event

2.20.4 display p2p-car class

Function
Using the display p2p-car class command, you can view the configuration of a specific or all
P2P classes.

Format
display p2p-car class [ class-number ]

Parameters
class-number: specifies the number of the P2P class whose configuration is to be displayed. The
value ranges from 0 to 6.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If class-number is not specified, the configuration of all P2P classes is displayed.

Examples
# View the configuration of all P2P classes.
<Eudemon> display p2p-car class
Class Index Bandth(kbps) State time-range
0 0 100 Active
1 0 30000 Active
2 0 100
2 20000 Active day
3 0 100 Active
4 0 100 Active
5 0 100 Active
6 0 100 Active

# View the configuration of P2P class 2.


<Eudemon> display p2p-car class 2
Class Index Bandth(kbps) State time-range
2 0 100
2 20000 Active day

Table 2-19 Description of the display p2p-car class command output

| Item | Description |
|---|---|
| Class | It indicates the number of the P2P class. |
| Index | It indicates the index of the bandwidth and time-range option. One P2P class can be configured with a maximum of 9 time range and bandwidth options. Index 0 indicates the default setting. |
| Bandth | It indicates the value of the bandwidth, that is, the committed P2P traffic rate. The unit is kbit/s. |
| State | It indicates the current state. Null indicates that it does not take effect, while "Active" means that it takes effect. If the system time matches a certain time range, the committed traffic rate with the smallest index value takes effect, instead of the other committed traffic rate options of the time range. |
| time-range | It indicates the name of the time range. |

2.20.5 display p2p-car pattern-file

Function
Using the display p2p-car pattern-file command, you can view information about the activated
pattern file or the pattern file on the FLASH.

Format
display p2p-car pattern-file { active | on-flash }

Parameters
active: indicates the activated pattern file.
on-flash: indicates the pattern file on the FLASH.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The display delivers the following information:
• Version number
• Upload time to FLASH
• Activated time (available for activated pattern file only)
• Included protocols
• File size

Examples
# Display information about the activated pattern file.
<Eudemon> display p2p-car pattern-file active
Version:1.2.2.35
File active time:10:56:57 2008/03/14
File upload time:20:38:18 2008/03/13
File size:115328 bytes
P2P protocol name:BT. PPLIVE. Thunder. eDeM. FEIDIAN. QQlive. CCIPTV. GNUTELLA.
Kazaa. PPSTREAM. COOLSTREAMING. DC. KUGOO. PPGou. POCO. BaiBao. Maze. TVAnts. UU
See. Vagaa. BBSEE. MYSEE. Filetopia. Soulseek.

# View pattern file information on the FLASH.


<Eudemon> display p2p-car pattern-file on-flash
Version:1.2.2.35
File upload time:20:38:18 2008/03/13
File size:115328 bytes
P2P protocol name:BT. PPLIVE. Thunder. eDeM. FEIDIAN. QQlive. CCIPTV. GNUTELLA.
Kazaa. PPSTREAM. COOLSTREAMING. DC. KUGOO. PPGou. POCO. BaiBao. Maze. TVAnts. UU
See. Vagaa. BBSEE. MYSEE. Filetopia. Soulseek.

2.20.6 display p2p-car protocol

Function
Using the display p2p-car protocol command, you can view the configuration of protocols.
The display shows which P2P protocols are controlled in traffic rate and which P2P protocols
are not.

Format
display p2p-car protocol

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If a command line in the information displayed begins with "undo", the protocol specified in
this command line is not configured with P2P detection.

Examples
# Display the configuration of protocols.
<Eudemon> display p2p-car protocol
firewall p2p-car include BT
firewall p2p-car include PPLIVE
firewall p2p-car include Thunder
firewall p2p-car include eDeM
firewall p2p-car include FEIDIAN
firewall p2p-car include QQlive
undo firewall p2p-car include CCIPTV
undo firewall p2p-car include GNUTELLA
undo firewall p2p-car include Kazaa
undo firewall p2p-car include PPSTREAM
undo firewall p2p-car include COOLSTREAMING
undo firewall p2p-car include DC
firewall p2p-car include KUGOO
undo firewall p2p-car include PPGou
firewall p2p-car include POCO
undo firewall p2p-car include BaiBao
undo firewall p2p-car include Maze
firewall p2p-car include TVAnts
undo firewall p2p-car include UUSee
undo firewall p2p-car include Vagaa
undo firewall p2p-car include BBSEE
undo firewall p2p-car include MYSEE
undo firewall p2p-car include Filetopia
undo firewall p2p-car include Soulseek

2.20.7 display p2p-car relation-table aging-time

Function
Using the display p2p-car relation-table aging-time command, you can view the aging time
of the relation table.

Format
display p2p-car relation-table aging-time

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# View the aging time of the relation table.
<Eudemon> display p2p-car relation-table aging-time
The relation table aging-time:20s

2.20.8 display p2p-car statistic class

Function
Using the display p2p-car statistic class command, you can view the P2P class-based statistics.

Format
display p2p-car statistic class

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the P2P class-based statistics.
<Eudemon> display p2p-car statistic class
class receive(Pkt/Oct) discard(Pkt/Oct) permit(Pkt/Oct)
class0 147268836 147079762 189074
20028561696 20002847632 25714064
class1 0 0 0
0 0 0
class2 0 0 0
0 0 0
class3 115030907 111041407 3989500
15644203352 15101631352 542572000
class4 0 0 0
0 0 0
class5 129113696 62651436 66462260
17559462656 8520595296 9038867360
class6 0 0 0
0 0 0
__________________________________________________________________________
total 391413439 320772605 70640834
53232227704 43625074280 9607153424
statistic from 14:24:35 2008/03/14 to 17:52:37 2008/03/14

Table 2-20 Description of the display p2p-car statistic class command output

| Item | Description |
|---|---|
| class | It indicates the number of the P2P class. |
| receive | It indicates the traffic received by the P2P class. The first line presents the number of packets. The second line presents the number of bytes. |
| discard | It indicates the traffic dropped by the P2P class. The first line presents the number of packets. The second line presents the number of bytes. |
| permit | It indicates the traffic permitted by the P2P class. The first line presents the number of packets. The second line presents the number of bytes. |

2.20.9 display p2p-car statistic protocol

Function
Using the display p2p-car statistic protocol command, you can view the protocol-based
statistics.

Format
display p2p-car statistic protocol

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the protocol-based statistics of the committed P2P traffic rates.
<Eudemon> display p2p-car statistic protocol
protocol receive(Pkt/Oct) discard(Pkt/Oct) permit(Pkt/Oct)
BT 0 0 0
0 0 0
PPLIVE 0 0 0
0 0 0
Thunder 0 0 0
0 0 0
eDeM 0 0 0
0 0 0
FEIDIAN 123798973 0 123798973
16836660328 0 16836660328
QQlive 379735383 135200548 244534835
51644012088 18387274528 33256737560
CCIPTV 0 0 0
0 0 0
GNUTELLA 0 0 0
0 0 0
Kazaa 0 0 0
0 0 0
PPSTREAM 0 0 0
0 0 0
COOLSTREAMING 0 0 0
0 0 0
DC 0 0 0
0 0 0
KUGOO 234696645 166972359 67724286
31918743720 22708240824 9210502896
PPGou 0 0 0
0 0 0
POCO 0 0 0
0 0 0
BaiBao 0 0 0
0 0 0
Maze 0 0 0
0 0 0
TVAnts 123798973 0 123798973
16836660328 0 16836660328
UUSee 0 0 0
0 0 0
Vagaa 0 0 0
0 0 0
BBSEE 0 0 0
0 0 0
MYSEE 0 0 0
0 0 0
Filetopia 0 0 0
0 0 0
Soulseek 0 0 0
0 0 0
____________________________________________________________________
total 862029974 302172907 559857067
117236076464 41095515352 76140561112
statistic from 14:24:35 2008/03/14 to 17:54:24 2008/03/14

Table 2-21 Description of the display p2p-car statistic class command output

| Item | Description |
|---|---|
| protocol | It indicates the name of the protocol. |
| receive | It indicates the received traffic of a certain protocol. The first line presents the number of packets. The second line presents the number of bytes. |
| discard | It indicates the dropped traffic of a certain protocol. The first line presents the number of packets. The second line presents the number of bytes. |
| permit | It indicates the permitted traffic of a certain protocol. The first line presents the number of packets. The second line presents the number of bytes. |
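The class and protocol statistics share one layout: a packet line carrying the row name, followed by a byte line. The parser below is an added example, not a Huawei tool, and its function names are hypothetical. It reads that layout, checks that receive equals discard plus permit and that the total row matches the sum of the rows, and reports the share of dropped packets. The embedded sample is the class output shown in 2.20.8 with the all-zero classes 2, 4 and 6 omitted.

```python
import re

# Trimmed copy of the "display p2p-car statistic class" example output.
SAMPLE = """\
class receive(Pkt/Oct) discard(Pkt/Oct) permit(Pkt/Oct)
class0 147268836 147079762 189074
20028561696 20002847632 25714064
class1 0 0 0
0 0 0
class3 115030907 111041407 3989500
15644203352 15101631352 542572000
class5 129113696 62651436 66462260
17559462656 8520595296 9038867360
__________________________________________________________________________
total 391413439 320772605 70640834
53232227704 43625074280 9607153424
statistic from 14:24:35 2008/03/14 to 17:52:37 2008/03/14
"""

PACKETS = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$")   # name + three counters
OCTETS = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)$")            # three counters only


def parse_statistics(text: str) -> dict:
    """Return {name: {"packets": (rx, drop, permit), "octets": (rx, drop, permit)}}."""
    rows, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        octets, packets = OCTETS.match(line), PACKETS.match(line)
        if octets and current is not None:
            rows[current]["octets"] = tuple(int(v) for v in octets.groups())
            current = None
        elif packets:
            current = packets.group(1)
            counters = tuple(int(v) for v in packets.groups()[1:])
            rows[current] = {"packets": counters, "octets": None}
        # Header, separator and "statistic from" lines match neither pattern.
    return rows


def consistency_findings(rows: dict) -> list:
    """List every place where the counters do not add up."""
    findings = []
    for name, row in rows.items():
        for unit in ("packets", "octets"):
            if row[unit] is None:
                findings.append(f"{name}: {unit} line missing")
                continue
            received, discarded, permitted = row[unit]
            if received != discarded + permitted:
                findings.append(f"{name}: {unit} receive != discard + permit")
    if "total" in rows:
        for unit in ("packets", "octets"):
            parts = [r[unit] for n, r in rows.items() if n != "total" and r[unit]]
            sums = tuple(sum(col) for col in zip(*parts)) if parts else (0, 0, 0)
            if rows["total"][unit] is not None and sums != rows["total"][unit]:
                findings.append(f"total: {unit} do not equal the sum of the rows")
    return findings


def discard_ratio(rows: dict) -> dict:
    """Share of received packets that were dropped, for rows that saw traffic."""
    return {
        name: row["packets"][1] / row["packets"][0]
        for name, row in rows.items()
        if row["packets"][0] > 0
    }


if __name__ == "__main__":
    parsed = parse_statistics(SAMPLE)
    print(consistency_findings(parsed))
    for name, ratio in discard_ratio(parsed).items():
        print(f"{name}: {ratio:.1%} of received packets dropped")
```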

2.20.10 display p2p-car statistic relation-table

Function
Using the display p2p-car statistic relation-table command, you can view the statistics of the
P2P relation table.

Format
display p2p-car statistic relation-table

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# View the statistics of the P2P relation table.
<Eudemon> display p2p-car statistic relation-table
Current relation table number:4

2.20.11 firewall p2p-car default-permit

Function
Using the firewall p2p-car default-permit command, you can enable the global P2P traffic
limiting function.
Using the undo firewall p2p-car default-permit command, you can disable the global P2P
traffic limiting function.

Format
firewall p2p-car default-permit
undo firewall p2p-car default-permit

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
After you run the firewall p2p-car default-permit command, the firewall employs the setting
of class 0 by default to limit P2P traffic.

You must configure class 0 before global P2P traffic limiting takes effect.

By default, the global P2P traffic limiting function is disabled.

Examples
# Enable the global P2P traffic limiting function.
<Eudemon> system-view
[Eudemon] firewall p2p-car default-permit

Related Topics
2.20.19 p2p-class

2.20.12 firewall p2p-car include

Function
Using the firewall p2p-car include command, you can limit the traffic of the specified protocols.

Using the undo firewall p2p-car include command, you can remove traffic limiting on the
specified protocols.

Format
firewall p2p-car include protocol

undo firewall p2p-car include protocol

Parameters
protocol: specifies the protocol types covered by the P2P traffic limiting function. You can
select any protocol type supported by the current system. To display the protocol types
supported by the current system, use the 2.20.6 display p2p-car protocol command.

Views
System view

Default Level
2: Configuration level

Usage Guidelines

CAUTION
You must load the P2P pattern file to the FLASH and activate the file before running the
command.

Examples
# Restrict the PPLive traffic.
<Eudemon> system-view
[Eudemon] firewall p2p-car include pplive

Related Topics
2.20.13 firewall p2p-car pattern-file active
2.20.6 display p2p-car protocol

2.20.13 firewall p2p-car pattern-file active

Function
Using the firewall p2p-car pattern-file active command, you can activate the pattern file on
the FLASH.
Using the undo firewall p2p-car pattern-file active command, you can deactivate the pattern
file on the FLASH.

Format
firewall p2p-car pattern-file active
undo firewall p2p-car pattern-file active

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
Because activating a pattern file deletes all existing statistics, it is recommended that you activate
the pattern file when the volume of P2P traffic is low.

Before activating a pattern file, you need to obtain and download the pattern file to the FLASH
of the Eudemon through FTP.

The name of the pattern file is protocol.rul.

When an unidentifiable protocol appears on the network and a certain existing pattern file can
help identify the protocol, you can upgrade the Eudemon by activating the eligible pattern file.

The newly activated pattern file can overwrite the old pattern file.

Examples
# Activate the pattern file (No activated pattern file exists yet).
<Eudemon> system-view
[Eudemon] firewall p2p-car pattern-file active
Active pattern file successfully !

# Activate the pattern file (An activated pattern file exists already).
<Eudemon> system-view
[Eudemon] firewall p2p-car pattern-file active
The using version is 1.2.2.35,new version is 1.2.2.35,Overwrite it?[Y/N]:y
Active pattern file successfully !

2.20.14 firewall p2p-car relation-table aging-time

Function
Using the firewall p2p-car relation-table aging-time command, you can configure the aging
time for the relation table.

Format
firewall p2p-car relation-table aging-time aging-time

Parameters
aging-time: specifies the aging time of the relation table. It ranges from 1 second to 120 seconds.
The default value is 20 seconds.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
The relation table records the IP addresses and port numbers that use the P2P protocols. If a
newly created session matches an IP address and port number listed in the relation table, the
session is directly considered as a P2P session.

Examples
# Set the aging time of the relation table to 40 seconds.
<Eudemon> system-view
[Eudemon] firewall p2p-car relation-table aging-time 40

2.20.15 firewall p2p-detect behavior enable

Function
Using the firewall p2p-detect behavior enable command, you can enable global P2P behavior
detection.

Using the undo firewall p2p-detect behavior enable command, you can disable global P2P
behavior detection.

Format
firewall p2p-detect behavior enable

undo firewall p2p-detect behavior enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
After you run the command, the Eudemon can identify P2P sessions and provide statistics of
multiple types of packets according to the packet patterns. Behavior detection is not related to
traffic limiting.

In-depth detection is the main detection method. You can run the firewall p2p-detect
default-permit command to enable in-depth detection first. If in-depth detection is not adequate,
you can configure behavior detection, which specifically detects the encrypted data flows.

Examples
# Enable global P2P behavior detection.
<Eudemon> system-view
[Eudemon] firewall p2p-detect behavior enable

Related Topics
2.20.11 firewall p2p-car default-permit

2.20.16 firewall p2p-detect default-permit

Function
Using the firewall p2p-detect default-permit command, you can enable the global P2P traffic
in-depth detection function.

Using the undo firewall p2p-detect default-permit command, you can disable the global P2P
traffic in-depth detection function.

Format
firewall p2p-detect default-permit

undo firewall p2p-detect default-permit

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
After you run the firewall p2p-detect default-permit command, the Eudemon can identify the
P2P protocols supported by the current system and take the statistics of traffic of each protocol.
However, the Eudemon does not restrict P2P traffic.

If traffic limiting has been configured, you do not have to configure detection policies and the
system implements in-depth detection by default.

Examples
# Enable the global P2P traffic in-depth detection function.
<Eudemon> system-view
[Eudemon] firewall p2p-detect default-permit

Related Topics
2.20.15 firewall p2p-detect behavior enable

2.20.17 firewall p2p-detect packet-number

Function
Using the firewall p2p-detect packet-number command, you can configure the maximum
number of P2P packets that the Eudemon detects for each P2P session.
Using the undo firewall p2p-detect packet-number command, you can restore the default.

Format
firewall p2p-detect packet-number number
undo firewall p2p-detect packet-number

Parameters
number: indicates the maximum number of P2P packets detected. The value is an integer in a
range of 1 to 48. The default value is 2.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
For an unknown P2P session, the Eudemon detects the session according to the configured
maximum number of P2P packets. If the system cannot identify the session by the time the
maximum number of detected packets is reached, the system does not process the session as a
P2P session.
When P2P behavior detection is configured, it is recommended that you set the number of
packets detected to more than 5.

Examples
# Configure the maximum number of the P2P packets detected as 5.
<Eudemon> system-view
[Eudemon] firewall p2p-detect packet-number 5

2.20.18 p2p-car

Function
Using the p2p-car command, you can apply the P2P traffic limiting policy to the specified
interzone.

Format
p2p-car acl-number class class-number { inbound | outbound }
undo p2p-car acl-number class class-number { inbound | outbound }

Parameters
acl-number: specifies the ACL number. It ranges from 2000 to 3999. ACL 2000 through 2999
are basic ACL rules, and ACL 3000 through 3999 are advanced ACL rules. The permit statement
of an ACL rule specifies users who need to be limited in traffic while the deny statement specifies
users who need not be restricted.

class-number: specifies the number of the P2P class. It ranges from 0 to 6.

inbound: indicates that the P2P traffic limiting policy is applied to the inbound packets.

outbound: indicates that the P2P traffic limiting policy is applied to the outbound packets.

Views
Interzone view

Default Level
2: Configuration level

Usage Guidelines
If multiple class-numbers are configured in one direction of the traffic specified by the same
ACL, the traffic limit policy corresponding to the minimum class-number will be matched.

A class can be referenced by only one ACL.

The interzone traffic limit policy has a higher priority than the global default traffic limit policy.

Examples
# Apply P2P-class 1 to the inbound direction between the Trust and Untrust zones.
<Eudemon> system-view
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] p2p-car 2000 class 1 inbound

Related Topics
2.20.19 p2p-class
2.20.11 firewall p2p-car default-permit

2.20.19 p2p-class

Function
Using the p2p-class command, you can enter a specific P2P class view.

Using the undo p2p-class command, you can remove the current configuration of a P2P class
and initialize its settings. Once the command is run, all time range and bandwidth options
configured for this P2P class become invalid and the default committed traffic rate is restored
to 100 kbit/s.

Format
p2p-class class-number

undo p2p-class class-number

Parameters
class-number: specifies the number of the P2P class. It ranges from 0 to 6.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Enter the P2P class 1 view.
<Eudemon> system-view
[Eudemon] p2p-class 1
[Eudemon-p2p-class-1]

# Remove the configuration of P2P class 1 and initialize its settings.
<Eudemon> system-view
[Eudemon] undo p2p-class 1
The class configuration will be initialized ,Continue? [Y/N]:y

2.20.20 p2p-detect enable

Function
Using the p2p-detect enable command, you can enable inter-zone P2P detection.

Using the undo p2p-detect enable command, you can disable inter-zone P2P detection.

Format
p2p-detect enable

undo p2p-detect enable

Parameters
None

Views
Interzone view

Default Level
2: Configuration level

Usage Guidelines
After inter-zone P2P detection is enabled, inter-zone P2P sessions are detected using depth
detection.

Configure this detection only for specific zones that require P2P detection between them to
narrow down the detection range and improve performance.

If a traffic limit policy is configured, no detection policy needs to be configured and the default
depth detection mode can be used. If P2P detection needs to be used independently without
limiting traffic, or if detection is performed to improve the P2P identification ratio, you can
configure the P2P detection policy.

Examples
# Enable inter-zone P2P detection.
<Eudemon> system-view
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] p2p-detect enable

2.20.21 p2p-detect mode

Function
Using the p2p-detect mode command, you can configure inter-zone P2P detection mode.

Using the undo p2p-detect mode command, you can cancel the configured inter-zone P2P
detection mode.

Format
p2p-detect mode { default | behavior }

undo p2p-detect mode { default | behavior }

Parameters
default: Uses depth detection as the P2P detection mode.

behavior: Uses behavior detection as the P2P detection mode.

Views
Interzone view

Default Level
2: Configuration level

Usage Guidelines
After this command is executed, Eudemon identifies P2P sessions by using the configured
detection mode, independent of traffic limiting.

The inter-zone detection policy has a higher priority than the global detection policy.

If no global or inter-zone traffic limit policy is configured, the configured detection mode takes
effect only after the p2p-detect enable command is executed. Otherwise, no P2P detection will
be performed.

Examples
# Configure the inter-zone P2P detection mode as behavior detection.
<Eudemon> system-view
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] p2p-detect mode behavior

Related Topics
2.20.20 p2p-detect enable
2.20.16 firewall p2p-detect default-permit
2.20.15 firewall p2p-detect behavior enable

2.20.22 reset p2p-car relation-table

Function
Using the reset p2p-car relation-table command, you can clear the contents of the relation
table.

Format
reset p2p-car relation-table

Parameters
None

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Clear the contents of the relation table.
<Eudemon> reset p2p-car relation-table

2.20.23 reset p2p-car statistic

Function
Using the reset p2p-car statistic command, you can clear P2P statistics.

Format
reset p2p-car statistic

Parameters
None

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Clear P2P statistics.
<Eudemon> reset p2p-car statistic

2.20.24 undo cir index

Function
Using the undo cir index command, you can delete the setting of the committed P2P traffic rate
configured for the specified time range of the P2P class.

Format
undo cir index index

Parameters
index: specifies the index number of the time range of the P2P class. It ranges from 1 to 9.

Views
P2P-class view

Default Level
3: Management level

Usage Guidelines
None

Examples
# Remove the setting of the committed P2P traffic rate indexed 1 for P2P class 1.
<Eudemon> system-view
[Eudemon] p2p-class 1
[Eudemon-p2p-class-1] undo cir index 1

Related Topics
2.20.1 cir

2.21 Secospace Cooperation Configuration Commands


2.21.1 cut access-user (Secospace Cooperation Configuration View)
2.21.2 debugging right-manager
2.21.3 default acl 3099
2.21.4 display right-manager online-users
2.21.5 display right-manager role-id rule
2.21.6 display right-manager role-info
2.21.7 display right-manager server-group
2.21.8 display right-manager statistics
2.21.9 local
2.21.10 right-manager server-group
2.21.11 right-manager server-group enable
2.21.12 right-manager status-detect enable
2.21.13 right-manager user user-name ip roles
2.21.14 server ip
2.21.15 sync role-info

2.21.1 cut access-user (Secospace Cooperation Configuration View)

Function
Using the cut access-user command, you can force the specified user to log out.

Format
cut access-user { all | ip ip-address | user-name user-name }

Parameters
all: specifies all online users.

ip-address: specifies the IP address of the online user in the form of dotted decimal notation.

user-name: specifies the user name of the online user with a string, in the range of 1 character
to 32 characters.

Views
Secospace cooperation configuration view

Default Level
2: Configuration level

Usage Guidelines
Users may be forced to log out when specific abnormalities occur. In such cases, run the cut
access-user command.

Examples
# Force a user to log out by the IP address and the user name respectively.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm] cut access-user ip 2.2.2.2
[Eudemon-rightm] cut access-user user-name Tom

2.21.2 debugging right-manager

Function
Using the debugging right-manager command, you can enable Secospace cooperation
debugging.

Using the undo debugging right-manager command, you can disable Secospace cooperation
debugging.

Format
debugging right-manager { all | event | message | packet | user [ ip ip-address | user-name user-name ] }

Parameters
all: displays all debugging information.
event: displays the event debugging information.
message: displays the message debugging information.
packet: displays the packet debugging information.
user: displays the login and logout debugging information of all users.
ip-address: displays the login and logout debugging information of users of the specified IP
address.
user-name: displays the login and logout debugging information of the user(s) of the specified
user name.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, debugging is disabled.

Examples
# Enable all debugging information.
<Eudemon> debugging right-manager all
*0.169652666 Eudemon RIGHTM/8/debug:EVENT from MAIN Module Receive a refresh msg from nps.
*0.170129066 Eudemon RIGHTM/8/debug:EVENT from COPS Module connect to 10.1.2.2.
*0.170262433 Eudemon RIGHTM/8/debug:USER name_Tom(1.6.165.5) from CONFIG Module logout
*0.170376183 Eudemon RIGHTM/8/debug:USER (1.6.165.5) from CONFIG Module login
Online users reaches max number !
delete user fail !

Table 2-22 Description of the debugging right-manager command output

| Item | Description |
|---|---|
| EVENT from MAIN Module Receive a refresh msg from nps | The MAIN module receives a refresh message from the NPS. |
| EVENT from COPS Module connect to 10.1.2.2 | The COPS connection is set up successfully. |
| logout | The user logs out successfully. |
| login | The user logs in successfully. |
| Online users reaches max number | The number of online users reaches the upper limit and other users cannot log on. |
| delete user fail ! | Forcing a user to log out fails because the user does not exist. |

2.21.3 default acl 3099

Function
Using the default acl 3099 command, you can specify the default ACL rule group number.
Using the undo default acl 3099 command, you can cancel the default ACL rule group number.

Format
default acl 3099
undo default acl 3099

Parameters
None

Views
Secospace cooperation configuration view

Default Level
2: Configuration level

Usage Guidelines
After this command is configured, the system prompts you to confirm whether to delete the
existing ACL rules. If you enter Y (yes), the existing ACL rules of ACL group 3099 are
deleted.

CAUTION
The default ACL rule group number can only be 3099. If the ACL rule group number is configured
as another value, the Eudemon does not support the ACL group.
The default ACL rules (excluding rule 0 through 999) are generated by the Eudemon according
to the policy delivered by the Secospace server. You can customize rule 0 through 999 to meet
the requirements of special applications.

If you enable state detection with the 2.21.12 right-manager status-detect enable command,
the interzones indicate the interzone between the security zone where the user resides and the
security zone where the Secospace server resides, and the interzone between the security zone
where the user resides and the security zone where the controlled resource service resides.

If you did not enable state detection, the interzone indicates the interzone between the security
zone where the user resides and the security zone where the Secospace server resides.

Examples
# Configure the default ACL rule group number.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm] default acl 3099
The ACL 3099 will be deleted, continue? [Y/N]:y

Related Topics
2.21.10 right-manager server-group
2.21.11 right-manager server-group enable
2.21.14 server ip

2.21.4 display right-manager online-users

Function
Using the display right-manager online-users command, you can view the IP address and role
of an online user.

Format
display right-manager online-users [ ip ip-address | role-name role-name | user-name user-name ]

Parameters
ip-address: specifies the IP address of the online user in the form of dotted decimal notation.

role-name: specifies the role name of the online user. It is a string of 1 to 32 characters long.

user-name: specifies the user name of the online user. It is a string of 1 to 32 characters long.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
A role can be used for many users and a user can use multiple roles. You can specify at most 16
roles for a user.

Examples
# View the online users.
<Eudemon> display right-manager online-users
-------------------------------------------------------------------------
Username : name_Tom
Ip : 1.1.5.165
LoginTime : 15:57:56 2007-12-14
Rolename : kk1
RoleId : 1
-------------------------------------------------------------------------
Username : name_John
Ip : 2.1.5.166
LoginTime : 15:57:56 2007-12-15
Rolename : kk1
RoleId : 1

# View the online users at 1.1.5.165.
[Eudemon] display right-manager online-users ip 1.1.5.165
-------------------------------------------------------------------------
Username : name_Tom
Ip : 1.1.5.165
LoginTime : 15:57:56 2007-12-14
Rolename : kk1
RoleId : 1

# View the online users whose role name is "kk2".
[Eudemon] display right-manager online-users role-name kk2
-------------------------------------------------------------------------
Username : name_Rose
Ip : 30.1.5.111
LoginTime : 15:57:56 2007-12-12
Rolename : kk2
RoleId : 2

# View the online users named "name_Tom".
[Eudemon] display right-manager online-users user-name name_Tom
-------------------------------------------------------------------------
Username : name_Tom
Ip : 1.1.5.165
LoginTime : 15:57:56 2007-12-14
Rolename : kk1
RoleId : 1

Table 2-23 Description of the display right-manager online-users command output

| Item | Description |
|---|---|
| Username | User name of the online user. |
| Ip | IP address of the online user. |
| LoginTime | Login time of the online user. |
| Rolename | Role of the online user with a string; able to display up to 16 role names. |
| RoleId | Role of the online user with a string; able to display up to 16 role names. |

2.21.5 display right-manager role-id rule

Function
Using the display right-manager role-id rule command, you can view the rules that are
associated with the specified roles.

Format
display right-manager role-id role-id rule

Parameters
role-id: specifies the role ID. It is an integer, in the range of 1 to 900.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# View the rules of the specified role.
<Eudemon> display right-manager role-id 8 rule
This role has no rule!
<Eudemon> display right-manager role-id 1 rule
Advanced ACL 3100, 2 rules
Acl's step is 1
rule 2 deny ip destination 100.100.100.0 0.0.0.255
rule 6 permit ip

2.21.6 display right-manager role-info

Function
Using the display right-manager role-info command, you can view the role information about
all users.

Format
display right-manager role-info

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# View the role information about the user.
<Eudemon> display right-manager role-info
All Role count:10
Role ID ACL3xxx Rolename
--------------------------------------------------------------------
Role 0 3099 default
Role 1 3100 BaseResGroup
Role 2 3101 kk2
Role 3 3102 kk3
Role 4 3103 kk4
--------------------------------------------------------------------
Role 5 3104 kk5
Role 6 3105 kk6
Role 7 3106 kk7
Role 8 3107 kk8
Role 9 3108 kk9
-------------------------------------------------------------------

Table 2-24 Description of the display right-manager role-info command output

| Item | Description |
|---|---|
| RoleID | Indicates the role ID. The role ID ranges from 1 to 900. The value 0 represents the default rule. |
| ACL3xxx | Indicates the advanced ACL group number of the role. |
| Rolename | Indicates the role name. |


NOTE
One role name maps to one role ID.

2.21.7 display right-manager server-group

Function
Using the display right-manager server-group command, you can view the information about
the current server group configured on the Eudemon.

Format
display right-manager server-group

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# View the information about the current server group configured on the Eudemon.
<Eudemon> display right-manager server-group
Server-state : Enable
Server-number: 5
Server-ip-address port state master important
192.168.10.10 3288 active Y Y
10.0.0.1 3288 inactive N Y
10.0.0.2 3288 inactive N N
10.0.0.3 3288 inactive N Y
10.0.0.4 3288 inactive N N

Table 2-25 Description of the display right-manager server-group command output

| Item | Description |
|---|---|
| Server-state | Indicates whether the server group is enabled. Enable indicates that the server group is effective. Disable indicates that the server group is ineffective. |
| Server-number | Indicates the number of servers in a server group. There are five servers in the group here. |
| Server-ip-address | Indicates the server IP address. |
| port | Indicates the port for communications with servers. |
| state | Indicates the connection state of the server. active indicates that the connection is normal. inactive indicates that the connection is abnormal. |
| master | If this item is Y, the server is a master server. |
| important | If this item is Y, the server is an important server. |

NOTE

- Multiple Secospace servers can be deployed. One of the Secospace servers is the master, and the others
  are slaves. The Eudemon connects with the master. Upon disconnection with the master, the
  Eudemon attempts to connect with the slaves.
- Up to three Secospace servers can be specified as important servers. There is no direct relationship
  between an important server and a master server.
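
The following added example (not part of the Huawei reference) parses the output shown above, checks it against the NOTE, and evaluates the conditions listed under 2.21.12 right-manager status-detect enable in which all users are granted all rights. Per-server link status is passed in by the caller as an assumption, because the page does not say that the state column is what state inspection evaluates; the function and class names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Output copied from the display right-manager server-group example above.
SAMPLE = """\
Server-state : Enable
Server-number: 5
Server-ip-address port state master important
192.168.10.10 3288 active Y Y
10.0.0.1 3288 inactive N Y
10.0.0.2 3288 inactive N N
10.0.0.3 3288 inactive N Y
10.0.0.4 3288 inactive N N
"""

ROW = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(active|inactive)\s+([YN])\s+([YN])$"
)


@dataclass
class Server:
    ip: str
    port: int
    state: str        # "active" or "inactive", as printed by the device
    master: bool
    important: bool


@dataclass
class ServerGroup:
    enabled: bool
    declared: int     # value of the Server-number field
    servers: List[Server]


def parse_server_group(text: str) -> ServerGroup:
    enabled, declared, servers = False, 0, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("server-state"):
            enabled = line.split(":", 1)[1].strip().lower() == "enable"
        elif line.lower().startswith("server-number"):
            declared = int(line.split(":", 1)[1])
        else:
            match = ROW.match(line)      # the column header does not match
            if match:
                ip, port, state, master, important = match.groups()
                servers.append(
                    Server(ip, int(port), state, master == "Y", important == "Y")
                )
    return ServerGroup(enabled, declared, servers)


def config_findings(group: ServerGroup) -> List[str]:
    """Compare the parsed group with the constraints stated in the NOTE."""
    findings = []
    if not group.enabled:
        findings.append("server group is disabled")
    if group.declared != len(group.servers):
        findings.append(
            f"Server-number is {group.declared} but {len(group.servers)} rows parsed"
        )
    masters = sum(1 for s in group.servers if s.master)
    if masters != 1:
        findings.append(f"expected exactly one master, found {masters}")
    if sum(1 for s in group.servers if s.important) > 3:
        findings.append("more than three important servers")
    return findings


def grants_all_rights(group: ServerGroup, link_up: Dict[str, bool]) -> bool:
    """True when the 2.21.12 rules say every user is granted all rights.

    link_up maps server IP to link status measured by the caller; a server
    missing from the map is treated as down so the check errs towards alerting.
    """
    def down(server: Server) -> bool:
        return not link_up.get(server.ip, False)

    servers = group.servers
    if not servers:
        return False                      # the rules only cover configured servers
    if len(servers) == 1:
        return down(servers[0])           # single server: its link is down
    important = [s for s in servers if s.important]
    if important:
        return any(down(s) for s in important)   # any important link down
    return all(down(s) for s in servers)         # common servers: all links down


if __name__ == "__main__":
    group = parse_server_group(SAMPLE)
    print("findings:", config_findings(group) or "none")
    links = {s.ip: True for s in group.servers}
    links["10.0.0.3"] = False             # constructed: one important server unreachable
    print("all rights granted:", grants_all_rights(group, links))
```
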

2.21.8 display right-manager statistics

Function
Using the display right-manager statistics command, you can view the statistics of right
management.

Format
display right-manager statistics

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# View the statistics of right management.
[Eudemon] display right-manager statistics
Online user number : 23
In all login times : 24
In all logout times : 1
Received COPS packets number : 28
Send COPS packets number : 28
COPS packets error number : 0
Protocol process error number : 0

Table 2-26 Description of the display right-manager statistics command output

| Item | Description |
|---|---|
| Online user number | Number of online users |
| In all login times | Number of login attempts |
| In all logout times | Number of logout attempts |
| Received COPS packets number | Number of COPS packets that are received |
| Sent COPS packets number | Number of COPS packets that are sent |
| COPS packets error number | Number of COPS packet errors |
| Protocol process error number | Number of protocol process errors |

2.21.9 local

Function
Using the local command, you can bind a specific IP address or Ethernet interface. After this
command is configured, the Eudemon connects with the Secospace server through the bound IP
address or through the Ethernet interface.
Using the undo local command, you can remove the IP address or Ethernet interface bound with
the Eudemon.

Format
local { ip ip-address | interface interface-type interface-number }
undo local { ip | interface }

Parameters
ip ip-address: specifies the IP address that is bound to the Eudemon and used for connecting
with the Secospace server. After the IP address is set, the Eudemon connects with the Secospace
server through this IP address only.
interface interface-type interface-number: specifies the Ethernet interface that is bound to the
Eudemon and used to connect with the Secospace server. After the interface is configured, the
Eudemon connects with the Secospace server through this interface only.

Views
Secospace cooperation configuration view

Default Level
2: Configuration level

Usage Guidelines
Use this command only when the Eudemon must connect to the Secospace server by using a
specific interface or IP address.

Examples
# Bind Ethernet 0/0/0 with the Eudemon for connecting with the Secospace server.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm] local interface Ethernet 0/0/0

2.21.10 right-manager server-group

Function
Using the right-manager server-group command, you can enter the Secospace cooperation
configuration view. You can perform Secospace cooperation and related configuration after the
command is executed.

Format
right-manager server-group

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Enter the Secospace cooperation configuration view.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm]

2.21.11 right-manager server-group enable

Function
Using the right-manager server-group enable command, you can enable the Secospace server
group.
Using the undo right-manager server-group enable command, you can disable the Secospace
server group.

Format
right-manager server-group enable
undo right-manager server-group enable

Parameters
None

Views
Secospace cooperation configuration view

Default Level
2: Configuration level

Usage Guidelines
When the server group is enabled, the Eudemon immediately attempts to connect to the servers
in the group. After the connection is established successfully, the Eudemon can receive the roles
and role rules delivered by the Secospace server.
By default, the Secospace server group function is disabled.

Examples
# Enable the Secospace server group.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm] right-manager server-group enable

2.21.12 right-manager status-detect enable

Function
Using the right-manager status-detect enable command, you can enable state inspection.

Using the undo right-manager status-detect enable command, you can disable state
inspection.

Format
right-manager status-detect enable

undo right-manager status-detect enable

Parameters
None

Views
Secospace cooperation configuration view

Default Level
2: Configuration level

Usage Guidelines
In the following cases, the Eudemon allows all users to obtain network resources:

- If only one server is added, all the rights are granted to the user when the link between
  the server and the Eudemon goes down. When the fault is rectified, the original rights
  control is restored.
- If multiple common servers are added, all the rights are granted to the user only when the
  links between all the servers and the Eudemon go down. The original rights control is
  restored if any of the servers recovers.
- If multiple servers, including important and common servers, are added, all the rights are
  granted to the user as long as the link between an important server and the Eudemon goes
  down. The original rights control is restored only when the links between all the important
  servers and the Eudemon recover.

Examples
# Enable the status-detect function.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm] right-manager status-detect enable

2.21.13 right-manager user user-name ip roles

Function
Using the right-manager user user-name ip command, you can help privileged users obtain
corresponding access permissions without authentication.
Using the undo right-manager user user-name ip command, you can withdraw the permission
of a privileged user.

Format
right-manager user user-name user-name ip ip-address roles { role-id role-id &<1-16> | role-name role-name &<1-16> }
undo right-manager user user-name ip ip-address

Parameters
user-name: specifies the name of the privileged user. It is a string of 1 to 32 characters.
ip-address: specifies the IP address of the privileged user in dotted decimal notation.
role-id: specifies the role ID of the privileged user. It is an integer in the range from 1 to 900.
role-name: specifies the role name of the privileged user. It is a string of 1 to 32 characters.

Views
Secospace cooperation configuration view

Default Level
2: Configuration level

Usage Guidelines
After this command is configured, you can add a privileged user (the user name does not exist
yet) or modify the role of a user (the user name already exists).
Once the special access permission is withdrawn, the user needs to pass authentication
to obtain the desired access permission.
The mappings between IP address, role, and user are:
- One role name maps one role ID
- One role can map multiple users
- One user can have multiple roles. You can specify at most 16 roles for a user
- One IP address maps one user
- IP addresses are not directly related to roles

Examples
# Add a new online user lisa with the IP address of 10.0.0.1 and role ID of 5.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm] right-manager user user-name lisa ip 10.0.0.1 roles role-id 5

2.21.14 server ip

Function
Using the server ip command, you can add Secospace servers.
Using the undo server ip command, you can delete Secospace servers.

Format
server ip ip-address [ important ] [ port port-number ] [ shared-key key ]
undo server ip ip-address port port-number

Parameters
ip-address: specifies the IP address of the Secospace server in the form of dotted decimal
notation.
important: specifies a Secospace server to be an important server. If the disconnection of a
Secospace server from the Eudemon has a significant impact, the server can be specified as an
important server. By default, the Secospace server is an ordinary server. You can specify up to
three important servers.
port-number: specifies the number of the port used between the Eudemon and the Secospace
server. It is an integer in the range of 1025 to 65535. By default, this value is 3288.
key: specifies the pre-shared key for the Eudemon and the Secospace server. It is a string with
a length in the range of 1 to 128. By default, the key is secospace.

Views
Secospace cooperation configuration view

Default Level
2: Configuration level

Usage Guidelines
Only after the default acl 3099 command is executed can the Secospace server be added
successfully.
When the Secospace servers are added and the server group is enabled through the command
right-manager server-group enable, the Eudemon immediately attempts to connect with the
Secospace servers.

Examples
# Add an important Secospace server.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm] server ip 12.33.44.55 important

Related Topics
2.21.3 default acl 3099
2.21.11 right-manager server-group enable
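
The following is an added example, not part of the original manual: a pre-deployment check that reads server ip lines, flags values the manual gives as defaults or limits (default key secospace, port range 1025 to 65535, at most three important servers), and evaluates the three link-failure cases listed under right-manager status-detect enable. The sample configuration, the documentation-range addresses, and all function names are constructed for illustration.

```python
import re

DEFAULT_PORT = 3288        # default port stated in the server ip section
DEFAULT_KEY = "secospace"  # default pre-shared key stated in the server ip section
MAX_IMPORTANT = 3          # "You can specify up to three important servers."

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
server ip 192.0.2.10 important port 4000 shared-key Example-Key-01
server ip 192.0.2.11 important
server ip 192.0.2.20 port 3288 shared-key secospace
server ip 192.0.2.21 port 80
"""

# Follows the Format line: server ip ip-address [ important ] [ port n ] [ shared-key key ]
SERVER_RE = re.compile(
    r"^server ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?P<important> important)?"
    r"(?: port (?P<port>\d+))?"
    r"(?: shared-key (?P<key>\S+))?$"
)


def parse_servers(text):
    """Return one dict per 'server ip' line, with omitted options set to the defaults."""
    servers = []
    for line in text.splitlines():
        m = SERVER_RE.match(line.strip())
        if not m:
            continue
        servers.append({
            "ip": m["ip"],
            "important": m["important"] is not None,
            "port": int(m["port"]) if m["port"] else DEFAULT_PORT,
            "key": m["key"] if m["key"] else DEFAULT_KEY,
        })
    return servers


def audit(servers):
    """Return (ip, finding) tuples for settings a reviewer should question."""
    findings = []
    for s in servers:
        if s["key"] == DEFAULT_KEY:
            findings.append((s["ip"], "default shared key"))
        if len(s["key"]) > 128:
            findings.append((s["ip"], "key longer than 128"))
        if not 1025 <= s["port"] <= 65535:
            findings.append((s["ip"], "port out of range"))
    if sum(s["important"] for s in servers) > MAX_IMPORTANT:
        findings.append(("*", "more than three important servers"))
    return findings


def all_rights_granted(servers, down_ips):
    """True when, per the three cases in the usage guidelines, every user
    is granted all rights because of Secospace link failures."""
    if not servers:
        return False  # assumption: the manual does not cover an empty group
    important = [s for s in servers if s["important"]]
    if important:
        # Any important server link down opens access; it closes again
        # only when all important server links are back up.
        return any(s["ip"] in down_ips for s in important)
    # One server, or only common servers: all links must be down.
    return all(s["ip"] in down_ips for s in servers)


if __name__ == "__main__":
    group = parse_servers(SAMPLE_CONFIG)
    for ip, finding in audit(group):
        print(ip, finding)
    print("fail-open with 192.0.2.11 down:",
          all_rights_granted(group, {"192.0.2.11"}))
```

The model makes the trade-off visible: marking a server as important makes the loss of that single link sufficient to lift access control for all users.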

2.21.15 sync role-info

Function
Using the sync role-info command, you can manually synchronize roles and role rules from the
Secospace server.

Format
sync role-info [ role-id role-id | role-name role-name ]

Parameters
role-id: specifies the role ID. It is an integer in the range of 0 to 900.
role-name: specifies the role name. It is a string of 1 to 32 characters.

Views
Secospace cooperation configuration view

Default Level
2: Configuration level

Usage Guidelines
Secospace periodically notifies the Eudemon of roles and role rules. Roles and role rules can
also be synchronized manually from the Secospace server by executing this command.
Use this command for manual synchronization only when automatic synchronization of roles
and role rules cannot be completed normally because the Eudemon has a fault or the link state
is poor.

Examples
# Synchronize the third role.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm] sync role-info role-id 3

# Synchronize all roles.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm] sync role-info

# Synchronize roles based on the role name ring.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm] sync role-info role-name ring

2.22 IP-CAR Configuration Commands


2.22.1 debugging firewall ip-car
2.22.2 display firewall car-class
2.22.3 display firewall conn-class
2.22.4 display firewall statistic ip-car
2.22.5 display ip monitor table
2.22.6 firewall car-class
2.22.7 firewall conn-class
2.22.8 ip-car
2.22.9 ip-car enable
2.22.10 ip-car filter
2.22.11 ip-conn
2.22.12 ip-conn filter
2.22.13 reset firewall statistic ip-car zone

2.22.1 debugging firewall ip-car

Function
Using the debugging firewall ip-car command, you can enable the IP-CAR module debugging.

Format
debugging firewall ip-car { error | event | all }
undo debugging firewall ip-car { error | event | all }

Parameters
error: indicates the IP-CAR module error debugging.
all: indicates all IP-CAR module debugging.
event: indicates the IP-CAR module event debugging.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Enable all IP-CAR debugging.
<Eudemon> debugging firewall ip-car all

When the Eudemon initializes the session table, the following debugging information is
displayed during detection:
<Eudemon>
*0.63312866 Eudemon IPCAR/8/Event:[Session init],[TCP] 192.168.88.1[3084]->192.168.88.10[21]
*0.63312966 Eudemon IPCAR/8/Event:[First receive SrcIP need car],[TCP] 192.168.88.1[3084]->192.168.88.10[21]
*0.63317783 Eudemon IPCAR/8/Event:[Session init],[TCP] 192.168.88.10[20]->192.168.88.1[3086]
*0.63317883 Eudemon IPCAR/8/Event:[First receive DstIP need car],[TCP] 192.168.88.10[20]->192.168.88.1[3086]

The following debugging information is displayed when packets are dropped by IP-CAR:
*0.63318016 Eudemon IPCAR/8/Event:[Fast receive Packet droped by dstip],[TCP] 192.168.88.10[20]->192.168.88.1[3086]
*0.63319116 Eudemon IPCAR/8/Event:[Fast receive Packet droped by dstip],[TCP] 192.168.88.10[20]->192.168.88.1[3086]
*0.63322216 Eudemon IPCAR/8/Event:[Fast receive Packet droped by dstip],[TCP] 192.168.88.10[20]->192.168.88.1[3086]
*0.63328416 Eudemon IPCAR/8/Event:[Fast receive Packet droped by dstip],[TCP] 192.168.88.10[20]->192.168.88.1[3086]
*0.63340816 Eudemon IPCAR/8/Event:[Fast receive Packet droped by dstip],[TCP] 192.168.88.10[20]->192.168.88.1[3086]
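
The following is an added example, not part of the original manual: a parser for captured IP-CAR debugging output that re-joins lines wrapped by the terminal and counts drop events per flow, so that the flows hitting a limit stand out. The record layout is inferred only from the lines shown above; the function names and the threshold are assumptions.

```python
import re
from collections import Counter

# Lines copied from the debugging output above. The first two records are left
# wrapped, as a narrow terminal capture would show them, to exercise re-joining.
SAMPLE = """\
<Eudemon>
*0.63317783 Eudemon IPCAR/8/Event:[Session init],[TCP] 192.168.88.10[20]-
>192.168.88.1[3086]
*0.63317883 Eudemon IPCAR/8/Event:[First receive DstIP need car],[TCP]
192.168.88.10[20]->192.168.88.1[3086]
*0.63318016 Eudemon IPCAR/8/Event:[Fast receive Packet droped by dstip],[TCP] 192.168.88.10[20]->192.168.88.1[3086]
*0.63319116 Eudemon IPCAR/8/Event:[Fast receive Packet droped by dstip],[TCP] 192.168.88.10[20]->192.168.88.1[3086]
*0.63322216 Eudemon IPCAR/8/Event:[Fast receive Packet droped by dstip],[TCP] 192.168.88.10[20]->192.168.88.1[3086]
*0.63328416 Eudemon IPCAR/8/Event:[Fast receive Packet droped by dstip],[TCP] 192.168.88.10[20]->192.168.88.1[3086]
*0.63340816 Eudemon IPCAR/8/Event:[Fast receive Packet droped by dstip],[TCP] 192.168.88.10[20]->192.168.88.1[3086]
"""

EVENT_RE = re.compile(
    r"^\*(?P<ts>\S+) (?P<host>\S+) IPCAR/(?P<level>\d+)/Event:"
    r"\[(?P<event>[^\]]+)\],\[(?P<proto>\w+)\]\s*"
    r"(?P<src>[\d.]+)\s*\[(?P<sport>\d+)\]->"
    r"(?P<dst>[\d.]+)\s*\[(?P<dport>\d+)\]$"
)
# The device spells the word "droped"; match the output as printed.
DROP_RE = re.compile(r"Packet droped by (\w+)")


def join_wrapped(text):
    """Re-assemble records: every record starts with '*', other lines continue it."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("<"):  # skip blanks and CLI prompts
            continue
        if line.startswith("*") or not records:
            records.append(line)
        else:
            records[-1] += line
    return records


def parse_events(text):
    """Return one dict per recognised IPCAR event record."""
    events = []
    for record in join_wrapped(text):
        m = EVENT_RE.match(record)
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def drops_by_flow(events):
    """Count drop events keyed by (proto, src, sport, dst, dport, reason)."""
    counts = Counter()
    for ev in events:
        m = DROP_RE.search(ev["event"])
        if m:
            counts[(ev["proto"], ev["src"], ev["sport"],
                    ev["dst"], ev["dport"], m.group(1))] += 1
    return counts


def flows_over(events, threshold):
    """Flows with at least `threshold` drop events in the capture."""
    return sorted(f for f, n in drops_by_flow(events).items() if n >= threshold)


if __name__ == "__main__":
    for flow, n in drops_by_flow(parse_events(SAMPLE)).items():
        print(n, flow)
```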

2.22.2 display firewall car-class

Function
Using the display firewall car-class command, you can view information about bandwidth limit
classes.

Format
display firewall car-class

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the configuration of each bandwidth limit class.
<Eudemon> display firewall car-class
Car-class Bandwidth(bps)
0 1000000
1 1000001
2 1000000
3 1000000
4 1000000
5 1000000
6 1000000
7 1000000

2.22.3 display firewall conn-class

Function
Using the display firewall conn-class command, you can view information about connection
number limit classes.

Format
display firewall conn-class

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the configuration of all connection number limit classes.
<Eudemon> display firewall conn-class
Conn-class Number
0 1000
1 1001
2 1000
3 10000
4 1000
5 1000
6 1000
7 1000

2.22.4 display firewall statistic ip-car

Function
Using the display firewall statistic ip-car command, you can view the IP-CAR statistics.

Format
display firewall statistic ip-car { inzone | outzone | zone zone-name { inzone | outzone } }

Parameters
inzone: displays the inbound IP-CAR statistics for all security zones.
outzone: displays the outbound IP-CAR statistics for all security zones.
zone zone-name: displays the inbound or outbound IP-CAR statistics for a specific security zone.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# View the inbound IP-CAR statistics for all security zones.
<Eudemon> display firewall statistic ip-car inzone
Statistic Zone
Zone      ConnDrop(TCP/UDP)  TCPDiscard(Pkt/Oct)  UDPDiscard(Pkt/Oct)
local     0                  0                    0
          0                  0                    0
trust     10                 1235                 2896
          20                 235698               156670
untrust   0                  0                    0
          0                  0                    0
dmz       589                44094                0
          120                5869446              0

# View the inbound IP-CAR statistics for the Trust zone.
<Eudemon> display firewall statistic ip-car zone trust inzone
Statistic Zone:trust
ConnDrop(TCP/UDP)  TCPDiscard(Pkt/Oct)  UDPDiscard(Pkt/Oct)
10                 1235                 2896
20                 235698               156670

Table 2-27 Description of the display firewall statistic ip-car command output
Item                 Description
ConnDrop(TCP/UDP)    Number of failed TCP/UDP connections. The first line is the number of failed TCP connections and the second line is the number of failed UDP connections.
TCPDiscard(Pkt/Oct)  TCP traffic discarded. The first line is the number of packets. The second line is the bytes.
UDPDiscard(Pkt/Oct)  UDP traffic discarded. The first line is the number of packets. The second line is the bytes.

2.22.5 display ip monitor table

Function
Using the display ip monitor table command, you can view the contents of the source IP
address-based monitoring table or destination IP address-based monitoring table.

Format
display { source | destination } ip monitor table [ ip ip-address ]

Parameters
ip-address: specifies the IP address for viewing the source IP address-based monitoring table or
the destination IP address-based monitoring table.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the contents of the source IP address-based monitoring table.
<Eudemon> display source ip monitor table
Source_IP  MAX_CAR  Max_UDPConn  Cur_UDPConn  Max_TCPConn  Cur_TCPConn
--------------------------------------------------------------------------------
10.1.1.1   10000    1000         500          1000         200
--------------------------------------------------------------------------------
Total 1

Table 2-28 Description of the display source ip monitor table command output
Item         Description
Source_IP    Source IP address
MAX_CAR      Maximum bandwidth
Max_UDPConn  Maximum number of UDP connections
Cur_UDPConn  Number of current UDP connections
Max_TCPConn  Maximum number of TCP connections
Cur_TCPConn  Number of current TCP connections

2.22.6 firewall car-class

Function
Using the firewall car-class command, you can configure a bandwidth limit class and its
bandwidth threshold.

Using the undo firewall car-class command, you can restore the default bandwidth threshold
for a specific bandwidth limit class.

Format
firewall car-class class-number bandwidth

undo firewall car-class class-number

Parameters
class-number: specifies the number of the bandwidth class, in the range of 0 to 7.

bandwidth: specifies the upper limit of the bandwidth for the bandwidth limit class. It ranges
from 1000 to 500000000 bit/s. By default, the bandwidth threshold of each class is 1000000
bit/s. If the bandwidth threshold is set to 500000000 bit/s, the traffic is not restricted.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Set the bandwidth threshold of class 1 to 50000 bit/s.
<Eudemon> system-view
[Eudemon] firewall car-class 1 50000

2.22.7 firewall conn-class


Function
Using the firewall conn-class command, you can configure a connection number limit class and
its connection number threshold.
Using the undo firewall conn-class command, you can restore the default connection number
threshold for a specific connection number limit class.

Format
firewall conn-class class-number number
undo firewall conn-class class-number

Parameters
class-number: specifies the number of the connection class, in the range of 0 to 7.
number: specifies the upper limit of the connection number for the connection limit class. It
ranges from 1 to 65535. The default connection number threshold of each class is 1000.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Set the connection number threshold of class 1 to 10000.
<Eudemon> system-view
[Eudemon] firewall conn-class 1 10000

2.22.8 ip-car

Function
Using the ip-car command, you can bind a bandwidth limit class with users specified by a basic
ACL rule.
Using the undo ip-car command, you can remove the binding between the bandwidth limit class
and users.

Format
ip-car { inzone | outzone } class-number acl-number acl-number
undo ip-car { inzone | outzone } class-number acl-number acl-number

Parameters
inzone: indicates the inbound direction.
outzone: indicates the outbound direction.
class-number: specifies the number for the connection number limit class. It ranges from 0 to
7.
acl-number: specifies the number of basic ACLs. It ranges from 2000 to 2999.

Views
Security zone view

Default Level
2: Configuration level

Usage Guidelines
For each direction (inzone or outzone), up to eight (0 to 7) bandwidth limit classes can be
configured, and each class can be configured with only one basic ACL. If multiple classes are
configured with the same ACL, the lowest class applies to the user specified by the ACL.
Bandwidth limiting is needed for a user matched by the permit rule in the basic ACL. Bandwidth
limiting is not needed for a user matched by the deny rule.

Examples
# Bind users specified by ACL 2000 with bandwidth limit 20000 bit/s.
<Eudemon> system-view
[Eudemon] firewall car-class 1 20000
[Eudemon] acl 2000
[Eudemon-acl-basic-2000] rule permit source 1.0.0.1 0
[Eudemon-acl-basic-2000] quit
[Eudemon] firewall zone trust
[Eudemon-zone-trust] ip-car outzone 1 acl-number 2000

Related Topics
2.22.6 firewall car-class

2.22.9 ip-car enable

Function
Using the ip-car enable command, you can enable the IP-CAR function.
Using the undo ip-car enable command, you can disable the IP-CAR function.

Format
ip-car enable
undo ip-car enable

Parameters
None

Views
Security zone view

Default Level
2: Configuration level

Usage Guidelines
Enabling or disabling the IP-CAR function does not affect the existing sessions.

Examples
# Enable the IP-CAR function in the Trust zone view.
<Eudemon> system-view
[Eudemon] firewall zone trust
[Eudemon-zone-trust] ip-car enable

2.22.10 ip-car filter

Function
Using the ip-car filter command, you can configure the bandwidth limit for users of advanced
ACLs.
Using the undo ip-car filter command, you can remove the bandwidth limit configuration for
users of advanced ACLs.

Format
ip-car { inzone | outzone } filter acl-number acl-number
undo ip-car { inzone | outzone } filter

Parameters
inzone: indicates the inbound direction.

outzone: indicates the outbound direction.

acl-number: specifies the number of advanced ACLs. It ranges from 3000 to 3999.

Views
Security zone view

Default Level
2: Configuration level

Usage Guidelines
If you need the limit to be accurate to a specific port or a destination IP address, you can employ
advanced ACL rules.

Advanced ACL rules are configured based on basic ACL rules. Before configuring this
command, check whether the IP addresses specified by the advanced ACL rules are among the
addresses specified by the related basic ACL rules.

Bandwidth limiting is needed for a user matched by the permit rule in the advanced ACL.
Bandwidth limiting is not needed for a user matched by the deny rule.

This command is configured after the ip-car command is executed to bind bandwidth limit class
with the basic ACL. This command can be configured only once in inzone or outzone direction.

If this command is configured, the Eudemon processes packets based on the following principle:
The Eudemon first refers to the advanced ACL rules for matching. If a deny statement of the
advanced ACL rules is matched, the bandwidth limit is not implemented and the Eudemon does
not use the basic ACL rules any more. If the deny statements of the advanced ACL rules are not
matched, the Eudemon uses the basic ACL rules. If a permit statement of the ACL rules is
matched, the bandwidth limit corresponding with the basic ACL rule is implemented; otherwise,
no limit measure is implemented.

Examples
# Specify limit-free configuration for the FTP port at 1.0.0.1.
<Eudemon> system-view
[Eudemon] firewall car-class 1 10000
[Eudemon] acl 2000
[Eudemon-acl-basic-2000] rule permit source 1.0.0.1 0
[Eudemon-acl-basic-2000] quit
[Eudemon] acl 3000
[Eudemon-acl-adv-3000] rule deny tcp source 1.0.0.1 0 source-port eq ftp
[Eudemon-acl-adv-3000] quit
[Eudemon] firewall zone trust
[Eudemon-zone-trust] ip-car outzone 1 acl-number 2000
[Eudemon-zone-trust] ip-car outzone filter acl-number 3000

Related Topics
2.22.8 ip-car

2.22.11 ip-conn

Function
Using the ip-conn command, you can bind a connection number limit class with users specified
by a basic ACL rule.
Using the undo ip-conn command, you can remove the binding between the connection number
limit class and users.

Format
ip-conn { tcp | udp } { inzone | outzone } class-number acl-number acl-number
undo ip-conn { tcp | udp } { inzone | outzone } class-number acl-number acl-number

Parameters
tcp: indicates that TCP connections are restricted.
udp: indicates that UDP connections are restricted.
inzone: indicates the inbound direction.
outzone: indicates the outbound direction.
class-number: specifies the number for the connection number limit class. It ranges from 0 to
7.
acl-number: specifies the number of basic ACLs. It ranges from 2000 to 2999.

Views
Security zone view

Default Level
2: Configuration level

Usage Guidelines
For each direction (inzone or outzone), up to eight (0 to 7) bandwidth limit classes can be
configured, and each class can be configured with only one basic ACL. If multiple classes are
configured with the same ACL, the lowest class applies to the user specified by the ACL.
Users matching the permit statement of the ACL rule are restricted to the connection number
threshold specified by the limit class.

Examples
# Set the maximum number of outbound TCP connections to 100 for users specified by ACL
2000.
<Eudemon> system-view
[Eudemon] firewall conn-class 1 100
[Eudemon] acl 2000

2-314 Huawei Proprietary and Confidential Issue 01 (2008-11-15)


Copyright © Huawei Technologies Co., Ltd.
Quidway Eudemon 200 Firewall
Command Reference 2 Security Defense

[Eudemon-acl-basic-2000] rule permit source 1.0.0.1 0


[Eudemon-acl-basic-2000] quit
[Eudemon] firewall zone trust
[Eudemon-zone-trust] ip-conn tcp outzone 1 acl-number 2000

Related Topics
2.22.7 firewall conn-class

2.22.12 ip-conn filter

Function
Using the ip-conn filter command, you can configure the connection number limiting for users
of advanced ACLs.
Using the undo ip-conn filter command, you can remove the special connection number limiting
configuration for users of advanced ACLs.

Format
ip-conn { inzone | outzone } filter acl-number acl-number
undo ip-conn { inzone | outzone } filter

Parameters
inzone: indicates the inbound direction.
outzone: indicates the outbound direction.
acl-number: specifies the number of advanced ACLs. It ranges from 3000 to 3999.

Views
Security zone view

Default Level
2: Configuration level

Usage Guidelines
If you need the limit to be accurate to a specific port or a destination IP address, you can employ
advanced ACL rules.
Advanced ACL rules are configured based on basic ACL rules. Before configuring this
command, check whether the IP addresses specified by the advanced ACL rules are among the
addresses specified by the related basic ACL rules.
Connection number limiting is needed for a user matched by the permit rule in the advanced
ACL. Connection number limiting is not needed for a user matched by the deny rule.
This command is configured after the ip-conn command (see 2.22.11 ip-conn) is executed to bind
the connection number limit class with the basic ACL. This command can be configured only
once in the inzone or outzone direction.

If this command is configured, the Eudemon processes packets based on the following principle:
The Eudemon first refers to the advanced ACL rules for matching. If a deny statement of the
advanced ACL rules is matched, the connection number limit is not implemented and the
Eudemon does not use the basic ACL rules any more. If the deny statements of the advanced
ACL rules are not matched, the firewall uses the basic ACL rules. If a permit statement of the
ACL rules is matched, the connection number limit corresponding with the basic ACL rule is
implemented; otherwise, no limit measure is implemented.

Examples
# Specify outbound connection number limit-free configuration for the FTP port at 1.0.0.1.
<Eudemon> system-view
[Eudemon] firewall conn-class 1 10000
[Eudemon] acl 2000
[Eudemon-acl-basic-2000] rule permit source 1.0.0.1 0
[Eudemon-acl-basic-2000] quit
[Eudemon] acl 3000
[Eudemon-acl-adv-3000] rule deny tcp source 1.0.0.1 0 source-port eq ftp
[Eudemon-acl-adv-3000] quit
[Eudemon] firewall zone trust
[Eudemon-zone-trust] ip-conn tcp outzone 1 acl-number 2000
[Eudemon-zone-trust] ip-conn outzone filter acl-number 3000
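
The following is an added example, not part of the original manual: a model of the matching principle described for ip-car filter (2.22.10), which ip-conn filter repeats with connection number classes in place of bandwidth classes. It loads the ACLs from the ip-car filter example and shows which packets end up limited. First-match ordering inside an ACL, checking lower class numbers first when different ACLs are bound, and all function and variable names are assumptions of this sketch.

```python
import ipaddress

UNRESTRICTED = 500000000  # firewall car-class: at this threshold traffic is not restricted


def rule(action, source, wildcard="0", proto=None, source_port=None):
    """One ACL rule. The wildcard follows 'rule permit source 1.0.0.1 0' (0 = exact host)."""
    wild = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    return {"action": action, "src": int(ipaddress.IPv4Address(source)),
            "wild": wild, "proto": proto, "sport": source_port}


def first_match(acl, pkt):
    """Action of the first rule matching pkt, or None (first-match order is assumed)."""
    src = int(ipaddress.IPv4Address(pkt["src"]))
    for r in acl:
        care = ~r["wild"] & 0xFFFFFFFF  # bits that must be equal
        if (src & care) != (r["src"] & care):
            continue
        if r["proto"] is not None and r["proto"] != pkt.get("proto"):
            continue
        if r["sport"] is not None and r["sport"] != pkt.get("sport"):
            continue
        return r["action"]
    return None


def bandwidth_limit(pkt, acls, car_classes, bindings, filter_acl=None):
    """Return the limit in bit/s that applies to pkt, or None when it is not limited.

    bindings maps class-number -> basic ACL number (one ACL per class);
    filter_acl is the advanced ACL given to 'ip-car ... filter', if any.
    """
    # Step 1: a deny hit in the advanced ACL exempts the packet outright.
    if filter_acl is not None and first_match(acls[filter_acl], pkt) == "deny":
        return None
    # Step 2: fall back to the basic ACLs; the lowest bound class wins.
    for class_no in sorted(bindings):
        if first_match(acls[bindings[class_no]], pkt) == "permit":
            limit = car_classes[class_no]
            return None if limit >= UNRESTRICTED else limit
    # Step 3: no permit hit, so no limit measure is implemented.
    return None


# Configuration from the ip-car filter example: class 1 = 10000 bit/s,
# ACL 2000 permits host 1.0.0.1, ACL 3000 denies TCP source port ftp (21).
ACLS = {
    2000: [rule("permit", "1.0.0.1")],
    3000: [rule("deny", "1.0.0.1", proto="tcp", source_port=21)],
}
CAR_CLASSES = {1: 10000}
BINDINGS = {1: 2000}

if __name__ == "__main__":
    for sport in (21, 3084):
        pkt = {"src": "1.0.0.1", "proto": "tcp", "sport": sport}
        print(sport, bandwidth_limit(pkt, ACLS, CAR_CLASSES, BINDINGS, filter_acl=3000))
```

Because a deny entry in the advanced ACL removes the limit entirely, each deny rule should be kept as narrow as the exemption actually requires.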

2.22.13 reset firewall statistic ip-car zone

Function
Using the reset firewall statistic ip-car zone command, you can clear the IP-CAR statistics
about the specified security zone.

Format
reset firewall statistic ip-car zone zone-name

Parameters
zone-name: specifies the name of the security zone whose IP-CAR statistics are to be cleared.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
Statistics in this command refer to the session or packet-dropping information, including TCP/
UDP connections denied by the connection number limit and the number of packets dropped
due to the bandwidth limit.

Examples
# Clear the IP-CAR statistics about the Trust zone.
<Eudemon> reset firewall statistic ip-car zone trust

3 Internetworking

About This Chapter

3.1 Interface Management Commands


3.2 Ethernet Interface Configuration Commands
3.3 AUX Interface Configuration Commands
3.4 Basic Logical Interface Configuration Commands
3.5 E1 Interface Configuration Commands
3.6 CE1 Interface Configuration Commands
3.7 T1 Interface Configuration Commands
3.8 CT1 Interface Configuration Commands
3.9 IP Address Configuration Commands
3.10 IP Performance Configuration Commands
3.11 IP Unicast Policy Routing Configuration Commands
3.12 IP Multicast Policy Routing Configuration Commands
3.13 Common IP Multicast Configuration Commands
3.14 IGMP Configuration Commands
3.15 PIM Configuration Commands
3.16 MSDP Configuration Commands
3.17 Static Route Configuration Commands
3.18 ARP Configuration Commands
3.19 DHCP Configuration Commands
3.20 DNS Configuration Commands
3.21 OSPF Configuration Commands

3.22 PPP Configuration Commands


3.23 PPPoE Configuration Commands
3.24 QoS Configuration Commands
3.25 RIP Configuration Commands
3.26 VLAN Configuration Commands
3.27 Frame Relay Configuration Commands
3.28 HDLC Configuration Commands

3.1 Interface Management Commands


3.1.1 description
3.1.2 display interface
3.1.3 display ip interface
3.1.4 interface
3.1.5 reset counters interface
3.1.6 restart
3.1.7 shutdown (Interface View)

3.1.1 description

Function
Using the description command, you can set the interface description.

Using the undo description command, you can restore the default setting.

Format
description interface-description

undo description

Parameters
interface-description: specifies a character string to describe an interface of the Eudemon. Its
length is not more than 64 characters. Spaces are supported and the string is case sensitive.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the description is "HUAWEI, Eudemon Series, interface-type interface-number
interface".

This command is only used to identify an interface and it has no special meaning and usage. The
display interface command can be used to display the description.

Examples
# Set the description of the interface Ethernet 0/0/0 to be Eudemon Ethernet interface.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] description Eudemon ethernet interface

3.1.2 display interface

Function
Using the display interface command, you can view the current operating state and the statistics
of the interface.

Format
display interface [ interface-type [ interface-number ] ]

Parameters
interface-type: specifies the type of an interface, such as Ethernet and Serial. If no interface-type
is specified, the system will display running status and statistics of all interfaces.
interface-number: specifies the number of an interface. If no interface-number is specified, the
system will display running status and statistics of all interfaces with interface-type.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
You can calculate the traffic and diagnose the fault of the interface based on the information.

Examples
# Display the operating state and statistics of the interface Ethernet 0/0/0.
<Eudemon> display interface Ethernet 0/0/0
Ethernet0/0/0 current state : UP
Line protocol current state : UP
Description : HUAWEI, Eudemon Series, Ethernet0/0/0 Interface
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 10.10.10.1/24
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fca4-b3b5
Media type is twisted pair, loopback not set, promiscuous mode set
100Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
Output flow-control is unsupported, input flow-control is unsupported
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
5 minutes input rate 0 bytes/sec, 0 packets/sec
5 minutes output rate 0 bytes/sec, 0 packets/sec
Input: 1577 packets, 202525 bytes
1577 broadcasts (100.00%), 0 multicasts (0.00%)
0 errors, 0 runts, 0 giants, 0 CRC,
0 collisions, 0 late collisions, 0 overruns,
0 jabbers, 0 input no buffers, 0 Resource errors,
0 other errors
Output:0 packets, 0 bytes
0 errors, 0 late collisions,
0 underruns, 0 retransmit limits

Table 3-1 Description of the display interface command output

Item: Ethernet0/0/0 current state :
Description: Indicates the physical status of Ethernet0/0/0:
• UP: indicates that the physical layer status of the interface is normal.
• DOWN: indicates that the physical layer of the interface fails.
• Administratively down: indicates that the shutdown command is run on the interface by the
  administrator.
• Flow Down: indicates that the status of the data flow on the interface is Down. This status is
  consistent with the status of the bound mVRRP virtual router. If the status of the bound mVRRP
  virtual router is Backup or Initialize, the status of the data flow on the service interface is
  Down.

Item: Line protocol current state :
Description: Indicates the status of the link protocol of the interface:
• UP: indicates that the link protocol status of the interface is normal.
• UP (BFD status down): indicates that the status of the BFD session that is bound to the
  interface becomes Down.
• UP (Main BFD status down): indicates that the status of the BFD session that is associated with
  the main interface becomes Down and is associated with the status of the sub-interface. This
  status can be displayed only on sub-interfaces.
• DOWN: indicates that the link protocol of the interface fails or the interface is not
  configured with an IP address.
• UP (spoofing): indicates that the link protocol status of the interface has the spoofing
  feature. That is, the link protocol status of the interface stays Up.

Item: Last up time:
Description: Indicates the last time the link protocol status of the interface became Up.

Item: Description
Description: Indicates the description of the interface. Up to 64 characters can be entered. The
description helps the user become familiar with the interface function.

Item: The Maximum Transmit Unit is
Description: For an Ethernet interface or a serial interface, the default is 1500 bytes. A packet
larger than the MTU is fragmented before being sent. If non-fragmentation is configured, the
packet is discarded.

Item: Internet Address is
Description: Indicates the IP address and the subnet mask of the interface.

Item: Hold timer is
Description: Indicates the life cycle of the packet. If the packet is not sent out during the life
cycle, it is discarded.

Item: IP Sending Frames' Format is
Description: Indicates the Ethernet frame format sent on the interface. The default is Ethernet_2.
The Ethernet interface can identify the following formats:
• Ethernet_2
• Ethernet_SNAP
• 802.2
• 802.3

Item: Hardware address
Description: Indicates the MAC address of the interface.

Item: Output queue : (Urgent queue : Size/Length/Discards)
      Output queue : (Protocol queue : Size/Length/Discards)
      Output queue : (FIFO queuing : Size/Length/Discards)
Description: Indicates the current status of the three types of output queue:
• Urgent queue: link layer protocol packets, such as PPP and Keepalive packets, enter this queue.
• Protocol queue: packets with IP precedence 6 enter this queue.
• FIFO queuing: depending on the queue type applied on the interface, this queue may be FIFO
  (First In First Out Queue), PQ (Priority Queue), CQ (Custom Queue), or CBQ (Class-based Queue).
When congestion happens, an interface sends the packets in the Urgent queue first, those in the
Protocol queue second, and those in the FIFO queue third. For the output queue, the meaning of the
fields is as follows:
• Size: indicates the number of packets in the queue.
• Length: indicates the maximum length of the queue, in packets.
• Discards: indicates the number of packets discarded because the queue is full.
By checking the relationship between Discards, Size and Length over a certain period, you can see
whether the interface performance satisfies the requirements. If Discards remains large for a long
time and the interface cannot process the input packets in time, a router of higher performance is
needed.
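The check that Table 3-1 describes for the Output queue fields (relating Discards, Size and Length over a period) can be automated. The following Python code is an added example, not part of the Huawei manual: it parses two display interface snapshots and reports per-queue discard growth and new input errors. The first snapshot is an excerpt of the example output above, the second is constructed, and the function names are assumptions made for this example.

```python
import re

# Snapshot 1: excerpt of the example output shown earlier in this section.
SNAPSHOT_T0 = """\
Ethernet0/0/0 current state : UP
Line protocol current state : UP
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
5 minutes input rate 0 bytes/sec, 0 packets/sec
5 minutes output rate 0 bytes/sec, 0 packets/sec
Input: 1577 packets, 202525 bytes
1577 broadcasts (100.00%), 0 multicasts (0.00%)
0 errors, 0 runts, 0 giants, 0 CRC,
0 collisions, 0 late collisions, 0 overruns,
0 jabbers, 0 input no buffers, 0 Resource errors,
0 other errors
Output:0 packets, 0 bytes
0 errors, 0 late collisions,
0 underruns, 0 retransmit limits
"""

# Snapshot 2 (constructed): a later reading with a full FIFO queue,
# new discards and new CRC errors.
SNAPSHOT_T1 = (
    SNAPSHOT_T0
    .replace("Size/Length/Discards) 0/75/0", "Size/Length/Discards) 75/75/420")
    .replace("Input: 1577 packets, 202525 bytes",
             "Input: 91577 packets, 9202525 bytes")
    .replace("0 errors, 0 runts, 0 giants, 0 CRC,",
             "12 errors, 0 runts, 0 giants, 12 CRC,")
)

QUEUE_RE = re.compile(
    r"^Output queue : \((\w+) (?:queue|queuing) : Size/Length/Discards\)\s*"
    r"(\d+)/(\d+)/(\d+)", re.M)
COUNTER_RE = re.compile(r"(\d+) ([A-Za-z][A-Za-z ]*[A-Za-z])")


def _counters(block):
    """Turn '12 errors, 0 late collisions,' into {'errors': 12, ...}."""
    return {name: int(value) for value, name in COUNTER_RE.findall(block)}


def parse_display_interface(text):
    """Parse one interface block of display interface output into a dict."""
    state = re.search(r"^(\S+) current state : (.+)$", text, re.M)
    proto = re.search(r"^Line protocol current state : (.+)$", text, re.M)
    sections = re.search(r"^Input:(.*?)^Output:(.*)", text, re.S | re.M)
    if not (state and proto and sections):
        raise ValueError("not a complete 'display interface' block")
    return {
        "name": state.group(1),
        "state": state.group(2).strip(),
        "protocol": proto.group(1).strip(),
        # queue name -> (Size, Length, Discards)
        "queues": {q: (int(s), int(l), int(d))
                   for q, s, l, d in QUEUE_RE.findall(text)},
        "input": _counters(sections.group(1)),
        "output": _counters(sections.group(2)),
    }


def _growth(old, new):
    """Counter growth between snapshots; a drop means it was cleared."""
    return new if new < old else new - old


def compare_snapshots(before, after):
    """Relate Discards to Size and Length over a period."""
    a, b = parse_display_interface(before), parse_display_interface(after)
    queues = {}
    for name, (size, length, discards) in b["queues"].items():
        old_discards = a["queues"].get(name, (0, 0, 0))[2]
        queues[name] = {
            "new_discards": _growth(old_discards, discards),
            "full": size >= length,  # queue is at its maximum length
        }
    return {
        "queues": queues,
        "new_input_errors": _growth(a["input"]["errors"],
                                    b["input"]["errors"]),
        # Input packet count going backwards: the statistics were cleared
        # (for example with reset counters interface) between snapshots.
        "counters_reset": b["input"]["packets"] < a["input"]["packets"],
    }


if __name__ == "__main__":
    print(compare_snapshots(SNAPSHOT_T0, SNAPSHOT_T1))
```

A queue that is full and still accumulating discards across several consecutive snapshots is the condition the table describes as the interface failing to process packets in time.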

Related Topics
3.1.5 reset counters interface
3.1.3 display ip interface

3.1.3 display ip interface

Function
Using the display ip interface command, you can view the configuration and the statistics of
the interface related to IP.

Format
display ip interface [ brief ] [ interface-type interface-number ]

Parameters
interface-type interface-number: specifies the type and the number of an interface.
brief: displays summary information, including the IP address, physical link state, the Up or
Down state of the protocol, and the interface description.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Using the display ip interface command, you can view the configuration and the statistics of the
interface related to IP, including:
• IP address
• Statuses of the physical link and protocol
• Description of the interface

By default, if no interface is specified, the system displays IP configuration and statistics of all
interfaces.

Examples
# Display the running state of the interface Ethernet 0/0/0.
<Eudemon> display ip interface Ethernet 0/0/0
Ethernet 0/0/0 current state : DOWN
Line protocol current state : DOWN
The Maximum Transmit Unit : 1500 bytes
ip fast-forwarding mode is QFF
ip fast-forwarding outgoing packets is Enable
ip fast-forwarding on the same-interface is Disable
input packets : 0, bytes : 0, multicasts : 0
output packets : 0, bytes : 0, multicasts : 0
ARP packet input number: 0
Request packet: 0
Reply packet: 0
Unknown packet: 0
Internet Address is 192.168.0.33/24
Internet Address is 192.168.1.33/24 Secondary
Internet Address is 10.10.10.11/24 Secondary
Broadcast address : 192.168.0.255
TTL invalid packet number: 0
ICMP packet input number: 0
Echo reply: 0
Unreachable: 0
Source quench: 0
Routing redirect: 0
Echo request: 0
Router advert: 0
Router solicit: 0
Time exceed: 0
IP header bad: 0
Timestamp request: 0
Timestamp reply: 0
Information request: 0
Information reply: 0
Netmask request: 0
Netmask reply: 0
Unknown type: 0
DHCP packet deal mode: global

Table 3-2 Description of the display ip interface Ethernet 0/0/0 command output
Item: Ethernet0/0/0 current state
Description: Indicates the physical status of Ethernet0/0/0:
• UP: indicates the normal enabled state.
• DOWN: indicates the abnormal state.
• Administratively down: If the administrator uses the shutdown command on the interface, the
  state is Administratively down.

Item: Line protocol current state
Description: Indicates the status of the link protocol of the interface:
• UP: indicates the normal enabled state.
• DOWN: indicates the abnormal state or that the IP address is not configured on the interface.

Item: The Maximum Transmit Unit
Description: The Maximum Transmit Unit of the interface. For an Ethernet interface or a serial
interface, the default is 1500 bytes. A packet larger than the MTU is fragmented before being
sent. If non-fragmentation is configured, the packet is discarded.

Item: ip fast-forwarding
Description: Information about fast forwarding of the interface.

Item: input packets : bytes : multicasts
Description: Number of input packets, bytes and multicast packets.

Item: output packets : bytes : multicasts
Description: Number of output packets, bytes and multicast packets.

Item: ARP packet input number
Description: Collects statistics on the ARP packets received on the interface.
For non-Ethernet interfaces, this item is displayed as 0.
Statistics include:
• Total number of ARP packets
• Number of the ARP request packets
• Number of the ARP response packets
• Number of the other ARP packets

Item: Internet Address
Description: IP address of the interface. It is in the format of IP address/mask length.

Item: Broadcast address
Description: Broadcast address of the interface.

Item: TTL invalid packet number
Description: Number of packets whose TTL value is invalid. A packet whose TTL value is 0 or 1 is
considered to have an invalid TTL.

Item: ICMP packet input number
Description: Collects statistics on the ICMP packets received by the interface.
Statistics are:
• Total number of packets
• Number of ECHO response packets
• Number of destination unreachable packets
• Number of source quench packets
• Number of routing redirection packets
• Number of ECHO request packets
• Number of route advertisement packets
• Number of routing request packets
• Number of timeout packets
• Number of IP header error packets
• Number of time stamp request packets
• Number of time stamp response packets
• Number of information request packets
• Number of information response packets
• Number of mask request packets
• Number of mask response packets
• Number of other ICMP packets

Item: Echo reply
Description: Indicates the number of echo-reply packets.

Item: Unreachable
Description: Indicates the number of packets with an unreachable destination.

Item: Source quench
Description: Indicates the number of source quench packets.

Item: Routing redirect
Description: Indicates the number of redirected packets.

Item: Echo request
Description: Indicates the number of echo-request packets.

Item: Router advert
Description: Indicates the number of router-advertising packets.

Item: Router solicit
Description: Indicates the number of router-soliciting packets.

Item: Time exceed
Description: Indicates the number of timeout packets.

Item: IP header bad
Description: Indicates the number of packets with a corrupted IP header.

Item: Timestamp request
Description: Indicates the number of timestamp request packets.

Item: Timestamp reply
Description: Indicates the number of timestamp reply packets.

Item: Information request
Description: Indicates the number of information request packets.

Item: Information reply
Description: Indicates the number of information reply packets.

Item: Netmask request
Description: Indicates the number of mask request packets.

Item: Netmask reply
Description: Indicates the number of mask reply packets.

Item: Unknown type
Description: Indicates the number of packets of an unknown type.

Item: DHCP packet deal mode
Description: The modes of handling DHCP packets include:
• Global mode
• Relay mode
• Interface mode

3.1.4 interface

Function
Using the interface command, you can create an interface and enter the interface view.

Format
interface interface-type interface-number

Parameters
interface-type: specifies the type of an interface.

interface-number: specifies the number of an interface.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
None.

Examples
# Enter the interface view of Ethernet 0/0/0 from the system view.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0]

3.1.5 reset counters interface

Function
Using the reset counters interface command, you can clear the interface statistics.

Format
reset counters interface [ interface-type [ interface-number ] ]

Parameters
interface-type: specifies the type of an interface. If no parameter is specified, the statistics of all
interfaces will be cleared.

interface-number: specifies the number of an interface. If no parameter is specified, the statistics
of all interfaces of the specified type will be cleared.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
In some cases, the traffic on an interface needs to be counted over a certain period. The original
statistics must therefore be cleared before the new count starts.
The reset counters interface command clears the last part of the information displayed by the
display interface command, that is, the statistics of the interface output or input packets.

Examples
# Clear the statistics at all interfaces.
<Eudemon> reset counters interface

Related Topics
3.1.2 display interface

3.1.6 restart

Function
Using the restart command, you can restart the current interface.

Format
restart

Parameters
None

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
The effect of running the restart command is equal to consecutively running the shutdown and
undo shutdown commands.

Examples
# Restart the interface Ethernet 0/0/1.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/1
[Eudemon-Ethernet0/0/1] restart

3.1.7 shutdown (Interface View)

Function
Using the shutdown command, you can shut down the current interface.

Using the undo shutdown command, you can enable the interface.

Format
shutdown
undo shutdown

Parameters
None

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, when the Eudemon is powered on, all physical interfaces are initialized and enabled.
Use this command with caution. In some special cases, such as after modifying the operating
parameters of an interface, the change does not take effect until the interface is disabled and
re-enabled.
NOTE

When an interface is configured with a sub-interface, the interval between running the shutdown
and undo shutdown commands on the main interface must be at least 10 seconds.

Examples
# Disable the interface Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] shutdown

# Enable the interface.
[Eudemon-Ethernet0/0/0] undo shutdown

Related Topics
3.1.2 display interface

3.2 Ethernet Interface Configuration Commands

3.2.1 display interface ethernet
3.2.2 duplex
3.2.3 ip fast-forwarding output
3.2.4 ip fast-forwarding qff
3.2.5 ip fast-forwarding same-interface
3.2.6 loopback (Ethernet interface view)
3.2.7 mtu (Ethernet interface view)
3.2.8 speed (Ethernet Interface View)

3.2.1 display interface ethernet

Function
Using the display interface ethernet command, you can view information about the Ethernet
interface, such as its configuration parameters and current running state.

Format
display interface ethernet [ interface-number ]

Parameters
ethernet: displays the state of the fast Ethernet interface.
interface-number: specifies the number of an interface. If no interface number is specified, the
configuration and state of all the interfaces will be displayed.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the state of the interface Ethernet 0/0/0.
<Eudemon> display interface Ethernet 0/0/0
Ethernet0/0/0 current state : UP
Line protocol current state : UP
Description : HUAWEI, Eudemon Series, Ethernet0/0/0 Interface
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 10.10.10.1/24
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fca4-b3b5
Media type is twisted pair, loopback not set, promiscuous mode set
100Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
Output flow-control is unsupported, input flow-control is unsupported
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
5 minutes input rate 0 bytes/sec, 0 packets/sec
5 minutes output rate 0 bytes/sec, 0 packets/sec
Input: 1577 packets, 202525 bytes
1577 broadcasts (100.00%), 0 multicasts (0.00%)
0 errors, 0 runts, 0 giants, 0 CRC,
0 collisions, 0 late collisions, 0 overruns,
0 jabbers, 0 input no buffers, 0 Resource errors,
0 other errors
Output:0 packets, 0 bytes
0 errors, 0 late collisions,
0 underruns, 0 retransmit limits

Table 3-3 Description of the display interface ethernet command output


Item: Ethernet 0/0/0 current state :
Description: Indicates the physical status of Ethernet 0/0/0:
• UP: indicates that the physical layer status of the interface is normal.
• DOWN: indicates that the physical layer of the interface fails.
• Administratively down: indicates that the shutdown command is run on the interface by the
  administrator.
• Flow Down: indicates that the status of the data flow on the interface is Down. This status is
  consistent with the status of the bound mVRRP virtual router. If the status of the bound mVRRP
  virtual router is Backup or Initialize, the status of the data flow on the service interface is
  Down.

Item: Line protocol current state :
Description: Indicates the status of the link protocol of the interface:
• UP: indicates that the link protocol status of the interface is normal.
• UP (BFD status down): indicates that the status of the BFD session that is bound to the
  interface becomes Down.
• UP (Main BFD status down): indicates that the status of the BFD session that is associated with
  the main interface becomes Down and is associated with the status of the sub-interface. This
  status can be displayed only on sub-interfaces.
• DOWN: indicates that the link protocol of the interface fails or the interface is not
  configured with an IP address.
• UP (spoofing): indicates that the link protocol status of the interface has the spoofing
  feature. That is, the link protocol status of the interface stays Up.

Item: Last up time:
Description: Indicates the last time the link protocol status of the interface became Up.

Item: Description
Description: Indicates the description of the interface. Up to 64 characters can be entered. The
description helps the user become familiar with the interface function.

Item: The Maximum Transmit Unit is
Description: For an Ethernet interface or a serial interface, the default is 1500 bytes. A packet
larger than the MTU is fragmented before being sent. If non-fragmentation is configured, the
packet is discarded.

Item: Internet Address is
Description: Indicates the IP address and the subnet mask of the interface.

Item: Hold timer is
Description: Indicates the life cycle of the packet. If the packet is not sent out during the life
cycle, it is discarded.

Item: IP Sending Frames' Format is
Description: Indicates the Ethernet frame format sent on the interface. The default is Ethernet_2.
The Ethernet interface can identify the following formats:
• Ethernet_2
• Ethernet_SNAP
• 802.2
• 802.3

Item: Hardware address
Description: Indicates the MAC address of the interface.

Item: Output queue : (Urgent queue : Size/Length/Discards)
      Output queue : (Protocol queue : Size/Length/Discards)
      Output queue : (FIFO queuing : Size/Length/Discards)
Description: Indicates the current status of the three types of output queue:
• Urgent queue: link layer protocol packets, such as PPP and Keepalive packets, enter this queue.
• Protocol queue: packets with IP precedence 6 enter this queue.
• FIFO queuing: depending on the queue type applied on the interface, this queue may be FIFO
  (First In First Out Queue), PQ (Priority Queue), CQ (Custom Queue), or CBQ (Class-based Queue).
When congestion happens, an interface sends the packets in the Urgent queue first, those in the
Protocol queue second, and those in the FIFO queue third. For the output queue, the meaning of the
fields is as follows:
• Size: indicates the number of packets in the queue.
• Length: indicates the maximum length of the queue, in packets.
• Discards: indicates the number of packets discarded because the queue is full.
By checking the relationship between Discards, Size and Length over a certain period, you can see
whether the interface performance satisfies the requirements. If Discards remains large for a long
time and the interface cannot process the input packets in time, a router of higher performance is
needed.

3.2.2 duplex

Function
Using the duplex command, you can set the operating mode of the fast Ethernet interface.
Using the undo duplex command, you can restore the default setting.

Format
duplex { negotiation | full | half }
undo duplex

Parameters
negotiation: sets the operating mode of the Ethernet interface to auto-negotiation.
full: sets the operating mode of the Ethernet interface to full-duplex.
half: sets the operating mode of the Ethernet interface to half-duplex.

Views
Ethernet interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the Ethernet interface works in auto-negotiation mode.
The operating mode of the Ethernet interface must be consistent with that of the device at the
other end.
The duplex command can be applied only to electrical Ethernet interfaces.

Examples
# Set the interface Ethernet 0/0/0 to operate in auto-negotiation mode.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] duplex negotiation

Related Topics
3.1.2 display interface

3.2.3 ip fast-forwarding output

Function
Using the ip fast-forwarding output command, you can enable fast forwarding of packets on
an outbound interface.

Using the undo ip fast-forwarding output command, you can disable fast forwarding of packets
on an outbound interface.

Format
ip fast-forwarding output

undo ip fast-forwarding output

Parameters
None

Views
Ethernet interface view

Default Level
2: Configuration level

Usage Guidelines
If an inbound interface is configured with the ip fast-forwarding qff command, the device
determines the outbound interface of each packet during the fast forwarding process. If the
outbound interface is configured with ip fast-forwarding output, the device continues to forward
the packet through the fast forwarding process. Otherwise, the device forwards the packet through
the common forwarding process.

By default, the fast forwarding is enabled on Ethernet interfaces.

Examples
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ip fast-forwarding output

3.2.4 ip fast-forwarding qff

Function
Using the ip fast-forwarding qff command, you can enable fast forwarding of packets on an
inbound interface.

Using the undo ip fast-forwarding qff command, you can disable fast forwarding of packets
on an inbound interface.

Format
ip fast-forwarding qff

undo ip fast-forwarding qff

Parameters
None

Views
Ethernet interface view

Default Level
2: Configuration level

Usage Guidelines
When the current interface acts as an incoming interface, the ip fast-forwarding qff command
takes effect. If this command is configured, the incoming interface adopts fast forwarding after
receiving packets. If this command is not configured, the incoming interface sends packets to
the common forwarding queue after receiving packets.

With fast forwarding, the firewall forwards packets more rapidly than in common forwarding mode.
However, fast forwarding is applicable only to interfaces that are used directly as Ethernet
interfaces. It is not applicable to interfaces on which L2TP or other protocols are applied.

By default, the fast forwarding is enabled.

Examples
# Enable fast forwarding on the ingress.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ip fast-forwarding qff

3.2.5 ip fast-forwarding same-interface

Function
Using the ip fast-forwarding same-interface command, you can configure the firewall not to
send ICMP re-direction packets for packets whose inbound interface and outbound interface are the
same interface.

Using the undo ip fast-forwarding same-interface command, you can disable the function.

Format
ip fast-forwarding same-interface

undo ip fast-forwarding same-interface

Parameters
None

Views
Ethernet interface view

Default Level
2: Configuration level

Usage Guidelines
This command is valid in the fast forwarding process of packets. Usually, when the inbound
interface and outbound interface of a packet are the same interface, the firewall sends ICMP
re-direction packets. However, if the firewall is configured with fast forwarding to accelerate
forwarding, it does not send ICMP re-direction packets.
By default, this function is disabled.

Examples
# Disable sending ICMP re-direction packets.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ip fast-forwarding same-interface

3.2.6 loopback (Ethernet interface view)

Function
Using the loopback command, you can enable loopback on Ethernet interface.
Using the undo loopback command, you can disable this function.

Format
loopback
undo loopback

Parameters
None

Views
Ethernet interface view

Default Level
2: Configuration level

Usage Guidelines
Set the Ethernet interface to loopback mode only when testing certain special functions.
By default, loopback is disabled.

Examples
# Enable loopback on interface Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] loopback

3.2.7 mtu (Ethernet interface view)

Function
Using the mtu command, you can set the Maximum Transmission Unit (MTU) of the Ethernet
interface.
Using the undo mtu command, you can restore the default setting.

Format
mtu ethernet-mtu-value
undo mtu

Parameters
ethernet-mtu-value: specifies the MTU of the Ethernet interface, in bytes. The value ranges from
46 to 1500.

Views
Ethernet interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the MTU is 1500 bytes in the Ethernet_II frame format and 1492 bytes in the
Ethernet_SNAP frame format.
Run the restart command on the interface for the MTU setting to take effect.

Examples
# Set the MTU of the interface Ethernet 0/0/0 to 1492.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] mtu 1492

Related Topics
3.2.1 display interface ethernet

3.2.8 speed (Ethernet Interface View)

Function
Using the speed command, you can set the operating speed of the current Ethernet interface.
Using the undo speed command, you can restore the default setting.

Format
speed { 10 | 100 | negotiation }
undo speed

Parameters
10: sets the speed to 10 Mbit/s.
100: sets the speed to 100 Mbit/s.
negotiation: sets the speed to 10 Mbit/s or 100 Mbit/s in auto-negotiation mode.

Views
Ethernet interface view

Default Level
2: Configuration level

Usage Guidelines
By default, auto-negotiation mode is used.
The speed command can only be applied to the Ethernet electrical interface.

Examples
# Set the working speed of interface Ethernet 0/0/0 to 100 Mbit/s.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] speed 100

Related Topics
3.1.2 display interface

3.3 AUX Interface Configuration Commands

3.3.1 async mode
3.3.2 detect dsr-dtr
3.3.3 link-protocol ppp (AUX Interface View)
3.3.4 loopback (AUX Interface View)
3.3.5 mtu (AUX Interface View)

3.3.1 async mode

Function
Using the async mode command, you can set the working mode of the AUX interface.

Format
async mode { protocol | flow }

Parameters
protocol: specifies the protocol mode. After the connection is established, the system uses the
existing link layer parameters to establish the link.
flow: specifies the flow mode, also called the interactive mode. After a user dials up
successfully, the caller sends a configuration command to the callee (or a user types this command
remotely) to set the link layer working parameters of the callee, and then the link is
established. This mode is generally used for man-machine interaction, such as dialup. A user in
interactive mode is also called an EXEC user.

Views
AUX interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the AUX interface works in protocol mode.

Examples
# Set AUX interface to work in flow mode.
<Eudemon> system-view
[Eudemon] interface aux 0
[Eudemon-Aux0] async mode flow

3.3.2 detect dsr-dtr

Function
Using the detect dsr-dtr command, you can enable the level detection of the AUX interface.
Using the undo detect dsr-dtr command, you can disable this function.

Format
detect dsr-dtr
undo detect dsr-dtr

Parameters
None

Views
AUX interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the function is enabled.
If the level detection is disabled, the system only detects whether the AUX interface is connected
to the cable, and then automatically reports the UP or DOWN status of the AUX interface to the
user. Otherwise, the system not only detects whether the AUX interface is connected to the cable,
but also detects the DSR signal. The system considers the AUX interface to be UP only if the
signal is valid.

Examples
# Disable the level detection on AUX interface.
<Eudemon> system-view
[Eudemon] interface aux 0
[Eudemon-Aux0] undo detect dsr-dtr

3.3.3 link-protocol ppp (AUX Interface View)

Function
Using the link-protocol command, you can specify the link layer protocol type for AUX
interface.

Format
link-protocol ppp

Parameters
None

Views
AUX interface view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Specify the link layer protocol type for AUX interface as PPP.
<Eudemon> system-view
[Eudemon] interface aux 0
[Eudemon-Aux0] link-protocol ppp

3.3.4 loopback (AUX Interface View)

Function
Using the loopback command, you can enable loopback function for the AUX interface.
Using the undo loopback command, you can disable this function.

Format
loopback
undo loopback

Parameters
None

Views
AUX interface view

Default Level
2: Configuration level

Usage Guidelines
By default, loopback function of the AUX interface is disabled.
The AUX interface can be set to loopback only when some special functions are tested.

Examples
# Enable loopback on AUX interface.
<Eudemon> system-view
[Eudemon] interface aux 0
[Eudemon-Aux0] loopback


3.3.5 mtu (AUX Interface View)

Function
Using the mtu command, you can set MTU of the AUX interface.
Using the undo mtu command, you can restore the default setting.

Format
mtu mtu-value
undo mtu

Parameters
mtu-value: specifies the maximum transmission unit (MTU) of the AUX interface; it is in the
range of 128 bytes to 1500 bytes.

Views
AUX interface view

Default Level
2: Configuration level

Usage Guidelines
By default, MTU is set to 1500 bytes.
After modifying the MTU on the interface by running the mtu command, you need
to run the shutdown and undo shutdown commands in sequence on the interface for the
newly specified MTU to take effect.

Examples
# Set the MTU of the AUX interface to 1200.
<Eudemon> system-view
[Eudemon] interface aux 0
[Eudemon-Aux0] mtu 1200

3.4 Basic Logical Interface Configuration Commands


3.4.1 broadcast-limit link
3.4.2 display interface (Logic Interface)
3.4.3 display virtual-access
3.4.4 mac-address
3.4.5 interface (Logic Interface)


3.4.1 broadcast-limit link

Function
Using the broadcast-limit link command, you can set the maximum number of links on a virtual
template that support sending multicast or broadcast packets.

Using the undo broadcast-limit link command, you can restore the default setting.

Format
broadcast-limit link number

undo broadcast-limit link

Parameters
number: specifies the maximum number of links on which the virtual template interface supports
sending multicast or broadcast packets. It ranges from 0 to 128. The default value is 30.

Views
Virtual template interface view

Default Level
2: Configuration level

Usage Guidelines
When a virtual template has many links, sending multicast or broadcast packets from each
link may affect the system. In this case, the broadcast-limit link command can be used to set a
limit, so that multicast or broadcast packets are discarded if the number of links exceeds the limit.

Examples
# Set maximum link number of virtual template interface 1 in support of sending multicast or
broadcast packet to be 100.
<Eudemon> system-view
[Eudemon] interface virtual-template 1
[Eudemon-Virtual-Template1] broadcast-limit link 100

3.4.2 display interface (Logic Interface)

Function
Using the display interface command, you can view the status of a logic interface.


Format
display interface [ virtual-template | virtual-ethernet | loopback | null | logic-channel |
dialer ] [ number ]

Parameters
virtual-template: refers to a virtual template interface.
virtual-ethernet: refers to a virtual Ethernet interface.
loopback: refers to a loopback interface.
null: refers to a null interface.
logic-channel: refers to a logic-channel interface.
dialer: refers to a dialer interface.
number: specifies the number of a virtual interface. For a virtual template interface, virtual
ethernet interface, Loopback interface, logic-channel interface and dialer interface, the value of
number ranges from 0 to 1023.
There is only one Null interface, which is fixed as Null 0. This interface is always Up and cannot
be shut down or deleted.
If no type is specified, the statuses of all the logical interfaces of all types are displayed. If no
number is specified, the statuses of all the logical interfaces of the specified types are displayed.

NOTE

Except for null, the corresponding interfaces must already be configured on the device. Otherwise,
the parameters of the virtual template and Loopback interfaces cannot be displayed.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the state of all virtual interfaces.
<Eudemon> display interface virtual-template
Virtual-Template1 current state : UP
Line protocol current state :UP (spoofing)
Description : HUAWEI, Eudemon Series, Virtual-Template1 Interface
The Maximum Transmit Unit is 1500 bytes
Internet Address is 192.168.1.5/24
Link layer protocol is PPP
LCP initial
Physical is None, baudrate is 64000 bps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/256/0
Last 5 minutes input rate 0 bytes/sec, 0 packets/sec
Last 5 minutes output rate 0 bytes/sec, 0 packets/sec
0 packets input, 0 bytes, 0 drops
0 packets output, 0 bytes, 0 drops

Table 3-4 Description of the display interface virtual-template command output


Item                          Description

Virtual-Template1             Indicates the physical status of the Virtual-Template interface:
current state :               • UP: indicates the normal enabled state.
                              • DOWN: indicates the abnormal state.
                              • Administratively down: If the administrator uses the
                                shutdown command on the interface, the state is
                                Administratively down.

Line protocol current         Indicates the status of the link protocol of the interface:
state :                       • UP: indicates the normal enabled state.
                              • DOWN: indicates the abnormal state or the IP address is not
                                configured on the interface.

Description :                 Indicates the description of the interface: a maximum of 64
                              characters, which are case sensitive and can include blank
                              spaces. The description can help the user to get familiar with
                              the interface function.

The Maximum Transmit          For the serial interface, the default is 1500 bytes. A packet
Unit is                       larger than the MTU is fragmented before being sent. If
                              non-fragmentation is configured, the packet is discarded.

Internet Address is           Indicates the IP address configured for the interface. If the
                              interface is not configured with an IP address, "Internet
                              protocol processing: disabled" is displayed.

Link layer protocol is        Indicates the link layer protocol.

LCP initial                   Indicates the LCP initialization.

Physical is None              Indicates the logical interface does not exist physically.

Output queue : (Urgent        Indicates the current status of three types of output queue:
queue : Size/Length/          • Urgent queue: link layer protocol packets, such as PPP and
Discards)                       Keepalive packets, enter this queue.
Output queue : (Protocol      • Protocol queue: packets with IP precedence 6 enter this queue.
queue : Size/Length/          • FIFO queue: depending on the queue type applied on the
Discards)                       interface, this may be FIFO (First In First Out Queue), PQ
Output queue : (FIFO            (Priority Queue), CQ (Custom Queue), or CBQ (Class-based
queuing : Size/Length/          Queue).
Discards)                     When congestion happens, an interface sends the packets in the
                              Urgent queue first, those in the Protocol queue second, and
                              those in the FIFO queue third. For each output queue, the
                              meaning of the fields is as follows:
                              • Size: indicates the number of packets in the queue.
                              • Length: indicates length of the longest queue in packets.
                              • Discards: indicates the number of packets discarded because
                                the queue is full.
                              By checking the relationship between Discards, Size and Length
                              during a certain period, you can see whether the interface
                              performance satisfies the requirements. If the value of
                              Discards remains large for a long time and the interface
                              cannot process the input packets in time, a router of higher
                              performance is needed.

Last 5 minutes input rate     Indicates the byte rate and packet rate through the interface
Last 5 minutes output rate    in the last 5 minutes.

3.4.3 display virtual-access

Function
Using the display virtual-access command, you can view the status of a virtual access interface.

Format
display virtual-access [ vt vt-number | user user-name | peer peer-address | va-number ] *

Parameters
vt-number: specifies the virtual template number of a virtual access interface. It is an integer in
a range of 0 to 1023.

user-name: specifies the login user name of a virtual access interface. It is a string of 1 to 64
characters.

peer-address: specifies the peer address of a virtual access interface in dotted decimal notation.


va-number: specifies the sequence number of a virtual access. It is an integer in a range of 0 to
1023.

If no parameter is specified, the status of all virtual access interfaces is displayed.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
When monitoring the interface status or locating the faults for the interface, you can run this
command to obtain the information about the status and statistics of the interface. Based on the
information, you can carry out the flow statistics and diagnose the faults.

Examples
# View the status of all the virtual access interfaces.
<Eudemon> display virtual-access
Virtual-Template1:0 current state : UP
Line protocol current state : UP
Description : HUAWEI, Eudemon Series, Virtual-Template1:0 Interface
The Maximum Transmit Unit is 1500 bytes
Link layer protocol is PPP
LCP opened, MP opened, IPCP opened
Physical is MP
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
Last 5 minutes input rate 0 bytes/sec, 0 packets/sec
Last 5 minutes output rate 0 bytes/sec, 0 packets/sec
2 packets input, 28 bytes, 0 drops
2 packets output, 28 bytes, 0 drops

Table 3-5 Description of the display virtual-access command output

Item                          Description

Virtual-Template1:0           Indicates the physical status of the Virtual-Template interface:
current state :               • UP: indicates the normal enabled state.
                              • DOWN: indicates the abnormal state.
                              • Administratively down: If the administrator uses the
                                shutdown command on the interface, the state is
                                Administratively down.

Line protocol current         Indicates the status of the link protocol of the interface:
state :                       • UP: indicates the normal enabled state.
                              • DOWN: indicates the abnormal state or the IP address is not
                                configured on the interface.

Description :                 Indicates the description of the interface: a maximum of 64
                              characters, which are case sensitive and can include blank
                              spaces. The description can help the user to get familiar with
                              the interface function.

The Maximum Transmit          For the serial interface, the default is 1500 bytes. A packet
Unit is                       larger than the MTU is fragmented before being sent. If
                              non-fragmentation is configured, the packet is discarded.

Link layer protocol is        Indicates the link layer protocol.

LCP, MP, IPCP                 Indicates the status of LCP, MP, and IPCP:
                              • opened: is enabled normally.
                              • initial: is being set up.

Physical is MP                Indicates the physical connection is MP.

Last 5 minutes input rate     Indicates the byte rate and packet rate through the interface
Last 5 minutes output rate    in the last five minutes.
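
The following Python sketch is an added example, not part of the Huawei command reference. It applies the guidance in Tables 3-4 and 3-5 (watch Discards against Size and Length over a period) to two captures of display interface or display virtual-access output. The first sample is the output shown above; the second sample and the function names are constructed for this example.

```python
import re

# Header of one interface block, e.g. "Virtual-Template1:0 current state : UP".
# "Line protocol current state" does not match because of the space in its name.
IFACE_RE = re.compile(r"^(?P<iface>\S+) current state\s*:\s*(?P<state>.+)$")
# One queue line. The page shows both "FIFO queue" and "FIFO queuing".
QUEUE_RE = re.compile(
    r"Output queue\s*:\s*\((?P<name>\w+) (?:queue|queuing)\s*:\s*"
    r"Size/Length/Discards\)\s*(?P<size>\d+)/(?P<length>\d+)/(?P<discards>\d+)"
)


def parse_queues(text):
    """Return {interface: {"state": str, "queues": {name: (size, length, discards)}}}."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = IFACE_RE.match(line)
        if head:
            current = {"state": head["state"].strip(), "queues": {}}
            result[head["iface"]] = current
            continue
        queue = QUEUE_RE.search(line)
        if queue and current is not None:
            current["queues"][queue["name"]] = tuple(
                int(queue[key]) for key in ("size", "length", "discards"))
    return result


def compare_samples(before, after):
    """Compare two parses of the same command taken some time apart."""
    findings = []
    for iface, data in after.items():
        if data["state"].upper() != "UP":
            findings.append((iface, "state", data["state"]))
        old_queues = before.get(iface, {}).get("queues", {})
        for name, (size, length, discards) in data["queues"].items():
            old_discards = old_queues.get(name, (0, length, 0))[2]
            if discards < old_discards:
                # Counters went backwards: statistics were cleared or the device restarted.
                findings.append((iface, name, "counter reset"))
            elif discards > old_discards:
                findings.append((iface, name, f"discards +{discards - old_discards}"))
            if size >= length:
                # Size has reached Length, so further packets are discarded.
                findings.append((iface, name, "queue full"))
    return findings


# First sample: the display virtual-access output shown on this page.
SAMPLE_T0 = """\
Virtual-Template1:0 current state : UP
Line protocol current state : UP
Link layer protocol is PPP
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
"""

# Second sample: constructed for this example, not captured from a device.
SAMPLE_T1 = """\
Virtual-Template1:0 current state : UP
Line protocol current state : UP
Link layer protocol is PPP
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 3/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 256/256/37
"""

if __name__ == "__main__":
    for finding in compare_samples(parse_queues(SAMPLE_T0), parse_queues(SAMPLE_T1)):
        print(finding)
```
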

3.4.4 mac-address

Function
Using the mac-address command, you can configure the MAC address of a Virtual Ethernet
(VE) interface.

Using the undo mac-address command, you can restore the default configuration.

Format
mac-address H-H-H

undo mac-address

Parameters
H-H-H: specifies the MAC address of a VE interface. It is a character string in hex.

Views
Virtual Ethernet interface view

Default Level
2: Configuration level


Usage Guidelines
The default MAC address of a VE interface is the MAC address of the Ethernet interface of the
RPU.

Examples
# Configure the MAC address of interface Virtual Ethernet 1.
<Eudemon> system-view
[Eudemon] interface virtual-ethernet 1
[Eudemon-Virtual-Ethernet1] mac-address 1000-1000-1000

3.4.5 interface (Logic Interface)

Function
Using the interface command, you can create a virtual interface.

Using the undo interface command, you can delete the specified virtual interface.

Format
interface { virtual-template number | virtual-ethernet number | dialer number |
logic-channel number | loopback number | null number |
ethernet interfacenumer.subinterface number }

undo interface { virtual-template number | virtual-ethernet number | dialer number |
logic-channel number | loopback number | ethernet interfacenumer.subinterface number }

Parameters
virtual-template: refers to a virtual template interface.

virtual-ethernet: refers to a virtual Ethernet interface.

dialer: refers to a dialer interface.

logic-channel: refers to a logic-channel interface.

loopback: refers to a loopback interface.

null: refers to a null interface.

ethernet interfacenumer.subinterface number: specifies an Ethernet subinterface.

number: specifies the number of a virtual interface. For a virtual template interface, virtual
ethernet interface, Loopback interface, logic-channel interface and dialer interface, the value of
number ranges from 0 to 1023.

There is only one Null interface, which is fixed as Null0. This interface is always Up and cannot
be shut down or deleted.

Views
System view


Default Level
2: Configuration level

Usage Guidelines
The virtual Ethernet interface is mainly applied to PPPoEoA.

Examples
# Create virtual template interface 10.
<Eudemon> system-view
[Eudemon] interface virtual-template 10
[Eudemon-Virtual-Template10]

Related Topics
3.4.2 display interface (Logic Interface)

3.5 E1 Interface Configuration Commands


3.5.1 channel-set (E1 Interface View)
3.5.2 clock (E1 Interface View)
3.5.3 code (E1 Interface View)
3.5.4 controller e1 (E1 Interface)
3.5.5 display controller e1 (E1 Interface)
3.5.6 frame-format (E1 Interface View)
3.5.7 loopback (E1 Interface View)
3.5.8 using (E1 Interface View)

3.5.1 channel-set (E1 Interface View)

Function
Using the channel-set command, you can configure the binding of time slots on an E1 interface.

Using the undo channel-set command, you can remove the specified time slots. If no parameter
is specified, all the time slots are deleted.

Format
channel-set set-number timeslot-list slot-list

undo channel-set [ set-number ]


Parameters
set-number: specifies the number of the interface generated by binding time slots of the E1
interface. It is an integer ranging from 0 to 30.

slot-list: specifies the number or the number range of time slots to be bound. The value is an
integer ranging from 1 to 31. The parameter can be separate single slots or a slot range. Single
time slots are separated by ","; a slot range is represented by "-".

Views
E1 interface view

Default Level
2: Configuration level

Usage Guidelines
This command can be configured only on an E1 interface that operates in CE1 mode.

The E1 interface has two operating modes:

• If an E1 interface is used as a CE1 interface, it is divided into 32 time slots physically. You
  can bind any of the time slots except for slot 0. The bound interfaces work as a
  single interface whose logical features are the same as those of a synchronous serial interface.
  Using the interface serial interface-number : set-number command, you can enter the view
  of the interface generated after the binding. You can bind only once.
  NOTE
  The interface number after the interface serial command refers to the slot number, card number, or
  interface number, that is, the index number of the interface generated by the binding of E1 interface
  timeslot.
• If an E1 interface is used as an E1 interface, the interface does not support the time slotting
  and the channel-set command. It is a 2.048M interface.

Both modes support PPP, HDLC and FR.

Examples
# Bind timeslots 10 to 15 on E1 1/0/0 to channel-set 1.
<Eudemon> system-view
[Eudemon] controller E1 1/0/0
[Eudemon-E1 1/0/0] using ce1
[Eudemon-E1 1/0/0] channel-set 1 timeslot-list 10-15

3.5.2 clock (E1 Interface View)

Function
Using the clock command, you can set the clock mode on an E1 interface.

Using the undo clock command, you can restore the default setting.


Format
clock { master | slave }
undo clock

Parameters
master: sets the E1 interface to be a master clock, using the internal clock signal of the system.
slave: sets the E1 interface to work in slave clock mode, using the line clock signal.

Views
E1 interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the clock mode of the E1 interface is slave.
When the E1 interfaces of two devices are directly connected, you can do as follows:
• Set one end as a master clock and the other end as a slave clock; they work
  normally.
• Set both ends as a master clock; they also work normally.

Examples
# Set E1 1/0/0 as a master clock using the internal clock signal.
<Eudemon> system-view
[Eudemon] controller E1 1/0/0
[Eudemon-E1 1/0/0] clock master

3.5.3 code (E1 Interface View)

Function
Using the code command, you can set the line coding and decoding format for an E1 interface.
Using the undo code command, you can restore the default setting.

Format
code { ami | hdb3 }
undo code

Parameters
ami: performs coding and decoding in Alternate Mark Inversion (AMI) mode.


hdb3: performs coding and decoding in High Density Bipolar Of Order 3 (HDB3) mode.

Views
E1 interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the coding and decoding format of the E1 interface is HDB3.
As a basic line code, the signals of the AMI code are converted alternately. The circuit of coding
and decoding is simple and the error codes can be easily observed. Therefore, the AMI code is
widely applied. However, when the AMI code is used to obtain the timing information,
consecutive 0's may make it difficult to extract timing signals.
The HDB3 code inherits all advantages of the AMI code and has overcome the difficulty in
obtaining timing signals caused by excessive consecutive 0's. Therefore, it is recommended to
use the HDB3 code as the line coding and decoding format for the PCM transmission system.
The line coding and decoding format of the local end must be the same as that on the remote
end.

NOTE

The HDB3 code is recommended.

Examples
# Set the line coding and decoding format for E1 1/0/0 to HDB3.
<Eudemon> system-view
[Eudemon] controller E1 1/0/0
[Eudemon-E1 1/0/0] code hdb3

3.5.4 controller e1 (E1 Interface)

Function
Using the controller e1 command, you can enter the specified E1 interface view.

Format
controller e1 controller-number

Parameters
controller-number: specifies the interface number.

Views
System view


Default Level
2: Configuration level

Usage Guidelines
To configure an E1 interface, use the command to enter the E1 interface view.

Examples
# Enter the E1 1/0/0 interface view.
<Eudemon> system-view
[Eudemon] controller E1 1/0/0
[Eudemon-E1 1/0/0]

3.5.5 display controller e1 (E1 Interface)

Function
Using the display controller e1 command, you can check the information of an E1 interface.

Format
display controller e1 [ controller-number ]

Parameters
controller-number: specifies the E1 interface number.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
According to the status and packet statistics collected by the command, you can monitor the
status and locate the fault of the interface.
If no number is specified, information of all E1 interfaces is displayed.

Examples
# View the information of E1 1/0/0.
<Eudemon> display controller E1 1/0/0
E1 1/0/0 current state : DOWN
Description : HUAWEI, Eudemon Series, E1 1/0/0 Interface
Work Mode is E1 UNFRAME
Framing is NONE,Line Code is HDB3,Source Clock is SLAVE
Loopback is not set, Alarm State is Loss-of-Signal.


Table 3-6 Description of the display controller e1 command output


Item                          Description

E1 1/0/0 current state        Indicates the current physical status of the E1 interface:
                              • UP: indicates the normal enabled state.
                              • DOWN: indicates the abnormal state.
                              • Administratively Down: If the administrator uses the
                                shutdown command on the interface, the state is
                                Administratively Down.

Description                   Indicates the description about the interface. The description
                              can help the user to get familiar with the interface function.

Work Mode is                  Indicates the work mode of the cable:
                              • E1 UNFRAME: clear channelized work mode.
                              • E1 FRAMED: unchannelized mode

Framing is                    Indicates the frame format of the E1 interface.
                              When E1 works in clear channelized mode, the framing is NONE,
                              that is, no frame format.
                              When E1 works in unchannelized mode, there are two frame
                              formats. See 3.5.6 frame-format (E1 Interface View).

Line Code is                  Indicates line coding and decoding format of E1 interface.
                              AMI: Alternate Mark Inversion.
                              HDB3: High Density Bipolar of Order 3.

Source Clock is               Indicates the clock mode:
                              • master
                              • slave

loopback is not set           Indicates the loopback function of E1 interface is not enabled.
                              The loopback is usually used for some special tests.

Alarm state is                Indicates the alarm type and error type.
                              Possible error types include:
                              • Loss-of-Signal.
                              • Loss of Frame Alignment.
                              • Loss of Multiframe Alignment.
                              • Remote Alarm.
                              • None.
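
The following Python sketch is an added example, not part of the Huawei command reference. It parses display controller e1 output from both ends of a link and reports the conditions this section calls out: an interface that is not UP, an alarm other than None, loopback left enabled, and a line code that differs between the two ends. The local sample is the output shown above; the remote sample, the function names, and the treatment of any Loopback value other than "not set" as enabled are assumptions of this example.

```python
import re

# Field patterns follow the sample output: comma-separated "X is Y" pairs per line.
FIELDS = {
    "state": r"current state\s*:\s*([^\n]+)",
    "work_mode": r"Work Mode is\s+([^\n]+)",
    "framing": r"Framing is\s+([^,\n]+)",
    "line_code": r"Line Code is\s+([^,\n]+)",
    "clock": r"Source Clock is\s+([^,\n]+)",
    "loopback": r"Loopback is\s+([^,\n]+)",
    "alarm": r"Alarm State is\s+([^,\n]+)",
}


def parse_controller(text):
    """Return the fields of one display controller e1 block (None if absent)."""
    parsed = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, text, re.IGNORECASE)
        # The alarm value ends with a full stop in the sample output; drop it.
        parsed[name] = match.group(1).strip().rstrip(".").strip() if match else None
    return parsed


def check_link(local, remote):
    """Return findings for two parsed ends of one directly connected E1 link."""
    findings = []
    for end, info in (("local", local), ("remote", remote)):
        if (info["state"] or "").upper() != "UP":
            findings.append(f"{end}: interface state is {info['state']}")
        if (info["alarm"] or "").lower() != "none":
            findings.append(f"{end}: alarm {info['alarm']}")
        # Assumption: anything other than "not set" means a loopback is enabled.
        if (info["loopback"] or "").lower() != "not set":
            findings.append(f"{end}: loopback is {info['loopback']}")
    codes = (local["line_code"], remote["line_code"])
    # The code command requires the same line code on the local and remote end.
    if None not in codes and codes[0].upper() != codes[1].upper():
        findings.append(f"line code mismatch: local {codes[0]}, remote {codes[1]}")
    return findings


# Local end: the output shown on this page.
LOCAL = """\
E1 1/0/0 current state : DOWN
Description : HUAWEI, Eudemon Series, E1 1/0/0 Interface
Work Mode is E1 UNFRAME
Framing is NONE,Line Code is HDB3,Source Clock is SLAVE
Loopback is not set, Alarm State is Loss-of-Signal.
"""

# Remote end: constructed for this example, not captured from a device.
REMOTE = """\
E1 1/0/0 current state : UP
Description : HUAWEI, Eudemon Series, E1 1/0/0 Interface
Work Mode is E1 UNFRAME
Framing is NONE,Line Code is AMI,Source Clock is MASTER
Loopback is not set, Alarm State is None.
"""

if __name__ == "__main__":
    for finding in check_link(parse_controller(LOCAL), parse_controller(REMOTE)):
        print(finding)
```
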

3.5.6 frame-format (E1 Interface View)


Function
Using the frame-format command, you can set the frame format for the E1 interface when
operating in unchannelized mode.

Using the undo frame-format command, you can restore the default setting of frame format for the E1
interface when operating in unchannelized mode.

Format
frame-format { crc4 | no-crc4 }

undo frame-format

Parameters
crc4: indicates the frame format is CRC4.

no-crc4: indicates the frame format is no-CRC4.

Views
E1 interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the frame format of an E1 interface is no-CRC4.

The frame format can be configured only when the E1 interface operates in the unchannelized
mode.

Examples
# Set the frame format as CRC4 on E1 1/0/0.
<Eudemon> system-view
[Eudemon] controller E1 1/0/0
[Eudemon-E1 1/0/0] frame-format crc4

Related Topics
3.5.8 using (E1 Interface View)

3.5.7 loopback (E1 Interface View)

Function
Using the loopback command, you can enable the loopback on an E1 interface.

Using the undo loopback command, you can disable this function.


Format
loopback { local | payload | remote }

undo loopback

Parameters
local: enables the local loopback.

payload: enables the payload loopback. The loopback is performed after the data goes through
the framer and the payload is generated.

remote: enables the remote loopback. The loopback is performed after the data goes through
the framer without the payload being generated.

Views
E1 interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the loopback is disabled.

Loopback is enabled on the E1 interface only for testing whether the chip of the framer works
properly.

NOTE

If the MP binding is implemented on the serial interface formed by the E1 interface, the loopback function
of the E1 interface cannot be enabled.

When the local loopback is set on the interface, the physical status of the interface becomes Up,
and the link protocol status becomes Down.

Examples
# Enable the local loopback on E1 1/0/0.
<Eudemon> system-view
[Eudemon] controller E1 1/0/0
[Eudemon-E1 1/0/0] loopback local

3.5.8 using (E1 Interface View)

Function
Using the using command, you can set the operating mode for an E1 interface.

Using the undo using command, you can restore the default setting of the operating mode for
an E1 interface.


Format
using { e1 | ce1 }
undo using

Parameters
e1: indicates that the working mode is clear channel mode.
ce1: indicates that the working mode is unchannelized mode.

Views
E1 interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the operating mode is CE1.
The E1 interface has two operating modes:
• If an E1 interface works in CE1 mode, it is divided into 32 timeslots physically. You can
  bind any of the timeslots except for slot 0. No matter how many timeslots you
  use to bind a channel, you have only one chance to bind the time slots to a channel. For
  example, when you bind time slot 1 and time slot 2 to form a 128K serial port, none of the
  remaining time slots can be bound again. That is, no matter how many timeslots you bind,
  you can perform binding once only and bind the timeslots into one serial port only. The
  bound interfaces work as a single interface whose logical features are the same as those of
  a synchronous serial interface. Using the interface serial command, you can enter the view
  of the interface generated after the binding.
• If an E1 interface works in E1 mode, the interface does not support the time slotting and
  the channel-set command. It is a 2.048M interface.
Both modes support PPP, HDLC and FR.

Examples
# Set the E1 1/0/0 interface to the E1 operating mode.
<Eudemon> system-view
[Eudemon] controller E1 1/0/0
[Eudemon-E1 1/0/0] using e1

Related Topics
3.5.1 channel-set (E1 Interface View)

3.6 CE1 Interface Configuration Commands


3.6.1 channel-set (CE1 Interface View)
3.6.2 clock (CE1 Interface View)
3.6.3 code (CE1 Interface View)
3.6.4 controller e1 (CE1 Interface)
3.6.5 display controller e1 (CE1 Interface)
3.6.6 frame-format (CE1 Interface View)
3.6.7 loopback (CE1 Interface View)
3.6.8 using (CE1 Interface View)

3.6.1 channel-set (CE1 Interface View)

Function
Using the channel-set command, you can configure the binding of time slots on a CE1 interface.
Using the undo channel-set command, you can remove the specified time slots.

Format
channel-set set-number timeslot-list slot-list
undo channel-set [ set-number ]

Parameters
set-number: specifies the number of the interface generated by binding time slots of the CE1
interface. It is an integer ranging from 0 to 30.
slot-list: specifies the number or the number range of time slots to be bound. The value is an
integer ranging from 1 to 31. The parameter can be separate single slots or a slot range. Single
time slots are separated by ","; a slot range is represented by "-".

Views
CE1 interface view

Default Level
2: Configuration level

Usage Guidelines

CAUTION
If no parameter is specified in the undo channel-set command, all the channel sets of the CE1
interface are deleted.

This command can be configured only on a CE1 interface that operates in CE1 mode.


The CE1 interface has two operating modes:

• If a CE1 interface is used as a CE1 interface, it is divided into 32 time slots physically. You
  can bind any of the time slots except for slot 0. The bound interfaces work as a
  single interface whose logical features are the same as those of a synchronous serial interface.
  Using the interface serial interface-number : set-number command, you can enter the view
  of the interface generated after the binding.
  NOTE
  The interface number after the interface serial command refers to the slot number, card number, or
  interface number, that is, the index number of the interface generated by the binding of CE1 interface
  timeslot.
• If a CE1 interface is used as an E1 interface, the interface does not support the time slotting
  and the channel-set command. It is a 2.048M interface.

Both modes support PPP, HDLC and FR.

Examples
# Bind timeslots 1, 10 to 15, 18 on E1 1/0/0 to channel-set 1.
<Eudemon> system-view
[Eudemon] controller E1 1/0/0
[Eudemon-E1 1/0/0] using ce1
[Eudemon-E1 1/0/0] channel-set 1 timeslot-list 1,10-15,18

Related Topics
3.6.8 using (CE1 Interface View)
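
The following Python sketch is an added example, not part of the Huawei command reference. It checks channel-set commands against the set-number and slot-list rules given in 3.5.1 and 3.6.1 before they are applied, and derives each channel set's bandwidth from the 64K-per-slot figure implied by the 128K two-slot example in 3.5.8. Rejecting descending ranges and flagging a slot claimed by two channel sets are this checker's own assumptions, not documented device behaviour; all function names and the constructed input lines are hypothetical.

```python
import re

SLOT_MIN, SLOT_MAX = 1, 31   # slot-list range on the page; slot 0 cannot be bound
SET_MIN, SET_MAX = 0, 30     # set-number range on the page
KBPS_PER_SLOT = 64           # from the page: slots 1 and 2 bound together give 128K

# Matches the command with or without a CLI prompt in front of it.
CMD_RE = re.compile(r"\bchannel-set\s+(\d+)\s+timeslot-list\s+(\S+)\s*$")
ITEM_RE = re.compile(r"(\d+)(?:-(\d+))?")


def parse_slot_list(slot_list):
    """Expand a slot-list such as '1,10-15,18' into a sorted list of slot numbers."""
    slots = set()
    for item in slot_list.split(","):
        match = ITEM_RE.fullmatch(item)
        if match is None:
            raise ValueError(f"malformed item {item!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) is not None else low
        if low > high:
            # Assumption of this checker: a range must be written low-high.
            raise ValueError(f"descending range {item!r}")
        if low < SLOT_MIN or high > SLOT_MAX:
            raise ValueError(f"slot outside {SLOT_MIN}-{SLOT_MAX} in {item!r}")
        slots.update(range(low, high + 1))
    return sorted(slots)


def audit_channel_sets(lines):
    """Return ({set_number: {"slots": [...], "kbps": int}}, [problem strings])."""
    sets, problems, owner = {}, [], {}
    for raw in lines:
        match = CMD_RE.search(raw.strip())
        if match is None:
            continue  # not a channel-set binding (for example undo channel-set)
        set_number = int(match.group(1))
        if not SET_MIN <= set_number <= SET_MAX:
            problems.append(f"set-number {set_number} outside {SET_MIN}-{SET_MAX}")
            continue
        try:
            slots = parse_slot_list(match.group(2))
        except ValueError as exc:
            problems.append(f"channel-set {set_number}: {exc}")
            continue
        for slot in slots:
            # Assumption of this checker: one time slot belongs to one channel set.
            other = owner.setdefault(slot, set_number)
            if other != set_number:
                problems.append(
                    f"slot {slot} claimed by channel-set {other} and {set_number}")
        sets[set_number] = {"slots": slots, "kbps": len(slots) * KBPS_PER_SLOT}
    return sets, problems


CONFIG = [
    "[Eudemon-E1 1/0/0] channel-set 1 timeslot-list 1,10-15,18",  # from this page
    "[Eudemon-E1 1/0/0] channel-set 2 timeslot-list 15-17",       # constructed
    "[Eudemon-E1 1/0/0] channel-set 3 timeslot-list 0-3",         # constructed
    "[Eudemon-E1 1/0/0] channel-set 31 timeslot-list 20",         # constructed
]

if __name__ == "__main__":
    channel_sets, issues = audit_channel_sets(CONFIG)
    for number, info in channel_sets.items():
        print(number, info["slots"], f"{info['kbps']}K")
    for issue in issues:
        print("PROBLEM:", issue)
```
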

3.6.2 clock (CE1 Interface View)

Function
Using the clock command, you can set the clock mode on a CE1 interface.

Using the undo clock command, you can restore the default setting of the clock mode on a CE1
interface.

Format
clock { master | slave }

undo clock

Parameters
master: sets the CE1 interface to work in master clock mode, using the internal clock signal of the system.

slave: sets the CE1 interface to work in slave clock mode, using the line clock signal.

Views
CE1 interface view


Default Level
2: Configuration level

Usage Guidelines
By default, the clock mode of the CE1 interface is slave.
When the CE1 interfaces of two devices are directly connected, you can do as follows:
• Set one end as a master clock and the other end as a slave clock; they work
  normally.
• Set both ends as a master clock; they also work normally.

Examples
# Set E1 1/0/0 as a master clock.
<Eudemon> system-view
[Eudemon] controller E1 1/0/0
[Eudemon-E1 1/0/0] clock master

3.6.3 code (CE1 Interface View)

Function
Using the code command, you can set the line coding and decoding format for a CE1 interface.
Using the undo code command, you can restore the default setting of line coding and decoding
format for a CE1 interface.

Format
code { ami | hdb3 }
undo code

Parameters
ami: performs coding and decoding in Alternate Mark Inversion (AMI) mode.
hdb3: performs coding and decoding in High Density Bipolar Of Order 3 (HDB3) mode.

Views
CE1 interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the coding and decoding format of the CE1 interface is HDB3.


AMI is a basic line code in which the signal polarity alternates. The coding and decoding circuit
is simple and code errors are easy to observe, so the AMI code is widely applied. However, when
timing information is extracted from an AMI signal, consecutive 0s may make it difficult to
extract timing signals.

The HDB3 code inherits all advantages of the AMI code and overcomes the difficulty in obtaining
timing signals caused by excessive consecutive 0s. Therefore, HDB3 is the recommended line coding
and decoding format for PCM transmission systems.

The line coding and decoding format of the local end must be the same as that on the remote
end.
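The difference between the two line codes can be reproduced with a short encoder. The following Python sketch is an added example, not part of the Huawei reference: it encodes the same bit string with AMI and with HDB3, shows that HDB3 never leaves more than three consecutive zero symbols on the line, and decodes the HDB3 symbols back. The function names and the encoder's starting state are assumptions of this example.

```python
"""AMI versus HDB3 line coding (added illustration; all names are this example's own)."""


def ami_encode(bits):
    """Alternate Mark Inversion: 0 -> no pulse, 1 -> pulse of alternating polarity."""
    symbols, last = [], -1            # assumption: the first mark is sent as +1
    for bit in bits:
        if bit:
            last = -last
            symbols.append(last)
        else:
            symbols.append(0)
    return symbols


def hdb3_encode(bits):
    """AMI, except that every run of four zeros is replaced by 000V or B00V.

    V is a pulse that violates the alternation rule (same polarity as the
    previous pulse); B is a normal pulse inserted so that successive
    violations alternate in polarity and the line stays DC balanced.
    """
    symbols, last = [], -1
    marks_since_violation = 0         # assumption: the encoder starts with an even count
    zero_run = 0
    for bit in bits:
        if bit:
            last = -last
            symbols.append(last)
            marks_since_violation += 1
            zero_run = 0
            continue
        symbols.append(0)
        zero_run += 1
        if zero_run == 4:
            if marks_since_violation % 2 == 0:
                last = -last          # B00V: B obeys the alternation rule
                symbols[-4] = last
            symbols[-1] = last        # V repeats the polarity of the previous pulse
            marks_since_violation = 0
            zero_run = 0
    return symbols


def hdb3_decode(symbols):
    """Undo the substitution: a violation marks the end of a four-zero group."""
    bits = [1 if s else 0 for s in symbols]
    last = 0
    for i, symbol in enumerate(symbols):
        if symbol == 0:
            continue
        if symbol == last:            # bipolar violation found
            for j in range(max(0, i - 3), i + 1):
                bits[j] = 0
        last = symbol
    return bits


def longest_zero_run(symbols):
    """Longest stretch without a pulse, i.e. without a transition to recover timing from."""
    longest = run = 0
    for symbol in symbols:
        run = run + 1 if symbol == 0 else 0
        longest = max(longest, run)
    return longest


if __name__ == "__main__":
    data = [1] + [0] * 16 + [1]       # constructed input with a long run of zeros
    for name, encode in (("AMI", ami_encode), ("HDB3", hdb3_encode)):
        line = encode(data)
        print(f"{name:5}", line, "longest zero run:", longest_zero_run(line))
```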

Examples
# Set the line coding and decoding format for E1 1/0/0 to AMI.
<Eudemon> system-view
[Eudemon] controller E1 1/0/0
[Eudemon-E1 1/0/0] code ami

3.6.4 controller e1 (CE1 Interface)

Function
Using the controller e1 command, you can enter the specified CE1 interface view.

Format
controller e1 controller-number

Parameters
controller-number: specifies the interface number.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
To configure a CE1 interface, use the command to enter the CE1 interface view.

Examples
# Enter the E1 1/0/0 interface view.
<Eudemon> system-view
[Eudemon] controller E1 1/0/0
[Eudemon-E1 1/0/0]


3.6.5 display controller e1 (CE1 Interface)

Function
Using the display controller e1 command, you can check the information of a CE1 interface.

Format
display controller e1 [ controller-number ]

Parameters
controller-number: specifies the CE1 interface number.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If no number is specified, information of all CE1 interfaces is displayed.

Examples
# View the information of E1 1/0/0.
<Eudemon> display controller E1 1/0/0
E1 1/0/0 current state : DOWN
Description : HUAWEI, Eudemon Series, E1 1/0/0 Interface
Work mode is E1 FRAMED
Framing is NO-CRC4,Line Code is HDB3,Source Clock is MASTER
Loopback is not set, Alarm State is Loss-of-Signal.

Table 3-7 Description of the display controller e1 command output

Item | Description

E1 1/0/0 current state | Indicates the current physical status of the CE1 interface:
• UP: indicates the normal enabled state.
• DOWN: indicates the abnormal state.
• Administratively Down: If the administrator uses the shutdown command on the interface, the
state is Administratively Down.

Description | Indicates the description about the interface. The description can help the user to
get familiar with the interface function.

Work Mode | Indicates the working mode:
• E1 UNFRAMED: clear channel mode.
• E1 FRAMED: channelized mode.
See 3.6.8 using (CE1 Interface View).

Source clock | Indicates the clock type:
• master
• slave
See 3.6.2 clock (CE1 Interface View).

Loopback is not set | Indicates the loopback is not enabled on the CE1 interface. Loopback is
enabled on the CE1 interface only for testing some special functions.

Line Code | Indicates the encoding and the decoding format of the CE1 interface:
• AMI: Alternate Mark Inversion.
• HDB3: High Density Bipolar of Order 3.
See 3.6.3 code (CE1 Interface View).

Framing is | Indicates the frame format of the CE1 interface:
• CRC4
• NO-CRC4
See 3.6.6 frame-format (CE1 Interface View).

Alarm state | Indicates the alarm type and the error type.
ERROR Possible error types include:
• Loss-of-Signal.
• Loss of Frame Alignment.
• Loss of Multiframe Alignment.
• Remote Alarm.
• None.

3.6.6 frame-format (CE1 Interface View)

Function
Using the frame-format command, you can set the frame format of a CE1 interface.
Using the undo frame-format command, you can restore the default setting of frame format of
a CE1 interface.


Format
frame-format { crc4 | no-crc4 }
undo frame-format

Parameters
crc4: indicates the frame format is CRC4.
no-crc4: indicates the frame format is no-CRC4.

Views
CE1 interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the frame format of a CE1 interface is no-CRC4.
The frame format can be configured only when the CE1 interface operates in the channelized
mode.

Examples
# Set the frame format as CRC4 on E1 1/0/0.
<Eudemon> system-view
[Eudemon] controller E1 1/0/0
[Eudemon-E1 1/0/0] frame-format crc4

Related Topics
3.6.8 using (CE1 Interface View)

3.6.7 loopback (CE1 Interface View)

Function
Using the loopback command, you can enable the loopback on a CE1 interface.
Using the undo loopback command, you can disable this function.

Format
loopback { local | remote | payload }
undo loopback

Parameters
local: enables the local loopback.


remote: enables the remote loopback.


payload: enables external payload loopback.

Views
CE1 interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the loopback is disabled.
Loopback is enabled on the CE1 interface only for testing whether the chip of the framer works
properly.

NOTE

If the MP binding is implemented on the serial interface formed by the CE1 interface, the loopback function
of the CE1 interface cannot be enabled.

When the local loopback is set on the interface, the physical status of the interface becomes Up,
and the link protocol status becomes Down.
If the serial interface formed by the CE1 interface is encapsulated with PPP and the remote
loopback is set, the physical status becomes Up, and the link protocol status becomes Down.

Examples
# Enable the local loopback on E1 1/0/0.
<Eudemon> system-view
[Eudemon] controller E1 1/0/0
[Eudemon-E1 1/0/0] loopback local

3.6.8 using (CE1 Interface View)

Function
Using the using command, you can set the operating mode for a CE1 interface.
Using the undo using command, you can restore the default setting of the operating mode for
a CE1 interface.

Format
using { e1 | ce1 }
undo using

Parameters
e1: specifies the E1 mode, also known as clear channel mode.


ce1: specifies the CE1 mode, also known as channelized mode.

Views
CE1 interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the operating mode is CE1.

A CE1 interface has two working modes:

• If a CE1 interface is used as a CE1 interface, it is physically divided into 32 timeslots. You
can bind any of the timeslots except timeslot 0, and you can group the timeslots arbitrarily.
After binding, each group of timeslots is used as one interface. The logical features of the
timeslot groups are the same as those of synchronous serial ports. Using the interface serial
command, you can enter the view of the interface generated by the binding.
• If a CE1 interface is used as an E1 interface, the interface does not support timeslot division,
the channel-set command, or the frame-format command. It is a 2.048M interface.

Both modes support PPP, HDLC and FR.

Examples
# Switch the CE1 interface to the E1 working mode.
<Eudemon> system-view
[Eudemon] controller E1 1/0/0
[Eudemon-E1 1/0/0] using e1

Related Topics
3.6.1 channel-set (CE1 Interface View)

3.7 T1 Interface Configuration Commands


3.7.1 channel-set (T1 Interface View)
3.7.2 clock (T1 Interface View)
3.7.3 code (T1 Interface View)
3.7.4 controller t1 (T1 Interface)
3.7.5 display controller t1 (T1 Interface)
3.7.6 frame-format (T1 Interface View)
3.7.7 loopback (T1 Interface View)


3.7.1 channel-set (T1 Interface View)

Function
Using the channel-set command, you can bind time slots of a T1 interface.

Using the undo channel-set command, you can remove the specified time slots.

Format
channel-set set-number timeslot-list slot-list [ speed { 56k | 64k } ]

undo channel-set set-number

Parameters
set-number: specifies the number of the interface generated by binding the time slots of the T1
interface. The value is an integer ranging from 0 to 23.

slot-list: specifies the number or the number range of the time slots to be bound. The value is an
integer ranging from 0 to 23. The parameter can be separate single slots or a slot range. Single
time slots are separated by ","; a slot range is represented by "-".

speed: specifies the speed mode for timeslot binding. When 56k is used, the binding mode is N
x 56 kbit/s. When 64k is used, the binding mode is N x 64 kbit/s. N is an integer in a range of 1
to 24.

The default binding mode is N x 56 kbit/s.

Views
T1 interface view

Default Level
2: Configuration level

Usage Guidelines
The T1 interface has two operating modes:

• If a T1 interface is used as a CT1 interface, it is physically divided into 24 timeslots, which
are numbered from 0 to 23. You can bind timeslots on the T1 interface only once to form a
channel. For example, if you bind timeslot 1 and timeslot 2 on the T1 interface to form a serial
port with a bandwidth of 128 Kbit/s, you cannot bind any other timeslots on the interface. That
is, no matter how many timeslots you bind on the T1 interface, you can bind them only once and
form only one serial port. The logical features of the serial port thus formed are the same as
those of a synchronous serial port.
• If a T1 interface is used as a T1 interface, the interface does not support timeslot division
or the channel-set command. It is a 1.544M interface.

Both modes support PPP, HDLC, and FR.


Examples
# Bind 1, 2 and 10 to 15 timeslots of T1 1/0/0 to channel-set 1.
<Eudemon> system-view
[Eudemon] controller T1 1/0/0
[Eudemon-T1 1/0/0] channel-set 1 timeslot-list 1,2,10-15 speed 64k

3.7.2 clock (T1 Interface View)

Function
Using the clock command, you can set the clock mode of a T1 interface.

Using the undo clock command, you can restore the default setting of the clock mode of a T1
interface.

Format
clock { master | slave }

undo clock

Parameters
master: sets T1 to be a master clock.

slave: sets T1 to be a slave clock.

Views
T1 interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the clock mode of a T1 interface is slave.

When the T1 interfaces of two devices are directly connected, you can set the clock modes as follows:
• Set one end as the master clock and the other end as the slave clock. The interfaces work
normally.
• Set both ends as master clocks. The interfaces also work normally.

Examples
# Set T1 1/0/0 as a master clock.
<Eudemon> system-view
[Eudemon] controller T1 1/0/0
[Eudemon-T1 1/0/0] clock master


3.7.3 code (T1 Interface View)

Function
Using the code command, you can set line coding and decoding format of T1.
Using the undo code command, you can restore the default configuration of line coding and
decoding format of T1.

Format
code { ami | b8zs }
undo code

Parameters
ami: performs coding and decoding in Alternate Mark Inversion (AMI) mode.
b8zs: performs coding and decoding in Bipolar with 8-Zero Substitution (B8ZS) mode.

Views
T1 interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the coding and decoding format of the T1 interface is B8ZS.
AMI is a basic line code in which the signal polarity alternates. The coding and decoding circuit
is simple and code errors are easy to observe, so the AMI code is widely applied. However, when
timing information is extracted from an AMI signal, consecutive 0s may make it difficult to
extract timing signals.
The line coding and decoding format of the local end must be the same as that on the remote
end.

Examples
# Set line encoding and decoding format of T1 1/0/0 as AMI.
<Eudemon> system-view
[Eudemon] controller T1 1/0/0
[Eudemon-T1 1/0/0] code ami

3.7.4 controller t1 (T1 Interface)

Function
Using the controller t1 command, you can enter the specified T1 interface view.


Format
controller t1 controller-number

Parameters
controller-number: indicates the T1 interface number.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
To configure a T1 interface, use the command to enter the T1 interface view.

Examples
# Enter the T1 1/0/0 interface view.
<Eudemon> system-view
[Eudemon] controller T1 1/0/0
[Eudemon-T1 1/0/0]

3.7.5 display controller t1 (T1 Interface)

Function
Using the display controller t1 command, you can view the configuration and status of a T1
interface.

Format
display controller t1 [ controller-number ]

Parameters
controller-number: indicates the T1 interface number.

Views
All views

Default Level
1: Monitoring level


Usage Guidelines
According to the status and packet statistics collected by the command, you can monitor the
status and locate the fault of the interface.

If no controller-number is specified, the system displays the configuration and status of all T1
interfaces.

Examples
# View the configuration and status of T1 1/0/0.
<Eudemon> display controller T1 1/0/0
T1 1/0/0 current state : DOWN
Description : HUAWEI, Eudemon Series, T1 1/0/0 Interface
Work mode is T1 FRAMED
Framing is ESF,Line Code is B8ZS,Source Clock is SLAVE
Loopback is not set, Alarm State is Loss-of-Signal.

Table 3-8 Description of the display controller t1 command output

Item | Description

T1 1/0/0 current state | Indicates the current physical status of the T1 interface:
• UP: indicates the normal enabled state.
• DOWN: indicates the abnormal state.
• Administratively Down: If the administrator uses the shutdown command on the interface, the
state is Administratively Down.

Description | Indicates the description about the interface. The description can help the user to
get familiar with the interface function.

Work Mode | Indicates the working mode:
• T1 UNFRAMED: clear channel mode.
• T1 FRAMED: unchannelized mode.

Source Clock | Indicates the clock mode:
• master
• slave
See 3.7.2 clock (T1 Interface View).

Loopback is not set | Indicates the loopback is not enabled on the T1 interface. The loopback can
only be enabled on the T1 interface for some special test.

Line code | Indicates the encoding and the decoding format of the T1 interface:
• AMI: Alternate Mark Inversion.
• B8ZS: Bipolar with 8-Zero Substitution.
See 3.7.3 code (T1 Interface View).

Framing is | Indicates the frame format of the T1 interface:
• SF: Super Frame.
• ESF: Extended Super Frame.
See 3.7.6 frame-format (T1 Interface View).

Alarm state | Indicates the alarm type and the error type.
Possible error types include:
• Loss-of-Signal.
• Loss of Frame Alignment.
• Loss of Multiframe Alignment.
• Remote Alarm.
• None.

3.7.6 frame-format (T1 Interface View)

Function
Using the frame-format command, you can configure the T1 frame format.
Using the undo frame-format command, you can restore the default configuration of T1 frame
format.

Format
frame-format { sf | esf }
undo frame-format

Parameters
sf: indicates super frame format (SF format).
esf: indicates extended-super frame format (ESF format).

Views
T1 interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the T1 interface uses the ESF format.


The frame format on the local end must be the same as that on the remote end.

Examples
# Set the frame format of T1 1/0/0 as SF format.
<Eudemon> system-view
[Eudemon] controller T1 1/0/0
[Eudemon-T1 1/0/0] frame-format sf

3.7.7 loopback (T1 Interface View)

Function
Using the loopback command, you can enable the loopback of a T1 interface.

Using the undo loopback command, you can disable the loopback.

Format
loopback { local | payload | remote }

undo loopback

Parameters
local: enables the local loopback.

payload: enables the payload loopback.

remote: enables the remote loopback.

Views
T1 interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the loopback is disabled.

The loopback is mainly used to check the status of the interface or cable. In the normal operation,
the loopback should be disabled.

NOTE

If the MP binding is implemented on the serial interface that is formed by binding the timeslots of the high-
speed CT1 interface, the loopback of the CT1 interface cannot be enabled.

When the local loopback is set on the interface, the physical status of the interface becomes Up,
and the link protocol status becomes Down.


When the serial interface that is formed by binding the timeslots of the T1 interface is
encapsulated with PPP and the remote loopback is set, the physical status is Up, and the link
layer protocol status becomes Down.

Examples
# Enable the local loopback for T1 1/0/0.
<Eudemon> system-view
[Eudemon] controller T1 1/0/0
[Eudemon-T1 1/0/0] loopback local

3.8 CT1 Interface Configuration Commands


3.8.1 channel-set (CT1 Interface View)
3.8.2 clock (CT1 Interface View)
3.8.3 code (CT1 Interface View)
3.8.4 controller t1 (CT1 Interface)
3.8.5 display controller t1 (CT1 Interface)
3.8.6 frame-format (CT1 Interface View)
3.8.7 loopback (CT1 Interface View)

3.8.1 channel-set (CT1 Interface View)

Function
Using the channel-set command, you can bind time slots of a CT1 interface.

Using the undo channel-set command, you can remove the specified time slots.

Format
channel-set set-number timeslot-list slot-list [ speed { 56k | 64k } ]

undo channel-set set-number

Parameters
set-number: specifies the number of the interface generated by binding the time slots of the CT1
interface. The value is an integer ranging from 0 to 23.

slot-list: specifies the number or the number range of the time slots to be bound. The value is an
integer ranging from 0 to 23. The parameter can be separate single slots or a slot range. Single
time slots are separated by ","; a slot range is represented by "-".

speed: specifies the speed mode for timeslot binding. When 56k is used, the binding mode is N
x 56 kbit/s. When 64k is used, the binding mode is N x 64 kbit/s.

The default binding mode is N x 56 kbit/s.


Views
CT1 interface view

Default Level
2: Configuration level

Usage Guidelines
The CT1 interface has two operating modes:
• If a CT1 interface is used as a CT1 interface, it is physically divided into 24 time slots. You
can bind any of the time slots. The bound time slots work as a single interface whose logical
features are the same as those of a synchronous serial interface. Using the
interface serial interface-number : set-number command, you can enter the view of the
interface generated by the binding.
NOTE
The interface number after the interface serial command refers to the slot number, card number, or
interface number, that is, the index number of the interface generated by the binding of CT1
interface timeslots.
• If a CT1 interface is used as a T1 interface, the interface does not support timeslot division
or the channel-set command. It works as a 1.544M serial interface.
Both modes support PPP, HDLC, and FR.

Examples
# Bind 1, 2 and 10 to 15 timeslots of T1 1/0/0 to channel-set 1.
<Eudemon> system-view
[Eudemon] controller T1 1/0/0
[Eudemon-T1 1/0/0] channel-set 1 timeslot-list 1,2,10-15 speed 64k
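
The slot-list syntax and the N x 56/64 kbit/s binding modes described in 3.7.1 and 3.8.1 can be checked before a channel-set line is sent to a device. The following Python validator is an added example, not Huawei code: the function names are this example's own, the single-binding option follows the "bind only once" rule in 3.7.1, and rejecting a timeslot that appears in two channel-sets is an assumption of the example.

```python
import re

MAX_INDEX = 23                        # set-number and slot values range from 0 to 23
RATE_KBPS = {"56k": 56, "64k": 64}
DEFAULT_SPEED = "56k"                 # the reference gives N x 56 kbit/s as the default
COMMAND = re.compile(r"channel-set (\d+) timeslot-list (\S+)(?: speed (56k|64k))?")
ITEM = re.compile(r"(\d+)(?:-(\d+))?", re.ASCII)


def parse_slot_list(spec):
    """Expand '1,2,10-15' into a sorted list of slot numbers, validating each item."""
    slots = set()
    for item in spec.split(","):
        match = ITEM.fullmatch(item)
        if match is None:
            raise ValueError(f"malformed slot-list item {item!r}")
        first = int(match.group(1))
        last = int(match.group(2)) if match.group(2) is not None else first
        if first > last:
            raise ValueError(f"descending range {item!r}")
        if last > MAX_INDEX:
            raise ValueError(f"slot {last} is outside 0..{MAX_INDEX}")
        slots.update(range(first, last + 1))
    return sorted(slots)


def parse_channel_set(line):
    """Parse one channel-set command and compute the bandwidth it would bind."""
    match = COMMAND.fullmatch(line.strip())
    if match is None:
        raise ValueError(f"not a channel-set command: {line!r}")
    set_number = int(match.group(1))
    if set_number > MAX_INDEX:
        raise ValueError(f"set-number {set_number} is outside 0..{MAX_INDEX}")
    slots = parse_slot_list(match.group(2))
    speed = match.group(3) or DEFAULT_SPEED
    return {"set": set_number, "slots": slots, "speed": speed,
            "kbps": len(slots) * RATE_KBPS[speed]}


def plan_bindings(lines, single_binding=False):
    """Validate several channel-set lines meant for one controller.

    single_binding=True models the T1 interface of 3.7.1, which can be bound
    only once. The overlap check is this example's assumption.
    """
    plan, owner = [], {}
    for line in lines:
        entry = parse_channel_set(line)
        if single_binding and plan:
            raise ValueError("this interface accepts only one timeslot binding")
        if any(entry["set"] == earlier["set"] for earlier in plan):
            raise ValueError(f"channel-set {entry['set']} is defined twice")
        for slot in entry["slots"]:
            if slot in owner:
                raise ValueError(
                    f"timeslot {slot} is already bound to channel-set {owner[slot]}")
            owner[slot] = entry["set"]
        plan.append(entry)
    return plan


if __name__ == "__main__":
    # The command from the Examples section above.
    print(parse_channel_set("channel-set 1 timeslot-list 1,2,10-15 speed 64k"))
```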

3.8.2 clock (CT1 Interface View)

Function
Using the clock command, you can set the clock mode of a CT1 interface.
Using the undo clock command, you can restore the default configuration of the clock mode of
a CT1 interface.

Format
clock { master | slave }
undo clock

Parameters
master: sets a CT1 interface as the master clock.
slave: sets a CT1 interface as the slave clock.


Views
CT1 interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the clock mode of a CT1 interface is slave.

When the CT1 interfaces of two devices are directly connected, you can set the clock modes as follows:
• Set one end as the master clock and the other end as the slave clock. The interfaces work
normally.
• Set both ends as master clocks. The interfaces also work normally.

Examples
# Set the clock mode of T1 1/0/0 as master.
<Eudemon> system-view
[Eudemon] controller T1 1/0/0
[Eudemon-T1 1/0/0] clock master

3.8.3 code (CT1 Interface View)

Function
Using the code command, you can set line coding and decoding format of CT1.

Using the undo code command, you can restore the default configuration.

Format
code { ami | b8zs }

undo code

Parameters
ami: indicates Alternate Mark Inversion.

b8zs: indicates Bipolar with 8-Zero Substitution.

Views
CT1 interface view

Default Level
2: Configuration level


Usage Guidelines
By default, the coding and decoding format of the CT1 interface is B8ZS.

AMI is a basic line code in which the signal polarity alternates. The coding and decoding circuit
is simple and code errors are easy to observe, so the AMI code is widely applied. However, when
timing information is extracted from an AMI signal, consecutive 0s may make it difficult to
extract timing signals.

The line coding and decoding format of the local end must be the same as that on the remote
end.

Examples
# Set line encoding and decoding format of T1 1/0/0 as AMI.
<Eudemon> system-view
[Eudemon] controller T1 1/0/0
[Eudemon-T1 1/0/0] code ami

3.8.4 controller t1 (CT1 Interface)

Function
Using the controller t1 command, you can enter the specified CT1 interface view.

Format
controller t1 controller-number

Parameters
controller-number: indicates the CT1 interface number.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
To configure a CT1 interface, use the command to enter the CT1 interface view.

Examples
# Enter the T1 1/0/0 interface view.
<Eudemon> system-view
[Eudemon] controller T1 1/0/0
[Eudemon-T1 1/0/0]


3.8.5 display controller t1 (CT1 Interface)

Function
Using the display controller t1 command, you can view the configuration and status of a CT1
interface.

Format
display controller t1 [ controller-number ]

Parameters
controller-number: indicates the CT1 interface number.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
According to the status and packet statistics collected by the command, you can monitor the
status and locate the fault of the interface.

If no controller-number is specified, the system displays the configuration and status of all CT1
interfaces.

Examples
# View the configuration and status of T1 1/0/0.
<Eudemon> display controller T1 1/0/0
T1 1/0/0 current state : DOWN
Description : HUAWEI, Eudemon Series, T1 1/0/0 Interface
Work mode is T1 FRAMED
Framing is ESF,Line Code is B8ZS,Source Clock is SLAVE
Loopback is not set, Alarm State is Loss-of-Signal.

Table 3-9 Description of the display controller t1 command output

Item | Description

T1 1/0/0 current state | Indicates the current physical status of the CT1 interface:
• UP: indicates the normal enabled state.
• DOWN: indicates the abnormal state.
• Administratively Down: If the administrator uses the shutdown command on the interface, the
state is Administratively Down.

Description | Indicates the description about the interface. The description can help the user to
get familiar with the interface function.

Work Mode | Indicates the working mode of the CT1 interface:
• T1 UNFRAMED: clear channel mode.
• T1 FRAMED: channelized mode.

Source Clock | Indicates the clock mode:
• master
• slave
See 3.8.2 clock (CT1 Interface View).

Loopback is not set | Indicates the loopback is not enabled on the CT1 interface. The loopback can
only be enabled on the CT1 interface for some special test.

Line Code | Indicates the encoding and the decoding format of the CT1 interface:
• AMI: Alternate Mark Inversion.
• B8ZS: Bipolar with 8-Zero Substitution.
See 3.8.3 code (CT1 Interface View).

Framing is | Indicates the frame format of the CT1 interface:
• SF: Super Frame.
• ESF: Extended Super Frame.
See 3.8.6 frame-format (CT1 Interface View).

Alarm State | Indicates the alarm type and the error type.
Possible error types include:
• Loss-of-Signal.
• Loss of Frame Alignment.
• Loss of Multiframe Alignment.
• Remote Alarm.
• None.

3.8.6 frame-format (CT1 Interface View)

Function
Using the frame-format command, you can configure the CT1 frame format.

Using the undo frame-format command, you can restore the default configuration of CT1 frame
format.


Format
frame-format { sf | esf }
undo frame-format

Parameters
sf: indicates super frame format (SF format).
esf: indicates extended-super frame format (ESF format).

Views
CT1 interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the CT1 interface uses the ESF format.
The frame format on the local end must be the same as that on the remote end.

Examples
# Set the frame format of T1 1/0/0 as SF format.
<Eudemon> system-view
[Eudemon] controller T1 1/0/0
[Eudemon-T1 1/0/0] frame-format sf

3.8.7 loopback (CT1 Interface View)

Function
Using the loopback command, you can enable the loopback of a CT1 interface.
Using the undo loopback command, you can disable the loopback.

Format
loopback { local | payload | remote }
undo loopback

Parameters
local: enables the local loopback.
payload: enables external payload loopback on the CT1 interface.
remote: enables the remote loopback.


Views
CT1 interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the loopback is disabled.

The loopback is mainly used to check the status of the interface or cable. In the normal operation,
the loopback should be disabled.

NOTE

If the MP binding is implemented on the serial interface that is formed by binding the timeslots of the CT1
interface, the loopback of the CT1 interface cannot be enabled.

When the local loopback is set on the interface, the physical status of the interface becomes Up,
and the link protocol status becomes Down.

When the serial interface that is formed by binding the timeslots of the CT1 interface is
encapsulated with PPP and the remote loopback is set, the physical status is Up, and the link
layer protocol status becomes Down.

Examples
# Enable the local loopback for T1 1/0/0.
<Eudemon> system-view
[Eudemon] controller T1 1/0/0
[Eudemon-T1 1/0/0] loopback local
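
The display controller output shown in 3.6.5, 3.7.5 and 3.8.5 can be checked automatically against the rules stated in this chapter: loopback is disabled in normal operation, and the line code and frame format match on both ends. The following Python audit is an added example, not Huawei code: the function names are this example's own, the REMOTE capture is constructed, and the wording of the Loopback field when loopback is enabled is an assumption (anything other than "not set" is treated as enabled).

```python
import re

# LOCAL is the sample output printed in 3.7.5. REMOTE is constructed for this
# example; its "Loopback is local" wording is an assumption, not device output.
LOCAL = """\
T1 1/0/0 current state : DOWN
Description : HUAWEI, Eudemon Series, T1 1/0/0 Interface
Work mode is T1 FRAMED
Framing is ESF,Line Code is B8ZS,Source Clock is SLAVE
Loopback is not set, Alarm State is Loss-of-Signal.
"""
REMOTE = """\
T1 2/0/0 current state : UP
Description : constructed peer interface
Work mode is T1 FRAMED
Framing is SF,Line Code is AMI,Source Clock is MASTER
Loopback is local, Alarm State is None.
"""

# One pattern per output line; each tuple names the fields its groups fill.
PATTERNS = {
    ("name", "state"): r"^(\S+ \S+) current state\s*:\s*(.+?)\s*$",
    ("work_mode",): r"^Work mode is (.+?)\s*$",
    ("framing", "line_code", "clock"):
        r"^Framing is ([^,]+),\s*Line Code is ([^,]+),\s*Source Clock is (\S+)",
    ("loopback", "alarm"): r"^Loopback is ([^,]+),\s*Alarm State is (.+?)\.?\s*$",
}


def parse_controller(text):
    """Turn one interface's display controller output into a dict of fields."""
    info = {}
    for keys, pattern in PATTERNS.items():
        match = re.search(pattern, text, re.MULTILINE)
        if match is None:
            raise ValueError(f"field(s) {keys} not found in display controller output")
        info.update(zip(keys, (group.strip() for group in match.groups())))
    return info


def audit(local, remote=None):
    """Return (code, message) findings for one interface, optionally against its peer."""
    findings = []
    name = local["name"]
    if local["state"].upper() != "UP":
        findings.append(("state", f"{name}: physical state is {local['state']}"))
    if local["loopback"].lower() != "not set":
        findings.append(("loopback",
                         f"{name}: loopback is {local['loopback']}; "
                         "it should be disabled in normal operation"))
    if local["alarm"].lower() != "none":
        findings.append(("alarm", f"{name}: alarm state is {local['alarm']}"))
    if remote is not None:
        for key, label in (("line_code", "line code"), ("framing", "frame format")):
            if local[key].upper() != remote[key].upper():
                findings.append((key,
                                 f"{name}: {label} {local[key]} does not match "
                                 f"{remote[key]} on {remote['name']}"))
    return findings


if __name__ == "__main__":
    here, peer = parse_controller(LOCAL), parse_controller(REMOTE)
    for code, message in audit(here, peer) + audit(peer):
        print(f"[{code}] {message}")
```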

3.9 IP Address Configuration Commands


3.9.1 display ip interface
3.9.2 firewall permit sub-ip
3.9.3 ip address
3.9.4 ip address ppp-negotiate
3.9.5 remote address

3.9.1 display ip interface

Function
Using the display ip interface command, you can view the configuration and the statistics of
the interface related to IP.


Format
display ip interface [ brief ] [ interface-type interface-number ]

Parameters
interface-type interface-number: specifies the type and the number of an interface.
brief: displays summary information, including the IP address, physical link state, the Up or
Down state of the protocol, and the interface description.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Using the display ip interface command, you can view the configuration and the statistics of the
interface related to IP, including:
l IP address
l Statuses of the physical link and protocol
l Description of the interface

By default, if no interface is specified, the system displays IP configuration and statistics of all
interfaces.

Examples
# Display the running state of the interface Ethernet 0/0/0.
<Eudemon> display ip interface Ethernet 0/0/0
Ethernet 0/0/0 current state : DOWN
Line protocol current state : DOWN
The Maximum Transmit Unit : 1500 bytes
ip fast-forwarding mode is QFF
ip fast-forwarding outgoing packets is Enable
ip fast-forwarding on the same-interface is Disable
input packets : 0, bytes : 0, multicasts : 0
output packets : 0, bytes : 0, multicasts : 0
ARP packet input number: 0
Request packet: 0
Reply packet: 0
Unknown packet: 0
Internet Address is 192.168.0.33/24
Internet Address is 192.168.1.33/24 Secondary
Internet Address is 10.10.10.11/24 Secondary
Broadcast address : 192.168.0.255
TTL invalid packet number: 0
ICMP packet input number: 0
Echo reply: 0
Unreachable: 0
Source quench: 0
Routing redirect: 0
Echo request: 0
Router advert: 0
Router solicit: 0
Time exceed: 0
IP header bad: 0
Timestamp request: 0
Timestamp reply: 0
Information request: 0
Information reply: 0
Netmask request: 0
Netmask reply: 0
Unknown type: 0
DHCP packet deal mode: global

Table 3-10 Description of the display ip interface Ethernet 0/0/0 command output
Item                                 Description
Ethernet0/0/0 current state          Indicates the physical status of Ethernet0/0/0:
                                     • UP: indicates the normal enabled state.
                                     • DOWN: indicates the abnormal state.
                                     • Administratively down: If the administrator uses
                                       the shutdown command on the interface, the state
                                       is Administratively down.
Line protocol current state          Indicates the status of the link protocol of the
                                     interface:
                                     • UP: indicates the normal enabled state.
                                     • DOWN: indicates the abnormal state or the IP
                                       address is not configured on the interface.
The Maximum Transmit Unit            The Maximum Transmit Unit (MTU) of the interface. For
                                     an Ethernet interface or a serial interface, the
                                     default is 1500 bytes. A packet larger than the MTU
                                     is fragmented before being sent. If non-fragmentation
                                     is configured, the packet is discarded.
ip fast-forwarding                   Information about fast forwarding of the interface.
input packets : bytes : multicasts   Number of input packets, bytes, and multicast
                                     packets.
output packets : bytes : multicasts  Number of output packets, bytes, and multicast
                                     packets.
ARP packet input number              Statistics of the ARP packets received on the
                                     interface.
                                     For non-Ethernet interfaces, this item is displayed
                                     as 0.
                                     Statistics include:
                                     • Total number of ARP packets
                                     • Number of the ARP request packets
                                     • Number of the ARP response packets
                                     • Number of the other ARP packets
Internet Address                     IP address of the interface. It is in the format of IP
                                     address/mask length.
Broadcast address                    Broadcast address of the interface.
TTL invalid packet number            Number of packets whose TTL value is illegal.
                                     When the TTL value is 0 or 1, the packet is considered
                                     an illegal TTL packet.
ICMP packet input number             Statistics of the ICMP packets received by the
                                     interface.
                                     Statistics are:
                                     • Total number of packets
                                     • Number of ECHO response packets
                                     • Number of destination unreachable packets
                                     • Number of source quench packets
                                     • Number of routing redirection packets
                                     • Number of ECHO request packets
                                     • Number of route advertisement packets
                                     • Number of routing request packets
                                     • Number of timeout packets
                                     • Number of IP header error packets
                                     • Number of time stamp request packets
                                     • Number of time stamp response packets
                                     • Number of information request packets
                                     • Number of information response packets
                                     • Number of mask request packets
                                     • Number of mask response packets
                                     • Number of other ICMP packets
Echo reply                           Indicates the number of echo-reply packets.
Unreachable                          Indicates the number of packets with unreachable
                                     destination.
Source quench                        Indicates the number of source quench packets.
Routing redirect                     Indicates the number of redirected packets.
Echo request                         Indicates the number of echo-request packets.
Router advert                        Indicates the number of router-advertising packets.
Router solicit                       Indicates the number of router-soliciting packets.
Time exceed                          Indicates the number of timeout packets.
IP header bad                        Indicates the number of packets with a corrupted IP
                                     header.
Timestamp request                    Indicates the number of timestamp-requesting packets.
Timestamp reply                      Indicates the number of timestamp-replying packets.
Information request                  Indicates the number of information-requesting
                                     packets.
Information reply                    Indicates the number of information-replying
                                     packets.
Netmask request                      Indicates the number of mask-requesting packets.
Netmask reply                        Indicates the number of mask-replying packets.
Unknown type                         Indicates the number of packets of the unknown type.
DHCP packet deal mode                The modes of handling the DHCP packet include:
                                     • Global mode
                                     • Relay mode
                                     • Interface mode

3.9.2 firewall permit sub-ip

Function
Using the firewall permit sub-ip command, you can enable the communication between the
subnets for receiving and sending packets through the same interface.

Format
firewall permit sub-ip

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
In general, the Eudemon cannot receive and send a packet through the same interface. Therefore,
when an interface is configured with secondary IP addresses using the sub parameter, and the
secondary IP address and primary address are configured as the gateway of two subnets, these
two subnets cannot communicate through the Eudemon. Using the firewall permit sub-ip
command, you can enable the communication between the subnets for receiving and sending
packets through the same interface.

Examples
# Allow the two subnets connected through one interface to communicate, from
192.168.10.1 to 202.100.1.1.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ip address 192.168.10.1 255.255.255.0
[Eudemon-Ethernet0/0/0] ip address 202.100.1.1 255.255.255.0 sub
[Eudemon-Ethernet0/0/0] quit
[Eudemon] firewall permit sub-ip

3.9.3 ip address

Function
Using the ip address command, you can set an IP address for an interface.

Using the undo ip address command, you can delete an IP address of the interface.

Format
ip address ip-address net-mask [ sub ]

undo ip address [ ip-address net-mask [ sub ] ]

Parameters
ip-address: specifies the IP address of an interface, in dotted-decimal format.

net-mask: specifies the mask of the subnet, in dotted decimal format.

sub: uses the configured subordinate IP address and mask to enable communications among
different subnets.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, no IP address is set.

IP addresses are classified into five types, and users can select a proper IP subnet as required.
Moreover, an address whose host part is composed of 0s, or whose entire host part is composed
of 1s, has a special use and cannot be used as an ordinary IP address.

The mask identifies the network number in an IP address. For example, if the IP address of the
Ethernet interface is 129.9.30.42 and the mask is 255.255.0.0, the network ID of this interface
is 129.9.0.0, obtained by performing the AND operation on the IP address and the mask.

Normally, one interface needs to be configured with only one IP address. However, to enable
one interface of an Eudemon to connect to several subnets, one interface can be configured with
several IP addresses. Among them, one is the primary IP address, and the others are secondary IP
addresses. The relationship between the primary and secondary IP addresses is as follows:
• The undo ip address command without parameters deletes all the IP addresses
  of the interface.
• The undo ip address ip-address net-mask command deletes the primary IP
  address, and the undo ip address ip-address net-mask sub command deletes a secondary
  address. All the secondary addresses must be deleted before the primary IP address is deleted.

In addition, all the IP addresses assigned for the interfaces on an Eudemon cannot be located in
the same subnet.

Examples
# Set the primary IP address of the interface Ethernet 0/0/0 to 129.102.0.1 and the secondary IP
address to 202.38.160.1, with the mask of all subnets being 255.255.255.0.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ip address 129.102.0.1 255.255.255.0
[Eudemon-Ethernet0/0/0] ip address 202.38.160.1 255.255.255.0 sub
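
The addressing rules in the usage guidelines above (network ID by AND, special host parts, no two interface addresses in the same subnet, secondary addresses deleted before the primary) can be checked off-box before commands are typed. The following Python is an added example, not Huawei code; the function names and the constructed sample plan are assumptions.

```python
import ipaddress


def parse_addr(ip, mask):
    """Return (network, host_bits, host_mask) for ip/mask; raise ValueError if invalid."""
    ip_i = int(ipaddress.IPv4Address(ip))
    mask_i = int(ipaddress.IPv4Address(mask))
    inv = mask_i ^ 0xFFFFFFFF
    if inv & (inv + 1):  # the 1-bits of a subnet mask must be contiguous
        raise ValueError(f"mask {mask} is not contiguous")
    prefix = bin(mask_i).count("1")
    net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(ip_i & mask_i)}/{prefix}")
    return net, ip_i & inv, inv


def network_id(ip, mask):
    """Network ID = IP address AND mask, as in the 129.9.30.42 example."""
    return str(parse_addr(ip, mask)[0].network_address)


def audit(commands):
    """Replay (interface, command) pairs in typing order; return a list of findings."""
    state = {}      # interface -> {"primary": network or None, "subs": [networks]}
    findings = []
    for ifname, cmd in commands:
        words = cmd.split()
        undo = words[:1] == ["undo"]
        args = words[3:] if undo else words[2:]
        if (words[1:3] if undo else words[:2]) != ["ip", "address"]:
            findings.append(f"{ifname}: unsupported command: {cmd}")
            continue
        st = state.setdefault(ifname, {"primary": None, "subs": []})
        if undo and not args:                 # undo ip address: deletes every address
            st["primary"], st["subs"] = None, []
            continue
        is_sub = args[2:] == ["sub"]
        if len(args) < 2 or (len(args) > 2 and not is_sub):
            findings.append(f"{ifname}: malformed command: {cmd}")
            continue
        try:
            net, host, inv = parse_addr(args[0], args[1])
        except ValueError as exc:
            findings.append(f"{ifname}: {exc} in: {cmd}")
            continue
        if undo:
            if is_sub:
                if net in st["subs"]:
                    st["subs"].remove(net)
            elif st["subs"]:
                findings.append(
                    f"{ifname}: secondary addresses must be deleted before the primary: {cmd}")
            elif st["primary"] == net:
                st["primary"] = None
            continue
        if inv and host in (0, inv):
            kind = "all 0s" if host == 0 else "all 1s"
            findings.append(f"{ifname}: host part of {args[0]} is {kind} (special address): {cmd}")
            continue
        clashes = [other for other, s in state.items()
                   for n in [s["primary"], *s["subs"]] if n is not None and n.overlaps(net)]
        if clashes:
            findings.append(
                f"{ifname}: {net} is in the same subnet as an address on {clashes[0]}: {cmd}")
            continue
        if is_sub:
            st["subs"].append(net)
        else:
            st["primary"] = net
    return findings


# Constructed sample plan: the first two lines are the example above, the rest are faults.
SAMPLE = [
    ("Ethernet0/0/0", "ip address 129.102.0.1 255.255.255.0"),
    ("Ethernet0/0/0", "ip address 202.38.160.1 255.255.255.0 sub"),
    ("Ethernet0/0/1", "ip address 129.102.0.200 255.255.255.0"),     # same subnet as Ethernet0/0/0
    ("Ethernet0/0/1", "ip address 10.1.1.255 255.255.255.0"),        # host part all 1s
    ("Ethernet0/0/1", "ip address 10.1.2.1 255.0.255.0"),            # non-contiguous mask
    ("Ethernet0/0/0", "undo ip address 129.102.0.1 255.255.255.0"),  # secondary still present
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```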

3.9.4 ip address ppp-negotiate

Function
Using the ip address ppp-negotiate command, you can enable IP address negotiation on an
interface.

Using the undo ip address ppp-negotiate command, you can disable the function.

Format
ip address ppp-negotiate

undo ip address ppp-negotiate

Parameters
None

Views
Virtual-Template interface view, Dialer interface view

Default Level
2: Configuration level

Usage Guidelines
By default, this function is disabled on interfaces.

Examples
# Enable IP address negotiation on Virtual-Template interface 24.
<Eudemon> system-view
[Eudemon] interface virtual-template 24
[Eudemon-Virtual-Template24] ip address ppp-negotiate

3.9.5 remote address

Function
Using the remote address command, you can assign an IP address for the peer interface.
Using the undo remote address command, you can disable the configuration.

Format
remote address { ip-address | pool [ pool-number ] }
undo remote address

Parameters
ip-address: refers to the IP address.
pool-number: specifies the number of an address pool. It is a number in a range of 0 to 99. By
default, the value is 0.

Views
Virtual-Template interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the interface does not assign the address for the peer interface.
When an interface is encapsulated with PPP but not configured with an IP address, you can set
the negotiable attribute of the IP address for this interface (configure the ip address
ppp-negotiate command on the local device and the remote address command
on the peer device), so that the local interface can accept the IP address originated from PPP
negotiation. This IP address is assigned by the opposite end. This configuration is mainly used
to obtain the IP address assigned by the ISP when accessing the Internet through the ISP.

Examples
# The interface Virtual-Template 0 encapsulated with PPP assigns an IP address 10.0.0.1 for the
peer.
<Eudemon> system-view
[Eudemon] interface Virtual-Template 0
[Eudemon-Virtual-Template0] ppp authentication-mode pap
[Eudemon-Virtual-Template0] remote address 10.0.0.1

3.10 IP Performance Configuration Commands


3.10.1 debugging ip
3.10.2 debugging tcp event
3.10.3 debugging tcp md5
3.10.4 debugging tcp packet
3.10.5 debugging udp packet
3.10.6 display fib
3.10.7 display fib |
3.10.8 display fib acl
3.10.9 display fib ip-prefix
3.10.10 display fib longer
3.10.11 display fib statistics
3.10.12 display icmp statistics
3.10.13 display ip interface
3.10.14 display ip socket
3.10.15 display ip statistics
3.10.16 display tcp statistics
3.10.17 display tcp status
3.10.18 display udp statistics
3.10.19 reset ip statistics
3.10.20 reset tcp statistics
3.10.21 reset udp statistics
3.10.22 tcp timer fin-timeout
3.10.23 tcp timer syn-timeout
3.10.24 tcp window

3.10.1 debugging ip

Function
Using the debugging ip packet command, you can enable the IP debugging. You can filter IP
packets and debugging information by using acl.
Using the undo debugging ip packet command, you can disable the IP debugging.
Using the debugging ip icmp command, you can enable the ICMP debugging.
Using the undo debugging ip icmp command, you can disable the ICMP debugging.
Using the debugging ip policy command, you can enable the debugging of policy-based routing.
Using the undo debugging ip policy command, you can disable the debugging of policy-based
routing.
Using the debugging ip rtpro command, you can enable the debugging of routing protocol.
Using the undo debugging ip rtpro command, you can disable the debugging of routing
protocol.

Format
debugging ip { packet [ acl acl-number ] | icmp | policy | rtpro { interface | kernel |
routing | task [ task | timer ] } }
undo debugging ip { packet | icmp | policy | rtpro [ interface | kernel | routing | task [ task
| timer ] ] }

Parameters
acl-number: specifies ACL in a range of 2000 to 3999. ACL numbered 2000 to 2999 refers to
the basic ACL, and ACL numbered 3000 to 3999 refers to the advanced ACL.
task: indicates debugging the task scheduling of routing protocols.
timer: indicates debugging the timer of routing protocols.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Enable IP debugging.
<Eudemon> debugging ip packet

3.10.2 debugging tcp event

Function
Using the debugging tcp event command, you can enable TCP events debugging.
Using the undo debugging tcp event command, you can disable TCP events debugging.

Format
debugging tcp event [ task-id socket-id ]
undo debugging tcp event [ task-id socket-id ]

Parameters
task-id: specifies the ID of a task in a range of 1 to 100.
socket-id: specifies the ID of a socket in a range of 0 to 3072.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
The maximum of the number of enabled debugging switches (combination of task ID and socket
ID). In addition, when TCP passively receives a connection request, a new socket
is created to establish that connection, and some programs, such as the Telnet server, create a
new task to process the connection. Therefore, parameters such as task-id and socket-id cannot
be used for filtering when you view information about such a connection.

Examples
# Enable debugging of TCP events.
<Eudemon> debugging tcp event

3.10.3 debugging tcp md5

Function
Using the debugging tcp md5 command, you can enable TCP MD5 authentication debugging.
Using the undo debugging tcp md5 command, you can disable TCP MD5 authentication
debugging.

Format
debugging tcp md5
undo debugging tcp md5

Parameters
None

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Enable TCP MD5 authentication debugging.
<Eudemon> debugging tcp md5

3.10.4 debugging tcp packet

Function
Using the debugging tcp packet command, you can enable the debugging of TCP connection.
Using the undo debugging tcp packet command, you can disable the debugging of TCP
connection.

Format
debugging tcp packet [ task-id socket-id ]
undo debugging tcp packet [ task-id socket-id ]

Parameters
task-id: specifies the ID of a task in a range of 1 to 100.
socket-id: specifies the ID of a socket in a range of 0 to 3072.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Enable the debugging of TCP connection.
<Eudemon> debugging tcp packet

3.10.5 debugging udp packet

Function
Using the debugging udp packet command, you can enable the debugging of UDP connection.

Using the undo debugging udp packet command, you can disable the debugging of UDP
connection.

Format
debugging udp packet [ task-id socket-id ]

undo debugging udp packet [ task-id socket-id ]

Parameters
task-id: specifies the ID of a task in a range of 1 to 100.

socket-id: specifies the ID of a socket in a range of 0 to 3072.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Enable the debugging of UDP connection.
<Eudemon> debugging udp packet

3.10.6 display fib

Function
Using the display fib command, you can view the summary of the Forwarding Information Base
(FIB).

Format
display fib

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
This command outputs FIB in a list, in which each line represents one route.

Examples
# Display FIB.
<Eudemon> display fib
Destination/Mask Nexthop Flag TimeStamp Interface
172.16.0.0/16 172.16.0.1 U t[0] Ethernet0/0/0
66.1.2.0/24 5.5.5.1 GSU t[0] Ethernet0/0/1
66.1.3.0/24 5.5.5.1 GSU t[0] Ethernet1/0/0
172.16.0.1/32 127.0.0.1 GHU t[0] InLoopBack0
5.5.5.2/32 127.0.0.1 GHU t[0] InLoopBack0
127.0.0.0/8 127.0.0.1 U t[0] InLoopBack0

Table 3-11 Description of the display fib command output

Item              Description
Destination/Mask  Destination address/Mask length
Nexthop           Nexthop
Flag              Current flag, which is the combination of G, H, and U:
                  • G indicates that the next hop is a gateway.
                  • H indicates that the next hop is a host.
                  • U indicates that the route status is Up.
TimeStamp         How long this entry exists, in seconds
Interface         Output interface

3.10.7 display fib |

Function
Using the display fib | command, you can filter the FIB output in the buffer, displaying only the
lines selected by matching the character string text as a regular expression.

Format
display fib | { begin | include | exclude } text

Parameters
text: specifies a character string for the regular expression.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Using this command, you can filter the FIB output in the buffer by matching the character string
text as a regular expression.
Using the display fib | begin text command, you can view the lines from the line that
includes the character string text to the end line of the buffer.
Using the display fib | include text command, you can view only the lines that include the
character string text.
Using the display fib | exclude text command, you can view only the lines that do not include
the character string text.

Examples
# Display the lines beginning from the line including the character string "169.254.0.0" to the
end line of the buffer.
<Eudemon> display fib | begin 169.254.0.0
Destination/Mask Nexthop Flag TimeStamp Interface
169.254.0.0/16 2.1.1.1 U t[0] Ethernet0/0/0
2.0.0.0/16 2.1.1.1 U t[0] Ethernet0/0/0
127.0.0.0/8 127.0.0.1 U t[0] InLoopBack0

# Display all the lines including the character string "Ethernet0/0/0".
<Eudemon> display fib | include Ethernet0/0/0
Destination/Mask Nexthop Flag TimeStamp Interface
169.254.0.0/16 2.1.1.1 U t[0] Ethernet0/0/0
2.0.0.0/16 2.1.1.1 U t[0] Ethernet0/0/0

# Display all the lines excluding the character string "169.254.0.0".
<Eudemon> display fib | exclude 169.254.0.0
Destination/Mask Nexthop Flag TimeStamp Interface
2.0.0.0/16 2.1.1.1 U t[0] Ethernet0/0/0
127.0.0.0/8 127.0.0.1 U t[0] InLoopBack0

Table 3-12 Description of the display fib | command output

Item              Description
Destination/Mask  Destination address or mask length.
Nexthop           Nexthop address.
Flag              Current flag, which is the combination of G, H, and U:
                  • G indicates that the next hop is a gateway.
                  • H indicates that the next hop is a host.
                  • U indicates that the route status is Up.
TimeStamp         How long this entry exists, in seconds.
Interface         Output interface.
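
Because text is matched as a regular expression anywhere in a line, a filter such as include 2.0.0.0 can select more routes than intended when FIB output is reviewed. The following Python is an added example, not part of the product: it emulates the three filter modes over captured output and compares them with an exact match on the Destination/Mask field. The sample rows are constructed, the function names are assumptions, the header line is always kept as in the examples above, and "." is assumed to have its usual regular-expression meaning of any single character.

```python
import re

HEADER = "Destination/Mask Nexthop Flag TimeStamp Interface"

# Constructed sample in the format of the display fib output shown above.
FIB = [
    HEADER,
    "169.254.0.0/16 2.1.1.1 U t[0] Ethernet0/0/0",
    "2.0.0.0/16 2.1.1.1 U t[0] Ethernet0/0/0",
    "172.0.0.0/8 2.1.1.1 U t[0] Ethernet0/0/0",
    "210.0.0.0/8 5.5.5.1 GU t[0] Ethernet0/0/1",
    "127.0.0.0/8 127.0.0.1 U t[0] InLoopBack0",
]


def fib_filter(lines, mode, text, literal=False):
    """Emulate display fib | { begin | include | exclude } text over captured lines.

    literal=True escapes text first, so that only the substring effect remains.
    """
    pattern = re.compile(re.escape(text) if literal else text)
    body = [ln for ln in lines if ln.strip() and ln != HEADER]
    if mode == "begin":
        first = next((i for i, ln in enumerate(body) if pattern.search(ln)), len(body))
        kept = body[first:]
    elif mode == "include":
        kept = [ln for ln in body if pattern.search(ln)]
    elif mode == "exclude":
        kept = [ln for ln in body if not pattern.search(ln)]
    else:
        raise ValueError(f"unknown mode: {mode}")
    return [HEADER] + kept


def exact_destination(lines, prefix):
    """Rows whose Destination/Mask field equals prefix exactly."""
    return [ln for ln in lines if ln.split()[:1] == [prefix]]


def destinations(lines):
    """Destination/Mask column of every non-header row."""
    return [ln.split()[0] for ln in lines if ln != HEADER]


if __name__ == "__main__":
    print("regex  :", destinations(fib_filter(FIB, "include", "2.0.0.0")))
    print("literal:", destinations(fib_filter(FIB, "include", "2.0.0.0", literal=True)))
    print("exact  :", destinations(exact_destination(FIB, "2.0.0.0/16")))
```

The regular expression also selects 172.0.0.0/8 (substring) and 210.0.0.0/8 (dot as wildcard); only the field comparison returns the single intended route.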

3.10.8 display fib acl

Function
Using the display fib acl command, you can filter and display FIB information. That is, display
the FIB entries that match the ACL rules in a certain format.

Format
display fib acl { acl-number | string }

Parameters
acl-number: specifies the ACL number. It is an integer in a range of 2000 to 2999.

string: specifies ACL rules in the string format. It is a string with 1 to 32 characters.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If the ACL is specified by name, a standard ACL name must be entered; otherwise, the system
prompts an input error. When an ACL name or a number ranging from 2000 to 2999
is entered, the system searches for the corresponding ACL. If no ACL is found, information about
all FIB table entries is displayed; if such an ACL is found, the FIB table entry information
is output in a certain format.

If the number of FIB table entries matching the filtering rules is 0, the following information
will be output.
Route entry matched by access-list 2002:
Summary count: 0

If the number of FIB table entries matching the filtering rules is not 0, the FIB table entry will
be output in the following format.
Route entry matched by access-list 2001:
Summary count: 1
Destination/Mask Nexthop Flag TimeStamp Interface
127.0.0.0/8 127.0.0.1 U t[0] InLoopBack0

Examples
# Display the FIB table entries matched by the ACL.
<Eudemon> display fib acl 2010
Route entry matched by access-list 2010:
Summary counts: 1
Destination/Mask Nexthop Flag TimeStamp Interface
127.0.0.0/8 127.0.0.1 U t[0] InLoopBack0

Table 3-13 Description of the display fib acl command output


Item              Description
Destination/Mask  Destination address or mask length.
Nexthop           Nexthop address.
Flag              Current flag, which is the combination of G, H, and U:
                  • G indicates that the next hop is a gateway.
                  • H indicates that the next hop is a host.
                  • U indicates that the route status is Up.
TimeStamp         How long this entry exists, in seconds.
Interface         Output interface.

3.10.9 display fib ip-prefix

Function
Using the display fib ip-prefix command, you can filter and display FIB. According to the
entered prefix-listname, the system displays the FIB entries permitted by the filtering rule.

Format
display fib ip-prefix prefix-listname

Parameters
prefix-listname: specifies the name of a prefix list. It is a string with 1 to 19 characters.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If no FIB table entry matches the prefix list, the system prompts that the number of
FIB entries matched by the prefix list is 0; if the number of FIB table entries after filtering
is not 0, they are output in a certain format.

If no FIB table entry matches the prefix list, the following information will be output:
Route entry matched by prefix-list abc1:
Summary count: 0

If the number of FIB table entries after filtering is not 0, the FIB table entries will be output
in the following format:
Route entry matched by prefix-list abc2:
Summary count: 1
Destination/Mask Nexthop Flag TimeStamp Interface
127.0.0.0/8 127.0.0.1 U t[0] InLoopBack0

Examples
# Display the FIB table entries matched by the prefix list abc0.
<Eudemon> display fib ip-prefix abc0
Route Entry matched by prefix-list abc0:
Summary count: 4
Destination/Mask Nexthop Flag TimeStamp Interface
127.0.0.0/8 127.0.0.1 U t[0] InLoopBack0
127.0.0.1/32 127.0.0.1 U t[0] InLoopBack0
169.0.0.0/8 2.1.1.1 SU t[0] Ethernet1/0/0
169.0.0.0/16 2.1.1.1 SU t[0] Ethernet1/0/0

Table 3-14 Description of the display fib ip-prefix command output

Item              Description
Destination/Mask  Destination address/Mask length
Nexthop           Nexthop
Flag              Current flag, which is the combination of G, H, and U:
                  • G indicates that the next hop is a gateway.
                  • H indicates that the next hop is a host.
                  • U indicates that the route status is Up.
TimeStamp         How long this entry exists, in seconds
Interface         Output interface

3.10.10 display fib longer

Function
Using the display fib dest-address dest-mask [ longer ] command, you can view the FIB table
entries matching the destination address.
Using the display fib dest-address1 dest-mask1 dest-address2 dest-mask2 command, you can view
the FIB table entries whose destination address ranges from dest-address1 dest-mask1 to
dest-address2 dest-mask2, including the FIB entries exactly matching dest-address1 dest-mask1
and dest-address2 dest-mask2.

Format
display fib dest-address1 dest-mask1 [ longer ]
display fib dest-address1 dest-mask1 dest-address2 dest-mask2

Parameters
dest-address1: specifies destination IP address 1 in dotted decimal format.
dest-mask1: specifies subnet mask 1 corresponding to the destination IP address 1, which is the
mask in dotted decimal format or the mask length in integer format.
dest-address2: specifies the destination IP address 2, which is expressed in dotted decimal
format.
dest-mask2: specifies the subnet mask 2 corresponding to the destination IP address 2, which is
the mask in dotted decimal format or the mask length in integer format.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Selecting different parameters leads to different matching methods.
The display fib dest-address command displays entries according to the destination address. If
FIB table entries can be found within the range of the natural mask, all the subnets are displayed.
Otherwise, only the FIB table entries found by the longest match are displayed.
The display fib dest-address dest-mask command displays the FIB table entries exactly
matching the destination address and mask.
The display fib dest-address longer command displays the FIB table entries matching the
destination addresses within the range of the natural mask.
The display fib dest-address dest-mask longer command displays the FIB table entries matching
the destination IP addresses within the entered mask range.

The display fib dest-address1 dest-mask1 dest-address2 dest-mask2 command displays the FIB
table entries whose destination address is within the range from dest-address1 dest-mask1 to
dest-address2 dest-mask2.

Examples
# Display the FIB table entries that are the longest match for the destination address
169.253.0.0 within the natural mask range.
<Eudemon> display fib 169.253.0.0
Destination/Mask Nexthop Flag TimeStamp Interface
169.0.0.0/8 2.1.1.1 U t[0] Ethernet0/0/0

# Display the FIB entries whose destination address is within the range from 169.254.0.0/16 to
169.254.0.6/16.
<Eudemon> display fib 169.254.0.0 255.255.0.0 169.254.0.6 255.255.0.0
Destination/Mask Nexthop Flag TimeStamp Interface
169.254.0.1/8 2.1.1.1 U t[0] Ethernet0/0/0

Table 3-15 Description of the display fib command output


Item              Description
Destination/Mask  Destination address / Mask length
Nexthop           Nexthop
Flag              Current flag, which is the combination of G, H, and U:
                  • G indicates that the next hop is a gateway.
                  • H indicates that the next hop is a host.
                  • U indicates that the route status is Up.
TimeStamp         How long this entry exists, in seconds
Interface         Output interface
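
The matching methods described in the usage guidelines (exact match, longer, and the natural-mask lookup that falls back to the longest match) can be reproduced over captured display fib output for off-box review. The following Python is an added example, not Huawei code; the function names are assumptions, the sample is constructed from rows shown in this section, and the natural mask is assumed to be the classful /8, /16 or /24 mask. The sample output contains the flag letter S, which the Flag table does not describe, so the code reports such letters instead of interpreting them.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "net nexthop flags timestamp interface")
FLAG_MEANING = {"G": "next hop is a gateway", "H": "next hop is a host",
                "U": "route status is Up"}

# Constructed sample assembled from rows shown in this section's examples.
SAMPLE_FIB = """\
Destination/Mask Nexthop Flag TimeStamp Interface
127.0.0.0/8 127.0.0.1 U t[0] InLoopBack0
127.0.0.1/32 127.0.0.1 U t[0] InLoopBack0
169.0.0.0/8 2.1.1.1 SU t[0] Ethernet1/0/0
169.0.0.0/16 2.1.1.1 SU t[0] Ethernet1/0/0
66.1.2.0/24 5.5.5.1 GSU t[0] Ethernet0/0/1
172.16.0.1/32 127.0.0.1 GHU t[0] InLoopBack0
"""


def parse_fib(text):
    """Parse display fib rows; header and summary lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            # strict=False tolerates rows with host bits set, such as 169.254.0.1/8
            net = ipaddress.IPv4Network(fields[0], strict=False)
        except ValueError:
            continue
        routes.append(Route(net, *fields[1:]))
    return routes


def split_flags(flags):
    """Return (documented meanings, letters the Flag table does not describe)."""
    known = [FLAG_MEANING[c] for c in flags if c in FLAG_MEANING]
    unknown = "".join(c for c in flags if c not in FLAG_MEANING)
    return known, unknown


def natural_network(dest):
    """Classful (natural-mask) network of dest; an assumption about 'natural mask'."""
    first = int(dest.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24 if first < 224 else 32
    return ipaddress.IPv4Network(f"{dest}/{prefix}", strict=False)


def exact(routes, dest, mask):
    """display fib dest-address dest-mask: mask is dotted decimal or a length."""
    want = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
    return [r for r in routes if r.net == want]


def longer(routes, dest, mask=None):
    """display fib dest-address [ dest-mask ] longer: entries inside the mask range."""
    scope = (natural_network(dest) if mask is None
             else ipaddress.IPv4Network(f"{dest}/{mask}", strict=False))
    return [r for r in routes if r.net.subnet_of(scope)]


def lookup(routes, dest):
    """display fib dest-address: natural-mask subnets, else the longest match."""
    inside = longer(routes, dest)
    if inside:
        return inside
    addr = ipaddress.IPv4Address(dest)
    covering = [r for r in routes if addr in r.net]
    return sorted(covering, key=lambda r: r.net.prefixlen)[-1:]


if __name__ == "__main__":
    fib = parse_fib(SAMPLE_FIB)
    for route in lookup(fib, "169.253.0.0"):
        print(route.net, route.nexthop, split_flags(route.flags))
```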

3.10.11 display fib statistics

Function
Using the display fib statistics command, you can view the total number of FIB table entries.

Format
display fib statistics [ | { begin | exclude | include } regular-expression ]

Parameters
|: uses the regular expression to filter the output information.
begin: outputs information from the row with the matched string.

exclude: outputs only the rows that do not contain the matched string.
include: outputs only the rows that contain the matched string.
regular-expression: specifies the regular expression that is matched against the output.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the total number of FIB table entries.
<Eudemon> display fib statistics
Route Entry Count : 30

Table 3-16 Description of the display fib statistics command output


Item                    Description
Route Entry Count : 30  Total number of FIB table entries.

3.10.12 display icmp statistics

Function
Using the display icmp statistics command, you can display the statistics of the ICMP traffic.

Format
display icmp statistics

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
This command displays all the current traffic statistics of ICMP connections. The statistics are
divided into two parts: sending and receiving. Each part is classified according to different
types of packets, such as statistics of packets that are repeatedly received and statistics of
packets whose checksums are incorrect. There are also some statistics that are closely related to
the connection, such as the number of received connections, the number of repeatedly sent
packets, and the number of keepalive packets. Most of the above statistics are measured in
packets, but some are measured in bytes.

Examples
# Display the statistics of the ICMP traffic.
<Eudemon> display icmp statistics
Input: bad formats 0 bad checksum 0
echo 0 destination unreachable 0
source quench 0 redirects 0
echo reply 0 parameter problem 0
timestamp 0 information request 0
mask requests 0 mask replies 0
time exceeded 0
Output:echo 0 destination unreachable 333594
source quench 0 redirects 0
echo reply 0 parameter problem 0
timestamp 0 information reply 0
mask requests 0 mask replies 0
time exceeded 34249

Table 3-17 Description of the display icmp statistics command output

Item                     Description
Input                    Received packets
Output                   Sent packets
bad formats              Number of packets with mistaken format
bad checksum             Number of packets with mistaken checksum
echo                     Number of echo request packets
destination unreachable  Number of unreachable packets
source quench            Number of source quench packets
redirects                Number of re-direction packets
echo reply               Number of echo reply packets
parameter problem        Number of packets with mistaken parameters
timestamp                Number of timestamp request packets
information request      Number of information request packets
mask requests            Number of mask request packets
mask replies             Number of mask reply packets
time exceeded            Number of timeout packets

Related Topics
3.10.17 display tcp status

3.10.13 display ip interface

Function
Using the display ip interface command, you can view the configuration and the statistics of
the interface related to IP.

Format
display ip interface [ brief ] [ interface-type interface-number ]

Parameters
interface-type interface-number: specifies the type and the number of an interface.
brief: displays summary information, including the IP address, physical link state, the Up or
Down state of the protocol, and the interface description.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Using the display ip interface command, you can view the configuration and the statistics of the
interface related to IP, including:
• IP address
• Statuses of the physical link and protocol
• Description of the interface

By default, if no interface is specified, the system displays IP configuration and statistics of all
interfaces.

Examples
# Display the running state of the interface Ethernet 0/0/0.
<Eudemon> display ip interface Ethernet 0/0/0
Ethernet 0/0/0 current state : DOWN
Line protocol current state : DOWN
The Maximum Transmit Unit : 1500 bytes
ip fast-forwarding mode is QFF
ip fast-forwarding outgoing packets is Enable
ip fast-forwarding on the same-interface is Disable
input packets : 0, bytes : 0, multicasts : 0
output packets : 0, bytes : 0, multicasts : 0
ARP packet input number: 0
Request packet: 0
Reply packet: 0
Unknown packet: 0
Internet Address is 192.168.0.33/24
Internet Address is 192.168.1.33/24 Secondary
Internet Address is 10.10.10.11/24 Secondary
Broadcast address : 192.168.0.255
TTL invalid packet number: 0
ICMP packet input number: 0
Echo reply: 0
Unreachable: 0
Source quench: 0
Routing redirect: 0
Echo request: 0
Router advert: 0
Router solicit: 0
Time exceed: 0
IP header bad: 0
Timestamp request: 0
Timestamp reply: 0
Information request: 0
Information reply: 0
Netmask request: 0
Netmask reply: 0
Unknown type: 0
DHCP packet deal mode: global

Table 3-18 Description of the display ip interface Ethernet 0/0/0 command output

Item                                  Description

Ethernet0/0/0 current state           Indicates the physical status of Ethernet0/0/0:
                                      - UP: indicates the normal enabled state.
                                      - DOWN: indicates the abnormal state.
                                      - Administratively down: If the administrator uses the shutdown
                                        command on the interface, the state is Administratively down.

Line protocol current state           Indicates the status of the link protocol of the interface:
                                      - UP: indicates the normal enabled state.
                                      - DOWN: indicates the abnormal state or the IP address is not
                                        configured on the interface.

The Maximum Transmit Unit             The Maximum Transmit Unit (MTU) of the interface. For an Ethernet
                                      interface or a serial interface, the default is 1500 bytes. A
                                      packet larger than the MTU is fragmented before being sent. If
                                      non-fragmentation is configured, the packet is discarded.

ip fast-forwarding                    Information about fast forwarding of the interface.

input packets : bytes : multicasts    Number of the input packets, bytes and multicast packets.

output packets : bytes : multicasts   Number of the output packets, bytes and multicast packets.

ARP packet input number               Collects statistics on the ARP packets received on the interface.
                                      For the non-Ethernet interfaces, the display of this item is 0.
                                      Statistics include:
                                      - Total number of ARP packets
                                      - Number of the ARP request packets
                                      - Number of the ARP response packets
                                      - Number of the other ARP packets

Internet Address                      IP address of the interface. It is in the format of IP
                                      address/mask length.

Broadcast address                     Broadcast address of the interface.

TTL invalid packet number             Number of packets whose TTL value is invalid. A packet whose TTL
                                      value is 0 or 1 is considered to have an invalid TTL.

ICMP packet input number              Collects statistics on the ICMP packets received by the interface.
                                      Statistics are:
                                      - Total number of packets
                                      - Number of ECHO response packets
                                      - Number of destination unreachable packets
                                      - Number of source quench packets
                                      - Number of routing redirection packets
                                      - Number of ECHO request packets
                                      - Number of route advertisement packets
                                      - Number of routing request packets
                                      - Number of timeout packets
                                      - Number of IP header error packets
                                      - Number of time stamp request packets
                                      - Number of time stamp response packets
                                      - Number of information request packets
                                      - Number of information response packets
                                      - Number of mask request packets
                                      - Number of mask response packets
                                      - Number of other ICMP packets

Echo reply                            Indicates the number of echo-reply packets.

Unreachable                           Indicates the number of packets with unreachable destination.

Source quench                         Indicates the number of source suppress packets.

Routing redirect                      Indicates the number of redirected packets.

Echo request                          Indicates the number of echo-request packets.

Router advert                         Indicates the number of router-advertising packets.

Router solicit                        Indicates the number of router-soliciting packets.

Time exceed                           Indicates the number of timeout packets.

IP header bad                         Indicates the number of packets with the corrupted IP header.

Timestamp request                     Indicates the number of timestamp-replying packets.

Timestamp reply                       Indicates the number of timestamp-requiring packets.

Information request                   Indicates the number of information-requiring packets.

Information reply                     Indicates the number of information-replying packets.

Netmask request                       Indicates the number of mask-requiring packets.

Netmask reply                         Indicates the number of mask-replying packets.

Unknown type                          Indicates the number of packets of the unknown type.

DHCP packet deal mode                 The modes of handling the DHCP packet include:
                                      - Global mode
                                      - Relay mode
                                      - Interface mode

3.10.14 display ip socket

Function
Using the display ip socket command, you can view all sockets in the current system.

Format
display ip socket [ socktype socket-type-value ] [ task-id socket-id ]

Parameters
socket-type-value: specifies the type of a socket (TCP: 1, UDP: 2, RAW IP: 3).
The meanings of the socket type are as follows:
- 1: indicates SOCK_STREAM, which corresponds to the socket of TCP streams.
- 2: indicates SOCK_DGRAM, which corresponds to the socket of UDP packets.
- 3: indicates SOCK_RAW, which corresponds to the socket of RAW IP.

task-id: specifies the ID of a task. It is an integer in a range of 1 to 100.

socket-id: specifies the ID of a socket. It is an integer in a range of 0 to 3072.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None


Examples
# Display the socket of TCP type.
<Eudemon> display ip socket
SOCK_STREAM:
Task = VTYD(9), socketid = 1, Proto = 6,
LA = 0.0.0.0:23, FA = 0.0.0.0:0,
sndbuf = 4096, rcvbuf = 4096, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN
socket state = SS_PRIV SS_ASYNC
SOCK_DGRAM:
Task = ROUT(6), socketid = 1, Proto = 17,
LA = 0.0.0.0:0, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM
socket state = SS_PRIV SS_ASYNC
SOCK_RAW:
Task = ROUT(6), socketid = 2, Proto = 2,
LA = 0.0.0.0, FA = 0.0.0.0,
sndbuf = 32767, rcvbuf = 32767, sb_cc = 0, rb_cc = 0,
socket option = 0,
socket state = SS_PRIV SS_NBIO SS_ASYNC

# Display the socket with socket ID as 4 and task ID as 8.
<Eudemon> display ip socket 8 4
Task = VTYD(8), socketid = 4, Proto = 6,
LA = 0.0.0.0:23, FA = 0.0.0.0:0,
sndbuf = 4096, rcvbuf = 4096, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN
socket state = SS_PRIV SS_ASYNC

Table 3-19 Description of the display ip socket command output

Item                              Description

SOCK_STREAM                       The socket type, including:
                                  - SOCK_STREAM
                                  - SOCK_DGRAM
                                  - SOCK_RAW

Task = ROUT(6)                    Type and ID of the task that invokes the socket. If task ROUT
                                  invokes the socket, the task ID is 6.

socketid = 2                      Socket ID.

Proto = 2                         The protocol number used by the socket.

sndbuf = 32767, rcvbuf = 32767,   - sndbuf: the sending buffer size of the socket.
sb_cc = 0, rb_cc = 0,             - rcvbuf: the receiving buffer size of the socket.
                                  - sb_cc: the current data size in the sending buffer. The value
                                    makes sense only for the socket of TCP type, because only TCP
                                    is able to cache data.
                                  - rb_cc: the current data size in the receiving buffer.

socket option                     The option of the socket.

socket state                      The state of the socket.
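
The following Python code is an added example, not part of the Huawei manual: it parses text in the display ip socket format shown above, then reports listening TCP sockets (SO_ACCEPTCONN) and receive buffers that are nearly full (rb_cc close to rcvbuf). The sample text is constructed from the example above; the function names, the port table and the 0.9 fill ratio are assumptions.

```python
import re

# Assumption for this audit: ports treated as cleartext management services.
CLEARTEXT_MGMT_PORTS = {23: "telnet"}

# Constructed sample in the "display ip socket" output format.
SAMPLE = """\
SOCK_STREAM:
Task = VTYD(9), socketid = 1, Proto = 6,
LA = 0.0.0.0:23, FA = 0.0.0.0:0,
sndbuf = 4096, rcvbuf = 4096, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN
socket state = SS_PRIV SS_ASYNC
SOCK_DGRAM:
Task = ROUT(6), socketid = 1, Proto = 17,
LA = 0.0.0.0:0, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM
socket state = SS_PRIV SS_ASYNC
SOCK_RAW:
Task = ROUT(6), socketid = 2, Proto = 2,
LA = 0.0.0.0, FA = 0.0.0.0,
sndbuf = 32767, rcvbuf = 32767, sb_cc = 0, rb_cc = 0,
socket option = 0,
socket state = SS_PRIV SS_NBIO SS_ASYNC
"""


def _endpoint(text):
    """Split 'addr:port' (TCP/UDP) or a bare 'addr' (RAW IP) into (addr, port)."""
    addr, sep, port = text.partition(":")
    return addr, (int(port) if sep else None)


def parse_ip_socket(output):
    """Return one dict per socket found in 'display ip socket' output."""
    sockets, sock_type, cur = [], None, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):       # blank line or CLI prompt line
            continue
        header = re.fullmatch(r"(SOCK_[A-Z]+):", line)
        if header:                                  # SOCK_STREAM: / SOCK_DGRAM: / SOCK_RAW:
            sock_type = header.group(1)
            continue
        for piece in line.split(","):               # fields are comma-separated "key = value"
            key, sep, value = piece.partition("=")
            key, value = key.strip(), value.strip()
            if not sep:
                continue
            if key == "Task":                       # "Task = VTYD(9)" starts a new record
                task = re.fullmatch(r"(\w+)\((\d+)\)", value)
                cur = {"type": sock_type,
                       "task": task.group(1) if task else value,
                       "task_id": int(task.group(2)) if task else None}
                sockets.append(cur)
            elif cur is None:
                continue                            # field seen before any Task line
            elif key in ("LA", "FA"):               # local / foreign address
                cur[key.lower()] = _endpoint(value)
            elif key in ("socket option", "socket state"):
                name = "options" if key.endswith("option") else "states"
                cur[name] = [] if value == "0" else value.split()
            else:                                   # socketid, Proto, sndbuf, rcvbuf, sb_cc, rb_cc
                cur[key.lower()] = int(value) if value.isdigit() else value
    return sockets


def audit_sockets(sockets, fill_ratio=0.9):
    """Return (kind, task, local_port, message) tuples for a reviewer to look at."""
    findings = []
    for s in sockets:
        addr, port = s.get("la", (None, None))
        if "SO_ACCEPTCONN" in s.get("options", []):
            scope = "all addresses" if addr == "0.0.0.0" else addr
            service = CLEARTEXT_MGMT_PORTS.get(port)
            note = f" ({service}, cleartext)" if service else ""
            findings.append(("listener", s["task"], port,
                             f"TCP listener on port {port}, {scope}{note}"))
        rcvbuf, queued = s.get("rcvbuf"), s.get("rb_cc")
        if (isinstance(rcvbuf, int) and isinstance(queued, int)
                and rcvbuf and queued >= fill_ratio * rcvbuf):
            findings.append(("rcv-backlog", s["task"], port,
                             f"receive buffer holds {queued} of {rcvbuf} bytes"))
    return findings


if __name__ == "__main__":
    for finding in audit_sockets(parse_ip_socket(SAMPLE)):
        print(finding)
```

Output for a single socket (display ip socket task-id socket-id) has no SOCK_ header line, so the parsed record carries type None.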


3.10.15 display ip statistics

Function
Using the display ip statistics command, you can view IP traffic statistics. This includes
statistics information about sending, receiving, disassembling, and assembling packets, which
helps to diagnose faults.

Format
display ip statistics

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the IP traffic statistics.
<Eudemon> display ip statistics
Input: sum 0 local 0
bad protocol 0 bad format 0
bad checksum 0 bad options 0
TTL exceeded 0
Output: forwarding 0 local 0
dropped 0 no route 0
Fragment:input 0 output 0
dropped 0
fragmented 0 couldn't fragment 0
Reassembling:sum 0 timeouts 0
ReassemMBufErrs: 0

Table 3-20 Description of the display ip statistics command output

Item                  Description

Input                 Number of received packets
sum                   Total number of received packets
local                 Number of packets sent to the upper protocol
bad protocol          Number of packets involved in unknown protocols
bad format            Number of packets with mistaken format
bad checksum          Number of packets with mistaken checksum
bad options           Number of packets with mistaken options
TTL exceeded          Number of discarded packets due to TTL timeout
Output                Number of sent packets
forwarding            Number of forwarded packets
local                 Number of generated packets
dropped               Number of discarded packets
no route              Number of packets without a route
Fragment              Number of fragments
input                 Number of received fragments
output                Number of created fragments
dropped               Number of discarded fragments
fragmented            Number of successfully fragmented packets
couldn't fragment     Number of packets incapable of fragmentation
Reassembling:sum      Number of successfully reassembled fragments
timeouts              Number of time-out fragments

Related Topics
3.10.13 display ip interface
3.10.19 reset ip statistics
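
As an added example (not part of the Huawei manual), the Python code below parses two snapshots of display ip statistics output, computes how much each counter grew between them, and lists the counters whose share of traffic meets a threshold; it also handles a reset ip statistics run between the snapshots. Both snapshots are constructed sample data, and the function names and thresholds are assumptions.

```python
import re

_SECTION = re.compile(r"^(Input|Output|Fragment|Reassembling):\s*(.*)$")
_SINGLE = re.compile(r"^(\w+):\s*(\d+)$")               # e.g. "ReassemMBufErrs: 0"
_PAIR = re.compile(r"([A-Za-z][A-Za-z' ]*?)\s+(\d+)")    # e.g. "couldn't fragment 0"

# Assumed review thresholds (not from the manual): (counter, denominator, minimum share).
RULES = [
    ("Input.bad checksum", "Input.sum", 0.01),
    ("Input.bad options", "Input.sum", 0.01),
    ("Input.TTL exceeded", "Input.sum", 0.05),
    ("Output.no route", "Input.sum", 0.05),
    ("Fragment.dropped", "Fragment.input", 0.10),
    ("Reassembling.timeouts", "Fragment.input", 0.10),
]

# Constructed snapshots in the "display ip statistics" output format.
BEFORE = """\
Input: sum 120000 local 800
bad protocol 0 bad format 2
bad checksum 5 bad options 0
TTL exceeded 40
Output: forwarding 118000 local 900
dropped 10 no route 30
Fragment:input 200 output 0
dropped 0
fragmented 0 couldn't fragment 0
Reassembling:sum 90 timeouts 1
ReassemMBufErrs: 0
"""

AFTER = """\
Input: sum 150000 local 1000
bad protocol 0 bad format 2
bad checksum 6 bad options 0
TTL exceeded 2540
Output: forwarding 146000 local 1100
dropped 12 no route 35
Fragment:input 5200 output 0
dropped 900
fragmented 0 couldn't fragment 0
Reassembling:sum 1500 timeouts 1200
ReassemMBufErrs: 0
"""


def parse_ip_statistics(output):
    """Return {"Section.counter": value}; names such as local and dropped repeat per section."""
    counters, section = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):        # blank line or CLI prompt line
            continue
        single = _SINGLE.match(line)
        if single:                                   # stand-alone "name: value" line
            counters[single.group(1)] = int(single.group(2))
            continue
        head = _SECTION.match(line)
        if head:                                     # section label, counters may follow it
            section, line = head.group(1), head.group(2)
        for name, value in _PAIR.findall(line):
            counters[f"{section}.{name.strip()}"] = int(value)
    return counters


def interval(before, after):
    """Return (increase per counter, reset_seen).

    A counter that went backwards means the statistics were cleared in between
    (reset ip statistics), so the later snapshot already counts from zero.
    """
    if any(after.get(name, 0) < value for name, value in before.items()):
        return dict(after), True
    return {name: value - before.get(name, 0) for name, value in after.items()}, False


def review(delta):
    """Return (counter, count, share) for each rule whose share meets its threshold."""
    flagged = []
    for counter, base, threshold in RULES:
        total, count = delta.get(base, 0), delta.get(counter, 0)
        if total > 0 and count / total >= threshold:
            flagged.append((counter, count, round(count / total, 4)))
    return flagged


if __name__ == "__main__":
    delta, reset_seen = interval(parse_ip_statistics(BEFORE), parse_ip_statistics(AFTER))
    print("reset seen:", reset_seen)
    for row in review(delta):
        print(row)
```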

3.10.16 display tcp statistics

Function
Using the display tcp statistics command, you can view TCP traffic statistics.

Format
display tcp statistics

Parameters
None


Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display TCP traffic statistics.
<Eudemon> display tcp statistics
Received packets:
Total: 0
packets in sequence: 0 (0 bytes)
window probe packets: 0, window update packets: 0
checksum error : 0, bad offset : 0, too short : 0
duplicate packets : 0 (0 bytes), partially duplicate packets : 0(0 bytes)
out-of-order packets : 0 (0 bytes)
packets with data after window : 0 (0 bytes)
packets after close : 0
ACK packets:0 (0 bytes),
duplicate ack packets:0, ack packets with unsend data:0
Sent packets:
Total: 0
urgent packets: 0
control packets: 0 ( 0 RST)
window probe packets: 0, window update packets: 0
data packets : 0 (0 bytes), data packets retransmitted: 0 (0 bytes)
ACK-only packets : 0(0 delayed)
Retransmit timeout: 0, connections dropped in retransmit timeout: 0
Keepalive timeout: 0, keepalive probe: 0, dropped connections in keepalive: 0
Initiated connections: 0, accepted connections: 0,established connections: 0
Closed connections: 0,( dropped: 0, embryonic dropped: 0)
Packet dropped packets with MD5 authentication : 0
Packet permitted packets with MD5 authentication : 0

Table 3-21 Description of the display tcp statistics output

Item                      Description

Received packets          Statistics of received data

Total                     Total number of the received packets

packets in sequence       Number (total byte number) of the packets that arrive in sequence
(bytes)

window probe packets      Number of window probe packets

window update packets     Number of window update packets

checksum error            Number of packets with an incorrect checksum

offset error              Number of packets with an incorrect length

short error               Number of short packets

duplicate packets         Number of completely repeated packets (total byte number)
(bytes)

partially duplicate       Number of partly repeated packets (total byte number)
packets(bytes)

out-of-order packets      Number of packets with an incorrect sequence (total bytes)
(bytes)

packets of data after     Number of unreachable packets (total byte number)
window(bytes)

packets received after    Number of packets that arrive after the connection is closed
close

ACK packets(bytes)        Number of the acknowledged packets (the acknowledged data byte number)

duplicate ACK packets     Number of the re-acknowledged packets

too much ACK packets      Number of acknowledged ACK packets without transmitting data

Sent packets              Statistics of sent packets

Total                     Total number of the sent packets

urgent packets            Number of the urgent data packets

control packets (RST)     Number of control packets (the number of RST packets)

window probe packets      Number of the window probe packets

window update packets     Number of the window update packets

data packets              Number of the data packets (total byte number)

data packets              Number of the retransmitted packets (total byte number)
retransmitted (0 bytes)

ACK only packets          Number of the ACK packets (delayed)
(delayed)

Retransmitted timeout     Number of timeouts of the retransmission timer

connections dropped       Number of connections dropped because the number of retransmissions
in retransmitted          exceeds the limit.
timeout

Keepalive timeout         Timeout time of the keepalive timer

keepalive probe           Number of the sent keepalive packets

Keepalive timeout, so     Number of the discarded connections because the keepalive probe fails
connections
disconnected

Initiated connections     Number of initiated connections

accepted connections      Number of accepted connections

established connections   Number of established connections

Closed connections        Number of the closed connections (the number of dropped connections
(dropped, initiated       (after receiving SYN), the number of active connection failure (before
dropped)                  receiving the peer SYN))

Packets dropped with      Number of dropped packets after MD5 authentication
MD5 authentication

Packets permitted with    Number of passed packets after MD5 authentication
MD5 authentication

3.10.17 display tcp status

Function
Using the display tcp status command, you can monitor TCP connections at any time.

Format
display tcp status

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None


Examples
# Display the TCP connection status.
<Eudemon> display tcp status
TCPCB Local Add:port Foreign Add:port State
06b45804 0.0.0.0:22 0.0.0.0:0 Listening
06b455c4 0.0.0.0:23 0.0.0.0:0 Listening
07453364 0.0.0.0:179 1.1.1.1:0 Listening
07454e64 0.0.0.0:179 5.1.1.1:0 Listening
07453b44 0.0.0.0:179 10.1.1.2:0 Listening
074548c4 0.0.0.0:179 11.1.1.2:0 Listening

Table 3-22 Description of the display tcp status command output

Item               Description

TCPCB              Sequence number of TCP task control block.

Local Add:port     The local IP address of the TCP connection is 0.0.0.0. The local port number is 0.

Foreign Add:port   The remote IP address is 0.0.0.0. The remote port number is 0.

State              Statuses of TCP connections, which are as follows:
                   - ESTAB indicates that connections have been established.
                   - Listening indicates that listening is performed.

3.10.18 display udp statistics

Function
Using the display udp statistics command, you can view UDP traffic statistics.

Format
display udp statistics

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The command is used to display the traffic statistics of all the active UDP connections. The
statistics are divided into two parts, receiving and sending, and each part is further classified
by packet type, for example, checksum error packets. There are also statistics closely related to
connections, such as the number of broadcast packets. The statistics are counted in packets.

Examples
# Display UDP traffic statistics.
<Eudemon> display udp statistics
Received packet:
Total:0
checksum error:0
shorter than header:0, data length larger than packet:0
no socket on port:0
broadcast:0
not delivered, input socket full:0
input packets missing pcb cache:0
Sent packet:
Total:0

Table 3-23 Description of the display udp statistics command output

Item                                  Description

Received packet:                      UDP packets received.
Total: 0

checksum error: 0                     0 packets have a checksum error.

shorter than header: 0, data length   0 packets have a packet length shorter than the packet
larger than packet: 0                 header.

no socket on port: 0                  0 packets whose socket uses this port number.

broadcast: 0                          0 packets are broadcast packets.

not delivered, input socket full: 0   0 packets were not delivered due to a full socket buffer.

input packets missing pcb cache: 0    0 packets did not find a pcb.

Sent packet:                          UDP packets sent.
Total: 0

Related Topics
3.10.21 reset udp statistics

3.10.19 reset ip statistics

Function
Using the reset ip statistics command, you can clear the IP statistics.


Format
reset ip statistics [ interface interface-type interface-number ]

Parameters
interface-type interface-number: specifies the type and the number of an interface.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Clear IP statistics.
<Eudemon> reset ip statistics

Related Topics
3.10.13 display ip interface
3.10.15 display ip statistics

3.10.20 reset tcp statistics

Function
Using the reset tcp statistics command, you can clear TCP traffic statistics.

Format
reset tcp statistics

Parameters
None

Views
User view

Default Level
2: Configuration level


Usage Guidelines
None

Examples
# Clear TCP traffic statistics.
<Eudemon> reset tcp statistics

Related Topics
3.10.16 display tcp statistics

3.10.21 reset udp statistics

Function
Using the reset udp statistics command, you can clear the UDP statistics.

Format
reset udp statistics

Parameters
None

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Clear UDP traffic statistics.
<Eudemon> reset udp statistics

3.10.22 tcp timer fin-timeout

Function
Using the tcp timer fin-timeout command, you can set the TCP finwait timer.
Using the undo tcp timer fin-timeout command, you can restore the default value.


Format
tcp timer fin-timeout time-value

undo tcp timer fin-timeout

Parameters
time-value: specifies the value of TCP finwait timer in a range of 76 to 3600 seconds.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, TCP finwait timer value is 675 seconds.

When the TCP connection status changes from FIN_WAIT_1 to FIN_WAIT_2, the finwait timer
is enabled. If no FIN packet is received before the finwait timer times out, the TCP connection
will be closed.

This parameter needs to be set under the guide of technicians.

Examples
# Set the TCP finwait timer value as 75 seconds.
<Eudemon> system-view
[Eudemon] tcp timer fin-timeout 75

Related Topics
3.10.23 tcp timer syn-timeout
3.10.24 tcp window

3.10.23 tcp timer syn-timeout

Function
Using the tcp timer syn-timeout command, you can set the TCP synwait timer.

Using the undo tcp timer syn-timeout command, you can restore the default value.

Format
tcp timer syn-timeout time-value

undo tcp timer syn-timeout


Parameters
time-value: specifies the value of TCP synwait timer in a range of 2 to 600 seconds.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, TCP synwait timer value is 75 seconds.

When a syn packet is sent, TCP enables the synwait timer. If the response packet is not received
before synwait timeout, the TCP connection will be disabled.

This parameter needs to be set under the guide of technicians.

Examples
# Set the TCP synwait timer value as 100 seconds.
<Eudemon> system-view
[Eudemon] tcp timer syn-timeout 100

Related Topics
3.10.22 tcp timer fin-timeout
3.10.24 tcp window

3.10.24 tcp window

Function
Using the tcp window command, you can set the size of the transceiving buffer of the connection
oriented Socket.

Using the undo tcp window command, you can restore the default size of the buffer.

Format
tcp window window-size

undo tcp window

Parameters
window-size: specifies the size of the transceiving buffer of the connection oriented Socket. It
ranges from 1 to 32 KB.


Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the size of the connection-oriented transceiving buffer is 8192 bytes.
If this command is configured for several times in the same view, only the last configuration
takes effect.
This parameter needs to be set under the guide of technicians.

Examples
# Set the size of the transceiving buffer of the connection oriented Socket as 4 KB.
<Eudemon> system-view
[Eudemon] tcp window 4

3.11 IP Unicast Policy Routing Configuration Commands


3.11.1 apply cost
3.11.2 apply cost-type
3.11.3 apply default output-interface
3.11.4 apply ip-address default next-hop
3.11.5 apply ip-address next-hop (unicast)
3.11.6 apply ip-precedence
3.11.7 apply output-interface
3.11.8 display ip policy
3.11.9 display ip policy setup
3.11.10 display ip policy statistics
3.11.11 if-match acl (unicast)
3.11.12 if-match cost
3.11.13 if-match interface
3.11.14 if-match ip next-hop
3.11.15 if-match ip-prefix
3.11.16 if-match packet-length
3.11.17 ip ip-prefix


3.11.18 ip local policy route-policy


3.11.19 ip policy route-policy
3.11.20 route-policy (unicast)

3.11.1 apply cost

Function
Using the apply cost command, you can set the route cost of routing information.
Using the undo apply cost command, you can cancel this setting.

Format
apply cost value
undo apply cost

Parameters
value: specifies the route cost of routing information.

Views
Route-policy view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Define an apply clause to set the route cost of routing information as 120.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy-map1-10] apply cost 120

Related Topics
3.11.11 if-match acl (unicast)
3.11.5 apply ip-address next-hop (unicast)

3.11.2 apply cost-type

Function
Using the apply cost-type command, you can set the route cost type of routing information.


Using the undo apply cost-type command, you can cancel the setting.

Format
apply cost-type [ internal | external ]
undo apply cost-type

Parameters
internal: uses the cost of IGP as the MED value of BGP while the EBGP peer notifies the route.
external: refers to the external cost of IS-IS.

Views
Route-Policy view

Default Level
2: Configuration level

Usage Guidelines
By default, the attribute of the route cost is not set.

Examples
# Set the cost of IGP as the MED value of BGP.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy-map1-10] apply cost-type internal

3.11.3 apply default output-interface

Function
Using the apply default output-interface command, you can set default forwarding interface
for packets.
Using the undo apply default output-interface command, you can cancel the configuration of
the default forwarding interface of packets.

Format
apply default output-interface interface-type interface-number [ interface-type interface-number ]
undo apply default output-interface interface-type interface-number [ interface-type interface-number ]

Parameters
interface-type: specifies the type of an interface.


interface-number: specifies the number of an interface.

Views
Route-Policy view

Default Level
2: Configuration level

Usage Guidelines
This command is used to set the forwarding interface for matched IP packets. The clause is
valid for packets whose route has not been found.

Examples
# Set the default forwarding interface of packets as Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 1
[Eudemon-route-policy-map1-1] apply default output-interface Ethernet 0/0/0

Related Topics
3.11.6 apply ip-precedence
3.11.5 apply ip-address next-hop (unicast)
3.11.7 apply output-interface
3.11.4 apply ip-address default next-hop
3.11.20 route-policy (unicast)

3.11.4 apply ip-address default next-hop

Function
Using the apply ip-address default next-hop command, you can set the default next hop of a
packet.

Using the undo apply ip-address default next-hop command, you can cancel the configured
default packet next hop.

Format
apply ip-address default next-hop ip-address [ ip-address ]

undo apply ip-address default next-hop ip-address [ ip-address ]

Parameters
ip-address: specifies the IP address of default next hop.


Views
Route-Policy view

Default Level
2: Configuration level

Usage Guidelines
This command is only valid for the packet whose route has not been found.

Examples
# Set the default next hop of a packet to 1.1.1.1.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 1
[Eudemon-route-policy-map1-1] apply ip-address default next-hop 1.1.1.1

Related Topics
3.11.6 apply ip-precedence
3.11.5 apply ip-address next-hop (unicast)
3.11.7 apply output-interface
3.11.3 apply default output-interface
3.11.20 route-policy (unicast)

3.11.5 apply ip-address next-hop (unicast)

Function
Using the apply ip-address next-hop command, you can set the packet next hop.

Using the undo apply ip-address next-hop command, you can cancel the configuration about
the next hop.

Format
apply ip-address next-hop { ip-address [ ip-address ] | acl acl-number }

undo apply ip-address next-hop [ ip-address [ ip-address ] | acl acl-number ]

Parameters
ip-address: specifies the IP address of next hop.

Views
Route-Policy view


Default Level
2: Configuration level

Usage Guidelines
This command is used to set the next hop for the matched IP packet and at most two next hops
can be specified. The next hop should be adjacent to this device.

Examples
# Set the packet next hop to 1.1.1.1.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 1
[Eudemon-route-policy-map1-1] apply ip-address next-hop 1.1.1.1

Related Topics
3.11.6 apply ip-precedence
3.11.3 apply default output-interface
3.11.7 apply output-interface
3.11.4 apply ip-address default next-hop
3.11.20 route-policy (unicast)

3.11.6 apply ip-precedence

Function
Using the apply ip-precedence command, you can set precedence of IP packets.

Using the undo apply ip-precedence command, you can remove the precedence of IP packets.

Format
apply ip-precedence precedence

undo apply ip-precedence

Parameters
precedence: specifies the precedence value. There are 8 precedence values, in the range 0 to 7:

- 0: routine
- 1: priority
- 2: immediate
- 3: flash
- 4: flash-override
- 5: critical
- 6: internet
- 7: network

Views
Route-Policy view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Set the precedence of IP packets to 5 (critical).
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 1
[Eudemon-route-policy-map1-1] apply ip-precedence critical

Related Topics
3.11.3 apply default output-interface
3.11.5 apply ip-address next-hop (unicast)
3.11.7 apply output-interface
3.11.4 apply ip-address default next-hop

3.11.7 apply output-interface

Function
Using the apply output-interface command, you can configure a packet forwarding interface.
Using the undo apply output-interface command, you can cancel the configuration.

Format
apply output-interface interface-type interface-number [ interface-type interface-number ]
undo apply output-interface interface-type interface-number [ interface-type interface-number ]

Parameters
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.

Views
Route-Policy view


Default Level
2: Configuration level

Usage Guidelines
This command is used to configure the packet forwarding interface for the matched IP packet.
At most, two forwarding interfaces can be specified.

Examples
# Specify forwarding interface as Ethernet 0/0/0 for the matched IP packet.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 1
[Eudemon-route-policy-map1-1] apply output-interface Ethernet 0/0/0

Related Topics
3.11.6 apply ip-precedence
3.11.5 apply ip-address next-hop (unicast)
3.11.3 apply default output-interface
3.11.4 apply ip-address default next-hop

3.11.8 display ip policy

Function
Using the display ip policy command, you can view the routing policies applied to local policy
routing and to interface policy routing.

Format
display ip policy

Parameters
None

Views
All views

Default Level
2: Monitoring level

Usage Guidelines
None


Examples
# Display the routing policies used by local policy routing and by interface policy routing.
<Eudemon> display ip policy
Route-policy  Interface
pr02          Local
pr02          Virtual-Template0
pr01          Ethernet 0/0/0

The first line is the header. The Interface column shows where the routing policy in the
Route-policy column is enabled. Taking the first entry as an example, "Local" means that policy
routing is enabled on the local device, that is, the policy "pr02" applies to all packets sent
from the local device (not those forwarded through it). The second and third entries indicate
that the interfaces Virtual-Template0 and Ethernet 0/0/0 use pr02 and pr01 respectively.

3.11.9 display ip policy setup

Function
Using the display ip policy setup command, you can view the setting of policy routings.

Format
display ip policy setup { local | interface interface-type interface-number }

Parameters
local: displays the setting of local policy routings.
interface: displays the setting of interface policy routings.
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The display format of the display ip policy setup local command is the same as that of the
preceding command, except that it displays the policy routing enabled on the local device rather
than the configuration of a specified route-policy.
The display ip policy setup interface command displays the configuration of the policy routing
enabled on the interface.

Examples
# Display the specific configurations of the local policy routing, enabled or disabled.

<Eudemon> display ip policy setup local


route-policy pr01 permit node 0
if-match acl 2011
apply ip-address next-hop 3.3.3.3

As shown above, the local policy routing has one node, node 0, which includes an if-match clause
and an apply clause. For the exact meanings of the if-match clause and the apply clause, refer
to the configuration guide of the command. The command matches the option map-tag.

3.11.10 display ip policy statistics

Function
Using the display ip policy statistics command, you can view the statistics of policy routings.

Format
display ip policy statistics { local | interface interface-type interface-number }

Parameters
local: displays the statistics of local policy routing packets.
interface: displays the statistics of interface policy routings.
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the matching statistics of the specified policy routing.
<Eudemon> display ip policy statistics local
local policy pr02 summary information:
Main board
Total success packet number: 0
Total failure packet number: 0

The above information shows how many times forwarding succeeded and failed for the forwarding
policy (i.e., the apply clause) of the local policy routing.

3.11.11 if-match acl (unicast)

Function
Using the if-match acl command, you can set an ACL-based match rule.
Using the undo if-match acl command, you can delete the match rule.

Format
if-match acl acl-number
undo if-match acl acl-number

Parameters
acl-number: specifies the ACL number. ACLs numbered 2000 to 2999 are basic ACLs, and ACLs
numbered 3000 to 3999 are advanced ACLs.

Views
Route-Policy view

Default Level
2: Configuration level

Usage Guidelines
By default, no ACL-based match rule is set.

Examples
# Match packets that conform to access control list 2010.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy-map1-10] if-match acl 2010

Related Topics
3.11.16 if-match packet-length

3.11.12 if-match cost

Function
Using the if-match cost command, you can configure a matching rule that is based on the route
cost.
Using the undo if-match cost command, you can cancel the matching rule setting.

Format
if-match cost value
undo if-match cost

Parameters
value: specifies the required route cost in a range of 0 to 4294967295.

Views
Route-Policy view

Default Level
2: Configuration level

Usage Guidelines
By default, the matching rule based on the routing cost is not set.

Examples
# Match the routing information whose route cost is 8.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy-map1-10] if-match cost 8

Related Topics
3.11.13 if-match interface
3.11.11 if-match acl (unicast)
3.11.15 if-match ip-prefix
3.11.14 if-match ip next-hop
3.11.20 route-policy (unicast)
3.11.1 apply cost

3.11.13 if-match interface

Function
Using the if-match interface command, you can match routes against the specified next-hop
interface.
Using the undo if-match interface command, you can cancel the configuration.

Format
if-match interface interface-type interface-number
undo if-match interface

Parameters
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.

Views
Route-Policy view

Default Level
2: Configuration level

Usage Guidelines
By default, the matching rule based on the outgoing interface is not set.
Within the same Route-policy node, multiple if-match interface clauses are in an "OR" relation
during matching. That is, as long as the routing information meets one of the matching
conditions, the apply clause is used.

Examples
# Define a rule to match the route whose outgoing interface is Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy-map1-10] if-match interface Ethernet 0/0/0

Related Topics
3.11.11 if-match acl (unicast)
3.11.15 if-match ip-prefix
3.11.14 if-match ip next-hop
3.11.20 route-policy (unicast)
3.11.1 apply cost

3.11.14 if-match ip next-hop

Function
Using the if-match ip next-hop command, you can set a matching rule that is based on the IP
information.
Using the undo if-match ip next-hop command, you can cancel the setting.

Format
if-match ip next-hop { acl acl-number | ip-prefix ip-prefix-name }
undo if-match ip next-hop [ ip-prefix ]

Parameters
acl-number: specifies the ACL for filtering. The value ranges from 2000 to 2999.
ip-prefix-name: specifies the name of the address prefix list used for filtering. The name is a
string of 1 to 19 characters.

Views
Route-Policy view

Default Level
2: Configuration level

Usage Guidelines
By default, the matching rule based on the next hop of IP information is not set.

Examples
# Define a rule that matches routing information whose next hop address complies with the IP
prefix list p1.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy-map1-10] if-match ip next-hop ip-prefix p1

Related Topics
3.11.13 if-match interface
3.11.11 if-match acl (unicast)
3.11.15 if-match ip-prefix
3.11.17 ip ip-prefix
3.11.20 route-policy (unicast)

3.11.15 if-match ip-prefix

Function
Using the if-match ip-prefix command, you can set a matching rule that is based on the IP
address prefix list.

Using the undo if-match ip-prefix command, you can remove the rule.

Format
if-match ip-prefix ip-prefix-name

undo if-match ip-prefix

Parameters
ip-prefix-name: specifies the name of the IP address prefix list. The name is a string of 1 to 169
characters. Spaces are not allowed in the string.

Views
Route-Policy view

Default Level
2: Configuration level

Usage Guidelines
By default, the matching rule based on the IP address prefix list is not set.

Examples
# Set an address prefix list p1 that is used to filter routing information.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy-map1-10] if-match ip-prefix p1

Related Topics
3.11.13 if-match interface
3.11.11 if-match acl (unicast)
3.11.12 if-match cost
3.11.20 route-policy (unicast)
3.11.17 ip ip-prefix

3.11.16 if-match packet-length

Function
Using the if-match packet-length command, you can set a matching rule that is based on packet
length.

Using the undo if-match packet-length command, you can delete the setting.

Format
if-match packet-length min-length max-length

undo if-match packet-length

Parameters
min-length: refers to minimum packet length of network layer in a range of 0 to 2147483647.

max-length: refers to maximum packet length of network layer in a range of 0 to 2147483647.

Views
Route-Policy view

Default Level
2: Configuration level

Usage Guidelines
By default, no matching rule based on packet length is set.

Examples
# Match packets whose length is in the range of 100 to 200.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy-map1-10] if-match packet-length 100 200

Related Topics
3.11.11 if-match acl (unicast)

3.11.17 ip ip-prefix

Function
Using the ip ip-prefix command, you can configure an address prefix list or an entry of the list.

Using the undo ip ip-prefix command, you can delete an address prefix list or an entry of the
list.

Format
ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } ip-address mask-length [ greater-equal greater-equal | less-equal less-equal ]*

undo ip ip-prefix ip-prefix-name [ index index-number | permit | deny ]

Parameters
ip-prefix-name: specifies the name of an address prefix list. It uniquely identifies an address
prefix list.

index-number: identifies an entry in an address prefix list. The entry with the small index-number
is deleted first.

permit: specifies the match mode of the defined address prefix list entry as permit mode. When
an IP address to be filtered is within the specified prefix range of this entry in permit mode, this
IP address passes the filtering and is not tested by the next entry. If not, the next entry test is
conducted.

deny: specifies the match mode of the defined address prefix list entry as deny mode. When an
IP address to be filtered is within the specified prefix range of this entry in deny mode, this
address cannot pass the filtering and will not be tested by the next entry. Otherwise, this address
is tested by the next entry.

ip-address: specifies the IP address prefix range, namely, the IP address. When specified as
0.0.0.0 0, it matches all IP addresses.

mask-length: specifies the IP address prefix range, namely, the mask length. When specified as
0.0.0.0 0, it matches all IP addresses.

greater-equal and less-equal: specify the address prefix range [greater-equal, less-equal] that
needs to be matched after the ip-address mask-length address prefix range is matched.
greater-equal means greater than or equal to. less-equal means less than or equal to. The values
must satisfy mask-length ≤ greater-equal ≤ less-equal ≤ 32. When only greater-equal is specified,
the prefix ranges from greater-equal to 32. When only less-equal is specified, the prefix ranges
from mask-length to less-equal.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
An address prefix list is used to filter IP addresses. It contains several entries, each of which
specifies an address prefix range. The entries are in "or" filter relation, that is, passing the
filtering of one entry results in passing the filtering of this address prefix list. If no entry is
passed, the filtering of this address prefix list is not passed.
The address prefix range consists of two parts that are determined by mask-length and
[greater-equal, less-equal] respectively. If the prefix ranges of the two parts are specified, the
IP address to be filtered must match the prefix ranges of both parts.
If ip-address mask-length is specified as 0.0.0.0 0, only the default route is matched.
If all routes need to be matched, 0.0.0.0 0 less-equal 32 needs to be configured.

Examples
# Define an address prefix list named p1 and permit only the route with the mask length of 17
or 18 on the network segment 10.0.192.0/8 to pass.
<Eudemon> system-view
[Eudemon] ip ip-prefix p1 permit 10.0.192.0 8 greater-equal 17 less-equal 18
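
The matching rules described in the Parameters and Usage Guidelines above can be checked offline before a prefix list is deployed. The following Python model is an added example, not part of the Huawei manual or the device software; it assumes that entries are tested in ascending index order and that an entry without an index receives the previous index plus 10. The list names other than p1 and all test routes are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample configuration. Only the p1 line comes from the manual.
SAMPLE_CONFIG = """\
ip ip-prefix p1 permit 10.0.192.0 8 greater-equal 17 less-equal 18
ip ip-prefix default-only index 10 permit 0.0.0.0 0
ip ip-prefix any-route index 10 permit 0.0.0.0 0 less-equal 32
ip ip-prefix p2 index 20 permit 10.0.0.0 8 less-equal 24
ip ip-prefix p2 index 10 deny 10.1.0.0 16 greater-equal 24
"""


@dataclass(frozen=True)
class PrefixEntry:
    name: str
    index: int
    permit: bool
    network: ipaddress.IPv4Network  # ip-address masked to mask-length
    low: int                        # smallest route mask length accepted
    high: int                       # largest route mask length accepted


def parse_entry(line: str, default_index: int) -> PrefixEntry:
    """Parse one 'ip ip-prefix' line using the Format given in the manual."""
    tok = line.split()
    if len(tok) < 6 or tok[:2] != ["ip", "ip-prefix"]:
        raise ValueError(f"not an ip ip-prefix line: {line!r}")
    name, pos, index = tok[2], 3, default_index
    if tok[pos] == "index":
        index, pos = int(tok[pos + 1]), pos + 2
    if len(tok) < pos + 3 or tok[pos] not in ("permit", "deny"):
        raise ValueError(f"malformed entry: {line!r}")
    address, mask_len = tok[pos + 1], int(tok[pos + 2])
    opts = tok[pos + 3:]
    if len(opts) % 2:
        raise ValueError(f"option without a value: {line!r}")
    bounds = {"greater-equal": None, "less-equal": None}
    for key, value in zip(opts[0::2], opts[1::2]):
        if key not in bounds:
            raise ValueError(f"unknown option {key!r}")
        bounds[key] = int(value)
    ge, le = bounds["greater-equal"], bounds["less-equal"]
    # Neither bound: exact mask-length. Only ge: [ge, 32]. Only le: [mask-length, le].
    low = ge if ge is not None else mask_len
    high = le if le is not None else (32 if ge is not None else mask_len)
    if not mask_len <= low <= high <= 32:
        raise ValueError("need mask-length <= greater-equal <= less-equal <= 32")
    # strict=False masks host bits, so 10.0.192.0 with mask-length 8 is 10.0.0.0/8.
    network = ipaddress.ip_network(f"{address}/{mask_len}", strict=False)
    return PrefixEntry(name, index, tok[pos] == "permit", network, low, high)


def load_prefix_list(config: str, name: str) -> List[PrefixEntry]:
    """Collect the entries of one prefix list, sorted by index."""
    entries, next_index = [], 10
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith("ip ip-prefix "):
            continue
        entry = parse_entry(line, next_index)
        if entry.name != name:
            continue
        entries.append(entry)
        next_index = entry.index + 10  # assumed step for unnumbered entries
    return sorted(entries, key=lambda e: e.index)


def evaluate(entries: List[PrefixEntry], route: str) -> Tuple[bool, Optional[int]]:
    """Return (passed, index of the deciding entry); no matching entry means not passed."""
    net = ipaddress.ip_network(route, strict=False)
    for entry in entries:
        if entry.low <= net.prefixlen <= entry.high and net.subnet_of(entry.network):
            return entry.permit, entry.index
    return False, None


if __name__ == "__main__":
    p1 = load_prefix_list(SAMPLE_CONFIG, "p1")
    for route in ("10.0.192.0/18", "10.200.0.0/17", "10.0.192.0/24", "11.0.0.0/17"):
        print(route, evaluate(p1, route))
```

Because mask-length is 8, the p1 entry accepts any /17 or /18 inside 10.0.0.0/8, including 10.200.0.0/17, not only routes under 10.0.192.0.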

3.11.18 ip local policy route-policy

Function
Using the ip local policy route-policy command, you can enable local policy routing.
Using the undo ip local policy route-policy command, you can delete the existing configuration.

Format
ip local policy route-policy policy-name
undo ip local policy route-policy policy-name

Parameters
policy-name: specifies the policy name.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, local policy routing is disabled.
If a packet received by an interface matches neither the policy routing of the interface nor a
routing entry, the local policy routing is searched. If a packet is sent out from the local device,
the local policy routing is searched directly. Unless there is a special requirement, it is
recommended that you do not configure local policy routing.

Examples
# Enable local policy routing at system view. The policy routing is specified by route-policy
map1.
<Eudemon> system-view
[Eudemon] ip local policy route-policy map1

Related Topics
3.11.20 route-policy (unicast)

3.11.19 ip policy route-policy

Function
Using the ip policy route-policy command, you can enable policy routing at an interface.
Using the undo ip policy route-policy command, you can delete the existing policy routing at
an interface.

Format
ip policy route-policy policy-name
undo ip policy route-policy policy-name

Parameters
policy-name: specifies the policy name.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, interface policy routing is disabled.

Examples
# Enable policy routing specified by route-policy map1 at the interface Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ip policy route-policy map1

Related Topics
3.11.20 route-policy (unicast)

3.11.20 route-policy (unicast)

Function
Using the route-policy command, you can create a route policy and enter route policy view.

Using the undo route-policy command, you can cancel the established route policy.

Format
route-policy policy-name { deny | permit } node node-index

undo route-policy policy-name [ deny | permit | node node-index ]

Parameters
policy-name: specifies a route-policy name. The name is used to identify a route-policy uniquely.

deny: specifies the match mode of the defined route-policy node as deny mode. When a route
matches all the if-match clauses of this node, it is refused by the filtering and is not tested
by the next node. In multicast policy routing, only the if-match acl clause takes effect.

permit: specifies the match mode of the defined route policy node as permit mode. If a route
matches all the if-match clauses, it is permitted to pass the filtering and the apply clauses
of this node are executed. If not, it is tested by the next node of this route policy. In multicast
policy routing, only the if-match acl clause takes effect.

node-index: specifies a node index in the route-policy in the range of 0 to 65535. When this route
policy is used for routing filtering, the node with the smaller node-index is tested first.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, no route policy is defined.

The policy of IP unicast policy routing is implemented by configuring route-policies. Multiple
route policies can be configured on a router. Each route policy may contain multiple route nodes.
Different route nodes in a route policy are identified by an integer sequence number. In each
route node, set the conditions that packets should match (i.e., the match rule) with the
if-match command and configure the forwarding actions to be performed on packets that meet the
match conditions with the apply command.

The if-match clauses of a route node are in "and" filter relation. Only the if-match acl clause is
effective in the application of multicast policy routing. The route policy nodes are in "or" filter
relation. That is, once a packet is forwarded by one policy node, all the following nodes are
ignored. If the packet matches none of the nodes, or matches a node in deny mode, the packet is
forwarded or rejected according to the normal method of searching the route table.

When unicast policy routing is configured on an interface of a router, all unicast packets entering
the router on the interface will be filtered. The policy nodes of the route policy specified by the
policy routing are tested in ascending order of node number.

NOTE

You can set up to 1000 route policies and 20 nodes for each Route-Policy.

Examples
# Configure a route policy named map1, whose node number is 10 and whose match mode is
permit, and enter route-policy view.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy-map1-10]
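
The node evaluation order described in the Usage Guidelines above decides which packets are steered away from the normal route table lookup, so it is worth modelling when reviewing a policy. The following Python sketch is an added example, not part of the Huawei manual or the device software. It assumes that a basic ACL can be modelled as a list of permitted source networks, that an undefined ACL matches nothing, and that a node without if-match clauses matches every packet; the ACL contents, the policy text and the test packets are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for basic ACLs: ACL number -> permitted source networks.
SAMPLE_ACLS: Dict[int, List[str]] = {
    2011: ["192.168.10.0/24"],
    2012: ["192.168.10.66/32"],
}

# Constructed route policy, deliberately listed out of node order.
SAMPLE_POLICY = """\
route-policy map1 permit node 10
 if-match acl 2011
 if-match packet-length 100 200
 apply ip-address next-hop 3.3.3.3
route-policy map1 deny node 5
 if-match acl 2012
route-policy map1 permit node 20
 if-match packet-length 0 99
 apply output-interface Ethernet 0/0/0
"""


@dataclass
class Node:
    index: int
    permit: bool
    acl: Optional[int] = None                  # if-match acl acl-number
    length: Optional[Tuple[int, int]] = None   # if-match packet-length min max
    actions: List[str] = field(default_factory=list)


def parse_policy(text: str, name: str) -> List[Node]:
    """Parse the nodes of one route policy and sort them by node-index."""
    nodes: List[Node] = []
    current: Optional[Node] = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "route-policy":
            # route-policy policy-name { deny | permit } node node-index
            if len(tok) != 5 or tok[2] not in ("permit", "deny") or tok[3] != "node":
                raise ValueError(f"malformed node line: {raw!r}")
            current = None
            if tok[1] == name:
                current = Node(int(tok[4]), tok[2] == "permit")
                nodes.append(current)
        elif current is None:
            continue  # clause belongs to a different policy
        elif tok[:2] == ["if-match", "acl"]:
            current.acl = int(tok[2])
        elif tok[:2] == ["if-match", "packet-length"]:
            current.length = (int(tok[2]), int(tok[3]))
        elif tok[0] == "apply":
            current.actions.append(" ".join(tok[1:]))
        else:
            raise ValueError(f"clause not modelled here: {raw!r}")
    return sorted(nodes, key=lambda n: n.index)


def node_matches(node: Node, src: str, length: int, acls: Dict[int, List[str]]) -> bool:
    """All if-match clauses of a node must match ("and" relation)."""
    checks = []
    if node.acl is not None:
        addr = ipaddress.ip_address(src)
        checks.append(any(addr in ipaddress.ip_network(n) for n in acls.get(node.acl, [])))
    if node.length is not None:
        checks.append(node.length[0] <= length <= node.length[1])
    return all(checks)  # assumption: no if-match clause means every packet matches


def evaluate(nodes: List[Node], src: str, length: int,
             acls: Dict[int, List[str]]) -> Tuple[str, Optional[int], List[str]]:
    """Return (decision, deciding node-index, apply clauses) for one packet."""
    for node in nodes:  # ascending node-index; the first matching node decides
        if node_matches(node, src, length, acls):
            if node.permit:
                return "policy", node.index, node.actions
            return "normal", node.index, []  # deny node: normal route lookup
    return "normal", None, []                # no node matched: normal route lookup


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY, "map1")
    for src, length in (("192.168.10.5", 150), ("192.168.10.66", 150),
                        ("192.168.10.5", 60), ("10.9.9.9", 1500)):
        print(src, length, evaluate(policy, src, length, SAMPLE_ACLS))
```

In this constructed policy the deny node 5 is tested before node 10, so host 192.168.10.66 stays on the normal route lookup even though ACL 2011 also covers it.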

Related Topics
3.11.5 apply ip-address next-hop (unicast)
3.11.7 apply output-interface

3.12 IP Multicast Policy Routing Configuration Commands


3.12.1 apply ip-address next-hop (multicast)
3.12.2 debugging ip multicast-policy
3.12.3 display ip multicast-policy
3.12.4 if-match acl (multicast)
3.12.5 ip multicast-policy route-policy
3.12.6 route-policy (multicast)

3.12.1 apply ip-address next-hop (multicast)

Function
Using the apply ip-address next-hop command, you can set the next hop IP address list in a
policy node.
Using the undo apply ip-address next-hop command, you can remove the configuration.

Format
apply ip-address [ default ] next-hop { acl acl-number | ip-address [ ip-address ] }
undo apply ip-address next-hop [ acl acl-number | ip-address [ ip-address ] ]

Parameters
acl-number: specifies the number of basic ACL in a range of 2000 to 2999.
ip-address: specifies the next hop address. Multiple next hop addresses can be specified.

Views
Route-Policy view

Default Level
2: Configuration level

Usage Guidelines
By default, no apply clause is defined.
This command specifies the next hop IP address for packets that match the if-match acl
command. It specifies the next hop IP address list for multicast policy routing through the ACL.
This command works in parallel with the apply output-interface command. If both
apply clauses are configured, in multicast policy routing, the packets will be replicated and
forwarded to all the interfaces and next hops specified by the ACLs respectively. This differs
from unicast policy routing, in which only one apply clause takes effect.
The specified ACL for the next hop IP address is the basic ACL.

Examples
# Configure the next hop IP address 1.1.1.1 for a policy node.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy-map1-10] apply ip-address next-hop 1.1.1.1

Related Topics
3.12.4 if-match acl (multicast)
3.11.7 apply output-interface
3.12.3 display ip multicast-policy

3.12.2 debugging ip multicast-policy

Function
Using the debugging ip multicast-policy command, you can enable the debugging of IP
multicast policy routing.
Using the undo debugging ip multicast-policy command, you can disable the debugging of IP
multicast policy routing.

Format
debugging ip multicast-policy [ acl acl-number ]
undo debugging ip multicast-policy

Parameters
acl acl-number: sets an interface-based ACL in a range of 1000 to 1999.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
The contents of the debugging information contain the route-node that the packets match and
the next hop or output interface to which the packets are forwarded.
Note that running debugging may affect system performance. It is recommended that you
disable debugging during normal system operation.

Examples
# Enable the debugging of IP multicast policy routing.
<Eudemon> debugging ip multicast-policy

Related Topics
3.12.6 route-policy (multicast)

3.12.3 display ip multicast-policy

Function
Using the display ip multicast-policy command, you can view the configured multicast policy
routing.

Format
display ip multicast-policy [ [ setup | statistic ] interface interface-type interface-number ]

Parameters
interface-type interface-number: specifies the type and number of an interface.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the multicast policy routing configured on interface Ethernet 1/0/0.
<Eudemon> display ip multicast-policy setup interface Ethernet 1/0/0
route-policy pr permit 1
if-match acl 2001

# Display the statistics about the multicast policy routing configured on interface Ethernet
1/0/0.
<Eudemon> display ip multicast-policy statistic interface Ethernet 1/0/0
Interface Ethernet 1/0/0 multicast policy routing information:
Route-policy: pr
permit 1
matched: 0
denied: 0
forwarded: 0
Total matched: 0 denied: 0 forwarded: 0

3.12.4 if-match acl (multicast)

Function
Using the if-match acl command, you can set conditions that multicast packets should match
in each policy node.

Using the undo if-match acl command, you can remove the match conditions set.

Format
if-match { acl acl-number | ip-prefix ip-prefix-name }

undo if-match { acl | ip-prefix }

Parameters
acl-number: specifies the number of a basic or advanced ACL in a range of 2000 to 3999.

ip-prefix-name: specifies the name of an address prefix list used for filtering.

Views
Route-Policy view

Default Level
2: Configuration level

Usage Guidelines
By default, no if-match clause is defined.

If a packet meets the if-match conditions specified in a policy node, the actions specified by the
node are performed. If a packet does not meet the if-match conditions specified in a policy
node, the next node is tested. If a packet does not meet the conditions of any policy node,
the packet returns to the normal forwarding flow. The configuration and use of this command
are the same as those of the same command in the unicast policy routing.

Examples
# Set conditions that multicast packets should match in the policy node, with ACL being 2010.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy-map1-10] if-match acl 2010

3.12.5 ip multicast-policy route-policy

Function
Using the ip multicast-policy route-policy command, you can enable multicast policy routing
on an interface.

Using the undo ip multicast-policy route-policy command, you can remove a multicast policy
route applied on the interface.

Format
ip multicast-policy route-policy policy-name

undo ip multicast-policy route-policy policy-name

Parameters
policy-name: specifies the name of the route policy, which uniquely identifies a route policy.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the received multicast packets are not filtered.
This command enables the multicast policy routing defined by the route policy named
policy-name on an interface.
When multicast policy routing is configured on an interface of a router, all multicast packets
entering the router on the interface will be filtered.
The policy nodes of the route policy specified by the policy routing are tested in ascending
order of node number. If a packet meets the if-match conditions specified in a policy node, the
actions specified by the node are performed. If a packet does not meet the if-match conditions
specified in a policy node, the next node is tested. If a packet does not meet the conditions of
any policy node, the packet returns to the normal forwarding flow.

Examples
# Enable the multicast policy routing defined by the route policy named map1 on the interface
Ethernet 1/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 1/0/0
[Eudemon-Ethernet1/0/0] ip multicast-policy route-policy map1

Related Topics
3.12.6 route-policy (multicast)

3.12.6 route-policy (multicast)

Function
Using the route-policy command, you can create a route policy and enter route policy view.
Using the undo route-policy command, you can cancel the established route policy.

Format
route-policy policy-name { deny | permit } node node-index
undo route-policy policy-name [ deny | permit ] [ node node-index ]

Parameters
policy-name: specifies a route-policy name. The name is used to identify a route-policy uniquely.
deny: specifies the match mode of the defined route-policy node as deny mode. When a route
matches all the if-match clauses of this node, it is refused by the filtering and is not tested
by the next node. In multicast policy routing, only the if-match acl clause takes effect.
permit: specifies the match mode of the defined route policy node as permit mode. If a route
matches all the if-match clauses, it is permitted to pass the filtering and the apply clauses
of this node are executed. If not, it is tested by the next node of this route policy. In multicast
policy routing, only the if-match acl clause takes effect.

node-index: specifies a node index in the route-policy in the range of 0 to 65535. When this route
policy is used for routing filtering, the node with the smaller node-index is tested first.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, no route policy is defined.
The policy of IP multicast policy routing is implemented by configuring route-policies. Multiple
route policies can be configured on a router. Each route policy may contain multiple
route nodes. Different route nodes in a route policy are identified by an integer sequence number.
In each route node, set the conditions that packets should match (i.e., the match rule) with the
if-match command and configure the forwarding actions to be performed on packets that meet
the match conditions with the apply command.
The if-match clauses of a route node are in "and" filter relation. Only the if-match acl clause
is effective in the application of multicast policy routing. The route policy nodes are in "or" filter
relation. That is, once a packet is forwarded by one policy node, all the following nodes are
ignored. If the packet matches none of the nodes, or matches a node in deny mode, the packet is
forwarded or rejected according to the normal method of searching the route table.
When multicast policy routing is configured on an interface of a router, all multicast
packets entering the router on the interface will be filtered. The policy nodes of the route policy
specified by the policy routing are tested in ascending order of node number.

NOTE

You can set up to 1000 route policies and 20 nodes for each Route-Policy.

Examples
# Configure a route policy named as map1, whose node number is 10 and the match mode is
permit, and enter Route-Policy view.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy-map1-10]

Related Topics
3.11.7 apply output-interface
3.12.1 apply ip-address next-hop (multicast)
3.12.3 display ip multicast-policy

3.13 Common IP Multicast Configuration Commands

3.13.1 display ip routing-table protocol multicast-static


3.13.2 display multicast forwarding-table
3.13.3 display multicast routing-table
3.13.4 display multicast rpf-info
3.13.5 ip rpf-longest-match
3.13.6 ip rpf-route-static
3.13.7 mtracert
3.13.8 multicast minimum-ttl
3.13.9 multicast packet-boundary
3.13.10 multicast route-limit
3.13.11 multicast routing-enable
3.13.12 reset multicast forwarding-table
3.13.13 reset multicast routing-table

3.13.1 display ip routing-table protocol multicast-static

Function
Using the display ip routing-table protocol multicast-static command, you can view the
multicast static routing.

Format
display ip routing-table protocol multicast-static [ destination-address { destination-mask |
destination-mask-length } ] [ config ]

Parameters
destination-address: refers to multicast destination IP address.

destination-mask: refers to mask of the multicast destination IP address.

destination-mask-length: specifies the mask length of the destination address.

config: refers to static multicast route configuration.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If the config option is not specified, all the multicast static routes that are currently active
are displayed. If the config option is specified, all the configured multicast static routes are
displayed, including both active and inactive routes.

Examples
# Display all the configured multicast static routing.
<Eudemon> display ip routing-table protocol multicast-static config
Routing Table: public net
Multicast RPF route 17.0.0.0/24, interface Serial2
Matched routing protocol = ospf , preference = 1, route-policy = <none>

# Display the multicast static route that exactly matches the multicast address 17.0.0.0.
<Eudemon> display ip routing-table protocol multicast-static 17.0.0.0 255.255.255.0
17.0.0.0/24
RPF interface = 6.1.1.1(Serial2), RPF neighbor = 6.1.1.1
Matched routing protocol = ospf , route-policy = <none> , preference = 1
Running config = ip rpf-route-static 17.0.0.0 24 ospf Serial2 preference 1

3.13.2 display multicast forwarding-table

Function
Using the display multicast forwarding-table command, you can view multicast forwarding
table about the public network instance.

Format
display multicast forwarding-table [ group-address [ mask { group-mask | group-mask-length } ]
| source-address [ mask { source-mask | source-mask-length } ] |
incoming-interface { interface-type interface-number | register } ] *

Parameters
group-address: refers to multicast group address, used to specify a multicast group, in a range
of 224.0.0.0 to 239.255.255.255.
group-mask and source-mask: specifies the address mask.
group-mask-length and source-mask-length: specifies the mask length. Because the "1"s in a 32-bit
mask must be contiguous, the mask in dotted decimal notation can be replaced by the mask length
(the number of contiguous "1"s in the mask).
source-address: refers to unicast IP address of the multicast source.
incoming-interface: refers to incoming interface of the multicast forwarding entry.
register: refers to register interface of PIM-SM.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The source-address and group-address of the multicast forwarding table are displayed in dotted
decimal notation, and the incoming and outgoing ports are displayed by interface name.
This information can be viewed through the 3.15.6 display pim interface command.

Examples
# Display the multicast forwarding table of all the instances.
<Eudemon> display multicast forwarding-table
Multicast Forwarding Cache Table of VPN-Instance: public net
Total 1 entry
00001. (10.10.1.2, 225.1.1.1), iif Ethernet1/2/0, 1 oifs
List of outgoing interface:
01: Register
Matched 153923 pkts(152075924 bytes), Wrong If 0 pkts
Forwarded 153923 pkts(152075924 bytes)
Total 1 entry Listed
Multicast Forwarding Cache Table of VPN-Instance: red
Total 1 entry
00001. (2.2.1.2, 225.1.1.1), iif Mcast_In_IF, 1 oifs
List of outgoing interface:
01: Register
Matched 30 pkts(1080 bytes), Wrong If 0 pkts
Forwarded 30 pkts(1080 bytes)
Total 1 entry Listed

Related Topics
3.13.3 display multicast routing-table
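
The following added example (not part of the Huawei manual) parses display multicast forwarding-table output and reports entries whose Wrong If counter is non-zero, read here as packets that arrived on an interface other than the entry's incoming interface. The sample text is the output above with one counter changed, and the class and function names are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the manual's example output, with the "Wrong If" counter
# of the second entry changed from 0 to 12 so the check has something to flag.
SAMPLE = """\
Multicast Forwarding Cache Table of VPN-Instance: public net
Total 1 entry
00001. (10.10.1.2, 225.1.1.1), iif Ethernet1/2/0, 1 oifs
List of outgoing interface:
01: Register
Matched 153923 pkts(152075924 bytes), Wrong If 0 pkts
Forwarded 153923 pkts(152075924 bytes)
Total 1 entry Listed
Multicast Forwarding Cache Table of VPN-Instance: red
Total 1 entry
00001. (2.2.1.2, 225.1.1.1), iif Mcast_In_IF, 1 oifs
List of outgoing interface:
01: Register
Matched 30 pkts(1080 bytes), Wrong If 12 pkts
Forwarded 30 pkts(1080 bytes)
Total 1 entry Listed
"""

# Group range given in the parameter description: 224.0.0.0 to 239.255.255.255.
MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")

INSTANCE_RE = re.compile(r"Multicast Forwarding Cache Table of VPN-Instance:\s*(.+)")
ENTRY_RE = re.compile(
    r"\d+\.\s*\(([\d.]+),\s*([\d.]+)\),\s*iif\s+([^,\s]+),\s*(\d+)\s+oifs")
OIF_RE = re.compile(r"\d+:\s*(\S+)")
MATCHED_RE = re.compile(
    r"Matched\s+(\d+)\s+pkts\(\d+\s+bytes\),\s*Wrong If\s+(\d+)\s+pkts")
FORWARDED_RE = re.compile(r"Forwarded\s+(\d+)\s+pkts")


@dataclass
class MfcEntry:  # hypothetical name: one (S, G) forwarding entry
    instance: str
    source: str
    group: str
    iif: str
    oifs: list = field(default_factory=list)
    matched: int = 0
    wrong_if: int = 0
    forwarded: int = 0


def parse_forwarding_table(text):
    """Turn the command output into a list of MfcEntry objects."""
    entries, instance, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := INSTANCE_RE.match(line):
            instance = m.group(1).strip()
        elif m := ENTRY_RE.match(line):
            current = MfcEntry(instance, m.group(1), m.group(2), m.group(3))
            entries.append(current)
        elif current is None:
            continue  # counters and oifs only make sense inside an entry
        elif m := MATCHED_RE.match(line):
            current.matched, current.wrong_if = int(m.group(1)), int(m.group(2))
        elif m := FORWARDED_RE.match(line):
            current.forwarded = int(m.group(1))
        elif m := OIF_RE.match(line):
            current.oifs.append(m.group(1))
    return entries


def rpf_findings(entries, wrong_if_threshold=0):
    """Return (instance, source, group, iif, reason) tuples worth investigating."""
    findings = []
    for e in entries:
        if ipaddress.ip_address(e.group) not in MULTICAST_RANGE:
            findings.append((e.instance, e.source, e.group, e.iif,
                             "group outside 224.0.0.0/4"))
        if e.wrong_if > wrong_if_threshold:
            findings.append((e.instance, e.source, e.group, e.iif,
                             f"{e.wrong_if} pkts on wrong interface"))
    return findings


if __name__ == "__main__":
    for finding in rpf_findings(parse_forwarding_table(SAMPLE)):
        print(finding)
```

A steadily growing Wrong If counter for one (S, G) is worth correlating with display multicast rpf-info for that source before changing any RPF configuration.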

3.13.3 display multicast routing-table

Function
Using the display multicast routing-table command, you can view IP multicast routing table
about public network instance.

Format
display multicast routing-table [ group-address [ mask { group-mask | group-mask-length } ]
| source-address [ mask { source-mask | source-mask-length } ] | incoming-interface
{ interface-type interface-number | register } ] *

Parameters
group-address: refers to multicast group address, used to specify a multicast group and display
the corresponding routing table of the group. The value ranges from 224.0.0.0 to
239.255.255.255.
source-address: refers to unicast IP address of the multicast source.
group-mask and source-mask: specifies the address mask.

group-mask-length and source-mask-length: specifies the mask length. Because the "1"s in a 32-bit
mask must be contiguous, the mask in dotted decimal notation can be replaced by the mask length
(the number of contiguous "1"s in the mask).
incoming-interface: refers to incoming interface of the multicast route entry.
register: refers to register interface of PIM-SM.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
This command displays the multicast routing table, while the display multicast forwarding-table
command displays the multicast forwarding table of the public network instance.
The entry (S, G) in the multicast routing table, namely (multicast source, multicast group), acts
as an independent entry in the table. Each entry has a unique Upstream, indicating the interface
at which multicast data arrives. Each entry also has a Downstream List, indicating which
interfaces need multicast forwarding. Proto, the related information about (S, G), is the number,
in hexadecimal notation, of the multicast protocol that owns the (S, G) entry.

Examples
# Display the route entries of multicast groups in the multicast routing table of the
public network instance.
<Eudemon> display multicast routing-table
Multicast Routing Table
Total 1 entry
(10.10.1.2, 225.1.1.1)
UpTime: 00:01:28, Timeout in 278 sec
Upstream interface: Ethernet1/0/0(10.10.1.20)
Downstream interface list:
LoopBack0(20.20.20.30), Protocol 0x1: IGMP

Related Topics
3.13.2 display multicast forwarding-table

3.13.4 display multicast rpf-info

Function
Using the display multicast rpf-info command, you can view the Reverse Path Forwarding
(RPF) routing about specified multicast source of public network instance.

Format
display multicast rpf-info source-address

Parameters
source-address: specifies the IP address of the multicast source.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display all the RPF routing about multicast source 192.193.194.192 in the public network.
<Eudemon> display multicast rpf-info 192.193.194.192
Multicast source's RPF route information about 192.193.194.192
RPF interface: InLoopBack0, RPF neighbor: 127.0.0.1
Referenced route/mask: 192.193.194.192/32
Referenced route type: unicast (DIRECT)
RPF-route selecting rule: preference-preferred

3.13.5 ip rpf-longest-match

Function
Using the ip rpf-longest-match command, you can set the multicast RPF routing policy of the
public instance as the longest matching rule.

Using the undo ip rpf-longest-match command, you can restore the default setting.

Format
ip rpf-longest-match

undo ip rpf-longest-match

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, routing is performed according to the priority.

Examples
# Set the multicast RPF routing policy of the public instance as the longest matching rule.
<Eudemon> system-view
[Eudemon] ip rpf-longest-match
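
As an added illustration (not from the manual), the sketch below models how the RPF route chosen for a source can differ between the default rule, shown as preference-preferred in the display multicast rpf-info output, and ip rpf-longest-match. The 17.0.0.0/24 entry mirrors the static multicast route shown earlier on this page; the second route, the tie-breaking order and the rule that a lower preference value wins are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:  # hypothetical model of one RPF candidate route
    prefix: ipaddress.IPv4Network
    preference: int
    rpf_interface: str
    origin: str


def route(prefix, preference, rpf_interface, origin):
    return Route(ipaddress.ip_network(prefix), preference, rpf_interface, origin)


CANDIDATES = [
    # From the page: ip rpf-route-static 17.0.0.0 24 ospf Serial2 preference 1
    route("17.0.0.0/24", 1, "Serial2", "multicast-static"),
    # Constructed: a more specific unicast route towards the same sources.
    route("17.0.0.128/25", 10, "Ethernet1/0/0", "unicast"),
]


def select_rpf_route(source, routes, longest_match=False):
    """Pick the RPF route for a multicast source.

    longest_match=False models the default rule (preference first),
    longest_match=True models ip rpf-longest-match (mask length first).
    Assumption: a lower preference value is preferred, and the other
    criterion breaks ties.
    """
    src = ipaddress.ip_address(source)
    covering = [r for r in routes if src in r.prefix]
    if not covering:
        return None
    if longest_match:
        return min(covering, key=lambda r: (-r.prefix.prefixlen, r.preference))
    return min(covering, key=lambda r: (r.preference, -r.prefix.prefixlen))


def rpf_check(source, arriving_interface, routes, longest_match=False):
    """A packet passes only if it arrives on the selected RPF interface."""
    chosen = select_rpf_route(source, routes, longest_match)
    return chosen is not None and chosen.rpf_interface == arriving_interface


if __name__ == "__main__":
    for rule in (False, True):
        chosen = select_rpf_route("17.0.0.200", CANDIDATES, longest_match=rule)
        label = "longest-match" if rule else "preference-preferred"
        print(label, "->", chosen.rpf_interface, chosen.prefix)
```

Switching the rule changes which interface is trusted for a source, so traffic that passed the check before the change may be dropped afterwards, and the reverse.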

3.13.6 ip rpf-route-static

Function
Using the ip rpf-route-static command, you can configure the multicast static routing.

Using the undo ip rpf-route-static command, you can delete the multicast static routing from
the multicast static routing table.

Format
ip rpf-route-static source-address { source-mask | source-mask-length } [ protocol ]
[ route-policy policy-name ] { rpf-nbr-ipaddress | interface-type interface-number }
[ order order-number ] [ preference preference ]

undo ip rpf-route-static source-address { source-mask | source-mask-length } [ protocol ]
[ route-policy policy-name ]

Parameters
source-address: specifies the multicast source IP address, namely, the unicast address.

source-mask: specifies the multicast source IP address mask.

source-mask-length: specifies the mask length of the multicast source IP address.

protocol: indicates that the matched route must appear in the specified unicast routing protocol
such as OSPF, RIP, and static.

route-policy: indicates the matching rule of the static multicast routing.

rpf-nbr-ipaddress: specifies the address or route of a neighboring node for reverse path
forwarding. The address is in the format of an IP address.

interface-type interface-number: specifies the name and number of an interface.

order-number: changes the configuration location of the routes at the same network segment. It
ranges from 1 to 100.

preference: specifies the route priority in a range of 1 to 255. The default value is 1.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Configure and view the multicast static routing.
<Eudemon> system-view
[Eudemon] ip rpf-route-static 1.0.0.0 255.0.0.0 rip route-policy map1 11.0.0.1
[Eudemon] display ip routing-table protocol multicast-static config

Related Topics
3.13.1 display ip routing-table protocol multicast-static

3.13.7 mtracert

Function
Using the mtracert command, you can trace the network path from the multicast source to the
destination receiver along Multicast Distribution Tree in public network instance, according to
either the multicast kernel routing table or RPF rule to the source. This command can help to
locate the faults, such as information loss and configuration error.

Format
mtracert { source-address } [ last-hop-address ] [ group-address ]

Parameters
source-address: refers to address of the multicast source.
last-hop-address: refers to unicast address, which is the starting address of path tracing. This
address must be an interface address of a hop router. By default, it is a physical interface address
of the local router.
group-address: refers to address of multicast group. By default, the value is 0.0.0.0.

Views
All views

Default Level
2: Configuration level

Usage Guidelines
If only the multicast source address is specified, the last hop address is a physical interface
address of the current router and the group address is 0.0.0.0 by default. Trace reversely from
this router to the first router connecting to the multicast source hop by hop according to the RPF
rule.
If the multicast source address and the last hop address are specified, the group address is 0.0.0.0
by default. Trace reversely from the last hop router to the first router connecting to the multicast
source hop by hop according to the RPF rule.
If the multicast source address and the group address are specified, the last hop address is a
physical interface address of the current router by default. Trace reversely from this router to
the first router connecting to the multicast source hop by hop according to the corresponding (S,
G) entry in the multicast kernel routing table of each router.
If the multicast source address, destination address, and group address are specified, trace
reversely from the last hop router to the first router connecting to the multicast source hop by
hop according to the corresponding (S, G) entry in the multicast kernel routing table of each
router.
The trace mode to the group address of 0.0.0.0 is called weak trace mode.

Examples
# Trace the path reversely in the public network instance from the local hop router 18.110.0.1
to the multicast source 10.10.1.2 in weak trace mode.
<Eudemon> mtracert 10.10.1.2
Type Ctrl+C to abort
Mtrace from 10.10.1.2 to 18.110.0.1 via RPF
Querying full reverse path...
-1 18.110.0.1
Incoming Interface Address: 18.110.0.1
Previous-Hop Router Address: 18.110.0.2
Input packet count on incoming interface: 0
Output packet count on outgoing interface: 0
Total number of packets for this source-group pair: 0
Protocol: PIM
Forwarding TTL: 0
Forwarding Code: No error
-2 18.110.0.2
Incoming Interface Address: 11.110.0.2
Previous-Hop Router Address: 11.110.0.4
Input packet count on incoming interface: 0
Output packet count on outgoing interface: 0
Total number of packets for this source-group pair: 0
Protocol: PIM
Forwarding TTL: 0
Forwarding Code: No error
-3 11.110.0.4
Incoming Interface Address: 10.10.1.3
Previous-Hop Router Address: 0.0.0.0
Input packet count on incoming interface: 0
Output packet count on outgoing interface: 0
Total number of packets for this source-group pair: 0
Protocol: PIM
Forwarding TTL: 0
Forwarding Code: No error

# Trace reversely the path of multicast group 225.1.1.1 in the public network instance from the
multicast source 10.10.1.3 to the destination address 12.110.0.2.
<Eudemon> mtracert 10.10.1.3 12.110.0.2 225.1.1.1
Type Ctrl+C to abort
Mtrace from 10.10.1.3 to 12.110.0.2 via group 225.1.1.1
Querying full reverse path...
-1 12.110.0.2
Incoming Interface Address: 11.110.0.2
Previous-Hop Router Address: 11.110.0.4
Input packet count on incoming interface: 316
Output packet count on outgoing interface: 135
Total number of packets for this source-group pair: 4
Protocol: PIM
Forwarding TTL: 0
Forwarding Code: No error
-2 11.110.0.4
Incoming Interface Address: 127.0.0.5
Previous-Hop Router Address: 0.0.0.0
Input packet count on incoming interface: 0
Output packet count on outgoing interface: 0
Total number of packets for this source-group pair: 4
Protocol: Unknown
Forwarding TTL: 0
Forwarding Code: No error

3.13.8 multicast minimum-ttl

Function
Using the multicast minimum-ttl command, you can set the minimum TTL value for multicast
forwarding.
Using the undo multicast minimum-ttl command, you can remove the minimum TTL value.

Format
multicast minimum-ttl ttl-value
undo multicast minimum-ttl

Parameters
ttl-value: refers to minimum TTL value in a range of 0 to 255.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, no minimum TTL value for multicast forwarding is set.

Examples
# Set the minimum TTL value for multicast forwarding to 8.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/1
[Eudemon-Ethernet0/0/1] multicast minimum-ttl 8

3.13.9 multicast packet-boundary

Function
Using the multicast packet-boundary command, you can configure a multicast forwarding
boundary.
Using the undo multicast packet-boundary command, you can remove the configuration.

Format
multicast packet-boundary acl-number
undo multicast packet-boundary

Parameters
acl-number: refers to number of basic or advanced ACL in a range of 2000 to 3999.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, no multicast forwarding boundary is configured.
You can set boundary conditions for multicast packets on an interface through basic or advanced
Access Control List (ACL). Packets denied by the ACL will be discarded. The source address
of a multicast packet can be filtered through the basic ACL. Both the source address and the
destination address (source group address) of a multicast packet can be filtered through the
advanced ACL.

Examples
# Set boundary conditions for multicast packets through the basic ACL 2100.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/1
[Eudemon-Ethernet0/0/1] multicast packet-boundary 2100

3.13.10 multicast route-limit

Function
Using the multicast route-limit command, you can limit the multicast routing table capacity of
public network instance. If the capacity exceeds the limit, the router will discard protocol packets
and data packets of the newly-added (S, G).

Format
multicast route-limit limit-value

Parameters
limit-value: refers to the limit of multicast routing table capacity in a range of 0 to 512.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the limit of multicast routing table capacity is 512.
If the routing table already holds more route entries than the configured limit when the
command is configured, the existing route entries in the routing table will not be deleted. The
system will prompt "The number of current route entries exceeds the configuration count."
If this command is executed repeatedly in the public network instance with the same name, the
new configuration will overwrite the previous one.

Examples
# Limit the multicast routing table capacity in the public network to 500.
<Eudemon> system-view
[Eudemon] multicast route-limit 500

3.13.11 multicast routing-enable

Function
Using the multicast routing-enable command, you can enable IP multicast routing.
Using the undo multicast routing-enable command, you can disable IP multicast routing.

Format
multicast routing-enable
undo multicast routing-enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, IP multicast routing is disabled.

Multicast should be enabled in a public network instance before all the multicast commands in
the instance are configured. The system will not forward any multicast packet when IP multicast
routing is disabled.

Examples
# Enable IP multicast routing in the public network.
<Eudemon> system-view
[Eudemon] multicast routing-enable

Related Topics
3.15.13 pim dm
3.15.16 pim sm

3.13.12 reset multicast forwarding-table

Function
Using the reset multicast forwarding-table command, you can clear MFC forwarding entries
or the statistics of MFC forwarding entries in public network instance.

Format
reset multicast forwarding-table [ statistics ] { all | { group-address [ mask { group-mask |
group-mask-length } ] | source-address [ mask { source-mask | source-mask-length } ] |
{ incoming-interface interface-type interface-number } } * }

Parameters
statistics: If this parameter is used, the statistics of MFC forwarding entries will be cleared.
Otherwise, the MFC forwarding entries will be cleared.

all: refers to all the MFC forwarding entries.

group-address: refers to the address of the specified group.

group-mask: refers to the address mask of the specified group.

group-mask-length: refers to the address mask length of the specified group.

source-address: refers to the address of the specified source.

source-mask: refers to the address mask of the specified source.

source-mask-length: refers to the address mask length of the specified source.

incoming-interface: refers to the incoming interface of the specified forwarding entry.

interface-type interface-number: refers to the type and number of an interface.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
The sequence of group-address and source-address can be reversed, but the input group-address
and source-address must be valid. Otherwise, the system reports an input error.

Examples
# Clear the forwarding entry whose group address is 225.5.4.3 from the MFC forwarding table
in the public network.
<Eudemon> reset multicast forwarding-table 225.5.4.3

# Clear the statistics of the forwarding entry whose group address is 225.5.4.3 from MFC
forwarding table in the public network.
<Eudemon> reset multicast forwarding-table statistics 225.5.4.3

Related Topics
3.15.20 reset pim routing-table
3.13.13 reset multicast routing-table
3.13.2 display multicast forwarding-table

3.13.13 reset multicast routing-table

Function
Using the reset multicast routing-table command, you can clear the route entries in the
multicast routing table of public network instance and remove the forwarding entries in MFC.

Format
reset multicast routing-table { all | { group-address [ mask { group-mask | group-mask-length } ]
| source-address [ mask { source-mask | source-mask-length } ] |
{ incoming-interface interface-type interface-number } } * }

Parameters
all: refers to all the route entries in multicast kernel routing table.
group-address: refers to the address of the specified group.
group-mask: refers to the address mask of the specified group.
group-mask-length: refers to the address mask length of the specified group.
source-address: refers to the address of the specified source.

source-mask: refers to the address mask of the specified source.
source-mask-length: refers to the address mask length of multicast source.
incoming-interface: refers to the incoming interface of the specified route entry.
interface-type interface-number: refers to the type and number of an interface.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
The sequence of group-address and source-address can be reversed, but the input group-address
and source-address must be valid. Otherwise, the system reports an input error.

Examples
# Clear the route entry whose group address is 225.5.4.3 from the multicast routing table in the
public network.
<Eudemon> reset multicast routing-table 225.5.4.3

Related Topics
3.15.20 reset pim routing-table
3.13.12 reset multicast forwarding-table
3.13.2 display multicast forwarding-table

3.14 IGMP Configuration Commands


3.14.1 debugging igmp
3.14.2 display igmp group
3.14.3 display igmp interface
3.14.4 display igmp local
3.14.5 igmp enable
3.14.6 igmp group-limit
3.14.7 igmp group-policy
3.14.8 igmp host-join
3.14.9 igmp lastmember-queryinterval
3.14.10 igmp max-response-time
3.14.11 igmp proxy
3.14.12 igmp robust-count
3.14.13 igmp timer other-querier-present
3.14.14 igmp timer query
3.14.15 igmp version
3.14.16 reset igmp group

3.14.1 debugging igmp

Function
Using the debugging igmp command, you can enable IGMP debugging of public network
instance.
Using the undo debugging igmp command, you can disable the debugging.

Format
debugging igmp { all | event | host | packet | timer }
undo debugging igmp { all | event | host | packet | timer }

Parameters
all: refers to all the debugging of IGMP.
event: refers to the debugging of IGMP events.
host: refers to the debugging of IGMP hosts.
packet: refers to the debugging of IGMP packets.
timer: refers to the debugging of IGMP timers.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
By default, IGMP debugging is disabled.
If the debugging of all instances is enabled, the debugging of newly-added instance will be
automatically enabled.

Examples
# Enable all IGMP debugging of the public network instance.
<Eudemon> debugging igmp all

3.14.2 display igmp group

Function
Using the display igmp group command, you can view the member of the IGMP multicast
group of public network instance.

Format
display igmp group [ group-address | interface interface-type interface-number | local ]

Parameters
group-address: refers to the multicast group address.
interface-type interface-number: refers to the type and number of an interface on the
Eudemon, used to specify the interface.
local: displays the local interface of IGMP.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
You can view a specified group, the member information of the multicast groups on an interface,
or the local interface of IGMP. The information displayed includes the multicast groups joined
through IGMP by the downstream host and those joined statically through command lines.

Examples
# Display the member of the directly connected sub-network in the public network instance.
<Eudemon> display igmp group
Total 3 IGMP groups reported on this router
LoopBack0 (20.20.20.20): Total 3 IGMP Groups reported:
Group Address Last Reporter Uptime Expires
224.1.1.1 20.20.20.20 00:02:04 00:01:15
224.1.1.3 20.20.20.20 00:02:04 00:01:15
224.1.1.2 20.20.20.20 00:02:04 00:01:17

Table 3-24 Description of the display igmp group command output

Item            Description
Group Address   Multicast group address
Last Reporter   The last host that reported membership of the multicast group
Uptime          The time since the multicast group was found (hour:minute:second)
Expires         The predicted time when the record will be removed from the
                IGMP group table (hour:minute:second)

Related Topics
3.14.8 igmp host-join

3.14.3 display igmp interface

Function
Using the display igmp interface command, you can view the IGMP configuration and running
on an interface of public network instance.

Format
display igmp interface [ interface-type interface-number ]

Parameters
interface-type interface-number: refers to the type and number of an interface of the
Eudemon, used to specify the interface. If the parameters are not specified, all the interfaces
running IGMP will be displayed.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The information displayed through the display igmp interface command varies with the
configuration of IGMP proxy on an interface.
• If the interface is neither a proxy nor a client, the configuration of IGMP Proxy will not be
  displayed.
• If the interface is a proxy, all the clients will be displayed.
• If the interface is a client, the proxy will be displayed.

Examples
# Display the IGMP configuration and running on all interfaces of the public network instance.
<Eudemon> display igmp interface
Ethernet 0/0/1 (10.10.1.20):
IGMP is enabled
Current IGMP version is 2
Value of query interval for IGMP(in seconds): 60
Value of other querier time out for IGMP(in seconds): 120
Value of maximum query response time for IGMP(in seconds): 10
Value of robust count for IGMP: 2
Value of startup query interval for IGMP(in seconds): 15
Value of last member query interval for IGMP(in seconds): 1
Value of query timeout for IGMP version 1(in seconds): 400
Policy to accept IGMP reports: none
Querier for IGMP: 10.10.1.10
IGMP group limit is 512
Total 2 IGMP groups reported
LoopBack0 (20.20.20.30):
IGMP is enabled
Current IGMP version is 2
Value of query interval for IGMP(in seconds): 60
Value of other querier time out for IGMP(in seconds): 120
Value of maximum query response time for IGMP(in seconds): 10
Value of robust count for IGMP: 2
Value of startup query interval for IGMP(in seconds): 15
Value of last member query interval for IGMP(in seconds): 1
Value of query timeout for IGMP version 1(in seconds): 400
Policy to accept IGMP reports: none
Querier for IGMP: 20.20.20.30 (this router)
IGMP group limit is 512
Total 3 IGMP groups reported

3.14.4 display igmp local

Function
Using the display igmp local command, you can view the local IGMP configuration and running
of public network instance.

Format
display igmp local

Parameters
local: refers to the local interface which receives and sends multicast data.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the local IGMP configuration and running of the public network instance.
<Eudemon> display igmp local
Mcast_Out_IF (127.0.0.6):
IGMP is enabled on interface
Current IGMP version is 2
No IGMP group reported
Mcast_In_IF (127.0.0.5):
IGMP is disabled on interface

3.14.5 igmp enable

Function
Using the igmp enable command, you can enable IGMP on an interface.

Using the undo igmp enable command, you can disable IGMP on an interface.

Format
igmp enable

undo igmp enable

Parameters
None

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, IGMP is disabled on an interface.

This command can take effect only after multicast is enabled. After this command is configured,
other attributes of IGMP can be set.

Examples
# Enable IGMP on the interface Ethernet 0/0/1.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/1
[Eudemon-Ethernet0/0/1] igmp enable

Related Topics
3.13.11 multicast routing-enable

3.14.6 igmp group-limit

Function
Using the igmp group-limit command, you can limit the number of IGMP groups joined on the
interface. If the number exceeds the limit, the router will no longer process IGMP join
packets.

Using the undo igmp group-limit command, you can restore the default configuration.

Format
igmp group-limit limit-value

undo igmp group-limit

Parameters
limit-value: refers to the number of IGMP groups in a range of 0 to 512.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the maximum number of IGMP groups joined on the interface is 512.

If the number of IGMP groups joined on the interface has exceeded the configuration value
during configuration, the previously joined IGMP groups will not be deleted.

If this command is executed repeatedly, the new configuration will overwrite the previous one.

Examples
# Limit the maximum number of IGMP groups joined on the interface Ethernet 0/0/1 to 100.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/1
[Eudemon-Ethernet0/0/1] igmp group-limit 100

3.14.7 igmp group-policy

Function
Using the igmp group-policy command, you can set the filter of multicast groups on an interface
to control the access to the IP multicast groups.

Using the undo igmp group-policy command, you can remove the filter.

Format
igmp group-policy acl-number [ 1 | 2 ]

undo igmp group-policy

Parameters
acl-number: refers to the number of basic IP ACL, defining the range of a multicast group. The
value ranges from 2000 to 2999.

1: refers to IGMP Version 1.

2: refers to IGMP Version 2. If IGMP version is not specified, IGMP Version 2 is used by default.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, no filter is configured, that is, a host can join any multicast group.

If you do not want the hosts on the network that the interface is on to join some multicast groups
and receive the packets from the multicast groups, you can use this command to limit the range
of the multicast groups served by the interface.

Examples
# Permit the hosts on the interface Ethernet 0/0/1 to join multicast group 225.1.1.1 only.
<Eudemon> system-view
[Eudemon] acl number 2005
[Eudemon-acl-basic-2005] rule permit source 225.1.1.1 0
[Eudemon-acl-basic-2005] quit
[Eudemon] interface Ethernet 0/0/1
[Eudemon-Ethernet0/0/1] igmp group-policy 2005

Related Topics
3.14.8 igmp host-join
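
The display igmp interface output shown earlier on this page reports both per-interface controls described above, igmp group-limit and igmp group-policy. The added example below (not part of the manual) parses that output and lists enabled interfaces that still have no report policy, the default limit of 512, or a querier outside an expected set. The sample is constructed from the manual's output; the line "Policy to accept IGMP reports: 2005" is an assumption about how a configured ACL is displayed, and the function names and the expected_queriers parameter are hypothetical.

```python
import re

DEFAULT_GROUP_LIMIT = 512  # default stated in the igmp group-limit section

# Constructed sample based on the manual's display igmp interface output.
# The "2005" policy value and the limit of 100 are constructed for the example.
SAMPLE = """\
Ethernet 0/0/1 (10.10.1.20):
IGMP is enabled
Current IGMP version is 2
Value of query interval for IGMP(in seconds): 60
Policy to accept IGMP reports: none
Querier for IGMP: 10.10.1.10
IGMP group limit is 512
Total 2 IGMP groups reported
LoopBack0 (20.20.20.30):
IGMP is enabled
Current IGMP version is 2
Value of query interval for IGMP(in seconds): 60
Policy to accept IGMP reports: 2005
Querier for IGMP: 20.20.20.30 (this router)
IGMP group limit is 100
Total 3 IGMP groups reported
"""

HEADER_RE = re.compile(r"^(.+?)\s*\((\d+\.\d+\.\d+\.\d+)\):$")
FIELD_RES = {
    "enabled": re.compile(r"^IGMP is (enabled|disabled)"),
    "version": re.compile(r"^Current IGMP version is (\d+)"),
    "policy": re.compile(r"^Policy to accept IGMP reports:\s*(\S+)"),
    "querier": re.compile(r"^Querier for IGMP:\s*(\d+\.\d+\.\d+\.\d+)"),
    "group_limit": re.compile(r"^IGMP group limit is (\d+)"),
    "groups": re.compile(r"^Total (\d+) IGMP groups reported"),
}
INT_KEYS = {"version", "group_limit", "groups"}


def parse_igmp_interfaces(text):
    """Return one dict per interface block; unknown lines are ignored."""
    interfaces, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = {"name": header.group(1), "address": header.group(2)}
            interfaces.append(current)
            continue
        if current is None:
            continue
        for key, pattern in FIELD_RES.items():
            m = pattern.match(line)
            if m:
                current[key] = int(m.group(1)) if key in INT_KEYS else m.group(1)
                break
    return interfaces


def audit(interfaces, expected_queriers):
    """Return (interface, finding) pairs for IGMP-enabled interfaces."""
    findings = []
    for iface in interfaces:
        if iface.get("enabled") != "enabled":
            continue
        name = iface["name"]
        if iface.get("policy", "none") == "none":
            findings.append((name, "no-group-policy"))
        if iface.get("group_limit", DEFAULT_GROUP_LIMIT) >= DEFAULT_GROUP_LIMIT:
            findings.append((name, "default-group-limit"))
        querier = iface.get("querier")
        if querier and querier not in expected_queriers:
            findings.append((name, "unexpected-querier:" + querier))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_igmp_interfaces(SAMPLE), {"20.20.20.30"}):
        print(finding)
```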

3.14.8 igmp host-join

Function
Using the igmp host-join command, you can enable an interface of a router to join a multicast
group.

Using the undo igmp host-join command, you can disable the configuration.

Format
igmp host-join group-address

undo igmp host-join group-address

Parameters
group-address: refers to multicast address of the multicast group that an interface will join.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, an interface does not join any multicast group.

On one router, at most 1024 interfaces can be configured with the igmp host-join command.

Examples
# Configure Ethernet 0/0/1 to join the multicast group 225.0.0.1.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/1
[Eudemon-Ethernet0/0/1] igmp host-join 225.0.0.1

Related Topics
3.14.7 igmp group-policy

3.14.9 igmp lastmember-queryinterval

Function
Using the igmp lastmember-queryinterval command, you can set the interval at which IGMP
querier sends the IGMP specified group query packet when it receives IGMP Leave packet from
the host.

Using the undo igmp lastmember-queryinterval command, you can restore the default value.

Format
igmp lastmember-queryinterval seconds

undo igmp lastmember-queryinterval

Parameters
seconds: refers to interval at which IGMP querier sends the IGMP specified group query packet
when it receives IGMP Leave packet from the host, in seconds. The value ranges from 1 to 5
seconds. By default, the value is 1 second.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
On a shared network, that is, when there are multiple hosts and multicast routers on a network
segment, the query router (querier for short) takes charge of maintaining IGMP group
membership on an interface. When a host running IGMP Version 2 leaves a group, it should
send an IGMP Leave packet. When the IGMP querier receives the packet, it must send the IGMP
specified group query packet robust-value times at the interval seconds, where seconds is
configured through the igmp lastmember-queryinterval command (1 if the command is not
configured) and robust-value is configured through the igmp robust-count command (2 if the
command is not configured). If another host receives the IGMP specified group query packet
from the IGMP querier and is interested in the group, it sends an IGMP Membership Report
packet within the maximum response time specified in the packet. If the IGMP querier receives
an IGMP Membership Report packet from another host within the time robust-value x seconds,
it goes on maintaining the group membership. If not, it considers the group to have timed out
and stops maintaining the group membership.
The command is valid only when the IGMP query router is running IGMP Version 2. A host
running IGMP Version 1 may not send an IGMP Leave packet when it leaves a group, in which
case the command has no effect for that host.

Examples
# Configure the query interval of the querier for the last group member on the interface Ethernet
0/0/1 to 3 seconds.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/1
[Eudemon-Ethernet0/0/1] igmp lastmember-queryinterval 3

Related Topics
3.14.12 igmp robust-count
3.14.3 display igmp interface

3.14.10 igmp max-response-time

Function
Using the igmp max-response-time command, you can set the maximum response time
contained in the IGMP query packet.

Using the undo igmp max-response-time command, you can restore the default value.

Format
igmp max-response-time seconds

undo igmp max-response-time

Parameters
seconds: refers to the maximum response time in the IGMP query packet in seconds in a range
of 1 to 25. By default, the value is 10 seconds.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
The maximum query response time determines the period for a router to quickly detect that there
are no more directly connected group members in a LAN.

Examples
# Set the maximum response time to 8 seconds.
<Eudemon> system-view
[Eudemon] interface Ethernet 1/0/0
[Eudemon-Ethernet1/0/0] igmp max-response-time 8

Related Topics
3.14.2 display igmp group

3.14.11 igmp proxy

Function
Using the igmp proxy command, you can specify an interface of a leaf network router as the
IGMP proxy of another interface in the same public network instance.

Using the undo igmp proxy command, you can remove the configuration.

Format
igmp proxy interface-type interface-number

undo igmp proxy

Parameters
interface-type: refers to the type of a proxy interface.
interface-number: refers to the number of a proxy interface.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, IGMP proxy function is disabled.
An interface cannot act as the IGMP proxy of two or more other interfaces at the same time. In
addition, an interface cannot be both a proxy and a client.
If an interface is configured with IGMP proxy multiple times, the last configuration overrides
all the previous ones.

Examples
# Configure the IGMP proxy of router Ethernet 0/0/1 to Ethernet 1/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/1
[Eudemon-Ethernet0/0/1] igmp proxy Ethernet 1/0/0

Related Topics
3.15.15 pim neighbor-policy

3.14.12 igmp robust-count

Function
Using the igmp robust-count command, you can set the times IGMP querier sends the IGMP
specified group query packet when it receives IGMP Leave packet from the host.
Using the undo igmp robust-count command, you can restore the default value.

Format
igmp robust-count robust-count-value
undo igmp robust-count

Parameters
robust-count-value: specifies IGMP robust coefficient, indicating the times IGMP querier sends
the IGMP specified group query packet when it receives IGMP Leave packet from the host. The
value ranges from 2 to 5. By default, the value is 2.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
On a shared network, that is, when there are multiple hosts and multicast routers on a network
segment, the query router (querier for short) takes charge of maintaining IGMP group
membership on an interface. When a host running IGMP Version 2 leaves a group, it should
send an IGMP Leave packet. When the IGMP querier receives the packet, it must send the IGMP
specified group query packet robust-value times at the interval seconds, where seconds is
configured through the igmp lastmember-queryinterval command (1 if the command is not
configured) and robust-value is configured through the igmp robust-count command (2 if the
command is not configured). If another host receives the IGMP specified group query packet
from the IGMP querier and is interested in the group, it sends an IGMP Membership Report
packet within the maximum response time specified in the packet. If the IGMP querier receives
an IGMP Membership Report packet from another host within the time robust-value x seconds,
it goes on maintaining the group membership. If not, it considers the group to have timed out
and stops maintaining the group membership.
The command is valid only when the IGMP query router is running IGMP Version 2. A host
running IGMP Version 1 may not send an IGMP Leave packet when it leaves a group, in which
case the command has no effect for that host.

Examples
# Configure the robust-value of querier on the interface Ethernet 0/0/1 to 3.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/1
[Eudemon-Ethernet0/0/1] igmp robust-count 3

Related Topics
3.14.9 igmp lastmember-queryinterval
3.14.3 display igmp interface

3.14.13 igmp timer other-querier-present

Function
Using the igmp timer other-querier-present command, you can set the timeout value for the
presence of the IGMP querier.
Using the undo igmp timer other-querier-present command, you can restore the default value.

Format
igmp timer other-querier-present seconds
undo igmp timer other-querier-present

Parameters
seconds: refers to the IGMP querier present time, in seconds. The value ranges from 60 to 300
seconds. By default, the value is twice the IGMP query message interval, which is generally
120 seconds.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
On a shared network (i.e., there are multiple multicast routers on the same network segment)
the query router (querier for short) takes charge of sending query messages periodically on the
interface. If a non-querier receives no query messages within the valid period, it considers
the previous querier to be invalid and becomes the querier itself.
In IGMP Version 1, the selection of a querier is determined by the multicast routing protocol.
In IGMP Version 2, the router with the lowest IP address on the shared network segment acts
as the querier.

CAUTION
The Eudemon regards the previous querier as invalid if it receives no query messages within
twice the query interval specified by the igmp timer query command.

Examples
# Configure the Keepalive period of the other IGMP queriers on Ethernet 0/0/1 to 200 seconds.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/1
[Eudemon-Ethernet0/0/1] igmp timer other-querier-present 200

Related Topics
3.14.14 igmp timer query
3.14.3 display igmp interface

3.14.14 igmp timer query

Function
Using the igmp timer query command, you can set the interval at which a firewall interface
sends IGMP query messages.
Using the undo igmp timer query command, you can restore the default value.

Format
igmp timer query seconds
undo igmp timer query

Parameters
seconds: refers to the interval at which the firewall sends the IGMP query messages, in seconds.
It ranges from 1 to 65535. By default, the value is 60 seconds.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
A multicast firewall sends IGMP query messages at intervals to find out whether there are
multicast group members on the network. The query interval can be modified according to the
practical conditions of the network.

Examples
# Set the interval at which multicast firewall Ethernet 0/0/1 sends IGMP query packet to 125
seconds.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/1
[Eudemon-Ethernet0/0/1] igmp timer query 125

Related Topics
3.14.13 igmp timer other-querier-present

3.14.15 igmp version

Function
Using the igmp version command, you can specify the version of IGMP that a router uses.
Using the undo igmp version command, you can restore the default value.

Format
igmp version { 1 | 2 }
undo igmp version

Parameters
1: refers to IGMP Version 1.

2: refers to IGMP Version 2. By default, IGMP Version 2 is used.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
All systems running in the same sub-network must support the same version of IGMP. When a
firewall detects a Version 1 system, it cannot switch to Version 1 by itself.

Examples
# Specify Ethernet 1/0/0 to use IGMP Version 1.
<Eudemon> system-view
[Eudemon] interface Ethernet 1/0/0
[Eudemon-Ethernet1/0/0] igmp version 1

3.14.16 reset igmp group

Function
Using the reset igmp group command, you can delete the IGMP groups joined on an interface
of the public network instance. Deleting a group does not prevent it from being joined again.

Format
reset igmp group { all | interface interface-type interface-number { all | group-address [ group-mask ] } }

Parameters
all: refers to all IGMP groups.

interface interface-type interface-number: refers to the type and number of an interface.

group-address: refers to the IGMP group address.

group-mask: refers to the mask of the group address.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Delete all the IGMP groups on all interfaces.
<Eudemon> reset igmp group all

# Delete all the IGMP groups on the interface Ethernet 1/0/0.
<Eudemon> reset igmp group interface Ethernet 1/0/0 all

# Delete the group 225.0.0.1 on the interface Ethernet 1/0/0.
<Eudemon> reset igmp group interface Ethernet 1/0/0 225.0.0.1

# Delete the IGMP groups ranging between the network segment 225.1.1.0 and 225.1.1.255 on
the interface Ethernet 1/0/0.
<Eudemon> reset igmp group interface Ethernet 1/0/0 225.1.1.0 255.255.255.0

3.15 PIM Configuration Commands


3.15.1 bsr-policy
3.15.2 c-bsr
3.15.3 c-rp
3.15.4 crp-policy
3.15.5 display pim bsr-info
3.15.6 display pim interface
3.15.7 display pim local
3.15.8 display pim neighbor
3.15.9 display pim routing-table
3.15.10 display pim rp-info
3.15.11 pim
3.15.12 pim bsr-boundary
3.15.13 pim dm
3.15.14 pim neighbor-limit
3.15.15 pim neighbor-policy
3.15.16 pim sm
3.15.17 pim timer hello
3.15.18 register-policy
3.15.19 reset pim neighbor
3.15.20 reset pim routing-table
3.15.21 source-policy
3.15.22 spt-switch-threshold
3.15.23 static-rp

3.15.1 bsr-policy

Function
Using the bsr-policy command, you can restrict the range for valid BSR so as to prevent BSR
spoofing.
Using the undo bsr-policy command, you can restore the normal state without any range
restriction and regard all the messages received as valid.

Format
bsr-policy acl-number
undo bsr-policy

Parameters
acl-number: refers to ACL number used by BSR filter policy. It is the basic ACL number in a
range of 2000 to 2999.

Views
PIM view of public network instance

Default Level
2: Configuration level

Usage Guidelines
In PIM SM network which uses BSR mechanism, any Eudemon can set itself as C-BSR and will
take charge of the authority of advertising RP information in the network if it succeeds in
competition. To prevent the valid BSR in the network from being maliciously replaced, the
following two measures should be taken:
● Change RP mapping relationship to prevent the host from spoofing the Eudemon by
  counterfeiting valid BSR packets. A BSR packet is a multicast packet with a TTL of 1, so this
  kind of attack usually takes place on the edge Eudemon. The BSR is in the internal network
  and the host is in the external network; therefore, performing a neighbor check and an RPF
  check on BSR packets can prevent this kind of attack.
● If a Eudemon in the network is controlled by an attacker, or an illegal Eudemon accesses
  the network, the attacker can set the Eudemon as a C-BSR, make it win the competition,
  and take control of advertising RP information in the network. After being configured as a
  C-BSR, the Eudemon automatically advertises BSR information to the whole network. A BSR
  packet is a multicast packet that is forwarded hop by hop with a TTL of 1. The whole network
  will not be affected if the neighbor Eudemon does not receive the BSR information. The
  solution is to configure bsr-policy on each Eudemon in the whole network to restrict the
  range for legal BSRs. For example, if only 1.1.1.1/32 and 1.1.1.2/32 are permitted as BSR,
  the Eudemon will not receive and forward other BSR information, and the legal BSR will not
  compete with it.

The above two points can partially protect the security of BSR in the network. However, if a
legal BSR Eudemon is controlled by an attacker, it will also lead to the above problem.

When using the rule command to configure the ACL rule, source parameter is translated as
BSR address in bsr-policy command.

Examples
# Set BSR filter policy of the public network instance on a Eudemon. Only permit 1.1.1.1/32 to
act as BSR and regard others invalid.
<Eudemon> system-view
[Eudemon] pim
[Eudemon-pim] bsr-policy 2001
[Eudemon-pim] quit
[Eudemon] acl number 2001
[Eudemon-acl-basic-2001] rule 0 permit source 1.1.1.1 0

3.15.2 c-bsr

Function
Using the c-bsr command, you can configure a candidate BSR.

Using the undo c-bsr command, you can remove the candidate BSR configuration.

Format
c-bsr interface-type interface-number hash-mask-length [ priority ]

undo c-bsr

Parameters
interface-type interface-number: refers to the type and number of the interface on which the
candidate BSR is configured. PIM-SM must be enabled on this interface for the configuration
to take effect.

hash-mask-length: refers to hash mask length. The mask performs the "And" operation with
multicast address first and searches for RP. The value ranges from 0 to 32.

priority: refers to priority of the candidate BSR. The larger the value is, the higher the priority
of candidate BSR is. The value ranges from 0 to 255. By default, the priority is 0.

Views
PIM view of public network instance

Default Level
2: Configuration level

Usage Guidelines
By default, no candidate BSR is set.
Since BSR and other devices in PIM domain need to exchange a great deal of information during
candidate BSR configuration, a relatively large bandwidth must be guaranteed.

Examples
# Assign the IP address of the Ethernet 1/0/0 in the public network instance as a candidate BSR
with the priority 2.
<Eudemon> system-view
[Eudemon] pim
[Eudemon-pim] c-bsr Ethernet 1/0/0 30 2

Related Topics
3.15.16 pim sm

3.15.3 c-rp

Function
Using the c-rp command, you can configure the Eudemon to advertise itself as a candidate RP
to BSR.
Using the undo c-rp command, you can remove the configuration.

Format
c-rp interface-type interface-number [ group-policy acl-number ] [ priority priority-value ]
undo c-rp { interface-type interface-number | all }

Parameters
interface-type interface-number: refers to interface with the IP address advertised as a candidate
RP address.
acl-number: refers to the number of basic ACL that defines a group range, which is the service
range of the advertised RP. The value ranges from 2000 to 2999.
priority-value: refers to priority of a candidate RP. The larger the value is, the lower the priority
is. The value ranges from 0 to 255. By default, the value is 0.
all: cancels the configurations of all RPs.

Views
PIM view of public network instance

Default Level
2: Configuration level

Usage Guidelines
By default, no candidate RP is configured.

When configuring a candidate RP, a relatively large bandwidth should be reserved for the
Eudemon and other devices in PIM domain.

Examples
# Configure the interface Ethernet 1/0/0 in the public network instance as the candidate RP for
all groups.
<Eudemon> system-view
[Eudemon] pim
[Eudemon-pim] c-rp Ethernet 1/0/0

Related Topics
3.15.2 c-bsr

3.15.4 crp-policy

Function
Using the crp-policy command, you can restrict the range for valid C-RP and the group range
served by each C-RP so as to prevent C-RP cheating.

Using the undo crp-policy command, you can restore the normal state without any range
restriction and regard all the received messages valid.

Format
crp-policy acl-number

undo crp-policy

Parameters
acl-number: refers to ACL number used by C-RP filter policy. It is the advanced ACL number
in a range of 3000 to 3999.

Views
PIM view of public network instance

Default Level
2: Configuration level

Usage Guidelines
In PIM SM network which uses BSR mechanism, any Eudemon can set itself as a C-RP serving
the specific group range. If it is elected in RP election, it will become an RP serving in the group
range.

In BSR mechanism C-RP Eudemon unicasts C-RP to BSR Eudemon which is responsible for
advertising all C-RP to the whole network by using BRP.

To prevent C-RP cheating, crp-policy needs to be configured on the BSR Eudemon to restrict
the range for valid C-RPs and the group address range each one serves. Any C-BSR may become
the BSR, so the same filter policy should be configured on each C-BSR.

This command uses an ACL numbered from 3000 to 3999. When using the rule command to
configure the ACL rule, the source parameter refers to the C-RP address and destination refers
to the group range the C-RP serves. A received C-RP message matches only when the C-RP
address in the packet matches the source address and the group address range in the packet is
a subset of that in the ACL.

Examples
# Configure C-RP policy of the public network instance on C-BSR Eudemon. Only permit
1.1.1.1/32 to act as C-RP which only serves the group range 225.1.0.0/16.
<Eudemon> system-view
[Eudemon] pim
[Eudemon-pim] crp-policy 3100
[Eudemon-pim] quit
[Eudemon] acl number 3100
[Eudemon-acl-adv-3100] rule 0 permit ip source 1.1.1.1 0 destination 225.1.0.0 0.0.255.255
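
The matching rules described for bsr-policy (3.15.1) and crp-policy above can be modelled offline to check what a planned ACL will accept before it is deployed. The Python below is an added example, not Huawei code: the function names are hypothetical, the advertisements are constructed, and it assumes rules are evaluated in configuration order with unmatched messages treated as invalid.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MASK32 = 0xFFFFFFFF


def ip_to_int(text: str) -> int:
    # In the rule syntax shown on this page, a wildcard of "0" means exact host.
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))


@dataclass(frozen=True)
class Rule:
    permit: bool
    src: int
    src_wild: int
    dst: Optional[int] = None   # present only in advanced ACLs (3000-3999)
    dst_wild: int = 0


def parse_rule(line: str) -> Rule:
    """Parse the two rule forms used in the page's examples (hypothetical helper)."""
    tok = line.split()
    tok = tok[tok.index("rule") + 1:]
    if tok and tok[0].isdigit():          # optional rule id
        tok = tok[1:]
    if not tok or tok[0] not in ("permit", "deny") or "source" not in tok:
        raise ValueError(f"unsupported rule: {line!r}")
    i = tok.index("source")
    src, src_wild = ip_to_int(tok[i + 1]), ip_to_int(tok[i + 2])
    dst, dst_wild = None, 0
    if "destination" in tok:
        j = tok.index("destination")
        dst, dst_wild = ip_to_int(tok[j + 1]), ip_to_int(tok[j + 2])
    return Rule(tok[0] == "permit", src, src_wild, dst, dst_wild)


def host_matches(addr: int, base: int, wild: int) -> bool:
    """Compare only the bits the wildcard mask marks as significant (0 bits)."""
    care = ~wild & MASK32
    return (addr & care) == (base & care)


def range_within(net: ipaddress.IPv4Network, base: int, wild: int) -> bool:
    """True when every address in net matches base/wild, i.e. net is a subset."""
    care = ~wild & MASK32
    if int(net.hostmask) & care:          # a bit that varies in net is significant
        return False
    return host_matches(int(net.network_address), base, wild)


def bsr_policy_accepts(acl: List[Rule], bsr: str) -> bool:
    """Basic ACL: the rule's source is compared with the BSR address."""
    addr = ip_to_int(bsr)
    for rule in acl:
        if host_matches(addr, rule.src, rule.src_wild):
            return rule.permit
    return False                          # assumption: no match means invalid


def crp_policy_accepts(acl: List[Rule], crp: str, group_range: str) -> bool:
    """Advanced ACL: source is the C-RP address, destination the served groups."""
    addr = ip_to_int(crp)
    net = ipaddress.IPv4Network(group_range)
    for rule in acl:
        if rule.dst is None:
            continue
        if host_matches(addr, rule.src, rule.src_wild) and \
                range_within(net, rule.dst, rule.dst_wild):
            return rule.permit
    return False                          # assumption: no match means invalid


# ACL rules taken from the bsr-policy and crp-policy examples on this page.
ACL_2001 = [parse_rule("[Eudemon-acl-basic-2001] rule 0 permit source 1.1.1.1 0")]
ACL_3100 = [parse_rule("[Eudemon-acl-adv-3100] rule 0 permit ip source 1.1.1.1 0 "
                       "destination 225.1.0.0 0.0.255.255")]

if __name__ == "__main__":
    # Constructed messages: (sender, advertised group range or None for a BSR).
    for sender, groups in [("1.1.1.1", None), ("1.1.1.2", None),
                           ("1.1.1.1", "225.1.0.0/16"), ("1.1.1.1", "225.1.2.0/24"),
                           ("1.1.1.1", "224.0.0.0/4"), ("1.1.1.9", "225.1.0.0/16")]:
        if groups is None:
            print("BSR ", sender, bsr_policy_accepts(ACL_2001, sender))
        else:
            print("C-RP", sender, groups, crp_policy_accepts(ACL_3100, sender, groups))
```

The 224.0.0.0/4 case is the one to watch: the sender address is permitted, but the advertisement claims a wider group range than the ACL allows, so it is rejected.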

3.15.5 display pim bsr-info

Function
Using the display pim bsr-info command, you can view BootStrap Router (BSR) of public
network instance.

Format
display pim bsr-info

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the current BSR of the public network instance.
<Eudemon> display pim bsr-info
Current BSR Address: 20.20.20.30
Priority: 0
Mask Length: 30
Expires: 00:01:55
Local host is BSR

Related Topics
3.15.2 c-bsr
3.15.3 c-rp

3.15.6 display pim interface

Function
Using the display pim interface command, you can view the PIM interface of public network
instance.

Format
display pim interface [ interface-type interface-number ]

Parameters
interface-type interface-number: refers to the type and number of an interface.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the PIM information about Ethernet 1/0/0 of the public network instance.
<Eudemon> display pim interface Ethernet 1/0/0
PIM information of interface Ethernet 1/0/0:
IP address of the interface is 10.10.1.20
PIM is enabled on interface
PIM version is 2
PIM mode is Sparse
PIM query interval is 30 seconds
Total 1 PIM neighbor on interface
PIM DR(designated router) is 10.10.1.20

Table 3-25 Description of the display pim interface command output

Item                                      Description
PIM is enabled on interface               PIM is enabled on the interface.
PIM mode is Sparse                        The protocol type of the interface is PIM SM.
PIM query interval is 30 seconds          The sending interval of Hello message is 30 seconds.
PIM DR(designated router) is 10.10.1.20   IP address of DR is 10.10.1.20.

3.15.7 display pim local

Function
Using the display pim local command, you can view the PIM local interface of instances in the
public network.

Format
display pim local

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the PIM local interface of instances in the public network.
<Eudemon> display pim local
PIM information of interface Mcast_Out_IF:
IP address of the interface is 127.0.0.6
PIM is enabled on interface
PIM version is 2
PIM mode is Dense
PIM information of interface Mcast_In_IF:
IP address of the interface is 127.0.0.5
PIM is enabled on interface
PIM version is 2
PIM mode is Dense

3.15.8 display pim neighbor

Function
Using the display pim neighbor command, you can view the PIM neighbor of public network
instance.

Format
display pim neighbor [ interface interface-type interface-number ]

Parameters
interface-type interface-number: refers to the type and number of an interface.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the PIM neighbor of the interface Ethernet 1/0/0 of the public network instance.
<Eudemon> display pim neighbor interface Ethernet 1/0/0
Neighbor's Address Interface Name Uptime Expires
10.10.1.10 Ethernet 1/0/0 00:41:59 00:01:16

3.15.9 display pim routing-table

Function
Using the display pim routing-table command, you can view the PIM multicast routing table
of public network instance.

Format
display pim routing-table [ { { *g [ group-address [ mask { group-mask-length | group-mask } ] ] | **rp [ rp-address [ mask { rp-mask-length | rp-mask } ] ] } | { group-address [ mask { group-mask-length | group-mask } ] | source-address [ mask { source-mask-length | source-mask } ] } * } | incoming-interface { interface-type interface-number | null } | { dense-mode | sparse-mode } ] *

Parameters
**rp: displays (*, *, RP) route entry.

*g: displays (*, G) route entry.

group-address: refers to address of the multicast group.

source-address: refers to IP address of the multicast source.

incoming-interface: refers to route entry of the specified incoming interface.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the PIM multicast routing table of the public network instance.
<Eudemon> display pim routing-table
PIM-SM Routing Table
Total 0 (S,G) entry, 2 (*,G) entries, 0 (*,*,RP) entry
(*, 224.0.2.30), RP 20.20.20.30
Protocol 0x20: PIMSM, Flag 0x2003: RPT WC NULL_IIF
UpTime: 00:17:25, never timeout
Upstream interface: Null, RPF neighbor: 0.0.0.0
Downstream interface list:
Ethernet 1/0/0, Protocol 0x1: IGMP, never timeout

(*, 225.1.1.1), RP 20.20.20.30
Protocol 0x20: PIMSM, Flag 0x2003: RPT WC NULL_IIF
UpTime: 00:08:45, never timeout
Upstream interface: Null, RPF neighbor: 0.0.0.0
Downstream interface list:
Ethernet 1/0/0, Protocol 0x1: IGMP, never timeout
Matched 0 (S,G) entry, 2 (*,G) entries, 0 (*,*,RP) entry

Related Topics
3.13.3 display multicast routing-table

3.15.10 display pim rp-info

Function
Using the display pim rp-info command, you can view RP of multicast groups of public network
instance, including RP discovered through Auto-RP/BSR mechanism and static RP.

Format
display pim rp-info [ group-address ]

Parameters
group-address: refers to the group address.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If no group address is specified in this command, RP of all groups will be displayed.

Examples
# Display the current RP of multicast group 224.1.1.0 of the public network instance.
<Eudemon> display pim rp-info 224.1.1.0
RP Address for this group is: 20.20.20.20

# Display all RP of the public network instance.
<Eudemon> display pim rp-info
PIM-SM Auto-RP information:
RP Agent is: 20.20.20.20
Group/MaskLen: 228.0.0.0/32
RP 40.40.40.40
Uptime: 00:00:43
Expires: 00:03:01

PIM-SM RP-SET information:
BSR is: 20.20.20.20
Group/MaskLen: 224.0.0.0/4
RP 20.20.20.20
Version: 2
Priority: 0
Uptime: 00:00:15
Expires: 00:02:15
Static RP: 1.1.1.1

3.15.11 pim

Function
Using the pim command, you can enter PIM view of the public network instance.

Using the undo pim command, you can clear the configuration in PIM view of the public
network instance.

Format
pim

undo pim

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
Global parameters related to PIM must be set in the PIM view of the public network
instance.

Examples
# Enter PIM view of the public network instance.
<Eudemon> system-view
[Eudemon] pim
[Eudemon-pim]

3.15.12 pim bsr-boundary

Function
Using the pim bsr-boundary command, you can configure an interface to become the PIM
domain boundary.

Using the undo pim bsr-boundary command, you can remove the boundary.

Format
pim bsr-boundary

undo pim bsr-boundary

Parameters
None

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, no domain boundary is set.

After this command is configured on an interface, Bootstrap messages cannot pass the boundary,
whereas other PIM packets can. This command can effectively divide the network to domains
which use different BSRs.

Examples
# Configure a domain boundary on Ethernet 1/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 1/0/0
[Eudemon-Ethernet1/0/0] pim bsr-boundary

Related Topics
3.15.2 c-bsr

3.15.13 pim dm

Function
Using the pim dm command, you can enable PIM-DM.

Using the undo pim dm command, you can disable PIM-DM.

Format
pim dm

undo pim dm

Parameters
None

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, PIM-DM is disabled.
Once PIM-DM is enabled on an interface, PIM-SM cannot be enabled on the same interface and
vice versa.

Examples
# Enable PIM-DM on Ethernet 1/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 1/0/0
[Eudemon-Ethernet1/0/0] pim dm

3.15.14 pim neighbor-limit

Function
Using the pim neighbor-limit command, you can limit PIM neighbor number on a router
interface. If the number exceeds the limit configured, no new neighbor can be added to the router.
Using the undo pim neighbor-limit command, you can restore the default configuration.

Format
pim neighbor-limit limit
undo pim neighbor-limit

Parameters
limit: refers to the upper limit of PIM neighbor number on an interface in a range of 0 to 128.
By default, it is 128.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
If the number of PIM neighbors on an interface already exceeds the value being configured,
the existing PIM neighbors are not deleted.

Examples
# Set the upper limit of the number of PIM neighbors on the interface Ethernet 1/0/0 to 50.
<Eudemon> system-view
[Eudemon] interface Ethernet 1/0/0
[Eudemon-Ethernet1/0/0] pim neighbor-limit 50

3.15.15 pim neighbor-policy

Function
Using the pim neighbor-policy command, you can configure a router to filter the PIM neighbors
of the current interface.

Using the undo pim neighbor-policy command, you can cancel the filtering.

Format
pim neighbor-policy acl-number

undo pim neighbor-policy

Parameters
acl-number: refers to the number of basic ACL in a range of 2000 to 2999.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
Only routers that are permitted by the ACL can act as PIM neighbors of the current interface;
other routers cannot.

If this command is configured repeatedly, the new configuration will overwrite the previous one.

Examples
# Configure 10.10.1.2 rather than 10.10.1.1 as the PIM neighbor of Ethernet 1/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 1/0/0
[Eudemon-Ethernet1/0/0] pim neighbor-policy 2001
[Eudemon-Ethernet1/0/0] quit
[Eudemon] acl number 2001
[Eudemon-acl-basic-2001] rule permit source 10.10.1.2 0
[Eudemon-acl-basic-2001] rule deny source 10.10.1.1 0

3.15.16 pim sm

Function
Using the pim sm command, you can enable PIM-SM protocol on an interface.

Using the undo pim sm command, you can disable PIM-SM protocol.

Format
pim sm

undo pim sm

Parameters
None

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, PIM-SM is disabled.

Once PIM-SM is enabled on an interface, PIM-DM cannot be enabled on the same interface and
vice versa.

Examples
# Enable PIM-SM on Ethernet 1/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 1/0/0
[Eudemon-Ethernet1/0/0] pim sm

3.15.17 pim timer hello

Function
Using the pim timer hello command, you can set the interval at which the PIM router sends
Hello messages.

Using the undo pim timer hello command, you can restore the default value.

Format
pim timer hello seconds

undo pim timer hello

Parameters
seconds: refers to the interval, at which Hello messages are sent, in a range of 1 to 18000 seconds.
By default, the value is 30 seconds.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Set the interval at which Hello messages are sent on the interface Ethernet 1/0/0 of the PIM
router to 40 seconds.
<Eudemon> system-view
[Eudemon] interface Ethernet 1/0/0
[Eudemon-Ethernet1/0/0] pim sm
[Eudemon-Ethernet1/0/0] pim timer hello 40

3.15.18 register-policy

Function
Using the register-policy command, you can configure an RP to filter the register packets sent by
the DR in the PIM-SM network and to accept only the specified packets.

Using the undo register-policy command, you can remove the configured packet filtering.

Format
register-policy acl-number

undo register-policy

Parameters
acl-number: refers to the number of advanced IP ACL, defining the rule of filtering the source
and group addresses. The value ranges from 3000 to 3999.

Views
PIM view of public network instance

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# If the local device is the RP of the public network instance in the network, configure it to
accept only the multicast data register packets sent by sources on the network segment
10.10.0.0/16 to multicast addresses in the range of 225.1.0.0/16.
<Eudemon> system-view
[Eudemon] acl number 3110
[Eudemon-acl-adv-3110] rule permit ip source 10.10.0.0 0.0.255.255 destination 225.1.0.0 0.0.255.255
[Eudemon-acl-adv-3110] quit
[Eudemon] multicast routing-enable
[Eudemon] pim
[Eudemon-pim] register-policy 3110

3.15.19 reset pim neighbor

Function
Using the reset pim neighbor command, you can clear PIM neighbors of public network
instance.

Format
reset pim neighbor { all | { neighbor-address | interface interface-type interface-number } * }

Parameters
all: refers to all PIM neighbors.

neighbor-address: specifies the neighbor address.

interface-type interface-number: refers to the type and number of an interface.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Clear the PIM neighbor of the interface addressed with 25.5.4.3 in the public network instance.
<Eudemon> reset pim neighbor 25.5.4.3

Related Topics
3.15.8 display pim neighbor

3.15.20 reset pim routing-table

Function
Using the reset pim routing-table command, you can clear PIM route entries of public network
instance.

Format
reset pim routing-table { all | { group-address [ mask { group-mask | group-mask-length } ]
| source-address [ mask { source-mask | source-mask-length } ] | { incoming-interface
{ interface-type interface-number | null } } } * }

Parameters
all: refers to all PIM route entries.
group-address: refers to the multicast group address.
group-mask: refers to address mask of multicast group.
group-mask-length: refers to address mask length of multicast group.
source-address: refers to the multicast source address.
source-mask: refers to address mask of multicast source.
source-mask-length: refers to address mask length of multicast source.
null: refers to route entry with null incoming interface.
incoming-interface: refers to incoming interface of the route entry in PIM routing table.
interface-type interface-number: refers to the type and number of an interface.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
The sequence of group-address and source-address can be reversed, but the input group-address
and source-address must be valid. Otherwise, the system prompts an input error.
If group-address is set to 224.0.0.0/24 and source-address to the RP address (the group
address may have a mask, but the result of the "And" operation between the group address and
the mask must be 224.0.0.0, while the source address has no mask), only the (*, *, RP) entry
is deleted.
If group-address is set to a group address and source-address to 0 (the group address may
have a mask while the source address has no mask), only the (*, G) entry is deleted.

After this command is executed, not only the multicast route entry is deleted from PIM, but also
the corresponding route entry or forwarding entry in the multicast kernel routing table and MFC
is deleted.

Examples
# Clear the route entry with group address of 225.5.4.3 in PIM routing table of the public network
instance.
<Eudemon> reset pim routing-table 225.5.4.3

Related Topics
3.13.13 reset multicast routing-table
3.13.12 reset multicast forwarding-table
3.15.9 display pim routing-table

3.15.21 source-policy

Function
Using the source-policy command, you can configure the Eudemon to filter received multicast
data packets according to the source (group) address.
Using the undo source-policy command, you can remove the configuration.

Format
source-policy acl-number
undo source-policy

Parameters
acl-number: refers to the number of basic or advanced ACL in a range of 2000 to 3999.

Views
PIM view of public network instance

Default Level
2: Configuration level

Usage Guidelines
If source address filtering is configured with a basic ACL, all received multicast data packets
are matched against source addresses. Packets that do not pass the matching are discarded.
If source address filtering is configured with an advanced ACL, all received multicast data
packets are matched against source and group addresses. Packets that do not pass the matching
are discarded.

This command filters not only multicast data, but also the multicast data encapsulated in register
packet.
If this command is executed repeatedly, the new configuration will overwrite the previous one.

Examples
# Accept the multicast data packets with source address of 10.10.1.2 and discard the multicast
data packets with source address of 10.10.1.1 in the public network instance.
<Eudemon> system-view
[Eudemon] multicast routing-enable
[Eudemon] pim
[Eudemon-pim] source-policy 2001
[Eudemon-pim] quit
[Eudemon] acl number 2001
[Eudemon-acl-basic-2001] rule permit source 10.10.1.2 0
[Eudemon-acl-basic-2001] rule deny source 10.10.1.1 0
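
How the ACLs referenced by pim neighbor-policy, register-policy and source-policy reach a verdict, as an added example that is not part of the original manual: a Python model of wildcard matching that uses ACL 2001 and ACL 3110 from the examples above. Evaluating rules in the order entered and treating an unmatched packet as denied are assumptions drawn from the manual's wording that only permitted packets are accepted; ACL_TYPO is a constructed misconfiguration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def to_int(text: str) -> int:
    """Dotted quad to integer; the manual writes the host wildcard as a bare 0."""
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the base."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: str
    src_wc: str = "0"
    dst: Optional[str] = None    # set only in advanced ACLs: the group address
    dst_wc: str = "0"


def evaluate(acl: List[Rule], source: str, group: str) -> str:
    """Return the action of the first matching rule, or "deny" if none matches.

    Assumptions: rules are tried in the order they were entered, and a packet
    that matches no rule is treated as not permitted.
    """
    for rule in acl:
        if not wildcard_match(source, rule.src, rule.src_wc):
            continue
        if rule.dst is not None and not wildcard_match(group, rule.dst, rule.dst_wc):
            continue
        return rule.action
    return "deny"


def suspicious_wildcards(acl: List[Rule]) -> List[str]:
    """Flag wildcards that are not a run of low-order 1 bits, for example a
    subnet mask typed where a wildcard belongs."""
    flagged = []
    for rule in acl:
        for wc in (rule.src_wc, rule.dst_wc if rule.dst else "0"):
            value = to_int(wc)
            if value & (value + 1):
                flagged.append(wc)
    return flagged


# Basic ACL 2001 from the neighbor-policy and source-policy examples.
ACL_2001 = [Rule("permit", "10.10.1.2"), Rule("deny", "10.10.1.1")]
# Advanced ACL 3110 from the register-policy example.
ACL_3110 = [Rule("permit", "10.10.0.0", "0.0.255.255", "225.1.0.0", "0.0.255.255")]
# Constructed mistake: 255.255.0.0 is a subnet mask, not a wildcard.
ACL_TYPO = [Rule("permit", "10.10.0.0", "255.255.0.0")]

if __name__ == "__main__":
    for src in ("10.10.1.2", "10.10.1.1", "10.10.1.3"):
        print("ACL 2001", src, evaluate(ACL_2001, src, "225.1.1.1"))
    for src, grp in (("10.10.5.9", "225.1.7.7"), ("10.10.5.9", "225.2.0.1")):
        print("ACL 3110", src, grp, evaluate(ACL_3110, src, grp))
    print("ACL_TYPO wildcards to review:", suspicious_wildcards(ACL_TYPO))
```

Under these assumptions 10.10.1.3 is rejected by ACL 2001 although no rule names it, so the explicit deny for 10.10.1.1 documents intent rather than changing the outcome.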

3.15.22 spt-switch-threshold

Function
Using the spt-switch-threshold command, you can set the packet rate threshold at which the PIM
leaf Eudemon switches from the RPT to the SPT.
Using the undo spt-switch-threshold command, you can restore the default setting.

Format
spt-switch-threshold { traffic-rate | infinity } [ group-policy acl-number [ order order-value ] ]
undo spt-switch-threshold [ group-policy acl-number ]

Parameters
traffic-rate: refers to the rate threshold for switching from the RPT to the SPT, in kbit/s, in
a range of 0 to 65535. By default, the switch threshold value is 0, i.e., switching starts when
the RPT receives the first data packet.
infinity: never switches to SPT.
acl-number: refers to the number of basic ACL, defining the range of a multicast group. The
value ranges from 2000 to 2999.
order-value: refers to the serial number of group-policy to be increased or updated in the
group-policy list. The value must be 1.

Views
PIM view of public network instance

Default Level
2: Configuration level

Usage Guidelines
If the group-policy is newly added, it acts as the last one. Otherwise, the sequence remains
unchanged.
With order, users can adjust the sequence of group-policy as required. The system selects the
SPT switch threshold according to the sequence of group-policy. This is flexible and improves
efficiency.

Examples
# Set the threshold value to 4 kbit/s in the public network instance. If the transmission rate from
the source to the multicast group is higher than it, the Eudemon will switch to the SPT toward
the source.
<Eudemon> system-view
[Eudemon] multicast routing-enable
[Eudemon] pim
[Eudemon-pim] spt-switch-threshold 4

# Add a group-policy for ACL 2010 in the public network instance and put it in the first place,
with the switch rate threshold 100.
<Eudemon> system-view
[Eudemon] pim
[Eudemon-pim] spt-switch-threshold 100 group-policy 2010 order 1

3.15.23 static-rp

Function
Using the static-rp command, you can configure static RP.
Using the undo static-rp command, you can remove the configuration.

Format
static-rp rp-address [ acl-number ]
undo static-rp

Parameters
rp-address: refers to static RP address. This address must be valid unicast IP address and cannot
be configured as the address in 127/8 network segment.
acl-number: refers to the number of basic ACL, used in controlling the multicast group range
that static RP serves. The value is in a range of 2000 to 2999.

Views
PIM view of public network instance

Default Level
2: Configuration level

Usage Guidelines
The RP is the core Eudemon in multicast routing. If the dynamic RP elected through the BSR
mechanism is invalid for some reason, a static RP can be configured as a backup of the dynamic
RP to improve the robustness of the network and the operation management capability of the
multicast network.
All Eudemons in the PIM domain should be configured with this command and be specified
with the same RP address. If the configured static RP address is the address of an interface in
the UP state on the local device, the local device acts as the static RP. PIM does not need to be
enabled on the interface that acts as the static RP.
If this command is configured but no ACL is specified, the configured static RP serves all
the multicast groups of 224.0.0.0/4. If an ACL is specified but no ACL rules are configured, the
configured static RP serves all the groups of 224.0.0.0/4. Otherwise, the configured static RP
serves only the multicast groups permitted by the ACL.
If the RP elected through the BSR and Auto-RP mechanisms is valid, the static RP does
not take effect. Otherwise, the static RP is selected.
If this command is executed repeatedly, multiple static RPs are configured. If multiple
static RPs serve a group, the RP with the largest IP address is selected.
If the configured static RP contains the keyword preferred, the static RP is selected when the
dynamic RP elected through the BSR and Auto-RP mechanisms contradicts the static RP.

Examples
# Configure the Eudemon with address 11.110.0.6 as static RP in the public network instance
and set it to serve the group defined by ACL 2001. Configure 10.110.0.6 to serve 224.0.0.0/4.
<Eudemon> system-view
[Eudemon] multicast routing-enable
[Eudemon] pim
[Eudemon-pim] static-rp 11.110.0.6 2001
[Eudemon-pim] static-rp 10.110.0.6
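
The selection rules in the Usage Guidelines above, as an added example that is not part of the original manual: a Python model that picks the RP for a group and compares the choice across devices, since every Eudemon in the domain should arrive at the same RP. Assumptions: the content given for ACL 2001 (225.1.0.0/16), the device names fw-a and fw-b, the dynamic RP 10.1.1.1, and applying preferred to the largest-address static RP that serves the group.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ALL_GROUPS = ipaddress.ip_network("224.0.0.0/4")


@dataclass
class StaticRP:
    address: str
    # None models "no ACL specified"; [] models "ACL specified but no rules".
    # In both cases the manual says the RP serves all of 224.0.0.0/4.
    permitted_groups: Optional[List[str]] = None
    preferred: bool = False

    def serves(self, group: str) -> bool:
        addr = ipaddress.ip_address(group)
        if addr not in ALL_GROUPS:
            return False
        if not self.permitted_groups:
            return True
        return any(addr in ipaddress.ip_network(net) for net in self.permitted_groups)


def valid_rp_address(address: str) -> bool:
    """rp-address must be a valid unicast address outside 127/8."""
    try:
        ip = ipaddress.IPv4Address(address)
    except ipaddress.AddressValueError:
        return False
    return not (ip.is_multicast or ip.is_loopback or ip.is_unspecified or ip.is_reserved)


def select_rp(group: str, static_rps: List[StaticRP],
              dynamic_rp: Optional[str] = None) -> Optional[str]:
    """Return the RP address chosen for a group, or None if nothing serves it."""
    if ipaddress.ip_address(group) not in ALL_GROUPS:
        return None
    candidates = [rp for rp in static_rps
                  if valid_rp_address(rp.address) and rp.serves(group)]
    # Several static RPs serving one group: the largest IP address is selected.
    static = max(candidates,
                 key=lambda rp: int(ipaddress.IPv4Address(rp.address)),
                 default=None)
    if dynamic_rp is None:
        return static.address if static else None
    # A valid dynamic RP wins unless the static RP carries "preferred".
    if static is not None and static.preferred and static.address != dynamic_rp:
        return static.address
    return dynamic_rp


def rp_view(domain: Dict[str, List[StaticRP]], group: str) -> Dict[str, Optional[str]]:
    """RP each device would select for the group, to spot disagreement."""
    return {device: select_rp(group, rps) for device, rps in domain.items()}


# The two static-rp commands from the example above; ACL 2001 content is assumed.
PAGE_CONFIG = [StaticRP("11.110.0.6", ["225.1.0.0/16"]), StaticRP("10.110.0.6")]
# Constructed domain: fw-b is missing the first static-rp command.
DOMAIN = {"fw-a": PAGE_CONFIG, "fw-b": [StaticRP("10.110.0.6")]}

if __name__ == "__main__":
    print(select_rp("225.1.1.1", PAGE_CONFIG))
    print(select_rp("239.1.1.1", PAGE_CONFIG))
    print(select_rp("225.1.1.1", PAGE_CONFIG, dynamic_rp="10.1.1.1"))
    print(rp_view(DOMAIN, "225.1.1.1"))
```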

Related Topics
3.15.10 display pim rp-info

3.16 MSDP Configuration Commands


3.16.1 cache-sa-enable
3.16.2 debugging msdp
3.16.3 display msdp brief
3.16.4 display msdp peer-status
3.16.5 display msdp sa-cache
3.16.6 display msdp sa-count
3.16.7 import-source
3.16.8 msdp

3.16.9 msdp-tracert
3.16.10 originating-rp
3.16.11 peer connect-interface
3.16.12 peer description
3.16.13 peer mesh-group
3.16.14 peer minimum-ttl
3.16.15 peer request-sa-enable
3.16.16 peer sa-cache-maximum
3.16.17 peer sa-policy
3.16.18 peer sa-request-policy
3.16.19 reset msdp peer
3.16.20 reset msdp sa-cache
3.16.21 reset msdp statistics
3.16.22 shutdown (MSDP View of Public Network Instance)
3.16.23 static-rpf-peer
3.16.24 timer retry

3.16.1 cache-sa-enable

Function
Using the cache-sa-enable command, you can enable the Eudemon to cache SA state.

Using the undo cache-sa-enable command, you can remove the cache from the Eudemon.

Format
cache-sa-enable

undo cache-sa-enable

Parameters
None

Views
MSDP view of public network instance

Default Level
2: Configuration level

Usage Guidelines
By default, the Eudemon caches the SA state, i.e., (S, G) entry after it receives SA messages.
If the Eudemon is in cache state, it will not send SA request message to the specified MSDP
peer when it receives a new group join message.

Examples
# Configure the Eudemon to cache all the SA states in the public network instance.
<Eudemon> system-view
[Eudemon] msdp
[Eudemon-msdp] cache-sa-enable

3.16.2 debugging msdp

Function
Using the debugging msdp command, you can enable MSDP debugging of public network
instance.
Using the undo debugging msdp command, you can disable MSDP debugging.

Format
debugging msdp { all | connect | event | packet | source-active }
undo debugging msdp { all | connect | event | packet | source-active }

Parameters
all: refers to all the debugging of MSDP.
connect: refers to the debugging of MSDP peer connection reset.
event: refers to the debugging of MSDP events.
packet: refers to the debugging of MSDP packets.
source-active: refers to the debugging of active MSDP sources.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
By default, MSDP debugging is disabled.
If the debugging of all instances is enabled, the debugging of newly-added instance will be
automatically enabled.

Examples
# Enable all MSDP debugging of the public network instance.
<Eudemon> debugging msdp all

3.16.3 display msdp brief

Function
Using the display msdp brief command, you can view MSDP peer status of public network
instance in brief.

Format
display msdp brief

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display MSDP peer status of the public network instance in brief.
<Eudemon> display msdp brief
MSDP Peer Brief Information
Peer's Address    State    Up/Down time    AS     SA Count    Reset Count
20.20.20.20       Up       00:00:13        100    0           0

3.16.4 display msdp peer-status

Function
Using the display msdp peer-status command, you can view MSDP peer of public network
instance in detail.

Format
display msdp peer-status [ peer-address ]

Parameters
peer-address: refers to the address of MSDP peer.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the MSDP peer 10.110.11.11 in the public network instance in detail.
<Eudemon> display msdp peer-status 10.110.11.11
MSDP Peer 20.20.20.20, AS 100
Description:
Information about connection status:
State: Up
Up/down time: 14:41:08
Resets: 0
Connection interface: LoopBack0 (20.20.20.30)
Number of sent/received messages: 867/947
Number of discarded output messages: 0
Elapsed time since last connection or counters clear: 14:42:40
Information about (Source, Group)-based SA filtering policy:
Import policy: none
Export policy: none
Information about SA-Requests:
Policy to accept SA-Request messages: none
Sending SA-Requests status: disable
Minimum TTL to forward SA with encapsulated data: 0
SAs learned from this peer: 0, SA-cache maximum for the peer: none
Input queue size: 0, Output queue size: 0
Counters for MSDP message:
Count of RPF check failure: 0
Incoming/outgoing SA messages: 0/0
Incoming/outgoing SA requests: 0/0
Incoming/outgoing SA responses: 0/0
Incoming/outgoing data packets: 0/0

3.16.5 display msdp sa-cache

Function
Using the display msdp sa-cache command, you can view (S, G) state learnt from MSDP peer
in the public network instance.

Format
display msdp sa-cache [ group-address ] [ source-address ] [ autonomous-system-number ]

Parameters
group-address: refers to group address of (S, G) entry.
source-address: refers to source address of (S, G) entry. With no source address specified, all
the source information of the specified group will be displayed. If neither group address nor
source address is determined, all SA caches will be displayed.
autonomous-system-number: displays (S, G) entries from specified autonomous system.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Cache state can be displayed only when the cache-sa-enable command is configured.

Examples
# Display (S, G) state learnt from MSDP peer in the public network instance.
<Eudemon> display msdp sa-cache
MSDP Total Source-Active Cache - 5 entries
(Source, Group) Origin RP Pro AS Uptime Expires
(10.10.1.2, 225.1.1.1) 10.10.10.10 BGP 100 00:00:10 00:05:50
(10.10.1.3, 225.1.1.1) 10.10.10.10 BGP 100 00:00:11 00:05:49
(10.10.1.2, 225.1.1.2) 10.10.10.10 BGP 100 00:00:11 00:05:49
(10.10.2.1, 225.1.1.2) 10.10.10.10 BGP 100 00:00:11 00:05:49
(10.10.1.2, 225.1.2.2) 10.10.10.10 BGP 100 00:00:11 00:05:49
MSDP matched 5 entries
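
A parser and audit for this output, as an added example that is not part of the original manual: it reads display msdp sa-cache text and reports cached (S, G) entries whose source, group or origin RP falls outside what the operator expects. Assumptions: the permitted ranges 10.10.0.0/16 and 225.1.0.0/16 (the ones used in the import-source example in 3.16.7), the expected origin RP 10.10.10.10, and the sixth sample entry with its totals, which are constructed.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the layout of the output above; the last entry and
# both totals are made up for the demonstration.
SAMPLE = """\
MSDP Total Source-Active Cache - 6 entries
(Source, Group) Origin RP Pro AS Uptime Expires
(10.10.1.2, 225.1.1.1) 10.10.10.10 BGP 100 00:00:10 00:05:50
(10.10.1.3, 225.1.1.1) 10.10.10.10 BGP 100 00:00:11 00:05:49
(10.10.1.2, 225.1.1.2) 10.10.10.10 BGP 100 00:00:11 00:05:49
(10.10.2.1, 225.1.1.2) 10.10.10.10 BGP 100 00:00:11 00:05:49
(10.10.1.2, 225.1.2.2) 10.10.10.10 BGP 100 00:00:11 00:05:49
(192.0.2.77, 239.9.9.9) 198.51.100.1 BGP 200 00:00:03 00:05:57
MSDP matched 6 entries
"""

ENTRY = re.compile(
    r"^\((\d+\.\d+\.\d+\.\d+),\s*(\d+\.\d+\.\d+\.\d+)\)\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
TOTAL = re.compile(r"^MSDP matched (\d+) entries\s*$")
KEYS = ("source", "group", "origin_rp", "protocol", "as", "uptime", "expires")

# Assumed policy: permitted (source range, group range) pairs and origin RPs.
ALLOWED = [("10.10.0.0/16", "225.1.0.0/16")]
EXPECTED_RPS = {"10.10.10.10"}


def parse_sa_cache(text: str) -> Tuple[List[Dict[str, str]], int]:
    """Return the parsed entries and the total the device reported (-1 if absent)."""
    entries: List[Dict[str, str]] = []
    reported = -1
    for raw in text.splitlines():
        line = raw.strip()
        entry = ENTRY.match(line)
        if entry:
            entries.append(dict(zip(KEYS, entry.groups())))
            continue
        total = TOTAL.match(line)
        if total:
            reported = int(total.group(1))
    return entries, reported


def audit(entries: List[Dict[str, str]],
          allowed: List[Tuple[str, str]],
          expected_rps: Set[str]) -> List[Tuple[str, str, List[str]]]:
    """List (source, group, reasons) for every entry that breaks the policy."""
    findings = []
    for entry in entries:
        src = ipaddress.ip_address(entry["source"])
        grp = ipaddress.ip_address(entry["group"])
        reasons = []
        if not any(src in ipaddress.ip_network(s) and grp in ipaddress.ip_network(g)
                   for s, g in allowed):
            reasons.append("(S, G) outside the permitted ranges")
        if entry["origin_rp"] not in expected_rps:
            reasons.append("unexpected origin RP " + entry["origin_rp"])
        if reasons:
            findings.append((entry["source"], entry["group"], reasons))
    return findings


if __name__ == "__main__":
    parsed, reported_total = parse_sa_cache(SAMPLE)
    if reported_total != len(parsed):
        print("warning: parsed", len(parsed), "entries, device reported", reported_total)
    for source, group, why in audit(parsed, ALLOWED, EXPECTED_RPS):
        print("review (%s, %s): %s" % (source, group, "; ".join(why)))
```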

3.16.6 display msdp sa-count

Function
Using the display msdp sa-count command, you can view the number of sources and groups
in MSDP cache of public network instance.

Format
display msdp sa-count [ autonomous-system-number ]

Parameters
autonomous-system-number: refers to the number of sources and groups from the specified
autonomous system in a range of 1 to 65535.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The 3.16.1 cache-sa-enable command must be configured before this command is configured.

Examples
# Display the number of sources and groups in MSDP cache of the public network instance.
<Eudemon> display msdp sa-count
Number of cached Source-Active entries, counted by Peer
Peer's Address    Number of SA
10.10.10.10       5
Number of source and group, counted by AS
AS    Number of source    Number of group
?     3                   3
Total Source-Active entries: 5

3.16.7 import-source

Function
Using the import-source command, you can configure which (S, G) entries in the domain need
to be advertised when an MSDP peer originates an SA message.

Using the undo import-source command, you can remove the configuration.

Format
import-source [ acl acl-number ]

undo import-source

Parameters
acl-number: refers to the number of basic or advanced IP ACL in a range of 2000 to 3999,
controlling which sources the SA messages advertise and to which groups they are sent in the
domain. A basic ACL filters by source and an advanced ACL filters by source/group.
If no ACL is specified, no multicast source will be advertised.

Views
MSDP instance view

Default Level
2: Configuration level

Usage Guidelines
By default, all the (S, G) entries in the domain are advertised by the SA message.

Besides controlling SA messages creation, you can filter the forwarded SA messages by the
peer sa-policy command.

Examples
# Configure which (S, G) entries from the multicast routing table are advertised in SA messages
originated by the MSDP peer in the public network instance.
<Eudemon> system-view
[Eudemon] acl number 3101
[Eudemon-acl-adv-3101] rule permit ip source 10.10.0.0 0.0.255.255 destination 225.1.0.0 0.0.255.255
[Eudemon-acl-adv-3101] quit
[Eudemon] msdp
[Eudemon-msdp] import-source acl 3101

Related Topics
3.16.17 peer sa-policy

3.16.8 msdp

Function
Using the msdp command, you can enable MSDP and enter MSDP view of the public network
instance.

Using the undo msdp command, you can clear all MSDP configurations of the public network
instance, release all resources occupied by MSDP of the public network instance, and restore
the initial status.

Format
msdp

undo msdp

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
For the related command, see peer related commands.

Examples
# Enable MSDP public network instance and enter MSDP public network instance view.
<Eudemon> system-view
[Eudemon] msdp
[Eudemon-msdp]

3.16.9 msdp-tracert

Function
Using the msdp-tracert command, you can trace the transmission path of SA messages of public
network instance, which helps to locate the faults such as information loss and configuration
error. After the transmission path of SA messages is determined, correct configuration can avoid
the overflow of SA messages.

Format
msdp-tracert { source-address } { group-address } { rp-address } [ max-hops max-hops ]
[ next-hop-info ] [ sa-info ] [ peer-info ] [ skip-hops skip-hops ]

Parameters
source-address: refers to the multicast source address.

group-address: refers to the multicast group address.

rp-address: refers to the IP address of RP.

max-hops: refers to the maximum number of hops that are traced in a range of 1 to 255. By
default, the value is 16.

next-hop-info: refers to flag bit for collecting the next hop information.

sa-info: refers to flag bit for collecting SA entity information.

peer-info: refers to flag bit for collecting MSDP peer information.

skip-hops: refers to the number of hops that are skipped before collecting detailed information
in a range of 0 to 255. By default, the value is 0.

Views
All views

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Trace (10.10.1.1, 225.2.2.2, 20.20.20.20) path in the public network instance.
<Eudemon> msdp-tracert 10.10.1.1 225.2.2.2 20.20.20.20

# Specify the maximum number of hops that are traced in the public network instance and collect
detailed information of SA and MSDP peer.
<Eudemon> msdp-tracert 10.10.1.1 225.2.2.2 20.20.20.20 max-hops 10 sa-info peer-info
MSDP tracert: press CTRL_C to break
D-bit: set if have this (S,G) in cache but with a different RP
RP-bit: set if this router is an RP
NC-bit: set if this router is not caching SA's
C-bit: set if this (S,G,RP) tuple is in the cache
MSDP Traceroute path information:
Router Address: 20.20.1.1
Fixed-length response info:
Peer Uptime: 10 minutes, Cache Entry Uptime: 30 minutes
D-bit: 0, RP-bit: 1, NC-bit: 0, C-bit: 1
Return Code: Reached-max-hops
Next Hop info:
Next-Hop Router Address: 0.0.0.0
SA info:
Count of SA messages received for this (S,G,RP): 0
Count of encapsulated data packets received for this (S,G,RP):0
SA cache entry uptime: 00:30:00 , SA cache entry expiry time: 00:03:32
Peering info:
Peering Uptime: 10 minutes, Count of Peering Resets: 3

Table 3-26 Description of the msdp-tracert command domain

Item | Description
Router Address | Address where the local router creates the Peering session with the Peer-RPF neighbor.
Peer Uptime | Time for which the local router performs the Peering session with the Peer-RPF neighbor, in minutes, with the maximum value of 255.
Cache Entry Uptime | Present time of the (S, G, RP) entry in the SA cache of the local router, in minutes, with the maximum value of 255.
D-bit: 1 | The (S, G, RP) entry exists in the SA cache of the local router, but the RP is different from the RP specified in the request message.
RP-bit: 1 | The local router is an RP, but it is not necessarily the source RP in the (S, G, RP) entry.
NC-bit: 0 | The local router enables SA cache.
C-bit: 1 | The (S, G, RP) entry exists in the SA cache of the local router.
Return Code: Reached-max-hops | The return reason is that the maximum number of hops was reached. Other possible values include: Hit-src-RP: The local hop router is the source RP in the (S, G, RP) entry.
Next-Hop Router Address: 0.0.0.0 | If the parameter next-hop-info is used, the Peer-RPF neighbor address is displayed.
Count of SA messages received for this (S,G,RP) | Number of SA messages received for tracing this (S, G, RP) entry.
Count of encapsulated data packets received for this (S,G,RP) | Number of encapsulated data packets received for tracing this (S, G, RP) entry.
SA cache entry uptime | Present time of the SA cache entry.
SA cache entry expiry time | Expiry time of the SA cache entry.
Peering Uptime: 10 minutes | Time for which the local router performs the Peering session with the Peer-RPF neighbor.
Count of Peering Resets | Number of Peering session resets.

3.16.10 originating-rp

Function
Using the originating-rp command, you can allow an MSDP peer to use the IP address of the
specified interface as the RP address in the SA messages it originates.
Using the undo originating-rp command, you can remove the configuration.

Format
originating-rp interface-type interface-number
undo originating-rp

Parameters
interface-type: refers to the type of an interface.
interface-number: refers to the number of an interface.

Views
MSDP instance view

Default Level
2: Configuration level

Usage Guidelines
By default, the RP address in the SA message is the RP address configured by PIM.

Configure logical RP by using this command.

Examples
# Configure the IP address of the interface Ethernet 1/0/0 as the RP address in the SA message
originated in the public network instance.
<Eudemon> system-view
[Eudemon] msdp
[Eudemon-msdp] originating-rp Ethernet 1/0/0

3.16.11 peer connect-interface

Function
Using the peer connect-interface command, you can configure an MSDP peer.

Using the undo peer connect-interface command, you can remove the MSDP peer.

Format
peer peer-address connect-interface interface-type interface-number

undo peer peer-address

Parameters
peer-address: refers to the address of MSDP peer.

connect-interface interface-type interface-number: refers to the type and number of an interface
whose primary address is used by the local router as the source IP address to establish TCP
connection with remote MSDP peers.

Views
MSDP instance view

Default Level
2: Configuration level

Usage Guidelines
If the local router is also in a BGP peer relation with an MSDP peer, the MSDP peer and the BGP
peer should use the same IP address.

Examples
# Configure the router using the IP address 125.10.7.6 as an MSDP peer of the local router in
the public network instance.
<Eudemon> system-view
[Eudemon] msdp
[Eudemon-msdp] peer 125.10.7.6 connect-interface Ethernet1/0/0

Related Topics
3.16.23 static-rpf-peer

3.16.12 peer description

Function
Using the peer description command, you can configure descriptive text for an MSDP peer.

Using the undo peer description command, you can remove the descriptive text.

Format
peer peer-address description text

undo peer peer-address description

Parameters
peer-address: refers to the address of MSDP peer.

text: refers to descriptive text, being case sensitive. The maximum length is 80 characters.

Views
MSDP instance view

Default Level
2: Configuration level

Usage Guidelines
By default, an MSDP peer has no descriptive text.

Administrators can conveniently differentiate MSDP peers by configuring descriptive text.

Examples
# Add descriptive text CstmrA to router 125.10.7.6 in the public network instance to specify that
the router is Client A.
<Eudemon> system-view
[Eudemon] msdp
[Eudemon-msdp] peer 125.10.7.6 description CstmrA

Related Topics
3.16.4 display msdp peer-status

3.16.13 peer mesh-group

Function
Using the peer mesh-group command, you can configure an MSDP peer to join a Mesh Group.
Using the undo peer mesh-group command, you can remove the configuration.

Format
peer peer-address mesh-group name
undo peer peer-address mesh-group

Parameters
peer-address: refers to the address of an MSDP peer to be a member of the Mesh Group.
name: refers to the name of a Mesh Group, being case sensitive. The maximum length is 32
characters.

Views
MSDP instance view

Default Level
2: Configuration level

Usage Guidelines
By default, an MSDP peer is not a member of any Mesh Group.

Examples
# Configure the MSDP peer with address 125.10.7.6 in the public network instance to be a
member of the Mesh Group Grp1.
<Eudemon> system-view
[Eudemon] msdp
[Eudemon-msdp] peer 125.10.7.6 mesh-group Grp1

3.16.14 peer minimum-ttl

Function
Using the peer minimum-ttl command, you can set the minimum TTL (Time-to-Live) value
of the multicast data packets encapsulated in SA messages to be sent to the specified MSDP peer.
Using the undo peer minimum-ttl command, you can restore the default TTL threshold.

Format
peer peer-address minimum-ttl ttl-value
undo peer peer-address minimum-ttl


Parameters
peer-address: refers to the address of the MSDP peer to which the TTL limit applies.
ttl-value: refers to the TTL threshold, in the range of 0 to 255.

Views
MSDP instance view

Default Level
2: Configuration level

Usage Guidelines
By default, the value of TTL threshold is 0.
For the related command, see peer related commands.

Examples
# Set the TTL threshold value to 10, i.e., only those multicast data packets with a TTL value
greater than or equal to 10 can be forwarded to the MSDP peer 110.10.10.1.
<Eudemon> system-view
[Eudemon] msdp
[Eudemon-msdp] peer 110.10.10.1 minimum-ttl 10

3.16.15 peer request-sa-enable

Function
Using the peer request-sa-enable command, you can enable the router to send an SA request
message to the specified MSDP peer when receiving a new group join message.
Using the undo peer request-sa-enable command, you can remove the configuration.

Format
peer peer-address request-sa-enable
undo peer peer-address request-sa-enable

Parameters
peer-address: refers to the address of MSDP peer.

Views
MSDP instance view

Default Level
2: Configuration level


Usage Guidelines
By default, when receiving a new group join message, the router sends no SA request messages
to MSDP peers but waits to receive the next SA message.

Examples
# Send SA request message to the MSDP peer 125.10.7.6 in the public network instance.
<Eudemon> system-view
[Eudemon] msdp
[Eudemon-msdp] peer 125.10.7.6 request-sa-enable

Related Topics
3.16.1 cache-sa-enable

3.16.16 peer sa-cache-maximum

Function
Using the peer sa-cache-maximum command, you can limit the number of caches originated
when the router receives SA messages from an MSDP peer.

Using the undo peer sa-cache-maximum command, you can restore the default configuration.

Format
peer peer-address sa-cache-maximum sa-limit

undo peer peer-address sa-cache-maximum

Parameters
peer-address: refers to the address of MSDP peer.

sa-limit: refers to the maximum value that the SA cache allows in a range of 1 to 2048.

Views
MSDP instance view

Default Level
2: Configuration level

Usage Guidelines
By default, the maximum number of SA caches is 2048.

This configuration is recommended for all MSDP peers in networks that may be subject to DoS
attacks.


Examples
# Limit the number of caches originated to 100 in the public network instance when the router
receives SA messages from the MSDP peer 125.10.7.6.
<Eudemon> system-view
[Eudemon] msdp
[Eudemon-msdp] peer 125.10.7.6 sa-cache-maximum 100

Related Topics
3.16.6 display msdp sa-count
3.16.4 display msdp peer-status
3.16.3 display msdp brief

3.16.17 peer sa-policy

Function
Using the peer sa-policy command, you can configure a filter list for SA messages received or
forwarded from the specified MSDP peer.
Using the undo peer sa-policy command, you can remove the configuration.

Format
peer peer-address sa-policy { import | export } [ acl acl-number ]
undo peer peer-address sa-policy { import | export }

Parameters
import: receives SA messages from the specified MSDP peer.
export: forwards SA messages from the specified MSDP peer.
peer-address: refers to the address of the MSDP peer whose SA messages need to be filtered.
acl acl-number: refers to the number of advanced IP ACL in a range of 3000 to 3999. If no ACL
is specified, all (S, G) entries are filtered.

Views
MSDP instance view

Default Level
2: Configuration level

Usage Guidelines
By default, messages received or forwarded will not be filtered. All SA messages are received
or forwarded from an MSDP peer.
For the related command, see peer related commands.


Examples
# Forward only those SA messages that passed the advanced IP ACL in the public network
instance.
<Eudemon> system-view
[Eudemon] acl number 3100
[Eudemon-acl-adv-3100] rule permit ip source 170.15.0.0 0.0.255.255 destination 225.1.0.0 0.0.255.255
[Eudemon-acl-adv-3100] quit
[Eudemon] msdp
[Eudemon-msdp] peer 125.10.7.6 connect-interface Ethernet 1/0/0
[Eudemon-msdp] peer 125.10.7.6 sa-policy export acl 3100

3.16.18 peer sa-request-policy

Function
Using the peer sa-request-policy command, you can limit SA request messages that the router
receives from MSDP peers.

Using the undo peer sa-request-policy command, you can remove the limitation.

Format
peer peer-address sa-request-policy [ acl acl-number ]

undo peer peer-address sa-request-policy

Parameters
peer-address: refers to the address from which the local router receives SA request messages
sent by the specified MSDP peer.

acl acl-number: refers to the number of a basic IP ACL that describes multicast group addresses,
in the range of 2000 to 2999. If no ACL is specified, all SA request messages will be ignored.

Views
MSDP instance view

Default Level
2: Configuration level

Usage Guidelines
By default, the router receives all SA request messages from the MSDP peer.

If no ACL is specified, all SA requests will be ignored. If ACL is specified, only those SA request
messages from the groups permitted by the ACL will be processed and all the others will be
ignored.

For the related command, see peer related commands.


Examples
# Configure the ACL for filtering SA request messages from the MSDP peer 175.58.6.5 in the
public network instance. The SA request messages from group address range 225.1.1.0/8 will
be received and all the others will be ignored.
<Eudemon> system-view
[Eudemon] acl number 2001
[Eudemon-acl-basic-2001] rule permit source 225.1.1.0 0.0.0.255
[Eudemon-acl-basic-2001] quit
[Eudemon] msdp
[Eudemon-msdp] peer 175.58.6.5 sa-request-policy acl 2001
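
The filtering behaviour of peer sa-policy and peer sa-request-policy, modelled in Python as an added example (not part of this manual or of the device software). The two ACLs are the ones from the examples above; the SA entries and requested groups are constructed, and it is assumed that a rule's source field is matched against S, its destination field against G, and that entries matching no rule are not permitted.

```python
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit where the wildcard bit is 0."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def wildcard_bounds(base, wildcard):
    """Lowest and highest address matched by base/wildcard."""
    low = _to_int(base) & ~_to_int(wildcard) & 0xFFFFFFFF
    high = low | _to_int(wildcard)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


# Advanced ACL 3100 from the sa-policy example:
# (action, source, source wildcard, destination, destination wildcard)
ACL_3100 = [("permit", "170.15.0.0", "0.0.255.255", "225.1.0.0", "0.0.255.255")]

# Basic ACL 2001 from the sa-request-policy example: (action, group, wildcard)
ACL_2001 = [("permit", "225.1.1.0", "0.0.0.255")]

# Constructed (S, G) entries and requested groups, for illustration only.
SA_ENTRIES = [
    ("170.15.3.9", "225.1.4.4"),   # source and group both inside the ACL
    ("170.15.3.9", "226.0.0.1"),   # group outside 225.1.0.0/0.0.255.255
    ("10.0.0.5", "225.1.4.4"),     # source outside 170.15.0.0/0.0.255.255
    ("170.16.0.1", "225.1.0.1"),   # source differs in the second octet
]
REQUESTED_GROUPS = ["225.1.1.7", "225.1.2.7", "225.200.1.1"]


def advanced_acl_permits(acl, source, group):
    """First matching rule decides; no match means not permitted (assumption)."""
    for action, s_base, s_wc, g_base, g_wc in acl:
        if wildcard_match(source, s_base, s_wc) and wildcard_match(group, g_base, g_wc):
            return action == "permit"
    return False


def basic_acl_permits(acl, group):
    """First matching rule decides; no match means not permitted (assumption)."""
    for action, g_base, g_wc in acl:
        if wildcard_match(group, g_base, g_wc):
            return action == "permit"
    return False


def apply_sa_policy(entries, configured, acl=None):
    """(S, G) entries that survive `peer ... sa-policy { import | export }`.

    Not configured: nothing is filtered (the default).
    Configured without an ACL: all (S, G) entries are filtered.
    Configured with an ACL: only permitted entries pass.
    """
    if not configured:
        return list(entries)
    if acl is None:
        return []
    return [(s, g) for s, g in entries if advanced_acl_permits(acl, s, g)]


def apply_sa_request_policy(groups, configured, acl=None):
    """Groups whose SA requests are processed under `peer ... sa-request-policy`."""
    if not configured:
        return list(groups)
    if acl is None:
        return []
    return [g for g in groups if basic_acl_permits(acl, g)]


if __name__ == "__main__":
    print("ACL 2001 covers", wildcard_bounds("225.1.1.0", "0.0.0.255"))
    print("exported:", apply_sa_policy(SA_ENTRIES, True, ACL_3100))
    print("requests processed:", apply_sa_request_policy(REQUESTED_GROUPS, True, ACL_2001))
```
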

3.16.19 reset msdp peer

Function
Using the reset msdp peer command, you can reset TCP connection with the specified MSDP
peer in public network instance and clear all the statistics of the specified MSDP peer.

Format
reset msdp peer peer-address

Parameters
peer-address: refers to the address of MSDP peer.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Clear TCP connection and statistics of the MSDP peer 125.10.7.6 in the public network
instance.
<Eudemon> reset msdp peer 125.10.7.6

3.16.20 reset msdp sa-cache

Function
Using the reset msdp sa-cache command, you can clear MSDP SA cache entries of public
network instance.


Format
reset msdp sa-cache [ group-address ]

Parameters
group-address: refers to the group address; (S, G) entries matching it are cleared from
the SA cache. If no multicast group address is specified, all SA cache entries will be cleared.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Clear the cache entry with the group address 225.5.4.3 from the SA cache in the public network
instance.
<Eudemon> reset msdp sa-cache 225.5.4.3

Related Topics
3.16.1 cache-sa-enable
3.16.5 display msdp sa-cache

3.16.21 reset msdp statistics

Function
Using the reset msdp statistics command, you can clear statistics of one or more MSDP peers
in public network instance without resetting the MSDP peer.

Format
reset msdp statistics [ peer-address ]

Parameters
peer-address: refers to the address of the MSDP peer whose statistics, resetting information and
input/output information will be cleared. If no MSDP peer address is specified, the statistics of
all MSDP peers will be cleared.

Views
User view


Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Clear the statistics of the MSDP peer 125.10.7.6 in the public network instance.
<Eudemon> reset msdp statistics 125.10.7.6

3.16.22 shutdown (MSDP View of Public Network Instance)

Function
Using the shutdown command, you can disable the MSDP peer.
Using the undo shutdown command, you can remove the configuration.

Format
shutdown peer-address
undo shutdown peer-address

Parameters
peer-address: refers to the IP address of MSDP peer.

Views
MSDP view of public network instance

Default Level
2: Configuration level

Usage Guidelines
By default, no MSDP peer is disabled.

Examples
# Disable the MSDP peer 125.10.7.6 in the public network instance.
<Eudemon> system-view
[Eudemon] msdp
[Eudemon-msdp] shutdown 125.10.7.6

3.16.23 static-rpf-peer


Function
Using the static-rpf-peer command, you can configure a static RPF peer if you do not want to
perform the RPF check on SA messages from the same MSDP peer.

Using the undo static-rpf-peer command, you can remove the static RPF peer.

Format
static-rpf-peer peer-address [ rp-policy list ]

undo static-rpf-peer peer-address

Parameters
peer-address: refers to the address of the static RPF peer to receive SA messages.

rp-policy list: specifies a filter policy based on RP address, which filters the RPs in SA messages.
list refers to the filter policy name, whose length ranges from 1 to 19 characters.

Views
MSDP view of public network instance

Default Level
2: Configuration level

Usage Guidelines
By default, no static RPF peer is configured.

Using the static-rpf-peer command, you can configure a static RPF peer if you do not want to
perform the RPF check on SA messages from the same MSDP peer. You must configure the peer
related commands before using the static-rpf-peer command. If the rp-policy list parameter is
not specified, all SA messages from the static RPF peer are accepted. If the parameter rp-policy
list is specified and the filter policy is configured, the Eudemon accepts only SA messages from
the RPs that pass filtering. If no filter policy is configured, the Eudemon still accepts all SA
messages from the static RPF peer.

If only one MSDP peer is configured on the Eudemon, this MSDP peer is regarded as a static
RPF peer.

Examples
# Configure two static RPF peers in the public network instance.
<Eudemon> system-view
[Eudemon] ip ip-prefix list1 permit 130.10.0.0 16
[Eudemon] ip ip-prefix list2 permit 130.10.0.0 16
[Eudemon] msdp
[Eudemon-msdp] peer 130.10.7.6 connect-interface Ethernet 1/0/0
[Eudemon-msdp] peer 130.10.7.5 connect-interface Ethernet 1/0/0
[Eudemon-msdp] static-rpf-peer 130.10.7.6 rp-policy list1
[Eudemon-msdp] static-rpf-peer 130.10.7.5 rp-policy list2
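
A configuration review for the MSDP peer commands in this section, as an added Python example (not part of this manual or of the device software). It reports, per peer, which of the documented defaults are still in effect: the 2048-entry SA cache limit, no import filter, no SA request filter, and a static RPF peer without rp-policy. The configuration text is constructed and is assumed to list the commands as typed, indented under an unindented msdp line; the finding labels are names chosen for this example.

```python
import re

DEFAULT_SA_LIMIT = 2048  # default sa-cache-maximum stated in this reference

# Finding labels (hypothetical names chosen for this example).
F_CACHE = "sa-cache-maximum at default (2048)"
F_IMPORT = "no sa-policy import: all SA messages from this peer are accepted"
F_REQUEST = "no sa-request-policy: all SA requests from this peer are processed"
F_STATIC = "static-rpf-peer without rp-policy: all SA messages accepted, no RPF check"
F_SINGLE = "only configured peer: regarded as static RPF peer"

# Constructed configuration, assumed to mirror the commands as typed.
SAMPLE_CONFIG = """\
#
msdp
 peer 125.10.7.6 connect-interface Ethernet1/0/0
 peer 125.10.7.6 description CstmrA
 peer 125.10.7.6 sa-cache-maximum 100
 peer 125.10.7.6 sa-policy import acl 3100
 peer 125.10.7.6 sa-request-policy acl 2001
 peer 175.58.6.5 connect-interface Ethernet1/0/0
 peer 175.58.6.5 sa-policy export acl 3100
 peer 130.10.7.6 connect-interface Ethernet1/0/0
 peer 130.10.7.6 sa-cache-maximum 2048
 peer 130.10.7.5 connect-interface Ethernet1/0/0
 peer 130.10.7.5 sa-cache-maximum 500
 peer 130.10.7.5 sa-policy import
 peer 130.10.7.5 sa-request-policy
 static-rpf-peer 130.10.7.6
 static-rpf-peer 130.10.7.5 rp-policy list2
#
"""

PEER_RE = re.compile(r"^peer\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
STATIC_RE = re.compile(r"^static-rpf-peer\s+(\S+)(?:\s+rp-policy\s+(\S+))?$")


def new_peer():
    return {"sa_limit": None, "import": False, "request_policy": False,
            "static_rpf": False, "rp_policy": None}


def parse_msdp(config):
    """Collect per-peer settings from the indented lines under 'msdp'."""
    peers = {}
    in_msdp = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():          # unindented: a view header or '#'
            in_msdp = (line == "msdp")
            continue
        if not in_msdp:
            continue
        m = PEER_RE.match(line)
        if m:
            addr, keyword, rest = m.group(1), m.group(2), (m.group(3) or "")
            peer = peers.setdefault(addr, new_peer())
            if keyword == "sa-cache-maximum" and rest.isdigit():
                peer["sa_limit"] = int(rest)
            elif keyword == "sa-policy" and rest.split()[:1] == ["import"]:
                peer["import"] = True
            elif keyword == "sa-request-policy":
                peer["request_policy"] = True
            continue
        m = STATIC_RE.match(line)
        if m:
            peer = peers.setdefault(m.group(1), new_peer())
            peer["static_rpf"] = True
            peer["rp_policy"] = m.group(2)
    return peers


def audit(peers):
    """Map each peer address to the list of defaults still in effect."""
    report = {}
    for addr, p in sorted(peers.items()):
        findings = []
        if p["sa_limit"] is None or p["sa_limit"] >= DEFAULT_SA_LIMIT:
            findings.append(F_CACHE)
        if not p["import"]:
            findings.append(F_IMPORT)
        if not p["request_policy"]:
            findings.append(F_REQUEST)
        if p["static_rpf"] and p["rp_policy"] is None:
            findings.append(F_STATIC)
        if len(peers) == 1 and not p["static_rpf"]:
            findings.append(F_SINGLE)
        report[addr] = findings
    return report


if __name__ == "__main__":
    for address, items in audit(parse_msdp(SAMPLE_CONFIG)).items():
        print(address, "OK" if not items else "; ".join(items))
```
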


3.16.24 timer retry

Function
Using the timer retry command, you can set the value of connection request re-try period.
Using the undo timer retry command, you can restore the default value.

Format
timer retry seconds
undo timer retry

Parameters
seconds: refers to value of connection request re-try period in seconds in a range of 1 to 60.

Views
MSDP view of public network instance

Default Level
2: Configuration level

Usage Guidelines
By default, the value of connection request re-try period is 30 seconds.

Examples
# Set the connection request re-try period to 60 seconds in the public network instance.
<Eudemon> system-view
[Eudemon] msdp
[Eudemon-msdp] timer retry 60

3.17 Static Route Configuration Commands


3.17.1 display ip routing-table
3.17.2 display ip routing-table (destination range specified)
3.17.3 display ip routing-table (destination specified)
3.17.4 display ip routing-table acl
3.17.5 display ip routing-table ip-prefix
3.17.6 display ip routing-table protocol
3.17.7 display ip routing-table radix
3.17.8 display ip routing-table statistics


3.17.9 display ip routing-table verbose


3.17.10 ip route-static

3.17.1 display ip routing-table

Function
Using the display ip routing-table command, you can view the routing table summary.

Format
display ip routing-table

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Each line represents one route. The contents include destination address, mask length, protocol,
preference, cost, next hop and output interface.
Only the route in use, i.e., best route, is displayed with the display ip routing-table command.

Examples
# View the summary of routing table.
<Eudemon> display ip routing-table
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
1.1.1.0/24 DIRECT 0 0 1.1.1.1 Ethernet0/0/0
2.2.2.0/24 STATIC 0 0 2.2.2.1 Ethernet0/0/1
3.3.3.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0

Table 3-27 Description of the display ip routing-table command output

Item              Description
Routing Table:    Types of routing tables:
                  • Public net: indicates the public network routing table
                  • Private net: indicates the private network route table
Destination/Mask  The destination address and mask length of the network or host
Protocol          The protocol through which the route is learned
Pre               Route preference
Cost              Route cost
NextHop           Next hop
Interface         Output interface through which the next hop is reachable

3.17.2 display ip routing-table (destination range specified)

Function
Using the display ip routing-table ip-address1 ip-address2 command, you can view the routes
in the specified address range.

Format
display ip routing-table ip-address1 { mask | mask-length } ip-address2 { mask | mask-length } [ verbose ]

Parameters
ip-address1, ip-address2: specify the destination IP addresses in dotted decimal notation.
Together, ip-address1 and ip-address2 determine an address range; the routes in this address
range are displayed.

mask: specifies the IP address mask in dotted decimal notation.

mask-length: specifies the IP address mask length in integer in a range of 0 to 32.

verbose: displays both the active and inactive routes in detail. Without the parameter, this
command only displays the summary of active routes.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None


Examples
# View the routes with destination addresses in the range of 1.1.1.0/24 to 2.2.2.0/24.
<Eudemon> display ip routing-table 1.1.1.0 24 2.2.2.0 24
Routing tables:
Summary count: 3
Destination/Mask Protocol Pre Cost Nexthop Interface
1.1.1.0/24 DIRECT 0 0 1.1.1.1 Ethernet0/0/0
1.1.1.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
2.2.2.0/24 DIRECT 0 0 2.2.2.1 Interface Ethernet0/0/1

3.17.3 display ip routing-table (destination specified)

Function
Using the display ip routing-table ip-address command, you can view the routes to the
specified destination address.

Format
display ip routing-table ip-address [ mask | mask-length ] [ longer-match ] [ verbose ]

Parameters
ip-address: specifies the destination IP address in dotted decimal notation.
mask: specifies the IP address mask in dotted decimal notation.
mask-length: specifies the IP address mask length in integer in a range of 0 to 32.
verbose: displays both the active and inactive routes in detail. Without the parameter, this
command only displays the summary of active routes.
longer-match: displays only the route that matches the specified network or masks.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Different parameters in the command cause different route matching modes:
• display ip routing-table ip-address
  The routing entry that is the longest match for the destination address is displayed.
• display ip routing-table ip-address mask
  The routing entry that exactly matches the destination address and the mask is displayed.
• display ip routing-table ip-address longer-match
  All routing entries whose destination address is in the range of the natural mask are displayed.
• display ip routing-table ip-address mask longer-match
  All routing entries whose destination address is in the range of the input mask are displayed.
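
The four matching modes listed above, modelled in Python as an added example (not part of this manual and not the device's implementation). The routing table is constructed; "natural mask" is taken to mean the classful mask (/8, /16 or /24 by first octet), and "destination address is in the range" is taken literally as the route's destination address falling inside the address/mask given on the command line.

```python
import ipaddress

# Constructed routing table (destination/mask only), not device output.
ROUTES = ["169.0.0.0/8", "169.0.0.0/16", "169.0.1.0/24", "169.1.0.0/16", "10.1.1.1/32"]


def natural_mask_length(address):
    """Classful (natural) mask length of a unicast IPv4 address."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    if first_octet < 128:
        return 8       # class A
    if first_octet < 192:
        return 16      # class B
    if first_octet < 224:
        return 24      # class C
    raise ValueError("class D/E addresses have no natural mask")


def lookup(routes, address, mask_length=None, longer_match=False):
    """Return the destinations selected by the four command forms.

    address                          -> the single longest-match entry
    address mask                     -> the entry matching address and mask exactly
    address longer-match             -> entries whose destination lies in the
                                        natural-mask range of address
    address mask longer-match        -> entries whose destination lies in the
                                        range of address/mask
    """
    nets = [ipaddress.IPv4Network(r) for r in routes]
    addr = ipaddress.IPv4Address(address)

    if not longer_match and mask_length is None:
        covering = [n for n in nets if addr in n]
        if not covering:
            return []
        return [str(max(covering, key=lambda n: n.prefixlen))]

    if not longer_match:
        target = ipaddress.IPv4Network((address, mask_length), strict=False)
        return [str(n) for n in nets if n == target]

    length = mask_length if mask_length is not None else natural_mask_length(address)
    scope = ipaddress.IPv4Network((address, length), strict=False)
    # Literal reading of the guideline: the destination address is inside scope.
    return [str(n) for n in nets if n.network_address in scope]


if __name__ == "__main__":
    print(lookup(ROUTES, "169.253.0.0"))
    print(lookup(ROUTES, "169.0.0.0", mask_length=16))
    print(lookup(ROUTES, "169.0.0.0", longer_match=True))
    print(lookup(ROUTES, "169.0.0.0", mask_length=8, longer_match=True))
```
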

Examples
# Display brief information if the corresponding route exists in the range of the default subnet
mask.
<Eudemon> display ip routing-table 169.0.0.0
Destination/Mask Protocol Pre Cost Nexthop Interface
169.0.0.0/16 Static 60 0 2.1.1.1 LoopBack1

# Display brief information if no corresponding route exists in the range of the default subnet
mask. Only the longest matched route is displayed.
<Eudemon> display ip routing-table 169.253.0.0
Destination/Mask Protocol Pre Cost Nexthop Interface
169.0.0.0/8 Static 60 0 2.1.1.1 LoopBack1

# Display detailed information if the corresponding route exists in the range of the default subnet
mask.
<Eudemon> display ip routing-table 169.0.0.0 verbose
Routing tables:
+ = Active Route, - = Last Active, # = Both * = Next hop in use
Summary count:2
**Destination: 169.0.0.0 Mask: 255.0.0.0
Protocol: #Static Preference: 60
*NextHop: 2.1.1.1 Interface: 2.1.1.1(LoopBack1)
Vlinkindex: 0
State: <Int ActiveU Static Unicast>
Age: 3:47 Cost: 0/0 Tag: 0
**Destination: 169.0.0.0 Mask: 255.254.0.0
Protocol: #Static Preference: 60
*NextHop: 2.1.1.1 Interface: 2.1.1.1(LoopBack1)
Vlinkindex: 0
State: <Int ActiveU Static Unicast>
Age: 3:47 Cost: 0/0 Tag: 0

For descriptions of output information about the display ip routing-table ip-address verbose
command, see 3.17.1 display ip routing-table and 3.17.9 display ip routing-table verbose.

NOTE

The output information contains a "Vlinkindex" item. It indicates the virtual link number corresponding
to the route. For example, there are virtual links on such interfaces as PPP and FR. Virtual link numbers
will correspond to each route passing through the interface.

3.17.4 display ip routing-table acl

Function
Using the display ip routing-table acl command, you can view the routes filtered through the
specified basic ACL.

Format
display ip routing-table acl acl-number [ verbose ]


Parameters
acl-number: specifies the number of basic ACL in a range of 2000 to 2999.
verbose: displays both the active and inactive routes that passed filtering rules in detail. Without
the parameter, this command only displays the summary of the active routes that passed filtering
rules.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The command is used when tracking a route policy, to display the routes that passed the
filtering rules of the specified basic ACL.

Examples
# Display brief information about the route that is in the active state and is permitted by the basic
ACL 2001.
<Eudemon> display ip routing-table acl 2001
Routes matched by access-list 2001:
Summary count: 3
Destination/Mask Protocol Pre Cost Nexthop Interface
169.0.0.0/8 Static 60 0 2.1.1.1 LoopBack1
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoopBack0

# Display brief information about the route that is in the active state and the inactive state and
is permitted by the basic access control list ACL 2001.
<Eudemon> display ip routing-table acl 2001 verbose
Routes matched by access-list 2001:
+ = Active Route, - = Last Active, # = Both * = Next hop in use
Summary count:3
**Destination: 127.0.0.0 Mask: 255.0.0.0
Protocol: #DIRECT Preference: 0
*NextHop: 127.0.0.1 Interface: 127.0.0.1(InLoopBack0)
Vlinkindex: 0
State: <NoAdvise Int ActiveU Retain Multicast Unicast>
Age: 3:47 Cost: 0/0 Tag: 0
**Destination: 127.0.0.1 Mask: 255. 255. 255. 255
Protocol: #DIRECT Preference: 0
*NextHop: 127.0.0.1 Interface: 127.0.0.1(InLoopBack0)
Vlinkindex: 0
State: <NotInstall NoAdvise Int ActiveU Retain Gateway Multicast Unicast>
Age: 3:47 Cost: 0/0 Tag:0
**Destination: 179.0.0.0 Mask: 255.0.0.0
Protocol: #Static Preference: 60
*NextHop: 4.1.1.1 Interface: 127.0.0.1(LoopBack1)
Vlinkindex: 0
State: <Int Hidden Static Unicast>
Age: 3:47 Cost: 0/0 Tag: 0

For descriptions of output information about the display ip routing-table acl acl-number
verbose command, see 3.17.9 display ip routing-table verbose.


NOTE

The output information contains a "Vlinkindex" item. It indicates the virtual link number corresponding
to the route. For example, there are virtual links on such interfaces as PPP and FR. Virtual link numbers
will correspond to each route passing through the interface.

3.17.5 display ip routing-table ip-prefix

Function
Using the display ip routing-table ip-prefix command, you can view the routes that passed the
filtering rules of the specified IP prefix list.

Format
display ip routing-table ip-prefix ip-prefix-name [ verbose ]

Parameters
ip-prefix-name: specifies the name of an IP prefix list. It is a string of 1 to 19 characters.
verbose: displays both the active and inactive routes that passed filtering rules in detail. Without
the parameter, this command only displays the summary of the active routes that passed filtering
rules.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# View the summary of the active routes that are filtered by IP prefix list abc2.
<Eudemon> display ip routing-table ip-prefix abc2
Routes matched by ip-prefix abc2:
Summary count: 4
Destination/Mask Protocol Pre Cost Nexthop Interface
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoopBack0
169.0.0.0/8 Static 60 0 2.1.1.1 LoopBack1
169.0.0.0/15 Static 60 0 2.1.1.1 LoopBack1

# View the active and inactive routes that are filtered by prefix list abc2 in detail.
<Eudemon> display ip routing-table ip-prefix abc2 verbose
Routes matched by ip-prefix abc2:
+ = Active Route, - = Last Active, # = Both * = Next hop in use
Summary count:2
**Destination: 127.0.0.0 Mask: 255.0.0.0
Protocol: #Direct Preference: 0
*NextHop: 127.0.0.1 Interface: 127.0.0.1(InLoopBack0)
Vlinkindex: 0
State: <NoAdvise Int ActiveU Retain Multicast Unicast>
Age: 3:47 Cost: 0/0 Tag: 0
**Destination: 127.0.0.1 Mask: 255. 255. 255. 255
Protocol: #Direct Preference: 0
*NextHop: 127.0.0.1 Interface: 127.0.0.1(InLoopBack0)
Vlinkindex: 0
State: <NotInstall NoAdvise Int ActiveU Retain Gateway Multicast Unicast>
Age: 3:47 Cost: 0/0 Tag: 0

For descriptions of output information about the display ip routing-table ip-prefix verbose
command, see 3.17.1 display ip routing-table and 3.17.9 display ip routing-table verbose.

NOTE

The output information contains a "Vlinkindex" item. It indicates the virtual link number corresponding
to the route. For example, there are virtual links on such interfaces as PPP and FR. Virtual link numbers
will correspond to each route passing through the interface.

3.17.6 display ip routing-table protocol

Function
Using the display ip routing-table protocol command, you can view the routes of the specified
protocol.

Format
display ip routing-table protocol protocol [ inactive | verbose ]

Parameters
protocol: specifies a protocol. It can be one of the following values:
• direct: displays direct connection route.
• static: displays the static route.
• mbgp-multicast: displays the MBGP multicast route.
• multicast-static [ destination-address { destination-mask | destination-mask-length } ]
  [ config ]: displays the static multicast route.
  – destination-address: indicates the destination IP address (multicast address) of the
    multicast.
  – destination-mask: the mask of the multicast destination IP address.
  – destination-mask-length: the mask length of the multicast destination IP address. It is
    an integer in the range of 0 to 32.
  – config: displays configuration of the static multicast route. If config is configured, all
    static multicast routes are displayed, including the activated and inactivated routes.
    Otherwise, all activated static multicast routes are displayed.
• ospf: displays the OSPF route.
• ospf-ase: displays OSPF ASE route.
• ospf-nssa: displays OSPF NSSA route.
• rip: displays RIP route.


inactive: displays the inactive routes. Without the parameter, this command displays the active
and inactive routes.

verbose: displays route in detail. Without the parameter, this command displays the route
summary.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# View all direct connection routes summary.
<Eudemon> display ip routing-table protocol direct
DIRECT Routing tables:
Summary count: 4
DIRECT Routing tables status:<active>:
Summary count: 3
Destination/Mask Protocol Pre Cost Nexthop Interface
20.1.1.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
DIRECT Routing tables status:<inactive>:
Summary count: 1
Destination/Mask Protocol Pre Cost Nexthop Interface
210.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0

# View the static routing table.
<Eudemon> display ip routing-table protocol static
STATIC Routing tables:
Summary count: 1
STATIC Routing tables status:<active>:
Summary count: 0
STATIC Routing tables status:<inactive>:
Summary count: 1
Destination/Mask Protocol Pre Cost Nexthop Interface
1.2.3.0/24 STATIC 60 0 1.2.4.5 Ethernet0/0/0

3.17.7 display ip routing-table radix

Function
Using the display ip routing-table radix command, you can view the route in a tree structure.

Format
display ip routing-table radix


Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
All views

Examples
# View the route in a tree structure.
<Eudemon> display ip routing-table radix
Radix tree for INET (2) inodes 11 routes 7:
+-32+--{192.168.1.55
+-23+
| +-24+--{192.168.0.0
| +-32+--{192.168.0.33
+--0+
| | +--8+--{127.0.0.0
| | | +-32+--{127.0.0.1
| +--1+
| | +-32+--{10.2.1.1
| +-14+
| +-32+--{10.1.1.1

3.17.8 display ip routing-table statistics

Function
Using the display ip routing-table statistics command, you can view the integrated statistics
of the routes.

Format
display ip routing-table statistics

Parameters
None

Views
All views

Default Level
1: Monitoring level


Usage Guidelines
None

Examples
# View the integrated statistics of the routes.
<Eudemon> display ip routing-table statistics
Routing tables:
Proto route active
DIRECT 6 6
STATIC 5 3
RIP 0 0
OSPF 0 0
O_ASE 0 0
O_NSSA 0 0
AGGRE 0 0
MStatic 0 0
Total 11 9

Table 3-28 Description of the display ip routing-table statistics command output

Item    Description
Proto   Protocol of the route:
        • DIRECT: direct connection route
        • STATIC: static route
        • RIP: RIP route
        • OSPF: OSPF route
        • O_ASE: OSPF ASE
        • O_NSSA: OSPF NSSA route
        • AGGRE: aggregate route
        • MStatic: static multicast route
route   Total number of all routes.
active  Number of activated routes.
Total   Total number of routes.

3.17.9 display ip routing-table verbose

Function
Using the display ip routing-table verbose command, you can view routing table in detail.

Format
display ip routing-table verbose


Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The descriptor describing the route state will be displayed first, then the statistics of the entire
routing table will be output and finally the detailed description of each route will be output.
All current routes, including inactive route and invalid route, can be displayed using display ip
routing-table verbose command.

Examples
# Display the detailed routing table.
<Eudemon> display ip routing-table verbose
Routing Tables:
+ = Active Route, - = Last Active, # = Both * = Next hop in use
Destinations: 3 Routes: 3
Holddown: 0 Delete: 0 Hidden: 0
**Destination: 127.0.0.0 Mask: 255.0.0.0
Protocol: #DIRECT Preference: 0
*NextHop: 127.0.0.1 Interface: 127.0.0.1(InLoopBack0)
State: <NoAdvise Int ActiveU Retain Unicast>
Age: 19:31:06 Cost: 0/0
**Destination: 127.0.0.1 Mask: 255.255.255.255
Protocol: #Direct Preference: 0
*NextHop: 127.0.0.1 Interface: 127.0.0.1(InLoopBack0)
State: <NotInstall NoAdvise Int ActiveU Retain Gateway Unicast>
Age: 14:03:05 Cost: 0/0
**Destination: 169.1.1.0 Mask: 255.255.255.0
Protocol: #DIRECT Preference: 0
*NextHop: 169.1.1.2 Interface: 169.1.1.2(Ethernet0/0/0)
State: <Int ActiveU Retain Unicast >
Age: 44:24:53 Cost: 0/0

Table 3-29 Description of the display ip routing-table verbose command output


Item                 Description
Routing Tables:      Overall information in the routing table.
+ = Active Route     Currently active route.
- = Last Active      The last active route to the destination address.
# = Both             The currently active route is also the last active one.
* = Next hop in use  The next hop in use.
Destinations         Number of destination addresses in the routing table.
Routes               Number of routes in the routing table.
Holddown             Number of routes currently held down. Holddown refers to a route
                     advertising policy used by some distance vector (D-V) routing
                     protocols (such as RIP) in order to avoid flooding of error routes. The
                     routing information is not updated immediately after changes occur,
                     but always after a period of time.
Delete               Number of routes that are currently deleted.
Hidden               Number of currently hidden routes. Some routes are not available at
                     present for some reason (e.g., the interface is Down) but should not
                     be deleted. They can be hidden for future restoration.
**Destination        Destination IP address of the route. Each piece of specific routing
                     information begins with the destination.
Mask                 Destination address mask. If the destination address and mask are
                     all-zero, it is a default route.
Protocol             Type of routes.
Preference           Preference of routes. A smaller value indicates a higher preference.
*NextHop             The next hop IP address.
Interface            IP address of the output interface, with the interface name in brackets.
State                Route state:
                     • Int: Interior Gateway Protocol (IGP) route.
                     • ActiveU: Active unicast route.
                     • Gateway: Indirect route.
                     • Static: Static route.
                     • Unicast: Unicast route.
                     • Retain: Not deleted when the routing protocol normally quits.
                     • NoAdvise: Not advertised.
                     • NotInstall: Not used for forwarding packets.
                     • LoopbackDown: The loopback interface is disabled.
Age                  Duration of the route existing in the routing table, with hour, minute
                     and second from left to right.
Cost                 Cost of routes.

3.17.10 ip route-static


Function
Using the ip route-static command, you can configure a static route.

Using the undo ip route-static command, you can cancel the configured static route.

Format
ip route-static ip-address { mask | mask-length } { interface-type interface-number
[ next-hop-address ] | next-hop-address } [ preference preference-value ] [ reject | blackhole ]

ip route-static vpn-instance vpn-instance-name &<1-6> ip-address { mask | mask-length }
{ interface-type interface-number [ next-hop-address ] | next-hop-address } [ public ]
[ preference preference-value ] [ reject | blackhole ]

undo ip route-static ip-address { mask | mask-length } { interface-type interface-number |
next-hop-address } [ preference preference-value ]

undo ip route-static [ vpn-instance vpn-instance-name &<1-6> ] ip-address { mask | mask-length }
{ interface-type interface-number | next-hop-address } [ public ] [ preference
preference-value ]

Parameters
ip-address: specifies the destination IP address in dotted decimal notation.

mask: specifies the IP address mask in dotted decimal notation.

mask-length: specifies the IP address mask length as an integer in the range of 0 to 32.

interface-type interface-number: specifies the type and number of the output interface of the
static route.

next-hop-address: specifies the next hop IP address of the route in dotted decimal notation.

preference-value: specifies the preference level of the route. It is an integer in the range of 1 to
255.

reject: refers to an unreachable route.

blackhole: refers to a blackhole route.

vpn-instance vpn-instance-name: configures routes in a specified VPN instance. The name of
the VPN instance is a string of 1 to 19 characters. You can configure static routes for six VPN
instances at the same time.

public: refers to a public network VPN.

Views
System view

Default Level
2: Configuration level


Usage Guidelines
By default, the system obtains the subnet routes directly connected to the Eudemon. When a static
route is configured without a preference, the default preference is 60. If the route is not
specified as reject or blackhole, it is reachable by default.
Precautions when configuring a static route:
- When the destination IP address and the mask are both 0.0.0.0, the route is the configured
default route. If the routing table lookup fails, a packet is forwarded along the default
route.
- Different preference levels allow a flexible routing management policy. For example, when
multiple routes to the same destination are configured, load sharing is implemented if the
same preference level is specified, and route backup is implemented if different preference
levels are specified.
- A static route can specify either an output interface or a next hop address; which one to
use depends on the actual conditions. For interfaces that support resolution from network
address to link layer address, and for point-to-point interfaces, either the output interface
or the next hop address can be specified. Non Broadcast Multi-Access (NBMA) interfaces, such
as dialing interfaces and interfaces encapsulated with Frame Relay, support
point-to-multipoint. In addition to the IP route, a secondary route, that is, the mapping
from IP address to link layer address, must be established at the link layer. In this case,
the output interface cannot be specified, and the next hop IP address must be configured for
the static route.
In some conditions (for example, when the link layer is encapsulated with PPP), the peer address
cannot be learned, and the output interface can be specified when configuring the Eudemon. With
the output interface specified, the configuration of this Eudemon does not need to be modified
when the peer address changes.

Examples
# Configure the next hop of the default route as 129.102.0.2.
<Eudemon> system-view
[Eudemon] ip route-static 0.0.0.0 0.0.0.0 129.102.0.2

# Configure a static route for vpn1. The destination segment is 100.1.0.0 and the next hop
address is 1.1.1.2.
<Eudemon> system-view
[Eudemon] ip route-static vpn-instance vpn1 100.1.0.0 16 1.1.1.2
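
The preference rule in the Usage Guidelines (same preference gives load sharing, different
preferences give route backup, default preference 60) can be checked against a saved
configuration. The Python below is an added example, not part of the original manual and not
Huawei code; the configuration lines are constructed from the Format above and the function
names are hypothetical.

```python
import ipaddress
from collections import defaultdict

DEFAULT_PREFERENCE = 60  # default preference stated in the Usage Guidelines

# Constructed sample configuration lines (not taken from a real device).
SAMPLE_CONFIG = """\
ip route-static 0.0.0.0 0.0.0.0 129.102.0.2
ip route-static 0.0.0.0 0 Ethernet 1/0/0 10.1.1.1 preference 80
ip route-static 10.20.0.0 255.255.0.0 192.168.1.1
ip route-static 10.20.0.0 16 192.168.2.1 preference 60
ip route-static 172.16.9.0 24 192.168.1.1 blackhole
ip route-static vpn-instance vpn1 100.1.0.0 16 1.1.1.2
"""


def _is_ip(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _prefix_len(mask):
    """Accept either a mask length (0 to 32) or a dotted-decimal mask."""
    if mask.isdigit():
        return int(mask)
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def parse_static_route(line):
    """Parse one 'ip route-static' line into a dict, or return None."""
    tok = line.split()
    if tok[:2] != ["ip", "route-static"]:
        return None
    tok = tok[2:]
    vpns = []
    if tok and tok[0] == "vpn-instance":
        tok.pop(0)
        while tok and not _is_ip(tok[0]):       # one to six instance names
            vpns.append(tok.pop(0))
    dest = ipaddress.ip_network(f"{tok[0]}/{_prefix_len(tok[1])}", strict=False)
    rest = tok[2:]
    interface = None
    if rest and not _is_ip(rest[0]):            # interface-type interface-number
        interface = f"{rest.pop(0)} {rest.pop(0)}"
    next_hop = rest.pop(0) if rest and _is_ip(rest[0]) else None
    preference = DEFAULT_PREFERENCE
    if "preference" in rest:
        preference = int(rest[rest.index("preference") + 1])
    kind = next((k for k in ("reject", "blackhole") if k in rest), "reachable")
    return {"vpn": tuple(vpns), "dest": str(dest), "interface": interface,
            "next_hop": next_hop, "preference": preference, "kind": kind}


def group_routes(config_text):
    """Group routes per destination; the smallest preference value wins."""
    groups = defaultdict(list)
    for line in config_text.splitlines():
        route = parse_static_route(line.strip())
        if route:
            groups[(route["vpn"], route["dest"])].append(route)
    report = {}
    for key, routes in groups.items():
        best = min(r["preference"] for r in routes)
        active = [r["next_hop"] for r in routes if r["preference"] == best]
        standby = [r["next_hop"] for r in routes if r["preference"] > best]
        if len(active) > 1:
            mode = "load-share"      # several routes share the best preference
        elif standby:
            mode = "backup"          # lower-priority routes wait as backup
        else:
            mode = "single"
        report[key] = {"mode": mode, "is_default": key[1] == "0.0.0.0/0",
                       "active": active, "standby": standby}
    return report


if __name__ == "__main__":
    for (vpn, dest), info in group_routes(SAMPLE_CONFIG).items():
        print(vpn or "public", dest, info)
```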

3.18 ARP Configuration Commands


3.18.1 arp detect-times
3.18.2 arp expire-time
3.18.3 arp-proxy enable
3.18.4 arp static
3.18.5 arp multi-mac-permit
3.18.6 debugging arp packet
3.18.7 display arp
3.18.8 reset arp

3.18.1 arp detect-times

Function
Using the arp detect-times command, you can set the aging detection times of ARP entries.
Using the undo arp detect-times command, you can restore the default value.

Format
arp detect-times times
undo arp detect-times

Parameters
times: specifies the aging detection times of ARP entries, in the range of 0 to 10.

Views
Ethernet interface view, Virtual-Ethernet interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the value is 3.
The arp detect-times command can only be configured on a main interface. Before aging a
dynamic ARP entry, the system performs detection. If no response updates the entry after the
configured number of detections, the ARP entry is deleted. If the aging detection times are set
to 0, the system does not perform detection but ages the ARP entry directly.

Examples
# Set the aging detection times of ARP entries to 5.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] arp detect-times 5

3.18.2 arp expire-time

Function
Using the arp expire-time command, you can set the aging expire time of ARP entries.
Using the undo arp expire-time command, you can restore the default setting.


Format
arp expire-time time
undo arp expire-time

Parameters
time: specifies the aging expire time of ARP entries in a range of 60 to 1200 seconds. By default,
it is 1200 seconds.

Views
Ethernet interface view, Virtual-Ethernet interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the aging expire time of dynamic ARP entries is 1200 seconds, namely 20 minutes.
The arp expire-time command can only be configured on a main interface.

Examples
# Set the expire time of ARP entries to 600 seconds.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] arp expire-time 600

3.18.3 arp-proxy enable

Function
Using the arp-proxy enable command, you can enable ARP proxy on the current interface or
sub interface.
Using the undo arp-proxy enable command, you can disable ARP proxy.

Format
arp-proxy enable
undo arp-proxy enable

Parameters
None

Views
Ethernet interface view, sub-interface view, Virtual-Ethernet interface view


Default Level
2: Configuration level

Usage Guidelines
By default, the ARP proxy is disabled on the interface.

Examples
# Enable ARP proxy on sub interface Ethernet 0/0/0.1.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0.1
[Eudemon-Ethernet0/0/0.1] arp-proxy enable

# Disable ARP proxy on sub interface Ethernet 0/0/0.1.
[Eudemon-Ethernet0/0/0.1] undo arp-proxy enable

3.18.4 arp static

Function
Using the arp static command, you can configure static entries in the ARP mapping table.
Using the undo arp static command, you can remove the mapping entries for specific addresses
from the ARP mapping table.

Format
arp static ip-address mac-address [ vid vlan-id ]
undo arp static ip-address

Parameters
ip-address: specifies an IP address of the ARP mapping entries in dotted decimal notation.
vid vlan-id: VLAN ID.
mac-address: specifies an Ethernet MAC address of ARP mapping entries. Its format is H-H-
H, in which H is a hexadecimal number with 1 to 4 bits.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the mapping table of the system ARP is empty and the address mapping can be
obtained through dynamic ARP.


Normally, the ARP mapping table is maintained by dynamic ARP, and manual configuration is
needed only in special situations. In addition, the ARP mapping table is used only for LAN
address resolution; WAN address resolution relies on other configurations or mechanisms, such
as the inverse address resolution of Frame Relay.

Examples
# Map the IP address 129.102.0.1 to the Ethernet MAC address e0-fc01-0.
<Eudemon> system-view
[Eudemon] arp static 129.102.0.1 e0-fc01-0

# Map the IP address 11.0.0.1 to the Ethernet MAC address aa-fcc-12.
[Eudemon] arp static 11.0.0.1 aa-fcc-12

Related Topics
3.18.8 reset arp
3.18.7 display arp

3.18.5 arp multi-mac-permit

Function
Using the arp multi-mac-permit command, you can enable the learning capability of multicast
MAC addresses on the interface.

Using the undo arp multi-mac-permit command, you can disable the function.

Format
arp multi-mac-permit

undo arp multi-mac-permit

Parameters
None

Views
Ethernet interface view

Default Level
2: Configuration level

Usage Guidelines
After this function is enabled, both this interface and its sub-interfaces can learn multicast ARP.

By default, this function is disabled.


Examples
# Enable the learning capability of multicast MAC addresses on the interface Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] arp multi-mac-permit

3.18.6 debugging arp packet

Function
Using the debugging arp packet command, you can enable the ARP packet debugging.
Using the undo debugging arp packet command, you can disable the packet debugging.

Format
debugging arp packet
undo debugging arp packet

Parameters
None

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Enable ARP packet debugging.
<Eudemon> debugging arp packet

3.18.7 display arp

Function
Using the display arp command, you can view the ARP mapping table.

Format
display arp interface interface-type interface-number [ vid vlan-id ] [ | { begin | include |
exclude } text ]

display arp [ network network-address [ network-mask ] ] [ dynamic | static ] [ | { begin |
include | exclude } text ]

Parameters
interface-type interface-number: displays ARP entries of the interface with the specified type
and number.

vid vlan-id: displays ARP entries of specified VLAN.

static: displays static ARP entries.

dynamic: displays dynamic ARP entries.

network-address: specifies the number of the network.

network-mask: specifies the network mask.

text: specifies the information to be displayed through the regular expression.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
By default, all the ARP entries of the RSU are displayed.

Examples
# Display all ARP entries.
<Eudemon> display arp
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE
VLAN PVC
172.16.1.10 0005-5d85-d54e S
100
10.110.98.245 00e0-fc0a-a719 I Eth0/0/0
10.110.98.1 00e0-fc08-0423 20 D Eth0/0/1
172.16.1.1 00e0-fc07-86b1 18 D Eth1/0/0
--------------------------------------------------------------------
Total:4 Dynamic:2 Static:1 Interface:1

Table 3-30 Description of the display arp command output

Item           Description
IP ADDRESS     IP address.
MAC ADDRESS    MAC address.
EXPIRE(M)      Remaining keep-alive time of ARP entries.
TYPE           Type of ARP entries:
               - Interface: MAC address of interface.
               - Dynamic: dynamic ARP entries.
               - Static: static ARP entries.
INTERFACE      Type and number of the interface on which the ARP entries were learned.
VLAN/CEVLAN    VLAN ID.
PVC            Interface where the PVC resides and VPI/VCI.

Related Topics
3.18.4 arp static
3.18.8 reset arp
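
The following Python is an added example, not part of the original manual and not Huawei code.
It parses display arp output in the layout shown above, checks the row counts against the Total
line, and lists dynamic entries where several IP addresses resolve to one MAC address or where
an entry differs from a known-good binding. The capture is constructed, the known-good map and
function names are hypothetical, and padding each H group to four hex digits is an assumption
about the H-H-H format.

```python
import re
from collections import defaultdict

# Constructed capture: the rows follow the sample output above, plus one added
# dynamic row (10.110.98.7) so that two IP addresses share one MAC address.
SAMPLE_OUTPUT = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE
172.16.1.10     0005-5d85-d54e            S
10.110.98.245   00e0-fc0a-a719            I    Eth0/0/0
10.110.98.1     00e0-fc08-0423  20        D    Eth0/0/1
10.110.98.7     00e0-fc08-0423  19        D    Eth0/0/1
172.16.1.1      00e0-fc07-86b1  18        D    Eth1/0/0
--------------------------------------------------------------------
Total:5         Dynamic:3       Static:1        Interface:1
"""

ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9A-Fa-f]{1,4}(?:-[0-9A-Fa-f]{1,4}){2})\s+"
    r"(?:(?P<expire>\d+)\s+)?"           # EXPIRE(M) is empty for S and I rows
    r"(?P<type>[SDI])\b"
    r"(?:\s+(?P<iface>[A-Za-z]\S*))?"
)
SUMMARY = re.compile(r"Total:(\d+)\s+Dynamic:(\d+)\s+Static:(\d+)\s+Interface:(\d+)")
TYPE_NAMES = {"D": "Dynamic", "S": "Static", "I": "Interface"}


def normalize_mac(mac):
    """Pad each H group of an H-H-H address to four hex digits (assumed rule)."""
    return "-".join(group.lower().zfill(4) for group in mac.split("-"))


def parse_display_arp(text):
    """Return (entries, summary) parsed from 'display arp' output."""
    entries, summary = [], None
    for line in text.splitlines():
        row = ROW.match(line.strip())
        if row:
            entry = row.groupdict()
            entry["mac"] = normalize_mac(entry["mac"])
            entries.append(entry)
            continue
        found = SUMMARY.search(line)
        if found:
            keys = ("Total", "Dynamic", "Static", "Interface")
            summary = dict(zip(keys, map(int, found.groups())))
    return entries, summary


def audit(text, known_good=None):
    """Check capture completeness, shared MACs and known-good bindings."""
    known_good = known_good or {}
    entries, summary = parse_display_arp(text)

    # 1. A capture whose rows do not add up to the Total line is incomplete.
    counts = defaultdict(int)
    for entry in entries:
        counts[TYPE_NAMES[entry["type"]]] += 1
    counts["Total"] = len(entries)
    complete = summary is not None and all(counts[k] == v for k, v in summary.items())

    # 2. Dynamic entries where one MAC answers for several IP addresses. This
    #    can be proxy ARP or a multi-address host; it needs a manual review.
    ips_by_mac = defaultdict(list)
    for entry in entries:
        if entry["type"] == "D":
            ips_by_mac[entry["mac"]].append(entry["ip"])
    shared = {mac: ips for mac, ips in ips_by_mac.items() if len(ips) > 1}

    # 3. Entries that disagree with the expected IP-to-MAC binding.
    mismatches = []
    for entry in entries:
        expected = known_good.get(entry["ip"])
        if expected and normalize_mac(expected) != entry["mac"]:
            mismatches.append((entry["ip"], entry["mac"], normalize_mac(expected)))
    return {"complete": complete, "shared_macs": shared,
            "binding_mismatches": mismatches}


if __name__ == "__main__":
    # Hypothetical known-good bindings for two gateways.
    print(audit(SAMPLE_OUTPUT, {"10.110.98.1": "e0-fc08-423",
                                "172.16.1.1": "e0-fc07-86b2"}))
```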

3.18.8 reset arp

Function
Using the reset arp command, you can clear the ARP entry in the ARP mapping table.

Format
reset arp [ all | dynamic | static | interface interface-type interface-number ]

Parameters
static: resets the static ARP entry.

dynamic: resets the dynamic ARP entry.

all: resets all ARP entries.

interface: indicates the selected interface.

interface-type: specifies the type of an interface.

interface-number: specifies the number of an interface.

Views
User view

Default Level
2: Configuration level


Usage Guidelines
By default, if no parameter is specified, the operation is performed on the RSU board.
When the operation is performed on a specified interface, the interface type can only be
Ethernet, GE or virtual Ethernet, and only dynamic entries can be deleted on the interface.

Examples
# Delete the static entry in the ARP mapping table on the main control board.
<Eudemon> reset arp static

# The following example deletes the dynamic entry in the ARP mapping table on Ethernet
0/0/0.
<Eudemon> reset arp interface Ethernet 0/0/0

Related Topics
3.18.7 display arp
3.18.4 arp static

3.19 DHCP Configuration Commands


3.19.1 debugging dhcp relay
3.19.2 debugging dhcp server
3.19.3 dhcp client enable
3.19.4 dhcp client forbid
3.19.5 dhcp client renew
3.19.6 dhcp enable
3.19.7 dhcp relay release
3.19.8 dhcp select (Interface View)
3.19.9 dhcp select (System View)
3.19.10 dhcp server detect
3.19.11 dhcp server dns-list (Interface View)
3.19.12 dhcp server dns-list (System View)
3.19.13 dhcp server domain-name (Interface View)
3.19.14 dhcp server domain-name (System View)
3.19.15 dhcp server expired (Interface View)
3.19.16 dhcp server expired (System View)
3.19.17 dhcp server forbidden-ip
3.19.18 dhcp server ip-pool
3.19.19 dhcp server nbns-list (Interface View)
3.19.20 dhcp server nbns-list (System View)
3.19.21 dhcp server netbios-type (Interface View)
3.19.22 dhcp server netbios-type (System View)
3.19.23 dhcp server option (Interface View)
3.19.24 dhcp server option (System View)
3.19.25 dhcp server ping
3.19.26 dhcp server static-bind
3.19.27 display dhcp relay address
3.19.28 display dhcp relay statistics
3.19.29 display dhcp server conflict
3.19.30 display dhcp server expired
3.19.31 display dhcp server free-ip
3.19.32 display dhcp server ip-in-use
3.19.33 display dhcp server statistics
3.19.34 display dhcp server tree
3.19.35 display dhcp-client
3.19.36 dns-list
3.19.37 domain-name
3.19.38 expired
3.19.39 gateway-list
3.19.40 ip relay address (Interface View)
3.19.41 ip relay address (System View)
3.19.42 nbns-list
3.19.43 netbios-type
3.19.44 network (DHCP)
3.19.45 option
3.19.46 reset dhcp relay statistics
3.19.47 reset dhcp server conflict
3.19.48 reset dhcp server ip-in-use
3.19.49 reset dhcp server statistics
3.19.50 static-bind ip-address
3.19.51 static-bind mac-address


3.19.1 debugging dhcp relay

Function
Using the debugging dhcp relay command, you can enable the DHCP relay debugging to view
the DHCP packets transmitted when a client requires an IP address.
Using the undo debugging dhcp relay command, you can disable the DHCP relay debugging.

Format
debugging dhcp relay { all | error | event | packet [ client mac mac-address ] }
undo debugging dhcp relay { all | error | event | packet [ client mac mac-address ] }

Parameters
all: debugs all DHCP relays.
error: indicates the unknown packet information or error information.
event: debugs DHCP relay event.
packet: indicates the packets of various protocols received by or sent from the DHCP relay.
mac mac-address: specifies the MAC address of the DHCP client. It is in the format of H-H-H.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, DHCP relay debugging is disabled.
If packets sent from a MAC address are already specified to be displayed and you need to check
information about all packets, run the undo debugging dhcp relay packet command, and then
run the debugging dhcp relay packet command.

Examples
# Display the packets sent from the MAC address 0050-BA34-2117 to the DHCP server. This
allows you to view all the packets sent by the client to require an IP address.
<Eudemon> debugging dhcp relay packet mac 0050-ba34-2117

# Disable the DHCP relay debugging.
<Eudemon> undo debugging dhcp relay packet

# Debug all DHCP relays.
<Eudemon> debugging dhcp relay packet


*0.1252012-DHCP-REL-8-dhcpr_debug_rxtx:
Rx, DHCP request packet, interface Ethernet 0/0/0
*0.1252100-DHCP-REL-8-dhcpr_debug_paket:
Dhcp message type = DISCOVERgured, Boot File Name = Not Configured

3.19.2 debugging dhcp server

Function
Using the debugging dhcp server command, you can enable the DHCP server debugging.
Using the undo debugging dhcp server command, you can disable the debugging.

Format
debugging dhcp server { all | error | event | packet }
undo debugging dhcp server { all | error | event | packet }

Parameters
all: debugs all DHCP servers.
error: debugs the DHCP server error, including the errors that occur during the DHCP packets
processing and the addresses allocation.
event: debugs the DHCP server events, including the address allocation and the timeout of ping
check.
packet: debugs the DHCP packet, including the packets received or transmitted by the DHCP
server and the transmission and response of the ping packets.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, DHCP server debugging is disabled.

Examples
# Enable the DHCP server events debugging.
<Eudemon> debugging dhcp server event
*0.62496500-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: ICMP Timeout
*0.62496583-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: Still Need to ICMP detect for 1 times
*0.62497000-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: ICMP Timeout
*0.62497083-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: All Try finished
*0.62497166-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: Ack User's Lease

# Enable the DHCP server packet debugging.
<Eudemon> debugging dhcp server packet
*0.62080906-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: receive DHCPRELEASE from 00.05.5D.85.D5.45.
*0.62081016-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: Release Lease for MAC 00.05.5D.85.D5.45. IP is 5.5.5.2
*0.62082240-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: receive DHCPDISCOVER from 00.05.5D.85.D5.45.
*0.62082350-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: Sending ICMP ECHO to Target IP: 5.5.5.2
*0.62082733-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: Sending ICMP ECHO to Target IP: 5.5.5.2
*0.62083233-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: Send DHCPOFFER to MAC=> 00.05.5D.85.D5.45. Offer IP=> 5.5.5.2
*0.62083366-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: receive DHCPREQUEST from 00.05.5D.85.D5.45.
*0.62083483-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: Send DHCPACK to MAC=> 00.05.5D.85.D5.45. Offer IP=> 5.5.5.2

# Enable the DHCP server error debugging.
<Eudemon> debugging dhcp server error
*0.63269475-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: Icmp Packet is not EHHOREPLY!
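
The following Python is an added example, not part of the original manual and not Huawei code.
It reads debugging dhcp server packet output in the two-line form shown above, rebuilds each
client's message sequence, and reports clients whose DISCOVER, OFFER, REQUEST, ACK exchange
never completes. The entries for the second client in the sample log are constructed, and the
function names are hypothetical.

```python
import re

# The entries for client 00.05.5D.85.D5.45 are the packet-debugging sample shown
# above; the last two entries (client 00.0C.29.AA.BB.01) are constructed.
SAMPLE_LOG = """\
*0.62080906-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: receive DHCPRELEASE from 00.05.5D.85.D5.45.
*0.62081016-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: Release Lease for MAC 00.05.5D.85.D5.45. IP is 5.5.5.2
*0.62082240-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: receive DHCPDISCOVER from 00.05.5D.85.D5.45.
*0.62082350-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: Sending ICMP ECHO to Target IP: 5.5.5.2
*0.62082733-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: Sending ICMP ECHO to Target IP: 5.5.5.2
*0.62083233-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: Send DHCPOFFER to MAC=> 00.05.5D.85.D5.45. Offer IP=> 5.5.5.2
*0.62083366-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: receive DHCPREQUEST from 00.05.5D.85.D5.45.
*0.62083483-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: Send DHCPACK to MAC=> 00.05.5D.85.D5.45. Offer IP=> 5.5.5.2
*0.62090000-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: receive DHCPDISCOVER from 00.0C.29.AA.BB.01.
*0.62090900-DHCP SER-8-DHCPS_DEBUG_COMMON:
DhcpServer: Send DHCPOFFER to MAC=> 00.0C.29.AA.BB.01. Offer IP=> 5.5.5.3
"""

HEADER = re.compile(r"^\*(?P<tick>\d+\.\d+)-DHCP SER-\d+-(?P<tag>\w+):$")
MAC = r"(?P<mac>(?:[0-9A-Fa-f]{2}\.){5}[0-9A-Fa-f]{2})"
RECEIVE = re.compile(r"receive DHCP(?P<type>[A-Z]+) from " + MAC)
SEND = re.compile(r"Send DHCP(?P<type>[A-Z]+) to MAC=> " + MAC
                  + r"\. Offer IP=> (?P<ip>[\d.]+)")
HANDSHAKE = ["DISCOVER", "OFFER", "REQUEST", "ACK"]


def parse_events(log):
    """Pair each header line with the message line that follows it."""
    events, tick = [], None
    for line in log.splitlines():
        line = line.strip()
        head = HEADER.match(line)
        if head:
            tick = head.group("tick")     # opaque device timestamp
            continue
        for direction, pattern in (("rx", RECEIVE), ("tx", SEND)):
            found = pattern.search(line)
            if found:
                events.append({"tick": tick, "dir": direction,
                               "type": found.group("type"),
                               "mac": found.group("mac").upper(),
                               "ip": found.groupdict().get("ip")})
    return events


def handshake_complete(types):
    """True if DISCOVER, OFFER, REQUEST, ACK occur in that order."""
    remaining = iter(types)
    return all(step in remaining for step in HANDSHAKE)


def summarize(log):
    """Per client MAC: message sequence, current lease, handshake status."""
    clients = {}
    for event in parse_events(log):
        client = clients.setdefault(event["mac"],
                                    {"sequence": [], "leased_ip": None})
        client["sequence"].append(event["type"])
        if event["type"] == "ACK":
            client["leased_ip"] = event["ip"]
        elif event["type"] == "RELEASE":
            client["leased_ip"] = None
    for client in clients.values():
        client["complete"] = handshake_complete(client["sequence"])
    return clients


def incomplete_clients(log):
    """Clients that were seen but never finished the four-message exchange."""
    return sorted(mac for mac, c in summarize(log).items() if not c["complete"])


if __name__ == "__main__":
    for mac, info in summarize(SAMPLE_LOG).items():
        print(mac, info)
    print("incomplete:", incomplete_clients(SAMPLE_LOG))
```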

3.19.3 dhcp client enable

Function
Using the dhcp client enable command, you can enable the DHCP client function on the
interface so that the interface can send a DHCP request packet to the DHCP server.

Using the undo dhcp client enable command, you can disable the DHCP client function on the
interface.

Format
dhcp client enable

undo dhcp client enable

Parameters
None

Views
Interface view

Default Level
2: Configuration level


Usage Guidelines
By default, the DHCP client function is not enabled.

The dhcp client enable command and the pppoe-server and pppoe-client commands in the
interface view are mutually exclusive.

The dhcp client enable command and the ip address command are also mutually exclusive.

The IP address obtained by using the dhcp client command is not saved as configuration
information. When the interface or the device restarts, you need to apply for an IP address again.

You can successfully configure the dhcp client enable command only when the dhcp enable
command is already used.

Examples
# Enable the DHCP client function on the Ethernet 0/0/0 interface.
<Eudemon> system-view
[Eudemon] dhcp enable
[Eudemon] firewall zone trust
[Eudemon-zone-trust] add interface Ethernet 0/0/0
[Eudemon-zone-trust] quit
[Eudemon] firewall packet-filter default permit all
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] dhcp client enable

3.19.4 dhcp client forbid

Function
Using the dhcp client forbid command, you can prevent the DHCP client from using
the gateway-option and static-route-option parameters allocated by the DHCP server.

Using the undo dhcp client forbid command, you can restore the default system configuration.

Format
dhcp client forbid apply { gateway-option | static-route-option }

undo dhcp client forbid apply { gateway-option | static-route-option }

Parameters
None

Views
Interface view

Default Level
2: Configuration level


Usage Guidelines
By default, the dhcp client forbid command is disabled. That is, by default, the system uses the
gateway-option and static-route-option parameters allocated by the DHCP server and adds the
default route and the static route thus obtained to the FIB table.

Examples
# On the interface, disable the gateway-option parameter allocated by the DHCP server.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] dhcp client forbid apply gateway-option

3.19.5 dhcp client renew

Function
Using the dhcp client renew command, you can trigger a lease renewal process conducted by
the DHCP client.

Format
dhcp client renew

Parameters
None

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the dhcp client renew command is disabled.

When the dhcp client renew command is used, the DHCP client sends a request to the DHCP
server for renewing the lease:
- When receiving a positive response from the DHCP server, the DHCP client renews the
lease and other parameters.
- When receiving a negative response from the DHCP server, the DHCP client releases all
parameters it has obtained and applies for an IP address and other network parameters to
the DHCP server again.
- When receiving no response packet, the DHCP client performs no operation.

The dhcp client renew command can be used only when the DHCP client is enabled and has
obtained an IP address.


Examples
# Renew the IP address lease on the Ethernet 0/0/0 interface.
<Eudemon> system-view
[Eudemon] dhcp enable
[Eudemon] firewall zone trust
[Eudemon-zone-trust] add interface Ethernet 0/0/0
[Eudemon-zone-trust] quit
[Eudemon] firewall packet-filter default permit all
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] dhcp client enable
%May 6 09:29:30 2008 Eudemon DHCPC/5/DHCPC_LOG_REQIP_SUCCESS:interface
Ethernet0/0/0 has acquired ip address successfully, IP address : 192.168.0.2,
Gateway : none; , Static Route : none;
[Eudemon-Ethernet0/0/0] dhcp client renew

3.19.6 dhcp enable

Function
Using the dhcp enable command, you can enable DHCP.

Using the undo dhcp enable command, you can disable DHCP.

Format
dhcp enable

undo dhcp enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, DHCP is enabled.

Use this command before configuring DHCP. Note that you must enable DHCP on both the
DHCP server and the DHCP relay.

Examples
# Enable DHCP on the current Eudemon.
<Eudemon> system-view
[Eudemon] dhcp enable


3.19.7 dhcp relay release

Function
Using the dhcp relay release command, you can configure the DHCP relay to send a request
to the DHCP server for releasing the IP address applied for by the client.

Format
dhcp relay release client-ip-address mac-address [ server-ip-address ]

Parameters
client-ip-address: specifies the IP address of the DHCP client.

mac-address: specifies the MAC address of the DHCP client. It is in the format of H-H-H.

server-ip-address: specifies the IP address of the DHCP server.

Views
Interface view, system view

Default Level
2: Configuration level

Usage Guidelines
When the IP address of the DHCP server is not specified, there are two cases:

- If the command is used in the system view, release packets are sent to all DHCP servers.
- If the command is used in the interface view, release packets are sent to all the relay
addresses configured on the interface.

Examples
# Send a release packet to the DHCP server at 10.110.91.174, requesting to release the IP address
192.2.2.25 applied for by the client at 0050-ba34-2000.
<Eudemon> system-view
[Eudemon] dhcp relay release 192.2.2.25 0050-ba34-2000 10.110.91.174

3.19.8 dhcp select (Interface View)

Function
Using the dhcp select command, you can set the process mode for the DHCP packets whose
destination address is the local host.

Using the undo dhcp select command, you can restore the default setting.


Format
dhcp select { global | interface | relay }
undo dhcp select

Parameters
global: transmits the DHCP packets to the local DHCP server that assigns addresses in the global
address pool.
interface: transmits the DHCP packets to the local DHCP server that assigns addresses in the
interface address pool.
relay: transmits the DHCP packets through the relay to the external DHCP server that assigns
addresses.

Views
Ethernet interface view, Sub-interface view

Default Level
2: Configuration level

Usage Guidelines
If the DHCP server and the client are in the same sub-network, DHCP packets are sent directly
between them; if they are in different sub-networks, enable the DHCP relay so that the external
DHCP server assigns the IP address. If the network scale is small, assign the IP address from
the interface-based address pool.
By default, the DHCP packets whose destination address is the local host are transmitted to the
internal server to assign addresses in the global address pool (in the global mode).

Examples
# For the DHCP packets whose destination address is the local host, configure to assign the
addresses in the interface address pool of the internal DHCP server.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] dhcp select interface

Related Topics
3.19.9 dhcp select (System View)

3.19.9 dhcp select (System View)

Function
Using the dhcp select command, you can set the mode for the specified interfaces in a certain
range to process DHCP packets whose destination address is the local host.
Using the undo dhcp select command, you can restore the default setting.


Format
dhcp select { global | interface | relay } { interface interface-type sub-interface-number1
[ to interface-type sub-interface-number2 ] | all }
undo dhcp select { interface interface-type sub-interface-number1 [ to interface-type sub-
interface-number2 ] | all }

Parameters
global: transmits the DHCP packets to the local DHCP server that assigns addresses in the global
address pool.
interface: transmits the DHCP packets to the local DHCP server that assigns addresses in the
interface address pool.
relay: transmits the DHCP packets through the relay to the external DHCP server that assigns
addresses.
interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ]: the
keyword "to" connects two sub-interfaces and selects all the sub-interfaces between them,
including the two that are named. The specified sub-interfaces must exist, must be on the same
main interface, and must be configured with IP addresses.
all: indicates all the interfaces.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the DHCP packets whose destination address is the local host are transmitted to the
internal server. The internal server assigns addresses in the global address pool (in the global
mode).

Examples
# Configure the sub-interfaces from Ethernet 0/0/0.1 to Ethernet 0/0/0.5 so that DHCP packets
whose destination address is the local host are served by the internal server from the interface
address pool.
<Eudemon> system-view
[Eudemon] dhcp select interface interface Ethernet 0/0/0.1 to Ethernet 0/0/0.5

Related Topics
3.19.8 dhcp select (Interface View)

3.19.10 dhcp server detect

Function
Using the dhcp server detect command, you can enable detection of pseudo DHCP servers.
Using the undo dhcp server detect command, you can disable detection of pseudo DHCP servers.

Format
dhcp server detect
undo dhcp server detect

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, pseudo DHCP server detection is disabled.
After pseudo DHCP server detection is enabled, the Eudemon records related information, such as
the IP address and interface of the pseudo DHCP server, so that the administrator can discover
and deal with the fault on the DHCP server. Users are then not affected by network service
interruptions caused by an incorrect IP address obtained from the DHCP server.

Examples
# Enable detecting the pseudo DHCP server.
<Eudemon> system-view
[Eudemon] dhcp server detect
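
What pseudo DHCP server detection amounts to, as an added Python example (not Huawei's code and not the Eudemon's implementation): it parses observed DHCP replies and reports the source address and interface of every server outside an allowlist. The packets, the addresses, the allowlist and all function names are constructed for illustration, and replies are assumed to arrive directly from the server rather than through a relay.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # precedes the DHCP options (RFC 2131)
BOOTP_HEADER_LEN = 236               # fixed BOOTP header length
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # only servers send these


def parse_dhcp(payload):
    """Parse one UDP payload into op code, offered address and raw options."""
    if len(payload) < BOOTP_HEADER_LEN + len(MAGIC_COOKIE):
        raise ValueError("truncated BOOTP header")
    if payload[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = BOOTP_HEADER_LEN + 4
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:              # pad is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("option %d has no length byte" % code)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d overruns the packet" % code)
        options[code] = value
        i += 2 + length
    return {"op": payload[0],
            "yiaddr": ipaddress.IPv4Address(payload[16:20]),
            "options": options}


def detect_pseudo_servers(observations, trusted_servers):
    """Return [(source_ip, interface, [message names])] for untrusted servers.

    observations: iterable of (interface, source_ip, udp_payload).
    A reply counts as untrusted when its source address or its server
    identifier (option 54) is missing from trusted_servers, so a reply that
    merely claims a trusted identifier is still reported.
    """
    trusted = {ipaddress.IPv4Address(a) for a in trusted_servers}
    seen = {}
    for interface, source_ip, payload in observations:
        try:
            pkt = parse_dhcp(payload)
        except ValueError:
            continue                     # not DHCP or malformed: skipped here
        msg = pkt["options"].get(OPT_MSG_TYPE, b"")
        if pkt["op"] != 2 or len(msg) != 1 or msg[0] not in SERVER_MSG_TYPES:
            continue                     # client message, not a server reply
        source = ipaddress.IPv4Address(source_ip)
        sid = pkt["options"].get(OPT_SERVER_ID, b"")
        claimed = ipaddress.IPv4Address(sid) if len(sid) == 4 else source
        if source in trusted and claimed in trusted:
            continue
        key = (str(source), interface)
        seen.setdefault(key, set()).add(SERVER_MSG_TYPES[msg[0]])
    return [(ip, ifc, sorted(seen[(ip, ifc)])) for ip, ifc in sorted(seen)]


def build_sample(msg_type, server_id, yiaddr, op=2):
    """Constructed test input: a minimal BOOTP message with options 53 and 54."""
    server = ipaddress.IPv4Address(server_id).packed
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, 0x1234, 0, 0,
        bytes(4), ipaddress.IPv4Address(yiaddr).packed, server, bytes(4),
        bytes.fromhex("0000e03f0305"), b"", b"")
    options = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4]) + server
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


# Constructed observations: (interface, source IP, UDP payload).
SAMPLE_OBSERVATIONS = [
    ("Ethernet0/0/0", "10.1.1.1", build_sample(2, "10.1.1.1", "10.1.1.50")),
    ("Ethernet0/0/1", "192.168.7.7", build_sample(2, "192.168.7.7", "192.168.7.20")),
    ("Ethernet0/0/1", "192.168.7.7", build_sample(5, "192.168.7.7", "192.168.7.20")),
    # Source differs from the trusted identifier it claims in option 54.
    ("Ethernet0/0/1", "192.168.7.8", build_sample(2, "10.1.1.1", "192.168.7.30")),
    # Client DISCOVER and a non-DHCP payload: both ignored.
    ("Ethernet0/0/1", "0.0.0.0", build_sample(1, "0.0.0.0", "0.0.0.0", op=1)),
    ("Ethernet0/0/1", "10.1.1.61", b"not a DHCP payload"),
]

if __name__ == "__main__":
    for ip, ifc, names in detect_pseudo_servers(SAMPLE_OBSERVATIONS, ["10.1.1.1"]):
        print("pseudo DHCP server %s on %s sent %s" % (ip, ifc, ", ".join(names)))
```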

3.19.11 dhcp server dns-list (Interface View)

Function
Using the dhcp server dns-list command, you can configure the IP address of the DNS server
used by the client that connects with the local interface.
Using the undo dhcp server dns-list command, you can remove the specified IP address of the
DNS server.

Format
dhcp server dns-list ip-address &<1-8>

undo dhcp server dns-list { ip-address | all }

Parameters
ip-address: specifies the IP address of the DNS server. In the command, you can configure up
to eight IP addresses for the DNS servers. These IP addresses are separated by spaces.

Views
Ethernet interface view, Sub-interface view

Default Level
2: Configuration level

Usage Guidelines
By default, no IP address of the DNS server is configured.

At present, up to eight IP addresses of the DNS server can be configured in a DHCP address
pool.

Examples
# Specify the DNS server 1.1.1.254 for the DHCP interface address pool on Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] dhcp server dns-list 1.1.1.254

Related Topics
3.19.18 dhcp server ip-pool
3.19.12 dhcp server dns-list (System View)
3.19.36 dns-list

3.19.12 dhcp server dns-list (System View)

Function
Using the dhcp server dns-list command, you can configure the IP addresses of the DNS servers
that the DHCP address pools of multiple interfaces in a specified range assign to the DHCP
client.

Using the undo dhcp server dns-list command, you can delete the configured IP addresses.

Format
dhcp server dns-list ip-address &<1-8> { all | interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ] | interface interface-type interface-number }

undo dhcp server dns-list { ip-address | all } { all | interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ] | interface interface-type interface-number }

Parameters
ip-address: specifies the IP address of the DNS. In the command, up to eight IP addresses can
be configured. These IP addresses are separated by spaces.

interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ]:
specifies the DNS server for the address pool of the sub-interface. The keyword "to" is used to
connect two sub-interfaces. It indicates all the sub-interfaces (including these two sub-interfaces)
between two interfaces. Sub-interfaces here must be on the same main interface and configured
with IP addresses.

interface interface-type interface-number: specifies the DNS server for the interface address
pool.

all: the former "all" in the undo command indicates the addresses of all the gateways, while the
latter one indicates all the interfaces.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, no IP address is configured for the DNS server.

At present, up to eight IP addresses of the DNS server can be configured in a DHCP address
pool.

Examples
# Specify the DNS server 1.1.1.254 for the DHCP address pools configured on the interfaces
from Ethernet 0/0/0.1 to Ethernet 0/0/0.5.
<Eudemon> system-view
[Eudemon] dhcp server dns-list 1.1.1.254 interface Ethernet 0/0/0.1 to Ethernet 0/0/0.5

Related Topics
3.19.11 dhcp server dns-list (Interface View)
3.19.18 dhcp server ip-pool
3.19.36 dns-list

3.19.13 dhcp server domain-name (Interface View)

Function
Using the dhcp server domain-name command, you can configure the domain name assigned
to the client by the DHCP address pool on the current interface of the DHCP server.
Using the undo dhcp server domain-name command, you can delete the assigned domain
name.

Format
dhcp server domain-name domain-name
undo dhcp server domain-name

Parameters
domain-name: specifies the domain name that the DHCP server assigns to the client host. It is
a string of 3 to 50 characters.

Views
Ethernet interface view, Sub-interface view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Set the domain name assigned by the DHCP address pool on the interface as eth1_0_0.com.cn.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] dhcp server domain-name eth1_0_0.com.cn

Related Topics
3.19.14 dhcp server domain-name (System View)
3.19.18 dhcp server ip-pool
3.19.37 domain-name

3.19.14 dhcp server domain-name (System View)

Function
Using the dhcp server domain-name command, you can set the specified address pool on the
interfaces in a certain range to assign the domain name to the DHCP client.
Using the undo dhcp server domain-name command, you can delete the domain name assigned
to the DHCP client.

Format
dhcp server domain-name domain-name { all | interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ] | interface interface-type interface-number }

undo dhcp server domain-name { all | interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ] | interface interface-type interface-number }

Parameters
domain-name: specifies the domain name that the DHCP server assigns to the client host. It is
a string with 3 to 50 characters.

interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ]:
specifies the domain name of the DHCP client for the address pool of the sub-interface. The
keyword "to" is used to connect two sub-interfaces. It indicates all the sub-interfaces (including
these two sub-interfaces) between the two sub-interfaces. Sub-interfaces here must be on the
same main interface and configured with IP addresses.

interface interface-type interface-number: specifies the domain name of the DHCP client for
the interface address pool.

all: indicates all the interfaces.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, no domain name is assigned to the DHCP client.

Examples
# Set the domain name of the DHCP address pools on the interfaces from Ethernet 0/0/0.1 to
Ethernet 0/0/0.5 as e0_1_5.com.cn.
<Eudemon> system-view
[Eudemon] dhcp server domain-name e0_1_5.com.cn interface Ethernet 0/0/0.1 to Ethernet 0/0/0.5

Related Topics
3.19.14 dhcp server domain-name (System View)
3.19.18 dhcp server ip-pool
3.19.37 domain-name

3.19.15 dhcp server expired (Interface View)

Function
Using the dhcp server expired command, you can set the period of validity of IP address
leases.
Using the undo dhcp server expired command, you can restore the default.

Format
dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited }
undo dhcp server expired

Parameters
day day: specifies the days the validity lasts. The value ranges from 0 to 365. By default, it is
one day.
hour hour: specifies the hours the validity lasts. The value ranges from 0 to 23. By default, it is
0.
minute minute: specifies the minutes the validity lasts. The value ranges from 0 to 59. By default,
it is 0.
unlimited: indicates the period of validity is unlimited.

Views
Ethernet interface view, Sub-interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the period of validity is one day.

Examples
# Configure an unlimited period of validity of the leases for IP addresses in the address pool
on the interface Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] dhcp server expired unlimited

Related Topics
3.19.16 dhcp server expired (System View)
3.19.18 dhcp server ip-pool
3.19.38 expired

3.19.16 dhcp server expired (System View)

Function
Using the dhcp server expired command, you can set the period of validity of the leases for IP
addresses in the DHCP address pools on the interfaces in a certain range.
Using the undo dhcp server expired command, you can restore the default.

Format
dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited } { all | interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ] | interface interface-type interface-number }
undo dhcp server expired { all | interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ] | interface interface-type interface-number }

Parameters
day day: specifies the days the validity lasts. The value ranges from 0 to 365. By default, it is 1
day.
hour hour: specifies the hours the validity lasts. The value ranges from 0 to 23. By default, it is
0.
minute minute: specifies the minutes the validity lasts. The value ranges from 0 to 59. By default,
it is 0.
unlimited: indicates the period of validity is unlimited.
interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ]:
specifies the valid lease period for the address pool of the sub-interface. The keyword "to" is
used to connect two sub-interfaces. It indicates all the sub-interfaces (including these two sub-
interfaces) between the two sub-interfaces. Sub-interfaces here must be on the same main
interface and configured with IP addresses.
interface interface-type interface-number: specifies the valid lease period for the interface
address pool.
all: indicates all the interfaces.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the period of validity is one day.

Examples
# Configure an unlimited period of validity of the leases for IP addresses in the address pools
on the interfaces from Ethernet 0/0/0.1 to Ethernet 0/0/0.5.
<Eudemon> system-view
[Eudemon] dhcp server expired unlimited interface Ethernet 0/0/0.1 to Ethernet 0/0/0.5

Related Topics
3.19.15 dhcp server expired (Interface View)
3.19.18 dhcp server ip-pool
3.19.38 expired

3.19.17 dhcp server forbidden-ip

Function
Using the dhcp server forbidden-ip command, you can configure the range of IP addresses
that do not participate in auto-allocation in the DHCP address pool.

Using the undo dhcp server forbidden-ip command, you can delete the specified range of IP
addresses that do not participate in auto-allocation.

Format
dhcp server forbidden-ip low-ip-address [ high-ip-address ]

undo dhcp server forbidden-ip low-ip-address [ high-ip-address ]

Parameters
low-ip-address: specifies the start IP address in the address range that does not participate in
auto-allocation.

high-ip-address: specifies the maximum IP address that does not participate in auto-allocation.
It is in the same segment as low-ip-address and should be larger than low-ip-address. If this
parameter is not specified, there is only one IP address, that is, low-ip-address.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, all the IP addresses in address pools participate in auto-allocation.

Use this command several times to set different IP address ranges that do not participate in
auto-allocation. When the undo dhcp server forbidden-ip command is used to delete the settings,
the parameters must be identical to the configured ones; part of a configured address range
cannot be deleted.

Examples
# Reserve the IP addresses from 10.110.1.1 to 10.110.1.63 so that they do not participate in auto-allocation.
<Eudemon> system-view
[Eudemon] dhcp server forbidden-ip 10.110.1.1 10.110.1.63

Related Topics
3.19.18 dhcp server ip-pool
3.19.44 network (DHCP)
3.19.50 static-bind ip-address

3.19.18 dhcp server ip-pool

Function
Using the dhcp server ip-pool command, you can create a DHCP address pool and enter the
DHCP address pool view.
Using the undo dhcp server ip-pool command, you can delete the specified address pool.

Format
dhcp server ip-pool pool-name
undo dhcp server ip-pool pool-name

Parameters
pool-name: specifies the name of the address pool. It is the unique identifier of the address pool.
It is a string with 1 to 35 characters.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, no DHCP address pool is created.
When using the dhcp server ip-pool command, you enter the DHCP address pool view
directly if the specified address pool exists. Otherwise, the address pool is created first and
then the DHCP address pool view is entered. Each DHCP server can be configured with multiple
address pools. At present, it supports 50 non-local address pools.

Examples
# Create the DHCP address pool with the ID 0.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0]

Related Topics
3.19.6 dhcp enable
3.19.38 expired
3.19.44 network (DHCP)

3.19.19 dhcp server nbns-list (Interface View)

Function
Using the dhcp server nbns-list command, you can configure the IP address of the NetBIOS
server that the DHCP address pool assigns to its client.

Using the undo dhcp server nbns-list command, you can delete the configuration.

Format
dhcp server nbns-list ip-address &<1-8>

undo dhcp server nbns-list { ip-address | all }

Parameters
ip-address: specifies the IP address of NetBIOS server.

all: indicates the IP addresses of all the NetBIOS servers.

Views
Ethernet interface view, Sub-interface view

Default Level
2: Configuration level

Usage Guidelines
By default, no NetBIOS address is configured.

At present, each DHCP address pool can be associated with eight NetBIOS servers.

Examples
# Configure the DHCP address pool on Ethernet 0/0/0 to assign the NetBIOS server with the
IP address 10.12.1.99 to its clients.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] dhcp server nbns-list 10.12.1.99

Related Topics
3.19.20 dhcp server nbns-list (System View)
3.19.18 dhcp server ip-pool
3.19.42 nbns-list
3.19.43 netbios-type

3.19.20 dhcp server nbns-list (System View)

Function
Using the dhcp server nbns-list command, you can configure the DHCP address pool on the
specified interface to allocate the NetBIOS server address for its client.
Using the undo dhcp server nbns-list command, you can delete the configuration.

Format
dhcp server nbns-list ip-address &<1-8> { all | interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ] | interface interface-type interface-number }
undo dhcp server nbns-list { ip-address | all } { all | interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ] | interface interface-type interface-number }

Parameters
ip-address: specifies the IP address of the NetBIOS server. Up to 8 IP addresses can be specified
in one command, separated by spaces.
interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ]:
specifies the NetBIOS server for the address pool of the sub-interface. The keyword "to" is used
to connect two sub-interfaces. It indicates all the sub-interfaces (including these two sub-
interfaces) between the two sub-interfaces.
interface interface-type interface-number: specifies the server for the interface address pool.
all: the former one indicates the IP addresses of all the NetBIOS servers, while the latter one
indicates all the interfaces.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, no NetBIOS address is configured.
One DHCP address pool can be associated with up to eight NetBIOS server IP addresses.

Examples
# Configure the DHCP address pools on the interfaces from Ethernet 0/0/0.1 to Ethernet
0/0/0.5 to assign the NetBIOS server with the IP address 10.12.1.99 to their clients.
<Eudemon> system-view
[Eudemon] dhcp server nbns-list 10.12.1.99 interface Ethernet 0/0/0.1 to Ethernet 0/0/0.5

Related Topics
3.19.19 dhcp server nbns-list (Interface View)
3.19.18 dhcp server ip-pool
3.19.42 nbns-list
3.19.43 netbios-type

3.19.21 dhcp server netbios-type (Interface View)

Function
Using the dhcp server netbios-type command, you can configure the NetBIOS node type of
the DHCP client on the current interface.
Using the undo dhcp server netbios-type command, you can restore the default setting.

Format
dhcp server netbios-type { b-node | h-node | m-node | p-node }
undo dhcp server netbios-type { b-node | h-node | m-node | p-node }

Parameters
b-node: indicates the broadcast mode, obtaining the mapping between the host name and the IP
address.
p-node: indicates the peer-to-peer mode. That is, the mapping relationship is obtained through
the communication with the NetBIOS server.
m-node: indicates the mixed mode, namely, the p-node with the broadcast feature.
h-node: indicates the hybrid mode, namely, the b-node with the peer-to-peer communication
mechanism.

Views
Ethernet interface view, Sub-interface view

Default Level
2: Configuration level

Usage Guidelines
By default, h-node is specified for the client.
When the NetBIOS protocol is used on the WAN, the DHCP client needs to set the mapping
between the host name and the IP address.

Examples
# Configure the DHCP address pool on Ethernet 0/0/0 to assign the p-node NetBIOS node type
to the client.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] dhcp server netbios-type p-node

Related Topics
3.19.22 dhcp server netbios-type (System View)
3.19.18 dhcp server ip-pool
3.19.42 nbns-list
3.19.43 netbios-type

3.19.22 dhcp server netbios-type (System View)

Function
Using the dhcp server netbios-type command, you can configure the NetBIOS node type of
the DHCP client on the current interface.
Using the undo dhcp server netbios-type command, you can restore the default setting.

Format
dhcp server netbios-type { b-node | h-node | m-node | p-node } { all | interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ] | interface interface-type interface-number }
undo dhcp server netbios-type { all | interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ] | interface interface-type interface-number }

Parameters
b-node: indicates the broadcast mode, obtaining the mapping between the host name and the IP
address.
p-node: indicates the peer-to-peer mode. That is, the mapping relationship is obtained through
the communication with the NetBIOS server.
m-node: indicates the mixed mode, namely, the b-node with peer-to-peer communication
mechanism.
h-node: indicates the hybrid mode, namely, the p-node with broadcast mechanism.
interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ]:
specifies the NetBIOS node type for the address pool of the sub-interface. The keyword "to" is
used to connect two sub-interfaces. It indicates all the sub-interfaces (including these two sub-
interfaces) between the two sub-interfaces. Sub-interfaces here must be on the same main
interface and configured with IP addresses.
interface interface-type interface-number: specifies the NetBIOS node type for the interface
address pool.
all: specifies the NetBIOS node type for all the interfaces.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, h-node is specified.
When the NetBIOS protocol is used on the WAN, the DHCP client needs to set the mapping
between the host name and the IP address.
After using this command, you cannot use the display current-configuration command to
display the information. Instead, you can run the dhcp server netbios-type (interface view)
command recursively to display the information.

Examples
# Configure the DHCP address pool on the interfaces from Ethernet 0/0/0.1 to Ethernet 0/0/0.5
to allocate the p-node NetBIOS to its clients.
<Eudemon> system-view
[Eudemon] dhcp server netbios-type p-node interface Ethernet 0/0/0.1 to Ethernet 0/0/0.5

Related Topics
3.19.21 dhcp server netbios-type (Interface View)
3.19.18 dhcp server ip-pool
3.19.42 nbns-list
3.19.43 netbios-type

3.19.23 dhcp server option (Interface View)

Function
Using the dhcp server option command, you can configure the user-defined options of the
DHCP address pool on the current interface.
Using the undo dhcp server option command, you can delete the configuration.

Format
dhcp server option code { ascii ascii-string | hex hex-string | ip-address ip-address &<1-8> }
undo dhcp server option code

Parameters
code: specifies the value of the user-defined option. It is an integer ranging from 2 to 254.
ascii ascii-string: indicates the ASCII character string. ascii-string is a string of 1 to 63 characters.
hex hex-string: indicates the hexadecimal number string of 2 bits or 4 bits (such as aa or aabb).
ip-address ip-address &<1-8>: specifies the IP address enabled with the option function. You
can configure one to eight IP addresses.

Views
Ethernet interface view, Sub-interface view

Default Level
2: Configuration level

Usage Guidelines
The Option field in the DHCP packet carries control messages and parameters that are not
defined in common protocols. After the Option field is configured on the DHCP server, the
DHCP client can obtain the configuration information from the Option field carried in the
DHCP response packets sent by the server.

NOTE

Configuring a DHCP user-defined option is optional. Common functions, such as DNS service for
the client, NetBIOS service and lease, cannot be configured using the option command. They can
only be implemented through the related commands.

Examples
# Define option code 100 with the hexadecimal value 0xaa for the DHCP address pool on
Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] dhcp server option 100 hex aa

Related Topics
3.19.24 dhcp server option (System View)
3.19.45 option

3.19.24 dhcp server option (System View)

Function
Using the dhcp server option command, you can configure the user-defined options for the
interfaces in a certain range. After using this command, you cannot use the display current-
configuration command to display the information. Instead, you can use the dhcp server option
(interface view) command recursively.
Using the undo dhcp server option command, you can delete the configuration.

Format
dhcp server option code { ascii ascii-string | hex hex-string | ip-address ip-address &<1-8> } { all | interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ] | interface interface-type interface-number }

undo dhcp server option code { all | interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ] | interface interface-type interface-number }

Parameters
code: specifies the value of the user-defined option. It is an integer ranging from 2 to 254.

ascii ascii-string: indicates the ASCII character string. It is a string of 1 to 63 characters.

hex hex-string: indicates the hexadecimal number string of 2 bits or 4 bits (such as aa or aabb).

ip-address ip-address: specifies the IP address enabled with the option function. You can
configure one to eight IP addresses.

interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ]:
specifies the DHCP user-defined option for the address pool of the sub-interface. The keyword
"to" is used to connect two sub-interfaces. It indicates all the sub-interfaces (including these two
sub-interfaces) between the two sub-interfaces. Sub-interfaces here must be on the same main
interface and configured with IP addresses.

interface interface-type interface-number: specifies the DHCP user-defined option for the
interface address pool.

all: specifies the DHCP user-defined option for all the interfaces.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
The Option field of the DHCP packet carries control information and parameters that some
common protocols leave undefined. If this command is configured on the DHCP server, the DHCP
client obtains the configuration information from the Option fields of the DHCP packets with
which the server responds when the DHCP client applies for an IP address.

NOTE

DHCP user-defined option is optionally configured. Common functions, such as DNS service for the client,
NetBIOS service and lease, cannot be configured using the Option command. They can only be
implemented through related commands.

Examples
# Define option code 100 with the hexadecimal values 0x11 and 0x22 for the address pool on
the interface Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] dhcp server option 100 hex 11 22 interface Ethernet 0/0/0
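
An added example (not from the manual, and not the Eudemon's own code) showing what a user-defined option from 3.19.23 or 3.19.24 looks like to the client, assuming the value is sent in the standard RFC 2132 code/length/value layout and that each hex group is 2 or 4 hexadecimal digits. It applies the ranges given in the Parameters sections and flags the codes of the functions the NOTE says need their own commands; the function names and the code-to-command table are assumptions of this example.

```python
import ipaddress
import re

# RFC 2132 codes for the functions the NOTE says have dedicated commands.
DEDICATED = {6: "dhcp server dns-list", 44: "dhcp server nbns-list",
             46: "dhcp server netbios-type", 51: "dhcp server expired"}
SCOPE_KEYWORDS = {"all", "interface"}   # start of the System View interface range
HEX_GROUP = re.compile(r"(?:[0-9A-Fa-f]{2}){1,2}")   # "aa" or "aabb"


def encode_value(kind, tokens):
    """Turn the ascii / hex / ip-address argument into the option's value bytes."""
    if kind == "ascii":
        if len(tokens) != 1 or not 1 <= len(tokens[0]) <= 63 or not tokens[0].isascii():
            raise ValueError("ascii-string must be 1 to 63 ASCII characters")
        return tokens[0].encode("ascii")
    if kind == "hex":
        if not tokens or any(not HEX_GROUP.fullmatch(t) for t in tokens):
            raise ValueError("hex-string groups must be 2 or 4 hex digits")
        return bytes.fromhex("".join(tokens))
    if kind == "ip-address":
        if not 1 <= len(tokens) <= 8:
            raise ValueError("one to eight IP addresses are allowed")
        # IPv4Address raises a ValueError subclass on a malformed address.
        return b"".join(ipaddress.IPv4Address(t).packed for t in tokens)
    raise ValueError("unknown value type %r" % kind)


def lint_option_command(line):
    """Return (tlv_bytes, warnings) for one 'dhcp server option' command line."""
    tokens = line.split()
    if tokens[:3] != ["dhcp", "server", "option"] or len(tokens) < 5:
        raise ValueError("not a dhcp server option command")
    code, kind, rest = int(tokens[3]), tokens[4], tokens[5:]
    if not 2 <= code <= 254:
        raise ValueError("code must be an integer from 2 to 254")
    if kind == "ascii":
        rest = rest[:1]                  # the string itself is a single token
    else:
        for i, tok in enumerate(rest):   # drop the trailing interface range
            if tok in SCOPE_KEYWORDS:
                rest = rest[:i]
                break
    value = encode_value(kind, rest)
    warnings = []
    if code in DEDICATED:
        warnings.append("option %d is a common function; configure it with '%s'"
                        % (code, DEDICATED[code]))
    return bytes([code, len(value)]) + value, warnings


if __name__ == "__main__":
    for cmd in ("dhcp server option 100 hex aa",
                "dhcp server option 100 hex 11 22 interface Ethernet 0/0/0",
                "dhcp server option 6 ip-address 1.1.1.254 all"):   # constructed
        tlv, warnings = lint_option_command(cmd)
        print(cmd, "->", tlv.hex(" "), warnings)
```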

Related Topics
3.19.23 dhcp server option (Interface View)
3.19.45 option

3.19.25 dhcp server ping

Function
Using the dhcp server ping command, you can configure the maximum number and the longest
response-wait time of the ping packets.
Using the undo dhcp server ping command, you can restore the default.

Format
dhcp server ping { packets number | timeout interval }
undo dhcp server ping { packets | timeout }

Parameters
packets number: specifies the maximum number of the ping packets to be sent. It is an integer
ranging from 0 to 10. 0 indicates no ping operation. By default, it is 2.
timeout interval: indicates the longest response-wait time of each ping packet in milliseconds.
It is an integer ranging from 0 to 10000 milliseconds. By default, it is 500 milliseconds.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
The DHCP server sends ping packets to detect whether an address is in use, which avoids the
address collision caused by the repeated allocation of IP addresses.

Examples
# Set the maximum number of ping packets to be sent by the DHCP server to 10, and keep the
default response-wait time of 500 ms.
<Eudemon> system-view
[Eudemon] dhcp server ping packets 10

3.19.26 dhcp server static-bind

Function
Using the dhcp server static-bind command, you can configure a static binding for an IP
address in the DHCP address pool on the current interface.

Using the undo dhcp server static-bind command, you can delete the configuration.

Format
dhcp server static-bind ip-address ip-address mac-address mac-address

undo dhcp server static-bind { ip-address ip-address | mac-address mac-address }

Parameters
ip-address: specifies the IP address statically bound. It must be a valid IP address in the current
interface address pool.

mac-address: specifies the MAC address statically bound.

Views
Ethernet interface view, Sub-interface view

Default Level
2: Configuration level

Usage Guidelines
By default, static address binding is not configured in the interface address pool.

Each IP address and each MAC address must be unique among all the static address bindings on an interface.

Examples
# Statically bind the MAC address 0000-e03f-0305 with the IP address 10.1.1.1.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] dhcp server static-bind ip-address 10.1.1.1 mac-address 0000-e03f-0305

3.19.27 display dhcp relay address

Function
Using the display dhcp relay address command, you can view the configurations of the DHCP
relay on an interface.

Format
display dhcp relay address [ interface interface-type interface-number | all ]

Parameters
interface-type interface-number: specifies the name and the number of the interface.

all: indicates all the interfaces.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# View the DHCP relay address configurations of all the interfaces.
<Eudemon> display dhcp relay address all
** Ethernet0/0/0 DHCP Relay Address **
Relay Address [0] : 3.3.3.3

Table 3-31 Description of the display dhcp relay address command output

Item                               Description
Ethernet0/0/0 DHCP Relay Address   Views the DHCP relay address on the specified interface

Related Topics
3.19.40 ip relay address (Interface View)

3.19.28 display dhcp relay statistics

Function
Using the display dhcp relay statistics command, you can view the statistics on DHCP relay,
such as the number of incorrect packets, the number of DHCP packets received from clients,
the number of DHCP packets received from servers, the number of DHCP packets sent to
servers, and the number of DHCP packets sent to clients (including unicast and broadcast
packets).

Format
display dhcp relay statistics


Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# View the statistics of the DHCP relay.
<Eudemon> display dhcp relay statistics
Bad Packets received: 0
DHCP packets received from clients: 0
DHCP DISCOVER packets received: 0
DHCP REQUEST packets received: 0
DHCP DECLINE packets received: 0
DHCP RELEASE packets received: 0
DHCP INFORM packets received: 0
DHCP packets received from servers: 0
DHCP OFFER packets received: 0
DHCP ACK packets received: 0
DHCP NAK packets received: 0
DHCP packets sent to servers: 0
DHCP packets sent to clients: 0
Unicast packets sent to clients: 0
Broadcast packets sent to clients: 0

Table 3-32 Description of the display dhcp relay statistics command output

Item                                  Description
Bad Packets received                  Number of received incorrect packets
DHCP packets received from clients    Number of DHCP packets received from clients
DHCP DISCOVER packets received        Number of received DHCP DISCOVER packets
DHCP REQUEST packets received         Number of received DHCP REQUEST packets
DHCP DECLINE packets received         Number of received DHCP DECLINE packets
DHCP INFORM packets received          Number of received DHCP INFORM packets
DHCP packets received from servers    Number of DHCP packets received from servers
DHCP OFFER packets received           Number of received DHCP OFFER packets
DHCP ACK packets received             Number of received DHCP ACK packets
DHCP NAK packets received             Number of received DHCP NAK packets
DHCP packets sent to servers          Number of packets sent to servers
DHCP packets sent to clients          Number of packets sent to clients
Unicast packets sent to clients       Number of unicast packets sent to clients
Broadcast packets sent to clients     Number of broadcast packets sent to clients

3.19.29 display dhcp server conflict

Function
Using the display dhcp server conflict command, you can view the statistics of DHCP address
conflicts, such as the conflicting IP addresses, the detection type of each conflict, and the
time at which the conflict occurred.

Format
display dhcp server conflict { all | ip ip-address }

Parameters
all: checks statistics on all conflict IP addresses.

ip-address: checks statistics on the specified conflict IP address.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If the parameter all is selected, all conflicting addresses are displayed. If the parameter
ip ip-address is selected, the conflict information of the specified address is displayed.

Examples
# Display the statistics of the DHCP address collision.
<Eudemon> display dhcp server conflict all
Address Discover Time
10.110.1.2 Jan 11 2003 11:57: 7 PM

Table 3-33 lists the description of the display dhcp server conflict command output.


Table 3-33 Description of the display dhcp server conflict command output

Item             Description
Address          Conflicted IP addresses
Discover Time    Discovered conflict time

Related Topics
3.19.47 reset dhcp server conflict

3.19.30 display dhcp server expired

Function
Using the display dhcp server expired command, you can view the expired address leases in
the DHCP address pool. Under certain conditions, the expired addresses can be assigned to other
DHCP clients.

Format
display dhcp server expired { ip ip-address | pool [ pool-name ] | interface [ interface-type
interface-number ] | all }

Parameters
ip-address: specifies an IP address.
pool-name: specifies the name of the global address pool. It is a string with 1 to 64 characters.
If no pool name is specified, it indicates all global address pools.
interface-type interface-number: specifies the address pool of the interface. The absence of the
parameter means all the interface address pools.
all: checks all expired IP addresses.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the expired leases in the DHCP address pool.
<Eudemon> display dhcp server expired all
Global pool:
IP address Hardware address Lease expiration Type
2.2.2.2 4444-4444-4444 NOT Used Manual
Interface pool:
IP address Hardware address Lease expiration Type

Table 3-34 lists the description of the display dhcp server expired command output.

Table 3-34 Description of the display dhcp server expired command output

Item                Description
Global pool:        Information about the expired leases in the global address pool
Interface pool:     Information about the expired leases in the interface address pool
IP address          Bound IP addresses
Hardware address    Bound MAC addresses
Lease expiration    Lease expiration
Type                Type of binding addresses:
                    - Manual: manual binding
                    - Auto: automatic binding

3.19.31 display dhcp server free-ip

Function
Using the display dhcp server free-ip command, you can view the unused address range of the
DHCP address pool.

Format
display dhcp server free-ip

Parameters
None

Views
All views

Default Level
1: Monitoring level


Usage Guidelines
None

Examples
# Display the available address range of the DHCP address pool.
<Eudemon> display dhcp server free-ip
IP Range from 1.0.0.0 to 2.2.2.1
IP Range from 2.2.2.3 to 2.255.255.255
IP Range from 4.0.0.0 to 4.255.255.255
IP Range from 5.5.5.0 to 5.5.5.0
IP Range from 5.5.5.2 to 5.5.5.255

Table 3-35 Description of the display dhcp server free-ip command output

Item                Description
IP Range from to    Displays the address range of the DHCP address pool

3.19.32 display dhcp server ip-in-use

Function
Using the display dhcp server ip-in-use command, you can view the address binding
information of the DHCP client such as its hardware address, IP address and address lease.

Format
display dhcp server ip-in-use { ip ip-address | pool [ pool-name ] | interface [ interface-type
interface-number ] | all }

Parameters
ip-address: specifies an IP address. If this parameter is not specified, the binding information of
all the addresses is displayed.

pool-name: specifies a global address pool. It is a string of 1 to 64 characters. If this parameter
is not specified, the binding information of all the global address pools is displayed.

interface-type interface-number: specifies an interface address pool. If this parameter is not
specified, the binding information of all the interface address pools is displayed.

all: checks all binding information of IP addresses.

Views
All views


Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the address binding information of the DHCP address pool.
<Eudemon> display dhcp server ip-in-use all
Global pool:
IP address Hardware address Lease expiration Type
2.2.2.2 44444-4444-4444 NOT Used Manual
Interface pool:
IP address Hardware address Lease expiration Type
5.5.5.1 0050-ba28-930a Jun 5 2007 10:56: 7 AM Auto:COMMITED

Table 3-36 lists the description of the display dhcp server ip-in-use command output.

Table 3-36 Description of the display dhcp server ip-in-use command output

Item                Description
Global pool:        Information of the bound addresses in the global address pool
Interface pool:     Information of the bound addresses in the interface address pool
IP address          Bound IP addresses
Hardware address    Bound MAC addresses
Lease expiration    Lease expiration
Type                Type of binding addresses:
                    - Manual: manual binding
                    - Auto: automatic binding
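
The binding tables printed by display dhcp server ip-in-use and display dhcp server expired can be audited offline against the bindings an administrator expects. The Python below is an added example, not part of the Huawei manual: it parses the table layout shown above (including the space-padded seconds field) and reports unexpected, mismatched, or malformed entries. The sample text is constructed, and EXPECTED and all function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the layout shown above; the last two rows are invented
# for the example (one malformed MAC, one binding that differs from inventory).
SAMPLE = """\
Global pool:
IP address Hardware address Lease expiration Type
2.2.2.2 4444-4444-4444 NOT Used Manual
Interface pool:
IP address Hardware address Lease expiration Type
5.5.5.1 0050-ba28-930a Jun 5 2007 10:56: 7 AM Auto:COMMITED
5.5.5.9 44444-4444-4444 NOT Used Manual
5.5.5.10 0011-0011-0012 NOT Used Manual
"""

# Hypothetical inventory of bindings the administrator expects (IP -> MAC).
EXPECTED = {"2.2.2.2": "4444-4444-4444", "5.5.5.10": "0011-0011-0011"}

# MAC addresses are printed as three groups of four hex digits.
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")
# IP, MAC, lease (may contain spaces), type (last token on the line).
ROW_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(.+?)\s+(\S+)$")


def parse_lease(text):
    """Return a datetime, or None for the literal 'NOT Used'."""
    if text.strip().lower() == "not used":
        return None
    # Single-digit seconds are padded with a space ("10:56: 7 AM").
    compact = re.sub(r":\s+", ":", text.strip())
    return datetime.strptime(compact, "%b %d %Y %I:%M:%S %p")


def parse_bindings(output):
    """Parse the binding table into a list of dicts, one per binding row."""
    pool, rows = None, []
    for line in output.splitlines():
        line = line.strip()
        if line.lower() in ("global pool:", "interface pool:"):
            pool = line.split()[0].lower()      # "global" or "interface"
            continue
        match = ROW_RE.match(line)
        if not match:
            continue                            # column header or blank line
        ip, mac, lease, kind = match.groups()
        rows.append({"pool": pool, "ip": ip, "mac": mac.lower(),
                     "lease": parse_lease(lease), "type": kind})
    return rows


def audit(rows, expected):
    """Compare parsed bindings with the expected inventory."""
    findings = []
    for row in rows:
        if not MAC_RE.match(row["mac"]):
            findings.append((row["ip"], "malformed-mac"))
        elif row["ip"] not in expected:
            findings.append((row["ip"], "unexpected-binding"))
        elif expected[row["ip"]].lower() != row["mac"]:
            findings.append((row["ip"], "mac-mismatch"))
    return findings


if __name__ == "__main__":
    for ip, reason in audit(parse_bindings(SAMPLE), EXPECTED):
        print(f"{ip}: {reason}")
```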

3.19.33 display dhcp server statistics

Function
Using the display dhcp server statistics command, you can view the statistics of the DHCP
server, such as the number of the DHCP address pools, the auto or manually bound addresses
and the timeout addresses, the unidentifiable packets and the DHCP request or response packets.

Format
display dhcp server statistics


Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the statistics of the DHCP server.
<Eudemon> display dhcp server statistics
Global Pool:
Pool Number: 5
Binding
Auto: 0
Manual: 1
Expire: 0
Interface Pool:
Pool Number: 1
Binding
Auto: 1
Manual: 0
Expire: 0
Boot Request: 6
Dhcp Discover: 1
Dhcp Request: 4
Dhcp Decline: 0
Dhcp Release: 1
Dhcp Inform: 0
Boot Reply: 4
Dhcp Offer: 1
Dhcp Ack: 3
Dhcp Nak: 0
Bad Messages: 0

Table 3-37 lists the description of the display dhcp server statistics command output.

Table 3-37 Description of the display dhcp server statistics command output

Item                                        Description
Global Pool                                 Statistics on the global address pools
Interface Pool                              Statistics on the interface address pools
Pool Number                                 Number of the address pools
Auto                                        Number of the auto-bound IP addresses
Manual                                      Number of the manual-bound IP addresses
Expire                                      Number of the timeout IP addresses
Boot Request                                Number of the messages that the DHCP clients send
                                            to the DHCP server
Dhcp Discover, Dhcp Request, Dhcp Decline,  Statistics on the received DHCP packets
Dhcp Release, Dhcp Inform
Boot Reply                                  Number of the messages that the DHCP server sends
                                            to the DHCP clients
Dhcp Offer, Dhcp Ack, Dhcp Nak              Statistics on the sent DHCP packets
Bad Messages                                Statistics on the error packets

Related Topics
3.19.49 reset dhcp server statistics
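
The counters printed by display dhcp server statistics can be cross-checked after capture. This added Python example (not from the Huawei manual) parses the sample output above and derives a few checks. It assumes that Boot Request and Boot Reply count the same messages as the per-type counters, which holds for the sample; the limits and function names are hypothetical.

```python
# Example output of "display dhcp server statistics", copied from this section
# (the extraction has lost the original indentation).
SAMPLE = """\
Global Pool:
Pool Number: 5
Binding
Auto: 0
Manual: 1
Expire: 0
Interface Pool:
Pool Number: 1
Binding
Auto: 1
Manual: 0
Expire: 0
Boot Request: 6
Dhcp Discover: 1
Dhcp Request: 4
Dhcp Decline: 0
Dhcp Release: 1
Dhcp Inform: 0
Boot Reply: 4
Dhcp Offer: 1
Dhcp Ack: 3
Dhcp Nak: 0
Bad Messages: 0
"""

POOL_KEYS = {"Pool Number", "Auto", "Manual", "Expire"}
CLIENT_TYPES = ("Dhcp Discover", "Dhcp Request", "Dhcp Decline",
                "Dhcp Release", "Dhcp Inform")
SERVER_TYPES = ("Dhcp Offer", "Dhcp Ack", "Dhcp Nak")


def parse_server_statistics(output):
    """Split the output into per-pool binding counters and message counters."""
    stats = {"pools": {}, "messages": {}}
    pool = None
    for line in output.splitlines():
        line = line.strip()
        if line in ("Global Pool:", "Interface Pool:"):
            pool = stats["pools"].setdefault(line[:-1], {})
            continue
        key, sep, value = line.partition(":")
        if not sep or not value.strip().isdigit():
            continue                    # e.g. the bare "Binding" sub-heading
        key = key.strip()
        if pool is not None and key in POOL_KEYS:
            pool[key] = int(value)
        else:
            pool = None                 # message counters follow the pools
            stats["messages"][key] = int(value)
    return stats


def review(stats, max_decline=0, max_bad=0):
    """Derive cross-checks; max_decline and max_bad are assumed site limits."""
    m = stats["messages"]
    derived = {
        # Non-zero means the totals and the per-type counters disagree.
        "untyped_requests": m["Boot Request"] - sum(m[k] for k in CLIENT_TYPES),
        "untyped_replies": m["Boot Reply"] - sum(m[k] for k in SERVER_TYPES),
        # DISCOVERs that never received an OFFER (for example, an empty pool).
        "discover_without_offer": m["Dhcp Discover"] - m["Dhcp Offer"],
        "bindings": sum(p["Auto"] + p["Manual"] for p in stats["pools"].values()),
    }
    flags = []
    if derived["untyped_requests"] or derived["untyped_replies"]:
        flags.append("counter-mismatch")
    if derived["discover_without_offer"] > 0:
        flags.append("discover-without-offer")
    if m["Dhcp Decline"] > max_decline:     # clients refused an offered address
        flags.append("decline")
    if m["Bad Messages"] > max_bad:
        flags.append("bad-messages")
    return derived, flags


if __name__ == "__main__":
    print(review(parse_server_statistics(SAMPLE)))
```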

3.19.34 display dhcp server tree

Function
Using the display dhcp server tree command, you can view the tree-structure information of
the DHCP address pools. The information contains:

- Address pools of each node
- Option parameters
- Address leases
- DNS server

Format
display dhcp server tree { pool [ pool-name ] | interface [ interface-type interface-number ] |
all }

Parameters
pool-name: specifies the name of the global address pool. It is a string of 1 to 64 characters. The
absence of the parameter means all the global address pools.

interface-type interface-number: specifies the name of the interface address pool. The absence
of the parameter means all the interface address pools.

all: indicates all the DHCP address pools.

Views
All views


Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the tree-structure information of the DHCP address pools.
<Eudemon> display dhcp server tree all
Global pool:
Pool name: P1
Sibling node:p2
network 1.1.1.0 mask 255.255.255.0
dns-list 10.1.1.2
domain-name huawei.com
expired day 30 hour 0 minute 0
Pool name: p2
PrevSibling node:p1
network 10.1.1.0 mask 255.255.255.0
dns-list 10.1.1.20
domain-name huawei.com
expired day 10 hour 0 minute 0
Pool name: p3
PrevSibling node:p2
static-bind ip-address 5.5.5.5 mask 255.0.0.0
static-bind mac-address 0011-0011-0011
expired unlimited
Interface pool:
Pool name: Ethernet0/0/0
network 11.11.11.0 mask 255.255.255.0
gateway-list 11.11.11.1
dns-list 10.1.1.2
domain-name huawei.com
option 32 hex 22
nbns-list 10.1.1.3
netbios-type b-node
expired day 1 hour 0 minute 0

Table 3-38 lists the description of the display dhcp server tree command output.

Table 3-38 Description of the display dhcp server tree command output

Item                                            Description
Global pool                                     Information of the global address pools
Interface pool                                  Information of the interface address pools
Pool Name                                       Name of the address pools
network                                         Range of the assignable addresses
static-bind ip-address 5.5.5.5 mask 255.0.0.0   Static bound IP addresses
static-bind mac-address 0011-0011-0011          Static bound MAC addresses
Sibling node                                    Next sibling node (other subnets in the same natural
                                                segment) address pool of this node. The sequence between
                                                the sibling nodes is based on the configuration sequence.
PrevSibling node                                Previous sibling node of this node.
option                                          User-defined DHCP options
expired                                         Valid period of address lease, represented by days, hours
                                                and minutes
gateway-list                                    The gateway router assigned to the DHCP client
dns-list                                        DNS server assigned to the DHCP client
domain-name                                     Domain name specified for the DHCP client
nbns-list                                       NetBIOS server assigned to the DHCP client
netbios-type                                    NetBIOS node type specified for the DHCP client

3.19.35 display dhcp-client

Function
Using the display dhcp-client command, you can display information about the DHCP client
on each interface. The information displayed includes the state, the IP addresses applied, and
whether the DHCP client is enabled.

Format
display dhcp-client { all | interface interface-type interface-number } [ verbose ]

Parameters
interface-type interface-number: interface type and interface number.

Views
All views

Default Level
1: Monitoring level


Usage Guidelines
When the command contains the keyword verbose, all information items are displayed. When
the command does not contain the keyword verbose, the start time of the application, the time
of IP binding, and some other items are not displayed.

Examples
# Display all information about the DHCP client on the port Ethernet 0/0/0.
<Eudemon> display dhcp-client interface Ethernet 0/0/0 verbose
Ethernet0/0/0 dhcp client : enable
current state : BOUND
Begin time : 2008.05.06 09:29:23
Server IP : 192.168.0.1
Client IP : 192.168.0.2
Subnet mask : 255.255.255.192
Gateway :
Static route :
Bound time : 2008.05.06 09:29:30
Lease : 86400s
Renew time : 43200s
Rebind time : 75600s
09:29:42 05-06-2008

Related Topics
3.19.3 dhcp client enable

3.19.36 dns-list

Function
Using the dns-list command, you can configure the IP address of the DNS server that a global
DHCP address pool assigns to its clients.

Using the undo dns-list command, you can remove the configuration.

Format
dns-list ip-address &<1-8>

undo dns-list { ip-address | all }

Parameters
ip-address: specifies the IP address of DNS. Up to 8 IP addresses can be configured through a
command, separated by spaces.

all: indicates deleting all IP addresses (in the global DHCP address pool) allocated for the DNS
server of the client.

Views
DHCP address pool view


Default Level
2: Configuration level

Usage Guidelines
By default, no IP address of DNS server is configured.

You can configure up to eight IP addresses of the DNS servers in each DHCP address pool.

Examples
# Specify 1.1.1.254 as the IP address of the DNS server for DHCP address pool 0.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0] dns-list 1.1.1.254

Related Topics
3.19.11 dhcp server dns-list (Interface View)
3.19.12 dhcp server dns-list (System View)
3.19.18 dhcp server ip-pool

3.19.37 domain-name

Function
Using the domain-name command, you can configure the domain name that a global address pool
of the DHCP server assigns to clients.

Using the undo domain-name command, you can clear the assigned domain name.

Format
domain-name domain-name

undo domain-name domain-name

Parameters
domain-name: specifies the domain name that the DHCP server assigns to clients. It is a string
of 3 to 50 characters.

Views
DHCP address pool view

Default Level
2: Configuration level


Usage Guidelines
By default, no domain name is assigned to DHCP clients and the domain name is null.

Examples
# Set the domain name to mydomain.com.cn for DHCP address pool 0.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0] domain-name mydomain.com.cn

Related Topics
3.19.18 dhcp server ip-pool
3.19.13 dhcp server domain-name (Interface View)
3.19.14 dhcp server domain-name (System View)

3.19.38 expired

Function
Using the expired command, you can configure the lease for addresses in a global DHCP address
pool.

Using the undo expired command, you can restore the default setting.

Format
expired { day day [ hour hour [ minute minute ] ] | unlimited }

undo expired

Parameters
day day: specifies the number of days. The value ranges from 0 to 365. By default, the value is
1 day.

hour hour: specifies the number of hours. The value ranges from 0 to 23. By default, the value
is 0.

minute minute: specifies the number of minutes. The value ranges from 0 to 59. By default, the
value is 0.

unlimited: indicates the unlimited valid period.

Views
DHCP address pool view

Default Level
2: Configuration level


Usage Guidelines
By default, the IP address lease is one day.

Examples
# Set the leases of IP addresses in the global address pool 0 to one day, two hours and three
minutes.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0] expired day 1 hour 2 minute 3

Related Topics
3.19.18 dhcp server ip-pool
3.19.15 dhcp server expired (Interface View)
3.19.16 dhcp server expired (System View)

3.19.39 gateway-list

Function
Using the gateway-list command, you can configure the IP address of the gateway router used
by DHCP clients.

If the DHCP client needs to access the external server or host, packets must be received or
forwarded through the gateway router. Use this command to configure an IP address for the
gateway router.

Using the undo gateway-list command, you can delete the configuration.

Format
gateway-list ip-address & <1-8>

undo gateway-list { ip-address | all }

Parameters
ip-address: specifies the IP address of the gateway router. You can configure a maximum of
eight IP addresses in a command and separate them with spaces.

all: indicates the IP addresses of all gateways.

Views
DHCP address pool view

Default Level
2: Configuration level


Usage Guidelines
By default, no gateway router is configured.

Examples
# Associate the gateway router at 10.110.1.99 with the DHCP address pool 0.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0] gateway-list 10.110.1.99

Related Topics
3.19.18 dhcp server ip-pool
3.19.44 network (DHCP)

3.19.40 ip relay address (Interface View)

Function
Using the ip relay address command, you can configure a relay address on an interface for
transparent packet forwarding.
Using the undo ip relay address command, you can delete the configured relay address.

Format
ip relay address ip-address
undo ip relay address { ip-address | all }

Parameters
ip-address: specifies the IP address of the DHCP server.
all: indicates all the IP addresses of the DHCP server.

Views
Ethernet interface view, sub-interface view

Default Level
2: Configuration level

Usage Guidelines
The IP relay address indicates the IP address of the DHCP server or next-hop relay address
specified on the device enabled with DHCP relay.
When DHCP is enabled on an interface, you can specify the DHCP server or next-hop relay
address for the interface by configuring an IP relay address. The DHCP broadcast packets
received from this interface are sent to the specified server or next-hop relay address.
Therefore, the interface at the IP relay address should support the broadcast mode. You can
configure up to 20 relay addresses on each interface enabled with DHCP relay.
By default, no relay IP address is configured on any Ethernet interface.

NOTE

In some phases of DHCP configuration, the DHCP client sends broadcast packets; therefore, interfaces
configured with relay addresses should support the broadcast mode. That is, the ip relay address
command applies only to interfaces that support broadcast, such as the Ethernet interface.

Examples
# Specify IP addresses of two DHCP servers on Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ip relay address 202.38.1.2
[Eudemon-Ethernet0/0/0] ip relay address 202.38.1.3

3.19.41 ip relay address (System View)

Function
Using the ip relay address command, you can configure a relay address on the Ethernet interface
for transparent packet forwarding.
Using the undo ip relay address command, you can delete the configured relay address.

Format
ip relay address ip-address { all | interface interface-type sub-interface-number1
[ to interface-type sub-interface-number2 ] | interface interface-type interface-number }
undo ip relay address { ip-address | all } { all | interface interface-type sub-interface-number1
[ to interface-type sub-interface-number2 ] | interface interface-type interface-number }

Parameters
ip-address: specifies the IP address of the DHCP server.
interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ]: specifies a
range of sub-interfaces. The keyword to connects two sub-interfaces and indicates all the
sub-interfaces between them, including these two sub-interfaces. The sub-interfaces must be
on the same main interface and configured with IP addresses.
all: In the undo command, the first all refers to all relay addresses and the second all indicates
all interfaces.

Views
System view

Default Level
2: Configuration level


Usage Guidelines
By default, no relay address is configured on any Ethernet interface.

NOTE

In some phases of DHCP configuration, the DHCP client sends broadcast packets; therefore, interfaces
configured with relay addresses should support the broadcast mode. That is, the ip relay address
command applies only to interfaces that support broadcast, such as the Ethernet interface.

Examples
# Add a relay IP address for the interfaces between Ethernet0/0/0.1 and Ethernet0/0/0.5.
<Eudemon> system-view
[Eudemon] ip relay address 202.38.1.2 interface Ethernet 0/0/0.1 to Ethernet 0/0/0.5

3.19.42 nbns-list

Function
Using the nbns-list command, you can configure the IP address of the NetBIOS server for the
clients of a global DHCP address pool.

Using the undo nbns-list command, you can remove the configured IP address of the NetBIOS
server.

Format
nbns-list ip-address &<1-8>

undo nbns-list { ip-address | all }

Parameters
ip-address: specifies the IP address of NetBIOS server. You can configure up to eight IP
addresses in a command and separate them with spaces.

all: deletes IP addresses of all the NetBIOS servers.

Views
DHCP address pool view

Default Level
2: Configuration level

Usage Guidelines
By default, no IP address of the NetBIOS server is configured.

At present, you can configure up to eight NetBIOS servers for each DHCP address pool.


Examples
# Specify the NetBIOS server at 10.12.1.99 for the clients of DHCP address pool 0.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0] nbns-list 10.12.1.99

Related Topics
3.19.18 dhcp server ip-pool
3.19.19 dhcp server nbns-list (Interface View)
3.19.22 dhcp server netbios-type (System View)
3.19.43 netbios-type

3.19.43 netbios-type

Function
Using the netbios-type command, you can configure the NetBIOS node type of the clients of a
global DHCP address pool.
Using the undo netbios-type command, you can restore the default setting.

Format
netbios-type { b-node | h-node | m-node | p-node }
undo netbios-type

Parameters
b-node: indicates the broadcast mode. That is, the mappings between host names and IP addresses
are obtained by means of broadcast.
p-node: indicates the peer-to-peer mode. That is, mappings are obtained by means of
communicating with the NetBIOS server.
m-node: indicates the mixed (m) mode, namely, the p-node with the broadcast feature.
h-node: indicates the hybrid (h) mode, namely, the b-node with the peer-to-peer communication
mechanism.

Views
DHCP address pool view

Default Level
2: Configuration level

Usage Guidelines
By default, NetBIOS node type is specified as h-node.


Examples
# Specify b-node as the NetBIOS node type for the clients of DHCP address pool 0.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0] netbios-type b-node

Related Topics
3.19.18 dhcp server ip-pool
3.19.21 dhcp server netbios-type (Interface View)
3.19.22 dhcp server netbios-type (System View)
3.19.42 nbns-list

3.19.44 network (DHCP)

Function
Using the network command, you can configure IP address ranges used for dynamic address
allocation.

Using the undo network command, you can delete the configuration.

Format
network ip-address [ mask { mask | mask-length }]

undo network

Parameters
ip-address: specifies the subnet address of the IP address pool used for dynamic allocation.

mask: indicates the network mask of the IP address pool. Natural mask is adopted if the
parameter is not specified.

mask: specifies the mask of the IP address pool in dotted decimal notation.

mask-length: represents the mask length of the IP address pool. The value ranges from 0 to 32.

Views
DHCP address pool view

Default Level
2: Configuration level

Usage Guidelines
By default, no IP address range is configured for dynamic address allocation.


Addresses in each DHCP address pool must be in the same network segment. The newly configured
segment supersedes the original one. If the system requires several such address segments, you
can configure them in multiple address pools.

Examples
# Set an address range 192.168.8.0/24 for the DHCP address pool 0.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0] network 192.168.8.0 mask 255.255.255.0

Related Topics
3.19.18 dhcp server ip-pool
3.19.17 dhcp server forbidden-ip
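
Omitting mask makes the network command fall back to the natural (classful) mask, which can make a pool far larger than intended. This added Python example, not part of the manual, computes the segment that a network line implies. The function names are hypothetical, and how the device treats an address with host bits set is not stated in the manual, so the example only reports it.

```python
import ipaddress


def natural_prefix(addr):
    """Prefix length of the natural (classful) mask for an IPv4 address."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8       # class A
    if first_octet < 192:
        return 16      # class B
    if first_octet < 224:
        return 24      # class C
    raise ValueError(f"{addr} is class D/E and has no natural mask")


def mask_to_prefix(mask):
    """Accept either a mask length (0-32) or a dotted-decimal mask."""
    if mask.isdigit():
        length = int(mask)
        if not 0 <= length <= 32:
            raise ValueError(f"mask length {length} is outside 0-32")
        return length
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    # A valid mask has contiguous ones, so its inverse is 2**n - 1.
    if inverted & (inverted + 1):
        raise ValueError(f"{mask} is not a contiguous network mask")
    return 32 - inverted.bit_length()


def pool_segment(command):
    """Return (network, host_bits_set) for 'network ip-address [ mask ... ]'."""
    tokens = command.split()
    if len(tokens) not in (2, 4) or tokens[0] != "network":
        raise ValueError("expected: network ip-address [ mask { mask | mask-length } ]")
    addr = ipaddress.IPv4Address(tokens[1])
    if len(tokens) == 2:
        prefix = natural_prefix(addr)       # mask omitted: natural mask
    elif tokens[2] == "mask":
        prefix = mask_to_prefix(tokens[3])
    else:
        raise ValueError(f"unexpected keyword {tokens[2]!r}")
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return network, addr != network.network_address


if __name__ == "__main__":
    for line in ("network 192.168.8.0 mask 255.255.255.0",
                 "network 10.1.1.0 mask 24",
                 "network 10.1.1.0"):
        net, extra = pool_segment(line)
        print(f"{line!r}: {net} ({net.num_addresses} addresses, "
              f"host bits set: {extra})")
```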

3.19.45 option

Function
Using the option command, you can configure the self-defined options for a DHCP global
address pool.
Using the undo option command, you can delete the self-defined DHCP options.

Format
option code { ascii ascii-string | hex hex-string | ip-address ip-address }
undo option code

Parameters
code: specifies the value of the self-defined options. It is an integer ranging from 2 to 254.
ascii ascii-string: specifies an ASCII string. It is an integer ranging from 1 to 63.
hex hex-string: specifies a 2-digit or 4-digit hexadecimal string, such as aa or aabb.
ip-address ip-address & <1-8>: specifies an IP address. You can configure up to eight IP
addresses.

Views
DHCP address pool view

Default Level
2: Configuration level

Usage Guidelines
New options appear along with the development of DHCP. In order to accommodate these
options, you can add them manually to the attribute list of the DHCP server.


Examples
# Set the value of option code 100 to the hexadecimal numbers 0x11 and 0x22.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0] option 100 hex 11 22

Related Topics
3.19.23 dhcp server option (Interface View)
3.19.24 dhcp server option (System View)

3.19.46 reset dhcp relay statistics

Function
Using the reset dhcp relay statistics command, you can clear the DHCP relay statistics.

Format
reset dhcp relay statistics

Parameters
None

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Clear the DHCP relay statistics.
<Eudemon> reset dhcp relay statistics

Related Topics
3.19.28 display dhcp relay statistics

3.19.47 reset dhcp server conflict


Function
Using the reset dhcp server conflict command, you can release the conflicting IP addresses in
the DHCP address pool.

Format
reset dhcp server conflict { ip ip-address | all }

Parameters
ip ip-address: indicates the conflicting IP address.

all: indicates that all the conflicting IP addresses in the address pool are released.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Release all the conflicting IP addresses in the address pool.
<Eudemon> reset dhcp server conflict all

Related Topics
3.19.29 display dhcp server conflict

3.19.48 reset dhcp server ip-in-use

Function
Using the reset dhcp server ip-in-use command, you can clear the DHCP dynamic address
binding information.

Format
reset dhcp server ip-in-use { ip ip-address | pool [ pool-name ] | interface [ interface-type
interface-number ] | all }

Parameters
ip ip-address: specifies the binding information of a specified IP address.


pool-name: specifies a global address pool. It is a string of 1 to 64 characters. If no name is
specified, it indicates all global address pools.

interface-type interface-number: specifies an interface address pool. If no interface is specified,
it applies to all the interface address pools.

all: indicates all the address pools.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Clear the binding information of the address 10.110.1.1.
<Eudemon> reset dhcp server ip-in-use ip 10.110.1.1
The current configuration will delete the dynamic binding information of DHCP.
Are you sure?[Y/N]Y

Related Topics
3.19.32 display dhcp server ip-in-use

3.19.49 reset dhcp server statistics

Function
Using the reset dhcp server statistics command, you can clear the statistics of the DHCP server,
such as the number of DHCP address pools, the numbers of automatically bound, manually bound,
and expired addresses, the number of unknown packets, and the number of DHCP request or
response packets.

Format
reset dhcp server statistics

Parameters
None

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Clear the statistics of the DHCP server.
<Eudemon> reset dhcp server statistics

Related Topics
3.19.33 display dhcp server statistics

3.19.50 static-bind ip-address

Function
Using the static-bind ip-address command, you can bind an IP address statically.
Using the undo static-bind ip-address command, you can delete the statically bound IP address.

Format
static-bind ip-address ip-address [ mask { mask | mask-length } ]
undo static-bind ip-address

Parameters
ip-address: specifies the IP address to be bound.
mask: specifies the mask of the IP address to be bound. If it is not specified, the natural mask is
adopted.
mask-length: indicates the mask length. It is an integer ranging from 0 to 32.

Views
DHCP address pool view

Default Level
2: Configuration level

Usage Guidelines
By default, no IP address is bound statically.
Use the static-bind ip-address and static-bind mac-address commands to configure the bound
IP address and the bound MAC address respectively.

Examples
# Bind the PC whose MAC address is 0000-e03f-0305 with the IP address 10.1.1.1. The mask
is 255.255.255.0.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 1
[Eudemon-dhcp-1] static-bind ip-address 10.1.1.1 mask 255.255.255.0

Related Topics
3.19.18 dhcp server ip-pool
3.19.51 static-bind mac-address

3.19.51 static-bind mac-address

Function
Using the static-bind mac-address command, you can bind a MAC address statically.
Using the undo static-bind mac-address command, you can delete the statically bound MAC
address.

Format
static-bind mac-address mac-address
undo static-bind mac-address

Parameters
mac-address: specifies the host MAC address to be bound. It is in the format of H-H-H.

Views
DHCP address pool view

Default Level
2: Configuration level

Usage Guidelines
By default, no MAC address is bound statically.
The static-bind mac-address and static-bind ip-address commands must be used together to
configure the bound MAC address and IP address respectively.

Examples
# Bind the PC whose MAC address is 0000-e03f-0305 with the IP address 10.1.1.1. The mask
is 255.255.255.0.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0] static-bind ip-address 10.1.1.1 mask 255.255.255.0
[Eudemon-dhcp-0] static-bind mac-address 0000-e03f-0305

Related Topics
3.19.18 dhcp server ip-pool
3.19.50 static-bind ip-address

3.20 DNS Configuration Commands


3.20.1 display ip host
3.20.2 ip host

3.20.1 display ip host

Function
Using the display ip host command, you can view all the host names and their IP addresses.

Format
display ip host

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display all the host names and their IP addresses.
<Eudemon> display ip host
Host Age Flags Address
h1 0 static 10.1.1.1
h2 0 static 10.1.1.2

3.20.2 ip host

Function
Using the ip host command, you can assign the IP address corresponding to a host name.
Using the undo ip host command, you can cancel the configuration.

Format
ip host host-name ip-address
undo ip host host-name [ ip-address ]

Parameters
host-name: specifies the name of a host with 1 to 20 characters.
ip-address: specifies the IP address corresponding to a host name in the format of X.X.X.X.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, there is no host name and IP address.
You can set up to 50 static domain name resolution entries.

Examples
# Assign the IP address corresponding to the host Eudemon1 as 10.110.0.1.
<Eudemon> system-view
[Eudemon] ip host Eudemon1 10.110.0.1

# Assign the IP address corresponding to the host Eudemon2 as 10.110.0.2.
[Eudemon] ip host Eudemon2 10.110.0.2

# Assign the IP address corresponding to the host Eudemon3 as 10.110.0.3.
[Eudemon] ip host Eudemon3 10.110.0.3

# Remove the IP address 10.110.0.2 corresponding to the host name Eudemon2.
[Eudemon] undo ip host Eudemon2 10.110.0.2

3.21 OSPF Configuration Commands


3.21.1 abr-summary
3.21.2 area
3.21.3 asbr-summary
3.21.4 authentication-mode (OSPF Area View)
3.21.5 debugging ospf
3.21.6 default cost (OSPF View)
3.21.7 default interval
3.21.8 default limit
3.21.9 default tag
3.21.10 default type
3.21.11 default-cost
3.21.12 default-route-advertise
3.21.13 display debugging ospf
3.21.14 display ospf abr-asbr
3.21.15 display ospf asbr-summary
3.21.16 display ospf brief
3.21.17 display ospf cumulative
3.21.18 display ospf diagnostic-information
3.21.19 display ospf error
3.21.20 display ospf interface
3.21.21 display ospf lsdb
3.21.22 display ospf nexthop
3.21.23 display ospf peer
3.21.24 display ospf peer address
3.21.25 display ospf peer interface
3.21.26 display ospf peer route-id
3.21.27 display ospf request-queue
3.21.28 display ospf retrans-queue
3.21.29 display ospf routing
3.21.30 display ospf vlink
3.21.31 domain-id
3.21.32 filter-policy export (OSPF View)
3.21.33 filter-policy import (OSPF View)
3.21.34 import-route (OSPF View)
3.21.35 network (OSPF Area View)
3.21.36 nssa
3.21.37 opaque-capbility
3.21.38 ospf
3.21.39 ospf authentication-mode
3.21.40 ospf cost
3.21.41 ospf dr-priority
3.21.42 ospf mib-binding
3.21.43 ospf mtu-enable
3.21.44 ospf network-type
3.21.45 ospf timer dead
3.21.46 ospf timer hello
3.21.47 ospf timer poll
3.21.48 ospf timer retransmit
3.21.49 ospf trans-delay
3.21.50 peer (OSPF View)
3.21.51 preference (OSPF View)
3.21.52 reset ospf
3.21.53 router id
3.21.54 silent-interface
3.21.55 snmp-agent trap enable ospf
3.21.56 spf-schedule-interval
3.21.57 stub
3.21.58 vlink-peer

3.21.1 abr-summary

Function
Using the abr-summary command, you can configure the route aggregation on the area border
firewall.

Using the undo abr-summary command, you can cancel the function of route aggregation on
the area border firewall.

Format
abr-summary ip-address mask [ advertise | not-advertise ]

undo abr-summary { all | ip-address mask }

Parameters
ip-address: specifies a network segment address, in dotted-decimal format.
mask: specifies the network mask, in dotted-decimal format.
advertise: only advertises aggregation routes.
not-advertise: suppresses advertising routes in the relevant range.
all: cancels all route aggregation on the area border firewall.

Views
OSPF area view

Default Level
2: Configuration level

Usage Guidelines
By default, the area border firewall does not aggregate routes.
This command is applicable only to the ABR and is used for the route aggregation in an area.
The ABR only transmits an aggregated route to other areas. Route aggregation means that the
ABR processes the routing information so that, for each network segment configured with
route aggregation, only one route is transmitted to other areas. Multiple aggregation
network segments can be configured in an area. Thus OSPF can aggregate various network
segments together.

Examples
# Aggregate the routes in the two network segments, 36.42.10.0 and 36.42.110.0, of OSPF area
1 into one route 36.42.0.0 and transmit it to other areas.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] area 1
[Eudemon-ospf-1-area-0.0.0.1] network 36.42.10.0 0.0.0.255
[Eudemon-ospf-1-area-0.0.0.1] network 36.42.110.0 0.0.0.255
[Eudemon-ospf-1-area-0.0.0.1] abr-summary 36.42.0.0 255.255.0.0
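
The check below is an added example, not part of the Huawei manual. It takes the area-view commands from the example above, reports which network segments each abr-summary range covers, which segments fall outside every range, and how many addresses a range advertises to other areas without a configured segment behind them. It assumes the second argument of network is a wildcard mask, as in the examples on this page; the 36.43.5.0 line and all function names are constructed for illustration.

```python
import ipaddress

# Constructed input: the area-view commands from the example above, plus one
# hypothetical "network" line (36.43.5.0) that lies outside the summary range.
AREA_COMMANDS = """\
network 36.42.10.0 0.0.0.255
network 36.42.110.0 0.0.0.255
network 36.43.5.0 0.0.0.255
abr-summary 36.42.0.0 255.255.0.0
"""


def wildcard_to_network(address, wildcard):
    """Convert 'network' arguments (address + wildcard mask) to an IPv4Network."""
    wild = int(ipaddress.IPv4Address(wildcard))
    # A contiguous wildcard has the form 2**n - 1 (only low-order bits set).
    if wild & (wild + 1):
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    prefix_len = 32 - wild.bit_length()
    return ipaddress.ip_network(f"{address}/{prefix_len}", strict=False)


def parse_area(commands):
    """Collect 'network' segments and 'abr-summary' ranges from area-view commands."""
    networks, summaries = [], []
    for line in commands.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        if parts[0] == "network":
            networks.append(wildcard_to_network(parts[1], parts[2]))
        elif parts[0] == "abr-summary":
            # abr-summary takes a dotted-decimal network mask, not a wildcard.
            summaries.append(
                ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            )
    return networks, summaries


def audit_summaries(commands):
    """Relate each configured segment to the summary ranges of the area."""
    networks, summaries = parse_area(commands)
    report = {"covered": {}, "uncovered": [], "unused_addresses": {}}
    for summary in summaries:
        inside = [n for n in networks if n.subnet_of(summary)]
        report["covered"][str(summary)] = [str(n) for n in inside]
        # Addresses the aggregate announces that no configured segment backs.
        used = sum(n.num_addresses for n in ipaddress.collapse_addresses(inside))
        report["unused_addresses"][str(summary)] = summary.num_addresses - used
    # Segments outside every range are still sent to other areas one by one.
    report["uncovered"] = [
        str(n) for n in networks if not any(n.subnet_of(s) for s in summaries)
    ]
    return report


if __name__ == "__main__":
    for key, value in audit_summaries(AREA_COMMANDS).items():
        print(key, value)
```

A large unused_addresses value means other areas will route that whole range toward this ABR even though only part of it exists in the area.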

3.21.2 area

Function
Using the area command, you can enter OSPF area view.
Using the undo area command, you can cancel the designated area.

Format
area area-id
undo area area-id

Parameters
area-id: specifies the ID of the OSPF area, which can be a decimal integer (ranging from 0 to
4294967295) or in IP address format.

Views
OSPF view, OSPF area view

Default Level
2: Configuration level

Usage Guidelines
Before you delete the OSPF area by using the undo area command, you need to delete the related
configurations, such as configuration set by the network and vlink-peer commands. Otherwise,
errors appear.

Examples
# Enter area 0 view.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] area 0
[Eudemon-ospf-1-area-0.0.0.0]

3.21.3 asbr-summary

Function
Using the asbr-summary command, you can configure summarization of imported routes by
OSPF.

Using the undo asbr-summary command, you can cancel the summarization.

Format
asbr-summary ip-address mask [ not-advertise | tag tag-value ]

undo asbr-summary { all | ip-address mask }

Parameters
ip-address: specifies a matched IP address in dotted decimal notation.

mask: specifies an IP address mask in dotted decimal notation.

not-advertise: does not advertise routes matching the specified IP address and mask. Aggregated
route will be advertised without this parameter.

tag tag-value: controls advertisement of routes depending on Route-policy. tag-value is in the
range from 0 to 4294967295. By default, it is 1.

Views
OSPF view

Default Level
2: Configuration level

Usage Guidelines
By default, summarization of imported routes is disabled.

After the summarization of imported routes is configured, if the local firewall is an Autonomous
System Border Router (ASBR), this command summarizes the imported Type-5 LSAs in the
summary address range. When NSSA is configured, this command will also summarize the
imported Type-7 LSAs in the summary address range.

If the local firewall acts as both an ABR and a switch router in the NSSA, this command
summarizes Type-5 LSAs transformed from Type-7 LSAs. If the router is not the firewall in the
NSSA, the summarization is disabled.

Examples
# Configure summarization of the routes imported by the Eudemon.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] asbr-summary 10.2.0.0 255.255.0.0 not-advertise

Related Topics
3.21.15 display ospf asbr-summary

3.21.4 authentication-mode (OSPF Area View)

Function
Using the authentication-mode command, you can configure one area of OSPF to support the
authentication attribute.

Using the undo authentication-mode command, you can cancel the authentication attribute of
this area.

Format
authentication-mode { simple | md5 }

undo authentication-mode

Parameters
simple: uses simple text authentication mode.

md5: uses MD5 cipher text authentication mode.

Views
OSPF area view

Default Level
2: Configuration level

Usage Guidelines
By default, an area does not support the authentication attribute.

All the routers in one area must use the same authentication mode (no authentication, simple
text authentication, or MD5 cipher text authentication). If an authentication mode is
configured, all routers on the same segment must use the same authentication key. To configure
simple text authentication in this area, use the ospf authentication-mode simple command. To
configure cipher text authentication in this area, use the ospf authentication-mode md5
command.

Examples
# Enter area 0 view.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] area 0

# Specify the OSPF area 0 to support MD5 cipher text authentication.
[Eudemon-ospf-1-area-0.0.0.0] authentication-mode md5

Related Topics
3.21.39 ospf authentication-mode
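
The usage guideline above requires every router in an area to use the same authentication mode. The following added example (not part of the Huawei manual) compares the Authtype field of display ospf brief output (3.21.16) collected from several devices and reports areas without authentication and areas whose devices disagree. The sample outputs are constructed; the page only shows the value none, so md5 is a placeholder for whatever a device prints when authentication is configured, and one OSPF process per output is assumed.

```python
import re

# Constructed samples in the layout of the "display ospf brief" output in
# 3.21.16. "md5" is a placeholder value (assumption); only "none" is shown
# on the page.
FW_A = """\
OSPF Process 1 with Router ID 3.3.3.3
OSPF Protocol Information
RouterID: 3.3.3.3 Border Router: Area
Area Count: 2 Nssa Area Count: 0
Area 0.0.0.0:
Authtype: none Flags: <>
Interface: 20.0.0.2 (Ethernet 0/0/0)
Area 0.0.0.1:
Authtype: md5 Flags: <Transit>
Interface: 40.0.0.1 (Ethernet 0/0/1)
"""
FW_B = """\
OSPF Process 1 with Router ID 4.4.4.4
OSPF Protocol Information
Area Count: 1 Nssa Area Count: 0
Area 0.0.0.1:
Authtype: none Flags: <>
Interface: 40.0.0.2 (Ethernet 0/0/0)
"""

ROUTER_RE = re.compile(r"with Router ID\s+(\d+\.\d+\.\d+\.\d+)")
AREA_RE = re.compile(r"^\s*Area\s+(\d+\.\d+\.\d+\.\d+):")
AUTH_RE = re.compile(r"^\s*Authtype:\s*(\S+)")


def parse_brief(text):
    """Return (router_id, {area_id: authtype}) for one device's output."""
    router_id, area, auth = None, None, {}
    for line in text.splitlines():
        match = ROUTER_RE.search(line)
        if match and router_id is None:
            router_id = match.group(1)
            continue
        match = AREA_RE.match(line)
        if match:
            area = match.group(1)
            auth[area] = "unknown"  # until the Authtype line is seen
            continue
        match = AUTH_RE.match(line)
        if match and area is not None:
            auth[area] = match.group(1).lower()
    return router_id, auth


def audit_auth(outputs):
    """Compare per-area Authtype across devices; return a list of findings."""
    per_area = {}  # area id -> {router id: authtype}
    for text in outputs:
        router_id, auth = parse_brief(text)
        for area, mode in auth.items():
            per_area.setdefault(area, {})[router_id] = mode
    findings = []
    for area in sorted(per_area):
        modes = dict(sorted(per_area[area].items()))
        # Devices in one area reporting different modes.
        if len(set(modes.values())) > 1:
            findings.append(("mismatch", area, modes))
        # Devices whose area runs without authentication.
        for router_id, mode in modes.items():
            if mode == "none":
                findings.append(("no-auth", area, router_id))
    return findings


if __name__ == "__main__":
    for finding in audit_auth([FW_A, FW_B]):
        print(finding)
```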

3.21.5 debugging ospf

Function
Using the debugging ospf command, you can enable OSPF debugging.

Using the undo debugging ospf command, you can disable the function.

Using the debugging ospf packet command, you can enable the OSPF debugging of receiving
and sending packets.

Using the undo debugging ospf packet command, you can disable the OSPF debugging of
receiving and sending packets.

Using the debugging ospf spf command, you can enable the debugging in the process of SPF
calculation. The debugging information covers the IGP Shortcut and the forwarding adjacency.

Using the undo debugging ospf spf command, you can disable the debugging in the process of
SPF calculation.

Format
debugging ospf [ process-id ] { all | event | lsa-originate | te }

undo debugging ospf [ process-id ] { all | event | lsa-originate | te }

debugging ospf [ process-id ] packet [ ack | dd | hello | request | update ]

undo debugging ospf [ process-id ] packet [ ack | dd | hello | request | update ]

debugging ospf [ process-id ] spf { all | brief | intra }

undo debugging ospf [ process-id ] spf { all | brief | intra }

debugging ospf [ process-id ] spf { asbr-summary | ase | net-summary | nssa } [ acl acl-number | ip-prefix ip-prefix-name ]

undo debugging ospf [ process-id ] spf { all | asbr-summary | ase | intra | net-summary | nssa }

Parameters
process-id: specifies an OSPF process number. It is an integer in a range of 1 to 65535. If no
process number is specified, all the process debugging is enabled or disabled.

all: enables the debugging information about all OSPFs.

event: enables OSPF event information debugging.

lsa-originate: enables the debugging information about OSPF LSA packets.

te: enables the debugging of OSPF traffic engineering.

ack: enables the debugging of OSPF ACK packets.

dd: enables the debugging of OSPF DD packets.

hello: enables the debugging of OSPF Hello packets.

request: enables the debugging of OSPF Request packets.

update: enables the debugging of OSPF Update packets.

all(debugging ospf spf): enables the debugging of all SPFs.

brief: displays the SPF information in brief.

intra: enables the SPF debugging of intra-area LSA.

asbr-summary: enables the SPF debugging of ASBR-Summary LSA.

ase: enables the SPF debugging of ASE LSA.

net-summary: enables the SPF debugging of inter-area LSA.

nssa: enables the SPF debugging of NSSA LSA.

acl acl-number: specifies the basic ACL number in a range of 2000 to 2999.

ip-prefix ip-prefix-name: specifies the prefix list name. It is a string of 1 to 19 characters.

Views
User view

Default Level
3: Management level

Usage Guidelines
By default, OSPF debugging is disabled.

If no process number is specified, the debugging information of all OSPF processes is displayed.

When multiple OSPF processes are running, the debugging command can enable debugging either
for all processes at the same time or for one process.

If no process number is specified in the debugging command, the command is valid for all
processes, and the state is kept while the router is running regardless of whether an OSPF
process exits. In this way, the command enables or disables the debugging of each enabled
OSPF process. At the same time, the debugging specified by this command is enabled
automatically when a new OSPF process is enabled.

If a process number is specified in the debugging command, only the specified process is
debugged. The command is invalid if OSPF is not enabled, and the debugging state is not kept
after the process exits.

Examples
# Enable the debugging of all packets.
<Eudemon> debugging ospf all

# Enable the debugging of OSPF packets.
<Eudemon> debugging ospf packet

# Disable the SPF debugging of NSSA LSA.
<Eudemon> undo debugging ospf spf nssa

Related Topics
3.21.13 display debugging ospf

3.21.6 default cost (OSPF View)

Function
Using the default cost command, you can configure the default cost for OSPF to import external
routes.

Using the undo default cost command, you can restore the default value of the default routing
cost configured for OSPF to import external routes.

Format
default cost value
undo default cost

Parameters
value: specifies the default routing cost of external routes imported by OSPF. It ranges from 0
to 16777214. By default, the value is 1.

Views
OSPF view

Default Level
2: Configuration level

Usage Guidelines
Since OSPF can import external routing information and propagate it to the entire Autonomous
System (AS), it is necessary to specify the default routing cost for the protocol to import external
routes.
If multiple OSPF processes are enabled, the command is valid for this process only.

Examples
# Specify the default routing cost for OSPF to import external routes as 10.
<Eudemon> system-view
[Eudemon] ospf 1
[Eudemon-ospf-1] default cost 10

3.21.7 default interval

Function
Using the default interval command, you can configure the default interval for OSPF to import
external routes.
Using the undo default interval command, you can restore the default value of the default
interval of importing external routes.

Format
default interval seconds
undo default interval

Parameters
seconds: specifies the default interval for importing external routes. It ranges from 1 to
2147483647 seconds. By default, it is 1 second.

Views
OSPF view

Default Level
2: Configuration level

Usage Guidelines
Because OSPF can import the external routing information and broadcast it to the entire AS, it
is necessary to specify the default interval for the protocol to import external routes.

Examples
# Specify the default interval for OSPF to import external routes as 10 seconds.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] default interval 10

3.21.8 default limit

Function
Using the default limit command, you can configure the default value of the maximum number of
routes imported in a unit time.
Using the undo default limit command, you can restore the default value.

Format
default limit routes
undo default limit

Parameters
routes: sets the number of imported external routes in a unit time in a range of 200 to 2147483647.
By default, the value is 1000.

Views
OSPF view

Default Level
2: Configuration level

Usage Guidelines
OSPF can import external route information and broadcast it to the whole AS, so it is
necessary to regulate the default value of external route information imported in one process.

Examples
# Set the default maximum number of external routes that OSPF imports in a unit time to 200.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] default limit 200

Related Topics
3.21.7 default interval

3.21.9 default tag

Function
Using the default tag command, you can configure the default tag of OSPF when it redistributes
an external route.

Using the undo default tag command, you can restore the default tag of OSPF when it
redistributes the external route.

Format
default tag tag-value

undo default tag

Parameters
tag-value: sets a default tag in a range of 0 to 4294967295.

Views
OSPF view

Default Level
2: Configuration level

Usage Guidelines
When OSPF redistributes a route found by other routing protocols in the firewall and uses it as
the external routing information of its own AS, some additional parameters are required,
including the default cost and the default tag of the route.

Examples
# Set the default tag of the external routes imported by OSPF to 10.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] default tag 10

Related Topics
3.21.10 default type

3.21.10 default type

Function
Using the default type command, you can configure the default type when OSPF redistributes
external routes.

Using the undo default type command, you can restore the default type when OSPF redistributes
external routes.

Format
default type type

undo default type

Parameters
type: specifies the type of the external route, that is, type 1 or type 2.

Views
OSPF view

Default Level
2: Configuration level

Usage Guidelines
By default, the external routes of type 2 are imported.

OSPF specifies the two types of external routing information. The default type command can
be used to specify the default type when external routes are imported.

Examples
# Specify the default type as type 1 when OSPF imports an external route.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] default type 1

Related Topics
3.21.9 default tag

3.21.11 default-cost

Function
Using the default-cost command, you can configure the cost of the default route transmitted by
OSPF to the STUB or NSSA area.
Using the undo default-cost command, you can restore the cost of the default route transmitted
by OSPF to the STUB or NSSA area to the default value.

Format
default-cost value
undo default-cost

Parameters
value: specifies the cost value of the default route transmitted by OSPF to the STUB or NSSA
area in a range of 0 to 16777214.

Views
OSPF area view

Default Level
2: Configuration level

Usage Guidelines
By default, the cost of the default route transmitted by OSPF to the STUB or NSSA area is 1.
This command is applicable to the border routers connected to a STUB or NSSA area.
The stub and default-cost commands are necessary for configuring a STUB area. All the routers
connected to a STUB area must use the stub command to configure the stub attribute for this area.
Using the default-cost command, you can specify the cost of the default route transmitted by
the ABR to a STUB or NSSA area.
This command is only valid for this process if multiple OSPF processes are enabled.

Examples
# Set the area 1 as the STUB area and the cost of the default route transmitted to this STUB area
to 60.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] area 1
[Eudemon-ospf-1-area-0.0.0.1] network 20.0.0.0 0.255.255.255
[Eudemon-ospf-1-area-0.0.0.1] stub
[Eudemon-ospf-1-area-0.0.0.1] default-cost 60

Related Topics
3.21.57 stub
3.21.36 nssa

3.21.12 default-route-advertise

Function
Using the default-route-advertise command, you can import default route to OSPF route area.

Using the undo default-route-advertise command, you can cancel the import of default route.

Format
default-route-advertise [ always | cost cost-value | route-policy route-policy-name | type type-value ] *

undo default-route-advertise [ always | cost | route-policy | type ] *

Parameters
always: generates and advertises an ASE LSA that describes the default route even if the local
router is not configured with the default route. If this parameter is not set, the local router
generates the ASE LSA for the default route only when it is configured with the default route.

cost cost-value: specifies the cost value of this ASE LSA. The cost-value ranges from 0 to
16777214. By default, the value is 1.

route-policy route-policy-name: specifies a route policy. If the default route matches the route
policy specified by route-policy-name, the route policy affects the value in the ASE LSA.
route-policy-name is a string of 1 to 19 characters.

type type-value: specifies cost type of this ASE LSA. It ranges from 1 to 2. By default, the value
is 2.

Views
OSPF view

Default Level
2: Configuration level

Usage Guidelines
By default, OSPF does not import default route.

The import-route command cannot import the default route. To import the default route to the
route area, this command must be used. When the local device is not configured with a default
route, the keyword always should be used so that the ASE LSA for the default route is generated.

This command is valid for this process only if multiple OSPF processes are enabled.

Examples
# Import the ASE LSA which generates the default route to the OSPF area.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] default-route-advertise

# Generate the ASE LSA of the default route and advertise it to the OSPF route area even if the
local device has no default route.
[Eudemon-ospf-1] default-route-advertise always

# Import default route to the routing table of OSPF 168.
<Eudemon> system-view
[Eudemon] router id 10.110.0.8
[Eudemon] ospf 168
[Eudemon-ospf-168] default-route-advertise always

Related Topics
3.21.34 import-route (OSPF View)

3.21.13 display debugging ospf

Function
Using the display debugging ospf command, you can view the global OSPF debugging state
and each process debugging state.

Format
display debugging ospf

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the global OSPF debugging state and each process debugging state.
<Eudemon> display debugging ospf
OSPF global debugging state:
OSPF SPF INTRA debugging switch is on
OSPF SPF NETSUM debugging switch is on
OSPF SPF ASBRSUM debugging switch is on
OSPF SPF ASE debugging switch is on
OSPF SPF NSSA debugging switch is on
OSPF EVENT debugging switch is on
OSPF LSA debugging switch is on
OSPF all PACKET debugging switch is on
OSPF TE debugging switch is on

Table 3-39 lists the description of the display debugging ospf command output.

Table 3-39 Description of the display debugging ospf command output


Item                                  Description
OSPF global debugging                 Indicates the global OSPF debugging information switch.
OSPF SPF INTRA debugging switch       Indicates the OSPF debugging information switch about LSA in the area.
OSPF SPF NETSUM debugging switch      Indicates the OSPF debugging information switch about LSA between areas.
OSPF SPF ASBRSUM debugging switch     Indicates the OSPF debugging information switch about ASBR-Summary LSA.
OSPF SPF ASE debugging switch         Indicates the OSPF debugging information switch about ASE LSA.
OSPF SPF NSSA debugging switch        Indicates the OSPF debugging information switch about NSSA LSA.
OSPF EVENT debugging switch           Indicates the OSPF event debugging information switch.
OSPF LSA debugging switch             Indicates the OSPF LSA debugging information switch.
OSPF all PACKET debugging switch      Indicates all OSPF packet debugging information switch.
OSPF TE debugging switch              Indicates OSPF debugging information switch about traffic-engineering extensions.

Related Topics
3.21.5 debugging ospf

3.21.14 display ospf abr-asbr

Function
Using the display ospf abr-asbr command, you can view the Area Border Router (ABR) and
Autonomous System Border Router (ASBR) of OSPF.

Format
display ospf [ process-id ] abr-asbr

Parameters
process-id: specifies an OSPF process ID. It is an integer in a range of 1 to 65535.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the OSPF ABR and ASBR.
<Eudemon> display ospf abr-asbr
OSPF Process 1 with Router ID 10.1.1.2

Routing Table to ABR and ASBR

I = Intra i = Inter A = ASBR B = ABR S = SumASBR

   Destination    Area       Cost  Nexthop       Interface
IB 10.10.1.2      0.0.0.0    1     10.110.1.1    Ethernet1/0/0

Table 3-40 lists the description of the display ospf abr-asbr command output.

Table 3-40 Description of the display ospf abr-asbr command output

Item           Description
Destination    Information about ABR or ASBR
Area           Area number
Cost           Cost from the local router to ABR or ASBR
Nexthop        Next hop router through which packets are transmitted to the ABR or ASBR
Interface      The interface through which packets are transmitted to the ABR or ASBR

3.21.15 display ospf asbr-summary

Function
Using the display ospf asbr-summary command, you can view the summary of OSPF imported
routes.

Format
display ospf [ process-id ] asbr-summary [ ip-address mask ]

Parameters
process-id: specifies an OSPF process ID. It is an integer in a range of 1 to 65535.
ip-address: specifies a matched IP address in dotted decimal notation.
mask: specifies an IP address mask in dotted decimal notation.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If the ip-address and mask parameters are not configured, the summary of all imported routes
will be viewed.

Examples
# Display the summary of all OSPF imported routes.
<Eudemon> display ospf asbr-summary
OSPF Process 1 with Router ID 192.168.1.1
Summary Addresses
Total summary address count: 2

Summary Address
net : 168.10.0.0
mask : 255.254.0.0
tag : 1
status : Advertise
The Count of Route is 0

Summary Address
net : 1.1.0.0
mask : 255.255.0.0
tag : 1
status : DoNotAdvertise
The Count of Route is 0

Table 3-41 lists the description of the display ospf asbr-summary command output.

Table 3-41 Description of the display ospf asbr-summary command output

Item                           Description
Total Summary address count    Number of the aggregated routes
net                            Network address of the aggregated routes
mask                           Network mask of the aggregated routes
tag                            Tag of the aggregated routes
status                         Advertisement status of the aggregated routes:
                               - Advertise: Advertise after the aggregation.
                               - DoNotAdvertise: Do not advertise after the aggregation.
The count of route             Number of the aggregated routes

Related Topics
3.21.3 asbr-summary

3.21.16 display ospf brief

Function
Using the display ospf brief command, you can view the summary of OSPF.

Format
display ospf [ process-id ] brief

Parameters
process-id: specifies a process number of OSPF. It is an integer in a range of 1 to 65535.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If no process number is specified, this command displays all OSPF processes in configuration
sequence.
When locating OSPF faults, you can use this command to get the summary of OSPF and then
analyze the faults according to the summary.

Examples
# Display the OSPF summary.
<Eudemon> display ospf brief
OSPF Process 1 with Router ID 3.3.3.3


OSPF Protocol Information
RouterID: 3.3.3.3 Border Router: Area
Spf-schedule-interval: 5
Routing preference: Inter/Intra: 10 External: 150
Default ASE parameters: Metric: 1 Tag: 1 Type: 2
SPF computation count: 13
Area Count: 2 Nssa Area Count: 0

Area 0.0.0.0:
Authtype: none Flags: <>
SPF scheduled: <>
Interface: 20.0.0.2 (Ethernet 0/0/0)
Cost: 1 State: BackupDR Type: Broadcast
Priority: 1
Designated Router: 20.0.0.1
Backup Designated Router: 20.0.0.2
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1

Interface: 30.0.0.1 (Ethernet 0/0/1)


Cost: 1 State: DR Type: Broadcast
Priority: 1
Designated Router: 30.0.0.1
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1

Area 0.0.0.1:
Authtype: none Flags: <Transit>
SPF scheduled: <>
Interface: 40.0.0.1 (LoopBack0) --> 40.0.0.1
Cost: 1562 State: P To P Type: PointToPoint
Priority: 1
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1

# Display the summary of OSPF 100.


<Eudemon> display ospf 100 brief

OSPF Process 100 with Router ID 1.2.3.4


OSPF Protocol Information

RouterID: 1.2.3.4
Spf-schedule-interval: 5
Routing preference: Inter/Intra: 10 External: 150
Default ASE parameters: Metric: 1 Tag: 1 Type: 2
SPF computation count: 0
Area Count: 0 Nssa Area Count: 0
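
The Authtype field in this output shows, per area, whether OSPF packets are authenticated. The following Python sketch is an added example, not part of the Huawei documentation: it parses captured display ospf brief text and lists the interfaces in areas whose Authtype is none. The sample text is constructed from the output above, and the Authtype value md5 in it is an assumed spelling.

```python
import re

# Constructed sample modelled on the "display ospf brief" output above.
# "md5" for area 0.0.0.1 is an assumed value; the page only shows "none".
SAMPLE_BRIEF = """\
OSPF Process 1 with Router ID 3.3.3.3
OSPF Protocol Information
RouterID: 3.3.3.3 Border Router: Area
Area Count: 2 Nssa Area Count: 0

Area 0.0.0.0:
Authtype: none Flags: <>
SPF scheduled: <>
Interface: 20.0.0.2 (Ethernet 0/0/0)
Cost: 1 State: BackupDR Type: Broadcast
Priority: 1
Designated Router: 20.0.0.1
Backup Designated Router: 20.0.0.2
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1

Interface: 30.0.0.1 (Ethernet 0/0/1)
Cost: 1 State: DR Type: Broadcast
Priority: 1
Designated Router: 30.0.0.1
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1

Area 0.0.0.1:
Authtype: md5 Flags: <Transit>
SPF scheduled: <>
Interface: 40.0.0.1 (LoopBack0) --> 40.0.0.1
Cost: 1562 State: P To P Type: PointToPoint
Priority: 1
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1
"""

PROCESS_RE = re.compile(r"^OSPF Process (\d+) with Router ID (\S+)")
# "Area Count: 2 ..." must not be mistaken for an area header.
AREA_RE = re.compile(r"^Area (\d+\.\d+\.\d+\.\d+):\s*$")
AUTH_RE = re.compile(r"^Authtype:\s*(\S+)")
IFACE_RE = re.compile(r"^Interface:\s*(\S+)\s*\(([^)]+)\)")
STATE_RE = re.compile(r"State:\s*(.+?)\s+Type:\s*(\S+)")


def parse_ospf_brief(text):
    """Return a list of areas, each with its Authtype and interfaces."""
    areas = []
    process = area = iface = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROCESS_RE.match(line)
        if m:
            process, area, iface = int(m.group(1)), None, None
            continue
        m = AREA_RE.match(line)
        if m:
            area = {"process": process, "area": m.group(1),
                    "authtype": None, "interfaces": []}
            areas.append(area)
            iface = None
            continue
        if area is None:
            continue  # still inside the per-process header
        m = AUTH_RE.match(line)
        if m:
            area["authtype"] = m.group(1).lower()
            continue
        m = IFACE_RE.match(line)
        if m:
            iface = {"address": m.group(1), "name": m.group(2),
                     "state": None, "type": None}
            area["interfaces"].append(iface)
            continue
        m = STATE_RE.search(line)
        if m and iface is not None:
            iface["state"], iface["type"] = m.group(1), m.group(2)
    return areas


def unauthenticated_interfaces(areas):
    """List (process, area, interface, address) where Authtype is none.

    An area with no Authtype line at all is reported too: missing
    evidence is not treated as proof of authentication.
    """
    findings = []
    for area in areas:
        if area["authtype"] in (None, "none"):
            for iface in area["interfaces"]:
                findings.append((area["process"], area["area"],
                                 iface["name"], iface["address"]))
    return findings


if __name__ == "__main__":
    for finding in unauthenticated_interfaces(parse_ospf_brief(SAMPLE_BRIEF)):
        print("process %s area %s: %s (%s) has no OSPF authentication" % finding)
```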

3.21.17 display ospf cumulative

Function
Using the display ospf cumulative command, you can view the OSPF cumulative information.
The output of this command is helpful to OSPF fault diagnosis.

Format
display ospf [ process-id ] cumulative

Parameters
process-id: specifies a process number of OSPF. It is an integer in a range of 1 to 65535.


Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the OSPF cumulative information.
<Eudemon> display ospf cumulative
IO Statistics
Type Input Output
Hello 225 437
DB Description 78 86
Link-State Req 18 18
Link-State Update 48 53
Link-State Ack 25 21
ASE: 1 Checksum Sum: FCAF
LSAs originated by this router
Router: 50 SumNet: 40 SumASB: 2
LSAs Originated: 92 LSAs Received: 33
Area 0.0.0.0:
Neighbors: 1 Interfaces: 1
Spf: 54 Checksum Sum F020
rtr: 2 net: 0 sumasb: 0 sumnet: 1
Area 0.0.0.1:
Neighbors: 0 Interfaces: 1
Spf: 19 Checksum Sum 14EAD
rtr: 1 net: 0 sumasb: 1 sumnet: 1
Routing Table:
Intra Area: 2 Inter Area: 0 ASE: 1

Table 3-42 lists the description of the display ospf cumulative command output.

Table 3-42 Description of the display ospf cumulative command output

Item                            Description
IO statistics                   Detailed statistics of the transceived packets and LSA
Type                            Type of OSPF packets
Input                           Number of received packets
Output                          Number of sent packets
Hello                           OSPF Hello packets
DB Description                  OSPF Data Base Description packets
Link State Req                  OSPF Link State Request packets
Link State Update               OSPF Link State Update packets
Link State Ack                  OSPF Link State Acknowledgement packets
ASE Checksum                    Autonomous system external LSA checksum
LSAs originated by this router  Detailed statistics of receiving and sending LSAs
Router                          Router LSA
SumNet                          Type-3 summary LSA
SumASB                          Type-4 summary LSA
LSA originated                  Generated LSA
LSA Received                    Received LSA
Area                            Area ID
Routing Table                   Routing Table
Intra Area                      Number of intra-area routes
Inter Area                      Number of inter-area routes
ASE                             Number of ASE routes

3.21.18 display ospf diagnostic-information

Function
Using the display ospf diagnostic-information command, you can display all information
related to an OSPF process.

Format
display ospf [ process-id ] diagnostic-information

Parameters
process-id: specifies an OSPF process ID. It is an integer in a range of 1 to 65535.

Views
All views

Default Level
1: Monitoring level


Usage Guidelines
Regardless of the view in which the display ospf diagnostic-information command is executed,
the system returns to the user view after the execution. In addition, the information is displayed
without split screen. You can use the shortcut key <Ctrl+C> to end the display.

If you are unfamiliar with OSPF commands, you can use this command to obtain most of the
information needed for locating OSPF faults.

The display ospf diagnostic-information command contains the commands listed in Table
3-43.

Table 3-43 Commands included in the display ospf diagnostic-information command

Command                        Output
display clock                  Current system time
display version                Version information
display memory                 Memory information
display task                   Task information
display current-configuration  Current configuration information
display ospf brief             OSPF summary information
display ospf cumulative        OSPF statistics
display ospf error             OSPF error information
display ospf asbr-summary      Aggregation information of imported routes
display ospf sham-link         OSPF sham-link information
display ospf vlink             OSPF virtual-link information
display ospf request-queue     OSPF request list information
display ospf retrans-queue     OSPF retransmission list
display ospf interface         OSPF interface information
display ospf peer              OSPF neighbor information
display ospf peer brief        Summary information of OSPF neighbor
display ospf lsdb brief        Summary information of OSPF link state database
display ospf lsdb              Information of OSPF link state database
display ospf nexthop           OSPF next hop information
display ospf abr-asbr          Information of ABR and ASBR
display ospf routing           OSPF routing table information
display ip routing-table       Local routing table information
display fib                    Forwarding table information

Examples
# Display all information of OSPF process 100.
<Eudemon> display ospf 100 diagnostic-information

The display ospf diagnostic-information command contains the commands listed in Table
3-43. For details, see the commands in the table.

3.21.19 display ospf error

Function
Using the display ospf error command, you can view the OSPF error information.

Format
display ospf [ process-id ] error

Parameters
process-id: specifies an OSPF process ID. It is an integer in a range of 1 to 65535.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the OSPF error information.
<Eudemon> display ospf error
OSPF packet error statistics:
0: IP: received my own packet      0: OSPF: bad packet type
0: OSPF: bad version               0: OSPF: bad checksum
0: OSPF: bad area id               0: OSPF: area mismatch
0: OSPF: bad virtual link          0: OSPF: bad authentication type
0: OSPF: bad authentication key    0: OSPF: packet too small
0: OSPF: packet size > ip length   0: OSPF: transmit error
0: OSPF: interface down            0: OSPF: unknown neighbor
0: HELLO: netmask mismatch         0: HELLO: hello timer mismatch
0: HELLO: dead timer mismatch      0: HELLO: extern option mismatch
0: HELLO: router id confusion      0: HELLO: virtual neighbor unknown
0: HELLO: NBMA neighbor unknown    0: DD: neighbor state low
0: DD: router id confusion         0: DD: extern option mismatch
0: DD: unknown LSA type            0: LS ACK: neighbor state low
0: LS ACK: bad ack                 0: LS ACK: duplicate ack
0: LS ACK: unknown LSA type        0: LS REQ: neighbor state low
0: LS REQ: empty request           0: LS REQ: bad request
0: LS UPD: neighbor state low      0: LS UPD: newer self-generate LSA
0: LS UPD: LSA checksum bad        0: LS UPD:received less recent LSA
0: LS UPD: unknown LSA type        0: OSPF routing: next hop not exist
0: DD: MTU option mismatch
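
These counters are cumulative, so monitoring them means comparing two polls. The following Python sketch is an added example, not part of the Huawei documentation: it parses the two-column display ospf error layout, computes which counters grew between polls, and reports growth in a watch list of authentication and neighbor-identity counters. Both sample snapshots and the choice of watch list are constructed for illustration.

```python
import re

# Packet-class prefixes used in the output; longer names first so that
# "OSPF routing" is not cut short to "OSPF".
CATEGORIES = ("OSPF routing", "LS ACK", "LS REQ", "LS UPD", "HELLO", "OSPF", "DD", "IP")
ENTRY_RE = re.compile(r"(\d+):\s*(" + "|".join(CATEGORIES) + r"):")

# Counter names exactly as they appear in the command output.
WATCH = {
    "OSPF: bad authentication type",
    "OSPF: bad authentication key",
    "OSPF: unknown neighbor",
    "OSPF: area mismatch",
    "HELLO: router id confusion",
    "DD: router id confusion",
}

# Constructed snapshots (a subset of the counters shown above).
SNAPSHOT_BEFORE = """\
OSPF packet error statistics:
0: IP: received my own packet      0: OSPF: bad packet type
0: OSPF: bad version               0: OSPF: bad checksum
0: OSPF: bad area id               0: OSPF: area mismatch
0: OSPF: bad virtual link          0: OSPF: bad authentication type
0: OSPF: bad authentication key    0: OSPF: packet too small
0: OSPF: interface down            0: OSPF: unknown neighbor
0: HELLO: netmask mismatch         0: HELLO: hello timer mismatch
0: HELLO: router id confusion      0: DD: MTU option mismatch
"""

# The third line has its two columns run together on purpose, to show that
# the tokenizer does not depend on column spacing.
SNAPSHOT_AFTER = """\
OSPF packet error statistics:
0: IP: received my own packet      0: OSPF: bad packet type
0: OSPF: bad version               0: OSPF: bad checksum
0: OSPF: bad area id0: OSPF: area mismatch
0: OSPF: bad virtual link          0: OSPF: bad authentication type
14: OSPF: bad authentication key   0: OSPF: packet too small
0: OSPF: interface down            3: OSPF: unknown neighbor
0: HELLO: netmask mismatch         2: HELLO: hello timer mismatch
0: HELLO: router id confusion      0: DD: MTU option mismatch
"""


def parse_ospf_errors(text):
    """Return {"CATEGORY: description": count} for every counter found."""
    counters = {}
    matches = list(ENTRY_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        # A description never spans lines; cut at the first newline.
        segment = text[m.end():end].split("\n", 1)[0]
        description = " ".join(segment.split())
        counters["%s: %s" % (m.group(2), description)] = int(m.group(1))
    return counters


def increases(before, after):
    """Counters that grew between two polls, as {name: delta}."""
    grown = {}
    for name, now in after.items():
        previous = before.get(name, 0)
        # A smaller value means the counter restarted (for example after
        # the OSPF process was reset); count everything since the restart.
        delta = now - previous if now >= previous else now
        if delta > 0:
            grown[name] = delta
    return grown


def alerts(before, after, watch=WATCH):
    """Subset of increases() limited to the watched counters."""
    return {k: v for k, v in increases(before, after).items() if k in watch}


if __name__ == "__main__":
    old = parse_ospf_errors(SNAPSHOT_BEFORE)
    new = parse_ospf_errors(SNAPSHOT_AFTER)
    for name, delta in sorted(alerts(old, new).items()):
        print("ALERT %s increased by %d" % (name, delta))
```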

3.21.20 display ospf interface

Function
Using the display ospf interface command, you can view OSPF interface information.

Format
display ospf [ process-id ] interface [ interface-type interface-number ]

Parameters
process-id: specifies an OSPF process ID. It is an integer in a range of 1 to 65535.

interface-type: specifies the type of an interface.

interface-number: specifies the number of an interface.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the OSPF interface Ethernet 1/0/0.
<Eudemon> display ospf interface Ethernet 1/0/0
Interface: 10.110.0.2 (Ethernet 1/0/0)
Cost: 1 State: BackupDR Type: Broadcast
Priority: 1
Designated Router: 10.110.0.1
Backup Designated Router: 10.110.0.2
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1

3.21.21 display ospf lsdb


Function
Using the display ospf lsdb command, you can view the OSPF link state database (LSDB).

Format
display ospf [ process-id ] [ area-id ] lsdb [ brief ]
display ospf [ process-id ] [ area-id ] lsdb [ router | network | summary | asbr | ase | nssa | opaque { as | area-local | link-local } ] [ link-state-id ] [ originate-router [ advertising-router-id ] | self-originate ]

Parameters
process-id: specifies an OSPF process ID. It is an integer in a range of 1 to 65535.
area-id: specifies the ID of an OSPF area, as a decimal integer in a range of 0 to
4294967295 or in IP address format.
brief: displays the database in brief.
asbr: displays the database of Type-4 LSA (Summary-ASBR-LSA).
network: displays the database of Type-2 LSA (Network-LSA).
nssa: displays the database of Type-7 LSA (NSSA-external-LSA).
opaque link-local: displays the database of Type-9 LSA.
opaque area-local: displays the database of Type-10 LSA.
opaque as: displays the database of Type-11 LSA.
router: displays the database of Type-1 LSA (Router-LSA).
summary: displays the database of Type-3 LSA (Summary-Net-LSA).
link-state-id: specifies a link state ID in IP address format.
originate-router advertising-router-id: specifies the IP address of the router advertising the LSA packet.
self-originate: displays the database of self-originated LSAs generated by the local router.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the OSPF link state database.
<Eudemon> display ospf lsdb


OSPF Process 1 with Router ID 123.1.1.1
Link State Database

Area: 0.0.0.0
Type LinkState ID AdvRouter Age Len Sequence Metric Where
Rtr 1.1.1.1 1.1.1.1 563 36 80000008 0 SpfTree
Net 1.1.1.2 123.1.1.1 595 32 80000001 0 SpfTree

AS External Database:
Type LinkState ID AdvRouter Age Len Sequence Metric Where
ASE 1.1.0.0 1.1.1.1 561 36 80000001 1 Uninitialized
ASE 123.1.1.1 1.1.1.1 561 36 80000001 1 Uninitialized

# Display the OSPF link state database in brief.


<Eudemon> display ospf lsdb brief
OSPF Process 1 with Router ID 10.1.1.2
LS Database Statistics:
Area ID Router Network S-Net S-ASBR Type-7 | Subtotal
0.0.0.0 2 1 0 0 0 | 3
Total 2 1 0 0 0 |
----------------------------------------------------------------|
Area ID Opq-9 Opq-10 | Subtotal
0.0.0.0 0 0 | 0
Total 0 0 |
----------------------------------------------------------------|
All Area ASE Opq-11 | Total
Total 0 0 | 3

# Display the database of Type-7 LSA.


<Eudemon> display ospf lsdb nssa
OSPF Process 1 with Router ID 1.1.1.1
Link State Database

Area: 0.0.0.1

type : NSSA
ls id : 1.1.0.0
adv rtr : 1.1.1.1
ls age : 93
len : 36
seq# : 80000002
chksum : 0x3c66
options : (No Type 7/5 translation, DC)
Net mask : 255.255.0.0
Tos 0 metric: 1
E type : 2
Forwarding Address :2.2.2.1
Tag: 1

# Display database of summary route.


<Eudemon> display ospf lsdb summary
OSPF Process 1 with Router ID 1.1.1.1
Link State Database

Area: 0.0.0.0

Type : SumNet
Ls id : 2.2.0.0
Adv rtr : 1.1.1.1
Ls age : 304
Len : 28
seq# : 80000001
chksum : 0x61d4
Options : (DC)
Net mask : 255.255.0.0
Tos 0 metric: 1


# Display the database of Type-1 LSA.


<Eudemon> display ospf lsdb router
Link State Data Base
Area: 0.0.0.0

Type : Router
Ls id : 20.0.0.1
Adv rtr : 20.0.0.1
Ls age : 988
Len : 36
seq# : 80000006
chksum : 0x428c
Options : (DC) ASBR
Link count: 1
Link ID: 20.0.0.1
Data : 20.0.0.1
Type : TransNet
Metric : 10

# Display database of Type-2 LSA.


<Eudemon> display ospf lsdb network
OSPF Process 1 with Router ID 1.1.1.1
Link State Database
Area: 0.0.0.0

Type : Net
Ls id : 1.1.1.2
Adv rtr : 123.1.1.1
Ls age : 515
Len : 32
seq# : 80000002
chksum : 0xc470
Options : (DC)
Net mask : 255.255.0.0
Attached Router 123.1.1.1
Attached Router 1.1.1.1

# Display database of Type-4 LSA.


<Eudemon> display ospf lsdb asbr
OSPF Process 1 with Router ID 2.2.2.2
Link State Database

Area: 0.0.0.1

Type : SumASB
Ls id : 123.1.1.1
Adv rtr : 1.1.1.1
Ls age : 20
Len : 28
seq# : 80000001
chksum : 0x1f9b
Options : (DC)
Tos 0 metric: 1

# Display database of Type-5 LSA.


<Eudemon> display ospf lsdb ase
OSPF Process 1 with Router ID 1.1.1.1
Link State Database

type : ASE
ls id : 1.1.0.0
adv rtr : 1.1.1.1
ls age : 15
len : 36
seq# : 80000001
chksum : 0x4a8
options : (DC)
Net mask : 255.255.0.0
Tos 0 metric: 1
E type : 2
Forwarding Address :0.0.0.0
Tag: 1

# Display the LSA packets advertised from the router at 3.3.3.3.


<Eudemon> display ospf lsdb originate-router 3.3.3.3
Link State Database

Area: 0.0.0.0
Type LinkState ID AdvRouter Age Len Sequence Metric Where
Stub 30.0.0.0 3.3.3.3 -1 24 0 0 SpfTree
SNet 40.0.0.0 3.3.3.3 1524 28 80000006 1562 Inter List

Area: 0.0.0.1
Type LinkState ID AdvRouter Age Len Sequence Metric Where
Stub 40.0.0.0 3.3.3.3 -1 24 0 0 SpfTree
ASB 20.0.0.1 3.3.3.3 1524 28 80000003 1 SumAsb List

# Display the database of the LSA packets generated by the local router.


<Eudemon> display ospf lsdb self-originate
OSPF Process 1 with Router ID 1.1.1.1
Link State Database

Area: 0.0.0.0
Type LinkState ID AdvRouter Age Len Sequence Metric Where
Rtr 1.1.1.1 1.1.1.1 539 36 80000016 0 SpfTree
SNet 2.2.0.0 1.1.1.1 445 28 80000008 1 Inter List

Area: 0.0.0.1
Type LinkState ID AdvRouter Age Len Sequence Metric Where
Rtr 1.1.1.1 1.1.1.1 539 36 8000000e 0 SpfTree
SNet 1.1.0.0 1.1.1.1 445 28 8000000a 1 Inter List
ASB 123.1.1.1 1.1.1.1 445 28 80000007 1 SumAsb List
AS External Database:
Type LinkState ID AdvRouter Age Len Sequence Metric Where
ASE 100.0.0.0 1.1.1.1 849 36 8000000a 2 Ase List
ASE 1.1.0.0 1.1.1.1 737 36 8000000e 1 Ase List

3.21.22 display ospf nexthop

Function
Using the display ospf nexthop command, you can view the OSPF next hop information.

Format
display ospf [ process-id ] nexthop

Parameters
process-id: specifies an OSPF process ID. It is an integer in a range of 1 to 65535.

Views
All views


Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the OSPF next-hop.
<Eudemon> display ospf nexthop
Address Type Refcount Intf Addr Intf Name
---------------------------------------------------------------
202.38.160.1 Direct 3 202.38.160.1 Interface Ethernet 1/0/0
202.38.160.2 Neighbor 1 202.38.160.1 Interface Ethernet 1/0/0

3.21.23 display ospf peer

Function
Using the display ospf peer command, you can view the neighbors in OSPF areas.
Using the display ospf peer brief command, you can view the OSPF neighbors in brief, mainly
the number of neighbors in each state in every area.

Format
display ospf [ process-id ] peer [ brief ]
display ospf [ process-id ] area-id peer

Parameters
process-id: specifies an OSPF process ID.
area-id: specifies an area ID as a decimal integer (the value ranges from 0 to 4294967295)
or in dotted decimal notation. If the area ID is specified, the command displays the OSPF
neighbor relationships in the specified area. If area-id is specified, you cannot configure
brief.
brief: displays neighbors in areas in brief.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The display format of the OSPF neighbor valid time varies with the length of time, as follows:

- XXYXXMXXD: More than a year, namely year: month: day
- XXXdXXhXXm: More than a day but less than a year, that is, day: hour: minute
- XX:XX:XX: Less than a day, namely hour: minute: second

Examples
# Display OSPF peer.
<Eudemon> display ospf peer
Area 0.0.0.0 interface 1.1.1.1(Pos2/0/0)'s neighbor(s)
RouterID: 1.1.1.3 Address: 1.1.1.3
State: Full Mode: Nbr is Master Priority: 1
DR: 1.1.1.3 BDR: 1.1.1.1
Dead timer expires in 31s
Neighbor is comes for 00:08:24

# Display neighbors in areas in brief.


<Eudemon> display ospf peer brief
OSPF Process 1 with Router ID 1.1.1.1
Neighbor Statistics
Area ID Down Attempt Init 2-Way ExStart Exchange Loading Full Total
0.0.0.0 0 0 0 0 0 0 0 1 1
0.0.0.1 0 0 0 0 0 0 0 1 1
Total 0 0 0 0 0 0 0 2 2

3.21.24 display ospf peer address

Function
Using the display ospf peer address command, you can view the OSPF neighbor between the
local device and a router by specifying the IP address of the router.

Format
display ospf [ process-id ] peer address ip-address

Parameters
process-id: specifies an OSPF process ID.

ip-address: specifies the IP address of a neighbor to display the neighbor relationship between
the local device and the specified router.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None


Examples
# Display the OSPF neighbor between the local device and the router with IP address 10.1.1.1.
<Eudemon> display ospf peer address 10.1.1.1
OSPF Process 100 with Router ID 3.3.3.3
Neighbors
Area 1 interface 10.1.1.2(Serial1)'s neighbor(s)
RouterID: 2.2.2.2 Address: 10.1.1.1
State: Full Mode: Nbr is Master Priority: 1
DR: None BDR: None
Dead timer expires in 34s
Neighbor comes up for 00:27:15

3.21.25 display ospf peer interface

Function
Using the display ospf peer interface command, you can display OSPF neighbors on an
interface.

Format
display ospf [ process-id ] peer interface interface-type interface-number

Parameters
process-id: specifies an OSPF process ID.
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
This command cannot display OSPF neighbors of sham links.

Examples
# Display OSPF neighbors at interface AUX0.
<Eudemon> display ospf peer interface aux 0
OSPF Process 100 with Router ID 3.3.3.3
Neighbors
Area 1 interface 10.1.1.2(Serial1)'s neighbor(s)
RouterID: 2.2.2.2 Address: 10.1.1.1
State: Full Mode: Nbr is Master Priority: 1
DR: None BDR: None
Dead timer expires in 34s
Neighbor comes up for 00:27:15


3.21.26 display ospf peer router-id

Function
Using the display ospf peer router-id command, you can view the OSPF relationship with a
specific router.

Format
display ospf [ process-id ] peer router-id router-id

Parameters
process-id: specifies an OSPF process ID.
router-id: specifies a router ID in dotted decimal notation to display neighbor relationship with
the router.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the OSPF neighbor relationship with Router whose ID is 4.4.4.4.
<Eudemon> display ospf peer router-id 4.4.4.4
OSPF Process 100 with Router ID 3.3.3.3
Neighbors
Area 2 interface 168.1.12.1(Serial0)'s neighbor(s)
RouterID: 4.4.4.4 Address: 168.1.12.2
State: Full Mode: Nbr is Master Priority: 1
DR: None BDR: None
Dead timer expires in 34s
Neighbor comes up for 00:03:43

3.21.27 display ospf request-queue

Function
Using the display ospf request-queue command, you can view the OSPF request queue.

Format
display ospf [ process-id ] request-queue


Parameters
process-id: specifies an OSPF process ID.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the OSPF request queue.
<Eudemon> display ospf request-queue
The Router's Neighbors is
RouterID: 103.160.1.1 Address: 103.169.2.5
Interface: 103.169.2.2 Area: 0.0.0.1
LSID:129.11.25.0 AdvRouter:103.160.1.1 Sequence:80000001 Age:201
LSID:129.11.25.0 AdvRouter:103.160.1.1 Sequence:80000001 Age:201
LSID:129.11.25.0 AdvRouter:103.160.1.1 Sequence:80000001 Age:201

3.21.28 display ospf retrans-queue

Function
Using the display ospf retrans-queue command, you can view the OSPF retransmission queue.

Format
display ospf [ process-id ] retrans-queue

Parameters
process-id: specifies an OSPF process ID.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None


Examples
# Display the OSPF retransmission queue.
<Eudemon> display ospf retrans-queue
OSPF Process 200 with Router ID 103.160.1.1
Retransmit List
The Router's Neighbors is
RouterID: 162.162.162.162 Address: 103.169.2.2
Interface: 103.169.2.5 Area: 0.0.0.1
Retrans list:
Type: ASE LSID:129.11.77.0 AdvRouter:103.160.1.1
Type: ASE LSID:129.11.108.0 AdvRouter:103.160.1.1

3.21.29 display ospf routing

Function
Using the display ospf routing command, you can view the OSPF routing table.

Format
display ospf [ process-id ] routing

Parameters
process-id: specifies an OSPF process ID in a range of 1 to 65535.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the OSPF routing table.
<Eudemon> display ospf routing
Routing for Network
Destination Cost Type NextHop AdvRouter Area
10.110.0.0/16 1 Net 10.110.0.1 10.110.0.1 0
30.110.0.0/16 1 Stub 30.110.0.1 3.3.3.3 0

Total Nets: 2
Intra Area: 2 Inter Area: 0 ASE: 0 NSSA: 0

3.21.30 display ospf vlink


Function
Using the display ospf vlink command, you can view OSPF virtual links.

Format
display ospf [ process-id ] vlink

Parameters
process-id: specifies an OSPF process ID.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display OSPF virtual links.
<Eudemon> display ospf vlink
Virtual-link Neighbor-id -> 1.1.1.1, State: Down
Cost: 0 State: Down Type: Virtual
Transit Area: 0.0.0.1
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1

3.21.31 domain-id

Function
Using the domain-id command, you can configure the domain-id.

Using the undo domain-id command, you can restore the default value.

Format
domain-id { id | ip-address }

undo domain-id

Parameters
id: Specifies the domain-id, in the range of 0 to 4294967295. By default, it is 0.

ip-address: Specifies the domain-id in the form of IP address. By default, it is 0.0.0.0.


Views
OSPF view

Default Level
2: Configuration level

Usage Guidelines
The configured domain-id will take effect only after the user view command reset ospf is
executed.

Examples
# Set the domain-id of OSPF 100 to 100.
<Eudemon> system-view
[Eudemon] ospf 100
[Eudemon-ospf-100] domain-id 100

3.21.32 filter-policy export (OSPF View)

Function
Using the filter-policy export command, you can set the rule by which OSPF filters the
advertised routing.
Using the undo filter-policy export command, you can cancel the filtering rules that have been
set.

Format
filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ]
undo filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ]

Parameters
acl-number: specifies an ACL number in a range of 2000 to 3999. ACL numbered 2000 to 2999
refers to the basic ACL, and ACL numbered 3000 to 3999 refers to the advanced ACL.
ip-prefix-name: specifies the name of an address prefix list. It is a string of 1 to 19
characters.
routing-protocol: specifies a protocol advertising the routing. At present, it can be direct,
isis, bgp, rip or static.

Views
OSPF view

Default Level
2: Configuration level


Usage Guidelines
By default, no filtering of the distributed routing is performed.

In some cases, only the routing that meets certain conditions should be advertised. The
filter-policy command can then be used to configure the filtering conditions for the routing
information to be advertised. Only the routing that passes the filter is advertised.

Examples
# Configure OSPF to advertise only the routing information permitted by ACL 2001.
<Eudemon> system-view
[Eudemon] acl number 2001
[Eudemon-acl-basic-2001] rule permit source 11.0.0.0 0.255.255.255
[Eudemon-acl-basic-2001] rule deny source any
[Eudemon-acl-basic-2001] ospf
[Eudemon-ospf-1] filter-policy 2001 export

3.21.33 filter-policy import (OSPF View)

Function
Using the filter-policy import command, you can configure the rules by which OSPF filters
the received routing.

Using the undo filter-policy import command, you can cancel the filtering of the received
routing.

Format
filter-policy { acl-number | ip-prefix ip-prefix-name | gateway prefix-list-name } import

undo filter-policy { acl-number | ip-prefix ip-prefix-name | gateway ip-prefix-name } import

Parameters
acl-number: specifies an ACL number used for filtering the destination addresses of the routing
information.

ip-prefix-name: specifies the name of an address prefix list used for filtering the destination
addresses of the routing information.

gateway ip-prefix-name: specifies the name of an address prefix list used for filtering the
addresses of the neighboring routers advertising the routing.

Views
OSPF view

Default Level
2: Configuration level


Usage Guidelines
By default, no filtering of the received routing is performed.

In some cases, only the routing that meets certain conditions should be received. The
filter-policy command can then be used to set the filtering conditions for the routing to be
received. Only the routing that passes the filter is received.

Using the filter-policy import command, you can filter the routes calculated by OSPF. Only
the routes that pass the filter can be added to the routing table. The filtering can be performed
according to the next hop and destination of the route.

Because OSPF is a dynamic routing protocol based on link state, its routing information is
carried in the link state. This command therefore cannot filter the advertised or received link
state information, and it is more limited in OSPF than in a distance vector routing protocol.

If multiple OSPF processes are enabled, this command is valid only for the current process.

Examples
# Filter the received routing according to the rule defined by ACL 2002.
<Eudemon> system-view
[Eudemon] acl number 2002
[Eudemon-acl-basic-2002] rule permit source 20.0.0.0 0.255.255.255
[Eudemon-acl-basic-2002] rule deny source any
[Eudemon-acl-basic-2002] ospf
[Eudemon-ospf-1] filter-policy 2002 import

3.21.34 import-route (OSPF View)

Function
Using the import-route command, you can import the routing of another protocol.

Using the undo import-route command, you can cancel the imported external routing.

Format
import-route protocol process-id [ cost value | type { 1 | 2 } | tag value | route-policy route-policy-name ] *

undo import-route protocol process-id

Parameters
protocol: specifies the source routing protocol that can be imported. At present, it includes
direct, static, rip, ospf, ospf-ase and ospf-nssa.

ospf process-id: imports the internal routes found by OSPF process-id as external routing
information. If no process number is specified, the OSPF default process number 1 is used.

ospf-ase process-id: imports the ASE external routes found by OSPF process-id as external
routing information. If no process number is specified, the OSPF default process number 1 is
used.


ospf-nssa process-id: imports the NSSA external routes found by OSPF process-id as external
routing information. If no process number is specified, the OSPF default process number 1 is
used.
route-policy route-policy-name: imports the routes matching the specified route policy.

Views
OSPF view

Default Level
2: Configuration level

Usage Guidelines
By default, the routing of other protocols is not imported.
Whether process-id is needed depends on protocol. Some protocols do not need to be configured
with process-id.

Examples
# Specify an imported RIP route as the route of type 2, with the route tag as 33 and the route
cost as 50.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] import-route rip type 2 tag 33 cost 50

# Specify OSPF process 100 to import the route found by OSPF 160.
<Eudemon> system-view
[Eudemon] ospf 100
[Eudemon-ospf-100] import-route ospf 160

3.21.35 network (OSPF Area View)

Function
Using the network command, you can configure the interface running OSPF.
Using the undo network command, you can cancel the interface running OSPF.

Format
network ip-address wildcard-mask
undo network ip-address wildcard-mask

Parameters
ip-address: specifies the address of the network segment where the interface is located.
wildcard-mask: specifies the IP address wildcard mask, which is the inverted form of the mask of
the IP address.

Views
OSPF area view

Default Level
2: Configuration level

Usage Guidelines
By default, the interface does not belong to any area.

To run the OSPF protocol on one interface, the master IP address of this interface must be in the
range of the network segment specified by this command. If only the slave IP address of the
interface is in the range of the network segment specified by this command, this interface will
not run OSPF protocol.

Examples
# Specify the interfaces whose master IP addresses are in the segment range of 10.110.36.0 to
run the OSPF protocol and specify the number of the OSPF area (where these interfaces are
located) as 6.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] area 6
[Eudemon-ospf-1-area-0.0.0.6] network 10.110.36.0 0.0.0.255

# Enable OSPF process 100 on the Eudemon and specify the number of the area where the
interface is located as 2.
<Eudemon> system-view
[Eudemon] router id 10.110.1.9
[Eudemon] ospf 100
[Eudemon-ospf-100] area 2
[Eudemon-ospf-100-area-0.0.0.2] network 131.108.20.0 0.0.0.255

Related Topics
3.21.38 ospf
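
The following is an added example, not part of the Huawei manual: a short Python check of which interfaces a set of network statements brings into OSPF, applying the wildcard-mask and master-address rules described above. The interface names and addresses are constructed; the second statement uses a wildcard of 0.255.255.255 to show how much address space such a mask admits.

```python
import ipaddress

def _u32(addr):
    """Dotted-decimal IPv4 string -> unsigned 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(ip, network, wildcard):
    """True if ip lies in the segment of `network <network> <wildcard>`.

    A wildcard mask is the inverted subnet mask: bits set to 1 are ignored,
    bits set to 0 must equal the ip-address given in the command.
    """
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(ip) & care) == (_u32(network) & care)

def addresses_covered(wildcard):
    """Number of addresses a wildcard mask admits (2 ** number of ignored bits)."""
    return 2 ** bin(_u32(wildcard)).count("1")

def classify(interfaces, networks):
    """Decide per interface whether the network statements start OSPF on it.

    interfaces: {name: {"master": ip, "slaves": [ip, ...]}}
    networks:   [(area, ip-address, wildcard-mask), ...]
    Returns {name: (status, [areas])}. Status is "runs-ospf" when the master
    address matches, "slave-only" when only a slave address matches (OSPF is
    not run on that interface), and "not-matched" otherwise.
    """
    report = {}
    for name, addrs in interfaces.items():
        by_master = [area for area, net, wild in networks
                     if wildcard_match(addrs["master"], net, wild)]
        by_slave = [area for area, net, wild in networks
                    if any(wildcard_match(s, net, wild) for s in addrs["slaves"])]
        if by_master:
            report[name] = ("runs-ospf", by_master)
        elif by_slave:
            report[name] = ("slave-only", by_slave)
        else:
            report[name] = ("not-matched", [])
    return report

# Constructed sample data.
NETWORKS = [
    (6, "10.110.36.0", "0.0.0.255"),
    (1, "10.110.0.0", "0.255.255.255"),  # ignores three octets: every 10.x.x.x address
]
INTERFACES = {
    "Ethernet0/0/0": {"master": "10.110.36.5", "slaves": []},
    "Ethernet0/0/1": {"master": "10.200.1.1", "slaves": []},
    "Ethernet1/0/0": {"master": "192.168.1.1", "slaves": ["10.110.36.9"]},
    "Ethernet1/0/1": {"master": "172.16.0.1", "slaves": []},
}

if __name__ == "__main__":
    for area, net, wild in NETWORKS:
        print(f"area {area}: {net} {wild} admits {addresses_covered(wild)} addresses")
    for name, (status, areas) in classify(INTERFACES, NETWORKS).items():
        print(f"{name:15} {status:12} areas={areas}")
```

An interface listed under more than one area, or one that matches only because the wildcard is wider than intended, is a candidate for a narrower network statement or for silent-interface.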

3.21.36 nssa

Function
Using the nssa command, you can configure an area as an NSSA area.

Using the undo nssa command, you can cancel the function.

Format
nssa [ default-route-advertise | no-import-route | no-summary ] *

undo nssa

Parameters
default-route-advertise: imports the default route to the NSSA area.

no-import-route: does not import the routes specified by import-route to the NSSA area.

no-summary: prevents the ABR from transmitting summary_net LSAs to the NSSA area.

Views
OSPF area view

Default Level
2: Configuration level

Usage Guidelines
By default, no NSSA area is configured.

The nssa command must be used on every router connected to the NSSA area to configure the area
with the NSSA attribute.

The default-route-advertise parameter is used to generate a default type-7 LSA. On an ABR, the
type-7 LSA default route is always generated, regardless of whether route 0.0.0.0 exists in the
routing table. On an ASBR, the type-7 LSA default route is generated only when route 0.0.0.0
exists in the routing table.

On an ASBR, the no-import-route parameter prevents the external routes imported by OSPF through
the import-route command from being advertised to the NSSA area.

Examples
# Configure area 1 as NSSA area.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] area 1
[Eudemon-ospf-1-area-0.0.0.1] network 10.110.0.0 0.255.255.255
[Eudemon-ospf-1-area-0.0.0.1] nssa

3.21.37 opaque-capability

Function
Using the opaque-capability enable command, you can enable the Opaque capability of OSPF.

Using the undo opaque-capability command, you can disable the Opaque capability of OSPF.

Format
opaque-capability enable

undo opaque-capability

Parameters
None

Views
OSPF view

Default Level
2: Configuration level

Usage Guidelines
By default, the Opaque capability of OSPF is disabled.
If an application based on Opaque LSA is enabled, for example, the area TE capability is
enabled, the Opaque capability cannot be disabled.

Examples
# Enable Opaque capability.
<Eudemon> system-view
[Eudemon] ospf 100
[Eudemon-ospf-100] opaque-capability enable

3.21.38 ospf

Function
Using the ospf command, you can enable the OSPF protocol.
Using the undo ospf command, you can disable the OSPF protocol.

Format
ospf [ process-id ] [ router-id router-id ]
undo ospf [ process-id ]

Parameters
process-id: specifies the number of the OSPF process in a range of 1 to 65535. By default, the number is 1.
router-id: specifies the router ID used in OSPF process in dotted decimal format.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the system does not run the OSPF protocol.
You can run multiple OSPF processes on the device by specifying different process IDs.
To do that, it is suggested to specify a router ID for each process with the parameter router-id.

Examples
# Enable the running of the OSPF protocol.
<Eudemon> system-view
[Eudemon] router id 10.110.1.8
[Eudemon] ospf
[Eudemon-ospf-1]

# Enable the OSPF process 120 to run OSPF.
<Eudemon> system-view
[Eudemon] router id 10.110.1.8
[Eudemon] ospf 120
[Eudemon-ospf-120]

Related Topics
3.21.35 network (OSPF Area View)

3.21.39 ospf authentication-mode

Function
Using the ospf authentication-mode command, you can set the authentication mode and key
between adjacent routers.
Using the undo ospf authentication-mode command, you can cancel the authentication key
that has been set.

Format
ospf authentication-mode { simple password | md5 key-id key }
undo ospf authentication-mode { simple | md5 }

Parameters
simple: indicates simple authentication.
password: specifies the plain authentication key. It is a string of 1 to 8 characters.
md5: indicates MD5 authentication.
key-id: specifies the ID of the authentication key in MD5 cipher text authentication mode in the
range of 1 to 255.
key: specifies the MD5 authentication key. If it is input in a simple form, the MD5 key is a
string of 1 to 16 characters, and it is displayed in a cipher text form with a length of 24
characters when the display current-configuration command is executed. Inputting the
24-character MD5 key in a cipher text form is also supported.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the interface does not authenticate the OSPF packets.

The authentication keys of the routers on the same network segment must be identical. In
addition, use the authentication-mode command in OSPF area view to set the authentication
type of the area, so that the key configured here takes effect.

Examples
# Set the area 1 where the network segment 131.119.0.0 of Interface Ethernet 0/0/0 is located
to support MD5 cipher text authentication. The authentication key identifier is set to 15 and the
authentication key is Huawei.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] area 1
[Eudemon-ospf-1-area-0.0.0.1] network 131.119.0.0 0.0.255.255
[Eudemon-ospf-1-area-0.0.0.1] authentication-mode md5
[Eudemon-ospf-1-area-0.0.0.1] quit
[Eudemon-ospf-1] quit
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ospf authentication-mode md5 15 Huawei

Related Topics
3.21.4 authentication-mode (OSPF Area View)
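
The following is an added example, not part of the Huawei manual: a Python audit that reads a configuration listing and reports, for each interface that runs OSPF, whether its packets are authenticated and whether the interface key is backed by a matching area authentication-mode. The sample listing is constructed, its layout (one-space indentation per view, as in display current-configuration output) is an assumption, and the key values are placeholders. Treating a missing or different area mode as a finding is this example's reading of the Usage Guidelines above.

```python
import ipaddress

# Constructed sample; layout assumed, key material replaced by placeholders.
SAMPLE = """\
interface Ethernet0/0/0
 ip address 131.119.1.1 255.255.0.0
 ospf authentication-mode md5 15 <cipher-placeholder>
interface Ethernet0/0/1
 ip address 10.110.36.1 255.255.255.0
 ospf authentication-mode simple <password-placeholder>
interface Ethernet1/0/0
 ip address 10.1.1.1 255.255.255.0
interface Ethernet1/0/1
 ip address 10.2.2.1 255.255.255.0
 ospf authentication-mode md5 7 <cipher-placeholder>
ospf 1
 area 0.0.0.1
  authentication-mode md5
  network 131.119.0.0 0.0.255.255
 area 0.0.0.6
  authentication-mode simple
  network 10.110.36.0 0.0.0.255
 area 0.0.0.2
  network 10.1.1.0 0.0.0.255
  network 10.2.2.0 0.0.0.255
"""

def parse(config):
    """Collect per-interface and per-area OSPF settings from the listing."""
    ifaces, areas = {}, {}
    cur_if = cur_area = None
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "interface":
            cur_if, cur_area = " ".join(w[1:]), None
            ifaces[cur_if] = {"master": None, "auth": None}
        elif w[0] == "ospf" and not raw.startswith(" "):
            cur_if = cur_area = None          # entering an OSPF process view
        elif w[0] == "area":
            cur_area = w[1]
            areas[cur_area] = {"auth": None, "networks": []}
        elif cur_if and w[:2] == ["ip", "address"] and ifaces[cur_if]["master"] is None:
            ifaces[cur_if]["master"] = w[2]   # first address is taken as the master
        elif cur_if and w[:2] == ["ospf", "authentication-mode"]:
            ifaces[cur_if]["auth"] = w[2]     # "simple" or "md5"
        elif cur_area and w[0] == "authentication-mode":
            areas[cur_area]["auth"] = w[1]
        elif cur_area and w[0] == "network":
            areas[cur_area]["networks"].append((w[1], w[2]))
    return ifaces, areas

def in_segment(ip, network, wildcard):
    """Wildcard match: bits set to 1 in the wildcard mask are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(network)) & care)

def audit(config):
    """Return {interface: (area, verdict)} for every interface that runs OSPF."""
    ifaces, areas = parse(config)
    findings = {}
    for name, itf in ifaces.items():
        area = next((a for a, d in areas.items() if itf["master"] and
                     any(in_segment(itf["master"], n, w) for n, w in d["networks"])), None)
        if area is None:
            continue                           # no network statement covers the master address
        if itf["auth"] is None:
            verdict = "no-auth"                # default: OSPF packets are not authenticated
        elif areas[area]["auth"] != itf["auth"]:
            verdict = "area-mode-mismatch"     # key set, area authentication-mode absent or different
        elif itf["auth"] == "simple":
            verdict = "simple-auth"            # plain key
        else:
            verdict = "md5"
        findings[name] = (area, verdict)
    return findings

if __name__ == "__main__":
    for name, (area, verdict) in audit(SAMPLE).items():
        print(f"{name:15} area {area:8} {verdict}")
```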

3.21.40 ospf cost

Function
Using the ospf cost command, you can configure the cost of sending packets on an interface, so
that different interfaces can have different packet sending costs.

Using the undo ospf cost command, you can restore the default cost.

Format
ospf cost value

undo ospf cost

Parameters
value: specifies the cost for running OSPF protocol in a range of 1 to 65535.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the interface automatically calculates the cost required for running OSPF protocol
according to the current baud rate.

Examples
# Specify the cost spent when an interface runs OSPF as 33.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ospf cost 33

3.21.41 ospf dr-priority

Function
Using the ospf dr-priority command, you can configure the priority for electing the "designated
router" on an interface.
Using the undo ospf dr-priority command, you can restore the default value.

Format
ospf dr-priority priority-number
undo ospf dr-priority

Parameters
priority-number: specifies an interface priority for electing the "designated router", ranging from
0 to 255.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the interface priority for electing the "designated router" is 1.
Interface priority determines the qualification of the interface when electing the "designated router".
When there is a conflict in the election, the interface with the higher priority is considered first.

NOTE

If the priority of a device is 0, it cannot be elected as a DR or BDR.

Examples
# Set the priority of the interface Ethernet 0/0/0 to 8, when electing the DR.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ospf dr-priority 8

3.21.42 ospf mib-binding

Function
Using the ospf mib-binding command, you can bind MIB operation to the specified OSPF process.
Using the undo ospf mib-binding command, you can restore the default configuration.

Format
ospf mib-binding process-id
undo ospf mib-binding

Parameters
process-id: specifies the number of an OSPF process. It is an integer in a range of 1 to 65535.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, MIB operation is bound to the first enabled OSPF process.
Using this command, MIB operation can be bound to another OSPF process. Using the undo ospf
mib-binding command, you can cancel the binding; the OSPF protocol then automatically rebinds
MIB operation to the first enabled process.

Examples
# Bind MIB operation on OSPF process 100.
<Eudemon> system-view
[Eudemon] ospf mib-binding 100

# Cancel MIB operation binding.
[Eudemon] undo ospf mib-binding

3.21.43 ospf mtu-enable

Function
Using the ospf mtu-enable command, you can enable the interface to write MTU value when
sending DD packets.
Using the undo ospf mtu-enable command, you can restore the default settings.

Format
ospf mtu-enable
undo ospf mtu-enable

Parameters
None

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the MTU value is 0 when sending DD packets, that is, the actual MTU value of the
interface is not written.
Database Description packets (DD packets) are used by a router running the OSPF protocol to
describe its own LSDB when it is synchronizing the database.
The default MTU value of a DD packet is 0. With this command, the specified interface can be
set manually to write the MTU value field in DD packets when sending them, that is, the
actual MTU value of the interface is written in.

Examples
# Set interface Ethernet 0/0/0 to write the MTU value field when sending DD packets.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ospf mtu-enable

3.21.44 ospf network-type

Function
Using the ospf network-type command, you can configure the network type of OSPF interface.

Using the undo ospf network-type command, you can restore the default network type of the
OSPF interface.

Format
ospf network-type { broadcast | nbma | p2mp | p2p }
undo ospf network-type

Parameters
broadcast: sets the interface network type to broadcast.
nbma: sets the interface network type to Non-Broadcast Multi-Access.
p2mp: sets the interface network type to point-to-multipoint.
p2p: sets the interface network type to point-to-point.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
OSPF divides networks into four types by link layer protocol:
• Broadcast: If Ethernet or FDDI is adopted, OSPF defaults the network type to broadcast.
• Non-Broadcast Multi-Access (nbma): If Frame Relay, ATM, HDLC or X.25 is adopted,
  OSPF defaults the network type to NBMA.
• Point-to-Multipoint (p2mp): OSPF does not default the network type of any link layer
  protocol to p2mp. The usual practice is to change a partially connected NBMA
  network to a p2mp network if the NBMA network is not fully meshed.
• Point-to-point (p2p): If PPP or LAPB is adopted, OSPF defaults the network type to p2p.

If a router on the broadcast network does not support multicast addresses, the interface
network type can be changed to NBMA. The interface network type can also be changed from
NBMA to broadcast.
A network can be treated as an NBMA network, or be changed to a broadcast network, only if it
satisfies the following condition: there is a virtual circuit directly connecting any two routers
on the network. In other words, the network is fully meshed. If the network cannot satisfy this
condition, the interface network type must be changed to point-to-multipoint. In this way, two
routers that are not directly connected can exchange routing information via a router directly
connected with both of them.
If there are only two routers running the OSPF protocol on the same network segment, the
interface network type can be changed to point-to-point.

NOTE

When the network type of an interface is NBMA or it is changed to NBMA manually, the peer (OSPF
view) command must be used to configure the neighboring point.

Examples
# Set the interface Ethernet 0/0/0 to NBMA type.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ospf network-type nbma

Related Topics
3.21.41 ospf dr-priority

3.21.45 ospf timer dead

Function
Using the ospf timer dead command, you can set the dead interval of the OSPF neighbor.
Using the undo ospf timer dead command, you can restore the default value of the dead interval
of the neighbor.

Format
ospf timer dead seconds
undo ospf timer dead

Parameters
seconds: specifies the dead interval of the OSPF neighbor in a range of 1 to 65535 seconds.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the dead interval for the OSPF neighbors of p2p and broadcast interfaces is 40
seconds, and for those of p2mp and nbma interfaces is 120 seconds.
The dead interval of OSPF neighbors means that if no Hello message is received from the
neighbor within this interval, the neighbor is considered invalid. The value of dead
seconds should be at least 4 times that of Hello seconds. The dead seconds for the routers
on the same network segment must be identical.

Examples
# Set the neighbor dead interval on the interface Ethernet 0/0/0 to 80 seconds.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ospf timer dead 80

Related Topics
3.21.46 ospf timer hello

3.21.46 ospf timer hello

Function
Using the ospf timer hello command, you can configure the interval for transmitting Hello
messages on an interface.

Using the undo ospf timer hello command, you can restore the default value.

Format
ospf timer hello seconds

undo ospf timer hello

Parameters
seconds: specifies an interval for an interface to transmit hello message in a range of 1 to 255
seconds.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the interval is 10 seconds for an interface of p2p or broadcast type to transmit Hello
messages, and 30 seconds for an interface of nbma or p2mp type.

Examples
# Set the interval of transmitting Hello messages on the interface Ethernet 0/0/0 to 20 seconds.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ospf timer hello 20

Related Topics
3.21.45 ospf timer dead

3.21.47 ospf timer poll

Function
Using the ospf timer poll command, you can configure the poll Hello message interval on
NBMA network.
Using the undo ospf timer poll command, you can restore the default value.

Format
ospf timer poll seconds
undo ospf timer poll

Parameters
seconds: specifies the poll Hello messages interval in a range of 1 to 65535 seconds.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the poll Hello message interval is 120 seconds.
On an NBMA network, if a neighbor is invalid, Hello messages are transmitted to it regularly
at the interval given by poll seconds. You can configure the poll seconds to specify how often
the interface transmits Hello messages before it establishes adjacency with the adjacent router.
The value of poll seconds should be no less than 3 times that of Hello seconds.

Examples
# Transmit poll Hello message from interface Ethernet 0/0/0 every 130 seconds.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ospf timer poll 130
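
The following is an added example, not part of the Huawei manual: a Python lint for the hello, dead and poll timers of sections 3.21.45 to 3.21.47, using the defaults, ranges and ratios stated in their Usage Guidelines. It assumes that a timer left unconfigured keeps the documented default for the interface's network type and that an Ethernet interface defaults to broadcast; the segment check also compares Hello intervals, which RFC 2328 requires to match between neighbors.

```python
# (hello, dead) defaults per network type, from the Usage Guidelines.
DEFAULTS = {
    "broadcast": (10, 40), "p2p": (10, 40),
    "nbma": (30, 120), "p2mp": (30, 120),
}
POLL_DEFAULT = 120
RANGES = {"hello": (1, 255), "dead": (1, 65535), "poll": (1, 65535)}

def effective(lines, link_default="broadcast"):
    """Timers in force on one interface, given its interface-view ospf commands.

    Assumption: an unconfigured timer keeps the documented default for the
    network type in force on the interface.
    """
    ntype, timers = link_default, {}
    for line in lines:
        w = line.split()
        if w[:2] == ["ospf", "network-type"]:
            ntype = w[2]
        elif w[:2] == ["ospf", "timer"] and w[2] in RANGES:
            timers[w[2]] = int(w[3])
    hello, dead = DEFAULTS[ntype]
    return {"type": ntype,
            "hello": timers.get("hello", hello),
            "dead": timers.get("dead", dead),
            "poll": timers.get("poll", POLL_DEFAULT)}

def lint(t):
    """Return the guideline violations for one interface's timers."""
    issues = []
    for name, (lo, hi) in RANGES.items():
        if not lo <= t[name] <= hi:
            issues.append(f"{name} {t[name]} outside {lo}-{hi}")
    if t["dead"] < 4 * t["hello"]:
        issues.append(f"dead {t['dead']} < 4 x hello {t['hello']}")
    # The poll interval only applies on NBMA networks.
    if t["type"] == "nbma" and t["poll"] < 3 * t["hello"]:
        issues.append(f"poll {t['poll']} < 3 x hello {t['hello']}")
    return issues

def segment_mismatch(routers):
    """Names of timers that differ between routers on one network segment.

    routers: {router name: timers dict from effective()}
    """
    return [k for k in ("hello", "dead")
            if len({t[k] for t in routers.values()}) > 1]

if __name__ == "__main__":
    # Constructed inputs built from the commands shown in the examples above.
    fw1 = effective(["ospf timer hello 20"])
    fw2 = effective(["ospf timer hello 20", "ospf timer dead 80"])
    fw3 = effective(["ospf network-type nbma", "ospf timer poll 60"])
    for name, t in (("fw1", fw1), ("fw2", fw2), ("fw3", fw3)):
        print(name, t, lint(t))
    print("segment fw1/fw2 differs in:", segment_mismatch({"fw1": fw1, "fw2": fw2}))
```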

3.21.48 ospf timer retransmit

Function
Using the ospf timer retransmit command, you can set the interval for LSA re-transmitting on
an interface.
Using the undo ospf timer retransmit command, you can restore the default interval value for
LSA re-transmitting on the interface.

Format
ospf timer retransmit interval

undo ospf timer retransmit

Parameters
interval: sets an interval for re-transmitting LSA on an interface in a range of 1 to 65535 seconds.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the interval for LSA re-transmitting on an interface is 5 seconds.

If a firewall running OSPF transmits a "link state advertisement" (LSA) to the peer, it needs to
wait for the acknowledgement packet from the peer. If no acknowledgement is received from
the peer within the LSA retransmission interval, this LSA will be re-transmitted.

According to RFC 2328, the LSA retransmission interval between adjacent routers should not be
set too short. Otherwise, unexpected retransmission will be caused.

Examples
# Set the LSA retransmission interval between the interface Ethernet 0/0/0 and the
adjacent routers to 12 seconds.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ospf timer retransmit 12

3.21.49 ospf trans-delay

Function
Using the ospf trans-delay command, you can configure the LSA transmitting delay on an
interface.

Using the undo ospf trans-delay command, you can restore the default value of the LSA
transmitting delay on an interface.

Format
ospf trans-delay seconds

undo ospf trans-delay

Parameters
seconds: specifies a transmitting delay of LSA on an interface in a range of 1 to 3600 seconds.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the transmitting delay is 1 second.

An LSA ages in the "link state database" (LSDB) of the firewall as time goes by (its age
increases by 1 every second), but it does not age during network transmission. Therefore, the
period of time set by this command must be added to the age of the LSA before it is transmitted.

Examples
# Specify the trans-delay of transmitting LSA on the interface Ethernet 0/0/0 as 3 seconds.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ospf trans-delay 3

3.21.50 peer (OSPF View)

Function
Using the peer command, you can configure the IP address of adjacent routers and specify a
DR priority on an NBMA network.

Using the undo peer command, you can cancel the configuration.

Format
peer ip-address [ dr-priority priority ]

undo peer ip-address

Parameters
ip-address: sets the IP address of the neighboring point.

dr-priority priority: sets priority of neighboring router in the network. It is an integer in a range
of 0 to 255. By default, the value is 1.

Views
OSPF view

Default Level
2: Configuration level

Usage Guidelines
On NBMA network, a full-meshed network (that is, there is a VC directly connecting any two
routers on the network) can be implemented by configuring map. Thus OSPF can perform in
the same way in the frame relay network as in the broadcast network (such as electing DR and
BDR). However, the IP address of adjacent routers and their election rights must be configured
manually for the interface because adjacent routers cannot be found dynamically by advertising
Hello messages.

Examples
# Configure the IP address of peer router as 10.1.1.1.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] peer 10.1.1.1

3.21.51 preference (OSPF View)

Function
Using the preference command, you can configure the preference of an OSPF protocol route.
Using the undo preference command, you can restore the default value of the OSPF protocol
route.

Format
preference [ ase ] preference-value
undo preference [ ase ]

Parameters
preference-value: specifies the preference of OSPF routes in a range of 1 to 255.
ase: refers to the preference of an imported external route of the AS.

Views
OSPF view

Default Level
2: Configuration level

Usage Guidelines
By default, the preference of an OSPF protocol internal route is 10 and the preference of an
external route is 150.
Because multiple dynamic routing protocols could be running on a router, there is the problem
of sharing and selecting routing information among routing protocols. Therefore, a default
preference is specified for each routing protocol. When multiple routes to the same destination
are found by different routing protocols, the route found by the routing protocol with the high
preference will be selected to forward IP packets.

Examples
# Specify the preference of an external imported route of the AS as 160.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] preference ase 160

3.21.52 reset ospf

Function
Using the reset ospf all command, you can reset all the OSPF processes.

The reset ospf process-id command can be used to reset the specified process and clear statistics
data.

Format
reset ospf [ statistics ] { all | process-id }

Parameters
process-id: specifies an OSPF process number. If no OSPF process number is specified, all the
OSPF processes should be reset.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
Using the reset ospf all command to reset the OSPF process, the following results are expected:

• Clear invalid LSA immediately without waiting for LSA timeout.
• If the Router ID changes, a new Router ID will take effect by executing the command.
• Re-elect DR and BDR conveniently.
• OSPF configuration will not be lost if the system is restarted.
• Delete the original OSPF routes.
• After OSPF process is restarted, new routes and LSA will be generated correspondingly
  and LSA will be advertised.

The system will require the user to confirm whether to re-enable the OSPF protocol after
execution of the command.

Examples
# Reset all the OSPF processes.
<Eudemon> reset ospf all

# Reset the OSPF process 200.
<Eudemon> reset ospf 200

3.21.53 router id

Function
Using the router id command, you can configure the ID of a device running the OSPF protocol.
Using the undo router id command, you can cancel the device ID that has been configured.

Format
router id router-id
undo router id

Parameters
router-id: specifies the ID of a device, which is a 32-bit unsigned integer.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the smallest IP address among all the device interfaces is used as the device ID.
Device ID is a 32-bit unsigned integer that uniquely identifies a device in an OSPF AS. You can
specify the ID for a device. If the user does not specify a device ID, the device automatically
selects one of the configured IP addresses as its ID. If no IP address is configured for
any interface of the device, the device ID must be configured in OSPF view. Otherwise, the OSPF
protocol cannot be enabled.
When the device ID is configured manually, the IDs of any two devices in the AS cannot be
identical. For this reason, the IP address of one of the device's interfaces can simply be
selected as the ID of the device.

NOTE

The modified device ID will not be valid unless OSPF is re-enabled.

Examples
# Set the device ID to 10.1.1.3.
<Eudemon> system-view
[Eudemon] router id 10.1.1.3

Related Topics
3.21.38 ospf

3.21.54 silent-interface

Function
Using the silent-interface command, you can prevent an interface from transmitting OSPF packets.
Using the undo silent-interface command, you can restore the default setting.

Format
silent-interface interface-type interface-number
undo silent-interface interface-type interface-number

Parameters
interface-type interface-number: specifies the type and number of an interface.

Views
OSPF view

Default Level
2: Configuration level

Usage Guidelines
By default, the interface is enabled to transmit OSPF packets.
You can use this command to prevent an interface from transmitting OSPF packets, so that the
router on some network does not receive the OSPF routing information.
Different processes can each prevent the same interface from transmitting OSPF packets. However,
the silent-interface command only takes effect on the interfaces enabled with OSPF by this
process; it has no effect on interfaces enabled by other processes.

Examples
# Prevent interface Ethernet 0/0/0 from transmitting OSPF packets.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] silent-interface Ethernet 0/0/0

# Prevent interface Ethernet 0/0/0 from transmitting OSPF packets in both OSPF process 100 and
OSPF process 200.
<Eudemon> system-view
[Eudemon] router id 10.110.1.9
[Eudemon] ospf 100
[Eudemon-ospf-100] silent-interface Ethernet 0/0/0
[Eudemon-ospf-100] quit
[Eudemon] router id 20.18.0.7
[Eudemon] ospf 200
[Eudemon-ospf-200] silent-interface Ethernet 0/0/0

3.21.55 snmp-agent trap enable ospf

Function
Using the snmp-agent trap enable ospf command, you can enable the Trap of OSPF.

Using the undo snmp-agent trap enable ospf command, you can disable the Trap.

Format
snmp-agent trap enable ospf [ process-id ] [ ifauthfail | ifcfgerror | ifrxbadpkt |
ifstatechange | iftxretransmit | lsdbapproachoverflow | lsdboverflow | maxagelsa |
nbrstatechange | originatelsa | virifauthfail | virifcfgerror | virifrxbadpkt |
virifstatechange | viriftxretransmit | virnbrstatechange ] *

undo snmp-agent trap enable ospf [ process-id ] [ ifauthfail | ifcfgerror | ifrxbadpkt |
ifstatechange | iftxretransmit | lsdbapproachoverflow | lsdboverflow | maxagelsa |
nbrstatechange | originatelsa | virifauthfail | virifcfgerror | virifrxbadpkt |
virifstatechange | viriftxretransmit | virnbrstatechange ] *

Parameters
process-id: specifies an OSPF process number. If no OSPF process number is specified, this
command is valid for all the current OSPF processes.

ifauthfail, ifcfgerror, ifrxbadpkt, ifstatechange, iftxretransmit, lsdbapproachoverflow,
lsdboverflow, maxagelsa, nbrstatechange, originatelsa, virifauthfail, virifcfgerror,
virifrxbadpkt, virifstatechange, viriftxretransmit, virnbrstatechange: specifies the type of
SNMP Trap packet transmitted by OSPF.

• ifauthfail: indicates the information that the interface authentication fails.
• ifcfgerror: indicates the information that the interface configuration is incorrect.
• ifrxbadpkt: indicates the information about the received incorrect packet.
• ifstatechange: indicates the information about the interface status change.
• iftxretransmit: traces the receiving and sending of packets on an interface.
• lsdbapproachoverflow: indicates the information that LSDB is about to overflow.
• lsdboverflow: indicates the information that LSDB overflows.
• maxagelsa: indicates the max age information about LSA.
• nbrstatechange: indicates the information about the neighbor status change.
• originatelsa: indicates the information about the LSA generated locally.
• virifauthfail: indicates the information that the virtual interface authentication fails.
• virifcfgerror: indicates the information that the virtual interface configuration is incorrect.
• virifrxbadpkt: indicates the information about the incorrect packet received by a virtual
  interface.
• virifstatechange: indicates the information about the virtual interface status change.
• viriftxretransmit: traces the receiving and sending of packets on a virtual interface.
• virnbrstatechange: indicates the status change of the virtual interface neighbor.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
This command has no effect on an OSPF process enabled after its execution.

By default, no OSPF process is enabled to transmit Trap packets.

For detailed configuration of SNMP Trap, refer to "system management" in this manual.

Examples
# Enable Trap of OSPF process 100.
<Eudemon> system-view
[Eudemon] snmp-agent trap enable ospf 100

3.21.56 spf-schedule-interval

Function
Using the spf-schedule-interval command, you can set the route calculation interval of OSPF.

Using the undo spf-schedule-interval command, you can restore the default setting.

Format
spf-schedule-interval seconds

undo spf-schedule-interval

Parameters
seconds: specifies the SPF calculation interval in a range of 1 to 10 seconds.

Views
OSPF view

Default Level
2: Configuration level

Usage Guidelines
By default, the value is 5 seconds.
According to the Link State Database (LSDB), the router running OSPF can calculate the shortest
path tree taking itself as the root and determine the next hop to the destination network according
to the shortest path tree. Adjusting the SPF calculation interval restrains the effect of frequent
network changes, which may otherwise consume too many bandwidth resources and router
resources.

Examples
# Set the OSPF route calculation interval of Eudemon to 6 seconds.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] spf-schedule-interval 6

3.21.57 stub

Function
Using the stub command, you can set the type of an OSPF area as the STUB area.
Using the undo stub command, you can cancel the settings.

Format
stub [ no-summary ]
undo stub

Parameters
no-summary: prevents the ABR from transmitting Summary LSAs to the STUB area.

Views
OSPF area view

Default Level
2: Configuration level

Usage Guidelines
By default, no area is set to be the STUB area.
Using the stub command, you can configure an area as "stub". If the router is an ABR, it will
send a default route to the connected stub area. Using the default-cost command, you can set
the default route cost value.

In addition, you can prevent type-3 LSAs from entering the stub area connected to the ABR
by specifying the no-summary parameter in the stub command on the ABR.

Examples
# Set the type of OSPF area 1 to the STUB area.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] area 1
[Eudemon-ospf-1-area-0.0.0.1] stub

Related Topics
3.21.11 default-cost

3.21.58 vlink-peer

Function
Using the vlink-peer command, you can create and configure a virtual link.
Using the undo vlink-peer command, you can cancel an existing virtual link.

Format
vlink-peer router-id [ hello seconds | retransmit seconds | trans-delay seconds | dead seconds | simple password | md5 key-id key ] *
undo vlink-peer router-id

Parameters
router-id: specifies the router ID of a virtual link neighbor in dotted decimal notation.
hello seconds: specifies the interval for transmitting hello messages. It ranges from 1 to 8192
seconds. This value must equal the hello seconds value of the router at the other end of the
virtual link. By default, the value is 10 seconds.
retransmit seconds: specifies the interval for retransmitting LSA packets on an interface.
It ranges from 1 to 8192 seconds. By default, the value is 5 seconds.
trans-delay seconds: specifies the delay before LSA packets are transmitted on an
interface. It ranges from 1 to 8192 seconds. By default, the value is 1 second.
dead seconds: specifies the interval of the dead timer. It ranges from 1 to 8192 seconds. This
value must equal the dead seconds value of the router at the other end of the virtual link and
must be at least 4 times the hello seconds value. By default, the value is 40 seconds.
simple password: specifies the simple text authentication key of the interface, not exceeding
8 characters. This value must equal the authentication key of the virtually linked neighbor.
key-id: specifies the MD5 authentication key ID. Its value ranges from 1 to 255. It must be equal
to the authentication key ID of the virtually linked neighbor.
key: specifies the authentication key on an interface. A plain text password is a consecutive
character string of no more than 16 characters. This value must equal the authentication key
of the virtually linked neighbor. A password in encrypted text must be 24 characters long.

Views
OSPF area view

Default Level
2: Configuration level

Usage Guidelines
According to RFC 2328, an OSPF area should be connected to the backbone network. You
can use the vlink-peer command to maintain this connectivity. A virtual link can be regarded
as an ordinary OSPF-enabled interface, so parameters such as hello, retransmit, and
trans-delay are configured on it in the same way.
When configuring virtual link authentication, use the authentication-mode (OSPF Area View)
command to set the authentication mode on the backbone network to MD5 cipher text or simple
text.

Examples
# Create a virtual link to 10.110.0.3 and use the MD5 cipher text authentication mode.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] area 10.0.0.0
[Eudemon-ospf-1-area-10.0.0.0] vlink-peer 10.110.0.3 md5 3 345

Related Topics
3.21.4 authentication-mode (OSPF Area View)

3.22 PPP Configuration Commands


3.22.1 debugging ppp
3.22.2 display interface mp-group
3.22.3 display ppp compression iphc
3.22.4 display ppp mp
3.22.5 interface mp-group
3.22.6 ip tcp vjcompress
3.22.7 link-protocol ppp
3.22.8 ppp authentication-mode
3.22.9 ppp callback
3.22.10 ppp callback ntstring
3.22.11 ppp chap password

3.22.12 ppp chap user


3.22.13 ppp compression iphc
3.22.14 ppp compression stac-lzs
3.22.15 ppp ipcp dns
3.22.16 ppp lqc
3.22.17 ppp mp
3.22.18 ppp mp binding-mode
3.22.19 ppp mp max-bind
3.22.20 ppp mp mp-group
3.22.21 ppp mp min-fragment
3.22.22 ppp mp user bind virtual-template
3.22.23 ppp mp virtual-template
3.22.24 ppp pap local-user
3.22.25 ppp timer negotiate
3.22.26 timer hold

3.22.1 debugging ppp

Function
Using the debugging ppp command, you can enable the PPP debugging.

Using the undo debugging ppp command, you can disable the PPP debugging.

Format
debugging ppp all [ interface interface-type interface-number ]

debugging ppp { ccp | chap | ipcp | lcp | mplscp | osicp | pap } { all | error | event | packet | state } [ interface interface-type interface-number ]

debugging ppp mp { all | error | event | packet } [ interface interface-type interface-number ]

debugging ppp { cbcp | ip | lqc | mpls-multicast | mpls-unicast | osi-npdu | scp | vjcomp } packet [ interface interface-type interface-number ]

debugging ppp core event [ interface interface-type interface-number ]

debugging ppp compression iphc { rtp | tcp }

undo debugging ppp all [ interface interface-type interface-number ]

undo debugging ppp { ccp | chap | ipcp | lcp | mplscp | osicp | pap } { all | error | event | packet | state } [ interface interface-type interface-number ]

undo debugging ppp mp { all | error | event | packet } [ interface interface-type interface-number ]

undo debugging ppp { cbcp | ip | lqc | mpls-multicast | mpls-unicast | osi-npdu | scp | vjcomp } packet [ interface interface-type interface-number ]

undo debugging ppp core event [ interface interface-type interface-number ]

undo debugging ppp compression iphc { rtp | tcp }

Parameters
ccp: indicates PPP Compression Control Protocol.

chap: indicates PPP Challenge Handshake Authentication Protocol.

ipcp: indicates the PPP IP Control Protocol.

lcp: indicates the PPP Link Control Protocol.

mp: indicates the PPP Multilink Protocol.

mplscp: indicates the MPLS Control Protocol.

osicp: indicates the PPP OSI Network Layer Control Protocol.

pap: indicates the PPP Password Authentication Protocol.

cbcp: indicates the PPP Callback Control Protocol.

ip: indicates IP.

lqc: indicates the Link Quality Monitoring.

mpls-multicast: indicates the MPLS multicast packet.

mpls-unicast: indicates the MPLS unicast packet.

osi-npdu: indicates the OSI Network Packet Data Unit.

scp: indicates the PPP Stac LZS Compression Protocol.

vjcomp: indicates Van Jacobson TCP/IP header compression.

error: outputs the error message.

event: debugs the event.

packet: debugs the packet.

state: debugs the state. When MP is used, this parameter is disabled.

interface-type: indicates the type of the interface.

interface-number: indicates the number of the interface.

compression: debugs the PPP compression.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, the PPP debugging is disabled.
Based on the interface status and statistics that the command collects, you can measure
the traffic and locate faults on the interface.
Debugging affects the performance of the system. So, after debugging, run the undo
debugging command to disable it immediately.

Examples
# Enable the PPP debugging for SCP packets.
<Eudemon> debugging ppp scp packet

3.22.2 display interface mp-group

Function
Using the display interface mp-group command, you can view the status of an MP-Group
interface.

Format
display interface mp-group [ number ]

Parameters
number: specifies the number of the MP-Group interface. It is an integer in a range of 0 to 1023.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
This command is available only when the MP-Group interface has been created.
Based on the interface status and statistics that the command collects, you can measure
the traffic and locate faults on the interface.

Examples
# View the status of the MP-Group interface.

<Eudemon> display interface mp-group


Mp-group0 current state : DOWN
Line protocol current state : DOWN
Description : HUAWEI, Eudemon Series, Mp-group0 Interface
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 168.1.2.10/24
Link layer protocol is PPP
LCP initial
Physical is MP, baudrate is 0 bps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/256/0
Last 5 minutes input rate 0 bytes/sec, 0 packets/sec
Last 5 minutes output rate 0 bytes/sec, 0 packets/sec
0 packets input, 0 bytes, 0 drops
0 packets output, 0 bytes, 0 drops

Table 3-44 Description of the display interface mp-group command output

Item: Mp-group0 current state :
Description: Indicates the physical status of the MP-Group 0 interface:
• UP: indicates the normal enabled state.
• DOWN: indicates the abnormal state.
• Administratively down: If the administrator uses the shutdown command on the interface,
the state is Administratively down.

Item: Line protocol current state :
Description: Indicates the status of the link protocol of the interface:
• UP: indicates the normal enabled state.
• DOWN: indicates the abnormal state or the IP address is not configured on the interface.

Item: Internet Address is
Description: Indicates the IP address configured for the interface. If the interface is not
configured with an IP address, "Internet protocol processing: disabled" is displayed.

Item: Link layer protocol is
Description: Indicates the link layer protocol. It can only be PPP for an MP-Group interface.

Item: LCP initial
Description: Indicates the status of the link protocol of the interface:
• UP: indicates the normal enabled state.
• DOWN: indicates the abnormal state or the IP address is not configured on the interface.

Item: Description :
Description: Indicates the description of the interface. It has a maximum of 64 characters,
which are case sensitive and can be blank spaces. The description can help the user to get
familiar with the interface function.

Item: The Maximum Transmit Unit is
Description: For the serial interface, the default is 1500 bytes. A packet larger than the MTU
is fragmented before being sent. If non-fragmentation is configured, the packet is discarded.

Item: Output queue : (Urgent queue : Size/Length/Discards)
      Output queue : (Protocol queue : Size/Length/Discards)
      Output queue : (FIFO queuing : Size/Length/Discards)
Description: Indicates the current status of the three types of output queue:
• Urgent queue: link layer protocol packets, such as PPP and Keepalive packets, enter this
queue.
• Protocol queue: packets with IP precedence 6 enter this queue.
• FIFO queue: according to the queue type applied on the interface, it may be FIFO (First In
First Out Queue), PQ (Priority Queue), CQ (Custom Queue), or CBQ (Class-based Queue).
When congestion happens, an interface sends the packets in the Urgent queue first, those in the
Protocol queue second and those in the FIFO queue third. For the output queue, the meaning of
the fields is as follows:
• Size: indicates the number of packets in the queue.
• Length: indicates length of the longest queue in packets.
• Discards: indicates the number of packets discarded because the queue is full.
By checking the relationship between Discards, Size and Length during a certain period, you
can see whether the interface performance satisfies the requirements. If the value of Discards
remains large for a long time and the input packets cannot be processed in time, a router of
higher performance is needed.

Item: 5 minutes input rate, 5 minutes output
Description: Indicates the rate of the bytes and the packets that pass through the interface in
the last 5 minutes.

Item: 0 packets input, 0 bytes, 0 drops
      0 packets output, 0 bytes, 0 drops
Description: The field indicates:
• Number of packets and bytes received and sent on the interface
• Number of bytes that is discarded owing to the insufficient cache

3.22.3 display ppp compression iphc

Function
Using the display ppp compression iphc command, you can display the statistics of IP packets
header compression on PPP links.

Format
display ppp compression iphc { rtp | tcp } [ interface-type interface-number ]

Parameters
rtp: displays IPHC RTP statistics.
tcp: displays IPHC TCP statistics.

interface-type interface-number: specifies the type and number of an interface.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the statistics of IP packet header compression on PPP links.
<Eudemon> system-view
[Eudemon] display ppp compression iphc tcp

3.22.4 display ppp mp

Function
Using the display ppp mp command, you can view the interface information and statistics of
MP.

Format
display ppp mp [ interface interface-type interface-number ]

Parameters
interface-type interface-number: specifies the type and number of the interface to be displayed.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Use this command to check whether the physical interface is successfully bound to the specified
MP-Group or VT.
If you do not specify the interface type and number, information and statistics of all the interfaces
of MP are displayed.
Based on the interface status and statistics that the command collects, you can measure
the traffic and locate faults on the interface.

Examples
# View the MP interface information.
<Eudemon> display ppp mp interface mp-group 0
Mp-group is Mp-group0
===========Sublinks status begin======
Serial2/0/0:1 physical DOWN,protocol DOWN
Serial2/0/0:2 physical DOWN,protocol DOWN
===========Sublinks status end========
no bundled son channel

Table 3-45 Description of the display ppp mp command output

Item: physical
Description: Indicates the physical status of the interface in the MP binding:
• UP: indicates the normal enabled state.
• DOWN: indicates the abnormal state.
• Administratively down: If the administrator uses the shutdown command on the interface,
the state is Administratively down.

Item: protocol
Description: Indicates the status of the link protocol of the interface in the MP binding:
• UP: indicates the normal enabled state.
• DOWN: indicates the abnormal state or the IP address is not configured on the interface.

Item: no bundled son channel
Description: Indicates that no sub-channel is bound in the MP.

Related Topics
3.22.7 link-protocol ppp
3.22.17 ppp mp

3.22.5 interface mp-group

Function
Using the interface mp-group command, you can create an MP-Group interface.

Using the undo interface mp-group command, you can delete the specified MP-Group
interface.

Format
interface mp-group number

undo interface mp-group number

Parameters
number: specifies the number of the MP-Group interface. The sequence number ranges from 0
to 1023, which means one interface board supports at most 1024 Mp-Group interfaces.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
This command is used in conjunction with the ppp mp mp-group command. You can either create
the MP-Group interface first or add an interface into the MP-Group first.

Examples
# Create the interface MP-Group 0.
<Eudemon> system-view
[Eudemon] interface mp-group 0
[Eudemon-Mp-group0]

Related Topics
3.22.20 ppp mp mp-group

3.22.6 ip tcp vjcompress

Function
Using the ip tcp vjcompress command, you can enable VJ TCP header compression on a PPP
interface.

Using the undo ip tcp vjcompress command, you can disable VJ TCP header compression on the
PPP interface.

Format
ip tcp vjcompress

undo ip tcp vjcompress

Parameters
None

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
This command is used only on an interface with PPP as the link layer protocol.

If VJ TCP header compression is enabled on the PPP interface, it must also be enabled on the
interface at the opposite end.

By default, VJ TCP header compression is disabled on the PPP interface.

Examples
# Enable VJ TCP header compression on the PPP interface.
<Eudemon> system-view
[Eudemon] interface Dialer 0
[Eudemon-Dialer0] ip tcp vjcompress

3.22.7 link-protocol ppp

Function
Using the link-protocol ppp command, you can configure the link-layer protocol encapsulated
on the interface as PPP.

Format
link-protocol ppp

Parameters
None

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the link-layer protocol for interface encapsulation is PPP.

PPP is a link-layer protocol bearing network-layer packets over the point-to-point link. It defines
a whole set of protocols including Link Control Protocol (LCP), Network-layer Control Protocol
(NCP), Password Authentication Protocol (PAP) and Challenge Handshake Authentication
Protocol (CHAP). It is widely used because it provides user authentication, scales easily, and
supports both synchronous and asynchronous links.

Examples
# Configure PPP encapsulation on interface Dialer 0.
<Eudemon> system-view
[Eudemon] interface Dialer 0
[Eudemon-Dialer0] link-protocol ppp

3.22.8 ppp authentication-mode

Function
Using the ppp authentication-mode command, you can set the PPP authentication algorithm that
the local end uses to authenticate the peer device.
Using the undo ppp authentication-mode command, you can cancel the setting.

Format
ppp authentication-mode { chap [ pap ] | pap } [ call-in ]
undo ppp authentication-mode

Parameters
chap: authenticates the peer in CHAP mode.
pap: authenticates the peer in PAP mode.
call-in: authenticates the peer only when the remote user calls in.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, no authentication is carried out.
Using the ppp authentication-mode chap pap command, you can have CHAP authentication
attempted first in the LCP negotiation. If the authenticated party does not support this mode,
PAP authentication is performed. If the authenticated party supports neither mode, the
negotiation fails.
There are two PPP authentication algorithms:
• PAP is a 2-way handshake authentication, which sends the password in plain text.
• CHAP is a 3-way handshake authentication, which sends the password in encrypted text.
In addition, the defined AAA authentication algorithm list can be used.
Whether the authentication succeeds or not depends on AAA, which can authenticate on the
basis of the local authentication database or an AAA server.

Examples
# Authenticate the peer device by means of PAP on interface Dialer 0.
<Eudemon> system-view
[Eudemon] interface Dialer 0
[Eudemon-Dialer0] ppp authentication-mode pap

Related Topics
3.22.12 ppp chap user
3.22.24 ppp pap local-user
3.22.11 ppp chap password
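
The two handshakes described under ppp authentication-mode, shown as packets. This is an added example, not part of the Huawei reference: it builds an RFC 1334 PAP Authenticate-Request and an RFC 1994 CHAP Challenge/Response, where the CHAP response value is an MD5 digest over the identifier, the secret and the challenge, so the secret itself does not cross the link. The user name branch and all function and class names are assumptions; testpwd reuses the password from the ppp chap password example.

```python
"""PAP and CHAP authentication packets side by side (added example, constructed data)."""
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQUEST = 1                    # RFC 1334 code
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2    # RFC 1994 codes


def _frame(code: int, ident: int, body: bytes) -> bytes:
    """Code, Identifier and a Length that covers the 4-byte header plus body."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def _unframe(pkt: bytes) -> tuple[int, int, bytes]:
    if len(pkt) < 4:
        raise ValueError("truncated packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, ident, pkt[4:]


def pap_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: peer ID and password are carried as-is."""
    return _frame(PAP_AUTH_REQUEST, ident,
                  bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password)


def read_pap_request(pkt: bytes) -> tuple[bytes, bytes]:
    """What the authenticator, or anyone observing the link, reads from PAP."""
    code, _ident, body = _unframe(pkt)
    if code != PAP_AUTH_REQUEST or not body:
        raise ValueError("not a PAP Authenticate-Request")
    id_len = body[0]
    peer_id, rest = body[1:1 + id_len], body[1 + id_len:]
    if len(peer_id) != id_len or not rest or len(rest) != 1 + rest[0]:
        raise ValueError("malformed PAP field lengths")
    return peer_id, rest[1:]


def chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    return _frame(code, ident, bytes([len(value)]) + value + name)


def read_chap(pkt: bytes) -> tuple[int, int, bytes, bytes]:
    code, ident, body = _unframe(pkt)
    if code not in (CHAP_CHALLENGE, CHAP_RESPONSE) or not body or len(body) < 1 + body[0]:
        raise ValueError("malformed CHAP challenge/response")
    return code, ident, body[1:1 + body[0]], body[1 + body[0]:]


def chap_digest(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_respond(challenge_pkt: bytes, name: bytes, secret: bytes) -> bytes:
    """Authenticated side: answer a Challenge without sending the secret."""
    code, ident, challenge, _peer_name = read_chap(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    return chap_packet(CHAP_RESPONSE, ident, chap_digest(ident, secret, challenge), name)


class ChapAuthenticator:
    """Authenticating side: issues one-shot challenges and checks responses."""

    def __init__(self, name: bytes, secrets: dict[bytes, bytes]):
        self.name, self.secrets = name, secrets
        self.ident, self.pending = 0, None

    def challenge(self) -> bytes:
        self.ident = (self.ident + 1) % 256
        self.pending = os.urandom(16)       # fresh random challenge every time
        return chap_packet(CHAP_CHALLENGE, self.ident, self.pending, self.name)

    def verify(self, response_pkt: bytes) -> bool:
        code, ident, value, peer = read_chap(response_pkt)
        secret = self.secrets.get(peer)
        if code != CHAP_RESPONSE or ident != self.ident or not self.pending or secret is None:
            return False
        expected = chap_digest(ident, secret, self.pending)
        self.pending = None                 # a challenge is answered once
        return hmac.compare_digest(expected, value)


if __name__ == "__main__":
    pap = pap_request(1, b"branch", b"testpwd")
    print("PAP  on the wire:", pap)                       # password readable
    auth = ChapAuthenticator(b"Eudemon", {b"branch": b"testpwd"})
    chal = auth.challenge()
    resp = chap_respond(chal, b"branch", b"testpwd")
    print("CHAP on the wire:", chal.hex(), resp.hex())    # digest only
    print("CHAP accepted:", auth.verify(resp))
```

CHAP keeps the secret off the link, but a captured challenge and response still let an observer test guessed passwords offline, so the shared password should be long and random.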

3.22.9 ppp callback

Function
Using the ppp callback command, you can configure the local end as the callback client or the
server, which sends or receives the callback requests.
Using the undo ppp callback command, you can stop the local end from serving as the callback
client or server.

Format
ppp callback { client | server }
undo ppp callback { client | server }

Parameters
client: sets the local end as callback client.
server: sets the local end as callback server.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the callback negotiation is rejected.
The calling party can save the transmission expense (caller charging) through the use of the
callback.

Examples
# Configure the local end as the client of the Callback.

<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:1
[Eudemon-Serial1/0/0:1] ppp callback client

Related Topics
3.22.10 ppp callback ntstring

3.22.10 ppp callback ntstring

Function
Using the ppp callback ntstring command, you can set the dialing string that Windows NT Server
requires in order to call back the Eudemon.
Using the undo ppp callback ntstring command, you can cancel the configured callback dialing
string.

Format
ppp callback ntstring dial-string
undo ppp callback ntstring [ dial-string ]

Parameters
dial-string: defines a string of characters for the callback, whose length ranges from 1 to 64.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
Configure this command when the Eudemon, as the calling end of the callback, calls a Windows NT
Server that requires the Eudemon to send the callback number.

Examples
# Set the dialing string required as 660068 when Windows NT Server calls back the
Eudemon.
<Eudemon> system-view
[Eudemon] interface dialer 0
[Eudemon-Dialer0] ppp callback ntstring 660068

Related Topics
3.22.9 ppp callback

3.22.11 ppp chap password

Function
Using the ppp chap password command, you can configure the default CHAP password while
performing CHAP authentication.

Using the undo ppp chap password command, you can cancel the setting.

Format
ppp chap password { simple | cipher } password

undo ppp chap password

Parameters
password: specifies the password. The length ranges from 1 to 16.

simple | cipher: displays the password in plain text or in encrypted text.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
While configuring CHAP authentication, you should set the local password as the password of
the peer user.

Examples
# Set the user password as testpwd in plain text when the local Eudemon performs the
authentication via CHAP.
<Eudemon> system-view
[Eudemon] interface dialer 0
[Eudemon-Dialer0] ppp chap password simple testpwd

Related Topics
3.22.8 ppp authentication-mode
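
A configuration check built from the statements in this reference about vlink-peer, ppp authentication-mode and ppp chap password: PAP sends the password in plain text, chap pap falls back to PAP, simple keeps keys in plain text, and the vlink-peer dead timer must be at least 4 times the hello timer. This is an added example, not Huawei code; the saved-configuration layout, the rule names and the sample values (other than those taken from the examples in this reference) are assumptions.

```python
"""Flag cleartext-authentication settings in an Eudemon configuration (added example)."""
from typing import NamedTuple, Optional

# Constructed sample. The saved-configuration layout (one command per line,
# views opened by "interface", "ospf" and "area" lines) is an assumption; the
# commands themselves use the syntax documented in this reference.
SAMPLE_CONFIG = """\
interface Dialer0
 link-protocol ppp
 ppp authentication-mode pap
 ppp chap user Eudemon
 ppp chap password simple testpwd
interface Serial1/0/0
 link-protocol ppp
 ppp authentication-mode chap pap call-in
 ppp chap password cipher PLACEHOLDER-CIPHERTEXT
ospf 1
 area 10.0.0.0
  vlink-peer 10.110.0.3 hello 10 dead 30 simple ospfkey
  vlink-peer 10.110.0.4 md5 3 345
"""

TIMERS = ("hello", "retransmit", "trans-delay", "dead")


class Finding(NamedTuple):
    line: int     # 1-based line number in the audited text
    view: str     # view the command was found in
    rule: str     # hypothetical rule name; key material is never echoed


def parse_vlink_options(tokens: list[str]) -> tuple[dict[str, int], Optional[str]]:
    """Return (timers, auth keyword) for the options after the router ID."""
    timers = {"hello": 10, "dead": 40}      # defaults stated for vlink-peer
    auth, i = None, 0
    while i < len(tokens):
        key = tokens[i]
        if key in TIMERS and i + 1 < len(tokens):
            timers[key] = int(tokens[i + 1])
            i += 2
        elif key == "simple" and i + 1 < len(tokens):
            auth, i = "simple", i + 2
        elif key == "md5" and i + 2 < len(tokens):
            timers["key-id"] = int(tokens[i + 1])
            auth, i = "md5", i + 3
        else:
            raise ValueError(f"unexpected vlink-peer option {key!r}")
    return timers, auth


def check_vlink(words: list[str]) -> list[str]:
    """Rules for one vlink-peer command, in the order they are checked."""
    try:
        timers, auth = parse_vlink_options(words[2:])
    except ValueError:                      # unknown keyword or non-numeric value
        return ["vlink-malformed"]
    rules = []
    if auth == "simple":
        rules.append("vlink-simple-auth")           # simple text key
    if timers["dead"] < 4 * timers["hello"]:
        rules.append("vlink-dead-below-4x-hello")   # dead must be >= 4 x hello
    if any(not 1 <= timers[t] <= 8192 for t in TIMERS if t in timers):
        rules.append("vlink-timer-out-of-range")
    if not 1 <= timers.get("key-id", 1) <= 255:
        rules.append("vlink-key-id-out-of-range")
    return rules


def check_ppp(words: list[str]) -> list[str]:
    if words[:2] == ["ppp", "authentication-mode"]:
        modes = [w for w in words[2:] if w in ("chap", "pap")]
        if modes == ["pap"]:
            return ["ppp-pap-only"]                 # password sent in plain text
        if modes == ["chap", "pap"]:
            return ["ppp-pap-fallback"]             # PAP if the peer lacks CHAP
    if words[:4] == ["ppp", "chap", "password", "simple"]:
        return ["ppp-chap-password-plaintext"]      # password shown in plain text
    return []


def audit(config: str) -> list[Finding]:
    findings, view = [], "system"
    for number, raw in enumerate(config.splitlines(), 1):
        words = raw.split()
        if not words or words[0] == "#":
            continue
        if words[0] in ("interface", "ospf"):
            view = " ".join(words)
        elif words[0] == "area" and len(words) > 1:
            view = view.split(" area ")[0] + " area " + words[1]
        elif words[0] == "vlink-peer":
            findings += [Finding(number, view, r) for r in check_vlink(words)]
        else:
            findings += [Finding(number, view, r) for r in check_ppp(words)]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(f"line {finding.line:>2}  [{finding.view}]  {finding.rule}")
```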

3.22.12 ppp chap user

Function
Using the ppp chap user command, you can set the user name in performing the CHAP
authentication.

Using the undo ppp chap user command, you can delete the existing setting.

Format
ppp chap user user-name
undo ppp chap user

Parameters
user-name: specifies the user name of CHAP authentication, which is the one sent to the peer
equipment to perform the CHAP authentication. It is a character string whose length ranges from
1 to 64.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the user name of the CHAP authentication is blank.
While configuring CHAP authentication, you should set the username of each end as the
local_user of the peer end, and set the corresponding password accordingly.

Examples
# Set the local user name as Eudemon when CHAP authentication is performed on interface
Dialer 0.
<Eudemon> system-view
[Eudemon] interface Dialer 0
[Eudemon-Dialer0] ppp chap user Eudemon

Related Topics
3.22.8 ppp authentication-mode

3.22.13 ppp compression iphc

Function
Using the ppp compression iphc command, you can enable IPHC.
Using the undo ppp compression iphc command, you can disable IPHC.

Format
ppp compression iphc [ nonstandard | rtp-connections rtp-connections | tcp-connections tcp-connections ]
undo ppp compression iphc [ rtp-connections | tcp-connections ]

Parameters
nonstandard: uses nonstandard mode when compressing RTP or TCP packet header.

rtp-connections rtp-connections: sets the maximum number of RTP connections in a range of
3 to 1000.

tcp-connections tcp-connections: sets the maximum number of TCP connections in a range of
3 to 256.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Enable IPHC and use nonstandard mode when compressing RTP or TCP packet header.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ppp compression iphc nonstandard

Related Topics
3.22.7 link-protocol ppp

3.22.14 ppp compression stac-lzs

Function
Using the ppp compression stac-lzs command, you can set the PPP protocol to start the Stac
compression algorithm.

Using the undo ppp compression stac-lzs command, you can disable the compression at the
relevant interface.

Format
ppp compression stac-lzs

undo ppp compression stac-lzs

Parameters
None

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, compression is disabled.

When stac-lzs compression is configured on the interface, the data frame size can be reduced
through data compression without damaging the data. However, this configuration will add load
to the Eudemon. It is recommended that this function be disabled when the Eudemon has already
been overloaded.

Examples
# Configure stac-lzs compression on the local Eudemon.
<Eudemon> system-view
[Eudemon] interface dialer 0
[Eudemon-Dialer0] ppp compression stac-lzs

Related Topics
3.22.7 link-protocol ppp

3.22.15 ppp ipcp dns

Function
Using the ppp ipcp dns command, you can enable the Eudemon to provide the address of DNS
server for the peer.

Using the undo ppp ipcp dns command, you can disable this process.

Format
ppp ipcp dns admit-any

ppp ipcp dns primary-dns-address [ secondary-dns-address ]

undo ppp ipcp dns { primary-dns-address [ secondary-dns-address ] | admit-any }

Parameters
primary-dns-address: specifies the address of the primary DNS server.

secondary-dns-address: specifies the address of the secondary DNS server.

admit-any: receives any DNS address requested by the peer.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the device does not provide the address of DNS server for the peer.
When another device connects to the Eudemon through the PPP protocol, that is, when a host
accesses the Eudemon, the Eudemon can assign a DNS server address to the peer after the
negotiation. In this manner, the peer can directly access the network through the domain name.
If a user accesses the Eudemon through a PC, this user can run the winipcfg and ipconfig/all
commands on the PC to view the DNS server address assigned by the Eudemon.
The Eudemon can provide the addresses of the primary and secondary DNS servers for the peer.

Examples
# Configure the primary DNS server address of the local Eudemon as 100.1.1.1, and the
secondary DNS server address as 100.1.1.2.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0
[Eudemon-Serial1/0/0] ppp ipcp dns 100.1.1.1 100.1.1.2

Related Topics
3.22.8 ppp authentication-mode

3.22.16 ppp lqc

Function
Using the ppp lqc command, you can enable the quality monitoring on PPP link.
Using the undo ppp lqc command, you can disable the function.

Format
ppp lqc close-percentage [ resume-percentage ]
undo ppp lqc

Parameters
close-percentage: specifies the quality percentage for closing the PPP link. It is in a range of 0
to 100.
resume-percentage: specifies the quality percentage for resuming the closed PPP link. It is
in a range of 0 to 100.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the quality monitoring is disabled.
The default value of resume-percentage is equal to that of close-percentage.
With quality monitoring, you can monitor the quality of a PPP link (including a PPP link
bound to MP) in real time. The link is closed when its quality is lower than
close-percentage, and is resumed automatically when its quality reaches resume-percentage
again. The PPP link is resumed only after a delay, in order to prevent the link from
oscillating.
You must set the value of resume-percentage to be equal to or higher than that of
close-percentage.
If you enable quality monitoring at both ends of the PPP link at the same time, make
sure that the device parameters of both ends are equal. Generally, you are recommended
not to do that.
You are recommended not to enable quality monitoring of a PPP link on a dial-up line. When
the function is enabled on a dial-up line, the DCC module cuts off the line whenever the
link is closed, so the monitoring cannot work normally. The DCC module resumes the dial-up
line only when there is data to be transmitted, and only then can link quality monitoring be
restored.

Examples
# Enable the quality monitoring of PPP link at interface Dialer0, and set the close-percentage to
90% and the resume-percentage to 95%.
<Eudemon> system-view
[Eudemon] interface dialer0
[Eudemon-Dialer0] ppp lqc 90 95

3.22.17 ppp mp

Function
Using the ppp mp command, you can bind a PPP encapsulation interface to a specified virtual
interface template through authentication binding.
Using the undo ppp mp command, you can enable the interface to operate in the common PPP
mode.

Format
ppp mp


undo ppp mp

Parameters
None

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the PPP encapsulated interface operates in the common PPP mode.

To increase the bandwidth, multiple PPP links can be bound to form a logical MP interface.

When a virtual template is bound on the interface in authentication mode, this command must
be executed. The physical interface must pass the PAP or CHAP authentication. Different
physical interfaces on the same VT may adopt different authentication modes.

In addition, this command and the ppp mp virtual-template command are mutually exclusive.
That is, an interface can only be configured with one binding mode, either direct binding or
authenticated binding.

NOTE

When using a VT to bind an interface, consider the following items:

- Physical interfaces must be bound into one VT in the same mode.
- All physical interfaces in one VT must be on the same interface board.
- The number of physical interfaces bound in one VT must be the same at the two interworking
  ends.
- When multiple physical interfaces are bound in one local VT, the peer interfaces directly
  connected to those physical interfaces must be bound into one VT.

When the interface is bound to the virtual interface template:

- If the interface LCP is Opened, you must restart the interface. This forces the re-negotiation
  of PPP so that the interface is bound to the MP successfully.
- Otherwise, you do not need to restart the interface, because PPP negotiates automatically.

NOTE

After the configuration is complete, you need to re-start the interface for the re-negotiation of the PPP
protocol to ensure all the interfaces are successfully bound to the MP.

After the undo ppp mp command is successfully configured in the interface view, MP binding
is removed from the interface. You do not need to restart the interface, because PPP
negotiates automatically until the link layer protocol status of the interface turns Up.
About 40s elapse between the successful execution of the undo ppp mp command and the
link layer protocol of the interface turning Up.


Examples
# Configure PPP encapsulated Serial 1/0/0:0 to operate in the MP mode.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial1/0/0:0] ppp mp

Related Topics
3.22.7 link-protocol ppp

3.22.18 ppp mp binding-mode

Function
Using the ppp mp binding-mode command, you can set the MP binding mode.

Using the undo ppp mp binding-mode command, you can restore the default mode of the MP
binding.

Format
ppp mp binding-mode { authentication | both | descriptor }

undo ppp mp binding-mode

Parameters
authentication: performs the MP binding based on the user name used in authentication of PPP.

both: performs the MP binding based on both the user name used in the authentication of PPP
and the terminal identifier.

descriptor: performs the MP binding based on the terminal identifier.

Views
Virtual-template interface view, Dialer interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the MP binding is based on both the user name used in authentication and the
terminal identifier.

The user name refers to the peer user name received when the PPP link performs the PAP or
CHAP authentication. The terminal ID, which uniquely identifies a device, refers to the terminal
identifier received from the remote end in the LCP negotiation. The system can perform the MP
binding based on the received user name or terminal ID. Thus, the interfaces with the same user
name and/or terminal identifier are bound together.


Examples
# Perform the MP binding based on the user name of the PPP authentication.
<Eudemon> system-view
[Eudemon] interface virtual-template 10
[Eudemon-Virtual-Template10] ppp mp binding-mode authentication

Related Topics
3.22.17 ppp mp

3.22.19 ppp mp max-bind

Function
Using the ppp mp max-bind command, you can set the maximum number of the bundled links
of MP.

Using the undo ppp mp max-bind command, you can restore the default configuration.

Format
ppp mp max-bind max-bind-number

undo ppp mp max-bind

Parameters
max-bind-number: indicates the maximum number of links that can be bound. The value ranges
from 1 to 128. The default is 128.

Views
Virtual-template interface view, Mp-Group interface view

Default Level
2: Configuration level

Usage Guidelines
Normally, it is not recommended to change the configuration, which may influence the PPP
performance.

If a virtual-template interface reports failure in deleting MP links, it is possible that the
maximum binding number is smaller than the actually configured one. Ensure that the maximum
binding number is larger than the actual one.

In the virtual-template interface view or Mp-Group interface view, if this configuration changes,
execute the shutdown command to remove the MP binding on all the sub-channels. Then execute
the undo shutdown command to configure the MP binding again. At this time, the modification
can take effect.


Examples
# Set the maximum number of links of MP binding to 12.
<Eudemon> system-view
[Eudemon] interface virtual-template 10
[Eudemon-Virtual-Template10] ppp mp max-bind 12

Related Topics
3.22.17 ppp mp

3.22.20 ppp mp mp-group

Function
Using the ppp mp mp-group command, you can add the current interface into the specified
Mp-Group.

Using the undo ppp mp command, you can delete the current interface from the specified
Mp-Group.

Format
ppp mp mp-group number

undo ppp mp

Parameters
number: specifies the number of the Mp-Group interface. The value ranges from 1 to 1023.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
This command is used in conjunction with the interface mp-group command. Either step can
come first: creating the Mp-Group interface, or adding an interface into the Mp-Group.

In addition, the interface that joins the Mp-Group should be a logical serial interface that is
created from an E1/T1 interface. The command can be configured on a Dialer interface, but this
is not recommended.


NOTE

When using an MP-Group to bind an interface, consider the following items:

- Physical interfaces must be bound into one MP-Group in the same mode.
- All physical interfaces in one MP-Group must be on the same interface board.
- The number of physical interfaces bound in one MP-Group must be the same at the two
  interworking ends.
- When multiple physical interfaces are bound in one local MP-Group, the peer interfaces
  directly connected to those physical interfaces must be bound into one MP-Group.

When binding an interface to the MP-Group:

- If the LCP of the physical interface is in the Opened status, run the command shutdown,
  undo shutdown or restart to restart the physical interface. In this way, the LCP can
  re-negotiate to ensure the physical interface is successfully bound to the MP.
- If the LCP status is not Opened, it is not necessary to restart the interface. PPP can
  automatically complete negotiation to successfully bind the interface to MP.

After the configuration is complete, you need to re-start the interface for the re-negotiation of
the PPP protocol to ensure all the interfaces are successfully bound to the MP.

After the undo ppp mp command is successfully configured in the interface view, MP binding
is removed from the interface. You do not need to restart the interface, because PPP
negotiates automatically until the link layer protocol status of the interface turns Up.
About 40s elapse between the successful execution of the undo ppp mp command and the
link layer protocol of the interface turning Up.

Examples
# Add the Serial 1/0/0:0 into the Mp-Group 1.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial1/0/0:0] ppp mp mp-group 1

Related Topics
3.22.5 interface mp-group

3.22.21 ppp mp min-fragment

Function
Using the ppp mp min-fragment command, you can set the minimum packet size for the MP
outgoing packets.

Using the undo ppp mp min-fragment command, you can restore the default configuration.

Format
ppp mp min-fragment size

undo ppp mp min-fragment


Parameters
size: specifies the minimum packet size for MP outgoing packets. An outgoing packet larger
than the value is fragmented, while a packet smaller than the value is not fragmented. The
value ranges from 128 to 1500 bytes. The default is 500.

Views
Virtual-template interface view, MP-Group interface view

Default Level
2: Configuration level

Usage Guidelines
If you do not want small packets to be fragmented, set size to a relatively large value.

NOTE

- In the Mp-Group interface view, if this configuration changes, execute the shutdown command to
  remove the MP binding on all the sub-channels.
- Then execute the undo shutdown command to configure the MP binding again. The modification
  then takes effect.

Examples
# Enable the fragmentation when the MP packet reaches 1000 bytes.
<Eudemon> system-view
[Eudemon] interface mp-group 0
[Eudemon-Mp-group0] ppp mp min-fragment 1000

Related Topics
3.22.17 ppp mp

3.22.22 ppp mp user bind virtual-template

Function
Using the ppp mp user command, you can bind an MP user with a virtual template interface.
Using the undo ppp mp user command, you can remove the binding.

Format
ppp mp user user-name bind virtual-template virtual-template-number
undo ppp mp user user-name

Parameters
user-name: specifies an MP user name with 1 to 64 characters.
virtual-template-number: specifies a virtual template number in a range of 0 to 1023.


Views
System view

Default Level
2: Configuration level

Usage Guidelines
During the process of setting up a PPP connection, if a virtual template interface is specified
after the PPP authentication succeeds, the MP binding is performed according to the parameters
of the virtual template interface. In addition, a new virtual interface comes into existence and is
used to transmit data.
A device can be configured with up to 200 ppp mp user username bind virtual-template
number commands.
A virtual template interface can be configured with the following working parameters:
- A local IP address and the IP address assigned to the peer of PPP (or an IP address pool)
- PPP working parameters

Examples
# Bind MP user "userabc" with interface Virtual-Template 1.
<Eudemon> system-view
[Eudemon] interface virtual-template 1
[Eudemon-Virtual-Template1] ip address 1.1.1.1 24
[Eudemon-Virtual-Template1] quit
[Eudemon] ppp mp user userabc bind virtual-template 1

3.22.23 ppp mp virtual-template

Function
Using the ppp mp virtual-template command, you can set the virtual template number to be
bound by the interface.
Using the undo ppp mp command, you can disable the MP binding of the interface.

Format
ppp mp virtual-template number
undo ppp mp

Parameters
number: specifies the virtual template number to be bound by the interface. The value ranges
from 0 to 1023.

Views
Interface view


Default Level
2: Configuration level

Usage Guidelines
By default, the MP binding of the interface is disabled and the interface works in the common
PPP mode.

This command specifies the virtual template number to be bound on the interface. In addition,
this MP binding does not require PAP or CHAP authentication to be configured on the interface.
Interfaces with the same virtual template number are bound together directly.

Moreover, this command and the ppp mp command are mutually exclusive. That is, only one
of the two commands can be configured on the same interface.

NOTE

When using a VT to bind an interface, consider the following items:

- Physical interfaces must be bound into one VT in the same mode.
- All physical interfaces in one VT must be on the same interface board, because the VRP does
  not support trans-board MP binding.
- The number of physical interfaces bound in one VT must be the same at the two interworking
  ends.
- When multiple physical interfaces are bound in one local VT, the peer interfaces directly
  connected to those physical interfaces must be bound into one VT.

When binding an interface to the VT:

- If the LCP of the physical interface is in the Opened status, run the restart command to
  restart the physical interface. In this way, the LCP can re-negotiate to ensure the physical
  interface is successfully bound to the MP.
- If the LCP status is not Opened, it is not necessary to restart the interface. PPP can
  automatically complete negotiation to successfully bind the interface to MP.

NOTE

After the configuration is complete, you need to re-start the interface for the re-negotiation of the PPP
protocol to ensure all the interfaces are successfully bound to the MP.

After the undo ppp mp command is successfully configured in the interface view, MP binding
is removed from the interface. You do not need to restart the interface, because PPP
negotiates automatically until the link layer protocol status of the interface turns Up.
About 40s elapse between the successful execution of the undo ppp mp command and the
link layer protocol of the interface turning Up.

Examples
# Configure the PPP encapsulated Serial 1/0/0:1 to operate in the MP mode.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:1
[Eudemon-Serial1/0/0:1] ppp mp virtual-template 1

Related Topics
3.22.7 link-protocol ppp


3.22.24 ppp pap local-user

Function
Using the ppp pap local-user command, you can specify the username and password sent by
the local Eudemon when it is authenticated by the peer device via the PAP method.

Using the undo ppp pap local-user command, you can disable the configuration.

Format
ppp pap local-user user-name password { simple | cipher } password

undo ppp pap local-user

Parameters
user-name: specifies a username sent to be authenticated by the peer.

password: specifies the password sent to be authenticated by the peer.

simple: sets the password in plain text.

cipher: sets the password in encrypted text.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, when the local device is authenticated by the peer device through the PAP method,
both the username and the password sent by the local device are empty.

When the local device is authenticated via the PAP method by the peer device, the username
and password sent by the local device must be the same as the username and password of the
peer device.

Examples
# Set the username of the local device authenticated by the peer end through the PAP method
as testuser and the password as testpwd.
<Eudemon> system-view
[Eudemon] interface dialer 0
[Eudemon-Dialer0] ppp pap local-user testuser password simple testpwd

Related Topics
3.22.8 ppp authentication-mode
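
The constraints stated above for ppp lqc, ppp mp, ppp mp max-bind, ppp mp min-fragment and
ppp pap local-user can be checked offline against a saved configuration. The following Python
script is an added example, not part of the Huawei documentation; the configuration layout
(an interface line followed by indented commands), the rule names and the sample configuration
are assumptions constructed for illustration.

```python
import re

# Rule names are hypothetical; the limits are the ones stated in this reference.
RULES = {
    "lqc-resume-range": "ppp lqc: resume-percentage must be 0 to 100",
    "lqc-resume-below-close": "ppp lqc: resume-percentage must be >= close-percentage",
    "pap-password-simple": "ppp pap local-user: password is set in plain text (simple)",
    "mp-binding-conflict": "ppp mp and ppp mp virtual-template are mutually exclusive",
    "mp-vt-range": "ppp mp virtual-template: number must be 0 to 1023",
    "mp-max-bind-range": "ppp mp max-bind: value must be 1 to 128",
    "mp-min-fragment-range": "ppp mp min-fragment: size must be 128 to 1500 bytes",
}

# Constructed sample; the layout (interface line, indented commands) is assumed.
SAMPLE_CONFIG = """\
interface Dialer0
 ppp lqc 95 90
 ppp pap local-user testuser password simple testpwd
#
interface Serial1/0/0:0
 ppp mp
 ppp mp virtual-template 1
#
interface Serial1/0/0:1
 ppp pap local-user branch1 password cipher EXAMPLE-CIPHERTEXT
 ppp mp virtual-template 1
#
interface Virtual-Template10
 ppp mp max-bind 200
 ppp mp min-fragment 64
#
interface Mp-group0
 ppp mp min-fragment 1000
"""


def in_range(token, low, high):
    """True when token is a decimal number inside [low, high]."""
    return token.isdigit() and low <= int(token) <= high


def parse_interfaces(text):
    """Return {interface name: [commands]} from an indented configuration dump."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#" or not raw[0].isspace():
            # A new top-level line ends the previous interface block.
            m = re.match(r"interface\s+(\S.*)$", line, re.IGNORECASE)
            current = m.group(1).replace(" ", "") if m else None
            if current:
                blocks.setdefault(current, [])
        elif current:
            blocks[current].append(line)
    return blocks


def check_interface(cmds):
    """Return the rule names violated by the commands of one interface."""
    hits, modes = [], set()
    for cmd in cmds:
        tok = cmd.split()
        if tok[:2] == ["ppp", "lqc"] and len(tok) >= 3:
            close = tok[2]
            resume = tok[3] if len(tok) > 3 else close  # default equals close
            if not in_range(resume, 0, 100):
                hits.append("lqc-resume-range")
            elif close.isdigit() and int(resume) < int(close):
                hits.append("lqc-resume-below-close")
        elif tok[:3] == ["ppp", "pap", "local-user"]:
            if tok[4:6] == ["password", "simple"]:
                hits.append("pap-password-simple")
        elif tok == ["ppp", "mp"]:
            modes.add("authenticated")
        elif tok[:3] == ["ppp", "mp", "virtual-template"] and len(tok) == 4:
            modes.add("direct")
            if not in_range(tok[3], 0, 1023):
                hits.append("mp-vt-range")
        elif tok[:3] == ["ppp", "mp", "max-bind"] and len(tok) == 4:
            if not in_range(tok[3], 1, 128):
                hits.append("mp-max-bind-range")
        elif tok[:3] == ["ppp", "mp", "min-fragment"] and len(tok) == 4:
            if not in_range(tok[3], 128, 1500):
                hits.append("mp-min-fragment-range")
    if modes == {"authenticated", "direct"}:
        hits.append("mp-binding-conflict")
    return hits


def audit(text):
    """Return a list of (interface, rule name) findings for the whole dump."""
    return [(name, rule)
            for name, cmds in parse_interfaces(text).items()
            for rule in check_interface(cmds)]


if __name__ == "__main__":
    for name, rule in audit(SAMPLE_CONFIG):
        print(f"{name}: {RULES[rule]}")
```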


3.22.25 ppp timer negotiate

Function
Using the ppp timer negotiate command, you can set the PPP negotiation timeout.
Using the undo ppp timer negotiate command, you can restore the default value.

Format
ppp timer negotiate seconds
undo ppp timer negotiate

Parameters
seconds: specifies the negotiation timeout in seconds. During the PPP negotiation, if the
local end does not receive the response packet of the peer end, PPP will resend the last packet.
The time ranges from 1 to 10 seconds.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the PPP timeout is 3 seconds.

Examples
# Set the PPP negotiation timeout to 5 seconds.
<Eudemon> system-view
[Eudemon] interface Dialer 0
[Eudemon-Dialer0] ppp timer negotiate 5

3.22.26 timer hold

Function
Using the timer hold command, you can set the polling interval of link layer protocol on the
interface.
Using the undo timer hold command, you can restore the default setting.

Format
timer hold seconds
undo timer hold


Parameters
seconds: specifies the polling interval in a range of 0 to 32767 seconds.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the polling interval is 10 seconds.
The polling interval of the devices at the two sides of the link must be set to the same value.
If the polling interval is set to 0, the link detection is disabled.

Examples
# Set the polling interval on Ethernet 0/0/0 to 20 seconds.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] timer hold 20

3.23 PPPoE Configuration Commands


3.23.1 reset pppoe-server session statistic interface
3.23.2 debugging pppoe-client
3.23.3 display pppoe-client session
3.23.4 display pppoe-server session
3.23.5 pppoe-client
3.23.6 pppoe-server bind virtual-template
3.23.7 pppoe-server max-sessions local-mac
3.23.8 pppoe-server max-sessions remote-mac
3.23.9 pppoe-server max-sessions total
3.23.10 reset pppoe-client

3.23.1 reset pppoe-server session statistic interface

Function
Using the reset pppoe-server session statistic interface command, you can clear PPPoE server
session statistics based on interfaces.


Format
reset pppoe-server session statistic interface interface-type interface-number

Parameters
interface-type: interface type.

interface-number: interface number.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Clear PPPoE server session statistics of interface Virtual-Ethernet 0.
<Eudemon> reset pppoe-server session statistic interface Virtual-Ethernet 0

3.23.2 debugging pppoe-client

Function
Using the debugging pppoe-client command, you can enable PPPoE Client debugging.

Format
debugging pppoe-client option [ interface interface-type interface-number ]

Parameters
option: specifies a PPPoE Client debugging switch type as listed in the following table.

Table 3-46 Description of the PPPoE Client debugging switch types

Debugging Switch Type    Description
all                      Enable all PPPoE Client debugging switches.
data                     Enable the PPPoE Session phase data packet debugging switch.
error                    Enable the PPPoE Client error debugging switch.
event                    Enable the PPPoE Client event debugging switch.
packet                   Enable the PPPoE Discovery phase negotiation packet debugging switch.
verbose                  Display the detailed contents of PPPoE data.

interface interface-type interface-number: specifies the type and number of an interface, to
enable the debugging of a specific interface. If no interface is specified, the system will enable
the debugging of all interfaces.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Enable the debugging of negotiation packets in PPPoE discovery phase.
<Eudemon> debugging pppoe-client packet

3.23.3 display pppoe-client session

Function
Using the display pppoe-client session command, you can display the status and statistics of
PPPoE session.

Format
display pppoe-client session { summary | packet } [ dial-bundle-number number ]

Parameters
summary: displays the summary of PPPoE session.
packet: displays the statistics of PPPoE session data packet.
dial-bundle-number number: displays the statistics of the specified PPPoE session. The value
of number is in a range of 1 to 255. If PPPoE session is not specified, the system will display
the statistics of all PPPoE sessions.


Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the summary of PPPoE session.
<Eudemon> display pppoe-client session summary
PPPoE Client Session:
ID Bundle Dialer Intf Client-MAC Server-MAC State
1 1 1 Eth0 00e0fc0254f3 00049a23b050 PPPUP
2 2 3 Eth0 00e0fc0254f3 00049a23b050 PPPUP

Table 3-47 Description of the display pppoe-client session summary command output

Item          Description
ID            Session ID, PPPoE session ID
Bundle        Dialer Bundle containing PPPoE session
Dialer        Corresponding Dialer interface of PPPoE session
Intf          Ethernet interface containing PPPoE session
Client-MAC    MAC address of PPPoE Client
Server-MAC    MAC address of PPPoE Server
State         State of PPPoE session

# Display the statistics of PPPoE session data packet.
<Eudemon> display pppoe-client session packet
ID InP InO InD OutP OutO OutD
1 164 6126 0 83 1069 0
2 304 9886 0 156 2142 0

Table 3-48 Description of the display pppoe-client session packet command output

Item    Description
ID      Session ID, PPPoE session ID
InP     In Packets: number of received packets
InO     In Octets: number of received octets
InD     In Discards: number of received illegal and discarded packets
OutP    Out Packets: number of sent packets
OutO    Out Octets: number of sent octets
OutD    Out Discard: number of sent and discarded illegal packets

3.23.4 display pppoe-server session

Function
Using the display pppoe-server session command, you can view the status and statistics of
PPPoE sessions.

Format
display pppoe-server session { all | packet | statistic interface interface-type interface-number }

Parameters
all: displays all PPPoE sessions.
packet: displays packet statistics of PPPoE sessions.
statistic: displays statistics of PPPoE sessions.
interface interface-type interface-number: displays statistics of PPPoE sessions on specified
interface.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Use the display pppoe-server session all command to display the operating status of PPPoE
system.
<Eudemon> display pppoe-server session all
SID Intf State OIntf RemMAC LocMAC
1 Virtual-Template100:0 UP Ethernet 0/0/0 0050.ba1a.02ce 0001.af02.a40f


The main parameters in the display information are described as follows:

- SID: refers to the session ID.
- Intf: refers to the virtual interface.
- State: refers to the session status.
- OIntf: refers to the Ethernet interface.
- RemMAC (Remote MAC): refers to the peer MAC address.
- LocMAC (Local MAC): refers to the local MAC address.

# Use the display pppoe-server session packet command to display the operating status of
PPPoE system.
<Eudemon> display pppoe-server session packet
SID RemMAC LocMAC InP InO InD OutP OutO OutD
1 0050ba1a02ce 0001af02a40f 42 2980 0 16 343 0

The main parameters in the display information are described as follows:

- SID: refers to the session ID.
- RemMAC (Remote MAC): refers to the peer MAC address.
- LocMAC (Local MAC): refers to the local MAC address.
- InP (In Packets): refers to the number of received packets.
- InO (In Octets): refers to the number of received octets.
- InD (In Discards): refers to the number of received and discarded illegal packets.
- OutP (Out Packets): refers to the number of sent packets.
- OutO (Out Octets): refers to the number of sent octets.
- OutD (Out Discard): refers to the number of sent and discarded illegal packets.

Related Topics
3.22.7 link-protocol ppp
3.23.6 pppoe-server bind virtual-template

3.23.5 pppoe-client

Function
Using the pppoe-client command, you can establish a PPPoE session and specify the Dialer
Bundle corresponding to the session.

Using the undo pppoe-client command, you can delete a PPPoE session.

Format
pppoe-client dial-bundle-number number [ no-hostuniq ] [ idle-timeout seconds
[ queue-length queue-length ] ]

undo pppoe-client dial-bundle-number number


Parameters
dial-bundle-number number: specifies the Dialer Bundle number corresponding to the PPPoE
session. It ranges from 1 to 255. The parameter number can be used to identify a PPPoE session,
or as the number of a PPPoE session.
no-hostuniq: the call originated from the PPPoE Client does not carry the Host-Uniq field. By
default, the no-hostuniq parameter is not set, that is, PPPoE session works in permanent online
mode by default.
idle-timeout seconds: specifies the idle time of PPPoE session in seconds. It ranges from 1 to
65535. If the parameter is not set, PPPoE session will work in permanent online mode.
Otherwise, it will work in packet trigger mode.
queue-length packets: specifies the number of packets cached in the system while the PPPoE
session is not yet established. It ranges from 1 to 100. The parameter takes effect only after
idle-timeout is configured. By default, packets is 10.

Views
Ethernet interface view

Default Level
2: Configuration level

Usage Guidelines
By default, no PPPoE session is configured.
Multiple PPPoE sessions can be configured on one Ethernet interface, that is, one Ethernet
interface can belong to multiple Dialer Bundles at the same time. However, one Dialer Bundle
can contain only one Ethernet interface. PPPoE sessions and Dialer Bundles map one-to-one. If
the Dialer Bundle of a Dialer already contains an Ethernet interface used by PPPoE, no other
interface can be added to this Dialer Bundle. Likewise, if a Dialer Bundle already contains
interfaces other than the PPPoE Ethernet interface, the Ethernet interface used by the PPPoE
Client cannot be added to this Dialer Bundle.
The Eudemon will not initiate a PPPoE call to establish a PPPoE session unless it has data to
transmit. If there is no data transmission on the PPPoE link within the idle time set by seconds,
the Eudemon automatically terminates the PPPoE session. The PPPoE session is re-established
only after there is new data to transmit.

Examples
# Create a PPPoE session on the interface Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] pppoe-client dial-bundle-number 1

Related Topics
3.23.10 reset pppoe-client

3.23.6 pppoe-server bind virtual-template


Function
Using the pppoe-server bind virtual-template command, you can enable PPPoE on the virtual
template interface specified by the Ethernet interface.

Using the undo pppoe-server bind command, you can disable PPPoE protocol on the relevant
interface.

Format
pppoe-server bind virtual-template virtual-template-number

undo pppoe-server bind

Parameters
virtual-template-number: specifies the number of the virtual template interface used for PPPoE
access. The value ranges from 0 to 1023.

Views
Ethernet interface view

Default Level
2: Configuration level

Usage Guidelines
By default, PPPoE protocol is disabled.

Examples
# Enable PPPoE on virtual template interface 1 of interface Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] pppoe-server bind virtual-template 1

Related Topics
3.22.7 link-protocol ppp

3.23.7 pppoe-server max-sessions local-mac

Function
Using the pppoe-server max-sessions local-mac command, you can set the maximum number
of PPPoE sessions that can be established at a local MAC address.

Using the undo pppoe-server max-sessions local-mac command, you can restore the default
setting.


Format
pppoe-server max-sessions local-mac local-mac-number

undo pppoe-server max-sessions local-mac

Parameters
local-mac-number: specifies the maximum number of sessions that can be established at a local
MAC address, which ranges from 1 to 8192.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Set the maximum number of PPPoE sessions that can be established at a local MAC address
to 50.
<Eudemon> system-view
[Eudemon] pppoe-server max-sessions local-mac 50

Related Topics
3.23.8 pppoe-server max-sessions remote-mac
3.23.9 pppoe-server max-sessions total

3.23.8 pppoe-server max-sessions remote-mac

Function
Using the pppoe-server max-sessions remote-mac command, you can set the maximum
number of PPPoE sessions that can be established at a peer MAC address.

Using the undo pppoe-server max-sessions remote-mac command, you can restore the default
setting.

Format
pppoe-server max-sessions remote-mac remote-mac-number

undo pppoe-server max-sessions remote-mac


Parameters
remote-mac-number: specifies the maximum number of PPPoE sessions that can be established
at a peer MAC address in a range of 1 to 8192.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Set the maximum number of PPPoE sessions that can be established at a remote MAC address
to 50.
<Eudemon> system-view
[Eudemon] pppoe-server max-sessions remote-mac 50

Related Topics
3.23.7 pppoe-server max-sessions local-mac
3.23.9 pppoe-server max-sessions total

3.23.9 pppoe-server max-sessions total

Function
Using the pppoe-server max-sessions total command, you can set the maximum number of
PPPoE sessions that the system can establish.
Using the undo pppoe-server max-sessions total command, you can restore the default setting.

Format
pppoe-server max-sessions total total-number
undo pppoe-server max-sessions total

Parameters
total-number: specifies the maximum number of PPPoE sessions that the system can establish.
It ranges from 1 to 65535. By default, the value is 1000.

Views
System view


Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Set the maximum number of PPPoE sessions established by the system to 2000.
<Eudemon> system-view
[Eudemon] pppoe-server max-sessions total 2000

Related Topics
3.23.7 pppoe-server max-sessions local-mac
3.23.8 pppoe-server max-sessions remote-mac

3.23.10 reset pppoe-client

Function
Using the reset pppoe-client command, you can terminate a PPPoE session and re-initiate the
connection later.

Format
reset pppoe-client { all | dial-bundle-number number }

Parameters
all: clears all PPPoE sessions.
dial-bundle-number number: specifies a dialer bundle number in a range of 1 to 255. It is
used to clear the PPPoE session corresponding to the dialer bundle.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
If a PPPoE session in permanent online mode is terminated using the reset pppoe-client
command, the Eudemon automatically re-establishes the PPPoE session in sixteen seconds.
If a PPPoE session in packet trigger mode is terminated using the reset pppoe-client command,
the Eudemon does not re-establish the PPPoE session unless it has data to transmit.

Examples
# Clear all PPPoE sessions, and re-initiate PPPoE session later.
<Eudemon> reset pppoe-client all

Related Topics
3.23.5 pppoe-client

3.24 QoS Configuration Commands


3.24.1 car
3.24.2 classifier behavior
3.24.3 display traffic behavior
3.24.4 display traffic classifier
3.24.5 gts
3.24.6 if-match acl (Traffic Classifier View)
3.24.7 if-match any
3.24.8 if-match classifier
3.24.9 if-match dscp
3.24.10 if-match inbound-interface
3.24.11 if-match ip-precedence
3.24.12 if-match mac
3.24.13 if-match protocol ip
3.24.14 if-match rtp
3.24.15 qos apply policy
3.24.16 qos policy
3.24.17 qos reserved-bandwidth
3.24.18 queue af
3.24.19 queue ef
3.24.20 queue wfq
3.24.21 queue-length
3.24.22 remark dscp
3.24.23 remark fr-de
3.24.24 remark ip-precedence
3.24.25 traffic behavior
3.24.26 traffic classifier
3.24.27 wred
3.24.28 wred dscp
3.24.29 wred ip-precedence
3.24.30 wred weighting-constant

3.24.1 car

Function
Using the car command, you can configure traffic monitoring for a behavior.

Using the undo car command, you can delete the configuration.

Format
car cir committed-information-rate [ cbs committed-burst-size ebs excess-burst-size ] [ green action [ red action ] ]

undo car

Parameters
cir: refers to committed information rate (CIR). It is an integer in a range of 8000 to 1000000000
bit/s.

cbs committed-burst-size: refers to committed burst size (CBS), the number of bits that can be
sent in each interval, in a range of 15000 bits to 155000000 bits. When
committed-information-rate is greater than 30000 bit/s, by default, committed-burst-size is
half of committed-information-rate. When committed-information-rate is smaller than
30000 bit/s, by default, committed-burst-size is 15000 bit/s.

ebs excess-burst-size: refers to excess burst size (EBS) in a range of 0 to 155000000 bits. By
default, it is 0.

green: refers to the action taken on packets when the traffic conforms to the traffic
convention. By default, the action of green is pass.

red: refers to the action taken on packets when the traffic does not conform to the traffic
convention. By default, the action of red is discard.

action: refers to the action taken on the packets, which is one of the following types:

• discard: drops the packet.
• remark-dscp-pass: sets new-dscp, in a range of 0 to 63, and transmits the packet.
• remark-prec-pass: sets new-precedence of IP, in a range of 0 to 7, and transmits the packet.
• remark-mpls-exp-pass: sets the new MPLS EXP, in a range of 0 to 7, and transmits the
  packet.
• pass: transmits the packet.

Views
Traffic behavior view

Default Level
2: Configuration level

Usage Guidelines
The policy can be used in the input or output direction of the interface.
Applying a policy that includes TP policy on an interface makes the previously configured qos
car command ineffective.
If this command is configured repeatedly on classes of the same policy, the latest configuration
overwrites the previous ones.

Examples
# Configure traffic monitoring for a behavior. The normal traffic rate is 38400 bit/s. A burst of
twice the normal traffic can pass initially; afterwards the traffic is transmitted normally as
long as the rate does not exceed 38400 bit/s. When the rate exceeds 38400 bit/s, the precedence
of the packet is set to 0 and the packet is transmitted.
<Eudemon> system-view
[Eudemon] traffic behavior database
[Eudemon-behavior-database] car cir 38400 cbs 76800 ebs 0 green pass red remark-prec-pass 0

Related Topics
3.24.16 qos policy
3.24.25 traffic behavior
3.24.2 classifier behavior

3.24.2 classifier behavior

Function
Using the classifier behavior command, you can specify the behavior for the class in the policy.
Using the undo classifier command, you can remove the application of the class in the policy.

Format
classifier classifier-name behavior behavior-name
undo classifier classifier-name

Parameters
classifier-name: It must be the name of the defined class, the system-defined or user-defined
class.

behavior-name: It must be the name of the defined behavior, the system-defined or user-defined
behavior.

Views
QoS policy view

Default Level
2: Configuration level

Usage Guidelines
Each class in the policy can only be associated with one behavior.

The undo command is not used for the default class.

Examples
# Specify the behavior test for the class database in the policy policy1.
<Eudemon> system-view
[Eudemon] qos policy policy1
[Eudemon-qospolicy-policy1] classifier database behavior test

Related Topics
3.24.16 qos policy

3.24.3 display traffic behavior

Function
Using the display traffic behavior command, you can display the configuration of the specified
behaviors on the firewall.

Format
display traffic behavior { system-defined | user-defined } [ behavior-name ]

Parameters
system-defined: refers to the policy pre-defined by the system.

user-defined: refers to the policy pre-defined by the user.

behavior-name: specifies the behavior name. If it is not specified, the configuration of all the
behaviors pre-defined by the system or by the user will be displayed.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The output of the display traffic behavior command is as follows:

• Traffic behavior name
• AF information
• Traffic shaping behavior
• Marking behavior
• Traffic policing behavior
• EF information

Examples
# Display the user-defined behavior on the Eudemon.
<Eudemon> display traffic behavior user-defined
User Defined Behavior Information:
Behavior: test
Assured Forwarding:
Bandwidth 30 (Kbps)
Discard Method: Tail
Queue Length : 64 (Packets)
General Traffic Shape:
CIR 30000 (bps), CBS 15000 (bit), EBS 0 (bit)
Queue length 50 (Packets)
Marking:
Remark MPLS EXP 3

Behavior: database
Marking:
Remark IP Precedence 3
Committed Access Rate:
CIR 20000 (bps), CBS 15000 (bit), EBS 0 (bit)
Conform Action: pass
Exceed Action: discard
Expedited Forwarding:
Bandwidth 50 (Kbps) CBS 1500 (Bytes)

Table 3-49 lists the description of the display traffic behavior command output.

Table 3-49 Description of the display traffic behavior command output

Item                                  Description
User Defined Classifier Information   Behaviors defined by users
Behavior                              Name of the behavior
Assured Forwarding                    Details about AF
General Traffic Shape                 Detailed behaviors about traffic shaping
Marking                               Marking behaviors
Committed Access Rate                 Detailed behaviors about traffic policing
Expedited Forwarding                  Details about EF

Related Topics
3.24.25 traffic behavior

3.24.4 display traffic classifier

Function
Using the display traffic classifier command, you can view the class configured on the
Eudemon.

Format
display traffic classifier { system-defined | user-defined } [ classifier-name ]

Parameters
system-defined: refers to the class pre-defined by the system.
user-defined: refers to the class pre-defined by the user.
classifier-name: specifies the class name. The name is a string of 1 to 31 characters. If it is not
specified, all classes pre-defined by the system or by the user will be displayed.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The output of the display traffic classifier command is as follows:
• Traffic class name
• Relationship of the matching rule of each class
• Matching rules

Examples
# Display the user-defined class configured on the Eudemon.
<Eudemon> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: test
Operator: AND
Rule(s) : if-match ip-precedence 5
Classifier: database
Operator: AND
Rule(s) : if-match acl 3131
if-match inbound-interface Ethernet 1/0/0

Table 3-50 lists the description of the display traffic classifier command output.

Table 3-50 Description of the display traffic classifier command output

Item                                  Description
User Defined Classifier Information   Traffic classification defined by users
Classifier                            Name of traffic classification
Operator                              Relationship between matching rules of the traffic classes
Rule(s)                               Matching rules

Related Topics
3.24.26 traffic classifier

3.24.5 gts

Function
Using the gts command, you can configure traffic shaping for a behavior.

Using the undo gts command, you can delete traffic shaping for a behavior.

Format
gts cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size [ queue-length queue-length ] ] ]

undo gts

Parameters
cir committed-information-rate: refers to committed information rate (CIR). It is an integer in
a range of 8000 to 1000000000 bit/s.

cbs committed-burst-size: refers to burst size in a range of 15000 to 155000000 bits. When
committed-information-rate is greater than 30000 bit/s, by default, committed-burst-size is
half of committed-information-rate. When cir is smaller than 30000 bit/s, by default,
committed-burst-size is 15000 bit/s.

ebs excess-burst-size: refers to excess burst size (EBS) in a range of 0 to 155000000 bits. By
default, the value is 0.
queue-length queue-length: refers to the maximum length of a queue in a range of 1 to 1024.
By default, the value is 50.

Views
Traffic behavior view

Default Level
2: Configuration level

Usage Guidelines
A policy in which shape is used can only be applied in the output direction of the interface.
Applying a policy that includes shape policy on an interface makes the previously configured
qos gts command ineffective.
If this command is configured repeatedly on the class of the same policy, the last configuration
overwrites the previous ones.

Examples
# Configure GTS for a behavior. The normal traffic is 38400 bit/s. Burst traffic twice of the
normal traffic can pass initially and later the traffic is transmitted normally when the rate is less
than or equal to 38400 bit/s. When the rate exceeds 38400 bit/s, the traffic will enter the queue
buffer and the buffer queue length is 100.
<Eudemon> system-view
[Eudemon] traffic behavior database
[Eudemon-behavior-database] gts cir 38400 cbs 76800 ebs 0 queue-length 100
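
The difference between policing (car) and shaping (gts) on the parameters used in the examples of
both commands, as an added illustration that is not part of the Huawei manual. It is a generic
single-rate token bucket in Python, not the Eudemon implementation; the bucket starting full,
EBS being 0 and the constructed packet trace are assumptions.

```python
SCALE = 1000  # tokens are kept in millibits so that refills at bit/s over ms stay integral


class TokenBucket:
    """Generic single-rate bucket (assumed model): fills at CIR, holds at most CBS bits."""

    def __init__(self, cir, cbs):
        self.cir = cir                # bit/s, which equals millibits per millisecond
        self.cap = cbs * SCALE
        self.tokens = self.cap        # assumption: starts full, so a CBS-sized burst conforms
        self.now = 0                  # ms

    def advance(self, t_ms):
        if t_ms > self.now:
            self.tokens = min(self.cap, self.tokens + self.cir * (t_ms - self.now))
            self.now = t_ms

    def take(self, bits):
        cost = bits * SCALE
        if self.tokens < cost:
            return False
        self.tokens -= cost
        return True

    def wait_ms(self, bits):
        deficit = bits * SCALE - self.tokens
        return 0 if deficit <= 0 else -(-deficit // self.cir)   # ceiling division


def car(packets, cir, cbs, green="pass", red="discard"):
    """Policing: a packet without enough tokens gets the red action at once, no queueing."""
    bucket = TokenBucket(cir, cbs)
    actions = []
    for t_ms, bits in packets:
        bucket.advance(t_ms)
        actions.append(green if bucket.take(bits) else red)
    return actions


def gts(packets, cir, cbs, queue_length=50):
    """Shaping: excess packets wait in a FIFO; returns departure times in ms (None = dropped)."""
    bucket = TokenBucket(cir, cbs)
    departures, queued, last = [], [], 0
    for t_ms, bits in packets:
        queued = [d for d in queued if d > t_ms]        # packets still waiting at arrival
        if len(queued) >= queue_length or bits > cbs:   # queue full, or can never conform
            departures.append(None)
            continue
        start = max(t_ms, last)                         # FIFO: never overtake the previous packet
        bucket.advance(start)
        depart = start + bucket.wait_ms(bits)
        bucket.advance(depart)
        bucket.take(bits)
        last = depart
        if depart > t_ms:
            queued.append(depart)
        departures.append(depart)
    return departures


# Constructed trace: twelve 9600-bit packets arriving together at t=0, one more at t=1000 ms.
TRACE = [(0, 9600)] * 12 + [(1000, 9600)]

if __name__ == "__main__":
    print(car(TRACE, cir=38400, cbs=76800, red="remark-prec-pass 0"))
    print(gts(TRACE, cir=38400, cbs=76800, queue_length=100))
```

With the same trace, car marks the four packets beyond the burst immediately, while gts delays
them by 250 ms each and only drops when the queue is full.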

Related Topics
3.24.16 qos policy
3.24.25 traffic behavior
3.24.2 classifier behavior

3.24.6 if-match acl (Traffic Classifier View)

Function
Using the if-match acl command, you can define an ACL match rule.
Using the undo if-match acl command, you can delete an ACL match rule.

Format
if-match [ not ] acl acl-number
undo if-match [ not ] acl acl-number

Parameters
not: does not match this class.
acl-number: specifies an ACL number in a range of 2000 to 3999. Where:
• The ACL numbered from 2000 to 2999 is the basic ACL.
• The ACL numbered from 3000 to 3999 is the advanced ACL.

Views
Traffic classifier view

Default Level
2: Configuration level

Usage Guidelines
Define ACLs before configuring traffic classification rules based on ACLs.

Examples
# Define a class to match ACL 3101.
<Eudemon> system-view
[Eudemon] traffic classifier class1
[Eudemon-classifier-class1] if-match acl 3101

Related Topics
3.24.26 traffic classifier

3.24.7 if-match any

Function
Using the if-match any command, you can define the rule matching all packets.
Using the undo if-match any command, you can delete the rule matching all packets.

Format
if-match [ not ] any
undo if-match [ not ] any

Parameters
not: does not match this type.

Views
Traffic classifier view

Default Level
2: Configuration level

Usage Guidelines
When the action defined in the traffic policy is applied to all the traffic passing the interface
rather than only one class of traffic, you must configure rules for matching all the data packets.

Examples
# Define the rule matching all packets.
<Eudemon> system-view
[Eudemon] traffic classifier class1
[Eudemon-classifier-class1] if-match any

Related Topics
3.24.26 traffic classifier

3.24.8 if-match classifier

Function
Using the if-match classifier command, you can define a class-map match rule.
Using the undo if-match classifier command, you can delete the class-map match rule.

Format
if-match [ not ] classifier classifier-name
undo if-match [ not ] classifier classifier-name

Parameters
not: does not match this type.
classifier-name: specifies the class name. It is a case-sensitive string of 1 to 31 characters without
blank space.

Views
Traffic classifier view

Default Level
2: Configuration level

Usage Guidelines
This configuration method is the only one to match the traffic with both the match-all and match-
any features.

For example, class A needs to match: rule1 & rule2 | rule3

traffic classifier classB operator and
if-match rule1
if-match rule2
traffic classifier classA operator or
if-match rule3
if-match classifier classB

Examples
# The match rule of class2 uses class1. Therefore, class1 is configured first.
The match rule of class1 is ACL 101 and the IP precedence is 5.
<Eudemon> system-view
[Eudemon] traffic classifier class1
[Eudemon-classifier-class1] if-match ip-precedence 5
[Eudemon-classifier-class1] quit

# Define class2, whose match rules are class1 and the destination MAC address
0050-BA27-BED3.
[Eudemon] traffic classifier class2
[Eudemon-classifier-class2] if-match classifier class1
[Eudemon-classifier-class2] if-match destination-address mac 0050-BA27-BED3

Related Topics
3.24.26 traffic classifier

3.24.9 if-match dscp

Function
Using the if-match dscp command, you can define an IP DSCP match rule.

Using the undo if-match dscp command, you can delete an IP DSCP match rule.

Format
if-match [ not ] dscp dscp-value &<1-8>

undo if-match [ not ] dscp dscp-value &<1-8>

Parameters
not: does not match this type.

dscp-value: specifies the DSCP value in a range of 0 to 63; or it can be af11, af12, af13, af21,
af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, or ef.

Views
Traffic classifier view

Default Level
2: Configuration level

Usage Guidelines
More than one such command can be configured under a class. They do not overwrite one another.

When each command is configured, the dscp-values are sorted automatically in ascending
order. The command can be deleted only when the specified DSCP values are identical to
those in the rule (the sequence may be different).

A maximum of eight DSCP values can be set. If multiple DSCPs of the same value are specified,
the system regards them as one by default. Different DSCP values are in OR relation.

Examples
# Define the match rule of class1 as matching the packets with the DSCP value as 1, 6, or 9.
<Eudemon> system-view
[Eudemon] traffic classifier class1
[Eudemon-classifier-class1] if-match dscp 1 6 9

Related Topics
3.24.26 traffic classifier

3.24.10 if-match inbound-interface

Function
Using the if-match inbound-interface command, you can define the input interface match rule of
a class.

Using the undo if-match inbound-interface command, you can delete the input interface match
rule of a class.

Format
if-match [ not ] inbound-interface interface-type interface-number

undo if-match [ not ] inbound-interface interface-type interface-number

Parameters
not: does not match this class.

interface-type: specifies the type of an interface.

interface-number: specifies the number of an interface.

Views
Traffic classifier view

Default Level
2: Configuration level

Usage Guidelines
The interface should exist before this command is used. If the interface is a dynamic interface,
matching rules should be deleted once the interface is deleted.
Supported interface types include:
• ATM
• Ethernet
• Serial
• Tunnel
• POS
• VT

Examples
# Define that the class matches the packets entering from Ethernet 1/0/0.
<Eudemon> system-view
[Eudemon] traffic classifier class1
[Eudemon-classifier-class1] if-match inbound-interface Ethernet 1/0/0

Related Topics
3.24.26 traffic classifier

3.24.11 if-match ip-precedence

Function
Using the if-match ip-precedence command, you can define an IP precedence match rule.
Using the undo if-match ip-precedence command, you can delete an IP precedence match rule.

Format
if-match [ not ] ip-precedence ip-precedence-value &<1-8>
undo if-match [ not ] ip-precedence

Parameters
not: does not match this class.
ip-precedence-value: refers to precedence value in a range of 0 to 7.

Views
Traffic classifier view

Default Level
2: Configuration level

Usage Guidelines
When the command is configured, the ip-precedence-values are sorted automatically in
ascending order.

Multiple precedence values can be specified and the maximum number is 8. If the same
precedence value is specified more than once, the system regards them as one. The relation
between different precedence values is "OR".

During the configuration, IP precedence values should be configured with the same command.
Otherwise, the latest configuration supersedes the previous ones.

Examples
# Define the match rule of class1 as matching the packets with the precedence value as 1 or 6.
<Eudemon> system-view
[Eudemon] traffic classifier class1
[Eudemon-classifier-class1] if-match ip-precedence 1 6

Related Topics
3.24.26 traffic classifier

3.24.12 if-match mac

Function
Using the if-match { destination-mac | source-mac } command, you can define the matching rule
of the destination or source MAC address.

Using the undo if-match { destination-mac | source-mac } command, you can delete the
matching rule of the destination or source MAC address.

Format
if-match [ not ] { destination-mac | source-mac } mac-address

undo if-match [ not ] { destination-mac | source-mac } mac-address

Parameters
not: does not match this class.

mac-address: specifies the MAC address in the format of H-H-H.

Views
Traffic classifier view

Default Level
2: Configuration level

Usage Guidelines
The matching rules of the destination MAC address are only meaningful for the policies on the
outbound interface. They can be configured only on the Ethernet interface.

The matching rules of the source MAC address are meaningful only for the policies on the
inbound interface. They can be configured only on the Ethernet interface.

Examples
# Define the matching rule of class1: Packets with the destination MAC address as
0050-ba27-bed3 are matched.
<Eudemon> system-view
[Eudemon] traffic classifier class1
[Eudemon-classifier-class1] if-match destination-mac 0050-ba27-bed3

# Define the matching rule of class2: Packets with the source MAC address as 0050-ba27-bed2
are matched.
<Eudemon> system-view
[Eudemon] traffic classifier class2
[Eudemon-classifier-class2] if-match source-mac 0050-ba27-bed2

Related Topics
3.24.26 traffic classifier

3.24.13 if-match protocol ip

Function
Using the if-match protocol command, you can define a protocol match rule.

Using the undo if-match protocol command, you can delete a protocol match rule.

Format
if-match [ not ] protocol ip

undo if-match [ not ] protocol ip

Parameters
not: does not match this class.

Views
Traffic classifier view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Define a class whose match protocol is IP.
<Eudemon> system-view
[Eudemon] traffic classifier class1
[Eudemon-classifier-class1] if-match protocol ip

Related Topics
3.24.26 traffic classifier

3.24.14 if-match rtp

Function
Using the if-match rtp command, you can define the port match rule of RTP.
Using the undo if-match rtp command, you can delete the port match rule of RTP.

Format
if-match [ not ] rtp start-port min-rtp-port-number end-port max-rtp-port-number
undo if-match [ not ] rtp start-port min-rtp-port-number end-port max-rtp-port-number

Parameters
not: does not match this class.
min-rtp-port-number: specifies the minimum UDP destination port number. It is an integer in a
range of 2000 to 65535.
max-rtp-port-number: specifies the maximum UDP destination port number. It is an integer in
a range of 2000 to 65535.

Views
Traffic classifier view

Default Level
2: Configuration level

Usage Guidelines
This command matches RTP packets in the specified RTP port range, that is, packets with even
UDP port numbers between min-rtp-port-number and max-rtp-port-number.
If this command is used repeatedly under a class, the latest configuration overwrites the
previous ones.

Examples
# Define the match rule of class1 as matching the packets whose RTP port number is the even
UDP port number between 16384 and 32767.
<Eudemon> system-view
[Eudemon] traffic classifier class1
[Eudemon-classifier-class1] if-match rtp start-port 16384 end-port 32767

Related Topics
3.24.26 traffic classifier
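
How the if-match rules above combine, including the nested "rule1 & rule2 | rule3" case from
3.24.8, the OR relation between DSCP or precedence values and the even-port rule of if-match rtp,
shown as an added Python model that is not part of the Huawei manual or the Eudemon code. The
packet dictionaries, the helper names and the treatment of an empty class are assumptions.

```python
from collections import namedtuple

# kind: any, ip-precedence, dscp, inbound-interface, rtp or classifier; negate is the "not" keyword
Rule = namedtuple("Rule", "kind value negate", defaults=(None, False))
# operator is the relation between the rules of the class: "and" or "or"
Classifier = namedtuple("Classifier", "operator rules")


def dscp_rule(*values, negate=False):
    """if-match dscp (numeric values only): duplicates count once, stored in ascending order."""
    unique = tuple(sorted(set(values)))
    if not 1 <= len(unique) <= 8 or not all(0 <= v <= 63 for v in unique):
        raise ValueError("dscp takes 1 to 8 values in the range 0 to 63")
    return Rule("dscp", unique, negate)


def rtp_rule(start_port, end_port, negate=False):
    """if-match rtp: even UDP destination ports between start-port and end-port."""
    if not 2000 <= start_port <= end_port <= 65535:
        raise ValueError("rtp ports must satisfy 2000 <= start-port <= end-port <= 65535")
    return Rule("rtp", (start_port, end_port), negate)


def rule_matches(rule, pkt, classes, seen):
    if rule.kind == "any":
        hit = True
    elif rule.kind in ("ip-precedence", "dscp"):
        hit = pkt.get(rule.kind) in rule.value          # several values are in OR relation
    elif rule.kind == "inbound-interface":
        hit = pkt.get("inbound-interface") == rule.value
    elif rule.kind == "rtp":
        port = pkt.get("udp-dport")
        hit = port is not None and rule.value[0] <= port <= rule.value[1] and port % 2 == 0
    elif rule.kind == "classifier":
        hit = classify(rule.value, pkt, classes, seen)  # nested class
    else:
        raise ValueError(f"unsupported rule kind: {rule.kind}")
    return hit != rule.negate


def classify(name, pkt, classes, seen=frozenset()):
    """True if pkt belongs to the named class; nested classes are evaluated recursively."""
    if name in seen:
        raise ValueError(f"classifier {name} references itself")
    cls = classes[name]
    if not cls.rules:
        return False        # assumption: a class without rules matches nothing
    results = (rule_matches(r, pkt, classes, seen | {name}) for r in cls.rules)
    return all(results) if cls.operator == "and" else any(results)


# rule1 & rule2 | rule3 from 3.24.8, with constructed rules filled in:
# rule1 = ip-precedence 5, rule2 = inbound-interface Ethernet 1/0/0, rule3 = rtp 16384 to 32767.
CLASSES = {
    "classB": Classifier("and", [Rule("ip-precedence", (5,)),
                                 Rule("inbound-interface", "Ethernet 1/0/0")]),
    "classA": Classifier("or", [rtp_rule(16384, 32767), Rule("classifier", "classB")]),
}

# Constructed packets, described only by the fields the rules look at.
PACKETS = [
    {"ip-precedence": 5, "inbound-interface": "Ethernet 1/0/0"},   # rule1 & rule2
    {"ip-precedence": 5, "inbound-interface": "Ethernet 2/0/0"},   # rule1 only
    {"ip-precedence": 0, "udp-dport": 16386},                      # rule3: even port in range
    {"ip-precedence": 0, "udp-dport": 16387},                      # odd port, no match
]


def demo():
    return [classify("classA", pkt, CLASSES) for pkt in PACKETS]


if __name__ == "__main__":
    print(demo())
```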

3.24.15 qos apply policy

Function
Using the qos apply policy command, you can apply the associated policy on the interface.
Using the undo qos apply policy command, you can delete the associated policy.

Format
qos apply policy policy-name { inbound | outbound }
undo qos apply policy { inbound | outbound }

Parameters
policy-name: specifies the name of a policy. It is a case-sensitive string of 1 to 31 characters
without blank space.
inbound: refers to the inbound direction.
outbound: refers to the outbound direction.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
A policy cannot be applied on the interface if the sum of bandwidths specified for AF and EF
for the classes in the policy exceeds the available bandwidth of the interface. If the available
bandwidth on the interface is modified, but the sum of bandwidths specified for AF and EF
still exceeds the available bandwidth on the interface, the policy will be deleted. The queue af,
queue ef, queue wfq and GTS configurations are not allowed for the inbound policy and the
behavior associated with the class.
The application of the policy in the interface view is described as follows:
• The VT introduced by common physical interface and MP can be applied with the policy
  configured with various features, including remark, car, gts, queue af, queue ef, queue
  wfq and wred.
• The policy configured with traffic shaping feature (such as gts) and queue features (such
  as queue ef, queue af and queue wfq) cannot be applied on the inbound interface as an
  inbound policy.
• The outbound policy can be applied on the ATM PVC only when it is configured with
  queue features (such as queue ef, queue af and queue wfq).
• The sub-interface does not support queue feature but supports traffic shaping (gts) and
  traffic policing (car). Therefore, only the policy configured with traffic shaping and traffic
  policing can be applied on the sub-interface.

Examples
# Apply the policy default on the outbound Ethernet 1/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 1/0/0
[Eudemon-Ethernet1/0/0] qos apply policy default outbound

3.24.16 qos policy

Function
Using the qos policy command, you can define a policy and enter policy view.
Using the undo qos policy command, you can delete a policy.

Format
qos policy policy-name
undo qos policy policy-name

Parameters
policy-name: specifies the name of a policy. It is a case-sensitive string of 1 to 31 characters
without blank space.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
The policy cannot be deleted if it is applied on an interface. It is necessary to remove the policy
on the current interface before deleting it.
policy-name should not be that of the policies defined by the system.

Examples
# Define a policy named as test.
<Eudemon> system-view
[Eudemon] qos policy test
[Eudemon-qospolicy-test]

Related Topics
3.24.2 classifier behavior

3.24.17 qos reserved-bandwidth

Function
Using the qos reserved-bandwidth command, you can set the maximum percentage of the
reserved bandwidth to the available bandwidth.
Using the undo qos reserved-bandwidth command, you can restore the default value.

Format
qos reserved-bandwidth pct percent
undo qos reserved-bandwidth

Parameters
percent: specifies percentage of the reserved bandwidth to the available bandwidth. The value
ranges from 1 to 100.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the maximum percentage of the reserved bandwidth to the available bandwidth is
80.
Because control packets and layer 2 frame headers will take up some bandwidth, the reserved
bandwidth shall be less than or equal to 80% of the available bandwidth.
Do not change the value of the reserved bandwidth at will.

In QoS application of the Eudemon, the send queues on each interface include RTP queues
and CBWFQ queues. The bandwidth of these queues is configurable. Moreover, the total
bandwidth of queues on each interface must be less than the maximum reserved bandwidth.

When the network is stable, if the proportion of the maximum reserved bandwidth to the
available bandwidth is reduced, the maximum reserved bandwidth is reduced too.
Thus, the bandwidth of some queues may be greater than the configured maximum reserved
bandwidth and consequently, these queues become unavailable. Therefore, when you intend to
reduce the proportion of the maximum reserved bandwidth, the Eudemon will alert "It may cause
some queues are unavailable". When this configuration affects a certain queue, the Eudemon
will alert further based on the actual situation.

Examples
# Set 85% of the available bandwidth as the reserved bandwidth for Ethernet 1/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 1/0/0
[Eudemon-Ethernet1/0/0] qos reserved-bandwidth pct 85

3.24.18 queue af

Function
Using the queue af command, you can configure Assured Forwarding and the minimum
available bandwidth for a class.

Using the undo queue af command, you can cancel the configuration.

Format
queue af bandwidth { bandwidth-value | pct percentage }

undo queue af

Parameters
bandwidth-value: specifies the bandwidth, in kbit/s. The value ranges from 8 to 1000000.

percentage: refers to the percentage of the available bandwidth in a range of 1 to 100.

Views
Traffic behavior view

Default Level
2: Configuration level

Usage Guidelines
When a class is associated in the policy with the behavior that queue af belongs to, the
following must be satisfied.

• The sum of the bandwidth specified for the classes in the same policy for assured forwarding
  (queue af) and expedited forwarding (queue ef) must be less than or equal to the available
  bandwidth of the interface where the policy is applied.
• The sum of percentages of the bandwidth specified for the classes in the same policy for
  assured forwarding (queue af) and expedited forwarding (queue ef) must be less than or
  equal to 100.
• The bandwidth configuration for the classes in the same policy for assured forwarding (queue
  af) and expedited forwarding (queue ef) must adopt the value of the same type. For example,
  they all adopt the absolute value form or the percentage form.

Examples
# Configure traffic behavior named database and set the minimum bandwidth of the behavior
to 200kbit/s.
<Eudemon> system-view
[Eudemon] traffic behavior database
[Eudemon-behavior-database] queue af bandwidth 200

Related Topics
3.24.16 qos policy
3.24.25 traffic behavior
3.24.2 classifier behavior

3.24.19 queue ef

Function
Using the queue ef command, you can configure expedited forwarding so that packets enter the
absolute priority queue, and set the maximum bandwidth.

Using the undo queue ef command, you can cancel the configuration.

Format
queue ef bandwidth { bandwidth-value [ cbs burst ] | pct percentage }

undo queue ef

Parameters
bandwidth-value: specifies the bandwidth, in kbit/s. It is an integer in a range of 8 to 1000000.

percentage: refers to percentage of available bandwidth in a range of 1 to 100.

burst: specifies the allowed burst size in a range of 32 to 2000000 bytes. By default, burst is
bandwidth-value*25.

Views
Traffic behavior view

Default Level
2: Configuration level

Usage Guidelines
The command cannot be used together with queue af, queue-length and wred in the behavior
view.

In a policy, the default class default-class cannot be associated with the behavior that contains
queue ef.

When a class is associated in a policy with the behavior that contains queue af, the following
conditions must be satisfied:

- The sum of the bandwidth specified for the classes in the same policy for assured forwarding
(queue af) and expedited forwarding (queue ef) must be less than or equal to the available
bandwidth of the interface where the policy is applied.
- The sum of the bandwidth percentages specified for the classes in the same policy for
assured forwarding (queue af) and expedited forwarding (queue ef) must be less than or
equal to 100.
- The bandwidth configuration for the classes in the same policy for assured forwarding (queue
af) and expedited forwarding (queue ef) must use values of the same type. For example,
they all use the absolute value form or the percentage form.

Examples
# Configure packets to enter the priority queue, with the maximum bandwidth set to 200 kbit/s
and the burst size set to 5000 bytes.
<Eudemon> system-view
[Eudemon] traffic behavior database
[Eudemon-behavior-database] queue ef bandwidth 200 cbs 5000

Related Topics
3.24.16 qos policy
3.24.25 traffic behavior
3.24.2 classifier behavior

3.24.20 queue wfq

Function
Using the queue wfq command, you can configure the default-class to use fair queue.

Using the undo queue wfq command, you can delete the configuration.

Format
queue wfq [ queue-number total-queue-number ]

undo queue wfq

Parameters
total-queue-number: specifies the number of fair queues, which can be 16, 32, 64, 128, 256, 512,
1024, 2048 or 4096. The default value is 64.

Views
Traffic behavior view

Default Level
2: Configuration level

Usage Guidelines
The behavior configured with the command can only be associated with the default class. It can
also be used together with commands like queue-length or wred.

Examples
# Configure WFQ for default-class and the queue number is 16.
<Eudemon> system-view
[Eudemon] traffic behavior test
[Eudemon-behavior-test] queue wfq queue-number 16
[Eudemon-behavior-test] quit
[Eudemon] qos policy huawei
[Eudemon-qospolicy-huawei] classifier default-class behavior test

Related Topics
3.24.16 qos policy
3.24.25 traffic behavior
3.24.2 classifier behavior

3.24.21 queue-length

Function
Using the queue-length command, you can set the maximum queue length.

Using the undo queue-length command, you can delete the setting.

Format
queue-length queue-length

undo queue-length

Parameters
queue-length: refers to the maximum threshold value of the queue in a range of 1 to 512.

Views
Traffic behavior view

Default Level
2: Configuration level

Usage Guidelines
This command can be used only after the queue af or queue wfq command has been configured.

The queue-length, which has been set, will be deleted when the undo queue af or undo queue
wfq command is executed.

The queue-length, which has been set, will be deleted when the random drop mode is set via
the wred command, and vice versa.

The default drop mode is tail drop and the queue length is 64.

Examples
# Set tail drop and the maximum queue length as 16.
<Eudemon> system-view
[Eudemon] traffic behavior database
[Eudemon-behavior-database] queue af bandwidth 200
[Eudemon-behavior-database] queue-length 16

Related Topics
3.24.16 qos policy
3.24.25 traffic behavior
3.24.2 classifier behavior
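
The Usage Guidelines of queue af, queue ef, queue wfq and queue-length can be checked mechanically before a configuration is pushed to the device. The following Python lint is an added example, not part of the Huawei manual: the input format (command lines without prompts), the function names and the available_kbps parameter are assumptions, and the sample configuration is constructed.

```python
def parse(config):
    """Split configuration text into {behavior: commands} and {policy: pairs}.

    The input is assumed to be syntactically valid command lines without prompts."""
    behaviors, policies, kind, current = {}, {}, None, None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[:2] == ["traffic", "behavior"]:
            kind, current = "behavior", behaviors.setdefault(words[2], [])
        elif words[:2] == ["qos", "policy"]:
            kind, current = "policy", policies.setdefault(words[2], [])
        elif kind == "policy" and words[0] == "classifier":
            current.append((words[1], words[3]))  # (class name, behavior name)
        elif kind == "behavior":
            current.append(words)
    return behaviors, policies


def has(cmds, *prefix):
    """True if any command of the behavior starts with the given keywords."""
    return any(w[:len(prefix)] == list(prefix) for w in cmds)


def queue_spec(cmds):
    """Return (unit, value) of the behavior's queue af/ef bandwidth, or None."""
    for w in cmds:
        if w[0] == "queue" and w[1] in ("af", "ef") and w[2] == "bandwidth":
            return ("pct", int(w[4])) if w[3] == "pct" else ("kbit/s", int(w[3]))
    return None


def lint_behavior(name, cmds):
    """Check the rules that hold inside one traffic behavior."""
    findings = []
    if has(cmds, "queue", "ef"):
        for other in ("queue af", "queue-length", "wred"):
            if has(cmds, *other.split()):
                findings.append(f"{name}: queue ef cannot be used with {other}")
    if has(cmds, "queue-length") and has(cmds, "wred"):
        findings.append(f"{name}: queue-length and wred delete each other")
    if has(cmds, "queue-length") and not (
            has(cmds, "queue", "af") or has(cmds, "queue", "wfq")):
        findings.append(f"{name}: queue-length needs queue af or queue wfq")
    return findings


def lint_policy(name, pairs, behaviors, available_kbps):
    """Check the rules that hold across the classes of one QoS policy."""
    findings, units, total = [], set(), 0
    for cls, bname in pairs:
        cmds = behaviors.get(bname, [])
        if cls == "default-class" and has(cmds, "queue", "ef"):
            findings.append(f"{name}: default-class cannot use queue ef ({bname})")
        if cls != "default-class" and has(cmds, "queue", "wfq"):
            findings.append(f"{name}: queue wfq ({bname}) is for default-class only")
        spec = queue_spec(cmds)
        if spec:
            units.add(spec[0])
            total += spec[1]
    if len(units) > 1:
        findings.append(f"{name}: queue af/ef mix absolute and percentage values")
    elif units == {"pct"} and total > 100:
        findings.append(f"{name}: queue af/ef percentages total {total} > 100")
    elif units == {"kbit/s"} and total > available_kbps:
        findings.append(f"{name}: queue af/ef total {total} kbit/s > {available_kbps}")
    return findings


def lint(config, available_kbps):
    """Return every finding for the configuration text."""
    behaviors, policies = parse(config)
    findings = []
    for name, cmds in behaviors.items():
        findings += lint_behavior(name, cmds)
    for name, pairs in policies.items():
        findings += lint_policy(name, pairs, behaviors, available_kbps)
    return findings


# Constructed sample with three deliberate mistakes.
SAMPLE = """
traffic behavior voice
 queue ef bandwidth 300 cbs 7500
 wred ip-precedence
traffic behavior database
 queue af bandwidth 200
 queue-length 16
traffic behavior bulk
 queue af bandwidth pct 30
traffic behavior fair
 queue wfq queue-number 16
qos policy huawei
 classifier voice-class behavior voice
 classifier db-class behavior database
 classifier bulk-class behavior bulk
 classifier web-class behavior fair
"""
```

Calling lint(SAMPLE, available_kbps=1000) reports the queue ef behavior that also enables wred, the queue wfq behavior bound to a class other than default-class, and the policy that mixes absolute and percentage bandwidth.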

3.24.22 remark dscp

Function
Using the remark dscp command, you can remark the DSCP value of a labeled packet.

Using the undo remark dscp command, you can cancel the DSCP value of the labeled packet.

Format
remark dscp dscp-value

undo remark dscp

Parameters
dscp-value: refers to preset DSCP value in a range of 0 to 63, which can be any of the following
keys: default, ef, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1,
cs2, cs3, cs4, cs5, cs6 or cs7.

Views
Traffic behavior view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Set DSCP value to 6 to identify packets.
<Eudemon> system-view
[Eudemon] traffic behavior database
[Eudemon-behavior-database] remark dscp 6

Related Topics
3.24.16 qos policy
3.24.25 traffic behavior
3.24.2 classifier behavior

3.24.23 remark fr-de

Function
Using the remark fr-de command, you can set the value of the DE flag bit in the FR packet.

Using the undo remark fr-de command, you can remove the value of the DE flag bit in the FR
packet.

Format
remark fr-de fr-de-value

undo remark fr-de

Parameters
fr-de-value: refers to the value of the DE flag bit in the FR packet in a range of 0 to 1.

Views
Traffic behavior view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Set the value of the DE flag bit in the FR packet as 1.
<Eudemon> system-view
[Eudemon] traffic behavior database
[Eudemon-behavior-database] remark fr-de 1

Related Topics
3.24.16 qos policy
3.24.25 traffic behavior
3.24.2 classifier behavior

3.24.24 remark ip-precedence

Function
Using the remark ip-precedence command, you can set precedence value to identify matched
packets.

Using the undo remark ip-precedence command, you can delete precedence value.

Format
remark ip-precedence ip-precedence-value

undo remark ip-precedence

Parameters
ip-precedence-value: refers to preset precedence value in the range of 0 to 7.

Views
Traffic behavior view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Set precedence value to 6 to identify packets.
<Eudemon> system-view
[Eudemon] traffic behavior database
[Eudemon-behavior-database] remark ip-precedence 6

Related Topics
3.24.16 qos policy
3.24.25 traffic behavior
3.24.2 classifier behavior

3.24.25 traffic behavior

Function
Using the traffic behavior command, you can define a traffic behavior and enter behavior view.
Using the undo traffic behavior command, you can delete a traffic behavior.

Format
traffic behavior behavior-name
undo traffic behavior behavior-name

Parameters
behavior-name: refers to the behavior name. It is a case-sensitive string of 1 to 31 characters
without blank space.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
behavior-name shall not be that of the traffic behavior pre-defined by the system.

Examples
# Define a traffic behavior named behavior1.
<Eudemon> system-view
[Eudemon] traffic behavior behavior1
[Eudemon-behavior-behavior1]

Related Topics
3.24.16 qos policy
3.24.15 qos apply policy
3.24.2 classifier behavior

3.24.26 traffic classifier

Function
Using the traffic classifier command, you can define a class and enter the class view.

Using the undo traffic classifier command, you can delete a class.

Format
traffic classifier classifier-name [ operator { and | or } ]

undo traffic classifier classifier-name

Parameters
classifier-name: specifies the name of the defined class. It is a case-sensitive string of 1 to 31
characters without blank space.

and: specifies the relation between the rules in the class as logic AND. That is, the packet that
matches all the rules belongs to this class.

or: specifies the relation between the rules in the class as logic OR. That is, the packet that
matches any one of the rules belongs to this class.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the relation is operator and.

classifier-name shall not be that of the classes pre-defined by the system.

Examples
# Define a class named as class1.
<Eudemon> system-view
[Eudemon] traffic classifier class1
[Eudemon-classifier-class1]

Related Topics
3.24.16 qos policy
3.24.15 qos apply policy
3.24.2 classifier behavior

3.24.27 wred

Function
Using the wred command, you can set drop mode as WRED.

Using the undo wred command, you can delete the setting.

Format
wred [ dscp | ip-precedence ]

undo wred [ dscp | ip-precedence ]

Parameters
dscp: specifies that the DSCP value is used to calculate the drop proportion for a packet.

ip-precedence: specifies that the IP precedence value is used to calculate the drop proportion for
a packet. By default, ip-precedence is set.

Views
Traffic behavior view

Default Level
2: Configuration level

Usage Guidelines
This command can be used only after the queue af and queue wfq commands have been set.
The wred command and the queue-length command cannot be used at the same time. Other
configurations under the random drop will be deleted when this command is deleted. When a
policy is applied on an interface, the previous WRED configuration on interface level will
become ineffective.

The behavior associated with default-class can only use wred ip-precedence.

Examples
# Configure WRED for a behavior named database and drop proportion is calculated by IP
precedence.
<Eudemon> system-view
[Eudemon] traffic behavior database
[Eudemon-behavior-database] wred ip-precedence

Related Topics
3.24.16 qos policy
3.24.25 traffic behavior
3.24.2 classifier behavior

3.24.28 wred dscp

Function
Using the wred dscp command, you can set the low limit and high limit and the discard
probability denominator of DSCP-based WRED.
Using the undo wred dscp command, you can delete the configuration.

Format
wred dscp dscp-value low-limit low-limit high-limit high-limit [ discard-probability discard-prob ]
undo wred dscp dscp-value

Parameters
dscp-value: refers to DSCP value in a range of 0 to 63, which can be any of the following keys:
default, ef, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3,
cs4, cs5, cs6 or cs7.
low-limit: refers to lower threshold value in a range of 1 to 1024 packets.
high-limit: refers to upper threshold value in a range of 1 to 1024 packets.
discard-prob: refers to denominator of drop proportion in a range of 1 to 255.

Views
Traffic behavior view

Default Level
2: Configuration level

Usage Guidelines
By default, the low limit of DSCP-based WRED is 10, high limit is 30, and the discard probability
denominator is 10.
This command can be used only after the wred dscp command has been used to enable WRED
drop mode based on DSCP.
The configuration of wred dscp will be deleted if the configuration of wred is deleted.
The setting of drop parameter will be deleted if the configuration of queue af is deleted.

Examples
# Set the queue lower limit to 20, upper limit to 40 and discard probability to 15 for the packet
whose DSCP is 3.
<Eudemon> system-view
[Eudemon] traffic behavior database
[Eudemon-behavior-database] wred dscp
[Eudemon-behavior-database] wred dscp 3 low-limit 20 high-limit 40 discard-probability 15

Related Topics
3.24.16 qos policy
3.24.25 traffic behavior
3.24.2 classifier behavior

3.24.29 wred ip-precedence

Function
Using the wred ip-precedence command, you can set precedence lower limit, upper limit and
drop proportion denominator of WRED.

Using the undo wred ip-precedence command, you can remove the precedence set.

Format
wred ip-precedence precedence low-limit low-limit high-limit high-limit [ discard-probability discard-prob ]

undo wred ip-precedence precedence

Parameters
precedence: refers to precedence of IP packet in a range of 0 to 7.

low-limit: refers to lower threshold value in a range of 1 to 1024 packets.

high-limit: refers to upper threshold value in a range of 1 to 1024 packets.

discard-prob: refers to denominator of drop proportion in a range of 1 to 255.

Views
Traffic behavior view

Default Level
2: Configuration level

Usage Guidelines
By default, precedence lower limit of WRED is 10, upper limit is 30, and drop proportion
denominator is 10.

Before using this command, enable IP-precedence-based WRED by using the wred command.

The configuration of wred ip-precedence is deleted if the configuration of wred is cancelled.

The configuration of packet discard parameters is deleted if the configuration of queue af is
cancelled.

Examples
# Set lower limit to 20, upper limit to 40 and discard probability to 15 for the packet with the
precedence 3.
<Eudemon> system-view
[Eudemon] traffic behavior database
[Eudemon-behavior-database] wred ip-precedence
[Eudemon-behavior-database] wred ip-precedence 3 low-limit 20 high-limit 40 discard-probability 15

Related Topics
3.24.16 qos policy
3.24.25 traffic behavior
3.24.2 classifier behavior

3.24.30 wred weighting-constant

Function
Using the wred weighting-constant command, you can set the exponent used by WRED to calculate
the average queue length.

Using the undo wred weighting-constant command, you can delete the configuration.

Format
wred weighting-constant exponent

undo wred weighting-constant

Parameters
exponent: refers to the exponent, in a range of 1 to 16.

Views
Traffic behavior view

Default Level
2: Configuration level

Usage Guidelines
By default, the exponent used by WRED to calculate the average queue length is 9.

This command can be used only after the queue af command has been configured and the
wred command has been used to enable WRED drop mode.

The configuration of wred weighting-constant will be deleted if random-detect is deleted.

Examples
# Set the exponent for calculating the average queue length to 6.
<Eudemon> system-view
[Eudemon] traffic behavior database
[Eudemon-behavior-database] queue af bandwidth 200
[Eudemon-behavior-database] wred ip-precedence
[Eudemon-behavior-database] wred weighting-constant 6

Related Topics
3.24.16 qos policy
3.24.25 traffic behavior
3.24.2 classifier behavior
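
The wred sections give the parameters (low-limit, high-limit, discard-probability denominator, weighting-constant exponent) but not the arithmetic that combines them. The following Python sketch is an added example, not part of the Huawei manual: it uses the textbook RED formulas, and that the device computes its average and drop probability this way is an assumption, as are the function names.

```python
def update_average(avg, queue_len, exponent):
    """One averaging step: the new sample is weighted by 2**-exponent."""
    weight = 2.0 ** -exponent
    return (1.0 - weight) * avg + weight * queue_len


def drop_probability(avg, low_limit, high_limit, discard_prob):
    """Drop probability for an arriving packet at the given average queue length."""
    if avg < low_limit:
        return 0.0    # below the lower limit: never dropped
    if avg >= high_limit:
        return 1.0    # at or above the upper limit: always dropped
    # Linear ramp from 0 up to 1/discard_prob between the two limits.
    return (avg - low_limit) / (high_limit - low_limit) / discard_prob


def arrivals_until_random_drop(queue_len, low_limit, exponent):
    """Arrivals needed, starting from an average of 0, before the average reaches
    low_limit while the instantaneous queue length stays at queue_len."""
    if queue_len <= low_limit:
        return None   # the average can never cross the lower limit
    avg, arrivals = 0.0, 0
    while avg < low_limit:
        avg = update_average(avg, queue_len, exponent)
        arrivals += 1
    return arrivals


if __name__ == "__main__":
    # Values from the examples above: low-limit 20, high-limit 40, discard-probability 15.
    print(drop_probability(30, 20, 40, 15))
    # Exponent 6 (the example) against exponent 9 (the default), queue held at 40 packets.
    print(arrivals_until_random_drop(40, 20, 6), arrivals_until_random_drop(40, 20, 9))
```

Under these formulas a larger exponent makes the average follow a burst more slowly, so random drops start later.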

3.25 RIP Configuration Commands


3.25.1 checkzero
3.25.2 debugging rip
3.25.3 default cost (RIP View)
3.25.4 display rip
3.25.5 filter-policy export (RIP View)
3.25.6 filter-policy import (RIP View)
3.25.7 host-route
3.25.8 import-route (RIP View)
3.25.9 network (RIP View)
3.25.10 peer (RIP View)
3.25.11 preference (RIP View)
3.25.12 reset
3.25.13 rip
3.25.14 rip authentication-mode
3.25.15 rip input
3.25.16 rip metricin
3.25.17 rip metricout
3.25.18 rip output
3.25.19 rip split-horizon
3.25.20 rip version
3.25.21 rip work
3.25.22 summary
3.25.23 timers

3.25.1 checkzero

Function
Using the checkzero command, you can check the zero field of RIP-1 packet.
Using the undo checkzero command, you can cancel the check of the zero fields.

Format
checkzero
undo checkzero

Parameters
None

Views
RIP view

Default Level
2: Configuration level

Usage Guidelines
By default, RIP-1 performs the zero field check.
According to RFC 1058, some fields in RIP-1 packets must be zero; these are called zero fields. With the
checkzero command, the zero field check for RIP-1 packets can be enabled or disabled.
During the zero field check, a received RIP-1 packet whose zero fields are not all zero is
rejected.
Because the RIP-2 packet does not have zero fields, this command is invalid for RIP-2.
To save CPU resources, the zero field check can be disabled when all neighbors are reliable.

Examples
# Disable zero check for RIP-1 packet.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] undo checkzero
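
The zero field check can be reproduced offline to see which packets undo checkzero lets through. The following Python parser is an added example, not part of the Huawei manual: it follows the RFC 1058 packet layout, the function names are assumptions, and the three packets are constructed.

```python
import ipaddress
import struct

HEADER = struct.Struct("!BBH")    # command, version, must-be-zero
ENTRY = struct.Struct("!HHIIII")  # AFI, must-be-zero, address, 2 x must-be-zero, metric
MAX_ENTRIES = 25                  # RFC 1058 limit per datagram


def parse_rip(packet, checkzero=True):
    """Return (accepted, reason, routes) for the UDP payload of a RIP datagram."""
    body = len(packet) - HEADER.size
    if body < 0 or body % ENTRY.size or body // ENTRY.size > MAX_ENTRIES:
        return False, "bad length", []
    command, version, zero = HEADER.unpack_from(packet)
    if version == 0:
        return False, "version 0", []
    # RIP-2 reuses the zero fields (route tag, mask, next hop), so only RIP-1 is checked.
    strict = checkzero and version == 1
    if strict and zero:
        return False, "non-zero header field", []
    routes = []
    for offset in range(HEADER.size, len(packet), ENTRY.size):
        afi, z1, addr, z2, z3, metric = ENTRY.unpack_from(packet, offset)
        if afi == 0xFFFF:
            continue  # RIP-2 authentication entry, not a route
        if strict and (z1 or z2 or z3):
            return False, f"non-zero field in entry at offset {offset}", []
        if not 1 <= metric <= 16:
            return False, f"metric {metric} out of range", []
        routes.append((str(ipaddress.IPv4Address(addr)), metric))
    return True, "ok", routes


def build(version, entries, header_zero=0):
    """Build a constructed response; entries are (address, z1, z2, z3, metric)."""
    out = HEADER.pack(2, version, header_zero)  # command 2 = response
    for addr, z1, z2, z3, metric in entries:
        out += ENTRY.pack(2, z1, int(ipaddress.IPv4Address(addr)), z2, z3, metric)
    return out


# Constructed packets.
CLEAN = build(1, [("10.0.0.0", 0, 0, 0, 1)])
# Same route, but a zero field carries 255.255.255.0 as if it were a subnet mask.
STRAY = build(1, [("10.0.0.0", 0, 0xFFFFFF00, 0, 1)])
# In RIP-2 that position is the subnet mask, so the value is legitimate.
RIP2 = build(2, [("10.0.0.0", 0, 0xFFFFFF00, 0, 1)])

if __name__ == "__main__":
    for name, pkt in (("CLEAN", CLEAN), ("STRAY", STRAY), ("RIP2", RIP2)):
        print(name, parse_rip(pkt), parse_rip(pkt, checkzero=False))
```

With checkzero=False the STRAY packet is accepted and its route is installed, which is the behaviour to weigh before disabling the check toward neighbors that are not fully trusted.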

3.25.2 debugging rip

Function
Using the debugging rip command, you can enable the RIP packet debugging.

Using the undo debugging rip command, you can disable the RIP packet debugging.

Format
debugging rip { packet | receive | send }

Parameters
packet: enables the RIP packets debugging.

receive: enables the RIP receiving packets debugging.

send: enables the RIP sending packets debugging.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, the RIP packet debugging is disabled.

You can learn the current receiving and sending RIP packets on each interface by using this
command.

Examples
# Enable the RIP packets debugging.
<Eudemon> debugging rip packet

3.25.3 default cost (RIP View)

Function
Using the default cost command, you can set the default routing cost of an imported route.

Using the undo default cost command, you can restore the default value.

Format
default cost value

undo default cost

Parameters
value: sets the default routing cost in a range of 1 to 16.

Views
RIP view

Default Level
2: Configuration level

Usage Guidelines
By default, the default routing cost is 1.

If no specific routing cost is specified when importing other protocol routes with the import-
route command, the importing will be performed with the default routing cost specified by the
default cost command.

Examples
# Set the default routing cost of routes imported from other routing protocols to 3.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] default cost 3

Related Topics
3.25.8 import-route (RIP View)

3.25.4 display rip

Function
Using the display rip command, you can view the current RIP running state and its
configuration.

Format
display rip [ vpn-instance vpn-instance-name ]

Parameters
vpn-instance vpn-instance-name: specifies the name of the VPN instance. The name is a string
of 1 to 19 characters.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the current running state and configuration information of the RIP protocol.
<Eudemon> display rip
RIP is turned on
public net VPN-Instance
Checkzero is on Default cost : 1
Summary is on Preference : 100
Period update timer : 30
Timeout timer : 180
Garbage-collection timer : 120
No peer router
Network :
10.0.0.0

Table 3-51 lists the description of the display rip command output.

Table 3-51 Description of the display rip command output

Item                        Description
Checkzero                   MBZ check
Default cost                Default cost of RIP routes
Summary                     Whether route aggregation is enabled
Preference                  Preference of the RIP process
Period update timer         RIP update interval
Timeout timer               Aging interval of RIP routes
Garbage-collection timer    Period for collecting garbage routes
No peer router              No assigned unicast address
Network                     Network address

3.25.5 filter-policy export (RIP View)

Function
Using the filter-policy export command, you can filter the routes advertised by RIP.
Using the undo filter-policy export command, you can cancel the filtering of the advertised routes.

Format
filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ]
undo filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ]

Parameters
acl-number: specifies an ACL number used for filtering the destination addresses of the routing
information.

ip-prefix ip-prefix-name: specifies the name of an address prefix list used for filtering the
destination addresses of the routing.

routing-protocol: specifies a routing protocol whose routing is to be filtered, including direct,
isis, ospf, ospf-ase, ospf-nssa and static at present.

Views
RIP view

Default Level
2: Configuration level

Usage Guidelines
By default, RIP does not filter the advertised routing.

Examples
# Filter the advertised route based on ACL 2003.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] filter-policy 2003 export

Related Topics
3.25.6 filter-policy import (RIP View)

3.25.6 filter-policy import (RIP View)

Function
Using the filter-policy gateway command, you can filter the received routing information
distributed from the specified address.

Using the undo filter-policy gateway command, you can cancel the filtering of the received
routing information distributed from the specified address.

Using the filter-policy acl-number import command, you can filter the received global routing
information.

Using the undo filter-policy acl-number import command, you can cancel the filtering of the
received global routing information.

Using the filter-policy ip-prefix ip-prefix-name import command, you can filter the received
global routing information based on the address prefix list.

Using the undo filter-policy ip-prefix ip-prefix-name import command, you can cancel the
filtering of the received global routing information based on the address prefix list.

Format
filter-policy { acl-number | gateway ip-prefix-name | ip-prefix ip-prefix-name } import
undo filter-policy { acl-number | gateway ip-prefix-name | ip-prefix ip-prefix-name } import

Parameters
acl-number: specifies ACL number used for filtering the destination addresses of the routing. It
is an integer in a range of 2000 to 3999.
gateway ip-prefix-name: specifies the name of the address prefix list used to filter the addresses
of the neighboring routers advertising the routing information. It is a string of 1 to 19 characters.
ip-prefix ip-prefix-name: specifies name of address prefix list used for filtering the destination
addresses of the routing. It is a string of 1 to 19 characters.

Views
RIP view

Default Level
2: Configuration level

Usage Guidelines
By default, RIP does not filter the received routing.
The range of the routes received by RIP can be controlled by specifying the ACL and the address
prefix list.

Examples
# Filter the global routing based on ACL 2003.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] filter-policy 2003 import

Related Topics
3.25.5 filter-policy export (RIP View)

3.25.7 host-route

Function
Using the host-route command, you can control the RIP to accept the host route.
Using the undo host-route command, you can reject the host route.

Format
host-route

undo host-route

Parameters
None

Views
RIP view

Default Level
2: Configuration level

Usage Guidelines
By default, Eudemon accepts the host route.
In some special cases, RIP receives a great number of host routes on the same network segment.
These routes cannot help the path search much but occupy a lot of resources. In this case, the
undo host-route command can be used to reject host routes.

Examples
# Configure RIP to reject a host route.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] undo host-route

3.25.8 import-route (RIP View)

Function
Using the import-route command, you can import the routes of other protocols into RIP.
Using the undo import-route command, you can cancel the routes imported from other
protocols.

Format
import-route protocol [ process-id ] [ cost value ] [ route-policy route-policy-name ]
undo import-route protocol [ process-id ]

Parameters
protocol: specifies the source routing protocol to be imported by RIP. At present, RIP can import
the following routes: direct, ospf, ospf-ase, ospf-nssa and static.
process-id: specifies the protocol process ID. It is an integer in a range of 1 to 65535. For ospf,
ospf-ase, or ospf-nssa, the process ID needs to be specified.
value: specifies the cost value of the route to be imported in a range of 1 to 16.

route-policy route-policy-name: specifies the name of the configured route policy when the
external route is imported. The name is a string of 1 to 19 characters.

Views
RIP view

Default Level
2: Configuration level

Usage Guidelines
By default, RIP does not import any other routes.

The import-route command is used to import the route of another protocol by using a certain
value. RIP regards the imported route as its own route and transmits it with the specified value.
This command can greatly enhance the RIP capability of obtaining routes, thus increasing the
RIP performance.

If the cost value is not specified, routes will be imported according to the default cost. It is in
the range of 1 to 16. If it is greater than or equal to 16, it refers to an unreachable route and the
transmission will be stopped in 120 seconds.

Examples
# Import a static route with cost being 4.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] import-route static cost 4

# Set the default cost and import an OSPF route with the default cost.
[Eudemon-rip] default cost 3
[Eudemon-rip] import-route ospf

Related Topics
3.25.3 default cost (RIP View)

3.25.9 network (RIP View)

Function
Using the network command, you can enable Routing Information Protocol (RIP) on the
interface.

Using the undo network command, you can cancel the RIP on the interface.

Format
network network-address

undo network network-address

Parameters
network-address: specifies the number of the network that is enabled or disabled. Its value is
the IP network address of each interface.

Views
RIP view

Default Level
2: Configuration level

Usage Guidelines
By default, RIP is disabled on any interface.
After a RIP routing process is enabled, RIP is still disabled on every interface by default. RIP
must be enabled on a given interface with the network command.
The undo network command is similar to the interface undo rip work command in terms of
function.
- Their similarity is that the interface using either command will not receive/transmit RIP
routes.
- The difference between them is that, in the case of undo rip work, other interfaces will
still forward the routes of the interface using the undo rip work command. In the case of
undo network, it is like performing the undo rip work command on the interface, and the
routes of the corresponding interfaces cannot be transmitted by RIP. Therefore, the packets
transmitted to this interface cannot be forwarded.
When the network command is used on an address, the effect is that RIP is applied on the
interface on the network segment at this address. For example, the results of viewing the network
129.102.1.1 with both the display current-configuration command and the display rip
command are shown as the network 129.102.0.0.

Examples
# Enable the RIP on the interface with the network address as 129.102.0.0.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] network 129.102.0.0

Related Topics
3.25.21 rip work

3.25.10 peer (RIP View)

Function
Using the peer command, you can assign the destination address of the peer to which information
is sent in unicast mode.

Using the undo peer command, you can cancel the configuration.

Format
peer ip-address

undo peer ip-address

Parameters
ip-address: specifies the IP address of the peer router, represented in the format of dotted decimal.

Views
RIP view

Default Level
2: Configuration level

Usage Guidelines
By default, RIP packets are not sent to any destination.

This command specifies the sending destination address to fit some non-broadcast networks.
Usually, it is not recommended to use this command.

Examples
# Specify the sending destination address 202.38.165.1.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] peer 202.38.165.1

3.25.11 preference (RIP View)

Function
Using the preference command, you can set the route preference of RIP.

Using the undo preference command, you can restore the default preference.

Format
preference value

undo preference

Parameters
value: specifies a preference level in a range of 1 to 255.

Views
RIP view

Default Level
2: Configuration level

Usage Guidelines
By default, the route preference of RIP is 100.
Every routing protocol has its own preference. Its default value is determined by the specific
routing policy. The preference will finally determine the routing algorithm to obtain the optimal
route in the IP routing table.

Examples
# Specify the RIP preference as 20.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] preference 20

3.25.12 reset

Function
Using the reset command, you can reset the system parameters of RIP.

Format
reset

Parameters
None

Views
RIP view

Default Level
2: Configuration level

Usage Guidelines
When you need to set parameters of RIP once again, this command can be used to restore the
default setting.

Examples
# Reset the RIP system.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] reset

3.25.13 rip

Function
Using the rip command, you can enable the RIP and enter RIP view.

Using the undo rip command, you can cancel RIP.

Format
rip

undo rip

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the system does not run RIP.

To enter the RIP view and set the RIP global parameters, RIP must be enabled first. Setting
interface-related parameters, however, does not depend on whether RIP is enabled or
disabled.

NOTE

Interface parameters configured previously become invalid when RIP is disabled.

Examples
# Enable the RIP and enter the RIP view.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip]

3.25.14 rip authentication-mode

Function
Using the rip authentication-mode command, you can set RIP-2 authentication mode and
parameters.
Using the undo rip authentication-mode command, you can cancel the RIP-2 authentication.

Format
rip authentication-mode { simple password1 | md5 { nonstandard password2 md5-key-id |
usual password3 } }
undo rip authentication-mode

Parameters
simple: refers to simple text authentication mode.
password1: specifies the authentication key in simple text with 1 to 16 characters.
md5: refers to MD5 cipher text authentication mode.
nonstandard: specifies the MD5 cipher text authentication packet to use a nonstandard packet
format described in RFC 2082. The MD5 cipher text authentication key is configured; however,
the packet type of MD5 cipher text authentication is not specified. Thus, the nonstandard packet
format is used and md5-key-id is 1.
password2: specifies an authentication key; when it is in simple text, the length is in the range
of 1 character to 16 characters; when it is in cipher text, the length is 24 characters.
md5-key-id: specifies the key for MD5 authentication ranging from 1 to 255.
usual: specifies the MD5 cipher text authentication packet to use the general packet format (RFC
1723 standard format).
password3: specifies an authentication key; when it is in simple text, the length is in the range
of 1 character to 16 characters; when it is in cipher text, the length is 24 characters.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
RIP-1 does not support authentication. There are two RIP authentication modes:
• Simple text authentication
• MD5 cipher text authentication
When MD5 cipher text authentication mode is used, there are two types of packet formats:
• One is described in RFC 1723, which was brought forward earlier.
• The other is described in RFC 2082.

The Eudemon supports both of the packet formats and you can select either of them on demand.

Examples
# Use the simple text authentication with the password as aaa on Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] rip version 2
[Eudemon-Ethernet0/0/0] rip authentication-mode simple aaa

# Set MD5 cipher text authentication at Ethernet 0/0/0 with the password as aaa and the packet
type as nonstandard.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] rip version 2
[Eudemon-Ethernet0/0/0] rip authentication-mode md5 nonstandard aaa 1

# Set MD5 cipher text authentication at Ethernet 0/0/0 with the password as aaa and the packet
type as usual.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] rip version 2
[Eudemon-Ethernet0/0/0] rip authentication-mode md5 usual aaa

Related Topics
3.25.20 rip version
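
An added example, not part of the Huawei manual: a Python audit that reads interface stanzas written with the commands documented above and reports interfaces left on RIP-1 (no authentication support), running RIP-2 without authentication, or using simple text authentication. The saved-configuration layout, the sample keys and the finding codes are assumptions constructed for this example.

```python
import re

# Constructed sample input. Each stanza uses commands documented in this
# section; the "interface <name> ... #" layout of a saved configuration is an
# assumption made for this example, and every key shown is made up.
SAMPLE_CONFIG = """\
interface Ethernet0/0/0
 rip version 2
 rip authentication-mode simple aaa
#
interface Ethernet0/0/1
 rip version 2 multicast
 rip authentication-mode md5 nonstandard ABCDEFGHIJKLMNOPQRSTUVWX 1
#
interface Ethernet0/0/2
 rip version 2
#
interface Ethernet0/0/3
 rip authentication-mode md5 usual aaa
#
interface Ethernet1/0/0
 rip version 2
 undo rip work
#
"""

# Hypothetical finding codes, used by this example only.
FINDINGS = {
    "RIP1_NO_AUTH_SUPPORT": "interface runs RIP-1, which does not support authentication",
    "RIP2_UNAUTHENTICATED": "RIP-2 is enabled without rip authentication-mode",
    "SIMPLE_TEXT_AUTH": "simple text authentication is used instead of MD5",
    "MD5_KEY_ID_OUT_OF_RANGE": "md5-key-id is outside the documented range 1 to 255",
    "MD5_KEY_NOT_CIPHER_TEXT": "MD5 key is not a 24-character cipher text string",
    "UNRECOGNIZED_AUTH_SYNTAX": "rip authentication-mode does not match the documented format",
}

# rip version 1 | rip version 2 [ broadcast | multicast ]
VERSION_RE = re.compile(r"^rip version (1|2(?: (?:broadcast|multicast))?)$")


def parse_interfaces(text):
    """Return {interface name: [command, ...]} for every interface stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "#" or not line:
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def audit_interface(commands):
    """Return the list of finding codes for one interface's RIP commands."""
    if "undo rip work" in commands:
        return []  # RIP does not run on this interface
    version, auth = 1, None  # the documented default version is RIP-1
    for cmd in commands:
        m = VERSION_RE.match(cmd)
        if m:
            version = int(m.group(1)[0])
        elif cmd.startswith("rip authentication-mode "):
            auth = cmd.split()[2:]
    if version == 1:
        return ["RIP1_NO_AUTH_SUPPORT"]
    if auth is None:
        return ["RIP2_UNAUTHENTICATED"]
    findings = []
    if auth[0] == "simple" and len(auth) == 2:
        findings.append("SIMPLE_TEXT_AUTH")
    elif auth[:2] == ["md5", "nonstandard"] and len(auth) == 4:
        if not (auth[3].isdigit() and 1 <= int(auth[3]) <= 255):
            findings.append("MD5_KEY_ID_OUT_OF_RANGE")
        if len(auth[2]) != 24:  # simple text keys are 1 to 16 characters
            findings.append("MD5_KEY_NOT_CIPHER_TEXT")
    elif auth[:2] == ["md5", "usual"] and len(auth) == 3:
        if len(auth[2]) != 24:
            findings.append("MD5_KEY_NOT_CIPHER_TEXT")
    else:
        findings.append("UNRECOGNIZED_AUTH_SYNTAX")
    return findings


def audit(text):
    """Return {interface name: [finding code, ...]} for a whole configuration."""
    return {name: audit_interface(cmds)
            for name, cmds in parse_interfaces(text).items()}


if __name__ == "__main__":
    for name, codes in audit(SAMPLE_CONFIG).items():
        for code in codes:
            print(f"{name}: {code}: {FINDINGS[code]}")
```

Ethernet0/0/3 in the sample shows the case that is easiest to miss: an authentication mode is configured, but the interface is still on the default RIP-1.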

3.25.15 rip input

Function
Using the rip input command, you can allow an interface to receive RIP packets.

Using the undo rip input command, you can prevent an interface from receiving RIP packets.

Format
rip input

undo rip input

Parameters
None

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, RIP packets at all interfaces (except loopback interface) can be received.
This command is used together with the other two commands: rip output and rip work.
Functionally, rip work is equal to rip input & rip output. The latter two control the receipt
and the transmission of RIP packets on an interface. The former command equals the functional
combination of the latter two commands.

Examples
# Specify the interface Ethernet 0/0/0 not to receive RIP packets.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] undo rip input

Related Topics
3.25.18 rip output
3.25.21 rip work

3.25.16 rip metricin

Function
Using the rip metricin command, you can configure the additional route metric to the route
when an interface transmits RIP packets.
Using the undo rip metricin command, you can restore the default value of this additional
route metric.

Format
rip metricin value
undo rip metricin

Parameters
value: specifies an additional route metric added when transmitting a packet in a range of 1 to
16.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the additional route metric added when transmitting a packet is 0.

This command is valid for the routes distributed by the local network and other routes imported
by other routes. This command is invalid for the routes imported by the local router.

Examples
# Set the additional route metric to 2 when the interface Ethernet 0/0/0 transmits RIP packets.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] rip metricin 2

Related Topics
3.25.17 rip metricout

3.25.17 rip metricout

Function
Using the rip metricout command, you can configure the additional route metric to the route
when an interface transmits RIP packets.
Using the undo rip metricout command, you can restore the default value of this additional
route metric.

Format
rip metricout value
undo rip metricout

Parameters
value: specifies an additional route metric added when transmitting a packet in a range of 1 to
16.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the additional route metric added when transmitting a packet is 1.
This command is valid for the routes distributed by the local network and other routes imported
by other routes. This command is invalid for the routes imported by the local router.

Examples
# Set the additional route metric to 2 when the interface Ethernet 0/0/0 transmits RIP packets.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] rip metricout 2

Related Topics
3.25.16 rip metricin

3.25.18 rip output

Function
Using the rip output command, you can configure an interface to transmit RIP packets
outward.
Using the undo rip output command, you can cancel the configuration.

Format
rip output
undo rip output

Parameters
None

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, RIP packets at all interfaces (except loopback interface) can be transmitted.
This command is used together with the other two commands: rip input and rip work.
Functionally, rip work is equal to rip input & rip output. The latter two control the receipt
and the transmission of RIP packets on an interface. The former command equals the functional
combination of the latter two commands.

Examples
# Disable the interface Ethernet 0/0/0 from transmitting RIP packets.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] undo rip output

Related Topics
3.25.15 rip input
3.25.21 rip work

3.25.19 rip split-horizon

Function
Using the rip split-horizon command, you can configure an interface to use split horizon when
transmitting RIP packets.

Using the undo rip split-horizon command, you can configure an interface not to use split
horizon when transmitting RIP packets.

Format
rip split-horizon

undo rip split-horizon

Parameters
None

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, an interface is enabled to use split horizon when transmitting RIP packets.

Normally, split horizon is necessary to reduce routing loops. Disable split horizon only in
special cases where that is needed to ensure the correct execution of protocols.

Examples
# Specify the interface Ethernet 0/0/0 not to use split horizon when processing RIP packets.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] undo rip split-horizon

3.25.20 rip version

Function
Using the rip version command, you can configure the version of RIP packets on an interface.

Using the undo rip version command, you can restore the default value.

Format
rip version 1

rip version 2 [ broadcast | multicast ]

undo rip version

Parameters
1: specifies that interface version is RIP-1.

2: specifies that interface version is RIP-2.

broadcast: transmits RIP-2 packets in broadcast mode.

multicast: transmits RIP-2 packets in multicast mode.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the interface RIP version is RIP-1. RIP-1 transmits packets in broadcast mode, while
RIP-2 transmits packets in multicast mode.

When running RIP-1, the interface only receives and transmits RIP-1, and receives RIP-2
broadcast packets, but does not receive RIP-2 multicast packets. When running RIP-2 in
broadcast mode, the interface only receives and transmits RIP-2 broadcast packets, receives
RIP-1 packets, but does not receive RIP-2 multicast packets. When running RIP-2 in multicast
mode, the interface only receives and transmits RIP-2 multicast packets, but does not receive
RIP-2 broadcast packets and RIP-1 packets.

Examples
# Set the interface Ethernet 0/0/0 as RIP-2 broadcast mode.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] rip version 2 broadcast

3.25.21 rip work

Function
Using the rip work command, you can enable the running of RIP on an interface.

Using the undo rip work command, you can disable the running of RIP on an interface.

Format
rip work
undo rip work

Parameters
None

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, RIP runs on an interface.
This command is used together with rip input, rip output and network commands.

Examples
# Disable RIP on the interface Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] undo rip work

Related Topics
3.25.15 rip input
3.25.18 rip output

3.25.22 summary

Function
Using the summary command, you can enable RIP-2 automatic route summarization.
Using the undo summary command, you can disable RIP-2 automatic route summarization.

Format
summary
undo summary

Parameters
None

Views
RIP view

Default Level
2: Configuration level

Usage Guidelines
By default, RIP-2 route summarization is enabled.

Route aggregation can be performed to reduce the routing traffic on the network as well as to
reduce the size of the routing table. If RIP-2 is used, route summarization function can be disabled
with the undo summary command, when it is necessary to broadcast the subnet route.

RIP-1 does not support subnet mask. Forwarding subnet route may cause ambiguity. Therefore,
RIP-1 uses route summarization all the time. The undo summary command is invalid for RIP-1.

Examples
# Set RIP version on the interface Ethernet 0/0/0 as RIP-2 and disable the route summarization.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] rip version 2
[Eudemon-Ethernet0/0/0] quit
[Eudemon] rip
[Eudemon-rip] undo summary

Related Topics
3.25.20 rip version

3.25.23 timers

Function
Using the timers command, you can set timeout time interval and regular update time interval
for the RIP route.

Using the undo timers command, you can restore the default value.

Format
timers { timeout timeout-timer-length | update update-timer-length } *

undo timers { timeout | update } *

Parameters
timeout-timer-length: refers to the timeout time interval of the RIP route in a range of 1 to 3600s.

update-timer-length: refers to the regular update time interval of the RIP route in a range of 1
to 3600s.

Views
RIP view

Default Level
2: Configuration level

Usage Guidelines
By default, the timeout time interval of the RIP route is 180 seconds, and the regular update time
interval is 30 seconds.

Examples
# Set timeout time interval of the RIP route and regular update time interval of the RIP route as
120s and 60s respectively.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] timers timeout 120 update 60

3.26 VLAN Configuration Commands


3.26.1 debugging vlan packet
3.26.2 display vlan statistics interface
3.26.3 display vlan statistics vid
3.26.4 reset vlan statistics interface
3.26.5 reset vlan statistics vid
3.26.6 vlan-type dot1q

3.26.1 debugging vlan packet

Function
Using the debugging vlan packet command, you can enable VLAN packet debugging.
Using the undo debugging vlan packet command, you can disable VLAN packet debugging.

Format
debugging vlan packet [ interface interface-type interface-number.sub-interface-number ]
[ vid vlan-id ]
undo debugging vlan packet [ interface interface-type interface-number ] [ vid vlan-id ]

Parameters
interface-type interface-number: specifies the type and the number of an interface. This interface
must be a sub-interface.

sub-interface-number: specifies the number of a sub-interface.

vlan-id: specifies a VLAN ID in a range of 1 to 4094.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, VLAN packet debugging is disabled.

If no parameter is specified, you will enable or disable all VLAN packet debugging on all VLAN
sub-interfaces.

Examples
# Enable VLAN packet debugging on sub-interface Ethernet 0/0/0.1.
<Eudemon> debugging vlan packet interface Ethernet 0/0/0.1

3.26.2 display vlan statistics interface

Function
Using the display vlan statistics interface command, you can view the packet statistics on a
certain VLAN.

Format
display vlan statistics interface interface-type interface-number .sub-interface-number

Parameters
interface-type interface-number: specifies the type and number of an interface. At present, the
interface types supported include Ethernet interface and Gigabit Ethernet interface, and it only
supports sub-interface.

sub-interface-number: specifies the number of an Ethernet sub-interface in a range of 1 to 4096.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the VLAN statistics on interface Ethernet 0/0/0.1.
<Eudemon> display vlan statistics interface Ethernet 0/0/0.1
VLAN packet statistics:
0 Packets received, 0 bytes
64 Packets transmitted, 2944 bytes
0 Received error ,0 Transmitted error

Related Topics
3.26.4 reset vlan statistics interface

3.26.3 display vlan statistics vid

Function
Using the display vlan statistics vid command, you can view the packet statistics on a certain
VLAN, such as the received packet number and the sent packet number.

Format
display vlan statistics vid vlan-id

Parameters
vlan-id: specifies a VLAN ID. It is an integer in a range of 1 to 4094.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the packet statistics on VLAN 10.
<Eudemon> display vlan statistics vid 10
VLAN packet statistics:
0 Packets received, 0 bytes
0 Packets transmitted, 0 bytes

Related Topics
3.26.4 reset vlan statistics interface

3.26.4 reset vlan statistics interface

Function
Using the reset vlan statistics interface command, you can clear VLAN statistics on a certain
interface.

Format
reset vlan statistics interface interface-type interface-number .sub-interface-number

Parameters
interface-type interface-number: specifies the type and number of an interface. The interface
types supported include Ethernet interface and Gigabit Ethernet interface.
sub-interface-number: specifies the number of an Ethernet subinterface in a range of 1 to 4096.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Clear the VLAN statistics on interface Ethernet 0/0/0.1.
<Eudemon> reset vlan statistics interface Ethernet 0/0/0.1

Related Topics
3.26.2 display vlan statistics interface

3.26.5 reset vlan statistics vid

Function
Using the reset vlan statistics vid command, you can clear the VLAN statistics.

Format
reset vlan statistics vid vlan-id

Parameters
vlan-id: specifies a VLAN ID. It is an integer in a range of 1 to 4094.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Clear the statistics with VLAN ID 10.
<Eudemon> reset vlan statistics vid 10

Related Topics
3.26.3 display vlan statistics vid

3.26.6 vlan-type dot1q

Function
Using the vlan-type dot1q command, you can set the encapsulation types on the sub-interface.

Using the undo vlan-type dot1q command, you can delete the encapsulation types on the sub-
interface.

Format
vlan-type dot1q low-vid [ high-vid ]

undo vlan-type dot1q low-vid [ high-vid ]

Parameters
low-vid: specifies the first VLAN ID in a range of 1 to 4094.

high-vid: specifies the last VLAN ID in a range of 1 to 4094. Note that the last VLAN ID must
be greater than the first VLAN ID.

Views
Sub-Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, there is no encapsulation on the subinterface, nor VLAN ID related to the
subinterface.

Examples
# Associate the sub-interface Ethernet 0/0/0.1 with VLANs 50 to 60 and set its encapsulation
format to dot1q.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0.1
[Eudemon-Ethernet0/0/0.1] vlan-type dot1q 50 60

3.27 Frame Relay Configuration Commands


3.27.1 debugging fr inarp
3.27.2 debugging fr packet
3.27.3 debugging fr
3.27.4 display fr compress
3.27.5 display fr dlci-switch
3.27.6 display fr fragment-info
3.27.7 display fr inarp-info
3.27.8 display fr interface
3.27.9 display fr iphc
3.27.10 display fr lmi-info
3.27.11 display fr map-info
3.27.12 display fr pvc-info
3.27.13 display fr standby group
3.27.14 display fr statistics
3.27.15 display fr switch-table
3.27.16 display interface mfr
3.27.17 display mfr
3.27.18 fr compression frf9
3.27.19 fr compression iphc
3.27.20 fr dlci
3.27.21 fr dlci-switch
3.27.22 fr inarp
3.27.23 fr interface-type
3.27.24 fr iphc
3.27.25 fr lmi n391dte
3.27.26 fr lmi n392dce
3.27.27 fr lmi n392dte
3.27.28 fr lmi n393dce
3.27.29 fr lmi n393dte
3.27.30 fr lmi t392dce
3.27.31 fr lmi type
3.27.32 fr map ip
3.27.33 fr standby group switch
3.27.34 fr standby group switch auto
3.27.35 fr standby group switch master
3.27.36 fr standby group switch slave
3.27.37 fr switch
3.27.38 fr switching
3.27.39 interface mfr
3.27.40 link-protocol (FR Interface View)
3.27.41 link-protocol fr mfr
3.27.42 mfr bundle-name
3.27.43 mfr fragment
3.27.44 mfr fragment-size
3.27.45 mfr link-name
3.27.46 mfr retry
3.27.47 mfr timer ack
3.27.48 mfr timer hello
3.27.49 mfr window-size
3.27.50 mtu (FR Interface View)
3.27.51 reset fr inarp
3.27.52 shutdown (FR Interface View)
3.27.53 timer hold (FR Interface View)

3.27.1 debugging fr inarp

Function
Using the debugging fr inarp command, you can enable the debugging of FR INARP.
Using the undo debugging fr inarp command, you can disable the debugging of FR INARP.

Format
debugging fr inarp [ interface interface-type interface-number [ dlci dlci-number ] ]
undo debugging fr inarp [ interface interface-type interface-number [ dlci dlci-number ] ]

Parameters
interface-type: specifies the interface type.
interface-number: specifies the interface number.
dlci dlci-number: specifies the DLCI number of the VC. The value is an integer ranging from
16 to 1007.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
When monitoring the statuses of interfaces or checking the causes of interface failure, you can run
this command to obtain information about interface statuses and statistics. Then, you can
diagnose the failure of interfaces according to this information.
Enabling debugging of FR affects the system performance greatly. Therefore, this command
should be used cautiously. After the debugging, run the undo debugging command to disable
it immediately.

Examples
# Enable the debugging of FR INARP.
<Eudemon> debugging fr inarp

3.27.2 debugging fr packet

Function
Using the debugging fr packet command, you can enable the FR packets debugging and output
the debugging information based on the packet type.

Using the undo debugging fr packet command, you can disable the FR packets debugging.

Format
debugging fr packet [ interface interface-type interface-number [ dlci dlci-number ] ]
undo debugging fr packet [ interface interface-type interface-number [ dlci dlci-number ] ]

Parameters
interface-type: indicates the type of the interface.
interface-number: indicates the number of the interface.
dlci-number: indicates DLCI number. The value is an integer ranging from 16 to 1007.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
According to the status and statistics of the interface collected by the command, you can locate
the fault.
Enabling the FR debugging affects the system performance. So, confirm the action before you
use the command. After debugging, run the undo debugging command to disable it
immediately.

Examples
# Enable the FR packets debugging.
<Eudemon> debugging fr packet

3.27.3 debugging fr

Function
Using the debugging fr command, you can enable the FR debugging.
Using the undo debugging fr command, you can disable the FR debugging.

Format
debugging fr { all | compress | congestion | de | lmi | mfr control | mfr fragment | transmit-
rate } [ interface interface-type interface-number ]
debugging fr event
debugging fr fragment interface interface-type interface-number dlci-number

undo debugging fr { all | compress | congestion | de | lmi | mfr control | mfr fragment |
transmit-rate } [ interface interface-type interface-number ]

undo debugging fr event

undo debugging fr fragment interface interface-type interface-number dlci-number

Parameters
all: enables all the FR debugging.

compress: enables the FR compression debugging.

congestion: enables the debugging of the FR traffic congestion management.

de: enables the DE debugging of the FR traffic shaping.

event: enables the FR event debugging. When event is used, no interface can be specified.

fragment: enables the debugging of the FR fragment. When fragment is used, DLCI must be
specified.

lmi: enables the debugging of the FR Local Management Interface (LMI) protocol.

mfr control: enables the debugging of the MFR binding and bundle link.

mfr fragment: enables the debugging of the MFR fragment.

transmit-rate: enables the debugging of the FR sending rate.

interface-type: specifies the interface type.

interface-number: specifies the interface number.

dlci-number: specifies the DLCI number of the VC. The value is an integer ranging from 16 to 1007.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, the FR debugging is disabled.

If the debugging of the MFR binding and bundle link (mfr control) are enabled, the sent/received
bundle link controlling information and status change are displayed. If the debugging of MFR
fragment (mfr fragment) is enabled, the MFR fragment information is displayed.

If FR traffic shaping is enabled, the change of FR transmitting rate can be seen after the
debugging of the FR sending rate (transmit-rate) is enabled.

Enabling the FR debugging affects the system performance. So, confirm the action before you
use the command. After debugging, run the undo debugging command to disable it
immediately.

Examples
# Enable the FR compression debugging on all the interfaces.
<Eudemon> debugging fr compress

# Enable the debugging of MFR 1, supposing several links have been bundled on it.
<Eudemon> debugging fr mfr control interface mfr1

3.27.4 display fr compress

Function
Using the display fr compress command, you can view the statistics of the FR compression. If
no interface is specified, the DLCI compression statistics of all the interfaces are displayed.

Format
display fr compress [ interface interface-type interface-number ]

Parameters
interface-type: displays the FR compression information of the specified interface type.

interface-number: displays the FR compression information of the specified interface number.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
According to the status and statistics of the interface collected by the command, you can measure
the traffic and locate the fault.

Examples
# View the FR compression statistics.
<Eudemon> display fr compress interface Serial 1/0/0:0.1
Serial 1/0/0:0.1 -DLCI:100
uncompressed bytes xmt/rcv 0/0 compressed bytes xmt/rcv 0/0
1 min avg ratio xmt/rcv 0.000/0.000 5 min avg ratio xmt/rcv 0.000/0.000

Table 3-52 Description of the display fr compress command output

Item                         Description
Serial 1/0/0:0.1 -DLCI:      DLCI of the interface
uncompressed bytes xmt/rcv   Number of uncompressed sent/received bytes
compressed bytes xmt/rcv     Number of compressed sent/received bytes
1 min avg ratio xmt/rcv      Average compression rate of sending/receiving in 1 minute
5 min avg ratio xmt/rcv      Average compression rate of sending/receiving in 5 minutes

Related Topics
3.27.18 fr compression frf9

3.27.5 display fr dlci-switch

Function
Using the display fr dlci-switch command, you can view the information of the configured FR
switching to check whether the FR switching is correctly configured.

Format
display fr dlci-switch [ interface interface-type interface-number ]

Parameters
interface-type: specifies the interface type.
interface-number: specifies the interface number.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The specified interface can only be a main interface. If no interface is specified, information of
all interfaces is displayed.
According to the status and statistics of the interface collected by the command, you can measure
the traffic and locate the fault.

Examples
# View the information about the FR switching.
<Eudemon> display fr dlci-switch


Frame relay switch statistics
Status Interface(Dlci) ----------> Interface(Dlci)
Inactive Serial 1/0/0:1(16) Serial 1/0/0:2(16)
Inactive Serial 1/0/0:1(200) Serial 1/0/0:2(300)
Inactive Serial 1/0/0:2(16) Serial 1/0/0:1(16)
Inactive Serial 1/0/0:2(300) Serial 1/0/0:1(200)
Inactive Serial 1/0/0:3(400) Serial 1/0/0:4(500)
Inactive Serial 1/0/0:4(500) Serial 1/0/0:3(400)

Table 3-53 Description of the display fr dlci-switch command output

Item                                        Description
Frame Relay switch statistics for board 1   Statistics of the FR switching on interface board 1.
Status                                      Connection status.
Interface(Dlci) < -- > Interface(Dlci)      Input interface and its DLCI, and output interface and its DLCI.
                                            "< -- >" indicates the corresponding relationship between
                                            interfaces of two ends of the FR switching.

Related Topics
3.27.21 fr dlci-switch

3.27.6 display fr fragment-info

Function
Using the display fr fragment-info command, you can view the FR fragments.

Format
display fr fragment-info [ interface interface-type interface-number ] [ dlci-number ]

Parameters
interface-type: specifies the interface type.
interface-number: specifies the interface number.
dlci-number: specifies the DLCI number. The value is an integer ranging from 16 to 1007.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
You can specify only a main interface. If you do not specify the interface, information about all
interfaces is displayed.

Examples
# Display the FR fragments on all interfaces.
<Eudemon> display fr fragment-info

3.27.7 display fr inarp-info

Function
Using the display fr inarp-info command, you can view the packet statistics of the FR InARP.

Format
display fr inarp-info [ interface interface-type interface-number ]

Parameters
interface-type: displays the statistics about the FR InARP of the specified interface type.
interface-number: displays the statistics about the FR InARP of the specified interface number.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The specified interface can only be a main interface. If no interface is specified, information of
all interfaces is displayed.
The packets of the FR InARP include:
• Address resolution request packet
• Address resolution response packet

According to the output of the command, you can judge whether InARP works normally.

Examples
# View the packet statistics of the FR InARP.
<Eudemon> display fr inarp-info
Frame relay InverseARP statistics for interface Serial 1/0/0:0 (DTE)
In ARP request Out ARP reply Out ARP request In ARP reply
0 0 1 1

Table 3-54 Description of the display fr inarp-info command output

| Item | Description |
| --- | --- |
| Frame relay InverseARP statistics for interface Serial 1/0/0:0 (DTE) | Statistics of FR inverse address resolution (InARP) on the DTE interface Serial 1/0/0:0. |
| In ARP request | Number of received ARP request packets |
| Out ARP reply | Number of sent ARP reply packets |
| Out ARP request | Number of sent ARP request packets |
| In ARP reply | Number of received ARP reply packets |

Related Topics
3.27.22 fr inarp

3.27.8 display fr interface

Function
Using the display fr interface command, you can view the status of an FR interface. The output
includes:
• Interface type (DTE or DCE)
• Physical status
• Status of the link layer protocol

For sub-interfaces, the interface type and link layer protocol status are displayed.

Format
display fr interface [ interface-type interface-number ]

Parameters
interface-type: specifies the interface type.

interface-number: specifies the interface number. You can specify either the main interface or
the sub-interface.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If no interface is specified, information of all interfaces is displayed.

According to the status and statistics of the interface collected by the command, you can measure
the traffic and locate the fault.

Examples
# View the status of all FR interfaces.
<Eudemon> display fr interface
MFR12, DTE, physical down, protocol down
MFR12.1, multi-point, protocol down
Serial 1/0/0:0, DTE, physical down, protocol down
Serial 2/0/0:0, DTE, physical up, protocol up

Table 3-55 Description of the display fr interface command output

| Item | Description |
| --- | --- |
| MFR12 | Indicates the interface type and number. |
| DTE | Indicates the working mode of the interface:<br>• DTE: DTE interface working mode<br>• DCE: DCE interface working mode<br>• NNI: network to network interface (NNI) working mode |
| physical down | Indicates the physical link is Down. The cause may be that the cable is not installed properly. |
| protocol down | Indicates the network protocol is Down. The cause may be that the DLCI is not configured. |
| multi-point | Indicates the type of the sub-interface is PTM. |

Related Topics
3.27.16 display interface mfr

3.27.9 display fr iphc

Function
Using the display fr iphc command, you can view IP packet header compression of an FR
interface.

Format
display fr iphc [ interface interface-type interface-number ]

Parameters
interface-type: specifies the interface type.

interface-number: specifies the interface number. The specified interface can only be a main
interface.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If no interface is specified, information of all interfaces is displayed.

Examples
# View IP packet header compression as follows.
<Eudemon> display fr iphc

Related Topics
3.27.23 fr interface-type

3.27.10 display fr lmi-info

Function
Using the display fr lmi-info command, you can view the statistics of the LMI protocol frame.

Format
display fr lmi-info [ interface interface-type interface-number ]

Parameters
interface-type: specifies the interface type.

interface-number: specifies the interface number.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
The LMI protocol is used to maintain the current FR link. The LMI protocol packets are divided
into:
• Status enquiry packet
• Status packet

If no interface is specified, the information of all the interfaces is displayed.

Examples
# View the statistics of the LMI protocol frame.
<Eudemon> display fr lmi-info
Frame relay LMI statistics for interface MFR6 (DTE, Q933)
T391DTE = 10 (hold timer 10)
N391DTE = 5, N392DTE = 3, N393DTE = 4
out status enquiry = 0, in status = 0
status timeout = 0, discarded messages = 0
Frame relay LMI statistics for interface Serial 2/0/0:0 (DCE, Q933)
T392DCE = 15, N392DCE = 3, N393DCE = 4
in status enquiry = 250, out status = 250
status enquiry timeout = 0, discarded messages = 15

Table 3-56 Description of the display fr lmi-info command output

| Item | Description |
| --- | --- |
| T391DTE = 10 (keepalive 10) | Indicates the DTE polling timer. It defines the interval of sending the status request by DTE. |
| N391DTE = | Indicates the polling number. When the timer reaches N391, the full-status request is sent. |
| N392DTE = | Indicates the error threshold in the observed events. |
| N393DTE = | Indicates the event counter of the observed events. |
| out status enquiry = | Indicates the number of the sent status enquiries. |
| in status = | Indicates the number of the received status responses. |
| status enquiry timeout = | Indicates the times of request timeout. |
| discarded messages = | Indicates the number of the discarded messages. |
| DCE, ANSI | Indicates the format of the ANSI message on the DCE side. LMI information formats include ANSI and Q933. |

Related Topics
3.27.23 fr interface-type

3.27.11 display fr map-info

Function
Using the display fr map-info command, you can view the FR address mapping table.

Format
display fr map-info [ interface interface-type interface-number ]

Parameters
interface-type: specifies the interface type. You can specify either the main interface or the
sub-interface.

interface-number: specifies the interface number.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
According to the display, you can check:
• Whether the configured static address mapping is correct.
• Whether the dynamic address mapping operates normally.

If no interface is specified, the information of all the interfaces is displayed.

Examples
# Display the FR address mapping table.
<Eudemon> display fr map-info
Map Statistics for interface Serial 1/0/0:0 (DTE)
DLCI = 100, IP INARP 100.100.1.1, Serial 1/0/0:0
create time = 2008/04/21 14:48:44, status = ACTIVE
encapsulation = ietf, vlink = 14, broadcast
DLCI = 200, IP INARP 100.100.1.1, Serial 1/0/0:0
create time = 2008/04/21 14:34:42, status = ACTIVE
encapsulation = ietf, vlink = 0, broadcast
DLCI = 300, IP 1.1.1.1, Serial 1/0/0:0
create time = 2008/04/21 15:03:35, status = ACTIVE
encapsulation = ietf, vlink = 15

Table 3-57 Description of the display fr map-info command output

| Item | Description |
| --- | --- |
| Map Statistics for interface Serial 1/0/0:0 (DTE) | Statistics of the address mapping table of Serial 1/0/0:0 that belongs to DTE. |
| DLCI = | VC number. |
| IP INARP | Dynamic IP address. |
| Serial 1/0/0:0 | Type and number of the interface. The number of the interface is also the VC number. |
| create time = | Time of creating the address mapping information. |
| status = | Status of the address mapping. |
| encapsulation = | Encapsulation protocol of the interface. You can change it by using the link-protocol fr command. |
| vlink = | Total number of the VC connections. |
| broadcast | Broadcast is supported. |

Related Topics
3.27.32 fr map ip
3.27.22 fr inarp
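
The two checks named under Usage Guidelines (is the static mapping correct, is the dynamic mapping behaving) can be run off-box against captured output. The Python below is an added example, not Huawei code: it parses the sample output shown above and compares it with an intended map. The EXPECTED baseline and the finding names are assumptions made for illustration.

```python
"""Audit 'display fr map-info' output against an intended FR address map."""
import re
from collections import defaultdict

# Output copied from the example on this page.
SAMPLE = """\
Map Statistics for interface Serial 1/0/0:0 (DTE)
DLCI = 100, IP INARP 100.100.1.1, Serial 1/0/0:0
create time = 2008/04/21 14:48:44, status = ACTIVE
encapsulation = ietf, vlink = 14, broadcast
DLCI = 200, IP INARP 100.100.1.1, Serial 1/0/0:0
create time = 2008/04/21 14:34:42, status = ACTIVE
encapsulation = ietf, vlink = 0, broadcast
DLCI = 300, IP 1.1.1.1, Serial 1/0/0:0
create time = 2008/04/21 15:03:35, status = ACTIVE
encapsulation = ietf, vlink = 15
"""

# Constructed baseline (assumption): the mappings the operator intends to exist.
EXPECTED = {
    ("Serial 1/0/0:0", 100): "100.100.1.1",
    ("Serial 1/0/0:0", 300): "1.1.1.1",
}

ENTRY_RE = re.compile(
    r"^DLCI = (?P<dlci>\d+), IP (?P<inarp>INARP )?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<ifname>.+)$"
)


def parse_map_info(text):
    """Return one dict per mapping entry in 'display fr map-info' output."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Map Statistics for interface"):
            current = None  # new interface block, no entry open yet
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = {
                "interface": m["ifname"].strip(),
                "dlci": int(m["dlci"]),
                "ip": m["ip"],
                "dynamic": m["inarp"] is not None,  # learned by InARP
                "broadcast": False,
            }
            entries.append(current)
            continue
        if current is None:
            continue  # unrecognised line outside an entry
        # Continuation lines hold "key = value" pairs and the bare "broadcast" flag.
        for part in line.split(","):
            part = part.strip()
            if " = " in part:
                key, value = part.split(" = ", 1)
                current[key.strip()] = value.strip()
            elif part == "broadcast":
                current["broadcast"] = True
    return entries


def audit_map(entries, expected):
    """Compare parsed entries with expected {(interface, dlci): ip}."""
    findings, seen, peers = [], set(), defaultdict(set)
    for e in entries:
        key = (e["interface"], e["dlci"])
        seen.add(key)
        peers[(e["interface"], e["ip"])].add(e["dlci"])
        where = f"{e['interface']} DLCI {e['dlci']}"
        if not 16 <= e["dlci"] <= 1007:  # DLCI range given on this page
            findings.append(("dlci-out-of-range", where))
        if e["dynamic"]:
            findings.append(("learned-by-inarp", f"{where} -> {e['ip']}"))
        if key not in expected:
            findings.append(("not-in-baseline", f"{where} -> {e['ip']}"))
        elif expected[key] != e["ip"]:
            findings.append(("ip-mismatch", f"{where}: {e['ip']} != {expected[key]}"))
        if e.get("status") != "ACTIVE":
            findings.append(("not-active", where))
    for (ifname, ip), dlcis in peers.items():
        if len(dlcis) > 1:
            findings.append(("ip-on-multiple-dlcis", f"{ifname} {ip}: {sorted(dlcis)}"))
    for ifname, dlci in expected.keys() - seen:
        findings.append(("missing-from-device", f"{ifname} DLCI {dlci}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, detail in audit_map(parse_map_info(SAMPLE), EXPECTED):
        print(f"{kind:22} {detail}")
```

On the sample, DLCI 100 and DLCI 200 both resolve to 100.100.1.1 through InARP, and DLCI 200 is not in the constructed baseline, so those are the entries to review.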

3.27.12 display fr pvc-info

Function
Using the display fr pvc-info command, you can view the configuration and statistics of the FR
PVC.

Format
display fr pvc-info [ interface interface-type interface-number ] [ dlci-number ]

Parameters
interface-type: specifies the interface type.

interface-number: specifies the interface number. You can specify either the main interface or the
sub-interface.

dlci-number: specifies the DLCI number. The value is an integer ranging from 16 to 1007.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
• If no parameter is specified, basic FR configuration and statistics of all interfaces are
displayed.
• If interface numbers are specified but the DLCI number is not specified, basic FR
configuration and statistics of DLCI of the specified interface are displayed.
• If both interface number and DLCI number are specified, basic FR configuration and
statistics of specified DLCI of specified interface are displayed.
If FRF.9 is used, the status of the FR compression is displayed.

Examples
# View the configuration and statistics of FR PVC.
<Eudemon> display fr pvc-info
PVC statistics for interface Serial 1/0/0:0 (DCE, physical UP)
DLCI = 124, USAGE = LOCAL (0110), Serial 1/0/0:0
create time = 2007/02/01 10:07:39, status = ACTIVE
in BECN = 0, in FECN = 0
in packets = 1332382, in bytes = 15993025
out packets = 1332388, out bytes = 15992860
PVC statistics for interface Serial 1/0/0:0 (DTE, physical UP)
DLCI = 100, USAGE = UNUSED (0000), Serial 1/0/0:0
create time = 2007/02/01 09:09:20, status = ACTIVE
in BECN = 0, in FECN = 0
in packets = 0, in bytes = 0
out packets = 0, out bytes = 0

Table 3-58 Description of the display fr pvc-info command output


| Item | Description |
| --- | --- |
| DLCI | VC identifier |
| Status | VC status |
| in BECN | Number of BECN (Backward Explicit Congestion Notification) received by the VC |
| in FECN | Number of FECN (Forward Explicit Congestion Notification) received by the VC |
| in packets | Number of packets received by the VC |
| in bytes | Number of bytes received by the VC |
| out packets | Number of packets sent by the VC |
| out bytes | Number of bytes sent by the VC |

3.27.13 display fr standby group

Function
Using the display fr standby group command, you can view the configuration and status of an
FR PVC standby group.

Format
display fr standby group [ group-number ]

Parameters
group-number: specifies the number of an FR PVC standby group. The value is an integer ranging
from 1 to 256.

Views
All views

Default Level
2: Configuration level

Usage Guidelines
If no group number is specified, information about all standby groups is displayed.

According to the status and statistics of the interface collected by the command, you can measure
the traffic and locate the fault.

Examples
# Display the configuration and status of the FR PVC standby group 1.
<Eudemon> display fr standby group
Group 1, AUTO mode, MASTER state:
MASTER,Total 2 PVCs,2 PVCs is ok; DOWN PVCs critical value:100%
Bad PVCs list:
Good PVCs list:
OUT Serial 1/0/0:0 VC:100 STATUS:GOOD; IN Serial 2/0/0:0 VC:100 STATUS:GOOD
OUT Serial 1/0/0:0 VC:200 STATUS:GOOD; IN Serial 2/0/0:0 VC:200 STATUS:GOOD
SLAVE,Total 2 PVCs, 2 PVCs is ok; UP PVCs critical value:100%
BAD PVCs LIST:
Good PVCs list:
OUT Serial 3/0/0:0: VC:100 STATUS:GOOD; IN Serial 4/0/0:0 VC:100 STATUS:GOOD
OUT Serial 3/0/0:0 VC:200 STATUS:GOOD; IN Serial 4/0/0:0 VC:200 STATUS:GOOD

Table 3-59 Description of the display fr standby group command output

| Item | Description |
| --- | --- |
| Group 1 | Number of the standby group. |
| AUTO mode | Switch mode. AUTO indicates automatic switch from the master PVC to the slave PVC. |
| MASTER,Total 2 PVCs,2 PVCs is ok; DOWN PVCs critical value:100% | Information of master PVCs: two are available. Note that all master PVCs must be in the Down status during switching. |
| Bad PVCs list: | Unavailable PVC list. That is, PVCs are in the Down status. |
| Good PVCs list | Available PVC list. That is, PVCs are in the Up status. |
| SLAVE,Total 2 PVCs, 2 PVCs is ok; UP PVCs critical value:100% | Information of slave PVCs: two are available. Note that all slave PVCs must be in the Up status during switching. |

3.27.14 display fr statistics

Function
Using the display fr statistics command, you can view the current FR statistics about received
and sent packets.

Format
display fr statistics [ interface interface-type interface-number ]

Parameters
interface-type: specifies the interface type.

interface-number: specifies the interface number. You can specify only the number of a main
interface.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
According to the status and statistics of the interface collected by the command, you can measure
the traffic and locate the fault.

If no interface is specified, the information about all the interfaces is displayed.

Examples
# View the current FR statistics about received and sent packets.
<Eudemon> display fr statistics interface Serial 2/0/0:0
Frame relay packet statistics for interface Serial 2/0/0:0 (DCE)
in packets = 2132202, in bytes = 25592466
out packets = 2132208, out bytes = 25592426
discarded in packets = 0, discarded out packets = 0

Table 3-60 Description of the display fr statistics command output


| Item | Description |
| --- | --- |
| in packets | Indicates the number of the received packets. |
| out packets | Indicates the number of the sent packets. |
| bytes | Indicates the number of the received and sent bytes. |
| discarded in packets<br>discarded out packets | Indicates the number of packets discarded when the device serves as the receiver and as the transmitter. |

3.27.15 display fr switch-table

Function
Using the display fr switch-table command, you can view the current switching table of FR.

Format
display fr switch-table { all | name pvc-name }

Parameters
all: displays information about all the FR switching tables of the router.
pvc-name: displays information about the FR switching table of a specified switching name. It
is a string of 1 to 256 characters.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
According to the status and statistics of the interface collected by the command, you can measure
the traffic and locate the fault.

Examples
# View the current switching table of FR.
<Eudemon> display fr switch-table name pvc1
PVC-Name Status Interface(Dlci) <-----> Interface(Dlci)
pvc1 Active Serial 1/0/0:0(100) Serial 2/0/0:0(300)
<Eudemon> display fr switch-table all
Total PVC switch records:1
PVC-Name Status Interface(Dlci) <-----> Interface(Dlci)
pvc1 Active Serial 1/0/0:0(100) Serial 2/0/0:0(300)

Table 3-61 Description of the display fr switch-table command output

| Item | Description |
| --- | --- |
| PVC-Name | Name of the PVC |
| Status | Status of the PVC |
| Interface(Dlci) <-----> Interface(Dlci) | Interface type, interface number and PVC number on the two ends of the PVC |

Related Topics
3.27.37 fr switch

3.27.16 display interface mfr

Function
Using the display interface mfr command, you can view the configuration, status and packet
statistics of an MFR interface.

Format
display interface mfr [ interface-number [ subnumber ] ]

Parameters
interface-number: specifies the number of a bundle interface.

subnumber: specifies the sub-interface number of a bundle interface. It is an integer in a range
of 1 to 1024.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
According to the status and statistics of the interface collected by the command, you can measure
the traffic and locate the fault.

Examples
# Display the configuration and status of MFR 0.
<Eudemon> display interface mfr 0
MFR0 current state : DOWN
Line protocol current state : DOWN
Description : HUAWEI, Eudemon Series, MFR0 Interface
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet protocol processing : disabled
Link layer protocol is FR IETF
LMI DLCI is 0, LMI type is Q.933a, frame relay DTE
LMI status enquiry sent 0, LMI status received 0
LMI status timeout 0, LMI message discarded 0
Physical is MFR, baudrate: 0
QoS max-bandwidth : 0 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
5 minutes input rate 0 bytes/sec, 0 packets/sec
5 minutes output rate 0 bytes/sec, 0 packets/sec
0 packets input, 0 bytes, 0 drops
0 packets output, 0 bytes, 0 drops

Table 3-62 Description of the display interface mfr command output

| Item | Description |
| --- | --- |
| MFR0 current state: | Indicates the physical status of MFR 0:<br>• UP: indicates the normal enabled state.<br>• DOWN: indicates the abnormal state.<br>• Administratively Down: If the administrator uses the shutdown command on the interface, the state is Administratively Down. |
| Line protocol current state: | Indicates the status of the link protocol of the interface:<br>• UP: indicates the normal enabled state.<br>• DOWN: indicates the abnormal state or the IP address is not configured on the interface. |
| Description: | Indicates the description about the interface. Up to 80 characters can be entered. The description can help the user to get familiar with the interface function. |
| The Maximum Transmit Unit is | As for the serial interface, the default value is 1500 bytes. The packet larger than the MTU is fragmented before being sent. If the non-fragmentation is configured, the packet is discarded. |
| Internet Address is | Indicates the IP address and the subnet mask of the interface. |
| Link layer protocol is | Indicates the link layer protocol. |
| LMI DLCI is 0, LMI type is Q.933a, frame relay DTE | The DLCI used by LMI is 0, the LMI type is Q.933a, and the interface is an FR DTE. |
| LMI status enquiry sent, LMI status received | Indicates the number of the sent status enquiries and the received status packets. |
| LMI status timeout, LMI message discarded | Indicates times of the LMI status enquiry timeouts and the number of discarded LMI messages. |
| Physical is MFR, baudrate: | Indicates the physical link is MFR and the baudrate. |
| Output queue : (Urgent queue : Size/Length/Discards)<br>Output queue : (Protocol queue : Size/Length/Discards)<br>Output queue : (FIFO queuing : Size/Length/Discards) | Indicates the current status of the output queue. Generally, there are three types of output queues:<br>• Urgent queue: Link layer protocol packets, such as the negotiation packets and the Keepalive messages of PPP, join this queue.<br>• Protocol queue: Packets whose IP priorities are 6 join this queue.<br>• FIFO queue: This queue may be a First In First Out Queue (FIFO), a Priority Queue (PQ), a Custom Queue (CQ), or a Class-based Queue (CBQ).<br>When congestion occurs, the interface first sends the packets in the urgent queue, then the packets in the protocol queue, and finally the packets in the FIFO queue. Each of the queues is displayed as numbers in the format of Size/Length/Discards. The fields of the format are as follows:<br>• Size: indicates the number of groups in the queue.<br>• Length: indicates the maximum queue length in the form of groups.<br>• Discards: indicates the number of groups discarded when the queue is full.<br>By comparing the value of Discards and those of Size and Length, you can decide whether the performance of interface is satisfactory. For example, if the value of Discards is comparatively large, it indicates that the device is handling other tasks and cannot process the new groups in time. If this persists for a long time, it generally indicates that a more powerful device is needed. |
| Last 5 minutes input rate 0 bytes/sec, 0 packets/sec<br>Last 5 minutes output rate 0 bytes/sec, 0 packets/sec | Indicates the rate of the byte and the packet that pass through the interface in the last five minutes. |
| 8 packets input, 206 bytes, 0 drops<br>8 packets output, 222 bytes, 0 drops | The field indicates:<br>• The number of packets and bytes received and sent on the interface<br>• The number of bytes that is discarded owing to the insufficient cache |

3.27.17 display mfr

Function
Using the display mfr command, you can view configuration and statistics of the MFR bundle
and bundle link.

Format
display mfr [ interface interface-type interface-number | verbose ]

Parameters
interface-type: specifies the interface type.
interface-number: specifies the interface number.
verbose: displays the detailed statistics, including the number of controlling packets sent and
received.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
According to the status and statistics of the interface collected by the command, you can measure
the traffic and locate the fault.
If no bundle or bundle link is specified, information of all bundles and bundle links is displayed.

Examples
# View the configuration and status of all FR bundles and FR bundle links.

<Eudemon> display mfr interface mfr 0
Bundle interface:MFR0, Bundle state = down, Bundle class = A,
fragment disabled
Bundle name = MFR0
Bundle links:
LID : Serial 1/0/0:1 Peer LID:
Bound to MFR0(BID:MFR0)
Physical state: up, link state: add sent,
Bundle Link statistics:
Hello(TX/RX): 0/0 Hello_ack(TX/RX): 0/0
Add_link(TX/RX): 15/0 Add_link_ack(TX/RX): 0/0
Add_link_rej(TX/RX): 0/0
Remove_link(TX/RX): 0/0 Remove_link_ack(TX/RX): 0/0
Pkts dropped(in/out): 0/0
Timer: ACK 4, Hello 10
Retry: Max 2, Current 0
Cause code: ack timer expiry
LID : Serial 1/0/0:2 Peer LID:
Bound to MFR0(BID:MFR0)
Physical state: up, link state: add sent,
Bundle Link statistics:
Hello(TX/RX): 0/0 Hello_ack(TX/RX): 0/0
Add_link(TX/RX): 13/0 Add_link_ack(TX/RX): 0/0
Add_link_rej(TX/RX): 0/0
Remove_link(TX/RX): 0/0 Remove_link_ack(TX/RX): 0/0
Pkts dropped(in/out): 0/0
Timer: ACK 4, Hello 10
Retry: Max 2, Current 0
Cause code: ack timer expiry

Table 3-63 Description of the display mfr command output


| Item | Description |
| --- | --- |
| Bundle interface | Bundle interface. |
| Bundle state | Running state of bundle interface. |
| Bundle class | Class A indicates that if one bundle link is in the Up status, the bundle is flagged as Up. The bundle is Down only after all bundle links are Down. |
| Bundle links | Physical interface information of each bundle link. |
| LID | Bundle link identifier. By default, it is the interface name of the current bound link. |
| Peer LID | Bundle link identifier of the peer end. By default, it is the interface name of the peer bound link. |
| Physical state | Operating status of the physical interface. |
| Link state | Operating status of the bundle link protocol. |
| Bundle Link statistics | Packet statistics of the bundle link. |
| Hello(TX/RX) | Number of "Hello" packets sent and received. The "Hello" packet maintains link status. |
| Hello_ack(TX/RX) | Number of "Hello" acknowledgement packets sent and received. The "Hello_ack" packet notifies the peer that a "Hello" packet has been received. |
| Add_link(TX/RX) | Number of "Add_link" packets sent and received. The "Add_link" packet notifies the peer that the local node has prepared for processing frames. |
| Add_link_ack(TX/RX) | Number of "Add_link" acknowledgement packets transmitted and received. The "Add_link_ack" packet notifies the peer that an "Add_link" packet has been received. |
| Add_link_rej(TX/RX) | Number of "Add_link" reject packets transmitted and received. The "Add_link_rej" packet is used to notify the peer that an "Add_link" packet has been rejected. |
| Remove_link(TX/RX) | Number of "Remove_link" packets transmitted and received. The "Remove_link" packet notifies the peer that the local node is removing a bundle link from the bundle. |
| Remove_link_ack(TX/RX) | Number of "Remove_link" acknowledgement packets transmitted and received. The "Remove_link_ack" packet notifies the peer that a "Remove_link" packet has been received. |
| Pkts dropped(in/out) | Number of discarded packets that are sent and received. |
| Timer: Ack 4 | The time of waiting for Hello acknowledgement message before the bundle link retransmits a Hello message or retransmits an "Add_link" message used for initial synchronization. |
| Hello 10 | Interval for the bundle link to send a Hello message. |
| Retry: max 2 | Maximum retry times for the bundle link to retransmit a Hello message or retransmit an "Add_link" packet that is used for initial synchronization before the bundle link waits for the Hello acknowledgement message. |
| Current 0 | Current retried times. |
| Cause code | The reason for the bundle link to be in the current status. |

Related Topics
3.27.41 link-protocol fr mfr
3.27.39 interface mfr
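
The per-link counters described in Table 3-63 can be read mechanically to find bundle links whose peer never answers. The Python below is an added example, not Huawei code: it parses the sample output shown above and reports links that sent "Add_link" packets without receiving an acknowledgement or a reject. The finding names are assumptions made for illustration.

```python
"""Find MFR bundle links whose peer does not respond, from 'display mfr' output."""
import re

# Output copied from the example on this page.
SAMPLE = """\
Bundle interface:MFR0, Bundle state = down, Bundle class = A,
fragment disabled
Bundle name = MFR0
Bundle links:
LID : Serial 1/0/0:1 Peer LID:
Bound to MFR0(BID:MFR0)
Physical state: up, link state: add sent,
Bundle Link statistics:
Hello(TX/RX): 0/0 Hello_ack(TX/RX): 0/0
Add_link(TX/RX): 15/0 Add_link_ack(TX/RX): 0/0
Add_link_rej(TX/RX): 0/0
Remove_link(TX/RX): 0/0 Remove_link_ack(TX/RX): 0/0
Pkts dropped(in/out): 0/0
Timer: ACK 4, Hello 10
Retry: Max 2, Current 0
Cause code: ack timer expiry
LID : Serial 1/0/0:2 Peer LID:
Bound to MFR0(BID:MFR0)
Physical state: up, link state: add sent,
Bundle Link statistics:
Hello(TX/RX): 0/0 Hello_ack(TX/RX): 0/0
Add_link(TX/RX): 13/0 Add_link_ack(TX/RX): 0/0
Add_link_rej(TX/RX): 0/0
Remove_link(TX/RX): 0/0 Remove_link_ack(TX/RX): 0/0
Pkts dropped(in/out): 0/0
Timer: ACK 4, Hello 10
Retry: Max 2, Current 0
Cause code: ack timer expiry
"""

BUNDLE_RE = re.compile(
    r"Bundle interface:(\S+?), Bundle state = (\w+), Bundle class = (\w+)")
LID_RE = re.compile(r"^LID\s*:\s*(.*?)\s*Peer LID:\s*(.*)$")
STATE_RE = re.compile(r"Physical state:\s*(\w+), link state:\s*([^,]+)")
# Matches "Name(TX/RX): a/b" and "Pkts dropped(in/out): a/b", several per line.
COUNTER_RE = re.compile(r"(\w+(?: \w+)?)\((?:TX/RX|in/out)\):\s*(\d+)/(\d+)")


def parse_mfr(text):
    """Return a list of bundles, each with its links and per-link counters."""
    bundles, link = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = BUNDLE_RE.search(line)
        if m:
            bundles.append({"name": m[1], "state": m[2], "class": m[3], "links": []})
            link = None
            continue
        m = LID_RE.match(line)
        if m and bundles:
            link = {"lid": m[1], "peer_lid": m[2], "counters": {}}
            bundles[-1]["links"].append(link)
            continue
        if link is None:
            continue  # bundle-level line such as "Bundle name = ..."
        m = STATE_RE.search(line)
        if m:
            link["physical"], link["link_state"] = m[1], m[2].strip()
        elif line.startswith("Cause code:"):
            link["cause"] = line.split(":", 1)[1].strip()
        else:
            for name, first, second in COUNTER_RE.findall(line):
                link["counters"][name] = (int(first), int(second))
    return bundles


def diagnose(bundles):
    """Return (lid, finding, detail) tuples for links that need attention."""
    findings = []
    for bundle in bundles:
        for link in bundle["links"]:
            c = link["counters"]
            add_tx, _ = c.get("Add_link", (0, 0))
            _, ack_rx = c.get("Add_link_ack", (0, 0))
            _, rej_rx = c.get("Add_link_rej", (0, 0))
            cause = link.get("cause", "none reported")
            if rej_rx:
                findings.append((link["lid"], "add-link-rejected",
                                 f"peer sent {rej_rx} Add_link_rej"))
            elif add_tx and not ack_rx:
                findings.append((link["lid"], "no-response-to-add-link",
                                 f"{add_tx} Add_link sent, 0 acknowledged; cause: {cause}"))
            drop_in, drop_out = c.get("Pkts dropped", (0, 0))
            if drop_in or drop_out:
                findings.append((link["lid"], "packets-dropped",
                                 f"in {drop_in}, out {drop_out}"))
    return findings


if __name__ == "__main__":
    for lid, finding, detail in diagnose(parse_mfr(SAMPLE)):
        print(f"{lid}: {finding} ({detail})")
```

Both links in the sample are physically up but have sent 15 and 13 "Add_link" packets with nothing received back, which matches the "ack timer expiry" cause code and the bundle staying down.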

3.27.18 fr compression frf9

Function
Using the fr compression frf9 command, you can enable the FR compression.
Using the undo fr compression frf9 command, you can disable the FR compression.

Format
fr compression frf9
undo fr compression frf9

Parameters
None

Views
FR sub-interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the FR compression is disabled.
Before configuring this command, you must configure DLCI of the interface.
This command is only valid for the P2P interfaces. That is, it is only valid for FR sub-interfaces
of P2P type. The FR compression takes effect only on the IETF FR packet. If the encapsulation
mode of packets is nonstandard and this command is used to enable frame relay FRF.9
compression, the system prompts that nonstandard encapsulation does not support FRF.9
compression.

NOTE

• FRF.9 compression applies to low-speed links.
• MFR links do not use the FRF.9 compression function.
• FRF.9 compression involves a synchronization process. If packets are disordered during compression,
the compression fails.

Examples
# Enable the FR compression on the P2P FR sub-interface Serial 1/0/0:1.1.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:1
[Eudemon-Serial 1/0/0:1] link-protocol fr
[Eudemon-Serial 1/0/0:1] quit
[Eudemon] interface Serial 1/0/0:1.1 p2p
[Eudemon-Serial 1/0/0:1.1] fr dlci 100

[Eudemon-fr-dlci-Serial 1/0/0:1.1-100] quit
[Eudemon-Serial 1/0/0:1.1] fr compression frf9

Related Topics
3.27.32 fr map ip

3.27.19 fr compression iphc

Function
Using the fr compression iphc command, you can enable the IP header compression.

Using the undo fr compression iphc command, you can disable the compression.

Format
fr compression iphc

undo fr compression iphc

Parameters
None

Views
FR interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the function is disabled.

The fr compression iphc command and the fr iphc command can be configured separately
regardless of the sequence.

After the undo fr compression iphc command is configured to cancel the IP header
compression, the configuration of the fr iphc command remains effective.

After the fr compression iphc command is configured to restore the IP header compression, the
parameter configured by the fr iphc command remains effective.

Examples
# Enable the IP header compression on the FR interface Serial 1/0/0:1.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:1
[Eudemon-Serial 1/0/0:1] link-protocol fr
[Eudemon-Serial 1/0/0:1] fr compression iphc

Related Topics
3.27.24 fr iphc

3.27.20 fr dlci

Function
Using the fr dlci command, you can configure the VC for an FR interface.
Using the undo fr dlci command, you can remove the configuration.

Format
fr dlci dlci-number
undo fr dlci [ dlci-number ]

Parameters
dlci-number: specifies the VC number allocated for an FR interface. It is an integer ranging from
16 to 1007.

Views
FR interface view, FR sub-interface view, MFR interface view

Default Level
2: Configuration level

Usage Guidelines
When the FR interface type is DCE or NNI, it is necessary to manually configure the VC for
both a main interface and a sub-interface. When the FR interface type is DTE:
• If the interface is a main interface, the system automatically determines the VC according
to the peer device.
• If the interface is a sub-interface, the VC should be manually specified for the interface at
both DCE and DTE sides.
The maximum number of VCs that can be configured is determined by the MTU. The specific
maximum numbers of VCs are as follows:
• (MTU - 13)/8 (adopting CISCO LMI)
• (MTU - 14)/5 (adopting ANSI LMI)
• (MTU - 13)/5 (adopting Q933 LMI)

When running the undo fr dlci command, if you do not specify the DLCI, all DLCIs on the
interface are deleted. If you run this command on the FR main interface, the DLCIs on the FR
sub-interface are not deleted.

Examples
# Allocate a VC with DLCI 100 for the FR sub-interface Serial 1/0/0:0.1.

<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0.1
[Eudemon-Serial 1/0/0:0.1] fr dlci 100
[Eudemon-fr-dlci-Serial 1/0/0:0.1-100]

Related Topics
3.27.23 fr interface-type

3.27.21 fr dlci-switch

Function
Using the fr dlci-switch command, you can configure a static route for the FR PVC switching.

Using the undo fr dlci-switch command, you can delete a static route for the FR PVC switching.

Format
fr dlci-switch in-dlci interface interface-type interface-number dlci out-dlci

undo fr dlci-switch in-dlci

Parameters
in-dlci: specifies the DLCI of the interface where the packet is received. The value is an integer
ranging from 16 to 1007.

interface-type: specifies the type of the egress interface.

interface-number: specifies the number of the egress interface.

out-dlci: specifies the DLCI of the specified interface forwarding a packet. The value is an integer
ranging from 16 to 1007.

Views
FR interface view, MFR interface view, TUNNEL interface view

Default Level
2: Configuration level

Usage Guidelines
By default, no static route for the FR PVC switching is configured.

The fr switching command can be configured before or after the static route of the FR PVC is
configured.

The type of the forwarding interface can be FR, MFR, or Tunnel. If a tunnel interface
is specified as the forwarding interface, the FR packets can be transmitted over IP.

Examples
# Configure a static route that allows packets on the link with DLCI 100 on Serial 1/0/0:1 to be
forwarded through the link with DLCI 200 on Serial 2/0/0:1.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:1
[Eudemon-Serial 1/0/0:1] fr dlci-switch 100 interface Serial 2/0/0:1 dlci 200

# Configure a static route that allows packets on the link with DLCI 200 on Serial 4/0/0 to be
forwarded through the link with DLCI 300 on the tunnel 4.
[Eudemon-Serial 4/0/0] fr dlci-switch 200 interface tunnel4 dlci 300

Related Topics
3.27.38 fr switching

3.27.22 fr inarp

Function
Using the fr inarp command, you can enable the FR InARP.
Using the undo fr inarp command, you can disable this function.

Format
fr inarp [ ip [ dlci-number ] ]
undo fr inarp [ ip [ dlci-number ] ]

Parameters
ip: performs InARP on IP.
dlci-number: performs InARP on the specified VC. The number is an integer ranging from 16 to
1007.

Views
FR interface view, MFR interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the function is enabled.
If the DLCI is not specified, the InARP takes effect on all PVCs.

Examples
# Enable the InARP on all PVCs of the FR interface Serial 1/0/0:0.

<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial 1/0/0:0] link-protocol fr
[Eudemon-Serial 1/0/0:0] fr inarp

Related Topics
3.27.51 reset fr inarp
3.27.7 display fr inarp-info

3.27.23 fr interface-type

Function
Using the fr interface-type command, you can set the FR interface type.
Using the undo fr interface-type command, you can restore the default type.

Format
fr interface-type { dce | dte | nni }
undo fr interface-type

Parameters
dte: indicates data terminal equipment (DTE), namely, user equipment. The corresponding
interface type is DTE.
dce: indicates data circuit-terminating equipment (DCE), namely, the network equipment that
provides access to user equipment. The corresponding interface type is DCE.
nni: indicates network-to-network interface (NNI), namely, the type of the interface between
frame relay switches. The corresponding interface type is NNI.

Views
FR interface view, MFR interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the FR interface type is DTE.
In FR, there are two communicating parties:
• User side: The user side is called DTE.
• Network side: The network side is called DCE.

In an FR network, the interface between the FR switches is NNI and works in the NNI mode. If
the device is used for FR switching, the FR interface should operate in the NNI mode or the
DCE mode.

Examples
# Set the type of the FR interface Serial 1/0/0:0 as DCE.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial1/0/0:0] link-protocol fr
[Eudemon-Serial1/0/0:0] fr interface-type dce

Related Topics
3.27.40 link-protocol (FR Interface View)

3.27.24 fr iphc

Function
Using the fr iphc command, you can enable the IP header compression, including the RTP/TCP
header compression.

Using the undo fr iphc command, you can disable this function.

Format
fr iphc { nonstandard | rtp-connections number1 | tcp-connections number2 | tcp-include }

undo fr iphc { nonstandard | rtp-connections | tcp-connections | tcp-include }

Parameters
nonstandard: specifies the nonstandard compatible compression format.

rtp-connections number1: specifies the number of RTP compression connections. It is an
integer ranging from 3 to 255. The initial number is 255.

tcp-connections number2: specifies the number of TCP compression connections. It is an
integer ranging from 3 to 255. The initial number is 255.

tcp-include: includes the TCP header compression into the RTP compression.

Views
FR interface view, MFR interface view

Default Level
2: Configuration level

Usage Guidelines
The fr iphc command and the fr compression iphc command can be configured separately
regardless of the sequence.

After the undo fr compression iphc command is configured to cancel the IP header
compression, the configuration of the fr iphc command remains effective.

After the fr compression iphc command is configured to restore the IP header compression, the
parameter configured by the fr iphc command remains effective.

Examples
# Configure the number of RTP compression connections as 200 on the FR interface Serial
1/0/0.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0
[Eudemon-Serial1/0/0] link-protocol fr
[Eudemon-Serial1/0/0] fr iphc rtp-connections 200

Related Topics
3.27.32 fr map ip
3.27.19 fr compression iphc

3.27.25 fr lmi n391dte

Function
Using the fr lmi n391dte command, you can configure the parameter N391 at the DTE side.
Using the undo fr lmi n391dte command, you can restore the default.

Format
fr lmi n391dte n391-value
undo fr lmi n391dte

Parameters
n391-value: specifies the counts of sending a PVC status-enquiry. It is an integer ranging from
1 to 255. The default is 6.

Views
FR interface view, MFR interface view

Default Level
2: Configuration level

Usage Guidelines
The DTE device sends a status-enquiry packet at regular intervals (set by T391). There are two
types of status-enquiry packets:
• Link integrity authentication packet
• Link status-enquiry packet

The parameter N391 defines the sending proportion of the two types of packets, namely, link
integrity authentication packets: link status-enquiry packets = (N391 - 1): 1.

Examples
# Configure the FR interface Serial 1/0/0 to operate in the DTE mode. Set the counter value of
the PVC status-enquiry to 10.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0
[Eudemon-Serial1/0/0] link-protocol fr
[Eudemon-Serial1/0/0] fr interface-type dte
[Eudemon-Serial1/0/0] fr lmi n391dte 10

Related Topics
3.27.23 fr interface-type
3.27.53 timer hold (FR Interface View)

3.27.26 fr lmi n392dce

Function
Using the fr lmi n392dce command, you can configure the parameter N392 at the DCE side.
Using the undo fr lmi n392dce command, you can restore the default.

Format
fr lmi n392dce n392-value
undo fr lmi n392dce

Parameters
n392-value: specifies the error threshold. It is an integer ranging from 1 to 10. The default is 3.

Views
FR interface view, MFR interface view

Default Level
2: Configuration level

Usage Guidelines
The DCE device requires the DTE device to send a status-enquiry packet at regular intervals
(set by T392). If the DCE device does not receive the status-enquiry packet within a certain
period, it records the error and adds one to the error count. If the errors exceed the threshold, the
DCE device considers the physical channels and all the VCs to be unavailable.
N392 and N393 together define the "error threshold":
• N393 indicates the event observed.
• N392 indicates the error threshold in the observed event.

N392 at the DCE side should be less than N393 at the DCE side.

Examples
# Configure the FR interface Serial 1/0/0:0 to operate in the DCE mode and configure N392 and
N393 to 5 and 6 respectively.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial1/0/0:0] link-protocol fr
[Eudemon-Serial1/0/0:0] fr interface-type dce
[Eudemon-Serial1/0/0:0] fr lmi n392dce 5
[Eudemon-Serial1/0/0:0] fr lmi n393dce 6

Related Topics
3.27.23 fr interface-type
3.27.28 fr lmi n393dce

3.27.27 fr lmi n392dte

Function
Using the fr lmi n392dte command, you can configure N392 at the DTE side.
Using the undo fr lmi n392dte command, you can restore the default.

Format
fr lmi n392dte n392-value
undo fr lmi n392dte

Parameters
n392-value: specifies the error threshold. The value is an integer ranging from 1 to 10. The default
is 3.

Views
FR interface view, MFR interface view

Default Level
2: Configuration level

Usage Guidelines
The DTE device sends a status-enquiry packet at regular intervals (defined by T392) to query
the link status. On receiving this packet, the DCE device immediately sends a status packet. If
the DTE does not receive a response during a specified period, it records the error and adds one
to the error count. If the errors exceed the threshold, the DTE device considers the physical
channels and all VCs to be unavailable.
N392 and N393 together define the "error threshold":
• N393 indicates the event observed.
• N392 indicates the error threshold in the observed event.

N392 at the DTE side should be less than N393 at the DTE side.

Examples
# Set the FR interface Serial 1/0/0:0 to operate in the DTE mode. Set N392 and N393 to 5 and
6 respectively.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial 1/0/0:0] link-protocol fr
[Eudemon-Serial 1/0/0:0] fr interface-type dte
[Eudemon-Serial 1/0/0:0] fr lmi n392dte 5
[Eudemon-Serial 1/0/0:0] fr lmi n393dte 6

Related Topics
3.27.23 fr interface-type
3.27.29 fr lmi n393dte

3.27.28 fr lmi n393dce

Function
Using the fr lmi n393dce command, you can set the N393 at the DCE side.
Using the undo fr lmi n393dce command, you can restore the default.

Format
fr lmi n393dce n393-value
undo fr lmi n393dce

Parameters
n393-value: specifies the event counter. It is an integer ranging from 1 to 10. The default is 4.

Views
FR interface view, MFR interface view

Default Level
2: Configuration level

Usage Guidelines
The DTE device sends a status-enquiry packet at regular intervals (defined by T392) to query
the link status. If the DCE does not receive the enquiry during a specified period, it records the
error and adds one to the error count. If the errors exceed the threshold, the DCE device considers
the physical channels and all VCs to be unavailable.
N392 and N393 together define the "error threshold":
• N393 indicates the event observed.
• N392 indicates the error threshold in the observed event.

If the errors amount to N392 in the observed N393 events, the DCE device considers that the
errors have reached the threshold and regards the physical channels and all VCs as unavailable.
N392 at the DCE side should be less than N393 at the DCE side.

Examples
# Configure the FR interface Serial 1/0/0:0 to operate in the DCE mode. Set N392 and N393 to
5 and 6 respectively.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial1/0/0:0] link-protocol fr
[Eudemon-Serial1/0/0:0] fr interface-type dce
[Eudemon-Serial1/0/0:0] fr lmi n392dce 5
[Eudemon-Serial1/0/0:0] fr lmi n393dce 6

Related Topics
3.27.23 fr interface-type
3.27.26 fr lmi n392dce

3.27.29 fr lmi n393dte

Function
Using the fr lmi n393dte command, you can configure the N393 at the DTE side.
Using the undo fr lmi n393dte command, you can restore the default.

Format
fr lmi n393dte n393-value
undo fr lmi n393dte

Parameters
n393-value: specifies the event counter. It is an integer ranging from 1 to 10. The default is 4.

Views
FR interface view, MFR interface view

Default Level
2: Configuration level

Usage Guidelines
The DTE device sends a status-enquiry packet at regular intervals to query the link status. On
receiving this packet, the DCE device immediately sends a status packet. If the DTE does not
receive a response during a specified period, it records the error and adds one to the error count.
If the errors exceed the threshold, the DTE device considers the physical channels and all VCs
as unavailable.

N392 and N393 together define the error threshold:
• N393 indicates the event observed.
• N392 indicates the error threshold in the observed event.

If the errors amount to N392 in the N393 enquiry packets, the DTE device considers that the
errors have reached the threshold, and thus regards the physical channels and all VCs as unavailable.

N392 at the DTE side should be less than N393 at the DTE side.

Examples
# Configure the FR interface Serial 1/0/0:0 to operate in the DTE mode. Set N392 and N393 to
5 and 6 respectively.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial1/0/0:0] link-protocol fr
[Eudemon-Serial1/0/0:0] fr interface-type dte
[Eudemon-Serial1/0/0:0] fr lmi n392dte 5
[Eudemon-Serial1/0/0:0] fr lmi n393dte 6

Related Topics
3.27.23 fr interface-type
3.27.27 fr lmi n392dte
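
The N391 ratio and the N392/N393 error threshold described in 3.27.25 to 3.27.29 can be modelled offline to see how a given setting behaves. The following Python sketch is an added illustration, not code from this manual or from the device; the function names, the sliding-window reading of "N392 errors in the observed N393 events", and the one-error-per-interval timing are assumptions.

```python
"""Model of the LMI counters described for fr lmi n391dte / n392* / n393*.

Added illustration; not Huawei code. Modelling assumptions are marked.
"""
from collections import deque


def enquiry_schedule(n391, polls):
    """Type of each status-enquiry the DTE sends over `polls` intervals.

    The manual gives the ratio (N391 - 1) : 1 for link integrity packets
    to link status-enquiry packets. ASSUMPTION: the link status-enquiry
    is the last packet of each N391-long cycle.
    """
    if not 1 <= n391 <= 255:
        raise ValueError("N391 must be an integer from 1 to 255")
    return ["link-status" if i % n391 == 0 else "link-integrity"
            for i in range(1, polls + 1)]


def first_unavailable(events, n392, n393):
    """1-based index of the event at which the link is declared unavailable.

    `events` is an iterable of booleans, True meaning an error (an enquiry
    or response missed within the timer). ASSUMPTION: "N392 errors in the
    observed N393 events" is evaluated over a sliding window of the most
    recent N393 events. Returns None if the threshold is never reached.
    """
    for name, value in (("N392", n392), ("N393", n393)):
        if not 1 <= value <= 10:
            raise ValueError(f"{name} must be an integer from 1 to 10")
    window = deque(maxlen=n393)
    for index, error in enumerate(events, start=1):
        window.append(bool(error))
        if sum(window) >= n392:
            return index
    return None


def hard_failure_seconds(n392, n393, interval):
    """Seconds until a completely dead link is declared unavailable.

    ASSUMPTION: exactly one error is recorded per timer interval.
    """
    hit = first_unavailable([True] * n393, n392, n393)
    return None if hit is None else hit * interval


if __name__ == "__main__":
    print(enquiry_schedule(6, 12))                    # default N391 = 6
    flaky = [False, True, False, True, True, False]   # constructed sample
    print(first_unavailable(flaky, 3, 4))             # defaults N392=3, N393=4
    print(hard_failure_seconds(3, 4, 15))             # defaults with T392 = 15 s
    print(hard_failure_seconds(5, 4, 15))             # N392 > N393
```

In this model a setting with N392 greater than N393 never declares the link unavailable, because the window cannot hold enough errors to reach the threshold.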

3.27.30 fr lmi t392dce

Function
Using the fr lmi t392dce command, you can configure T392 at the DCE side, namely the
maximum time for DCE to wait for a status-enquiry packet.

Using the undo fr lmi t392dce command, you can restore the default value.

Format
fr lmi t392dce t392-value

undo fr lmi t392dce

Parameters
t392-value: specifies the value of the polling timer. It is an integer ranging from 5 to 30, in
seconds. By default, it is 15 seconds.

Views
FR interface view, MFR interface view

Default Level
2: Configuration level

Usage Guidelines
T392 at the DCE side should be greater than T391 at the DTE side.

Examples
# Configure the FR interface Serial 1/0/0:0 to operate in the DCE mode. Set T392 to 10.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial1/0/0:0] link-protocol fr
[Eudemon-Serial1/0/0:0] fr interface-type dce
[Eudemon-Serial1/0/0:0] fr lmi t392dce 10

Related Topics
3.27.23 fr interface-type
3.27.53 timer hold (FR Interface View)
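
The value ranges and the N392 < N393 rule stated for the FR commands in this section can be checked against a prepared command script before it is applied. The following Python sketch is an added illustration, not code from this manual or from the device; the function name audit and the transcript are constructed for the example, and only command forms documented in this section are recognised.

```python
"""Offline check of FR commands against the ranges stated in this section.

Added illustration; not Huawei code. Only commands documented above are
recognised, and the transcript below is constructed sample input.
"""
import re

PROMPT = re.compile(r"^(?:<[^>]*>|\[[^\]]*\])\s*")   # <Eudemon> or [Eudemon-...]
IP = r"\d+\.\d+\.\d+\.\d+"
# (pattern capturing one number, label, minimum, maximum) taken from the text
RANGED = [
    (re.compile(r"^fr dlci (\d+)$"), "DLCI", 16, 1007),
    (re.compile(r"^fr dlci-switch (\d+) interface .+ dlci \d+$"), "in-dlci", 16, 1007),
    (re.compile(r"^fr dlci-switch \d+ interface .+ dlci (\d+)$"), "out-dlci", 16, 1007),
    (re.compile(rf"^fr map ip (?:default|{IP}(?: {IP})?) (\d+)(?: |$)"), "dlci-number", 16, 1007),
    (re.compile(r"^fr lmi n391dte (\d+)$"), "N391", 1, 255),
    (re.compile(r"^fr lmi n39[23]d[ct]e (\d+)$"), "N392/N393", 1, 10),
    (re.compile(r"^fr lmi t392dce (\d+)$"), "T392", 5, 30),
    (re.compile(r"^fr iphc (?:rtp|tcp)-connections (\d+)$"), "connections", 3, 255),
]
LMI_SET = re.compile(r"^(undo )?fr lmi n39([23])(dce|dte)(?: (\d+))?$")
LMI_DEFAULT = {"2": 3, "3": 4}        # documented defaults for N392 and N393


def audit(transcript):
    """Return (line, interface, message) findings for a CLI transcript."""
    findings, iface, lmi = [], "", {}
    for lineno, raw in enumerate(transcript.splitlines(), start=1):
        cmd = " ".join(PROMPT.sub("", raw.strip()).split())
        if not cmd or cmd.startswith("#"):
            continue
        if cmd == "quit":
            iface = ""
            continue
        if cmd.lower().startswith("interface "):
            iface = cmd[len("interface "):].replace(" ", "")
            continue
        for pattern, label, low, high in RANGED:
            m = pattern.match(cmd)
            if m and not low <= int(m.group(1)) <= high:
                findings.append((lineno, iface, f"{label} {m.group(1)} outside {low}-{high}"))
        m = LMI_SET.match(cmd)
        if m and (m.group(1) or m.group(4)):
            state = lmi.setdefault((iface, m.group(3)), dict(LMI_DEFAULT))
            state[m.group(2)] = LMI_DEFAULT[m.group(2)] if m.group(1) else int(m.group(4))
    # The N392 < N393 rule is checked on the final state, defaults included.
    for (name, side), state in sorted(lmi.items()):
        if state["2"] >= state["3"]:
            findings.append((None, name, f"N392 {state['2']} is not less than N393 "
                                         f"{state['3']} at the {side.upper()} side"))
    return findings


# Constructed transcript: three deliberate mistakes (lines 7, 11 and 12).
SAMPLE = """\
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial1/0/0:0] link-protocol fr
[Eudemon-Serial1/0/0:0] fr interface-type dce
[Eudemon-Serial1/0/0:0] fr lmi n392dce 5
[Eudemon-Serial1/0/0:0] fr lmi n393dce 6
[Eudemon-Serial1/0/0:0] fr lmi t392dce 4
[Eudemon-Serial1/0/0:0] quit
[Eudemon] interface Serial 2/0/0:0
[Eudemon-Serial2/0/0:0] link-protocol fr
[Eudemon-Serial2/0/0:0] fr lmi n392dte 5
[Eudemon-Serial2/0/0:0] fr map ip 202.38.163.252 1008
[Eudemon-Serial2/0/0:0] fr dlci-switch 100 interface Serial 1/0/0:0 dlci 200
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The finding for Serial 2/0/0:0 shows the case that is easy to miss: raising N392 to 5 without also raising N393 leaves N393 at its default of 4.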

3.27.31 fr lmi type

Function
Using the fr lmi type command, you can configure the LMI protocol type of FR.

Using the undo fr lmi type command, you can restore the default type.

Format
fr lmi type { ansi | nonstandard | q933a }

undo fr lmi type

Parameters
ansi: specifies the standard LMI protocol type defined in ANSI T1.617 Appendix D.

nonstandard: specifies the nonstandard compatible LMI protocol.

q933a: specifies the LMI protocol of Q.933 Appendix A.

Views
FR interface view, MFR interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the LMI protocol type of FR is q933a.

Examples
# Configure the FR LMI protocol of Serial 1/0/0:0 as the nonstandard compatible protocol.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial 1/0/0:0] link-protocol fr
[Eudemon-Serial 1/0/0:0] fr lmi type nonstandard

3.27.32 fr map ip

Function
Using the fr map ip command, you can add a static address mapping between an FR address and
a DLCI.
Using the undo fr map ip command, you can remove a static FR address mapping.

Format
fr map ip { ip-address [ mask ] | default } dlci-number [ broadcast [ ietf | nonstandard ] ]
[ compression { frf9 | iphc connections number } ]
undo fr map ip { ip-address | default } dlci-number

Parameters
ip-address: specifies the IP address of the peer.
mask: specifies the IP address mask. The input format of the subnet mask must be X.X.X.X,
where X is an integer ranging from 0 to 255.
default: creates a default mapping.
dlci-number: specifies the local VC number. The value is an integer ranging from 16 to 1007.
broadcast: indicates the IP address supports broadcast packets.
ietf: indicates that the packet format on the FR interface is IETF.
nonstandard: indicates the packet format on the FR interface is nonstandard format.
compression frf9: enables the FR compression using the FRF.9 standard and LZS stac
algorithm. This parameter is invalid on the P2P interface.
connections number: specifies the number of RTP header compression connections. The value
is an integer ranging from 3 to 255.
• If the number of RTP header compression connections is configured through the fr map
ip command, PVC in the mapping uses this configured value.
• If the RTP connection number is not configured, PVC uses the number of RTP connections
configured on the FR interface that the PVC belongs to (IPHC is configured through the
fr iphc command).
• If the FR interface is not configured with the number of RTP connections, PVC uses the
default 256.

Views
FR interface view and FR sub-interface view

Default Level
2: Configuration level

Usage Guidelines
By default, no address mapping is enabled.
This command can be configured only on the FR main interface or point-to-multipoint FR
sub-interface, and the packet encapsulation type must be IETF. If the packet encapsulation type is
nonstandard and the command is used to enable FRF.9 compression, the system prompts
that the nonstandard encapsulation type does not support FRF.9 compression.
NOTE

• FRF.9 compression is applicable to the low-speed links.
• MFR link does not use the FRF.9 compression.
• FRF.9 compression has one synchronization procedure. During the compression, if the packets are in
disorder, the compression fails.

CAUTION
If the two main interfaces on DTE and DCE satisfy the following two conditions:
• The FRF.9 compression is configured on the two main interfaces.
• The DLCI of the main interface of the device at the DTE side is learned from the dynamic
address mapping.
After the undo fr map ip { ip-address | default } dlci-number command runs successfully on
the main interface of the device at the DTE side, you must restart these two main interfaces so
that the DTE and DCE can communicate.

For a P2P FR interface, use the fr compression frf9 command to enable the compression.

Examples
# The IP address of the peer device connected to Serial 1/0/0:0 is 202.38.163.252. There is a VC
with DLCI of 50 on the local Serial 1/0/0:0 connected to this device. Configure the static address
mapping between the peer IP address and the local interface.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial1/0/0:0] link-protocol fr
[Eudemon-Serial1/0/0:0] fr map ip 202.38.163.252 50

Related Topics
3.27.11 display fr map-info
3.27.22 fr inarp

3.27.33 fr standby group switch

Function
Using the fr standby group switch command, you can configure a switching mode from the
master PVC to the slave PVC for a specified FR PVC standby group.

Using the undo fr standby group command, you can restore the default mode.

Format
fr standby group group-number switch { manual | auto }

undo fr standby group group-number

Parameters
group-number: specifies the number of an FR PVC standby group. The value is an integer ranging
from 1 to 256.

manual: indicates the manual switching mode.

auto: indicates the automatic switching mode.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the switching mode is auto.

To switch the slave PVC to the master PVC, only the manual mode is available.

Examples
# Manually switch the master PVC to the slave PVC in the FR PVC standby group 1.
<Eudemon> system-view
[Eudemon] fr standby group 1 switch manual
[Eudemon] fr standby group 1 switch slave

Related Topics
3.27.13 display fr standby group

3.27.34 fr standby group switch auto

Function
Using the fr standby group switch auto command, you can set a threshold over which the
master PVCs automatically switch to the slave PVCs.

Using the undo fr standby group command, you can restore the default setting.

Format
fr standby group group-number switch auto inactive-master-percent active-slave-percent

undo fr standby group group-number

Parameters
group-number: specifies the number of an FR PVC standby group. The value is an integer ranging
from 1 to 256.

inactive-master-percent: specifies the percent of master PVCs in the inactive state.

active-slave-percent: specifies the percent of slave PVCs in the active state.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the percentage for the active links in the Inactive state and that for the standby links
in the Active state are both 100%.

This command takes effect only in the automatic mode.

Examples
# Enable the automatic switch when 50% of the master PVCs are in the inactive state and 60% of the
slave PVCs are in the active state in the FR PVC standby group 1.
<Eudemon> system-view
[Eudemon] fr standby group 1 switch auto 50 60

Related Topics
3.27.33 fr standby group switch
3.27.13 display fr standby group

3.27.35 fr standby group switch master

Function
Using the fr standby group switch master command, you can manually switch the slave PVC
to the master PVC in a PVC standby group.

Format
fr standby group group-number switch master

Parameters
group-number: specifies the number of an FR PVC standby group. The value is an integer ranging
from 1 to 256.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
This command is available only in the manual switching mode.

Examples
# Manually switch the slave PVC to the master PVC in the FR PVC standby group 1.
<Eudemon> system-view
[Eudemon] fr standby group 1 switch manual
[Eudemon] fr standby group 1 switch master

Related Topics
3.27.33 fr standby group switch
3.27.36 fr standby group switch slave

3.27.36 fr standby group switch slave

Function
Using the fr standby group switch slave command, you can manually switch the master PVC
to the slave PVC in a PVC standby group.

Format
fr standby group group-number switch slave

Parameters
group-number: specifies the number of an FR PVC standby group. The value is an integer ranging
from 1 to 256.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
This command is available only in the manual switching mode.

Examples
# Manually switch the master PVC to the slave PVC in the FR PVC standby group 1.
<Eudemon> system-view
[Eudemon] fr standby group 1 switch manual
[Eudemon] fr standby group 1 switch slave

Related Topics
3.27.33 fr standby group switch
3.27.35 fr standby group switch master

3.27.37 fr switch

Function
Using the fr switch command, you can back up a PVC used for the FR switching.
Using the undo fr switch command, you can delete the specified PVC.

Format
fr switch pvc-name [ interface interface-type in-interface-number dlci in-dlci interface
interface-type out-interface-number dlci out-dlci [ [ standby pvc-name ] group group-number ] ]
undo fr switch pvc-name

Parameters
pvc-name: specifies the name of PVC used for the FR switching. It is a string of 1 to 31 characters.
interface interface-type in-interface-number dlci in-dlci: specifies the type, number, and DLCI
value of the interface on the inbound side of the PVC. in-dlci ranges from 16 to 1007.
interface interface-type out-interface-number dlci out-dlci: specifies the type, number, and
DLCI value of the interface on the outbound side of the PVC. out-dlci ranges from 16 to 1007.

standby pvc-name: indicates the switching slave PVC with pvc-name as the name. pvc-name is
a string of 1 to 31 characters.
group-number: specifies the number of the standby group to which the switching PVC belongs.
The number is an integer ranging from 1 to 256. The master PVC and the slave PVC must be in
the same standby group.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, there is no PVC used for the FR switching.
During configuration, set the interface type to DCE or NNI first, and configure the DLCI on the
interface.
If group is specified in the command without standby, it indicates this PVC is a master PVC.
With standby, the PVC is a slave PVC. A slave PVC corresponds to only one master PVC, so
a newly configured master PVC overwrites the previous one for the same slave PVC.
To back up a switching PVC, if the specified standby group does not exist, the system
automatically creates a standby group with the specified number and adds the PVC into the
group.
When deleting a switching PVC, the system automatically deletes the standby group if the PVC
is the last link in the group.

Examples
# Create a switching PVC named pvc2. Specify pvc2 as the slave PVC of a switching PVC
named pvc1. Both of them belong to the PVC standby group 1.
<Eudemon> system-view
[Eudemon] fr switch pvc2 interface Serial 1/0/0:0 dlci 100 interface Serial 2/0/0:0
dlci 200 standby pvc1 group 1

Related Topics
3.27.13 display fr standby group

3.27.38 fr switching

Function
Using the fr switching command, you can enable an FR DCE or NNI interface to perform the
PVC switching.
Using the undo fr switching command, you can disable an FR DCE or NNI interface from performing
the PVC switching.

Format
fr switching

undo fr switching

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the FR switching is disabled.

After enabling an FR DCE or NNI interface to perform PVC switching, you need to configure
the route for the PVC switching.

Examples
# Enable the FR switching.
<Eudemon> system-view
[Eudemon] fr switching

Related Topics
3.27.21 fr dlci-switch
3.27.37 fr switch

3.27.39 interface mfr

Function
Using the interface mfr command, you can create an MFR bundle interface or sub-interface and
enter the corresponding interface view.

Using the undo interface mfr command, you can delete a specified MFR bundle interface or
sub-interface.

Format
interface mfr interface-number[.subnumber [ p2mp | p2p ] ]

undo interface mfr interface-number[.subnumber ]

Parameters
interface-number: specifies the interface number of an MFR bundle. It is an integer ranging from
0 to 1023.

subnumber: specifies the sub-interface number of an MFR bundle. The value is an integer ranging
from 1 to 1024.

p2mp: indicates the type of a sub-interface is PTM, which is the default FR sub-interface type.

p2p: indicates the type of a sub-interface is P2P.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, there is no MFR interface or sub-interface.

You must delete all physical interfaces from an MFR interface before using the undo interface
mfr command to delete the MFR interface.

An MFR interface must be created before an MFR sub-interface.

Examples
# Create an MFR bundle interface with a PTM sub-interface.
<Eudemon> system-view
[Eudemon] interface mfr 0
[Eudemon-MFR0] quit
[Eudemon] interface mfr 0.1 p2mp
[Eudemon-MFR0.1]

Related Topics
3.27.41 link-protocol fr mfr
3.27.42 mfr bundle-name

3.27.40 link-protocol (FR Interface View)

Function
Using the link-protocol command, you can set the link layer encapsulation protocol of a serial
interface.

Format
link-protocol { fr [ ietf | nonstandard ] | hdlc | ppp }

Parameters
fr: indicates FR as the link layer protocol of a serial interface.
ietf: indicates IETF standard encapsulation, which is implemented according to RFC1490. It is
the default encapsulation mode.
nonstandard: indicates the compatible nonstandard encapsulation mode.
hdlc: indicates HDLC as the link layer protocol of a serial interface.
ppp: indicates PPP as the link layer protocol of a serial interface.

Views
FR interface view, MFR interface view

Default Level
2: Configuration level

Usage Guidelines
By default, a serial interface is encapsulated with PPP. When encapsulating the FR, IETF is the
default encapsulation format.
If you want to configure frame relay networks, you need to encapsulate the interfaces with the
frame relay protocol.
If you change the frame relay encapsulation mode of an interface, the original frame relay settings
of the interface are deleted. After the frame relay encapsulation mode is changed, you need to reset
the parameters of frame relay.
After the link layer protocol of an interface is changed, you need to run the shutdown command to
disable the interface and run the undo shutdown command to enable the interface again so that the
settings can take effect.

Examples
# Implement frame relay protocol encapsulation on interface Serial 1/0/0:0 in nonstandard mode.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial1/0/0:0] link-protocol fr nonstandard

3.27.41 link-protocol fr mfr

Function
Using the link-protocol fr mfr command, you can configure the current physical interface as an
MFR bundle link and bind it onto a specified MFR interface.

Format
link-protocol fr mfr interface-number

Parameters
interface-number: specifies the interface number.

Views
FR interface view

Default Level
2: Configuration level

Usage Guidelines
By default, there is no MFR bundle link.

In this command, the specified MFR interface must exist. Up to 16 physical interfaces can be
bound onto an MFR interface.

To delete a physical interface from an MFR interface, you can use the link-protocol command
to apply a link layer protocol other than FR MFR to the interface.

Examples
# Configure Serial 1/0/0:0 as a bundle link and add it to the FR bundle interface MFR 1.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial 1/0/0:0] link-protocol fr mfr 1

Related Topics
3.27.39 interface mfr
3.27.45 mfr link-name

3.27.42 mfr bundle-name

Function
Using the mfr bundle-name command, you can set the FR bundle identification (BID).

Using the undo mfr bundle-name command, you can restore the default.

Format
mfr bundle-name [ name ]

undo mfr bundle-name

Parameters
name: specifies the name of a BID. It is a string of 1 to 49 characters.


Views
MFR interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the BID is in the form of "MFR + FR bundle number" such as MFR1.
Each MFR bundle has a BID, which is locally valid. Therefore, the BIDs at both ends of the link
can be the same.
When the BID of an interface is changed, the new BID can take effect only after the
shutdown and undo shutdown commands are executed on the interface.

Examples
# Set the BID of the FR link as bundle1.
<Eudemon> system-view
[Eudemon] interface MFR 1
[Eudemon-MFR1] mfr bundle-name bundle1

Related Topics
3.27.45 mfr link-name

3.27.43 mfr fragment

Function
Using the mfr fragment command, you can enable the fragmentation of an MFR bundle.
Using the undo mfr fragment command, you can disable the function.

Format
mfr fragment
undo mfr fragment

Parameters
None

Views
MFR interface view

Default Level
2: Configuration level


Usage Guidelines
By default, the function is disabled.
If data traffic is heavy, you can set the MFR fragmentation to decrease the transmitting delay.
It is recommended to configure the same fragmentation mechanism on two ends to improve the
efficiency.

Examples
# Enable the fragmentation on MFR 1.
<Eudemon> system-view
[Eudemon] interface mfr 1
[Eudemon-MFR1] mfr fragment

Related Topics
3.27.44 mfr fragment-size
3.27.49 mfr window-size

3.27.44 mfr fragment-size

Function
Using the mfr fragment-size command, you can configure the maximum fragment size allowed
on an FR bundle link.
Using the undo mfr fragment-size command, you can restore the default setting.

Format
mfr fragment-size bytes
undo mfr fragment-size

Parameters
bytes: specifies the fragment size in bytes. It is an integer ranging from 60 to 1500.

Views
FR interface view, MFR interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the maximum fragment size allowed on an FR bundle link is 300 bytes.
The priority of the fragment size configured in the FR interface view is higher than that
configured in the MFR interface view.


Examples
# Configure the maximum fragment size allowed on the MFR bundle link Serial 1/0/0:0 to 60
bytes.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial1/0/0:0] link-protocol fr mfr 1
[Eudemon-Serial1/0/0:0] mfr fragment-size 60

Related Topics
3.27.43 mfr fragment
3.27.49 mfr window-size

3.27.45 mfr link-name

Function
Using the mfr link-name command, you can set the FR bundle link identifier (LID).
Using the undo mfr link-name command, you can restore the default setting.

Format
mfr link-name [ name ]
undo mfr link-name

Parameters
name: specifies the name of a bundle LID. It is a string of 1 to 49 characters.

Views
FR interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the LID is the name of the corresponding physical interface.
The peer identifies an FR bundle link through the LID or associates the bundle link with an FR
bundle by using the LID. The LID is locally valid. Therefore, the LIDs at both ends of a link can be the
same.
If a bundle LID on an interface is changed, the modification takes effect only after the shutdown and
the undo shutdown commands are executed on the interface.

Examples
# Set the bundle LID of the MFR bundle link Serial 1/0/0:0 to bl1.

<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial 1/0/0:0] link-protocol fr mfr 1
[Eudemon-Serial 1/0/0:0] mfr link-name bl1

Related Topics
3.27.42 mfr bundle-name

3.27.46 mfr retry

Function
Using the mfr retry command, you can set the maximum times that an FR bundle link can
retransmit the Hello message while waiting for a Hello acknowledgement.

Using the undo mfr retry command, you can restore the default setting.

Format
mfr retry number

undo mfr retry

Parameters
number: specifies the maximum times that a bundle link can retransmit the Hello message. The
value is an integer ranging from 1 to 5. The default is 2.

Views
FR interface view

Default Level
2: Configuration level

Usage Guidelines
If the number of times that a bundle link retransmits the Hello message reaches the maximum before
a response is received from the peer, the system regards the link protocol on the bundle link as faulty.

This command can be configured only after the link-protocol fr mfr command is used to associate
an FR bundle link interface with an FR bundle.

Examples
# Set the maximum retransmission times of the Hello message to 3 on the bundle link Serial
1/0/0:0.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial 1/0/0:0] link-protocol fr mfr 1
[Eudemon-Serial 1/0/0:0] mfr retry 3


Related Topics
3.27.47 mfr timer ack
3.27.48 mfr timer hello

3.27.47 mfr timer ack

Function
Using the mfr timer ack command, you can set the time of waiting for the Hello response before the FR
bundle link retransmits the Hello message.

Using the undo mfr timer ack command, you can restore the default setting.

Format
mfr timer ack seconds

undo mfr timer ack

Parameters
seconds: specifies the time of waiting for the Hello response before retransmitting the Hello
message in seconds. It is an integer ranging from 1 to 10. By default, it is 4 seconds.

Views
FR interface view

Default Level
2: Configuration level

Usage Guidelines
The two ends of an FR bound link periodically send the Hello message to the peer. After receiving
the message, the peer sends back a Hello response.

Examples
# Set the FR bundle link Serial 1/0/0:0 to wait for 6 seconds before retransmitting the Hello
message.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial1/0/0:0] link-protocol fr mfr 1
[Eudemon-Serial1/0/0:0] mfr timer ack 6

Related Topics
3.27.48 mfr timer hello
3.27.46 mfr retry


3.27.48 mfr timer hello

Function
Using the mfr timer hello command, you can set the interval of transmitting a Hello message
for an FR bundle link.
Using the undo mfr timer hello command, you can restore the default setting.

Format
mfr timer hello seconds
undo mfr timer hello

Parameters
seconds: specifies the interval of transmitting the Hello message for a bundle link in seconds. It
is an integer ranging from 1 to 180. By default, it is 10 seconds.

Views
FR interface view

Default Level
2: Configuration level

Usage Guidelines
The two ends of an FR bound link periodically send the Hello message to the peer. After receiving
the message, the peer sends back a Hello response.

Examples
# Configure the bundle link Serial 1/0/0:0 to transmit the Hello message every 15 seconds.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial1/0/0:0] link-protocol fr mfr 1
[Eudemon-Serial1/0/0:0] mfr timer hello 15

Related Topics
3.27.47 mfr timer ack
3.27.46 mfr retry

3.27.49 mfr window-size

Function
Using the mfr window-size command, you can configure the number of fragments held by the
window when MFR reassembles fragments.

Using the undo mfr window-size command, you can restore the default setting.

Format
mfr window-size number

undo mfr window-size

Parameters
number: specifies the number of fragments. The value is an integer ranging from 1 to 16.

Views
MFR interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the size of a sliding window equals the number of physical interfaces of an MFR
bundle.

The size of the window decides the reassembly speed, but a bigger window does not necessarily
guarantee a higher reassembly speed. To decide the size of the window, weigh the relationship
between the MFR bundled links and the window size. It is recommended to adopt the default
size.

Examples
# Set the size of the sliding window of MFR123 to 8.
<Eudemon> system-view
[Eudemon] interface MFR 123
[Eudemon-MFR123] mfr window-size 8

Related Topics
3.27.39 interface mfr
3.27.43 mfr fragment
3.27.44 mfr fragment-size

3.27.50 mtu (FR Interface View)

Function
Using the mtu command, you can set the MTU of a serial interface.

Using the undo mtu command, you can restore the default setting.


Format
mtu mtu

undo mtu

Parameters
mtu: specifies the MTU of a serial interface in bytes. It is an integer ranging from 128 to 1500.

Views
Synchronous serial interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the MTU of a serial interface is 1500 bytes.

After the MTU is changed by using the mtu command, the modification does not take effect
immediately. You should run the shutdown command and the undo shutdown command
successively to ensure the new MTU takes effect.

Examples
# Set the MTU of Serial 1/0/0:0 to 1200.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial1/0/0:0] mtu 1200

3.27.51 reset fr inarp

Function
Using the reset fr inarp command, you can clear the address mapping established by InARP.

Format
reset fr inarp

Parameters
None

Views
User view


Default Level
2: Configuration level

Usage Guidelines
Sometimes, traffic statistics within a certain period is needed. In this situation, clear the existing
statistics before restarting the count.

Examples
# Clear all the FR dynamic address mapping.
<Eudemon> reset fr inarp

Related Topics
3.27.22 fr inarp
3.27.7 display fr inarp-info

3.27.52 shutdown (FR Interface View)

Function
In the FR switching view:

Using the shutdown command, you can disable all the current switching PVCs.

Using the undo shutdown command, you can enable all the current switching PVCs.

In the FR interface view and MFR interface view:

Using the shutdown command, you can disable the current interface.

Using the undo shutdown command, you can enable the current interface.

Format
shutdown

undo shutdown

Parameters
None

Views
FR switching view, FR interface view, and MFR interface view

Default Level
2: Configuration level


Usage Guidelines
In the FR switching view:

By default, the switching PVC is enabled.

In the FR interface view and MFR interface view:

By default, the FR interface and MFR interface are enabled.

When sub-interfaces exist, if you execute the shutdown command and the undo shutdown
command on the main interface in succession, the two commands should be used at an interval
of at least 15 seconds.

Examples
# Disable all the current switching PVCs named "PVC1".
<Eudemon> system-view
[Eudemon] fr switch pvc1 interface Serial 1/0/0:0 dlci 100 interface Serial 2/0/0:0 dlci 200
[Eudemon-fr-switching-pvc1] shutdown

# Shut down the current interface.
[Eudemon] interface mfr 0
[Eudemon-MFR0] shutdown

3.27.53 timer hold (FR Interface View)

Function
Using the timer hold command, you can configure the interval (defined in T391) of sending the
status-enquiry packet for a DTE device.

Using the undo timer hold command, you can restore the default.

Format
timer hold seconds

undo timer hold

Parameters
seconds: specifies the value of polling timer, in seconds. It is an integer ranging from 0 to 32767.
When seconds is 0, it indicates that the LMI protocol is disabled. The default is 10 seconds.

Views
FR interface view, MFR interface view

Default Level
2: Configuration level


Usage Guidelines
T391: It is a time variable. It defines the interval of sending the status-enquiry packet for a DTE
device.

Examples
# Configure the FR interface Serial 1/0/0:0 to operate in the DTE mode. Set the value of polling
timer to 15 seconds.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:0
[Eudemon-Serial1/0/0:0] link-protocol fr
[Eudemon-Serial1/0/0:0] fr interface-type dte
[Eudemon-Serial1/0/0:0] timer hold 15

Related Topics
3.27.23 fr interface-type
3.27.30 fr lmi t392dce

3.28 HDLC Configuration Commands


3.28.1 debugging hdlc all
3.28.2 debugging hdlc event
3.28.3 debugging hdlc
3.28.4 ip address unnumbered
3.28.5 timer hold (HDLC)

3.28.1 debugging hdlc all

Function
Using the debugging hdlc all command, you can enable all the debugging of HDLC.
Using the undo debugging hdlc all command, you can disable all the debugging of HDLC.

Format
debugging hdlc all
undo debugging hdlc all

Parameters
None

Views
User view


Default Level
1: Monitoring level

Usage Guidelines
Running this command enables all the debugging of HDLC. After debugging, run
the undo debugging command to disable it immediately.

For examples of the displayed information, refer to the other debugging commands of HDLC.

Examples
# Enable the debugging of HDLC.
<Eudemon> debugging hdlc all

Related Topics
3.28.3 debugging hdlc
3.28.2 debugging hdlc event

3.28.2 debugging hdlc event

Function
Using the debugging hdlc event command, you can enable the event debugging of HDLC.

Using the undo debugging hdlc event command, you can disable the event debugging of HDLC.

Format
debugging hdlc event [ interface interface-type interface-number ]

undo debugging hdlc event [ interface interface-type interface-number ]

Parameters
interface interface-type interface-number: specifies the interface type and interface number.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
Debugging degrades the performance of the system. Thus, after debugging, run the undo
debugging command to disable it immediately.


Examples
# Enable the event debugging of HDLC.
<Eudemon> debugging hdlc event
*0.1472740 Eudemon HDLC/8/debug2:Serial 1/0/0 Keepalive timer expired! ID: 71

Table 3-64 Description of the debugging hdlc event command output

Item                        Description
Eudemon                     Indicates the name of the device.
HDLC/8/debug2               Indicates:
                            • Module name: HDLC
                            • Level: 8
                            • Information summary
Serial 1/0/0                Indicates the name of the interface where the HDLC events occur.
Keepalive timer expired!    Indicates that the keepalive time is expired.
ID:                         Indicates the ID of the keepalive timer.

Related Topics
3.28.3 debugging hdlc
3.28.1 debugging hdlc all

3.28.3 debugging hdlc

Function
Using the debugging hdlc command, you can enable the debugging of the HDLC interface
packets.
Using the undo debugging hdlc command, you can disable the debugging of the HDLC interface
packets.

Format
debugging hdlc { ip | isis | keepalive } { in | in-out | out } [ interface interface-type interface-number ]
undo debugging hdlc { ip | isis | keepalive } { in | in-out | out } [ interface interface-type interface-number ]

Parameters
ip: indicates the debugging information about the IP packets.
isis: indicates the debugging information about the IS-IS packets.

keepalive: indicates the debugging information about the Keepalive packets.

in: indicates the debugging information about the received packets.

in-out: indicates the debugging information about the received and sent packets.

out: indicates the debugging information about the sent packets.

interface interface-type interface-number: specifies the interface type and interface number.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
Using the debugging hdlc command, you can output debugging information based on different
packet types.

Debugging degrades the performance of the system. Thus, after debugging, run the undo
debugging command to disable it immediately.

Examples
# Enable the debugging of the IP packets sent by the HDLC interface.
<Eudemon> debugging hdlc ip out
*0.3240530 Eudemon HDLC/8/debug2:Serial 1/0/0 O Length 88, Address 0x0F, Protocol IP

# Enable the debugging of the Keepalive packets received by the HDLC interface.
<Eudemon> debugging hdlc keepalive in
*0.4963530 Eudemon HDLC/8/debug2:Serial 1/0/0 I Length 22, Address 0x8F, Protocol KEEPALIVE
*0.4963630 Eudemon HDLC/8/debug2:Serial 1/0/0 I Length 18, KEEPALIVE_REQ, NotifyingRemoteSeq 28051, ReflectingLocalSeq 56958

# Enable the debugging of the Keepalive packets sent by the HDLC interface.
<Eudemon> debugging hdlc keepalive out
*0.6923470 Eudemon HDLC/8/debug2:Serial 1/0/0 O Length 18, KEEPALIVE_REQ, myseq 28694, mineseen 28694, yourseen 57602, line UP
*0.6923470 Eudemon HDLC/8/debug2:Serial 1/0/0 O Length 22, Address 0x8F, Protocol KEEPALIVE

Table 3-65 Description of the debugging hdlc command output

Item                  Description
Eudemon               Indicates the name of the device.
HDLC/8/debug2         Indicates:
                      • Module name: HDLC
                      • Level: 8
                      • Information summary
Serial 1/0/0          Indicates the name of the interface that receives the packets.
Length                Indicates the length of the received packets.
                      • I: in represents the received packets.
                      • O: out represents the sent packets.
                      When the address field is behind the length field, the packet
                      length includes the length of the frame heading. When the
                      keepalive packet type is behind the length field, the packet length
                      does not include the length of the frame heading.
Address               Indicates the address. When the address is the unicast one, the
                      address is 0x0F. When the address is the multicast one, the
                      address is 0x8F.
KEEPALIVE_REQ         Indicates the keepalive request packets.
NotifyingRemoteSeq    Indicates sequence number of the packets sent by the peer end.
ReflectingLocalSeq    Indicates the sequence number of the packets responded by the
                      local end.
mineseen              Indicates the sequence number of the sent packets recorded by
                      the local end, which equals myseq.
yourseen              Indicates the corresponding sequence number of the packets of
                      the peer end.
line                  Indicates the link status of the peer end. The possible link status
                      is Up or Down.

Related Topics
3.28.1 debugging hdlc all
3.28.2 debugging hdlc event
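
The output format described in Table 3-64 and Table 3-65 can be turned into structured records for log review. The following is an added example, not part of this manual or of the device software: the first five sample lines come from the examples in sections 3.28.2 and 3.28.3, the last one is constructed, and all function and field names are assumptions.

```python
import re

# Address values as described in Table 3-65.
ADDRESS_KIND = {0x0F: "unicast", 0x8F: "multicast"}

# "*<stamp> <device> <module>/<level>/<summary>:<interface> <body>"
HEADER_RE = re.compile(
    r"^\*(?P<stamp>\d+\.\d+) (?P<device>\S+) "
    r"(?P<module>\w+)/(?P<level>\d+)/(?P<summary>\w+):"
    r"(?P<interface>[A-Za-z-]+ ?[\d/:.]+) (?P<body>.+)$"
)
# Packet lines carry a direction flag (I or O) and a length before the fields.
PACKET_RE = re.compile(r"^(?P<dir>[IO]) Length (?P<length>\d+), (?P<fields>.+)$")

SAMPLE_LINES = [
    "*0.3240530 Eudemon HDLC/8/debug2:Serial 1/0/0 O Length 88, Address 0x0F, Protocol IP",
    "*0.4963530 Eudemon HDLC/8/debug2:Serial 1/0/0 I Length 22, Address 0x8F, Protocol KEEPALIVE",
    "*0.4963630 Eudemon HDLC/8/debug2:Serial 1/0/0 I Length 18, KEEPALIVE_REQ, "
    "NotifyingRemoteSeq 28051, ReflectingLocalSeq 56958",
    "*0.6923470 Eudemon HDLC/8/debug2:Serial 1/0/0 O Length 18, KEEPALIVE_REQ, "
    "myseq 28694, mineseen 28694, yourseen 57602, line UP",
    "*0.1472740 Eudemon HDLC/8/debug2:Serial 1/0/0 Keepalive timer expired! ID: 71",
    # Constructed line (not from the manual): the peer link is reported as DOWN.
    "*0.7923470 Eudemon HDLC/8/debug2:Serial 1/0/0 O Length 18, KEEPALIVE_REQ, "
    "myseq 28695, mineseen 28694, yourseen 57602, line DOWN",
]


def parse_line(line):
    """Parse one HDLC debugging line into a dict, or return None if it does not match."""
    match = HEADER_RE.match(" ".join(line.split()))  # also rejoins wrapped lines
    if not match:
        return None
    rec = match.groupdict()
    body = rec.pop("body")
    rec["level"] = int(rec["level"])
    packet = PACKET_RE.match(body)
    if not packet:
        # Event output such as "Keepalive timer expired! ID: 71" (Table 3-64).
        rec["kind"] = "event"
        rec["event"] = body
        return rec
    rec["kind"] = "packet"
    rec["direction"] = "in" if packet["dir"] == "I" else "out"
    rec["length"] = int(packet["length"])
    for token in packet["fields"].split(", "):
        key, _, value = token.partition(" ")
        if not value:
            rec["type"] = key  # bare token such as KEEPALIVE_REQ
            continue
        try:
            rec[key] = int(value, 0)  # accepts 0x0F as well as decimal counters
        except ValueError:
            rec[key] = value
    # Table 3-65: the length includes the frame heading only when the address
    # field follows the length field.
    rec["length_includes_header"] = "Address" in rec
    if "Address" in rec:
        rec["address_kind"] = ADDRESS_KIND.get(rec["Address"], "unknown")
    return rec


def summarize(lines):
    """Per-interface packet counts, events, and keepalives reporting a peer link that is not UP."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stats = report.setdefault(
            rec["interface"], {"in": 0, "out": 0, "events": [], "peer_not_up": 0}
        )
        if rec["kind"] == "event":
            stats["events"].append(rec["event"])
            continue
        stats[rec["direction"]] += 1
        if "line" in rec and str(rec["line"]).upper() != "UP":
            stats["peer_not_up"] += 1
    return report


if __name__ == "__main__":
    for interface, stats in summarize(SAMPLE_LINES).items():
        print(interface, stats)
```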

3.28.4 ip address unnumbered

Function
Using the ip address unnumbered command, you can configure an interface to borrow the IP
address of another interface.
Using the undo ip address unnumbered command, you can disable an interface from
borrowing the IP address of another interface.


Format
ip address unnumbered interface interface-type interface-number
undo ip address unnumbered

Parameters
interface-type: specifies the type of the interface whose IP address is to be borrowed.
interface-number: specifies the number of the interface whose IP address is to be borrowed.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the interface does not borrow the IP address of another interface.
The ip address unnumbered command can be used on interfaces encapsulated with PPP, HDLC, or FR and on Tunnel
interfaces. It enables such an interface to borrow the IP address of an Ethernet interface, a loopback
interface, or an interface of another type. Ethernet interfaces cannot borrow the IP addresses of
other interfaces.
Because the unnumbered interface itself has no IP address, routes cannot be added to it. You
must manually configure routes to connect the Eudemon interfaces.
NOTE

If an interface encapsulated with HDLC is configured to borrow an IP address, the borrowing peer must be able
to learn the network routes to the other peer. Otherwise, packets cannot reach the other peer.

Examples
# Configure interface Serial 1/0/0:1, encapsulated with HDLC, to borrow the IP address of Ethernet interface
Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:1
[Eudemon-Serial1/0/0:1] ip address unnumbered interface Ethernet 0/0/0

3.28.5 timer hold (HDLC)

Function
Using the timer hold command, you can set the polling interval.
Using the undo timer hold command, you can restore the default.

Format
timer hold seconds

undo timer hold

Parameters
seconds: specifies the value of the polling interval. The value ranges from 0 to 32767 in seconds.
0 indicates that the link detection is disabled. The default is 10 seconds.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the polling interval of the link layer protocol applied on the interface is 10 seconds.
The polling interval of devices on both ends must be consistent. If the polling interval on both
sides is 0, it means the link detection is disabled.
If the network delay is long or the congestion is serious, you can properly enlarge the interval
to decrease the possibility of network flapping.

Examples
# Set the polling interval on Serial 1/0/0:1 to 20 seconds.
<Eudemon> system-view
[Eudemon] interface Serial 1/0/0:1
[Eudemon-Serial 1/0/0:1] timer hold 20


4 Reliability

About This Chapter

4.1 VRRP Backup Group Configuration Commands


4.2 VRRP Management Group Configuration Commands
4.3 HRP Configuration Commands
4.4 IP-Link Configuration Commands


4.1 VRRP Backup Group Configuration Commands


4.1.1 debugging vrrp
4.1.2 display vrrp
4.1.3 vrrp un-check ttl
4.1.4 vrrp vrid preempt-mode
4.1.5 vrrp vrid priority
4.1.6 vrrp vrid timer advertise
4.1.7 vrrp vrid track
4.1.8 vrrp vrid virtual-ip

4.1.1 debugging vrrp

Function
Using the debugging vrrp command, you can enable the packet, state or timer debugging of a
VRRP backup group.

Using the undo debugging vrrp command, you can disable the packet, state or timer debugging
of a VRRP backup group.

Format
debugging vrrp { packet | state | timer } [ vrid vrid ]

undo debugging vrrp { packet | state | timer }

Parameters
packet: enables the packet debugging of a VRRP backup group.

state: enables the state debugging of a VRRP backup group.

timer: enables the timer debugging of a VRRP backup group.

vrid vrid: specifies the ID of a virtual router. It is an integer in a range of 1 to 255.

Views
User view

Default Level
1: Monitoring level


Usage Guidelines
By default, the debugging of a VRRP backup group is disabled.

Examples
# Enable the state debugging of a VRRP backup group.
<Eudemon> debugging vrrp state

4.1.2 display vrrp

Function
Using the display vrrp command, you can view the status information and configuration
parameters of a VRRP backup group.

Format
display vrrp [ interface interface-type interface-number [ virtual-router-id ] ]

Parameters
interface interface-type interface-number: specifies the type and number of an interface. The
type of the interface can only be Ethernet.
virtual-router-id: specifies the ID of a backup group. It is an integer in a range of 1 to 255.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
By setting different optional parameters, you can view different status information and
configuration parameters. Specifically:
• If both the interface name and the backup group ID are set in the command, you can view
  the status information and configuration parameters of the relevant backup group.
• If only the interface name is configured in the command, you can view the status
  information and configuration parameters of all backup groups associated with the
  interface.
• If neither the interface name nor the backup group ID is set in the command, you can view
  the status information and configuration parameters of all backup groups associated with
  the Eudemon.

Examples
# Display all backup groups associated with the Eudemon.

<Eudemon> display vrrp
Ethernet 0/0/0 | Virtual Router 1
state : Master
Virtual IP : 13.13.13.1
Virtual MAC : 0000-5e00-0101
Primary IP : 13.13.13.10
Config Prior : 100
Run Prior : 100
Preempt : YES Delay Time : 0
Timer : 1
Auth type : NONE

Ethernet 0/0/1 | Virtual Router 2
state : Master
Virtual IP : 2.2.2.1
Virtual MAC : 0000-5e00-0102
Primary IP : 2.2.2.3
Config Prior : 100
Run Prior : 100
Preempt : YES Delay Time : 0
Timer : 1
Auth type : NONE

# Display all backup groups associated with Ethernet 0/0/0.
<Eudemon> display vrrp interface Ethernet 0/0/0
Ethernet 0/0/0 | Virtual Router 1
state : Master
Virtual IP : 13.13.13.1
Virtual MAC : 0000-5e00-0101
Primary IP : 13.13.13.10
Config Prior : 100
Run Prior : 100
Preempt : YES Delay Time : 0
Timer : 1
Auth type : NONE

# Display the specified backup group associated with the Ethernet 0/0/0.
<Eudemon> display vrrp interface Ethernet 0/0/0 1
Ethernet 0/0/0 | Virtual Router 1
state : Master
Virtual IP : 13.13.13.1
Virtual MAC : 0000-5e00-0101
Primary IP : 13.13.13.10
Config Prior : 100
Run Prior : 100
Preempt : YES Delay Time : 0
Timer : 1
Auth type : NONE

4.1.3 vrrp un-check ttl

Function
Using the vrrp un-check ttl command, you can disable the check of the TTL value of VRRP
packets.

Using the undo vrrp un-check ttl command, you can enable the check of the TTL value of
VRRP packets.

Format
vrrp un-check ttl

undo vrrp un-check ttl

Parameters
None

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the Eudemon checks the TTL value of VRRP packets.
As stipulated by RFC 2338, the system checks the TTL value of the received VRRP packets.
If this value is not 255, the VRRP packets are discarded. In some networking environments,
especially when devices from different manufacturers are used together, this
processing may cause packets to be discarded incorrectly. In that case, you can configure the system not
to check the TTL value of VRRP packets.

Examples
# Disable the check of the TTL value of VRRP packets.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] vrrp un-check ttl
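
The TTL rule described above can be seen in a receiver-side acceptance check. The following is an added example, not code from the Eudemon or from this manual: `check_ttl=False` models an interface configured with vrrp un-check ttl, the packets are constructed test input using the addresses from the display vrrp example, and all function names are assumptions. Because every router hop decrements the TTL, an advertisement that arrives with TTL 255 cannot have been forwarded, which is what the default check relies on.

```python
import ipaddress
import struct

VRRP_PROTOCOL = 112                                # IP protocol number assigned to VRRP
VRRP_GROUP = ipaddress.IPv4Address("224.0.0.18")   # VRRP multicast destination


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used by the IPv4 header and by VRRP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(src, vrid, priority, virtual_ips, ttl=255, interval=1):
    """Build a constructed IPv4 + VRRPv2 advertisement (test input only)."""
    # Version 2, type 1 (advertisement), auth type 0, checksum filled in below.
    vrrp = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(virtual_ips), 0, interval, 0)
    vrrp += b"".join(ipaddress.IPv4Address(ip).packed for ip in virtual_ips)
    vrrp += bytes(8)  # authentication data, all zero for auth type 0
    vrrp = vrrp[:6] + struct.pack("!H", inet_checksum(vrrp)) + vrrp[8:]
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0xC0, 20 + len(vrrp), 0, 0, ttl, VRRP_PROTOCOL, 0,
        ipaddress.IPv4Address(src).packed, VRRP_GROUP.packed,
    )
    header = header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]
    return header + vrrp


def accept_advert(packet: bytes, check_ttl: bool = True):
    """Return (accepted, reason) for a received IPv4 packet.

    check_ttl=True is the default behaviour described in the Usage Guidelines;
    check_ttl=False skips the TTL comparison only, all other checks still run.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False, "not an IPv4 packet"
    header_len = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if header_len < 20 or total_len > len(packet) or total_len < header_len + 8:
        return False, "truncated packet"
    ttl, protocol = packet[8], packet[9]
    if protocol != VRRP_PROTOCOL:
        return False, "not VRRP"
    if check_ttl and ttl != 255:
        return False, f"TTL {ttl} is not 255"
    vrrp = packet[header_len:total_len]
    if vrrp[0] != 0x21:
        return False, "not a VRRPv2 advertisement"
    if inet_checksum(vrrp) != 0:  # a valid message sums to zero including its checksum
        return False, "bad VRRP checksum"
    return True, f"advertisement for VRID {vrrp[1]}, priority {vrrp[2]}, TTL {ttl}"


def compare_modes(packet: bytes):
    """Show how the same packet is treated with the TTL check on and off."""
    return {
        "ttl_check_enabled": accept_advert(packet, check_ttl=True)[0],
        "ttl_check_disabled": accept_advert(packet, check_ttl=False)[0],
    }


if __name__ == "__main__":
    on_link = build_advert("13.13.13.10", 1, 100, ["13.13.13.1"])
    forwarded = build_advert("13.13.13.10", 1, 100, ["13.13.13.1"], ttl=254)
    print("sent on the local link:", compare_modes(on_link))
    print("passed through one hop:", compare_modes(forwarded))
```

With the check disabled, the TTL no longer distinguishes an advertisement sent on the local segment from one that was forwarded onto it, so the setting is best limited to interfaces where interoperability requires it.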

4.1.4 vrrp vrid preempt-mode

Function
Using the vrrp vrid preempt-mode command, you can enable preemption for the backup group or
configure the preemption delay time for the Eudemon in the backup group.
Using the undo vrrp vrid preempt-mode command, you can disable preemption for the backup
group.

Format
vrrp vrid virtual-router-id preempt-mode [ timer delay delay-value ]
undo vrrp vrid virtual-router-id preempt-mode

Parameters
virtual-router-id: specifies the ID of the VRRP backup group. It is an integer in a range of 1 to
255.
delay-value: specifies the delay time in seconds in a range of 0 to 255. The default value is 0.


Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, preemption is enabled.

This command is valid only for backup groups that are not added to any VRRP management
group. Once a VRRP backup group is added to a VRRP management group, it complies
with the preemption mode of the VRRP management group.

If you want the Eudemon with higher priority to be the master device, you should set preemption
mode as well as delay time for the Eudemon. If no preemption mode is set, the
delay time is automatically restored to 0.

Examples
# Set the Eudemon to work in preemption mode.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] vrrp vrid 1 preempt-mode

# Set delay time for preemption.
[Eudemon-Ethernet0/0/0] vrrp vrid 1 preempt-mode timer delay 5

# Cancel preemption mode.
[Eudemon-Ethernet0/0/0] undo vrrp vrid 1 preempt-mode

4.1.5 vrrp vrid priority

Function
Using the vrrp vrid priority command, you can set priority for the Eudemon in the backup
group.

Using the undo vrrp vrid priority command, you can restore the default value of priority.

Format
vrrp vrid virtual-router-id priority priority-value

undo vrrp vrid virtual-router-id priority

Parameters
virtual-router-id: specifies the ID of the VRRP backup group. It is an integer in a range of 1 to
255.

priority-value: specifies the value of a priority. It is an integer in a range of 1 to 254. The default
value is 100. Where:
• Priority 0 is reserved for special usage.
• Priority 255 is reserved for IP Address Owner.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
This command is valid no matter whether the backup group joins a VRRP management group
or not:
• When the backup group is added to a VRRP management group, its VRRP state is
  determined by the VRRP management group to which it belongs. To prevent backup groups
  that do not belong to the management group but have a higher priority from disturbing the
  VRRP state of the management group, you should set higher priorities for components in
  the VRRP management group.
• In the event that the backup group is not added to any VRRP management group, the priority
  of a backup group determines whether to switch state. Usually, the Eudemon in a backup
  group with a higher priority might be the master.

Examples
# Set the priority of the Eudemon in backup group 1 to 150.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] vrrp vrid 1 priority 150

4.1.6 vrrp vrid timer advertise

Function
Using the vrrp vrid timer advertise command, you can set the interval at which the master
Eudemon in the backup group sends VRRP packets.

Using the undo vrrp vrid timer advertise command, you can restore the default interval.

Format
vrrp vrid virtual-router-id timer advertise interval

undo vrrp vrid virtual-router-id timer advertise

Parameters
virtual-router-id: specifies the ID of a VRRP backup group. It is an integer in a range of 1 to
255.

interval: specifies the interval at which the master Eudemon sends VRRP packets. The value
ranges from 1 to 255 seconds.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, the interval at which the master Eudemon in the backup group sends VRRP packets is
1 second.

The VRRP timer is valid whether or not the backup group is added to a VRRP management group.
You can set the interval at which the master Eudemon in the backup group sends VRRP packets
by running this command.

NOTE

The VRRP timer is not updated in real time. To make a newly set interval take effect right away,
enable re-negotiation on the interface by running the shutdown and undo shutdown commands in
sequence.

Examples
# Set the interval at which the master Eudemon in backup group 1 sends VRRP packets
to 5 seconds.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] vrrp vrid 1 timer advertise 5

4.1.7 vrrp vrid track

Function
Using the vrrp vrid track command, you can monitor an interface.

Using the undo vrrp vrid track command, you can cancel the monitoring of an interface.

Format
vrrp vrid virtual-router-id track interface-type interface-number [ reduced value-reduced ]

undo vrrp vrid virtual-router-id track [ interface-type interface-number ]

Parameters
virtual-router-id: specifies the ID of a VRRP backup group. It is an integer in a range of 1 to
255.

interface-type: specifies the type of an interface to be monitored.

interface-number: specifies the number of an interface to be monitored.

reduced value-reduced: specifies the reduced value of the priority. It is an integer in a range of
1 to 255. The default value is 10.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
Interface monitoring greatly extends the VRRP backup function: backup can take effect not only
when the Eudemon breaks down but also when an error occurs on one of the interfaces of the
Eudemon.

Using this command, you can enable the function so that when the monitored interface is Down,
the priority of the associated Eudemon is automatically reduced by a certain amount. If it is the
master Eudemon, the other backup Eudemon with the higher priority in the backup group
becomes the new master Eudemon.

However, this function is invalid for the interface that is the IP Address Owner.

Generally, the working modes are as follows:

• Composite mode: When IP addresses and VRRP backup groups are configured on the
  heartbeat interface but not on the other interfaces, the priority of the Eudemon cannot
  be automatically reduced through VGMP if the other interfaces stop working. Therefore,
  you need to use the vrrp vrid track command on the heartbeat interface to monitor the other
  interfaces. After the command is run, when the other interfaces stop working, the priority
  of the heartbeat interface is automatically reduced and the master and backup switch can
  be implemented.
• Routing mode: When an interface of the Eudemon is connected to a router, you cannot
  configure VRRP backup groups on the interface. Therefore, you need to run this command
  on the heartbeat interface. After the command is run, when the interface connected to
  the router stops working, the priority of the heartbeat interface is automatically reduced, and
  the master and backup switch can be implemented.

Examples
# Enable monitoring of Ethernet 0/0/1 and set the reduced value of the priority to 50.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] vrrp vrid 1 track Ethernet 0/0/1 reduced 50
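
An added Python example (not from the Huawei manual) that checks whether the value-reduced configured with vrrp vrid track is large enough for a tracked-interface failure to cause a switchover. It assumes two Eudemons in one backup group, that the backup takes over only when its priority is strictly higher than the master's reduced priority, and that a reduced priority never drops below 1; the class and function names are hypothetical.

```python
from dataclasses import dataclass, field

IP_ADDRESS_OWNER = 255   # priority reserved for the IP Address Owner
DEFAULT_PRIORITY = 100   # default priority-value
DEFAULT_REDUCED = 10     # default value-reduced


@dataclass
class BackupGroupMember:
    """One Eudemon's membership of a VRRP backup group (constructed model)."""
    name: str
    priority: int = DEFAULT_PRIORITY
    tracked: dict = field(default_factory=dict)   # interface name -> value-reduced

    def track(self, interface, reduced=DEFAULT_REDUCED):
        """Model of: vrrp vrid <id> track <interface> [ reduced <value> ]"""
        if not 1 <= reduced <= 255:
            raise ValueError("value-reduced must be in the range 1 to 255")
        self.tracked[interface] = reduced

    def effective_priority(self, down_interfaces):
        """Priority after subtracting value-reduced for each tracked interface that is Down."""
        if self.priority == IP_ADDRESS_OWNER:
            return self.priority          # tracking is invalid for the IP Address Owner
        reduction = sum(v for name, v in self.tracked.items() if name in down_interfaces)
        return max(1, self.priority - reduction)   # assumption: never below 1 (0 is reserved)


def switchover_happens(master, backup, down_on_master):
    """True if the backup ends up with the strictly higher priority (assumed rule)."""
    return backup.effective_priority(set()) > master.effective_priority(down_on_master)


def min_reduced_for_switchover(master_priority, backup_priority):
    """Smallest value-reduced that drops the master below the backup."""
    return max(1, master_priority - backup_priority + 1)


def audit(master_priority, backup_priority, reduced, uplink="Ethernet 0/0/1"):
    """Does losing the tracked uplink on the master hand mastership to the backup?"""
    master = BackupGroupMember("FW-A", master_priority)   # constructed device names
    backup = BackupGroupMember("FW-B", backup_priority)
    master.track(uplink, reduced)
    return switchover_happens(master, backup, {uplink})


if __name__ == "__main__":
    # Constructed scenario: master priority 150, backup at the default 100.
    for reduced in (10, 50, 51):
        print(f"reduced {reduced}: switchover = {audit(150, 100, reduced)}")
    print("minimum value-reduced:", min_reduced_for_switchover(150, 100))
```

With a master priority of 150 and a backup at the default 100, a value-reduced of 50 only produces a tie under these assumptions, so the tracked failure does not move mastership.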

4.1.8 vrrp vrid virtual-ip

Function
Using the vrrp vrid virtual-ip command, you can create a backup group or add virtual IP
addresses to an existing backup group.
Using the undo vrrp vrid virtual-ip command, you can delete a backup group or remove some
virtual IP addresses from a backup group.

Format
vrrp vrid virtual-router-id virtual-ip virtual-address [ mask | mask-length ] [ preference ]
undo vrrp vrid virtual-router-id [ virtual-ip virtual-address ]

Parameters
virtual-router-id: specifies the ID of the VRRP backup group. It is an integer in a range of 1 to
255.
virtual-address: specifies the virtual IP address of the VRRP backup group in dotted decimal
notation.
mask: specifies the address mask in dotted decimal notation.
mask-length: specifies the address mask length. It is an integer in a range of 0 to 32.
preference: sends packets using the virtual IP address of the VRRP backup group as the source
IP address. If this parameter is not specified, the actual IP address of the interface is used as the
source IP address of outgoing packets.

Views
Interface view

Default Level
2: Configuration level

Usage Guidelines
By default, no backup group is added to the system.
This command is valid whether or not the backup group is added to a VRRP management group.
NOTE

• When a VRRP management group is used on the Eudemon, make sure that the virtual IP address is not
  identical to the actual IP address of any interface.
• The network segment of the virtual IP address cannot overlap that of any interface.
• The interface where the command is executed must be configured with an IP address.

Users can use this command to create a backup group or add virtual IP addresses to an existing
backup group. A backup group can be configured with 16 virtual IP addresses at most. If the
virtual IP address and the IP address of the interface are not in the same network segment, the
backup group can be configured with only one IP address. Users can also use the undo vrrp
vrid virtual-ip command to delete an existing backup group or a virtual IP address in a backup
group. If all IP addresses in a backup group are deleted, the system will automatically delete the
backup group.

Examples
# Create a backup group and configure it with a virtual IP address.
<Eudemon> system-view
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] vrrp vrid 1 virtual-ip 10.10.10.10 24

4.2 VRRP Management Group Configuration Commands


4.2.1 add interface (VRRP Management Group View)
4.2.2 debugging vrrp-group
4.2.3 display vrrp-group
4.2.4 triggerdown interface
4.2.5 vgmp-flash enable
4.2.6 vrrp group
4.2.7 vrrp-group enable
4.2.8 vrrp-group group-send
4.2.9 vrrp-group manual-preempt
4.2.10 vrrp-group preempt
4.2.11 vrrp-group priority
4.2.12 vrrp-group timer hello

4.2.1 add interface (VRRP Management Group View)

Function
Using the add interface command, you can add a VRRP backup group that is associated
with the interface to the VRRP management group and specify a data channel or bind an
IP-Link.
Using the undo add interface command, you can remove a VRRP backup group that is
associated with the interface from the VRRP management group.

Format
add interface interface-type interface-number vrrp vrid virtual-router-id [ data [ transfer-only ] | ip-link number &<1-100> ] *
undo add interface interface-type interface-number vrrp vrid virtual-router-id

Parameters
interface-type interface-number: specifies the type and number of an interface.

virtual-router-id: specifies the ID of the VRRP backup group. It is an integer in a range of 1 to
255.

data: sets a link that is associated with the interface to transfer state information.

transfer-only: indicates the state change of the interface does not affect the state of the associated
VRRP management group.

ip-link number &<1-100>: binds the VRRP of VGMP with an IP-Link. A maximum of 100 IP
links can be bound. number specifies the ID of the IP-Link. It is an integer in a range of 1 to
100.

Views
VRRP management group view

Default Level
2: Configuration level

Usage Guidelines
By default, a VRRP backup group is not added to any VRRP management group.

Set the parameter data according to the actual networking:

• With the parameter data set in the command, you specify a link that is associated with
  the interface to transfer state information.
• Without the parameter, the channel is only used to transfer service information.

The state of interfaces at the two ends of the data channel will affect the state of VRRP backup
groups. The parameter transfer-only determines whether the state change further affects the state
of the VRRP management group:

• If the parameter is set in the command, the data channel is only used to transfer state
  information and the state of interfaces at the two ends of the channel will not affect the state
  of the VRRP management group.
• If the parameter is not set, the state of the channel will affect the state of the VRRP
  management group.

Examples
# Add VRRP backup group 1 that is associated with Ethernet 0/0/0 to VRRP management group 1.
<Eudemon> system-view
[Eudemon] vrrp group 1
[Eudemon-vrrpgroup-1] add interface Ethernet 0/0/0 vrrp vrid 1

# Add VRRP backup group 2 that is associated with Ethernet 0/0/1 to VRRP management group 1
and specify the link associated with the interface to transfer state information.
[Eudemon-vrrpgroup-1] add interface Ethernet 0/0/1 vrrp vrid 2 data

# Add VRRP backup group 3 that is associated with Ethernet 1/0/0 to VRRP management group 1
and specify the link associated with the interface to transfer state information only.
[Eudemon-vrrpgroup-1] add interface Ethernet 1/0/0 vrrp vrid 3 data transfer-only

# Add VRRP backup group 1 that is associated with the interface Ethernet 0/0/0 to VRRP
management group 1 and specify the link associated with the interface to transfer state
information. Bind VRRP backup group 1 to IP-Link 1 and IP-Link 2.
[Eudemon-vrrpgroup-1] add interface Ethernet 0/0/0 vrrp vrid 1 data ip-link 1 ip-link 2

Related Topics
4.2.6 vrrp group
4.2.8 vrrp-group group-send

4.2.2 debugging vrrp-group

Function
Using the debugging vrrp-group command, you can enable packet, state or timer debugging
of the VRRP management group.
Using the undo debugging vrrp-group command, you can disable the debugging of the VRRP
management group.

Format
debugging vrrp-group { all | packet | state | timer }
undo debugging vrrp-group { all | packet | state | timer }

Parameters
all: enables all debugging of the VRRP management group.
packet: enables packet debugging of the VRRP management group.
state: enables state debugging of the VRRP management group.
timer: enables timer debugging of the VRRP management group.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, the debugging of VRRP management group is disabled.
This command will take effect only after the VRRP management group is enabled.

Examples
# Enable state debugging of the VRRP management group.
<Eudemon> debugging vrrp-group state

4.2.3 display vrrp-group

Function
Using the display vrrp-group command, you can view the state and parameter settings of the
VRRP management group.

Format
display vrrp-group [ verbose ]

Parameters
verbose: displays the state and parameter setting of the VRRP management group in detail.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
This command will take effect only after the VRRP management group is enabled.

Examples
# Display the state and parameter setting of the VRRP management group in detail.
<Eudemon> display vrrp-group verbose
Vrrp Group 1
state : Initialize
Priority : 0
Preempt : YES Delay Time : 0
Timer : 1000
Group-Send :NO
Peer Status : ONLine
Vrrp number : 1
interface : Ethernet 0/0/0, vrrp id : 1 Peer Down

4.2.4 triggerdown interface

Function
Using the triggerdown interface command, you can trigger the state of an Ethernet interface
to Down and then to Up.

Using the undo triggerdown interface command, you can reset the triggerdown setting of an
Ethernet interface.

Format
triggerdown interface interface-type interface-number

undo triggerdown interface interface-type interface-number

Parameters
interface interface-type interface-number: specifies the type and number of an interface. The
interface must be an FE or GE interface.

Views
VRRP management group view

Default Level
2: Configuration level

Usage Guidelines
By default, the Down-Up of an Ethernet interface is not triggered.

This function is used in networking for dual-system hot backup with the Eudemon working in
composite mode.

If an Ethernet interface is configured with this function, once the state of the VRRP management
group changes from Master to non-Master, this interface is triggered to turn Down and then
Up. This in turn triggers Down and Up of the switch interface that is connected to the
Eudemon and updates the ARP entries of the switch.

Thus, when the state of dual-system hot backup changes, the corresponding interface information
is updated rapidly so that the switch can find the correct paths soon.

Examples
# Trigger Down-Up at Ethernet 0/0/0.
<Eudemon> system-view
[Eudemon] vrrp group 1
[Eudemon-vrrpgroup-1] triggerdown interface Ethernet 0/0/0

4.2.5 vgmp-flash enable

Function
Using the vgmp-flash enable command, you can disable master/backup switch for Flash-related
operations such as Save, Delete, FTP, and patch upgrade.

Using the undo vgmp-flash enable command, you can enable master/backup switch for
Flash-related operations.

Format
vgmp-flash enable

undo vgmp-flash enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, master/backup switch is disabled for Flash-related operations.

The vgmp-flash enable command can be backed up between the master firewall and the backup
firewall. Therefore, you can configure this command only on the master firewall when
dual-system hot backup functions properly.

Examples
# Enable master/backup switch for Flash-related operations.
<Eudemon> system-view
[Eudemon] undo vgmp-flash enable

4.2.6 vrrp group

Function
Using the vrrp group command, you can create a VRRP management group and enter VRRP
management group view.

Using the undo vrrp group command, you can delete an existing VRRP management group.

Format
vrrp group group-identifier

undo vrrp group group-identifier

Parameters
group-identifier: specifies the ID of the VRRP management group. It is an integer in a range of
1 to 16.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, no VRRP management group is created.

At most 16 VRRP backup groups can be added to a VRRP management group.

Examples
# Create VRRP management group 1 and enter VRRP management group view.
<Eudemon> system-view
[Eudemon] vrrp group 1
[Eudemon-vrrpgroup-1]

Related Topics
4.2.1 add interface (VRRP Management Group View)
4.2.7 vrrp-group enable

4.2.7 vrrp-group enable

Function
Using the vrrp-group enable command, you can enable the VRRP management group.

Using the undo vrrp-group enable command, you can disable the VRRP management group.

Format
vrrp-group enable

undo vrrp-group enable

Parameters
None

Views
VRRP management group view

Default Level
2: Configuration level

Usage Guidelines
By default, VRRP management group is disabled.

Examples
# Enable the VRRP management group.
<Eudemon> system-view
[Eudemon] vrrp group 1
[Eudemon-vrrpgroup-1] vrrp-group enable

Related Topics
4.2.6 vrrp group

4.2.8 vrrp-group group-send

Function
Using the vrrp-group group-send command, you can configure the flag of group send packets
for the VRRP management group.
Using the undo vrrp-group group-send command, you can delete the flag of group send packets
for the VRRP management group.

Format
vrrp-group group-send
undo vrrp-group group-send

Parameters
None

Views
VRRP management group view

Default Level
2: Configuration level

Usage Guidelines
By default, the flag of group-transmitting packets is not configured.
If the VRRP management group is configured with the flag of group send packets, it will send
packets through all data channels, including normal running channels and timeout channels.

Examples
# Configure the flag of group send packets for the VRRP management group.
<Eudemon> system-view
[Eudemon] vrrp group 1
[Eudemon-vrrpgroup-1] vrrp-group group-send

Related Topics
4.2.1 add interface (VRRP Management Group View)

4.2.9 vrrp-group manual-preempt

Function
Using the vrrp-group manual-preempt command, you can enable manual preempt of the
VRRP management group.

Format
vrrp-group manual-preempt

Parameters
None

Views
VRRP management group view

Default Level
2: Configuration level

Usage Guidelines
By default, manual preempt of the VRRP management group is disabled.

If you enable manual preempt for a VRRP management group with a higher priority, the
Eudemon in the management group will switch to be the master device.

Examples
# Enable manual preempt of the VRRP management group.
<Eudemon> system-view
[Eudemon] vrrp group 1
[Eudemon-vrrpgroup-1] vrrp-group manual-preempt

Related Topics
4.2.10 vrrp-group preempt
4.2.11 vrrp-group priority

4.2.10 vrrp-group preempt

Function
Using the vrrp-group preempt command, you can enable automatic preempt of the VRRP
management group and configure the delay time of preempt.
Using the undo vrrp-group preempt command, you can disable automatic preempt of the
VRRP management group.

Format
vrrp-group preempt [ delay delay-value ]
undo vrrp-group preempt

Parameters
delay delay-value: specifies the delay time of preempt. It is an integer in a range of 0 to 1800000
milliseconds.

Views
VRRP management group view

Default Level
2: Configuration level

Usage Guidelines
By default, automatic preempt of the VRRP management group is disabled.

Examples
# Enable automatic preempt of the VRRP management group and set the delay time to 1000
milliseconds.
<Eudemon> system-view
[Eudemon] vrrp group 1
[Eudemon-vrrpgroup-1] vrrp-group preempt delay 1000

Related Topics
4.2.9 vrrp-group manual-preempt
4.2.11 vrrp-group priority

4.2.11 vrrp-group priority

Function
Using the vrrp-group priority command, you can calculate the priority of the VRRP
management group based on VRRP priorities, set the priority of the VRRP management group,
or set the added value of priority for backup groups in the management group.
Using the undo vrrp-group priority command, you can restore the default value, or stop
calculating the priority of the VRRP management group based on VRRP priorities.

Format
vrrp-group priority { plus plus-value | priority-value | using-vrrppriority }

undo vrrp-group priority [ plus | using-vrrppriority ]

Parameters
plus plus-value: specifies the added value of priority of each VRRP backup group in the VRRP
management group. It is an integer in a range of 0 to 254.

priority-value: specifies the priority of the VRRP management group. It is an integer in a range
of 1 to 254.

using-vrrppriority: calculates the priority of VRRP management group based on VRRP
priorities.

Views
VRRP management group view

Default Level
2: Configuration level

Usage Guidelines
By default, the priority of the VRRP management group is 100 and the added value is 0.

After the vrrp vrid track command is run to configure a VRRP backup group to monitor the
specified interface, the monitoring function is still valid if this backup group joins a VRRP
management group.

When the status of the monitored interface turns Down, the priority of the VRRP backup group
is reduced. Whether the priority of the VRRP management group is reduced depends on the
following:

• If the VRRP management group is configured with the vrrp-group priority
  using-vrrppriority command, its priority is calculated according to formula 1. Then, the
  active and standby devices perform switchover. Formula 1 is as follows:
  The priority of a VRRP management group = (the priority sum of the VRRP backup groups
  whose interfaces are not configured with the transfer-only attribute and are in the Up state) /
  (the total number of VRRP backup groups not configured with the transfer-only attribute).
• If the VRRP management group is not configured with the vrrp-group priority
  using-vrrppriority command and this group does not contain the VRRP of the monitored
  interface, the priority of this group does not change. Then, the active and standby
  devices do not perform switchover.
• If the VRRP management group is not configured with the vrrp-group priority
  using-vrrppriority command and this group contains the VRRP of the monitored interface, the
  priority of this group is calculated through formula 2 when the monitored interface is Down.
  Then, the active and standby devices perform switchover. Formula 2 is as follows:
  The priority of a VRRP management group = the configured priority of the VRRP
  management group – (the priority sum of the VRRP backup groups whose interfaces are
  not configured with the transfer-only attribute and are in the Up state / 16).

When the status of the monitored interface turns Up, the working process is the same as
described above.

NOTE

The vrrp-group priority using-vrrppriority command applies in the following situation: the
interface monitored by a VRRP backup group through the vrrp vrid track command cannot be
configured with VRRP, or its configured VRRP does not join the VRRP management group, and
the service is affected after the status of the monitored interface turns Down. In this case, the VRRP
management group needs to be configured with the vrrp-group priority using-vrrppriority command
so that its priority is calculated based on VRRP priorities after the status of
the monitored interface turns Down. The active/standby switchover is then conducted.

If the vrrp vrid track command is not configured, the priority of a VRRP management group
is calculated as follows:

• If the management group is configured with the vrrp-group priority using-vrrppriority
  command, its priority is calculated according to formula 1.
• If the vrrp-group priority using-vrrppriority command is not configured, the priority of
  the VRRP backup group is reduced when the status of the interface of this VRRP backup
  group turns Down. Then, the VRRP management group re-calculates the priority through
  formula 2 and decides whether to adjust the VRRP status.
  Suppose the initial priority of a VRRP management group is 100 and this group contains
  three VRRP backup groups. The information of each backup group and a data channel is
  as follows:
  – Data channel interface 1 corresponds to VRRP1 with the priority of 128 and the attribute
    of data.
  – Data channel interface 2 corresponds to VRRP2 with the priority of 128 and the attribute
    of data transfer-only.
  – Data channel interface 3 corresponds to VRRP3 with the priority of 96 and no attribute.
  When interface 1 turns Down, the priority of the management group is 92, that is, 100 –
  128/16 = 92. When both interface 1 and interface 2 turn Down, the priority of the
  management group is still 92. This is because the attribute of interface 2 is data
  transfer-only, which does not affect the status or the priority of the management group. When both
  interface 1 and interface 3 turn Down, the priority of the management group is 86, that is,
  100 – 128/16 – 96/16 = 86.
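
The two formulas and the worked example above, as an added Python example (not Huawei code). Formula 2 is applied the way the worked example applies it, subtracting one sixteenth of the priorities of the backup groups that are not transfer-only and whose interfaces are Down; integer division and the names BackupGroup, with_down, formula1 and formula2 are assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class BackupGroup:
    """A VRRP backup group added to a VRRP management group (constructed model)."""
    name: str
    priority: int
    transfer_only: bool = False   # added with "data transfer-only"
    up: bool = True               # state of the interface the group is configured on


def with_down(groups, down_names):
    """Return a copy of groups in which only the named groups' interfaces are Down."""
    return [replace(g, up=g.name not in down_names) for g in groups]


def formula1(groups):
    """Priority when vrrp-group priority using-vrrppriority is configured."""
    counted = [g for g in groups if not g.transfer_only]
    if not counted:
        raise ValueError("no backup group without the transfer-only attribute")
    # Sum over the Up groups, divided by the number of all non-transfer-only groups.
    return sum(g.priority for g in counted if g.up) // len(counted)


def formula2(configured_priority, groups):
    """Priority when using-vrrppriority is not configured, as in the worked example."""
    # transfer-only groups never change the management group priority.
    lost = sum(g.priority for g in groups if not g.transfer_only and not g.up)
    return configured_priority - lost // 16


# The three backup groups of the worked example.
EXAMPLE_GROUPS = [
    BackupGroup("VRRP1", 128),                       # data
    BackupGroup("VRRP2", 128, transfer_only=True),   # data transfer-only
    BackupGroup("VRRP3", 96),                        # no attribute
]

if __name__ == "__main__":
    for down in ({"VRRP1"}, {"VRRP1", "VRRP2"}, {"VRRP1", "VRRP3"}):
        groups = with_down(EXAMPLE_GROUPS, down)
        print(sorted(down), "formula 2:", formula2(100, groups),
              "formula 1:", formula1(groups))
```

For the same failure of interface 1, formula 2 moves the management group priority from 100 to 92 while formula 1 moves it from 112 to 48, which is why the choice of using-vrrppriority matters when sizing the peer's priority.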

Examples
# Set the priority of the VRRP management group to 120 and the added value for backup group
priority to 10.
<Eudemon> system-view
[Eudemon] vrrp group 1
[Eudemon-vrrpgroup-1] vrrp-group priority 120
[Eudemon-vrrpgroup-1] vrrp-group priority plus 10

# Set to calculate the priority of VRRP management group 1 depending on VRRP priorities.
[Eudemon-vrrpgroup-1] vrrp-group priority using-vrrppriority

4.2.12 vrrp-group timer hello

Function
Using the vrrp-group timer hello command, you can set the interval at which the master
Eudemon in the VRRP management group sends Hello messages.
Using the undo vrrp-group timer hello command, you can restore its default value.

Format
vrrp-group timer hello interval
undo vrrp-group timer hello

Parameters
interval: specifies the interval, at which Hello messages are sent. It is an integer in a range of
200 to 60000 milliseconds.

Views
VRRP management group view

Default Level
2: Configuration level

Usage Guidelines
By default, the interval at which Hello messages are sent for the master Eudemon in the VRRP
management group is 1000 milliseconds.
The master Eudemon in the VRRP management group sends a Hello message to the backup
Eudemon at a regular interval. After receiving the Hello message, the backup Eudemon sends
back state, preemption mode and priority to the master Eudemon so that master/backup
Eudemons can communicate with each other.

Examples
# Set the interval at which the master sends Hello messages to 500 milliseconds.
<Eudemon> system-view
[Eudemon] vrrp group 1
[Eudemon-vrrpgroup-1] vrrp-group timer hello 500

4.3 HRP Configuration Commands


4.3.1 debugging hrp
4.3.2 debugging hrp configuration check
4.3.3 display hrp
4.3.4 display hrp configuration check
4.3.5 firewall mode composite permit-backupforward
4.3.6 firewall session bak-time
4.3.7 hrp auto-sync
4.3.8 hrp configuration check
4.3.9 hrp enable
4.3.10 hrp ospf-cost adjust-enable
4.3.11 hrp sync

4.3.1 debugging hrp

Function
Using the debugging hrp command, you can enable packet, state or timer debugging of HRP
after the dual-system hot backup is enabled.
Using the undo debugging hrp command, you can disable packet, state or timer debugging of
HRP.

Format
debugging hrp { all | packet | state | timer }
undo debugging hrp { all | packet | state | timer }

Parameters
all: enables all HRP debugging.
packet: enables HRP packet debugging.
state: enables HRP state debugging.
timer: enables HRP timer debugging.

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, the debugging of HRP is disabled.
You can run this command only when the dual-system hot backup function is enabled, that is,
the hrp enable command is configured.

Examples
# Enable HRP packet debugging.
<Eudemon> debugging hrp packet

4.3.2 debugging hrp configuration check

Function
Using the debugging hrp configuration check command, you can enable the debugging for
checking the consistency of HRP configuration.
Using the undo debugging hrp configuration check command, you can disable the debugging
for checking the consistency of HRP configuration.

Format
debugging hrp configuration check
undo debugging hrp configuration check

Parameters
None

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
By default, the debugging for checking the consistency of HRP configuration is disabled.

Examples
# Enable the debugging for checking the consistency of HRP configuration.
<Eudemon> debugging hrp configuration check
*0.194184883 eudemon COCHK/8/DEBUGGING:
Output configuration check message block:
00 01 00 0c 00 01 00 00 00 00 00 00

# Some information is output after the MD5 calculation. If the information displayed is not all
zeros, the consistency check is complete.
*0.194185033 eudemon COCHK/8/DEBUGGING:
Output configuration check message head:
00 01 00 18 01 01 00 00 00 00 00 3b

*0.194185183 eudemon COCHK/8/DEBUGGING:
Output hrp message for configuration check :
00 00 00 00 02 17 00 00 00 00 00 00 02 17 00 00
00 00 00 00 00 00 00 12 00 00 00 3c 00 00 00 00
00 00 00 00

*0.194185433 eudemon COCHK/8/DEBUGGING:
Output vgmp message for configuration check :
02 00 fe 2d 00 00 00 00 00 00 00 02 00 00 00 6b
05 01 00 00 00 00 00 00 00 00 00 3c

*0.194185650 eudemon COCHK/8/DEBUGGING:
Output vrrp message for configuration check :
2f 00 00 00 00 00 c5 76

The preceding debugging information shows that the Eudemon sends a consistency
check message, and shows the result of the consistency check. Table 4-1 lists the description of the
debugging hrp configuration check command output.

Table 4-1 Description of the debugging hrp configuration check command output

Item                                           Description
Output configuration check message block       Outputs the check control block.
Output configuration check message head        Outputs the check control head.
Output hrp message for configuration check     Outputs the information on checking the HRP module.
Output vgmp message for configuration check    Outputs the information on checking the VGMP module.
Output vrrp message for configuration check    Outputs the information on checking the VRRP module.

4.3.3 display hrp

Function
Using the display hrp command, you can view the HRP parameter settings and state.

Format
display hrp [ verbose ]

Parameters
verbose: displays HRP in detail.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None


Examples
# Display HRP state and parameter setting.
<Eudemon> display hrp
The firewall's config state is: MASTER
The master standby is: Virtual VRRP Group 1

# Display HRP state and parameter setting in detail.


<Eudemon> display hrp verbose
The firewall's config state is: MASTER
The master standby is: Virtual VRRP Group 1
HRP Channal on VRRP group 1 status:
VRRP Group status: MASTER
HRP status: RTORROUTINE_BACKUP 1

4.3.4 display hrp configuration check

Function
Using the display hrp configuration check command, you can query the result of the
configuration consistency check between the master and backup firewalls.

Format
display hrp configuration check { acl | all | hrp }

Parameters
acl: displays the result of the ACL consistency check.
all: displays the result of the ACL and HRP consistency check.
hrp: displays the result of the HRP consistency check.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
None

Examples
# Display the result of the ACL consistency check on the master and backup firewalls.
<Eudemon> system-view
[Eudemon] hrp configuration check acl
[Eudemon] display hrp configuration check acl
Module : acl
State : finish
Start-time: 2008/04/22 17:19:37
End-time : 2008/04/22 17:21:21
Result : timeout

Table 4-2 describes the output of the display hrp configuration check acl command.

Table 4-2 Description of the display hrp configuration check acl command output

Item         Description
Module       Indicates the module to be checked:
             • ACL
             • HRP
State        Indicates the checking status:
             • init: indicates the initial state. The configuration consistency check has not
               started.
             • check: indicates the checking state. The configuration consistency is being
               checked.
             • finish: indicates the finish state. The configuration consistency check is
               finished.
Start-time   Indicates the start time of the check.
End-time     Indicates the end time of the check.
Result       Indicates the result of the check. If the configuration consistency check is not
             performed, this item is blank. If the configuration consistency check is
             performed, the results are as follows:

             Result                            Description
             fail to get local configuration   Indicates that obtaining local configuration
                                               information failed.
             timeout                           Indicates that the response timed out. (Whether
                                               the response has timed out is checked when the
                                               hrp configuration check command and the display
                                               hrp configuration check command are run, and
                                               when the response packet is received from the
                                               peer end. That is, the check is whether more
                                               than 60 seconds have passed since the start of
                                               the configuration check.)
             abnormal end of task              Indicates that the task stopped abnormally.
                                               (Abnormal results are obtained from comparison
                                               between the local and peer end configuration
                                               information. An error occurred when constructing
                                               the request message.)
             fail to send request message      Indicates that sending the configuration
                                               consistency check message failed.
             abort check by user               Indicates that before the configuration check
                                               finishes, the user runs the undo hrp
                                               configuration check command to stop the check.
             same configuration                Indicates that the configuration check succeeded
                                               and the configurations at the two sides are
                                               consistent.
             different configuration           Indicates that the configuration check succeeded
                                               and the configurations at the two sides are not
                                               consistent.
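
When this output is collected by a monitoring script, only "same configuration" shows that the backup holds the same ACLs as the master; every other result means the two were not confirmed equal. The following Python code is an added example, not part of this manual. It assumes the command output has been captured as text and that the result strings appear exactly as listed in Table 4-2.

```python
import re
from datetime import datetime

# Result strings from Table 4-2, grouped by what they mean for an auditor.
CONSISTENT = {"same configuration"}
DRIFT = {"different configuration"}
INCONCLUSIVE = {
    "fail to get local configuration",
    "timeout",
    "abnormal end of task",
    "fail to send request message",
    "abort check by user",
}
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"

# Output as shown in the Examples section above.
PAGE_SAMPLE = """\
Module : acl
State : finish
Start-time: 2008/04/22 17:19:37
End-time : 2008/04/22 17:21:21
Result : timeout
"""

# Constructed sample (not from the manual): a finished check that found drift.
DRIFT_SAMPLE = """\
Module : acl
State : finish
Start-time: 2008/04/22 18:00:00
End-time : 2008/04/22 18:00:09
Result : different configuration
"""


def parse_fields(text):
    """Collect the 'Key : value' lines; prompts and other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z-]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def assess(text):
    """Return module, verdict and elapsed seconds for one check result."""
    f = parse_fields(text)
    elapsed = None
    if f.get("start-time") and f.get("end-time"):
        start = datetime.strptime(f["start-time"], TIME_FORMAT)
        end = datetime.strptime(f["end-time"], TIME_FORMAT)
        elapsed = int((end - start).total_seconds())
    result = f.get("result", "").lower()
    if f.get("state") != "finish":
        verdict = "pending"        # init or check: no result yet
    elif result in CONSISTENT:
        verdict = "consistent"
    elif result in DRIFT:
        verdict = "drift"          # master and backup differ
    elif result in INCONCLUSIVE:
        verdict = "inconclusive"   # no usable comparison; run the check again
    else:
        verdict = "unknown"        # string not listed in Table 4-2
    return {"module": f.get("module"), "verdict": verdict, "elapsed": elapsed}


if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, DRIFT_SAMPLE):
        print(assess(sample))
```

For the output shown in the Examples section, the verdict is "inconclusive" with 104 seconds elapsed, which agrees with the 60-second timeout rule in Table 4-2.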

Related Topics
4.3.8 hrp configuration check

4.3.5 firewall mode composite permit-backupforward

Function
Using the firewall mode composite permit-backupforward command, you can permit the
backup device to forward packets.
Using the undo firewall mode composite permit-backupforward command, you can forbid
the backup device from forwarding packets.

Format
firewall mode composite [ permit-backupforward ]

Parameters
permit-backupforward: indicates the backup device is permitted to forward packets.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
This command is applicable only to the master device working in composite mode. That is, you
can use the firewall mode composite permit-backupforward command in the system view of
the master device to allow packet forwarding by the backup device. By running the firewall
mode composite command again without the permit-backupforward parameter, you can disable
packet forwarding by the backup device.

Examples
# Permit the backup device to forward packets.
<Eudemon> system-view
[Eudemon] firewall mode composite permit-backupforward

4.3.6 firewall session bak-time

Function
Using the firewall session bak-time command, you can set the session entry duration before
backup.
Using the undo firewall session bak-time command, you can restore the default duration.

Format
firewall session bak-time seconds
undo firewall session bak-time

Parameters
seconds: specifies the session entry duration before backup, in a range of 1 to 60 seconds.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the session entry duration before backup is 10 seconds.
You can adjust the session entry duration so that it is not too short. Only the session
entries that have existed longer than the specified duration are backed up.

Examples
# Set the duration of all session entries in the dual-system hot backup to 15 seconds.
<Eudemon> system-view
[Eudemon] firewall session bak-time 15

4.3.7 hrp auto-sync

Function
Using the hrp auto-sync command, you can enable automatic backup of configuration
commands or connection status.
Using the undo hrp auto-sync command, you can disable automatic backup of configuration
commands or connection status.


Format
hrp auto-sync [ config [ batch-backup ] | connection-status ]

undo hrp auto-sync [ config [ batch-backup ] | connection-status ]

Parameters
config: enables the function of automatically backing up configuration commands.

batch-backup: enables the function of automatically backing up configuration commands in
batch.

connection-status: enables the function of automatically backing up connection state.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the Eudemon carries out automatic batch backup after it is booted and then carries
out automatic real-time backup after the batch backup completes.

This command is available only when the dual-system hot backup function is enabled, that is,
when the hrp enable command is configured.

If no parameter is specified, the hrp auto-sync command can carry out automatic backup of
configuration commands and connection states.

In master/backup mode, only firewalls in the master VRRP management group can automatically
back up configuration commands and connection status.

In load balancing mode, only master configuration devices can automatically back up
configuration commands and firewalls in the master VRRP management group can
automatically back up connection status.

Examples
# Enable the automatic backup of configuration commands.
<Eudemon> system-view
[Eudemon] hrp auto-sync config

Related Topics
4.3.9 hrp enable

4.3.8 hrp configuration check


Function
Using the hrp configuration check command, you can check whether the settings on the master
and backup firewalls are consistent.

Using the undo hrp configuration check command, you can stop checking the consistency of
the settings on the master and backup firewalls.

Format
hrp configuration check { acl | hrp }

undo hrp configuration check

Parameters
acl: checks the configuration consistency of the ACL on the master and backup firewalls.

hrp: checks the configuration consistency of the VGMP group and HRP on the master and
backup firewalls.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
None

Examples
# Check the configuration consistency of the ACLs on the master and backup firewalls.
<Eudemon> system-view
[Eudemon] hrp configuration check acl
You need use command: 'display hrp configuration check ...' to see the result.

Table 4-3 describes the error output of the hrp configuration check command.

Table 4-3 Description of the hrp configuration check command error output

Item                  Description
Unknown error         Indicates an unknown error.
Head message error    Indicates a message header error of the configuration consistency
                      check.
Fail to send packet   Indicates that sending the configuration consistency check message
                      failed.


Related Topics
4.3.4 display hrp configuration check

4.3.9 hrp enable

Function
Using the hrp enable command, you can enable HRP dual-system hot backup.
Using the undo hrp enable command, you can disable HRP dual-system hot backup.

Format
hrp enable
undo hrp enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, HRP dual-system hot backup is disabled.
You can automatically or manually back up commands only after dual-system hot backup is
enabled. If the state of the VRRP management group changes, the HRP state and the state of
the master/slave configuration devices might change as well. Moreover, the HRP state might
affect the state of the VRRP management group.
After dual-system hot backup is disabled, configuration commands and connection status cannot
be backed up but VRRP backup groups can still be added to or deleted from the VRRP
management group.


CAUTION
Before HRP is enabled, the interface configuration on the master and the backup must be
consistent, including:
• Position and number of the interfaces.
• Configuration related to hot backup. That is, VRRPs configured on the interfaces or
  sub-interfaces on corresponding slots must be added into the same VRRP management group.
• Interfaces and sub-interfaces on corresponding slots must be added into the same zone.

Examples
# Enable HRP dual-system hot backup.
<Eudemon> system-view
[Eudemon] hrp enable

Related Topics
4.3.7 hrp auto-sync
4.3.11 hrp sync

4.3.10 hrp ospf-cost adjust-enable

Function
Using the hrp ospf-cost adjust-enable command, you can enable OSPF cost change based on
HRP state.

Using the undo hrp ospf-cost adjust-enable command, you can disable OSPF cost change
based on HRP state.

Format
hrp ospf-cost adjust-enable ospf-cost

undo hrp ospf-cost adjust-enable

Parameters
ospf-cost: specifies the cost value of OSPF. It is an integer in a range of 1 to 65535.

Views
System view

Default Level
2: Configuration level


Usage Guidelines
After the hrp ospf-cost adjust-enable command is run, a switchover between the master and the
backup changes the OSPF cost value. OSPF then changes the routes so that the backup
Eudemon can take over services.

Examples
# Enable OSPF cost change based on HRP state.
<Eudemon> system-view
[Eudemon] hrp ospf-cost adjust-enable 300

4.3.11 hrp sync

Function
Using the hrp sync command, you can enable batch backup of configuration commands and
connection status manually.
Using the undo hrp sync command, you can disable batch backup of configuration commands
and connection status manually.

Format
hrp sync [ config | connection-status ]
undo hrp sync [ config | connection-status ]

Parameters
config: enables batch backup of configuration commands manually.
connection-status: enables batch backup of connection status manually.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
By default, manual batch backup of connection status is disabled.
The interval between two successive manual batch backup operations should be longer than 5
minutes. That is, for the hrp sync command, the hrp sync config command, and the hrp sync
connection-status command, any two of them must be run at an interval of longer than 5 minutes.
If no parameter is specified, the hrp sync command can carry out manual batch backup of
configuration commands and connection states.
In master/backup mode, only devices in the master VRRP management group can automatically
back up configuration commands and connection status.


In load balancing mode, only master configuration devices can automatically back up
configuration commands and devices in the master VRRP management group can automatically
back up connection status.

Examples
# Enable batch backup of configuration commands manually.
<Eudemon> hrp sync config

Related Topics
4.3.9 hrp enable

4.4 IP-Link Configuration Commands


4.4.1 debugging ip-link
4.4.2 display ip-link
4.4.3 ip-link
4.4.4 ip-link check enable

4.4.1 debugging ip-link

Function
Using the debugging ip-link command, you can debug the packets that the current IP-Link
receives and sends as well as the status changes of the link.
Using the undo debugging ip-link command, you can disable the debugging of IP-Link.

Format
debugging ip-link [ number ] [ event | packet ]
undo debugging ip-link [ number ] [ event | packet ]

Parameters
number: specifies the ID of the IP-Link. It is an integer in a range of 1 to 100.
event: debugs the IP-Link event including the status change of the link.
packet: debugs IP-Link packets, including sending and receiving packets.

Views
User view

Default Level
1: Monitoring level


Usage Guidelines
By default, the debugging of IP-Link is disabled.
You can debug one IP-Link specified by its ID or all IP-Links. When no ID is specified, all
IP-Links are debugged.
You can debug the link status change events of a specified IP-Link or the packets that the
IP-Link sends and receives.

NOTE

• When debugging an IP-Link, refer to the debugging operations for ICMP packets and ARP packets.
• After an IP-Link receives its own ICMP reply packets through the IP-Link module, these packets are
  dropped. The IP-Link does not transfer these packets to the upper layer for processing. Therefore, the
  debugging ip icmp command cannot display IP-Link detection packets sent by the IP-Link itself.

Examples
# Debug the link status change event of IP-Link 1.
<Eudemon> debugging ip-link 1 event

4.4.2 display ip-link

Function
Using the display ip-link command, you can view the configuration and status information
about all IP-Links or a specified IP-Link.

Format
display ip-link [ number ]

Parameters
number: specifies the ID of the IP-Link. It is an integer in a range of 1 to 100.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
When no ID is specified, the configuration and status information about all IP-Links is
displayed.

Examples
# Query all IP-Links.
<Eudemon> display ip-link
num state timer mode destination-IP interface-name
1 down 3 arp 12.1.1.1 Ethernet 0/0/0
2 down 3 icmp 12.1.1.1 Ethernet 0/0/1

Table 4-4 describes the output of the display ip-link command.

Table 4-4 Description of the display ip-link command output

Item             Description
num              Indicates the ID of an IP-Link.
state            Indicates the status of an IP-Link:
                 • Up
                 • Down
timer            Indicates the interval for scheduled IP-Link detection.
mode             Indicates the IP-Link detection mode. The detection modes are as follows:
                 • ICMP
                 • ARP
destination-IP   Indicates the destination address of the links.
interface-name   Indicates the bound interface.

Related Topics
4.4.3 ip-link

4.4.3 ip-link

Function
Using the ip-link command, you can configure an IP-Link.
Using the undo ip-link command, you can delete an existing IP-Link.

Format
ip-link number destination ip-address [ interface interface-type interface-number ] [ timer interval ] [ mode { icmp | arp } ]
undo ip-link number

Parameters
number: specifies the ID of IP-Link. It is an integer in a range of 1 to 100.
ip-address: specifies the destination IP address. This address should not be a loopback address,
class D IP address (multicast address), broadcast address (0.0.0.0 and 255.255.255.255), or other
illegal IP address.


interface interface-type interface-number: specifies the type and number of the egress used to
reach the destination IP address. The interface type specified in this command can be Ethernet
or GE only. If this parameter is not configured, the firewall obtains an egress by looking up in
the routing table.
timer interval: specifies the interval for the link changing from Up to Down when the IP-Link
cannot receive the packets. It ranges from 1s to 5s. The default interval is 3s.
mode { icmp | arp }: sets the detection mode of the IP-Link, either ICMP or ARP. The default
mode is ICMP.

NOTE

The ARP-mode IP-Link can detect destination IP addresses in the same network segment only. It cannot
detect destination IP addresses in different network segments.

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, no IP-Link is configured.
After the ip-link command is configured, an IP-Link aiming to detect a specific destination IP
address is generated.
When the IP-Link function is enabled but not started, the IP-Link does not send detection packets
to the specified destination IP addresses. After the IP-Link function is enabled and started:
• In the scenario where routes or a default route to the specified destination IP addresses are
  available, the IP-Link sends detection packets to the specified destination IP addresses
  regularly and waits for the reply packets to the detection packets.
• In the scenario where no route to the specified destination IP addresses is available, the
  IP-Link does not send auto-detection packets.

NOTE

When an IP-Link is configured, if you cannot find detection packets sent, check whether the IP-Link
detection function is enabled and whether routes to the specified destination IP addresses are available.

Examples
# Configure an IP-Link.
<Eudemon> system-view
[Eudemon] ip-link 1 destination 1.1.1.1 interface Ethernet 0/0/0 mode arp
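
The parameter limits above can be checked before a change is pushed to the firewall, so that a probe which can never come Up (for example an ARP-mode probe to an address outside the local segment) is caught in review. The following Python code is an added example, not part of this manual. The function names, the segment argument (the network of the egress interface) and the spelling "GigabitEthernet" for a GE interface are assumptions of the example.

```python
import ipaddress

# "Ethernet or GE only" per the parameter description; the CLI spelling
# "GigabitEthernet" for GE is an assumption of this example.
ALLOWED_IF_TYPES = ("Ethernet", "GigabitEthernet")


def lint_ip_link(number, destination, interface=None, timer=None,
                 mode=None, segment=None):
    """Return a list of problems; an empty list means the parameters
    satisfy the constraints documented for the ip-link command.

    segment (hypothetical input, e.g. "12.1.1.0/24") is the network of the
    egress interface and is needed only to check ARP mode.
    """
    problems = []
    if not 1 <= number <= 100:
        problems.append("number must be 1 to 100")
    if timer is not None and not 1 <= timer <= 5:
        problems.append("timer must be 1 to 5 seconds")
    if mode not in (None, "icmp", "arp"):
        problems.append("mode must be icmp or arp")
    if interface is not None:
        if_type = (interface.split() or [""])[0]
        if if_type not in ALLOWED_IF_TYPES:
            problems.append("interface type must be Ethernet or GE")
    try:
        ip = ipaddress.IPv4Address(destination)
    except ValueError:
        return problems + ["destination is not a valid IPv4 address"]
    if ip.is_loopback:
        problems.append("destination is a loopback address")
    if ip.is_multicast:
        problems.append("destination is a class D (multicast) address")
    if str(ip) in ("0.0.0.0", "255.255.255.255"):
        problems.append("destination is a broadcast address")
    if mode == "arp":
        # ARP mode detects addresses in the same network segment only.
        if segment is None:
            problems.append("ARP mode: egress segment unknown, cannot verify")
        elif ip not in ipaddress.IPv4Network(segment, strict=False):
            problems.append("ARP mode: destination is outside the local segment")
    return problems


def build_ip_link(number, destination, interface=None, timer=None,
                  mode=None, segment=None):
    """Return the ip-link command line, or raise ValueError listing problems."""
    problems = lint_ip_link(number, destination, interface, timer, mode, segment)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["ip-link", str(number), "destination", destination]
    if interface:
        parts += ["interface", interface]
    if timer is not None:
        parts += ["timer", str(timer)]
    if mode:
        parts += ["mode", mode]
    return " ".join(parts)


if __name__ == "__main__":
    # The manual's own example, with a constructed /24 for the egress segment.
    print(build_ip_link(1, "1.1.1.1", "Ethernet 0/0/0", mode="arp",
                        segment="1.1.1.0/24"))
    # Constructed failing case: ARP probe to an off-segment address.
    print(lint_ip_link(3, "10.9.9.9", "Ethernet 0/0/1", mode="arp",
                       segment="12.1.1.0/24"))
```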

Related Topics
4.4.2 display ip-link

4.4.4 ip-link check enable


Function
Using the ip-link check enable command, you can enable the IP-Link auto-detection function.
Using the undo ip-link check enable command, you can disable the IP-Link auto-detection
function.

Format
ip-link check enable
undo ip-link check enable

Parameters
None

Views
System view

Default Level
2: Configuration level

Usage Guidelines
By default, the IP-Link auto-detection function is disabled.
After the IP-Link auto-detection function is enabled and an IP-Link is configured, the IP-Link
automatically sends a specified type of detection packets to the specified destination IP
addresses.

NOTE

When an IP-Link is configured and no IP-Link detection packets are found, check whether the IP-Link
auto-detection function is enabled.

Examples
# Enable the IP-Link auto-detection function.
<Eudemon> system-view
[Eudemon] ip-link check enable
