3COM OS Switch 4500 V3.03.02p15 Release Notes
3COM OS Switch 4500 V3.03.02p15 Release Notes
3COM OS Switch 4500 V3.03.02p15 Release Notes
Full spelling Access Control List Command line interface Dynamic Host Configuration Protocol File Transfer Protocol Generic Attribute Registration Protocol GARP VLAN Registration Protocol Huawei Group Management Protocol Hypertext Transfer Protocol Internet Control Message Protocol Internet Group Management Protocol Internet Protocol Link Aggregation Control Protocol Management Information Base Multiple Spanning Tree Protocol Neighbor Discovery Protocol Net Time Protocol Quality of Service Remote Authentication Dial-In User Service Remote Monitoring Rapid Spanning Tree Protocol Simple Network Management Protocol Strict Priority Secure Shell
Page 1 of 74
Full spelling Spanning Tree Protocol Trivial File Transfer Protocol User Datagram Protocol Virtual Local Area Network 3Com Network Director
Page 2 of 74
Table of Contents
Version Information 6 Version Number 6 Version History 6 Hardware and Software Compatibility Matrix 7 Restrictions and Cautions 8 Feature List 9 Hardware Features 9 Software Features 9 Version Updates 11 Feature Updates 11 Command Line Updates 15 MIB Updates 29 Configuration Changes 31 V3.03.02p15 Operation Changes 31 V3.03.02p11 Operation Changes 31 V3.03.02p09 Operation Changes 32 V3.03.02p06 Operation Changes 32 V3.03.02p05 Operation Changes 32 V3.03.02p04 Operation Changes 33 V3.03.02p03 Operation Changes 33 V3.03.02p01 Operation Changes 34 V3.03.02 Operation Changes 34 V3.03.00p03 Operation Changes 34 V3.03.00p01 Operation Changes 35 V3.03.00 Operation Changes 35 Open Problems and Workarounds 35 List of Resolved Problems 36 Resolved Problems in V3.03.02p15 36 Resolved Problems in V3.03.02p11 38 Resolved Problems in V3.03.02p09 39 Resolved Problems in V3.03.02p06 42 Resolved Problems in V3.03.02p05 44 Resolved Problems in V3.03.02p04 45 Resolved Problems in V3.03.02p03 47 Resolved Problems in V3.03.02p01 52 Resolved Problems in V3.03.02 53 Resolved Problems in V3.03.00p03 54 Resolved Problems in V3.03.00p02 56 Resolved Problems in V3.03.00p01 59
December 30, 2010 Page 3 of 74
Resolved Problems in V3.03.00 61 Resolved Problems in V3.02.00p02 61 Resolved Problems in V3.02.00p01 61 Resolved Problems in V3.02.00 62 Resolved Problems in V3.01.00p03 62 Resolved Problems in V3.01.00p02 62 Resolved Problems in V3.01.00p01 62 Resolved Problems in V3.01.00 63 Related Documentation 63 Software Upgrading 63 Remote Upgrading through CLI 63 Boot Menu 64 Software Upgrading via Console Port (Xmodem Protocol) 65 Using TFTP Through an Ethernet Interface 67 Using FTP Through an Ethernet Interface 68 Appendix 69 Details of Added or Modified CLI Commands in V3.03.02p06 69 dot1x unicast-trigger 69 Details of Added or Modified CLI Commands in V3.03.02p11 69 mac-authentication timer offline-detect 69 bpdu-drop any 70 Details of Added or Modified CLI Commands in V3.03.02p15 71 voice vlan lldp 71 display link-delay 71 link-delay 72 link-delay up 73 link-delay updown 73
Page 4 of 74
List of Tables
Table 1 Version history .............................................................................................................................. 6 Table 2 Compatibility matrix....................................................................................................................... 7 Table 3 Hardware features ........................................................................................................................ 9 Table 4 Software features.......................................................................................................................... 9 Table 5 Feature updates...........................................................................................................................11 Table 6 Command line updates............................................................................................................... 15 Table 7 MIB updates................................................................................................................................ 29
Page 5 of 74
Version Information
Version Number
Version Information: 3Com OS V3.03.02s168p15 Note: To view version information, use the display version command in any view. See Note.
Version History
Table 1 Version history Version number V3.03.02s168p15 V3.03.02s168p11 V3.03.02s168p09 Last version V3.03.02s168p11 V3.03.02s168p09 V3.03.02s168p06 Release Date 2010-12-15 2010-06-21 2010-04-23 None None From the version, only release the APP of 168-bit encryption for SSH. None Remarks
V3.03.02s56p06 V3.03.02s168p06 V3.03.02s56p05 V3.03.02s168p05 V3.03.02s56p04 V3.03.02s168p04 V3.03.02s56p03 V3.03.02s168p03 V3.03.02s56p01 V3.03.02s168p01 V3.03.02s56 V3.03.02s168 V3.03.00s56p03 V3.03.00s168p03 V3.03.00s56p02 V3.03.00s168p02 V3.03.00s56p01 V3.03.00s168p01 V3.03.00s56 V3.03.00s168
V3.03.02s56p05 V3.03.02s168p05 V3.03.02s56p04 V3.03.02s168p04 V3.03.02s56p03 V3.03.02s168p03 V3.03.02s56p01 V3.03.02s168p01 V3.03.02s56 V3.03.02s168 V3.03.00s56p03 V3.03.00s168p03 V3.03.00s56p02 V3.03.00s168p02 V3.03.00s56p01 V3.03.00s168p01 V3.03.00s56 V3.03.00s168 V3.02.00s56p02 V3.02.00s168p02
2009-12-23
2009-10-14
None
2009-08-19
None
2009-06-19
None
2009-02-23
features
2008-10-31
features
2008-09-25
2008-06-16
None
2008-03-20
None
2008-02-29
of
Page 6 of 74
Version number V3.02.00s56p02 V3.02.00s168p02 V3.02.00s56p01 V3.02.00s168p01 V3.02.00s56 V3.02.00s168 V3.01.00s56p03 V3.01.00s168p03 V3.01.00s56p02 V3.01.00s168p02 V3.01.00s56p01 V3.01.00s168p01 V3.01.00s56 V3.01.00s168
Last version V3.02.00s56p01 V3.02.00s168p01 V3.02.00s56 V3.02.00s168 V3.01.00s56p03 V3.01.00s168p03 V3.01.00s56p02 V3.01.00s168p02 V3.01.00s56p01 V3.01.00s168p01 V3.01.00s56 V3.01.00s168 First release
Remarks
2007-06-30
None
2007-01-17
features
2006-09-21
2006-06-13
None
2006-01-09
None
2005-10-27
First release
Specifications
iNode PC 3.60-E6307
4.04 None
Page 7 of 74
When a switch with a new version flash runs V3.01.00, using FTP to upload an application file to the switch, or performing write operations on the flash of the switch such as executing the display diagnostic-information command often fails. V3.01.00p01 and later have solved this problem. A device running boot ROM V1.00 may get out of power during startup, which may cause the loss of the application file. You are recommended to upgrade the boot ROM version to V1.01 to solve this problem.
<4500>display version 3Com Corporation Switch 4500 26-Port Software Version 3Com OS V3.xx.xx ------- Note Copyright (c) 2004-2008 3Com Corporation and its licensors, All rights reserved. Switch 4500 26-Port uptime is 0 week, 0 day, 0 hour, 0 minute
Switch 4500 26-Port with 1 MIPS Processor 64M 8196K bytes DRAM bytes Flash Memory
Page 8 of 74
Feature List
Hardware Features
Table 3 Hardware features Category Dimensions (H W D) Description 43.6mm 440mm 260mm (1.72 17.32 10.24 in.) (devices without PWR) 43.6mm 440mm 420mm (1.72 17.32 16.54 in.) (devices with PWR)
Weight (full configuration) 3.5Kg (7.72 lb.) (26-port devices without PWR) 4Kg (8.82 lb.) (50-port devices without PWR) 5.8Kg (12.79 lb.) (26-port devices with PWR) 6.2Kg (13.67 lb.) (50-Port devices with PWR)
Maximum consumption
power
40 W (26-port devices without PWR) 50 W (50-port devices without PWR) 380 W (26-port devices with PWR) 380 W (50-Port devices with PWR)
Input voltage
AC: Rated voltage range: 100 VAC to 240 VAC (50Hz to 60Hz) Max voltage range: 90 VAC to 264 VAC (50Hz to 60Hz) DC: Rated voltage range: 48 VDC to 60 VDC Max voltage range: 72 VDC to 36 VDC
Software Features
Table 4 Software features Features Port auto-negotiation Flow control Link aggregation Description Supports both speed and duplex mode auto-negotiation. Supports IEEE 802.3x-compliant flow control for full-duplex, and backpressure based flow control for half-duplex. Supports up to 8 aggregation groups, each of which supports up to 8 FE ports or 4 GE ports.
Page 9 of 74
Description The port internal loopback test detects the connectivity between switch chips and PHY chips. The port external loopback test detects the connectivity between PHY chips and network interfaces with the help of the self-loop header. The two tests used together can determine whether a fault is a switch fault or a link fault.
Combo ports Unicast, multicast and broadcast suppression VLAN MAC address table Supports bandwidth ratio- and rate-based suppression modes on ports. Supports port-based VLANs, and up to 256 IEEE 802.1Q-compliant VLANs. Supports MAC address learning and up to 8K MAC addresses; Complies with IEEE 802.1D; Notifies MAC address changes to ARP. RSTP 802.1X authentication Supports STP and complies with IEEE 802.1D. Supports PEAP/EAP/TLS/TTLS. The main purpose of IEEE 802.1X is to implement authentication for wireless LAN users, but its application in IEEE 802 LANs provides a method of authenticating LAN users. SSHv2 Secure Shell (SSH) offers an approach to logging into a remote device securely. By encryption and strong authentication, it protects devices against attacks such as IP spoofing and plain text password interception. A switch can work as an SSH server to support connections with SSH clients running on PCs. The voice VLAN feature adds ports into voice VLANs by identifying the source MAC addresses of packets. It automatically assigns higher priority for voice traffic to ensure voice quality. This feature supports two application modes: manual and automatic. Through a DHCP relay agent, DHCP clients in a subnet can communicate with a DHCP server in another subnet to obtain valid IP addresses. In this way, DHCP clients in different subnets can share one DHCP server. This method saves costs and helps implement centralized management. Supports up to 256 static ARP entries. Supports static routing and RIP. Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups. Bandwidth management; flow control with 64 bps granularity; 8 sending queues per port; Traffic classification; Traffic rate limit; Port mirroring, which supports only one source mirroring port.
Voice VLAN
QoS
Page 10 of 74
Description Software upload and upgrade through the XMODEM protocol, FTP or TFTP To implement authentication on remote telnet, web, and console users, you need to configure use names and passwords on a RADIUS server, and configure RADIUS authentication on the access switch. When such a user logs onto the switch, the switch sends the user name and password to the RADIUS server for authentication. If the user passes authentication, it can log it to the switch. The switch can only works as a TFTP client. Configuration methods supported: CLI, console port, telnet, and Modem; Features and functions supported: SNMP, remote monitoring (RMON) 1/2/3/9 group MIBs, system logging, hierarchical alarming, Syslog And NTP. Filtering, output and collection of alarm/debug information; Diagnostic tools: Ping, Tracert, and so on; Remote maintenance through Telnet and other ways
Network maintenance
web Fault diagnostics and alarm output Fast startup Detects and reports hardware/software faults. In fast startup mode, a switch can complete a startup process within 60 seconds by skipping the power-on self test (POST) and directly running the APP program. You can set the startup mode to fast or normal in the boot ROM menu.
Version Updates
Feature Updates
Table 5 Feature updates Version Number V3.03.02p15 Item Hardware feature updates Software feature updates None New feature: 1) Automatic Discovery of IP Phones Using LLDP 2) Link State Change Suppression Configuration V3.03.02p11 Hardware feature updates Software feature updates None New features: bpdu-drop any Description
Page 11 of 74
Item Hardware feature updates Software feature updates None New features:
Description
1) DHCP client supports automatic configuration of default route None New features: 1) 802.1X Unicast Trigger Function None None None New features: 1) System-guard transparent feature With this function, you can configure the switch not to deliver RIP multicast packets to the CPU while the protocol is not enabled on the switch. 2) Mac-address max-mac-count log 3) LACP MAD
V3.03.02p06
V3.03.02p05
V3.03.02p04
V3.03.02p03
None New features: 1) Restart accounting when the reauthentication user name changes. 2) Private LLDP MIB 3) CPU-protection feature 4) Command-alias feature 5) Loopback detection trap 6) IPv6 ACL
V3.03.02p01
Version Number
Item 4) 5)
This feature can be configured to ignore the authentication attribute in the RADIUS Authentication Accept packet. Please refer to the Operation Manual and Command Manual. V3.03.02 Hardware feature updates Software feature updates None New features: 1) 2) 3) 4) LLDP IP Source Guard Dynamic ARP Inspection HWTACACS.
Please refer to the Operation Manual and Command Manual. V3.03.00p03 Hardware feature updates Software feature updates None New features: 1) 2) 3) V3.03.00p02 Hardware feature updates Software feature updates Sub IP DHCP server Password control
None New features: RSA, DSA negotiation order self-selection and GVRP None New features: Support for RFC4188 and RFC2674. None New features added to V3.03.00e on the basis of V3.02.xx: 1) 2) 3) 4) 5) VLAN mapping Selective QINQ IGMP snooping non-flooding FTP banner HTTP banner
Page 13 of 74
V3.03.00p01
V3.03.00
Version Number
Item 6) 7) 8) 9)
Description Telnet copyright Speed auto-negotiation configuration Port link-delay (link state change delay) Host manual addition to a multicast group
10) Dot1X handshake control 11) Router port manual designation 12) Support for inner-VLAN based Layer-2 ACL configuration, which allows you to configure ACL rules based on the inner VLAN information of packets. 13) IPv6 management 14) DHCP snooping support for processing DHCP NAK and decline packets 15) Enhanced SFP, supporting SFP encryption information reading 16) Port isolation across a stack 17) EAP authentication mode for telnet users 18) Port security and/or mode 19) RIP support for modifying the offset field for specific subnets 20) SNMP support for password configuration copy 21) IGMPv3 snooping 22) Support for long domain names 23) Support for mask configuration in SNMP MIBview 24) MAC-authentication support for guest VLAN 25) DLDP recover 26) DHCP option 82 string function 27) HGMP topology management and trace-MAC 28) EAD quick employment 29) Support for web-based cluster configuration 30) Destination MAC address update Deleted features: password control V3.02.00p02 Hardware feature updates Software feature updates None New features: 1. Or mode of port-security Dot1X request packets trigger dot1X authentication; non-dot1X packets with an
December 30, 2010 Page 14 of 74
Version Number
Item
Description unknown MAC address trigger MACauthentication. Suppose the source MAC address of a dot1X packet passes MAC authentication. If it then passes dot1X authentication, the original MAC authentication user logs out automatically; if not, the original MAC authentication user keeps online.
V3.02.00
None New features: 1) 2) 3) 4) 5) Putty V0.58 support Syslog to host 802.1X PEAP/EAP/TLS/TTLS NTP Notifying MAC address/port changes to ARP
V3.01.00
First release; refer to related manuals for more information. First release; refer to related manuals for more information.
None None None Refer to Details of Added or Modified CLI Commands in V3.03.02p06
Page 15 of 74
New Commands
Version Number
Item Removed Commands Modified Commands None None None None None Command 1: Syntax
Description
V3.03.02p05
V3.03.02p04
New Commands
system-guard transparent rip undo system-guard transparent rip View System view Description Use the system-guard transparent command to configure the system-guard transparent function for RIP protocol. Then, upon receiving a RIP multicast packet, the switch will only broadcast the packet within the corresponding VLAN, but not deliver the packet to the CPU for processing. Use the undo system-guard transparent command to disable the function for RIP protocol. Then, upon receiving a RIP multicast packet, the switch will not only broadcast the packet within the corresponding VLAN but also deliver the packet to the CPU for processing. By default, the system-guard transparent function is disabled on the switch. Note that: If RIP is enabled on the switch, do not enable the system-guard transparent function for the protocol. Otherwise, RIP cannot function normally. Example
[sysname] system-guard transparent rip Caution: When enabling RIP, undo this command. Otherwise, RIP can't work correctly.
None None Please refer to the manuals of new features provided along with current version. None
Page 16 of 74
Version Number
Description Please refer to the manuals of new features provided along with current version for IPv6 acl command. Command 1: Syntax [ undo ] icmp acl-priority View System view Description Use the icmp acl-priority command to modify the local priority of ICMP packets which are forwarded to the CPU. When the device has an IP address configured, enabling the command will occupy some hardware ACL resources. Use the undo icmp acl-priority command to keep the local priority and free the corresponding hardware ACL resources. By default, the icmp acl-priority command is applied. Example
[Switch] undo icmp acl-priority
V3.03.02p01
New Commands
Command 2: Syntax [ undo ] mirroring stp-collaboration View System view Description Use the mirroring stp-collaboration command to enable the collaboration of mirroring and STP state. When a mirrored port is in STP discarding state (or in discarding state in at least one instance while it is in MSTP mode), mirroring on this port doesnt work. When its STP state changes to forwarding state, mirroring is activated. Use the undo mirroring stp-collaboration command to disable the collaboration. By default, the mirrored port is independent
December 30, 2010 Page 17 of 74
Version Number
Item
undo attribute-ignore { all | standard | vendor vendor-id } View RADIUS view Description The attribute-ignore vendor vendor-id type type-value command is used to ignore specific private attributes having the specified vendor ID and type. The attribute-ignore standard type typevalue command is used to ignore all the standard attributes having the specified type. undo attribute-ignore all command is used to remove all the attribute-ignore configuration. undo attribute-ignore standard command is used to remove the ignore configuration of RADIUS standard attributes. undo attribute-ignore vendor vendor-id is used to remove the ignore configuration of the given Vendor ID private attribute. One RADIUS standard attribute can be configured with one attribute-ignore command at most; one Vendor ID can bee configured with one attribute-ignore command at most. One RADIUS scheme can be configured with 3 attribute-ignore commands at most. Example # Configure RADIUS scheme system to ignore the type 81 standard attribute.
[Switch]radius scheme system [Switch-radius-system]attribute-ignore standard type 81
# Configure RADIUS scheme system to ignore the type 22 H3C private attribute with
December 30, 2010 Page 18 of 74
Version Number
Item
# Remove the H3C private attribute ignore configuration of RADIUS scheme system:
[Switch-radius-system]undo ignore vendor 2011 attribute-
Removed commands Modified Commands V3.03.02 New Commands Removed commands Modified Commands V3.03.00p03 New Commands
None None Please refer to the Command Manual. Please refer to the Command Manual. Please refer to the Command Manual. Command 1: Syntax ip address ip-address { mask | masklength } [ sub ] undo ip address [ ip-address { mask | mask-length } [ sub ] ] View VLAN interface view, loopback interface view Parameters ip-address: IP address, in dotted decimal notation. mask: Subnet mask, in dotted decimal notation. mask-length: Subnet mask length, the number of consecutive ones in the mask. It is in the range of 0 to 32. sub: Specifies a secondary IP address of a VLAN or loopback interface. Description Use the ip address command to specify an Operation Operation Operation Manual Manual Manual and and and
Page 19 of 74
Version Number
Item
Description IP address and mask for a VLAN or loopback interface. Use the undo ip address command to remove an IP address and mask of a VLAN or loopback interface. By default, no IP address is configured for VLAN or loopback interface. Note that: If you execute the undo ip address command without any parameter, the switch deletes both primary and secondary IP addresses of the interface. The undo ip address ip-address { mask | mask-length } command is used to delete the primary IP address. The undo ip address ip-address { mask | mask-length } sub command is used to delete specified secondary IP addresses. You can assign at most five IP address to an interface, among which one is the primary IP address and the others are secondary IP addresses. A newly specified primary IP address overwrites the previous one if there is any. The primary and secondary IP addresses of an interface cannot reside on the same network segment; the IP address of a VLAN interface must not be in the same network segment as that of a loopback interface on a device. A VLAN interface cannot be configured with a secondary IP address if the interface has been configured to obtain an IP address through BOOTP or DHCP. Examples # Assign the primary IP address 129.12.0.1 and secondary IP address 129.12.1.1 to VLAN-interface 1 with subnet mask 255.255.255.0.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Vlan-interface 1 [Sysname-Vlan-interface1] ip address 129.12.0.1 255.255.255.0 [Sysname-Vlan-interface1] ip address 129.12.1.1 255.255.255.0 sub
Page 20 of 74
Version Number
Item Syntax
Description
igmp-snooping special-query source-ip { current-interface | ip-address } undo igmp-snooping source-ip View VLAN view Parameters current-interface: Specifies the IP address of the current VLAN interface as the source address to be carried in IGMP group-specific queries. If the current VLAN interface does not have an IP address, the default IP address 0.0.0.0 will be used as the source IP address of IGMP group-specific queries. ip-address: Specifies the source address to be carried in IGMP group-specific queries, which can be any legal IP address. Description Use the igmp-snooping special-query source-ip command to configure the source address to be carried in IGMP group-specific queries. Use the undo igmp-snooping special-query source-ip command to restore the default. By default, the Layer 2 multicast switch sends group-specific query messages with the source IP address of 0.0.0.0. Related commands: igmp-snooping querier. Examples # Configure the switch to send groupspecific query messages with the source IP address 2.2.2.2 in VLAN 3.
<Sysname> system-view System view, return to user view with Ctrl+Z. [Sysname] igmp-snooping enable [Sysname] vlan 3 [Sysname-vlan3] igmp-snooping enable [Sysname-vlan3] igmp-snooping specialquery source-ip 2.2.2.2
special-query
Version Number
Item Syntax
Description
language-mode { english | chinese } View: user view Reason No need to support Chinese language mode Modified Commands Command 1: Syntax traffic-limit inbound acl-rule [ unioneffect ] target-rate [ burst-bucket burstbucket-size ] [ exceed action ] undo traffic-limit inbound acl-rule View Ethernet port view Parameters inbound: Imposes traffic limit on the packets received through the interface. acl-rule: ACL rules to be applied for traffic classification. This argument can be the combination of multiple ACLs. For more information about this argument. Note that the ACL rules referenced must be those defined with the permit keyword. union-effect: Specifies that all the ACL rules, including those identified by the aclrule argument in this command and those applied previously, are valid. If this keyword is not specified, traffic policing issues both the rate limiting action and the permit action at the same time, that is, traffic policing permits the conforming traffic to pass through. If this keyword is specified, traffic policing issues only the rate limiting action but not the permit action. In this case, if a packet matches both an ACL rule specified in the traffic-limit command and another previously applied ACL rule with the deny keyword specified, the packet will be dropped.
On Ethernet 1/0/1, assume that the filter command is configured to filter packets
December 30, 2010 Page 22 of 74
Version Number
Item
Description destined to IP address 2.2.2.2 and the traffic-limit command is configured to limit the rate of packets sourced from IP address 1.1.1.1 within 128 kbps. Whether packets conforming to the rate limit of 128 kbps, sourced from IP address 1.1.1.1, and destined to IP address 2.2.2.2 (referred to as packets A later) will be dropped depends on the union-effect keyword of the trafficlimit command. If the union-effect keyword is not specified, the traffic-limit command issues both the rate limiting action and the permit action. Whether packets A can pass through depends on the configuration order of the filter command and the traffic-limit command. If the traffic-limit command is configured after the filter command is configured, packets A can pass through; otherwise, packets A are dropped. If the union-effect keyword is specified, the traffic-limit command issues only the rate limiting action. Whether packets A can pass through depends on the filter command. As for this example, packets A are dropped. target-rate: Target packet rate (in kbps) to be set. The range of this argument varies with the port type as follows. Fast Ethernet port: 64 to 99,968 Gigabit Ethernet port: 64 to 1,000,000 The granularity of rate limit is 64 kbps. If the number you input is in the range N*64 to (N+1)*64 (N is a natural number), it will be rounded off to (N+1)*64. burst-bucket burst-bucket-size: Specifies the maximum burst traffic size (in KB) allowed. The burst-bucket-size argument ranges from 4 to 512 and defaults to 512. Note that it must be an integer power of 2. exceed action: Specifies the action to be taken when the traffic rate exceeds the threshold. The action argument can be: drop: Drops the packets. remark-dscp value: Sets a new DSCP value for the packets and then forwards the packets. Description Use the traffic-limit command to enable traffic policing and set the related settings. Use the undo traffic-limit command to disable traffic policing for packets matching specific ACL rules.
Page 23 of 74
Version Number
Item
Description Related commands: display qos-interface traffic-limit. Examples # Configure traffic policing for inbound packets sourced from VLAN 200 on Ethernet 1/0/1, setting the target packet rate to 128 kbps, burst bucket size to 64 KB, and configuring to drop the packets exceeding the rate limit.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] acl number 4000 rule [Sysname-acl-ethernetframe-4000] permit source 200 [Sysname-acl-ethernetframe-4000] quit [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] traffic-limit inbound link-group 4000 128 burstbucket 64 exceed drop
Command 2: Syntax line-rate { inbound | outbound } target-rate [ burst-bucket burst-bucket-size ] undo line-rate{ inbound | outbound } View Ethernet port view Parameters inbound: Limits the inbound packet rate. outbound: Limits the outbound packet rate. target-rate: Total target rate (in kbps). The range of this argument varies with port type as follows: Fast Ethernet port: 64 to 99,968; GigabitEthernet port: 64 to 1,000,000. The granularity of port rate limit is 64 kbps. Assume that the value you provide for the target-rate argument is in the range N*64 to (N+1)*64 (N is a natural number), it will be rounded off to (N+1)*64. burst-bucket burst-bucket-size: Specifies the maximum burst traffic size (in KB). This is the buffer size provided for burst traffic while traffic is being forwarding or received at the rate of target-rate. The burst-bucketsize argument must be an integer power of 2, in the range of 4 to 512. If it is not specified, 512 KB applies by default.
December 30, 2010 Page 24 of 74
Version Number
Item Description
Description
Use the line-rate command to limit the rate of the inbound or outbound packets on a port. Use the undo line-rate command to cancel the line rate configuration. Compared to traffic policing, line rate applies to all the inbound or outbound packets passing through a port and thus a simpler solution when you only want to limit the rate of all the inbound or outbound packets passing through a port as a whole. Examples # Limit the inbound packet rate to 128 kbps on Ethernet 1/0/1 and provide 32 KB of buffer for burst traffic.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface Ethernet1/0/1 [Sysname-Ethernet1/0/1] line-rate inbound 128 burst-bucket 32
Command 3: Syntax display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | static ] View Any view Parameters vlan-id1: Specifies the ID of a VLAN of which information is to be displayed, in the range of 1 to 4094. to vlan-id2: In conjunction with vlan-id1, define a VLAN range to display information about all existing VLANs in the range. The vlan-id2 argument takes a value in the range of 1 to 4094, and must not be less than that of vlan-id1. all: Displays information about all the VLANs.
December 30, 2010 Page 25 of 74
Version Number
Item
Description dynamic: Displays the number of dynamic VLANs and the ID of each dynamic VLAN. Dynamic VLANs refer to VLANs that are generated through GVRP or those distributed by a RADIUS server. static: Displays the number of static VLANs and the ID of each static VLAN. Static VLANs refer to VLANs manually created. Description Use the display vlan command to display information about VLANs. The output shows the ID, type, VLAN interface state and member ports of a VLAN. If no keyword or argument is specified, the command displays the number of existing VLANs in the system and the ID of each VLAN. Command 4: Syntax display ntdp device-list [ verbose ] View Any view Parameters verbose: Displays the detailed information of devices in a cluster. Description Use the display ntdp device-list command to display the cluster device information collected by NTDP. Examples # Display the list of devices collected by NTDP.
<Sysname> display ntdp device-list MAC HOP IP PLATFORM 000f-e20f-3901 0 100.100.1.1/24 Switch 4500 000f-e20f-3190 1 16.1.1.1/24 Switch 4500
V3.02.00p02
New Commands
Page 26 of 74
Version Number
Item View
Description
System view Parameters None Description Use the port-security enable command to enable port security. Use the undo port-security command to disable port security. By default, port security is disabled. Caution Enabling port security resets the following configurations on the ports to the defaults (as shown in parentheses below): 802.1x (disabled), port access control method (macbased), and port access control mode (auto) MAC authentication (disabled) In addition, you cannot perform the abovementioned configurations manually because these configurations change with the port security mode automatically. Examples # Enable port security.
<Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] port-security enable Notice: The port-control of 802.1x will be restricted to auto when portsecurity is enabled. Please wait... Done.
enable
Command 2: Configures port-security mode Syntax port-security port-mode { autolearn | mac-and-userlogin-secure | mac-anduserlogin-secure-ext | mac-authentication | mac-else-userlogin-secure | mac-elseuserlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userloginsecure-or-mac-ext | userlogin-withoui } undo port-security port-mode View
December 30, 2010 Page 27 of 74
Version Number
Item
Description Ethernet port view Description Use the port-security port-mode command to set the security mode of the port. Use the undo port-security port-mode command to restore the default mode. By default, the port is in the noRestriction mode, namely access to the port is not restricted.
Before setting the security mode to autolearn, you need to use the portsecurity max-mac-count command to configure the maximum number of MAC addresses allowed on the port. When a port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port. After setting the security mode to autolearn, you cannot configure static or blackhole MAC addresses on the port. When the port security mode is not noRestriction, you need to use the undo port-security port-mode command to change it back to noRestriction before you change the port security mode to other modes.
On a port configured with a security mode, you cannot do the following: Configure the maximum number of MAC addresses that can be learned. Configure the port as a reflector port for port mirroring. Configure the port as a Fabric port. Configure link aggregation.
Note that: If port security is enabled in system view and dot1X or MAC authentication is enabled on a port, some port-security related commands are executed on the port automatically. These commands cant be executed manually for compatibility with later releases. The details are as follows. 1) If MAC-authentication and MAC-based dot1X are
December 30, 2010 Page 28 of 74
Version Number
Item
Description enabled on a port, the following command is executed on the port automatically. port-security secure-ext port-mode mac-else-userlogin-
2) If MAC-based dot1X is enabled on a port, the following command is executed on the port automatically. port-security port-mode userlogin-secure-ext 3) If port-based dot1X is enabled on a port, the following command is executed on the port automatically. port-security port-mode userlogin 4) If mac-authentication is enabled on a port, the following command is executed on the port automatically. port-security port-mode mac-authentication Removed commands Modified Commands V3.02.00 New Commands Removed commands Modified Commands V3.01.00 New Commands Removed commands Modified Commands None None Please refer to the command manuals None Please refer to the command manuals First release; please refer to the manuals. First release; please refer to the manuals. First release; please refer to the manuals.
MIB Updates
Table 7 MIB updates Version number V3.03.02p15 Item New Modified V3.03.02p11 New Modified V3.03.02p09 New Modified V3.03.02p06 New Modified V3.03.02p05
December 30, 2010
MIB file None None None None None None None None None
Module None None None None None None None None None None None None None None None None None None
Description
New
Page 29 of 74
Version number
MIB file
Module None None None 1) VOICE VLAN 2) LLDP None None None
Description
V3.03.02p04
New Modified
V3.03.02p03
New
1) H3C-VOICEVLAN-MIB 2) H3C-LLDPEXT-MIB
1) Add node h3cVoiceVlanPortLe gacy and h3cVoiceVlanPortQo sTrus in h3cvoiceVlanPortTa ble to control 'voice VLAN legacy' and 'voice VLAN QOS trust'. 2) Adding the following private MIB: (1) h3clldpAdminStatus: Enable/Disable LLDP in global; (2) h3clldpComplianceC DPStatus: LLDP supports CDP in global; (3) h3clldpPortConfigTa ble:LLDP port configure table; (4) h3clldpPortConfigPo rtNum: LLDP port number; (5) h3clldpPortConfigCD PComplianceStatus: LLDP supports CDP in port
None None
None None
None None
Page 30 of 74
Version number
Item Modified
Description The vlan assignment mode SHOULD be the same as the mode of the corresponding server. 1 (integer) - Integer Vlan assignment mode. 2 (string) - String Vlan assignment mode. 3 (vlanlist) - VLAN-List Vlan assignment mode. The default value is integer. The 3rd mode is to support auto-vlan feature, which will be supported on the new software version.
V3.03.00p03
New Modified
None dot1X_tree.c
None After you set the attribute of the module to true, all 802.1X users on the corresponding port are disconnected, and then the attribute of the module returns to false. If you perform get operations on the module, it always returns false.
Configuration Changes
V3.03.02p15 Operation Changes
1) DHCP Snooping supports forwarding BOOTP packet
In early version: The syslog records only the user's name after a WEB user log in, such as:
%Apr %Apr 7 09:10:24:698 2010 switch WEB/5/USER:- 1 -web login succeed 7 09:10:47:961 2010 switch WEB/5/USER:- 1 -web logout
In current version: The syslog records both the user's name and the user's IP address after a WEB user log in, such as:
%Apr 7 09:20:34:698 2010 switch WEB/5/USER:- 1 -web (1.1.1.1) login succeed
Page 31 of 74
2)
In early version:LLDP packets are forwarded to other ports if LLDP function is disabled globally. In current version:LLDP packets aren't forwarded if LLDP function is disabled globally.
In early version: Switch serves as DHCP relay. If the packet received by the device whose length less than 300 bytes, the device does not add padding automatically to make packet length to 300 bytes. In current version: Switch serves as DHCP relay. If the packet received by the device whose length less than 300 bytes, the device add padding automatically to make packet length to 300 bytes. 2) Dot1x free-ip and stack aren't mutually exclusive any longer
In early version: DHCP server, DHCP snooping and DHCP Relay can not be enabled at the same time; otherwise PC can't get IP address successfully. In current version: DHCP server, DHCP snooping and DHCP Relay can be enabled at the same time. PC can get IP address successfully from switch, and of three functions can record its item.
In early version: Executing this command, only destination-hit function is enabled. In current version: Executing this command, the mac-address synchronization function will also be enabled besides the destination-hit function. 2) The change to the 'display mac-address'
In early version: There is no 'unit id' option, only display mac-address' can be executed to show the mac-addresses on the current device.
December 30, 2010 Page 32 of 74
In current version: The 'unit id' option is introduced. Therefore, the mac-address on every unit can be displayed through display mac-address unit id.
In early version: Specific syslog messages will be sent to log server from every unit in a stack. In current version: Specific syslog messages will be sent to log server only from the master unit in a stack. 2) The change to VLAN number
In early version: The device supports 256 VLANs. In current version: The device supports 4K VLANs.
In early version: Executing "Net2Startup" operation in "CONFIG-MAN-MIB", the filename can not contain directory. In current version: Executing "Net2Startup" operation in "CONFIG-MAN-MIB", the filename can contain directory. 2) Change to the content of option60 field in DHCP packets
In early version: When the switch is configured as a DHCP client, the option60 field in DHCP discover packets sent by the switch is filled only with the product series information. In current version: When the switch is configured as a DHCP client, the option60 field in DHCP discover packets sent by the switch is filled with the product series information and other more detailed information. 3) Change to the source MAC address of Loopback-detection packet
From 3.03.02p03, the source MAC address of Loopback-detection packet is changed from the Bridge MAC of the device to 00e0-fc09-bcf9. 4) The operation about Management address in LLDP packets
In early version:
December 30, 2010 Page 33 of 74
If the LLDP management-address has not been configured, the IP address of the VLAN with smallest ID which the port belongs to will be used. And if the IP address of the VLAN with smallest ID which the port belong to has not been configured, the loopback IP (127.0.0.1) address will be used. In current version: (1) If the LLDP management-address has not been configured, the IP address of the smallest permitted VLAN whose IP is configured will be used; (2) If the LLDP management-address has been configured, and the port belongs to the VLAN with the LLDP management-address, the IP address will be used; (3) Otherwise, no IP address will be used. 5) Modification of 802.1X re-authentication with user-name change
In early version: Doing 802.1X re-authentication with a RADIUS server. Even if user-name changes, the device just sends RADIUS Access-Request packet for the latter user-name, but does not send RADIUS Accounting-Stop packet for the former user-name. In current version: Doing 802.1X re-authentication with a RADIUS server. If user-name changes, the device sends RADIUS Accounting-Stop packet for the former user-name firstly, then sends RADIUS AccessRequest packet for the latter user-name.
Before modification, the switch cannot recognize any optical module with checksum errors. After modification, the switch can recognize such modules and output corresponding debug information .
In early version: By default, the IEEE 802.1t standard is used to calculate the default path costs of ports. In current version: By default, the legacy standard is used to calculate the default path costs of ports.
Before modification:
Page 34 of 74
The switch will delete the "poe enable" configuration of a port if the port detects overload for three consecutive times. After modification: The switch will not delete the "poe enable" configuration of a port if the port detects overload for three consecutive times.
Before modification: The interval for sending 802.1X multicast requests set with the dot1X timer tx-period command is in the range 10 to 120 seconds. If a port joins the guest VLAN upon receiving no response for an 802.1X multicast request, the shortest time for the port to join the guest VLAN is about 10 seconds. After Modification: The interval for sending 802.1X multicast requests set with the dot1X timer tx-period command is in the range 1 to 120 seconds. If a port joins to the guest VLAN upon receiving no response for an 802.1X multicast request, the shortest time for the port to join the guest VLAN is about 1 second.
Page 35 of 74
LSOD10082/LSOD10232
First Found-in Version: V3.03.02p11 Condition: When STP is disabled, 'loopback internal' test is executed on port A. At the same time, port B receives an STP packet. Port A and port B are in the same VLAN. Description: STP packet is sent back from port B.
LSOD10247/LSOD10274
First Found-in Version: V3.03.02p11 Condition: Use the command 'port-security trap dot1xlogon', 'port-security trap dot1xlogoff' or 'port-security trap dot1xlogfailure' to open the trap of dot1x, and the dot1x authentication-method is EAP, a user logs in successfully, and change the username when doing re-authentication. Description: Although the re-authentication is successful, the username in the trap dose not change.
ZDD03292/ZDD03331
First Found-in Version: V3.03.02p11 Condition: Configure the switch as DHCP client, and there is no END option in ACK packet from DHCP server. Description: The switch can not get IP address.
LSOD10189/LSOD10187
First Found-in Version: V3.03.02p11 Condition: Plug in BIDI fiber module. Description: The fiber module type is different between log information and the information displayed by command 'display transceiver interface'.
LSOD10207
First Found-in Version: V3.03.02p11 Condition: Configure the device through Web. Select Port > MAC Address [Add] from the navigation tree to add MAC address to a port of specified VLAN. Description: Cannot choose a port of specified VLAN to add MAC address.
LSOD10180
First Found-in Version: V3.03.02p11
December 30, 2010 Page 36 of 74
Condition: When the first octet of the MAC address of the client or the gateway is not 0x00(such as 30-00-00-00-00-01). Description: The EAD-Quick-Deploy feature doesn't work.
LSOD10079
First Found-in Version: V3.03.02p11 Condition: There are telnet users on device, executing display users all command. Description: The IP address is reduplicated in the result. For example (the italic part is unwanted):
<sysname>display users all UI F 0 F 1 2 3 4 5 6 7 AUX 0 AUX 1 AUX 2 AUX 3 AUX 4 AUX 5 AUX 6 AUX 7 VTY 0 VTY 1 00:00:13 00:00:03 TEL TEL 18.118.118.45 18.118.118.111 3 3 Delay 00:01:09 00:00:00 Type Ipaddress Username Userlevel 3 3
LSOD10077
First Found-in Version: V3.03.02p11 Condition: In a fabric, both master and slave were attacked by telnet log on packets. Description: The ACL resources will leak on master and slave.
LSOD10050
First Found-in Version: V3.03.02p11 Condition: Configure 'pki certificate access-control-policy', then add and remove rule. Description: Every operation will lead to 1056 bytes memory leak.
LSOD10083
First Found-in Version: V3.03.02p11 Condition: Switch serves as DHCP snooping, and it receives bootp packets or abnormal DHCP packets without option 53. Description: Switch reboots abnormally.
LSOD10016
First Found-in Version: V3.03.02p11
Page 37 of 74
Condition: Switch serve as DHCP snooping, and it receives DHCP ACK packets with source UDP port 4011. Description: DHCP snooping can not transmit those DHCP ACK packets.
LSOD10023
First Found-in Version: V3.03.02p11 Condition: Switch serves as DHCP relay and DHCP snooping, PC gets IP address through switch and renews its IP address. Description: When PC renew its IP address, DHCP snooping can not refresh its item.
ZDD02999
First Found-in Version: V3.03.02p09 Condition: Some NMS send messages to the device at the same time. Description: The device can only process 10 messages in one time, others are dropped.
LSOD09955
First Found-in Version: V3.03.00p02 Condition: A device receives ARP reply packet with VLAN X in 8021.q tag, and the corresponding VLAN interface X is UP. However, the port that receives the packet is NOT in the VLAN X. Description: The receiving port learns the ARP by error.
LSOD09894
First Found-in Version: V3.03.02p09 Condition: CPU is busy and there is a lot of trap information in a moment. Description: device reboots abnormally.
LSOD09928
First Found-in Version: V3.03.02p09 Condition: configured 'snmp-agent target-host trap address udp-domain A.B.C.D (D>223) params securityname RADAR'in system view. Description: execute 'undo snmp-agent target-host A.B.C.D (D>223) securityname RADAR' unsuccessfully.
LSOD09920
First Found-in Version: V3.03.02p09
Page 38 of 74
Condition: Configure 'authentication-mode scheme command-authorization' on VTY scheme. Telnet user passes RADIUS authentication and login the device. Description: After login, every command executed by user will cause memory leak.
LSOD09911
First Found-in Version: V3.03.02p09 Condition: The switch is enabled with DHCP snooping. The PXE client obtains an IP address through the switch, and downloads the bootstrap program and boot menu through the switch. Description: The PXE client can obtain an IP address successfully, but it fails to download the bootstrap program and boot menu.
LSOD09909
First Found-in Version: V3.03.02p09 Condition: Configure 'mac-address max-mac-count X' on the portA. Description: The system sometimes prompts 'MAC address table exceeded maximum number X on interface portA' after the learning MAC count of the port A has not reached the limit.
LSOD09745
First Found-in Version: V3.03.02p06 Condition: In a stack, dot1x is not enabled globally, but enabled on several ports. Description: Attempt to execute dot1x globally times out and fails.
LSOD09830
First Found-in Version: V3.03.02p06 Condition: The client application does dot1x authentication with TTLS certification. Description: By chance, the device reboots abnormally for dead loop.
LSOD09837
First Found-in Version: V3.03.02p06 Condition: Switch serves as DHCP relay, two PCs get IP address through two different relay interfaces. Description: In the offer packets that switch sent to PC, the source IP address in IP header is incorrect.
Page 39 of 74
ZDD02827
First Found-in Version: V3.03.02p06 Condition: Switch serves as DHCP relay and it receives a bootp packet without magic cookie. Description: The switch regards the packet as wrong one and drops it.
LSOD09587
First Found-in Version: V3.03.02p06 Condition: Several ACL numbers including the same rule can be applied on one port for trafficpriority action to remark different COS value. Such as:
Basic ACL 2000, 1 rule
Basic ACL
2001, 1 rule
interface Ethernet1/0/1 traffic-priority inbound ip-group 2000 rule 0 cos spare traffic-priority inbound ip-group 2001 rule 0 cos background
Description: After one ACL rule is removed from the port, the other ACL rules cant be deleted. Note: Action traffic-limit/traffic-remark-vlanid has similar problem.
LSOD09728
First Found-in Version: V3.03.02p06 Condition: Execute the command 'virtual-cable-test' in Ethernet interface view. Description: The command is executed correctly, but it does not give cable length.
LSOD09619
First Found-in Version: V3.03.02p06 Condition: The network device acted as SSH server, and received specific SSH attack packets. Description: The device will be rebooted abnormally.
LSOD09678
First Found-in Version: V3.03.02p06 Condition: As the following operation: 1. Create an SSL server policy, example: ssl server-policy myssl1 2. Https use this SSL server policy, example: ip https ssl-server-policy myssl1 3. Undo use this SSL server policy, example: undo ip https ssl-server-policy Description: This ssl server policy can't be deleted.
Page 40 of 74
LSOD09700
First Found-in Version: V3.03.02p06 Condition: Enable DHCP server and DHCP snooping on switch. The pool lease of DHCP server is set less than one minute, and lots of users get IP address from switch. Description: The memory exhausted on switch.
LSOD09499
First Found-in Version: V3.03.02p06 Condition: When 802.1X authentication and mac-authentication are both enabled on the port, the user first pass the mac-authentication and success get IP address by DHCP, then do 802.1X authentication success and get IP address by DHCP again. Description: Sometimes the IP address shown by the command "display connection" is in reverse order.
LSOD09555
First Found-in Version: V3.03.02p06 Condition: On the authentication port Y, execute undo dot1x command and then execute dot1x command during dot1X authentication. Description: In a very small chance, the information Port Y is Processing Last 802.1X command... Please try again later. is shown.
LSOD09550
First Found-in Version: V3.03.02p06 Condition: Configure dot1x timer server-timeout to X seconds, and configure dot1x authentication-method eap. Do dot1X authentication. The EAP Request Challenge packet from the switch to the client gets no response. Description: The switch will not send EAP Failure packet until (X+80) seconds after.
LSOD09598
First Found-in Version: V3.03.02p06 Condition: Configure accounting optional. And configure dot1x timer server-timeout to X seconds. Do dot1X authentication with RADIUS server. When logging in, accounting-Start packet from the switch to the RADIUS server gets no response. Description: After log out, the client can not log in again until X seconds after.
LSOD09554
First Found-in Version: V3.03.02p06 Condition: The switch enables DHCP snooping and the up-link port of the switch is configured as the trust port of DHCP snooping. The DHCP server and the users PC are connected to the uplink port of the switch. Description: DHCP snooping record the user item on trust port.
LSOD09521
First Found-in Version: V3.03.02p06
December 30, 2010 Page 41 of 74
Condition: STP or MSTP is enabled on the device. There are dynamic ND entries or 'Discarding'. Description: 1). Dynamic ND entries on the port are not deleted.
short-
static resolved ND entries on one port whose STP state is changed from 'Forwarding' to
2). Short-static resolved ND entries on the port are not changed to INCMP state. Note: Short-static ND entry is configured by command line. The entry doesn't have port information. The port information will be learnt by ND packets. When the port information is learnt, the ND entry is called short-static resolved ND entry. Short-static ND entry Example: ipv6 neighbor 3000::1 0000-0002-0002 interface vlan-interface 1.
LSOD09717/LSOD09709
First Found-in Version: V3.03.02p06 Condition: Configuring 'authentication-mode scheme command-authorization' on the then the user running a valid command such as 'quit' through telnet. Description: The device will be rebooted abnormally. user interface, a user telnet the switch and logging in successfully through local authentication mode,
LSOD09572/LSOD09605
First Found-in Version: V3.03.02p06 Condition: Configuring the switch as a DHCP server, an IP phone connecting the switch and getting voice VLAN ID and IP address from the switch. Description: The IP phone can not get voice VLAN ID and IP address successfully within 25 seconds.
LSOD09537
First Found-in Version: V3.03.02p05 Condition: User's MAC item moves from port A to port B in switch. Port A is a single port, port B is in the aggregation group whose master port is down. Description: User's ARP item can not be updated by MAC item.
LSOD09483
First Found-in Version: V3.03.02p05 Condition: Test the IPV6 communication between a device and a stack that has an aggregation group across different units. Description: The stack device can not communicate with other device.
Page 42 of 74
LSOD09498
First Found-in Version: V3.03.02p05 Condition: Connect with huawei S2300. Enable LLDP and show LLDP neighbor information. Description: The 'Management address OID' section of neighbor information will be garbage characters.
LSOD09434
First Found-in Version: V3.03.02p05 Condition: In domain view, configure authentication scheme to be radius scheme, but do not configure accounting scheme. Configure accounting optional. Description: Users can not log-in successfully.
LSOD09447
First Found-in Version: V3.03.02p05 Condition: Do 802.1X authentication with iNode client (whose version is lower than V3.60-E6206) on PC, and upload IP address option is chosen. PC gets IP address from DHCP server. Description: The switch passes empty user-name to the RADIUS server, and authentication fails.
LSOD09406
First Found-in Version: V3.03.02p03 Condition: There are many switches serve as DHCP snooping in network. PC applies for IP address through DHCP snooping and finally get a conflict one. Description: The DHCP Decline packets broadcast in network for a while.
LSOD09332
First Found-in Version: V3.03.02p03 Condition: Configure DHCP rate limit on port, and display the configuration. Description: The switch shows the default configuration.
LSOD09048
First Found-in Version: V3.03.02p03 Condition: Configure the ipv6 ACL that include destination IP address and source IP address in sequence. Description: The source IP address includes part of the destination IP address in the current information.
LSOD09439
First Found-in Version: V3.03.00p01 Condition: Configure port-security auto learn mode on port A. Delete all MAC-address and change the VLAN ID of the port A while there are background traffic. Description: The MAC of the old VLAN is left occasionally.
LSOD09268
First Found-in Version: V3.03.00p02 Condition: Connect device to HUAWEI S2300 and running LLDP.
December 30, 2010 Page 43 of 74
LSOD09295
First Found-in Version: V3.03.02p03 Condition: Dot1x is enabled on a device. Ping the device with IPv6 address from an unauthenticated PC. Description: The device makes a response to the ping request.
LSOD09204
First Found-in Version: V3.03.02p03 Condition: Connect PC to port A. Configure port-security on port A (the port-mode is mac-anduserlogin-secure, userlogin-secure-or-mac, mac-else-userlogin-secure, userlogin-secure or userlogin-withoui). Do 802.1X authentication with windows XP client on PC. Description: After log-in, windows XP client does re-authentication frequently.
LSOD09167
First Found-in Version: V3.03.02p03 Condition: Many 802.1X users are on-line on the same device (about 1000). In system-view, execute undo dot1x command, and then execute dot1x command. Description: Executing the dot1x command always fails, and the system prompts Processing Last 802.1X command... Please try again later.
LSOD09156
First Found-in Version: V3.03.02p04 Condition: In stack, do 802.1X authentication with iMC server. User A log-in, then user B log-in from another device of the fabric with the same user-name of A. Description: The iMC server forces user A to log-out.
LSOD08866
First Found-in Version: V3.03.02p03 Condition: Walk the entAliasMappingIdentifier node. Description: The multiple entities of walk result have the same index which causes the failure in synchronizing device data through SNMP network management.
LSOD09143
First Found-in Version: V3.03.02p03
December 30, 2010 Page 44 of 74
Condition: The device has been configured igmp-snooping non flooding function. The VLAN X is configured igmp-snooping function and configures port Y as static router port. VLAN X receives unknown multicast flow, and then disables igmp-snooping function in VLAN X. Description: The port which is not router port can receive unknown multicast flow.
LSOD09176
First Found-in Version: V3.03.02p03 Condition: Enable voice VLAN legacy and connect an IP phone to switch. Description: The switch may ignore CDP packets from IP phone, and voice VLAN will not work.
LSOD09145
First Found-in Version: V3.03.02p01 Condition: Voice VLAN, dot1x (or port-securtiy) and DHCP-launch are enabled on the device, and then the device receives DHCP Discover packet or DHCP Request packet whose source MAC address is belong to a Voice VLAN OUI. Description: The source MAC address of DHCP Discover packet or DHCP Request packet can not be learnt. The correct behavior is: the source MAC address should be learnt.
ZDD02152
First Found-in Version: V3.03.02p03 Condition: Switch work as Telnet client or server. Input non-english character after login. Description: Possible unexpected logout.
LSOD08964
First Found-in Version: V3.03.02p03 Condition: Enable DHCP snooping and DHCP snooping option 82 on switch with replacing strategy. Description: Switch can not replace OPTION 82 of DHCP discover packet correctly.
LSOD09106
First Found-in Version: V3.03.02p03 Condition: EAD fast deployment is enabled on the port connecting the switch to a client, and no VLAN-interface is created for the VLAN where the port resides. The client sends repetitive HTTP requests or out-of-sequence HTTP packets when it is unauthenticated and accesses the network. Description: A memory leak occurs.
Page 45 of 74
LSOD09080
First Found-in Version: V3.03.02p03 Condition: Access MIB node "hwNDPPortStatus" on a stack. Description: Each slave unit leaks 9K-byte memories every time. No memory leakage occurs on master unit.
LSOD08774
First Found-in Version: V3.03.02p01 Condition: Do EAD authentication with iMC server. Description: The user goes off-line soon after passing the security checking.
LSOD09095
First Found-in Version: V3.03.02 Condition: Enable 802.1x authentication on a device, and connect a PC to a trunk port of the device through a Netgear switch. The data traffic should be tagged when it passes the trunk port. Then do 802.1x authentication. Description: After log-on, PCs MAC-Address is learnt in the PVID VLAN of the port, not the tagged VLAN. So, the port can not forward the data traffic.
LSOD09097
First Found-in Version: V3.03.02p03 Condition: The device has been configured user ACL remark VLAN ID, and user VLAN ID is configured as multicast VLAN ID. The device receives IGMP report message from the host. Description: The device can not transmit IGMP report message to upstream device periodically, so as to multicast stream to be interrupted.
LSOD09102
First Found-in Version: V3.03.00 Condition: Set up an extended IP ACL with number 3000, and add a rule with protocol key. Such as "rule 0 permit ip", in which "ip" means IP protocol. View the configuration file by "more" command after saving configuration, or display the current configuration. Description: The protocol key of the rule in the configuration becomes capital, and it will be lowercase in current version. For example, former version shows up "rule 0 permit IP" and current version shows "rule 0 permit ip". There is no any effect for function.
LSOD09100
First Found-in Version: V3.03.02p03 Condition: Net management software, which is using SNMP, is connected to the slave device in a stack. Description: Execute setting operation; the operation can be succeeding, but the device cannot send SNMP response to the net management software.
LSOD09045
First Found-in Version: V3.03.02 Condition: A large amount of security MAC addresses are learnt in a stack.
December 30, 2010 Page 46 of 74
Description: Several MAC address can not be aged after aging timer is reached.
LSOD08988
First Found-in Version: V3.03.02p03 Condition: One user with privilege level 0 login the web management interface. Description: WEB can not show the page of "Help".
LSOD08964
First Found-in Version: V3.03.02p01 Condition: A switch serves as DHCP SNOOPING, and enable DHCP SNOOPING OPTION 82 function with replace strategy on the switch. Description: The switch can not replace the OPTION 82 of DHCP discover packet correctly.
LSOD06917
First Found-in Version: V3.03.02p01 Condition: In the following network, the monitor port is on the master device (UNIT 1). After rebooting fabric with saved configuration, configure the ports of UNIT 3 as the source mirroring port and the monitor port.
Description: The fabric can't ping the PC connected to the mirroring port successfully.
LSOD08776
First Found-in Version: V3.03.02p01 Condition: Execute "ip host" command and the "hostname" parameter includes "-" character. Description: The command fails and the message of "Invalid host name format!" is prompted.
Page 47 of 74
LSOD08782
First Found-in Version: V3.03.02p01 Condition: Enable dot1x function and some dot1x clients are on-line. Description: The ports which have passed dot1x authentication will forward the unicast EAP packets to the entire vlan.
LSOD08757
First Found-in Version: V3.03.02p01 Condition: Enable NDP on a fabric system and many NDP adjacent devices attached to the same port of the device. Description: When getting the NDP neighbor information through SNMP, the usage of CPU of the device is high.
LSOD08753
First Found-in Version: V3.03.02p01 Condition: Enable NTP on a fabric system, the NTP server is connected to one port of the slave device. Description: When working in NTP multicast client modes, the stack device can not synchronize the clock from NTP Server.
LSOD08892
First Found-in Version: V3.03.02p01 Condition: The devices are in a fabric. Lots of VLAN and some MSTP instances are configured. Execute the command "active region-configuration". Description: There is little probability that the command fails and the device outputs the following information: Command synchronization failed, please try later...
LSOD08819
First Found-in Version: V3.03.02p01 Condition: The last port of a device in a fabric has a link-up state and is configured with link-delay. Reboot the fabric after saving configuration. Description: There is little probability that the port mentioned above can't send packets.
LSOD08905
First Found-in Version: V3.03.02p01 Condition: Execute command "display memory" in a stack composed of multiple devices. Press "Ctrl+C" before the display process completes. Description: A memory leak of 1K bytes occurs.
LSOD08907
First Found-in Version: V3.03.02p01 Condition: Access a device repeatedly by SSH with public key authentication. Description: An exception may occur on the device at little probability.
Page 48 of 74
LSOD08729
First Found-in Version: V3.03.02p01 Condition: Set port-security as "and" mode in device. Some users do MAC and dot1x authentication on several ports at the same time. Description: The dynamic "auto vlan" is added to some port's configuration.
LSOD08843
First Found-in Version: V3.03.02p01 Condition: Set port-mirroring function on web. Description: The CPU usage of device is up to 100%, and the information of port-mirroring can't be normally displayed at web view.
LSOD08788
First Found-in Version: V3.03.02p01 Condition: The 802.1x server is CAMS or iMC, the device enable DHCP snooping or DHCP relay, the 802.1x client which is on-line requests ip address frequently. Description: The device send accounting update packet to server frequently, which lead the 802.1x client off-line.
LSOD08808
First Found-in Version: V3.03.02p01 Condition: The IP address of a WEB server is the same as that of the vlan-interface of a device. Description: After user login through web-authentication, the user's layer-2 traffic can't be forwarded normally.
LSOD08738
First Found-in Version: V3.03.02p01 Condition: When congestion happens on a port, enable burst mode function. Description: All packets can't be forwarded on the port.
LSOD08679
First Found-in Version: V3.03.02p01 Condition: Units A, B, and C are in the same stack. An 802.1x user logs in through Port X of unit A, and Port X is assigned to the authorization VLAN (PVID or auto VLAN). Reboot unit B. Then the user in unit A logs off, and Port X leaves the authorization VLAN. Description: After the user logs off, execute the display interface command on units A and B to display information about port X. It is showed that the port is no longer in the authorization VLAN. Execute the display command on unit C, and it is showed that the port is still in the authorization VLAN.
LSOD08657
First Found-in Version: V3.03.02p01 Condition: In a stack device, configure port security in autolearn mode for a port, and set the max-mac-count limit. Let the port learn MAC addresses automatically, and make MAC count of the port reach the limit.
December 30, 2010 Page 49 of 74
Description: Try to add one more MAC address to the port using the mac-address security command. Although a failure information is showed, the display mac-address command shows that the additional MAC address is added actually, making the MAC count of the port exceed the limit.
LSOD08665
First Found-in Version: V3.03.02p01 Condition: In a stack, enable port security in autolearn mode and aging mode on ports. After the security MAC is learnt, disable the port security feature when the security MAC is aging. Description: The device reboots.
LSOD08631
First Found-in Version: V3.03.02p01 Condition: Enable 802.1X and debugging for RADIUS packets. Lots of users log on and then log off. Description: The device reboots.
LSOD08656
First Found-in Version: V3.03.02p01 Condition: Configure the multicast static-group command on a device configured with multicast VLAN. Description: When deleting the multicast static-group configuration, the IGMP snooping groups can't be removed.
LSOD08713
First Found-in Version: V3.03.02p01 Condition: Display the voice VLAN information of an LLDP neighbor. Description: The COS value and DSCP value of the voice VLAN are incorrect.
LSOD08716
First Found-in Version: V3.03.02p01 Condition: Configure the lldp compliance CDP command on a switch to communicate with a Cisco device through Cisco CDP version 1. Description: The duplex mode of the LLDP neighbor displayed is incorrect.
LSOD08575
First Found-in Version: V3.03.02p01 Condition: When non-flooding is enabled, the device acts as the NTP client in the multicast mode to synchronize timekeeping. Description: The timekeeping of the device can not be synchronized.
LSOD08674
First Found-in Version: V3.03.02p01
Page 50 of 74
Condition: In a stack, there is global am user-bind in the startup configuration file. After rebooting, the minimum Unit ID is not that of the master. Configure global am user-bind again and then delete all the global am user-bind from the slave units. Description: The device displays the checksum different from that of unit 1 when you save the configuration.
LSOD08652
First Found-in Version: V3.03.02p01 Condition: Add a hybrid port to the Guest VLAN of 802.1x, and then use the undo port hybrid vlan command to remove the port from the Guest VLAN. Description: The display interface command shows that the port is still in the Guest VLAN. Actually, the port is not in the VLAN.
LSOD08675
First Found-in Version: V3.03.02p01 Condition: In a stack, a port in unit A is assigned to the guest VLAN (VLAN x) of port security. Then send packets with authenticated MAC addresses as source MAC to the port continuously. Description: After the port is removed from the guest VLAN, PVID of the port changes back to the original VLAN y. Execute the display mac-address on unit B, and some dynamic MAC addresses in VLAN y without authentication are displayed.
LSOD08678
First Found-in Version: V3.03.02p01 Condition: Reboot the master device of a stack. Description: Failed to discover LLDP neighbors on an STP port in Discarding state.
LSOD08726
First Found-in Version: V3.03.02p01 Condition: There are several units in a stack. Reboot the master device of the stack. Description: The VRRP function becomes abnormal.
LSOD08667
First Found-in Version: V3.03.02p01 Condition: Use the display transceiver xxx command to check the Copper SFP information. Description: The device does not support displaying Copper SFP information.
LSOD08673
First Found-in Version: V3.03.02p01 Condition: Configure am user-bind in system view of a stack member. Description: The packets with authenticated MAC addresses as source MAC can not be forwarded by the other units of the stack.
LSOD08570
First Found-in Version: V3.03.02p01
Page 51 of 74
Condition: Enable the port security feature on a stack, and set the intrusion mode to blockmac. After one port (for example, port A) learns some blocked MAC addresses, remove the device to which port A belongs from the stack. Description: Such blocked MAC addresses on the other devices of the stack can not be removed.
LSOD08734
First Found-in Version: V3.03.02p01 Condition: Enable STP and loopback detection in both interface view and system view. A loop occurs on the port. Description: The loop on the port can not be detected.
LSOD08284
First found-in version: V3.03.02 Condition: Reboot a stacking device. Description: After reboot, there is little probobility that some MAC entry information in the MAC forwarding table cannot be displayed.
LSOD08291
First found-in version: V3.03.02 Condition: Set the authentication mode with the command xrn-fabric authentication-mode md5 STRING<1-16> in a stack. Set the MD5 password twice, and the last configured password has 16 characters. Save the configuration and reboot a device in the stack. Description: After startup, the stack cannot be established and the stack ports are in isolated state (auth failure).
LSOD08603
First found-in version: V3.03.02 Condition: Execute the dot1x authentication-method pap command. Description: A user whose password has two characters cannot pass dot1x authentication.
LSOD08460
First found-in version: V3.03.02 Condition: The device is enabled with voice VLAN, dot1x (or port-security with userlogin, userloginext, userloginsecure mode) and DHCP-launch. Description: A PC connected to the device cannot pass dot1x authentication.
LSOD08576
First found-in version: V3.03.02
December 30, 2010 Page 52 of 74
Condition: There are security MAC addresses in the switch. Then walk dot1qTpFdbStatus node through SNMP. Description: The result is incomplete.
LSOD08651
First found-in version: V3.03.02 Condition: Enable DHCP-snooping on a ring-mode stack. The DHCP server and DHCP client connect to different stacking units. The port connected to the DHCP server is configured with the dhcp-snooping trust command and belongs to a link-aggregation group. Description: The DHCP client will get duplicate DHCP ACK packets when requesting an IP address.
LSOD08655
First found-in version: V3.03.02 Condition: Configure a space-included string for DHCP server option 130 . Description: The operation fails.
LSOD08646
First found-in version: V3.03.02 Condition: The member ports of a link-aggregation group which belong to different units are configured as mirrored ports. The mirroring-group monitor port and the link-aggregation group master port are on the same unit. Description: The LLDP information on the master port of the link-aggregation group is wrong.
LSOD08628
First found-in version: V3.03.02 Condition: Get the value of node lldpRemPortDescription via MIB. Description: The result is the same as ifAlias. In fact, that value should be the same as ifDesc.
LSOD08193
First found-in version: V3.03.00p03 Condition: Configure password information. Description: The password can be displayed in log information, compromising security.
Page 53 of 74
LSOD08145
First found-in version: V3.03.00p03 Condition: Enable selective QinQ, and configure outer VLAN tag-to-inner VLAN tag mappings until the system resources become insufficient. Description: Configured mappings cannot be deleted. To delete them, you need to restart the device.
LSOD07413
First found-in version: V3.03.00p01 Condition: Two switches comprise a cluster. The header legal command is configured on the member switch. Execute the cluster switch-to 1 command on the command switch to log into the member switch. Description: The login operation fails no matter whether "Y" or "N" is input.
LSOD07744
First found-in version: V3.03.00p02 Condition: Modify RADIUS scheme configuration through the CLI and web interface respectively when there exist online users. Description: Modification through CLI fails, while modification through web interface succeeds.
LSOD07980/ LSOD07531/LSOD07749
First found-in version: V3.03.00p01 Condition: A PC acts as an administrator user and its MAC address is configured as a static MAC address on the switch. Description: Logging into the web NM interface of the switch from the PC fails because the login request is redirected to the EAD server.
LSOD07692
First found-in version: V3.03.00p02 Condition: Configure the maximum hops of topology discovery with the ntdp hop xxx command. If the new maximum hop number is less than the previous one, a cluster is built on the device. Description: Devices beyond the maximum hops of topology discovery also join the cluster.
LSOD07939
First found-in version: V3.03.00p02 Condition: Local user User 1 sets the access-limit to N on the switch. Then, N local users except for User 1 log into the switch (Local users can be FTP/ LAN-access/SSH/telnet/terminal users. If
December 30, 2010 Page 54 of 74
a user logs into the switch through 2 ways at the same time, for example, FTP and telnet, the user is counted as two logged-in users.). Description: User 1 cannot log in to the switch.
LSOD08070
First found-in version: V3.03.00 Condition: Configure the dot1x authentication-method eap command in system view, and configure the port-security port-mode mac-and-userlogin-secure or port-security port-mode mac-and-userlogin-secure-ext on a port that is connected to a PC. The PC passes 802.1X authentication but fails MAC authentication . Description: The PC goes online. (It is required that the PC can go online after passing both 802.1X authentication and MAC authentication.)
LSOD08034
First found-in version: V3.03.00p02 Condition: The switch acts as the SSH/Telnet server, and SecureCRT acts as the SSH/Telnet client. After the client logs into the server, copy a lot of configuration setting into the client window. Description: Some configurations are lost.
LSOD07962
First found-in version: V3.03.00p02 Condition: Configure an ACL rule and configure a description for the rule. View ACL rule information through the web interface. Description: Two entries for the rule exist, and one entry is empty.
LSOD08035
First found-in version: V3.03.00p02 Condition: A stacking switch serves as a DHCP client and gets an IP address from the DHCP server. When the client renews its lease, the DHCP server returns a NAK packet. Description: DHCP clients on the master and slave devices in the stack have different states.
LSOD08049
First found-in version: V3.03.00p02 Condition: The switch receives a packet with a broadcast destination MAC address and a unicast destination IP address other than the IP address of the receiving VLAN interface. Description: The switch can't send a redirect packet to the sender.
LSOD08101
First found-in version: V3.03.00p02 Condition: Enable DHCP snooping on the switch. Description: The device can't forward DHCP packets whose UDP source port is 68 and whose UDP destination port is neither 67 nor 68.
LSOD08106
First found-in version: V3.03.00p02
December 30, 2010 Page 55 of 74
Condition: Enable selective QinQ, and configure outer VLAN tag-to-inner VLAN tag mappings until the system resources become insufficient. Description: Configured mappings cannot be deleted. To delete them, you need to restart the switch.
LSOD08118
First found-in version: V3.03.00p02 Condition: Update the software from version A (V3.01.xx and V3.02.xx) to version B (V3.03.00, V3.03.00p01 and V3.03.00p02). Description: The password used on version A is invalid on version B.
PC1 and PC2 communicate with each other at Layer-3 through Switch 1. Configure a static ARP entry that has no VLAN ID or outbound interface specified for PC2 on Switch 1. After PC1 and PC2 communicate with each other, the egress port and VLAN ID (VLAN B) of the ARP entry are learned. Then change the network as follows: Remove VLAN B from Switch 1, configure VLAN B on Switch 2, and move PC2 from Switch 1 to Switch 2. After that, all PC1, Switch 1, Switch 2 and PC2 communicate with one another at Layer-3. The new network is shown below:
Description: The ping operation from PC1 to PC2 fails. To solve the problem, you have to reboot Switch 1.
LSOD07630
First found-in version: V3.03.00p01
December 30, 2010 Page 56 of 74
Condition: Perform EAD authentication on a port. Before authentication, the port's PVID is V1. During authentication, the port is assigned a VLAN ID of V2. V2 and V1 are not in the same MSTP instance. Description: EAD security policy authentication fails.
LSOD07571
First found-in version: V3.03.00p01 Condition: The switch works together with the CAMS server to implement RADIUS authentication. The CAMS server assigns an SSL VPN group number to the switch. Description: RADIUS authentication fails because the switch does not support the SSL VPN group number attribute.
LSOD07676
First found-in version: V3.03.00p01 Condition: Configure the ip address dhcp-alloc command on a VLAN interface. Description: The TTL of the DHCP Discover packet sent on the VLAN interface is 1. Because the DHCP relay agent drops packets with TTL being 1, the DHCP Discover packet can't be forwarded to the DHCP server.
LSOD07670
First found-in version: V3.03.00p01 Condition: A port (Ethernet1/0/28, for example) receives more than 500 error packets (CRC error packets, for example) within one minute. Shutdown the port. Description: The switch prints the information "The link partner of Ethernet1/0/28 may be bad, sending lots of error packets", which means the shutdown port is still receiving error packets.
LSOD07668
First found-in version: V3.03.00p01 Condition: Set forced mode, such as speed 100 and duplex full, for a lot of ports of the switch. Save the configuration and reboot the switch. Description: The startup duration is much longer than before.
LSOD07316
First found-in version: V3.03.00p01 Condition: Perform 802.1X authentication on a user through the CAMS server. Before authentication, the VLAN ID of the receiving port is V1. After authentication, the assigned VLAN ID is V2. Description: On the CAMS, the user's VLAN ID is V1, not V2.
LSOD07416/LSOD07422/LSOD07420/LSOD01108
First found-in version: V3.03.00p01 Condition: Perform 802.1X authentication on a user in VLAN V1. VLAN V2 is assigned. V1 and V2 belong to different MSTP instances. Description: Authentication fails.
Page 57 of 74
LSOD07375
First found-in version: V3.03.00p01 Condition: Send UDP packets with destination port as 1645 or 1646 to the device. Description: Each UDP packet causes a memory leak of 32 bytes.
LSOD07479
First found-in version: V3.03.00p01 Condition: Disable and then enable STP repeatedly. Description: The device may reboot without exception information.
LSOD07124
First found-in version: V3.03.00p01 Condition: A stack serves as a DHCP relay agent. After a PC gets an IP address through the relay agent, it sends a DHCP Inform packet to get extra information. Description: The DHCP relay agent does not process the DHCP ACK packet from the DHCP server correctly, and thus the PC cannot process the DHCP ACK packet.
LSOD07425
First found-in version: V3.03.00p01 Condition: Execute the debugging snmp-agent detail process 0 command in hidecmd view. The CPU usage is high (>50%). Then, use IMC software to scan the interfaces on the device. Description: The device reboots.
LSOD07313
First found-in version: V3.03.00p01 Condition: Swap an SFP module within 5 seconds. Description: Use the display transceiver command to check the SFP module information, which is updated.
LSOD07467
First found-in version: V3.03.00p01 Condition: The outgoing traffic speed on port A is higher than its maximum speed. Description: Dropped packets are not counted
LSOD07460
First found-in version: V3.03.00p01 Condition: A stack is established, and the following conditions are met on a stacking device. (1) The unit ID is not 1. (2) The DHCP server is connected to a port of this unit, and the port is configured as a DHCPsnooping trusted port. Description: A DHCP client connected to the device can't get an IP address successfully.
Page 58 of 74
LSOD07240
First found-in version: V3.03.00 Condition: Send DHCP request packets to the switch (a DHCP relay agent) continuously and clear clients entries from the relay agent at the same time. Description: The switch reboots or cannot create clients entries according to DHCP requests.
LSOD07138
First found-in version: V3.03.00 Condition: A stack has DHCP snooping enabled. A PC gets an IP address from a DHCP server through the stack. Description: Display DHCP client information on Unit X with the display dhcp-snooping unit X command. The remaining lease time is always 0.
LSOD07145
First found-in version: V3.03.00 Condition: An administrator initiates RADIUS authentication. The server assigns two administrative privilege attributes, (Vendorid=43, Type=1) and (Vendorid=2011, Type=29). Description: RADIUS authentication fails.
LSOD07184
First found-in version: V3.03.00 Condition: A stacking device joins a cluster as a cluster member. Description: A memory leak of 512 bytes occurs on the slave device per minute.
LSOD07234
First found-in version: V3.03.00 Condition: Execute the undo cluster enable command on a stacking device that also works as a cluster member. Description: The cluster configuration of the master device cannot be synchronized to the salve device.
LSOD07128
First found-in version: V3.03.00 Condition: A stack has STP BPDU protection enabled. An STP edge port on a slave device becomes administratively down upon receiving BPDUs. Description: Using the display stp portdown command cannot view information about the port.
December 30, 2010 Page 59 of 74
LSOD07143
First found-in version: V3.03.00 Condition: Port A, which is not a STP edge port, is connected to a terminal. Port A goes up. Description: The STP status of port A in MSTI changes from discarding to forwarding directly, without passing the learning state.
LSOD07136
First found-in version: V3.03.00 Condition: Telnet to a device that is handling huge IUC traffic. Description: The telnet user is hung up and the corresponding resources cannot be released.
LSOD07140
First found-in version: V3.03.00 Condition: Two devices form a stack. Telnet to the slave device and execute the free userinterface vty command on its console port. Then, use the display users command to view the user information on the master device. Description: The master device reboots abnormally.
LSOD06680/LSOD07269
First found-in version: V3.03.00 Condition: The device has the default configuration file 'config.def', but has no startup configuration file specified. Description: The device does not use the auto-configuration function after startup, but runs the default configuration file 'config.def'.
ZDD01517
First found-in version: V3.03.00 Condition: Use the AT&T network management tool to backup the configuration on the device. Description: A memory leak of 512K bytes occurs each time a backup operation is performed.
LSOD06530
First found-in version: V3.03.00 Condition: The network diagram is shown below: The stack acts as an FTP client. Device A in the stack is not directly connected to the FTP server. All devices in the figure are the S4500 series.
LSOD06010
First found-in version: V3.03.00
Page 60 of 74
Condition: Configure a static route with the blackhole attribute on the device, and its next hop address is a reachable valid IP address. For example, execute the ip route-static 1.1.1.0 255.255.255.0 2.2.2.2 blackhole command. Description: IP packets matching the blackhole route are still forwarded normally.
LSOD03115
First found-in version: V3.02.00 Condition: Execute ? on the switch repeatedly. Description: The usage of memory increases continuously until it gets exhausted and no command can be executed.
LSOD02840
First found-in version: V3.02.00 Condition: The switch acts as the SSH server. SSH packets from the SSH client are fragmented before reaching the SSH server. Description: The SSH connection between client and server cant be established successfully, or SSH doesnt work after the SSH connection is established.
OLSD31930
First found-in version: V3.02.00 Condition: Execute the display diagnostic command. Description: display mac number in hardware and display mac hided in hardware cannot be resolved.
OLSD31973
First found-in version: V3.02.00
December 30, 2010 Page 61 of 74
Condition: Display log information on the device. Description: Information such as msg:rtbit_set_vrf:0.0.0.0/0(n_bitsset=1) public vpn-instance appears.
OLSD29599
First found-in version: V3.01.00p02 Condition: Configure a sysname with a space through the web interface, for example, "4500 sysnametest". Description: After the switch reboots, a syntax error is reported and the sysname is changed back to the original sysname, because the sysname cannot contain any space.
OLSD30143
First found-in version: V3.01.00p02 Condition: Configure and display an ACL through the web interface. Description: An ACL rule in deny mode configured through CLI cannot be displayed on the web interface, and you cannot configure an ACL rule in deny mode through the web interface.
Description: Some errors occur and command executions fail. For example, if you download a large file from the FTP server when there is enough space, the following prompt appears:
Local space is not enough ! System will delete the file which has been transferred, please wait... ...Error Writing Local File: not enough space!
On an S4500 device that has an Intel J3D flash installed and runs a version earlier than V3.01.00p01, performing above-mentioned operations will fail.
Related Documentation
For the most up-to-date version of documentation: 1) 2) Go to http://www.3Com.com/downloads Select Documentation for Type of File and select Product Category.
Software Upgrading
The device software can be upgraded through the console port, TFTP, and FTP.
Page 63 of 74
After getting the new application file, reboot the device to validate it. Note that if you do not have enough Flash space, upgrade the Boot ROM program first, and then download the application file to the device. The following sections introduce some approaches to local upgrading.
Boot Menu
Upon power-on, the switch runs the Boot ROM program first. The following information will be displayed on the terminal:
Starting......
******************************************************************
Copyright (c) 2003-2005 3Com Corporation. Creation date CPU type : Sep 13 2005, 10:42:24 : BCM4704
CPU Clock Speed : 200MHz BUS Clock Speed : 33MHz Memory Size : 64MB
Mac Address
: 000fe2004500
After the screen displays Press Ctrl-B to enter Boot Menu..., you need to press <Ctrl+B> within 5 seconds to access the Boot menu. Otherwise, the system will start program decompression, and then you have to reboot the switch to access the Boot menu.
Enter the correct password (no password is set by default) to access the Boot menu.
Page 64 of 74
BOOT
MENU
1. Download application file to flash 2. Select application file to boot 3. Display all files in flash 4. Delete file from flash 5. Modify bootrom password 6. Enter bootrom upgrade menu 7. Skip current configuration file 8. Set bootrom password recovery 9. Set switch startup mode 0. Reboot
Step 2: Enter 3 to select the Xmodem protocol and press <Enter>. The following information appears:
Please select your download baudrate: 1. 9600 2. 19200 3. 38400 4. 57600 5. 115200 6. Exit Enter your choice (0-5):
Step 3: Select the appropriate download baud rate. For example, enter 5 to select the download baud rate of 115200 bps. Press <Enter> and the following information appears:
December 30, 2010 Page 65 of 74
Step 4: Configure the same baud rate on the console terminal, disconnect the terminal and reconnect it. Then, press <Enter> to start downloading. The following information appears:
Are you sure to download file to flash? Yes or No(Y/N)y Now please start transfer file with XMODEM protocol. If you want to exit, Press <Ctrl+X>. Downloading ... CCCCC
After the terminal baud rate is modified, it is necessary to disconnect and then re-connect the terminal emulation program to validate the new setting.
Step 5: Select [Transfer\Send File] from the terminal window. Click <Browse> in the pop-up window and select the software to be downloaded. Select Xmodem from the Protocol drop down list.
Figure 1 Send File Step 6: Click <Send> and the following window appears.
Page 66 of 74
Figure 2 Xmodem File Send Step 7: After downloading completes, the following information appears:
Loading ...CCCCCCCCCC done!
Switch 4500 series are not shipped with the TFTP server program.
Step 3: Run the terminal emulation program on the PC, and start the switch, to access the Boot menu. Step 4: Enter 1 in the Boot menu, and press <Enter> to enter the following menu.
Please set application file download protocol parameter: 1. Set TFTP protocol parameter 2. Set FTP protocol parameter 3. Set XMODEM protocol parameter 0. Return to boot menu Enter your choice(0-3):1
Page 67 of 74
Step 5: Enter 1 to use TFTP, and press <Enter>. The following information appears:
Load File name Switch IP address segment) Server IP address (IP address of the PC where the file is stored) (This address and the server IP address must be on the same network
Step 6: Input correct information and press <Enter>. The following information appears:
Are you sure to download file to flash? Yes or No(Y/N)
Step 7: Enter Y to start downloading the files. Enter N to return to the Boot menu. Take entering Y as an example. Enter Y and press <Enter>, the system begins downloading programs. After downloading completes, the system starts writing the programs to the flash. Upon completion of this operation, the screen displays the following information to indicate that the downloading is completed:
Loading ........................................................done! Writing to flash................................................done!
Step 5: Enter 2 to select FTP and press <Enter>. The following information appears:
Please modify your FTP protocol parameter: Load File name Switch IP address Server IP address FTP User Name FTP User Password
Step 6: Input correct information and press <Enter>. The following information appears:
Are you sure to download file to flash? Yes or No(Y/N):
Page 68 of 74
Step 7: Enter Y to start downloading the files. Enter N to return to the Boot menu. Take the first case as an example. Enter Y and press <Enter>, and the system begins downloading programs. After downloading completes, the system starts writing the programs into the flash. Upon completion of this operation, the screen displays the following information to indicate that the downloading is completed:
Loading ........................................................done! Writing to flash................................................done!
Appendix
Details of Added or Modified CLI Commands in V3.03.02p06
dot1x unicast-trigger
Syntax dot1x unicast-trigger undo dot1x unicast-trigger View Ethernet interface view Default Level 2: System level Parameters None Description Use the dot1x unicast-trigger command to enable the unicast trigger function of 802.1X on a port. Use the undo dot1x unicast-trigger command to disable this function. By default, the unicast trigger function is disabled.
Page 69 of 74
View System view, Ethernet port view Parameters offline-detect-value: Offline detect timer, which specifies the idle timeout interval (in seconds) for users. At this interval, the switch checks whether there is traffic from each user. If receiving no traffic from a user within two consecutive intervals, the switch logs the user out and notifies the RADIUS server. The value range for the offline-detect-value argument is 0 to 3000000. The default is 300 seconds. Description Use the mac-authentication timer offline-detect command to set the offline detect timer for MAC authentication. Use the undo mac-authentication timer offline-detect command to restore the default. Note that: The offline detect timer configured in system view applies to all MAC authentication-enabled ports. The offline detect timer configured in Ethernet port view applies to the current port only. You can set the offline detect timer to different values on different Ethernet ports. The offline detect timer configured in Ethernet port view takes precedence over the one configured in system view. If the offline-detect-value argument takes the value of 0, the offline detect timer is disabled.
bpdu-drop any
Syntax bpdu-drop any undo bpdu-drop any View Ethernet port view Parameters None Description Use the bpdu-drop any command to enable BPDU dropping on the Ethernet port. Use the undo bpdu-drop any command to disable BPDU dropping on the Ethernet port. By default, BPDU dropping is disabled.
December 30, 2010 Page 70 of 74
display link-delay
Syntax display link-delay View Any view Parameters None
Page 71 of 74
Description Use the display link-delay command to display information about ports configured with link state change suppression, including the port name and the configured timer. Related commands: link-delay, link-delay up, and link-delay updown. Examples # Display information about ports configured with link state change suppression.
<H3C>display link-delay Interface Up Delay Time Down Delay Time
link-delay
Syntax link-delay delay-time undo link-delay View Ethernet port view Parameters delay-time: Link down suppression interval (in seconds), which ranges from 2 to 10. Description Use the link-delay command to enable physical link state change suppression and set the link down suppression timer. When the physical link of the port goes down, the port starts the timer and does not report link state changes to the system within the timer interval. Use the undo link-delay command to disable link state change suppression. By default, link state change suppression is disabled. Examples # Enable link down suppression on port Ethernet 1/0/5, and set the link down suppression interval to 8 seconds.
<Sysname> system-view Enter system view, return to user view with Ctrl+Z. [Sysname] interface Ethernet1/0/5 [Sysname-Ethernet1/0/5] link-delay 8
Page 72 of 74
link-delay up
Syntax link-delay up delay-time undo link-delay View Ethernet port view Parameters delay-time: Link up suppression interval (in seconds), which ranges from 2 to 10. Description Use the link-delay up command to enable physical link state change suppression and set the link up suppression timer. When the physical link of the port goes up, the port starts the timer and does not report link state changes to the system within the timer interval. Use the undo link-delay command to disable link state change suppression. By default, link state change suppression is disabled. Examples # Enable link up suppression on port Ethernet 1/0/5, and set the link up suppression interval to 8 seconds.
<Sysname> system-view Enter system view, return to user view with Ctrl+Z. [Sysname] interface Ethernet1/0/5 [Sysname-Ethernet1/0/5] link-delay up 8
link-delay updown
Syntax link-delay updown delay-time undo link-delay View Ethernet port view Parameters delay-time: Link state change suppression interval (in seconds), which ranges from 2 to 10.
Page 73 of 74
Description Use the link-delay updown command to enable physical link state change suppression and set the link up-down suppression timer. When the physical link of the port goes down or goes up, the port starts the timer and does not report link state changes to the system within the timer interval. Use the undo link-delay command to disable link state change suppression. By default, link state change suppression is disabled. Examples # Enable link state change suppression on port Ethernet 1/0/5, and set the link up-down suppression interval to 8 seconds.
<Sysname> system-view Enter system view, return to user view with Ctrl+Z. [Sysname] interface Ethernet1/0/5 [Sysname-Ethernet1/0/5] link-delay updown 8
Page 74 of 74