3COM

Switch 4500 V3.03.
02p21 Release Notes

Keywords: Resolved problems, software upgrading
Abstract: This release notes describes the Switch 4500 V3.03.02p21 release with respect to version
information, updating, unresolved and solved problems, and software upgrading.
Acronyms:
Abbreviations
Full spelling
ACL
Access Control List
CLI
Command line interface
DHCP
Dynamic Host Configuration Protocol
FTP
File Transfer Protocol
GARP
Generic Attribute Registration Protocol
GVRP
GARP VLAN Registration Protocol
HTTP
Hypertext Transfer Protocol
ICMP
Internet Control Message Protocol
IGMP
Internet Group Management Protocol
IP
Internet Protocol
LACP
Link Aggregation Control Protocol
MIB
Management Information Base
MSTP
Multiple Spanning Tree Protocol
NDP
Neighbor Discovery Protocol
NTP
Net Time Protocol
QOS
Quality of Service
RADIUS
Remote Authentication Dial-In User Service
RMON
Remote Monitoring
RSTP
Rapid Spanning Tree Protocol
SNMP
Simple Network Management Protocol
SP
Strict Priority
SSH
Secure Shell
STP
Spanning Tree Protocol
December 20, 2012
Page 1 of 1
Abbreviations
Full spelling
TFTP
Trivial File Transfer Protocol
UDP
User Datagram Protocol
VLAN
Virtual Local Area Network
3ND
3Com Network Director
December 20, 2012
Page 2 of 2
3COM OS Switch 4500 V3.03.02p21 Release Notes
Table of Contents
Version Information 7
Version Number 7
Version History 7
Hardware and Software Compatibility Matrix 8
Restrictions and Cautions 9
Feature List 10
Hardware Features 10
Software Features 10
Version Updates 12
Feature Updates 12
Command Line Updates 17
MIB Updates 31
Configuration Changes 33
V3.03.02p21 Operation Changes 33
V3.03.02 Operation Changes 37
V3.03.00 Operation Changes 38
Open Problems and Workarounds 38
List of Resolved Problems 39
Resolved Problems in V3.03.02p21 39
December 20, 2012
Page 3 of 3

Resolved Problems in V3.03.02 60
Related Documentation 70
Software Upgrading 70
Remote Upgrading through CLI 70
Boot Menu 71
Software Upgrading via Console Port (Xmodem Protocol) 72
Using TFTP Through an Ethernet Interface 74
Using FTP Through an Ethernet Interface 75
Appendix 76
Details of Added or Modified CLI Commands in V3.03.02p06 76
dot1x unicast-trigger 76
mac-authentication timer offline-detect 76
bpdu-drop any 77
voice vlan lldp 78
display link-delay 78
link-delay 79
link-delay up 80
link-delay updown 80
mac-address station-move quick-notify 81
arp rate-limit enable noshut 82
dot1x auth-fail-retry 82
Modified command: bims-server 83
Modified command: dhcp server bims-server 84
Modified command: dldp authentication-mode 85
Modified command: xrn-fabric authentication-mode 85
Modified command: key (HWTACACS scheme view) 86
Modified command: key (RADIUS scheme view) 87
December 20, 2012
Page 4 of 4
Modified command: local-server nas-ip 87

Modified command: mac-authentication authmode usernameasmacaddress 88
Modified command: mac-authentication authpassword 89
Modified command: ntp-service authentication-keyid 90
Modified command: password (Remote-ping test group view) 90
Modified command: password (local user view) 91
Modified command: rip authentication-mode 92
Modified command: set authentication password 93
Modified command: snmp-agent usm-user v3 93
Modified command: super password 95
December 20, 2012
Page 5 of 5
List of Tables
Table 1 Version history .............................................................................................................................. 7
Table 2 Compatibility matrix....................................................................................................................... 8
Table 3 Hardware features ...................................................................................................................... 10
Table 4 Software features ........................................................................................................................ 10
Table 5 Feature updates .......................................................................................................................... 12
Table 6 Command line updates ............................................................................................................... 17
Table 7 MIB updates ................................................................................................................................ 31
Table 8 Encrypted authentication key length requirements ..................................................................... 94
Table 9 Encrypted privacy key length requirements ................................................................................ 94
December 20, 2012
Page 6 of 6
Version Information
Version Number
Version Information: 3Com OS V3.03.02s168p21
Note: To view version information, use the display version command in any view. See Note.
Version History
Table 1 Version history
Version number
Last version
Release Date
Remarks
V3.03.02s168p21
V3.03.02s168p20
2012-12-14
None
V3.03.02s168p20
V3.03.02s168p19
2012-10-18
None
V3.03.02s168p19
V3.03.02s168p15
2012-06-19
None
V3.03.02s168p15
V3.03.02s168p11
2010-12-15
None
V3.03.02s168p11
V3.03.02s168p09
2010-06-21
None
V3.03.02s168p09
V3.03.02s168p06
2010-04-23
From the version, only

release the APP of
168-bit encryption for
SSH.
V3.03.02s56p06
V3.03.02s56p05
2009-12-23
None
V3.03.02s168p06
V3.03.02s168p05
V3.03.02s56p05
V3.03.02s56p04
2009-10-14
None
V3.03.02s168p05
V3.03.02s168p04
V3.03.02s56p04
V3.03.02s56p03
2009-08-19
None
V3.03.02s168p04
V3.03.02s168p03
V3.03.02s56p03
V3.03.02s56p01
2009-06-19
None
V3.03.02s168p03
V3.03.02s168p01
V3.03.02s56p01
V3.03.02s56
2009-02-23
features
V3.03.02s168p01
V3.03.02s168
New
released
V3.03.02s56
V3.03.00s56p03
2008-10-31
features
V3.03.02s168
V3.03.00s168p03
New
released
V3.03.00s56p03
V3.03.00s56p02
2008-09-25
None
V3.03.00s168p03
V3.03.00s168p02
V3.03.00s56p02
V3.03.00s56p01
2008-06-16
None
V3.03.00s168p02
V3.03.00s168p01
V3.03.00s56p01
V3.03.00s56
2008-03-20
None
V3.03.00s168p01
V3.03.00s168
December 20, 2012
Page 7 of 7
Version number
Last version
V3.03.00s56
V3.02.00s56p02
V3.03.00s168
V3.02.00s168p02
V3.02.00s56p02
V3.02.00s56p01
V3.02.00s168p02
V3.02.00s168p01
V3.02.00s56p01
V3.02.00s56
V3.02.00s168p01
V3.02.00s168
V3.02.00s56
V3.01.00s56p03
V3.02.00s168
V3.01.00s168p03
V3.01.00s56p03
V3.01.00s56p02
V3.01.00s168p03
V3.01.00s168p02
V3.01.00s56p02
V3.01.00s56p01
V3.01.00s168p02
V3.01.00s168p01
V3.01.00s56p01
V3.01.00s56
V3.01.00s168p01
V3.01.00s168
V3.01.00s56
First release
Release Date
Remarks
2008-02-29
First
release
V3.03.xx
2007-07-20
None
2007-06-30
None
2007-01-17
New
released
2006-09-21
None
2006-06-13
None
2006-01-09
None
2005-10-27
First release
of
features
V3.01.00s168
Hardware and Software Compatibility Matrix

Table 2 Compatibility matrix
Item
Specifications
Product family
Switch 4500 Series
Hardware platform
26-Port/50-Port/26-Port PWR/50-Port PWR
Minimum memory
requirements
64 MB
Minimum Flash
requirements
8 MB
Boot ROM version
Version 4.06 (Note: It is required to use V1.00 or later, but V4.06 is

preferred. You can view the version number with the display version
command in any view. Please see Note)
Host software
s3n03_03_02s168p21.app
iMC version
iMC PLAT 5.1 SP1(E0202P05)

iMC UAM 5.1 SP1(E0301P03)
iMC TAM 5.1 (E0301)
iMC QoSM 5.1 (E0201)
iNode version
December 20, 2012
iNode PC 5.1(E0304)
Page 8 of 8
Item
Specifications
Web version
5.01
Remarks
None
When a switch with a new version flash runs V3.01.00, using FTP to upload an application file to
the switch, or performing write operations on the flash of the switch such as executing the
display diagnostic-information command often fails. V3.01.00p01 and later have solved this
problem.
A device running boot ROM V1.00 may get out of power during startup, which may cause the
loss of the application file. You are recommended to upgrade the boot ROM version to V1.01 to
solve this problem.
<4500>display version
3Com Corporation
Switch 4500 26-Port Software Version 3Com OS V3.xx.xx ------- Note
Copyright (c) 2004-2008 3Com Corporation and its licensors, All rights reserved.
Switch 4500 26-Port uptime is 0 week, 0 day, 0 hour, 0 minute
Switch 4500 26-Port with 1 MIPS Processor

64M
bytes DRAM
8196K
bytes Flash Memory
Config Register points to FLASH
CPLD Version is CPLD 003

Bootrom Version is x.xx
--------
Note
[Subslot 0] 24 FE + 4 GE Hardware Version is 00.00.00
Restrictions and Cautions

1)
For storm suppression, use the pps mode because the ratio mode is not suitable for long frames.
2)
The forwarding capability of some ports cannot reach the wire speed when the switch works as a
stacking device.
3)
Silicon behavior: IP packets with the Options field cannot be forwarded.
4)
After an ARP entry is aged out from the software, it is not removed from the hardware
immediately. Since then, if the ARP entry is not updated within an hour, it is removed from the
hardware.
5)
After upgrading the software of a NTP-configured stacking device from a version between
V3.03.00 and V3.03.00p03 to V3.03.02 or later, you need to remove the existing NTP
configuration and reconfigure it.
December 20, 2012
Page 9 of 9
6)
A version prior to V3.03.02p21 might not support the cipher and simple keywords or use a
different password encryption algorithm than V3.03.02p21 or a later version. If you downgrade
the software from V3.03.02p21 or a later version to a version prior to V3.03.02p21, or upgrade it
to V3.03.02p21 or a later version and roll it back after saving the configuration file, the relevant
configuration commands might get lost or the passwords might become invalid. For more
information, see the change descriptions for the commands.
Feature List
Hardware Features
Table 3 Hardware features
Category
Description
Dimensions (H W D)
43.6mm 440mm 260mm (1.72 17.32 10.24 in.) (devices without

PWR)
43.6mm 440mm 420mm (1.72 17.32 16.54 in.) (devices with
PWR)
Weight (full configuration)
3.5Kg (7.72 lb.) (26-port devices without PWR)

4Kg (8.82 lb.) (50-port devices without PWR)
5.8Kg (12.79 lb.) (26-port devices with PWR)
6.2Kg (13.67 lb.) (50-Port devices with PWR)
Maximum
consumption
power
40 W (26-port devices without PWR)

50 W (50-port devices without PWR)
380 W (26-port devices with PWR)
380 W (50-Port devices with PWR)
Input voltage
AC:
Rated voltage range: 100 VAC to 240 VAC (50Hz to 60Hz)
Max voltage range: 90 VAC to 264 VAC (50Hz to 60Hz)
DC:
Rated voltage range: 48 VDC to 60 VDC
Max voltage range: 72 VDC to 36 VDC
Operating temperature
0C to 45C (32F to 113F)
Operating humidity
10% to 90%
Software Features
Table 4 Software features
Features
Port auto-negotiation
December 20, 2012
Description
Supports both speed and duplex mode auto-negotiation.
Page 10 of 10
Features
Description
Flow control
Supports IEEE 802.3x-compliant flow control for full-duplex, and backpressure based flow control for half-duplex.
Link aggregation
Supports up to 8 aggregation groups, each of which supports up to 8 FE

ports or 4 GE ports.
Port internal/external
loopback test
The port internal loopback test detects the connectivity between switch
chips and PHY chips. The port external loopback test detects the
connectivity between PHY chips and network interfaces with the help of
the self-loop header. The two tests used together can determine whether
a fault is a switch fault or a link fault.
Combo ports
Unicast, multicast and
broadcast suppression
Supports bandwidth ratio- and rate-based suppression modes on ports.
VLAN
Supports port-based VLANs, and up to 256 IEEE 802.1Q-compliant

VLANs.
MAC address table
Supports MAC address learning and up to 8K MAC addresses;

Complies with IEEE 802.1D;
Notifies MAC address changes to ARP.
RSTP
Supports STP and complies with IEEE 802.1D.
802.1X authentication
Supports PEAP/EAP/TLS/TTLS.
The main purpose of IEEE 802.1X is to implement authentication for
wireless LAN users, but its application in IEEE 802 LANs provides a
method of authenticating LAN users.
SSHv2
Secure Shell (SSH) offers an approach to logging into a remote device

securely. By encryption and strong authentication, it protects devices
against attacks such as IP spoofing and plain text password interception.
A switch can work as an SSH server to support connections with SSH
clients running on PCs.
Voice VLAN
The voice VLAN feature adds ports into voice VLANs by identifying the
source MAC addresses of packets. It automatically assigns higher priority
for voice traffic to ensure voice quality. This feature supports two
application modes: manual and automatic.
DHCP relay agent
Through a DHCP relay agent, DHCP clients in a subnet can

communicate with a DHCP server in another subnet to obtain valid IP
addresses. In this way, DHCP clients in different subnets can share one
DHCP server. This method saves costs and helps implement centralized
management.
ARP
Supports up to 256 static ARP entries.
IP routing
Supports static routing and RIP.
IGMP Snooping
Internet Group Management Protocol Snooping (IGMP Snooping) is a

multicast constraining mechanism that runs on Layer 2 devices to
manage and control multicast groups.
December 20, 2012
Page 11 of 11
Features
Description
QoS
Bandwidth management;
flow control with 64 bps granularity;
8 sending queues per port;
Traffic classification;
Traffic rate limit;
Port mirroring, which supports only one source mirroring port.
Software upload and

upgrade
Software upload and upgrade through the XMODEM protocol, FTP or

TFTP
Remote authentication
To implement authentication on remote telnet, web, and console users,

you need to configure use names and passwords on a RADIUS server,
and configure RADIUS authentication on the access switch. When such
a user logs onto the switch, the switch sends the user name and
password to the RADIUS server for authentication. If the user passes
authentication, it can log it to the switch.
FTP, TFTP
The switch can only works as a TFTP client.
System configuration
and management
Configuration methods supported: CLI, console port, telnet, and Modem;
Network maintenance
Filtering, output and collection of alarm/debug information;
Features and functions supported: SNMP, remote monitoring (RMON)

1/2/3/9 group MIBs, system logging, hierarchical alarming, Syslog And
NTP.
Diagnostic tools: Ping, Tracert, and so on;

Remote maintenance through Telnet and other ways
web
Fault diagnostics and
alarm output
Detects and reports hardware/software faults.
Fast startup
In fast startup mode, a switch can complete a startup process within 60

seconds by skipping the power-on self test (POST) and directly running
the APP program. You can set the startup mode to fast or normal in the
boot ROM menu.
Version Updates
Feature Updates
Table 5 Feature updates
Version Number
V3.03.02p21
December 20, 2012
Item
Description
Hardware feature
updates
None
Software feature
updates
None
Page 12 of 12
Version Number
V3.03.02p20
V3.03.02p19
V3.03.02p15
Item
Description
Hardware feature
updates
None
Software feature
updates
None
Hardware feature
updates
None
Software feature
updates
New feature:
Hardware feature
updates
None
Software feature
updates
New feature:
ARP quick update
1) Automatic Discovery of IP Phones Using LLDP

2) Link State Change Suppression Configuration
V3.03.02p11
V3.03.02p09
V3.03.02p06
V3.03.02p05
V3.03.02p04
Hardware feature
updates
None
Software feature
updates
New features:
Hardware feature
updates
None
Software feature
updates
New features:
Hardware feature
updates
None
Software feature
updates
New features:
Hardware feature
updates
None
Software feature
updates
None
Hardware feature
updates
None
Software feature
updates
New features:
bpdu-drop any
1) DHCP client supports automatic configuration

of default route
1) 802.1X Unicast Trigger Function
1) System-guard transparent feature

With this function, you can configure the switch not
to deliver RIP multicast packets to the CPU while
the protocol is not enabled on the switch.
2) Mac-address max-mac-count log
3) LACP MAD
V3.03.02p03
December 20, 2012
Hardware feature
updates
None
Page 13 of 13
Version Number
Item
Software feature
updates
Description
New features:
1) Restart accounting when the reauthentication
user name changes.
2) Private LLDP MIB
3) CPU-protection feature
4) Command-alias feature
5) Loopback detection trap
6) IPv6 ACL
V3.03.02p01
Hardware feature
updates
None
Software feature
updates
New features:
1)
HTTPS
2)
Auto VLAN
3)
AM binding
3 types of binding added: IP-MAC binding, IP-port

binding, MAC-port binding.
4)
line-rate assignment feature of RADIUS
5)
Attribute ignore feature
This feature can be configured to ignore the

authentication
attribute
in
the
RADIUS
Authentication Accept packet.
Please refer to the Operation Manual and
Command Manual.
V3.03.02
Hardware feature
updates
None
Software feature
updates
New features:
1)
LLDP
2)
IP Source Guard
3)
Dynamic ARP Inspection
4)
HWTACACS.
Please refer to the Operation Manual and

Command Manual.
V3.03.00p03
V3.03.00p02
December 20, 2012
Hardware feature
updates
None
Software feature
updates
New features:
Hardware feature
1)
Sub IP
2)
DHCP server
3)
Password control
None
Page 14 of 14
Version Number
Item
Description
updates
V3.03.00p01
V3.03.00
Software feature
updates
New features:
Hardware feature
updates
None
Software feature
updates
New features:
Hardware feature
updates
None
Software feature
updates
New features added to V3.03.00e on the basis of

V3.02.xx:
RSA, DSA negotiation order self-selection and

GVRP
Support for RFC4188 and RFC2674.
1)
VLAN mapping
2)
Selective QINQ
3)
IGMP snooping non-flooding
4)
FTP banner
5)
HTTP banner
6)
Telnet copyright
7)
Speed auto-negotiation configuration
8)
Port link-delay (link state change delay)
9)
Host manual addition to a multicast group
10) Dot1X handshake control

11) Router port manual designation
12) Support for inner-VLAN based Layer-2 ACL
configuration, which allows you to configure
ACL rules based on the inner VLAN
information of packets.
13) IPv6 management
14) DHCP snooping support for processing DHCP
NAK and decline packets
15) Enhanced SFP, supporting SFP encryption
information reading
16) Port isolation across a stack
17) EAP authentication mode for telnet users
18) Port security and/or mode
19) RIP support for modifying the offset field for
specific subnets
20) SNMP support for password configuration
copy
21) IGMPv3 snooping
December 20, 2012
Page 15 of 15
Version Number
Item
Description
22) Support for long domain names
23) Support for mask configuration in SNMP MIBview
24) MAC-authentication support for guest VLAN
25) DLDP recover
26) DHCP option 82 string function
27) HGMP topology management and trace-MAC
28) EAD quick employment
29) Support for web-based cluster configuration
30) Destination MAC address update
Deleted features: password control
V3.02.00p02
Hardware feature
updates
None
Software feature
updates
New features:
1. Or mode of port-security
Dot1X
request
packets
trigger
dot1X
authentication; non-dot1X packets with an
unknown
MAC
address
trigger
MACauthentication. Suppose the source MAC address
of a dot1X packet passes MAC authentication. If it
then passes dot1X authentication, the original
MAC authentication user logs out automatically; if
not, the original MAC authentication user keeps
online.
V3.02.00
V3.01.00
December 20, 2012
Hardware feature
updates
None
Software feature
updates
New features:
1)
Putty V0.58 support
2)
Syslog to host
3)
802.1X PEAP/EAP/TLS/TTLS
4)
NTP
5)
Notifying MAC address/port changes to ARP
Hardware feature
updates
First release; refer to related manuals for more

information.
Software feature
updates
First release; refer to related manuals for more

information.
Page 16 of 16
Command Line Updates

Table 6 Command line updates
Version Number
V3.03.02p21
Item
Description
New Commands
None
Removed Commands
local-user password-display-mode { auto |

cipher-force }
undo local-user password-display-mode
V3.03.02p20
V3.03.02p19
Modified Commands
Refer to Details of Added or Modified CLI

Commands in V3.03.02p21
New Commands
None
Removed Commands
None
Modified Commands
None
New Commands
Command 1: mac-address station-move quicknotify

Command 2: dot1x auth-fail-retry
Removed Commands
None
Modified Commands
Command 1: arp rate-limit enable noshut

Add new keyword of noshut to command arp ratelimit enable. Please refer to Details of Added or
Modified CLI Commands in V3.03.02p19
V3.03.02p15
V3.03.02p11
New Commands

Removed Commands
None
Modified Commands
None
New Commands
bpdu-drop any
Removed Commands
None
Modified Commands
mac-authentication timer offline-detect

V3.03.02p09
V3.03.02p06
December 20, 2012
New Commands
None
Removed Commands
None
Modified Commands
None
New Commands

Removed Commands
None
Page 17 of 17
Version Number
V3.03.02p05
V3.03.02p04
Item
Description
Modified Commands
None
New Commands
None
Removed Commands
None
Modified Commands
None
New Commands
Command 1:
Syntax
system-guard transparent rip
undo system-guard transparent rip
View
System view
Description
Use
the
system-guard
transparent
command to configure the system-guard
transparent function for RIP protocol. Then,
upon receiving a RIP multicast packet, the
switch will only broadcast the packet within
the corresponding VLAN, but not deliver the
packet to the CPU for processing.
Use the undo system-guard transparent
command to disable the function for RIP
protocol. Then, upon receiving a RIP
multicast packet, the switch will not only
broadcast
the
packet
within
the
corresponding VLAN but also deliver the
packet to the CPU for processing.
By default, the system-guard transparent
function is disabled on the switch.
Note that:
z
If RIP is enabled on the switch, do not

enable the system-guard transparent
function for the protocol. Otherwise, RIP
cannot function normally.
Example
[sysname] system-guard transparent rip
Caution: When enabling RIP, undo this
command. Otherwise, RIP can't work
correctly.
V3.03.02p03
December 20, 2012
Removed Commands
None
Modified Commands
None
New Commands
Please refer to the manuals of new features

provided along with current version.
Removed Commands
None
Modified Commands
Please refer to the manuals of new features

provided along with current version for IPv6 acl
Page 18 of 18
Version Number
Item
Description
command.
V3.03.02p01
New Commands
Command 1:
Syntax
[ undo ] icmp acl-priority
View
System view
Description
Use the icmp acl-priority command to
modify the local priority of ICMP packets
which are forwarded to the CPU. When the
device has an IP address configured,
enabling the command will occupy some
hardware ACL resources.
Use the undo icmp acl-priority command
to keep the local priority and free the
corresponding hardware ACL resources.
By default, the icmp acl-priority command
is applied.
Example
[Switch] undo icmp acl-priority
Command 2:
Syntax
[ undo ] mirroring stp-collaboration
View
System view
Description
Use the mirroring stp-collaboration
command to enable the collaboration of
mirroring and STP state. When a mirrored
port is in STP discarding state (or in
discarding state in at least one instance
while it is in MSTP mode), mirroring on this
port doesnt work. When its STP state
changes to forwarding state, mirroring is
activated.
Use the undo mirroring stp-collaboration
command to disable the collaboration.
By default, the mirrored port is independent
of its STP state.
December 20, 2012
Page 19 of 19
Version Number
Item
Description
Example
[Switch] mirroring stp-collaboration
Command 3:
Syntax
attribute-ignore { standard
vendor-id } type type-value
vendor
undo attribute-ignore { all | standard |

vendor vendor-id }
View
RADIUS view
Description
The attribute-ignore vendor vendor-id
type type-value command is used to ignore
specific private attributes having the
specified vendor ID and type.
The attribute-ignore standard type typevalue command is used to ignore all the
standard attributes having the specified
type.
undo attribute-ignore all command is used
to
remove
all
the
attribute-ignore
configuration.
undo attribute-ignore standard command
is used to remove the ignore configuration of
RADIUS standard attributes.
undo attribute-ignore vendor vendor-id is
used to remove the ignore configuration of
the given Vendor ID private attribute.
One RADIUS standard attribute can be
configured
with
one
attribute-ignore
command at most; one Vendor ID can bee
configured
with
one
attribute-ignore
command at most. One RADIUS scheme
can be configured with 3 attribute-ignore
commands at most.
Example
# Configure RADIUS scheme system to
ignore the type 81 standard attribute.
[Switch]radius scheme system
[Switch-radius-system]attribute-ignore
standard type 81
# Configure RADIUS scheme system to

ignore the type 22 H3C private attribute with
Vendor ID 25506.
December 20, 2012
Page 20 of 20
Version Number
Item
Description
[Switch-radius-system]attribute-ignore
vendor 25506 type 22
# Remove the standard attribute ignore

configuration of RADIUS scheme system.
[Switch-radius-system]undo
ignore standard
attribute-
# Remove the H3C private attribute ignore

configuration of RADIUS scheme system:
ignore vendor 2011
attribute-
# Remove all the ignore attribute

configurations of RADIUS scheme system:
ignore all
V3.03.02
V3.03.00p03
attribute-
Removed commands
None
Modified Commands
None
New Commands
Please refer to the

Command Manual.
Operation
Manual
and
Removed commands
Please refer to the

Command Manual.
Operation
Manual
and
Modified Commands
Please refer to the

Command Manual.
Operation
Manual
and
New Commands
Command 1:
Syntax
ip address ip-address { mask | masklength } [ sub ]
undo ip address [ ip-address { mask |
mask-length } [ sub ] ]
View
VLAN interface view, loopback interface
view
Parameters
ip-address: IP address, in dotted decimal
notation.
mask: Subnet mask, in dotted decimal
notation.
mask-length: Subnet mask length, the
number of consecutive ones in the mask. It
is in the range of 0 to 32.
sub: Specifies a secondary IP address of a
VLAN or loopback interface.
Description
Use the ip address command to specify an
IP address and mask for a VLAN or
December 20, 2012
Page 21 of 21
Version Number
Item
Description
loopback interface.
Use the undo ip address command to
remove an IP address and mask of a VLAN
or loopback interface.
By default, no IP address is configured for
VLAN or loopback interface.
Note that:
z
If you execute the undo ip address

command without any parameter, the
switch deletes both primary and
secondary IP addresses of the
interface.
The undo ip address ip-address
{ mask | mask-length } command is
used to delete the primary IP address.
The undo ip address ip-address
{ mask | mask-length } sub command is
used to delete specified secondary IP
addresses.
You can assign at most five IP address
to an interface, among which one is the
primary IP address and the others are
secondary IP addresses. A newly
specified primary IP address overwrites
the previous one if there is any.
The primary and secondary IP
addresses of an interface cannot reside
on the same network segment; the IP
address of a VLAN interface must not
be in the same network segment as that
of a loopback interface on a device.
A VLAN interface cannot be configured
with a secondary IP address if the
interface has been configured to obtain
an IP address through BOOTP or
DHCP.
Examples
# Assign the primary IP address 129.12.0.1
and secondary IP address 129.12.1.1 to
VLAN-interface 1 with subnet mask
255.255.255.0.
<Sysname> system-view
System View: return to User View with
Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address
129.12.0.1 255.255.255.0
[Sysname-Vlan-interface1] ip address
129.12.1.1 255.255.255.0 sub
V3.03.00p02
Removed commands
None
Modified commands
None
New commands
Command 1:
Syntax
December 20, 2012
Page 22 of 22
Version Number
Item
Description
igmp-snooping special-query source-ip
{ current-interface | ip-address }
undo
igmp-snooping
source-ip
special-query
View
VLAN view
Parameters
current-interface: Specifies the IP address
of the current VLAN interface as the source
address to be carried in IGMP group-specific
queries. If the current VLAN interface does
not have an IP address, the default IP
address 0.0.0.0 will be used as the source
IP address of IGMP group-specific queries.
ip-address: Specifies the source address to
be carried in IGMP group-specific queries,
which can be any legal IP address.
Description
Use the igmp-snooping special-query
source-ip command to configure the source
address to be carried in IGMP group-specific
queries.
Use the undo igmp-snooping special-query
source-ip command to restore the default.
By default, the Layer 2 multicast switch
sends group-specific query messages with
the source IP address of 0.0.0.0.
Related commands: igmp-snooping querier.
Examples
# Configure the switch to send groupspecific query messages with the source IP
address 2.2.2.2 in VLAN 3.
System view, return to user view with
Ctrl+Z.
[Sysname] igmp-snooping enable
[Sysname] vlan 3
[Sysname-vlan3] igmp-snooping enable
[Sysname-vlan3] igmp-snooping specialquery source-ip 2.2.2.2
V3.03.00
Removed commands
None
Modified Commands
None
New Commands
Please refer to the documents provided by 3Com.
Removed commands
Command 1:
Syntax
December 20, 2012
Page 23 of 23
Version Number
Item
Description
language-mode { english | chinese }
View:
user view
Reason
No need to support Chinese language mode
Modified Commands
Command 1:
Syntax
traffic-limit inbound acl-rule [ unioneffect ] target-rate [ burst-bucket burstbucket-size ] [ exceed action ]
undo traffic-limit inbound acl-rule
View
Ethernet port view
Parameters
inbound: Imposes traffic limit on the packets
received through the interface.
acl-rule: ACL rules to be applied for traffic
classification. This argument can be the
combination of multiple ACLs. For more
information about this argument. Note that
the ACL rules referenced must be those
defined with the permit keyword.
union-effect: Specifies that all the ACL
rules, including those identified by the aclrule argument in this command and those
applied previously, are valid. If this keyword
is not specified, traffic policing issues both
the rate limiting action and the permit action
at the same time, that is, traffic policing
permits the conforming traffic to pass
through. If this keyword is specified, traffic
policing issues only the rate limiting action
but not the permit action. In this case, if a
packet matches both an ACL rule specified
in the traffic-limit command and another
previously applied ACL rule with the deny
keyword specified, the packet will be
dropped.
On Ethernet 1/0/1, assume that the filter

command is configured to filter packets
destined to IP address 2.2.2.2 and the
traffic-limit command is configured to limit
December 20, 2012
Page 24 of 24
Version Number
Item
Description
the rate of packets sourced from IP address
1.1.1.1 within 128 kbps. Whether packets
conforming to the rate limit of 128 kbps,
sourced from IP address 1.1.1.1, and
destined to IP address 2.2.2.2 (referred to
as packets A later) will be dropped depends
on the union-effect keyword of the trafficlimit command.
z
If the union-effect keyword is not
specified, the traffic-limit command
issues both the rate limiting action and
the permit action. Whether packets A
can pass through depends on the
configuration order of the filter
command
and
the
traffic-limit
command. If the traffic-limit command
is configured after the filter command is
configured, packets A can pass through;
otherwise, packets A are dropped.
z
If the union-effect keyword is specified,
the traffic-limit command issues only
the rate limiting action. Whether packets
A can pass through depends on the
filter command. As for this example,
packets A are dropped.
target-rate: Target packet rate (in kbps) to be
set. The range of this argument varies with
the port type as follows.
z
z
Fast Ethernet port: 64 to 99,968

Gigabit Ethernet port: 64 to 1,000,000
The granularity of rate limit is 64 kbps. If the

number you input is in the range N*64 to
(N+1)*64 (N is a natural number), it will be
rounded off to (N+1)*64.
burst-bucket burst-bucket-size: Specifies
the maximum burst traffic size (in KB)
allowed. The burst-bucket-size argument
ranges from 4 to 512 and defaults to 512.
Note that it must be an integer power of 2.
exceed action: Specifies the action to be
taken when the traffic rate exceeds the
threshold. The action argument can be:
z
z
drop: Drops the packets.

remark-dscp value: Sets a new DSCP
value for the packets and then forwards
the packets.
Description
Use the traffic-limit command to enable
traffic policing and set the related settings.
Use the undo traffic-limit command to
disable traffic policing for packets matching
specific ACL rules.
Related commands: display qos-interface
December 20, 2012
Page 25 of 25
Version Number
Item
Description
traffic-limit.
Examples
# Configure traffic policing for inbound
packets sourced from VLAN 200 on Ethernet
1/0/1, setting the target packet rate to 128
kbps, burst bucket size to 64 KB, and
configuring to drop the packets exceeding
the rate limit.
Ctrl+Z.
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000]
rule
permit source 200
[Sysname-acl-ethernetframe-4000] quit
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1]
traffic-limit
inbound link-group 4000 128 burstbucket 64 exceed drop
Command 2:
Syntax
line-rate { inbound | outbound } target-rate
[ burst-bucket burst-bucket-size ]
undo line-rate{ inbound | outbound }
View
Ethernet port view
Parameters
inbound: Limits the inbound packet rate.
outbound: Limits the outbound packet rate.
target-rate: Total target rate (in kbps). The
range of this argument varies with port type
as follows:
z
z
Fast Ethernet port: 64 to 99,968;

GigabitEthernet port: 64 to 1,000,000.
The granularity of port rate limit is 64 kbps.

Assume that the value you provide for the
target-rate argument is in the range N*64 to
(N+1)*64 (N is a natural number), it will be
rounded off to (N+1)*64.
burst-bucket burst-bucket-size: Specifies
the maximum burst traffic size (in KB). This
is the buffer size provided for burst traffic
while traffic is being forwarding or received
at the rate of target-rate. The burst-bucketsize argument must be an integer power of
2, in the range of 4 to 512. If it is not
specified, 512 KB applies by default.
Description
December 20, 2012
Page 26 of 26
Version Number
Item
Description
Use the line-rate command to limit the rate
of the inbound or outbound packets on a
port.
Use the undo line-rate command to cancel
the line rate configuration.
Compared to traffic policing, line rate applies
to all the inbound or outbound packets
passing through a port and thus a simpler
solution when you only want to limit the rate
of all the inbound or outbound packets
passing through a port as a whole.
Examples
# Limit the inbound packet rate to 128 kbps
on Ethernet 1/0/1 and provide 32 KB of
buffer for burst traffic.
Ctrl+Z.
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1]
line-rate
inbound 128 burst-bucket 32
# Display the line rate configuration of

Ethernet 1/0/1.
[Sysname-Ethernet1/0/1] display qosinterface Ethernet 1/0/1 line-rate
Ethernet1/0/1: line-rate
Inbound: 128 Kbps
Burst bucket size: 32 Kbyte
Command 3:
Syntax
display vlan [ vlan-id1 [ to vlan-id2 ] | all |
dynamic | static ]
View
Any view
Parameters
vlan-id1: Specifies the ID of a VLAN of which
information is to be displayed, in the range
of 1 to 4094.
to vlan-id2: In conjunction with vlan-id1,
define a VLAN range to display information
about all existing VLANs in the range. The
vlan-id2 argument takes a value in the range
of 1 to 4094, and must not be less than that
of vlan-id1.
all: Displays information about all the
VLANs.
dynamic: Displays the number of dynamic
VLANs and the ID of each dynamic VLAN.
Dynamic VLANs refer to VLANs that are
December 20, 2012
Page 27 of 27
Version Number
Item
Description
generated through GVRP or
distributed by a RADIUS server.
those
static: Displays the number of static VLANs

and the ID of each static VLAN. Static
VLANs refer to VLANs manually created.
Description
Use the display vlan command to display
information about VLANs. The output shows
the ID, type, VLAN interface state and
member ports of a VLAN.
If no keyword or argument is specified, the
command displays the number of existing
VLANs in the system and the ID of each
VLAN.
Command 4:
Syntax
display ntdp device-list [ verbose ]
View
Any view
Parameters
verbose: Displays the detailed information
of devices in a cluster.
Description
Use the display ntdp device-list command
to display the cluster device information
collected by NTDP.
Examples
# Display the list of devices collected by
NTDP.
<Sysname> display ntdp device-list
MAC
HOP
IP
PLATFORM
000f-e20f-3901
0
100.100.1.1/24
Switch 4500
000f-e20f-3190
1
16.1.1.1/24
Switch 4500
V3.02.00p02
New Commands
Command 1:
Syntax
port-security enable
undo port-security enable
View
December 20, 2012
Page 28 of 28
Version Number
Item
Description
System view
Parameters
None
Description
Use the port-security enable command to
enable port security.
Use the undo port-security
command to disable port security.
enable
By default, port security is disabled.

Caution
Enabling port security resets the following
configurations on the ports to the defaults
(as shown in parentheses below):
z
802.1x (disabled), port access control
method (macbased), and port access
control mode (auto)
z
MAC authentication (disabled)
In addition, you cannot perform the abovementioned configurations manually because
these configurations change with the port
security mode automatically.
Examples
# Enable port security.
Ctrl+Z.
[Sysname] port-security enable
Notice: The port-control of 802.1x
will be restricted to auto when portsecurity is enabled.
Please wait... Done.
Command 2: Configures port-security mode

Syntax
port-security port-mode { autolearn |
mac-and-userlogin-secure | mac-anduserlogin-secure-ext | mac-authentication
| mac-else-userlogin-secure | mac-elseuserlogin-secure-ext | secure | userlogin |
userlogin-secure | userlogin-secure-ext |
userlogin-secure-or-mac
| userloginsecure-or-mac-ext | userlogin-withoui }
undo port-security port-mode
View
Ethernet port view
December 20, 2012
Page 29 of 29
Version Number
Item
Description
Description
Use the port-security port-mode command
to set the security mode of the port.
Use the undo port-security port-mode
command to restore the default mode.
By default, the port is in the noRestriction
mode, namely access to the port is not
restricted.
Before setting the security mode to

autolearn, you need to use the portsecurity max-mac-count command to
configure the maximum number of MAC
addresses allowed on the port.
When a port operates in the autolearn
mode, you cannot change the maximum
number of MAC addresses allowed on
the port.
After setting the security mode to
autolearn, you cannot configure static
or blackhole MAC addresses on the
port.
When the port security mode is not
noRestriction, you need to use the
undo
port-security
port-mode
command to change it back to
noRestriction before you change the
port security mode to other modes.
On a port configured with a security mode,

you cannot do the following:
z
z
z
z
Configure the maximum number of

MAC addresses that can be learned.
Configure the port as a reflector port for
port mirroring.
Configure the port as a Fabric port.
Configure link aggregation.
Note that:
If port security is enabled in system view and dot1X
or MAC authentication is enabled on a port, some
port-security related commands are executed on
the port automatically. These commands cant be
executed manually for compatibility with later
releases. The details are as follows.
1) If MAC-authentication and MAC-based dot1X are
enabled on a port, the following command is
executed on the port automatically.
December 20, 2012
Page 30 of 30
Version Number
Item
Description
port-security
secure-ext
port-mode
mac-else-userlogin-
2) If MAC-based dot1X is enabled on a port, the

following command is executed on the port
automatically.
port-security port-mode userlogin-secure-ext
3) If port-based dot1X is enabled on a port, the
automatically.
port-security port-mode userlogin
4) If mac-authentication is enabled on a port, the
automatically.
port-security port-mode mac-authentication
V3.02.00
V3.01.00
Removed commands
None
Modified Commands
None
New Commands
Please refer to the command manuals
Removed commands
None
Modified Commands
Please refer to the command manuals
New Commands
First release; please refer to the manuals.
Removed commands
Modified Commands
MIB Updates
Table 7 MIB updates
Version number
V3.03.02p21
V3.03.02p20
V3.03.02p19
V3.03.02p15
V3.03.02p11
V3.03.02p09
December 20, 2012
Item
MIB file
Module
Description
New
None
None
None
Modified
None
None
None
New
None
None
None
Modified
None
None
None
New
None
None
None
Modified
None
None
None
New
None
None
None
Modified
None
None
None
New
None
None
None
Modified
None
None
None
New
None
None
None
Page 31 of 31
Version number
V3.03.02p06
V3.03.02p05
V3.03.02p04
V3.03.02p03
Item
MIB file
Module
Description
Modified
None
None
None
New
None
None
None
Modified
None
None
None
New
None
None
None
Modified
None
None
None
New
None
None
None
Modified
None
None
None
New
1) H3C-VOICEVLAN-MIB
1) VOICE
VLAN
2) H3C-LLDPEXT-MIB
2) LLDP
1) Add node
h3cVoiceVlanPortLe
gacy and
h3cVoiceVlanPortQo
sTrus in
h3cvoiceVlanPortTa
ble to control 'voice
VLAN legacy' and
'voice VLAN QOS
trust'.
2) Adding the following
private MIB:
(1)
h3clldpAdminStatus:
Enable/Disable
LLDP in global;
(2)
h3clldpComplianceC
DPStatus: LLDP
supports CDP in
global;
(3)
h3clldpPortConfigTa
ble:LLDP port
configure table;
(4)
h3clldpPortConfigPo
rtNum: LLDP port
number;
(5)
h3clldpPortConfigCD
PComplianceStatus:
LLDP supports CDP
in port
V3.03.02p01
December 20, 2012
Modified
None
None
None
New
None
None
None
Page 32 of 32
Version number
Item
Modified
MIB file
Module
a3com_domain_tr
ee.c
h3cDomain
VlanAssign
Mode
Description
The vlan assignment
mode SHOULD be the
same as the mode of
the corresponding
server.
1 (integer) - Integer
Vlan assignment mode.
2 (string) - String Vlan
assignment mode.
3 (vlanlist) - VLAN-List
Vlan assignment mode.
The default value is
integer.
The 3rd mode is to
support auto-vlan
feature, which will be
supported on the new
software version.
V3.03.00p03
New
None
None
None
Modified
dot1X_tree.c
dot1XPaeP
ortInitialize
After you set the

attribute of the module
to true, all 802.1X users
on the corresponding
port are disconnected,
and then the attribute of
the module returns to
false.
If you perform get
operations on the
module, it always
returns false.
Configuration Changes
V3.03.02p21 Operation Changes
None

1)
Modified the value of node hh3cUserPassword in HH3C-USER-MIB due to security concerns.

When read, hh3cUserPassword always returns a zero-length OCTET STRING.
2)
Changed to the operation mode of the hwDHCPSIPInUseTable and hwDHCPSIPInUseExTable

MIB
Before modification, if the switch is enabled with DHCP server and has assigned IP addresses, the
hwDHCPSIPInUseExTable and the hwDHCPSIPInUseTable MIB tables contain IP address
assignment data after an SNMP walk operation is performed on them.
December 20, 2012
Page 33 of 33
After modification, if the switch is enabled with DHCP server and has assigned IP addresses, the
hwDHCPSIPInUseExTable and the hwDHCPSIPInUseTable MIB tables do not contain IP address
assignment data after an SNMP walk operation is performed on them.

1)
The operation of set the maximum number of 802.1X authentication attempts for the MACAuthenticated users that are online
In early version: Unlimited.

In current version: Provide 'dot1x auth-fail-retry' command to set the maximum number of attempts.
By default, the maximum number of attempts is 5.
2)
The operation of EAPOL V2
In early version: The system only supports to process the EAPOL packets of version 1, the EAPOL
packets of version 2 will be dropped.
In current version: The system supports to process the EAPOL packets of version 1 and the EAPOL
packets of version 2
3)
The change to the max value of the dot1x re-authentication timer
The max value of the dot1x re-authentication timer is modified from 7200s (2 hours) to 86400s (24
hours).
4)
The change to the value of Server-Type used in radius access request packets of MAC
authentication
To differentiate the user type, the value of Server-Type used in radius access request packets
changes from 2 to 10 in the case of MAC address authentication. The other authentication keeps the
original value 2.
5)
The 'voice vlan lldp' and fabric aren't mutually exclusive any longer.
6)
The change to ARP packet rate limit function
In early version: ARP packet rate limit can't work if ARP detection isn't enabled.
In current version: ARP packet rate limit works no matter ARP detection is enabled or not.

1)
DHCP Snooping supports forwarding BOOTP packet

1)
The Changes of syslog records WEB user's name
In early version: The syslog records only the user's name after a WEB user log in, such as:
%Apr
7 09:10:24:698 2010 switch WEB/5/USER:- 1 -web login succeed
%Apr
7 09:10:47:961 2010 switch WEB/5/USER:- 1 -web logout
In current version: The syslog records both the user's name and the user's IP address after a WEB
user log in, such as:
%Apr
December 20, 2012
7 09:20:34:698 2010 switch WEB/5/USER:- 1 -web (1.1.1.1) login succeed
Page 34 of 34

%Apr
2)
7 09:20:37:961 2010 switch WEB/5/USER:- 1 -web (1.1.1.1) logout
The Changes of LLDP function
In early version:LLDP packets are forwarded to other ports if LLDP function is disabled globally.
In current version:LLDP packets aren't forwarded if LLDP function is disabled globally.

1)
The change of the bootp reply packets length
In early version:
Switch serves as DHCP relay. If the packet received by the device whose length less than 300 bytes,
the device does not add padding automatically to make packet length to 300 bytes.
In current version:
Switch serves as DHCP relay. If the packet received by the device whose length less than 300 bytes,
the device add padding automatically to make packet length to 300 bytes.
2)
Dot1x free-ip and stack aren't mutually exclusive any longer

1)
The change to DHCP server, DHCP snooping and DHCP Relay
In early version:
DHCP server, DHCP snooping and DHCP Relay can not be enabled at the same time; otherwise PC
can't get IP address successfully.
In current version:
DHCP server, DHCP snooping and DHCP Relay can be enabled at the same time. PC can get IP
address successfully from switch, and of three functions can record its item.

2)
The change to the operation of 'mac-address aging destination-hit enable' command
In early version:
Executing this command, only destination-hit function is enabled.
In current version:
Executing this command, the mac-address synchronization function will also be enabled besides the
destination-hit function.
3)
The change to the 'display mac-address'
In early version:
There is no 'unit id' option, only display mac-address' can be executed to show the mac-addresses
on the current device.
December 20, 2012
Page 35 of 35
In current version:
The 'unit id' option is introduced. Therefore, the mac-address on every unit can be displayed through
display mac-address unit id.

1)
The change to the Syslog
In early version:
Specific syslog messages will be sent to log server from every unit in a stack.
In current version:
Specific syslog messages will be sent to log server only from the master unit in a stack.
2)
The change to VLAN number
In early version:
The device supports 256 VLANs.
In current version:
The device supports 4K VLANs.

1)
The operation of Net2Startup in CONFIG-MAN-MIB
In early version:
Executing "Net2Startup" operation in "CONFIG-MAN-MIB", the filename can not contain directory.
In current version:
Executing "Net2Startup" operation in "CONFIG-MAN-MIB", the filename can contain directory.
2)
Change to the content of option60 field in DHCP packets
In early version:
When the switch is configured as a DHCP client, the option60 field in DHCP discover packets sent by
the switch is filled only with the product series information.
In current version:
When the switch is configured as a DHCP client, the option60 field in DHCP discover packets sent by
the switch is filled with the product series information and other more detailed information.
3)
Change to the source MAC address of Loopback-detection packet
From 3.03.02p03, the source MAC address of Loopback-detection packet is changed from the Bridge
MAC of the device to 00e0-fc09-bcf9.
4)
The operation about Management address in LLDP packets
In early version:
December 20, 2012
Page 36 of 36
If the LLDP management-address has not been configured, the IP address of the VLAN with smallest
ID which the port belongs to will be used. And if the IP address of the VLAN with smallest ID which
the port belong to has not been configured, the loopback IP (127.0.0.1) address will be used.
In current version:
(1) If the LLDP management-address has not been configured, the IP address of the smallest
permitted VLAN whose IP is configured will be used;
(2) If the LLDP management-address has been configured, and the port belongs to the VLAN with the
LLDP management-address, the IP address will be used;
(3) Otherwise, no IP address will be used.
5)
Modification of 802.1X re-authentication with user-name change
In early version:
Doing 802.1X re-authentication with a RADIUS server. Even if user-name changes, the device just
sends RADIUS Access-Request packet for the latter user-name, but does not send RADIUS
Accounting-Stop packet for the former user-name.
In current version:
Doing 802.1X re-authentication with a RADIUS server. If user-name changes, the device sends
RADIUS Accounting-Stop packet for the former user-name firstly, then sends RADIUS AccessRequest packet for the latter user-name.

1)
Optical module recognition changes
Before modification, the switch cannot recognize any optical module with checksum errors.
After modification, the switch can recognize such modules and output corresponding debug
information .
V3.03.02 Operation Changes

1)
The change to the default stp pathcost standard
In early version:
By default, the IEEE 802.1t standard is used to calculate the default path costs of ports.
In current version:
By default, the legacy standard is used to calculate the default path costs of ports.

1)
PoE operation changes
Before modification:
December 20, 2012
Page 37 of 37
The switch will delete the "poe enable" configuration of a port if the port detects overload for three
consecutive times.
After modification:
The switch will not delete the "poe enable" configuration of a port if the port detects overload for three
consecutive times.

1)
dot1x timer tx-period command changes
The interval for sending 802.1X multicast requests set with the dot1X timer tx-period command is in
the range 10 to 120 seconds. If a port joins the guest VLAN upon receiving no response for an
802.1X multicast request, the shortest time for the port to join the guest VLAN is about 10 seconds.
After Modification:
The interval for sending 802.1X multicast requests set with the dot1X timer tx-period command is in
the range 1 to 120 seconds. If a port joins to the guest VLAN upon receiving no response for an
802.1X multicast request, the shortest time for the port to join the guest VLAN is about 1 second.
V3.03.00 Operation Changes

After modification:
1)
Info-center related configuration is placed at the end part of the configuration file.
2)
The vlan-vpn enable command is exclusive with stack configuration only, and can coexist with
other protocols such as STP/GVRP.
3)
The device is compatible with line feed characters "\r\n" and"\n", so that it can exchange files with
the TFTP server running on the UNIX system.
4)
The ping operation performance is improved, but consequently the real time performance of
displaying port statistics is reduced, that is, a delay occurs when you view port statistics.
5)
You can perform port mirroring and mirroring group configuration through the web interface.
6)
The device forwards unknown EAP packets rather than discards them.
7)
The sequence of matching web files is changed from main, backup, default to default, main,
backup.
8)
The device no longer sends PortMstiStateDiscarding trap and log packets when a port goes
down.
Open Problems and Workarounds

None
December 20, 2012
Page 38 of 38
List of Resolved Problems

Resolved Problems in V3.03.02p21
LSOD010610
z
Symptom: The switch may reboot abnormally.
Condition: The XRN function is not enabled and the switch receives XRN packets
LSOD010596
z
Symptom: Because of the weak cryptographic algorithm there is a risk that the stored passwords
possibly be cracked.
Condition: Configure password in ciphertext.

LSOD010562
z
Symptom: There is little possibility that some routes are correct in the FIB table but updated to
hardware incorrectly.
Condition: There are lots of ECMP routes and ARP entrys on the device. Change the state of the
VLAN interface and refresh ARP entries frequently.
LSOD010570
z
Symptom: When access the hh3cUserPassword node of hh3cUserInfoTable by SNMP, the

device returns the user's password.
Condition: Access the hh3cUserPassword node of hh3cUserInfoTable by SNMP.

LSOD010543
z
First Found-in Version: V3.03.02p15
Condition: Switch serves as DHCP server, and the client requests IP addresses from it with its
MAC address and a series of different client IDs.
Description: The usage of CPU of the switch is continuously high when walking DHCP server ipin-use MIB item with a network management tool.
LSOD010537
z
Condition: Switch serves as dhcp-snooping and configures dhcp-snooping information string with
quotation mark.
Description: The DHCP-snooping option 82 field of the packet also contains quotation mark.
ZDD04632/ZDD04712
z
December 20, 2012
Page 39 of 39

z
Condition: In the Access-Accept packet from the RADIUS Server to the client, the sub-attributes
in Attribute 26(Vender-Specific) don't be encapsulated in the type-length-value (TLV) standard
format.
Description: The RADIUS Server sends an Access-Accept response, but the switch drops this
packet because of wrong format. The user can't get online.
ZDD04483/ZDD04548
z
Condition: The device receives LLDP data unit which contain Location ID type-length-value (TLV)
and its LCI length equal to zero. Display neighbor information.
Description: The device reboots abnormally.
LSOD10526
z
Condition: Query the LLDP lldpRemSysName MIB with a 'TimeFilter' value of zero.
Description: Reports No Such Instance currently exists at this OID
LSOD10515
z
Condition:
The default route of the device is an ECMP route and the next-hop of default route has a
blackhole route. Configure routes and VLAN interfaces in sequence, for example:
1) Add default route: ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
2) Add blackhole route with a subnet which covers next-hop IP of default route: ip route-static
1.1.0.0 255.255.0.0 NULL 0
3) Create a link-down VLAN interface with a subnet which covers next-hop IP of default Route ,
the VLAN interface state is changed from DOWN to UP: [switch-Vlan-interface100]1.1.1.10 24
4) Delete the ECMP route: undo ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
5) Check the route table of the device: display drv drv-route
Description: The ECMP route isnt deleted successfully.
LSOD10502
z
Condition: Enable lldp compliance cdp in a stack; the stack has CDP neighbor(s); the stack split
or merge occurs.
Description: There may be memory leaks on all stack members.
LSOD10493/LSOD10496
z
Condition: Port down occurs during the 802.1x authentication on it.
Description: Sometimes, the switch will reboot abnormally.
December 20, 2012
Page 40 of 40
LSOD10482
z
Condition: In a stack, the switch configured global AM user binding item, and it configured port
AM user binding item on some units, and then delete the global AM user binding item.
Description: The AM user binding items are not synchronized on some units.
ZDD04028
z
Condition: Login with hwtacacs, pass the authentication but fail the authorization (no matter
whether the authentication server and the authorization are the same).
Description: Re-free the memory, sometimes cause exception to reboot.
LSOD10465
z
Condition: The user execute the command debugging vty fsm or debugging vty negotiate firstly,
and then execute the command free user-interface vty.
Description: The switch may reboot abnormally.
LSOD10436
z
Condition: Configure EAP authentication on the switch but PAP authentication is used between
the RADIUS server and client.
Description: The switch cannot forward EAP messages with a type value of 7 transparently. The
authentication fails.
LSOD10460
z
Condition: The switch serves as NTP client. The NTP server precision is less than the NTP client.
The NTP client synchronized time from NTP server.
Description: The synchronization fails.
ZDD04119/ZDD04171
z
Condition: Device with LLDP running, such as IP Phone, is connected to switch. The switch
receives LLDP packets from the IP Phone and sets up LLDP neighbor information entry. And the
chassisID of the neighbor information is net address.
Description: The chassisID in the LLDP information displayed on the switch is not correct.
LSOD10418/LSOD10425
z
Condition: Configure one port with 'speed 10' and 'duplex half'. Connect some type of other
device to this port.
Description: The communication speed is slow.
December 20, 2012
Page 41 of 41
LSOD10428
z
Condition: Reboot a fabric with configurations of STP or dot1x and so on.
Description: The devices may fail to build a fabric with little probability after reboot.
LSOD10395/LSOD10396
z
Condition: Switch serves as DHCP relay, it receives DHCP discover packet, the bootp flag of
which is 0x0001.
Description: The switch drops DHCP packet, and DHCP client can not get IP address.
LSOD10391
z
Condition: Configure routes and VLAN interfaces in sequence, for example:

1) Add a valid static route with mask length of 32: ip route-static 2.1.1.2 32 1.1.1.2
2) Create a link-up VLAN interface with a subnet which covers the subnet IP in the above route:
[switch-Vlan-interface1]ip address 2.1.1.1 24
3) Delete the static route: undo ip route-static 2.1.1.2 32
4) Check the FIB table: display fib
Description: The static route isnt deleted successfully.
LSOD10340
z
Condition: Configure dot1x function, and the dot1x authentication-method is EAP. In one second,
the dot1x client sends two EAPOL-start packets in one second to trigger an authentication.
Description: The dot1x authentication failed.
LSOD10272/LSOD10301
z
Condition: With stack and link aggregation over units, the master port from one device has
configured 'port trunk permit vlan all', the slave port from other device has configured 'port trunk
permit vlan 1'.
Description: The slave port is not selected. Configure 'port trunk permit vlan all' under this port is
invalid.
LSOD10303/LSOD10306
z
Condition: Enable DHCP relay with valid configuration. Make the relay receive DHCP inform
packet from client.
Description: DHCP inform packet will be relayed to DHCP server, but the sources IP of the
relayed inform packet will be not DHCP relay's input interface.
December 20, 2012
Page 42 of 42
LSOD10299/LSOD10302
z
Condition: Enable DHCP relay with valid configuration and system server group 1 is referred by
VLAN interface, and DHCP client successfully apply IP address. Create another server group 0
and then delete it in system mode.
Description: After irrelevant server group 0 being created and deleted, DHCP client can not get IP
address.
LSOD10310/LSOD10311
z
First Found-in Version: 3.03.02p15
Condition: A 100M BIDI SFP module is inserted into a combo slot.
Description: The module maybe cant be identified.

LSOD10261/LSOD10269
z
Condition: IGMP packets are received by a port on which 'port-security port-mode autolearn' is
configured.
Description: The source MAC can't be learnt by the device.
LSOD10082/LSOD10232
z
Condition: When STP is disabled, 'loopback internal' test is executed on port A. At the same time,
port B receives an STP packet. Port A and port B are in the same VLAN.
Description: STP packet is sent back from port B.
LSOD10247/LSOD10274
z
Condition: Use the command 'port-security trap dot1xlogon', 'port-security trap dot1xlogoff' or
'port-security trap dot1xlogfailure' to open the trap of dot1x, and the dot1x authentication-method
is EAP, a user logs in successfully, and change the username when doing re-authentication.
Description: Although the re-authentication is successful, the username in the trap dose not
change.
ZDD03292/ZDD03331
z
Condition: Configure the switch as DHCP client, and there is no END option in ACK packet from
DHCP server.
Description: The switch can not get IP address.
LSOD10189/LSOD10187
z
Condition: Plug in BIDI fiber module.
December 20, 2012
Page 43 of 43
Description: The fiber module type is different between log information and the information
displayed by command 'display transceiver interface'.
LSOD10207
z
Condition: Configure the device through Web. Select Port > MAC Address [Add] from the
navigation tree to add MAC address to a port of specified VLAN.
Description: Cannot choose a port of specified VLAN to add MAC address.
LSOD10180
z
Condition: When the first octet of the MAC address of the client or the gateway is not 0x00(such
as 30-00-00-00-00-01).
Description: The EAD-Quick-Deploy feature doesn't work.
LSOD10079
z
Condition: There are telnet users on device, executing display users all command.
Description: The IP address is reduplicated in the result. For example (the italic part is unwanted):
<sysname>display users all

UI
Delay
Type
Ipaddress
Username
Userlevel
F 0
AUX 0
00:01:09
F 1
AUX 1
00:00:00
AUX 2
AUX 3
AUX 4
AUX 5
AUX 6
AUX 7
+ 18.118.118.458
+ 18.118.118.1119
10
VTY 2
11
VTY 3
12
VTY 4
VTY 0
VTY 1
00:00:13
00:00:03
TEL
TEL
18.118.118.45
18.118.118.111
User-interface is active.
User-interface is active and work in async mode.
3
3
LSOD10077
z
Condition: In a fabric, both master and slave were attacked by telnet log on packets.
Description: The ACL resources will leak on master and slave.
LSOD10050
z
Condition: Configure 'pki certificate access-control-policy', then add and remove rule.
December 20, 2012
Page 44 of 44

z
Description: Every operation will lead to 1056 bytes memory leak.
LSOD10083
z
Condition: Switch serves as DHCP snooping, and it receives bootp packets or abnormal DHCP
packets without option 53.
Description: Switch reboots abnormally.
LSOD10016
z
Condition: Switch serve as DHCP snooping, and it receives DHCP ACK packets with source
UDP port 4011.
Description: DHCP snooping can not transmit those DHCP ACK packets.
LSOD10023
z
Condition: Switch serves as DHCP relay and DHCP snooping, PC gets IP address through
switch and renews its IP address.
Description: When PC renew its IP address, DHCP snooping can not refresh its item.

LSOD09957
z
Condition: Configure VLAN-interface A and B on the device. Configure IP address of B as NASIP address of the RADIUS scheme. Do dot.1X authentication with RADIUS server.
Description: NAS-IP address in RADIUS Authentication-Request packet sent to server is IP

address of A, not B.
ZDD02999
z
Condition: Some NMS send messages to the device at the same time.
Description: The device can only process 10 messages in one time, others are dropped.
LSOD09955
z
Condition: A device receives ARP reply packet with VLAN X in 8021.q tag, and the corresponding
VLAN interface X is UP. However, the port that receives the packet is NOT in the VLAN X.
Description: The receiving port learns the ARP by error.
LSOD09894
z
Condition: CPU is busy and there is a lot of trap information in a moment.
Description: device reboots abnormally.
December 20, 2012
Page 45 of 45
LSOD09928
z
Condition: configured 'snmp-agent target-host trap address udp-domain A.B.C.D (D>223) params
securityname RADAR'in system view.
Description: execute 'undo snmp-agent target-host A.B.C.D (D>223) securityname RADAR'

unsuccessfully.
LSOD09920
z
Condition: Configure 'authentication-mode scheme command-authorization' on VTY scheme.

Telnet user passes RADIUS authentication and login the device.
Description: After login, every command executed by user will cause memory leak.
LSOD09911
z
Condition: The switch is enabled with DHCP snooping. The PXE client obtains an IP address
through the switch, and downloads the bootstrap program and boot menu through the switch.
Description: The PXE client can obtain an IP address successfully, but it fails to download the
bootstrap program and boot menu.
LSOD09909
z
Condition: Configure 'mac-address max-mac-count X' on the portA.
Description: The system sometimes prompts 'MAC address table exceeded maximum number X
on interface portA' after the learning MAC count of the port A has not reached the limit.

LSOD09759
z
Condition: Configure ACL group with number between 5000 and 5999, and add at least 2 userdefined ACL rules. These user-defined ACL rules are setup by the command with 'rule-string
rule-mask offset' format, such as 'rule 1 permit 0806 ffff 24 000fe213629e ffffffffffff 34'. Save the
configuration and reboot the switch.
Description: The switch can not boot up successfully because of dead loop.
LSOD09745
z
Condition: In a stack, dot1x is not enabled globally, but enabled on several ports.
Description: Attempt to execute dot1x globally times out and fails.
LSOD09830
z
Condition: The client application does dot1x authentication with TTLS certification.
Description: By chance, the device reboots abnormally for dead loop.
December 20, 2012
Page 46 of 46
LSOD09837
z
Condition: Switch serves as DHCP relay, two PCs get IP address through two different relay
interfaces.
Description: In the offer packets that switch sent to PC, the source IP address in IP header is
incorrect.
ZDD02827
z
Condition: Switch serves as DHCP relay and it receives a bootp packet without magic cookie.
Description: The switch regards the packet as wrong one and drops it.
LSOD09587
z
Condition: Several ACL numbers including the same rule can be applied on one port for trafficpriority action to remark different COS value.
Such as:
Basic ACL
2000, 1 rule
Acl's step is 1
rule 0 permit
Basic ACL
2001, 1 rule
Acl's step is 1
rule 0 permit
interface Ethernet1/0/1
traffic-priority inbound ip-group 2000 rule 0 cos spare
traffic-priority inbound ip-group 2001 rule 0 cos background
z
Description: After one ACL rule is removed from the port, the other ACL rules cant be deleted.
Note: Action traffic-limit/traffic-remark-vlanid has similar problem.
LSOD09728
z
Condition: Execute the command 'virtual-cable-test' in Ethernet interface view.
Description: The command is executed correctly, but it does not give cable length.
LSOD09619
z
Condition: The network device acted as SSH server, and received specific SSH attack packets.
Description: The device will be rebooted abnormally.
LSOD09678
z
Condition: As the following operation:
December 20, 2012
Page 47 of 47
1. Create an SSL server policy, example: ssl server-policy myssl1

2. Https use this SSL server policy, example: ip https ssl-server-policy myssl1
3. Undo use this SSL server policy, example: undo ip https ssl-server-policy
z
Description: This ssl server policy can't be deleted.
LSOD09700
z
Condition: Enable DHCP server and DHCP snooping on switch. The pool lease of DHCP server
is set less than one minute, and lots of users get IP address from switch.
Description: The memory exhausted on switch.
LSOD09499
z
Condition: When 802.1X authentication and mac-authentication are both enabled on the port, the
user first pass the mac-authentication and success get IP address by DHCP, then do 802.1X
authentication success and get IP address by DHCP again.
Description: Sometimes the IP address shown by the command "display connection" is in reverse
order.
LSOD09555
z
Condition: On the authentication port Y, execute undo dot1x command and then execute dot1x
command during dot1X authentication.
Description: In a very small chance, the information Port Y is Processing Last 802.1X command...
Please try again later. is shown.
LSOD09550
z
Condition: Configure dot1x timer server-timeout to X seconds, and configure dot1x

authentication-method eap. Do dot1X authentication. The EAP Request Challenge packet from
the switch to the client gets no response.
Description: The switch will not send EAP Failure packet until (X+80) seconds after.
LSOD09598
z
Condition: Configure accounting optional. And configure dot1x timer server-timeout to X

seconds. Do dot1X authentication with RADIUS server. When logging in, accounting-Start packet
from the switch to the RADIUS server gets no response.
Description: After log out, the client can not log in again until X seconds after.
LSOD09554
z
December 20, 2012
Page 48 of 48

z
Condition: The switch enables DHCP snooping and the up-link port of the switch is configured as
the trust port of DHCP snooping. The DHCP server and the users PC are connected to the uplink port of the switch.
Description: DHCP snooping record the user item on trust port.
LSOD09521
z
Condition: STP or MSTP is enabled on the device. There are dynamic ND entries or
short-
static resolved ND entries on one port whose STP state is changed from 'Forwarding' to
'Discarding'.
z
Description: 1). Dynamic ND entries on the port are not deleted.

2). Short-static resolved ND entries on the port are not changed to INCMP state.
Note: Short-static ND entry is configured by command line. The entry doesn't have port information.
The port information will be learnt by ND packets. When the port information is learnt, the ND entry is
called short-static resolved ND entry.
Short-static ND entry Example: ipv6 neighbor 3000::1 0000-0002-0002 interface vlan-interface 1.
LSOD09717/LSOD09709
z
Condition: Configuring 'authentication-mode scheme command-authorization' on the
user
interface, a user telnet the switch and logging in successfully through local authentication mode,
then the user running a valid command such as 'quit' through telnet.
z
Description: The device will be rebooted abnormally.
LSOD09572/LSOD09605
z
Condition: Configuring the switch as a DHCP server, an IP phone connecting the switch and
getting voice VLAN ID and IP address from the switch.
Description: The IP phone can not get voice VLAN ID and IP address successfully within 25
seconds.

LSOD09324
z
Condition: Configure IPv6 ACL rule including COS or VID by WEB or command line.
Description: The rule is configured successfully by WEB, but unsuccessfully by command line.
LSOD09537
z
Condition: User's MAC item moves from port A to port B in switch. Port A is a single port, port B
is in the aggregation group whose master port is down.
Description: User's ARP item can not be updated by MAC item.
December 20, 2012
Page 49 of 49
LSOD09483
z
Condition: Test the IPV6 communication between a device and a stack that has an aggregation
group across different units.
Description: The stack device can not communicate with other device.
LSOD09498
z
Condition: Connect with huawei S2300. Enable LLDP and show LLDP neighbor information.
Description: The 'Management address OID' section of neighbor information will be garbage
characters.
LSOD09434
z
Condition: In domain view, configure authentication scheme to be radius scheme, but do not
configure accounting scheme. Configure accounting optional.
Description: Users can not log-in successfully.
LSOD09447
z
Condition: Do 802.1X authentication with iNode client (whose version is lower than V3.60-E6206)
on PC, and upload IP address option is chosen. PC gets IP address from DHCP server.
Description: The switch passes empty user-name to the RADIUS server, and authentication fails.
LSOD09406
z
Condition: There are many switches serve as DHCP snooping in network. PC applies for IP
address through DHCP snooping and finally get a conflict one.
Description: The DHCP Decline packets broadcast in network for a while.
LSOD09332
z
Condition: Configure DHCP rate limit on port, and display the configuration.
Description: The switch shows the default configuration.
LSOD09048
z
Condition: Configure the ipv6 ACL that include destination IP address and source IP address in
sequence.
Description: The source IP address includes part of the destination IP address in the current
information.
LSOD09439
z
December 20, 2012
Page 50 of 50

z
Condition: Configure port-security auto learn mode on port A. Delete all MAC-address and
change the VLAN ID of the port A while there are background traffic.
Description: The MAC of the old VLAN is left occasionally.
LSOD09268
z
Condition: Connect device to HUAWEI S2300 and running LLDP.
Description: The device can not find S2300 as LLDP neighbor.
LSOD09295
z
Condition: Dot1x is enabled on a device. Ping the device with IPv6 address from an
unauthenticated PC.
Description: The device makes a response to the ping request.

LSOD09096
z
Condition: Connect PC to port A of a slave device in stack. After reboot the slave device, the port
A enters guest-VLAN.
Description: Display interface information on the master of stack. It is shown that the port A is not
in the guest-VLAN.
LSOD09204
z
Condition: Connect PC to port A. Configure port-security on port A (the port-mode is mac-anduserlogin-secure, userlogin-secure-or-mac, mac-else-userlogin-secure, userlogin-secure or
userlogin-withoui). Do 802.1X authentication with windows XP client on PC.
Description: After log-in, windows XP client does re-authentication frequently.
LSOD09167
z
Condition: Many 802.1X users are on-line on the same device (about 1000). In system-view,
execute undo dot1x command, and then execute dot1x command.
Description: Executing the dot1x command always fails, and the system prompts Processing
Last 802.1X command... Please try again later.
LSOD09156
z
Condition: In stack, do 802.1X authentication with iMC server. User A log-in, then user B log-in
from another device of the fabric with the same user-name of A.
Description: The iMC server forces user A to log-out.
December 20, 2012
Page 51 of 51
LSOD08866
z
Condition: Walk the entAliasMappingIdentifier node.
Description: The multiple entities of walk result have the same index which causes the failure in
synchronizing device data through SNMP network management.
LSOD09143
z
Condition: The device has been configured igmp-snooping non flooding function. The VLAN X is
configured igmp-snooping function and configures port Y as static router port. VLAN X receives
unknown multicast flow, and then disables igmp-snooping function in VLAN X.
Description: The port which is not router port can receive unknown multicast flow.
LSOD09176
z
Condition: Enable voice VLAN legacy and connect an IP phone to switch.
Description: The switch may ignore CDP packets from IP phone, and voice VLAN will not work.
LSOD09145
z
Condition: Voice VLAN, dot1x (or port-securtiy) and DHCP-launch are enabled on the device,
and then the device receives DHCP Discover packet or DHCP Request packet whose source
MAC address is belong to a Voice VLAN OUI.
Description: The source MAC address of DHCP Discover packet or DHCP Request packet can
not be learnt. The correct behavior is: the source MAC address should be learnt.

LSOD09059
z
First Found-in Version: V3.03.00
Condition: configure "dot1x guest-vlan" on the port. Users succeed in authentication, and
authorization VLAN is assigned to the port. After that, configure "undo dot1x" on the port.
Description: In a very tiny chance, the port remains in the authorization VLAN.
ZDD02152
z
Condition: Switch work as Telnet client or server. Input non-english character after login.
Description: Possible unexpected logout.
LSOD08964
z
Condition: Enable DHCP snooping and DHCP snooping option 82 on switch with replacing
strategy.
Description: Switch can not replace OPTION 82 of DHCP discover packet correctly.
December 20, 2012
Page 52 of 52
LSOD09106
z
Condition: EAD fast deployment is enabled on the port connecting the switch to a client, and no
VLAN-interface is created for the VLAN where the port resides. The client sends repetitive HTTP
requests or out-of-sequence HTTP packets when it is unauthenticated and accesses the network.
Description: A memory leak occurs.
LSOD09080
z
Condition: Access MIB node "hwNDPPortStatus" on a stack.
Description: Each slave unit leaks 9K-byte memories every time. No memory leakage occurs on
master unit.
LSOD08774
z
Condition: Do EAD authentication with iMC server.
Description: The user goes off-line soon after passing the security checking.
LSOD09095
z
Condition: Enable 802.1x authentication on a device, and connect a PC to a trunk port of the
device through a Netgear switch. The data traffic should be tagged when it passes the trunk port.
Then do 802.1x authentication.
Description: After log-on, PCs MAC-Address is learnt in the PVID VLAN of the port, not the
tagged VLAN. So, the port can not forward the data traffic.
LSOD09097
z
Condition: The device has been configured user ACL remark VLAN ID, and user VLAN ID is
configured as multicast VLAN ID. The device receives IGMP report message from the host.
Description: The device can not transmit IGMP report message to upstream device periodically,
so as to multicast stream to be interrupted.
LSOD09102
z
Condition: Set up an extended IP ACL with number 3000, and add a rule with protocol key. Such
as "rule 0 permit ip", in which "ip" means IP protocol. View the configuration file by "more"
command after saving configuration, or display the current configuration.
Description: The protocol key of the rule in the configuration becomes capital, and it will be
lowercase in current version. For example, former version shows up "rule 0 permit IP" and
current version shows "rule 0 permit ip". There is no any effect for function.
LSOD09100
z
December 20, 2012
Page 53 of 53

z
Condition: Net management software, which is using SNMP, is connected to the slave device in a
stack.
Description: Execute setting operation; the operation can be succeeding, but the device cannot
send SNMP response to the net management software.
LSOD09045
z
Condition: A large amount of security MAC addresses are learnt in a stack.
Description: Several MAC address can not be aged after aging timer is reached.
LSOD08988
z
Condition: One user with privilege level 0 login the web management interface.
Description: WEB can not show the page of "Help".

LSOD08968
z
Condition: Enable mac-authentication and set the offline-detect timer to be larger than one half of
mac-address aging timer on the switch. And connect a PC to the switch to do mac-authentication,
but the traffic sent from the PC is very small, such as only sending one packet every 2 or 3
minutes.
Description: The PC may log off probably even though the mac-address of the PC has not agedout on the switch.
LSOD08964
z
Condition: A switch serves as DHCP SNOOPING, and enable DHCP SNOOPING OPTION 82
function with replace strategy on the switch.
Description: The switch can not replace the OPTION 82 of DHCP discover packet correctly.
LSOD06917
z
Condition: In the following network, the monitor port is on the master device (UNIT 1). After
rebooting fabric with saved configuration, configure the ports of UNIT 3 as the source mirroring
port and the monitor port.
December 20, 2012
Page 54 of 54

z
Description: The fabric can't ping the PC connected to the mirroring port successfully.
LSOD08776
z
Condition: Execute "ip host" command and the "hostname" parameter includes "-" character.
Description: The command fails and the message of "Invalid host name format!" is prompted.
LSOD08782
z
Condition: Enable dot1x function and some dot1x clients are on-line.
Description: The ports which have passed dot1x authentication will forward the unicast EAP
packets to the entire vlan.
LSOD08757
z
Condition: Enable NDP on a fabric system and many NDP adjacent devices attached to the same
port of the device.
Description: When getting the NDP neighbor information through SNMP, the usage of CPU of the
device is high.
LSOD08753
z
Condition: Enable NTP on a fabric system, the NTP server is connected to one port of the slave
device.
Description: When working in NTP multicast client modes, the stack device can not synchronize
the clock from NTP Server.
LSOD08892
z
Condition: The devices are in a fabric. Lots of VLAN and some MSTP instances are configured.
Execute the command "active region-configuration".
Description: There is little probability that the command fails and the device outputs the following
information: Command synchronization failed, please try later...
LSOD08819
z
Condition: The last port of a device in a fabric has a link-up state and is configured with link-delay.
Reboot the fabric after saving configuration.
Description: There is little probability that the port mentioned above can't send packets.
LSOD08905
z
Condition: Execute command "display memory" in a stack composed of multiple devices. Press
"Ctrl+C" before the display process completes.
Description: A memory leak of 1K bytes occurs.
December 20, 2012
Page 55 of 55
LSOD08907
z
Condition: Access a device repeatedly by SSH with public key authentication.
Description: An exception may occur on the device at little probability.
LSOD08729
z
Condition: Set port-security as "and" mode in device. Some users do MAC and dot1x
authentication on several ports at the same time.
Description: The dynamic "auto vlan" is added to some port's configuration.
LSOD08843
z
Condition: Set port-mirroring function on web.
Description: The CPU usage of device is up to 100%, and the information of port-mirroring can't
be normally displayed at web view.
LSOD08788
z
Condition: The 802.1x server is CAMS or iMC, the device enable DHCP snooping or DHCP relay,
the 802.1x client which is on-line requests ip address frequently.
Description: The device send accounting update packet to server frequently, which lead the
802.1x client off-line.
LSOD08808
z
Condition: The IP address of a WEB server is the same as that of the vlan-interface of a device.
Description: After user login through web-authentication, the user's layer-2 traffic can't be
forwarded normally.
LSOD08738
z
Condition: When congestion happens on a port, enable burst mode function.
Description: All packets can't be forwarded on the port.
LSOD08679
z
Condition: Units A, B, and C are in the same stack. An 802.1x user logs in through Port X of unit
A, and Port X is assigned to the authorization VLAN (PVID or auto VLAN). Reboot unit B. Then
the user in unit A logs off, and Port X leaves the authorization VLAN.
Description: After the user logs off, execute the display interface command on units A and B to
display information about port X. It is showed that the port is no longer in the authorization VLAN.
Execute the display command on unit C, and it is showed that the port is still in the authorization
VLAN.
December 20, 2012
Page 56 of 56
LSOD08657
z
Condition: In a stack device, configure port security in autolearn mode for a port, and set the
max-mac-count limit. Let the port learn MAC addresses automatically, and make MAC count of
the port reach the limit.
Description: Try to add one more MAC address to the port using the mac-address security
command. Although a failure information is showed, the display mac-address command shows
that the additional MAC address is added actually, making the MAC count of the port exceed the
limit.
LSOD08665
z
Condition: In a stack, enable port security in autolearn mode and aging mode on ports. After the
security MAC is learnt, disable the port security feature when the security MAC is aging.
Description: The device reboots.
LSOD08631
z
Condition: Enable 802.1X and debugging for RADIUS packets. Lots of users log on and then log
off.
LSOD08656
z
Condition: Configure the multicast static-group command on a device configured with multicast
VLAN.
Description: When deleting the multicast static-group configuration, the IGMP snooping groups
can't be removed.
LSOD08713
z
Condition: Display the voice VLAN information of an LLDP neighbor.
Description: The COS value and DSCP value of the voice VLAN are incorrect.
LSOD08716
z
Condition: Configure the lldp compliance CDP command on a switch to communicate with a
Cisco device through Cisco CDP version 1.
Description: The duplex mode of the LLDP neighbor displayed is incorrect.
LSOD08575
z
Condition: When non-flooding is enabled, the device acts as the NTP client in the multicast mode
to synchronize timekeeping.
Description: The timekeeping of the device can not be synchronized.
December 20, 2012
Page 57 of 57
LSOD08674
z
Condition: In a stack, there is global am user-bind in the startup configuration file. After rebooting,
the minimum Unit ID is not that of the master. Configure global am user-bind again and then
delete all the global am user-bind from the slave units.
Description: The device displays the checksum different from that of unit 1 when you save the
configuration.
LSOD08652
z
Condition: Add a hybrid port to the Guest VLAN of 802.1x, and then use the undo port hybrid vlan
command to remove the port from the Guest VLAN.
Description: The display interface command shows that the port is still in the Guest VLAN.
Actually, the port is not in the VLAN.
LSOD08675
z
Condition: In a stack, a port in unit A is assigned to the guest VLAN (VLAN x) of port security.
Then send packets with authenticated MAC addresses as source MAC to the port continuously.
Description: After the port is removed from the guest VLAN, PVID of the port changes back to the
original VLAN y. Execute the display mac-address on unit B, and some dynamic MAC addresses
in VLAN y without authentication are displayed.
LSOD08678
z
Condition: Reboot the master device of a stack.
Description: Failed to discover LLDP neighbors on an STP port in Discarding state.
LSOD08726
z
Condition: There are several units in a stack. Reboot the master device of the stack.
Description: The VRRP function becomes abnormal.
LSOD08667
z
Condition: Use the display transceiver xxx command to check the Copper SFP information.
Description: The device does not support displaying Copper SFP information.
LSOD08673
z
Condition: Configure am user-bind in system view of a stack member.
Description: The packets with authenticated MAC addresses as source MAC can not be
forwarded by the other units of the stack.
December 20, 2012
Page 58 of 58
LSOD08570
z
Condition: Enable the port security feature on a stack, and set the intrusion mode to blockmac.
After one port (for example, port A) learns some blocked MAC addresses, remove the device to
which port A belongs from the stack.
Description: Such blocked MAC addresses on the other devices of the stack can not be removed.
LSOD08734
z
Condition: Enable STP and loopback detection in both interface view and system view. A loop
occurs on the port.
Description: The loop on the port can not be detected.

LSOD08278
z
First found-in version: V3.03.02
Condition: Run command update fabric filename on device A, which is in a stack.
Description: A memory leak of 256 bytes occurs.
LSOD08284
z
Condition: Reboot a stacking device.
Description: After reboot, there is little probobility that some MAC entry information in the MAC
forwarding table cannot be displayed.
LSOD08291
z
Condition: Set the authentication mode with the command xrn-fabric authentication-mode md5
STRING<1-16> in a stack. Set the MD5 password twice, and the last configured password has
16 characters. Save the configuration and reboot a device in the stack.
Description: After startup, the stack cannot be established and the stack ports are in isolated
state (auth failure).
LSOD08603
z
Condition: Execute the dot1x authentication-method pap command.
Description: A user whose password has two characters cannot pass dot1x authentication.
LSOD08460
z
Condition: The device is enabled with voice VLAN, dot1x (or port-security with userlogin,
userloginext, userloginsecure mode) and DHCP-launch.
Description: A PC connected to the device cannot pass dot1x authentication.
December 20, 2012
Page 59 of 59
LSOD08576
z
Condition: There are security MAC addresses in the switch. Then walk dot1qTpFdbStatus node
through SNMP.
Description: The result is incomplete.
LSOD08651
z
Condition: Enable DHCP-snooping on a ring-mode stack. The DHCP server and DHCP client
connect to different stacking units. The port connected to the DHCP server is configured with the
dhcp-snooping trust command and belongs to a link-aggregation group.
Description: The DHCP client will get duplicate DHCP ACK packets when requesting an IP
address.
LSOD08655
z
Condition: Configure a space-included string for DHCP server option 130 .
Description: The operation fails.
LSOD08646
z
Condition: The member ports of a link-aggregation group which belong to different units are
configured as mirrored ports. The mirroring-group monitor port and the link-aggregation group
master port are on the same unit.
Description: The LLDP information on the master port of the link-aggregation group is wrong.
LSOD08628
z
Condition: Get the value of node lldpRemPortDescription via MIB.
Description: The result is the same as ifAlias. In fact, that value should be the same as ifDesc.
Resolved Problems in V3.03.02

LSOD08196
z
First found-in version: V3.03.00p03
Condition: The switch is the first-hop router of a multicast source, and another vendors device
(for example, IP 8800 of NEC) is the RP. The RP cannot create multicast entries through PIM null
register packets. When the link between the first-hop router and the RP breaks, the multicast
entries on the RP are aged out.
Description: When the link between the first-hop router and the RP recovers, the RP cannot
create multicast entries.
LSOD08193
z
Condition: Configure password information.
December 20, 2012
Page 60 of 60

z
Description: The password can be displayed in log information, compromising security.
LSOD08145
z
Condition: Enable selective QinQ, and configure outer VLAN tag-to-inner VLAN tag mappings
until the system resources become insufficient.
Description: Configured mappings cannot be deleted. To delete them, you need to restart the
device.

LSOD07956
z
Condition: Get the value of module0 under the entPhysicalVendorType MIB node.
Description: The returned value is Null, which should be 256.
LSOD07413
z
Condition: Two switches comprise a cluster. The header legal command is configured on the
member switch. Execute the cluster switch-to 1 command on the command switch to log into
the member switch.
Description: The login operation fails no matter whether "Y" or "N" is input.
LSOD07744
z
Condition: Modify RADIUS scheme configuration through the CLI and web interface respectively
when there exist online users.
Description: Modification through CLI fails, while modification through web interface succeeds.
LSOD07980/ LSOD07531/LSOD07749
z
Condition: A PC acts as an administrator user and its MAC address is configured as a static MAC
address on the switch.
Description: Logging into the web NM interface of the switch from the PC fails because the login
request is redirected to the EAD server.
LSOD07692
z
Condition: Configure the maximum hops of topology discovery with the ntdp hop xxx command.
If the new maximum hop number is less than the previous one, a cluster is built on the device.
Description: Devices beyond the maximum hops of topology discovery also join the cluster.
LSOD07939
z
December 20, 2012
Page 61 of 61

z
Condition: Local user User 1 sets the access-limit to N on the switch. Then, N local users except
for User 1 log into the switch (Local users can be FTP/ LAN-access/SSH/telnet/terminal users. If
a user logs into the switch through 2 ways at the same time, for example, FTP and telnet, the
user is counted as two logged-in users.).
Description: User 1 cannot log in to the switch.
LSOD08070
z
Condition: Configure the dot1x authentication-method eap command in system view, and
configure the port-security port-mode mac-and-userlogin-secure or port-security port-mode
mac-and-userlogin-secure-ext on a port that is connected to a PC. The PC passes 802.1X
authentication but fails MAC authentication .
Description: The PC goes online. (It is required that the PC can go online after passing both
802.1X authentication and MAC authentication.)
LSOD08034
z
Condition: The switch acts as the SSH/Telnet server, and SecureCRT acts as the SSH/Telnet
client. After the client logs into the server, copy a lot of configuration setting into the client window.
Description: Some configurations are lost.
LSOD07962
z
Condition: Configure an ACL rule and configure a description for the rule. View ACL rule
information through the web interface.
Description: Two entries for the rule exist, and one entry is empty.
LSOD08035
z
Condition: A stacking switch serves as a DHCP client and gets an IP address from the DHCP
server. When the client renews its lease, the DHCP server returns a NAK packet.
Description: DHCP clients on the master and slave devices in the stack have different states.
LSOD08049
z
Condition: The switch receives a packet with a broadcast destination MAC address and a unicast
destination IP address other than the IP address of the receiving VLAN interface.
Description: The switch can't send a redirect packet to the sender.
LSOD08101
z
Condition: Enable DHCP snooping on the switch.
Description: The device can't forward DHCP packets whose UDP source port is 68 and whose
UDP destination port is neither 67 nor 68.
December 20, 2012
Page 62 of 62
LSOD08106
z
Condition: Enable selective QinQ, and configure outer VLAN tag-to-inner VLAN tag mappings
until the system resources become insufficient.
Description: Configured mappings cannot be deleted. To delete them, you need to restart the
switch.
LSOD08118
z
Condition: Update the software from version A (V3.01.xx and V3.02.xx) to version B (V3.03.00,
V3.03.00p01 and V3.03.00p02).
Description: The password used on version A is invalid on version B.

LSOD07718
z
Condition:
The network diagram is shown below:
PC1 and PC2 communicate with each other at Layer-3 through Switch 1.
Configure a static ARP entry that has no VLAN ID or outbound interface specified for PC2 on Switch
1. After PC1 and PC2 communicate with each other, the egress port and VLAN ID (VLAN B) of the
ARP entry are learned.
Then change the network as follows:
Remove VLAN B from Switch 1, configure VLAN B on Switch 2, and move PC2 from Switch 1 to
Switch 2.
After that, all PC1, Switch 1, Switch 2 and PC2 communicate with one another at Layer-3.
The new network is shown below:
Description: The ping operation from PC1 to PC2 fails. To solve the problem, you have to reboot
Switch 1.
December 20, 2012
Page 63 of 63
LSOD07630
z
Condition: Perform EAD authentication on a port. Before authentication, the port's PVID is V1.
During authentication, the port is assigned a VLAN ID of V2. V2 and V1 are not in the same
MSTP instance.
Description: EAD security policy authentication fails.
LSOD07571
z
Condition: The switch works together with the CAMS server to implement RADIUS authentication.
The CAMS server assigns an SSL VPN group number to the switch.
Description: RADIUS authentication fails because the switch does not support the SSL VPN
group number attribute.
LSOD07676
z
Condition: Configure the ip address dhcp-alloc command on a VLAN interface.
Description: The TTL of the DHCP Discover packet sent on the VLAN interface is 1. Because the
DHCP relay agent drops packets with TTL being 1, the DHCP Discover packet can't be
forwarded to the DHCP server.
LSOD07670
z
Condition: A port (Ethernet1/0/28, for example) receives more than 500 error packets (CRC error
packets, for example) within one minute. Shutdown the port.
Description: The switch prints the information "The link partner of Ethernet1/0/28 may be bad,
sending lots of error packets", which means the shutdown port is still receiving error packets.
LSOD07668
z
Condition: Set forced mode, such as speed 100 and duplex full, for a lot of ports of the switch.
Save the configuration and reboot the switch.
Description: The startup duration is much longer than before.
LSOD07316
z
Condition: Perform 802.1X authentication on a user through the CAMS server. Before
authentication, the VLAN ID of the receiving port is V1. After authentication, the assigned VLAN
ID is V2.
Description: On the CAMS, the user's VLAN ID is V1, not V2.
LSOD07416/LSOD07422/LSOD07420/LSOD01108
z
Condition: Perform 802.1X authentication on a user in VLAN V1. VLAN V2 is assigned. V1 and
V2 belong to different MSTP instances.
December 20, 2012
Page 64 of 64

z
Description: Authentication fails.
LSOD07375
z
Condition: Send UDP packets with destination port as 1645 or 1646 to the device.
Description: Each UDP packet causes a memory leak of 32 bytes.
LSOD07479
z
Condition: Disable and then enable STP repeatedly.
Description: The device may reboot without exception information.
LSOD07124
z
Condition: A stack serves as a DHCP relay agent. After a PC gets an IP address through the
relay agent, it sends a DHCP Inform packet to get extra information.
Description: The DHCP relay agent does not process the DHCP ACK packet from the DHCP
server correctly, and thus the PC cannot process the DHCP ACK packet.
LSOD07425
z
Condition: Execute the debugging snmp-agent detail process 0 command in hidecmd view.
The CPU usage is high (>50%). Then, use IMC software to scan the interfaces on the device.
LSOD07313
z
Condition: Swap an SFP module within 5 seconds.
Description: Use the display transceiver command to check the SFP module information, which
is updated.
LSOD07467
z
Condition: The outgoing traffic speed on port A is higher than its maximum speed.
Description: Dropped packets are not counted
LSOD07460
z
Condition: A stack is established, and the following conditions are met on a stacking device.
(1) The unit ID is not 1.

(2) The DHCP server is connected to a port of this unit, and the port is configured as a DHCPsnooping trusted port.
z
Description: A DHCP client connected to the device can't get an IP address successfully.
December 20, 2012
Page 65 of 65

LSOD07038
z
Condition: The stack serves as a DHCP relay agent. After a PC gets its IP address from a DHCP
server through the DHCP relay agent, it sends a DHCP Inform packet to the DHCP server.
Description: When the PC requests an IP address again, it has to repeat the request operation
before it gets an IP address.
LSOD07240
z
Condition: Send DHCP request packets to the switch (a DHCP relay agent) continuously and
clear clients entries from the relay agent at the same time.
Description: The switch reboots or cannot create clients entries according to DHCP requests.
LSOD07138
z
Condition: A stack has DHCP snooping enabled. A PC gets an IP address from a DHCP server
through the stack.
Description: Display DHCP client information on Unit X with the display dhcp-snooping unit X
command. The remaining lease time is always 0.
LSOD07145
z
Condition: An administrator initiates RADIUS authentication. The server assigns two

administrative privilege attributes, (Vendorid=43, Type=1) and (Vendorid=2011, Type=29).
Description: RADIUS authentication fails.
LSOD07184
z
Condition: A stacking device joins a cluster as a cluster member.
Description: A memory leak of 512 bytes occurs on the slave device per minute.
LSOD07234
z
Condition: Execute the undo cluster enable command on a stacking device that also works as a
cluster member.
Description: The cluster configuration of the master device cannot be synchronized to the salve
device.
LSOD07128
z
Condition: A stack has STP BPDU protection enabled. An STP edge port on a slave device
becomes administratively down upon receiving BPDUs.
Description: Using the display stp portdown command cannot view information about the port.
December 20, 2012
Page 66 of 66
LSOD07143
z
Condition: Port A, which is not a STP edge port, is connected to a terminal. Port A goes up.
Description: The STP status of port A in MSTI changes from discarding to forwarding directly,
without passing the learning state.
LSOD07136
z
Condition: Telnet to a device that is handling huge IUC traffic.
Description: The telnet user is hung up and the corresponding resources cannot be released.
LSOD07140
z
Condition: Two devices form a stack. Telnet to the slave device and execute the free userinterface vty command on its console port. Then, use the display users command to view the
user information on the master device.
Description: The master device reboots abnormally.
LSOD06680/LSOD07269
z
Condition: The device has the default configuration file 'config.def', but has no startup
configuration file specified.
Description: The device does not use the auto-configuration function after startup, but runs the
default configuration file 'config.def'.
ZDD01517
z
Condition: Use the AT&T network management tool to backup the configuration on the device.
Description: A memory leak of 512K bytes occurs each time a backup operation is performed.
LSOD06530
z
Condition: The network diagram is shown below: The stack acts as an FTP client. Device A in the
stack is not directly connected to the FTP server. All devices in the figure are the S4500 series.
Description: Performing FTP put operations on Device A fails.
LSOD06010
z
December 20, 2012
Page 67 of 67

z
Condition: Configure a static route with the blackhole attribute on the device, and its next hop
address is a reachable valid IP address. For example, execute the ip route-static 1.1.1.0
255.255.255.0 2.2.2.2 blackhole command.
Description: IP packets matching the blackhole route are still forwarded normally.

None

LSOD03797
z
Condition: Execute the undo shutdown or shutdown command on the combo port of a device
whose unit ID is not 1. .
Description: The output information shows that the unit ID is not correct.

LSOD03479
z
Condition: Change the sysname in the default configuration file and reboot the device (the default
configuration file is used).
Description: After startup, the new sysname does not take effect.
LSOD03115
z
Condition: Execute ? on the switch repeatedly.
Description: The usage of memory increases continuously until it gets exhausted and no
command can be executed.
LSOD02840
z
Condition: The switch acts as the SSH server. SSH packets from the SSH client are fragmented
before reaching the SSH server.
Description: The SSH connection between client and server cant be established successfully, or
SSH doesnt work after the SSH connection is established.
OLSD31930
z
Condition: Execute the display diagnostic command.
Description: display mac number in hardware and display mac hided in hardware cannot be
resolved.
OLSD31973
z
December 20, 2012
Page 68 of 68

z
Condition: Display log information on the device.
Description: Information such as msg:rtbit_set_vrf:0.0.0.0/0(n_bitsset=1) public vpn-instance

appears.

None, only new features added.

OLSD30061
z
Condition: The device receives broadcast packets destined to a subnet not directly connected.
Description: The switch processes these packets and thus extra system resources are consumed.
OLSD29599
z
Condition: Configure a sysname with a space through the web interface, for example, "4500
sysnametest".
Description: After the switch reboots, a syntax error is reported and the sysname is changed back
to the original sysname, because the sysname cannot contain any space.
OLSD30143
z
Condition: Configure and display an ACL through the web interface.
Description: An ACL rule in deny mode configured through CLI cannot be displayed on the web
interface, and you cannot configure an ACL rule in deny mode through the web interface.

Problem 1
z
Condition: No DC power is used on the switch.
Description: The switch keeps sending traps and the following information appears frequently.
%Apr 23 11:06:13:982 2000 11FL-Voice-SW2 DEV/5/DEV_LOG:- 1 Power 2 recovered
%Apr 23 11:06:15:547 2000 11FL-Voice-SW2 DEV/5/DEV_LOG:- 1 Power 2 is absent

Problem 1
z
Condition: Use FTP to download an application file to the switch that uses the Intel J3D flash, or
perform other write operations to the flash such as execute the display diagnostic-information
command.
December 20, 2012
Page 69 of 69
Description: Some errors occur and command executions fail. For example, if you download a
large file from the FTP server when there is enough space, the following prompt appears:
Local space is not enough !
System will delete the file which has been transferred, please wait...
...Error Writing Local File: not enough space!
On an S4500 device that has an Intel J3D flash installed and runs a version earlier than V3.01.00p01,
performing above-mentioned operations will fail.

First release.
Related Documentation
For the most up-to-date version of documentation:
1)
Go to http://www.3Com.com/downloads
2)
Select Documentation for Type of File and select Product Category.
Software Upgrading
The device software can be upgraded through the console port, TFTP, and FTP.
Remote Upgrading through CLI

You may upgrade the application and Boot ROM program of a device remotely through command line
interface (CLI). To this end, telnet to the device from a computer (at 10.10.110.1) running FTP server
first; and then get the application and Boot ROM program, switch.app and switch.btm for example,
from the FTP server as follows:
<Switch> ftp 10.10.110.1
Trying
Press CTRL+K to abort
Connected
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(none):lyt
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] get switch.app switch.app
[ftp] get switch.btm switch.btm
[ftp] bye
<Switch> boot bootrom switch.btm
please wait ...
Bootrom is updated!
<Switch> boot boot-loader switch.app
<Switch> display boot-loader
December 20, 2012
Page 70 of 70

The app to boot at the next time is: flash:/ switch.app
<Switch> reboot
After getting the new application file, reboot the device to validate it.
Note that if you do not have enough Flash space, upgrade the Boot ROM program first, and then
download the application file to the device.
The following sections introduce some approaches to local upgrading.
Boot Menu
Upon power-on, the switch runs the Boot ROM program first. The following information will be
displayed on the terminal:
Starting......
******************************************************************
*
*
*
Switch 4500 PWR 50-Port BOOTROM, Version 1.00
*
*
******************************************************************
Copyright (c) 2003-2005 3Com Corporation.

Creation date
: Sep 13 2005, 10:42:24
CPU type
: BCM4704
All Rights Reserved.
CPU Clock Speed : 200MHz

BUS Clock Speed : 33MHz
Memory Size
: 64MB
Mac Address
: 000fe2004500
Press Ctrl-B to enter Boot Menu... 2
After the screen displays Press Ctrl-B to enter Boot Menu..., you need to press <Ctrl+B> within 5
seconds to access the Boot menu. Otherwise, the system will start program decompression, and then
you have to reboot the switch to access the Boot menu.
The system displays:

Password :
Enter the correct password (no password is set by default) to access the Boot menu.
December 20, 2012
Page 71 of 71
Remember your Boot ROM password.
BOOT
MENU
1. Download application file to flash

2. Select application file to boot
3. Display all files in flash
4. Delete file from flash
5. Modify bootrom password
6. Enter bootrom upgrade menu
7. Skip current configuration file
8. Set bootrom password recovery
9. Set switch startup mode
0. Reboot
Enter your choice(0-9):
Software Upgrading via Console Port (Xmodem Protocol)

Step 1: Enter 6 in the Boot menu and press <Enter> to access the bootRom update menu.
Bootrom update menu:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
Step 2: Enter 3 to select the Xmodem protocol and press <Enter>. The following information appears:
Please select your download baudrate:
1. 9600
2. 19200
3. 38400
4. 57600
5. 115200
6. Exit
Enter your choice (0-5):
Step 3: Select the appropriate download baud rate. For example, enter 5 to select the download baud
rate of 115200 bps. Press <Enter> and the following information appears:
December 20, 2012
Page 72 of 72

Download baudrate is 115200 bps. Please change the terminal's baudrate to 115200 bps,
and select XMODEM protocol.
Press ENTER key when ready.
Step 4: Configure the same baud rate on the console terminal, disconnect the terminal and reconnect
it. Then, press <Enter> to start downloading. The following information appears:
Are you sure to download file to flash? Yes or No(Y/N)y
Now please start transfer file with XMODEM protocol.
If you want to exit, Press <Ctrl+X>.
Downloading ... CCCCC
After the terminal baud rate is modified, it is necessary to disconnect and then re-connect the terminal
emulation program to validate the new setting.
Step 5: Select [Transfer\Send File] from the terminal window. Click <Browse> in the pop-up window
and select the software to be downloaded. Select Xmodem from the Protocol drop down list.
Figure 1 Send File

Step 6: Click <Send> and the following window appears.
December 20, 2012
Page 73 of 73
Figure 2 Xmodem File Send

Step 7: After downloading completes, the following information appears:
Loading ...CCCCCCCCCC done!
Using TFTP Through an Ethernet Interface

1) Introduction to TFTP
The Trivial File Transfer Protocol (TFTP) employs UDP to provide unreliable data transfer service.
2) Upgrade procedure
Step 1: Connect an Ethernet interface of the switch to the PC where the program files are located,
and connect the console port of the switch to the same PC.
Step 2: Run the TFTP server program on the PC, and put the program files into a file directory.
Switch 4500 series are not shipped with the TFTP server program.
Step 3: Run the terminal emulation program on the PC, and start the switch, to access the Boot menu.
Step 4: Enter 1 in the Boot menu, and press <Enter> to enter the following menu.
Please set application file download protocol parameter:
Enter your choice(0-3):1
December 20, 2012
Page 74 of 74
Step 5: Enter 1 to use TFTP, and press <Enter>. The following information appears:
Load File name
Switch IP address
(This address and the server IP address must be on the same network
segment)
Server IP address
(IP address of the PC where the file is stored)
Step 6: Input correct information and press <Enter>. The following information appears:
Are you sure to download file to flash? Yes or No(Y/N)
Step 7: Enter Y to start downloading the files. Enter N to return to the Boot menu. Take entering Y as
an example. Enter Y and press <Enter>, the system begins downloading programs. After downloading
completes, the system starts writing the programs to the flash. Upon completion of this operation, the
screen displays the following information to indicate that the downloading is completed:
Loading ........................................................done!
Writing to flash................................................done!
Using FTP Through an Ethernet Interface

1) Introduction to FTP
The 4500 can serve as an FTP server or client. In the following example, the 4500 serves as an FTP
client.
2) Upgrade procedure
Step 1: Connect an Ethernet interface of the 4800G to the PC where the program files are located,
and connect the console port of the switch to the same PC.
Step 2: Run the FTP server program on the PC, and put the program files into a file directory.
Step 3: Run the terminal emulation program on the PC, and start the switch to access the Boot menu.
Step 4: Enter 1 in the Boot menu and press <Enter> to access the following menu.
Please set application file download protocol parameter:
Enter your choice(0-3):2
Step 5: Enter 2 to select FTP and press <Enter>. The following information appears:
Please modify your FTP protocol parameter:
Load File name
Switch IP address
Server IP address
FTP User Name
FTP User Password
Step 6: Input correct information and press <Enter>. The following information appears:
Are you sure to download file to flash? Yes or No(Y/N):
December 20, 2012
Page 75 of 75
Step 7: Enter Y to start downloading the files. Enter N to return to the Boot menu. Take the first case
as an example. Enter Y and press <Enter>, and the system begins downloading programs. After
downloading completes, the system starts writing the programs into the flash. Upon completion of this
operation, the screen displays the following information to indicate that the downloading is completed:
Loading ........................................................done!
Writing to flash................................................done!
Appendix
Details of Added or Modified CLI Commands in V3.03.02p06
dot1x unicast-trigger
Syntax
dot1x unicast-trigger
undo dot1x unicast-trigger
View
Ethernet interface view
Default Level
2: System level
Parameters
None
Description
Use the dot1x unicast-trigger command to enable the unicast trigger function of 802.1X on a port.
Use the undo dot1x unicast-trigger command to disable this function.
By default, the unicast trigger function is disabled.

mac-authentication timer offline-detect
Syntax
mac-authentication timer offline-detect offline-detect-value
undo mac-authentication timer offline-detect
December 20, 2012
Page 76 of 76
View
System view, Ethernet port view
Parameters
offline-detect-value: Offline detect timer, which specifies the idle timeout interval (in seconds) for users.
At this interval, the switch checks whether there is traffic from each user. If receiving no traffic from a
user within two consecutive intervals, the switch logs the user out and notifies the RADIUS server.
The value range for the offline-detect-value argument is 0 to 3000000. The default is 300 seconds.
Description
Use the mac-authentication timer offline-detect command to set the offline detect timer for MAC
authentication.
Use the undo mac-authentication timer offline-detect command to restore the default.
Note that:
z
The offline detect timer configured in system view applies to all MAC authentication-enabled
ports.
The offline detect timer configured in Ethernet port view applies to the current port only. You can
set the offline detect timer to different values on different Ethernet ports.
The offline detect timer configured in Ethernet port view takes precedence over the one
configured in system view.
If the offline-detect-value argument takes the value of 0, the offline detect timer is disabled.
bpdu-drop any
Syntax
bpdu-drop any
undo bpdu-drop any
View
Ethernet port view
Parameters
None
Description
Use the bpdu-drop any command to enable BPDU dropping on the Ethernet port.
Use the undo bpdu-drop any command to disable BPDU dropping on the Ethernet port.
By default, BPDU dropping is disabled.
December 20, 2012
Page 77 of 77

voice vlan lldp
Syntax
voice vlan lldp
undo voice vlan lldp
View
Ethernet port view
Parameters
None
Description
Use the voice vlan lldp command to enable automatic discovery of IP phones using LLDP on the
Ethernet port.
Use the undo voice vlan lldp command to disable automatic discovery of IP phones using LLDP on
the Ethernet port.
By default, automatic discovery of IP phones using LLDP is disabled on ports.
Examples
# Enable automatic discovery of IP phones using LLDP on Ethernet 1/0/1.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] voice vlan lldp
display link-delay
Syntax
display link-delay
View
Any view
Parameters
None
December 20, 2012
Page 78 of 78
Description
Use the display link-delay command to display information about ports configured with link state
change suppression, including the port name and the configured timer.
Related commands: link-delay, link-delay up, and link-delay updown.
Examples
# Display information about ports configured with link state change suppression.
<H3C>display link-delay
Interface
Up Delay Time
Down Delay Time
====================== ============== ==============

Ethernet1/0/1
Ethernet1/0/2
Ethernet1/0/3
link-delay
Syntax
link-delay delay-time
undo link-delay
View
Ethernet port view
Parameters
delay-time: Link down suppression interval (in seconds), which ranges from 2 to 10.
Description
Use the link-delay command to enable physical link state change suppression and set the link down
suppression timer. When the physical link of the port goes down, the port starts the timer and does
not report link state changes to the system within the timer interval.
Use the undo link-delay command to disable link state change suppression.
By default, link state change suppression is disabled.
Examples
# Enable link down suppression on port Ethernet 1/0/5, and set the link down suppression interval to
8 seconds.
Enter system view, return to user view with Ctrl+Z.
[Sysname-Ethernet1/0/5] link-delay 8
December 20, 2012
Page 79 of 79
link-delay up
Syntax
link-delay up delay-time
undo link-delay
View
Ethernet port view
Parameters
delay-time: Link up suppression interval (in seconds), which ranges from 2 to 10.
Description
Use the link-delay up command to enable physical link state change suppression and set the link up
suppression timer. When the physical link of the port goes up, the port starts the timer and does not
report link state changes to the system within the timer interval.
Examples
# Enable link up suppression on port Ethernet 1/0/5, and set the link up suppression interval to 8
seconds.
[Sysname-Ethernet1/0/5] link-delay up 8
link-delay updown
Syntax
link-delay updown delay-time
undo link-delay
View
Ethernet port view
Parameters
delay-time: Link state change suppression interval (in seconds), which ranges from 2 to 10.
December 20, 2012
Page 80 of 80
Description
Use the link-delay updown command to enable physical link state change suppression and set the
link up-down suppression timer. When the physical link of the port goes down or goes up, the port
starts the timer and does not report link state changes to the system within the timer interval.
Examples
# Enable link state change suppression on port Ethernet 1/0/5, and set the link up-down suppression
interval to 8 seconds.
[Sysname-Ethernet1/0/5] link-delay updown 8

mac-address station-move quick-notify
Syntax
mac-address station-move quick-notify enable
undo mac-address station-move quick-notify enable
View
System view
Parameters
None
Description
Use the mac-address station-move quick-notify enable command to enable ARP quick update.
Use the undo mac-address station-move quick-notify enable command to restore the default.
By default, ARP quick update is disabled.
Examples
# Enable ARP quick update.
[Sysname] mac-address station-move quick-notify enable
December 20, 2012
Page 81 of 81
arp rate-limit enable noshut

Syntax
arp rate-limit enable [ noshut ]
undo arp rate-limit enable
View
System view
Parameters
noshut: Does not shut down the port.
Description
Use the arp rate-limit enable command to enable ARP packet rate limit on the port.
Use the undo arp rate-limit enable command to disable ARP packet rate limit on the port.
By default, ARP packet rate limit is disabled, and ARP packet rate is not limited on a port.
Without the noshut keyword, this command enables the switch to shut down the port when the
maximum rate is reached.
With the noshut keyword, this command enables the switch to discard incoming ARP packets
received on the port when the maximum rate is reached.
Note
We recommend you to set a small value for the maximum rate with command arp rate-limit rate.
dot1x auth-fail-retry
Syntax
dot1x auth-fail-retry retry-value
undo dot1x auth-fail-retry
View
System view
Parameters
retry-value: For the MAC-Authenticated users that are online, specifies the maximum number of
attempts because of having failed 802.1X authentication, in the range of 0 to 50.
December 20, 2012
Page 82 of 82
Description
Use the dot1x auth-fail-retry command to set the maximum number of attempts because of having
failed 802.1X authentication, for the MAC-Authenticated users that are online. The default maximum
number of attempts is 5.
Use the undo dot1x auth-fail-retry command to restore the default.
Examples
# Set the maximum number of attempts because of having failed 802.1X authentication as 3.
[Sysname] dot1x auth-fail-retry 3
Unless otherwise stated, all passwords and keys, including those configured in plaintext, are stored in
encrypted form for security purposes .
Modified command: bims-server

Old syntax
bims-server ip ip-address [ port port-number ] sharekey key
New syntax
bims-server ip ip-address [ port port-number ] sharekey [ cipher | simple ] key
Views
DHCP address pool view
Parameters
ip ip-address: Specifies the IP address of the BIMS server.
port port-number: Specifies the port number of the BIMS server, in the range of 1 to 65534.
cipher: Sets a ciphertext key.
simple: Sets a plaintext key.
key: Specifies the key string. This argument is case sensitive. If simple is specified, it must be a string
of 1 to 16 characters. If cipher is specified, it must be a ciphertext string of 1 to 53 characters. If
neither cipher nor simple is specified, you set a plaintext key string.
December 20, 2012
Page 83 of 83
Change description
Before modification: The cipher and simple keywords are not supported. The key you enter must be a
plaintext string of 1 to 16 characters.
After modification: You can enter a key in encrypted form or plaintext form.
Modified command: dhcp server bims-server

Old syntax
dhcp server bims-server ip ip-address [ port port-number ] sharekey key { interface interface-type
interface-number [ to interface-type interface-number ] | all }
New syntax
dhcp server bims-server ip ip-address [ port port-number ] sharekey [ cipher | simple ] key { interface
interface-type interface-number [ to interface-type interface-number ] | all }
Views
System view
Parameters
ip ip-address: Specifies the IP address of the BIMS server.
port port-number: Specifies the port number of the BIMS server, in the range of 1 to 65534.
key: Specifies the key string. This argument is case sensitive. If simple is specified, it must be a string
of 1 to 16 characters. If cipher is specified, it must be a ciphertext string of 1 to 53 characters. If
interface interface-type interface-number [ to interface-type interface-number ]: Specifies an interface
range. The interface-type interface-number arguments specify an interface by its type and number.
all: Specifies all interfaces.
Change description
December 20, 2012
Page 84 of 84
Modified command: dldp authentication-mode

Old syntax
dldp authentication-mode { none | simple simple-password | md5 md5-password }
New syntax
dldp authentication-mode { none | { simple | md5 } password }
Views
System view
Parameters
none: Specifies not to perform authentication.
simple: Specifies the simple authentication mode and sets a plaintext or ciphertext password.
md5: Specifies the MD5 authentication mode and sets a plaintext or ciphertext password.
password: Sets the password. This argument is case sensitive. It must be a plaintext string of 1 to 16
characters, or a ciphertext string of 33 to 53 characters.
Change description
z
For simple authentication, you can set only a plaintext password of 1 to 16 characters.
For MD5 authentication, you can set a plaintext or ciphertext password. A plaintext password
comprises 1 to 16 characters, and a ciphertext password is a ciphertext string corresponding
to the plaintext password.
After modification: Both simple authentication and MD5 authentication support plaintext or ciphertext
passwords. A plaintext password is a string of 1 to 16 characters, and a ciphertext password is a
string of 33 to 53 characters.
Modified command: xrn-fabric authentication-mode

Syntax
xrn-fabric authentication-mode { md5 key | simple password }
Views
System view
Parameters
md5: Specifies the MD5 authentication mode.
December 20, 2012
Page 85 of 85
key: Specifies an MD5 authentication key. You can enter the key in plaintext form or encrypted form.
In plaintext form, it must be a case-sensitive string of 1 to 16 characters. In encrypted form, it must be
a case-sensitive string of 24 characters. For security purposes, the plaintext form of the MD5
authentication key is encrypted before being stored.
simple: Specifies the simple authentication mode.
password: Specifies a password in plaintext form, a case-sensitive string of 1 to 16 characters. The
password is stored in plaintext form. This password storing strategy will not create security risks,
because the password is only useful for member chassis in the XRN fabric.
Change description
Before modification: You can enter the MD5 authentication key only in plaintext form.
After modification: MD5 authentication key can be entered in plaintext form or encrypted form.
Modified command: key (HWTACACS scheme view)

Old syntax
key { accounting | authentication | authorization } string
New syntax
key { accounting | authentication | authorization } [ cipher | simple ] string
Views
HWTACACS scheme view
Parameters
accounting: Sets the key for secure HWTACACS accounting communication.
authentication: Sets the key for secure HWTACACS authentication communication.
authorization: Sets the key for secure HWTACACS authorization communication.
string: Specifies the key string. This argument is case sensitive. If simple is specified, it must be a
string of 1 to 16 characters. If cipher is specified, it must be a ciphertext string of 1 to 117 characters.
If neither cipher nor simple is specified, you set a plaintext key string.
Change description
Before modification: The cipher and simple keywords are not supported. The key for securing
HWTACACS authentication, authorization, or accounting communication must be a plaintext string of
1 to 16 characters.
December 20, 2012
Page 86 of 86
After modification: You can set a key in encrypted form or plaintext form to secure HWTACACS
authentication, authorization, or accounting communication.
Modified command: key (RADIUS scheme view)

Old syntax
key { accounting | authentication } string
New syntax
key { accounting | authentication } [ cipher | simple ] string
Views
RADIUS scheme view
Parameters
accounting: Sets the key for secure RADIUS accounting communication.
authentication: Sets the key for secure RADIUS authentication/authorization communication.
string: Specifies the key string. This argument is case sensitive. If simple is specified, it must be a
string of 1 to 16 characters. If cipher is specified, it must be a ciphertext string of 1 to 53 characters. If
Change description
Before modification: The cipher and simple keywords are not supported. The key for securing RADIUS
authentication/authorization or accounting communication must be a plaintext string of 1 to 16
characters.
After modification: You can set a key in encrypted form or plaintext form to secure RADIUS
authentication/authorization or accounting communication.
Modified command: local-server nas-ip

Old syntax
local-server nas-ip ip-address key password
New syntax
local-server nas-ip ip-address key [ cipher | simple ] password
December 20, 2012
Page 87 of 87
Views
System view
Parameters
nas-ip ip-address: Specifies the IP address of the network access server through which users can
access the local RADIUS authentication/authorization server. The IP address must be in dotted
decimal notation.
key [ simple | cipher ] password: Sets the key to share between the local RADIUS
authentication/authorization server and the network access server.
z
password: Specifies the key string. This argument is case sensitive. If simple is specified, it
must be a string of 1 to 16 characters. If cipher is specified, it must be a ciphertext string of 1
to 53 characters. If neither cipher nor simple is specified, you set a plaintext key string.
Change description
Before modification: The cipher and simple keywords are not supported. The key to share between
the local RADIUS authentication/authorization server and the network access server must be a
After modification: You can set a key in encrypted form or plaintext form to share between the local
RADIUS authentication/authorization server and the network access server.
Modified command: mac-authentication authmode usernameasmacaddress

Old syntax
mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | withouthyphen } { lowercase | uppercase } | fixedpassword password ]
New syntax
mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | withouthyphen } { lowercase | uppercase } | fixedpassword [ cipher | simple ] password ]
Views
System view
Parameters
usernameformat: Specifies the username and password input format for MAC-based accounts.
with-hyphen: Uses the hyphenated MAC address of a user, such as 00-05-e0-1c-02-e3, as the
username and password for MAC authentication of the user.
December 20, 2012
Page 88 of 88
without-hyphen: Uses the unhyphenated MAC address of a user, such as 0005e01c02e3, as the
username and password for MAC authentication of the user.
lowercase: Enters letters of the MAC address in lower case.
uppercase: Enters letters of the MAC address in upper case.
fixedpassword [ simple | cipher ] password: Uses a fixed password, instead of user MAC addresses,
for MAC authentication users.
z
cipher: Sets a ciphertext password.
simple: Sets a plaintext password.
password: Specifies the password string. This argument is case sensitive. If simple is
specified, it must be a string of 1 to 63 characters. If cipher is specified, it must be a ciphertext
string of 1 to 117 characters. If neither cipher nor simple is specified, you set a plaintext
password.
Change description
Before modification: The cipher and simple keywords are not supported. The password you enter
must be a plaintext string.
After modification: You can enter a password in encrypted form or plaintext form.
Modified command: mac-authentication authpassword

Old syntax
mac-authentication authpassword password
New syntax
mac-authentication authpassword [ cipher | simple ] password
Views
System view
Parameters
[ cipher | simple ] password: Sets the password of the shared account for MAC authentication users.
z
password: Specifies the password string. This argument is case sensitive. If simple is
specified, it must be a string of 1 to 63 characters. If cipher is specified, it must be a ciphertext
string of 1 to 117 characters. If neither cipher nor simple is specified, you set a plaintext
password.
December 20, 2012
Page 89 of 89
Change description
Before modification: The cipher and simple keywords are not supported. The password you enter
must be a plaintext string.
After modification: You can enter a password in encrypted form or plaintext form.
Modified command: ntp-service authentication-keyid

Old syntax
ntp-service authentication-keyid keyid authentication-mode md5 value
New syntax
ntp-service authentication-keyid keyid authentication-mode md5 [ cipher | simple ] value
Views
System view
Parameters
keyid: Specifies a key ID in the range of 10 to 4294967295.
value: Specifies the key string. This argument is case sensitive. If simple is specified, it must be a
string of 1 to 32 characters. If cipher is specified, it must be a ciphertext string of 1 to 73 characters. If
Change description
Modified command: password (Remote-ping test group view)

Old syntax
password password
New syntax
password [ cipher | simple ] password
December 20, 2012
Page 90 of 90
Views
Remote-ping test group view
Parameters
cipher: Sets a ciphertext FTP password.
simple: Sets a plaintext FTP password.
password: Specifies the password string. This argument is case sensitive. If simple is specified, it
must be a string of 1 to 32 characters. If cipher is specified, it must be a ciphertext string of 1 to 73
characters. If neither cipher nor simple is specified, you set a plaintext password string.
Change description
Before modification: The cipher and simple keywords are not supported. The FTP password must be a
After modification: You can set an FTP password in encrypted form or plaintext form.
Modified command: password (local user view)

Syntax
password [ { cipher | simple } password ]
Views
Local user view
Parameters
password: Specifies the password string. This argument is case sensitive.
z
If simple is specified, it is a plaintext string of 1 to 63 characters.
If cipher is specified, it is a string of 1 to 117 characters. If you specify a password of 1 to 63

characters and the system can decrypt the password, the system considers that you have
specified a ciphertext password. If you specify a password of 1 to 63 characters but the
system cannot decrypt the password, the system considers that you have specified a plaintext
password. A password comprising 64 to 117 characters is always considered a ciphertext
password.
Change description
Before modification: If cipher is specified, you can set an 88-character password or a password of 1 to
63 characters.
December 20, 2012
Page 91 of 91
After modification: If cipher is specified, you can set a password of 1 to 117 characters.
Modified command: rip authentication-mode

Old syntax
rip authentication-mode { md5 { rfc2082 key-string key-id | rfc2453 key-string } | simple password }
New syntax
rip authentication-mode { md5 { rfc2082 [ cipher ] key-string key-id | rfc2453 [ cipher ] key-string } |
simple [ cipher ] password }
Views
Interface view
Parameters
md5: Specifies the MD5 authentication mode.
rfc2082: Uses the message format defined in RFC 2082.
cipher: Sets a ciphertext authentication key or password. If this keyword is not specified, you set a
plaintext authentication key or password.
key-string: Specifies the MD5 key string. This argument is case sensitive. It must be a plaintext string
of 1 to 16 characters, or a ciphertext string of 33 to 53 characters.
key-id: Specifies the MD5 key number, in the range of 1 to 255.
rfc2453: Uses the message format defined in RFC 2453 (IETF standard).
simple: Specifies the simple authentication mode.
password: Sets the password in simple authentication mode. This argument is case sensitive. It must
be a plaintext string of 1 to 16 characters, or a ciphertext string of 33 to 53 characters.
Change description
z
For simple authentication, you can set only a plaintext password.
For MD5 authentication, the ciphertext password you set must comprise 24 characters.
After modification:
z
For simple authentication, the cipher keyword is added, which means you can set a ciphertext
password.
For MD5 authentication, the ciphertext password you set can comprise 33 to 53 characters.
December 20, 2012
Page 92 of 92
Modified command: set authentication password

Syntax
set authentication password { simple | cipher } password
Views
User interface view
Parameters
key: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a
plaintext string of 1 to 16 characters. If cipher is specified, it can be a plaintext string of 1 to 16
characters or a ciphertext string of 17 to 53 characters.
Change description
Before modification: When you specify the cipher keyword, you can enter a string of 1 to 16
characters or a string of 24 characters as the password.
After modification: When you specify the cipher keyword, you can enter a string of 1 to 53 characters
as the password.
Modified command: snmp-agent usm-user v3

Syntax
snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } authpassword [ privacy-mode { aes128 | des56 } priv-password ] ] [ acl acl-number ]
Views
System view
Parameters
user-name: Specifies a username, a case-sensitive string of 1 to 32 characters.
group-name: Specifies a group name, a case-sensitive string of 1 to 32 characters.
cipher: Specifies that auth-password and priv-password are encrypted keys, which can be calculated
to a hexadecimal string by using the snmp-agent calculate-password command. If this keyword is not
specified, auth-password and priv-password are plaintext keys.
authentication-mode: Specifies an authentication algorithm. MD5 is faster but less secure than SHA.
For more information about these algorithms, see Security Configuration Guide.
December 20, 2012
Page 93 of 93

z
md5: Specifies the MD5 authentication algorithm.
sha: Specifies the SHA-1 authentication algorithm.
auth-password: Specifies a case-sensitive plaintext or encrypted authentication key. A plaintext key is

a string of 1 to 64 visible characters. If the cipher keyword is specified, the encrypted authentication
key length requirements differ by authentication algorithm and key string format, as shown in Table 8.
Table 8 Encrypted authentication key length requirements
Authentication algorithm
Hexadecimal string
Non-hexadecimal string
MD5
32 characters
53 characters
SHA
40 characters
57 characters
privacy-mode: Specifies an encryption algorithm for privacy. The three encryption algorithms AES,
3DES, and DES are in descending order of security. Higher security means more complex
implementation mechanism and lower speed. DES is enough to meet general requirements.
z
des56: Specifies the DES algorithm.
aes128: Specifies the AES algorithm.
priv-password: Specifies a case-sensitive plaintext or encrypted privacy key. A plaintext key is a string
of 1 to 64 characters. If the cipher keyword is specified, the encrypted privacy key length
requirements differ by authentication algorithm and key string format, as shown in Table 9.
Table 9 Encrypted privacy key length requirements
Authentication
algorithm
Encryption
algorithm
Hexadecimal string
Non-hexadecimal string
MD5
AES128 or DES56
32 characters
53 characters
SHA
AES128 or DES56
40 characters
53 characters
acl acl-number: Specifies a basic ACL to filter NMSs by source IPv4 address. The acl-number
argument represents a basic ACL number in the range of 2000 to 2999. Only the NMSs with the IPv4
addresses permitted in the ACL can use the specified username to access the SNMP agent.
local: Represents a local SNMP entity user.
engineid engineid-string: Specifies an SNMP engine ID as a hexadecimal string. The engineid-string
argument must comprise an even number of hexadecimal characters, in the range of 10 to 64. Allzero and all-F strings are invalid.
Change description
Before modification: Only authentication and privacy keys in hexadecimal format are supported.
After modification: Both hexadecimal and non-hexadecimal format authentication and privacy keys
are supported.
z
For encrypted authentication key length requirements, see Table 8.
December 20, 2012
Page 94 of 94

z
For encrypted privacy key length requirements, see Table 9.
Modified command: super password

Syntax
super password [ level user-level ] { cipher | simple } password
Views
System view
Parameters
level user-level: Specifies a user privilege level in the range of 1 to 3. The default is 3.
key: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a
plaintext string of 1 to 16 characters. If cipher is specified, it can be a plaintext string of 1 to 16
characters or a ciphertext string of 17 to 53 characters.
Change description
Before modification: When you specify the cipher keyword, you can enter a string of 1 to 16
characters or a string of 24 characters as the password.
After modification: When you specify the cipher keyword, you can enter a string of 1 to 53 characters
as the password.
December 20, 2012
Page 95 of 95

3COM

Cargado por

Información del documento

Descripción original:

Derechos de autor

Formatos disponibles

Compartir este documento

Compartir o incrustar documentos

Opciones para compartir

¿Le pareció útil este documento?

¿Este contenido es inapropiado?

Copyright:

Formatos disponibles

3COM

Cargado por

Copyright:

Formatos disponibles

Switch 4500 V3.03.

02p21 Release Notes

Access Control List

Command line interface

Dynamic Host Configuration Protocol

File Transfer Protocol

Generic Attribute Registration Protocol

GARP VLAN Registration Protocol

Hypertext Transfer Protocol

Internet Control Message Protocol

Internet Group Management Protocol

Link Aggregation Control Protocol

Management Information Base

Multiple Spanning Tree Protocol

Neighbor Discovery Protocol

Net Time Protocol

Remote Authentication Dial-In User Service

Rapid Spanning Tree Protocol

Simple Network Management Protocol

Spanning Tree Protocol

December 20, 2012

Trivial File Transfer Protocol

User Datagram Protocol

Virtual Local Area Network

3Com Network Director

December 20, 2012

3COM OS Switch 4500 V3.03.02p21 Release Notes

3COM OS Switch 4500 V3.03.02p21 Release Notes

Resolved Problems in V3.03.02p03 54

3COM OS Switch 4500 V3.03.02p21 Release Notes

Modified command: local-server nas-ip 87

December 20, 2012

3COM OS Switch 4500 V3.03.02p21 Release Notes

December 20, 2012

3COM OS Switch 4500 V3.03.02p21 Release Notes

From the version, only

December 20, 2012

3COM OS Switch 4500 V3.03.02p21 Release Notes

Hardware and Software Compatibility Matrix

Switch 4500 Series

26-Port/50-Port/26-Port PWR/50-Port PWR

Boot ROM version

Version 4.06 (Note: It is required to use V1.00 or later, but V4.06 is

iMC PLAT 5.1 SP1(E0202P05)

3COM OS Switch 4500 V3.03.02p21 Release Notes

Switch 4500 26-Port with 1 MIPS Processor

bytes Flash Memory

Config Register points to FLASH

CPLD Version is CPLD 003

[Subslot 0] 24 FE + 4 GE Hardware Version is 00.00.00

Restrictions and Cautions

Silicon behavior: IP packets with the Options field cannot be forwarded.

December 20, 2012

3COM OS Switch 4500 V3.03.02p21 Release Notes

43.6mm 440mm 260mm (1.72 17.32 10.24 in.) (devices without

Weight (full configuration)

3.5Kg (7.72 lb.) (26-port devices without PWR)

40 W (26-port devices without PWR)

0C to 45C (32F to 113F)

3COM OS Switch 4500 V3.03.02p21 Release Notes

Supports up to 8 aggregation groups, each of which supports up to 8 FE

Supports bandwidth ratio- and rate-based suppression modes on ports.

Supports port-based VLANs, and up to 256 IEEE 802.1Q-compliant