Documentos de Académico
Documentos de Profesional
Documentos de Cultura
Full spelling
ACL
CLI
DHCP
FTP
GARP
GVRP
HTTP
ICMP
IGMP
IP
Internet Protocol
LACP
MIB
MSTP
NDP
NTP
QOS
Quality of Service
RADIUS
RMON
Remote Monitoring
RSTP
SNMP
SP
Strict Priority
SSH
Secure Shell
STP
Page 1 of 1
Abbreviations
Full spelling
TFTP
UDP
VLAN
3ND
Page 2 of 2
Table of Contents
Version Information 7
Version Number 7
Version History 7
Hardware and Software Compatibility Matrix 8
Restrictions and Cautions 9
Feature List 10
Hardware Features 10
Software Features 10
Version Updates 12
Feature Updates 12
Command Line Updates 17
MIB Updates 31
Configuration Changes 33
V3.03.02p21 Operation Changes 33
V3.03.02p20 Operation Changes 33
V3.03.02p19 Operation Changes 34
V3.03.02p15 Operation Changes 34
V3.03.02p11 Operation Changes 34
V3.03.02p09 Operation Changes 35
V3.03.02p06 Operation Changes 35
V3.03.02p05 Operation Changes 35
V3.03.02p04 Operation Changes 36
V3.03.02p03 Operation Changes 36
V3.03.02p01 Operation Changes 37
V3.03.02 Operation Changes 37
V3.03.00p03 Operation Changes 37
V3.03.00p01 Operation Changes 38
V3.03.00 Operation Changes 38
Open Problems and Workarounds 38
List of Resolved Problems 39
Resolved Problems in V3.03.02p21 39
Resolved Problems in V3.03.02p20 39
Resolved Problems in V3.03.02p19 39
Resolved Problems in V3.03.02p15 43
Resolved Problems in V3.03.02p11 45
Resolved Problems in V3.03.02p09 46
Resolved Problems in V3.03.02p06 49
Resolved Problems in V3.03.02p05 51
Resolved Problems in V3.03.02p04 52
December 20, 2012
Page 3 of 3
Page 4 of 4
Page 5 of 5
List of Tables
Table 1 Version history .............................................................................................................................. 7
Table 2 Compatibility matrix....................................................................................................................... 8
Table 3 Hardware features ...................................................................................................................... 10
Table 4 Software features ........................................................................................................................ 10
Table 5 Feature updates .......................................................................................................................... 12
Table 6 Command line updates ............................................................................................................... 17
Table 7 MIB updates ................................................................................................................................ 31
Table 8 Encrypted authentication key length requirements ..................................................................... 94
Table 9 Encrypted privacy key length requirements ................................................................................ 94
Page 6 of 6
Version Information
Version Number
Version Information: 3Com OS V3.03.02s168p21
Note: To view version information, use the display version command in any view. See Note.
Version History
Table 1 Version history
Version number
Last version
Release Date
Remarks
V3.03.02s168p21
V3.03.02s168p20
2012-12-14
None
V3.03.02s168p20
V3.03.02s168p19
2012-10-18
None
V3.03.02s168p19
V3.03.02s168p15
2012-06-19
None
V3.03.02s168p15
V3.03.02s168p11
2010-12-15
None
V3.03.02s168p11
V3.03.02s168p09
2010-06-21
None
V3.03.02s168p09
V3.03.02s168p06
2010-04-23
V3.03.02s56p06
V3.03.02s56p05
2009-12-23
None
V3.03.02s168p06
V3.03.02s168p05
V3.03.02s56p05
V3.03.02s56p04
2009-10-14
None
V3.03.02s168p05
V3.03.02s168p04
V3.03.02s56p04
V3.03.02s56p03
2009-08-19
None
V3.03.02s168p04
V3.03.02s168p03
V3.03.02s56p03
V3.03.02s56p01
2009-06-19
None
V3.03.02s168p03
V3.03.02s168p01
V3.03.02s56p01
V3.03.02s56
2009-02-23
features
V3.03.02s168p01
V3.03.02s168
New
released
V3.03.02s56
V3.03.00s56p03
2008-10-31
features
V3.03.02s168
V3.03.00s168p03
New
released
V3.03.00s56p03
V3.03.00s56p02
2008-09-25
None
V3.03.00s168p03
V3.03.00s168p02
V3.03.00s56p02
V3.03.00s56p01
2008-06-16
None
V3.03.00s168p02
V3.03.00s168p01
V3.03.00s56p01
V3.03.00s56
2008-03-20
None
V3.03.00s168p01
V3.03.00s168
Page 7 of 7
Version number
Last version
V3.03.00s56
V3.02.00s56p02
V3.03.00s168
V3.02.00s168p02
V3.02.00s56p02
V3.02.00s56p01
V3.02.00s168p02
V3.02.00s168p01
V3.02.00s56p01
V3.02.00s56
V3.02.00s168p01
V3.02.00s168
V3.02.00s56
V3.01.00s56p03
V3.02.00s168
V3.01.00s168p03
V3.01.00s56p03
V3.01.00s56p02
V3.01.00s168p03
V3.01.00s168p02
V3.01.00s56p02
V3.01.00s56p01
V3.01.00s168p02
V3.01.00s168p01
V3.01.00s56p01
V3.01.00s56
V3.01.00s168p01
V3.01.00s168
V3.01.00s56
First release
Release Date
Remarks
2008-02-29
First
release
V3.03.xx
2007-07-20
None
2007-06-30
None
2007-01-17
New
released
2006-09-21
None
2006-06-13
None
2006-01-09
None
2005-10-27
First release
of
features
V3.01.00s168
Specifications
Product family
Hardware platform
Minimum memory
requirements
64 MB
Minimum Flash
requirements
8 MB
Host software
s3n03_03_02s168p21.app
iMC version
iNode version
December 20, 2012
iNode PC 5.1(E0304)
Page 8 of 8
Item
Specifications
Web version
5.01
Remarks
None
When a switch with a new version flash runs V3.01.00, using FTP to upload an application file to
the switch, or performing write operations on the flash of the switch such as executing the
display diagnostic-information command often fails. V3.01.00p01 and later have solved this
problem.
A device running boot ROM V1.00 may get out of power during startup, which may cause the
loss of the application file. You are recommended to upgrade the boot ROM version to V1.01 to
solve this problem.
<4500>display version
3Com Corporation
Switch 4500 26-Port Software Version 3Com OS V3.xx.xx ------- Note
Copyright (c) 2004-2008 3Com Corporation and its licensors, All rights reserved.
Switch 4500 26-Port uptime is 0 week, 0 day, 0 hour, 0 minute
bytes DRAM
8196K
--------
Note
For storm suppression, use the pps mode because the ratio mode is not suitable for long frames.
2)
The forwarding capability of some ports cannot reach the wire speed when the switch works as a
stacking device.
3)
4)
After an ARP entry is aged out from the software, it is not removed from the hardware
immediately. Since then, if the ARP entry is not updated within an hour, it is removed from the
hardware.
5)
After upgrading the software of a NTP-configured stacking device from a version between
V3.03.00 and V3.03.00p03 to V3.03.02 or later, you need to remove the existing NTP
configuration and reconfigure it.
Page 9 of 9
6)
A version prior to V3.03.02p21 might not support the cipher and simple keywords or use a
different password encryption algorithm than V3.03.02p21 or a later version. If you downgrade
the software from V3.03.02p21 or a later version to a version prior to V3.03.02p21, or upgrade it
to V3.03.02p21 or a later version and roll it back after saving the configuration file, the relevant
configuration commands might get lost or the passwords might become invalid. For more
information, see the change descriptions for the commands.
Feature List
Hardware Features
Table 3 Hardware features
Category
Description
Dimensions (H W D)
Maximum
consumption
power
Input voltage
AC:
Rated voltage range: 100 VAC to 240 VAC (50Hz to 60Hz)
Max voltage range: 90 VAC to 264 VAC (50Hz to 60Hz)
DC:
Rated voltage range: 48 VDC to 60 VDC
Max voltage range: 72 VDC to 36 VDC
Operating temperature
Operating humidity
10% to 90%
Software Features
Table 4 Software features
Features
Port auto-negotiation
December 20, 2012
Description
Supports both speed and duplex mode auto-negotiation.
Page 10 of 10
Features
Description
Flow control
Supports IEEE 802.3x-compliant flow control for full-duplex, and backpressure based flow control for half-duplex.
Link aggregation
Port internal/external
loopback test
The port internal loopback test detects the connectivity between switch
chips and PHY chips. The port external loopback test detects the
connectivity between PHY chips and network interfaces with the help of
the self-loop header. The two tests used together can determine whether
a fault is a switch fault or a link fault.
Combo ports
Unicast, multicast and
broadcast suppression
VLAN
RSTP
802.1X authentication
Supports PEAP/EAP/TLS/TTLS.
The main purpose of IEEE 802.1X is to implement authentication for
wireless LAN users, but its application in IEEE 802 LANs provides a
method of authenticating LAN users.
SSHv2
Voice VLAN
The voice VLAN feature adds ports into voice VLANs by identifying the
source MAC addresses of packets. It automatically assigns higher priority
for voice traffic to ensure voice quality. This feature supports two
application modes: manual and automatic.
ARP
IP routing
IGMP Snooping
Page 11 of 11
Features
Description
QoS
Bandwidth management;
flow control with 64 bps granularity;
8 sending queues per port;
Traffic classification;
Traffic rate limit;
Port mirroring, which supports only one source mirroring port.
Remote authentication
FTP, TFTP
System configuration
and management
Network maintenance
Fast startup
Version Updates
Feature Updates
Table 5 Feature updates
Version Number
V3.03.02p21
Item
Description
Hardware feature
updates
None
Software feature
updates
None
Page 12 of 12
Version Number
V3.03.02p20
V3.03.02p19
V3.03.02p15
Item
Description
Hardware feature
updates
None
Software feature
updates
None
Hardware feature
updates
None
Software feature
updates
New feature:
Hardware feature
updates
None
Software feature
updates
New feature:
V3.03.02p11
V3.03.02p09
V3.03.02p06
V3.03.02p05
V3.03.02p04
Hardware feature
updates
None
Software feature
updates
New features:
Hardware feature
updates
None
Software feature
updates
New features:
Hardware feature
updates
None
Software feature
updates
New features:
Hardware feature
updates
None
Software feature
updates
None
Hardware feature
updates
None
Software feature
updates
New features:
bpdu-drop any
V3.03.02p03
December 20, 2012
Hardware feature
updates
None
Page 13 of 13
Version Number
Item
Software feature
updates
Description
New features:
1) Restart accounting when the reauthentication
user name changes.
2) Private LLDP MIB
3) CPU-protection feature
4) Command-alias feature
5) Loopback detection trap
6) IPv6 ACL
V3.03.02p01
Hardware feature
updates
None
Software feature
updates
New features:
1)
HTTPS
2)
Auto VLAN
3)
AM binding
5)
Hardware feature
updates
None
Software feature
updates
New features:
1)
LLDP
2)
IP Source Guard
3)
4)
HWTACACS.
V3.03.00p02
December 20, 2012
Hardware feature
updates
None
Software feature
updates
New features:
Hardware feature
1)
Sub IP
2)
DHCP server
3)
Password control
None
Page 14 of 14
Version Number
Item
Description
updates
V3.03.00p01
V3.03.00
Software feature
updates
New features:
Hardware feature
updates
None
Software feature
updates
New features:
Hardware feature
updates
None
Software feature
updates
1)
VLAN mapping
2)
Selective QINQ
3)
4)
FTP banner
5)
HTTP banner
6)
Telnet copyright
7)
8)
9)
Page 15 of 15
Version Number
Item
Description
22) Support for long domain names
23) Support for mask configuration in SNMP MIBview
24) MAC-authentication support for guest VLAN
25) DLDP recover
26) DHCP option 82 string function
27) HGMP topology management and trace-MAC
28) EAD quick employment
29) Support for web-based cluster configuration
30) Destination MAC address update
Deleted features: password control
V3.02.00p02
Hardware feature
updates
None
Software feature
updates
New features:
1. Or mode of port-security
Dot1X
request
packets
trigger
dot1X
authentication; non-dot1X packets with an
unknown
MAC
address
trigger
MACauthentication. Suppose the source MAC address
of a dot1X packet passes MAC authentication. If it
then passes dot1X authentication, the original
MAC authentication user logs out automatically; if
not, the original MAC authentication user keeps
online.
V3.02.00
V3.01.00
Hardware feature
updates
None
Software feature
updates
New features:
1)
2)
Syslog to host
3)
802.1X PEAP/EAP/TLS/TTLS
4)
NTP
5)
Hardware feature
updates
Software feature
updates
Page 16 of 16
Item
Description
New Commands
None
Removed Commands
V3.03.02p20
V3.03.02p19
Modified Commands
New Commands
None
Removed Commands
None
Modified Commands
None
New Commands
Removed Commands
None
Modified Commands
V3.03.02p15
V3.03.02p11
New Commands
Removed Commands
None
Modified Commands
None
New Commands
bpdu-drop any
Refer to Details of Added or Modified CLI
Commands in V3.03.02p11
Removed Commands
None
Modified Commands
V3.03.02p09
V3.03.02p06
New Commands
None
Removed Commands
None
Modified Commands
None
New Commands
Removed Commands
None
Page 17 of 17
Version Number
V3.03.02p05
V3.03.02p04
Item
Description
Modified Commands
None
New Commands
None
Removed Commands
None
Modified Commands
None
New Commands
Command 1:
Syntax
system-guard transparent rip
undo system-guard transparent rip
View
System view
Description
Use
the
system-guard
transparent
command to configure the system-guard
transparent function for RIP protocol. Then,
upon receiving a RIP multicast packet, the
switch will only broadcast the packet within
the corresponding VLAN, but not deliver the
packet to the CPU for processing.
Use the undo system-guard transparent
command to disable the function for RIP
protocol. Then, upon receiving a RIP
multicast packet, the switch will not only
broadcast
the
packet
within
the
corresponding VLAN but also deliver the
packet to the CPU for processing.
By default, the system-guard transparent
function is disabled on the switch.
Note that:
z
Example
[sysname] system-guard transparent rip
Caution: When enabling RIP, undo this
command. Otherwise, RIP can't work
correctly.
V3.03.02p03
Removed Commands
None
Modified Commands
None
New Commands
Removed Commands
None
Modified Commands
Version Number
Item
Description
command.
V3.03.02p01
New Commands
Command 1:
Syntax
[ undo ] icmp acl-priority
View
System view
Description
Use the icmp acl-priority command to
modify the local priority of ICMP packets
which are forwarded to the CPU. When the
device has an IP address configured,
enabling the command will occupy some
hardware ACL resources.
Use the undo icmp acl-priority command
to keep the local priority and free the
corresponding hardware ACL resources.
By default, the icmp acl-priority command
is applied.
Example
[Switch] undo icmp acl-priority
Command 2:
Syntax
[ undo ] mirroring stp-collaboration
View
System view
Description
Use the mirroring stp-collaboration
command to enable the collaboration of
mirroring and STP state. When a mirrored
port is in STP discarding state (or in
discarding state in at least one instance
while it is in MSTP mode), mirroring on this
port doesnt work. When its STP state
changes to forwarding state, mirroring is
activated.
Use the undo mirroring stp-collaboration
command to disable the collaboration.
By default, the mirrored port is independent
of its STP state.
December 20, 2012
Page 19 of 19
Version Number
Item
Description
Example
[Switch] mirroring stp-collaboration
Command 3:
Syntax
attribute-ignore { standard
vendor-id } type type-value
vendor
Page 20 of 20
Version Number
Item
Description
[Switch-radius-system]attribute-ignore
vendor 25506 type 22
attribute-
attribute-
V3.03.02
V3.03.00p03
attribute-
Removed commands
None
Modified Commands
None
New Commands
Operation
Manual
and
Removed commands
Operation
Manual
and
Modified Commands
Operation
Manual
and
New Commands
Command 1:
Syntax
ip address ip-address { mask | masklength } [ sub ]
undo ip address [ ip-address { mask |
mask-length } [ sub ] ]
View
VLAN interface view, loopback interface
view
Parameters
ip-address: IP address, in dotted decimal
notation.
mask: Subnet mask, in dotted decimal
notation.
mask-length: Subnet mask length, the
number of consecutive ones in the mask. It
is in the range of 0 to 32.
sub: Specifies a secondary IP address of a
VLAN or loopback interface.
Description
Use the ip address command to specify an
IP address and mask for a VLAN or
Page 21 of 21
Version Number
Item
Description
loopback interface.
Use the undo ip address command to
remove an IP address and mask of a VLAN
or loopback interface.
By default, no IP address is configured for
VLAN or loopback interface.
Note that:
z
Examples
# Assign the primary IP address 129.12.0.1
and secondary IP address 129.12.1.1 to
VLAN-interface 1 with subnet mask
255.255.255.0.
<Sysname> system-view
System View: return to User View with
Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address
129.12.0.1 255.255.255.0
[Sysname-Vlan-interface1] ip address
129.12.1.1 255.255.255.0 sub
V3.03.00p02
Removed commands
None
Modified commands
None
New commands
Command 1:
Syntax
Page 22 of 22
Version Number
Item
Description
igmp-snooping special-query source-ip
{ current-interface | ip-address }
undo
igmp-snooping
source-ip
special-query
View
VLAN view
Parameters
current-interface: Specifies the IP address
of the current VLAN interface as the source
address to be carried in IGMP group-specific
queries. If the current VLAN interface does
not have an IP address, the default IP
address 0.0.0.0 will be used as the source
IP address of IGMP group-specific queries.
ip-address: Specifies the source address to
be carried in IGMP group-specific queries,
which can be any legal IP address.
Description
Use the igmp-snooping special-query
source-ip command to configure the source
address to be carried in IGMP group-specific
queries.
Use the undo igmp-snooping special-query
source-ip command to restore the default.
By default, the Layer 2 multicast switch
sends group-specific query messages with
the source IP address of 0.0.0.0.
Related commands: igmp-snooping querier.
Examples
# Configure the switch to send groupspecific query messages with the source IP
address 2.2.2.2 in VLAN 3.
<Sysname> system-view
System view, return to user view with
Ctrl+Z.
[Sysname] igmp-snooping enable
[Sysname] vlan 3
[Sysname-vlan3] igmp-snooping enable
[Sysname-vlan3] igmp-snooping specialquery source-ip 2.2.2.2
V3.03.00
Removed commands
None
Modified Commands
None
New Commands
Removed commands
Command 1:
Syntax
Page 23 of 23
Version Number
Item
Description
language-mode { english | chinese }
View:
user view
Reason
No need to support Chinese language mode
Modified Commands
Command 1:
Syntax
traffic-limit inbound acl-rule [ unioneffect ] target-rate [ burst-bucket burstbucket-size ] [ exceed action ]
undo traffic-limit inbound acl-rule
View
Ethernet port view
Parameters
inbound: Imposes traffic limit on the packets
received through the interface.
acl-rule: ACL rules to be applied for traffic
classification. This argument can be the
combination of multiple ACLs. For more
information about this argument. Note that
the ACL rules referenced must be those
defined with the permit keyword.
union-effect: Specifies that all the ACL
rules, including those identified by the aclrule argument in this command and those
applied previously, are valid. If this keyword
is not specified, traffic policing issues both
the rate limiting action and the permit action
at the same time, that is, traffic policing
permits the conforming traffic to pass
through. If this keyword is specified, traffic
policing issues only the rate limiting action
but not the permit action. In this case, if a
packet matches both an ACL rule specified
in the traffic-limit command and another
previously applied ACL rule with the deny
keyword specified, the packet will be
dropped.
Page 24 of 24
Version Number
Item
Description
the rate of packets sourced from IP address
1.1.1.1 within 128 kbps. Whether packets
conforming to the rate limit of 128 kbps,
sourced from IP address 1.1.1.1, and
destined to IP address 2.2.2.2 (referred to
as packets A later) will be dropped depends
on the union-effect keyword of the trafficlimit command.
z
If the union-effect keyword is not
specified, the traffic-limit command
issues both the rate limiting action and
the permit action. Whether packets A
can pass through depends on the
configuration order of the filter
command
and
the
traffic-limit
command. If the traffic-limit command
is configured after the filter command is
configured, packets A can pass through;
otherwise, packets A are dropped.
z
If the union-effect keyword is specified,
the traffic-limit command issues only
the rate limiting action. Whether packets
A can pass through depends on the
filter command. As for this example,
packets A are dropped.
target-rate: Target packet rate (in kbps) to be
set. The range of this argument varies with
the port type as follows.
z
z
Description
Use the traffic-limit command to enable
traffic policing and set the related settings.
Use the undo traffic-limit command to
disable traffic policing for packets matching
specific ACL rules.
Related commands: display qos-interface
December 20, 2012
Page 25 of 25
Version Number
Item
Description
traffic-limit.
Examples
# Configure traffic policing for inbound
packets sourced from VLAN 200 on Ethernet
1/0/1, setting the target packet rate to 128
kbps, burst bucket size to 64 KB, and
configuring to drop the packets exceeding
the rate limit.
<Sysname> system-view
System View: return to User View with
Ctrl+Z.
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000]
rule
permit source 200
[Sysname-acl-ethernetframe-4000] quit
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1]
traffic-limit
inbound link-group 4000 128 burstbucket 64 exceed drop
Command 2:
Syntax
line-rate { inbound | outbound } target-rate
[ burst-bucket burst-bucket-size ]
undo line-rate{ inbound | outbound }
View
Ethernet port view
Parameters
inbound: Limits the inbound packet rate.
outbound: Limits the outbound packet rate.
target-rate: Total target rate (in kbps). The
range of this argument varies with port type
as follows:
z
z
Page 26 of 26
Version Number
Item
Description
Use the line-rate command to limit the rate
of the inbound or outbound packets on a
port.
Use the undo line-rate command to cancel
the line rate configuration.
Compared to traffic policing, line rate applies
to all the inbound or outbound packets
passing through a port and thus a simpler
solution when you only want to limit the rate
of all the inbound or outbound packets
passing through a port as a whole.
Examples
# Limit the inbound packet rate to 128 kbps
on Ethernet 1/0/1 and provide 32 KB of
buffer for burst traffic.
<Sysname> system-view
System View: return to User View with
Ctrl+Z.
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1]
line-rate
inbound 128 burst-bucket 32
Command 3:
Syntax
display vlan [ vlan-id1 [ to vlan-id2 ] | all |
dynamic | static ]
View
Any view
Parameters
vlan-id1: Specifies the ID of a VLAN of which
information is to be displayed, in the range
of 1 to 4094.
to vlan-id2: In conjunction with vlan-id1,
define a VLAN range to display information
about all existing VLANs in the range. The
vlan-id2 argument takes a value in the range
of 1 to 4094, and must not be less than that
of vlan-id1.
all: Displays information about all the
VLANs.
dynamic: Displays the number of dynamic
VLANs and the ID of each dynamic VLAN.
Dynamic VLANs refer to VLANs that are
December 20, 2012
Page 27 of 27
Version Number
Item
Description
generated through GVRP or
distributed by a RADIUS server.
those
V3.02.00p02
New Commands
Command 1:
Syntax
port-security enable
undo port-security enable
View
Page 28 of 28
Version Number
Item
Description
System view
Parameters
None
Description
Use the port-security enable command to
enable port security.
Use the undo port-security
command to disable port security.
enable
Page 29 of 29
Version Number
Item
Description
Description
Use the port-security port-mode command
to set the security mode of the port.
Use the undo port-security port-mode
command to restore the default mode.
By default, the port is in the noRestriction
mode, namely access to the port is not
restricted.
Note that:
If port security is enabled in system view and dot1X
or MAC authentication is enabled on a port, some
port-security related commands are executed on
the port automatically. These commands cant be
executed manually for compatibility with later
releases. The details are as follows.
1) If MAC-authentication and MAC-based dot1X are
enabled on a port, the following command is
executed on the port automatically.
December 20, 2012
Page 30 of 30
Version Number
Item
Description
port-security
secure-ext
port-mode
mac-else-userlogin-
V3.02.00
V3.01.00
Removed commands
None
Modified Commands
None
New Commands
Removed commands
None
Modified Commands
New Commands
Removed commands
Modified Commands
MIB Updates
Table 7 MIB updates
Version number
V3.03.02p21
V3.03.02p20
V3.03.02p19
V3.03.02p15
V3.03.02p11
V3.03.02p09
December 20, 2012
Item
MIB file
Module
Description
New
None
None
None
Modified
None
None
None
New
None
None
None
Modified
None
None
None
New
None
None
None
Modified
None
None
None
New
None
None
None
Modified
None
None
None
New
None
None
None
Modified
None
None
None
New
None
None
None
Page 31 of 31
Version number
V3.03.02p06
V3.03.02p05
V3.03.02p04
V3.03.02p03
Item
MIB file
Module
Description
Modified
None
None
None
New
None
None
None
Modified
None
None
None
New
None
None
None
Modified
None
None
None
New
None
None
None
Modified
None
None
None
New
1) H3C-VOICEVLAN-MIB
1) VOICE
VLAN
2) H3C-LLDPEXT-MIB
2) LLDP
1) Add node
h3cVoiceVlanPortLe
gacy and
h3cVoiceVlanPortQo
sTrus in
h3cvoiceVlanPortTa
ble to control 'voice
VLAN legacy' and
'voice VLAN QOS
trust'.
2) Adding the following
private MIB:
(1)
h3clldpAdminStatus:
Enable/Disable
LLDP in global;
(2)
h3clldpComplianceC
DPStatus: LLDP
supports CDP in
global;
(3)
h3clldpPortConfigTa
ble:LLDP port
configure table;
(4)
h3clldpPortConfigPo
rtNum: LLDP port
number;
(5)
h3clldpPortConfigCD
PComplianceStatus:
LLDP supports CDP
in port
V3.03.02p01
Modified
None
None
None
New
None
None
None
Page 32 of 32
Version number
Item
Modified
MIB file
Module
a3com_domain_tr
ee.c
h3cDomain
VlanAssign
Mode
Description
The vlan assignment
mode SHOULD be the
same as the mode of
the corresponding
server.
1 (integer) - Integer
Vlan assignment mode.
2 (string) - String Vlan
assignment mode.
3 (vlanlist) - VLAN-List
Vlan assignment mode.
The default value is
integer.
The 3rd mode is to
support auto-vlan
feature, which will be
supported on the new
software version.
V3.03.00p03
New
None
None
None
Modified
dot1X_tree.c
dot1XPaeP
ortInitialize
Configuration Changes
V3.03.02p21 Operation Changes
None
2)
Before modification, if the switch is enabled with DHCP server and has assigned IP addresses, the
hwDHCPSIPInUseExTable and the hwDHCPSIPInUseTable MIB tables contain IP address
assignment data after an SNMP walk operation is performed on them.
December 20, 2012
Page 33 of 33
After modification, if the switch is enabled with DHCP server and has assigned IP addresses, the
hwDHCPSIPInUseExTable and the hwDHCPSIPInUseTable MIB tables do not contain IP address
assignment data after an SNMP walk operation is performed on them.
The operation of set the maximum number of 802.1X authentication attempts for the MACAuthenticated users that are online
In early version: The system only supports to process the EAPOL packets of version 1, the EAPOL
packets of version 2 will be dropped.
In current version: The system supports to process the EAPOL packets of version 1 and the EAPOL
packets of version 2
3)
The max value of the dot1x re-authentication timer is modified from 7200s (2 hours) to 86400s (24
hours).
4)
The change to the value of Server-Type used in radius access request packets of MAC
authentication
To differentiate the user type, the value of Server-Type used in radius access request packets
changes from 2 to 10 in the case of MAC address authentication. The other authentication keeps the
original value 2.
5)
The 'voice vlan lldp' and fabric aren't mutually exclusive any longer.
6)
In early version: ARP packet rate limit can't work if ARP detection isn't enabled.
In current version: ARP packet rate limit works no matter ARP detection is enabled or not.
In early version: The syslog records only the user's name after a WEB user log in, such as:
%Apr
%Apr
In current version: The syslog records both the user's name and the user's IP address after a WEB
user log in, such as:
%Apr
Page 34 of 34
2)
In early version:LLDP packets are forwarded to other ports if LLDP function is disabled globally.
In current version:LLDP packets aren't forwarded if LLDP function is disabled globally.
In early version:
Switch serves as DHCP relay. If the packet received by the device whose length less than 300 bytes,
the device does not add padding automatically to make packet length to 300 bytes.
In current version:
Switch serves as DHCP relay. If the packet received by the device whose length less than 300 bytes,
the device add padding automatically to make packet length to 300 bytes.
2)
In early version:
DHCP server, DHCP snooping and DHCP Relay can not be enabled at the same time; otherwise PC
can't get IP address successfully.
In current version:
DHCP server, DHCP snooping and DHCP Relay can be enabled at the same time. PC can get IP
address successfully from switch, and of three functions can record its item.
In early version:
Executing this command, only destination-hit function is enabled.
In current version:
Executing this command, the mac-address synchronization function will also be enabled besides the
destination-hit function.
3)
In early version:
There is no 'unit id' option, only display mac-address' can be executed to show the mac-addresses
on the current device.
December 20, 2012
Page 35 of 35
In current version:
The 'unit id' option is introduced. Therefore, the mac-address on every unit can be displayed through
display mac-address unit id.
In early version:
Specific syslog messages will be sent to log server from every unit in a stack.
In current version:
Specific syslog messages will be sent to log server only from the master unit in a stack.
2)
In early version:
The device supports 256 VLANs.
In current version:
The device supports 4K VLANs.
In early version:
Executing "Net2Startup" operation in "CONFIG-MAN-MIB", the filename can not contain directory.
In current version:
Executing "Net2Startup" operation in "CONFIG-MAN-MIB", the filename can contain directory.
2)
In early version:
When the switch is configured as a DHCP client, the option60 field in DHCP discover packets sent by
the switch is filled only with the product series information.
In current version:
When the switch is configured as a DHCP client, the option60 field in DHCP discover packets sent by
the switch is filled with the product series information and other more detailed information.
3)
From 3.03.02p03, the source MAC address of Loopback-detection packet is changed from the Bridge
MAC of the device to 00e0-fc09-bcf9.
4)
In early version:
December 20, 2012
Page 36 of 36
If the LLDP management-address has not been configured, the IP address of the VLAN with smallest
ID which the port belongs to will be used. And if the IP address of the VLAN with smallest ID which
the port belong to has not been configured, the loopback IP (127.0.0.1) address will be used.
In current version:
(1) If the LLDP management-address has not been configured, the IP address of the smallest
permitted VLAN whose IP is configured will be used;
(2) If the LLDP management-address has been configured, and the port belongs to the VLAN with the
LLDP management-address, the IP address will be used;
(3) Otherwise, no IP address will be used.
5)
In early version:
Doing 802.1X re-authentication with a RADIUS server. Even if user-name changes, the device just
sends RADIUS Access-Request packet for the latter user-name, but does not send RADIUS
Accounting-Stop packet for the former user-name.
In current version:
Doing 802.1X re-authentication with a RADIUS server. If user-name changes, the device sends
RADIUS Accounting-Stop packet for the former user-name firstly, then sends RADIUS AccessRequest packet for the latter user-name.
Before modification, the switch cannot recognize any optical module with checksum errors.
After modification, the switch can recognize such modules and output corresponding debug
information .
In early version:
By default, the IEEE 802.1t standard is used to calculate the default path costs of ports.
In current version:
By default, the legacy standard is used to calculate the default path costs of ports.
Before modification:
Page 37 of 37
The switch will delete the "poe enable" configuration of a port if the port detects overload for three
consecutive times.
After modification:
The switch will not delete the "poe enable" configuration of a port if the port detects overload for three
consecutive times.
Before modification:
The interval for sending 802.1X multicast requests set with the dot1X timer tx-period command is in
the range 10 to 120 seconds. If a port joins the guest VLAN upon receiving no response for an
802.1X multicast request, the shortest time for the port to join the guest VLAN is about 10 seconds.
After Modification:
The interval for sending 802.1X multicast requests set with the dot1X timer tx-period command is in
the range 1 to 120 seconds. If a port joins to the guest VLAN upon receiving no response for an
802.1X multicast request, the shortest time for the port to join the guest VLAN is about 1 second.
Info-center related configuration is placed at the end part of the configuration file.
2)
The vlan-vpn enable command is exclusive with stack configuration only, and can coexist with
other protocols such as STP/GVRP.
3)
The device is compatible with line feed characters "\r\n" and"\n", so that it can exchange files with
the TFTP server running on the UNIX system.
4)
The ping operation performance is improved, but consequently the real time performance of
displaying port statistics is reduced, that is, a delay occurs when you view port statistics.
5)
You can perform port mirroring and mirroring group configuration through the web interface.
6)
The device forwards unknown EAP packets rather than discards them.
7)
The sequence of matching web files is changed from main, backup, default to default, main,
backup.
8)
The device no longer sends PortMstiStateDiscarding trap and log packets when a port goes
down.
Page 38 of 38
Condition: The XRN function is not enabled and the switch receives XRN packets
LSOD010596
z
Symptom: Because of the weak cryptographic algorithm there is a risk that the stored passwords
possibly be cracked.
Symptom: There is little possibility that some routes are correct in the FIB table but updated to
hardware incorrectly.
Condition: There are lots of ECMP routes and ARP entrys on the device. Change the state of the
VLAN interface and refresh ARP entries frequently.
LSOD010570
z
Condition: Switch serves as DHCP server, and the client requests IP addresses from it with its
MAC address and a series of different client IDs.
Description: The usage of CPU of the switch is continuously high when walking DHCP server ipin-use MIB item with a network management tool.
LSOD010537
z
Condition: Switch serves as dhcp-snooping and configures dhcp-snooping information string with
quotation mark.
Description: The DHCP-snooping option 82 field of the packet also contains quotation mark.
ZDD04632/ZDD04712
z
Page 39 of 39
Condition: In the Access-Accept packet from the RADIUS Server to the client, the sub-attributes
in Attribute 26(Vender-Specific) don't be encapsulated in the type-length-value (TLV) standard
format.
Description: The RADIUS Server sends an Access-Accept response, but the switch drops this
packet because of wrong format. The user can't get online.
ZDD04483/ZDD04548
z
Condition: The device receives LLDP data unit which contain Location ID type-length-value (TLV)
and its LCI length equal to zero. Display neighbor information.
LSOD10526
z
Condition: Query the LLDP lldpRemSysName MIB with a 'TimeFilter' value of zero.
LSOD10515
z
Condition:
The default route of the device is an ECMP route and the next-hop of default route has a
blackhole route. Configure routes and VLAN interfaces in sequence, for example:
1) Add default route: ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
2) Add blackhole route with a subnet which covers next-hop IP of default route: ip route-static
1.1.0.0 255.255.0.0 NULL 0
3) Create a link-down VLAN interface with a subnet which covers next-hop IP of default Route ,
the VLAN interface state is changed from DOWN to UP: [switch-Vlan-interface100]1.1.1.10 24
4) Delete the ECMP route: undo ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
5) Check the route table of the device: display drv drv-route
LSOD10502
z
Condition: Enable lldp compliance cdp in a stack; the stack has CDP neighbor(s); the stack split
or merge occurs.
LSOD10493/LSOD10496
z
Page 40 of 40
LSOD10482
z
Condition: In a stack, the switch configured global AM user binding item, and it configured port
AM user binding item on some units, and then delete the global AM user binding item.
Description: The AM user binding items are not synchronized on some units.
ZDD04028
z
Condition: Login with hwtacacs, pass the authentication but fail the authorization (no matter
whether the authentication server and the authorization are the same).
LSOD10465
z
Condition: The user execute the command debugging vty fsm or debugging vty negotiate firstly,
and then execute the command free user-interface vty.
LSOD10436
z
Condition: Configure EAP authentication on the switch but PAP authentication is used between
the RADIUS server and client.
Description: The switch cannot forward EAP messages with a type value of 7 transparently. The
authentication fails.
LSOD10460
z
Condition: The switch serves as NTP client. The NTP server precision is less than the NTP client.
The NTP client synchronized time from NTP server.
ZDD04119/ZDD04171
z
Condition: Device with LLDP running, such as IP Phone, is connected to switch. The switch
receives LLDP packets from the IP Phone and sets up LLDP neighbor information entry. And the
chassisID of the neighbor information is net address.
Description: The chassisID in the LLDP information displayed on the switch is not correct.
LSOD10418/LSOD10425
z
Condition: Configure one port with 'speed 10' and 'duplex half'. Connect some type of other
device to this port.
Page 41 of 41
LSOD10428
z
Description: The devices may fail to build a fabric with little probability after reboot.
LSOD10395/LSOD10396
z
Condition: Switch serves as DHCP relay, it receives DHCP discover packet, the bootp flag of
which is 0x0001.
Description: The switch drops DHCP packet, and DHCP client can not get IP address.
LSOD10391
z
LSOD10340
z
Condition: Configure dot1x function, and the dot1x authentication-method is EAP. In one second,
the dot1x client sends two EAPOL-start packets in one second to trigger an authentication.
LSOD10272/LSOD10301
z
Condition: With stack and link aggregation over units, the master port from one device has
configured 'port trunk permit vlan all', the slave port from other device has configured 'port trunk
permit vlan 1'.
Description: The slave port is not selected. Configure 'port trunk permit vlan all' under this port is
invalid.
LSOD10303/LSOD10306
z
Condition: Enable DHCP relay with valid configuration. Make the relay receive DHCP inform
packet from client.
Description: DHCP inform packet will be relayed to DHCP server, but the sources IP of the
relayed inform packet will be not DHCP relay's input interface.
Page 42 of 42
LSOD10299/LSOD10302
z
Condition: Enable DHCP relay with valid configuration and system server group 1 is referred by
VLAN interface, and DHCP client successfully apply IP address. Create another server group 0
and then delete it in system mode.
Description: After irrelevant server group 0 being created and deleted, DHCP client can not get IP
address.
LSOD10310/LSOD10311
z
Condition: IGMP packets are received by a port on which 'port-security port-mode autolearn' is
configured.
LSOD10082/LSOD10232
z
Condition: When STP is disabled, 'loopback internal' test is executed on port A. At the same time,
port B receives an STP packet. Port A and port B are in the same VLAN.
LSOD10247/LSOD10274
z
Condition: Use the command 'port-security trap dot1xlogon', 'port-security trap dot1xlogoff' or
'port-security trap dot1xlogfailure' to open the trap of dot1x, and the dot1x authentication-method
is EAP, a user logs in successfully, and change the username when doing re-authentication.
Description: Although the re-authentication is successful, the username in the trap dose not
change.
ZDD03292/ZDD03331
z
Condition: Configure the switch as DHCP client, and there is no END option in ACK packet from
DHCP server.
LSOD10189/LSOD10187
z
Page 43 of 43
Description: The fiber module type is different between log information and the information
LSOD10207
z
Condition: Configure the device through Web. Select Port > MAC Address [Add] from the
navigation tree to add MAC address to a port of specified VLAN.
Description: Cannot choose a port of specified VLAN to add MAC address.
LSOD10180
z
Condition: When the first octet of the MAC address of the client or the gateway is not 0x00(such
as 30-00-00-00-00-01).
Description: The EAD-Quick-Deploy feature doesn't work.
LSOD10079
z
Condition: There are telnet users on device, executing display users all command.
Description: The IP address is reduplicated in the result. For example (the italic part is unwanted):
Delay
Type
Ipaddress
Username
Userlevel
F 0
AUX 0
00:01:09
F 1
AUX 1
00:00:00
AUX 2
AUX 3
AUX 4
AUX 5
AUX 6
AUX 7
+ 18.118.118.458
+ 18.118.118.1119
10
VTY 2
11
VTY 3
12
VTY 4
VTY 0
VTY 1
00:00:13
00:00:03
TEL
TEL
18.118.118.45
18.118.118.111
User-interface is active.
3
3
LSOD10077
z
Condition: In a fabric, both master and slave were attacked by telnet log on packets.
LSOD10050
z
Condition: Configure 'pki certificate access-control-policy', then add and remove rule.
Page 44 of 44
LSOD10083
z
Condition: Switch serves as DHCP snooping, and it receives bootp packets or abnormal DHCP
packets without option 53.
LSOD10016
z
Condition: Switch serve as DHCP snooping, and it receives DHCP ACK packets with source
UDP port 4011.
Description: DHCP snooping can not transmit those DHCP ACK packets.
LSOD10023
z
Condition: Switch serves as DHCP relay and DHCP snooping, PC gets IP address through
switch and renews its IP address.
Description: When PC renew its IP address, DHCP snooping can not refresh its item.
Condition: Configure VLAN-interface A and B on the device. Configure IP address of B as NASIP address of the RADIUS scheme. Do dot.1X authentication with RADIUS server.
ZDD02999
z
Condition: Some NMS send messages to the device at the same time.
Description: The device can only process 10 messages in one time, others are dropped.
LSOD09955
z
Condition: A device receives ARP reply packet with VLAN X in 8021.q tag, and the corresponding
VLAN interface X is UP. However, the port that receives the packet is NOT in the VLAN X.
LSOD09894
z
Page 45 of 45
LSOD09928
z
Condition: configured 'snmp-agent target-host trap address udp-domain A.B.C.D (D>223) params
securityname RADAR'in system view.
LSOD09920
z
Description: After login, every command executed by user will cause memory leak.
LSOD09911
z
Condition: The switch is enabled with DHCP snooping. The PXE client obtains an IP address
through the switch, and downloads the bootstrap program and boot menu through the switch.
Description: The PXE client can obtain an IP address successfully, but it fails to download the
bootstrap program and boot menu.
LSOD09909
z
Description: The system sometimes prompts 'MAC address table exceeded maximum number X
on interface portA' after the learning MAC count of the port A has not reached the limit.
Condition: Configure ACL group with number between 5000 and 5999, and add at least 2 userdefined ACL rules. These user-defined ACL rules are setup by the command with 'rule-string
rule-mask offset' format, such as 'rule 1 permit 0806 ffff 24 000fe213629e ffffffffffff 34'. Save the
configuration and reboot the switch.
Description: The switch can not boot up successfully because of dead loop.
LSOD09745
z
Condition: In a stack, dot1x is not enabled globally, but enabled on several ports.
LSOD09830
z
Condition: The client application does dot1x authentication with TTLS certification.
Page 46 of 46
LSOD09837
z
Condition: Switch serves as DHCP relay, two PCs get IP address through two different relay
interfaces.
Description: In the offer packets that switch sent to PC, the source IP address in IP header is
incorrect.
ZDD02827
z
Condition: Switch serves as DHCP relay and it receives a bootp packet without magic cookie.
Description: The switch regards the packet as wrong one and drops it.
LSOD09587
z
Condition: Several ACL numbers including the same rule can be applied on one port for trafficpriority action to remark different COS value.
Such as:
Basic ACL
2000, 1 rule
Acl's step is 1
rule 0 permit
Basic ACL
2001, 1 rule
Acl's step is 1
rule 0 permit
interface Ethernet1/0/1
traffic-priority inbound ip-group 2000 rule 0 cos spare
traffic-priority inbound ip-group 2001 rule 0 cos background
z
Description: After one ACL rule is removed from the port, the other ACL rules cant be deleted.
LSOD09728
z
Description: The command is executed correctly, but it does not give cable length.
LSOD09619
z
Condition: The network device acted as SSH server, and received specific SSH attack packets.
LSOD09678
z
Page 47 of 47
LSOD09700
z
Condition: Enable DHCP server and DHCP snooping on switch. The pool lease of DHCP server
is set less than one minute, and lots of users get IP address from switch.
LSOD09499
z
Condition: When 802.1X authentication and mac-authentication are both enabled on the port, the
user first pass the mac-authentication and success get IP address by DHCP, then do 802.1X
authentication success and get IP address by DHCP again.
Description: Sometimes the IP address shown by the command "display connection" is in reverse
order.
LSOD09555
z
Condition: On the authentication port Y, execute undo dot1x command and then execute dot1x
command during dot1X authentication.
Description: In a very small chance, the information Port Y is Processing Last 802.1X command...
Please try again later. is shown.
LSOD09550
z
Description: The switch will not send EAP Failure packet until (X+80) seconds after.
LSOD09598
z
Description: After log out, the client can not log in again until X seconds after.
LSOD09554
z
Page 48 of 48
Condition: The switch enables DHCP snooping and the up-link port of the switch is configured as
the trust port of DHCP snooping. The DHCP server and the users PC are connected to the uplink port of the switch.
LSOD09521
z
Condition: STP or MSTP is enabled on the device. There are dynamic ND entries or
short-
static resolved ND entries on one port whose STP state is changed from 'Forwarding' to
'Discarding'.
z
Note: Short-static ND entry is configured by command line. The entry doesn't have port information.
The port information will be learnt by ND packets. When the port information is learnt, the ND entry is
called short-static resolved ND entry.
Short-static ND entry Example: ipv6 neighbor 3000::1 0000-0002-0002 interface vlan-interface 1.
LSOD09717/LSOD09709
z
user
interface, a user telnet the switch and logging in successfully through local authentication mode,
then the user running a valid command such as 'quit' through telnet.
z
LSOD09572/LSOD09605
z
Condition: Configuring the switch as a DHCP server, an IP phone connecting the switch and
getting voice VLAN ID and IP address from the switch.
Description: The IP phone can not get voice VLAN ID and IP address successfully within 25
seconds.
Condition: Configure IPv6 ACL rule including COS or VID by WEB or command line.
Description: The rule is configured successfully by WEB, but unsuccessfully by command line.
LSOD09537
z
Condition: User's MAC item moves from port A to port B in switch. Port A is a single port, port B
is in the aggregation group whose master port is down.
Page 49 of 49
LSOD09483
z
Condition: Test the IPV6 communication between a device and a stack that has an aggregation
group across different units.
Description: The stack device can not communicate with other device.
LSOD09498
z
Condition: Connect with huawei S2300. Enable LLDP and show LLDP neighbor information.
Description: The 'Management address OID' section of neighbor information will be garbage
characters.
LSOD09434
z
Condition: In domain view, configure authentication scheme to be radius scheme, but do not
configure accounting scheme. Configure accounting optional.
LSOD09447
z
Condition: Do 802.1X authentication with iNode client (whose version is lower than V3.60-E6206)
on PC, and upload IP address option is chosen. PC gets IP address from DHCP server.
Description: The switch passes empty user-name to the RADIUS server, and authentication fails.
LSOD09406
z
Condition: There are many switches serve as DHCP snooping in network. PC applies for IP
address through DHCP snooping and finally get a conflict one.
LSOD09332
z
Condition: Configure DHCP rate limit on port, and display the configuration.
LSOD09048
z
Condition: Configure the ipv6 ACL that include destination IP address and source IP address in
sequence.
Description: The source IP address includes part of the destination IP address in the current
information.
LSOD09439
z
Page 50 of 50
Condition: Configure port-security auto learn mode on port A. Delete all MAC-address and
change the VLAN ID of the port A while there are background traffic.
LSOD09268
z
LSOD09295
z
Condition: Dot1x is enabled on a device. Ping the device with IPv6 address from an
unauthenticated PC.
Condition: Connect PC to port A of a slave device in stack. After reboot the slave device, the port
A enters guest-VLAN.
Description: Display interface information on the master of stack. It is shown that the port A is not
in the guest-VLAN.
LSOD09204
z
Condition: Connect PC to port A. Configure port-security on port A (the port-mode is mac-anduserlogin-secure, userlogin-secure-or-mac, mac-else-userlogin-secure, userlogin-secure or
userlogin-withoui). Do 802.1X authentication with windows XP client on PC.
LSOD09167
z
Condition: Many 802.1X users are on-line on the same device (about 1000). In system-view,
execute undo dot1x command, and then execute dot1x command.
Description: Executing the dot1x command always fails, and the system prompts Processing
Last 802.1X command... Please try again later.
LSOD09156
z
Condition: In stack, do 802.1X authentication with iMC server. User A log-in, then user B log-in
from another device of the fabric with the same user-name of A.
Page 51 of 51
LSOD08866
z
Description: The multiple entities of walk result have the same index which causes the failure in
synchronizing device data through SNMP network management.
LSOD09143
z
Condition: The device has been configured igmp-snooping non flooding function. The VLAN X is
configured igmp-snooping function and configures port Y as static router port. VLAN X receives
unknown multicast flow, and then disables igmp-snooping function in VLAN X.
Description: The port which is not router port can receive unknown multicast flow.
LSOD09176
z
Description: The switch may ignore CDP packets from IP phone, and voice VLAN will not work.
LSOD09145
z
Condition: Voice VLAN, dot1x (or port-securtiy) and DHCP-launch are enabled on the device,
and then the device receives DHCP Discover packet or DHCP Request packet whose source
MAC address is belong to a Voice VLAN OUI.
Description: The source MAC address of DHCP Discover packet or DHCP Request packet can
not be learnt. The correct behavior is: the source MAC address should be learnt.
Condition: configure "dot1x guest-vlan" on the port. Users succeed in authentication, and
authorization VLAN is assigned to the port. After that, configure "undo dot1x" on the port.
Description: In a very tiny chance, the port remains in the authorization VLAN.
ZDD02152
z
Condition: Switch work as Telnet client or server. Input non-english character after login.
LSOD08964
z
Condition: Enable DHCP snooping and DHCP snooping option 82 on switch with replacing
strategy.
Description: Switch can not replace OPTION 82 of DHCP discover packet correctly.
Page 52 of 52
LSOD09106
z
Condition: EAD fast deployment is enabled on the port connecting the switch to a client, and no
VLAN-interface is created for the VLAN where the port resides. The client sends repetitive HTTP
requests or out-of-sequence HTTP packets when it is unauthenticated and accesses the network.
LSOD09080
z
Description: Each slave unit leaks 9K-byte memories every time. No memory leakage occurs on
master unit.
LSOD08774
z
Description: The user goes off-line soon after passing the security checking.
LSOD09095
z
Condition: Enable 802.1x authentication on a device, and connect a PC to a trunk port of the
device through a Netgear switch. The data traffic should be tagged when it passes the trunk port.
Then do 802.1x authentication.
Description: After log-on, PCs MAC-Address is learnt in the PVID VLAN of the port, not the
tagged VLAN. So, the port can not forward the data traffic.
LSOD09097
z
Condition: The device has been configured user ACL remark VLAN ID, and user VLAN ID is
configured as multicast VLAN ID. The device receives IGMP report message from the host.
Description: The device can not transmit IGMP report message to upstream device periodically,
so as to multicast stream to be interrupted.
LSOD09102
z
Condition: Set up an extended IP ACL with number 3000, and add a rule with protocol key. Such
as "rule 0 permit ip", in which "ip" means IP protocol. View the configuration file by "more"
command after saving configuration, or display the current configuration.
Description: The protocol key of the rule in the configuration becomes capital, and it will be
lowercase in current version. For example, former version shows up "rule 0 permit IP" and
current version shows "rule 0 permit ip". There is no any effect for function.
LSOD09100
z
Page 53 of 53
Condition: Net management software, which is using SNMP, is connected to the slave device in a
stack.
Description: Execute setting operation; the operation can be succeeding, but the device cannot
send SNMP response to the net management software.
LSOD09045
z
Description: Several MAC address can not be aged after aging timer is reached.
LSOD08988
z
Condition: One user with privilege level 0 login the web management interface.
Condition: Enable mac-authentication and set the offline-detect timer to be larger than one half of
mac-address aging timer on the switch. And connect a PC to the switch to do mac-authentication,
but the traffic sent from the PC is very small, such as only sending one packet every 2 or 3
minutes.
Description: The PC may log off probably even though the mac-address of the PC has not agedout on the switch.
LSOD08964
z
Condition: A switch serves as DHCP SNOOPING, and enable DHCP SNOOPING OPTION 82
function with replace strategy on the switch.
Description: The switch can not replace the OPTION 82 of DHCP discover packet correctly.
LSOD06917
z
Condition: In the following network, the monitor port is on the master device (UNIT 1). After
rebooting fabric with saved configuration, configure the ports of UNIT 3 as the source mirroring
port and the monitor port.
Page 54 of 54
Description: The fabric can't ping the PC connected to the mirroring port successfully.
LSOD08776
z
Condition: Execute "ip host" command and the "hostname" parameter includes "-" character.
Description: The command fails and the message of "Invalid host name format!" is prompted.
LSOD08782
z
Condition: Enable dot1x function and some dot1x clients are on-line.
Description: The ports which have passed dot1x authentication will forward the unicast EAP
packets to the entire vlan.
LSOD08757
z
Condition: Enable NDP on a fabric system and many NDP adjacent devices attached to the same
port of the device.
Description: When getting the NDP neighbor information through SNMP, the usage of CPU of the
device is high.
LSOD08753
z
Condition: Enable NTP on a fabric system, the NTP server is connected to one port of the slave
device.
Description: When working in NTP multicast client modes, the stack device can not synchronize
the clock from NTP Server.
LSOD08892
z
Condition: The devices are in a fabric. Lots of VLAN and some MSTP instances are configured.
Execute the command "active region-configuration".
Description: There is little probability that the command fails and the device outputs the following
information: Command synchronization failed, please try later...
LSOD08819
z
Condition: The last port of a device in a fabric has a link-up state and is configured with link-delay.
Reboot the fabric after saving configuration.
Description: There is little probability that the port mentioned above can't send packets.
LSOD08905
z
Condition: Execute command "display memory" in a stack composed of multiple devices. Press
"Ctrl+C" before the display process completes.
Page 55 of 55
LSOD08907
z
LSOD08729
z
Condition: Set port-security as "and" mode in device. Some users do MAC and dot1x
authentication on several ports at the same time.
LSOD08843
z
Description: The CPU usage of device is up to 100%, and the information of port-mirroring can't
be normally displayed at web view.
LSOD08788
z
Condition: The 802.1x server is CAMS or iMC, the device enable DHCP snooping or DHCP relay,
the 802.1x client which is on-line requests ip address frequently.
Description: The device send accounting update packet to server frequently, which lead the
802.1x client off-line.
LSOD08808
z
Condition: The IP address of a WEB server is the same as that of the vlan-interface of a device.
Description: After user login through web-authentication, the user's layer-2 traffic can't be
forwarded normally.
LSOD08738
z
LSOD08679
z
Condition: Units A, B, and C are in the same stack. An 802.1x user logs in through Port X of unit
A, and Port X is assigned to the authorization VLAN (PVID or auto VLAN). Reboot unit B. Then
the user in unit A logs off, and Port X leaves the authorization VLAN.
Description: After the user logs off, execute the display interface command on units A and B to
display information about port X. It is showed that the port is no longer in the authorization VLAN.
Execute the display command on unit C, and it is showed that the port is still in the authorization
VLAN.
Page 56 of 56
LSOD08657
z
Condition: In a stack device, configure port security in autolearn mode for a port, and set the
max-mac-count limit. Let the port learn MAC addresses automatically, and make MAC count of
the port reach the limit.
Description: Try to add one more MAC address to the port using the mac-address security
command. Although a failure information is showed, the display mac-address command shows
that the additional MAC address is added actually, making the MAC count of the port exceed the
limit.
LSOD08665
z
Condition: In a stack, enable port security in autolearn mode and aging mode on ports. After the
security MAC is learnt, disable the port security feature when the security MAC is aging.
LSOD08631
z
Condition: Enable 802.1X and debugging for RADIUS packets. Lots of users log on and then log
off.
LSOD08656
z
Condition: Configure the multicast static-group command on a device configured with multicast
VLAN.
Description: When deleting the multicast static-group configuration, the IGMP snooping groups
can't be removed.
LSOD08713
z
Description: The COS value and DSCP value of the voice VLAN are incorrect.
LSOD08716
z
Condition: Configure the lldp compliance CDP command on a switch to communicate with a
Cisco device through Cisco CDP version 1.
LSOD08575
z
Condition: When non-flooding is enabled, the device acts as the NTP client in the multicast mode
to synchronize timekeeping.
Page 57 of 57
LSOD08674
z
Condition: In a stack, there is global am user-bind in the startup configuration file. After rebooting,
the minimum Unit ID is not that of the master. Configure global am user-bind again and then
delete all the global am user-bind from the slave units.
Description: The device displays the checksum different from that of unit 1 when you save the
configuration.
LSOD08652
z
Condition: Add a hybrid port to the Guest VLAN of 802.1x, and then use the undo port hybrid vlan
command to remove the port from the Guest VLAN.
Description: The display interface command shows that the port is still in the Guest VLAN.
Actually, the port is not in the VLAN.
LSOD08675
z
Condition: In a stack, a port in unit A is assigned to the guest VLAN (VLAN x) of port security.
Then send packets with authenticated MAC addresses as source MAC to the port continuously.
Description: After the port is removed from the guest VLAN, PVID of the port changes back to the
original VLAN y. Execute the display mac-address on unit B, and some dynamic MAC addresses
in VLAN y without authentication are displayed.
LSOD08678
z
LSOD08726
z
Condition: There are several units in a stack. Reboot the master device of the stack.
LSOD08667
z
Condition: Use the display transceiver xxx command to check the Copper SFP information.
Description: The device does not support displaying Copper SFP information.
LSOD08673
z
Description: The packets with authenticated MAC addresses as source MAC can not be
forwarded by the other units of the stack.
Page 58 of 58
LSOD08570
z
Condition: Enable the port security feature on a stack, and set the intrusion mode to blockmac.
After one port (for example, port A) learns some blocked MAC addresses, remove the device to
which port A belongs from the stack.
Description: Such blocked MAC addresses on the other devices of the stack can not be removed.
LSOD08734
z
Condition: Enable STP and loopback detection in both interface view and system view. A loop
occurs on the port.
LSOD08284
z
Description: After reboot, there is little probobility that some MAC entry information in the MAC
forwarding table cannot be displayed.
LSOD08291
z
Condition: Set the authentication mode with the command xrn-fabric authentication-mode md5
STRING<1-16> in a stack. Set the MD5 password twice, and the last configured password has
16 characters. Save the configuration and reboot a device in the stack.
Description: After startup, the stack cannot be established and the stack ports are in isolated
state (auth failure).
LSOD08603
z
Description: A user whose password has two characters cannot pass dot1x authentication.
LSOD08460
z
Condition: The device is enabled with voice VLAN, dot1x (or port-security with userlogin,
userloginext, userloginsecure mode) and DHCP-launch.
Page 59 of 59
LSOD08576
z
Condition: There are security MAC addresses in the switch. Then walk dot1qTpFdbStatus node
through SNMP.
LSOD08651
z
Condition: Enable DHCP-snooping on a ring-mode stack. The DHCP server and DHCP client
connect to different stacking units. The port connected to the DHCP server is configured with the
dhcp-snooping trust command and belongs to a link-aggregation group.
Description: The DHCP client will get duplicate DHCP ACK packets when requesting an IP
address.
LSOD08655
z
LSOD08646
z
Condition: The member ports of a link-aggregation group which belong to different units are
configured as mirrored ports. The mirroring-group monitor port and the link-aggregation group
master port are on the same unit.
Description: The LLDP information on the master port of the link-aggregation group is wrong.
LSOD08628
z
Description: The result is the same as ifAlias. In fact, that value should be the same as ifDesc.
Condition: The switch is the first-hop router of a multicast source, and another vendors device
(for example, IP 8800 of NEC) is the RP. The RP cannot create multicast entries through PIM null
register packets. When the link between the first-hop router and the RP breaks, the multicast
entries on the RP are aged out.
Description: When the link between the first-hop router and the RP recovers, the RP cannot
create multicast entries.
LSOD08193
z
Page 60 of 60
LSOD08145
z
Condition: Enable selective QinQ, and configure outer VLAN tag-to-inner VLAN tag mappings
until the system resources become insufficient.
Description: Configured mappings cannot be deleted. To delete them, you need to restart the
device.
Condition: Get the value of module0 under the entPhysicalVendorType MIB node.
LSOD07413
z
Condition: Two switches comprise a cluster. The header legal command is configured on the
member switch. Execute the cluster switch-to 1 command on the command switch to log into
the member switch.
Description: The login operation fails no matter whether "Y" or "N" is input.
LSOD07744
z
Condition: Modify RADIUS scheme configuration through the CLI and web interface respectively
when there exist online users.
Description: Modification through CLI fails, while modification through web interface succeeds.
LSOD07980/ LSOD07531/LSOD07749
z
Condition: A PC acts as an administrator user and its MAC address is configured as a static MAC
address on the switch.
Description: Logging into the web NM interface of the switch from the PC fails because the login
request is redirected to the EAD server.
LSOD07692
z
Condition: Configure the maximum hops of topology discovery with the ntdp hop xxx command.
If the new maximum hop number is less than the previous one, a cluster is built on the device.
Description: Devices beyond the maximum hops of topology discovery also join the cluster.
LSOD07939
z
Page 61 of 61
Condition: Local user User 1 sets the access-limit to N on the switch. Then, N local users except
for User 1 log into the switch (Local users can be FTP/ LAN-access/SSH/telnet/terminal users. If
a user logs into the switch through 2 ways at the same time, for example, FTP and telnet, the
user is counted as two logged-in users.).
LSOD08070
z
Condition: Configure the dot1x authentication-method eap command in system view, and
configure the port-security port-mode mac-and-userlogin-secure or port-security port-mode
mac-and-userlogin-secure-ext on a port that is connected to a PC. The PC passes 802.1X
authentication but fails MAC authentication .
Description: The PC goes online. (It is required that the PC can go online after passing both
802.1X authentication and MAC authentication.)
LSOD08034
z
Condition: The switch acts as the SSH/Telnet server, and SecureCRT acts as the SSH/Telnet
client. After the client logs into the server, copy a lot of configuration setting into the client window.
LSOD07962
z
Condition: Configure an ACL rule and configure a description for the rule. View ACL rule
information through the web interface.
Description: Two entries for the rule exist, and one entry is empty.
LSOD08035
z
Condition: A stacking switch serves as a DHCP client and gets an IP address from the DHCP
server. When the client renews its lease, the DHCP server returns a NAK packet.
Description: DHCP clients on the master and slave devices in the stack have different states.
LSOD08049
z
Condition: The switch receives a packet with a broadcast destination MAC address and a unicast
destination IP address other than the IP address of the receiving VLAN interface.
LSOD08101
z
Description: The device can't forward DHCP packets whose UDP source port is 68 and whose
UDP destination port is neither 67 nor 68.
Page 62 of 62
LSOD08106
z
Condition: Enable selective QinQ, and configure outer VLAN tag-to-inner VLAN tag mappings
until the system resources become insufficient.
Description: Configured mappings cannot be deleted. To delete them, you need to restart the
switch.
LSOD08118
z
Condition: Update the software from version A (V3.01.xx and V3.02.xx) to version B (V3.03.00,
V3.03.00p01 and V3.03.00p02).
Condition:
PC1 and PC2 communicate with each other at Layer-3 through Switch 1.
Configure a static ARP entry that has no VLAN ID or outbound interface specified for PC2 on Switch
1. After PC1 and PC2 communicate with each other, the egress port and VLAN ID (VLAN B) of the
ARP entry are learned.
Then change the network as follows:
Remove VLAN B from Switch 1, configure VLAN B on Switch 2, and move PC2 from Switch 1 to
Switch 2.
After that, all PC1, Switch 1, Switch 2 and PC2 communicate with one another at Layer-3.
The new network is shown below:
Description: The ping operation from PC1 to PC2 fails. To solve the problem, you have to reboot
Switch 1.
Page 63 of 63
LSOD07630
z
Condition: Perform EAD authentication on a port. Before authentication, the port's PVID is V1.
During authentication, the port is assigned a VLAN ID of V2. V2 and V1 are not in the same
MSTP instance.
LSOD07571
z
Condition: The switch works together with the CAMS server to implement RADIUS authentication.
The CAMS server assigns an SSL VPN group number to the switch.
Description: RADIUS authentication fails because the switch does not support the SSL VPN
group number attribute.
LSOD07676
z
Description: The TTL of the DHCP Discover packet sent on the VLAN interface is 1. Because the
DHCP relay agent drops packets with TTL being 1, the DHCP Discover packet can't be
forwarded to the DHCP server.
LSOD07670
z
Condition: A port (Ethernet1/0/28, for example) receives more than 500 error packets (CRC error
packets, for example) within one minute. Shutdown the port.
Description: The switch prints the information "The link partner of Ethernet1/0/28 may be bad,
sending lots of error packets", which means the shutdown port is still receiving error packets.
LSOD07668
z
Condition: Set forced mode, such as speed 100 and duplex full, for a lot of ports of the switch.
Save the configuration and reboot the switch.
LSOD07316
z
Condition: Perform 802.1X authentication on a user through the CAMS server. Before
authentication, the VLAN ID of the receiving port is V1. After authentication, the assigned VLAN
ID is V2.
LSOD07416/LSOD07422/LSOD07420/LSOD01108
z
Condition: Perform 802.1X authentication on a user in VLAN V1. VLAN V2 is assigned. V1 and
V2 belong to different MSTP instances.
Page 64 of 64
LSOD07375
z
Condition: Send UDP packets with destination port as 1645 or 1646 to the device.
LSOD07479
z
LSOD07124
z
Condition: A stack serves as a DHCP relay agent. After a PC gets an IP address through the
relay agent, it sends a DHCP Inform packet to get extra information.
Description: The DHCP relay agent does not process the DHCP ACK packet from the DHCP
server correctly, and thus the PC cannot process the DHCP ACK packet.
LSOD07425
z
Condition: Execute the debugging snmp-agent detail process 0 command in hidecmd view.
The CPU usage is high (>50%). Then, use IMC software to scan the interfaces on the device.
LSOD07313
z
Description: Use the display transceiver command to check the SFP module information, which
is updated.
LSOD07467
z
Condition: The outgoing traffic speed on port A is higher than its maximum speed.
LSOD07460
z
Condition: A stack is established, and the following conditions are met on a stacking device.
Description: A DHCP client connected to the device can't get an IP address successfully.
Page 65 of 65
Condition: The stack serves as a DHCP relay agent. After a PC gets its IP address from a DHCP
server through the DHCP relay agent, it sends a DHCP Inform packet to the DHCP server.
Description: When the PC requests an IP address again, it has to repeat the request operation
before it gets an IP address.
LSOD07240
z
Condition: Send DHCP request packets to the switch (a DHCP relay agent) continuously and
clear clients entries from the relay agent at the same time.
Description: The switch reboots or cannot create clients entries according to DHCP requests.
LSOD07138
z
Condition: A stack has DHCP snooping enabled. A PC gets an IP address from a DHCP server
through the stack.
Description: Display DHCP client information on Unit X with the display dhcp-snooping unit X
command. The remaining lease time is always 0.
LSOD07145
z
LSOD07184
z
Description: A memory leak of 512 bytes occurs on the slave device per minute.
LSOD07234
z
Condition: Execute the undo cluster enable command on a stacking device that also works as a
cluster member.
Description: The cluster configuration of the master device cannot be synchronized to the salve
device.
LSOD07128
z
Condition: A stack has STP BPDU protection enabled. An STP edge port on a slave device
becomes administratively down upon receiving BPDUs.
Description: Using the display stp portdown command cannot view information about the port.
Page 66 of 66
LSOD07143
z
Condition: Port A, which is not a STP edge port, is connected to a terminal. Port A goes up.
Description: The STP status of port A in MSTI changes from discarding to forwarding directly,
without passing the learning state.
LSOD07136
z
Description: The telnet user is hung up and the corresponding resources cannot be released.
LSOD07140
z
Condition: Two devices form a stack. Telnet to the slave device and execute the free userinterface vty command on its console port. Then, use the display users command to view the
user information on the master device.
LSOD06680/LSOD07269
z
Condition: The device has the default configuration file 'config.def', but has no startup
configuration file specified.
Description: The device does not use the auto-configuration function after startup, but runs the
default configuration file 'config.def'.
ZDD01517
z
Condition: Use the AT&T network management tool to backup the configuration on the device.
Description: A memory leak of 512K bytes occurs each time a backup operation is performed.
LSOD06530
z
Condition: The network diagram is shown below: The stack acts as an FTP client. Device A in the
stack is not directly connected to the FTP server. All devices in the figure are the S4500 series.
LSOD06010
z
Page 67 of 67
Condition: Configure a static route with the blackhole attribute on the device, and its next hop
address is a reachable valid IP address. For example, execute the ip route-static 1.1.1.0
255.255.255.0 2.2.2.2 blackhole command.
Description: IP packets matching the blackhole route are still forwarded normally.
Condition: Execute the undo shutdown or shutdown command on the combo port of a device
whose unit ID is not 1. .
Description: The output information shows that the unit ID is not correct.
Condition: Change the sysname in the default configuration file and reboot the device (the default
configuration file is used).
Description: After startup, the new sysname does not take effect.
LSOD03115
z
Description: The usage of memory increases continuously until it gets exhausted and no
command can be executed.
LSOD02840
z
Condition: The switch acts as the SSH server. SSH packets from the SSH client are fragmented
before reaching the SSH server.
Description: The SSH connection between client and server cant be established successfully, or
SSH doesnt work after the SSH connection is established.
OLSD31930
z
Description: display mac number in hardware and display mac hided in hardware cannot be
resolved.
OLSD31973
z
Page 68 of 68
Condition: The device receives broadcast packets destined to a subnet not directly connected.
Description: The switch processes these packets and thus extra system resources are consumed.
OLSD29599
z
Condition: Configure a sysname with a space through the web interface, for example, "4500
sysnametest".
Description: After the switch reboots, a syntax error is reported and the sysname is changed back
to the original sysname, because the sysname cannot contain any space.
OLSD30143
z
Description: An ACL rule in deny mode configured through CLI cannot be displayed on the web
interface, and you cannot configure an ACL rule in deny mode through the web interface.
Description: The switch keeps sending traps and the following information appears frequently.
%Apr 23 11:06:13:982 2000 11FL-Voice-SW2 DEV/5/DEV_LOG:- 1 Power 2 recovered
%Apr 23 11:06:15:547 2000 11FL-Voice-SW2 DEV/5/DEV_LOG:- 1 Power 2 is absent
Condition: Use FTP to download an application file to the switch that uses the Intel J3D flash, or
perform other write operations to the flash such as execute the display diagnostic-information
command.
Page 69 of 69
Description: Some errors occur and command executions fail. For example, if you download a
large file from the FTP server when there is enough space, the following prompt appears:
Local space is not enough !
System will delete the file which has been transferred, please wait...
...Error Writing Local File: not enough space!
On an S4500 device that has an Intel J3D flash installed and runs a version earlier than V3.01.00p01,
performing above-mentioned operations will fail.
Related Documentation
For the most up-to-date version of documentation:
1)
Go to http://www.3Com.com/downloads
2)
Software Upgrading
The device software can be upgraded through the console port, TFTP, and FTP.
Page 70 of 70
After getting the new application file, reboot the device to validate it.
Note that if you do not have enough Flash space, upgrade the Boot ROM program first, and then
download the application file to the device.
The following sections introduce some approaches to local upgrading.
Boot Menu
Upon power-on, the switch runs the Boot ROM program first. The following information will be
displayed on the terminal:
Starting......
******************************************************************
*
*
*
Switch 4500 PWR 50-Port BOOTROM, Version 1.00
*
*
******************************************************************
CPU type
: BCM4704
: 64MB
Mac Address
: 000fe2004500
After the screen displays Press Ctrl-B to enter Boot Menu..., you need to press <Ctrl+B> within 5
seconds to access the Boot menu. Otherwise, the system will start program decompression, and then
you have to reboot the switch to access the Boot menu.
Enter the correct password (no password is set by default) to access the Boot menu.
Page 71 of 71
BOOT
MENU
Step 2: Enter 3 to select the Xmodem protocol and press <Enter>. The following information appears:
Please select your download baudrate:
1. 9600
2. 19200
3. 38400
4. 57600
5. 115200
6. Exit
Enter your choice (0-5):
Step 3: Select the appropriate download baud rate. For example, enter 5 to select the download baud
rate of 115200 bps. Press <Enter> and the following information appears:
December 20, 2012
Page 72 of 72
Step 4: Configure the same baud rate on the console terminal, disconnect the terminal and reconnect
it. Then, press <Enter> to start downloading. The following information appears:
Are you sure to download file to flash? Yes or No(Y/N)y
Now please start transfer file with XMODEM protocol.
If you want to exit, Press <Ctrl+X>.
Downloading ... CCCCC
After the terminal baud rate is modified, it is necessary to disconnect and then re-connect the terminal
emulation program to validate the new setting.
Step 5: Select [Transfer\Send File] from the terminal window. Click <Browse> in the pop-up window
and select the software to be downloaded. Select Xmodem from the Protocol drop down list.
Page 73 of 73
Switch 4500 series are not shipped with the TFTP server program.
Step 3: Run the terminal emulation program on the PC, and start the switch, to access the Boot menu.
Step 4: Enter 1 in the Boot menu, and press <Enter> to enter the following menu.
Please set application file download protocol parameter:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):1
Page 74 of 74
Step 5: Enter 1 to use TFTP, and press <Enter>. The following information appears:
Load File name
Switch IP address
(This address and the server IP address must be on the same network
segment)
Server IP address
Step 6: Input correct information and press <Enter>. The following information appears:
Are you sure to download file to flash? Yes or No(Y/N)
Step 7: Enter Y to start downloading the files. Enter N to return to the Boot menu. Take entering Y as
an example. Enter Y and press <Enter>, the system begins downloading programs. After downloading
completes, the system starts writing the programs to the flash. Upon completion of this operation, the
screen displays the following information to indicate that the downloading is completed:
Loading ........................................................done!
Writing to flash................................................done!
Step 5: Enter 2 to select FTP and press <Enter>. The following information appears:
Please modify your FTP protocol parameter:
Load File name
Switch IP address
Server IP address
FTP User Name
FTP User Password
Step 6: Input correct information and press <Enter>. The following information appears:
Are you sure to download file to flash? Yes or No(Y/N):
Page 75 of 75
Step 7: Enter Y to start downloading the files. Enter N to return to the Boot menu. Take the first case
as an example. Enter Y and press <Enter>, and the system begins downloading programs. After
downloading completes, the system starts writing the programs into the flash. Upon completion of this
operation, the screen displays the following information to indicate that the downloading is completed:
Loading ........................................................done!
Writing to flash................................................done!
Appendix
Details of Added or Modified CLI Commands in V3.03.02p06
dot1x unicast-trigger
Syntax
dot1x unicast-trigger
undo dot1x unicast-trigger
View
Ethernet interface view
Default Level
2: System level
Parameters
None
Description
Use the dot1x unicast-trigger command to enable the unicast trigger function of 802.1X on a port.
Use the undo dot1x unicast-trigger command to disable this function.
By default, the unicast trigger function is disabled.
Page 76 of 76
View
System view, Ethernet port view
Parameters
offline-detect-value: Offline detect timer, which specifies the idle timeout interval (in seconds) for users.
At this interval, the switch checks whether there is traffic from each user. If receiving no traffic from a
user within two consecutive intervals, the switch logs the user out and notifies the RADIUS server.
The value range for the offline-detect-value argument is 0 to 3000000. The default is 300 seconds.
Description
Use the mac-authentication timer offline-detect command to set the offline detect timer for MAC
authentication.
Use the undo mac-authentication timer offline-detect command to restore the default.
Note that:
z
The offline detect timer configured in system view applies to all MAC authentication-enabled
ports.
The offline detect timer configured in Ethernet port view applies to the current port only. You can
set the offline detect timer to different values on different Ethernet ports.
The offline detect timer configured in Ethernet port view takes precedence over the one
configured in system view.
If the offline-detect-value argument takes the value of 0, the offline detect timer is disabled.
bpdu-drop any
Syntax
bpdu-drop any
undo bpdu-drop any
View
Ethernet port view
Parameters
None
Description
Use the bpdu-drop any command to enable BPDU dropping on the Ethernet port.
Use the undo bpdu-drop any command to disable BPDU dropping on the Ethernet port.
By default, BPDU dropping is disabled.
December 20, 2012
Page 77 of 77
display link-delay
Syntax
display link-delay
View
Any view
Parameters
None
Page 78 of 78
Description
Use the display link-delay command to display information about ports configured with link state
change suppression, including the port name and the configured timer.
Related commands: link-delay, link-delay up, and link-delay updown.
Examples
# Display information about ports configured with link state change suppression.
<H3C>display link-delay
Interface
Up Delay Time
Ethernet1/0/2
Ethernet1/0/3
link-delay
Syntax
link-delay delay-time
undo link-delay
View
Ethernet port view
Parameters
delay-time: Link down suppression interval (in seconds), which ranges from 2 to 10.
Description
Use the link-delay command to enable physical link state change suppression and set the link down
suppression timer. When the physical link of the port goes down, the port starts the timer and does
not report link state changes to the system within the timer interval.
Use the undo link-delay command to disable link state change suppression.
By default, link state change suppression is disabled.
Examples
# Enable link down suppression on port Ethernet 1/0/5, and set the link down suppression interval to
8 seconds.
<Sysname> system-view
Enter system view, return to user view with Ctrl+Z.
[Sysname] interface Ethernet1/0/5
[Sysname-Ethernet1/0/5] link-delay 8
Page 79 of 79
link-delay up
Syntax
link-delay up delay-time
undo link-delay
View
Ethernet port view
Parameters
delay-time: Link up suppression interval (in seconds), which ranges from 2 to 10.
Description
Use the link-delay up command to enable physical link state change suppression and set the link up
suppression timer. When the physical link of the port goes up, the port starts the timer and does not
report link state changes to the system within the timer interval.
Use the undo link-delay command to disable link state change suppression.
By default, link state change suppression is disabled.
Examples
# Enable link up suppression on port Ethernet 1/0/5, and set the link up suppression interval to 8
seconds.
<Sysname> system-view
Enter system view, return to user view with Ctrl+Z.
[Sysname] interface Ethernet1/0/5
[Sysname-Ethernet1/0/5] link-delay up 8
link-delay updown
Syntax
link-delay updown delay-time
undo link-delay
View
Ethernet port view
Parameters
delay-time: Link state change suppression interval (in seconds), which ranges from 2 to 10.
Page 80 of 80
Description
Use the link-delay updown command to enable physical link state change suppression and set the
link up-down suppression timer. When the physical link of the port goes down or goes up, the port
starts the timer and does not report link state changes to the system within the timer interval.
Use the undo link-delay command to disable link state change suppression.
By default, link state change suppression is disabled.
Examples
# Enable link state change suppression on port Ethernet 1/0/5, and set the link up-down suppression
interval to 8 seconds.
<Sysname> system-view
Enter system view, return to user view with Ctrl+Z.
[Sysname] interface Ethernet1/0/5
[Sysname-Ethernet1/0/5] link-delay updown 8
Page 81 of 81
dot1x auth-fail-retry
Syntax
dot1x auth-fail-retry retry-value
undo dot1x auth-fail-retry
View
System view
Parameters
retry-value: For the MAC-Authenticated users that are online, specifies the maximum number of
attempts because of having failed 802.1X authentication, in the range of 0 to 50.
Page 82 of 82
Description
Use the dot1x auth-fail-retry command to set the maximum number of attempts because of having
failed 802.1X authentication, for the MAC-Authenticated users that are online. The default maximum
number of attempts is 5.
Use the undo dot1x auth-fail-retry command to restore the default.
Examples
# Set the maximum number of attempts because of having failed 802.1X authentication as 3.
<Sysname> system-view
[Sysname] dot1x auth-fail-retry 3
Unless otherwise stated, all passwords and keys, including those configured in plaintext, are stored in
encrypted form for security purposes .
Page 83 of 83
Change description
Before modification: The cipher and simple keywords are not supported. The key you enter must be a
plaintext string of 1 to 16 characters.
After modification: You can enter a key in encrypted form or plaintext form.
Page 84 of 84
For simple authentication, you can set only a plaintext password of 1 to 16 characters.
For MD5 authentication, you can set a plaintext or ciphertext password. A plaintext password
comprises 1 to 16 characters, and a ciphertext password is a ciphertext string corresponding
to the plaintext password.
After modification: Both simple authentication and MD5 authentication support plaintext or ciphertext
passwords. A plaintext password is a string of 1 to 16 characters, and a ciphertext password is a
string of 33 to 53 characters.
Page 85 of 85
key: Specifies an MD5 authentication key. You can enter the key in plaintext form or encrypted form.
In plaintext form, it must be a case-sensitive string of 1 to 16 characters. In encrypted form, it must be
a case-sensitive string of 24 characters. For security purposes, the plaintext form of the MD5
authentication key is encrypted before being stored.
simple: Specifies the simple authentication mode.
password: Specifies a password in plaintext form, a case-sensitive string of 1 to 16 characters. The
password is stored in plaintext form. This password storing strategy will not create security risks,
because the password is only useful for member chassis in the XRN fabric.
Change description
Before modification: You can enter the MD5 authentication key only in plaintext form.
After modification: MD5 authentication key can be entered in plaintext form or encrypted form.
Page 86 of 86
After modification: You can set a key in encrypted form or plaintext form to secure HWTACACS
authentication, authorization, or accounting communication.
Page 87 of 87
Views
System view
Parameters
nas-ip ip-address: Specifies the IP address of the network access server through which users can
access the local RADIUS authentication/authorization server. The IP address must be in dotted
decimal notation.
key [ simple | cipher ] password: Sets the key to share between the local RADIUS
authentication/authorization server and the network access server.
z
password: Specifies the key string. This argument is case sensitive. If simple is specified, it
must be a string of 1 to 16 characters. If cipher is specified, it must be a ciphertext string of 1
to 53 characters. If neither cipher nor simple is specified, you set a plaintext key string.
Change description
Before modification: The cipher and simple keywords are not supported. The key to share between
the local RADIUS authentication/authorization server and the network access server must be a
plaintext string of 1 to 16 characters.
After modification: You can set a key in encrypted form or plaintext form to share between the local
RADIUS authentication/authorization server and the network access server.
Page 88 of 88
without-hyphen: Uses the unhyphenated MAC address of a user, such as 0005e01c02e3, as the
username and password for MAC authentication of the user.
lowercase: Enters letters of the MAC address in lower case.
uppercase: Enters letters of the MAC address in upper case.
fixedpassword [ simple | cipher ] password: Uses a fixed password, instead of user MAC addresses,
for MAC authentication users.
z
password: Specifies the password string. This argument is case sensitive. If simple is
specified, it must be a string of 1 to 63 characters. If cipher is specified, it must be a ciphertext
string of 1 to 117 characters. If neither cipher nor simple is specified, you set a plaintext
password.
Change description
Before modification: The cipher and simple keywords are not supported. The password you enter
must be a plaintext string.
After modification: You can enter a password in encrypted form or plaintext form.
password: Specifies the password string. This argument is case sensitive. If simple is
specified, it must be a string of 1 to 63 characters. If cipher is specified, it must be a ciphertext
string of 1 to 117 characters. If neither cipher nor simple is specified, you set a plaintext
password.
Page 89 of 89
Change description
Before modification: The cipher and simple keywords are not supported. The password you enter
must be a plaintext string.
After modification: You can enter a password in encrypted form or plaintext form.
Page 90 of 90
Views
Remote-ping test group view
Parameters
cipher: Sets a ciphertext FTP password.
simple: Sets a plaintext FTP password.
password: Specifies the password string. This argument is case sensitive. If simple is specified, it
must be a string of 1 to 32 characters. If cipher is specified, it must be a ciphertext string of 1 to 73
characters. If neither cipher nor simple is specified, you set a plaintext password string.
Change description
Before modification: The cipher and simple keywords are not supported. The FTP password must be a
plaintext string of 1 to 32 characters.
After modification: You can set an FTP password in encrypted form or plaintext form.
Change description
Before modification: If cipher is specified, you can set an 88-character password or a password of 1 to
63 characters.
December 20, 2012
Page 91 of 91
After modification: If cipher is specified, you can set a password of 1 to 117 characters.
For MD5 authentication, the ciphertext password you set must comprise 24 characters.
After modification:
z
For simple authentication, the cipher keyword is added, which means you can set a ciphertext
password.
For MD5 authentication, the ciphertext password you set can comprise 33 to 53 characters.
Page 92 of 92
Page 93 of 93
Hexadecimal string
Non-hexadecimal string
MD5
32 characters
53 characters
SHA
40 characters
57 characters
privacy-mode: Specifies an encryption algorithm for privacy. The three encryption algorithms AES,
3DES, and DES are in descending order of security. Higher security means more complex
implementation mechanism and lower speed. DES is enough to meet general requirements.
z
priv-password: Specifies a case-sensitive plaintext or encrypted privacy key. A plaintext key is a string
of 1 to 64 characters. If the cipher keyword is specified, the encrypted privacy key length
requirements differ by authentication algorithm and key string format, as shown in Table 9.
Table 9 Encrypted privacy key length requirements
Authentication
algorithm
Encryption
algorithm
Hexadecimal string
Non-hexadecimal string
MD5
AES128 or DES56
32 characters
53 characters
SHA
AES128 or DES56
40 characters
53 characters
acl acl-number: Specifies a basic ACL to filter NMSs by source IPv4 address. The acl-number
argument represents a basic ACL number in the range of 2000 to 2999. Only the NMSs with the IPv4
addresses permitted in the ACL can use the specified username to access the SNMP agent.
local: Represents a local SNMP entity user.
engineid engineid-string: Specifies an SNMP engine ID as a hexadecimal string. The engineid-string
argument must comprise an even number of hexadecimal characters, in the range of 10 to 64. Allzero and all-F strings are invalid.
Change description
Before modification: Only authentication and privacy keys in hexadecimal format are supported.
After modification: Both hexadecimal and non-hexadecimal format authentication and privacy keys
are supported.
z
Page 94 of 94
Page 95 of 95