Abstract: These release notes describe the Switch 4500 V3.03.02p21 release with respect to version
Version Information
Version Number
Version Information: 3Com OS V3.03.02s168p21
Note: To view version information, use the display version command in any view. See Note①.
Version History
Table 1 Version history
Item Specifications
Product family
    Switch 4500 Series
Hardware platform
    26-Port/50-Port/26-Port PWR/50-Port PWR
Minimum memory requirements
    64 MB
Minimum Flash requirements
    8 MB
Boot ROM version
    Version 4.06 (Note: It is required to use V1.00 or later, but V4.06 is preferred. You can view the version number with the display version command in any view. Please see Note②)
Web version
    5.01
Remarks
    None
- When a switch with a new version flash runs V3.01.00, using FTP to upload an application file to
the switch, or performing write operations on the flash of the switch such as executing the
display diagnostic-information command, often fails. V3.01.00p01 and later have solved this
problem.
- A device running boot ROM V1.00 may lose power during startup, which may cause the
loss of the application file. You are recommended to upgrade the boot ROM version to V1.01 to
solve this problem.
<4500>display version
3Com Corporation
Switch 4500 26-Port Software Version 3Com OS V3.xx.xx ------- Note①
Copyright (c) 2004-2008 3Com Corporation and its licensors, All rights reserved.
Switch 4500 26-Port uptime is 0 week, 0 day, 0 hour, 0 minute
6) A version prior to V3.03.02p21 might not support the cipher and simple keywords or use a
different password encryption algorithm than V3.03.02p21 or a later version. If you downgrade
the software from V3.03.02p21 or a later version to a version prior to V3.03.02p21, or upgrade it
to V3.03.02p21 or a later version and roll it back after saving the configuration file, the relevant
configuration commands might get lost or the passwords might become invalid. For more
information, see the change descriptions for the commands.
Feature List
Hardware Features
Table 3 Hardware features
Category Description
Dimensions (H × W × D)
    43.6mm × 440mm × 260mm (1.72 × 17.32 × 10.24 in.) (devices without PWR)
    43.6mm × 440mm × 420mm (1.72 × 17.32 × 16.54 in.) (devices with PWR)
Weight (full configuration)
    ≤3.5Kg (7.72 lb.) (26-port devices without PWR)
Software Features
Table 4 Software features
Features Description
Port auto-negotiation
    Supports both speed and duplex mode auto-negotiation.
Flow control
    Supports IEEE 802.3x-compliant flow control for full-duplex, and back-pressure based flow control for half-duplex.
Link aggregation
    Supports up to 8 aggregation groups, each of which supports up to 8 FE ports or 4 GE ports.
Port internal/external loopback test
    The port internal loopback test detects the connectivity between switch chips and PHY chips. The port external loopback test detects the connectivity between PHY chips and network interfaces with the help of the self-loop header. The two tests used together can determine whether a fault is a switch fault or a link fault.
Combo ports
Unicast, multicast and broadcast suppression
    Supports bandwidth ratio- and rate-based suppression modes on ports.
VLAN
    Supports port-based VLANs, and up to 256 IEEE 802.1Q-compliant VLANs.
MAC address table
    Supports MAC address learning and up to 8K MAC addresses;
    Complies with IEEE 802.1D;
    Notifies MAC address changes to ARP.
RSTP
    Supports STP and complies with IEEE 802.1D.
802.1X authentication
    Supports PEAP/EAP/TLS/TTLS.
    The main purpose of IEEE 802.1X is to implement authentication for wireless LAN users, but its application in IEEE 802 LANs provides a method of authenticating LAN users.
SSHv2
    Secure Shell (SSH) offers an approach to logging into a remote device securely. By encryption and strong authentication, it protects devices against attacks such as IP spoofing and plain text password interception. A switch can work as an SSH server to support connections with SSH clients running on PCs.
Voice VLAN
    The voice VLAN feature adds ports into voice VLANs by identifying the source MAC addresses of packets. It automatically assigns higher priority for voice traffic to ensure voice quality. This feature supports two application modes: manual and automatic.
DHCP relay agent
    Through a DHCP relay agent, DHCP clients in a subnet can communicate with a DHCP server in another subnet to obtain valid IP addresses. In this way, DHCP clients in different subnets can share one DHCP server. This method saves costs and helps implement centralized management.
ARP
    Supports up to 256 static ARP entries.
IP routing
    Supports static routing and RIP.
IGMP Snooping
    Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups.
QoS
    Bandwidth management;
    flow control with 64 bps granularity;
    8 sending queues per port;
    Traffic classification;
    Traffic rate limit;
    Port mirroring, which supports only one source mirroring port.
Software upload and upgrade
    Software upload and upgrade through the XMODEM protocol, FTP or TFTP
Remote authentication
    To implement authentication on remote telnet, web, and console users, you need to configure user names and passwords on a RADIUS server, and configure RADIUS authentication on the access switch. When such a user logs onto the switch, the switch sends the user name and password to the RADIUS server for authentication. If the user passes authentication, the user can log in to the switch.
FTP, TFTP
    The switch can only work as a TFTP client.
System configuration and management
    Configuration methods supported: CLI, console port, telnet, and Modem;
    Features and functions supported: SNMP, remote monitoring (RMON) 1/2/3/9 group MIBs, system logging, hierarchical alarming, Syslog and NTP.
Network maintenance
    Filtering, output and collection of alarm/debug information;
    Diagnostic tools: Ping, Tracert, and so on;
    Remote maintenance through Telnet and other ways
web
Fault diagnostics and alarm output
    Detects and reports hardware/software faults.
Fast startup
    In fast startup mode, a switch can complete a startup process within 60 seconds by skipping the power-on self test (POST) and directly running the APP program. You can set the startup mode to fast or normal in the boot ROM menu.
Version Updates
Feature Updates
Syntax
View
System view
Description
Syntax
View
System view
Description
Example
[Switch] undo icmp acl-priority
Command 2:
Syntax
View
System view
Description
Example
[Switch] mirroring stp-collaboration
Command 3:
Syntax
View
RADIUS view
Description
Example
Syntax
View
Parameters
Description
Note that:
- If you execute the undo ip address command without any parameter, the switch deletes both primary and secondary IP addresses of the interface.
- The undo ip address ip-address { mask | mask-length } command is used to delete the primary IP address.
- The undo ip address ip-address { mask | mask-length } sub command is used to delete specified secondary IP addresses.
- You can assign at most five IP addresses to an interface, among which one is the primary IP address and the others are secondary IP addresses. A newly specified primary IP address overwrites the previous one if there is any.
- The primary and secondary IP addresses of an interface cannot reside on the same network segment; the IP address of a VLAN interface must not be in the same network segment as that of a loopback interface on a device.
- A VLAN interface cannot be configured with a secondary IP address if the interface has been configured to obtain an IP address through BOOTP or DHCP.
Examples
Syntax
View
VLAN view
Parameters
Description
Examples
View:
user view
Reason
Syntax
View
Parameters
Examples
Syntax
View
Parameters
Description
Examples
Syntax
View
Any view
Parameters
Description
Syntax
View
Any view
Parameters
Description
Examples
Syntax
port-security enable
undo port-security enable
View
Parameters
None
Description
Caution
Enabling port security resets the following configurations on the ports to the defaults (as shown in parentheses below):
- 802.1x (disabled), port access control method (macbased), and port access control mode (auto)
- MAC authentication (disabled)
In addition, you cannot perform the above-mentioned configurations manually because these configurations change with the port security mode automatically.
Examples
Syntax
View
Description
Note that:
MIB Updates
Table 7 MIB updates
Configuration Changes
None
After modification, if the switch is enabled with DHCP server and has assigned IP addresses, the
hwDHCPSIPInUseExTable and the hwDHCPSIPInUseTable MIB tables do not contain IP address
assignment data after an SNMP walk operation is performed on them.
1) Setting the maximum number of 802.1X authentication attempts for online MAC-authenticated
users
In early version: Unlimited.
In current version: The 'dot1x auth-fail-retry' command is provided to set the maximum number of attempts.
By default, the maximum number of attempts is 5.
2) EAPOL version 2 support
In early version: The system processes only EAPOL version 1 packets; EAPOL version 2 packets
are dropped.
In current version: The system processes both EAPOL version 1 and EAPOL version 2 packets.
3) The change to the maximum value of the dot1x re-authentication timer
The maximum value of the dot1x re-authentication timer is changed from 7200s (2 hours) to 86400s (24
hours).
4) The change to the value of Server-Type used in RADIUS access request packets of MAC
authentication
To differentiate the user type, the value of Server-Type used in RADIUS access request packets
changes from 2 to 10 in the case of MAC address authentication. Other authentication types keep the
original value 2.
5) The 'voice vlan lldp' command and fabric are no longer mutually exclusive.
6) The change to the ARP packet rate limit function
In early version: ARP packet rate limit does not work if ARP detection is not enabled.
In current version: ARP packet rate limit works whether or not ARP detection is enabled.
In current version: The syslog records both the user's name and the user's IP address after a web
user logs in, for example:
%Apr 7 09:20:34:698 2010 switch WEB/5/USER:- 1 -web (1.1.1.1) login succeed
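Because the web login record now carries the source address, it can be checked against the networks that are supposed to manage the switch. The following is an added example, not part of the release notes or of 3Com's software: the field interpretation (unit ID after "USER:-", user name before the parenthesised address), the function names, the allow-list and all log lines except the first are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Layout taken from the sample line in the release notes. Assumption: the
# number after "USER:-" is the unit ID and the token before "(ip)" is the user.
WEB_LOGIN = re.compile(
    r"^%(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+(?P<year>\d{4})\s+"
    r"(?P<host>\S+)\s+WEB/(?P<sev>\d)/USER:-\s*(?P<unit>\d+)\s*-(?P<user>\S+)\s+"
    r"\((?P<ip>[^)]+)\)\s+login succeed\s*$")


def parse_web_login(line):
    """Return a dict for a web login record, or None for any other line."""
    m = WEB_LOGIN.match(line.strip())
    if not m or m["mon"] not in MONTHS:
        return None
    try:
        # The timestamp carries milliseconds after a third colon.
        when = datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]),
                        int(m["h"]), int(m["mi"]), int(m["s"]),
                        int(m["ms"]) * 1000)
        source = ipaddress.ip_address(m["ip"])
    except ValueError:  # impossible date or malformed address
        return None
    return {"time": when, "host": m["host"], "unit": int(m["unit"]),
            "user": m["user"], "ip": source}


def unexpected_logins(lines, allowed_networks):
    """Web logins whose source address is outside every allowed network."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    events = filter(None, map(parse_web_login, lines))
    return [e for e in events if not any(e["ip"] in n for n in nets)]


SAMPLE_LOG = [
    # The line shown in the release notes.
    "%Apr 7 09:20:34:698 2010 switch WEB/5/USER:- 1 -web (1.1.1.1) login succeed",
    # Constructed lines in the same layout.
    "%Apr 7 09:25:01:120 2010 switch WEB/5/USER:- 1 -admin (1.1.1.20) login succeed",
    "%Apr 7 23:41:12:004 2010 switch WEB/5/USER:- 2 -admin (192.0.2.77) login succeed",
    "%Apr 7 23:42:00:000 2010 switch constructed unrelated message",
]
MANAGEMENT_NETWORKS = ["1.1.1.0/24"]  # constructed allow-list

if __name__ == "__main__":
    for e in unexpected_logins(SAMPLE_LOG, MANAGEMENT_NETWORKS):
        print(f"{e['time']:%Y-%m-%d %H:%M:%S} {e['host']} unit {e['unit']}: "
              f"user {e['user']} logged in to the web UI from {e['ip']}")
```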
December 20, 2012 Page 34 of 34
3COM OS Switch 4500 V3.03.02p21 Release Notes
The switch serves as a DHCP relay. If a packet received by the device is shorter than 300 bytes,
the device does not automatically add padding to bring the packet length to 300 bytes.
In current version:
The switch serves as a DHCP relay. If a packet received by the device is shorter than 300 bytes,
the device automatically adds padding to bring the packet length to 300 bytes.
2) Dot1x free-ip and stack aren't mutually exclusive any longer
DHCP server, DHCP snooping and DHCP relay cannot be enabled at the same time; otherwise a PC
cannot get an IP address successfully.
In current version:
DHCP server, DHCP snooping and DHCP relay can be enabled at the same time. A PC can get an IP
address successfully from the switch, and all three functions can record its entry.
In current version:
Executing this command enables the mac-address synchronization function in addition to the
destination-hit function.
3) The change to 'display mac-address'
In early version:
There is no 'unit id' option; only 'display mac-address' can be executed, to show the MAC addresses
on the current device.
In current version:
The 'unit id' option is introduced, so the MAC addresses on every unit can be displayed through
'display mac-address unit id'.
Specific syslog messages will be sent to log server from every unit in a stack.
In current version:
Specific syslog messages will be sent to log server only from the master unit in a stack.
2) The change to VLAN number
In early version:
In current version:
When executing the "Net2Startup" operation in "CONFIG-MAN-MIB", the filename cannot contain a directory.
In current version:
When the switch is configured as a DHCP client, the option60 field in DHCP discover packets sent by
the switch is filled only with the product series information.
In current version:
When the switch is configured as a DHCP client, the option60 field in DHCP discover packets sent by
the switch is filled with the product series information and other more detailed information.
3) Change to the source MAC address of Loopback-detection packet
From 3.03.02p03, the source MAC address of Loopback-detection packet is changed from the Bridge
MAC of the device to 00e0-fc09-bcf9.
4) The operation about Management address in LLDP packets
In early version:
If the LLDP management-address has not been configured, the IP address of the VLAN with the smallest
ID which the port belongs to will be used. If the IP address of the VLAN with the smallest ID which
the port belongs to has not been configured, the loopback IP address (127.0.0.1) will be used.
In current version:
(1) If the LLDP management-address has not been configured, the IP address of the smallest
permitted VLAN whose IP is configured will be used;
(2) If the LLDP management-address has been configured, and the port belongs to the VLAN with the
LLDP management-address, the IP address will be used;
When 802.1X re-authentication is performed with a RADIUS server, even if the user name changes, the
device only sends a RADIUS Access-Request packet for the latter user name and does not send a RADIUS
Accounting-Stop packet for the former user name.
In current version:
When 802.1X re-authentication is performed with a RADIUS server, if the user name changes, the device
first sends a RADIUS Accounting-Stop packet for the former user name and then sends a RADIUS
Access-Request packet for the latter user name.
After modification, the switch can recognize such modules and output corresponding debug
information.
By default, the IEEE 802.1t standard is used to calculate the default path costs of ports.
In current version:
By default, the legacy standard is used to calculate the default path costs of ports.
The switch will delete the "poe enable" configuration of a port if the port detects overload for three
consecutive times.
After modification:
The switch will not delete the "poe enable" configuration of a port if the port detects overload for three
consecutive times.
The interval for sending 802.1X multicast requests set with the dot1X timer tx-period command is in
the range 10 to 120 seconds. If a port joins the guest VLAN upon receiving no response for an
802.1X multicast request, the shortest time for the port to join the guest VLAN is about 10 seconds.
After Modification:
The interval for sending 802.1X multicast requests set with the dot1X timer tx-period command is in
the range 1 to 120 seconds. If a port joins the guest VLAN upon receiving no response for an
802.1X multicast request, the shortest time for the port to join the guest VLAN is about 1 second.
After modification:
1) Info-center related configuration is placed at the end part of the configuration file.
2) The vlan-vpn enable command is exclusive with stack configuration only, and can coexist with
other protocols such as STP/GVRP.
3) The device is compatible with line feed characters "\r\n" and "\n", so that it can exchange files with
the TFTP server running on the UNIX system.
4) The ping operation performance is improved, but consequently the real time performance of
displaying port statistics is reduced, that is, a delay occurs when you view port statistics.
5) You can perform port mirroring and mirroring group configuration through the web interface.
6) The device forwards unknown EAP packets rather than discards them.
7) The sequence of matching web files is changed from main, backup, default to default, main,
backup.
8) The device no longer sends PortMstiStateDiscarding trap and log packets when a port goes
down.
LSOD010596
- Symptom: Because of the weak cryptographic algorithm, there is a risk that the stored passwords
could be cracked.
- Condition: Configure password in ciphertext.
- Symptom: There is a small possibility that some routes are correct in the FIB table but updated to
hardware incorrectly.
- Condition: There are lots of ECMP routes and ARP entries on the device. Change the state of the
VLAN interface and refresh ARP entries frequently.
LSOD010570
LSOD010537
ZDD04632/ZDD04712
- Condition: In the Access-Accept packet from the RADIUS Server to the client, the sub-attributes
in Attribute 26 (Vendor-Specific) are not encapsulated in the standard type-length-value (TLV)
format.
- Description: The RADIUS Server sends an Access-Accept response, but the switch drops this
packet because of the wrong format. The user can't get online.
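Two RADIUS behaviours in these notes can be checked on captured attribute bytes: the Server-Type value 10 sent for MAC authentication (versus 2 for other authentication), and the Access-Accept that is dropped when Attribute 26 sub-attributes are not TLV-encoded. This is an added example, not 3Com code; it assumes the notes' "Server-Type" is the standard RADIUS Service-Type attribute (type 6), and the function names, the documentation vendor ID 32473 and the sample attribute bytes are constructed for illustration.

```python
import struct

SERVICE_TYPE = 6        # standard RADIUS Service-Type attribute (assumed match)
VENDOR_SPECIFIC = 26    # Attribute 26 (Vendor-Specific)
EXAMPLE_VENDOR = 32473  # enterprise number reserved for documentation


def tlv(kind, value):
    """Encode one type-length-value record; length counts the 2 header octets."""
    return bytes([kind, len(value) + 2]) + value


def iter_tlvs(buf):
    """Yield (type, value) for each record, raising ValueError on bad framing."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError(f"truncated header at offset {pos}")
        kind, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"length {length} does not fit at offset {pos}")
        yield kind, buf[pos + 2:pos + length]
        pos += length


def auth_kind(attributes):
    """Classify an Access-Request by the value the notes give: 10 or 2."""
    for kind, value in iter_tlvs(attributes):
        if kind == SERVICE_TYPE and len(value) == 4:
            service = struct.unpack("!I", value)[0]
            if service == 10:
                return "mac-authentication"
            if service == 2:
                return "other-authentication"
            return f"unexpected value {service}"
    return "attribute missing"


def vsa_problems(attributes):
    """Return framing problems found in the sub-attributes of Attribute 26."""
    problems = []
    for kind, value in iter_tlvs(attributes):
        if kind != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            problems.append("Attribute 26 too short to hold a vendor ID")
            continue
        vendor = struct.unpack("!I", value[:4])[0]
        try:
            subs = list(iter_tlvs(value[4:]))
        except ValueError as exc:
            problems.append(f"vendor {vendor}: sub-attributes are not TLV ({exc})")
            continue
        if not subs:
            problems.append(f"vendor {vendor}: no sub-attributes")
    return problems


# Constructed attribute sections (RADIUS header omitted); 1 = User-Name.
MAC_AUTH_REQUEST = tlv(1, b"001122334455") + tlv(SERVICE_TYPE, struct.pack("!I", 10))
DOT1X_REQUEST = tlv(1, b"alice") + tlv(SERVICE_TYPE, struct.pack("!I", 2))
GOOD_ACCEPT = tlv(VENDOR_SPECIFIC,
                  struct.pack("!I", EXAMPLE_VENDOR) + tlv(1, struct.pack("!I", 100)))
# Vendor data sent as a bare string with no vendor type/length octets.
BAD_ACCEPT = tlv(VENDOR_SPECIFIC, struct.pack("!I", EXAMPLE_VENDOR) + b"vlan=100")

if __name__ == "__main__":
    print(auth_kind(MAC_AUTH_REQUEST), auth_kind(DOT1X_REQUEST))
    print(vsa_problems(GOOD_ACCEPT), vsa_problems(BAD_ACCEPT))
```

A bare string can by chance frame as valid TLV records, so a clean result from `vsa_problems` shows consistent framing, not that the server intended TLV encoding.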
ZDD04483/ZDD04548
LSOD10526
LSOD10515
2) Add blackhole route with a subnet which covers next-hop IP of default route: ip route-static
1.1.0.0 255.255.0.0 NULL 0
3) Create a link-down VLAN interface with a subnet which covers the next-hop IP of the default route;
the VLAN interface state is changed from DOWN to UP: [switch-Vlan-interface100]1.1.1.10 24
LSOD10502
LSOD10493/LSOD10496
LSOD10482
ZDD04028
LSOD10465
LSOD10436
LSOD10460
ZDD04119/ZDD04171
LSOD10418/LSOD10425
LSOD10428
LSOD10395/LSOD10396
LSOD10391
2) Create a link-up VLAN interface with a subnet which covers the subnet IP in the above route:
[switch-Vlan-interface1]ip address 2.1.1.1 24
LSOD10340
LSOD10272/LSOD10301
LSOD10303/LSOD10306
LSOD10299/LSOD10302
LSOD10310/LSOD10311
LSOD10082/LSOD10232
LSOD10247/LSOD10274
ZDD03292/ZDD03331
LSOD10189/LSOD10187
- Description: The fiber module type differs between the log information and the information
displayed by the command 'display transceiver interface'.
LSOD10207
LSOD10180
LSOD10079
LSOD10077
LSOD10050
LSOD10083
LSOD10016
LSOD10023
ZDD02999
LSOD09955
LSOD09894
LSOD09928
LSOD09920
LSOD09911
LSOD09909
LSOD09745
LSOD09830
LSOD09837
ZDD02827
LSOD09587
interface Ethernet1/0/1
traffic-priority inbound ip-group 2000 rule 0 cos spare
traffic-priority inbound ip-group 2001 rule 0 cos background
- Description: After one ACL rule is removed from the port, the other ACL rules can't be deleted.
Note: The traffic-limit/traffic-remark-vlanid actions have a similar problem.
LSOD09728
LSOD09619
LSOD09678
2. Configure HTTPS to use this SSL server policy, for example: ip https ssl-server-policy myssl1
3. Remove the use of this SSL server policy, for example: undo ip https ssl-server-policy
- Description: This SSL server policy can't be deleted.
LSOD09700
LSOD09499
LSOD09555
LSOD09550
LSOD09598
LSOD09554
- Condition: The switch enables DHCP snooping and the up-link port of the switch is configured as
the trust port of DHCP snooping. The DHCP server and the user's PC are connected to the up-
link port of the switch.
- Description: DHCP snooping records the user item on the trust port.
LSOD09521
Note: Short-static ND entry is configured by command line. The entry doesn't have port information.
The port information will be learnt by ND packets. When the port information is learnt, the ND entry is
called short-static resolved ND entry.
LSOD09717/LSOD09709
LSOD09572/LSOD09605
LSOD09537
LSOD09483
LSOD09498
LSOD09434
LSOD09447
LSOD09406
LSOD09332
LSOD09048
LSOD09439
- Condition: Configure port-security auto learn mode on port A. Delete all MAC addresses and
change the VLAN ID of port A while there is background traffic.
- Description: The MAC address of the old VLAN is occasionally left behind.
LSOD09268
LSOD09295
LSOD09204
LSOD09167
LSOD09156
LSOD08866
LSOD09143
LSOD09176
LSOD09145
ZDD02152
LSOD08964
LSOD09106
LSOD09080
LSOD08774
LSOD09095
LSOD09097
LSOD09102
LSOD09100
- Condition: Network management software that uses SNMP is connected to the slave device in a
stack.
- Description: Execute a set operation; the operation succeeds, but the device cannot
send an SNMP response to the network management software.
LSOD09045
LSOD08988
LSOD08964
LSOD06917
- Description: The fabric can't ping the PC connected to the mirroring port successfully.
LSOD08776
LSOD08782
LSOD08757
LSOD08753
LSOD08892
LSOD08819
LSOD08905
LSOD08907
LSOD08729
LSOD08843
LSOD08788
LSOD08808
LSOD08738
LSOD08679
LSOD08657
LSOD08665
LSOD08631
LSOD08656
LSOD08713
LSOD08716
LSOD08575
LSOD08674
LSOD08652
LSOD08675
LSOD08678
LSOD08726
LSOD08667
LSOD08673
LSOD08570
LSOD08734
LSOD08284
LSOD08291
LSOD08603
LSOD08460
LSOD08576
LSOD08651
LSOD08655
LSOD08646
LSOD08628
LSOD08193
LSOD08145
LSOD07413
LSOD07744
LSOD07980/ LSOD07531/LSOD07749
LSOD07692
LSOD07939
- Condition: Local user User 1 sets the access-limit to N on the switch. Then, N local users except
for User 1 log into the switch (Local users can be FTP/LAN-access/SSH/telnet/terminal users. If
a user logs into the switch through 2 ways at the same time, for example, FTP and telnet, the
user is counted as two logged-in users.).
- Description: User 1 cannot log in to the switch.
LSOD08070
LSOD08034
LSOD07962
LSOD08035
LSOD08049
LSOD08101
LSOD08106
LSOD08118
PC1 and PC2 communicate with each other at Layer-3 through Switch 1.
Configure a static ARP entry that has no VLAN ID or outbound interface specified for PC2 on Switch
1. After PC1 and PC2 communicate with each other, the egress port and VLAN ID (VLAN B) of the
ARP entry are learned.
Then change the network as follows:
Remove VLAN B from Switch 1, configure VLAN B on Switch 2, and move PC2 from Switch 1 to
Switch 2.
After that, all PC1, Switch 1, Switch 2 and PC2 communicate with one another at Layer-3.
The new network is shown below:
- Description: The ping operation from PC1 to PC2 fails. To solve the problem, you have to reboot
Switch 1.
LSOD07630
LSOD07571
LSOD07676
LSOD07670
LSOD07668
LSOD07316
LSOD07416/LSOD07422/LSOD07420/LSOD01108
LSOD07375
LSOD07479
LSOD07124
LSOD07425
LSOD07313
LSOD07467
LSOD07460
LSOD07240
LSOD07138
LSOD07145
LSOD07184
LSOD07234
LSOD07128
LSOD07143
LSOD07136
LSOD07140
LSOD06680/LSOD07269
ZDD01517
LSOD06530
LSOD06010
- Condition: Configure a static route with the blackhole attribute on the device, and its next hop
address is a reachable valid IP address. For example, execute the ip route-static 1.1.1.0
255.255.255.0 2.2.2.2 blackhole command.
- Description: IP packets matching the blackhole route are still forwarded normally.
LSOD03115
LSOD02840
OLSD31930
OLSD31973
OLSD29599
OLSD30143
- Description: Some errors occur and command executions fail. For example, if you download a
large file from the FTP server when there is enough space, the following prompt appears:
Local space is not enough !
System will delete the file which has been transferred, please wait...
...Error Writing Local File: not enough space!
On an S4500 device that has an Intel J3D flash installed and runs a version earlier than V3.01.00p01,
performing above-mentioned operations will fail.
Related Documentation
For the most up-to-date version of documentation:
1) Go to http://www.3Com.com/downloads
2) Select Documentation for Type of File and select Product Category.
Software Upgrading
The device software can be upgraded through the console port, TFTP, and FTP.
After getting the new application file, reboot the device to validate it.
Note that if you do not have enough Flash space, upgrade the Boot ROM program first, and then
download the application file to the device.
Boot Menu
Upon power-on, the switch runs the Boot ROM program first. The following information will be
displayed on the terminal:
Starting......
******************************************************************
* *
* Switch 4500 PWR 50-Port BOOTROM, Version 1.00 *
* *
******************************************************************
After the screen displays “Press Ctrl-B to enter Boot Menu...”, you need to press <Ctrl+B> within 5
seconds to access the Boot menu. Otherwise, the system will start program decompression, and then
you have to reboot the switch to access the Boot menu.
Enter the correct password (no password is set by default) to access the Boot menu.
BOOT MENU
Step 2: Enter 3 to select the Xmodem protocol and press <Enter>. The following information appears:
Please select your download baudrate:
1. 9600
2. 19200
3. 38400
4. 57600
5. 115200
6. Exit
Enter your choice (0-5):
Step 3: Select the appropriate download baud rate. For example, enter 5 to select the download baud
rate of 115200 bps. Press <Enter> and the following information appears:
Download baudrate is 115200 bps. Please change the terminal's baudrate to 115200 bps,
and select XMODEM protocol.
Press ENTER key when ready.
Step 4: Configure the same baud rate on the console terminal, disconnect the terminal and reconnect
it. Then, press <Enter> to start downloading. The following information appears:
Are you sure to download file to flash? Yes or No(Y/N)y
Now please start transfer file with XMODEM protocol.
If you want to exit, Press <Ctrl+X>.
Downloading ... CCCCC
After the terminal baud rate is modified, it is necessary to disconnect and then re-connect the terminal
emulation program to validate the new setting.
Step 5: Select [Transfer\Send File] from the terminal window. Click <Browse> in the pop-up window
and select the software to be downloaded. Select Xmodem from the Protocol drop down list.
Step 2: Run the TFTP server program on the PC, and put the program files into a file directory.
Switch 4500 series are not shipped with the TFTP server program.
Step 3: Run the terminal emulation program on the PC, and start the switch, to access the Boot menu.
Step 4: Enter 1 in the Boot menu, and press <Enter> to enter the following menu.
Please set application file download protocol parameter:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):1
Step 5: Enter 1 to use TFTP, and press <Enter>. The following information appears:
Switch IP address (This address and the server IP address must be on the same network
segment)
Step 6: Input correct information and press <Enter>. The following information appears:
Are you sure to download file to flash? Yes or No(Y/N)
Step 7: Enter Y to start downloading the files. Enter N to return to the Boot menu. Take entering Y as
an example. Enter Y and press <Enter>, the system begins downloading programs. After downloading
completes, the system starts writing the programs to the flash. Upon completion of this operation, the
screen displays the following information to indicate that the downloading is completed:
Loading ........................................................done!
Writing to flash................................................done!
Step 2: Run the FTP server program on the PC, and put the program files into a file directory.
Step 3: Run the terminal emulation program on the PC, and start the switch to access the Boot menu.
Step 4: Enter 1 in the Boot menu and press <Enter> to access the following menu.
Please set application file download protocol parameter:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):2
Step 5: Enter 2 to select FTP and press <Enter>. The following information appears:
Please modify your FTP protocol parameter:
Load File name
Switch IP address
Server IP address
FTP User Name
FTP User Password
Step 6: Input correct information and press <Enter>. The following information appears:
Are you sure to download file to flash? Yes or No(Y/N):
Step 7: Enter Y to start downloading the files. Enter N to return to the Boot menu. Take the first case
as an example. Enter Y and press <Enter>, and the system begins downloading programs. After
downloading completes, the system starts writing the programs into the flash. Upon completion of this
operation, the screen displays the following information to indicate that the downloading is completed:
Loading ........................................................done!
Writing to flash................................................done!
Appendix
Details of Added or Modified CLI Commands in V3.03.02p06
dot1x unicast-trigger
Syntax
dot1x unicast-trigger
View
Default Level
2: System level
Parameters
None
Description
Use the dot1x unicast-trigger command to enable the unicast trigger function of 802.1X on a port.
Syntax
View
Parameters
offline-detect-value: Offline detect timer, which specifies the idle timeout interval (in seconds) for users.
At this interval, the switch checks whether there is traffic from each user. If receiving no traffic from a
user within two consecutive intervals, the switch logs the user out and notifies the RADIUS server.
The value range for the offline-detect-value argument is 0 to 3000000. The default is 300 seconds.
Description
Use the mac-authentication timer offline-detect command to set the offline detect timer for MAC
authentication.
Use the undo mac-authentication timer offline-detect command to restore the default.
Note that:
- The offline detect timer configured in system view applies to all MAC authentication-enabled
ports.
- The offline detect timer configured in Ethernet port view applies to the current port only. You can
set the offline detect timer to different values on different Ethernet ports.
- The offline detect timer configured in Ethernet port view takes precedence over the one
configured in system view.
If the offline-detect-value argument takes the value of 0, the offline detect timer is disabled.
bpdu-drop any
Syntax
bpdu-drop any
View
Parameters
None
Description
Use the bpdu-drop any command to enable BPDU dropping on the Ethernet port.
Use the undo bpdu-drop any command to disable BPDU dropping on the Ethernet port.
Syntax
View
Parameters
None
Description
Use the voice vlan lldp command to enable automatic discovery of IP phones using LLDP on the
Ethernet port.
Use the undo voice vlan lldp command to disable automatic discovery of IP phones using LLDP on
the Ethernet port.
Examples
display link-delay
Syntax
display link-delay
View
Any view
Parameters
None
Description
Use the display link-delay command to display information about ports configured with link state
change suppression, including the port name and the configured timer.
Examples
# Display information about ports configured with link state change suppression.
<H3C>display link-delay
Interface Up Delay Time Down Delay Time
====================== ============== ==============
Ethernet1/0/1 0 3
Ethernet1/0/2 5 0
Ethernet1/0/3 4 4
link-delay
Syntax
link-delay delay-time
undo link-delay
View
Parameters
delay-time: Link down suppression interval (in seconds), which ranges from 2 to 10.
Description
Use the link-delay command to enable physical link state change suppression and set the link down
suppression timer. When the physical link of the port goes down, the port starts the timer and does
not report link state changes to the system within the timer interval.
Use the undo link-delay command to disable link state change suppression.
Examples
# Enable link down suppression on port Ethernet 1/0/5, and set the link down suppression interval to
8 seconds.
<Sysname> system-view
Enter system view, return to user view with Ctrl+Z.
[Sysname] interface Ethernet1/0/5
[Sysname-Ethernet1/0/5] link-delay 8
link-delay up
Syntax
link-delay up delay-time
undo link-delay
View
Parameters
delay-time: Link up suppression interval (in seconds), which ranges from 2 to 10.
Description
Use the link-delay up command to enable physical link state change suppression and set the link up
suppression timer. When the physical link of the port goes up, the port starts the timer and does not
report link state changes to the system within the timer interval.
Use the undo link-delay command to disable link state change suppression.
Examples
# Enable link up suppression on port Ethernet 1/0/5, and set the link up suppression interval to 8
seconds.
<Sysname> system-view
Enter system view, return to user view with Ctrl+Z.
[Sysname] interface Ethernet1/0/5
[Sysname-Ethernet1/0/5] link-delay up 8
link-delay updown
Syntax
undo link-delay
View
Parameters
delay-time: Link state change suppression interval (in seconds), which ranges from 2 to 10.
Description
Use the link-delay updown command to enable physical link state change suppression and set the
link up-down suppression timer. When the physical link of the port goes down or goes up, the port
starts the timer and does not report link state changes to the system within the timer interval.
Use the undo link-delay command to disable link state change suppression.
Examples
# Enable link state change suppression on port Ethernet 1/0/5, and set the link up-down suppression
interval to 8 seconds.
<Sysname> system-view
Enter system view, return to user view with Ctrl+Z.
[Sysname] interface Ethernet1/0/5
[Sysname-Ethernet1/0/5] link-delay updown 8
Syntax
View
System view
Parameters
None
Description
Use the mac-address station-move quick-notify enable command to enable ARP quick update.
Use the undo mac-address station-move quick-notify enable command to restore the default.
Examples
Syntax
View
System view
Parameters
Description
Use the arp rate-limit enable command to enable ARP packet rate limit on the port.
Use the undo arp rate-limit enable command to disable ARP packet rate limit on the port.
By default, ARP packet rate limit is disabled, and ARP packet rate is not limited on a port.
Without the noshut keyword, this command enables the switch to shut down the port when the
maximum rate is reached.
With the noshut keyword, this command enables the switch to discard incoming ARP packets
received on the port when the maximum rate is reached.
Note
We recommend that you set a small value for the maximum rate with the arp rate-limit rate command.
dot1x auth-fail-retry
Syntax
View
System view
Parameters
retry-value: Specifies, for MAC-authenticated users that are online, the maximum number of attempts
allowed after a failed 802.1X authentication, in the range of 0 to 50.
Description
Use the dot1x auth-fail-retry command to set the maximum number of attempts allowed after a failed
802.1X authentication for MAC-authenticated users that are online. The default maximum number of
attempts is 5.
Examples
# Set the maximum number of attempts after a failed 802.1X authentication to 3.
<Sysname> system-view
[Sysname] dot1x auth-fail-retry 3
Unless otherwise stated, all passwords and keys, including those configured in plaintext, are stored in
encrypted form for security purposes.
Old syntax
New syntax
Views
Parameters
port port-number: Specifies the port number of the BIMS server, in the range of 1 to 65534.
key: Specifies the key string. This argument is case sensitive. If simple is specified, it must be a string
of 1 to 16 characters. If cipher is specified, it must be a ciphertext string of 1 to 53 characters. If
neither cipher nor simple is specified, you set a plaintext key string.
Change description
Before modification: The cipher and simple keywords are not supported. The key you enter must be a
plaintext string of 1 to 16 characters.
After modification: You can enter a key in encrypted form or plaintext form.
Old syntax
dhcp server bims-server ip ip-address [ port port-number ] sharekey key { interface interface-type
interface-number [ to interface-type interface-number ] | all }
New syntax
dhcp server bims-server ip ip-address [ port port-number ] sharekey [ cipher | simple ] key { interface
interface-type interface-number [ to interface-type interface-number ] | all }
Views
System view
Parameters
port port-number: Specifies the port number of the BIMS server, in the range of 1 to 65534.
key: Specifies the key string. This argument is case sensitive. If simple is specified, it must be a string
of 1 to 16 characters. If cipher is specified, it must be a ciphertext string of 1 to 53 characters. If
neither cipher nor simple is specified, you set a plaintext key string.
Change description
Before modification: The cipher and simple keywords are not supported. The key you enter must be a
plaintext string of 1 to 16 characters.
After modification: You can enter a key in encrypted form or plaintext form.
Old syntax
New syntax
Views
System view
Parameters
simple: Specifies the simple authentication mode and sets a plaintext or ciphertext password.
md5: Specifies the MD5 authentication mode and sets a plaintext or ciphertext password.
password: Sets the password. This argument is case sensitive. It must be a plaintext string of 1 to 16
characters, or a ciphertext string of 33 to 53 characters.
Change description
Before modification:
• For simple authentication, you can set only a plaintext password of 1 to 16 characters.
• For MD5 authentication, you can set a plaintext or ciphertext password. A plaintext password
comprises 1 to 16 characters, and a ciphertext password is a ciphertext string corresponding
to the plaintext password.
After modification: Both simple authentication and MD5 authentication support plaintext or ciphertext
passwords. A plaintext password is a string of 1 to 16 characters, and a ciphertext password is a
string of 33 to 53 characters.
Syntax
Views
System view
Parameters
key: Specifies an MD5 authentication key. You can enter the key in plaintext form or encrypted form.
In plaintext form, it must be a case-sensitive string of 1 to 16 characters. In encrypted form, it must be
a case-sensitive string of 24 characters. For security purposes, the plaintext form of the MD5
authentication key is encrypted before being stored.
Change description
Before modification: You can enter the MD5 authentication key only in plaintext form.
After modification: MD5 authentication key can be entered in plaintext form or encrypted form.
Old syntax
New syntax
Views
Parameters
string: Specifies the key string. This argument is case sensitive. If simple is specified, it must be a
string of 1 to 16 characters. If cipher is specified, it must be a ciphertext string of 1 to 117 characters.
If neither cipher nor simple is specified, you set a plaintext key string.
Change description
Before modification: The cipher and simple keywords are not supported. The key for securing
HWTACACS authentication, authorization, or accounting communication must be a plaintext string of
1 to 16 characters.
After modification: You can set a key in encrypted form or plaintext form to secure HWTACACS
authentication, authorization, or accounting communication.
Old syntax
New syntax
Views
Parameters
string: Specifies the key string. This argument is case sensitive. If simple is specified, it must be a
string of 1 to 16 characters. If cipher is specified, it must be a ciphertext string of 1 to 53 characters. If
neither cipher nor simple is specified, you set a plaintext key string.
Change description
Before modification: The cipher and simple keywords are not supported. The key for securing RADIUS
authentication/authorization or accounting communication must be a plaintext string of 1 to 16
characters.
After modification: You can set a key in encrypted form or plaintext form to secure RADIUS
authentication/authorization or accounting communication.
Old syntax
New syntax
Views
System view
Parameters
nas-ip ip-address: Specifies the IP address of the network access server through which users can
access the local RADIUS authentication/authorization server. The IP address must be in dotted
decimal notation.
key [ simple | cipher ] password: Sets the key to share between the local RADIUS
authentication/authorization server and the network access server.
Change description
Before modification: The cipher and simple keywords are not supported. The key to share between
the local RADIUS authentication/authorization server and the network access server must be a
plaintext string of 1 to 16 characters.
After modification: You can set a key in encrypted form or plaintext form to share between the local
RADIUS authentication/authorization server and the network access server.
Old syntax
New syntax
Views
System view
Parameters
usernameformat: Specifies the username and password input format for MAC-based accounts.
with-hyphen: Uses the hyphenated MAC address of a user, such as 00-05-e0-1c-02-e3, as the
username and password for MAC authentication of the user.
without-hyphen: Uses the unhyphenated MAC address of a user, such as 0005e01c02e3, as the
username and password for MAC authentication of the user.
fixedpassword [ simple | cipher ] password: Uses a fixed password, instead of user MAC addresses,
for MAC authentication users.
Change description
Before modification: The cipher and simple keywords are not supported. The password you enter
must be a plaintext string.
After modification: You can enter a password in encrypted form or plaintext form.
Old syntax
New syntax
Views
System view
Parameters
[ cipher | simple ] password: Sets the password of the shared account for MAC authentication users.
Change description
Before modification: The cipher and simple keywords are not supported. The password you enter
must be a plaintext string.
After modification: You can enter a password in encrypted form or plaintext form.
Old syntax
New syntax
Views
System view
Parameters
value: Specifies the key string. This argument is case sensitive. If simple is specified, it must be a
string of 1 to 32 characters. If cipher is specified, it must be a ciphertext string of 1 to 73 characters. If
neither cipher nor simple is specified, you set a plaintext key string.
Change description
Before modification: The cipher and simple keywords are not supported. The key you enter must be a
plaintext string of 1 to 32 characters.
After modification: You can enter a key in encrypted form or plaintext form.
Old syntax
password password
New syntax
Views
Parameters
password: Specifies the password string. This argument is case sensitive. If simple is specified, it
must be a string of 1 to 32 characters. If cipher is specified, it must be a ciphertext string of 1 to 73
characters. If neither cipher nor simple is specified, you set a plaintext password string.
Change description
Before modification: The cipher and simple keywords are not supported. The FTP password must be a
plaintext string of 1 to 32 characters.
After modification: You can set an FTP password in encrypted form or plaintext form.
Syntax
Views
Parameters
Change description
Before modification: If cipher is specified, you can set an 88-character password or a password of 1 to
63 characters.
After modification: If cipher is specified, you can set a password of 1 to 117 characters.
Old syntax
rip authentication-mode { md5 { rfc2082 key-string key-id | rfc2453 key-string } | simple password }
New syntax
rip authentication-mode { md5 { rfc2082 [ cipher ] key-string key-id | rfc2453 [ cipher ] key-string } |
simple [ cipher ] password }
Views
Interface view
Parameters
cipher: Sets a ciphertext authentication key or password. If this keyword is not specified, you set a
plaintext authentication key or password.
key-string: Specifies the MD5 key string. This argument is case sensitive. It must be a plaintext string
of 1 to 16 characters, or a ciphertext string of 33 to 53 characters.
rfc2453: Uses the message format defined in RFC 2453 (IETF standard).
password: Sets the password in simple authentication mode. This argument is case sensitive. It must
be a plaintext string of 1 to 16 characters, or a ciphertext string of 33 to 53 characters.
Change description
Before modification:
• For simple authentication, the cipher keyword is added, which means you can set a ciphertext
password.
• For MD5 authentication, the ciphertext password you set can comprise 33 to 53 characters.
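An added example, not part of the release notes: a pre-downgrade check that reads configuration lines against the old and new syntax given above for rip authentication-mode and dhcp server bims-server, reporting keys outside the documented length ranges and lines that use a keyword the old syntax lacks. The function name audit, the sample configuration and its key values are constructed, and the code assumes a saved configuration stores these commands in the same form as they are typed.

```python
import re

# Length limits quoted from the Parameters text of the two commands.
PLAIN = (1, 16)
CIPHER = {"rip": (33, 53), "bims": (1, 53)}

# Patterns follow the "New syntax" lines; the optional keyword group is
# exactly what the "Old syntax" lines lack.
PATTERNS = {
    "rip": re.compile(
        r"^rip authentication-mode (?:md5 (?:rfc2082|rfc2453)|simple)"
        r"(?: (?P<kw>cipher))? (?P<key>\S+)(?: \d+)?$"),
    "bims": re.compile(
        r"^dhcp server bims-server ip \S+(?: port \d+)? sharekey"
        r"(?: (?P<kw>cipher|simple))? (?P<key>\S+) (?:interface .+|all)$"),
}

# Constructed sample; "C" * 33 is a placeholder, not real ciphertext.
SAMPLE_CONFIG = "\n".join([
    "interface Vlan-interface1",
    " rip authentication-mode md5 rfc2453 cipher " + "C" * 33,
    " rip authentication-mode simple lab-password-too-long",
    "dhcp server bims-server ip 192.0.2.10 port 8080 sharekey simple bimskey1 all",
    "dhcp server bims-server ip 192.0.2.10 sharekey oldstylekey interface Ethernet1/0/1",
])


def audit(config_text):
    """Return (line_no, command, findings) for each recognised key command."""
    report = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        for name, rx in PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            kw, key = m.group("kw"), m.group("key")
            # Ciphertext limits apply only when the cipher keyword is present.
            lo, hi = CIPHER[name] if kw == "cipher" else PLAIN
            findings = []
            if not lo <= len(key) <= hi:
                findings.append(f"key length {len(key)} outside {lo}-{hi}")
            if kw:
                findings.append(f"'{kw}' keyword is not in the old syntax")
            report.append((no, name, findings))
    return report


if __name__ == "__main__":
    for no, name, findings in audit(SAMPLE_CONFIG):
        print(no, name, findings or "ok")
```

Lines reported with a keyword finding are the ones to re-enter or back up before rolling back to a version that only accepts the old syntax.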
Syntax
Views
Parameters
key: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a
plaintext string of 1 to 16 characters. If cipher is specified, it can be a plaintext string of 1 to 16
characters or a ciphertext string of 17 to 53 characters.
Change description
Before modification: When you specify the cipher keyword, you can enter a string of 1 to 16
characters or a string of 24 characters as the password.
After modification: When you specify the cipher keyword, you can enter a string of 1 to 53 characters
as the password.
Syntax
Views
System view
Parameters
cipher: Specifies that auth-password and priv-password are encrypted keys, which can be calculated
to a hexadecimal string by using the snmp-agent calculate-password command. If this keyword is not
specified, auth-password and priv-password are plaintext keys.
authentication-mode: Specifies an authentication algorithm. MD5 is faster but less secure than SHA.
For more information about these algorithms, see Security Configuration Guide.
privacy-mode: Specifies an encryption algorithm for privacy. The three encryption algorithms AES,
3DES, and DES are in descending order of security. Higher security means more complex
implementation mechanism and lower speed. DES is enough to meet general requirements.
Authentication algorithm   Encryption algorithm   Hexadecimal string   Non-hexadecimal string
========================   ====================   ==================   ======================
MD5                        AES128 or DES-56       32 characters        53 characters
SHA                        AES128 or DES-56       40 characters        53 characters
acl acl-number: Specifies a basic ACL to filter NMSs by source IPv4 address. The acl-number
argument represents a basic ACL number in the range of 2000 to 2999. Only the NMSs with the IPv4
addresses permitted in the ACL can use the specified username to access the SNMP agent.
Change description
Before modification: Only authentication and privacy keys in hexadecimal format are supported.
After modification: Both hexadecimal and non-hexadecimal format authentication and privacy keys
are supported.
Syntax
Views
System view
Parameters
level user-level: Specifies a user privilege level in the range of 1 to 3. The default is 3.
key: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a
plaintext string of 1 to 16 characters. If cipher is specified, it can be a plaintext string of 1 to 16
characters or a ciphertext string of 17 to 53 characters.
Change description
Before modification: When you specify the cipher keyword, you can enter a string of 1 to 16
characters or a string of 24 characters as the password.
After modification: When you specify the cipher keyword, you can enter a string of 1 to 53 characters
as the password.