The cut access-user command cuts off one or more connections with users according to a specified condition.
cut access-user user-id start-no [ end-no ]
cut access-user ip-address ip-address [ end-ip-address ] [ vpn-instance instance-name ]
cut access-user mac-address mac-address
cut access-user slot slot-id
cut access-user ipv6-address ipv6-address [ vpn-instance instance-name ]
cut access-user interface { interface-name | interface-type interface-number } [ odd-mac | even-mac ]
cut access-user ipv6-prefix ipv6-prefix [ vpn-instance instance-name ]
cut access-user { username user-name { local | radius | radius-proxy | hwtacacs | none | all } | domain domain-name | interface { { interface-name | interface-type interface-number } [ pevlan pevlan-id [ cevlan cevlan-id ] ] } | ip-pool pool-name | ipv6-pool ipv6-pool | authen-method authen-method-type | { qos-profile qos-profile-name | family-qos-profile family-qos-profile-name | resource-insufficient user-queue } [ inbound | outbound | both ] | user-state { standby | active } } *
cut access-user { domain domain-name | username user-name [ local | radius | hwtacacs | none | all ] } *
Parameter | Description | Value |
---|---|---|
end-no | Specifies the end online index number. | The value ranges from 0 to 4294967295. |
ip-address ip-address | Specifies an IP address, in dotted decimal notation. The format is X.X.X.X. | The value is in dotted decimal notation. |
end-ip-address | Specifies the end IP address, in dotted decimal notation. The format is X.X.X.X. | The value is in dotted decimal notation. |
vpn-instance instance-name | Specifies the name of a VPN instance. | The value is a string of 1 to 31 characters. |
mac-address mac-address | Specifies a MAC address. | The value is a 12-digit hexadecimal number, in the format of H-H-H. Each H is 4 digits. |
slot slot-id | Specifies the ID of the slot where an interface board resides. | - |
ipv6-address ipv6-address | Specifies an IPv6 address, in the format of X:X::X:X. | The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X. |
interface | Cuts off all connections with users on a specified interface. | - |
interface-type | Specifies the interface type. | - |
interface-number | Specifies the interface number. | - |
odd-mac | Cuts off the connections with the users with odd MAC addresses on a specified interface. | - |
even-mac | Cuts off the connections with the users with even MAC addresses on a specified interface. | - |
ipv6-prefix ipv6-prefix | Specifies a prefix address and its length. | The value is an integer that ranges from 1 to 128. |
username user-name | Specifies a user name, in the format of user name@domain name. | The value is a string of 1 to 253 case-insensitive characters. |
local | Cuts off the connections with users to whom local authentication is applied. | - |
radius | Cuts off the connections with users for whom RADIUS authentication is adopted. | - |
radius-proxy | Specifies the authentication mode of access users as RADIUS proxy authentication. | - |
hwtacacs | Cuts off the connections with users to whom HWTACACS authentication is applied. | - |
none | Cuts off the connections with users that do not need to be authenticated. | - |
all | Cuts off all connections. | - |
domain domain-name | Cuts off all connections with users in a specified domain. | The value is a string of 1 to 64 case-insensitive characters. |
pevlan pevlan-id | Specifies the ID of a VLAN. | The value ranges from 0 to 4094. |
cevlan cevlan-id | Specifies the ID of a QinQ VLAN. If the value is 0, cuts off all connections with users with a single VLAN tag on a specified interface. | The value ranges from 0 to 4094. |
ip-pool pool-name | Specifies the name of an IPv4 address pool. | The value is a string of 1 to 128 case-insensitive characters. |
ipv6-pool ipv6-pool | Specifies the name of an IPv6 address pool. | The value is a string of 1 to 32 case-insensitive characters. |
authen-method authen-method-type | Cuts off the connections with users that use a specified authentication mode. | The value can be hwtacacs, local, none, radius, or radius-proxy. |
qos-profile qos-profile-name | Cuts off the connections with users that use a specified QoS profile. | The value is a string of 1 to 63 characters. |
family-qos-profile family-qos-profile-name | Cuts off the connections with users that use a specified family profile. | The value is a string of 1 to 63 characters. |
resource-insufficient | User-queue resource allocation failed. | - |
user-queue | Cuts off the connections with users when the user's request fails. | - |
inbound | Specifies the inbound direction. | - |
outbound | Specifies the outbound direction. | - |
both | Specifies both the inbound and outbound directions. | - |
user-state | User status. | - |
standby | Standby state. | - |
active | Active state. | - |
user-id start-no | Specifies the start online index number. | The value ranges from 0 to 4294967295. |

Usage Scenario
Before you upgrade or restart a device, run the block command to block a domain and then the cut access-user command to disconnect users in the domain.
In some cases, users cannot go online again after being logged out abnormally. Therefore, you can run the cut access-user command to cut off the connections with these users so that they can go online again.
Configuration Impact
When connections are cut off according to user names and authentication modes, if there are multiple connections satisfying the condition, they are cut off at the same time.
In inter-board trunk scenarios, if you run the cut access-user slot slot-id command to cut off connections with all users on a board, the specified board must be the main processing board. If other member boards are specified, the connections cannot be cut off. The main processing board of users is the board that responds to user detection packets. The User access slot field in the display access-user user-id command displays the main processing board of users.
Precautions
The command cannot be configured while the qos-profile is in time-range mode.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] cut access-user interface GigabitEthernet 0/1/8

<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] cut access-user interface GigabitEthernet 0/1/8 even-mac

<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] cut access-user interface GigabitEthernet 0/1/8 odd-mac

<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] cut access-user username test123 local
[~HUAWEI-aaa] cut access-user username test123 radius
[~HUAWEI-aaa] cut access-user username test123 none
[~HUAWEI-aaa] cut access-user username test123 all

<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] cut access-user up-resource 1024
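
The following is an added example, not part of the original page or any vendor tooling: when a script builds cut access-user commands from alert or ticket fields, checking each value against the limits in the parameter table keeps a malformed field from becoming extra CLI keywords or a second command. The function names, the printable-ASCII token rule and the reversed-range check are assumptions made for this sketch.

```python
import ipaddress
import re

# Authentication modes listed for the username form of the command.
AUTH_MODES = {"local", "radius", "radius-proxy", "hwtacacs", "none", "all"}


def _token(value, max_len, what):
    """Accept exactly one CLI token of 1..max_len characters.

    Assumption: printable ASCII without spaces. fullmatch() is used because
    match() with '$' would let a trailing newline through.
    """
    if not 1 <= len(value) <= max_len or not re.fullmatch(r"[\x21-\x7e]+", value):
        raise ValueError(f"invalid {what}: {value!r}")
    return value


def cut_by_mac(mac):
    """Accept common MAC notations and emit the H-H-H form the table requires."""
    digits = re.sub(r"[:.\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    d = digits.lower()
    return f"cut access-user mac-address {d[0:4]}-{d[4:8]}-{d[8:12]}"


def cut_by_ip_range(start, end=None, vpn_instance=None):
    """Build the ip-address form; IPv4Address raises ValueError on bad input."""
    first = ipaddress.IPv4Address(start)
    cmd = f"cut access-user ip-address {first}"
    if end is not None:
        last = ipaddress.IPv4Address(end)
        if last < first:  # assumption: a reversed range is an operator error
            raise ValueError("end-ip-address is lower than ip-address")
        cmd += f" {last}"
    if vpn_instance is not None:
        cmd += f" vpn-instance {_token(vpn_instance, 31, 'vpn-instance')}"
    return cmd


def cut_by_username(user_name, mode):
    """Build the username form; user names are limited to 253 characters."""
    if mode not in AUTH_MODES:
        raise ValueError(f"invalid authentication mode: {mode!r}")
    return f"cut access-user username {_token(user_name, 253, 'user name')} {mode}"
```
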