HP HSR6800 Routers Security Command Reference
Part number: 5998-4511
Software version: HSR6800-CMW520-R3303P05
Document version: 6PW105-20140507
Legal and notice information
© Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
AAA configuration commands

General AAA configuration commands

aaa nas-id profile

Use aaa nas-id profile to create a NAS ID profile and enter its view. A NAS ID profile maintains the bindings between NAS IDs and VLANs.
Use undo aaa nas-id profile to remove a NAS ID profile.

Syntax
aaa nas-id profile profile-name
undo aaa nas-id profile profile-name

Views
System view

Default command level
2: System level

Parameters
profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters.

Views
ISP domain view

Default command level
2: System level

Parameters
max-user-number: Maximum number of online users that the ISP domain can accommodate, in the range of 1 to 2147483646.

Usage guidelines
System resources are limited, and user connections may compete for network resources when there are many users. Setting a proper limit to the number of online users helps provide reliable system performance.

Examples
# Set a limit of 500 user connections for ISP domain test.

Examples
# Configure ISP domain test to use HWTACACS scheme hwtac for command line accounting.
system-view
[Sysname] domain test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

Related commands
• accounting default
• hwtacacs scheme

accounting default

Use accounting default to configure the default accounting method for an ISP domain.
Use undo accounting default to restore the default.

[Sysname] domain test
[Sysname-isp-test] accounting default radius-scheme rd local

Related commands
• local-user
• hwtacacs scheme
• radius scheme

accounting dvpn

Use accounting dvpn to configure the accounting method for DVPN users.
Use undo accounting dvpn to restore the default.

Syntax
accounting dvpn { local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting dvpn

Default
The default accounting method for the ISP domain is used for DVPN users.

• radius scheme

accounting lan-access

Use accounting lan-access to configure the accounting method for LAN users.
Use undo accounting lan-access to restore the default.

Syntax
accounting lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo accounting lan-access

Default
The default accounting method for the ISP domain is used for LAN users.

Views
ISP domain view

Default command level
2: System level

Parameters
local: Performs local accounting.

accounting login

Use accounting login to configure the accounting method for login users through the console, AUX, or Asyn port or through Telnet.
Use undo accounting login to restore the default.

Syntax
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting login

Default
The default accounting method for the ISP domain is used for login users.

accounting optional

Use accounting optional to enable the accounting optional feature.
Use undo accounting optional to disable the feature.

Syntax
accounting optional
undo accounting optional

Default
The feature is disabled.
Default command level
2: System level

Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
The specified RADIUS scheme must have been configured.

Examples
# Configure ISP domain test to use local accounting for portal users.

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.

Examples
# Configure ISP domain test to use local accounting for PPP users.

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
The specified RADIUS scheme must have been configured.

Examples
# Configure ISP domain test to use local authentication for DVPN users.
system-view
[Sysname] domain test
[Sysname-isp-test] authentication dvpn local
# Configure ISP domain test to use RADIUS authentication scheme rd for DVPN users and use local authentication as the backup.

Examples
# Configure ISP domain test to use local authentication for LAN users.
system-view
[Sysname] domain test
[Sysname-isp-test] authentication lan-access local
# Configure ISP domain test to use RADIUS authentication scheme rd for LAN users and use local authentication as the backup.

Examples
# Configure ISP domain test to use local authentication for login users.
system-view
[Sysname] domain test
[Sysname-isp-test] authentication login local
# Configure ISP domain test to use RADIUS authentication scheme rd for login users and use local authentication as the backup.

[Sysname-isp-test] authentication portal local
# Configure ISP domain test to use RADIUS scheme rd for authentication of portal users and use local authentication as the backup.
system-view
[Sysname] domain test
[Sysname-isp-test] authentication portal radius-scheme rd local

Related commands
• local-user
• authentication default
• radius scheme

authentication ppp

Use authentication ppp to configure the authentication method for PPP users.
Use undo authentication ppp to restore the default.

# Configure ISP domain test to use RADIUS authentication scheme rd for PPP users and use local authentication as the backup.
system-view
[Sysname] domain test
[Sysname-isp-test] authentication ppp radius-scheme rd local

Related commands
• local-user
• authentication default
• hwtacacs scheme
• radius scheme

authentication super

Use authentication super to configure the authentication method for user privilege level switching.
Use undo authentication super to restore the default.
Related commands
• hwtacacs scheme
• radius scheme
• super authentication-mode (Fundamentals Command Reference)

authorization command

Use authorization command to configure the command line authorization method.
Use undo authorization command to restore the default.

Syntax
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none }
undo authorization command

Default
The default authorization method for the ISP domain is used for command line authorization.

• authorization default
• hwtacacs scheme

authorization default

Use authorization default to configure the default authorization method for an ISP domain.
Use undo authorization default to restore the default.

Syntax
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization default

Default
The default authorization method of an ISP domain is local.

• hwtacacs scheme
• radius scheme

authorization dvpn

Use authorization dvpn to configure the authorization method for DVPN users.
Use undo authorization dvpn to restore the default.

Syntax
authorization dvpn { local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization dvpn

Default
The default authorization method for the ISP domain is used for DVPN users.

Views
ISP domain view

Default command level
2: System level

Parameters
local: Performs local authorization.

authorization lan-access

Use authorization lan-access to configure the authorization method for LAN users.
Use undo authorization lan-access to restore the default.

Syntax
authorization lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo authorization lan-access

Default
The default authorization method for the ISP domain is used for LAN users.

Views
ISP domain view

Default command level
2: System level

Parameters
local: Performs local authorization.

authorization login

Use authorization login to configure the authorization method for login users through the console, AUX, or Asyn port, Telnet, or FTP.
Use undo authorization login to restore the default.

Syntax
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization login

Default
The default authorization method for the ISP domain is used for login users.

• hwtacacs scheme
• radius scheme

authorization portal

Use authorization portal to configure the authorization method for portal users.
Use undo authorization portal to restore the default.

Syntax
authorization portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization portal

Default
The default authorization method for the ISP domain is used for portal users.

Views
ISP domain view

Default command level
2: System level

Parameters
local: Performs local authorization.

authorization ppp

Use authorization ppp to configure the authorization method for PPP users.
Use undo authorization ppp to restore the default.

Syntax
authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization ppp

Default
The default authorization method for the ISP domain is used for PPP users.

• radius scheme

authorization-attribute user-profile

Use authorization-attribute user-profile to specify the default authorization user profile for an ISP domain.
Use undo authorization-attribute user-profile to restore the default.

Syntax
authorization-attribute user-profile profile-name
undo authorization-attribute user-profile

Default
An ISP domain has no default authorization user profile.
cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name } [ chassis chassis-number slot slot-number ]

Views
System view

Default command level
2: System level

Parameters
access-type: Specifies the user connections of the specified access type.
• dot1x: Indicates 802.1X authentication.

its 802.1X users. To cut connections of such users, use the cut connection domain isp-name command, and specify the mandatory authentication domain.

Examples
# Tear down all connections of ISP domain test.
system-view
[Sysname] cut connection domain test

Related commands
• display connection
• service-type

display connection

Use display connection to display information about AAA user connections.

ucibindex ucib-index: Specifies the user connection that uses the connection index, in the range of 0 to 4294967295.
user-name user-name: Specifies the user connections that use the username. The user-name argument is a case-sensitive string of 1 to 80 characters. For a username entered without a domain name, the system assumes that the user is in the default domain or the mandatory authentication domain.
slot slot-number: Specifies a card by its slot number.

Total 1 connection(s) matched on slot 0.
Total 1 connection(s) matched.
# Display information about AAA user connections using the index of 0.
display connection ucibindex 0
Slot: 0
Index=0 , Username=telnet@system
IP=10.0.0.

Command output
Index: Index of the connection.
Username: Username of the connection, in the format username@domain.
MAC: MAC address of the user.
IP: IPv4 address of the user.
IPv6: IPv6 address of the user.
Access: User access type.
ACL Group: Authorization ACL group. When no authorization ACL group is assigned, this field displays Disable.
User Profile: Authorization user profile.
CAR(kbps): Authorized CAR parameters.

Usage guidelines
If you do not specify any ISP domain, the command displays the configuration of all ISP domains.

Examples
# Display the configuration of all ISP domains.

Command output
Accounting method: Indicates whether accounting is required. If accounting is required, when no accounting server is available or when communication with the accounting server fails, user connections are torn down. Otherwise, users can continue to use network services.
Default authentication scheme: Default authentication method.
Default authorization scheme: Default authorization method.
Default accounting scheme: Default accounting method.
Views
System view

Default command level
3: Manage level

Parameters
isp-name: Specifies an ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain the slash (/), backslash (\), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), quotation marks ("), vertical bar (|), and at sign (@).

Usage guidelines
All ISP domains are in active state when they are created.

Usage guidelines
There can be only one default ISP domain. The specified domain must already exist. Otherwise, users without a domain name in the username cannot pass authentication. To delete the ISP domain that is used as the default ISP domain, you must first change it to a non-default ISP domain by using the undo domain default enable command.

Examples
# Create a new ISP domain named test, and configure it as the default ISP domain.

If all the domains are unavailable, user authentication fails.
NOTE:
Support for the authentication domain configuration depends on the access module. You can specify an authentication domain for 802.1X, portal, or MAC address authentication.

Examples
# Specify the ISP domain test for users with unknown domain names.

[Sysname] domain test
[Sysname-isp-test] idle-cut enable 50 1024

Related commands
domain

ip pool

Use ip pool to configure an address pool for assigning addresses to PPP users.
Use undo ip pool to delete an address pool.

Syntax
ip pool pool-number low-ip-address [ high-ip-address ]
undo ip pool pool-number

Default
No IP address pool is configured for PPP users.

Views
ISP domain view

Default command level
2: System level

Parameters
pool-number: Address pool number, ranging from 0 to 99.

Related commands
• ip pool (Layer 2—WAN Command Reference)
• remote address (Layer 2—WAN Command Reference)

nas-id bind vlan

Use nas-id bind vlan to bind a NAS ID with a VLAN.
Use undo nas-id bind vlan to remove a NAS ID-VLAN binding.

Syntax
nas-id nas-identifier bind vlan vlan-id
undo nas-id nas-identifier bind vlan vlan-id

Default
No NAS ID-VLAN binding exists.

undo self-service-url enable

Default
The self-service server location function is disabled.

Views
ISP domain view

Default command level
2: System level

Parameters
url-string: URL of the self-service server, a string of 1 to 64 characters that starts with http:// and contains no question mark. This URL was specified by the RADIUS server administrator during RADIUS server installation.

Usage guidelines
With the self-service function, users can manage and control their accounts and passwords.

Examples
# Configure the device to include the idle cut time in the user online time uploaded to the server for ISP domain test.
system-view
[Sysname] domain test
[Sysname-isp-test] session-time include-idle-time

Related commands
idle-cut enable

state (ISP domain view)

Use state to set the status of an ISP domain.
Use undo state to restore the default.

Syntax
state { active | block }
undo state

Default
An ISP domain is in active state.

Local user configuration commands

access-limit

Use access-limit to limit the number of concurrent users of the same local user account.
Use undo access-limit to remove the limitation.

Syntax
access-limit max-user-number
undo access-limit

Default
There is no limit to the number of users who concurrently use the same local user account.

undo authorization-attribute { acl | callback-number | idle-cut | level | user-profile | user-role | vlan | work-directory } *

Default
No authorization attribute is configured for a local user or user group.

Views
Local user view, user group view

Default command level
3: Manage level

Parameters
acl acl-number: Specifies the authorization ACL. The ACL number must range from 2000 to 5999. After passing authentication, a local user is authorized to access the network resources specified by this ACL.
Authorization attributes configured for a user group are effective for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view. If an authorization attribute is configured in user group view but not in local user view, the setting in user group view takes effect.
ip ip-address: Specifies the IP address of the user.
location port slot-number subslot-number port-number: Specifies the port to which the user is bound. The slot-number argument ranges from 0 to 255, the subslot-number argument ranges from 0 to 15, and the port-number argument ranges from 0 to 255.
mac mac-address: Specifies the MAC address of the user in the format H-H-H.
vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument ranges from 1 to 4094.

• ftp: FTP users. This keyword is not supported in FIPS mode.
• lan-access: Users accessing the network through Ethernet, such as 802.1X users. This keyword is supported only on SAP interface modules.
• portal: Portal users.
• ppp: PPP users.
• ssh: SSH users.
• telnet: Telnet users. This keyword is not supported in FIPS mode.
• terminal: Users logging in through the console port, AUX port, or Asyn port.
state { active | block }: Specifies local users in active or blocked state.

Authorization attributes:
 Idle TimeOut: 10(min)
 Work Directory: cfa0:/
 User Privilege: 3
 Acl ID: 2000
 Vlan ID: 100
 User Profile: prof1
Expiration date: 12:12:12-2018/09/16
Password aging: Enabled (30 days)
Password length: Enabled (4 characters)
Password composition: Enabled (4 types, 2 characters per type)
Total 1 local user(s) matched.
# On the IRF fabric, display information about local user bbb on slot 0 of IRF member 2.

Command output
Access-limit: Whether or not to limit the number of concurrent connections of the username.
Current AccessNum: Number of connections that currently use the username, either for all cards or for a specified card.
Max AccessNum: Maximum number of concurrent connections of the username.
Bind attributes: Binding attributes of the local user.
VLAN ID: VLAN to which the local user is bound.
User Profile: User profile for local user authorization.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines
If you do not specify any user group name, the command displays the configuration of all user groups.

Examples
# Display the configuration of user group abc.

undo expiration-date

Default
A local user has no expiration time, and no time validity checking is performed.

Views
Local user view

Default command level
3: Manage level

Parameters
time: Expiration time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where HH ranges from 0 to 23, and MM and SS range from 0 to 59.

Parameters
group-name: User group name, a case-insensitive string of 1 to 32 characters.

Examples
# Assign local user 111 to user group abc.
system-view
[Sysname] local-user 111
[Sysname-luser-111] group abc

group-attribute allow-guest

Use group-attribute allow-guest to set the guest attribute for a user group.
Use undo group-attribute allow-guest to restore the default.

Syntax
group-attribute allow-guest
undo group-attribute allow-guest

Default
The guest attribute is not set for a user group.

Views
System view

Default command level
3: Manage level

Parameters
user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain any backward slash (\), forward slash (/), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@) and cannot be a, al, or all.
all: Specifies all users.
service-type: Specifies the users of a type.
• ftp: FTP users.

Parameters
hash: Enables hash-based encryption.
cipher: Sets a ciphertext password.
simple: Sets a plaintext password.
password: Specifies the password string. This argument is case sensitive. If hash is not specified, a ciphertext password must be a string of 1 to 117 characters and a plaintext password must be a string of 1 to 63 characters. If hash is specified, a ciphertext password must be a string of 1 to 110 characters and a plaintext password must be a string of 1 to 63 characters.

Syntax
service-type { dvpn | ftp | lan-access | { ssh | telnet | terminal } * | portal | ppp }
undo service-type { dvpn | ftp | lan-access | { ssh | telnet | terminal } * | portal | ppp }

Default
A user is authorized with no service.

Views
Local user view

Default command level
3: Manage level

Parameters
dvpn: Authorizes the user to use the DVPN service.
ftp: Authorizes the user to use the FTP service. The user can use the root directory of the FTP server by default.

Views
Local user view

Default command level
2: System level

Parameters
active: Places the local user in active state to allow the local user to request network services.
block: Places the local user in blocked state to prevent the local user from requesting network services.

Usage guidelines
By blocking a user, you disable the user from requesting network services. No other users are affected.

Examples
# Place local user user1 in the blocked state.

system-view
[Sysname] user-group abc
[Sysname-ugroup-abc]

Related commands
display user-group

validity-date

Use validity-date to set the validity time of a local user.
Use undo validity-date to remove the configuration.

Syntax
validity-date time
undo validity-date

Default
A local user has no validity time and no time validity checking is performed.
RADIUS configuration commands

accounting-on enable

Use accounting-on enable to configure the accounting-on feature.
Use undo accounting-on enable to disable the accounting-on feature.

Syntax
accounting-on enable [ interval seconds | send send-times ] *
undo accounting-on enable

Default
The accounting-on feature is disabled.

Views
RADIUS scheme view

Default command level
2: System level

Parameters
seconds: Time interval for retransmitting an accounting-on packet in seconds, ranging from 1 to 15.

Use undo attribute 25 car to restore the default.

Syntax
attribute 25 car
undo attribute 25 car

Default
RADIUS attribute 25 is not interpreted as CAR parameters.

Views
RADIUS scheme view

Default command level
2: System level

Examples
# Specify the device to interpret RADIUS attribute 25 as CAR parameters.

Usage guidelines
The unit for data flows and that for packets must be consistent with those on the RADIUS server. Otherwise, accounting cannot be performed correctly.

Examples
# Set the traffic statistics unit for data flows and that for packets to kilobytes and kilo-packets, respectively, in RADIUS scheme radius1.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples
# Display the configuration of all RADIUS schemes.
display radius scheme
------------------------------------------------------------------
SchemeName : radius1
Index : 0
Type : extended
Primary Auth Server:
 IP: 1.1.1.

Total 1 RADIUS scheme(s).

Table 5 Command output
SchemeName: Name of the RADIUS scheme.
Index: Index number of the RADIUS scheme.
Type: Type of the RADIUS server supported on the router:
• Extended—The RADIUS server uses the proprietary RADIUS protocol of HP for packet exchange.
• Standard—The RADIUS server uses the standard RADIUS protocol for packet exchange. The protocol is compliant with RFC 2865 and RFC 2866 or later.

Command output
Retransmission times of stop-accounting packet: Maximum number of stop-accounting attempts.
Quiet-interval(min): Quiet interval for the primary server.
Username format: Format of the usernames to be sent to the RADIUS server.
Data flow unit: Unit for data flows sent to the RADIUS server.
Packet unit: Unit for packets sent to the RADIUS server.
NAS-IP address: Source IP address for RADIUS packets to be sent.
Attribute 25: Interprets RADIUS attribute 25 as the CAR parameters.

Examples
# Display statistics about RADIUS packets on the card in slot 0.
State Mismatch = 0 Other_Error = 0 No-response-acct-stop packet = 1 Discarded No-response-acct-stop packet for buffer overflow = 0 Table 6 Command output Field Description slot Number of the slot in which the card resides. state statistic User statistics, by state. DEAD Number of idle users. AuthProc Number of users waiting for authentication. AuthSucc Number of users who have passed authentication. AcctStart Number of users for whom accounting has been started.
Field Description PKT response Number of responses. Session ctrl pkt Number of session control messages. Normal author request Number of normal authorization requests. Set policy result Number of responses to the Set policy packets. Accounting on request Counts of accounting-on requests. Accounting on response Counts of accounting-on responses. Dynamic Author Ext request Counts of dynamic authorization extension requests. RADIUS sent messages statistic Statistics for sent RADIUS messages.
display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in a RADIUS scheme.
Total 2 record(s) Matched
# Display information about the stop-accounting requests buffered for user abc on slot 0 of IRF member 1. (In IRF mode.
Usage guidelines
For secrecy, all shared keys, including keys configured in plain text, are saved in cipher text. The shared keys specified during the configuration of the RADIUS servers take precedence. The shared keys configured on the device must match those configured on the RADIUS servers.
Examples
# For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text.
Parameters
ipv4-address: IPv4 address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address.
ipv6 ipv6-address: Specifies an IPv6 address. It must be a unicast address of the device and cannot be a link-local address.
Usage guidelines
The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address.
Parameters
ipv4-address: Specifies the IPv4 address of the primary RADIUS accounting server.
ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS accounting server, which must be a valid global unicast address.
port-number: Specifies the service port number of the primary RADIUS accounting server, which is a UDP port number ranging from 1 to 65535 and defaults to 1813.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the primary RADIUS accounting server.
Related commands
• key (RADIUS scheme view)
• vpn-instance (RADIUS scheme view)
primary authentication (RADIUS scheme view)
Use primary authentication to specify the primary RADIUS authentication/authorization server.
Use undo primary authentication to remove the configuration.
Usage guidelines
Make sure the port number and shared key settings of the primary RADIUS authentication/authorization server are the same as those configured on the server. The shared key configured by this command takes precedence over that configured by using the key authentication [ cipher | simple ] key command. For secrecy, all shared keys, including keys configured in plain text, are saved in cipher text.
Related commands
• key (RADIUS scheme view)
• vpn-instance (RADIUS scheme view)
radius client
Use radius client enable to enable the RADIUS client service.
Use undo radius client to disable the RADIUS client service.
Syntax
radius client enable
undo radius client
Default
The RADIUS client service is enabled.
Default
The source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.
Views
System view
Default command level
2: System level
Parameters
ipv4-address: IPv4 address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address.
ipv6 ipv6-address: Specifies an IPv6 address. It must be a unicast address of the device and cannot be a link-local address.
Default
No RADIUS scheme is defined.
Views
System view
Default command level
3: Manage level
Parameters
radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A RADIUS scheme can be referenced by more than one ISP domain at the same time. A RADIUS scheme referenced by ISP domains cannot be removed.
Examples
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
authentication-server-down: Sends traps when the reachability of the authentication server changes.
Usage guidelines
With the trap function for RADIUS, a NAS sends a trap message in the following cases:
• When the status of a RADIUS server changes. If a NAS sends a request but receives no response before the maximum number of attempts is exceeded, it places the server in the blocked state and sends a trap message.
reset stop-accounting-buffer (for RADIUS)
Use reset stop-accounting-buffer to clear buffered stop-accounting requests for which no responses have been received.
retry
Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
Use undo retry to restore the default.
Syntax
retry retry-times
undo retry
Default
The maximum number of RADIUS packet transmission attempts is 3.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
retry-times: Maximum number of RADIUS packet transmission attempts, ranging from 1 to 20.
Default
The maximum number of accounting attempts is 5.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
retry-times: Maximum number of accounting attempts, ranging from 1 to 255.
Usage guidelines
A RADIUS server usually checks whether a user is online by using a timeout timer. If it receives no real-time accounting request for a user in the timeout period from the NAS, it considers that there may be line or device failures and stops accounting for the user.
undo retry stop-accounting
Default
The maximum number of stop-accounting request transmission attempts is 500.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
retry-times: Maximum number of stop-accounting request transmission attempts, ranging from 10 to 65535.
Usage guidelines
The maximum number of stop-accounting request transmission attempts, together with some other parameters, controls how the NAS deals with stop-accounting request packets.
Default
No secondary RADIUS accounting server is specified.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS accounting server, which must be a valid global unicast address.
If you remove a secondary accounting server when the device has already sent a start-accounting request to the server, the communication with the secondary server times out, and the device looks for a server in active state from the primary server on. If you remove an accounting server being used by online users, the device can no longer send real-time accounting requests or stop-accounting requests for the users, and it does not buffer the stop-accounting requests.
port-number: Specifies the service port number of the secondary RADIUS authentication/authorization server, which is a UDP port number ranging from 1 to 65535 and defaults to 1812.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the secondary RADIUS authentication/authorization server.
If the maximum number of retries (specified by the retry command) is reached and the device still receives no response from the server, the device considers the server as unreachable. If the device receives a response from the server before the maximum number of retries is reached, the device considers the server as reachable. The device sets the status of the server to block or active according to the status detection result, regardless of the current status of the server. For 802.
Default
No security policy server is specified for a RADIUS scheme.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
ip-address: Specifies a security policy server by its IP address.
all: Specifies all security policy servers.
Usage guidelines
You can specify up to eight security policy servers for a RADIUS scheme. You can change security policy servers for a RADIUS scheme only when no user is using the scheme.
Examples
# Specify security policy server 10.110.1.
Examples
# Configure the RADIUS server type of RADIUS scheme radius1 as standard.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] server-type standard
state primary
Use state primary to set the status of a primary RADIUS server.
Syntax
state primary { accounting | authentication } { active | block }
Default
The primary RADIUS server specified for a RADIUS scheme is in active state.
state secondary
Use state secondary to set the status of a secondary RADIUS server.
Syntax
state secondary { accounting | authentication } [ ip ipv4-address | ipv6 ipv6-address ] { active | block }
Default
Every secondary RADIUS server specified in a RADIUS scheme is in active state.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
accounting: Sets the status of the secondary RADIUS accounting server.
stop-accounting-buffer enable (RADIUS scheme view)
Use stop-accounting-buffer enable to enable the device to buffer stop-accounting requests to which no responses are received.
Use undo stop-accounting-buffer enable to disable the buffering function.
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
Default
The device buffers stop-accounting requests to which no responses are received.
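The following Python model is an added example; it is not code from the HP command reference or from the router. It shows how the stop-accounting buffer described by stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer and reset stop-accounting-buffer behaves: unanswered stop-accounting requests are kept, retransmitted up to the configured limit and then dropped, and can be listed by scheme, session ID, user name or time range, or cleared. The buffer capacity (the page only exposes an overflow counter), the request fields and the responds() callback are constructed assumptions.

```python
# Added example (not from the HP command reference): a model of the
# stop-accounting buffer controlled by stop-accounting-buffer enable,
# retry stop-accounting, display stop-accounting-buffer and
# reset stop-accounting-buffer. Capacity, request fields and the
# responds() callback are constructed assumptions.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class StopAcctRequest:
    scheme: str        # RADIUS scheme whose accounting server the request is for
    session_id: str
    user_name: str
    created_at: int    # simulated time at which the request was first sent
    attempts: int = 0  # retransmissions so far


class StopAccountingBuffer:
    def __init__(self, enabled: bool = True, max_retries: int = 500, capacity: int = 1024):
        self.enabled = enabled            # stop-accounting-buffer enable / undo
        self.max_retries = max_retries    # retry stop-accounting retry-times (RADIUS default 500)
        self.capacity = capacity          # assumed size; the page only shows an overflow counter
        self.pending: List[StopAcctRequest] = []
        self.discarded_overflow = 0       # "Discarded No-response-acct-stop packet for buffer overflow"
        self.dropped_after_retries = 0    # requests given up on after max_retries attempts

    def add(self, req: StopAcctRequest) -> bool:
        """Buffer a stop-accounting request that received no response."""
        if not self.enabled:
            return False                  # buffering disabled: the request is simply lost
        if len(self.pending) >= self.capacity:
            self.discarded_overflow += 1
            return False
        self.pending.append(req)
        return True

    def retransmit(self, responds: Callable[[StopAcctRequest], bool]) -> List[str]:
        """Resend every buffered request once; return the session IDs that were acknowledged."""
        acked: List[str] = []
        still_pending: List[StopAcctRequest] = []
        for req in self.pending:
            req.attempts += 1
            if responds(req):
                acked.append(req.session_id)
            elif req.attempts >= self.max_retries:
                self.dropped_after_retries += 1   # limit reached: stop retrying this request
            else:
                still_pending.append(req)
        self.pending = still_pending
        return acked

    def display(self, scheme: Optional[str] = None, session_id: Optional[str] = None,
                user_name: Optional[str] = None,
                time_range: Optional[Tuple[int, int]] = None) -> List[StopAcctRequest]:
        """Filter like display stop-accounting-buffer { radius-scheme | session-id | time-range | user-name }."""
        out: List[StopAcctRequest] = []
        for r in self.pending:
            if scheme is not None and r.scheme != scheme:
                continue
            if session_id is not None and r.session_id != session_id:
                continue
            if user_name is not None and r.user_name != user_name:
                continue
            if time_range is not None and not (time_range[0] <= r.created_at <= time_range[1]):
                continue
            out.append(r)
        return out

    def reset(self, scheme: Optional[str] = None) -> int:
        """Clear buffered requests (all, or only one scheme's); return how many were cleared."""
        before = len(self.pending)
        self.pending = [r for r in self.pending if scheme is not None and r.scheme != scheme]
        return before - len(self.pending)


if __name__ == "__main__":
    buf = StopAccountingBuffer(max_retries=3)
    # Constructed sample requests for two schemes.
    buf.add(StopAcctRequest("radius1", "s1", "abc", created_at=100))
    buf.add(StopAcctRequest("radius2", "s2", "def", created_at=200))
    print("buffered for abc:", [r.session_id for r in buf.display(user_name="abc")])
    print("acked:", buf.retransmit(lambda r: r.scheme == "radius2"))
    print("still pending:", len(buf.pending), "dropped:", buf.dropped_after_retries)
```

The takeaway for operators is the interaction of the two limits: a low retry stop-accounting value bounds how long a dead accounting server keeps requests alive, while an undersized buffer shows up as the overflow counter in display radius statistics, which is the first thing to check when accounting records go missing.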
Views
RADIUS scheme view
Default command level
2: System level
Parameters
minutes: Server quiet period in minutes, ranging from 0 to 255. If you set this argument to 0, when the device attempts to send an authentication or accounting request but the current server is unreachable, the device sends the request to the next server in active state, without changing the current server's status.
Parameters
minutes: Real-time accounting interval in minutes. The value can be 0 or a multiple of 3, ranging from 3 to 60.
Usage guidelines
For real-time accounting, a NAS must transmit the accounting information of online users to the RADIUS accounting server periodically. This command sets the interval.
Parameters
seconds: RADIUS server response timeout period in seconds, ranging from 1 to 10.
Usage guidelines
If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request (authentication/authorization or accounting request), it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.
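The following Python simulation is an added example; it is not code from the HP command reference or from the router. It models how a NAS works through the servers of one RADIUS scheme using the retry, timer response-timeout, timer quiet and state settings described in this chapter: each active server is tried up to retry times, each attempt waiting one response-timeout period; a server that never answers is placed in the blocked state for the quiet period (a quiet period of 0 leaves its state unchanged and simply moves on to the next active server); a blocked server becomes eligible again when its quiet period expires. Server names, addresses and the responds() callback are constructed inputs.

```python
# Added example (not from the HP command reference): a model of how a NAS
# walks the servers of one RADIUS scheme using the retry, timer
# response-timeout and timer quiet settings. Server names, addresses and
# the responds() callback are constructed inputs.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    ip: str
    state: str = "active"       # "active" or "block", as set by state primary/secondary
    blocked_until: float = 0.0  # simulated clock (seconds) at which the quiet period ends


@dataclass
class RadiusScheme:
    servers: List[RadiusServer]   # primary first, then secondaries, in configuration order
    retry: int = 3                # retry retry-times: attempts per server (default 3, range 1-20)
    response_timeout: int = 3     # timer response-timeout seconds per attempt (range 1-10)
    quiet_minutes: int = 5        # timer quiet minutes (range 0-255); 0 never changes server state
    log: List[str] = field(default_factory=list)


def send_request(scheme: RadiusScheme, now: float,
                 responds: Callable[[RadiusServer], bool]) -> Tuple[Optional[str], float]:
    """Try each active server in order; return (server name, seconds spent) or (None, seconds)."""
    elapsed = 0.0
    for srv in scheme.servers:
        clock = now + elapsed
        # A blocked server becomes eligible again once its quiet period has expired.
        if srv.state == "block" and clock >= srv.blocked_until:
            srv.state = "active"
            scheme.log.append(f"{srv.name}: quiet period over, back to active")
        if srv.state != "active":
            scheme.log.append(f"{srv.name}: skipped, blocked")
            continue
        for attempt in range(1, scheme.retry + 1):
            if responds(srv):
                scheme.log.append(f"{srv.name}: response on attempt {attempt}")
                return srv.name, elapsed
            elapsed += scheme.response_timeout   # one timeout period per unanswered attempt
            scheme.log.append(f"{srv.name}: no response, attempt {attempt}/{scheme.retry}")
        # Maximum retries reached with no response: the server is considered unreachable.
        if scheme.quiet_minutes > 0:
            srv.state = "block"
            srv.blocked_until = now + elapsed + scheme.quiet_minutes * 60
            scheme.log.append(f"{srv.name}: blocked for {scheme.quiet_minutes} min")
        else:
            scheme.log.append(f"{srv.name}: unreachable, state left unchanged (quiet 0)")
    return None, elapsed


def worst_case_delay(scheme: RadiusScheme) -> float:
    """Seconds a user may wait for a verdict when every currently active server stays silent."""
    active = sum(1 for s in scheme.servers if s.state == "active")
    return active * scheme.retry * scheme.response_timeout


if __name__ == "__main__":
    scheme = RadiusScheme([RadiusServer("primary", "10.1.1.1"),
                           RadiusServer("secondary", "10.1.1.2")])
    print("worst case before any server is blocked:", worst_case_delay(scheme), "s")
    # Constructed scenario: the primary server is down, the secondary answers.
    print(send_request(scheme, now=0.0, responds=lambda s: s.name == "secondary"))
    print("\n".join(scheme.log))
```

worst_case_delay() is the number to watch when tuning: with the defaults, two silent servers hold a login for 2 x 3 x 3 = 18 seconds, and raising retry or the response timeout multiplies that, while a quiet period of 0 means every later request pays the full cost again because nothing is ever marked blocked.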
Examples
# Specify the device to remove the domain name in the username sent to the RADIUS servers for the RADIUS scheme radius1.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] user-name-format without-domain
Related commands
radius scheme
vpn-instance (RADIUS scheme view)
Use vpn-instance to specify a VPN instance for a RADIUS scheme.
Use undo vpn-instance to remove the configuration.
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
Default
The unit for data flows is byte and that for data packets is one-packet.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
Default command level
1: Monitor level
Parameters
hwtacacs-scheme-name: HWTACACS scheme name. If you do not specify an HWTACACS scheme, this command displays the configuration of all HWTACACS schemes.
statistics: Displays the statistics for the HWTACACS servers specified in the HWTACACS scheme. Without this keyword, the command displays the configuration of the HWTACACS scheme.
slot slot-number: Specifies a card by its slot number. The slot-number argument represents the slot number of the card.
key authentication : ******
key authorization : ******
key accounting : ******
VPN instance : -
Quiet-interval(min) : 5
Realtime-accounting-interval(min) : 12
Response-timeout-interval(sec) : 5
Acct-stop-PKT retransmit times : 100
Username format : with-domain
Data traffic-unit : B
Packet traffic-unit : one-packet
--------------------------------------------------------------------
Table 8 Command output
Field | Description
HWTACACS-server template name | Name of the HWTACACS scheme.
---[HWTACACS template gy primary authentication]--
HWTACACS server open number: 10
HWTACACS server close number: 10
HWTACACS authen client access request packet number: 10
HWTACACS authen client access response packet number: 6
HWTACACS authen client unknown type number: 0
HWTACACS authen client timeout number: 4
HWTACACS authen client packet dropped number: 4
HWTACACS authen client access request change password number: 0
HWTACACS authen client access request login number: 5
HWTACACS authen client access re
HWTACACS account client request command level number: 0
HWTACACS account client request connection number: 0
HWTACACS account client request EXEC number: 0
HWTACACS account client request network number: 0
HWTACACS account client request system event number: 0
HWTACACS account client request update number: 0
HWTACACS account client response error number: 0
HWTACACS account client round trip time(s): 0
Related commands
hwtacacs scheme
display stop-accounting-buffer (for HWTACACS)
Use display stop-accountin
Examples
# Display information about the stop-accounting requests buffered for HWTACACS scheme hwt1 on the card in slot 0. (In standalone mode.)
display stop-accounting-buffer hwtacacs-scheme hwt1 slot 0
Slot 0:
Total 0 record(s) Matched
# Display information about the stop-accounting requests buffered for HWTACACS scheme hwt1 on slot 0 of IRF member 1. (In IRF mode.
the packet is the IP address of any managed NAS. If it is, the server processes the packet. If it is not, the server drops the packet. You can specify up to one public-network source IP address and 15 private-network source IP addresses. A newly specified public-network source IP address overwrites the previous one. Each VPN can have only one private-network source IP address specified. A private-network source IP address newly specified for a VPN overwrites the previous one.
key (HWTACACS scheme view)
Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.
Use undo key to remove the configuration.
Syntax
key { accounting | authentication | authorization } [ cipher | simple ] key
undo key { accounting | authentication | authorization }
Default
No shared key is configured.
# Set the shared key for secure HWTACACS accounting communication to $c$3$jaeN0ej15fjuHKeuVh8mqicHzaHdMw== in cipher text for HWTACACS scheme hwt1.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key accounting cipher $c$3$jaeN0ej15fjuHKeuVh8mqicHzaHdMw==
Related commands
display hwtacacs
nas-ip (HWTACACS scheme view)
Use nas-ip to specify a source IP address for outgoing HWTACACS packets.
Use undo nas-ip to restore the default.
Related commands
hwtacacs nas-ip
primary accounting (HWTACACS scheme view)
Use primary accounting to specify the primary HWTACACS accounting server.
Use undo primary accounting to remove the configuration.
Syntax
primary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo primary accounting
Default
No primary HWTACACS accounting server is specified.
Related commands
• display hwtacacs
• vpn-instance (HWTACACS scheme view)
primary authentication (HWTACACS scheme view)
Use primary authentication to specify the primary HWTACACS authentication server.
Use undo primary authentication to remove the configuration.
Syntax
primary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo primary authentication
Default
No primary HWTACACS authentication server is specified.
[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49
Related commands
• display hwtacacs
• vpn-instance (HWTACACS scheme view)
primary authorization
Use primary authorization to specify the primary HWTACACS authorization server.
Use undo primary authorization to remove the configuration.
Syntax
primary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo primary authorization
Default
No primary HWTACACS authorization server is specified.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49
Related commands
• display hwtacacs
• vpn-instance (HWTACACS scheme view)
reset hwtacacs statistics
Use reset hwtacacs statistics to clear HWTACACS statistics.
Syntax
In standalone mode:
reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ]
In IRF mode:
reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ chassis chassis-number slot slot-number ]
Views
User view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in an HWTACACS scheme.
Parameters
retry-times: Maximum number of stop-accounting request transmission attempts, ranging from 1 to 300.
Examples
# Set the maximum number of stop-accounting request transmission attempts to 50 for HWTACACS scheme hwt1.
You can remove an accounting server only when it is not used by any active TCP connection to send accounting packets. Removing an accounting server only affects accounting processes that occur after the remove operation. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
Examples
# Specify the IP address and port number of the secondary accounting server for HWTACACS scheme hwt1 as 10.163.155.12 with TCP port number 49.
If you execute the command multiple times, the most recent configuration takes effect. You can remove an authentication server only when it is not used by any active TCP connection to send authentication packets. Removing an authentication server only affects authentication processes that occur after the remove operation. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
If the specified server resides on an MPLS VPN, you also must specify that VPN with the secondary authorization command to ensure normal communication with the server. The VPN specified here takes precedence over the VPN specified for the HWTACACS scheme. If you execute the command multiple times, the most recent configuration takes effect. You can remove an authorization server only when it is not used by any active TCP connection to send authorization packets.
Related commands
• reset stop-accounting-buffer
• display stop-accounting-buffer
timer quiet (HWTACACS scheme view)
Use timer quiet to set the quiet timer for the primary server.
Use undo timer quiet to restore the default.
Syntax
timer quiet minutes
undo timer quiet
Default
The primary server quiet period is 5 minutes.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
minutes: Primary server quiet period. The value ranges from 1 to 255, in minutes.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
minutes: Real-time accounting interval in minutes. The value can be 0 or a multiple of 3, ranging from 3 to 60. A value of 0 means "Do not send online user accounting information to the HWTACACS server."
Usage guidelines
For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command sets the interval.
Parameters
seconds: HWTACACS server response timeout period in seconds, ranging from 1 to 300.
Usage guidelines
HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.
Examples
# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.
Examples
# Specify the device to remove the ISP domain name in the username sent to the HWTACACS servers for the HWTACACS scheme hwt1.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] user-name-format without-domain
vpn-instance (HWTACACS scheme view)
Use vpn-instance to specify a VPN instance for an HWTACACS scheme.
Use undo vpn-instance to remove the configuration.
802.1X commands
802.1X commands are supported only on a SAP module that is operating in bridge mode.
display dot1x
Use display dot1x to display information about 802.1X.
Syntax
display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
sessions: Displays 802.1X session information.
statistics: Displays 802.1X statistics.
EAD quick deploy is enabled Configuration: Transmit Period Quiet Period Supp Timeout Reauth Period 30 s, Handshake Period 60 s, Quiet Period Timer is disabled 30 s, Server Timeout The maximal retransmitting times URL: http://192.168.19.23 Free IP: 192.168.19.0 255.255.255.0 EAD timeout: 30m The maximum 802.1X user resource number is 2048 per slot Total current used 802.1X resource number is 1 GigabitEthernet3/0/1 100 s 3600 s EAD quick deploy configuration: is link-up 802.
Table 10 Command output
Field | Description
Equipment 802.1X protocol is enabled | Whether 802.1X is enabled globally.
CHAP authentication is enabled | Whether CHAP authentication is enabled.
Proxy trap checker is disabled | Whether the device sends a trap when detecting that a user is accessing the network through a proxy.
Proxy logoff checker is disabled | Whether the device logs off the user when detecting that the user is accessing the network through a proxy.
Authenticate Mode is Auto | Authorization state of the port.
Port Control Type is Port-based | Access control method of the port.
802.1X Multicast-trigger is enabled | Whether the 802.1X multicast-trigger function is enabled.
Mandatory authentication domain | Mandatory authentication domain on the port.
Guest VLAN | 802.1X guest VLAN configured on the port. NOT configured is displayed if no guest VLAN is configured.
Auth-fail VLAN | Auth-Fail VLAN configured on the port.
dot1x
Use dot1x to enable 802.1X.
Use undo dot1x to disable 802.1X.
Syntax
In system view:
dot1x [ interface interface-list ]
undo dot1x [ interface interface-list ]
In Ethernet interface view:
dot1x
undo dot1x
Default
802.1X is neither enabled globally nor enabled for any port.
Views
System view, Ethernet interface view
Default command level
2: System level
Parameters
interface interface-list: Specifies a port list, which can contain multiple ports.
Or
system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] dot1x
[Sysname-GigabitEthernet3/0/1] quit
[Sysname] interface gigabitethernet 3/0/5
[Sysname-GigabitEthernet3/0/5] dot1x
[Sysname-GigabitEthernet3/0/5] quit
[Sysname] interface gigabitethernet 3/0/6
[Sysname-GigabitEthernet3/0/6] dot1x
[Sysname-GigabitEthernet3/0/6] quit
[Sysname] interface gigabitethernet 3/0/7
[Sysname-GigabitEthernet3/0/7] dot1x
# Enable 802.1X globally.
• In EAP termination mode—The access device re-encapsulates and sends the authentication data from the client in standard RADIUS packets to the RADIUS server, and performs either CHAP or PAP authentication with the RADIUS server. In this mode the RADIUS server supports only MD5-Challenge EAP authentication, and "username+password" EAP authentication initiated by an iNode client.
• PAP transports usernames and passwords in clear text.
Parameters
authfail-vlan-id: Specifies the ID of the Auth-Fail VLAN for the port, in the range of 1 to 4094. Make sure that the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.
Usage guidelines
You must enable MAC-based VLAN for an Auth-Fail VLAN to take effect on a port that performs MAC-based access control.
Parameters
vlan-id: Specifies a VLAN ID in the range of 1 to 4094. Make sure that the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.
Usage guidelines
You can configure only one critical VLAN on a port. The MAC authentication critical VLANs on different ports can be different. When you change the access control method from MAC-based to port-based on the port, the mappings between MAC addresses and the 802.
Usage guidelines
The dot1x critical recovery-action command takes effect only for the 802.1X users in the critical VLAN on a port. It enables the port to take one of the following actions to trigger 802.1X authentication after removing 802.1X users from the critical VLAN on detection of a reachable RADIUS authentication server:
• If MAC-based access control is used, the port sends a unicast Identity EAP/Request to each 802.1X user.
Examples
# Specify the characters @, /, and \ as domain name delimiters.
system-view
[Sysname] dot1x domain-delimiter @\/
dot1x guest-vlan
Use dot1x guest-vlan to configure an 802.1X guest VLAN for the specified or all ports. A guest VLAN on a port accommodates users that have not performed 802.1X authentication. In the guest VLAN, users can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.
To delete a VLAN that has been configured as a guest VLAN, you must remove the guest VLAN configuration first. You can configure both an Auth-Fail VLAN and an 802.1X guest VLAN on a port.
Examples
# Specify VLAN 999 as the 802.1X guest VLAN for port GigabitEthernet 3/0/1.
system-view
[Sysname] dot1x guest-vlan 999 interface gigabitethernet 3/0/1
# Specify VLAN 10 as the 802.1X guest VLAN for ports GigabitEthernet 3/0/2 to GigabitEthernet 3/0/5.
HP recommends that you use the iNode client software to ensure the normal operation of the online user handshake function.
Examples
# Enable the online user handshake function.
system-view
[Sysname] interface gigabitethernet 3/0/4
[Sysname-GigabitEthernet3/0/4] dot1x handshake
dot1x handshake secure
Use dot1x handshake secure to enable the online user handshake security function. The function enables the device to prevent users from using illegal client software.
undo dot1x mandatory-domain
Default
No mandatory authentication domain is specified.
Views
Ethernet interface view
Default command level
2: System level
Parameters
domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters.
Usage guidelines
When authenticating an 802.1X user trying to access the port, the system selects an authentication domain in the following order: the mandatory domain, the ISP domain specified in the username, and the default ISP domain.
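The following Python functions are an added example; they are not code from the HP command reference or from the router. They tie together three things this chapter describes: the delimiters configured with dot1x domain-delimiter (for example @, / and \), the domain selection order stated for dot1x mandatory-domain (mandatory domain first, then the ISP domain carried in the username, then the default ISP domain), and what user-name-format with-domain or without-domain sends to the RADIUS or HWTACACS server. Two assumptions not stated on the page are labelled in the code: that the user part precedes the first delimiter found, for every delimiter character, and that the default delimiter is @ and the default ISP domain name is system.

```python
# Added example (not from the HP command reference): how a NAS derives the
# authentication domain from a username and formats the username for the
# server. Assumptions not stated on the page: the user part precedes the
# first delimiter found (for every delimiter character), the default
# delimiter is "@", and the default ISP domain is named "system".
from typing import Optional, Tuple

DEFAULT_DELIMITERS = "@"      # assumed default of dot1x domain-delimiter
DEFAULT_ISP_DOMAIN = "system" # assumed name of the default ISP domain


def split_username(raw: str, delimiters: str = DEFAULT_DELIMITERS) -> Tuple[str, Optional[str]]:
    """Split 'user<delim>domain' at the first configured delimiter; domain is None if absent or empty."""
    for i, ch in enumerate(raw):
        if ch in delimiters:
            return raw[:i], (raw[i + 1:] or None)
    return raw, None


def select_domain(raw: str, mandatory: Optional[str] = None,
                  default: str = DEFAULT_ISP_DOMAIN,
                  delimiters: str = DEFAULT_DELIMITERS) -> str:
    """Order stated for dot1x mandatory-domain: mandatory domain, domain in the username, default domain."""
    if mandatory:
        return mandatory.lower()          # ISP domain names are case-insensitive (1 to 24 characters)
    _, carried = split_username(raw, delimiters)
    return (carried or default).lower()


def format_for_server(raw: str, fmt: str, delimiters: str = DEFAULT_DELIMITERS) -> str:
    """Username as sent to the server under user-name-format with-domain / without-domain."""
    user, _ = split_username(raw, delimiters)
    if fmt == "without-domain":
        return user
    if fmt == "with-domain":
        return raw
    raise ValueError(f"unknown user-name-format {fmt!r}")


if __name__ == "__main__":
    delims = "@/\\"   # the three delimiters from the dot1x domain-delimiter example
    for name in ("alice@corp", "bob/eng", "carol"):   # constructed sample usernames
        print(name, "->", select_domain(name, delimiters=delims),
              "| sent without-domain:", format_for_server(name, "without-domain", delims))
    # A mandatory domain on the port overrides whatever the client supplied.
    print("alice@corp with mandatory domain lab ->", select_domain("alice@corp", mandatory="lab"))
```

The point for operators is that the two settings are independent: the domain chosen on the NAS decides which scheme handles the user, while user-name-format decides whether the server ever sees that domain string, so a server whose user database stores bare names needs without-domain even when the NAS keys its policy on the domain.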
Syntax
In system view:
dot1x max-user user-number [ interface interface-list ]
undo dot1x max-user [ interface interface-list ]
In Ethernet interface view:
dot1x max-user user-number
undo dot1x max-user
Default
The port supports a maximum of 1024 concurrent 802.1X users.
Views
System view, Ethernet interface view
Default command level
2: System level
Parameters
user-number: Specifies the maximum number of concurrent 802.1X users on a port. The value range is 1 to 1024.
Related commands
display dot1x
dot1x multicast-trigger
Use dot1x multicast-trigger to enable the 802.1X multicast trigger function. The device acts as the initiator and periodically multicasts Identity EAP-Request packets out of a port to detect 802.1X clients and trigger authentication.
Use undo dot1x multicast-trigger to disable the function.
Syntax
dot1x multicast-trigger
undo dot1x multicast-trigger
Default
The multicast trigger function is enabled.
undo dot1x port-control
Default
The default port authorization state is auto.
Views
System view, Ethernet interface view
Default command level
2: System level
Parameters
authorized-force: Places the specified or all ports in the authorized state, enabling users on the ports to access the network without authentication.
Use undo dot1x port-method to restore the default.
Syntax
In system view:
dot1x port-method { macbased | portbased } [ interface interface-list ]
undo dot1x port-method [ interface interface-list ]
In Ethernet interface view:
dot1x port-method { macbased | portbased }
undo dot1x port-method
Default
MAC-based access control applies.
[Sysname] dot1x port-method portbased interface gigabitethernet 3/0/2 to gigabitethernet 3/0/5
Related commands
display dot1x
dot1x quiet-period
Use dot1x quiet-period to enable the quiet timer. When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client.
Use undo dot1x quiet-period to disable the timer.
Syntax
dot1x quiet-period
undo dot1x quiet-period
Default
The quiet timer is disabled.
Default command level
2: System level
Usage guidelines
Periodic re-authentication enables the access device to periodically authenticate online 802.1X users on a port. This function tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS. You can use the dot1x timer reauth-period command to configure the interval for re-authentication.
Examples
# Enable the 802.
Examples
# Set the maximum number of attempts for sending an authentication request to a client as 9.
system-view
[Sysname] dot1x retry 9
Related commands
display dot1x
dot1x supp-proxy-check
Use dot1x supp-proxy-check to enable the proxy detection function and set the processing method on the specified ports or all ports.
Use undo dot1x supp-proxy-check to disable the function on the specified ports or all ports.
Examples
# Configure ports GigabitEthernet 3/0/1 to 3/0/8 to log off users accessing the network through a proxy.
system-view
[Sysname] dot1x supp-proxy-check logoff
[Sysname] dot1x supp-proxy-check logoff interface gigabitethernet 3/0/1 to gigabitethernet 3/0/8
# Configure port GigabitEthernet 3/0/9 to send a trap when a user is detected accessing the network through a proxy.
supp-timeout-value: Sets the client timeout timer in seconds. It is in the range of 1 to 120.
tx-period-value: Sets the username request timeout timer in seconds. It is in the range of 10 to 120.
Usage guidelines
You can set the client timeout timer to a high value in a low-performance network, set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response, or adjust the server timeout timer to adapt to the performance of different authentication servers.
Default
The unicast trigger function is disabled.
Views
Ethernet interface view
Default command level
2: System level
Usage guidelines
The unicast trigger function enables the network access device to initiate 802.1X authentication when it receives a data frame from an unknown source MAC address.
Examples
# Clear 802.1X statistics on port GigabitEthernet 3/0/1.
EAD fast deployment commands EAD fast deployment commands are supported only on a SAP module that is operating in bridge mode. dot1x free-ip Use dot1x free-ip to configure a free IP. Users can access the segment before passing 802.1X authentication. Use undo dot1x free-ip to remove the specified or all free IP addresses. Syntax dot1x free-ip ip-address { mask-address | mask-length } undo dot1x free-ip { ip-address { mask | mask-length } | all } Default No free IP is configured.
Syntax dot1x timer ead-timeout ead-timeout-value undo dot1x timer ead-timeout Default The timer is 30 minutes. Views System view Default command level 2: System level Parameters ead-timeout-value: Specifies the EAD rule timer in minutes. The value range is 1 to 1440. Usage guidelines EAD fast deployment automatically creates an ACL rule, or EAD rule, to open access to the redirect URL for each redirected user seeking to access the network. The EAD rule timer sets the lifetime of each ACL rule.
Default command level 2: System level Parameters url-string: Specifies the redirect URL, a case-sensitive string of 1 to 64 characters in the format http://string. Usage guidelines The redirect URL must be on the free IP subnet. If you configure the dot1x url command multiple times, the last configured URL takes effect. Examples # Configure the redirect URL as http://192.168.0.1. system-view [Sysname] dot1x url http://192.168.0.
MAC authentication configuration commands
MAC authentication commands are available only for SAP modules that are operating in bridge mode.
display mac-authentication
Use display mac-authentication to display MAC authentication settings and statistics, including global settings, port-specific settings, and MAC authentication and online user statistics.
Server response timeout value is 100s
The max allowed user number is 2048 per slot
Current user number amounts to 0
Current domain: not configured, use default domain
Silent Mac User info:
MAC Addr From Port Port Index
GigabitEthernet3/0/1 is link-up
MAC address authentication is enabled
Authenticate success: 0, failed: 0
Max number of on-line users is 1024
Current online user number is 0
MAC Addr Authenticate state AuthIndex
…
Table 11 Command output
Field | Description
MAC address authentication is
Field | Description
GigabitEthernet3/0/1 is link-up | Status of the link on port GigabitEthernet 3/0/1. In this example, the link is up.
MAC address authentication is enabled | Whether MAC authentication is enabled on port GigabitEthernet 3/0/1.
Authenticate success: 0, failed: 0 | MAC authentication statistics, including the number of successful and unsuccessful authentication attempts.
Max number of on-line users | Maximum number of concurrent online users allowed on the port.
Default command level
2: System level
Parameters
interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. The start port and end port of a port range must be of the same type, and the end port number must be greater than the start port number.
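The interface-list rules above (same type at both ends of a range, end greater than start, at most 10 ranges) are easy to get wrong in automation that generates or audits port lists. The following parser is an added example, not code from the command reference; it validates a list the way the text describes and, as an assumption not stated on the page, expands ranges by varying only the last number component.

```python
import re

# Constraints quoted from the command reference for an interface-list:
#   { interface-type interface-number [ to interface-type interface-number ] }&<1-10>
# - at most 10 port ranges
# - start and end port of a range must be of the same type
# - end port number must be greater than the start port number
MAX_RANGES = 10
_NUMBER = re.compile(r"^\d+(?:/\d+)*$")   # e.g. 3/0/1 (slot/subslot/port)


def _port_number(token):
    """Parse an interface-number such as 3/0/1 into a comparable tuple (3, 0, 1)."""
    if not _NUMBER.match(token):
        raise ValueError(f"bad interface number: {token!r}")
    return tuple(int(x) for x in token.split("/"))


def parse_interface_list(spec):
    """Validate an interface-list argument and return its port ranges.

    Each range is returned as (interface-type, start, end) where start and end
    are number tuples; a single port is a range whose start equals its end.
    Raises ValueError for anything the reference says is not allowed.
    """
    tokens = spec.split()
    ranges = []
    i = 0
    while i < len(tokens):
        if i + 1 >= len(tokens):
            raise ValueError("interface-type without interface-number")
        itype, start = tokens[i].lower(), _port_number(tokens[i + 1])
        end = start
        i += 2
        if i < len(tokens) and tokens[i].lower() == "to":
            if i + 2 >= len(tokens):
                raise ValueError("'to' must be followed by interface-type interface-number")
            end_type, end = tokens[i + 1].lower(), _port_number(tokens[i + 2])
            # The start port and end port of a range must be of the same type.
            if end_type != itype:
                raise ValueError(f"port range mixes types {itype} and {end_type}")
            # The end port number must be greater than the start port number.
            if end <= start:
                raise ValueError(f"end port {tokens[i + 2]} is not greater than start port")
            i += 3
        ranges.append((itype, start, end))
    if not ranges:
        raise ValueError("empty interface-list")
    if len(ranges) > MAX_RANGES:
        raise ValueError(f"{len(ranges)} ranges given, at most {MAX_RANGES} allowed")
    return ranges


def expand_ports(ranges):
    """Expand validated ranges to individual port names.

    Assumption (not stated on the page): only the last number component varies
    within a range, so the slot/subslot prefix must match on both ends.
    """
    ports = []
    for itype, start, end in ranges:
        if start[:-1] != end[:-1]:
            raise ValueError("range spans more than one slot/subslot")
        for n in range(start[-1], end[-1] + 1):
            ports.append(f"{itype} " + "/".join(map(str, start[:-1] + (n,))))
    return ports


def is_rejected(spec):
    """True if the list violates one of the documented constraints."""
    try:
        parse_interface_list(spec)
    except ValueError:
        return True
    return False
```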
Parameters
domain-name: Specifies an authentication domain name, a case-insensitive string of 1 to 24 characters. The domain name cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or at sign (@).
Usage guidelines
The global authentication domain applies to all MAC authentication-enabled ports. A port-specific authentication domain applies only to that port.
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] mac-authentication max-user 32
mac-authentication timer
Use mac-authentication timer to set the MAC authentication timers.
Use undo mac-authentication timer to restore the default settings.
Use undo mac-authentication user-name-format to restore the default.
Syntax
mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] }
undo mac-authentication user-name-format
Default
Each user's MAC address is used as the username and password for MAC authentication, and letters must be input in lower case. MAC addresses are not hyphenated.
Examples
# Configure a shared account for MAC authentication users, and set the username as abc and password as a plaintext string of xyz.
system-view
[Sysname] mac-authentication user-name-format fixed account abc password simple xyz
# Configure a shared account for MAC authentication users, and set the username as abc and password as a ciphertext string of $c$3$Uu9Dh4xRKWa8RHW3TFnNTafBbhdPAg.
Portal configuration commands
Portal on VLAN interfaces does not support accounting. Portal on other types of interfaces supports accounting.
access-user detect
Use access-user detect to configure the online portal user detection function.
Use undo access-user detect to restore the default.
Syntax
access-user detect type { arp | icmp } retransmit number interval interval [ idle-time idletime ]
undo access-user detect
Default
The portal user detection function is not configured on an interface.
Examples
# Configure the portal user detection function on interface GigabitEthernet 3/0/1, specifying the probe packets as ARP requests, the maximum number of probe attempts as 3, and the probe interval as 10 seconds.
system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] access-user detect type arp retransmit 3 interval 10
display portal acl
Use display portal acl to display the ACLs on a specific interface.
Port : 50000 ~ 51000
MAC : 0000-0000-0000
Interface : any
VLAN : 0
Destination:
IP : 111.111.111.111
Mask : 255.255.255.255
Port : 40000
Rule 1
Inbound interface : GigabitEthernet3/0/1
Type : static
Action : permit
Protocol : 0
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
Port : 23
MAC : 0000-0000-0000
Interface : any
VLAN : 0
Destination:
IP : 192.168.0.111
Mask : 255.255.255.
Mask : 255.255.255.255
MAC : 000d-88f8-0eab
Interface : GigabitEthernet3/0/1
VLAN : 0
Protocol : 0
Destination:
IP : 0.0.0.0
Mask : 0.0.0.0
Author ACL:
Number : 3001
Table 12 Command output
Field | Description
Rule | Sequence number of the portal ACL, which is numbered from 0 in ascending order.
Inbound interface | Interface to which the portal ACL is bound.
Type | Type of the portal ACL.
Action | Match action in the portal ACL.
Protocol | Transport layer protocol number in the portal ACL.
Syntax
display portal connection statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
MSG_LOGIN_REQ 3 0 0
MSG_LOGOUT_REQ 2 0 0
MSG_LEAVING_REQ 0 0 0
MSG_ARPPKT 0 0 0
MSG_PORT_REMOVE 0 0 0
MSG_VLAN_REMOVE 0 0 0
MSG_IF_REMOVE 6 0 0
MSG_IF_SHUT MSG_IF_DISPORTAL 0 0 0 MSG_IF_UP 0 0 0 0 0 0 MSG_ACL_RESULT 0 MSG_AAACUTBKREQ 0 0 0 0 0
MSG_CUT_BY_USERINDEX 0 0 0
MSG_CUT_L3IF 0 0 0
MSG_IP_REMOVE 0 0 0
MSG_ALL_REMOVE 1 0 0
MSG_IFIPADDR_CHANGE 0 0 0
MSG_SOCKET_CHANGE 8 0 0
MSG_NOTIFY MSG_SETPOLICY MSG_SETPOLICY_RESULT 0 0 0 0 0
Field | Description
MSG_ARPPKT | ARP message.
MSG_PORT_REMOVE | Users-of-a-Layer-2-port-removed message.
MSG_VLAN_REMOVE | VLAN user removed message.
MSG_IF_REMOVE | Users-removed message, indicating the users on a Layer 3 interface were removed because the Layer 3 interface was removed.
MSG_IF_SHUT | Layer 3 interface shutdown message.
MSG_IF_DISPORTAL | Portal-disabled-on-interface message.
MSG_IF_UP | Layer 3 interface came up message.
MSG_ACL_RESULT | ACL deployment failure message.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about portal-free rule 1.
display portal free-rule 1
Rule-Number 1:
Source:
IP : 2.2.2.0
Mask : 255.255.255.0
Port : any
MAC : 0000-0000-0000
Interface : any
Vlan : 0
Destination:
IP : 0.0.0.0
Mask : 0.0.0.
Field | Description
Destination | Destination information in the portal-free rule.
IP | Destination IP address in the portal-free rule.
Mask | Subnet mask of the destination IP address in the portal-free rule.
Port | Destination transport layer port number in the portal-free rule.
Protocol | Transport layer protocol number in the portal-free rule.
Related commands
portal free-rule
display portal interface
Use display portal interface to display the portal configuration of an interface.
Table 15 Command output
Field | Description
Portal configuration of interface | Portal configuration on the interface.
IPv4 | IPv4 portal configuration.
Status | Status of the portal authentication on the interface:
• Portal disabled—Portal authentication is disabled.
• Portal enabled—Portal authentication is enabled but is not functioning.
• Portal running—Portal authentication is functioning.
Portal server | Portal server referenced by the interface.
IP : 192.168.0.111
VPN instance : vpn1
Port : 50100
Key : ******
URL : http://192.168.0.111
Server Type : IMC
Status : Up
Table 16 Command output
Field | Description
1) | Number of the portal server.
aaa | Name of the portal server.
VPN instance | MPLS L3VPN to which the portal server belongs.
IP | IP address of the portal server.
Port | Listening port on the portal server.
Key | Shared key for exchanges between the access device and portal server. • ****** is displayed if a key is configured.
URL
Default command level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and name.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
ACK_QUERY_STATE 0 0 0
RESERVED33 0 0 0
RESERVED35 0 0 0
Table 17 Command output
Field | Description
Interface | Interface referencing the portal server.
Invalid packets | Number of invalid packets.
Pkt-Name | Packet type.
Total | Total number of packets.
Discard | Number of discarded packets.
Checkerr | Number of erroneous packets.
REQ_CHALLENGE | Challenge request message the portal server sent to the access device.
Field | Description
AFF_NTF_USER_NOTIFY | NTF_USER_NOTIFY acknowledgment message the access device sent to the portal server.
NTF_AUTH | Forced authentication notification message the portal server sent to the access device.
ACK_NTF_AUTH | NTF_AUTH acknowledgment message the access device sent to the portal server.
REQ_QUERY_STATE | User online state query message the portal server sent to the access device.
Connection State:
SYN_RECVD: 0
ESTABLISHED: 0
CLOSE_WAIT: 0
LAST_ACK: 0
FIN_WAIT_1: 0
FIN_WAIT_2: 0
CLOSING: 0
Table 18 Command output
Field | Description
TCP Cheat Statistic | TCP spoofing statistics.
Total Opens | Total number of opened connections.
Resets Connections | Number of connections reset through RST packets.
Current Opens | Number of connections being set up.
Packets Received | Number of received packets.
Packets Sent | Number of sent packets.
interface interface-type interface-number: Specifies an interface by its type and name.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
Field | Description
Vlan | VLAN to which the portal user belongs.
Interface | Interface to which the portal user is attached.
Total 2 user(s) matched, 2 listed | Total number of portal users.
portal auth-network
Use portal auth-network to configure a portal authentication source subnet on an interface. You can use this command to configure multiple portal authentication source subnets on an interface. Then, only HTTP packets from the subnets can trigger portal authentication on the interface.
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] portal auth-network 10.10.10.0 24
portal auth-network destination
Use portal auth-network destination to configure an authentication destination subnet on an interface. Then, only users accessing the specified subnet (excluding the destination IP addresses and subnets specified in portal-free rules) trigger portal authentication on the interface. Users can access other networks through the interface without portal authentication.
portal delete-user
Use portal delete-user to log off portal users.
Syntax
portal delete-user { ip-address | all | interface interface-type interface-number }
Views
System view
Default command level
2: System level
Parameters
ip-address: Logs off the portal user with the specified IPv4 address.
all: Logs off all portal users.
interface interface-type interface-number: Logs off all IPv4 portal users on the specified interface.
Examples
# Log off the portal user whose IP address is 1.1.1.1.
Usage guidelines
If the type of the portal server specified for Layer 3 portal authentication is CMCC, you must specify the device ID.
Examples
# Set the device's device ID to 0002.0010.100.00.
system-view
[Sysname] portal device-id 0002.0010.100.00
After this configuration, the redirection URL sent from the device to client 10.1.2.34 is as follows:
http://www.portal.com?wlanuserip=10.1.2.34&wlanacname=0002.0010.100.
portal free-rule
Use portal free-rule to configure a portal-free rule and specify the source filtering condition, destination filtering condition, or both.
Use undo portal free-rule to remove a specific portal-free rule or all portal-free rules.
You cannot configure a portal-free rule to have the same filtering criteria as that of an existing one. When attempted, the system prompts that the rule already exists. Regardless of whether portal authentication is enabled on an interface, you can only add or remove a portal-free rule. You cannot modify it. A Layer 2 interface in an aggregation group cannot be specified as the source interface of a portal-free rule, and the source interface of a portal-free rule cannot be added to an aggregation group.
portal nas-id
Use portal nas-id to specify the NAS ID value carried in a RADIUS request.
Use undo portal nas-id to restore the default.
Syntax
portal nas-id nas-identifier
undo portal nas-id
Default
The device name specified through the sysname command is used as the NAS ID of a RADIUS request. For information about the sysname command, see Fundamentals Command Reference.
Default command level
2: System level
Parameters
profile-name: Name of the profile that defines the binding relationship between VLANs and NAS IDs, a case-insensitive string of 1 to 16 characters. The profile can be configured by using the aaa nas-id profile command. For more information about this command, see "AAA configuration commands."
Usage guidelines
If an interface is specified with a NAS ID profile, the interface prefers to use the binding defined in the profile.
system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] portal nas-ip 2.2.2.2
portal nas-port-id
Use portal nas-port-id to specify the NAS-Port-ID value carried in a RADIUS request.
Use undo portal nas-port-id to restore the default.
Default
The access port type of an interface is not specified, and the NAS-Port-Type value carried in RADIUS requests is the user access port type obtained by the access device.
Views
Interface view
Default command level
2: System level
Parameters
ethernet: Specifies the access port type as Ethernet, which corresponds to code 15.
wireless: Specifies the access port type as IEEE 802.11 standard wireless interface, which corresponds to code 19.
Examples
# Configure the device to redirect a portal user to http://www.testpt.cn after the user passes portal authentication.
system-view
[Sysname] portal redirect-url http://www.testpt.cn
portal server
Use portal server to configure a portal server for Layer 3 portal authentication.
Use undo portal server to remove a portal server, restore the default destination port and default URL address, or delete the shared key or the VPN instance configuration.
url url-string: Specifies the uniform resource locator (URL) to which HTTP packets are to be redirected. The default URL is in the http://ip-address format, where ip-address is the IP address of the portal server. You can also specify the domain name of the portal server, in which case you must use the portal free-rule command to configure the IP address of the DNS server as a portal authentication-free destination IP address.
Default command level
2: System level
Parameters
server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters.
method: Specifies the authentication mode to be used.
direct: Direct authentication.
layer3: Cross-subnet authentication.
redhcp: Re-DHCP authentication.
Usage guidelines
The specified portal server must exist.
Examples
# Enable Layer 3 portal authentication on interface GigabitEthernet 3/0/1, referencing portal server pts and setting the authentication mode to direct.
server-detect method { http | portal-heartbeat }: Specifies the portal server detection method. Two detection methods are available:
• http: Probes HTTP connections. In this method, the access device periodically sends TCP connection requests to the HTTP service port of the portal servers enabled on its interfaces.
Deleting a portal server on the device also deletes the detection function configured for that portal server. If you configure the detection function for a portal server multiple times, the last configuration takes effect. If you do not specify an optional parameter, the default setting of the parameter is used. The portal server detection function takes effect only when the portal server is referenced on an interface.
retry retries: Specifies the maximum number of consecutive failed checks. The retries argument ranges from 1 to 5 and defaults to 4. If the access device finds that one of its users does not exist in the user synchronization packets from the portal server within N consecutive probe intervals (N = retries), it considers that the user does not exist on the portal server and logs the user off.
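The user-synchronization rule above (a user missing from N consecutive synchronization packets, N = retries, is logged off) is the kind of state the access device keeps per user. The following model is an added example and not the device's implementation; class and method names are assumptions, and each call to sync_packet stands for one probe interval.

```python
class PortalUserSync:
    """Model of the user-synchronization check described for portal server detection.

    The portal server periodically sends user synchronization packets listing
    its online users. Each packet processed here counts as one probe interval.
    A user known to the access device who is absent from N consecutive packets
    (N = retries) is considered not to exist on the portal server and is
    logged off. Added illustration; data structures are assumptions.
    """

    def __init__(self, retries=4):
        # retries ranges from 1 to 5 and defaults to 4, per the reference.
        if not 1 <= retries <= 5:
            raise ValueError("retries must be in the range 1 to 5")
        self.retries = retries
        self._misses = {}      # user IP -> consecutive packets without that user
        self.logged_off = []   # audit trail of users the device logged off

    def user_online(self, ip):
        """Register a portal user that has come online on the access device."""
        self._misses.setdefault(ip, 0)

    def user_offline(self, ip):
        """The user logged off normally; stop tracking it."""
        self._misses.pop(ip, None)

    def online_users(self):
        return sorted(self._misses)

    def sync_packet(self, listed_ips):
        """Process one synchronization packet; return users logged off by it."""
        listed = set(listed_ips)
        kicked = []
        for ip in list(self._misses):
            if ip in listed:
                self._misses[ip] = 0          # seen again: the count restarts
                continue
            self._misses[ip] += 1
            if self._misses[ip] >= self.retries:
                kicked.append(ip)             # N consecutive misses: log off
                del self._misses[ip]
        self.logged_off.extend(kicked)
        return kicked
```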
reset portal server statistics
Use reset portal server statistics to clear portal server statistics on a specific interface or all interfaces.
Syntax
reset portal server statistics { all | interface interface-type interface-number }
Views
User view
Default command level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
Examples
# Clear portal server statistics on interface GigabitEthernet 3/0/1.
Port security configuration commands
The port security commands are available only for SAP modules that are operating in bridge mode.
display port-security
Use display port-security to display port security configuration information, operation information, and statistics for one or more ports.
RALM logfailure trap is enabled
AutoLearn aging time is 1 minutes
Disableport Timeout: 20s
OUI value:
Index is 1, OUI value is 000d1a
Index is 2, OUI value is 003c12
GigabitEthernet3/0/1 is link-down
Port mode is userLoginWithOUI
NeedToKnow mode is NeedToKnowOnly
Intrusion Protection mode is DisablePort
Max MAC address number is 50
Stored MAC address number is 0
Authorization is ignored
GigabitEthernet3/0/2 is link-down
Port mode is noRestriction
NeedToKnow mode is disabled
Intrusion Portection mode is
Field | Description
AutoLearn aging time | Secure MAC aging timer. The timer applies to sticky or dynamic secure MAC addresses.
Disableport Timeout | Silence timeout period of the port that receives illegal packets, in seconds.
OUI value | List of OUI values allowed.
Port mode | Port security mode:
• noRestrictions.
• autoLearn.
• macAddressWithRadius.
• macAddressElseUserLoginSecure.
• macAddressElseUserLoginSecureExt.
• secure.
• userLogin.
• userLoginSecure.
• userLoginSecureExt.
Related commands
• port-security enable
• port-security port-mode
• port-security ntk-mode
• port-security intrusion-mode
• port-security max-mac-count
• port-security mac-address security
• port-security authorization ignore
• port-security oui
• port-security trap
display port-security mac-address block
Use display port-security mac-address block to display information about blocked MAC addresses.
--- On slot 2, no mac address found ---
000f-3d80-0d2d GigabitEthernet3/0/1 30
--- On slot 3, 1 mac address(es) found ---
--- 1 mac address(es) found ---
# Display the count of all blocked MAC addresses.
display port-security mac-address block count
--- On slot 2, no mac address found ---
--- On slot 3, 1 mac address(es) found ---
--- 1 mac address(es) found ---
# Display information about all blocked MAC addresses in VLAN 30.
Field | Description
From Port | Port having received frames with the blocked MAC address being the source address.
VLAN ID | ID of the VLAN to which the port belongs.
1 mac address(es) found | Number of blocked MAC addresses on a slot.
On slot 1, 1 mac address(es) found | Number of blocked MAC addresses on slot 1 (in standalone mode).
On slot 2 in chassis 1, 2 mac address(es) found | Number of blocked MAC addresses on slot 2 on IRF member device 1 (in IRF mode).
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME
0002-0002-0002 1 Security GigabitEthernet3/0/1 NOAGED
000d-88f8-0577 1 Security GigabitEthernet3/0/1 NOAGED
--- 2 mac address(es) found ---
# Display only the count of the secure MAC addresses.
display port-security mac-address security count
This operation may take a few minutes, please wait......
--- 2 mac address(es) found ---
# Display information about secure MAC addresses in VLAN 1.
port-security authorization ignore
Use port-security authorization ignore to configure a port to ignore the authorization information received from the server (a RADIUS server or the local device).
Use undo port-security authorization ignore to restore the default.
Syntax
port-security authorization ignore
undo port-security authorization ignore
Default
A port uses the authorization information from the server.
Usage guidelines
You must disable global 802.1X and MAC authentication before you enable port security on a port.
Enabling or disabling port security resets the following security settings to the default:
• 802.1X access control mode is MAC-based, and the port authorization state is auto.
• Port security mode is noRestrictions.
You cannot disable port security when online users are present.
Examples
# Enable port security.
Usage guidelines
To restore the connection of the port, use the undo shutdown command.
Examples
# Configure port GigabitEthernet 3/0/1 to block the source MAC addresses of illegal frames after intrusion protection is triggered.
port-security mac-address dynamic
Use port-security mac-address dynamic to enable the dynamic secure MAC function. This function converts sticky MAC addresses to dynamic, and disables saving them to the configuration file.
Use undo port-security mac-address dynamic to disable the dynamic secure MAC function. Then, all dynamic secure MAC addresses are converted to sticky MAC addresses, and you can manually configure sticky MAC addresses.
undo port-security mac-address security [ sticky ] mac-address vlan vlan-id
In system view:
port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id
undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ]
Default
No secure MAC address entry is configured.
Examples # Enable port security, set port GigabitEthernet 3/0/1 in autoLearn mode, and add a static secure MAC address 0001-0001-0002 in VLAN 10.
Usage guidelines In autoLearn mode, this command sets the maximum number of secure MAC addresses (both configured and automatically learned) on the port. The maximum number set by this command cannot be smaller than the current number of MAC addresses saved on the port. In any other mode that enables 802.1X, MAC authentication, or both, this command sets the maximum number of authenticated MAC addresses on the port.
Usage guidelines
The need to know (NTK) feature checks the destination MAC addresses in outbound frames so that frames are sent only to devices that have passed authentication, preventing illegal devices from intercepting network traffic.
Examples
# Set the NTK mode of port GigabitEthernet 3/0/1 to ntkonly, allowing the port to forward received packets only to devices that have passed authentication.
Related commands
display port-security
port-security port-mode
Use port-security port-mode to set the port security mode of a port.
Use undo port-security port-mode to restore the default.
Keyword | Security mode | Description
mac-else-userlogin-secure-ext | macAddressElseUserLoginSecureExt | Similar to the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.
In this mode, MAC address learning is disabled on the port and you can configure MAC addresses by using the mac-address static and mac-address dynamic commands.
Examples
# Enable port security and set port GigabitEthernet 3/0/1 in secure mode.
system-view
[Sysname] port-security enable
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] port-security port-mode secure
# Change the port security mode of port GigabitEthernet 3/0/1 to userLogin.
Syntax
port-security timer disableport time-value
undo port-security timer disableport
Default
The silence period is 20 seconds.
Views
System view
Default command level
2: System level
Parameters
time-value: Specifies the silence period in seconds during which the port remains disabled. The value range is 20 to 300.
Usage guidelines
If you configure the intrusion protection policy as disabling the port temporarily whenever it receives an illegal frame, use this command to set the silence period.
Parameters
addresslearned: Enables MAC address learning traps. The port security module sends traps when a port learns a new MAC address.
dot1xlogfailure: Enables 802.1X authentication failure traps. The port security module sends traps when an 802.1X authentication fails.
dot1xlogon: Enables 802.1X authentication success traps. The port security module sends traps when an 802.1X authentication is passed.
dot1xlogoff: Enables 802.1X user logoff event traps. The port security module sends traps when an 802.
User profile configuration commands
display user-profile
Use display user-profile to display information about all user profiles that have been created.
Syntax
display user-profile [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Syntax
user-profile profile-name enable
undo user-profile profile-name enable
Default
A created user profile is disabled.
Views
System view
Default command level
2: System level
Parameters
profile-name: Specifies a user profile name, a case-sensitive string of 1 to 31 characters. It can only contain English letters, digits, and underscores, and it must start with an English letter. The user profile must already exist.
Usage guidelines
Only enabled user profiles can be applied to authenticated users.
Parameters
profile-name: Assigns a name to the user profile. The name is a case-sensitive string of 1 to 31 characters. It can only contain English letters, digits, and underscores, and it must start with an English letter. A user profile name must be globally unique.
Examples
# Create user profile a123.
system-view
[Sysname] user-profile a123
[Sysname-user-profile-a123]
# Enter the user profile view of a123.
Password control configuration commands
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
display password-control
Use display password-control to display password control configuration information.
Password complexity: Disabled (username checking)
Disabled (repeated characters checking)
# Display the password control configuration for super passwords.
display password-control super
Super password control configurations:
Password aging: Enabled (90 days)
Password length: Enabled (10 characters)
Password composition: Enabled (1 types, 1 characters per type)
Table 24 Command output
Field | Description
Password control | Whether the password control feature is enabled.
Views
Any view
Default command level
2: System level
Parameters
user-name name: Specifies a user by the name, a string of 1 to 80 characters.
ip ipv4-address: Specifies the IPv4 address of a user.
ipv6 ipv6-address: Specifies the IPv6 address of a user.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
Syntax
password
undo password
Views
Local user view
Default command level
2: System level
Usage guidelines
Valid characters for a local user password are from the following four types:
• Uppercase letters A to Z.
• Lowercase letters a to z.
• Digits 0 to 9.
• Special characters in Table 26.
[Sysname-luser-test] password
Password:**********
Confirm :**********
Updating user(s) information, please wait....
password-control { aging | composition | history | length } enable
Use password-control { aging | composition | history | length } enable to enable the password aging, composition restriction, history, or minimum password length restriction function.
Use undo password-control { aging | composition | history | length } enable to disable the specified function.
[Sysname] password-control aging enable
# Enable the minimum password length restriction function.
[Sysname] password-control length enable
# Enable the password history function.
[Sysname] password-control history enable
Related commands
• password-control enable
• display password-control
password-control aging
Use password-control aging to set the password aging time.
Use undo password-control aging to restore the default.
[Sysname-ugroup-test] password-control aging 90
[Sysname-ugroup-test] quit
# Set the password aging time for local user abc to 100 days.
[Sysname] local-user abc
[Sysname-luser-abc] password-control aging 100
Related commands
• display password-control
• local-user
• user-group
password-control alert-before-expire
Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration.
Default
The user authentication timeout time is 60 seconds.
Views
System view
Default command level
2: System level
Parameters
authentication-timeout: Specifies the user authentication timeout time in seconds. The value range is 30 to 120.
Examples
# Set the user authentication timeout time to 40 seconds.
system-view
[Sysname] password-control authentication-timeout 40
password-control complexity
Use password-control complexity to configure the password complexity checking policy.
password-control composition
Use password-control composition to configure the password composition policy.
Use undo password-control composition to restore the default.
[Sysname] user-group test
[Sysname-ugroup-test] password-control composition type-number 3 type-length 5
[Sysname-ugroup-test] quit
# Specify that the passwords of local user abc must contain at least three types of characters and each type must contain at least five characters.
Syntax
password-control expired-user-login delay delay times times
undo password-control expired-user-login
Default
A user can log in three times within 30 days after the password expires.
Views
System view
Default command level
2: System level
Parameters
delay: Specifies the maximum number of days during which a user can log in using an expired password. It must be in the range of 1 to 90.
times: Specifies the maximum number of times a user can log in after the password expires.
system-view
[Sysname] password-control history 10
password-control length
Use password-control length to set the minimum password length.
Use undo password-control length to restore the default.
Syntax
password-control length length
undo password-control length
Default
The global minimum password length is 10 characters. The minimum password length of a user group equals the global setting.
[Sysname-ugroup-test] password-control length 9
[Sysname-ugroup-test] quit
# Set the minimum password length to 9 characters for local user abc.
[Sysname] local-user abc
[Sysname-luser-abc] password-control length 9
Related commands
• display password-control
• local-user
• user-group
password-control login idle-time
Use password-control login idle-time to set the maximum account idle time. If a user account is idle for this period of time, you can no longer use this account to log in to the device.
Syntax
password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
undo password-control login-attempt
Default
The maximum number of consecutive failed login attempts is 3, and a user failing to log in after the specified number of attempts must wait for 1 minute before trying again.
Views
System view
Default command level
2: System level
Parameters
login-times: Specifies the maximum number of consecutive failed login attempts, in the range of 2 to 10.
<Sysname> system-view
[Sysname] password-control login-attempt 2 exceed lock-time 3
Later, if a user tries to log in but fails two times, you can find it in the password control blacklist with its status changed from unlock to lock:
[Sysname] display password-control blacklist
Username: test IP: 192.168.44.1
Login failed times: 2 Lock flag: lock
Total 1 blacklist item(s) matched. 1 listed.
After 3 minutes, the user is removed from the password control blacklist and can log in again.
password-control super aging
Use password-control super aging to set the aging time for super passwords.
Use undo password-control super aging to restore the default.
Syntax
password-control super aging aging-time
undo password-control super aging
Default
The aging time for super passwords is the same as the global password aging time.
Views
System view
Default command level
2: System level
Parameters
aging-time: Specifies the super password aging time in days, in the range of 1 to 365.
Default command level
2: System level
Parameters
type-number type-number: Specifies the minimum number of character types for super passwords. The value range for the type-number argument is 1 to 4 in non-FIPS mode. In FIPS mode, the type-number argument is fixed to 4.
type-length type-length: Specifies the minimum number of characters that are from each character type for super passwords. The value range for the type-length argument is 1 to 16.
If you have specified the minimum length of super passwords, the system applies the specified minimum length to super passwords.
Examples
# Set the minimum length for super passwords to 10 characters.
<Sysname> system-view
[Sysname] password-control super length 10
Related commands
password-control length
reset password-control blacklist
Use reset password-control blacklist to remove all or one user from the password control blacklist.
Parameters
user-name name: Specifies the username of the user whose password records are to be deleted. The name argument is a case-sensitive string of 1 to 80 characters.
super: Deletes the history records of the super password specified by the level level option, or the history records of all super passwords.
level level: Specifies a user level in the range of 1 to 3.
Usage guidelines
With no arguments or keywords specified, this command deletes the history password records of all local users.
RSH configuration commands
rsh
Use rsh to execute an OS command on a remote host.
Syntax
rsh host [ user username ] command remote-command
Views
User view
Default command level
0: Visit level
Parameters
host: IP address or host name of the remote host, a string of 1 to 20 characters.
user username: Specifies the username for remote login, a string of 1 to 20 characters. If you do not specify a username, the system name of the device, which can be set by using the sysname command, applies.
Public key configuration commands
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
display public-key local public
Use display public-key local public to display the public key information of local asymmetric key pairs.
Time of Key pair created: 19:59:17 2007/10/25
Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code: 307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12
B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75
1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001
# Display the public key information of the local DSA key pair.
display public-key peer
Use display public-key peer to display information about the specified or all peer public keys on the local device.
Syntax
display public-key peer [ brief | name publickey-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
brief: Displays brief information about all peer public keys.
name publickey-name: Specifies a peer public key by its name, a case-sensitive string of 1 to 64 characters.
Table 28 Command output
Field | Description
Key Name | Name of the public key.
Key Type | Key type: RSA or DSA.
Key Module | Key modulus length in bits.
Key Code | Public key data.
# Display brief information about all locally saved peer public keys.
<Sysname> display public-key peer brief
Type  Module  Name
--------------------------
RSA   1024    idrsa
DSA   1024    10.1.1.1
Table 29 Command output
Field | Description
Type | Key type: RSA or DSA.
Module | Key modulus length in bits.
public-key-code begin
Use public-key-code begin to enter public key code view. Then, enter the key data in the correct format to specify the peer public key. Spaces and carriage returns are allowed between characters, but are not saved.
Syntax
public-key-code begin
Views
Public key view
Default command level
2: System level
Usage guidelines
If the peer device is an HP device, input the key data displayed by the display public-key local public command so that the key is format compliant.
Usage guidelines
The system verifies the key before saving it. If the key is not in the correct format, the system discards the key and displays an error message. If the key is valid, the system saves the key.
Examples
# Exit public key code view and save the configured public key.
Table 30 Default local key pair names
Type | Default name
RSA | • Host key pair: hostkey • Server key pair: serverkey
DSA | dsakey
Usage guidelines
When using this command to create DSA or RSA key pairs, you are asked to provide the length of the key modulus. The modulus length is in the range of 512 to 2048 bits, and defaults to 1024 bits. In FIPS mode, the DSA key modulus length is at least 1024 bits, and the RSA key modulus length must be 2048 bits.
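The Key code that display public-key local public prints is a DER-encoded SubjectPublicKeyInfo, so an auditor can recover the modulus length from it and compare it with the 512 to 2048-bit range and the FIPS-mode 2048-bit requirement stated above. The following parser is an added example, not the router's code; the key code it parses is the RSA key shown earlier on this page, and the policy limits it checks are the ones quoted in these usage guidelines.

```python
"""Parse the DER 'Key code' of an RSA public key and check its modulus length.
Added example; the key code below is copied from the display output on this page."""
import re

PAGE_KEY_CODE = (
    "307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12"
    "B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75"
    "1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001"
)
RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"          # PKCS#1 rsaEncryption
SEQUENCE, INTEGER, BIT_STRING, OID = 0x30, 0x02, 0x03, 0x06


def read_tlv(data, pos, expected_tag):
    """Read one DER tag-length-value at pos; return (value bytes, position after it)."""
    if data[pos] != expected_tag:
        raise ValueError("expected tag 0x%02X at offset %d, got 0x%02X"
                         % (expected_tag, pos, data[pos]))
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated key code")
    return data[pos:pos + length], pos + length


def decode_oid(content):
    """Turn DER OID content bytes into dotted notation."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_rsa_key_code(hex_text):
    """Return the algorithm OID, modulus bit length and public exponent of the key."""
    der = bytes.fromhex(re.sub(r"\s+", "", hex_text))
    spki, end = read_tlv(der, 0, SEQUENCE)           # SubjectPublicKeyInfo
    if end != len(der):
        raise ValueError("trailing bytes after key code")
    alg_id, pos = read_tlv(spki, 0, SEQUENCE)        # AlgorithmIdentifier
    oid, _ = read_tlv(alg_id, 0, OID)
    algorithm = decode_oid(oid)
    if algorithm != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key: " + algorithm)
    bit_string, _ = read_tlv(spki, pos, BIT_STRING)  # subjectPublicKey
    if bit_string[0] != 0:
        raise ValueError("unexpected unused bits in subjectPublicKey")
    rsa_key, _ = read_tlv(bit_string, 1, SEQUENCE)   # RSAPublicKey ::= { n, e }
    n_bytes, pos = read_tlv(rsa_key, 0, INTEGER)
    e_bytes, _ = read_tlv(rsa_key, pos, INTEGER)
    n = int.from_bytes(n_bytes, "big")               # leading 0x00 pad is harmless
    return {"algorithm": algorithm, "modulus_bits": n.bit_length(),
            "exponent": int.from_bytes(e_bytes, "big")}


def modulus_policy_check(hex_text, fips_mode=False):
    """Compare the modulus length with the limits quoted on this page."""
    bits = parse_rsa_key_code(hex_text)["modulus_bits"]
    if fips_mode:
        return {"modulus_bits": bits, "ok": bits == 2048}
    return {"modulus_bits": bits, "ok": 512 <= bits <= 2048}
```

The page's example key turns out to be a 768-bit modulus with exponent 65537: inside the non-FIPS range, but far below what FIPS mode would accept.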
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++
+++++++
+++++++++
+++
Related commands
• public-key local destroy
• display public-key local public
public-key local destroy
Use public-key local destroy to destroy a local asymmetric key pair.
Syntax
public-key local destroy { dsa | rsa } [ name key-name ]
Views
System view
Default command level
2: System level
Parameters
dsa: Specifies the DSA key pair.
rsa: Specifies the RSA key pair.
public-key local export
Use public-key local export to display an RSA key pair in PEM format on the terminal.
Syntax
public-key local export rsa name key-name pem { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc } password
Views
System view
Default command level
2: System level
Parameters
rsa: Specifies an RSA key pair.
name key-name: Specifies an RSA key pair by its name. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-).
Usage guidelines
SSH1, SSH2.0 and OpenSSH are different public key formats for different requirements.
Examples
# Export the host public key of the local RSA key pairs in OpenSSH format to the file named key.pub.
<Sysname> system-view
[Sysname] public-key local export public rsa openssh key.pub
# Display the host public key of the local RSA key pairs in SSH2.0 format.
Usage guidelines
The system saves the imported RSA key pair at a different location from the default RSA key pair to avoid overwriting the default RSA key pair. The RSA key pair to be imported must be in PEM format so that it can be copied and pasted onto the terminal. After you execute the public-key local import command, copy the private key of the RSA key pair onto the terminal when prompted. The public key is included in the private key.
public-key peer
Use public-key peer to specify a name for the peer public key and enter public key view.
Use undo public-key peer to remove the public key.
Syntax
public-key peer keyname
undo public-key peer keyname
Views
System view
Default command level
2: System level
Parameters
keyname: Specifies a name for the peer public key on the local device, a case-sensitive string of 1 to 64 characters.
undo public-key peer keyname
Views
System view
Default command level
2: System level
Parameters
keyname: Specifies a public key name, a case-sensitive string of 1 to 64 characters.
filename: Specifies the name of the file that saves the peer host public key. For more information about file names, see Fundamentals Configuration Guide.
Usage guidelines
After execution of this command, the system automatically transforms the peer host public key to the PKCS format, and imports the key.
PKI configuration commands
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
attribute
Use attribute to configure the attribute rules of the certificate issuer name, certificate subject name, and alternative certificate subject name.
Use undo attribute to delete the attribute rules of one or all certificates.
Usage guidelines
The attribute of the alternative certificate subject name does not appear as a distinguished name, and therefore the dn keyword is not available for the attribute.
Examples
# Create a certificate attribute rule, specifying that the DN in the subject name includes the string abc.
Use undo certificate request entity to remove the configuration.
Syntax
certificate request entity entity-name
undo certificate request entity
Default
No entity is specified for certificate request.
Views
PKI domain view
Default command level
2: System level
Parameters
entity-name: Specifies an entity name for certificate request, a case-insensitive string of 1 to 15 characters.
Examples
# Specify the entity for certificate request as entity1.
Examples
# Specify that the entity requests a certificate from the CA.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request from ca
certificate request mode
Use certificate request mode to set the certificate request mode.
Use undo certificate request mode to restore the default.
Syntax
certificate request mode { auto [ key-length key-length | password { cipher | simple } password ] * | manual }
undo certificate request mode
Default
Manual mode is used.
Related commands
pki request-certificate
certificate request polling
Use certificate request polling to specify the certificate request polling interval and attempt limit.
Use undo certificate request polling to restore the defaults.
Syntax
certificate request polling { count count | interval minutes }
undo certificate request polling { count | interval }
Default
The polling is executed every 20 minutes for up to 50 times.
Default
No URL is specified for a PKI domain.
Views
PKI domain view
Default command level
2: System level
Parameters
url-string: Specifies the server URL for certificate request, a case-insensitive string of 1 to 127 characters. It comprises the location of the server and the location of the CGI command interface script, in the format http://server_location/ca_script_location, where server_location must be an IP address; domain name resolution is not supported.
country
Use country to specify the code of the country to which an entity belongs. It is a standard 2-character code, for example, CN for China.
Use undo country to remove the configuration.
Syntax
country country-code-str
undo country
Default
No country code is specified.
Views
PKI entity view
Default command level
2: System level
Parameters
country-code-str: Specifies a country code for the entity, a case-insensitive string of 2 characters.
Examples
# Set the country code of an entity to CN.
Usage guidelines
CRLs are files issued by the CA to publish all certificates that have been revoked. Revocation of a certificate might occur before the certificate expires. CRL checking is intended for checking whether a certificate has been revoked. A revoked certificate is no longer trusted.
Examples
# Disable CRL checking.
Default
No CRL distribution point URL is specified.
Views
PKI domain view
Default command level
2: System level
Parameters
url-string: Specifies the URL of the CRL distribution point, a case-insensitive string of 1 to 125 characters in the format ldap://server_location or http://server_location, where server_location must be an IP address or a domain name.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the local certificate.
<Sysname> display pki certificate local domain 1
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number: 10B7D4E3 00010000 0086
    Signature Algorithm: md5WithRSAEncryption
    Issuer: emailAddress=myca@aabbcc.
Field | Description
Issuer | Issuer of the certificate.
Validity | Validity period of the certificate.
Subject | Entity holding the certificate.
Subject Public Key Info | Public key information of the entity.
X509v3 extensions | Extensions of the X.509 (version 3) certificate.
X509v3 CRL Distribution Points | Distribution points of X.509 (version 3) CRLs.
Table 32 Command output
Field | Description
access-control-policy | Name of the certificate attribute-based access control policy.
rule number | Number of the access control rule.
display pki certificate attribute-group
Use display pki certificate attribute-group to display information about one or all certificate attribute groups.
Field | Description
abc | Value of attribute 1.
issuer-name | Name of the certificate issuer.
fqdn | FQDN of the entity.
nctn | Not-contain operation.
app | Value of attribute 2.
display pki crl domain
Use display pki crl domain to display the locally saved CRLs.
Syntax
display pki crl domain domain-name [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
domain-name: Specifies a PKI domain name, a string of 1 to 15 characters.
Revoked Certificates:
  Serial Number: 05a234448E…
  Revocation Date: Sep 6 12:33:22 2004 GMT
  CRL entry extensions:…
  Serial Number: 05a278445E…
  Revocation Date: Sep 7 12:33:22 2004 GMT
  CRL entry extensions:…
Table 34 Command output
Field | Description
Version | Version of the CRL.
Signature Algorithm | Signature algorithm used by the CRLs.
Issuer | CA issuing the CRLs.
Last Update | Last update time.
Next Update | Next update time.
CRL extensions | Extensions of the CRL.
Parameters
name-str: Specifies a fully qualified domain name (FQDN) for an entity, a case-insensitive string of 1 to 127 characters.
Usage guidelines
An FQDN is the unique identifier of an entity on a network. It consists of a host name and a domain name and can be resolved into an IP address.
Examples
# Configure the FQDN of an entity as pki.domain-name.com.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] fqdn pki.domain-name.
Default
No LDAP server is specified for a PKI domain.
Views
PKI domain view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address of the LDAP server, in dotted decimal format.
port-number: Specifies the port number of the LDAP server. The value range is 1 to 65535, and the default is 389.
version-number: Specifies the LDAP version number, 2 or 3. The default is 2.
Examples
# Specify an LDAP server for PKI domain 1.
organization
Use organization to configure the name of the organization to which the entity belongs.
Use undo organization to remove the configuration.
Syntax
organization org-name
undo organization
Default
No organization name is specified for an entity.
Views
PKI entity view
Default command level
2: System level
Parameters
org-name: Specifies an organization name for an entity, a case-insensitive string of 1 to 31 characters. No comma can be included.
Examples
# Configure the name of the organization unit to which an entity belongs as group1.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] organization-unit group1
pki certificate access-control-policy
Use pki certificate access-control-policy to create a certificate attribute-based access control policy and enter its view.
Use undo pki certificate access-control-policy to remove one or all certificate attribute-based access control policies.
Views
System view
Default command level
2: System level
Parameters
group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 16 characters. It cannot be a, al, or all.
all: Specifies all certificate attribute groups.
Examples
# Create a certificate attribute group named mygroup and enter its view.
Default
No PKI domain exists.
Views
System view
Default command level
2: System level
Parameters
domain-name: Specifies a PKI domain name, a case-insensitive string of 1 to 15 characters.
Usage guidelines
You can create up to 32 PKI domains on a device.
Examples
# Create a PKI domain and enter its view.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1]
pki entity
Use pki entity to create a PKI entity and enter its view.
Use undo pki entity to remove a PKI entity.
pki import-certificate
Use pki import-certificate to import a CA certificate or local certificate from a file and save it locally.
Syntax
pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]
Views
System view
Default command level
2: System level
Parameters
ca: Specifies the CA certificate.
local: Specifies the local certificate.
domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.
der: Specifies the DER certificate format.
Views
System view
Default command level
2: System level
Parameters
domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.
password: Specifies the password for certificate revocation, a case-sensitive string of 1 to 31 characters.
pkcs10: Displays the BASE64-encoded PKCS#10 certificate request information, which can be used to request a certificate by out-of-band means, such as phone, disk, or email.
local: Obtains the local certificate.
domain-name: Specifies a PKI domain by its name.
Examples
# Obtain the CA certificate from the CA server.
<Sysname> system-view
[Sysname] pki retrieval-certificate ca domain 1
Related commands
pki domain
pki retrieval-crl domain
Use pki retrieval-crl domain to obtain the latest CRLs from the server for CRL distribution.
Parameters
ca: Verifies the CA certificate.
local: Verifies the local certificate.
domain-name: Specifies the name of the PKI domain to which the certificate to be verified belongs, a string of 1 to 15 characters.
Usage guidelines
Certificate validity verification checks that the certificate is signed by the CA and that the certificate has neither expired nor been revoked.
Examples
# Verify the validity of the local certificate.
# Configure a SHA1 fingerprint for verifying the validity of the CA root certificate.
[Sysname-pki-domain-1] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
rule (PKI CERT ACP view)
Use rule to create a certificate attribute access control rule.
Use undo rule to delete one or all access control rules.
Syntax
rule [ id ] { deny | permit } group-name
undo rule { id | all }
Default
No access control rule exists.
Syntax
state state-name
undo state
Default
No state or province is specified.
Views
PKI entity view
Default command level
2: System level
Parameters
state-name: Specifies the state or province name, a case-insensitive string of 1 to 31 characters. No comma can be included.
Examples
# Specify the state where an entity resides.
IPsec configuration commands
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
ah authentication-algorithm
Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
Use undo ah authentication-algorithm to restore the default.
connection-name
Use connection-name to configure an IPsec connection name. This name functions only as a description of the IPsec policy.
Use undo connection-name to restore the default.
Syntax
connection-name name
undo connection-name
Default
No IPsec connection name is configured.
Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Parameters
name: Specifies the IPsec connection name, a case-insensitive string of 1 to 32 characters.
Examples
# Enable the encryption engine.
<Sysname> system-view
[Sysname] cryptoengine enable
display ipsec policy
Use display ipsec policy to display information about IPsec policies.
Syntax
display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
brief: Displays brief information about all IPsec policies.
toccccc-1          isakmp  3003  tocccc
IPsec Policy Name  Mode    ACL   Local Address  Remote Address
-----------------------------------------------------------------------
man-1              manual  3400  3.3.3.1        3.3.3.2
Table 35 Command output
Field | Description
IPsec Policy Name | Name and sequence number of the IPsec policy, separated by a hyphen.
Mode | Negotiation mode of the IPsec policy: • manual—Manual mode. • isakmp—IKE negotiation mode. • template—IPsec policy template mode. • gdoi—GDOI mode.
Interface: GigabitEthernet3/0/2
===========================================
-----------------------------------------
IPsec policy name: "policy_man"
sequence number: 10
acl version: ACL4
mode: manual
-----------------------------------------
encapsulation mode: tunnel
security data flow : 3002
tunnel local address: 162.105.10.1
tunnel remote address: 162.105.10.
tunnel remote address:
transform-set name: prop1
inbound AH setting:
  AH spi:
  AH string-key:
  AH authentication hex key: ******
inbound ESP setting:
  ESP spi: 23456 (0x5ba0)
  ESP string-key:
  ESP encryption hex key: ******
  ESP authentication hex key: ******
outbound AH setting:
  AH spi:
  AH string-key:
  AH authentication hex key:
outbound ESP setting:
  ESP spi: 23456 (0x5ba0)
  ESP string-key:
  ESP encryption hex key: ******
  ESP authentication hex key: ******
===========================================
IPsec Policy Gro
Field | Description
encapsulation mode | IPsec packet encapsulation mode: • tunnel—Tunnel mode. • transport—Transport mode.
selector mode | Data flow protection mode of the IPsec policy, standard or aggregation.
ike-peer name | IKE peer referenced by the IPsec policy.
PFS | Whether perfect forward secrecy is enabled.
DH group | DH group used. Its value can be 1, 2, 5, or 14.
tunnel local address | Local IP address of the tunnel.
tunnel remote address | Remote IP address of the tunnel.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Table 38 Command output
Field | Description
encapsulation mode | IPsec packet encapsulation mode: • tunnel—Tunnel mode. • transport—Transport mode.
security data flow | ACL referenced by the IPsec policy template.
ACL's Version | ACL version: • acl4—IPv4 ACL. • acl6—IPv6 ACL.
ike-peer name | IKE peer referenced by the IPsec policy template.
PFS | Whether perfect forward secrecy is enabled.
DH group | DH group used. Its value can be 1, 2, 5, or 14.
Usage guidelines
If you do not specify any parameters, the command displays the configuration information of all IPsec profiles.
Examples
# Display the configuration of all IPsec profiles.
Field | Description
encapsulation mode | Encapsulation mode for the IPsec profile: • dvpn—DVPN tunnel mode. • tunnel—IPsec tunnel mode.
security data flow | ACL referenced by the IPsec profile. As an IPsec profile does not reference any ACL, no information is displayed for this field.
ike-peer name | IKE peer referenced by the IPsec profile.
PFS | Whether perfect forward secrecy is enabled.
DH group | DH group used. Its value can be 1, 2, 5, or 14.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any parameters, the command displays information about all IPsec SAs.
local address: 2.2.2.2
remote address: 1.1.1.2
flow:
  sour addr: 192.168.2.0/255.255.255.0  port: 0  protocol: IP
  dest addr: 192.168.1.0/255.255.255.
No duration limit for this sa
[outbound AH SAs]
  spi: 0x12d683 (1234563)
  transform: AH-MD5HMAC96
  in use setting: Transport
  connection id: 4
  No duration limit for this sa
===============================
Interface: GigabitEthernet1/0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "r2"
sequence number: 1
mode: gdoi
-----------------------------
PFS: N, DH group: none
tunnel:
  local address: 2.2.2.2
  remote address: 0.0.0.0
flow:
  sour addr: 192.168.2.0/255.255.
  in use setting: Tunnel
  connection id: 7
  sa duration (kilobytes/sec): 4294967295/604800
  sa remaining duration (kilobytes/sec): 1843200/2686
  anti-replay detection: Disabled
  udp encapsulation used for nat traversal: N/A
  status: active
  spi: 0xBC1D46C4(3156035268)
  transfrom: ESP-ENCRYPT-DES ESP-AUTH-MD5
  in use setting: Tunnel
  connection id: 8
  sa duration (kilobytes/sec): 4294967295/604800
  sa remaining duration (kilobytes/sec): 1843200/2686
  anti-replay detection: Disabled
Table 41 Command output
Field | Description
Field | Description
transform | Security protocol and algorithms used by the IPsec transform set.
in use setting | IPsec SA attribute setting: transport or tunnel.
connection id | IPsec tunnel identifier.
sa duration | Lifetime of the IPsec SA.
sa remaining duration | Remaining lifetime of the SA.
anti-replay detection | Whether IPsec anti-replay detection is enabled.
anti-replay window size(time based) | Anti-replay window size (time-based), in seconds.
Examples
# Display statistics for all IPsec packets.
Field | Description
dropped security packet detail | Detailed information about inbound/outbound packets that get dropped.
not enough memory | Number of packets dropped due to lack of memory.
can't find SA | Number of packets dropped because no security association was found.
queue is full | Number of packets dropped due to full queues.
authentication has failed | Number of packets dropped due to authentication failure.
wrong length | Number of packets dropped due to wrong packet length.
Examples
# Display information about all IPsec transform sets.
<Sysname> display ipsec transform-set
IPsec transform-set name: tran1
  encapsulation mode: tunnel
  ESN : disable
  ESN scheme: NO
  transform: esp-new
  ESP protocol:
    Integrity: md5-hmac-96
    Encryption: des
IPsec transform-set name: tran2
  encapsulation mode: transport
  transform: esp-new
  ESP protocol:
    Integrity: md5-hmac-96
    Encryption: des
Table 43 Command output
Field | Description
IPsec transform-set name | Name of the IPsec transform set.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about IPsec tunnels.
Field | Description
perfect forward secrecy | Perfect forward secrecy, indicating which DH group is to be used for fast negotiation mode in IKE phase 2.
SA's SPI | SPIs of the inbound and outbound SAs.
tunnel | Local and remote addresses of the tunnel.
flow | Data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port and protocol.
as defined in acl 3001 | The IPsec tunnel protects all data flows defined by ACL 3001.
esp authentication-algorithm
Use esp authentication-algorithm to specify authentication algorithms for ESP.
Use undo esp authentication-algorithm to restore the default.
Syntax
esp authentication-algorithm { md5 | sha1 }
undo esp authentication-algorithm
Default
In FIPS mode, ESP uses the SHA-1 authentication algorithm. In non-FIPS mode, ESP uses no authentication algorithm.
Syntax
esp encryption-algorithm { 3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des }
undo esp encryption-algorithm
Default
In FIPS mode, ESP uses the AES-128 encryption algorithm. In non-FIPS mode, ESP uses no encryption algorithm.
Views
IPsec transform set view
Default command level
2: System level
Parameters
3des: Uses the triple Data Encryption Standard (3DES) in CBC mode, which uses a 168-bit key. This keyword is not supported in FIPS mode.
This command applies only to IKE negotiation mode.
Syntax
ike-peer peer-name
undo ike-peer peer-name
Views
IPsec policy view, IPsec policy template view, IPsec profile view
Default command level
2: System level
Parameters
peer-name: Specifies the IKE peer name, a string of 1 to 32 characters.
Examples
# Configure a reference to an IKE peer in an IPsec policy.
[Sysname] ipsec anti-replay check
ipsec anti-replay window
Use ipsec anti-replay window to set the size of the anti-replay window.
Use undo ipsec anti-replay window to restore the default.
Syntax
ipsec anti-replay window width
undo ipsec anti-replay window
Default
The size of the anti-replay window is 32.
Views
System view
Default command level
2: System level
Parameters
width: Specifies the size of the anti-replay window. It can be 32, 64, 128, 256, 512, or 1024.
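What the window width buys in practice, as an added example that is not the router's code: a sliding bitmap anti-replay window in the style of RFC 4303, run over a constructed trace of sequence numbers. A number newer than the highest seen slides the window forward, a number inside the window is accepted once and flagged as a replay if it arrives again, and a number that has fallen behind the window is dropped; running the same trace with width 64 shows a reordered packet being accepted that width 32 would have discarded.

```python
"""Sliding anti-replay window sized like 'ipsec anti-replay window'.
Added example; the packet trace below is constructed, not captured."""

ALLOWED_WIDTHS = (32, 64, 128, 256, 512, 1024)   # the widths the command accepts


class AntiReplayWindow:
    def __init__(self, width=32):
        if width not in ALLOWED_WIDTHS:
            raise ValueError("width must be one of %s" % (ALLOWED_WIDTHS,))
        self.width = width
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set: sequence number (highest - i) already seen

    def check(self, seq):
        """Classify one received AH/ESP sequence number and update the window."""
        if seq <= 0:
            return "too-old"      # sequence numbers start at 1
        if seq > self.highest:    # newer than anything seen: slide the window forward
            shift = seq - self.highest
            mask = (1 << self.width) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.width:
            return "too-old"      # fell off the left edge of the window
        if self.bitmap & (1 << offset):
            return "replay"       # already received once: replayed packet
        self.bitmap |= 1 << offset
        return "accept"           # late but first time seen


def classify(seqs, width=32):
    """Run a sequence-number trace through one window; returns one verdict per packet."""
    window = AntiReplayWindow(width)
    return [window.check(s) for s in seqs]


# Constructed trace: reordered delivery (3 before 2), one replay of 3, then a
# jump to 40 that leaves packets 1 and 8 more than 32 behind the newest one.
SAMPLE_TRACE = [1, 3, 2, 3, 40, 8, 9, 1]
```

With the default width of 32 the late packet 8 is dropped as too old; with width 64 it is accepted, while the second copy of packet 1 is still recognised as a replay.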
Examples
# Enable ACL checking of de-encapsulated IPsec packets.
<Sysname> system-view
[Sysname] ipsec decrypt check
ipsec fragmentation before-encryption
Use ipsec fragmentation before-encryption enable to enable IPsec packet fragmentation before encryption.
Use undo ipsec fragmentation before-encryption enable to enable IPsec packet fragmentation after encryption.
Use undo ipsec invalid-spi-recovery enable to restore the default.
Syntax
ipsec invalid-spi-recovery enable
undo ipsec invalid-spi-recovery enable
Default
The invalid SPI recovery is disabled. The receiver discards IPsec packets with invalid SPIs.
Views
System view
Default command level
2: System level
Usage guidelines
Invalid SPI recovery enables an IPsec security gateway to send an INVALID SPI NOTIFY message to its peer when it receives an IPsec packet but cannot find any SA with the specified SPI.
For each packet to be sent out an IPsec-protected interface, the system checks the IPsec policies of the IPsec policy group in ascending order of sequence numbers. If it finds an IPsec policy whose ACL matches the packet, it uses that IPsec policy to protect the packet. If no ACL of any IPsec policy in the group matches the packet, the system does not provide IPsec protection for the packet and sends it out directly.
Examples
# Apply IPsec policy group pg1 to interface Serial 2/1/2.
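The selection rule above, as an added example that is not the router's own code: policies of a group are tried in ascending sequence number and the first one whose ACL permits the packet wins; a packet no policy matches leaves the interface unprotected. The ACL model (first matching rule decides; a deny match means that policy does not match and the next policy is tried) and the policy group pg1 below are constructed assumptions for the illustration.

```python
"""Ordered IPsec policy lookup for one outbound packet (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class AclRule:
    action: str   # "permit" or "deny"
    src: str      # CIDR; "0.0.0.0/0" means any
    dst: str


@dataclass(frozen=True)
class IpsecPolicy:
    name: str
    seq: int
    rules: tuple  # AclRule entries, evaluated in order


def acl_permits(rules, src: str, dst: str) -> bool:
    """First matching rule decides; no match means the ACL does not select the packet."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in ip_network(rule.src) and d in ip_network(rule.dst):
            return rule.action == "permit"
    return False


def select_policy(group, src: str, dst: str) -> Optional[IpsecPolicy]:
    """Return the policy that will protect the packet, or None if it is sent in clear."""
    for policy in sorted(group, key=lambda p: p.seq):
        if acl_permits(policy.rules, src, dst):
            return policy
    return None


# Constructed policy group "pg1"; entries deliberately listed out of order so
# that the sort by sequence number is visible.
PG1 = [
    IpsecPolicy("pg1", 20, (AclRule("permit", "10.1.1.0/24", "10.2.2.0/24"),)),
    IpsecPolicy("pg1", 10, (AclRule("deny", "10.1.1.0/24", "10.3.3.128/25"),
                            AclRule("permit", "10.1.1.0/24", "10.3.3.0/24"))),
    IpsecPolicy("pg1", 30, (AclRule("permit", "10.1.1.0/24", "0.0.0.0/0"),)),
]


def chosen_seq(src: str, dst: str) -> Optional[int]:
    """Sequence number of the policy selected from PG1, or None."""
    policy = select_policy(PG1, src, dst)
    return None if policy is None else policy.seq


if __name__ == "__main__":
    for dst in ("10.2.2.7", "10.3.3.1", "10.3.3.200", "8.8.8.8"):
        print("10.1.1.5 ->", dst, "policy seq", chosen_seq("10.1.1.5", dst))
```

The catch-all policy at sequence 30 is what stops traffic from leaving in clear; without it, a packet from 10.1.1.5 to 8.8.8.8 would return None and be forwarded unprotected, which is the case the usage guideline warns about.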
In a group encrypted transport VPN, you must configure IPsec GDOI policies on the group members. For more information about group encrypted transport VPN, see Security Configuration Guide.
Examples
# Create an IPsec policy with the name policy1 and sequence number 100, and specify to set up SAs through IKE negotiation.
system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100]
# Create an IPsec policy with the name policy1 and specify the manual mode for it.
Related commands
• ipsec policy (system view)
• ipsec policy-template
Examples
# Create an IPsec policy with the name policy2 and sequence number 200 by referencing IPsec policy template temp1.
system-view
[Sysname] ipsec policy policy2 200 isakmp template temp1
ipsec policy-template
Use ipsec policy-template to create an IPsec policy template and enter the IPsec policy template view.
Use undo ipsec policy-template to delete the specified IPsec policy templates.
ipsec profile (system view)
Use ipsec profile to create an IPsec profile and enter its view. An IPsec profile defines the IPsec transform sets to be used to protect the data and the IKE negotiation parameters used to set up the SAs.
Use undo ipsec profile to delete an IPsec profile.
Syntax
ipsec profile profile-name
undo ipsec profile profile-name
Default
No IPsec profile exists.
Default command level
2: System level
Parameters
profile-name: Specifies the name of the IPsec profile, a case-insensitive string of 1 to 15 characters.
Usage guidelines
Only one IPsec profile can be applied to a tunnel interface. To apply another IPsec profile to the tunnel interface, remove the original application first. An IPsec profile cannot be applied to the DVPN tunnel interface and the IPsec tunnel interface simultaneously.
Examples
# Apply IPsec profile vtiprofile to the IPsec tunnel interface.
kilobytes: Specifies the traffic-based global SA lifetime in kilobytes, in the range 2560 to 4294967295.
Usage guidelines
When negotiating to set up an SA, IKE prefers the lifetime of the IPsec policy or IPsec profile that it uses. If the IPsec policy is not configured with its own lifetime, IKE uses the global SA lifetime. When negotiating to set up an SA, IKE uses the shorter of the local lifetime and the lifetime proposed by the remote end.
Related commands
display ipsec transform-set
pfs
Use pfs to enable and configure the perfect forward secrecy (PFS) feature so that the system uses the feature when employing the IPsec policy or IPsec profile to initiate a negotiation.
Use undo pfs to remove the configuration.
Syntax
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
undo pfs
Default
The PFS feature is not used for negotiation.
policy enable
Use policy enable to enable the IPsec policy.
Use undo policy enable to disable the IPsec policy.
Syntax
policy enable
undo policy enable
Default
The IPsec policy is enabled.
Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Usage guidelines
The command is not applicable to manual IPsec policies. If the IPsec policy is not enabled for the IKE peer, the peer cannot take part in the IKE negotiation.
Usage guidelines
With the packet information pre-extraction feature enabled, QoS classifies a packet based on the header of the original IP packet, that is, the header of the IP packet before IPsec encapsulation.
Examples
# Enable packet information pre-extraction.
IPsec SAs appear in pairs. If you specify the parameters keyword to clear an IPsec SA, the IPsec SA in the other direction is also automatically cleared. If you do not specify any parameter, the command clears all IPsec SAs.
Examples
# Clear all IPsec SAs.
reset ipsec sa
# Clear the IPsec SA with a remote IP address of 10.1.1.2.
reset ipsec sa remote 10.1.1.2
# Clear all IPsec SAs of IPsec policy template policy1.
Syntax
reverse-route [ remote-peer ip-address [ gateway | static ] | static ]
undo reverse-route
Default
IPsec RRI is disabled.
Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Parameters
static: Enables static IPsec Reverse Route Injection (RRI). Static IPsec RRI creates static routes based on the ACL that the IPsec policy references. This keyword is available only in IPsec policy view.
Table 45 Possible IPsec RRI configurations and the generated routing information
Command: reverse-route static
IPsec RRI mode: Static
Route destination: Destination IP address specified in a permit rule of the ACL that is referenced by the IPsec policy.
Next hop address:
• Manual IPsec policy: Peer tunnel address set with the tunnel remote command.
• IPsec policy that uses IKE: The remote
Address identified by the ip-address argument.
[Sysname-ipsec-policy-isakmp-1-1] security acl 3000
[Sysname-ipsec-policy-isakmp-1-1] transform-set tran1
[Sysname-ipsec-policy-isakmp-1-1] ike-peer 1
[Sysname-ipsec-policy-isakmp-1-1] reverse-route static
[Sysname-ipsec-policy-isakmp-1-1] quit
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] ipsec policy 1
[Sysname-GigabitEthernet3/0/1] quit
# Display the routing table. You can see that IPsec RRI has created the static route. (Other routes are not shown.
# Configure dynamic IPsec RRI to create two static routes based on an IPsec SA: one to the peer private network 3.0.0.0/24 through the remote tunnel endpoint 1.1.1.2, and the other to the remote tunnel endpoint through 1.1.1.3.
[Sysname] ipsec policy 1 1 isakmp
[Sysname-ipsec-policy-isakmp-1-1] reverse-route remote-peer 1.1.1.3 gateway
# Display the routing table. The expected routes appear in the routing table after the IPsec SA negotiation succeeds. (Other routes are not shown.
Related commands
reverse-route
reverse-route tag
Use reverse-route tag to set a route tag for the static routes created by IPsec RRI. This tag helps in implementing flexible route control through routing policies.
Use undo reverse-route tag to restore the default.
Syntax
reverse-route tag tag-value
undo reverse-route tag
Default
The tag value is 0 for the static routes created by IPsec RRI.
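The routes that Table 45 and the two RRI configuration examples describe, worked as an added example that is not the router's code: static RRI yields one route per ACL permit destination via the peer tunnel address, and reverse-route remote-peer ip-address gateway yields one route to the protected peer network via the remote tunnel endpoint plus a host route to that endpoint via ip-address (the 3.0.0.0/24, 1.1.1.2, 1.1.1.3 case above). The tag is the reverse-route tag value, 0 by default. Two cases the excerpt does not spell out are assumptions here and marked as such in the code: reverse-route without remote-peer, and remote-peer without gateway. The routing-table dump used by the check at the end is constructed in an approximate display ip routing-table layout.

```python
"""Routes injected by IPsec RRI, derived from the policy configuration (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    dest: str       # prefix in CIDR form
    next_hop: str
    tag: int = 0    # reverse-route tag value; 0 by default


def static_rri_routes(acl_rules: List[Tuple[str, str, str]], tunnel_remote: str,
                      tag: int = 0) -> List[Route]:
    """Static RRI: one route per permit rule, to the rule's destination, via the peer tunnel address."""
    return [Route(str(ip_network(dst)), tunnel_remote, tag)
            for action, _src, dst in acl_rules if action == "permit"]


def dynamic_rri_routes(protected_net: str, remote_endpoint: str,
                       remote_peer: Optional[str] = None, gateway: bool = False,
                       tag: int = 0) -> List[Route]:
    """Dynamic RRI: routes derived from a negotiated IPsec SA."""
    protected = str(ip_network(protected_net))
    if remote_peer is None:
        # Assumption: plain reverse-route sends the protected network via the tunnel endpoint.
        return [Route(protected, remote_endpoint, tag)]
    if gateway:
        # reverse-route remote-peer ip-address gateway: the two routes of the manual's example.
        return [Route(protected, remote_endpoint, tag),
                Route(f"{remote_endpoint}/32", remote_peer, tag)]
    # Assumption: remote-peer without gateway uses ip-address as the next hop.
    return [Route(protected, remote_peer, tag)]


def missing_routes(expected: List[Route], routing_table: str) -> List[Route]:
    """Expected RRI routes absent from a routing-table dump whose first line is a
    header and whose columns are Destination/Mask Proto Pre Cost NextHop ... (constructed layout)."""
    present = set()
    for line in routing_table.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 5:
            present.add((cols[0], cols[4]))
    return [r for r in expected if (r.dest, r.next_hop) not in present]


# Constructed routing-table output after the SA for 3.0.0.0/24 has come up.
ROUTING_TABLE = """\
Destination/Mask    Proto   Pre  Cost  NextHop    Interface
1.1.1.0/24          Direct  0    0     1.1.1.1    GE3/0/1
3.0.0.0/24          Static  60   0     1.1.1.2    GE3/0/1
1.1.1.2/32          Static  60   0     1.1.1.3    GE3/0/1
"""

if __name__ == "__main__":
    expected = dynamic_rri_routes("3.0.0.0/24", "1.1.1.2", remote_peer="1.1.1.3", gateway=True)
    print("expected:", expected)
    print("missing :", missing_routes(expected, ROUTING_TABLE))
```

Checking the injected routes against the routing table after negotiation is the verification step the examples above perform by hand with display ip routing-table; a non-empty missing list means the SA is up but traffic to the peer network will not be steered into the tunnel.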
undo sa authentication-hex { inbound | outbound } { ah | esp }
Views
IPsec policy view
Default command level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
cipher: Sets a ciphertext authentication key.
simple: Sets a plaintext authentication key.
hex-key: Specifies the key string.
sa duration
Use sa duration to set an SA lifetime for the IPsec policy or IPsec profile.
Use undo sa duration to restore the default.
Syntax
sa duration { time-based seconds | traffic-based kilobytes }
undo sa duration { time-based | traffic-based }
Default
The SA lifetime of an IPsec policy or an IPsec profile equals the current global SA lifetime. The time-based global SA lifetime is 3600 seconds, and the traffic-based global SA lifetime is 1843200 kilobytes.
[Sysname-ipsec-profile-profile1] sa duration traffic-based 20480
Related commands
• ipsec sa global-duration
• ipsec policy (system view)
• ipsec profile (system view)
sa encryption-hex
Use sa encryption-hex to configure an encryption key for an SA.
Use undo sa encryption-hex to remove the configuration.
At each end of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format (both in hexadecimal format or both in string format), and the keys must be specified in the same format at both ends of the tunnel.
Examples
# Configure the encryption keys for the inbound and outbound SAs that use ESP as 0x1234567890abcdef and 0xabcdefabcdef1234 in plain text.
• Within a certain network scope, each router must use the same SPI and keys for its inbound and outbound SAs, and all routers must use the same SPI and keys. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a neighbor group.
Examples
# Set the SPI for the inbound SA to 10000 and that for the outbound SA to 20000 in a manual IPsec policy.
Usage guidelines
This command applies only to manual IPsec policies. This command is not available in FIPS mode.
When configuring a manual IPsec policy, you must set parameters for both inbound and outbound SAs. The local inbound SA must use the same SPI and keys as the remote outbound SA, and the local outbound SA must use the same SPI and keys as the remote inbound SA. Enter keys in the same format for the local and remote inbound and outbound SAs.
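A cross-check of the pairing rules just stated (local inbound matches remote outbound and vice versa, one key format at all four SAs), written as an added example rather than anything the router provides. Running it over the two ends' intended manual settings before typing them in catches the mismatches that otherwise surface only as silently dropped traffic. SPI values 10000 and 20000 follow the example above; the key strings and the field names are constructed.

```python
"""Consistency check for manual IPsec SA parameters at both tunnel ends (added example)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ManualSa:
    spi: int
    auth_key: str
    enc_key: str
    key_format: str   # "hex" (sa authentication-hex / sa encryption-hex) or "string"


@dataclass(frozen=True)
class ManualPolicy:
    inbound: ManualSa
    outbound: ManualSa


def _compare(a: ManualSa, b: ManualSa, label: str) -> List[str]:
    """SPI and both keys of SA `a` must equal those of SA `b`."""
    problems = []
    if a.spi != b.spi:
        problems.append(f"{label}: SPI mismatch ({a.spi} vs {b.spi})")
    if a.auth_key != b.auth_key:
        problems.append(f"{label}: authentication key mismatch")
    if a.enc_key != b.enc_key:
        problems.append(f"{label}: encryption key mismatch")
    return problems


def _hex_keys_valid(sa: ManualSa) -> bool:
    """A hex-format key must actually parse as hexadecimal."""
    if sa.key_format != "hex":
        return True
    try:
        bytes.fromhex(sa.auth_key)
        bytes.fromhex(sa.enc_key)
        return True
    except ValueError:
        return False


def check_manual_pair(local: ManualPolicy, remote: ManualPolicy) -> List[str]:
    """Return a list of problems; an empty list means the two ends agree."""
    problems = _compare(local.inbound, remote.outbound, "local inbound / remote outbound")
    problems += _compare(local.outbound, remote.inbound, "local outbound / remote inbound")
    sas = (local.inbound, local.outbound, remote.inbound, remote.outbound)
    if len({sa.key_format for sa in sas}) > 1:
        problems.append("key format differs between SAs; use hex at both ends or string at both ends")
    for sa in sas:
        if not _hex_keys_valid(sa):
            problems.append(f"SPI {sa.spi}: hex key contains non-hexadecimal characters")
    return problems


# Constructed keys; only the SPI values come from the manual's example.
AUTH_A = "0011223344556677889900aabbccddeeff001122"
AUTH_B = "ffeeddccbbaa99887766554433221100ffeeddcc"
ENC_A = "1234567890abcdef"
ENC_B = "abcdefabcdef1234"

LOCAL = ManualPolicy(inbound=ManualSa(10000, AUTH_A, ENC_A, "hex"),
                     outbound=ManualSa(20000, AUTH_B, ENC_B, "hex"))
REMOTE_OK = ManualPolicy(inbound=ManualSa(20000, AUTH_B, ENC_B, "hex"),
                         outbound=ManualSa(10000, AUTH_A, ENC_A, "hex"))
# Remote end with a string-format inbound key and a mistyped outbound encryption key.
REMOTE_BAD = ManualPolicy(inbound=ManualSa(20000, "secretauth", "secretenc", "string"),
                          outbound=ManualSa(10000, AUTH_A, "1234567890abcdeg", "hex"))

if __name__ == "__main__":
    print("good pair:", check_manual_pair(LOCAL, REMOTE_OK))
    print("bad pair :", *check_manual_pair(LOCAL, REMOTE_BAD), sep="\n  ")
```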
Default command level
2: System level
Parameters
ipv6: Specifies an IPv6 ACL.
acl-number: Specifies the number of the ACL for the IPsec policy to reference, in the range of 3000 to 3999.
aggregation: Uses the aggregation data flow protection mode. If you do not specify this keyword, the standard mode is used. This protection mode is not available for IPv6 data flows.
transform
Use transform to specify a security protocol for an IPsec transform set.
Use undo transform to restore the default.
Syntax
transform { ah | ah-esp | esp }
undo transform
Default
The ESP protocol is used.
Views
IPsec transform set view
Default command level
2: System level
Parameters
ah: Uses the AH protocol.
ah-esp: Uses ESP first and then AH.
esp: Uses the ESP protocol.
Usage guidelines
The IPsec transform sets at the two ends of an IPsec tunnel must use the same security protocol.
Views
IPsec policy view, IPsec policy template view, IPsec profile view
Default command level
2: System level
Parameters
transform-set-name&<1-6>: Specifies the name of the IPsec transform set, a string of 1 to 32 characters. &<1-6> means that you can specify up to six transform sets, separated by spaces.
Usage guidelines
The specified IPsec transform sets must already exist. A manual IPsec policy can reference only one IPsec transform set.
Default
No local address is configured for an IPsec tunnel.
Views
IPsec policy view
Default command level
2: System level
Parameters
ipv6: Specifies an IPv6 address.
ip-address: Specifies the local address for the IPsec tunnel.
Usage guidelines
This command applies only to manual IPsec policies. If the local address is not configured, the address of the interface to which the IPsec policy is applied is used.
Examples
# Set the local address of the IPsec tunnel to the address of Loopback 0, 10.0.0.1.
ip-address: Specifies the remote address for the IPsec tunnel.
Usage guidelines
This command applies only to manual IPsec policies. If you execute this command multiple times, the most recent configuration takes effect.
An IPsec tunnel is established between the local and remote ends. The remote IP address configured at the local end must be the same as the local IP address configured at the remote end.
Examples
# Set the remote address of the IPsec tunnel to 10.1.1.2.
IKE configuration commands
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
authentication-algorithm
Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.
Use undo authentication-algorithm to restore the default.
undo authentication-method
Default
An IKE proposal uses the pre-shared key authentication method.
Views
IKE proposal view
Default command level
2: System level
Parameters
pre-share: Uses the pre-shared key method.
rsa-signature: Uses the RSA digital signature method.
Examples
# Specify that IKE proposal 10 uses the pre-shared key authentication method.
Related commands
• authentication-method
• pki domain
dh
Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal.
Use undo dh to restore the default.
Syntax
dh { group1 | group2 | group5 | group14 }
undo dh
Default
In FIPS mode, group2 (1024-bit Diffie-Hellman group) is used. In non-FIPS mode, group1 (768-bit Diffie-Hellman group) is used.
Views
Any view
Default command level
1: Monitor level
Parameters
dpd-name: Specifies the DPD name, a string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
Default command level
1: Monitor level
Parameters
peer-name: Specifies the name of the IKE peer, a string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
display ike proposal
Use display ike proposal to view the settings of all IKE proposals.
Syntax
display ike proposal [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
• ike proposal
• encryption-algorithm
• authentication-algorithm
• dh
• sa duration
display ike sa
Use display ike sa to display information about the current IKE SAs.
Syntax
display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address ] ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
verbose: Displays detailed information.
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD—FADING TO--TIMEOUT RK-REKEY
Table 49 Command output
Field: Description
total phase-1 SAs: Total number of SAs for phase 1.
connection-id: Identifier of the ISAKMP SA.
peer: Remote IP address of the SA.
flag: Status of the SA:
• RD (READY)—The SA has been established.
• ST (STAYALIVE)—This end is the initiator of the tunnel negotiation.
• RL (REPLACED)—The tunnel has been replaced by a new one and will be deleted later.
encryption-algorithm: DES-CBC
life duration(sec): 86400
remaining key duration(sec): 86379
exchange-mode: MAIN
diffie-hellman group: GROUP1
nat traversal: NO
# Display detailed information about the IKE SA with the connection ID of 2.
display ike sa verbose connection-id 2
---------------------------------------------
vpn-instance: 1
transmitting entity: initiator
---------------------------------------------
local id type: IPV4_ADDR
local id: 4.4.4.4
remote id type: IPV4_ADDR
remote id: 4.4.4.
connection id: 2
authentication-method: PRE-SHARED-KEY
authentication-algorithm: HASH-SHA1
encryption-algorithm: DES-CBC
life duration(sec): 86400
remaining key duration(sec): 82236
exchange-mode: MAIN
diffie-hellman group: GROUP1
nat traversal: NO
Table 50 Command output
Field: Description
vpn-instance: MPLS L3VPN that the protected data belongs to.
transmitting entity: Entity in the IKE negotiation.
local id type: Identifier type of the local gateway.
local id: Identifier of the local gateway.
Syntax
dpd dpd-name
undo dpd
Default
No DPD detector is applied to an IKE peer.
Views
IKE peer view
Default command level
2: System level
Parameters
dpd-name: Specifies the DPD detector name, a string of 1 to 32 characters.
Examples
# Apply dpd1 to IKE peer peer1.
system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] dpd dpd1
encryption-algorithm
Use encryption-algorithm to specify an encryption algorithm for an IKE proposal.
Use undo encryption-algorithm to restore the default.
des-cbc: Uses the DES algorithm in CBC mode as the encryption algorithm. The DES algorithm uses 56-bit keys for encryption. This keyword is not supported in FIPS mode.
Examples
# Use 56-bit DES in CBC mode as the encryption algorithm for IKE proposal 10.
system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10] encryption-algorithm des-cbc
Related commands
• ike proposal
• display ike proposal
exchange-mode
Use exchange-mode to select an IKE negotiation mode.
id-type
Use id-type to select the type of the ID for IKE negotiation.
Use undo id-type to restore the default.
Syntax
id-type { ip | name | user-fqdn }
undo id-type
Default
The ID type is IP address.
Views
IKE peer view
Default command level
2: System level
Parameters
ip: Uses an IP address as the ID during IKE negotiation.
name: Uses a name of the Fully Qualified Domain Name (FQDN) type as the ID during IKE negotiation.
user-fqdn: Uses a name of the user FQDN type as the ID during IKE negotiation.
Use undo ike dpd to remove a DPD detector.
Syntax
ike dpd dpd-name
undo ike dpd dpd-name
Views
System view
Default command level
2: System level
Parameters
dpd-name: Specifies the name for the DPD detector, a string of 1 to 32 characters.
Usage guidelines
DPD irregularly detects dead IKE peers. It works as follows:
1. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.
2.
Views
System view
Default command level
2: System level
Parameters
name: Specifies the name of the local security gateway for IKE negotiation, a case-sensitive string of 1 to 32 characters.
Examples
# Disable Next payload field checking for the last payload of an IKE message.
system-view
[Sysname] ike next-payload check disabled
ike peer (system view)
Use ike peer to create an IKE peer and enter IKE peer view.
Use undo ike peer to delete an IKE peer.
Syntax
ike peer peer-name
undo ike peer peer-name
Views
System view
Default command level
2: System level
Parameters
peer-name: Specifies the IKE peer name, a string of 1 to 32 characters.
Usage guidelines
The system provides a default IKE proposal, which has the lowest priority. The following table shows the default settings for the default IKE proposal in non-FIPS mode and FIPS mode:
Setting                   Non-FIPS mode     FIPS mode
Encryption algorithm      DES-CBC           AES_CBC_128
Authentication algorithm  HMAC-SHA1         SHA
Authentication method     Pre-shared key    Pre-shared key
DH group                  MODP_768          MODP_1024
SA lifetime               86400 seconds     86400 seconds
Examples
# Create IKE proposal 10 and enter IKE proposal view.
system-view
[Sysname] ike sa keepalive-timer interval 200
Related commands
ike sa keepalive-timer timeout
ike sa keepalive-timer timeout
Use ike sa keepalive-timer timeout to set the ISAKMP SA keepalive timeout.
Use undo ike sa keepalive-timer timeout to disable the function.
Syntax
ike sa keepalive-timer timeout seconds
undo ike sa keepalive-timer timeout
Default
No keepalive packet is sent.
Default
The NAT keepalive interval is 20 seconds.
Views
System view
Default command level
2: System level
Parameters
seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 300.
Examples
# Set the NAT keepalive interval to 5 seconds.
system-view
[Sysname] ike sa nat-keepalive-timer interval 5
interval-time
Use interval-time to set the DPD query triggering interval for a DPD detector.
Use undo interval-time to restore the default.
Syntax
local { multi-subnet | single-subnet }
undo local
Default
The subnet is a single one.
Views
IKE peer view
Default command level
2: System level
Parameters
multi-subnet: Sets the subnet type to multiple.
single-subnet: Sets the subnet type to single.
Usage guidelines
Use this command to enable interoperability with a NetScreen device.
Examples
# Set the subnet type of the local security gateway to multiple.
Examples
# Set the IP address of the local security gateway to 1.1.1.1.
system-view
[Sysname] ike peer xhy
[Sysname-ike-peer-xhy] local-address 1.1.1.1
local-name
Use local-name to configure a name for the local security gateway to be used in IKE negotiation.
Use undo local-name to restore the default.
Syntax
local-name name
undo local-name
Default
The device name is used as the name of the local security gateway.
nat traversal
Use nat traversal to enable the NAT traversal function of IKE/IPsec.
Use undo nat traversal to disable the NAT traversal function of IKE/IPsec.
Syntax
nat traversal
undo nat traversal
Default
The NAT traversal function is disabled.
Views
IKE peer view
Default command level
2: System level
Examples
# Enable the NAT traversal function for IKE peer peer1.
Examples
# Set the subnet type of the peer security gateway to multiple.
system-view
[Sysname] ike peer xhy
[Sysname-ike-peer-xhy] peer multi-subnet
pre-shared-key
Use pre-shared-key to configure the pre-shared key to be used in IKE negotiation.
Use undo pre-shared-key to remove the configuration.
Syntax
pre-shared-key [ cipher | simple ] key
undo pre-shared-key
Views
IKE peer view
Default command level
2: System level
Parameters
cipher: Sets a ciphertext pre-shared key.
undo proposal [ proposal-number ]
Default
An IKE peer references no IKE proposals and, when initiating IKE negotiation, it uses the IKE proposals configured in system view.
Views
IKE peer view
Default command level
2: System level
Parameters
proposal-number&<1-6>: Specifies the sequence number of the IKE proposal for the IKE peer to reference, in the range of 1 to 65535. &<1-6> means that you can specify the proposal-number argument up to six times.
hostname: Specifies the host name of the IPsec remote security gateway, a case-insensitive string of 1 to 255 characters. The host name uniquely identifies the remote IPsec peer and can be resolved to an IP address by the DNS server.
dynamic: Specifies to use dynamic address resolution for the IPsec remote peer name. If you do not provide this keyword, the local end resolves the remote host name only once, after you configure the remote host name.
Views
IKE peer view
Default command level
2: System level
Parameters
name: Specifies the name of the peer security gateway for IKE negotiation, a string of 1 to 32 characters.
Usage guidelines
If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation initiator sends its security gateway name as its ID for IKE negotiation, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator.
display ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
---------------------------------------------------------
1 202.38.0.2 RD|ST 1 IPSEC
2 202.38.0.2 RD|ST 2 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD—FADING TO--TIMEOUT RK--REKEY
reset ike sa 2
display ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
---------------------------------------------------------
1 202.38.0.
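A parser for the display ike sa summary table shown above and in Table 49, added here as an example and not part of the manual: it turns each row into a record, expands the flag abbreviations from the output's legend, picks out SAs that are on their way out (REPLACED, FADING, TIMEOUT), and reports which connection IDs disappeared between two captures, which is the check the reset ike sa 2 sequence above performs by eye. The two captures, the record type and the function names are constructed to match the output format.

```python
"""Parse `display ike sa` summary output for tunnel-state monitoring (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Abbreviations from the "flag meaning" legend printed under the table.
FLAG_MEANING = {
    "RD": "READY", "ST": "STAYALIVE", "RL": "REPLACED",
    "FD": "FADING", "TO": "TIMEOUT", "RK": "REKEY",
}
TRANSIENT = {"REPLACED", "FADING", "TIMEOUT"}

# connection-id  peer  flag  phase  doi
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+([A-Z|]+)\s+([12])\s+(\S+)\s*$")


@dataclass(frozen=True)
class IkeSaRecord:
    connection_id: int
    peer: str
    flags: tuple
    phase: int
    doi: str


def parse_display_ike_sa(text: str) -> List[IkeSaRecord]:
    records = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator, legend or blank line
        cid, peer, flags, phase, doi = m.groups()
        expanded = tuple(FLAG_MEANING.get(f, f) for f in flags.split("|"))
        records.append(IkeSaRecord(int(cid), peer, expanded, int(phase), doi))
    return records


def transient_sas(records: List[IkeSaRecord]) -> List[IkeSaRecord]:
    """SAs that have been replaced, are fading out, or have timed out."""
    return [r for r in records if TRANSIENT & set(r.flags)]


def removed_connection_ids(before: List[IkeSaRecord], after: List[IkeSaRecord]) -> List[int]:
    return sorted({r.connection_id for r in before} - {r.connection_id for r in after})


# Constructed captures in the format shown above, before and after `reset ike sa 2`.
BEFORE = """\
 total phase-1 SAs:  1
 connection-id  peer            flag        phase doi
 ---------------------------------------------------------
   1            202.38.0.2      RD|ST       1     IPSEC
   2            202.38.0.2      RD|ST       2     IPSEC
   3            202.38.0.9      RL          2     IPSEC

 flag meaning
 RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT RK--REKEY
"""
AFTER = """\
 total phase-1 SAs:  1
 connection-id  peer            flag        phase doi
 ---------------------------------------------------------
   1            202.38.0.2      RD|ST       1     IPSEC
   3            202.38.0.9      RL          2     IPSEC

 flag meaning
 RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT RK--REKEY
"""

if __name__ == "__main__":
    before, after = parse_display_ike_sa(BEFORE), parse_display_ike_sa(AFTER)
    print("transient:", [r.connection_id for r in transient_sas(before)])
    print("removed  :", removed_connection_ids(before, after))
```

Polling the table this way and alerting when a phase-1 SA stays in a transient state, or when a peer's SAs vanish without a matching reset, is a cheap way to notice tunnels that are silently flapping.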
Related commands
• ike proposal
• display ike proposal
time-out
Use time-out to set the DPD packet retransmission interval for a DPD detector.
Use undo time-out to restore the default.
Syntax
time-out time-out
undo time-out
Views
IKE DPD view
Default command level
2: System level
Parameters
time-out: Specifies the DPD packet retransmission interval in seconds, in the range of 1 to 60.
Usage guidelines
The default DPD packet retransmission interval is 5 seconds.
SSH configuration commands
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
SSH server configuration commands
display ssh server
Use display ssh server on an SSH server to display the SSH server status or sessions.
Table 51 Command output
Field: Description
SSH Server: Whether the SSH server function is enabled.
SSH version: SSH protocol version. When the SSH server supports SSH1, the protocol version is 1.99. Otherwise, the protocol version is 2.
SSH authentication-timeout: Authentication timeout timer.
SSH server key generating interval: SSH server key pair update interval.
SSH Authentication retries: Maximum number of SSH authentication attempts.
SFTP Server: Whether the Secure FTP (SFTP) server function is enabled.
display ssh user-information
Use display ssh user-information on an SSH server to display information about SSH users.
Syntax
display ssh user-information [ username ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
username: Specifies an SSH username, a string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users.
|: Filters command output by specifying a regular expression.
Field: Description
Service-type: Service type: SFTP, Stelnet, SCP, and all. If all authentication methods are supported, this field displays all.
Related commands
ssh user
sftp server enable
Use sftp server enable to enable the SFTP server function.
Use undo sftp server enable to disable the SFTP server function.
Syntax
sftp server enable
undo sftp server enable
Default
The SFTP server function is disabled.
Default command level
3: Manage level
Parameters
time-out-value: Specifies a timeout timer in minutes, in the range of 1 to 35791.
Usage guidelines
If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection. If many SFTP connections are established, you can set a smaller value so that connection resources are released promptly.
Examples
# Set the idle timeout timer for SFTP user connections to 500 minutes.
Examples
# Set the maximum number of SSH connection authentication attempts to 4.
system-view
[Sysname] ssh server authentication-retries 4
Related commands
display ssh server
ssh server authentication-timeout
Use ssh server authentication-timeout to set the SSH user authentication timeout timer on the SSH server.
Use undo ssh server authentication-timeout to restore the default.
Default
The SSH server supports SSH1 clients.
Views
System view
Default command level
3: Manage level
Usage guidelines
The configuration takes effect only for clients at their next login.
Examples
# Enable the SSH server to support SSH1 clients.
system-view
[Sysname] ssh server compatible-ssh1x enable
Related commands
display ssh server
ssh server enable
Use ssh server enable to enable the SSH server function so that SSH clients can use SSH to communicate with the server.
Use undo ssh server rekey-interval to restore the default.
Syntax
ssh server rekey-interval hours
undo ssh server rekey-interval
Default
The update interval of the RSA server key is 0. The system does not update the RSA server key pairs.
Views
System view
Default command level
3: Manage level
Parameters
hours: Specifies an interval for updating the server key pair in hours, in the range of 1 to 24.
Usage guidelines
This command is available only to SSH users that use SSH1 client software.
Parameters
username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters.
service-type: Specifies the service type of an SSH user:
• all: Specifies Stelnet, SFTP, and SCP.
• scp: Specifies the service type as SCP.
• sftp: Specifies the service type as SFTP.
• stelnet: Specifies the service type as Stelnet.
authentication-type: Specifies the authentication method of an SSH user:
• password: Specifies password authentication.
You can change parameters for an SSH user that has logged in, but your changes take effect for the user at next login.
If an SFTP or SCP user has been assigned a public key or PKI domain, you must set a working folder for the user.
The working folder of an SFTP or SCP user depends on the user authentication method. For a user using only password authentication, the working folder is the AAA-authorized one.
Syntax
cd [ remote-path ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-path: Specifies a path on the server. If you do not specify this argument, the command displays the current working path.
Usage guidelines
You can use the cd .. command to return to the upper-level directory. You can use the cd / command to return to the root directory of the system.
Examples
# Change the working path to new1.
Default command level
3: Manage level
Parameters
remote-file&<1-10>: Specifies one or more files to delete on the server. &<1-10> means that you can provide up to 10 filenames, separated by spaces.
Usage guidelines
This command functions the same as the remove command.
Examples
# Delete file temp.c from the server.
sftp-client> delete temp.c
The following files will be deleted:
/temp.c
Are you sure to delete it? [Y/N]:y
This operation might take a long time. Please wait...
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:18 new2
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:30 pub2
display sftp client source
Use display sftp client source to display the source IP address or source interface configured for the SFTP client.
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
Usage guidelines
This command is also available on an SFTP client.
When an SSH client needs to authenticate the SSH server, it uses the locally saved public key of the server for the authentication. If the authentication fails, you can use this command to examine the public key of the server saved on the client.
Examples
# Display the mappings between SSH servers and their host public keys on the client.
Syntax
get remote-file [ local-file ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-file: Specifies the name of a file on the SFTP server.
local-file: Specifies the name for the local file. If this argument is not specified, the file is saved locally with the same name as on the SFTP server.
Examples
# Download file temp1.c and save it as temp.c locally.
sftp-client> get temp1.c temp.c
Remote file:/temp1.c ---> Local file: temp.
Syntax
ls [ -a | -l ] [ remote-path ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
-a: Displays the filenames and the folder names of the specified directory.
-l: Displays detailed information about the files and folders of the specified directory in list form.
remote-path: Specifies the directory to be queried. If this argument is not specified, the command displays the file and folder information under the current working directory.
sftp-client> mkdir test
New directory created
put
Use put to upload a local file to an SFTP server.
Syntax
put local-file [ remote-file ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
local-file: Specifies the name of a local file.
remote-file: Specifies the name for the file on an SFTP server. If this argument is not specified, the file is saved remotely with the same name as the local one.
Examples
# Upload local file temp.c to the SFTP server and save it as temp1.c.
Views SFTP client view Default command level 3: Manage level Usage guidelines This command functions as the bye and exit commands. Examples # Terminate the connection with the SFTP server. sftp-client> quit Bye Connection closed. remove Use remove to delete files from a remote server. Syntax remove remote-file&<1-10> Views SFTP client view Default command level 3: Manage level Parameters remote-file&<1-10>: Specifies one or more files to delete on an SFTP server.
Syntax rename oldname newname Views SFTP client view Default command level 3: Manage level Parameters oldname: Specifies the name of an existing file or directory. newname: Specifies a new name for the file or directory. Examples # Change the name of a file on the SFTP server from temp1.c to temp2.c. sftp-client> rename temp1.c temp2.c File successfully renamed rmdir Use rmdir to delete the specified directories from an SFTP server.
| dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
In FIPS mode:
scp [ ipv6 ] server [ port-number ] { get | put } source-file-path [ destination-file-path ] [ identity-key rsa | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] *
Views
User view
Default command level
3
• sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in non-FIPS mode, and is dh-group14 in FIPS mode.
• dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. This keyword is not available in FIPS mode.
• dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not available in FIPS mode.
{ md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
In FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] *
Views
User view
Default command
• dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not available in FIPS mode.
• dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1-96.
undo sftp client ipv6 source
Default
An SFTP client uses the IPv6 address of the interface specified by the route of the device to access the SFTP server.
Views
System view
Default command level
3: Manage level
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number.
ipv6 ipv6-address: Specifies a source IPv6 address.
Usage guidelines
To make sure the SFTP client and the SFTP server can communicate with each other, and to improve the manageability of SFTP clients in the authentication service, HP recommends that you specify a loopback interface as the source interface.
Examples
# Specify the source IP address of the SFTP client as 192.168.0.1.
system-view
[Sysname] sftp client source ip 192.168.0.
• zlib: Specifies the compression algorithm ZLIB.
• zlib-openssh: Specifies the compression algorithm ZLIB@openssh.com.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
• 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode.
• aes128: Specifies the encryption algorithm aes128-cbc.
• aes256: Specifies the encryption algorithm aes256-cbc. This keyword is not available in non-FIPS mode.
• The preferred server-to-client HMAC algorithm is sha1-96.
Examples
# Connect to server 2:5::8:9, using the following connection scheme:
• The preferred key exchange algorithm is dh-group1.
• The preferred server-to-client encryption algorithm is aes128.
• The preferred client-to-server HMAC algorithm is md5.
• The preferred server-to-client HMAC algorithm is sha1-96.
Related commands
ssh client first-time enable
ssh client first-time enable
Use ssh client first-time enable to enable the first-time authentication function. Use undo ssh client first-time to disable the function.
Syntax
ssh client first-time enable
undo ssh client first-time
Default
The function is enabled.
Views
System view
Default command level
2: System level
Usage guidelines
Without first-time authentication, a client that is not configured with the server's host public key cannot access the server.
Default
An Stelnet client uses the IPv6 address of the interface specified by the route of the device to access the Stelnet server.
Views
System view
Default command level
3: Manage level
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number.
ipv6 ipv6-address: Specifies a source IPv6 address.
Usage guidelines
To make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, HP recommends that you specify a loopback interface as the source interface.
Examples
# Specify the source IPv4 address of the Stelnet client as 192.168.0.1.
system-view
[Sysname] ssh client source ip 192.168.0.
• zlib: Specifies the compression algorithm ZLIB.
• zlib-openssh: Specifies the compression algorithm zlib@openssh.com.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
• 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode.
• aes128: Specifies the encryption algorithm aes128-cbc.
• aes256: Specifies the encryption algorithm aes256-cbc. This keyword is not available in non-FIPS mode.
• The preferred server-to-client HMAC algorithm is sha1-96.
Examples
# Log in to Stelnet server 10.214.50.51, using the following connection scheme:
• The preferred key exchange algorithm is dh-group1.
• The preferred server-to-client encryption algorithm is aes128.
• The preferred client-to-server HMAC algorithm is md5.
• The preferred server-to-client HMAC algorithm is sha1-96.
ssh2 10.214.50.
• zlib-openssh: Specifies the compression algorithm ZLIB@openssh.com.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
• 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode.
• aes128: Specifies the encryption algorithm aes128-cbc.
• aes256: Specifies the encryption algorithm aes256-cbc. This keyword is not available in non-FIPS mode.
• des: Specifies the encryption algorithm des-cbc.
Examples
# Log in to Stelnet server 2000::1, using the following connection scheme:
• The preferred key exchange algorithm is dh-group1.
• The preferred server-to-client encryption algorithm is aes128.
• The preferred client-to-server HMAC algorithm is md5.
• The preferred server-to-client HMAC algorithm is sha1-96.
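The keyword tables above for the ssh2, sftp and scp client commands can be turned into a configuration check: which prefer-* keywords the CLI accepts in non-FIPS and FIPS mode, what an omitted option defaults to, and which keywords in an existing command line would stop working once FIPS mode is enabled. The following is an added example and is not HP code; the keyword sets and defaults are the ones stated in the parameter descriptions on this page, while the simple command-line parser (it collects every "prefer-xxx value" pair and ignores the host, port and file arguments) and the absence of a documented prefer-compress default are this example's own assumptions.

```python
"""Audit the algorithm preferences of an ssh2 / sftp / scp client command line
against the FIPS-mode keyword restrictions documented in the command reference.
Added example; not HP code. Keyword tables and defaults come from the page;
the command-line parser is an assumption of this example."""

PREF_KEYS = ("prefer-kex", "prefer-ctos-cipher", "prefer-stoc-cipher",
             "prefer-ctos-hmac", "prefer-stoc-hmac", "prefer-compress")

# Keywords accepted per option, keyed by FIPS mode (False = non-FIPS, True = FIPS).
ALLOWED = {
    False: {
        "prefer-kex": {"dh-group-exchange", "dh-group1", "dh-group14"},
        "prefer-ctos-cipher": {"3des", "aes128", "des"},
        "prefer-stoc-cipher": {"3des", "aes128", "des"},
        "prefer-ctos-hmac": {"md5", "md5-96", "sha1", "sha1-96"},
        "prefer-stoc-hmac": {"md5", "md5-96", "sha1", "sha1-96"},
        "prefer-compress": {"zlib", "zlib-openssh"},
    },
    True: {
        "prefer-kex": {"dh-group14"},
        "prefer-ctos-cipher": {"aes128", "aes256"},
        "prefer-stoc-cipher": {"aes128", "aes256"},
        "prefer-ctos-hmac": {"sha1", "sha1-96"},
        "prefer-stoc-hmac": {"sha1", "sha1-96"},
        "prefer-compress": {"zlib", "zlib-openssh"},
    },
}

# Documented defaults for an omitted option. No default for compression is
# stated in this section, so it stays None (assumption: no compression).
DEFAULTS = {
    "prefer-kex": {False: "dh-group-exchange", True: "dh-group14"},
    "prefer-ctos-cipher": {False: "aes128", True: "aes128"},
    "prefer-stoc-cipher": {False: "aes128", True: "aes128"},
    "prefer-ctos-hmac": {False: "sha1-96", True: "sha1-96"},
    "prefer-stoc-hmac": {False: "sha1-96", True: "sha1-96"},
    "prefer-compress": {False: None, True: None},
}


def parse_client_command(cmdline):
    """Collect the prefer-* options from an ssh2/sftp/scp command line.
    Other tokens (server address, port, vpn-instance, file paths) are skipped."""
    tokens = cmdline.split()
    if not tokens or tokens[0] not in ("ssh2", "sftp", "scp"):
        raise ValueError("not an ssh2/sftp/scp client command")
    prefs = {}
    i = 1
    while i < len(tokens):
        if tokens[i] in PREF_KEYS:
            if i + 1 >= len(tokens):
                raise ValueError("missing value for " + tokens[i])
            prefs[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return prefs


def check_preferences(prefs, fips):
    """Resolve defaults and report keywords the CLI rejects in the given mode.

    Returns a dict with the effective algorithm per option, the list of errors
    for the requested mode, and 'fips_unavailable': keywords in use that the
    page marks 'not available in FIPS mode' (what would break on a FIPS switch)."""
    effective, errors, fips_unavailable = {}, [], []
    for key in PREF_KEYS:
        value = prefs.get(key, DEFAULTS[key][fips])
        effective[key] = value
        if value is None:
            continue
        if value not in ALLOWED[fips][key]:
            mode = "FIPS" if fips else "non-FIPS"
            errors.append(f"{key} {value} is not available in {mode} mode")
        if value in ALLOWED[False][key] and value not in ALLOWED[True][key]:
            fips_unavailable.append(f"{key} {value}")
    return {"effective": effective, "errors": errors,
            "fips_unavailable": fips_unavailable}


# Constructed command line mirroring the connection scheme of the page's example.
EXAMPLE_CMD = ("ssh2 10.214.50.51 prefer-kex dh-group1 prefer-stoc-cipher aes128 "
               "prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96")

if __name__ == "__main__":
    prefs = parse_client_command(EXAMPLE_CMD)
    for mode in (False, True):
        print("FIPS" if mode else "non-FIPS", check_preferences(prefs, mode))
```

Run against the page's own Stelnet example, the non-FIPS check passes but reports dh-group1 and md5 as keywords that disappear in FIPS mode, and the FIPS check rejects both; an omitted prefer-kex resolves to dh-group14 in FIPS mode as documented.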
Firewall configuration commands
Packet-filter firewall configuration commands
display firewall ipv6 statistics
Use display firewall ipv6 statistics to view the packet filtering statistics of the IPv6 firewall.
Syntax
display firewall ipv6 statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
all: Displays the packet filtering statistics of all interfaces of the IPv6 firewall.
Table 55 Command output
Field | Description
Interface | Interface configured with the IPv6 packet filtering function.
In-bound Policy | Indicates that an IPv6 ACL is configured in the inbound direction of the interface.
Out-bound Policy | Indicates that an IPv6 ACL is configured in the outbound direction of the interface.
acl6 | IPv6 ACL number.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display packet filtering statistics on all interfaces.
display firewall-statistics all
firewall default
Use firewall default to specify the default firewall filtering action of the IPv4 firewall.
Syntax
Standalone mode:
firewall enable { all | slot slot-number }
undo firewall enable
IRF mode:
firewall enable { all | chassis chassis-number slot slot-number }
undo firewall enable
Default
The IPv4 firewall function is disabled.
Views
System view
Default command level
2: System level
Parameters
all: Specifies all interface cards.
slot slot-number: Specifies the interface card in the specified slot. (In standalone mode.
Examples
# Specify the default filtering action of the IPv6 firewall as deny, so that packets are not allowed to pass.
system-view
[Sysname] firewall ipv6 default deny
firewall ipv6 enable
Use firewall ipv6 enable to enable the IPv6 firewall function. Use undo firewall ipv6 enable to disable the IPv6 firewall function.
Syntax
firewall ipv6 enable
undo firewall ipv6 enable
Default
The IPv6 firewall function is disabled.
name acl-name: Specifies the name of a basic or advanced IPv4 ACL, a case-insensitive string of 1 to 63 characters that must start with an English letter a to z or A to Z. To avoid confusion, the word "all" cannot be used as the ACL name.
inbound: Filters packets received by the interface.
outbound: Filters packets forwarded from the interface.
Usage guidelines
You can apply only one IPv4 ACL in one direction of an interface to filter packets.
[Sysname-GigabitEthernet3/0/1] firewall packet-filter ipv6 2500 outbound
reset firewall ipv6 statistics
Use reset firewall ipv6 statistics to clear the packet filtering statistics of the IPv6 firewall.
Syntax
reset firewall ipv6 statistics { all | interface interface-type interface-number }
Views
User view
Default command level
1: Monitor level
Parameters
all: Clears the packet filtering statistics on all interfaces of the IPv6 firewall.
ASPF configuration commands
aspf-policy
Use aspf-policy to create an ASPF policy and enter its view. Use undo aspf-policy to remove an ASPF policy.
Syntax
aspf-policy aspf-policy-number
undo aspf-policy aspf-policy-number
Views
System view
Default command level
2: System level
Parameters
aspf-policy-number: Specifies an ASPF policy number in the range of 1 to 99.
Usage guidelines
A defined ASPF policy can be applied through its policy number.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about all ASPF policies.
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
display aspf policy 1
[ASPF Policy Configuration]
Policy Number 1:
  icmp-error drop
  tcp syn-check
Table 58 Command output
Field | Description
[ASPF Policy Configuration] | ASPF policy configuration information.
Policy Number | ASPF policy number.
icmp-error drop | Drop ICMP error messages.
tcp syn-check | Drop non-SYN packet that is the first packet over a TCP connection.
display port-mapping
Use display port-mapping to view port mapping information.
h323     1720        system defined
http     80          system defined
rtsp     554         system defined
smtp     25          system defined
ike      500         system defined
https    443         system defined
vam      18000       system defined
ssh      22          system defined
Table 59 Command output
Field | Description
SERVICE | Application layer protocol that is mapped to a port.
PORT | Number of the port for the application layer protocol.
ACL | Number of the ACL specifying the host range.
TYPE | Port mapping type, system predefined or user customized.
icmp-error drop
Use icmp-error drop to specify to drop ICMP error messages. Use undo icmp-error drop to restore the default.
Syntax
icmp-error drop
undo icmp-error drop
Default
ICMP error messages are not dropped.
Views
ASPF policy view
Default command level
2: System level
Examples
# Configure ASPF policy 1 to drop ICMP error messages.
acl acl-number: Specifies the IPv4 ACL for indicating the host range. The ACL number is in the range of 2000 to 2999.
Examples
# Map port 3456 to the FTP protocol.
system-view
[Sysname] port-mapping ftp port 3456
Related commands
display port-mapping
tcp syn-check
Use tcp syn-check to specify to drop any non-SYN packet that is the first packet over a TCP connection. Use undo tcp syn-check to restore the default.
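The two ASPF policy checks described in this section, icmp-error drop and tcp syn-check, are stateful decisions: the second one can only be taken by consulting a session table to know whether a TCP packet is the first of its connection. The following is an added example, not HP code, that applies both checks to a constructed packet stream. The packet dictionary layout, the direction-independent 5-tuple used as the session key, and the set of ICMP types counted as error messages (destination unreachable, source quench, redirect, time exceeded, parameter problem) are this example's own assumptions.

```python
"""Stateful ASPF inspection for 'icmp-error drop' and 'tcp syn-check' over a
constructed packet stream. Added example; not HP code. Packet layout, session
key and the ICMP error-type set are assumptions of this example."""

# ICMP message types that carry errors rather than queries (RFC 792 error classes).
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


class AspfPolicy:
    def __init__(self, icmp_error_drop=False, tcp_syn_check=False):
        self.icmp_error_drop = icmp_error_drop   # 'icmp-error drop' configured
        self.tcp_syn_check = tcp_syn_check       # 'tcp syn-check' configured


class SessionTable:
    """Minimal session table keyed on a direction-independent 5-tuple."""

    def __init__(self):
        self._entries = set()

    @staticmethod
    def _key(pkt):
        a = (pkt["src"], pkt.get("sport", 0))
        b = (pkt["dst"], pkt.get("dport", 0))
        return (pkt["proto"],) + tuple(sorted((a, b)))

    def has(self, pkt):
        return self._key(pkt) in self._entries

    def add(self, pkt):
        self._entries.add(self._key(pkt))


def inspect(policy, table, pkt):
    """Return 'drop' or 'permit' for one packet and update the session table."""
    if pkt["proto"] == "icmp":
        if policy.icmp_error_drop and pkt.get("icmp_type") in ICMP_ERROR_TYPES:
            return "drop"
        table.add(pkt)
        return "permit"

    if pkt["proto"] == "tcp":
        first_packet = not table.has(pkt)
        # tcp syn-check: the first packet of a TCP connection must carry SYN.
        # (A stricter implementation would also reject SYN+ACK as a first packet.)
        if policy.tcp_syn_check and first_packet and "SYN" not in pkt["flags"]:
            return "drop"
        table.add(pkt)
        return "permit"

    table.add(pkt)
    return "permit"


def run(policy, packets):
    """Inspect a packet list in order with a fresh session table."""
    table = SessionTable()
    return [inspect(policy, table, p) for p in packets]


# Constructed packet stream: a stray ACK, then a real handshake, then ICMP.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.9", "dport": 80, "flags": {"ACK"}},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.9", "dport": 80, "flags": {"SYN"}},
    {"proto": "tcp", "src": "10.0.0.9", "sport": 80, "dst": "10.0.0.5", "dport": 40000, "flags": {"SYN", "ACK"}},
    {"proto": "icmp", "src": "10.0.0.9", "dst": "10.0.0.5", "icmp_type": 3},   # destination unreachable
    {"proto": "icmp", "src": "10.0.0.5", "dst": "10.0.0.9", "icmp_type": 8},   # echo request
]

if __name__ == "__main__":
    print(run(AspfPolicy(icmp_error_drop=True, tcp_syn_check=True), PACKETS))
```

With both checks on, the lone ACK that opens no session is dropped, the SYN and the SYN+ACK of the real handshake pass, the ICMP destination-unreachable message is dropped and the echo request passes; with an empty policy every packet is permitted.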
ALG configuration commands
alg
Use alg to enable ALG for a protocol. Use undo alg to disable ALG for a protocol.
Syntax
alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }
undo alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }
Default
The ALG feature is enabled for all protocols.
Views
System view
Default command level
2: System level
Parameters
all: Enables ALG for all protocols.
# Disable ALG for DNS.
Session management commands
application aging-time
Use application aging-time to set the aging timer for the sessions of an application layer protocol. Use undo application aging-time to restore the default.
Syntax
application aging-time { dns | ftp | msn | qq | sip } time-value
undo application aging-time [ dns | ftp | msn | qq | sip ]
Default
The default session aging times for the application layer protocols vary with device models.
display application aging-time
Use display application aging-time to display the session aging timers for the application layer protocols.
Syntax
display application aging-time [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Syntax
display session aging-time [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
Syntax
In standalone mode:
display session hardware slot slot-number [ | { begin | exclude | include } regular-expression ]
In IRF mode:
display session hardware chassis chassis-number slot slot-number [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
slot slot-number: Specifies a card by its slot number. The slot-number argument represents the number of the slot where the card resides. (In standalone mode.
Views
Any view
Default command level
1: Monitor level
Parameters
slot slot-number: Specifies a card by its slot number. The slot-number argument represents the number of the slot where the card resides. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument specifies the ID of the IRF member device. The slot-number argument specifies the number of the slot that holds the card.
Field | Description
TTL | Remaining lifetime of the relationship table entry, in seconds.
AllowConn | Number of sessions allowed by the relationship table entry.
Total find | Total number of found relationship table entries.
display session statistics
Use display session statistics to display statistics for the sessions.
Current TCP session(s):        0
  Half-Open:                   0
  Half-Close:                  0
Current UDP session(s):        593951
Current ICMP session(s):       0
Current RAWIP session(s):      0
Current relation table(s):     50000
Session establishment rate:    184503/s
  TCP Session establishment rate:    0/s
  UDP Session establishment rate:    184503/s
  ICMP Session establishment rate:   0/s
  RAWIP Session establishment rate:  0/s
Received TCP:   1538 packet(s)          337567 byte(s)
Received UDP:   86810494849 packet(s)   4340524910260 byte(s)
Received ICMP:  Rec
Field | Description
Dropped TCP | Counts of dropped TCP packets and bytes.
Dropped UDP | Counts of dropped UDP packets and bytes.
Dropped ICMP | Counts of dropped ICMP packets and bytes.
Dropped RAWIP | Counts of dropped Raw IP packets and bytes.
display session table
Use display session table to display information about sessions.
If no slot number is specified, the command displays the sessions on all cards. If multiple keywords are specified, the command displays the sessions that match all these criteria. This command is not supported by the FIP600 card.
Examples
# Display brief information about all sessions.
display session table
Initiator:
  Source      IP/Port : 192.168.1.18/2048
  Dest        IP/Port : 192.168.1.55/768
  Pro                 : ICMP(ICMP(1))
  VPN-Instance/VLAN ID/VLL ID:
Initiator:
  Source      IP/Port : 192.168.1.
Total find: 2
Table 64 Command output
Field | Description
Initiator: | Session information of the initiator.
Responder: | Session information of the responder.
Pro | Transport layer protocol, TCP, UDP, ICMP, or Raw IP.
VPN-Instance/VLAN ID/VLL ID | MPLS L3VPN that the session belongs to and the VLAN and INLINE that the session belongs to during Layer 2 forwarding.
App | Application layer protocol, FTP, DNS, MSN or QQ. Unknown indicates the protocol type of a non-well-known port.
| Session status.
In IRF mode:
reset session [ chassis chassis-number slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type { icmp | raw-ip | tcp | udp } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]
Views
User view
Default command level
2: System level
Parameters
slot slot-number: Specifies a card by its slot number. The slot-number argument represents the number of the slot where the card resides. (In standalone mode.
reset session statistics [ chassis chassis-number slot slot-number ]
Views
User view
Default command level
2: System level
Parameters
slot slot-number: Specifies a card by its slot number. The slot-number argument specifies the slot where the card resides. (In standalone mode)
chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument specifies the ID of the IRF member device. The slot-number argument specifies the number of the slot that holds the card.
rawip-open: Specifies the aging timer for the sessions in the RAWIP_OPEN state.
rawip-ready: Specifies the aging timer for the sessions in the RAWIP_READY state.
syn: Specifies the aging timer for the TCP sessions in the SYN_SENT or SYN_RCV state.
tcp-est: Specifies the aging timer for the TCP sessions in the ESTABLISHED state.
udp-open: Specifies the aging timer for the UDP sessions in the OPEN state.
udp-ready: Specifies the aging timer for the UDP sessions in the READY state.
Default command level
2: System level
Parameters
all: Enables checksum verification for TCP, UDP, and ICMP packets.
icmp: Enables checksum verification for ICMP packets.
tcp: Enables checksum verification for TCP packets.
udp: Enables checksum verification for UDP packets.
Examples
# Enable checksum verification for UDP packets.
system-view
[Sysname] session checksum udp
session early-ageout
Use session early-ageout to set the time value to shorten the session aging time.
If the difference between the session aging time and the value specified by the shorten-time argument is less than 5 seconds, the session aging time becomes 5 seconds.
Examples
# Configure the session aging time to shorten by 100 seconds when the session ratio exceeds 80 percent, and to restore the normal values when the session ratio equals or drops below 20 percent.
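The early-ageout rule combines three things from this section: the per-state timers set with session aging-time, the session usage ratio (current sessions against the session max-entries limit), and the 5-second floor applied when a timer minus shorten-time would drop below 5 seconds. The following is an added example, not HP code, that computes the effective aging timer under those rules with the 80 percent / 20 percent / 100 second values of the page's example. The base timer values are constructed samples (the page says the defaults vary by model), and the hysteresis between the two ratio thresholds is simply what the example text describes: shortening starts above the high ratio and ends at or below the low ratio.

```python
"""Effective session aging time under 'session early-ageout'. Added example;
not HP code. Base timers are constructed samples keyed by the state keywords
of 'session aging-time'; threshold semantics follow the page's example."""

MIN_AGING_TIME = 5   # floor applied when aging_time - shorten_time < 5 seconds

# Constructed sample base timers in seconds (real defaults vary by device model).
BASE_AGING = {
    "syn": 30, "tcp-est": 3600, "udp-open": 30,
    "udp-ready": 60, "rawip-open": 30, "rawip-ready": 60,
}


class EarlyAgeout:
    """Tracks whether the device is in the 'shortened' regime.

    Shortening starts when the session usage ratio exceeds high_ratio and is
    restored when the ratio equals or drops below low_ratio; the gap between
    the two thresholds is hysteresis, so a ratio hovering near one threshold
    does not flap the timers on and off."""

    def __init__(self, high_ratio, low_ratio, shorten_time):
        if not 0 <= low_ratio < high_ratio <= 100:
            raise ValueError("need 0 <= low_ratio < high_ratio <= 100")
        self.high_ratio = high_ratio
        self.low_ratio = low_ratio
        self.shorten_time = shorten_time
        self.shortened = False

    def update(self, current_sessions, max_entries):
        """Feed the current session count and the 'session max-entries' limit;
        return True while the shortened timers are in force."""
        ratio = 100.0 * current_sessions / max_entries
        if not self.shortened and ratio > self.high_ratio:
            self.shortened = True
        elif self.shortened and ratio <= self.low_ratio:
            self.shortened = False
        return self.shortened

    def effective_aging_time(self, state, base=BASE_AGING):
        """Aging timer actually applied to sessions in the given state."""
        timer = base[state]
        if not self.shortened:
            return timer
        # Page rule: if aging time minus shorten-time is less than 5 s, use 5 s.
        return max(timer - self.shorten_time, MIN_AGING_TIME)


if __name__ == "__main__":
    ea = EarlyAgeout(high_ratio=80, low_ratio=20, shorten_time=100)
    for current in (500, 850, 500, 200):   # constructed session counts out of 1000
        ea.update(current, 1000)
        print(current, ea.shortened,
              ea.effective_aging_time("tcp-est"), ea.effective_aging_time("syn"))
```

Note the asymmetry: the 3600-second ESTABLISHED timer loses the full 100 seconds, while the 30-second SYN timer cannot go to negative 70 and is clamped to the 5-second floor, which is the case the paragraph above calls out.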
Default command level
2: System level
Parameters
acl acl-number: Specifies the ACL to be used to match sessions for logging. The value range for the acl-number argument is 2000 to 3999.
inbound: Specifies session logs in the inbound direction.
outbound: Specifies session logs in the outbound direction.
Usage guidelines
If you do not specify the acl acl-number option, the command enables session logging for all sessions on the interface.
Examples
# Set the packet count threshold for session logging to 10 mega-packets.
system-view
[Sysname] session log packets-active 10
session log time-active
Use session log time-active to set the holdtime threshold for session logging. Use undo session log time-active to remove the setting.
Syntax
session log time-active time-value
undo session log time-active
Default
The system does not output session logs based on the holdtime threshold.
Views
System view
Default command level
2: System level
Parameters
max-entries: Specifies the maximum number of sessions. The value range is 1 to 10000000.
slot slot-number: Specifies a card by its slot number. The slot-number argument represents the number of the slot where the card resides. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument specifies the ID of the IRF member device.
Usage guidelines
A never-age-out session is not removed until the device receives a connection close request from the initiator or responder, or you manually clear the session entries. A persistent session rule can reference only one ACL.
Examples
# Configure all sessions matching ACL 2000 as persistent sessions, setting the aging time of the sessions to 72 hours.
Connection limit configuration commands
connection-limit apply policy
Use connection-limit apply policy to apply a connection limit policy to the NAT module. Use undo connection-limit apply policy to remove the application.
Syntax
connection-limit apply policy policy-number
undo connection-limit apply policy policy-number
Views
System view
Default command level
2: System level
Parameters
policy-number: Specifies the number of an existing connection limit policy. The value is 0.
Default command level
2: System level
Parameters
policy-number: Specifies the number of a connection limit policy. The value is 0.
Usage guidelines
A connection limit policy contains a set of rules for limiting the number of connections of a specific user. A policy number uniquely identifies a connection limit policy. After applying a connection limit policy in system view, you cannot modify, add, or remove connection limit rules in the policy.
limit 0 source ip 3.3.3.0 24 source-vpn vpn1 destination ip any protocol tcp max-connections 200 per-source
Table 65 Command output
Field | Description
Connection-limit policy | Number of the connection limit policy.
refcount 0, 1 limits | Number of times that the policy is applied and number of rules in the policy.
limit xxx | Rule in the policy. For more information, see the limit command.
Related commands
limit
limit
Use limit to configure an IP address-based connection limit policy rule.
• dns: Specifies the DNS protocol.
• http: Specifies the HTTP protocol.
• ip: Specifies the IP protocol.
• tcp: Specifies the TCP protocol.
• udp: Specifies the UDP protocol.
max-connections max-num: Specifies the maximum number of the connections.
per-destination: Limits connections by destination IP address.
per-source: Limits connections by source IP address.
per-source-destination: Limits connections by source-destination IP address pair.
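The limit rule shown in the display output above (source 3.3.3.0/24 in VPN vpn1, any destination, protocol tcp, 200 connections per source) is easiest to understand as a counter keyed by whatever the per-source / per-destination / per-source-destination keyword selects. The following is an added example, not HP code, that evaluates such rules against constructed connection attempts and enforces max-connections per counter key. It lowers the limit to 2 so the effect shows in a few lines. Assumptions of this example: the first matching rule decides, a connection that matches no rule is unlimited, and the dns and http protocol keywords are mapped to port 53 (TCP or UDP) and TCP port 80 respectively, which the page does not spell out.

```python
"""Connection limit policy evaluation in the shape of the 'limit' rule.
Added example; not HP code. First-match rule order and the port numbers
behind the 'dns' and 'http' keywords are assumptions of this example."""

import ipaddress
from collections import defaultdict


class LimitRule:
    def __init__(self, rule_id, source, destination, protocol,
                 max_connections, scope, source_vpn=None):
        self.rule_id = rule_id
        self.source = None if source == "any" else ipaddress.ip_network(source)
        self.destination = None if destination == "any" else ipaddress.ip_network(destination)
        self.protocol = protocol              # dns | http | ip | tcp | udp
        self.max_connections = max_connections
        self.scope = scope                    # per-source | per-destination | per-source-destination
        self.source_vpn = source_vpn          # 'source-vpn' keyword, None = no VPN restriction

    def matches(self, conn):
        if self.source_vpn is not None and conn.get("vpn") != self.source_vpn:
            return False
        if self.source and ipaddress.ip_address(conn["src"]) not in self.source:
            return False
        if self.destination and ipaddress.ip_address(conn["dst"]) not in self.destination:
            return False
        return self._protocol_matches(conn)

    def _protocol_matches(self, conn):
        proto, dport = conn["proto"], conn.get("dport")
        if self.protocol == "ip":
            return True
        if self.protocol in ("tcp", "udp"):
            return proto == self.protocol
        if self.protocol == "dns":    # assumption: DNS = port 53 over TCP or UDP
            return dport == 53
        if self.protocol == "http":   # assumption: HTTP = TCP port 80
            return proto == "tcp" and dport == 80
        raise ValueError("unknown protocol keyword " + self.protocol)

    def counter_key(self, conn):
        """The entity whose connections are counted, selected by the scope keyword."""
        if self.scope == "per-source":
            return (self.rule_id, conn["src"])
        if self.scope == "per-destination":
            return (self.rule_id, conn["dst"])
        if self.scope == "per-source-destination":
            return (self.rule_id, conn["src"], conn["dst"])
        raise ValueError("unknown scope " + self.scope)


class ConnectionLimitPolicy:
    def __init__(self, policy_number, rules):
        self.policy_number = policy_number
        self.rules = list(rules)
        self.active = defaultdict(int)        # counter key -> open connections

    def _rule_for(self, conn):
        return next((r for r in self.rules if r.matches(conn)), None)

    def open_connection(self, conn):
        """Return True if the connection may be set up, False if a limit blocks it."""
        rule = self._rule_for(conn)
        if rule is None:
            return True                       # no matching rule: not limited
        key = rule.counter_key(conn)
        if self.active[key] >= rule.max_connections:
            return False
        self.active[key] += 1
        return True

    def close_connection(self, conn):
        rule = self._rule_for(conn)
        if rule is not None:
            key = rule.counter_key(conn)
            if self.active[key] > 0:
                self.active[key] -= 1


def conn(src, dst, proto, dport, vpn="vpn1"):
    """Build a constructed connection attempt."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "vpn": vpn}


# Same shape as the page's rule, with max-connections lowered from 200 to 2:
#   limit 0 source ip 3.3.3.0 24 source-vpn vpn1 destination ip any protocol tcp
#         max-connections 2 per-source
POLICY = ConnectionLimitPolicy(0, [
    LimitRule(0, "3.3.3.0/24", "any", "tcp", 2, "per-source", source_vpn="vpn1"),
])

if __name__ == "__main__":
    for _ in range(3):
        print(POLICY.open_connection(conn("3.3.3.1", "10.9.9.9", "tcp", 443)))
```

The third TCP connection from 3.3.3.1 is refused while a second source in the same subnet, UDP traffic from the same host, a host outside 3.3.3.0/24 and the same host in another VPN all pass, since each either has its own counter or matches no rule; closing a connection frees a slot.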
Web filtering configuration commands
display firewall http activex-blocking
Use display firewall http activex-blocking to display information about ActiveX blocking.
Syntax
display firewall http activex-blocking [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
all: Specifies all ActiveX blocking suffix keywords.
item keywords: Specifies a blocking suffix keyword.
---------------------------------------------
1    5             .OCX
2    0             .vbs
Table 66 Command output
Field | Description
SN | Serial number.
Match-Times | Number of times that a suffix keyword is matched.
Keywords | ActiveX blocking suffix keyword.
# Display detailed ActiveX blocking information.
display firewall http activex-blocking verbose
ActiveX blocking is enabled.
No ACL group has been configured.
There are 5 packet(s) being filtered.
There are 0 packet(s) being passed.
Examples
# Display brief information about Java blocking.
display firewall http java-blocking
Java blocking is enabled.
# Display Java blocking information for a specific suffix keyword.
display firewall http java-blocking item .class
The HTTP request packet including ".class" had been matched for 10 times.
# Display Java blocking information for all suffix keywords.
item keywords: Specifies a filtering keyword. The keywords argument is a case-insensitive string of 1 to 80 characters. Valid characters include 0 to 9, a to z, A to Z, dot (.), hyphen (-), underscore (_), and the wildcards caret (^), dollar sign ($), ampersand (&), and asterisk (*). For the meanings and usage guidelines of the wildcards, see the description of the firewall http url-filter host url-address command.
verbose: Specifies detailed information.
Table 69 Command output
Field | Description
Default method | Default URL address filtering action, permit or deny.
The support for IP address | Support for website IP addresses, permit or deny.
display firewall http url-filter parameter
Use display firewall http url-filter parameter to display information about URL parameter filtering.
# Display URL parameter filtering information for all keywords.
display firewall http url-filter parameter all
SN   Match-Times   Keywords
---------------------------------------------
1    0             ^select$
2    0             ^insert$
3    0             ^update$
4    0             ^delete$
5    0             ^drop$
6    0             --
7    0             ‘
8    0             ^exec$
9    10            %27
10   0             qqqqq
Table 70 Command output
Field | Description
SN | Serial number.
Match-Times | Number of times that the keyword has been matched.
Keywords | URL parameter filtering keyword.
Usage guidelines
After the command takes effect, all web requests containing any suffix keywords in the ActiveX blocking suffix list are processed according to the ACL. You can specify multiple ACLs for ActiveX blocking, but only the last one takes effect. You can specify a non-existing ACL, but ActiveX blocking based on the ACL takes effect only after you create and configure the ACL correctly.
Examples
# Specify the ACL for ActiveX blocking as ACL 2003.
Syntax
firewall http activex-blocking suffix keywords
undo firewall http activex-blocking suffix keywords
Views
System view
Default command level
2: System level
Parameters
keywords: Blocking suffix keyword, a case-insensitive string of 1 to 9 characters. Its starting character must be a dot (.) and the subsequent characters must be digits or English letters.
Usage guidelines
You can add a maximum of 5 ActiveX blocking suffix keywords. You cannot add or remove the default suffix keyword ".
You can specify multiple ACLs for Java blocking, but only the last one takes effect. You can specify a non-existing ACL, but Java blocking based on the ACL takes effect only after you create and configure the ACL correctly.
Examples
# Specify the ACL for Java blocking as ACL 2002.
Views
System view
Default command level
2: System level
Parameters
keywords: Blocking suffix keyword, a case-insensitive string of 1 to 9 characters. Its starting character must be a dot (.) and the subsequent characters must be digits or English letters.
Usage guidelines
You can add a maximum of five Java blocking suffix keywords. You cannot remove the default block suffix keywords .class and .jar.
Examples
# Add .js to the Java blocking suffix list.
Examples
# Specify URL address filtering to permit web requests with website IP addresses permitted by ACL 2000.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 permit source 3.3.3.3 0.0.0.
Default
The URL address filtering function is disabled.
Views
System view
Default command level
2: System level
Examples
# Enable the URL address filtering function.
firewall http url-filter host url-address
Use firewall http url-filter host url-address to add a URL address filtering entry and set the filtering action. Use undo firewall http url-filter host url-address to remove one or all URL address filtering entries.
Syntax
firewall http url-filter host url-address { deny | permit } url-address
undo firewall http url-filter host url-address [ url-address ]
Views
System view
Default command level
2: System level
Parameters
deny: Denies matched URL addresses.
• If an asterisk (*) is present at the beginning of a filtering entry, it must be present in the format *.xxx, where xxx represents a keyword, for example, *.com or *.webfilter.com.
• A filtering entry with only numerals is invalid. To filter a website address like www.123.com, you can define a filtering entry like ^123$, www.123.com, or 123.com, instead of 123. HP recommends that you use exact match to filter numeral website addresses.
Wildcard | Meaning | Usage guidelines
$ | Matches parameters ending with the keyword | It can be present once at the end of a filtering entry.
& | Stands for one valid character | It can be present multiple times at any position of a filtering entry, consecutively or inconsecutively, and cannot be used next to an asterisk (*). If it is present at the beginning or end of a filtering entry, it must be next to a caret (^) or a dollar sign ($).
Views
System view
Default command level
2: System level
Examples
# Enable the URL parameter filtering function.
system-view
[Sysname] firewall http url-filter parameter enable
Related commands
display firewall http url-filter parameter
reset firewall http
Use reset firewall http to clear web filtering statistics.
Attack detection and protection configuration commands attack-defense apply policy Use attack-defense apply policy to apply an attack protection policy to an interface. Use undo attack-defense apply policy to restore the default. Syntax attack-defense apply policy policy-number undo attack-defense apply policy Default No attack protection policy is applied to an interface.
Syntax attack-defense logging enable undo attack-defense logging enable Default Attack protection logging is disabled. Views System view Default command level 2: System level Examples # Enable attack protection logging. system-view [Sysname] attack-defense logging enable attack-defense policy Use attack-defense policy to create an attack protection policy and enter attack protection policy view. Use undo attack-defense policy to remove an attack protection policy.
Related commands display attack-defense policy blacklist enable Use blacklist enable to enable the blacklist function. Use undo blacklist enable to restore the default. Syntax blacklist enable undo blacklist enable Default The blacklist function is disabled. Views System view Default command level 2: System level Usage guidelines After the blacklist function is enabled, you can add blacklist entries manually or configure the device to add blacklist entries automatically.
Default command level 2: System level Parameters source-ip-address: IP address to be added to the blacklist, used to match the source IP address of packets. all: Specifies all blacklist entries. timeout minutes: Specifies an aging time for the blacklist entry. minutes indicates the aging time, and the value range is 1 to 1000, in minutes. If you do not specify the aging time, the blacklist entry never gets aged and always exists unless you delete it manually.
Related commands • defense icmp-flood enable • defense icmp-flood ip • defense icmp-flood rate-threshold • display attack-defense policy defense icmp-flood enable Use defense icmp-flood enable to enable ICMP flood attack protection. Use undo defense icmp-flood enable to restore the default. Syntax defense icmp-flood enable undo defense icmp-flood enable Default ICMP flood attack protection is disabled.
Default
No ICMP flood attack protection thresholds are configured for an IP address.

Views
Attack protection policy view

Default command level
2: System level

Parameters
ip-address: IP address to be protected. This IP address cannot be a broadcast address, 127.0.0.0/8, a class D address, or a class E address.
high rate-number: Sets the action threshold for ICMP flood attack protection of the specified IP address.
Syntax
defense icmp-flood rate-threshold high rate-number [ low rate-number ]
undo defense icmp-flood rate-threshold

Default
The global action threshold is 1000 packets per second and the global silence threshold is 750 packets per second.

Views
Attack protection policy view

Default command level
2: System level

Parameters
high rate-number: Sets the global action threshold for ICMP flood attack protection.
Syntax
defense scan add-to-blacklist
undo defense scan add-to-blacklist

Default
The blacklist function for scanning attack protection is not enabled.

Views
Attack protection policy view

Default command level
2: System level

Usage guidelines
With scanning attack protection enabled, a device checks the connection rate by IP address.
• defense scan max-rate

defense scan blacklist-timeout

Use defense scan blacklist-timeout to specify the aging time for entries blacklisted by scanning attack protection.
Use undo defense scan blacklist-timeout to restore the default, which is 10 minutes.

Syntax
defense scan blacklist-timeout minutes
undo defense scan blacklist-timeout

Views
Attack protection policy view

Default command level
2: System level

Parameters
minutes: Aging time of blacklist entries, in the range of 1 to 1000, in minutes.
Default command level
2: System level

Usage guidelines
With scanning attack protection enabled, a device checks the connection rate by IP address. If the connection rate of an IP address reaches or exceeds the threshold (set by the defense scan max-rate command), the device considers the IP address a scanning attack source and drops subsequent packets from the IP address until it finds that the rate is less than the threshold.

Examples
# Enable scanning attack protection.
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense scan enable
# Set the connection rate threshold for triggering scanning attack protection to 2000 connections per second.
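The rate-based scanning attack protection described under defense scan enable, defense scan max-rate, defense scan add-to-blacklist and defense scan blacklist-timeout, together with the aging rule for blacklist entries (an entry added without a timeout never ages), as an added Python illustration. This is not the router's code; it assumes the connection rate is counted as new connections from a source within the current one-second window, that a source whose count reaches max-rate has its further connections in that window dropped, and that a blacklisted source is dropped regardless of rate until its entry ages out. The connection events and addresses are constructed for the example.

```python
"""Scanning-attack protection with blacklist aging (added illustration,
not HSR6800 code).

Assumptions: the connection rate is the number of new connections from a
source in the current one-second window; once that count reaches max-rate,
further connections in the window are dropped; with add-to-blacklist the
source is blacklisted for blacklist-timeout minutes (default 10).
"""
from typing import Dict, Optional, Tuple


class Blacklist:
    """ip -> absolute expiry time in seconds, or None for 'never ages'."""

    def __init__(self) -> None:
        self.entries: Dict[str, Optional[float]] = {}

    def add(self, ip: str, now: float, timeout_min: Optional[int] = None) -> None:
        # Mirrors 'blacklist ip <ip> [timeout <minutes>]': without a timeout
        # the entry stays until it is deleted manually.
        if timeout_min is not None and not 1 <= timeout_min <= 1000:
            raise ValueError("timeout must be 1..1000 minutes")
        self.entries[ip] = None if timeout_min is None else now + timeout_min * 60

    def contains(self, ip: str, now: float) -> bool:
        if ip not in self.entries:
            return False
        expiry = self.entries[ip]
        if expiry is not None and now >= expiry:
            del self.entries[ip]            # entry has aged out
            return False
        return True


class ScanDefense:
    def __init__(self, max_rate: int = 1000, add_to_blacklist: bool = False,
                 blacklist_timeout: int = 10,
                 blacklist: Optional[Blacklist] = None) -> None:
        self.max_rate = max_rate                    # defense scan max-rate
        self.add_to_blacklist = add_to_blacklist    # defense scan add-to-blacklist
        self.blacklist_timeout = blacklist_timeout  # defense scan blacklist-timeout
        self.blacklist = blacklist if blacklist is not None else Blacklist()
        self.window: Dict[str, Tuple[int, int]] = {}   # ip -> (second, count)

    def new_connection(self, ip: str, now: float) -> str:
        """Decide 'permit' or 'drop' for a new connection attempt from ip."""
        if self.blacklist.contains(ip, now):
            return "drop"
        second = int(now)
        start, count = self.window.get(ip, (second, 0))
        if start != second:                 # a new one-second window starts
            start, count = second, 0
        count += 1
        self.window[ip] = (start, count)
        if count >= self.max_rate:          # rate reaches or exceeds max-rate
            if self.add_to_blacklist:
                self.blacklist.add(ip, now, self.blacklist_timeout)
            return "drop"
        return "permit"


def simulate(events, **kwargs):
    """Replay constructed (ip, time_in_seconds) connection attempts."""
    defense = ScanDefense(**kwargs)
    return [defense.new_connection(ip, t) for ip, t in events]


if __name__ == "__main__":
    # Constructed burst from one source, then a retry after the entry ages out.
    burst = [("203.0.113.5", t) for t in (0.0, 0.1, 0.2, 0.3, 1.5, 601.0)]
    print(simulate(burst, max_rate=3, add_to_blacklist=True))
```

With add-to-blacklist enabled the source stays blocked for the whole blacklist timeout even after its rate drops; without it, blocking lasts only while the per-second count is at or above max-rate, which is the difference between the two outputs of simulate.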
defense syn-flood enable

Use defense syn-flood enable to enable SYN flood attack protection.
Use undo defense syn-flood enable to restore the default.

Syntax
defense syn-flood enable
undo defense syn-flood enable

Default
SYN flood attack protection is disabled.

Views
Attack protection policy view

Default command level
2: System level

Examples
# Enable SYN flood attack protection in attack protection policy 1.
high rate-number: Sets the action threshold for SYN flood attack protection of the specified IP address. The rate-number argument indicates the number of SYN packets sent to the specified IP address per second and is in the range of 1 to 64000.

With SYN flood attack protection enabled, the device enters attack detection state.
Parameters
high rate-number: Sets the global action threshold for SYN flood attack protection. The rate-number argument indicates the number of SYN packets sent to an IP address per second and is in the range of 1 to 64000.

With SYN flood attack protection enabled, the device enters attack detection state.
Examples
# Configure attack protection policy 1 to drop UDP flood packets.
system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense udp-flood action drop-packet

Related commands
• defense udp-flood enable
• defense udp-flood ip
• defense udp-flood rate-threshold
• display attack-defense policy

defense udp-flood enable

Use defense udp-flood enable to enable UDP flood attack protection.
Use undo defense udp-flood enable to restore the default.
Syntax
defense udp-flood ip ip-address rate-threshold high rate-number [ low rate-number ]
undo defense udp-flood ip ip-address [ rate-threshold ]

Default
No UDP flood attack protection thresholds are configured for an IP address.

Views
Attack protection policy view

Default command level
2: System level

Parameters
ip-address: IP address to be protected. This IP address cannot be a broadcast address, 127.0.0.0/8, a class D address, or a class E address.
defense udp-flood rate-threshold

Use defense udp-flood rate-threshold to configure the global action and silence thresholds for UDP flood attack protection. The device uses the global attack protection thresholds to protect the IP addresses for which you do not configure attack protection parameters specifically.
Use undo defense udp-flood rate-threshold to restore the default.
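The threshold behaviour that the ICMP, SYN and UDP flood commands share (a per-IP action/silence pair overriding the global pair, and the device leaving the action state only once the rate falls below the lower silence threshold) as an added Python illustration; this is not the router's code. It assumes the comparison directions the reference leaves implicit for the flood commands: the protection action is taken when a per-second rate reaches or exceeds the action threshold, as the scan-protection wording puts it, and detection resumes when the rate falls below the silence threshold. The per-second rates and addresses are constructed.

```python
"""Flood-protection threshold hysteresis (added illustration, not HSR6800 code).

Assumptions (not spelled out on the page for the flood commands):
  * the action is taken when the per-second rate reaches or exceeds the
    action threshold ("high");
  * detection resumes when the rate falls below the silence threshold ("low").
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threshold:
    high: int   # action threshold, packets/s
    low: int    # silence threshold, packets/s


@dataclass
class FloodDetector:
    # Global thresholds apply to every IP without a specific configuration;
    # 1000/750 are the global ICMP flood defaults stated in the reference.
    global_thr: Threshold = Threshold(1000, 750)
    per_ip: dict = field(default_factory=dict)   # ip -> Threshold
    attacked: set = field(default_factory=set)   # IPs currently in action state

    def set_ip_threshold(self, ip: str, high: int, low: int) -> None:
        """Equivalent of 'defense ... ip <ip> rate-threshold high H low L'."""
        # 1..64000 is the documented range; low <= high is an assumption.
        if not 1 <= low <= high <= 64000:
            raise ValueError("thresholds must satisfy 1 <= low <= high <= 64000")
        self.per_ip[ip] = Threshold(high, low)

    def observe(self, ip: str, rate: int) -> str:
        """Feed one per-second packet rate for a protected IP.

        Returns 'normal', 'attack' (protection action active) or 'silenced'
        (rate fell below the silence threshold; back to detection state).
        """
        thr = self.per_ip.get(ip, self.global_thr)
        if ip in self.attacked:
            if rate < thr.low:
                self.attacked.discard(ip)
                return "silenced"
            return "attack"          # between low and high: keep acting
        if rate >= thr.high:
            self.attacked.add(ip)
            return "attack"
        return "normal"


def replay(samples, per_ip=None):
    """Run (ip, packets_per_second) samples through one detector, in order."""
    det = FloodDetector()
    for ip, (high, low) in (per_ip or {}).items():
        det.set_ip_threshold(ip, high, low)
    return [det.observe(ip, rate) for ip, rate in samples]


if __name__ == "__main__":
    # Constructed sample: one IP under the global thresholds, one with its own.
    samples = [("10.0.0.9", 900), ("10.0.0.9", 1000), ("10.0.0.9", 800),
               ("10.0.0.9", 700), ("192.168.1.1", 500), ("192.168.1.1", 299)]
    print(replay(samples, per_ip={"192.168.1.1": (500, 300)}))
```

The gap between the two thresholds is what stops the protection from flapping on and off when a rate hovers around a single limit; the third sample (800 packets/s, below the action threshold but above the silence threshold) stays in the attack state for that reason.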
• defense udp-flood enable
• display attack-defense policy

display attack-defense policy

Use display attack-defense policy to display configuration information about one or all attack protection policies.

Syntax
display attack-defense policy [ policy-number ] [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
policy-number: Sequence number of an attack protection policy, in the range of 1 to 128.
 Add to blacklist                     : Enabled
 Blacklist timeout                    : 10 minutes
 Max-rate                             : 1000 connections/s
 Signature-detect action              : Drop-packet
-------------------------------------------------------------------------
 ICMP flood attack-defense            : Enabled
 ICMP flood action                    : Syslog
 ICMP flood high-rate                 : 2000 packets/s
 ICMP flood low-rate                  : 750 packets/s
 ICMP flood attack-defense for specific IP addresses:
 IP               High-rate(packets/s)   Low-rate(packets/s)
 192.168.1.1      1000                   500
 192.168.2.
Field                          Description
WinNuke attack-defense         Indicates whether WinNuke attack protection is enabled.
LAND attack-defense            Indicates whether Land attack protection is enabled.
Source route attack-defense    Indicates whether Source Route attack protection is enabled.
Route record attack-defense    Indicates whether Route Record attack protection is enabled.
Scan attack-defense            Indicates whether scanning attack protection is enabled.
 50                None
 128               GigabitEthernet3/0/2

Related commands
attack-defense policy

display attack-defense statistics interface

Use display attack-defense statistics interface to display the attack protection statistics of an interface.
 Route record packets dropped : 100
 Source route attacks         : 1
 Source route packets dropped : 100
 Smurf attacks                : 1
 Smurf packets dropped        : 100
 TCP flag attacks             : 1
 TCP flag packets dropped     : 100
 Tracert attacks              : 1
 Tracert packets dropped      : 100
 WinNuke attacks              : 1
 WinNuke packets dropped      : 100
 Scan attacks                 : 1
 Scan attack packets dropped  : 100
 SYN flood attacks            : 1
 SYN flood packets dropped    : 100
 ICMP flood attacks           : 1
 ICMP flood packets dropped   : 100
 UDP flood attacks            : 1
Field                              Description
Tracert attacks                    Number of detected Tracert attacks.
Tracert packets dropped            Number of Tracert packets dropped.
WinNuke attacks                    Number of detected WinNuke attacks.
WinNuke packets dropped            Number of WinNuke packets dropped.
Scan attacks                       Number of detected scanning attacks.
Scan attack packets dropped        Number of scanning attack packets dropped.
SYN flood attacks                  Number of detected SYN flood attacks.
SYN flood attack packets dropped   Number of SYN flood attack packets dropped.
slot slot-number: Displays information about the blacklist entries on a card. slot-number specifies the number of the slot that holds the card. If you do not specify this option, this command displays information about blacklist entries on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Displays information about the blacklist entries on a card of an IRF member device. The chassis-number argument refers to the ID of the IRF member device.
Related commands
• blacklist enable
• blacklist ip

display flow-statistics statistics

Use display flow-statistics statistics to display traffic statistics on interfaces based on IP addresses.
Examples
# Display the traffic statistics of source IP address 192.168.1.2.
display flow-statistics statistics source-ip 192.168.1.2
 Flow Statistics Information
----------------------------------------------------------
 IP Address                   : 192.168.1.
Views
Any view

Default command level
1: Monitor level

Parameters
interface-type interface-number: Specifies an interface by its type and number.
inbound: Displays traffic statistics in the inbound direction of an interface.
outbound: Displays traffic statistics in the outbound direction of an interface.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Field                             Description
TCP session establishment rate    TCP connection establishment rate.
UDP sessions                      Number of UDP connections.
UDP session establishment rate    UDP connection establishment rate.
ICMP sessions                     Number of ICMP connections.
ICMP session establishment rate   ICMP connection establishment rate.
RAWIP sessions                    Number of RAWIP connections.
RAWIP session establishment rate  RAWIP connection establishment rate.
Table 78 Command output

Field           Description
Protected IP    IP address under the protection of TCP proxy.
Port Number     Destination port number of the TCP connection request. If the value of this field is any, the TCP proxy processes all TCP connection requests destined for the IP address.
Type            Type of the protected IP address. Dynamic indicates that the entry was dynamically added by the device.
Lifetime(min)   Remaining lifetime of the entry. If the value of this field is 0, the entry is deleted.
# You can use the following command to view statistics on packets sent out of the interface with the destination IP address being 2.2.2.2 (you can specify the destination IP address as needed).
[Sysname-GigabitEthernet3/0/1] display flow-statistics statistics destination-ip 2.2.2.2

Related commands
display flow-statistics statistics

reset attack-defense statistics interface

Use reset attack-defense statistics interface to clear the attack protection statistics of an interface.
Parameters
fraggle: Specifies the Fraggle packet attack.
icmp-redirect: Specifies the ICMP redirect packet attack.
icmp-unreachable: Specifies the ICMP unreachable packet attack.
land: Specifies the Land packet attack.
large-icmp: Specifies the large ICMP packet attack.
route-record: Specifies the route record packet attack.
smurf: Specifies the Smurf packet attack.
source-route: Specifies the source route packet attack.
tcp-flag: Specifies the TCP flag packet attack.
Related commands
display attack-defense policy

signature-detect large-icmp max-length

Use signature-detect large-icmp max-length to specify the ICMP packet length threshold that triggers large ICMP attack protection.
Use undo signature-detect large-icmp max-length to restore the default.

Syntax
signature-detect large-icmp max-length length
undo signature-detect large-icmp max-length

Default
An ICMP packet length of 4000 bytes triggers large ICMP attack protection.
Syntax
tcp-proxy enable
undo tcp-proxy enable

Default
The TCP proxy function is disabled on an interface.

Views
Interface view

Default command level
2: System level

Usage guidelines
Usually, the TCP proxy function is used on a device's interfaces connected to external networks to protect internal servers from SYN flood attacks. When detecting a SYN flood attack, the device can take protection actions configured by using the defense syn-flood action command.
Parameters
unidirection: Operates in the unidirectional mode.

Examples
# Set the TCP proxy operating mode to unidirectional.
TCP attack protection configuration commands

display tcp status

Use display tcp status to display status of all TCP connections for monitoring TCP connections.

Syntax
display tcp status [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Chassis 2 Slot 1:
 098c3280   0.0.0.0:23      0.0.0.0:0      Listening
 098c3d20   0.0.0.0:646     0.0.0.0:0      Listening

Table 79 Command output

Field                    Description
*: TCP MD5 Connection    If the status information about a TCP connection contains an asterisk (*), the TCP adopts the MD5 algorithm for authentication.
TCPCB                    TCP control block.
Local Add:port           Local IP address and port number.
Foreign Add:port         Remote IP address and port number.
State                    State of the TCP connection.
Syntax
tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number number
undo tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number

Default
The maximum number of TCP connections in each state is 5.

Views
System view

Default command level
2: System level

Parameters
closing: Specifies the CLOSING state of a TCP connection.
established: Specifies the ESTABLISHED state of a TCP connection.
Syntax
tcp syn-cookie enable
undo tcp syn-cookie enable

Default
The SYN Cookie feature is enabled.

Views
System view

Default command level
2: System level

Examples
# Enable the SYN Cookie feature.
system-view
[Sysname] tcp syn-cookie enable

tcp timer check-state

Use tcp timer check-state to configure the TCP connection state check interval.
Use undo tcp timer check-state to restore the default.
[Sysname] tcp timer check-state 40

Related commands
tcp anti-naptha enable
IP source guard configuration commands

IP source guard configuration commands are available only for SAP interface modules operating in Layer 2 mode.

display ip source binding

Use display ip source binding to display IPv4 source guard entries.
Usage guidelines When you do not use the static keyword, the command displays both static and dynamic IPv4 source guard entries. If you specify neither a port nor an interface card, the command displays static and dynamic IPv4 source guard entries on all ports. When you use the static keyword, the command displays static IPv4 source guard entries. If you specify neither a port nor an interface card, the command displays static IPv4 source guard entries on all ports.
ip source binding

Use ip source binding to configure a static IPv4 source guard entry on a port.
Use undo ip source binding to delete a static IPv4 source guard entry from a port.
Syntax
ip verify source { ip-address | ip-address mac-address | mac-address }
undo ip verify source

Default
The IPv4 source guard function is disabled on a port.

Views
Ethernet interface view, VLAN interface view, port group view

Default command level
2: System level

Parameters
ip-address: Binds source IPv4 addresses to the port.
ip-address mac-address: Binds source IPv4 addresses and MAC addresses to the port.
mac-address: Binds source MAC addresses to the port.
Syntax
ip verify source max-entries number
undo ip verify source max-entries

Default
No limit is set to the number of IPv4 source guard entries on a port.

Views
Layer 2 Ethernet port view

Default command level
2: System level

Parameters
number: Maximum number of IPv4 source guard entries allowed on a port, in the range of 0 to 256.
ARP attack protection configuration commands

IP flood protection configuration commands

arp resolving-route enable

Use arp resolving-route enable to enable ARP blackhole routing.
Use undo arp resolving-route enable to disable the function.

Syntax
arp resolving-route enable
undo arp resolving-route enable

Default
ARP blackhole routing is disabled.

Views
System view

Default command level
2: System level

Examples
# Enable ARP blackhole routing.
Examples
# Enable the ARP source suppression function.
system-view
[Sysname] arp source-suppression enable

Related commands
display arp source-suppression

arp source-suppression limit

Use arp source-suppression limit to set the maximum number of unresolvable IP packets that can be received from a device in five seconds. Unresolvable IP packets refer to packets that cannot be resolved by ARP.
Use undo arp source-suppression limit to restore the default value, which is 10.
Default command level
2: System level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
Views
System view

Default command level
2: System level

Parameters
disable: Disables ARP packet rate limit.
rate pps: Specifies the ARP packet rate in pps, in the range of 5 to 8192.
drop: Discards the exceeded packets.
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument specifies the ID of the IRF member device.
Examples
# Enable ARP packet source MAC address consistency check.
system-view
[Sysname] arp anti-attack valid-check enable

ARP active acknowledgement configuration commands

arp anti-attack active-ack enable

Use arp anti-attack active-ack enable to enable the ARP active acknowledgement function.
Use undo arp anti-attack active-ack enable to restore the default.
Syntax
arp authorized enable
undo arp authorized enable

Default
Authorized ARP is not enabled on the interface.

Views
Layer 3 Ethernet interface view

Default command level
2: System level

Examples
# Enable authorized ARP on GigabitEthernet 3/0/1.
system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] arp authorized enable

ARP detection configuration commands

NOTE: The commands of this feature are supported only when SAP modules operate in bridge mode.
permit: Permits the matching ARP packets.
ip { any | ip-address [ ip-address-mask ] }: Specifies the sender IP address range.
• any: Matches any sender IP address.
• ip-address: Matches a sender IP address.
• ip-address-mask: Specifies the mask for the sender IP address in dotted decimal format. If no mask is specified, the ip-address argument specifies a host IP address.
mac { any | mac-address [ mac-address-mask ] }: Specifies the sender MAC address range.
• any: Matches any sender MAC address.
Examples
# Enable ARP detection for VLAN 2.
system-view
[Sysname] vlan 2
[Sysname-Vlan2] arp detection enable

arp detection trust

Use arp detection trust to configure the port as an ARP trusted port.
Use undo arp detection trust to restore the default.

Syntax
arp detection trust
undo arp detection trust

Default
The port is an ARP untrusted port.

Views
Layer 2 Ethernet interface view

Default command level
2: System level

Examples
# Configure GigabitEthernet 3/0/1 as an ARP trusted port.
Parameters
dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
ip: Checks the source and destination IP addresses of ARP packets. The all-zero, all-one, or multicast IP addresses are considered invalid and the corresponding packets are discarded.
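The ARP packet validity checks described here (dst-mac and ip), together with the source MAC address consistency check enabled by arp anti-attack valid-check above, as an added Python example that parses a raw Ethernet/ARP frame. This is not HSR6800 code; the frames, MAC addresses and IP addresses are constructed for the example, and the check names are the command keywords as they appear on this page.

```python
"""ARP packet validity checks over raw frames (added illustration, not HSR6800 code).

Implements three checks the reference describes: the source MAC consistency
check (sender hardware address against the Ethernet source address),
'dst-mac' (target hardware address of ARP responses against the Ethernet
destination) and 'ip' (all-zero, all-one or multicast sender/target IP).
"""
import ipaddress
import struct

ZERO_MAC = bytes(6)
BCAST_MAC = b"\xff" * 6
ETHERTYPE_ARP = 0x0806


def mac(text: str) -> bytes:
    """'00:11:22:33:44:55' or '0011-2233-4455' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def build_arp_frame(eth_dst, eth_src, opcode, sha, spa, tha, tpa) -> bytes:
    """Ethernet II header + ARP for IPv4 over Ethernet (opcode 1=request, 2=reply)."""
    header = mac(eth_dst) + mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + mac(sha) + ipaddress.IPv4Address(spa).packed
            + mac(tha) + ipaddress.IPv4Address(tpa).packed)
    return header + body


def parse_arp_frame(frame: bytes) -> dict:
    """Parse the Ethernet and ARP headers; raises ValueError on non-ARP input."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "eth_dst": eth_dst, "eth_src": eth_src, "op": op,
        "sha": frame[22:28], "spa": ipaddress.IPv4Address(frame[28:32]),
        "tha": frame[32:38], "tpa": ipaddress.IPv4Address(frame[38:42]),
    }


def _bad_ip(addr: ipaddress.IPv4Address) -> bool:
    # all-zero, all-one, or multicast (class D) addresses are invalid
    return addr in (ipaddress.IPv4Address("0.0.0.0"),
                    ipaddress.IPv4Address("255.255.255.255")) or addr.is_multicast


def arp_validity_failures(frame: bytes, checks=("src-mac", "dst-mac", "ip")) -> list:
    """Return the names of the enabled checks the frame fails (empty list = valid)."""
    p = parse_arp_frame(frame)
    failed = []
    if "src-mac" in checks and p["sha"] != p["eth_src"]:
        failed.append("src-mac")
    if "dst-mac" in checks and p["op"] == 2:        # responses only
        if p["tha"] in (ZERO_MAC, BCAST_MAC) or p["tha"] != p["eth_dst"]:
            failed.append("dst-mac")
    if "ip" in checks and (_bad_ip(p["spa"]) or _bad_ip(p["tpa"])):
        failed.append("ip")
    return failed


if __name__ == "__main__":
    # Constructed reply whose target MAC is the broadcast address.
    frame = build_arp_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 2,
                            "66:77:88:99:aa:bb", "10.0.0.2",
                            "ff:ff:ff:ff:ff:ff", "10.0.0.1")
    print(arp_validity_failures(frame))
```

One consequence worth knowing before enabling the ip check: an address-conflict probe as specified in RFC 5227 carries a sender IP of 0.0.0.0 and would fail it, so hosts relying on such probes should be accounted for when the check is turned on.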
Views
Any view

Default command level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
Examples
# Display the ARP detection statistics of all interfaces.
display arp detection statistics
State: U-Untrusted T-Trusted
ARP packets dropped by ARP inspect checking:
Interface(State)   IP    Src-MAC   Dst-MAC   Inspect
GE3/0/1(U)         40    0         0         78
GE3/0/2(U)         0     0         0         0
GE3/0/3(T)         0     0         0         0
GE3/0/4(U)         0     0         30        0

Table 82 Command output

Field              Description
Interface(State)   State T or U identifies a trusted or untrusted port.
ARP automatic scanning and fixed ARP configuration commands

arp fixup

Use arp fixup to change the existing dynamic ARP entries into static ARP entries. You can use this command again to change the dynamic ARP entries learned later into static.

Syntax
arp fixup

Views
System view

Default command level
2: System level

Usage guidelines
The static ARP entries changed from dynamic ARP entries have the same attributes as the manually configured static ARP entries.
Default command level
2: System level

Parameters
start-ip-address: Specifies the start IP address of the scanning range.
end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.

Usage guidelines
If the start IP and end IP addresses are specified, the device scans the specific address range for neighbors and learns their ARP entries, so that the scanning time is reduced.
undo arp filter source ip-address

Default
ARP gateway protection is disabled.

Views
Layer 2 Ethernet interface view, Layer 2 aggregate interface view

Default command level
2: System level

Parameters
ip-address: Specifies the IP address of a protected gateway.

Usage guidelines
You can enable ARP gateway protection for up to eight gateways on a port.
You cannot configure both arp filter source and arp filter binding commands on a port.
Parameters
ip-address: Specifies a permitted sender IP address.
mac-address: Specifies a permitted sender MAC address.

Usage guidelines
You can configure up to eight ARP filtering entries on a port.
You cannot configure both arp filter source and arp filter binding commands on a port.

Examples
# Configure an ARP filtering entry with permitted sender IP address 1.1.1.1 and MAC address 2-2-2.
system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] arp filter binding 1.
ND attack defense configuration commands

ipv6 nd mac-check enable

Use ipv6 nd mac-check enable to enable source MAC consistency check for ND packets.
Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND packets.

Syntax
ipv6 nd mac-check enable
undo ipv6 nd mac-check enable

Default
Source MAC consistency check is disabled for ND packets.
URPF configuration commands

ip urpf

Use ip urpf to enable URPF check on an interface to prevent source address spoofing attacks.
Use undo ip urpf to disable URPF check.

Syntax
ip urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]
undo ip urpf

Default
URPF check is disabled.

Views
Interface view

Default command level
2: System level

Parameters
loose: Enables loose URPF check.
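The difference between the loose and strict keywords and the effect of allow-default-route, as an added Python example over a small forwarding table; this is not the router's implementation. It assumes a longest-prefix-match lookup, that strict mode requires the best route for the source address to point back out the ingress interface while loose mode only requires some route to exist, and that without allow-default-route a source matched only by the default route (0.0.0.0/0) fails the check. The acl option is not modelled, and the routing table and interface names are constructed.

```python
"""URPF loose/strict check over a small FIB (added illustration, not HSR6800 code).

Assumptions: longest-prefix-match lookup; 'strict' requires the best route
for the source to point out the ingress interface, 'loose' only requires
some route to exist; without allow-default-route a match on 0.0.0.0/0 does
not count. The 'acl' option of ip urpf is not modelled.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (prefix, outgoing interface)

# Constructed forwarding table for the example.
FIB: List[Route] = [
    (ipaddress.ip_network("10.1.0.0/16"), "GigabitEthernet3/0/1"),
    (ipaddress.ip_network("10.2.0.0/16"), "GigabitEthernet3/0/2"),
    (ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet3/0/3"),   # default route
]


def lookup(fib: List[Route], addr: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match; None when no route covers addr."""
    matches = [r for r in fib if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def urpf_permit(fib: List[Route], src_ip: str, ingress: str, mode: str = "strict",
                allow_default_route: bool = False) -> bool:
    """True if a packet with source src_ip arriving on ingress passes the check."""
    if mode not in ("loose", "strict"):
        raise ValueError("mode must be 'loose' or 'strict'")
    route = lookup(fib, ipaddress.ip_address(src_ip))
    if route is None:
        return False                    # no route back to the source at all
    prefix, out_iface = route
    if prefix.prefixlen == 0 and not allow_default_route:
        return False                    # only the default route covers the source
    if mode == "loose":
        return True                     # any route to the source suffices
    return out_iface == ingress         # strict: reverse path must be the ingress


if __name__ == "__main__":
    # Constructed packets: (source, ingress interface)
    for src, ifc in [("10.1.5.5", "GigabitEthernet3/0/1"),
                     ("10.1.5.5", "GigabitEthernet3/0/2"),
                     ("192.0.2.1", "GigabitEthernet3/0/3")]:
        print(src, ifc, "strict:", urpf_permit(FIB, src, ifc),
              "loose:", urpf_permit(FIB, src, ifc, mode="loose"))
```

Strict mode is the right fit where routing is symmetric (a single path to each source); on interfaces where return traffic may legitimately arrive over a different path, loose mode avoids dropping it while still rejecting sources for which no route exists.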
FIPS configuration commands

display fips status

Use display fips status to display the current FIPS mode state.

Syntax
display fips status

Views
Any view

Default command level
1: Monitor level

Examples
# Display the current FIPS mode state.
display fips status
FIPS mode is enabled

Related commands
fips mode enable

fips mode enable

Use fips mode enable to enable FIPS mode.
Use undo fips mode enable to disable FIPS mode.
1. Enable FIPS mode.
2. Enable the password control function.
3. Configure the username and password to log in to the device in FIPS mode. The password must include at least 10 characters and must contain uppercase and lowercase letters, digits, and special characters.
4. Delete all MD5-based digital certificates.
5. Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.
6. Save the configuration.
Default command level
3: Manage level

Usage guidelines
To examine whether the cryptography modules operate correctly, you can use this command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the self-test fails, the device automatically reboots.

Examples
# Trigger a self-test on the cryptographic algorithms.
system-view
[Sysname] fips self-test
Self-tests are running. Please wait...
Self-tests succeeded.
Group Domain VPN commands

KS configuration commands

display gdoi ks

Use display gdoi ks to display GDOI KS information.

Syntax
display gdoi ks [ group group-name ]

Views
User view

Default command level
1: Monitor level

Parameters
group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command displays KS information for all GDOI KS groups.

Examples
# Display KS information for the GDOI KS group abc.
# Display KS information for all GDOI KS groups.
display gdoi ks
Group Name: abc
  Group identity      : 8
  Group members       : 0
  Redundancy          : Enabled
    Local address     : 105.112.100.2
    Local version     : 1.
    Profile name      : profile-xyz2
    ACL configured    : 3001

Table 83 Command output

Field            Description
Group Name       Name of the GDOI KS group.
Group identity   KS group identity, a number or an IPv4 address. If no identity is configured, this field is blank.
Group members    Number of online GMs in the GDOI KS group.
Redundancy       Redundancy information for the GDOI KS group.
Local role       Role of the local KS in the redundancy:
                 • Primary—Primary KS.
                 • Secondary—Secondary KS.
                 • Initial—In initializing state.
Examples
# Display ACLs referenced by the GDOI KS group abc.
display gdoi ks acl group abc
Group Name: abc
  ACL abc
    rule 0 permit ip source 1.1.1.2 0 destination 2.2.2.3 0
    rule 1 permit tcp source 1.1.0.0 0.0.255.255 destination 2.2.0.0 0.0.255.255
    rule 2 permit ip
# Display ACLs referenced by all GDOI KS groups.
display gdoi ks acl
Group Name: abc
  ACL abc
    rule 0 permit ip source 1.1.1.2 0 destination 2.2.2.3 0
    rule 1 permit tcp source 1.1.0.0 0.0.255.255 destination 2.2.0.0 0.0.255.
Usage guidelines
If you do not specify the group group-name option, the command displays information about online GMs with the specified IP address in all GDOI KS groups.
If you do not specify the ip ip-address option, the command displays information about all online GMs in the specified GDOI KS group.
If you do not specify any parameter, the command displays information about all online GMs in all GDOI KS groups.

Examples
# Display information about all online GMs in all GDOI KS groups.
display gdoi ks policy

Use display gdoi ks policy to display policy information for GDOI KS groups.

Syntax
display gdoi ks policy [ group group-name ]

Views
User view

Default command level
1: Monitor level

Parameters
group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command displays policy information for all GDOI KS groups.

Examples
# Display policy information for all GDOI KS groups.
Field                Description
SPI                  SPI of the rekey SA or that of the IPsec SA.
Lifetime             KEK or TEK lifetime.
Remaining lifetime   Remaining time of the KEK or TEK lifetime.
Signature key name   Name of the key pair used for signature.
Encapsulation        IPsec encapsulation mode for IP packets: Tunnel or Transport.
ACL                  Number or name of the ACL referenced.
Transform            Name of the IPsec transform set referenced.
    Peer priority     : Unknown
    Peer role         : Unknown
    Peer status       : Down
    Peer address      : 172.1.1.1
    Peer version      : 1.0
    Peer priority     : 100
    Peer role         : Secondary
    Peer status       : Ready

Table 87 Command output

Field             Description
Group Name        GDOI KS group name.
Local role        Role of the local KS in the redundancy:
                  • Primary—Primary KS.
                  • Secondary—Secondary KS.
                  • Initial—In initializing state.
                  • Electing—Electing the primary KS.
Primary address   IP address of the primary KS.
Peers             Peer KS information.
Default command level
1: Monitor level

Parameters
group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command displays rekey information for all GDOI KS groups.

Examples
# Display rekey information for all GDOI KS groups.
Table 88 Command output

Field                Description
Group Name           GDOI KS group name.
IPsec 1 lifetime     SA lifetime of IPsec policy 1, in seconds.
Remaining lifetime   Remaining time of the KEK or IPsec SA, in seconds.

gdoi ks group

Use gdoi ks group to create a GDOI KS group and enter GDOI KS group view.
Use undo gdoi ks group to delete a GDOI KS group.

Syntax
gdoi ks group group-name
undo gdoi ks group group-name

Default
No GDOI KS group exists.
Default
The GDOI KS listens to UDP port 19000 for redundancy protocol packets.

Views
System view

Default command level
2: System level

Parameters
port-number: Specifies a UDP port number in the range of 1 to 65535.

Usage guidelines
A GDOI KS uses the UDP port number configured in this command to send and receive redundancy protocol packets to and from other KSs. All KSs in the same GDOI KS group must use the same UDP port number.
Examples
# Enforce the GDOI KS group abc to rekey.
gdoi ks rekey group abc

identity address

Use identity address to configure an IP address for the GDOI KS group.
Use undo identity to delete the IP address of the GDOI KS group.

Syntax
identity address address
undo identity

Default
No IP address is configured for a GDOI KS group.

Views
GDOI KS group view

Default command level
2: System level

Parameters
address: Specifies any valid IPv4 address to identify the GDOI KS group.
Default
No number is configured for a GDOI KS group.

Views
GDOI KS group view

Default command level
2: System level

Parameters
number: Specifies a number in the range of 0 to 2147483647 to identify the GDOI KS group.

Usage guidelines
You can configure only one type of ID (either an IP address or a number) for a GDOI KS group. A GDOI KS group uses the IP address or the number, whichever is configured later.

Examples
# Configure the number of the GDOI KS group abc as 123456.
Deleting an IPsec policy from a GDOI KS group also deletes the TEK that corresponds to that IPsec policy.

Examples
# Create IPsec policy 10 for the GDOI KS group abc and enter its view.
system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] ipsec 10
[Sysname-gdoi-ks-group-abc-ipsec-10]

Related commands
gdoi ks group

local priority

Use local priority to configure the GDOI KS local priority.
Use undo local priority to restore the default.
Related commands
• gdoi ks group
• redundancy enable

peer address

Use peer address to specify the IP address of a peer KS.
Use undo peer address to delete a peer KS IP address.

Syntax
peer address ip-address
undo peer address ip-address

Default
No IP address of a peer KS is specified.

Views
GDOI KS group view

Default command level
2: System level

Parameters
ip-address: Specifies the IP address of a peer KS.
Use undo profile to remove the IPsec profile referenced by the GDOI KS group IPsec policy.

Syntax
profile ipsec-profile-name
undo profile

Default
A GDOI KS group IPsec policy does not reference any IPsec profile.

Views
GDOI KS group IPsec policy view

Default command level
2: System level

Parameters
ipsec-profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 15 characters.
Usage guidelines
GDOI KS redundancy enables a group of KSs to work together for high availability and load sharing. One KS is the primary KS, and others are secondary KSs. Secondary KSs back up data for the primary KS and can accept registrations from GMs.

Examples
# Enable KS redundancy in GDOI KS group abc.
When the primary KS detects a disconnection from a secondary KS, it informs the secondary KS of the disconnection through hello packets. The secondary KS tries to re-establish a connection with the primary KS if it receives the hello packet. If the connection cannot be established, primary KS re-election is triggered.
Do not set a long hello packet sending interval. Otherwise, secondary KSs cannot promptly detect a primary KS failure or a link failure.
On a network with poor link quality, you can increase the retransmission interval or the retransmission number to avoid a KS split. If a KS loses contact with the primary KS, it splits from the KS group and elects itself as the primary KS. The KS group might then have multiple primary KSs.

Examples
# Set the redundancy protocol packet retransmission interval to 30 seconds, and the maximum number of retransmissions to 3.
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] rekey acl 3000
Related commands
• gdoi ks group
• source address
rekey authentication
Use rekey authentication to specify the key pair to be used by the KS during a rekey. Use undo rekey authentication to remove the specified key pair.
Syntax
rekey authentication public-key rsa key-name
undo rekey authentication
Default
No key pair is specified for a rekey.
Syntax
rekey encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc }
undo rekey encryption
Default
The encryption algorithm is 3des-cbc.
Views
GDOI KS group view
Default command level
2: System level
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the rekey encryption algorithm as AES-CBC-192 for the GDOI KS group abc.
Examples
# Configure the KEK lifetime as 3600 seconds for the GDOI KS group abc.
system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] rekey lifetime seconds 3600
Related commands
gdoi ks group
rekey retransmit
Use rekey retransmit to specify the interval between rekey retransmissions and the maximum number of retransmissions.
undo rekey transport unicast
Default
The KS multicasts rekey messages.
Views
GDOI KS group view
Default command level
2: System level
Examples
# Configure the GDOI KS group abc to unicast rekey messages.
system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] rekey transport unicast
Related commands
gdoi ks group
reset gdoi ks
Use reset gdoi ks to clear GDOI KS group information, including keys, online GMs, and the role in redundancy backup.
Views
User view
Default command level
2: System level
Parameters
group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command clears GM information for all GDOI KS groups.
Usage guidelines
This command takes effect only on the primary KS.
Examples
# Clear GM information for the GDOI KS group abc.
Default
No ACL is referenced.
Views
GDOI KS group IPsec policy view
Default command level
2: System level
Parameters
access-list-number: Specifies an ACL by its number in the range of 3000 to 3999.
name access-list-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
The GDOI KS sends the ACL to GMs, which use the ACL to filter traffic and so determine the traffic to be protected by TEKs.
Parameters
ip-address: Specifies any valid IPv4 address.
Usage guidelines
Perform this task to specify the source address for GROUPKEY-PUSH protocol packets and redundancy protocol packets sent by the KS.
Examples
# Specify the source address for the GDOI KS group abc as 11.1.1.1.
system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] source address 11.1.1.
Related commands
gdoi gm group
display gdoi gm
Use display gdoi gm to display GDOI GM group information, including GDOI configuration parameters, negotiation parameters, and the IPsec information obtained after successful registrations.
Syntax
display gdoi gm [ group group-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
group group-name: Displays information about the specified GDOI GM group.
    Last rekey seq num        : 3
    Multicast rekeys received : 1
    Allowable rekey cipher    : Any
    Allowable rekey hash      : Any
    Allowable transform       : Any
    Rekeys Cumulative
        Total received            : 5
        After latest registration : 3
    Rekey received (hh:mm:ss) : 00:02:11
    ACL Downloaded From KS 90.1.1.
Field - Description
IPsec SA Direction - IPsec SA direction: Both or Inbound (not supported at present).
Group Server List - KS IP address list in the GDOI GM group. The list can contain eight addresses at most.
Group Member - IP address of the GM.
VPN instance - VPN instance name of the MPLS L3VPN to which the GM belongs.
Registration status - Registration status: Registered, Registering, or Not registered.
Registered with - IP address of the KS with which the GM registers.
Field - Description
rule 0 deny udp source-port eq 848 destination-port eq 848 - Indicates that any UDP packets whose source and destination port numbers are both 848 do not need to be protected by IPsec.
rule 1 deny ospf - Indicates that OSPF protocol packets do not need to be protected by IPsec.
rule 2 permit icmp - Indicates that any ICMP packets need to be protected by IPsec.
Rekey transport type - Transport type of rekey messages: Multicast or Unicast.
Lifetime (sec) - KEK lifetime, in seconds.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Field - Description
rule 1 permit ip source 12.1.1.0 0.0.0.255 destination 12.1.1.0 0.0.0.255 - Indicates that IPsec protects IP packets whose source and destination addresses are within subnet 12.1.1.0/24.
rule 0 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 - Indicates that IPsec does not protect IP packets whose source and destination addresses are within subnet 10.1.1.0/24.
display gdoi gm ipsec sa
Use display gdoi gm ipsec sa to display IPsec SA information obtained by GMs.
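The two rule tables above (the port-848/OSPF/ICMP rules and the 10.1.1.0/24 and 12.1.1.0/24 rules) explain individual ACL lines one at a time. The following Python script, added here as an example and not part of HP's documentation or software, evaluates a whole downloaded ACL the way those tables describe, reporting for a given packet whether a GM would protect it with the TEK and which rule decided. The rule set is constructed from the rule lines shown in the tables, renumbered 0 to 4 so they form one list. The matching semantics are assumptions, not something the page states: rules are tried in the order listed, the first match wins, permit means protect, deny means send in clear, a packet that matches no rule is not protected, and the address masks are wildcard masks whose 1 bits are don't-care.

```python
"""Evaluate the traffic-selection ACL a GDOI KS pushes to its GMs.

Added example, not HP code. Assumed semantics (not stated on the page):
rules are tried in the order listed and the first match decides; permit
means "protect with the TEK", deny means "send in clear"; a packet matching
no rule is not protected; address masks are wildcard masks (1 bits are
don't-care).
"""
import ipaddress
import re

# Constructed rule set built from the rule lines the reference explains,
# renumbered 0-4 so they form a single ACL.
SAMPLE_RULES = [
    "rule 0 deny udp source-port eq 848 destination-port eq 848",   # GDOI itself
    "rule 1 deny ospf",
    "rule 2 permit icmp",
    "rule 3 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255",
    "rule 4 permit ip source 12.1.1.0 0.0.0.255 destination 12.1.1.0 0.0.0.255",
]

RULE_RE = re.compile(r"^rule\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)(?P<opts>.*)$")
SRC_RE = re.compile(r"\bsource\s+(\S+)\s+(\S+)")
DST_RE = re.compile(r"\bdestination\s+(\S+)\s+(\S+)")
SPORT_RE = re.compile(r"\bsource-port\s+eq\s+(\d+)")
DPORT_RE = re.compile(r"\bdestination-port\s+eq\s+(\d+)")


def parse_rule(line):
    """Turn one 'rule N permit|deny proto ...' line into a dict."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised rule: %r" % line)
    opts = m.group("opts")

    def addr(rx):
        a = rx.search(opts)
        return (ipaddress.IPv4Address(a.group(1)), ipaddress.IPv4Address(a.group(2))) if a else None

    def port(rx):
        p = rx.search(opts)
        return int(p.group(1)) if p else None

    return {"num": int(m.group("num")), "action": m.group("action"), "proto": m.group("proto"),
            "src": addr(SRC_RE), "dst": addr(DST_RE), "sport": port(SPORT_RE), "dport": port(DPORT_RE)}


def addr_matches(spec, ip):
    """spec is (network, wildcard) or None for 'any'."""
    if spec is None:
        return True
    net, wild = spec
    care = 0xFFFFFFFF ^ int(wild)          # bits that must be equal
    return int(ipaddress.IPv4Address(ip)) & care == int(net) & care


def rule_matches(rule, proto, src, dst, sport, dport):
    """True when the packet fields satisfy every qualifier the rule carries."""
    if rule["proto"] not in ("ip", proto):
        return False
    if not addr_matches(rule["src"], src) or not addr_matches(rule["dst"], dst):
        return False
    if rule["sport"] is not None and rule["sport"] != sport:
        return False
    return rule["dport"] is None or rule["dport"] == dport


def is_protected(rules, proto, src, dst, sport=None, dport=None):
    """Return (protected, deciding rule number); the number is None when no rule matched."""
    for rule in rules:
        if rule_matches(rule, proto, src, dst, sport, dport):
            return rule["action"] == "permit", rule["num"]
    return False, None


RULES = [parse_rule(r) for r in SAMPLE_RULES]

if __name__ == "__main__":
    for pkt in (("udp", "80.1.1.1", "90.1.1.1", 848, 848), ("icmp", "10.1.1.1", "12.1.1.1", None, None),
                ("tcp", "12.1.1.5", "12.1.1.9", 40000, 22), ("tcp", "12.1.1.5", "203.0.113.9", 40000, 443)):
        print(pkt, is_protected(RULES, *pkt))
```

Running the script against a downloaded ACL before rolling a policy out shows which flows will travel in clear (the GDOI registration traffic on UDP 848 and OSPF here) and which flows fall through every rule and are therefore left unprotected.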
    IPsec SA:
        SPI: 0xDCC66F7B(3703992187)
        Transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
        SA timing: remaining key lifetime (sec): 190
        Anti-replay detection: Disabled
Table 91 Command output
Field - Description
Interface - Name of the interface bound to the IPsec SA.
Transform - Transform set.
remaining key lifetime (sec) - Remaining lifetime of the IPsec SA, in seconds.
anti-replay window size(time based) - Time-based anti-replay window size, in seconds.
Group Member Information For Group GDOI-GROUP1:
    IPsec SA Direction       : Both
    Group Member             : 80.1.1.1
    VPN instance             : vpn1
    Registration status      : Registered
    Registered with          : 90.1.1.1
    Re-register in           : 308 sec
    Succeeded registrations  : 1131
    Attempted registrations  : 1139
    Last rekey from          : 90.1.1.
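The display gdoi gm output above is what an operator reads by hand. The following Python script, added here as an example and not HP code, parses that Field : Value layout and runs a few defender-side checks on it: whether the GM is registered, whether it registered with one of the KSs it is supposed to use, how many registrations failed, and whether it accepts any rekey cipher or hash. The sample output is constructed from the values shown on this page (the Last rekey from address, truncated on the page, is constructed as 90.1.1.1, the KS shown under Registered with); the expected-KS set and the 5 % failure threshold are assumptions.

```python
"""Defender-side checks over `display gdoi gm` output.

Added example, not HP code. It assumes the "Field : Value" layout that the
command reference prints; SAMPLE_OUTPUT is constructed from the values shown
there (the Last rekey from address is constructed as 90.1.1.1), not captured
from a device.
"""
import re

# Constructed sample modelled on the reference output for group GDOI-GROUP1.
SAMPLE_OUTPUT = """\
Group Member Information For Group GDOI-GROUP1:
    IPsec SA Direction       : Both
    Group Member             : 80.1.1.1
    VPN instance             : vpn1
    Registration status      : Registered
    Registered with          : 90.1.1.1
    Re-register in           : 308 sec
    Succeeded registrations  : 1131
    Attempted registrations  : 1139
    Last rekey from          : 90.1.1.1
    Last rekey seq num       : 3
    Multicast rekeys received: 1
    Allowable rekey cipher   : Any
    Allowable rekey hash     : Any
    Allowable transform      : Any
    Rekey received (hh:mm:ss): 00:02:11
"""

# A field line is "key : value"; the lazy key stops at the first colon that is
# followed by whitespace, so "Rekey received (hh:mm:ss): 00:02:11" splits correctly.
FIELD_RE = re.compile(r"^\s*(?P<key>.+?)\s*:\s+(?P<val>.*\S)\s*$")
GROUP_RE = re.compile(r"For Group (?P<name>\S+):\s*$")


def parse_gm_output(text):
    """Return {group name: {field: value}} for every group block in the output."""
    groups, current = {}, None
    for line in text.splitlines():
        header = GROUP_RE.search(line)
        if header:
            current = groups.setdefault(header.group("name"), {})
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            current[field.group("key")] = field.group("val")
    return groups


def first_int(value):
    """Leading integer of a value such as '308 sec' or '1131'."""
    return int(value.split()[0])


def check_gm_health(fields, expected_ks, max_failure_ratio=0.05):
    """Return a list of findings for one GM group; empty means nothing to report.

    expected_ks is the set of KS addresses this GM is supposed to register with
    (an operator-supplied assumption); max_failure_ratio is an assumed threshold.
    """
    findings = []
    status = fields.get("Registration status")
    if status != "Registered":
        findings.append("GM is not registered (status: %s)" % status)
    ks = fields.get("Registered with")
    if ks and ks not in expected_ks:
        findings.append("registered with unexpected KS %s" % ks)
    attempted = first_int(fields.get("Attempted registrations", "0"))
    succeeded = first_int(fields.get("Succeeded registrations", "0"))
    failed = attempted - succeeded
    if attempted and failed / attempted > max_failure_ratio:
        findings.append("%d of %d registrations failed" % (failed, attempted))
    # "Any" means the GM accepts whatever algorithm the KS proposes for rekeys.
    for key in ("Allowable rekey cipher", "Allowable rekey hash"):
        if fields.get(key) == "Any":
            findings.append("%s is Any; the GM does not restrict rekey algorithms" % key)
    return findings


if __name__ == "__main__":
    for name, fields in parse_gm_output(SAMPLE_OUTPUT).items():
        print(name, check_gm_health(fields, expected_ks={"90.1.1.1"}) or ["ok"])
```

The checks are deliberately conservative: the sample GM is registered with the expected KS and has 8 failed registrations out of 1139, so the only findings are the two Any values, which are worth knowing about because they mean the GM accepts whatever rekey algorithm the KS proposes.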
Field - Description
Allowable rekey cipher - The rekey encryption algorithm that the GM allows. Any indicates that the GM allows all encryption algorithms.
Allowable rekey hash - The rekey hash algorithm that the GM allows. Any indicates that the GM allows all hash algorithms.
Allowable transform - The rekey transform mode that the GM allows. Any indicates that the GM allows all transform modes.
display gdoi gm pubkey
Use display gdoi gm pubkey to display the public key information received by GMs.
Table 93 Command output
Field - Description
Group Name - GDOI GM group name.
Conn-ID - ID of the rekey SA.
My Cookie - Local cookie of the rekey SA.
His Cookie - Peer cookie of the rekey SA.
display gdoi gm rekey
Use display gdoi gm rekey to display rekey information for GMs.
    Multicast destination address : 239.192.1.190
# Display detailed rekey information of all GMs.
display gdoi gm rekey verbose
Group Name: GDOI-GROUP1 (Multicast)
    Number of rekeys received (cumulative)       : 1904
    Number of rekeys received after registration : 889
    Multicast destination address                : 239.192.1.190
    Rekey (KEK) SA Information:
              Source          Destination   Conn-ID   My Cookie   His Cookie
    New     : 239.192.1.190   90.1.1.1      9646      14406D26    8C58E504
    Current : 239.192.1.190   90.1.1.
Views
System view
Default command level
2: System level
Parameters
group-name: Specifies a name for the GDOI GM group, a case-sensitive string of 1 to 63 characters.
Usage guidelines
A GDOI GM group includes the information that the GM uses to register with a KS, such as the group ID, KS address, and registration interface. The device supports up to 64 GDOI GM groups.
Examples
# Create a GDOI GM group named abc, and enter its view.
Examples
# Configure a GDOI IPsec policy entry and enter its view. The IPsec policy name is map and the entry sequence number is 1.
system-view
[Sysname] ipsec policy map 1 gdoi
# Reference GDOI GM group abc for the GDOI IPsec policy entry.
[Sysname-ipsec-policy-gdoi-map-1] group abc
Related commands
gdoi gm group
identity
Use identity to configure an ID for the GDOI GM group. Use undo identity to delete the GDOI GM group ID.
reset gdoi gm
Use reset gdoi gm to clear the GDOI information that GMs downloaded from a KS, including the IKE SA, rekey SA, IPsec SA, and ACL, and to trigger the GMs to re-register with the KS.
Syntax
reset gdoi gm [ group group-name ]
Views
User view
Default command level
2: System level
Parameters
group group-name: Clears the GDOI information of GMs in a GDOI GM group. The group-name argument specifies the name of a GDOI GM group, a case-sensitive string of 1 to 63 characters.
Usage guidelines
You must specify KSs for GMs in a GDOI GM group. A GDOI GM group can have up to eight KS addresses. A GM first sends a registration request to the KS that was specified first. If the registration does not succeed before the register timer expires, the GM registers with the other KSs one by one, in the order they are configured, until a registration succeeds. If all registration attempts fail, the GM repeats the registration process.
Examples
# Specify two KS addresses, 3.3.3.3 and 3.3.3.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention - Description
Boldface - Bold text represents commands and keywords that you enter literally as shown.
Italic - Italic text represents arguments that you replace with actual values.
[ ] - Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... } - Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
[icon] Represents a generic network device, such as a router, switch, or firewall.
[icon] Represents a routing-capable device, such as a router or Layer 3 switch.
[icon] Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
[icon] Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
[icon] Represents an access point.
Index

A
aaa nas-id profile, 1
access-limit, 38
access-limit enable, 1
access-user detect, 147
accounting command, 2
accounting default, 3
accounting dvpn, 4
accounting lan-access, 5
accounting login, 6
acc
attribute 25 car, 53
authentication default, 9
authentication dvpn, 10
authentication lan-access, 11
authentication login, 12
authentication portal, 13
authentication ppp, 14
authentication super, 15
authentication-algorithm, 318
authentication-method, 318
authorization command, 16

connection-limit policy, 416
connection-name, 266
country, 245
crl check, 245
crl update-period, 246
crl url, 246
cryptoengine enable, 266
cut connection, 23

D
display fips status, 497
display firewall http activex-blocking, 420
display firewall http java-blocking, 421
display firewall http url-filter host, 422
display firewall http url-filter parameter, 424
display firewall ipv6 statistics, 381
display firewall-statistics, 382
display flow-statistics statistics, 460
display flow-statistics statistics inte

display portal interface, 155
display portal server, 156
display portal server statistics, 157
display portal tcp-cheat statistics, 160
display portal user, 161
display port-mapping, 391
display port-security, 180
display port-security mac-address block, 183
display port-security mac-address security, 185
dot1x multicast-trigger, 126
dot1x port-control, 126
dot1x port-method, 127
dot1x quiet-period, 129
dot1x re-authenticate, 129
dot1x retry, 130
dot1x supp-proxy-check, 131
dot1x timer, 132
dot1x timer ead-t

fqdn, 252

G
gdoi gm group, 536
gdoi ks group, 509
gdoi ks redundancy port, 509
gdoi ks rekey, 510
get, 360
group, 537
group, 46
group-attribute allow-guest, 47

H
ipsec invalid-spi-recovery enable, 290
ipsec policy (interface view), 291
ipsec policy (system view), 292
ipsec policy isakmp template, 293
ipsec policy-template, 294
ipsec profile (system view), 295
ipsec profile (tunnel interface view), 295
ipsec sa global-duration, 296
ipsec transform-set, 297
ipv6 nd mac-check enable, 495

K
key (HWTACACS sch

password-control { aging | composition | history | length } enable, 207
password-control aging, 208
password-control alert-before-expire, 209
password-control authentication-timeout, 209
password-control complexity, 210
password-control composition, 211
password-control enable, 212
pass
portal server, 173
portal server server-detect, 175
portal server user-sync, 177
portal server method, 174
port-mapping, 393
port-security authorization ignore, 187
port-security enable, 187
port-security intrusion-mode, 188

radius scheme, 70
radius trap, 71
redundancy enable, 515
redundancy hello, 516
redundancy retransmit, 517
rekey acl, 518
rekey authentication, 519
rekey encryption, 519
rekey lifetime, 520
rekey retransmit, 521
rekey transport unicast, 521
remote-address, 341
remote-name, 342
reverse-route preference, 305
reverse-route tag, 306
rmdir, 365
root-certificate fingerprint, 262
rsh, 222
rule (PKI CERT ACP view), 263

S
sa authentication-hex, 306
sa duration, 344
sa duration, 308
sa encryption-hex, 309
sa spi, 310

signature-detect, 465
signature-detect action drop-packet, 466
signature-detect large-icmp max-length, 467
source address, 524
ssh client authentication server, 373
ssh client first-time enable, 374
ssh client ipv6 source, 374
ssh client source, 375
ssh server authenticat
tcp syn-cookie enable, 472
tcp timer check-state, 473
tcp-proxy enable, 467
tcp-proxy mode, 468
time-out, 345
timer quiet (HWTACACS scheme view), 107
timer quiet (RADIUS scheme view), 84
timer realtime-accounting (HWTACACS scheme view), 107