HP FlexFabric 11900 Switch Series Security Command Reference
Part number: 5998-5279
Software version: Release 2111 and later
Document version: 6W100-20140110
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents (excerpt)
AAA commands 1
General AAA commands 1
aaa session-limit
security-policy-server 54
snmp-agent trap enable radius 55
state primary 56
state secondar
dot1x retry 105
dot1x timer 106
dot1x unicast-trigger 108
public-key local create 164
public-key local destroy 168
public-key local export dsa 169
public-key local expor
encryption-algorithm 227
exchange-mode 229
ike dpd 229
ike ide
mkdir 270
put 271
pwd
arp restricted-forwarding enable 315
display arp detection 315
display arp detection statistics 316
reset arp detection statistic
AAA commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

General AAA commands

aaa session-limit
Use aaa session-limit to set the maximum number of concurrent users who can log on to the device through the specified method.
Examples
# Set the maximum number of concurrent FTP users to 4.
system-view
[Sysname] aaa session-limit ftp 4

accounting command
Use accounting command to specify the command line accounting method. Use undo accounting command to restore the default.
Syntax
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command
Default
The default accounting method of the ISP domain is used for command line accounting.
Syntax
In non-FIPS mode:
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo accounting default
In FIPS mode:
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo accounti
[Sysname] domain test
[Sysname-isp-test] accounting default radius-scheme rd local
Related commands
• hwtacacs scheme
• local-user
• radius scheme

accounting lan-access
Use accounting lan-access to configure the accounting method for LAN users. Use undo accounting lan-access to restore the default.
Examples
# Configure ISP domain test to use local accounting for LAN users.
system-view
[Sysname] domain test
[Sysname-isp-test] accounting lan-access local
# Configure ISP domain test to use RADIUS accounting scheme rd for LAN users and use local accounting as the backup.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
Accounting is not supported for login users who use FTP.
You can specify multiple default accounting methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence.
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authentication default
Default
The default authentication method of an ISP domain is local.
authentication lan-access
Use authentication lan-access to configure the authentication method for LAN users. Use undo authentication lan-access to restore the default.
# Configure ISP domain test to use RADIUS authentication scheme rd for LAN users and use local authentication as the backup.
system-view
[Sysname] domain test
[Sysname-isp-test] authentication lan-access radius-scheme rd local
Related commands
• authentication default
• hwtacacs scheme
• ldap scheme
• local-user
• radius scheme

authentication login
Use authentication login to specify the authentication method for login users. Use undo authentication login to restore the default.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify multiple default authentication methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence.
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one authentication method and one backup authentication method to use in case the previous authentication method is invalid.
In FIPS mode:
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local }
undo authorization command
Default
The default authorization method of the ISP domain is used for command authorization.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization.
• local-user

authorization default
Use authorization default to specify the default authorization method for an ISP domain. Use undo authorization default to restore the default.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. You can specify one authorization method and multiple backup authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence.
none: Does not perform authorization. An authenticated LAN user directly accesses the network.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme.
You can specify multiple authorization methods, one primary and multiple backup methods.
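The primary/backup method lists described under accounting default, authentication default and the authorization commands above all follow the same rule: the device walks the list and moves to the next method only while the current one is invalid. The following Python model is an added example (not HP code) of that walk, together with the FIPS-mode restriction from the syntax (no none method). It assumes, since the page does not define the term, that a method is "invalid" when its scheme cannot return any decision (no server answers), while an explicit reject is final and does not fall through. Scheme names, users and the stand-in servers are constructed.

```python
"""Model of ISP-domain method lists with primary/backup fallback.
Added example, not HP code. Assumption (not stated on the page): a method is
"invalid" when it cannot return a decision (no server of the scheme answers);
an explicit reject is a final decision and does not fall through."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Decision(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNAVAILABLE = "unavailable"   # scheme could not decide: the method is invalid


ALLOWED_KINDS = {"hwtacacs-scheme", "radius-scheme", "local", "none"}


@dataclass
class IspDomain:
    name: str
    fips_mode: bool = False
    # scheme name -> constructed stand-in for the server: (user, password) -> Decision
    schemes: Dict[str, Callable[[str, str], Decision]] = field(default_factory=dict)
    local_users: Dict[str, str] = field(default_factory=dict)   # constructed local-user table

    def validate_methods(self, methods: List[str]) -> None:
        """Reject method lists the command syntax on the page does not allow."""
        if not methods:
            raise ValueError("a primary method is required")
        for m in methods:
            kind, _, scheme = m.partition(" ")
            if kind not in ALLOWED_KINDS:
                raise ValueError(f"unknown method {m!r}")
            if kind == "none" and self.fips_mode:
                raise ValueError("'none' is not available in FIPS mode")
            if kind.endswith("-scheme") and scheme not in self.schemes:
                raise ValueError(f"scheme {scheme!r} does not exist")

    def is_allowed(self, methods: List[str]) -> bool:
        try:
            self.validate_methods(methods)
            return True
        except ValueError:
            return False

    def run_method(self, method: str, user: str, password: str) -> Decision:
        kind, _, scheme = method.partition(" ")
        if kind == "none":
            return Decision.ACCEPT                 # none: nothing is checked
        if kind == "local":
            ok = self.local_users.get(user) == password
            return Decision.ACCEPT if ok else Decision.REJECT
        return self.schemes[scheme](user, password)

    def authenticate(self, methods: List[str], user: str,
                     password: str) -> Tuple[Decision, List[Tuple[str, Decision]]]:
        """Try the primary method, then each backup in sequence while the
        previous one is invalid. Returns the decision and the trail of attempts."""
        self.validate_methods(methods)
        trail: List[Tuple[str, Decision]] = []
        for m in methods:
            d = self.run_method(m, user, password)
            trail.append((m, d))
            if d is not Decision.UNAVAILABLE:
                return d, trail
        return Decision.REJECT, trail              # every method was invalid


# Constructed servers: scheme "rd" never answers, scheme "rd2" answers and rejects.
def _rd_down(user: str, password: str) -> Decision:
    return Decision.UNAVAILABLE


def _rd2_reject(user: str, password: str) -> Decision:
    return Decision.REJECT


def build_domain(fips: bool = False) -> IspDomain:
    return IspDomain("test", fips_mode=fips,
                     schemes={"rd": _rd_down, "rd2": _rd2_reject},
                     local_users={"user1": "secret"})


if __name__ == "__main__":
    d = build_domain()
    print(d.authenticate(["radius-scheme rd", "local"], "user1", "secret"))   # falls back to local
    print(d.authenticate(["radius-scheme rd2", "local"], "user1", "secret"))  # reject, no fallback
```

The trail returned by authenticate is the thing to log: a domain that keeps ending in local because its RADIUS scheme is invalid is running on the backup method, which the page's RADIUS server unreachable notification also flags.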
undo authorization login
Default
The default authorization method of the ISP domain is used for login users.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization.
Related commands
• authorization default
• hwtacacs scheme
• local-user
• radius scheme

authorization-attribute (ISP domain view)
Use authorization-attribute to configure authorization attributes for users in an ISP domain. Use undo authorization-attribute to restore the default of an authorization attribute.
display domain
Use display domain to display the ISP domain configuration.
Syntax
display domain [ isp-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters.
Usage guidelines
If no ISP domain is specified, the command displays the configuration of all ISP domains.
Examples
# Display the configuration of all ISP domains.
Flow : 10240 (bytes)
Default Domain Name: system
Table 1 Command output
Field: Description
Domain: ISP domain name.
State: Status of the ISP domain.
Access-limit: Limit to the number of user connections. If the number is not limited, this field displays Disabled.
Access-Count: Number of online users.
default Authentication Scheme: Default authentication method.
default Authorization Scheme: Default authorization method.
default Accounting Scheme: Default accounting method.
Syntax
domain isp-name
undo domain isp-name
Default
There is a system-defined ISP domain named system.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters.
Usage guidelines
There can be only one default ISP domain. The specified ISP domain must already exist. To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the undo domain default enable command.
block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.
Usage guidelines
By blocking an ISP domain, you disable offline users of the domain from requesting network services. The online users are not affected.
Examples
# Place the ISP domain test in blocked state.
Related commands
display local-user

authorization-attribute (local user view/user group view)
Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user. Use undo authorization-attribute to restore the default.
Usage guidelines
Every configurable authorization attribute has its definite application environments and purposes. Consider the service types of users when assigning authorization attributes:
• For LAN users, only the authorization attributes acl, idle-cut, and vlan are effective.
• For Telnet and terminal users, only the authorization attribute user-role is effective.
• For SSH and FTP users, only the authorization attributes user-role and work-directory are effective.
Use undo bind-attribute to remove binding attributes of a local user.
Syntax
bind-attribute { ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } *
undo bind-attribute { ip | location | mac | vlan } *
Default
No binding attribute is configured for a local user.
Views
Local user view
Predefined user roles
network-admin
mdc-admin
Parameters
ip ip-address: Specifies the IP address to which the user is bound.
display local-user
Use display local-user to display the local user configuration and online user statistics.
Syntax
display local-user [ class { manage | network } | idle-cut { disable | enable } | service-type { ftp | lan-access | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
class: Specifies the local user type.
• manage: Device management user.
Current access number: 1
User Group: system
Bind Attributes:
Authorization Attributes:
Work Directory: flash:
User Role List: network-admin
Password control configurations:
Password aging: Enabled (3 days)
Network access user jj:
State: Active
Service Type: Lan-access
User Group: system
Bind Attributes:
IP Address: 2.2.2.
Field: Description
Password composition: This field appears only when password composition checking is enabled. It also displays the following information in parentheses:
• Minimum number of character types that the password must contain.
• Minimum number of characters from each type in the password.
This field appears only when password complexity checking is enabled.
Idle TimeOut: 2 (min)
Work Directory: flash:/
ACL Number: 2000
VLAN ID: 2
Password control configurations:
Password aging: Enabled (2 days)
Table 3 Command output
Field: Description
Idle TimeOut: Idle timeout period, in minutes.
Work Directory: Directory that FTP, SFTP, or SCP users in the group can access.
ACL Number: Authorization ACL.
VLAN ID: Authorized VLAN.
Password control configurations: Password control attributes that are configured for the user group.
Views
Local user view
Predefined user roles
network-admin
mdc-admin
Parameters
group-name: User group name, a case-insensitive string of 1 to 32 characters.
Examples
# Assign device management user 111 to user group abc.
system-view
[Sysname] local-user 111 class manage
[Sysname-luser-manage-111] group abc
Related commands
display local-user

local-user
Use local-user to add a local user and enter local user view. Use undo local-user to remove local users.
all: Specifies all users.
service-type: Specifies the local users who use a specified type of service.
• ftp: FTP users.
• lan-access: LAN users who typically access the network through an Ethernet, such as 802.1X users.
• ssh: SSH users.
• telnet: Telnet users.
• terminal: Terminal users who log in through console ports.
Usage guidelines
If you do not specify the class { manage | network } option, this command adds a device management user.
Examples
# Add a device management user named user1.
Predefined user roles
network-admin
mdc-admin
Parameters
cipher: Sets a ciphertext password.
hash: Sets a hashed password.
simple: Sets a plaintext password.
password: Specifies the password string. This argument is case sensitive.
• In non-FIPS mode:
  - A cipher password is a string of 1 to 117 characters.
  - A hashed password is a string of 1 to 110 characters.
  - A plaintext password is a string of 1 to 63 characters.
service-type
Use service-type to specify the service types that a local user can use. Use undo service-type to delete service types configured for a local user.
state (local user view)
Use state to set the status of a local user. Use undo state to restore the default.
Syntax
state { active | block }
undo state
Default
A local user is in active state.
Views
Local user view
Predefined user roles
network-admin
mdc-admin
Parameters
active: Places the local user in active state to allow the local user to request network services.
block: Places the local user in blocked state to prevent the local user from requesting network services.
Predefined user roles
network-admin
mdc-admin
Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Configurable user attributes are authorization attributes.
send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default setting is 50.
Usage guidelines
The accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after a device or card reboot. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device.
Usage guidelines
The data flow and packet measurement units for traffic statistics must be the same as configured on the RADIUS accounting servers. Otherwise, accounting results might be incorrect.
Examples
# In RADIUS scheme radius1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.
VPN : Not configured
Second Auth Server:
IP: Not configured Port: 1812 State: Block
VPN : Not configured
Second Acct Server:
IP: Not configured Port: 1813 State: Block
VPN : Not configured
Security Policy Server:
Server: 0 IP: 2.2.2.2 VPN: Not configured
Server: 1 IP: 3.3.3.
Field: Description
retransmission interval(seconds): Interval at which the device retransmits accounting-on packets, in seconds.
Timeout Interval(seconds): RADIUS server response timeout period, in seconds.
Retransmission Times: Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
Retransmission Times for Accounting Update: Maximum number of accounting attempts.
Server Quiet Period(minutes): Quiet period for the servers, in minutes.
                          Auth.  Acct.  SessCtrl.
Account Stop:             -      0      -
Terminate Request:        -      -      0
Set Policy:               -      -      0
Packet With Response:     0      0      0
Packet Without Response:  0      0      -
Access Rejects:           0      -      -
Dropped Packet:           0      0      0
Check Failures:           0      0      0
Table 5 Command output
Field: Description
Auth.: Authentication packets.
Acct.: Accounting packets.
SessCtrl.: Session-control packets.
Request Packet: Number of request packets.
Retry Packet: Number of retransmitted request packets.
Timeout Packet: Number of request packets timed out.
Default
No shared key is configured.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
accounting: Sets the shared key for secure RADIUS accounting communication.
authentication: Sets the shared key for secure RADIUS authentication communication.
cipher: Sets a ciphertext shared key.
simple: Sets a plaintext shared key.
string: Specifies the shared key string. This argument is case sensitive.
Syntax
nas-ip { ipv4-address | ipv6 ipv6-address }
undo nas-ip [ ipv6 ]
Default
The source IP address of an outgoing RADIUS packet is that specified by using the radius nas-ip command in system view. If the radius nas-ip command is not configured, the source IP address is the IP address of the outbound interface.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies an IPv4 address, which must be an address of the device and cannot be 0.0.0.0, 255.255.
• radius nas-ip

primary accounting (RADIUS scheme view)
Use primary accounting to specify the primary RADIUS accounting server. Use undo primary accounting to remove the configuration.
Syntax
primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
undo primary accounting
Default
No primary RADIUS accounting server is specified.
The shared key configured by using this command takes precedence over the shared key configured with the key accounting command. If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.
Parameters
ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.
ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication server.
port-number: Specifies the service port number of the primary RADIUS authentication server, a UDP port number in the range of 1 to 65535. The default setting is 1812.
key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS authentication server.
• secondary authentication (RADIUS scheme view)
• vpn-instance (RADIUS scheme view)

radius nas-ip
Use radius nas-ip to specify a source address for outgoing RADIUS packets. Use undo radius nas-ip to delete a source address for outgoing RADIUS packets.
• The setting configured by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme.
• The setting configured by the radius nas-ip command in system view is for all RADIUS schemes.
• The setting in RADIUS scheme view takes precedence over the setting in system view.
Examples
# Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1.
system-view
[Sysname] radius nas-ip 129.10.10.
Default
No RADIUS scheme is defined.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A RADIUS scheme can be referenced by more than one ISP domain at the same time. The device supports at most 16 RADIUS schemes.
Examples
# Create a RADIUS scheme named radius1 and enter its view.
retry
Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. Use undo retry to restore the default.
Syntax
retry retry-times
undo retry
Default
The maximum number of RADIUS packet transmission attempts is 3.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
retry-times: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.
Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting
Default
The maximum number of accounting attempts is 5.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
retry-times: Specifies the maximum number of accounting attempts, in the range of 1 to 255.
Usage guidelines
Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer.
Syntax
secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
undo secondary accounting [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]
Default
No secondary RADIUS accounting server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme. If you use the secondary accounting command to modify or delete a secondary accounting server to which the device is sending a start-accounting request, communication with the secondary server times out.
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS authentication server.
port-number: Sets the service port number of the secondary RADIUS authentication server, a UDP port number in the range of 1 to 65535. The default setting is 1812.
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812
# Specify two secondary authentication servers for RADIUS scheme radius2, with the server IP addresses of 10.110.1.1 and 10.110.1.2, and the UDP port number of 1812.
system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812
[Sysname-radius-radius2] secondary authentication 10.110.1.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] security-policy-server 10.110.1.2
Related commands
display radius scheme

snmp-agent trap enable radius
Use snmp-agent trap enable radius to enable SNMP notifications for RADIUS. Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS.
• RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it cannot receive any response to an accounting or authentication request within the specified RADIUS request transmission attempts.
• RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.
Examples
# Set the status of the primary authentication server in RADIUS scheme radius1 to blocked.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state primary authentication block
Related commands
• display radius scheme
• state secondary

state secondary
Use state secondary to set the status of a secondary RADIUS server.
• Starts a quiet timer for the server.
• Tries to communicate with another secondary server in active state.
When the quiet timer of a server times out, the status of the server automatically changes to active. If you set the status of the server to blocked before the quiet timer times out, the status of the server cannot change back to active unless you manually set the status to active.
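The server status handling described here, together with the retry, timer response-timeout and timer quiet settings and the unreachable/reachable notifications, forms a small state machine. The Python simulation below is an added example (not HP code) that runs it against a simulated clock: an active server that gives no response within retry attempts of response-timeout seconds each is set to blocked, a quiet timer is started, the next active server is tried, and the timer returns the server to active unless the administrator blocked it by hand in the meantime (state primary/secondary ... block). The server addresses, the reachability table and the 10-minute quiet period (the page's timer quiet example, not a stated default) are constructed.

```python
"""Simulation of RADIUS server status handling within one scheme.
Added example, not HP code. Constructed values: server addresses, the
reachability table, and the 10-minute quiet period."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional, Tuple


class State(Enum):
    ACTIVE = "active"
    BLOCK = "block"


@dataclass
class RadiusServer:
    ip: str
    state: State = State.ACTIVE
    quiet_until: Optional[int] = None   # simulated-clock second when the quiet timer expires
    manually_blocked: bool = False      # set by the state ... block command, not by a timeout


@dataclass
class RadiusScheme:
    name: str
    servers: List[RadiusServer]         # primary first, then secondaries in order
    retry: int = 3                      # retry: max transmission attempts (page default 3)
    response_timeout: int = 3           # timer response-timeout, seconds (page default 3)
    quiet_minutes: int = 10             # timer quiet, minutes (constructed value)
    notifications: List[str] = field(default_factory=list)

    def server(self, ip: str) -> RadiusServer:
        return next(s for s in self.servers if s.ip == ip)

    def expire_quiet_timers(self, now: int) -> None:
        """A blocked server returns to active when its quiet timer expires,
        unless it was manually blocked; that is the reachable notification."""
        for s in self.servers:
            if (s.state is State.BLOCK and not s.manually_blocked
                    and s.quiet_until is not None and now >= s.quiet_until):
                s.state, s.quiet_until = State.ACTIVE, None
                self.notifications.append(f"server reachable: {s.ip}")

    def set_state(self, ip: str, state: State) -> None:
        """Equivalent of state primary/secondary ... { active | block }."""
        s = self.server(ip)
        s.state, s.manually_blocked, s.quiet_until = state, state is State.BLOCK, None

    def send_request(self, now: int,
                     responds: Callable[[str], bool]) -> Tuple[Optional[str], int]:
        """Send one request; return (ip of the server that answered or None,
        seconds spent waiting on servers that never answered)."""
        self.expire_quiet_timers(now)
        spent = 0
        for s in self.servers:
            if s.state is State.BLOCK:
                continue                                  # skipped until its quiet timer expires
            if responds(s.ip):
                return s.ip, spent
            spent += self.retry * self.response_timeout   # every attempt timed out
            s.state, s.manually_blocked = State.BLOCK, False
            s.quiet_until = now + spent + self.quiet_minutes * 60
            self.notifications.append(f"server unreachable: {s.ip}")
        return None, spent


def build_scheme() -> RadiusScheme:
    # constructed: primary 10.110.1.1, secondary 10.110.1.2
    return RadiusScheme("radius1", [RadiusServer("10.110.1.1"), RadiusServer("10.110.1.2")])


UP = {"10.110.1.1": False, "10.110.1.2": True}   # constructed reachability table


if __name__ == "__main__":
    sch = build_scheme()
    print(sch.send_request(0, UP.__getitem__))    # ('10.110.1.2', 9): primary timed out 3 x 3 s
    sch.expire_quiet_timers(9 + 10 * 60)
    print(sch.server("10.110.1.1").state, sch.notifications)
```

The spent value is what the user experiences as login delay while the device works through dead servers, which is why retry times response-timeout per server matters as much as the quiet period.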
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer quiet 10
Related commands
display radius scheme

timer realtime-accounting (RADIUS scheme view)
Use timer realtime-accounting to set the real-time accounting interval. Use undo timer realtime-accounting to restore the default.
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
Default
The real-time accounting interval is 12 minutes.
Related commands
retry realtime-accounting

timer response-timeout (RADIUS scheme view)
Use timer response-timeout to set the RADIUS server response timeout timer. Use undo timer response-timeout to restore the default.
Syntax
timer response-timeout seconds
undo timer response-timeout
Default
The RADIUS server response timeout period is 3 seconds.
undo user-name-format
Default
The ISP domain name is included in the username.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
keep-original: Sends the username to the RADIUS server as it is entered.
with-domain: Includes the ISP domain name in the username sent to the RADIUS server.
without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
vpn-instance-name: Name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters.
Usage guidelines
The VPN specified here applies to all servers in the RADIUS scheme for which no VPN is specified.
Examples
# Specify VPN test for RADIUS scheme radius1.
Usage guidelines
The data flow and packet measurement units for traffic statistics must be the same as configured on the HWTACACS accounting servers. Otherwise, accounting results might be incorrect.
Examples
# In HWTACACS scheme hwt1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.
IP : 2.2.2.2 Port: 49 State: Active VPN Instance: 2 Single-connection: Enabled
Primary Author Server:
IP : 2.2.2.2 Port: 49 State: Active VPN Instance: 2 Single-connection: Disabled
Primary Acct Server:
IP : Not Configured Port: 49 State: Block VPN Instance: Not configured Single-connection: Disabled
VPN Instance : 2
NAS IP Address : 2.2.2.
Field: Description
Realtime Accounting Interval(minutes): Real-time accounting interval, in minutes.
Response Timeout Interval(seconds): HWTACACS server response timeout period, in seconds.
Username Format: Format for the usernames sent to the HWTACACS server. Possible values include:
• with-domain—Includes the domain name.
• without-domain—Excludes the domain name.
• keep-original—Forwards the username as it is entered.
• Zero or one public-network source IPv4 address.
• Zero or one public-network source IPv6 address.
• Private-network source IP addresses.
A newly specified public-network source IP address overwrites the previous one. Each VPN can have at most one private-network source IPv4 address and one private-network source IPv6 address.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1]
Related commands
display hwtacacs scheme

key (HWTACACS scheme view)
Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication. Use undo key to remove the configuration.
Syntax
key { accounting | authentication | authorization } { cipher | simple } string
undo key { accounting | authentication | authorization }
Default
No shared key is configured.
Examples
# Set the shared key for secure HWTACACS authentication communication to 123456TESTauth&! in plain text for HWTACACS scheme hwt1.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!
# Set the shared key for secure HWTACACS authorization communication to 123456TESTautr&! in plain text.
the packet is the IP address of a managed NAS. If it is, the server processes the packet. If it is not, the server drops the packet.
When you use both the nas-ip and hwtacacs nas-ip commands, the following guidelines apply:
• The setting configured by using the nas-ip command in HWTACACS scheme view is effective only for the HWTACACS scheme.
• The setting configured by using the hwtacacs nas-ip command in system view is effective for all HWTACACS schemes.
  - In non-FIPS mode, the key is a string of 1 to 373 characters.
  - In FIPS mode, the key is a string of 15 to 373 characters.
• simple string: Sets a plaintext shared key. The string argument is case sensitive.
  - In non-FIPS mode, the key is a string of 1 to 255 characters.
  - In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
Syntax
primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo primary authentication
Default
No primary HWTACACS authentication server is specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.
You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.
For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
Examples
# Specify the primary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&! for HWTACACS scheme hwt1.
  • In non-FIPS mode, the key is a string of 1 to 373 characters.
  • In FIPS mode, the key is a string of 15 to 373 characters.
• simple string: Sets a plaintext shared key. The string argument is case sensitive.
  • In non-FIPS mode, the key is a string of 1 to 255 characters.
  • In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
Syntax
reset hwtacacs statistics { accounting | all | authentication | authorization }
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
accounting: Clears the HWTACACS accounting statistics.
all: Clears all HWTACACS statistics.
authentication: Clears the HWTACACS authentication statistics.
authorization: Clears the HWTACACS authorization statistics.
Examples
# Clear all HWTACACS statistics.
port-number: Specifies the service port number of the secondary HWTACACS accounting server, a TCP port number in the range of 1 to 65535. The default setting is 49.
key { cipher | simple } string: Specifies the shared key for secure communication with the secondary HWTACACS accounting server.
• cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
  • In non-FIPS mode, the key is a string of 1 to 373 characters.
  • In FIPS mode, the key is a string of 15 to 373 characters.
Related commands
• display hwtacacs scheme
• key (HWTACACS scheme view)
• primary accounting (HWTACACS scheme view)
• vpn-instance (HWTACACS scheme view)
secondary authentication (HWTACACS scheme view)
Use secondary authentication to specify a secondary HWTACACS authentication server.
Use undo secondary authentication to remove a secondary HWTACACS authentication server.
method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS authentication server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
undo secondary authorization [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]
Default
No secondary HWTACACS authorization server is specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authorization server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authorization server.
Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
You can remove an authorization server only when it is not used for user authorization.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer quiet 10
Related commands
display hwtacacs scheme
timer realtime-accounting (HWTACACS scheme view)
Use timer realtime-accounting to set the real-time accounting interval.
Use undo timer realtime-accounting to restore the default.
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
Default
The real-time accounting interval is 12 minutes.
Related commands
display hwtacacs scheme
timer response-timeout (HWTACACS scheme view)
Use timer response-timeout to set the HWTACACS server response timeout timer.
Use undo timer response-timeout to restore the default.
Syntax
timer response-timeout seconds
undo timer response-timeout
Default
The HWTACACS server response timeout time is 5 seconds.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
keep-original: Sends the username to the HWTACACS server as it is entered.
with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.
without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.
Usage guidelines
A username is generally in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs.
mdc-admin
Parameters
vpn-instance-name: Name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters.
Usage guidelines
The VPN specified here takes effect for all servers in the HWTACACS scheme for which no VPN is specified.
Examples
# Specify VPN test for HWTACACS scheme hwt1.
[Sysname] ldap scheme ldap1
[Sysname-ldap-ldap1] authentication-server ccc
Related commands
• display ldap scheme
• ldap server
display ldap scheme
Use display ldap scheme to display the LDAP scheme configuration.
Syntax
display ldap scheme [ scheme-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
scheme-name: LDAP scheme name, a case-insensitive string of 1 to 32 characters.
------------------------------------------------------------------
Table 9 Command output
Field                   Description
Authentication Server   Name of the LDAP authentication server. If no server is configured, this field displays Not configured.
IP                      IP address of the LDAP authentication server. If no authentication server is specified, this field displays Not configured.
Port                    Port number of the authentication server. If no port number is specified, this field displays the default port number.
Parameters
ip-address: Specifies the IP address of the LDAP server.
port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the LDAP server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the LDAP server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
The LDAP service port configured on the device must be consistent with the service port of the LDAP server.
Related commands
display ldap scheme
ldap server
Use ldap server to create an LDAP server and enter its view.
Use undo ldap server to delete an LDAP server.
Syntax
ldap server server-name
undo ldap server server-name
Default
No LDAP server exists.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
server-name: LDAP server name, a case-insensitive string of 1 to 64 characters.
Examples
# Create an LDAP server ccc and enter its view.
Predefined user roles
network-admin
mdc-admin
Parameters
dn-string: Administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters.
Usage guidelines
The administrator DN specified on the device must be consistent with the administrator DN configured on the LDAP server.
If you change the administrator DN, the change is effective only for LDAP authentication that occurs after your change.
Examples
# Specify the administrator DN as uid=test, ou=people, o=example, c=city.
Usage guidelines
This command is effective only after the login-dn command is configured.
For security purposes, all passwords, including passwords configured in plain text, are saved in ciphertext.
Examples
# Configure the administrator password to abcdefg in plain text.
system-view
[Sysname] ldap server ccc
[Sysname-ldap-server-ccc] login-password simple abcdefg
Related commands
• display ldap scheme
• login-dn
protocol-version
Use protocol-version to specify the LDAP version.
[Sysname] ldap server ccc
[Sysname-ldap-server-ccc] protocol-version v2
Related commands
display ldap scheme
search-base-dn
Use search-base-dn to specify the base DN for user search.
Use undo search-base-dn to restore the default.
Syntax
search-base-dn base-dn
undo search-base-dn
Default
No base DN is specified for user search.
Views
LDAP server view
Predefined user roles
network-admin
mdc-admin
Parameters
all-level: Specifies that the search goes through all sub-directories of the base DN.
single-level: Specifies that the search goes through only the next lower level of sub-directories under the base DN.
Examples
# Specify the search scope for the LDAP authentication as all sub-directories of the base DN.
Examples
# Set the LDAP server timeout period to 15 seconds.
system-view
[Sysname] ldap server ccc
[Sysname-ldap-server-ccc] server-timeout 15
Related commands
display ldap scheme
user-parameters
Use user-parameters to configure LDAP user attributes, including the username attribute, username format, and user-defined user object class.
Use undo user-parameters to restore the default.
[Sysname] ldap server ccc
[Sysname-ldap-server-ccc] user-parameters user-object-class person
Related commands
• display ldap scheme
• login-dn
802.1X commands
display dot1x
Use display dot1x to display information about 802.1X.
Syntax
display dot1x [ sessions | statistics ] [ interface interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
sessions: Displays 802.1X session information.
statistics: Displays 802.1X statistics.
interface interface-type interface-number: Specifies an interface by its type and number.
 The port is an authenticator
 Authentication mode is Auto
 Port access control type is MAC-based
 802.1X multicast-trigger is enabled
 Mandatory authentication domain: Not configured
 Max online users is 1024
 EAPOL Packets: Tx 1087, Rx 986
 Sent EAP Request/Identity Packets : 943
      EAP Request/Challenge Packets: 60
      EAP Success Packets: 29, Fail Packets: 55
 Received EAPOL Start Packets : 60
      EAPOL LogOff Packets: 24
      EAP Response/Identity Packets : 724
      EAP Response/Challenge Packets: 54
      Error Packets: 0
 1.
Field                                   Description
802.1X unicast-trigger is enabled       Specifies whether unicast trigger is enabled on the port.
Periodic reauthentication is disabled   Specifies whether periodic online user re-authentication is enabled on the port.
The port is an authenticator            Role of the port.
Authenticate mode is Auto               Authorization state of the port, which can be Force-Authorized, Auto, or Force-Unauthorized.
Predefined user roles
network-admin
mdc-admin
Usage guidelines
802.1X must be enabled both globally and on the intended port. Otherwise, it does not function.
Examples
# Enable 802.1X globally.
system-view
[Sysname] dot1x
# Enable 802.1X on Ten-GigabitEthernet 1/0/1.
• In EAP termination mode—The access device re-encapsulates and sends the authentication data from the client in standard RADIUS packets to the RADIUS server. It performs either CHAP or PAP authentication with the RADIUS server. In this mode the RADIUS server supports only MD5-Challenge EAP authentication, and "username+password" EAP authentication initiated by an iNode client.
  • PAP transports usernames and passwords in plain text.
Usage guidelines
The online user handshake function enables the device to periodically (set with the dot1x timer handshake-period command) send handshake messages to the client to verify the connectivity status of online 802.1X users. If no response is received from an online user after the maximum number of handshake attempts (set by the dot1x retry command) has been made, the network access device sets the user in the offline state.
Examples
# Configure the mandatory authentication domain my-domain for 802.1X users on Ten-GigabitEthernet 1/0/1.
system-view
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] dot1x mandatory-domain my-domain
Related commands
display dot1x
dot1x max-user
Use dot1x max-user to set the maximum number of concurrent 802.1X users on a port.
Use undo dot1x max-user to restore the default.
Use undo dot1x multicast-trigger to disable the function.
Syntax
dot1x multicast-trigger
undo dot1x multicast-trigger
Default
The multicast trigger function is enabled.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The multicast trigger function enables the device to act as the initiator and periodically multicast Identify EAP-Request packets out of a port to detect 802.1X clients and trigger authentication.
Parameters
authorized-force: Places the port in the authorized state, enabling users on the port to access the network without authentication.
auto: Places the port initially in the unauthorized state to allow only EAPOL packets to pass, and after a user passes authentication, sets the port in the authorized state to allow access to the network. You can use this option in most scenarios.
unauthorized-force: Places the port in the unauthorized state, denying any access requests from users on the port.
Examples
# Configure Ten-GigabitEthernet 1/0/1 to implement port-based access control.
system-view
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] dot1x port-method portbased
Related commands
display dot1x
dot1x quiet-period
Use dot1x quiet-period to enable the quiet timer.
Use undo dot1x quiet-period to disable the timer.
Syntax
dot1x quiet-period
undo dot1x quiet-period
Default
The quiet timer is disabled.
Syntax
dot1x re-authenticate
undo dot1x re-authenticate
Default
The periodic online user re-authentication function is disabled.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Periodic re-authentication enables the access device to periodically authenticate online 802.1X users on a port. This function tracks the connection status of online users and updates the authorization attributes assigned by the server.
mdc-admin
Parameters
max-retry-value: Specifies the maximum number of attempts for sending an authentication request to a client. The value range is 1 to 10.
mdc-admin
Parameters
handshake-period handshake-period-value: Sets the handshake timer in seconds. The value range for the handshake-period-value argument is 5 to 1024.
quiet-period quiet-period-value: Sets the quiet timer in seconds. The value range for the quiet-period-value argument is 10 to 120.
reauth-period reauth-period-value: Sets the periodic re-authentication timer in seconds. The value range for the reauth-period-value argument is 60 to 7200.
Examples
# Set the server timeout timer to 150 seconds.
system-view
[Sysname] dot1x timer server-timeout 150
Related commands
display dot1x
dot1x unicast-trigger
Use dot1x unicast-trigger to enable the 802.1X unicast trigger function.
Use undo dot1x unicast-trigger to disable the function.
Syntax
dot1x unicast-trigger
undo dot1x unicast-trigger
Default
The unicast trigger function is disabled.
Syntax
reset dot1x statistics [ interface interface-type interface-number ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
Usage guidelines
If a port is specified, the command clears 802.1X statistics for the port. If no port is specified, the command clears all 802.1X statistics.
Examples
# Clear 802.1X statistics on Ten-GigabitEthernet 1/0/1.
MAC authentication commands
display mac-authentication
Use display mac-authentication to display MAC authentication settings and statistics, including the global settings, port-specific settings, MAC authentication statistics, and online user statistics.
 Current number of online users is 1
 Current authentication domain: Not configured
 MAC auth-delay period is 10s
 Authentication attempts: successful 1, failed 0
 MAC Addr          Auth state
 00e0-fc12-3456    authenticated
Table 11 Command output
Field                           Description
MAC authentication is enabled   Whether MAC authentication is enabled globally.
User account type: MAC-based or shared.
Field                                 Description
Current number of online users is 1   Number of online users on the port.
Current authentication domain         MAC authentication domain specified for the port.
MAC auth-delay                        Status of MAC authentication delay:
                                      • If MAC authentication delay is disabled, this field displays MAC auth-delay is disabled.
                                      • If MAC authentication delay is enabled, this field displays the MAC authentication delay period in seconds.
Related commands
display mac-authentication
mac-authentication domain
Use mac-authentication domain to specify a global or port-specific authentication domain.
Use undo mac-authentication domain to restore the default.
Syntax
mac-authentication domain domain-name
undo mac-authentication domain
Default
No authentication domain is specified for MAC authentication users. The system default authentication domain is used.
mac-authentication max-user
Use mac-authentication max-user to set the maximum number of concurrent MAC authentication users on a port.
Use undo mac-authentication max-user to restore the default.
Syntax
mac-authentication max-user user-number
undo mac-authentication max-user
Default
The maximum number of concurrent MAC authentication users on a port is 1024.
Predefined user roles
network-admin
mdc-admin
Parameters
offline-detect offline-detect-value: Sets the offline detect timer in the range of 60 to 65535, in seconds.
quiet quiet-value: Sets the quiet timer in the range of 1 to 3600, in seconds.
server-timeout server-timeout-value: Sets the server timeout timer in the range of 100 to 300, in seconds.
Parameters
time: Specifies the delay time for MAC authentication in seconds. The value range is 1 to 180.
Usage guidelines
When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC authentication so that 802.1X authentication is preferentially triggered. If no 802.1X authentication is triggered or if 802.1X authentication fails within the delay period, the port continues to process MAC authentication.
password: Specifies the password for the shared user account:
  • cipher: Sets a ciphertext password.
  • simple: Sets a plaintext password.
  • password: Specifies the password. This argument is case sensitive. If simple is specified, it must be a string of 1 to 117 characters. If cipher is specified, it must be a ciphertext string of 1 to 88 characters.
mac-address: Uses MAC-based user accounts for MAC authentication users.
Predefined user roles
network-admin
mdc-admin
Parameters
interface interface-type interface-number: Specifies a port by its type and number.
Usage guidelines
If no port is specified, the command clears all global and port-specific MAC authentication statistics.
Examples
# Clear MAC authentication statistics on port Ten-GigabitEthernet 1/0/1.
Port security commands
display port-security
Use display port-security to display port security configuration, operation information, and statistics for one or more ports.
Syntax
display port-security [ interface interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies a port by its type and number.
 Intrusion protection mode: NoAction
 Max number of secure MAC addresses: Not configured
 Current number of secure MAC addresses: 0
 Authorization is permitted
Table 12 Command output
Field                 Description
AutoLearn aging time  Sticky MAC address aging timer, in minutes.
Disableport Timeout   Silence period (in seconds) of the port that receives illegal packets.
MAC-move              Status of MAC move:
                      • If the function is enabled, this field displays MAC-move is permitted.
Field                                    Description
Current number of secure MAC addresses   Number of secure MAC addresses stored.
Authorization                            Whether the authorization information from the authentication server (RADIUS server or local device) is ignored or not:
                                         • permitted—Authorization information from the authentication server takes effect.
                                         • ignored—Authorization information from the authentication server does not take effect.
# In IRF mode, display information about all blocked MAC addresses.
display port-security mac-address block
MAC ADDR          Port                        VLAN ID
--- On slot 0 in chassis 1, no MAC address found ---
MAC ADDR          Port                        VLAN ID
000f-3d80-0d2d    Ten-GigabitEthernet1/0/1    30
--- On slot 1 in chassis 1, 1 MAC address(es) found ---
--- 1 mac address(es) found ---
# In standalone mode, display the count of all blocked MAC addresses.
--- 1 mac address(es) found ---
# In standalone mode, display information about all blocked MAC addresses of port Ten-GigabitEthernet 1/0/1.
display port-security mac-address block interface ten-gigabitethernet 1/0/1
MAC ADDR          Port                        VLAN ID
000f-3d80-0d2d    Ten-GigabitEthernet1/0/1    30
--- On slot 1, 1 MAC address(es) found ---
--- 1 mac address(es) found ---
# In IRF mode, display information about all blocked MAC addresses of port Ten-GigabitEthernet 1/0/1.
Field                          Description
number mac address(es) found   Number of blocked MAC addresses.
Related commands
port-security intrusion-mode
display port-security mac-address security
Use display port-security mac-address security to display information about secure MAC addresses.
# Display information about secure MAC addresses in VLAN 1.
display port-security mac-address security vlan 1
MAC ADDR          VLAN ID   STATE      PORT INDEX                  AGING TIME
0002-0002-0002    1         Security   Ten-GigabitEthernet1/0/1    NOAGED
000d-88f8-0577    1         Security   Ten-GigabitEthernet1/0/1    28
--- 2 mac address(es) found ---
# Display information about secure MAC addresses on port Ten-GigabitEthernet 1/0/1.
Syntax
port-security authorization ignore
undo port-security authorization ignore
Default
A port uses the authorization information from the server.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
After a user passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user's account. For example, it can assign a VLAN.
Usage guidelines
You must disable global 802.1X and MAC authentication before you enable port security on a port.
Enabling or disabling port security resets the following security settings to the default:
• 802.1X access control mode is MAC-based, and the port authorization state is auto.
• Port security mode is noRestrictions.
When online users are present on a port, disabling port security also logs off the online users.
Examples
# Enable port security.
disableport-temporarily: Disables the port for a specific period of time whenever it receives an illegal frame. Use port-security timer disableport to set the period.
Usage guidelines
To restore the connection of the port disabled by the intrusion protection feature, use the undo shutdown command.
Examples
# Configure port Ten-GigabitEthernet 1/0/1 to block the source MAC addresses of illegal frames after intrusion protection detects the illegal frames.
vlan vlan-id: Specifies the VLAN that has the secure MAC address. The vlan-id argument represents the ID of the VLAN in the range of 1 to 4094. Make sure that you have assigned the Layer 2 port to the specified VLAN.
Usage guidelines
Secure MAC addresses are MAC addresses configured or learned in autoLearn mode, and if saved, can survive a device reboot. You can bind a MAC address to only one port in a VLAN.
port-security mac-move permit
Use port-security mac-move permit to enable MAC move on a device.
Use undo port-security mac-move permit to restore the default.
Syntax
port-security mac-move permit
undo port-security mac-move permit
Default
MAC move is denied on the device.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This command takes effect on both 802.1X and MAC authentication users. MAC move allows 802.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
mdc-admin
Parameters
count-value: Specifies the maximum number of secure MAC addresses that port security allows on the port. The value range is 1 to 1024. Make sure this value is no less than the number of MAC addresses currently saved on the port.
Usage guidelines
In autoLearn mode, this command sets the maximum number of secure MAC addresses (both configured and automatically learned) on the port.
mdc-admin
Parameters
ntk-withbroadcasts: Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses.
ntk-withmulticasts: Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses.
ntkonly: Forwards only unicast frames with authenticated destination MAC addresses.
An OUI is a 24-bit number that uniquely identifies a vendor, manufacturer, or organization. In MAC addresses, the first three octets are the OUI.
Use this command when you configure a device to allow packets from certain devices to pass authentication. For example, when a company allows only IP phones of vendor A in the Intranet, use this command to specify the OUI of vendor A.
The OUI values configured by this command apply only to the ports operating in userLoginWithOUI.
Parameters
Keyword   Security mode   Description
A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC address but to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
Keyword                       Security mode                    Description
userlogin-secure-or-mac       macAddressOrUserLoginSecure      This mode is the combination of the userLoginSecure and macAddressWithRadius modes. It allows one 802.1X authentication user and multiple MAC authentication users to log in. The port performs MAC authentication upon receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames.
userlogin-secure-or-mac-ext   macAddressOrUserLoginSecureExt
userlogin-withoui
port-security timer autolearn aging
Use port-security timer autolearn aging to set the secure MAC aging timer.
Use undo port-security timer autolearn aging to restore the default.
Syntax
port-security timer autolearn aging time-value
undo port-security timer autolearn aging
Default
Secure MAC addresses do not age out.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
time-value: Sets the aging timer in minutes for secure MAC addresses. The value is in the range of 0 to 129600.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
time-value: Specifies the silence period in seconds during which the port remains disabled. The value is in the range of 20 to 300.
Usage guidelines
If you configure the intrusion protection action as disabling the port temporarily whenever it receives an illegal frame (by using the port-security intrusion-mode disableport-temporarily command), use this command to set the silence period.
Password control commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
display password-control
Use display password-control to display password control configuration.
 Super password control configurations:
 Password aging:        Enabled (90 days)
 Password length:       Enabled (10 characters)
 Password composition:  Enabled (1 types, 1 characters per type)
Table 15 Command output
Field              Description
Password control   Whether the password control feature is enabled.
Password aging     Whether password expiration is enabled and, if enabled, the expiration time.
Password length    Whether the minimum password length restriction function is enabled and, if enabled, the setting.
network-operator
mdc-admin
mdc-operator
Parameters
user-name name: Specifies a user by its name, a case-sensitive string of 1 to 55 characters.
ip ipv4-address: Specifies the IPv4 address of a user.
ipv6 ipv6-address: Specifies the IPv6 address of a user.
Usage guidelines
With no arguments provided, this command displays information about all users in the password control blacklist.
Syntax
password-control { aging | composition | history | length } enable
undo password-control { aging | composition | history | length } enable
Default
The password control functions (aging, composition, history, and length) are all enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
aging: Enables the password expiration function.
composition: Enables the password composition restriction function.
history: Enables the password history function.
• password-control enable
password-control aging
Use password-control aging to set the password expiration time.
Use undo password-control aging to restore the default.
Syntax
password-control aging aging-time
undo password-control aging
Default
A password expires after 90 days. The password expiration time for a user group equals the global setting, and the password expiration time for a local user equals that of the user group to which the local user belongs.
[Sysname] local-user abc class manage
[Sysname-luser-manage-abc] password-control aging 100
Related commands
• display local-user
• display password-control
• display user-group
• password-control aging enable
password-control alert-before-expire
Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration.
Use undo password-control alert-before-expire to restore the default.
Use undo password-control complexity to remove a password complexity checking item.
Syntax
password-control complexity { same-character | user-name } check
undo password-control complexity { same-character | user-name } check
Default
The global password complexity checking policy is that both username checking and repeated character checking are disabled.
password-control composition
Use password-control composition to configure the password composition policy.
Use undo password-control composition to restore the default.
Syntax
password-control composition type-number type-number [ type-length type-length ]
undo password-control composition
Default
In non-FIPS mode, the password using the global composition policy must contain at least one character type and at least one character for each type.
Character name        Symbol
Left bracket          [
Left parenthesis      (
Minus sign            -
Percent sign          %
Plus sign             +
Pound sign            #
Quotation marks       "
Right angle bracket   >
Right brace           }
Right bracket         ]
Right parenthesis     )
Semi-colon            ;
Slash                 /
Tilde                 ~
Underscore            _
Vertical bar          |
type-length type-length: Specifies the minimum number of characters for each type in the password. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode.
• display user-group
• password-control composition enable
password-control enable
Use password-control enable to enable the password control feature globally.
Use undo password-control enable to disable the password control feature globally.
Syntax
password-control enable
undo password-control enable
Default
In non-FIPS mode, the password control feature is disabled globally.
In FIPS mode, the password control feature is enabled globally and cannot be disabled.
undo password-control expired-user-login
Default
A user can log in three times within 30 days after the password expires.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
delay delay: Sets the maximum number of days during which a user can log in using an expired password. The value range for the delay argument is 1 to 90.
times times: Sets the maximum number of times a user can log in after the password expires.
Parameters
max-record-num: Specifies the maximum number of history password records for each user. The value range is 2 to 15.
Usage guidelines
When the number of history password records reaches the set maximum number, the subsequent history record overwrites the earliest one.
The system stops recording passwords after you execute the undo password-control history enable command, but it does not delete the prior records.
Parameters
length: Specifies the minimum password length in characters. The value range for this argument is 4 to 32 in non-FIPS mode, and 15 to 32 in FIPS mode.
Usage guidelines
Before you execute this command, make sure the global password control feature and the minimum length function are enabled. Otherwise, your configuration cannot take effect.
The minimum length setting depends on the view:
• The setting in system view has global significance and applies to all user groups.
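The composition (type-number, type-length), complexity (same-character, user-name), minimum length and history rules described above are easiest to reason about as one checker. The following is an added example written for this page, not device code: it applies those rules to a candidate password and keeps a ring of hashed history records that overwrites the earliest entry at max-record-num, as the usage guidelines describe. The concrete meaning of the two complexity checks (a character repeated three or more times consecutively; the username or its reverse appearing in the password) is an assumption about the device's behaviour, as are the default values.

```python
import hashlib
import re

# Added example (not device code): a checker applying the rules of the
# password-control composition, complexity, length and history commands.
# The same-character and user-name rules as implemented here are assumptions.

CHAR_TYPES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "digit": str.isdigit,
    "special": lambda c: not c.isalnum() and not c.isspace(),
}


def count_types(password, type_length):
    """Number of character types that occur at least type_length times (type-length)."""
    return sum(
        1 for test in CHAR_TYPES.values()
        if sum(1 for c in password if test(c)) >= type_length
    )


def has_repeated_run(password, run=3):
    """Assumed same-character check: a character repeated `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def contains_username(password, username):
    """Assumed user-name check: the username or its reverse appears, ignoring case."""
    p, u = password.lower(), username.lower()
    return bool(u) and (u in p or u[::-1] in p)


class PasswordHistory:
    """Ring of hashed previous passwords; at max_records the newest overwrites the earliest."""

    def __init__(self, max_records=4):
        if not 2 <= max_records <= 15:          # range of max-record-num on the page
            raise ValueError("max-record-num must be in the range 2 to 15")
        self.max_records = max_records
        self.records = []

    @staticmethod
    def _digest(password):
        return hashlib.sha256(password.encode("utf-8")).hexdigest()

    def add(self, password):
        if len(self.records) >= self.max_records:
            self.records.pop(0)                  # overwrite the earliest record
        self.records.append(self._digest(password))

    def __contains__(self, password):
        return self._digest(password) in self.records


def check_password(password, username, history, *, min_length=10, type_number=1,
                   type_length=1, same_character=False, user_name=False):
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"length {len(password)} is below the minimum {min_length}")
    if count_types(password, type_length) < type_number:
        problems.append(f"fewer than {type_number} character types with at least "
                        f"{type_length} characters each")
    if same_character and has_repeated_run(password):
        problems.append("a character is repeated three or more times consecutively")
    if user_name and contains_username(password, username):
        problems.append("contains the username or its reverse")
    if password in history:
        problems.append("matches a history password record")
    return problems
```

Only digests are kept in the history ring, which is what lets the stored records survive a later undo of history recording without retaining plaintext.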
Default
You cannot use a user account to log in to the device if the account has been idle for 90 days.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
idle-time: Specifies the maximum account idle time in days in the range of 0 to 365. 0 means no restriction for account idle time.
Usage guidelines
If a user has not logged in within the specified idle time since the last successful login, the user account becomes invalid.
mdc-admin
Parameters
login-times: Specifies the maximum number of consecutive failed login attempts. The value range is 2 to 10.
exceed: Specifies the action to be taken when a user fails to log in after the specified number of attempts.
lock: Permanently prohibits a user who fails to log in after the specified number of attempts from logging in.
lock-time time: Forces a user who fails to log in after the specified number of attempts to wait for a period of time before trying again.
IP: 192.168.44.1
Login failures: 4
Lock flag: lock
Blacklist items matched: 1.
The user can no longer log in.
# Set the maximum number of login attempts to 2 and prohibit a user from logging in within 3 minutes if the user fails to log in after two attempts.
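The lock and lock-time actions above differ in how a blacklist entry expires, which is the detail an operator reviewing display password-control blacklist output needs. The following is an added example, not device code: a small blacklist that counts consecutive failures per (username, IP) and applies either action, with a display method producing lines in the style of the output shown above. Keying on the (username, IP) pair, clearing the entry on a successful login, and restarting the counter when a lock-time expires are assumptions made for illustration.

```python
# Added example (not device code): a login-attempt blacklist applying the
# lock / lock-time semantics of password-control login-attempt.
# Keying by (username, ip) and the reset-on-success rule are assumptions.

class LoginBlacklist:
    def __init__(self, login_times=3, exceed="lock-time", lock_time_minutes=1):
        if not 2 <= login_times <= 10:               # range of login-times on the page
            raise ValueError("login-times must be in the range 2 to 10")
        if exceed not in ("lock", "lock-time"):
            raise ValueError("exceed action must be lock or lock-time")
        self.login_times = login_times
        self.exceed = exceed
        self.lock_seconds = lock_time_minutes * 60
        # (username, ip) -> {"failures": int, "lock_flag": None|"lock"|"lock-time", "lock_until": float|None}
        self.entries = {}

    def allowed(self, username, ip, now):
        """True if a login attempt from (username, ip) may proceed at time `now` (seconds)."""
        entry = self.entries.get((username, ip))
        if entry is None or entry["lock_flag"] is None:
            return True
        if entry["lock_flag"] == "lock":
            return False                             # permanent until the entry is reset
        if now < entry["lock_until"]:
            return False                             # still inside the lock-time period
        del self.entries[(username, ip)]             # lock-time expired: counter restarts
        return True

    def record_failure(self, username, ip, now):
        """Count one failed attempt and apply the exceed action once login_times is reached."""
        entry = self.entries.setdefault(
            (username, ip), {"failures": 0, "lock_flag": None, "lock_until": None})
        entry["failures"] += 1
        if entry["failures"] >= self.login_times:
            entry["lock_flag"] = self.exceed
            entry["lock_until"] = (now + self.lock_seconds
                                   if self.exceed == "lock-time" else None)
        return entry["failures"]

    def record_success(self, username, ip):
        """Assumed behaviour: a successful login clears the failure counter."""
        self.entries.pop((username, ip), None)

    def display(self):
        """Lines in the style of display password-control blacklist."""
        lines = []
        for (username, ip), entry in self.entries.items():
            lines.append(f"Username: {username}")
            lines.append(f"IP: {ip}")
            lines.append(f"Login failures: {entry['failures']}")
            lines.append(f"Lock flag: {entry['lock_flag'] or 'unlock'}")
        return lines
```

With login_times=2, exceed="lock-time" and lock_time_minutes=3 the object models the example command above: the second failure locks the pair for 180 seconds, after which attempts are accepted again.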
Examples
# Set the super passwords to expire after 10 days.
system-view
[Sysname] password-control super aging 10
Related commands
• display password-control
• password-control aging

password-control super composition
Use password-control super composition to configure the composition policy for super passwords.
Use undo password-control super composition to restore the default.
Related commands
• display password-control
• password-control composition

password-control super length
Use password-control super length to set the minimum length for super passwords.
Use undo password-control super length to restore the default.
Syntax
password-control super length length
undo password-control super length
Default
In non-FIPS mode, the minimum super password length is 10 characters. In FIPS mode, the minimum super password length is 15 characters.
Default
The minimum password update interval is 24 hours.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
interval: Specifies the minimum password update interval in hours in the range of 0 to 168. 0 means no requirements for password update interval.
Usage guidelines
The set minimum interval is not effective on a user who is prompted to change the password at the first login or after the password expires.
Examples
# Set the minimum password update interval to 36 hours.
reset password-control blacklist user-name test
Are you sure to delete the specified user in blacklist? [Y/N]:
Related commands
display password-control blacklist

reset password-control history-record
Use reset password-control history-record to delete history password records.
Public key management commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

display public-key local public
Use display public-key local public to display local public keys.
FBF6A3D64DEB33E5CEBF2BCF26296778A26A84F4F4C5DBF8B656ACFA62CD96863474899BC1
2DA4C04EF5AE0835090203010001
=============================================
Key name: serverkey (default)
Key type: RSA
Time when key pair created: 15:40:48 2013/05/12
Key code:
307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442
762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64
DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E
9D85C13413996ECD093B0203010001
====
Key type: DSA
Time when key pair created: 15:35:42 2013/05/12
Key code:
308201B83082012C06072A8648CE3804013082013F02818100D757262C4584C44C211F18BD
96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E
DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D
DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038
7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1
4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B4709
display public-key peer
Use display public-key peer to display information about peer public keys.
Syntax
display public-key peer [ brief | name publickey-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
brief: Displays brief information about all peer public keys. The brief information includes only the key type, key modulus, and key name.
name publickey-name: Displays detailed information about a peer public key, including its key code.
Field         Description
Key type      Key type: RSA, DSA or ECDSA.
Key modulus   Key modulus length in bits.
Key code      Public key string.
# Display brief information about all peer public keys.
display public-key peer brief
Type  Modulus  Name
--------------------------
RSA   1024     idrsa
DSA   1024     10.1.1.1
Table 20 Command output
Field    Description
Type     Key type: RSA, DSA or ECDSA.
Modulus  Key modulus length in bits.
Name     Name of the peer public key.
system-view
[Sysname] public-key peer key1
Public key view: return to System View with "peer-public-key end".
Table 21 Default local key pair names
Type   Default name
RSA    • Host key pair: hostkey
       • Server key pair: serverkey
DSA    dsakey
ECDSA  ecdsakey
Usage guidelines
The key algorithm must be the same as required by the security application.
The key modulus length must be appropriate (see Table 22). The longer the key modulus length, the higher the security, and the longer the key generation time.
Examples
# Create local RSA key pairs with default names.
system-view
[Sysname] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
...++++++
.++++++
..++++++++
....++++++++
Create the key pair successfully.
# Create a local DSA key pair with the default name.
system-view
[Sysname] public-key local create dsa name dsa1
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+..+................
.......+..........+..............+.............+...+.....+...............+..+...
...+.................+...
Related commands
• display public-key local public
• public-key local destroy

public-key local destroy
Use public-key local destroy to destroy local key pairs.
Syntax
public-key local destroy { dsa | ecdsa | rsa } [ name key-name ]
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
dsa: Specifies the DSA type.
ecdsa: Specifies the ECDSA type.
rsa: Specifies the RSA type.
name key-name: Specifies the name of a local key pair.
# Destroy the local RSA key pair rsa1.
system-view
[Sysname] public-key local destroy rsa name rsa1
Confirm to destroy the key pair? [Y/N]:y
# Destroy the local DSA key pair dsa1.
system-view
[Sysname] public-key local destroy dsa name dsa1
Confirm to destroy the key pair? [Y/N] :y
# Destroy the local ECDSA key pair ecdsa1.
Use the public-key local export dsa [ name key-name ] { openssh | ssh2 } command to display the local host public key in the specific format, copy and paste it to a file.
Use the public-key local export dsa [ name key-name ] { openssh | ssh2 } filename command to export the host public key to the file. You cannot export the host public key to the folder pkey or its subfolders.
2. Transfer a copy of the file to the peer device, for example, by using FTP or TFTP in binary mode.
3.
AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3
B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz
WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU
XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH
bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACBAKHkVsjaKtG7g7G98
qGmtaboNkK0YEAkRdp+QDZxX0aPdmVeEU1GC3ES9XFD7gIK70pb+tB7dA+8scZNqKK85hkoNCFEXux3088
filename: Specifies the name of the file for saving the local host public key. The file name is a string of case-insensitive characters excluding ./ and ../. The name cannot be dots (.), hostkey, serverkey, dsakey, or ecdsakey, and cannot start with a slash (/). For more information about file name, see Fundamentals Configuration Guide.
Usage guidelines
Whether the command exports or displays the host public key depends on the presence of the filename argument.
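Both export formats carry the same base64 blob in the SSH wire encoding (a length-prefixed type string followed by length-prefixed mpints), and the first 16 characters of the blob shown above, AAAAB3NzaC1kc3MA, decode to the type string "ssh-dss". The following is an added example, not device code: it extracts the blob from either an RFC 4716 (ssh2) block or a one-line OpenSSH entry and reports the key type and modulus length, the two fields that display public-key peer brief lists. The RSA and DSA values it builds as test input are constructed and far too small or structured to be real keys; the helper names are this example's own.

```python
import base64
import struct

# Added example (not device code): decode the SSH public key blob that
# public-key local export produces (ssh2 = RFC 4716 block, openssh = one line)
# and report key type and modulus length. Sample keys built here are constructed.


def _ssh_string(data, offset):
    """Decode one SSH wire-format string: uint32 big-endian length, then body."""
    if offset + 4 > len(data):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", data[offset:offset + 4])
    start = offset + 4
    if start + n > len(data):
        raise ValueError("truncated string body")
    return data[start:start + n], start + n


def _encode_string(body):
    return struct.pack(">I", len(body)) + body


def _encode_mpint(value):
    """SSH mpint: big-endian magnitude with a leading 0x00 when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _encode_string(raw)


def build_rsa_blob(e, n):
    """Base64 ssh-rsa blob from constructed (e, n); used only to make test input."""
    body = _encode_string(b"ssh-rsa") + _encode_mpint(e) + _encode_mpint(n)
    return base64.b64encode(body).decode("ascii")


def build_dsa_blob(p, q, g, y):
    """Base64 ssh-dss blob from constructed parameters; used only to make test input."""
    body = _encode_string(b"ssh-dss") + b"".join(_encode_mpint(v) for v in (p, q, g, y))
    return base64.b64encode(body).decode("ascii")


def to_ssh2_text(blob_b64, comment="constructed"):
    """Wrap a blob in the RFC 4716 form (72-column lines) that the ssh2 keyword exports."""
    body = "\n".join(blob_b64[i:i + 72] for i in range(0, len(blob_b64), 72))
    return (f'---- BEGIN SSH2 PUBLIC KEY ----\nComment: "{comment}"\n'
            f"{body}\n---- END SSH2 PUBLIC KEY ----\n")


def extract_blob(text):
    """Pull the base64 blob out of either export format."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        # RFC 4716: drop BEGIN/END markers and header lines such as "Comment:"
        return "".join(ln for ln in lines[1:] if not ln.startswith("----") and ":" not in ln)
    return lines[0].split()[1]          # OpenSSH: "<type> <base64> [comment]"


def ssh_key_type(blob_b64):
    """Key type from the first wire string; tolerates a truncated blob."""
    data = base64.b64decode(blob_b64[: len(blob_b64) // 4 * 4])
    return _ssh_string(data, 0)[0].decode("ascii")


def parse_ssh_public_key(blob_b64):
    """Return the type and modulus length in bits, as display public-key peer brief shows."""
    data = base64.b64decode(blob_b64, validate=True)
    key_type, off = _ssh_string(data, 0)
    if key_type == b"ssh-rsa":
        _e, off = _ssh_string(data, off)
        n, _ = _ssh_string(data, off)
        return {"type": "RSA", "modulus_bits": int.from_bytes(n, "big").bit_length()}
    if key_type == b"ssh-dss":
        p, _ = _ssh_string(data, off)   # p, q, g, y follow; p sets the modulus length
        return {"type": "DSA", "modulus_bits": int.from_bytes(p, "big").bit_length()}
    raise ValueError(f"unsupported key type {key_type!r}")
```

Because every field is length-prefixed, a file truncated during transfer (step 2 above) fails with "truncated string body" rather than yielding a wrong modulus, which is the check worth having before a key is trusted on the peer.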
# Display the host public key of the local RSA key pair rsa1 in SSH2.0 format.
2. Type the public key.
3. Execute the peer-public-key end command to save the public key and return to system view.
The public key you type in the public key view must be in a correct format. If your device is an HP device, use the display public-key local public command to display and record its public key.
Examples
# Specify the name key1 for a peer public key and enter public key view.
In FIPS mode, the device supports importing public keys in the format of SSH2.0 and OpenSSH.
Examples
# Import the peer host public key key2 from the public key file key.pub.
system-view
[Sysname] public-key peer key2 import sshkey key.
IPsec commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces.
• For an IKE-based IPsec policy, the initiator sends the first AH authentication algorithm specified in the IPsec transform set to the peer end during the negotiation phase, and the responder matches the received algorithm against its local algorithms until a match is found. To ensure a successful IKE negotiation, the IPsec transform sets specified at both ends of the tunnel must have at least one same AH authentication algorithm.
Syntax
display ipsec { ipv6-policy | policy } [ policy-name [ seq-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
ipv6-policy: Displays information about IPv6 IPsec policies.
policy: Displays information about IPv4 IPsec policies.
policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies an IPsec policy entry by its sequence number in the range of 1 to 65535.
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 12345 (0x00003039)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
# Display information about all IPv6 IPsec policies.
ESP encryption hex key:
ESP authentication hex key:
Table 23 Command output
Field                                  Description
IPsec Policy                           IPsec policy name.
Interface                              Interface to which the IPsec policy is applied.
Sequence number                        Sequence number of the IPsec policy entry.
Mode                                   Negotiation mode of the IPsec policy:
                                       • manual—Manual mode.
                                       • isakmp—IKE negotiation mode.
The policy configuration is incomplete IPsec policy configuration incomplete. Possible causes include:
                                       • The ACL is not configured.
Related commands
ipsec { ipv6-policy | policy }

display ipsec sa
Use display ipsec sa to display information about IPsec SAs.
Syntax
display ipsec sa [ brief | count | interface interface-type interface-number | { ipv6-policy | policy } policy-name [ seq-number ] | remote [ ipv6 ] ip-address ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
brief: Displays brief information about all IPsec SAs.
count: Displays the number of IPsec SAs.
Table 24 Command output
Field             Description
Interface/Global  Interface to which the IPsec SA belongs, or global IPsec SA.
Dst Address       Remote end IP address of the IPsec tunnel.
SPI               IPsec SA SPI.
Protocol          Security protocol used by IPsec.
Status            Stateful failover status of the IPsec SA: active or backup. In standalone mode, this field displays –.
# Display the number of IPsec SAs.
display ipsec sa count
Total IPsec SAs count: 4
# Display information about all IPsec SAs.
Field               Description
Sequence number     Sequence number of the IPsec policy entry.
Mode                Negotiation mode used by the IPsec policy:
                    • manual
                    • isakmp
Tunnel id           IPsec tunnel ID.
Encapsulation mode  Encapsulation mode, transport or tunnel.
Related commands
• ipsec sa global-duration
• reset ipsec sa

display ipsec statistics
Use display ipsec statistics to display IPsec packet statistics.
Syntax
display ipsec statistics [ tunnel-id tunnel-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID in the range of 0 to 4294967295. You can use the display ipsec tunnel brief command to view the IDs of established IPsec tunnels.
IPsec packet statistics:
  Received/sent packets: 5124/8231
  Received/sent bytes: 52348/64356
  Dropped packets (received/sent): 0/0
  Dropped packets statistics
    No available SA: 0
    Wrong SA: 0
    Invalid length: 0
    Authentication failure: 0
    Encapsulation failure: 0
    Decapsulation failure: 0
    Replayed packets: 0
    ACL check failure: 0
    MTU check failure: 0
    Loopback limit exceeded: 0
Table 26 Command output
Field                  Description
Received/sent packets  Number of received/sent IPsec-protected packets.
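The drop counters in this output are the first place to look when an IPsec tunnel is up but traffic is being lost, and they are cumulative, so what matters operationally is their growth between polls. The following is an added example, not device code: it parses the text of display ipsec statistics into a dictionary and reports drop counters whose increase since a previous poll exceeds a threshold. The sample output embedded in it is constructed (its non-zero values are invented for the demonstration); the counter names are the ones shown above.

```python
import re

# Added example (not device code): parse display ipsec statistics text and
# flag drop counters that grew faster than a threshold between two polls.
# SAMPLE_OUTPUT is constructed; its counter names match the command output.

SAMPLE_OUTPUT = """\
IPsec packet statistics:
  Received/sent packets: 5124/8231
  Received/sent bytes: 52348/64356
  Dropped packets (received/sent): 62/0
  Dropped packets statistics
    No available SA: 0
    Wrong SA: 0
    Invalid length: 0
    Authentication failure: 17
    Encapsulation failure: 0
    Decapsulation failure: 0
    Replayed packets: 42
    ACL check failure: 3
    MTU check failure: 0
    Loopback limit exceeded: 0
"""

DROP_COUNTERS = [
    "No available SA", "Wrong SA", "Invalid length", "Authentication failure",
    "Encapsulation failure", "Decapsulation failure", "Replayed packets",
    "ACL check failure", "MTU check failure", "Loopback limit exceeded",
]

# "name: received/sent" lines and "name: value" lines
_PAIR = re.compile(r"^\s*(?P<name>[^:]+):\s*(?P<rx>\d+)/(?P<tx>\d+)\s*$")
_SINGLE = re.compile(r"^\s*(?P<name>[^:]+):\s*(?P<val>\d+)\s*$")


def parse_ipsec_statistics(text):
    """Map each counter name to an int, or to a (received, sent) tuple for paired lines."""
    stats = {}
    for line in text.splitlines():
        m = _PAIR.match(line)
        if m:
            stats[m["name"].strip()] = (int(m["rx"]), int(m["tx"]))
            continue
        m = _SINGLE.match(line)
        if m:
            stats[m["name"].strip()] = int(m["val"])
    return stats


def drop_alerts(current, previous=None, threshold=10):
    """Drop counters whose increase over `previous` (all zero if None) exceeds `threshold`."""
    previous = previous or {}
    alerts = {}
    for name in DROP_COUNTERS:
        delta = current.get(name, 0) - previous.get(name, 0)
        if delta > threshold:
            alerts[name] = delta
    return alerts
```

Feeding each poll's parsed dictionary back in as `previous` turns the cumulative counters into rates; a rising "Replayed packets" value with healthy peers usually points at reordering wider than the anti-replay window rather than at an attack, and a rising "Authentication failure" value at a key or algorithm mismatch.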
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
transform-set-name: Specifies an IPsec transform set by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
If you do not specify an IPsec transform set, this command displays information about all IPsec transform sets.
Examples
# Display information about all IPsec transform sets.
Related commands
ipsec transform-set

display ipsec tunnel
Use display ipsec tunnel to display information about IPsec tunnels.
Syntax
display ipsec tunnel { brief | count | tunnel-id tunnel-id }
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
brief: Displays brief information about IPsec tunnels.
count: Displays the number of IPsec tunnels.
tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID in the range of 0 to 4294967295.
Field    Description
Status   Stateful failover status of the IPsec SA: active or backup. This field displays active.
# Display the number of IPsec tunnels.
display ipsec tunnel count
Total IPsec Tunnel Count: 2
# Display information about all IPsec tunnels.
remote address: 2.2.2.2
Flow: as defined in ACL 3100
Table 29 Command output
Field      Description
Tunnel ID  IPsec ID, used to uniquely identify an IPsec tunnel.
Status     IPsec tunnel status. Only active is available.
Parameters
transport: Uses the transport mode for IP packet encapsulation.
tunnel: Uses the tunnel mode for IP packet encapsulation.
Usage guidelines
IPsec supports the following encapsulation modes:
• Transport mode—The security protocols protect the upper layer data of an IP packet. Only the transport layer data is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are placed after the original IP header.
Views
IPsec transform set view
Predefined user roles
network-admin
mdc-admin
Parameters
md5: Uses the HMAC-MD5 algorithm, which uses a 128-bit key.
sha1: Uses the HMAC-SHA1 algorithm, which uses a 160-bit key.
Usage guidelines
In non-FIPS mode, you can specify multiple ESP authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.
• For a manual IPsec policy, the first specified ESP authentication algorithm takes effect.
Default
ESP does not use any encryption algorithms.
Views
IPsec transform set view
Predefined user roles
network-admin
mdc-admin
Parameters
3des-cbc: Uses the 3DES algorithm in CBC mode, which uses a 168-bit key.
aes-cbc-128: Uses the AES algorithm in CBC mode, which uses a 128-bit key.
aes-cbc-192: Uses the AES algorithm in CBC mode, which uses a 192-bit key.
aes-cbc-256: Uses the AES algorithm in CBC mode, which uses a 256-bit key.
des-cbc: Uses the DES algorithm in CBC mode, which uses a 64-bit key.
Default
An IPsec policy does not reference any IKE profile, and the device selects an IKE profile configured in system view for negotiation. If no IKE profile is configured, the globally configured IKE settings are used.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
profile-name: Specifies an IKE profile by its name, a case-insensitive string of 1 to 63 characters.
IPsec anti-replay checking, when enabled, is performed before the de-encapsulation process, reducing resource waste. In some situations, service data packets are received in a different order than their original order. The IPsec anti-replay function drops them as replayed packets, which impacts communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required. IPsec anti-replay checking does not affect manually created IPsec SAs.
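The trade-off described above, between dropping genuinely replayed packets and dropping legitimately reordered ones, comes down to the size of the sliding window. The following is an added example, not device code: a sliding anti-replay window of the "highest sequence number plus bitmap" form that RFC 4303 specifies for ESP, run over constructed sequence-number streams so the effect of widening the window on reordered traffic can be seen directly. The power-of-two restriction on the window size is an assumption of this example, not a statement about the device.

```python
# Added example (not device code): a sliding anti-replay window as described
# for ESP in RFC 4303, used to show why reordering wider than the window is
# dropped as replay. Sequence-number streams in the tests are constructed.

class AntiReplayWindow:
    def __init__(self, window_size=64):
        if window_size < 32 or window_size & (window_size - 1):
            raise ValueError("window size must be a power of two of at least 32")
        self.size = window_size
        self.highest = 0        # highest sequence number accepted so far (right edge)
        self.bitmap = 0         # bit i set: sequence number (highest - i) already accepted
        self.replayed = 0       # counter comparable to 'Replayed packets' in the statistics

    def check_and_update(self, seq):
        """Accept (True) or drop (False) a packet carrying sequence number seq."""
        if seq <= 0:
            return False                             # sequence number 0 is never transmitted
        if seq > self.highest:                       # new right edge: slide the window
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) & mask) | 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:                        # older than the window: dropped
            self.replayed += 1
            return False
        if (self.bitmap >> diff) & 1:                # inside the window but already seen
            self.replayed += 1
            return False
        self.bitmap |= 1 << diff                     # late but new: accepted
        return True


def simulate(sequence_numbers, window_size=64):
    """Run a list of sequence numbers through one window; returns accept/drop per packet."""
    window = AntiReplayWindow(window_size)
    return [window.check_and_update(s) for s in sequence_numbers]
```

A packet 40 positions behind the right edge is accepted with a 64-entry window and dropped with a 32-entry one, which is exactly the symptom the text attributes to reordering; a true duplicate is dropped at any window size, so widening the window does not weaken the replay check for packets it still covers.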
Related commands
ipsec anti-replay check

ipsec apply
Use ipsec apply to apply an IPsec policy to an interface.
Use undo ipsec apply to remove the application.
Syntax
ipsec apply { ipv6-policy | policy } policy-name
undo ipsec apply { ipv6-policy | policy }
Default
No IPsec policy is applied to an interface.
Views
Interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv6-policy: Specifies an IPv6 IPsec policy.
policy: Specifies an IPv4 IPsec policy.
Syntax
ipsec decrypt-check enable
undo ipsec decrypt-check enable
Default
ACL checking for de-encapsulated IPsec packets is enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
In tunnel mode, the IP packet encapsulated in an inbound IPsec packet might not be under the protection of the ACL specified in the IPsec policy. After being de-encapsulated, such packets bring threats to the network security.
Examples
# Enable logging for IPsec packets.
system-view
[Sysname] ipsec logging packet enable

ipsec df-bit
Use ipsec df-bit to set the DF bit for outer IP headers of encapsulated IPsec packets on an interface.
Use undo ipsec df-bit to restore the default.
Syntax
ipsec df-bit { clear | copy | set }
undo ipsec df-bit
Default
The DF bit is not set for outer IP headers of encapsulated IPsec packets on an interface. The global DF bit is used.
ipsec global-df-bit
Use ipsec global-df-bit to set the DF bit for outer IP headers of encapsulated IPsec packets on all interfaces.
Use undo ipsec global-df-bit to restore the default.
Syntax
ipsec global-df-bit { clear | copy | set }
undo ipsec global-df-bit
Default
The DF bit of original IP headers is copied to the outer IP headers for encapsulated IPsec packets.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
clear: Clears the DF bit for outer IP headers.
undo ipsec { ipv6-policy | policy } policy-name [ seq-number ]
Default
No IPsec policy is created.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv6-policy: Specifies an IPv6 IPsec policy.
policy: Specifies an IPv4 IPsec policy.
policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies a sequence number for the IPsec policy, in the range of 1 to 65535.
isakmp: Establishes IPsec SAs through IKE negotiation.
ipsec { ipv6-policy | policy } local-address
Use ipsec { ipv6-policy | policy } local-address to bind an IPsec policy to a source interface.
Use undo ipsec { ipv6-policy | policy } local-address to remove the bindings of IPsec policies and source interfaces.
Syntax
ipsec { ipv6-policy | policy } policy-name local-address interface-type interface-number
undo ipsec { ipv6-policy | policy } policy-name local-address
Default
No IPsec policy is bound to a source interface.
system-view
[Sysname] ipsec policy map local-address loopback 11
Related commands
ipsec { ipv6-policy | policy }

ipsec sa global-duration
Use ipsec sa global-duration to configure the global IPsec SA lifetime.
Use undo ipsec sa global-duration to restore the default.
• sa duration

ipsec sa idle-time
Use ipsec sa idle-time to enable the global IPsec SA idle timeout function and set the idle timeout. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted.
Use undo ipsec sa idle-time to restore the default.
Syntax
ipsec sa idle-time seconds
undo ipsec sa idle-time
Default
The global IPsec SA idle timeout function is disabled.
Default
No IPsec transform set exists.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
transform-set-name: Specifies a name for the IPsec transform set, a case-insensitive string of 1 to 63 characters.
Usage guidelines
An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, and authentication algorithms.
ipv6 ipv6-address: Specifies the local IPv6 address for the IPsec tunnel.
Usage guidelines
The remote IP address on the IKE negotiation initiator must be the same as the local address on the IKE negotiation responder.
Examples
# Configure the local address 1.1.1.1 for the IPsec tunnel.
system-view
[Sysname] ipsec policy map 1 isakmp
[Sysname-ipsec-policy-isakmp-map-1] local-address 1.1.1.
Usage guidelines
In terms of security and necessary calculation time, the following groups are in descending order: 2048-bit and 256-bit subgroup Diffie-Hellman group (dh-group24), 2048-bit Diffie-Hellman group (dh-group14), 1536-bit Diffie-Hellman group (dh-group5), 1024-bit Diffie-Hellman group (dh-group2), and 768-bit Diffie-Hellman group (dh-group1).
The security level of the Diffie-Hellman group of the initiator must be higher than or equal to that of the responder.
qos pre-classify
Use qos pre-classify to enable the QoS pre-classify feature.
Use undo qos pre-classify to restore the default.
Syntax
qos pre-classify
undo qos pre-classify
Default
The QoS pre-classify feature is disabled. QoS uses the new IP header of IPsec packets to perform traffic classification.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The QoS pre-classify feature enables QoS to classify packets by using the IP header of the original IP packets.
Parameters
ipv6: Specifies a remote IPv6 address. Without this keyword, you specify an IPv4 address or host name.
hostname: Specifies the remote host name, a case-insensitive string of 1 to 253 characters. The host name can be resolved to an IP address by the DNS server.
ipv4-address: Specifies a remote IPv4 address.
ipv6-address: Specifies a remote IPv6 address.
Usage guidelines
This remote IP address configuration is required on the IKE negotiation initiator and optional on the responder.
reset ipsec sa
Use reset ipsec sa to clear IPsec SAs.
Syntax
reset ipsec sa [ { ipv6-policy | policy } policy-name [ seq-number ] | remote { ipv4-address | ipv6 ipv6-address } | spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
{ ipv6-policy | policy } policy-name [ seq-number ]: Clears IPsec SAs for the specified IPsec policy.
• ipv6-policy: Specifies an IPv6 IPsec policy.
• policy: Specifies an IPv4 IPsec policy.
Examples
# Clear all IPsec SAs.
reset ipsec sa
# Clear the inbound and outbound IPsec SAs for the triplet of SPI 123, remote IP address 10.1.1.2, and security protocol AH.
reset ipsec sa spi 10.1.1.2 ah 123
# Clear all IPsec SAs for the remote IP address 10.1.1.2.
reset ipsec sa remote 10.1.1.2
# Clear all IPsec SAs for the entry 10 of the IPsec policy policy1.
reset ipsec sa policy policy1 10
# Clear all IPsec SAs for the IPsec policy policy1.
undo sa duration { time-based | traffic-based }
Default
The SA lifetime of an IPsec policy is the current global SA lifetime.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
time-based seconds: Specifies the time-based SA lifetime in the range of 180 to 604800 seconds.
traffic-based kilobytes: Specifies the traffic-based SA lifetime in the range of 2560 to 4294967295 kilobytes.
Usage guidelines
IKE prefers the SA lifetime of the IPsec policy over the global SA lifetime.
Default
No authentication key is configured for manual IPsec SAs.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
inbound: Specifies a hexadecimal authentication key for inbound SAs.
outbound: Specifies a hexadecimal authentication key for outbound SAs.
ah: Uses AH.
esp: Uses ESP.
cipher key-value: Sets a ciphertext authentication key, a case-sensitive string of 1 to 85 characters.
simple key-value: Sets a plaintext authentication key.
Use undo sa hex-key encryption to remove the hexadecimal encryption key.
Syntax
sa hex-key encryption { inbound | outbound } esp { cipher | simple } key-value
undo sa hex-key encryption { inbound | outbound } esp
Default
No encryption key is configured for manual IPsec SAs.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
inbound: Specifies a hexadecimal encryption key for inbound SAs.
outbound: Specifies a hexadecimal encryption key for outbound SAs.
esp: Uses ESP.
Related commands
• display ipsec sa
• sa string-key

sa idle-time
Use sa idle-time to set the IPsec SA idle timeout for an IPsec policy. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted.
Use undo sa idle-time to restore the default.
Syntax
sa idle-time seconds
undo sa idle-time
Default
An IPsec policy uses the global IPsec SA idle timeout.
Syntax
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }
Default
No SPI is configured for IPsec SAs.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
inbound: Specifies an SPI for inbound SAs.
outbound: Specifies an SPI for outbound SAs.
ah: Uses AH.
esp: Uses ESP.
spi-number: Specifies a security parameter index (SPI) in the range of 256 to 4294967295.
undo sa string-key { inbound | outbound } { ah | esp }
Default
No key string is configured for IPsec SAs.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
inbound: Sets a key string for inbound IPsec SAs.
outbound: Sets a key string for outbound IPsec SAs.
ah: Uses AH.
esp: Uses ESP.
cipher: Sets a ciphertext key.
simple: Sets a plaintext key.
key-value: Specifies a case-sensitive key string. If cipher is specified, it must be a string of 1 to 373 characters.
security acl
Use security acl to reference an ACL for an IPsec policy.
Use undo security acl to remove the ACL referenced by an IPsec policy.
Syntax
security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]
undo security acl
Default
An IPsec policy references no ACL.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv6: Specifies an IPv6 ACL.
acl-number: Specifies an ACL by its number in the range of 3000 to 3999.
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] security acl 3001
# Reference ACL 3002 for the IPsec policy policy2 and specify the data protection mode as aggregation.
system-view
[Sysname] acl number 3002
[Sysname-acl-adv-3002] rule 0 permit ip source 10.1.2.1 0.0.0.255 destination 10.1.2.2 0.0.0.255
[Sysname-acl-adv-3002] rule 1 permit ip source 10.1.3.1 0.0.0.255 destination 10.1.3.2 0.0.0.
policy-attach: Specifies SNMP notifications for events of applying IPsec policies to interfaces.
policy-delete: Specifies SNMP notifications for events of deleting IPsec policies.
policy-detach: Specifies SNMP notifications for events of removing IPsec policies from interfaces.
tunnel-start: Specifies SNMP notifications for events of creating IPsec tunnels.
tunnel-stop: Specifies SNMP notifications for events of deleting IPsec tunnels.
An IKE-based IPsec policy can reference six IPsec transform sets at most. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped.
If you do not specify the transform-set-name argument, the undo transform-set command removes all referenced IPsec transform sets.
Examples
# Reference the IPsec transform set prop1 for the IPsec policy policy1.
IKE commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces.
authentication-method
Use authentication-method to specify an authentication method to be used in an IKE proposal.
Use undo authentication-method to restore the default.
Syntax
authentication-method pre-share
undo authentication-method
Default
The IKE proposal uses the pre-shared key as the authentication method.
Views
IKE proposal view
Predefined user roles
network-admin
mdc-admin
Parameters
pre-share: Specifies the pre-shared key as the authentication method.
undo dh
In FIPS mode:
dh group14
undo dh
Default
In non-FIPS mode, group1, the 768-bit Diffie-Hellman group, is used. In FIPS mode, group14, the 2048-bit Diffie-Hellman group, is used.
Views
IKE proposal view
Predefined user roles
network-admin
mdc-admin
Parameters
group1: Uses the 768-bit Diffie-Hellman group.
group14: Uses the 2048-bit Diffie-Hellman group.
group2: Uses the 1024-bit Diffie-Hellman group.
group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup.
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Usage guidelines
This command displays the configuration information about all IKE proposals in descending order of proposal priorities. If no IKE proposal is configured, the command displays the default IKE proposal.
Examples
# Display the configuration information about all IKE proposals.
Syntax display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address [ vpn-instance vpn-name ] ] ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters verbose: Displays detailed information. connection-id connection-id: Displays detailed information about IKE SAs by connection ID in the range of 1 to 2000000000. remote-address: Displays detailed information about IKE SAs with the specified remote address.
Field            Description
DOI              Interpretation domain to which the SA belongs.
# Display detailed information about the current IKE SAs.
display ike sa verbose
--------------------------------------------
Connection ID: 2
Outside VPN: 1
Inside VPN: 1
Profile: prof1
Transmitting entity: Initiator
--------------------------------------------
Local IP: 4.4.4.4
Local ID type: IPV4_ADDR
Local ID: 4.4.4.4
Remote IP: 4.4.4.5
Remote ID type: IPV4_ADDR
Remote ID: 4.4.4.

Authentication-algorithm: SHA1
Encryption-algorithm: AES-CBC-128
Life duration(sec): 86400
Remaining key duration(sec): 86379
Exchange-mode: Main
Diffie-Hellman group: Group 1
NAT traversal: Not detected
Table 32 Command output
Field            Description
Connection ID    Identifier of the IKE SA.
Outside VPN      VPN instance name of the MPLS L3VPN to which the receiving interface belongs.
Inside VPN       VPN instance name of the MPLS L3VPN to which the protected data belongs.
Syntax
dpd interval interval-seconds [ retry seconds ] { on-demand | periodic }
undo dpd interval
Default
IKE DPD is disabled.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
interval interval-seconds: Specifies a period of time in seconds. The value range is from 1 to 300.
• If the on-demand keyword is specified, this parameter specifies the number of seconds during which no IPsec packet is received before DPD is triggered if the local end has IPsec traffic to send.

Syntax
In non-FIPS mode:
encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc }
undo encryption-algorithm
In FIPS mode:
encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }
undo encryption-algorithm
Default
In non-FIPS mode, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode. In FIPS mode, an IKE proposal uses the 128-bit AES encryption algorithm in CBC mode.

exchange-mode
Use exchange-mode to select an IKE negotiation mode for phase 1.
Use undo exchange-mode to restore the default.
Syntax
In non-FIPS mode:
exchange-mode { aggressive | main }
undo exchange-mode
In FIPS mode:
exchange-mode main
undo exchange-mode
Default
Main mode is used for phase 1.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
aggressive: Specifies the aggressive mode.
main: Specifies the main mode.

undo ike dpd interval
Default
IKE DPD is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
interval interval-seconds: Specifies a period of time in seconds. The value range is from 1 to 300.
• If the on-demand keyword is specified, this parameter specifies the number of seconds during which no IPsec packet is received before DPD is triggered if the local end has IPsec traffic to send.

undo ike identity
Default
By default, the IP address of the interface where the IPsec policy applies is used for the IKE identity.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the identity.
dn: Uses the DN in the digital signature as the identity.
fqdn fqdn-name: Uses the FQDN name as the identity. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, for example, www.test.com.
Predefined user roles
network-admin
mdc-admin
Usage guidelines
An IPsec "black hole" occurs when one IPsec peer fails (for example, because it reboots) and loses its SAs with the other peer. When an IPsec peer receives a data packet for which it cannot find an SA, an invalid SPI is encountered. The peer drops the data packet and tries to send an SPI invalid notification to the data originator. This notification is sent by using the IKE SA.
The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the peer. Because more than three consecutive packets are rarely lost on a network, you can set the keepalive timeout timer to three times the keepalive interval.
ike keychain
Use ike keychain to create an IKE keychain and enter IKE keychain view.
Use undo ike keychain to delete an IKE keychain.
Syntax
ike keychain keychain-name [ vpn-instance vpn-name ]
undo ike keychain keychain-name [ vpn-instance vpn-name ]
Default
No IKE keychain is configured.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters.

Default
There is no limit to the maximum number of IKE SAs.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
max-negotiating-sa negotiation-limit: Specifies the maximum number of half-open IKE SAs, in the range of 1 to 99999.
max-sa sa-limit: Specifies the maximum number of established IKE SAs, in the range of 1 to 99999.
Usage guidelines
The supported maximum number of half-open IKE SAs depends on the device's processing capability.

Parameters
seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 300.
Usage guidelines
This command takes effect only for a device behind a NAT server. When the device resides behind a NAT server, the IKE gateway behind the NAT server needs to send NAT keepalive packets to its peer IKE gateway to keep the NAT session alive.
Examples
# Set the NAT keepalive interval to 5 seconds.
Default
The system has an IKE proposal that is used as the default IKE proposal. This proposal has the lowest priority and uses the following settings:
• Encryption algorithm—DES-CBC in non-FIPS mode and AES-CBC-128 in FIPS mode.
• Authentication method—Pre-shared key authentication.
• Authentication algorithm—HMAC-SHA1.
• DH group—Group1 in non-FIPS mode and group14 in FIPS mode.
• IKE SA lifetime—86400 seconds.
You cannot change the settings of the default IKE proposal.
Syntax
inside-vpn vpn-instance vpn-name
undo inside-vpn
Default
No inside VPN instance is specified for an IKE profile, and the device forwards protected data to the VPN instance with the same name as the VPN instance on the external network.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
vpn-instance vpn-name: Specifies the MPLS L3VPN to which the device forwards protected data. The vpn-name argument is a case-sensitive string of 1 to 31 characters.
Examples
# Specify IKE keychain abc for IKE profile 1.
system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1] keychain abc
Related commands
ike keychain

local-identity
Use local-identity to configure the local ID, the ID that the device uses to identify itself to the peer during IKE negotiation.
Use undo local-identity to delete the local ID.
Examples
# Set the local ID to IP address 2.2.2.2.
system-view
[Sysname] ike profile prof1
[Sysname-ike-profile-prof1] local-identity address 2.2.2.2
Related commands
• match remote
• ike identity

match local address (IKE keychain view)
Use match local address to specify a local interface or IP address to which an IKE keychain can be applied.
Use undo match local address to restore the default.
IKE keychain A is preferred because IKE keychain A was configured earlier. To use IKE keychain B for the peer, you can use this command to restrict the application scope of IKE keychain B to address 2.2.2.2.
Examples
# Create IKE keychain key1.
system-view
[Sysname] ike keychain key1
# Specify that IKE keychain key1 be applied only to the interface with the IP address 2.2.2.2 in VPN vpn1.
[sysname-ike-keychain-key1] match local address 2.2.2.
2.2.2.10 command for IKE profile B. For peer 2.2.2.2, IKE profile A is preferred because IKE profile A was configured earlier. To use IKE profile B for the peer, you can use this command to restrict the application scope of IKE profile B to address 2.2.2.2.
Examples
# Create IKE profile prof1.
system-view
[Sysname] ike profile prof1
# Specify that IKE profile prof1 be applied only to the interface with the IP address 2.2.2.2 in VPN vpn1.
[sysname-ike-profile-prof1] match local address 2.2.2.

• address ipv6 range low-ipv6-address high-ipv6-address: Uses a range of IPv6 addresses as the peer ID for IKE profile matching. The end address must be higher than the start address.
• fqdn fqdn-name: Uses the peer's FQDN as the peer ID for IKE profile matching. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.
• user-fqdn user-fqdn-name: Uses the peer's user FQDN as the peer ID for IKE profile matching.

Predefined user roles
network-admin
mdc-admin
Parameters
address: Specifies a peer by its address.
ipv4-address: Specifies the IPv4 address of the peer.
mask: Specifies the mask in dotted decimal notation. The default mask is 255.255.255.255.
mask-length: Specifies the mask length in the range of 0 to 32. The default mask length is 32.
ipv6: Specifies an IPv6 peer.
ipv6-address: Specifies the IPv6 address of the peer.
prefix-length: Specifies the prefix length in the range of 0 to 128.

priority (IKE keychain view)
Use priority to specify a priority for an IKE keychain.
Use undo priority to restore the default.
Syntax
priority number
undo priority
Default
The priority of an IKE keychain is 100.
Views
IKE keychain view
Predefined user roles
network-admin
mdc-admin
Parameters
priority number: Specifies a priority number in the range of 1 to 65535. The lower the priority number, the higher the priority.

Predefined user roles
network-admin
mdc-admin
Parameters
priority number: Specifies a priority number in the range of 1 to 65535. The smaller the priority number, the higher the priority.
Usage guidelines
To determine the priority of an IKE profile, the device examines the existence of the match local address command before examining the priority number.
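The match remote identity, match local address, and priority descriptions above together define how the device chooses an IKE profile for a peer. The following model of that selection is an added example, not HP code or output from the switch: the ordering (a profile whose match local address fits the local address is considered before one without the command, then the lower priority number, then the profile configured earlier) is a reading of the text, and every profile name and address is constructed.

```python
"""Model of how the device picks an IKE profile for a peer, built from the
match remote identity, match local address, and priority descriptions.

Added example, not HP code. The selection order is a reading of the text:
a profile whose match local address fits the local address is examined before
one without the command, then the lower priority number wins, then the
profile configured earlier wins. All names and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class IkeProfile:
    name: str
    order: int                        # configuration order; lower = configured earlier
    priority: int = 100               # 1 to 65535; lower number = higher priority
    local_address: Optional[str] = None   # match local address (None = not configured)
    remote_nets: List[str] = field(default_factory=list)                # address ipv4-address [mask] / ipv6 prefix
    remote_ranges: List[Tuple[str, str]] = field(default_factory=list)  # address range low high
    remote_fqdns: List[str] = field(default_factory=list)               # fqdn fqdn-name (case-sensitive)


def matches_remote(profile: IkeProfile, peer_id: str) -> bool:
    """True if the peer ID (an address or an FQDN) satisfies any match remote rule."""
    if peer_id in profile.remote_fqdns:
        return True
    try:
        addr = ipaddress.ip_address(peer_id)
    except ValueError:
        return False                  # an FQDN that no rule lists
    for net in profile.remote_nets:
        # strict=False so that "2.2.2.10/24" means the /24 that contains the host
        if addr in ipaddress.ip_network(net, strict=False):
            return True
    for low, high in profile.remote_ranges:
        lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False


def select_profile(profiles: List[IkeProfile], local_address: str, peer_id: str) -> Optional[str]:
    """Return the name of the profile the device would apply, or None if none matches."""
    candidates = []
    for p in profiles:
        if not matches_remote(p, peer_id):
            continue
        # match local address restricts the scope: a different local address excludes the profile
        if p.local_address is not None and p.local_address != local_address:
            continue
        candidates.append(p)
    if not candidates:
        return None
    # existence of match local address is examined first, then the priority number,
    # then the configuration order (earlier wins), as the usage guidelines describe
    candidates.sort(key=lambda p: (0 if p.local_address else 1, p.priority, p.order))
    return candidates[0].name


if __name__ == "__main__":
    # Constructed scenario from the text: two profiles both match peer 2.2.2.2.
    profile_a = IkeProfile("A", order=1, remote_nets=["2.2.2.0/24"])
    profile_b = IkeProfile("B", order=2, remote_ranges=[("2.2.2.1", "2.2.2.254")])
    print(select_profile([profile_a, profile_b], "1.1.1.1", "2.2.2.2"))   # A, configured earlier
    profile_b.local_address = "1.1.1.1"
    print(select_profile([profile_a, profile_b], "1.1.1.1", "2.2.2.2"))   # B, now restricted to 1.1.1.1
```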
Examples
# Specify IKE proposal 10 for IKE profile prof1.
system-view
[Sysname] ike profile prof1
[Sysname-ike-profile-prof1] proposal 10
Related commands
ike proposal

reset ike sa
Use reset ike sa to delete IKE SAs.
Syntax
reset ike sa [ connection-id connection-id ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
connection-id connection-id: Specifies the connection ID of the IKE SA to be cleared, in the range of 1 to 2000000000.
Flags:
RD--READY ST--STAYALIVE RL--REPLACED FD—FADING TO—TIMEOUT

reset ike statistics
Use reset ike statistics to clear IKE statistics.
Syntax
reset ike statistics
Views
User view
Predefined user roles
network-admin
mdc-admin
Examples
# Clear IKE statistics.
reset ike statistics
Related commands
snmp-agent trap enable ike

sa duration
Use sa duration to set the IKE SA lifetime for an IKE proposal.
Use undo sa duration to restore the default.

Before an IKE SA expires, IKE negotiates a new SA. The new SA takes effect immediately after it is negotiated. The old IKE SA is cleared when it expires.
Examples
# Set the IKE SA lifetime to 600 seconds for IKE proposal 1.
system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] sa duration 600
Related commands
display ike proposal

snmp-agent trap enable ike
Use snmp-agent trap enable ike to enable SNMP notifications for IKE.
invalid-id: Specifies SNMP notifications for invalid-ID failures.
invalid-proposal: Specifies SNMP notifications for invalid-IKE-proposal failures.
invalid-protocol: Specifies SNMP notifications for invalid-protocol failures.
invalid-sign: Specifies SNMP notifications for invalid-signature failures.
no-sa-failure: Specifies SNMP notifications for SA-not-found failures.
proposal-add: Specifies SNMP notifications for events of adding IKE proposals.

SSH commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
SSH server commands
display ssh server
Use display ssh server on an SSH server to display the SSH server status or sessions.
Field                               Description
SSH version                         SSH protocol version. When the SSH server supports SSH1, the protocol version is 1.99. Otherwise, the protocol version is 2.
SSH authentication-timeout          Authentication timeout timer.
SSH server key generating interval  SSH server key pair update interval.
SSH authentication retries          Maximum number of authentication attempts for SSH users.
SFTP server                         Whether the SFTP server function is enabled.
SFTP server Idle-Timeout            SFTP connection idle timeout timer.
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users.
Usage guidelines
This command displays information only about SSH users configured by using the ssh user command on the SSH server.
Examples
# Display information about all SSH users.

undo sftp server enable
Default
The SFTP server function is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Examples
# Enable the SFTP server function.
system-view
[Sysname] sftp server enable
Related commands
display ssh server

sftp server idle-timeout
Use sftp server idle-timeout to set the idle timeout timer for SFTP user connections on an SFTP server.
Use undo sftp server idle-timeout to restore the default.

Related commands
display ssh server

ssh server acl
Use ssh server acl to control access to the IPv4 SSH server.
Use undo ssh server acl to restore the default.
Syntax
ssh server acl acl-number
undo ssh server acl
Default
An SSH server allows all IPv4 SSH clients to access the server.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
acl-number: Specifies an ACL number in the range of 2000 to 4999.

ssh server authentication-retries
Use ssh server authentication-retries to set the maximum number of authentication attempts for SSH users.
Use undo ssh server authentication-retries to restore the default.
Syntax
ssh server authentication-retries times
undo ssh server authentication-retries
Default
The maximum number of authentication attempts for SSH users is 3.

undo ssh server authentication-timeout
Default
The authentication timeout timer is 60 seconds.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
time-out-value: Specifies an authentication timeout timer in the range of 1 to 120 seconds.
Usage guidelines
If a user does not finish the authentication when the timeout timer expires, the connection cannot be established.

Usage guidelines
This command is not available in FIPS mode.
The configuration takes effect only on the clients at the next login.
Examples
# Enable the SSH server to support SSH1 clients.
system-view
[Sysname] ssh server compatible-ssh1x enable
Related commands
display ssh server

ssh server dscp
Use ssh server dscp to set the DSCP value in the IPv4 packets that the SSH server sends to the SSH clients.
Use undo ssh server dscp to restore the default.

Syntax
ssh server enable
undo ssh server enable
Default
The SSH server function is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Examples
# Enable the SSH server function.
system-view
[Sysname] ssh server enable
Related commands
display ssh server

ssh server ipv6 acl
Use ssh server ipv6 acl to control access to the IPv6 SSH server.
Use undo ssh server ipv6 acl to restore the default.

• If the ACL has rules configured, only the IPv6 SSH clients whose request packets match the permit statement in this ACL can access the server.
• If the ACL does not exist, or if the ACL does not have any statement, all the IPv6 SSH clients can access the server.
The ACL filters only new SSH connections after the configuration. If you execute this command multiple times, the most recent configuration takes effect.
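The two bullets above hide a configuration pitfall: referencing an ACL that does not exist or has no statements opens the server to every client rather than closing it. The following model of the ssh server acl / ssh server ipv6 acl decision is an added example, not HP code; the ACL shape (an ordered list of permit/deny rules with a source prefix, first match wins), the audit helper, and all numbers and addresses are constructed for illustration, and the 2000 to 4999 range is the one the reference gives for ssh server acl.

```python
"""Model of the ACL check that ssh server acl and ssh server ipv6 acl apply to
new SSH connections. Added example, not HP code. The ACL shape (ordered list of
permit/deny rules with a source prefix, first match wins) and every number and
address are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# One ACL rule: (action, source prefix). An ACL with no statements is an empty list.
Rule = Tuple[str, str]
AclTable = Dict[int, List[Rule]]


def ssh_client_allowed(acls: AclTable, acl_number: Optional[int], client_ip: str) -> bool:
    """Decide whether a new SSH connection from client_ip is accepted.

    acl_number is the value configured with ssh server acl (None when the
    command is not configured). Returns True when the connection is accepted.
    """
    if acl_number is None:
        return True                       # default: all clients may access the server
    if not 2000 <= acl_number <= 4999:    # range the reference gives for ssh server acl
        raise ValueError("ssh server acl accepts ACL numbers 2000 to 4999")
    rules = acls.get(acl_number)
    if not rules:
        # ACL does not exist, or exists without any statement: the reference says
        # all clients can access the server. This is the case to watch for when
        # the configuration references an ACL that has not been populated yet.
        return True
    client = ipaddress.ip_address(client_ip)
    for action, prefix in rules:
        network = ipaddress.ip_network(prefix, strict=False)
        if client.version == network.version and client in network:
            return action == "permit"     # only a matching permit statement grants access
    return False                          # matched nothing: no permit statement, so refused


def audit_ssh_acl(acls: AclTable, acl_number: Optional[int]) -> List[str]:
    """Return the findings a configuration review would raise about the referenced ACL."""
    findings = []
    if acl_number is None:
        findings.append("no ssh server acl configured: every client may connect")
    elif acl_number not in acls:
        findings.append(f"ACL {acl_number} referenced but does not exist: every client may connect")
    elif not acls[acl_number]:
        findings.append(f"ACL {acl_number} has no statements: every client may connect")
    elif not any(action == "permit" for action, _ in acls[acl_number]):
        findings.append(f"ACL {acl_number} has no permit statement: every client is refused")
    return findings


if __name__ == "__main__":
    # Constructed ACL table: 2001 is populated, 2002 exists but is empty.
    sample = {2001: [("permit", "10.1.1.0/24")], 2002: []}
    print(ssh_client_allowed(sample, 2001, "10.2.0.1"))   # False: no permit statement matches
    print(ssh_client_allowed(sample, 2002, "10.2.0.1"))   # True: empty ACL lets everyone in
    print(audit_ssh_acl(sample, 2002))
```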
[Sysname] ssh server ipv6 dscp 30

ssh server rekey-interval
Use ssh server rekey-interval to set an interval for updating the RSA server key pair.
Use undo ssh server rekey-interval to restore the default.
Syntax
ssh server rekey-interval hours
undo ssh server rekey-interval
Default
The interval for updating the RSA server key pair is 0, and the system does not update the RSA server key pair.

undo ssh user username
In FIPS mode:
ssh user username service-type { all | scp | sftp | stelnet } authentication-type { password | password-publickey assign publickey keyname }
undo ssh user username
Default
No SSH users exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If the username contains an ISP domain name, the form is pureusername@domain.
If the authentication method is password, you do not need to create an SSH user or local user. However, if you want to display all SSH users, including the password-only SSH users, for centralized management, you can use this command to create them.
If you use the ssh user command to configure a host public key for a user who already has a host public key, the new one overwrites the old one.
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This command functions as the exit and quit commands.
Examples
# Terminate the connection with the SFTP server.
sftp> bye

cd
Use cd to change the working path on an SFTP server.
Syntax
cd [ remote-path ]
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Parameters
remote-path: Specifies the name of a path on the server.
Usage guidelines
You can use the cd ..

Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Examples
# Return to the upper-level directory from the current working directory /test1.
sftp> cd test1
Current Directory is:/test1
sftp> pwd
Remote working directory: /test1
sftp> cdup
Current Directory is:/
sftp> pwd
Remote working directory: /
sftp>

delete
Use delete to delete the specified files from the SFTP server.

Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Parameters
-a: Displays the names of the files and sub-directories under a directory.
-l: Displays detailed information about the files and sub-directories under a directory in the form of a list.
remote-path: Specifies the name of the directory to be queried. If this argument is not specified, the command displays detailed information about the files and sub-directories under the current working directory.

Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display the source IP address configured for the SFTP client.
display sftp client source
The source IP address of the SFTP client is 192.168.0.1
The source IPv6 address of the SFTP client is 2:2::2:2.

exit
Use exit to terminate the connection with an SFTP server and return to user view.
Syntax
exit
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This command functions as the bye and quit commands.
Examples
# Terminate the connection with the SFTP server.
sftp> exit

get
Use get to download a file from an SFTP server and save it locally.

help
Use help to display help information about an SFTP client command.
Syntax
help
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The help command functions as entering the question mark (?).
Examples
# Display help information.

Syntax
ls [ -a | -l ] [ remote-path ]
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Parameters
-a: Displays the names of the files and sub-directories under a directory.
-l: Displays detailed information about the files and sub-directories under a directory in the form of a list.
remote-path: Specifies the name of the directory to be queried.

Syntax
mkdir remote-path
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Parameters
remote-path: Specifies the name for the directory on an SFTP server.
Examples
# Create a directory named test on the SFTP server.
sftp> mkdir test

put
Use put to upload a local file to an SFTP server.
Syntax
put local-file [ remote-file ]
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Parameters
local-file: Specifies the name of a local file.

Syntax
pwd
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Examples
# Display the current working directory of the SFTP server.
sftp> pwd
Remote working directory: /
The output shows that the current working directory is the root directory.

quit
Use quit to terminate the connection with an SFTP server and return to user view.
Syntax
quit
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This command functions as the bye and exit commands.
mdc-admin
Parameters
remote-file: Specifies the files to delete from an SFTP server.
Usage guidelines
This command functions as the delete command.
Examples
# Delete the file temp.c from the SFTP server.
sftp> remove temp.c
Removing /temp.c

rename
Use rename to change the name of a file or directory on an SFTP server.
Syntax
rename old-name new-name
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Parameters
old-name: Specifies the name of an existing file or directory.
mdc-admin
Parameters
remote-path: Specifies the directories to delete from an SFTP server.
Examples
# Delete the sub-directory temp1 under the current directory on the SFTP server.
sftp> rmdir temp1

scp
Use scp to establish a connection to an IPv4 SCP server and transfer files with the server.

identity-key: Specifies the public key algorithm for the client, either dsa or rsa. The default is dsa. If the server uses publickey authentication, this keyword must be specified.
• dsa: Specifies the public key algorithm dsa.
• rsa: Specifies the public key algorithm rsa.
prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.

Examples
# Connect an SCP client to the SCP server 200.1.1.1, specify the public key of the server as svkey, and download the file abc.txt from the server. The SCP client uses publickey authentication. Use the following algorithms:
• Preferred key exchange algorithm is dh-group14.
• Preferred server-to-client encryption algorithm is aes128.
• Preferred client-to-server HMAC algorithm is sha1.
• Preferred server-to-client HMAC algorithm is sha1-96.
number. This option is used only when the server uses a link-local address, and the specified outgoing interface on the client must have a link-local address.
get: Downloads the file.
put: Uploads the file.
source-file-name: Specifies the directory of the source file.
destination-file-name: Specifies the directory of the target file. If this argument is not specified, the directory names of the source and target files are the same.

interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IPv6 address used to send packets.
ipv6 ipv6-address: Specifies a source IPv6 address.
Usage guidelines
When the client's authentication method is publickey, the client must get the local private key for digital signature.
Parameters
server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.
port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.
identity-key: Specifies the public key algorithm for the client, either dsa or rsa. The default is dsa.

faults, use the specified loopback interface as the source interface, and either IP address of the two interfaces as the source IP address.
interface interface-type interface-number: Specifies a source interface by its type and number. The primary IPv4 address of this interface is the source IP address used to send packets.
ip ip-address: Specifies a source IPv4 address.

Usage guidelines
The SFTP client uses the specified source IPv6 address to communicate with the server.
If you execute the sftp client ipv6 source command multiple times, the most recent configuration takes effect.
If you use the sftp ipv6 command to connect to an SFTP server and specify another source IPv6 address, the SFTP client uses the new source IPv6 address for the current connection instead of that specified by the sftp client ipv6 source command.
If you use the sftp command to connect to an SFTP server and specify another source IP address, the SFTP client uses the new source IP address for the current connection instead of that specified by the sftp client source command. The source address specified by the sftp client source command applies to all SFTP connections, but the source address specified by the sftp command applies only to the current connection.
Examples
# Specify the source IP address for the SFTP client as 192.168.0.1.
interface-number specifies the outgoing interface by its type and number. This option is used when the server uses a link-local address to provide the SFTP service for the client.
identity-key: Specifies the public key algorithm for the client, either dsa or rsa. The default is dsa. If the server uses publickey authentication, this keyword must be specified.
• dsa: Specifies the public key algorithm dsa.
• rsa: Specifies the public key algorithm rsa.

Usage guidelines
When the server adopts publickey authentication to authenticate a client, the client must get the local private key for digital signature. Because publickey authentication uses either the RSA or DSA algorithm, you must specify a public key algorithm (by using the identity-key keyword) in order to get the correct data for the local private key.
Examples
# Connect an SFTP client to the IPv6 SFTP server 2000::1 and specify the public key of the server as svkey.
If you use the ssh2 ipv6 command to connect to a Stelnet server and specify another source IPv6 address, the Stelnet client uses the new source IPv6 address for the current connection instead of that specified by the ssh client ipv6 source command. The source address specified by the ssh client ipv6 source command applies to all Stelnet connections, and the source address specified by the ssh2 ipv6 command applies only to the current connection.
Examples # Specify the source IPv4 address for the Stelnet client as 192.168.0.1. system-view [Sysname] ssh client source ip 192.168.0.1 Related commands display ssh client source ssh2 Use ssh2 to establish a connection to an IPv4 Stelnet server.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. Algorithms des, 3des, aes128, and aes256 are arranged in ascending order in the aspects of security strength and calculation time. • 3des: Specifies the encryption algorithm 3des-cbc. • aes128: Specifies the encryption algorithm aes128-cbc. • aes256: Specifies the encryption algorithm aes256-cbc. • des: Specifies the encryption algorithm des-cbc.
• Preferred server-to-client encryption algorithm is aes128. • Preferred client-to-server HMAC algorithm is sha1. • Preferred server-to-client HMAC algorithm is sha1-96. • Preferred compression algorithm between the server and client is zlib. ssh2 3.3.3.3 prefer-kex dh-group14 prefer-stoc-cipher aes128 prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib publickey svkey ssh2 ipv6 Use ssh2 ipv6 to establish a connection to an IPv6 Stelnet server.
• rsa: Specifies the public key algorithm rsa. prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported. zlib: Specifies the compression algorithm zlib. prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. Algorithms des, 3des, aes128, and aes256 are arranged in ascending order in the aspects of security strength and calculation time.
Examples # Establish a connection to the IPv6 Stelnet server 2000::1 and specify the public key of the server as svkey. The SSH client uses publickey authentication. Use the following algorithms: • Preferred key exchange algorithm is dh-group14. • Preferred server-to-client encryption algorithm is aes128. • Preferred client-to-server HMAC algorithm is sha1. • Preferred server-to-client HMAC algorithm is sha1-96. • Preferred compression algorithm between the server and client is zlib.
IP source guard commands The IP source guard function is available on Layer 2 and Layer 3 Ethernet interfaces and VLAN interfaces. The term "interface" in this chapter collectively refers to these types of interfaces. You can use the port link-mode command to configure an Ethernet port as a Layer 2 or Layer 3 interface (see Layer 2—LAN Switching Configuration Guide). display ip source binding Use display ip source binding to display IPv4 source guard binding entries.
vlan vlan-id: Display IPv4 source guard binding entries for a VLAN. The vlan-id argument represents the bound VLAN ID, in the range of 1 to 4094. interface interface-type interface-number: Displays IPv4 source guard binding entries on an interface. The interface-type interface-number argument is the interface type and the interface number. slot slot-number: Displays IPv4 source guard binding entries on a card. The slot-number argument is the number of the slot that holds the card. (In standalone mode.
Field Description Type of the IPv4 source guard binding entry: Type • • • • Static—Manually configured entry. DHCP relay—Entry dynamically created by DHCP relay. DHCP server—Entry dynamically created by DHCP server. DHCP snooping—Entry dynamically created by DHCP snooping. Related commands • ip source binding • ip verify source display ipv6 source binding static Use display ipv6 source binding static to display static IPv6 source guard binding entries.
chassis chassis-number slot slot-number: Displays static IPv6 source guard binding entries of a card on an IRF member device. The chassis-number argument refers to the ID of the IRF member device and the slot-number argument refers to the number of the slot that holds the card. (In IRF mode.) Usage guidelines In standalone mode, if you specify neither an interface nor a card, the command displays static IPv6 source guard binding entries that the MPU obtained from all interfaces.
undo ip source binding { all | ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ] Default No static IPv4 source guard binding entry exists on an interface. Views Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, VLAN interface view Predefined user roles network-admin mdc-admin Parameters all: Specifies all the static IPv4 source guard binding entries on the interface.
ip source binding (system view) Use ip source binding to configure a global static IPv4 source guard binding entry. Use undo ip source binding to delete one or all global static IPv4 source guard binding entries. Syntax ip source binding ip-address ip-address mac-address mac-address undo ip source binding { all | ip-address ip-address mac-address mac-address } Default No global static IPv4 source guard binding entry exists.
undo ip verify source Default The IPv4 source guard function is disabled on an interface. Views Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, VLAN interface view Predefined user roles network-admin mdc-admin Parameters ip-address: Filters packets by source IPv4 addresses. With this keyword specified, the IP source guard function on the interface filters a received packet by using source IP addresses of the IPv4 source guard binding entries.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] ip verify source ip-address mac-address
# Enable IPv4 source guard on VLAN-interface 100 to filter packets received on the interface by using the source IPv4 and MAC addresses of IPv4 source guard binding entries.
ip-address ipv6-address: Specifies an IPv6 address for the static IPv6 source guard binding entry. The IPv6 address cannot be an all-zero address, a multicast address, or a loopback address.
mac-address mac-address: Specifies a MAC address for the static IPv6 source guard binding entry. The MAC address must be in H-H-H format, and cannot be all 0s, all Fs (a broadcast address), or a multicast address.
vlan vlan-id: Specifies a VLAN ID for the static IPv6 source guard binding entry.
mac-address mac-address: Specifies the MAC address for the global static IPv6 source guard binding entry. The MAC address is in H-H-H format, and cannot be all 0s, all Fs (a broadcast MAC address), or a multicast MAC address.
all: Specifies all global static IPv6 source guard binding entries.
Usage guidelines
A global static IPv6 source guard binding entry takes effect on all interfaces. The maximum number of global static IPv6 source guard binding entries that can be configured depends on your device model.
mac-address: Filters packets by source MAC addresses. With this keyword specified, the IP source guard function on the interface filters a received packet by using source MAC addresses of the IPv6 source guard binding entries. If a match is found, the interface forwards the packet. Otherwise, the interface discards the packet.
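The binding and verify commands above describe a lookup: a packet received on an interface with source guard enabled is forwarded only if some binding entry visible on that interface matches the checked fields (source IP, source MAC, or both), and a VLAN-specific entry matches only packets in that VLAN. The following Python model is an added example, not HP code, that implements that lookup for IPv4 and applies the address rules the page gives (MAC in H-H-H format, no all-zero, broadcast or multicast MAC; the all-zero, multicast and loopback IP rule is stated on the page for IPv6 entries and is assumed here to apply to IPv4 entries too). Interface names and the sample bindings are constructed for the example.

```python
"""Model of how an interface with IPv4 source guard enabled filters packets
against static binding entries (interface-specific and global).
Added example; this is not device code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set


def normalize_mac(mac: str) -> str:
    """Return the MAC in H-H-H form (e.g. 0001-0002-0003), accepting the colon
    form as well. Rejects what the binding commands refuse: all 0s, all Fs
    (broadcast) and multicast (I/G bit of the first octet set)."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac}")
    if digits in ("0" * 12, "f" * 12):
        raise ValueError(f"all-zero or broadcast MAC not allowed: {mac}")
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"multicast MAC not allowed: {mac}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def check_ipv4(ip: str) -> str:
    """Reject all-zero, multicast and loopback addresses (assumption: the rule
    the page states for IPv6 entries also applies to IPv4 entries)."""
    addr = ipaddress.IPv4Address(ip)
    if addr == ipaddress.IPv4Address("0.0.0.0") or addr.is_multicast or addr.is_loopback:
        raise ValueError(f"IP address not allowed in a binding entry: {ip}")
    return str(addr)


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: Optional[int] = None        # None: entry is not VLAN-specific
    interface: Optional[str] = None   # None: global entry configured in system view


@dataclass(frozen=True)
class Packet:
    interface: str
    vlan: int
    src_ip: str
    src_mac: str


class SourceGuard:
    def __init__(self) -> None:
        self.bindings: List[Binding] = []
        self.checks: Dict[str, Set[str]] = {}   # interface -> subset of {"ip", "mac"}

    def ip_source_binding(self, ip: str, mac: str, vlan: Optional[int] = None,
                          interface: Optional[str] = None) -> None:
        """Models 'ip source binding' in interface view (interface given) or in
        system view (interface=None: the entry takes effect on all interfaces)."""
        self.bindings.append(Binding(check_ipv4(ip), normalize_mac(mac), vlan, interface))

    def ip_verify_source(self, interface: str, *, ip_address: bool = False,
                         mac_address: bool = False) -> None:
        """Models 'ip verify source { ip-address | mac-address | ip-address mac-address }'."""
        keys = {k for k, on in (("ip", ip_address), ("mac", mac_address)) if on}
        if not keys:
            raise ValueError("specify ip-address, mac-address or both")
        self.checks[interface] = keys

    def _candidates(self, pkt: Packet) -> Iterator[Binding]:
        for b in self.bindings:
            if b.interface in (None, pkt.interface) and b.vlan in (None, pkt.vlan):
                yield b

    def permit(self, pkt: Packet) -> bool:
        """True if the interface forwards the packet, False if it discards it."""
        keys = self.checks.get(pkt.interface)
        if keys is None:
            return True            # source guard not enabled on this interface
        try:
            mac = normalize_mac(pkt.src_mac)
        except ValueError:
            return False           # broadcast/multicast source MAC can never match an entry
        src_ip = str(ipaddress.IPv4Address(pkt.src_ip))
        for b in self._candidates(pkt):
            if "ip" in keys and b.ip != src_ip:
                continue
            if "mac" in keys and b.mac != mac:
                continue
            return True
        return False


if __name__ == "__main__":
    sg = SourceGuard()
    sg.ip_source_binding("10.1.1.2", "0001-0002-0003", vlan=100, interface="XGE1/0/1")
    sg.ip_source_binding("10.1.1.9", "00:0a:0b:0c:0d:0e")            # global entry
    sg.ip_verify_source("XGE1/0/1", ip_address=True, mac_address=True)
    print(sg.permit(Packet("XGE1/0/1", 100, "10.1.1.2", "0001-0002-0003")))   # True
    print(sg.permit(Packet("XGE1/0/1", 100, "10.1.1.2", "0001-0002-0004")))   # False
```

The model makes two points that are easy to miss when reading the command syntax: an interface with no ip verify source configured filters nothing, however many bindings exist, and an interface-view entry never helps a packet arriving on a different interface, while a system-view entry does.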
ARP attack protection commands
The ARP attack protection feature is available on Layer 2 and Layer 3 Ethernet interfaces and VLAN interfaces. The term "interface" in this chapter collectively refers to these types of interfaces. You can use the port link-mode command to configure an Ethernet port as a Layer 2 or Layer 3 interface (see Layer 2—LAN Switching Configuration Guide).
arp source-suppression enable
Use arp source-suppression enable to enable the ARP source suppression function.
Use undo arp source-suppression enable to restore the default.
Syntax
arp source-suppression enable
undo arp source-suppression enable
Default
The ARP source suppression function is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Configure this feature on the gateways.
Examples
# Enable the ARP source suppression function.
Parameters
limit-value: Sets the maximum number of unresolvable packets that can be processed in 5 seconds. The value range is 2 to 1024.
Usage guidelines
If the number of unresolvable packets from a host within 5 seconds exceeds the configured threshold, the device stops processing packets from that host until the 5 seconds elapse.
Examples
# Set the maximum number of unresolvable packets that can be received from a host in 5 seconds to 100.
ARP packet rate limit commands
arp rate-limit
Use arp rate-limit to enable ARP packet rate limit on an interface and set the rate limit. Packets exceeding the limit are discarded.
Use undo arp rate-limit pps to restore the default rate limit.
Use undo arp rate-limit to disable the ARP packet rate limit function.
Syntax
arp rate-limit [ pps ]
undo arp rate-limit [ pps ]
Default
The ARP packet rate limit function is enabled, and the rate limit is 100 pps.
Predefined user roles
network-admin
mdc-admin
Examples
# Enable logging for ARP packet rate limit.
<Sysname> system-view
[Sysname] arp rate-limit log enable
arp rate-limit log interval
Use arp rate-limit log interval to set the interval at which notifications and log messages are sent when the receiving rate of ARP packets on an interface exceeds the rate limit.
Use undo arp rate-limit log interval to restore the default.
snmp-agent trap enable arp
Use snmp-agent trap enable arp to enable sending notifications for ARP.
Use undo snmp-agent trap enable arp to disable sending notifications for ARP.
Syntax
snmp-agent trap enable arp [ rate-limit ]
undo snmp-agent trap enable arp [ rate-limit ]
Default
Notification sending for ARP is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
rate-limit: Specifies the ARP rate limit feature.
Default
The source MAC-based ARP attack detection function is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
filter: Generates log messages and discards subsequent ARP packets from the MAC address.
monitor: Only generates log messages.
Usage guidelines
Configure this feature on the gateways. This function checks the number of ARP packets received from the same source MAC address within 5 seconds against a configured threshold.
Examples
# Set the aging time for ARP attack entries to 60 seconds.
<Sysname> system-view
[Sysname] arp source-mac aging-time 60
arp source-mac exclude-mac
Use arp source-mac exclude-mac to exclude specified MAC addresses from source MAC-based ARP attack detection.
Use undo arp source-mac exclude-mac to remove the excluded MAC addresses.
Default
The default threshold for source MAC-based ARP attack detection is 30.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
threshold-value: Specifies the threshold for source MAC-based ARP attack detection. The value range is 1 to 5000.
Examples
# Configure the threshold for source MAC-based ARP attack detection as 30.
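The source MAC-based detection commands above (filter and monitor modes, the attack-entry aging time, the exclude-mac list, and the threshold with its 1 to 5000 range) together define one detection loop. The following Python model is an added example, not HP code, that runs that loop over a constructed packet stream so the interaction of the settings is visible: the count is kept per source MAC over a 5-second window (assumed here to be a fixed window starting at the first counted packet), an attack entry is created when the count exceeds the threshold, filter mode drops the MAC's later packets while monitor mode only logs, and the entry disappears when its aging time expires. The 300-second aging default and the MAC addresses are assumptions of the example.

```python
"""Model of source MAC-based ARP attack detection. Added example; not device code.
Assumptions: a fixed 5-second counting window per MAC that starts at the first
counted packet, and an aging-time default of 300 seconds."""
from typing import Dict, Iterable, List, Tuple

WINDOW = 5.0   # seconds, per the command description


class SourceMacArpDetection:
    def __init__(self, mode: str = "filter", threshold: int = 30,
                 aging_time: float = 300.0, exclude: Iterable[str] = ()) -> None:
        if mode not in ("filter", "monitor"):
            raise ValueError("mode must be 'filter' or 'monitor'")
        if not 1 <= threshold <= 5000:
            raise ValueError("threshold must be in the range 1 to 5000")
        self.mode = mode
        self.threshold = threshold
        self.aging_time = aging_time
        self.exclude = {m.lower() for m in exclude}          # arp source-mac exclude-mac
        self.window: Dict[str, Tuple[float, int]] = {}       # mac -> (window start, count)
        self.attack_entries: Dict[str, float] = {}           # mac -> expiry timestamp
        self.logs: List[str] = []

    def _age(self, now: float) -> None:
        """Remove attack entries whose aging time has elapsed."""
        for mac in [m for m, expiry in self.attack_entries.items() if expiry <= now]:
            del self.attack_entries[mac]
            self.logs.append(f"{now:.1f} attack entry for {mac} aged out")

    def process(self, now: float, src_mac: str) -> str:
        """Return 'forward' or 'drop' for one ARP packet received at time now."""
        mac = src_mac.lower()
        self._age(now)
        if mac in self.exclude:
            return "forward"                                  # never counted, never filtered
        if mac in self.attack_entries:
            return "drop" if self.mode == "filter" else "forward"
        start, count = self.window.get(mac, (now, 0))
        if now - start >= WINDOW:
            start, count = now, 0                             # start a new 5-second window
        count += 1
        self.window[mac] = (start, count)
        if count > self.threshold:
            self.attack_entries[mac] = now + self.aging_time
            del self.window[mac]
            self.logs.append(f"{now:.1f} ARP attack from {mac}: {count} packets in 5 s "
                             f"exceeds threshold {self.threshold} ({self.mode})")
            return "drop" if self.mode == "filter" else "forward"
        return "forward"


def run(det: SourceMacArpDetection, packets: Iterable[Tuple[float, str]]) -> List[str]:
    """Apply the detector to (timestamp, source MAC) pairs; returns one action per packet."""
    return [det.process(t, m) for t, m in packets]


if __name__ == "__main__":
    det = SourceMacArpDetection(mode="filter", threshold=30, aging_time=60)
    flood = [(i * 0.1, "0001-0002-0003") for i in range(31)]   # constructed: 31 ARPs in 3 s
    print(run(det, flood).count("drop"))                         # 1
    print(det.logs[0])
```

Two practical consequences fall out of the model: with a gateway that legitimately sees many ARP packets from one MAC (a DHCP relay, a neighbouring router), the exclude-mac list is what keeps the detector from blocking it, and in monitor mode the only effect of a detection is the log entry, so monitor is the mode to run first when tuning the threshold.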
Usage guidelines
On a centralized device, if you do not specify any interface, the display arp source-mac command displays the ARP attack entries detected on all interfaces.
Examples
# Display the ARP attack entries detected by source MAC-based ARP attack detection for the card in slot 1.
ARP active acknowledgement commands
arp active-ack enable
Use arp active-ack enable to enable the ARP active acknowledgement function.
Use undo arp active-ack enable to restore the default.
Syntax
arp active-ack [ strict ] enable
undo arp active-ack [ strict ] enable
Default
The ARP active acknowledgement function is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
strict: Enables strict mode for ARP active acknowledgement.
Views
Layer 3 Ethernet interface view
Predefined user roles
network-admin
mdc-admin
Examples
# Enable authorized ARP on Ten-GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] arp authorized enable
ARP detection commands
arp detection enable
Use arp detection enable to enable ARP detection.
Use undo arp detection enable to restore the default.
undo arp detection trust
Default
An interface is an ARP untrusted interface.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
mdc-admin
Examples
# Configure Ten-GigabitEthernet 1/0/1 as an ARP trusted interface.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] arp detection trust
arp detection validate
Use arp detection validate to enable ARP packet validity check.
Examples
# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.
<Sysname> system-view
[Sysname] arp detection validate dst-mac src-mac ip
arp restricted-forwarding enable
Use arp restricted-forwarding enable to enable ARP restricted forwarding.
Use undo arp restricted-forwarding enable to disable ARP restricted forwarding.
Syntax
arp restricted-forwarding enable
undo arp restricted-forwarding enable
Default
ARP restricted forwarding is disabled.
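The arp detection validate example above enables three independent checks on each ARP packet, and the parameter descriptions that define them are not in this excerpt. The following Python program is an added example, not HP code, that parses Ethernet II/ARP frames and applies the checks as this model assumes them: src-mac compares the sender MAC in the ARP body with the Ethernet source MAC; dst-mac applies to ARP replies and rejects a target MAC that is all-zero, all-F, or different from the Ethernet destination MAC; ip rejects an all-zero, all-one or multicast sender IP in any ARP packet and the same kinds of target IP in a reply. The frames are constructed inline for the example.

```python
"""Parse Ethernet/ARP frames and apply the three validity checks of
'arp detection validate { dst-mac | src-mac | ip }'. Added example; not device
code, and the check rules are this model's assumptions (see the lead-in)."""
import ipaddress
import struct
from typing import Dict, List, Set

ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = b"\x08\x06"


def build_arp_frame(dst_mac: str, src_mac: str, op: int,
                    sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Constructed test frame: Ethernet II header + ARP for IPv4 over Ethernet.
    MACs are 12 hex digits, IP addresses dotted decimal."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)       # htype, ptype, hlen, plen, op
    arp += bytes.fromhex(sha) + ipaddress.IPv4Address(spa).packed
    arp += bytes.fromhex(tha) + ipaddress.IPv4Address(tpa).packed
    return eth + arp


def parse_arp(frame: bytes) -> Dict[str, object]:
    """Split a frame into the Ethernet and ARP fields the checks need."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        raise ValueError("not an Ethernet II ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol encoding")
    return {
        "dst_mac": frame[0:6], "src_mac": frame[6:12], "op": op,
        "sha": frame[22:28], "spa": ipaddress.IPv4Address(frame[28:32]),
        "tha": frame[32:38], "tpa": ipaddress.IPv4Address(frame[38:42]),
    }


def _invalid_ip(addr: ipaddress.IPv4Address) -> bool:
    return addr in (ipaddress.IPv4Address("0.0.0.0"),
                    ipaddress.IPv4Address("255.255.255.255")) or addr.is_multicast


def validate_arp(frame: bytes, checks: Set[str]) -> List[str]:
    """Return the reasons the frame fails the enabled checks; [] means valid.
    checks is a subset of {"dst-mac", "src-mac", "ip"}."""
    p = parse_arp(frame)
    reasons: List[str] = []
    if "src-mac" in checks and p["sha"] != p["src_mac"]:
        reasons.append("src-mac: sender MAC in ARP body differs from Ethernet source MAC")
    if "dst-mac" in checks and p["op"] == ARP_REPLY:
        tha = p["tha"]
        if tha in (b"\x00" * 6, b"\xff" * 6) or tha != p["dst_mac"]:
            reasons.append("dst-mac: target MAC of reply is zero, broadcast, "
                           "or differs from Ethernet destination MAC")
    if "ip" in checks:
        if _invalid_ip(p["spa"]):
            reasons.append(f"ip: sender IP {p['spa']} is all-zero, all-one or multicast")
        if p["op"] == ARP_REPLY and _invalid_ip(p["tpa"]):
            reasons.append(f"ip: target IP {p['tpa']} of reply is all-zero, all-one or multicast")
    return reasons


if __name__ == "__main__":
    # Constructed reply whose ARP body claims a different sender MAC than the frame.
    spoof = build_arp_frame("00aabbccddee", "000100020003", ARP_REPLY,
                            "00deadbeef01", "10.1.1.1", "00aabbccddee", "10.1.1.2")
    print(validate_arp(spoof, {"dst-mac", "src-mac", "ip"}))
```

One caveat the model makes concrete: a host performing address-conflict detection sends ARP probes with a sender IP of 0.0.0.0, and under the ip rule as modelled here those probes are discarded. Confirm the device's actual behaviour for such probes before enabling the ip check on VLANs where clients rely on it.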
<Sysname> display arp detection
ARP detection is enabled in the following VLANs:
1-2, 4-5
Related commands
arp detection enable
display arp detection statistics
Use display arp detection statistics to display ARP detection statistics.
XGE1/1/0/13(U)    0    0    0    0
XGE1/1/0/14(U)    0    0    0    0
XGE1/1/0/15(U)    0    0    0    0
XGE1/1/0/16(U)    0    0    0    0
XGE1/1/0/17(U)    0    0    0    0
XGE1/1/0/18(U)    0    0    0    0
XGE1/1/0/19(U)    0    0    0    0
XGE1/1/0/20(U)    0    0    0    0
---- More ----
Table 39 Command output
Interface(State): Inbound interface of ARP packets. State specifies the port state, trusted or untrusted:
• U—ARP untrusted interface.
• T—ARP trusted interface.
ARP automatic scanning and fixed ARP commands
arp fixup
Use arp fixup to change the existing dynamic ARP entries into static ARP entries. You can use this command again to change the dynamic ARP entries learned later into static entries.
Syntax
arp fixup
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The static ARP entries changed from dynamic ARP entries have the same attributes as manually configured static ARP entries.
mdc-admin
Parameters
start-ip-address: Specifies the start IP address of the scanning range.
end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.
Usage guidelines
If the start and end IP addresses are specified, the device scans the neighbor IP addresses in the specified address range to learn ARP entries.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address: Specifies the IP address of a protected gateway.
Usage guidelines
You can enable ARP gateway protection for up to eight gateways on an interface.
You cannot configure both the arp filter source and arp filter binding commands on the same interface.
Examples
# Enable ARP gateway protection for the gateway with IP address 1.1.1.1.
You cannot configure both the arp filter source and arp filter binding commands on the same interface.
Examples
# Configure an ARP permitted entry.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] arp filter binding 1.1.1.
uRPF commands
display ip urpf
Use display ip urpf to display the uRPF configuration.
Syntax
In standalone mode:
display ip urpf [ slot slot-number ]
In IRF mode:
display ip urpf [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
slot slot-number: Specifies a card by slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device.
ip urpf
Use ip urpf to enable uRPF.
Use undo ip urpf to disable uRPF.
Syntax
ip urpf { loose | strict }
undo ip urpf
Default
uRPF is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
loose: Enables loose uRPF check. To pass the loose uRPF check, the source address of a packet must match the destination address of a FIB entry.
strict: Enables strict uRPF check.
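The loose parameter above states the check in terms of a FIB lookup on the packet's source address; the strict check additionally requires that the matching FIB entry point back out the interface the packet arrived on. The following Python model is an added example, not HP code, that runs both checks against a small longest-prefix-match FIB so the difference is visible on the same packets. The routes and interface names are constructed, and the model assumes that a source address matched only by the default route fails both checks (the command syntax on this page offers no option to allow the default route).

```python
"""uRPF loose and strict checks against a small FIB. Added example; not device
code. Assumption: a source address reachable only through the default route
does not pass the check."""
import ipaddress
from typing import List, Optional, Set, Tuple

Net = ipaddress.IPv4Network
Route = Tuple[Net, Set[str]]   # prefix and the interfaces it is reachable through


class Fib:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, *interfaces: str) -> None:
        self.routes.append((Net(prefix), set(interfaces)))

    def lookup(self, addr: str, allow_default: bool = False) -> Optional[Route]:
        """Longest-prefix match; the default route counts only if allow_default."""
        ip = ipaddress.IPv4Address(addr)
        best: Optional[Route] = None
        for net, ifaces in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifaces)
        if best is not None and best[0].prefixlen == 0 and not allow_default:
            return None
        return best


def urpf_check(fib: Fib, mode: str, src_ip: str, in_interface: str) -> bool:
    """True if the packet passes uRPF (forwarded), False if it is dropped.
    loose: the source address must match some FIB entry as a destination.
    strict: that entry must also point out the interface the packet came in on,
    so legitimate traffic on an asymmetric path fails the strict check."""
    if mode not in ("loose", "strict"):
        raise ValueError("mode must be 'loose' or 'strict'")
    entry = fib.lookup(src_ip)
    if entry is None:
        return False
    if mode == "loose":
        return True
    return in_interface in entry[1]


if __name__ == "__main__":
    fib = Fib()
    fib.add("10.1.0.0/16", "XGE1/0/1")
    fib.add("192.168.1.0/24", "XGE1/0/2")
    fib.add("0.0.0.0/0", "XGE1/0/3")
    # Same spoof-looking packet, two verdicts: loose passes, strict drops.
    print(urpf_check(fib, "loose", "10.1.2.3", "XGE1/0/2"))    # True
    print(urpf_check(fib, "strict", "10.1.2.3", "XGE1/0/2"))   # False
```

The second verdict is the reason strict mode is normally reserved for edge interfaces with a single path to the source networks; on an interface that receives traffic whose return route points elsewhere (asymmetric routing, redundant uplinks), loose mode still blocks unroutable source addresses without dropping that traffic.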
Crypto engine commands
crypto-engine accelerator disable
Use crypto-engine accelerator disable to disable hardware crypto engines.
Use undo crypto-engine accelerator disable to enable hardware crypto engines.
Syntax
crypto-engine accelerator disable
undo crypto-engine accelerator disable
Default
Hardware crypto engines are enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Crypto engines include hardware crypto engines and software crypto engines.
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Usage guidelines
If the device does not have hardware crypto engines, this command displays information about only software crypto engines.
Examples
# Display information about crypto engines.
Crypto engine name: Software crypto engine
Crypto engine state: Enabled
Crypto engine type: Software
Chassis ID: 1
Slot ID: 17
Crypto engine ID: 0
Symmetric algorithms: des-cbc des-ecb 3des-ecb aes-ecb sha1 sha2-256 sha1-hmac sha2-256-hmac
Asymmetric algorithms:
Random number generation function: Supported
Table 41 Command output
Crypto engine name: Name of the crypto engine:
• cavium crypto driver.
• Software crypto engine.
Crypto engine state: State of a hardware crypto engine:
• Enabled.
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
engine-id engine-id: Specifies a crypto engine by its ID in the range of 0 to 4294967295. If you do not specify a crypto engine, this command displays statistics for all crypto engines.
slot slot-number: Specifies a card by its slot number. If no card is specified, this command displays statistics for the crypto engines on all cards. (In standalone mode.)
Failed sessions: 0
Symmetric operations: 0
Symmetric errors: 0
Asymmetric operations: 0
Asymmetric errors: 0
Get-random operations: 0
Get-random errors: 0
Table 42 Command output
Submitted sessions: Number of established sessions.
Failed sessions: Number of failed sessions.
Symmetric operations: Number of operations using symmetric algorithms.
Symmetric errors: Number of failed operations using symmetric algorithms.
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument specifies the IRF member device ID, and the slot-number argument specifies the number of the slot where the card resides. If this option is not specified, the command clears statistics for the crypto engines on all cards in the IRF fabric. (In IRF mode.)
Examples
# Clear statistics for all crypto engines.
FIPS commands
display fips status
Use display fips status to display the current FIPS mode state.
Syntax
display fips status
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display the current FIPS mode state.
<Sysname> display fips status
FIPS mode is enabled.
Related commands
fips mode enable
fips mode enable
Use fips mode enable to enable FIPS mode.
Use undo fips mode enable to disable FIPS mode.
Usage guidelines
After you enable FIPS mode and reboot the device, the device operates in FIPS mode. A FIPS device has strict security requirements, and performs self-tests on its cryptography modules to verify that they are operating correctly.
After you execute the fips mode enable command, the system provides the following methods to enter FIPS mode:
• Automatic reboot. Select the automatic reboot method. The system automatically performs the following tasks:
a.
This method requires that you manually complete the configurations for entering non-FIPS mode, and then reboot the device. After the device reboots, you must enter user information according to the authentication mode to log in to the device.
Examples
# Enable FIPS mode, and choose the automatic reboot method to enter FIPS mode.
<Sysname> system-view
[Sysname] fips mode enable
FIPS mode change requires a device reboot.
Predefined user roles
network-admin
mdc-admin
Usage guidelines
To examine whether the cryptography modules operate correctly, use this command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. The self-test succeeds only if all cryptographic algorithms pass. If the self-test fails, the card on which the self-test process runs reboots.
Examples
# Trigger a self-test on the cryptographic algorithms.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website:
http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.
Index
A
aaa session-limit, 1
access-limit, 22
accounting command, 2
accounting default, 2
accounting lan-access, 4
accounting login, 5
accounting-on enable, 35
ah authentication-algorithm, 176
arp active-ack enable, 312
arp authorized enable, 312
arp detection en
authorization default, 13
authorization lan-access, 14
authorization login, 15
authorization-attribute (ISP domain view), 17
authorization-attribute (local user view/user group view), 23
B
bind-attribute, 24
bye, 263
C
cd, 264
display ipsec transform-set, 185
display ipsec tunnel, 187
display ipv6 source binding static, 293
display ldap scheme, 84
display local-user, 26
display mac-authentication, 110
display password-control, 138
display password-control blacklist, 139
display port-security, 119
display port-security mac-address block, 121
display port-security mac-address security, 124
display public-key local
fips mode enable, 330
fips self-test, 332
G
get, 268
group, 29
H
help, 269
hwtacacs nas-ip, 65
hwtacacs scheme, 66
I
K
key (HWTACACS scheme view), 67
key (RADIUS scheme view), 40
keychain, 238
L
ldap scheme, 87
ldap server, 88
local-address, 203
local-identity, 239
local-user, 30
password-control super composition, 154
password-control super length, 155
password-control update-interval, 155
peer-public-key end, 163
pfs, 204
port-security authorization ignore, 125
port-security enable, 126
port-security intrusion-mode, 127
port-security mac-address security, 128
port-security mac-move permit, 130
port-security max-mac-cou
rename, 273
reset arp detection statistics, 317
reset crypto-engine statistics, 328
reset dot1x statistics, 108
reset hwtacacs statistics, 73
reset ike sa, 247
reset ike statistics, 248
reset ipsec sa, 208
reset ipsec statistics, 209
reset mac-authenticat
sftp server enable, 253
sftp server idle-timeout, 254
snmp-agent trap enable arp, 307
snmp-agent trap enable ike, 249
snmp-agent trap enable ipsec, 217
snmp-agent trap enable radius, 55
ssh client ipv6 source, 284
ssh client source, 285
ssh server acl, 255