R211x-HP Flexfabric 11900 Security Command Reference
Table Of Contents
- Title Page
- Contents
- AAA commands
- General AAA commands
- aaa session-limit
- accounting command
- accounting default
- accounting lan-access
- accounting login
- authentication default
- authentication lan-access
- authentication login
- authentication super
- authorization command
- authorization default
- authorization lan-access
- authorization login
- authorization-attribute (ISP domain view)
- display domain
- domain
- domain default enable
- state (ISP domain view)
- Local user commands
- RADIUS commands
- accounting-on enable
- data-flow-format (RADIUS scheme view)
- display radius scheme
- display radius statistics
- key (RADIUS scheme view)
- nas-ip (RADIUS scheme view)
- primary accounting (RADIUS scheme view)
- primary authentication (RADIUS scheme view)
- radius nas-ip
- radius session-control enable
- radius scheme
- reset radius statistics
- retry
- retry realtime-accounting
- secondary accounting (RADIUS scheme view)
- secondary authentication (RADIUS scheme view)
- security-policy-server
- snmp-agent trap enable radius
- state primary
- state secondary
- timer quiet (RADIUS scheme view)
- timer realtime-accounting (RADIUS scheme view)
- timer response-timeout (RADIUS scheme view)
- user-name-format (RADIUS scheme view)
- vpn-instance (RADIUS scheme view)
- HWTACACS commands
- data-flow-format (HWTACACS scheme view)
- display hwtacacs scheme
- hwtacacs nas-ip
- hwtacacs scheme
- key (HWTACACS scheme view)
- nas-ip (HWTACACS scheme view)
- primary accounting (HWTACACS scheme view)
- primary authentication (HWTACACS scheme view)
- primary authorization
- reset hwtacacs statistics
- secondary accounting (HWTACACS scheme view)
- secondary authentication (HWTACACS scheme view)
- secondary authorization
- timer quiet (HWTACACS scheme view)
- timer realtime-accounting (HWTACACS scheme view)
- timer response-timeout (HWTACACS scheme view)
- user-name-format (HWTACACS scheme view)
- vpn-instance (HWTACACS scheme view)
- LDAP commands
- General AAA commands
- 802.1X commands
- MAC authentication commands
- Port security commands
- display port-security
- display port-security mac-address block
- display port-security mac-address security
- port-security authorization ignore
- port-security enable
- port-security intrusion-mode
- port-security mac-address security
- port-security mac-move permit
- port-security max-mac-count
- port-security ntk-mode
- port-security oui
- port-security port-mode
- port-security timer autolearn aging
- port-security timer disableport
- Password control commands
- display password-control
- display password-control blacklist
- password-control { aging | composition | history | length } enable
- password-control aging
- password-control alert-before-expire
- password-control complexity
- password-control composition
- password-control enable
- password-control expired-user-login
- password-control history
- password-control length
- password-control login idle-time
- password-control login-attempt
- password-control super aging
- password-control super composition
- password-control super length
- password-control update-interval
- reset password-control blacklist
- reset password-control history-record
- Public key management commands
- IPsec commands
- ah authentication-algorithm
- description
- display ipsec { ipv6-policy | policy }
- display ipsec sa
- display ipsec statistics
- display ipsec transform-set
- display ipsec tunnel
- encapsulation-mode
- esp authentication-algorithm
- esp encryption-algorithm
- ike-profile
- ipsec anti-replay check
- ipsec anti-replay window
- ipsec apply
- ipsec decrypt-check enable
- ipsec logging packet enable
- ipsec df-bit
- ipsec global-df-bit
- ipsec { ipv6-policy | policy }
- ipsec { ipv6-policy | policy } local-address
- ipsec sa global-duration
- ipsec sa idle-time
- ipsec transform-set
- local-address
- pfs
- protocol
- qos pre-classify
- remote-address
- reset ipsec sa
- reset ipsec statistics
- sa duration
- sa hex-key authentication
- sa hex-key encryption
- sa idle-time
- sa spi
- sa string-key
- security acl
- snmp-agent trap enable ipsec
- transform-set
- IKE commands
- authentication-algorithm
- authentication-method
- dh
- display ike proposal
- display ike sa
- dpd
- encryption-algorithm
- exchange-mode
- ike dpd
- ike identity
- ike invalid-spi-recovery enable
- ike keepalive interval
- ike keepalive timeout
- ike keychain
- ike limit
- ike nat-keepalive
- ike profile
- ike proposal
- inside-vpn
- keychain
- local-identity
- match local address (IKE keychain view)
- match local address (IKE profile view)
- match remote
- pre-shared-key
- priority (IKE keychain view)
- priority (IKE profile view)
- proposal
- reset ike sa
- reset ike statistics
- sa duration
- snmp-agent trap enable ike
- SSH commands
- SSH server commands
- display ssh server
- display ssh user-information
- sftp server enable
- sftp server idle-timeout
- ssh server acl
- ssh server authentication-retries
- ssh server authentication-timeout
- ssh server compatible-ssh1x enable
- ssh server dscp
- ssh server enable
- ssh server ipv6 acl
- ssh server ipv6 dscp
- ssh server rekey-interval
- ssh user
- SSH client commands
- SSH server commands
- IP source guard commands
- ARP attack protection commands
- Unresolvable IP attack protection commands
- ARP packet rate limit commands
- Source MAC-based ARP attack detection commands
- ARP packet source MAC consistency check commands
- ARP active acknowledgement commands
- Authorized ARP commands
- ARP detection commands
- ARP automatic scanning and fixed ARP commands
- ARP gateway protection commands
- ARP filtering commands
- uRPF commands
- Crypto engine commands
- FIPS commands
- Support and other resources
- Index
242
2.2.2.10 command for IKE profile B. For peer 2.2.2.2, IKE profile A is preferred because IKE profile A
was configured earlier. To use IKE profile B for the peer, you can use this command to restrict the
application scope of IKE profile B to address 2.2.2.2.
Examples
# Create IKE profile prof1.
<Sysname> system-view
[Sysname] ike profile prof1
# Specify that IKE profile prof1 be applied only to the interface with the IP address 2.2.2.2 in VPN vpn1.
[sysname-ike-profile-prof1] match local address 2.2.2.2 vpn-instance vpn1
match remote
Use match remote to configure a peer ID for IKE profile matching.
Use undo match remote to delete a peer ID.
Syntax
match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] |
range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range
low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-name ] | fqdn fqdn-name | user-fqdn
user-fqdn-name } }
undo match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ]
| range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range
low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-name ] | fqdn fqdn-name | user-fqdn
user-fqdn-name } }
Default
No peer ID is configured for IKE profile matching.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
certificate policy-name: Uses the DN in the peer's digital certificate as the peer ID for IKE profile
matching. The policy-name argument is a string of 1 to 31 characters.
identity: Uses the specified information as the peer ID for IKE profile matching. The specified information
is configured on the peer by using the local-identity command.
• address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet address
as the peer ID for IKE profile matching. The mask-length argument is in the range of 0 to 32.
• address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID
for IKE profile matching. The end address must be higher than the start address.
• address ipv6 ipv6-address [ prefix-length ] : Uses an IPv6 host address or an IPv6 subnet address
as the peer ID for IKE profile matching. The prefix-length argument is in the range of 0 to 128.