R211x-HP Flexfabric 11900 Security Command Reference
Table Of Contents
- Title Page
- Contents
- AAA commands
- General AAA commands
- aaa session-limit
- accounting command
- accounting default
- accounting lan-access
- accounting login
- authentication default
- authentication lan-access
- authentication login
- authentication super
- authorization command
- authorization default
- authorization lan-access
- authorization login
- authorization-attribute (ISP domain view)
- display domain
- domain
- domain default enable
- state (ISP domain view)
- Local user commands
- RADIUS commands
- accounting-on enable
- data-flow-format (RADIUS scheme view)
- display radius scheme
- display radius statistics
- key (RADIUS scheme view)
- nas-ip (RADIUS scheme view)
- primary accounting (RADIUS scheme view)
- primary authentication (RADIUS scheme view)
- radius nas-ip
- radius session-control enable
- radius scheme
- reset radius statistics
- retry
- retry realtime-accounting
- secondary accounting (RADIUS scheme view)
- secondary authentication (RADIUS scheme view)
- security-policy-server
- snmp-agent trap enable radius
- state primary
- state secondary
- timer quiet (RADIUS scheme view)
- timer realtime-accounting (RADIUS scheme view)
- timer response-timeout (RADIUS scheme view)
- user-name-format (RADIUS scheme view)
- vpn-instance (RADIUS scheme view)
- HWTACACS commands
- data-flow-format (HWTACACS scheme view)
- display hwtacacs scheme
- hwtacacs nas-ip
- hwtacacs scheme
- key (HWTACACS scheme view)
- nas-ip (HWTACACS scheme view)
- primary accounting (HWTACACS scheme view)
- primary authentication (HWTACACS scheme view)
- primary authorization
- reset hwtacacs statistics
- secondary accounting (HWTACACS scheme view)
- secondary authentication (HWTACACS scheme view)
- secondary authorization
- timer quiet (HWTACACS scheme view)
- timer realtime-accounting (HWTACACS scheme view)
- timer response-timeout (HWTACACS scheme view)
- user-name-format (HWTACACS scheme view)
- vpn-instance (HWTACACS scheme view)
- LDAP commands
- General AAA commands
- 802.1X commands
- MAC authentication commands
- Port security commands
- display port-security
- display port-security mac-address block
- display port-security mac-address security
- port-security authorization ignore
- port-security enable
- port-security intrusion-mode
- port-security mac-address security
- port-security mac-move permit
- port-security max-mac-count
- port-security ntk-mode
- port-security oui
- port-security port-mode
- port-security timer autolearn aging
- port-security timer disableport
- Password control commands
- display password-control
- display password-control blacklist
- password-control { aging | composition | history | length } enable
- password-control aging
- password-control alert-before-expire
- password-control complexity
- password-control composition
- password-control enable
- password-control expired-user-login
- password-control history
- password-control length
- password-control login idle-time
- password-control login-attempt
- password-control super aging
- password-control super composition
- password-control super length
- password-control update-interval
- reset password-control blacklist
- reset password-control history-record
- Public key management commands
- IPsec commands
- ah authentication-algorithm
- description
- display ipsec { ipv6-policy | policy }
- display ipsec sa
- display ipsec statistics
- display ipsec transform-set
- display ipsec tunnel
- encapsulation-mode
- esp authentication-algorithm
- esp encryption-algorithm
- ike-profile
- ipsec anti-replay check
- ipsec anti-replay window
- ipsec apply
- ipsec decrypt-check enable
- ipsec logging packet enable
- ipsec df-bit
- ipsec global-df-bit
- ipsec { ipv6-policy | policy }
- ipsec { ipv6-policy | policy } local-address
- ipsec sa global-duration
- ipsec sa idle-time
- ipsec transform-set
- local-address
- pfs
- protocol
- qos pre-classify
- remote-address
- reset ipsec sa
- reset ipsec statistics
- sa duration
- sa hex-key authentication
- sa hex-key encryption
- sa idle-time
- sa spi
- sa string-key
- security acl
- snmp-agent trap enable ipsec
- transform-set
- IKE commands
- authentication-algorithm
- authentication-method
- dh
- display ike proposal
- display ike sa
- dpd
- encryption-algorithm
- exchange-mode
- ike dpd
- ike identity
- ike invalid-spi-recovery enable
- ike keepalive interval
- ike keepalive timeout
- ike keychain
- ike limit
- ike nat-keepalive
- ike profile
- ike proposal
- inside-vpn
- keychain
- local-identity
- match local address (IKE keychain view)
- match local address (IKE profile view)
- match remote
- pre-shared-key
- priority (IKE keychain view)
- priority (IKE profile view)
- proposal
- reset ike sa
- reset ike statistics
- sa duration
- snmp-agent trap enable ike
- SSH commands
- SSH server commands
- display ssh server
- display ssh user-information
- sftp server enable
- sftp server idle-timeout
- ssh server acl
- ssh server authentication-retries
- ssh server authentication-timeout
- ssh server compatible-ssh1x enable
- ssh server dscp
- ssh server enable
- ssh server ipv6 acl
- ssh server ipv6 dscp
- ssh server rekey-interval
- ssh user
- SSH client commands
- SSH server commands
- IP source guard commands
- ARP attack protection commands
- Unresolvable IP attack protection commands
- ARP packet rate limit commands
- Source MAC-based ARP attack detection commands
- ARP packet source MAC consistency check commands
- ARP active acknowledgement commands
- Authorized ARP commands
- ARP detection commands
- ARP automatic scanning and fixed ARP commands
- ARP gateway protection commands
- ARP filtering commands
- uRPF commands
- Crypto engine commands
- FIPS commands
- Support and other resources
- Index
283
interface-number specifies the outgoing interface by its type and number. This option is used when the
server uses a link-local address to provide the SFTP service for the client.
identity-key: Specifies the public key algorithm for the client, either dsa or rsa. The default is dsa. If the
server uses publickey authentication, this keyword must be specified.
• dsa: Specifies the public key algorithm dsa.
• rsa: Specifies the public key algorithm rsa.
prefer-compress: Specifies the preferred compression algorithm between the server and the client. By
default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
Algorithms des, 3des, aes128, and aes256 are arranged in ascending order in the aspects of security
strength and calculation time.
• 3des: Specifies the encryption algorithm 3des-cbc.
• aes128: Specifies the encryption algorithm aes128-cbc.
• aes256: Specifies the encryption algorithm aes256-cbc.
• des: Specifies the encryption algorithm des-cbc.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1.
Algorithm sha1 features stronger security but costs more time in calculation than md5.
• md5: Specifies the HMAC algorithm hmac-md5.
• md5-96: Specifies the HMAC algorithm hmac-md5-96.
• sha1: Specifies the HMAC algorithm hmac-sha1.
• sha1-96
: Specifies the HMAC algorithm hm
ac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in
non-FIPS mode and dh-group14 in FIPS mode. Algorithm dh-group14 features stronger security but costs
more time in calculation than dh-group1.
• dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.
• dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.
• dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1.
dscp dscp-value: Specifies the DSCP value in the IPv6 SFTP packets sent by the SFTP client, in the range
of 0 to 63. The default value is 48. The DSCP value determines the transmission priority of the packet.
publickey keyname: Specifies the host public key of the server, which is used to authenticate the server.
The keyname argument is a case-insensitive string of 1 to 64 characters.
source: Specifies a source IP address or source interface to connect to the server. By default, the device
automatically selects the source IP address from the routing table. To avoid the communication failure
between the client and the server due to interface faults, use the specified loopback interface as the
source interface, and either IP address of the two interfaces as the source IP address.
interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6
address of this interface is the source IP address to send packets.
ipv6 ipv6-address: Specifies a source IPv6 address.