HP FlexFabric 11900 Switch Series
Security Command Reference
Part number: 5998-4081
Software version: Release 2105 and later
Document version: 6W100-20130515
Legal and notice information
© Copyright 2013 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
AAA commands  1
General AAA commands  1
aaa session-limit
timer response-timeout (RADIUS scheme view)  48
user-name-format (RADIUS scheme view)  49
vpn-instance (RADIUS scheme view)  50
HWTACACS commands
reset password-control blacklist  96
reset password-control history-record  96
Public key management commands  98
display public-key local public
ssh2  147
ssh2 ipv6  149
IP source guard commands  152
display fips status  181
IPsec commands  183
ah authentication-algorithm  183
description
exchange-mode  240
ike dpd  241
ike identity  24
AAA commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
General AAA commands
aaa session-limit
Use aaa session-limit to set the maximum number of concurrent users who can log on to the device through FTP, SSH, or Telnet.
Use undo aaa session-limit to restore the default.
Use undo access-limit enable to restore the default.
Syntax
access-limit enable max-user-number
undo access-limit enable
Default
There is no limit to the number of online users in an ISP domain.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
max-user-number: Maximum number of online users that the ISP domain can accept. The value range is 1 to 4294967294.
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The command line accounting function cooperates with the accounting server to record all commands that have been successfully executed on the device. Command line accounting can use only a remote HWTACACS server.
Examples
# Configure ISP domain test to use HWTACACS scheme hwtac for command line accounting.
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The default accounting method is used for all users who support this method and do not have a specific accounting method configured.
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo accounting login
Default
The default accounting method of the ISP domain is used for login users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
authentication default
Use authentication default to specify the default authentication method for an ISP domain.
Use undo authentication default to restore the default.
Examples
# Configure the default authentication method for ISP domain test to use RADIUS scheme rd and use local authentication as the backup.
system-view
[Sysname] domain test
[Sysname-isp-test] authentication default radius-scheme rd local
Related commands
• hwtacacs scheme
• ldap scheme
• local-user
• radius scheme
authentication login
Use authentication login to specify the authentication method for login users.
Use undo authentication login to restore the default.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify multiple default authentication methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence.
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one authentication method and one backup authentication method. The backup method is used when the previous authentication method is invalid.
Default
The default authorization method of the ISP domain is used for command authorization.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. An authenticated user gets the default user role. For more information about the default user role, see Fundamentals Configuration Guide.
Syntax
In non-FIPS mode:
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization default
In FIPS mode:
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo
[Sysname] domain test
[Sysname-isp-test] authorization default radius-scheme rd local
Related commands
• hwtacacs scheme
• local-user
• radius scheme
authorization login
Use authorization login to configure the authorization method for login users.
Use undo authorization login to restore the default.
You can specify one authorization method and multiple backup authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization login radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup authorization methods, local authorization and no authorization.
Domain: system
  State: Active
  Access-limit: Disable
  Access-Count: 0
  default Authentication Scheme: local
  default Authorization Scheme: local
  default Accounting Scheme: local
Domain: dm
  State: Active
  Access-limit: 2222
  Access-Count: 0
  login Authentication Scheme: radius: rad
  login Authorization Scheme: tacacs: hw
  default Authentication Scheme: ldap: rad, local, none
  default Authorization Scheme: local
  default Accounting Scheme: none
Default Domain Name: system
Table 1 Command output
Field
domain
Use domain to create an ISP domain and enter its view.
Use undo domain to remove an ISP domain.
Syntax
domain isp-name
undo domain isp-name
Default
There is a system-defined ISP domain named system.
undo domain default enable
Default
The default ISP domain is the system-defined ISP domain system.
Views
System view
Predefined user roles
network-admin
Parameters
isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters.
Usage guidelines
There can be only one default ISP domain. The specified ISP domain must already exist.
Parameters
active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.
block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.
Usage guidelines
Blocking an ISP domain prevents offline users of the domain from requesting network services. Users that are already online are not affected.
Examples
# Place the ISP domain test in blocked state.
user-role role-name: Specifies the authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. The default user role for a local user created by a network-admin user is network-operator. Up to 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.
vlan vlan-id: Specifies the authorized VLAN.
Syntax
display local-user [ class { manage | network } | idle-cut { disable | enable } | service-type { ftp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
class: Specifies the local user type.
• manage: Device management user.
• network: Network access user.
idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled.
User Group: system
Bind Attributes:
  IP Address: 2.2.2.2
  Location Bound: 3/3/2 (slot/subslot/port)
  MAC Address: 0001-0001-0001
  VLAN ID: 2
Authorization Attributes:
  Idle TimeOut: 33 (min)
  Work Directory: flash:
  ACL Number: 2000
  User Role List: network-operator, level-0, level-3
Table 2 Command output
Field          Description
State          Status of the local user: active or blocked.
Service Type   Service types that the local user can use, including FTP, SSH, Telnet, and terminal.
Examples
# Display the configuration of all user groups.
display user-group
Total 2 user groups matched.
The contents of user group system:
  Authorization Attributes:
    Work Directory: flash:
The contents of user group jj:
  Authorization Attributes:
    Idle TimeOut: 2 (min)
    Work Directory: flash:/
    ACL Number: 2000
    VLAN ID: 2
Table 3 Command output
Field            Description
Idle TimeOut     Idle timeout period, in minutes.
Work Directory   Directory that FTP/SFTP/SCP users in the group can access.
Related commands
display local-user
local-user
Use local-user to add a local user and enter local user view.
Use undo local-user to remove local users.
Syntax
local-user user-name [ class { manage | network } ]
undo local-user { user-name class { manage | network } | all [ service-type { ftp | ssh | telnet | terminal } | class { manage | network } ] }
Default
No local user exists.
system-view
[Sysname] local-user user2 class network
[Sysname-luser-network-user2]
Related commands
• display local-user
• service-type
password
Use password to configure a password for a local user.
Use undo password to delete the password of a local user.
Syntax
In non-FIPS mode:
password [ { cipher | hash | simple } password ]
undo password
In FIPS mode:
password
Default
A local user has no password configured.
Examples
# Set the password of the device management user user1 to 123456 in plain text.
system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1] password simple 123456
# Set the password of the device management user test in interactive mode.
system-view
[Sysname] local-user test class manage
[Sysname-luser-manage-test] password
Password:
Confirm :
# Set the password of the network access user user2 to getapp in plain text.
terminal: Authorizes the user to use the terminal service, allowing the user to log in from a console port.
Usage guidelines
You can assign multiple service types to a user.
Examples
# Authorize the device management user user1 to use the Telnet and FTP services.
user-group
Use user-group to create a user group and enter its view.
Use undo user-group to delete a user group.
Syntax
user-group group-name
undo user-group group-name
Default
There is a user group named system in the system.
Views
System view
Predefined user roles
network-admin
Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A user group consists of a group of local users and has a set of local user attributes.
Default
The accounting-on feature is disabled.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
interval seconds: Specifies the time interval for retransmitting an accounting-on packet in seconds, in the range of 1 to 15. The default setting is 3 seconds.
send send-times: Specifies the maximum number of accounting-on packet transmission attempts, in the range of 1 to 255. The default setting is 50.
Predefined user roles
network-admin
Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
Usage guidelines
The data flow and packet measurement units for traffic statistics must be the same as configured on the RADIUS accounting servers.
Index : 0
Primary Auth Server:
  IP : 2.2.2.2            Port: 1812   State: Active
  VPN : vpn1
Primary Acct Server:
  IP: 1.1.1.1             Port: 1813   State: Active
  VPN : Not configured
Second Auth Server:
  IP: Not configured      Port: 1812   State: Block
  VPN : vpn1
Second Acct Server:
  IP: Not configured      Port: 1813   State: Block
  VPN : Not configured
Security Policy Server:
  Server: 0  IP: 2.2.2.2  VPN: Not configured
  Server: 1  IP: 3.3.3.
Field                              Description
IP                                 IP address of the security policy server.
VPN                                VPN to which the security policy server belongs. If no VPN is specified for the server, this field displays Not configured.
Accounting-On function             Whether the accounting-on feature is enabled.
retransmission times               Number of accounting-on packet transmission attempts.
retransmission interval(seconds)   Interval at which the device retransmits accounting-on packets, in seconds.
                          Auth.   Acct.   SessCtrl.
Access Challenge:         0       -       -
Account Start:            -       0       -
Account Update:           -       0       -
Account Stop:             -       0       -
Terminate Request:        -       -       0
Set Policy:               -       -       0
Packet With Response:     0       0       0
Packet Without Response:  0       0       -
Access Rejects:           0       -       -
Dropped Packet:           0       0       0
Check Failures:           0       0       0
Table 5 Command output
Field            Description
Auth.            Authentication packets.
Acct.            Accounting packets.
SessCtrl.        Session-control packets.
Request Packet   Number of request packets.
undo key { accounting | authentication }
Default
No shared key is configured.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
accounting: Sets the shared key for secure RADIUS accounting communication.
authentication: Sets the shared key for secure RADIUS authentication communication.
cipher: Sets a ciphertext shared key.
simple: Sets a plaintext shared key.
string: Specifies the shared key string. This argument is case sensitive.
Default
An outbound RADIUS packet uses the source IP address specified by the radius nas-ip command in system view. If the source IP address is not specified, the packet uses the IP address of the egress interface as the source IP address.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies an IPv4 address, which must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
Syntax
primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
undo primary accounting
Default
No primary RADIUS accounting server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the primary RADIUS accounting server.
ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS accounting server.
For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
Examples
# Specify the primary accounting server with IP address 10.110.1.2, UDP port number 1813, and plaintext shared key 123456 for RADIUS scheme radius1.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary accounting 10.110.1.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS authentication server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure that the service port and shared key settings of the primary RADIUS authentication server are the same as those configured on the server.
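The requirement that the shared key (key authentication, key accounting, or the per-server key option) match the server exactly follows from how RADIUS authenticates its packets. The following is an added example for this page, not code from the command reference or from the switch: it builds and checks the RFC 2865 Response Authenticator and the RFC 2866 Accounting-Request Authenticator in Python, so that a key mismatch can be seen to produce a digest the NAS must discard. Packet contents, secrets, and function names are constructed for the example.

```python
"""Why the RADIUS shared key on the NAS must match the server's (RFC 2865/2866).

Added example; not code from the HP reference. Every Access-Accept, Access-Reject
and Access-Challenge carries a Response Authenticator =
MD5(Code | Identifier | Length | RequestAuthenticator | Attributes | SharedSecret),
and every Accounting-Request carries a Request Authenticator computed the same
way over 16 zero octets. A NAS configured with a different key computes a
different digest and must discard the packet, which is how a key mismatch
shows up as 'no response' rather than as an explicit error. Packet contents,
secrets and function names below are constructed for this example.
"""
import hashlib
import hmac
import os
import struct
from typing import Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST, ACCESS_CHALLENGE = 1, 2, 3, 4, 11
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)


def avp(attr_type: int, value: bytes) -> bytes:
    """One attribute-value pair: Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, attrs: bytes) -> Tuple[bytes, bytes]:
    """NAS side: the Request Authenticator is 16 random octets kept for verification."""
    req_auth = os.urandom(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + req_auth + attrs, req_auth


def build_response(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: the Response Authenticator binds the reply to the request and the key."""
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(reply: bytes, expected_ident: int, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the digest with the locally configured key and compare."""
    if len(reply) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != expected_ident or length != len(reply):
        return False
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    expected = hashlib.md5(reply[:4] + req_auth + reply[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])


def build_accounting_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2866: Request Authenticator over the packet with a zeroed authenticator field."""
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(attrs))
    auth = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + auth + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Accounting server side: same computation, so the 'key accounting' value must match."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def demo() -> None:
    nas_key = b"123456"                       # key value taken from the reference's example
    _request, req_auth = build_access_request(7, avp(1, b"user1"))          # 1 = User-Name
    reply = build_response(ACCESS_ACCEPT, 7, req_auth, avp(18, b"Welcome"), nas_key)  # 18 = Reply-Message
    print("matching key  :", verify_response(reply, 7, req_auth, nas_key))
    print("mismatched key:", verify_response(reply, 7, req_auth, b"654321"))


if __name__ == "__main__":
    demo()
```

The accept that verifies under the configured key fails under any other key, and the NAS sees only silence until the response timeout and retry counter are exhausted; from the device's side a wrong key is indistinguishable from a dead server, which is why display radius statistics (Check Failures, Packet Without Response) is the first place to look when a scheme's servers are being marked blocked.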
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies an IPv4 address, which must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.
Predefined user roles
network-admin
Parameters
radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A RADIUS scheme can be referenced by more than one ISP domain at the same time. The device supports at most 16 RADIUS schemes.
Examples
# Create a RADIUS scheme named radius1 and enter its view.
Syntax
reset radius statistics
Views
User view
Predefined user roles
network-admin
Examples
# Clear RADIUS statistics.
reset radius statistics
Related commands
display radius statistics
retry
Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
Use undo retry to restore the default.
Syntax
retry retry-times
undo retry
Default
The maximum number of RADIUS packet transmission attempts is 3.
Related commands
• radius scheme
• timer response-timeout (RADIUS scheme view)
retry realtime-accounting
Use retry realtime-accounting to set the maximum number of accounting attempts.
Use undo retry realtime-accounting to restore the default.
Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting
Default
The maximum number of accounting attempts is 5.
Related commands
• retry
• timer realtime-accounting (RADIUS scheme view)
• timer response-timeout (RADIUS scheme view)
secondary accounting (RADIUS scheme view)
Use secondary accounting to specify a secondary RADIUS accounting server.
Use undo secondary accounting to remove a secondary RADIUS accounting server.
Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings. The shared key configured by this command takes precedence over the shared key configured by using the key accounting command. If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS authentication server.
port-number: Sets the service port number of the secondary RADIUS authentication server, a UDP port number in the range of 1 to 65535. The default setting is 1812.
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812
# Specify two secondary authentication servers for RADIUS scheme radius2, with the server IP addresses of 10.110.1.1 and 10.110.1.2, and the UDP port number of 1812.
system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812
[Sysname-radius-radius2] secondary authentication 10.110.1.
[Sysname-radius-radius1] security-policy-server 10.110.1.2
Related commands
display radius scheme
state primary
Use state primary to set the status of a primary RADIUS server.
Syntax
state primary { accounting | authentication } { active | block }
Default
The primary RADIUS server specified for a RADIUS scheme is in active state.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
accounting: Sets the status of the primary RADIUS accounting server.
state secondary
Use state secondary to set the status of a secondary RADIUS server.
Syntax
state secondary { accounting | authentication } [ ip-address [ port-number | vpn-instance vpn-instance-name ] * ] { active | block }
Default
Every secondary RADIUS server specified in a RADIUS scheme is in active state.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
accounting: Sets the status of a secondary RADIUS accounting server.
• state primary
timer quiet (RADIUS scheme view)
Use timer quiet to set the quiet timer for the servers specified in a RADIUS scheme.
Use undo timer quiet to restore the default.
Syntax
timer quiet minutes
undo timer quiet
Default
The server quiet period is 5 minutes.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
minutes: Server quiet period in minutes, in the range of 1 to 255.
Usage guidelines
Make sure the server quiet timer is set correctly.
Predefined user roles
network-admin
Parameters
minutes: Real-time accounting interval in minutes, in the range of 0 to 60.
Usage guidelines
When the real-time accounting interval configured on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval.
Parameters
seconds: Specifies the RADIUS server response timeout period, in the range of 1 to 10 seconds.
Usage guidelines
If a NAS does not receive a response from the RADIUS server within a period of time after sending a RADIUS request, it resends the request so that the user has another chance to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the retransmission interval.
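The retry, timer response-timeout, timer quiet and state primary/secondary commands together decide how long a login hangs when a server is silent and when the device moves on to the next server. The following is an added example written for this page, not code from the command reference or from the switch software. It simulates those rules in Python: each server is tried up to retry-times, with one response-timeout between attempts, servers are taken in configured order, and a server that exhausts its attempts is put in blocked state for the quiet period. The simulated clock, the class names, and the 3-second timeout used in the demo are this example's assumptions (the reference gives only the range 1 to 10 seconds for the timeout).

```python
"""Simulation of RADIUS server selection with retry, response timeout and quiet timer.

Added example; not code from the HP reference or from Comware. It applies the
rules the reference gives for these commands: a request to one server is
retransmitted after each response timeout, up to 'retry' attempts; servers are
tried in order, primary first; a server that exhausts its attempts is placed
in blocked state for the quiet period and skipped until the period expires.
The simulated clock, the class names and the 3-second timeout used in demo()
are this example's assumptions (the reference gives the range 1 to 10 seconds,
not a default).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Server:
    name: str
    responds: bool                 # constructed fault model: answers or never answers
    blocked_until: float = 0.0     # simulated time (s) at which it returns to active

    def is_active(self, now: float) -> bool:
        return now >= self.blocked_until


@dataclass
class Scheme:
    servers: List[Server]          # primary first, then secondaries in configured order
    retry_times: int = 3           # 'retry' default in the reference
    response_timeout: float = 3.0  # 'timer response-timeout', seconds (assumed value)
    quiet_minutes: int = 5         # 'timer quiet' default in the reference

    def send(self, now: float) -> Tuple[Optional[str], float]:
        """Try servers in order; return (server that answered or None, seconds spent)."""
        elapsed = 0.0
        for srv in self.servers:
            if not srv.is_active(now + elapsed):
                continue                                  # blocked: do not even try
            for _attempt in range(self.retry_times):
                if srv.responds:
                    return srv.name, elapsed              # answered on this attempt
                elapsed += self.response_timeout          # timeout, then retransmit
            # every attempt timed out: quiet this server and move to the next one
            srv.blocked_until = now + elapsed + self.quiet_minutes * 60
        return None, elapsed                              # no server answered

    def worst_case_wait(self) -> float:
        """Longest time a login can hang when every active server is silent."""
        return len(self.servers) * self.retry_times * self.response_timeout


def demo() -> None:
    scheme = Scheme([Server("primary", responds=False), Server("secondary", responds=True)])
    print(scheme.send(0.0))      # primary times out 3 times, secondary answers after 9 s
    print(scheme.send(10.0))     # primary still quiet: secondary answers immediately
    print(scheme.send(400.0))    # quiet period over: primary is retried and fails again


if __name__ == "__main__":
    demo()
```

With the defaults, the first login after the primary goes silent waits retry × timeout before the secondary is tried, subsequent logins go straight to the secondary for the quiet period, and the cycle repeats when the quiet timer expires. Shortening the quiet timer means users pay the retry delay more often while the primary is down; lengthening it delays the return to the primary after it recovers, which is the balance the "set the server quiet timer correctly" guideline points at. The state primary / state secondary block commands do by hand what the quiet timer does automatically.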
If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than one ISP domain. Otherwise, the RADIUS server will consider two users in different ISP domains but with the same userid as one user.
Examples
# Configure the device to remove the domain name from the username sent to the RADIUS servers specified in RADIUS scheme radius1.
HWTACACS commands
data-flow-format (HWTACACS scheme view)
Use data-flow-format to set the traffic statistics unit for data flows or data packets.
Use undo data-flow-format to restore the default.
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
Default
Traffic is counted in bytes and packets.
Predefined user roles
network-admin
network-operator
Parameters
hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
statistics: Displays the HWTACACS service statistics. If this option is not specified, the command displays the configuration of the HWTACACS scheme.
Usage guidelines
If no HWTACACS scheme name is specified, the command displays the configuration of all HWTACACS schemes.
Field                     Description
Secondary Author Server   Secondary HWTACACS authorization server.
Secondary Acct Server     Secondary HWTACACS accounting server.
IP                        IP address of the HWTACACS server. If no server is configured, this field displays Not configured.
Port                      Service port of the HWTACACS server. If no port configuration is performed, this field displays the default port number.
State                     Status of the HWTACACS server: active or blocked.
VPN Instance              MPLS L3VPN to which the HWTACACS server or scheme belongs.
ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IP address belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. To configure a public-network source IPv4 address, do not specify this option.
Usage guidelines
An HWTACACS scheme can be referenced by more than one ISP domain at the same time. You can configure up to 16 HWTACACS schemes.
Examples
# Create an HWTACACS scheme named hwt1 and enter its view.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1]
Related commands
display hwtacacs scheme
key (HWTACACS scheme view)
Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.
Use undo key to remove the configuration.
Examples
# Set the shared key for secure HWTACACS authentication communication to 123456 in plain text for HWTACACS scheme hwt1.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key authentication simple 123456
# Set the shared key for secure HWTACACS authorization communication to ok in plain text.
[Sysname-hwtacacs-hwt1] key authorization simple ok
# Set the shared key for secure HWTACACS accounting communication to hello in plain text.
effective for all HWTACACS schemes. The setting in HWTACACS scheme view takes precedence over the setting in system view. If you execute the command multiple times, the most recent configuration takes effect.
Examples
# Set the source address for outgoing HWTACACS packets to 10.1.1.1 for HWTACACS scheme hwt1.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.
Usage guidelines
Make sure that the port number and shared key settings of the primary HWTACACS accounting server are the same as those configured on the server. Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings. If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
port-number: Specifies the service port number of the primary HWTACACS authentication server, a TCP port number in the range of 1 to 65535. The default setting is 49.
key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS authentication server.
• cipher string: Sets a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 373 characters. In FIPS mode, the key is a string of 15 to 373 characters.
undo primary authorization
Default
No primary HWTACACS authorization server is specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the primary HWTACACS authorization server.
ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authorization server.
port-number: Specifies the service port number of the primary HWTACACS authorization server, a TCP port number in the range of 1 to 65535. The default setting is 49.
Related commands
• display hwtacacs scheme
• key (HWTACACS scheme view)
• secondary authorization
• vpn-instance (HWTACACS scheme view)
reset hwtacacs statistics
Use reset hwtacacs statistics to clear HWTACACS statistics.
Syntax
reset hwtacacs statistics { accounting | all | authentication | authorization }
Views
User view
Predefined user roles
network-admin
Parameters
accounting: Clears the HWTACACS accounting statistics.
all: Clears all HWTACACS statistics.
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the secondary HWTACACS accounting server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS accounting server.
port-number: Specifies the service port number of the secondary HWTACACS accounting server, a TCP port number in the range of 1 to 65535. The default setting is 49.
Related commands
• display hwtacacs scheme
• key (HWTACACS scheme view)
• primary accounting (HWTACACS scheme view)
• vpn-instance (HWTACACS scheme view)
secondary authentication (HWTACACS scheme view)
Use secondary authentication to specify a secondary HWTACACS authentication server.
Use undo secondary authentication to remove a secondary HWTACACS authentication server.
(a secondary HWTACACS authentication server configured earlier has a higher priority) and tries to communicate with it. If you use the undo secondary authentication command without specifying any parameter, the command removes all secondary authentication servers. Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings.
Parameters
ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authorization server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authorization server.
port-number: Specifies the service port number of the secondary HWTACACS authorization server, a TCP port number in the range of 1 to 65535. The default setting is 49.
key { cipher | simple } string: Sets the shared key for secure communication with the secondary HWTACACS authorization server.
• vpn-instance (HWTACACS scheme view)
timer quiet (HWTACACS scheme view)
Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme.
Use undo timer quiet to restore the default.
Syntax
timer quiet minutes
undo timer quiet
Default
The server quiet period is 5 minutes.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
minutes: Server quiet period in minutes, in the range of 1 to 255.
Examples
# Set the server quiet timer to 10 minutes.
Parameters
minutes: Real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 stops the device from sending online user accounting information to the HWTACACS accounting server.
Usage guidelines
For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command sets that interval.
Usage guidelines HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server. Examples # Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.
[Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] user-name-format without-domain Related commands display hwtacacs scheme vpn-instance (HWTACACS scheme view) Use vpn-instance to specify a VPN for an HWTACACS scheme. Use undo vpn-instance to remove the configuration. Syntax vpn-instance vpn-instance-name undo vpn-instance Default The HWTACACS scheme belongs to the public network.
Default No LDAP authentication server is specified. Views LDAP scheme view Predefined user roles network-admin Parameters server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters. Usage guidelines For an LDAP scheme, you can only specify one LDAP authentication server. If you execute the command for an LDAP scheme multiple times, the most recent configuration takes effect. Examples # Specify the LDAP authentication server as ccc.
-----------------------------------------------------------------
LDAP Scheme Name : ldap-sch
Authentication Server : cc
IP : 2.2.2.
Use undo ip to delete the LDAP server IP address and port number. Syntax ip ip-address [ port port-number ] [ vpn-instance vpn-instance-name ] undo ip Default An LDAP server has no IP address. Views LDAP server view Predefined user roles network-admin Parameters ip-address: Specifies the IP address of the LDAP server. port port-number: Specifies the TCP port number of the LDAP server, which is in the range of 1 to 65535 and defaults to 389.
Views LDAP server view Predefined user roles network-admin Parameters ipv6-address: Specifies the IPv6 address of the LDAP server. port port-number: Specifies the TCP port number of the LDAP server, which is in the range of 1 to 65535 and defaults to 389. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the LDAP server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines An LDAP scheme can be referenced by more than one ISP domain at the same time. You can configure up to 16 LDAP schemes. Examples # Create an LDAP scheme named ldap1 and enter its view. system-view [Sysname] ldap scheme ldap1 [Sysname-ldap-ldap1] Related commands display ldap scheme ldap server Use ldap server to create an LDAP server and enter its view. Use undo ldap server to delete an LDAP server.
undo login-dn Default No administrator DN is specified. Views LDAP server view Predefined user roles network-admin Parameters dn-string: Administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters. Usage guidelines The administrator DN specified on the device must be consistent with the administrator DN configured on the LDAP server. If you change the administrator DN, the change is effective only for LDAP authentication that occurs after your change.
password: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 128 characters. If cipher is specified, it must be a ciphertext string of 1 to 201 characters. Usage guidelines This command is effective only after the login-dn command is configured. For security purposes, all passwords, including passwords configured in plain text, are saved in ciphertext. Examples # Configure the administrator password to abcdefg in plain text.
[Sysname] ldap server ccc [Sysname-ldap-server-ccc] protocol-version v2 Related commands display ldap scheme search-base-dn Use search-base-dn to specify the base DN for user search. Use undo search-base-dn to restore the default. Syntax search-base-dn base-dn undo search-base-dn Default No base DN is specified for user search. Views LDAP server view Predefined user roles network-admin Parameters base-dn: Specifies the base DN for user search, a case-insensitive string of 1 to 255 characters.
Predefined user roles network-admin Parameters all-level: Specifies that the search goes through all sub-directories of the base DN. single-level: Specifies that the search goes through only the next lower level of sub-directories under the base DN. Examples # Specify the search scope for the LDAP authentication as all sub-directories of the base DN.
Related commands display ldap scheme user-parameters Use user-parameters to configure LDAP user attributes, including the username attribute, username format, and user object class. Use undo user-parameters to restore the default.
Password control commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display password-control Use display password-control to display password control configuration.
Table 10 Command output Field Description Password control Whether the password control feature is enabled. Password aging Whether password expiration is enabled and, if enabled, the expiration time. Password length Whether the minimum password length restriction function is enabled and, if enabled, the setting. Password composition Whether the password composition restriction function is enabled and, if enabled, the settings.
ipv6 ipv6-address: Specifies the IPv6 address of a user. Usage guidelines With no arguments provided, this command displays information about all users in the password control blacklist. If an FTP or virtual terminal line (VTY) user fails authentication, the system adds the user to a password control blacklist. You can use this command to view information about these users in the blacklist.
Views System view Predefined user roles network-admin Parameters aging: Enables the password expiration function. composition: Enables the password composition restriction function. history: Enables the password history function. length: Enables the minimum password length restriction function. Usage guidelines Before you enable a specific password control function, you must first enable the global password control feature.
Syntax password-control aging aging-time undo password-control aging Default A password expires after 90 days. The password expiration time of a user group equals the global setting, and the password expiration time of a local user equals that of the user group to which the local user belongs. Views System view, user group view, local user view Predefined user roles network-admin Parameters aging-time: Specifies the password expiration time in days, in the range of 1 to 365.
Syntax password-control alert-before-expire alert-time undo password-control alert-before-expire Default The default is 7 days. Views System view Predefined user roles network-admin Parameters alert-time: Specifies the number of days before a user password expires during which the user is notified of the pending password expiration. The value range is 1 to 30. Usage guidelines FTP users can only have their passwords changed by the administrator.
user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough. Usage guidelines You can enable both username checking and repeated character checking. After password complexity checking is enabled, passwords that do not meet the complexity requirements are refused.
Usage guidelines The password composition policy in system view has global significance and applies to all user groups. The policy in user group view applies to all local users in the user group. The policy in local user view applies only to the local user. A password composition policy with a smaller application scope has higher priority. The system prefers to use the password composition policy in local user view for a local user.
Usage guidelines A specific password control function takes effect only after the global password control feature is enabled. Examples # Enable the password control feature globally.
password-control history Use password-control history to set the maximum number of history password records for each user. Use undo password-control history to restore the default. Syntax password-control history max-record-num undo password-control history Default The maximum number of history password records for each user is 4. Views System view Predefined user roles network-admin Parameters max-record-num: Specifies the maximum number of history password records for each user.
Default In non-FIPS mode, the global minimum password length is 10 characters. In FIPS mode, the global minimum password length is 15 characters. In both non-FIPS and FIPS modes, the minimum password length of a user group equals the global setting, and the minimum password length of a local user equals that of the user group to which the local user belongs.
Syntax password-control login idle-time idle-time undo password-control login idle-time Default You cannot use a user account to log in to the device if the account has been idle for 90 days. Views System view Predefined user roles network-admin Parameters idle-time: Specifies the maximum account idle time in days, in the range of 0 to 365. 0 means no restriction for account idle time.
exceed: Specifies the action to be taken when a user fails to log in after the specified number of attempts. lock: Permanently prohibits a user who fails to log in after the specified number of attempts from logging in. lock-time time: Forces a user who fails to log in after the specified number of attempts to wait for a period of time before trying again. The time argument is in the range of 1 to 360 minutes.
Blacklist items matched: 1.
After 3 minutes, the user is removed from the password control blacklist and can log in again.
Related commands
• display password-control
• display password-control blacklist
• reset password-control blacklist
password-control super aging
Use password-control super aging to set the expiration time for super passwords. Use undo password-control super aging to restore the default.
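The login-attempt behaviour described above (a user who exceeds the failed-login limit is blacklisted and either locked permanently or for a lock-time, after which the blacklist entry is removed), modelled as an added example that is not code from the switch or from HP. The attempt limit is a constructed value; the page excerpt gives only the exceed actions and the 1 to 360 minute range.

```python
"""Model of the password-control login-attempt behaviour described on this
page: after too many failed logins a user is put on the password control
blacklist, and the exceed action is either lock (permanent) or lock-time
(blocked for a number of minutes, then removed from the blacklist).

Added illustration, not code from the switch or from HP. The attempt
limit is a constructed value; the page excerpt shows only the exceed
actions and the 1 to 360 minute range for lock-time.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LoginAttemptPolicy:
    max_attempts: int = 3        # constructed value, not taken from the page
    exceed: str = "lock-time"    # "lock" or "lock-time", as on the page
    lock_minutes: int = 3        # 1..360; 3 matches the page's example output


@dataclass
class PasswordControlBlacklist:
    policy: LoginAttemptPolicy
    failures: dict = field(default_factory=dict)   # user -> consecutive failures
    locked_at: dict = field(default_factory=dict)  # user -> minute the lock began

    def record_failure(self, user: str, now_min: float) -> bool:
        """Count a failed login; return True if the user is now blacklisted."""
        if self.is_locked(user, now_min):
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.policy.max_attempts:
            self.locked_at[user] = now_min
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the consecutive-failure counter."""
        self.failures.pop(user, None)

    def is_locked(self, user: str, now_min: float) -> bool:
        """True while the user is blacklisted; lock-time entries expire."""
        if user not in self.locked_at:
            return False
        if self.policy.exceed == "lock":
            return True  # permanent: only an explicit reset removes the user
        if now_min - self.locked_at[user] >= self.policy.lock_minutes:
            self.reset(user)  # lock-time elapsed: removed from the blacklist
            return False
        return True

    def reset(self, user=None) -> None:
        """reset password-control blacklist [ user-name name ]: clear one user or all."""
        if user is None:
            self.failures.clear()
            self.locked_at.clear()
        else:
            self.failures.pop(user, None)
            self.locked_at.pop(user, None)

    def blacklist(self, now_min: float) -> list:
        """Usernames currently blacklisted, in the spirit of display password-control blacklist."""
        return sorted(u for u in list(self.locked_at) if self.is_locked(u, now_min))
```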
Default In non-FIPS mode, the super password composition policy is as follows: A super password must contain at least one type of characters from uppercase letters, lowercase letters, digits, or special characters (see Security Configuration Guide), and each type must contain at least one character.
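The checks that the password-control commands on this page describe (minimum length, the composition policy above, the user-name complexity check with its abc123/321df example, and repeated-character checking), implemented as an added example that is not code from the switch or from HP. The repeated-character run length is an assumption, since the page only names that check; the composition rule is read as "at least N types present, each present type with at least M characters".

```python
"""Password checks modelled on the password-control commands on this page:
minimum length, composition policy (number of character types and minimum
characters per type), username checking (the username or its reverse inside
the password) and repeated-character checking.

Added illustration, not code from the switch or from HP. The page names
repeated-character checking without defining it; the run length used here
(max_repeat_run) is an assumption.
"""
from dataclasses import dataclass
import string


def char_type(ch: str) -> str:
    """Classify a character into the four types the page lists."""
    if ch in string.ascii_uppercase:
        return "uppercase"
    if ch in string.ascii_lowercase:
        return "lowercase"
    if ch in string.digits:
        return "digit"
    return "special"  # everything else is treated as a special character


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 10          # non-FIPS global default given on the page
    min_types: int = 1            # composition: character types required
    min_chars_per_type: int = 1   # composition: characters per present type
    check_username: bool = True   # user-name complexity check
    max_repeat_run: int = 3       # assumption: this many identical consecutive chars is refused


def check_password(password: str, username: str,
                   policy: PasswordPolicy = PasswordPolicy()) -> list:
    """Return a list of policy violations; an empty list means compliant."""
    problems = []

    if len(password) < policy.min_length:
        problems.append(f"shorter than the minimum length of {policy.min_length}")

    # composition: count characters of each type
    counts = {}
    for ch in password:
        t = char_type(ch)
        counts[t] = counts.get(t, 0) + 1
    if len(counts) < policy.min_types:
        problems.append(f"contains fewer than {policy.min_types} character types")
    weak = sorted(t for t, n in counts.items() if n < policy.min_chars_per_type)
    if weak:
        problems.append(f"fewer than {policy.min_chars_per_type} characters of type: "
                        + ", ".join(weak))

    # user-name check: the page refuses abc123 and 321df for username 123
    if policy.check_username and username:
        if username in password or username[::-1] in password:
            problems.append("contains the username or its reverse")

    # repeated-character check: longest run of one character
    longest = run = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    if policy.max_repeat_run and longest >= policy.max_repeat_run:
        problems.append(f"a character repeats {policy.max_repeat_run} or more times in a row")

    return problems
```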
Predefined user roles network-admin Parameters length: Specifies the minimum length of super passwords in characters. The value range for this argument is 4 to 63 in non-FIPS mode, and 15 to 63 in FIPS mode. Examples # Set the minimum length of super passwords to 10 characters.
reset password-control blacklist Use reset password-control blacklist to remove a specified user or all users from the password control blacklist. Syntax reset password-control blacklist [ user-name name ] Views User view Predefined user roles network-admin Parameters user-name name: Specifies the user to be removed from the password control blacklist. The name argument is the username, a case-sensitive string of 1 to 55 characters.
Without the role role-name option, this command deletes the history records of all super passwords. Examples # Clear the history password records of all local users (enter Y to confirm).
Public key management commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Use display public-key local public to display local public keys.
Key name: serverkey (default)
Key type: RSA
Time when key pair created: 15:40:48 2012/06/12
Key code: [key string omitted]
=============================================
Key name: rsa1
Key type: RSA
Time when key pair created: 15:42:26 2012/06/12
Key code: [key string omitted]
display public-key peer Use display public-key peer to display information about peer public keys. Syntax display public-key peer [ brief | name publickey-name ] Views Any view Predefined user roles network-admin network-operator Parameters brief: Displays brief information about all peer public keys. The brief information includes only the key type, key modulus, and key name. name publickey-name: Displays detailed information about a peer public key, including its key code.
Field Description
Key code Public key string.
# Display brief information about all peer public keys.
display public-key peer brief
Type Modulus Name
--------------------------
RSA 1024 idrsa
DSA 1024 10.1.1.1
Table 14 Command output
Field Description
Type Key type: RSA and DSA.
Modulus Key modulus length in bits.
Name Name of the peer public key.
[Sysname-pkey-public-key-key1]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E 719D1643135877E13B1C531B4
[Sysname-pkey-public-key-key1]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B 952ADF6B80EB5F52698FCF3D6
[Sysname-pkey-public-key-key1]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050 BD4A9B1DDE675AC30CB020301
[Sysname-pkey-public-key-key1]0001
[Sysname-pkey-public-key-key1] peer-public-key end
[Sysname]
Related commands
• display public-key local public
• display public-key peer
The key modulus length must be appropriate (see Table 16). The longer the key modulus length, the higher the security, and the longer the key generation time. If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default. You can also assign the default name to another key pair, but the system does not mark the key pair as default.
# Create a local DSA key pair with the default name.
system-view
[Sysname] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+..+................
.......+..........+..............+.............+...+.....+.....
Create the key pair successfully.
# Create a local ECDSA key pair with the name ecdsa1.
system-view
[Sysname] public-key local create ecdsa name ecdsa1
Generating Keys...
Create the key pair successfully.
# Create a local RSA key pair with the default name in FIPS mode.
system-view
[Sysname] public-key local create rsa
The range of public key modulus is (2048 ~ 2048).
It will take a few minutes. Press CTRL+C to abort.
Input the modulus length [default = 2024]:
Generating Keys...
...
Parameters dsa: Specifies the DSA type. ecdsa: Specifies the ECDSA type. rsa: Specifies the RSA type. name key-name: Specifies the name of a local key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is specified, the command destroys the specified type of local key pairs that take the default names.
Syntax public-key local export dsa [ name key-name ] { openssh | ssh2 } [ filename ] Views System view Predefined user roles network-admin Parameters name key-name: Specifies the name of a local DSA key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is provided, the command displays or exports the host public key of the local DSA key pair with the default name. openssh: Uses the format of OpenSSH.
public-key local export rsa Use public-key local export rsa to display the local RSA host public key in a specific format, or export the key to a specific file. Syntax In non-FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } [ filename ] In FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh2 } [ filename ] Views System view Predefined user roles network-admin Parameters name key-name: Specifies the name of a local RSA key pair.
Examples # Export the host public key of the local RSA key pair with the default name in OpenSSH format to the file key.pub. system-view [Sysname] public-key local export rsa openssh key.pub # Display the host public key of the local RSA key pair with the default name in SSH2.0 format.
Use undo public-key peer to delete a peer public key. Syntax public-key peer keyname undo public-key peer keyname Default The local device has no peer public key. Views System view Predefined user roles network-admin Parameters keyname: Specifies a name for a peer public key, a case-sensitive string of 1 to 64 characters. Usage guidelines After you execute the command to enter the public key view, type the public key. Spaces and carriage returns are allowed, but are not saved.
Default The device has no peer public key. Views System view Predefined user roles network-admin Parameters keyname: Specifies a name for a peer public key, a case-sensitive string of 1 to 64 characters. filename: Specifies the name of the file for saving the local host public key. The file name is a string of case-insensitive characters excluding ./ and ../. The name cannot be dots (.), hostkey, serverkey, dsakey, or ecdsakey, and cannot start with a slash (/).
SSH commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSH server configuration commands display ssh server Use display ssh server on an SSH server to display the SSH server status or sessions.
Field Description
SSH server key generating interval SSH server key pair update interval.
SSH authentication retries Maximum number of authentication attempts for SSH users.
SFTP server Whether the SFTP server function is enabled.
SFTP server Idle-Timeout SFTP connection idle timeout timer.
# Display the SSH server sessions.
display ssh server session
UserPid SessID Ver
184 0 2.
Parameters username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users. Usage guidelines This command only displays information about SSH users configured through the ssh user command on the SSH server. Examples # Display information about all SSH users.
Examples # Enable the SFTP server function. system-view [Sysname] sftp server enable Related commands display ssh server sftp server idle-timeout Use sftp server idle-timeout to set the idle timeout timer for SFTP user connections on an SFTP server. Use undo sftp server idle-timeout to restore the default. Syntax sftp server idle-timeout time-out-value undo sftp server idle-timeout Default The idle timeout timer is 10 minutes.
Default All IPv4 SSH clients are allowed to initiate connections to the device. Views System view Predefined user roles network-admin Parameters acl-number: Specifies an ACL by its number, in the range of 2000 to 4999. Usage guidelines Use this command to specify an ACL to filter the IPv4 SSH clients' request packets. The filtering process is as follows: • If an ACL is specified, only the IPv4 SSH clients that match the permit statement in this ACL can access the device.
Parameters ipv6: Specifies ACL type as IPv6. If this keyword is not specified, Layer 2 ACL is applied. acl-number: Specifies an ACL by its number. If the ipv6 keyword is specified, the value of the acl-number argument is in the range of 2000 to 3999. If the ipv6 keyword is not specified, the value of the acl-number argument is in the range of 4000 to 4999. Usage guidelines Use this command to specify an ACL to filter the IPv6 SSH clients' request packets.
Usage guidelines You can set this limit to prevent malicious hacking of usernames and passwords. This configuration takes effect only for users at their next login. Authentication of the any type fails if the total number of authentication attempts (including both publickey and password authentication attempts) exceeds the upper limit configured by the ssh server authentication-retries command.
Related commands display ssh server ssh server compatible-ssh1x enable Use ssh server compatible-ssh1x enable to enable the SSH server to support SSH1 clients. Use undo ssh server compatible-ssh1x to disable the SSH server from supporting SSH1 clients. Syntax ssh server compatible-ssh1x enable undo ssh server compatible-ssh1x Default The SSH server supports SSH1 clients. Views System view Predefined user roles network-admin network-operator Usage guidelines This command is not available in FIPS mode.
Predefined user roles network-admin Examples # Enable the SSH server function. system-view [Sysname] ssh server enable Related commands display ssh server ssh server rekey-interval Use ssh server rekey-interval to set an interval for updating the RSA server key pair. Use undo ssh server rekey-interval to restore the default.
Use undo ssh user to delete an SSH user. Syntax In non-FIPS mode: ssh user username service-type { all | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } assign publickey keyname } undo ssh user username In FIPS mode: ssh user username service-type { all | scp | sftp | stelnet } authentication-type { password | password-publickey assign publickey keyname } undo ssh user username Default No SSH users exist.
Usage guidelines To configure an SSH user that uses publickey authentication, you must create a local user that has the same username as the SSH user to assign the working directory and user role. To configure an SSH user that uses password authentication, you must configure a local user account by using the local-user command for local authentication, or configure an SSH user account on an authentication server, for example, a RADIUS server, for remote authentication.
SSH client configuration commands bye Use bye to terminate the connection with an SFTP server and return to user view. Syntax bye Views SFTP client view Predefined user roles network-admin Usage guidelines This command has the same function as the exit and quit commands. Examples # Terminate the connection with the SFTP server. sftp> bye cd Use cd to change the working path on an SFTP server.
cdup
Use cdup to return to the upper-level directory.
Syntax cdup
Views SFTP client view
Predefined user roles network-admin
Examples
# Return to the upper-level directory from the current working directory /test1.
sftp> cd test1
Current Directory is:/test1
sftp> pwd
Remote working directory: /test1
sftp> cdup
Current Directory is:/
sftp> pwd
Remote working directory: /
sftp>
delete
Use delete to delete the specified files from the SFTP server.
Syntax dir [ -a | -l ] [ remote-path ] Views SFTP client view Predefined user roles network-admin Parameters -a: Displays the names of the files and sub-directories under a specified directory. -l: Displays detailed information about the files and sub-directories under a specified directory in the form of a list. remote-path: Specifies the name of the directory to be queried.
display sftp client source
Use display sftp client source to display the source IP address or source interface configured for the SFTP client.
Syntax display sftp client source
Views Any view
Predefined user roles network-admin network-operator
Examples
# Display the source IP address configured for the SFTP client.
display sftp client source
The source IP address of the SFTP client is 192.168.0.1
The source IPv6 address of the SFTP client is 2:2::2:2.
exit Use exit to terminate the connection with an SFTP server and return to user view. Syntax exit Views SFTP client view Predefined user roles network-admin Usage guidelines This command has the same function as the bye and quit commands. Examples # Terminate the connection with the SFTP server. sftp> exit get Use get to download a file from an SFTP server and save it locally.
Syntax help Views SFTP client view Predefined user roles network-admin Usage guidelines The help command is equivalent to entering a question mark (?). Examples # Display help information.
Predefined user roles network-admin Parameters -a: Displays the names of the files and sub-directories under a specified directory. -l: Displays detailed information about the files and sub-directories under a specified directory in the form of a list. remote-path: Specifies the name of the directory to be queried. Usage guidelines If the -a and -l keywords are not specified, the command displays the names of the files and sub-directories under a specified directory.
Parameters remote-path: Specifies the name for the directory on an SFTP server. Examples # Create a directory named test on the SFTP server. sftp> mkdir test put Use put to upload a local file to an SFTP server. Syntax put local-file [ remote-file ] Views SFTP client view Predefined user roles network-admin Parameters local-file: Specifies the name of a local file. remote-file: Specifies the name of a file on an SFTP server.
The output shows that the current working directory is the root directory. quit Use quit to terminate the connection with an SFTP server and return to user view. Syntax quit Views SFTP client view Predefined user roles network-admin Usage guidelines This command has the same function as the bye and exit commands. Examples # Terminate the connection with the SFTP server. sftp> quit remove Use remove to delete the specified files from an SFTP server.
Views SFTP client view
Predefined user roles network-admin
Parameters oldname: Specifies the name of an existing file or directory. newname: Specifies the new name for the file or directory.
Examples
# Change the name of a file on the SFTP server from temp1.c to temp2.c.
sftp> dir
aa.pub
temp1.c
sftp> rename temp1.c temp2.c
sftp> dir
aa.pub
temp2.c
rmdir
Use rmdir to delete the specified directories from an SFTP server.
scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 }] * [ publickey keyname | source { interface interface-type interface-number | ip ip-address } ] * Views User view Predefined user roles network-admin Parame
prefer-kex: Specifies the preferred key exchange algorithm. The default algorithm is dh-group-exchange in non-FIPS mode and is dh-group14 in FIPS mode. The algorithms dh-group-exchange, dh-group1, and dh-group14 are listed in ascending order of both security strength and computation time. • dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. • dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.
sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 }] * [ publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] * In FIPS mode: scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | pr
• des: Specifies the encryption algorithm des-cbc. prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. The sha1 algorithm is more secure than md5 but takes longer to compute. • md5: Specifies the HMAC algorithm hmac-md5. • md5-96: Specifies the HMAC algorithm hmac-md5-96. • sha1: Specifies the HMAC algorithm hmac-sha1. • sha1-96: Specifies the HMAC algorithm hmac-sha1-96. prefer-kex: Specifies the preferred key exchange algorithm.
sftp Use sftp to establish a connection to an IPv4 SFTP server and enter SFTP client view.
• md5: Specifies the HMAC algorithm hmac-md5. • md5-96: Specifies the HMAC algorithm hmac-md5-96. • sha1: Specifies the HMAC algorithm hmac-sha1. • sha1-96: Specifies the HMAC algorithm hmac-sha1-96. prefer-kex: Specifies the preferred key exchange algorithm. The default algorithm is dh-group-exchange in non-FIPS mode and is dh-group14 in FIPS mode. The algorithms dh-group-exchange, dh-group1, and dh-group14 are listed in ascending order of both security strength and computation time.
Use undo sftp client ipv6 source to remove the configuration. Syntax sftp client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address } undo sftp client ipv6 source Default The SFTP client uses the IPv6 address of the interface specified by the route of the device to access the SFTP server.
Default The SFTP client uses the IPv4 address of the interface specified by the route of the device to access the SFTP server. Views System view Predefined user roles network-admin Parameters interface interface-type interface-number: Specifies the primary IP address of the interface as the source address. The interface-type interface-number argument specifies a source interface by its type and number. ip ip-address: Specifies a source IPv4 address.
| prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] * Views User view Predefined user roles network-admin Parameters server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies a port number of the server, in the range of 1 to 65535. The default is 22.
• dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. • dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1. prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128. prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1. publickey keyname: Specifies the host public key of the server, which is used to authenticate the server.
Views System view Predefined user roles network-admin Parameters interface interface-type interface-number: Specifies the IPv6 address of the interface which matches the destination address of the outbound packets using the longest match criteria as the source IPv6 address. The interface-type interface-number argument specifies a source interface by its type and number. ipv6 ipv6-address: Specifies a source IPv6 address.
Parameters
interface interface-type interface-number: Specifies the primary IP address of the interface as the source address. The interface-type interface-number argument specifies a source interface by its type and number.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
The Stelnet client uses the specified source address to communicate with the server. If you execute the ssh client source command multiple times, the most recent configuration takes effect.
Parameters
server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.
port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.
identity-key: Specifies the public key algorithm for the client, either dsa or rsa. The default is dsa.
faults, use the specified Loopback interface as the source interface, and either IP address of the two interfaces as the source IP address.
interface interface-type interface-number: Specifies a source interface by its type and number. The primary IPv4 address of this interface is the source IP address used to send packets.
ip ip-address: Specifies a source IPv4 address.
Parameters
server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.
port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.
-i interface-type interface-number: Specifies the outgoing interface used by the client to connect to the server.
source: Specifies a source IP address or source interface to connect to the server. By default, the device automatically selects the source IP address from the routing table. To avoid communication failure between the client and the server due to interface faults, use the specified Loopback interface as the source interface, and either IP address of the two interfaces as the source IP address.
interface interface-type interface-number: Specifies a source interface.
IP source guard commands
display ip source binding
Use display ip source binding to display IPv4 source guard binding entries.
chassis chassis-number slot slot-number: Displays IPv4 source guard binding entries of a card on an IRF member device. The chassis-number argument refers to the ID of the IRF member device and the slot-number argument refers to the number of the slot that holds the card. (In IRF mode.)
Usage guidelines
• In standalone mode, if you specify neither an interface nor a card, the command displays IPv4 source guard binding entries that the MPU obtained from all interfaces.
display ipv6 source binding static [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]
In IRF mode:
display ipv6 source binding static [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ip-address ipv6-address: Displays static IPv
Field    Description
MAC Address    MAC address in the static IPv6 source guard binding entry. N/A means that no MAC address is bound in the entry.
Interface    Interface of the static IPv6 source guard binding entry.
VLAN    VLAN information in the static IPv6 source guard binding entry. N/A means that the entry contains no VLAN information.
Type    Type of the static IPv6 source guard binding entry, where "static" indicates a manually configured entry.
You cannot configure static IPv4 source guard binding entries on an interface that is in a service loopback group.
Examples
# On interface Ten-GigabitEthernet 1/0/1, configure a static IPv4 source binding entry to allow only the packets whose source IP address is 192.168.0.1 and source MAC address is 0001-0001-0001 to pass.
system-view
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.
The keywords specified in the ip verify source command take effect only on dynamic IPv4 source guard binding entries: they determine which fields of a dynamic entry the interface uses to filter packets. For static IPv4 source guard binding entries, this command only enables packet filtering on the interface.
mac-address mac-address: Specifies a MAC address for the static binding entry. The MAC address must be in H-H-H format, and cannot be all 0s, all Fs (a broadcast address), or a multicast address.
vlan vlan-id: Specifies a VLAN ID for the static binding entry. The value range for the vlan-id argument is 1 to 4094. This option is only available in Layer 2 Ethernet interface view.
Usage guidelines
All the fields except the VLAN in a static IPv6 binding entry are used by IP source guard to filter packets.
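The filtering rules just described (static entries match on every bound field except the VLAN; dynamic entries match only on the fields selected by ip verify source keywords), as an added example in Python that is not the switch's own code. The Binding and Packet layouts, the per-interface lookup and the helper names are assumptions; the binding values are constructed, with the first one taken from the ip source binding example above.

```python
"""IP source guard filtering model: static vs. dynamic binding entries.
Added example, not code from the switch. Assumes ip verify source is enabled
on the packet's inbound interface and that bindings are looked up per interface."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    interface: str
    ip: str
    mac: Optional[str] = None   # None corresponds to N/A in the display output
    vlan: Optional[int] = None
    kind: str = "static"        # "static" (manual) or "dynamic" (e.g. DHCP snooping)


@dataclass(frozen=True)
class Packet:
    interface: str
    src_ip: str
    src_mac: str
    vlan: int


def _mac_eq(a: str, b: str) -> bool:
    """Compare H-H-H style MAC addresses case-insensitively."""
    return a.replace("-", "").lower() == b.replace("-", "").lower()


def matches_static(pkt: Packet, b: Binding) -> bool:
    """Static entry: IP must match, MAC must match if bound, VLAN is not used
    (the page states this for static IPv6 entries; applying it to IPv4 is an assumption)."""
    if pkt.src_ip != b.ip:
        return False
    if b.mac is not None and not _mac_eq(pkt.src_mac, b.mac):
        return False
    return True


def matches_dynamic(pkt: Packet, b: Binding, verify: Tuple[str, ...]) -> bool:
    """Dynamic entry: only the fields named by the ip verify source keywords are compared."""
    if "ip-address" in verify and pkt.src_ip != b.ip:
        return False
    if "mac-address" in verify and not _mac_eq(pkt.src_mac, b.mac or ""):
        return False
    return True


def packet_allowed(pkt: Packet, bindings: Iterable[Binding],
                   verify: Tuple[str, ...] = ("ip-address", "mac-address")) -> bool:
    """Allow the packet if any binding entry on its inbound interface matches it.
    With filtering enabled and no matching entry, the packet is dropped."""
    for b in bindings:
        if b.interface != pkt.interface:
            continue
        ok = matches_static(pkt, b) if b.kind == "static" else matches_dynamic(pkt, b, verify)
        if ok:
            return True
    return False


# Constructed binding table (not taken from a real device).
BINDINGS = [
    Binding("Ten-GigabitEthernet1/0/1", "192.168.0.1", "0001-0001-0001"),          # static, IP + MAC
    Binding("Ten-GigabitEthernet1/0/1", "192.168.0.9"),                             # static, IP only (MAC N/A)
    Binding("Ten-GigabitEthernet1/0/2", "192.168.0.20", "0002-0002-0002", 10, "dynamic"),
]


def filter_batch(packets: Iterable[Packet], bindings: Iterable[Binding],
                 verify: Tuple[str, ...] = ("ip-address", "mac-address")):
    """Return (forwarded, dropped) counts for a batch of packets."""
    bindings = list(bindings)
    forwarded = dropped = 0
    for p in packets:
        if packet_allowed(p, bindings, verify):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped
```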
You cannot enable dynamic IPv6 source guard on a service loopback interface.
Examples
# Enable IPv6 source guard on Layer 2 Ethernet port Ten-GigabitEthernet 1/0/1 to filter packets received on the port based on the source IPv6 and MAC addresses.
reset ip source binding vpn-instance 1 dhcp-relay
# Clear the dynamic IPv4 source guard binding entries that have the source IPv4 address 1.1.1.1 and were created by DHCP relay.
reset ip source binding dhcp-relay ip-address 1.1.1.1
Related commands
• display ip source binding
• ip source binding
• ip verify source
reset ipv6 source binding
Use reset ipv6 source binding to clear IPv6 source guard binding entries.
ARP attack protection commands
Unresolvable IP attack protection commands
arp resolving-route enable
Use arp resolving-route enable to enable ARP black hole routing.
Use undo arp resolving-route enable to disable ARP black hole routing.
Syntax
arp resolving-route enable
undo arp resolving-route enable
Default
ARP black hole routing is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Configure this feature on the gateways.
undo arp source-suppression enable
Default
The ARP source suppression function is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Configure this feature on the gateway devices.
Examples
# Enable the ARP source suppression function.
system-view
[Sysname] arp source-suppression limit 100
Related commands
display arp source-suppression
display arp source-suppression
Use display arp source-suppression to display information about the current ARP source suppression configuration.
Syntax
display arp source-suppression
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display information about the current ARP source suppression configuration.
Views
Layer 2 Ethernet interface view, Layer 2 aggregate interface view
Predefined user roles
network-admin
Parameters
pps: Specifies the upper limit for the ARP packet rate in pps. The value range for this argument is 5 to 200.
Examples
# Specify the maximum ARP packet rate on Ten-GigabitEthernet 1/0/1 as 50 pps.
Examples
# Enable source MAC based ARP attack detection and specify the filter handling method.
system-view
[Sysname] arp source-mac filter
arp source-mac aging-time
Use arp source-mac aging-time to configure the aging time for ARP attack entries.
Use undo arp source-mac aging-time to restore the default.
Syntax
arp source-mac aging-time time
undo arp source-mac aging-time
Default
The aging time for ARP attack entries is 300 seconds (5 minutes).
Parameters
mac-address&<1-10>: MAC address list. The mac-address argument indicates an excluded MAC address in the format H-H-H. &<1-10> indicates the number of excluded MAC addresses that you can configure.
Usage guidelines
If no MAC address is specified, the undo arp source-mac exclude-mac command removes all excluded MAC addresses.
Examples
# Exclude a MAC address from source MAC based ARP attack detection.
In IRF mode:
display arp source-mac { chassis chassis-number slot slot-number | interface interface-type interface-number }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Displays ARP attack entries detected on the specified interface.
slot slot-number: Displays ARP attack entries detected on the specified card. The slot-number argument specifies the slot number of the card. (In standalone mode.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Configure this feature on gateway devices. After you execute this command, the gateway device can filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.
Examples
# Enable ARP packet source MAC address consistency check.
Authorized ARP commands
arp authorized enable
Use arp authorized enable to enable authorized ARP on an interface.
Use undo arp authorized enable to restore the default.
Syntax
arp authorized enable
undo arp authorized enable
Default
Authorized ARP is not enabled on the interface.
Views
Layer 3 Ethernet interface view
Predefined user roles
network-admin
Examples
# Enable authorized ARP on Ten-GigabitEthernet 1/0/1.
system-view
[Sysname] vlan 2
[Sysname-vlan2] arp detection enable
arp detection trust
Use arp detection trust to configure a port as an ARP trusted port.
Use undo arp detection trust to restore the default.
Syntax
arp detection trust
undo arp detection trust
Default
An interface is an ARP untrusted interface.
Views
Layer 2 Ethernet interface view, Layer 2 aggregate interface view
Predefined user roles
network-admin
Examples
# Configure Ten-GigabitEthernet 1/0/1 as an ARP trusted interface.
Parameters
dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
ip: Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP requests. All-zero, all-one, or multicast IP addresses are considered invalid and the corresponding packets are discarded.
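The validity checks described for arp detection validate-check (dst-mac and ip, above) together with the source MAC address consistency check (Ethernet source MAC versus ARP sender MAC, described earlier), as an added Python example that is not the switch's own code. The ArpPacket layout, the check order and the function names are assumptions; the sample packets are constructed, and drops are charged to the same IP / Src-MAC / Dst-MAC counters that display arp detection statistics reports.

```python
"""ARP detection validity checks (dst-mac, ip, source MAC consistency).
Added example, not code from the switch; packet layout and names are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpPacket:
    eth_dst: str      # destination MAC in the Ethernet header
    eth_src: str      # source MAC in the Ethernet header
    op: int           # ARP_REQUEST or ARP_REPLY
    sender_mac: str   # sender hardware address in the ARP body
    sender_ip: str
    target_mac: str   # target hardware address in the ARP body
    target_ip: str


def _norm_mac(mac: str) -> str:
    """Normalise H-H-H, hh:hh:hh:hh:hh:hh or hhhh.hhhh.hhhh into 12 lowercase hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return digits


def mac_is_invalid(mac: str) -> bool:
    """All-zero and all-one MAC addresses are invalid in an ARP reply's target field."""
    d = _norm_mac(mac)
    return d == "0" * 12 or d == "f" * 12


def ip_is_invalid(ip: str) -> bool:
    """All-zero, all-one and multicast IP addresses are invalid in an ARP body."""
    addr = IPv4Address(ip)
    return addr == IPv4Address("0.0.0.0") or addr == IPv4Address("255.255.255.255") or addr.is_multicast


def check_arp(pkt: ArpPacket, src_mac_check: bool = True,
              dst_mac_check: bool = True, ip_check: bool = True) -> Optional[str]:
    """Return None if the packet passes, otherwise the statistics counter the drop
    is charged to: 'Src-MAC', 'Dst-MAC' or 'IP'."""
    # Source MAC consistency check: Ethernet source MAC vs. ARP sender MAC.
    if src_mac_check and _norm_mac(pkt.eth_src) != _norm_mac(pkt.sender_mac):
        return "Src-MAC"
    # dst-mac check applies to ARP responses only.
    if dst_mac_check and pkt.op == ARP_REPLY:
        if mac_is_invalid(pkt.target_mac) or _norm_mac(pkt.target_mac) != _norm_mac(pkt.eth_dst):
            return "Dst-MAC"
    # ip check: sender and target IP for replies, sender IP only for requests.
    if ip_check:
        ips = [pkt.sender_ip, pkt.target_ip] if pkt.op == ARP_REPLY else [pkt.sender_ip]
        if any(ip_is_invalid(ip) for ip in ips):
            return "IP"
    return None


def filter_packets(packets: List[ArpPacket]):
    """Run the checks over a batch; return (passed packets, drop counters by reason)."""
    passed = []
    counters = {"IP": 0, "Src-MAC": 0, "Dst-MAC": 0}
    for p in packets:
        reason = check_arp(p)
        if reason is None:
            passed.append(p)
        else:
            counters[reason] += 1
    return passed, counters


# Constructed sample traffic (not captured from a real network).
SAMPLE = [
    # valid broadcast request; all-zero target MAC is normal in a request
    ArpPacket("ffff-ffff-ffff", "0001-0001-0001", ARP_REQUEST, "0001-0001-0001", "192.168.0.1", "0000-0000-0000", "192.168.0.2"),
    # valid unicast reply
    ArpPacket("0001-0001-0001", "0002-0002-0002", ARP_REPLY, "0002-0002-0002", "192.168.0.2", "0001-0001-0001", "192.168.0.1"),
    # Ethernet source MAC differs from ARP sender MAC
    ArpPacket("ffff-ffff-ffff", "0003-0003-0003", ARP_REQUEST, "0004-0004-0004", "192.168.0.3", "0000-0000-0000", "192.168.0.1"),
    # reply with all-one target MAC
    ArpPacket("0001-0001-0001", "0002-0002-0002", ARP_REPLY, "0002-0002-0002", "192.168.0.2", "ffff-ffff-ffff", "192.168.0.1"),
    # reply whose sender IP is a multicast address
    ArpPacket("0001-0001-0001", "0002-0002-0002", ARP_REPLY, "0002-0002-0002", "224.0.0.5", "0001-0001-0001", "192.168.0.1"),
]
```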
Predefined user roles
network-admin
network-operator
Examples
# Display the VLANs enabled with ARP detection.
display arp detection
ARP detection is enabled in the following VLANs:
1-2, 4-5
Related commands
arp detection enable
display arp detection statistics
Use display arp detection statistics to display ARP detection statistics.
...
Table 23 Command output
Field    Description
State    • U—ARP untrusted interface. • T—ARP trusted interface.
Interface(State)    Inbound interface of ARP packets. State specifies the port state, trusted or untrusted.
IP    Number of ARP packets discarded due to invalid source and destination IP addresses.
Src-MAC    Number of ARP packets discarded due to invalid source MAC address.
Dst-MAC    Number of ARP packets discarded due to invalid destination MAC address.
Predefined user roles
network-admin
Usage guidelines
The static ARP entries changed from dynamic ARP entries have the same attributes as manually configured static ARP entries. The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device might fail to change some dynamic ARP entries into static ARP entries.
The start IP address and end IP address must be on the same network as the primary IP address or manually configured secondary IP addresses of the interface. IP addresses that already exist in ARP entries are not scanned.
ARP automatic scanning might take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.
[Sysname-Ten-GigabitEthernet1/0/1] arp filter source 1.1.1.1
ARP filtering commands
arp filter binding
Use arp filter binding to configure an ARP permitted entry. If the sender IP and MAC addresses of an ARP packet match an ARP permitted entry, the ARP packet is permitted. If not, it is discarded.
Use undo arp filter binding to remove an ARP permitted entry.
Syntax
arp filter binding ip-address mac-address
undo arp filter binding ip-address
Default
No ARP permitted entry is configured.
uRPF commands
display ip urpf
Use display ip urpf to display uRPF configuration.
Syntax
In standalone mode:
display ip urpf [ slot slot-number ]
In IRF mode:
display ip urpf [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device.
Syntax
ip urpf { loose | strict }
undo ip urpf
Default
uRPF is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.
strict: Enables strict uRPF check. To pass strict uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of a FIB entry.
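The loose and strict uRPF checks described above, worked through against a small FIB with longest-prefix matching, as an added Python example that is not the switch's own code. The FIB contents, interface names and function names are constructed assumptions.

```python
"""Loose and strict uRPF checks against a FIB (ip urpf { loose | strict }).
Added example, not code from the switch; FIB layout and names are assumptions."""
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

# Constructed FIB: (destination prefix, output interface). Not from a real device.
FIB = [
    ("10.1.0.0/16", "Ten-GigabitEthernet1/0/1"),
    ("10.1.5.0/24", "Ten-GigabitEthernet1/0/2"),
    ("192.168.0.0/24", "Vlan-interface10"),
]


def fib_lookup(fib: Iterable[Tuple[str, str]], address: str):
    """Longest-prefix match: return (network, output interface) or None."""
    addr = ip_address(address)
    best = None
    for prefix, iface in fib:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib: Iterable[Tuple[str, str]], src_ip: str, in_iface: str, mode: str) -> bool:
    """Return True if a packet from src_ip arriving on in_iface passes uRPF.

    loose:  some FIB entry's destination covers the source address.
    strict: additionally, that entry's output interface is the receiving interface.
    Note (general property, not from this page): a default route in the FIB makes
    loose mode pass every source, so loose mode mainly catches unroutable sources."""
    if mode not in ("loose", "strict"):
        raise ValueError(f"unknown uRPF mode {mode!r}")
    entry = fib_lookup(fib, src_ip)
    if entry is None:
        return False        # no route back to the source: drop
    if mode == "loose":
        return True
    return entry[1] == in_iface


def filter_batch(fib: Iterable[Tuple[str, str]], packets: Iterable[Tuple[str, str]], mode: str):
    """packets: (src_ip, in_iface) pairs. Return (forwarded, dropped) lists of src_ip."""
    fib = list(fib)
    forwarded: List[str] = []
    dropped: List[str] = []
    for src_ip, in_iface in packets:
        (forwarded if urpf_check(fib, src_ip, in_iface, mode) else dropped).append(src_ip)
    return forwarded, dropped


# Constructed packet batch: (source IP, receiving interface).
PACKETS = [
    ("10.1.5.7", "Ten-GigabitEthernet1/0/2"),    # matches the /24, arrives on its output interface
    ("10.1.5.7", "Ten-GigabitEthernet1/0/1"),    # routed via 1/0/2 but arrived on 1/0/1
    ("10.1.9.9", "Ten-GigabitEthernet1/0/1"),    # matches the /16 on its output interface
    ("172.16.0.1", "Ten-GigabitEthernet1/0/1"),  # no FIB entry at all
]
```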
FIPS commands
fips mode enable
Use fips mode enable to enable FIPS mode.
Use undo fips mode enable to disable FIPS mode.
Syntax
fips mode enable
undo fips mode enable
Default
FIPS mode is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
After you enable FIPS mode and reboot the device, the system enforces strict security requirements and performs self-tests on its cryptographic modules to make sure that they work correctly.
After the fips mode enable command is executed, the system prompts you to choose a startup method. If you do not make a choice within 30 seconds, the system uses the manual reboot method by default.
To switch to non-FIPS mode, execute the undo fips mode enable command in system view, save the configuration, and reboot the device.
Examples
# Enable FIPS mode, and choose the automatic reboot method to enter FIPS mode.
Slot 1 in chassis 1:
Starting Known-Answer tests in the user space.
Known-answer test for SHA1 passed.
Known-answer test for SHA224 passed.
Known-answer test for SHA256 passed.
Known-answer test for SHA384 passed.
Known-answer test for SHA512 passed.
Known-answer test for HMAC-SHA1 passed.
Known-answer test for HMAC-SHA224 passed.
Known-answer test for HMAC-SHA256 passed.
Known-answer test for HMAC-SHA384 passed.
Known-answer test for HMAC-SHA512 passed.
Known-answer test for AES passed.
Syntax
display fips status
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the current FIPS mode state.
display fips status
FIPS mode is enabled.
IPsec commands
IPsec commands are supported only when the switch is operating in FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
ah authentication-algorithm
Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
Use undo ah authentication-algorithm to remove all specified authentication algorithms for the AH protocol.
Examples
# Create an IPsec transform set, and specify HMAC-SHA1 as the AH authentication algorithm for the transform set.
system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] ah authentication-algorithm sha1
description
Use description to configure a description for an IPsec policy, IPsec policy template, or IPsec profile.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is defined.
Parameters
ipv6-policy: Displays information about IPv6 IPsec policies.
policy: Displays information about IPv4 IPsec policies.
policy-name: Specifies an IPsec policy by its name, a case-sensitive string of 1 to 63 characters.
seq-number: Specifies an IPsec policy entry by its sequence number. The value range is 1 to 65535.
Usage guidelines
• If you do not specify any parameters, this command displays information about all IPsec policies.
ESP SPI: 1500 (0x000005dc)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
----------------------------
Sequence number: 2
Mode: isakmp
----------------------------
The policy configuration is incomplete:
Remote-address not set
ACL not specified
Transform-set not set
Description: This is my first IPv4 Isakmp policy
Security data flow:
Selector mode: standard
Local address:
Remote address:
Transform set:
IKE profile:
SA duration(time based):
SA duration(traffic based):
SA idle time:
Outbound AH setting:
AH SPI: 6000 (0x00001770)
AH string-key: ******
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 8000 (0x00001f40)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
----------------------------
Sequence number: 2
Mode: isakmp
----------------------------
Description: This is my complete policy
Security data flow: 3200
Selector mode: standard
Local address:
Remote address: 5.3.6.
ESP authentication hex key:
Outbound AH setting:
AH SPI: 1237 (0x000004d5)
AH string-key: ******
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 1238 (0x000004d6)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
Table 25 Command output
Field    Description
IPsec Policy    IPsec policy name.
Interface    Interface applied with the IPsec policy.
Sequence number    Sequence number of the IPsec policy entry.
Mode    Negotiation mode of the IPsec policy: • manual—Manual mode.
Field    Description
AH string-key    AH string key (****** is displayed if the key is configured).
AH authentication hex key    AH authentication hex key (****** is displayed if the key is configured).
ESP string-key    ESP string key (****** is displayed if the key is configured).
ESP encryption hex key    ESP encryption hex key (****** is displayed if the key is configured).
ESP authentication hex key    ESP authentication hex key (****** is displayed if the key is configured).
-----------------------------------------------
IPsec Policy Template: template
-----------------------------------------------
--------------------------------
Sequence number: 1
--------------------------------
Description: This is policy template
Security data flow :
IKE profile: None
Remote address: 162.105.10.2
Transform set: testprop
IPsec SA local duration(time based): 3600 seconds
IPsec SA local duration(traffic based): 1843200 kilobytes
# Display information about all IPv6 IPsec policy templates.
display ipsec profile
Use display ipsec profile to display information about IPsec profiles.
Syntax
display ipsec profile [ profile-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
profile-name: Specifies an IPsec profile by its name, a case-sensitive string of 1 to 63 characters.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPsec profiles.
Examples
# Display information about all IPsec profiles.
Table 27 Command output
Field    Description
IPsec profile    IPsec profile name.
Mode    Negotiation mode used by the IPsec profile. Only the manual mode is available.
Description    Description of the IPsec profile.
Transform set    IPsec transform set referenced by the IPsec profile.
Related commands
ipsec profile
display ipsec sa
Use display ipsec sa to display information about IPsec SAs.
Examples
# Display brief information about IPsec SAs.
display ipsec sa brief
----------------------------------------------------------------------
Interface/Global    Dst Address    SPI    Protocol    Status
----------------------------------------------------------------------
Vlan-int1    10.1.1.1    400    ESP    active
Vlan-int1    255.255.255.
[Inbound ESP SAs]
SPI: 3564837569 (0xd47b1ac1)
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 4294967295/604800
SA remaining duration (kilobytes/sec): 1843200/2686
Max received sequence-number: 5
Anti-replay check enable: Y
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
Status: active
[Outbound ESP SAs]
SPI: 801701189 (0x2fc8fd45)
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 4294967295/604800
SA remaining durati
Field    Description
Mode    Negotiation mode used by the IPsec policy: • manual • isakmp
Tunnel id    IPsec tunnel ID.
Encapsulation mode    Encapsulation mode, transport or tunnel.
• reset ipsec sa
display ipsec statistics
Use display ipsec statistics to display IPsec packet statistics.
Syntax
display ipsec statistics [ tunnel-id tunnel-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range is 0 to 4294967295. You can use the display ipsec tunnel brief command to view the IDs of established IPsec tunnels.
No available SA: 0
Wrong SA: 0
Invalid length: 0
Authentication failure: 0
Encapsulation failure: 0
Decapsulation failure: 0
Replayed packets: 0
ACL check failure: 0
MTU check failure: 0
Loopback limit exceeded: 0
Table 30 Command output
Field    Description
Received/sent packets    Number of received/sent IPsec-protected packets.
Received/sent bytes    Number of bytes of received/sent IPsec-protected packets.
Dropped packets (received/sent)    Number of dropped IPsec-protected packets (received/sent).
Parameters
transform-set-name: Specifies an IPsec transform set by its name, a case-sensitive string of 1 to 63 characters.
Usage guidelines
If you do not specify an IPsec transform set, this command displays information about all IPsec transform sets.
Examples
# Display information about all IPsec transform sets.
count: Displays the number of IPsec tunnels.
tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range is 0 to 4294967295.
Usage guidelines
IPsec is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.
Examples
# Display brief information about all IPsec tunnels.
Tunnel:
local address:
remote address:
Flow:
Tunnel ID: 1
Status: active
Perfect forward secrecy:
SA's SPI:
outbound: 6000 (0x00001770) [AH]
inbound: 5000 (0x00001388) [AH]
outbound: 8000 (0x00001f40) [ESP]
inbound: 7000 (0x00001b58) [ESP]
Tunnel:
local address: 1.2.3.1
remote address: 2.2.2.2
Flow: as defined in ACL 3100
# Display information about IPsec tunnel 1.
Field    Description
local address    Local end IP address of the IPsec tunnel.
remote address    Remote end IP address of the IPsec tunnel.
Flow    Information about the data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port and protocol.
as defined in ACL 3001    Range of data flow protected by the IPsec tunnel that is established manually. This information shows that the IPsec tunnel protects all data flows defined by ACL 3001.
are two hosts behind the gateways. The tunnel mode is typically used for protecting gateway-to-gateway communications.
The IPsec transform sets at both ends of the IPsec tunnel must have the same encapsulation mode.
The IPsec transform set referenced by the IPsec profile must use the transport mode for packet encapsulation.
Examples
# Configure the IPsec transform set tran1 to use the transport mode for IP packet encapsulation.
• For an IKE-based IPsec policy, the initiator sends all ESP authentication algorithms specified in the IPsec transform set to the peer end during the negotiation phase, and the responder matches the received algorithms against its local algorithms, starting from the first one, until a match is found. To ensure a successful IKE negotiation, the IPsec transform sets specified at both ends of the tunnel must have at least one ESP authentication algorithm in common.
Usage guidelines
You can specify multiple ESP encryption algorithms for one IPsec transform set, and an algorithm specified earlier has a higher priority.
• For a manual IPsec policy, the first specified ESP encryption algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first ESP encryption algorithm.
Examples
# Configure IPsec policy (policy1) to reference IKE profile (profile1).
system-view
[Sysname] ipsec policy policy1 10 isakmp
[Sysname-ipsec-policy-isakmp-policy1-10] ike-profile profile1
Related commands
ike profile
ipsec anti-replay check
Use ipsec anti-replay check to enable IPsec anti-replay checking.
Use undo ipsec anti-replay check to disable IPsec anti-replay checking.
Syntax
ipsec anti-replay check
undo ipsec anti-replay check
Default
IPsec anti-replay checking is enabled.
Use undo ipsec anti-replay window to restore the default.
Syntax
ipsec anti-replay window width
undo ipsec anti-replay window
Default
The anti-replay window size is 64.
Views
System view
Predefined user roles
network-admin
Parameters
width: Specifies the size of the anti-replay window. It can be 64, 128, 256, 512, or 1024 packets.
Usage guidelines
Changing the anti-replay window size affects only the IPsec SAs negotiated later.
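How an anti-replay window of the configured width behaves on a receiving SA (the "Max received sequence-number" and "Anti-replay window size" fields shown by display ipsec sa), as an added Python example that is not the switch's own code. It follows the sliding-bitmap scheme of RFC 4303 Appendix A; the class and method names are assumptions, and the window state is kept per SA because the page says a changed width applies only to SAs negotiated afterwards.

```python
"""Per-SA anti-replay sliding window (RFC 4303 style bitmap).
Added example, not code from the switch; names are assumptions."""
from typing import List


class AntiReplayWindow:
    """Tracks the highest accepted sequence number and a bitmap of the last
    `width` sequence numbers. Bit i set means (last_seq - i) was already accepted."""

    def __init__(self, width: int = 64):
        if width <= 0:
            raise ValueError("window width must be positive")
        self.width = width
        self.last_seq = 0           # highest sequence number accepted so far
        self.bitmap = 0             # width bits; bit 0 corresponds to last_seq

    def check(self, seq: int) -> str:
        """Classify seq without touching state: 'ok', 'replay', 'stale' or 'invalid'."""
        if seq <= 0:
            return "invalid"        # ESP sequence numbers start at 1
        if seq > self.last_seq:
            return "ok"             # to the right of the window: always new
        diff = self.last_seq - seq
        if diff >= self.width:
            return "stale"          # fell off the left edge of the window
        return "replay" if (self.bitmap >> diff) & 1 else "ok"

    def update(self, seq: int) -> None:
        """Record seq as accepted. Call only after the packet's integrity check passed,
        otherwise a forged sequence number could slide the window forward."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.width) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)

    def receive(self, seq: int, auth_ok: bool = True) -> str:
        """Full receive path: window check first, then (simulated) authentication,
        then window update. Returns 'accepted' or 'dropped:<reason>'."""
        verdict = self.check(seq)
        if verdict != "ok":
            return "dropped:" + verdict
        if not auth_ok:
            return "dropped:auth"
        self.update(seq)
        return "accepted"


def replay_sequence(width: int, seqs: List[int]) -> List[str]:
    """Feed a constructed sequence-number stream through one SA's window."""
    window = AntiReplayWindow(width)
    return [window.receive(s) for s in seqs]


# Constructed arrival order for a 64-packet window: in-order, duplicate,
# out-of-order but inside the window, a jump, then one packet just outside
# and one just inside the left edge.
SAMPLE_ARRIVALS = [1, 1, 3, 2, 2, 100, 36, 37]
```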
Parameters
ipv6-policy: Specifies an IPv6 IPsec policy.
policy: Specifies an IPv4 IPsec policy.
policy-name: Name of an IPsec policy, a case-sensitive string of 1 to 63 characters.
Usage guidelines
On an interface, you can apply only one IPsec policy. To apply a new IPsec policy to the interface, you must first remove the IPsec policy that is already applied to the interface.
ipsec logging packet enable
Use ipsec logging packet enable to enable logging for IPsec packets.
Use undo ipsec logging packet enable to disable logging for IPsec packets.
Syntax
ipsec logging packet enable
undo ipsec logging packet enable
Default
Logging for IPsec packets is disabled.
copy: Copies the DF bit of the original IP headers to the outer IP headers.
set: Sets the DF bit for outer IP headers. In this case, the encapsulated IPsec packets cannot be fragmented.
Usage guidelines
This command is effective only when the IPsec encapsulation mode is tunnel mode. It is not effective in transport mode because outer IP headers are not added in transport mode. This command does not change the DF bit for the original IP headers of encapsulated packets.
Usage guidelines
This command is effective only when the IPsec encapsulation mode is tunnel mode. It is not effective in transport mode because outer IP headers are not added in transport mode. This command does not change the DF bit for the original IP headers of encapsulated packets.
Packet fragmentation and reassembly might delay packet forwarding. If you set the DF bit for encapsulated IPsec packets, the packets will not be fragmented.
• An IPsec policy is a set of IPsec policy entries that have the same name but different sequence numbers. In the same IPsec policy, an IPsec policy entry with a smaller sequence number has a higher priority.
• With the seq-number argument specified, the undo command deletes the specified IPsec policy entry. Without this argument, the undo command deletes all entries of the specified IPsec policy.
• An IPv4 IPsec policy and an IPv6 IPsec policy can have the same name.
isakmp template template-name: Specifies an IPsec policy template by its name, a case-sensitive string of 1 to 64 characters. The specified IPsec policy template must already exist.
Usage guidelines
Without the seq-number argument specified, the undo command deletes all entries of the specified IPsec policy.
An interface referencing an IPsec policy that is configured by using an IPsec policy template cannot initiate an SA negotiation, but it can respond to a negotiation request.
one interface fails and a link failover occurs, the other interface needs to take some time to re-negotiate SAs, resulting in service interruption. To solve the problems, bind a source interface to an IPsec policy and apply the policy to both interfaces. This enables the two physical interfaces to use the same source interface to negotiate IPsec SAs. As long as the source interface is up, the negotiated IPsec SAs will not be removed and will keep working, regardless of link failover.
seq-number: Specifies a sequence number for the IPsec policy template, in the range of 1 to 65535. A smaller number indicates a higher priority.
Usage guidelines
The parameters configurable for an IPsec policy template are the same as those you configure when directly configuring an IKE-based IPsec policy. The difference is that more parameters are optional for an IPsec policy template: except for the IPsec transform sets and the IKE peer, all other parameters are optional.
An IPsec profile is similar to a manual IPsec policy. It is dedicated to IPsec protection for application protocols, including OSPFv3, IPv6 BGP, and RIPng.
Examples
# Create an IPsec profile named profile1.
system-view
[Sysname] ipsec profile profile1 manual
[Sysname-ipsec-profile-profile1]
Related commands
display ipsec profile
ipsec sa global-duration
Use ipsec sa global-duration to configure the global IPsec SA lifetime.
Use undo ipsec sa global-duration to restore the default.
# Configure the global IPsec SA lifetime as 10240 kilobytes.
[Sysname] ipsec sa global-duration traffic-based 10240
Related commands
• display ipsec sa
• sa duration
ipsec sa idle-time
Use ipsec sa idle-time to enable the global IPsec SA idle timeout function and set the idle timeout. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted.
Use undo ipsec sa idle-time to restore the default.
undo ipsec transform-set transform-set-name
Default
No IPsec transform set exists.
Views
System view
Predefined user roles
network-admin
Parameters
transform-set-name: Specifies a name for the IPsec transform set, a case-sensitive string of 1 to 63 characters.
Usage guidelines
An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA negotiation, including the security protocol, and the encryption and authentication algorithms.
Usage guidelines
The remote IP address on the IKE negotiation initiator must be the same as the local address on the IKE negotiation responder.
Examples
# Configure the local address 1.1.1.1 for the IPsec tunnel.
system-view
[Sysname] ipsec policy map 1 isakmp
[Sysname-ipsec-policy-isakmp-map-1] local-address 1.1.1.1
Related commands
remote-address
pfs
Use pfs to enable the perfect forward secrecy (PFS) feature for an IPsec transform set, used for IKE negotiation.
The security level of the local Diffie-Hellman group must be higher than or equal to that of the peer. The end without the PFS feature performs SA negotiation according to the PFS requirements of the peer end.
Examples
# Enable PFS using the 2048-bit Diffie-Hellman group for IPsec transform set tran1.
system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] pfs dh-group14
protocol
Use protocol to specify a security protocol for an IPsec transform set.
undo qos pre-classify
Default
The QoS pre-classify feature is disabled. That is, QoS uses the new IP header of IPsec packets to perform traffic classification.
Views
IPsec policy view, IPsec policy template view
Predefined user roles
network-admin
Usage guidelines
The QoS pre-classify feature enables QoS to classify packets by using the IP header of the original IP packets.
Examples
# Enable the QoS pre-classify feature.
A manual IPsec policy does not support DNS. Therefore, you must specify a remote IP address rather than a remote host name for the manual IPsec policy.
If you configure a remote host name, the following scenarios apply:
• If the host name is resolved by the DNS server, the local end sends a request to the DNS server to obtain the latest IP address corresponding to the host name when the domain name resolution period expires.
Parameters { ipv6-policy | policy } policy-name [ seq-number ]: Clears IPsec SAs for the specified IPsec policy. • ipv6-policy: Specifies an IPv6 IPsec policy. • policy: Specifies an IPv4 IPsec policy. • policy-name: Specifies the name of the IPsec policy, a case-sensitive string of 1 to 63 characters. • seq-number: Specifies the sequence number of an IPsec policy entry, in the range of 1 to 65535. If no seq-number is specified, all the entries in the IPsec policy are specified.
reset ipsec sa policy policy1 10 # Clear all IPsec SAs for the IPsec policy policy1. reset ipsec sa policy policy1 Related commands display ipsec sa reset ipsec statistics Use reset ipsec statistics to clear IPsec packet statistics. Syntax reset ipsec statistics [ tunnel-id tunnel-id ] Views User view Predefined user roles network-admin Parameters tunnel-id tunnel-id: Clears IPsec packet statistics for the specified IPsec tunnel.
traffic-based kilobytes: Specifies the traffic-based SA lifetime, in the range of 2560 to 4294967295 kilobytes. Usage guidelines IKE prefers the SA lifetime of the IPsec policy over the global SA lifetime. If the IPsec policy is not configured with the SA lifetime, IKE uses the global SA lifetime configured by the ipsec sa global-duration command for SA negotiation. During SA negotiation, IKE selects the shorter SA lifetime between the local SA lifetime and the remote SA lifetime.
cipher key-value: Sets a ciphertext authentication key, a case-sensitive string of 1 to 85 characters. simple key-value: Sets a plaintext authentication key. The key-value argument is case insensitive and must be a 16-byte hexadecimal string for HMAC-MD5, and a 20-byte hexadecimal string for HMAC-SHA1. Usage guidelines This command applies to only manual IPsec policies and IPsec profiles. You must set an authentication key for both the inbound and outbound SAs.
outbound: Specifies a hexadecimal encryption key for outbound SAs. esp: Uses ESP. cipher key-value: Sets a ciphertext encryption key, a case-sensitive string of 1 to 117 characters. simple key-value: Sets a plaintext encryption key. The key-value argument is case insensitive and must be an 8-byte hexadecimal string for DES-CBC, a 24-byte hexadecimal string for 3DES-CBC, a 16-byte hexadecimal string for AES128-CBC, a 24-byte hexadecimal string for AES192-CBC, and a 32-byte hexadecimal string for AES256-CBC.
Views IPsec policy view, IPsec policy template view Predefined user roles network-admin Parameters seconds: Specifies the IPsec SA idle timeout, in the range of 60 to 86400 seconds. Usage guidelines This function applies only to IPsec SAs negotiated by IKE and takes effect when the ipsec sa idle-time command has been configured.
Usage guidelines This command applies to only manual IPsec policies and IPsec profiles. You must configure an SPI for both inbound and outbound SAs, and make sure the SAs in each direction are unique: For an outbound SA, make sure its triplet (remote IP address, security protocol, and SPI) is unique. For an inbound SA, make sure its SPI is unique. The local inbound SA must use the same SPI as the remote outbound SA, and the local outbound SA must use the same SPI as the remote inbound SA.
system automatically generates keys meeting the algorithm requirements. When the protocol is ESP, the system generates the keys for the authentication algorithm and encryption algorithm respectively. Usage guidelines This command applies to only manual IPsec policies and IPsec profiles. You must set a key for both inbound and outbound SAs. The local inbound SA must use the same key as the remote outbound SA, and the local outbound SA must use the same key as the remote inbound SA.
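The key-length, SPI and inbound/outbound pairing rules of the sa authentication-hex, sa encryption-hex, sa spi and sa string-key commands are easy to get wrong when two devices are keyed by hand. The following Python checker is an added example, not part of this reference and not HP code. It validates a pair of manual SA configurations against those rules: hex keys of the byte length each algorithm requires, an SPI and keys for both directions, a unique outbound (remote address, protocol, SPI) triplet and a unique inbound SPI per device, and the local inbound SA mirroring the remote outbound SA and vice versa. The data model, the algorithm names as spelled here and the SPI range 256 to 4294967295 are assumptions for the example.

```python
"""Consistency check for manually keyed IPsec SAs on two peers.

Added example, not HP code. It encodes the rules of the sa authentication-hex,
sa encryption-hex, sa spi and sa string-key commands in this reference:
- keys are hexadecimal strings of a fixed byte length per algorithm;
- both the inbound and the outbound SA need an SPI and keys;
- an outbound SA's (remote address, protocol, SPI) triplet and an inbound SA's SPI
  must be unique on the device;
- the local inbound SA must carry the same SPI and keys as the remote outbound SA,
  and the local outbound SA the same as the remote inbound SA.
Assumptions: the data model below and the SPI range 256-4294967295.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Required key lengths in bytes, as listed in the reference.
AUTH_KEY_BYTES = {"hmac-md5": 16, "hmac-sha1": 20}
ENC_KEY_BYTES = {"des-cbc": 8, "3des-cbc": 24, "aes128-cbc": 16, "aes192-cbc": 24, "aes256-cbc": 32}
SPI_MIN, SPI_MAX = 256, 4294967295   # assumed range for this example


@dataclass
class ManualSA:
    """One direction of a manual SA as configured on one device."""
    remote: str                      # remote-address of the policy
    protocol: str                    # "esp" or "ah"
    spi: int
    auth_alg: str
    auth_key: str                    # hex string
    enc_alg: Optional[str] = None    # AH has no encryption
    enc_key: Optional[str] = None


@dataclass
class ManualPolicy:
    """The two SAs of one manual policy, plus the device's other SAs for uniqueness checks."""
    inbound: ManualSA
    outbound: ManualSA
    other_outbound_triplets: set = field(default_factory=set)
    other_inbound_spis: set = field(default_factory=set)


def _check_hex_key(label: str, key: Optional[str], nbytes: Optional[int], errors: list) -> None:
    if nbytes is None:
        errors.append(f"{label}: unsupported algorithm")
    elif key is None or not re.fullmatch(r"[0-9A-Fa-f]+", key):
        errors.append(f"{label}: key must be a hexadecimal string")
    elif len(key) != 2 * nbytes:
        errors.append(f"{label}: key must be {nbytes} bytes ({2 * nbytes} hex digits), got {len(key)} digits")


def check_sa(label: str, sa: ManualSA) -> list:
    """Validate one SA's SPI range and key lengths."""
    errors = []
    if not SPI_MIN <= sa.spi <= SPI_MAX:
        errors.append(f"{label}: SPI {sa.spi} out of range")
    _check_hex_key(f"{label} auth", sa.auth_key, AUTH_KEY_BYTES.get(sa.auth_alg), errors)
    if sa.protocol == "esp":
        _check_hex_key(f"{label} enc", sa.enc_key, ENC_KEY_BYTES.get(sa.enc_alg or ""), errors)
    elif sa.enc_key is not None:
        errors.append(f"{label}: AH SA must not carry an encryption key")
    return errors


def check_policy(label: str, p: ManualPolicy) -> list:
    """Validate both directions and SPI uniqueness on one device."""
    errors = check_sa(f"{label} inbound", p.inbound) + check_sa(f"{label} outbound", p.outbound)
    triplet = (p.outbound.remote, p.outbound.protocol, p.outbound.spi)
    if triplet in p.other_outbound_triplets:
        errors.append(f"{label}: outbound triplet {triplet} is already in use")
    if p.inbound.spi in p.other_inbound_spis:
        errors.append(f"{label}: inbound SPI {p.inbound.spi} is already in use")
    return errors


def check_pair(local: ManualPolicy, remote: ManualPolicy) -> list:
    """Validate both devices and that their SAs mirror each other."""
    errors = check_policy("local", local) + check_policy("remote", remote)
    pairs = (("local inbound / remote outbound", local.inbound, remote.outbound),
             ("local outbound / remote inbound", local.outbound, remote.inbound))
    for name, a, b in pairs:
        for attr in ("protocol", "spi", "auth_alg", "auth_key", "enc_alg", "enc_key"):
            if getattr(a, attr) != getattr(b, attr):
                errors.append(f"{name}: {attr} mismatch")
    return errors


def sample_pair(break_it: bool = False):
    """Constructed sample: 1.1.1.1 <-> 2.2.2.2, ESP with AES128-CBC and HMAC-SHA1."""
    enc = "00112233445566778899aabbccddeeff"             # 16 bytes
    auth = "0123456789abcdef0123456789abcdef01234567"     # 20 bytes
    a_to_b = dict(protocol="esp", spi=12345, auth_alg="hmac-sha1", auth_key=auth,
                  enc_alg="aes128-cbc", enc_key=enc)
    b_to_a = dict(a_to_b, spi=54321, enc_key=enc[::-1])
    local = ManualPolicy(inbound=ManualSA("2.2.2.2", **b_to_a), outbound=ManualSA("2.2.2.2", **a_to_b))
    remote = ManualPolicy(inbound=ManualSA("1.1.1.1", **a_to_b), outbound=ManualSA("1.1.1.1", **b_to_a))
    if break_it:
        local.inbound.enc_key = "abcd"   # too short for AES128-CBC and no longer mirrors the remote outbound SA
    return local, remote
```

Running check_pair on the constructed sample returns an empty list; shortening one key on one side produces two findings, the length error on that SA and the mismatch against the peer's opposite-direction SA, which is exactly the pair of symptoms a mistyped manual key shows on real equipment (the SAs come up but no traffic passes).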
aggregation: Specifies the data protection mode as aggregation. The switch does not support protecting IPv6 data flows in aggregation mode. per-host: Specifies the data protection mode as per-host. Usage guidelines An IKE-based IPsec policy supports the following data flow protection modes: • Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one IPsec tunnel that is established solely for it.
Predefined user roles network-admin Parameters transform-set-name&<1-6>: Specifies an IPsec transform set by its name, a case-sensitive string of 1 to 63 characters. &<1-6> means that you can specify up to six IPsec transform sets. Usage guidelines A manual IPsec policy can reference only one IPsec transform set. If you specify an IPsec transform set for the manual IPsec policy multiple times, the most recent one takes effect. An IKE-based IPsec policy can reference six IPsec transform sets at most.
IKE commands IKE commands are supported only when the switch is operating in FIPS mode. For more information about FIPS mode, see Security Configuration Guide. authentication-algorithm Use authentication-algorithm to specify an authentication algorithm for an IKE proposal. Use undo authentication-algorithm to restore the default.
Syntax authentication-method { dsa-signature | pre-share | rsa-signature } undo authentication-method Default The IKE proposal uses the pre-shared key as the authentication method. Views IKE proposal view Predefined user roles network-admin Parameters dsa-signature: Specifies the DSA signatures as the authentication method. pre-share: Specifies the pre-shared key as the authentication method. rsa-signature: Specifies the RSA signatures as the authentication method.
Default Group1 (the 768-bit Diffie-Hellman group) is used. Views IKE proposal view Predefined user roles network-admin Parameters group1: Uses the 768-bit Diffie-Hellman group. group14: Uses the 2048-bit Diffie-Hellman group. group2: Uses the 1024-bit Diffie-Hellman group. group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup. group5: Uses the 1536-bit Diffie-Hellman group. Usage guidelines A DH group that uses more bits provides higher security but takes more time to compute.
Usage guidelines This command displays the configuration information about all IKE proposals in the descending order of proposal priorities. If no IKE proposal is configured, the command displays the default IKE proposal. Examples # Display the configuration information about all IKE proposals.
network-operator Parameters verbose: Displays detailed information. connection-id connection-id: Displays detailed information about IKE SAs by connection ID, in the range 1 to 2000000000. remote-address: Displays detailed information about IKE SAs with the specified remote address. ipv6: Specifies an IPv6 address. remote-address: Remote IP address. vpn-instance vpn-name: Displays detailed information about IKE SAs in an MPLS L3VPN. The vpn-name argument is a case-sensitive string of 1 to 31 characters.
Local IP: 4.4.4.4 Local ID type: IPV4_ADDR Local ID: 4.4.4.4 Remote IP: 4.4.4.5 Remote ID type: IPV4_ADDR Remote ID: 4.4.4.5 Authentication-method: PRE-SHARED-KEY Authentication-algorithm: HASH-SHA1 Encryption-algorithm: AES-CBC-192 Life duration(sec): 86400 Remaining key duration(sec): 86379 Exchange-mode: Main Diffie-Hellman group: Group 14 NAT traversal: Not detected # Display detailed information about the IKE SA with the remote address of 4.4.4.5. display ike sa verbose remote-address 4.4.
Field Description Outside VPN VPN instance name of the MPLS L3VPN to which the receiving interface belongs. Inside VPN VPN instance name of the MPLS L3VPN to which the protected data belongs. Profile Name of the matching IKE profile found in the IKE SA negotiation. If no matching profile is found, this field displays nothing. Transmitting entity Role of the IKE negotiation entity: Initiator or Responder. Local IP IP address of the local gateway.
Parameters interval interval-seconds: Specifies a period of time in seconds. The value range is from 1 to 300. • If the on-demand keyword is specified, this parameter specifies the number of seconds during which no IPsec packet is received before DPD is triggered if the local has IPsec traffic to send. • If the periodic keyword is specified, this parameter specifies a DPD triggering interval. retry seconds: Specifies the number of seconds between DPD retries if the DPD message fails.
Views IKE proposal view Predefined user roles network-admin Parameters 3des-cbc: Uses the 3DES algorithm in CBC mode as the encryption algorithm. The 3DES algorithm uses a 168-bit key for encryption. aes-cbc-128: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses a 128-bit key for encryption. aes-cbc-192: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses a 192-bit key for encryption.
Parameters aggressive: Specifies the aggressive mode. main: Specifies the main mode. Usage guidelines When the user (for example, a dial-up user) at the local end of an IPsec tunnel obtains an IP address automatically and pre-shared key authentication is used, HP recommends that you set the IKE negotiation mode to aggressive at the local end. This command is only applicable to non-FIPS mode. In FIPS mode, the IKE negotiation mode for IKE negotiation phase 1 is fixed to the main mode.
Usage guidelines DPD is triggered periodically or on demand. The on-demand mode is recommended when the device communicates with a large number of IKE peers. For earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU. When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply.
Usage guidelines The global identity can be used by the device for all IKE SA negotiations, and the local identity (set by the local-identity command) can be used only by the device that uses the IKE profile. In pre-shared key authentication, you cannot set the DN as the identity. In signature authentication: • You can set any type of the identity information.
Use caution when enabling the invalid SPI recovery feature, because it can expose the device to DoS attacks: an attacker can fabricate a large number of invalid SPI notifications for the same peer. Examples # Enable invalid SPI recovery. system-view [Sysname] ike invalid-spi-recovery enable ike keepalive interval Use ike keepalive interval to enable sending IKE keepalive messages and set the sending interval. Use undo ike keepalive interval to restore the default.
Syntax ike keepalive timeout seconds undo ike keepalive timeout Default The negotiated aging time for the IKE SA applies. Views System view Predefined user roles network-admin Parameters seconds: Specifies the IKE keepalive timeout in seconds, in the range of 20 to 28800. Usage guidelines If the local end receives no keepalive packets from the peer within the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.
Parameters keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters. vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IKE keychain belongs. The vpn-name argument is a case-sensitive string of 1 to 31 characters. To create an IKE keychain for the public network, do not specify this option. Usage guidelines To use pre-shared key authentication, you must create and specify an IKE keychain for the IKE profile.
The supported maximum number of established IKE SAs depends on the device's memory space. Adjust the maximum number of established IKE SAs to make full use of the device's memory space without affecting other applications in the system. Examples # Set the maximum number of half-open IKE SAs to 200. system-view [Sysname] ike limit max-negotiating-sa 200 # Set the maximum number of established IKE SAs to 200.
Syntax ike profile profile-name undo ike profile profile-name Default No IKE profile is configured. Views System view Predefined user roles network-admin Parameters profile-name: Specifies an IKE profile name, a case-insensitive string of 1 to 63 characters. Examples # Create IKE profile 1 and enter its view. system-view [Sysname] ike profile 1 [Sysname-ike-profile-1] ike proposal Use ike proposal to create an IKE proposal and enter IKE proposal view.
Parameters proposal-number: Specifies an IKE proposal number in the range of 1 to 65535. The lower the number, the higher the priority of the IKE proposal. Usage guidelines During IKE negotiation: • The initiator sends its IKE proposals to the peer. If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals referenced by the IKE profile to the peer. An IKE proposal specified earlier for the IKE profile has a higher priority.
If the ike signature-identity from-certificate command is not configured, the local-identity command configuration, if configured, takes precedence over the ike identity command configuration. Examples # Configure the local device to always obtain the identity information from the local certificate for signature authentication.
keychain Use keychain to specify an IKE keychain for pre-shared key authentication. Use undo keychain to remove the IKE keychain reference. Syntax keychain keychain-name undo keychain keychain-name Default No IKE keychain is specified for an IKE profile. Views IKE profile view Predefined user roles network-admin Parameters keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters. Usage guidelines An IKE profile can reference up to six IKE keychains.
Views IKE profile view Predefined user roles network-admin Parameters address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the local ID. dn: Uses the DN in the local certificate as the local ID. fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN.
Default An IKE keychain can be applied to any local interface or IP address. Views IKE keychain view Predefined user roles network-admin Parameters interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 address of a local interface. ipv6 ipv6-address: Specifies the IPv6 address of a local interface. vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IPv4 or IPv6 address belongs.
Default An IKE profile can be applied to any local interface or IP address. Views IKE profile view Predefined user roles network-admin Parameters interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 address of a local interface. ipv6 ipv6-address: Specifies the IPv6 address of a local interface. vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IPv4 or IPv6 address belongs.
undo match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } } Default No peer ID is configured. Views IKE profile view Predefined user roles network-admin Parameters certificate policy-name: Uses the DN in the peer's digital certificate as the peer ID.
[Sysname] ike profile prof1 # Configure a peer ID with the identity type of FQDN and the value of www.test.com. [Sysname-ike-profile-prof1] match remote identity fqdn www.test.com # Configure a peer ID with the identity type of IP address and the value of 10.1.1.1. [Sysname-ike-profile-prof1] match remote identity address 10.1.1.1 Related commands local-identity pre-shared-key Use pre-shared-key to configure a pre-shared key. Use undo pre-shared-key to remove a pre-shared key.
cipher-key: Specifies a ciphertext key string. In non-FIPS mode, it is a case-sensitive string of 1 to 201 characters. In FIPS mode, it is a case-sensitive string of 15 to 201 characters. Usage guidelines The address option or the hostname option specifies with which peer the device can use the pre-shared key to perform IKE negotiation. Two peers must be configured with the same pre-shared key to pass pre-shared key authentication.
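To see how the match remote, match local address, priority and pre-shared-key settings combine when a peer initiates, here is an added Python model; it is not part of this reference and not HP code. It selects the IKE profile whose peer-ID rule (address with mask or prefix, address range, FQDN, user FQDN, or certificate DN) and local-address restriction both match, refuses a DN identity under pre-shared key authentication, and then looks up the pre-shared key that is bound to the peer's address in the keychains. The sample profiles and keychains are constructed for the example; the rule that a lower priority number wins is stated on this page for IKE proposals and is assumed here for profiles and keychains as well; hostname-bound keys are skipped because they would need DNS.

```python
"""Selecting the IKE profile and pre-shared key for an incoming peer.

Added example, not HP code. It encodes rules from this reference:
- match remote identity: IPv4/IPv6 address with mask or prefix length, address range,
  FQDN, user FQDN, or the DN from the peer certificate (match remote certificate).
- match local address: by default a profile or keychain applies to any local address.
- pre-shared-key address ...: the key may be used only with that peer address.
- Pre-shared key authentication cannot use a DN as the identity.
Assumption: a lower priority number wins (the reference states this for IKE proposals;
the example applies the same rule to IKE profiles and keychains).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PeerID:
    kind: str    # "address", "fqdn", "user-fqdn" or "dn"
    value: str


@dataclass
class MatchRule:
    """One 'match remote identity ...' or 'match remote certificate ...' line."""
    kind: str    # "address" (CIDR), "range" ("low-high"), "fqdn", "user-fqdn", "certificate"
    value: str

    def matches(self, peer: PeerID) -> bool:
        if self.kind == "address":
            return peer.kind == "address" and \
                ipaddress.ip_address(peer.value) in ipaddress.ip_network(self.value, strict=False)
        if self.kind == "range":
            if peer.kind != "address":
                return False
            low, high = (ipaddress.ip_address(x) for x in self.value.split("-"))
            addr = ipaddress.ip_address(peer.value)
            return addr.version == low.version and low <= addr <= high
        if self.kind == "certificate":
            return peer.kind == "dn"          # the DN is taken from the peer's certificate
        # FQDN and user FQDN are case-sensitive strings in the reference.
        return peer.kind == self.kind and peer.value == self.value


@dataclass
class IKEProfile:
    name: str
    rules: list
    priority: int = 100                       # default priority in the reference
    local_address: Optional[str] = None       # 'match local address'; None = any
    auth_method: str = "pre-share"


@dataclass
class IKEKeychain:
    name: str
    keys: dict                                # peer address or CIDR -> pre-shared key
    priority: int = 100
    local_address: Optional[str] = None


def _local_ok(restriction: Optional[str], local_addr: str) -> bool:
    return restriction is None or ipaddress.ip_address(restriction) == ipaddress.ip_address(local_addr)


def select_profile(profiles: list, peer: PeerID, local_addr: str) -> Optional[IKEProfile]:
    """Highest-priority profile whose peer-ID and local-address constraints both hold."""
    ok = [p for p in profiles
          if _local_ok(p.local_address, local_addr)
          and any(r.matches(peer) for r in p.rules)
          and not (p.auth_method == "pre-share" and peer.kind == "dn")]
    return min(ok, key=lambda p: p.priority, default=None)


def select_key(keychains: list, peer_addr: str, local_addr: str):
    """(keychain name, key) usable with the peer, or (None, None). Hostname entries are skipped."""
    target = ipaddress.ip_address(peer_addr)
    for kc in sorted(keychains, key=lambda k: k.priority):
        if not _local_ok(kc.local_address, local_addr):
            continue
        for spec, key in kc.keys.items():
            try:
                net = ipaddress.ip_network(spec, strict=False)
            except ValueError:
                continue                      # a hostname; resolving it is out of scope here
            if target in net:
                return kc.name, key
    return None, None


# Constructed sample configuration, modelled on the examples in this reference.
PROFILES = [
    IKEProfile("prof1", [MatchRule("fqdn", "www.test.com"), MatchRule("address", "10.1.1.1/32")]),
    IKEProfile("prof2", [MatchRule("range", "10.1.0.0-10.1.255.255")], priority=50),
    IKEProfile("prof3", [MatchRule("address", "10.1.0.0/16")], priority=10, local_address="4.4.4.4"),
    IKEProfile("prof4", [MatchRule("certificate", "pki-policy1")], auth_method="rsa-signature"),
]
KEYCHAINS = [
    IKEKeychain("key1", {"10.1.1.1/32": "host-specific-secret"}, priority=10),
    IKEKeychain("key2", {"10.1.0.0/16": "subnet-wide-secret"}),
]
```

With the sample data, a peer presenting 10.1.1.1 to local address 1.1.1.1 gets prof2 (priority 50 beats prof1's default 100, and prof3 is excluded by its local-address restriction), while the same peer arriving on 4.4.4.4 gets prof3; the host-specific key in key1 is preferred over the subnet-wide key in key2 only because of its lower priority number, which is the knob to check when a peer authenticates with the wrong secret.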
Examples # Set the priority to 10 for IKE keychain key1. system-view [Sysname] ike keychain key1 [Sysname-ike-keychain-key1] priority 10 priority (IKE profile view) Use priority to specify a priority for an IKE profile. Use undo priority to restore the default. Syntax priority number undo priority Default The priority of an IKE profile is 100. Views IKE profile view Predefined user roles network-admin Parameters priority number: Specifies a priority number in the range of 1 to 65535.
Default An IKE profile references no IKE proposals and uses the IKE proposals configured in system view for IKE negotiation. Views IKE profile view Predefined user roles network-admin Parameters proposal-number&<1-6>: Specifies up to six IKE proposal numbers, each in the range of 1 to 65535. An IKE proposal specified earlier has a higher priority. Usage guidelines When acting as the initiator, the device sends the specified IKE proposals to its peer for IKE negotiation.
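The ordering rules spread over the ike proposal, proposal (IKE profile view), dh and pfs commands determine which algorithms an IKE SA ends up with. The following Python model is an added example, not part of this reference and not HP code. It builds the initiator's offer (the profile's proposals in the order they were specified, otherwise all system-view proposals with the lowest number first), models the responder picking a proposal, and applies the pfs rule that the local Diffie-Hellman group must be at least as strong as the peer's while an end without PFS follows the peer. Assumptions not stated on this page: the responder walks its own proposals from highest priority and accepts the first whose encryption, hash, authentication method and DH group equal one offered; the shorter SA duration is used (the rule this reference gives for IPsec SA lifetimes); DES-CBC, SHA and 86400 seconds as the remaining defaults; and group24 ranked by modulus size only. The sample proposals are constructed.

```python
"""IKE proposal ordering, responder selection and the PFS DH-group check.

Added example, not HP code. From this reference:
- ike proposal: a lower proposal number means a higher priority; 'display ike proposal'
  lists proposals in descending priority order.
- proposal (IKE profile view): up to six proposals, an earlier one having higher priority;
  without them the initiator offers all system-view proposals.
- authentication-method defaults to pre-share; dh defaults to group1.
- pfs: the local DH group's security level must be >= the peer's; an end without PFS
  follows the peer's PFS requirement.
Assumptions (not on this page): responder takes the first of its own proposals, by priority,
whose algorithms equal one offered; the shorter duration wins; DES-CBC/SHA/86400 s defaults;
group24 is ranked by modulus size only.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Modulus size in bits, from the dh command reference; used as the "security level".
DH_BITS = {"group1": 768, "group2": 1024, "group5": 1536, "group14": 2048, "group24": 2048}


@dataclass(frozen=True)
class Proposal:
    number: int
    encryption: str = "des-cbc"      # assumed default
    authentication: str = "sha"      # assumed default hash
    auth_method: str = "pre-share"   # default per authentication-method
    dh: str = "group1"               # default per dh
    duration: int = 86400            # seconds; assumed default

    def algorithms(self) -> tuple:
        """The fields that must agree for two proposals to match."""
        return (self.encryption, self.authentication, self.auth_method, self.dh)


def by_priority(proposals: list) -> list:
    """Lower number first, the order 'display ike proposal' uses."""
    return sorted(proposals, key=lambda p: p.number)


def initiator_offer(system_proposals: list, profile_numbers: Optional[list] = None) -> list:
    """Proposals the initiator sends: the profile's, in the order specified, else all by priority."""
    if profile_numbers:
        table = {p.number: p for p in system_proposals}
        return [table[n] for n in profile_numbers if n in table][:6]   # at most six per profile
    return by_priority(system_proposals)


def responder_select(responder_proposals: list, offered: list):
    """(chosen responder proposal, negotiated duration) or (None, None). See assumptions above."""
    offered_by_algs = {p.algorithms(): p for p in offered}
    for mine in by_priority(responder_proposals):
        theirs = offered_by_algs.get(mine.algorithms())
        if theirs is not None:
            return mine, min(mine.duration, theirs.duration)
    return None, None


def pfs_acceptable(local_group: Optional[str], peer_group: Optional[str]) -> bool:
    """pfs rule: local group at least as strong as the peer's; no PFS locally means follow the peer."""
    if local_group is None or peer_group is None:
        return True
    return DH_BITS[local_group] >= DH_BITS[peer_group]


# Constructed sample configurations for the two ends.
INITIATOR = [
    Proposal(10, "aes-cbc-256", "sha", "pre-share", "group14", 28800),
    Proposal(20, "aes-cbc-128", "sha", "pre-share", "group2"),
    Proposal(30, "3des-cbc", "sha", "pre-share", "group2"),
]
RESPONDER = [
    Proposal(1, "3des-cbc", "sha", "pre-share", "group5"),
    Proposal(5, "aes-cbc-128", "sha", "pre-share", "group2", 3600),
    Proposal(7, "aes-cbc-256", "sha", "pre-share", "group14", 3600),
]
```

The sample shows the practical consequence of the priority rules: with the full offer the responder settles on its proposal 5 (AES-128, group2) even though both sides also have an AES-256/group14 proposal, because 5 outranks 7 on the responder; restricting the initiator's profile to proposal 10 forces the stronger match. Under the assumed rule the responder's ordering, not the initiator's, decides, so the place to enforce a minimum is the responder's lowest-numbered proposals.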
Connection-ID Remote Flag DOI
---------------------------------------------------------
1 202.38.0.2 RD|ST IPSEC
2 202.38.0.3 RD|ST IPSEC
Flags: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
# Delete the IKE SA with the connection ID 2.
reset ike sa 2
# Display the current IKE SAs.
display ike sa
Total IKE SAs: 1
Connection-ID Remote Flag DOI
---------------------------------------------------------
1 202.38.0.
[Sysname-ike-proposal-1] sa duration 600 Related commands display ike proposal
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. [] Square brackets enclose syntax choices (keywords or arguments) that are optional. { x | y | ... } Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch. Represents an access point.
Index ABCDEFGHIKLMNPQRSTUV A B aaa session-limit,1 bye,126 access-limit enable,1 C accounting command,2 cd,126 accounting default,3 cdup,127 accounting login,4 accounting-on enable,26 D ah authentication-algorithm,183 data-flow-format (HWTACACS scheme view),51 arp active-ack enable,168 data-flow-format (RADIUS scheme view),27 arp authorized enable,169 delete,127 arp detection enable,169 description,184 arp detection trust,170 dh,233 arp detection validate,170 dir,127 arp filter bindi
display public-key peer,102 ip,71 display radius scheme,28 ip source binding,155 display radius statistics,30 ip urpf,177 display sftp client source,129 ip verify source,156 display ssh client source,129 ipsec { ipv6-policy | policy },210 display ssh server,115 ipsec { ipv6-policy | policy } isakmp template,211 display ssh user-information,116 ipsec { ipv6-policy | policy } local-address,212 display user-group,20 ipsec { ipv6-policy-template | policy-template } policy-template,213 domain,15
nas-ip (RADIUS scheme view),32 radius nas-ip,36 P radius scheme,37 radius session-control enable,38 password,23 remote-address,220 password-control { aging | composition | history | length } enable,82 remove,134 rename,134 password-control aging,83 reset arp detection statistics,173 password-control alert-before-expire,84 reset hwtacacs statistics,61 password-control complexity,85 reset ike sa,259 password-control composition,86 reset ip source binding,159 password-control enable,87 reset i
sftp ipv6,143 T sftp server enable,117 timer quiet (HWTACACS scheme view),66 sftp server idle-timeout,118 timer quiet (RADIUS scheme view),47 ssh client ipv6 source,145 timer realtime-accounting (HWTACACS scheme view),66 ssh client source,146 ssh server acl,118 timer realtime-accounting (RADIUS scheme view),47 ssh server authentication-retries,120 timer response-timeout (HWTACACS scheme view),67 ssh server authentication-timeout,121 timer response-timeout (RADIUS scheme view),48 ssh server com