HP FlexFabric 7900 Switch Series
Security Command Reference
Part number: 5998-4296
Software version: Release 2109
Document version: 6W100-20140122
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
AAA commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
General AAA commands
aaa session-limit
Use aaa session-limit to set the maximum number of concurrent users who can log on to the device through the specified method.
system-view
[Sysname] aaa session-limit ftp 4
accounting command
Use accounting command to specify the command line accounting method. Use undo accounting command to restore the default.
Syntax
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command
Default
The default accounting method of the ISP domain is used for command line accounting.
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo accounting default
In FIPS mode:
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo accounting default
Default
The d
Related commands
• hwtacacs scheme
• local-user
• radius scheme
accounting login
Use accounting login to specify the accounting method for login users. Use undo accounting login to restore the default.
RADIUS server is invalid, and does not perform accounting when both of the previous methods are invalid.
Examples
# Configure ISP domain test to use local accounting for login users.
system-view
[Sysname] domain test
[Sysname-isp-test] accounting login local
# Configure ISP domain test to use RADIUS scheme rd for login user accounting and use local accounting as the backup.
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The default authentication method is used for all users who support this method and do not have a specific authentication method configured.
undo authentication login
Default
The default authentication method of the ISP is used for login users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Use undo authentication super to restore the default.
Syntax
authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *
undo authentication super
Default
The default authentication method of the ISP domain is used for user role authentication.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
authorization command
Use authorization command to specify the command authorization method. Use undo authorization command to restore the default.
[Sysname-isp-test] authorization command local
# Configure ISP domain test to use HWTACACS scheme hwtac for command authorization and use local authorization as the backup authorization method.
Usage guidelines
The default authorization method is used for all users who support this method and do not have a specific authorization method configured. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. You can specify one authorization method and multiple backup authorization methods.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. After passing authentication, FTP, SFTP, and SCP users use the root directory of the device as the work directory but cannot access it, and other login users get the default user role.
Use undo authorization-attribute to restore the default of an authorization attribute.
Syntax
authorization-attribute idle-cut minute [ flow ]
undo authorization-attribute idle-cut
Default
No authorization attribute is configured for users in the ISP domain and the idle cut function is disabled.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
idle-cut minute: Sets the idle timeout period in minutes. The value range for the minute argument is 1 to 600.
Parameters
isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters.
Usage guidelines
If no ISP domain is specified, the command displays the configuration of all ISP domains.
Examples
# Display the configuration of all ISP domains.
Field | Description
Default accounting scheme | Default accounting method.
Login authentication scheme | Authentication method for login users.
Login authorization scheme | Authorization method for login users.
Login accounting scheme | Accounting method for login users.
Authorization attributes | Authorization attributes for users in the ISP domain.
Idle-cut | Idle cut function status: • Enable—The function is enabled.
Usage guidelines
All ISP domains are in active state when they are created. The system has a predefined ISP domain named system. You can modify but not remove its configuration. To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the undo domain default enable command.
Examples
# Create ISP domain test and enter its view.
[Sysname] domain test
[Sysname-isp-test] quit
[Sysname] domain default enable test
Related commands
• display domain
• domain
state (ISP domain view)
Use state to set the status of an ISP domain. Use undo state to restore the default.
Syntax
state { active | block }
undo state
Default
An ISP domain is in active state.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.
Local user commands
access-limit
Use access-limit to set the maximum number of concurrent logins using the local user name. Use undo access-limit to restore the default.
Syntax
access-limit max-user-number
undo access-limit
Default
The number of concurrent logins using the local user name is not limited.
Views
Local user view
Predefined user roles
network-admin
Parameters
max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024.
Default
No authorization ACL, idle timeout period, or authorized VLAN is configured for the local users. FTP, SFTP, or SCP users have the root directory of the NAS set as the working directory, but they do not have the access permission to the root directory. The local users created by a network-admin or level-15 user are assigned the network-operator user role.
Views
Local user view, user group view
Predefined user roles
network-admin
Parameters
acl acl-number: Specifies the authorization ACL.
Related commands
• display local-user
• display user-group
display local-user
Use display local-user to display the local user configuration and online user statistics.
Syntax
display local-user [ class manage | idle-cut { disable | enable } | service-type { ftp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
class manage: Specifies the device management users.
Bind Attributes:
Authorization Attributes:
  Work Directory: flash:
  User Role List: network-admin
Password control configurations:
  Password aging: Enabled (3 days)
Table 2 Command output
Field | Description
State | Status of the local user: active or blocked.
Service Type | Service types that the local user can use, including FTP, SSH, Telnet, and terminal.
Access limit | Whether the concurrent login limit is enabled.
Max access number | Maximum number of concurrent logins using the local user name.
display user-group
Use display user-group to display the user group configuration.
Syntax
display user-group [ group-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
If no user group name is specified, the command displays the configuration of all user groups.
Examples
# Display the configuration of all user groups.
Field | Description
Password length | This field appears only when password length control is enabled. The minimum password length is displayed in parentheses.
Password composition | This field appears only when password composition checking is enabled. It also displays the following information in parentheses: • Minimum number of character types that the password must contain. • Minimum number of characters from each type in the password.
local-user
Use local-user to add a local user and enter local user view. Use undo local-user to remove local users.
Syntax
local-user user-name [ class manage ]
undo local-user { user-name class manage | all [ service-type { ftp | ssh | telnet | terminal } | class manage ] }
Default
No local user exists.
Views
System view
Predefined user roles
network-admin
Parameters
user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name.
Syntax
In non-FIPS mode:
password [ { hash | simple } password ]
undo password
In FIPS mode:
password
Default
• In non-FIPS mode, there is no password configured for a local user and a local user can pass authentication after entering the correct username and passing attribute checks.
• In FIPS mode, there is no password configured for a local user and a local user cannot pass authentication.
Views
Local user view
Predefined user roles
network-admin
Parameters
hash: Sets a hashed password.
[Sysname-luser-manage-test] password
Password:
Confirm :
Related commands
• display local-user
• local-user password-display-mode
service-type
Use service-type to specify the service types that a local user can use. Use undo service-type to delete service types configured for a local user.
Related commands
display local-user
state (local user view)
Use state to set the status of a local user. Use undo state to restore the default.
Syntax
state { active | block }
undo state
Default
A local user is in active state.
Views
Local user view
Predefined user roles
network-admin
Parameters
active: Places the local user in active state to allow the local user to request network services.
block: Places the local user in blocked state to prevent the local user from requesting network services.
Views
System view
Predefined user roles
network-admin
Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Configurable user attributes are authorization attributes.
send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default setting is 50.
Usage guidelines
The accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after a device or card reboot. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device.
Examples
# In RADIUS scheme radius1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet
Related commands
display radius scheme
display radius scheme
Use display radius scheme to display the configuration of RADIUS schemes.
Accounting-On function : Enabled
  retransmission times : 5
  retransmission interval(seconds) : 2
Timeout Interval(seconds) : 3
Retransmission Times : 3
Retransmission Times for Accounting Update : 5
Server Quiet Period(minutes) : 5
Realtime Accounting Interval(minutes) : 22
NAS IP Address : 1.1.1.1
User Name Format : with-domain
------------------------------------------------------------------
Table 4 Command output
Field | Description
Index | Index number of the RADIUS scheme.
display radius statistics
Use display radius statistics to display RADIUS packet statistics.
Syntax
display radius statistics
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display RADIUS packet statistics.
display radius statistics
Auth. Acct. SessCtrl.
Field | Description
Account Update | Number of accounting update packets.
Account Stop | Number of stop-accounting packets.
Terminate Request | Number of packets for logging off users forcibly.
Set Policy | Number of packets for updating user authorization information.
Packet With Response | Number of packets for which responses were received.
Packet Without Response | Number of packets for which no responses were received.
Access Rejects | Number of Access-Reject packets.
  ○ A plaintext shared key is a string of 15 to 64 characters that must contain digits, uppercase letters, lowercase letters, and special characters.
Usage guidelines
The shared keys configured by using this command apply to all servers in the scheme. Make sure the settings match the shared keys configured on the RADIUS servers. The shared keys specified for specific RADIUS servers take precedence over the shared key specified with this command.
a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS. If it is, the server processes the packet. If it is not, the server drops the packet.
When you use both the nas-ip and radius nas-ip commands, the following guidelines apply:
• The setting configured by using the nas-ip command in RADIUS scheme view is effective only for the RADIUS scheme.
key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS accounting server.
• cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
  ○ In non-FIPS mode, the key is a string of 1 to 117 characters.
  ○ In FIPS mode, the key is a string of 15 to 117 characters.
• simple string: Sets a plaintext shared key. The string argument is case sensitive.
  ○ In non-FIPS mode, the key is a string of 1 to 64 characters.
Default
No primary RADIUS authentication server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.
port-number: Specifies the service port number of the primary RADIUS authentication server, a UDP port number in the range of 1 to 65535. The default setting is 1812.
• secondary authentication (RADIUS scheme view)
radius nas-ip
Use radius nas-ip to specify a source address for outgoing RADIUS packets. Use undo radius nas-ip to delete a source address for outgoing RADIUS packets.
Syntax
radius nas-ip ipv4-address
undo radius nas-ip ipv4-address
Default
The source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.
Use undo radius session-control enable to restore the default.
Syntax
radius session-control enable
undo radius session-control enable
Default
The session-control feature is disabled and the UDP port 1812 is closed.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The session-control feature enables the device to receive RADIUS session-control packets on UDP port 1812 from a RADIUS server that runs on IMC.
Examples
# Enable the session-control feature.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1]
Related commands
display radius scheme
reset radius statistics
Use reset radius statistics to clear RADIUS statistics.
Syntax
reset radius statistics
Views
User view
Predefined user roles
network-admin
Examples
# Clear RADIUS statistics.
Usage guidelines
Because RADIUS uses UDP packets to transmit data, the communication is not reliable.
• If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request.
• If the device does not receive a response from the RADIUS server after the maximum number of transmission attempts is reached, the device considers the request a failure.
with the retry command), the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting attempts is five (set with the retry realtime-accounting command). In this case, the device generates an accounting request every 12 minutes, and retransmits the request if it sends the request but receives no response within 3 seconds.
  ○ In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
Usage guidelines
Make sure that the port number and shared key settings of each secondary RADIUS accounting server are the same as those configured on the corresponding server. You can configure up to 16 secondary RADIUS accounting servers for a RADIUS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state.
undo secondary authentication [ ipv4-address [ port-number ] ]
Default
No secondary RADIUS authentication server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication server.
port-number: Sets the service port number of the secondary RADIUS authentication server, a UDP port number in the range of 1 to 65535. The default setting is 1812.
# Specify two secondary authentication servers for RADIUS scheme radius2, with the server IP addresses of 10.110.1.1 and 10.110.1.2, and the UDP port number of 1812.
system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812
[Sysname-radius-radius2] secondary authentication 10.110.1.
Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS.
Syntax
snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *
undo snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *
Default
All types of notifications for RADIUS are enabled.
state primary
Use state primary to set the status of a primary RADIUS server.
Syntax
state primary { accounting | authentication } { active | block }
Default
The primary RADIUS server specified for a RADIUS scheme is in active state.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
accounting: Sets the status of the primary RADIUS accounting server.
authentication: Sets the status of the primary RADIUS authentication server.
Syntax
state secondary { accounting | authentication } [ ipv4-address [ port-number ] ] { active | block }
Default
Every secondary RADIUS server specified in a RADIUS scheme is in active state.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
accounting: Sets the status of a secondary RADIUS accounting server.
authentication: Sets the status of a secondary RADIUS authentication server.
ipv4-address: Specifies the IPv4 address of a secondary RADIUS server.
Use undo timer quiet to restore the default.
Syntax
timer quiet minutes
undo timer quiet
Default
The server quiet period is 5 minutes.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.
Usage guidelines
Make sure the server quiet timer is set correctly.
Parameters
minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60.
Usage guidelines
When the real-time accounting interval configured on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval.
Usage guidelines
If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request, it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval. The maximum number of RADIUS packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 300 seconds.
Examples
# Configure the device to remove the domain name from the username sent to the RADIUS servers specified in RADIUS scheme radius1.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] user-name-format without-domain
Related commands
display radius scheme
HWTACACS commands
data-flow-format (HWTACACS scheme view)
Use data-flow-format to set the data flow and packet measurement units for traffic statistics. Use undo data-flow-format to restore the default.
Related commands
display hwtacacs scheme
display hwtacacs scheme
Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes.
Syntax
display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
statistics: Displays the HWTACACS service statistics.
Username Format : with-domain
------------------------------------------------------------------
Table 7 Command output
Field | Description
Index | Index number of the HWTACACS scheme.
Primary Auth Server | Primary HWTACACS authentication server.
Primary Author Server | Primary HWTACACS authorization server.
Primary Acct Server | Primary HWTACACS accounting server.
Secondary Auth Server | Secondary HWTACACS authentication server.
Secondary Author Server | Secondary HWTACACS authorization server.
Default
The source IP address of a packet sent to the server is the IP address of the outbound interface.
Views
System view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies an IPv4 address, which must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
Usage guidelines
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server.
Predefined user roles
network-admin
Parameters
hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
An HWTACACS scheme can be referenced by more than one ISP domain at the same time. You can configure up to 16 HWTACACS schemes.
Examples
# Create an HWTACACS scheme named hwt1 and enter its view.
  ○ A plaintext shared key is a string of 1 to 255 characters.
• In FIPS mode:
  ○ A ciphertext shared key is a string of 15 to 373 characters.
  ○ A plaintext shared key is a string of 15 to 255 characters that must contain digits, uppercase letters, lowercase letters, and special characters.
Usage guidelines
The shared keys configured on the device must match those configured on the HWTACACS servers.
Parameters
ipv4-address: Specifies an IPv4 address, which must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
Usage guidelines
The source IP address of the HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address.
port-number: Specifies the service port number of the primary HWTACACS accounting server, a TCP port number in the range of 1 to 65535. The default setting is 49.
key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS accounting server.
• cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
  ○ In non-FIPS mode, the key is a string of 1 to 373 characters.
  ○ In FIPS mode, the key is a string of 15 to 373 characters.
Syntax
primary authentication ipv4-address [ port-number | key { cipher | simple } string | single-connection ] *
undo primary authentication
Default
No primary HWTACACS authentication server is specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.
port-number: Specifies the service port number of the primary HWTACACS authentication server, a TCP port number in the range of 1 to 65535.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49 key simple 123456TESTauth&!
Related commands
• display hwtacacs scheme
• key (HWTACACS scheme view)
• secondary authentication (HWTACACS scheme view)
primary authorization
Use primary authorization to specify the primary HWTACACS authorization server. Use undo primary authorization to remove the configuration.
Usage guidelines
Make sure that the port number and shared key settings of the primary HWTACACS authorization server are the same as those configured on the server. Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings. You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.
secondary accounting (HWTACACS scheme view)
Use secondary accounting to specify a secondary HWTACACS accounting server. Use undo secondary accounting to remove a secondary HWTACACS accounting server.
Syntax
secondary accounting ipv4-address [ port-number | key { cipher | simple } string | single-connection ] *
undo secondary accounting [ ipv4-address [ port-number ] ]
Default
No secondary HWTACACS accounting server is specified.
Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings. You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
Examples
# Specify a secondary accounting server with IP address 10.163.155.
• simple string: Sets a plaintext shared key. The string argument is case sensitive.
  ○ In non-FIPS mode, the key is a string of 1 to 255 characters.
  ○ In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
single-connection: The device and the secondary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users.
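A configuration-review check, added here as an example and not part of the HP reference, that encodes the constraints the RADIUS and HWTACACS sections above state: shared-key length and FIPS composition rules, the retry times response-timeout budget of 300 seconds, and the nas-ip address restrictions. The scheme definitions are constructed for the demonstration; the one HWTACACS key reuses the reference's own example key.

```python
import ipaddress
import string

# Maximum shared-key lengths stated in the reference, keyed by (protocol, key form).
# The FIPS-mode minimum is 15 characters for every form; the non-FIPS minimum is 1.
KEY_MAX_LEN = {
    ("radius", "simple"): 64,
    ("radius", "cipher"): 117,
    ("hwtacacs", "simple"): 255,
    ("hwtacacs", "cipher"): 373,
}

# RADIUS: retry (transmission attempts) x response-timeout (seconds) must not exceed 300 s.
RADIUS_RETRY_TIMEOUT_BUDGET = 300


def check_shared_key(protocol, form, key, fips):
    """Return a list of rule violations for one scheme shared key (empty if it passes)."""
    problems = []
    max_len = KEY_MAX_LEN[(protocol, form)]
    min_len = 15 if fips else 1
    if not min_len <= len(key) <= max_len:
        problems.append(f"{protocol} {form} key length {len(key)} is outside {min_len}..{max_len}")
    if fips and form == "simple":
        # FIPS plaintext keys must contain digits, uppercase, lowercase and special characters.
        required = {
            "digit": any(c.isdigit() for c in key),
            "uppercase": any(c.isupper() for c in key),
            "lowercase": any(c.islower() for c in key),
            "special": any(c in string.punctuation for c in key),
        }
        missing = [name for name, present in required.items() if not present]
        if missing:
            problems.append(f"{protocol} plaintext key lacks required character classes in FIPS mode: "
                            + ", ".join(missing))
    return problems


def check_nas_ip(addr):
    """nas-ip must not be 0.0.0.0, 255.255.255.255, a class D, a class E or a loopback address."""
    ip = ipaddress.IPv4Address(addr)
    if ip == ipaddress.IPv4Address("0.0.0.0"):
        return ["nas-ip must not be 0.0.0.0"]
    if ip == ipaddress.IPv4Address("255.255.255.255"):
        return ["nas-ip must not be 255.255.255.255"]
    if ip.is_multicast:  # class D, 224.0.0.0/4
        return [f"nas-ip {addr} is a class D address"]
    if ip in ipaddress.IPv4Network("240.0.0.0/4"):  # class E
        return [f"nas-ip {addr} is a class E address"]
    if ip.is_loopback:
        return [f"nas-ip {addr} is a loopback address"]
    return []


def check_radius_timers(retry, response_timeout):
    """Apply the 300-second budget on retry x response-timeout."""
    total = retry * response_timeout
    if total > RADIUS_RETRY_TIMEOUT_BUDGET:
        return [f"retry {retry} x response-timeout {response_timeout}s = {total}s exceeds 300s"]
    return []


def check_scheme(scheme, fips):
    """Run every applicable rule over one scheme description (a plain dict) and collect findings."""
    findings = []
    for server in scheme.get("servers", []):
        findings += check_shared_key(scheme["protocol"], server["key_form"], server["key"], fips)
    if "nas_ip" in scheme:
        findings += check_nas_ip(scheme["nas_ip"])
    if scheme["protocol"] == "radius" and "retry" in scheme:
        findings += check_radius_timers(scheme["retry"], scheme["response_timeout"])
    return findings


# Constructed sample schemes. The HWTACACS key is the reference's own example key
# (123456TESTauth&!); the RADIUS scheme is deliberately misconfigured.
SAMPLE_SCHEMES = [
    {"name": "hwt1", "protocol": "hwtacacs", "nas_ip": "10.1.1.1",
     "servers": [{"key_form": "simple", "key": "123456TESTauth&!"}]},
    {"name": "radius1", "protocol": "radius", "nas_ip": "224.0.0.9",
     "retry": 100, "response_timeout": 5,
     "servers": [{"key_form": "simple", "key": "secret"}]},
]


def audit(schemes, fips):
    """Return {scheme name: [findings]} for every scheme that violates at least one rule."""
    result = {}
    for scheme in schemes:
        findings = check_scheme(scheme, fips)
        if findings:
            result[scheme["name"]] = findings
    return result


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SCHEMES, fips=True).items():
        print(name)
        for line in findings:
            print("  -", line)
```

Run against the constructed schemes in FIPS mode, hwt1 passes and radius1 reports four findings (key length, key composition, multicast nas-ip, and the timer budget).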
undo secondary authorization [ ipv4-address [ port-number ] ]
Default
No secondary HWTACACS authorization server is specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authorization server.
port-number: Specifies the service port number of the secondary HWTACACS authorization server, a TCP port number in the range of 1 to 65535. The default setting is 49.
Examples
# Specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&! for HWTACACS scheme hwt1.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
Default
The real-time accounting interval is 12 minutes.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server.
Default
The HWTACACS server response timeout time is 5 seconds.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
seconds: Specifies the HWTACACS server response timeout time, in the range of 1 to 300 seconds.
Usage guidelines
HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.
Examples
# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.
recognize a username containing an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server. If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the HWTACACS scheme to more than one ISP domain.
Password control commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
display password-control
Use display password-control to display password control configuration.
Password composition: Enabled (1 types, 1 characters per type)
Table 9 Command output
Field                  Description
Password control       Whether the password control feature is enabled.
Password aging         Whether password expiration is enabled and, if enabled, the expiration time.
Password length        Whether the minimum password length restriction function is enabled and, if enabled, the setting.
Password composition   Whether the password composition restriction function is enabled and, if enabled, the settings.
ip ipv4-address: Specifies the IPv4 address of a user.
Usage guidelines
With no arguments provided, this command displays information about all users in the password control blacklist. If an FTP or virtual terminal line (VTY) user fails authentication, the system adds the user to a password control blacklist. You can use this command to view information about these users in the blacklist.
Views
System view
Predefined user roles
network-admin
Parameters
aging: Enables the password expiration function.
composition: Enables the password composition restriction function.
history: Enables the password history function.
length: Enables the minimum password length restriction function.
Usage guidelines
To enable a specific password control function, first enable the global password control feature.
Syntax
password-control aging aging-time
undo password-control aging
Default
A password expires after 90 days. The password expiration time for a user group equals the global setting, and the password expiration time for a local user equals that of the user group to which the local user belongs.
Views
System view, user group view, local user view
Predefined user roles
network-admin
Parameters
aging-time: Specifies the password expiration time in days, in the range of 1 to 365.
password-control alert-before-expire
Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration.
Use undo password-control alert-before-expire to restore the default.
Syntax
password-control alert-before-expire alert-time
undo password-control alert-before-expire
Default
The default is 7 days.
Views
System view, user group view, local user view
Predefined user roles
network-admin
Parameters
same-character: Refuses a password that contains any character appearing consecutively three or more times. For example, the password aaabc is not complex enough.
user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough.
Default
In non-FIPS mode, the password using the global composition policy must contain at least one character type and at least one character for each type.
In FIPS mode, the password using the global composition policy must contain at least four character types and at least one character for each type.
type-length type-length: Specifies the minimum number of characters for each type in the password. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode.
Usage guidelines
The password composition policy depends on the view:
• The policy in system view has global significance and applies to all user groups.
• The policy in user group view applies to all local users in the user group.
• The policy in local user view applies only to the local user.
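The composition policy (type-number, type-length), the minimum length, and the two complexity checks (same-character, user-name) described above together decide whether a candidate password is accepted. The following checker is an added example written for this reference, not code from the switch or from HP; it models those rules in Python so that an operator can pre-screen passwords against the same policy before configuring them. The four character types are the ones the manual names (digits, uppercase letters, lowercase letters, special characters). One point the page does not state and this example assumes: a character type counts toward type-number only when it has at least type-length characters.

```python
import re

# Character types named by the composition policy: digits, uppercase letters,
# lowercase letters, and special characters (everything else).
def character_type_counts(password):
    """Count how many characters of each composition type the password contains."""
    counts = {"digit": 0, "upper": 0, "lower": 0, "special": 0}
    for ch in password:
        if ch.isdigit():
            counts["digit"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        else:
            counts["special"] += 1
    return counts


def check_password(password, username="", *, min_length=10, type_number=1,
                   type_length=1, same_character=False, user_name=False):
    """Return the list of policy violations (an empty list means the password is accepted).

    min_length / type_number / type_length mirror password-control length and
    password-control composition; same_character / user_name mirror the two
    password-control complexity checks. Assumption (not stated on the page): a
    character type only counts toward type_number when it has at least
    type_length characters.
    """
    violations = []
    if len(password) < min_length:
        violations.append(f"length {len(password)} is below the minimum of {min_length}")

    counts = character_type_counts(password)
    qualifying = [t for t, c in counts.items() if c >= type_length]
    if len(qualifying) < type_number:
        violations.append(
            f"only {len(qualifying)} character type(s) have at least {type_length} "
            f"character(s); the policy requires {type_number}")

    # same-character check: no character three or more times in a row
    # (the manual's own example of a rejected password is aaabc).
    if same_character and re.search(r"(.)\1\1", password):
        violations.append("a character appears three or more times consecutively")

    # user-name check: neither the username nor its reverse may appear in the
    # password (the manual's examples for username 123 are abc123 and 321df).
    if user_name and username and (username in password or username[::-1] in password):
        violations.append("password contains the username or its reverse")
    return violations


# Global defaults the manual states for length and composition in each mode;
# the complexity checks are switched on explicitly by the caller.
NON_FIPS_GLOBAL = dict(min_length=10, type_number=1, type_length=1)
FIPS_GLOBAL = dict(min_length=15, type_number=4, type_length=1)

if __name__ == "__main__":
    # Constructed sample passwords; the first three are the manual's rejected examples.
    for pw in ("aaabc", "abc123", "321df", "Xy7!Qm2#Lp9$Rt4@"):
        print(pw, check_password(pw, "123", same_character=True, user_name=True, **FIPS_GLOBAL))
```

Run against the FIPS-mode defaults with both complexity checks enabled, the three passwords the manual rejects each produce at least one violation, while the constructed 16-character password with all four types passes.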
Default
In non-FIPS mode, the password control feature is disabled globally.
In FIPS mode, the password control feature is enabled globally and cannot be disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
A specific password control function takes effect only after the global password control feature is enabled.
times times: Sets the maximum number of times a user can log in after the password expires. The value range is 0 to 10, and 0 means that a user cannot log in after the password expires.
Usage guidelines
This command is effective only on non-FTP login users. An FTP user cannot continue to log in after its password expires.
Examples
# Specify that a user can log in five times within 60 days after the password expires.
Related commands
• display password-control
• password-control history enable
• reset password-control blacklist
password-control length
Use password-control length to set the minimum password length.
Use undo password-control length to restore the default.
Syntax
password-control length length
undo password-control length
Default
In non-FIPS mode, the global minimum password length is 10 characters.
In FIPS mode, the global minimum password length is 15 characters.
system-view
[Sysname] password-control length 16
# Set the minimum password length to 16 characters for user group test.
[Sysname] user-group test
[Sysname-ugroup-test] password-control length 16
[Sysname-ugroup-test] quit
# Set the minimum password length to 16 characters for device management user abc.
Related commands
display password-control
password-control login-attempt
Use password-control login-attempt to specify the maximum number of consecutive failed login attempts and the action to be taken when a user fails to log in after the specified number of attempts.
Use undo password-control login-attempt to restore the default.
• If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.
• If no policy is configured for the user group, the system uses the global policy.
If an FTP or virtual terminal line (VTY) user fails authentication, the system adds the user to a password control blacklist.
• display password-control
• display password-control blacklist
• display user-group
• reset password-control blacklist
password-control super aging
Use password-control super aging to set the expiration time for super passwords.
Use undo password-control super aging to restore the default.
Syntax
password-control super aging aging-time
undo password-control super aging
Default
A super password expires after 90 days.
In FIPS mode, a super password must contain at least four character types and at least one character for each type.
Views
System view
Predefined user roles
network-admin
Parameters
type-number type-number: Specifies the minimum number of character types that a super password must contain. The value range for the type-number argument is 1 to 4 in non-FIPS mode and fixed at 4 in FIPS mode.
type-length type-length: Specifies the minimum number of characters for each character type.
Parameters
length: Specifies the minimum length of super passwords in characters. The value range for this argument is 4 to 63 in non-FIPS mode, and 15 to 63 in FIPS mode.
Examples
# Set the minimum length of super passwords to 16 characters.
reset password-control blacklist
Use reset password-control blacklist to remove a specified user or all users from the password control blacklist.
Syntax
reset password-control blacklist [ user-name name ]
Views
User view
Predefined user roles
network-admin
Parameters
user-name name: Specifies the user to be removed from the password control blacklist. The name argument is the username, a case-sensitive string of 1 to 55 characters.
Usage guidelines
With no arguments or keywords specified, this command deletes the history password records of all local users.
Without the role role name option, this command deletes the history records of all super passwords.
Examples
# Clear the history password records of all local users (enter Y to confirm).
Public key management commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
display public-key local public
Use display public-key local public to display local public keys.
Key name: serverkey (default)
Key type: RSA
Time when key pair created: 15:40:48 2013/05/12
Key code:
307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442
762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64
DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E
9D85C13413996ECD093B0203010001
=============================================
Key name: rsa1
Key type: RSA
Time when key pair created: 15:42:26 2013/05/12
Key code:
30819F300D06092A86488
display public-key peer
Use display public-key peer to display information about peer public keys.
Syntax
display public-key peer [ brief | name publickey-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
brief: Displays brief information about all peer public keys. The brief information includes only the key type, key modulus, and key name.
name publickey-name: Displays detailed information about a peer public key, including its key code.
Field      Description
Key code   Public key string.
# Display brief information about all peer public keys.
display public-key peer brief
Type    Modulus   Name
--------------------------
RSA     1024      idrsa
DSA     1024      10.1.1.1
Table 14 Command output
Field     Description
Type      Key type: RSA, DSA or ECDSA.
Modulus   Key modulus length in bits.
Name      Name of the peer public key.
[Sysname-pkey-public-key-key1]30819F300D06092A864886F70D010101050003818D0030818902818100C0EC8014F82515F6335A0A
[Sysname-pkey-public-key-key1]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D1643135877E13B1C531B4
[Sysname-pkey-public-key-key1]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80EB5F52698FCF3D6
[Sysname-pkey-public-key-key1]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE675AC30CB020301
[Sysname-pkey-public-key-key1]0001
[Sysname-pkey-public-key-key1
Usage guidelines The key algorithm must be the same as required by the security application. The key modulus length must be appropriate (see Table 16). The longer the key modulus length, the higher the security, and the longer the key generation time. If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default. You can also assign the default name to another key pair, but the system does not mark the key pair as default.
.++++++
..++++++++
....++++++++
Create the key pair successfully.
# Create a local DSA key pair with the default name.
system-view
[Sysname] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+..+.............
...+.................+..........+...+....+.......+.....+............+.........+.
........................+........+..........+..............+.....+...+..........
..............+.........+..........+...........+........+....+..................
.....+++++++++++++++++++++++++++++++++++++++++++++++++++*
Create the key pair successfully.
# Create a local ECDSA key pair with the name ecdsa1.
system-view
[Sysname] public-key local create ecdsa name ecdsa1
Generating Keys...
Views
System view
Predefined user roles
network-admin
Parameters
dsa: Specifies the DSA type.
ecdsa: Specifies the ECDSA type.
rsa: Specifies the RSA type.
name key-name: Specifies the name of a local key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is specified, the command destroys the specified type of local key pairs that take the default names.
public-key local export dsa
Use public-key local export dsa to display local DSA host public keys in a specific format, or export the key in a specific format to a file.
Syntax
public-key local export dsa [ name key-name ] { openssh | ssh2 } [ filename ]
Views
System view
Predefined user roles
network-admin
Parameters
name key-name: Specifies the name of a local DSA key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-).
# Display the host public key of the local DSA key pair with the default name in SSH2.0 format.
Related commands
• public-key local create
• public-key peer import sshkey
public-key local export rsa
Use public-key local export rsa to display the local RSA host public key in a specific format, or export the key to a specific file.
3. On the peer device, use the public-key peer import sshkey command to import the host public key from the file.
SSH1.5, SSH2.0 and OpenSSH are different public key formats. Choose the proper format that is supported on the device where you import the host public key. In FIPS mode, the device only supports SSH2.0 and OpenSSH.
Examples
# Export the host public key of the local RSA key pair with the default name in OpenSSH format to the file key.pub.
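The key code that display public-key local public prints (shown earlier for the default key pair serverkey) is the DER encoding of an X.509 SubjectPublicKeyInfo structure, and the openssh keyword of public-key local export rsa re-encodes the same modulus and exponent as an ssh-rsa line. The example below is added for this reference and is not code from the switch or from HP: it parses the serverkey key code copied from the page, reports the modulus length, and rebuilds the OpenSSH-format line so the exported key can be checked against the displayed one before it is imported on a peer. The comment string "serverkey" appended to the OpenSSH line is an assumption; the switch's actual export output is not shown on the page.

```python
import base64
import struct

# Key code exactly as printed by display public-key local public on the page for the
# default RSA key pair "serverkey" (the manual's line wraps are joined here).
SERVERKEY_HEX = (
    "307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442"
    "762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64"
    "DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E"
    "9D85C13413996ECD093B0203010001"
)

# DER of OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption).
RSA_OID_DER = bytes.fromhex("06092A864886F70D010101")


def _tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(key_code_hex):
    """Parse a SubjectPublicKeyInfo holding an RSA key; return modulus, exponent, bit length."""
    der = bytes.fromhex(key_code_hex)
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer SEQUENCE malformed")
    tag, alg, pos = _tlv(spki, 0)          # AlgorithmIdentifier
    if tag != 0x30 or not alg.startswith(RSA_OID_DER):
        raise ValueError("not an rsaEncryption key")
    tag, bits, pos = _tlv(spki, pos)       # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0 or pos != len(spki):
        raise ValueError("BIT STRING malformed")
    tag, rsa, _ = _tlv(bits, 1)            # skip the unused-bits byte
    if tag != 0x30:
        raise ValueError("RSAPublicKey SEQUENCE missing")
    tag_n, n_bytes, pos = _tlv(rsa, 0)
    tag_e, e_bytes, _ = _tlv(rsa, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("RSAPublicKey INTEGERs missing")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"modulus": n, "exponent": e, "modulus_bits": n.bit_length()}


def _ssh_string(b):
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(x):
    """RFC 4251 mpint: two's-complement big-endian, with a leading 0x00 if the high bit is set."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def to_openssh(key, comment="serverkey"):
    """Encode the key as an OpenSSH public key line (ssh-rsa, RFC 4253 section 6.6)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(key["exponent"]) + _ssh_mpint(key["modulus"])
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def meets_minimum(key, min_bits=2048):
    """True if the modulus is at least min_bits long (2048 is this example's assumed floor)."""
    return key["modulus_bits"] >= min_bits


if __name__ == "__main__":
    key = parse_rsa_public_key(SERVERKEY_HEX)
    print("modulus bits:", key["modulus_bits"], "exponent:", key["exponent"])
    print(to_openssh(key))
```

The parser reports that the serverkey pair on the page is a 768-bit RSA key with public exponent 65537, which is why the usage guidelines' advice on choosing an appropriate modulus length matters: a peer that enforces a 2048-bit floor will reject this key, and meets_minimum() flags that before the export and import steps are attempted.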
• public-key peer import sshkey
public-key peer
Use public-key peer to specify a name for a peer public key and enter public key view.
Use undo public-key peer to delete a peer public key.
Syntax
public-key peer keyname
undo public-key peer keyname
Default
The local device has no peer public key.
Views
System view
Predefined user roles
network-admin
Parameters
keyname: Specifies a name for a peer public key, a case-sensitive string of 1 to 64 characters.
Use undo public-key peer to remove the specified peer host public key.
Syntax
public-key peer keyname import sshkey filename
undo public-key peer keyname
Default
The device has no peer public key.
Views
System view
Predefined user roles
network-admin
Parameters
keyname: Specifies a name for a peer public key, a case-sensitive string of 1 to 64 characters.
filename: Specifies the name of the file for saving the local host public key. The file name is a string of case-insensitive characters excluding .
IPsec commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces.
received algorithm against all its local algorithms until a match is found. To ensure a successful IKE negotiation, the IPsec transform sets specified at both ends of the tunnel must have at least one same AH authentication algorithm.
Examples
# Create an IPsec transform set, and specify the AH authentication algorithm for the transform set as HMAC-SHA1.
Predefined user roles
network-admin
network-operator
Parameters
policy: Displays information about IPv4 IPsec policies.
policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies an IPsec policy entry by its sequence number in the range of 1 to 65535.
Usage guidelines
• If you do not specify any parameters, this command displays information about all IPsec policies.
ESP SPI: 12345 (0x00003039)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
Table 17 Command output
Field             Description
IPsec Policy      IPsec policy name.
Interface         Interface applied with the IPsec policy.
Sequence number   Sequence number of the IPsec policy entry.
Mode              Negotiation mode of the IPsec policy:
                  • manual—Manual mode.
                  • isakmp—IKE negotiation mode.
IPsec policy configuration incomplete.
Related commands
ipsec policy
display ipsec sa
Use display ipsec sa to display information about IPsec SAs.
Syntax
display ipsec sa [ brief | count | interface interface-type interface-number | policy policy-name [ seq-number ] | remote ip-address ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
brief: Displays brief information about all IPsec SAs.
count: Displays the number of IPsec SAs.
Field    Description
Status   Stateful failover status of the IPsec SA: active or backup. In standalone mode, this field displays –.
# Display the number of IPsec SAs.
display ipsec sa count
Total IPsec SAs count: 4
# Display information about all IPsec SAs.
Field                     Description
Encapsulation mode        Encapsulation mode, transport or tunnel.
Perfect Forward Secrecy   Perfect forward secrecy (PFS) used by the IPsec policy for negotiation:
                          • 768-bit Diffie-Hellman group (dh-group1)
                          • 1024-bit Diffie-Hellman group (dh-group2)
                          • 1536-bit Diffie-Hellman group (dh-group5)
                          • 2048-bit Diffie-Hellman group (dh-group14)
                          • 2048-bit and 256-bit subgroup Diffie-Hellman group (dh-group24)
Path MTU                  Path MTU of the IPsec SA.
display ipsec statistics
Use display ipsec statistics to display IPsec packet statistics.
Syntax
display ipsec statistics [ tunnel-id tunnel-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID in the range of 0 to 4294967295. You can use the display ipsec tunnel brief command to view the IDs of established IPsec tunnels.
Wrong SA: 0
Invalid length: 0
Authentication failure: 0
Encapsulation failure: 0
Decapsulation failure: 0
Replayed packets: 0
ACL check failure: 0
MTU check failure: 0
Loopback limit exceeded: 0
Table 20 Command output
Field                              Description
Received/sent packets              Number of received/sent IPsec-protected packets.
Received/sent bytes                Number of bytes of received/sent IPsec-protected packets.
Dropped packets (received/sent)    Number of dropped IPsec-protected packets (received/sent).
Parameters
transform-set-name: Specifies an IPsec transform set by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
If you do not specify an IPsec transform set, this command displays information about all IPsec transform sets.
Examples
# Display information about all IPsec transform sets.
Syntax
display ipsec tunnel { brief | count | tunnel-id tunnel-id }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
brief: Displays brief information about IPsec tunnels.
count: Displays the number of IPsec tunnels.
tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID in the range of 0 to 4294967295.
Usage guidelines
IPsec transmits data in a secure channel established between two endpoints (such as two security gateways).
Perfect forward secrecy:
SA's SPI:
  outbound: 2000 (0x000007d0) [AH]
  inbound: 1000 (0x000003e8) [AH]
  outbound: 4000 (0x00000fa0) [ESP]
  inbound: 3000 (0x00000bb8) [ESP]
Tunnel:
  local address:
  remote address:
Flow:
Tunnel ID: 1
Status: active
Perfect forward secrecy:
SA's SPI:
  outbound: 6000 (0x00001770) [AH]
  inbound: 5000 (0x00001388) [AH]
  outbound: 8000 (0x00001f40) [ESP]
  inbound: 7000 (0x00001b58) [ESP]
Tunnel:
  local address: 1.2.3.1
  remote address: 2.2.2.
Field                     Description
Perfect Forward Secrecy   Perfect forward secrecy (PFS) used by the IPsec policy for negotiation:
                          • 768-bit Diffie-Hellman group (dh-group1)
                          • 1024-bit Diffie-Hellman group (dh-group2)
                          • 1536-bit Diffie-Hellman group (dh-group5)
                          • 2048-bit Diffie-Hellman group (dh-group14)
                          • 2048-bit and 256-bit subgroup Diffie-Hellman group (dh-group24)
SA's SPI                  SPIs of the inbound and outbound SAs.
Tunnel                    Local and remote addresses of the IPsec tunnel.
IP header. You can use the transport mode when end-to-end security protection is required (the secured transmission start and end points are the actual start and end points of the data). The transport mode is typically used for protecting host-to-host communications.
• Tunnel mode—The security protocols protect the entire IP packet. The entire IP packet is used to calculate the security protocol headers.
Usage guidelines
In non-FIPS mode, you can specify multiple ESP authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.
• For a manual IPsec policy, the first specified ESP authentication algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first ESP authentication algorithm.
aes-cbc-192: Uses the AES algorithm in CBC mode, which uses a 192-bit key.
aes-cbc-256: Uses the AES algorithm in CBC mode, which uses a 256-bit key.
des-cbc: Uses the DES algorithm in CBC mode, which uses a 64-bit key.
null: Uses the NULL algorithm, which means encryption is not performed.
Usage guidelines
You can specify multiple ESP encryption algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.
Usage guidelines
The IKE profile referenced by an IPsec policy defines the parameters used for IKE negotiation. An IPsec policy can reference only one IKE profile, and it cannot reference an IKE profile that is already referenced by another IPsec policy.
Examples
# Specify IPsec policy policy1 to reference IKE profile profile1.
Related commands
ipsec anti-replay window
ipsec anti-replay window
Use ipsec anti-replay window to set the anti-replay window size.
Use undo ipsec anti-replay window to restore the default.
Syntax
ipsec anti-replay window width
undo ipsec anti-replay window
Default
The anti-replay window size is 64.
Views
System view
Predefined user roles
network-admin
Parameters
width: Specifies the size for the anti-replay window. It can be 64, 128, 256, 512, or 1024 packets.
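The window width set by ipsec anti-replay window bounds how far out of order a protected packet may arrive and still be accepted, while any sequence number already seen, or older than the window, is dropped and counted under "Replayed packets" in display ipsec statistics. The sliding-window receiver below is an added example modelled on the bitmap algorithm in RFC 4303 Appendix A; it is not the switch's implementation and HP does not publish one. It accepts only the widths the command allows and separates the pre-authentication check from the post-authentication mark, because a receiver must not record a sequence number until the packet's integrity check has passed.

```python
class AntiReplayWindow:
    """Sliding-window replay detector for one inbound IPsec SA (RFC 4303 Appendix A style).

    `top` is the highest sequence number accepted so far; bit i of `bitmap` is set
    when sequence number (top - i) has been accepted. Widths are the values the
    ipsec anti-replay window command permits.
    """

    ALLOWED_WIDTHS = (64, 128, 256, 512, 1024)

    def __init__(self, width=64):
        if width not in self.ALLOWED_WIDTHS:
            raise ValueError(f"window width must be one of {self.ALLOWED_WIDTHS}")
        self.width = width
        self.top = 0
        self.bitmap = 0

    def check(self, seq):
        """Pre-authentication check: True if seq is new and inside the window (no state change)."""
        if seq == 0:                      # ESP sequence numbers start at 1
            return False
        if seq > self.top:                # ahead of the window: always fresh
            return True
        diff = self.top - seq
        if diff >= self.width:            # behind the window: too old
            return False
        return not (self.bitmap >> diff) & 1   # inside the window: fresh unless already marked

    def mark(self, seq):
        """Post-authentication update: record seq after its ICV has verified."""
        mask = (1 << self.width) - 1
        if seq > self.top:
            shift = seq - self.top        # slide the window forward and set bit 0 for seq
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def accept(self, seq, icv_ok=True):
        """Full receive path: reject replays first, then mark only if authentication succeeded."""
        if not self.check(seq):
            return False                  # would be counted as a replayed packet
        if not icv_ok:
            return False                  # would be counted as an authentication failure
        self.mark(seq)
        return True


def replay_trace(width, sequence_numbers):
    """Feed a constructed arrival order through a window; return the per-packet verdicts."""
    w = AntiReplayWindow(width)
    return [w.accept(s) for s in sequence_numbers]


if __name__ == "__main__":
    # Constructed arrival order: in-order, a replay, a jump, one too-old, one late-but-valid.
    print(replay_trace(64, [1, 2, 2, 100, 36, 37, 37, 99]))
```

With the default width of 64 and top advanced to 100, sequence numbers 37 through 100 are inside the window, so a late packet 37 is still accepted once, while 36 is already outside it and is dropped even though it was never seen.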
Default
No IPsec policy is applied to an interface.
Views
Interface view
Predefined user roles
network-admin
Parameters
policy-name: Specifies the name of an IPv4 IPsec policy, a case-insensitive string of 1 to 63 characters.
Usage guidelines
You can apply only one IPsec policy on an interface. To apply a new IPsec policy to the interface, you must first remove the IPsec policy that is already applied to the interface. An IKE-based IPsec policy can be applied to multiple interfaces.
network security. In this scenario, you can enable ACL checking for de-encapsulated IPsec packets. All packets failing the checking are discarded, improving the network security.
Examples
# Enable ACL checking for de-encapsulated IPsec packets.
system-view
[Sysname] ipsec decrypt-check enable
ipsec logging packet enable
Use ipsec logging packet enable to enable logging for IPsec packets.
Use undo ipsec logging packet enable to disable logging for IPsec packets.
Views
Interface view
Predefined user roles
network-admin
Parameters
clear: Clears the DF bit for outer IP headers. In this case, the encapsulated IPsec packets can be fragmented.
copy: Copies the DF bit of the original IP headers to the outer IP headers.
set: Sets the DF bit for outer IP headers. In this case, the encapsulated IPsec packets cannot be fragmented.
Usage guidelines
This command is effective only when the IPsec encapsulation mode is tunnel mode.
Parameters
clear: Clears the DF bit for outer IP headers. In this case, the encapsulated IPsec packets can be fragmented.
copy: Copies the DF bit of the original IP headers to the outer IP headers.
set: Sets the DF bit for outer IP headers. In this case, the encapsulated IPsec packets cannot be fragmented.
Usage guidelines
This command is effective only when the IPsec encapsulation mode is tunnel mode. It is not effective in transport mode because outer IP headers are not added in transport mode.
• You cannot change the SA setup mode of an existing IPsec policy.
• An IPsec policy is a set of IPsec policy entries that have the same name but different sequence numbers. In the same IPsec policy, an IPsec policy entry with a smaller sequence number has a higher priority.
• With the seq-number argument specified, the undo command deletes the specified IPsec policy entry. Without this argument, the undo command deletes all entries of the specified IPsec policy.
Usage guidelines For high availability, two interfaces might operate in backup or load sharing mode. After an IPsec policy is applied to the two interfaces, they negotiate with their peers to establish IPsec SAs respectively. When one interface fails and a link failover occurs, the other interface needs to take some time to re-negotiate SAs, resulting in service interruption. To solve these problems, bind a source interface to an IPsec policy and apply the policy to both interfaces.
traffic-based kilobytes: Specifies the traffic-based global lifetime for IPsec SAs, in the range of 2560 to 4294967295 kilobytes. When traffic on an SA reaches this value, the SA expires.
Usage guidelines
You can also configure IPsec SA lifetimes in IPsec policy view. The device prefers the IPsec SA lifetimes configured in IPsec policy view over the global IPsec SA lifetimes.
When IKE negotiates IPsec SAs, it uses the local lifetime settings or those proposed by the peer, whichever are smaller.
Examples
# Set the IPsec SA idle timeout to 600 seconds.
system-view
[Sysname] ipsec sa idle-time 600
Related commands
• display ipsec sa
• sa idle-time
ipsec transform-set
Use ipsec transform-set to create an IPsec transform set and enter IPsec transform set view.
Use undo ipsec transform-set to delete an IPsec transform set.
Syntax
ipsec transform-set transform-set-name
undo ipsec transform-set transform-set-name
Default
No IPsec transform set exists.
Syntax
local-address ipv4-address
undo local-address
Default
The primary IPv4 address of the interface to which the IPsec policy is applied is used as the local IPv4 address.
Views
IPsec policy view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the local IPv4 address for the IPsec tunnel.
Usage guidelines
The remote IP address on the IKE negotiation initiator must be the same as the local address on the IKE negotiation responder.
Examples
# Configure the local address 1.1.1.
Predefined user roles
network-admin
Parameters
dh-group1: Uses the 768-bit Diffie-Hellman group.
dh-group2: Uses the 1024-bit Diffie-Hellman group.
dh-group5: Uses the 1536-bit Diffie-Hellman group.
dh-group14: Uses the 2048-bit Diffie-Hellman group.
dh-group24: Uses the 2048-bit and 256-bit subgroup Diffie-Hellman group.
ah: Specifies the AH protocol.
Usage guidelines
The two tunnel ends must use the same security protocol in the IPsec transform set.
Examples
# Specify the AH protocol for the IPsec transform set.
system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] protocol ah
qos pre-classify
Use qos pre-classify to enable the QoS pre-classify feature.
Use undo qos pre-classify to restore the default.
Default
No remote IP address is specified for the IPsec tunnel.
Views
IPsec policy view
Predefined user roles
network-admin
Parameters
hostname: Specifies the remote host name, a case-insensitive string of 1 to 253 characters. The host name can be resolved to an IP address by the DNS server.
ipv4-address: Specifies a remote IPv4 address.
Usage guidelines
This remote IP address configuration is required on the IKE negotiation initiator and optional on the responder.
Related commands
• ip host (see Layer 3—IP Services Command Reference)
• local-address
reset ipsec sa
Use reset ipsec sa to clear IPsec SAs.
Syntax
reset ipsec sa [ policy policy-name [ seq-number ] | remote ipv4-address | spi ipv4-address { ah | esp } spi-num ]
Views
User view
Predefined user roles
network-admin
Parameters
policy policy-name [ seq-number ]: Clears IPsec SAs for the specified IPsec policy.
• policy: Specifies an IPv4 IPsec policy.
Examples
# Clear all IPsec SAs.
reset ipsec sa
# Clear the inbound and outbound IPsec SAs for the triplet of SPI 123, remote IP address 10.1.1.2, and security protocol AH.
reset ipsec sa spi 10.1.1.2 ah 123
# Clear all IPsec SAs for the remote IP address 10.1.1.2.
reset ipsec sa remote 10.1.1.2
# Clear all IPsec SAs for the entry 10 of the IPsec policy policy1.
reset ipsec sa policy policy1 10
# Clear all IPsec SAs for the IPsec policy policy1.
Default
The SA lifetime of an IPsec policy is the current global SA lifetime.
Views
IPsec policy view
Predefined user roles
network-admin
Parameters
time-based seconds: Specifies the time-based SA lifetime in the range of 180 to 604800 seconds.
traffic-based kilobytes: Specifies the traffic-based SA lifetime in the range of 2560 to 4294967295 kilobytes.
Usage guidelines
IKE prefers the SA lifetime of the IPsec policy over the global SA lifetime.
Views
IPsec policy view
Predefined user roles
network-admin
Parameters
inbound: Specifies a hexadecimal authentication key for inbound SAs.
outbound: Specifies a hexadecimal authentication key for outbound SAs.
ah: Uses AH.
esp: Uses ESP.
cipher key-value: Sets a ciphertext authentication key, a case-sensitive string of 1 to 85 characters.
simple key-value: Sets a plaintext authentication key.
undo sa hex-key encryption { inbound | outbound } esp
Default
No encryption key is configured for manual IPsec SAs.
Views
IPsec policy view
Predefined user roles
network-admin
Parameters
inbound: Specifies a hexadecimal encryption key for inbound SAs.
outbound: Specifies a hexadecimal encryption key for outbound SAs.
esp: Uses ESP.
cipher key-value: Sets a ciphertext encryption key, a case-sensitive string of 1 to 117 characters.
simple key-value: Sets a plaintext encryption key.
sa idle-time
Use sa idle-time to set the IPsec SA idle timeout for an IPsec policy. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted.
Use undo sa idle-time to restore the default.
Syntax
sa idle-time seconds
undo sa idle-time
Default
An IPsec policy uses the global IPsec SA idle timeout.
Views
IPsec policy view
Predefined user roles
network-admin
Parameters
seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds.
Views
IPsec policy view
Predefined user roles
network-admin
Parameters
inbound: Specifies an SPI for inbound SAs.
outbound: Specifies an SPI for outbound SAs.
ah: Uses AH.
esp: Uses ESP.
spi-number: Specifies a security parameter index (SPI) in the range of 256 to 4294967295.
Usage guidelines
This command applies to only manual IPsec policies.
Predefined user roles
network-admin
Parameters
inbound: Sets a key string for inbound IPsec SAs.
outbound: Sets a key string for outbound IPsec SAs.
ah: Uses AH.
esp: Uses ESP.
cipher: Sets a ciphertext key.
simple: Sets a plaintext key.
key-value: Specifies a case-sensitive key string. If cipher is specified, it must be a string of 1 to 373 characters. If simple is specified, it must be a string of 1 to 255 characters.
Default
An IPsec policy references no ACL.
Views
IPsec policy view
Predefined user roles
network-admin
Parameters
acl-number: Specifies an ACL by its number in the range of 3000 to 3999.
name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.
aggregation: Specifies the data protection mode as aggregation.
per-host: Specifies the data protection mode as per-host.
Related commands
• display ipsec sa
• display ipsec tunnel
snmp-agent trap enable ipsec
Use the snmp-agent trap enable ipsec command to enable SNMP notifications for IPsec.
Use the undo snmp-agent trap enable ipsec command to disable SNMP notifications for IPsec.
Examples
To enable SNMP notifications when an IPsec tunnel is created, execute the following commands:
# Enable SNMP notifications for IPsec globally.
system-view
[Sysname] snmp-agent trap enable ipsec global
# Enable SNMP notifications for events of creating IPsec tunnels.
[Sysname] snmp-agent trap enable ipsec tunnel-start
transform-set
Use transform-set to reference an IPsec transform set for an IPsec policy.
Related commands
• ipsec policy
• ipsec transform-set
IKE commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces.
authentication-method
Use authentication-method to specify an authentication method to be used in an IKE proposal.
Use undo authentication-method to restore the default.
Syntax
authentication-method pre-share
undo authentication-method
Default
The IKE proposal uses the pre-shared key as the authentication method.
Views
IKE proposal view
Predefined user roles
network-admin
Parameters
pre-share: Specifies the pre-shared key as the authentication method.
In FIPS mode:
dh group14
undo dh
Default
In non-FIPS mode, group1, the 768-bit Diffie-Hellman group, is used. In FIPS mode, group14, the 2048-bit Diffie-Hellman group, is used.
Views
IKE proposal view
Predefined user roles
network-admin
Parameters
group1: Uses the 768-bit Diffie-Hellman group.
group14: Uses the 2048-bit Diffie-Hellman group.
group2: Uses the 1024-bit Diffie-Hellman group.
group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup.
Usage guidelines
This command displays the configuration information about all IKE proposals in descending order of proposal priorities. If no IKE proposal is configured, the command displays the default IKE proposal.
Examples
# Display the configuration information about all IKE proposals.
Parameters
verbose: Displays detailed information.
connection-id connection-id: Displays detailed information about IKE SAs by connection ID in the range of 1 to 2000000000.
remote-address remote-address: Displays detailed information about IKE SAs with the specified remote address.
Usage guidelines
If you do not specify any parameter, the command displays a summary about all IKE SAs.
Examples
# Display information about the current IKE SAs.
Authentication-algorithm: SHA1
Encryption-algorithm: AES-CBC-128
Life duration(sec): 86400
Remaining key duration(sec): 86379
Exchange-mode: Main
Diffie-Hellman group: Group 1
NAT traversal: Not detected
# Display detailed information about the IKE SA with the remote address of 4.4.4.5.
display ike sa verbose remote-address 4.4.4.5
---------------------------------------------
Connection ID: 2
Profile: prof1
Transmitting entity: Initiator
---------------------------------------------
Local IP: 4.4.4.
Field: Description
Authentication-method: Authentication method used by the IKE proposal.
Authentication-algorithm:
• MD5—HMAC-MD5 algorithm.
• SHA1—HMAC-SHA1 algorithm.
Encryption-algorithm: Encryption algorithm used by the IKE proposal.
Life duration(sec): Lifetime of the IKE SA in seconds.
Remaining key duration(sec): Remaining lifetime of the IKE SA in seconds.
Exchange-mode: IKE negotiation mode in phase 1: main mode or aggressive mode.
When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply.
It is a good practice to set the triggering interval longer than the retry interval so that a DPD detection does not occur during a DPD retry.
Examples
# Configure DPD to be triggered every 10 seconds and every 5 seconds between retries if the peer does not respond.
des-cbc: Uses the DES algorithm in CBC mode as the encryption algorithm. The DES algorithm uses a 56-bit key for encryption.
Usage guidelines
Different algorithms provide different levels of protection. Generally, an algorithm with a longer key is stronger. A stronger algorithm provides more resistance to decryption but uses more resources. The algorithm strength from low to high is des-cbc, 3des-cbc, aes-cbc-128, aes-cbc-192, and aes-cbc-256.
Examples
# Specify that IKE negotiation operates in main mode.
system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1] exchange-mode main
Related commands
display ike proposal
ike dpd
Use ike dpd to enable sending DPD messages.
Use undo ike dpd to disable the DPD feature.
Syntax
ike dpd interval interval-seconds [ retry seconds ] { on-demand | periodic }
undo ike dpd interval
Default
IKE DPD is disabled.
Examples
# Configure DPD to be triggered every 10 seconds and every 5 seconds between retries if the peer does not respond.
system-view
[Sysname] ike dpd interval 10 retry 5 on-demand
Related commands
dpd
ike identity
Use ike identity to specify the global identity used by the local end during IKE negotiations.
Use undo ike identity to remove the configuration and restore the default.
ike invalid-spi-recovery enable
Use ike invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery.
Use undo ike invalid-spi-recovery enable to restore the default.
Syntax
ike invalid-spi-recovery enable
undo ike invalid-spi-recovery enable
Default
SPI recovery is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
An IPsec "black hole" occurs when one IPsec peer fails (for example, a peer can fail if a reboot occurs).
Views
System view
Predefined user roles
network-admin
Parameters
seconds: Specifies the number of seconds between IKE keepalives, in the range of 20 to 28800.
Usage guidelines
To detect the status of the peer, configure IKE DPD instead of the IKE keepalive function, unless IKE DPD is not supported on the peer.
The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the peer.
The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the peer. Since it seldom occurs that more than three consecutive packets are lost on a network, you can set the keepalive timeout timer to three times as long as the keepalive interval.
Examples
# Set the keepalive timeout time to 20 seconds.
Use undo ike limit to restore the default.
Syntax
ike limit { max-negotiating-sa negotiation-limit | max-sa sa-limit }
undo ike limit { max-negotiating-sa | max-sa }
Default
There is no limit to the maximum number of IKE SAs.
Views
System view
Predefined user roles
network-admin
Parameters
max-negotiating-sa negotiation-limit: Specifies the maximum number of half-open IKE SAs, in the range of 1 to 99999.
max-sa sa-limit: Specifies the maximum number of established IKE SAs, in the range of 1 to 99999.
Predefined user roles
network-admin
Parameters
seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 300.
Usage guidelines
This command takes effect only for a device behind a NAT server. When the device resides behind a NAT server, the IKE gateway behind the NAT server needs to send NAT keepalive packets to its peer IKE gateway to keep the NAT session alive.
Examples
# Set the NAT keepalive interval to 5 seconds.
undo ike proposal proposal-number
Default
The system has an IKE proposal that is used as the default IKE proposal. This proposal has the lowest priority and uses the following settings:
• Encryption algorithm—DES-CBC in non-FIPS mode and AES-CBC-128 in FIPS mode.
• Authentication method—Pre-shared key authentication.
• Authentication algorithm—HMAC-SHA1.
• DH group—Group1 in non-FIPS mode and group14 in FIPS mode.
• IKE SA lifetime—86400 seconds.
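The encryption-algorithm strength order, the DH group sizes, the DPD interval/retry guideline and the default-proposal behaviour above are the kind of facts an operator wants checked automatically against a device's running configuration. The following is an added example, not code from the HP reference or from Comware: it parses a Comware-style configuration text and reports weak or inconsistent IKE settings. The text layout it expects (section commands at column 0, view sub-commands indented one space, `#` separators) and the policy floor of aes-cbc-128 and a 2048-bit DH group are assumptions of this example; the strength order, group sizes and default-proposal contents come from the commands described on this page.

```python
"""Added example (not from the HP reference): audit IKE proposals and the DPD
timer in Comware-style configuration text against facts stated in this chapter.

Assumptions of this example: configuration is parsed as plain text in the layout
the device prints (section lines at column 0, view sub-commands indented one
space, '#' separators); the policy floor of aes-cbc-128 and a 2048-bit DH group
is an example choice, not a value from the manual.
"""
import re
from typing import Dict, List, Optional

# Strength order from the encryption-algorithm usage guidelines (low to high).
ENCRYPTION_STRENGTH = ["des-cbc", "3des-cbc", "aes-cbc-128", "aes-cbc-192", "aes-cbc-256"]

# Modulus sizes from the dh command parameters.
DH_GROUP_BITS = {"group1": 768, "group2": 1024, "group14": 2048, "group24": 2048}

MIN_ENCRYPTION = "aes-cbc-128"  # example policy floor (assumption)
MIN_DH_BITS = 2048              # example policy floor (assumption)

PROPOSAL_RE = re.compile(r"ike proposal (\d+)")
DPD_RE = re.compile(r"ike dpd interval (\d+)(?: retry (\d+))? (on-demand|periodic)")


def parse_ike_config(text: str) -> Dict[str, object]:
    """Collect IKE proposals (by number) and the system-view DPD setting."""
    proposals: Dict[int, Dict[str, str]] = {}
    dpd: Optional[Dict[str, Optional[int]]] = None
    current: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
            continue
        if raw.startswith(" "):
            # Indented line: a sub-command of the proposal view opened above.
            if current is not None:
                key, _, value = line.partition(" ")
                if key in ("encryption-algorithm", "dh"):
                    proposals[current][key] = value
            continue
        m = PROPOSAL_RE.fullmatch(line)
        if m:
            current = int(m.group(1))
            proposals.setdefault(current, {})
            continue
        current = None
        m = DPD_RE.fullmatch(line)
        if m:
            dpd = {"interval": int(m.group(1)),
                   "retry": int(m.group(2)) if m.group(2) else None}
    return {"proposals": proposals, "dpd": dpd}


def audit_ike(text: str, fips_mode: bool = False) -> List[str]:
    """Return one finding per weak or inconsistent setting (empty list = clean)."""
    cfg = parse_ike_config(text)
    findings: List[str] = []
    proposals = cfg["proposals"]
    if not proposals:
        # ike proposal default: with no configured proposal, the lowest-priority
        # default proposal is what the device negotiates with.
        default = "AES-CBC-128, group14" if fips_mode else "DES-CBC, group1"
        findings.append(f"no IKE proposal configured; default proposal applies ({default})")
    for num, p in sorted(proposals.items()):
        enc = p.get("encryption-algorithm")
        if enc is None:
            findings.append(f"proposal {num}: encryption-algorithm not set, command default applies")
        elif enc not in ENCRYPTION_STRENGTH:
            findings.append(f"proposal {num}: unrecognised encryption algorithm {enc}")
        elif ENCRYPTION_STRENGTH.index(enc) < ENCRYPTION_STRENGTH.index(MIN_ENCRYPTION):
            findings.append(f"proposal {num}: {enc} is weaker than {MIN_ENCRYPTION}")
        dh = p.get("dh")
        if dh is None:
            findings.append(f"proposal {num}: dh not set, command default applies")
        elif DH_GROUP_BITS.get(dh, 0) < MIN_DH_BITS:
            findings.append(f"proposal {num}: DH {dh} is below {MIN_DH_BITS} bits")
    dpd = cfg["dpd"]
    if dpd and dpd["retry"] is not None and dpd["interval"] <= dpd["retry"]:
        # dpd usage guideline: the triggering interval should exceed the retry interval.
        findings.append("ike dpd: triggering interval is not longer than the retry interval")
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
#
ike proposal 1
 encryption-algorithm des-cbc
 dh group1
#
ike proposal 2
 encryption-algorithm aes-cbc-256
 dh group14
 sa duration 3600
#
ike dpd interval 5 retry 10 on-demand
#
"""

if __name__ == "__main__":
    for finding in audit_ike(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed configuration, the audit flags proposal 1 twice (DES-CBC and group1) and the inverted DPD timers, and passes proposal 2; run against an empty configuration it reports that the default proposal, DES-CBC with group1 outside FIPS mode, is what the device will offer.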
Syntax
keychain keychain-name
undo keychain keychain-name
Default
No IKE keychain is specified for an IKE profile.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
An IKE profile can reference up to six IKE keychains. An IKE keychain specified earlier has a higher priority.
Examples
# Specify IKE keychain abc for IKE profile 1.
Parameters
address ipv4-address: Uses an IPv4 address as the local ID.
dn: Uses the DN in the local certificate as the local ID.
fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN.
user-fqdn user-fqdn-name: Uses a user FQDN as the local ID.
Usage guidelines Use this command to specify which address or interface can use the IKE keychain for IKE negotiation. Specify the local address configured in IPsec policy view (using the local-address command) for this command. If no local address is configured, specify the IP address of the interface that references the IPsec policy. You can specify up to six IKE keychains for an IKE profile. An IKE keychain specified earlier has a higher priority.
2.2.2.10 command for IKE profile B. For peer 2.2.2.2, IKE profile A is preferred because IKE profile A was configured earlier. To use IKE profile B for the peer, you can use this command to restrict the application scope of IKE profile B to address 2.2.2.2.
Examples
# Create IKE profile prof1.
system-view
[Sysname] ike profile prof1
match remote
Use match remote to configure a peer ID for IKE profile matching.
Use undo match remote to delete a peer ID.
To make sure only one IKE profile is matched for a peer, do not configure the same peer ID for two or more IKE profiles. If you configure the same peer ID for two or more IKE profiles, which IKE profile is selected for IKE negotiation is unpredictable.
For an IKE profile, you can configure multiple peer IDs. A peer ID configured earlier has a higher priority.
Examples
# Create IKE profile prof1.
simple-key: Specifies a plaintext key. In non-FIPS mode, it is a case-sensitive string of 1 to 128 characters. In FIPS mode, it is a case-sensitive string of 15 to 128 characters, and it must contain uppercase and lowercase letters, digits, and special characters.
cipher: Specifies a pre-shared key in cipher text.
cipher-key: Specifies a ciphertext key. In non-FIPS mode, it is a case-sensitive string of 1 to 201 characters. In FIPS mode, it is a case-sensitive string of 15 to 201 characters.
Usage guidelines
To determine the priority of an IKE keychain, the device examines the existence of the match local address command before examining the priority number. An IKE keychain with the match local address command configured has a higher priority than an IKE keychain that does not have the match local address command configured.
Examples
# Set the priority to 10 for IKE keychain key1.
Use undo proposal to remove the IKE proposal references.
Syntax
proposal proposal-number&<1-6>
undo proposal
Default
An IKE profile references no IKE proposals and uses the IKE proposals configured in system view for IKE negotiation.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
proposal-number&<1-6>: Specifies up to six IKE proposal numbers, each in the range of 1 to 65535. An IKE proposal specified earlier has a higher priority.
Usage guidelines
When you delete an IKE SA, the device automatically sends a notification to the peer.
Examples
# Display the current IKE SAs.
display ike sa
Total IKE SAs: 2
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
    1               202.38.0.2            RD|ST        IPSEC
    2               202.38.0.3            RD|ST        IPSEC
Flags:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
# Delete the IKE SA with the connection ID 2.
reset ike sa 2
# Display the current IKE SAs.
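The display ike sa summary above, with its Flag column and the legend the command prints (RD, ST, RL, FD, TO), is the output a monitoring job would scrape to find tunnels that are no longer READY. Below is an added example, not code from the HP reference, that parses that table, decodes the flags and cross-checks the row count against the Total IKE SAs line so a cut-off capture is noticed. The sample output is constructed after the layout shown on this page; a third SA in the FADING|TIMEOUT state is invented for the demonstration.

```python
"""Added example (not from the HP reference): parse the summary table printed by
display ike sa and decode the Flag column, so a monitoring script can report
IKE SAs that are not READY. SAMPLE_OUTPUT is constructed after the layout shown
in the reference; the flag legend is the one the command prints.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

FLAG_LEGEND = {"RD": "READY", "ST": "STAYALIVE", "RL": "REPLACED",
               "FD": "FADING", "TO": "TIMEOUT"}

# Data rows: connection ID, remote address, flag set, DOI.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
TOTAL_RE = re.compile(r"^Total IKE SAs:\s*(\d+)")


@dataclass
class IkeSaSummary:
    connection_id: int
    remote: str
    flags: List[str]
    doi: str

    def is_ready(self) -> bool:
        return "RD" in self.flags


def decode_flags(flags: List[str]) -> List[str]:
    """Expand flag abbreviations using the legend the command prints."""
    return [FLAG_LEGEND.get(f, f"UNKNOWN({f})") for f in flags]


def parse_ike_sa(output: str) -> List[IkeSaSummary]:
    """Return one record per data row; header, separator and legend lines are skipped."""
    sas: List[IkeSaSummary] = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            conn, remote, flag, doi = m.groups()
            sas.append(IkeSaSummary(int(conn), remote, flag.split("|"), doi))
    return sas


def parse_total(output: str) -> Optional[int]:
    """The count the device reports, or None if the line is missing."""
    for line in output.splitlines():
        m = TOTAL_RE.match(line)
        if m:
            return int(m.group(1))
    return None


def report(output: str) -> Dict[str, object]:
    """Summarise: SAs seen, those not READY, and whether the capture looks truncated."""
    sas = parse_ike_sa(output)
    total = parse_total(output)
    return {
        "count": len(sas),
        "not_ready": [sa.connection_id for sa in sas if not sa.is_ready()],
        "truncated": total is not None and total != len(sas),
    }


# Constructed sample, following the layout of the reference's display ike sa output.
SAMPLE_OUTPUT = """\
Total IKE SAs: 3
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
    1               202.38.0.2            RD|ST        IPSEC
    2               202.38.0.3            RD|ST        IPSEC
    3               202.38.0.4            FD|TO        IPSEC
Flags:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
"""

if __name__ == "__main__":
    for sa in parse_ike_sa(SAMPLE_OUTPUT):
        print(sa.connection_id, sa.remote, decode_flags(sa.flags))
    print(report(SAMPLE_OUTPUT))
```

The row pattern requires a numeric first column, which is what keeps the header, the separator and the legend line out of the parsed records; the truncation check matters because a paged or cut-off terminal capture would otherwise silently under-report the tunnel count.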
Use undo sa duration to restore the default.
Syntax
sa duration seconds
undo sa duration
Default
The IKE SA lifetime is 86400 seconds.
Views
IKE proposal view
Predefined user roles
network-admin
Parameters
seconds: Specifies the IKE SA lifetime in seconds, in the range of 60 to 604800.
Usage guidelines
If the communicating peers are configured with different IKE SA lifetime settings, the smaller setting takes effect. Before an IKE SA expires, IKE negotiates a new SA.
Views
System view
Predefined user roles
network-admin
Parameters
attr-not-support: Specifies SNMP notifications for attribute-unsupported failures.
auth-failure: Specifies SNMP notifications for authentication failures.
cert-type-unsupport: Specifies SNMP notifications for certificate-type-unsupported failures.
cert-unavailable: Specifies SNMP notifications for certificate-unavailable failures.
decrypt-failure: Specifies SNMP notifications for decryption failures.
SSH commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
SSH server commands
display ssh server
Use display ssh server on an SSH server to display the SSH server status or sessions.
Field: Description
SSH server key generating interval: SSH server key pair update interval.
SSH authentication retries: Maximum number of authentication attempts for SSH users.
SFTP server: Whether the SFTP server function is enabled.
SFTP server Idle-Timeout: SFTP connection idle timeout timer.
# Display the SSH server sessions.
display ssh server session
UserPid   SessID   Ver
184       0        2.
Parameters
username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users.
Usage guidelines
This command only displays information about SSH users configured by using the ssh user command on the SSH server.
Examples
# Display information about all SSH users.
Predefined user roles
network-admin
Examples
# Enable the SFTP server function.
system-view
[Sysname] sftp server enable
Related commands
display ssh server
sftp server idle-timeout
Use sftp server idle-timeout to set the idle timeout timer for SFTP user connections on an SFTP server.
Use undo sftp server idle-timeout to restore the default.
Syntax
sftp server idle-timeout time-out-value
undo sftp server idle-timeout
Default
The idle timeout timer is 10 minutes.
Syntax
ssh server acl acl-number
undo ssh server acl
Default
An SSH server allows all IPv4 SSH clients to access the server.
Views
System view
Predefined user roles
network-admin
Parameters
acl-number: Specifies an ACL number in the range of 2000 to 4999.
Views
System view
Predefined user roles
network-admin
Parameters
times: Specifies the maximum number of authentication attempts for SSH users, in the range of 1 to 5.
Usage guidelines
You can set this limit to prevent malicious guessing of usernames and passwords. This configuration takes effect only on the users at next login.
Usage guidelines
If a user does not finish the authentication when the timeout timer expires, the connection cannot be established. You can set a small value for the timeout timer to prevent malicious occupation of TCP connections while authentications are suspended.
Examples
# Set the SSH user authentication timeout timer to 10 seconds.
Use undo ssh server dscp to restore the default.
Syntax
ssh server dscp dscp-value
undo ssh server dscp
Default
The DSCP value in IPv4 packets sent by the SSH server is 48.
Views
System view
Predefined user roles
network-admin
Parameters
dscp-value: Specifies the DSCP value in the outbound IPv4 packets, in the range of 0 to 63.
Usage guidelines
The DSCP value of a packet specifies the priority of the packet and affects the transmission priority of the packet.
Related commands
display ssh server
ssh server rekey-interval
Use ssh server rekey-interval to set an interval for updating the RSA server key pair.
Use undo ssh server rekey-interval to restore the default.
Syntax
ssh server rekey-interval hours
undo ssh server rekey-interval
Default
The interval for updating the RSA server key pair is 0, and the system does not update the RSA server key pair.
undo ssh user username
In FIPS mode:
ssh user username service-type { all | scp | sftp | stelnet } authentication-type { password | password-publickey assign publickey keyname }
undo ssh user username
Default
No SSH users exist.
Views
System view
Predefined user roles
network-admin
Parameters
username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If the username contains an ISP domain name, the form is pureusername@domain.
If the authentication method is password, you do not need to execute this command to configure password-only SSH users unless you want to use the display ssh user-information command to display all SSH users, including the password-only SSH users, for centralized management.
If you use the ssh user command to configure a host public key for a user who already has a host public key, the new one overwrites the old one.
Views
SFTP client view
Predefined user roles
network-admin
Usage guidelines
This command functions as the exit and quit commands.
Examples
# Terminate the connection with the SFTP server.
sftp> bye
cd
Use cd to change the working path on an SFTP server.
Syntax
cd [ remote-path ]
Views
SFTP client view
Predefined user roles
network-admin
Parameters
remote-path: Specifies the name of a path on the server.
Usage guidelines
You can use the cd .. command to return to the upper-level directory.
Predefined user roles
network-admin
Examples
# Return to the upper-level directory from the current working directory /test1.
sftp> cd test1
Current Directory is:/test1
sftp> pwd
Remote working directory: /test1
sftp> cdup
Current Directory is:/
sftp> pwd
Remote working directory: /
sftp>
delete
Use delete to delete the specified files from the SFTP server.
Parameters
-a: Displays the names of the files and sub-directories under a directory.
-l: Displays detailed information about the files and sub-directories under a directory in the form of a list.
remote-path: Specifies the name of the directory to be queried. If this argument is not specified, the command displays detailed information about the files and sub-directories under the current working directory.
Examples
# Display the source IP address configured for the SFTP client.
display sftp client source
The source IP address of the SFTP client is 192.168.0.1
Related commands
sftp client source
display ssh client source
Use display ssh client source to display the source IP address or source interface configured for the Stelnet client.
get
Use get to download a file from an SFTP server and save it locally.
Syntax
get remote-file [ local-file ]
Views
SFTP client view
Predefined user roles
network-admin
Parameters
remote-file: Specifies the name of a file on the SFTP server.
local-file: Specifies the name for the local file.
Usage guidelines
If the local-file argument is not specified, the file will be saved locally with the same name as that on the server.
Examples
# Download the file temp1.c and save it as temp.c locally.
dir [-a|-l][path]             Display remote directory listing
                                -a List all filenames
                                -l List filename including the specific information of the file
exit                          Quit sftp
get remote-path [local-path]  Download file
help                          Display this help text
ls [-a|-l][path]              Display remote directory
                                -a List all filenames
                                -l List filename including the specific information of the file
mkdir path                    Create remote directory
put local-path [remote-path]  Upload file
pwd                           Display remote working directory
quit                          Quit sftp
rename oldp
pubkey2
pubkey1
pub1
new1
new2
pub2
# Display detailed information about the files and sub-directories under the current working directory in the form of a list.
sftp> ls -l
-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.
Parameters
local-file: Specifies the name of a local file.
remote-file: Specifies the name of a file on an SFTP server.
Usage guidelines
If the remote-file argument is not specified, the file will be remotely saved with the same name as the local one.
Examples
# Upload the local file startup.bak to the SFTP server and save it as startup01.bak.
sftp> put startup.bak startup01.bak
Uploading startup.bak to /startup01.bak
startup01.bak 100% 1424 1.
sftp> quit
remove
Use remove to delete the specified files from an SFTP server.
Syntax
remove remote-file
Views
SFTP client view
Predefined user roles
network-admin
Parameters
remote-file: Specifies the files to delete from an SFTP server.
Usage guidelines
This command functions as the delete command.
Examples
# Delete the file temp.c from the SFTP server.
sftp> remove temp.c
Removing /temp.c
rename
Use rename to change the name of a file or directory on an SFTP server.
rmdir
Use rmdir to delete the specified directories from an SFTP server.
Syntax
rmdir remote-path
Views
SFTP client view
Predefined user roles
network-admin
Parameters
remote-path: Specifies the directories to delete from an SFTP server.
Examples
# Delete the sub-directory temp1 under the current directory on the SFTP server.
sftp> rmdir temp1
scp
Use scp to establish a connection to an IPv4 SCP server and transfer files with the server.
put: Uploads the file.
source-file-path: Specifies the directory of the source file.
destination-file-path: Specifies the directory of the target file. If this argument is not specified, the directory names of the source and target files are the same.
identity-key: Specifies the public key algorithm for the client, either dsa or rsa. The default is dsa. If the server uses publickey authentication, this keyword must be specified.
• dsa: Specifies the public key algorithm dsa.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
When the client's authentication method is publickey, the client must get the local private key for digital signature. Because publickey authentication uses either the RSA or the DSA algorithm, you must specify an algorithm (by using the identity-key keyword) in order to get the correct data for the local private key.
Examples
# Connect an SCP client to the SCP server 200.1.1.
• dsa: Specifies the public key algorithm dsa.
• rsa: Specifies the public key algorithm rsa.
prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported.
• zlib: Specifies the compression algorithm zlib.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
specify a public key algorithm (by using the identity-key keyword) in order to get the correct data for the local private key.
Examples
# Connect an SFTP client to the IPv4 SFTP server 10.1.1.2 and specify the public key of the server as svkey. The SFTP client uses publickey authentication. Use the following algorithms:
• Preferred key exchange algorithm is dh-group14.
• Preferred server-to-client encryption algorithm is aes128.
• Preferred client-to-server HMAC algorithm is sha1.
Examples
# Specify the source IP address for the SFTP client as 192.168.0.1.
system-view
[Sysname] sftp client source ip 192.168.0.1
Related commands
display sftp client source
ssh client source
Use ssh client source to specify the source IPv4 address or source interface for the Stelnet client.
Use undo ssh client source to remove the configuration.
ssh2 Use ssh2 to establish a connection to an IPv4 Stelnet server.
• sha1: Specifies the HMAC algorithm hmac-sha1.
• sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in non-FIPS mode and dh-group14 in FIPS mode. Algorithm dh-group14 features stronger security but costs more time in calculation than dh-group1.
• dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.
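The prefer-kex, prefer-ctos-cipher and HMAC keywords above set a preference, not a requirement: in the SSH transport protocol (RFC 4253, section 7.1) the algorithm actually used is the first entry in the client's name-list that the server also lists, so if the server does not offer the preferred algorithm the client falls through to whatever else it supports. The following added example, not code from the HP reference or from Comware, models that selection for the key exchange and HMAC keywords on this page. The wire name for dh-group-exchange is the one the reference gives; the wire names for dh-group14 and dh-group1, the order of the non-preferred entries, and the server offers are assumptions made for the demonstration.

```python
"""Added example (not from the HP reference): how a client-side 'preferred'
algorithm interacts with the server's offer under RFC 4253 section 7.1
negotiation. The keyword-to-wire-name mapping for dh-group-exchange is taken
from the reference; the other wire names, the ordering of the non-preferred
entries and the server offers below are assumptions of this example.
"""
from typing import Dict, List, Optional

# Keyword -> SSH algorithm name as sent in KEXINIT.
KEX_NAMES: Dict[str, str] = {
    "dh-group-exchange": "diffie-hellman-group-exchange-sha1",  # name given in the reference
    "dh-group14": "diffie-hellman-group14-sha1",                # assumed wire name
    "dh-group1": "diffie-hellman-group1-sha1",                  # assumed wire name
}
HMAC_NAMES: Dict[str, str] = {"sha1": "hmac-sha1", "sha1-96": "hmac-sha1-96"}


def default_prefer_kex(fips_mode: bool) -> str:
    """Default prefer-kex from the reference: dh-group-exchange, or dh-group14 in FIPS mode."""
    return "dh-group14" if fips_mode else "dh-group-exchange"


def client_name_list(preferred: str, names: Dict[str, str]) -> List[str]:
    """Build the client's name-list with the preferred keyword's algorithm first.

    The order of the remaining entries is an assumption (dictionary order here);
    a real client's list may differ, which is exactly why the fallback matters.
    """
    if preferred not in names:
        raise ValueError(f"{preferred!r} is not a known keyword")
    ordered = [preferred] + [k for k in names if k != preferred]
    return [names[k] for k in ordered]


def negotiate(client_list: List[str], server_list: List[str]) -> Optional[str]:
    """RFC 4253 7.1: the first client algorithm the server also supports, else None."""
    server = set(server_list)
    return next((alg for alg in client_list if alg in server), None)


def negotiate_kex(server_kex: List[str], fips_mode: bool = False,
                  prefer_kex: Optional[str] = None) -> Optional[str]:
    """Key exchange outcome for a client with the given prefer-kex (or the mode default)."""
    preferred = prefer_kex or default_prefer_kex(fips_mode)
    return negotiate(client_name_list(preferred, KEX_NAMES), server_kex)


def negotiate_hmac(server_macs: List[str], prefer_hmac: str) -> Optional[str]:
    """HMAC outcome for a client with the given sha1 / sha1-96 preference."""
    return negotiate(client_name_list(prefer_hmac, HMAC_NAMES), server_macs)


if __name__ == "__main__":
    # Server that offers group14 and group1 only: the non-FIPS default preference
    # (dh-group-exchange) is not available, so negotiation settles on group14.
    print(negotiate_kex(["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]))
    # Server that offers only group1: the client silently falls back to the weaker group.
    print(negotiate_kex(["diffie-hellman-group1-sha1"]))
```

The second case in the usage block is the one to watch operationally: a preference for dh-group14 does not stop a session from completing with dh-group1 when that is all the peer offers, so the server side's offer has to be restricted as well if the weaker group is to be ruled out.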
IP source guard commands The IP source guard function is available on Layer 2 and Layer 3 Ethernet interfaces and VLAN interfaces. The term "interface" in this chapter collectively refers to these types of interfaces. You can use the port link-mode command to configure an Ethernet port as a Layer 2 or Layer 3 interface (see Layer 2—LAN Switching Configuration Guide). The switch has one built-in MPU. The slot number of this MPU is fixed at 0.
slot slot-number: Displays IPv4 source guard binding entries for a card. The slot-number argument specifies the number of the slot that holds the card. (In standalone mode.)
chassis chassis-number slot slot-number: Displays IPv4 source guard binding entries for a card on an IRF member device. The chassis-number argument specifies the ID of the IRF member device. The slot-number argument specifies the number of the slot that holds the card. (In IRF mode.)
ip source binding (interface view) Use ip source binding to configure a static IPv4 source guard binding entry on an interface. Use undo ip source binding to remove the static IPv4 source guard binding entries configured on an interface.
Related commands
• display ip source binding
• ip source binding (system view)
ip source binding (system view)
Use ip source binding to configure a global static IPv4 source guard binding entry.
Use undo ip source binding to remove one or all global static IPv4 source guard binding entries.
Syntax
ip source binding ip-address ip-address mac-address mac-address
undo ip source binding { all | ip-address ip-address mac-address mac-address }
Default
No global static IPv4 source guard binding entry exists.
Syntax
ip verify source { ip-address | ip-address mac-address | mac-address }
undo ip verify source
Default
The IPv4 source guard function is disabled on an interface.
Views
Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, VLAN interface view
Predefined user roles
network-admin
Parameters
ip-address: Filters packets by source IPv4 addresses.
system-view
[Sysname] interface fortygige 1/0/1
[Sysname-FortyGigE1/0/1] ip verify source ip-address mac-address
# Enable IPv4 source guard on VLAN-interface 100 to filter packets received on the interface by using source IPv4 and MAC addresses of IPv4 source guard binding entries.
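The ip source binding and ip verify source commands above describe a per-interface filter: static binding entries name the IP and MAC a host may use, and the ip verify source mode decides which of those fields an inbound packet is matched on. The following is an added example, not code from the HP reference or from Comware, that models that filter for the three modes named in the syntax, so the difference between ip-address and ip-address mac-address filtering can be seen on constructed packets. The interface names follow the example above; the binding entries and packets are constructed, and the rule that an unmatched packet is dropped while an interface without the feature passes everything is this example's reading of the command descriptions.

```python
"""Added example (not from the HP reference): a model of IPv4 source guard
filtering for the three ip verify source modes. Binding entries and packets are
constructed; interface names follow the reference's configuration example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

MODES = ("ip-address", "ip-address mac-address", "mac-address")


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str  # normalised to 12 lowercase hex digits


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str


def norm_mac(mac: str) -> str:
    """Accept H-H-H (Comware style) or colon notation; keep only the hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


class SourceGuard:
    def __init__(self) -> None:
        self.modes: Dict[str, str] = {}               # interface -> ip verify source mode
        self.bindings: Dict[str, Set[Binding]] = {}   # interface -> static entries

    def enable(self, iface: str, mode: str) -> None:
        """ip verify source { ip-address | ip-address mac-address | mac-address }"""
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.modes[iface] = mode

    def bind(self, iface: str, ip: str, mac: str) -> None:
        """ip source binding (interface view): a static entry for this interface."""
        self.bindings.setdefault(iface, set()).add(Binding(ip, norm_mac(mac)))

    def permits(self, iface: str, pkt: Packet) -> bool:
        """True if the packet is forwarded; False if the filter drops it."""
        mode = self.modes.get(iface)
        if mode is None:
            return True  # feature disabled on this interface (the default)
        mac = norm_mac(pkt.src_mac)
        for b in self.bindings.get(iface, ()):
            ip_ok = b.ip == pkt.src_ip
            mac_ok = b.mac == mac
            if mode == "ip-address" and ip_ok:
                return True
            if mode == "mac-address" and mac_ok:
                return True
            if mode == "ip-address mac-address" and ip_ok and mac_ok:
                return True
        return False

    def filter(self, iface: str, packets: List[Packet]) -> Dict[str, int]:
        """Count how a batch of inbound packets fares on one interface."""
        permitted = sum(1 for p in packets if self.permits(iface, p))
        return {"permitted": permitted, "dropped": len(packets) - permitted}


def demo_guard() -> SourceGuard:
    """Constructed setup: IP+MAC filtering on the port, IP-only filtering on the VLAN interface."""
    g = SourceGuard()
    g.enable("FortyGigE1/0/1", "ip-address mac-address")
    g.bind("FortyGigE1/0/1", "192.168.1.10", "0001-0002-0003")
    g.enable("Vlan-interface100", "ip-address")
    g.bind("Vlan-interface100", "192.168.100.20", "0001-0002-0004")
    return g


if __name__ == "__main__":
    g = demo_guard()
    print(g.permits("FortyGigE1/0/1", Packet("192.168.1.10", "0001-0002-0003")))   # True
    print(g.permits("FortyGigE1/0/1", Packet("192.168.1.10", "0001-0002-0099")))   # False: MAC differs
    print(g.permits("Vlan-interface100", Packet("192.168.100.20", "dead-beef-0001")))  # True: IP-only mode
```

The contrast between the two interfaces is the point: in ip-address mode a host that presents the bound IP passes regardless of MAC, so the stricter ip-address mac-address mode is the one that ties the address to a specific station.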
ARP attack protection commands
Unresolvable IP attack protection commands
arp source-suppression enable
Use arp source-suppression enable to enable the ARP source suppression function.
Use undo arp source-suppression enable to restore the default.
Syntax
arp source-suppression enable
undo arp source-suppression enable
Default
The ARP source suppression function is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Configure this feature on the gateways.
Views
System view
Predefined user roles
network-admin
Parameters
limit-value: Sets the maximum number of unresolvable packets that can be processed in 5 seconds. It is in the range of 2 to 1024.
Usage guidelines
If the number of unresolvable packets from a host within 5 seconds exceeds a specific threshold, the device stops processing packets from that host until the 5 seconds elapse.
Examples
# Set the maximum number of unresolvable packets that can be received from a device in 5 seconds to 100.
ARP detection commands
arp detection enable
Use arp detection enable to enable ARP detection.
Use undo arp detection enable to restore the default.
Syntax
arp detection enable
undo arp detection enable
Default
ARP detection is disabled.
Views
VLAN view
Predefined user roles
network-admin
Examples
# Enable ARP detection for VLAN 2.
system-view
[Sysname] vlan 2
[Sysname-vlan2] arp detection enable
arp detection trust
Use arp detection trust to configure a port as an ARP trusted port.
arp detection validate
Use arp detection validate to enable ARP packet validity check. You can specify one or more objects to be checked in one command line.
Use undo arp detection validate to disable ARP packet validity check. If no keyword is specified, this command deletes all objects.
Syntax
arp detection validate { dst-mac | ip | src-mac } *
undo arp detection validate [ dst-mac | ip | src-mac ] *
Default
ARP packet validity check is disabled.
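The arp detection validate syntax names three check objects, dst-mac, ip and src-mac, without spelling out what each compares. The following added example, not code from the HP reference or from Comware, applies the three checks to constructed ARP frames so their effect can be seen. The rules coded here are the usual definitions of these checks in this product family (src-mac: the sender MAC in the ARP body must equal the Ethernet source MAC; dst-mac: in a reply, the target MAC must be neither all-zero nor broadcast and must equal the Ethernet destination MAC; ip: the sender IP, and in a reply also the target IP, must not be all-one or multicast) and are this example's reading, not text from this page.

```python
"""Added example (not from the HP reference): the three ARP packet validity
checks that arp detection validate can enable, applied to constructed frames.
The reference names only the keywords; the rules below are this example's
reading of the usual definitions of these checks, not text from the page.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ALL_CHECKS: Set[str] = {"dst-mac", "ip", "src-mac"}


@dataclass(frozen=True)
class ArpFrame:
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    opcode: int       # ARP_REQUEST or ARP_REPLY
    sender_mac: str   # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


def _invalid_ip(ip: str) -> bool:
    """ip check: all-one (limited broadcast) and multicast addresses are invalid."""
    addr = ipaddress.IPv4Address(ip)
    return addr == ipaddress.IPv4Address("255.255.255.255") or addr.is_multicast


def validate(frame: ArpFrame, checks: Set[str]) -> List[str]:
    """Return the enabled checks the frame fails, in keyword order; empty means valid."""
    failed: List[str] = []
    if "src-mac" in checks and frame.sender_mac.lower() != frame.eth_src.lower():
        failed.append("src-mac")
    if "dst-mac" in checks and frame.opcode == ARP_REPLY:
        tmac = frame.target_mac.lower()
        if tmac in (ZERO_MAC, BROADCAST_MAC) or tmac != frame.eth_dst.lower():
            failed.append("dst-mac")
    if "ip" in checks:
        if _invalid_ip(frame.sender_ip) or (frame.opcode == ARP_REPLY and _invalid_ip(frame.target_ip)):
            failed.append("ip")
    return failed


# Constructed frames (not captured traffic), one per behaviour being shown.
SAMPLE_FRAMES: Dict[str, ArpFrame] = {
    # Ordinary request: broadcast destination, zero target MAC, consistent sender fields.
    "valid_request": ArpFrame("00:11:22:33:44:55", BROADCAST_MAC, ARP_REQUEST,
                              "00:11:22:33:44:55", "10.0.0.5", ZERO_MAC, "10.0.0.1"),
    # Reply whose ARP sender MAC does not match the frame's source MAC.
    "spoofed_reply": ArpFrame("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", ARP_REPLY,
                              "de:ad:be:ef:00:01", "10.0.0.1", "00:aa:bb:cc:dd:ee", "10.0.0.7"),
    # Reply addressed to the broadcast MAC in both header and body.
    "broadcast_reply": ArpFrame("00:11:22:33:44:55", BROADCAST_MAC, ARP_REPLY,
                                "00:11:22:33:44:55", "10.0.0.1", BROADCAST_MAC, "10.0.0.7"),
    # Request claiming a multicast sender IP.
    "multicast_sender": ArpFrame("00:11:22:33:44:55", BROADCAST_MAC, ARP_REQUEST,
                                 "00:11:22:33:44:55", "224.0.0.1", ZERO_MAC, "10.0.0.1"),
}


def check_all(checks: Set[str]) -> Dict[str, List[str]]:
    """Run the enabled checks over every sample frame."""
    return {name: validate(frame, checks) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, failed in check_all(ALL_CHECKS).items():
        print(f"{name}: {'valid' if not failed else 'fails ' + ', '.join(failed)}")
```

The dst-mac check deliberately ignores requests, whose target MAC is legitimately zero and whose frame is legitimately broadcast; the check is meaningful only for replies, which is why the valid request passes all three checks while the broadcast reply fails dst-mac.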
Predefined user roles
network-admin
Examples
# Enable ARP restricted forwarding in VLAN 2.
system-view
[Sysname] vlan 2
[Sysname-vlan2] arp restricted-forwarding enable
display arp detection
Use display arp detection to display the VLANs enabled with ARP detection.
Syntax
display arp detection
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the VLANs enabled with ARP detection.
Usage guidelines
This command displays the numbers of packets discarded by user validity check and ARP packet validity check. If you do not specify any interface, the command displays statistics for all interfaces.
Examples
# Display the ARP detection statistics for all interfaces.
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Clears the ARP detection statistics of a specific interface.
Usage guidelines
If you do not specify any interface, this command clears the statistics of all interfaces.
Examples
# Clear the ARP detection statistics of all interfaces.
uRPF commands
display ip urpf
Use display ip urpf to display uRPF configuration.
Syntax
In standalone mode:
display ip urpf [ slot slot-number ]
In IRF mode:
display ip urpf [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device.
ip urpf
Use ip urpf to enable uRPF.
Use undo ip urpf to disable uRPF.
Syntax
ip urpf { loose | strict }
undo ip urpf
Default
uRPF is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.
strict: Enables strict uRPF check.
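The loose keyword above states the check exactly: the packet's source address must be covered by some FIB entry. Strict mode, as generally defined for unicast reverse path forwarding (RFC 3704), adds that the matching entry's outgoing interface must be the interface the packet arrived on. The following added example, not code from the HP reference or from Comware, performs both checks against a small constructed FIB with longest-prefix matching. The allow_default switch is this example's addition: the reference does not say how a default route is treated, and without excluding it a loose check would pass every source, so the example excludes it unless told otherwise.

```python
"""Added example (not from the HP reference): loose and strict uRPF checks
against a small FIB. Loose mode follows the reference's description; strict
mode follows the general RFC 3704 definition (matching route's outgoing
interface must equal the ingress interface). The FIB, the packets and the
allow_default switch are constructions of this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FibEntry:
    prefix: ipaddress.IPv4Network
    out_iface: str


def fib_lookup(fib: List[FibEntry], addr: str, allow_default: bool = False) -> Optional[FibEntry]:
    """Longest-prefix match for addr; the default route counts only when allowed."""
    ip = ipaddress.IPv4Address(addr)
    best: Optional[FibEntry] = None
    for entry in fib:
        if entry.prefix.prefixlen == 0 and not allow_default:
            continue  # 0.0.0.0/0 would otherwise match any source
        if ip in entry.prefix and (best is None or entry.prefix.prefixlen > best.prefix.prefixlen):
            best = entry
    return best


def urpf_passes(fib: List[FibEntry], src_ip: str, in_iface: str, mode: str,
                allow_default: bool = False) -> bool:
    """True if a packet from src_ip arriving on in_iface passes the uRPF check."""
    if mode not in ("loose", "strict"):
        raise ValueError(f"unknown uRPF mode {mode!r}")
    entry = fib_lookup(fib, src_ip, allow_default)
    if entry is None:
        return False            # no route back to the source: fails in both modes
    if mode == "loose":
        return True             # any matching FIB entry is enough
    return entry.out_iface == in_iface   # strict: must arrive on the return path


# Constructed FIB: two connected-style prefixes and a default route.
SAMPLE_FIB: List[FibEntry] = [
    FibEntry(ipaddress.IPv4Network("10.1.0.0/16"), "Vlan-interface10"),
    FibEntry(ipaddress.IPv4Network("192.168.0.0/24"), "Vlan-interface20"),
    FibEntry(ipaddress.IPv4Network("0.0.0.0/0"), "FortyGigE1/0/1"),
]


if __name__ == "__main__":
    # A 10.1.x.x source arriving on the VLAN interface that routes 10.1.0.0/16: both modes pass.
    print(urpf_passes(SAMPLE_FIB, "10.1.2.3", "Vlan-interface10", "strict"))   # True
    # The same source arriving on the wrong interface: loose passes, strict drops.
    print(urpf_passes(SAMPLE_FIB, "10.1.2.3", "Vlan-interface20", "loose"))    # True
    print(urpf_passes(SAMPLE_FIB, "10.1.2.3", "Vlan-interface20", "strict"))   # False
    # A source covered only by the default route: dropped unless the default route is allowed.
    print(urpf_passes(SAMPLE_FIB, "203.0.113.9", "FortyGigE1/0/1", "loose"))   # False
```

Strict mode is the one that catches a spoofed internal source arriving from the wrong side of the device; loose mode still rejects addresses with no route at all, which is the usual compromise on interfaces where asymmetric routing makes strict mode drop legitimate traffic.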
FIPS commands
display fips status
Use display fips status to display the current FIPS mode state.
Syntax
display fips status
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the current FIPS mode state.
display fips status
FIPS mode is enabled.
Related commands
fips mode enable
fips mode enable
Use fips mode enable to enable FIPS mode.
Use undo fips mode enable to disable FIPS mode.
After you execute the fips mode enable command, the system provides the following methods to enter FIPS mode:
• Automatic reboot
Select the automatic reboot method. The system automatically performs the following tasks:
a. Create a default FIPS configuration file named fips-startup.cfg.
b. Specify the default file as the startup configuration file.
c. Require you to configure the username and password for next login.
Examples
# Enable FIPS mode, and choose the automatic reboot method to enter FIPS mode.
system-view
[Sysname] fips mode enable
FIPS mode change requires a device reboot. Continue? [Y/N]:y
Reboot the device automatically? [Y/N]:y
The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically.
Usage guidelines
To examine whether the cryptography modules operate correctly, you can use this command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. A successful self-test requires that all cryptographic algorithms pass the self-test. If the self-test fails, the card where the self-test process exists reboots.
Examples
# Trigger a self-test on the cryptographic algorithms.
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention: Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.