HP 6600/HSR6600 Routers
Security Command Reference

Part number: 5998-1514
Software version: A6602-CMW520-R3103, A6600-CMW520-R3102-RPE, A6600-CMW520-R3102-RSE, HSR6602_MCP-CMW520-R3102
Document version: 6PW103-20130628
Legal and notice information © Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents

AAA configuration commands
  General AAA configuration commands
    aaa nas-id profile
    access-limi

    expiration-date
    group
    group-attribute allow-guest
    lo

    reset hwtacacs statistics
    reset stop-accounting-buffer (for HWTACACS)
    retry stop-accounting (HWTACACS scheme view)
    secondary accounting (HWTACACS scheme view)

    display portal interface
    display portal server
    display portal server statistics
    display portal tcp-

    password-control authentication-timeout
    password-control complexity
    password-control composition
    password-control enable

    pki certificate attribute-group
    pki delete-certificate
    pki domain
    pki entity

    transform
    transform-set
    tunnel local

    cdup
    delete
    dir

    firewall ipv6 enable
    firewall packet-filter
    firewall packet-filter ipv6
    reset firewa

    firewall http url-filter host acl
    firewall http url-filter host default
    firewall http url-filter host enable
    firewall http url-filt

    ip verify source max-entries
ARP attack protection configuration commands
IP flood protection configuration commands
    arp resolving-route enable
AAA configuration commands

General AAA configuration commands

aaa nas-id profile

Use aaa nas-id profile to create a NAS ID profile and enter its view. A NAS ID profile maintains the bindings between NAS IDs and VLANs.
Use undo aaa nas-id profile to remove a NAS ID profile.

Syntax
aaa nas-id profile profile-name
undo aaa nas-id profile profile-name

Views
System view

Default command level
2: System level

Parameters
profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters.
Views
ISP domain view

Default command level
2: System level

Parameters
max-user-number: Maximum number of online users that the ISP domain can accommodate, in the range of 1 to 2147483646.

Usage guidelines
System resources are limited, and user connections may compete for network resources when there are many users. Setting a proper limit on the number of online users helps provide reliable system performance.

Examples
# Set a limit of 500 user connections for ISP domain test.
Examples
# Configure ISP domain test to use HWTACACS scheme hwtac for command line accounting.
system-view
[Sysname] domain test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

Related commands
• accounting default
• hwtacacs scheme

accounting default

Use accounting default to configure the default accounting method for an ISP domain.
Use undo accounting default to restore the default.
[Sysname] domain test
[Sysname-isp-test] accounting default radius-scheme rd local

Related commands
• local-user
• hwtacacs scheme
• radius scheme

accounting dvpn

Use accounting dvpn to configure the accounting method for DVPN users.
Use undo accounting dvpn to restore the default.

Syntax
accounting dvpn { local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting dvpn

Default
The default accounting method for the ISP domain is used for DVPN users.
• radius scheme

accounting lan-access

Use accounting lan-access to configure the accounting method for LAN users.
Use undo accounting lan-access to restore the default.

Syntax
accounting lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo accounting lan-access

Default
The default accounting method for the ISP domain is used for LAN users.

Views
ISP domain view

Default command level
2: System level

Parameters
local: Performs local accounting.
accounting login

Use accounting login to configure the accounting method for login users through the console, AUX, or Asyn port or through Telnet.
Use undo accounting login to restore the default.

Syntax
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting login

Default
The default accounting method for the ISP domain is used for login users.
accounting optional

Use accounting optional to enable the accounting optional feature.
Use undo accounting optional to disable the feature.

Syntax
accounting optional
undo accounting optional

Default
The feature is disabled.

Usage guidelines
With accounting optional enabled, a user for whom accounting cannot be performed (for example, because no accounting server responds) stays online and simply goes unaccounted. With the feature disabled, such a user is logged off. Enable it only where missing accounting records for those sessions is acceptable.
Default command level
2: System level

Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
The specified RADIUS scheme must have been configured.

Examples
# Configure ISP domain test to use local accounting for portal users.
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.

Examples
# Configure ISP domain test to use local accounting for PPP users.
Parameters
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
The following matrix shows the command and router compatibility:

Command              6602   HSR6602   6604/6608/6616
accounting ssl-vpn   Yes    Yes       No

The specified RADIUS scheme must have been configured.

Examples
# Configure ISP domain test to use RADIUS accounting scheme rd for SSL VPN users.
Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
The default authentication method is used for all users who support the specified authentication method and have no specific authentication method configured.

Examples
# Configure the default authentication method for ISP domain test to use RADIUS authentication scheme rd and use local authentication as the backup.
# Configure ISP domain test to use RADIUS authentication scheme rd for DVPN users and use local authentication as the backup.
system-view
[Sysname] domain test
[Sysname-isp-test] authentication dvpn radius-scheme rd local

Related commands
• local-user
• authentication default
• radius scheme

authentication lan-access

Use authentication lan-access to configure the authentication method for LAN users.
Use undo authentication lan-access to restore the default.
[Sysname-isp-test] authentication lan-access radius-scheme rd local

Related commands
• local-user
• authentication default
• radius scheme

authentication login

Use authentication login to configure the authentication method for login users through the console, AUX, or Asyn port, Telnet, or FTP.
Use undo authentication login to restore the default.
Related commands
• local-user
• authentication default
• hwtacacs scheme
• radius scheme

authentication portal

Use authentication portal to configure the authentication method for portal users.
Use undo authentication portal to restore the default.

Syntax
authentication portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication portal

Default
The default authentication method for the ISP domain is used for portal users.
authentication ppp

Use authentication ppp to configure the authentication method for PPP users.
Use undo authentication ppp to restore the default.

Syntax
authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication ppp

Default
The default authentication method for the ISP domain is used for PPP users.
authentication ssl-vpn

Use authentication ssl-vpn to configure the authentication method for SSL VPN users. Only a RADIUS scheme can be specified; there is no local or none option for SSL VPN users.
Use undo authentication ssl-vpn to restore the default.

Syntax
authentication ssl-vpn radius-scheme radius-scheme-name
undo authentication ssl-vpn

Default
The default authentication method for the ISP domain is used for SSL VPN users.
Default
The default authentication method for the ISP domain is used for user privilege level switching authentication.

Views
ISP domain view

Default command level
2: System level

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated user can access only commands of Level 0.

Usage guidelines
The specified HWTACACS scheme must have been configured.
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the device, and other login users can access only the commands of Level 0.
Parameters
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated LAN user can access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
The specified RADIUS scheme must have been configured.
none: Does not perform any authorization exchange. In this case, an authenticated LAN user can access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
This command is supported only on SAP interface modules that are operating in Layer 2 mode.
The specified RADIUS scheme must have been configured.
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. After passing authentication, FTP users can access the root directory of the device, and other login users can access only the commands of Level 0.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Default command level
2: System level

Parameters
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated portal user can access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
The specified RADIUS scheme must have been configured.
Default command level
2: System level

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated PPP user can access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Views
ISP domain view

Default command level
2: System level

Parameters
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
The following matrix shows the command and router compatibility:

Command                 6602   HSR6602   6604/6608/6616
authorization ssl-vpn   Yes    Yes       No

The specified RADIUS scheme must have been configured.
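The login-side commands above (authentication login, authorization login, accounting login, authentication super, authorization command, accounting command) are meant to be combined in one ISP domain. The following worked configuration is an added example and is not taken from this reference: it places administrators in a domain backed by an HWTACACS server with local fallback, sends privilege-level switching and per-command authorization and accounting to the same server, makes the domain the default for usernames typed without @domain, and caps concurrent sessions. The server address 10.1.1.2, the shared key, the scheme name hwtac and the domain name admins are assumptions. The HWTACACS scheme view commands (primary authentication/authorization/accounting, key, user-name-format) are documented in the HWTACACS section of this reference and the key is entered here in its bare form; the user interface view commands (authentication-mode scheme, command authorization, command accounting) come from the Fundamentals Command Reference.

```text
# Added example (not from this reference). Addresses, key and names are assumed.
system-view

# 1. HWTACACS scheme: one server (TCP 49) for authentication, authorization and accounting.
[Sysname] hwtacacs scheme hwtac
[Sysname-hwtacacs-hwtac] primary authentication 10.1.1.2 49
[Sysname-hwtacacs-hwtac] primary authorization 10.1.1.2 49
[Sysname-hwtacacs-hwtac] primary accounting 10.1.1.2 49
[Sysname-hwtacacs-hwtac] key authentication Tac-Sh4red-Key
[Sysname-hwtacacs-hwtac] key authorization Tac-Sh4red-Key
[Sysname-hwtacacs-hwtac] key accounting Tac-Sh4red-Key
[Sysname-hwtacacs-hwtac] user-name-format without-domain
[Sysname-hwtacacs-hwtac] quit

# 2. ISP domain for administrators. The trailing "local" is a backup used only
#    when the HWTACACS server does not respond; a server reject is final.
#    Never use "none" here: it would admit any login user without checking.
[Sysname] domain admins
[Sysname-isp-admins] authentication login hwtacacs-scheme hwtac local
[Sysname-isp-admins] authorization login hwtacacs-scheme hwtac local
[Sysname-isp-admins] accounting login hwtacacs-scheme hwtac local
# Per-command authorization and accounting for the CLI session
[Sysname-isp-admins] authorization command hwtacacs-scheme hwtac local
[Sysname-isp-admins] accounting command hwtacacs-scheme hwtac
# Privilege level switching (super) is authenticated by the server as well
[Sysname-isp-admins] authentication super hwtacacs-scheme hwtac
# Cap concurrent online users of this domain
[Sysname-isp-admins] access-limit enable 10
[Sysname-isp-admins] quit

# 3. Usernames entered without @domain are mapped to this domain.
#    This applies to every access type, not only login users.
[Sysname] domain default enable admins

# 4. VTY lines must use scheme authentication and request per-command
#    authorization and accounting, or steps 2 and 3 have no effect on them.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode scheme
[Sysname-ui-vty0-4] command authorization
[Sysname-ui-vty0-4] command accounting
[Sysname-ui-vty0-4] quit

# 5. Check the result
[Sysname] display domain admins
[Sysname] display connection domain admins
```

The local fallback only works if a local account with service-type telnet or ssh and a suitable authorization-attribute level exists (see the local user configuration commands); test it by stopping the HWTACACS server, not by entering a wrong password, because a reject from the server is not retried locally.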
Parameters
profile-name: Name of the user profile, a case-sensitive string of 1 to 31 characters. For more information about user profile configuration, see Security Configuration Guide.

Usage guidelines
After a user of an ISP domain passes authentication, if the server (or the access device in the case of local authentication) does not authorize any user profile to the ISP domain, the system uses the user profile specified by the authorization-attribute user-profile command as that of the ISP domain.
ucibindex ucib-index: Specifies the user connection that uses the connection index, in the range of 0 to 4294967295.
user-name user-name: Specifies the user connections that use the username. The user-name argument is a case-sensitive string of 1 to 80 characters. For a username entered without a domain name, the system assumes that the user is in the default domain or the mandatory authentication domain.
Default command level
1: Monitor level

Parameters
access-type: Specifies the user connections of the specified access type.
• dot1x: Indicates 802.1X authentication. This keyword is supported only on the SAP interface modules that are operating in Layer 2 mode.
• mac-authentication: Indicates MAC address authentication. This keyword is supported only on the SAP interface modules that are operating in Layer 2 mode.
• portal: Indicates portal authentication.
authentication, authorization, and accounting for users who access the interface through the specified access type. To display connections of such users, use the display connection domain isp-name command and specify the mandatory authentication domain.
Slot: 0
 Index=0   , Username=telnet@system
 IP=10.0.0.1
 IPv6=N/A
 Access=Admin    ,AuthMethod=PAP
 Port Type=Virtual ,Port Name=N/A
 ACL Group=Disable
 User Profile=N/A
 CAR=Disable
 Priority=Disable
 SessionTimeout=60(s), Terminate-Action=Radius-Request
 Start=2009-07-16 10:53:03 ,Current=2009-07-16 10:57:06 ,Online=00h04m03s
 Total 1 connection matched.
Slot: 1
 Total 0 connection matched.
Slot: 2
 Total 0 connection matched.
display domain

Use display domain to display the configuration of ISP domains.

Syntax
display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
isp-name: Name of an existing ISP domain, a string of 1 to 24 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
  Lan-access authorization scheme : hwtacacs:hw, local
  Lan-access accounting scheme    : local
  Domain User Template:
   Idle-cut      : Disabled
   Session-time  : exclude-idle-time
   Self-service  : Disabled
   Authorization attributes :
    User-profile : profile1

Default Domain Name: system
Total 2 domain(s).

Table 2 Command output
Field    Description
Domain   ISP domain name.
State    Status of the ISP domain: active or blocked.
Field                      Description
Authorization attributes   Default authorization attributes for the ISP domain.
User-profile               Default authorization user profile.

Related commands
• access-limit enable
• domain
• state

domain

Use domain to create an ISP domain and enter ISP domain view.
Use undo domain to remove an ISP domain.

Syntax
domain isp-name
undo domain isp-name

Default
There is a system predefined ISP domain named system in the system.
domain default enable

Use domain default enable to specify the default ISP domain. Users without any domain name carried in their usernames are considered to be in the default domain.
Use undo domain default enable to restore the default.

Syntax
domain default enable isp-name
undo domain default enable

Default
The default ISP domain is the system predefined ISP domain system.
undo domain if-unknown

Default
No ISP domain is specified for users with unknown domain names.

Views
System view

Default command level
3: Manage level

Parameters
isp-name: Specifies an ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain the slash (/), backslash (\), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), quotation marks ("), or at sign (@).
Views
ISP domain view

Default command level
2: System level

Parameters
minute: Idle timeout period, in the range of 1 to 600 minutes.
flow: Minimum traffic during the idle timeout period, in bytes. It ranges from 1 to 10240000 and defaults to 10240.
low-ip-address and high-ip-address: Start and end IP addresses of the address pool. Up to 1024 addresses are allowed for an address pool. If you do not specify the end IP address, the pool contains only one IP address, the start IP address.

Usage guidelines
You can also configure an address pool for PPP users in system view. An IP address pool configured in system view is used to assign IP addresses to PPP users who do not need to be authenticated.
Usage guidelines
The following matrix shows the command and router compatibility:

Command         6602   HSR6602   6604/6608/6616
nas device-id   Yes    No        No

Configuring or changing the device ID of a device logs out all online users of the device.
The two devices working in stateful failover mode must use the device IDs 1 and 2. The device ID is the symbol for stateful failover mode. A router operating in standalone mode does not require any device ID.
system-view
[Sysname] aaa nas-id profile aaa
[Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2

Related commands
aaa nas-id profile

self-service-url enable

Use self-service-url enable to enable the self-service server location function and specify the URL of the self-service server.
Use undo self-service-url enable to restore the default.

Syntax
self-service-url enable url-string
undo self-service-url enable

Default
The self-service server location function is disabled.
undo session-time include-idle-time

Default
The user online time uploaded to the server excludes the idle cut time.

Views
ISP domain view

Default command level
2: System level

Usage guidelines
The device uploads the online time of a user to the server when the user is logged off. However, the online time of an abnormally logged-off user can contain an idle timeout interval or a detection interval when the idle cut function or online portal user detection is enabled.
Usage guidelines
Blocking an ISP domain prevents offline users of the domain from requesting network services. Users who are already online are not affected; to terminate their sessions as well, use cut connection domain isp-name (see the cut connection command).

Examples
# Place the ISP domain test in the blocked state.
system-view
[Sysname] domain test
[Sysname-isp-test] state block

Local user configuration commands

access-limit

Use access-limit to limit the number of concurrent users of the same local user account.
Use undo access-limit to remove the limitation.
authorization-attribute

Use authorization-attribute to configure authorization attributes for the local user or user group. After the local user or a local user of the user group passes authentication, the device assigns these attributes to the user.
Use undo authorization-attribute to remove authorization attributes and restore the defaults.
commands. For more information, see Network Management and Monitoring Command Reference.
vlan vlan-id: Specifies the authorized VLAN, where vlan-id ranges from 1 to 4094. After passing authentication, a local user can access the resources in this VLAN.
work-directory directory-name: Specifies the work directory, if the user or users use the FTP or SFTP service. The directory-name argument is a case-insensitive string of 1 to 135 characters. The directory must already exist.
Views
Local user view

Default command level
3: Manage level

Parameters
call-number call-number: Specifies a calling number for ISDN user authentication. The call-number argument is a string of 1 to 64 characters. This option applies only to PPP users.
subcall-number: Specifies the sub-calling number. The total length of the calling number and the sub-calling number cannot be more than 62 characters.
ip ip-address: Specifies the IP address of the user.
Parameters
idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled.
service-type: Specifies the local users who use a specified type of service.
• dvpn: DVPN tunnel users.
• ftp: FTP users. This keyword is not supported in FIPS mode.
• lan-access: Users accessing the network through Ethernet, such as 802.1X users. This keyword is supported only on SAP interface modules.
• portal: Portal users.
• ppp: PPP users.
• ssh: SSH users.
Examples
# On the 6602 router, display information about all local users.
display local-user
The contents of local user abc:
 State:                  Active
 ServiceType:            ppp
 Access-limit:           Enabled
 Max AccessNum:          300
 User-group:             system
 Current AccessNum:      0
 Bind attributes:
  IP address:            1.2.3.
Field                  Description
Expiration date        Expiration time of the local user.
Password aging         Aging time of the local user password.
Password length        Minimum length of the local user password.
Password composition   Password composition policy of the local user.

# On the HSR6602/6604/6608/6616 router, display the information of local user bbb on the card installed in slot 0.
Field                      Description
VLAN ID                    VLAN to which the local user is bound.
User Profile               User profile for local user authorization.
Calling Number             Calling number of the ISDN user.
Authorization attributes   Authorization attributes of the local user.
Idle TimeOut               Idle timeout period of the user, in minutes.
Callback-number            Authorized PPP callback number of the local user.
Work Directory             Directory accessible to the FTP user.
VLAN ID                    Authorized VLAN of the local user.
display user-group abc
The contents of user group abc:
 Authorization attributes:
  Idle-cut:              120(min)
  Work Directory:        cfa0:
  Level:                 1
  Acl Number:            2000
  Vlan ID:               1
  User-Profile:          1
  Callback-number:       1
 Password aging:         Enabled (1 days)
 Password length:        Enabled (4 characters)
 Password composition:   Enabled (1 types, 1 characters per type)
Total 1 user group(s) matched.

Table 5 Command output
Field      Description
Idle-cut   Idle timeout interval, in minutes.
Default command level
3: Manage level

Parameters
time: Expiration time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where HH ranges from 0 to 23, and MM and SS range from 0 to 59. MM/DD/YYYY or YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and the range of DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted.
[Sysname] local-user 111
[Sysname-luser-111] group abc

group-attribute allow-guest

Use group-attribute allow-guest to set the guest attribute for a user group so that guest users created by a guest manager through the Web interface can join the group.
Use undo group-attribute allow-guest to restore the default.
Default command level
3: Manage level

Parameters
user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain any backslash (\), forward slash (/), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@), and cannot be a, al, or all.
all: Specifies all users.
service-type: Specifies the users of a type.
• ftp: FTP users.
Views
Local user view

Default command level
2: System level

Parameters
hash: Enables hash-based encryption.
cipher: Sets a ciphertext password.
simple: Sets a plaintext password.
password: Specifies the password string. This argument is case sensitive. If hash is not specified, a ciphertext password must be a string of 1 to 117 characters and a plaintext password must be a string of 1 to 63 characters.
service-type

Use service-type to specify the service types that a user can use.
Use undo service-type to delete one or all service types configured for a user.

Syntax
service-type { dvpn | ftp | lan-access | { ssh | telnet | terminal } * | portal | ppp | web }
undo service-type { dvpn | ftp | lan-access | { ssh | telnet | terminal } * | portal | ppp | web }

Default
A user is authorized with no service.
state (local user view)

Use state to set the status of a local user.
Use undo state to restore the default.

Syntax
state { active | block }
undo state

Default
A local user is in active state.

Views
Local user view

Default command level
2: System level

Parameters
active: Places the local user in active state to allow the local user to request network services.
block: Places the local user in blocked state to prevent the local user from requesting network services.
Parameters
group-name: User group name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Configurable user attributes include password control attributes and authorization attributes.
A user group with one or more local users cannot be removed.
system time is between the validity time and the expiration time. If it is, the device permits the user to access the network. Otherwise, the device denies the access request of the user.

Examples
# Set the validity time of user abc to 12:10:20 on April 30, 2008, and set the expiration time to 12:10:20 on May 31, 2008.
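The local user commands in this section (user-group, local-user, password, service-type, authorization-attribute, access-limit, group, validity-date, expiration-date, state) are usually applied together when an account is provisioned and again when it is retired. The following is an added worked example and is not from this reference: it builds a user group that carries the privilege level and password control attributes, creates a time-boxed SSH account in that group limited to one concurrent session, and later locks the account and cuts its live session. The names ops and ops1, the password and the dates are assumptions. The password-control enable and user group view password-control commands are documented in the password control section of this reference; the password is entered with simple here for readability, and the hash keyword documented under the password command should be preferred so that the stored form is a hash rather than reversible ciphertext.

```text
# Added example (not from this reference). Names, password and dates are assumed.
system-view

# 1. Password control attributes on users and groups only take effect once the
#    global feature is on.
[Sysname] password-control enable

# 2. Group carrying the attributes every operator account inherits.
[Sysname] user-group ops
[Sysname-ugroup-ops] authorization-attribute level 2
[Sysname-ugroup-ops] password-control aging 60
[Sysname-ugroup-ops] password-control length 12
[Sysname-ugroup-ops] password-control composition type-number 3 type-length 2
[Sysname-ugroup-ops] quit

# 3. Time-boxed SSH account. Without service-type the account can do nothing
#    (the default is "no service"), so grant only what is needed: ssh, not
#    ssh telnet terminal ftp. Dates use the YYYY/MM/DD-HH:MM:SS form; the
#    account is usable only while the system clock is inside the window.
[Sysname] local-user ops1
[Sysname-luser-ops1] password simple Op3rat0r-Pass-2013
[Sysname-luser-ops1] service-type ssh
[Sysname-luser-ops1] group ops
[Sysname-luser-ops1] access-limit 1
[Sysname-luser-ops1] validity-date 2013/07/01-00:00:00
[Sysname-luser-ops1] expiration-date 2013/12/31-23:59:59
[Sysname-luser-ops1] quit

# 4. Verify what the device will actually enforce.
[Sysname] display user-group ops
[Sysname] display local-user user-name ops1

# 5. Retiring the account: block it so it cannot log in again, then cut any
#    session that is still up. A username given to cut connection without a
#    domain is looked up in the default domain.
[Sysname] local-user ops1
[Sysname-luser-ops1] state block
[Sysname-luser-ops1] quit
[Sysname] cut connection user-name ops1
[Sysname] display connection user-name ops1
```

Keep the group attributes and the per-user attributes from disagreeing: a level set directly on the user with authorization-attribute level overrides the group value, so check display local-user rather than display user-group when you need to know what an individual account will get.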
Examples
# Enable the accounting-on feature for RADIUS authentication scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] accounting-on enable interval 5 send 15

Related commands
radius scheme

attribute 25 car

Use attribute 25 car to specify the device to interpret the RADIUS class attribute (attribute 25) as CAR parameters.
Use undo attribute 25 car to restore the default.
Default
The unit for data flows is byte and that for data packets is one-packet.

Views
RADIUS scheme view

Default command level
2: System level

Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
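accounting-on enable and data-flow-format are tuning knobs on a RADIUS scheme that also needs servers, keys and retry timers before it does anything. The following is an added worked example and not from this reference: it builds a scheme whose timer and retry values match the display radius scheme output shown below in this section (response timeout 3 s, 3 retries, real-time accounting every 12 minutes with 5 retries, 500 stop-accounting retries, 5 minute quiet interval, usernames without domain) so the output can be checked against it, enables accounting-on, and binds the scheme to a PPP user domain with no local fallback. The server addresses 10.1.1.1 and 10.1.1.3, the shared key, the NAS IP 1.1.1.1 and the names rd and ppp-users are assumptions; the server, key, timer and retry commands are documented in the RADIUS section of this reference, and the key is entered here in its bare form.

```text
# Added example (not from this reference). Addresses, key and names are assumed.
system-view

# 1. RADIUS scheme with a primary and a secondary server.
[Sysname] radius scheme rd
[Sysname-radius-rd] server-type standard
[Sysname-radius-rd] primary authentication 10.1.1.1 1812
[Sysname-radius-rd] primary accounting 10.1.1.1 1813
[Sysname-radius-rd] secondary authentication 10.1.1.3 1812
[Sysname-radius-rd] secondary accounting 10.1.1.3 1813
[Sysname-radius-rd] key authentication Rad-Sh4red-Key
[Sysname-radius-rd] key accounting Rad-Sh4red-Key
# Source address the server must have as its NAS client entry
[Sysname-radius-rd] nas-ip 1.1.1.1
# The server sees "user", not "user@ppp-users"
[Sysname-radius-rd] user-name-format without-domain

# 2. Timers and retries. The values below are the ones shown in the
#    display radius scheme output further down.
[Sysname-radius-rd] timer response-timeout 3
[Sysname-radius-rd] retry 3
[Sysname-radius-rd] timer quiet 5
[Sysname-radius-rd] timer realtime-accounting 12
[Sysname-radius-rd] retry realtime-accounting 5
[Sysname-radius-rd] retry stop-accounting 500

# 3. Accounting-on: after a reboot the device tells the server to clear the
#    sessions it still holds for this NAS, so stale entries do not block logins.
[Sysname-radius-rd] accounting-on enable interval 5 send 15

# 4. Units must match what the accounting server expects; a mismatch silently
#    scales every volume counter it receives.
[Sysname-radius-rd] data-flow-format data kilo-byte packet one-packet
[Sysname-radius-rd] quit

# 5. Domain for PPP users. No trailing "local": if both servers are down the
#    users are refused rather than admitted. accounting optional is left at
#    its default (disabled), so a session whose accounting cannot start is
#    dropped instead of running unrecorded.
[Sysname] domain ppp-users
[Sysname-isp-ppp-users] authentication ppp radius-scheme rd
[Sysname-isp-ppp-users] authorization ppp radius-scheme rd
[Sysname-isp-ppp-users] accounting ppp radius-scheme rd
[Sysname-isp-ppp-users] quit

# 6. Verify, then watch the counters while a test user connects.
[Sysname] display radius scheme rd
[Sysname] reset radius statistics
[Sysname] display radius statistics
```

In display radius statistics, a rising Auth reject count with a constant Auth accept count after a change usually means the shared key or user-name-format no longer matches the server; a rising PKT auth timeout count with nothing rejected means the server is unreachable or the NAS IP is not the one registered on it.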
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines
The following matrix shows the option and router compatibility:

Option             6602   HSR6602   6604/6608/6616
slot slot-number   No     Yes       Yes

If you do not specify any RADIUS scheme, the command displays the configuration of all RADIUS schemes.
  VPN instance                                       : N/A
  Accounting-On packet disable, send times           : 50 , interval : 3s
  Interval for timeout(second)                       : 3
  Retransmission times for timeout                   : 3
  Interval for realtime accounting(minute)           : 12
  Retransmission times of realtime-accounting packet : 5
  Retransmission times of stop-accounting packet     : 500
  Quiet-interval(min)                                : 5
  Username format                                    : without-domain
  Data flow unit                                     : Byte
  Packet unit                                        : one
  NAS-IP address                                     : 1.1.1.
Field                         Description
Acct Server Encryption Key    Shared key for secure accounting communication, displayed as a series of asterisks (******). If no shared key is configured, this field displays N/A.
VPN instance                  MPLS L3VPN to which the scheme belongs. If no VPN instance is specified for the scheme, this field displays N/A.
Accounting-On packet disable  The accounting-on feature is disabled.
send times                    Retransmission times of accounting-on packets.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
RADIUS sent messages statistic:
Auth accept          Num = 10
Auth reject          Num = 14
Auth continue        Num = 0
Account success      Num = 4
Account failure      Num = 3
Server ctrl req      Num = 0
RecError_MSG_sum = 0
SndMSG_Fail_sum = 0
Timer_Err = 0
Alloc_Mem_Err = 0
State Mismatch = 0
Other_Error = 0
No-response-acct-stop packet = 1
Discarded No-response-acct-stop packet for buffer overflow = 0
Table 7 Command output
Field              Description
state statistic    User statistics, by state.
DEAD               Number of idle users.
Field                                Description
RADIUS received messages statistic   Statistics for received RADIUS messages.
Normal auth request                  Counts of normal authentication requests.
Auth request                         Counts of normal authentication requests.
Account request                      Counts of accounting requests.
Account off request                  Counts of stop-accounting requests.
PKT auth timeout                     Counts of authentication timeout messages.
PKT acct_timeout                     Counts of accounting timeout messages.
Realtime Account timer               Counts of real-time accounting requests.
AcctStart = 0
RLTSend = 0
RLTWait = 0
AcctStop = 0
OnLine = 0
Stop = 0
StateErr = 0
Received and Sent packets statistic:
Sent PKT total = 1547
Received PKT total = 23
Resend Times    Resend total
1               508
2               508
Total           1016
RADIUS received packets statistic:
Code = 2     Num = 15    Err = 0
Code = 3     Num = 4     Err = 0
Code = 5     Num = 4     Err = 0
Code = 11    Num = 0     Err = 0
Running statistic:
RADIUS received messages statistic:
Auth request       Num = 24    Err = 0    Succ = 24
Account request    Num = 4     Er
Table 8 Command output
Field              Description
slot               Number of the slot in which the card resides.
state statistic    User statistics, by state.
DEAD               Number of idle users.
AuthProc           Number of users waiting for authentication.
AuthSucc           Number of users who have passed authentication.
AcctStart          Number of users for whom accounting has been started.
RLTSend            Number of users for whom the system sends real-time accounting packets.
RLTWait            Number of users waiting for real-time accounting.
Field                             Description
Accounting on request             Counts of accounting-on requests.
Accounting on response            Counts of accounting-on responses.
Dynamic Author Ext request        Counts of dynamic authorization extension requests.
RADIUS sent messages statistic    Statistics for sent RADIUS messages.
Auth accept                       Number of accepted authentication packets.
Auth reject                       Number of rejected authentication packets.
Auth continue                     Number of authentication-continue packets received.
session-id session-id: Specifies the stop-accounting requests buffered for a session. The session ID is a string of 1 to 50 characters.
time-range start-time stop-time: Specifies the stop-accounting requests buffered in a time range. The start time and end time must be in the format HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD.
user-name user-name: Specifies the stop-accounting requests buffered for a user. The username is a case-sensitive string of 1 to 80 characters.
• user-name-format
• retry
• retry stop-accounting
key (RADIUS scheme view)
Use key to set the shared key for secure RADIUS authentication/authorization or accounting communication. Use undo key to remove the configuration.
Syntax
key { accounting | authentication } [ cipher | simple ] key
undo key { accounting | authentication }
Default
No shared key is configured.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting ok
# For RADIUS scheme radius1, set the shared key for secure authentication/authorization communication to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in cipher text.
The setting configured by the nas-backup-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas the setting configured by the radius nas-backup-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence.
Examples
# For a device working in stateful failover mode, set the source IP address and backup source IP address for outgoing RADIUS packets to 2.2.2.2 and 3.3.3.3, respectively.
The source IP address specified for outgoing RADIUS packets must be of the same IP version as the IP addresses of the RADIUS servers in the RADIUS scheme. Otherwise, the source IP address configuration does not take effect. A RADIUS scheme can have only one source IP address for outgoing RADIUS packets. If you specify a new source IP address for the same RADIUS scheme, the new one overwrites the old one.
• cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 117 characters.
• simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 64 characters.
• If neither cipher nor simple is specified, you set a plaintext shared key string.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
undo primary authentication
Default
No primary RADIUS authentication/authorization server is specified.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication/authorization server.
ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication/authorization server, which must be a valid global unicast address.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme. If you remove the primary authentication server when an authentication process is in progress, the communication with the primary server times out, and the device looks for a server in active state from the new primary server on.
undo radius client
Default
The RADIUS client service is enabled.
Views
System view
Default command level
2: System level
Usage guidelines
When the RADIUS client service is disabled, the following events occur:
• No more stop-accounting requests of online users can be sent out or buffered, and the RADIUS server can no longer receive logoff requests from online users. After a user goes offline, the RADIUS server still has the user's record during a certain period of time.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the backup source IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. With a VPN specified, the command specifies a private-network backup source IP address. With no VPN specified, the command specifies a public-network backup source IP address.
Default command level
2: System level
Parameters
ipv4-address: IPv4 address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address.
ipv6 ipv6-address: Specifies an IPv6 address. It must be a unicast address of the device and cannot be a link-local address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IPv4 address belongs.
Default command level
3: Manage level
Parameters
radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A RADIUS scheme can be referenced by more than one ISP domain at the same time. A RADIUS scheme referenced by ISP domains cannot be removed.
Examples
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
• When the status of a RADIUS server changes. If a NAS sends a request but receives no response before the maximum number of attempts is exceeded, it places the server in the blocked state and sends a trap message. If a NAS receives a response from a RADIUS server it considered unreachable, it considers that the RADIUS server is reachable again and also sends a trap message.
Syntax
reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ]
Views
User view
Default command level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in a RADIUS scheme. The RADIUS scheme name is a case-insensitive string of 1 to 32 characters.
Syntax
retry retry-times
undo retry
Default
The maximum number of RADIUS packet transmission attempts is 3.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
retry-times: Maximum number of RADIUS packet transmission attempts, ranging from 1 to 20.
Usage guidelines
Because RADIUS uses UDP packets to transmit data, the communication is not reliable.
Default command level
2: System level
Parameters
retry-times: Maximum number of accounting attempts, ranging from 1 to 255.
Usage guidelines
A RADIUS server usually checks whether a user is online by using a timeout timer. If it receives no real-time accounting request for a user in the timeout period from the NAS, it considers that there may be line or device failures and stops accounting for the user. This may happen when some unexpected failure occurs.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
retry-times: Maximum number of stop-accounting request transmission attempts, ranging from 10 to 65535.
Usage guidelines
The maximum number of stop-accounting request transmission attempts, together with some other parameters, controls how the NAS deals with stop-accounting request packets.
Default command level
2: System level
Parameters
ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS accounting server, which must be a valid global unicast address.
port-number: Specifies the service port number of the secondary RADIUS accounting server, which is a UDP port number ranging from 1 to 65535 and defaults to 1813.
Examples
# For RADIUS scheme radius1, specify two secondary accounting servers with the server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1813. Set the shared keys to hello in plain text.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813 key hello
[Sysname-radius-radius1] secondary accounting 10.110.1.2 1813 key hello
# For RADIUS scheme radius2, set the IP address of the secondary accounting server to 10.110.1.
• cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 117 characters.
• simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 64 characters.
• If neither cipher nor simple is specified, you set a plaintext shared key string.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS authentication/authorization server belongs.
For 802.1X authentication, if the status of every server is block, the device assigns the port connected to an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X critical VLAN, see Security Configuration Guide. To make sure the device can set the server to its actual status, set a longer quiet timer for the secondary server with the timer quiet command. If you set a short quiet timer and configure 802.
Default command level
2: System level
Parameters
ip-address: Specifies a security policy server by its IP address.
all: Specifies all security policy servers.
Usage guidelines
You can specify up to eight security policy servers for a RADIUS scheme. You can change security policy servers for a RADIUS scheme only when no user is using the scheme.
Examples
# Specify security policy server 10.110.1.2 for RADIUS scheme radius1.
state primary
Use state primary to set the status of a primary RADIUS server.
Syntax
state primary { accounting | authentication } { active | block }
Default
The primary RADIUS server specified for a RADIUS scheme is in active state.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
accounting: Sets the status of the primary RADIUS accounting server.
authentication: Sets the status of the primary RADIUS authentication/authorization server.
Default
Every secondary RADIUS server specified in a RADIUS scheme is in active state.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
accounting: Sets the status of the secondary RADIUS accounting server.
authentication: Sets the status of the secondary RADIUS authentication/authorization server.
ip ipv4-address: Specifies the IPv4 address of the secondary RADIUS server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS server.
Default
The device buffers stop-accounting requests to which no responses are received.
Views
RADIUS scheme view
Default command level
2: System level
Usage guidelines
Stop-accounting requests affect the charge to users. A NAS must make its best effort to send every stop-accounting request to the RADIUS accounting servers.
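The following Python model ties together the stop-accounting buffer described here, the retry stop-accounting attempt limit (10 to 65535), and the selectors of reset stop-accounting-buffer (radius-scheme, session-id, time-range in either HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD form, user-name). It is an added illustration, not code from this manual or from the router software; the sample requests, the scheme and user names, and the server_responded hook that stands in for the RADIUS transport are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Both time formats that reset stop-accounting-buffer accepts for time-range.
TIME_FORMATS = ("%H:%M:%S-%m/%d/%Y", "%H:%M:%S-%Y/%m/%d")


def parse_time(text):
    """Parse HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD into a datetime."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("time must be HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD: %r" % text)


@dataclass
class BufferedStopRequest:
    scheme: str            # RADIUS scheme the request is destined for (case-insensitive name)
    session_id: str        # 1 to 50 characters
    user_name: str         # case-sensitive, 1 to 80 characters
    buffered_at: datetime
    attempts: int = 0      # transmission attempts made so far


@dataclass
class StopAccountingBuffer:
    max_attempts: int                             # retry stop-accounting value, 10 to 65535
    entries: list = field(default_factory=list)

    def __post_init__(self):
        if not 10 <= self.max_attempts <= 65535:
            raise ValueError("retry stop-accounting accepts 10 to 65535")

    def buffer(self, request):
        self.entries.append(request)

    def retransmit_round(self, server_responded):
        """One retransmission pass. server_responded(request) -> bool is a
        hypothetical hook standing in for the RADIUS transport. Answered
        requests leave the buffer; unanswered ones are dropped once the
        attempt limit is reached. Returns the number of requests dropped."""
        kept, dropped = [], 0
        for request in self.entries:
            request.attempts += 1
            if server_responded(request):
                continue
            if request.attempts >= self.max_attempts:
                dropped += 1
                continue
            kept.append(request)
        self.entries = kept
        return dropped

    def reset(self, scheme=None, session_id=None, time_range=None, user_name=None):
        """Mirror reset stop-accounting-buffer: exactly one selector is given;
        returns the number of buffered requests cleared."""
        selectors = (scheme, session_id, time_range, user_name)
        if sum(s is not None for s in selectors) != 1:
            raise ValueError("specify exactly one of radius-scheme, session-id, time-range, user-name")
        if time_range is not None:
            start, stop = (parse_time(t) for t in time_range)

        def matches(request):
            if scheme is not None:        # scheme names are case-insensitive
                return request.scheme.lower() == scheme.lower()
            if session_id is not None:
                return request.session_id == session_id
            if user_name is not None:     # usernames are case-sensitive
                return request.user_name == user_name
            return start <= request.buffered_at <= stop

        before = len(self.entries)
        self.entries = [r for r in self.entries if not matches(r)]
        return before - len(self.entries)


def sample_buffer():
    """Constructed sample data: three buffered requests across two schemes."""
    buf = StopAccountingBuffer(max_attempts=10)
    buf.buffer(BufferedStopRequest("radius1", "sess-1", "alice", parse_time("10:00:00-06/28/2013")))
    buf.buffer(BufferedStopRequest("RADIUS1", "sess-2", "Bob", parse_time("11:30:00-2013/06/28")))
    buf.buffer(BufferedStopRequest("radius2", "sess-3", "alice", parse_time("23:59:59-2013/06/27")))
    return buf
```

With sample_buffer(), reset(scheme="Radius1") clears the two radius1 entries regardless of the case they were stored in, reset(user_name="alice") clears sess-1 and sess-3 only, and a request that never gets a response is discarded on the tenth retransmit_round when max_attempts is 10.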
Usage guidelines The quiet timer controls whether the device changes the status of an unreachable server from active to blocked and how long the device keeps an unreachable server in blocked state. If you determine that the primary server is unreachable because the device's port connected to the server is out of service temporarily or the server is busy, you can set the server quiet period to 0 so that the device uses the primary server whenever possible. Be sure to set the server quiet timer properly.
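The server status behaviour described for the quiet timer, together with the retry count, the response timeout and the "all servers blocked" condition that drives the 802.1X critical VLAN, can be followed with the small Python model below. It is an added illustration rather than code from this manual or the router software: the simulated clock, the reachable hook that stands in for the UDP exchange, and the trap strings are constructed for the example; the retry and quiet defaults follow the values the manual gives for retry (3) and the quiet timer (5 minutes).

```python
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    name: str
    status: str = "active"      # "active" or "block", as in the state commands
    blocked_at: float = None    # simulated clock value at which it was blocked


@dataclass
class RadiusScheme:
    servers: list               # primary first, then secondaries
    retry: int = 3              # retry: transmission attempts per server (1 to 20)
    response_timeout: int = 3   # timer response-timeout, in seconds
    quiet_minutes: int = 5      # timer quiet; 0 means never keep the server blocked
    traps: list = field(default_factory=list)

    def _expire_quiet_timers(self, now):
        """A blocked server returns to active once its quiet timer expires."""
        for s in self.servers:
            if s.status == "block" and now - s.blocked_at >= self.quiet_minutes * 60:
                s.status, s.blocked_at = "active", None

    def send(self, now, reachable):
        """Send one request. reachable(server) -> bool is a hypothetical hook
        standing in for the UDP exchange. Returns (server name or None,
        seconds spent waiting on response timeouts)."""
        self._expire_quiet_timers(now)
        spent = 0
        for s in self.servers:
            if s.status == "block":
                continue
            for _ in range(self.retry):
                if reachable(s):
                    return s.name, spent
                spent += self.response_timeout
            # Attempts exhausted: block the server (unless quiet is 0) and trap.
            if self.quiet_minutes > 0:
                s.status, s.blocked_at = "block", now + spent
            self.traps.append(f"{s.name} unreachable")
        return None, spent

    def response_received(self, name):
        """A reply from a server the NAS considered unreachable makes it
        active again and also generates a trap."""
        for s in self.servers:
            if s.name == name and s.status == "block":
                s.status, s.blocked_at = "active", None
                self.traps.append(f"{name} reachable again")

    def all_blocked(self):
        """True when every server is blocked; for 802.1X this is the condition
        under which the port is assigned to the critical VLAN."""
        return all(s.status == "block" for s in self.servers)


def worst_case_wait(retry, response_timeout, server_count):
    """Longest a request waits before every server has been declared unreachable."""
    return retry * response_timeout * server_count
```

With retry 3 and timer response-timeout 5, a request whose primary server is down waits 15 seconds before the secondary answers it, the primary is blocked for the 5-minute quiet period, and a request 400 seconds later goes to the primary again. With the quiet timer set to 0 the primary is never blocked, which is the behaviour the guideline above recommends for transient outages.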
Different real-time accounting intervals impose different performance requirements on the NAS and the RADIUS server. A shorter interval helps achieve higher accounting precision but requires higher performance. Use a longer interval when there are a large number of users (1000 or more).
Examples
# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer response-timeout 5
Related commands
retry
user-name-format (RADIUS scheme view)
Use user-name-format to specify the format of the username to be sent to a RADIUS server.
Syntax
user-name-format { keep-original | with-domain | without-domain }
Default
The ISP domain name is included in the username.
vpn-instance (RADIUS scheme view)
Use vpn-instance to specify a VPN instance for a RADIUS scheme. Use undo vpn-instance to remove the configuration.
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
Views
RADIUS scheme view
Default command level
2: System level
Parameters
vpn-instance-name: Name of the MPLS VPN, a case-sensitive string of 1 to 31 characters.
Default command level
2: System level
Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
Usage guidelines
The unit for data flows and that for packets must be consistent with those on the HWTACACS server.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
The following matrix shows the option and router compatibility:
Option              6602    HSR6602    6604/6608/6616
slot slot-number    No      Yes        Yes
If no HWTACACS scheme is specified, the command displays the configuration of all HWTACACS schemes.
Packet traffic-unit : one-packet
--------------------------------------------------------------------
Table 10 Command output
Field                            Description
HWTACACS-server template name    Name of the HWTACACS scheme.
Primary-authentication-server    IP address and port number of the primary authentication server. If no primary authentication server is specified, this field displays 0.0.0.0:0. This rule also applies to the following eight fields.
HWTACACS authen client access request send authentication number: 0
HWTACACS authen client access request send password number: 0
HWTACACS authen client access connect abort number: 0
HWTACACS authen client access connect packet number: 5
HWTACACS authen client access response error number: 0
HWTACACS authen client access response failure number: 0
HWTACACS authen client access response follow number: 0
HWTACACS authen client access response getdata number: 0
HWTACACS authen client access response getpasswo
display stop-accounting-buffer (for HWTACACS)
Use display stop-accounting-buffer to display information about buffered stop-accounting requests.
• retry stop-accounting
hwtacacs nas-ip
Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets. Use undo hwtacacs nas-ip to remove the configuration.
Syntax
hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ]
undo hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ]
Default
The source IP address of a packet sent to the server is the IP address of the outbound interface.
hwtacacs scheme
Use hwtacacs scheme to create an HWTACACS scheme and enter HWTACACS scheme view. Use undo hwtacacs scheme to delete an HWTACACS scheme.
Syntax
hwtacacs scheme hwtacacs-scheme-name
undo hwtacacs scheme hwtacacs-scheme-name
Default
No HWTACACS scheme exists.
Views
System view
Default command level
3: Manage level
Parameters
hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.
Parameters
accounting: Sets the shared key for secure HWTACACS accounting communication.
authentication: Sets the shared key for secure HWTACACS authentication communication.
authorization: Sets the shared key for secure HWTACACS authorization communication.
cipher: Sets a ciphertext shared key.
simple: Sets a plaintext shared key.
key: Specifies the shared key string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 255 characters.
Default
The source IP address of an outgoing HWTACACS packet is configured by the hwtacacs nas-ip command in system view. If the hwtacacs nas-ip command is not configured, the source IP address is the IP address of the outbound interface.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address.
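The address rules stated for radius nas-ip (an IPv4 address of the device that is not 0.0.0.0, 255.255.255.255, class D or class E; or an IPv6 unicast address of the device that is not link-local) and for hwtacacs nas-ip (the same IPv4 rules, IPv4 only) can be checked before a configuration is pushed. The Python validator below is an added example, not code from this manual or the router software; DEVICE_ADDRESSES is a constructed stand-in for the addresses the device actually owns, and the check_nas_ip and check_hwtacacs_nas_ip function names are this example's own.

```python
import ipaddress

# Constructed sample: the addresses this device owns (hypothetical values).
DEVICE_ADDRESSES = {"10.1.1.1", "2.2.2.2", "2001:db8::1", "fe80::1"}

CLASS_D = ipaddress.ip_network("224.0.0.0/4")   # multicast
CLASS_E = ipaddress.ip_network("240.0.0.0/4")   # reserved


def check_nas_ip(candidate, device_addresses=DEVICE_ADDRESSES, ipv6_allowed=True):
    """Apply the rules given for radius nas-ip (IPv4 and IPv6) and hwtacacs
    nas-ip (IPv4 only). Returns (accepted, reason)."""
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return False, "not a valid IP address"
    if addr.version == 4:
        # The explicit checks come first so the reason names the exact rule hit;
        # 255.255.255.255 would otherwise also match the class E block.
        if addr == ipaddress.IPv4Address("0.0.0.0"):
            return False, "0.0.0.0 is not allowed"
        if addr == ipaddress.IPv4Address("255.255.255.255"):
            return False, "255.255.255.255 is not allowed"
        if addr in CLASS_D:
            return False, "class D (multicast) address"
        if addr in CLASS_E:
            return False, "class E (reserved) address"
    else:
        if not ipv6_allowed:
            return False, "hwtacacs nas-ip accepts an IPv4 address only"
        if addr.is_link_local:
            return False, "IPv6 link-local address"
        if addr.is_multicast:
            return False, "IPv6 address is not unicast"
    owned = {ipaddress.ip_address(a) for a in device_addresses}
    if addr not in owned:
        return False, "not an address of the device"
    return True, "ok"


def check_hwtacacs_nas_ip(candidate, device_addresses=DEVICE_ADDRESSES):
    """hwtacacs nas-ip takes an IPv4 address only, with the same exclusions."""
    return check_nas_ip(candidate, device_addresses, ipv6_allowed=False)
```

The device-ownership test is deliberately last: a source address that is syntactically acceptable but not configured on the device is the mistake the guideline about the source IP version and the RADIUS servers is warning against, and the reason string makes that distinct from a reserved address.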
Default command level
2: System level
Parameters
ip-address: IP address of the primary HWTACACS accounting server in dotted decimal notation. The default is 0.0.0.0.
port-number: Service port number of the primary HWTACACS accounting server. It is a TCP port in the range of 1 to 65535 and defaults to 49.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
ip-address: IP address of the primary HWTACACS authentication server in dotted decimal notation. The default is 0.0.0.0.
port-number: Service port number of the primary HWTACACS authentication server. It is a TCP port in the range of 1 to 65535 and defaults to 49.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS authentication server belongs.
Default
No primary HWTACACS authorization server is specified.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
ip-address: IP address of the primary HWTACACS authorization server in dotted decimal notation. The default is 0.0.0.0.
port-number: Service port number of the primary HWTACACS authorization server. It is a TCP port in the range of 1 to 65535 and defaults to 49.
Views
User view
Default command level
1: Monitor level
Parameters
accounting: Specifies the HWTACACS accounting statistics.
all: Specifies all HWTACACS statistics.
authentication: Specifies the HWTACACS authentication statistics.
authorization: Specifies the HWTACACS authorization statistics.
slot slot-number: Specifies the HWTACACS statistics for the card in the specified slot.
Usage guidelines
The following matrix shows the option and router compatibility:
Option              6602    HSR6602    6604/6608/6616
slot slot-number    No      Yes        Yes
Examples
# Clear the stop-accounting requests buffered for HWTACACS scheme hwt1.
secondary accounting (HWTACACS scheme view)
Use secondary accounting to specify a secondary HWTACACS accounting server. Use undo secondary accounting to remove the configuration.
Syntax
secondary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo secondary accounting
Default
No secondary HWTACACS accounting server is specified.
• vpn-instance (HWTACACS scheme view)
secondary authentication (HWTACACS scheme view)
Use secondary authentication to specify a secondary HWTACACS authentication server. Use undo secondary authentication to remove the configuration.
Syntax
secondary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo secondary authentication
Default
No secondary HWTACACS authentication server is specified.
Related commands
• display hwtacacs
• vpn-instance (HWTACACS scheme view)
secondary authorization
Use secondary authorization to specify a secondary HWTACACS authorization server. Use undo secondary authorization to remove the configuration.
Syntax
secondary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo secondary authorization
Default
No secondary HWTACACS authorization server is specified.
Related commands
• display hwtacacs
• vpn-instance (HWTACACS scheme view)
stop-accounting-buffer enable (HWTACACS scheme view)
Use stop-accounting-buffer enable to enable the device to buffer stop-accounting requests to which no responses are received. Use undo stop-accounting-buffer enable to disable the buffering function.
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
Default
The device buffers stop-accounting requests to which no responses are received.
Default
The primary server quiet period is 5 minutes.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
minutes: Primary server quiet period. The value ranges from 1 to 255, in minutes.
Usage guidelines
When the primary server is found unreachable, the device changes the status of the server from active to blocked and keeps the server in blocked state until the quiet timer expires.
Examples
# Set the quiet timer for the primary server to 10 minutes.
Consider the performance of the NAS and the HWTACACS server when you set the real-time accounting interval. A shorter interval requires higher performance. Use a longer interval when there are a large number of users (1000 or more).
Related commands
display hwtacacs
user-name-format (HWTACACS scheme view)
Use user-name-format to specify the format of the username to be sent to an HWTACACS server.
Syntax
user-name-format { keep-original | with-domain | without-domain }
Default
The ISP domain name is included in the username.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
keep-original: Sends the username to the HWTACACS server as it is entered.
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
vpn-instance-name: Name of MPLS L3VPN instance, a case-sensitive string of 1 to 31 characters.
Usage guidelines
The VPN specified here takes effect for all servers in the HWTACACS scheme for which no specific VPN instance is specified.
Examples
# Specify VPN instance test for HWTACACS scheme hwt1.
802.1X commands
802.1X commands are supported only on a SAP module that is operating in bridge mode.
display dot1x
Use display dot1x to display information about 802.1X.
Syntax
display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
sessions: Displays 802.1X session information.
statistics: Displays 802.1X statistics.
EAD quick deploy is enabled
Configuration: Transmit Period    30 s,   Handshake Period
               Quiet Period       60 s,   Quiet Period Timer is disabled
               Supp Timeout       30 s,   Server Timeout      100 s
               The maximal retransmitting times
               Reauth Period      3600 s
EAD quick deploy configuration:
               URL: http://192.168.19.23
               Free IP: 192.168.19.0 255.255.255.0
               EAD timeout: 30m
The maximum 802.1X user resource number is 2048 per slot
Total current used 802.1X resource number is 1
GigabitEthernet3/0/1 is link-up
802.
Table 12 Command output
Field                                  Description
Equipment 802.1X protocol is enabled   Whether 802.1X is enabled globally.
CHAP authentication is enabled         Whether CHAP authentication is enabled.
Proxy trap checker is disabled         Whether the device sends a trap when detecting that a user is accessing the network through a proxy.
Proxy logoff checker is disabled       Whether the device logs off the user when detecting that the user is accessing the network through a proxy.
Field                                 Description
Authenticate Mode is Auto             Authorization state of the port.
Port Control Type is Port-based       Access control method of the port.
802.1X Multicast-trigger is enabled   Whether the 802.1X multicast-trigger function is enabled.
Mandatory authentication domain       Mandatory authentication domain on the port.
Guest VLAN                            802.1X guest VLAN configured on the port. NOT configured is displayed if no guest VLAN is configured.
Auth-fail VLAN                        Auth-Fail VLAN configured on the port.
dot1x
Use dot1x to enable 802.1X. Use undo dot1x to disable 802.1X.
Syntax
In system view:
dot1x [ interface interface-list ]
undo dot1x [ interface interface-list ]
In Ethernet interface view:
dot1x
undo dot1x
Default
802.1X is neither enabled globally nor enabled for any port.
Views
System view, Ethernet interface view
Default command level
2: System level
Parameters
interface interface-list: Specifies a port list, which can contain multiple ports.
Or
system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] dot1x
[Sysname-GigabitEthernet3/0/1] quit
[Sysname] interface gigabitethernet 3/0/5
[Sysname-GigabitEthernet3/0/5] dot1x
[Sysname-GigabitEthernet3/0/5] quit
[Sysname] interface gigabitethernet 3/0/6
[Sysname-GigabitEthernet3/0/6] dot1x
[Sysname-GigabitEthernet3/0/6] quit
[Sysname] interface gigabitethernet 3/0/7
[Sysname-GigabitEthernet3/0/7] dot1x
# Enable 802.1X globally.
• In EAP termination mode—The access device re-encapsulates and sends the authentication data from the client in standard RADIUS packets to the RADIUS server, and performs either CHAP or PAP authentication with the RADIUS server. In this mode the RADIUS server supports only MD5-Challenge EAP authentication, and "username+password" EAP authentication initiated by an iNode client.
• PAP transports usernames and passwords in clear text.
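The difference between PAP and CHAP that the bullets above turn on, namely what an observer of the access device to RADIUS server leg sees, is easiest to appreciate by computing both. The Python below is an added example, not code from this manual or from the router software: it implements the standard RFC 1994 CHAP computation with MD5 (the same digest the EAP MD5-Challenge method uses), Response = MD5(Identifier || Secret || Challenge), against a constructed username, password and challenge. The pap_on_the_wire framing is a simplification for illustration, not the exact RADIUS attribute encoding.

```python
import hashlib
import hmac
import os


def pap_on_the_wire(username, password):
    """PAP: the request carries the password itself, so anyone who can read
    the exchange reads the password. (Simplified framing for illustration.)"""
    return username.encode() + b"\x00" + password.encode()


def chap_challenge(length=16):
    """Server-side challenge: fresh random bytes for every authentication."""
    return os.urandom(length)


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5 (also EAP MD5-Challenge):
    Response = MD5(Identifier || Secret || Challenge).
    Only the 16-byte digest travels on the wire; the secret does not."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, secret, challenge, response):
    """The verifier recomputes the digest, which is why a CHAP/MD5-Challenge
    server must hold the clear-text secret (or an equivalent) rather than a
    one-way password hash."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def compare_exchanges(username, password, challenge=None):
    """Summarise what an observer of both exchanges can see."""
    secret = password.encode()
    challenge = challenge or chap_challenge()
    pap_bytes = pap_on_the_wire(username, password)
    chap_bytes = bytes([1]) + chap_response(1, secret, challenge)   # Identifier 1
    return {
        "pap_exposes_password": secret in pap_bytes,
        "chap_exposes_password": secret in chap_bytes,
        "chap_response_len": len(chap_bytes) - 1,
    }
```

Two consequences follow for the EAP termination mode described above. First, because the challenge changes per authentication, a captured CHAP response cannot be replayed against a later challenge (chap_response with a different challenge yields a different digest). Second, the RADIUS server needs the reversible secret to recompute the digest, so the protection CHAP gives on the wire is paid for in how credentials must be stored on the server.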
Parameters authfail-vlan-id: Specifies the ID of the Auth-Fail VLAN for the port, in the range of 1 to 4094. Make sure that the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide. Usage guidelines You must enable MAC-based VLAN for an Auth-Fail VLAN to take effect on a port that performs MAC-based access control.
Parameters vlan-id: Specifies a VLAN ID in the range of 1 to 4094. Make sure that the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2 — LAN Switching Configuration Guide. Usage guidelines You can configure only one critical VLAN on a port. The MAC authentication critical VLANs on different ports can be different. When you change the access control method from MAC-based to port-based on the port, the mappings between MAC addresses and the 802.
Usage guidelines The dot1x critical recovery-action command takes effect only for the 802.1X users in the critical VLAN on a port. It enables the port to take one of the following actions to trigger 802.1X authentication after removing 802.1X users from the critical VLAN on detection of a reachable RADIUS authentication server: • If MAC-based access control is used, the port sends a unicast Identity EAP/Request to each 802.1X user.
Examples
# Specify the characters @, /, and \ as domain name delimiters.
system-view
[Sysname] dot1x domain-delimiter @\/
dot1x guest-vlan
Use dot1x guest-vlan to configure an 802.1X guest VLAN for the specified or all ports. A guest VLAN on a port accommodates users that have not performed 802.1X authentication. In the guest VLAN, users can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.
To delete a VLAN that has been configured as a guest VLAN, you must remove the guest VLAN configuration first. You can configure both an Auth-Fail VLAN and an 802.1X guest VLAN on a port.
Examples
# Specify VLAN 999 as the 802.1X guest VLAN for port GigabitEthernet 3/0/1.
system-view
[Sysname] dot1x guest-vlan 999 interface gigabitethernet 3/0/1
# Specify VLAN 10 as the 802.1X guest VLAN for ports GigabitEthernet 3/0/2 to GigabitEthernet 3/0/5.
HP recommends that you use the iNode client software to ensure the normal operation of the online user handshake function.
Examples
# Enable the online user handshake function.
system-view
[Sysname] interface gigabitethernet 3/0/4
[Sysname-GigabitEthernet3/0/4] dot1x handshake
dot1x handshake secure
Use dot1x handshake secure to enable the online user handshake security function. The function enables the device to prevent users from using illegal client software.
undo dot1x mandatory-domain
Default
No mandatory authentication domain is specified.
Views
Ethernet interface view
Default command level
2: System level
Parameters
domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters.
Usage guidelines
When authenticating an 802.1X user trying to access the port, the system selects an authentication domain in the following order: the mandatory domain, the ISP domain specified in the username, and the default ISP domain.
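The domain selection order given here, the delimiters configured with dot1x domain-delimiter (the manual's example uses @\/), and the user-name-format options of the RADIUS and HWTACACS scheme views (keep-original, with-domain, without-domain) together determine what username the server finally sees. The Python below is an added example, not code from this manual or the router software. It assumes that the text after the first delimiter character is the domain for every delimiter, that with-domain joins user and the selected domain with "@", and that the default ISP domain is named "system"; all three are this example's assumptions, as are the sample usernames.

```python
# Delimiters from the dot1x domain-delimiter @\/ example (constructed usage).
DOMAIN_DELIMITERS = "@\\/"
DEFAULT_DOMAIN = "system"   # assumption: the default ISP domain is named "system"


def split_username(entered, delimiters=DOMAIN_DELIMITERS):
    """Split the username as entered into (user, domain or None).
    Assumption: the text after the first delimiter is the domain, whichever
    delimiter character is used."""
    for i, ch in enumerate(entered):
        if ch in delimiters:
            return entered[:i], (entered[i + 1:] or None)
    return entered, None


def select_domain(entered, mandatory_domain=None, default_domain=DEFAULT_DOMAIN,
                  delimiters=DOMAIN_DELIMITERS):
    """Choose the authentication domain in the order the manual gives:
    mandatory domain on the port, domain carried in the username, default
    ISP domain. Returns (domain, source)."""
    _, in_name = split_username(entered, delimiters)
    if mandatory_domain:
        return mandatory_domain, "mandatory"
    if in_name:
        return in_name, "username"
    return default_domain, "default"


def username_for_server(entered, fmt, mandatory_domain=None,
                        default_domain=DEFAULT_DOMAIN, delimiters=DOMAIN_DELIMITERS):
    """Apply user-name-format to produce the username sent to the server.
    Assumption: with-domain uses '@' and the domain select_domain picked."""
    user, _ = split_username(entered, delimiters)
    domain, _ = select_domain(entered, mandatory_domain, default_domain, delimiters)
    if fmt == "keep-original":
        return entered
    if fmt == "without-domain":
        return user
    if fmt == "with-domain":
        return f"{user}@{domain}"
    raise ValueError("user-name-format is keep-original, with-domain or without-domain")
```

The practical check this supports is the one the user-name-format guidelines elsewhere in the manual imply: if the server's user database holds bare usernames, without-domain is the right setting, while a server that keys on user@domain needs with-domain, and a mandatory domain on the port overrides whatever domain the user typed.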
Syntax
In system view:
dot1x max-user user-number [ interface interface-list ]
undo dot1x max-user [ interface interface-list ]
In Ethernet interface view:
dot1x max-user user-number
undo dot1x max-user
Default
The port supports a maximum of 1024 concurrent 802.1X users.
Views
System view, Ethernet interface view
Default command level
2: System level
Parameters
user-number: Specifies the maximum number of concurrent 802.1X users on a port. The value range is 1 to 1024.
Related commands
display dot1x
dot1x multicast-trigger
Use dot1x multicast-trigger to enable the 802.1X multicast trigger function. The device acts as the initiator and periodically multicasts Identity EAP-Request packets out of a port to detect 802.1X clients and trigger authentication. Use undo dot1x multicast-trigger to disable the function.
Syntax
dot1x multicast-trigger
undo dot1x multicast-trigger
Default
The multicast trigger function is enabled.
undo dot1x port-control
Default
The default port authorization state is auto.
Views
System view, Ethernet interface view
Default command level
2: System level
Parameters
authorized-force: Places the specified or all ports in the authorized state, enabling users on the ports to access the network without authentication.
Use undo dot1x port-method to restore the default.
Syntax
In system view:
dot1x port-method { macbased | portbased } [ interface interface-list ]
undo dot1x port-method [ interface interface-list ]
In Ethernet interface view:
dot1x port-method { macbased | portbased }
undo dot1x port-method
Default
MAC-based access control applies.
[Sysname] dot1x port-method portbased interface gigabitethernet 3/0/2 to gigabitethernet 3/0/5 Related commands display dot1x dot1x quiet-period Use dot1x quiet-period to enable the quiet timer. When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client. Use undo dot1x quiet-period to disable the timer. Syntax dot1x quiet-period undo dot1x quiet-period Default The quiet timer is disabled.
Default command level 2: System level Usage guidelines Periodic re-authentication enables the access device to periodically authenticate online 802.1X users on a port. This function tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS. You can use the dot1x timer reauth-period command to configure the interval for re-authentication. Examples # Enable the 802.
Examples # Set the maximum number of attempts for sending an authentication request to a client as 9. system-view [Sysname] dot1x retry 9 Related commands display dot1x dot1x supp-proxy-check Use dot1x supp-proxy-check to enable the proxy detection function and set the processing method on the specified ports or all ports. Use undo dot1x supp-proxy-check to disable the function on the specified ports or all ports.
Examples # Configure ports GigabitEthernet 3/0/1 to GigabitEthernet 3/0/8 to log off users accessing the network through a proxy. system-view [Sysname] dot1x supp-proxy-check logoff [Sysname] dot1x supp-proxy-check logoff interface gigabitethernet 3/0/1 to gigabitethernet 3/0/8 # Configure port GigabitEthernet 3/0/9 to send a trap when a user is detected accessing the network through a proxy.
supp-timeout-value: Sets the client timeout timer in seconds. It is in the range of 1 to 120. tx-period-value: Sets the username request timeout timer in seconds. It is in the range of 10 to 120. Usage guidelines You can set the client timeout timer to a high value in a low-performance network, set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response, or adjust the server timeout timer to adapt to the performance of different authentication servers.
Default The unicast trigger function is disabled. Views Ethernet interface view Default command level 2: System level Usage guidelines The unicast trigger function enables the network access device to initiate 802.1X authentication when it receives a data frame from an unknown source MAC address.
Examples # Clear 802.1X statistics on port GigabitEthernet 3/0/1.
EAD fast deployment commands EAD fast deployment commands are supported only on a SAP module that is operating in bridge mode. dot1x free-ip Use dot1x free-ip to configure a free IP. Users can access the segment before passing 802.1X authentication. Use undo dot1x free-ip to remove the specified or all free IP addresses. Syntax dot1x free-ip ip-address { mask-address | mask-length } undo dot1x free-ip { ip-address { mask | mask-length } | all } Default No free IP is configured.
Syntax dot1x timer ead-timeout ead-timeout-value undo dot1x timer ead-timeout Default The timer is 30 minutes. Views System view Default command level 2: System level Parameters ead-timeout-value: Specifies the EAD rule timer in minutes. The value range is 1 to 1440. Usage guidelines EAD fast deployment automatically creates an ACL rule, or EAD rule, to open access to the redirect URL for each redirected user seeking to access the network. The EAD rule timer sets the lifetime of each ACL rule.
Default command level 2: System level Parameters url-string: Specifies the redirect URL, a case-sensitive string of 1 to 64 characters in the format http://string. Usage guidelines The redirect URL must be on the free IP subnet. If you configure the dot1x url command multiple times, the last configured URL takes effect. Examples # Configure the redirect URL as http://192.168.0.1. system-view [Sysname] dot1x url http://192.168.0.
MAC authentication configuration commands MAC authentication commands are available only for SAP modules that are operating in bridge mode. display mac-authentication Use display mac-authentication to display MAC authentication settings and statistics, including global settings, and port-specific settings and MAC authentication and online user statistics.
Server response timeout value is 100s The max allowed user number is 2048 per slot Current user number amounts to 0 Current domain: not configured, use default domain Silent Mac User info: MAC Addr From Port Port Index GigabitEthernet3/0/1 is link-up MAC address authentication is enabled Authenticate success: 0, failed: 0 Max number of on-line users is 1024 Current online user number is 0 MAC Addr Authenticate state AuthIndex … Table 13 Command output Field Description MAC address authentication is
Field Description GigabitEthernet3/0/1 is link-up Status of the link on port GigabitEthernet 3/0/1. In this example, the link is up. MAC address authentication is enabled Whether MAC authentication is enabled on port GigabitEthernet 3/0/1. Authenticate success: 0, failed: 0 MAC authentication statistics, including the number of successful and unsuccessful authentication attempts. Max number of on-line users Maximum number of concurrent online users allowed on the port.
Default command level 2: System level Parameters interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. The start port and end port of a port range must be of the same type and the end port number must be greater than the start port number.
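The interface-list syntax above carries three rules that the CLI enforces: both ends of a range must be of the same interface type, the end port number must be greater than the start port number, and at most 10 ranges may be given. The following validator is an added example and is not code from the HP reference; it assumes the argument is typed as space-separated "type number" pairs with the keyword to between the ends of a range, applies the "greater than" rule to the whole slot/subslot/port tuple, and only expands ranges that stay within one slot and subslot.

```python
import re

# Added example: validator for the Comware interface-list argument
# { interface-type interface-number [ to interface-type interface-number ] }&<1-10>.
# Not from the HP reference. Tokenizing and range expansion are assumptions
# about how the argument is typed; the end > start rule is applied to the
# full slot/subslot/port tuple.

MAX_RANGES = 10
_IFACE_RE = re.compile(r"^([A-Za-z][A-Za-z-]*)\s*(\d+(?:/\d+)*)$")


def _parse_interface(token):
    """'gigabitethernet 3/0/1' -> ('gigabitethernet', (3, 0, 1))."""
    m = _IFACE_RE.match(token.strip())
    if not m:
        raise ValueError(f"malformed interface: {token!r}")
    return m.group(1).lower(), tuple(int(p) for p in m.group(2).split("/"))


def parse_interface_list(text):
    """Parse an interface-list into [(type, start_number, end_number), ...],
    enforcing: same type at both ends of a range, end > start, 1 to 10 ranges."""
    words = text.split()
    ranges = []
    i = 0
    while i < len(words):
        if i + 1 >= len(words):
            raise ValueError(f"interface type {words[i]!r} has no number")
        itype, start = _parse_interface(f"{words[i]} {words[i + 1]}")
        i += 2
        end = start
        if i < len(words) and words[i].lower() == "to":
            if i + 2 >= len(words):
                raise ValueError("'to' must be followed by an end interface")
            end_type, end = _parse_interface(f"{words[i + 1]} {words[i + 2]}")
            i += 3
            if end_type != itype:
                raise ValueError(f"range mixes {itype} and {end_type}")
            if end <= start:
                raise ValueError("end port must be greater than start port")
        ranges.append((itype, start, end))
    if not ranges:
        raise ValueError("empty interface list")
    if len(ranges) > MAX_RANGES:
        raise ValueError(f"at most {MAX_RANGES} port ranges allowed, got {len(ranges)}")
    return ranges


def expand_interface_list(ranges):
    """Expand ranges to individual interface names. Assumes a range stays
    within one slot/subslot, so only the last number component varies."""
    names = []
    for itype, start, end in ranges:
        if start[:-1] != end[:-1]:
            raise ValueError(f"range {start}-{end} crosses a slot or subslot boundary")
        for port in range(start[-1], end[-1] + 1):
            names.append(itype + "/".join(str(n) for n in start[:-1] + (port,)))
    return names


def is_valid_interface_list(text):
    """True if the argument parses and expands under the rules above."""
    try:
        expand_interface_list(parse_interface_list(text))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    spec = "gigabitethernet 3/0/1 to gigabitethernet 3/0/8 gigabitethernet 3/0/10"
    print(expand_interface_list(parse_interface_list(spec)))
```

Running the list through such a check before pushing configuration from a script catches reversed ranges and mixed interface types on the management host instead of as a rejected command on the router.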
Parameters domain-name: Specifies an authentication domain name, a case-insensitive string of 1 to 24 characters. The domain name cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or at sign (@). Usage guidelines The global authentication domain is applicable to all MAC authentication enabled ports. A port specific authentication domain is applicable only to the port.
[Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] mac-authentication max-user 32 mac-authentication timer Use mac-authentication timer to set the MAC authentication timers. Use undo mac-authentication timer to restore the default settings.
Use undo mac-authentication user-name-format to restore the default. Syntax mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] } undo mac-authentication user-name-format Default Each user's MAC address is used as the username and password for MAC authentication, and letters must be input in lower case. MAC addresses are not hyphenated.
Examples # Configure a shared account for MAC authentication users, and set the username as abc and password as a plaintext string of xyz. system-view [Sysname] mac-authentication user-name-format fixed account abc password simple xyz # Configure a shared account for MAC authentication users, and set the username as abc and password as a ciphertext string of $c$3$Uu9Dh4xRKWa8RHW3TFnNTafBbhdPAg.
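A MAC authentication user is rejected whenever the account on the RADIUS server is provisioned in a notation other than the one the device sends, so the with-hyphen/without-hyphen and lowercase/uppercase choices above must match the server side exactly. The code below is an added example, not from the HP reference: it derives the credential pair the device presents for each mac-address format option (the page states that the MAC is used as both username and password by default, which this assumes for all format variants) and matches a MAC against RADIUS account names regardless of the notation the server administrator used.

```python
import re

# Added example, not from the HP reference. Assumed: under
# 'mac-authentication user-name-format mac-address ...' the same formatted
# MAC string is used as both username and password, as the default
# described above states.


def normalize_mac(mac):
    """Accept 00:0d:88:f8:0e:ab, 000d-88f8-0eab, 000d.88f8.0eab or 000d88f80eab
    in any case and return the 12 lowercase hex digits."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_auth_credentials(mac, with_hyphen=False, uppercase=False):
    """Username and password the device sends for
    'user-name-format mac-address [ with-hyphen | without-hyphen ] [ lowercase | uppercase ]'.
    Hyphenated form is xxxx-xxxx-xxxx, as in the page's own output."""
    digits = normalize_mac(mac)
    name = "-".join(digits[i:i + 4] for i in range(0, 12, 4)) if with_hyphen else digits
    if uppercase:
        name = name.upper()
    return name, name


def find_radius_account(accounts, mac):
    """Return the provisioned account name whose MAC matches the client,
    whatever notation the RADIUS administrator used; None if not provisioned.
    Non-MAC names (for example a shared 'fixed' account) are skipped."""
    target = normalize_mac(mac)
    for account in accounts:
        try:
            if normalize_mac(account) == target:
                return account
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    # Constructed client MAC and RADIUS account list.
    print(mac_auth_credentials("00:0D:88:F8:0E:AB", with_hyphen=True))
    print(find_radius_account(["abc", "000D-88F8-0EAB"], "00:0d:88:f8:0e:ab"))
```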
Portal configuration commands Portal on VLAN interfaces does not support accounting. Portal on other types of interfaces supports accounting. access-user detect Use access-user detect to configure the online portal user detection function. Use undo access-user detect to restore the default. Syntax access-user detect type arp retransmit number interval interval undo access-user detect Default The portal user detection function is not configured on an interface.
Examples # Configure the portal user detection function on interface GigabitEthernet 0/1, specifying the probe packets as ARP requests, maximum number of probe attempts as 3, and probe interval as 10 seconds. system-view [Sysname] interface gigabitethernet0/1 [Sysname-GigabitEthernet0/1] access-user detect type arp retransmit 3 interval 10 display portal acl Use display portal acl to display the ACLs on a specific interface.
Port : 50000 ~ 51000 MAC : 0000-0000-0000 Interface : any VLAN : 0 Destination: IP : 111.111.111.111 Mask : 255.255.255.255 Port : 40000 Rule 1 Inbound interface : GigabitEthernet3/0/1 Type : static Action : permit Protocol : 0 Source: IP : 0.0.0.0 Mask : 0.0.0.0 Port : 23 MAC : 0000-0000-0000 Interface : any VLAN : 0 Destination: IP : 192.168.0.111 Mask : 255.255.255.
Mask : 255.255.255.255 MAC : 000d-88f8-0eab Interface : GigabitEthernet3/0/1 VLAN : 0 Protocol : 0 Destination: IP : 0.0.0.0 Mask : 0.0.0.0 Author ACL: Number : 3001 Table 14 Command output Field Description Rule Sequence number of the portal ACL, which is numbered from 0 in ascending order. Inbound interface Interface to which the portal ACL is bound. Type Type of the portal ACL. Action Match action in the portal ACL. Protocol Transport layer protocol number in the portal ACL.
Syntax display portal connection statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
MSG_LOGIN_REQ 3 0 0 MSG_LOGOUT_REQ 2 0 0 MSG_LEAVING_REQ 0 0 0 MSG_ARPPKT 0 0 0 MSG_PORT_REMOVE 0 0 0 MSG_VLAN_REMOVE 0 0 0 MSG_IF_REMOVE 6 0 0 MSG_IF_SHUT MSG_IF_DISPORTAL 0 0 0 MSG_IF_UP 0 0 0 0 0 0 MSG_ACL_RESULT 0 MSG_AAACUTBKREQ 0 0 0 0 0 MSG_CUT_BY_USERINDEX 0 0 0 MSG_CUT_L3IF 0 0 0 MSG_IP_REMOVE 0 0 0 MSG_ALL_REMOVE 1 0 0 MSG_IFIPADDR_CHANGE 0 0 0 MSG_SOCKET_CHANGE 8 0 0 MSG_NOTIFY MSG_SETPOLICY MSG_SETPOLICY_RESULT 0 0 0 0 0
Field Description MSG_ARPPKT ARP message. MSG_PORT_REMOVE Users-of-a-Layer-2-port-removed message. MSG_VLAN_REMOVE VLAN user removed message. MSG_IF_REMOVE Users-removed message, indicating the users on a Layer 3 interface were removed because the Layer 3 interface was removed. MSG_IF_SHUT Layer 3 interface shutdown message. MSG_IF_DISPORTAL Portal-disabled-on-interface message. MSG_IF_UP Layer 3 interface came up message. MSG_ACL_RESULT ACL deployment failure message.
include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display information about portal-free rule 1. display portal free-rule 1 Rule-Number 1: Source: IP : 2.2.2.0 Mask : 255.255.255.0 Port : any MAC : 0000-0000-0000 Interface : any Vlan : 0 Destination: IP : 0.0.0.0 Mask : 0.0.0.
Field Description Destination Destination information in the portal-free rule. IP Destination IP address in the portal-free rule. Mask Subnet mask of the destination IP address in the portal-free rule. Port Destination transport layer port number in the portal-free rule. Protocol Transport layer protocol number in the portal-free rule. Related commands portal free-rule display portal interface Use display portal interface to display the portal configuration of an interface.
Table 17 Command output Field Description Portal configuration of interface Portal configuration on the interface. IPv4 IPv4 portal configuration. Status Status of the portal authentication on the interface: • Portal disabled—Portal authentication is disabled. • Portal enabled—Portal authentication is enabled but is not functioning. • Portal running—Portal authentication is functioning. Portal server Portal server referenced by the interface. Portal backup-group
display portal server aaa Portal server: 1)aaa: IP : 192.168.0.111 VPN instance : vpn1 Port : 50100 Key : ****** URL : http://192.168.0.111 Server Type Status : IMC : Up Table 18 Command output Field Description 1) Number of the portal server. aaa Name of the portal server. VPN instance MPLS L3VPN to which the portal server belongs. IP IP address of the portal server. Port Listening port on the portal server.
Views Any view Default command level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and name. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.
NTF_AUTH 0 ACK_NTF_AUTH REQ_QUERY_STATE 0 0 ACK_QUERY_STATE 0 0 0 0 0 0 0 0 0 RESERVED33 0 0 0 RESERVED35 0 0 0 Table 19 Command output Field Description Interface Interface referencing the portal server. Invalid packets Number of invalid packets. Pkt-Name Packet type. Total Total number of packets. Discard Number of discarded packets. Checkerr Number of erroneous packets. REQ_CHALLENGE Challenge request message the portal server sent to the access device.
Field Description NTF_CHALLENGE Challenge request the access device sent to the portal server. NTF_USER_NOTIFY User information notification message the access device sent to the portal server. AFF_NTF_USER_NOTIFY NTF_USER_NOTIFY acknowledgment message the access device sent to the portal server. NTF_AUTH Forced authentication notification message the portal server sent to the access device. ACK_NTF_AUTH NTF_AUTH acknowledgment message the access device sent to the portal server.
Packets Sent: 0 Packets Retransmitted: 0 Packets Dropped: 0 HTTP Packets Sent: 0 Connection State: SYN_RECVD: 0 ESTABLISHED: 0 CLOSE_WAIT: 0 LAST_ACK: 0 FIN_WAIT_1: 0 FIN_WAIT_2: 0 CLOSING: 0 Table 20 Command output Field Description TCP Cheat Statistic TCP spoofing statistics. Total Opens Total number of opened connections. Resets Connections Number of connections reset through RST packets. Current Opens Number of connections being set up. Packets Received Number of received packets.
Default command level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and name. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
Field Description Work-mode User's working mode: • Primary. • Secondary. • Stand-alone. VPN instance MPLS L3VPN to which the portal server belongs. MAC MAC address of the portal user. IP IP address of the portal user. Vlan VLAN to which the portal user belongs. Interface Interface to which the portal user is attached. Total 2 user(s) matched, 2 listed Total number of portal users. portal auth-network Use portal auth-network to configure a portal authentication source subnet on an interface.
authentication source subnet for re-DHCP authentication (redhcp) is the one determined by the private IP address of the interface connecting the users. You can configure multiple authentication source subnets by executing the portal auth-network command. The system supports up to 16 authentication source subnets and destination subnets. Examples # Configure a portal authentication source subnet of 10.10.10.0/24 on GigabitEthernet 3/0/1 to allow users from subnet 10.10.10.
If both an authentication source subnet and destination subnet are configured on an interface, only the authentication destination subnet takes effect. Examples # Configure a portal authentication destination subnet of 2.2.2.0/24 on GigabitEthernet 3/0/1, so that only users accessing subnet 2.2.2.0/24 trigger portal authentication on the interface. Users can access other subnets through the interface without portal authentication.
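The precedence rule just stated is easy to get wrong when an interface accumulates both kinds of subnets plus portal-free rules. The model below is an added example, not from the HP reference, of the per-interface decision "does this flow trigger portal authentication?" using the rules on this page: a flow matching a portal-free rule is exempt; if any authentication destination subnet is configured, only flows to those subnets trigger authentication and the source subnets are ignored; otherwise flows from an authentication source subnet trigger it; at most 16 subnets of each kind are accepted. It assumes (the page does not say) that with neither kind configured every source on the interface is subject to portal authentication, i.e. a default source subnet of 0.0.0.0/0, and that free-rule port ranges apply to the destination port.

```python
import ipaddress

# Added example, not from the HP reference. Assumed: with no source or
# destination subnet configured, all sources on the interface are subject to
# portal authentication (default source subnet 0.0.0.0/0); free-rule port
# ranges match the destination port.

MAX_SUBNETS = 16


class PortalInterfacePolicy:
    def __init__(self):
        self.auth_networks = []       # portal auth-network (source subnets)
        self.auth_destinations = []   # authentication destination subnets
        self.free_rules = []          # portal free-rule entries

    def add_auth_network(self, cidr):
        self._add_subnet(self.auth_networks, cidr)

    def add_auth_destination(self, cidr):
        self._add_subnet(self.auth_destinations, cidr)

    @staticmethod
    def _add_subnet(table, cidr):
        if len(table) >= MAX_SUBNETS:
            raise ValueError(f"at most {MAX_SUBNETS} subnets of this kind per interface")
        table.append(ipaddress.ip_network(cidr, strict=False))

    def add_free_rule(self, src=None, dst=None, proto=None, ports=None):
        """src/dst as CIDR or None for any; proto 'tcp'/'udp' or None for any;
        ports as (low, high) destination port range or None for any."""
        self.free_rules.append((
            ipaddress.ip_network(src, strict=False) if src else None,
            ipaddress.ip_network(dst, strict=False) if dst else None,
            proto, ports))

    def requires_portal_auth(self, src_ip, dst_ip, proto=None, dport=None):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        # 1. Traffic matching a portal-free rule never needs authentication.
        for r_src, r_dst, r_proto, r_ports in self.free_rules:
            in_ports = r_ports is None or (dport is not None and r_ports[0] <= dport <= r_ports[1])
            if ((r_src is None or src in r_src) and (r_dst is None or dst in r_dst)
                    and (r_proto is None or r_proto == proto) and in_ports):
                return False
        # 2. Destination subnets, when present, are the only thing that counts.
        if self.auth_destinations:
            return any(dst in net for net in self.auth_destinations)
        # 3. Otherwise the source subnets decide.
        if self.auth_networks:
            return any(src in net for net in self.auth_networks)
        # 4. Nothing configured: assumed default 0.0.0.0/0 source subnet.
        return True


if __name__ == "__main__":
    # Constructed policy mirroring the two examples in this section.
    policy = PortalInterfacePolicy()
    policy.add_auth_network("10.10.10.0/24")
    policy.add_auth_destination("2.2.2.0/24")
    print(policy.requires_portal_auth("10.10.20.5", "2.2.2.9"))   # destination wins
```

Note what the precedence rule means operationally: adding a single destination subnet silently disables every source subnet on the interface, so hosts outside 10.10.10.0/24 start triggering authentication when they reach 2.2.2.0/24, and hosts inside it stop being challenged for any other destination.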
Command: portal backup-group. Support by model: 6602, Yes; HSR6602, Yes; 6604/6608/6616, No. Examples # In the stateful failover networking environment, add the portal service backup interface GigabitEthernet 0/0/1 to portal group 1 on the source backup device. system-view [Sysname] interface gigabitethernet 0/0/1 [Sysname-GigabitEthernet0/0/1] portal backup-group 1 On the peer device (destination backup device), you must also add the corresponding service backup interface into portal group 1.
undo portal domain Default No authentication domain is specified for portal users on an interface. Views Interface view Default command level 2: System level Parameters domain-name: Specifies an authentication domain name, a case-insensitive string of 1 to 24 characters. The domain specified by this argument must already exist. Examples # Configure the authentication domain for IPv4 portal users on GigabitEthernet 3/0/1 as my-domain.
mask { mask-length | mask }: Specifies a mask or mask length for the IP address. The mask argument is a subnet mask in dotted decimal notation. The mask-length argument is a subnet mask length, an integer in the range of 0 to 32. tcp tcp-port-number [ to tcp-port-number ]: Specifies a range of TCP port numbers. The value range for the tcp-port-number argument is 0 to 65535. udp udp-port-number [ to udp-port-number ]: Specifies a range of UDP port numbers.
Use undo portal max-user to restore the default. Syntax portal max-user max-number undo portal max-user Default The maximum number of portal users is that supported by the system. Views System view Default command level 2: System level Parameters max-number: Maximum number of online portal users allowed in the system.
Views Interface view, system view Default command level 2: System level Parameters nas-identifier: NAS ID, a case-sensitive string of 1 to 20 characters. This value is used as the value of the NAS-Identifier attribute in the RADIUS request to be sent to the RADIUS server when a portal user logs on from an interface. Usage guidelines You can specify the NAS-identifier attribute value to be carried in a RADIUS request in system view or interface view.
• If a NAS ID is configured using the portal nas-id command, the device uses the configured NAS ID as that of the interface. • If the interface has no NAS ID configured, the device uses the device name as the interface NAS ID. Examples # Specify NAS ID profile aaa for VLAN-interface 2.
undo portal nas-port-id Default No NAS-Port-ID value is specified for an interface, and the device uses the information obtained from the physical interface where the portal user accesses as the NAS-Port-ID value in a RADIUS request. Views Interface view Default command level 2: System level Parameters nas-port-id-value: NAS-Port-ID value, a case-sensitive string of 1 to 253 characters.
wireless: Specifies the access port type as IEEE 802.11 standard wireless interface, which corresponds to code 19. This keyword is usually specified on an interface for wireless portal users, making sure that the NAS-Port-Type value delivered by the access device to the RADIUS server is wireless. Examples # Specify the NAS-Port-Type value of GigabitEthernet 3/0/1 as IEEE 802.11 standard wireless interface.
Syntax portal server server-name ip ip-address [ key [ cipher | simple ] key-string | port port-id | server-type { cmcc | imc } | url url-string | vpn-instance vpn-instance-name ] * undo portal server server-name [ key | port | server-type | url | vpn-instance ] Default No portal server is configured for Layer 3 portal authentication. Views System view Default command level 2: System level Parameters server-name: Specifies a name for the portal server, a case-sensitive string of 1 to 32 characters.
For security purposes, all passwords, including passwords configured in plain text, are saved in cipher text to the configuration file. Examples # Configure portal server pts, setting the IP address to 192.168.0.111, the key to portal in plain text, and the redirection URL to http://192.168.0.113/portal. system-view [Sysname] portal server pts ip 192.168.0.111 key simple portal url http://192.168.0.
Related commands display portal server portal server server-detect Use portal server server-detect to configure portal server detection, including the detection method, action, probe interval, and maximum number of probe attempts. When this function is configured, the device checks the status of the specified server periodically and takes the specified actions when the server status changes. Use undo portal server server-detect to cancel the detection of the specified portal server.
• log: Specifies the action as sending a log message. When the status (reachable/unreachable) of a portal server changes, the access device sends a log message. The log message contains the portal server name and the current state and original state of the portal server. • permit-all: Specifies the action as disabling portal authentication, that is, enabling portal authentication bypass. Because users can then reach the network without authenticating for as long as the server is judged unreachable, choose this action only where availability outweighs the access control the portal provides.
portal server user-sync Use portal server user-sync to configure portal user information synchronization with a specific portal server. When this function is configured, the device periodically checks and responds to the user synchronization packets received from the specified portal server, keeping the online user information on the device and the portal server consistent.
Examples # Configure the device to synchronize portal user information with portal server pts: • Setting the synchronization probe interval to 600 seconds • Specifying the device to log off users if information of the users does not exist in the user synchronization packets sent from the server in two consecutive probe intervals.
reset portal tcp-cheat statistics Use reset portal tcp-cheat statistics to clear TCP spoofing statistics. Syntax reset portal tcp-cheat statistics Views User view Default command level 1: Monitor level Examples # Clear TCP spoofing statistics.
Port security configuration commands The port security commands are available only for SAP modules that are operating in bridge mode. display port-security Use display port-security to display port security configuration information, operation information, and statistics for one or more ports.
RALM logfailure trap is enabled AutoLearn aging time is 1 minutes Disableport Timeout: 20s OUI value: Index is 1, OUI value is 000d1a Index is 2, OUI value is 003c12 GigabitEthernet3/0/1 is link-down Port mode is userLoginWithOUI NeedToKnow mode is NeedToKnowOnly Intrusion Portection mode is DisablePort Max MAC address number is 50 Stored MAC address number is 0 Authorization is ignored GigabitEthernet3/0/2 is link-down Port mode is noRestriction NeedToKnow mode is disabled Intrusion Portection mode is
Field Description Disableport Timeout Silence timeout period of the port that receives illegal packets, in seconds. OUI value List of OUI values allowed. Port mode Port security mode: • noRestrictions. • autoLearn. • macAddressWithRadius. • macAddressElseUserLoginSecure. • macAddressElseUserLoginSecureExt. • secure. • userLogin. • userLoginSecure. • userLoginSecureExt. • macAddressOrUserLoginSecure. • macAddressOrUserLoginSecureExt. • userLoginWithOUI.
Related commands • port-security enable • port-security port-mode • port-security ntk-mode • port-security intrusion-mode • port-security max-mac-count • port-security mac-address security • port-security authorization ignore • port-security oui • port-security trap display port-security mac-address block Use display port-security mac-address block to display information about blocked MAC addresses.
000f-3d80-0d2d GigabitEthernet3/0/1 30 --- On slot 3, 1 mac address(es) found --- --- 1 mac address(es) found --- # Display the count of all blocked MAC addresses. display port-security mac-address block count --- On slot 2, no mac address found --- --- On slot 3, 1 mac address(es) found --- --- 1 mac address(es) found --- # Display information about all blocked MAC addresses in VLAN 30.
Field Description VLAN ID ID of the VLAN to which the port belongs. On slot n, x mac address(es) found Number of blocked MAC addresses on slot n. x mac address(es) found Total number of blocked MAC addresses. Related commands port-security intrusion-mode display port-security mac-address security Use display port-security mac-address security to display information about secure MAC addresses.
--- 2 mac address(es) found --- # Display only the count of the secure MAC addresses. display port-security mac-address security count This operation may take a few minutes, please wait...... --- 2 mac address(es) found --- # Display information about secure MAC addresses in VLAN 1.
Use undo port-security authorization ignore to restore the default. Syntax port-security authorization ignore undo port-security authorization ignore Default A port uses the authorization information from the server. Views Ethernet interface view Default command level 2: System level Usage guidelines After a user passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user's account. For example, it can assign a VLAN.
• Port security mode is noRestrictions. You cannot disable port security when online users are present. Examples # Enable port security.
Examples # Configure port GigabitEthernet 3/0/1 to block the source MAC addresses of illegal frames after intrusion protection is triggered.
port-security mac-address dynamic Use port-security mac-address dynamic to enable the dynamic secure MAC function. This function converts sticky MAC addresses to dynamic ones and disables saving them to the configuration file. Use undo port-security mac-address dynamic to disable the dynamic secure MAC function. Then, all dynamic secure MAC addresses are converted to sticky MAC addresses, and you can manually configure sticky MAC addresses.
undo port-security mac-address security [ sticky ] mac-address vlan vlan-id In system view: port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ] Default No secure MAC address entry is configured.
Examples # Enable port security, set port GigabitEthernet 3/0/1 in autoLearn mode, and add a static secure MAC address 0001-0001-0002 in VLAN 10.
Usage guidelines In autoLearn mode, this command sets the maximum number of secure MAC addresses (both configured and automatically learned) on the port. The maximum number set by this command cannot be smaller than the current number of MAC addresses saved on the port. In any other mode that enables 802.1X, MAC authentication, or both, this command sets the maximum number of authenticated MAC addresses on the port.
Usage guidelines The need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow frames to be sent to only devices passing authentication, preventing illegal devices from intercepting network traffic. Examples # Set the NTK mode of port GigabitEthernet 3/0/1 to ntkonly, allowing the port to forward received packets to only devices passing authentication.
Related commands display port-security port-security port-mode Use port-security port-mode to set the port security mode of a port. Use undo port-security port-mode to restore the default.
Keyword Security mode Description mac-else-userlogin-secure-ext macAddressElseUserLoginSecureExt Similar to the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users. In this mode, MAC address learning is disabled on the port and you can configure MAC addresses by using the mac-address static and mac-address dynamic commands.
Examples # Enable port security and set port GigabitEthernet 3/0/1 in secure mode. system-view [Sysname] port-security enable [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] port-security port-mode secure # Change the port security mode of port GigabitEthernet 3/0/1 to userLogin.
Syntax port-security timer disableport time-value undo port-security timer disableport Default The silence period is 20 seconds. Views System view Default command level 2: System level Parameters time-value: Specifies the silence period in seconds during which the port remains disabled. The value range is 20 to 300. Usage guidelines If you configure the intrusion protection policy as disabling the port temporarily whenever it receives an illegal frame, use this command to set the silence period.
Parameters addresslearned: Enables MAC address learning traps. The port security module sends traps when a port learns a new MAC address. dot1xlogfailure: Enables 802.1X authentication failure traps. The port security module sends traps when an 802.1X authentication fails. dot1xlogon: Enables 802.1X authentication success traps. The port security module sends traps when an 802.1X authentication is passed. dot1xlogoff: Enables 802.1X user logoff event traps. The port security module sends traps when an 802.
User profile configuration commands display user-profile Use display user-profile to display information about all user profiles that have been created. Syntax display user-profile [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 2: System level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Syntax user-profile profile-name enable undo user-profile profile-name enable Default A created user profile is disabled. Views System view Default command level 2: System level Parameters profile-name: Specifies a user profile name, a case-sensitive string of 1 to 31 characters. It can only contain English letters, digits, and underlines, and it must start with an English letter. The user profile must already exist. Usage guidelines Only enabled user profiles can be applied to authenticated users.
Parameters profile-name: Assigns a name to the user profile. The name is a case-sensitive string of 1 to 31 characters. It can only contain English letters, digits, and underlines, and it must start with an English letter. A user profile name must be globally unique. Examples # Create user profile a123. system-view [Sysname] user-profile a123 [Sysname-user-profile-a123] # Enter the user profile view of a123.
Password control configuration commands
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
display password-control
Use display password-control to display password control configuration information.
 Password complexity: Disabled (username checking)
                      Disabled (repeated characters checking)
# Display the password control configuration for super passwords.
display password-control super
Super password control configurations:
 Password aging: Enabled (90 days)
 Password length: Enabled (10 characters)
 Password composition: Enabled (1 types, 1 characters per type)
Table 26 Command output
Field | Description
Password control | Whether the password control feature is enabled.
Views
Any view
Default command level
2: System level
Parameters
user-name name: Specifies a user by the name, a string of 1 to 80 characters.
ip ipv4-address: Specifies the IPv4 address of a user.
ipv6 ipv6-address: Specifies the IPv6 address of a user.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
Syntax
password
undo password
Views
Local user view
Default command level
2: System level
Usage guidelines
Valid characters for a local user password are from the following four types:
• Uppercase letters A to Z
• Lowercase letters a to z
• Digits 0 to 9
• Blank space and 31 special characters: tilde (~), back quote (`), exclamation point (!), at sign (@), pound sign (#), dollar sign ($), percent sign (%), caret (^), ampersand sign (&), asterisk (*), left parenthesis ("("), right parenthesis (")"),
Views
System view
Default command level
2: System level
Parameters
aging: Enables the password aging function.
composition: Enables the password composition restriction function.
history: Enables the password history function.
length: Enables the minimum password length restriction function.
Usage guidelines
For these four functions to take effect, the password control feature must be enabled globally. You must also enable a function for its related configuration to take effect.
Default
A password expires after 90 days globally. The password aging time of a user group equals the global setting. The password aging time of a local user equals that of the user group to which the local user belongs.
Views
System view, user group view, local user view
Default command level
2: System level
Parameters
aging-time: Specifies the password aging time in days, in the range of 1 to 365.
Usage guidelines
The setting in system view has global significance and applies to all user groups.
undo password-control alert-before-expire
Default
A user is notified of pending password expiration 7 days before the user's password expires.
Views
System view
Default command level
2: System level
Parameters
alert-time: Specifies the number of days before a user's password expires during which the user is notified of the pending password expiration. The value range is 1 to 30.
password-control complexity
Use password-control complexity to configure the password complexity checking policy. Passwords that fail the complexity check are refused.
Use undo password-control complexity check to remove a password complexity checking item.
In FIPS mode, the global password composition policy is as follows: a password must contain all four types of characters (uppercase letters, lowercase letters, digits, and special characters), and each type must contain at least one character. In both FIPS and non-FIPS mode, the password composition policy of a user group is the same as the global policy, and the password composition policy of a local user is the same as that of the user group to which the local user belongs.
password-control enable
Use password-control enable to enable the password control feature globally.
Use undo password-control enable to disable the password control feature globally.
Syntax
password-control enable
undo password-control enable
Default
The password control feature is disabled globally.
Views
System view
Default command level
2: System level
Usage guidelines
The password control functions take effect only after the password control feature is enabled globally.
Parameters
delay: Specifies the maximum number of days during which a user can log in using an expired password. It must be in the range of 1 to 90.
times: Specifies the maximum number of times a user can log in after the password expires. The value range is 0 to 10. 0 means that a user cannot log in after the password expires.
Examples
# Specify that a user can log in five times within 60 days after the password expires.
Default
The global minimum password length is 10 characters. The minimum password length of a user group equals the global setting. The minimum password length of a local user equals that of the user group to which the local user belongs.
Views
System view, user group view, local user view
Default command level
2: System level
Parameters
length: Specifies the minimum password length in characters. The value range for this argument is 4 to 32 in non-FIPS mode, and 8 to 32 in FIPS mode.
password-control login idle-time
Use password-control login idle-time to set the maximum account idle time. If a user account is idle for this period of time, you can no longer use this account to log in to the device.
Use undo password-control login idle-time to restore the default.
Syntax
password-control login idle-time idle-time
undo password-control login idle-time
Default
You cannot use a user account to log in to the device if the account has been idle for 90 days.
Parameters
login-times: Specifies the maximum number of consecutive failed login attempts, in the range of 2 to 10.
exceed: Specifies the action to be taken when a user fails to log in after the specified number of attempts.
lock: Permanently prohibits a user who fails to log in after the specified number of attempts from logging in.
lock-time time: Forces a user who fails to log in after the specified number of attempts to wait for a period of time before trying again.
• display password-control blacklist
• reset password-control blacklist
password-control password update interval
Use password-control password update interval to set the minimum password update interval, that is, the minimum interval at which users can change their passwords.
Use undo password-control password update interval to restore the default.
Views
System view
Default command level
2: System level
Parameters
aging-time: Specifies the super password aging time in days, in the range of 1 to 365.
Usage guidelines
If you do not specify an aging time for super passwords, the system applies the global password aging time to super passwords. If you have specified an aging time for super passwords, the system applies that aging time to super passwords.
Examples
# Set the super passwords to expire after 10 days.
Usage guidelines
If you do not specify a composition policy for super passwords, the system applies the global password composition policy to super passwords. If you have specified a composition policy for super passwords, the system applies that composition policy to super passwords.
Examples
# Specify that all super passwords must each contain at least three types of characters and each type contains at least five characters.
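The following is an added example, not HP code: it models the minimum-length and composition checks described above (the four character types of the password command, the length ranges of password-control length in FIPS and non-FIPS mode, and the "N types, M characters per type" rule used in the super password example) so that candidate passwords can be audited offline before they are configured. The page lists only the first few of the 31 special characters; the full set is assumed here to be ASCII punctuation without the question mark, and the policy class and sample passwords are constructed for illustration.

```python
"""Added example (not HP code): a model of the password-control length and
composition checks, for auditing candidate passwords before configuration."""
import string

# Character types from the password command: uppercase, lowercase, digits, and
# blank space plus 31 special characters. ASSUMPTION: the 31 special characters
# are ASCII punctuation without '?' (the CLI help key), which gives exactly 31.
SPECIAL_CHARS = " " + string.punctuation.replace("?", "")


def count_types(password):
    """Count characters of each type. Characters outside the four allowed
    types are counted under 'invalid' so the caller can reject the password."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0, "invalid": 0}
    for ch in password:
        if ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        elif ch in SPECIAL_CHARS:
            counts["special"] += 1
        else:
            counts["invalid"] += 1
    return counts


class PasswordPolicy:
    """Minimum length (password-control length) plus composition
    (at least type_number types, each with at least type_length characters)."""

    def __init__(self, min_length=10, type_number=1, type_length=1, fips=False):
        low, high = (8, 32) if fips else (4, 32)   # ranges of the length argument
        if not low <= min_length <= high:
            raise ValueError(f"min length {min_length} outside {low}-{high}")
        if fips and type_number != 4:
            raise ValueError("FIPS mode requires all four character types")
        if not 1 <= type_number <= 4 or type_length < 1:
            raise ValueError("bad composition parameters")
        self.min_length = min_length
        self.type_number = type_number
        self.type_length = type_length

    def check(self, password):
        """Return a list of violations; an empty list means the password complies."""
        problems = []
        counts = count_types(password)
        if counts["invalid"]:
            problems.append(f"{counts['invalid']} character(s) outside the allowed set")
        if len(password) < self.min_length:
            problems.append(f"length {len(password)} < minimum {self.min_length}")
        # Composition: count the types that reach type_length characters and
        # require at least type_number of them.
        qualifying = [t for t in ("upper", "lower", "digit", "special")
                      if counts[t] >= self.type_length]
        if len(qualifying) < self.type_number:
            problems.append(f"only {len(qualifying)} type(s) with >= "
                            f"{self.type_length} character(s); need {self.type_number}")
        return problems


# Constructed sample policies: the super-password example in this chapter
# (3 types, 5 characters per type) and the FIPS global policy (4 types, 1 each).
SUPER_POLICY = PasswordPolicy(min_length=10, type_number=3, type_length=5)
FIPS_POLICY = PasswordPolicy(min_length=8, type_number=4, type_length=1, fips=True)

if __name__ == "__main__":
    for pw in ("ABCDEabcde12345", "ABCDEabcde1234", "Abc123!x", "Abc12345"):
        print(pw, "super:", SUPER_POLICY.check(pw), "fips:", FIPS_POLICY.check(pw))
```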
reset password-control blacklist
Use reset password-control blacklist to remove all or one user from the password control blacklist.
Syntax
reset password-control blacklist { all | user-name name }
Views
User view
Default command level
3: Manage level
Parameters
all: Clears all users from the password control blacklist.
user-name name: Specifies the user to be removed from the password control blacklist. The name argument is the username, a case-sensitive string of 1 to 80 characters.
With the super keyword specified but the level argument not specified, this command deletes the history records of all super passwords.
Examples
# Clear the history password records of all local users (enter Y to confirm).
RSH configuration commands
rsh
Use rsh to execute an OS command on a remote host.
Syntax
rsh host [ user username ] command remote-command
Views
User view
Default command level
0: Visit level
Parameters
host: IP address or host name of the remote host, a string of 1 to 20 characters.
user username: Specifies the username for remote login, a string of 1 to 20 characters. If you do not specify a username, the system name of the device, which can be set by using the sysname command, applies.
Public key configuration commands
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
display public-key local public
Use display public-key local public to display the public key information of local asymmetric key pairs.
Time of Key pair created: 19:59:17 2007/10/25
Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12
B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75
1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001
# Display the public key information of the local DSA key pair.
Syntax
display public-key peer [ brief | name publickey-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
brief: Displays brief information about all peer public keys.
name publickey-name: Displays information about a peer public key. publickey-name represents a public key by its name, a case-sensitive string of 1 to 64 characters.
|: Filters command output by specifying a regular expression.
Field | Description
Key Code | Public key data.
# Display brief information about all locally saved peer public keys.
display public-key peer brief
Type  Module  Name
--------------------------
RSA   1024    idrsa
DSA   1024    10.1.1.1
Table 30 Command output
Field | Description
Type | Key type: RSA or DSA.
Module | Key modulus length in bits.
Name | Name of the public key.
public-key-code begin
Use public-key-code begin to enter public key code view. Then, enter the key data in the correct format to specify the peer public key. Spaces and carriage returns are allowed between characters, but are not saved.
Syntax
public-key-code begin
Views
Public key view
Default command level
2: System level
Usage guidelines
If the peer device is an HP device, input the key data displayed by the display public-key local public command so that the key is format compliant.
Usage guidelines
The system verifies the key before saving it. If the key is not in the correct format, the system discards the key and displays an error message. If the key is valid, the system saves the key.
Examples
# Exit public key code view and save the configured public key.
In FIPS mode, the DSA key modulus length is at least 1024 bits, and the RSA key modulus length must be 2048 bits.
Examples
# Create local RSA key pairs.
system-view
[Sysname] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++
+++++++
+++++++++
+++
# Create a local DSA key pair.
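The following is an added example, not HP code: it decodes the key code printed by display public-key local public (the SERVER_KEY value shown above, which is a DER-encoded RSA SubjectPublicKeyInfo) the way a peer must be able to before public-key-code end accepts it, ignoring the whitespace and line breaks that public key code view also ignores, and checks the modulus length against the FIPS RSA requirement stated here. It uses only the Python standard library; the helper names and the truncation check are this example's own.

```python
"""Added example (not HP code): decode the hexadecimal key code shown by
display public-key local public and check the RSA modulus length."""

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded value bytes.
RSA_OID = bytes.fromhex("2A864886F70D010101")


def _tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _expect(buf, pos, tag):
    """Parse the element at pos and require it to carry the given tag."""
    t, v, nxt = _tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{t:02x}")
    return v, nxt


def parse_rsa_key_code(key_code):
    """Parse an RSA SubjectPublicKeyInfo key code. Whitespace and line breaks
    are ignored, as in public key code view. Returns (modulus_bits, exponent)."""
    der = bytes.fromhex("".join(key_code.split()))
    spki, end = _expect(der, 0, 0x30)                # SubjectPublicKeyInfo SEQUENCE
    if end != len(der):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    alg, pos = _expect(spki, 0, 0x30)                # AlgorithmIdentifier
    oid, _ = _expect(alg, 0, 0x06)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    bitstr, _ = _expect(spki, pos, 0x03)             # subjectPublicKey BIT STRING
    if bitstr[0] != 0:
        raise ValueError("unexpected unused bits in BIT STRING")
    rsa_seq, _ = _expect(bitstr, 1, 0x30)            # RSAPublicKey SEQUENCE
    n_bytes, pos = _expect(rsa_seq, 0, 0x02)         # modulus INTEGER
    e_bytes, _ = _expect(rsa_seq, pos, 0x02)         # publicExponent INTEGER
    modulus = int.from_bytes(n_bytes, "big")
    exponent = int.from_bytes(e_bytes, "big")
    return modulus.bit_length(), exponent


def meets_fips_rsa_requirement(bits):
    """FIPS mode in this reference requires an RSA key modulus of 2048 bits."""
    return bits == 2048


# The SERVER_KEY key code displayed by display public-key local public above.
SERVER_KEY_CODE = """
307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12
B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75
1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001
"""

if __name__ == "__main__":
    bits, e = parse_rsa_key_code(SERVER_KEY_CODE)
    print(f"RSA modulus: {bits} bits, e = {e}, "
          f"FIPS-compliant: {meets_fips_rsa_requirement(bits)}")
```

The displayed SERVER_KEY is a 768-bit key with exponent 65537, which is below the 2048-bit modulus the FIPS mode requires.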
Parameters
dsa: DSA key pair.
rsa: RSA key pair.
Examples
# Destroy the local RSA key pairs.
system-view
[Sysname] public-key local destroy rsa
Warning: Confirm to destroy these keys? [Y/N]:y
# Destroy the local DSA key pair.
[Sysname] public-key local export dsa ssh2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "dsa-key-20070625"
AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3
B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz
WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU
XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH
bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAAC
Usage guidelines
SSH1, SSH2.0 and OpenSSH are different public key formats for different requirements.
Examples
# Export the host public key of the local RSA key pairs in OpenSSH format to the file named key.pub.
system-view
[Sysname] public-key local export rsa openssh key.pub
# Display the host public key of the local RSA key pairs in SSH2.0 format.
Usage guidelines
To manually configure the peer public key on the local device, obtain the public key in hexadecimal from the peer device beforehand, and perform the following configurations on the local device:
1. Execute the public-key peer command, and then the public-key-code begin command to enter public key code view.
2. Type the peer public key.
3. Execute the public-key-code end command to save the public key and return to public key view.
4.
Examples
# Import the peer host public key named key2 from the public key file key.pub.
system-view
[Sysname] public-key peer key2 import sshkey key.
PKI configuration commands
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
attribute
Use attribute to configure the attribute rules of the certificate issuer name, certificate subject name and alternative certificate subject name.
Use undo attribute to delete the attribute rules of one or all certificates.
Usage guidelines
The attribute of the alternative certificate subject name does not appear as a distinguished name, and therefore the dn keyword is not available for the attribute.
Examples
# Create a certificate attribute rule, specifying that the DN in the subject name includes the string abc.
Use undo certificate request entity to remove the configuration.
Syntax
certificate request entity entity-name
undo certificate request entity
Default
No entity is specified for certificate request.
Views
PKI domain view
Default command level
2: System level
Parameters
entity-name: Name of the entity for certificate request, a case-insensitive string of 1 to 15 characters.
Examples
# Specify the entity for certificate request as entity1.
system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request from ca
certificate request mode
Use certificate request mode to set the certificate request mode.
Use undo certificate request mode to restore the default.
Syntax
certificate request mode { auto [ key-length key-length | password { cipher | simple } password ] * | manual }
undo certificate request mode
Default
Manual mode is used.
Related commands
pki request-certificate
certificate request polling
Use certificate request polling to specify the certificate request polling interval and attempt limit.
Use undo certificate request polling to restore the defaults.
Syntax
certificate request polling { count count | interval minutes }
undo certificate request polling { count | interval }
Default
The polling is executed every 20 minutes for up to 50 times.
Default
No URL is specified for a PKI domain.
Views
PKI domain view
Default command level
2: System level
Parameters
url-string: URL of the server for certificate request, a case-insensitive string of 1 to 127 characters. It comprises the location of the server and the location of the CGI command interface script, in the format http://server_location/ca_script_location, where server_location must be an IP address; domain name resolution is not supported.
country
Use country to specify the code of the country to which an entity belongs. It is a standard 2-character code, for example, CN for China.
Use undo country to remove the configuration.
Syntax
country country-code-str
undo country
Default
No country code is specified.
Views
PKI entity view
Default command level
2: System level
Parameters
country-code-str: Country code for the entity, a 2-character case-insensitive string.
Examples
# Set the country code of an entity to CN.
Usage guidelines
CRLs are files issued by the CA to publish all certificates that have been revoked. Revocation of a certificate might occur before the certificate expires. CRL checking is intended for checking whether a certificate has been revoked. A revoked certificate is no longer trusted.
Examples
# Disable CRL checking.
Default
No CRL distribution point URL is specified.
Views
PKI domain view
Default command level
2: System level
Parameters
url-string: URL of the CRL distribution point, a case-insensitive string of 1 to 125 characters in the format ldap://server_location or http://server_location, where server_location must be an IP address or a domain name.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the local certificate.
display pki certificate local domain 1
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      10B7D4E3 00010000 0086
    Signature Algorithm: md5WithRSAEncryption
    Issuer: emailAddress=myca@aabbcc.
Field | Description
Issuer | Issuer of the certificate.
Validity | Validity period of the certificate.
Subject | Entity holding the certificate.
Subject Public Key Info | Public key information of the entity.
X509v3 extensions | Extensions of the X.509 (version 3) certificate.
X509v3 CRL Distribution Points | Distribution points of X.509 (version 3) CRLs.
Table 32 Command output
Field | Description
access-control-policy | Name of the certificate attribute-based access control policy.
rule number | Number of the access control rule.
display pki certificate attribute-group
Use display pki certificate attribute-group to display information about one or all certificate attribute groups.
Field | Description
abc | Value of attribute 1.
issuer-name | Name of the certificate issuer.
fqdn | FQDN of the entity.
nctn | Not-contain operation.
app | Value of attribute 2.
display pki crl domain
Use display pki crl domain to display the locally saved CRLs.
Syntax
display pki crl domain domain-name [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
  Revoked Certificates:
    Serial Number: 05a234448E…
      Revocation Date: Sep 6 12:33:22 2004 GMT
      CRL entry extensions:…
    Serial Number: 05a278445E…
      Revocation Date: Sep 7 12:33:22 2004 GMT
      CRL entry extensions:…
Table 34 Command output
Field | Description
Version | Version of the CRL.
Signature Algorithm | Signature algorithm used by the CRLs.
Issuer | CA issuing the CRLs.
Last Update | Last update time.
Next Update | Next update time.
CRL extensions | Extensions of the CRL.
Parameters
name-str: Fully qualified domain name (FQDN) of an entity, a case-insensitive string of 1 to 127 characters.
Usage guidelines
An FQDN is the unique identifier of an entity on a network. It consists of a host name and a domain name and can be resolved into an IP address.
Examples
# Configure the FQDN of an entity as pki.domain-name.com.
system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] fqdn pki.domain-name.
Default
No LDAP server is specified for a PKI domain.
Views
PKI domain view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address of the LDAP server, in dotted decimal format.
port-number: Specifies the port number of the LDAP server. The value range is 1 to 65535, and the default is 389.
version-number: Specifies the LDAP version number, 2 or 3. The default is 2.
Examples
# Specify an LDAP server for PKI domain 1.
organization
Use organization to configure the name of the organization to which the entity belongs.
Use undo organization to remove the configuration.
Syntax
organization org-name
undo organization
Default
No organization name is specified for an entity.
Views
PKI entity view
Default command level
2: System level
Parameters
org-name: Organization name, a case-insensitive string of 1 to 31 characters. No comma can be included.
Examples
# Configure the name of the organization unit to which an entity belongs as group1.
system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] organization-unit group1
pki certificate access-control-policy
Use pki certificate access-control-policy to create a certificate attribute-based access control policy and enter its view.
Use undo pki certificate access-control-policy to remove one or all certificate attribute-based access control policies.
Views
System view
Default command level
2: System level
Parameters
group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 16 characters. It cannot be a, al, or all.
all: Specifies all certificate attribute groups.
Examples
# Create a certificate attribute group named mygroup and enter its view.
Default
No PKI domain exists.
Views
System view
Default command level
2: System level
Parameters
domain-name: PKI domain name, a case-insensitive string of 1 to 15 characters.
Usage guidelines
You can create up to 32 PKI domains on a device.
Examples
# Create a PKI domain and enter its view.
system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1]
pki entity
Use pki entity to create a PKI entity and enter its view.
Use undo pki entity to remove a PKI entity.
pki import-certificate
Use pki import-certificate to import a CA certificate or local certificate from a file and save it locally.
Syntax
pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]
Views
System view
Default command level
2: System level
Parameters
ca: Specifies the CA certificate.
local: Specifies the local certificate.
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
der: Specifies the DER certificate format.
Views
System view
Default command level
2: System level
Parameters
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
password: Password for certificate revocation, a case-sensitive string of 1 to 31 characters.
pkcs10: Displays the BASE64-encoded PKCS#10 certificate request information, which can be used to request a certificate by out-of-band means, such as phone, disk, or email.
local: Obtains the local certificate.
domain-name: Name of the PKI domain used for certificate request.
Examples
# Obtain the CA certificate from the certificate issuing server.
system-view
[Sysname] pki retrieval-certificate ca domain 1
Related commands
pki domain
pki retrieval-crl domain
Use pki retrieval-crl domain to obtain the latest CRLs from the server for CRL distribution.
Parameters
ca: Verifies the CA certificate.
local: Verifies the local certificate.
domain-name: Name of the PKI domain to which the certificate to be verified belongs, a string of 1 to 15 characters.
Usage guidelines
Certificate validity verification checks that the certificate is signed by the CA and that the certificate has neither expired nor been revoked.
Examples
# Verify the validity of the local certificate.
# Configure a SHA1 fingerprint for verifying the validity of the CA root certificate.
[Sysname-pki-domain-1] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
rule (PKI CERT ACP view)
Use rule to create a certificate attribute access control rule.
Use undo rule to delete one or all access control rules.
Syntax
rule [ id ] { deny | permit } group-name
undo rule { id | all }
Default
No access control rule exists.
Syntax
state state-name
undo state
Default
No state or province is specified.
Views
PKI entity view
Default command level
2: System level
Parameters
state-name: State or province name, a case-insensitive string of 1 to 31 characters. No comma can be included.
Examples
# Specify the state where an entity resides.
IPsec configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. ah authentication-algorithm Use ah authentication-algorithm to specify authentication algorithms for the AH protocol. Use undo ah authentication-algorithm to restore the default.
connection-name Use connection-name to configure an IPsec connection name. This name functions only as a description of the IPsec policy. Use undo connection-name to restore the default. Syntax connection-name name undo connection-name Default No IPsec connection name is configured. Views IPsec policy view, IPsec policy template view Default command level 2: System level Parameters name: IPsec connection name, a case-insensitive string of 1 to 32 characters.
Parameters Specifies an interface card by its slot number. The following matrix shows the slot slot-number option and router compatibility: Option 6602 HSR6602 6604/6608/6616 slot slot-number No Yes Yes Examples # Enable the encryption engine. system-view [Sysname] cryptoengine enable display ipsec policy Use display ipsec policy to display information about IPsec policies.
display ipsec policy brief IPsec Policy Name Mode ACL IKE Peer Name Mapped Template -----------------------------------------------------------------------bbbbbbbbbbbbbbb-1 template aaaaaaaaaaaaaaa man-1 manual 3400 map-1 isakmp 3000 peer nat-1 isakmp 3500 nat test-1 isakmp 3200 test toccccc-1 isakmp 3003 tocccc IPsec Policy Name Mode ACL Local Address Remote Address -----------------------------------------------------------------------man-1 manual 3400 3.3.3.
synchronization inbound anti-replay-interval: 1000 packets synchronization outbound anti-replay-interval: 10000 packets IPsec sa local duration(time based): 3600 seconds IPsec sa local duration(traffic based): 1843200 kilobytes policy enable: True tfc enable: False =========================================== IPsec Policy Group: "policy_man" Interface: GigabitEthernet3/0/2 =========================================== ----------------------------------------IPsec policy name: "policy_man" sequence number: 10
IPsec policy name: "policy001" sequence number: 10 acl version: None mode: manual ----------------------------encapsulation mode: tunnel security data flow : tunnel local address: tunnel remote address: transform-set name: prop1 inbound AH setting: AH spi: AH string-key: AH authentication hex key: ****** inbound ESP setting: ESP spi: 23456 (0x5ba0) ESP string-key: ESP encryption hex key: ****** ESP authentication hex key: ****** outbound AH setting: AH spi: AH string-key: AH authentication hex key: outbou
Field Description Protocol Name of the protocol to which the IPsec policy is applied. (This field is not displayed when the IPsec policy is not applied to any routing protocol.) sequence number Sequence number of the IPsec policy. Negotiation mode of the IPsec policy: mode • • • • manual—Manual mode. isakmp—IKE negotiation mode. template—IPsec policy template mode. gdoi—GDOI mode. IPsec packet encapsulation mode: encapsulation mode • tunnel—Tunnel mode. • transport—Transport mode.
Parameters brief: Displays brief information about all IPsec policy templates. name: Displays detailed information about a specified IPsec policy template or IPsec policy template group. template-name: Name of the IPsec policy template, a string of 1 to 41 characters. seq-number: Sequence number of the IPsec policy template, in the range 1 to 10000. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
ACL’s Version: acl4 ike-peer name: per PFS: N transform-set name: testprop IPsec sa local duration(time based): 3600 seconds IPsec sa local duration(traffic based): 1843200 kilobytes Table 38 Command output Field Description IPsec packet encapsulation mode: encapsulation mode • tunnel—Tunnel mode. • transport—Transport mode. security data flow ACL referenced by the IPsec policy template. ACL version: ACL's Version • acl4—IPv4 ACL. • acl6—IPv6 ACL.
exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines If you do not specify any parameters, the command displays the configuration information of all IPsec profiles. Example # Display the configuration of all IPsec profiles.
Table 39 Command output Field Description Interface Interface that references the IPsec profile. Encapsulation mode for the IPsec profile: encapsulation mode • dvpn—DVPN tunnel mode. • tunnel—IPsec tunnel mode. ACL referenced by the IPsec profile. security data flow As an IPsec profile does not reference any ACL, no information is displayed for this field. ike-peer name IKE peer referenced by the IPsec profile. PFS Whether perfect forward secrecy is enabled. DH group Used DH group.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
PFS: N, DH group: none tunnel: local address: 2.2.2.2 remote address: 1.1.1.2 flow: sour addr: 192.168.2.0/255.255.255.0 port: 0 protocol: IP dest addr: 192.168.1.0/255.255.255.
in use setting: Transport connection id: 3 No duration limit for this sa [outbound AH SAs] spi: 0x12d683 (1234563) transform: AH-MD5HMAC96 in use setting: Transport connection id: 4 No duration limit for this sa =============================== Interface: GigabitEthernet1/0/1 path MTU: 1500 =============================== ----------------------------IPsec policy name: "r2" sequence number: 1 mode: gdoi ----------------------------PFS: N, DH group: none tunnel: local address: 2.2.2.2 remote address: 0.0.0.
spi: 0x2FC8FD45(801701189) transfrom: ESP-ENCRYPT-DES ESP-AUTH-MD5 in use setting: Tunnel connection id: 7 sa duration (kilobytes/sec): 4294967295/604800 sa remaining duration (kilobytes/sec): 1843200/2686 anti-replay detection: Disabled udp encapsulation used for nat traversal: N/A status: active spi: 0xBC1D46C4(3156035268) transfrom: ESP-ENCRYPT-DES ESP-AUTH-MD5 in use setting: Tunnel connection id: 8 sa duration (kilobytes/sec): 4294967295/604800 sa remaining duration (kilobytes/sec): 1843200/2686 anti-
Field Description spi Security parameter index. transform Security protocol and algorithms used by the IPsec transform set. in use setting IPsec SA attribute setting: transport or tunnel. connection id IPsec tunnel identifier. sa duration Lifetime of the IPsec SA. sa remaining duration Remaining lifetime of the SA. anti-replay detection Whether IPsec anti-replay detection is enabled. anti-replay window size(time based) Anti-replay window size (time-based), in seconds.
Examples # Display statistics for all IPsec packets. display ipsec statistics the security packet statistics: input/output security packets: 47/62 input/output security bytes: 3948/5208 input/output dropped security packets: 0/45 dropped security packet detail: not enough memory: 0 can't find SA: 45 queue is full: 0 authentication has failed: 0 wrong length: 0 replay packet: 0 packet too long: 0 wrong SA: 0 decrypt/encrypt failed: 0 # Display IPsec packet statistics for Tunnel 3.
Field Description can't find SA Number of packets dropped due to finding no security association. queue is full Number of packets dropped due to full queues. authentication has failed Number of packets dropped due to authentication failure. wrong length Number of packets dropped due to wrong packet length. replay packet Number of packets replayed. packet too long Number of packets dropped due to excessive packet length. wrong SA Number of packets dropped due to improper SA.
ESN : disable ESN scheme: NO transform: esp-new ESP protocol: Integrity: md5-hmac-96 Encryption: des IPsec transform-set name: tran2 encapsulation mode: transport transform: esp-new ESP protocol: Integrity: md5-hmac-96 Encryption: des Table 43 Command output Field Description IPsec transform-set name Name of the IPsec transform set. encapsulation mode Encapsulation mode used by the IPsec transform set, transport or tunnel.
Examples # Display information about IPsec tunnels. display ipsec tunnel total tunnel : 2 -----------------------------------------------connection id: 3 perfect forward secrecy: SA's SPI: inbound: 187199087 (0xb286e6f) [ESP] outbound: 3562274487 (0xd453feb7) [ESP] tunnel: local address: 44.44.44.44 remote address : 44.44.44.55 flow: sour addr : 44.44.44.0/255.255.255.0 port: 0 protocol : IP dest addr : 44.44.44.0/255.255.255.
Field Description tunnel Local and remote addresses of the tunnel. flow Data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port and protocol. as defined in acl 3001 The IPsec tunnel protects all data flows defined by ACL 3001. encapsulation-mode Use encapsulation-mode to set the encapsulation mode that the security protocol uses to encapsulate IP packets. Use undo encapsulation-mode to restore the default.
Syntax
esp authentication-algorithm { md5 | sha1 }
undo esp authentication-algorithm
Default
In FIPS mode, ESP uses the SHA-1 authentication algorithm. In non-FIPS mode, ESP uses no authentication algorithm. ESP encryption without an integrity algorithm leaves the ciphertext unauthenticated, so configure an authentication algorithm explicitly in non-FIPS mode.
Views
IPsec transform set view
Default command level
2: System level
Parameters
md5: Uses the MD5 algorithm, which uses a 128-bit key. This keyword is not supported in FIPS mode.
sha1: Uses the SHA-1 algorithm, which uses a 160-bit key.
In non-FIPS mode, ESP uses no encryption algorithm.
Views
IPsec transform set view
Default command level
2: System level
Parameters
3des: Uses the triple Data Encryption Standard (3DES) in CBC mode, which uses a 168-bit key. This keyword is not supported in FIPS mode.
aes-cbc-128: Uses the Advanced Encryption Standard (AES) in CBC mode with a 128-bit key.
aes-cbc-192: Uses AES in CBC mode with a 192-bit key.
aes-cbc-256: Uses AES in CBC mode with a 256-bit key.
Views
IPsec policy view, IPsec policy template view, IPsec profile view
Default command level
2: System level
Parameters
peer-name: IKE peer name, a string of 1 to 32 characters.
Examples
# Configure a reference to an IKE peer in an IPsec policy.
system-view
[Sysname] ipsec policy policy1 10 isakmp
[Sysname-ipsec-policy-isakmp-policy1-10] ike-peer peer1
# Configure a reference to an IKE peer in an IPsec profile.
Use undo ipsec anti-replay window to restore the default.
Syntax
ipsec anti-replay window width
undo ipsec anti-replay window
Default
The size of the anti-replay window is 32.
Views
System view
Default command level
2: System level
Parameters
width: Size of the anti-replay window. It can be 32, 64, 128, 256, 512, or 1024.
Usage guidelines
Your configuration affects only IPsec SAs negotiated later. A wider window tolerates more packet reordering (for example, from QoS queuing on the path) before legitimate packets are dropped as replays; duplicates inside the window are still rejected.
Examples
# Set the size of the anti-replay window to 64.
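To see what the window width actually changes, here is an added example (not code from the HP manual) of the sliding-window check an IPsec receiver performs, in the RFC 4303 style: a bitmap of the last width sequence numbers below the highest accepted one. The accepted widths are the ones listed for the command; the verdict strings and the simulate helper are the example's own.

```python
"""Sliding anti-replay window as used for IPsec SAs (RFC 4303 style).

Added example, not from the HP manual. It models what the 'ipsec anti-replay
window' width buys you: a window of W sequence numbers below the highest seen,
with a bitmap recording which of those were already accepted.
"""

VALID_WIDTHS = (32, 64, 128, 256, 512, 1024)   # widths the command accepts

class AntiReplayWindow:
    def __init__(self, width=32):
        if width not in VALID_WIDTHS:
            raise ValueError(f"width must be one of {VALID_WIDTHS}")
        self.width = width
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) was accepted

    def check_and_update(self, seq):
        """Return 'accept', 'replay' or 'stale' for sequence number seq.

        Accepting also updates the window, as the receiver does once the
        packet has passed integrity verification.
        """
        if seq == 0:
            return "replay"   # ESP sequence numbers start at 1
        if seq > self.top:
            shift = seq - self.top
            # Slide the window up; bits that fall off the bottom are forgotten.
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.width) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.width:
            return "stale"    # below the window: counted as a replay drop
        if self.bitmap & (1 << offset):
            return "replay"   # already seen inside the window
        self.bitmap |= (1 << offset)
        return "accept"

def simulate(width, sequence):
    """Feed a list of sequence numbers through one window; return the verdicts."""
    win = AntiReplayWindow(width)
    return [win.check_and_update(s) for s in sequence]

if __name__ == "__main__":
    # A packet reordered 35 positions late is dropped at width 32, accepted at 64.
    print(simulate(32, [1, 40, 5, 20]))
    print(simulate(64, [1, 40, 5, 20]))
```

The second run in the usage shows the operational trade-off named in the guideline: a packet that arrives 35 sequence numbers late is a "stale" drop with the default width of 32 and an accept with 64, while a genuine duplicate is rejected at any width.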
ipsec fragmentation before-encryption
Use ipsec fragmentation before-encryption enable to enable IPsec packet fragmentation before encryption.
Use undo ipsec fragmentation before-encryption enable to enable IPsec packet fragmentation after encryption.
Syntax
ipsec fragmentation before-encryption enable
undo ipsec fragmentation before-encryption enable
Default
IPsec packet fragmentation before encryption is enabled.
Default
Invalid SPI recovery is disabled. The receiver discards IPsec packets with invalid SPIs.
Views
System view
Default command level
2: System level
Usage guidelines
Invalid SPI recovery enables an IPsec security gateway to send an INVALID SPI NOTIFY message to its peer when it receives an IPsec packet but cannot find any SA with the specified SPI. When the peer receives the message, it deletes the SAs on its side. Then, subsequent traffic triggers the two peers to establish new SAs.
Examples
# Apply IPsec policy group pg1 to interface Serial 2/1/2.
system-view
[Sysname] interface serial 2/1/2
[Sysname-Serial2/1/2] ipsec policy pg1
Related commands
ipsec policy (system view)
ipsec policy (system view)
Use ipsec policy to create an IPsec policy and enter its view.
Use undo ipsec policy to delete the specified IPsec policies.
Syntax
ipsec policy policy-name seq-number [ gdoi | isakmp | manual ]
undo ipsec policy policy-name [ seq-number ]
Default
No IPsec policy exists.
Examples
# Create an IPsec policy with the name policy1 and sequence number 100, and specify that SAs are set up through IKE negotiation.
system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100]
# Create an IPsec policy with the name policy1 and specify the manual mode for it.
• ipsec policy-template
Examples
# Create an IPsec policy with the name policy2 and sequence number 200 by referencing IPsec policy template temp1.
system-view
[Sysname] ipsec policy policy2 200 isakmp template temp1
ipsec policy-template
Use ipsec policy-template to create an IPsec policy template and enter IPsec policy template view.
Use undo ipsec policy-template to delete the specified IPsec policy templates.
Use undo ipsec profile to delete an IPsec profile.
Syntax
ipsec profile profile-name
undo ipsec profile profile-name
Default
No IPsec profile exists.
Views
System view
Default command level
2: System level
Parameters
profile-name: Name for the IPsec profile, a case-insensitive string of 1 to 15 characters.
Usage guidelines
IPsec profiles can be applied only to DVPN interfaces and IPsec tunnel interfaces.
Examples
# Create IPsec profile profile1 and enter its view.
Parameters
profile-name: Name of the IPsec profile, a case-insensitive string of 1 to 15 characters.
Usage guidelines
Only one IPsec profile can be applied to a tunnel interface. To apply another IPsec profile to the tunnel interface, remove the original application first.
An IPsec profile cannot be applied to a DVPN tunnel interface and an IPsec tunnel interface simultaneously.
Examples
# Apply IPsec profile vtiprofile to the IPsec tunnel interface.
Usage guidelines
When negotiating to set up an SA, IKE prefers the lifetime of the IPsec policy or IPsec profile that it uses. If the IPsec policy is not configured with its own lifetime, IKE uses the global SA lifetime.
When negotiating to set up an SA, IKE uses the shorter of the local lifetime and the lifetime proposed by the remote end.
You can configure both a time-based and a traffic-based global SA lifetime. Whichever limit is reached first causes the SA to be renegotiated.
pfs
Use pfs to enable and configure the perfect forward secrecy (PFS) feature so that the system uses the feature when employing the IPsec policy or IPsec profile to initiate a negotiation.
Use undo pfs to remove the configuration.
Syntax
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
undo pfs
Default
The PFS feature is not used for negotiation. Without PFS, IPsec SA keys are derived from the IKE SA keying material, so a later compromise of that material exposes the data keys; with PFS, each IPsec SA rekey performs a fresh DH exchange in the selected group.
policy enable
Use policy enable to enable the IPsec policy.
Use undo policy enable to disable the IPsec policy.
Syntax
policy enable
undo policy enable
Default
The IPsec policy is enabled.
Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Usage guidelines
The command is not applicable to manual IPsec policies. If the IPsec policy is not enabled, the IKE peer it references cannot take part in IKE negotiation.
Usage guidelines
With the packet information pre-extraction feature enabled, QoS classifies a packet based on the header of the original IP packet, that is, the header of the IP packet before IPsec encapsulation.
Examples
# Enable packet information pre-extraction.
IPsec SAs appear in pairs. If you specify parameters to clear an IPsec SA, the IPsec SA in the other direction is also cleared automatically. If you do not specify any parameter, the command clears all IPsec SAs.
Examples
# Clear all IPsec SAs.
reset ipsec sa
# Clear the IPsec SA with a remote IP address of 10.1.1.2.
reset ipsec sa remote 10.1.1.2
# Clear all IPsec SAs of IPsec policy template policy1.
Syntax
reverse-route [ remote-peer ip-address [ gateway | static ] | static ]
undo reverse-route
Default
IPsec RRI is disabled.
Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Parameters
static: Enables static IPsec Reverse Route Injection (RRI). Static IPsec RRI creates static routes based on the ACL that the IPsec policy references. This keyword is available only in IPsec policy view.
Table 45 Possible IPsec RRI configurations and the generated routing information
Command: reverse-route static
  IPsec RRI mode: Static
  Route destination: Destination IP address specified in a permit rule of the ACL that is referenced by the IPsec policy.
  Next hop address:
    • Manual IPsec policy: Peer tunnel address set with the tunnel remote command.
    • IPsec policy that uses IKE: The remote address identified by the ip-address argument.
[Sysname-ipsec-policy-isakmp-1-1] security acl 3000
[Sysname-ipsec-policy-isakmp-1-1] transform-set tran1
[Sysname-ipsec-policy-isakmp-1-1] ike-peer 1
[Sysname-ipsec-policy-isakmp-1-1] reverse-route static
[Sysname-ipsec-policy-isakmp-1-1] quit
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] ipsec policy 1
[Sysname-GigabitEthernet3/0/1] quit
# Display the routing table. You can see that IPsec RRI has created the static route. (Other routes are not shown.)
# Configure dynamic IPsec RRI to create two static routes based on an IPsec SA: one to the peer private network 3.0.0.0/24 via the remote tunnel endpoint 1.1.1.2, and the other to the remote tunnel endpoint via 1.1.1.3.
[Sysname] ipsec policy 1 1 isakmp
[Sysname-ipsec-policy-isakmp-1-1] reverse-route remote-peer 1.1.1.3 gateway
# Display the routing table. The expected routes appear in the routing table after the IPsec SA negotiation succeeds. (Other routes are not shown.)
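The two examples above show what RRI installs but not the rule behind it. The Python below is an added example, not code from the HP manual or the router: it models the route derivation described by Table 45 and the two examples. Static mode walks the permit rules of the referenced ACL and routes each rule's destination to the peer tunnel address; dynamic mode with the gateway keyword routes the remote flow of the negotiated SA via the remote tunnel endpoint and adds a host route to that endpoint via the configured ip-address. The ACL rule tuple layout is the example's own representation, and the next hop for the static case is passed in explicitly because this page does not spell out how it is resolved for every policy type.

```python
"""Derive the routes IPsec RRI installs, in the two modes described above.

Added example, not from the HP manual. Static mode walks the permit rules of
the referenced ACL; dynamic mode (reverse-route remote-peer ip-address gateway)
uses the remote flow of a negotiated IPsec SA. The next hop for static mode
is passed in by the caller (an assumption: the page shows it as the peer
tunnel address for manual policies).
"""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    destination: str   # CIDR prefix
    next_hop: str
    tag: int = 0       # reverse-route tag value; 0 is the documented default

def _prefix(addr, wildcard):
    """Convert a Comware 'addr wildcard' pair to a CIDR prefix."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    mask_str = str(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Network(f"{addr}/{mask_str}", strict=False))

def static_rri_routes(acl_rules, peer_tunnel_address, tag=0):
    """Static RRI: one route per ACL permit rule, to the rule's destination.

    acl_rules: list of (action, src_addr, src_wildcard, dst_addr, dst_wildcard),
               a constructed representation of the ACL's rules.
    peer_tunnel_address: the next hop (tunnel remote for a manual policy).
    """
    routes = []
    for action, _src, _src_wc, dst, dst_wc in acl_rules:
        if action != "permit":
            continue            # deny rules define no protected flow
        routes.append(Route(_prefix(dst, dst_wc), peer_tunnel_address, tag))
    return routes

def dynamic_rri_routes(sa_remote_flow, remote_tunnel_endpoint, gateway=None, tag=0):
    """Dynamic RRI from a negotiated SA's remote flow (CIDR string).

    With the gateway keyword a second route, to the remote tunnel endpoint via
    the configured ip-address, is created, as in the example above.
    """
    routes = [Route(sa_remote_flow, remote_tunnel_endpoint, tag)]
    if gateway is not None:
        routes.append(Route(f"{remote_tunnel_endpoint}/32", gateway, tag))
    return routes

if __name__ == "__main__":
    # Constructed ACL 3000: protect 1.0.0.0/24 <-> 3.0.0.0/24, deny the rest.
    acl_3000 = [
        ("permit", "1.0.0.0", "0.0.0.255", "3.0.0.0", "0.0.0.255"),
        ("deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
    ]
    print(static_rri_routes(acl_3000, "1.1.1.2"))
    print(dynamic_rri_routes("3.0.0.0/24", "1.1.1.2", gateway="1.1.1.3"))
```

Because static RRI is driven by the ACL rather than by a live SA, a permit rule that is broader than the peer's real network silently black-holes that range through the tunnel interface; the route set returned here is a quick way to review what a proposed ACL would inject before applying it.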
Related commands
reverse-route
reverse-route tag
Use reverse-route tag to set a route tag for the static routes created by IPsec RRI. The tag helps implement flexible route control through routing policies.
Use undo reverse-route tag to restore the default.
Syntax
reverse-route tag tag-value
undo reverse-route tag
Default
The tag value is 0 for the static routes created by IPsec RRI.
undo sa authentication-hex { inbound | outbound } { ah | esp }
Views
IPsec policy view
Default command level
2: System level
Parameters
inbound: Specifies the inbound SA, through which IPsec processes received packets.
outbound: Specifies the outbound SA, through which IPsec processes packets to be sent.
ah: Uses AH.
esp: Uses ESP.
cipher: Sets a ciphertext authentication key.
simple: Sets a plaintext authentication key.
hex-key: Specifies the key string.
sa duration
Use sa duration to set an SA lifetime for the IPsec policy or IPsec profile.
Use undo sa duration to restore the default.
Syntax
sa duration { time-based seconds | traffic-based kilobytes }
undo sa duration { time-based | traffic-based }
Default
The SA lifetime of an IPsec policy or an IPsec profile equals the current global SA lifetime. The time-based global SA lifetime is 3600 seconds, and the traffic-based global SA lifetime is 1843200 kilobytes.
[Sysname] ipsec profile profile1
[Sysname-ipsec-profile-profile1] sa duration time-based 7200
# Set the SA lifetime for IPsec profile profile1 to 20480 kilobytes (20 Mbytes).
system-view
[Sysname] ipsec profile profile1
[Sysname-ipsec-profile-profile1] sa duration traffic-based 20480
sa encryption-hex
Use sa encryption-hex to configure an encryption key for an SA.
Use undo sa encryption-hex to remove the configuration.
At each end of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format (both in hexadecimal format or both in string format), and the keys must be specified in the same format at both ends of the tunnel.
Examples
# Configure the encryption keys for the inbound and outbound SAs that use ESP as 0x1234567890abcdef and 0xabcdefabcdef1234 in plain text.
• Within a certain network scope, each router must use the same SPI and keys for its inbound and outbound SAs, and all routers must use the same SPI and keys. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a neighbor group.
Examples
# Set the SPI for the inbound SA to 10000 and that for the outbound SA to 20000 in a manual IPsec policy.
Usage guidelines
This command applies only to manual IPsec policies. This command is not available in FIPS mode.
When configuring a manual IPsec policy, you must set parameters for both inbound and outbound SAs. The local inbound SA must use the same SPI and keys as the remote outbound SA, and the local outbound SA must use the same SPI and keys as the remote inbound SA. Enter keys in the same format for the local and remote inbound and outbound SAs.
Manually keyed SAs are never rekeyed automatically: the same key protects all traffic until you change it, so rotate manual keys on a schedule and prefer IKE-negotiated SAs where the peer supports them.
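Mismatched manual SAs fail silently (the receiver just counts "can't find SA" or "authentication has failed" drops), so it pays to check the two configurations against each other before applying them. The following Python is an added example, not code from the HP manual: it parses the sa spi and sa authentication-hex line forms documented on these pages (the exact sa spi line layout is assumed from the example above) for a constructed pair of manual policies and reports every cross-peer mismatch the usage guidelines describe.

```python
"""Check that the manual SAs configured on two IPsec peers match.

Added example, not from the HP manual. It encodes the guidelines above: each
end must configure both the inbound and the outbound SA, the local inbound SA
must carry the same SPI and key as the remote outbound SA (and vice versa), and
keys must be entered in the same format at both ends. The policy texts below
are constructed for the example.
"""

# Constructed manual policies, one per peer, as they would appear in the config.
LOCAL_POLICY = """\
sa spi inbound esp 10000
sa authentication-hex inbound esp simple 0x1234567890abcdef
sa spi outbound esp 20000
sa authentication-hex outbound esp simple 0xabcdefabcdef1234
"""
# Deliberate typo on the remote side: outbound SPI 10001 instead of 10000.
REMOTE_POLICY = """\
sa spi inbound esp 20000
sa authentication-hex inbound esp simple 0xabcdefabcdef1234
sa spi outbound esp 10001
sa authentication-hex outbound esp simple 0x1234567890abcdef
"""

def parse_manual_sas(text):
    """Return {direction: {'spi': int, 'proto': str, 'key': str, 'format': str}}."""
    sas = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "sa":
            continue
        sa = sas.setdefault(tok[2], {})      # tok[2] is inbound | outbound
        sa["proto"] = tok[3]                 # ah | esp
        if tok[1] == "spi":
            sa["spi"] = int(tok[4])
        elif tok[1] == "authentication-hex":
            sa["key"] = tok[-1]              # optional cipher|simple precedes the key
            sa["format"] = "hex"

    return sas

def _local_errors(name, sas):
    """Problems within one peer's policy: both directions fully specified."""
    errs = []
    for direction in ("inbound", "outbound"):
        sa = sas.get(direction, {})
        for field in ("spi", "key"):
            if field not in sa:
                errs.append(f"{name}: {direction} SA has no {field}")
    return errs

def check_peer_pair(local_text, remote_text):
    """Return a list of mismatches; an empty list means the SAs line up."""
    local, remote = parse_manual_sas(local_text), parse_manual_sas(remote_text)
    errs = _local_errors("local", local) + _local_errors("remote", remote)
    if errs:
        return errs
    # Local inbound pairs with remote outbound, and vice versa.
    for here, there in (("inbound", "outbound"), ("outbound", "inbound")):
        a, b = local[here], remote[there]
        if a["proto"] != b["proto"]:
            errs.append(f"local {here}/remote {there}: protocol differs")
        if a["spi"] != b["spi"]:
            errs.append(f"local {here} SPI {a['spi']} != remote {there} SPI {b['spi']}")
        if a["format"] != b["format"]:
            errs.append(f"local {here}/remote {there}: key formats differ")
        elif a["key"] != b["key"]:
            errs.append(f"local {here}/remote {there}: authentication keys differ")
    return errs

if __name__ == "__main__":
    for problem in check_peer_pair(LOCAL_POLICY, REMOTE_POLICY):
        print(problem)
```

Only the authentication key lines are parsed; extending the same loop to sa encryption-hex is a one-line change, and a real audit would also compare the two ends' tunnel local and tunnel remote addresses.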
Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Parameters
ipv6: Specifies an IPv6 ACL.
acl-number: Number of the ACL for the IPsec policy to reference, in the range 3000 to 3999.
aggregation: Uses the aggregation data flow protection mode. If you do not specify this keyword, the standard mode is used. This protection mode is not available for IPv6 data flows.
transform
Use transform to specify a security protocol for an IPsec transform set.
Use undo transform to restore the default.
Syntax
transform { ah | ah-esp | esp }
undo transform
Default
The ESP protocol is used.
Views
IPsec transform set view
Default command level
2: System level
Parameters
ah: Uses the AH protocol.
ah-esp: Uses ESP first and then AH.
esp: Uses the ESP protocol.
Usage guidelines
The IPsec transform sets at the two ends of an IPsec tunnel must use the same security protocol. AH authenticates the outer IP header, so AH and AH-ESP packets cannot pass through a NAT device; use ESP where NAT traversal is required.
Views
IPsec policy view, IPsec policy template view, IPsec profile view
Default command level
2: System level
Parameters
transform-set-name&<1-6>: Name of the IPsec transform set, a string of 1 to 32 characters. &<1-6> means that you can specify up to six transform sets, separated by spaces.
Usage guidelines
The specified IPsec transform sets must already exist. A manual IPsec policy can reference only one IPsec transform set.
Default
No local address is configured for an IPsec tunnel.
Views
IPsec policy view
Default command level
2: System level
Parameters
ipv6: Specifies an IPv6 address.
ip-address: Local address for the IPsec tunnel.
Usage guidelines
This command applies only to manual IPsec policies. If no local address is configured, the address of the interface to which the IPsec policy is applied is used.
Examples
# Set the local address of the IPsec tunnel to the address of Loopback 0, 10.0.0.1.
ip-address: Remote address for the IPsec tunnel.
Usage guidelines
This command applies only to manual IPsec policies. If you execute this command multiple times, the most recent configuration takes effect.
An IPsec tunnel is established between the local and remote ends. The remote IP address configured at the local end must be the same as the local IP address configured at the remote end.
Examples
# Set the remote address of the IPsec tunnel to 10.1.1.2.
IKE configuration commands
authentication-algorithm
Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.
Use undo authentication-algorithm to restore the default.
Syntax
authentication-algorithm { md5 | sha }
undo authentication-algorithm
Default
An IKE proposal uses the SHA-1 authentication algorithm.
Views
IKE proposal view
Default command level
2: System level
Parameters
md5: Uses HMAC-MD5. This keyword is not supported in FIPS mode.
sha: Uses HMAC-SHA-1.
Views
IKE proposal view
Default command level
2: System level
Parameters
pre-share: Uses the pre-shared key method.
rsa-signature: Uses the RSA digital signature method.
Examples
# Specify that IKE proposal 10 uses the pre-shared key authentication method.
dh
Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal.
Use undo dh to restore the default.
Syntax
dh { group1 | group2 | group5 | group14 }
undo dh
Default
In FIPS mode, group2 (1024-bit Diffie-Hellman group) is used. In non-FIPS mode, group1 (768-bit Diffie-Hellman group) is used. Both defaults are weak by current standards; configure group14 (2048-bit) wherever the peer supports it.
Views
IKE proposal view
Default command level
2: System level
Parameters
group1: Uses the 768-bit Diffie-Hellman group for key negotiation in phase 1.
Parameters
dpd-name: DPD name, a string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Syntax
display ike proposal [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
• dh
• sa duration
display ike sa
Use display ike sa to display information about the current IKE SAs.
Syntax
display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address ] ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
verbose: Displays detailed information.
connection-id connection-id: Displays detailed information about IKE SAs by connection ID, in the range 1 to 2000000000.
Table 49 Command output
Field             Description
total phase-1 SAs Total number of SAs for phase 1.
connection-id     Identifier of the ISAKMP SA.
peer              Remote IP address of the SA.
flag              Status of the SA:
                  • RD (READY): The SA has been established.
                  • ST (STAYALIVE): This end is the initiator of the tunnel negotiation.
                  • RL (REPLACED): The tunnel has been replaced by a new one and will be deleted later.
                  • FD (FADING): The soft lifetime is over but the tunnel is still in use.
  remaining key duration(sec): 86379
  exchange-mode: MAIN
  diffie-hellman group: GROUP1
  nat traversal: NO
# Display detailed information about the IKE SA with the connection ID of 2.
display ike sa verbose connection-id 2
  ---------------------------------------------
  vpn-instance: 1
  transmitting entity: initiator
  ---------------------------------------------
  local id type: IPV4_ADDR
  local id: 4.4.4.4
  remote id type: IPV4_ADDR
  remote id: 4.4.4.5
  local ip: 4.4.4.4
  remote ip: 4.4.4.
  authentication-algorithm: HASH-SHA1
  encryption-algorithm: DES-CBC
  life duration(sec): 86400
  remaining key duration(sec): 82236
  exchange-mode: MAIN
  diffie-hellman group: GROUP1
  nat traversal: NO
Table 50 Command output
Field                Description
vpn-instance         MPLS L3VPN that the protected data belongs to.
transmitting entity  Entity in the IKE negotiation.
local id type        Identifier type of the local gateway.
local id             Identifier of the local gateway.
remote id type       Identifier type of the remote gateway.
Default
No DPD detector is applied to an IKE peer.
Views
IKE peer view
Default command level
2: System level
Parameters
dpd-name: DPD detector name, a string of 1 to 32 characters.
Examples
# Apply dpd1 to IKE peer peer1.
system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] dpd dpd1
encryption-algorithm
Use encryption-algorithm to specify an encryption algorithm for an IKE proposal.
Use undo encryption-algorithm to restore the default.
system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10] encryption-algorithm des-cbc
Related commands
• ike proposal
• display ike proposal
exchange-mode
Use exchange-mode to select an IKE negotiation mode.
Use undo exchange-mode to restore the default.
Syntax
exchange-mode { aggressive | main }
undo exchange-mode
Default
Main mode is used.
Views
IKE peer view
Default command level
2: System level
Parameters
aggressive: Aggressive mode. This keyword is not available in FIPS mode. With pre-shared key authentication, aggressive mode sends the identity and a hash derived from the key before the exchange is encrypted, which exposes the key to offline guessing; use main mode unless the peer's address is dynamic and its identity must be carried by name.
Syntax
id-type { ip | name | user-fqdn }
undo id-type
Default
The ID type is IP address.
Views
IKE peer view
Default command level
2: System level
Parameters
ip: Uses an IP address as the ID during IKE negotiation.
name: Uses a name of the Fully Qualified Domain Name (FQDN) type as the ID during IKE negotiation.
user-fqdn: Uses a name of the user FQDN type as the ID during IKE negotiation.
Usage guidelines
In main mode, only the IP address ID type can be used in IKE negotiation and SA creation.
Views
System view
Default command level
2: System level
Parameters
dpd-name: Name for the DPD detector, a string of 1 to 32 characters.
Usage guidelines
DPD detects dead IKE peers on demand rather than at fixed intervals. It works as follows:
1. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.
2. If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.
3.
Parameters
name: Name of the local security gateway for IKE negotiation, a case-sensitive string of 1 to 32 characters.
Usage guidelines
If you configure the id-type name or id-type user-fqdn command on the initiator, the initiator uses its security gateway name as its ID to initiate IKE negotiation, and you must configure the ike local-name command in system view or the local-name command in IKE peer view on the local device.
ike peer (system view)
Use ike peer to create an IKE peer and enter IKE peer view.
Use undo ike peer to delete an IKE peer.
Syntax
ike peer peer-name
undo ike peer peer-name
Views
System view
Default command level
2: System level
Parameters
peer-name: IKE peer name, a string of 1 to 32 characters.
Examples
# Create an IKE peer named peer1 and enter IKE peer view.
Setting                   Non-FIPS mode    FIPS mode
Authentication algorithm  HMAC-SHA1        SHA
Authentication method     Pre-shared key   Pre-shared key
DH group                  MODP_768         MODP_1024
SA lifetime               86400 seconds    86400 seconds
Examples
# Create IKE proposal 10 and enter IKE proposal view.
system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10]
Related commands
display ike proposal
ike sa keepalive-timer interval
Use ike sa keepalive-timer interval to set the ISAKMP SA keepalive interval.
ike sa keepalive-timer timeout
Use ike sa keepalive-timer timeout to set the ISAKMP SA keepalive timeout.
Use undo ike sa keepalive-timer timeout to disable the function.
Syntax
ike sa keepalive-timer timeout seconds
undo ike sa keepalive-timer timeout
Default
No keepalive packet is sent.
Views
System view
Default command level
2: System level
Parameters
seconds: ISAKMP SA keepalive timeout in seconds, in the range 20 to 28,800.
Default command level
2: System level
Parameters
seconds: NAT keepalive interval in seconds, in the range 5 to 300.
Examples
# Set the NAT keepalive interval to 5 seconds.
system-view
[Sysname] ike sa nat-keepalive-timer interval 5
interval-time
Use interval-time to set the DPD query triggering interval for a DPD detector.
Use undo interval-time to restore the default.
Syntax
interval-time interval-time
undo interval-time
Default
The DPD interval is 10 seconds.
Default
The subnet type is single.
Views
IKE peer view
Default command level
2: System level
Parameters
multi-subnet: Sets the subnet type to multiple.
single-subnet: Sets the subnet type to single.
Usage guidelines
Use this command to enable interoperability with a NetScreen device.
Examples
# Set the subnet type of the local security gateway to multiple.
[Sysname-ike-peer-xhy] local-address 1.1.1.1
local-name
Use local-name to configure a name for the local security gateway to be used in IKE negotiation.
Use undo local-name to restore the default.
Syntax
local-name name
undo local-name
Default
The device name is used as the name of the local security gateway.
Views
IKE peer view
Default command level
2: System level
Parameters
name: Name for the local security gateway to be used in IKE negotiation, a case-sensitive string of 1 to 32 characters.
Syntax
nat traversal
undo nat traversal
Default
The NAT traversal function is disabled.
Views
IKE peer view
Default command level
2: System level
Examples
# Enable the NAT traversal function for IKE peer peer1.
system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] nat traversal
peer
Use peer to set the subnet type of the peer security gateway for IKE negotiation.
Use undo peer to restore the default.
pre-shared-key
Use pre-shared-key to configure the pre-shared key to be used in IKE negotiation.
Use undo pre-shared-key to remove the configuration.
Syntax
pre-shared-key [ cipher | simple ] key
undo pre-shared-key
Views
IKE peer view
Default command level
2: System level
Parameters
cipher: Sets a ciphertext pre-shared key.
simple: Sets a plaintext pre-shared key. A key entered this way is readable by anyone who can view the configuration; prefer cipher, and use a long random key, because the key authenticates every tunnel that references this peer.
key: Specifies the key string. This argument is case sensitive.
Views
IKE peer view
Default command level
2: System level
Parameters
proposal-number&<1-6>: Sequence number of the IKE proposal for the IKE peer to reference, in the range 1 to 65535. &<1-6> means that you can specify the proposal-number argument up to six times. An IKE proposal with a smaller sequence number has a higher priority.
Usage guidelines
In IKE negotiation phase 1, the local end uses the IKE proposals specified for it, if any. An IKE peer can reference up to six IKE proposals.
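The IKE proposal, IKE peer and IPsec transform set commands on the preceding pages each carry their own FIPS restriction, and a proposal referenced by a peer may have been created long before the peer. The following Python is an added example, not code from the HP manual: it walks a Comware-style configuration (the sample is constructed for the example) and reports, per proposal, peer and transform set, the settings this reference marks as unavailable in FIPS mode (md5, 3des, aggressive mode) together with a second list of weak choices (768-bit DH, DES, MD5, aggressive mode with pre-shared keys, plaintext keys) that is general cryptographic judgement rather than a statement of the manual. The context regular expression and the finding strings are the example's own.

```python
"""Audit IKE/IPsec settings in a Comware-style config for FIPS-incompatible and
weak choices.

Added example, not from the HP manual. NOT_IN_FIPS encodes what this command
reference states; WEAK is general hardening advice, not the manual's text.
The sample configuration is constructed for the example.
"""
import re

SAMPLE_CONFIG = """\
ike proposal 10
 encryption-algorithm des-cbc
 authentication-algorithm md5
 dh group1
ike peer peer1
 exchange-mode aggressive
 pre-shared-key simple hunter2
 proposal 10
ipsec transform-set tran1
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
ipsec transform-set tran2
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-cbc-256
"""

# keyword -> reason, for settings the manual marks as unavailable in FIPS mode
NOT_IN_FIPS = {
    "md5": "MD5/HMAC-MD5 is not supported in FIPS mode",
    "3des": "3DES is not supported in FIPS mode",
    "aggressive": "aggressive mode is not available in FIPS mode",
}
# keyword -> reason, general hardening advice (not from the manual)
WEAK = {
    "group1": "768-bit MODP group offers inadequate strength; use group14",
    "des-cbc": "single DES is breakable by brute force",
    "3des": "3DES has a 64-bit block and is deprecated; prefer AES",
    "md5": "MD5-based integrity is deprecated; use SHA",
    "aggressive": "aggressive mode with a pre-shared key exposes the key hash to offline guessing",
}

CONTEXT_RE = re.compile(r"^(ike proposal|ike peer|ipsec transform-set|ipsec policy) (\S+)")

def audit_config(text, fips=False):
    """Return a list of (context, line, reason) findings."""
    findings = []
    context = "(global)"
    for raw in text.splitlines():
        line = raw.strip()
        m = CONTEXT_RE.match(line)
        if m:
            context = f"{m.group(1)} {m.group(2)}"   # entering a new view
            continue
        tokens = line.split()
        if not tokens:
            continue
        # A key entered with 'simple' is kept in plaintext (see pre-shared-key above).
        if tokens[0] == "pre-shared-key" and "simple" in tokens[1:-1]:
            findings.append((context, line, "pre-shared key stored in plaintext (simple)"))
        for kw in tokens[1:]:
            if fips and kw in NOT_IN_FIPS:
                findings.append((context, line, NOT_IN_FIPS[kw]))
            if kw in WEAK:
                findings.append((context, line, WEAK[kw]))
    return findings

def contexts_with_findings(findings):
    """Distinct proposals/peers/transform sets that need attention, sorted."""
    return sorted({ctx for ctx, _, _ in findings})

if __name__ == "__main__":
    for ctx, line, reason in audit_config(SAMPLE_CONFIG, fips=True):
        print(f"{ctx:28} {line:40} {reason}")
```

Run against a saved configuration (display current-configuration output) the audit gives you the list of views to revisit before switching the router into FIPS mode, and the WEAK findings are what to fix even if FIPS mode is never enabled; tran2 in the sample produces no findings and is the shape to copy.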
low-ip-address: IP address of the IPsec remote security gateway. It is the lowest address in the address range if you want to specify a range of addresses.
high-ip-address: Highest address in the address range if you want to specify a range of addresses.
Usage guidelines
If you configure the id-type name or id-type user-fqdn command on the initiator, the initiator sends its security gateway name as its ID for IKE negotiation, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator. Make sure the local gateway name matches the remote gateway name configured on the peer.
display ike sa
  total phase-1 SAs: 1
  connection-id   peer          flag     phase   doi
  ----------------------------------------------------------
  1               202.38.0.2    RD|ST    1       IPSEC
  flag meaning
  RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT  RK--REKEY
Related commands
display ike sa
sa duration
Use sa duration to set the ISAKMP SA lifetime for an IKE proposal.
Use undo sa duration to restore the default.
Syntax
sa duration seconds
undo sa duration
Default
The ISAKMP SA lifetime is 86400 seconds.
Syntax
time-out time-out
undo time-out
Views
IKE DPD view
Default command level
2: System level
Parameters
time-out: DPD packet retransmission interval in seconds, in the range 1 to 60.
Usage guidelines
The default DPD packet retransmission interval is 5 seconds.
Examples
# Set the DPD packet retransmission interval to 1 second for dpd2.
SSH configuration commands
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
SSH server configuration commands
display ssh server
Use display ssh server on an SSH server to display the SSH server status or sessions.
Table 51 Command output
Field                               Description
SSH Server                          Whether the SSH server function is enabled.
SSH version                         SSH protocol version. When the server supports SSH1, the protocol version is 1.99. Otherwise, the protocol version is 2.
SSH authentication-timeout          Authentication timeout timer.
SSH server key generating interval  SSH server key pair update interval.
SSH Authentication retries          Maximum number of SSH authentication attempts.
SFTP Server                         Whether the Secure FTP (SFTP) server function is enabled.
display ssh user-information
Use display ssh user-information on an SSH server to display information about SSH users.
Syntax
display ssh user-information [ username ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
username: Specifies an SSH username, a string of 1 to 80 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Related commands
ssh user
sftp server enable
Use sftp server enable to enable the SFTP server function.
Use undo sftp server enable to disable the SFTP server function.
Syntax
sftp server enable
undo sftp server enable
Default
The SFTP server function is disabled.
Views
System view
Default command level
3: Manage level
Usage guidelines
You can use the display ssh server command to display the status or session information of the SFTP server.
Examples
# Enable the SFTP server function.
Parameters
time-out-value: Specifies a timeout timer in minutes, in the range of 1 to 35791.
Usage guidelines
If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection. If many SFTP connections are established, you can set a smaller value so that connection resources are released promptly.
Examples
# Set the idle timeout timer for SFTP user connections to 500 minutes.
[Sysname] ssh server authentication-retries 4
Related commands
display ssh server
ssh server authentication-timeout
Use ssh server authentication-timeout to set the SSH user authentication timeout timer on the SSH server. If a user does not finish authentication before the timer expires, the connection is torn down.
Use undo ssh server authentication-timeout to restore the default.
Views
System view
Default command level
3: Manage level
Usage guidelines
The configuration takes effect only for clients at their next login. SSH1 has known protocol weaknesses, so leave this disabled unless a legacy client requires it.
Examples
# Enable the SSH server to support SSH1 clients.
system-view
[Sysname] ssh server compatible-ssh1x enable
Related commands
display ssh server
ssh server enable
Use ssh server enable to enable the SSH server function so that SSH clients can use SSH to communicate with the server.
Use undo ssh server enable to disable the SSH server function.
Syntax
ssh server rekey-interval hours
undo ssh server rekey-interval
Default
The update interval of the RSA server key is 0. That is, the system does not update the RSA server key pair.
Views
System view
Default command level
3: Manage level
Parameters
hours: Specifies an interval for updating the server key pair in hours, in the range of 1 to 24.
Usage guidelines
This command is only available to SSH users that use SSH1 client software.
Parameters
username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters.
service-type: Specifies the service type of an SSH user:
• all: Specifies Stelnet, SFTP, and SCP.
• scp: Specifies the service type as SCP.
• sftp: Specifies the service type as SFTP.
• stelnet: Specifies the service type as Stelnet.
authentication-type: Specifies the authentication method of an SSH user:
• password: Specifies password authentication.
publickey authentication or using both publickey authentication and password authentication, the working folder is the one set by using the ssh user command.
Default command level
3: Manage level
Parameters
remote-path: Specifies a path on the server. If you do not specify this argument, the command displays the current working path.
Usage guidelines
You can use the cd .. command to return to the upper-level directory.
You can use the cd / command to return to the root directory of the system.
Examples
# Change the working path to new1.
sftp-client> cd new1
Current Directory is: /new1
cdup
Use cdup to return to the upper-level directory.
Parameters
remote-file&<1-10>: Specifies one or more files to delete on the server. &<1-10> means that you can provide up to 10 filenames, separated by spaces.
Usage guidelines
This command functions the same as the remove command.
Examples
# Delete file temp.c from the server.
sftp-client> delete temp.c
The following files will be deleted:
/temp.c
Are you sure to delete it? [Y/N]:y
This operation might take a long time. Please wait...
-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1
-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:28 pub1
drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:24 new1
drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:18 new2
-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:30 pub2
display sftp client source
Use display sftp client source to display the source IP address or source interface set for the SFTP client.
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
When an SSH client needs to authenticate the SSH server, it uses the locally saved public key of the server for the authentication. If the authentication fails, you can use this command to check the public key of the server saved on the client.
Examples
# Display the mappings between SSH servers and their host public keys on the client.
display ssh server-info
Server Name(IP)                    Server public key name
______________________________________________________
192.168.0.1                        abc_key01
192.168.0.
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-file: Specifies the name of a file on the SFTP server.
local-file: Specifies the name for the local file.
Usage guidelines
If you do not specify the local-file argument, the file will be saved locally with the same name as that on the SFTP server.
Examples
# Download file temp1.c and save it as temp.c locally.
sftp-client> get temp1.c temp.c
Remote file:/temp1.c ---> Local file: temp.
Syntax
ls [ -a | -l ] [ remote-path ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
-a: Displays the filenames and the folder names of the specified directory.
-l: Displays detailed information about the files and folders of the specified directory in list form.
remote-path: Specifies the directory to be queried.
Examples
# Create a directory named test on the SFTP server.
sftp-client> mkdir test
New directory created
put
Use put to upload a local file to an SFTP server.
Syntax
put local-file [ remote-file ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
local-file: Specifies the name of a local file.
remote-file: Specifies the name for the file on an SFTP server.
quit
Use quit to terminate the connection with an SFTP server and return to user view.
Syntax
quit
Views
SFTP client view
Default command level
3: Manage level
Usage guidelines
This command functions the same as the bye and exit commands.
Examples
# Terminate the connection with the SFTP server.
sftp-client> quit
Bye
Connection closed.
remove
Use remove to delete files from a remote server.
File successfully Removed
rename
Use rename to change the name of a specified file or directory on an SFTP server.
Syntax
rename oldname newname
Views
SFTP client view
Default command level
3: Manage level
Parameters
oldname: Specifies the name of an existing file or directory.
newname: Specifies a new name for the file or directory.
Examples
# Change the name of a file on the SFTP server from temp1.c to temp2.c.
sftp-client> rename temp1.c temp2.
Syntax
In non-FIPS mode:
scp [ ipv6 ] server [ port-number ] { get | put } source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
In FIPS mode:
scp [ ipv6 ] server [ port-number ] { get | put }
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1-96.
• md5: Specifies the HMAC algorithm hmac-md5. This keyword is not available in FIPS mode.
• md5-96: Specifies the HMAC algorithm hmac-md5-96. This keyword is not available in FIPS mode.
• sha1: Specifies the HMAC algorithm hmac-sha1.
• sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm.
Syntax
In non-FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
In FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key r
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in non-FIPS mode, and dh-group14 in FIPS mode.
• dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. This keyword is not available in FIPS mode.
• dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not available in FIPS mode.
• dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
Use undo sftp client ipv6 source to remove the configuration.
Syntax
sftp client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address }
undo sftp client ipv6 source
Default
An SFTP client uses the IPv6 address of the interface specified by the route of the device to access the SFTP server.
Views
System view
Default command level
3: Manage level
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number.
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
To make sure the SFTP client and the SFTP server can communicate with each other, and to improve the manageability of SFTP clients in the authentication service, HP recommends that you specify a loopback interface as the source interface.
Examples
# Specify the source IP address of the SFTP client as 192.168.0.1.
• rsa: Specifies the public key algorithm rsa.
prefer-compress: Specifies the preferred compression algorithm. By default, no compression algorithm is used.
• zlib: Specifies the compression algorithm ZLIB.
• zlib-openssh: Specifies the compression algorithm ZLIB@openssh.com.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
• 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode.
• The preferred client-to-server HMAC algorithm is sha1-96.
• The preferred key exchange algorithm is dh-group14.
• The preferred server-to-client encryption algorithm is aes128.
• The preferred server-to-client HMAC algorithm is sha1-96.
Examples
# Connect to server 2:5::8:9, using the following connection scheme:
• The preferred key exchange algorithm: dh-group1.
• The preferred server-to-client encryption algorithm: aes128.
• The preferred client-to-server HMAC algorithm: md5.
system-view
[Sysname] ssh client authentication server 192.168.0.1 assign publickey key1
Related commands
ssh client first-time enable
ssh client first-time enable
Use ssh client first-time enable to enable the first-time authentication function.
Use undo ssh client first-time to disable the function.
Syntax
ssh client first-time enable
undo ssh client first-time
Default
The function is enabled.
Default
An Stelnet client uses the IPv6 address of the interface specified by the route of the device to access the Stelnet server.
Views
System view
Default command level
3: Manage level
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number.
ipv6 ipv6-address: Specifies a source IPv6 address.
Usage guidelines
To make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, HP recommends that you specify a loopback interface as the source interface.
Examples
# Specify the source IPv4 address of the Stelnet client as 192.168.0.1.
system-view
[Sysname] ssh client source ip 192.168.0.
prefer-compress: Specifies the preferred compression algorithm. By default, no compression algorithm is used.
• zlib: Specifies the compression algorithm ZLIB.
• zlib-openssh: Specifies the compression algorithm zlib@openssh.com.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
• 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode.
• aes128: Specifies the encryption algorithm aes128-cbc.
• The preferred key exchange algorithm is dh-group14.
• The preferred server-to-client encryption algorithm is aes128.
• The preferred server-to-client HMAC algorithm is sha1-96.
Examples
# Log in to Stelnet server 10.214.50.51, using the following connection scheme:
• The preferred key exchange algorithm: dh-group1.
• The preferred server-to-client encryption algorithm: aes128.
• The preferred client-to-server HMAC algorithm: md5.
• The preferred server-to-client HMAC algorithm: sha1-96.
prefer-compress: Specifies the preferred compression algorithm. By default, no compression algorithm is used.
• zlib: Specifies the compression algorithm ZLIB.
• zlib-openssh: Specifies the compression algorithm ZLIB@openssh.com.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
• 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode.
• aes128: Specifies the encryption algorithm aes128-cbc.
• The preferred key exchange algorithm is dh-group14.
• The preferred server-to-client encryption algorithm is aes128.
• The preferred server-to-client HMAC algorithm is sha1-96.
Examples
# Log in to Stelnet server 2000::1, using the following connection scheme:
• The preferred key exchange algorithm: dh-group1.
• The preferred server-to-client encryption algorithm: aes128.
• The preferred client-to-server HMAC algorithm: md5.
• The preferred server-to-client HMAC algorithm: sha1-96.
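The prefer-* keyword descriptions for the scp, sftp and Stelnet client commands above repeat the same availability rules: some keywords exist only in non-FIPS mode, and the prefer-kex default changes with the mode. The following added example (my own code, not HP's) resolves a requested connection scheme against those rules, fills in the documented defaults, and flags legacy keywords that FIPS mode would reject; treating des and dsa as unavailable in FIPS mode is an assumption, since the FIPS-mode syntax is truncated in this extract.

```python
"""Added example, not HP's code: resolve an SSH client connection scheme
(identity-key, prefer-compress, prefer-*-cipher/hmac, prefer-kex) against
the keyword availability and defaults described for FIPS and non-FIPS mode.
ASSUMPTION: 'des' and 'dsa' are treated as unavailable in FIPS mode; only
3des, md5, md5-96, dh-group-exchange and dh-group1 are explicitly documented
as "not available in FIPS mode" in this extract."""

# option -> (all keywords, keywords not available in FIPS mode)
OPTIONS = {
    "identity-key":       ({"dsa", "rsa"}, {"dsa"}),                     # dsa: assumption
    "prefer-compress":    ({"zlib", "zlib-openssh"}, set()),
    "prefer-ctos-cipher": ({"3des", "aes128", "des"}, {"3des", "des"}),  # des: assumption
    "prefer-stoc-cipher": ({"3des", "aes128", "des"}, {"3des", "des"}),  # des: assumption
    "prefer-ctos-hmac":   ({"md5", "md5-96", "sha1", "sha1-96"}, {"md5", "md5-96"}),
    "prefer-stoc-hmac":   ({"md5", "md5-96", "sha1", "sha1-96"}, {"md5", "md5-96"}),
    "prefer-kex":         ({"dh-group-exchange", "dh-group1", "dh-group14"},
                           {"dh-group-exchange", "dh-group1"}),
}

# Mode-independent defaults from the reference. Compression is off by default;
# no identity-key default is stated in this extract, so it stays unset.
DEFAULTS = {
    "prefer-ctos-cipher": "aes128",
    "prefer-stoc-cipher": "aes128",
    "prefer-ctos-hmac": "sha1-96",
    "prefer-stoc-hmac": "sha1-96",
    "prefer-compress": None,
    "identity-key": None,
}


def resolve_scheme(fips: bool, prefs: dict) -> tuple:
    """Return (scheme, errors, warnings).

    scheme   : every option with the chosen or default keyword
    errors   : keywords that are unknown or not available in this mode
    warnings : in non-FIPS mode, chosen keywords that FIPS mode would
               reject (legacy algorithms worth reviewing)
    """
    scheme = dict(DEFAULTS)
    # The kex default depends on the mode (dh-group-exchange vs dh-group14).
    scheme["prefer-kex"] = "dh-group14" if fips else "dh-group-exchange"
    errors, warnings = [], []
    for option, keyword in prefs.items():
        if option not in OPTIONS:
            errors.append(f"unknown option {option}")
            continue
        allowed, non_fips_only = OPTIONS[option]
        if keyword not in allowed:
            errors.append(f"{option}: unknown keyword {keyword}")
            continue
        if keyword in non_fips_only:
            if fips:
                errors.append(f"{option}: {keyword} is not available in FIPS mode")
                continue
            warnings.append(f"{option}: {keyword} would be rejected in FIPS mode")
        scheme[option] = keyword
    return scheme, errors, warnings


def is_fips_clean(prefs: dict) -> bool:
    """True when the scheme would be accepted unchanged in FIPS mode."""
    _, errors, _ = resolve_scheme(True, prefs)
    return not errors


if __name__ == "__main__":
    # The Stelnet example scheme from the reference, evaluated in both modes.
    example = {"prefer-kex": "dh-group1", "prefer-stoc-cipher": "aes128",
               "prefer-ctos-hmac": "md5", "prefer-stoc-hmac": "sha1-96"}
    for mode in (False, True):
        scheme, errors, warnings = resolve_scheme(mode, example)
        print("FIPS" if mode else "non-FIPS", scheme, errors, warnings)
```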
SSL configuration commands
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of DES_CBC, and the MAC algorithm of SHA.
rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of MD5.
rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of SHA.
system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] client-verify enable
Related commands
• client-verify weaken
• display ssl server-policy
client-verify weaken
Use client-verify weaken to enable SSL client weak authentication.
Use undo client-verify weaken to restore the default.
Syntax
client-verify weaken
undo client-verify weaken
Default
SSL client weak authentication is disabled.
close-mode wait
Use close-mode wait to set the SSL connection close mode to wait mode. In this mode, after sending a close-notify alert message to a client, the server does not close the connection until it receives a close-notify alert message from the client.
Use undo close-mode wait to restore the default.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about SSL client policy policy1.
display ssl client-policy policy1
SSL Client Policy: policy1
SSL Version: SSL 3.
Examples # Display information about SSL server policy policy1.
Syntax
handshake timeout time
undo handshake timeout
Default
The handshake timeout time is 3600 seconds.
Views
SSL server policy view
Default command level
2: System level
Parameters
time: Handshake timeout time in seconds. The value range is 180 to 7200.
Usage guidelines
If the SSL server receives no packet from the SSL client before the handshake timeout time expires, the SSL server terminates the handshake process.
Usage guidelines
If you do not specify a PKI domain for an SSL server policy, the SSL server generates and signs a certificate for itself rather than obtaining one from a CA server.
Examples
# Configure SSL server policy policy1 to use PKI domain server-domain.
system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] pki-domain server-domain
# Configure SSL client policy policy1 to use PKI domain client-domain.
rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA.
rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.
rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.
Related commands
display ssl client-policy
session
Use session to set the maximum number of cached sessions and the caching timeout time.
Use undo session to restore the default.
Syntax
session { cachesize size | timeout time } *
undo session { cachesize | timeout } *
Default
The maximum number of cached sessions is 500 and the caching timeout time is 3600 seconds.
Syntax
ssl client-policy policy-name
undo ssl client-policy { policy-name | all }
Views
System view
Default command level
2: System level
Parameters
policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters, which cannot be a, al, or all.
all: Specifies all SSL client policies.
Examples
# Create SSL client policy policy1 and enter its view.
system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1]
Related commands
display ssl server-policy
version
Use version to specify the SSL protocol version for an SSL client policy.
Use undo version to restore the default.
Syntax
In non-FIPS mode:
version { ssl3.0 | tls1.0 }
undo version
In FIPS mode:
version tls1.0
undo version
Default
The SSL protocol version for an SSL client policy is TLS 1.0.
SSL VPN configuration commands
The following matrix shows the command and router compatibility:
Command            6602   HSR6602   6604/6608/6616
SSL VPN commands   Yes    No        Yes on routers with MCP MPU
ssl-vpn enable
Use ssl-vpn enable to enable the SSL VPN service.
Use undo ssl-vpn enable to disable the SSL VPN service.
Syntax
ssl-vpn enable
undo ssl-vpn enable
Default
The SSL VPN service is disabled.
Use undo ssl-vpn server-policy to restore the default.
Syntax
ssl-vpn server-policy server-policy-name [ port port-number ]
undo ssl-vpn server-policy
Default
No SSL server policy is specified for the SSL VPN service.
Views
System view
Default command level
2: System level
Parameters
server-policy-name: Name of the SSL server policy, a case-insensitive string of 1 to 16 characters.
port port-number: Specifies the port number to be used by the SSL VPN service.
Firewall configuration commands
Packet-filter firewall configuration commands
display firewall ipv6 statistics
Use display firewall ipv6 statistics to view the packet filtering statistics of the IPv6 firewall.
Syntax
display firewall ipv6 statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
all: Displays the packet filtering statistics of all interfaces of the IPv6 firewall.
Table 57 Command output
Field            Description
Interface        Interface configured with the IPv6 packet filtering function.
In-bound Policy  Indicates that an IPv6 ACL is configured in the inbound direction of the interface.
Out-bound Policy Indicates that an IPv6 ACL is configured in the outbound direction of the interface.
acl6             IPv6 ACL number.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display packet filtering statistics on all interfaces.
display firewall-statistics all
firewall default
Use firewall default to specify the default firewall filtering action of the IPv4 firewall.
Syntax
firewall enable { all | slot slot-number }
undo firewall enable
Default
The IPv4 firewall function is disabled.
Views
System view
Default command level
2: System level
Parameters
all: Specifies that the configuration applies to all interface cards.
slot slot-number: Specifies that the configuration applies to the interface card in the specified slot.
Examples
# Specify the default filtering action of the IPv6 firewall as denying packets to pass.
system-view
[Sysname] firewall ipv6 default deny
firewall ipv6 enable
Use firewall ipv6 enable to enable the IPv6 firewall function.
Use undo firewall ipv6 enable to disable the IPv6 firewall function.
Syntax
firewall ipv6 enable
undo firewall ipv6 enable
Default
The IPv6 firewall function is disabled.
name acl-name: Specifies the name of a basic or advanced IPv4 ACL, a case-insensitive string of 1 to 63 characters that must start with an English letter a to z or A to Z. To avoid confusion, the word "all" cannot be used as the ACL name.
inbound: Filters packets received by the interface.
outbound: Filters packets forwarded from the interface.
Usage guidelines
You can apply only one IPv4 ACL in one direction of an interface to filter packets.
[Sysname-GigabitEthernet3/0/1] firewall packet-filter ipv6 2500 outbound
reset firewall ipv6 statistics
Use reset firewall ipv6 statistics to clear the packet filtering statistics of the IPv6 firewall.
Syntax
reset firewall ipv6 statistics { all | interface interface-type interface-number }
Views
User view
Default command level
1: Monitor level
Parameters
all: Clears the packet filtering statistics on all interfaces of the IPv6 firewall.
ASPF configuration commands
aspf-policy
Use aspf-policy to create an ASPF policy and enter its view.
Use undo aspf-policy to remove an ASPF policy.
Syntax
aspf-policy aspf-policy-number
undo aspf-policy aspf-policy-number
Views
System view
Default command level
2: System level
Parameters
aspf-policy-number: Specifies an ASPF policy number in the range of 1 to 99.
Usage guidelines
A defined ASPF policy can be applied through its policy number.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about all ASPF policies.
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
display aspf policy 1
[ASPF Policy Configuration]
Policy Number 1:
  icmp-error drop
  tcp syn-check
Table 60 Command output
Field                        Description
[ASPF Policy Configuration]  ASPF policy configuration information.
Policy Number                ASPF policy number.
icmp-error drop              Drop ICMP error messages.
tcp syn-check                Drop a non-SYN packet that is the first packet over a TCP connection.
display port-mapping
Use display port-mapping to view port mapping information.
h323     1720      system defined
http     80        system defined
rtsp     554       system defined
smtp     25        system defined
ike      500       system defined
https    443       system defined
vam      18000     system defined
ssh      22        system defined
Table 61 Command output
Field    Description
SERVICE  Application layer protocol that is mapped to a port.
PORT     Number of the port for the application layer protocol.
ACL      Number of the ACL specifying the host range.
TYPE     Port mapping type, system predefined or user customized.
icmp-error drop
Use icmp-error drop to specify to drop ICMP error messages.
Use undo icmp-error drop to restore the default.
Syntax
icmp-error drop
undo icmp-error drop
Default
ICMP error messages are not dropped.
Views
ASPF policy view
Default command level
2: System level
Examples
# Configure ASPF policy 1 to drop ICMP error messages.
acl acl-number: Specifies the IPv4 ACL for indicating the host range. The ACL number is in the range of 2000 to 2999.
Examples
# Map port 3456 to the FTP protocol.
system-view
[Sysname] port-mapping ftp port 3456
Related commands
display port-mapping
tcp syn-check
Use tcp syn-check to specify to drop any non-SYN packet that is the first packet over a TCP connection.
Use undo tcp syn-check to restore the default.
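To make the effect of the two ASPF policy checks in this section concrete, the following added example (my own model, not HP's code) applies icmp-error drop and tcp syn-check to a constructed packet trace: a TCP packet that opens no known session and is not a SYN is dropped, and ICMP error messages are dropped. The session key and the ICMP error type set are my modelling choices.

```python
"""Added example, not HP's code: a minimal model of the ASPF policy checks
tcp syn-check and icmp-error drop, run over a constructed packet trace."""
from dataclasses import dataclass

# ICMP message types that carry errors (RFC 792): destination unreachable,
# source quench, redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""         # TCP flags as letters, e.g. "S", "SA", "A"
    icmp_type: int = 8      # echo request unless stated otherwise


class AspfPolicy:
    def __init__(self, tcp_syn_check: bool = False, icmp_error_drop: bool = False):
        self.tcp_syn_check = tcp_syn_check
        self.icmp_error_drop = icmp_error_drop
        self.sessions = set()       # direction-independent TCP session keys
        self.dropped = []           # packets dropped by the policy

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        # Order the two endpoints so both directions map to one session.
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (pkt.proto,) + (a + b if a <= b else b + a)

    def inspect(self, pkt: Packet) -> str:
        """Return "pass" or "drop" for one packet, updating session state."""
        if pkt.proto == "icmp":
            if self.icmp_error_drop and pkt.icmp_type in ICMP_ERROR_TYPES:
                self.dropped.append(pkt)
                return "drop"
            return "pass"
        if pkt.proto != "tcp":
            return "pass"           # this model only tracks TCP sessions
        key = self._key(pkt)
        if key in self.sessions:
            return "pass"           # packet belongs to a known session
        is_syn = "S" in pkt.flags and "A" not in pkt.flags
        if not is_syn and self.tcp_syn_check:
            self.dropped.append(pkt)  # first packet of the flow is not a SYN
            return "drop"
        self.sessions.add(key)
        return "pass"


def run_trace(policy: AspfPolicy, packets: list) -> list:
    return [policy.inspect(p) for p in packets]


# Constructed trace: a normal handshake, a stray ACK that opens no session,
# an ICMP destination-unreachable, and a plain echo request.
TRACE = [
    Packet("tcp", "10.0.0.5", "10.0.1.9", 40000, 22, "S"),
    Packet("tcp", "10.0.1.9", "10.0.0.5", 22, 40000, "SA"),
    Packet("tcp", "10.0.0.5", "10.0.1.9", 40000, 22, "A"),
    Packet("tcp", "10.0.0.7", "10.0.1.9", 40001, 22, "A"),
    Packet("icmp", "10.0.1.1", "10.0.0.5", icmp_type=3),
    Packet("icmp", "10.0.0.5", "10.0.1.9", icmp_type=8),
]

if __name__ == "__main__":
    for name, pol in (("default", AspfPolicy()),
                      ("policy 1", AspfPolicy(tcp_syn_check=True, icmp_error_drop=True))):
        print(name, run_trace(pol, TRACE))
```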
ALG configuration commands
alg
Use alg to enable ALG for a protocol.
Use undo alg to disable ALG for a protocol.
Syntax
alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }
undo alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }
Default
The ALG feature is enabled for all protocols.
Views
System view
Default command level
2: System level
Parameters
all: Enables ALG for all protocols.
# Disable ALG for DNS.
Session management commands
application aging-time
Use application aging-time to set the aging timer for the sessions of an application layer protocol.
Use undo application aging-time to restore the default.
Syntax
application aging-time { dns | ftp | msn | qq | sip } time-value
undo application aging-time [ dns | ftp | msn | qq | sip ]
Default
The default session aging times for the application layer protocols vary with device models.
display application aging-time
Use display application aging-time to display the session aging timers for the application layer protocols.
Syntax
display application aging-time [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Syntax
display session aging-time [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
Syntax
display session hardware slot slot-number [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
slot slot-number: Displays the session count on the specified card. The slot-number argument represents the number of the slot where the card resides.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Parameters
slot slot-number: Displays the relationship table entries on the specified card. The slot-number argument represents the number of the slot where the card resides. The following matrix shows the slot slot-number option and hardware compatibility:
Hardware         Compatibility
6602             No
HSR6602          Yes
6604/6608/6616   Yes
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Field       Description
TTL         Remaining lifetime of the relationship table entry, in seconds.
AllowConn   Number of sessions allowed by the relationship table entry.
Total find  Total number of found relationship table entries.
display session statistics
Use display session statistics to display statistics for the sessions.
Current TCP session(s): 0
  Half-Open: 0
  Half-Close: 0
Current UDP session(s): 593951
Current ICMP session(s): 0
Current RAWIP session(s): 0
Current relation table(s): 50000
Session establishment rate: 184503/s
  TCP Session establishment rate: 0/s
  UDP Session establishment rate: 184503/s
  ICMP Session establishment rate: 0/s
  RAWIP Session establishment rate: 0/s
Received TCP: 1538 packet(s) 337567 byte(s)
Received UDP: 86810494849 packet(s) 4340524910260 byte(s)
Received ICMP: Rec
Field          Description
Dropped TCP    Counts of dropped TCP packets and bytes.
Dropped UDP    Counts of dropped UDP packets and bytes.
Dropped ICMP   Counts of dropped ICMP packets and bytes.
Dropped RAWIP  Counts of dropped Raw IP packets and bytes.
display session table
Use display session table to display information about sessions.
If no slot number is specified, the command displays the sessions on all cards. If multiple keywords are specified, the command displays the sessions that match all these criteria. This command is not supported by the SPE-FWM-200, SPE-IPS-200, SPE-ACG-200, and FIP600 cards.
Examples
# Display brief information about all sessions.
display session table
Initiator:
  Source IP/Port : 192.168.1.18/2048
  Dest IP/Port Pro : 192.168.1.
Total find: 2
Table 66 Command output
Field                        Description
Initiator:                   Session information of the initiator.
Responder:                   Session information of the responder.
Pro                          Transport layer protocol, TCP, UDP, ICMP, or Raw IP.
VPN-Instance/VLAN ID/VLL ID  MPLS L3VPN that the session belongs to and the VLAN and INLINE that the session belongs to during Layer 2 forwarding.
App                          Application layer protocol, FTP, DNS, MSN or QQ. Unknown indicates the protocol type of a non-well-known port.
Session status.
Views
User view
Default command level
2: System level
Parameters
slot slot-number: Clears the sessions on the specified card. The slot-number argument represents the number of the slot where the card resides. The following matrix shows the slot slot-number option and hardware compatibility:
Hardware         Compatibility
6602             No
HSR6602          Yes
6604/6608/6616   Yes
source-ip source-ip: Clears the sessions with the specified source IP address of the initiator.
Default command level
2: System level
Parameters
slot slot-number: Clears the session statistics on the specified card. The slot-number argument specifies the slot where the card resides. The following matrix shows the slot slot-number option and hardware compatibility:
Hardware         Compatibility
6602             No
HSR6602          Yes
6604/6608/6616   Yes
Usage guidelines
If no slot number is specified, the command clears the session statistics on all cards.
Examples
# Clear all session statistics.
rawip-open: Specifies the aging timer for the sessions in the RAWIP_OPEN state.
rawip-ready: Specifies the aging timer for the sessions in the RAWIP_READY state.
syn: Specifies the aging timer for the TCP sessions in the SYN_SENT or SYN_RCV state.
tcp-est: Specifies the aging timer for the TCP sessions in the ESTABLISHED state.
udp-open: Specifies the aging timer for the UDP sessions in the OPEN state.
udp-ready: Specifies the aging timer for the UDP sessions in the READY state.
Default command level
2: System level
Parameters
all: Enables checksum verification for TCP, UDP, and ICMP packets.
icmp: Enables checksum verification for ICMP packets.
tcp: Enables checksum verification for TCP packets.
udp: Enables checksum verification for UDP packets.
Examples
# Enable checksum verification for UDP packets.
system-view
[Sysname] session checksum udp
session early-ageout
Use session early-ageout to set the time value by which the session aging time is shortened.
If the difference between the session aging time and the value specified by the shorten-time argument is less than 5 seconds, the session aging time becomes 5 seconds.
Examples
# Configure the session aging time to shorten by 100 seconds when the session ratio exceeds 80 percent, and to restore the normal values when the session ratio equals or drops below 20 percent.
Default command level
2: System level
Parameters
acl acl-number: Specifies the ACL to be used to match sessions for logging. The value range for the acl-number argument is 2000 to 3999.
inbound: Specifies session logs in the inbound direction.
outbound: Specifies session logs in the outbound direction.
Usage guidelines
If you do not specify the acl acl-number option, the command enables session logging for all sessions on the interface.
Examples
# Set the packet count threshold for session logging to 10 mega-packets.
system-view
[Sysname] session log packets-active 10
session log time-active
Use session log time-active to set the holdtime threshold for session logging.
Use undo session log time-active to remove the setting.
Syntax
session log time-active time-value
undo session log time-active
Default
The system does not output session logs based on the holdtime threshold.
Parameters
max-entries: Specifies the maximum number of sessions. The value range is 1 to 10000000.
slot slot-number: Specifies a slot. The following matrix shows the slot slot-number option and hardware compatibility:
Hardware         Compatibility
6602             No
HSR6602          Yes
6604/6608/6616   Yes
Usage guidelines
For distributed devices, you can set the maximum number of sessions based on slots. The maximum number should not exceed the session count specification of a device or a card.
A persistent session rule can reference only one ACL.
Examples
# Configure all sessions matching ACL 2000 as persistent sessions, setting the aging time of the sessions to 72 hours.
Connection limit configuration commands
connection-limit apply policy
Use connection-limit apply policy to apply a connection limit policy to the NAT module.
Use undo connection-limit apply policy to remove the application.
Syntax
connection-limit apply policy policy-number
undo connection-limit apply policy policy-number
Views
System view
Default command level
2: System level
Parameters
policy-number: Number of an existing connection limit policy. The value is 0.
Default command level
2: System level
Parameters
policy-number: Specifies the number of a connection limit policy. The value is 0.
Usage guidelines
A connection limit policy contains a set of rules for limiting the number of connections of a specific user. A policy number uniquely identifies a connection limit policy. After applying a connection limit policy in system view, you cannot modify, add, or remove connection limit rules in the policy.
limit 0 source ip 3.3.3.0 24 source-vpn vpn1 destination ip any protocol tcp max-connections 200 per-source
Table 67 Command output
Field                    Description
Connection-limit policy  Number of the connection limit policy.
refcount 0, 1 limits     Number of times that the policy is applied and number of rules in the policy.
limit xxx                Rule in the policy. For more information, see the limit command.
Related commands
limit
limit
Use limit to configure an IP address-based connection limit policy rule.
• dns: Specifies the DNS protocol.
• http: Specifies the HTTP protocol.
• ip: Specifies the IP protocol.
• tcp: Specifies the TCP protocol.
• udp: Specifies the UDP protocol.
max-connections max-num: Maximum number of connections.
per-destination: Limits connections by destination IP address.
per-source: Limits connections by source IP address.
per-source-destination: Limits connections by source-destination IP address pair.
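The following added example (my own code, not HP's) evaluates a rule of the form shown in the display connection-limit output above, limit 0 source ip 3.3.3.0 24 source-vpn vpn1 destination ip any protocol tcp max-connections 200 per-source, over constructed sessions, so the effect of the per-source, per-destination and per-source-destination counting modes can be checked. The Session and LimitRule types and the admit/release API are assumptions for the example.

```python
"""Added example, not HP's code: evaluate IP address-based connection limit
rules over constructed sessions. Modelling assumption: a rule without a
source VPN constraint matches sessions in any VPN instance."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    protocol: str            # "tcp", "udp", "dns", "http", ...
    vpn: str = ""            # "" means the public network


@dataclass
class LimitRule:
    source: ipaddress.IPv4Network = ANY
    destination: ipaddress.IPv4Network = ANY
    protocol: str = "ip"     # "ip" matches every protocol
    max_connections: int = 0
    mode: str = "per-source"  # per-source | per-destination | per-source-destination
    source_vpn: str = None   # None: no VPN constraint (assumption)

    def matches(self, s: Session) -> bool:
        if self.source_vpn is not None and s.vpn != self.source_vpn:
            return False
        if self.protocol != "ip" and s.protocol != self.protocol:
            return False
        return (ipaddress.ip_address(s.src) in self.source
                and ipaddress.ip_address(s.dst) in self.destination)

    def key(self, s: Session) -> tuple:
        """The counter a session is charged against, per the rule's mode."""
        if self.mode == "per-source":
            return (s.src,)
        if self.mode == "per-destination":
            return (s.dst,)
        if self.mode == "per-source-destination":
            return (s.src, s.dst)
        raise ValueError(f"unknown mode {self.mode}")


class ConnectionLimiter:
    """Holds one policy (a list of rules) and the live connection counts."""

    def __init__(self, rules: list):
        self.rules = rules
        self.counts = Counter()          # (rule index, key) -> active connections

    def admit(self, s: Session) -> bool:
        """True if the session may be created; every matching rule must allow it."""
        hits = [(i, r.key(s)) for i, r in enumerate(self.rules) if r.matches(s)]
        if any(self.counts[h] >= self.rules[h[0]].max_connections for h in hits):
            return False
        for h in hits:
            self.counts[h] += 1
        return True

    def release(self, s: Session) -> None:
        """Decrement the counters when a session ends."""
        for i, r in enumerate(self.rules):
            if r.matches(s):
                h = (i, r.key(s))
                if self.counts[h] > 0:
                    self.counts[h] -= 1


# The rule from the display connection-limit output above.
RULE = LimitRule(source=ipaddress.ip_network("3.3.3.0/24"), protocol="tcp",
                 max_connections=200, mode="per-source", source_vpn="vpn1")

if __name__ == "__main__":
    lim = ConnectionLimiter([RULE])
    s = Session("3.3.3.10", "192.0.2.1", "tcp", "vpn1")   # constructed session
    admitted = sum(lim.admit(s) for _ in range(201))
    print(f"admitted {admitted} of 201 TCP connections from {s.src}")
```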
Web filtering configuration commands
display firewall http activex-blocking
Use display firewall http activex-blocking to display information about ActiveX blocking.
Syntax
display firewall http activex-blocking [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
all: Specifies all ActiveX blocking suffix keywords.
item keywords: Specifies a blocking suffix keyword.
---------------------------------------------
1   5            .OCX
2   0            .vbs
Table 68 Command output
Field        Description
SN           Serial number.
Match-Times  Number of times that a suffix keyword is matched.
Keywords     ActiveX blocking suffix keyword.
# Display detailed ActiveX blocking information.
display firewall http activex-blocking verbose
ActiveX blocking is enabled.
No ACL group has been configured.
There are 5 packet(s) being filtered.
There are 0 packet(s) being passed.
Examples
# Display brief information about Java blocking.
display firewall http java-blocking
Java blocking is enabled.
# Display Java blocking information for a specific suffix keyword.
display firewall http java-blocking item .class
The HTTP request packet including ".class" had been matched for 10 times.
# Display Java blocking information for all suffix keywords.
item keywords: Specifies a filtering keyword, The keywords argument is a case-insensitive string of 1 to 80 characters. Valid characters include 0 to 9, a to z, A to Z, dot (.), hyphen (-), underline (_), and wildcards caret (^), dollar sign ($), ampersand (&), and asterisk (*). For meanings and usage guidelines of the wildcards, see the relevant description for command firewall http url-filter host url-address. verbose: Specifies detailed information.
Table 71 Command output Field Description Default method Default URL address filtering action, permit or deny. The support for IP address Support for website IP addresses, permit or deny. display firewall http url-filter parameter Use display firewall http url-filter parameter to display information about URL parameter filtering.
# Display URL parameter filtering information for all keywords. display firewall http url-filter parameter all SN Match-Times Keywords ---------------------------------------------1 0 ^select$ 2 0 ^insert$ 3 0 ^update$ 4 0 ^delete$ 5 0 ^drop$ 6 0 -- 7 0 ‘ 8 0 ^exec$ 9 10 %27 10 0 qqqqq Table 72 Command output Field Description SN Serial number. Match-Times Number of times that the keyword has been matched. Keywords URL parameter filtering keyword.
Usage guidelines
After the command takes effect, all web requests containing any suffix keyword in the ActiveX blocking suffix list are processed according to the ACL. You can specify multiple ACLs for ActiveX blocking, but only the last one takes effect. You can specify a non-existing ACL, but ActiveX blocking based on the ACL takes effect only after you create and configure the ACL correctly.
Examples
# Specify the ACL for ActiveX blocking as ACL 2003.

Syntax
firewall http activex-blocking suffix keywords
undo firewall http activex-blocking suffix keywords
Views
System view
Default command level
2: System level
Parameters
keywords: Blocking suffix keyword, a case-insensitive string of 1 to 9 characters. Its starting character must be a dot (.) and the subsequent characters must be digits or English letters.
Usage guidelines
You can add a maximum of 5 ActiveX blocking suffix keywords. You cannot add or remove the default suffix keyword ".

You can specify multiple ACLs for Java blocking, but only the last one takes effect. You can specify a non-existing ACL, but Java blocking based on the ACL takes effect only after you create and configure the ACL correctly.
Examples
# Specify the ACL for Java blocking as ACL 2002.

Views
System view
Default command level
2: System level
Parameters
keywords: Blocking suffix keyword, a case-insensitive string of 1 to 9 characters. Its starting character must be a dot (.) and the subsequent characters must be digits or English letters.
Usage guidelines
You can add a maximum of five Java blocking suffix keywords. You cannot remove the default blocking suffix keywords .class and .jar.
Examples
# Add .js to the Java blocking suffix list.

Examples
# Specify URL address filtering to permit web requests with website IP addresses permitted by ACL 2000.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 permit source 3.3.3.3 0.0.0.

Default
The URL address filtering function is disabled.
Views
System view
Default command level
2: System level
Examples
# Enable the URL address filtering function.

firewall http url-filter host url-address
Use firewall http url-filter host url-address to add a URL address filtering entry and set the filtering action.
Use undo firewall http url-filter host url-address to remove one or all URL address filtering entries.
Syntax
firewall http url-filter host url-address { deny | permit } url-address
undo firewall http url-filter host url-address [ url-address ]
Views
System view
Default command level
2: System level
Parameters
deny: Denies matched URL addresses.

• If an asterisk (*) is present at the beginning of a filtering entry, it must be in the form *.xxx, where xxx represents a keyword, for example, *.com or *.webfilter.com.
• A filtering entry with only numerals is invalid. To filter a website address like www.123.com, you can define a filtering entry like ^123$, www.123.com, or 123.com, instead of 123. HP recommends that you use exact match to filter numeral website addresses.

Wildcard  Meaning                                     Usage guidelines
$         Matches parameters ending with the keyword  It can be present once at the end of a filtering entry.
&         Stands for one valid character              It can be present multiple times at any position of a filtering entry, consecutively or inconsecutively, and cannot be used next to an asterisk (*). If it is present at the beginning or end of a filtering entry, it must be next to a caret (^) or a dollar sign ($).
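The entry rules and wildcard semantics above, as an added example that is not HP code: validate_entry applies the documented restrictions (numerals-only entries, a leading asterisk only as *.xxx, one $ at the end, & never next to * and never bare at either end), and entry_to_regex turns an entry into a matcher. Assumed, because the text does not spell it out: ^ mirrors the $ rule, ^ and $ anchor on a label boundary (start or end of the host name or a dot), which is what lets ^123$ match www.123.com, & stands for one letter, digit, hyphen or underscore, * for any run of characters, and the first matching entry decides.

```python
import re
from typing import List, Optional, Tuple

# Characters allowed in a filtering entry (from the keywords parameter description).
KEYWORD_CHARS = set("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ._-")
WILDCARDS = set("^$&*")


def validate_entry(entry: str) -> Optional[str]:
    """Return None if the entry is acceptable, otherwise the reason it is rejected."""
    if not 1 <= len(entry) <= 80:
        return "length must be 1 to 80 characters"
    for ch in entry:
        if ch not in KEYWORD_CHARS and ch not in WILDCARDS:
            return f"invalid character {ch!r}"
    if entry.isdigit():
        return "an entry with only numerals is invalid"
    if entry.startswith("*") and not (entry.startswith("*.") and len(entry) > 2):
        return "a leading asterisk must take the form *.xxx"
    if "$" in entry[:-1]:
        return "$ may appear once, only at the end"
    if "^" in entry[1:]:                     # assumed: mirror image of the $ rule
        return "^ may appear once, only at the beginning"
    if "&*" in entry or "*&" in entry:
        return "& cannot be used next to *"
    if entry[0] == "&" or entry[-1] == "&":
        return "a leading or trailing & must be next to ^ or $"
    return None


def entry_to_regex(entry: str) -> "re.Pattern[str]":
    """Translate the wildcards (assumed semantics, see the lead-in)."""
    parts = []
    for ch in entry:
        if ch == "^":
            parts.append(r"(?:^|(?<=\.))")    # start of host or right after a dot
        elif ch == "$":
            parts.append(r"(?:$|(?=\.))")     # end of host or right before a dot
        elif ch == "&":
            parts.append(r"[0-9A-Za-z_-]")    # exactly one valid character
        elif ch == "*":
            parts.append(r".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)   # entries are case-insensitive


def host_matches(host: str, entry: str) -> bool:
    reason = validate_entry(entry)
    if reason is not None:
        raise ValueError(f"{entry}: {reason}")
    return entry_to_regex(entry).search(host) is not None


def filter_host(host: str, entries: List[Tuple[str, str]], default: str = "permit") -> str:
    """Return "permit" or "deny" for a host name. entries are (action, entry)
    pairs; the first matching entry decides (assumed), else the default action."""
    for action, entry in entries:
        if host_matches(host, entry):
            return action
    return default
```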
Views
System view
Default command level
2: System level
Examples
# Enable the URL parameter filtering function.
system-view
[Sysname] firewall http url-filter parameter enable
Related commands
display firewall http url-filter parameter

reset firewall http
Use reset firewall http to clear web filtering statistics.

Attack detection and protection configuration commands

attack-defense apply policy
Use attack-defense apply policy to apply an attack protection policy to an interface.
Use undo attack-defense apply policy to restore the default.
Syntax
attack-defense apply policy policy-number
undo attack-defense apply policy
Default
No attack protection policy is applied to an interface.

Syntax
attack-defense logging enable
undo attack-defense logging enable
Default
Attack protection logging is disabled.
Views
System view
Default command level
2: System level
Examples
# Enable attack protection logging.
system-view
[Sysname] attack-defense logging enable

attack-defense policy
Use attack-defense policy to create an attack protection policy and enter attack protection policy view.
Use undo attack-defense policy to remove an attack protection policy.

Related commands
display attack-defense policy

blacklist enable
Use blacklist enable to enable the blacklist function.
Use undo blacklist enable to restore the default.
Syntax
blacklist enable
undo blacklist enable
Default
The blacklist function is disabled.
Views
System view
Default command level
2: System level
Usage guidelines
After the blacklist function is enabled, you can add blacklist entries manually or configure the device to add blacklist entries automatically.

Default command level
2: System level
Parameters
source-ip-address: IP address to be added to the blacklist, used to match the source IP address of packets.
all: Specifies all blacklist entries.
timeout minutes: Specifies an aging time for the blacklist entry. minutes indicates the aging time, in the range of 1 to 1000 minutes. If you do not specify the aging time, the blacklist entry never ages out and remains until you delete it manually.

Related commands
• defense icmp-flood enable
• defense icmp-flood ip
• defense icmp-flood rate-threshold
• display attack-defense policy

defense icmp-flood enable
Use defense icmp-flood enable to enable ICMP flood attack protection.
Use undo defense icmp-flood enable to restore the default.
Syntax
defense icmp-flood enable
undo defense icmp-flood enable
Default
ICMP flood attack protection is disabled.

Default
No ICMP flood attack protection thresholds are configured for an IP address.
Views
Attack protection policy view
Default command level
2: System level
Parameters
ip-address: IP address to be protected. This IP address cannot be a broadcast address, 127.0.0.0/8, a class D address, or a class E address.
high rate-number: Sets the action threshold for ICMP flood attack protection of the specified IP address.

Syntax
defense icmp-flood rate-threshold high rate-number [ low rate-number ]
undo defense icmp-flood rate-threshold
Default
The global action threshold is 1000 packets per second and the global silence threshold is 750 packets per second.
Views
Attack protection policy view
Default command level
2: System level
Parameters
high rate-number: Sets the global action threshold for ICMP flood attack protection.

Syntax
defense scan add-to-blacklist
undo defense scan add-to-blacklist
Default
The blacklist function for scanning attack protection is not enabled.
Views
Attack protection policy view
Default command level
2: System level
Usage guidelines
With scanning attack protection enabled, a device checks the connection rate by IP address.

• defense scan max-rate

defense scan blacklist-timeout
Use defense scan blacklist-timeout to specify the aging time for entries blacklisted by scanning attack protection.
Use undo defense scan blacklist-timeout to restore the default, which is 10 minutes.
Syntax
defense scan blacklist-timeout minutes
undo defense scan blacklist-timeout
Views
Attack protection policy view
Default command level
2: System level
Parameters
minutes: Aging time of blacklist entries, in the range of 1 to 1000 minutes.

Default command level
2: System level
Usage guidelines
With scanning attack protection enabled, a device checks the connection rate by IP address. If the connection rate of an IP address reaches or exceeds the threshold (set by the defense scan max-rate command), the device considers the IP address a scanning attack source and drops subsequent packets from the IP address until it finds that the rate is less than the threshold.
Examples
# Enable scanning attack protection.
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense scan enable
# Set the connection rate threshold for triggering scanning attack protection to 2000 connections per second.
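How scanning attack protection, defense scan add-to-blacklist, defense scan blacklist-timeout and the blacklist ip aging rules above fit together, as an added example that is not HP code: connections are counted per source IP in one-second windows; once the count reaches max-rate the source's further packets in that window are dropped and, when add-to-blacklist is on and the blacklist function is enabled, the source is blacklisted for blacklist-timeout minutes. Time is passed in explicitly (seconds) so the aging can be checked deterministically; that the automatic entry is only added while the blacklist function is enabled is an assumption drawn from the blacklist enable guideline.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

BLACKLIST_TIMEOUT_RANGE = (1, 1000)    # minutes, for both manual and automatic entries


@dataclass
class Blacklist:
    """Blacklist entries keyed by source IP; the value is the expiry time in
    seconds, or None for an entry that never ages out."""
    enabled: bool = False
    entries: Dict[str, Optional[float]] = field(default_factory=dict)

    def add(self, ip: str, now: float, timeout_minutes: Optional[int] = None) -> bool:
        """Add an entry (manual 'blacklist ip' or automatic). Returns False when
        the blacklist function is disabled, in which case nothing is added."""
        if not self.enabled:
            return False
        if timeout_minutes is not None:
            lo, hi = BLACKLIST_TIMEOUT_RANGE
            if not lo <= timeout_minutes <= hi:
                raise ValueError(f"timeout must be {lo}..{hi} minutes")
        self.entries[ip] = None if timeout_minutes is None else now + 60 * timeout_minutes
        return True

    def is_listed(self, ip: str, now: float) -> bool:
        if ip not in self.entries:
            return False
        expiry = self.entries[ip]
        if expiry is not None and now >= expiry:
            del self.entries[ip]            # aged out
            return False
        return True


class ScanDefense:
    """Scanning attack protection for one policy: counts new connections per
    source IP in one-second windows (model, not HP code)."""

    def __init__(self, blacklist: Blacklist, max_rate: int = 1000,
                 add_to_blacklist: bool = False, blacklist_timeout: int = 10) -> None:
        self.blacklist = blacklist
        self.max_rate = max_rate                    # defense scan max-rate
        self.add_to_blacklist = add_to_blacklist    # defense scan add-to-blacklist
        self.blacklist_timeout = blacklist_timeout  # defense scan blacklist-timeout (minutes)
        self.window: Dict[str, Tuple[int, int]] = {}   # src -> (second, connections)
        self.flagged_second: Dict[str, int] = {}       # src -> second the attack was counted
        self.attacks = 0         # "Scan attacks" statistic
        self.dropped = 0         # "Scan attack packets dropped" statistic

    def packet(self, src: str, now: float, new_connection: bool = True) -> str:
        """Process one packet from src at time now (seconds); return "pass" or "drop"."""
        if self.blacklist.is_listed(src, now):
            self.dropped += 1
            return "drop"
        second = int(now)
        win_sec, count = self.window.get(src, (second, 0))
        if win_sec != second:               # new window: the rate starts over
            win_sec, count = second, 0
        if new_connection:
            count += 1
        self.window[src] = (win_sec, count)
        if count < self.max_rate:
            return "pass"
        # Rate reached the threshold: src is treated as a scanning attack source.
        if self.flagged_second.get(src) != second:
            self.flagged_second[src] = second
            self.attacks += 1
            if self.add_to_blacklist:
                self.blacklist.add(src, now, self.blacklist_timeout)
        self.dropped += 1
        return "drop"
```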
defense syn-flood enable
Use defense syn-flood enable to enable SYN flood attack protection.
Use undo defense syn-flood enable to restore the default.
Syntax
defense syn-flood enable
undo defense syn-flood enable
Default
SYN flood attack protection is disabled.
Views
Attack protection policy view
Default command level
2: System level
Examples
# Enable SYN flood attack protection in attack protection policy 1.

high rate-number: Sets the action threshold for SYN flood attack protection of the specified IP address. The rate-number argument indicates the number of SYN packets sent to the specified IP address per second and is in the range of 1 to 64000. With SYN flood attack protection enabled, the device enters attack detection state.

Parameters
high rate-number: Sets the global action threshold for SYN flood attack protection. The rate-number argument indicates the number of SYN packets sent to an IP address per second and is in the range of 1 to 64000. With SYN flood attack protection enabled, the device enters attack detection state.

Examples
# Configure attack protection policy 1 to drop UDP flood packets.
system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense udp-flood action drop-packet
Related commands
• defense udp-flood enable
• defense udp-flood ip
• defense udp-flood rate-threshold
• display attack-defense policy

defense udp-flood enable
Use defense udp-flood enable to enable UDP flood attack protection.
Use undo defense udp-flood enable to restore the default.

Syntax
defense udp-flood ip ip-address rate-threshold high rate-number [ low rate-number ]
undo defense udp-flood ip ip-address [ rate-threshold ]
Default
No UDP flood attack protection thresholds are configured for an IP address.
Views
Attack protection policy view
Default command level
2: System level
Parameters
ip-address: IP address to be protected. This IP address cannot be a broadcast address, 127.0.0.0/8, a class D address, or a class E address.

defense udp-flood rate-threshold
Use defense udp-flood rate-threshold to configure the global action and silence thresholds for UDP flood attack protection. The device uses the global attack protection thresholds to protect the IP addresses for which you do not configure attack protection parameters specifically.
Use undo defense udp-flood rate-threshold to restore the default.
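The action/silence threshold logic shared by the ICMP, SYN and UDP flood commands above, as an added example that is not HP code: per-IP thresholds override the global ones, the detector starts in attack detection state, the action threshold (rate-number 1 to 64000) moves a destination into protection, and the ip-address restrictions (broadcast, 127.0.0.0/8, class D, class E) are enforced. Assumed, because this section only names the silence threshold: protection ends once the rate falls below it, the low value must not exceed the high one, and with action drop-packet the packets of a protected second are all counted as dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RATE_MIN, RATE_MAX = 1, 64000          # rate-number range (packets/s)


def protected_ip_error(ip: str) -> Optional[str]:
    """Reject the addresses the ip-address parameter rules out."""
    addr = ipaddress.IPv4Address(ip)
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        return "broadcast address"
    if addr in ipaddress.IPv4Network("127.0.0.0/8"):
        return "127.0.0.0/8"
    if addr.is_multicast:                                  # 224.0.0.0/4
        return "class D address"
    if addr in ipaddress.IPv4Network("240.0.0.0/4"):
        return "class E address"
    return None


@dataclass(frozen=True)
class Thresholds:
    high: int      # action threshold: rate at or above which protection starts
    low: int       # silence threshold: rate below which protection stops (assumed)

    def __post_init__(self) -> None:
        for v in (self.high, self.low):
            if not RATE_MIN <= v <= RATE_MAX:
                raise ValueError(f"rate {v} outside {RATE_MIN}..{RATE_MAX}")
        if self.low > self.high:
            raise ValueError("silence threshold must not exceed action threshold")


class FloodDefense:
    """Per-destination hysteresis detector for one flood type (model, not HP
    code). Feed it one second's packet count for a destination IP at a time."""

    def __init__(self, action: str = "syslog",
                 global_thresholds: Thresholds = Thresholds(1000, 750)) -> None:
        self.action = action                      # "syslog" or "drop-packet"
        self.global_thresholds = global_thresholds
        self.per_ip: Dict[str, Thresholds] = {}
        self.state: Dict[str, str] = {}           # "detection" | "protection"
        self.attacks = 0                          # "... flood attacks" statistic
        self.dropped = 0                          # "... flood packets dropped" statistic
        self.log: List[str] = []

    def protect_ip(self, ip: str, high: int, low: int) -> None:
        """Counterpart of 'defense xxx-flood ip A rate-threshold high H low L'."""
        err = protected_ip_error(ip)
        if err:
            raise ValueError(f"{ip}: {err} cannot be protected")
        self.per_ip[ip] = Thresholds(high, low)

    def thresholds_for(self, ip: str) -> Thresholds:
        # IPs without specific parameters fall back to the global thresholds.
        return self.per_ip.get(ip, self.global_thresholds)

    def observe(self, ip: str, packets_per_second: int) -> Tuple[str, int]:
        """Return (state after this second, packets dropped in this second)."""
        thr = self.thresholds_for(ip)
        state = self.state.get(ip, "detection")   # enabling starts in detection state
        if state == "detection" and packets_per_second >= thr.high:
            state = "protection"
            self.attacks += 1
            self.log.append(f"flood attack on {ip}: {packets_per_second} pkt/s "
                            f">= {thr.high}, action {self.action}")
        elif state == "protection" and packets_per_second < thr.low:
            state = "detection"
            self.log.append(f"flood on {ip} subsided: {packets_per_second} pkt/s < {thr.low}")
        self.state[ip] = state
        dropped = packets_per_second if (state == "protection" and self.action == "drop-packet") else 0
        self.dropped += dropped
        return state, dropped
```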
• defense udp-flood enable
• display attack-defense policy

display attack-defense policy
Use display attack-defense policy to display configuration information about one or all attack protection policies.
Syntax
display attack-defense policy [ policy-number ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
policy-number: Sequence number of an attack protection policy, in the range of 1 to 128.

Add to blacklist          : Enabled
Blacklist timeout         : 10 minutes
Max-rate                  : 1000 connections/s
Signature-detect action   : Drop-packet
-------------------------------------------------------------------------
ICMP flood attack-defense : Enabled
ICMP flood action         : Syslog
ICMP flood high-rate      : 2000 packets/s
ICMP flood low-rate       : 750 packets/s
ICMP flood attack-defense for specific IP addresses:
IP              High-rate(packets/s)   Low-rate(packets/s)
192.168.1.1     1000                   500
192.168.2.

Field                        Description
WinNuke attack-defense       Indicates whether WinNuke attack protection is enabled.
LAND attack-defense          Indicates whether Land attack protection is enabled.
Source route attack-defense  Indicates whether Source Route attack protection is enabled.
Route record attack-defense  Indicates whether Route Record attack protection is enabled.
Scan attack-defense          Indicates whether scanning attack protection is enabled.

50      None    128    GigabitEthernet3/0/2
Related commands
attack-defense policy

display attack-defense statistics interface
Use display attack-defense statistics interface to display the attack protection statistics of an interface.

Route record packets dropped : 100
Source route attacks         : 1
Source route packets dropped : 100
Smurf attacks                : 1
Smurf packets dropped        : 100
TCP flag attacks             : 1
TCP flag packets dropped     : 100
Tracert attacks              : 1
Tracert packets dropped      : 100
WinNuke attacks              : 1
WinNuke packets dropped      : 100
Scan attacks                 : 1
Scan attack packets dropped  : 100
SYN flood attacks            : 1
SYN flood packets dropped    : 100
ICMP flood attacks           : 1
ICMP flood packets dropped   : 100
UDP flood attacks            : 1

Field                             Description
Tracert attacks                   Number of detected Tracert attacks.
Tracert packets dropped           Number of Tracert packets dropped.
WinNuke attacks                   Number of detected WinNuke attacks.
WinNuke packets dropped           Number of WinNuke packets dropped.
Scan attacks                      Number of detected scanning attacks.
Scan attack packets dropped       Number of scanning attack packets dropped.
SYN flood attacks                 Number of detected SYN flood attacks.
SYN flood attack packets dropped  Number of SYN flood attack packets dropped.

Option            6602   HSR6602   6604/6608/6616
slot slot-number  No     Yes       Yes
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.

Related commands
• blacklist enable
• blacklist ip

display flow-statistics statistics
Use display flow-statistics statistics to display traffic statistics on interfaces based on IP addresses.

----------------------------------------------------------
IP Address : 192.168.1.

Default command level
1: Monitor level
Parameters
interface-type interface-number: Specifies an interface by its type and number.
inbound: Displays traffic statistics in the inbound direction of an interface.
outbound: Displays traffic statistics in the outbound direction of an interface.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

Field                             Description
UDP session establishment rate    UDP connection establishment rate.
ICMP sessions                     Number of ICMP connections.
ICMP session establishment rate   ICMP connection establishment rate.
RAWIP sessions                    Number of RAWIP connections.
RAWIP session establishment rate  RAWIP connection establishment rate.

display tcp-proxy protected-ip
Use display tcp-proxy protected-ip to display information about IP addresses protected by the TCP proxy function.

Field             Description
Type              Type of the protected IP address. Dynamic indicates that the entry was dynamically added by the device.
Lifetime(min)     Remaining lifetime of the entry. If the value of this field is 0, the entry is deleted.
Rejected packets  Number of packets matching this entry that have been dropped by the TCP proxy function.

flow-statistics enable
Use flow-statistics enable to enable traffic statistics collection on an interface.
Use undo flow-statistics enable to restore the default.

reset attack-defense statistics interface
Use reset attack-defense statistics interface to clear the attack protection statistics of an interface.
Syntax
reset attack-defense statistics interface interface-type interface-number
Views
User view
Default command level
1: Monitor level
Parameters
interface-type interface-number: Specifies an interface by its type and number.
Examples
# Clear the attack protection statistics of interface GigabitEthernet 3/0/1.
route-record: Specifies the route record packet attack.
smurf: Specifies the Smurf packet attack.
source-route: Specifies the source route packet attack.
tcp-flag: Specifies the TCP flag packet attack.
tracert: Specifies the Tracert packet attack.
winnuke: Specifies the WinNuke packet attack.
Examples
# Enable signature detection of Fraggle attack in attack protection policy 1.

Syntax
signature-detect large-icmp max-length length
undo signature-detect large-icmp max-length
Default
An ICMP packet length of 4000 bytes triggers large ICMP attack protection.
Views
Attack protection policy view
Default command level
2: System level
Parameters
length: Maximum length of an ICMP packet, in the range of 28 to 65534 bytes.

Default command level
2: System level
Usage guidelines
Usually, the TCP proxy function is used on a device's interfaces connected to external networks to protect internal servers from SYN flood attacks. When detecting a SYN flood attack, the device can take the protection actions configured by using the defense syn-flood action command.

Related commands
• tcp-proxy enable
• display tcp-proxy protected-ip

TCP attack protection configuration commands

display tcp status
Use display tcp status to display the status of all TCP connections for monitoring TCP connections.
Syntax
display tcp status [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

Use undo tcp anti-naptha enable to disable the protection against Naptha attack.
Syntax
tcp anti-naptha enable
undo tcp anti-naptha enable
Default
The protection against Naptha attack is disabled.
Views
System view
Default command level
2: System level
Usage guidelines
The configurations made by using the tcp state and tcp timer check-state commands are removed after the protection against Naptha attack is disabled.
Examples
# Enable the protection against Naptha attack.

last-ack: LAST_ACK state of a TCP connection.
syn-received: SYN_RECEIVED state of a TCP connection.
connection-number number: Maximum number of TCP connections in a certain state. The number argument is in the range of 0 to 500.
Usage guidelines
You must enable the protection against Naptha attack before executing this command. Otherwise, an error is prompted. You can configure the maximum number of TCP connections in each state separately.

Use undo tcp timer check-state to restore the default.
Syntax
tcp timer check-state time-value
undo tcp timer check-state
Default
The TCP connection state check interval is 30 seconds.
Views
System view
Default command level
2: System level
Parameters
time-value: TCP connection state check interval in seconds, in the range of 1 to 60.
Usage guidelines
The device periodically checks the number of TCP connections in each state.

IP source guard configuration commands
IP source guard configuration commands are available only for SAP interface modules operating in Layer 2 mode.

display ip source binding
Use display ip source binding to display IPv4 source guard entries.

display ip source binding
Total entries found: 5
MAC Address     IP Address   VLAN   Interface   Type
040a-0000-4000  10.1.0.9     2      GE3/0/1     Static
040a-0000-3000  10.1.0.8     2      GE3/0/1     DHCP-SNP
040a-0000-2000  10.1.0.7     2      GE3/0/1     DHCP-SNP
040a-0000-1000  10.1.0.6     N/A    GE3/0/2     DHCP-RLY
040a-0000-0000  N/A          N/A    GE3/0/2     DHCP-RLY
# Display all static IPv4 source guard entries.

Default
No static IPv4 binding entry exists on a port.
Views
Layer 2 Ethernet interface view
Default command level
2: System level
Parameters
ip-address ip-address: Specifies the IPv4 address for the static binding entry. The IPv4 address cannot be 127.x.x.x, 0.0.0.0, or a multicast IP address.
mac-address mac-address: Specifies the MAC address for the static binding in the format H-H-H. The MAC address cannot be all 0s, all Fs (a broadcast address), or a multicast address.

Parameters
ip-address: Binds source IPv4 addresses to the port.
ip-address mac-address: Binds source IPv4 addresses and MAC addresses to the port.
mac-address: Binds source MAC addresses to the port.
Usage guidelines
After you enable the IPv4 source guard function on a port, IPv4 source guard dynamically generates IPv4 source guard entries based on the DHCP snooping entries or the DHCP relay entries, and all static IPv4 source guard entries on the port become effective.

Parameters
number: Maximum number of IPv4 source guard entries allowed on a port, in the range of 0 to 256.
Usage guidelines
If the maximum number of IPv4 binding entries to be configured is smaller than the number of existing IPv4 binding entries on the port, the maximum number can be configured successfully and the existing entries are not affected. New IPv4 binding entries, however, cannot be added until the number of IPv4 binding entries on the port drops below the configured maximum.
ARP attack protection configuration commands

IP flood protection configuration commands

arp resolving-route enable
Use arp resolving-route enable to enable ARP black hole routing.
Use undo arp resolving-route enable to disable the function.
Syntax
arp resolving-route enable
undo arp resolving-route enable
Default
ARP black hole routing is disabled.
Views
System view
Default command level
2: System level
Examples
# Enable ARP black hole routing.

Examples
# Enable the ARP source suppression function.
system-view
[Sysname] arp source-suppression enable
Related commands
display arp source-suppression

arp source-suppression limit
Use arp source-suppression limit to set the maximum number of unresolvable IP packets that can be received from a device in five seconds. Unresolvable IP packets refer to packets that cannot be resolved by ARP.
Use undo arp source-suppression limit to restore the default value, which is 10.

Default command level
2: System level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.

Parameters
disable: Disables ARP packet rate limit.
rate pps: ARP packet rate in pps, in the range of 5 to 8192.
drop: Discards the exceeded packets.
slot slot-number: Specifies the slot number of the card. The following matrix shows the option and router compatibility:
Option            6602   HSR6602   6604/6608/6616
slot slot-number  No     Yes       Yes
Examples
# Specify the ARP packet rate for the card in slot 1 as 50 pps, and discard exceeded packets.

[Sysname] arp anti-attack valid-check enable

ARP active acknowledgement configuration commands

arp anti-attack active-ack enable
Use arp anti-attack active-ack enable to enable the ARP active acknowledgement function.
Use undo arp anti-attack active-ack enable to restore the default.
Syntax
arp anti-attack active-ack enable
undo arp anti-attack active-ack enable
Default
The ARP active acknowledgement function is disabled.

Default
Authorized ARP is not enabled on the interface.
Views
Layer 3 Ethernet interface view
Default command level
2: System level
Examples
# Enable authorized ARP on GigabitEthernet 3/0/1.
system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] arp authorized enable

ARP detection configuration commands
NOTE: The commands of this feature are supported only when SAP modules operate in bridge mode.

• ip-address: Matches a sender IP address.
• ip-address-mask: Specifies the mask for the sender IP address in dotted decimal format. If no mask is specified, the ip-address argument specifies a host IP address.
mac { any | mac-address [ mac-address-mask ] }: Specifies the sender MAC address range.
• any: Matches any sender MAC address.
• mac-address: Matches a sender MAC address, in the format H-H-H.
• mac-address-mask: Specifies the mask for the sender MAC address, in the format H-H-H.

arp detection trust
Use arp detection trust to configure the port as an ARP trusted port.
Use undo arp detection trust to restore the default.
Syntax
arp detection trust
undo arp detection trust
Default
The port is an ARP untrusted port.
Views
Layer 2 Ethernet interface view
Default command level
2: System level
Examples
# Configure GigabitEthernet 3/0/1 as an ARP trusted port.

ip: Checks the source and destination IP addresses of ARP packets. All-zero, all-one, and multicast IP addresses are considered invalid and the corresponding packets are discarded. With this keyword specified, the source and destination IP addresses of ARP replies, and the source IP address of ARP requests, are checked.
src-mac: Checks whether the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet header. If they are identical, the packet is considered valid.
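The ip and src-mac validity checks described above, as an added example that is not HP code: it parses a raw Ethernet/ARP frame, applies the ip check to the sender and target IP of replies and to the sender IP of requests only, compares the ARP sender MAC with the Ethernet source MAC for src-mac, and counts discards under the IP and Src-MAC column names of the detection statistics. The dst-mac check is not modelled because its rule is not given in this section; the frames are constructed for the test.

```python
import ipaddress
import struct
from typing import Dict, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac(text: str) -> bytes:
    """H-H-H or colon notation to 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def build_arp_frame(eth_src: str, eth_dst: str, oper: int,
                    sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Constructed Ethernet/ARP frame for testing (not captured traffic)."""
    return ETH_HDR.pack(mac(eth_dst), mac(eth_src), 0x0806) + ARP_HDR.pack(
        1, 0x0800, 6, 4, oper, mac(sha), ipaddress.IPv4Address(spa).packed,
        mac(tha), ipaddress.IPv4Address(tpa).packed)


def _invalid_ip(raw: bytes) -> bool:
    # All-zero, all-one and multicast addresses are invalid.
    return raw == b"\x00\x00\x00\x00" or raw == b"\xff\xff\xff\xff" \
        or ipaddress.IPv4Address(raw).is_multicast


def validity_check(frame: bytes, checks=("ip", "src-mac")) -> Tuple[bool, str]:
    """Return (valid, reason). reason names the discard statistic column
    ("IP" or "Src-MAC") the packet would count under, or "" if it passes."""
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    _htype, _ptype, _hlen, _plen, oper, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if "ip" in checks:
        # Replies: sender and target IP are checked; requests: sender IP only.
        if _invalid_ip(spa) or (oper == ARP_REPLY and _invalid_ip(tpa)):
            return False, "IP"
    if "src-mac" in checks and sha != eth_src:
        return False, "Src-MAC"
    return True, ""


class ArpDetectionCounters:
    """Per-port discard counters in the shape of the detection statistics table."""

    def __init__(self) -> None:
        self.counts: Dict[str, int] = {"IP": 0, "Src-MAC": 0}

    def inspect(self, frame: bytes, checks=("ip", "src-mac")) -> bool:
        ok, reason = validity_check(frame, checks)
        if not ok:
            self.counts[reason] += 1
        return ok
```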
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.

GE3/0/1(U)   40    0    0    78
GE3/0/2(U)   0     0    0    0
GE3/0/3(T)   0     0    0    0
GE3/0/4(U)   0     0    30   0
Table 84 Command output
Field             Description
Interface(State)  State T or U identifies a trusted or untrusted port.
IP                Number of ARP packets discarded due to invalid source and destination IP addresses.
Src-MAC           Number of ARP packets discarded due to invalid source MAC address.
Dst-MAC           Number of ARP packets discarded due to invalid destination MAC address.

Syntax
arp fixup
Views
System view
Default command level
2: System level
Usage guidelines
The static ARP entries changed from dynamic ARP entries have the same attributes as the manually configured static ARP entries. The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device might fail to change all dynamic ARP entries into static ARP entries.

range contains multiple network segments, the sender IP address in the ARP request is the interface address on the smallest network segment. If no address range is specified, the device only scans the network where the primary IP address of the interface resides for neighbors. The sender IP address in the ARP requests is the primary IP address of the interface.

Parameters
ip-address: IP address of a protected gateway.
Usage guidelines
You can enable ARP gateway protection for up to eight gateways on a port. You cannot configure both the arp filter source and arp filter binding commands on a port.
Examples
# Enable ARP gateway protection for the gateway with IP address 1.1.1.1.
system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] arp filter source 1.1.1.

system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] arp filter binding 1.1.1.

ND attack defense configuration commands

ipv6 nd mac-check enable
Use ipv6 nd mac-check enable to enable source MAC consistency check for ND packets.
Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND packets.
Syntax
ipv6 nd mac-check enable
undo ipv6 nd mac-check enable
Default
Source MAC consistency check is disabled for ND packets.

URPF configuration commands

ip urpf
Use ip urpf to enable URPF check on an interface to prevent source address spoofing attacks.
Use undo ip urpf to disable URPF check.
Syntax
ip urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]
undo ip urpf
Default
URPF check is disabled.
Views
Interface view
Default command level
2: System level
Parameters
loose: Enables loose URPF check.

FIPS configuration commands

display fips status
Use display fips status to display the current FIPS mode state.
Syntax
display fips status
Views
Any view
Default command level
1: Monitor level
Examples
# Display the current FIPS mode state.
display fips status
FIPS mode is enabled
Related commands
fips mode enable

fips mode enable
Use fips mode enable to enable FIPS mode.
Use undo fips mode enable to disable FIPS mode.

1. Enable FIPS mode.
2. Enable the password control function.
3. Configure the username and password to log in to the device in FIPS mode. The password must comprise at least 10 characters and must contain uppercase and lowercase letters, digits, and special characters.
4. Delete all MD5-based digital certificates.
5. Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.
6. Save the configuration.

Default command level
3: Manage level
Usage guidelines
To examine whether the cryptography modules operate correctly, you can use this command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the self-test fails, the device automatically reboots.
Examples
# Trigger a self-test on the cryptographic algorithms.
system-view
[Sysname] fips self-test
Self-tests are running. Please wait...
Self-tests succeeded.

Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website:
http://www.hp.

Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention       Description
Boldface         Bold text represents commands and keywords that you enter literally as shown.
Italic           Italic text represents arguments that you replace with actual values.
[ ]              Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }  Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.

Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
Represents an access point.
stop-accounting-buffer enable (HWTACACS scheme view),115 timer response-timeout (RADIUS scheme view),95 stop-accounting-buffer enable (RADIUS scheme view),92 transform-set,321 transform,321 tunnel local,322 Subscription service,520 tunnel remote,323 T U tcp anti-naptha enable,491 user-group,55 tcp state,492 user-name-format (HWTACACS scheme view),118 tcp syn-check,415 user-name-format (RADIUS scheme view),96 tcp syn-cookie enable,493 user-profile,211 tcp timer check-state,493 user-profile