HP 6600/HSR6600 Routers
Security Command Reference
Part number: 5998-1514
Software version:
A6602-CMW520-R3303P05
A6600-CMW520-R3303P05-RPE
A6600-CMW520-R3303P05-RSE
HSR6602_MCP-CMW520-R3303P05
Document version: 6PW105-20140507
Legal and notice information
© Copyright 2014 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
AAA configuration commands
General AAA configuration commands
aaa nas-id profile
Use aaa nas-id profile to create a NAS ID profile and enter its view. A NAS ID profile maintains the bindings between NAS IDs and VLANs.
Use undo aaa nas-id profile to remove a NAS ID profile.
Syntax
aaa nas-id profile profile-name
undo aaa nas-id profile profile-name
Views
System view
Default command level
2: System level
Parameters
profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters.
Views
ISP domain view
Default command level
2: System level
Parameters
max-user-number: Maximum number of online users that the ISP domain can accommodate, in the range of 1 to 2147483646.
Usage guidelines
System resources are limited, and user connections may compete for network resources when there are many users. Setting a proper limit to the number of online users helps provide reliable system performance.
Examples
# Set a limit of 500 user connections for ISP domain test.
Examples
# Configure ISP domain test to use HWTACACS scheme hwtac for command line accounting.
system-view
[Sysname] domain test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac
Related commands
• accounting default
• hwtacacs scheme
accounting default
Use accounting default to configure the default accounting method for an ISP domain.
Use undo accounting default to restore the default.
[Sysname] domain test
[Sysname-isp-test] accounting default radius-scheme rd local
Related commands
• local-user
• hwtacacs scheme
• radius scheme
accounting dvpn
Use accounting dvpn to configure the accounting method for DVPN users.
Use undo accounting dvpn to restore the default.
Syntax
accounting dvpn { local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting dvpn
Default
The default accounting method for the ISP domain is used for DVPN users.
• radius scheme
accounting lan-access
Use accounting lan-access to configure the accounting method for LAN users.
Use undo accounting lan-access to restore the default.
Syntax
accounting lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo accounting lan-access
Default
The default accounting method for the ISP domain is used for LAN users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local accounting.
accounting login
Use accounting login to configure the accounting method for login users through the console, AUX, or Asyn port or through Telnet.
Use undo accounting login to restore the default.
Syntax
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting login
Default
The default accounting method for the ISP domain is used for login users.
accounting optional
Use accounting optional to enable the accounting optional feature.
Use undo accounting optional to disable the feature.
Syntax
accounting optional
undo accounting optional
Default
The feature is disabled.
Default command level
2: System level
Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
Examples
# Configure ISP domain test to use local accounting for portal users.
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
Examples
# Configure ISP domain test to use local accounting for PPP users.
Parameters
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The following matrix shows the command and router compatibility:
Command              6602   HSR6602   6604/6608/6616
accounting ssl-vpn   Yes    Yes       No
The specified RADIUS scheme must have been configured.
Examples
# Configure ISP domain test to use RADIUS accounting scheme rd for SSL VPN users.
Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
The default authentication method is used for all users who support the specified authentication method and have no specific authentication method configured.
Examples
# Configure the default authentication method for ISP domain test to use RADIUS authentication scheme rd and use local authentication as the backup.
# Configure ISP domain test to use RADIUS authentication scheme rd for DVPN users and use local authentication as the backup.
system-view
[Sysname] domain test
[Sysname-isp-test] authentication dvpn radius-scheme rd local
Related commands
• local-user
• authentication default
• radius scheme
authentication lan-access
Use authentication lan-access to configure the authentication method for LAN users.
Use undo authentication lan-access to restore the default.
[Sysname-isp-test] authentication lan-access radius-scheme rd local
Related commands
• local-user
• authentication default
• radius scheme
authentication login
Use authentication login to configure the authentication method for login users through the console, AUX, or Asyn port, Telnet, or FTP.
Use undo authentication login to restore the default.
Related commands
• local-user
• authentication default
• hwtacacs scheme
• radius scheme
authentication portal
Use authentication portal to configure the authentication method for portal users.
Use undo authentication portal to restore the default.
Syntax
authentication portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication portal
Default
The default authentication method for the ISP domain is used for portal users.
authentication ppp
Use authentication ppp to configure the authentication method for PPP users.
Use undo authentication ppp to restore the default.
Syntax
authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication ppp
Default
The default authentication method for the ISP domain is used for PPP users.
authentication ssl-vpn
Use authentication ssl-vpn to configure the RADIUS authentication method for SSL VPN users.
Use undo authentication ssl-vpn to restore the default.
Syntax
authentication ssl-vpn radius-scheme radius-scheme-name
undo authentication ssl-vpn
Default
The default authentication method for the ISP domain is used for SSL VPN users.
Default
The default authentication method for the ISP domain is used for user privilege level switching authentication.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated user can access only commands of Level 0.
Usage guidelines
The specified HWTACACS scheme must have been configured.
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the device, and other login users can access only the commands of Level 0.
Parameters
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated LAN user can access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
none: Does not perform any authorization exchange. In this case, an authenticated LAN user can access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
This command is supported only on SAP interface modules that are operating in Layer 2 mode.
The specified RADIUS scheme must have been configured.
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. After passing authentication, FTP users can access the root directory of the device, and other login users can access only the commands of Level 0.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Default command level
2: System level
Parameters
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated portal user can access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated PPP user can access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Views
ISP domain view
Default command level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The following matrix shows the command and router compatibility:
Command                 6602   HSR6602   6604/6608/6616
authorization ssl-vpn   Yes    Yes       No
The specified RADIUS scheme must have been configured.
Parameters
profile-name: Name of the user profile, a case-sensitive string of 1 to 31 characters. For more information about user profile configuration, see Security Configuration Guide.
Usage guidelines
After a user of an ISP domain passes authentication, if the server (or the access device in the case of local authentication) does not authorize any user profile to the ISP domain, the system uses the user profile specified by the authorization-attribute user-profile command as that of the ISP domain.
ucibindex ucib-index: Specifies the user connection that uses the connection index, in the range of 0 to 4294967295.
user-name user-name: Specifies the user connections that use the username. The user-name argument is a case-sensitive string of 1 to 80 characters. For a username entered without a domain name, the system assumes that the user is in the default domain or the mandatory authentication domain.
slot slot-number: Specifies a card by its slot number.
Default command level
1: Monitor level
Parameters
access-type: Specifies the user connections of the specified access type.
• dot1x: Indicates 802.1X authentication. This keyword is supported only on the SAP interface modules that are operating in Layer 2 mode.
• mac-authentication: Indicates MAC address authentication. This keyword is supported only on the SAP interface modules that are operating in Layer 2 mode.
• portal: Indicates portal authentication.
authentication, authorization, and accounting for users who access the interface through the specified access type. To display connections of such users, use the display connection domain isp-name command and specify the mandatory authentication domain.
Slot: 0
Index=0 , Username=telnet@system
IP=10.0.0.1
IPv6=N/A
Access=Admin ,AuthMethod=PAP
Port Type=Virtual ,Port Name=N/A
ACL Group=Disable
User Profile=N/A
CAR=Disable
Priority=Disable
SessionTimeout=60(s), Terminate-Action=Radius-Request
Start=2009-07-16 10:53:03 ,Current=2009-07-16 10:57:06 ,Online=00h04m03s
Total 1 connection matched.
Slot: 1
Total 0 connection matched.
Slot: 2
Total 0 connection matched.
display domain
Use display domain to display the configuration of ISP domains.
Syntax
display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
isp-name: Name of an existing ISP domain, a string of 1 to 24 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Lan-access authorization scheme : hwtacacs:hw, local
Lan-access accounting scheme : local
Domain User Template:
Idle-cut : Disabled
Session-time : exclude-idle-time
Self-service : Disabled
Authorization attributes :
User-profile : profile1
Default Domain Name: system
Total 2 domain(s).
Table 2 Command output
Field     Description
Domain    ISP domain name.
State     Status of the ISP domain: active or blocked.
Field                      Description
Authorization attributes   Default authorization attributes for the ISP domain.
User-profile               Default authorization user profile.
Related commands
• access-limit enable
• domain
• state
domain
Use domain to create an ISP domain and enter ISP domain view.
Use undo domain to remove an ISP domain.
Syntax
domain isp-name
undo domain isp-name
Default
There is a system predefined ISP domain named system in the system.
domain default enable
Use domain default enable to specify the default ISP domain. Users without any domain name carried in the usernames are considered to be in the default domain.
Use undo domain default enable to restore the default.
Syntax
domain default enable isp-name
undo domain default enable
Default
The default ISP domain is the system predefined ISP domain system.
undo domain if-unknown
Default
No ISP domain is specified for users with unknown domain names.
Views
System view
Default command level
3: Manage level
Parameters
isp-name: Specifies an ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain the slash (/), backslash (\), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), quotation marks ("), and at sign (@).
Views
ISP domain view
Default command level
2: System level
Parameters
minute: Idle timeout period, ranging from 1 to 600 minutes.
flow: Minimum traffic during the idle timeout period in bytes. It ranges from 1 to 10240000 and defaults to 10240.
low-ip-address and high-ip-address: Start and end IP addresses of the address pool. Up to 1024 addresses are allowed for an address pool. If you do not specify the end IP address, there is only one IP address in the pool, which is the start IP address.
Usage guidelines
You can also configure an address pool for PPP users in system view. An IP address pool configured in system view is used to assign IP addresses to PPP users who do not need to be authenticated.
Usage guidelines
The following matrix shows the command and router compatibility:
Command         6602   HSR6602   6604/6608/6616
nas device-id   Yes    Yes       No
Configuring or changing the device ID of a device logs out all online users of the device.
The two devices working in stateful failover mode must use the device IDs of 1 and 2. The device ID is the symbol for stateful failover mode. A router operating in standalone mode does not require any device ID.
system-view
[Sysname] aaa nas-id profile aaa
[Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2
Related commands
aaa nas-id profile
self-service-url enable
Use self-service-url enable to enable the self-service server location function and specify the URL of the self-service server.
Use undo self-service-url enable to restore the default.
Syntax
self-service-url enable url-string
undo self-service-url enable
Default
The self-service server location function is disabled.
undo session-time include-idle-time
Default
The user online time uploaded to the server excludes the idle cut time.
Views
ISP domain view
Default command level
2: System level
Usage guidelines
The device uploads to the server the online user time when a user is logged off. However, the online user time of an abnormally logged-off user can contain an idle timeout interval or a detection interval when the idle cut function or online portal user detection is enabled.
Usage guidelines
By blocking an ISP domain, you disable offline users of the domain from requesting network services. The online users are not affected.
Examples
# Place the ISP domain test to the blocked state.
system-view
[Sysname] domain test
[Sysname-isp-test] state block
Local user configuration commands
access-limit
Use access-limit to limit the number of concurrent users of the same local user account.
Use undo access-limit to remove the limitation.
authorization-attribute
Use authorization-attribute to configure authorization attributes for the local user or user group. After the local user or a local user of the user group passes authentication, the device assigns these attributes to the user.
Use undo authorization-attribute to remove authorization attributes and restore the defaults.
described in the information center commands. For more information, see Network Management and Monitoring Command Reference.
• vlan vlan-id: Specifies the authorized VLAN, where vlan-id ranges from 1 to 4094. After passing authentication, a local user can access the resources in this VLAN.
• work-directory directory-name: Specifies the work directory, if the user or users use the FTP or SFTP service. The directory-name argument is a case-insensitive string of 1 to 135 characters.
Views
Local user view
Default command level
3: Manage level
Parameters
call-number call-number: Specifies a calling number for ISDN user authentication. The call-number argument is a string of 1 to 64 characters. This option applies only to PPP users.
subcall-number: Specifies the sub-calling number. The total length of the calling number and the sub-calling number cannot be more than 62 characters.
ip ip-address: Specifies the IP address of the user.
Parameters
idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled. The following matrix shows the parameter and router compatibility:
Parameter                       6602   HSR6602   6604/6608/6616
idle-cut { disable | enable }   No     No        Yes
service-type: Specifies the local users who use a specified type of service.
• dvpn: DVPN tunnel users.
• ftp: FTP users. This keyword is not supported in FIPS mode.
• lan-access: Users accessing the network through Ethernet, such as 802.
Examples
# On the 6602 router, display information about all local users.
display local-user
The contents of local user abc:
State: Active
ServiceType: ppp
Access-limit: Enabled
Max AccessNum: 300
User-group: system
Current AccessNum: 0
Bind attributes:
IP address: 1.2.3.
Field                  Description
Expiration date        Expiration time of the local user.
Password aging         Aging time of the local user password.
Password length        Minimum length of the local user password.
Password composition   Password composition policy of the local user.
# On the HSR6602/6604/6608/6616 router, display information about local user bbb on slot 0.
Field                      Description
VLAN ID                    VLAN to which the local user is bound.
User Profile               User profile for local user authorization.
Calling Number             Calling number of the ISDN user.
Authorization attributes   Authorization attributes of the local user.
Idle TimeOut               Idle timeout period of the user, in minutes.
Callback-number            Authorized PPP callback number of the local user.
Work Directory             Directory accessible to the FTP user.
VLAN ID                    Authorized VLAN of the local user.
display user-group abc
The contents of user group abc:
Authorization attributes:
Idle-cut: 120(min)
Work Directory: cfa0:
Level: 1
Acl Number: 2000
Vlan ID: 1
User-Profile: 1
Callback-number: 1
Password aging: Enabled (1 days)
Password length: Enabled (4 characters)
Password composition: Enabled (1 types, 1 characters per type)
Total 1 user group(s) matched.
Table 5 Command output
Field      Description
Idle-cut   Idle timeout interval, in minutes.
Default command level
3: Manage level
Parameters
time: Expiration time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where HH ranges from 0 to 23, and MM and SS range from 0 to 59. MM/DD/YYYY or YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and the range of DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted.
[Sysname] local-user 111
[Sysname-luser-111] group abc
group-attribute allow-guest
Use group-attribute allow-guest to set the guest attribute for a user group.
Use undo group-attribute allow-guest to restore the default.
Syntax
group-attribute allow-guest
undo group-attribute allow-guest
Default
The guest attribute is not set for a user group.
Parameters
user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain any backward slash (\), forward slash (/), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@) and cannot be a, al, or all.
all: Specifies all users.
service-type: Specifies the users of a type.
• ftp: FTP users. This keyword is not supported in FIPS mode.
password: Specifies the password string. This argument is case sensitive. If hash is not specified, a ciphertext password must be a string of 1 to 117 characters and a plaintext password must be a string of 1 to 63 characters. If hash is specified, a ciphertext password must be a string of 1 to 110 characters and a plaintext password must be a string of 1 to 63 characters.
Usage guidelines
If you do not specify any parameter, you enter the interactive mode to set a plaintext password string.
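The naming rules for ISP domains (domain if-unknown), local user names (local-user) and the password length limits above can be checked offline before a configuration is pushed. The following validator is an added example, not code from this reference or from HP; the user@domain login name format follows the telnet@system form shown in the display connection output, the reserved-name and forbidden-character sets are copied from the parameter descriptions, and all sample names are constructed.

```python
"""Validate ISP domain names, local user names and password lengths against the
limits in the reference. Added example, not HP code; the rule sets are copied from
the domain if-unknown, local-user and password parameter descriptions."""

DOMAIN_FORBIDDEN = set('/\\:*?<>"@')      # ISP domain name (domain if-unknown / domain)
LOCAL_USER_FORBIDDEN = set('\\/|:*?<>@')   # local-user user-name
LOCAL_USER_RESERVED = {"a", "al", "all"}   # names the reference disallows


def check_domain_name(name):
    """Return a list of violated rules (empty when the name is acceptable)."""
    errors = []
    if not 1 <= len(name) <= 24:
        errors.append("length must be 1 to 24 characters")
    bad = sorted(set(name) & DOMAIN_FORBIDDEN)
    if bad:
        errors.append("forbidden characters: " + " ".join(bad))
    return errors


def check_local_user_name(name):
    """Return a list of violated rules for a local-user name (without domain)."""
    errors = []
    if not 1 <= len(name) <= 55:
        errors.append("length must be 1 to 55 characters")
    bad = sorted(set(name) & LOCAL_USER_FORBIDDEN)
    if bad:
        errors.append("forbidden characters: " + " ".join(bad))
    if name in LOCAL_USER_RESERVED:
        errors.append("name is reserved (a, al, all)")
    return errors


def check_password_length(password, ciphertext=False, hashed=False):
    """Apply the length limits the password command states.

    Plaintext: 1 to 63 characters. Ciphertext: 1 to 117 characters, or 1 to 110
    when the hash keyword is used.
    """
    if ciphertext:
        limit = 110 if hashed else 117
    else:
        limit = 63
    if not 1 <= len(password) <= limit:
        return [f"length must be 1 to {limit} characters"]
    return []


def split_login_name(full_name):
    """Split 'user@domain' into (user, domain); domain is None when absent.

    '@' is forbidden in both halves, so the split is unambiguous. A missing
    domain means the device applies the default ISP domain (domain default enable).
    """
    if "@" not in full_name:
        return full_name, None
    user, domain = full_name.split("@", 1)
    return user, domain


def check_login_name(full_name):
    """Validate both halves of a login name and return all violations."""
    user, domain = split_login_name(full_name)
    errors = ["user: " + e for e in check_local_user_name(user)]
    if domain is not None:
        errors += ["domain: " + e for e in check_domain_name(domain)]
    return errors


if __name__ == "__main__":
    for sample in ("telnet@system", "all@sys*tem", "us|er:1", "ok-user@test"):
        print(sample, "->", check_login_name(sample) or "ok")
```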
Views
Local user view
Default command level
3: Manage level
Parameters
dvpn: Authorizes the user to use the DVPN service.
ftp: Authorizes the user to use the FTP service. The user can use the root directory of the FTP server by default. This keyword is not supported in FIPS mode.
lan-access: Authorizes the user to use the LAN access service. The users are mainly Ethernet users such as 802.1X users. This keyword is supported only on SAP interface modules.
ssh: Authorizes the user to use the SSH service.
block: Places the local user in blocked state to prevent the local user from requesting network services.
Usage guidelines
By blocking a user, you disable the user from requesting network services. No other users are affected.
Examples
# Place local user user1 to the blocked state.
system-view
[Sysname] local-user user1
[Sysname-luser-user1] state block
Related commands
local-user
user-group
Use user-group to create a user group and enter its view.
Use undo user-group to remove a user group.
validity-date
Use validity-date to set the validity time of a local user.
Use undo validity-date to remove the configuration.
Syntax
validity-date time
undo validity-date
Default
A local user has no validity time and no time validity checking is performed.
Views
Local user view
Default command level
3: Manage level
Parameters
time: Validity time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS.
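Both expiration-date and validity-date take the same time argument, with the four layouts and field ranges described under expiration-date. The following parser is an added example, not code from this reference or from HP; it implements those layouts and range checks so an operator can validate the argument, or compare expiration dates across exported local-user configurations, before applying them. The as_tuple, is_valid and is_expired helper names are assumptions.

```python
"""Parse and range-check the time argument of expiration-date and validity-date.

Added example, not HP code. It accepts the four layouts the reference lists
(HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, YYYY/MM/DD-HH:MM:SS),
allows omitted leading zeros except in 00:00:00, and checks every field range.
"""
import calendar
from datetime import datetime

YEAR_MIN, YEAR_MAX = 2000, 2035


def _three_fields(part, sep, label):
    """Split on sep into exactly three digit-only fields; return (raw, ints)."""
    raw = part.split(sep)
    if len(raw) != 3 or not all(f.isdigit() for f in raw):
        raise ValueError(f"{label} must be three numeric fields separated by '{sep}'")
    return raw, [int(f) for f in raw]


def parse_device_time(text):
    """Return a datetime for a valid argument; raise ValueError naming the broken rule."""
    if text.count("-") != 1:
        raise ValueError("expected exactly one '-' between the time and the date")
    left, right = text.split("-")
    if ":" in left and "/" in right:
        time_part, date_part = left, right
    elif "/" in left and ":" in right:
        date_part, time_part = left, right
    else:
        raise ValueError("one side must use ':' (time) and the other '/' (date)")

    raw_t, (hh, mm, ss) = _three_fields(time_part, ":", "time")
    # The reference allows dropping leading zeros except for the zeros in 00:00:00.
    if hh == mm == ss == 0 and raw_t != ["00", "00", "00"]:
        raise ValueError("midnight must be written as 00:00:00")
    if not (0 <= hh <= 23 and 0 <= mm <= 59 and 0 <= ss <= 59):
        raise ValueError("HH must be 0 to 23, MM and SS 0 to 59")

    raw_d, nums = _three_fields(date_part, "/", "date")
    # YYYY is 2000 to 2035 and so always four digits; its position tells the layouts apart.
    if len(raw_d[0]) == 4:
        year, month, day = nums
    elif len(raw_d[2]) == 4:
        month, day, year = nums
    else:
        raise ValueError("the date must be MM/DD/YYYY or YYYY/MM/DD with a four-digit year")
    if not YEAR_MIN <= year <= YEAR_MAX:
        raise ValueError(f"YYYY must be {YEAR_MIN} to {YEAR_MAX}")
    if not 1 <= month <= 12:
        raise ValueError("MM must be 1 to 12")
    last_day = calendar.monthrange(year, month)[1]   # DD depends on the month
    if not 1 <= day <= last_day:
        raise ValueError(f"DD must be 1 to {last_day} for {year}/{month}")
    return datetime(year, month, day, hh, mm, ss)


def as_tuple(text):
    """(YYYY, MM, DD, HH, MM, SS) for a valid argument; convenient for comparisons."""
    t = parse_device_time(text)
    return (t.year, t.month, t.day, t.hour, t.minute, t.second)


def is_valid(text):
    """True when the device would accept the argument under the stated rules."""
    try:
        parse_device_time(text)
        return True
    except ValueError:
        return False


def is_expired(text, now=None):
    """True once the expiration-date argument lies in the past (now defaults to the clock)."""
    now = now or datetime.now()
    return parse_device_time(text) < now


if __name__ == "__main__":
    for sample in ("10:53:03-2009/07/16", "1:2:3-7/16/2009", "0:0:0-2010/1/1", "12:00:00-2009/02/30"):
        try:
            print(sample, "->", parse_device_time(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```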
Use undo accounting-on enable to disable the accounting-on feature.
Syntax
accounting-on enable [ interval seconds | send send-times ] *
undo accounting-on enable
Default
The accounting-on feature is disabled.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
seconds: Time interval for retransmitting an accounting-on packet in seconds, ranging from 1 to 15. The default is 3 seconds.
send-times: Maximum number of accounting-on packet transmission attempts, ranging from 1 to 255.
Default
RADIUS attribute 25 is not interpreted as CAR parameters.
Views
RADIUS scheme view
Default command level
2: System level
Examples
# Specify the device to interpret RADIUS attribute 25 as CAR parameters.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute 25 car
Related commands
• display radius scheme
• display connection
data-flow-format (RADIUS scheme view)
Use data-flow-format to set the traffic statistics unit for data flows or packets.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet
Related commands
display radius scheme
display radius scheme
Use display radius scheme to display the configuration of RADIUS schemes.
VPN instance : 1
Probe username : N/A
Probe interval : N/A
Primary Acct Server:
IP: 1.1.1.1 Port: 1813 State: active
Port: 1812 State: active
Port: 1812 State: active
Port: 1813 State: block
Encryption Key : ******
VPN instance : 1
Second Auth Server:
IP: 1.1.2.1
Encryption Key : N/A
VPN instance : N/A
Probe username : N/A
Probe interval : N/A
IP: 1.1.3.1
Encryption Key : N/A
VPN instance : N/A
Probe username : N/A
Probe interval : N/A
Second Acct Server:
IP: 1.1.2.
Field Description Type Type of the RADIUS server supported on the router: • Extended—The RADIUS server uses the proprietary RADIUS protocol of HP for packet exchange. • Standard—The RADIUS server uses the standard RADIUS protocol for packet exchange. The protocol is compliant to RFC 2865 and RFC 2866 or later. Primary Auth Server Information about the primary authentication server. Primary Acct Server Information about the primary accounting server.
Field Description Data flow unit Unit for data flows sent to the RADIUS server. Packet unit Unit for packets sent to the RADIUS server. NAS-IP address Source IP address for RADIUS packets to be sent. Attribute 25 Interprets RADIUS attribute 25 as the CAR parameters. Related commands radius scheme display radius statistics Use display radius statistics to display statistics about RADIUS packets.
Resend Times    Resend total
1               508
2               508
Total           1016
RADIUS received packets statistic:
Code = 2   Num = 15   Err = 0
Code = 3   Num = 4    Err = 0
Code = 5   Num = 4    Err = 0
Code = 11  Num = 0    Err = 0
Running statistic:
RADIUS received messages statistic:
Auth request            Num = 24    Err = 0    Succ = 24
Account request         Num = 4     Err = 0    Succ = 4
Account off request     Num = 503   Err = 0    Succ = 503
PKT auth timeout        Num = 15    Err = 5    Succ = 10
PKT acct_timeout        Num = 1509  Err = 503  Succ = 1006
Real
Field Description AcctStart Number of users for whom accounting has been started. RLTSend Number of users for whom the system sends real-time accounting packets. RLTWait Number of users waiting for real-time accounting. AcctStop Number of users in the accounting-stop waiting state. OnLine Number of online users. Stop Number of users in the state of stop. Received and Sent packets statistic Statistics for packets received and sent by the RADIUS module.
Field Description Auth reject Number of rejected authentication packets. Auth continue Number of authentication-continue packets received. Account success Number of accounting succeeded packets. Account failure Number of accounting failed packets. Server ctrl req Number of server control requests. RecError_MSG_sum Number of received packets in error. SndMSG_Fail_sum Number of packets that failed to be sent out. Timer_Err Number of packets for indicating timer startup failures.
PKT auth timeout            Num = 15    Err = 5    Succ = 10
PKT acct_timeout            Num = 1509  Err = 503  Succ = 1006
Realtime Account timer      Num = 0     Err = 0    Succ = 0
PKT response                Num = 23    Err = 0    Succ = 23
Session ctrl pkt            Num = 0     Err = 0    Succ = 0
Normal author request       Num = 0     Err = 0    Succ = 0
Set policy result           Num = 0     Err = 0    Succ = 0
Accounting on request       Num = 0     Err = 0    Succ = 0
Accounting on response      Num = 0     Err = 0    Succ = 0
Dynamic Author Ext request  Num = 0     Err = 0    Succ = 0
RADIUS sent
Field Description Received PKT total Number of packets received. Resend Times Number of transmission attempts. Resend total Number of packets retransmitted. RADIUS received packets statistic Statistics for RADIUS packets received by the RADIUS module. Code Packet type. Num Total number of packets. Err Number of packets that the device failed to process. Succ Number of messages that the device successfully processed.
Field Description Other_Error Number of packets for indicating other types of errors. No-response-acct-stop packet Number of times that no response was received for stop-accounting packets. Discarded No-response-acct-stop packet for buffer overflow Number of stop-accounting packets that were buffered but then discarded due to full memory.
exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines If the device sends a stop-accounting request to a RADIUS server but receives no response, it retransmits it up to a certain number of times (defined by the retry command).
Views RADIUS scheme view Default command level 2: System level Parameters accounting: Sets the shared key for secure RADIUS accounting communication. authentication: Sets the shared key for secure RADIUS authentication/authorization communication. cipher: Sets a ciphertext shared key. simple: Sets a plaintext shared key. key: Specifies the shared key string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 64 characters.
Use undo nas-backup-ip to restore the default. Syntax nas-backup-ip ip-address undo nas-backup-ip Default A RADIUS scheme is configured with no backup source IP address for outgoing RADIUS packets. Views RADIUS scheme view Default command level 2: System level Parameters ip-address: Backup source IP address for outgoing RADIUS packets. It must be the source IP address for outgoing RADIUS packets that is configured on the other device for stateful failover and cannot be 0.0.0.0, 255.255.255.
nas-ip (RADIUS scheme view) Use nas-ip to specify a source IP address for outgoing RADIUS packets. Use undo nas-ip to restore the default. Syntax nas-ip { ipv4-address | ipv6 ipv6-address } undo nas-ip Default The source IP address of an outgoing RADIUS packet is that configured by the radius nas-ip command in system view. If the radius nas-ip command is not configured, the source IP address is the IP address of the outbound interface.
primary accounting (RADIUS scheme view) Use primary accounting to specify the primary RADIUS accounting server. Use undo primary accounting to remove the configuration. Syntax primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] * undo primary accounting Default No primary RADIUS accounting server is specified.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme. If you change the primary accounting server when the device has already sent a start-accounting request to the server, the communication with the primary server times out, and the device looks for a server in active state from the new primary server on.
that contain numbers, uppercase letters, lowercase letters, and special characters, and is encrypted and decrypted by using 3DES. • cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 117 characters. • simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 64 characters. • If neither cipher nor simple is specified, you set a plaintext shared key string.
a port, the device might frequently change the server status, and the port might frequently join and leave the critical VLAN. Examples # For RADIUS scheme radius1, set the IP address of the primary authentication/authorization server to 10.110.1.1, the UDP port to 1812, and the shared key to hello in plain text. system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] primary authentication 10.110.1.
Examples # Enable the RADIUS client service. system-view [Sysname] radius client enable radius nas-backup-ip Use radius nas-backup-ip to specify a backup source IP address for outgoing RADIUS packets. Use undo radius nas-backup-ip to restore the default. Syntax radius nas-backup-ip ip-address [ vpn-instance vpn-instance-name ] undo radius nas-backup-ip Default A device is configured with no backup source IP address for outgoing RADIUS packets.
Examples # For the device working in stateful failover mode, specify the source IP address and backup source IP address for RADIUS packets as 2.2.2.2 and 3.3.3.3, respectively. system-view [Sysname] radius nas-ip 2.2.2.2 [Sysname] radius nas-backup-ip 3.3.3.3 On the backup device, you must specify the source IP address and backup source IP address for RADIUS packets as 3.3.3.3 and 2.2.2.2, respectively.
The setting configured by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas that configured by the radius nas-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence. Examples # Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1. system-view [Sysname] radius nas-ip 129.10.10.
Syntax radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down } undo radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down } Default The trap function is disabled for RADIUS. Views System view Default command level 2: System level Parameters accounting-server-down: Sends traps when the reachability of the accounting server changes.
Parameters slot slot-number: Specifies a card by its slot number. The slot-number argument represents the slot number of the card. The following matrix shows the option and router compatibility:
Option             6602    HSR6602    6604/6608/6616
slot slot-number   No      Yes        Yes
Examples # Clear RADIUS statistics.
Option             6602    HSR6602    6604/6608/6616
slot slot-number   No      Yes        Yes
Examples # Clear the stop-accounting requests buffered for user user0001@test. reset stop-accounting-buffer user-name user0001@test # Clear the stop-accounting requests buffered in the time range from 0:0:0 to 23:59:59 on August 31, 2006.
[Sysname-radius-radius1] retry 5 Related commands • radius scheme • timer response-timeout retry realtime-accounting Use retry realtime-accounting to set the maximum number of real-time accounting request transmission attempts. Use undo retry realtime-accounting to restore the default. Syntax retry realtime-accounting retry-times undo retry realtime-accounting Default The maximum number of real-time accounting request transmission attempts is 5.
[Sysname-radius-radius1] retry realtime-accounting 10 Related commands • retry • timer response-timeout • timer realtime-accounting retry stop-accounting (RADIUS scheme view) Use retry stop-accounting to set the maximum number of stop-accounting request transmission attempts. Use undo retry stop-accounting to restore the default. Syntax retry stop-accounting retry-times undo retry stop-accounting Default The maximum number of stop-accounting request transmission attempts is 500.
• timer response-timeout • display stop-accounting-buffer secondary accounting (RADIUS scheme view) Use secondary accounting to specify a secondary RADIUS accounting server. Use undo secondary accounting to remove the configuration. Syntax secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] * undo secondary accounting [ ipv4-address | ipv6 ipv6-address ] Default No secondary RADIUS accounting server is specified.
The IP addresses of the accounting servers and those of the authentication/authorization servers must be of the same IP version. The IP addresses of the primary and secondary accounting servers must be different from each other. Otherwise, the configuration fails. The shared key configured by this command takes precedence over that configured by using the key accounting [ cipher | simple ] key command. For secrecy, all shared keys, including keys configured in plain text, are saved in cipher text.
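What the shared key protects on the wire, as an added example that is not part of this command reference: a minimal implementation of the RFC 2865 User-Password hiding and Response Authenticator check (the standard the Type field above refers to), using the plaintext key hello from the page's own example. The packet bytes, user name and NAS address are constructed here; the verify step is the check a NAS performs before trusting an Access-Accept (Code 2, one of the codes counted by display radius statistics), and it fails for a wrong key, a tampered attribute, or a reply that belongs to a different request.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865/2866). These are the values behind the
# "Code = N" lines of display radius statistics: 2 Access-Accept,
# 3 Access-Reject, 5 Accounting-Response, 11 Access-Challenge.
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCOUNTING_RESPONSE = 5
ACCESS_CHALLENGE = 11

# Fixed 20-byte header: code, identifier, length, 16-byte authenticator.
HEADER = struct.Struct("!BBH16s")


def encode_attrs(attrs):
    """Encode (type, value_bytes) pairs as RADIUS TLVs: type, length, value."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous block), seeded by the Request Authenticator. The shared
    key is the only thing keeping the password from a passive observer."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def recover_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password (the chain runs over the hidden blocks)."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier, secret, username, password, request_auth=None):
    """Build an Access-Request as a NAS would. Returns (packet, request_authenticator)."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([
        (1, username),                                       # User-Name
        (2, hide_password(password, secret, request_auth)),  # User-Password
        (4, bytes([10, 110, 1, 2])),                         # NAS-IP-Address (constructed)
    ])
    pkt = HEADER.pack(ACCESS_REQUEST, identifier, HEADER.size + len(attrs), request_auth)
    return pkt + attrs, request_auth


def response_authenticator(code, identifier, body, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + len(body)
    return hashlib.md5(struct.pack("!BBH", code, identifier, length)
                       + request_auth + body + secret).digest()


def build_response(code, identifier, secret, request_auth, attrs=()):
    """Build a server reply to the request that carried request_auth."""
    body = encode_attrs(attrs)
    auth = response_authenticator(code, identifier, body, request_auth, secret)
    return HEADER.pack(code, identifier, HEADER.size + len(body), auth) + body


def verify_response(pkt, secret, request_auth):
    """The check a NAS performs before trusting a reply. Returns the packet code, or
    None when the authenticator does not match: wrong shared key, tampered
    attributes, or a reply that does not belong to this request."""
    if len(pkt) < HEADER.size:
        return None
    code, identifier, length, auth = HEADER.unpack_from(pkt)
    if length != len(pkt):
        return None
    body = pkt[HEADER.size:]
    expected = response_authenticator(code, identifier, body, request_auth, secret)
    return code if hmac.compare_digest(expected, auth) else None


def demo():
    """Exercise the good path and the failure modes a key mismatch or tampering causes."""
    secret = b"hello"  # the plaintext shared key used in the page's own example
    req, req_auth = build_access_request(7, secret, b"user0001@test", b"s3cret")
    accept = build_response(ACCESS_ACCEPT, 7, secret, req_auth, [(18, b"welcome")])  # Reply-Message
    return {
        "good": verify_response(accept, secret, req_auth),
        "wrong_key": verify_response(accept, b"hel1o", req_auth),
        "tampered": verify_response(accept[:-1] + bytes([accept[-1] ^ 1]), secret, req_auth),
        "replayed": verify_response(accept, secret, os.urandom(16)),
    }
```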
Views RADIUS scheme view Default command level 2: System level Parameters ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication/authorization server. ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS authentication/authorization server, which is a valid global unicast address. port-number: Specifies the service port number of the secondary RADIUS authentication/authorization server, which is a UDP port number ranging from 1 to 65535 and defaults to 1812.
The IP addresses of the primary and secondary authentication/authorization servers must be different from each other. Otherwise, the configuration fails. If you remove a secondary authentication server in use in the authentication process, the communication with the secondary server times out, and the device looks for a server in active state from the primary server on.
security-policy-server Use security-policy-server to specify a security policy server for a RADIUS scheme. Use undo security-policy-server to remove one or all security policy servers for a RADIUS scheme. Syntax security-policy-server ip-address undo security-policy-server { ip-address | all } Default No security policy server is specified for a RADIUS scheme. Views RADIUS scheme view Default command level 2: System level Parameters ip-address: Specifies a security policy server by its IP address.
Parameters extended: Specifies the extended RADIUS server (generally running on IMC), which requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats provisioned by the proprietary RADIUS protocol. standard: Specifies the standard RADIUS server, which requires the RADIUS client and RADIUS server to interact according to the procedures and packet format of the standard RADIUS protocol (RFC 2865 and 2866 or their successors).
system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] state primary authentication block Related commands • display radius scheme • state secondary state secondary Use state secondary to set the status of a secondary RADIUS server. Syntax state secondary { accounting | authentication } [ ip ipv4-address | ipv6 ipv6-address ] { active | block } Default Every secondary RADIUS server specified in a RADIUS scheme is in active state.
Related commands • display radius scheme • state primary stop-accounting-buffer enable (RADIUS scheme view) Use stop-accounting-buffer enable to enable the device to buffer stop-accounting requests to which no responses are received. Use undo stop-accounting-buffer enable to disable the buffering function. Syntax stop-accounting-buffer enable undo stop-accounting-buffer enable Default The device buffers stop-accounting requests to which no responses are received.
Default The server quiet period is 5 minutes. Views RADIUS scheme view Default command level 2: System level Parameters minutes: Server quiet period in minutes, ranging from 0 to 255. If you set this argument to 0, when the device attempts to send an authentication or accounting request but the current server is unreachable, the device sends the request to the next server in active state, without changing the current server's status.
Default command level 2: System level Parameters minutes: Real-time accounting interval in minutes. The value can be 0 or a multiple of 3, ranging from 3 to 60. Usage guidelines For real-time accounting, a NAS must transmit the accounting information of online users to the RADIUS accounting server periodically. This command sets the interval.
Default command level 2: System level Parameters seconds: RADIUS server response timeout period in seconds, ranging from 1 to 10. Usage guidelines If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request (authentication/authorization or accounting request), it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.
If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than one ISP domain. Otherwise, the RADIUS server cannot distinguish two users in different ISP domains that have the same user ID, and it treats them as one user. Examples # Specify the device to remove the domain name in the username sent to the RADIUS servers for the RADIUS scheme radius1.
HWTACACS configuration commands data-flow-format (HWTACACS scheme view) Use data-flow-format to set the traffic statistics unit for data flows or packets. Use undo data-flow-format to restore the default. Syntax data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } * undo data-flow-format { data | packet } Default The unit for data flows is byte and that for data packets is one-packet.
Views Any view Default command level 1: Monitor level Parameters hwtacacs-scheme-name: HWTACACS scheme name. If you do not specify an HWTACACS scheme, this command displays the configuration of all HWTACACS schemes. statistics: Displays the statistics for the HWTACACS servers specified in the HWTACACS scheme. Without this keyword, the command displays the configuration of the HWTACACS scheme. slot slot-number: Specifies a card by its slot number.
VPN instance : - Current-accounting-server : 172.31.1.11:49 VPN instance : - NAS-IP-address : 0.0.0.
# Display the statistics for the servers specified in HWTACACS scheme gy.
HWTACACS account client unknown type number: 0
HWTACACS account client timeout number: 0
HWTACACS account client packet dropped number: 0
HWTACACS account client request command level number: 0
HWTACACS account client request connection number: 0
HWTACACS account client request EXEC number: 0
HWTACACS account client request network number: 0
HWTACACS account client request system event number: 0
HWTACACS account client request update number: 0
HWTACACS account client response error number: 0
HWTACACS accoun
Examples # On the 6602 router, display information about stop-accounting requests buffered for HWTACACS scheme hwt1. display stop-accounting-buffer hwtacacs-scheme hwt1 Total 0 record(s) Matched # On the HSR6602/6604/6608/6616 router, display information about the stop-accounting requests buffered for HWTACACS scheme hwt1 on the card in slot 0.
You can specify up to one public-network source IP address and 15 private-network source IP addresses. A newly specified public-network source IP address overwrites the previous one. Each VPN can have only one private-network source IP address specified. A private-network source IP address newly specified for a VPN overwrites the previous one.
key (HWTACACS scheme view) Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication. Use undo key to remove the configuration. Syntax key { accounting | authentication | authorization } [ cipher | simple ] key undo key { accounting | authentication | authorization } Default No shared key is configured.
# Set the shared key for secure HWTACACS accounting communication to $c$3$jaeN0ej15fjuHKeuVh8mqicHzaHdMw== in cipher text for HWTACACS scheme hwt1. system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] key accounting cipher $c$3$jaeN0ej15fjuHKeuVh8mqicHzaHdMw== Related commands display hwtacacs nas-ip (HWTACACS scheme view) Use nas-ip to specify a source IP address for outgoing HWTACACS packets. Use undo nas-ip to restore the default.
Related commands hwtacacs nas-ip primary accounting (HWTACACS scheme view) Use primary accounting to specify the primary HWTACACS accounting server. Use undo primary accounting to remove the configuration. Syntax primary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] * undo primary accounting Default No primary HWTACACS accounting server is specified.
Related commands • display hwtacacs • vpn-instance (HWTACACS scheme view) primary authentication (HWTACACS scheme view) Use primary authentication to specify the primary HWTACACS authentication server. Use undo primary authentication to remove the configuration. Syntax primary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] * undo primary authentication Default No primary HWTACACS authentication server is specified.
[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49 Related commands • display hwtacacs • vpn-instance (HWTACACS scheme view) primary authorization Use primary authorization to specify the primary HWTACACS authorization server. Use undo primary authorization to remove the configuration. Syntax primary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] * undo primary authorization Default No primary HWTACACS authorization server is specified.
system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 Related commands • display hwtacacs • vpn-instance (HWTACACS scheme view) reset hwtacacs statistics Use reset hwtacacs statistics to clear HWTACACS statistics.
Syntax reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] Views User view Default command level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in an HWTACACS scheme. The HWTACACS scheme name is a case-insensitive string of 1 to 32 characters. slot slot-number: Specifies a card by its slot number.
Parameters retry-times: Maximum number of stop-accounting request transmission attempts, ranging from 1 to 300. Examples # Set the maximum number of stop-accounting request transmission attempts to 50 for HWTACACS scheme hwt1.
You can remove an accounting server only when it is not used by any active TCP connection to send accounting packets. Removing an accounting server only affects accounting processes that occur after the remove operation. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme. Examples # Specify the IP address and port number of the secondary accounting server for HWTACACS scheme hwt1 as 10.163.155.12 with TCP port number 49.
If you execute the command multiple times, the most recent configuration takes effect. You can remove an authentication server only when it is not used by any active TCP connection to send authentication packets. Removing an authentication server only affects authentication processes that occur after the remove operation. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
If the specified server resides on an MPLS VPN, you also must specify that VPN with the secondary authorization command to ensure normal communication with the server. The VPN specified here takes precedence over the VPN specified for the HWTACACS scheme. If you execute the command multiple times, the most recent configuration takes effect. You can remove an authorization server only when it is not used by any active TCP connection to send authorization packets.
Related commands • reset stop-accounting-buffer • display stop-accounting-buffer timer quiet (HWTACACS scheme view) Use timer quiet to set the quiet timer for the primary server. Use undo timer quiet to restore the default. Syntax timer quiet minutes undo timer quiet Default The primary server quiet period is 5 minutes. Views HWTACACS scheme view Default command level 2: System level Parameters minutes: Primary server quiet period. The value ranges from 1 to 255, in minutes.
Views HWTACACS scheme view Default command level 2: System level Parameters minutes: Real-time accounting interval in minutes. The value can be 0 or a multiple of 3, ranging from 3 to 60. A value of 0 means "Do not send online user accounting information to the HWTACACS server." Usage guidelines For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command sets the interval.
Parameters seconds: HWTACACS server response timeout period in seconds, ranging from 1 to 300. Usage guidelines HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server. Examples # Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.
Examples # Specify the device to remove the ISP domain name in the username sent to the HWTACACS servers for the HWTACACS scheme hwt1. system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] user-name-format without-domain vpn-instance (HWTACACS scheme view) Use vpn-instance to specify a VPN instance for an HWTACACS scheme. Use undo vpn-instance to remove the configuration.
802.1X commands 802.1X commands are supported only on a SAP module that is operating in bridge mode. display dot1x Use display dot1x to display information about 802.1X. Syntax display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters sessions: Displays 802.1X session information. statistics: Displays 802.1X statistics.
EAD quick deploy is enabled Configuration: Transmit Period Quiet Period Supp Timeout Reauth Period 30 s, Handshake Period 60 s, Quiet Period Timer is disabled 30 s, Server Timeout The maximal retransmitting times URL: http://192.168.19.23 Free IP: 192.168.19.0 255.255.255.0 EAD timeout: 30m The maximum 802.1X user resource number is 2048 per slot Total current used 802.1X resource number is 1 GigabitEthernet3/0/1 100 s 3600 s EAD quick deploy configuration: is link-up 802.
Table 12 Command output Field Description Equipment 802.1X protocol is enabled Whether 802.1X is enabled globally. CHAP authentication is enabled Whether CHAP authentication is enabled. Proxy trap checker is disabled Whether the device sends a trap when detecting that a user is accessing the network through a proxy. Proxy logoff checker is disabled Whether the device logs off the user when detecting that the user is accessing the network through a proxy.
Field Description Authenticate Mode is Auto Authorization state of the port. Port Control Type is Port-based Access control method of the port. 802.1X Multicast-trigger is enabled Whether the 802.1X multicast-trigger function is enabled. Mandatory authentication domain Mandatory authentication domain on the port. Guest VLAN 802.1X guest VLAN configured on the port. NOT configured is displayed if no guest VLAN is configured. Auth-fail VLAN Auth-Fail VLAN configured on the port.
dot1x Use dot1x to enable 802.1X. Use undo dot1x to disable 802.1X. Syntax In system view: dot1x [ interface interface-list ] undo dot1x [ interface interface-list ] In Ethernet interface view: dot1x undo dot1x Default 802.1X is neither enabled globally nor enabled for any port. Views System view, Ethernet interface view Default command level 2: System level Parameters interface interface-list: Specifies a port list, which can contain multiple ports.
Or system-view [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] dot1x [Sysname-GigabitEthernet3/0/1] quit [Sysname] interface gigabitethernet 3/0/5 [Sysname-GigabitEthernet3/0/5] dot1x [Sysname-GigabitEthernet3/0/5] quit [Sysname] interface gigabitethernet 3/0/6 [Sysname-GigabitEthernet3/0/6] dot1x [Sysname-GigabitEthernet3/0/6] quit [Sysname] interface gigabitethernet 3/0/7 [Sysname-GigabitEthernet3/0/7] dot1x # Enable 802.1X globally.
• In EAP termination mode—The access device re-encapsulates and sends the authentication data from the client in standard RADIUS packets to the RADIUS server, and performs either CHAP or PAP authentication with the RADIUS server. In this mode the RADIUS server supports only MD5-Challenge EAP authentication, and "username+password" EAP authentication initiated by an iNode client. • PAP transports usernames and passwords in clear text.
Parameters authfail-vlan-id: Specifies the ID of the Auth-Fail VLAN for the port, in the range of 1 to 4094. Make sure that the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide. Usage guidelines You must enable MAC-based VLAN for an Auth-Fail VLAN to take effect on a port that performs MAC-based access control.
Parameters vlan-id: Specifies a VLAN ID in the range of 1 to 4094. Make sure that the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2 — LAN Switching Configuration Guide. Usage guidelines You can configure only one critical VLAN on a port. The MAC authentication critical VLANs on different ports can be different. When you change the access control method from MAC-based to port-based on the port, the mappings between MAC addresses and the 802.
Usage guidelines The dot1x critical recovery-action command takes effect only for the 802.1X users in the critical VLAN on a port. It enables the port to take one of the following actions to trigger 802.1X authentication after removing 802.1X users from the critical VLAN on detection of a reachable RADIUS authentication server: • If MAC-based access control is used, the port sends a unicast Identity EAP/Request to each 802.1X user.
Examples # Specify the characters @, /, and \ as domain name delimiters. system-view [Sysname] dot1x domain-delimiter @\/ dot1x guest-vlan Use dot1x guest-vlan to configure an 802.1X guest VLAN for the specified or all ports. A guest VLAN on a port accommodates users that have not performed 802.1X authentication. In the guest VLAN, users can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.
To delete a VLAN that has been configured as a guest VLAN, you must remove the guest VLAN configuration first. You can configure both an Auth-Fail VLAN and an 802.1X guest VLAN on a port. Examples # Specify VLAN 999 as the 802.1X guest VLAN for port GigabitEthernet 3/0/1. system-view [Sysname] dot1x guest-vlan 999 interface gigabitethernet 3/0/1 # Specify VLAN 10 as the 802.1X guest VLAN for ports GigabitEthernet 3/0/2 to GigabitEthernet 3/0/5.
HP recommends that you use the iNode client software to ensure the normal operation of the online user handshake function. Examples # Enable the online user handshake function. system-view [Sysname] interface gigabitethernet 3/0/4 [Sysname-GigabitEthernet3/0/4] dot1x handshake dot1x handshake secure Use dot1x handshake secure to enable the online user handshake security function. The function enables the device to prevent users from using illegal client software.
undo dot1x mandatory-domain Default No mandatory authentication domain is specified. Views Ethernet interface view Default command level 2: System level Parameters domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters. Usage guidelines When authenticating an 802.1X user trying to access the port, the system selects an authentication domain in the following order: the mandatory domain, the ISP domain specified in the username, and the default ISP domain.
Syntax In system view: dot1x max-user user-number [ interface interface-list ] undo dot1x max-user [ interface interface-list ] In Ethernet interface view: dot1x max-user user-number undo dot1x max-user Default The port supports a maximum of 1024 concurrent 802.1X users. Views System view, Ethernet interface view Default command level 2: System level Parameters user-number: Specifies the maximum number of concurrent 802.1X users on a port. The value range is 1 to 1024.
Related commands display dot1x dot1x multicast-trigger Use dot1x multicast-trigger to enable the 802.1X multicast trigger function. The device acts as the initiator and periodically multicasts Identity EAP-Request packets out of a port to detect 802.1X clients and trigger authentication. Use undo dot1x multicast-trigger to disable the function. Syntax dot1x multicast-trigger undo dot1x multicast-trigger Default The multicast trigger function is enabled.
undo dot1x port-control Default The default port authorization state is auto. Views System view, Ethernet interface view Default command level 2: System level Parameters authorized-force: Places the specified or all ports in the authorized state, enabling users on the ports to access the network without authentication.
Use undo dot1x port-method to restore the default. Syntax In system view: dot1x port-method { macbased | portbased } [ interface interface-list ] undo dot1x port-method [ interface interface-list ] In Ethernet interface view: dot1x port-method { macbased | portbased } undo dot1x port-method Default MAC-based access control applies.
[Sysname] dot1x port-method portbased interface gigabitethernet 3/0/2 to gigabitethernet 3/0/5
Related commands
display dot1x
dot1x quiet-period
Use dot1x quiet-period to enable the quiet timer. When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client.
Use undo dot1x quiet-period to disable the timer.
Syntax
dot1x quiet-period
undo dot1x quiet-period
Default
The quiet timer is disabled.
Default command level
2: System level
Usage guidelines
Periodic re-authentication enables the access device to periodically authenticate online 802.1X users on a port. This function tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS. You can use the dot1x timer reauth-period command to configure the interval for re-authentication.
Examples
# Enable the 802.
Examples
# Set the maximum number of attempts for sending an authentication request to a client as 9.
system-view
[Sysname] dot1x retry 9
Related commands
display dot1x
dot1x supp-proxy-check
Use dot1x supp-proxy-check to enable the proxy detection function and set the processing method on the specified ports or all ports.
Use undo dot1x supp-proxy-check to disable the function on the specified ports or all ports.
Examples
# Configure ports GigabitEthernet 3/0/1 to GigabitEthernet 3/0/8 to log off users accessing the network through a proxy.
system-view
[Sysname] dot1x supp-proxy-check logoff
[Sysname] dot1x supp-proxy-check logoff interface gigabitethernet 3/0/1 to gigabitethernet 3/0/8
# Configure port GigabitEthernet 3/0/9 to send a trap when a user is detected accessing the network through a proxy.
supp-timeout-value: Sets the client timeout timer in seconds. It is in the range of 1 to 120.
tx-period-value: Sets the username request timeout timer in seconds. It is in the range of 10 to 120.
Usage guidelines
You can set the client timeout timer to a high value in a low-performance network, set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response, or adjust the server timeout timer to adapt to the performance of different authentication servers.
Default
The unicast trigger function is disabled.
Views
Ethernet interface view
Default command level
2: System level
Usage guidelines
The unicast trigger function enables the network access device to initiate 802.1X authentication when it receives a data frame from an unknown source MAC address.
Examples
# Clear 802.1X statistics on port GigabitEthernet 3/0/1.
EAD fast deployment commands
EAD fast deployment commands are supported only on a SAP module that is operating in bridge mode.
dot1x free-ip
Use dot1x free-ip to configure a free IP. Users can access the segment before passing 802.1X authentication.
Use undo dot1x free-ip to remove the specified or all free IP addresses.
Syntax
dot1x free-ip ip-address { mask-address | mask-length }
undo dot1x free-ip { ip-address { mask | mask-length } | all }
Default
No free IP is configured.
Syntax
dot1x timer ead-timeout ead-timeout-value
undo dot1x timer ead-timeout
Default
The timer is 30 minutes.
Views
System view
Default command level
2: System level
Parameters
ead-timeout-value: Specifies the EAD rule timer in minutes. The value range is 1 to 1440.
Usage guidelines
EAD fast deployment automatically creates an ACL rule, or EAD rule, to open access to the redirect URL for each redirected user seeking to access the network. The EAD rule timer sets the lifetime of each ACL rule.
Default command level
2: System level
Parameters
url-string: Specifies the redirect URL, a case-sensitive string of 1 to 64 characters in the format http://string.
Usage guidelines
The redirect URL must be on the free IP subnet. If you configure the dot1x url command multiple times, the last configured URL takes effect.
Examples
# Configure the redirect URL as http://192.168.0.1.
system-view
[Sysname] dot1x url http://192.168.0.
MAC authentication configuration commands
MAC authentication commands are available only for SAP modules that are operating in bridge mode.
display mac-authentication
Use display mac-authentication to display MAC authentication settings and statistics, including global settings, port-specific settings, and MAC authentication and online user statistics.
Server response timeout value is 100s
The max allowed user number is 2048 per slot
Current user number amounts to 0
Current domain: not configured, use default domain
Silent Mac User info:
  MAC Addr  From Port  Port Index
GigabitEthernet3/0/1 is link-up
  MAC address authentication is enabled
  Authenticate success: 0, failed: 0
  Max number of on-line users is 1024
  Current online user number is 0
  MAC Addr  Authenticate state  AuthIndex
…
Table 13 Command output
Field | Description
MAC address authentication is
GigabitEthernet3/0/1 is link-up | Status of the link on port GigabitEthernet 3/0/1. In this example, the link is up.
MAC address authentication is enabled | Whether MAC authentication is enabled on port GigabitEthernet 3/0/1.
Authenticate success: 0, failed: 0 | MAC authentication statistics, including the number of successful and unsuccessful authentication attempts.
Max number of on-line users | Maximum number of concurrent online users allowed on the port.
Default command level
2: System level
Parameters
interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. The start port and end port of a port range must be of the same type, and the end port number must be greater than the start port number.
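To show how an interface-list in the format above is parsed and validated, here is an added Python example (not device code): it enforces the up-to-10-ranges limit, the same-type rule and the end-greater-than-start rule, and expands a list into the individual ports a command would apply to. It assumes a range stays within one slot/subslot (only the last number varies), which the reference does not state.

```python
import re
from dataclasses import dataclass

# Added illustration (not device code) of the interface-list format
# { interface-type interface-number [ to interface-type interface-number ] }&<1-10>.
# Constraints taken from the reference: at most 10 ranges, start and end of the
# same type, end port number greater than start port number.
# Assumption: a range stays within one slot/subslot (only the last number varies).

MAX_RANGES = 10
_PORT_RE = re.compile(r"^(?P<type>[A-Za-z][A-Za-z-]*)\s+(?P<num>\d+(?:/\d+)*)$")


@dataclass(frozen=True)
class Port:
    itype: str    # interface type, lower-cased, e.g. "gigabitethernet"
    num: tuple    # interface number as integers, e.g. (3, 0, 1)

    def __str__(self):
        return f"{self.itype} {'/'.join(str(n) for n in self.num)}"


def parse_port(type_token, num_token):
    """Parse one 'type number' pair such as 'gigabitethernet 3/0/1'."""
    m = _PORT_RE.match(f"{type_token} {num_token}")
    if not m:
        raise ValueError(f"malformed interface: {type_token} {num_token}")
    return Port(m["type"].lower(), tuple(int(x) for x in m["num"].split("/")))


def parse_interface_list(text):
    """Return a list of (start, end) Port pairs; a single port is (p, p)."""
    tokens = text.split()
    ranges = []
    i = 0
    while i < len(tokens):
        if i + 1 >= len(tokens):
            raise ValueError("interface type without a number")
        start = end = parse_port(tokens[i], tokens[i + 1])
        i += 2
        if i < len(tokens) and tokens[i].lower() == "to":
            if i + 2 >= len(tokens):
                raise ValueError("'to' without an end interface")
            end = parse_port(tokens[i + 1], tokens[i + 2])
            i += 3
            if end.itype != start.itype:
                raise ValueError(f"range {start} to {end}: types differ")
            if end.num[:-1] != start.num[:-1]:
                raise ValueError(f"range {start} to {end}: crosses slot/subslot (assumed unsupported)")
            if end.num[-1] <= start.num[-1]:
                raise ValueError(f"range {start} to {end}: end port number must be greater than start")
        ranges.append((start, end))
    if len(ranges) > MAX_RANGES:
        raise ValueError(f"{len(ranges)} ranges given; at most {MAX_RANGES} allowed")
    return ranges


def expand_interface_list(text):
    """Expand the list into the individual ports a command would be applied to."""
    ports = []
    for start, end in parse_interface_list(text):
        for n in range(start.num[-1], end.num[-1] + 1):
            ports.append(Port(start.itype, start.num[:-1] + (n,)))
    return ports


def is_valid_interface_list(text):
    """True if the list parses and satisfies all constraints."""
    try:
        parse_interface_list(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed input: a range plus a single port, as used in the examples above.
    for p in expand_interface_list("gigabitethernet 3/0/2 to gigabitethernet 3/0/5 gigabitethernet 3/0/9"):
        print(p)
```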
Parameters
domain-name: Specifies an authentication domain name, a case-insensitive string of 1 to 24 characters. The domain name cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or at sign (@).
Usage guidelines
The global authentication domain is applicable to all MAC authentication enabled ports. A port-specific authentication domain is applicable only to the port.
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] mac-authentication max-user 32
mac-authentication timer
Use mac-authentication timer to set the MAC authentication timers.
Use undo mac-authentication timer to restore the default settings.
Use undo mac-authentication user-name-format to restore the default.
Syntax
mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] }
undo mac-authentication user-name-format
Default
Each user's MAC address is used as the username and password for MAC authentication, and letters must be input in lower case. MAC addresses are not hyphenated.
Examples
# Configure a shared account for MAC authentication users, and set the username as abc and password as a plaintext string of xyz.
system-view
[Sysname] mac-authentication user-name-format fixed account abc password simple xyz
# Configure a shared account for MAC authentication users, and set the username as abc and password as a ciphertext string of $c$3$Uu9Dh4xRKWa8RHW3TFnNTafBbhdPAg.
Portal configuration commands
Portal on VLAN interfaces does not support accounting. Portal on other types of interfaces supports accounting.
access-user detect
Use access-user detect to configure the online portal user detection function.
Use undo access-user detect to restore the default.
Syntax
access-user detect type { arp | icmp } retransmit number interval interval [ idle-time idletime ]
undo access-user detect
Default
The portal user detection function is not configured on an interface.
Examples
# Configure the portal user detection function on interface GigabitEthernet 3/0/1, specifying the probe packets as ARP requests, the maximum number of probe attempts as 3, and the probe interval as 10 seconds.
system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] access-user detect type arp retransmit 3 interval 10
display portal acl
Use display portal acl to display the ACLs on a specific interface.
    Port : 50000 ~ 51000
    MAC : 0000-0000-0000
    Interface : any
    VLAN : 0
  Destination:
    IP : 111.111.111.111
    Mask : 255.255.255.255
    Port : 40000
Rule 1
  Inbound interface : GigabitEthernet3/0/1
  Type : static
  Action : permit
  Protocol : 0
  Source:
    IP : 0.0.0.0
    Mask : 0.0.0.0
    Port : 23
    MAC : 0000-0000-0000
    Interface : any
    VLAN : 0
  Destination:
    IP : 192.168.0.111
    Mask : 255.255.255.
    Mask : 255.255.255.255
    MAC : 000d-88f8-0eab
    Interface : GigabitEthernet3/0/1
    VLAN : 0
  Protocol : 0
  Destination:
    IP : 0.0.0.0
    Mask : 0.0.0.0
  Author ACL:
    Number : 3001
Table 14 Command output
Field | Description
Rule | Sequence number of the portal ACL, which is numbered from 0 in ascending order.
Inbound interface | Interface to which the portal ACL is bound.
Type | Type of the portal ACL.
Action | Match action in the portal ACL.
Protocol | Transport layer protocol number in the portal ACL.
Syntax
display portal connection statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
MSG_LOGIN_REQ          3  0  0
MSG_LOGOUT_REQ         2  0  0
MSG_LEAVING_REQ        0  0  0
MSG_ARPPKT             0  0  0
MSG_PORT_REMOVE        0  0  0
MSG_VLAN_REMOVE        0  0  0
MSG_IF_REMOVE          6  0  0
MSG_IF_SHUT            0  0  0
MSG_IF_DISPORTAL       0  0  0
MSG_IF_UP              0  0  0
MSG_ACL_RESULT         0  0  0
MSG_AAACUTBKREQ        0  0  0
MSG_CUT_BY_USERINDEX   0  0  0
MSG_CUT_L3IF           0  0  0
MSG_IP_REMOVE          0  0  0
MSG_ALL_REMOVE         1  0  0
MSG_IFIPADDR_CHANGE    0  0  0
MSG_SOCKET_CHANGE      8  0  0
MSG_NOTIFY MSG_SETPOLICY MSG_SETPOLICY_RESULT 0 0 0 0 0
Field | Description
MSG_ARPPKT | ARP message.
MSG_PORT_REMOVE | Users-of-a-Layer-2-port-removed message.
MSG_VLAN_REMOVE | VLAN user removed message.
MSG_IF_REMOVE | Users-removed message, indicating the users on a Layer 3 interface were removed because the Layer 3 interface was removed.
MSG_IF_SHUT | Layer 3 interface shutdown message.
MSG_IF_DISPORTAL | Portal-disabled-on-interface message.
MSG_IF_UP | Layer 3 interface came up message.
MSG_ACL_RESULT | ACL deployment failure message.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about portal-free rule 1.
display portal free-rule 1
Rule-Number 1:
  Source:
    IP : 2.2.2.0
    Mask : 255.255.255.0
    Port : any
    MAC : 0000-0000-0000
    Interface : any
    Vlan : 0
  Destination:
    IP : 0.0.0.0
    Mask : 0.0.0.
Field | Description
Destination | Destination information in the portal-free rule.
IP | Destination IP address in the portal-free rule.
Mask | Subnet mask of the destination IP address in the portal-free rule.
Port | Destination transport layer port number in the portal-free rule.
Protocol | Transport layer protocol number in the portal-free rule.
Related commands
portal free-rule
display portal interface
Use display portal interface to display the portal configuration of an interface.
Table 17 Command output
Field | Description
Portal configuration of interface | Portal configuration on the interface.
IPv4 | IPv4 portal configuration.
Status | Status of the portal authentication on the interface:
  • Portal disabled—Portal authentication is disabled.
  • Portal enabled—Portal authentication is enabled but is not functioning.
  • Portal running—Portal authentication is functioning.
Portal server | Portal server referenced by the interface.
Portal backup-group
display portal server aaa
Portal server:
  1)aaa:
    IP : 192.168.0.111
    VPN instance : vpn1
    Port : 50100
    Key : ******
    URL : http://192.168.0.111
    Server Type : IMC
    Status : Up
Table 18 Command output
Field | Description
1) | Number of the portal server.
aaa | Name of the portal server.
VPN instance | MPLS L3VPN to which the portal server belongs.
IP | IP address of the portal server.
Port | Listening port on the portal server.
Views
Any view
Default command level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and name.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
NTF_AUTH           0  0  0
ACK_NTF_AUTH       0  0  0
REQ_QUERY_STATE    0  0  0
ACK_QUERY_STATE    0  0  0
RESERVED33         0  0  0
RESERVED35         0  0  0
Table 19 Command output
Field | Description
Interface | Interface referencing the portal server.
Invalid packets | Number of invalid packets.
Pkt-Name | Packet type.
Total | Total number of packets.
Discard | Number of discarded packets.
Checkerr | Number of erroneous packets.
REQ_CHALLENGE | Challenge request message the portal server sent to the access device.
NTF_CHALLENGE | Challenge request the access device sent to the portal server.
NTF_USER_NOTIFY | User information notification message the access device sent to the portal server.
AFF_NTF_USER_NOTIFY | NTF_USER_NOTIFY acknowledgment message the access device sent to the portal server.
NTF_AUTH | Forced authentication notification message the portal server sent to the access device.
ACK_NTF_AUTH | NTF_AUTH acknowledgment message the access device sent to the portal server.
  Packets Sent: 0
  Packets Retransmitted: 0
  Packets Dropped: 0
  HTTP Packets Sent: 0
  Connection State:
    SYN_RECVD: 0
    ESTABLISHED: 0
    CLOSE_WAIT: 0
    LAST_ACK: 0
    FIN_WAIT_1: 0
    FIN_WAIT_2: 0
    CLOSING: 0
Table 20 Command output
Field | Description
TCP Cheat Statistic | TCP spoofing statistics.
Total Opens | Total number of opened connections.
Resets Connections | Number of connections reset through RST packets.
Current Opens | Number of connections being set up.
Packets Received | Number of received packets.
Default command level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and name.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
Field | Description
Work-mode | User's working mode:
  • Primary.
  • Secondary.
  • Stand-alone.
VPN instance | MPLS L3VPN to which the portal server belongs.
MAC | MAC address of the portal user.
IP | IP address of the portal user.
Vlan | VLAN to which the portal user belongs.
Interface | Interface to which the portal user is attached.
Total 2 user(s) matched, 2 listed | Total number of portal users.
portal auth-network
Use portal auth-network to configure a portal authentication source subnet on an interface.
authentication source subnet for re-DHCP authentication (redhcp) is the one determined by the private IP address of the interface connecting the users. You can configure multiple authentication source subnets by executing the portal auth-network command. The system supports up to 16 authentication source subnets and destination subnets.
Examples
# Configure a portal authentication source subnet of 10.10.10.0/24 on GigabitEthernet 3/0/1 to allow users from subnet 10.10.10.
If both an authentication source subnet and destination subnet are configured on an interface, only the authentication destination subnet takes effect.
Examples
# Configure a portal authentication destination subnet of 2.2.2.0/24 on GigabitEthernet 3/0/1, so that only users accessing subnet 2.2.2.0/24 trigger portal authentication on the interface. Users can access other subnets through the interface without portal authentication.
Command | 6602 | HSR6602 | 6604/6608/6616
portal backup-group | Yes | Yes | No
Examples
# In the stateful failover networking environment, add the portal service backup interface GigabitEthernet 0/0/1 to portal group 1 on the source backup device.
system-view
[Sysname] interface gigabitethernet 0/0/1
[Sysname-GigabitEthernet0/0/1] portal backup-group 1
On the peer device (destination backup device), you must also add the corresponding service backup interface into portal group 1.
Default
A device is not configured with a device ID.
Views
System view
Default command level
2: System level
Parameters
id-value: Device ID of the device, a case-sensitive string of 1 to 16 characters. This device ID value is carried in the redirection URL to be sent to the clients.
Usage guidelines
If the type of the portal server specified for Layer 3 portal authentication is CMCC, you must specify the device ID.
Examples
# Set the device's device ID to 0002.0010.100.00.
Examples
# Configure the authentication domain for IPv4 portal users on GigabitEthernet 3/0/1 as my-domain.
system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] portal domain my-domain
Related commands
display portal interface
portal free-rule
Use portal free-rule to configure a portal-free rule and specify the source filtering condition, destination filtering condition, or both.
Keyword | 6602 | HSR6602 | 6604/6608/6616
vlan vlan-id | No | No | Yes if the SAP interface module is configured.
all: Specifies all portal-free rules.
Usage guidelines
If you specify both a source IP address and a source MAC address in a portal-free rule, the IP address must be a host address with a 32-bit mask. Otherwise, the specified MAC address does not take effect. If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN.
Parameters
max-number: Maximum number of online portal users allowed in the system.
Examples
# Specify the NAS ID of a RADIUS request to be sent on GigabitEthernet 3/0/1 as 0002053110000460.
system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] portal nas-id 0002053110000460
portal nas-id-profile
Use portal nas-id-profile to specify a NAS ID profile for the interface.
Use undo portal nas-id-profile to cancel the configuration.
Syntax
portal nas-ip ip-address
undo portal nas-ip
Default
No source IP address is specified for outgoing portal packets on an interface, and the interface uses the IP address of the user access interface as the source IP address for outgoing portal packets.
Views
Interface view
Default command level
2: System level
Parameters
ip-address: Specifies a source IP address for outgoing portal packets. This IP address must be a local IP address, and cannot be 0.0.0.0, 255.255.255.
Usage guidelines
If the device uses a RADIUS server for authentication, authorization, and accounting of portal users, when a portal user logs on from an interface, the device sends a RADIUS request that carries the NAS-Port-ID attribute to the RADIUS server.
Examples
# Specify the NAS-Port-ID value of GigabitEthernet 3/0/1 as ap1.
Syntax
portal redirect-url url-string
undo portal redirect-url
Default
An authenticated portal user is redirected to the URL that the user entered in the address bar before portal authentication.
Views
System view
Default command level
2: System level
Parameters
url-string: Autoredirection URL for authenticated portal users, a string of 1 to 127 characters. It must start with http:// or https:// and must be a fully qualified URL.
ip ip-address: Specifies the IP address of the portal server. In portal stateful failover environments, HP recommends specifying the virtual IP address of the VRRP group to which the downlink belongs as the portal server IP address.
key: Specifies a shared key for communication with the portal server. Portal packets exchanged between the access device and the portal server carry an authenticator, which is generated with the shared key.
• portal device-id
portal server method
Use portal server method to enable Layer 3 portal authentication on an interface, and specify the portal server and the authentication mode to be used.
Use undo portal to disable Layer 3 portal authentication on an interface.
Syntax
portal server server-name method { direct | layer3 | redhcp }
undo portal
Default
Layer 3 portal authentication is disabled on an interface.
Syntax
portal server server-name server-detect method { http | portal-heartbeat } * action { log | permit-all | trap } * [ interval interval ] [ retry retries ]
undo portal server server-name server-detect
Default
The portal server detection function is not configured.
Views
System view
Default command level
2: System level
Parameters
server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. The specified portal server must already exist.
• trap: Specifies the action as sending a trap message. When the status (reachable/unreachable) of a portal server changes, the access device sends a trap message to the network management server (NMS). The trap message contains the portal server name and the current state of the portal server.
interval interval: Interval at which probe attempts are made. The interval argument ranges from 20 to 600 and defaults to 20, in seconds.
retry retries: Maximum number of probe attempts.
undo portal server server-name user-sync
Default
The portal user synchronization function is not configured.
Views
System view
Default command level
2: System level
Parameters
server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. The specified portal server must already exist.
user-sync: Enables the portal user synchronization function.
interval interval: Specifies the interval at which the device checks the user synchronization packets.
reset portal connection statistics
Use reset portal connection statistics to clear portal connection statistics on a specific interface or all interfaces.
Syntax
reset portal connection statistics { all | interface interface-type interface-number }
Views
User view
Default command level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
Views
User view
Default command level
1: Monitor level
Examples
# Clear TCP spoofing statistics.
Port security configuration commands
The port security commands are available only for SAP modules that are operating in bridge mode.
display port-security
Use display port-security to display port security configuration information, operation information, and statistics for one or more ports.
  RALM logfailure trap is enabled
  AutoLearn aging time is 1 minutes
  Disableport Timeout: 20s
  OUI value:
    Index is 1, OUI value is 000d1a
    Index is 2, OUI value is 003c12
GigabitEthernet3/0/1 is link-down
  Port mode is userLoginWithOUI
  NeedToKnow mode is NeedToKnowOnly
  Intrusion Protection mode is DisablePort
  Max MAC address number is 50
  Stored MAC address number is 0
  Authorization is ignored
GigabitEthernet3/0/2 is link-down
  Port mode is noRestriction
  NeedToKnow mode is disabled
  Intrusion Portection mode is
Field | Description
Disableport Timeout | Silence timeout period of the port that receives illegal packets, in seconds.
OUI value | List of OUI values allowed.
Port mode | Port security mode:
  • noRestrictions.
  • autoLearn.
  • macAddressWithRadius.
  • macAddressElseUserLoginSecure.
  • macAddressElseUserLoginSecureExt.
  • secure.
  • userLogin.
  • userLoginSecure.
  • userLoginSecureExt.
  • macAddressOrUserLoginSecure.
  • macAddressOrUserLoginSecureExt.
  • userLoginWithOUI.
Related commands
• port-security enable
• port-security port-mode
• port-security ntk-mode
• port-security intrusion-mode
• port-security max-mac-count
• port-security mac-address security
• port-security authorization ignore
• port-security oui
• port-security trap
display port-security mac-address block
Use display port-security mac-address block to display information about blocked MAC addresses.
000f-3d80-0d2d  GigabitEthernet3/0/1  30
--- On slot 3, 1 mac address(es) found ---
--- 1 mac address(es) found ---
# Display the count of all blocked MAC addresses.
display port-security mac-address block count
--- On slot 2, no mac address found ---
--- On slot 3, 1 mac address(es) found ---
--- 1 mac address(es) found ---
# Display information about all blocked MAC addresses in VLAN 30.
Field | Description
VLAN ID | ID of the VLAN to which the port belongs.
1 mac address(es) found | Number of blocked MAC addresses on a slot.
On slot 1, 1 mac address(es) found | Number of blocked MAC addresses on slot 1.
Related commands
port-security intrusion-mode
display port-security mac-address security
Use display port-security mac-address security to display information about secure MAC addresses.
--- 2 mac address(es) found ---
# Display only the count of the secure MAC addresses.
display port-security mac-address security count
This operation may take a few minutes, please wait......
--- 2 mac address(es) found ---
# Display information about secure MAC addresses in VLAN 1.
Use undo port-security authorization ignore to restore the default.
Syntax
port-security authorization ignore
undo port-security authorization ignore
Default
A port uses the authorization information from the server.
Views
Ethernet interface view
Default command level
2: System level
Usage guidelines
After a user passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user's account. For example, it can assign a VLAN.
• Port security mode is noRestrictions.
You cannot disable port security when online users are present.
Examples
# Enable port security.
Examples
# Configure port GigabitEthernet 3/0/1 to block the source MAC addresses of illegal frames after intrusion protection is triggered.
port-security mac-address dynamic
Use port-security mac-address dynamic to enable the dynamic secure MAC function. This function converts sticky MAC addresses to dynamic, and disables saving them to the configuration file.
Use undo port-security mac-address dynamic to disable the dynamic secure MAC function. Then, all dynamic secure MAC addresses are converted to sticky MAC addresses, and you can manually configure sticky MAC addresses.
undo port-security mac-address security [ sticky ] mac-address vlan vlan-id
In system view:
port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id
undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ]
Default
No secure MAC address entry is configured.
Examples
# Enable port security, set port GigabitEthernet 3/0/1 in autoLearn mode, and add a static secure MAC address 0001-0001-0002 in VLAN 10.
Usage guidelines
In autoLearn mode, this command sets the maximum number of secure MAC addresses (both configured and automatically learned) on the port. The maximum number set by this command cannot be smaller than the current number of MAC addresses saved on the port.
In any other mode that enables 802.1X, MAC authentication, or both, this command sets the maximum number of authenticated MAC addresses on the port.
Usage guidelines
The need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow frames to be sent to only devices passing authentication, preventing illegal devices from intercepting network traffic.
Examples
# Set the NTK mode of port GigabitEthernet 3/0/1 to ntkonly, allowing the port to forward received packets to only devices passing authentication.
Related commands
display port-security
port-security port-mode
Use port-security port-mode to set the port security mode of a port.
Use undo port-security port-mode to restore the default.
Keyword | Security mode | Description
mac-else-userlogin-secure-ext | macAddressElseUserLoginSecureExt | Similar to the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users. In this mode, MAC address learning is disabled on the port and you can configure MAC addresses by using the mac-address static and mac-address dynamic commands.
Examples
# Enable port security and set port GigabitEthernet 3/0/1 in secure mode.
system-view
[Sysname] port-security enable
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] port-security port-mode secure
# Change the port security mode of port GigabitEthernet 3/0/1 to userLogin.
Syntax
port-security timer disableport time-value
undo port-security timer disableport
Default
The silence period is 20 seconds.
Views
System view
Default command level
2: System level
Parameters
time-value: Specifies the silence period in seconds during which the port remains disabled. The value range is 20 to 300.
Usage guidelines
If you configure the intrusion protection policy as disabling the port temporarily whenever it receives an illegal frame, use this command to set the silence period.
Parameters
addresslearned: Enables MAC address learning traps. The port security module sends traps when a port learns a new MAC address.
dot1xlogfailure: Enables 802.1X authentication failure traps. The port security module sends traps when an 802.1X authentication fails.
dot1xlogon: Enables 802.1X authentication success traps. The port security module sends traps when an 802.1X authentication is passed.
dot1xlogoff: Enables 802.1X user logoff event traps. The port security module sends traps when an 802.
User profile configuration commands
display user-profile
Use display user-profile to display information about all user profiles that have been created.
Syntax
display user-profile [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Syntax
user-profile profile-name enable
undo user-profile profile-name enable
Default
A created user profile is disabled.
Views
System view
Default command level
2: System level
Parameters
profile-name: Specifies a user profile name, a case-sensitive string of 1 to 31 characters. It can only contain English letters, digits, and underscores, and it must start with an English letter. The user profile must already exist.
Usage guidelines
Only enabled user profiles can be applied to authenticated users.
Parameters
profile-name: Assigns a name to the user profile. The name is a case-sensitive string of 1 to 31 characters. It can only contain English letters, digits, and underscores, and it must start with an English letter. A user profile name must be globally unique.
Examples
# Create user profile a123.
system-view
[Sysname] user-profile a123
[Sysname-user-profile-a123]
# Enter the user profile view of a123.
Password control configuration commands
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
display password-control
Use display password-control to display password control configuration information.
  Password complexity: Disabled (username checking)
                       Disabled (repeated characters checking)
# Display the password control configuration for super passwords.
display password-control super
Super password control configurations:
  Password aging: Enabled (90 days)
  Password length: Enabled (10 characters)
  Password composition: Enabled (1 types, 1 characters per type)
Table 26 Command output
Field | Description
Password control | Whether the password control feature is enabled.
Views
Any view
Default command level
2: System level
Parameters
user-name name: Specifies a user by the name, a string of 1 to 80 characters.
ip ipv4-address: Specifies the IPv4 address of a user.
ipv6 ipv6-address: Specifies the IPv6 address of a user.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
Syntax
password
undo password
Views
Local user view
Default command level
2: System level
Usage guidelines
Valid characters for a local user password are from the following types:
• Uppercase letters A to Z.
• Lowercase letters a to z.
• Digits 0 to 9.
• Special characters in Table 28.
[Sysname-luser-test] password
Password:**********
Confirm :**********
Updating user(s) information, please wait....
password-control { aging | composition | history | length } enable
Use password-control { aging | composition | history | length } enable to enable the password aging, composition restriction, history, or minimum password length restriction function.
Use undo password-control { aging | composition | history | length } enable to disable the specified function.
[Sysname] password-control aging enable
# Enable the minimum password length restriction function.
[Sysname] password-control length enable
# Enable the password history function.
[Sysname] password-control history enable
Related commands
• password-control enable
• display password-control
password-control aging
Use password-control aging to set the password aging time.
Use undo password-control aging to restore the default.
[Sysname-ugroup-test] password-control aging 90
[Sysname-ugroup-test] quit
# Set the password aging time for local user abc to 100 days.
[Sysname] local-user abc
[Sysname-luser-abc] password-control aging 100
Related commands
• display password-control
• local-user
• user-group
password-control alert-before-expire
Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration.
Default
The user authentication timeout time is 60 seconds.
Views
System view
Default command level
2: System level
Parameters
authentication-timeout: Specifies the user authentication timeout time in seconds. The value range is 30 to 120.
Examples
# Set the user authentication timeout time to 40 seconds.
<Sysname> system-view
[Sysname] password-control authentication-timeout 40
password-control complexity
Use password-control complexity to configure the password complexity checking policy.
password-control composition
Use password-control composition to configure the password composition policy.
Use undo password-control composition to restore the default.
[Sysname] user-group test
[Sysname-ugroup-test] password-control composition type-number 3 type-length 5
[Sysname-ugroup-test] quit
# Specify that the passwords of local user abc must contain at least three types of characters and each type must contain at least five characters.
Syntax
password-control expired-user-login delay delay times times
undo password-control expired-user-login
Default
A user can log in three times within 30 days after the password expires.
Views
System view
Default command level
2: System level
Parameters
delay: Specifies the maximum number of days during which a user can log in using an expired password. It must be in the range of 1 to 90.
times: Specifies the maximum number of times a user can log in after the password expires.
<Sysname> system-view
[Sysname] password-control history 10
password-control length
Use password-control length to set the minimum password length.
Use undo password-control length to restore the default.
Syntax
password-control length length
undo password-control length
Default
The global minimum password length is 10 characters. The minimum password length of a user group equals the global setting.
[Sysname-ugroup-test] password-control length 9
[Sysname-ugroup-test] quit
# Set the minimum password length to 9 characters for local user abc.
[Sysname] local-user abc
[Sysname-luser-abc] password-control length 9
Related commands
• display password-control
• local-user
• user-group
password-control login idle-time
Use password-control login idle-time to set the maximum account idle time. If a user account is idle for this period of time, you can no longer use this account to log in to the device.
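The composition policy (type-number / type-length) and the minimum-length policy described above can be checked offline before a password is configured on the device. The following Python checker is an added example, not HP code: it interprets the same password-control length and composition lines a running configuration contains and evaluates candidate passwords against them. The special-character set is an assumption, since Table 28 is not reproduced on this page.

```python
"""Added example (not HP code): an offline checker for the Comware
password-control length and composition policies described on this page.
It reads the same CLI lines a running configuration would contain and
evaluates candidate passwords against them.  The special-character set
below is an assumption, because Table 28 is not reproduced on this page."""
import re
from dataclasses import dataclass
from string import ascii_lowercase, ascii_uppercase, digits

# Assumed special-character set (Table 28 is not available here).
SPECIAL_CHARS = set("`~!@#$%^&*()-_=+\\|[{]};:'\",<.>/? ")

# The four character types that "password-control composition" counts.
CHAR_TYPES = {
    "uppercase": set(ascii_uppercase),
    "lowercase": set(ascii_lowercase),
    "digit": set(digits),
    "special": SPECIAL_CHARS,
}


@dataclass
class PasswordPolicy:
    """Defaults follow the page: minimum length 10, composition 1 type
    with 1 character per type."""
    min_length: int = 10   # password-control length
    type_number: int = 1   # password-control composition type-number
    type_length: int = 1   # password-control composition ... type-length

    def violations(self, password: str) -> list:
        """Return the list of policy violations; an empty list means the
        password is acceptable under this policy."""
        problems = []
        if len(password) < self.min_length:
            problems.append(
                f"length {len(password)} is below the minimum of {self.min_length}")
        unknown = sorted({c for c in password
                          if not any(c in s for s in CHAR_TYPES.values())})
        if unknown:
            problems.append(f"characters outside the valid types: {unknown!r}")
        # A type counts toward type-number only when the password contains
        # at least type-length characters of that type.
        counts = {name: sum(c in chars for c in password)
                  for name, chars in CHAR_TYPES.items()}
        satisfied = [name for name, n in counts.items() if n >= self.type_length]
        if len(satisfied) < self.type_number:
            problems.append(
                f"{len(satisfied)} type(s) with at least {self.type_length} "
                f"character(s), policy requires {self.type_number}")
        return problems


_LENGTH_RE = re.compile(r"^\s*password-control length (\d+)\s*$")
_COMPOSITION_RE = re.compile(
    r"^\s*password-control composition type-number (\d+)(?: type-length (\d+))?\s*$")


def policy_from_config(config_lines) -> PasswordPolicy:
    """Build a PasswordPolicy from configuration lines.  Only the length and
    composition commands (and their undo forms) are interpreted; any other
    line, such as aging or history settings, is ignored."""
    policy = PasswordPolicy()
    for line in config_lines:
        if re.match(r"^\s*undo password-control length\s*$", line):
            policy.min_length = PasswordPolicy.min_length
        elif re.match(r"^\s*undo password-control composition\s*$", line):
            policy.type_number = PasswordPolicy.type_number
            policy.type_length = PasswordPolicy.type_length
        elif m := _LENGTH_RE.match(line):
            policy.min_length = int(m.group(1))
        elif m := _COMPOSITION_RE.match(line):
            policy.type_number = int(m.group(1))
            if m.group(2) is not None:
                policy.type_length = int(m.group(2))
    return policy


if __name__ == "__main__":
    # Constructed sample: the settings used in the page's user-group examples.
    sample_config = [
        "password-control length 9",
        "password-control composition type-number 3 type-length 5",
    ]
    policy = policy_from_config(sample_config)
    for candidate in ("AAAAAbbbbb11111", "AAAAAbbbbb1111", "short"):
        result = policy.violations(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(result)}")
```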
Syntax
password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
undo password-control login-attempt
Default
The maximum number of consecutive failed login attempts is 3, and a user who fails to log in after the specified number of attempts must wait 1 minute before trying again.
Views
System view
Default command level
2: System level
Parameters
login-times: Specifies the maximum number of consecutive failed login attempts, in the range of 2 to 10.
<Sysname> system-view
[Sysname] password-control login-attempt 2 exceed lock-time 3
Later, if a user tries to log in but fails two times, you can find it in the password control blacklist with its status changed from unlock to lock:
[Sysname] display password-control blacklist
Username: test  IP: 192.168.44.1  Login failed times: 2  Lock flag: lock
Total 1 blacklist item(s) matched. 1 listed.
After 3 minutes, the user is removed from the password control blacklist and can log in again.
password-control super aging
Use password-control super aging to set the aging time for super passwords.
Use undo password-control super aging to restore the default.
Syntax
password-control super aging aging-time
undo password-control super aging
Default
The aging time for super passwords is the same as the global password aging time.
Views
System view
Default command level
2: System level
Parameters
aging-time: Specifies the super password aging time in days, in the range of 1 to 365.
Default command level
2: System level
Parameters
type-number type-number: Specifies the minimum number of character types for super passwords. The value range for the type-number argument is 1 to 4 in non-FIPS mode and is fixed at 4 in FIPS mode.
type-length type-length: Specifies the minimum number of characters from each character type for super passwords. The value range for the type-length argument is 1 to 16.
If you have specified the minimum length of super passwords, the system applies the specified minimum length to super passwords.
Examples
# Set the minimum length for super passwords to 10 characters.
<Sysname> system-view
[Sysname] password-control super length 10
Related commands
password-control length
reset password-control blacklist
Use reset password-control blacklist to remove all or one user from the password control blacklist.
Parameters
user-name name: Specifies the username of the user whose password records are to be deleted. The name argument is a case-sensitive string of 1 to 80 characters.
super: Deletes the history records of the super password specified by the level level option, or the history records of all super passwords.
level level: Specifies a user level in the range of 1 to 3.
Usage guidelines
With no arguments or keywords specified, this command deletes the history password records of all local users.
RSH configuration commands
rsh
Use rsh to execute an OS command on a remote host.
Syntax
rsh host [ user username ] command remote-command
Views
User view
Default command level
0: Visit level
Parameters
host: IP address or host name of the remote host, a string of 1 to 20 characters.
user username: Specifies the username for remote login, a string of 1 to 20 characters. If you do not specify a username, the system name of the device, which can be set by using the sysname command, applies.
2001-12-07  17:28         122,880 wrshdctl.exe
2003-06-21  10:51         192,512 wrshdnt.cpl
2001-12-09  16:41          38,991 wrshdnt.hlp
2001-12-09  16:26           1,740 wrshdnt.cnt
2003-06-22  11:14         452,230 wrshdnt.htm
2003-06-23  18:18
2003-06-23  18:18
2003-06-22  11:13
2001-09-02  15:41          49,152 wrshdrdr.exe
2003-06-21  10:32          69,632 wrshdrun.exe
2004-01-02  15:54         196,608 wrshdsp.exe
2004-01-02  15:54         102,400 wrshdnt.exe
2001-07-30  18:05             766 wrshdnt.ico
2004-07-13  09:10           3,253 INSTALL.LOG
                            4,803 wrshdnt_header.
Public key configuration commands
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
display public-key local public
Use display public-key local public to display the public key information of local asymmetric key pairs.
Time of Key pair created: 19:59:17 2007/10/25
Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12
B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75
1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001
# Display the public key information of the local DSA key pair.
display public-key peer
Use display public-key peer to display information about the specified or all peer public keys on the local device.
Syntax
display public-key peer [ brief | name publickey-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
brief: Displays brief information about all peer public keys.
name publickey-name: Specifies a peer public key by its name, a case-sensitive string of 1 to 64 characters.
Table 30 Command output
Field       Description
Key Name    Name of the public key.
Key Type    Key type: RSA or DSA.
Key Module  Key modulus length in bits.
Key Code    Public key data.
# Display brief information about all locally saved peer public keys.
<Sysname> display public-key peer brief
Type  Module  Name
--------------------------
RSA   1024    idrsa
DSA   1024    10.1.1.1
Table 31 Command output
Field   Description
Type    Key type: RSA or DSA.
Module  Key modulus length in bits.
public-key-code begin
Use public-key-code begin to enter public key code view. Then, enter the key data in the correct format to specify the peer public key. Spaces and carriage returns are allowed between characters, but are not saved.
Syntax
public-key-code begin
Views
Public key view
Default command level
2: System level
Usage guidelines
If the peer device is an HP device, input the key data displayed by the display public-key local public command so that the key is format compliant.
Usage guidelines
The system verifies the key before saving it. If the key is not in the correct format, the system discards the key and displays an error message. If the key is valid, the system saves the key.
Examples
# Exit public key code view and save the configured public key.
Table 32 Default local key pair names
Type  Default name
RSA   • Host key pair: hostkey
      • Server key pair: serverkey
DSA   dsakey
Usage guidelines
When using this command to create DSA or RSA key pairs, you are asked to provide the length of the key modulus. The modulus length is in the range of 512 to 2048 bits, and defaults to 1024 bits. In FIPS mode, the DSA key modulus length is at least 1024 bits, and the RSA key modulus length must be 2048 bits.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++
+++++++
+++++++++
+++
Related commands
• public-key local destroy
• display public-key local public
public-key local destroy
Use public-key local destroy to destroy a local asymmetric key pair.
Syntax
public-key local destroy { dsa | rsa } [ name key-name ]
Views
System view
Default command level
2: System level
Parameters
dsa: Specifies the DSA key pair.
rsa: Specifies the RSA key pair.
public-key local export
Use public-key local export to display an RSA key pair in PEM format on the terminal.
Syntax
public-key local export rsa name key-name pem { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc } password
Views
System view
Default command level
2: System level
Parameters
rsa: Specifies an RSA key pair.
name key-name: Specifies an RSA key pair by its name. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-).
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "dsa-key-20070625"
Usage guidelines
SSH1, SSH2.0, and OpenSSH are different public key formats for different requirements.
Examples
# Export the host public key of the local RSA key pairs in OpenSSH format to the file named key.pub.
<Sysname> system-view
[Sysname] public-key local export public rsa openssh key.pub
# Display the host public key of the local RSA key pairs in SSH2.0 format.
Usage guidelines
The system saves the imported RSA key pair at a location different from that of the default RSA key pair, so the default RSA key pair is not overwritten. The RSA key pair to be imported must be in PEM format so that it can be copied and pasted onto the terminal. After you execute the public-key local import command, copy the private key of the RSA key pair onto the terminal when prompted. The public key is included in the private key.
public-key peer
Use public-key peer to specify a name for the peer public key and enter public key view.
Use undo public-key peer to remove the public key.
Syntax
public-key peer keyname
undo public-key peer keyname
Views
System view
Default command level
2: System level
Parameters
keyname: Specifies a name for the peer public key on the local device, a case-sensitive string of 1 to 64 characters.
undo public-key peer keyname
Views
System view
Default command level
2: System level
Parameters
keyname: Specifies a public key name, a case-sensitive string of 1 to 64 characters.
filename: Specifies the name of the file that saves the peer host public key. For more information about file names, see Fundamentals Configuration Guide.
Usage guidelines
After execution of this command, the system automatically transforms the peer host public key to the PKCS format and imports the key.
PKI configuration commands
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
attribute
Use attribute to configure the attribute rules of the certificate issuer name, certificate subject name, and alternative certificate subject name.
Use undo attribute to delete the attribute rules of one or all certificates.
Usage guidelines
The attribute of the alternative certificate subject name does not appear as a distinguished name, and therefore the dn keyword is not available for the attribute.
Examples
# Create a certificate attribute rule, specifying that the DN in the subject name includes the string abc.
Use undo certificate request entity to remove the configuration.
Syntax
certificate request entity entity-name
undo certificate request entity
Default
No entity is specified for certificate request.
Views
PKI domain view
Default command level
2: System level
Parameters
entity-name: Specifies an entity name for certificate request, a case-insensitive string of 1 to 15 characters.
Examples
# Specify the entity for certificate request as entity1.
Examples
# Specify that the entity requests a certificate from the CA.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request from ca
certificate request mode
Use certificate request mode to set the certificate request mode.
Use undo certificate request mode to restore the default.
Syntax
certificate request mode { auto [ key-length key-length | password { cipher | simple } password ] * | manual }
undo certificate request mode
Default
Manual mode is used.
Related commands
pki request-certificate
certificate request polling
Use certificate request polling to specify the certificate request polling interval and attempt limit.
Use undo certificate request polling to restore the defaults.
Syntax
certificate request polling { count count | interval minutes }
undo certificate request polling { count | interval }
Default
The polling is executed every 20 minutes for up to 50 times.
Default
No URL is specified for a PKI domain.
Views
PKI domain view
Default command level
2: System level
Parameters
url-string: Specifies the server URL for certificate request, a case-insensitive string of 1 to 127 characters. It comprises the location of the server and the location of the CGI command interface script, in the format http://server_location/ca_script_location, where server_location must be an IP address; domain name resolution is not supported.
country
Use country to specify the code of the country to which an entity belongs. It is a standard 2-character code, for example, CN for China.
Use undo country to remove the configuration.
Syntax
country country-code-str
undo country
Default
No country code is specified.
Views
PKI entity view
Default command level
2: System level
Parameters
country-code-str: Specifies a country code for the entity, a case-insensitive string of 2 characters.
Examples
# Set the country code of an entity to CN.
Usage guidelines
CRLs are files issued by the CA to publish all certificates that have been revoked. Revocation of a certificate might occur before the certificate expires. CRL checking is intended for checking whether a certificate has been revoked. A revoked certificate is no longer trusted.
Examples
# Disable CRL checking.
Default
No CRL distribution point URL is specified.
Views
PKI domain view
Default command level
2: System level
Parameters
url-string: Specifies the URL of the CRL distribution point, a case-insensitive string of 1 to 125 characters in the format ldap://server_location or http://server_location, where server_location must be an IP address or a domain name.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the local certificate.
<Sysname> display pki certificate local domain 1
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      10B7D4E3 00010000 0086
    Signature Algorithm: md5WithRSAEncryption
    Issuer: emailAddress=myca@aabbcc.
Field                           Description
Issuer                          Issuer of the certificate.
Validity                        Validity period of the certificate.
Subject                         Entity holding the certificate.
Subject Public Key Info         Public key information of the entity.
X509v3 extensions               Extensions of the X.509 (version 3) certificate.
X509v3 CRL Distribution Points  Distribution points of X.509 (version 3) CRLs.
Table 34 Command output
Field                  Description
access-control-policy  Name of the certificate attribute-based access control policy.
rule number            Number of the access control rule.
display pki certificate attribute-group
Use display pki certificate attribute-group to display information about one or all certificate attribute groups.
Field        Description
abc          Value of attribute 1.
issuer-name  Name of the certificate issuer.
fqdn         FQDN of the entity.
nctn         Not-contain operation.
app          Value of attribute 2.
display pki crl domain
Use display pki crl domain to display the locally saved CRLs.
Syntax
display pki crl domain domain-name [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
domain-name: Specifies a PKI domain name, a string of 1 to 15 characters.
Revoked Certificates:
  Serial Number: 05a234448E…
  Revocation Date: Sep 6 12:33:22 2004 GMT
  CRL entry extensions:…
  Serial Number: 05a278445E…
  Revocation Date: Sep 7 12:33:22 2004 GMT
  CRL entry extensions:…
Table 36 Command output
Field                Description
Version              Version of the CRL.
Signature Algorithm  Signature algorithm used by the CRLs.
Issuer               CA issuing the CRLs.
Last Update          Last update time.
Next Update          Next update time.
CRL extensions       Extensions of the CRL.
Parameters
name-str: Specifies a fully qualified domain name (FQDN) for an entity, a case-insensitive string of 1 to 127 characters.
Usage guidelines
An FQDN is the unique identifier of an entity on a network. It consists of a host name and a domain name and can be resolved into an IP address.
Examples
# Configure the FQDN of an entity as pki.domain-name.com.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] fqdn pki.domain-name.
Default
No LDAP server is specified for a PKI domain.
Views
PKI domain view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address of the LDAP server, in dotted decimal format.
port-number: Specifies the port number of the LDAP server. The value range is 1 to 65535, and the default is 389.
version-number: Specifies the LDAP version number, 2 or 3. The default is 2.
Examples
# Specify an LDAP server for PKI domain 1.
organization
Use organization to configure the name of the organization to which the entity belongs.
Use undo organization to remove the configuration.
Syntax
organization org-name
undo organization
Default
No organization name is specified for an entity.
Views
PKI entity view
Default command level
2: System level
Parameters
org-name: Specifies an organization name for an entity, a case-insensitive string of 1 to 31 characters. No comma can be included.
Examples
# Configure the name of the organization unit to which an entity belongs as group1.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] organization-unit group1
pki certificate access-control-policy
Use pki certificate access-control-policy to create a certificate attribute-based access control policy and enter its view.
Use undo pki certificate access-control-policy to remove one or all certificate attribute-based access control policies.
Views
System view
Default command level
2: System level
Parameters
group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 16 characters. It cannot be a, al, or all.
all: Specifies all certificate attribute groups.
Examples
# Create a certificate attribute group named mygroup and enter its view.
Default
No PKI domain exists.
Views
System view
Default command level
2: System level
Parameters
domain-name: Specifies a PKI domain name, a case-insensitive string of 1 to 15 characters.
Usage guidelines
You can create up to 32 PKI domains on a device.
Examples
# Create a PKI domain and enter its view.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1]
pki entity
Use pki entity to create a PKI entity and enter its view.
Use undo pki entity to remove a PKI entity.
pki import-certificate
Use pki import-certificate to import a CA certificate or local certificate from a file and save it locally.
Syntax
pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]
Views
System view
Default command level
2: System level
Parameters
ca: Specifies the CA certificate.
local: Specifies the local certificate.
domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.
der: Specifies the DER certificate format.
Views
System view
Default command level
2: System level
Parameters
domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.
password: Specifies the password for certificate revocation, a case-sensitive string of 1 to 31 characters.
pkcs10: Displays the BASE64-encoded PKCS#10 certificate request information, which can be used to request a certificate by out-of-band means, such as phone, disk, or email.
local: Obtains the local certificate.
domain-name: Specifies a PKI domain by its name.
Examples
# Obtain the CA certificate from the CA server.
<Sysname> system-view
[Sysname] pki retrieval-certificate ca domain 1
Related commands
pki domain
pki retrieval-crl domain
Use pki retrieval-crl domain to obtain the latest CRLs from the server for CRL distribution.
Parameters
ca: Verifies the CA certificate.
local: Verifies the local certificate.
domain-name: Specifies the name of the PKI domain to which the certificate to be verified belongs, a string of 1 to 15 characters.
Usage guidelines
Certificate validity verification checks that the certificate is signed by the CA and that the certificate has neither expired nor been revoked.
Examples
# Verify the validity of the local certificate.
# Configure a SHA1 fingerprint for verifying the validity of the CA root certificate.
[Sysname-pki-domain-1] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
rule (PKI CERT ACP view)
Use rule to create a certificate attribute access control rule.
Use undo rule to delete one or all access control rules.
Syntax
rule [ id ] { deny | permit } group-name
undo rule { id | all }
Default
No access control rule exists.
Syntax
state state-name
undo state
Default
No state or province is specified.
Views
PKI entity view
Default command level
2: System level
Parameters
state-name: Specifies the state or province name, a case-insensitive string of 1 to 31 characters. No comma can be included.
Examples
# Specify the state where an entity resides.
IPsec configuration commands
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
ah authentication-algorithm
Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
Use undo ah authentication-algorithm to restore the default.
connection-name
Use connection-name to configure an IPsec connection name. This name functions only as a description of the IPsec policy.
Use undo connection-name to restore the default.
Syntax
connection-name name
undo connection-name
Default
No IPsec connection name is configured.
Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Parameters
name: Specifies the IPsec connection name, a case-insensitive string of 1 to 32 characters.
Parameters
slot slot-number: Specifies an interface card by its slot number. The following matrix shows the slot slot-number option and router compatibility:
Option            6602  HSR6602  6604/6608/6616
slot slot-number  No    Yes      Yes
Examples
# Enable the encryption engine.
<Sysname> system-view
[Sysname] cryptoengine enable
display ipsec policy
Use display ipsec policy to display information about IPsec policies.
<Sysname> display ipsec policy brief
IPsec Policy Name  Mode      ACL   IKE Peer Name  Mapped Template
-----------------------------------------------------------------------
bbbbbbbbbbbbbbb-1  template                       aaaaaaaaaaaaaaa
man-1              manual    3400
map-1              isakmp    3000  peer
nat-1              isakmp    3500  nat
test-1             isakmp    3200  test
toccccc-1          isakmp    3003  tocccc

IPsec Policy Name  Mode      ACL   Local Address  Remote Address
-----------------------------------------------------------------------
man-1              manual    3400  3.3.3.
synchronization inbound anti-replay-interval: 1000 packets
synchronization outbound anti-replay-interval: 10000 packets
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
policy enable: True
tfc enable: False
===========================================
IPsec Policy Group: "policy_man"
Interface: GigabitEthernet3/0/2
===========================================
----------------------------------------
IPsec policy name: "policy_man"
sequence number: 10
IPsec policy name: "policy001"
sequence number: 10
acl version: None
mode: manual
----------------------------
encapsulation mode: tunnel
security data flow :
tunnel local address:
tunnel remote address:
transform-set name: prop1
inbound AH setting:
  AH spi:
  AH string-key:
  AH authentication hex key: ******
inbound ESP setting:
  ESP spi: 23456 (0x5ba0)
  ESP string-key:
  ESP encryption hex key: ******
  ESP authentication hex key: ******
outbound AH setting:
  AH spi:
  AH string-key:
  AH authentication hex key:
outbou
Field               Description
Protocol            Name of the protocol to which the IPsec policy is applied. (This field is not displayed when the IPsec policy is not applied to any routing protocol.)
sequence number     Sequence number of the IPsec policy.
mode                Negotiation mode of the IPsec policy:
                    • manual—Manual mode.
                    • isakmp—IKE negotiation mode.
                    • template—IPsec policy template mode.
                    • gdoi—GDOI mode.
encapsulation mode  IPsec packet encapsulation mode:
                    • tunnel—Tunnel mode.
                    • transport—Transport mode.
Parameters
brief: Displays brief information about all IPsec policy templates.
name: Displays detailed information about a specific IPsec policy template or IPsec policy template group.
template-name: Specifies the name of the IPsec policy template, a string of 1 to 41 characters.
seq-number: Specifies the sequence number of the IPsec policy template, in the range of 1 to 10000.
|: Filters command output by specifying a regular expression.
ACL's Version: acl4
ike-peer name: per
PFS: N
transform-set name: testprop
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
Table 40 Command output
Field               Description
encapsulation mode  IPsec packet encapsulation mode:
                    • tunnel—Tunnel mode.
                    • transport—Transport mode.
security data flow  ACL referenced by the IPsec policy template.
ACL's Version       ACL version:
                    • acl4—IPv4 ACL.
                    • acl6—IPv6 ACL.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any parameters, the command displays the configuration information of all IPsec profiles.
Examples
# Display the configuration of all IPsec profiles.
Table 41 Command output
Field               Description
Interface           Interface that references the IPsec profile.
encapsulation mode  Encapsulation mode for the IPsec profile:
                    • dvpn—DVPN tunnel mode.
                    • tunnel—IPsec tunnel mode.
security data flow  ACL referenced by the IPsec profile. As an IPsec profile does not reference any ACL, no information is displayed for this field.
ike-peer name       IKE peer referenced by the IPsec profile.
PFS                 Whether perfect forward secrecy is enabled.
DH group            DH group used.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
PFS: N, DH group: none
tunnel:
  local address: 2.2.2.2
  remote address: 1.1.1.2
flow:
  sour addr: 192.168.2.0/255.255.255.0  port: 0  protocol: IP
  dest addr: 192.168.1.0/255.255.255.
in use setting: Transport
connection id: 3
No duration limit for this sa
[outbound AH SAs]
spi: 0x12d683 (1234563)
transform: AH-MD5HMAC96
in use setting: Transport
connection id: 4
No duration limit for this sa
===============================
Interface: GigabitEthernet1/0/1
path MTU: 1500
===============================
----------------------------
IPsec policy name: "r2"
sequence number: 1
mode: gdoi
----------------------------
PFS: N, DH group: none
tunnel:
  local address: 2.2.2.2
  remote address: 0.0.0.
spi: 0x2FC8FD45(801701189)
transfrom: ESP-ENCRYPT-DES ESP-AUTH-MD5
in use setting: Tunnel
connection id: 7
sa duration (kilobytes/sec): 4294967295/604800
sa remaining duration (kilobytes/sec): 1843200/2686
anti-replay detection: Disabled
udp encapsulation used for nat traversal: N/A
status: active
spi: 0xBC1D46C4(3156035268)
transfrom: ESP-ENCRYPT-DES ESP-AUTH-MD5
in use setting: Tunnel
connection id: 8
sa duration (kilobytes/sec): 4294967295/604800
sa remaining duration (kilobytes/sec): 1843200/2686
anti-
Field: Description
spi: Security parameter index.
transform: Security protocol and algorithms used by the IPsec transform set.
in use setting: IPsec SA attribute setting: transport or tunnel.
connection id: IPsec tunnel identifier.
sa duration: Lifetime of the IPsec SA.
sa remaining duration: Remaining lifetime of the SA.
anti-replay detection: Whether IPsec anti-replay detection is enabled.
anti-replay window size(time based): Anti-replay window size (time-based), in seconds.
Examples
# Display statistics for all IPsec packets.
Field: Description
dropped security packet detail: Detailed information about inbound/outbound packets that get dropped.
not enough memory: Number of packets dropped due to lack of memory.
can't find SA: Number of packets dropped due to finding no security association.
queue is full: Number of packets dropped due to full queues.
authentication has failed: Number of packets dropped due to authentication failure.
wrong length: Number of packets dropped due to wrong packet length.
Examples
# Display information about all IPsec transform sets.
display ipsec transform-set
  IPsec transform-set name: tran1
    encapsulation mode: tunnel
    ESN : disable
    ESN scheme: NO
    transform: esp-new
    ESP protocol:
      Integrity: md5-hmac-96
      Encryption: des
  IPsec transform-set name: tran2
    encapsulation mode: transport
    transform: esp-new
    ESP protocol:
      Integrity: md5-hmac-96
      Encryption: des

Table 45 Command output

Field: Description
IPsec transform-set name: Name of the IPsec transform set.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about IPsec tunnels.
Field: Description
perfect forward secrecy: Perfect forward secrecy, indicating which DH group is to be used for fast negotiation mode in IKE phase 2.
SA's SPI: SPIs of the inbound and outbound SAs.
tunnel: Local and remote addresses of the tunnel.
flow: Data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port and protocol.
as defined in acl 3001: The IPsec tunnel protects all data flows defined by ACL 3001.
esp authentication-algorithm
Use esp authentication-algorithm to specify authentication algorithms for ESP.
Use undo esp authentication-algorithm to restore the default.
Syntax
esp authentication-algorithm { md5 | sha1 }
undo esp authentication-algorithm
Default
In FIPS mode, ESP uses the SHA-1 authentication algorithm. In non-FIPS mode, ESP uses no authentication algorithm.
Syntax
esp encryption-algorithm { 3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des }
undo esp encryption-algorithm
Default
In FIPS mode, ESP uses the AES-128 encryption algorithm. In non-FIPS mode, ESP uses no encryption algorithm.
Views
IPsec transform set view
Default command level
2: System level
Parameters
3des: Uses the triple Data Encryption Standard (3DES) in CBC mode, which uses a 168-bit key. This keyword is not supported in FIPS mode.
This command applies only to IKE negotiation mode.
Syntax
ike-peer peer-name
undo ike-peer peer-name
Views
IPsec policy view, IPsec policy template view, IPsec profile view
Default command level
2: System level
Parameters
peer-name: Specifies the IKE peer name, a string of 1 to 32 characters.
Examples
# Configure a reference to an IKE peer in an IPsec policy.
[Sysname] ipsec anti-replay check

ipsec anti-replay window
Use ipsec anti-replay window to set the size of the anti-replay window.
Use undo ipsec anti-replay window to restore the default.
Syntax
ipsec anti-replay window width
undo ipsec anti-replay window
Default
The size of the anti-replay window is 32.
Views
System view
Default command level
2: System level
Parameters
width: Specifies the size of the anti-replay window. It can be 32, 64, 128, 256, 512, or 1024.
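To show what the window width set by ipsec anti-replay window actually controls on the receiving side, here is an added Python model of an IPsec sliding anti-replay window in the style of RFC 4303. It is example code written for this page, not HP software; the sequence numbers fed to it are constructed. A packet is rejected either because its sequence number was already seen (a replay) or because it falls to the left of the window (too old), and widening the window trades replay-detection memory for tolerance of packet reordering.

```python
"""Sliding-window anti-replay check as used by IPsec receivers (RFC 4303 style).

Added example, not HP code: models the receiver-side window whose width the
ipsec anti-replay window command sets (32, 64, 128, 256, 512 or 1024).
"""

VALID_WIDTHS = (32, 64, 128, 256, 512, 1024)   # widths the command accepts


class AntiReplayWindow:
    def __init__(self, width=32):
        if width not in VALID_WIDTHS:
            raise ValueError(f"window width must be one of {VALID_WIDTHS}")
        self.width = width
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) was received
        self.stats = {"accepted": 0, "replayed": 0, "too_old": 0}

    def check(self, seq):
        """Record seq and return True if it is fresh; False for a replay or a
        sequence number that has fallen out of the window. Sequence number 0
        is never valid on an SA with anti-replay enabled."""
        if seq == 0:
            self.stats["too_old"] += 1
            return False
        if seq > self.top:
            # Slide the window right; bits that fall off the left edge are forgotten.
            shift = seq - self.top
            if shift >= self.width:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.width) - 1)
            self.top = seq
            self.stats["accepted"] += 1
            return True
        offset = self.top - seq
        if offset >= self.width:            # left of the window: cannot tell replay from late
            self.stats["too_old"] += 1
            return False
        if self.bitmap & (1 << offset):     # already received: replay
            self.stats["replayed"] += 1
            return False
        self.bitmap |= 1 << offset          # late but inside the window: accept once
        self.stats["accepted"] += 1
        return True


def replay_check(seq_numbers, width=32):
    """Run a constructed stream of ESP/AH sequence numbers through one window.
    Returns [(seq, accepted), ...] and the drop counters."""
    window = AntiReplayWindow(width)
    results = [(seq, window.check(seq)) for seq in seq_numbers]
    return results, window.stats


if __name__ == "__main__":
    # Constructed stream: in-order packets, one duplicate, a jump, two stale
    # packets, a reordered packet and its replay.
    stream = [1, 2, 3, 2, 40, 5, 41, 100, 90, 90, 60]
    for seq, ok in replay_check(stream, width=32)[0]:
        print(f"seq {seq:4d}: {'accept' if ok else 'drop'}")
```

With the default width of 32, sequence number 60 arriving after 100 is dropped as too old, while a 64-wide window still accepts it; that is the reordering tolerance the width parameter buys.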
Examples
# Enable ACL checking of de-encapsulated IPsec packets.
system-view
[Sysname] ipsec decrypt check

ipsec fragmentation before-encryption
Use ipsec fragmentation before-encryption enable to enable IPsec packet fragmentation before encryption.
Use undo ipsec fragmentation before-encryption enable to enable IPsec packet fragmentation after encryption.
Use undo ipsec invalid-spi-recovery enable to restore the default.
Syntax
ipsec invalid-spi-recovery enable
undo ipsec invalid-spi-recovery enable
Default
The invalid SPI recovery is disabled. The receiver discards IPsec packets with invalid SPIs.
Views
System view
Default command level
2: System level
Usage guidelines
Invalid SPI recovery enables an IPsec security gateway to send an INVALID SPI NOTIFY message to its peer when it receives an IPsec packet but cannot find any SA with the specified SPI.
For each packet to be sent out an IPsec protected interface, the system checks the IPsec policies of the IPsec policy group in ascending order of sequence numbers. If it finds an IPsec policy whose ACL matches the packet, it uses that IPsec policy to protect the packet. If no ACL of the IPsec policies matches the packet, it does not provide IPsec protection for the packet and sends the packet out directly.
Examples
# Apply IPsec policy group pg1 to interface Serial 2/1/2.
In a group encrypted transport VPN, you must configure IPsec GDOI policies on the group members. For more information about group encrypted transport VPN, see Security Configuration Guide.
Examples
# Create an IPsec policy with the name policy1 and sequence number 100, and specify that SAs are set up through IKE negotiation.
system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100]
# Create an IPsec policy with the name policy1 and specify the manual mode for it.
Related commands
• ipsec policy (system view)
• ipsec policy-template
Examples
# Create an IPsec policy with the name policy2 and sequence number 200 by referencing IPsec policy template temp1.
system-view
[Sysname] ipsec policy policy2 200 isakmp template temp1

ipsec policy-template
Use ipsec policy-template to create an IPsec policy template and enter the IPsec policy template view.
Use undo ipsec policy-template to delete the specified IPsec policy templates.
ipsec profile (system view)
Use ipsec profile to create an IPsec profile and enter its view. An IPsec profile defines the IPsec transform sets to be used to protect the data and the IKE negotiation parameters used to set up the SAs.
Use undo ipsec profile to delete an IPsec profile.
Syntax
ipsec profile profile-name
undo ipsec profile profile-name
Default
No IPsec profile exists.
Default command level
2: System level
Parameters
profile-name: Specifies the name of the IPsec profile, a case-insensitive string of 1 to 15 characters.
Usage guidelines
Only one IPsec profile can be applied to a tunnel interface. To apply another IPsec profile to the tunnel interface, remove the original application first. An IPsec profile cannot be applied to the DVPN tunnel interface and the IPsec tunnel interface simultaneously.
Examples
# Apply IPsec profile vtiprofile to the IPsec tunnel interface.
kilobytes: Specifies the traffic-based global SA lifetime in kilobytes, in the range 2560 to 4294967295.
Usage guidelines
When negotiating to set up an SA, IKE prefers the lifetime of the IPsec policy or IPsec profile that it uses. If the IPsec policy is not configured with its own lifetime, IKE uses the global SA lifetime. When negotiating to set up an SA, IKE prefers the shorter one of the local lifetime and that proposed by the remote.
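Two rules in this chapter are easy to state but worth seeing together: the ordered, first-ACL-match-wins lookup that the ipsec policy (interface view) usage guidelines describe, and the lifetime selection described under ipsec sa global-duration (the policy's own sa duration if set, otherwise the global value, then the shorter of local and peer-proposed). The Python below is an added example written for this page, not HP code. Its ACL model (prefix match on source and destination plus a protocol keyword, implicit deny when no rule matches) is a deliberate simplification of the router's ACL syntax, and the policy group pg1 and the packets are constructed.

```python
"""IPsec policy group lookup and SA lifetime selection.

Added example, not HP code. Models two rules from the command reference:
  * outbound packets are matched against the policies of a policy group in
    ascending sequence-number order; the first policy whose ACL permits the
    packet protects it, otherwise the packet is sent out unprotected;
  * IKE uses the policy's own sa duration if configured, else the global
    lifetime, and keeps the shorter of the local value and the peer's proposal.
The ACL model here is simplified (prefix + protocol, implicit deny), not the
router's full ACL syntax.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Global defaults stated on the page (ipsec sa global-duration).
GLOBAL_TIME_BASED = 3600          # seconds
GLOBAL_TRAFFIC_BASED = 1843200    # kilobytes


@dataclass
class AclRule:
    action: str          # "permit" or "deny"
    protocol: str        # "ip" matches any protocol
    source: str          # prefix, e.g. "10.1.0.0/16"
    destination: str

    def matches(self, pkt):
        proto_ok = self.protocol == "ip" or self.protocol == pkt["protocol"]
        return (proto_ok
                and ip_address(pkt["src"]) in ip_network(self.source)
                and ip_address(pkt["dst"]) in ip_network(self.destination))


@dataclass
class IpsecPolicy:
    name: str
    seq: int
    acl: List[AclRule]                   # rules evaluated in order
    time_based: Optional[int] = None     # sa duration time-based, seconds
    traffic_based: Optional[int] = None  # sa duration traffic-based, kilobytes

    def permits(self, pkt):
        for rule in self.acl:
            if rule.matches(pkt):
                return rule.action == "permit"
        return False   # implicit deny: no rule matched


def select_policy(group, pkt):
    """First policy, by ascending sequence number, whose ACL permits pkt; None if none does."""
    for policy in sorted(group, key=lambda p: p.seq):
        if policy.permits(pkt):
            return policy
    return None


def negotiate_lifetime(policy, peer_time, peer_traffic):
    """(seconds, kilobytes) IKE settles on for an SA under this policy."""
    local_time = policy.time_based if policy.time_based is not None else GLOBAL_TIME_BASED
    local_traffic = policy.traffic_based if policy.traffic_based is not None else GLOBAL_TRAFFIC_BASED
    return min(local_time, peer_time), min(local_traffic, peer_traffic)


# Constructed policy group pg1: seq 10 is checked before seq 20 regardless of
# definition order. A deny in seq 10 does not stop seq 20 from matching.
PG1 = [
    IpsecPolicy("pg1", 20, [AclRule("permit", "ip", "10.1.0.0/16", "10.2.0.0/16")]),
    IpsecPolicy("pg1", 10, [AclRule("deny", "ip", "10.1.1.0/24", "10.2.0.0/16"),
                            AclRule("permit", "tcp", "10.1.1.0/24", "10.3.0.0/16")],
                time_based=1800),
]


def classify(pkt, group=PG1):
    """'ipsec seq N' for a protected packet, 'bypass' when it leaves unprotected."""
    policy = select_policy(group, pkt)
    return "bypass" if policy is None else f"ipsec seq {policy.seq}"


if __name__ == "__main__":
    for pkt in [{"src": "10.1.1.5", "dst": "10.2.0.9", "protocol": "ip"},
                {"src": "10.1.1.5", "dst": "10.3.0.1", "protocol": "tcp"},
                {"src": "10.1.1.5", "dst": "10.3.0.1", "protocol": "udp"}]:
        print(pkt, "->", classify(pkt))
```

The third constructed packet (UDP to 10.3.0.0/16) matches no permit rule in any policy and leaves the interface unprotected; that silent bypass is the reason a policy group's ACLs deserve the same review as a firewall rule set.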
Related commands
display ipsec transform-set

pfs
Use pfs to enable and configure the perfect forward secrecy (PFS) feature so that the system uses the feature when employing the IPsec policy or IPsec profile to initiate a negotiation.
Use undo pfs to remove the configuration.
Syntax
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
undo pfs
Default
The PFS feature is not used for negotiation.
policy enable
Use policy enable to enable the IPsec policy.
Use undo policy enable to disable the IPsec policy.
Syntax
policy enable
undo policy enable
Default
The IPsec policy is enabled.
Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Usage guidelines
The command is not applicable to manual IPsec policies. If the IPsec policy is not enabled for the IKE peer, the peer cannot take part in the IKE negotiation.
Usage guidelines
With the packet information pre-extraction feature enabled, QoS classifies a packet based on the header of the original IP packet—the header of the IP packet that has not been encapsulated by IPsec.
Examples
# Enable packet information pre-extraction.
IPsec SAs appear in pairs. If you specify the parameters keyword to clear an IPsec SA, the IPsec SA in the other direction is also automatically cleared. If you do not specify any parameter, the command clears all IPsec SAs.
Examples
# Clear all IPsec SAs.
reset ipsec sa
# Clear the IPsec SA with a remote IP address of 10.1.1.2.
reset ipsec sa remote 10.1.1.2
# Clear all IPsec SAs of IPsec policy template policy1.
Syntax
reverse-route [ remote-peer ip-address [ gateway | static ] | static ]
undo reverse-route
Default
IPsec RRI is disabled.
Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Parameters
static: Enables static IPsec Reverse Route Inject (RRI). Static IPsec RRI creates static routes based on the ACL that the IPsec policy references. This keyword is available only in IPsec policy view.
Table 47 Possible IPsec RRI configurations and the generated routing information

Command: reverse-route static
IPsec RRI mode: Static
Route destination: Destination IP address specified in a permit rule of the ACL that is referenced by the IPsec policy
Next hop address:
  • Manual IPsec policy: Peer tunnel address set with the tunnel remote command.
  • IPsec policy that uses IKE: The remote address identified by the ip-address argument.
[Sysname-ipsec-policy-isakmp-1-1] security acl 3000
[Sysname-ipsec-policy-isakmp-1-1] transform-set tran1
[Sysname-ipsec-policy-isakmp-1-1] ike-peer 1
[Sysname-ipsec-policy-isakmp-1-1] reverse-route static
[Sysname-ipsec-policy-isakmp-1-1] quit
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] ipsec policy 1
[Sysname-GigabitEthernet3/0/1] quit
# Display the routing table. You can see that IPsec RRI has created the static route. (Other routes are not shown.
# Configure dynamic IPsec RRI to create two static routes based on an IPsec SA: one to the peer private network 3.0.0.0/24 through the remote tunnel endpoint 1.1.1.2, and the other to the remote tunnel endpoint through 1.1.1.3.
[Sysname] ipsec policy 1 1 isakmp
[Sysname-ipsec-policy-isakmp-1-1] reverse-route remote-peer 1.1.1.3 gateway
# Display the routing table. The expected routes appear in the routing table after the IPsec SA negotiation succeeds. (Other routes are not shown.
Related commands
reverse-route

reverse-route tag
Use reverse-route tag to set a route tag for the static routes created by IPsec RRI. This tag helps in implementing flexible route control through routing policies.
Use undo reverse-route tag to restore the default.
Syntax
reverse-route tag tag-value
undo reverse-route tag
Default
The tag value is 0 for the static routes created by IPsec RRI.
undo sa authentication-hex { inbound | outbound } { ah | esp }
Views
IPsec policy view
Default command level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
cipher: Sets a ciphertext authentication key.
simple: Sets a plaintext authentication key.
hex-key: Specifies the key string.
sa duration
Use sa duration to set an SA lifetime for the IPsec policy or IPsec profile.
Use undo sa duration to restore the default.
Syntax
sa duration { time-based seconds | traffic-based kilobytes }
undo sa duration { time-based | traffic-based }
Default
The SA lifetime of an IPsec policy or an IPsec profile equals the current global SA lifetime. The time-based global SA lifetime is 3600 seconds, and the traffic-based SA lifetime is 1843200 kilobytes.
[Sysname-ipsec-profile-profile1] sa duration traffic-based 20480
Related commands
• ipsec sa global-duration
• ipsec policy (system view)
• ipsec profile (system view)

sa encryption-hex
Use sa encryption-hex to configure an encryption key for an SA.
Use undo sa encryption-hex to remove the configuration.
At each end of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format (both in hexadecimal format or both in string format), and the keys must be specified in the same format for both ends of the tunnel.
Examples
# Configure the encryption keys for the inbound and outbound SAs that use ESP as 0x1234567890abcdef and 0xabcdefabcdef1234 in plain text.
• Within a certain network scope, each router must use the same SPI and keys for its inbound and outbound SAs, and all routers must use the same SPI and keys. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a neighbor group.
Examples
# Set the SPI for the inbound SA to 10000 and that for the outbound SA to 20000 in a manual IPsec policy.
Usage guidelines
This command applies to only manual IPsec policies. This command is not available in FIPS mode.
When configuring a manual IPsec policy, you must set parameters for both inbound and outbound SAs. The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA. Enter keys in the same format for the local and remote inbound and outbound SAs.
Default command level
2: System level
Parameters
ipv6: Specifies an IPv6 ACL.
acl-number: Specifies the number of the ACL for the IPsec policy to reference, in the range of 3000 to 3999.
aggregation: Uses the data flow protection mode of aggregation. If you do not specify this keyword, the standard mode is used. This protection mode is not available for IPv6 data flow.
transform
Use transform to specify a security protocol for an IPsec transform set.
Use undo transform to restore the default.
Syntax
transform { ah | ah-esp | esp }
undo transform
Default
The ESP protocol is used.
Views
IPsec transform set view
Default command level
2: System level
Parameters
ah: Uses the AH protocol.
ah-esp: Uses ESP first and then AH.
esp: Uses the ESP protocol.
Usage guidelines
The IPsec transform sets at the two ends of an IPsec tunnel must use the same security protocol.
Views
IPsec policy view, IPsec policy template view, IPsec profile view
Default command level
2: System level
Parameters
transform-set-name&<1-6>: Specifies the name of the IPsec transform set, a string of 1 to 32 characters. &<1-6> means that you can specify up to six transform sets, which are separated by space.
Usage guidelines
The specified IPsec transform sets must already exist. A manual IPsec policy can reference only one IPsec transform set.
Default
No local address is configured for an IPsec tunnel.
Views
IPsec policy view
Default command level
2: System level
Parameters
ipv6: Specifies an IPv6 address.
ip-address: Specifies the local address for the IPsec tunnel.
Usage guidelines
This command applies to only manual IPsec policies. The local address, if not configured, will be the address of the interface to which the IPsec policy is applied.
Examples
# Set the local address of the IPsec tunnel to the address of Loopback 0, 10.0.0.1.
ip-address: Specifies the remote address for the IPsec tunnel.
Usage guidelines
This command applies to only manual IPsec policies. If you execute this command multiple times, the most recent configuration takes effect.
An IPsec tunnel is established between the local and remote ends. The remote IP address of the local end must be the same as the local IP address of the remote end.
Examples
# Set the remote address of the IPsec tunnel to 10.1.1.2.
IKE configuration commands
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

authentication-algorithm
Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.
Use undo authentication-algorithm to restore the default.
undo authentication-method
Default
An IKE proposal uses the pre-shared key authentication method.
Views
IKE proposal view
Default command level
2: System level
Parameters
pre-share: Uses the pre-shared key method.
rsa-signature: Uses the RSA digital signature method.
Examples
# Specify that IKE proposal 10 uses the pre-shared key authentication method.
Related commands
• authentication-method
• pki domain

dh
Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal.
Use undo dh to restore the default.
Syntax
dh { group1 | group2 | group5 | group14 }
undo dh
Default
In FIPS mode, group2 (1024-bit Diffie-Hellman group) is used. In non-FIPS mode, group1 (768-bit Diffie-Hellman group) is used.
Views
Any view
Default command level
1: Monitor level
Parameters
dpd-name: Specifies the DPD name, a string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
Default command level
1: Monitor level
Parameters
peer-name: Specifies the name of the IKE peer, a string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
display ike proposal
Use display ike proposal to view the settings of all IKE proposals.
Syntax
display ike proposal [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
• ike proposal
• encryption-algorithm
• authentication-algorithm
• dh
• sa duration

display ike sa
Use display ike sa to display information about the current IKE SAs.
Syntax
display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address ] ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
verbose: Displays detailed information.
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD—FADING TO--TIMEOUT RK-REKEY

Table 51 Command output

Field: Description
total phase-1 SAs: Total number of SAs for phase 1.
connection-id: Identifier of the ISAKMP SA.
peer: Remote IP address of the SA.
flag: Status of the SA:
  • RD (READY)—The SA has been established.
  • ST (STAYALIVE)—This end is the initiator of the tunnel negotiation.
  • RL (REPLACED)—The tunnel has been replaced by a new one and will be deleted later.
life duration(sec): 86400
remaining key duration(sec): 86379
exchange-mode: MAIN
diffie-hellman group: GROUP1
nat traversal: NO
# Display detailed information about the IKE SA with the connection ID of 2.
display ike sa verbose connection-id 2
---------------------------------------------
vpn-instance: 1
transmitting entity: initiator
---------------------------------------------
local id type: IPV4_ADDR
local id: 4.4.4.4
remote id type: IPV4_ADDR
remote id: 4.4.4.5
local ip: 4.4.4.4
remote ip: 4.
authentication-method: PRE-SHARED-KEY
authentication-algorithm: HASH-SHA1
encryption-algorithm: DES-CBC
life duration(sec): 86400
remaining key duration(sec): 82236
exchange-mode: MAIN
diffie-hellman group: GROUP1
nat traversal: NO

Table 52 Command output

Field: Description
vpn-instance: MPLS L3VPN that the protected data belongs to.
transmitting entity: Entity in the IKE negotiation.
local id type: Identifier type of the local gateway.
local id: Identifier of the local gateway.
undo dpd
Default
No DPD detector is applied to an IKE peer.
Views
IKE peer view
Default command level
2: System level
Parameters
dpd-name: Specifies the DPD detector name, a string of 1 to 32 characters.
Examples
# Apply dpd1 to IKE peer peer1.
system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] dpd dpd1

encryption-algorithm
Use encryption-algorithm to specify an encryption algorithm for an IKE proposal.
Use undo encryption-algorithm to restore the default.
Examples
# Use 56-bit DES in CBC mode as the encryption algorithm for IKE proposal 10.
system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10] encryption-algorithm des-cbc
Related commands
• ike proposal
• display ike proposal

exchange-mode
Use exchange-mode to select an IKE negotiation mode.
Use undo exchange-mode to restore the default.
Syntax
exchange-mode { aggressive | main }
undo exchange-mode
Default
Main mode is used.
Use undo id-type to restore the default.
Syntax
id-type { ip | name | user-fqdn }
undo id-type
Default
The ID type is IP address.
Views
IKE peer view
Default command level
2: System level
Parameters
ip: Uses an IP address as the ID during IKE negotiation.
name: Uses a name of the Fully Qualified Domain Name (FQDN) type as the ID during IKE negotiation.
user-fqdn: Uses a name of the user FQDN type as the ID during IKE negotiation.
undo ike dpd dpd-name
Views
System view
Default command level
2: System level
Parameters
dpd-name: Specifies the name for the DPD detector, a string of 1 to 32 characters.
Usage guidelines
DPD irregularly detects dead IKE peers. It works as follows:
1. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.
2. If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.
3.
Default command level
2: System level
Parameters
name: Name of the local security gateway for IKE negotiation, a case-sensitive string of 1 to 32 characters.
Usage guidelines
If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation peer uses the security gateway name as its ID to initiate IKE negotiation, and you must configure the ike local-name command in system view or the local-name command in IKE peer view on the local device.
ike peer (system view)
Use ike peer to create an IKE peer and enter IKE peer view.
Use undo ike peer to delete an IKE peer.
Syntax
ike peer peer-name
undo ike peer peer-name
Views
System view
Default command level
2: System level
Parameters
peer-name: Specifies the IKE peer name, a string of 1 to 32 characters.
Examples
# Create an IKE peer named peer1 and enter IKE peer view.
Setting: Non-FIPS mode / FIPS mode
Authentication algorithm: HMAC-SHA1 / SHA
Authentication method: Pre-shared key / Pre-shared key
DH group: MODP_768 / MODP_1024
SA lifetime: 86400 seconds / 86400 seconds
Examples
# Create IKE proposal 10 and enter IKE proposal view.
system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10]
Related commands
display ike proposal

ike sa keepalive-timer interval
Use ike sa keepalive-timer interval to set the ISAKMP SA keepalive interval.
ike sa keepalive-timer timeout
Use ike sa keepalive-timer timeout to set the ISAKMP SA keepalive timeout.
Use undo ike sa keepalive-timer timeout to disable the function.
Syntax
ike sa keepalive-timer timeout seconds
undo ike sa keepalive-timer timeout
Default
No keepalive packet is sent.
Views
System view
Default command level
2: System level
Parameters
seconds: Specifies the ISAKMP SA keepalive timeout in seconds, in the range of 20 to 28800.
Default command level
2: System level
Parameters
seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 300.
Examples
# Set the NAT keepalive interval to 5 seconds.
system-view
[Sysname] ike sa nat-keepalive-timer interval 5

interval-time
Use interval-time to set the DPD query triggering interval for a DPD detector.
Use undo interval-time to restore the default.
Syntax
interval-time interval-time
undo interval-time
Default
The default DPD interval is 10 seconds.
Default
The subnet is a single one.
Views
IKE peer view
Default command level
2: System level
Parameters
multi-subnet: Sets the subnet type to multiple.
single-subnet: Sets the subnet type to single.
Usage guidelines
Use this command to enable interoperability with a NetScreen device.
Examples
# Set the subnet type of the local security gateway to multiple.
[Sysname-ike-peer-xhy] local-address 1.1.1.1

local-name
Use local-name to configure a name for the local security gateway to be used in IKE negotiation.
Use undo local-name to restore the default.
Syntax
local-name name
undo local-name
Default
The device name is used as the name of the local security gateway view.
Syntax
nat traversal
undo nat traversal
Default
The NAT traversal function is disabled.
Views
IKE peer view
Default command level
2: System level
Examples
# Enable the NAT traversal function for IKE peer peer1.
system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] nat traversal

peer
Use peer to set the subnet type of the peer security gateway for IKE negotiation.
Use undo peer to restore the default.
pre-shared-key
Use pre-shared-key to configure the pre-shared key to be used in IKE negotiation.
Use undo pre-shared-key to remove the configuration.
Syntax
pre-shared-key [ cipher | simple ] key
undo pre-shared-key
Views
IKE peer view
Default command level
2: System level
Parameters
cipher: Sets a ciphertext pre-shared key.
simple: Sets a plaintext pre-shared key.
key: Specifies the key string. This argument is case sensitive.
Views
IKE peer view
Default command level
2: System level
Parameters
proposal-number&<1-6>: Specifies the sequence number of the IKE proposal for the IKE peer to reference, in the range of 1 to 65535. &<1-6> means that you can specify the proposal-number argument up to six times. An IKE proposal with a smaller sequence number has a higher priority.
Usage guidelines
In the IKE negotiation phase 1, the local end uses the IKE proposals specified for it, if any.
low-ip-address: Specifies the IP address of the IPsec remote security gateway. It is the lowest address in the address range if you want to specify a range of addresses.
high-ip-address: Specifies the highest address in the address range if you want to specify a range of addresses.
Usage guidelines
If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation initiator sends its security gateway name as its ID for IKE negotiation, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator. Make sure the local gateway name matches the remote gateway name configured on the peer.
display ike sa
 total phase-1 SAs: 1
 connection-id  peer            flag     phase  doi
 ---------------------------------------------------------
 1              202.38.0.2      RD|ST    1      IPSEC
 flag meaning
 RD--READY ST--STAYALIVE RL--REPLACED FD—FADING TO——TIMEOUT RK--REKEY
Related commands
display ike sa

sa duration
Use sa duration to set the ISAKMP SA lifetime for an IKE proposal.
Use undo sa duration to restore the default.
Syntax
sa duration seconds
undo sa duration
Default
The ISAKMP SA lifetime is 86400 seconds.
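Operators who poll display ike sa from a monitoring script need to turn its tabular output, with the flag legend given in Table 51 and repeated above, into structured records. The parser below is an added Python example written for this page, not HP software; the captured output it runs on is constructed to match the layout shown above (the third SA, with the TO flag, is invented for illustration). It decodes the flag field and lists the SAs an operator should look at first: those marked replaced, fading or timed out.

```python
"""Parse the table printed by display ike sa and decode its flag column.

Added example, not HP code. The sample capture below is constructed to match
the output layout shown on the page; its third row is invented.
"""
import re

# Flag legend printed under the table (Table 51 on the page).
FLAG_MEANINGS = {
    "RD": "READY",
    "ST": "STAYALIVE",
    "RL": "REPLACED",
    "FD": "FADING",
    "TO": "TIMEOUT",
    "RK": "REKEY",
}

# One SA row: connection-id, peer, flags, phase, doi. The header line starts
# with "connection-id", not digits, so it never matches.
SA_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d)\s+(\S+)\s*$")

# Constructed capture in the layout of the page's example output.
SAMPLE = """\
 total phase-1 SAs: 2
 connection-id  peer            flag     phase  doi
 ---------------------------------------------------------
 1              202.38.0.2      RD|ST    1      IPSEC
 2              202.38.0.2      RD       2      IPSEC
 3              202.38.0.7      RD|TO    1      IPSEC
 flag meaning
 RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT RK--REKEY
"""


def parse_ike_sa(text):
    """Return one dict per SA row; flags are split on '|' into a list."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue
        conn, peer, flags, phase, doi = m.groups()
        sas.append({
            "connection_id": int(conn),
            "peer": peer,
            "flags": flags.split("|"),
            "phase": int(phase),
            "doi": doi,
        })
    return sas


def describe_flags(flags):
    """Expand two-letter flags using the legend; unknown codes are kept visible."""
    return [FLAG_MEANINGS.get(f, f"UNKNOWN({f})") for f in flags]


def review(text):
    """SAs that are not simply READY: (connection_id, peer, [meanings]) for every
    row carrying RL, FD or TO, the states that precede an SA being torn down."""
    findings = []
    for sa in parse_ike_sa(text):
        attention = [f for f in sa["flags"] if f in ("RL", "FD", "TO")]
        if attention:
            findings.append((sa["connection_id"], sa["peer"], describe_flags(attention)))
    return findings


if __name__ == "__main__":
    for sa in parse_ike_sa(SAMPLE):
        print(sa["connection_id"], sa["peer"], describe_flags(sa["flags"]))
    print("needs attention:", review(SAMPLE))
```

Phase 2 rows share the peer address with their phase 1 SA, so counting rows per peer rather than per connection-id is the quickest way to spot a peer that has a phase 1 SA but no phase 2 SA.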
Syntax
time-out time-out
undo time-out
Views
IKE DPD view
Default command level
2: System level
Parameters
time-out: Specifies the DPD packet retransmission interval in seconds, in the range of 1 to 60.
Usage guidelines
The default DPD packet retransmission interval is 5 seconds.
Examples
# Set the DPD packet retransmission interval to 1 second for dpd2.
SSH configuration commands
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

SSH server configuration commands

display ssh server
Use display ssh server on an SSH server to display the SSH server status or sessions.
Table 53 Command output

Field: Description
SSH Server: Whether the SSH server function is enabled.
SSH version: SSH protocol version. When the SSH server supports SSH1, the protocol version is 1.99. Otherwise, the protocol version is 2.
SSH authentication-timeout: Authentication timeout timer.
SSH server key generating interval: SSH server key pair update interval.
SSH Authentication retries: Maximum number of SSH authentication attempts.
SFTP Server: Whether the Secure FTP (SFTP) server function is enabled.
display ssh user-information
Use display ssh user-information on an SSH server to display information about SSH users.
Syntax
display ssh user-information [ username ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
username: Specifies an SSH username, a string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users.
|: Filters command output by specifying a regular expression.
Field: Description
Service-type: Service type: SFTP, Stelnet, SCP, and all. If all authentication methods are supported, this field displays all.
Related commands
ssh user

sftp server enable
Use sftp server enable to enable the SFTP server function.
Use undo sftp server enable to disable the SFTP server function.
Syntax
sftp server enable
undo sftp server enable
Default
The SFTP server function is disabled.
Default command level
3: Manage level
Parameters
time-out-value: Specifies a timeout timer in minutes, in the range of 1 to 35791.
Usage guidelines
If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection. If many SFTP connections are established, you can set a smaller value so that the connection resources can be promptly released.
Examples
# Set the idle timeout timer for SFTP user connections to 500 minutes.
Examples
# Set the maximum number of SSH connection authentication attempts to 4.
system-view
[Sysname] ssh server authentication-retries 4
Related commands
display ssh server

ssh server authentication-timeout
Use ssh server authentication-timeout to set the SSH user authentication timeout timer on the SSH server.
Use undo ssh server authentication-timeout to restore the default.
Default
The SSH server supports SSH1 clients.
Views
System view
Default command level
3: Manage level
Usage guidelines
The configuration takes effect only for the clients at next login.
Examples
# Enable the SSH server to support SSH1 clients.
system-view
[Sysname] ssh server compatible-ssh1x enable
Related commands
display ssh server

ssh server enable
Use ssh server enable to enable the SSH server function so that the SSH clients use SSH to communicate with the server.
Use undo ssh server rekey-interval to restore the default.
Syntax
ssh server rekey-interval hours
undo ssh server rekey-interval
Default
The update interval of the RSA server key is 0. The system does not update the RSA server key pairs.
Views
System view
Default command level
3: Manage level
Parameters
hours: Specifies an interval for updating the server key pair in hours, in the range of 1 to 24.
Usage guidelines
This command is only available to SSH users that use SSH1 client software.
Parameters
username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters.
service-type: Specifies the service type of an SSH user:
  • all: Specifies Stelnet, SFTP, and SCP.
  • scp: Specifies the service type as SCP.
  • sftp: Specifies the service type as SFTP.
  • stelnet: Specifies the service type as Stelnet.
authentication-type: Specifies the authentication method of an SSH user:
  • password: Specifies password authentication.
You can change parameters for an SSH user that has logged in, but your changes take effect for the user at next login. If an SFTP or SCP user has been assigned a public key or PKI domain, it is necessary to set a working folder for the user. The working folder of an SFTP or SCP user depends on the user authentication method. For a user using only password authentication, the working folder is the AAA authorized one.
Syntax
cd [ remote-path ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-path: Specifies a path on the server. If you do not specify this argument, the command displays the current working path.
Usage guidelines
You can use the cd .. command to return to the upper-level directory. You can use the cd / command to return to the root directory of the system.
Examples
# Change the working path to new1.

Default command level
3: Manage level
Parameters
remote-file&<1-10>: Specifies one or more files to delete on the server. &<1-10> means that you can provide up to 10 filenames, which are separated by spaces.
Usage guidelines
This command functions as the remove command.
Examples
# Delete file temp.c from the server.
sftp-client> delete temp.c
The following files will be deleted:
/temp.c
Are you sure to delete it? [Y/N]:y
This operation might take a long time. Please wait...

-rwxrwxrwx   1 noone    nogroup      225 Aug 24 08:01 pubkey2
-rwxrwxrwx   1 noone    nogroup      283 Aug 24 07:39 pubkey1
-rwxrwxrwx   1 noone    nogroup      225 Sep 28 08:28 pub1
drwxrwxrwx   1 noone    nogroup        0 Sep 28 08:24 new1
drwxrwxrwx   1 noone    nogroup        0 Sep 28 08:18 new2
-rwxrwxrwx   1 noone    nogroup      225 Sep 28 08:30 pub2
display sftp client source
Use display sftp client source to display the source IP address or source interface configured for the SFTP client.

Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
Usage guidelines
This command is also available on an SFTP client.
When an SSH client needs to authenticate the SSH server, it uses the locally saved public key of the server for the authentication. If the authentication fails, you can use this command to examine the public key of the server saved on the client.
Examples
# Display the mappings between SSH servers and their host public keys on the client.

Syntax
get remote-file [ local-file ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-file: Specifies the name of a file on the SFTP server.
local-file: Specifies the name for the local file. If this argument is not specified, the file will be saved locally with the same name as that on the SFTP server.
Examples
# Download file temp1.c and save it as temp.c locally.
sftp-client> get temp1.c temp.c
Remote file:/temp1.c ---> Local file: temp.

Syntax
ls [ -a | -l ] [ remote-path ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
-a: Displays the filenames and the folder names of the specified directory.
-l: Displays in a list form detailed information of the files and folders of the specified directory.
remote-path: Specifies the directory to be queried. If this argument is not specified, the command displays the file and folder information under the current working directory.

sftp-client> mkdir test
New directory created
put
Use put to upload a local file to an SFTP server.
Syntax
put local-file [ remote-file ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
local-file: Specifies the name of a local file.
remote-file: Specifies the name for the file on an SFTP server. If this argument is not specified, the file will be saved remotely with the same name as the local one.
Examples
# Upload local file temp.c to the SFTP server and save it as temp1.c.

Views
SFTP client view
Default command level
3: Manage level
Usage guidelines
This command functions as the bye and exit commands.
Examples
# Terminate the connection with the SFTP server.
sftp-client> quit
Bye
Connection closed.
remove
Use remove to delete files from a remote server.
Syntax
remove remote-file&<1-10>
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-file&<1-10>: Specifies one or more files to delete on an SFTP server.

Syntax
rename oldname newname
Views
SFTP client view
Default command level
3: Manage level
Parameters
oldname: Specifies the name of an existing file or directory.
newname: Specifies a new name for the file or directory.
Examples
# Change the name of a file on the SFTP server from temp1.c to temp2.c.
sftp-client> rename temp1.c temp2.c
File successfully renamed
rmdir
Use rmdir to delete the specified directories from an SFTP server.
| dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
In FIPS mode:
scp [ ipv6 ] server [ port-number ] { get | put } source-file-path [ destination-file-path ] [ identity-key rsa | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] *
Views
User view
Default command level
3

• sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in non-FIPS mode, and is dh-group14 in FIPS mode.
• dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. This keyword is not available in FIPS mode.
• dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not available in FIPS mode.

{ md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
In FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] *
Views
User view
Default command

• dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not available in FIPS mode.
• dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1-96.
undo sftp client ipv6 source
Default
An SFTP client uses the IPv6 address of the interface specified by the route of the device to access the SFTP server.
Views
System view
Default command level
3: Manage level
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number.
ipv6 ipv6-address: Specifies a source IPv6 address.

Usage guidelines
To make sure the SFTP client and the SFTP server can communicate with each other, and to improve the manageability of SFTP clients in the authentication service, HP recommends that you specify a loopback interface as the source interface.
Examples
# Specify the source IP address of the SFTP client as 192.168.0.1.
system-view
[Sysname] sftp client source ip 192.168.0.

• zlib: Specifies the compression algorithm ZLIB.
• zlib-openssh: Specifies the compression algorithm ZLIB@openssh.com.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
• 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode.
• aes128: Specifies the encryption algorithm aes128-cbc.
• aes256: Specifies the encryption algorithm aes256-cbc. This keyword is not available in non-FIPS mode.

• The preferred server-to-client HMAC algorithm is sha1-96.
Examples
# Connect to server 2:5::8:9, using the following connection scheme:
• The preferred key exchange algorithm is dh-group1.
• The preferred server-to-client encryption algorithm is aes128.
• The preferred client-to-server HMAC algorithm is md5.
• The preferred server-to-client HMAC algorithm is sha1-96.

Related commands
ssh client first-time enable
ssh client first-time enable
Use ssh client first-time enable to enable the first-time authentication function.
Use undo ssh client first-time to disable the function.
Syntax
ssh client first-time enable
undo ssh client first-time
Default
The function is enabled.
Views
System view
Default command level
2: System level
Usage guidelines
Without first-time authentication, a client not configured with the server's host public key does not access the server.
Default
An Stelnet client uses the IPv6 address of the interface specified by the route of the device to access the Stelnet server.
Views
System view
Default command level
3: Manage level
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number.
ipv6 ipv6-address: Specifies a source IPv6 address.

Usage guidelines
To make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, HP recommends that you specify a loopback interface as the source interface.
Examples
# Specify the source IPv4 address of the Stelnet client as 192.168.0.1.
system-view
[Sysname] ssh client source ip 192.168.0.

• zlib: Specifies the compression algorithm ZLIB.
• zlib-openssh: Specifies the compression algorithm zlib@openssh.com.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
• 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode.
• aes128: Specifies the encryption algorithm aes128-cbc.
• aes256: Specifies the encryption algorithm aes256-cbc. This keyword is not available in non-FIPS mode.

• The preferred server-to-client HMAC algorithm is sha1-96.
Examples
# Log in to Stelnet server 10.214.50.51, using the following connection scheme:
• The preferred key exchange algorithm is dh-group1.
• The preferred server-to-client encryption algorithm is aes128.
• The preferred client-to-server HMAC algorithm is md5.
• The preferred server-to-client HMAC algorithm is sha1-96.
ssh2 10.214.50.

• zlib-openssh: Specifies the compression algorithm ZLIB@openssh.com.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
• 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode.
• aes128: Specifies the encryption algorithm aes128-cbc.
• aes256: Specifies the encryption algorithm aes256-cbc. This keyword is not available in non-FIPS mode.
• des: Specifies the encryption algorithm des-cbc.

Examples
# Log in to Stelnet server 2000::1, using the following connection scheme:
• The preferred key exchange algorithm is dh-group1.
• The preferred server-to-client encryption algorithm is aes128.
• The preferred client-to-server HMAC algorithm is md5.
• The preferred server-to-client HMAC algorithm is sha1-96.
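The prefer-* keywords of the scp, sftp and ssh2 commands (and the FIPS-mode restrictions the parameter descriptions attach to them) only fix the first entry of the client's algorithm list; what the session actually uses is decided by the standard SSH rule that the first client-listed algorithm the server also supports wins. The following added example models that negotiation for the keyword sets and defaults quoted above. It is not code from the HP reference or the router software: the server's supported lists, the order of the non-preferred algorithms behind the preferred one, and the prefer-ctos-hmac default are this example's assumptions.

```python
"""SSH algorithm negotiation modelled on the prefer-* keywords.

Added example; it is not code from the HP reference or the router software.
Keyword-to-algorithm names and FIPS availability follow the scp/sftp/ssh2
parameter descriptions; the server's supported lists, the ordering of the
non-preferred algorithms and the prefer-ctos-hmac default are assumptions.
"""
from typing import Dict, List, Optional, Tuple

# keyword -> (SSH wire name, available in non-FIPS mode, available in FIPS mode)
AlgTable = Dict[str, Tuple[str, bool, bool]]

KEX: AlgTable = {
    "dh-group-exchange": ("diffie-hellman-group-exchange-sha1", True, False),
    "dh-group1": ("diffie-hellman-group1-sha1", True, False),
    "dh-group14": ("diffie-hellman-group14-sha1", True, True),
}
CIPHER: AlgTable = {
    "aes128": ("aes128-cbc", True, True),
    "aes256": ("aes256-cbc", False, True),
    "3des": ("3des-cbc", True, False),
    "des": ("des-cbc", True, False),
}
HMAC: AlgTable = {
    "sha1": ("hmac-sha1", True, True),
    "sha1-96": ("hmac-sha1-96", True, True),
    "md5": ("hmac-md5", True, False),
    "md5-96": ("hmac-md5-96", True, False),
}
CATEGORY_TABLE = {
    "prefer-kex": KEX,
    "prefer-ctos-cipher": CIPHER,
    "prefer-stoc-cipher": CIPHER,
    "prefer-ctos-hmac": HMAC,
    "prefer-stoc-hmac": HMAC,
}


def defaults(fips: bool) -> Dict[str, str]:
    """Keyword used when a prefer-* option is omitted (as the reference states;
    the prefer-ctos-hmac default is an assumption)."""
    return {
        "prefer-kex": "dh-group14" if fips else "dh-group-exchange",
        "prefer-ctos-cipher": "aes128",
        "prefer-stoc-cipher": "aes128",
        "prefer-ctos-hmac": "sha1-96",  # assumption
        "prefer-stoc-hmac": "sha1-96",
    }


def available(table: AlgTable, fips: bool) -> List[str]:
    """Wire names the mode permits, in table order."""
    return [wire for wire, non_fips, in_fips in table.values()
            if (in_fips if fips else non_fips)]


def client_name_list(table: AlgTable, keyword: str, fips: bool) -> List[str]:
    """The client's name-list: the preferred algorithm first, then the other
    permitted ones.  A keyword the mode does not offer is rejected, mirroring
    the CLI, which does not accept that keyword in that mode."""
    if keyword not in table:
        raise ValueError(f"unknown keyword {keyword}")
    wire, non_fips, in_fips = table[keyword]
    if not (in_fips if fips else non_fips):
        raise ValueError(f"{keyword} is not available in "
                         f"{'FIPS' if fips else 'non-FIPS'} mode")
    return [wire] + [a for a in available(table, fips) if a != wire]


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: the first client algorithm the server also lists."""
    for alg in client:
        if alg in server:
            return alg
    return None


def connection_scheme(fips: bool, server: Dict[str, List[str]],
                      **prefs: str) -> Dict[str, str]:
    """Resolve each category to the algorithm that would be negotiated.
    prefs use underscores, e.g. prefer_kex="dh-group1"."""
    chosen = defaults(fips)
    chosen.update({k.replace("_", "-"): v for k, v in prefs.items()})
    result: Dict[str, str] = {}
    for category, table in CATEGORY_TABLE.items():
        alg = negotiate(client_name_list(table, chosen[category], fips),
                        server.get(category, []))
        if alg is None:
            raise RuntimeError(f"no common algorithm for {category}")
        result[category] = alg
    return result


def server_supporting_all(fips: bool) -> Dict[str, List[str]]:
    """Constructed server that offers everything its mode permits."""
    return {cat: available(tbl, fips) for cat, tbl in CATEGORY_TABLE.items()}


if __name__ == "__main__":
    # The scheme from the reference's ssh2 examples, against a permissive server.
    print(connection_scheme(False, server_supporting_all(False),
                            prefer_kex="dh-group1", prefer_stoc_cipher="aes128",
                            prefer_ctos_hmac="md5", prefer_stoc_hmac="sha1-96"))
```

Two things the model makes visible: a prefer-* keyword is a preference, not a requirement, so a server that lacks the preferred cipher silently drops the client to the next entry of its list (here 3des-cbc); and the FIPS-mode syntax removes the md5, des, 3des and dh-group1/dh-group-exchange keywords outright, so the same configuration line that is accepted in non-FIPS mode is rejected rather than weakened in FIPS mode.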
SSL configuration commands
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
SSL commands are supported only on the 6602 router.
ciphersuite
Use ciphersuite to specify the cipher suites for an SSL server policy to support.

rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of SHA.
Usage guidelines
With no keyword specified, the command configures an SSL server policy to support all cipher suites.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure SSL server policy policy1 to support cipher suites rsa_rc4_128_md5 and rsa_rc4_128_sha.

Related commands
• client-verify weaken
• display ssl server-policy
client-verify weaken
Use client-verify weaken to enable SSL client weak authentication.
Use undo client-verify weaken to restore the default.
Syntax
client-verify weaken
undo client-verify weaken
Default
SSL client weak authentication is disabled.

Use undo close-mode wait to restore the default.
Syntax
close-mode wait
undo close-mode wait
Default
An SSL server sends a close-notify alert message to the client and closes the connection without waiting for the close-notify alert message from the client.
Views
SSL server policy view
Default command level
2: System level
Examples
# Set the SSL connection close mode to wait.
Examples
# Display information about SSL client policy policy1.
display ssl client-policy policy1
 SSL Client Policy: policy1
 SSL Version: SSL 3.0
 PKI Domain: 1
 Prefer Ciphersuite: RSA_RC4_128_SHA
 Server-verify: enabled
Table 57 Command output
Field                 Description
SSL Client Policy     SSL client policy name.
SSL Version           Version of the protocol used by the SSL client policy, SSL 3.0 or TLS 1.0.
PKI Domain            PKI domain of the SSL client policy.

 PKI Domain: domain1
 Ciphersuite:
   RSA_RC4_128_MD5
   RSA_RC4_128_SHA
   RSA_DES_CBC_SHA
   RSA_3DES_EDE_CBC_SHA
   RSA_AES_128_CBC_SHA
   RSA_AES_256_CBC_SHA
 Handshake Timeout: 3600
 Close-mode: wait disabled
 Session Timeout: 3600
 Session Cachesize: 500
 Client-verify: disabled
 Client-verify weaken: disabled
Table 58 Command output
Field                 Description
SSL Server Policy     SSL server policy name.
PKI Domain            PKI domain used by the SSL server policy.
Views
SSL server policy view
Default command level
2: System level
Parameters
time: Specifies the handshake timeout time in seconds. The value range is 180 to 7200.
Usage guidelines
If the SSL server receives no packet from the SSL client before the handshake timeout time expires, the SSL server terminates the handshake process.
Examples
# Set the handshake timeout time of SSL server policy policy1 to 3000 seconds.

[Sysname-ssl-server-policy-policy1] pki-domain server-domain
# Configure SSL client policy policy1 to use PKI domain client-domain.
system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] pki-domain client-domain
Related commands
• display ssl server-policy
• display ssl client-policy
prefer-cipher
Use prefer-cipher to specify the preferred cipher suite for an SSL client policy.
Use undo prefer-cipher to restore the default.

rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of DES_CBC, and the MAC algorithm of SHA.
rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of MD5.
rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of SHA.
Examples
# Set the preferred cipher suite for SSL client policy policy1 to rsa_aes_128_cbc_sha.

Syntax
session { cachesize size | timeout time } *
undo session { cachesize | timeout } *
Default
The maximum number of cached sessions is 500 and the caching timeout time is 3600 seconds.
Views
SSL server policy view
Default command level
2: System level
Parameters
cachesize size: Specifies the maximum number of cached sessions. The value range is 100 to 1000.
timeout time: Specifies the caching timeout time in seconds. The value range is 1800 to 72000.

Parameters
policy-name: Specifies an SSL client policy name, a case-insensitive string of 1 to 16 characters. The string cannot be a, al, or all.
all: Specifies all SSL client policies.
Examples
# Create SSL client policy policy1 and enter its view.
system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1]
Related commands
display ssl client-policy
ssl server-policy
Use ssl server-policy to create an SSL server policy and enter its view.

version
Use version to specify the SSL protocol version for an SSL client policy.
Use undo version to restore the default.
Syntax
In non-FIPS mode:
version { ssl3.0 | tls1.0 }
undo version
In FIPS mode:
version tls1.0
undo version
Default
The SSL protocol version for an SSL client policy is TLS 1.0.
Views
SSL client policy view
Default command level
2: System level
Parameters
ssl3.0: Specifies SSL 3.0.
tls1.0: Specifies TLS 1.0.

SSL VPN configuration commands
The SSL VPN commands are available on the 6602 router.
ssl-vpn enable
Use ssl-vpn enable to enable the SSL VPN service.
Use undo ssl-vpn enable to disable the SSL VPN service.
Syntax
ssl-vpn enable
undo ssl-vpn enable
Default
The SSL VPN service is disabled.

undo ssl-vpn server-policy
Default
No SSL server policy is specified for the SSL VPN service.
Views
System view
Default command level
2: System level
Parameters
server-policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 16 characters.
port port-number: Specifies the port number to be used by the SSL VPN service. The port-number argument is in the range of 1 to 65535 and defaults to 443.
Usage guidelines
The specified SSL server policy must have been created.
Firewall configuration commands
Packet-filter firewall configuration commands
display firewall ipv6 statistics
Use display firewall ipv6 statistics to view the packet filtering statistics of the IPv6 firewall.
Syntax
display firewall ipv6 statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
all: Displays the packet filtering statistics of all interfaces of the IPv6 firewall.

Table 59 Command output
Field               Description
Interface           Interface configured with the IPv6 packet filtering function.
In-bound Policy     Indicates that an IPv6 ACL is configured in the inbound direction of the interface.
Out-bound Policy    Indicates that an IPv6 ACL is configured in the outbound direction of the interface.
acl6                IPv6 ACL number.

exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display packet filtering statistics on all interfaces.
display firewall-statistics all
firewall default
Use firewall default to specify the default firewall filtering action of the IPv4 firewall.

undo firewall enable
Default
The IPv4 firewall function is disabled.
Views
System view
Default command level
2: System level
Parameters
all: Specifies all interface cards.
slot slot-number: Specifies the interface card in the specified slot.
The following matrix shows the all keyword, the slot slot-number option, and hardware compatibility:
Hardware          Compatibility
6602              No
HSR6602           Yes
6604/6608/6616    Yes
Examples
# Enable the IPv4 firewall function.

[Sysname] firewall ipv6 default deny
firewall ipv6 enable
Use firewall ipv6 enable to enable the IPv6 firewall function.
Use undo firewall ipv6 enable to disable the IPv6 firewall function.
Syntax
firewall ipv6 enable
undo firewall ipv6 enable
Default
The IPv6 firewall function is disabled.
Views
System view
Default command level
2: System level
Examples
# Enable the IPv6 firewall function.

inbound: Filters packets received by the interface.
outbound: Filters packets forwarded from the interface.
Usage guidelines
You can apply only one IPv4 ACL in one direction of an interface to filter packets.
Examples
# Apply ACL 2001 to interface GigabitEthernet 3/0/1 to filter outbound packets.

reset firewall ipv6 statistics
Use reset firewall ipv6 statistics to clear the packet filtering statistics of the IPv6 firewall.
Syntax
reset firewall ipv6 statistics { all | interface interface-type interface-number }
Views
User view
Default command level
1: Monitor level
Parameters
all: Clears the packet filtering statistics on all interfaces of the IPv6 firewall.
interface interface-type interface-number: Clears the packet filtering statistics on the specified interface of the IPv6 firewall.
ASPF configuration commands
aspf-policy
Use aspf-policy to create an ASPF policy and enter its view.
Use undo aspf-policy to remove an ASPF policy.
Syntax
aspf-policy aspf-policy-number
undo aspf-policy aspf-policy-number
Views
System view
Default command level
2: System level
Parameters
aspf-policy-number: Specifies an ASPF policy number in the range of 1 to 99.
Usage guidelines
A defined ASPF policy can be applied through its policy number.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about all ASPF policies.

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.

display aspf policy 1
 [ASPF Policy Configuration]
 Policy Number 1:
   icmp-error drop
   tcp syn-check
Table 62 Command output
Field                         Description
[ASPF Policy Configuration]   ASPF policy configuration information.
Policy Number                 ASPF policy number.
icmp-error drop               Drop ICMP error messages.
tcp syn-check                 Drop non-SYN packet that is the first packet over a TCP connection.
display port-mapping
Use display port-mapping to view port mapping information.

 h323      1720      system defined
 http      80        system defined
 rtsp      554       system defined
 smtp      25        system defined
 ike       500       system defined
 https     443       system defined
 vam       18000     system defined
 ssh       22        system defined
Table 63 Command output
Field      Description
SERVICE    Application layer protocol that is mapped to a port.
PORT       Number of the port for the application layer protocol.
ACL        Number of the ACL specifying the host range.
TYPE       Port mapping type, system predefined or user customized.

icmp-error drop
Use icmp-error drop to specify to drop ICMP error messages.
Use undo icmp-error drop to restore the default.
Syntax
icmp-error drop
undo icmp-error drop
Default
ICMP error messages are not dropped.
Views
ASPF policy view
Default command level
2: System level
Examples
# Configure ASPF policy 1 to drop ICMP error messages.

acl acl-number: Specifies the IPv4 ACL for indicating the host range. The ACL number is in the range of 2000 to 2999.
Examples
# Map port 3456 to the FTP protocol.
system-view
[Sysname] port-mapping ftp port 3456
Related commands
display port-mapping
tcp syn-check
Use tcp syn-check to specify to drop any non-SYN packet that is the first packet over a TCP connection.
Use undo tcp syn-check to restore the default.
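The two ASPF policy options shown in the display aspf policy output and defined by icmp-error drop and tcp syn-check are both decisions a stateful inspector makes per packet against its session table. The added example below implements that logic over a constructed packet sequence so the effect of each option, and of its default (off), can be seen side by side. It is not code from the HP reference or the router; the packet representation, the session table and the set of ICMP types treated as error messages (the RFC 792 error types 3, 4, 5, 11 and 12) are this example's assumptions.

```python
"""Stateful checks that the ASPF policy options describe: icmp-error drop and
tcp syn-check.  Added example, not code from the HP reference or the router;
the packet representation, the session table and the ICMP error-type set
(RFC 792 error messages) are this example's assumptions.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# ICMP message types that carry error reports rather than queries (RFC 792).
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

Key = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""     # TCP flags as letters: S, A, F, R
    icmp_type: int = 0


class AspfPolicy:
    """Inspects packets in arrival order and keeps a table of TCP sessions."""

    def __init__(self, icmp_error_drop: bool = False,
                 tcp_syn_check: bool = False) -> None:
        self.icmp_error_drop = icmp_error_drop
        self.tcp_syn_check = tcp_syn_check
        self.sessions: Set[Key] = set()

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> Key:
        return (p.dst, p.dport, p.src, p.sport)

    def inspect(self, p: Packet) -> str:
        """Return "pass" or "drop" for one packet."""
        if p.proto == "icmp":
            if self.icmp_error_drop and p.icmp_type in ICMP_ERROR_TYPES:
                return "drop"
            return "pass"
        if p.proto == "tcp":
            if self._key(p) in self.sessions or self._reverse(p) in self.sessions:
                return "pass"            # belongs to a known session
            # First packet of a connection: with syn-check only a pure SYN may
            # open a session; without it any packet opens one (mid-stream pickup).
            pure_syn = "S" in p.flags and "A" not in p.flags
            if self.tcp_syn_check and not pure_syn:
                return "drop"
            self.sessions.add(self._key(p))
            return "pass"
        return "pass"

    def run(self, packets: List[Packet]) -> List[str]:
        return [self.inspect(p) for p in packets]


# Constructed traffic: a normal handshake, a stray ACK from a host with no
# session, an echo request, and a destination-unreachable error.
SAMPLE = [
    Packet("tcp", "10.0.0.1", "10.0.0.2", 40000, 80, "S"),
    Packet("tcp", "10.0.0.2", "10.0.0.1", 80, 40000, "SA"),
    Packet("tcp", "10.0.0.1", "10.0.0.2", 40000, 80, "A"),
    Packet("tcp", "10.0.0.9", "10.0.0.2", 40001, 80, "A"),
    Packet("icmp", "10.0.0.1", "10.0.0.2", icmp_type=8),
    Packet("icmp", "10.0.0.3", "10.0.0.1", icmp_type=3),
]

if __name__ == "__main__":
    print(AspfPolicy(icmp_error_drop=True, tcp_syn_check=True).run(SAMPLE))
    print(AspfPolicy().run(SAMPLE))  # both options at their default (off)
```

With both options off the stray ACK is not only passed but creates a session entry, which is the behaviour tcp syn-check exists to prevent; the ICMP echo request passes under either setting because it is a query, not an error message.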
ALG configuration commands
alg
Use alg to enable ALG for a protocol.
Use undo alg to disable ALG for a protocol.
Syntax
alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }
undo alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }
Default
The ALG feature is enabled for all protocols.
Views
System view
Default command level
2: System level
Parameters
all: Enables ALG for all protocols.
# Disable ALG for DNS.
Session management commands
application aging-time
Use application aging-time to set the aging timer for the sessions of an application layer protocol.
Use undo application aging-time to restore the default.
Syntax
application aging-time { dns | ftp | msn | qq | sip } time-value
undo application aging-time [ dns | ftp | msn | qq | sip ]
Default
The default session aging times for the application layer protocols vary with device models.

display application aging-time
Use display application aging-time to display the session aging timers for the application layer protocols.
Syntax
display application aging-time [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

Syntax
display session aging-time [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.

Syntax
display session hardware slot slot-number [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
slot slot-number: Specifies a card by its slot number. The slot-number argument represents the number of the slot where the card resides.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

Parameters
slot slot-number: Specifies a card by its slot number. The slot-number argument represents the number of the slot where the card resides.
The following matrix shows the slot slot-number option and hardware compatibility:
Hardware          Compatibility
6602              No
HSR6602           Yes
6604/6608/6616    Yes
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

Field         Description
TTL           Remaining lifetime of the relationship table entry, in seconds.
AllowConn     Number of sessions allowed by the relationship table entry.
Total find    Total number of found relationship table entries.
display session statistics
Use display session statistics to display statistics for the sessions.
 Current TCP session(s): 0
   Half-Open: 0
   Half-Close: 0
 Current UDP session(s): 593951
 Current ICMP session(s): 0
 Current RAWIP session(s): 0
 Current relation table(s): 50000
 Session establishment rate: 184503/s
   TCP Session establishment rate: 0/s
   UDP Session establishment rate: 184503/s
   ICMP Session establishment rate: 0/s
   RAWIP Session establishment rate: 0/s
 Received TCP:           1538 packet(s)           337567 byte(s)
 Received UDP:    86810494849 packet(s)    4340524910260 byte(s)
 Received ICMP: Rec

Field           Description
Dropped TCP     Counts of dropped TCP packets and bytes.
Dropped UDP     Counts of dropped UDP packets and bytes.
Dropped ICMP    Counts of dropped ICMP packets and bytes.
Dropped RAWIP   Counts of dropped Raw IP packets and bytes.
display session table
Use display session table to display information about sessions.

If no slot number is specified, the command displays the sessions on all cards.
If multiple keywords are specified, the command displays the sessions that match all these criteria.
This command is not supported by the FIP600 card.
Examples
# Display brief information about all sessions.
display session table
 Initiator:
   Source      IP/Port    : 192.168.1.18/2048
   Dest        IP/Port    : 192.168.1.55/768
   Pro                    : ICMP(ICMP(1))
   VPN-Instance/VLAN ID/VLL ID:
 Initiator:
   Source      IP/Port    : 192.168.1.

 Total find: 2
Table 68 Command output
Field                         Description
Initiator:                    Session information of the initiator.
Responder:                    Session information of the responder.
Pro                           Transport layer protocol, TCP, UDP, ICMP, or Raw IP.
VPN-Instance/VLAN ID/VLL ID   MPLS L3VPN that the session belongs to and the VLAN and INLINE that the session belongs to during Layer 2 forwarding.
App                           Application layer protocol, FTP, DNS, MSN or QQ. Unknown indicates the protocol type of a non-well-known port.
Session status.
Views
User view
Default command level
2: System level
Parameters
slot slot-number: Specifies a card by its slot number. The slot-number argument represents the number of the slot where the card resides.
The following matrix shows the slot slot-number option and hardware compatibility:
Hardware          Compatibility
6602              No
HSR6602           Yes
6604/6608/6616    Yes
source-ip source-ip: Clears the sessions with the specified source IP address of the initiator.

Default command level
2: System level
Parameters
slot slot-number: Specifies a card by its slot number. The slot-number argument specifies the slot where the card resides.
The following matrix shows the slot slot-number option and hardware compatibility:
Hardware          Compatibility
6602              No
HSR6602           Yes
6604/6608/6616    Yes
Usage guidelines
If no slot number is specified, the command clears the session statistics on all cards.
Examples
# Clear all session statistics.

rawip-open: Specifies the aging timer for the sessions in the RAWIP_OPEN state.
rawip-ready: Specifies the aging timer for the sessions in the RAWIP_READY state.
syn: Specifies the aging timer for the TCP sessions in the SYN_SENT or SYN_RCV state.
tcp-est: Specifies the aging timer for the TCP sessions in the ESTABLISHED state.
udp-open: Specifies the aging timer for the UDP sessions in the OPEN state.
udp-ready: Specifies the aging timer for the UDP sessions in the READY state.

Default command level
2: System level
Parameters
all: Enables checksum verification for TCP, UDP, and ICMP packets.
icmp: Enables checksum verification for ICMP packets.
tcp: Enables checksum verification for TCP packets.
udp: Enables checksum verification for UDP packets.
Examples
# Enable checksum verification for UDP packets.
system-view
[Sysname] session checksum udp
session early-ageout
Use session early-ageout to set the time value to shorten the session aging time.

If the difference between the session aging time and the value specified by the shorten-time argument is less than 5 seconds, the session aging time becomes 5 seconds.
Examples
# Configure the session aging time to shorten by 100 seconds when the session ratio exceeds 80 percent, and to restore the normal values when the session ratio equals or drops below 20 percent.
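The early-ageout behaviour described above has two parts worth seeing in code: the hysteresis between the two ratio thresholds (shortening starts above the high threshold and stops only at or below the low one, so a ratio between the two keeps the previous state), and the 5-second floor applied when a state's normal aging time minus shorten-time would fall below it. The following added example models both. It is not code from the HP reference or the router; the per-state normal aging times it is fed are constructed inputs, not device defaults.

```python
"""Early ageout as the session early-ageout command describes it.  Added
example, not code from the HP reference or the router; the normal aging
times used as input are constructed values, not device defaults.
"""
from typing import Dict

MIN_AGING_TIME = 5  # seconds; the floor the reference states


class EarlyAgeout:
    """Tracks whether shortened aging is in force, with hysteresis between
    the high and low session-ratio thresholds (percent of max sessions)."""

    def __init__(self, high_pct: int, low_pct: int, shorten_time: int) -> None:
        if not 0 <= low_pct < high_pct <= 100:
            raise ValueError("need 0 <= low_pct < high_pct <= 100")
        if shorten_time <= 0:
            raise ValueError("shorten_time must be positive")
        self.high_pct = high_pct
        self.low_pct = low_pct
        self.shorten_time = shorten_time
        self.active = False

    def update(self, current_sessions: int, max_sessions: int) -> bool:
        """Feed the current session count; returns whether shortening is active.
        Starts when the ratio exceeds high_pct, stops when it is at or below
        low_pct, and otherwise keeps the previous state."""
        ratio = 100.0 * current_sessions / max_sessions
        if ratio > self.high_pct:
            self.active = True
        elif ratio <= self.low_pct:
            self.active = False
        return self.active

    def effective(self, normal_aging_time: int) -> int:
        """Aging time to apply now: the normal value, or the shortened value
        floored at MIN_AGING_TIME when the difference would drop below it."""
        if not self.active:
            return normal_aging_time
        return max(normal_aging_time - self.shorten_time, MIN_AGING_TIME)

    def effective_table(self, normal: Dict[str, int]) -> Dict[str, int]:
        """Apply effective() to a table of per-state aging times."""
        return {state: self.effective(t) for state, t in normal.items()}


# Constructed normal aging times for some of the session states the
# session aging-time command names (not the device defaults).
NORMAL = {"tcp-est": 3600, "udp-open": 60, "syn": 30}

if __name__ == "__main__":
    ea = EarlyAgeout(high_pct=80, low_pct=20, shorten_time=100)
    ea.update(8500, 10000)          # 85 % of the session table in use
    print(ea.effective_table(NORMAL))
```

Note how a large shorten-time interacts with short timers: with the example's 100-second shortening, tcp-est drops from 3600 to 3500 seconds while the short udp-open and syn timers both collapse to the 5-second floor, so the setting should be chosen with the shortest timers in mind rather than the longest.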
Default command level
2: System level
Parameters
acl acl-number: Specifies the ACL to be used to match sessions for logging. The value range for the acl-number argument is 2000 to 3999.
inbound: Specifies session logs in the inbound direction.
outbound: Specifies session logs in the outbound direction.
Usage guidelines
If you do not specify the acl acl-number option, the command enables session logging for all sessions on the interface.

Examples
# Set the packet count threshold for session logging to 10 mega-packets.
system-view
[Sysname] session log packets-active 10
session log time-active
Use session log time-active to set the holdtime threshold for session logging.
Use undo session log time-active to remove the setting.
Syntax
session log time-active time-value
undo session log time-active
Default
The system does not output session logs based on the holdtime threshold.

Parameters
max-entries: Specifies the maximum number of sessions. The value range is 1 to 10000000.
slot slot-number: Specifies a card by its slot number. The slot-number argument represents the number of the slot where the card resides.
The following matrix shows the slot slot-number option and hardware compatibility:
Hardware          Compatibility
6602              No
HSR6602           Yes
6604/6608/6616    Yes
Usage guidelines
For distributed devices, you can set the maximum number of sessions based on slots.

Usage guidelines
Persistent sessions are not removed merely because no packets match them within the aging time. You can manually remove such sessions when necessary.
A persistent session rule can reference only one ACL.
Examples
# Configure all sessions matching ACL 2000 as persistent sessions, setting the aging time of the sessions to 72 hours.
Connection limit configuration commands connection-limit apply policy Use connection-limit apply policy to apply a connection limit policy to the NAT module. Use undo connection-limit apply policy to remove the application. Syntax connection-limit apply policy policy-number undo connection-limit apply policy policy-number Views System view Default command level 2: System level Parameters policy-number: Specifies the number of an existing connection limit policy. The value is 0.
Default command level
2: System level

Parameters
policy-number: Specifies the number of a connection limit policy. The value is 0.

Usage guidelines
A connection limit policy contains a set of rules for limiting the number of connections of a specific user. A policy number uniquely identifies a connection limit policy. After applying a connection limit policy in system view, you cannot modify, add, or remove connection limit rules in the policy.
limit 0 source ip 3.3.3.0 24 source-vpn vpn1 destination ip any protocol tcp max-connections 200 per-source

Table 69 Command output
Field                    Description
Connection-limit policy  Number of the connection limit policy.
refcount 0, 1 limits     Number of times that the policy is applied and number of rules in the policy.
limit xxx                Rule in the policy. For more information, see the limit command.

Related commands
limit

limit
Use limit to configure an IP address-based connection limit policy rule.
• dns: Specifies the DNS protocol.
• http: Specifies the HTTP protocol.
• ip: Specifies the IP protocol.
• tcp: Specifies the TCP protocol.
• udp: Specifies the UDP protocol.
max-connections max-num: Specifies the maximum number of connections.
per-destination: Limits connections by destination IP address.
per-source: Limits connections by source IP address.
per-source-destination: Limits connections by source-destination IP address pair.
Web filtering configuration commands

display firewall http activex-blocking
Use display firewall http activex-blocking to display information about ActiveX blocking.

Syntax
display firewall http activex-blocking [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
all: Specifies all ActiveX blocking suffix keywords.
item keywords: Specifies a blocking suffix keyword.
---------------------------------------------
1    5            .OCX
2    0            .vbs

Table 70 Command output
Field         Description
SN            Serial number.
Match-Times   Number of times that a suffix keyword is matched.
Keywords      ActiveX blocking suffix keyword.

# Display detailed ActiveX blocking information.
display firewall http activex-blocking verbose
ActiveX blocking is enabled.
No ACL group has been configured.
There are 5 packet(s) being filtered.
There are 0 packet(s) being passed.
Examples
# Display brief information about Java blocking.
display firewall http java-blocking
Java blocking is enabled.
# Display Java blocking information for a specific suffix keyword.
display firewall http java-blocking item .class
The HTTP request packet including ".class" had been matched for 10 times.
# Display Java blocking information for all suffix keywords.
item keywords: Specifies a filtering keyword. The keywords argument is a case-insensitive string of 1 to 80 characters. Valid characters include 0 to 9, a to z, A to Z, dot (.), hyphen (-), underscore (_), and the wildcards caret (^), dollar sign ($), ampersand (&), and asterisk (*). For the meanings and usage guidelines of the wildcards, see the description of the firewall http url-filter host url-address command.
verbose: Specifies detailed information.
Table 73 Command output
Field                       Description
Default method              Default URL address filtering action, permit or deny.
The support for IP address  Support for website IP addresses, permit or deny.

display firewall http url-filter parameter
Use display firewall http url-filter parameter to display information about URL parameter filtering.
# Display URL parameter filtering information for all keywords.
display firewall http url-filter parameter all
SN   Match-Times   Keywords
---------------------------------------------
1    0             ^select$
2    0             ^insert$
3    0             ^update$
4    0             ^delete$
5    0             ^drop$
6    0             --
7    0             '
8    0             ^exec$
9    10            %27
10   0             qqqqq

Table 74 Command output
Field         Description
SN            Serial number.
Match-Times   Number of times that the keyword has been matched.
Keywords      URL parameter filtering keyword.
Usage guidelines
After the command takes effect, all web requests containing any suffix keywords in the ActiveX blocking suffix list will be processed according to the ACL. You can specify multiple ACLs for ActiveX blocking, but only the last one takes effect. You can specify a non-existing ACL, but ActiveX blocking based on the ACL takes effect only after you create and configure the ACL correctly.

Examples
# Specify the ACL for ActiveX blocking as ACL 2003.
Syntax
firewall http activex-blocking suffix keywords
undo firewall http activex-blocking suffix keywords

Views
System view

Default command level
2: System level

Parameters
keywords: Blocking suffix keyword, a case-insensitive string of 1 to 9 characters. Its starting character must be a dot (.) and the subsequent characters must be digits or English letters.

Usage guidelines
You can add a maximum of 5 ActiveX blocking suffix keywords. You cannot add or remove the default suffix keyword ".
You can specify multiple ACLs for Java blocking, but only the last one takes effect. You can specify a non-existing ACL, but Java blocking based on the ACL takes effect only after you create and configure the ACL correctly.

Examples
# Specify the ACL for Java blocking as ACL 2002.
Views
System view

Default command level
2: System level

Parameters
keywords: Blocking suffix keyword, a case-insensitive string of 1 to 9 characters. Its starting character must be a dot (.) and the subsequent characters must be digits or English letters.

Usage guidelines
You can add a maximum of five Java blocking suffix keywords. You cannot remove the default block suffix keywords .class and .jar.

Examples
# Add .js to the Java blocking suffix list.
Examples
# Specify URL address filtering to permit web requests with website IP addresses permitted by ACL 2000.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 permit source 3.3.3.3 0.0.0.
Default
The URL address filtering function is disabled.

Views
System view

Default command level
2: System level

Examples
# Enable the URL address filtering function.
firewall http url-filter host url-address
Use firewall http url-filter host url-address to add a URL address filtering entry and set the filtering action.
Use undo firewall http url-filter host url-address to remove one or all URL address filtering entries.

Syntax
firewall http url-filter host url-address { deny | permit } url-address
undo firewall http url-filter host url-address [ url-address ]

Views
System view

Default command level
2: System level

Parameters
deny: Denies matched URL addresses.
• If asterisk (*) is present at the beginning of a filtering entry, it must be present in the format like *.xxx, where xxx represents a keyword, for example, *.com or *.webfilter.com.
• A filtering entry with only numerals is invalid. To filter a website address like www.123.com, you can define a filtering entry like ^123$, www.123.com, or 123.com, instead of 123. HP recommends that you use exact match to filter numeral website addresses.
Wildcard   Meaning                                      Usage guidelines
$          Matches parameters ending with the keyword   It can be present once at the end of a filtering entry.
&          Stands for one valid character               It can be present multiple times at any position of a filtering entry, consecutively or inconsecutively, and cannot be used next to an asterisk (*). If it is present at the beginning or end of a filtering entry, it must be next to a caret (^) or a dollar sign ($).
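The filtering-entry rules above (the valid character set, the anchors, the one-character ampersand, the leading-asterisk form and the numerals-only restriction) are easy to get wrong when an entry is typed in by hand. The following is an added example, not code from the HP manual or the device, that models those rules as a validator plus a translation of an entry into a regular expression. Everything quoted from the text is applied as written; two points are this example's own assumptions: an asterisk stands for any run of valid characters, and an entry without anchors may match anywhere in the host name.

```python
"""Model of the URL address filtering entry syntax described above.

Added example, not code from the HP manual.  Rules taken from the text:
valid characters, '^' once at the beginning, '$' once at the end, '&' for
exactly one valid character, no '&' next to '*', a leading '*' only as *.xxx,
and no numerals-only entries.  Assumptions of this example: '*' matches any run
of valid characters, and an unanchored entry may match anywhere in the value.
"""
import re

# Valid keyword characters listed in the text: digits, letters, dot, hyphen, underscore.
VALID_CHAR = r"[0-9A-Za-z.\-_]"


class InvalidFilterEntry(ValueError):
    """Raised when an entry breaks one of the rules quoted from the text."""


def validate_entry(entry: str) -> None:
    if not 1 <= len(entry) <= 80:
        raise InvalidFilterEntry("entry must be 1 to 80 characters")
    if not re.fullmatch(r"[0-9A-Za-z.\-_^$&*]+", entry):
        raise InvalidFilterEntry("entry contains a character outside the allowed set")
    if entry.isdigit():
        raise InvalidFilterEntry("an entry with only numerals is invalid (use ^123$ or 123.com)")
    if "^" in entry and (entry.count("^") > 1 or not entry.startswith("^")):
        raise InvalidFilterEntry("'^' may appear once, only at the beginning")
    if "$" in entry and (entry.count("$") > 1 or not entry.endswith("$")):
        raise InvalidFilterEntry("'$' may appear once, only at the end")
    if "&*" in entry or "*&" in entry:
        raise InvalidFilterEntry("'&' cannot be used next to '*'")
    if entry.startswith("*") and not re.match(r"\*\.[0-9A-Za-z]", entry):
        raise InvalidFilterEntry("a leading '*' must be written as *.xxx")
    if entry.startswith("&") or entry.endswith("&"):
        raise InvalidFilterEntry("'&' at the beginning or end must be next to '^' or '$'")


def is_valid_entry(entry: str) -> bool:
    try:
        validate_entry(entry)
        return True
    except InvalidFilterEntry:
        return False


def entry_to_regex(entry: str):
    """Translate a validated filtering entry into a case-insensitive regex."""
    validate_entry(entry)
    anchored_start, anchored_end = entry.startswith("^"), entry.endswith("$")
    start = 1 if anchored_start else 0
    end = len(entry) - 1 if anchored_end else len(entry)
    parts = []
    for ch in entry[start:end]:
        if ch == "&":
            parts.append(VALID_CHAR)           # exactly one valid character
        elif ch == "*":
            parts.append(VALID_CHAR + "*")     # assumption: any run of valid characters
        else:
            parts.append(re.escape(ch))
    pattern = ("^" if anchored_start else "") + "".join(parts) + ("$" if anchored_end else "")
    return re.compile(pattern, re.IGNORECASE)


def matches(entry: str, value: str) -> bool:
    """True if the host name `value` hits the filtering entry (case-insensitive)."""
    return entry_to_regex(entry).search(value) is not None
```

Note that `^123$` passes the validator while `123` does not, exactly as the text recommends for numeral-only site names, and that `123.com` also hits `www.123.com` because the entry is unanchored.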
Views
System view

Default command level
2: System level

Examples
# Enable the URL parameter filtering function.
system-view
[Sysname] firewall http url-filter parameter enable

Related commands
display firewall http url-filter parameter

reset firewall http
Use reset firewall http to clear web filtering statistics.
Attack detection and protection configuration commands

attack-defense apply policy
Use attack-defense apply policy to apply an attack protection policy to an interface.
Use undo attack-defense apply policy to restore the default.

Syntax
attack-defense apply policy policy-number
undo attack-defense apply policy

Default
No attack protection policy is applied to an interface.
Syntax
attack-defense logging enable
undo attack-defense logging enable

Default
Attack protection logging is disabled.

Views
System view

Default command level
2: System level

Examples
# Enable attack protection logging.
system-view
[Sysname] attack-defense logging enable

attack-defense policy
Use attack-defense policy to create an attack protection policy and enter attack protection policy view.
Use undo attack-defense policy to remove an attack protection policy.
Related commands
display attack-defense policy

blacklist enable
Use blacklist enable to enable the blacklist function.
Use undo blacklist enable to restore the default.

Syntax
blacklist enable
undo blacklist enable

Default
The blacklist function is disabled.

Views
System view

Default command level
2: System level

Usage guidelines
After the blacklist function is enabled, you can add blacklist entries manually or configure the device to add blacklist entries automatically.
Default command level
2: System level

Parameters
source-ip-address: IP address to be added to the blacklist, used to match the source IP address of packets.
all: Specifies all blacklist entries.
timeout minutes: Specifies an aging time for the blacklist entry. minutes indicates the aging time, and the value range is 1 to 1000, in minutes. If you do not specify the aging time, the blacklist entry never gets aged and always exists unless you delete it manually.
Related commands
• defense icmp-flood enable
• defense icmp-flood ip
• defense icmp-flood rate-threshold
• display attack-defense policy

defense icmp-flood enable
Use defense icmp-flood enable to enable ICMP flood attack protection.
Use undo defense icmp-flood enable to restore the default.

Syntax
defense icmp-flood enable
undo defense icmp-flood enable

Default
ICMP flood attack protection is disabled.
Default
No ICMP flood attack protection thresholds are configured for an IP address.

Views
Attack protection policy view

Default command level
2: System level

Parameters
ip-address: IP address to be protected. This IP address cannot be a broadcast address, 127.0.0.0/8, a class D address, or a class E address.
high rate-number: Sets the action threshold for ICMP flood attack protection of the specified IP address.
Syntax
defense icmp-flood rate-threshold high rate-number [ low rate-number ]
undo defense icmp-flood rate-threshold

Default
The global action threshold is 1000 packets per second and the global silence threshold is 750 packets per second.

Views
Attack protection policy view

Default command level
2: System level

Parameters
high rate-number: Sets the global action threshold for ICMP flood attack protection.
Syntax
defense scan add-to-blacklist
undo defense scan add-to-blacklist

Default
The blacklist function for scanning attack protection is not enabled.

Views
Attack protection policy view

Default command level
2: System level

Usage guidelines
With scanning attack protection enabled, a device checks the connection rate by IP address.
• defense scan max-rate

defense scan blacklist-timeout
Use defense scan blacklist-timeout to specify the aging time for entries blacklisted by scanning attack protection.
Use undo defense scan blacklist-timeout to restore the default, which is 10 minutes.

Syntax
defense scan blacklist-timeout minutes
undo defense scan blacklist-timeout

Views
Attack protection policy view

Default command level
2: System level

Parameters
minutes: Aging time of blacklist entries, in the range of 1 to 1000, in minutes.
Default command level
2: System level

Usage guidelines
With scanning attack protection enabled, a device checks the connection rate by IP address. If the connection rate of an IP address reaches or exceeds the threshold (set by the defense scan max-rate command), the device considers the IP address a scanning attack source and drops subsequent packets from the IP address until it finds that the rate is less than the threshold.

Examples
# Enable scanning attack protection.
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense scan enable
# Set the connection rate threshold for triggering scanning attack protection to 2000 connections per second.
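The three scanning-attack commands above (defense scan enable, defense scan max-rate and defense scan add-to-blacklist together with defense scan blacklist-timeout) describe one mechanism: a per-source connection rate, a drop decision while the rate is at or above the threshold, and an optional blacklist entry that ages out. The following is an added example, not HP code, that models that behaviour so the interaction between the rate window and the blacklist aging time can be traced. The class and method names, the sliding one-second window and the timeline in simulate_scan() are constructed for the example; the 10-minute default timeout is the one the text gives.

```python
"""Model of the scanning attack protection and blacklist logic described above.

Added example, not code from the HP manual.  Per source address it counts new
connections in a sliding one-second window; once the rate reaches the max-rate
threshold the source is treated as a scanning attack source and its packets are
dropped until the rate is below the threshold again.  With add-to-blacklist
enabled the source is also blacklisted for blacklist-timeout minutes (10 by
default in the text) and the entry ages out afterwards.
"""
from collections import defaultdict, deque


class ScanDefense:
    def __init__(self, max_rate=1000, add_to_blacklist=False, blacklist_timeout_min=10):
        self.max_rate = max_rate
        self.add_to_blacklist = add_to_blacklist
        self.blacklist_timeout = blacklist_timeout_min * 60      # seconds
        self.window = defaultdict(deque)   # src ip -> arrival times within the last second
        self.blacklist = {}                # src ip -> expiry time in seconds
        self.dropped = 0

    def _rate(self, src, now):
        q = self.window[src]
        while q and now - q[0] >= 1.0:
            q.popleft()
        return len(q)

    def is_blacklisted(self, src, now):
        expiry = self.blacklist.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blacklist[src]        # entry aged out
            return False
        return True

    def new_connection(self, src, now):
        """Return True if the connection is accepted, False if it is dropped."""
        if self.is_blacklisted(src, now):
            self.dropped += 1
            return False
        self.window[src].append(now)       # dropped attempts still count towards the rate
        if self._rate(src, now) >= self.max_rate:
            self.dropped += 1
            if self.add_to_blacklist:
                self.blacklist[src] = now + self.blacklist_timeout
            return False
        return True


def simulate_scan():
    """Constructed timeline: a burst of 6 connections from one host at max-rate 5."""
    d = ScanDefense(max_rate=5, add_to_blacklist=True, blacklist_timeout_min=10)
    burst = [d.new_connection("10.0.0.5", i * 0.1) for i in range(6)]
    accepted_in_burst = burst.count(True)                  # 4: the fifth attempt hits the threshold
    still_blocked = d.new_connection("10.0.0.5", 300.0)    # 5 minutes later: blacklisted
    after_timeout = d.new_connection("10.0.0.5", 601.0)    # after 10 minutes the entry aged out
    other_host = d.new_connection("10.0.0.9", 0.2)         # unrelated host is unaffected
    return accepted_in_burst, still_blocked, after_timeout, other_host
```

Without add-to-blacklist the same source is accepted again as soon as its window drains below the threshold; with it, the blacklist keeps the source out for the full timeout even though it has gone quiet.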
defense syn-flood enable
Use defense syn-flood enable to enable SYN flood attack protection.
Use undo defense syn-flood enable to restore the default.

Syntax
defense syn-flood enable
undo defense syn-flood enable

Default
SYN flood attack protection is disabled.

Views
Attack protection policy view

Default command level
2: System level

Examples
# Enable SYN flood attack protection in attack protection policy 1.
high rate-number: Sets the action threshold for SYN flood attack protection of the specified IP address. The rate-number argument indicates the number of SYN packets sent to the specified IP address per second and is in the range of 1 to 64000. With SYN flood attack protection enabled, the device enters attack detection state.
Parameters high rate-number: Sets the global action threshold for SYN flood attack protection. The rate-number argument indicates the number of SYN packets sent to an IP address per second and is in the range of 1 to 64000. With the SYN flood attack protection enabled, the device enters attack detection state.
Examples
# Configure attack protection policy 1 to drop UDP flood packets.
system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense udp-flood action drop-packet

Related commands
• defense udp-flood enable
• defense udp-flood ip
• defense udp-flood rate-threshold
• display attack-defense policy

defense udp-flood enable
Use defense udp-flood enable to enable UDP flood attack protection.
Use undo defense udp-flood enable to restore the default.
Syntax
defense udp-flood ip ip-address rate-threshold high rate-number [ low rate-number ]
undo defense udp-flood ip ip-address [ rate-threshold ]

Default
No UDP flood attack protection thresholds are configured for an IP address.

Views
Attack protection policy view

Default command level
2: System level

Parameters
ip-address: IP address to be protected. This IP address cannot be a broadcast address, 127.0.0.0/8, a class D address, or a class E address.
defense udp-flood rate-threshold
Use defense udp-flood rate-threshold to configure the global action and silence thresholds for UDP flood attack protection. The device uses the global attack protection thresholds to protect the IP addresses for which you do not configure attack protection parameters specifically.
Use undo defense udp-flood rate-threshold to restore the default.
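The ICMP, SYN and UDP flood commands above share one threshold model: a global action/silence pair (1000/750 packets per second by default), optional per-IP pairs that override it, an attack detection state that the protected address starts in, and a transition into attack protection state at the action threshold that is only undone once the rate falls below the silence threshold. The following is an added example, not HP code, that implements that hysteresis so the difference between the two thresholds can be seen on a constructed rate series. The class names, the "forward"/"drop-packet" verdict strings and the one-second sampling are this example's assumptions.

```python
"""Model of the action/silence threshold pair used by the ICMP, SYN and UDP
flood protection commands above.

Added example, not code from the HP manual.  The global pair (1000/750
packets per second by default in the text) protects every address that has no
per-IP pair of its own.  A protected address starts in attack detection state;
when the observed rate reaches the action (high) threshold it enters attack
protection state and the configured action applies, and it returns to detection
state only when the rate drops below the silence (low) threshold.
"""


class FloodDefense:
    DETECTION, PROTECTION = "detection", "protection"

    def __init__(self, high=1000, low=750, action="syslog"):
        self.global_thresholds = (high, low)   # defense xxx-flood rate-threshold high ... low ...
        self.per_ip_thresholds = {}            # defense xxx-flood ip ... rate-threshold ...
        self.action = action                   # defense xxx-flood action ...
        self.state = {}                        # protected ip -> current state

    def set_ip_thresholds(self, ip, high, low):
        self.per_ip_thresholds[ip] = (high, low)

    def thresholds(self, ip):
        return self.per_ip_thresholds.get(ip, self.global_thresholds)

    def observe(self, ip, packets_per_second):
        """Feed one second of traffic towards ip; return (state, verdict)."""
        high, low = self.thresholds(ip)
        state = self.state.get(ip, self.DETECTION)
        if state == self.DETECTION and packets_per_second >= high:
            state = self.PROTECTION            # action threshold reached
        elif state == self.PROTECTION and packets_per_second < low:
            state = self.DETECTION             # rate fell below the silence threshold
        self.state[ip] = state
        verdict = self.action if state == self.PROTECTION else "forward"
        return state, verdict


def run_trace():
    """Constructed rate series showing the hysteresis and a per-IP override."""
    d = FloodDefense(high=1000, low=750, action="drop-packet")
    d.set_ip_thresholds("192.168.1.1", high=2000, low=500)
    series = [("10.0.0.1", 900), ("10.0.0.1", 1000), ("10.0.0.1", 800), ("10.0.0.1", 700),
              ("192.168.1.1", 1500), ("192.168.1.1", 2000), ("192.168.1.1", 600)]
    return [d.observe(ip, rate) for ip, rate in series]
```

In the trace, 800 packets per second keeps 10.0.0.1 in protection state even though it is below the action threshold, because only a rate under the silence threshold (750) ends the attack; 192.168.1.1 uses its own 2000/500 pair, so 1500 packets per second never triggers it.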
• defense udp-flood enable
• display attack-defense policy

display attack-defense policy
Use display attack-defense policy to display configuration information about one or all attack protection policies.

Syntax
display attack-defense policy [ policy-number ] [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
policy-number: Sequence number of an attack protection policy, in the range of 1 to 128.
Add to blacklist : Enabled
Blacklist timeout : 10 minutes
Max-rate : 1000 connections/s
Signature-detect action : Drop-packet
-------------------------------------------------------------------------
ICMP flood attack-defense : Enabled
ICMP flood action : Syslog
ICMP flood high-rate : 2000 packets/s
ICMP flood low-rate : 750 packets/s
ICMP flood attack-defense for specific IP addresses:
IP             High-rate(packets/s)   Low-rate(packets/s)
192.168.1.1    1000                   500
192.168.2.
Field                         Description
WinNuke attack-defense        Indicates whether WinNuke attack protection is enabled.
LAND attack-defense           Indicates whether Land attack protection is enabled.
Source route attack-defense   Indicates whether Source Route attack protection is enabled.
Route record attack-defense   Indicates whether Route Record attack protection is enabled.
Scan attack-defense           Indicates whether scanning attack protection is enabled.
50 None 128 GigabitEthernet3/0/2

Related commands
attack-defense policy

display attack-defense statistics interface
Use display attack-defense statistics interface to display the attack protection statistics of an interface.
Route record packets dropped : 100
Source route attacks : 1
Source route packets dropped : 100
Smurf attacks : 1
Smurf packets dropped : 100
TCP flag attacks : 1
TCP flag packets dropped : 100
Tracert attacks : 1
Tracert packets dropped : 100
WinNuke attacks : 1
WinNuke packets dropped : 100
Scan attacks : 1
Scan attack packets dropped : 100
SYN flood attacks : 1
SYN flood packets dropped : 100
ICMP flood attacks : 1
ICMP flood packets dropped : 100
UDP flood attacks : 1
Field                              Description
Tracert attacks                    Number of detected Tracert attacks.
Tracert packets dropped            Number of Tracert packets dropped.
WinNuke attacks                    Number of detected WinNuke attacks.
WinNuke packets dropped            Number of WinNuke packets dropped.
Scan attacks                       Number of detected scanning attacks.
Scan attack packets dropped        Number of scanning attack packets dropped.
SYN flood attacks                  Number of detected SYN flood attacks.
SYN flood attack packets dropped   Number of SYN flood attack packets dropped.
Option            6602   HSR6602   6604/6608/6616
slot slot-number  No     Yes       Yes

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
Related commands
• blacklist enable
• blacklist ip

display flow-statistics statistics
Use display flow-statistics statistics to display traffic statistics on interfaces based on IP addresses.
----------------------------------------------------------
IP Address : 192.168.1.
Default command level
1: Monitor level

Parameters
interface-type interface-number: Specifies an interface by its type and number.
inbound: Displays traffic statistics in the inbound direction of an interface.
outbound: Displays traffic statistics in the outbound direction of an interface.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Field                             Description
UDP session establishment rate    UDP connection establishment rate.
ICMP sessions                     Number of ICMP connections.
ICMP session establishment rate   ICMP connection establishment rate.
RAWIP sessions                    Number of RAWIP connections.
RAWIP session establishment rate  RAWIP connection establishment rate.

display tcp-proxy protected-ip
Use display tcp-proxy protected-ip to display information about IP addresses protected by the TCP proxy function.
Field             Description
Type              Type of the protected IP address. Dynamic indicates that the entry was dynamically added by the device.
Lifetime(min)     Remaining lifetime of the entry. If the value of this field is 0, the entry is deleted.
Rejected packets  Number of packets matching this entry that have been dropped by the TCP proxy function.

flow-statistics enable
Use flow-statistics enable to enable traffic statistics collection on an interface.
Use undo flow-statistics enable to restore the default.
reset attack-defense statistics interface
Use reset attack-defense statistics interface to clear the attack protection statistics of an interface.

Syntax
reset attack-defense statistics interface interface-type interface-number

Views
User view

Default command level
1: Monitor level

Parameters
interface-type interface-number: Specifies an interface by its type and number.

Examples
# Clear the attack protection statistics of interface GigabitEthernet 3/0/1.
route-record: Specifies the route record packet attack.
smurf: Specifies the Smurf packet attack.
source-route: Specifies the source route packet attack.
tcp-flag: Specifies the TCP flag packet attack.
tracert: Specifies the Tracert packet attack.
winnuke: Specifies the WinNuke packet attack.

Examples
# Enable signature detection of Fraggle attack in attack protection policy 1.
Syntax
signature-detect large-icmp max-length length
undo signature-detect large-icmp max-length

Default
An ICMP packet length of 4000 bytes triggers large ICMP attack protection.

Views
Attack protection policy view

Default command level
2: System level

Parameters
length: Maximum length of an ICMP packet, in the range of 28 to 65534 bytes.
Default command level
2: System level

Usage guidelines
Usually, the TCP proxy function is used on a device's interfaces connected to external networks to protect internal servers from SYN flood attacks. When detecting a SYN flood attack, the device can take protection actions configured by using the defense syn-flood action command.
Related commands
• tcp-proxy enable
• display tcp-proxy protected-ip
TCP attack protection configuration commands

display tcp status
Use display tcp status to display status of all TCP connections for monitoring TCP connections.

Syntax
display tcp status [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Use undo tcp anti-naptha enable to disable the protection against Naptha attack.

Syntax
tcp anti-naptha enable
undo tcp anti-naptha enable

Default
The protection against Naptha attack is disabled.

Views
System view

Default command level
2: System level

Usage guidelines
The configurations made by using the tcp state and tcp timer check-state commands are removed after the protection against Naptha attack is disabled.

Examples
# Enable the protection against Naptha attack.
last-ack: Specifies the LAST_ACK state of a TCP connection.
syn-received: Specifies the SYN_RECEIVED state of a TCP connection.
connection-number number: Specifies the maximum number of TCP connections in a certain state, in the range of 0 to 500.

Usage guidelines
You need to enable the protection against Naptha attack before executing this command. Otherwise, an error is prompted. You can configure the maximum number of TCP connections in each state.
Use undo tcp timer check-state to restore the default.

Syntax
tcp timer check-state time-value
undo tcp timer check-state

Default
The TCP connection state check interval is 30 seconds.

Views
System view

Default command level
2: System level

Parameters
time-value: Specifies the TCP connection state check interval in seconds, in the range of 1 to 60.

Usage guidelines
The device periodically checks the number of TCP connections in each state.
IP source guard configuration commands
IP source guard configuration commands are available only for SAP interface modules operating in Layer 2 mode.

display ip source binding
Use display ip source binding to display IPv4 source guard entries.
display ip source binding
Total entries found: 5
MAC Address     IP Address   VLAN   Interface   Type
040a-0000-4000  10.1.0.9     2      GE3/0/1     Static
040a-0000-3000  10.1.0.8     2      GE3/0/1     DHCP-SNP
040a-0000-2000  10.1.0.7     2      GE3/0/1     DHCP-SNP
040a-0000-1000  10.1.0.6     N/A    GE3/0/2     DHCP-RLY
040a-0000-0000  N/A          N/A    GE3/0/2     DHCP-RLY
# Display all static IPv4 source guard entries.
Default
No static IPv4 binding entry exists on a port.

Views
Layer 2 Ethernet interface view

Default command level
2: System level

Parameters
ip-address ip-address: Specifies the IPv4 address for the static binding entry. The IPv4 address cannot be 127.x.x.x, 0.0.0.0, or a multicast IP address.
mac-address mac-address: Specifies the MAC address for the static binding in the format H-H-H. The MAC address cannot be all 0s, all Fs (a broadcast address), or a multicast address.
Parameters
ip-address: Binds source IPv4 addresses to the port.
ip-address mac-address: Binds source IPv4 addresses and MAC addresses to the port.
mac-address: Binds source MAC addresses to the port.

Usage guidelines
After you enable the IPv4 source guard function on a port, IPv4 source guard dynamically generates IPv4 source guard entries based on the DHCP snooping entries or the DHCP-relay entries, and all static IPv4 source guard entries on the port become effective.
Parameters
number: Maximum number of IPv4 source guard entries allowed on a port, in the range of 0 to 256.

Usage guidelines
If the maximum number of IPv4 binding entries to be configured is smaller than the number of existing IPv4 binding entries on the port, the maximum number can be configured successfully and the existing entries will not be affected. New IPv4 binding entries, however, cannot be added any more unless the number of IPv4 binding entries on the port drops below the configured maximum.
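The static binding rules, the three binding modes and the maximum-entries behaviour described in the IPv4 source guard commands above fit together in one small model. The following is an added example, not HP code, that validates static binding addresses per the text (no 127.x.x.x, 0.0.0.0 or multicast IP; MAC in H-H-H form and not all 0s, all Fs or multicast), filters a packet under the ip, ip-mac or mac binding mode, and shows the edge case from the usage guidelines: lowering the maximum below the current entry count keeps the existing entries but refuses new ones. Class and method names are this example's own; the sample addresses are the ones in the display output above.

```python
"""Model of the per-port IPv4 source guard behaviour described above.

Added example, not code from the HP manual.  Implements the static-binding
address rules from the text, the ip / ip-mac / mac binding modes, and the rule
that lowering the maximum below the current entry count keeps existing entries
but blocks new ones.
"""
import ipaddress


class SourceGuardPort:
    def __init__(self, max_entries: int = 256):
        self.max_entries = max_entries
        self.entries = []          # static bindings: {"ip", "mac", "vlan"}

    @staticmethod
    def validate_ip(ip: str) -> None:
        addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad syntax
        if addr.is_loopback or addr == ipaddress.IPv4Address("0.0.0.0") or addr.is_multicast:
            raise ValueError(f"{ip} is not allowed in a static binding")

    @staticmethod
    def validate_mac(mac: str) -> str:
        parts = mac.lower().split("-")
        if len(parts) != 3 or any(len(p) != 4 for p in parts):
            raise ValueError("MAC must use the H-H-H format")
        raw = bytes.fromhex("".join(parts))       # raises ValueError on non-hex digits
        if raw == b"\x00" * 6 or raw == b"\xff" * 6 or raw[0] & 1:
            raise ValueError("MAC cannot be all 0s, all Fs or multicast")
        return "-".join(parts)

    def set_max_entries(self, number: int) -> int:
        """Lowering the limit below the current count keeps existing entries."""
        if not 0 <= number <= 256:
            raise ValueError("range is 0 to 256")
        self.max_entries = number
        return len(self.entries)

    def add_static(self, ip: str, mac: str, vlan=None) -> None:
        self.validate_ip(ip)
        mac = self.validate_mac(mac)
        if len(self.entries) >= self.max_entries:
            raise RuntimeError("port binding limit reached")
        self.entries.append({"ip": ip, "mac": mac, "vlan": vlan})

    def permits(self, src_ip: str, src_mac: str, mode: str = "ip-mac") -> bool:
        """Source guard filter for one packet under the given binding mode."""
        mac = src_mac.lower()
        for e in self.entries:
            if mode == "ip" and e["ip"] == src_ip:
                return True
            if mode == "mac" and e["mac"] == mac:
                return True
            if mode == "ip-mac" and e["ip"] == src_ip and e["mac"] == mac:
                return True
        return False


def is_valid_binding(ip: str, mac: str) -> bool:
    try:
        SourceGuardPort.validate_ip(ip)
        SourceGuardPort.validate_mac(mac)
        return True
    except ValueError:
        return False


def demo_port():
    """Constructed scenario: two bindings, then the limit is lowered to 1."""
    port = SourceGuardPort()
    port.add_static("10.1.0.9", "040a-0000-4000", vlan=2)
    port.add_static("10.1.0.8", "040a-0000-3000", vlan=2)
    kept = port.set_max_entries(1)                 # both existing entries survive
    try:
        port.add_static("10.1.0.7", "040a-0000-2000", vlan=2)
        added = True
    except RuntimeError:
        added = False                              # refused until the count drops below 1
    return (kept, added,
            port.permits("10.1.0.9", "040a-0000-4000"),
            port.permits("10.1.0.9", "040a-0000-9999"))
```

The multicast MAC test uses the group bit of the first octet, which is the standard definition; it is what makes an address such as 0100-5e00-0001 unusable as a source binding.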
ARP attack protection configuration commands

IP flood protection configuration commands

arp resolving-route enable
Use arp resolving-route enable to enable ARP blackhole routing.
Use undo arp resolving-route enable to disable the function.

Syntax
arp resolving-route enable
undo arp resolving-route enable

Default
ARP blackhole routing is disabled.

Views
System view

Default command level
2: System level

Examples
# Enable ARP blackhole routing.
Examples
# Enable the ARP source suppression function.
system-view
[Sysname] arp source-suppression enable

Related commands
display arp source-suppression

arp source-suppression limit
Use arp source-suppression limit to set the maximum number of unresolvable IP packets that can be received from a device in five seconds. Unresolvable IP packets refer to packets that cannot be resolved by ARP.
Use undo arp source-suppression limit to restore the default value, which is 10.
Default command level
2: System level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
Parameters
disable: Disables ARP packet rate limit.
rate pps: Specifies the ARP packet rate in pps, in the range of 5 to 8192.
drop: Discards the exceeded packets.
slot slot-number: Specifies a card by its slot number. The following matrix shows the option and router compatibility:

Option            6602   HSR6602   6604/6608/6616
slot slot-number  No     Yes       Yes

Examples
# Specify the ARP packet rate for the card in slot 1 as 50 pps, and exceeded packets are discarded.
[Sysname] arp anti-attack valid-check enable

ARP active acknowledgement configuration commands

arp anti-attack active-ack enable
Use arp anti-attack active-ack enable to enable the ARP active acknowledgement function.
Use undo arp anti-attack active-ack enable to restore the default.

Syntax
arp anti-attack active-ack enable
undo arp anti-attack active-ack enable

Default
The ARP active acknowledgement function is disabled.
Default
Authorized ARP is not enabled on the interface.

Views
Layer 3 Ethernet interface view

Default command level
2: System level

Examples
# Enable authorized ARP on GigabitEthernet 3/0/1.
system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] arp authorized enable

ARP detection configuration commands
NOTE: The commands of this feature are supported only when SAP modules operate in bridge mode.
• ip-address-mask: Specifies the mask for the sender IP address in dotted decimal format. If no mask is specified, the ip-address argument specifies a host IP address.
mac { any | mac-address [ mac-address-mask ] }: Specifies the sender MAC address range.
• any: Matches any sender MAC address.
• mac-address: Matches a sender MAC address, in the format of H-H-H.
• mac-address-mask: Specifies the mask for the sender MAC address, in the format of H-H-H.
arp detection trust
Use arp detection trust to configure the port as an ARP trusted port.
Use undo arp detection trust to restore the default.

Syntax
arp detection trust
undo arp detection trust

Default
The port is an ARP untrusted port.

Views
Layer 2 Ethernet interface view

Default command level
2: System level

Examples
# Configure GigabitEthernet 3/0/1 as an ARP trusted port.
ip: Checks the source and destination IP addresses of ARP packets. The all-zero, all-one, or multicast IP addresses are considered invalid and the corresponding packets are discarded. With this keyword specified, the source and destination IP addresses of ARP replies, and the source IP address of ARP requests are checked.
src-mac: Checks whether the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet header. If they are identical, the packet is considered valid.
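The ip and src-mac validity checks above, together with the Dst-MAC discard counter that the arp detection statistics output reports, can be exercised on a few hand-built packets to see which field each check inspects and why a request with an odd target IP still passes the ip check. The following is an added example, not HP code: the ip and src-mac checks follow the text; the dst-mac check is this example's assumption that the target MAC of an ARP reply is compared with the Ethernet destination MAC. The packet dicts, the ARP_REQUEST/ARP_REPLY names and the tally keys are constructed for the example.

```python
"""Model of the arp detection validation checks described above.

Added example, not code from the HP manual.  'ip' and 'src-mac' follow the
text; 'dst-mac' is assumed to compare the target MAC of an ARP reply with the
Ethernet destination MAC.
"""
import ipaddress

ARP_REQUEST, ARP_REPLY = 1, 2


def ip_is_invalid(ip: str) -> bool:
    """All-zero, all-one and multicast addresses are invalid per the text."""
    addr = ipaddress.IPv4Address(ip)
    return addr in (ipaddress.IPv4Address("0.0.0.0"),
                    ipaddress.IPv4Address("255.255.255.255")) or addr.is_multicast


def arp_validity_check(pkt: dict, checks=("ip", "src-mac", "dst-mac")):
    """Return (True, 'valid') or (False, <discard reason named like the Table 86 field>)."""
    if "ip" in checks:
        # Sender IP is checked for requests and replies; target IP only for replies.
        if ip_is_invalid(pkt["sender_ip"]):
            return False, "IP"
        if pkt["op"] == ARP_REPLY and ip_is_invalid(pkt["target_ip"]):
            return False, "IP"
    if "src-mac" in checks and pkt["sender_mac"].lower() != pkt["eth_src"].lower():
        return False, "Src-MAC"
    if ("dst-mac" in checks and pkt["op"] == ARP_REPLY
            and pkt["target_mac"].lower() != pkt["eth_dst"].lower()):
        return False, "Dst-MAC"
    return True, "valid"


def run_samples() -> dict:
    """Run constructed packets through the checks and tally discards per reason."""
    good = dict(eth_src="0001-0001-0001", eth_dst="0002-0002-0002", op=ARP_REPLY,
                sender_mac="0001-0001-0001", sender_ip="10.0.0.2",
                target_mac="0002-0002-0002", target_ip="10.0.0.1")
    samples = [
        good,
        dict(good, sender_mac="0003-0003-0003"),            # sender MAC != Ethernet source
        dict(good, op=ARP_REQUEST, sender_ip="0.0.0.0"),    # all-zero sender IP
        dict(good, target_mac="0004-0004-0004"),            # reply target MAC != Ethernet dest
        dict(good, op=ARP_REQUEST, target_ip="224.0.0.1"),  # target IP of a request is not checked
    ]
    tally = {"valid": 0, "IP": 0, "Src-MAC": 0, "Dst-MAC": 0}
    for pkt in samples:
        tally[arp_validity_check(pkt)[1]] += 1
    return tally
```

The last sample is the instructive one: a request whose target IP is multicast is still accepted, because the ip check only inspects the destination IP of replies.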
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
GE3/0/1(U)   40   0   0    78
GE3/0/2(U)   0    0   0    0
GE3/0/3(T)   0    0   0    0
GE3/0/4(U)   0    0   30   0

Table 86 Command output
Field             Description
Interface(State)  State T or U identifies a trusted or untrusted port.
IP                Number of ARP packets discarded due to invalid source and destination IP addresses.
Src-MAC           Number of ARP packets discarded due to invalid source MAC address.
Dst-MAC           Number of ARP packets discarded due to invalid destination MAC address.
Syntax
arp fixup

Views
System view

Default command level
2: System level

Usage guidelines
The static ARP entries changed from dynamic ARP entries have the same attributes as the manually configured static ARP entries. The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device might fail to change all dynamic ARP entries into static ARP entries.
range contains multiple network segments, the sender IP address in the ARP request is the interface address on the smallest network segment. If no address range is specified, the device only scans the network where the primary IP address of the interface resides for neighbors. The sender IP address in the ARP requests is the primary IP address of the interface.
Parameters
ip-address: Specifies the IP address of a protected gateway.

Usage guidelines
You can enable ARP gateway protection for up to eight gateways on a port. You cannot configure both arp filter source and arp filter binding commands on a port.

Examples
# Enable ARP gateway protection for the gateway with IP address 1.1.1.1.
system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] arp filter source 1.1.1.
system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] arp filter binding 1.1.1.
ND attack defense configuration commands

ipv6 nd mac-check enable
Use ipv6 nd mac-check enable to enable source MAC consistency check for ND packets.
Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND packets.

Syntax
ipv6 nd mac-check enable
undo ipv6 nd mac-check enable

Default
Source MAC consistency check is disabled for ND packets.
URPF configuration commands

ip urpf
Use ip urpf to enable URPF check on an interface to prevent source address spoofing attacks.
Use undo ip urpf to disable URPF check.

Syntax
ip urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]
undo ip urpf

Default
URPF check is disabled.

Views
Interface view

Default command level
2: System level

Parameters
loose: Enables loose URPF check.
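The ip urpf syntax above exposes three choices (loose or strict mode, allow-default-route, and an optional ACL) whose effect on a given packet is easiest to see against a concrete forwarding table. The following is an added example, not HP code, that implements the two standard URPF modes over a small longest-prefix-match table: strict mode requires a route to the source address that leaves through the ingress interface, loose mode only requires that some route to the source exists, and a default route counts only with allow-default-route. The treatment of the ACL (packets it permits are forwarded even if they fail the check) is this example's assumption, and the Fib class, interface names and prefixes are constructed.

```python
"""Model of the loose and strict URPF checks configured by ip urpf above.

Added example, not code from the HP manual.  Strict mode requires a route to
the source address whose outgoing interface is the interface the packet arrived
on; loose mode only requires that some route to the source exists.  A default
route counts as a matching route only with allow-default-route.  Assumption:
packets matched by the optional ACL are forwarded even when they fail the check.
"""
import ipaddress


class Fib:
    """Minimal longest-prefix-match table: (prefix, outgoing interface) pairs."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best


def urpf_check(fib, src_ip, in_iface, mode="strict", allow_default_route=False, acl_permit=None):
    """Return True if the packet is forwarded, False if URPF discards it."""
    hit = fib.lookup(src_ip)
    if hit is not None and hit[0].prefixlen == 0 and not allow_default_route:
        hit = None                      # a default route alone does not satisfy URPF
    if hit is None:
        passed = False
    elif mode == "loose":
        passed = True                   # any route to the source is enough
    elif mode == "strict":
        passed = hit[1] == in_iface     # route must point back out the ingress interface
    else:
        raise ValueError("mode must be 'loose' or 'strict'")
    if not passed and acl_permit is not None and acl_permit(src_ip):
        passed = True                   # assumption: ACL-matched packets are exempted
    return passed


# Constructed FIB: two customer prefixes and a default route towards the upstream.
SAMPLE_FIB = Fib([("10.1.0.0/16", "GE3/0/1"),
                  ("10.2.0.0/16", "GE3/0/2"),
                  ("0.0.0.0/0", "GE3/0/3")])
```

Strict mode is the right fit on the customer-facing interfaces, where the return path is known; loose mode with allow-default-route is what keeps an upstream interface from dropping legitimate traffic that is only reachable through the default route.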
FIPS configuration commands

display fips status
Use display fips status to display the current FIPS mode state.

Syntax
display fips status

Views
Any view

Default command level
1: Monitor level

Examples
# Display the current FIPS mode state.
display fips status
FIPS mode is enabled

Related commands
fips mode enable

fips mode enable
Use fips mode enable to enable FIPS mode.
Use undo fips mode enable to disable FIPS mode.
1. Enable FIPS mode.
2. Enable the password control function.
3. Configure the username and password to log in to the device in FIPS mode. The password must include at least 10 characters and must contain uppercase and lowercase letters, digits, and special characters.
4. Delete all MD5-based digital certificates.
5. Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.
6. Save the configuration.
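Steps 3 to 5 of this procedure are mechanical checks that can be run against an exported inventory before FIPS mode is enabled. The Python below is an added example, not HP code: it checks a candidate password against the stated composition rule and lists the key pairs and certificates that the procedure says must be deleted. The KeyPair and Certificate records, the inventory format and the sample values are constructed for the example.

```python
"""Pre-flight checks for steps 3 to 5 of the FIPS mode procedure.

Added example, not HP code. The password rule and the key/certificate
deletion rules are taken from the procedure text; the inventory records
and sample values are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class KeyPair:
    name: str
    algorithm: str      # "rsa" or "dsa"
    modulus_bits: int


@dataclass
class Certificate:
    name: str
    signature_algorithm: str   # e.g. "sha256WithRSAEncryption", "md5WithRSAEncryption"


def fips_password_ok(password: str) -> bool:
    """Step 3: at least 10 characters, with uppercase, lowercase, digits and special characters."""
    return (len(password) >= 10
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def certs_to_delete(certs: List[Certificate]) -> List[str]:
    """Step 4: every MD5-based digital certificate must go."""
    return [c.name for c in certs if "md5" in c.signature_algorithm.lower()]


def keys_to_delete(keys: List[KeyPair]) -> List[str]:
    """Step 5: all RSA key pairs, and DSA key pairs with a modulus shorter than 1024 bits."""
    return [k.name for k in keys
            if k.algorithm == "rsa" or (k.algorithm == "dsa" and k.modulus_bits < 1024)]


def fips_preflight(password: str, keys: List[KeyPair], certs: List[Certificate]) -> List[str]:
    """Return the items blocking FIPS mode; an empty list means steps 3 to 5 are satisfied."""
    findings = []
    if not fips_password_ok(password):
        findings.append("login password does not meet the FIPS composition rule")
    findings += [f"delete MD5-based certificate {n}" for n in certs_to_delete(certs)]
    findings += [f"delete key pair {n}" for n in keys_to_delete(keys)]
    return findings


# Constructed inventory, as it might be exported from a device before step 1.
SAMPLE_KEYS = [KeyPair("ssh-rsa", "rsa", 2048), KeyPair("dsa-legacy", "dsa", 512),
               KeyPair("dsa-host", "dsa", 2048)]
SAMPLE_CERTS = [Certificate("ca-old", "md5WithRSAEncryption"),
                Certificate("ca-new", "sha256WithRSAEncryption")]

if __name__ == "__main__":
    for finding in fips_preflight("Weak1", SAMPLE_KEYS, SAMPLE_CERTS):
        print(finding)
```

Running the pre-flight before step 1 avoids discovering a rejected password or a lingering RSA key pair only after the device has already switched to FIPS mode.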
Default command level
3: Manage level
Usage guidelines
To examine whether the cryptography modules operate correctly, you can use this command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the self-test fails, the device automatically reboots.
Examples
# Trigger a self-test on the cryptographic algorithms.
system-view
[Sysname] fips self-test
Self-tests are running. Please wait...
Self-tests succeeded.
Group Domain VPN commands
KS configuration commands
display gdoi ks
Use display gdoi ks to display GDOI KS information.
Syntax
display gdoi ks [ group group-name ]
Views
User view
Default command level
1: Monitor level
Parameters
group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command displays KS information for all GDOI KS groups.
Examples
# Display KS information for the GDOI KS group abc.
# Display KS information for all GDOI KS groups.
display gdoi ks
Group Name: abc
  Group identity : 8
  Group members  : 0
  Redundancy     : Enabled
  Local address  : 105.112.100.2
  Local version  : 1.
  Profile name   : profile-xyz2
  ACL configured : 3001
Table 87 Command output
Field            Description
Group Name       Name of the GDOI KS group.
Group identity   KS group identity, a number or an IPv4 address. If no identity is configured, this field is blank.
Group members    Number of online GMs in the GDOI KS group.
Redundancy       Redundancy information for the GDOI KS group.
Local role       Role of the local KS in the redundancy:
                 • Primary—Primary KS.
                 • Secondary—Secondary KS.
                 • Initial—In initializing state.
Examples
# Display ACLs referenced by the GDOI KS group abc.
display gdoi ks acl group abc
Group Name: abc
  ACL abc
    rule 0 permit ip source 1.1.1.2 0 destination 2.2.2.3 0
    rule 1 permit tcp source 1.1.0.0 0.0.255.255 destination 2.2.0.0 0.0.255.255
    rule 2 permit ip
# Display ACLs referenced by all GDOI KS groups.
display gdoi ks acl
Group Name: abc
  ACL abc
    rule 0 permit ip source 1.1.1.2 0 destination 2.2.2.3 0
    rule 1 permit tcp source 1.1.0.0 0.0.255.255 destination 2.2.0.0 0.0.255.
Usage guidelines
If you do not specify the group group-name option, the command displays information about online GMs with the specified IP address in all GDOI KS groups. If you do not specify the ip ip-address option, the command displays information about all online GMs in the specified GDOI KS group. If you do not specify any parameter, the command displays information about all online GMs in all GDOI KS groups.
Examples
# Display information about all online GMs in all GDOI KS groups.
display gdoi ks policy
Use display gdoi ks policy to display policy information for GDOI KS groups.
Syntax
display gdoi ks policy [ group group-name ]
Views
User view
Default command level
1: Monitor level
Parameters
group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command displays policy information for all GDOI KS groups.
Examples
# Display policy information for all GDOI KS groups.
Field                Description
SPI                  SPI of the rekey SA or that of the IPsec SA.
Lifetime             KEK or TEK lifetime.
Remaining lifetime   Remaining time of the KEK or TEK lifetime.
Signature key name   Name of the key pair used for signature.
Encapsulation        IPsec encapsulation mode for IP packets: Tunnel or Transport.
ACL                  Number or name of the ACL referenced.
Transform            Name of the IPsec transform set referenced.
    Peer priority : Unknown
    Peer role     : Unknown
    Peer status   : Down
    Peer address  : 172.1.1.1
    Peer version  : 1.0
    Peer priority : 100
    Peer role     : Secondary
    Peer status   : Ready
Table 91 Command output
Field             Description
Group Name        GDOI KS group name.
Local role        Role of the local KS in the redundancy:
                  • Primary—Primary KS.
                  • Secondary—Secondary KS.
                  • Initial—In initializing state.
                  • Electing—Electing the primary KS.
Primary address   IP address of the primary KS.
Peers             Peer KS information.
Default command level
1: Monitor level
Parameters
group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command displays rekey information for all GDOI KS groups.
Examples
# Display rekey information for all GDOI KS groups.
Table 92 Command output
Field                Description
Group Name           GDOI KS group name.
IPsec 1 lifetime     SA lifetime of IPsec policy 1, in seconds.
Remaining lifetime   Remaining time of the KEK or IPsec SA, in seconds.
gdoi ks group
Use gdoi ks group to create a GDOI KS group and enter GDOI KS group view.
Use undo gdoi ks group to delete a GDOI KS group.
Syntax
gdoi ks group group-name
undo gdoi ks group group-name
Default
No GDOI KS group exists.
Default
The GDOI KS listens to UDP port 19000 for redundancy protocol packets.
Views
System view
Default command level
2: System level
Parameters
port-number: Specifies a UDP port number in the range of 1 to 65535.
Usage guidelines
A GDOI KS uses the UDP port number configured in this command to send and receive redundancy protocol packets to and from other KSs. All KSs in the same GDOI KS group must use the same UDP port number.
Examples
# Force the GDOI KS group abc to rekey.
gdoi ks rekey group abc
identity address
Use identity address to configure an IP address for the GDOI KS group.
Use undo identity to delete the IP address of the GDOI KS group.
Syntax
identity address address
undo identity
Default
No IP address is configured for a GDOI KS group.
Views
GDOI KS group view
Default command level
2: System level
Parameters
address: Specifies any valid IPv4 address to identify the GDOI KS group.
Default
No number is configured for a GDOI KS group.
Views
GDOI KS group view
Default command level
2: System level
Parameters
number: Specifies a number in the range of 0 to 2147483647 to identify the GDOI KS group.
Usage guidelines
You can configure only one type of ID (either an IP address or a number) for a GDOI KS group. A GDOI KS group uses the IP address or the number, whichever is configured later.
Examples
# Configure the number of the GDOI KS group abc as 123456.
Deleting an IPsec policy from a GDOI KS group also deletes the TEK that corresponds to that IPsec policy.
Examples
# Create IPsec policy 10 for the GDOI KS group abc and enter its view.
system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] ipsec 10
[Sysname-gdoi-ks-group-abc-ipsec-10]
Related commands
gdoi ks group
local priority
Use local priority to configure the GDOI KS local priority.
Use undo local priority to restore the default.
Related commands
• gdoi ks group
• redundancy enable
peer address
Use peer address to specify the IP address of a peer KS.
Use undo peer address to delete a peer KS IP address.
Syntax
peer address ip-address
undo peer address ip-address
Default
No IP address of a peer KS is specified.
Views
GDOI KS group view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address of a peer KS.
Use undo profile to remove the IPsec profile referenced by the GDOI KS group IPsec policy.
Syntax
profile ipsec-profile-name
undo profile
Default
A GDOI KS group IPsec policy does not reference any IPsec profile.
Views
GDOI KS group IPsec policy view
Default command level
2: System level
Parameters
ipsec-profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 15 characters.
Usage guidelines
GDOI KS redundancy enables a group of KSs to work together for high availability and load sharing. One KS is the primary KS, and the others are secondary KSs. Secondary KSs back up data for the primary KS and can accept registrations from GMs.
Examples
# Enable KS redundancy in GDOI KS group abc.
When the primary KS detects a disconnection from a secondary KS, it informs the secondary KS of the disconnection through hello packets. The secondary KS tries to re-establish a connection with the primary KS if it receives the hello packet. If the connection cannot be established, primary KS re-election is triggered. Do not set a long hello packet sending interval. Otherwise, secondary KSs cannot detect a primary KS failure or a link failure in time.
On an unreliable network, you can increase the retransmission interval or the retransmission number to avoid a KS split. If a KS loses contact with the primary KS, it splits from the KS group and elects itself as the primary KS. The KS group might then have multiple primary KSs.
Examples
# Set the redundancy protocol packet retransmission interval to 30 seconds, and the maximum number of retransmissions to 3.
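The trade-off between the retransmission settings and a KS split can be shown with a small model of the redundancy group. The Python below is an added example, not HP code and not the redundancy protocol itself. It assumes that a secondary KS declares the primary lost once the configured number of retransmissions, spaced by the retransmission interval, have gone unanswered, and that a partition without the primary elects the KS with the highest local priority, with ties broken by the highest IP address (the tie-break is an assumption). The KeyServer record, the partition representation and the sample addresses and priorities are constructed for the example.

```python
"""Model of GDOI KS redundancy: primary loss detection and a KS split.

Added example, not HP code and not the redundancy protocol itself. Assumed
model: a secondary declares the primary lost once retransmit_count
retransmissions spaced retransmit_interval seconds apart go unanswered; a
partition that has lost the primary elects the KS with the highest local
priority, ties broken by the highest IP address (assumption).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, List, Set


@dataclass(frozen=True)
class KeyServer:
    address: str
    priority: int    # local priority, as set with the local priority command


def elect_primary(candidates: Iterable[KeyServer]) -> KeyServer:
    """Highest priority wins; tie broken by highest address (assumed tie-break)."""
    return max(candidates, key=lambda ks: (ks.priority, int(IPv4Address(ks.address))))


def primary_loss_detected(seconds_since_last_hello: float,
                          retransmit_interval: int, retransmit_count: int) -> bool:
    """True once the initial hello and all retransmissions have gone unanswered."""
    return seconds_since_last_hello > retransmit_interval * (retransmit_count + 1)


def primaries_after_partition(kss: List[KeyServer], primary: KeyServer,
                              partitions: List[Set[str]], seconds_since_last_hello: float,
                              retransmit_interval: int, retransmit_count: int) -> List[str]:
    """Primaries the group ends up with after a network partition.

    partitions: sets of KS addresses that can still reach each other.
    More than one returned address means the KS group has split."""
    by_addr = {ks.address: ks for ks in kss}
    primaries = []
    for part in partitions:
        if primary.address in part:
            primaries.append(primary.address)        # this side keeps its primary
        elif primary_loss_detected(seconds_since_last_hello, retransmit_interval, retransmit_count):
            primaries.append(elect_primary(by_addr[a] for a in part).address)
        # otherwise the cut-off KSs still consider the primary reachable
    return primaries


if __name__ == "__main__":
    ks_a, ks_b, ks_c = KeyServer("10.0.0.1", 200), KeyServer("10.0.0.2", 100), KeyServer("10.0.0.3", 100)
    group = [ks_a, ks_b, ks_c]
    split = [{"10.0.0.1"}, {"10.0.0.2", "10.0.0.3"}]
    # retransmission interval 30 s, 3 retransmissions: loss is declared after 120 s of silence
    print(primaries_after_partition(group, ks_a, split, 100, 30, 3))  # ['10.0.0.1']
    print(primaries_after_partition(group, ks_a, split, 130, 30, 3))  # ['10.0.0.1', '10.0.0.3']
```

With the values from the example (30 seconds, 3 retransmissions) a 100-second outage is ridden out, while a 130-second outage produces two primaries; raising either setting widens the window that is tolerated, at the cost of slower failover when the primary really is gone.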
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] rekey acl 3000
Related commands
• gdoi ks group
• source address
rekey authentication
Use rekey authentication to specify the key pair to be used by the KS during a rekey.
Use undo rekey authentication to remove the specified key pair.
Syntax
rekey authentication public-key rsa key-name
undo rekey authentication
Default
No key pair is specified for a rekey.
Syntax
rekey encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc }
undo rekey encryption
Default
The encryption algorithm is 3des-cbc.
Views
GDOI KS group view
Default command level
2: System level
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the rekey encryption algorithm as AES-CBC-192 for the GDOI KS group abc.
Examples
# Configure the KEK lifetime as 3600 seconds for the GDOI KS group abc.
system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] rekey lifetime seconds 3600
Related commands
gdoi ks group
rekey retransmit
Use rekey retransmit to specify the interval between rekey retransmissions and the maximum number of retransmissions.
undo rekey transport unicast
Default
The KS multicasts rekey messages.
Views
GDOI KS group view
Default command level
2: System level
Examples
# Configure the GDOI KS group abc to unicast rekey messages.
system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] rekey transport unicast
Related commands
gdoi ks group
reset gdoi ks
Use reset gdoi ks to clear GDOI KS group information, including keys, online GMs, and the role in redundancy backup.
Views
User view
Default command level
2: System level
Parameters
group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command clears GM information for all GDOI KS groups.
Usage guidelines
This command takes effect only on the primary KS.
Examples
# Clear GM information for the GDOI KS group abc.
Default
No ACL is referenced.
Views
GDOI KS group IPsec policy view
Default command level
2: System level
Parameters
access-list-number: Specifies an ACL by its number in the range of 3000 to 3999.
name access-list-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
The GDOI KS sends the ACL to GMs, which use the ACL to filter traffic and so determine the traffic to be protected by TEKs.
Parameters
ip-address: Specifies any valid IPv4 address.
Usage guidelines
Perform this task to specify the source address for GROUPKEY-PUSH protocol packets and redundancy protocol packets sent by the KS.
Examples
# Specify the source address for the GDOI KS group abc as 11.1.1.1.
system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] source address 11.1.1.
Related commands
gdoi gm group
display gdoi gm
Use display gdoi gm to display GDOI GM group information, including GDOI configuration parameters, negotiation parameters, and the IPsec information obtained after successful registrations.
Syntax
display gdoi gm [ group group-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
group group-name: Displays information about the specified GDOI GM group.
  Last rekey seq num        : 3
  Multicast rekeys received : 1
  Allowable rekey cipher    : Any
  Allowable rekey hash      : Any
  Allowable transform       : Any
  Rekeys Cumulative
    Total received            : 5
    After latest registration : 3
    Rekey received (hh:mm:ss) : 00:02:11
  ACL Downloaded From KS 90.1.1.
Field                 Description
IPsec SA Direction    IPsec SA direction: Both or Inbound (not supported at present).
Group Server List     KS IP address list in the GDOI GM group. The list can contain eight addresses at most.
Group Member          IP address of the GM.
VPN instance          VPN instance name of the MPLS L3VPN to which the GM belongs.
Registration status   Registration status: Registered, Registering, or Not registered.
Registered with       IP address of the KS with which the GM registers.
Field / Description
rule 0 deny udp source-port eq 848 destination-port eq 848
    Indicates that any UDP packets whose source and destination port numbers are both 848 do not need to be protected by IPsec.
rule 1 deny ospf
    Indicates that OSPF protocol packets do not need to be protected by IPsec.
rule 2 permit icmp
    Indicates that any ICMP packets need to be protected by IPsec.
Rekey transport type
    Transport type of rekey messages: Multicast or Unicast.
Lifetime (sec)
    KEK lifetime, in seconds.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Field / Description
rule 1 permit ip source 12.1.1.0 0.0.0.255 destination 12.1.1.0 0.0.0.255
    Indicates that IPsec protects IP packets whose source and destination addresses are within subnet 12.1.1.0/24.
rule 0 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    Indicates that IPsec does not protect IP packets whose source and destination addresses are within subnet 10.1.1.0/24.
display gdoi gm ipsec sa
Use display gdoi gm ipsec sa to display IPsec SA information obtained by GMs.
  IPsec SA:
    SPI: 0xDCC66F7B(3703992187)
    Transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
    SA timing: remaining key lifetime (sec): 190
    Anti-replay detection: Disabled
Table 95 Command output
Field                                 Description
Interface                             Name of the interface bound to the IPsec SA.
Transform                             Transform set.
remaining key lifetime (sec)          Remaining lifetime of the IPsec SA, in seconds.
anti-replay window size(time based)   Time-based anti-replay window size, in seconds.
Group Member Information For Group GDOI-GROUP1:
  IPsec SA Direction      : Both
  Group Member            : 80.1.1.1
  VPN instance            : vpn1
  Registration status     : Registered
  Registered with         : 90.1.1.1
  Re-register in          : 308 sec
  Succeeded registrations : 1131
  Attempted registrations : 1139
  Last rekey from         : 90.1.1.
Field                    Description
Allowable rekey cipher   The rekey encryption algorithm that the GM allows. Any indicates that the GM allows all encryption algorithms.
Allowable rekey hash     The rekey hash algorithm that the GM allows. Any indicates that the GM allows all hash algorithms.
Allowable transform      The rekey transform mode that the GM allows. Any indicates that the GM allows all transform modes.
display gdoi gm pubkey
Use display gdoi gm pubkey to display the public key information received by GMs.
Table 97 Command output
Field        Description
Group Name   GDOI GM group name.
Conn-ID      ID of the rekey SA.
My Cookie    Local cookie of the rekey SA.
His Cookie   Peer cookie of the rekey SA.
display gdoi gm rekey
Use display gdoi gm rekey to display rekey information for GMs.
  Multicast destination address : 239.192.1.190
# Display detailed rekey information of all GMs.
display gdoi gm rekey verbose
Group Name: GDOI-GROUP1 (Multicast)
  Number of rekeys received (cumulative)       : 1904
  Number of rekeys received after registration : 889
  Multicast destination address                : 239.192.1.190
  Rekey (KEK) SA Information:
              Source          Destination   Conn-ID   My Cookie   His Cookie
    New     : 239.192.1.190   90.1.1.1      9646      14406D26    8C58E504
    Current : 239.192.1.190   90.1.1.
Views
System view
Default command level
2: System level
Parameters
group-name: Specifies a name for the GDOI GM group, a case-sensitive string of 1 to 63 characters.
Usage guidelines
A GDOI GM group includes the information that the GM uses to register with a KS, such as the group ID, KS address, and registration interface. The device supports 64 GDOI GM groups at most.
Examples
# Create a GDOI GM group named abc, and enter its view.
Examples
# Configure a GDOI IPsec policy entry and enter its view. The IPsec policy name is map and the entry sequence number is 1.
system-view
[Sysname] ipsec policy map 1 gdoi
# Reference GDOI GM group abc for the GDOI IPsec policy entry.
[Sysname-ipsec-policy-gdoi-map-1] group abc
Related commands
gdoi gm group
identity
Use identity to configure an ID for the GDOI GM group.
Use undo identity to delete the GDOI GM group ID.
reset gdoi gm
Use reset gdoi gm to clear GDOI information that GMs downloaded from a KS, including the IKE SA, rekey SA, IPsec SA, and ACL, and to trigger the GMs to re-register with the KS.
Syntax
reset gdoi gm [ group group-name ]
Views
User view
Default command level
2: System level
Parameters
group group-name: Clears the GDOI information of GMs in a GDOI GM group. The group-name argument specifies the name of a GDOI GM group, a case-sensitive string of 1 to 63 characters.
Usage guidelines
You must specify KSs for GMs in a GDOI GM group. A GDOI GM group can have up to eight KS addresses. A GM first sends a registration request to the first-specified KS. If the registration does not succeed before the register timer expires, the GM registers with the other KSs one by one in the order they are configured until the registration succeeds. If all registration attempts fail, the GM repeats the registration process.
Examples
# Specify two KS addresses, 3.3.3.3 and 3.3.3.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention        Description
Boldface          Bold text represents commands and keywords that you enter literally as shown.
Italic            Italic text represents arguments that you replace with actual values.
[ ]               Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }   Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.