R3303-HP 6600/HSR6600 Routers Security Command Reference
Table Of Contents
- Title Page
- Contents
- AAA configuration commands
- aaa nas-id profile
- access-limit enable
- accounting command
- accounting default
- accounting dvpn
- accounting lan-access
- accounting login
- accounting optional
- accounting portal
- accounting ppp
- accounting ssl-vpn
- authentication default
- authentication dvpn
- authentication lan-access
- authentication login
- authentication portal
- authentication ppp
- authentication ssl-vpn
- authentication super
- authorization command
- authorization default
- authorization dvpn
- authorization lan-access
- authorization login
- authorization portal
- authorization ppp
- authorization ssl-vpn
- authorization-attribute user-profile
- cut connection
- display connection
- display domain
- domain
- domain default enable
- domain if-unknown
- idle-cut enable
- ip pool
- nas device-id
- nas-id bind vlan
- self-service-url enable
- session-time include-idle-time
- state (ISP domain view)
- access-limit
- authorization-attribute
- bind-attribute
- display local-user
- display user-group
- expiration-date
- group
- group-attribute allow-guest
- local-user
- password
- service-type
- state (local user view)
- user-group
- validity-date
- accounting-on enable
- attribute 25 car
- data-flow-format (RADIUS scheme view)
- display radius scheme
- display radius statistics
- display stop-accounting-buffer (for RADIUS)
- key (RADIUS scheme view)
- nas-backup-ip
- nas-ip (RADIUS scheme view)
- primary accounting (RADIUS scheme view)
- primary authentication (RADIUS scheme view)
- radius client
- radius nas-backup-ip
- radius nas-ip
- radius scheme
- radius trap
- reset radius statistics
- reset stop-accounting-buffer (for RADIUS)
- retry
- retry realtime-accounting
- retry stop-accounting (RADIUS scheme view)
- secondary accounting (RADIUS scheme view)
- secondary authentication (RADIUS scheme view)
- security-policy-server
- server-type
- state primary
- state secondary
- stop-accounting-buffer enable (RADIUS scheme view)
- timer quiet (RADIUS scheme view)
- timer realtime-accounting (RADIUS scheme view)
- timer response-timeout (RADIUS scheme view)
- user-name-format (RADIUS scheme view)
- vpn-instance (RADIUS scheme view)
- data-flow-format (HWTACACS scheme view)
- display hwtacacs
- display stop-accounting-buffer (for HWTACACS)
- hwtacacs nas-ip
- hwtacacs scheme
- key (HWTACACS scheme view)
- nas-ip (HWTACACS scheme view)
- primary accounting (HWTACACS scheme view)
- primary authentication (HWTACACS scheme view)
- primary authorization
- reset hwtacacs statistics
- reset stop-accounting-buffer (for HWTACACS)
- retry stop-accounting (HWTACACS scheme view)
- secondary accounting (HWTACACS scheme view)
- secondary authentication (HWTACACS scheme view)
- secondary authorization
- stop-accounting-buffer enable (HWTACACS scheme view)
- timer quiet (HWTACACS scheme view)
- timer realtime-accounting (HWTACACS scheme view)
- timer response-timeout (HWTACACS scheme view)
- user-name-format (HWTACACS scheme view)
- vpn-instance (HWTACACS scheme view)
- 802.1X commands
- display dot1x
- dot1x
- dot1x authentication-method
- dot1x auth-fail vlan
- dot1x critical vlan
- dot1x critical recovery-action
- dot1x domain-delimiter
- dot1x guest-vlan
- dot1x handshake
- dot1x handshake secure
- dot1x mandatory-domain
- dot1x max-user
- dot1x multicast-trigger
- dot1x port-control
- dot1x port-method
- dot1x quiet-period
- dot1x re-authenticate
- dot1x retry
- dot1x supp-proxy-check
- dot1x timer
- dot1x unicast-trigger
- reset dot1x statistics
- EAD fast deployment commands
- MAC authentication configuration commands
- Portal configuration commands
- access-user detect
- display portal acl
- display portal connection statistics
- display portal free-rule
- display portal interface
- display portal server
- display portal server statistics
- display portal tcp-cheat statistics
- display portal user
- portal auth-network
- portal auth-network destination
- portal backup-group
- portal delete-user
- portal device-id
- portal domain
- portal free-rule
- portal max-user
- portal nas-id
- portal nas-id-profile
- portal nas-ip
- portal nas-port-id
- portal nas-port-type
- portal redirect-url
- portal server
- portal server method
- portal server server-detect
- portal server user-sync
- reset portal connection statistics
- reset portal server statistics
- reset portal tcp-cheat statistics
- Port security configuration commands
- display port-security
- display port-security mac-address block
- display port-security mac-address security
- port-security authorization ignore
- port-security enable
- port-security intrusion-mode
- port-security mac-address aging-type inactivity
- port-security mac-address dynamic
- port-security mac-address security
- port-security max-mac-count
- port-security ntk-mode
- port-security oui
- port-security port-mode
- port-security timer autolearn aging
- port-security timer disableport
- port-security trap
- User profile configuration commands
- Password control configuration commands
- display password-control
- display password-control blacklist
- password
- password-control { aging | composition | history | length } enable
- password-control aging
- password-control alert-before-expire
- password-control authentication-timeout
- password-control complexity
- password-control composition
- password-control enable
- password-control expired-user-login
- password-control history
- password-control length
- password-control login idle-time
- password-control login-attempt
- password-control password update interval
- password-control super aging
- password-control super composition
- password-control super length
- reset password-control blacklist
- reset password-control history-record
- RSH configuration commands
- Public key configuration commands
- display public-key local public
- display public-key peer
- peer-public-key end
- public-key-code begin
- public-key-code end
- public-key local create
- public-key local destroy
- public-key local export
- public-key local export public dsa
- public-key local export public rsa
- public-key local import
- public-key peer
- public-key peer import sshkey
- PKI configuration commands
- attribute
- ca identifier
- certificate request entity
- certificate request from
- certificate request mode
- certificate request polling
- certificate request url
- common-name
- country
- crl check
- crl update-period
- crl url
- display pki certificate
- display pki certificate access-control-policy
- display pki certificate attribute-group
- display pki crl domain
- fqdn
- ip (PKI entity view)
- ldap-server
- locality
- organization
- organization-unit
- pki certificate access-control-policy
- pki certificate attribute-group
- pki delete-certificate
- pki domain
- pki entity
- pki import-certificate
- pki request-certificate domain
- pki retrieval-certificate
- pki retrieval-crl domain
- pki validate-certificate
- root-certificate fingerprint
- rule (PKI CERT ACP view)
- state
- IPsec configuration commands
- ah authentication-algorithm
- connection-name
- cryptoengine enable
- display ipsec policy
- display ipsec policy-template
- display ipsec profile
- display ipsec sa
- display ipsec statistics
- display ipsec transform-set
- display ipsec tunnel
- encapsulation-mode
- esp authentication-algorithm
- esp encryption-algorithm
- ike-peer (IPsec policy view/IPsec policy template view/IPsec profile view)
- ipsec anti-replay check
- ipsec anti-replay window
- ipsec decrypt check
- ipsec fragmentation before-encryption
- ipsec invalid-spi-recovery enable
- ipsec policy (interface view)
- ipsec policy (system view)
- ipsec policy isakmp template
- ipsec policy-template
- ipsec profile (system view)
- ipsec profile (tunnel interface view)
- ipsec sa global-duration
- ipsec transform-set
- pfs
- policy enable
- qos pre-classify
- reset ipsec sa
- reset ipsec statistics
- reverse-route
- reverse-route preference
- reverse-route tag
- sa authentication-hex
- sa duration
- sa encryption-hex
- sa spi
- sa string-key
- security acl
- transform
- transform-set
- tunnel local
- tunnel remote
- IKE configuration commands
- authentication-algorithm
- authentication-method
- certificate domain
- dh
- display ike dpd
- display ike peer
- display ike proposal
- display ike sa
- dpd
- encryption-algorithm
- exchange-mode
- id-type
- ike dpd
- ike local-name
- ike next-payload check disabled
- ike peer (system view)
- ike proposal
- ike sa keepalive-timer interval
- ike sa keepalive-timer timeout
- ike sa nat-keepalive-timer interval
- interval-time
- local
- local-address
- local-name
- nat traversal
- peer
- pre-shared-key
- proposal (IKE peer view)
- remote-address
- remote-name
- reset ike sa
- sa duration
- time-out
- SSH configuration commands
- display ssh server
- display ssh user-information
- sftp server enable
- sftp server idle-timeout
- ssh server authentication-retries
- ssh server authentication-timeout
- ssh server compatible-ssh1x enable
- ssh server enable
- ssh server rekey-interval
- ssh user
- bye
- cd
- cdup
- delete
- dir
- display sftp client source
- display ssh client source
- display ssh server-info
- exit
- get
- help
- ls
- mkdir
- put
- pwd
- quit
- remove
- rename
- rmdir
- scp
- sftp
- sftp client ipv6 source
- sftp client source
- sftp ipv6
- ssh client authentication server
- ssh client first-time enable
- ssh client ipv6 source
- ssh client source
- ssh2
- ssh2 ipv6
- SSL configuration commands
- SSL VPN configuration commands
- Firewall configuration commands
- display firewall ipv6 statistics
- display firewall-statistics
- firewall default
- firewall enable
- firewall ipv6 default
- firewall ipv6 enable
- firewall packet-filter
- firewall packet-filter ipv6
- reset firewall ipv6 statistics
- reset firewall-statistics
- aspf-policy
- display aspf all
- display aspf interface
- display aspf policy
- display port-mapping
- firewall aspf
- icmp-error drop
- port-mapping
- tcp syn-check
- ALG configuration commands
- Session management commands
- application aging-time
- display application aging-time
- display session aging-time
- display session hardware
- display session relation-table
- display session statistics
- display session table
- reset session
- reset session statistics
- session aging-time
- session checksum
- session early-ageout
- session log bytes-active
- session log enable
- session log packets-active
- session log time-active
- session max-entries
- session persist acl
- Connection limit configuration commands
- Web filtering configuration commands
- display firewall http activex-blocking
- display firewall http java-blocking
- display firewall http url-filter host
- display firewall http url-filter parameter
- firewall http activex-blocking acl
- firewall http activex-blocking enable
- firewall http activex-blocking suffix
- firewall http java-blocking acl
- firewall http java-blocking enable
- firewall http java-blocking suffix
- firewall http url-filter host acl
- firewall http url-filter host default
- firewall http url-filter host enable
- firewall http url-filter host ip-address
- firewall http url-filter host url-address
- firewall http url-filter parameter
- firewall http url-filter parameter enable
- reset firewall http
- Attack detection and protection configuration commands
- attack-defense apply policy
- attack-defense logging enable
- attack-defense policy
- blacklist enable
- blacklist ip
- defense icmp-flood action drop-packet
- defense icmp-flood enable
- defense icmp-flood ip
- defense icmp-flood rate-threshold
- defense scan add-to-blacklist
- defense scan blacklist-timeout
- defense scan enable
- defense scan max-rate
- defense syn-flood action
- defense syn-flood enable
- defense syn-flood ip
- defense syn-flood rate-threshold
- defense udp-flood action drop-packet
- defense udp-flood enable
- defense udp-flood ip
- defense udp-flood rate-threshold
- display attack-defense policy
- display attack-defense statistics interface
- display blacklist
- display flow-statistics statistics
- display flow-statistics statistics interface
- display tcp-proxy protected-ip
- flow-statistics enable
- reset attack-defense statistics interface
- signature-detect
- signature-detect action drop-packet
- signature-detect large-icmp max-length
- tcp-proxy enable
- tcp-proxy mode
- TCP attack protection configuration commands
- IP source guard configuration commands
- ARP attack protection configuration commands
- arp resolving-route enable
- arp source-suppression enable
- arp source-suppression limit
- display arp source-suppression
- arp rate-limit
- arp anti-attack valid-ack enable
- arp anti-attack active-ack enable
- arp authorized enable
- arp detection
- arp detection enable
- arp detection trust
- arp detection validate
- arp restricted-forwarding enable
- display arp detection
- display arp detection statistics
- reset arp detection statistics
- arp fixup
- arp scan
- arp filter source
- arp filter binding
- ND attack defense configuration commands
- URPF configuration commands
- FIPS configuration commands
- Group Domain VPN commands
- display gdoi ks
- display gdoi ks acl
- display gdoi ks members
- display gdoi ks policy
- display gdoi ks redundancy
- display gdoi ks rekey
- gdoi ks group
- gdoi ks redundancy port
- gdoi ks rekey
- identity address
- identity number
- ipsec
- local priority
- peer address
- profile (GDOI KS group IPsec policy view)
- redundancy enable
- redundancy hello
- redundancy retransmit
- rekey acl
- rekey authentication
- rekey encryption
- rekey lifetime
- rekey retransmit
- rekey transport unicast
- reset gdoi ks
- reset gdoi ks members
- reset gdoi ks redundancy role
- security acl (GDOI KS group IPsec policy view)
- source address
- client registration interface
- display gdoi gm
- display gdoi gm acl
- display gdoi gm ipsec sa
- display gdoi gm members
- display gdoi gm pubkey
- display gdoi gm rekey
- gdoi gm group
- group
- identity
- reset gdoi gm
- server address
- Support and other resources
- Index
176
Examples
# Configure the authentication domain for IPv4 portal users on GigabitEthernet 3/0/1 as my-domain.
<Sysname> system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] portal domain my-domain
Related commands
display portal interface
portal free-rule
Use portal free-rule to configure a portal-free rule and specify the source filtering condition, destination
filtering condition, or both.
Use undo portal free-rule to remove a specific portal-free rule or all portal-free rules.
Syntax
portal free-rule rule-number { destination { any | ip { ip-address mask { mask-length | mask } | any } [ tcp
tcp-port-number [ to tcp-port-number ] | udp udp-port-number [ to udp-port-number ] ] } | source { any |
[ interface interface-type interface-number | ip { ip-address mask { mask-length | mask } | any } [ tcp
tcp-port-number [ to tcp-port-number ] | udp udp-port-number [ to udp-port-number ] ] | mac mac-address
| vlan vlan-id ] ] * } } *
undo portal free-rule { rule-number | all }
Views
System view
Default command level
2: System level
Parameters
rule-number: Number for the portal-free rule, in the range of 0 to 1023.
any: Imposes no limitation on the previous keyword.
ip ip-address: Specifies an IP address for the portal-free rule.
mask { mask-length | mask }: Specifies a mask or mask length for the IP address. The mask argument is
a subnet mask in dotted decimal notation. The mask-length argument is a subnet mask length, an integer
in the range of 0 to 32.
tcp tcp-port-number [ to tcp-port-number ]: Specifies a range of TCP port numbers. The value range for the
tcp-port-number argument is 0 to 65535.
udp udp-port-number [ to udp-port-number ]: Specifies a range of UDP port numbers. The value range for
the udp-port-number argument is 0 to 65535.
interface interface-type interface-number: Specifies a source interface.
mac mac-address: Specifies a source MAC address in the format H-H-H.
vlan vlan-id: Specifies a source VLAN ID. The following matrix shows the vlan vlan-id option and router
compatibility: