HP MSR Router Series Security Command Reference (V5)
Part number: 5998-2046
Software version: CMW520-R2511
Document version: 6PW103-20140128
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents (partial)
AAA configuration commands
General AAA configuration commands
aaa nas-id profile
display local-user
display user-group
expiration-date (local user view)
group
reset stop-accounting-buffer (for HWTACACS)
retry stop-accounting (HWTACACS scheme view)
secondary accounting (HWTACACS scheme view)
secondary authentication (HWTACACS scheme view)
mac-authentication user-name-format
reset mac-authentication statistics
Port security configuration commands
display port-security
ipsec profile (system view)
ipsec profile (tunnel interface view)
ipsec sa global-duration
ipsec session idle-time
pre-shared-key
proposal (IKE peer view)
remote-address
remote-name
certificate request mode
certificate request polling
certificate request url
common-name
display portal interface
display portal local-server
display portal server
detect
display aspf all
display aspf interface
SSL configuration commands
ciphersuite
client-verify enable
defense icmp-flood enable
defense icmp-flood ip
defense icmp-flood rate-threshold
defense scan add-to-blacklist
password-control length
password-control login idle-time
password-control login-attempt
password-control password update
GM configuration commands
client registration interface
display gdoi gm
AAA configuration commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
The following matrix shows the FIPS and hardware compatibility:
Hardware / FIPS mode
MSR900: No
MSR93X: No
MSR20-1X: No
MSR20: Yes
MSR30: Yes (except the MSR30-16)
MSR50: Yes
MSR1000: Yes
Related commands
nas-id bind vlan
access-limit enable
Use access-limit enable to set the maximum number of online users in an ISP domain. After the number of online users reaches the allowed maximum, no more users are accepted. Use undo access-limit enable to restore the default.
Syntax
access-limit enable max-user-number
undo access-limit enable
Default
There is no limit to the number of online users in an ISP domain.
Default
The default accounting method for the ISP domain is used for command line accounting.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified HWTACACS scheme must have been configured. Command line accounting can use only an HWTACACS scheme.
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
Examples
# Configure ISP domain test to use local accounting for DVPN users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
Examples
# Configure ISP domain test to use local accounting for LAN users.
Default
The default accounting method for the ISP domain is used for login users.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Default
The feature is disabled.
Views
ISP domain view
Default command level
2: System level
Usage guidelines
After you configure the accounting optional command for a domain, a user who would otherwise be disconnected can continue to use the network resources when no accounting server is available or when communication with the current accounting server fails. However, the device no longer sends real-time accounting updates for the user. This is a fail-open setting for accounting: sessions admitted this way leave no real-time accounting records on the server, so enable it only where losing the audit trail for those sessions is acceptable.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
Examples
# Configure ISP domain test to use local accounting for portal users.
system-view
[Sysname] domain test
[Sysname-isp-test] accounting portal local
# Configure ISP domain test to use RADIUS scheme rd for accounting on portal users and use local accounting as the backup.
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
Examples
# Configure ISP domain test to use local accounting for PPP users.
Parameters
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
Examples
# Configure ISP domain test to use RADIUS accounting scheme rd for SSL VPN users.
[Sysname] domain test
[Sysname-isp-test] accounting voip radius-scheme rd
Related commands
• accounting default
• radius scheme
authentication default
Use authentication default to configure the default authentication method for an ISP domain. Use undo authentication default to restore the default.
[Sysname] domain test
[Sysname-isp-test] authentication default radius-scheme rd local
Related commands
• local-user
• hwtacacs scheme
• radius scheme
authentication dvpn
Use authentication dvpn to configure the authentication method for DVPN users. Use undo authentication dvpn to restore the default.
[Sysname-isp-test] authentication dvpn radius-scheme rd local
Related commands
• local-user
• authentication default
• radius scheme
authentication lan-access
Use authentication lan-access to configure the authentication method for LAN users. Use undo authentication lan-access to restore the default.
Related commands
• local-user
• authentication default
• radius scheme
authentication login
Use authentication login to configure the authentication method for login users through the console, AUX, or Asyn port, Telnet, or FTP. Use undo authentication login to restore the default.
# Configure ISP domain test to use RADIUS authentication scheme rd for login users and use local authentication as the backup.
system-view
[Sysname] domain test
[Sysname-isp-test] authentication login radius-scheme rd local
Related commands
• local-user
• authentication default
• hwtacacs scheme
• radius scheme
authentication portal
Use authentication portal to configure the authentication method for portal users. Use undo authentication portal to restore the default.
# Configure ISP domain test to use RADIUS scheme rd for authentication of portal users and use local authentication as the backup.
system-view
[Sysname] domain test
[Sysname-isp-test] authentication portal radius-scheme rd local
Related commands
• local-user
• authentication default
• radius scheme
authentication ppp
Use authentication ppp to configure the authentication method for PPP users. Use undo authentication ppp to restore the default.
system-view
[Sysname] domain test
[Sysname-isp-test] authentication ppp local
# Configure ISP domain test to use RADIUS authentication scheme rd for PPP users and use local authentication as the backup.
authentication voip
Use authentication voip to configure the authentication method for VoIP users. Use undo authentication voip to restore the default.
Syntax
authentication voip radius-scheme radius-scheme-name
undo authentication voip
Default
The default authentication method for the ISP domain is used for VoIP users.
Default
The default authentication method for the ISP domain is used for user privilege level switching authentication.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated user can access only commands of Level 0.
Usage guidelines
The specified HWTACACS scheme must have been configured.
undo authorization default
Default
The default authorization method of an ISP domain is local.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange.
undo authorization dvpn
In FIPS mode:
authorization dvpn { local | radius-scheme radius-scheme-name [ local ] }
undo authorization dvpn
Default
The default authorization method for the ISP domain is used for DVPN users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated user can access the network directly. This keyword is not available in FIPS mode.
Syntax
In non-FIPS mode:
authorization lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo authorization lan-access
In FIPS mode:
authorization lan-access { local | radius-scheme radius-scheme-name [ local ] }
undo authorization lan-access
Default
The default authorization method for the ISP domain is used for LAN users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local authorization.
authorization login
Use authorization login to configure the authorization method for login users through the console, AUX, or Asyn port, Telnet, or FTP. Use undo authorization login to restore the default.
[Sysname] domain test
[Sysname-isp-test] authorization login radius-scheme rd local
Related commands
• local-user
• authorization default
• hwtacacs scheme
• radius scheme
authorization portal
Use authorization portal to configure the authorization method for portal users. Use undo authorization portal to restore the default.
[Sysname-isp-test] authorization portal local
# Configure ISP domain test to use RADIUS scheme rd for authorization of portal users and use local authorization as the backup.
system-view
[Sysname] domain test
[Sysname-isp-test] authorization portal radius-scheme rd local
Related commands
• local-user
• authorization default
• radius scheme
authorization ppp
Use authorization ppp to configure the authorization method for PPP users. Use undo authorization ppp to restore the default.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. When you review a domain, check that both commands name the same scheme; if they name different schemes, the RADIUS authorization setting has no effect.
Examples
# Configure ISP domain test to use local authorization for PPP users.
system-view
[Sysname] domain test
[Sysname-isp-test] authorization ppp local
# Configure ISP domain test to use RADIUS authorization scheme rd for PPP users and use local authorization as the backup.
[Sysname] domain test
[Sysname-isp-test] authorization ssl-vpn radius-scheme rd
Related commands
• authorization default
• radius scheme
authorization voip
Use authorization voip to configure the authorization method for VoIP users. Use undo authorization voip to restore the default.
Syntax
authorization voip radius-scheme radius-scheme-name
undo authorization voip
Default
The default authorization method for the ISP domain is used for VoIP users.
authorization-attribute user-profile
Use authorization-attribute user-profile to specify the default authorization user profile for an ISP domain. Use undo authorization-attribute user-profile to restore the default.
Syntax
authorization-attribute user-profile profile-name
undo authorization-attribute user-profile
Default
An ISP domain has no default authorization user profile.
Parameters
access-type: Specifies the user connections of the specified access type.
• dot1x: Indicates 802.1X authentication.
• mac-authentication: Indicates MAC address authentication.
• portal: Indicates portal authentication.
all: Specifies all user connections.
domain isp-name: Specifies the user connections of an ISP domain. The isp-name argument represents the name of an existing ISP domain and is a string of 1 to 24 characters.
display connection
Use display connection to display information about AAA user connections.
If you specify the ucibindex ucib-index option, this command displays detailed information. Otherwise, this command displays brief information.
If an interface is configured with a mandatory authentication domain (for example, an 802.1X mandatory authentication domain), the device uses the mandatory authentication domain to perform authentication, authorization, and accounting for users who access the interface through the specified access type.
Parameters
isp-name: Specifies the name of an existing ISP domain, a string of 1 to 24 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
Field / Description
State: Status of the ISP domain: active or blocked. Users in an active ISP domain can request network services, and users in a blocked ISP domain cannot.
Access-limit: Limit on the number of user connections. If there is no limit on the number, this field displays Disabled.
Accounting method: Indicates whether accounting is required. If accounting is required, when no accounting server is available or when communication with the accounting server fails, user connections are torn down.
Views
System view
Default command level
3: Manage level
Parameters
isp-name: Specifies an ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain the slash (/), backslash (\), colon (:), asterisk (*), question mark (?), left angle bracket (<), vertical bar (|), right angle bracket (>), quotation marks ("), and at sign (@).
Usage guidelines
All ISP domains are in active state when they are created.
The specified domain must already exist. Otherwise, users without a domain name in the username cannot pass authentication. To delete the ISP domain that is used as the default ISP domain, you must first change it to a non-default ISP domain by using the undo domain default enable command.
Examples
# Create a new ISP domain named test, and configure it as the default ISP domain.
NOTE:
Support for the authentication domain configuration depends on the access module. You can specify an authentication domain for 802.1X, portal, or MAC address authentication.
Examples
# Specify the ISP domain test for users with unknown domain names.
system-view
[Sysname] domain if-unknown test
Related commands
domain default enable
idle-cut enable
Use idle-cut enable to enable the idle cut function and set the relevant parameters. Use undo idle-cut enable to restore the default.
Related commands
domain
ip pool
Use ip pool to configure an address pool for assigning addresses to PPP users. Use undo ip pool to delete an address pool.
Syntax
ip pool pool-number low-ip-address [ high-ip-address ]
undo ip pool pool-number
Default
No IP address pool is configured for PPP users.
Views
ISP domain view
Default command level
2: System level
Parameters
pool-number: Specifies the address pool number in the range of 0 to 99.
nas-id bind vlan
Use nas-id bind vlan to bind a NAS ID with a VLAN. Use undo nas-id bind vlan to remove a NAS ID-VLAN binding.
Syntax
nas-id nas-identifier bind vlan vlan-id
undo nas-id nas-identifier bind vlan vlan-id
Default
No NAS ID-VLAN binding exists.
Views
NAS ID profile view
Default command level
2: System level
Parameters
nas-identifier: Specifies the NAS ID, a case-sensitive string of 1 to 20 characters.
vlan-id: Specifies the ID of the VLAN to be bound with the NAS ID.
Views
ISP domain view
Default command level
2: System level
Parameters
url-string: Specifies the URL of the self-service server, a string of 1 to 64 characters that starts with http:// and contains no question mark. This URL was specified by the RADIUS server administrator during RADIUS server installation.
Usage guidelines
With the self-service function, users can manage and control their accounts and passwords. Only the RADIUS server systems provided by IMC support the self-service function.
system-view
[Sysname] domain test
[Sysname-isp-test] session-time include-idle-time
Related commands
idle-cut enable
state (ISP domain view)
Use state to set the status of an ISP domain. Use undo state to restore the default.
Syntax
state { active | block }
undo state
Default
An ISP domain is in active state.
Views
ISP domain view
Default command level
2: System level
Parameters
active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.
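The ISP-domain commands above combine into a small set of settings worth auditing across every domain on a device: a method list that can fall through to none, accounting optional, a RADIUS authorization scheme that differs from the authentication scheme for the same access type (the reference states RADIUS authorization only takes effect when both use the same scheme), and, for local users described later in this chapter, service-type telnet (not available in FIPS mode) and a missing expiration-date. The following script is an added example and not HP code: it parses a constructed running-config excerpt written in the syntax this reference documents and reports those conditions. The scheme, domain and user names (rd, rd2, corp, guest, ops) and the finding codes are assumptions made up for the example.

```python
"""Audit Comware V5-style AAA configuration text for the fail-open settings this
reference describes. Added example, not HP code."""
import re
from collections import defaultdict

# Constructed running-config excerpt. Command syntax follows the reference;
# the scheme, domain and user names (rd, rd2, corp, guest, ops) are made up.
SAMPLE_CONFIG = """\
radius scheme rd
 primary authentication 10.0.0.5
#
domain corp
 authentication login radius-scheme rd local
 authorization login radius-scheme rd2 local
 accounting login radius-scheme rd none
 accounting optional
 access-limit enable 200
#
domain guest
 authentication portal none
 authorization portal none
 accounting portal none
#
local-user ops
 service-type telnet ssh
 authorization-attribute level 3
#
"""

VIEW_RE = re.compile(r"^(domain|local-user|radius scheme|hwtacacs scheme)\s+(\S+)")
AAA_RE = re.compile(r"^(authentication|authorization|accounting)\s+(\S+)\s+(.+)$")


def parse_views(text):
    """Return (view, name, [body lines]). Comware indents a view's body by one
    space and closes it with a line holding only '#'."""
    views, current = [], None
    for raw in text.splitlines():
        if raw.strip() == "#":
            current = None
        elif raw.startswith(" ") and current is not None:
            current[2].append(raw.strip())
        else:
            m = VIEW_RE.match(raw)
            # 'domain default enable X' is a system-view command, not a view.
            if m and not (m.group(1) == "domain" and m.group(2) == "default"):
                current = (m.group(1), m.group(2), [])
                views.append(current)
    return views


def method_chain(rest):
    """'radius-scheme rd local' -> [('radius-scheme', 'rd'), ('local', None)]."""
    toks, chain, i = rest.split(), [], 0
    while i < len(toks):
        if toks[i] in ("radius-scheme", "hwtacacs-scheme") and i + 1 < len(toks):
            chain.append((toks[i], toks[i + 1]))
            i += 2
        else:
            chain.append((toks[i], None))
            i += 1
    return chain


def audit_domain(name, lines):
    findings, per_type = [], defaultdict(dict)
    for line in lines:
        if line == "accounting optional":
            findings.append((name, "ACCT_OPTIONAL",
                             "users stay online with no accounting when the server is unreachable"))
            continue
        m = AAA_RE.match(line)
        if not m:
            continue
        phase, access_type, rest = m.groups()
        chain = method_chain(rest)
        per_type[access_type][phase] = dict(chain)
        if any(method == "none" for method, _ in chain):
            findings.append((name, "METHOD_NONE", f"{phase} {access_type} can fall through to 'none'"))
    # RADIUS authorization only takes effect when it names the same scheme as authentication.
    for access_type, phases in per_type.items():
        authn = phases.get("authentication", {})
        authz = phases.get("authorization", {})
        if "radius-scheme" in authz and authz["radius-scheme"] != authn.get("radius-scheme"):
            findings.append((name, "RADIUS_AUTHZ_MISMATCH",
                             f"{access_type}: authorization uses RADIUS scheme {authz['radius-scheme']} "
                             f"but authentication uses {authn.get('radius-scheme')}; "
                             "RADIUS authorization will not take effect"))
    return findings


def audit_local_user(name, lines):
    findings = []
    if not any(ln.startswith("expiration-date") for ln in lines):
        findings.append((name, "NO_EXPIRATION", "no expiration-date, so no time validity checking"))
    for line in lines:
        if line.startswith("service-type") and "telnet" in line.split():
            findings.append((name, "TELNET_SERVICE", "service-type telnet is not available in FIPS mode"))
    return findings


def audit(text):
    """Return a list of (view name, code, detail) findings for a config text."""
    findings = []
    for view, name, lines in parse_views(text):
        if view == "domain":
            findings.extend(audit_domain(name, lines))
        elif view == "local-user":
            findings.extend(audit_local_user(name, lines))
    return findings


if __name__ == "__main__":
    for name, code, detail in audit(SAMPLE_CONFIG):
        print(f"{name:8} {code:22} {detail}")
```

Run against the excerpt, the script reports the accounting method that ends in none and accounting optional on corp, the login authorization scheme rd2 that does not match the authentication scheme rd, the three none methods on guest, and the telnet service type and missing expiration-date on ops. Feed it the output of display current-configuration to audit a real device; a domain whose methods all end in local or a remote scheme produces no findings.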
undo access-limit
Default
There is no limit to the number of users who concurrently use the same local user account.
Views
Local user view
Default command level
3: Manage level
Parameters
max-user-number: Specifies the maximum number of concurrent users of the same local user account. The value range is 1 to 1024.
Usage guidelines
This command takes effect only when local accounting is used for the user account. This limit has no effect on FTP users because accounting is not available for FTP users.
Parameters
acl acl-number: Specifies the authorization ACL. The ACL number is in the range of 2000 to 5999. After passing authentication, a local user is authorized to access the network resources specified by this ACL.
callback-number callback-number: Specifies the authorized PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the device uses this number to call the user.
idle-cut minute: Sets the idle timeout period.
If only one user is playing the role of security log administrator in the system, you cannot delete the user account or remove or change the user's role, unless you first configure another user as a security log administrator.
A local user can play only one role at a time. If you execute the command multiple times, the most recent configuration takes effect.
Examples
# Configure the authorized VLAN of local user abc as VLAN 2.
Usage guidelines
Binding attributes are checked upon authentication of a local user. If the binding attributes of a local user do not match the configured ones, the user fails checking and authentication.
Binding attribute checking does not take the service types of users into account. A configured binding attribute is effective for all types of users. Configure binding attributes for different types of local users with caution. For example, an IP address binding applies only to 802.
• terminal: Users logging in through the console port, AUX port, or Asyn port.
• web: Web users.
state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.
user-name user-name: Specifies all local users using the specified username. The username is a case-sensitive string of 1 to 55 characters, and it does not contain the domain name.
vlan vlan-id: Specifies all local users in a VLAN.
Table 3 Command output
Field / Description
State: Status of the local user: active or blocked.
ServiceType: Service types that the local user can use, including DVPN, FTP, LAN access, PAD, PPP, portal, SSH, Telnet, terminal, and Web.
Access-limit: Whether or not to limit the number of concurrent connections of the username.
Current AccessNum: Number of connections that use the username.
Max AccessNum: Maximum number of concurrent connections of the username.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any user group name, the command displays the configuration of all user groups.
Examples
# Display the configuration of user group abc.
Syntax
expiration-date time
undo expiration-date
Default
A local user has no expiration time, and no time validity checking is performed.
Views
Local user view
Default command level
3: Manage level
Parameters
time: Specifies the expiration time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where HH is in the range of 0 to 23, and MM and SS are in the range of 0 to 59.
Views
Local user view
Default command level
3: Manage level
Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.
Examples
# Assign local user 111 to user group abc.
system-view
[Sysname] local-user 111
[Sysname-luser-111] group abc
local-user
Use local-user to add a local user and enter local user view. Use undo local-user to remove the specified local users.
• telnet: Telnet users. This parameter is not supported in FIPS mode.
• terminal: Users logging in through the console, AUX, or Asyn port. This parameter is required in FIPS mode.
• web: Web users.
Examples
# Add a local user named user1.
system-view
[Sysname] local-user user1
[Sysname-luser-user1]
Related commands
• display local-user
• service-type
Related commands
• display local-user
• password
password (local user view)
Use password to configure a password for a local user.
Usage guidelines
If you do not specify any parameter, you enter the interactive mode to set a plaintext password. The interactive mode is available only on devices that support the password control feature. For more information about password control commands, see "Password control configuration commands."
ftp: Authorizes the user to use the FTP service. The user can use the root directory of the FTP server by default.
lan-access: Authorizes the user to use the LAN access service. The users are mainly Ethernet users such as 802.1X users.
pad: Authorizes the user to use the PAD service.
ssh: Authorizes the user to use the SSH service.
telnet: Authorizes the user to use the Telnet service.
terminal: Authorizes the user to use the terminal service, allowing the user to log in from the console, AUX, or Asyn port.
Examples
# Place local user user1 in blocked state.
system-view
[Sysname] local-user user1
[Sysname-luser-user1] state block
Related commands
local-user
user-group
Use user-group to create a user group and enter its view. Use undo user-group to remove a user group.
Syntax
user-group group-name
undo user-group group-name
Views
System view
Default command level
3: Manage level
Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.
Syntax
validity-date time
undo validity-date
Default
A local user has no validity time, and no time validity checking is performed.
Views
Local user view
Default command level
3: Manage level
Parameters
time: Specifies the validity time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where HH is in the range of 0 to 23, and MM and SS are in the range of 0 to 59.
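The expiration-date and validity-date commands accept the same four time formats and, by default, perform no checking at all. The following parser is an added example and not HP code: it accepts all four forms, shows that they cannot be confused with one another, and evaluates whether an account is usable at a given instant when one, both or neither bound is configured. Two details are assumptions rather than statements from the reference: both bounds are treated as inclusive, and a validity-date later than its expiration-date is rejected as a configuration error.

```python
"""Evaluate a local user's validity-date / expiration-date window using the
four time formats this reference lists. Added example, not HP code."""
from datetime import datetime

# The four accepted forms, in the order the reference lists them.
TIME_FORMATS = (
    "%H:%M:%S-%m/%d/%Y",
    "%H:%M:%S-%Y/%m/%d",
    "%m/%d/%Y-%H:%M:%S",
    "%Y/%m/%d-%H:%M:%S",
)


def parse_time(text):
    """Parse one of the four accepted forms. The forms cannot collide: %Y needs
    exactly four digits and %m/%d at most two, so a date is never read two ways."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"not an accepted time format: {text!r}")


def window_is_valid(validity_date, expiration_date):
    """False when validity-date is later than expiration-date (assumption:
    the reference does not say how the device treats such a window)."""
    return parse_time(validity_date) <= parse_time(expiration_date)


def account_usable(now, validity_date=None, expiration_date=None):
    """True if the account may be used at 'now' (a datetime or a string in one
    of the accepted forms). A bound that is not configured is not checked,
    matching the command defaults. Bounds are inclusive (assumption)."""
    if isinstance(now, str):
        now = parse_time(now)
    if validity_date and expiration_date and not window_is_valid(validity_date, expiration_date):
        raise ValueError("validity-date is later than expiration-date")
    if validity_date and now < parse_time(validity_date):
        return False
    if expiration_date and now > parse_time(expiration_date):
        return False
    return True


if __name__ == "__main__":
    # Constructed window: account valid from 28 Jan 2014 until noon on 1 Mar 2014.
    print(account_usable("2014/02/01-00:00:00", "2014/01/28-00:00:00", "12:00:00-03/01/2014"))
```

Because the device performs no checking when neither command is set, a local account without expiration-date stays usable indefinitely; the audit of a configuration should treat that as a finding rather than as the safe default.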
Default The accounting-on feature is disabled. Views RADIUS scheme view Default command level 2: System level Parameters seconds: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range is 1 to 15, and the default is 3. send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range is 1 to 255, and the default is 50.
Default command level 2: System level Examples # Specify the device to interpret RADIUS attribute 25 as CAR parameters. system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] attribute 25 car Related commands • display radius scheme • display connection data-flow-format (RADIUS scheme view) Use data-flow-format to set the traffic statistics unit for data flows or packets. Use undo data-flow-format to restore the default.
display radius scheme Use display radius scheme to display the configuration of RADIUS schemes. Syntax display radius scheme [ radius-scheme-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 2: System level Parameters radius-scheme-name: Specifies the RADIUS scheme name. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Encryption Key     : N/A
VPN instance       : N/A
Probe username     : N/A
Probe interval     : N/A
Second Acct Server:
  IP: 1.1.2.
Field             Description
Encryption Key    Shared key for secure authentication or accounting communication, displayed as a series of asterisks (******). If no shared key is configured, this field displays N/A.
VPN instance      MPLS L3VPN to which the server belongs. If no VPN instance is specified for the server, this field does not appear.
Probe username    Username used for server status detection.
Probe interval    Server status detection interval, in minutes.
Views
Any view
Default command level
2: System level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
Account failure Num = 3
Server ctrl req Num = 0
RecError_MSG_sum = 0
SndMSG_Fail_sum = 0
Timer_Err = 0
Alloc_Mem_Err = 0
State Mismatch = 0
Other_Error = 0
No-response-acct-stop packet = 1
Discarded No-response-acct-stop packet for buffer overflow = 0
Table 6 Command output
Field             Description
state statistic   User statistics, by state. The value range is 0 to 1024.
DEAD              Number of idle users. The value range is 0 to 1024.
AuthProc          Number of users waiting for authentication.
Field                    Description
Account request          Counts of accounting requests.
Account off request      Counts of stop-accounting requests.
PKT auth timeout         Counts of authentication timeout messages.
PKT acct_timeout         Counts of accounting timeout messages.
Realtime Account timer   Counts of real-time accounting requests.
PKT response             Counts of responses from servers.
Session ctrl pkt         Counts of session control messages.
Normal author request    Counts of normal authorization requests.
Views
Any view
Default command level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in a RADIUS scheme. The RADIUS scheme name is a case-insensitive string of 1 to 32 characters.
session-id session-id: Specifies the stop-accounting requests buffered for a session. The session ID is a string of 1 to 50 characters.
key (RADIUS scheme view)
Use key to set the shared key for secure RADIUS authentication/authorization or accounting communication. Use undo key to remove the configuration.
Syntax
key { accounting | authentication } [ cipher | simple ] key
undo key { accounting | authentication }
Default
No shared key is configured.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
accounting: Sets the shared key for secure RADIUS accounting communication.
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting ok
# For RADIUS scheme radius1, set the shared key for secure authentication/authorization communication to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in ciphertext.
The setting configured by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas that configured by the radius nas-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence.
Examples
# Set the source IP address for outgoing RADIUS packets to 10.1.1.1.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] nas-ip 10.1.1.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of the primary RADIUS accounting server are the same as those configured on the server.
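The reason the shared key set with the key command must match the server's copy is that RADIUS authenticates every reply and every accounting request with an MD5 hash keyed by that secret (RFC 2865 and RFC 2866, which the server-type command on this page refers to). The following Python is an added example, not code from the HP manual or from Comware: it builds a minimal Access-Accept and Accounting-Request, then checks them under a matching and a mismatched key. Packet contents, attribute values and the keys are constructed for the demonstration.

```python
"""Added example (not from the HP manual): why the NAS and the RADIUS server
must be configured with the same shared key.

RFC 2865 defines the Response Authenticator of an Access-Accept/Reject as
MD5(Code + ID + Length + RequestAuth + Attributes + Secret), and RFC 2866
defines an Accounting-Request's Request Authenticator as the same hash with
16 zero octets in place of the authenticator field.  A client holding a
different key than the server cannot validate the server's reply, and a
server holding a different key drops the client's accounting request.
Packet contents and keys below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
ACCOUNTING_REQUEST = 4
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS TLV attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def _header(code, ident, body):
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body))


def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: reply whose authenticator is keyed by the request authenticator."""
    body = encode_attrs(attrs)
    hdr = _header(code, ident, body)
    auth = hashlib.md5(hdr + request_auth + body + secret).digest()
    return hdr + auth + body


def verify_reply(packet, request_auth, secret):
    """Client side: recompute the Response Authenticator under our own key."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)  # constant-time compare


def build_accounting_request(ident, attrs, secret):
    """Client side: Accounting-Request with the RFC 2866 Request Authenticator."""
    body = encode_attrs(attrs)
    hdr = _header(ACCOUNTING_REQUEST, ident, body)
    auth = hashlib.md5(hdr + b"\x00" * 16 + body + secret).digest()
    return hdr + auth + body


def verify_accounting_request(packet, secret):
    """Server side: an Accounting-Request with a bad authenticator is silently discarded."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def access_exchange_ok(nas_key, server_key):
    """Simulate an Access-Accept built under server_key and checked under nas_key."""
    request_auth = os.urandom(16)  # per-request random value, as RFC 2865 requires
    reply = build_reply(ACCESS_ACCEPT, 7, request_auth, [(18, b"welcome")], server_key)
    return verify_reply(reply, request_auth, nas_key)


def accounting_exchange_ok(nas_key, server_key):
    """Simulate an Accounting-Request (Acct-Status-Type=Start) built under nas_key."""
    pkt = build_accounting_request(9, [(1, b"user1"), (40, struct.pack("!I", 1))], nas_key)
    return verify_accounting_request(pkt, server_key)


if __name__ == "__main__":
    print("matching keys :", access_exchange_ok(b"ok", b"ok"), accounting_exchange_ok(b"ok", b"ok"))
    print("mismatched key:", access_exchange_ok(b"ok", b"0k"), accounting_exchange_ok(b"ok", b"0k"))
```

A mismatch shows up on the device as authentication or accounting timeouts rather than an explicit error, because a reply that fails the authenticator check is treated as if it had never arrived; that is why the text pairs the key with the port number as the two settings to verify first.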
Default
No primary RADIUS authentication/authorization server is specified.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication/authorization server.
ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication/authorization server, which must be a valid global unicast address.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme. If you remove the primary authentication server when an authentication process is in progress, the communication with the primary server times out, and the device looks for a server in active state from the new primary server on.
undo radius client
Default
The RADIUS client service is enabled.
Views
System view
Default command level
2: System level
Usage guidelines
When the RADIUS client service is disabled, the following events occur:
• No more stop-accounting requests of online users can be sent out or buffered, and the RADIUS server can no longer receive logoff requests from online users. After a user goes offline, the RADIUS server still has the user's record during a certain period of time.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. With a VPN specified, the command specifies a private-network source IPv4 address. With no VPN specified, the command specifies a public-network source IPv4 address.
Usage guidelines
You can specify up to one public-network source IP address and 15 private-network source IP addresses.
Examples
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1]
Related commands
display radius scheme
radius trap
Use radius trap to enable the trap function for RADIUS. Use undo radius trap to disable the trap function for RADIUS.
reset radius statistics
Use reset radius statistics to clear RADIUS statistics.
Syntax
reset radius statistics
Views
User view
Default command level
2: System level
Examples
# Clear RADIUS statistics.
reset radius statistics
Related commands
display radius statistics
reset stop-accounting-buffer (for RADIUS)
Use reset stop-accounting-buffer to clear buffered stop-accounting requests for which no responses have been received.
# Clear the stop-accounting requests buffered in the time range of 0:0:0 to 23:59:59 on August 31, 2006.
reset stop-accounting-buffer time-range 0:0:0-08/31/2006 23:59:59-08/31/2006
Related commands
• stop-accounting-buffer enable
• display stop-accounting-buffer
retry
Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. Use undo retry to restore the default.
retry realtime-accounting
Use retry realtime-accounting to set the maximum number of accounting attempts. Use undo retry realtime-accounting to restore the default.
Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting
Default
The maximum number of accounting attempts is 5.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
retry-times: Specifies the maximum number of accounting attempts, in the range of 1 to 255.
retry stop-accounting (RADIUS scheme view)
Use retry stop-accounting to set the maximum number of stop-accounting request transmission attempts. Use undo retry stop-accounting to restore the default.
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
Default
The maximum number of stop-accounting request transmission attempts is 500.
Use undo secondary accounting to remove the configuration.
Syntax
secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
undo secondary accounting [ ipv4-address | ipv6 ipv6-address ]
Default
No secondary RADIUS accounting server is specified.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.
In FIPS mode, the shared key specified in this command is encrypted and decrypted through 3DES. If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.
Default command level
2: System level
Parameters
ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication/authorization server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS authentication/authorization server, which is a valid global unicast address.
port-number: Specifies the service port number of the secondary RADIUS authentication/authorization server, which is a UDP port number. The value range for the port number is 1 to 65535, and the default is 1812.
The IP addresses of the primary and secondary authentication/authorization servers must be different from each other. Otherwise, the configuration fails. If you remove a secondary authentication server in use in the authentication process, the communication with the secondary server times out, and the device looks for a server in active state from the primary server on. For security purposes, all shared keys, including keys configured in plain text, are saved in ciphertext.
• state
• vpn-instance (RADIUS scheme view)
security-policy-server
Use security-policy-server to specify a security policy server for a RADIUS scheme. Use undo security-policy-server to remove one or all security policy servers for a RADIUS scheme.
Syntax
security-policy-server ip-address
undo security-policy-server { ip-address | all }
Default
No security policy server is specified for a RADIUS scheme.
Default command level
2: System level
Parameters
extended: Specifies the extended RADIUS server (generally running on IMC), which requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats provisioned by the proprietary RADIUS protocol.
standard: Specifies the standard RADIUS server, which requires the RADIUS client and RADIUS server to interact according to the procedures and packet format of the standard RADIUS protocol (RFC 2865 and 2866 or their successors).
Examples
# Set the status of the primary server in RADIUS scheme radius1 to blocked.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state primary authentication block
Related commands
• display radius scheme
• state secondary
state secondary
Use state secondary to set the status of a secondary RADIUS server.
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state secondary authentication block
Related commands
• display radius scheme
• state primary
stop-accounting-buffer enable (RADIUS scheme view)
Use stop-accounting-buffer enable to enable the device to buffer stop-accounting requests to which no responses are received. Use undo stop-accounting-buffer enable to disable the buffering function.
undo timer quiet
Default
The server quiet period is 5 minutes.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
minutes: Specifies the server quiet period in minutes, in the range of 0 to 255. If you set this argument to 0, when the device attempts to send an authentication or accounting request but the current server is unreachable, the device sends the request to the next server in active state, without changing the current server's status.
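The quiet period decides two things at once: where the next request goes, and whether the server that failed is remembered as blocked. The Python below is an added model, not HP code and not a description of Comware internals, of the behaviour the paragraph states: a non-zero quiet period marks an unreachable server blocked for that many minutes and moves requests to the next active server, while a quiet period of 0 leaves the server's state untouched and just tries the next one. The server addresses, the reachability oracle and the minute clock are constructed.

```python
"""Added example (not from the manual): a small model of how the quiet
period steers requests between a primary and a secondary server.
Behaviour modelled from the text: a server that fails to answer is set to
the blocked state for `timer quiet` minutes and requests go to the next
server in active state; with a quiet period of 0 the unreachable server's
state is left unchanged and the request simply moves on.  Server
addresses, the reachability oracle and the minute clock are constructed.
"""
from dataclasses import dataclass


@dataclass
class RadiusServer:
    ip: str
    state: str = "active"       # "active" or "block"
    blocked_until: float = 0.0  # simulated clock value, in minutes


class Scheme:
    def __init__(self, servers, quiet_minutes=5):
        self.servers = servers          # primary first, then secondaries
        self.quiet_minutes = quiet_minutes

    def refresh(self, now):
        """A blocked server returns to active once its quiet period has elapsed."""
        for s in self.servers:
            if s.state == "block" and now >= s.blocked_until:
                s.state = "active"

    def send(self, reachable, now):
        """Return the IP of the server that took the request, or None if none could."""
        self.refresh(now)
        for s in self.servers:
            if s.state != "active":
                continue
            if reachable(s.ip):
                return s.ip
            if self.quiet_minutes > 0:
                s.state = "block"
                s.blocked_until = now + self.quiet_minutes
            # quiet period 0: status unchanged, fall through to the next active server
        return None


def run_demo(quiet_minutes):
    """Trace of (time, server used, primary's state) across a primary outage."""
    down = {"10.0.0.1"}  # constructed: the primary is unreachable at t=0
    scheme = Scheme([RadiusServer("10.0.0.1"), RadiusServer("10.0.0.2")], quiet_minutes)
    trace = [("t=0", scheme.send(lambda ip: ip not in down, 0), scheme.servers[0].state)]
    down.clear()         # the primary recovers before t=3
    for t in (3, 5):
        trace.append((f"t={t}", scheme.send(lambda ip: ip not in down, t), scheme.servers[0].state))
    return trace


def all_down_demo():
    """With every server unreachable the request has nowhere to go and all are blocked."""
    scheme = Scheme([RadiusServer("10.0.0.1"), RadiusServer("10.0.0.2")], 5)
    result = scheme.send(lambda ip: False, 0)
    return result, [s.state for s in scheme.servers]


if __name__ == "__main__":
    for q in (5, 0):
        print(f"timer quiet {q}:", run_demo(q))
    print("all servers down:", all_down_demo())
```

The trace with the default of 5 minutes shows the cost of a non-zero quiet period: the primary stays blocked at t=3 even though it has recovered, so requests keep going to the secondary until the period expires. With 0 the primary is retried on every request, which avoids that delay but adds a response-timeout wait to each request while it is down.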
Default command level
2: System level
Parameters
minutes: Specifies the real-time accounting interval in minutes. The value can be 0 or a multiple of 3, in the range of 3 to 60.
Usage guidelines
For real-time accounting, a NAS must transmit the accounting information of online users to the RADIUS accounting server periodically. This command sets the interval.
Default command level
2: System level
Parameters
seconds: Specifies the RADIUS server response timeout period in seconds, in the range of 1 to 10.
Usage guidelines
If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request (authentication/authorization or accounting request), it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.
If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than one ISP domain. Otherwise, the RADIUS server cannot distinguish two users in different ISP domains that have the same userid and regards them as one. For 802.1X users using EAP authentication, the user-name-format command configured for a RADIUS scheme does not take effect, and the device does not change the usernames from clients before forwarding them to the RADIUS server.
HWTACACS configuration commands
data-flow-format (HWTACACS scheme view)
Use data-flow-format to set the traffic statistics unit for data flows or packets. Use undo data-flow-format to restore the default.
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
Default
The unit for data flows is byte and that for data packets is one-packet.
Views
Any view
Default command level
1: Monitor level
Parameters
hwtacacs-scheme-name: Specifies the HWTACACS scheme name.
statistics: Displays the statistics for the HWTACACS servers specified in the HWTACACS scheme. Without this keyword, the command displays the configuration of the HWTACACS scheme.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
  VPN instance               : -
  Key                        : ******
Current-accounting-server    : 172.31.1.11:49
  VPN instance               : -
  Key                        : ******
NAS-IP-address               : 0.0.0.
Field                          Description
Accounting key                 Shared key for accounting, displayed as a series of asterisks (******). If no key is configured, this field displays N/A.
Acct-stop-PKT retransmit times Number of stop-accounting packet transmission attempts.
Data traffic-unit              Unit for data flows.
Packet traffic-unit            Unit for data packets.
# Display the statistics for the servers specified in HWTACACS scheme gy.
HWTACACS author client response VPDN number: 0
HWTACACS author client round trip time(s): 3
---[HWTACACS template gy primary accounting]--
HWTACACS server open number: 0
HWTACACS server close number: 0
HWTACACS account client request packet number: 0
HWTACACS account client response packet number: 0
HWTACACS account client unknown type number: 0
HWTACACS account client timeout number: 0
HWTACACS account client packet dropped number: 0
HWTACACS account client request command level number: 0
HWTACACS account c
display stop-accounting-buffer hwtacacs-scheme hwt1
Total 0 record(s) Matched
Related commands
• reset stop-accounting-buffer
• stop-accounting-buffer enable
• retry stop-accounting
hwtacacs nas-ip
Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets. Use undo hwtacacs nas-ip to remove the configuration.
system-view
[Sysname] hwtacacs nas-ip 129.10.10.1
Related commands
nas-ip
hwtacacs scheme
Use hwtacacs scheme to create an HWTACACS scheme and enter HWTACACS scheme view. Use undo hwtacacs scheme to delete an HWTACACS scheme.
Syntax
hwtacacs scheme hwtacacs-scheme-name
undo hwtacacs scheme hwtacacs-scheme-name
Default
No HWTACACS scheme exists.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
accounting: Sets the shared key for secure HWTACACS accounting communication.
authentication: Sets the shared key for secure HWTACACS authentication communication.
authorization: Sets the shared key for secure HWTACACS authorization communication.
cipher: Sets a ciphertext shared key.
simple: Sets a plaintext shared key.
key: Specifies the shared key string. This argument is case sensitive.
Syntax
nas-ip ip-address
undo nas-ip
Default
The source IP address of an outgoing HWTACACS packet is configured by the hwtacacs nas-ip command in system view. If the hwtacacs nas-ip command is not configured, the source IP address is the IP address of the outbound interface.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
ip-address: Specifies an IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.
Default
No primary HWTACACS accounting server is specified.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address of the primary HWTACACS accounting server in dotted decimal notation. The default is 0.0.0.0.
port-number: Specifies the service port number of the primary HWTACACS accounting server. The value range for the port number is 1 to 65535, and the default is 49.
[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49 key simple abCD1@
Related commands
• display hwtacacs
• key (HWTACACS scheme view)
• vpn-instance (HWTACACS scheme view)
primary authentication (HWTACACS scheme view)
Use primary authentication to specify the primary HWTACACS authentication server. Use undo primary authentication to remove the configuration.
The shared key configured by this command takes precedence over that configured by using the key authentication [ cipher | simple ] key command. If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance vpn-instance-name option. If you execute the command multiple times, the most recent configuration takes effect. You can remove an authentication server only when it is not used by any active TCP connection to send authentication packets.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the primary HWTACACS authorization server.
• cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 373 characters.
• simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 255 characters.
• If neither cipher nor simple is specified, you set a plaintext shared key string.
Views
User view
Default command level
1: Monitor level
Parameters
accounting: Specifies the HWTACACS accounting statistics.
all: Specifies all HWTACACS statistics.
authentication: Specifies the HWTACACS authentication statistics.
authorization: Specifies the HWTACACS authorization statistics.
Examples
# Clear all HWTACACS statistics.
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
Default
The maximum number of stop-accounting request transmission attempts is 100.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
retry-times: Specifies the maximum number of stop-accounting request transmission attempts, in the range of 1 to 300.
Examples
# Set the maximum number of stop-accounting request transmission attempts to 50 for HWTACACS scheme hwt1.
port-number: Specifies the service port number of the secondary HWTACACS accounting server. The value range for the port number is 1 to 65535, and the default is 49.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the secondary HWTACACS accounting server.
• cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 373 characters.
Syntax
secondary authentication ip-address [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
undo secondary authentication
Default
No secondary HWTACACS authentication server is specified.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address of the secondary HWTACACS authentication server in dotted decimal notation. The default is 0.0.0.0.
Examples
# Specify the IP address and port number of the secondary authentication server for HWTACACS scheme hwt1 as 10.163.155.13 with TCP port number 49.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 key simple abCD1@
Related commands
• display hwtacacs
• key (HWTACACS scheme view)
• vpn-instance (HWTACACS scheme view)
secondary authorization
Use secondary authorization to specify a secondary HWTACACS authorization server.
Usage guidelines
Make sure the port number and shared key settings of the secondary HWTACACS authorization server are the same as those configured on the server. The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails. If the specified server resides on an MPLS VPN, you also must specify that VPN with the secondary authorization command to ensure normal communication with the server.
receives no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or until the number of transmission attempts reaches the configured limit. In the latter case, the NAS discards the packet.
Examples
# In HWTACACS scheme hwt1, enable the device to buffer the stop-accounting requests that receive no responses.
timer realtime-accounting (HWTACACS scheme view)
Use timer realtime-accounting to set the real-time accounting interval. Use undo timer realtime-accounting to restore the default.
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
Default
The real-time accounting interval is 12 minutes.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
minutes: Specifies the real-time accounting interval in minutes.
Syntax
timer response-timeout seconds
undo timer response-timeout
Default
The HWTACACS server response timeout time is 5 seconds.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
seconds: Specifies the HWTACACS server response timeout period in seconds, in the range of 1 to 300.
Usage guidelines
HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.
Usage guidelines
A username is generally in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs. Some earlier HWTACACS servers, however, cannot recognize a username that includes an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server.
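Both the RADIUS and the HWTACACS user-name-format commands on this page hinge on the same split of userid@isp-name, and the RADIUS usage guideline earlier warns what goes wrong when a without-domain scheme serves several ISP domains. The Python below is an added example, not HP code: it performs the split, produces the name the server would see under each format, and reports the userid collisions that stripping the domain creates. The at sign is the delimiter the page documents; accepting a wider delimiter set with userid before the delimiter and the rightmost occurrence as the split point is an assumption of this example, and the usernames are constructed.

```python
"""Added example (not from the manual): how a username of the form
userid@isp-name is split to pick the ISP domain, what the name sent to the
server looks like with and without the domain, and the collision the text
warns about when a without-domain scheme serves more than one ISP domain.
The at sign is the delimiter the page documents; treating any extra
delimiter as userid<delim>domain with the rightmost occurrence as the split
point is an assumption of this example.  All usernames are constructed.
"""
from collections import defaultdict


def split_username(username, delimiters="@"):
    """Return (userid, isp_name); isp_name is None when no delimiter is present."""
    cut = max(username.rfind(d) for d in delimiters)  # assumption: rightmost delimiter splits
    if cut < 0:
        return username, None
    return username[:cut], username[cut + 1:]


def name_for_server(username, with_domain=True, delimiters="@"):
    """Name the device forwards under user-name-format with-domain / without-domain."""
    userid, isp = split_username(username, delimiters)
    if with_domain or isp is None:
        return username
    return userid


def without_domain_collisions(usernames, delimiters="@"):
    """Users from different ISP domains that become indistinguishable on the server
    once the domain is stripped, as {userid: [domains...]} for each clash."""
    seen = defaultdict(set)
    for name in usernames:
        userid, isp = split_username(name, delimiters)
        seen[userid].add(isp)
    return {u: sorted(doms, key=lambda d: d or "") for u, doms in seen.items() if len(doms) > 1}


if __name__ == "__main__":
    users = ["alice@isp1", "alice@isp2", "bob@isp1"]  # constructed sample
    for u in users:
        print(u, "->", name_for_server(u, with_domain=False))
    print("collisions:", without_domain_collisions(users))
```

Running the check against the users of every ISP domain a scheme is applied to, before switching that scheme to without-domain, turns the manual's warning into something you can verify rather than remember.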
Related commands
display hwtacacs
RADIUS server configuration commands
The following matrix shows the command and router compatibility:
Command                               MSR900  MSR93X  MSR201X  MSR20  MSR30  MSR50  MSR1000
RADIUS server configuration commands  No      No      Yes      Yes    Yes    No     Yes
authorization-attribute (RADIUS-server user view)
Use authorization-attribute to specify the authorization attributes (ACL and VLAN) that the RADIUS server assigns to the RADIUS client in a response message after the RADIUS user passes RADIU
description (RADIUS-server user view)
Use description to configure a description for the RADIUS user. The description is used for user information management. Use undo description to remove the user description.
Syntax
description text
undo description
Default
No description is configured for the RADIUS user.
Views
RADIUS-server user view
Default command level
2: System level
Parameters
text: Description of the RADIUS user, a case-sensitive string of 1 to 255 characters.
Parameters
time: Specifies the expiration time of the RADIUS user, in the format HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD. HH:MM:SS indicates the time, where HH is in the range of 0 to 23, and MM and SS are in the range of 0 to 59. YYYY/MM/DD indicates the date, where YYYY is in the range of 2000 to 2035, MM is in the range of 1 to 12, and the range of DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted. For example, 2:2:0-2010/2/2 equals 02:02:00-2010/02/02.
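The validity-date (local user view) and expiration-date (RADIUS-server user view) arguments share the same time syntax and the same ranges, so one validator serves both. The Python below is an added example, not HP code and not the device's own parser: it accepts the four layouts listed for validity-date, which is a superset of the two time-first layouts expiration-date accepts, enforces the ranges the text gives (HH 0 to 23, MM and SS 0 to 59, YYYY 2000 to 2035, DD bounded by the month), tolerates omitted leading zeros, and normalises to the zero-padded form. The rule used to tell YYYY/MM/DD from MM/DD/YYYY (a four-digit first field) is an assumption of this example.

```python
"""Added example (not from the manual): a validator for the time argument of
validity-date (local user view) and expiration-date (RADIUS-server user
view).  Accepts HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS
and YYYY/MM/DD-HH:MM:SS, applies the ranges from the text, and allows
leading zeros to be omitted.  The date-order rule (a 4-digit first field
means YYYY/MM/DD) is an assumption of this example, not wording from the manual.
"""
import datetime

YEAR_MIN, YEAR_MAX = 2000, 2035


def _parse_time(part):
    fields = part.split(":")
    if len(fields) != 3 or not all(f.isdigit() for f in fields):
        raise ValueError(f"bad time: {part!r}")
    h, m, s = (int(f) for f in fields)
    if not (0 <= h <= 23 and 0 <= m <= 59 and 0 <= s <= 59):
        raise ValueError(f"time out of range: {part!r}")
    return h, m, s


def _parse_date(part):
    fields = part.split("/")
    if len(fields) != 3 or not all(f.isdigit() for f in fields):
        raise ValueError(f"bad date: {part!r}")
    a, b, c = (int(f) for f in fields)
    # assumption: a 4-digit leading field selects YYYY/MM/DD, otherwise MM/DD/YYYY
    year, month, day = (a, b, c) if len(fields[0]) == 4 else (c, a, b)
    if not (YEAR_MIN <= year <= YEAR_MAX):
        raise ValueError(f"year out of range: {year}")
    return year, month, day


def parse_validity(text):
    """Parse any of the four layouts into a datetime; raise ValueError if invalid."""
    parts = text.split("-")
    if len(parts) != 2:
        raise ValueError(f"expected time-date or date-time: {text!r}")
    time_part = next((p for p in parts if ":" in p), None)
    date_part = next((p for p in parts if "/" in p), None)
    if time_part is None or date_part is None:
        raise ValueError(f"missing time or date component: {text!r}")
    h, m, s = _parse_time(time_part)
    y, mo, d = _parse_date(date_part)
    return datetime.datetime(y, mo, d, h, m, s)  # rejects a day the month does not have


def canonical(text):
    """Zero-padded HH:MM:SS-YYYY/MM/DD form, so 2:2:0-2010/2/2 -> 02:02:00-2010/02/02."""
    return parse_validity(text).strftime("%H:%M:%S-%Y/%m/%d")


def is_rejected(text):
    """True if the argument would fail the checks the text describes."""
    try:
        parse_validity(text)
    except ValueError:
        return True
    return False


def account_usable(validity_text, now_text):
    """An account remains usable until its validity/expiration time passes."""
    return parse_validity(now_text) <= parse_validity(validity_text)


if __name__ == "__main__":
    for sample in ("2:2:0-2010/2/2", "2/2/2010-2:2:0", "24:00:00-2010/01/01", "12:00:00-2036/1/1"):
        print(sample, "->", "rejected" if is_rejected(sample) else canonical(sample))
```

Feeding the same validator the values you intend to configure catches the out-of-range year or the impossible day before the command is typed, and the canonical form makes two differently written times comparable in a configuration review.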
Usage guidelines
For security purposes, all passwords, including passwords configured in plain text, are saved in ciphertext.
Examples
# Set the password to 123456 in plain text for RADIUS user user1.
system-view
[Sysname] radius-server user user1
[Sysname-rdsuser-user1] password simple 123456
# Set the password to $c$3$joGi2vMNJMbTEjpMA1J7Nuv2+iif3Q== in ciphertext for RADIUS user user2.
For security purposes, all shared keys, including keys configured in plain text, are saved in ciphertext. You can specify multiple RADIUS clients. The maximum number of RADIUS clients that can be configured depends on the storage space.
Examples
# Specify RADIUS client 10.1.1.1 and set the shared key to 1234 in plain text.
system-view
[Sysname] radius-server client-ip 10.1.1.1 key simple 1234
radius-server user
Use radius-server user to create a RADIUS user and enter RADIUS-server user view.
802.1X commands
display dot1x
Use display dot1x to display information about 802.1X.
Syntax
display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
sessions: Displays 802.1X session information.
statistics: Displays 802.1X statistics.
interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports.
Quiet Period        60 s,  Quiet Period Timer is disabled
Supp Timeout        30 s,  Server Timeout    100 s
Reauth Period     3600 s
The maximal retransmitting times   3
The maximum 802.1X user resource number is 1024 per slot
Total current used 802.1X resource number is 1
Ethernet4/0 is link-up
802.1X protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Handshake is disabled
Handshake secure is disabled
802.
Field                           Description
Transmit Period                 Username request timeout timer in seconds.
Handshake Period                Handshake timer in seconds.
Reauth Period                   Periodic online user re-authentication timer in seconds.
Quiet Period                    Quiet timer in seconds.
Quiet Period Timer is disabled  Status of the quiet timer. In this example, the quiet timer is enabled.
Supp Timeout                    Client timeout timer in seconds.
Server Timeout                  Server timeout timer in seconds.
Field                        Description
Critical recovery-action     Action that the port takes when an active (reachable) authentication server is detected available for the 802.1X users in the critical VLAN:
                             • reinitialize—The port triggers authentication.
                             • NOT configured—The port does not trigger authentication.
Max number of on-line users  Maximum number of concurrent 802.1X users on the port.
EAPOL Packet                 Number of sent (Tx) and received (Rx) EAPOL packets.
Default
802.1X is neither enabled globally nor enabled for any port.
Views
System view, Ethernet interface view
Default command level
2: System level
Parameters
interface interface-list: Specifies a port list, which can contain multiple ports.
Related commands
display dot1x
dot1x authentication-method
Use dot1x authentication-method to specify an EAP message handling method. Use undo dot1x authentication-method to restore the default.
Syntax
dot1x authentication-method { chap | eap | pap }
undo dot1x authentication-method
Default
The network access device performs EAP termination and uses CHAP to communicate with the RADIUS server.
Local authentication supports PAP and CHAP. If RADIUS authentication is used, you must configure the network access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.
Examples
# Enable the access device to terminate EAP packets and perform PAP authentication with the RADIUS server.
system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] dot1x auth-fail vlan 3
Related commands
• dot1x
• dot1x port-method
dot1x critical vlan
Use dot1x critical vlan to configure an 802.1X critical VLAN on a port for users that fail 802.1X authentication because all the RADIUS servers in their ISP domains have been unreachable. Use undo dot1x critical vlan to restore the default.
dot1x critical recovery-action
Use dot1x critical recovery-action to configure the action that a port takes when an active (reachable) RADIUS authentication server is detected for users in the 802.1X critical VLAN. Use undo dot1x critical recovery-action to restore the default.
Syntax
dot1x critical recovery-action reinitialize
undo dot1x critical recovery-action
Default
When a reachable RADIUS server is detected, the system removes the port or 802.
Default
The access device supports only the at sign (@) delimiter for 802.1X users.
Views
System view
Default command level
2: System level
Parameters
string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between delimiters. Available delimiters include the at sign (@), backslash (\), and forward slash (/).
Usage guidelines
The delimiter set you configured overrides the default setting.
Default command level
2: System level
Parameters
guest-vlan-id: Specifies the ID of the VLAN to be specified as the 802.1X guest VLAN. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.
interface interface-list: Specifies a port list.
dot1x handshake
Use dot1x handshake to enable the online user handshake function. The function enables the device to periodically send handshake messages to the client to check whether a user is online. Use undo dot1x handshake to disable the function.
Syntax
dot1x handshake
undo dot1x handshake
Default
The function is enabled.
Views
Ethernet interface view
Default command level
2: System level
Usage guidelines
The 802.1X proxy detection function depends on the online user handshake function.
Usage guidelines
The online user handshake security function is implemented based on the online user handshake function. To bring the security function into effect, make sure the online user handshake function is enabled. HP recommends that you use the iNode client software and IMC server to ensure the normal operation of the online user handshake security function.
Examples
# Enable the online user handshake security function.
[Sysname-Ethernet1/1] dot1x mandatory-domain my-domain
# After 802.1X user usera passes the authentication, execute the display connection command to display the user connection information on Ethernet 1/1. For more information about the display connection command, see "AAA configuration commands."
[Sysname-Ethernet1/1] display connection interface ethernet 1/1
Index=68 ,Username=usera@my-domian
MAC=00-15-E9-A6-7C-FE
IP=3.3.3.3
IPv6=N/A
Total 1 connection(s) matched.
Usage guidelines
In system view:
• If you do not specify the interface-list argument, the command applies to all ports.
• If you specify the interface-list argument, the command applies to the specified ports.
In Ethernet port view, the interface interface-list option is not available and the command applies to only the Ethernet port.
Examples
# Set the maximum number of concurrent 802.1X users on port Ethernet 1/1 to 32.
system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] dot1x multicast-trigger
Related commands
display dot1x
dot1x port-control
Use dot1x port-control to set the authorization state for the specified or all ports. Use undo dot1x port-control to restore the default.
system-view
[Sysname] dot1x port-control unauthorized-force interface ethernet 1/1
Or
system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] dot1x port-control unauthorized-force
# Set the authorization state of ports Ethernet 1/2 through Ethernet 1/5 to unauthorized-force.
or port ranges for this argument. The start port number must be smaller than the end number and the two ports must be the same type.
Usage guidelines
In system view, if no interface is specified, the command applies to all ports.
Examples
# Configure port Ethernet 1/1 to implement port-based access control.
dot1x re-authenticate Use dot1x re-authenticate to enable the periodic online user re-authentication function. Use undo dot1x re-authenticate to disable the function. Syntax dot1x re-authenticate undo dot1x re-authenticate Default The periodic online user re-authentication function is disabled. Views Ethernet interface view Default command level 2: System level Usage guidelines Periodic re-authentication enables the access device to periodically authenticate online 802.1X users on a port.
Default command level 2: System level Parameters max-retry-value: Specifies the maximum number of attempts for sending an authentication request to a client. The value range is 1 to 10.
Parameters logoff: Logs off a user accessing the network through a proxy. trap: Sends a trap to the network management system when a user is detected accessing the network through a proxy. interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports.
Default The handshake timer is 15 seconds, the quiet timer is 60 seconds, the periodic re-authentication timer is 3600 seconds, the server timeout timer is 100 seconds, the client timeout timer is 30 seconds, and the username request timeout timer is 30 seconds. Views System view Default command level 2: System level Parameters handshake-period-value: Sets the handshake timer in seconds. It is in the range of 5 to 1024. quiet-period-value: Sets the quiet timer in seconds. It is in the range of 10 to 120.
Examples # Set the server timeout timer to 150 seconds. system-view [Sysname] dot1x timer server-timeout 150 Related commands display dot1x dot1x unicast-trigger Use dot1x unicast-trigger to enable the 802.1X unicast trigger function. Use undo dot1x unicast-trigger to disable the function. Syntax dot1x unicast-trigger undo dot1x unicast-trigger Default The unicast trigger function is disabled.
Views User view Default command level 2: System level Parameters interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges.
EAD fast deployment commands dot1x free-ip Use dot1x free-ip to configure a free IP segment. Users can access the segment before passing 802.1X authentication. Use undo dot1x free-ip to remove the specified or all free IP segments. Syntax dot1x free-ip ip-address { mask-address | mask-length } undo dot1x free-ip { ip-address { mask-address | mask-length } | all } Default No free IP is configured.
Related commands display dot1x dot1x timer ead-timeout Use dot1x timer ead-timeout to set the EAD rule timer. Use undo dot1x timer ead-timeout to restore the default. Syntax dot1x timer ead-timeout ead-timeout-value undo dot1x timer ead-timeout Default The timer is 30 minutes. Views System view Default command level 2: System level Parameters ead-timeout-value: Specifies the EAD rule timer in minutes. The value range is 1 to 1440.
dot1x url Use dot1x url to configure a redirect URL. When a user uses a Web browser to access networks other than the free IP segments, the device redirects the user to the redirect URL. Use undo dot1x url to remove the redirect URL. Because the user has not yet been authenticated when the redirect happens, the redirect URL must point to a host inside a free IP segment configured with dot1x free-ip; otherwise the browser cannot reach it. Syntax dot1x url url-string undo dot1x url Default No redirect URL is defined. Views System view Default command level 2: System level Parameters url-string: Specifies the redirect URL, a case-sensitive string of 1 to 64 characters in the format http://string.
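The free IP and redirect URL settings above only work together when the URL's host lies inside one of the free IP segments. The following check, added here as an example and not part of the HP manual, takes free IP entries in the two forms dot1x free-ip accepts (dotted mask-address or mask-length), applies the url-string rules (1 to 64 characters, http:// prefix) and confirms the redirect host falls inside a free segment. The sample entries and URL are constructed for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample input (not from the manual): free IP segments as they
# would be given to "dot1x free-ip", one with a dotted mask-address and one
# with a mask-length, plus a candidate redirect URL for "dot1x url".
FREE_IP_ENTRIES = [
    "192.168.1.0 255.255.255.0",
    "10.10.0.0 16",
]
REDIRECT_URL = "http://192.168.1.20/portal"


def parse_free_ip(entry):
    """Turn 'ip-address mask-address' or 'ip-address mask-length' into a network."""
    addr, mask = entry.split()
    # ipaddress accepts both a dotted netmask and a prefix length after '/'.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def redirect_host(url):
    """Return the host part of the redirect URL as an IP address, or None."""
    host = urlparse(url).hostname
    if host is None:
        return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        # A DNS name cannot be resolved before authentication unless the
        # resolver itself sits in a free IP segment; treat it as unverifiable.
        return None


def check_redirect_url(url, free_ip_entries):
    """Return a list of problems; an empty list means the URL is usable."""
    problems = []
    if not 1 <= len(url) <= 64:
        problems.append("url-string must be 1 to 64 characters")
    if not url.startswith("http://"):
        problems.append("url-string must be in the format http://string")
    host = redirect_host(url)
    if host is None:
        problems.append("redirect host is not a literal IP address")
    elif not any(host in parse_free_ip(e) for e in free_ip_entries):
        problems.append("redirect host is not inside any free IP segment")
    return problems


if __name__ == "__main__":
    print(check_redirect_url(REDIRECT_URL, FREE_IP_ENTRIES))
    print(check_redirect_url("http://172.16.0.1/portal", FREE_IP_ENTRIES))
```

Run the check against the intended dot1x free-ip and dot1x url values before committing the configuration; a redirect host outside every free segment produces a portal that unauthenticated clients can never load.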
MAC authentication configuration commands display mac-authentication Use display mac-authentication to display MAC authentication settings and statistics, including global settings, and port-specific settings and MAC authentication and online user statistics.
 Current user number amounts to 0
 Current domain: not configured, use default domain
 Silent Mac User info:
  MAC Addr         From Port        Port Index
Ethernet1/1 is link-up
 MAC address authentication is enabled
 Authenticate success: 0, failed: 0
 Max number of on-line users is 256
 Current online user number is 0
  MAC Addr         Authenticate state   AuthIndex
 ……(output omitted)
Table 11 Command output
Field                                    Description
MAC address authentication is enabled    Whether MAC authentication is enabled.
Field                                 Description
Authenticate success: 0, failed: 0    MAC authentication statistics, including the number of successful and unsuccessful authentication attempts.
Max number of on-line users           Maximum number of concurrent online users allowed on the port. If MAC authentication is not enabled on the port, the field displays 0.
Current online user number            Number of online users on the port.
MAC Addr                              MAC address of the online user.
Authenticate state                    User status.
number must be greater than the start port number. A port range defined without the to interface-type interface-number option comprises only one port. The following matrix shows the option and router compatibility:
Option                      MSR900   MSR93X   MSR20-1X   MSR20   MSR30   MSR50   MSR1000
interface interface-list    Yes      No       Yes        Yes     Yes     Yes     No
Usage guidelines To use MAC authentication on a port, you must enable the function both globally and on the port. Examples # Enable MAC authentication globally.
Parameters domain-name: Specifies an authentication domain name, a case-insensitive string of 1 to 24 characters. The domain name cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or at sign (@). Usage guidelines The global authentication domain is applicable to all MAC authentication enabled ports. A port specific authentication domain is applicable only to the port.
in multiple VLANs, frequent MAC re-authentication can downgrade the system performance and affect data transmission quality. Examples # Enable MAC authentication multi-VLAN mode on GigabitEthernet 1/1. system-view [Sysname] interface gigabitethernet 1/1 [Sysname-GigabitEthernet1/1] mac-authentication host-mode multi-vlan mac-authentication max-user Use mac-authentication max-user to set the maximum number of concurrent MAC authentication users on a port.
undo mac-authentication timer { offline-detect | quiet | server-timeout } Default The offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds. Views System view Default command level 2: System level Parameters offline-detect offline-detect-value: Sets the offline detect timer in the range of 60 to 65535 seconds. This timer sets the interval that the device waits for traffic from a user before it regards the user idle.
Parameters time: Specifies the delay time for MAC authentication in seconds. The value range is 1 to 180. Usage guidelines When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC authentication so that 802.1X authentication is preferentially triggered. If no 802.1X authentication is triggered or if 802.1X authentication fails within the delay period, the port continues to process MAC authentication.
simple: Sets a plaintext password. password: Specifies the password. This argument is case sensitive. If simple is specified, it must be a string of 1 to 63 characters. If cipher is specified, it must be a ciphertext string of 1 to 117 characters. mac-address: Uses MAC-based user accounts for MAC authentication users. If this option is specified, you must create one user account for each user, and use the MAC address of the user as both the username and password for the account.
Views User view Default command level 2: System level Parameters interface interface-list: Specifies a port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. The start port and end port of a port range must be of the same type and the end port number must be greater than the start port number.
Port security configuration commands display port-security Use display port-security to display port security configuration information, operation information, and statistics for one or more ports.
 Intrusion Protection mode is disableport-temporarily
 Max MAC address number is 50
 Stored MAC address number is 0
 Authorization is ignored
 Security MAC address learning mode is sticky
 Security MAC address aging type is absolute
GigabitEthernet1/2 is link-down
GigabitEthernet1/3 is link-down
Table 12 Command output
Field                      Description
Equipment port-security    Whether port security is enabled.
Trap                       Whether trapping for MAC address learning is enabled.
Field             Description
Intrusion mode    Intrusion protection action mode, which can be one of the following modes:
                  • BlockMacAddress—Adds the source MAC address of the illegal packet to the blocked MAC address list.
                  • DisablePort—Shuts down the port that receives illegal packets permanently.
                  • DisablePortTemporarily—Shuts down the port that receives illegal packets for some time.
                  • NoAction—Performs no intrusion protection.
Default command level 2: System level Parameters interface interface-type interface-number: Specifies a port by its type and number. vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094. count: Displays only the count of the blocked MAC addresses. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
 MAC ADDR            From Port       VLAN ID
 000d-88f8-0577      Ethernet1/1     1
 --- 1 mac address(es) found ---
Table 13 Command output
Field                      Description
MAC ADDR                   Blocked MAC address.
From Port                  Port that received frames with the blocked MAC address as the source address.
VLAN ID                    ID of the VLAN to which the port belongs.
x mac address(es) found    Number of blocked MAC addresses.
Examples
# Display information about all secure MAC addresses.
 display port-security mac-address security
 MAC ADDR            VLAN ID   STATE      PORT INDEX     AGING TIME(s)
 0002-0002-0002      1         Security   Ethernet1/1    NOAGED
 000d-88f8-0577      1         Security   Ethernet1/1    NOAGED
 --- 2 mac address(es) found ---
# Display only the count of the secure MAC addresses.
 display port-security mac-address security count
 2 mac address(es) found
# Display information about secure MAC addresses in VLAN 1.
display port-security preshared-key user Use display port-security preshared-key user to display pre-shared key (PSK) user information. Syntax display port-security preshared-key user [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 2: System level Parameters interface interface-type interface-number: Specifies a port by its type and number.
port-security authorization ignore Use port-security authorization ignore to configure a port to ignore the authorization information received from the server (a RADIUS server or the local device). Use undo port-security authorization ignore to restore the default. Syntax port-security authorization ignore undo port-security authorization ignore Default A port uses the authorization information from the server.
Usage guidelines You must disable global 802.1X and MAC authentication before you enable port security on a port. Enabling or disabling port security resets the following security settings to the default: • 802.1X access control mode is MAC-based, and the port authorization state is auto. • Port security mode is noRestrictions. You cannot disable port security when online users are present. Examples # Enable port security.
disableport-temporarily: Disables the port for a specific period of time whenever it receives an illegal frame. Use port-security timer disableport to set the period. Usage guidelines A port shut down by the disableport action stays down until you restore it with the undo shutdown command. Examples # Configure port GigabitEthernet 1/1 to block the source MAC addresses of illegal frames after intrusion protection is triggered.
Related commands • port-security timer autolearn aging • port-security mac-address dynamic port-security mac-address dynamic Use port-security mac-address dynamic to enable the dynamic secure MAC function. This function converts sticky MAC addresses to dynamic, and disables saving them to the configuration file. Use undo port-security mac-address dynamic to disable the dynamic secure MAC function.
Syntax In Layer 2 Ethernet interface view: port-security mac-address security [ sticky ] mac-address vlan vlan-id undo port-security mac-address security [ sticky ] mac-address vlan vlan-id In system view: port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ] Default No secure MAC address entry is configured.
To enable port security on a port, use the port-security enable command, and to set the port in autoLearn mode, use the port-security port-mode autolearn command. When the dynamic secure MAC function is enabled (using the port-security mac-address dynamic command), you cannot manually configure sticky MAC addresses. Examples # Enable port security, set port GigabitEthernet 1/1 in autoLearn mode, and add a static secure MAC address 0001-0001-0002 in VLAN 10.
Parameters count-value: Specifies the maximum number of MAC addresses that port security allows on the port. The value range is 1 to 1024. Usage guidelines In autoLearn mode, this command sets the maximum number of secure MAC addresses (both configured and automatically learned) on the port. In any other mode that enables 802.1X, MAC authentication, or both, this command sets the maximum number of authenticated MAC addresses on the port.
Usage guidelines The need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow frames to be sent to only devices passing authentication, preventing illegal devices from intercepting network traffic. If a wireless port has online users, you cannot change its NTK settings.
example, when a company allows only IP phones of vendor A in the Intranet, use this command to set the OUI of vendor A. Examples # Configure an OUI value of 000d2a, setting the index to 4. system-view [Sysname] port-security oui 000d-2a10-0033 index 4 Related commands display port-security port-security port-mode Use port-security port-mode to set the port security mode of a port. Use undo port-security port-mode to restore the default.
Keyword                      Security mode                    Description
mac-authentication           macAddressWithRadius             In this mode, a port performs MAC authentication for users and services multiple users.
mac-else-userlogin-secure    macAddressElseUserLoginSecure    This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority.
                                                              • For wired users, the port performs MAC authentication 30 seconds after receiving non-802.1X frames.
Keyword                        Security mode                     Description
userlogin-secure-or-mac-ext    macAddressOrUserLoginSecureExt    Similar to the macAddressOrUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.
userlogin-withoui                                                Similar to the userLoginSecure mode. In addition, a port in this mode also permits frames from a user whose MAC address contains a specific OUI (organizationally unique identifier).
                                                                 • For wired users, the port performs 802.
The following matrix shows the keyword and router compatibility:
autolearn: MSR900 No; MSR93X No; MSR20-1X No; MSR20 No; MSR30 Only available on MSR30-11E and MSR30-11F routers; MSR50 No; MSR1000 No.
secure: MSR900 No; MSR93X No; MSR20-1X No; MSR20 No; MSR30 Only available on MSR30-11E and MSR30-11F routers; MSR50 No; MSR1000 No.
userlogin: MSR900 Yes; MSR93X Yes; MSR20-1X Yes; MSR20 Yes; MSR30 Only available on other MSR30 series with FSW modules installed; MSR50 Only available on MSR50 routers with FSW modules installed; MSR1000 Yes.
Examples # Enable port security and set port GigabitEthernet 1/1 in secure mode.
Parameters time-value: Sets the aging timer in minutes for secure MAC addresses. The value is in the range of 0 to 129600. To disable the aging timer, set the timer to 0. Examples # Set the secure MAC aging timer to 30 minutes. system-view [Sysname] port-security timer autolearn aging 30 Related commands • display port-security • port-security mac-address security port-security preshared-key Use port-security preshared-key to configure a PSK.
• If neither cipher nor simple is specified, you set a plaintext key to be displayed in cipher text. The key can be a character string of 8 to 63 displayable characters or a hexadecimal string of 64 characters. • For security purposes, all PSKs, including PSKs configured in plain text, are saved in cipher text to the configuration file. Examples # Configure the plaintext PSK abcdefgh on port WLAN-BSS 1.
Examples # Configure the intrusion protection policy as disabling the port temporarily whenever it receives an illegal frame and set the silence period to 30 seconds. system-view [Sysname] port-security timer disableport 30 [Sysname] interface gigabitethernet 1/1 [Sysname-GigabitEthernet1/1] port-security intrusion-mode disableport-temporarily Related commands display port-security port-security trap Use port-security trap to enable port security traps.
NOTE: RALM (RADIUS Authenticated Login using MAC-address) means RADIUS authentication based on MAC address. Usage guidelines You can enable certain port security traps for monitoring user behaviors. Examples # Enable MAC address learning traps. system-view [Sysname] port-security trap addresslearned Related commands display port-security port-security tx-key-type 11key Use port-security tx-key-type 11key to enable key negotiation of the 11key type.
IPsec configuration commands The MSR series routers support ACL-based IPsec in either standard or aggregation data flow protection mode. The following matrix shows the FIPS and hardware compatibility:
Hardware    FIPS mode
MSR900      No
MSR93X      No
MSR20-1X    No
MSR20       Yes
MSR30       Yes (except the MSR30-16)
MSR50       Yes
MSR1000     Yes
ah authentication-algorithm Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
Usage guidelines You must use the transform command to specify the AH security protocol or both AH and ESP before you specify authentication algorithms for AH. Examples # Configure IPsec transform set prop1 to use AH and SHA1.
undo cryptoengine enable Default The encryption engine is enabled. Views System view Default command level 2: System level Examples # Enable the encryption engine. system-view [Sysname] cryptoengine enable display ipsec policy Use display ipsec policy to display information about IPsec policies.
Examples # Display brief information about all IPsec policies.
  ike-peer name: per
  PFS: N
  transform-set name: prop1
  synchronization inbound anti-replay-interval: 1000 packets
  synchronization outbound anti-replay-interval: 10000 packets
  IPsec sa local duration(time based): 3600 seconds
  IPsec sa local duration(traffic based): 1843200 kilobytes
  policy enable: True
  tfc enable: False
===========================================
IPsec Policy Group: "policy_man"
Interface: Ethernet1/2
===========================================
----------------------------------------IPsec p
===========================================
----------------------------
IPsec policy name: "policy001"
sequence number: 10
acl version: None
mode: manual
----------------------------
  encapsulation mode: tunnel
  security data flow :
  tunnel local address:
  tunnel remote address:
  transform-set name: prop1
  inbound AH setting:
    AH spi:
    AH string-key:
    AH authentication hex key:
  inbound ESP setting:
    ESP spi: 23456 (0x5ba0)
    ESP string-key:
    ESP encryption hex key: ******
    ESP authentication hex key: ******
  outbound AH
Field              Description
Interface          Interface to which the IPsec policy is applied.
Protocol           Name of the protocol to which the IPsec policy is applied. (This field is not displayed when the IPsec policy is not applied to any routing protocol.)
sequence number    Sequence number of the IPsec policy.
acl version        ACL version:
                   • ACL4—IPv4 ACL.
                   • ACL6—IPv6 ACL.
                   If no ACL is referenced, this field displays None.
mode               Negotiation mode of the IPsec policy:
                   • manual—Manual mode.
                   • isakmp—IKE negotiation mode.
Syntax display ipsec policy-template [ brief | name template-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters brief: Displays brief information about all IPsec policy templates. name: Displays detailed information about a specified IPsec policy template or IPsec policy template group. template-name: Specifies the name of the IPsec policy template, a string of 1 to 41 characters.
IPsec Policy Template Group: "test"
===============================================
--------------------------------
Policy template name: "test"
sequence number: 1
--------------------------------
  encapsulation mode: tunnel
  security data flow :
  ACL's Version: acl4
  ike-peer name: per
  PFS: N
  transform-set name: testprop
  synchronization inbound anti-replay-interval: 1000 packets
  synchronization outbound anti-replay-interval: 10000 packets
  IPsec sa local duration(time based): 3600 seconds
  IPsec sa local du
Views Any view Default command level 1: Monitor level Parameters name profile-name: Displays the configuration information of an IPsec profile. The profile-name argument specifies the name of the IPsec profile and is a case-insensitive string of 1 to 15 characters. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
===========================================
----------------------------
IPsec profile name: "btoa"
mode: tunnel
----------------------------
  encapsulation mode: tunnel
  security data flow :
  ike-peer name: btoa
  PFS: N
  transform-set name: method1
  synchronization inbound anti-replay-interval: 1000 packets
  synchronization outbound anti-replay-interval: 10000 packets
  IPsec sa local duration(time based): 3600 seconds
  IPsec sa local duration(traffic based): 1843200 kilobytes
  policy enable: True
  tfc enable: Fals
display ipsec sa Use display ipsec sa to display information about IPsec SAs. Syntax display ipsec sa [ brief | policy policy-name [ seq-number ] | remote ip-address ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters brief: Displays brief information about all IPsec SAs. policy: Displays detailed information about IPsec SAs created by using a specified IPsec policy.
Table 22 Command output
Field          Description
Src Address    Local IP address. If this address is not concerned, this field displays an em dash (—).
Dst Address    Remote IP address. If this address is not concerned, this field displays an em dash (—).
SPI            Security parameter index.
Protocol       Security protocol used by IPsec.
Algorithm      Authentication algorithm and encryption algorithm used by the security protocol, where E indicates the encryption algorithm and A indicates the authentication algorithm.
  tunnel-id : 3
  session idle time/total duration (sec) : 36/300
  session flow : (8 times matched)
    Sour Addr : 15.15.15.1    Sour Port: 0    Protocol : 1
    Dest Addr : 15.15.15.2    Dest Port: 0    Protocol : 1
  ------------------------------------------------------------
  tunnel-id : 4
  session idle duration/total duration (sec) : 7/300
  session flow : (3 times matched)
    Sour Addr : 12.12.12.1    Sour Port: 0    Protocol : 1
    Dest Addr : 13.13.13.
display ipsec statistics Use display ipsec statistics to display IPsec packet statistics. Syntax display ipsec statistics [ tunnel-id integer ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters tunnel-id integer: Specifies an IPsec tunnel by its ID in the range of to 2000000000. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
  input/output security packets: 5124/8231
  input/output security bytes: 52348/64356
  input/output dropped security packets: 0/0
  dropped security packet detail:
    not enough memory: 0
    queue is full: 0
    authentication has failed: 0
    wrong length: 0
    replay packet: 0
    packet too long: 0
    wrong SA: 0
    ACL check failure: 0
Table 24 Command output
Field                            Description
Connection ID                    ID of the tunnel.
input/output security packets    Counts of inbound and outbound IPsec protected packets.
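The drop counters in this output are the first place to look when a tunnel carries traffic but the peer reports loss: "authentication has failed", "replay packet", "wrong SA" and "ACL check failure" point at tampering, replay or a policy mismatch, while "not enough memory" and "queue is full" are local resource problems. The parser below is an added example, not part of the HP manual, and the sample output is constructed in the shape shown above (the counter values are made up). It splits the "in/out" pairs from the single counters and returns every non-zero drop reason together with a flag for the security-relevant ones; the classification into security-relevant and resource reasons is the editor's, not the manual's.

```python
import re

# Constructed sample in the shape of "display ipsec statistics" output.
# Values are made up; a real device would be polled over SSH and the text fed in.
SAMPLE_OUTPUT = """\
  Connection ID: 3
  input/output security packets: 5124/8231
  input/output security bytes: 52348/64356
  input/output dropped security packets: 4/0
  dropped security packet detail:
    not enough memory: 0
    queue is full: 0
    authentication has failed: 3
    wrong length: 0
    replay packet: 1
    packet too long: 0
    wrong SA: 0
    ACL check failure: 0
"""

# Drop reasons that indicate tampering, replay or a peer/SA/policy mismatch
# rather than local resource pressure (editor's classification).
SECURITY_REASONS = {
    "authentication has failed", "replay packet", "wrong SA", "ACL check failure",
}

# 'key: value' where value is optional so section headers still match.
LINE_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>\S.*)?$")


def parse_ipsec_statistics(text):
    """Parse single counters to int and 'in/out' counters to (in, out) tuples."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("value") is None:
            continue  # e.g. 'dropped security packet detail:' has no value
        key, value = m.group("key"), m.group("value").strip()
        if re.fullmatch(r"\d+/\d+", value):
            inbound, outbound = value.split("/")
            stats[key] = (int(inbound), int(outbound))
        elif value.isdigit():
            stats[key] = int(value)
    return stats


def nonzero_drop_reasons(stats):
    """Return (reason, count, security_relevant) for each non-zero drop counter."""
    findings = []
    for key, value in stats.items():
        # Single-valued counters other than the tunnel ID are drop reasons.
        if isinstance(value, int) and key != "Connection ID" and value > 0:
            findings.append((key, value, key in SECURITY_REASONS))
    return findings


def audit(text):
    """Convenience wrapper: parse the output and list what is dropping."""
    return nonzero_drop_reasons(parse_ipsec_statistics(text))


if __name__ == "__main__":
    for reason, count, security in audit(SAMPLE_OUTPUT):
        print(f"{'SECURITY' if security else 'resource'}: {reason} = {count}")
```

A rising "authentication has failed" count with a healthy "input/output security packets" pair usually means one peer changed keys or transform sets; a rising "replay packet" count on a tunnel with reordering links is the signal to revisit the anti-replay window size rather than to disable the check.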
Default command level 1: Monitor level Parameters transform-set-name: Specifies the name of an IPsec transform set, a string of 1 to 32 characters. If you do not specify an IPsec transform set, the command displays information about all IPsec transform sets. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.
display ipsec tunnel Use display ipsec tunnel to display information about IPsec tunnels. Syntax display ipsec tunnel [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.
  flow:
  current Encrypt-card:
# Display information about IPsec tunnels in aggregation mode.
 display ipsec tunnel
 total tunnel: 2
 ------------------------------------------------
 connection id: 4
 perfect forward secrecy:
 SA's SPI:
   inbound : 2454606993 (0x924e5491) [ESP]
   outbound : 675720232 (0x2846ac28) [ESP]
 tunnel :
   local address: 44.44.44.44
   remote address : 44.44.44.
Default command level 2: System level Parameters transport: Uses transport mode. tunnel: Uses tunnel mode. Usage guidelines IPsec for IPv6 routing protocols supports only the transport mode. When IPsec uses IKEv1, this command can be used only in IPsec transform set view, and its related commands include only ipsec transform-set.
Usage guidelines The anti-replay function works based on sequence numbers. The ESN function extends the sequence number from 32 bits to 64 bits. A 32-bit sequence number must not wrap within one SA, so on an SA carrying a great quantity of traffic it forces a rekey each time the counter approaches exhaustion; ESN removes that limit and prevents the frequent rekeying caused by sequence number depletion. The ESN function takes effect only when it is enabled on both the initiator and responder. Examples # Enable ESN for IPsec transform set prop1.
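The guideline above and the ipsec anti-replay window command later in this chapter (window sizes 32 to 1024) describe the two halves of the receiver's replay defence: a bounded sliding window of recently seen sequence numbers, and a sequence number space wide enough that the SA does not have to be rekeyed when the counter runs out. The model below is an added example, not HP's implementation or code from the manual; it follows the sliding-window scheme of RFC 4303 Appendix A, accepts only the window widths the command allows, and shows the one thing ESN changes: the same high sequence number is rejected on a 32-bit SA and accepted on an ESN SA. The arrival order fed through the window is constructed for the example.

```python
SUPPORTED_WIDTHS = (32, 64, 128, 256, 512, 1024)  # values ipsec anti-replay window accepts


class AntiReplayWindow:
    """Receiver-side sliding window in the style of RFC 4303 Appendix A.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number top - i has been seen. Packets older than the
    window, or already marked in the bitmap, are rejected.
    """

    def __init__(self, width=1024, esn=False):
        if width not in SUPPORTED_WIDTHS:
            raise ValueError("window width must be one of %r" % (SUPPORTED_WIDTHS,))
        self.width = width
        self.esn = esn
        self.top = 0
        self.bitmap = 0

    def seq_limit(self):
        # ESN widens the per-SA sequence number from 32 to 64 bits.
        return 1 << 64 if self.esn else 1 << 32

    def check(self, seq):
        """Return True if `seq` is accepted (and record it), False if dropped."""
        # Sequence number 0 is never transmitted; a value that does not fit
        # the counter means the sender should have rekeyed already.
        if seq <= 0 or seq >= self.seq_limit():
            return False
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.width:
                self.bitmap = 1  # window moved entirely; only `seq` is seen
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.width) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.width:
            return False  # too old: fell out of the window
        if (self.bitmap >> diff) & 1:
            return False  # replay: already seen
        self.bitmap |= 1 << diff
        return True


def run_sample(width=64, esn=False):
    """Feed a constructed arrival order through one window; return decisions."""
    # Constructed sample: in-order packets, one replayed packet, a late but
    # in-window packet, then a jump that slides the window past old numbers.
    arrivals = [1, 2, 3, 2, 50, 20, 1500, 50]
    window = AntiReplayWindow(width=width, esn=esn)
    return [(seq, window.check(seq)) for seq in arrivals]


def wraps_without_esn():
    """The first value beyond 32 bits is only valid when ESN is enabled."""
    seq = 1 << 32
    return (AntiReplayWindow(esn=False).check(seq),
            AntiReplayWindow(esn=True).check(seq))


if __name__ == "__main__":
    for seq, accepted in run_sample():
        print(f"seq {seq:>5}: {'accept' if accepted else 'drop'}")
    print("seq 2**32 without/with ESN:", wraps_without_esn())
```

Run with a smaller width to see why a window that is too narrow for the path's reordering drops legitimate late packets as "too old", which is the case the window-size command exists to tune; the ESN setting must match on both peers or the sequence numbers will not line up at all, as the guideline states.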
system-view [Sysname] ipsec transform-set prop1 [Sysname-ipsec-transform-set-prop1] transform esp [Sysname-ipsec-transform-set-prop1] esp authentication-algorithm sha1 Related commands • ipsec transform-set • esp encryption-algorithm esp encryption-algorithm Use esp encryption-algorithm to specify encryption algorithms for ESP. Use undo esp encryption-algorithm to restore the default.
In FIPS mode, you must configure both ESP authentication and encryption. If you delete the specified authentication algorithm or encryption algorithm, ESP uses the default authentication algorithm or encryption algorithm. Examples # Configure IPsec transform set prop1 to use ESP and specify 3DES as the encryption algorithm for ESP.
system-view [Sysname] ipsec policy policy1 10 isakmp [Sysname-ipsec-policy-isakmp-policy1-10] ike-peer peer1 # Configure a reference to multiple IKE peers in an IPsec policy. system-view [Sysname] ipsec policy policy1 10 isakmp [Sysname-ipsec-policy-isakmp-policy1-10] ike-peer peer1 [Sysname-ipsec-policy-isakmp-policy1-10] ike-peer peer2 # Configure a reference to multiple IKE peers in an IPsec policy, and specify a primary IKE peer.
Examples # Specify IKEv2 profile profile1 for an IPsec policy. system-view [Sysname] ipsec policy map 1 isakmp [Sysname-ipsec-policy-isakmp-map-1] ikev2 profile profile1 Related commands • ikev2 profile (system view) • ipsec policy (system view) • ipsec profile (system view) ipsec anti-replay check Use ipsec anti-replay check to enable IPsec anti-replay checking. Use undo ipsec anti-replay check to disable IPsec anti-replay checking.
Default command level 2: System level Parameters width: Specifies the size of the anti-replay window. It can be 32, 64, 128, 256, 512, or 1024. Usage guidelines Your configuration affects only IPsec SAs negotiated later. Examples # Set the size of the anti-replay window to 64. system-view [Sysname] ipsec anti-replay window 64 ipsec binding policy Use ipsec binding policy to bind an IPsec policy, IPsec policy group or IPsec profile to the encryption card interface.
An IPsec policy template cannot be bound to an encryption card interface, but an IPsec policy originating from an IPsec policy template can. You can specify an encryption card as the primary card when binding an IPsec policy, IPsec policy group, or IPsec profile to the card. You can perform this configuration multiple times, but only the most recent configuration takes effect.
• ipsec profile (system view) ipsec cpu-backup enable Use ipsec cpu-backup enable to enable the IPsec module backup function. Use undo ipsec cpu-backup enable to disable the IPsec module backup function. Syntax ipsec cpu-backup enable undo ipsec cpu-backup enable Default The IPsec module backup function is enabled.
Default command level 2: System level Examples # Enable ACL checking of de-encapsulated IPsec packets. system-view [Sysname] ipsec decrypt check ipsec fragmentation before-encryption Use ipsec fragmentation before-encryption enable to enable fragmentation before encapsulation. Use undo ipsec fragmentation before-encryption enable to enable fragmentation after encapsulation.
undo ipsec invalid-spi-recovery enable Default The invalid SPI recovery is disabled. The receiver discards IPsec packets with invalid SPIs. Views System view Default command level 2: System level Usage guidelines Invalid SPI recovery enables an IPsec security gateway to send an INVALID SPI NOTIFY message to its peer when it receives an IPsec packet but cannot find any SA with the specified SPI. When the peer receives the message, it deletes the SAs on its side.
ipsec policy (interface view) Use ipsec policy to apply an IPsec policy group to an interface. Use undo ipsec policy to remove the application. Syntax ipsec policy policy-name undo ipsec policy [ policy-name ] Views Interface view Default command level 2: System level Parameters policy-name: Specifies the name of the existing IPsec policy group to be applied to the interface, a string of 1 to 15 characters. Usage guidelines Only one IPsec policy group can be applied to an interface.
Views System view Default command level 2: System level Parameters policy-name: Specifies the name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No minus sign (-) can be included. seq-number: Specifies the sequence number for the IPsec policy, in the range of 1 to 65535. gdoi: Sets up SAs through GDOI negotiation. isakmp: Sets up SAs through IKE negotiation. manual: Sets up SAs manually. Usage guidelines When creating an IPsec policy, you must specify the generation mode.
Views System view Default command level 2: System level Parameters policy-name: Specifies the name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No minus sign (-) can be included. seq-number: Specifies the sequence number for the IPsec policy, in the range of 1 to 65535. isakmp template template-name: Specifies the name of the IPsec policy template to be referenced. Usage guidelines In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.
loopback number: Specifies a loopback interface by giving its number. Usage guidelines The IPsec policy group and loopback interface to be referenced must have been created. The IPsec policy group to be referenced must have been configured with one or more IPsec policies.
Usage guidelines
Using the undo command without the seq-number argument deletes an IPsec policy template group. In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority.

Examples
# Create an IPsec policy template with the name template1 and the sequence number 100.
ipsec profile (tunnel interface view)

Use ipsec profile to apply an IPsec profile to a DVPN tunnel interface or an IPsec tunnel interface.
Use undo ipsec profile to remove the application.

Syntax
ipsec profile profile-name
undo ipsec profile

Default
No IPsec profile is applied to a DVPN tunnel interface or an IPsec tunnel interface, and no IPsec protection is provided.
Syntax
ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
undo ipsec sa global-duration { time-based | traffic-based }

Default
The time-based global SA lifetime is 3600 seconds, and the traffic-based global SA lifetime is 1843200 kilobytes.

Views
System view

Default command level
2: System level

Parameters
seconds: Specifies the time-based global SA lifetime in seconds, in the range of 180 to 604800.
Views
System view

Default command level
2: System level

Parameters
seconds: Specifies the IPsec session idle timeout in seconds, in the range of 60 to 3600.

Examples
# Set the IPsec session idle timeout to 600 seconds.
system-view
[Sysname] ipsec session idle-time 600

ipsec transform-set

Use ipsec transform-set to create an IPsec transform set and enter IPsec transform set view.
Use undo ipsec transform-set to delete an IPsec transform set.
Syntax
local-address { ipv4-address | ipv6 ipv6-address }
undo local-address

Default
The IP address of the interface to which the IPsec policy is applied is used as the local gateway IP address.

Views
IPsec policy view, IPsec policy template view

Default command level
2: System level

Parameters
ipv4-address: Specifies the IPv4 address of the local security gateway.
ipv6 ipv6-address: Specifies the IPv6 address of the local security gateway.
dh-group5: Uses the 1536-bit Diffie-Hellman group.
dh-group14: Uses the 2048-bit Diffie-Hellman group.

Usage guidelines
In terms of security and required calculation time, the four groups rank in descending order as follows: the 2048-bit Diffie-Hellman group (dh-group14), the 1536-bit Diffie-Hellman group (dh-group5), the 1024-bit Diffie-Hellman group (dh-group2), and the 768-bit Diffie-Hellman group (dh-group1).
[Sysname-ipsec-policy-isakmp-policy1-100] policy enable

Related commands
• ipsec policy (system view)
• ipsec policy-template

qos pre-classify

Use qos pre-classify to enable packet information pre-extraction.
Use undo qos pre-classify to restore the default.

Syntax
qos pre-classify
undo qos pre-classify

Default
Packet information pre-extraction is disabled.
Views
IPsec policy view, IPsec policy template view

Default command level
2: System level

Parameters
ipv6: Specifies an IPv6 address. Without this keyword, you must specify an IPv4 address.
hostname: Specifies the host name of the remote security gateway, a case-insensitive string of 1 to 255 characters. The host name uniquely identifies the remote IPsec peer and can be resolved to an IP address by the DNS server.
dynamic: Uses dynamic address resolution for the remote gateway host name.
policy-name: Specifies the name of the IPsec policy or IPsec profile, a case-sensitive string of 1 to 15 alphanumeric characters.
seq-number: Specifies the sequence number of the IPsec policy, in the range of 1 to 65535. If no seq-number is specified, all the policies in the IPsec policy group named policy-name are specified.
remote: Specifies SAs to or from the specified remote address, in dotted decimal notation.
ip-address: Specifies the remote address.
Parameters
integer: Specifies the ID of the IPsec tunnel, in the range of 1 to 2000000000.

Examples
# Clear all IPsec sessions.
reset ipsec session
# Clear the sessions of IPsec tunnel 5.
reset ipsec session tunnel-id 5

Related commands
display ipsec session

reset ipsec statistics

Use reset ipsec statistics to clear IPsec packet statistics.

Syntax
reset ipsec statistics

Views
User view

Default command level
1: Monitor level

Examples
# Clear IPsec packet statistics.
Parameters
static: Enables static IPsec Reverse Route Injection (RRI). Static IPsec RRI creates static routes based on the ACL that the IPsec policy references. This keyword is available only in IPsec policy view. If this keyword is not specified, you enable dynamic IPsec RRI, which creates static routes based on IPsec SAs.
remote-peer ip-address: Specifies a next hop for the static routes. To use the static routes for route backup and load balancing, specify this option.
IPsec RRI mode   Command                                        Route destination                  Next hop address
Dynamic          reverse-route remote-peer ip-address gateway   • Protected peer private network   • For the route destined for the protected peer private network, the next hop is the remote tunnel endpoint.
                                                                • Remote tunnel endpoint           • For the route destined for the remote tunnel endpoint, the next hop address is the address specified by the ip-address argument (outgoing interface: the interface where the IPsec policy is applied).
[Sysname-ipsec-policy-isakmp-1-1] reverse-route remote-peer 1.1.1.3 static
[Sysname-ipsec-policy-isakmp-1-1] quit
# Display the routing table. You can see that IPsec RRI has created the static route. (Other routes are not shown.)
[Sysname] display ip routing-table
...
Destination/Mask    Proto   Pre  Cost   NextHop     Interface
3.0.0.0/24          Static  60   0      1.1.1.3     Eth1/1
# Configure dynamic IPsec RRI to create static routes based on IPsec SAs.
reverse-route preference

Use reverse-route preference to change the preference of the static routes created by IPsec RRI.
Use undo reverse-route preference to restore the default.

Syntax
reverse-route preference preference-value
undo reverse-route preference

Views
IPsec policy view

Default command level
2: System level

Parameters
preference-value: Sets a preference value for the static routes created by IPsec RRI. The value range is 1 to 255. A smaller value represents a higher priority.
Default command level
2: System level

Parameters
tag-value: Sets a route tag for the static routes, in the range of 1 to 4294967295.

Usage guidelines
This command makes sense only when used together with the reverse-route command. When you change the route tag, static IPsec RRI deletes all static routes it has created and creates new static routes. In contrast, dynamic IPsec RRI applies the new route tag only to subsequent static routes. It does not delete or modify static routes it has created.
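The following model ties together the reverse-route behaviours described above: static RRI deriving routes from the referenced ACL with the remote-peer address as next hop, dynamic RRI deriving routes from IPsec SAs (with the additional host route to the remote tunnel endpoint when the gateway keyword is used), and the different way the two modes apply a changed route tag. It is an added example, not HP code; the preference value 60 is taken from the display output above and assumed to be the default, tag 0 is an assumed "no tag" value, and the /32 host mask on the tunnel-endpoint route is an assumption.

```python
"""Model of IPsec Reverse Route Injection (RRI) route creation and route-tag
handling. Added illustration, not HP code; routes, ACL destinations and SAs
are constructed inline."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Route:
    destination: str   # network or host, e.g. "3.0.0.0/24"
    next_hop: str
    preference: int
    tag: int


class RriPolicy:
    """One IPsec policy with reverse-route enabled.

    static=True  models 'reverse-route remote-peer ip-address static': routes
                 come from the destination networks of the referenced ACL.
    static=False models dynamic RRI: routes come from IPsec SAs as they come up;
                 with gateway=True (the 'gateway' keyword) a host route to the
                 remote tunnel endpoint is added as well.
    Preference 60 is the value in the display output above (assumed default);
    tag 0 is an assumed 'no tag' value.
    """

    def __init__(self, static: bool, remote_peer: Optional[str] = None,
                 gateway: bool = False, preference: int = 60, tag: int = 0):
        if static and remote_peer is None:
            raise ValueError("static RRI needs 'remote-peer ip-address' as the next hop")
        self.static = static
        self.remote_peer = remote_peer
        self.gateway = gateway
        self.preference = preference
        self.tag = tag
        self.routes: Set[Route] = set()
        self.acl_destinations: List[str] = []

    def _inject(self, destination: str, next_hop: str) -> None:
        # A static route to the same destination via the same next hop is not duplicated.
        if any(r.destination == destination and r.next_hop == next_hop for r in self.routes):
            return
        self.routes.add(Route(destination, next_hop, self.preference, self.tag))

    def reference_acl(self, destinations: List[str]) -> None:
        """security acl: static RRI derives one route per ACL rule destination."""
        self.acl_destinations = list(destinations)
        if self.static:
            for dest in self.acl_destinations:
                self._inject(dest, self.remote_peer)

    def sa_established(self, peer_private_net: str, remote_tunnel_endpoint: str) -> None:
        """An IPsec SA came up: dynamic RRI injects routes; static RRI ignores it."""
        if self.static:
            return
        # Route to the protected peer network, next hop = remote tunnel endpoint.
        self._inject(peer_private_net, remote_tunnel_endpoint)
        if self.gateway and self.remote_peer is not None:
            # Route to the remote tunnel endpoint itself, next hop = ip-address
            # argument. The /32 host mask is an assumption of this model.
            self._inject(remote_tunnel_endpoint + "/32", self.remote_peer)

    def set_tag(self, new_tag: int) -> None:
        """reverse-route tag: static RRI rebuilds every route it created with the
        new tag; dynamic RRI keeps existing routes and tags only later ones."""
        self.tag = new_tag
        if self.static:
            self.routes.clear()
            for dest in self.acl_destinations:
                self._inject(dest, self.remote_peer)

    def routing_table(self) -> List[str]:
        """Rows in the style of 'display ip routing-table' (RRI routes only)."""
        return [f"{r.destination:<18} Static {r.preference:<4} 0 {r.next_hop:<12} tag {r.tag}"
                for r in sorted(self.routes, key=lambda r: r.destination)]


if __name__ == "__main__":
    static = RriPolicy(static=True, remote_peer="1.1.1.3")
    static.reference_acl(["3.0.0.0/24"])             # ACL rule destination 3.0.0.0/24
    dynamic = RriPolicy(static=False, remote_peer="1.1.1.3", gateway=True)
    dynamic.sa_established("3.0.0.0/24", "2.2.2.2")  # SA to tunnel endpoint 2.2.2.2
    for policy in (static, dynamic):
        print("\n".join(policy.routing_table()))
```

Calling set_tag on the static policy replaces its whole route set, while calling it on the dynamic policy leaves the routes already injected untouched and only stamps routes created by later SAs, which is exactly the difference the usage guideline draws.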
string for SHA2, or a 16-byte hexadecimal string for AES-XCBC-MAC. If neither cipher nor simple is specified, you set a plaintext authentication key string.

Usage guidelines
This command applies to only manual IPsec policies. When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound SAs.
Parameters
seconds: Specifies the time-based SA lifetime in seconds, in the range of 180 to 604800.
kilobytes: Specifies the traffic-based SA lifetime in kilobytes, in the range of 2560 to 4294967295.

Usage guidelines
When negotiating to set up an SA, IKE prefers the lifetime settings of the IPsec policy or IPsec profile that it uses.
Default command level
2: System level

Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
esp: Uses ESP.
cipher: Sets a ciphertext encryption key.
simple: Sets a plaintext encryption key.
hex-key: Specifies the key string. If cipher is specified, this argument is case sensitive and must be a ciphertext string of 1 to 117 characters.
Use undo sa spi to remove the configuration.

Syntax
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }

Default
An SA does not have an SPI.

Views
IPsec policy view

Default command level
2: System level

Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
sa string-key

Use sa string-key to set a key string for an SA.
Use undo sa string-key to remove the configuration.

Syntax
sa string-key { inbound | outbound } { ah | esp } [ cipher | simple ] string-key
undo sa string-key { inbound | outbound } { ah | esp }

Views
IPsec policy view

Default command level
2: System level

Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
• Enter the keys in the same format on all routers. For example, if you enter the keys in hexadecimal format on one router, do so across the defined scope.

Examples
# Configure the inbound and outbound SAs that use AH to use the plaintext keys abcdef and efcdab, respectively.
An IPsec policy references only one ACL. If you specify more than one ACL for an IPsec policy, the IPsec policy references the one last specified. In a GDOI IPsec policy view, you cannot specify an IPv6 ACL, nor specify the aggregation keyword. Packets matching a permit rule of the specified ACL are discarded.

Examples
# Configure IPsec policy policy1 to reference ACL 3001.
system-view
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.
Usage guidelines
The TFC padding function helps conceal the length of the original packets, but might adversely affect the packet encapsulation and de-encapsulation performance. This function applies to only two types of IP packets:
• IP packets that are encapsulated by ESP in tunnel mode
• IP packets that carry UDP datagrams and are encapsulated by ESP in transport mode.

Examples
# Enable the TFC padding function.
transform-set

Use transform-set to specify an IPsec transform set for the IPsec policy or IPsec profile to reference.
Use undo transform-set to remove an IPsec transform set referenced by the IPsec policy or IPsec profile.

Syntax
transform-set transform-set-name&<1-6>
undo transform-set [ transform-set-name ]

Default
An IPsec policy or IPsec profile references no IPsec transform set.
tunnel local

Use tunnel local to configure the local address of an IPsec tunnel.
Use undo tunnel local to remove the configuration.

Syntax
tunnel local ip-address
undo tunnel local

Default
No local address is configured for an IPsec tunnel.

Views
IPsec policy view

Default command level
2: System level

Parameters
ip-address: Specifies the local address for the IPsec tunnel.

Usage guidelines
This command applies to only manual IPsec policies.
Views
IPsec policy view

Default command level
2: System level

Parameters
ip-address: Specifies the remote address for the IPsec tunnel.

Usage guidelines
This command applies to only manual IPsec policies. If you configure the remote address multiple times, the most recent configuration takes effect. An IPsec tunnel is established between the local and remote ends. The remote address configured at the local end must be the same as the local address configured at the remote end.
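A manual IPsec policy only works when both ends are configured as mirror images of each other, and nothing on the router checks that for you before the tunnel fails silently. The following pre-deployment check, an added example rather than HP code, encodes the guidelines above for sa spi, sa string-key, tunnel local and tunnel remote: both inbound and outbound SAs must be set, one end's tunnel remote must be the other end's tunnel local, one end's outbound SA must match the other end's inbound SA in protocol, SPI and key (a general IPsec fact), and keys must be entered in the same format on all routers. The SPI values 12345 and 54321 and the tunnel addresses are constructed for the illustration; the AH keys are the abcdef/efcdab pair from the example above.

```python
"""Consistency check for a pair of manual IPsec policies. Added illustration,
not HP code; the two policies below are constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ManualSa:
    protocol: str     # "ah" or "esp"
    spi: int          # value given with 'sa spi'
    key: str          # value given with 'sa string-key' (or a hex key)
    key_format: str   # "string" or "hex": the format the key was entered in


@dataclass
class ManualPolicy:
    name: str
    tunnel_local: str
    tunnel_remote: str
    inbound: Optional[ManualSa] = None
    outbound: Optional[ManualSa] = None


def check_policy(p: ManualPolicy) -> List[str]:
    """A manual IPsec policy must carry both an inbound and an outbound SA."""
    return [f"{p.name}: {d} SA is not configured"
            for d in ("inbound", "outbound") if getattr(p, d) is None]


def check_pair(a: ManualPolicy, b: ManualPolicy) -> List[str]:
    """Check that the policies on the two tunnel ends mirror each other."""
    errors = check_policy(a) + check_policy(b)
    if errors:
        return errors
    # tunnel remote on one end must be tunnel local on the other end
    for x, y in ((a, b), (b, a)):
        if x.tunnel_remote != y.tunnel_local:
            errors.append(f"{x.name}: tunnel remote {x.tunnel_remote} is not "
                          f"{y.name}'s tunnel local {y.tunnel_local}")
    # One end's outbound SA is the other end's inbound SA (general IPsec
    # fact): protocol, SPI and key must agree.
    for x, y in ((a, b), (b, a)):
        out, inb = x.outbound, y.inbound
        if (out.protocol, out.spi) != (inb.protocol, inb.spi):
            errors.append(f"{x.name} outbound {out.protocol} SPI {out.spi} does not "
                          f"match {y.name} inbound {inb.protocol} SPI {inb.spi}")
        elif out.key != inb.key:
            errors.append(f"SPI {out.spi}: key on {x.name} outbound differs "
                          f"from {y.name} inbound")
    # Keys must be entered in the same format on all routers.
    formats = {sa.key_format for sa in (a.inbound, a.outbound, b.inbound, b.outbound)}
    if len(formats) > 1:
        errors.append("keys entered in mixed formats: " + ", ".join(sorted(formats)))
    return errors


# Constructed sample: the AH keys abcdef/efcdab from the example above, with
# SPIs 12345/54321 and tunnel addresses chosen for this illustration.
ROUTER_A = ManualPolicy("RouterA", "1.1.1.1", "2.2.2.2",
                        inbound=ManualSa("ah", 12345, "abcdef", "string"),
                        outbound=ManualSa("ah", 54321, "efcdab", "string"))
ROUTER_B = ManualPolicy("RouterB", "2.2.2.2", "1.1.1.1",
                        inbound=ManualSa("ah", 54321, "efcdab", "string"),
                        outbound=ManualSa("ah", 12345, "abcdef", "string"))

if __name__ == "__main__":
    print(check_pair(ROUTER_A, ROUTER_B) or "policies are consistent")
```

Run it over the intended configuration of both routers before pushing it; a mismatched SPI, a key typed with the wrong case on one side, or a hex key on one router and a string key on the other all surface as explicit errors instead of as an SA that never passes traffic.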
IKE configuration commands

The following matrix shows the FIPS and hardware compatibility:

Hardware    FIPS mode
MSR900      No.
MSR93X      No.
MSR20-1X    No.
MSR20       Yes.
MSR30       Yes (except the MSR30-16).
MSR50       Yes.
MSR1000     Yes.

authentication-algorithm

Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.
Use undo authentication-algorithm to restore the default.
authentication-method

Use authentication-method to specify an authentication method for an IKE proposal.
Use undo authentication-method to restore the default.

Syntax
authentication-method { pre-share | rsa-signature }
undo authentication-method

Default
An IKE proposal uses the pre-shared key authentication method.

Views
IKE proposal view

Default command level
2: System level

Parameters
pre-share: Uses the pre-shared key method.
rsa-signature: Uses the RSA digital signature method.
Examples
# Configure the PKI domain as abcde for IKE negotiation.
system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] certificate domain abcde

Related commands
• authentication-method
• pki domain

dh

Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal.
Use undo dh to restore the default.

Syntax
dh { group1 | group2 | group5 | group14 }
undo dh

Default
In FIPS mode, IKE phase 1 key negotiation uses group2, the 1024-bit Diffie-Hellman group.
display ike dpd

Use display ike dpd to display information about Dead Peer Detection (DPD) detectors.

Syntax
display ike dpd [ dpd-name ] [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
dpd-name: Specifies the DPD name, a string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
display ike peer

Use display ike peer to display information about IKE peers.

Syntax
display ike peer [ peer-name ] [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
peer-name: Specifies the name of the IKE peer, a string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Field               Description
local ip address    IP address of the local security gateway.
peer name           Name of the remote security gateway.
nat traversal       Whether NAT traversal is enabled.
dpd                 Name of the peer DPD detector.

Related commands
ike peer

display ike proposal

Use display ike proposal to view the settings of all IKE proposals.
Field                       Description
authentication method       Authentication method used by the IKE proposal.
authentication algorithm    Authentication algorithm used by the IKE proposal.
encryption algorithm        Encryption algorithm used by the IKE proposal.
Diffie-Hellman group        DH group used in IKE negotiation phase 1.
duration (seconds)          ISAKMP SA lifetime (in seconds) of the IKE proposal.
Usage guidelines
If you do not specify any parameters or keywords, the command displays brief information about the current IKE SAs.

Examples
# Display brief information about the current IKE SAs.
display ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
    1              202.38.0.2      RD|ST       1       IPSEC
    2              202.38.0.
Field    Description
doi      Interpretation domain the SA belongs to.
         • IPSEC—The SA is negotiated through IKE.
         • GROUP—The SA is negotiated through GDOI.

# Display detailed information about the current IKE SAs.
display ike sa verbose
  ---------------------------------------------
  connection id: 2
  vpn-instance:
  transmitting entity:
  ---------------------------------------------
  local ip: 4.4.4.4
  local id type: IPV4_ADDR
  local id: 4.4.4.4
  remote ip: 4.4.4.5
  remote id type: IPV4_ADDR
  remote id: 4.4.4.
  life duration(sec): 86400
  remaining key duration(sec): 82480
  exchange-mode: MAIN
  diffie-hellman group: GROUP1
  nat traversal: NO
# Display detailed information about the IKE SA with the remote address of 4.4.4.5.
display ike sa verbose remote-address 4.4.4.5
  ---------------------------------------------
  connection id: 2
  vpn-instance:
  transmitting entity: initiator
  local ip: 4.4.4.4
  local id type: IPV4_ADDR
  local id: 4.4.4.4
  remote ip: 4.4.4.5
  remote id type: IPV4_ADDR
  remote id: 4.4.4.
Field                          Description
life duration(sec)             Lifetime of the ISAKMP SA in seconds.
remaining key duration(sec)    Remaining lifetime of the ISAKMP SA in seconds.
exchange-mode                  IKE negotiation mode in phase 1.
diffie-hellman group           DH group used for key negotiation in IKE phase 1.
nat traversal                  Whether NAT traversal is enabled.

Related commands
• ike proposal
• ike peer

dpd

Use dpd to apply a DPD detector to an IKE peer.
Use undo dpd to remove the application.
Default
In FIPS mode, DES-CBC and 3DES-CBC are not supported, and an IKE proposal uses the 128-bit AES algorithm in CBC mode for encryption. In non-FIPS mode, an IKE proposal uses the 56-bit DES algorithm in CBC mode for encryption.

Views
IKE proposal view

Default command level
2: System level

Parameters
3des-cbc: Uses the 3DES algorithm in CBC mode as the encryption algorithm. The 3DES algorithm uses 168-bit keys for encryption.
aes-cbc: Uses the AES algorithm in CBC mode as the encryption algorithm.
Parameters
aggressive: Specifies the aggressive mode. This keyword is not available in FIPS mode.
main: Specifies the main mode.

Usage guidelines
When the user (for example, a dial-up user) at the remote end of an IPsec tunnel obtains an IP address automatically and pre-shared key authentication is used, HP recommends setting the IKE negotiation mode to aggressive at the local end. In FIPS mode, the aggressive mode is not supported.

Examples
# Specify that IKE negotiation operates in main mode.
Examples
# Use the ID type of name during IKE negotiation.
system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] id-type name

Related commands
• local-name
• ike local-name
• remote-name
• remote-address
• local-address
• exchange-mode

ike dpd

Use ike dpd to create a DPD detector and enter IKE DPD view.
Use undo ike dpd to remove a DPD detector.
[Sysname] ike dpd dpd2

Related commands
• display ike dpd
• interval-time
• time-out

ike local-name

Use ike local-name to configure a name for the local security gateway.
Use undo ike local-name to restore the default.

Syntax
ike local-name name
undo ike local-name

Default
The device name is used as the name of the local security gateway.
ike next-payload check disabled

Use ike next-payload check disabled to disable checking of the Next payload field in the last payload of an IKE message during IKE negotiation, for interoperation with products that assign the field a value other than zero.
Use undo ike next-payload check disabled to restore the default.

Syntax
ike next-payload check disabled
undo ike next-payload check disabled

Default
The Next payload field is checked.
ike proposal

Use ike proposal to create an IKE proposal and enter IKE proposal view.
Use undo ike proposal to delete an IKE proposal.

Syntax
ike proposal proposal-number
undo ike proposal proposal-number

Views
System view

Default command level
2: System level

Parameters
proposal-number: Specifies the IKE proposal number, in the range of 1 to 65535. The lower the number, the higher the priority of the IKE proposal.
Views
System view

Default command level
2: System level

Parameters
seconds: Specifies the transmission interval of ISAKMP SA keepalives in seconds, in the range of 20 to 28800.

Usage guidelines
The keepalive interval configured at the local end must be shorter than the keepalive timeout configured at the remote end.

Examples
# Set the keepalive interval to 200 seconds.
Related commands
ike sa keepalive-timer interval

ike sa nat-keepalive-timer interval

Use ike sa nat-keepalive-timer interval to set the NAT keepalive interval.
Use undo ike sa nat-keepalive-timer interval to disable the function.

Syntax
ike sa nat-keepalive-timer interval seconds
undo ike sa nat-keepalive-timer interval

Default
The NAT keepalive interval is 20 seconds.
Examples
# Set the DPD interval to 1 second for dpd2.
system-view
[Sysname] ike dpd dpd2
[Sysname-ike-dpd-dpd2] interval-time 1

local

Use local to set the subnet type of the local security gateway for IKE negotiation.
Use undo local to restore the default.

Syntax
local { multi-subnet | single-subnet }
undo local

Default
The subnet is a single one.

Views
IKE peer view

Default command level
2: System level

Parameters
multi-subnet: Sets the subnet type to multiple.
Views
IKE peer view

Default command level
2: System level

Parameters
ip-address: Specifies the IP address of the local security gateway to be used in IKE negotiation.

Examples
# Set the IP address of the local security gateway to 1.1.1.1.
system-view
[Sysname] ike peer xhy
[Sysname-ike-peer-xhy] local-address 1.1.1.1

local-name

Use local-name to configure a name for the local security gateway to be used in IKE negotiation.
Use undo local-name to restore the default.
[Sysname-ike-peer-peer1] local-name localgw

Related commands
• remote-name
• id-type

nat traversal

Use nat traversal to enable the NAT traversal function of IKE/IPsec.
Use undo nat traversal to disable the NAT traversal function of IKE/IPsec.

Syntax
nat traversal
undo nat traversal

Default
The NAT traversal function is disabled.

Views
IKE peer view

Default command level
2: System level

Examples
# Enable the NAT traversal function for IKE peer peer1.
single-subnet: Sets the subnet type to single.

Usage guidelines
Use this command to enable interoperability with a NetScreen device.

Examples
# Set the subnet type of the peer security gateway to multiple.
system-view
[Sysname] ike peer xhy
[Sysname-ike-peer-xhy] peer multi-subnet

pre-shared-key

Use pre-shared-key to configure the pre-shared key to be used in IKE negotiation.
Use undo pre-shared-key to remove the configuration.
proposal (IKE peer view)

Use proposal to specify the IKE proposals for the IKE peer to reference.
Use undo proposal to remove one or all IKE proposals referenced by the IKE peer.

Syntax
proposal proposal-number&<1-6>
undo proposal [ proposal-number ]

Default
An IKE peer references no IKE proposals and, when initiating IKE negotiation, it uses the IKE proposals configured in system view.
Default command level
2: System level

Parameters
hostname: Specifies the host name of the IPsec remote security gateway, a case-insensitive string of 1 to 255 characters. The host name uniquely identifies the remote IPsec peer and can be resolved to an IP address by the DNS server.
dynamic: Uses dynamic address resolution for the IPsec remote peer name. If you do not provide this keyword, the local end resolves the remote host name only once, after you configure the remote host name.
Syntax
remote-name name
undo remote-name

Views
IKE peer view

Default command level
2: System level

Parameters
name: Specifies the name of the peer security gateway for IKE negotiation, a string of 1 to 255 characters.
When you clear a local IPsec SA, its ISAKMP SA can transmit the Delete message to notify the remote end to delete the paired IPsec SA. If the ISAKMP SA has been cleared, the local end cannot notify the remote end to clear the paired IPsec SA, and you must manually clear the remote IPsec SA.

Examples
# Clear the IKE SA that uses connection ID 2.
display ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
    1              202.38.0.
Examples
# Specify the ISAKMP SA lifetime for IKE proposal 10 as 600 seconds (10 minutes).
system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10] sa duration 600

Related commands
• ike proposal
• display ike proposal

time-out

Use time-out to set the DPD packet retransmission interval for a DPD detector.
Use undo time-out to restore the default.
IKEv2 configuration commands

address

Use address to configure a peer host address or address range. When working as an IKEv2 negotiation initiator, the local end uses this information to identify a peer.
Use undo address to delete a peer host address or address range.

Syntax
address { ipv4-address [ mask-length ] | ipv6 ipv6-address [ prefix-length ] }
undo address { ipv4-address [ mask-length ] | ipv6 ipv6-address [ prefix-length ] }

Default
An IKEv2 peer has no peer host address or address range.
Syntax
authentication { local | remote } { pre-share | rsa-sig }
undo authentication { local | remote { pre-share | rsa-sig } }

Default
Both the local end and the remote end use the pre-shared key authentication method.

Views
IKEv2 profile view

Default command level
2: System level

Parameters
local: Specifies the local identity authentication method.
remote: Specifies the remote identity authentication method.
pre-share: Uses the pre-shared key authentication method.
client configuration address respond

Use client configuration address respond to enable the device to accept IP address allocation requests from IKEv2 negotiation initiators.
Use undo client configuration address respond to restore the default.

Syntax
client configuration address respond
undo client configuration address respond

Default
The device does not accept IP address allocation requests from initiators.
Views
IKEv2 profile view

Default command level
2: System level

Usage guidelines
In a scenario where remote users use IPsec VPN to access the enterprise network and the remote hosts need temporary IP addresses for IPsec communication, the branch gateways must generate and send address allocation requests to the headquarters gateway, and the headquarters gateway must accept the requests.

Examples
# Create an IKEv2 profile named profile1.
Usage guidelines
With no parameter specified, the command displays the configuration information of all IKEv2 policies, including all user-defined policies and the system predefined policy.

Examples
# Display the configuration information of all IKEv2 policies.
display ikev2 policy
IKEv2 policy : 1
  Match local : 1.1.1.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines
With no parameter specified, the command displays the configuration information of all IKEv2 profiles.

Examples
# Display the configuration information of all IKEv2 profiles.
display ikev2 profile
IKEv2 profile : 1
  Match : match address local 1.1.1.
Parameters
proposal-name: Specifies the IKEv2 proposal name, a case-insensitive string of 1 to 32 characters.
default: Specifies the system predefined IKEv2 proposal default.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
display ikev2 sa

Use display ikev2 sa to display the current IKEv2 SA information.

Syntax
display ikev2 sa [ { local | remote } { ipv4-address | ipv6 ipv6-address } ] [ verbose ] [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
local: Displays information about the IKEv2 SAs that use a specified local address.
remote: Displays information about the IKEv2 SAs that use a specified remote address.
  transmitting entity : initiator
  local spi : 8f8af3dbf5023a00
  remote spi : 0131565b9b3155fa
  -----------------------------------------------
  local ip : 1.1.1.1
  local id type : ID_FQDN
  local id : router_a
  remote ip : 1.1.1.
Field                          Description
remaining key duration(sec)    Remaining time of the IKEv2 SA in seconds.
local req msg id               Sequence number of the local request.
remote req msg id              Sequence number of the remote request.
local next msg id              Sequence number of the next message the local end is expecting.
remote next msg id             Sequence number of the next message the remote end is expecting.

display ikev2 statistics

Use display ikev2 statistics to display IKEv2 negotiation statistics.
Field                      Description
Max in nego                Maximum number of IKEv2 SAs that can be concurrently negotiated.
Total IKEv2 SA Count       Total number of IKEv2 SAs.
active                     Number of IKEv2 SAs established.
negotiating                Number of IKEv2 SAs under negotiation.
Rejected IKEv2 Requests    Total number of rejected IKEv2 negotiation requests.
SA limit                   Number of IKEv2 negotiation requests rejected because the maximum number of IKEv2 SAs was reached.
Examples
# Create an IKEv2 profile named profile1.
system-view
[Sysname] ikev2 profile profile1
# Configure on-demand IKEv2 DPD and set the interval to 15 seconds.
[Sysname-ikev2-profile-profile1] dpd 15 on-demand

Related commands
• display ikev2 profile
• ikev2 dpd

encryption

Use encryption to specify encryption algorithms for an IKEv2 proposal.
Use undo encryption to restore the default.
Usage guidelines
A stronger algorithm provides higher security but requires more resources. The algorithms, in ascending order of security strength, are DES, 3DES, 128-bit AES-CBC, 192-bit AES-CBC, and 256-bit AES-CBC. You can specify multiple encryption algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.
IMPORTANT:
You must specify at least one encryption algorithm for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless.
You can specify multiple DH groups for an IKEv2 proposal. A group specified earlier has a higher priority.
IMPORTANT:
You must specify at least one DH group for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless.

Examples
# Create an IKEv2 proposal named prop1.
system-view
[Sysname] ikev2 proposal prop1
# Specify the DH groups 5 and 2 for the proposal, with group 5 preferred.
# Configure the host name test for the peer.
[Sysname-ikev2-keyring-keyr1-peer-peer1] hostname test

Related commands
peer (IKEv2 keyring view)

identity (IKEv2 peer view)

Use identity to specify an ID for an IKEv2 peer. When working as an IKEv2 negotiation responder, the device uses this information to identify an IKEv2 peer and search for the pre-shared key. When initiating an IKEv2 negotiation, the initiator does not know the ID of a peer.
Use undo identity to delete the ID.
Related commands
peer (IKEv2 keyring view)

identity local

Use identity local to configure the local identity information. The device uses this information as its own ID during the IKE_AUTH exchange.
Use undo identity local to delete the local identity information.
[Sysname-ikev2-profile-profile1] identity local address 2.2.2.2

Related commands
display ikev2 profile

ikev2 { ip-pool | ipv6-pool }

Use ikev2 { ip-pool | ipv6-pool } to configure an address pool for IKEv2 to use to assign addresses to peers.
Use undo ikev2 { ip-pool | ipv6-pool } to delete an address pool.
[Sysname] ikev2 ipv6-pool ipv6pool 1:1::1:1 1:1::1:2

Related commands
client configuration address respond

ikev2 cookie-challenge

Use ikev2 cookie-challenge to enable the cookie challenging function and set the maximum number of half-open IKE SAs. This function can protect an IKEv2 responder against DoS attacks that use a large number of source IP addresses to forge IKE_INIT_SA requests.
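The protection the command provides rests on the IKEv2 cookie exchange of RFC 7296, section 2.6: once the responder has too many half-open SAs it stops allocating state for new IKE_SA_INIT requests and instead answers with a cookie that the initiator has to echo back, so a request from a forged source address, which never sees the cookie, never consumes state. The toy responder below is an added example and not HP code; its assumptions are that the challenge starts when the half-open count reaches the configured maximum, and that the cookie is an HMAC over the initiator address, SPI and nonce under a responder-only secret (one valid construction of the stateless cookie the RFC describes). The addresses, SPIs and nonces are constructed.

```python
"""Toy IKEv2 responder demonstrating the cookie challenge behind
'ikev2 cookie-challenge' (RFC 7296, section 2.6). Added illustration, not HP
code; threshold semantics and cookie construction are this example's assumptions."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


class Ikev2Responder:
    def __init__(self, max_half_open: int, secret: Optional[bytes] = None):
        self.max_half_open = max_half_open
        # Responder-only secret; a real implementation rotates it periodically.
        self.secret = secret if secret is not None else os.urandom(32)
        self.half_open: Dict[bytes, str] = {}   # initiator SPI -> initiator IP

    def _cookie(self, src_ip: str, spi_i: bytes, nonce_i: bytes) -> bytes:
        # Stateless: recomputable from the request itself, so nothing is stored
        # for a request whose source address may be forged.
        msg = src_ip.encode() + b"|" + spi_i + b"|" + nonce_i
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def handle_ike_sa_init(self, src_ip: str, spi_i: bytes, nonce_i: bytes,
                           cookie: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
        """Process an IKE_SA_INIT request.

        Returns ("COOKIE", cookie) when the initiator must retry carrying the
        cookie, or ("IKE_SA_INIT", None) when a half-open SA was created."""
        if len(self.half_open) >= self.max_half_open:
            expected = self._cookie(src_ip, spi_i, nonce_i)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return "COOKIE", expected   # no state allocated for this request
        self.half_open[spi_i] = src_ip
        return "IKE_SA_INIT", None

    def ike_auth_completed(self, spi_i: bytes) -> None:
        """IKE_AUTH finished: the SA is established and no longer half open."""
        self.half_open.pop(spi_i, None)

    def half_open_count(self) -> int:
        return len(self.half_open)


if __name__ == "__main__":
    responder = Ikev2Responder(max_half_open=2)
    # Two genuine initiators open SAs; a third request is met with a challenge
    # and is only admitted once it comes back carrying the cookie.
    responder.handle_ike_sa_init("10.0.0.1", b"\x01" * 8, b"nonce-1")
    responder.handle_ike_sa_init("10.0.0.2", b"\x02" * 8, b"nonce-2")
    kind, cookie = responder.handle_ike_sa_init("10.0.0.3", b"\x03" * 8, b"nonce-3")
    print(kind, responder.half_open_count())                          # COOKIE 2
    kind, _ = responder.handle_ike_sa_init("10.0.0.3", b"\x03" * 8, b"nonce-3", cookie)
    print(kind, responder.half_open_count())                          # IKE_SA_INIT 3
```

The point to take from the model is what the responder does not do: while the limit is reached it keeps no record of challenged requests, so a flood of IKE_SA_INIT messages from spoofed addresses costs it one HMAC per packet and no memory, while legitimate initiators, which do receive the cookie, still get through on their retry.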
Default command level
2: System level

Parameters
interval: Specifies the IKEv2 DPD interval in seconds, in the range of 1 to 300.
on-demand: Specifies DPD in on-demand mode.
periodic: Specifies DPD in periodic mode.

Usage guidelines
In on-demand mode, the DPD function works as follows:
1. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.
2.
Usage guidelines
For the device to work as an initiator, you must configure the peer's host name, host IP address, or address range. For the device to work as a responder, you must configure the peer's host IP address, address range, or ID.

Examples
# Create an IKEv2 keyring named keyr1.
system-view
[Sysname] ikev2 keyring keyr1
# Create a peer named peer1 for the keyring, configure the IP address range 3.3.3.0/24 as the identity information of the peer, and set the pre-shared key to abcdef.
Parameters
max-in-negotiation-sa limit: Specifies the maximum number of half-open IKEv2 SAs, in the range of 1 to 2000. IKEv2 SAs being rekeyed are not counted in the number.
max-sa limit: Specifies the maximum number of established IKEv2 SAs at the local end, in the range of 100 to 20000. Rekeyed IKEv2 SAs are not counted in the number if the old ones are already counted.

Examples
# Set the maximum number of half-open IKEv2 SAs to 100.
When IKEv2 policies are matched according to local IP address, an IKEv2 policy with a local address configured takes precedence over an IKEv2 policy with no local address configured. If no IKEv2 policy is configured, IKEv2 uses the system predefined IKEv2 policy default.

Examples
# Create an IKEv2 policy named prop1, assign IKEv2 proposal prop1 to it, and specify the local address 2.2.2.2 for it.
Views
System view
Default command level
2: System level
Parameters
profile-name: Specifies the IKEv2 profile name, a case-insensitive string of 1 to 32 characters.
Examples
# Create an IKEv2 profile named profile1, and enter its view.
• DH groups 2 and 5
A complete IKEv2 proposal must have at least one set of security parameters, including one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group. In an IKEv2 proposal, you can configure multiple algorithms of the same type. As a result, you get multiple sets of security parameters, which are combinations of the algorithms. If you want to use only one set of security parameters, configure only one set of algorithms for the IKEv2 proposal.
# On the intended IKEv2 negotiation responder, configure an IKEv2 proposal named propb that includes the encryption algorithms AES-CBC-128 and 3DES, integrity protection algorithms MD5 and SHA1, PRF algorithms MD5 and SHA1, and DH groups 5 and 2.
Usage guidelines
You can specify multiple integrity protection algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.
IMPORTANT:
You must specify at least one integrity protection algorithm for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless.
Examples
# Create an IKEv2 proposal named prop1.
system-view
[Sysname] ikev2 proposal prop1
# Specify the integrity protection algorithms MD5 and SHA1 for the proposal, with MD5 preferred.
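As an added illustration (not code from the HP reference or the device), the following Python expands a proposal's algorithm lists into the combinations described above, in the priority order the reference gives (earlier algorithm and earlier proposal first), and flags the sets that still contain MD5 or 3DES. The proposal dictionaries and the simplified "first set both sides offer" negotiation are constructed assumptions, not the device's implementation.

```python
"""Expand IKEv2 proposals into their sets of security parameters.

Added example, not code from the HP MSR command reference. It models the
rule the reference states: every algorithm list in a proposal is expanded
into all combinations of one encryption, one integrity, one PRF and one DH
algorithm, and an algorithm or proposal listed earlier ranks higher. The
negotiation below is a simplification (first initiator set the responder
also offers), not the device's IKEv2 implementation."""

from itertools import product
from typing import Dict, List, Optional, Tuple

# Order of algorithm types inside one set of security parameters.
ALG_TYPES = ("encryption", "integrity", "prf", "dh")

# One set of security parameters, e.g. ("aes-cbc-128", "sha1", "sha1", "group2").
ParamSet = Tuple[str, str, str, str]
Proposal = Dict[str, List[str]]


def expand_proposal(proposal: Proposal) -> List[ParamSet]:
    """Return every combination the proposal yields, most preferred first.

    Raises ValueError for an incomplete proposal: the reference states a
    proposal lacking an algorithm of any type is incomplete and useless.
    """
    for alg_type in ALG_TYPES:
        if not proposal.get(alg_type):
            raise ValueError(f"proposal has no {alg_type} algorithm")
    # product() varies the last list fastest, so with every list kept in
    # configured order the first tuple is the all-first-choice combination.
    return list(product(*(proposal[t] for t in ALG_TYPES)))


def expand_policy(policy: List[Proposal]) -> List[ParamSet]:
    """Flatten a policy (at most six proposals, earlier preferred) into one
    priority-ordered list; a set seen twice keeps its earlier rank."""
    if len(policy) > 6:
        raise ValueError("an IKEv2 policy references at most six proposals")
    ordered: List[ParamSet] = []
    for proposal in policy:
        for params in expand_proposal(proposal):
            if params not in ordered:
                ordered.append(params)
    return ordered


def negotiate(initiator: List[Proposal],
              responder: List[Proposal]) -> Optional[ParamSet]:
    """Simplified selection: the first initiator set the responder also
    offers, or None when the two sides have no set in common."""
    offered = set(expand_policy(responder))
    for params in expand_policy(initiator):
        if params in offered:
            return params
    return None


def weak_sets(sets: List[ParamSet]) -> List[ParamSet]:
    """Sets containing an algorithm a reviewer would flag. The list of weak
    algorithms is this example's own choice, not from the reference."""
    weak = {"md5", "3des"}
    return [s for s in sets if weak.intersection(s)]


# Constructed to mirror the propb example: two algorithms of every type,
# hence 2 * 2 * 2 * 2 = 16 sets of security parameters.
PROPB: Proposal = {
    "encryption": ["aes-cbc-128", "3des"],
    "integrity": ["md5", "sha1"],
    "prf": ["md5", "sha1"],
    "dh": ["group5", "group2"],
}

# Constructed single-set proposal: one algorithm per type, the form the
# reference recommends when only one set of parameters is wanted.
PROP_STRICT: Proposal = {
    "encryption": ["aes-cbc-128"],
    "integrity": ["sha1"],
    "prf": ["sha1"],
    "dh": ["group2"],
}


if __name__ == "__main__":
    sets = expand_proposal(PROPB)
    print(f"propb expands to {len(sets)} sets; most preferred: {sets[0]}")
    print(f"{len(weak_sets(sets))} of them contain MD5 or 3DES")
    print("strict initiator vs propb responder agrees on:",
          negotiate([PROP_STRICT], [PROPB]))
```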
ip-pool
Use ip-pool to specify an IPv4 address pool for an IKEv2 profile.
Use undo ip-pool to remove the configuration.
Syntax
ip-pool pool-name
undo ip-pool
Default
An IKEv2 profile references no address pool.
Views
IKEv2 profile view
Default command level
2: System level
Parameters
pool-name: Specifies the IPv4 address pool name, a case-insensitive string of 1 to 32 characters.
Default command level
2: System level
Parameters
prefix-length: Specifies the prefix length for the IPv6 addresses in the local IPv6 address pool, in the range of 0 to 128.
Examples
# Set the prefix length of the IPv6 address pool referenced by IKEv2 profile profile1 to 64.
system-view
[Sysname] ikev2 profile profile1
[Sysname-ikev2-profile-profile1] ipv6-mask 64
Related commands
• ikev2 ipv6-pool
• ipv6-pool

ipv6-pool
Use ipv6-pool to specify an IPv6 address pool for an IKEv2 profile.
• ipv6-mask

keyring
Use keyring to specify an IKEv2 keyring for an IKEv2 profile.
Use undo keyring to remove the configuration.
Syntax
keyring keyring-name
undo keyring
Default
An IKEv2 profile references no keyring.
Views
IKEv2 profile view
Default command level
2: System level
Parameters
keyring-name: Specifies the name of an existing IKEv2 keyring, a case-insensitive string of 1 to 32 characters. It can consist of only English letters and digits.
Default
The IKEv2 SA lifetime is 86400 seconds.
Views
IKEv2 profile view
Default command level
2: System level
Parameters
seconds: Specifies the IKEv2 SA lifetime in seconds, in the range of 120 to 86400.
Usage guidelines
An IKEv2 SA can be used for subsequent IKEv2 negotiations before its lifetime expires, saving a lot of negotiation time. However, the longer the lifetime, the higher the possibility that attackers collect enough information and initiate attacks.
Parameters
address local: Uses the local identity information for IKEv2 profile matching. A responder using the RSA digital signature authentication method uses its local identity information to search for an IKEv2 profile and to initiate the certificate request.
Related commands
• display ikev2 profile
• identity local

match address local
Use match address local to specify a local address used for IKEv2 policy matching.
Use undo match address local to delete a local address used for IKEv2 policy matching.
Syntax
match address local { ipv4-address | ipv6 ipv6-address }
undo match address local { ipv4-address | ipv6 ipv6-address }
Default
No local address is used for IKEv2 policy matching, and the policy matches any local address.
Views
IKEv2 profile view
Default command level
2: System level
Parameters
seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600.
Usage guidelines
When a NAT gateway exists between two IKEv2 peers, each end using a private address periodically sends NAT keepalive packets to the other end to prevent its NAT entry from being aged out.
Examples
# Create an IKEv2 profile named profile1.
Examples
# Create an IKEv2 keyring named keyr1.
system-view
[Sysname] ikev2 keyring keyr1
# Create an IKEv2 peer named peer1.
Related commands
• address
• hostname
• identity
• pre-shared-key (IKEv2 peer view)

pki domain (IKEv2 profile view)
Use pki domain to specify a PKI domain for an IKEv2 profile.
Use undo pki domain to remove a PKI domain specified for an IKEv2 profile.
# Use PKI domain pki-local for certificate signing and PKI domain pki-remote for certificate authentication.
Related commands
• display ikev2 profile
• authentication
• pki domain

pre-shared-key (IKEv2 peer view)
Use pre-shared-key to configure a pre-shared key for a peer.
Use undo pre-shared-key to delete a pre-shared key of a peer.
Syntax
pre-shared-key [ local | remote ] [ cipher | simple ] key
undo pre-shared-key [ local | remote ]
Default
An IKEv2 peer has no pre-shared key.
# Use the plaintext pre-shared key 111-key for both certificate signing and certificate authentication.
[Sysname-ikev2-keyring-keyr1-peer-peer1] pre-shared-key simple 111-key
[Sysname-ikev2-keyring-keyr1-peer-peer1] quit
# Create an IKEv2 peer named peer2.
[Sysname-ikev2-keyring-keyr1] peer peer2
# Use the plaintext pre-shared key 111-key-a for certificate signing and 111-key-b for certificate authentication.
Parameters
aes-xcbc-mac: Uses the AES-XCBC algorithm.
md5: Uses the MD5 algorithm.
sha1: Uses the SHA1 algorithm.
sha2-256: Uses the SHA2-256 algorithm.
Usage guidelines
You can specify multiple PRF algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.
IMPORTANT:
You must specify at least one PRF algorithm for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless.
Examples
# Create an IKEv2 proposal named prop1.
You can specify up to six IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority. With no argument specified, the undo proposal command removes all IKEv2 proposal references.
Examples
# Specify IKEv2 proposals proposal1 and proposal2 for IKEv2 policy policy1, with proposal1 preferred.
Syntax
reset ikev2 statistics
Views
User view
Default command level
2: System level
Examples
# Reset IKEv2 negotiation statistics.
PKI configuration commands
The following matrix shows the FIPS and hardware compatibility:
Hardware | FIPS mode
MSR900 | No.
MSR93X | No.
MSR20-1X | No.
MSR20 | Yes.
MSR30 | Yes (except the MSR30-16).
MSR50 | Yes.
MSR1000 | Yes.

attribute
Use attribute to configure the attribute rules of the certificate issuer name, certificate subject name and alternative certificate subject name.
Use undo attribute to delete the attribute rules of one or all certificates.
ctn: Specifies the contain operation.
equ: Specifies the equal operation.
nctn: Specifies the not-contain operation.
nequ: Specifies the not-equal operation.
attribute-value: Sets an attribute value for the rule, a case-insensitive string of 1 to 128 characters.
all: Specifies all certificate attributes.
Usage guidelines
The attribute of the alternative certificate subject name does not appear as a distinguished name, and therefore the dn keyword is not available for the attribute.
Examples
# Specify the trusted CA as new-ca.
system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] ca identifier new-ca

certificate request entity
Use certificate request entity to specify the entity for certificate request.
Use undo certificate request entity to remove the configuration.
Syntax
certificate request entity entity-name
undo certificate request entity
Default
No entity is specified for certificate request.
Views
PKI domain view
Default command level
2: System level
Parameters
ca: Specifies the CA to accept certificate requests.
ra: Specifies the RA to accept certificate requests.
Examples
# Specify that the entity requests a certificate from the CA.
system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request from ca

certificate request mode
Use certificate request mode to set the certificate request mode.
Use undo certificate request mode to restore the default.
password: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 31 characters. If cipher is specified, it must be a ciphertext string of 1 to 73 characters.
manual: Specifies the certificate request mode as manual.
Usage guidelines
In auto request mode, an entity automatically requests a certificate from a CA if the entity does not have a local certificate.
Usage guidelines
After an applicant makes a certificate request, the CA might need a long period of time if it verifies the certificate request manually. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed.
Examples
# Specify the polling interval as 15 minutes and the maximum number of attempts as 40.
Use undo common-name to remove the configuration.
Syntax
common-name name
undo common-name
Default
No common name is specified.
Views
PKI entity view
Default command level
2: System level
Parameters
name: Specifies a common name, a case-insensitive string of 1 to 31 characters. No comma can be included.
Examples
# Configure the common name of an entity as test.
crl check
Use crl check to enable or disable CRL checking.
Syntax
crl check { disable | enable }
Default
CRL checking is enabled.
Views
PKI domain view
Default command level
2: System level
Parameters
disable: Disables CRL checking.
enable: Enables CRL checking.
Usage guidelines
CRLs are files issued by the CA to publish all certificates that have been revoked. Revocation of a certificate might occur before the certificate expires.
Examples
# Set the CRL update period to 20 hours.
system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl update-period 20

crl url
Use crl url to specify the URL of the CRL distribution point.
Use undo crl url to remove the configuration.
Syntax
crl url url-string
undo crl url
Default
No CRL distribution point URL is specified.
Default command level
1: Monitor level
Parameters
ca: Displays the CA certificate.
local: Displays the local certificate.
domain-name: Specifies the name of a PKI domain, a string of 1 to 15 characters.
request-status: Displays the status of a certificate request.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
            X509v3 Subject Alternative Name:
                DNS: hyf.xxyyzz.net
            X509v3 CRL Distribution Points:
                URI:http://1.1.1.1:447/myca.crl
…
…
Table 37 Command output
Field | Description
Version | Version of the certificate.
Serial Number | Serial number of the certificate.
Issuer | Issuer of the certificate.
Validity | Validity period of the certificate.
Subject | Entity holding the certificate.
Subject Public Key Info | Public key information of the entity.
X509v3 extensions | Extensions of the X.509 (version 3) certificate.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about the certificate access control policy named mypolicy.
display pki certificate access-control-policy mypolicy
access-control-policy name: mypolicy
 rule 1 deny mygroup1
 rule 2 permit mygroup2
Table 38 Command output
Field | Description
access-control-policy | Name of the certificate access control policy.
rule number | Number of the access control rule.
Table 39 Command output
Field | Description
attribute group name | Name of the certificate attribute group.
attribute number | Number of the attribute rule.
subject-name | Name of the certificate subject.
dn | DN of the entity.
ctn | Contain operations.
abc | Value of attribute 1.
issuer-name | Name of the certificate issuer.
fqdn | FQDN of the entity.
nctn | Not-contain operations.
app | Value of attribute 2.

display pki crl domain
Use display pki crl domain to display the locally saved CRLs.
        CN=A Test Root
        Last Update: Jan 5 08:44:19 2004 GMT
        Next Update: Jan 5 21:42:13 2004 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
            keyid:0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC
Revoked Certificates:
    Serial Number: 05a234448E…
        Revocation Date: Sep 6 12:33:22 2004 GMT
        CRL entry extensions:…
    Serial Number: 05a278445E…
        Revocation Date: Sep 7 12:33:22 2004 GMT
        CRL entry extensions:…
Table 40 Command output
Field | Description
Version | Version of the CRL.
Issuer | CA issuing the CRLs.
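The listing above is what a defender reads to confirm that a locally saved CRL is still within its Last Update / Next Update window and whether a given serial number is on it. The following Python is an added example, not code from the HP reference or the device: it parses a listing in that layout and reports revoked, stale-crl or good for a serial. The sample listing and its two full serial numbers are constructed, since the reference abbreviates them.

```python
"""Parse the CRL listing printed by display pki crl domain and answer the two
questions a revocation check needs: is the CRL current, and is a serial listed.

Added example, not code from the HP MSR command reference or the device.
SAMPLE_CRL_OUTPUT is constructed in the layout the reference shows; the
full serial numbers are made up because the reference abbreviates them."""

import re
from datetime import datetime, timezone
from typing import Dict, NamedTuple, Optional

SAMPLE_CRL_OUTPUT = """\
Certificate Revocation List (CRL):
        Issuer: CN=A Test Root
        Last Update: Jan  5 08:44:19 2004 GMT
        Next Update: Jan  5 21:42:13 2004 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
            keyid:0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC
Revoked Certificates:
    Serial Number: 05A234448E1F
        Revocation Date: Sep  6 12:33:22 2004 GMT
    Serial Number: 05A278445E2C
        Revocation Date: Sep  7 12:33:22 2004 GMT
"""

# Timestamps in the listing look like "Jan  5 08:44:19 2004 GMT".
DATE_RE = r"([A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4}\s+GMT)"
DATE_FMT = "%b %d %H:%M:%S %Y GMT"


class RevokedEntry(NamedTuple):
    serial: str
    revocation_date: datetime


class Crl(NamedTuple):
    issuer: str
    last_update: datetime
    next_update: datetime
    revoked: Dict[str, RevokedEntry]  # keyed by normalised serial


def normalise_serial(serial: str) -> str:
    """Serials are hex integers: compare them without case or leading zeros."""
    return serial.strip().lower().lstrip("0") or "0"


def _parse_date(text: str) -> datetime:
    # Collapse the padding spaces the listing uses before single-digit days.
    compact = " ".join(text.split())
    return datetime.strptime(compact, DATE_FMT).replace(tzinfo=timezone.utc)


def parse_crl_output(text: str) -> Crl:
    """Extract issuer, validity window and revoked serials from the listing."""
    issuer = re.search(r"^\s*Issuer:\s*(.+?)\s*$", text, re.MULTILINE)
    last = re.search(r"Last Update:\s*" + DATE_RE, text)
    nxt = re.search(r"Next Update:\s*" + DATE_RE, text)
    if not (issuer and last and nxt):
        raise ValueError("not a CRL listing: issuer or update times missing")
    revoked: Dict[str, RevokedEntry] = {}
    entry_re = r"Serial Number:\s*([0-9A-Fa-f]+)\s*Revocation Date:\s*" + DATE_RE
    for m in re.finditer(entry_re, text):
        entry = RevokedEntry(m.group(1), _parse_date(m.group(2)))
        revoked[normalise_serial(entry.serial)] = entry
    return Crl(issuer.group(1), _parse_date(last.group(1)),
               _parse_date(nxt.group(1)), revoked)


def is_current(crl: Crl, now: datetime) -> bool:
    """A CRL vouches for unlisted serials only between its two update times."""
    return crl.last_update <= now <= crl.next_update


def lookup(crl: Crl, serial: str) -> Optional[RevokedEntry]:
    return crl.revoked.get(normalise_serial(serial))


def revocation_status(crl: Crl, serial: str, now: datetime) -> str:
    """'revoked' if the serial is listed (revocation does not expire with the
    CRL), 'stale-crl' if the CRL is outside its window and so cannot vouch
    for an unlisted serial (fail closed: fetch a new CRL), else 'good'."""
    if lookup(crl, serial) is not None:
        return "revoked"
    if not is_current(crl, now):
        return "stale-crl"
    return "good"


if __name__ == "__main__":
    crl = parse_crl_output(SAMPLE_CRL_OUTPUT)
    print(f"issuer {crl.issuer}, {len(crl.revoked)} revoked serial(s)")
    print("0005a234448e1f at Last Update:",
          revocation_status(crl, "0005a234448e1f", crl.last_update))
    print("1234 at Last Update:", revocation_status(crl, "1234", crl.last_update))
```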
Views
PKI entity view
Default command level
2: System level
Parameters
name-str: Specifies an FQDN, a case-insensitive string of 1 to 127 characters.
Usage guidelines
An FQDN is the unique identifier of an entity on a network. It consists of a host name and a domain name and can be resolved into an IP address.
Examples
# Configure the FQDN of an entity as pki.domain-name.com.
system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] fqdn pki.domain-name.
Syntax
ldap-server ip ip-address [ port port-number ] [ version version-number ]
undo ldap-server
Default
No LDAP server is specified for a PKI domain.
Views
PKI domain view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address of an LDAP server in dotted decimal format.
port-number: Specifies the port number of an LDAP server. The value range is 1 to 65535, and the default is 389.
version-number: Specifies the LDAP version number, either 2 or 3. The default is 2.
[Sysname] pki entity 1
[Sysname-pki-entity-1] locality city

organization
Use organization to configure the name of the organization to which the entity belongs.
Use undo organization to remove the configuration.
Syntax
organization org-name
undo organization
Default
No organization name is specified for an entity.
Views
PKI entity view
Default command level
2: System level
Parameters
org-name: Specifies an organization name, a case-insensitive string of 1 to 31 characters. No comma can be included.
Parameters
org-unit-name: Specifies an organization unit name for identifying a department or a unit in an organization, a case-insensitive string of 1 to 31 characters. No comma can be included.
Examples
# Configure the name of the organization unit to which an entity belongs as group1.
Views
System view
Default command level
2: System level
Parameters
group-name: Specifies a group name, a case-insensitive string of 1 to 16 characters. It cannot be a, al, or all.
all: Specifies all certificate attribute groups.
Examples
# Create a certificate attribute group named mygroup and enter its view.
Default
No PKI domain exists.
Views
System view
Default command level
2: System level
Parameters
domain-name: Specifies a PKI domain name, a case-insensitive string of 1 to 15 characters.
Usage guidelines
You can create up to 32 PKI domains on a device.
Examples
# Create a PKI domain and enter its view.
system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1]

pki entity
Use pki entity to create a PKI entity and enter its view.
Use undo pki entity to remove a PKI entity.
pki import-certificate
Use pki import-certificate to import a CA certificate or local certificate from a file and save it locally.
Syntax
pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]
Views
System view
Default command level
2: System level
Parameters
ca: Specifies the CA certificate.
local: Specifies the local certificate.
domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.
der: Specifies the certificate format of DER.
Views
System view
Default command level
2: System level
Parameters
domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.
password: Specifies the password for certificate revocation, a case-sensitive string of 1 to 31 characters.
pkcs10: Displays the BASE64-encoded PKCS#10 certificate request information, which can be used to request a certificate by an out-of-band means, like phone, disk, or email.
domain-name: Specifies a PKI domain by its name.
Usage guidelines
The retrieved certificates are stored in the root directory of the device, with the file name as domain-name_ca.cer or domain-name_local.cer according to the certificate type.
Examples
# Retrieve the CA certificate from the certificate issuing server.
Parameters
ca: Verifies the CA certificate.
local: Verifies the local certificate.
domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.
Usage guidelines
Certificate validity verification checks that the certificate is signed by the CA and that the certificate has neither expired nor been revoked.
Examples
# Verify the validity of the local certificate.
[Sysname-pki-domain-1] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93

rule (PKI CERT ACP view)
Use rule to create a certificate attribute access control rule.
Use undo rule to delete one or all access control rules.
Syntax
rule [ id ] { deny | permit } group-name
undo rule { id | all }
Default
No access control rule exists.
Default
No state or province is specified.
Views
PKI entity view
Default command level
2: System level
Parameters
state-name: Specifies a state name or a province name, a case-insensitive string of 1 to 31 characters. No comma can be included.
Examples
# Specify the state where an entity resides.
Public key configuration commands
The following matrix shows the FIPS and hardware compatibility:
Hardware | FIPS mode
MSR900 | No.
MSR93X | No.
MSR20-1X | No.
MSR20 | Yes.
MSR30 | Yes (except the MSR30-16).
MSR50 | Yes.
MSR1000 | Yes.

display public-key local public
Use display public-key local public to display the public key information of local asymmetric key pairs.
Key name: HOST_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
=====================================================
Time of Key pair c
Field | Description
Key code | Public key data.
Related commands
public-key local create

display public-key peer
Use display public-key peer to display information about the specified or all peer public keys on the local device.
Syntax
display public-key peer [ brief | name publickey-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
brief: Displays brief information about all peer public keys.
Table 42 Command output
Field | Description
Key Name | Name of the public key.
Key Type | Key type: RSA or DSA.
Key Module | Key modulus length in bits.
Key Code | Public key data.
[Sysname] public-key peer key1
[Sysname-pkey-public-key] peer-public-key end
[Sysname]

public-key-code begin
Use public-key-code begin to enter public key code view. Then, enter the key data in the correct format to specify the peer public key. Spaces and carriage returns are allowed between characters, but are not saved.
Default command level
2: System level
Usage guidelines
The system verifies the key before saving it. If the key is not in the correct format, the system discards the key and displays an error message. If the key is valid, the system saves the key.
Examples
# Exit public key code view and save the configured public key.
Table 44 Default local key pair names
Type | Default name
RSA | • Host key pair: hostkey • Server key pair: serverkey
DSA | dsakey
Usage guidelines
The key algorithm must be the same as that required by the security application. The key modulus length must be appropriate (see Table 45). A longer key modulus length value means higher security level and longer key generation time.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++
+++++++
+++++++++
+++
# Create a local DSA key pair with the default name.
system-view
[Sysname] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
Default command level
2: System level
Parameters
dsa: DSA key pair.
rsa: RSA key pair.
name key-name: Specifies the name of a local key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is specified, the command destroys the specified type of local key pairs that take the default names.
Examples
# Destroy the local RSA key pairs with the default names.
aes-cbc-192: Specifies the 192-bit AES_CBC encryption algorithm.
aes-cbc-256: Specifies the 256-bit AES_CBC encryption algorithm.
password: Specifies a password used to encrypt the RSA key pair.
Usage guidelines
You must specify an encryption algorithm and password to encrypt the specified RSA key pair. The router does not support displaying RSA key pairs in plaintext. You cannot display the default RSA key pair.
Syntax
public-key local export public dsa { openssh | ssh2 } [ filename ]
Views
System view
Default command level
2: System level
Parameters
openssh: Uses the format of OpenSSH.
ssh2: Uses the format of SSH2.0.
filename: Specifies the name of the file for storing the local public key. For more information about file name, see Fundamentals Configuration Guide.
Usage guidelines
SSH2.0 and OpenSSH are different public key formats.
• public-key local destroy

public-key local export public rsa
Use public-key local export public rsa without the filename argument to display the host public key of the local RSA key pairs in a specific key format.
Use public-key local export public rsa with the filename argument to export the host public key of the local RSA key pairs to a specific file.
Related commands
• public-key local create
• public-key local destroy

public-key local import
Use public-key local import to import an RSA key pair in PEM format.
Syntax
public-key local import rsa name key-name pem
Views
System view
Default command level
2: System level
Parameters
rsa: Specifies an RSA key pair.
name key-name: Specifies a name for the imported RSA key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-).
Examples
# Specify the name for the peer public key as key1 and enter public key view.
system-view
[Sysname] public-key peer key1
[Sysname-pkey-public-key]
Related commands
• public-key-code begin
• public-key-code end
• peer-public-key end
• display public-key peer

public-key peer import sshkey
Use public-key peer import sshkey to import a peer host public key from the public key file.
Use undo public-key peer to remove the specified peer host public key.
Use undo public-key to remove the configuration.
Syntax
public-key rsa general name key-name
undo public-key
Default
The RSA key pair with the default name is used for certificate request.
Views
PKI domain view
Default command level
2: System level
Parameters
name key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters. It can include only letters, digits, and hyphens (-).
RSH configuration commands
rsh
Use rsh to execute an OS command on a remote host.
Syntax
rsh host [ user username ] command remote-command
Views
User view
Default command level
0: Visit level
Parameters
host: IP address or host name of the remote host, a string of 1 to 20 characters.
user username: Specifies the username for remote login, a string of 1 to 20 characters. If you do not specify a username, the system name of the device, which can be set by using the sysname command, applies.
2003-06-21 10:51 192,512 wrshdnt.cpl 2001-12-09 16:41 38,991 wrshdnt.hlp 2001-12-09 16:26 1,740 wrshdnt.cnt 2003-06-22 11:14 452,230 wrshdnt.htm 2003-06-23 18:18 2003-06-23 18:18 2003-06-22 11:13 2001-09-02 15:41 2003-06-21 10:32 2004-01-02 15:54 196,608 wrshdsp.exe 2004-01-02 15:54 102,400 wrshdnt.exe 2001-07-30 18:05 766 wrshdnt.ico 2004-07-13 09:10 4,803 wrshdnt_header.htm 178 wrshdnt_filelist.xml 156,472 wrshdnt.pdf 49,152 wrshdrdr.exe 69,632 wrshdrun.exe 3,253 INSTALL.
Portal configuration commands
access-user detect
Use access-user detect to configure the online portal user detection function.
Use undo access-user detect to restore the default.
Syntax
access-user detect type arp retransmit number interval interval
undo access-user detect
Default
The portal user detection function is not configured on an interface.
Views
Interface view
Default command level
2: System level
Parameters
type arp: Uses ARP requests as probe packets.
display portal acl
Use display portal acl to display the ACLs on a specific interface.
Syntax
display portal acl { all | dynamic | static } interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
all: Displays all portal ACLs, including dynamic and static portal ACLs.
dynamic: Displays dynamic portal ACLs—ACLs generated dynamically after a user passes portal authentication.
    Port : any
Rule 1
 Inbound interface : Ethernet1/1
 Type : static
 Action : redirect
 Protocol : 6
 Source:
  IP : 0.0.0.0
  Mask : 0.0.0.0
  Port : any
  MAC : 0000-0000-0000
  Interface: any
  VLAN : 2
 Destination:
  IP : 0.0.0.0
  Mask : 0.0.0.0
  Port : 80
Rule 2
 Inbound interface : Ethernet1/1
 Type : dynamic
 Action : permit
 Source:
  IP : 2.2.2.2
  Mask : 255.255.255.255
  MAC : 000d-88f8-0eab
  Interface: Ethernet1/1
  VLAN : 0
 Protocol : 0
 Destination:
  IP : 0.0.0.0
  Mask : 0.0.0.
Field | Description
MAC | Source MAC address in the portal ACL.
Interface | Source interface in the portal ACL.
VLAN | Source VLAN in the portal ACL.
Protocol | Protocol type in the portal ACL.
Destination | Destination information in the portal ACL.
IP | Destination IP address in the portal ACL.
Port | Destination transport layer port number in the portal ACL.
Mask | Subnet mask of the destination IP address in the portal ACL.
Author ACL | Authorization ACL information.
State-Name | User-Num
VOID | 0
DISCOVERED | 0
WAIT_AUTHEN_ACK | 0
WAIT_AUTHOR_ACK | 0
WAIT_LOGIN_ACK | 0
WAIT_ACL_ACK | 0
WAIT_NEW_IP | 0
WAIT_USERIPCHANGE_ACK | 0
ONLINE | 1
WAIT_LOGOUT_ACK | 0
WAIT_LEAVING_ACK | 0
Message statistics:
Msg-Name | Total | Err | Discard
MSG_AUTHEN_ACK | 3 | 0 | 0
MSG_AUTHOR_ACK | 3 | 0 | 0
MSG_LOGIN_ACK | 3 | 0 | 0
MSG_LOGOUT_ACK | 2 | 0 | 0
MSG_LEAVING_ACK | 0 | 0 | 0
MSG_CUT_REQ | 0 | 0 | 0
MSG_AUTH_REQ | 3 | 0 | 0
MSG_LOGIN_REQ | 3 | 0 | 0
MSG_LOGOUT_REQ | 2 | 0 | 0
MSG_LEAVING_REQ | 0 | 0 | 0
Field | Description
State-Name | Name of a user state.
User-Num | Number of users in a specific state.
Message statistics | Statistics on messages.
Msg-Name | Message type.
Total | Total number of messages of a specific type.
Err | Number of erroneous messages of a specific type.
Discard | Number of discarded messages of a specific type.
MSG_AUTHEN_ACK | Authentication acknowledgment message.
MSG_AUTHOR_ACK | Authorization acknowledgment message.
MSG_LOGIN_ACK | Accounting acknowledgment message.
Field | Description
MSG_SETPOLICY_RESULT | Set policy response message.

display portal free-rule
Use display portal free-rule to display information about a specific portal-free rule or all portal-free rules.
Syntax
display portal free-rule [ rule-number ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
rule-number: Specifies the number of a portal-free rule, in the range of 0 to 255.
Field | Description
IP | Source IP address in the portal-free rule.
Mask | Subnet mask of the source IP address in the portal-free rule.
Port | Source transport layer port number in the portal-free rule.
MAC | Source MAC address in the portal-free rule.
Interface | Source interface in the portal-free rule.
Vlan | Source VLAN in the portal-free rule.
Destination | Destination information in the portal-free rule.
IP | Destination IP address in the portal-free rule.
 Status: Portal running
 Portal server: servername
 Portal backup-group: 1
 Authentication type: Layer3
 Authentication domain: my-domain
 Authentication network:
  Source IP: 1.1.1.1 Mask : 255.255.0.0
Table 49 Command output
Field | Description
Portal configuration of interface | Portal configuration on the interface.
IPv4 | IPv4 portal configuration.
IPv6 | IPv6 portal configuration.
Status | Status of the portal authentication on the interface: • Portal disabled—Portal authentication is disabled.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display configuration information about the local portal server.
display portal local-server
 Protocol: HTTP
 Bind SSID list:
  ssid1: file1.zip
  ssid2: file1.zip
Table 50 Command output
Field | Description
Protocol | Protocol supported by the local portal server, HTTP or HTTPS. The MSR devices support only HTTP.
Portal server:
 1)aaa:
  IP : 192.168.0.111
  VPN instance : vpn1
  Port : 50100
  Key : ******
  URL : http://192.168.0.111
  Status : Up
Table 51 Command output
Field | Description
1) | Number of the portal server.
aaa | Name of the portal server.
VPN instance | MPLS L3VPN to which the portal server belongs.
IP | IP address of the portal server.
Port | Listening port on the portal server.
Key | Shared key for exchanges between the access device and portal server.
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and name.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
ACK_MACBINDING_INFO 0 NTF_USER_LOGON 0 0 RESERVED33 0 NTF_USER_LOGOUT 0 0 0 0 PT_TYPE_REQ_USER_OFFLINE 0 0 0 RESERVED35 0 0 0 0 0 0 0
Table 52 Command output
Field | Description
Interface | Interface referencing the portal server.
Server name | Name of the portal server.
Invalid packets | Number of invalid packets.
Pkt-Name | Packet type.
Total | Total number of packets.
Discard | Number of discarded packets.
Checkerr | Number of erroneous packets.
Field | Description
NTF_USER_NOTIFY | User information notification message the access device sent to the portal server.
AFF_NTF_USER_NOTIFY | NTF_USER_NOTIFY acknowledgment message the access device sent to the portal server.
NTF_AUTH | Forced authentication notification message the portal server sent to the access device.
ACK_NTF_AUTH | NTF_AUTH acknowledgment message the access device sent to the portal server.
REQ_QUERY_STATE | User online state query message the portal server sent to the access device.
Examples
# Display TCP spoofing statistics.
display portal tcp-cheat statistics
TCP Cheat Statistic:
 Total Opens: 0
 Resets Connections: 0
 Current Opens: 0
 Packets Received: 0
 Packets Sent: 0
 Packets Retransmitted: 0
 Packets Dropped: 0
 HTTP Packets Sent: 0
 Connection State:
  SYN_RECVD: 0
  ESTABLISHED: 0
  CLOSE_WAIT: 0
  LAST_ACK: 0
  FIN_WAIT_1: 0
  FIN_WAIT_2: 0
  CLOSING: 0
Table 53 Command output
Field | Description
TCP Cheat Statistic | TCP spoofing statistics.
display portal user
Use display portal user to display information about portal users on a specific interface or all interfaces.
Syntax
display portal user { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and name.
|: Filters command output by specifying a regular expression.

Field         Description
Work-mode     User's working mode:
              • Primary.
              • Secondary.
              • Stand-alone.
              The MSR routers do not support this field, and the field is always "Stand-alone."
VPN instance  MPLS L3VPN to which the portal server belongs.
MAC           MAC address of the portal user.
IP            IP address of the portal user.
Vlan          VLAN to which the portal user belongs.
Interface     Interface to which the portal user is attached.
Total 1 user(s) matched, 1 listed   Total number of portal users.

Usage guidelines
This command is applicable only to cross-subnet authentication (layer3). The portal authentication source subnet for direct authentication (direct) can be any source IP address, and the portal authentication source subnet for re-DHCP authentication (redhcp) is the one determined by the private IP address of the interface connecting the users. You can configure multiple authentication source subnets.

You can configure up to 16 authentication destination subnets. If both an authentication source subnet and a destination subnet are configured on an interface, only the authentication destination subnet takes effect.
Examples
# Configure a portal authentication destination subnet of 2.2.2.0/24 on Ethernet 1/2, so that only users accessing subnet 2.2.2.0/24 trigger portal authentication on the interface. Users can access other subnets through the interface without portal authentication.
Default
No authentication domain is specified for portal users on an interface.
Views
Interface view
Default command level
2: System level
Parameters
domain-name: Specifies an authentication domain name, a case-insensitive string of 1 to 24 characters. The domain specified by this argument must already exist.
Examples
# Configure the authentication domain for IPv4 portal users on Ethernet 1/1 as my-domain.

vlan vlan-id: Specifies a source VLAN ID.
all: Specifies all portal-free rules.
Usage guidelines
If you specify both a source IP address and a source MAC address in a portal-free rule, the IP address must be a host address with a 32-bit mask. Otherwise, the specified MAC address does not take effect. If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN. Otherwise, the rule does not take effect.

Usage guidelines
When executing this command, the local portal server loads the default authentication page file, which must be saved in the root directory of the device. To make sure the local portal server uses the user-defined default authentication pages, edit and save them correctly before executing this command. Otherwise, the system default authentication pages are used.

all: Specifies all the bound SSIDs.
Usage guidelines
If no SSID-to-customized page file binding is configured on the device, the local portal server pushes the default authentication pages to a user that accesses the portal page. If such a binding is configured on the device, the local portal server pushes the corresponding authentication pages to the client based on the customized page file that is bound with the SSID of the user logon interface.
deployment of 802.1X on the port. For information about port security and 802.1X features, see Security Configuration Guide. Before enabling portal authentication on a Layer 2 port, be sure to specify the listening IP address of the local portal server.

A loopback interface does not forward received packets. This avoids impacting system performance when there are many network access requests.
• The following matrix shows the command and router compatibility:

Command: portal local-server ip
  MSR900    No
  MSR93X    No
  MSR20-1X  No
  MSR20     No
  MSR30     Supported on MIM-FSW modules, MSR30-11E, and MSR30-11F
  MSR50     No
  MSR1000   No

Examples
# Specify 1.1.1.1 as the listening IP address of the local portal server for Layer 2 portal authentication.

  MSR900    Value range: 1 to 512. Default: 512.
  MSR93X    Value range: 1 to 512. Default: 512.
  MSR20-1X  Value range: 1 to 512. Default: 512.
  MSR20     Value range: 1 to 512. Default: 512.
  MSR30     Value range: 1 to 512. Default: 512.
  MSR50     MPUF: 1 to 512, 512 by default. MPU-G2: 1 to 4096, 4096 by default.
  MSR1000   Value range: 1 to 512. Default: 512.

Examples
# Set the maximum number of portal users allowed in the system to 100.

Command: portal move-mode auto
  MSR900    No
  MSR93X    No
  MSR20-1X  No
  MSR20     No
  MSR30     Supported on MIM-FSW modules, MSR30-11E, and MSR30-11F
  MSR50     No
  MSR1000   No

Examples
# Enable support for portal user moving.
system-view
[Sysname] portal move-mode auto

portal nas-id-profile
Use portal nas-id-profile to specify a NAS ID profile for the interface. Use undo portal nas-id-profile to cancel the configuration.
portal nas-ip
Use portal nas-ip to configure an interface to use a specific source IP address for outgoing portal packets. Use undo portal nas-ip to delete the specified source IP address. If you do not specify the ipv6 keyword, this command deletes the specified source IPv4 address.

Parameters
nas-port-id-value: NAS-Port-ID value, a case-sensitive string of 1 to 253 characters. This value is used as the value of the NAS-Port-ID attribute in the RADIUS request sent to the RADIUS server when a portal user logs on from an interface.

portal offline-detect interval
Use portal offline-detect interval to set the online Layer 2 portal user detection interval. After a Layer 2 portal user gets online, the device starts a detection timer for the user and checks at this interval whether the user has sent any packet to the device.

Default command level
2: System level
Parameters
url-string: Autoredirection URL for authenticated portal users, a string of 1 to 127 characters. It must start with http:// and must be a fully qualified URL.
period: Time that the device must wait before redirecting an authenticated portal user to the autoredirection URL. The value range for this argument is 1 to 90 seconds, and the default is 5 seconds.

simple: Sets a plaintext shared key.
key-string: Specifies the shared key. This argument is case sensitive. If simple is specified, it must be a string of 1 to 16 characters. If cipher is specified, it must be a ciphertext string of 1 to 53 characters. If neither simple nor cipher is specified, you set a plaintext shared key.
url url-string: Specifies the uniform resource locator (URL) to which HTTP packets are to be redirected.

Views
System view
Default command level
2: System level
Parameters
banner-string: Welcome banner for the webpage, a case-sensitive string of 1 to 50 characters. It cannot contain the less-than sign (<) or the ampersand (&). If multiple consecutive spaces exist in the string, the browser recognizes them as one.
Usage guidelines
The configured welcome banner applies only to the default authentication pages, not to the customized authentication pages.

For the local portal server, the re-DHCP authentication mode can be configured but does not take effect.
Examples
# Enable Layer 3 portal authentication on interface Ethernet 1/1, referencing portal server pts and setting the authentication mode to direct.
portal server is reachable; otherwise, it considers that the probe fails and the portal server is unreachable. This method is effective only for portal servers that support the portal heartbeat function. Currently, only the IMC portal server supports this function.

• Specifying the device to send a server unreachable trap message, send a log message, and disable portal authentication to permit unauthenticated portal users if two consecutive probes fail.
system-view
[Sysname] portal server pts server-detect method http portal-heartbeat action log permit-all trap interval 600 retry 2

portal server user-sync
Use portal server user-sync to configure portal user information synchronization with a specific portal server.

If you configure the user synchronization function for a portal server multiple times, the last configuration takes effect. If you do not specify an optional parameter, the default setting of the parameter is used. For redundant user information on the device (information of users considered nonexistent on the portal server), the device deletes the information during the (N+1)th probe interval, where N is the value of retries configured in the portal server user-sync command.

• If the Web proxy server port 80 is added on the device, clients that do not use a proxy server can trigger portal authentication only when they access a reachable host enabled with the HTTP service.
• Authorized ACLs to be assigned to users who have passed portal authentication must contain a rule that permits the Web proxy server's IP address. Otherwise, the user cannot receive heartbeat packets from the remote portal server.

Default command level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
Examples
# Clear portal server statistics on interface Ethernet 1/1.
reset portal server statistics interface ethernet 1/1

reset portal tcp-cheat statistics
Use reset portal tcp-cheat statistics to clear TCP spoofing statistics.

Parameters
url-string: URL address to which a Web access request is to be redirected.
interval: Redirection interval in the range of 60 to 86400 seconds. The default is 86400 seconds.
Usage guidelines
You cannot configure both the portal function and the mandatory webpage pushing function on an interface. If you do so, the function configured later does not take effect. If you execute this command multiple times, the most recent configuration takes effect.
Firewall configuration commands
Packet-filter firewall configuration commands

display firewall ethernet-frame-filter
Use display firewall ethernet-frame-filter to view the Ethernet frame filtering statistics.
Syntax
display firewall ethernet-frame-filter { all | dlsw | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
all: Displays the Ethernet frame filtering statistics of all interfaces.

  0 packets, 0 bytes, 0% permitted,
  0 packets, 0 bytes, 0% denied,
  0 packets, 0 bytes, 0% permitted default,
  0 packets, 0 bytes, 0% denied default,
  Totally 0 packets, 0 bytes, 0% permitted,
  Totally 0 packets, 0 bytes, 0% denied.
Table 55 Command output
Field            Description
Interface        Name of the interface configured with Ethernet frame filtering.
In-bound Policy  Indicates an inbound ACL rule has been configured on the interface.

  0 packets, 0 bytes, 0% denied default
  Totally 0 packets, 0 bytes, 0% permitted
  Totally 0 packets, 0 bytes, 0% denied
Table 56 Command output
Field             Description
Interface         Interface configured with the IPv6 packet filtering function.
In-bound Policy   Indicates that an IPv6 ACL is configured in the inbound direction of the interface.
Out-bound Policy  Indicates that an IPv6 ACL is configured in the outbound direction of the interface.
acl6              IPv6 ACL number.

interface interface-type interface-number: Displays the packet filtering statistics of the specified interface of the IPv4 firewall.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.

Parameters
deny: Specifies the filtering action as denying packets to pass the firewall.
permit: Specifies the filtering action as permitting packets to pass the firewall.
all: Specifies that the configuration applies to all interface cards.
slot slot-number: Specifies that the configuration applies to the interface card in the specified slot.
Examples
# Specify the default filtering action of the IPv4 firewall as denying packets to pass.

Default command level
2: System level
Parameters
acl-number: Ethernet frame header ACL number in the range of 4000 to 4999.
name acl-name: Specifies the Ethernet frame header ACL name, a case-insensitive string of 1 to 63 characters that must start with an alphabetical character a to z or A to Z. To avoid confusion, the word all cannot be used as the ACL name.
inbound: Filters packets received by the interface.
outbound: Filters packets forwarded from the interface.
Usage guidelines
By default, fragments inspection is disabled.
Examples
# Enable fragments inspection.
system-view
[Sysname] firewall fragments-inspect
Related commands
• display firewall-statistics fragments-inspect
• firewall packet-filter

firewall fragments-inspect { high | low }
Use firewall fragments-inspect { high | low } to set the high and low threshold values for fragments inspection. Use undo firewall fragments-inspect { high | low } to restore the defaults.

• firewall packet-filter

firewall ipv6 default
Use firewall ipv6 default to specify the default filtering action of the IPv6 firewall.
Syntax
firewall ipv6 default { deny | permit }
Default
The default filtering action of the IPv6 firewall is permitting packets to pass (permit).
Views
System view
Default command level
2: System level
Parameters
deny: Specifies the filtering action as denying packets to pass the firewall.

firewall ipv6 fragments-inspect
Use firewall ipv6 fragments-inspect to enable IPv6 fragments inspection. Use undo firewall ipv6 fragments-inspect to disable IPv6 fragments inspection.
Syntax
firewall ipv6 fragments-inspect
undo firewall ipv6 fragments-inspect
Default
IPv6 fragments inspection is disabled.
Views
System view
Default command level
2: System level
Examples
# Enable IPv6 fragments inspection.

• exactly: Specifies the exact match mode.
• normally: Specifies the normal match mode.
Usage guidelines
Packets are not filtered on an interface by default. You can apply only one IPv4 ACL in one direction of an interface to filter packets.
Examples
# Apply ACL 2001 to interface Serial 2/0 to filter outbound packets.

[Sysname-Ethernet1/1] firewall packet-filter ipv6 2500 outbound

reset firewall ethernet-frame-filter
Use reset firewall ethernet-frame-filter to clear the Ethernet frame filtering statistics.
Syntax
reset firewall ethernet-frame-filter { all | dlsw | interface interface-type interface-number }
Views
User view
Default command level
1: Monitor level
Parameters
all: Clears all Ethernet frame filtering statistics.
dlsw: Clears the Ethernet frame filtering statistics of the DLSw module.

reset firewall-statistics
Use reset firewall-statistics to clear the packet filtering statistics of the IPv4 firewall.
Syntax
reset firewall-statistics { all | interface interface-type interface-number }
Views
User view
Default command level
1: Monitor level
Parameters
all: Clears the packet filtering statistics on all interfaces of the IPv4 firewall.
interface interface-type interface-number: Clears the packet filtering statistics on the specified interface of the IPv4 firewall.
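The packet-filter commands above fit together as one policy, and the default action decides what an ACL alone cannot: with the factory default of permit, traffic that matches no rule is forwarded, so a filter that only names a few hosts denies almost nothing. The following added configuration example (not from the HP documentation) puts the weak setting beside the hardened one. The firewall enable line and the exact form of the ACL rule are assumed from Comware V5 syntax and are not shown on this page; the interface and the 10.1.1.1 management host are constructed values.

```text
# Weak: default action permit (factory setting). Packets that match no ACL rule
# are forwarded, so a packet filter only blocks what it names explicitly.
system-view
[Sysname] firewall default permit

# Hardened: deny by default, permit only the management host, inspect fragments.
# "firewall enable" is assumed from Comware V5 syntax; it is not on this page.
[Sysname] firewall enable
[Sysname] firewall default deny
[Sysname] firewall fragments-inspect
[Sysname] acl number 2000
# Constructed value: 10.1.1.1 is the management host; 0 is a host wildcard mask.
[Sysname-acl-basic-2000] rule permit source 10.1.1.1 0
[Sysname-acl-basic-2000] quit
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] firewall packet-filter 2000 inbound
[Sysname-Ethernet1/1] quit

# Check: after some traffic, matched packets show under "permitted"/"denied"
# and the unmatched remainder under "denied default", not "permitted default".
[Sysname] display firewall-statistics interface ethernet 1/1
```

The statistics counters are the practical check that the default action is in force: a nonzero "permitted default" line means unmatched traffic is still being forwarded.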
tcp: Specifies the TCP session idle timeout period.
udp: Specifies the UDP session idle timeout period.
seconds: Timeout period, in seconds. The value range is 5 to 43200.
Usage guidelines
Within the timeout period, the system maintains the session.
Examples
# Create an ASPF policy with the policy number 1, and enter ASPF policy view.
system-view
[Sysname] aspf-policy 1
# Set the TCP session termination delay time to 10 seconds.

Examples
# Create an ASPF policy and enter the corresponding ASPF policy view.
system-view
[Sysname] aspf-policy 1
[Sysname-aspf-policy-1]

detect
Use detect to configure ASPF detection for the application layer protocol or transport layer protocol. Use undo detect to restore the default.

Examples
# Specify ASPF policy 1 for the HTTP protocol, enable Java blocking, and configure ACL 2000 so that the ASPF policy can filter Java applets from the server 10.1.1.1.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.1.1.

  Detect Protocols:
    ftp timeout 3600 s
    tcp timeout 3600 s
[Interface Configuration]
Interface        InboundPolicy  OutboundPolicy
--------------------------------------------------------------
Ethernet1/1      none           1
[Established Sessions]
Session   Initiator        Responder   Application  Status
-------------------------------------------------------------------------
73A4844   1.1.1.50:1025    2.2.2.

Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.

Examples
# Display the configuration information of ASPF policy 1.
display aspf policy 1
[ASPF Policy Configuration]
Policy Number 1:
  Log: disable
  SYN timeout: 30 s
  FIN timeout: 5 s
  TCP timeout: 3600 s
  UDP timeout: 30 s
  Detect Protocols
    ftp timeout 120 s
    tcp timeout 3600 s
Table 60 Command output
Field                        Description
[ASPF Policy Configuration]  ASPF policy configuration information.
Policy Number                ASPF policy number.
SYN timeout                  TCP connection SYN status timeout time.

Examples
# Display the related information of the current ASPF session.
display aspf session
[Established Sessions]
Session   Initiator             Responder          Application  Status
212BA84   169.254.1.121:1427    169.254.1.52:0     ftp-data     TCP_DOWN
7148124   100.1.1.1:1027        200.1.1.2:21       ftp          FTP_CONXN_UP
# Display the detailed information of the current ASPF session.
display aspf session verbose
[Session 0x7148124]
  Initiator: 100.1.1.1:1027
  Responder: 200.1.1.
display port-mapping
Use display port-mapping to view port mapping information.
Syntax
display port-mapping [ application-name | port port-number ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
application-name: Name of the application to be used for port mapping. Available applications include FTP, H323, HTTP, HTTPS, IKE, RTSP, SMTP, SSH, and VAM.

Field  Description
TYPE   Port mapping type, system predefined or user customized.
Related commands
port-mapping

firewall aspf
Use firewall aspf to apply the specified ASPF policy to the specified direction of the current interface. Use undo firewall aspf to remove the specified ASPF policy from the current interface.
Syntax
firewall aspf aspf-policy-number { inbound | outbound }
undo firewall aspf aspf-policy-number { inbound | outbound }
Default
No ASPF policy is applied on the interface.

undo log enable
Default
The ASPF session logging function is disabled.
Views
ASPF policy view
Default command level
2: System level
Examples
# Enable the ASPF session logging function.
system-view
[Sysname] aspf-policy 1
[Sysname-aspf-policy-1] log enable
Related commands
• display aspf all
• display aspf interface
• display aspf policy
• display aspf session

port-mapping
Use port-mapping to map a port to an application layer protocol.

Examples
# Map port 3456 to the FTP protocol.
system-view
[Sysname] port-mapping ftp port 3456
Related commands
display port-mapping

reset aspf session
Use reset aspf session to clear ASPF sessions.
Syntax
reset aspf session
Views
User view
Default command level
2: System level
Examples
# Clear ASPF sessions.
SSH configuration commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. The following matrix shows the FIPS and hardware compatibility:

Hardware  FIPS mode
MSR900    No.
MSR93X    No.
MSR20-1X  No.
MSR20     Yes.
MSR30     Yes (except the MSR30-16).
MSR50     Yes.
MSR1000   Yes.

Examples
# Display the SSH server status.
display ssh server status
 SSH Server: Disable
 SSH version : 1.99
 SSH authentication-timeout : 60 second(s)
 SSH server key generating interval : 0 hour(s)
 SSH Authentication retries : 3 time(s)
 SFTP Server: Disable
 SFTP Server Idle-Timeout: 10 minute(s)
Table 63 Command output
Field        Description
SSH Server   Whether the SSH server function is enabled.
SSH version  SSH protocol version. When the SSH supports SSH1, the protocol version is 1.99.

Field     Description
SerType   Service type:
          • SFTP.
          • Secure Telnet (Stelnet).
          • Secure copy (SCP).
Username  Name of a user for login.
Related commands
• ssh server authentication-retries
• ssh server authentication-timeout
• ssh server compatible-ssh1x enable
• ssh server enable
• ssh server rekey-interval

display ssh user-information
Use the display ssh user-information command on an SSH server to display information about SSH users.

 Username  Authentication-type  User-public-key-name  Service-type
 yemx      password             null                  stelnet
 test      publickey            pubkey                sftp
Table 65 Command output
Field                 Description
Username              Name of the user.
Authentication-type   Authentication method:
                      • Password authentication.
                      • Publickey authentication.
                      • Password-publickey authentication.
                      • Any authentication.
User-public-key-name  Public key of the user or name of the PKI domain which verifies the client certificate.
sftp server idle-timeout
Use sftp server idle-timeout to set the idle timeout timer for SFTP user connections. Use undo sftp server idle-timeout to restore the default.
Syntax
sftp server idle-timeout time-out-value
undo sftp server idle-timeout
Default
The idle timeout timer is 10 minutes.
Views
System view
Default command level
3: Manage level
Parameters
time-out-value: Specifies a timeout timer in the range of 1 to 35791 minutes.

Default command level
3: Manage level
Parameters
times: Specifies the maximum number of authentication attempts, in the range of 1 to 5.
Usage guidelines
You can set this limit to prevent brute-force guessing of usernames and passwords. This configuration takes effect only on users at their next login. Authentication fails if the number of authentication attempts (including both publickey and password authentication) exceeds the upper limit configured by this command.

Examples
# Set the SSH user authentication timeout timer to 10 seconds.
system-view
[Sysname] ssh server authentication-timeout 10
Related commands
display ssh server

ssh server compatible-ssh1x enable
Use ssh server compatible-ssh1x enable to enable the SSH server to support SSH1 clients. Use undo ssh server compatible-ssh1x to disable the SSH server from supporting SSH1 clients.

Views
System view
Default command level
3: Manage level
Examples
# Enable the SSH server.
system-view
[Sysname] ssh server enable
Related commands
display ssh server

ssh server rekey-interval
Use ssh server rekey-interval to set the interval for updating the RSA server key pair. Use undo ssh server rekey-interval to restore the default.
Syntax
ssh server rekey-interval hours
undo ssh server rekey-interval
Default
The interval for updating the RSA server key pair is 0.

ssh user
Use ssh user to create an SSH user and specify the service type and authentication method. Use undo ssh user to delete an SSH user.

completes automatically without the need of entering any password. This method is not supported in FIPS mode.
assign: Specifies parameters that are used to verify the client.
• pki-domain pkiname: Specifies the PKI domain which verifies the client certificate. The pkiname argument is a case-insensitive string of 1 to 15 characters. The server uses the CA certificate saved in the PKI domain to verify one or multiple client certificates without saving clients' public keys in advance.
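The SSH server commands in this section are usually applied together rather than one at a time. The following added configuration example (not from the HP documentation) shows one hardening pass over the defaults visible in the display ssh server status output above: SSH1 compatibility reported as version 1.99, a 60-second authentication timeout, 3 retries, a rekey interval of 0, and a 10-minute SFTP idle timeout. The compatible-ssh1x, retries, timeout, rekey-interval and idle-timeout commands follow the forms given on this page; the public-key import line and the ssh user line are assumed from Comware V5 syntax, and the user name ops-admin, the key name ops-key and the key file name are constructed.

```text
system-view
[Sysname] ssh server enable
# Refuse SSH1 clients so the server only negotiates SSH2 (version shows 2.0, not 1.99).
[Sysname] undo ssh server compatible-ssh1x
# Cap authentication attempts (publickey and password attempts count together;
# default is 3, range 1 to 5) and shorten the time a half-open login may wait.
[Sysname] ssh server authentication-retries 2
[Sysname] ssh server authentication-timeout 30
# Regenerate the RSA server key pair once a day (hours; default 0 means never).
[Sysname] ssh server rekey-interval 24
# Drop idle SFTP sessions after 5 minutes instead of the 10-minute default.
[Sysname] sftp server idle-timeout 5
# Publickey-only user. The import and "ssh user" syntax are assumed from
# Comware V5; "ops-admin", "ops-key" and "ops-admin.pub" are constructed.
[Sysname] public-key peer ops-key import sshkey ops-admin.pub
[Sysname] ssh user ops-admin service-type stelnet authentication-type publickey assign publickey ops-key
# Check the result: version, timeout, retries and rekey interval, then the user table.
[Sysname] display ssh server status
[Sysname] display ssh user-information
```

The two display commands are the verification step: the status output should no longer show version 1.99 or a 0-hour key generating interval, and the user table should list ops-admin with authentication type publickey and a non-null key name.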
SSH client configuration commands

bye
Use bye to terminate the connection with the SFTP server and return to user view.
Syntax
bye
Views
SFTP client view
Default command level
3: Manage level
Usage guidelines
This command functions the same as the exit and quit commands.
Examples
# Terminate the connection with the SFTP server.
sftp-client> bye
Bye
Connection closed.

cd
Use cd to change the working path on an SFTP server.

cdup
Use cdup to return to the upper-level directory.
Syntax
cdup
Views
SFTP client view
Default command level
3: Manage level
Examples
# Return to the upper-level directory from the current working directory /new1.
sftp-client> cdup
Current Directory is: /

delete
Use delete to delete files from a server.
Syntax
delete remote-file&<1-10>
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-file&<1-10>: Specifies the names of files on the server.

Syntax
dir [ -a | -l ] [ remote-path ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
-a: Displays the names of the files and sub-directories under a directory.
-l: Displays the detailed information about the files and sub-directories under a directory in the form of a list.
remote-path: Specifies the name of the directory to be queried.

begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

display ssh server-info
Use display ssh server-info on a client to display mappings between SSH servers and their host public keys on an SSH client.
Syntax
display ssh server-info [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

Syntax
exit
Views
SFTP client view
Default command level
3: Manage level
Usage guidelines
This command functions the same as the bye and quit commands.
Examples
# Terminate the connection with the SFTP server.
sftp-client> exit
Bye
Connection closed.

get
Use get to download a file from the SFTP server and save it locally.
Syntax
get remote-file [ local-file ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-file: Specifies the name of a file on the SFTP server.

Default command level
3: Manage level
Parameters
all: Displays all commands.
command-name: Specifies a command.
Usage guidelines
With neither the argument nor the keyword specified, the command displays all commands in a list.
Examples
# Display the help information of the get command.
sftp-client> help get
get remote-path [local-path] Download file.Default local-path is the same as remote-path

ls
Use ls to display file and folder information under a directory.

drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:18 new2
-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:30 pub2

mkdir
Use mkdir to create a directory on the SFTP server.
Syntax
mkdir remote-path
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-path: Specifies the name of a directory on the SFTP server.
Examples
# Create a directory named test on the SFTP server.
sftp-client> mkdir test
New directory created

put
Use put to upload a local file to an SFTP server.

Syntax
pwd
Views
SFTP client view
Default command level
3: Manage level
Examples
# Display the current working directory of the SFTP server.
sftp-client> pwd
/

quit
Use quit to terminate the connection with an SFTP server and return to user view.
Syntax
quit
Views
SFTP client view
Default command level
3: Manage level
Usage guidelines
This command functions the same as the bye and exit commands.
Examples
# Terminate the connection with the SFTP server.
sftp-client> quit
Bye
Connection closed.

Parameters
remote-file&<1-10>: Specifies the names of files on an SFTP server. &<1-10> means that you can provide up to 10 filenames, separated by spaces.
Usage guidelines
This command functions the same as the delete command.
Examples
# Delete file temp.c from the server.
sftp-client> remove temp.c
The following files will be deleted:
/temp.c
Are you sure to delete it? [Y/N]:y
This operation might take a long time.Please wait...
Parameters
remote-path&<1-10>: Specifies the names of directories on the remote SFTP server. &<1-10> means that you can provide up to 10 directory names, separated by spaces.
Examples
# On the SFTP server, delete directory temp1 in the current directory.
sftp-client> rmdir temp1
Directory successfully removed

scp
Use scp to transfer files with an SCP server.

Parameters
ipv6: Specifies the type of the server as IPv6. If this keyword is not specified, the server is an IPv4 server.
server: Specifies an IPv4 or IPv6 server by its address or host name. For an IPv4 server, it is a case-insensitive string of 1 to 20 characters. For an IPv6 server, it is a case-insensitive string of 1 to 46 characters.
port-number: Specifies the port number of the server, in the range of 0 to 65535. The default is 22.
get: Downloads the file.
put: Uploads the file.

must specify an algorithm of the client (by using the identity-key keyword) in order to get the correct data for the local private key.
Examples
# Connect to the SCP server 192.168.0.1, download the file remote.bin from the server, and save it locally to the file local.bin.
scp 192.168.0.1 get remote.bin local.bin

sftp
Use sftp to establish a connection to an IPv4 SFTP server and enter SFTP client view.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
identity-key: Specifies the algorithm for publickey authentication, either dsa or rsa. The default is dsa.
• dsa: Specifies the public key algorithm dsa. This keyword is not available in FIPS mode.
• rsa: Specifies the public key algorithm rsa.

• The preferred server-to-client encryption algorithm is aes128.
• The preferred client-to-server HMAC algorithm is md5.
• The preferred server-to-client HMAC algorithm is sha1-96.
sftp 10.1.1.2 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96
Input Username:

sftp client ipv6 source
Use sftp client ipv6 source to specify the source IPv6 address or source interface for the SFTP client. Use undo sftp client ipv6 source to remove the configuration.
undo sftp client source Default An SFTP client uses the IP address of the interface specified by the route of the device to access the SFTP server. Views System view Default command level 3: Manage level Parameters interface interface-type interface-number: Specifies a source interface by its type and number. ip ip-address: Specifies a source IPv4 address.
Preferred algorithm In non-FIPS mode In FIPS mode Preferred client-to-server encryption algorithm aes128 aes128 Preferred client-to-server HMAC algorithm sha1-96 sha1-96 Preferred key exchange algorithm dh-group-exchange dh-group14 Preferred server-to-client encryption algorithm aes128 aes128 Preferred server-to-client HMAC algorithm sha1-96 sha1-96 Views User view Default command level 3: Manage level Parameters server: Specifies a server by its IPv6 address or host name, a case-insensi
prefer-kex: Specifies the preferred key exchange algorithm. The default algorithm is dh-group-exchange in non-FIPS mode, and dh-group14 in FIPS mode. • dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. This keyword is not available in FIPS mode. • dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not available in FIPS mode. • dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
Parameters server: Specifies a server by its IP address or host name, a string of 1 to 80 characters. assign publickey keyname: Specifies the name of the host public key of the server, a string of 1 to 64 characters. Usage guidelines If first-time authentication is not enabled on the client (see ssh client first-time enable), the client rejects any server whose host public key has not been configured with this command.
system-view [Sysname] ssh client first-time enable ssh client ipv6 source Use ssh client ipv6 source to specify the source IPv6 address or source interface for the Stelnet client. Use undo ssh client ipv6 source to remove the configuration. Syntax ssh client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address } undo ssh client ipv6 source Default An Stelnet client uses the IPv6 address of the interface specified by the route of the device to access the Stelnet server.
Default An Stelnet client uses the IP address of the interface specified by the route of the device to access the Stelnet server. Views System view Default command level 3: Manage level Parameters interface interface-type interface-number: Specifies a source interface by its type and number. ip ip-address: Specifies a source IPv4 address.
Preferred algorithm                              In non-FIPS mode    In FIPS mode
Public key algorithm                             dsa                 rsa
Preferred client-to-server encryption algorithm  aes128              aes128
Preferred client-to-server HMAC algorithm        sha1-96             sha1-96
Preferred key exchange algorithm                 dh-group-exchange   dh-group14
Preferred server-to-client encryption algorithm  aes128              aes128
Preferred server-to-client HMAC algorithm        sha1-96             sha1-96
Views User view Default command level 0: Visit level Parameters server: Specifies a server by its IPv4 addre
• sha1-96: Specifies the HMAC algorithm hmac-sha1-96. prefer-kex: Specifies the preferred key exchange algorithm. The default algorithm is dh-group-exchange in non-FIPS mode, and dh-group14 in FIPS mode. • dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. This keyword is not available in FIPS mode. • dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not available in FIPS mode.
Default The following matrix shows the default algorithms used in non-FIPS and FIPS modes:
Preferred algorithm                              In non-FIPS mode    In FIPS mode
Public key algorithm                             dsa                 rsa
Preferred client-to-server encryption algorithm  aes128              aes128
Preferred client-to-server HMAC algorithm        sha1-96             sha1-96
Preferred key exchange algorithm                 dh-group-exchange   dh-group14
Preferred server-to-client encryption algorithm  aes128              aes128
Preferred server-to-client HMAC algorithm        sha1-96             sha1-96
Views User view
• md5: Specifies the HMAC algorithm hmac-md5. This keyword is not available in FIPS mode. • md5-96: Specifies the HMAC algorithm hmac-md5-96. This keyword is not available in FIPS mode. • sha1: Specifies the HMAC algorithm hmac-sha1. • sha1-96: Specifies the HMAC algorithm hmac-sha1-96. prefer-kex: Specifies the preferred key exchange algorithm. The default algorithm is dh-group-exchange in non-FIPS mode, and dh-group14 in FIPS mode.
SSL configuration commands For encryption, SSL needs an encryption daughter card. MSR900, MSR93X and MSR20-1X routers do not support encryption daughter cards. The following matrix shows the FIPS and hardware compatibility:
Hardware   FIPS mode
MSR900     No.
MSR93X     No.
MSR20-1X   No.
MSR20      Yes.
MSR30      Yes (except the MSR30-16).
MSR50      Yes.
MSR1000    Yes.
ciphersuite Use ciphersuite to specify the cipher suites for an SSL server policy to support.
rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA. rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA. rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.
client must pass authentication before accessing the SSL server; otherwise, the client can access the SSL server without authentication. If you configure the client-verify enable command but disable the SSL client weak authentication function, the SSL client must pass authentication before accessing the SSL server. Examples # Configure the SSL server to require certificate-based SSL client authentication.
Related commands • client-verify enable • display ssl server-policy close-mode wait Use close-mode wait to set the SSL connection close mode to wait mode. In this mode, after sending a close-notify alert message to a client, the server does not close the connection until it receives a close-notify alert message from the client. Use undo close-mode wait to restore the default.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display information about SSL server policy policy1.
Syntax handshake timeout time undo handshake timeout Default The handshake timeout time is 3600 seconds. Views SSL server policy view Default command level 2: System level Parameters time: Specifies the handshake timeout time in seconds. The value range is 180 to 7200. Usage guidelines If the SSL server receives no packet from the SSL client before the handshake timeout time expires, the SSL server terminates the handshake process.
Usage guidelines If you do not specify a PKI domain for an SSL server policy, the SSL server generates and signs a certificate for itself rather than obtaining one from a CA server. Clients cannot validate such a self-signed certificate against a trusted CA, so specify a PKI domain whenever clients must authenticate the server. Examples # Configure SSL server policy policy1 to use PKI domain server-domain. system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] pki-domain server-domain # Configure SSL client policy policy1 to use PKI domain client-domain.
rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA. rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA. rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.
Related commands display ssl client-policy session Use session to set the maximum number of cached sessions and the caching timeout time. Use undo session to restore the default. Syntax session { cachesize size | timeout time } * undo session { cachesize | timeout } * Default The maximum number of cached sessions is 500 and the caching timeout time is 3600 seconds.
Syntax ssl client-policy policy-name undo ssl client-policy { policy-name | all } Views System view Default command level 2: System level Parameters policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters, which cannot be a, al, or all. all: Specifies all SSL client policies. Examples # Create SSL client policy policy1 and enter its view.
system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] Related commands display ssl server-policy version Use version to specify the SSL protocol version for an SSL client policy. Use undo version to restore the default. Syntax In non-FIPS mode: version { ssl3.0 | tls1.0 } undo version In FIPS mode: version tls1.0 undo version Default The SSL protocol version for an SSL client policy is TLS 1.0. The ssl3.0 keyword is not available in FIPS mode; keep the default TLS 1.0 unless the SSL server cannot negotiate it.
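The SSH/SFTP algorithm keywords above (prefer-kex, prefer-ctos-hmac, prefer-stoc-hmac, identity-key) and the SSL client policy version keyword share one property the reference states for each: some values are not available in FIPS mode. The following script, an added example and not part of the command reference or the device software, audits a saved configuration for those values and rewrites them to the FIPS-mode defaults listed on this page. SAMPLE_CONFIG is constructed around the page's own sftp example; the second sftp line and the two client policies are assumed for illustration.

```python
"""Audit SSH/SFTP client commands and SSL client policies for algorithm
keywords this reference marks as "not available in FIPS mode", and rewrite
them to the FIPS-mode defaults the page lists.  Added example for offline
configuration review, not a device feature.  SAMPLE_CONFIG is constructed."""
from typing import List, Tuple

# keyword -> values the page lists as not available in FIPS mode
NON_FIPS_ONLY = {
    "prefer-kex": {"dh-group1", "dh-group-exchange"},
    "prefer-ctos-hmac": {"md5", "md5-96"},
    "prefer-stoc-hmac": {"md5", "md5-96"},
    "identity-key": {"dsa"},
    "version": {"ssl3.0"},
}
# keyword -> default the page gives for FIPS mode
FIPS_DEFAULT = {
    "prefer-kex": "dh-group14",
    "prefer-ctos-hmac": "sha1-96",
    "prefer-stoc-hmac": "sha1-96",
    "identity-key": "rsa",
    "version": "tls1.0",
}

# Constructed sample: line 1 is the page's sftp example, the rest is assumed.
SAMPLE_CONFIG = """\
sftp 10.1.1.2 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96
sftp 10.1.1.3 identity-key dsa prefer-kex dh-group14 prefer-stoc-hmac sha1
ssl client-policy policy1
 version ssl3.0
ssl client-policy policy2
 version tls1.0
"""


def audit(config: str) -> List[Tuple[int, str, str, str]]:
    """Return (line number, keyword, flagged value, FIPS default) per finding."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):          # a keyword needs a value after it
            weak = NON_FIPS_ONLY.get(tok)
            if weak and tokens[i + 1] in weak:
                findings.append((lineno, tok, tokens[i + 1], FIPS_DEFAULT[tok]))
    return findings


def harden(config: str) -> str:
    """Rewrite each flagged value to its FIPS-mode default, keeping the
    indentation of lines nested in a policy view."""
    out = []
    for line in config.splitlines():
        indent = line[:len(line) - len(line.lstrip())]
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok in NON_FIPS_ONLY and tokens[i + 1] in NON_FIPS_ONLY[tok]:
                tokens[i + 1] = FIPS_DEFAULT[tok]
        out.append(indent + " ".join(tokens))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, keyword, value, default in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {keyword} {value} is not available in FIPS mode "
              f"(FIPS default: {default})")
    print(harden(SAMPLE_CONFIG))
```

The audit only inspects keyword/value pairs that appear on this page; cipher keywords are left alone because the excerpt lists only aes128 for them.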
SSL VPN configuration commands ssl-vpn enable Use ssl-vpn enable to enable the SSL VPN service. Use undo ssl-vpn enable to disable the SSL VPN service. Syntax ssl-vpn enable undo ssl-vpn enable Default The SSL VPN service is disabled. Views System view Default command level 2: System level Usage guidelines Before you execute this command, make sure an SSL server policy has been specified for the SSL VPN service by using the ssl-vpn server-policy command.
Default No SSL server policy is specified for the SSL VPN service. Views System view Default command level 2: System level Parameters server-policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 16 characters. port port-number: Specifies the port number to be used by the SSL VPN service. The value range is 1 to 65535, and the default is 443. Usage guidelines The specified SSL server policy must have been created.
User profile configuration commands display user-profile Use display user-profile to display information about all user profiles that have been created. Syntax display user-profile [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 2: System level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Syntax user-profile profile-name enable undo user-profile profile-name enable Default A created user profile is disabled. Views System view Default command level 2: System level Parameters profile-name: Specifies a user profile name, a case-sensitive string of 1 to 31 characters. It can contain only English letters, digits, and underscores, and it must start with an English letter. The user profile must already exist. Usage guidelines Only enabled user profiles can be applied to authenticated users.
Parameters profile-name: Assigns a name to the user profile. The name is a case-sensitive string of 1 to 31 characters. It can contain only English letters, digits, and underscores, and it must start with an English letter. A user profile name must be globally unique. Examples # Create user profile a123. system-view [Sysname] user-profile a123 [Sysname-user-profile-a123] # Enter the user profile view of a123.
ARP attack protection configuration commands IP flood protection configuration commands arp source-suppression enable Use arp source-suppression enable to enable the ARP source suppression function. Use undo arp source-suppression enable to disable the function. Syntax arp source-suppression enable undo arp source-suppression enable Default The ARP source suppression function is disabled. Views System view Default command level 2: System level Examples # Enable the ARP source suppression function.
Default command level 2: System level Parameters limit-value: Sets the maximum number of unresolvable packets that can be received from a device in 5 seconds. The value range is 2 to 1024. Usage guidelines If the number of unresolvable packets from a host within 5 seconds exceeds the specified threshold, the device stops resolving packets from the host until the 5 seconds elapse. Examples # Set the maximum number of unresolvable packets that the device can receive in 5 seconds to 100.
Table 70 Command output
Field                      Description
Current suppression limit  Maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in 5 seconds.
Current cache length       Size of the cache used to record source suppression information.
Source MAC-based ARP attack detection configuration commands arp anti-attack source-mac Use arp anti-attack source-mac to enable the source MAC-based ARP attack detection and specify a handling method.
arp anti-attack source-mac aging-time Use arp anti-attack source-mac aging-time to configure the age time for source MAC-based ARP attack detection entries. Use undo arp anti-attack source-mac aging-time to restore the default. Syntax arp anti-attack source-mac aging-time time undo arp anti-attack source-mac aging-time Default The age time for ARP attack entries is 300 seconds (5 minutes).
Usage guidelines If no MAC address is specified in the undo arp anti-attack source-mac exclude-mac command, all excluded MAC addresses are removed. Examples # Exclude a MAC address from source MAC-based ARP attack detection. system-view [Sysname] arp anti-attack source-mac exclude-mac 2-2-2 arp anti-attack source-mac threshold Use arp anti-attack source-mac threshold to configure the threshold for source MAC-based ARP attack detection.
Default command level 1: Monitor level Parameters interface interface-type interface-number: Displays ARP attack entries detected on the interface. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
Default command level 2: System level Usage guidelines After you execute the arp anti-attack valid-check enable command, the gateway device can filter out ARP packets with the source MAC address in the Ethernet header different from the sender MAC address in the ARP message. Examples # Enable ARP packet source MAC address consistency check.
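The consistency check that arp anti-attack valid-check enable performs is a comparison of two fields in the same frame: the source MAC in the Ethernet header and the sender hardware address in the ARP body. The following code is an added example that is not part of the command reference or the device software; it decodes an Ethernet II + ARP frame, applies that check, and builds two constructed frames (one consistent, one with a forged ARP sender MAC) to show which the gateway would drop.

```python
"""Source MAC consistency check for ARP frames, as enforced by the
arp anti-attack valid-check enable command: the Ethernet source MAC must
equal the sender hardware address in the ARP body.  Added example, not
device code; the frames below are constructed for illustration."""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # IPv4-over-Ethernet ARP body


def mac_str(raw: bytes) -> str:
    """Render 6 raw bytes in the xxxx-xxxx-xxxx form the CLI uses."""
    return "-".join(raw[i:i + 2].hex() for i in (0, 2, 4))


def parse_arp_frame(frame: bytes) -> dict:
    """Decode an Ethernet II + ARP frame into the fields the check needs."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        raise ValueError("frame too short for Ethernet + ARP")
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(
        frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {
        "eth_src": mac_str(src),
        "op": op,                                    # 1 = request, 2 = reply
        "sender_mac": mac_str(sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": mac_str(tha),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def arp_valid_check(frame: bytes) -> bool:
    """True if the frame passes the consistency check (would be forwarded)."""
    fields = parse_arp_frame(frame)
    return fields["eth_src"] == fields["sender_mac"]


def build_arp_request(eth_src: bytes, sender_mac: bytes,
                      sender_ip: str, target_ip: str) -> bytes:
    """Build a broadcast ARP request.  eth_src and sender_mac are passed
    separately so that an inconsistent frame can be constructed."""
    eth = ETH_HDR.pack(b"\xff" * 6, eth_src, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, 1, sender_mac,
                       ipaddress.IPv4Address(sender_ip).packed,
                       b"\x00" * 6,
                       ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


# Constructed frames: a normal request and one whose ARP sender MAC
# disagrees with the Ethernet source MAC (what the gateway filters out).
HOST_MAC = bytes.fromhex("000c29aabbcc")
FORGED_MAC = bytes.fromhex("0011223344ff")
GOOD_FRAME = build_arp_request(HOST_MAC, HOST_MAC, "192.168.1.10", "192.168.1.1")
BAD_FRAME = build_arp_request(HOST_MAC, FORGED_MAC, "192.168.1.10", "192.168.1.1")


def filter_frames(frames) -> list:
    """Return the gateway's decision, 'forward' or 'drop', per frame."""
    return ["forward" if arp_valid_check(f) else "drop" for f in frames]


if __name__ == "__main__":
    for f in (GOOD_FRAME, BAD_FRAME):
        d = parse_arp_frame(f)
        print(d["eth_src"], d["sender_mac"], "forward" if arp_valid_check(f) else "drop")
```

The check is deliberately limited to the two MAC fields, as the command description is; it says nothing about whether the sender IP belongs on the port, which is what the IP source guard bindings later in this reference cover.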
ARP automatic scanning and fixed ARP configuration commands arp fixup Use arp fixup to change the existing dynamic ARP entries into static ARP entries. You can use this command again to change the dynamic ARP entries learned later into static. Syntax arp fixup Views System view Default command level 2: System level Usage guidelines The static ARP entries changed from dynamic ARP entries have the same attributes as the manually configured static ARP entries.
Parameters start-ip-address: Specifies the start IP address of the scanning range. end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address. Usage guidelines If you specify the start IP and end IP addresses, the device scans the specific address range for neighbors and learns their ARP entries, so that the scanning time is reduced.
IP source guard configuration commands display ip source binding Use display ip source binding to display IPv4 source guard binding entries. Syntax display ip source binding [ static ] [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters static: Displays static IPv4 source guard binding entries.
Hardware   Command compatibility
MSR20      No.
MSR30      Yes on the following models:
           • MSR30 routers installed with MIM-FSW or DMIM-FSW modules.
           • MSR30-11E Layer 2 fixed Ethernet ports.
           • MSR30-11F Layer 2 fixed Ethernet ports.
MSR50      Yes on MSR50 routers installed with FIC-FSW or DFIC-FSW modules.
MSR1000    Yes on Layer 2 fixed Ethernet ports.
Examples # Display all IPv4 source guard binding entries.
ip source binding Use ip source binding to configure a static IPv4 source guard binding entry on a port. Use undo ip source binding to delete a static IPv4 source guard binding entry from a port.
Hardware   Command compatibility                                              Supported keywords             Maximum static binding entries
MSR30      Yes on MSR30-11E Layer 2 fixed Ethernet ports.                     ip-address, mac-address, vlan  192
           Yes on MSR30-11F Layer 2 fixed Ethernet ports.                     ip-address, mac-address        384
MSR50      Yes on MSR50 routers installed with FIC-FSW or DFIC-FSW modules.   ip-address, mac-address, vlan  8
MSR1000    Yes on Layer 2 fixed Ethernet ports.                               mac-address                    200
Examples # Configure a static IPv4 IP-MAC binding entry on port Ethernet 1/1.
After you configure the IPv4 source guard function on a port, IPv4 source guard dynamically generates IPv4 source guard binding entries based on the DHCP snooping entries (on a Layer 2 Ethernet port), and all static IPv4 source guard binding entries on the port take effect. The keywords specified in the ip verify source command only control how dynamic IPv4 source guard binding entries are generated; they do not affect static IPv4 source guard binding entries.
Default The maximum number of IPv4 source guard binding entries allowed on a port is not set. Views Layer 2 Ethernet port view Default command level 2: System level Parameters number: Maximum number of IPv4 source guard binding entries allowed on a port. Usage guidelines When the number of IPv4 binding entries on a port reaches the maximum, the router does not generate more IPv4 binding entries on the port.
Attack detection and protection configuration commands attack-defense apply policy Use attack-defense apply policy to apply an attack protection policy to an interface. Use undo attack-defense apply policy to restore the default. Syntax attack-defense apply policy policy-number undo attack-defense apply policy Default No attack protection policy is applied to an interface.
Syntax attack-defense policy policy-number [ interface interface-type interface-number ] undo attack-defense policy policy-number [ interface interface-type interface-number ] Default No attack protection policy is created. Views System view Default command level 2: System level Parameters policy-number: Specifies the sequence number of an attack protection policy, in the range of 1 to 128. interface interface-type interface-number: Specifies the interface that uses the policy exclusively.
protection function or the user login authentication function. For configuration information about scanning attack protection, see the defense scan add-to-blacklist command. Examples # Enable the blacklist function. system-view [Sysname] blacklist enable Related commands • defense scan • display attack-defense policy blacklist ip Use blacklist ip to add a blacklist entry. After an IP address is added to the blacklist, the device filters all packets from it.
Related commands • blacklist enable • display blacklist defense icmp-flood action drop-packet Use defense icmp-flood action drop-packet to configure the device to drop ICMP flood attack packets. Use undo defense icmp-flood action to restore the default. Syntax defense icmp-flood action drop-packet undo defense icmp-flood action Default The device only outputs alarm logs if detecting an ICMP flood attack.
Default command level 2: System level Examples # Enable ICMP flood attack protection in attack protection policy 1.
packets destined for the specified IP address drops below the silence threshold, it considers that the attack is over, returns to attack detection state, and stops the protection actions. Usage guidelines You can configure ICMP flood attack protection thresholds for a maximum of 32 IP addresses in an attack protection policy. Examples # Enable ICMP flood attack protection for IP address 192.168.1.
packets destined for an IP address drops below the silence threshold, it considers that the attack to the IP address is over, returns to attack detection state, and stops the protection actions. Usage guidelines Adjust the thresholds according to the actual network conditions. Usually, ICMP traffic is smaller than TCP traffic and UDP traffic. You can set a smaller action threshold for ICMP flood protection.
If you delete an entry blacklisted by scanning attack protection shortly after the entry is added (within 1 second), the system does not add the entry again, because it considers the subsequent packets matching the entry to belong to the same attack. Examples # Enable scanning attack protection.
[Sysname] attack-defense policy 1 [Sysname-attack-defense-policy-1] defense scan blacklist-timeout 20 Related commands • blacklist enable • defense scan add-to-blacklist • defense scan enable • defense scan max-rate defense scan enable Use defense scan enable to enable scanning attack protection. Use undo defense scan enable to restore the default. Syntax defense scan enable undo defense scan enable Default Scanning attack protection is disabled.
Use undo defense scan max-rate to restore the default, which is 4000 connections per second. Syntax defense scan max-rate rate-number undo defense scan max-rate Views Attack protection policy view Default command level 2: System level Parameters rate-number: Specifies the threshold of the connection establishment rate (number of connections established in a second) that triggers scanning attack protection, in the range of 1 to 10000.
Views Attack protection policy view Default command level 2: System level Parameters drop-packet: Drops all subsequent connection requests to the attacked IP address. Examples # Configure the SYN flood protection policy to drop SYN flood attack packets.
Use undo defense syn-flood ip to remove the configuration. Syntax defense syn-flood ip ip-address rate-threshold high rate-number [ low rate-number ] undo defense syn-flood ip ip-address [ rate-threshold ] Default No SYN flood attack protection thresholds are configured for an IP address. Views Attack protection policy view Default command level 2: System level Parameters ip-address: Specifies the IP address to be protected. This IP address cannot be a broadcast address, 127.0.0.
defense syn-flood rate-threshold Use defense syn-flood rate-threshold to configure the global action and silence thresholds for SYN flood attack protection. The device uses the global attack protection thresholds to protect the IP addresses for which you do not configure attack protection parameters specifically. Use undo defense syn-flood rate-threshold to restore the default.
defense udp-flood action drop-packet Use defense udp-flood action drop-packet to configure the device to drop UDP flood attack packets. Use undo defense udp-flood action to restore the default. Syntax defense udp-flood action drop-packet undo defense udp-flood action Default The device only outputs alarm logs if it detects a UDP flood attack. Views Attack protection policy view Default command level 2: System level Examples # Configure attack protection policy 1 to drop UDP flood packets.
system-view [Sysname] attack-defense policy 1 [Sysname-attack-defense-policy-1] defense udp-flood enable Related commands • defense udp-flood action drop-packet • defense udp-flood rate-threshold • defense udp-flood ip • display attack-defense policy defense udp-flood ip Use defense udp-flood ip to configure the action and silence thresholds for UDP flood attack protection of a specific IP address. Use undo defense udp-flood ip to remove the configuration.
Examples # Configure UDP flood attack protection for IP address 192.168.1.2, and set the action threshold to 2000 packets per second and the silence threshold to 1000 packets per second. system-view [Sysname] attack-defense policy 1 [Sysname-attack-defense-policy-1] defense udp-flood ip 192.168.1.
conditions, or attack-sensitive networks, you can set a smaller action threshold. If the link bandwidth of the protected network is small, you can set a smaller silence threshold to help release the network traffic pressure. Examples # Configure UDP flood attack protection, set the global action threshold to 3000 packets per second and the global silence threshold to 1000 packets per second.
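The ICMP, SYN and UDP flood commands above all describe the same two-threshold mechanism: protection starts when the packet rate towards an address exceeds the action threshold (high), and it ends only when the rate drops below the silence threshold (low), with addresses that have no thresholds of their own falling back to the global rate-threshold values. The following simulation is an added example, not device code, that runs that state machine over constructed per-second counts; it assumes "exceeds" is a strict greater-than and "drops below" a strict less-than comparison, and tracks attack state per destination address.

```python
"""Action/silence (high/low) thresholds as described for defense icmp-flood,
syn-flood and udp-flood: protection starts when the per-second rate towards
an address exceeds the action threshold and ends only when it drops below
the silence threshold.  Added illustration with constructed counts, not
device code.  Assumptions: strict > for "exceeds", strict < for "drops
below"; attack state is kept per destination address."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class FloodDetector:
    high: int                    # action threshold (packets/s)
    low: int                     # silence threshold (packets/s)
    drop_packets: bool = False   # "defense ... action drop-packet" configured
    under_attack: bool = False
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0 <= self.low < self.high:
            raise ValueError("silence threshold must be below the action threshold")

    def observe(self, second: int, pps: int) -> str:
        """Feed one second of traffic; return what the device does with it."""
        if self.under_attack:
            if pps < self.low:
                self.under_attack = False
                self.events.append(f"t={second}s attack over: {pps} pps < {self.low}")
                return "forward"
        elif pps > self.high:
            self.under_attack = True
            self.events.append(f"t={second}s attack detected: {pps} pps > {self.high}")
        else:
            return "forward"
        # Every second spent in the attack state gets the protection action.
        return "drop" if self.drop_packets else "syslog"


class FloodPolicy:
    """One detector per destination; addresses without their own thresholds
    (defense ... ip) use the global ones (defense ... rate-threshold)."""

    def __init__(self, global_high: int, global_low: int, drop_packets: bool = False,
                 per_ip: Optional[Dict[str, Tuple[int, int]]] = None) -> None:
        self.global_high, self.global_low = global_high, global_low
        self.drop_packets = drop_packets
        self.per_ip = per_ip or {}
        self.detectors = {}

    def observe(self, second: int, dst_ip: str, pps: int) -> str:
        det = self.detectors.get(dst_ip)
        if det is None:
            high, low = self.per_ip.get(dst_ip, (self.global_high, self.global_low))
            det = self.detectors[dst_ip] = FloodDetector(high, low, self.drop_packets)
        return det.observe(second, pps)


# Constructed per-second UDP packet counts.  192.168.1.2 carries the page's
# example thresholds (action 2000, silence 1000); 10.0.0.5 has none of its
# own and falls back to the global ones (action 3000, silence 1000).
PROTECTED = [500, 1500, 2500, 1800, 1200, 900, 300]
OTHER = [2500, 3500, 2000, 500]
PER_IP = {"192.168.1.2": (2000, 1000)}


def run_protected(drop_packets: bool = True) -> List[str]:
    policy = FloodPolicy(3000, 1000, drop_packets, per_ip=PER_IP)
    return [policy.observe(t, "192.168.1.2", pps) for t, pps in enumerate(PROTECTED)]


def run_global(drop_packets: bool = True) -> List[str]:
    policy = FloodPolicy(3000, 1000, drop_packets, per_ip=PER_IP)
    return [policy.observe(t, "10.0.0.5", pps) for t, pps in enumerate(OTHER)]


if __name__ == "__main__":
    print(list(zip(PROTECTED, run_protected())))
    print(list(zip(OTHER, run_global())))
```

The point the two thresholds make is visible in the first run: 1500 pps before the attack is forwarded, but 1800 pps during it is still dropped, because the attack only ends once the rate falls below the silence threshold. That is why the usage guidelines say to lower the silence threshold on small links: the device otherwise stays in the protection state while the link is still saturated.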
Smurf attack-defense : Enabled
ICMP redirect attack-defense : Disabled
ICMP unreachable attack-defense : Disabled
Large ICMP attack-defense : Enabled
Max-length : 250 bytes
TCP flag attack-defense : Enabled
Tracert attack-defense : Enabled
Fraggle attack-defense : Enabled
WinNuke attack-defense : Enabled
LAND attack-defense : Enabled
Source route attack-defense : Enabled
Route record attack-defense : Enabled
Scan attack-defense : Enabled
Add to blacklist : Enabled
Blacklist timeo
Field                            Description
Bound interfaces                 Interfaces to which the attack protection policy is applied.
Smurf attack-defense             Indicates whether Smurf attack protection is enabled.
ICMP redirect attack-defense     Indicates whether ICMP redirect attack protection is enabled.
ICMP unreachable attack-defense  Indicates whether ICMP unreachable attack protection is enabled.
Large ICMP attack-defense        Indicates whether large ICMP attack protection is enabled.
Max-length                       Maximum length allowed for an ICMP packet.
Field                   Description
SYN flood action        Action to be taken when a SYN flood attack is detected: Drop-packet (drop subsequent packets) or Syslog (output an alarm log).
SYN flood high-rate     Global action threshold for SYN flood attack protection.
SYN flood low-rate      Global silence threshold for SYN flood attack protection.
SYN flood attack on IP  SYN flood attack protection settings for specific IP addresses.
# Display summary configuration information about all attack protection policies.
-----------------------------------------------------------
Interface : GigabitEthernet1/1
-----------------------------------------------------------
Attack policy number : 1
Fraggle attacks : 1
Fraggle packets dropped : 100
ICMP redirect attacks : 1
ICMP redirect packets dropped : 100
ICMP unreachable attacks : 1
ICMP unreachable packets dropped : 100
LAND attacks : 1
LAND attack packets dropped : 100
Large ICMP attacks : 1
Large ICMP packets dropped : 100
Route record attacks : 1
Field                         Description
LAND attack packets dropped   Number of LAND attack packets dropped.
Large ICMP attacks            Number of detected large ICMP attacks.
Large ICMP packets dropped    Number of large ICMP packets dropped.
Route record attacks          Number of detected Route Record attacks.
Route record packets dropped  Number of Route Record attack packets dropped.
Source route attacks          Number of detected Source Route attacks.
Source route packets dropped  Number of Source Route attack packets dropped.
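The statistics output above is the natural thing to poll from a monitoring script, but its counters are cumulative and its field names are not uniform (both "Fraggle packets dropped" and "LAND attack packets dropped" occur). The following parser is an added example, not part of the command reference; it turns the output into per-interface counters, extracts the attack types that have actually fired, and computes the delta between two polls. SAMPLE_OUTPUT is constructed from the page's sample with different counter values.

```python
"""Parse display attack-defense statistics interface output into
per-interface counters, list the attack types seen, and diff two polls.
Added example, not part of the command reference; SAMPLE_OUTPUT is
constructed from the page's sample with altered counters."""
import re
from typing import Dict

SAMPLE_OUTPUT = """\
-----------------------------------------------------------
Interface : GigabitEthernet1/1
-----------------------------------------------------------
Attack policy number : 1
Fraggle attacks : 1
Fraggle packets dropped : 100
ICMP redirect attacks : 0
ICMP redirect packets dropped : 0
LAND attacks : 1
LAND attack packets dropped : 100
Large ICMP attacks : 2
Large ICMP packets dropped : 300
Source route attacks : 0
Source route packets dropped : 0
"""

FIELD_RE = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")
ATTACK_RE = re.compile(r"^(?P<kind>.+?) attacks$")


def parse_attack_defense_statistics(text: str) -> Dict[str, dict]:
    """Return {interface: {field: int or str}} from the command output."""
    stats, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:            # blank or rule line
            continue
        m = FIELD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        name, value = m.group("name"), m.group("value")
        if name == "Interface":
            current = stats.setdefault(value, {})
            continue
        if current is None:
            raise ValueError(f"counter before any Interface header: {line!r}")
        current[name] = int(value) if value.isdigit() else value
    return stats


def attacks_seen(counters: dict) -> Dict[str, tuple]:
    """Map each attack type with a nonzero count to (attacks, packets dropped).
    The output spells the drop counter both as '<kind> packets dropped' and
    '<kind> attack packets dropped', so both are tried."""
    seen = {}
    for name, value in counters.items():
        m = ATTACK_RE.match(name)
        if not m or not isinstance(value, int) or value == 0:
            continue
        kind = m.group("kind")
        dropped = counters.get(f"{kind} packets dropped",
                               counters.get(f"{kind} attack packets dropped", 0))
        seen[kind] = (value, dropped)
    return seen


def counter_delta(previous: dict, current: dict) -> Dict[str, int]:
    """Counters are cumulative; alerting wants what changed since last poll."""
    return {name: value - previous.get(name, 0)
            for name, value in current.items()
            if isinstance(value, int) and value - previous.get(name, 0) != 0}


if __name__ == "__main__":
    stats = parse_attack_defense_statistics(SAMPLE_OUTPUT)
    for interface, counters in stats.items():
        print(interface, attacks_seen(counters))
```

Feed counter_delta the previous and current poll of the same interface; an empty result means nothing new was detected or dropped in between.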
Parameters ip source-ip-address: Displays information about the blacklist entry for an IP address. source-ip-address indicates the IP address, which cannot be a broadcast address, 127.0.0.0/8, a class D address, or a class E address. all: Displays information about all blacklist entries. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
display flow-statistics statistics Use display flow-statistics statistics to display traffic statistics on interfaces based on IP addresses.
RAWIP sessions : 10
RAWIP session establishment rate : 10/s
Table 75 Command output
Field                              Description
IP Address                         Source IP address.
Total number of existing sessions  Total number of connections.
Session establishment rate         Connection establishment rate.
TCP sessions                       Number of TCP connections.
Half-open TCP sessions             Number of half-open connections.
Half-close TCP sessions            Number of half-close connections.
TCP session establishment rate     TCP connection establishment rate.
Examples # Display the inbound traffic statistics of interface GigabitEthernet 1/1.
Default The traffic statistics collection function is disabled on an interface. Views Interface view Default command level 2: System level Parameters destination-ip: Collects statistics on packets sent out of the current interface by destination IP address. inbound: Collects statistics on packets received on the interface. outbound: Collects statistics on packets sent out of the interface. source-ip: Collects statistics on packets received on the current interface by source IP address.
Related commands display attack-defense statistics interface signature-detect Use signature-detect to enable signature detection of a single-packet attack. Use undo signature-detect to disable signature detection of a single-packet attack.
signature-detect action drop-packet Use signature-detect action drop-packet to configure the device to drop single-packet attack packets. Use undo signature-detect action to restore the default. Syntax signature-detect action drop-packet undo signature-detect action Default The device only outputs alarm logs if it detects a single-packet attack. Views Attack protection policy view Default command level 2: System level Examples # Configure attack protection policy 1 to drop single-packet attack packets.
Usage guidelines With signature detection of large ICMP attack enabled, a device considers all ICMP packets longer than the specified maximum length as large ICMP attack packets. This command is effective only when signature detection of large ICMP attack is enabled. Examples # Enable signature detection of large ICMP attack, set the ICMP packet length threshold that triggers large ICMP attack protection to 5000 bytes, and configure the device to drop ICMP packets longer than the specified maximum length.
TCP attack protection configuration commands display tcp status Use display tcp status to display status of all TCP connections for monitoring TCP connections. Syntax display tcp status [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Use undo tcp anti-naptha enable to disable the protection against Naptha attack. Syntax tcp anti-naptha enable undo tcp anti-naptha enable Default The protection against Naptha attack is disabled. Views System view Default command level 2: System level Usage guidelines The configurations made by using the tcp state and tcp timer check-state commands are removed after the protection against Naptha attack is disabled. Examples # Enable the protection against Naptha attack.
last-ack: Specifies the LAST_ACK state of a TCP connection. syn-received: Specifies the SYN_RECEIVED state of a TCP connection. connection-number number: Specifies the maximum number of TCP connections in the specified state. The number argument is in the range of 0 to 500. Usage guidelines You must enable protection against Naptha attack (tcp anti-naptha enable) before executing this command; otherwise, an error is prompted. You can configure a separate maximum number of TCP connections for each state.
Syntax tcp timer check-state time-value undo tcp timer check-state Default The TCP connection state check interval is 30 seconds. Views System view Default command level 2: System level Parameters time-value: Specifies the TCP connection state check interval in seconds, in the range of 1 to 60. Usage guidelines The device periodically checks the number of TCP connections in each state.
Connection limit configuration commands connection-limit default action Use connection-limit default action to specify the default connection limit action, that is, to specify whether to limit connections that do not match the connection limit rule in the policy. Use undo connection-limit default action to restore the default.
Default command level 2: System level Parameters upper-limit max-amount: Specifies the upper connection limit in the range of 1 to 4294967295. lower-limit min-amount: Specifies the lower connection limit in the range of 0 to 4294967294. min-amount must be less than max-amount. Examples # Set the default upper connection limit to 200 and the lower connection limit to 50.
display connection-limit policy Use display connection-limit policy to display information about a specific or all connection limit policies. Syntax display connection-limit policy { policy-number | all } [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters policy-number: Specifies the connection limit policy number in the range of 0 to 19. all: Displays all connection limit policies.
Syntax display connection-limit statistics [ source src-address { mask-length | mask } ] [ destination dst-address { mask-length | mask } ] [ destination-port { eq | gt | lt | neq | range } port-number ] [ vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters source src-address: Specifies the source IP address of the connections.
Table 79 Command output
Field         Description
source-ip     Source IP address. "---" means no such information is available.
dest-ip       Destination IP address. "---" means no such information is available.
dest-port     Destination port number. "---" means no such information is available.
vpn-instance  MPLS L3VPN instance. "---" means that the connection belongs to the public network.
NAT           The NAT module to which the connection limit policy applies.
amount        Number of connections established.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the connections belong, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the connections are in the public network, do not specify this keyword and argument combination.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Views
Connection limit policy view
Default command level
2: System level
Parameters
limit-id: Specifies the ID of a rule in the connection limit policy, in the range of 0 to 255.
acl-number: Specifies an ACL number in the range of 2000 to 3999. Connections matching this ACL are to be limited.
per-destination: Limits connections by destination IP address.
per-service: Limits connections by service type or application.
per-source: Limits connections by source IP address.
Syntax
nat connection-limit-policy policy-number
undo nat connection-limit-policy policy-number
Views
System view
Default command level
2: System level
Parameters
policy-number: Specifies the number of an existing connection limit policy, in the range of 0 to 19.
Usage guidelines
To modify a connection limit rule in a policy that is already applied to the NAT module, use the undo nat connection-limit-policy command to remove the application first.
Password control configuration commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
The following matrix shows the FIPS and hardware compatibility:
Hardware   FIPS mode
MSR900     No.
MSR93X     No.
MSR20-1X   No.
MSR20      Yes.
MSR30      Yes (except the MSR30-16).
MSR50      Yes.
MSR1000    Yes.
Global password control configurations:
 Password control: Disabled
 Password aging: Enabled (90 days)
 Password length: Enabled (10 characters)
 Password composition: Enabled (1 types, 1 characters per type)
 Password history: Enabled (max history records:4)
 Early notice on password expiration: 7 days
 User authentication timeout: 60 seconds
 Maximum failed login attempts: 3 times
 Login attempt-failed action: Lock for 1 minutes
 Minimum password update time: 24 hours
 User account idle-time: 90
Field                Description
Password complexity  Whether the following password complexity checking is enabled:
                     • username checking—Checks whether a password contains the username or the reverse of the username.
                     • repeated characters checking—Checks whether a password contains any character that is repeated consecutively three or more times.
Table 82 Command output
Field               Description
Username            Username of the user.
IP                  IP address of the user.
Login failed times  Number of login failures.
Lock flag           Whether the user is prohibited from logging in:
                    • unlock—Not prohibited.
                    • lock—Prohibited temporarily or permanently, depending on the password-control login-attempt command.
password
Use password to set a password for a local user in interactive mode.
Use undo password to remove the password for a local user.
Character name       Symbol
Minus sign           -
Percent sign         %
Plus sign            +
Pound sign           #
Quotation marks      "
Right angle bracket  >
Right brace          }
Right bracket        ]
Right parenthesis    )
Semi-colon           ;
Slash                /
Tilde                ~
Underscore           _
Vertical bar         |
A local user password configured in interactive mode must meet the password control requirements. For example, if the minimum password length is set to 8, the password must contain at least 8 characters.
length: Enables the minimum password length restriction function.
Usage guidelines
For these four functions to take effect, the password control feature must be enabled globally. You must also enable a function for its own configuration to take effect. For example, if the minimum password length restriction function is not enabled, the setting made by the password-control length command does not take effect.
Views
System view, user group view, local user view
Default command level
2: System level
Parameters
aging-time: Specifies the password aging time in days, in the range of 1 to 365.
Usage guidelines
The aging time depends on the view:
• The time in system view has global significance and applies to all user groups.
• The time in user group view applies to all local users in the user group.
• The time in local user view applies only to the local user.
Default
A user is notified of pending password expiration 7 days before the user's password expires.
Views
System view
Default command level
2: System level
Parameters
alert-time: Specifies the number of days before a user's password expires during which the user is notified of the pending password expiration. The value range is 1 to 30.
Examples
# Configure the device to notify a user about pending password expiration 10 days before the user's password expires.
Syntax
password-control complexity { same-character | user-name } check
undo password-control complexity { same-character | user-name } check
Default
No user password complexity checking is performed, and a password can contain the username, the reverse of the username, or a character repeated three or more times consecutively.
Views
System view
Default command level
2: System level
Parameters
same-character: Refuses a password that contains any character repeated consecutively three or more times.
In both non-FIPS and FIPS modes, the password composition policy for a user group is the same as the global policy, and the password composition policy for a local user is the same as that of the user group to which the local user belongs.
Views
System view, user group view, local user view
Default command level
2: System level
Parameters
type-number type-number: Specifies the minimum number of character types in the password.
Use undo password-control enable to disable the password control feature globally.
Syntax
password-control enable
undo password-control enable
Default
In non-FIPS mode, the password control feature is disabled globally. In FIPS mode, the password control feature is enabled globally and cannot be disabled.
Views
System view
Default command level
2: System level
Usage guidelines
The password control functions take effect only after the password control feature is enabled globally.
times: Specifies the maximum number of times a user can log in after the password expires. The value range is 0 to 10, and 0 means that a user cannot log in after the password expires.
Examples
# Specify that a user can log in 5 times within 60 days after the password expires.
Views
System view, user group view, local user view
Default command level
2: System level
Parameters
length: Specifies the minimum password length in characters. The value range is 4 to 32 in non-FIPS mode, and 8 to 32 in FIPS mode.
Usage guidelines
In non-FIPS mode, the minimum password length for a user group and a local user is four characters. In FIPS mode, the minimum password length for a user group and a local user is eight characters.
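The password checks described in this chapter (minimum length, composition by character type, the same-character check and the user-name check) implemented as an added example that is not HP's code. The class and function names are this example's own; the special-character set (string.punctuation) and the FIPS-style policy derived from the "at least 10 characters, all four character types" requirement are assumptions.

```python
import string
from dataclasses import dataclass

# Character classes used by the composition check. The special-character set is
# an assumption (Python's string.punctuation covers every symbol in the manual's table).
TYPE_CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


@dataclass(frozen=True)
class PasswordPolicy:
    """Subset of the password-control settings described in this chapter."""
    min_length: int = 10                 # password-control length
    type_number: int = 1                 # password-control composition type-number
    type_length: int = 1                 # password-control composition type-length
    same_character_check: bool = False   # password-control complexity same-character check
    user_name_check: bool = False        # password-control complexity user-name check


# Global defaults as shown by display password-control above, and an assumed
# FIPS-style policy (10 characters, all four types, both complexity checks on).
DEFAULT_POLICY = PasswordPolicy()
FIPS_POLICY = PasswordPolicy(min_length=10, type_number=4, type_length=1,
                             same_character_check=True, user_name_check=True)


def type_counts(password: str) -> dict:
    """Count how many characters of each class the password contains."""
    return {name: sum(ch in chars for ch in password) for name, chars in TYPE_CLASSES.items()}


def has_run_of_three(password: str) -> bool:
    """True if any character is repeated three or more times consecutively (e.g. 'aaa')."""
    return any(password[i] == password[i + 1] == password[i + 2]
               for i in range(len(password) - 2))


def contains_username(password: str, username: str) -> bool:
    """True if the password contains the username or the reverse of the username."""
    return bool(username) and (username in password or username[::-1] in password)


def check_password(password: str, username: str, policy: PasswordPolicy) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    counts = type_counts(password)
    # A character type counts toward type-number only when it reaches type-length characters.
    satisfied = sum(1 for n in counts.values() if n >= policy.type_length)
    if satisfied < policy.type_number:
        violations.append(f"only {satisfied} character type(s) with at least "
                          f"{policy.type_length} character(s) each, need {policy.type_number}")
    if policy.same_character_check and has_run_of_three(password):
        violations.append("a character is repeated three or more times consecutively")
    if policy.user_name_check and contains_username(password, username):
        violations.append("contains the username or its reverse")
    return violations


if __name__ == "__main__":
    for pw in ("Sysname2014!A", "adminadmin", "aaa1"):
        print(pw, "->", check_password(pw, "admin", FIPS_POLICY) or "accepted")
```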
Syntax
password-control login idle-time idle-time
undo password-control login idle-time
Default
You cannot use a user account to log in to the device if the account has been idle for 90 days.
Views
System view
Default command level
2: System level
Parameters
idle-time: Specifies the maximum account idle time in days, in the range of 0 to 365. 0 means no restriction for account idle time.
Examples
# Set the maximum account idle time to 30 days.
lock-time time: Forces a user who fails to log in after the specified number of attempts to wait for a period of time before trying again. The time argument is in minutes and in the range of 1 to 360.
unlock: Allows a user who fails to log in after the specified number of attempts to continue trying to log in.
Usage guidelines
If prohibited permanently, a user can log in only after you remove the user from the password control blacklist.
password-control password update interval
Use password-control password update interval to set the minimum password update interval, that is, the minimum interval at which users can change their passwords.
Use undo password-control password update interval to restore the default.
Syntax
password-control password update interval interval
undo password-control password update interval
Default
The minimum password update interval is 24 hours.
Default command level
2: System level
Parameters
aging-time: Specifies the super password aging time in days, in the range of 1 to 365.
Usage guidelines
If you do not specify an aging time for super passwords, the system applies the global password aging time to super passwords. If you have specified an aging time for super passwords, the system applies that aging time to super passwords.
Examples
# Set the aging time for super passwords to 10 days.
Examples
# Specify that each super password must contain at least three character types and at least five characters for each type.
system-view
[Sysname] password-control super composition type-number 3 type-length 5
Related commands
password-control composition
password-control super length
Use password-control super length to set the minimum length for super passwords.
Use undo password-control super length to restore the default.
Syntax
reset password-control blacklist [ all | user-name name ]
Views
User view
Default command level
3: Manage level
Parameters
all: Clears all users in the password control blacklist.
user-name name: Specifies the user to be removed from the password control blacklist. The name argument is the username, a case-sensitive string of 1 to 80 characters.
Examples
# Delete the user named test from the password control blacklist.
Are you sure to delete all local user's history records? [Y/N]:
HABP configuration commands
display habp
Use display habp to display HABP configuration information.
Syntax
display habp [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
display habp table
Use display habp table to display HABP MAC address table entries.
Syntax
display habp table [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
Parameters
vlan-id: Specifies the ID of the VLAN in which HABP packets are to be transmitted. The value range is 1 to 4094.
Examples
# Specify the HABP client to belong to VLAN 2.
system-view
[Sysname] habp client vlan 2
habp enable
Use habp enable to enable HABP.
Use undo habp enable to disable HABP.
Syntax
habp enable
undo habp enable
Default
HABP is enabled.
Views
System view
Default command level
2: System level
Examples
# Enable HABP.
Parameters
vlan-id: Specifies the ID of the VLAN in which HABP packets are to be transmitted. The value range is 1 to 4094.
Usage guidelines
In a cluster, if a member device with 802.1X authentication or MAC authentication enabled is attached to some other member devices of the cluster, you must also configure the HABP server on this device. Otherwise, the cluster management device will not be able to manage the devices attached to this member device.
URPF configuration commands
ip urpf
Use ip urpf to enable URPF check on an interface to prevent source address spoofing attacks.
Use undo ip urpf to disable URPF check.
Syntax
ip urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]
undo ip urpf
Default
URPF check is disabled.
Views
Interface view
Default command level
2: System level
Parameters
loose: Enables loose URPF check. To pass loose URPF check, the source address of a packet must match the destination address of a FIB entry.
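The URPF decision described above, modelled as an added example that is not HP's code. The FIB and interface names are constructed; the loose check follows the definition on this page, while the strict check (the matching FIB entry's outgoing interface must be the receiving interface) and the treatment of allow-default-route follow standard URPF behaviour and are assumptions beyond this excerpt. The acl option is not modelled.

```python
import ipaddress

# Constructed FIB: (destination prefix, outgoing interface). The 0.0.0.0/0 entry
# is the default route that the allow-default-route keyword controls.
SAMPLE_FIB = [
    ("0.0.0.0/0", "Ethernet1/1"),
    ("10.1.0.0/16", "Ethernet1/2"),
    ("10.1.5.0/24", "Ethernet1/3"),
    ("192.0.2.0/24", "Ethernet1/1"),
]


def fib_lookup(fib, address):
    """Longest-prefix match of address against the FIB; returns (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(src_address, in_interface, fib, mode="strict", allow_default_route=False):
    """Return True if the packet passes the URPF check, False if it fails (spoofing suspected)."""
    if mode not in ("loose", "strict"):
        raise ValueError("mode must be 'loose' or 'strict'")
    entry = fib_lookup(fib, src_address)
    if entry is None:
        return False                      # no FIB entry matches the source address
    net, iface = entry
    if net.prefixlen == 0 and not allow_default_route:
        return False                      # only the default route matches: rejected unless allowed
    if mode == "loose":
        return True                       # loose: any matching FIB entry is enough
    return iface == in_interface          # strict: the route back to the source must use the ingress interface


if __name__ == "__main__":
    # A packet from 10.1.5.7 arriving on Ethernet1/2 looks spoofed under strict URPF,
    # because the best route to 10.1.5.0/24 leaves via Ethernet1/3.
    print("strict:", urpf_check("10.1.5.7", "Ethernet1/2", SAMPLE_FIB, "strict"))
    print("loose: ", urpf_check("10.1.5.7", "Ethernet1/2", SAMPLE_FIB, "loose"))
```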
WLAN client isolation commands
wlan-client-isolation enable
Use wlan-client-isolation enable to enable WLAN client isolation.
Use undo wlan-client-isolation enable to disable WLAN client isolation.
Syntax
wlan-client-isolation enable
undo wlan-client-isolation enable
Default
WLAN client isolation is disabled.
Views
System view
Default command level
2: System level
Examples
# Disable WLAN client isolation.
Group domain VPN commands
KS configuration commands
display gdoi ks
Use display gdoi ks to display GDOI KS information.
Syntax
display gdoi ks [ group group-name ]
Views
User view
Default command level
1: Monitor level
Parameters
group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command displays KS information for all GDOI KS groups.
Examples
# Display KS information for the GDOI KS group abc.
# Display KS information for all GDOI KS groups.
display gdoi ks
Group Name: abc
  Group identity : 8
  Group members : 0
  Redundancy : Enabled
  Local address : 105.112.100.2
  Local version : 1.
  Profile name : profile-xyz2
  ACL configured : 3001
Table 87 Command output
Field           Description
Group Name      Name of the GDOI KS group.
Group identity  GDOI KS group identity, a number or an IPv4 address. If no identity is configured, this field is blank.
Group members   Number of online GMs in the GDOI KS group.
Redundancy      Redundancy information for the GDOI KS group.
Local role      Role of the local KS in the redundancy:
                • Primary—Primary KS.
                • Secondary—Secondary KS.
                • Initial—In initializing state.
Examples
# Display ACLs referenced by the GDOI KS group abc.
display gdoi ks acl group abc
Group Name: abc
  ACL abc
    rule 0 permit ip source 1.1.1.2 0 destination 2.2.2.3 0
    rule 1 permit tcp source 1.1.0.0 0.0.255.255 destination 2.2.0.0 0.0.255.255
    rule 2 permit ip
# Display ACLs referenced by all GDOI KS groups.
display gdoi ks acl
Group Name: abc
  ACL abc
    rule 0 permit ip source 1.1.1.2 0 destination 2.2.2.3 0
    rule 1 permit tcp source 1.1.0.0 0.0.255.255 destination 2.2.0.0 0.0.255.
Usage guidelines
If you do not specify the group group-name option, the command displays information about online GMs with the specified IP address in all GDOI KS groups.
If you do not specify the ip ip-address option, the command displays information about all online GMs in the specified GDOI KS group.
If you do not specify any parameter, the command displays information about all online GMs in all GDOI KS groups.
Examples
# Display information about all online GMs in all GDOI KS groups.
display gdoi ks policy
Use display gdoi ks policy to display policy information for GDOI KS groups.
Syntax
display gdoi ks policy [ group group-name ]
Views
User view
Default command level
1: Monitor level
Parameters
group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command displays policy information for all GDOI KS groups.
Examples
# Display policy information for all GDOI KS groups.
Field               Description
SPI                 SPI of the rekey SA or that of the IPsec SA.
Lifetime            KEK or TEK lifetime.
Remaining lifetime  Remaining time of the KEK or TEK lifetime.
Signature key name  Name of the key pair used for signature.
Encapsulation       IPsec encapsulation mode for IP packets: Tunnel or Transport.
ACL                 Number or name of the ACL referenced.
Transform           Name of the IPsec transform set referenced.
    Peer role : Unknown
    Peer status : Down
  Peer address : 172.1.1.1
    Peer version : 1.0
    Peer priority : 100
    Peer role : Secondary
    Peer status : Ready
Table 91 Command output
Field            Description
Group Name       GDOI KS group name.
Local role       Role of the local KS in the redundancy:
                 • Primary—Primary KS.
                 • Secondary—Secondary KS.
                 • Initial—In initializing state.
                 • Electing—Electing the primary KS.
Primary address  IP address of the primary KS.
Peers            Peer KS information.
Peer address     Peer KS address.
Parameters
group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command displays rekey information for all GDOI KS groups.
Examples
# Display rekey information for all GDOI KS groups.
Table 92 Command output
Field               Description
Group Name          GDOI KS group name.
IPsec 1 lifetime    SA lifetime of IPsec policy 1, in seconds.
Remaining lifetime  Remaining time of the KEK or IPsec SA, in seconds.
gdoi ks group
Use gdoi ks group to create a GDOI KS group and enter GDOI KS group view.
Use undo gdoi ks group to delete a GDOI KS group.
Syntax
gdoi ks group group-name
undo gdoi ks group group-name
Default
No GDOI KS group exists.
Views
System view
Default command level
2: System level
Parameters
port-number: Specifies a UDP port number in the range of 1 to 65535.
Usage guidelines
A GDOI KS uses the UDP port number configured in this command to send and receive redundancy protocol packets to and from the other KSs. All KSs in the same GDOI KS group must use the same UDP port number. Otherwise, redundancy protocol packets cannot be exchanged between the KSs.
identity address
Use identity address to configure an IP address for the GDOI KS group.
Use undo identity to delete the IP address of the GDOI KS group.
Syntax
identity address address
undo identity
Default
No IP address is configured for a GDOI KS group.
Views
GDOI KS group view
Default command level
2: System level
Parameters
address: Specifies any valid IPv4 address to identify the GDOI KS group.
Default command level
2: System level
Parameters
number: Specifies a number in the range of 0 to 2147483647 to identify the GDOI KS group.
Usage guidelines
You can configure only one type of ID (either an IP address or a number) for a GDOI KS group. A GDOI KS group uses the IP address or the number, whichever is configured later.
Examples
# Configure the number of the GDOI KS group abc as 123456.
[Sysname-gdoi-ks-group-abc] ipsec 10
[Sysname-gdoi-ks-group-abc-ipsec-10]
Related commands
gdoi ks group
local priority
Use local priority to configure the GDOI KS local priority.
Use undo local priority to restore the default.
Syntax
local priority priority
undo local
Default
The local priority of the GDOI KS is 1.
Views
GDOI KS group view
Default command level
2: System level
Parameters
priority: Specifies the local priority of the GDOI KS, in the range of 1 to 65535.
peer address
Use peer address to specify the IP address of a peer KS.
Use undo peer address to delete a peer KS IP address.
Syntax
peer address ip-address
undo peer address ip-address
Default
No IP address of a peer KS is specified.
Views
GDOI KS group view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address of a peer KS.
Usage guidelines
You can specify multiple peer KS IP addresses by executing this command multiple times.
Default
A GDOI KS group IPsec policy does not reference any IPsec profile.
Views
GDOI KS group IPsec policy view
Default command level
2: System level
Parameters
ipsec-profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 15 characters.
Examples
# Create IPsec policy 10 for GDOI KS group abc, and reference IPsec profile profile1 for the IPsec policy.
[Sysname-gdoi-ks-group-abc] redundancy enable
[Sysname-gdoi-ks-group-abc]
Related commands
gdoi ks group
redundancy hello
Use redundancy hello to configure the redundancy hello packet sending interval, and the maximum number of consecutive failures allowed in receiving redundancy hello packets before the secondary KS considers itself disconnected from the primary KS.
Use undo redundancy hello to restore the default.
Examples
# Set the redundancy hello packet sending interval to 30 seconds, and the maximum number of consecutive failures in receiving redundancy hello packets to 3.
system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] redundancy hello interval 30 number 3
Related commands
display gdoi ks
redundancy retransmit
Use redundancy retransmit to configure the redundancy protocol packet retransmission interval and the maximum number of retransmissions.
[Sysname-gdoi-ks-group-abc] redundancy retransmit interval 30 number 3
Related commands
display gdoi ks
rekey acl
Use rekey acl to specify the rekey ACL, which specifies the source and destination addresses for multicast rekey messages.
Use undo rekey acl to remove the rekey ACL.
Syntax
rekey acl { access-list-number | name access-list-name }
undo rekey acl
Default
No source or destination address is specified for multicast rekey messages.
Use undo rekey authentication to remove the specified key pair.
Syntax
rekey authentication public-key rsa key-name
undo rekey authentication
Default
No key pair is specified for a rekey.
Views
GDOI KS group view
Default command level
2: System level
Parameters
public-key: Specifies the local key pair.
rsa: Specifies the public key algorithm as RSA.
key-name: Specifies the key pair name, a case-insensitive string of 1 to 64 characters.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the rekey encryption algorithm as AES-CBC-192 for the GDOI KS group abc.
system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] rekey encryption aes-cbc-192
Related commands
gdoi ks group
rekey lifetime
Use rekey lifetime to configure the KEK lifetime.
Use undo rekey lifetime to restore the default.
Syntax
rekey retransmit { interval interval | number number } *
undo rekey retransmit [ interval | number ]
Default
The retransmission interval is 10 seconds, and the maximum number of retransmissions is 2.
Views
GDOI KS group view
Default command level
2: System level
Parameters
interval interval: Specifies the rekey retransmission interval in the range of 10 to 60 seconds. The default interval is 10 seconds.
number number: Specifies the maximum number of rekey retransmissions, in the range of 1 to 10.
[Sysname-gdoi-ks-group-abc] rekey transport unicast
Related commands
gdoi ks group
reset gdoi ks
Use reset gdoi ks to clear GDOI KS group information, including keys, online GMs, and the role in redundancy backup.
Syntax
reset gdoi ks [ group group-name ]
Views
User view
Default command level
2: System level
Parameters
group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters.
reset gdoi ks members group abc
reset gdoi ks redundancy role
Use reset gdoi ks redundancy role to reset GDOI KS redundancy roles.
Syntax
reset gdoi ks redundancy role [ group group-name ]
Views
User view
Default command level
2: System level
Parameters
group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters.
Usage guidelines
If you specify a GDOI KS group, the command resets KS redundancy roles in the specified GDOI KS group.
Examples
# Configure IPsec policy 10 for the GDOI KS group abc, and then reference ACL 3000 for the IPsec policy.
system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] ipsec 10
[Sysname-gdoi-ks-group-abc-ipsec-10] security acl 3000
[Sysname-gdoi-ks-group-abc-ipsec-10]
Related commands
• gdoi ks group
• ipsec
source address
Use source address to specify the source address for packets sent by the KS.
Use undo source address to delete the source address specified for the KS.
GM configuration commands
client registration interface
Use client registration interface to specify a registration interface for the GM in a GDOI GM group. The GM uses the registration interface to send packets to the KS.
Use undo client registration interface to delete the registration interface specified for the GM.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
    Key size : 128
    Sig hash algorithm : SHA1
    Sig key length (bit) : 1024
  TEK Policy:
    Interface Ethernet1/1:
      IPsec SA:
        SPI: 0x9AE5951E(2598737182)
        Transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
        SA timing: remaining key lifetime (sec): 190
        Anti-replay detection: Disabled
      IPsec SA:
        SPI: 0x12C55CFF(314924287)
        Transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
        SA timing: remaining key lifetime (sec): 402
        Anti-replay detection: Disabled
Table 93 Command output
Field       Description
Group Name  GDOI GM group name.
Field                     Description
Multicast rekeys received Number of multicast rekeys received. This field is displayed only when the GDOI GM group is a multicast group.
Unicast rekeys received   Number of unicast rekeys received. This field is displayed only when the GDOI GM group is a unicast group.
Rekey ACKs sent           Number of rekey ACK messages sent. This field is displayed only when the GDOI GM group is a unicast group.
Allowable rekey cipher    The rekey encryption algorithm that the GM allows.
Field                                   Description
anti-replay window size(time based)     Time-based anti-replay window size, in seconds. This field is displayed only when anti-replay detection is enabled.
anti-replay window size(counter based)  Traffic-based anti-replay window size: 32, 64, 128, 256, 512, or 1024, in packets. This field is displayed only when anti-replay detection is enabled.
display gdoi gm acl
Use display gdoi gm acl to display ACL information for GMs.
    rule 1 permit ip source 12.1.1.0 0.0.0.255 destination 12.1.1.0 0.0.0.255
  ACL Configured Locally:
    IPsec Policy Name: gdoi-group1
    ACL Identifier: 3001
      rule 0 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
Group Name: 123
  ACL Downloaded From KS 12.1.1.100:
    rule 1 permit ip source 13.1.1.0 0.0.0.255 destination 13.1.2.0 0.0.0.255
# Display the ACL information that GMs downloaded from the KS.
display gdoi gm acl download
Group Name: abc
  ACL Downloaded From KS 12.1.1.
Parameters
group group-name: Displays IPsec SA information obtained by GMs of a GDOI GM group. The group-name argument is the GDOI GM group name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command displays IPsec SA information obtained by all GMs.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
display gdoi gm members
Use display gdoi gm members to display brief information about GMs.
Syntax
display gdoi gm members [ group group-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
group group-name: Displays brief GM information about a GDOI GM group. The group-name argument is the GDOI GM group name, a case-sensitive string of 1 to 63 characters.
Field                    Description
Group Member             IP address of the GM.
VPN instance             VPN instance name of the MPLS L3VPN to which the GM belongs.
Registration status      Registration status: Registered, Registering, or Not registered.
Registered with          IP address of the KS with which the GM registers.
Re-register in           Period of time after which the GM re-registers with a KS.
Succeeded registrations  Number of successful registrations.
Attempted registrations  Number of registration attempts.
Parameters
group group-name: Displays the public key information received by GMs of a GDOI GM group. The group-name argument is the GDOI GM group name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command displays the public key information received by all GMs.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Parameters
verbose: Displays the detailed rekey information for GMs. If you do not specify this keyword, the command displays the brief rekey information for GMs.
group group-name: Displays rekey information for GMs of a GDOI GM group. The group-name argument is the GDOI GM group name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command displays rekey information for all GMs.
|: Filters command output by specifying a regular expression.
Field                          Description
Multicast destination address  Multicast destination address of the rekey messages.
Rekey (KEK) SA information     SA that protects the rekey messages.
Destination                    Destination IP address of the rekey SA.
Source                         Source IP address of the rekey SA.
Conn-ID                        ID of the rekey SA.
My Cookie                      Local cookie of the rekey SA.
His Cookie                     Peer cookie of the rekey SA.
New                            Information about the new rekey SA.
Current                        Information about the currently used rekey SA.
group
Use group to specify the GDOI GM group to be referenced by the GDOI IPsec policy.
Use undo group to remove the GDOI GM group referenced by the GDOI IPsec policy.
Syntax
group group-name
undo group
Default
A GDOI IPsec policy does not reference any GDOI GM group.
Views
GDOI IPsec policy entry view
Default command level
2: System level
Parameters
group-name: Specifies the name of a GDOI GM group, a case-sensitive string of 1 to 63 characters. The group must already exist.
Views
GDOI GM group view
Default command level
2: System level
Parameters
address ip-address: Specifies any valid IPv4 address to identify the GDOI GM group.
number number: Specifies a number in the range of 0 to 2147483647 to identify the GDOI GM group.
Usage guidelines
You can configure only one type of ID (either an IP address or a number) for a GDOI GM group. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the ID of GDOI GM group abc to 123456.
reset gdoi gm group abc
Related commands
display gdoi gm
server address
Use server address to specify the IP address of the KS with which a GM will register itself.
Use undo server address to delete the specified KS IP address.
Syntax
server address ip-address
undo server address ip-address
Default
No KS IP address is specified.
Views
GDOI GM group view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address of the KS.
FIPS commands
The following matrix shows the FIPS and hardware compatibility:
Hardware   FIPS mode
MSR900     No
MSR93X     No
MSR20-1X   No
MSR20      Yes
MSR30      Yes (except the MSR30-16)
MSR50      Yes
MSR1000    Yes
display fips status
Use display fips status to display the current FIPS mode state.
Syntax
display fips status
Views
Any view
Default command level
1: Monitor level
Examples
# Display the current FIPS mode state.
Default
The FIPS mode is disabled.
Views
System view
Default command level
2: System level
Usage guidelines
The FIPS mode complies with FIPS 140-2. To enter the FIPS mode, follow these steps:
1. Enable FIPS mode.
2. Enable the password control function.
3. Configure a username and password used to log in to the device. The password must include at least 10 characters that must contain uppercase and lowercase letters, digits, and special characters.
4.
[Sysname] FIPS mode change requires a device reboot. Continue?[Y/N]:y
Change the configuration to meet FIPS mode requirements, save the configuration to the next-startup configuration file, and then reboot to enter FIPS mode.
# Disable FIPS mode.
system-view
[Sysname] undo fips mode enable
[Sysname] FIPS mode change requires a device reboot.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention        Description
Boldface          Bold text represents commands and keywords that you enter literally as shown.
Italic            Italic text represents arguments that you replace with actual values.
[ ]               Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }   Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
Represents an access point.