HP MSR2000/3000/4000 Router Series Security Command Reference (V7) Part number: 5998-4017 Software version: CMW710-R0007P02 Document version: 6PW100-20130927
Legal and notice information © Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
AAA commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
General AAA commands
aaa session-limit
Use aaa session-limit to set the maximum number of concurrent users who can log on to the device through the specified method. Use undo aaa session-limit to restore the default.
[Sysname] aaa session-limit ftp 4
access-limit enable
Use access-limit enable to set the maximum number of online users in an ISP domain. After the number of online users reaches the allowed maximum number, no more users are accepted. Use undo access-limit enable to restore the default.
Syntax
access-limit enable max-user-number
undo access-limit enable
Default
There is no limit to the number of online users in an ISP domain.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The command line accounting function works with the accounting server to record all commands that have been successfully executed on the device. Command line accounting can use only a remote HWTACACS server.
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
accounting lan-access { local | radius-scheme radius-scheme-name [ local ] }
undo accounting lan-access
Default
The default accounting method for the ISP domain is used for LAN users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Syntax
In non-FIPS mode:
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo accounting login
In FIPS mode:
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo accounting log
[Sysname] domain test
[Sysname-isp-test] accounting login radius-scheme rd local
Related commands
• accounting default
• hwtacacs scheme
• local-user
• radius scheme
accounting ppp
Use accounting ppp to configure the accounting method for PPP users. Use undo accounting ppp to restore the default.
system-view
[Sysname] domain test
[Sysname-isp-test] accounting ppp local
# Configure ISP domain test to use RADIUS accounting scheme rd for PPP users and use local accounting as the backup.
system-view
[Sysname] domain test
[Sysname-isp-test] accounting ppp radius-scheme rd local
Related commands
• accounting default
• local-user
• radius scheme
authentication default
Use authentication default to specify the default authentication method for an ISP domain.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The default authentication method is used for all users who support this method and do not have a specific authentication method configured. You can specify multiple default authentication methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence.
Parameters
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify multiple authentication methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence.
undo authentication login
Default
The default authentication method of the ISP domain is used for login users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Use undo authentication ppp to restore the default.
Syntax
In non-FIPS mode:
authentication ppp { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authentication ppp
In FIPS mode:
authentication ppp { local | radius-scheme radius-scheme-name [ local ] }
undo authentication ppp
Default
The default authentication method for the ISP domain is used for PPP users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local authentication.
• radius scheme
authentication super
Use authentication super to specify a method for user role authentication. Use undo authentication super to restore the default.
Syntax
authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *
undo authentication super
Default
The default authentication method of the ISP domain is used for user role authentication.
Related commands
• authentication default
• hwtacacs scheme
• radius scheme
authorization command
Use authorization command to specify the command authorization method. Use undo authorization command to restore the default.
Examples
# Configure ISP domain test to use local command authorization.
system-view
[Sysname] domain test
[Sysname-isp-test] authorization command local
# Configure ISP domain test to use HWTACACS scheme hwtac for command authorization and use local authorization as the backup authorization method.
none: Does not perform authorization. After passing authentication, non-login users can access the network, FTP users can access the root directory of the device, and other login users get the default user role. For more information about the default user role, see Fundamentals Configuration Guide.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local authorization.
none: Does not perform authorization. An authenticated LAN user directly accesses the network.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The RADIUS authorization configuration takes effect only when the authentication and authorization methods of the ISP domain use the same RADIUS scheme.
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization login
In FIPS mode:
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authorization login
Default T
[Sysname] domain test
[Sysname-isp-test] authorization login radius-scheme rd local
Related commands
• authorization default
• hwtacacs scheme
• local-user
• radius scheme
authorization ppp
Use authorization ppp to configure the authorization method for PPP users. Use undo authorization ppp to restore the default.
system-view
[Sysname] domain test
[Sysname-isp-test] authorization ppp local
# Configure ISP domain test to use RADIUS authorization scheme rd for PPP users and use local authorization as the backup.
authorization-attribute command in the ISP domain. For information about IP address allocation for PPP users, see Layer 2—WAN Access Configuration Guide. You can configure multiple authorization attributes for users in an ISP domain. If you execute the command multiple times with the same keyword specified, the most recent configuration takes effect.
Domain: test
  State: Active
  Access-limit: Disable
  Access-Count: 0
  Login Authentication Scheme: local
  Login Authorization Scheme: local
  Super Authentication Scheme: tacacs: test
  Command Authorization Scheme: tacacs: test
  Command Accounting Scheme: tacacs: test
  Default Authentication Scheme: local
  Default Authorization Scheme: local
  Default Accounting Scheme: local
  Authorization attributes:
    Idle-cut: Enable
    Idle Timeout: 10 (min)
    Flow: 10000 (bytes)
    IP-pool: test
Default Domain Name
Field | Description
tacacs | HWTACACS scheme.
local | Local scheme.
none | No authentication, no authorization, or no accounting.
Command Authorization Scheme | Command line authorization method.
Command Accounting Scheme | Command line accounting method.
Super Authentication Scheme | Authentication method for obtaining a temporary user role.
domain
Use domain to create an ISP domain and enter its view. Use undo domain to remove an ISP domain.
• domain default enable
• state (ISP domain view)
domain default enable
Use domain default enable to specify the default ISP domain. Users without any domain name included in the usernames are considered in the default domain. Use undo domain default enable to restore the default.
Syntax
domain default enable isp-name
undo domain default enable
Default
The default ISP domain is the system-defined ISP domain system.
undo state
Default
An ISP domain is in active state.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.
block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.
Usage guidelines
By blocking an ISP domain, you prevent offline users of the domain from requesting network services. The online users are not affected.
Parameters
max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024.
Usage guidelines
This command takes effect only when local accounting is configured for the local user. It does not apply to FTP users, who do not support accounting.
Examples
# Set the maximum number of concurrent logins to 5 using the local user name abc.
see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.
vlan vlan-id: Specifies the authorized VLAN. The vlan-id argument is in the range of 1 to 4094. After passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN.
work-directory directory-name: Specifies the work directory for FTP users.
[Sysname-ugroup-abc] authorization-attribute vlan 3
# Assign the security-audit user role to device management user xyz as the authorized user role.
system-view
[Sysname] local-user xyz class manage
[Sysname-luser-manage-xyz] authorization-attribute user-role security-audit
This operation will delete all other roles of the user. Are you sure? [Y/N]:y
Related commands
• display local-user
• display user-group
bind-attribute
Use bind-attribute to configure binding attributes for a local user.
When you configure binding attributes for a local user, make sure the device can obtain from the user's packet all attributes for checking. For example, you can configure an IP address binding for an 802.1X user, because 802.1X authentication can include the user's IP address in the packet. However, you cannot configure IP address bindings for MAC authentication users, because MAC authentication does not use IP addresses.
Examples
# Bind IP address 3.3.3.3 with the network access user abc.
user-name user-name: Specifies all local users using the specified username. The username must be a case-sensitive string of 1 to 55 characters that does not contain the domain name.
vlan vlan-id: Specifies all local users in a VLAN. The vlan-id argument is in the range of 1 to 4094.
Usage guidelines
If no parameter is specified, the command displays information about all local users.
Examples
# Display information about all local users.
display local-user
Total 2 local users matched.
Field | Description
Current access number | Current number of concurrent logins using the local user name.
User Group | Group to which the local user belongs.
Bind attributes | Binding attributes of the local user.
Authorization attributes | Authorization attributes of the local user.
Idle TimeOut | Idle timeout period of the user, in minutes.
Callback-number | Authorized PPP callback number of the local user.
Work Directory | Directory that the FTP, SFTP, or SCP user can access.
Parameters
group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
If no user group name is specified, the command displays the configuration of all user groups.
Examples
# Display the configuration of all user groups.
display user-group
Total 2 user groups matched.
Field | Description
Maximum login attempts | Maximum number of consecutive failed login attempts.
Action for exceeding login attempts | Action to take on the user who failed to log in after using up all login attempts.
group
Use group to assign a local user to a user group. Use undo group to restore the default.
Syntax
group group-name
undo group
Default
A local user belongs to the system-defined user group system.
Views
System view
Predefined user roles
network-admin
Parameters
user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain backslash (\), slash (/), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@), and cannot be a, al, or all.
class: Specifies the local user type.
password
Use password to configure a password for a local user. Use undo password to delete the password of a local user.
Syntax
In non-FIPS mode:
password [ { cipher | hash | simple } password ]
undo password
In FIPS mode:
password
Default
In non-FIPS mode, there is no password configured for a local user and the user can pass authentication after entering the correct username and passing attribute checks.
Examples
# Set the password of the device management user user1 to 123456TESTplat&! in plain text.
system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1] password simple 123456TESTplat&!
# Set the password of the device management user test in interactive mode.
system-view
[Sysname] local-user test class manage
[Sysname-luser-manage-test] password
Password:
Confirm :
Updating user information. Please wait... ...
lan-access: Authorizes the user to use the LAN access service. The users are mainly Ethernet users, for example, 802.1X users.
ssh: Authorizes the user to use the SSH service.
telnet: Authorizes the user to use the Telnet service.
terminal: Authorizes the user to use the terminal service and log in from a console, AUX, or async port.
portal: Authorizes the user to use the portal service.
ppp: Authorizes the user to use the PPP service.
Usage guidelines
You can assign multiple service types to a user.
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1] state block
Related commands
display local-user
user-group
Use user-group to create a user group and enter its view. Use undo user-group to delete a user group.
Syntax
user-group group-name
undo user-group group-name
Default
There is a user group named system in the system.
Views
System view
Predefined user roles
network-admin
Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.
Use undo accounting-on enable to restore the default.
Syntax
accounting-on enable [ interval seconds | send send-times ] *
undo accounting-on enable
Default
The accounting-on feature is disabled.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
interval seconds: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the seconds argument is 1 to 15, and the default setting is 3 seconds.
Default
Traffic is counted in bytes and packets.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
Examples
# Display the configuration of all RADIUS schemes.
display radius scheme
Total 1 RADIUS schemes
------------------------------------------------------------------
RADIUS Scheme Name : radius1
Index : 0
Primary Auth Server:
  IP : 2.2.2.2    Port: 1812    State: Active
  VPN : vpn1
Primary Acct Server:
  IP : 1.1.1.1    Port: 1813    State: Active
  VPN : Not configured
Second Auth Server:
  IP : 2.2.2.2    Port: 1812    State: Block
  VPN : vpn1
Second Acct Server:
  IP : 1.1.1.    Port: 1813    State: Block
Field | Description
IP | IP address of the server. If no server is configured, this field displays Not configured.
Port | Service port number of the server. If no port number is specified, this field displays the default port number.
State | Status of the server: active or blocked.
VPN | VPN to which the server belongs. If no VPN is specified for the server, this field displays Not configured.
Server: n | Member ID of the security policy server.
IP | IP address of the security policy server.
Predefined user roles
network-admin
network-operator
Examples
# Display RADIUS packet statistics.
display radius statistics
Auth. Acct. SessCtrl.
Field | Description
Check Failures | Number of packets with checksum errors.
Related commands
reset radius statistics
key (RADIUS scheme view)
Use key to set the shared key for secure RADIUS communication. Use undo key to restore the default.
Syntax
key { accounting | authentication } { cipher | simple } string
undo key { accounting | authentication }
Default
No shared key is configured.
Examples
# For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting simple ok
Related commands
display radius scheme
nas-ip (RADIUS scheme view)
Use nas-ip to specify a source IP address for outgoing RADIUS packets. Use undo nas-ip to delete a source IP address for outgoing RADIUS packets.
A RADIUS scheme can have only one source IP address for outgoing RADIUS packets. If you specify a new source IP address for the same RADIUS scheme, the new address overwrites the old one.
Examples
# Set the source IP address for outgoing RADIUS packets to 10.1.1.1.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] nas-ip 10.1.1.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS accounting server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of the primary RADIUS accounting server are the same as those configured on the server.
Default
No primary RADIUS authentication server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.
ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication server.
port-number: Specifies the service port number of the primary RADIUS authentication server, a UDP port number in the range of 1 to 65535. The default setting is 1812.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key simple 123456TESTauth&!
Related commands
• display radius scheme
• key (RADIUS scheme view)
• secondary authentication (RADIUS scheme view)
• vpn-instance (RADIUS scheme view)
radius nas-ip
Use radius nas-ip to specify a source address for outgoing RADIUS packets. Use undo radius nas-ip to delete a source address for outgoing RADIUS packets.
specified public-network source IP address overwrites the previous one. Each VPN can have at most one private-network source IPv4 address and one private-network source IPv6 address. The setting configured by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas that configured by the radius nas-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence over the setting in system view.
Default
No RADIUS scheme is defined.
Views
System view
Predefined user roles
network-admin
Parameters
radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A RADIUS scheme can be referenced by more than one ISP domain at the same time. The device supports at most 16 RADIUS schemes.
Examples
# Create a RADIUS scheme named radius1 and enter its view.
Syntax
retry retry-times
undo retry
Default
The maximum number of RADIUS packet transmission attempts is 3.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
retry-times: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.
Usage guidelines
Because RADIUS uses UDP packets to transmit data, the communication is not reliable.
Predefined user roles
network-admin
Parameters
retry-times: Specifies the maximum number of accounting attempts, in the range of 1 to 255.
Usage guidelines
Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer. If it does not receive a real-time accounting request for a user from the NAS within the timeout period, it assumes that a line or device failure has occurred and stops accounting for the user.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS accounting server.
port-number: Specifies the service port number of the secondary RADIUS accounting server, a UDP port number in the range of 1 to 65535. The default setting is 1813.
Examples
# For RADIUS scheme radius1, specify a secondary accounting server with the IP address 10.110.1.1 and the UDP port 1813.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813
# For RADIUS scheme radius2, specify two secondary accounting servers with the server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1813.
system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary accounting 10.
• In non-FIPS mode, the key is a string of 1 to 117 characters.
• In FIPS mode, the key is a string of 15 to 117 characters.
simple string: Sets a plaintext shared key. The string argument is case sensitive.
• In non-FIPS mode, the key is a string of 1 to 64 characters.
• In FIPS mode, the key is a string of 15 to 64 characters that must contain digits, uppercase letters, lowercase letters, and special characters.
• primary authentication (RADIUS scheme view)
• vpn-instance (RADIUS scheme view)
security-policy-server
Use security-policy-server to specify a security policy server. Use undo security-policy-server to remove a security policy server.
Syntax
security-policy-server { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
undo security-policy-server { { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] | all }
Default
No security policy server is specified.
Default
The primary RADIUS server specified for a RADIUS scheme is in active state.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
accounting: Sets the status of the primary RADIUS accounting server.
authentication: Sets the status of the primary RADIUS authentication server.
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Predefined user roles
network-admin
Parameters
accounting: Sets the status of a secondary RADIUS accounting server.
authentication: Sets the status of a secondary RADIUS authentication server.
ip-address: Specifies the IPv4 address of a secondary RADIUS server.
port-number: Service port number of a secondary RADIUS server, a UDP port number in the range of 1 to 65535. The default port number of a secondary accounting server is 1813 and that of a secondary authentication server is 1812.
Default
The server quiet period is 5 minutes.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.
Usage guidelines
Make sure the server quiet timer is set correctly. Too short a quiet timer might result in frequent authentication or accounting failures because the device keeps attempting to communicate with an unreachable server that is in active state.
RADIUS accounting server at the real-time accounting interval configured on the server (if any) or does not send online user accounting information. Consider the performance of the NAS and the RADIUS server when you set the real-time accounting interval. A short interval helps improve accounting precision but requires many system resources.
Examples
# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer response-timeout 5
Related commands
• display radius scheme
• retry
user-name-format (RADIUS scheme view)
Use user-name-format to specify the format of the username to be sent to a RADIUS server. Use undo user-name-format to restore the default.
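The retry, timer response-timeout, timer quiet and server state settings described in the preceding sections interact whenever the NAS walks a scheme's server list; the Python model below is an added illustration and is not HP code or behaviour verified against the MSR. It assumes the NAS tries the primary server first and then the secondary servers in configured order, that a server which exhausts retry-times attempts is placed in blocked state for the quiet period, and that the response timeout default is 3 seconds; the 10.110.1.x addresses are the sample values used in this reference.

```python
"""Model of how a NAS walks a RADIUS scheme's server list under the retry,
timer response-timeout, timer quiet and state settings.

Added illustration, not HP code. Assumed behaviour (not verified against the
device): primary first, then secondary servers in configured order; a server
that exhausts retry-times attempts without a response is placed in blocked
state for the quiet period and skipped until the quiet timer expires.
Time is simulated; no packets are sent.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class RadiusServer:
    ip: str
    port: int = 1812            # authentication port; accounting defaults to 1813
    state: str = "active"       # "active" or "block", as shown by display radius scheme
    blocked_until: float = 0.0  # simulated time (s) at which the quiet period ends


@dataclass
class RadiusScheme:
    name: str
    servers: List[RadiusServer]     # primary first, then secondary servers
    retry: int = 3                  # retry retry-times, default 3
    response_timeout: float = 3.0   # timer response-timeout in seconds (assumed default)
    quiet_minutes: float = 5.0      # timer quiet, default 5 minutes


@dataclass
class AuthAttempt:
    server: Optional[str]           # IP of the server that answered, None if none did
    elapsed: float                  # simulated seconds spent before answer or failure
    tried: List[str] = field(default_factory=list)


def per_server_wait(scheme: RadiusScheme) -> float:
    """Seconds spent on one unresponsive server: every attempt waits a full
    response timeout, and retry-times attempts are made."""
    return scheme.retry * scheme.response_timeout


def worst_case_wait(scheme: RadiusScheme) -> float:
    """Longest a login can hang before the scheme is declared invalid and the
    ISP domain falls back to its next method (for example local)."""
    return len(scheme.servers) * per_server_wait(scheme)


def authenticate(scheme: RadiusScheme, now: float,
                 reachable: Callable[[str], bool]) -> AuthAttempt:
    """Walk the server list once at simulated time `now`.

    `reachable(ip)` stands in for the network: True means the server answers
    within the response timeout, False means every attempt times out.
    """
    elapsed = 0.0
    tried: List[str] = []
    for srv in scheme.servers:
        if srv.state == "block":
            if now + elapsed < srv.blocked_until:
                continue                 # still quiet: skip without sending anything
            srv.state = "active"         # quiet timer expired: probe it again
        tried.append(srv.ip)
        if reachable(srv.ip):
            return AuthAttempt(srv.ip, elapsed, tried)
        # No response after retry-times attempts: block the server for the quiet period.
        elapsed += per_server_wait(scheme)
        srv.state = "block"
        srv.blocked_until = now + elapsed + scheme.quiet_minutes * 60
    return AuthAttempt(None, elapsed, tried)


def demo_scheme() -> RadiusScheme:
    """Constructed sample scheme using the addresses quoted in this reference."""
    return RadiusScheme("radius1",
                        [RadiusServer("10.110.1.1"), RadiusServer("10.110.1.2")])


if __name__ == "__main__":
    scheme = demo_scheme()
    # Primary unreachable, secondary alive: the login succeeds only after
    # 3 attempts x 3 s on the primary, and the primary is then blocked for 5 min.
    first = authenticate(scheme, now=0, reachable=lambda ip: ip == "10.110.1.2")
    print(first)                         # server 10.110.1.2, elapsed 9.0
    print(worst_case_wait(scheme))       # 18.0 s before falling back to the next method
```

Raising retry or response-timeout lengthens the hang a user sees before the local backup method is tried, which is the trade-off the quiet timer guidance above is about.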
Examples
# Configure the device to remove the domain name from the username sent to the RADIUS servers specified in RADIUS scheme radius1.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] user-name-format without-domain
Related commands
display radius scheme
vpn-instance (RADIUS scheme view)
Use vpn-instance to specify a VPN for a RADIUS scheme. Use undo vpn-instance to remove the configuration.
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
Default
Traffic is counted in bytes and packets.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
statistics: Displays the HWTACACS service statistics. If this option is not specified, the command displays the configuration of the HWTACACS scheme.
Usage guidelines
If no HWTACACS scheme name is specified, the command displays the configuration of all HWTACACS schemes.
Examples
# Display the configuration of all HWTACACS schemes.
Field                 Description
Port                  Service port of the HWTACACS server. If no port configuration is performed, this field displays the default port number.
State                 Status of the HWTACACS server: active or blocked.
VPN Instance          MPLS L3VPN to which the HWTACACS server or scheme belongs. If no VPN is specified for the server or scheme, this field displays Not configured.
NAS IP Address        Source IP address for outgoing HWTACACS packets.
Server Quiet Period   Quiet period for the primary servers, in minutes.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IP address belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. To configure a public-network source IPv4 address, do not specify this option. Usage guidelines The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address.
You can configure up to 16 HWTACACS schemes.
Examples
# Create an HWTACACS scheme named hwt1 and enter its view.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1]
Related commands
display hwtacacs scheme
key (HWTACACS scheme view)
Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.
Use undo key to remove the configuration.
For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
Examples
# Set the shared key for secure HWTACACS authentication communication to 123456TESTauth&! in plain text for HWTACACS scheme hwt1.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!
# Set the shared key for secure HWTACACS authorization communication to 123456TESTauth&! in plain text.
the packet is the IP address of a managed NAS. If it is, the server processes the packet. If it is not, the server drops the packet. The setting configured by using the nas-ip command in HWTACACS scheme view is effective only for the HWTACACS scheme, whereas that configured by using the hwtacacs nas-ip command in system view is effective for all HWTACACS schemes. The setting in HWTACACS scheme view takes precedence over the setting in system view.
In non-FIPS mode, the shared key is a string of 1 to 255 characters. In FIPS mode, the shared key is a string of 15 to 255 characters that must contain digits, uppercase letters, lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS accounting server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Views HWTACACS scheme view Predefined user roles network-admin Parameters ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server. ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authentication server. port-number: Specifies the service port number of the primary HWTACACS authentication server, a TCP port number in the range of 1 to 65535. The default setting is 49.
Related commands
• display hwtacacs scheme
• key (HWTACACS scheme view)
• secondary authentication (HWTACACS scheme view)
• vpn-instance (HWTACACS scheme view)
primary authorization
Use primary authorization to specify the primary HWTACACS authorization server.
Use undo primary authorization to remove the configuration.
Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings. If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme. You can remove an authorization server only when it is not used for user authorization.
Related commands display hwtacacs scheme secondary accounting (HWTACACS scheme view) Use secondary accounting to specify a secondary HWTACACS accounting server. Use undo secondary accounting to remove a secondary HWTACACS accounting server.
(a secondary HWTACACS accounting server configured earlier has a higher priority) and tries to communicate with it. If you use the undo secondary accounting command without specifying any parameter, the command removes all secondary accounting servers. Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings. If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option.
Parameters ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authentication server. ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authentication server. port-number: Specifies the service port number of the secondary HWTACACS authentication server, a TCP port number in the range of 1 to 65535. The default setting is 49. key { cipher | simple } string: Sets the shared key for secure communication with the secondary HWTACACS authentication server.
Related commands
• display hwtacacs scheme
• key (HWTACACS scheme view)
• primary authentication (HWTACACS scheme view)
• vpn-instance (HWTACACS scheme view)
secondary authorization
Use secondary authorization to specify a secondary HWTACACS authorization server.
Use undo secondary authorization to remove a secondary HWTACACS authorization server.
Usage guidelines Make sure that the port number and shared key settings of the secondary HWTACACS authorization server are the same as those configured on the server. You can configure up to 16 secondary HWTACACS authorization servers for an HWTACACS scheme. With the configuration, if the primary server fails, the device looks for a secondary server in active state (a secondary HWTACACS authorization server configured earlier has a higher priority) and tries to communicate with it.
Predefined user roles
network-admin
Parameters
minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.
Examples
# Set the server quiet timer to 10 minutes.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer quiet 10
Related commands
display hwtacacs scheme
timer realtime-accounting (HWTACACS scheme view)
Use timer realtime-accounting to set the real-time accounting interval.
Use undo timer realtime-accounting to restore the default.
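The interaction between the server quiet timer and primary/secondary server selection, which the quiet-timer usage guidelines and the secondary server commands above describe in prose, as an added example that is not part of this command reference and not HP's code. It models the described behaviour in Python: a server that stops responding is set to blocked for the quiet period, and the device picks the first server in active state, primary first and then secondaries in configuration order. The class and function names are the example's own, and the minute-based clock is a simplification of the device's timers.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AaaServer:
    """One authentication/authorization/accounting server of a scheme."""
    name: str
    state: str = "active"                 # "active" or "blocked", as the display commands show it
    blocked_at: Optional[float] = None    # minute at which the server was set to blocked


class SchemeServerSelector:
    """Model (not the device's code) of server selection with a quiet timer.

    A server that fails is blocked for `quiet_minutes`; the device then tries
    the next server in active state: primary first, then secondaries in the
    order they were configured (earlier configured = higher priority).
    """

    def __init__(self, primary: AaaServer, secondaries: List[AaaServer], quiet_minutes: int = 5):
        if not 1 <= quiet_minutes <= 255:          # range of the timer quiet command
            raise ValueError("timer quiet accepts 1 to 255 minutes")
        self.servers = [primary] + list(secondaries)
        self.quiet_minutes = quiet_minutes

    def _expire_quiet_timers(self, now: float) -> None:
        # A blocked server returns to active once its quiet period has elapsed.
        for s in self.servers:
            if s.state == "blocked" and now - s.blocked_at >= self.quiet_minutes:
                s.state, s.blocked_at = "active", None

    def select(self, now: float) -> Optional[AaaServer]:
        """Return the server the device would contact at time `now`, or None if all are blocked."""
        self._expire_quiet_timers(now)
        for s in self.servers:
            if s.state == "active":
                return s
        return None

    def mark_unreachable(self, server: AaaServer, now: float) -> None:
        """Record a server that did not respond: it enters the quiet period."""
        server.state, server.blocked_at = "blocked", now


def simulate(quiet_minutes: int) -> List[str]:
    """Walk through one failover sequence and return the server chosen at each step."""
    primary = AaaServer("primary")
    secondaries = [AaaServer("secondary-1"), AaaServer("secondary-2")]
    sel = SchemeServerSelector(primary, secondaries, quiet_minutes)
    chosen = []
    s = sel.select(now=0)
    chosen.append(s.name)                 # primary is tried first
    sel.mark_unreachable(s, now=0)
    s = sel.select(now=0)
    chosen.append(s.name)                 # secondary configured earlier has priority
    sel.mark_unreachable(s, now=1)
    s = sel.select(now=1)
    chosen.append(s.name)                 # next active server
    s = sel.select(now=quiet_minutes)
    chosen.append(s.name)                 # primary is active again after its quiet period
    return chosen


if __name__ == "__main__":
    print("quiet 5:", simulate(5))
    print("quiet 1:", simulate(1))
```

Running `simulate(1)` shows the effect the quiet-timer guidelines warn about: with a one-minute quiet period the blocked primary is already retried at the third step, so an unreachable primary is contacted again almost immediately instead of the next secondary being used.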
Number of users     Real-time accounting interval
1000 or more        15 minutes or longer
Examples
# Set the real-time accounting interval to 51 minutes for HWTACACS scheme hwt1.
system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer realtime-accounting 51
Related commands
display hwtacacs scheme
timer response-timeout (HWTACACS scheme view)
Use timer response-timeout to set the HWTACACS server response timeout timer.
Use undo timer response-timeout to restore the default.
Use undo user-name-format to restore the default. Syntax user-name-format { keep-original | with-domain | without-domain } undo user-name-format Default The ISP domain name is included in the username. Views HWTACACS scheme view Predefined user roles network-admin Parameters keep-original: Sends the username to the HWTACACS server as it is entered. with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.
Default The HWTACACS scheme belongs to the public network. Views HWTACACS scheme view Predefined user roles network-admin Parameters vpn-instance-name: Name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters. Usage guidelines The VPN specified here takes effect for all servers in the HWTACACS scheme for which no VPN is specified. Examples # Specify VPN test for HWTACACS scheme hwt1.
802.1X commands The commands in this chapter are available only on the routers with Layer 2 Ethernet switching interface module installed. For more information about the Layer 2 Ethernet switching interface modules, see HP MSR Router Series Interface Module Guide. display dot1x Use display dot1x to display information about 802.1X.
Periodic reauthentication is disabled
The port is an authenticator
Authentication mode is Auto
Port access control type is MAC-based
802.
Field                                   Description
Handshake is disabled                   Specifies whether handshake is enabled on the port.
802.1X unicast-trigger is enabled       Specifies whether unicast trigger is enabled on the port.
Periodic reauthentication is disabled   Specifies whether periodic online user re-authentication is enabled on the port.
The port is an authenticator            Role of the port.
Authenticate mode is Auto               Authorization state of the port, which can be Force-Authorized, Auto, or Force-Unauthorized.
Predefined user roles
network-admin
Usage guidelines
802.1X must be enabled both globally and on the intended port. Otherwise, it does not function.
Examples
# Enable 802.1X globally.
system-view
[Sysname] dot1x
# Enable 802.1X on Ethernet 1/1.
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] dot1x
[Sysname-Ethernet1/1] quit
Related commands
display dot1x
dot1x authentication-method
Use dot1x authentication-method to specify an EAP message handling method.
authentication with the RADIUS server. In this mode the RADIUS server supports only MD5-Challenge EAP authentication, and "username+password" EAP authentication initiated by an iNode client.
• PAP transports usernames and passwords in plain text. The authentication method applies to scenarios that do not require high security. To use PAP, the client can be an HP iNode 802.1X client.
• CHAP transports the username in plaintext and the password in encrypted form over the network. It is more secure than PAP.
handshake attempts (set by the dot1x retry command) has been made, the network access device sets the user in the offline state.
Examples
# Enable the online user handshake function on Ethernet 1/1.
system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] dot1x handshake
Related commands
• display dot1x
• dot1x timer handshake-period
• dot1x retry
dot1x mandatory-domain
Use dot1x mandatory-domain to specify a mandatory 802.1X authentication domain on a port.
dot1x max-user Use dot1x max-user to set the maximum number of concurrent 802.1X users on a port. Use undo dot1x max-user to restore the default. Syntax dot1x max-user user-number undo dot1x max-user Default The maximum number of concurrent 802.1X users is 256 on a port. Views Layer 2 Ethernet interface view Predefined user roles network-admin Parameters user-number: Specifies the maximum number of concurrent 802.1X users on a port. The value range is 1 to 256.
Predefined user roles
network-admin
Usage guidelines
The multicast trigger function enables the device to act as the initiator and periodically multicast EAP-Request/Identity packets out of a port to detect 802.1X clients and trigger authentication. You can use the dot1x timer tx-period command to set the interval for sending multicast EAP-Request/Identity packets. Disable the multicast trigger in a wireless LAN. Wireless clients and the wireless module of the network access device can both initiate 802.
Usage guidelines
You can use this command to set the port authorization state to determine whether a client is granted access to the network.
Examples
# Set the authorization state of port Ethernet 1/1 to unauthorized-force.
system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] dot1x port-control unauthorized-force
Related commands
display dot1x
dot1x port-method
Use dot1x port-method to specify an access control method for the port.
Related commands display dot1x dot1x quiet-period Use dot1x quiet-period to enable the quiet timer. Use undo dot1x quiet-period to disable the timer. Syntax dot1x quiet-period undo dot1x quiet-period Default The quiet timer is disabled. Views System view Predefined user roles network-admin Usage guidelines When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client.
Views Layer 2 Ethernet interface view Predefined user roles network-admin Usage guidelines Periodic re-authentication enables the access device to periodically authenticate online 802.1X users on a port. This function tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile. You can use the dot1x timer reauth-period command to configure the interval for re-authentication. Examples # Enable the 802.
dot1x timer supp-timeout supp-timeout-value command for the EAP-Request MD5 Challenge packet), the device retransmits the authentication request. The network access device stops retransmitting the request if it has made the maximum number of request transmission attempts and still received no response.
Examples
# Set the maximum number of attempts for sending an authentication request to a client to 9.
tx-period tx-period-value: Sets the username request timeout timer in seconds. The value range for the tx-period-value argument is 10 to 120. Usage guidelines You can set the client timeout timer to a high value in a low-performance network, set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response, or adjust the server timeout timer to adapt to the performance of different authentication servers. In most cases, the default settings are sufficient.
Default The unicast trigger function is disabled. Views Layer 2 Ethernet interface view Predefined user roles network-admin Usage guidelines The unicast trigger function enables the network access device to initiate 802.1X authentication when it receives a data frame from an unknown source MAC address.
Related commands
display dot1x
MAC authentication commands The commands in this chapter are available only on the routers with Layer 2 Ethernet switching interface module installed. For more information about the Layer 2 Ethernet switching interface modules, see HP MSR Router Series Interface Module Guide. display mac-authentication Use display mac-authentication to display MAC authentication settings and statistics, including the global settings, port-specific settings, MAC authentication statistics, and online user statistics.
Max number of online users is 256
Current number of online users is 1
Current authentication domain: Not configured
MAC auth-delay period is 10s
Authentication attempts: successful 1, failed 0
MAC Addr        Auth state
00e0-fc12-3456  authenticated
Table 10 Command output
Field                           Description
MAC authentication is enabled   Indicates whether MAC authentication is enabled globally.
User account type: MAC-based or shared.
Field                           Description
Current authentication domain   MAC authentication domain specified for the port.
MAC auth-delay                  Status of MAC authentication delay:
                                • If MAC authentication delay is disabled, this field displays MAC auth-delay is disabled.
                                • If MAC authentication delay is enabled, this field displays the MAC authentication delay period in seconds.
mac-authentication domain Use mac-authentication domain to specify a global authentication domain in system view or a port-specific authentication domain in Layer 2 Ethernet interface view for MAC authentication users. Use undo mac-authentication domain to restore the default. Syntax mac-authentication domain domain-name undo mac-authentication domain Default No authentication domain is specified for MAC authentication users. The system default authentication domain is used.
Syntax mac-authentication max-user user-number undo mac-authentication max-user Default The maximum number of concurrent MAC authentication users on a port is 256. Views Layer 2 Ethernet interface view Predefined user roles network-admin Parameters user-number: Sets the maximum number of concurrent MAC authentication users on the port. The value range for this argument is 1 to 256. Examples # Configure port Ethernet 1/1 to support up to 32 concurrent MAC authentication users.
Usage guidelines
MAC authentication uses the following timers:
• Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle. If the device receives no traffic from a user within the interval, it logs the user out and stops accounting for the user.
• Quiet timer—Sets the interval that the device must wait before it can perform MAC authentication for a user who has failed MAC authentication.
Do not set the port security mode to mac-else-userlogin-secure or mac-else-userlogin-secure-ext when you want to use MAC authentication delay. The delay does not take effect on a port in either of the two modes. For more information about port security modes, see "Port security commands." Examples # Enable MAC authentication delay on interface Ethernet 1/1 and set the delay time to 10 seconds.
• without-hyphen—Excludes hyphens from the MAC address, for example, xxxxxxxxxxxx.
• lowercase—Enters letters in lower case.
• uppercase—Enters letters in upper case.
Usage guidelines
If you specify the MAC-based user account, the device uses the MAC address of a user as the username and password for MAC authentication of the user.
reset mac-authentication statistics interface ethernet 1/1
Related commands
display mac-authentication
Password control commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display password-control Use display password-control to display password control configuration.
Password composition: Enabled (1 types, 1 characters per type)
Table 11 Command output
Field                  Description
Password control       Whether the password control feature is enabled.
Password aging         Whether password expiration is enabled and, if enabled, the expiration time.
Password length        Whether the minimum password length restriction function is enabled and, if enabled, the setting.
Password composition   Whether the password composition restriction function is enabled and, if enabled, the settings.
ip ipv4-address: Specifies the IPv4 address of a user. ipv6 ipv6-address: Specifies the IPv6 address of a user. Usage guidelines With no arguments provided, this command displays information about all users in the password control blacklist. If an FTP or virtual terminal line (VTY) user fails authentication, the system adds the user to a password control blacklist. You can use this command to view information about these users in the blacklist.
Views System view Predefined user roles network-admin Parameters aging: Enables the password expiration function. composition: Enables the password composition restriction function. history: Enables the password history function. length: Enables the minimum password length restriction function. Usage guidelines To enable a specific password control function, first enable the global password control feature.
Syntax password-control aging aging-time undo password-control aging Default A password expires after 90 days. The password expiration time of a user group equals the global setting, and the password expiration time of a local user equals that of the user group to which the local user belongs. Views System view, user group view, local user view Predefined user roles network-admin Parameters aging-time: Specifies the password expiration time in days in the range of 1 to 365.
password-control alert-before-expire Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration. Use undo password-control alert-before-expire to restore the default. Syntax password-control alert-before-expire alert-time undo password-control alert-before-expire Default The default is 7 days.
Views System view, user group view, local user view Predefined user roles network-admin Parameters same-character: Refuses a password that contains any character repeated consecutively three or more times. For example, the password aaabc is not complex enough. user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough.
In FIPS mode, the password using the global composition policy must contain at least four character types and at least one character for each type. In both non-FIPS and FIPS modes, the password composition policy for a user group is the same as the global policy, and the password composition policy for a local user is the same as that of the user group to which the local user belongs.
Usage guidelines
The password composition policy depends on the view:
• The policy in system view has global significance and applies to all user groups.
• The policy in user group view applies to all local users in the user group.
• The policy in local user view applies only to the local user.
A password composition policy with a smaller application scope has higher priority. The system prefers to use the password composition policy in local user view for a local user.
Views System view Predefined user roles network-admin Usage guidelines A specific password control function takes effect only after the global password control feature is enabled. After the global password control feature is enabled, you cannot display the password and super password configurations for device management users by using the corresponding display commands. However, the configuration for network access user passwords can be displayed.
Usage guidelines
This command is effective only on non-FTP login users. An FTP user cannot continue to log in after its password expires.
Examples
# Specify that a user can log in five times within 60 days after the password expires.
system-view
[Sysname] password-control expired-user-login delay 60 times 5
Related commands
display password-control
password-control history
Use password-control history to set the maximum number of history password records for each user.
• reset password-control blacklist password-control length Use password-control length to set the minimum password length. Use undo password-control length to restore the default. Syntax password-control length length undo password-control length Default In non-FIPS mode, the global minimum password length is 10 characters. In FIPS mode, the global minimum password length is 15 characters.
[Sysname-ugroup-test] quit
# Set the minimum password length to 16 characters for device management user abc.
[Sysname] local-user abc class manage
[Sysname-luser-manage-abc] password-control length 16
Related commands
• display local-user
• display password-control
• display user-group
• password-control length enable
password-control login idle-time
Use password-control login idle-time to set the maximum account idle time.
password-control login-attempt Use password-control login-attempt to specify the maximum number of consecutive failed login attempts and the action to be taken when a user fails to log in after the specified number of attempts. Use undo password-control login-attempt to restore the default.
If an FTP or virtual terminal line (VTY) user fails authentication, the system adds the user to a password control blacklist. If a user fails to provide the correct password after the specified number of consecutive attempts, the system takes one of the following actions: • If prohibited permanently, the user can log in only after you remove the username from the password control blacklist by using the reset password-control blacklist command.
• reset password-control blacklist password-control super aging Use password-control super aging to set the expiration time for super passwords. Use undo password-control super aging to restore the default. Syntax password-control super aging aging-time undo password-control super aging Default A super password expires after 90 days. Views System view Predefined user roles network-admin Parameters aging-time: Specifies the super password expiration time in days in the range of 1 to 365.
Predefined user roles network-admin Parameters type-number type-number: Specifies the minimum number of character types that a super password must contain. The value range for the type-number argument is 1 to 4 in non-FIPS mode and fixed at 4 in FIPS mode. type-length type-length: Specifies the minimum number of characters for each character type. The value range for the type-length argument is 1 to 64 in non-FIPS mode, and 1 to 15 in FIPS mode.
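The checks described by the password-control complexity, composition, and length commands above (a password rejected when a character repeats three or more times in a row, when it contains the username or its reverse, when it is shorter than the minimum length, or when it contains fewer than type-number character types with at least type-length characters each) as an added worked example. This is not the device's code and not part of the command reference; it is a Python model of those rules. The character-type sets (uppercase, lowercase, digits, special characters) follow the types the page names, but the exact special-character set, the class and method names, and the choice of which complexity checks are on by default are assumptions of this example.

```python
import string
from typing import List, Optional

# The four character types the composition check counts. The page names digits,
# uppercase letters, lowercase letters and special characters; treating ASCII
# punctuation as "special" is an assumption of this example.
CHARACTER_TYPES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def _has_run_of(s: str, n: int) -> bool:
    """True if any character occurs n or more times consecutively (e.g. 'aaabc' for n=3)."""
    run = 1
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        if run >= n:
            return True
    return False


class PasswordPolicy:
    """Model of the password control settings; defaults follow the non-FIPS values on the page
    (minimum length 10, composition 1 type with 1 character per type). Whether the complexity
    checks are enabled by default is not stated on the page, so they are opt-in here."""

    def __init__(self, min_length: int = 10, type_number: int = 1, type_length: int = 1,
                 check_same_character: bool = False, check_user_name: bool = False):
        self.min_length = min_length
        self.type_number = type_number
        self.type_length = type_length
        self.check_same_character = check_same_character
        self.check_user_name = check_user_name

    @classmethod
    def fips(cls, **complexity) -> "PasswordPolicy":
        # FIPS mode per the page: 15-character minimum, four types, at least one character each.
        return cls(min_length=15, type_number=4, type_length=1, **complexity)

    def check(self, password: str, username: Optional[str] = None) -> List[str]:
        """Return the list of violated rules; an empty list means the password is accepted."""
        violations = []
        if len(password) < self.min_length:
            violations.append("length")
        # A type counts as present only if it contributes at least type_length characters.
        types_present = sum(
            1 for chars in CHARACTER_TYPES.values()
            if sum(c in chars for c in password) >= self.type_length
        )
        if types_present < self.type_number:
            violations.append("composition")
        if self.check_same_character and _has_run_of(password, 3):
            violations.append("same-character")
        if self.check_user_name and username:
            if username in password or username[::-1] in password:
                violations.append("user-name")
        return violations


if __name__ == "__main__":
    strict = PasswordPolicy(check_same_character=True, check_user_name=True)
    for pw, user in [("aaabcdefghij", None), ("xyzabc123qwert", "123"), ("321dfghijklmn", "123")]:
        print(pw, "->", strict.check(pw, user) or "accepted")
    print("FIPS:", PasswordPolicy.fips().check("Abcdefghijklm1!") or "accepted")
```

The returned list names every rule that failed rather than stopping at the first one, which is the form a practitioner wants when validating a candidate policy against a batch of existing credentials before enabling it on the device.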
[Sysname] password-control super length 16 Related commands • display password-control • password-control length password-control update-interval Use password-control update-interval to set the minimum password update interval, which is the minimum interval at which users can change their passwords. Use undo password-control update-interval to restore the default.
Predefined user roles network-admin Parameters user-name name: Specifies the user to be removed from the password control blacklist. The name argument is the username, a case-sensitive string of 1 to 55 characters. Usage guidelines For a user blacklisted due to excessive login attempts, you can use this command to remove the user from the password control blacklist and allow the user to log in again. Examples # Remove the user named test from the password control blacklist.
Public key management commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Use display public-key local public to display local public keys.
Key name: serverkey (default)
Key type: RSA
Time when key pair created: 15:40:48 2011/05/12
Key code:
307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442
762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64
DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E
9D85C13413996ECD093B0203010001
=============================================
Key name: rsa1
Key type: RSA
Time when key pair created: 15:42:26 2011/05/12
Key code:
30819F300D06092A86488
308201B83082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD
96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E
DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D
DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038
7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1
4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD
35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B0202170
display public-key peer Use display public-key peer to display information about peer public keys. Syntax display public-key peer [ brief | name publickey-name ] Views Any view Predefined user roles network-admin network-operator Parameters brief: Displays brief information about all peer public keys. The brief information includes only the key type, key modulus, and key name. name publickey-name: Displays detailed information about a peer public key, including its key code.
Field      Description
Key code   Public key string.
# Display brief information about all peer public keys.
display public-key peer brief
Type   Modulus   Name
--------------------------
RSA    1024      idrsa
DSA    1024      10.1.1.1
Table 16 Command output
Field     Description
Type      Key type: RSA, DSA or ECDSA.
Modulus   Key modulus length in bits.
Name      Name of the peer public key.
[Sysname-pkey-public-key-key1]30819F300D06092A864886F70D010101050003818D0030818902818100C0EC8014F82515F6335A0A
[Sysname-pkey-public-key-key1]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D1643135877E13B1C531B4
[Sysname-pkey-public-key-key1]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80EB5F52698FCF3D6
[Sysname-pkey-public-key-key1]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE675AC30CB020301
[Sysname-pkey-public-key-key1]0001
[Sysname-pkey-public-key-key1
Usage guidelines The key algorithm must be the same as required by the security application. The key modulus length must be appropriate (see Table 18). The longer the key modulus length, the higher the security, and the longer the key generation time. If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default. You can also assign the default name to another key pair, but the system does not mark the key pair as default.
..++++++++
....++++++++
Create the key pair successfully.
# Create a local DSA key pair with the default name.
system-view
[Sysname] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+..+................
....
........................+........+..........+..............+.....+...+..........
..............+.........+..........+...........+........+....+..................
.....+++++++++++++++++++++++++++++++++++++++++++++++++++*
Create the key pair successfully.
# Create a local ECDSA key pair with the name ecdsa1.
system-view
[Sysname] public-key local create ecdsa name ecdsa1
Generating Keys...
Create the key pair successfully.
# Create a local RSA key pair with the default name in FIPS mode.
Views System view Predefined user roles network-admin Parameters dsa: Specifies the DSA type. ecdsa: Specifies the ECDSA type. rsa: Specifies the RSA type. name key-name: Specifies the name of a local key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is specified, the command destroys the specified type of local key pairs that take the default names.
Related commands public-key local create public-key local export dsa Use public-key local export dsa to display local DSA host public keys in a specific format, or export the key in a specific format to a file. Syntax public-key local export dsa [ name key-name ] { openssh | ssh2 } [ filename ] Views System view Predefined user roles network-admin Parameters name key-name: Specifies the name of a local DSA key pair.
system-view
[Sysname] public-key local export dsa openssh key.pub
# Display the host public key of the local DSA key pair with the default name in SSH2.0 format.
bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACBAKHkVsjaKtG7g7G98 qGmtaboNkK0YEAkRdp+QDZxX0aPdmVeEU1GC3ES9XFD7gIK70pb+tB7dA+8scZNqKK85hkoNCFEXux3088NEY ZullatZRH0km+DdpZ7CrcV+ft7UUvBF0FV3W4HOx/LOidJ5sX+qBAD4WcpSX0OrZEF4+dq dsa-key Related commands • public-key local create • public-key peer import sshkey public-key local export rsa Use public-key local export rsa to display the local RSA host public key in a specific format, or export the key to a specific file.
Use the public-key local export rsa [ name key-name ] { openssh | ssh2 } filename command to export the host public key to the file. You cannot export the host public key to the folder pkey or its subfolders.
2. Transfer a copy of the file to the peer device, for example, by using FTP or TFTP in binary mode.
3. On the peer device, use the public-key peer import sshkey command to import the host public key from the file.
SSH1.5, SSH2.0, and OpenSSH are different public key formats.
q2olqoagn5YDyUC8ZJvUhlyMOHeORpkAVxD3XncTp4XG66h3rTHHa7Xmm7f1GDYlF0n05t8mCLVaupbfCzP8b a8UkrUmMO4fUvW6zavA5LYxtlAiQv0KQ== rsa-key Related commands • public-key local create • public-key peer import sshkey public-key peer Use public-key peer to specify a name for a peer public key and enter public key view. Use undo public-key peer to delete a peer public key. Syntax public-key peer keyname undo public-key peer keyname Default The local device has no peer public key.
public-key peer import sshkey Use public-key peer import sshkey to import a peer host public key from the public key file. Use undo public-key peer to remove the specified peer host public key. Syntax public-key peer keyname import sshkey filename undo public-key peer keyname Default The device has no peer public key. Views System view Predefined user roles network-admin Parameters keyname: Specifies a name for a peer public key, a case-sensitive string of 1 to 64 characters.
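The export, transfer and import procedure above is only as trustworthy as the operator's comparison of the host public key on both devices, because a key substituted in transit is imported just as readily as the genuine one. The following Python script is an added example, not part of the HP documentation or the device software: it parses an OpenSSH-format RSA public key line of the kind written by public-key local export rsa openssh, decodes the SSH wire-format blob (type string, exponent and modulus as length-prefixed fields), and computes the key's MD5 and SHA256 fingerprints so that the same values can be checked on the peer before public-key peer import sshkey. SAMPLE_E and SAMPLE_N are constructed values, not a real router key.

```python
"""Parse an OpenSSH-format RSA host public key (the format written by
'public-key local export rsa openssh') and compute the fingerprints an
operator can compare on both devices before 'public-key peer import sshkey'.

Added example, not HP code. SAMPLE_E / SAMPLE_N are CONSTRUCTED values
(not a real RSA modulus) so the script runs offline.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire-format mpint: big-endian, with a leading 0x00 when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_openssh_rsa(e: int, n: int, comment: str = "") -> str:
    """Build the one-line 'ssh-rsa <base64 blob> [comment]' form."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def parse_openssh_rsa(line: str) -> dict:
    """Decode the line and split the blob into its three length-prefixed fields."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an OpenSSH ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return {
        "keytype": "ssh-rsa",
        "e": int.from_bytes(fields[1], "big"),
        "n": int.from_bytes(fields[2], "big"),
        "blob": blob,
        "comment": parts[2] if len(parts) == 3 else "",
    }


def fingerprints(blob: bytes) -> dict:
    """MD5 (colon-separated) and SHA256 (base64, OpenSSH style) of the raw key blob."""
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha256}


# CONSTRUCTED sample: 65537 and an arbitrary 160-bit integer with the top bit set,
# which exercises the leading-0x00 rule of the mpint encoding.
SAMPLE_E = 65537
SAMPLE_N = 0xD4B5E6F70819A2B3C4D5E6F708192A3B4C5D6E7F
SAMPLE_KEY = encode_openssh_rsa(SAMPLE_E, SAMPLE_N, "rsa-key")

if __name__ == "__main__":
    key = parse_openssh_rsa(SAMPLE_KEY)
    print(SAMPLE_KEY)
    print("modulus bits:", key["n"].bit_length(), "exponent:", key["e"])
    for name, fp in fingerprints(key["blob"]).items():
        print(name, fp)
```

Run it against the exported file instead of SAMPLE_KEY by reading the single line the device wrote; the MD5 form matches what older ssh-keygen -l prints and the SHA256 form matches current OpenSSH, so either can be compared over the phone or a separate channel before the import.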
PKI commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. attribute Use attribute to configure an attribute rule for certificate issuer name, subject name, or alternative subject name. Use undo attribute to remove an attribute rule.
• Each of the subject name and the issuer name can contain only one DN, but can contain multiple FQDNs and IP addresses. • The alternative subject name cannot contain the DN, but can contain multiple FQDNs and IP addresses. Different combinations of attribute fields and operation keywords make different matching criteria, as listed in Table 19. Table 19 Combinations of attribute fields and operation keywords Operation DN FQDN/IP ctn The DN contains the specified attribute value.
Syntax ca identifier name undo ca identifier Default No trusted CA is specified. Views PKI domain view Predefined user roles network-admin Parameters name: Specifies the name of the trusted CA, a case-sensitive string of 1 to 63 characters. Usage guidelines To obtain a CA certificate, you must specify the trusted CA name. The trusted CA name is carried in SCEP messages and is typically ignored by the CA server.
Usage guidelines A PKI entity describes the identity attributes of an entity for certificate request, including the common name, the organization, the unit in the organization, the locality, the state and country where the entity resides, FQDN, and IP address. You can specify only one PKI entity for a PKI domain. If you configure this command for a PKI domain multiple times, the most recent configuration takes effect. Examples # Specify the PKI entity for certificate request as en1.
certificate request mode Use certificate request mode to set the certificate request mode. Use undo certificate request mode to restore the default. Syntax certificate request mode { auto [ password { cipher | simple } password ] | manual } undo certificate request mode Default The certificate request mode is manual. Views PKI domain view Predefined user roles network-admin Parameters auto: Specifies the certificate request mode as auto. password: Specifies a password for certificate revocation.
[Sysname-pki-domain-aaa] certificate request mode auto password simple 123456 Related commands pki request-certificate certificate request polling Use certificate request polling to set the polling interval and the maximum number of attempts for querying certificate request status. Use undo certificate request polling to restore the defaults.
certificate request url Use certificate request url to specify the URL of the registration server for certificate request through the SCEP protocol. Use undo certificate request url to remove the configuration. Syntax certificate request url url-string [ vpn-instance vpn-instance-name ] undo certificate request url Default The URL of the registration server is not specified.
Use undo common-name to remove the configuration. Syntax common-name common-name-string undo common-name Default No common name is set for a PKI entity. Views PKI entity view Predefined user roles network-admin Parameters common-name-string: Specifies a common name, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set the username of the PKI entity as the common name. Examples # Set test as the common name of the PKI entity en.
[Sysname-pki-entity-en] country CN crl check Use crl check enable to enable CRL checking. Use undo crl check enable to disable CRL checking. Syntax crl check enable undo crl check enable Default CRL checking is enabled. Views PKI domain view Predefined user roles network-admin Usage guidelines A CRL is a file issued by a CA to publish all certificates that have been revoked. Revocation of a certificate might occur before the certificate expires.
Views PKI domain view Predefined user roles network-admin Parameters url-string: Specifies the URL of the CRL repository, a case-sensitive string of 1 to 511 characters in the format of ldap://server_location or http://server_location, where server_location can be an IP address or a domain name. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the CRL repository belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
Views Any view Predefined user roles network-admin network-operator mdc-operator Parameters policy-name: Specifies the name of a certificate access control policy, a case-insensitive string of 1 to 31 characters. Usage guidelines If no policy name is specified, this command displays information about all certificate access control policies. Examples # Display information about the certificate access control policy mypolicy.
display pki certificate attribute-group Use display pki certificate attribute-group to display information about certificate attribute groups. Syntax display pki certificate attribute-group [ group-name ] Views Any view Predefined user roles network-admin network-operator Parameters group-name: Specifies the name of a certificate attribute group, a case-insensitive string of 1 to 31 characters.
Related commands • attribute • pki certificate attribute-group display pki certificate domain Use display pki certificate domain to display information about certificates. Syntax display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] } Views Any view Predefined user roles network-admin network-operator Parameters domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters.
Validity Not Before: Jan 6 02:51:41 2011 GMT Not After : Dec 7 03:12:05 2013 GMT Subject: C=cn, O=ccc, OU=ppp, CN=rootca Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:c4:fd:97:2c:51:36:df:4c:ea:e8:c8:70:66:f0: 28:98:ec:5a:ee:d7:35:af:86:c4:49:76:6e:dd:40: 4a:9e:8d:c0:cb:d9:10:9b:61:eb:0c:e0:22:ce:f6: 57:7c:bb:bb:1b:1d:b6:81:ad:90:77:3d:25:21:e6: 7e:11:0a:d8:1d:3c:8e:a4:17:1e:8c:38:da:97:f6: 6d:be:09:e3:5f:21:c5:a0:6f:27:4b:e3:fb:9f:cd: c1:91:18:ff:16:ee:
12:a4:30:ad:ae:72:57:a7:ba:fb:bc:ac:20:8a:21: 46:ea:e8:93:55:f3:41:49:e9:9d:cc:ec:76:13:fd: a5:8d:cb:5b:45:08:b7:d1:c5:b5:58:89:47:ce:12: bd:5c:ce:b6:17:2f:e0:fc:c0:3e:b7:c4:99:31:5b: 8a:f0:ea:02:fd:2d:44:7a:67 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin Netscape
cb:af:e3:02:d1:b6:59:5f:95:52:6d:00:00:a0:cb:75:cf:b4: 50:c5:50:00:65:f4:7d:69:cc:2d:68:a4:13:5c:ef:75:aa:8f: 3f:ca:fa:eb:4d:d5:5d:27:db:46:c7:f4:7d:3a:b2:fb:a7:c9: de:18:9d:c1 # Display brief information about all peer certificates in the PKI domain aaa. display pki certificate domain aaa peer Total peer certificates: 1 Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7 Subject Name: CN=sldsslserver # Display detailed information about a specific peer certificate in the PKI domain aaa.
DNS:docm.com X509v3 Subject Key Identifier: 3C:76:95:9B:DD:C2:7F:5F:98:83:B7:C7:A0:F8:99:1E:4B:D7:2F:26 X509v3 CRL Distribution Points: Full Name: URI:http://s03130.ccc.hp.com:447/ssl.
Status: Pending Key usage: General Remain polling attempts: 10 Next polling attempt after : 1191 seconds # Display certificate request statuses for all PKI domains.
Views Any view Predefined user roles network-admin network-operator Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), backslash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe ('). Usage guidelines Use this command to check whether a certificate has been revoked.
52:d0:6f:5c:09:59:15:be:b8:68:65:0c:5d:1b:a1:f8:42:04:ba:aa
Table 23 Command output
Field | Description
Version | CRL version number.
Signature Algorithm | Signature algorithm used by the CA to sign the CRL.
Issuer | Name of the CA that issues the CRL.
Last Update | Last CRL update time.
Next Update | Next CRL update time.
X509v3 Authority Key Identifier | X509v3 ID of the CA that issues the CRL.
keyid | Key ID. One CA might have multiple key pairs. This field identifies the key pair used to sign the CRL.
[Sysname] pki entity en [Sysname-pki-entity-en] fqdn abc@pki.domain.com ip Use ip to configure the IP address for a PKI entity. Use undo ip to remove the configuration. Syntax ip { ip-address | interface interface-type interface-number } undo ip Default No IP address is configured for a PKI entity. Views PKI entity view Predefined user roles network-admin Parameters ip-address: Configures an IPv4 address.
Views PKI domain view Predefined user roles network-admin Parameters host host-name: Specifies the host name of an LDAP server, a case-sensitive string of 1 to 255 characters. It can be an IPv4 or IPv6 address or a domain name. port port-number: Specifies the port number of an LDAP server, in the range of 1 to 65535. The default setting is 389.
Default No locality is set for a PKI entity. Views PKI entity view Predefined user roles network-admin Parameters locality-name: Specifies a locality, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set a city name as the locality. Examples # Set Beijing as the locality of the PKI entity en. system-view [Sysname] pki entity en [Sysname-pki-entity-en] locality BeiJing organization Use organization to set the organization name for a PKI entity.
Use undo organization-unit to remove the configuration. Syntax organization-unit org-unit-name undo organization-unit Default No organization unit name is set for a PKI entity. Views PKI entity view Predefined user roles network-admin Parameters org-unit-name: Sets an organization unit name for identifying a department or a unit in an organization, a case-sensitive string of 1 to 63 characters. No comma can be included. Examples # Set rdtest as the organization unit name for the PKI entity en.
[Sysname] pki abort-certificate-request domain 1 The certificate request is in process. Confirm to abort it? [Y/N]:y Related commands • display pki certificate request-status • pki request-certificate domain pki certificate access-control-policy Use pki certificate access-control-policy to create a certificate access control policy and enter its view. Use undo pki certificate access-control-policy to remove a specified certificate access control policy.
undo pki certificate attribute-group group-name Default No certificate attribute group exists. Views System view Predefined user roles network-admin Parameters group-name: Specifies a group name, a case-insensitive string of 1 to 31 characters. Usage guidelines A certificate attribute group is a set of attribute rules (defined by using the attribute command). Each attribute rule defines a matching criterion for the issuer names, subject names, and alternative subject names of certificates.
peer: Specifies the peer certificates. serial serial-num: Specifies the serial number of a peer certificate. The serial-num argument is a case-insensitive string of 1 to 127 characters and uniquely identifies a peer certificate among the certificates issued by a CA. If you do not specify a peer certificate, this command removes all peer certificates in the PKI domain.
undo pki domain domain-name Default No PKI domain exists. Views System view Predefined user roles network-admin Parameters domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), backslash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Examples # Create a PKI entity named en and enter its view. system-view [Sysname] pki entity en [Sysname-pki-entity-en] Related commands pki domain pki export Use pki export to export the CA certificate and the local certificates in a PKI domain to local files or display them on a terminal.
pempasswordstring: Specifies a password for encrypting the private key of a local certificate in PEM format. filename filename: Specifies a file name for storing a certificate. The file name is a case-insensitive string. If you do not specify a file name for the certificates in PEM format, this command displays the certificates on the terminal.
# Export the local certificates in the PKI domain to a file named cert-lo.der in DER format. system-view [Sysname] pki export domain domain1 der local filename cert-lo.der # Export all certificates in the PKI domain to a file named cert-all.p7b in DER format. system-view [Sysname] pki export domain domain1 der all filename cert-all.p7b # Export the CA certificate in the PKI domain to a file named cacert in PEM format.
VR0fBDUwMzAxoC+gLYYraHR0cDovLzE5Mi4xNjguNDAuMTI4L3BraS9wdWIvY3Js L2NhY3JsLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAGcMeSpBJiuRmsJW0iZK5nygB tgD8c0b+n4v/F36sJjY1fRFSr4gPLIxZhPWhTrqsCd+QMELRCDNHDxvt3/1NEG12 X6BVjLcKXKH/EQe0fnwK+7PegAJ15P56xDeACHz2oysvNQ0Ot6hGylMqaZ8pKUKv UDS8c+HgIBrhmxvXztI08N1imYHq27Wy9j6NpSS60mMFmI5whzCWfTSHzqlT2DNd no0id18SZidApfCZL8zoMWEFI163JZSarv+H5Kbb063dxXfbsqX9Noxggh0gD8dK 7X7/rTJuuhTWVof5gxSUJp+aCCdvSKg0lvJY+tJeXoaznrINVw3SuXJ+Ax8GEw==
-----END CERTIFICATE-----
Bag Attributes friendlyName: loca
cnPaSUko2QbO9sg3ycye1zqpbbqj775ulGpcXyXYD9OY63/Cp5+DRQ92zGsCAwEA AaOCAhUwggIRMAkGA1UdEwQCMAAwUAYDVR0gBEkwRzAGBgQqAwMEMAYGBCoDAwUw NQYEKgMDBjAtMCsGCCsGAQUFBwIBFh9odHRwczovL3RpdGFuL3BraS9wdWIvY3Bz L2Jhc2ljMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCBsAwKQYDVR0lBCIw IAYIKwYBBQUHAwIGCCsGAQUFBwMEBgorBgEEAYI3FAICMC4GCWCGSAGG+EIBDQQh Fh9Vc2VyIENlcnRpZmljYXRlIG9mIE9wZW5DQSBMYWJzMB0GA1UdDgQWBBTPw8FY ut7Xr2Ct/23zU/ybgU9dQjAfBgNVHSMEGDAWgBQzEQ58yIC54wxodp6JzZvn/gx0 CDAaBgNVHREEEzARgQ9jaGt0ZXN0QGgzYy5jb20wGQYDVR0SBBIwEIEOc
Bag Attributes friendlyName: localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----MIICwzA9BgkqhkiG9w0BBQ0wMDAbBgkqhkiG9w0BBQwwDgQIcUSKSW9GVmICAggA MBEGBSsOAwIHBAi5QZM+lSYWPASCAoBKDYulE5f2BXL9ZhI9zWAJpx2cShz/9PsW 5Qm106D+xSj1eAzkx/m4Xb4xRU8oOAuzu1DlWfSHKXoaa0OoRSiOEX1eg0eo/2vv CHCvKHfTJr4gVSSa7i4I+aQ6AItrI6q99WlkN/e/IE5U1UE4ZhcsIiFJG+IvG7S8 f9liWQ2CImy/hjgFCD9nqSLN8wUzP7O2SdLVlUb5z4FR6VISZdgTFE8j7ko2HtUs HVSg0nm114EwPtPMMb
Y24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDaDNjMQ0wCwYDVQQDEwRhYWNhMIGf MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcuJsWhAJXEDmowGb5z7VDVms54TKi xnaNJCWvBOrU64ftvpVB7xQekbkjgAS9FjDyXlLQ8IyIsYIp5ebJr8P+n9i9Pl7j lBx5mi4XeIldyv2OjfNx5oSQ+gWY9/m1R8uv13RS05r3rxPg+7EvKBjmiy0Giddw vu3Y3WrjBPp6GQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJrQddzVQEiy4AcgtzUL ltkmlmWoz87+jUsgFB+H+xeyiZE4sancf2UwH8kXWqZ5AuReFCCBC2fkvvQvUGnV cso7JXAhfw8sUFok9eHz2R+GSoEk5BZFzZ8eCmNyGq9ln6mJsO1hAqMpsCW6G2zh 5mus7FTHhywXpJ22/fnHg61m -----END CERTIFICATE---------BEG
pki import Use pki import to import the CA certificate, local certificates, or peer certificates for a PKI domain. Syntax pki import domain domain-name { der { ca | local | peer } filename filename | p12 local filename filename | pem { ca | local | peer } [ filename filename ] } Views System view Predefined user roles network-admin Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters.
• If the local certificates or peer certificates to be imported contain the CA certificate chain, you can import the CA certificate and the local certificates or peer certificates at the same time. If the certificate of the CA that issues the local certificates or peer certificates already exists in a PKI domain, the system displays a prompt to ask you whether to overwrite the existing CA certificate.
[Sysname] pki import domain bbb pem ca filename aca_pem.cer [Sysname] # Import the local certificate file local-ca.p12 in PKCS12 format to the PKI domain bbb. The certificate file contains a key pair. system-view [Sysname] pki import domain bbb p12 local filename local-ca.p12 Please input challenge password: ****** [Sysname] # Import the local certificate in PEM format to the PKI domain bbb by copying and pasting the contents of the certificate.
N3aTKV7NDndIOk0PpiikYPgxVih/geMXR3iYaANbcvRX07/FMDINWHJnBAZhCDvp rFO552loGiPyl0wmFMK12TSL7sHvrxr0OdrFrqtWlbW+DsNGNcFSKZy3RvIngC2k ZZqBeFPUytP185JUhbOrVaUDlisZi6NNshcIjd2BAgMBAAGjgbowgbcwHwYDVR0j BBgwFoAUmoMpEynZYoPLQdR1LlKhZjg8kBEwDgYDVR0PAQH/BAQDAgP4MBEGCWCG SAGG+EIBAQQEAwIGQDASBgNVHREECzAJggdoM2MuY29tMB0GA1UdDgQWBBQ8dpWb 3cJ/X5iDt8eg+JkeS9cvJjA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vczAzMTMw LmgzYy5odWF3ZWktM2NvbS5jb206NDQ3L3NzbC5jcmwwDQYJKoZIhvcNAQEFBQAD gYEAYS15x0kW474lu4twNzEy5dPjMSwtwfm/UK01S8GQjGV5tl9ZNiTHF
pki request-certificate Use pki request-certificate to submit a local certificate request or generate a certificate request in PKCS#10 format. Syntax pki request-certificate domain domain-name [ password password ] [ pkcs10 [ filename filename ] ] Views System view Predefined user roles network-admin Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters.
# Request the local certificates. [Sysname] pki request-certificate domain openca Start to request the general certificate ... … Request certificate of domain openca successfully Related commands display pki certificate pki retrieve-certificate Use pki retrieve-certificate to obtain a certificate from the certificate distribution server.
The trusted CA's finger print is: MD5 fingerprint:5C41 E657 A0D6 ECB4 6BD6 1823 7473 AABC SHA1 fingerprint:1616 E7A5 D89A 2A99 9419 1C12 D696 8228 87BC C266 Is the finger print correct?(Y/N):y # Obtain the local certificates from the certificate distribution server. system-view [Sysname] pki retrieve-certificate domain aaa local # Obtain the certificate of the peer entity en1 from the certificate distribution server.
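The fingerprint prompt shown above, and the root-certificate fingerprint command that pre-configures the expected value for auto mode, are the only protection against accepting a substituted CA certificate from the SCEP server, so the expected value should be computed out of band from a copy of the CA certificate obtained another way. The Python script below is an added example, not HP code: it decodes a PEM certificate to DER, computes the MD5 and SHA1 fingerprints in the grouped uppercase format the device prints, and compares a displayed fingerprint with the 32- or 40-hex-character string given to root-certificate fingerprint. SAMPLE_DER is a constructed byte string, not a real certificate; the fingerprint is a hash over the DER bytes, so the formatting logic is the same.

```python
"""Compute a CA certificate fingerprint in the form the device prints at
'Is the finger print correct?(Y/N)' (groups of four uppercase hex digits) and
check it against the value given to 'root-certificate fingerprint { md5 | sha1 }'.

Added example, not HP code. SAMPLE_DER is a CONSTRUCTED byte string, not a
real certificate.
"""
import base64
import hashlib
import re
import textwrap


def pem_to_der(pem: str) -> bytes:
    """Extract the base64 body between the CERTIFICATE markers and decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def der_to_pem(der: bytes) -> str:
    """Inverse of pem_to_der, used here only to build the constructed sample."""
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def device_fingerprint(der: bytes, algorithm: str) -> str:
    """Hex digest as the device displays it: uppercase, a space every 4 digits."""
    if algorithm not in ("md5", "sha1"):
        raise ValueError("the device accepts md5 or sha1 only")
    hexdigest = hashlib.new(algorithm, der).hexdigest().upper()
    return " ".join(hexdigest[i:i + 4] for i in range(0, len(hexdigest), 4))


def fingerprint_matches(displayed: str, configured: str) -> bool:
    """Compare a displayed fingerprint with a configured one, ignoring spacing
    and case. MD5 gives 32 hex characters, SHA1 gives 40; anything else is rejected."""
    a = re.sub(r"[^0-9a-fA-F]", "", displayed).lower()
    b = re.sub(r"[^0-9a-fA-F]", "", configured).lower()
    return len(a) in (32, 40) and a == b


SAMPLE_DER = bytes(range(256)) * 3   # CONSTRUCTED, not a certificate
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for alg in ("md5", "sha1"):
        print(f"{alg.upper()} fingerprint:{device_fingerprint(der, alg)}")
```

Feed the script the CA certificate file you trust and compare its SHA1 line with what the device prints; answer N at the prompt if they differ. Prefer the SHA1 fingerprint over MD5 when both are offered, since MD5 collisions are practical.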
• If the PKI domain is not configured with the CRL repository, the device looks up the local certificates and then the CA certificate for the CRL repository. If a CRL repository is found, the device obtains CRLs from the point. Otherwise, the device obtains CRLs through the SCEP protocol. Examples # Obtain CRLs from the CRL repository.
system-view [Sysname] pki storage certificates flash:/pki-new # Specify pki-new as the storage path for the CRLs. system-view [Sysname] pki storage crls pki-new pki validate-certificate Use pki validate-certificate to verify the validity of certificates.
CN=rootca Subject: C=cn O=abc OU=test CN=aca Verify result: OK Verifying certificate...... Serial Number: 5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6 Issuer: C=cn O=ccc OU=ppp CN=rootca Subject: C=cn O=ccc OU=ppp CN=rootca Verify result: OK # Verify the local certificates in the PKI domain aaa. system-view [Sysname] pki validate-certificate domain aaa local Verifying certificate......
Use undo public-key to remove the configuration. Syntax public-key dsa name key-name [ length key-length ] undo public-key Default No key pair is specified. Views PKI domain view Predefined user roles network-admin Parameters name key-name: Specifies a key pair by its name, a case-insensitive string of 1 to 64 characters, which can include only letters, digits, and hyphen (-). length key-length: Specifies the key length, in bits.
public-key rsa Use public-key rsa to specify an RSA key pair for certificate request. Use undo public-key to remove the configuration. Syntax public-key rsa { { encryption name encryption-key-name [ length key-length ] | signature name signature-key-name [ length key-length ] } * | general name key-name [ length key-length ] } undo public-key Default No key pair is specified. Views PKI domain view Predefined user roles network-admin Parameters encryption: Specifies a key pair for encryption.
The specified length is effective on only a key pair to be generated. If the device already has a key pair or a key pair is contained in an imported certificate, using this command to specify the key length for the key pair does not take effect. Examples # Specify the RSA key pair abc with the purpose general and key length 2048 bits for certificate request.
string: Sets the fingerprint information in hexadecimal notation. If you specify the MD5 keyword, the fingerprint is a string of 32 characters. If you specify the SHA1 keyword, the fingerprint is a string of 40 characters. Usage guidelines If you set the certificate request mode to auto, but the PKI domain does not have a CA certificate, you must use this command to set the fingerprint for verifying the validity of the CA root certificate.
Predefined user roles network-admin Parameters id: Assigns a number to the statement, in the range of 1 to 16. The default setting is the smallest unused number in this range. Rules in a policy are sorted in ascending order and a rule with a smaller number is compared first. deny: Denies the certificates that match the associated certificate group. permit: Permits the certificates that match the associated certificate group.
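The following Python model is an added example, not HP code. It shows how the attribute rules (attribute command) and the numbered permit/deny statements of a certificate access control policy fit together when a certificate is evaluated. What the text states is coded as such: a rule looks at the subject name, issuer name or alternative subject name; the subject and issuer names carry one DN plus any number of FQDNs and IP addresses; the alternative subject name carries no DN; ctn means the DN contains the attribute value; statements are compared in ascending order of their number and carry permit or deny. Everything else in the model is an assumption made for the example: nctn, equ and nequ as the negated and equality forms of ctn; for fqdn and ip a rule matches if any of the certificate's values matches; a group matches only when all of its rules match; the first matching statement decides and a certificate that matches no statement is denied; a missing or empty attribute group matches every certificate; comparison is case-sensitive. The certificate names are constructed from names appearing in the display output earlier in this chapter.

```python
"""Model of attribute rules and certificate access control policy statements.

Added example, not HP code. See the lead-in for which matching rules come
from the page and which are ASSUMPTIONS of this model.
"""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """The identity fields an attribute rule can examine. Sample values only."""
    subject_dn: str
    issuer_dn: str
    subject_fqdn: list = field(default_factory=list)
    subject_ip: list = field(default_factory=list)
    issuer_fqdn: list = field(default_factory=list)
    issuer_ip: list = field(default_factory=list)
    alt_fqdn: list = field(default_factory=list)
    alt_ip: list = field(default_factory=list)


@dataclass
class AttributeRule:
    rule_id: int
    name_field: str   # "subject-name", "issuer-name" or "alt-subject-name"
    attr_type: str    # "dn", "fqdn" or "ip"
    op: str           # "ctn", "nctn", "equ" or "nequ"
    value: str


@dataclass
class Statement:
    stmt_id: int      # 1 to 16; smaller numbers are compared first
    action: str       # "permit" or "deny"
    group: str        # attribute group name

    def __post_init__(self):
        if not 1 <= self.stmt_id <= 16 or self.action not in ("permit", "deny"):
            raise ValueError("statement id must be 1-16 and action permit or deny")


_PREFIX = {"subject-name": "subject", "issuer-name": "issuer", "alt-subject-name": "alt"}


def _values(cert: CertNames, name_field: str, attr_type: str) -> list:
    if name_field == "alt-subject-name" and attr_type == "dn":
        raise ValueError("the alternative subject name cannot contain a DN")
    prefix = _PREFIX[name_field]
    if attr_type == "dn":
        return [getattr(cert, prefix + "_dn")]
    return list(getattr(cert, f"{prefix}_{attr_type}"))


def rule_matches(rule: AttributeRule, cert: CertNames) -> bool:
    vals = _values(cert, rule.name_field, rule.attr_type)
    v = rule.value
    if rule.op == "ctn":                         # page: the DN contains the value
        return any(v in x for x in vals)
    if rule.op == "nctn":                        # ASSUMPTION: negated ctn
        return all(v not in x for x in vals)
    if rule.op == "equ":                         # ASSUMPTION: exact equality
        return any(v == x for x in vals)
    if rule.op == "nequ":                        # ASSUMPTION: negated equ
        return all(v != x for x in vals)
    raise ValueError(f"unknown operation keyword {rule.op}")


def group_matches(rules: list, cert: CertNames) -> bool:
    """ASSUMPTION: all rules must match; an empty group matches everything."""
    return all(rule_matches(r, cert) for r in rules)


def evaluate_policy(statements: list, groups: dict, cert: CertNames) -> str:
    """First statement (ascending id) whose group matches decides; ASSUMPTION: else deny."""
    for st in sorted(statements, key=lambda s: s.stmt_id):
        if group_matches(groups.get(st.group, []), cert):
            return st.action
    return "deny"


# Constructed configuration, in the shape of the CLI:
#   pki certificate attribute-group notfromroot
#     attribute 1 issuer-name dn nctn CN=rootca
#   pki certificate attribute-group ccc-servers
#     attribute 1 subject-name dn ctn O=ccc
#     attribute 2 alt-subject-name fqdn equ docm.com
#   pki certificate access-control-policy mypolicy
#     rule 1 deny notfromroot
#     rule 2 permit ccc-servers
GROUPS = {
    "notfromroot": [AttributeRule(1, "issuer-name", "dn", "nctn", "CN=rootca")],
    "ccc-servers": [AttributeRule(1, "subject-name", "dn", "ctn", "O=ccc"),
                    AttributeRule(2, "alt-subject-name", "fqdn", "equ", "docm.com")],
}
POLICY = [Statement(1, "deny", "notfromroot"), Statement(2, "permit", "ccc-servers")]

# Constructed certificates, using names from the display output in this chapter.
CERT_OK = CertNames("C=cn,O=ccc,OU=ppp,CN=sldsslserver", "C=cn,O=ccc,OU=ppp,CN=rootca",
                    alt_fqdn=["docm.com"])
CERT_OTHER_CA = CertNames("C=cn,O=ccc,OU=ppp,CN=sldsslserver", "C=cn,O=x,CN=otherca",
                          alt_fqdn=["docm.com"])
CERT_NO_SAN = CertNames("C=cn,O=ccc,OU=ppp,CN=sldsslserver", "C=cn,O=ccc,OU=ppp,CN=rootca")

if __name__ == "__main__":
    for name, cert in (("ok", CERT_OK), ("other CA", CERT_OTHER_CA), ("no SAN", CERT_NO_SAN)):
        print(f"{name:9s} -> {evaluate_policy(POLICY, GROUPS, cert)}")
```

Ordering matters: the deny statement for certificates not issued by rootca sits at number 1 so that it is checked before the permit, which is why the model sorts by statement number rather than by list position. Verify your own policy's ordering with display pki certificate access-control-policy before applying it.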
Parameters ip ip-address: Specifies a source IPv4 address. ipv6 ip-address: Specifies a source IPv6 address. interface interface-type interface-number: Specifies the primary IPv4 address or the lowest IPv6 address of an interface as the source IP address. The interface-type interface-number argument specifies an interface. Usage guidelines Use this command to specify the source IP address for PKI protocol packets so that the CA server accepts the certificate requests from a specific IP address or subnet.
Views PKI entity view Predefined user roles network-admin Parameters state-name: Specifies a state name or a province name, a case-sensitive string of 1 to 63 characters. No comma can be included. Examples # Set countryA as the state name of the PKI entity en. system-view [Sysname] pki entity en [Sysname-pki-entity-en] state countryA usage Use usage to specify the extension for certificates. Use undo usage to remove the configuration.
[Sysname-pki-domain-aaa] usage ike
IPsec commands Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. ah authentication-algorithm Use ah authentication-algorithm to specify authentication algorithms for the AH protocol. Use undo ah authentication-algorithm to remove all specified authentication algorithms for the AH protocols.
Examples # Create an IPsec transform set, and specify the AH authentication algorithm for the transform set as HMAC-SHA1. system-view [Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] ah authentication-algorithm sha1 description Use description to configure description for an IPsec policy, IPsec policy template, or IPsec profile. Use undo description to restore the default. Syntax description text undo description Default No description is defined.
network-operator Parameters ipv6-policy: Displays information about IPv6 IPsec policies. policy: Displays information about IPv4 IPsec policies. policy-name: Specifies an IPsec policy by its name, a case-sensitive string of 1 to 63 characters. seq-number: Specifies an IPsec policy entry by its sequence number. The value range is 1 to 65535. Usage guidelines • If you do not specify any parameters, this command displays information about all IPsec policies.
Outbound ESP setting: ESP SPI: 1500 (0x000005dc) ESP string-key: ****** ESP encryption hex key: ESP authentication hex key: ----------------------------Sequence number: 2 Mode: isakmp ----------------------------The policy configuration is incomplete: Remote-address not set ACL not specified Transform-set not set Description: This is my first IPv4 Isakmp policy Security data flow: Selector mode: standard Local address: Remote address: Transform set: IKE profile: SA duration(time based): SA duration(traffic
ESP authentication hex key: Outbound AH setting: AH SPI: 6000 (0x00001770) AH string-key: ****** AH authentication hex key: Outbound ESP setting: ESP SPI: 8000 (0x00001f40) ESP string-key: ****** ESP encryption hex key: ESP authentication hex key: ----------------------------Sequence number: 2 Mode: isakmp ----------------------------Description: This is my complete policy Security data flow: 3200 Selector mode: standard Local address: Remote address: 5.3.6.
ESP string-key: ****** ESP encryption hex key: ESP authentication hex key: Outbound AH setting: AH SPI: 1237 (0x000004d5) AH string-key: ****** AH authentication hex key: Outbound ESP setting: ESP SPI: 1238 (0x000004d6) ESP string-key: ****** ESP encryption hex key: ESP authentication hex key:
Table 24 Command output
Field | Description
IPsec Policy | IPsec policy name.
Interface | Interface applied with the IPsec policy.
Sequence number | Sequence number of the IPsec policy entry.
Field | Description
SA idle time | Idle expiration time of the IPsec SA, in seconds.
AH string-key | AH string key (****** is displayed if the key is configured).
AH authentication hex key | AH authentication hex key (****** is displayed if the key is configured).
ESP string-key | ESP string key (****** is displayed if the key is configured).
ESP encryption hex key | ESP encryption hex key (****** is displayed if the key is configured).
display ipsec policy-template ----------------------------------------------IPsec Policy Template: template ----------------------------------------------- --------------------------------Sequence number: 1 --------------------------------Description: This is policy template Security data flow : IKE profile: None Remote address: 162.105.10.
Related commands ipsec { ipv6-policy | policy } isakmp template display ipsec profile Use display ipsec profile to display information about IPsec profiles. Syntax display ipsec profile [ profile-name ] Views Any view Predefined user roles network-admin network-operator Parameters profile-name: Specifies an IPsec profile by its name, a case-sensitive string of 1 to 63 characters. Usage guidelines If you do not specify any parameters, this command displays information about all IPsec profiles.
ESP encryption hex key: ****** ESP authentication hex key: ******
Table 26 Command output
Field | Description
IPsec profile | IPsec profile name.
Mode | Negotiation mode used by the IPsec profile. Only the manual mode is available.
Description | Description of the IPsec profile.
Transform set | IPsec transform set referenced by the IPsec profile.
Related commands ipsec profile display ipsec sa Use display ipsec sa to display information about IPsec SAs.
Usage guidelines If you do not specify any parameters, this command displays information about all IPsec SAs. Examples # Display brief information about IPsec SAs. display ipsec sa brief ----------------------------------------------------------------------Interface/Global Dst Address SPI Protocol Status ----------------------------------------------------------------------Eth0/1 10.1.1.1 400 ESP active Eth0/1 255.255.255.
Flow: sour addr: 192.168.2.0/255.255.255.0 port: 0 protocol: IP dest addr: 192.168.1.0/255.255.255.
Field | Description
Sequence number | Sequence number of the IPsec policy entry.
Mode | Negotiation mode used by the IPsec policy: manual or isakmp.
Tunnel id | IPsec tunnel ID.
Encapsulation mode | Encapsulation mode, transport or tunnel.
Related commands • ipsec sa global-duration • reset ipsec sa display ipsec statistics Use display ipsec statistics to display IPsec packet statistics. Syntax display ipsec statistics [ tunnel-id tunnel-id ] Views Any view Predefined user roles network-admin network-operator Parameters tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. You can use the display ipsec tunnel brief command to view the IDs of established IPsec tunnels.
Dropped packets (received/sent): 0/0
Dropped packets statistics
No available SA: 0
Wrong SA: 0
Invalid length: 0
Authentication failure: 0
Encapsulation failure: 0
Decapsulation failure: 0
Replayed packets: 0
ACL check failure: 0
MTU check failure: 0
Loopback limit exceeded: 0
Table 29 Command output
Field | Description
Received/sent packets | Number of received/sent IPsec-protected packets.
Received/sent bytes | Number of bytes of received/sent IPsec-protected packets.
network-operator Parameters transform-set-name: Specifies an IPsec transform set by its name, a case-sensitive string of 1 to 63 characters. Usage guidelines If you do not specify an IPsec transform set, this command displays information about all IPsec transform sets. Examples # Display information about all IPsec transform sets.
Syntax display ipsec tunnel { brief | count | tunnel-id tunnel-id } Views Any view Predefined user roles network-admin network-operator Parameters brief: Displays brief information about IPsec tunnels. count: Displays the number of IPsec tunnels. tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. Usage guidelines IPsec is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways).
Total IPsec Tunnel Count: 2 # Display information about all IPsec tunnels.
Table 32 Command output
Field | Description
Tunnel ID | IPsec ID, used to uniquely identify an IPsec tunnel.
Status | IPsec tunnel status. Only active is available.
Usage guidelines IPsec supports the following encapsulation modes: • Transport mode—The security protocols protect the upper layer data of an IP packet. Only the transport layer data is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are placed after the original IP header.
Views IPsec transform set view Predefined user roles network-admin Parameters md5: Uses the HMAC-MD5 algorithm, which uses a 128-bit key. sha1: Uses the HMAC-SHA1 algorithm, which uses a 160-bit key. Usage guidelines In non-FIPS mode, you can specify multiple ESP authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority. • For a manual IPsec policy, the first specified ESP authentication algorithm takes effect.
Views IPsec transform set view Predefined user roles network-admin Parameters 3des-cbc: Uses the 3DES algorithm in CBC mode, which uses a 168-bit key. aes-cbc-128: Uses the AES algorithm in CBC mode, which uses a 128-bit key. aes-cbc-192: Uses the AES algorithm in CBC mode, which uses a 192-bit key. aes-cbc-256: Uses the AES algorithm in CBC mode, which uses a 256-bit key. des-cbc: Uses the DES algorithm in CBC mode, which uses a 64-bit key (56 effective key bits). null: Uses the NULL algorithm, which means encryption is not performed. DES and NULL provide little or no confidentiality and 3DES is deprecated; use an AES option unless interoperability with a legacy peer requires otherwise.
Views IPsec policy view, IPsec policy template view Predefined user roles network-admin Parameters profile-name: Specifies an IKE profile by its name, a case-sensitive string of 1 to 63 characters. Usage guidelines The IKE profile referenced by an IPsec policy or IPsec policy template defines the parameters used for IKE negotiation.
communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required. IPsec anti-replay checking does not affect manually created IPsec SAs. According to the IPsec protocol, only IPsec SAs negotiated by IKE support anti-replay checking. Examples # Enable IPsec anti-replay checking.
ipsec apply Use ipsec apply to apply an IPsec policy to an interface. Use undo ipsec apply to remove the application. Syntax ipsec apply { ipv6-policy | policy } policy-name undo ipsec apply { ipv6-policy | policy } Default No IPsec policy is applied to an interface. Views Interface view Predefined user roles network-admin Parameters ipv6-policy: Specifies an IPv6 IPsec policy. policy: Specifies an IPv4 IPsec policy. policy-name: Name of an IPsec policy, a case-sensitive string of 1 to 63 characters.
Default ACL checking for de-encapsulated IPsec packets is enabled. Views System view Predefined user roles network-admin Usage guidelines In tunnel mode, the IP packet encapsulated in an inbound IPsec packet might not be under the protection of the ACL specified in the IPsec policy. After being de-encapsulated, such packets can pose a threat to network security because they bypass the traffic selector. In this scenario, you can enable ACL checking for de-encapsulated IPsec packets so that inner packets not permitted by the ACL are dropped.
ipsec df-bit Use ipsec df-bit to set the DF bit for outer IP headers of encapsulated IPsec packets on an interface. Use undo ipsec df-bit to restore the default. Syntax ipsec df-bit { clear | copy | set } undo ipsec df-bit Default The DF bit is not set for outer IP headers of encapsulated IPsec packets on an interface. The global DF bit is used. Views Interface view Predefined user roles network-admin Parameters clear: Clears the DF bit for outer IP headers.
ipsec global-df-bit Use ipsec global-df-bit to set the DF bit for outer IP headers of encapsulated IPsec packets on all interfaces. Use undo ipsec global-df-bit to restore the default. Syntax ipsec global-df-bit { clear | copy | set } undo ipsec global-df-bit Default The DF bit of original IP headers is copied to the outer IP headers for encapsulated IPsec packets. Views System view Predefined user roles network-admin Parameters clear: Clears the DF bit for outer IP headers.
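The following Python script is an added worked example, not code from the HP command reference. It puts numbers on the two settings described above: how much an ESP-protected packet grows in transport versus tunnel mode, and what happens to an oversized outer packet under each ipsec df-bit / ipsec global-df-bit choice. It assumes the RFC 4303 ESP layout with AES-CBC (16-byte IV) and HMAC-SHA1-96 (12-byte ICV); all function names are this example's own.

```python
"""ESP overhead and DF-bit outcome for IPsec-protected IPv4 packets.

Added example, not code from the HP command reference. The layout is the
RFC 4303 ESP format with AES-CBC (16-byte IV, 16-byte block) and HMAC-SHA1-96
(12-byte ICV); other transform sets change these constants.
"""

IPV4_HDR = 20            # outer header (tunnel mode) or original header (transport mode)
ESP_HDR = 8              # SPI (4 bytes) + sequence number (4 bytes)
AES_CBC_IV = 16
AES_BLOCK = 16
ESP_TRAILER = 2          # pad length (1 byte) + next header (1 byte)
HMAC_SHA1_96_ICV = 12


def esp_padding(payload_len, block=AES_BLOCK):
    """Padding needed so payload + trailer fills whole cipher blocks."""
    return (block - (payload_len + ESP_TRAILER) % block) % block


def esp_packet_size(inner_len, mode):
    """On-the-wire size of an inner IPv4 packet of inner_len bytes after ESP."""
    if mode == "tunnel":
        payload = inner_len              # the whole inner packet, header included
    elif mode == "transport":
        payload = inner_len - IPV4_HDR   # only the upper-layer data is protected
    else:
        raise ValueError(f"unknown encapsulation mode: {mode}")
    esp = (ESP_HDR + AES_CBC_IV + payload + esp_padding(payload)
           + ESP_TRAILER + HMAC_SHA1_96_ICV)
    return IPV4_HDR + esp


def outer_df(df_mode, inner_df):
    """DF bit of the outer header under ipsec df-bit { clear | copy | set }."""
    if df_mode == "set":
        return True
    if df_mode == "clear":
        return False
    if df_mode == "copy":
        return inner_df
    raise ValueError(f"unknown df-bit mode: {df_mode}")


def forwarding_outcome(inner_len, inner_df, df_mode, path_mtu, mode="tunnel"):
    """Return (outcome, outer size) for one packet on a path with path_mtu."""
    size = esp_packet_size(inner_len, mode)
    if size <= path_mtu:
        return "forwarded", size
    if outer_df(df_mode, inner_df):
        # Too big and DF set: the outer packet cannot be fragmented; the inner
        # sender must learn a smaller MTU (PMTUD) or the tunnel black-holes it.
        return "dropped", size
    # DF clear: the outer packet is fragmented and reassembled by the peer
    # before decryption, which costs CPU on the receiving gateway.
    return "fragmented", size


if __name__ == "__main__":
    for df_mode in ("copy", "set", "clear"):
        print(df_mode, forwarding_outcome(1500, True, df_mode, 1500))
```

A 1500-byte inner packet becomes 1560 bytes in tunnel mode, so on a 1500-byte path the copy (default) and set modes drop it when the inner DF bit is set, while clear lets it through as two fragments. That is the trade-off the two commands expose: clear keeps traffic flowing at the cost of reassembly on the peer, copy and set preserve PMTUD and depend on the inner hosts honouring it.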
Syntax ipsec { ipv6-policy | policy } policy-name seq-number [ isakmp | manual ] undo ipsec { ipv6-policy | policy } policy-name [ seq-number ] Default No IPsec policy is created. Views System view Predefined user roles network-admin Parameters ipv6-policy: Specifies an IPv6 IPsec policy. policy: Specifies an IPv4 IPsec policy. policy-name: Specifies a name for the IPsec policy, a case-sensitive string of 1 to 63 characters.
ipsec { ipv6-policy | policy } isakmp template Use ipsec { ipv6-policy | policy } isakmp template to create an IKE-based IPsec policy by referencing an IPsec policy template. Use undo ipsec { ipv6-policy | policy } to delete the specified IPsec policy. Syntax ipsec { ipv6-policy | policy } policy-name seq-number isakmp template template-name undo ipsec { ipv6-policy | policy } policy-name [ seq-number ] Default No IPsec policy is created.
ipsec { ipv6-policy | policy } local-address Use ipsec { ipv6-policy | policy } local-address to bind an IPsec policy to a source interface. Use undo ipsec { ipv6-policy | policy } local-address to remove the bindings of IPsec policies and source interfaces. Syntax ipsec { ipv6-policy | policy } policy-name local-address interface-type interface-number undo ipsec { ipv6-policy | policy } policy-name local-address Default No IPsec policy is bound to a source interface.
Related commands ipsec { ipv6-policy | policy } ipsec { ipv6-policy-template | policy-template } Use ipsec { ipv6-policy-template | policy-template } to create an IPsec policy template, and enter IPsec policy template view. Use undo ipsec { ipv6-policy-template | policy-template } to delete the specified IPsec policy template.
• ipsec { ipv6-policy | policy } • ipsec { ipv6-policy | policy } isakmp template ipsec profile Use ipsec profile to create an IPsec profile, and enter IPsec profile view. Use undo ipsec profile to delete the specified IPsec profile. Syntax ipsec profile profile-name [ manual ] undo ipsec profile profile-name Default No IPsec profile is created.
Default The time-based global lifetime is 3600 seconds, and the traffic-based global lifetime is 1843200 kilobytes. Views System view Predefined user roles network-admin Parameters time-based seconds: Specifies the time-based global lifetime for IPsec SAs, in the range of 180 to 604800 seconds. traffic-based kilobytes: Specifies the traffic-based global lifetime for IPsec SAs, in the range of 2560 to 4294967295 kilobytes. When traffic on an SA reaches this value, the SA expires.
Views System view Predefined user roles network-admin Parameters seconds: Specifies the IPsec SA idle timeout, in the range of 60 to 86400 seconds. Usage guidelines This function applies only to IPsec SAs negotiated by IKE. The IPsec SA idle timeout can also be configured in IPsec policy view or IPsec policy template view, which takes precedence over the global IPsec SA timeout. Examples # Set the IPsec SA idle timeout to 600 seconds.
system-view [Sysname] ipsec transform-set tran1 [Sysname-transform-set-tran1] Related commands display ipsec transform-set local-address Use local-address to configure the local IP address for the IPsec tunnel. Use undo local-address to restore the default.
Syntax In non-FIPS mode: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 } undo pfs In FIPS mode: pfs dh-group14 undo pfs Default The PFS feature is disabled for the IPsec transform set. Views IPsec transform set view Predefined user roles network-admin Parameters dh-group1: Uses 768-bit Diffie-Hellman group. dh-group2: Uses 1024-bit Diffie-Hellman group. dh-group5: Uses 1536-bit Diffie-Hellman group. dh-group14: Uses 2048-bit Diffie-Hellman group.
Syntax protocol { ah | ah-esp | esp } undo protocol Default The IPsec transform set uses the ESP protocol. Views IPsec transform set view Predefined user roles network-admin Parameters ah: Specifies the AH protocol. ah-esp: Specifies using the ESP protocol first and then using the AH protocol. esp: Specifies the ESP protocol. Usage guidelines The two tunnel ends must use the same security protocol in the IPsec transform set. Examples # Specify the AH protocol for the IPsec transform set.
Examples # Enable the QoS pre-classify feature. system-view [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] qos pre-classify remote-address Use remote-address to configure the remote IP address for the IPsec tunnel. Use undo remote-address to restore the default.
the remote-address command. Otherwise, the local end cannot obtain the latest IP address of the remote host. For example, the local end has a static domain name resolution entry, which maps the host name test to the IP address 1.1.1.1. Configure the following commands: # Configure the remote host name to test for the IPsec tunnel in the IPsec policy policy1. [Sysname] ipsec policy policy1 1 isakmp [Sysname-ipsec-policy-isakmp-policy1-1] remote-address test # Change the IP address for the host test to 2.2.
profile profile-name: Clears IPsec SAs for the IPsec profile specified by its name, a case-sensitive string of 1 to 63 characters. remote: Clears IPsec SAs for the specified remote address. • ipv4-address: Specifies a remote IPv4 address. • ipv6 ipv6-address: Specifies a remote IPv6 address. spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num: Clears IPsec SAs matching the specified SA triplet: the local address, the security protocol, and the SPI.
reset ipsec statistics Use reset ipsec statistics to clear IPsec packet statistics. Syntax reset ipsec statistics [ tunnel-id tunnel-id ] Views User view Predefined user roles network-admin Parameters tunnel-id tunnel-id: Clears IPsec packet statistics for the specified IPsec tunnel. If no tunnel ID is specified, the command clears all IPsec packet statistics. Examples # Clear IPsec packet statistics.
To display the static routes created by RRI, use the display ip routing-table command. Examples # Enable IPsec RRI to create a static route according to the IPsec SA negotiated by the specified IPsec policy. The destination IP address is the protected peer private network 3.0.0.0/24, and the next hop is the IP address (1.1.1.2) of the remote tunnel interface.
[Sysname] ipsec policy 1 1 isakmp [Sysname-ipsec-policy-isakmp-1-1] reverse-route preference 100 Related commands • ipsec policy • ipsec policy-template reverse-route tag Use reverse-route tag to set a route tag for the static routes created by IPsec RRI. This tag helps in implementing flexible route control through routing policies. Use undo reverse-route tag to restore the default.
undo sa duration { time-based | traffic-based } Default The SA lifetime of an IPsec policy or an IPsec policy template is the current global SA lifetime. Views IPsec policy view, IPsec policy template view Predefined user roles network-admin Parameters time-based seconds: Specifies the time-based SA lifetime, in the range of 180 to 604800 seconds. traffic-based kilobytes: Specifies the traffic-based SA lifetime, in the range of 2560 to 4294967295 kilobytes.
Views IPsec policy view, IPsec profile view Predefined user roles network-admin Parameters inbound: Specifies a hexadecimal authentication key for inbound SAs. outbound: Specifies a hexadecimal authentication key for outbound SAs. ah: Uses AH. esp: Uses ESP. cipher key-value: Sets a ciphertext authentication key, a case-sensitive string of 1 to 85 characters. simple key-value: Sets a plaintext authentication key.
Syntax sa hex-key encryption { inbound | outbound } esp { cipher | simple } key-value undo sa hex-key encryption { inbound | outbound } esp Default No encryption key is configured for manual IPsec SAs. Views IPsec policy view, IPsec profile view Predefined user roles network-admin Parameters inbound: Specifies a hexadecimal encryption key for inbound SAs. outbound: Specifies a hexadecimal encryption key for outbound SAs. esp: Uses ESP.
Related commands • display ipsec sa • sa string-key sa idle-time Use sa idle-time to set the IPsec SA idle timeout for an IPsec policy or IPsec policy template. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted. Use undo sa idle-time to restore the default. Syntax sa idle-time seconds undo sa idle-time Default An IPsec policy or IPsec policy template uses the global IPsec SA idle timeout.
undo sa spi { inbound | outbound } { ah | esp } Default No SPI is configured for IPsec SAs. Views IPsec policy view, IPsec profile view Predefined user roles network-admin Parameters inbound: Specifies an SPI for inbound SAs. outbound: Specifies an SPI for outbound SAs. ah: Uses AH. esp: Uses ESP. spi-number: Specifies a Security parameters index (SPI), in the range of 256 to 4294967295. Usage guidelines This command applies to only manual IPsec policies and IPsec profiles.
Syntax sa string-key { inbound | outbound } { ah | esp } [ cipher | simple ] string-key undo sa string-key { inbound | outbound } { ah | esp } Default No key string is configured for IPsec SAs. Views IPsec policy view, IPsec profile view Predefined user roles network-admin Parameters inbound: Sets a key string for inbound IPsec SAs. outbound: Sets a key string for outbound IPsec SAs. ah: Uses AH. esp: Uses ESP. cipher: Sets a ciphertext key. simple: Sets a plaintext key.
[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple efcdab # In an IPsec policy for an IPv6 routing protocol, configure the inbound and outbound SAs that use AH to use the plaintext key abcdef.
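Manually keyed SAs (sa spi, sa hex-key authentication, sa hex-key encryption, sa string-key) fail silently when the two ends disagree: a transposed SPI or a key of the wrong length produces dropped packets with no negotiation error to read. The following Python script is an added worked example, not code from the HP command reference; it checks a pair of manual policies for mirrored SPIs and keys, the SPI range stated under sa spi, and hex keys of the algorithm's key size. The key sizes come from the esp encryption-algorithm and esp authentication-algorithm descriptions; that the hex key must be exactly that size is an assumption of the example, and the peer data is constructed.

```python
"""Consistency checks for a manually keyed IPsec tunnel (sa spi / sa hex-key).

Added example, not code from the HP command reference. Key sizes follow the
esp encryption-algorithm / esp authentication-algorithm descriptions; treating
the hex key length as having to equal that size exactly is an assumption.
"""

KEY_BITS = {
    "des-cbc": 64,        # 8 key bytes including parity
    "3des-cbc": 192,      # 24 key bytes including parity (168 effective bits)
    "aes-cbc-128": 128,
    "aes-cbc-192": 192,
    "aes-cbc-256": 256,
    "md5": 128,           # HMAC-MD5
    "sha1": 160,          # HMAC-SHA1
}
SPI_MIN, SPI_MAX = 256, 4294967295     # range accepted by sa spi


def manual_sa(enc, auth, spi_in, spi_out, ek_in, ek_out, ak_in, ak_out):
    """One peer's manual IPsec policy, as it would be typed in policy view."""
    return {"enc": enc, "auth": auth,
            "spi": {"inbound": spi_in, "outbound": spi_out},
            "enc_key": {"inbound": ek_in, "outbound": ek_out},
            "auth_key": {"inbound": ak_in, "outbound": ak_out}}


def hex_key_ok(key, algorithm):
    """True if key is valid hex of exactly the algorithm's key size."""
    if algorithm == "null":
        return not key
    try:
        bytes.fromhex(key)
    except (TypeError, ValueError):
        return False
    return len(key) * 4 == KEY_BITS[algorithm]


def check_peer(label, sa):
    """Per-end checks: SPI range and key material for both directions."""
    problems = []
    for d in ("inbound", "outbound"):
        spi = sa["spi"][d]
        if not SPI_MIN <= spi <= SPI_MAX:
            problems.append(f"{label} {d}: SPI {spi} outside {SPI_MIN}-{SPI_MAX}")
        if not hex_key_ok(sa["enc_key"][d], sa["enc"]):
            problems.append(f"{label} {d}: encryption key is not a valid {sa['enc']} hex key")
        if not hex_key_ok(sa["auth_key"][d], sa["auth"]):
            problems.append(f"{label} {d}: authentication key is not a valid {sa['auth']} hex key")
    return problems


def check_pair(a, b):
    """A's inbound SA must equal B's outbound SA and vice versa; algorithms must match."""
    problems = check_peer("A", a) + check_peer("B", b)
    if (a["enc"], a["auth"]) != (b["enc"], b["auth"]):
        problems.append("transform sets differ between the two ends")
    for field in ("spi", "enc_key", "auth_key"):
        if a[field]["inbound"] != b[field]["outbound"]:
            problems.append(f"{field}: A inbound does not match B outbound")
        if a[field]["outbound"] != b[field]["inbound"]:
            problems.append(f"{field}: A outbound does not match B inbound")
    return problems


# Constructed sample keys (not from any device); PEER_B has its outbound SPI mistyped.
EK1 = "00112233445566778899aabbccddeeff"
EK2 = "ffeeddccbbaa99887766554433221100"
AK1 = "0123456789abcdef0123456789abcdef01234567"
AK2 = "76543210fedcba9876543210fedcba9876543210"
PEER_A = manual_sa("aes-cbc-128", "sha1", 12345, 54321, EK1, EK2, AK1, AK2)
PEER_B = manual_sa("aes-cbc-128", "sha1", 54321, 12354, EK2, EK1, AK2, AK1)
PEER_B_FIXED = manual_sa("aes-cbc-128", "sha1", 54321, 12345, EK2, EK1, AK2, AK1)

if __name__ == "__main__":
    for p in check_pair(PEER_A, PEER_B):
        print(p)
```

Run against PEER_A and PEER_B the script reports only the SPI mismatch; against PEER_B_FIXED it reports nothing. The same mirroring rule applies to sa string-key, where the device derives the actual key material from the string at both ends.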
consumes more system resources when multiple data flows exist between two subnets to be protected. A manual IPsec policy supports only the standard mode. Examples # Reference ACL 3001 for the IPsec policy policy1. system-view [Sysname] acl number 3001 [Sysname-acl-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.
Parameters auth-failure: Specifies SNMP notifications for authentication failures. decrypt-failure: Specifies SNMP notifications for decryption failures. encrypt-failure: Specifies SNMP notifications for encryption failures. global: Specifies SNMP notifications globally. invalid-sa-failure: Specifies SNMP notifications for invalid-SA failures. no-sa-failure: Specifies SNMP notifications for SA-not-found failures. policy-add: Specifies SNMP notifications for events of adding IPsec policies.
Predefined user roles network-admin Parameters transform-set-name&<1-6>: Specifies an IPsec transform set by its name, a case-sensitive string of 1 to 63 characters. &<1-6> means that you can specify up to six IPsec transform sets. Usage guidelines A manual IPsec policy can reference only one IPsec transform set. If you specify an IPsec transform set for the manual IPsec policy multiple times, the most recent configuration takes effect.
IKE commands Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. authentication-algorithm Use authentication-algorithm to specify an authentication algorithm for an IKE proposal. Use undo authentication-algorithm to restore the default.
Syntax authentication-method { dsa-signature | pre-share | rsa-signature } undo authentication-method Default The IKE proposal uses the pre-shared key as the authentication method. Views IKE proposal view Predefined user roles network-admin Parameters dsa-signature: Specifies the DSA signatures as the authentication method. pre-share: Specifies the pre-shared key as the authentication method. rsa-signature: Specifies the RSA signatures as the authentication method.
Default No PKI domain is specified for IKE negotiation. Views IKE profile view Predefined user roles network-admin Parameters domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. If no PKI domain is specified, all PKI domains configured on the device are used for enrollment, authentication, certificate issuing, validation, and signature. Usage guidelines You can specify up to 6 PKI domains for an IKE profile.
In FIPS mode: dh group14 undo dh Default In non-FIPS mode, group 1, the 768-bit Diffie-Hellman group, is used. In FIPS mode, group 14, the 2048-bit Diffie-Hellman group, is used. Views IKE proposal view Predefined user roles network-admin Parameters group1: Uses the 768-bit Diffie-Hellman group. group14: Uses the 2048-bit Diffie-Hellman group. group2: Uses the 1024-bit Diffie-Hellman group. group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup.
network-operator Usage guidelines This command displays the configuration information about all IKE proposals in descending order of proposal priorities. If no IKE proposal is configured, the command displays the default IKE proposal. Examples # Display the configuration information about all IKE proposals.
Predefined user roles network-admin network-operator Parameters verbose: Displays detailed information. connection-id connection-id: Displays detailed information about IKE SAs by connection ID, in the range of 1 to 2000000000. remote-address: Displays detailed information about IKE SAs with the specified remote address. ipv6: Specifies an IPv6 address. remote-address: Remote IP address. vpn-instance vpn-name: Displays detailed information about IKE SAs in an MPLS L3VPN.
Profile: prof1 Transmitting entity: Initiator --------------------------------------------Local IP: 4.4.4.4 Local ID type: IPV4_ADDR Local ID: 4.4.4.4 Remote IP: 4.4.4.5 Remote ID type: IPV4_ADDR Remote ID: 4.4.4.
Table 35 Command output Field Description Connection ID Identifier of the IKE SA. Outside VPN VPN instance name of the MPLS L3VPN to which the receiving interface belongs. Inside VPN VPN instance name of the MPLS L3VPN to which the protected data belongs. Profile Name of the matching IKE profile found in the IKE SA negotiation. If no matching profile is found, this field is blank. Transmitting entity Role of the IKE negotiation entity: Initiator or Responder.
Predefined user roles network-admin Parameters interval interval-seconds: Specifies a period of time in seconds. The value range is from 1 to 300. • If the on-demand keyword is specified, this parameter specifies the number of seconds during which no IPsec packet is received before DPD is triggered if the local end has IPsec traffic to send. • If the periodic keyword is specified, this parameter specifies a DPD triggering interval.
Default In non-FIPS mode, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode. In FIPS mode, an IKE proposal uses the 128-bit AES encryption algorithm in CBC mode. Views IKE proposal view Predefined user roles network-admin Parameters 3des-cbc: Uses the 3DES algorithm in CBC mode as the encryption algorithm. The 3DES algorithm uses a 168-bit key for encryption. aes-cbc-128: Uses the AES algorithm in CBC mode as the encryption algorithm.
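The defaults above matter in practice: in non-FIPS mode an IKE proposal that is created and left alone negotiates DES-CBC with DH group 1, and an IPsec transform set can likewise carry weak algorithms or no PFS without any line in the configuration saying so. The following Python script is an added worked example, not code from the HP command reference; it parses a constructed excerpt of Comware configuration output and flags weak settings in ipsec transform-set and ike proposal blocks, covering the esp authentication-algorithm, esp encryption-algorithm, pfs, dh and encryption-algorithm commands described in this document. The IKE defaults (DES-CBC, group 1, PFS off) are stated by the reference; the transform-set cipher and authentication defaults and the IKE authentication-algorithm default used here are assumptions of the example, as are the sample configuration and all function names.

```python
"""Flag weak crypto in Comware IPsec transform sets and IKE proposals.

Added example, not code from the HP command reference. The sample
configuration below is constructed, not captured from a device.
"""
import re

# Defaults applied when a block does not set the value. The reference states the
# IKE proposal defaults (des-cbc, group1) and that PFS is off; the transform-set
# cipher/auth defaults and the IKE authentication-algorithm default are assumptions.
DEFAULTS = {
    "ipsec transform-set": {"esp encryption-algorithm": "des-cbc",
                            "esp authentication-algorithm": "md5",
                            "pfs": "none"},
    "ike proposal": {"encryption-algorithm": "des-cbc",
                     "authentication-algorithm": "sha",
                     "dh": "group1"},
}

WEAK = {
    "des-cbc": "56-bit DES", "null": "no encryption",
    "3des-cbc": "64-bit block cipher (legacy)", "md5": "HMAC-MD5",
    "group1": "768-bit DH", "dh-group1": "768-bit DH",
    "group2": "1024-bit DH", "dh-group2": "1024-bit DH",
    "group5": "1536-bit DH", "dh-group5": "1536-bit DH",
    "none": "PFS disabled",
}

BLOCK_RE = re.compile(r"^(ipsec transform-set|ike proposal) (\S+)$")

SAMPLE_CONFIG = """\
#
ipsec transform-set weak
 esp encryption-algorithm des-cbc
 esp authentication-algorithm md5
 pfs dh-group1
#
ipsec transform-set strong
 encapsulation-mode tunnel
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha1
 pfs dh-group14
#
ike proposal 10
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha
 dh group2
#
ike proposal 20
#
"""


def parse_blocks(config):
    """Return {(kind, name): {setting: [values]}} for the blocks we audit."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):                  # indented line: belongs to current block
            if current is not None:
                words = raw.split()
                if words[0] in ("esp", "ah") and len(words) >= 3:
                    key, values = " ".join(words[:2]), words[2:]   # esp encryption-algorithm X [Y ...]
                else:
                    key, values = words[0], words[1:]              # pfs X / dh X / ...
                blocks[current][key] = values
            continue
        m = BLOCK_RE.match(raw.strip())
        current = (m.group(1), m.group(2)) if m else None
        if m:
            blocks[current] = {}
    return blocks


def audit(config):
    """List (kind, name, setting, value, configured|default, reason) findings."""
    findings = []
    for (kind, name), settings in parse_blocks(config).items():
        for setting, default in DEFAULTS[kind].items():
            origin = "configured" if setting in settings else "default"
            for value in settings.get(setting, [default]):
                if value in WEAK:
                    findings.append((kind, name, setting, value, origin, WEAK[value]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(" ".join(map(str, f)))
```

The "default" origin column is the useful part: ike proposal 20 in the sample has no lines of its own and still shows up twice, for DES-CBC and for group 1. Feed the script the relevant portion of display current-configuration rather than trusting that an empty block means nothing was chosen.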
undo exchange-mode Default Main mode is used for phase 1. Views IKE profile view Predefined user roles network-admin Parameters aggressive: Specifies the aggressive mode. main: Specifies the main mode. Usage guidelines When the user (for example, a dial-up user) at the local end of an IPsec tunnel obtains an IP address automatically and pre-shared key authentication is used, HP recommends setting the IKE negotiation mode to aggressive at the local end.
• If the periodic keyword is specified, this parameter specifies a DPD triggering interval. retry seconds: Specifies the number of seconds between DPD retries if the DPD message fails. The value for the second argument is from 1 to 60 seconds, and it defaults to 5 seconds. on-demand: Sends DPD messages on demand. periodic: Sends DPD messages at regular intervals. Usage guidelines DPD is triggered periodically or on-demand.
fqdn fqdn-name: Uses the FQDN name as the identity. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, for example, www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN. user-fqdn user-fqdn-name: Uses the user FQDN name as the identity. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, for example, abc@test.com.
cannot find an SA, an invalid SPI is encountered. The peer drops the data packet and tries to send an SPI invalid notification to the data originator. This notification is sent by using the IKE SA. When no IKE SA is available, the notification is not sent. The originating peer continues sending the data by using the IPsec SA that has the invalid SPI, and the receiving peer keeps dropping the traffic.
ike keepalive timeout Use ike keepalive timeout to set the IKE keepalive timeout time. Use undo ike keepalive timeout to restore the default. Syntax ike keepalive timeout seconds undo ike keepalive timeout Default The negotiated aging time for the IKE SA applies. Views System view Predefined user roles network-admin Parameters seconds: Specifies the IKE keepalive timeout in seconds. The value is in the range of 20 to 28800. Configure a timeout that is longer than the keepalive interval configured on the peer; otherwise the local end deletes the IKE SA before a keepalive can arrive.
Views System view Predefined user roles network-admin Parameters keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters. vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IKE keychain belongs. The vpn-name argument is a case-sensitive string of 1 to 31 characters. To create an IKE keychain for the public network, do not specify this option.
Usage guidelines The supported maximum number of half-open IKE SAs depends on the device's processing capability. Adjust the maximum number of half-open IKE SAs to make full use of the device's processing capability without affecting the IKE SA negotiation efficiency. The supported maximum number of established IKE SAs depends on the device's memory space. Adjust the maximum number of established IKE SAs to make full use of the device's memory space without affecting other applications in the system.
ike profile Use ike profile to create an IKE profile and enter IKE profile view. Use undo ike profile to delete an IKE profile. Syntax ike profile profile-name undo ike profile profile-name Default No IKE profile is configured. Views System view Predefined user roles network-admin Parameters profile-name: Specifies an IKE profile name, a case-insensitive string of 1 to 63 characters. Examples # Create IKE profile 1 and enter its view.
Views System view Predefined user roles network-admin Parameters proposal-number: Specifies an IKE proposal number in the range of 1 to 65535. The lower the number, the higher the priority of the IKE proposal. Usage guidelines During IKE negotiation: • The initiator sends its IKE proposals to the peer. • If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals referenced by the IKE profile to the peer.
Predefined user roles network-admin Usage guidelines If the aggressive IKE SA negotiation mode and signature authentication are used, configure this command on the local device when the device interconnects with a peer device that runs a Comware V5-based release supporting only DN for signature authentication. If the ike signature-identity from-certificate command is not configured, the local-identity command configuration, if configured, takes precedence over the ike identity command configuration.
Examples # Set the inside VPN instance to vpn1 for IKE profile prof1. system-view [Sysname] ike profile prof1 [Sysname-ike-profile-prof1] inside-vpn vpn-instance vpn1 keychain Use keychain to specify an IKE keychain for pre-shared key authentication. Use undo keychain to remove the IKE keychain reference. Syntax keychain keychain-name undo keychain keychain-name Default No IKE keychain is specified for an IKE profile.
undo local-identity Default No local ID is configured for an IKE profile. An IKE profile uses the local ID configured in system view (by using the ike identity command). If the local ID is not configured in system view either, the IKE profile uses the IP address of the interface to which the IPsec policy or IPsec policy template is applied as the local ID.
Syntax match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-name ] } undo match local address Default An IKE keychain can be applied to any local interface or IP address. Views IKE keychain view Predefined user roles network-admin Parameters interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 address of a local interface.
Syntax match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-name ] } undo match local address Default An IKE profile can be applied to any local interface or IP address. Views IKE profile view Predefined user roles network-admin Parameters interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 address of a local interface.
Syntax match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } } undo match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range l
For an IKE profile, you can configure multiple peer IDs. A peer ID configured earlier has a higher priority. Examples # Create IKE profile prof1. system-view [Sysname] ike profile prof1 # Configure a peer ID with the identity type of FQDN and the value of www.test.com. [Sysname-ike-profile-prof1] match remote identity fqdn www.test.com # Configure a peer ID with the identity type of IP address and the value of 10.1.1.1. [Sysname-ike-profile-prof1] match remote identity address 10.1.1.
simple-key: Specifies a plaintext key. In non-FIPS mode, it is a case-sensitive string of 1 to 128 characters. In FIPS mode, it is a case-sensitive string of 15 to 128 characters, and it must contain uppercase and lowercase letters, digits, and special characters. cipher: Specifies a pre-shared key in cipher text. cipher-key: Specifies a ciphertext key. In non-FIPS mode, it is a case-sensitive string of 1 to 201 characters. In FIPS mode, it is a case-sensitive string of 15 to 201 characters.
Usage guidelines To determine the priority of an IKE keychain, the device examines the existence of the match local address command before examining the priority number. An IKE keychain with the match local address command configured has a higher priority than an IKE keychain that does not have the match local address command configured. Examples # Set the priority to 10 for IKE keychain key1.
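The two selection rules stated above (match remote identity rules tried in configuration order within an IKE profile; an IKE keychain with match local address beating one without, before the priority number is consulted) are easy to get wrong when several profiles and keychains overlap. The following Python script is an added worked example, not code from the HP command reference; it models both lookups on constructed data. Trying profiles themselves in configuration order, and a lower priority number winning between keychains, are assumptions of this example, as are all names in it.

```python
"""IKE profile and IKE keychain selection as described for match remote / priority.

Added example, not code from the HP command reference. Data below is constructed.
"""
import ipaddress


def identity_matches(rule, peer):
    """Evaluate one 'match remote identity' rule against a peer ID (type, value)."""
    kind, spec = rule
    peer_type, peer_value = peer
    if kind in ("fqdn", "user-fqdn"):
        return peer_type == kind and peer_value == spec
    if kind == "address":
        if peer_type != "address":
            return False
        addr = ipaddress.ip_address(peer_value)
        if isinstance(spec, tuple):                        # address range low high
            low, high = (ipaddress.ip_address(x) for x in spec)
            return low.version == addr.version and low <= addr <= high
        net = ipaddress.ip_network(spec, strict=False)     # address [ mask | mask-length ]
        return net.version == addr.version and addr in net
    raise ValueError(f"unknown identity type: {kind}")


def select_profile(profiles, peer):
    """profiles: [(name, [rules])] in configuration order.

    Rules inside a profile are tried in configuration order (earlier wins, per the
    reference). Trying the profiles themselves in configuration order is an
    assumption of this example. Returns (profile name, index of matching rule)."""
    for name, rules in profiles:
        for i, rule in enumerate(rules):
            if identity_matches(rule, peer):
                return name, i
    return None


def select_keychain(keychains, local_addr):
    """keychains: [{name, priority, match_local}] where match_local is None or an address.

    A keychain whose match local address matches beats one without the command;
    among equals the lower priority number wins (numeric direction assumed)."""
    candidates = [k for k in keychains if k["match_local"] in (None, local_addr)]
    if not candidates:
        return None
    candidates.sort(key=lambda k: (k["match_local"] is None, k["priority"]))
    return candidates[0]["name"]


# Constructed configuration, mirroring the match remote identity examples above.
PROFILES = [
    ("prof1", [("fqdn", "www.test.com"), ("address", "10.1.1.1/32")]),
    ("prof2", [("address", "10.1.0.0/16"), ("address", ("192.168.1.10", "192.168.1.20"))]),
]
KEYCHAINS = [
    {"name": "key1", "priority": 10, "match_local": None},
    {"name": "key2", "priority": 100, "match_local": "4.4.4.4"},
    {"name": "key3", "priority": 5, "match_local": "5.5.5.5"},
]

if __name__ == "__main__":
    print(select_profile(PROFILES, ("address", "10.1.1.1")))
    print(select_keychain(KEYCHAINS, "4.4.4.4"))
```

Note that key2 wins for local address 4.4.4.4 despite its higher priority number, because it carries match local address and key1 does not; key3 is excluded because its bound address differs.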
Use undo proposal to remove the IKE proposal references. Syntax proposal proposal-number&<1-6> undo proposal Default An IKE profile references no IKE proposals and uses the IKE proposals configured in system view for IKE negotiation. Views IKE profile view Predefined user roles network-admin Parameters proposal-number&<1-6>: Specifies up to six IKE proposal numbers, each in the range of 1 to 65535. An IKE proposal specified earlier has a higher priority.
Usage guidelines When you delete an IKE SA, the device automatically sends a notification to the peer. Examples # Display the current IKE SAs. display ike sa Total IKE SAs: 2 Connection-ID Remote Flag DOI --------------------------------------------------------- 1 202.38.0.2 RD|ST IPSEC 2 202.38.0.3 RD|ST IPSEC Flags: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT # Delete the IKE SA with the connection ID 2. reset ike sa 2 # Display the current IKE SAs.
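The display ike sa output above is what an operator scrapes when hunting SAs stuck in FADING or TIMEOUT before clearing them with reset ike sa. The following Python script is an added worked example, not code from the HP command reference; it parses output in that format (the sample is constructed, with one extra non-ready SA added), cross-checks the row count against the Total line, and derives the reset ike sa commands for SAs that do not carry the RD flag. Function names are this example's own.

```python
"""Parse display ike sa output and list SAs that are not READY.

Added example, not code from the HP command reference.
"""
import re

# Constructed sample in the format shown for display ike sa; not a device capture.
SAMPLE_OUTPUT = """\
Total IKE SAs: 3
    Connection-ID   Remote                Flag         DOI
  ------------------------------------------------------------------
    1               202.38.0.2            RD|ST        IPSEC
    2               202.38.0.3            RD|ST        IPSEC
    3               202.38.0.4            FD           IPSEC
Flags:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
"""

FLAG_MEANING = {"RD": "READY", "ST": "STAYALIVE", "RL": "REPLACED",
                "FD": "FADING", "TO": "TIMEOUT"}

ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+([A-Z|]+)\s+(\S+)\s*$")
TOTAL_RE = re.compile(r"^Total IKE SAs:\s*(\d+)")


def parse_ike_sa(text):
    """Return one dict per SA row: id, remote, flags (list), doi."""
    sas = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            sas.append({"id": int(m.group(1)), "remote": m.group(2),
                        "flags": m.group(3).split("|"), "doi": m.group(4)})
    return sas


def reported_total(text):
    """The count the device printed, to compare with the rows actually parsed."""
    for line in text.splitlines():
        m = TOTAL_RE.match(line)
        if m:
            return int(m.group(1))
    return None


def describe(sa):
    """Expand flag abbreviations using the legend the command prints."""
    return ", ".join(FLAG_MEANING.get(f, f) for f in sa["flags"])


def not_ready(sas):
    """IKE SAs without the RD flag: fading, timed out or replaced."""
    return [sa for sa in sas if "RD" not in sa["flags"]]


def reset_commands(sas):
    """User-view commands that would clear the non-ready SAs."""
    return [f"reset ike sa {sa['id']}" for sa in not_ready(sas)]


if __name__ == "__main__":
    sas = parse_ike_sa(SAMPLE_OUTPUT)
    if reported_total(SAMPLE_OUTPUT) != len(sas):
        print("warning: row count differs from Total line")
    for sa in not_ready(sas):
        print(sa["id"], sa["remote"], describe(sa))
    print(reset_commands(sas))
```

Because reset ike sa notifies the peer, clearing an SA that is merely FADING during rekey is harmless; the check is most useful for SAs that stay in TIMEOUT while display ipsec sa still shows child SAs referencing them.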
Use undo sa duration to restore the default. Syntax sa duration seconds undo sa duration Default The IKE SA lifetime is 86400 seconds. Views IKE proposal view Predefined user roles network-admin Parameters seconds: Specifies the IKE SA lifetime in seconds, in the range of 60 to 604800. Usage guidelines If the communicating peers are configured with different IKE SA lifetime settings, the smaller setting takes effect. Before an IKE SA expires, IKE negotiates a new SA.
Views System view Predefined user roles network-admin Parameters attr-not-support: Specifies SNMP notifications for attribute-unsupported failures. auth-failure: Specifies SNMP notifications for authentication failures. cert-type-unsupport: Specifies SNMP notifications for certificate-type-unsupported failures. cert-unavailable: Specifies SNMP notifications for certificate-unavailable failures. decrypt-failure: Specifies SNMP notifications for decryption failures.
SSH commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSH server commands display ssh server Use display ssh server on an SSH server to display the SSH server status or sessions.
Field Description SSH server key generating interval SSH server key pair update interval. SSH authentication retries Maximum number of authentication attempts for SSH users. SFTP server Whether the SFTP server function is enabled. SFTP server Idle-Timeout SFTP connection idle timeout timer. # Display the SSH server sessions. display ssh server session UserPid SessID Ver 184 0 2.
Parameters username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users. Usage guidelines This command only displays information about SSH users configured through the ssh user command on the SSH server. Examples # Display information about all SSH users.
Predefined user roles network-admin Examples # Enable the SFTP server function. system-view [Sysname] sftp server enable Related commands display ssh server sftp server idle-timeout Use sftp server idle-timeout to set the idle timeout timer for SFTP user connections on an SFTP server. Use undo sftp server idle-timeout to restore the default. Syntax sftp server idle-timeout time-out-value undo sftp server idle-timeout Default The idle timeout timer is 10 minutes.
Syntax ssh server acl acl-number undo ssh server acl Default An SSH server allows all IPv4 SSH clients to access the server. Views System view Predefined user roles network-admin Parameters acl-number: Specifies an ACL by its number in the range of 2000 to 4999.
Views System view Predefined user roles network-admin Parameters times: Specifies the maximum number of authentication attempts for SSH users, in the range of 1 to 5. Usage guidelines Set this limit to resist brute-force guessing of usernames and passwords. The new limit applies to users at their next login; it does not affect users who are already logged in.
Usage guidelines If a user does not finish the authentication when the timeout timer expires, the connection cannot be established. You can set a small value for the timeout timer to prevent malicious occupation of TCP connections while authentications are suspended. Examples # Set the SSH user authentication timeout timer to 10 seconds.
Syntax ssh server dscp dscp-value undo ssh server dscp Default The DSCP value in IPv4 packets sent by the SSH server is 48. Views System view Predefined user roles network-admin Parameters dscp-value: Specifies the DSCP value in the outbound IPv4 packets, in the range of 0 to 63. Usage guidelines The DSCP value of a packet specifies the priority of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.
ssh server ipv6 acl Use ssh server ipv6 acl to control access to the IPv6 SSH server. Use undo ssh server ipv6 acl to restore the default. Syntax ssh server ipv6 acl [ ipv6 ] acl-number undo ssh server ipv6 acl Default An SSH server allows all IPv6 SSH clients to access the server. Views System view Predefined user roles network-admin Parameters ipv6: Specifies the ACL type as IPv6. If this keyword is not specified, a Layer 2 ACL is applied. acl-number: Specifies an ACL by its number.
ssh server ipv6 dscp Use ssh server ipv6 dscp to set the DSCP value in the IPv6 packets that the SSH server sends to the SSH clients. Use undo ssh server ipv6 dscp to restore the default. Syntax ssh server ipv6 dscp dscp-value undo ssh server ipv6 dscp Default The DSCP value in IPv6 packets sent by the SSH server is 48. Views System view Predefined user roles network-admin Parameters dscp-value: Specifies the DSCP value in the outbound IPv6 packets, in the range of 0 to 63.
Parameters hours: Specifies an interval for updating the server key pair, in the range of 1 to 24 hours. Usage guidelines This command is not available in FIPS mode. Updating the RSA server key pair periodically limits how long a recovered or brute-forced key remains useful to an attacker and enhances the security of SSH connections. This command takes effect only on SSH clients that use SSH1 client software. Examples # Set the RSA server key pair update interval to 3 hours.
• sftp: Specifies the service type as SFTP. • stelnet: Specifies the service type as Stelnet. authentication-type: Specifies an authentication method for an SSH user: • password: Specifies password authentication. This method is simple to deploy but is the weakest of the available methods, because it relies only on the secrecy of a reusable password. It can work with AAA to implement user authentication, authorization, and accounting. • any: Specifies either password authentication or publickey authentication.
[Sysname] ssh user user1 service-type sftp authentication-type password-publickey assign publickey key1 # Create a local device management user named user1, set the password as 123456TESTplat&! in plain text and the service type as ssh, and assign the working directory as flash:, the user role as network-admin.
Predefined user roles network-admin Parameters remote-path: Specifies the name of a path on the server. Usage guidelines You can use the cd .. command to return to the upper-level directory. You can use the cd / command to return to the root directory of the system. Examples # Change the working path to new1. sftp> cd new1 Current Directory is:/new1 sftp> pwd Remote working directory: /new1 sftp> cdup Use cdup to return to the upper-level directory.
Views SFTP client view Predefined user roles network-admin Parameters remote-file: Specifies the files to delete from the server. Usage guidelines This command functions as the remove command. Examples # Delete the file temp.c from the server. sftp> delete temp.c Removing /temp.c dir Use dir to display information about the files and sub-directories under a directory.
new2
pub2
# Display detailed information about the files and sub-directories under the current working directory in the form of a list.
sftp> dir -l
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.
Views Any view Predefined user roles network-admin network-operator Examples # Display the source IP address configured for the Stelnet client. display ssh client source The source IP address of the SSH client is 192.168.0.1 The source IPv6 address of the SSH client is 2:2::2:2. Related commands • ssh client ipv6 source • ssh client source exit Use exit to terminate the connection with an SFTP server and return to user view.
Parameters remote-file: Specifies the name of a file on the SFTP server. local-file: Specifies the name for the local file. Usage guidelines If the local-file argument is not specified, the file will be saved locally with the same name as that on the server. Examples # Download the file temp1.c and save it as temp.c locally. sftp> get temp1.c temp.c Fetching /temp1.c to temp.c /temp.c 100% 1424 1.4KB/s help Use help to display help information of an SFTP client command.
put local-path [remote-path] Upload file pwd Display remote working directory quit Quit sftp rename oldpath newpath Rename remote file remove path Delete remote file rmdir path Delete remote empty directory ? Synonym for help ls Use ls to display information about the files and sub-directories under a directory. Syntax ls [ -a | -l ] [ remote-path ] Views SFTP client view Predefined user roles network-admin Parameters -a: Displays the names of the files and sub-directories under a directory.
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:18 new2
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:30 pub2

mkdir

Use mkdir to create a directory on an SFTP server.

Syntax
mkdir remote-path

Views
SFTP client view

Predefined user roles
network-admin

Parameters
remote-path: Specifies the name for the directory on an SFTP server.

Examples
# Create a directory named test on the SFTP server.
pwd Use pwd to display the current working directory of an SFTP server. Syntax pwd Views SFTP client view Predefined user roles network-admin Examples # Display the current working directory of the SFTP server. sftp> pwd Remote working directory: / The output shows that the current working directory is the root directory. quit Use quit to terminate the connection with an SFTP server and return to user view.
Predefined user roles network-admin Parameters remote-file: Specifies the files to delete from an SFTP server. Usage guidelines This command functions as the delete command. Examples # Delete the file temp.c from the SFTP server. sftp> remove temp.c Removing /temp.c rename Use rename to change the name of a file or directory on an SFTP server.
Parameters remote-path: Specifies the directories to delete from an SFTP server. Examples # Delete the sub-directory temp1 under the current directory on the SFTP server. sftp> rmdir temp1 scp Use scp to establish a connection to an IPv4 SCP server and transfer files with the server.
• rsa: Specifies the public key algorithm rsa. prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported. zlib: Specifies the compression algorithm zlib. prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. Algorithms des, 3des, aes128, and aes256 are arranged in ascending order in the aspects of security strength and calculation time.
Examples # Connect an SCP client to the SCP server 200.1.1.1, specify the public key of the server as svkey, and download the file abc.txt from the server. The SCP client uses publickey authentication. Use the following algorithms: • Preferred key exchange algorithm is dh-group14. • Preferred server-to-client encryption algorithm is aes128. • Preferred client-to-server HMAC algorithm is sha1. • Preferred server-to-client HMAC algorithm is sha1-96.
get: Downloads the file.
put: Uploads the file.
source-file-path: Specifies the directory of the source file.
destination-file-path: Specifies the directory of the target file. If this argument is not specified, the directory names of the source and target files are the same.
identity-key: Specifies the public key algorithm for the client, either dsa or rsa. The default is dsa. If the server uses publickey authentication, this keyword must be specified.
• dsa: Specifies the public key algorithm dsa.
interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is used as the source IPv6 address of the packets sent.
ipv6 ipv6-address: Specifies a source IPv6 address.

Usage guidelines
When the client's authentication method is publickey, the client must obtain the local private key for the digital signature.
port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. identity-key: Specifies the public key algorithm for the client, either dsa or rsa. The default is dsa. If the server uses publickey authentication, this keyword must be specified. • dsa: Specifies the public key algorithm dsa.
ip ip-address: Specifies a source IPv4 address.

Usage guidelines
When the server uses publickey authentication to authenticate a client, the client must obtain the local private key for the digital signature. Because publickey authentication uses the RSA or DSA algorithm, you must specify a public key algorithm (by using the identity-key keyword) so that the correct local private key is selected.

Examples
# Connect an SFTP client to the IPv4 SFTP server 10.1.1.
If you use the sftp ipv6 command to connect to an SFTP server and specify another source IPv6 address, the SFTP client uses the new source IPv6 address for the current connection instead of the one specified by the sftp client ipv6 source command. The source address specified by the sftp client ipv6 source command applies to all SFTP connections, but the source address specified by the sftp ipv6 command applies only to the current connection.
Examples # Specify the source IP address for the SFTP client as 192.168.0.1. system-view [Sysname] sftp client source ip 192.168.0.1 Related commands display sftp client source sftp ipv6 Use sftp ipv6 to connect an SFTP client to an IPv6 SFTP server and enter SFTP client view.
prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported. zlib: Specifies the compression algorithm zlib. prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. Algorithms des, 3des, aes128, and aes256 are arranged in ascending order in the aspects of security strength and calculation time. • 3des: Specifies the encryption algorithm 3des-cbc.
Examples # Connect an SFTP client to the IPv6 SFTP server 2:5::8:9 and specify the public key of the server as svkey. The SFTP client uses publickey authentication. Use the following algorithms: • Preferred key exchange algorithm is dh-group14. • Preferred server-to-client encryption algorithm is aes128. • Preferred client-to-server HMAC algorithm is sha1. • Preferred server-to-client HMAC algorithm is sha1-96. • Preferred compression algorithm between the server and client is zlib.
Examples # Specify the source IPv6 address as 2:2::2:2 for the Stelnet client. system-view [Sysname] ssh client ipv6 source ipv6 2:2::2:2 Related commands display ssh client source ssh client source Use ssh client source to specify the source IPv4 address or source interface for the Stelnet client. Use undo ssh client source to remove the configuration.
ssh2 Use ssh2 to establish a connection to an IPv4 Stelnet server.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. Algorithm sha1 features stronger security but costs more time in calculation than md5. • md5: Specifies the HMAC algorithm hmac-md5. • md5-96: Specifies the HMAC algorithm hmac-md5-96. • sha1: Specifies the HMAC algorithm hmac-sha1. • sha1-96: Specifies the HMAC algorithm hmac-sha1-96. prefer-kex: Specifies the preferred key exchange algorithm.
ssh2 ipv6 Use ssh2 ipv6 to establish a connection to an IPv6 Stelnet server.
• aes128: Specifies the encryption algorithm aes128-cbc. • aes256: Specifies the encryption algorithm aes256-cbc. • des: Specifies the encryption algorithm des-cbc. prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. Algorithm sha1 features stronger security but costs more time in calculation than md5. • md5: Specifies the HMAC algorithm hmac-md5. • md5-96: Specifies the HMAC algorithm hmac-md5-96. • sha1: Specifies the HMAC algorithm hmac-sha1.
ssh2 ipv6 2000::1 prefer-kex dh-group14 prefer-stoc-cipher aes128 prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib publickey svkey
ASPF commands aspf Use aspf to apply an ASPF policy to an interface. Use undo aspf to remove an ASPF policy from an interface. Syntax aspf policy aspf-policy-number { inbound | outbound } undo aspf policy aspf-policy-number { inbound | outbound } Default No ASPF policy exists on an interface. Views Interface view Predefined user roles network-admin Parameters aspf-policy-number: Specifies an ASPF policy number. The value range for this argument is 1 to 256.
Use undo aspf policy to remove an ASPF policy. Syntax aspf policy aspf-policy-number undo aspf policy aspf-policy-number Default No ASPF policy exists. Views System view Predefined user roles network-admin Parameters aspf-policy-number: Assigns a number for the ASPF policy. The value range for this argument is 1 to 256. Examples # Create ASPF policy 1 and enter ASPF policy view.
gtp: Specifies GTP, an application layer protocol. h323: Specifies H.323 protocol stack, application layer protocols. icmp: Specifies ICMP, a transport layer protocol. icmpv6: Specifies ICMPv6, a transport layer protocol. rawip: Specifies Raw IP, a transport layer protocol. rstp: Specifies RSTP, an application layer protocol. sctp: Specifies SCTP, a transport layer protocol. sip: Specifies SIP, an application layer protocol. tcp: Specifies TCP, a transport layer protocol.
Examples
# Display the configuration of all ASPF policies and their applications.
display aspf all
ASPF policy configuration:
  Policy number: 1
    Enable ICMP error message check
    Disable TCP SYN packet check
    Detect these protocols: FTP TCP
Interface configuration:
  Ethernet1/1
    Inbound policy : 1
    Outbound policy: none

Table 39 Command output
Field | Description
Enable ICMP error message check | Drop ICMP error messages.
network-operator

Examples
# Display ASPF policies applied to interfaces.
display aspf interface
Interface configuration:
  Ethernet0/1
    Inbound policy : 1
    Outbound policy: none

Table 40 Command output
Field | Description
Interface configuration | ASPF policies applied to interfaces.
Inbound policy | Number of the inbound ASPF policy.
Outbound policy | Number of the outbound ASPF policy.
Table 41 Command output Field Description Enable ICMP error message check Drop ICMP error messages. Enable TCP SYN packet check Drop any non-SYN packet that is the first packet over a TCP connection. Disable ICMP error message check Do not drop ICMP error messages. Disable TCP SYN packet check Do not drop any non-SYN packet that is the first packet over a TCP connection. Detect these protocols Protocols inspected by ASPF.
  Destination IP/port: 192.168.1.55/2048
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
Total sessions found: 2
# Display general information for IPv4 ASPF sessions. (MSR4000)
display aspf session ipv4
Slot 0:
Initiator:
  Source      IP/port: 192.168.1.18/1877
  Destination IP/port: 192.168.1.55/22
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: TCP(6)
Initiator:
  Source      IP/port: 192.168.1.18/1792
  Destination IP/port: 192.168.1.
  Destination IP/port: 192.168.1.18/0
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
State: ICMP_REPLY
Application: INVALID
Start time: 2011-07-29 19:12:33  TTL: 55s
Interface(in) : Ethernet0/1
Interface(out): Ethernet0/2
Initiator->Responder: 1 packets 60 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 2
# Display detailed information for IPv4 ASPF sessions. (MSR4000)
display aspf session ipv4 verbose
Slot 0:
  Source      IP/port: 192.168.1.
Responder->Initiator: 0 packets 0 bytes Total sessions found: 2 Table 42 Command output Field Description Initiator Session information for the connection from initiator to responder. Responder Session information for the connection from responder to initiator. Source IP/port Source IP address and port number. Dest IP/port Destination IP address and port number. VPN-instance/VLAN ID/VLL ID • VPN-instance—MPLS L3VPN where the session is initiated.
Default
The ICMP error message check is disabled.

Views
ASPF policy view

Predefined user roles
network-admin

Usage guidelines
A normal ICMP error message carries information about the corresponding connection. If that information does not match the connection, ASPF permits or discards the packet as configured.

Examples
# Configure ASPF policy 1 to drop forged ICMP error messages.
tcp syn-check

Use tcp syn-check to configure ASPF to drop any non-SYN packet that is the first packet over a TCP connection.
Use undo tcp syn-check to restore the default.

Syntax
tcp syn-check
undo tcp syn-check

Default
ASPF does not drop any non-SYN packet that is the first packet over a TCP connection.

Views
ASPF policy view

Predefined user roles
network-admin

Usage guidelines
ASPF supports first-packet inspection for TCP connections.
APR commands app-group Use app-group to create an application group and enter application group view. Use undo app-group to remove the specified application group. Syntax app-group group-name undo app-group group-name Default Multiple pre-defined application groups exist on the device. Views System view Predefined user roles network-admin Parameters group-name: Specifies an application group by its name, a case-insensitive string of 1 to 63 characters.
Syntax application statistics enable [ inbound | outbound ] undo application statistics enable [ inbound | outbound ] Default The application statistics function is disabled on an interface. Views Layer 3 interface view Predefined user roles network-admin Parameters inbound: Specifies the inbound direction of the interface. outbound: Specifies the outbound direction of the interface.
Views Application group view Predefined user roles network-admin Parameters group-name: Specifies the name of the source application group, a case-insensitive string of 1 to 63 characters. Usage guidelines Execute this command multiple times to copy application protocols in different groups to the current group. Examples # Copy application protocols in group bcd to group abc.
Related commands app-group display app-group Use display app-group to display information about the specified application groups. Syntax display app-group [ name group-name | pre-defined | user-defined ] Views User view Predefined user roles network-admin network-operator Parameters name group-name: Specifies an application group by its name. The group-name argument is a case-insensitive string of 1 to 63 characters. pre-defined: Specifies the predefined application groups.
p2p Pre-defined productivity-tools Pre-defined routing 0x00000006 0x00000012 Pre-defined shopping-and-bank Pre-defined 0x00000011 0x0000000c stock Pre-defined 0x0000000b voip Pre-defined 0x00000007 # Display information about all application groups.
Field | Description
Group ID | ID of the application group.
Type | Attribute of the application protocol or application group: Pre-defined or User-defined.
Application count | Number of application protocols in the application group.
Include application list | Application protocol list of the application group.
Application name | Name of the application protocol.
App ID | ID of the application protocol.
aol          Pre-defined  0x00000003  No  No
appleqtc     Pre-defined  0x00000004  No  No
bgp          Pre-defined  0x00000005  No  No
bittorrent   Pre-defined  0x00000006  No  No
bootpc       Pre-defined  0x00000007  No  No
bootps       Pre-defined  0x00000008  No  No
...
# Display information about all user-defined application protocols.
Field | Description
Type | Attribute of the application protocol: Pre-defined or User-defined.
App ID/Application ID | ID of the application protocol.
Tunnel | Whether the protocol is a tunnel protocol (for example, L2TP).
Encrypted | Whether the protocol is a cryptographic protocol (for example, HTTPS).

Related commands
• app-group
• include

display application statistics

Use display application statistics to display statistics for the specified application protocols.
name application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines If no option or keyword is specified, this command displays statistics for application protocols on all interfaces in both the inbound and outbound directions. This command displays statistics for application protocols only after the application statistics function is enabled on the specified interfaces.
Application In/Out Packets Bytes PPS BPS appaaaaasg IN 190023111111111111 252334402111111111 2342222222 3411222222 app2 IN 2195 18560000 300 654222 APP3 IN 2195 17560000 300 45161 # Display application statistics in the outbound direction of interface Ethernet 1/1.
display application statistics top Use display application statistics top to display statistics for application protocols on an interface in descending order based on the specified criteria.
Application   In/Out  Packets             Bytes               PPS         BPS
appaaaaasg    IN      190023111111111111  252334402111111111  2342222222  3411222222
              OUT     170034              270011351           3211        451134
app2          IN      2196                18560000            300         654222
              OUT     21986666666         655555555123123101  55551       5454125111
aPP3          IN      2195                17560000            300         45161
              OUT     21986666666         5555555551231231    55551       5454125111
# Display the top three application protocols that have received and sent the most bytes on interface Ethernet 1/1.
Field | Description
In/Out | Interface direction: In or Out.
Packets | Number of packets received or sent by the interface.
Bytes | Number of bytes received or sent by the interface.
PPS | Packets received or sent per second.
BPS | Bytes received or sent per second.

Related commands
• app-group
• application statistics enable

display port-mapping pre-defined

Use display port-mapping pre-defined to display the pre-defined port mappings.
Field Description Protocol Transport layer protocol. Port Port number to which the application protocol is mapped. Related commands • display port-mapping • port-mapping display port-mapping user-defined Use display port-mapping user-defined to display the user-defined port mappings.
Table 48 Command output Field Description Application Application protocol using port mapping. Port Port number to which the application protocol is mapped. Protocol Transport layer protocol. Match types: • ---—No match types or match conditions are specified, and all packets are recognized as the packets of the specified application protocol. • IPv4 host—A match based on the destination IPv4 addresses of the packet.
Parameters
application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. Valid characters include digits, letters, hyphens (-), and underscores (_). The names "invalid" and "other" are not allowed.

Usage guidelines
Execute this command multiple times to add multiple pre-defined or user-defined application protocols to a user-defined application group. A maximum of 65535 user-defined application protocols can be added to an application group.
• sctp: Specifies SCTP. • tcp: Specifies TCP. • udp: Specifies UDP. • udp-lite: Specifies UDP-Lite. Usage guidelines If no transport layer protocol is specified, all packets encapsulated by the transport layer protocols are recognized as the packets of the specified application protocol. If the destination port of a packet matches a general port mapping, APR recognizes the packet as that of the specified application protocol.
• sctp: Specifies SCTP. • tcp: Specifies TCP. • udp: Specifies UDP. • udp-lite: Specifies UDP-Lite. acl [ ipv6 ] acl-number: Specifies the number of an ACL, in the range of 2000 to 2999. To specify an IPv6 ACL, include the ipv6 keyword. To specify an IPv4 ACL, do not include the ipv6 keyword. Usage guidelines If no transport layer protocol is specified, all packets encapsulated by the transport layer protocols are recognized as the packets of the specified application protocol.
protocol protocol-name: Specifies a transport layer protocol by its name, including: • dccp: Specifies DCCP. • sctp: Specifies SCTP. • tcp: Specifies TCP. • udp: Specifies UDP. • udp-lite: Specifies UDP-Lite. { ip | ipv6 } start-ip-address [ end-ip-address ]: Specifies a range of IPv4 or IPv6 addresses. The ip keyword specifies the IPv4 addresses, and the ipv6 keyword specifies the IPv6 addresses. To specify only one IP address, provide only the start IP address.
undo port-mapping application application-name port port-number [ protocol protocol-name ] subnet { ip ipv4-address { mask-length | mask } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ] Default An application protocol is mapped to a well-known port. Views System view Predefined user roles network-admin Parameters application application-name: Specifies an application protocol by its name, a case-insensitive string. The name must be recognizable to the device.
[Sysname] port-mapping application ftp port 3456 subnet ip 1.1.1.0 24
# Create a mapping of port 3456 to FTP for the packets sent to the IPv6 hosts on subnet 1::/120.
system-view
[Sysname] port-mapping application ftp port 3456 subnet ipv6 1:: 120

Related commands
display port-mapping user-defined

reset application statistics

Use reset application statistics to clear application statistics for an interface or all interfaces.
Session management commands display session aging-time application Use display session aging-time application to display the aging time for sessions of different application layer protocols. Syntax display session aging-time application Views Any view Predefined user roles network-admin network-operator Examples # Display the aging time for sessions of different application layer protocols.
Views Any view Predefined user roles network-admin network-operator Examples # Display the aging time for sessions in different protocol states.
MSR4000: display session relation-table { ipv4 | ipv6 } [slot slot-number ] Views Any view Predefined user roles network-admin network-operator Parameters ipv4: Specifies IPv4 relation entries. ipv6: Specifies IPv6 relation entries. slot slot-number: Specifies a card by its slot number. (MSR4000) Usage guidelines If no card is specified, this command displays relation entries on all cards. (MSR4000) Examples # Display all IPv4 relation entries.
Total entries found: 2
# Display all IPv6 relation entries. (MSR2000/MSR3000)
display session relation-table ipv6
Source      IP:      2011::0002
Destination IP/port: 2011::0008/1212
DS-Lite tunnel peer:
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
App: FTP-DATA
TTL: 567s
Total entries found: 1
# Display all IPv6 relation entries.
Syntax MSR2000/MSR3000: display session statistics MSR4000: display session statistics [ slot slot-number ] Views Any view Predefined user roles network-admin network-operator Parameters slot slot-number: Specifies a card by its slot number. (MSR4000) Usage guidelines If no card is specified, this command displays session statistics for all cards. (MSR4000) Examples # Display session statistics.
DCCP sessions: 0
  DCCP_REQUEST: 0
  DCCP_RESPOND: 0
  DCCP_PARTOPEN: 0
  DCCP_OPEN: 0
  DCCP_CLOSEREQ: 0
  DCCP_CLOSING: 0
  DCCP_TIMEWAIT: 0
RAWIP sessions: 0
  RAWIP_OPEN: 0
  RAWIP_READY: 0
Current relation-table entries: 0
Session establishment rate: 0
  TCP: 0/s
  UDP: 0/s
  ICMP: 0/s
  ICMPv6: 0/s
  UDP-Lite: 0/s
  SCTP: 0/s
  DCCP: 0/s
  RAWIP: 0/s
Received TCP    : 0 packets 0 bytes
Received UDP    : 118 packets 13568 bytes
Received ICMP   : 105 packets 8652 bytes
Received ICMPv6 : 0 packets 0 bytes
Field Description DCCP sessions Number of DCCP sessions and number of DCCP sessions in different states. RAWIP sessions Number of Raw IP sessions and number of Raw IP sessions in different states. Current relation-table entries Total number of relation entries. Session establishment rate Session establishment rate, and rates for establishing sessions of different protocols. Received TCP Number of received TCP packets and packet bytes.
destination-ip destination-ip: Specifies a destination IP address. The destination-ip argument specifies the destination IP address of a session from the initiator to the responder. verbose: Displays detailed information about session entries. If you do not provide this keyword, this command displays brief information about session entries. Usage guidelines If no card is specified, this command displays the session entries that match specific criteria on all cards.
  Protocol: TCP(6)
Responder:
  Source      IP/port: 192.168.1.55/22
  Destination IP/port: 192.168.1.18/1877
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: TCP(6)
State: TCP_SYN_SENT
Application: SSH
Start time: 2011-07-29 19:12:36  TTL: 28s
Interface(in) : Ethernet0/2
Interface(out): Ethernet0/1
Initiator->Responder: 1 packets 48 bytes
Responder->Initiator: 0 packets 0 bytes
Initiator:
  Source      IP/port: 192.168.1.18/1792
  Destination IP/port: 192.168.1.
Start time: 2011-07-29 19:12:36  TTL: 28s
Interface(in) : Ethernet1/2
Interface(out): Ethernet1/8
Initiator->Responder: 1 packets 48 bytes
Responder->Initiator: 0 packets 0 bytes
Initiator:
  Source      IP/port: 192.168.1.18/1792
  Destination IP/port: 192.168.1.55/2048
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
Responder:
  Source      IP/port: 192.168.1.55/1792
  Destination IP/port: 192.168.1.
  Source      IP/port: 2011::2/58473
  Destination IP/port: 2011::8/32768
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: IPV6-ICMP(58)
Responder:
  Source      IP/port: 2011::8/58473
  Destination IP/port: 2011::2/33024
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: IPV6-ICMP(58)
State: ICMPV6_REQUEST
Application: OTHER
Start time: 2011-07-29 19:23:41  TTL: 55s
Interface(in) : Ethernet0/2
Interface(out): Ethernet0/2
Initiator->Responder: 1 packets 104 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
Field | Description
VPN instance/VLAN ID/VLL ID | MPLS L3VPN to which the session belongs, and the VLAN and INLINE to which the session belongs during Layer 2 forwarding. If any of them is not specified, a hyphen (-) is displayed in the corresponding field.
Protocol | Transport layer protocol: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite. The number in the brackets indicates the protocol number.
State | Session state.
Application | Application layer protocol, FTP or DNS.
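The verbose session output above is what an operator pastes into a ticket when investigating traffic through the router. The following parser, added here as an example and not part of the HP documentation or Comware software, turns that output into records and then flags half-open TCP sessions (state TCP_SYN_SENT with nothing returned by the responder), a quick way to spot one source probing or flooding services behind the device. The sample text is constructed from the field names shown in the manual; the exact line layout and indentation are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of "display session table ipv4 verbose".
# Field names follow the manual; the line layout is an assumption.
SAMPLE_OUTPUT = """\
Slot 0:
Initiator:
  Source      IP/port: 192.168.1.18/1877
  Destination IP/port: 192.168.1.55/22
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: TCP(6)
Responder:
  Source      IP/port: 192.168.1.55/22
  Destination IP/port: 192.168.1.18/1877
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: TCP(6)
State: TCP_SYN_SENT
Application: SSH
Start time: 2011-07-29 19:12:36  TTL: 28s
Interface(in) : Ethernet0/2
Interface(out): Ethernet0/1
Initiator->Responder: 1 packets 48 bytes
Responder->Initiator: 0 packets 0 bytes
Initiator:
  Source      IP/port: 192.168.1.18/1792
  Destination IP/port: 192.168.1.55/2048
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
Responder:
  Source      IP/port: 192.168.1.55/1792
  Destination IP/port: 192.168.1.18/0
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
State: ICMP_REPLY
Application: INVALID
Start time: 2011-07-29 19:12:33  TTL: 55s
Interface(in) : Ethernet0/1
Interface(out): Ethernet0/2
Initiator->Responder: 1 packets 60 bytes
Responder->Initiator: 1 packets 60 bytes
Total sessions found: 2
"""


@dataclass
class Endpoint:
    """One direction of a session (the Initiator or Responder block)."""
    src_ip: str = ""
    src_port: int = 0
    dst_ip: str = ""
    dst_port: int = 0
    protocol: str = ""
    protocol_num: int = 0


@dataclass
class Session:
    initiator: Endpoint = field(default_factory=Endpoint)
    responder: Endpoint = field(default_factory=Endpoint)
    state: str = ""
    application: str = ""
    ttl_seconds: int = 0
    in_iface: str = ""
    out_iface: str = ""
    fwd_packets: int = 0   # Initiator->Responder
    fwd_bytes: int = 0
    rev_packets: int = 0   # Responder->Initiator
    rev_bytes: int = 0


# "Source IP/port: 2011::2/58473": the greedy \S+ backtracks to the last "/",
# so IPv6 addresses with embedded colons are handled as well as IPv4.
IPPORT_RE = re.compile(r"^(Source|Destination)\s+IP/port:\s*(\S+)/(\d+)$")
PROTO_RE = re.compile(r"^Protocol:\s*([A-Z0-9-]+)\((\d+)\)$")
COUNT_RE = re.compile(r"^(Initiator->Responder|Responder->Initiator):\s*(\d+) packets (\d+) bytes$")
TTL_RE = re.compile(r"TTL:\s*(\d+)s")


def parse_sessions(text: str) -> List[Session]:
    """Split the verbose output into Session records, one per 'Initiator:' block."""
    sessions: List[Session] = []
    current: Optional[Session] = None
    side: Optional[Endpoint] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Initiator:":
            current = Session()
            sessions.append(current)
            side = current.initiator
            continue
        if current is None:          # "Slot 0:" header and anything before the first record
            continue
        if line == "Responder:":
            side = current.responder
            continue
        m = IPPORT_RE.match(line)
        if m and side is not None:
            if m.group(1) == "Source":
                side.src_ip, side.src_port = m.group(2), int(m.group(3))
            else:
                side.dst_ip, side.dst_port = m.group(2), int(m.group(3))
            continue
        m = PROTO_RE.match(line)
        if m and side is not None:
            side.protocol, side.protocol_num = m.group(1), int(m.group(2))
            continue
        m = COUNT_RE.match(line)
        if m:
            pkts, byts = int(m.group(2)), int(m.group(3))
            if m.group(1) == "Initiator->Responder":
                current.fwd_packets, current.fwd_bytes = pkts, byts
            else:
                current.rev_packets, current.rev_bytes = pkts, byts
            continue
        if line.startswith("State:"):
            current.state = line.split(":", 1)[1].strip()
        elif line.startswith("Application:"):
            current.application = line.split(":", 1)[1].strip()
        elif line.startswith("Start time:"):
            t = TTL_RE.search(line)
            current.ttl_seconds = int(t.group(1)) if t else 0
        elif line.startswith("Interface(in)"):
            current.in_iface = line.split(":", 1)[1].strip()
        elif line.startswith("Interface(out)"):
            current.out_iface = line.split(":", 1)[1].strip()
    return sessions


def half_open_by_source(sessions: List[Session]) -> Dict[str, int]:
    """Count TCP sessions per initiator IP that are still in TCP_SYN_SENT with no reply."""
    counts: Dict[str, int] = {}
    for s in sessions:
        if s.initiator.protocol == "TCP" and s.state == "TCP_SYN_SENT" and s.rev_packets == 0:
            counts[s.initiator.src_ip] = counts.get(s.initiator.src_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for src, n in half_open_by_source(parse_sessions(SAMPLE_OUTPUT)).items():
        print(f"{src}: {n} half-open TCP session(s)")
```

A persistently high count for one source, compared against the device's session establishment rate from display session statistics, is the kind of signal that justifies a connection limit policy or an ASPF tcp syn-check on the facing interface.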
Predefined user roles network-admin Parameters slot slot-number: Specifies a card by its slot number. (MSR4000) source-ip source-ip: Specifies a source IPv4 address. The source-ip argument specifies the source IPv4 address of a session from the initiator to the responder. destination-ip destination-ip: Specifies a destination IPv4 address. The destination-ip argument specifies the destination IPv4 address of a session from the initiator to the responder.
reset session table ipv6 [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] Views User view Predefined user roles network-admin Parameters slot slot-number: Specifies a card by its slot number. (MSR4000) source-ip source-ip: Specifies a source IPv6 address.
reset session table MSR4000: reset session table [ slot slot-number ] Views User view Predefined user roles network-admin Parameters slot slot-number: Specifies a card by its slot number. (MSR4000) Usage guidelines If no card is specified, this command clears the session entries on all cards. (MSR4000) Examples # Clear all IPv4 and IPv6 session entries.
Related commands display session statistics reset session relation-table Use reset session relation-table to clear relation entries. Syntax MSR2000/MSR3000: reset session relation-table [ ipv4 | ipv6 ] MSR4000: reset session relation-table [ ipv4 | ipv6 ] [ slot slot-number ] Views User view Predefined user roles network-admin Parameters ipv4: Specifies IPv4 relation entries. ipv6: Specifies IPv6 relation entries. slot slot-number: Specifies a card by its slot number.
Default The aging time for sessions of application layer protocols is as follows: • DNS sessions: 60 seconds. • FTP sessions: 3600 seconds. • GTP: 60 seconds. • H.225: 3600 seconds. • H.245: 3600 seconds. • RAS: 300 seconds. • RSTP: 3600 seconds. • SIP sessions: 300 seconds. • TFTP: 60 seconds. Views System view Predefined user roles network-admin Parameters dns: Specifies the DNS protocol. ftp: Specifies the FTP protocol. gtp: Specifies the GTP protocol. h225: Specifies the H.
• session aging-time state • session persistent acl session aging-time state Use session aging-time state to set the aging time for the sessions in a protocol state. Use undo session aging-time state to restore the default. If no protocol state is specified, this command restores all aging time for sessions in different protocol states to the default.
Usage guidelines This command sets the aging time for stable sessions of the application layer protocols that are not supported by the session aging-time application command. For persistent sessions, the aging time is set by the session persistent acl command. Examples # Set the aging time for TCP sessions in SYN-SENT and SYN-RCV states to 60 seconds.
• session log time-active session log enable Use session log enable to enable session logging. Use undo session log enable to disable session logging. Syntax session log enable { ipv4 | ipv6 } [ acl acl-number ] { inbound | outbound } undo session log enable { ipv4 | ipv6 } [ acl acl-number ] { inbound | outbound } Default Session logging is disabled. Views Interface view Predefined user roles network-admin Parameters ipv4: Logs IPv4 sessions. ipv6: Logs IPv6 sessions.
# Enable session logging on GigabitEthernet 1/3 for IPv6 sessions that match ACL 2050 in the outbound direction. system-view [Sysname] interface gigabitethernet 1/3 [Sysname-GigabitEthernet1/3] session log enable ipv6 acl 2050 outbound Related commands • session log bytes-active • session log packets-active • session log time-active session log packets-active Use session log packets-active to set the packet-based threshold for traffic-based logging.
session log time-active

Use session log time-active to set the time-based session logging.
Use undo session log time-active to restore the default.

Syntax
session log time-active time-value
undo session log time-active

Default
The device does not output session logs.

Views
System view

Predefined user roles
network-admin

Parameters
time-value: Sets the interval in minutes. The value range for the time-value argument is 10 to 120, and the value must be a multiple of 10.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies an IPv6 ACL. To specify an IPv4 ACL, do not specify this keyword.
acl-number: Specifies an ACL by its number in the range of 2000 to 3999.
aging-time time-value: Sets the aging time for persistent sessions in hours. The value range for the time-value argument is 0 to 360, and the default value is 24. To disable aging for persistent sessions, set the value to 0 hours.
Views
System view
Predefined user roles
network-admin
Parameters
max-value: Sets the maximum number of sessions. The value range is from 0 to 1000000.
Usage guidelines
Excessive session entries occupy memory resources and might adversely affect other services. Set a proper upper limit according to the memory use of your device. When the number of sessions on the device reaches the upper limit, the device does not create more sessions until the number of sessions drops below the upper limit.
Connection limit configuration commands

connection-limit apply
Use connection-limit apply to apply a connection limit policy to an interface. Use undo connection-limit apply to remove the application.
Syntax
connection-limit apply { ipv6-policy | policy } policy-id
undo connection-limit apply { ipv6-policy | policy }
Default
No connection limit policy is applied to an interface.
Views
Interface view
Predefined user roles
network-admin
Parameters
ipv6-policy: Specifies an IPv6 connection limit policy.
connection-limit apply global
Use connection-limit apply global to apply a connection limit policy globally. Use undo connection-limit apply global to remove the application.
Syntax
connection-limit apply global { ipv6-policy | policy } policy-id
undo connection-limit apply global { ipv6-policy | policy }
Default
No connection limit policy is applied globally.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6-policy: Specifies an IPv6 connection limit policy.
Default
No connection limit policy exists.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6-policy: Specifies an IPv6 connection limit policy.
policy: Specifies an IPv4 connection limit policy.
policy-id: Specifies the ID of a connection limit policy. IPv4 and IPv6 connection limit policies are numbered independently of each other. The value range for this argument is 1 to 32.
Examples
# Create IPv4 connection limit policy 1 and enter its view.
policy-id: Specifies the ID of a connection limit policy. The value range for this argument is 1 to 32.
all: Displays all connection limit policies.
Examples
# Display information about all IPv4 connection limit policies.
3 Src 100 90 3020 200 -- 100000 89000 2005
# Display information about IPv6 connection limit policy 3.
display connection-limit ipv6-policy 3
IPv6 connection limit policy 3 has been applied 3 times, and has 2 limit rules.
display connection-limit ipv6-stat-nodes
Use display connection-limit ipv6-stat-nodes to display statistics about IPv6 connections matching connection limit rules globally or on an interface.
Examples
# (MSR2000/MSR3000.) Display statistics about all IPv6 connections matching the connection limit rule on Ethernet 1/1.
display connection-limit ipv6-stat-nodes interface vlan-interface 10 slot 2 count
Slot 2:
Current limit statistic nodes count is 1.
Table 55 Command output
Field            Description
Src IP address   Source IP address.
Dst IP address   Destination IP address.
VPN instance     MPLS L3VPN to which the IP address belongs. "---" indicates that the IP address is on the public network.
Tunnel ID        ID of the DS-Lite tunnel. "---" indicates that the connection does not belong to any DS-Lite tunnel.
network-operator
Parameters
global: Displays the global connection limit statistics.
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Displays the connection limit statistics on a specified card or a virtual interface, where the slot-number argument represents the number of the slot that holds the card. This option is visible only when you specify the global keyword or specify a virtual interface (such as a tunnel interface). (MSR4000.
MSR4000:
display connection-limit stat-nodes { global | interface interface-type interface-number } [ slot slot-number ] [ destination destination-ip | service-port port-number | source source-ip ] * [ count ]
Views
User view
Predefined user roles
network-admin
network-operator
Parameters
global: Displays statistics about IPv4 connections matching connection limit rules globally.
interface interface-type interface-number: Specifies an interface by its type and number.
Limit rule ID            : 100(ACL: 3001)
Sessions threshold Hi/Lo : 1100000/980000
Sessions count           : 1050000
New session flag         : Permit
# (MSR2000/MSR3000.) Display statistics about all IPv4 connections matching the connection limit rule on VLAN-interface 2.
display connection-limit stat-nodes interface vlan-interface 2
Src IP address : 100.100.100.100
VPN instance   : 0123456789012345678901234567890
Dst IP address : 200.200.200.
Field          Description
VPN instance   MPLS L3VPN to which the IP address belongs. "---" indicates that the IP address is on the public network.
Tunnel ID      ID of the DS-Lite tunnel. "---" indicates that the connection does not belong to any DS-Lite tunnel.
Service        Protocol name and service port number. A protocol without a well-known name is displayed as "unknown(xx)," where "xx" indicates the protocol number.
ipv6: References an IPv6 ACL. If this keyword is not specified, an IPv4 ACL is referenced. This keyword exists only in IPv6 connection limit policy view.
acl-number: Specifies the ACL number in the range of 2000 to 3999.
name acl-name: Specifies the ACL name.
per-destination: Limits connections by destination IP address.
per-service: Limits connections by service port.
per-source: Limits connections by source IP address.
max-amount: Specifies the upper connection limit in the range of 1 to 1000000.
[Sysname-acl6-basic-2001] rule permit source 2:1::/96
[Sysname-acl6-basic-2001] quit
[Sysname] connection-limit ipv6-policy 12
[Sysname-connlmt-ipv6-policy-12] limit 2 acl ipv6 2001 per-destination amount 200 100
Related commands
• connection-limit
• display connection-limit

reset connection-limit statistics
Use reset connection-limit statistics to clear the connection limit statistics globally or on an interface.
ARP attack protection commands

Unresolvable IP attack protection commands

arp resolving-route enable
Use arp resolving-route enable to enable ARP blackhole routing. Use undo arp resolving-route enable to disable ARP blackhole routing.
Syntax
arp resolving-route enable
undo arp resolving-route enable
Default
ARP blackhole routing is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Configure this feature on the gateways.
undo arp source-suppression enable
Default
The ARP source suppression function is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Configure this feature on the gateways.
Examples
# Enable the ARP source suppression function.
system-view
[Sysname] arp source-suppression limit 100
Related commands
display arp source-suppression

display arp source-suppression
Use display arp source-suppression to display information about the current ARP source suppression configuration.
Syntax
display arp source-suppression
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display information about the current ARP source suppression configuration.
undo arp rate-limit [ pps ]
Default
The ARP packet rate limit function is enabled. The rate limit varies by device model.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
pps: Specifies the upper limit for the ARP packet rate in pps, in the range of 10 to 5000.
Examples
# Specify the maximum ARP packet rate on Ethernet 1/1 as 50 pps.
Syntax
arp rate-limit log interval seconds
undo arp rate-limit log interval
Default
The device sends notifications or outputs log messages at an interval of 60 seconds when the receiving rate of ARP packets on an interface exceeds the rate limit.
Views
System view
Predefined user roles
network-admin
Parameters
seconds: Specifies an interval for sending notifications and outputting log messages. The value range is 1 to 86400 seconds.
Predefined user roles
network-admin
Usage guidelines
Use this command together with the snmp-agent target-host command. The snmp-agent target-host command specifies the notification type (inform or trap) and the destination host.
Examples
# Enable the device to send notifications for ARP rate limit.
Examples
# Enable source MAC-based ARP attack detection and specify the filter handling method.
system-view
[Sysname] arp source-mac filter

arp source-mac aging-time
Use arp source-mac aging-time to configure the aging time for ARP attack entries. Use undo arp source-mac aging-time to restore the default.
Syntax
arp source-mac aging-time time
undo arp source-mac aging-time
Default
The aging time for ARP attack entries is 300 seconds (5 minutes).
Parameters
mac-address&<1-n>: MAC address list. The mac-address argument indicates an excluded MAC address in the format H-H-H. &<1-n> indicates the number of excluded MAC addresses that you can configure. The value of the n argument is 64.
Usage guidelines
If you do not specify any MAC address, the undo arp source-mac exclude-mac command removes all excluded MAC addresses.
Examples
# Exclude a MAC address from source MAC-based ARP attack detection.
display arp source-mac [ interface interface-type interface-number ]
MSR4000:
display arp source-mac { slot slot-number | interface interface-type interface-number }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Displays ARP attack entries detected on a specific interface.
slot slot-number: Displays ARP attack entries detected on a specific card. The slot-number argument specifies the slot number of the card.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Configure this feature on gateways. After you execute this command, the gateway device can filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.
Examples
# Enable ARP packet source MAC address consistency check.
Authorized ARP commands

arp authorized enable
Use arp authorized enable to enable authorized ARP on an interface. Use undo arp authorized enable to restore the default.
Syntax
arp authorized enable
undo arp authorized enable
Default
Authorized ARP is not enabled on the interface.
Views
Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view
Predefined user roles
network-admin
Examples
# Enable authorized ARP on Ethernet 1/1.
Predefined user roles
network-admin
Examples
# Enable ARP detection for VLAN 2.
system-view
[Sysname] vlan 2
[Sysname-vlan2] arp detection enable

arp detection trust
Use arp detection trust to configure a port as an ARP trusted port. Use undo arp detection trust to restore the default.
Syntax
arp detection trust
undo arp detection trust
Default
An interface is an ARP untrusted interface.
Predefined user roles
network-admin
Parameters
dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
ip: Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP requests. All-zero, all-one, or multicast IP addresses are considered invalid and the corresponding packets are discarded.
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the VLANs enabled with ARP detection.
display arp detection
ARP detection is enabled in the following VLANs:
1-2, 4-5
Related commands
arp detection enable

display arp detection statistics
Use display arp detection statistics to display ARP detection statistics.
Table 59 Command output
Field              Description
State              State of an interface:
                   • U—ARP untrusted interface.
                   • T—ARP trusted interface.
Interface(State)   Inbound interface of ARP packets. State specifies the port state, trusted or untrusted.
IP                 Number of ARP packets discarded due to invalid source and destination IP addresses.
Src-MAC            Number of ARP packets discarded due to invalid source MAC address.
Dst-MAC            Number of ARP packets discarded due to invalid destination MAC address.
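The validity checks described for the dst-mac and ip parameters, the source MAC consistency check, and the per-interface discard counters of Table 59, modelled in Python as an added example written for this page (not HP code). The packet layout, the order in which the checks are applied, and the sample traffic are assumptions constructed for the example.

```python
"""ARP detection validity checks (src-mac, dst-mac, ip) with Table 59-style
discard counters. Added example for this page, not HP firmware code; the
packet fields, check order and sample traffic are constructed assumptions."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Address

ZERO_MAC = "0000-0000-0000"
BROADCAST_MAC = "ffff-ffff-ffff"
REQUEST, REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    eth_src_mac: str   # Ethernet header source MAC (H-H-H format)
    eth_dst_mac: str   # Ethernet header destination MAC
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str    # ARP body sender hardware address
    sender_ip: str
    target_mac: str    # ARP body target hardware address
    target_ip: str


def ip_is_invalid(ip: str) -> bool:
    """ip check: all-zero, all-one, or multicast addresses are invalid."""
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast


def validate(pkt: ArpPacket, checks=("src-mac", "dst-mac", "ip")):
    """Return None if the packet passes every enabled check, otherwise the
    Table 59 counter name of the failed check. Check order is an assumption."""
    # src-mac: sender MAC in the ARP body must equal the Ethernet source MAC
    if "src-mac" in checks and pkt.eth_src_mac.lower() != pkt.sender_mac.lower():
        return "Src-MAC"
    # dst-mac: applies to replies only; target MAC must be unicast and match the frame
    if "dst-mac" in checks and pkt.opcode == REPLY:
        tgt = pkt.target_mac.lower()
        if tgt in (ZERO_MAC, BROADCAST_MAC) or tgt != pkt.eth_dst_mac.lower():
            return "Dst-MAC"
    # ip: sender and target IP for replies, sender IP only for requests
    if "ip" in checks:
        ips = (pkt.sender_ip, pkt.target_ip) if pkt.opcode == REPLY else (pkt.sender_ip,)
        if any(ip_is_invalid(ip) for ip in ips):
            return "IP"
    return None


class ArpDetectionStats:
    """Per-interface discard counters like display arp detection statistics."""

    def __init__(self):
        self.discards = {}

    def process(self, interface: str, trusted: bool, pkt: ArpPacket) -> bool:
        """Trusted ports are not checked. Returns True if the packet is forwarded."""
        if trusted:
            return True
        reason = validate(pkt)
        if reason is None:
            return True
        self.discards.setdefault(interface, Counter())[reason] += 1
        return False

    def render(self):
        """Lines shaped like the Table 59 columns: Interface(State) IP Src-MAC Dst-MAC."""
        return [f"{iface}(U) {c['IP']} {c['Src-MAC']} {c['Dst-MAC']}"
                for iface, c in sorted(self.discards.items())]


# Constructed sample traffic on an untrusted port (not a real capture).
SAMPLE = [
    ArpPacket("0001-0001-0001", "0002-0002-0002", REPLY, "0001-0001-0001",
              "10.0.0.1", "0002-0002-0002", "10.0.0.2"),        # valid reply
    ArpPacket("0001-0001-0001", "0002-0002-0002", REPLY, "0001-0001-0001",
              "10.0.0.1", "ffff-ffff-ffff", "10.0.0.2"),        # all-one target MAC
    ArpPacket("0001-0001-0001", "ffff-ffff-ffff", REQUEST, "00aa-00aa-00aa",
              "10.0.0.1", "0000-0000-0000", "10.0.0.2"),        # body MAC != frame MAC
    ArpPacket("0001-0001-0001", "ffff-ffff-ffff", REQUEST, "0001-0001-0001",
              "224.0.0.1", "0000-0000-0000", "10.0.0.2"),       # multicast sender IP
    ArpPacket("0001-0001-0001", "0002-0002-0002", REPLY, "0001-0001-0001",
              "10.0.0.1", "0002-0002-0002", "0.0.0.0"),         # all-zero target IP
]


def run_sample():
    """Feed the sample through an untrusted port; returns (forwarded, discards)."""
    stats = ArpDetectionStats()
    forwarded = sum(stats.process("Ethernet1/1", False, p) for p in SAMPLE)
    return forwarded, dict(stats.discards["Ethernet1/1"])


if __name__ == "__main__":
    forwarded, discards = run_sample()
    print("forwarded:", forwarded, "discards:", discards)
```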
Predefined user roles
network-admin
Usage guidelines
The static ARP entries changed from dynamic ARP entries have the same attributes as the manually configured static ARP entries. The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device might fail to change some dynamic ARP entries into static ARP entries.
The start IP address and end IP address must be on the same network as the primary IP address or manually configured secondary IP addresses of the interface. IP addresses that already exist in ARP entries are not scanned. ARP automatic scanning might take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.
Examples
# Enable ARP gateway protection for the gateway with IP address 1.1.1.1.
system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] arp filter source 1.1.1.1

ARP filtering commands
NOTE: ARP filtering is not supported in the current release, and it is reserved for future use.

arp filter binding
Use arp filter binding to configure an ARP permitted entry. If the sender IP and MAC addresses of an ARP packet match an ARP permitted entry, the ARP packet is permitted.
Crypto engine commands

crypto-engine accelerator disable
Use crypto-engine accelerator disable to disable hardware crypto engines. Use undo crypto-engine accelerator disable to enable hardware crypto engines.
Syntax
crypto-engine accelerator disable
undo crypto-engine accelerator disable
Default
Hardware crypto engines are enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Crypto engines include hardware crypto engines and software crypto engines.
display crypto-engine
Use display crypto-engine to display information about crypto engines, including crypto engine names and supported algorithms.
Syntax
display crypto-engine
Views
Any view
Predefined user roles
network-admin
network-operator
Usage guidelines
If the device does not have hardware crypto engines, this command displays information about only software crypto engines.
Examples
# Display information about crypto engines.
Field                   Description
Crypto engine state     Hardware crypto engine state: Enabled or Disabled.
                        Software crypto engine state: Enabled.
Crypto engine type      Crypto engine types:
                        • Hardware
                        • Software
Slot ID                 ID of the LPU that holds the crypto engine.
Symmetric algorithms    Supported symmetric algorithms.
Asymmetric algorithms   Supported asymmetric algorithms.
Examples
# Display statistics for all crypto engines.
display crypto-engine statistics
Submitted sessions: 0
Failed sessions: 0
Symmetric operations: 0
Symmetric errors: 0
Asymmetric operations: 0
Asymmetric errors: 0
Get-random operations: 0
Get-random errors: 0
# (MSR4000) Display statistics for crypto engine 1 on card 2.
reset crypto-engine statistics [ engine-id engine-id slot slot-number ]
Views
Any view
Predefined user roles
network-admin
Parameters
engine-id engine-id: Specifies a crypto engine by its ID in the range of 0 to 4294967295. If you do not specify a crypto engine, this command clears statistics for all crypto engines.
slot slot-number: Specifies a card by its slot number. If no card is specified, this command clears statistics for the crypto engines on all cards.
Portal commands

display portal interface
Use display portal interface to display portal configuration and portal running state on an interface.
Syntax
display portal interface interface-type interface-number
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface-type interface-number: Specifies an interface by its type and number.
Examples
# Display portal configuration and portal running state on interface Ethernet 1/1.
Authentication domain: my-domain
Bas-ipv6: Not configured
User detection: Type: ICMPV6  Interval: 300s  Attempts: 5  Idle time: 180s
Action for sever detection:
  Server type     Server name    Action
  Web server      wbsv6          fail-permit
  Portal server   ptsv6          fail-permit
Layer3 source network:
  IP address      Prefix length
  11::5           64
Destination authentication subnet:
  IP address      Prefix length
Table 62 Command output
Field                           Description
Portal information of interface Portal configuration on the interface.
Field                               Description
Destination authentication subnet   Information of the portal authentication destination subnet.
IP address                          IP address of the portal authentication subnet.
Mask                                Subnet mask of the portal authentication subnet.
Prefix length                       Prefix length of the IPv6 portal authentication subnet address.
ACK_CHALLENGE            3    0    0
REQ_AUTH                 3    0    0
ACK_AUTH                 3    0    0
REQ_LOGOUT               1    0    0
ACK_LOGOUT               1    0    0
AFF_ACK_AUTH             3    0    0
NTF_LOGOUT               1    0    0
REQ_INFO                 6    0    0
ACK_INFO                 6    0    0
NTF_USERDISCOVER         0    0    0
NTF_USERIPCHANGE         0    0    0
AFF_NTF_USERIPCHAN       0    0    0
ACK_NTF_LOGOUT           1    0    0
NTF_USER_HEARTBEAT       2    0    0
ACK_NTF_USER_HEARTBEAT   0    0    0
NTF_CHALLENGE            0    0    0
NTF_USER_NOTIFY          0    0    0
AFF_NTF_USER_NOTIFY      0    0    0
Table 63 Command output
Field           Description
Portal server   Name of the porta
Field                Description
ACK_INFO             Information acknowledgement packet.
NTF_USERDISCOVER     User discovery notification packet the portal authentication server sent to the access device.
NTF_USERIPCHANGE     User IP change notification packet the access device sent to the portal authentication server.
AFF_NTF_USERIPCHAN   User IP change success notification packet the portal authentication server sent to the access device.
dynamic: Displays dynamic portal rules, which are generated after users pass portal authentication. These rules allow packets with specific source IP addresses to pass the interface.
static: Displays static portal rules, which are generated after portal authentication is enabled. The interface filters packets by these rules when portal authentication is enabled.
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies a card by its slot number.
  Interface   : Ethernet1/1
  VLAN        : Any
  Protocol    : TCP
Destination:
  IP          : 0.0.0.0
  Mask        : 0.0.0.0
  Port        : 80
Rule 4:
Type        : Static
Action      : Deny
Status      : Active
Source:
  IP          : 0.0.0.0
  Mask        : 0.0.0.0
  Interface   : Ethernet1/1
  VLAN        : Any
Destination:
  IP          : 0.0.0.0
  Mask        : 0.0.0.
Author ACL:
  Number      : 3001
Rule 3
Type        : Static
Action      : Redirect
Status      : Active
Source:
  IP            : ::
  Prefix length : 0
  Interface     : Ethernet1/1
  VLAN          : Any
  Protocol      : TCP
Destination:
  IP            : ::
  Prefix length : 0
  Port          : 80
Rule 4:
Type        : Static
Action      : Deny
Status      : Active
Source:
  IP            : ::
  Prefix length : 0
  Interface     : Ethernet1/1
  VLAN          : Any
Destination:
  IP            : ::
  Prefix length : 0
Table 64 Command output
Field   Description
Rule    Number of the portal rule.
Field           Description
Status          Status of the portal rule:
                • Active—The portal rule is effective.
                • Unactuated—The portal rule is not activated.
Source          Source information of the portal rule.
IP              Source IP address.
Mask            Subnet mask of the source IPv4 address.
Prefix length   Prefix length of the source IPv6 address.
Port            Source transport layer port number.
MAC             Source MAC address.
Interface       Layer 2 or Layer 3 interface on which the portal rule is implemented.
VLAN            Source VLAN ID.
Usage guidelines
If you do not specify the server-name argument, this command displays information about all portal authentication servers.
Examples
# Display information about portal authentication server pts.
display portal server pts
Portal server: pts
  IP : 192.168.0.
Syntax
display portal user { all | interface interface-type interface-number }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
all: Displays information about portal users on all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
Examples
# Display information about portal users on all interfaces.
Field       Description
MAC         MAC address of the portal user.
IP          IP address of the portal user.
VLAN        VLAN where the portal user resides.
Interface   Access interface of the portal user.
Related commands
portal enable

display portal web-server
Use display portal web-server to display information about portal Web servers.
Field              Description
URL parameters     URL parameters for the portal Web server.
VPN instance       Name of the MPLS L3VPN where the portal Web server resides.
Server detection   Parameters for portal Web server detection:
                   • Detection interval in seconds.
                   • Maximum number of detection attempts.
                   • Action (log) triggered by the reachability status change of the portal Web server.
                   Current state of the portal Web server:
                   • N/A—Portal Web server detection is disabled.
cipher: Sets a ciphertext shared key.
simple: Sets a plaintext shared key.
key-string: Specifies the shared key. A plaintext shared key is a case-sensitive string of 1 to 64 characters. A ciphertext shared key is a case-sensitive string of 33 to 117 characters.
Usage guidelines
A portal authentication server has only one IP address. Therefore, in portal authentication server view, only one IP address exists. A newly configured IP address (IPv4 or IPv6) overrides the old address.
generated with the shared key. The receiver uses the authenticator to check the correctness of the received portal packets.
cipher: Sets a ciphertext shared key.
simple: Sets a plaintext shared key.
key-string: Specifies the shared key. A plaintext shared key is a case-sensitive string of 1 to 64 characters. A ciphertext shared key is a case-sensitive string of 33 to 117 characters.
Usage guidelines
A portal authentication server has only one IP address.
Examples
# Configure the destination UDP port number as 50000 for the device to send unsolicited portal packets to portal authentication server pts.
system-view
[Sysname] portal server pts
[Sysname-portal-server-pts] port 50000
Related commands
portal server

portal { bas-ip | bas-ipv6 }
Use portal { bas-ip | bas-ipv6 } to configure the BAS-IP or BAS-IPv6 attribute carried in the portal packets sent to a portal authentication server on an interface.
same. Otherwise, portal authentication will fail. To ensure normal authentication for users, you can configure the BAS-IP or BAS-IPv6 attribute for the interface, and specify the attribute value as the portal device IPv4 or IPv6 address specified on the portal authentication server.
Examples
# Reference portal Web server wbs on interface Ethernet 1/1 for portal authentication.
system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] portal apply web-server wbs
Related commands
• display portal interface
• portal fail-permit server
• portal web-server

portal delete-user
Use portal delete-user to log out portal users.
Default
No portal authentication domain is configured on the interface.
Views
Interface view
Predefined user roles
network-admin
Parameters
ipv6: Specifies an authentication domain for IPv6 portal users. Do not specify this keyword for IPv4 portal users.
domain-name: Specifies an ISP authentication domain by its name, a case-insensitive string of 1 to 24 characters.
Usage guidelines
You can specify both an IPv4 portal authentication domain and an IPv6 portal authentication domain on the interface.
method: Specifies an authentication mode:
• direct—Direct authentication.
• layer3—Cross-subnet authentication.
• redhcp—Re-DHCP authentication.
Usage guidelines
Make sure the device supports IPv6 ACL and IPv6 forwarding before you enable IPv6 portal authentication on the interface. IPv6 portal authentication does not support the re-DHCP authentication mode.
Do not add an authentication-enabled interface to an aggregation group. Otherwise, portal authentication cannot take effect on the interface.
Usage guidelines
When portal fail-permit is enabled for a portal authentication server and a portal Web server on an interface, the interface disables portal authentication for portal users if either server is unreachable. Portal authentication resumes on the interface when both servers become reachable. After portal authentication resumes, unauthenticated portal users need to pass authentication to access network resources.
You can configure multiple authentication destination subnets. If you do not specify the ipv4-network-address argument in the undo portal free-all except destination command, this command deletes all IPv4 portal authentication destination subnets on the interface.
Re-DHCP authentication does not support authentication destination subnets.
If you configure both an authentication source subnet and an authentication destination subnet on an interface, only the authentication destination subnet takes effect.
{ mask-length | mask }: Specifies the subnet mask of the IPv4 address. The value range for the mask-length argument is 0 to 32. The mask argument is in dotted decimal format.
ipv6 ipv6-address: Specifies an IPv6 address for the portal-free rule.
prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.
ip any: Represents any IPv4 address.
ipv6 any: Represents any IPv6 address.
Default
No source-based portal-free rule is configured.
Views
System view
Predefined user roles
network-admin
Parameters
rule-number: Specifies a portal-free rule number. The value range for this argument is 0 to 4294967295.
interface interface-type interface-number: Specifies a source interface by its type and number for the portal-free rule.
mac mac-address: Specifies a source MAC address for the portal-free rule, in the form of H-H-H.
vlan vlan-id: Specifies a source VLAN ID for the portal-free rule.
Parameters
ipv6-network-address: Specifies an IPv6 portal authentication destination subnet.
prefix-length: Specifies the prefix length of the IPv6 subnet, in the range of 0 to 128.
Usage guidelines
Portal users on the interface are authenticated when accessing the specified authentication destination subnet (except IP addresses and subnets specified in portal-free rules). The users can access other subnets without portal authentication.
You can configure multiple authentication destination subnets.
Usage guidelines
With IPv6 authentication source subnets configured, only packets from IPv6 users on the authentication source subnets can trigger portal authentication. If an unauthenticated IPv6 user is not on any authentication source subnet, the access device discards all the user's packets that do not match any portal-free rule.
interval interval: Sets a detection interval in the range of 1 to 1200 seconds. The default interval is 3 seconds.
idle time: Sets the user idle timeout in the range of 60 to 3600 seconds. The default is 180 seconds. When the timeout expires, online detection of portal users is restarted.
Usage guidelines
After online detection of portal users is enabled on the interface, the device periodically sends detection packets of the specified type to logged-in portal users to verify that they are online.
Predefined user roles
network-admin
Parameters
ipv4-network-address: Specifies an IPv4 portal authentication source subnet address.
mask-length: Specifies the subnet mask length of the IPv4 address, in the range of 0 to 32.
mask: Specifies the subnet mask in dotted decimal format.
Usage guidelines
With IPv4 authentication source subnets configured, only packets from IPv4 users on the authentication source subnets can trigger portal authentication.
Parameters
max-number: Specifies the maximum number of online portal users. The value range for this argument is 1 to 4294967295.
Usage guidelines
If you configure a maximum number of portal users smaller than the number of online portal users, this command still takes effect. The online users are not affected by this command, but the system forbids new portal users to log in.
This command sets the maximum total number of online IPv4 and IPv6 portal users.
portal server
Use portal server to create a portal authentication server and enter its view. Use undo portal server to delete the specified portal authentication server.
Syntax
portal server server-name
undo portal server server-name
Default
No portal authentication server is configured on the device.
Views
System view
Predefined user roles
network-admin
Parameters
server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
undo portal user-detect
Default
Online detection of IPv4 portal users is disabled on the interface.
Views
Interface view
Predefined user roles
network-admin
Parameters
type: Specifies the type of detection packets.
• arp—ARP packets.
• icmp—ICMP packets.
retry retries: Sets the maximum number of detection attempts, in the range of 1 to 10. The default is 3. If the device receives no reply from a portal user when this threshold is reached, it logs out the portal user.
portal web-server
Use portal web-server to create a portal Web server and enter its view. Use undo portal web-server to delete the specified portal Web server.
Syntax
portal web-server server-name
undo portal web-server server-name
Default
No portal Web server is configured on the device.
Views
System view
Predefined user roles
network-admin
Parameters
server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters.
Parameters
server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
Usage guidelines
If you do not specify the server server-name argument, this command clears packet statistics for all portal authentication servers.
Examples
# Clear packet statistics for portal authentication server pts.
Examples
# Enable server detection for portal authentication server pts:
• Set the detection timeout to 600 seconds.
• Configure the device to send a log message if the server reachability status changes.
system-view
[Sysname] portal server pts
[Sysname-portal-server-pts] server-detect timeout 600 log
Related commands
portal server

server-detect (portal Web server view)
Use server-detect to enable portal Web server detection. Use undo server-detect to restore the default.
system-view
[Sysname] portal web-server wbs
[Sysname-portal-websvr-wbs] server-detect interval 600 retry 2 log
Related commands
portal web-server

url
Use url to configure a URL for a portal Web server. Use undo url to delete the URL for the portal Web server.
Syntax
url url-string
undo url
Default
No URL is specified for the portal Web server.
undo url-parameter param-name
Default
URL parameters for the portal Web server are not configured.
Views
Portal Web server view
Predefined user roles
network-admin
Parameters
param-name: Specifies a URL parameter name, a case-sensitive string of 1 to 32 characters. The content of the parameter is determined by the keyword you specify next.
original-url: Specifies the URL of the original web page that a portal user visits.
source-address: Specifies the user IP address.
Use undo user-sync to restore the default.
Syntax
user-sync timeout timeout
undo user-sync
Default
Portal user synchronization is disabled for the portal authentication server.
Views
Portal authentication server view
Predefined user roles
network-admin
Parameters
timeout timeout: Sets a detection timeout for synchronization packets, in the range of 60 to 18000 seconds. The default is 1200 seconds.
Use undo vpn-instance to delete the MPLS L3VPN for the portal Web server.
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
Default
The portal Web server is considered to be on the public network.
Views
Portal Web server view
Predefined user roles
network-admin
Parameters
vpn-instance-name: Specifies the name of the MPLS L3VPN where the portal Web server resides, a case-sensitive string of 1 to 31 characters.
Usage guidelines
A portal Web server belongs to only one MPLS L3VPN.
FIPS commands
fips mode enable
Use fips mode enable to enable FIPS mode.
Use undo fips mode enable to disable FIPS mode.
Syntax
fips mode enable
undo fips mode enable
Default
The FIPS mode is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
After you enable FIPS mode and reboot the device, the device operates in FIPS mode. The FIPS device has strict security requirements, and performs self-tests on cryptography modules to verify that they are operating correctly.
g. Add a local user account for device management, including the following items:
− A username.
− A password that must comply with the password control policies.
− A user role of network-admin.
− A service type of terminal.
h. Delete the FIPS-incompliant local user service types Telnet and FTP.
i. Save the configuration file and specify it as the startup configuration file.
j. Delete the original startup configuration file in binary format.
k. Reboot the device.
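Steps g through k above, carried out in one session, as an added example that is not taken from the reference. The local-user, password, authorization-attribute, service-type, save, startup saved-configuration, delete and reboot command forms are assumed to be the Comware 7 forms; the username fipsadmin, the password, and the file names fips.cfg and startup.mdb are constructed placeholders, and the password is only a sample that meets the stated requirement of complying with the password control policies.

```text
# Step g: add a management account with a policy-compliant password,
# the network-admin role, and the terminal service type.
# (Command forms assumed; names and password are constructed placeholders.)
[Sysname] local-user fipsadmin class manage
[Sysname-luser-manage-fipsadmin] password simple Fips-Admin-2013!pw
[Sysname-luser-manage-fipsadmin] authorization-attribute user-role network-admin
[Sysname-luser-manage-fipsadmin] service-type terminal
# Step h: remove the FIPS-incompliant service types Telnet and FTP.
[Sysname-luser-manage-fipsadmin] undo service-type telnet
[Sysname-luser-manage-fipsadmin] undo service-type ftp
[Sysname-luser-manage-fipsadmin] quit
# Step i: save the configuration and make it the startup configuration.
[Sysname] save fips.cfg
[Sysname] startup saved-configuration fips.cfg
# Step j: delete the original binary-format startup configuration file
# (file name assumed).
[Sysname] delete startup.mdb
# Step k: reboot so the device comes up in FIPS mode.
[Sysname] reboot
```

Removing the Telnet and FTP service types before the reboot matters because both protocols carry credentials in cleartext; leaving them on the account would contradict the FIPS requirement the procedure is establishing. Keep a console session available during the reboot, since terminal is the only service type left on the account.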
The system will create a new startup configuration file for non-FIPS mode and then reboot automatically. Continue? [Y/N]:y
Waiting for reboot...
After reboot, the device will enter non-FIPS mode.
# Disable FIPS mode, and choose the manual reboot method to enter non-FIPS mode.
[Sysname] undo fips mode enable
FIPS mode change requires a device reboot. Continue? [Y/N]:y
The system will create a new startup configuration file for non-FIPS mode, and then reboot automatically.
Known-answer test for AES passed.
Known-answer test for RSA(signature/verification) passed.
Known-answer test for RSA(encrypt/decrypt) passed.
Known-answer test for DSA(signature/verification) passed.
Known-answer test for random number generator passed.
Known-Answer tests in the user space passed.
Starting Known-Answer tests in the kernel.
Known-answer test for SHA1 passed.
Known-answer test for HMAC-SHA1 passed.
Known-answer test for AES passed.
Known-answer test for random number generator passed.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention        Description
Boldface          Bold text represents commands and keywords that you enter literally as shown.
Italic            Italic text represents arguments that you replace with actual values.
[ ]               Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }   Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
(Icon images are not reproduced here; only their descriptions follow.)
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
Represents an access point.
Index
A B C D E F G H I K L M N O P Q R S T U V W

A
aaa session-limit, 1
access-limit, 25
access-limit enable, 2
accounting command, 2
accounting default, 3
accounting lan-access, 4
accounting login, 5
accounting ppp, 7
accounting-on enable, 38
authentication lan-access, 9
authentication login, 10
authentication ppp, 11
authentication super, 13
authentication-algorithm, 251
authentication-method, 251
authorization command, 14
authorization default, 15
authorization lan-access, 16
authorization login, 17
authorization ppp, 19
a
data-flow-format (HWTACACS scheme view), 63
data-flow-format (RADIUS scheme view), 39
delete, 296
description, 335
description, 198
detect, 323
dh, 253
dir, 297
display app-group, 336
display application, 338
display pki certificate attribute-group, 155
display pki certificate domain, 156
display pki certificate request-status, 160
display pki crl, 161
display portal interface, 415
display portal packet statistics, 417
display portal rule, 419
display portal server, 423
display portal user, 424
display port
encapsulation-mode, 215
encryption-algorithm, 259
esp authentication-algorithm, 216
esp encryption-algorithm, 217
exchange-mode, 260
exit, 299

F
fips mode enable, 453
fips self-test, 455
fqdn, 163

G
get, 299
group, 33

ipsec decrypt-check enable, 221
ipsec df-bit, 223
ipsec global-df-bit, 224
ipsec logging packet enable, 222
ipsec profile, 229
ipsec sa global-duration, 229
ipsec sa idle-time, 230
ipsec transform-set, 231
ipv6, 428

K
key (HWTACACS scheme view), 68
key (RADIUS scheme view), 44
keychain, 271

L
password-control aging, 111
password-control alert-before-expire, 113
password-control complexity, 113
password-control composition, 114
password-control enable, 116
password-control expired-user-login, 117
password-control history, 118
password-control length, 119
password-control login idle-time, 120
portal server, 444
portal user-detect, 444
portal web-server, 446
port-mapping, 348
port-mapping acl, 349
port-mapping host, 350
port-mapping subnet, 351
pre-shared-key, 276
primary accounting (HWTACACS schem
reset ike sa, 279
reset ike statistics, 280
reset ipsec sa, 236
reset ipsec statistics, 238
reset mac-authentication statistics, 106
reset password-control blacklist, 125
reset password-control history-record, 126
reset portal packet statistics, 446
reset radius statistics, 51
session aging-time state, 371
session log bytes-active, 372
session log enable, 373
session log packets-active, 374
session log time-active, 375
session max-entries, 376
session persistent acl, 375
sftp, 309
sftp client ipv6 source, 31
timer response-timeout (HWTACACS scheme view), 81
timer response-timeout (RADIUS scheme view), 61
transform-set, 249

U
url, 449
url-parameter, 449
usage, 195
user-group, 38
user-name-format (HWTACACS scheme view), 81
user-name-format (RADIUS scheme view), 62
user-sync, 450

V
vpn-instance, 451
vpn-instance (HWTACACS scheme view), 82
vpn-instance (RADIUS scheme view), 63

W
Websites, 457