HP MSR Router Series Security Command Reference (V7)
Part number: 5998-5697
Software version: CMW710-R0106
Document version: 6PW100-20140607
Legal and notice information
© Copyright 2014 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
• AAA commands ... 1
• General AAA commands ... 1
• aaa session-limit
• key (RADIUS scheme view) ... 53
• nas-ip (RADIUS scheme view) ... 54
• port ... 55
• primary accounti
• search-base-dn ... 105
• search-scope ... 106
• server-timeout ... 106
• us
• ipv6 ... 162
• port ... 163
• portal { bas-ip | bas-ipv6 }
• password-control length ... 216
• password-control login idle-time ... 217
• password-control login-attempt ... 218
• password-control super aging
• pki storage ... 284
• pki validate-certificate ... 285
• public-key dsa ... 287
• pub
• security acl ... 344
• snmp-agent trap enable ipsec ... 346
• transform-set ... 347
• IKE comm
• ssh user ... 391
• SSH client commands ... 393
• bye
• icmp-error drop ... 440
• reset aspf session ... 441
• tcp syn-check ... 442
• APR
• network (IPv6 address object group view) ... 505
• object-group ... 507
• port (port object group view) ... 508
• service (service object group vi
• display crypto-engine ... 543
• display crypto-engine statistics ... 545
• reset crypto-engine statistics ... 546
• FIPS commands
• http-flood action ... 620
• http-flood detect ... 621
• http-flood detect non-specific ... 622
• http-flood
AAA commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
General AAA commands
aaa session-limit
Use aaa session-limit to set the maximum number of concurrent users who can log on to the device through the specified method.
system-view
[Sysname] aaa session-limit ftp 4
access-limit enable
Use access-limit enable to set the maximum number of online users in an ISP domain. After the number of online users reaches the allowed maximum number, no more users are accepted.
Use undo access-limit enable to restore the default.
Syntax
access-limit enable max-user-number
undo access-limit enable
Default
There is no limit to the number of online users in an ISP domain.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The command line accounting function works with the accounting server to record all commands that have been successfully executed on the device. Command line accounting can use only a remote HWTACACS server.
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The default accounting method is used for all users who support this method and do not have an accounting method configured.
In FIPS mode:
accounting lan-access { local | radius-scheme radius-scheme-name [ local ] }
undo accounting lan-access
Default
The default accounting method for the ISP domain is used for LAN users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Syntax
In non-FIPS mode:
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo accounting login
In FIPS mode:
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo accounting log
[Sysname] domain test
[Sysname-isp-test] accounting login radius-scheme rd local
Related commands
• accounting default
• hwtacacs scheme
• local-user
• radius scheme
accounting portal
Use accounting portal to specify the accounting method for portal users.
Use undo accounting portal to restore the default.
system-view
[Sysname] domain test
[Sysname-isp-test] accounting portal local
# Configure ISP domain test to use RADIUS scheme rd for portal user accounting and use local accounting as the backup.
system-view
[Sysname] domain test
[Sysname-isp-test] accounting portal radius-scheme rd local
Related commands
• accounting default
• local-user
• radius scheme
accounting ppp
Use accounting ppp to configure the accounting method for PPP users.
Usage guidelines
You can specify one primary accounting method and multiple backup accounting methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authentication lan-access
In FIPS mode:
authentication lan-access { ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ local ] }
undo authentication lan-access
Default
The default authentication method for the ISP domain is used for LAN users.
• ldap scheme
• local-user
• radius scheme
authentication login
Use authentication login to specify the authentication method for login users.
Use undo authentication login to restore the default.
authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.
Examples
# Configure ISP domain test to use local authentication for login users.
system-view
[Sysname] domain test
[Sysname-isp-test] authentication login local
# Configure ISP domain test to use RADIUS scheme rd for login users and use local authentication as the backup.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods. When the primary method is invalid, the device attempts to use the backup methods in sequence.
undo authentication ppp
Default
The default authentication method for the ISP domain is used for PPP users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Use undo authentication super to restore the default.
Syntax
authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *
undo authentication super
Default
The default authentication method of the ISP domain is used for user role authentication.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
authorization command
Use authorization command to specify the command authorization method.
Use undo authorization command to restore the default.
and two backup methods (local authorization and no authorization). The device performs HWTACACS authorization by default and performs local authorization when the HWTACACS server is invalid. The device does not perform command authorization when both of the previous methods are invalid.
Examples
# Configure ISP domain test to use local command authorization.
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization.
The following default authorization information applies after users pass authentication:
• Non-login users can access the network.
• FTP, SFTP, and SCP users have the root directory of the NAS set as the working directory, but they do not have the access permission to the root directory.
authorization lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authorization lan-access
In FIPS mode:
authorization lan-access { local | radius-scheme radius-scheme-name [ local ] }
undo authorization lan-access
Default
The default authorization method for the ISP domain is used for LAN users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local authorization.
none: Does not perform authorization.
authorization login
Use authorization login to configure the authorization method for login users.
Use undo authorization login to restore the default.
local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.
Examples
# Configure ISP domain test to use local authorization for login users.
system-view
[Sysname] domain test
[Sysname-isp-test] authorization login local
# Configure ISP domain test to use RADIUS scheme rd for login user authorization and use local authorization as the backup.
Usage guidelines
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. You can specify one primary authorization method and multiple backup authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authorization method and multiple backup authorization methods.
undo authorization-attribute { idle-cut | ip-pool }
Default
No IP address pool is specified for PPP users in the ISP domain and the idle cut function is disabled.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
idle-cut minute: Sets the idle timeout period in minutes. The value range for the minute argument is 1 to 600.
flow: Specifies the minimum traffic that must be generated in the idle timeout period in bytes, in the range of 1 to 10240000. The default is 10240 bytes.
Predefined user roles
network-admin
network-operator
Parameters
isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains.
Examples
# Display the configuration of all ISP domains.
Field / Description
Access limit: Limit to the number of user connections. If the number is not limited, this field displays Disabled.
Access count: Number of online users.
Default authentication scheme: Default authentication method.
Default authorization scheme: Default authorization method.
Default accounting scheme: Default accounting method.
Login authentication scheme: Authentication method for login users.
Login authorization scheme: Authorization method for login users.
undo domain isp-name
Default
There is a system-defined ISP domain named system.
Views
System view
Predefined user roles
network-admin
Parameters
isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Default
The default ISP domain is the system-defined ISP domain system.
Views
System view
Predefined user roles
network-admin
Parameters
isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters.
Usage guidelines
There can be only one default ISP domain. The specified ISP domain must already exist. An ISP domain cannot be deleted when it is used as the default ISP domain.
Parameters
isp-domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Usage guidelines
The device chooses an authentication domain for each user in the following order:
• The authentication domain specified for the access module.
If the user goes offline due to connection failure or malfunction, the user online duration sent to the server is not the same as the actual online duration.
• If the session-time include-idle-time command is configured, the device adds the idle cut period or user online detection interval to the actual online duration. The user online detection period is supported only by portal authentication. The online duration sent to the server is longer than the actual online duration of the user.
[Sysname] domain test
[Sysname-isp-test] state block
Related commands
display domain
Local user commands
access-limit
Use access-limit to set the maximum number of concurrent logins using the local user name.
Use undo access-limit to restore the default.
Syntax
access-limit max-user-number
undo access-limit
Default
The number of concurrent logins using the local user name is not limited.
Syntax
authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | user-role role-name | vlan vlan-id | work-directory directory-name } *
undo authorization-attribute { acl | callback-number | idle-cut | user-role role-name | vlan | work-directory } *
Default
No authorization ACL, idle timeout period, or authorized VLAN is configured for the local users.
Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view. To ensure that FTP, SFTP, and SCP users can access the directory after an active/standby switchover, do not specify slot information for the working directory on the MSR4000 routers.
location interface interface-type interface-number: Specifies the interface to which the user is bound. The interface-type argument represents the interface type, and the interface-number argument represents the interface number. To pass authentication, the user must access the network through the bound interface.
mac mac-address: Specifies the MAC address of the user in the format H-H-H.
vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range of 1 to 4094.
service-type: Specifies the local users who use a specific type of service.
• ftp: FTP users.
• lan-access: LAN users who typically access the network through an Ethernet, such as 802.1X users.
• portal: Portal users.
• ppp: PPP users.
• ssh: SSH users.
• telnet: Telnet users.
• terminal: Terminal users who log in through console ports, AUX ports, or async ports.
state { active | block }: Specifies local users in active or blocked state.
Work Directory: flash:
ACL Number: 2000
User Role List: network-operator, level-0, level-3
Table 2 Command output
Field / Description
State: Status of the local user: active or blocked.
Service Type: Service types that the local user can use, including FTP, LAN access, portal, PPP, SSH, Telnet, and terminal.
Access limit: Whether the concurrent login limit is enabled.
Max access number: Maximum number of concurrent logins using the local user name.
Syntax
display user-group [ group-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a user group, this command displays the configuration of all user groups.
Examples
# Display the configuration of all user groups.
display user-group
Total 2 user groups matched.
Field / Description
Password composition: This field appears only when password composition checking is enabled. The field also displays the following information in parentheses:
• Minimum number of character types that the password must contain.
• Minimum number of characters from each type in the password.
This field appears only when password complexity checking is enabled.
Use undo local-user to remove local users.
Syntax
local-user user-name [ class { manage | network } ]
undo local-user { user-name class { manage | network } | all [ service-type { ftp | lan-access | portal | ppp | ssh | telnet | terminal } | class { manage | network } ] }
Default
No local user exists.
Views
System view
Predefined user roles
network-admin
Parameters
user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name.
[Sysname] local-user user2 class network
[Sysname-luser-network-user2]
Related commands
• display local-user
• service-type
password
Use password to configure a password for a local user.
Use undo password to delete the password of a local user.
Syntax
In non-FIPS mode:
password [ { cipher | hash | simple } password ]
undo password
In FIPS mode:
password
Default
• In non-FIPS mode, there is no password configured for a local user.
In non-FIPS mode, a non-password-protected user passes authentication if the user provides the correct username and passes attribute checks. To enhance security, configure a password for each local user. In FIPS mode, only password-protected users can pass authentication. Device management users support plaintext and hashed passwords. Network access users support plaintext and ciphertext passwords.
Predefined user roles
network-admin
Parameters
ftp: Authorizes the user to use the FTP service. By default, the user can use the root directory of the FTP, SFTP, or SCP server. The authorized directory can be modified by using the authorization-attribute work-directory command.
lan-access: Authorizes the user to use the LAN access service. The users are typically Ethernet users, for example, 802.1X users.
ssh: Authorizes the user to use the SSH service.
block: Places the local user in blocked state to prevent the local user from requesting network services.
Usage guidelines
This command only applies to the local user.
Examples
# Place the device management user user1 in blocked state.
system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1] state block
Related commands
display local-user
user-group
Use user-group to create a user group and enter user group view.
Use undo user-group to delete a user group.
RADIUS commands
accounting-on enable
Use accounting-on enable to configure the accounting-on feature.
Use undo accounting-on enable to restore the default.
Syntax
accounting-on enable [ interval seconds | send send-times ] *
undo accounting-on enable
Default
The accounting-on feature is disabled.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
interval seconds: Specifies the time interval for retransmitting an accounting-on packet in seconds.
Syntax
attribute 15 check-mode { loose | strict }
undo attribute 15 check-mode
Default
The strict check mode applies.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
loose: Specifies the loose check mode to match the SSH, FTP, and terminal services to the standard Login-Service attribute value of 0.
strict: Specifies the strict check mode to match the SSH, FTP, and terminal services to the extended Login-Service attribute values of 50, 51, and 52, respectively.
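The check-mode decision above is easier to see on real attribute bytes. The following Python is an added example written for this page, not HP code and not a description of the device's internal implementation: it decodes a RADIUS attribute list (Type, Length, Value, per RFC 2865), extracts Login-Service (attribute 15), and applies the loose and strict matching the command describes. The service-to-value mapping (0 for loose; 50, 51, 52 for SSH, FTP, terminal in strict mode) is taken from the parameter text; treating an Access-Accept with no Login-Service attribute as unrestricted is an assumption of this example, as are the constructed attribute bytes.

```python
# Added example (not from the HP command reference): decode a RADIUS
# Login-Service attribute (type 15) and apply the two check modes that the
# `attribute 15 check-mode { loose | strict }` command describes.
import struct

LOGIN_SERVICE_TYPE = 15

# Values taken from the command's parameter text:
# loose mode expects the standard value 0 for SSH, FTP and terminal;
# strict mode expects the extended values 50, 51 and 52 respectively.
STANDARD_LOGIN_SERVICE = 0
EXTENDED_LOGIN_SERVICE = {"ssh": 50, "ftp": 51, "terminal": 52}


def parse_attributes(data):
    """Split a RADIUS attribute list into (type, value) pairs.

    Each attribute is Type (1 byte), Length (1 byte, counting the 2 header
    bytes), Value. A malformed length raises rather than being skipped: a NAS
    should not act on a damaged Access-Accept.
    """
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad length %d for attribute %d" % (alen, atype))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def login_service_value(attrs):
    """Return the integer Login-Service value, or None if the attribute is absent."""
    for atype, value in attrs:
        if atype == LOGIN_SERVICE_TYPE:
            if len(value) != 4:
                raise ValueError("Login-Service must be a 4-byte integer")
            return struct.unpack("!I", value)[0]
    return None


def service_permitted(requested, attrs, check_mode):
    """Decide whether the server's attributes authorize the requested service.

    requested:  "ssh", "ftp" or "terminal" (the services the command covers)
    check_mode: "loose" or "strict", as in `attribute 15 check-mode`
    """
    if requested not in EXTENDED_LOGIN_SERVICE:
        raise ValueError("unsupported service %r" % requested)
    value = login_service_value(attrs)
    if value is None:
        # Assumption for this example: no Login-Service attribute means the
        # server did not restrict the login service, so the NAS accepts.
        return True
    if check_mode == "loose":
        return value == STANDARD_LOGIN_SERVICE
    if check_mode == "strict":
        return value == EXTENDED_LOGIN_SERVICE[requested]
    raise ValueError("unknown check mode %r" % check_mode)


def encode_login_service(value):
    """Build a Login-Service attribute; used here only to construct sample input."""
    return bytes([LOGIN_SERVICE_TYPE, 6]) + struct.pack("!I", value)


if __name__ == "__main__":
    # Constructed attribute lists, not captured traffic.
    standard = encode_login_service(0)    # server sends the standard value
    extended = encode_login_service(50)   # server sends the extended SSH value
    for mode in ("loose", "strict"):
        for name, data in (("standard", standard), ("extended", extended)):
            ok = service_permitted("ssh", parse_attributes(data), mode)
            print("%-6s mode, %-8s server, SSH login: %s"
                  % (mode, name, "accept" if ok else "reject"))
```

Running the block shows the operational consequence of the default: with strict mode (the default), a RADIUS server that only returns the standard Login-Service value 0 causes SSH, FTP and terminal logins to be refused, so the check mode must match what the server is configured to send.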
Usage guidelines
Configure the device to interpret the RADIUS class attribute if the RADIUS server uses the attribute to deliver CAR parameters for user-based traffic monitoring and control.
Examples
# Enter the view of RADIUS scheme test, and configure the device to interpret the RADIUS class attribute as CAR parameters.
system-view
[Sysname] radius scheme test
[Sysname-radius-test] attribute 25 car
Related commands
display radius scheme
client
Use client to specify a RADIUS DAE client.
You can execute the client command multiple times to specify multiple DAE clients for the DAE server.
Examples
# Specify the DAE client as 10.110.1.2 in MPLS L3VPN abc. Set the shared key to 123456 in plain text for secure communication between the DAE server and client.
system-view
[Sysname] radius dynamic-author server
[Sysname-radius-da-server] client ip 10.110.1.
display radius scheme
Use display radius scheme to display the configuration of RADIUS schemes.
Syntax
display radius scheme [ radius-scheme-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a RADIUS scheme, this command displays the configuration of all RADIUS schemes.
Examples
# Display the configuration of all RADIUS schemes.
Accounting-On function : Enabled
  retransmission times : 5
  retransmission interval(seconds) : 2
Timeout Interval(seconds) : 3
Retransmission Times : 3
Retransmission Times for Accounting Update : 5
Server Quiet Period(minutes) : 5
Realtime Accounting Interval(minutes) : 22
NAS IP Address : 1.1.1.
Field / Description
retransmission times: Number of accounting-on packet transmission attempts.
retransmission interval(seconds): Interval at which the device retransmits accounting-on packets, in seconds.
Timeout Interval(seconds): RADIUS server response timeout period, in seconds.
Retransmission times: Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
Retransmission Times for Accounting Update: Maximum number of accounting attempts.
display radius statistics
                          Auth.   Acct.   SessCtrl.
Request Packet:           0       0       0
Retry Packet:             0       0       -
Timeout Packet:           0       0       -
Access Challenge:         0       -       -
Account Start:            -       0       -
Account Update:           -       0       -
Account Stop:             -       0       -
Terminate Request:        -       -       0
Set Policy:               -       -       0
Packet With Response:     0       0       0
Packet Without Response:  0       0       -
Access Rejects:           0       -       -
Dropped Packet:           0       0       0
Check Failures:           0       0       0
Table 5 Command output
Field / Description
Auth.: Authentication packets.
key (RADIUS scheme view)
Use key to set the shared key for secure RADIUS communication.
Use undo key to restore the default.
Syntax
key { accounting | authentication } { cipher | simple } string
undo key { accounting | authentication }
Default
No shared key is configured.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
accounting: Sets the shared key for secure RADIUS accounting communication.
authentication: Sets the shared key for secure RADIUS authentication communication.
Related commands
display radius scheme
nas-ip (RADIUS scheme view)
Use nas-ip to specify a source IP address for outgoing RADIUS packets.
Use undo nas-ip to delete a source IP address for outgoing RADIUS packets.
Syntax
nas-ip { ipv4-address | ipv6 ipv6-address }
undo nas-ip [ ipv6 ]
Default
The source IP address of an outgoing RADIUS packet is the IP address specified by using the radius nas-ip command in system view.
A RADIUS scheme can have only one source IP address for outgoing RADIUS packets. If you specify a new source IP address for the same RADIUS scheme, the new address overwrites the old one.
Examples
# Set the source IP address for outgoing RADIUS packets to 10.1.1.1.
system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] nas-ip 10.1.1.1
Related commands
• display radius scheme
• radius nas-ip
port
Use port to specify the RADIUS DAE server port.
Use undo primary accounting to remove the configuration.
Syntax
primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
undo primary accounting
Default
No primary RADIUS accounting server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the primary RADIUS accounting server.
If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. The device does not buffer the stop-accounting requests, either. The device can generate incorrect accounting results.
For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
Examples
# Specify the primary accounting server with IP address 10.110.1.
• simple string: Sets a plaintext shared key. The string argument is case sensitive.
   ◦ In non-FIPS mode, the key is a string of 1 to 64 characters.
   ◦ In FIPS mode, the key is a string of 15 to 64 characters. The string must contain digits, uppercase letters, lowercase letters, and special characters.
test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The profile-name argument specifies the test profile name, which is a case-sensitive string of 1 to 31 characters.
Use undo radius-server test-profile to remove the specified test profile.
Syntax
radius-server test-profile profile-name username name [ interval interval ]
undo radius-server test-profile profile-name
Default
No test profile is configured for detecting the RADIUS server status.
Views
System view
Predefined user roles
network-admin
Parameters
profile-name: Specifies the name of the test profile, which is a case-sensitive string of 1 to 31 characters.
Default
The RADIUS DAE server feature is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
When you enable the RADIUS DAE server feature, the device listens to UDP port 3799 to receive DAE packets from specified DAE clients.
Examples
# Enable the RADIUS DAE server feature and enter RADIUS DAE server view.
Examples
# Set the DSCP priority of IPv4 RADIUS packets to 10.
<Sysname> system-view
[Sysname] radius dscp 10
radius nas-ip
Use radius nas-ip to specify a source address for outgoing RADIUS packets.
Use undo radius nas-ip to delete a source address for outgoing RADIUS packets.
A newly specified public-network source IP address overwrites the previous one. Each VPN can have at most one private-network source IPv4 address and one private-network source IPv6 address.
When you use both the nas-ip command and the radius nas-ip command, the following guidelines apply:
• The setting configured by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme.
• The setting configured by the radius nas-ip command in system view is for all RADIUS schemes.
undo radius scheme radius-scheme-name
Default
No RADIUS scheme is defined.
Views
System view
Predefined user roles
network-admin
Parameters
radius-scheme-name: Specifies the RADIUS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A RADIUS scheme can be referenced by more than one ISP domain at the same time. The device supports at most 16 RADIUS schemes.
Examples
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
Syntax
retry retry-times
undo retry
Default
The maximum number of RADIUS packet transmission attempts is 3.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
retry-times: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.
Usage guidelines
Because RADIUS uses UDP packets to transmit data, the communication is not reliable.
Predefined user roles
network-admin
Parameters
retry-times: Specifies the maximum number of accounting attempts, in the range of 1 to 255.
Usage guidelines
Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer. If the server does not receive a real-time accounting request for a user from the NAS within the timeout period, it considers that a line or device failure has occurred, and stops accounting for the user.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS accounting server.
port-number: Specifies the service port number of the secondary RADIUS accounting server. The value range for the UDP port number is 1 to 65535, and the default setting is 1813.
Examples
# For RADIUS scheme radius1, specify a secondary accounting server with the IP address 10.110.1.1 and the UDP port 1813.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813
# For RADIUS scheme radius2, specify two secondary accounting servers with the server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1813.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary accounting 10.
  ◦ In non-FIPS mode, the key is a string of 1 to 117 characters.
  ◦ In FIPS mode, the key is a string of 15 to 117 characters.
• simple string: Sets a plaintext shared key. The string argument is case sensitive.
  ◦ In non-FIPS mode, the key is a string of 1 to 64 characters.
  ◦ In FIPS mode, the key is a string of 15 to 64 characters. The string must contain digits, uppercase letters, lowercase letters, and special characters.
Related commands
• display radius scheme
• key (RADIUS scheme view)
• primary authentication (RADIUS scheme view)
• radius-server test-profile
• vpn-instance (RADIUS scheme view)
security-policy-server
Use security-policy-server to specify a security policy server.
Use undo security-policy-server to remove a security policy server.
snmp-agent trap enable radius
Use snmp-agent trap enable radius to enable SNMP notifications for RADIUS.
Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS.
<Sysname> system-view
[Sysname] snmp-agent trap enable radius accounting-server-down
state primary
Use state primary to set the status of a primary RADIUS server.
Syntax
state primary { accounting | authentication } { active | block }
Default
The primary RADIUS server specified for a RADIUS scheme is in active state.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
accounting: Sets the status of the primary RADIUS accounting server.
Related commands
• display radius scheme
• radius-server test-profile
• state secondary
state secondary
Use state secondary to set the status of a secondary RADIUS server.
Syntax
state secondary { accounting | authentication } [ ip-address [ port-number | vpn-instance vpn-instance-name ] * ] { active | block }
Default
Every secondary RADIUS server specified in a RADIUS scheme is in active state.
This command can affect the RADIUS server status detection function when a valid test profile is specified for a secondary RADIUS authentication server.
• If you set the status of the server to blocked, the device stops detecting the status of the server.
• If you set the status of the server to active, the device starts to detect the status of the server.
Examples
# Set the status of all the secondary authentication servers in RADIUS scheme radius1 to blocked.
Related commands
display radius scheme
timer realtime-accounting (RADIUS scheme view)
Use timer realtime-accounting to set the real-time accounting interval.
Use undo timer realtime-accounting to restore the default.
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
Default
The real-time accounting interval is 12 minutes.
timer response-timeout (RADIUS scheme view)
Use timer response-timeout to set the RADIUS server response timeout timer.
Use undo timer response-timeout to restore the default.
Syntax
timer response-timeout seconds
undo timer response-timeout
Default
The RADIUS server response timeout period is 3 seconds.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
seconds: Specifies the RADIUS server response timeout period, in the range of 1 to 10 seconds.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
keep-original: Sends the username to the RADIUS server as the username is entered.
with-domain: Includes the ISP domain name in the username sent to the RADIUS server.
without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.
Usage guidelines
A username is generally in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
vpn-instance-name: Name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters.
Usage guidelines
The VPN specified here applies to all servers in the RADIUS scheme for which no VPN is specified.
Examples
# Specify VPN test for RADIUS scheme radius1.
Usage guidelines
The data flow and packet measurement units for traffic statistics must be the same as configured on the HWTACACS accounting servers. Otherwise, accounting results might be incorrect.
Examples
# In HWTACACS scheme hwt1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.
    Single-connection: Disabled
  Primary Acct Server:
    IP : Not Configured      Port: 49
    State: Block
    VPN Instance: Not configured
    Single-connection: Disabled
  VPN Instance                          : 2
  NAS IP Address                        : 2.2.2.3
  Server Quiet Period(minutes)          : 5
  Realtime Accounting Interval(minutes) : 12
  Response Timeout Interval(seconds)    : 5
  Username Format                       : with-domain
------------------------------------------------------------------
Table 7 Command output
Field    Description
Index    Index number of the HWTACACS scheme.
Field            Description
Username Format  Format for the usernames sent to the HWTACACS server. Possible values include:
                 • with-domain—Includes the domain name.
                 • without-domain—Excludes the domain name.
                 • keep-original—Forwards the username as the username is entered.
Related commands
reset hwtacacs statistics
hwtacacs nas-ip
Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets.
Use undo hwtacacs nas-ip to delete a source IP address for outgoing HWTACACS packets.
• Zero or one public-network source IPv4 address.
• Zero or one public-network source IPv6 address.
• Private-network source IP addresses.
A newly specified public-network source IP address overwrites the previous one. Each VPN can have at most one private-network source IPv4 address and one private-network source IPv6 address.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1]
Related commands
display hwtacacs scheme
key (HWTACACS scheme view)
Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.
Use undo key to remove the configuration.
Syntax
key { accounting | authentication | authorization } { cipher | simple } string
undo key { accounting | authentication | authorization }
Default
No shared key is configured.
Examples
# Set the shared key for secure HWTACACS authentication communication to 123456TESTauth&! in plain text for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!
# Set the shared key for secure HWTACACS authorization communication to 123456TESTautr&! in plain text.
• If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.
• If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.
When you use both the nas-ip command and the hwtacacs nas-ip command, the following guidelines apply:
• The setting configured by using the nas-ip command in HWTACACS scheme view is effective only for the HWTACACS scheme.
• cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
  ◦ In non-FIPS mode, the key is a string of 1 to 373 characters.
  ◦ In FIPS mode, the key is a string of 15 to 373 characters.
• simple string: Sets a plaintext shared key. The string argument is case sensitive.
  ◦ In non-FIPS mode, the key is a string of 1 to 255 characters.
  ◦ In FIPS mode, the key is a string of 15 to 255 characters.
Syntax
primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo primary authentication
Default
No primary HWTACACS authentication server is specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.
You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.
For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
Examples
# Specify the primary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&! for HWTACACS scheme hwt1.
• simple string: Sets a plaintext shared key. The string argument is case sensitive.
  ◦ In non-FIPS mode, the key is a string of 1 to 255 characters.
  ◦ In FIPS mode, the key is a string of 15 to 255 characters. The string must contain digits, uppercase letters, lowercase letters, and special characters.
single-connection: The device and the primary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users.
Views
User view
Predefined user roles
network-admin
Parameters
accounting: Clears the HWTACACS accounting statistics.
all: Clears all HWTACACS statistics.
authentication: Clears the HWTACACS authentication statistics.
authorization: Clears the HWTACACS authorization statistics.
Examples
# Clear all HWTACACS statistics.
  ◦ In FIPS mode, the key is a string of 15 to 373 characters.
• simple string: Sets a plaintext shared key. The string argument is case sensitive.
  ◦ In non-FIPS mode, the key is a string of 1 to 255 characters.
  ◦ In FIPS mode, the key is a string of 15 to 255 characters. The string must contain digits, uppercase letters, lowercase letters, and special characters.
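The plaintext shared-key rules above (RADIUS: 1 to 64 characters, HWTACACS: 1 to 255 characters, and in FIPS mode a minimum of 15 characters drawn from all four character classes) are easy to get wrong when keys are generated or reviewed outside the device. The following Python is an added example, not HP code and not part of this reference; it checks candidate keys against exactly those stated rules so that a configuration review can flag keys that the device would reject in FIPS mode or that fall outside the allowed lengths. The protocol names, the sample scheme names and the key "hp" are constructed for the example; the two 16-character keys are the ones shown in the examples on this page.

```python
import re
from typing import List, Tuple

# Plaintext (simple) shared-key length limits as stated in the command
# reference: (minimum in non-FIPS mode, maximum). FIPS mode raises the
# minimum to 15 characters for both protocols.
PLAINTEXT_KEY_LIMITS = {
    "radius": (1, 64),
    "hwtacacs": (1, 255),
}
FIPS_MIN_LENGTH = 15

# In FIPS mode the key must contain a character from every one of these classes.
CHARACTER_CLASSES = {
    "digit": re.compile(r"[0-9]"),
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "special character": re.compile(r"[^0-9A-Za-z]"),
}


def check_shared_key(key: str, protocol: str, fips: bool) -> Tuple[bool, str]:
    """Return (ok, reason) for a plaintext shared key under the stated rules."""
    if protocol not in PLAINTEXT_KEY_LIMITS:
        raise ValueError(f"unknown protocol {protocol!r}")
    low, high = PLAINTEXT_KEY_LIMITS[protocol]
    if fips:
        low = FIPS_MIN_LENGTH
    length = len(key)
    if length < low or length > high:
        mode = "FIPS" if fips else "non-FIPS"
        return False, f"length {length} is outside {low} to {high} characters ({mode} mode)"
    if fips:
        missing = [name for name, rx in CHARACTER_CLASSES.items() if not rx.search(key)]
        if missing:
            return False, "FIPS mode requires a " + " and a ".join(missing)
    return True, "ok"


def audit_keys(entries: List[Tuple[str, str, str]], fips: bool) -> List[Tuple[str, str]]:
    """Check (scheme, protocol, key) triples; return (scheme, reason) for each failure."""
    failures = []
    for scheme, protocol, key in entries:
        ok, reason = check_shared_key(key, protocol, fips)
        if not ok:
            failures.append((scheme, reason))
    return failures


# Constructed sample: two keys taken from the page's examples plus a short
# lab key that is legal in non-FIPS mode but not in FIPS mode.
SAMPLE_ENTRIES = [
    ("radius1", "radius", "123456TESTauth&!"),
    ("hwt1", "hwtacacs", "123456TESTautr&!"),
    ("lab", "radius", "hp"),
]

if __name__ == "__main__":
    for mode in (False, True):
        print("FIPS" if mode else "non-FIPS", audit_keys(SAMPLE_ENTRIES, mode))
```

Running the block prints no failures in non-FIPS mode and one failure (the "lab" scheme, too short) in FIPS mode; the same function rejects a 16-character key that has no special character, which is the FIPS requirement that is easiest to overlook.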
secondary authentication (HWTACACS scheme view)
Use secondary authentication to specify a secondary HWTACACS authentication server.
Use undo secondary authentication to remove a secondary HWTACACS authentication server.
You can configure up to 16 secondary HWTACACS authentication servers for an HWTACACS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.
If you do not specify any parameters for the undo secondary authentication command, the command removes all secondary authentication servers.
Parameters
ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authorization server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authorization server.
port-number: Specifies the service port number of the secondary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.
key { cipher | simple } string: Sets the shared key for secure communication with the secondary HWTACACS authorization server.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 key simple 123456TESTautr&!
Related commands
• display hwtacacs scheme
• key (HWTACACS scheme view)
• primary authorization
• vpn-instance (HWTACACS scheme view)
timer quiet (HWTACACS scheme view)
Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme.
Use undo timer quiet to restore the default.
Default
The real-time accounting interval is 12 minutes.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server.
Usage guidelines
For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically.
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
seconds: Specifies the HWTACACS server response timeout time, in the range of 1 to 300 seconds.
Usage guidelines
HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.
Examples
# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.
If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the HWTACACS scheme to more than one ISP domain. Otherwise, the HWTACACS server will consider two users in different ISP domains but with the same userid as one user.
If the HWTACACS scheme is used for wireless users, specify the format of the username to be sent from the access device to the HWTACACS server as keep-original. Otherwise, authentication of the wireless users might fail.
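The user-name-format parameters (keep-original, with-domain, without-domain) described for the RADIUS scheme above and the HWTACACS caveat here are two views of the same mechanism: the device splits userid@isp-name, uses isp-name to select the ISP domain, and then decides how much of that to put on the wire. The Python below is an added example, not HP code and not part of this reference; it models that transformation and shows why without-domain on a scheme shared by two ISP domains makes the server see two different users as one. The '@' delimiter follows the userid@isp-name form given on this page, and the delimiter set is a parameter because the 802.1X section of this reference allows @, backslash and forward slash; splitting at the first delimiter found and mapping a username that has no delimiter to a caller-supplied default domain are assumptions of this example, as are the sample user names.

```python
from typing import Dict, List, Optional, Tuple

# userid@isp-name is the form the reference gives for RADIUS and HWTACACS usernames.
DEFAULT_DELIMITERS = "@"


def split_username(entered: str, delimiters: str = DEFAULT_DELIMITERS) -> Tuple[str, Optional[str]]:
    """Split an entered username into (userid, isp-name).

    isp-name is None when the entered name carries no delimiter. Splitting at
    the first delimiter character is an assumption of this example.
    """
    for i, ch in enumerate(entered):
        if ch in delimiters:
            return entered[:i], entered[i + 1:]
    return entered, None


def format_username(entered: str, fmt: str, default_domain: str,
                    delimiters: str = DEFAULT_DELIMITERS) -> Tuple[str, str]:
    """Return (isp domain selected on the device, username sent to the server).

    fmt is one of keep-original, with-domain, without-domain, as in the
    user-name-format command. A name with no delimiter is assigned to
    default_domain (assumption of this example).
    """
    userid, isp = split_username(entered, delimiters)
    domain = isp if isp is not None else default_domain
    if fmt == "keep-original":
        sent = entered                      # forwarded exactly as entered
    elif fmt == "with-domain":
        sent = f"{userid}@{domain}"         # domain always included
    elif fmt == "without-domain":
        sent = userid                       # domain stripped
    else:
        raise ValueError(f"unknown username format {fmt!r}")
    return domain, sent


def find_collisions(entered_names: List[str], fmt: str, default_domain: str,
                    delimiters: str = DEFAULT_DELIMITERS) -> Dict[str, List[str]]:
    """Return server-side usernames that more than one device-side user maps onto.

    Keys are the names as the server sees them; values list the distinct
    userid@domain identities on the device that collapse onto that name.
    """
    seen: Dict[str, set] = {}
    for entered in entered_names:
        domain, sent = format_username(entered, fmt, default_domain, delimiters)
        userid, _ = split_username(entered, delimiters)
        seen.setdefault(sent, set()).add(f"{userid}@{domain}")
    return {sent: sorted(ids) for sent, ids in seen.items() if len(ids) > 1}


# Constructed sample: the same userid exists in two ISP domains served by one scheme.
SAMPLE_USERS = ["alice@corp", "alice@guest", "bob@corp", "carol"]

if __name__ == "__main__":
    for fmt in ("with-domain", "without-domain", "keep-original"):
        print(fmt, find_collisions(SAMPLE_USERS, fmt, default_domain="system"))
```

With without-domain the sample yields one collision (alice in corp and alice in guest both reach the server as "alice"); with-domain and keep-original keep them apart, which is the reason the reference restricts a without-domain scheme to a single ISP domain.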
LDAP commands
authentication-server
Use authentication-server to specify the LDAP authentication server for an LDAP scheme.
Use undo authentication-server to remove the LDAP authentication server.
Syntax
authentication-server server-name
undo authentication-server server-name
Default
No LDAP authentication server is specified.
Views
LDAP scheme view
Predefined user roles
network-admin
Parameters
server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters.
network-operator
Parameters
scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an LDAP scheme, this command displays the configuration of all LDAP schemes.
Examples
# Display the configuration of all LDAP schemes.
<Sysname> display ldap scheme
Total 1 LDAP schemes
------------------------------------------------------------------
LDAP Scheme Name : ldap-sch
  Authentication Server : cc
    IP : 2.2.2.
Field                      Description
User Searching Parameters  User search parameters.
User Object Class          User object class for user DN search. If no user object class is configured, this field displays Not configured.
Username Attribute         User account attribute for login.
Username Format            Format for the username sent to the server.
ip
Use ip to configure the IP address and port number of the LDAP server.
Use undo ip to delete the LDAP server IP address and port number.
ipv6
Use ipv6 to configure the IPv6 address and port number of the LDAP server.
Use undo ipv6 to delete the LDAP server IPv6 address and port number.
Syntax
ipv6 ipv6-address [ port port-number ] [ vpn-instance vpn-instance-name ]
undo ipv6
Default
An LDAP server does not have an IP address.
Views
LDAP server view
Predefined user roles
network-admin
Parameters
ipv6-address: Specifies the IPv6 address of the LDAP server.
port port-number: Specifies the TCP port number of the LDAP server.
Default
No LDAP scheme is defined.
Views
System view
Predefined user roles
network-admin
Parameters
ldap-scheme-name: LDAP scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
An LDAP scheme can be referenced by more than one ISP domain at the same time. You can configure up to 16 LDAP schemes.
Examples
# Create an LDAP scheme named ldap1 and enter LDAP scheme view.
Related commands
display ldap scheme
login-dn
Use login-dn to specify the administrator DN.
Use undo login-dn to remove the configuration.
Syntax
login-dn dn-string
undo login-dn
Default
No administrator DN is specified.
Views
LDAP server view
Predefined user roles
network-admin
Parameters
dn-string: Administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters.
Default
No administrator password is configured.
Views
LDAP server view
Predefined user roles
network-admin
Parameters
cipher: Sets a ciphertext password.
simple: Sets a plaintext password.
password: Specifies the password string. This argument is case sensitive.
• If simple is specified, the password must be a string of 1 to 128 characters.
• If cipher is specified, the password must be a ciphertext string of 1 to 201 characters.
Parameters
v2: Specifies the LDAP version LDAPv2.
v3: Specifies the LDAP version LDAPv3.
Usage guidelines
For successful LDAP authentication, the LDAP version used by the device must be consistent with the version used by the LDAP server. If you change the LDAP version, the change is effective only for LDAP authentication that occurs after your change.
A Microsoft LDAP server supports only LDAPv3.
Examples
# Specify the LDAP version as LDAPv2.
search-scope
Use search-scope to specify the user search scope.
Use undo search-scope to restore the default.
Syntax
search-scope { all-level | single-level }
undo search-scope
Default
The user search scope is all-level.
Views
LDAP server view
Predefined user roles
network-admin
Parameters
all-level: Specifies that the search goes through all subdirectories of the base DN.
single-level: Specifies that the search goes through only the next lower level of subdirectories under the base DN.
Predefined user roles
network-admin
Parameters
time-interval: Specifies the LDAP server timeout period, in the range of 5 to 20 seconds.
Usage guidelines
If you change the LDAP server timeout period, the change is effective only for LDAP authentication that occurs after your change.
Examples
# Set the LDAP server timeout period to 15 seconds.
Usage guidelines
If the username on the LDAP server does not contain the domain name, specify the without-domain keyword. If the username contains the domain name, specify the with-domain keyword.
Examples
# Set the user object class to person.
802.1X commands
In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080.
The commands configured in Ethernet interface view are available only on the following ports: the ports on the HMIM-24GSW/24GSWP and HMIM-8GSW Layer 2 switching modules installed on MSR routers.
display dot1x
Use display dot1x to display information about 802.1X.
 SmartOn supp timeout  : 30 s
 SmartOn retry counts  : 3
 Domain delimiter      : @
 Max 802.1X users      : 1024 per slot
 Online 802.1X users   : 1
GigabitEthernet2/1/1 is link-down
 802.
Field                        Description
EAP authentication: Enabled  Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server. If CHAP or PAP is enabled, this field is not available.
PAP authentication: Enabled  Performs EAP termination and uses PAP to communicate with the RADIUS server. If CHAP or EAP is enabled, this field is not available.
Max-tx period                Username request timeout timer in seconds.
Handshake period             Handshake timer in seconds.
Field           Description
Guest VLAN      802.1X guest VLAN configured on the port. If no 802.1X guest VLAN is configured on the port, this field displays Not configured.
Auth-Fail VLAN  802.1X Auth-Fail VLAN configured on the port. If no 802.1X Auth-Fail VLAN is configured on the port, this field displays Not configured.
Critical VLAN   802.1X critical VLAN configured on the port. If no 802.1X critical VLAN is configured on the port, this field displays Not configured.
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies a port by its type and number.
slot slot-number: Specifies a card by its slot number. (MSR4000.)
user-name name-string: Specifies an 802.1X user by its name. The name-string argument represents the username, a case-sensitive string of 1 to 253 characters.
user-mac mac-addr: Specifies an 802.1X user by its MAC address.
  Username: ias
  Authentication domain: HP
  Authentication method: CHAP
  Initial VLAN: 1
  Authorization untagged VLAN: N/A
  Authorization tagged VLAN list: 1 to 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 29 31 33 35 37 40 to 100
  Authorization ACL ID: 3001
  Termination action: Default
  Session timeout period: 2 s
  Online from: 2013/03/02 13:14:15
  Online duration: 0h 2m 15s
Total 1 connection(s) matched.
Table 11 Command output
Field    Description
Slot ID  Slot number of the card. (MSR4000.
Field  Description
       Action attribute assigned by the server when the session timeout timer expires.
       • Default—Logs off the online authenticated 802.1X user. This attribute does not take effect when periodic online user reauthentication is enabled and the periodic reauthentication timer is shorter than the session timeout timer.
Related commands
display dot1x
dot1x authentication-method
Use dot1x authentication-method to specify an EAP message handling method.
Use undo dot1x authentication-method to restore the default.
Syntax
dot1x authentication-method { chap | eap | pap }
undo dot1x authentication-method
Default
The network access device performs EAP termination and uses CHAP to communicate with the RADIUS server.
Some network access devices provide the EAP server function, so you can use EAP relay even if the RADIUS server does not support any EAP authentication method or no RADIUS server is available.
Local authentication supports PAP and CHAP.
If RADIUS authentication is used, you must configure the network access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.
Examples
# Enable the access device to terminate EAP packets and perform PAP authentication with the RADIUS server.
Related commands
display dot1x
dot1x critical vlan
Use dot1x critical vlan to configure an 802.1X critical VLAN on a port.
Use undo dot1x critical vlan to restore the default.
Syntax
dot1x critical vlan vlan-id
undo dot1x critical vlan
Default
No 802.1X critical VLAN is configured on any port.
Views
Ethernet interface view
Predefined user roles
network-admin
Parameters
vlan-id: Specifies the ID of the 802.1X critical VLAN on the port. The value range for the VLAN ID is 1 to 4094.
Default
The device supports only the at sign (@) delimiter for 802.1X users.
Views
System view
Predefined user roles
network-admin
Parameters
string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between delimiters. Available delimiters include the at sign (@), backslash (\), and forward slash (/).
Usage guidelines
Any character in the configured set can be used as the domain name delimiter for 802.1X authentication users.
Parameters
guest-vlan-id: Specifies the ID of the 802.1X guest VLAN. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created.
Usage guidelines
An 802.1X guest VLAN accommodates users who have not performed 802.1X authentication. In the guest VLAN, users can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.
[Sysname-GigabitEthernet2/1/1] dot1x handshake
Related commands
• display dot1x
• dot1x timer handshake-period
• dot1x retry
dot1x handshake secure
Use dot1x handshake secure to enable the online user handshake security function.
Use undo dot1x handshake secure to disable the function.
Syntax
dot1x handshake secure
undo dot1x handshake secure
Default
The online user handshake security function is disabled.
Syntax
dot1x mandatory-domain domain-name
undo dot1x mandatory-domain
Default
No mandatory authentication domain is specified.
Views
Ethernet interface view
Predefined user roles
network-admin
Parameters
domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters.
Usage guidelines
When the system authenticates an 802.1X user trying to access a port, it selects an authentication domain in the following order:
1. Mandatory domain.
2.
Parameters
user-number: Specifies the maximum number of concurrent 802.1X users on a port. The value range is 1 to 256.
Usage guidelines
Set the maximum number of concurrent 802.1X users on a port to prevent the system resources from being overused. When the maximum number is reached, the port denies subsequent 802.1X users.
Examples
# Set the maximum number of concurrent 802.1X users on GigabitEthernet 2/1/1 to 32.
• dot1x unicast-trigger
dot1x port-control
Use dot1x port-control to set the authorization state for the port.
Use undo dot1x port-control to restore the default.
Syntax
dot1x port-control { authorized-force | auto | unauthorized-force }
undo dot1x port-control
Default
The default port authorization state is auto.
Default
MAC-based access control applies.
Views
Ethernet interface view
Predefined user roles
network-admin
Parameters
macbased: Uses MAC-based access control on the port to separately authenticate each user attempting to access the network. Using this method, when an authenticated user logs off, no other online users are affected.
portbased: Uses port-based access control on the port. Using this method, once an 802.
Usage guidelines
When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client. You can use the dot1x timer quiet-period command to set the quiet timer.
Examples
# Enable the quiet timer and set the quiet timer to 100 seconds.
dot1x re-authenticate server-unreachable keep-online
Use dot1x re-authenticate server-unreachable keep-online to enable the keep-online feature on a port. This feature keeps authenticated 802.1X users online when no server is reachable for 802.1X reauthentication.
Use undo dot1x re-authenticate server-unreachable to restore the default.
Syntax
dot1x re-authenticate server-unreachable keep-online
undo dot1x re-authenticate server-unreachable
Default
The keep-online feature is disabled.
Parameters
max-retry-value: Specifies the maximum number of attempts for sending an authentication request to a client. The value range is 1 to 10.
[Sysname] interface gigabitethernet 2/1/1
[Sysname-GigabitEthernet2/1/1] dot1x smarton
Related commands
• display dot1x
• dot1x smarton switched
• dot1x smarton password
dot1x smarton password
Use dot1x smarton password to configure a SmartOn password.
Use undo dot1x smarton password to restore the default.
Syntax
dot1x smarton password { cipher cipher-string | simple plain-string }
undo dot1x smarton password
Default
No SmartOn password is configured.
• dot1x smarton switched
dot1x smarton retry
Use dot1x smarton retry to configure the maximum attempts for retransmitting an EAP-Request/Notification packet to a client.
Use undo dot1x smarton retry to restore the default.
Syntax
dot1x smarton retry retries
undo dot1x smarton retry
Default
The device allows a maximum of three attempts for retransmitting an EAP-Request/Notification packet to a client.
Default
No SmartOn switch ID is configured.
Views
System view
Predefined user roles
network-admin
Parameters
switch-string: Specifies the SmartOn switch ID, a case-sensitive string of 1 to 30 characters.
Usage guidelines
The device checks the SmartOn switch ID in each received EAP-Response/Notification packet. If the switch ID is not the same as the switch ID on the device, the device stops the 802.1X authentication process for the client that sends this packet.
timer interval, it retransmits the EAP-Request/Notification packet. After the device has made the maximum retransmission attempts but received no response, it stops the 802.1X authentication process for the client.
Examples
# Set the SmartOn client timeout timer to 20 seconds.
<Sysname> system-view
[Sysname] dot1x smarton timer supp-timeout 20
Related commands
• display dot1x
• dot1x smarton retry
dot1x timer
Use dot1x timer to set 802.1X timers.
Use undo dot1x timer to restore the defaults.
server-timeout server-timeout-value: Sets the server timeout timer in seconds. The value range for the server-timeout-value argument is 100 to 300.
supp-timeout supp-timeout-value: Sets the client timeout timer in seconds. The value range for the supp-timeout-value argument is 1 to 120.
tx-period tx-period-value: Sets the username request timeout timer in seconds. The value range for the tx-period-value argument is 10 to 120.
Usage guidelines
In most cases, the default settings are sufficient.
dot1x unicast-trigger
Use dot1x unicast-trigger to enable the 802.1X unicast trigger function.
Use undo dot1x unicast-trigger to disable the function.
Syntax
dot1x unicast-trigger
undo dot1x unicast-trigger
Default
The unicast trigger function is disabled.
Views
Ethernet interface view
Predefined user roles
network-admin
Usage guidelines
The unicast trigger function enables the network access device to initiate 802.1X authentication when it receives a data frame from an unknown source MAC address.
Parameters
interface interface-type interface-number: Specifies a port by its type and number.
mac-address mac-address: Specifies the MAC address of an 802.1X user in the guest VLAN.
Examples
# Remove the 802.1X user with MAC address 1-1-1 from the 802.1X guest VLAN on port GigabitEthernet 2/1/1.
<Sysname> reset dot1x guest-vlan interface gigabitethernet 2/1/1 mac-address 1-1-1
Related commands
dot1x guest-vlan
reset dot1x statistics
Use reset dot1x statistics to clear 802.1X statistics.
MAC authentication commands
In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080.
The commands configured in Ethernet interface view are available only on the following ports: the ports on the HMIM-24GSW/24GSWP and HMIM-8GSW Layer 2 switching modules installed on MSR routers.
display mac-authentication
Use display mac-authentication to display MAC authentication settings and statistics.
MAC address VLAN ID From port Port index
0001-0000-0000 100 GigabitEthernet2/1/2 21
0001-0000-0000 2 GigabitEthernet2/1/3 20
0001-0000-0000 12 GigabitEthernet2/1/4 301
GigabitEthernet2/1/1 is link-up
MAC authentication : Enabled
Authentication domain : Not configured
Auth-delay timer : Enabled
Auth-delay period : 60 s
Re-auth server-unreachable : Logoff
Host mode : Multiple VLAN
Max online users : 256
Authentication attempts : successful 2, failed 3
Current online users : 2
Field Description Max MAC-auth users Maximum number of MAC authentication users each card supports. Online MAC-auth users Number of online MAC authentication users. Silent MAC users Information about silent MAC addresses. MAC address Silent MAC address. VLAN ID ID of the VLAN to which the silent MAC address belongs. From port Name of the port that marks the MAC address as a silent MAC address. Port index Index of the port that marks the MAC address as a silent MAC address.
Views Any view Predefined user roles network-admin network-operator Parameters interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays information about the online MAC authentication users on all ports. slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information about the online MAC authentication users on all cards. (MSR4000.
Online duration: 0h 2m 15s Total 1 connection(s) matched. Table 13 Command output Field Description Slot ID Slot number of the card. (MSR4000.) User MAC address MAC address of the user. Access interface Interface through which the user accesses the device. Authentication domain MAC authentication domain to which the user belongs. Initial VLAN VLAN that holds the user before MAC authentication. Authorization untagged VLAN Untagged VLAN authorized to the user.
Views System view, Ethernet interface view Predefined user roles network-admin Usage guidelines To use MAC authentication on a port, you must enable the feature both globally and on the port. Examples # Enable MAC authentication globally. system-view [Sysname] mac-authentication # Enable MAC authentication on port GigabitEthernet 2/1/1.
2. Global authentication domain specified in system view. 3. Default authentication domain. Examples # Specify domain domain1 as the global MAC authentication domain. system-view [Sysname] mac-authentication domain domain1 # Specify domain aabbcc as the MAC authentication domain on port GigabitEthernet 2/1/1.
Related commands display mac-authentication mac-authentication max-user Use mac-authentication max-user to set the maximum number of concurrent MAC authentication users on a port. Use undo mac-authentication max-user to restore the default. Syntax mac-authentication max-user user-number undo mac-authentication max-user Default The maximum number of concurrent MAC authentication users on a port is 256.
Views Ethernet interface view Predefined user roles network-admin Usage guidelines This command takes effect only after the server assigns the Radius-request action attribute to the authenticated MAC authentication user (see "display mac-authentication connection"). The access device will reauthenticate the user when the session timeout timer expires.
Usage guidelines MAC authentication uses the following timers:
• Offline detect timer—Sets the interval that the device waits for traffic from a user before the device regards the user as idle. If no traffic is received from the user within the interval, the device logs the user out and stops accounting for the user.
• Quiet timer—Sets the interval that the device must wait before the device can perform MAC authentication for a user who has failed MAC authentication.
Examples # Enable MAC authentication delay on interface GigabitEthernet 2/1/1 and set the delay time to 10 seconds. system-view [Sysname] interface gigabitethernet 2/1/1 [Sysname-GigabitEthernet2/1/1] mac-authentication timer auth-delay 10 Related commands • display mac-authentication • port-security port-mode mac-authentication user-name-format Use mac-authentication user-name-format to configure the type of user accounts for MAC authentication users.
• lowercase—Enters letters in lower case. • uppercase—Enters letters in upper case. Usage guidelines If you specify the MAC-based user account, the device uses the MAC address of a user as the username and password for MAC authentication of the user. This user account type ensures high authentication security. However, you must create on the authentication server a user account for each user, using the MAC address of the user as both the username and password.
Related commands display mac-authentication
Portal commands display portal interface Use display portal interface to display portal configuration and portal running state on an interface. Syntax display portal interface interface-type interface-number Views Any view Predefined user roles network-admin network-operator Parameters interface-type interface-number: Specifies an interface by its type and number. Examples # Display portal configuration and portal running state on interface GigabitEthernet 2/1/1.
Authentication domain: my-domain BAS-IPv6:Not configured User detection: Type: ICMPv6 Interval: 300s Attempts: 5 Idle time: 180s Action for server detection: Server type Server name Action Web server wbsv6 fail-permit Portal server ptsv6 fail-permit Layer3 source network: IP address Prefix length 11::5 64 Destination authentication subnet: IP address Prefix length Table 14 Command output Field Description Portal information of interface Portal configuration on the interface.
Field Description Destination authentication subnet Information of the portal authentication destination subnet. IP address IP address of the portal authentication subnet. Mask Subnet mask of the portal authentication subnet. Prefix length Prefix length of the IPv6 portal authentication subnet address.
REQ_AUTH 3 0 0
ACK_AUTH 3 0 0
REQ_LOGOUT 1 0 0
ACK_LOGOUT 1 0 0
AFF_ACK_AUTH 3 0 0
NTF_LOGOUT 1 0 0
REQ_INFO 6 0 0
ACK_INFO 6 0 0
NTF_USERDISCOVER 0 0 0
NTF_USERIPCHANGE 0 0 0
AFF_NTF_USERIPCHAN 0 0 0
ACK_NTF_LOGOUT 1 0 0
NTF_HEARTBEAT 0 0 0
NTF_USER_HEARTBEAT 2 0 0
ACK_NTF_USER_HEARTBEAT 0 0 0
NTF_CHALLENGE 0 0 0
NTF_USER_NOTIFY 0 0 0
AFF_NTF_USER_NOTIFY 0 0 0
Table 15 Command output
Field Description
Portal server Name of the porta
Field Description ACK_INFO Information acknowledgement packet. NTF_USERDISCOVER User discovery notification packet the portal authentication server sent to the access device. NTF_USERIPCHANGE User IP change notification packet the access device sent to the portal authentication server. AFF_NTF_USERIPCHAN User IP change success notification packet the portal authentication server sent to the access device.
dynamic: Displays dynamic portal rules, which are generated after users pass portal authentication. These rules allow packets with specific source IP addresses to pass the interface. static: Displays static portal rules, which are generated after portal authentication is enabled. The interface filters packets by these rules when portal authentication is enabled. interface interface-type interface-number: Specifies an interface by its type and number. slot slot-number: Specifies a card by its slot number.
Interface : GigabitEthernet2/1/1
VLAN : Any
Protocol : TCP
Destination:
IP : 0.0.0.0
Mask : 0.0.0.0
Port : 80
Rule 4:
Type : Static
Action : Deny
Status : Active
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
Interface : GigabitEthernet2/1/1
VLAN : Any
Destination:
IP : 0.0.0.0
Mask : 0.0.0.
Author ACL:
Number : 3001
Rule 3
Type : Static
Action : Redirect
Status : Active
Source:
IP : ::
Prefix length : 0
Interface : GigabitEthernet2/1/1
VLAN : Any
Protocol : TCP
Destination:
IP : ::
Prefix length : 0
Port : 80
Rule 4:
Type : Static
Action : Deny
Status : Active
Source:
IP : ::
Prefix length : 0
Interface : GigabitEthernet2/1/1
VLAN : Any
Destination:
IP : ::
Prefix length : 0
Table 16 Command output
Field Description
Rule Number of the portal rule.
Field Description
Status Status of the portal rule:
• Active—The portal rule is effective.
• Unactuated—The portal rule is not activated.
Source Source information of the portal rule.
IP Source IP address.
Mask Subnet mask of the source IPv4 address.
Prefix length Prefix length of the source IPv6 address.
Port Source transport layer port number.
MAC Source MAC address.
Interface Layer 2 or Layer 3 interface on which the portal rule is implemented.
VLAN Source VLAN ID.
Examples # Display information about portal authentication server pts.
display portal server pts
Portal server: pts
IP : 192.168.0.111
VPN instance : vpn1
Port : 50100
Server detection : Timeout 60s Action: log, trap
User synchronization : Timeout 200s
Status : Up
Table 17 Command output
Field Description
Portal server Name of the portal authentication server.
IP IP address of the portal authentication server.
Predefined user roles network-admin network-operator Parameters all: Displays information about portal users on all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. Examples # Display information about portal users on all interfaces.
display portal user all
Total portal users: 2
Username: abc
Portal server: pts
State: Online
Authorization ACL: None
VPN instance: -
MAC IP VLAN Interface
000d-88f8-0eab 2.2.2.
Field Description Interface Access interface of the portal user. Related commands portal enable display portal web-server Use display portal web-server to display information about portal Web servers. Syntax display portal web-server [ server-name ] Views Any view Predefined user roles network-admin network-operator Parameters server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters.
Field Description
Server detection Parameters for portal Web server detection:
• Detection interval in seconds.
• Maximum number of detection attempts.
• Actions (log and trap) triggered by the reachability status change of the portal Web server.
IPv4/IPv6 status Current state of the portal Web server:
• N/A—Portal Web server detection is disabled. Reachability status of the server is unknown.
• Up—Portal Web server detection is enabled. The server is reachable.
key-string: Specifies the shared key. A plaintext shared key is a case-sensitive string of 1 to 64 characters. A ciphertext shared key is a case-sensitive string of 33 to 117 characters. Usage guidelines A portal authentication server has only one IP address. Therefore, in portal authentication server view, only one IP address exists. A newly configured IP address (IPv4 or IPv6) overrides the old address. Do not configure the same IP address and MPLS L3VPN for different portal authentication servers.
[Sysname-portal-server-pts] port 50000 Related commands portal server portal { bas-ip | bas-ipv6 } Use portal { bas-ip | bas-ipv6 } to configure the BAS-IP or BAS-IPv6 attribute carried in the portal packets sent to a portal authentication server on an interface. Use undo portal { bas-ip | bas-ipv6 } to delete the BAS-IP or BAS-IPv6 attribute on the interface.
You must configure the BAS-IP/BAS-IPv6 attribute on an authentication-enabled interface if the portal device IPv4 or IPv6 address specified on an HP IMC portal authentication server is not the IPv4 or IPv6 address of the interface. Examples # Configure the BAS-IP attribute of outgoing portal packets as 2.2.2.2 on interface GigabitEthernet 2/1/1. system-view [Sysname] interface gigabitethernet 2/1/1 [Sysname-GigabitEthernet2/1/1] portal bas-ip 2.2.2.
system-view [Sysname] interface gigabitethernet 2/1/1 [Sysname-GigabitEthernet2/1/1] portal apply web-server wbs Related commands • display portal interface • portal fail-permit server • portal web-server portal delete-user Use portal delete-user to log out portal users.
Views Interface view Predefined user roles network-admin Parameters ipv6: Specifies an authentication domain for IPv6 portal users. Do not specify this keyword for IPv4 portal users. domain-name: Specifies an ISP authentication domain by its name, a case-insensitive string of 1 to 255 characters. Usage guidelines You can specify both an IPv4 portal authentication domain and an IPv6 portal authentication domain on the interface. Do not specify the ipv6 keyword for IPv4 portal users.
• direct—Direct authentication. • layer3—Cross-subnet authentication. • redhcp—Re-DHCP authentication. Usage guidelines Make sure the device supports IPv6 ACL and IPv6 forwarding before you enable IPv6 portal authentication on the interface. IPv6 portal authentication does not support the re-DHCP authentication mode. Do not add an authentication-enabled interface to an aggregation group. Otherwise, portal authentication cannot take effect on the interface.
Usage guidelines When portal fail-permit is enabled for a portal authentication server and a portal Web server on an interface, the interface disables portal authentication for portal users if either server is unreachable. Portal authentication resumes on the interface when both servers become reachable. After portal authentication resumes, unauthenticated portal users need to pass authentication to access network resources.
You can configure multiple authentication destination subnets. If you do not specify the ipv4-network-address argument in the undo portal free-all except destination command, this command deletes all IPv4 portal authentication destination subnets on the interface. Re-DHCP authentication does not support authentication destination subnets. If you configure both an authentication source subnet and an authentication destination subnet on an interface, only the authentication destination subnet takes effect.
ipv6 ipv6-address: Specifies an IPv6 address for the portal-free rule. prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128. ip any: Represents any IPv4 address. ipv6 any: Represents any IPv6 address. tcp tcp-port-number: Specifies a TCP port number for the portal-free rule, in the range of 0 to 65535. udp udp-port-number: Specifies a UDP port number for the portal-free rule, in the range of 0 to 65535. all: Specifies all portal-free rules.
Views System view Predefined user roles network-admin Parameters rule-number: Specifies a portal-free rule number in the range of 0 to 4294967295. interface interface-type interface-number: Specifies a source interface by its type and number for the portal-free rule. mac mac-address: Specifies a source MAC address for the portal-free rule, in the form of H-H-H. vlan vlan-id: Specifies a source VLAN ID for the portal-free rule. all: Specifies all portal-free rules.
Usage guidelines Portal users on the interface are authenticated when accessing the specified authentication destination subnet (except IP addresses and subnets specified in portal-free rules). The users can access other subnets without portal authentication. You can configure multiple authentication destination subnets.
authentication source subnet, the access device discards all the user's packets that do not match any portal-free rule. If you do not specify the ipv6-network-address argument in the undo portal ipv6 layer3 source command, this command deletes all IPv6 portal authentication source subnets on the interface. Only cross-subnet authentication supports authentication source subnets.
Usage guidelines After online detection of portal users is enabled on the interface, the device periodically sends detection packets of the specified type to login portal users to verify if they are online. The detection process is as follows: When the device receives no packets from a portal user within the configured idle time, the device sends detection packets to the user.
mask-length: Specifies the subnet mask length of the IPv4 address, in the range of 0 to 32. mask: Specifies the subnet mask in dotted decimal format. Usage guidelines With IPv4 authentication source subnets configured, only packets from IPv4 users on the authentication source subnets can trigger portal authentication. If an unauthenticated IPv4 user is not on any authentication source subnet, the access device discards all the user's packets that do not match any portal-free rule.
This command sets the maximum total number of online IPv4 and IPv6 portal users. Examples # Set the maximum number of online portal users allowed in the system to 100. system-view [Sysname] portal max-user 100 Related commands display portal user portal roaming enable Use portal roaming enable to enable portal roaming. Use undo portal roaming enable to disable portal roaming. Syntax portal roaming enable undo portal roaming enable Default Portal roaming is disabled.
Default No portal authentication server is configured on the device. Views System view Predefined user roles network-admin Parameters server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters. Usage guidelines In portal authentication server view, you can configure the following parameters and functions for the portal authentication server: • IP address of the server. • MPLS L3VPN where the portal authentication server resides.
Parameters type: Specifies the type of detection packets. • arp—ARP packets. • icmp—ICMP packets. retry retries: Sets the maximum number of detection attempts, in the range of 1 to 10, and the default is 3. If the device receives no reply from a portal user when this threshold is reached, it logs out the portal user. interval interval: Sets a detection interval in the range of 1 to 1200 seconds. The default interval is 3 seconds. idle time: Sets a user idle timeout in the range of 60 to 3600 seconds.
Default No portal Web server is configured on the device. Views System view Predefined user roles network-admin Parameters server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters. Usage guidelines The portal Web server pushes portal authentication pages to portal users during authentication. The access device redirects HTTP requests of unauthenticated portal users to the portal Web server.
Related commands display portal packet statistics server-detect (portal authentication server view) Use server-detect to enable portal authentication server detection. After server detection is enabled for a portal authentication server, the device periodically detects portal packets from the server to identify its reachability status. Use undo server-detect to restore the default.
[Sysname-portal-server-pts] server-detect timeout 600 log trap Related commands portal server server-detect (portal Web server view) Use server-detect to enable portal Web server detection. Use undo server-detect to restore the default. Syntax server-detect [ interval interval ] [ retry retries ] { log | trap } * undo server-detect Default Portal Web server detection is disabled.
[Sysname-portal-websvr-wbs] server-detect interval 600 retry 2 log trap Related commands portal web-server url Use url to configure a URL for a portal Web server. Use undo url to delete the URL for the portal Web server. Syntax url url-string undo url Default No URL is specified for the portal Web server. Views Portal Web server view Predefined user roles network-admin Parameters url-string: Specifies a URL for the portal Web server, a case-sensitive string of 1 to 256 characters.
Default URL parameters for the portal Web server are not configured. Views Portal Web server view Predefined user roles network-admin Parameters param-name: Specifies a URL parameter name, a case-sensitive string of 1 to 32 characters. Content of the parameter is determined by the following keyword you specify. original-url: Specifies the URL of the original web page that a portal user visits. source-address: Specifies the user IP address. source-mac: Specifies the user MAC address.
Syntax user-sync timeout timeout undo user-sync Default Portal user synchronization is disabled for the portal authentication server. Views Portal authentication server view Predefined user roles network-admin Parameters timeout timeout: Sets a detection timeout for synchronization packets, in the range of 60 to 18000 seconds. The default is 1200 seconds. Usage guidelines Portal user synchronization requires that the portal authentication server support the portal user heartbeat function.
Syntax vpn-instance vpn-instance-name undo vpn-instance Default The portal Web server is considered on the public network. Views Portal Web server view Predefined user roles network-admin Parameters vpn-instance-name: Specifies the name of the MPLS L3VPN where the portal Web server resides, a case-sensitive string of 1 to 31 characters. Usage guidelines A portal Web server belongs to only one MPLS L3VPN. Examples # Configure the MPLS L3VPN for portal Web server wbs as abc.
Port security commands In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. The commands configured in Layer 2 Ethernet interface view are available only on the following ports: The ports on the HMIM-24GSW/24GSWP and HMIM-8GSW switching modules installed on MSR routers.
Authorization : Permitted
Table 20 Command output
Field Description
Port security Status of the port security feature: Enabled or Disabled.
AutoLearn aging time Sticky MAC address aging timer, in minutes.
Disableport timeout Silence period (in seconds) of the port that receives illegal packets.
MAC move Status of MAC move:
• If the function is enabled, this field displays Permitted.
• If the function is disabled, this field displays Denied.
Authorization Indicates whether the authorization information from the authentication server (RADIUS server or local device) is ignored or not:
• Permitted—Authorization information from the authentication server takes effect.
• Ignored—Authorization information from the authentication server does not take effect.
display port-security mac-address block Use display port-security mac-address block to display information about blocked MAC addresses.
--- On slot 2, 1 MAC address(es) found ----- 1 mac address(es) found --- # Display the count of all blocked MAC addresses on the MSR2000 or MSR3000 router. display port-security mac-address block count --- 2 mac address(es) found --- # Display the count of all blocked MAC addresses on the MSR4000 router.
000f-3d80-0d2d GE2/1/1 30 --- On slot 2, 1 MAC address(es) found --- --- 1 mac address(es) found --- # Display information about all blocked MAC addresses of port GigabitEthernet 2/1/1 in VLAN 1 on the MSR2000 or MSR3000 router.
network-operator Parameters interface interface-type interface-number: Specifies a port by its type and number. vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094. count: Displays only the count of the secure MAC addresses. Usage guidelines If you do not specify any parameters, the command displays information about all secure MAC addresses.
Table 22 Command output
Field Description
MAC ADDR Secure MAC address.
VLAN ID ID of the VLAN to which the port belongs.
STATE Type of the MAC address added. Security means it is a secure MAC address.
PORT INDEX Port to which the secure MAC address belongs.
AGING TIME Period of time before the secure MAC address ages out.
• If the secure MAC address is a static MAC address, this field displays NOAGED.
[Sysname-GigabitEthernet2/1/1] port-security authorization ignore Related commands display port-security port-security enable Use port-security enable to enable port security. Use undo port-security enable to disable port security. Syntax port-security enable undo port-security enable Default Port security is disabled. Views System view Predefined user roles network-admin Usage guidelines You must disable global 802.1X and MAC authentication before you enable port security on a port.
Syntax port-security intrusion-mode { blockmac | disableport | disableport-temporarily } undo port-security intrusion-mode Default Intrusion protection is disabled. Views Layer 2 Ethernet interface view Predefined user roles network-admin Parameters blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. This action implements illegal traffic filtering on the port.
In system view: port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ] Default No secure MAC address entry is configured. Views Layer 2 Ethernet interface view, system view Predefined user roles network-admin Parameters sticky mac-address: Specifies a sticky MAC address, in H-H-H format.
[Sysname] port-security enable [Sysname] interface gigabitethernet 2/1/1 [Sysname-GigabitEthernet2/1/1] port-security max-mac-count 100 [Sysname-GigabitEthernet2/1/1] port-security port-mode autolearn # Specify MAC address 0001-0002-0003 in VLAN 4 as a sticky MAC address.
Related commands display port-security port-security max-mac-count Use port-security max-mac-count to set the maximum number of secure MAC addresses that port security allows on a port. Use undo port-security max-mac-count to restore the default. Syntax port-security max-mac-count count-value undo port-security max-mac-count Default Port security does not limit the number of secure MAC addresses on a port.
port-security ntk-mode Use port-security ntk-mode to configure the NTK feature. Use undo port-security ntk-mode to restore the default. Syntax port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly } undo port-security ntk-mode Default NTK is disabled on a port and all frames are allowed to be sent.
Default No OUI value is configured. Views System view Predefined user roles network-admin Parameters index-value: Specifies the OUI index, in the range of 1 to 16. oui-value: Specifies an OUI string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value. Usage guidelines You can configure multiple OUI values. An OUI, the first 24 binary bits of a MAC address, is assigned by IEEE to uniquely identify a device vendor.
Predefined user roles network-admin Parameters Keyword Security mode Description A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC address but to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
Keyword Security mode Description
userlogin-secure-or-mac macAddressOrUserLoginSecure This mode is the combination of the userLoginSecure and macAddressWithRadius modes. In this mode, the port allows one 802.1X authentication user and multiple MAC authentication users to log in.
• For wired users, the port performs MAC authentication upon receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames.
• For wireless users, the port performs 802.1X authentication first.
[Sysname-GigabitEthernet2/1/1] undo port-security port-mode [Sysname-GigabitEthernet2/1/1] port-security port-mode userlogin Related commands • display port-security • port-security max-mac-count port-security timer autolearn aging Use port-security timer autolearn aging to set the secure MAC aging timer. Use undo port-security timer autolearn aging to restore the default.
Syntax port-security timer disableport time-value undo port-security timer disableport Default The port silence period is 20 seconds. Views System view Predefined user roles network-admin Parameters time-value: Specifies the silence period in seconds during which the port remains disabled. The value is in the range of 20 to 300.
Password control commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display password-control Use display password-control to display password control configuration.
Table 23 Command output Field Description Password control Whether the password control feature is enabled. Password aging Whether password expiration is enabled and, if enabled, the expiration time. Password length Whether the minimum password length restriction function is enabled and, if enabled, the setting. Password composition Whether the password composition restriction function is enabled and, if enabled, the settings.
ip ipv4-address: Specifies the IPv4 address of a user. ipv6 ipv6-address: Specifies the IPv6 address of a user. Usage guidelines If you do not specify any arguments, this command displays information about all users in the password control blacklist. If an FTP or virtual terminal line (VTY) user fails authentication, the system adds the user to a password control blacklist. You can use this command to view information about these users in the blacklist.
Views System view Predefined user roles network-admin Parameters aging: Enables the password expiration function. composition: Enables the password composition restriction function. history: Enables the password history function. length: Enables the minimum password length restriction function. Usage guidelines To enable a specific password control function, first enable the global password control feature.
Syntax password-control aging aging-time undo password-control aging Default A password expires after 90 days. The password expiration time for a user group equals the global setting. The password expiration time for a local user equals that of the user group to which the local user belongs. Views System view, user group view, local user view Predefined user roles network-admin Parameters aging-time: Specifies the password expiration time in days, in the range of 1 to 365.
password-control alert-before-expire Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration. Use undo password-control alert-before-expire to restore the default. Syntax password-control alert-before-expire alert-time undo password-control alert-before-expire Default The default is 7 days.
Views System view, user group view, local user view Predefined user roles network-admin Parameters same-character: Refuses a password that contains any character appearing consecutively three or more times. For example, the password aaabc is not complex enough. user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough.
Default In non-FIPS mode, the password using the global composition policy must contain at least one character type and at least one character for each type. In FIPS mode, the password using the global composition policy must contain at least four character types and at least one character for each type. In both non-FIPS and FIPS modes, the password composition policy for a user group is the same as the global policy.
type-length type-length: Specifies the minimum number of characters that are from each type in the password. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode. Usage guidelines The password composition policy depends on the view: • The policy in system view has global significance and applies to all user groups. • The policy in user group view applies to all local users in the user group. • The policy in local user view applies only to the local user.
Default
In non-FIPS mode, the password control feature is disabled globally. In FIPS mode, the password control feature is enabled globally and cannot be disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
A specific password control function takes effect only after the global password control feature is enabled.
times times: Sets the maximum number of times a user can log in after the password expires. The value range is 0 to 10; a value of 0 means that a user cannot log in after the password expires.
Usage guidelines
This command is effective only for non-FTP login users. An FTP user cannot continue to log in after its password expires.
Examples
# Specify that a user can log in five times within 60 days after the password expires.
Related commands
• display password-control
• password-control history enable
• reset password-control blacklist
password-control length
Use password-control length to set the minimum password length.
Use undo password-control length to restore the default.
Syntax
password-control length length
undo password-control length
Default
In non-FIPS mode, the global minimum password length is 10 characters. In FIPS mode, the global minimum password length is 15 characters.
system-view
[Sysname] password-control length 16
# Set the minimum password length to 16 characters for user group test.
[Sysname] user-group test
[Sysname-ugroup-test] password-control length 16
[Sysname-ugroup-test] quit
# Set the minimum password length to 16 characters for device management user abc.
password-control login-attempt
Use password-control login-attempt to configure the login attempt limit. The settings include the maximum number of consecutive login failures and the action to be taken when the maximum number is reached.
Use undo password-control login-attempt to restore the default.
Whether a blacklisted user and user account are locked depends on the locking setting:
• If a user account is permanently locked for a user, the user cannot use this account unless this user account is removed from the password control blacklist. To remove a user account, use the reset password-control blacklist command.
• To use a temporarily locked user account, the user can do either of the following operations:
  { Wait until the locking timer expires.
• display password-control
• display password-control blacklist
• display user-group
• reset password-control blacklist
password-control super aging
Use password-control super aging to set the expiration time for super passwords.
Use undo password-control super aging to restore the default.
Syntax
password-control super aging aging-time
undo password-control super aging
Default
A super password expires after 90 days.
Views
System view
Predefined user roles
network-admin
Parameters
type-number type-number: Specifies the minimum number of character types that a super password must contain. The value range for the type-number argument is 1 to 4 in non-FIPS mode and fixed at 4 in FIPS mode.
type-length type-length: Specifies the minimum number of characters of each character type that a super password must contain. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode.
Examples
# Set the minimum length of super passwords to 16 characters.
system-view
[Sysname] password-control super length 16
Related commands
• display password-control
• password-control length
password-control update-interval
Use password-control update-interval to set the minimum password update interval, which is the minimum interval at which users can change their passwords.
Use undo password-control update-interval to restore the default.
Views
User view
Predefined user roles
network-admin
Parameters
user-name name: Specifies the username of a user account to be removed from the password control blacklist. The username is a case-sensitive string of 1 to 55 characters.
Usage guidelines
Use this command to remove a user account that is blacklisted due to excessive login failures. Then the blacklisted user can use this user account to log in.
Examples
# Remove the user account named test from the password control blacklist.
Related commands
password-control history
Public key management commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
display public-key local public
Use display public-key local public to display local public keys.
Key name: serverkey (default)
Key type: RSA
Time when key pair created: 15:40:48 2011/05/12
Key code:
307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442
762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64
DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E
9D85C13413996ECD093B0203010001
=============================================
Key name: rsa1
Key type: RSA
Time when key pair created: 15:42:26 2011/05/12
Key code:
30819F300D06092A86488
display public-key peer
Use display public-key peer to display information about peer public keys.
Syntax
display public-key peer [ brief | name publickey-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
brief: Displays brief information about all peer public keys. The brief information includes only the key type, key modulus, and key name.
name publickey-name: Displays detailed information about a peer public key, including its key code.
Field | Description
Key code | Public key string.
# Display brief information about all peer public keys.
display public-key peer brief
Type Modulus Name
--------------------------
RSA 1024 idrsa
DSA 1024 10.1.1.1
Table 28 Command output
Field | Description
Type | Key type: RSA, DSA or ECDSA.
Modulus | Key modulus length in bits.
Name | Name of the peer public key.
[Sysname-pkey-public-key-key1]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D1643135877E13B1C531B4
[Sysname-pkey-public-key-key1]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80EB5F52698FCF3D6
[Sysname-pkey-public-key-key1]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE675AC30CB020301
[Sysname-pkey-public-key-key1]0001
[Sysname-pkey-public-key-key1] peer-public-key end
[Sysname]
Related commands
• display public-key local public
• display public-key peer
The key modulus length must be appropriate (see Table 30). The longer the key modulus length, the higher the security, and the longer the key generation time. If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default. You can also assign the default name to another key pair, but the system does not mark the key pair as default. The name of a key pair must be unique among all manually named key pairs that use the same key algorithm.
# Create a local DSA key pair with the default name.
system-view
[Sysname] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+..+................
.......+..........+..............+.............+...+.....+.....
Create the key pair successfully.
# Create a local ECDSA key pair with the name ecdsa1.
system-view
[Sysname] public-key local create ecdsa name ecdsa1
Generating Keys...
Create the key pair successfully.
# In FIPS mode, create a local RSA key pair with the default name.
system-view
[Sysname] public-key local create rsa
The range of public key modulus is (2048 ~ 2048).
It will take a few minutes.Press CTRL+C to abort.
Input the modulus length [default = 2024]:
Generating Keys...
...
Parameters
dsa: Specifies the DSA type.
ecdsa: Specifies the ECDSA type.
rsa: Specifies the RSA type.
name key-name: Specifies the name of a local key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is specified, the command destroys the specified type of local key pairs that take the default names.
public-key local export dsa
Use public-key local export dsa to display local DSA host public keys in a specific format, or export the key in a specific format to a file.
Syntax
public-key local export dsa [ name key-name ] { openssh | ssh2 } [ filename ]
Views
System view
Predefined user roles
network-admin
Parameters
name key-name: Specifies the name of a local DSA key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-).
system-view
[Sysname] public-key local export dsa ssh2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "dsa-key-2011/05/12"
AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3
B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz
WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU
XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH
bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsA
Related commands
• public-key local create
• public-key peer import sshkey
public-key local export rsa
Use public-key local export rsa to display the local RSA host public key in a specific format, or export the key to a specific file.
3. On the peer device, use the public-key peer import sshkey command to import the host public key from the file.
SSH1.5, SSH2.0 and OpenSSH are different public key formats. Choose the proper format that is supported on the device where you import the host public key. In FIPS mode, the device only supports SSH2.0 and OpenSSH.
Examples
# Export the host public key of the local RSA key pair with the default name in OpenSSH format to the file key.pub.
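When the exporting device and the importing device do not agree on a format, the exported host public key must be converted before public-key peer import sshkey will accept it. The SSH2.0 format produced by the ssh2 keyword is the RFC 4716 block shown in the export dsa example (header line, optional Comment header, base64 body, footer), while the OpenSSH format is a single line of key type, base64 blob and comment. The following Python is an added example written for this reference, not code from the HP manual or the device; it converts between the two formats and checks that the key type named in the OpenSSH line matches the type embedded in the blob. The RSA blob it builds is constructed from a made-up modulus purely to exercise the format and is not a usable key; RFC 4716 header continuation lines are not handled.

```python
import base64
import struct


def _ssh_string(data):
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(n):
    """Encode an SSH mpint (big-endian, minimal, sign bit kept clear)."""
    if n == 0:
        return _ssh_string(b"")
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_rsa_blob(e, n):
    """Public key blob as carried in both formats: 'ssh-rsa', e, n."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def blob_key_type(blob):
    """Read the key type string that starts every SSH public key blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def ssh2_to_openssh(text):
    """Convert an RFC 4716 (SSH2.0) block to a one-line OpenSSH key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if (lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----"
            or lines[-1] != "---- END SSH2 PUBLIC KEY ----"):
        raise ValueError("not an SSH2 public key block")
    comment, body = "", []
    for line in lines[1:-1]:
        if ":" in line and not body:      # header lines precede the body
            name, _, value = line.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(line)
    b64 = "".join(body)
    key_type = blob_key_type(base64.b64decode(b64, validate=True))
    return f"{key_type} {b64} {comment}".rstrip()


def openssh_to_ssh2(line):
    """Convert a one-line OpenSSH key to an RFC 4716 (SSH2.0) block."""
    parts = line.split(None, 2)
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    if blob_key_type(blob) != key_type:
        raise ValueError("key type prefix does not match the key blob")
    out = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        out.append(f'Comment: "{comment}"')
    out += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    out.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(out)


# Constructed sample (hypothetical modulus, not a real host key).
SAMPLE_MODULUS = int("C0FFEE" * 20, 16)
SAMPLE_LINE = ("ssh-rsa "
               + base64.b64encode(build_rsa_blob(65537, SAMPLE_MODULUS)).decode()
               + " router-hostkey")

if __name__ == "__main__":
    block = openssh_to_ssh2(SAMPLE_LINE)
    print(block)
    print(ssh2_to_openssh(block) == SAMPLE_LINE)
```

The type check in openssh_to_ssh2 is the useful part for an operator: a key file whose prefix says ssh-rsa but whose blob starts with ssh-dss has been edited or mislabeled, and rejecting it before import avoids installing a peer key that will never verify.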
• public-key peer import sshkey
public-key peer
Use public-key peer to specify a name for a peer public key and enter public key view.
Use undo public-key peer to delete a peer public key.
Syntax
public-key peer keyname
undo public-key peer keyname
Default
The device has no peer public keys.
Views
System view
Predefined user roles
network-admin
Parameters
keyname: Specifies a name for a peer public key, a case-sensitive string of 1 to 64 characters.
Syntax
public-key peer keyname import sshkey filename
undo public-key peer keyname
Default
The device has no peer public keys.
Views
System view
Predefined user roles
network-admin
Parameters
keyname: Specifies a name for a peer public key, a case-sensitive string of 1 to 64 characters.
filename: Specifies a file for saving the local host public key. The file name is a case-insensitive string of 1 to 128 characters, which cannot be hostkey, serverkey, dsakey, ecdsakey, or all dots (.).
PKI commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
By default, the device provides low encryption. To obtain high encryption, you must install the Strong Cryptography feature license. This feature provides stronger cryptography, additional IPsec tunnels, and higher encryption performance.
nequ: Specifies the not-equal operation.
attribute-value: Sets an attribute value, a case-insensitive string of 1 to 128 characters.
Usage guidelines
Different attributes contain different attribute fields:
• Each of the subject name and the issuer name can contain only one DN, but they can contain multiple FQDNs and IP addresses.
• The alternative subject name cannot contain the DN, but it can contain multiple FQDNs and IP addresses.
ca identifier
Use ca identifier to specify the trusted CA.
Use undo ca identifier to remove the trusted CA.
Syntax
ca identifier name
undo ca identifier
Default
No trusted CA is specified.
Views
PKI domain view
Predefined user roles
network-admin
Parameters
name: Specifies the name of the trusted CA, a case-sensitive string of 1 to 63 characters.
Usage guidelines
To obtain a CA certificate, you must specify the trusted CA name.
Predefined user roles
network-admin
Parameters
entity-name: Specifies the name of the entity for certificate request, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A PKI entity describes the identity attributes of an entity for certificate request, including the following information:
• Common name.
• Organization.
• Unit in the organization.
• Locality.
• State and country where the entity resides.
• FQDN.
• IP address.
Parameters
ca: Specifies the CA to accept certificate requests.
ra: Specifies the RA to accept certificate requests.
Usage guidelines
The CA server determines which authority, CA or RA, accepts certificate requests. This authority setting must be consistent with the setting on the CA server. An independent RA is recommended as the authority to accept certificate requests.
Examples
# Specify the RA to accept certificate requests.
performs identity authentication. You can set a password for certificate revocation if the CA server policy requires one.
• Manual request mode—You must manually obtain the CA certificate and submit certificate requests.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text.
Examples
# Set the certificate request mode to auto.
querying the certificate request status after it obtains the certificate or if the maximum number of query attempts is reached. The latter case means the certificate request fails. If the CA server automatically issues certificates, the PKI entity can obtain the certificate immediately after it submits a certificate request. In this case, the PKI entity does not send queries to the CA server.
Examples
# Set the polling interval to 15 minutes, and the maximum number of query attempts to 40.
Examples
# Specify the URL of the registration server as http://169.254.0.100/certsrv/mscep/mscep.dll.
system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll
# Specify the URL of the registration server in VPN instance vpn1 as http://mytest.net/certsrv/mscep/mscep.dll.
system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request url http://mytest.net/certsrv/mscep/mscep.
Default
No country code is set for a PKI entity.
Views
PKI entity view
Predefined user roles
network-admin
Parameters
country-code-string: Specifies a country code, a case-sensitive string of two characters, for example, CN for China.
Examples
# Set CN as the country code of the PKI entity en.
system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] country CN
crl check
Use crl check enable to enable CRL checking.
Use undo crl check enable to disable CRL checking.
• pki validate-certificate
crl url
Use crl url to specify the URL of the CRL repository.
Use undo crl url to remove the configuration.
Syntax
crl url url-string [ vpn-instance vpn-instance-name ]
undo crl url
Default
The URL of the CRL repository is not specified.
system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] crl url http://169.254.0.30
# Specify the URL of the CRL repository as ldap://169.254.0.30 in VPN instance vpn1.
system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl url ldap://169.254.0.
Table 32 Command output
Field | Description
Total PKI certificate access control policies | Total number of certificate access control policies.
permit | If the attributes of a certificate match the attribute rules defined in the attribute group that the policy references, the certificate passes the check and is regarded valid.
deny | If the attributes of a certificate match the attribute rules defined in the attribute group that the policy references, the certificate fails the check and is regarded invalid.
Attribute 2 issuer-name fqdn nctn app
Attribute group name: mygroup2
Attribute 1 subject-name dn ctn def
Attribute 2 issuer-name fqdn nctn fqd
Table 33 Command output
Field | Description
Total PKI certificate attribute groups | Total number of certificate attribute groups.
ctn | Contain operation.
nctn | Not-contain operation.
equ | Equal operation.
nequ | Not-equal operation.
Attribute 1 subject-name dn | Attribute rule 1 defines that the DN in the subject name contains the string of abc.
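The attribute group output above, the operation names in Table 33, and the permit/deny semantics in Table 32 describe a small matching engine: each rule tests one field (dn, fqdn or ip) of the subject name, issuer name or alternative subject name with ctn, nctn, equ or nequ, and an access control policy walks its numbered statements until one statement's group matches. The following Python is an added example written for this reference, not code from the HP manual or the device, and it works on constructed certificate attributes rather than a real X.509 certificate. Two points are assumptions because the page does not state them: a certificate matches an attribute group only when it satisfies every rule in the group, and a certificate that matches no statement is denied. Attribute values are compared case-insensitively, as the page states, and IP addresses are canonicalized before comparison.

```python
import ipaddress

# Constructed certificate attributes (not a real certificate). As the page
# states, subject-name and issuer-name carry one DN plus any number of FQDNs
# and IP addresses; alt-subject-name carries FQDNs and IPs but no DN.
SAMPLE_CERT = {
    "subject-name": {"dn": "C=CN,O=sec,OU=software,CN=abcdef",
                     "fqdn": ["router1.example.test"], "ip": ["10.1.1.1"]},
    "issuer-name": {"dn": "C=CN,O=sec,OU=software,CN=ipsec",
                    "fqdn": ["ca.example.test"], "ip": []},
    "alt-subject-name": {"fqdn": ["alt.example.test"], "ip": ["2001:db8::1"]},
}

# Attribute groups: ordered rules of (attribute, field, operation, value),
# using the page's operation names ctn / nctn / equ / nequ. mygroup2 copies
# the rules shown in the display output; blocked-host is constructed.
SAMPLE_GROUPS = {
    "mygroup2": [("subject-name", "dn", "ctn", "def"),
                 ("issuer-name", "fqdn", "nctn", "fqd")],
    "blocked-host": [("subject-name", "ip", "equ", "10.1.1.1")],
}

# Access control policy statements: (id, action, attribute group name).
SAMPLE_POLICY = [(1, "deny", "blocked-host"), (2, "permit", "mygroup2")]


def _normalize(field, value):
    """attribute-value is case-insensitive (page); IP addresses are also
    canonicalized so textual variants of one address compare equal."""
    if field == "ip":
        try:
            return ipaddress.ip_address(value).compressed
        except ValueError:
            pass
    return value.lower()


def match_rule(cert, rule):
    """True if the certificate satisfies one attribute rule."""
    attribute, field, op, value = rule
    if attribute == "alt-subject-name" and field == "dn":
        raise ValueError("the alternative subject name cannot contain a DN")
    present = cert.get(attribute, {}).get(field, [])
    if isinstance(present, str):          # a DN is a single value
        present = [present]
    have = [_normalize(field, v) for v in present]
    want = _normalize(field, value)
    if op == "ctn":
        return any(want in v for v in have)
    if op == "nctn":
        return not any(want in v for v in have)
    if op == "equ":
        return want in have
    if op == "nequ":
        return want not in have
    raise ValueError(f"unknown operation {op!r}")


def group_matches(cert, rules):
    """Assumption: a certificate matches an attribute group only when it
    satisfies every rule in the group."""
    return bool(rules) and all(match_rule(cert, r) for r in rules)


def evaluate_policy(cert, statements, groups):
    """Walk statements in id order; the first whose group matches decides.
    A certificate matching no statement is treated as denied (assumption)."""
    for stmt_id, action, group_name in sorted(statements):
        if group_matches(cert, groups[group_name]):
            return action, stmt_id
    return "deny", None


if __name__ == "__main__":
    print(evaluate_policy(SAMPLE_CERT, SAMPLE_POLICY, SAMPLE_GROUPS))
```

Ordering the deny statement with the lower id, as in SAMPLE_POLICY, is what makes the block take precedence over the broader permit; with the ids swapped the same certificate would be permitted, which is why the rule command's id argument matters when a policy mixes both actions.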
If you specify the local keyword, this command displays information about all local certificates in the domain. If you specify the peer keyword without a serial number, this command displays brief information about all peer certificates. If you specify a serial number, this command displays detailed information about the specified peer certificate.
Examples
# Display information about the CA certificate in the PKI domain aaa.
Serial Number: bc:05:70:1f:0e:da:0d:10:16:1e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, O=sec, OU=software, CN=ipsec
Validity
Not Before: Jan 7 20:05:44 2011 GMT
Not After : Jan 7 20:05:44 2012 GMT
Subject: O=OpenCA Labs, OU=Users, CN=fips fips-sec
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:b2:38:ad:8c:7d:78:38:37:88:ce:cc:97:17:39:
52:e1:99:b3:de:73:8b:ad:a8:04:f9:a1:f9:0d:67:
d8:95:e2:26:a4:0b:c2:8c:63:32:5d:38:3e:fd:b7:
4a:83:69:0e:
Full Name: URI:http://titan/pki/pub/crl/cacrl.
97:4c:26:14:c2:b5:d9:34:8b:ee:c1:ef:af:1a:f4:
39:da:c5:ae:ab:56:95:b5:be:0e:c3:46:35:c1:52:
29:9c:b7:46:f2:27:80:2d:a4:65:9a:81:78:53:d4:
ca:d3:f5:f3:92:54:85:b3:ab:55:a5:03:96:2b:19:
8b:a3:4d:b2:17:08:8d:dd:81
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:9A:83:29:13:29:D9:62:83:CB:41:D4:75:2E:52:A1:66:38:3C:90:11
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
Netscape Cert Type:
SSL Server
X509v3 Subj
network-operator
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), backslash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Usage guidelines
If no PKI domain is specified, this command displays the status of all certificate requests.
Related commands
• certificate request polling
• pki domain
• pki retrieve-certificate
display pki crl
Use display pki crl domain to display information about the locally saved CRLs.
Syntax
display pki crl domain domain-name
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters.
Serial Number: FCADFA81E1F56F43D3F2D3EF7EB56DE5
Revocation Date: Apr 28 01:33:28 2011 GMT
CRL entry extensions:
Invalidity Date: Apr 28 01:33:09 2011 GMT
Signature Algorithm: sha1WithRSAEncryption
57:ac:00:3e:1e:e2:5f:59:62:04:05:9b:c7:61:58:2a:df:a4:
5c:e5:c0:14:af:c8:e7:de:cf:2a:0a:31:7d:32:da:be:cd:6a:
36:b5:83:e8:95:06:bd:b4:c0:36:fe:91:7c:77:d9:00:0f:9e:
99:03:65:9e:0c:9c:16:22:ef:4a:40:ec:59:40:60:53:4a:fc:
8e:47:57:23:e0:75:0a:a4:1c:0e:2f:3d:e0:b2:87:4d:61:8a:
4a:cb:cb:37:af:51:bd:53:78:76:a1:16:3d:0
Predefined user roles
network-admin
Parameters
fqdn-name-string: Specifies an FQDN, a case-sensitive string of 1 to 255 characters.
Usage guidelines
An FQDN uniquely identifies a PKI entity on a network. It consists of a host name and a domain name in the format of hostname@domainname.
Examples
# Set pki.domain-name.com as the FQDN of the PKI entity en.
system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] fqdn abc@pki.domain.com
ip
Use ip to assign an IP address to a PKI entity.
ldap-server
Use ldap-server to specify an LDAP server for a PKI domain.
Use undo ldap-server to remove the configuration.
Syntax
ldap-server host hostname [ port port-number ] [ vpn-instance vpn-instance-name ]
undo ldap-server
Default
No LDAP server is specified for a domain.
Views
PKI domain view
Predefined user roles
network-admin
Parameters
host host-name: Specifies the host name of an LDAP server, a case-sensitive string of 1 to 255 characters. It can be an IPv4 or IPv6 address or a domain name.
locality
Use locality to set the locality for a PKI entity.
Use undo locality to remove the configuration.
Syntax
locality locality-name
undo locality
Default
No locality is set for a PKI entity.
Views
PKI entity view
Predefined user roles
network-admin
Parameters
locality-name: Specifies a locality, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set a city name as the locality.
Examples
# Set Beijing as the locality of the PKI entity en.
Examples
# Set abc as the organization name of the PKI entity en.
system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] organization abc
organization-unit
Use organization-unit to set the organization unit name for a PKI entity.
Use undo organization-unit to remove the configuration.
Syntax
organization-unit org-unit-name
undo organization-unit
Default
No organization unit name is set for a PKI entity.
vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Usage guidelines
You can abort a certificate request if you want to change some parameters, such as common name, country code, or FQDN, in the certificate request before the CA issues the certificate. Use the display pki certificate request-status command to display the certificate request status.
Examples
# Abort the certificate request for the PKI domain 1.
• rule
pki certificate attribute-group
Use pki certificate attribute-group to create a certificate attribute group and enter its view.
Use undo pki certificate attribute-group to remove a specified certificate attribute group.
Syntax
pki certificate attribute-group group-name
undo pki certificate attribute-group group-name
Default
No certificate attribute group exists.
Predefined user roles
network-admin
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), backslash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
ca: Specifies the CA certificate.
local: Specifies the local certificates.
peer: Specifies the peer certificates.
pki domain
Use pki domain to create a PKI domain and enter its view.
Use undo pki domain to remove a PKI domain.
Syntax
pki domain domain-name
undo pki domain domain-name
Default
No PKI domain exists.
Views
System view
Predefined user roles
network-admin
Parameters
domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), backslash (\), vertical bar (|), colon (:), dot (.
Parameters
entity-name: Specifies the name of a PKI entity, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can configure a variety of attributes for a PKI entity, such as common name, organization, organization unit, locality, state, country, FQDN, and IP address. When you request a certificate, the PKI entity information will be used by the CA as the subject contents in the certificate.
Examples
# Create a PKI entity named en and enter its view.
all: Specifies all certificates, including the CA certificate and local certificates in the PKI domain, excluding the RA certificate.
ca: Specifies the CA certificate.
local: Specifies the local certificates or the local certificates and their private keys.
passphrase p12passwordstring: Specifies a password for encrypting the private key of a local PKCS12 certificate.
3des-cbc: Specifies 3DES_CBC for encrypting the private key of a local certificate.
When you export the local certificates or all certificates in PEM format, if you do not specify the cryptographic algorithm and the challenge password for the private key, this command does not export the private keys of the local certificates. If you specify the cryptographic algorithm and the password, and the local certificates have their private keys, this command can export the local certificates with their private keys.
A1UEBhMCQ04xFDASBgNVBAoMC09wZW5DQSBMYWJzMREwDwYDVQQLDAhzb2Z0d2Fy
ZTENMAsGA1UEAwwEYWJjZDAeFw0xMTA0MjYxMzMxMjlaFw0xMjA0MjUxMzMxMjla
ME0xCzAJBgNVBAYTAkNOMRQwEgYDVQQKDAtPcGVuQ0EgTGFiczEOMAwGA1UECwwF
VXNlcnMxGDAWBgNVBAMMD2Noa3Rlc3QgY2hrdGVzdDCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEA54rUZ0Ux2kApceE4ATpQ437CU6ovuHS5eJKZyky8fhMoTHhE
jE2KfBQIzOZSgo2mdgpkccjr9Ek6IUC03ed1lPn0IG/YaAl4Tjgkiv+w1NrlSvAy
cnPaSUko2QbO9sg3ycye1zqpbbqj775ulGpcXyXYD9OY63/Cp5+DRQ92zGsCAwEA
AaOCAhUwggIRMAkGA1UdEwQCMAAwUAYDVR0gBEkwRzAGBgQqAwMEMAYGB
system-view
[Sysname] pki export domain domain1 pem all des-cbc 111
%The signature usage local certificate:
Bag Attributes
friendlyName:
localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D
subject=/C=CN/O=OpenCA Labs/OU=Users/CN=chktest chktest
issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd
-----BEGIN CERTIFICATE-----
MIIEqjCCA5KgAwIBAgILAOhID4rI04kBfYgwDQYJKoZIhvcNAQELBQAwRTELMAkG
A1UEBhMCQ04xFDASBgNVBAoMC09wZW5DQSBMYWJzMREwDwYDVQQLDAhzb2Z0d2Fy
ZTENMAsGA1UEAwwEYWJjZDAeFw0xMTA0Mj
BwUnFYRlvGe7bSQpXjwi8LTyxHPy+dDVjO5CP+rXx5IiToFy1YGWewkyn/WeswDf
Yx7ZludNus5vKWTihgx2Qalgb+sqUMwI/WUET7ghO2dRxPUdUbgIYF0saTndKPYd
4oBgl6M0SMsHhe9nF5UCAwEAAaOCAVowggFWMA8GA1UdEwEB/wQFMAMBAf8wCwYD
VR0PBAQDAgEGMB0GA1UdDgQWBBQzEQ58yIC54wxodp6JzZvn/gx0CDAfBgNVHSME
GDAWgBQzEQ58yIC54wxodp6JzZvn/gx0CDAZBgNVHREEEjAQgQ5wa2lAb3BlbmNh
Lm9yZzAZBgNVHRIEEjAQgQ5wa2lAb3BlbmNhLm9yZzCBgQYIKwYBBQUHAQEEdTBz
MDIGCCsGAQUFBzAChiZodHRwOi8mdcGl0YW4vcGtpL3B1Yi9jYWNlcnQvY2FjZXJ0
LmNydDAeBggrBgEFBQcwAYYSaHR0cDovL3RpdGFuOjI1NjAvMB0GCCsG
dCvNIUYXXVOGca2iaSOElqCF4CQfV9zLrBtA7giHD49T+JbxLrrJLmdIQMJ+vYdC
sCxIp3YMAiuCahVLZeXklooqwqIXAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAElm7
W2Lp9Xk4nZVIpVV76CkNe8/C+Id00GCRUUVQFSMvo7Pded76bmYX2KzJSz+DlMqy
TdVrgG9Fp6XTFO80aKJGe6NapsfhJHKS+Q7mL0XpXeMONgK+e3dX7rsDxsY7hF+j
0gwsHrjV7kWvwJvDlhzGW6xbpr4DRmdcao19Cr6o=
-----END CERTIFICATE-----
# Export the CA certificate in the PKI domain to a file named cacert in PEM format.
14nKIEbexbPONspebtznxv4/xTjd1aM2rfQ95jJ/SN8H8KIyiYZyIs3t5Q+V35x1
cef+NMWgZBzwXOSP0wC9+pC2ZNiIpg==
-----END CERTIFICATE-----
# Export the local certificates and their private keys in the PKI domain to a file named cert-lo.der in PKCS12 format. The password for the private keys is 123.
system-view
[Sysname] pki export domain domain1 pkcs12 local passphrase 123 filename cert-lo.der
# Export all certificates in the PKI domain to a file named cert-all.p7b in PKCS12 format.
• Use a certificate that is packed with the server generated key pair in a single file. Only certificate files in PKCS12 or PEM format might contain key pairs.
Before you import the certificates, complete the following tasks:
• Use FTP or TFTP to upload the certificate files to the storage media of the device. If FTP or TFTP is not available, you can import the certificates by copying and pasting the certificate contents through the terminal.
The import operation automatically updates or generates the proper key pair. When you perform the import operation, be sure to save the configuration file to avoid data loss.
Examples
# Import the CA certificate file rootca_pem.cer in PEM format to the PKI domain aaa. The certificate file contains the root certificate.
system-view
[Sysname] pki import domain aaa pem ca filename rootca_pem.
Xqd9zEFlBPpoJFtJqXwxHUCKgw6kJeC4CxHvi9ZCJU/upg9IpiguFPoaDOPia+Pm
GbRqSyy55clVde5GOccGN1DZ94DW7AypazgLpBbrkIYAdjFPRmq+zMOdyqsGMTNj
jnheI5l784pNOAKuGi0i/uXmRRcfoMh6qAnK6YZGS7rOLC9CfPmy8fgY+/Sl9d9x
Q00ruO1psxzh9c2YfuaiXFIx0auKl6o5+ZZYn7Rg/xy2Y0awVP+dO925GoAcHO40
cCl6jA/HsGAU9HkpwKHL35lmBDRLEzQeBFcaGwSm1JvRfE4tkJM7+Uz2QHJOfP10
0VLqMgxMlpk3TvBWgzHGJDe7TdzFCDPMPhod8pi4P8gGXmQd01PbyQ==
-----END RSA PRIVATE KEY-----
Bag Attributes
localKeyID: 01 00 00 00
subject=/CN=sldsslserver
issuer=/C=cn/O=ccc/OU=sec/CN=ssl
-----
Overwrite it? [Y/N]:y
The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-).
Please enter the key pair name [default name: bbb]:
The key pair already exists.
Examples
# Display information about the certificate request in the PKCS#10 format.
• You can obtain the CA certificate through the SCEP protocol. If a CA certificate already exists locally, do not obtain the CA certificate again. To obtain a new one, use the pki delete-certificate command to remove the CA certificate and local certificates, and then obtain the CA certificate again.
• You can obtain local certificates or peer certificates through the LDAP protocol.
vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Usage guidelines
CRLs are used to verify the validity of the local certificates and the peer certificates in a PKI domain. To obtain CRLs, a PKI domain must have the proper CA certificate. The device can obtain CRLs from the CRL repository through the HTTP, LDAP, or SCEP protocol.
crls: Specifies a storage path for the CRLs.
dir-path: Specifies a storage path, a case-sensitive string, which cannot start with a slash (/) or contain two dots plus a slash (../). The dir-path argument specifies an absolute path or a relative path, and the path must exist.
Usage guidelines
The specified storage path is a path on the active MPU rather than on other MPUs.
• To verify the local certificates, if the PKI domain has no CRLs, the device looks up the locally saved CRLs. If a proper CRL is found, the device loads the CRL to the PKI domain. Otherwise, the device obtains the proper CRL from the CA server and saves it locally.
• To verify the CA certificate, CRL checking is performed for the CA certificate chain from the current CA to the root CA.
Examples
# Verify the validity of the CA certificate in the PKI domain aaa.
O=sec
OU=software
CN=bca
Subject:
O=OpenCA Labs
OU=Users
CN=fips fips-sec
Verify result: OK
Related commands
• crl check
• pki domain
public-key dsa
Use public-key dsa to specify a DSA key pair for certificate request.
Use undo public-key to remove the configuration.
Syntax
public-key dsa name key-name [ length key-length ]
undo public-key
Default
No key pair is specified.
• If RSA is used, a PKI domain can have two key pairs: one is the signing key pair, and the other is the encryption key pair.
• In a PKI domain, key pairs for different purposes (RSA signing and RSA encryption) do not overwrite each other.
• For DSA, the most recent configuration takes effect.
The specified length is effective on only a key pair to be generated.
length key-length: Specifies the key length, in bits. In non-FIPS mode, the value range is 512 to 2048, and the default is 1024. In FIPS mode, the value must be 2048. A longer key means higher security but more public key calculation time.
Usage guidelines
You can specify a nonexistent key pair in this command. You can get a key pair in any of the following ways:
• Use the public-key local create command to generate a key pair.
undo root-certificate fingerprint
In FIPS mode:
root-certificate fingerpr<br>int sha1 string
undo root-certificate fingerprint
Default
No fingerprint is set.
Views
PKI domain view
Predefined user roles
network-admin
Parameters
md5: Sets an MD5 fingerprint.
sha1: Sets a SHA1 fingerprint.
string: Sets the fingerprint information in hexadecimal notation. If you specify the MD5 keyword, the fingerprint is a string of 32 characters. If you specify the SHA1 keyword, the fingerprint is a string of 40 characters.
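The configured root-certificate fingerprint is what lets the device decide whether a CA certificate it retrieves or imports is the one the operator intended, so the value must be validated at configuration time (right algorithm for the mode, right length) and compared carefully when the certificate arrives. The following Python is an added example written for this reference, not code from the HP manual or the device. It validates a fingerprint setting against the lengths given on the page (32 hexadecimal characters for MD5, 40 for SHA1), enforces the FIPS-mode restriction to sha1, computes a fingerprint over a certificate's DER bytes, and compares it in constant time. The DER bytes used are a constructed stand-in, not a real certificate, so the expected fingerprint is derived in the test rather than quoted.

```python
import hashlib
import hmac
import re

# Fingerprint lengths stated on the page: 32 hex characters for MD5,
# 40 for SHA1. In FIPS mode only the sha1 keyword is available.
FINGERPRINT_HEX_LENGTH = {"md5": 32, "sha1": 40}

# Constructed stand-in for a DER-encoded CA certificate; not a real
# certificate, used only so the example runs offline.
SAMPLE_ROOT_DER = b"\x30\x82\x01\x00" + b"constructed-root-ca-der-bytes" * 8


def parse_fingerprint_setting(algorithm, fingerprint, fips=False):
    """Validate a 'root-certificate fingerprint { md5 | sha1 } string'
    setting: known algorithm, FIPS restriction, exact hex length."""
    algorithm = algorithm.lower()
    if algorithm not in FINGERPRINT_HEX_LENGTH:
        raise ValueError("fingerprint algorithm must be md5 or sha1")
    if fips and algorithm != "sha1":
        raise ValueError("FIPS mode accepts only sha1 fingerprints")
    want = FINGERPRINT_HEX_LENGTH[algorithm]
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % want, fingerprint):
        raise ValueError(f"{algorithm} fingerprint must be {want} "
                         "hexadecimal characters")
    return algorithm, fingerprint.lower()


def certificate_fingerprint(der_bytes, algorithm):
    """A certificate fingerprint is the hash of its DER encoding, in hex."""
    return hashlib.new(algorithm, der_bytes).hexdigest()


def root_certificate_trusted(der_bytes, algorithm, configured, fips=False):
    """True only when the received CA certificate's fingerprint equals the
    configured one; the comparison is constant-time."""
    algorithm, configured = parse_fingerprint_setting(algorithm, configured, fips)
    actual = certificate_fingerprint(der_bytes, algorithm)
    return hmac.compare_digest(actual, configured)


if __name__ == "__main__":
    expected = certificate_fingerprint(SAMPLE_ROOT_DER, "sha1")
    print(root_certificate_trusted(SAMPLE_ROOT_DER, "sha1", expected.upper()))
    print(root_certificate_trusted(SAMPLE_ROOT_DER[:-1] + b"\x00", "sha1", expected))
```

Lower-casing the configured string before comparison is what lets an operator paste a fingerprint in either case; rejecting a 40-character string under the md5 keyword (or the reverse) at configuration time catches the common mistake of pairing the wrong hash with the value copied from the CA's console.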
Related commands
• certificate request mode
• pki import
• pki retrieve-certificate
rule
Use rule to create a rule (or statement). Use undo rule to remove a statement.
Syntax
rule [ id ] { deny | permit } group-name
undo rule id
Default
No statement exists.
Views
PKI certificate access control policy view
Predefined user roles
network-admin
Parameters
id: Assigns a number to the statement, in the range of 1 to 16. The default setting is the smallest unused number in this range.
• pki certificate attribute-group
source
Use source to specify the source IP address for PKI protocol packets. Use undo source to remove the configuration.
Syntax
source { ip | ipv6 } { ip-address | interface interface-type interface-number }
undo source
Default
The source IP address is the IP address of the outgoing interface of the route to the CA.
Views
PKI domain view
Predefined user roles
network-admin
Parameters
ip ip-address: Specifies a source IPv4 address.
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] source ip interface gigabitethernet 1/0/1
# Specify the IPv6 address of the interface GigabitEthernet 1/0/1 as the source IPv6 address of PKI protocol packets.
system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] source ipv6 interface gigabitethernet 1/0/1
state
Use state to set the state or province name for a PKI entity. Use undo state to remove the configuration.
Views
PKI domain view
Predefined user roles
network-admin
Parameters
ike: Specifies the IKE certificate extension so that IKE peers can use the certificates.
ssl-client: Specifies the SSL client certificate extension so that SSL clients can use the certificates.
ssl-server: Specifies the SSL server certificate extension so that SSL servers can use the certificates.
Usage guidelines
If you do not specify any keywords, the undo usage command removes all extensions.
IPsec commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
By default, the device provides low encryption. To obtain high encryption, you must install the Strong Cryptography feature license. This feature provides stronger cryptography, additional IPsec tunnels, and higher encryption performance.
Examples
# Create an IPsec transform set, and specify HMAC-SHA1 as the AH authentication algorithm for the transform set.
system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] ah authentication-algorithm sha1
description
Use description to configure a description for an IPsec policy, IPsec policy template, or IPsec profile. Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is defined.
Parameters
ipv6-policy: Displays information about IPv6 IPsec policies.
policy: Displays information about IPv4 IPsec policies.
policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies an IPsec policy entry by its sequence number in the range of 1 to 65535.
Usage guidelines
• If you do not specify any parameters, this command displays information about all IPsec policies.
Outbound ESP setting:
  ESP SPI: 1500 (0x000005dc)
  ESP string-key: ******
  ESP encryption hex key:
  ESP authentication hex key:
----------------------------
Sequence number: 2
Mode: isakmp
----------------------------
The policy configuration is incomplete:
  Remote-address not set
  ACL not specified
  Transform-set not set
Description: This is my first IPv4 Isakmp policy
Security data flow:
Selector mode: standard
Local address:
Remote address:
Transform set:
IKE profile:
SA duration(time based):
SA duration(traffic
Outbound AH setting:
  AH SPI: 6000 (0x00001770)
  AH string-key: ******
  AH authentication hex key:
Outbound ESP setting:
  ESP SPI: 8000 (0x00001f40)
  ESP string-key: ******
  ESP encryption hex key:
  ESP authentication hex key:
----------------------------
Sequence number: 2
Mode: isakmp
----------------------------
Description: This is my complete policy
Security data flow: 3200
Selector mode: standard
Local address:
Remote address: 5.3.6.
  ESP encryption hex key:
  ESP authentication hex key:
Outbound AH setting:
  AH SPI: 1237 (0x000004d5)
  AH string-key: ******
  AH authentication hex key:
Outbound ESP setting:
  ESP SPI: 1238 (0x000004d6)
  ESP string-key: ******
  ESP encryption hex key:
  ESP authentication hex key:
Table 36 Command output
Field | Description
IPsec Policy | IPsec policy name.
Sequence number | Sequence number of the IPsec policy entry.
Mode | Negotiation mode of the IPsec policy: manual (manual mode) or isakmp (IKE negotiation mode).
Field | Description
AH string-key | AH string key (****** is displayed if the key is configured).
AH authentication hex key | AH authentication hex key (****** is displayed if the key is configured).
ESP string-key | ESP string key (****** is displayed if the key is configured).
ESP encryption hex key | ESP encryption hex key (****** is displayed if the key is configured).
ESP authentication hex key | ESP authentication hex key (****** is displayed if the key is configured).
IPsec Policy Template: template
------------------------------------------------------------------------------
Sequence number: 1
--------------------------------
Description: This is policy template
Security data flow :
IKE profile: None
Remote address: 162.105.10.2
Transform set: testprop
IPsec SA local duration(time based): 3600 seconds
IPsec SA local duration(traffic based): 1843200 kilobytes
# Display information about all IPv6 IPsec policy templates.
display ipsec profile
Use display ipsec profile to display information about IPsec profiles.
Syntax
display ipsec profile [ profile-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPsec profiles.
Examples
# Display information about all IPsec profiles.
Table 38 Command output
Field | Description
IPsec profile | IPsec profile name.
Mode | Negotiation mode used by the IPsec profile. Only the manual mode is available.
Description | Description of the IPsec profile.
Transform set | IPsec transform set referenced by the IPsec profile.
Related commands
ipsec profile
display ipsec sa
Use display ipsec sa to display information about IPsec SAs.
Examples
# Display brief information about IPsec SAs.
display ipsec sa brief
----------------------------------------------------------------------
Interface/Global    Dst Address    SPI    Protocol    Status
----------------------------------------------------------------------
GE2/1/1             10.1.1.1       400    ESP         active
GE2/1/1             255.255.255.
[Inbound ESP SAs]
  SPI: 3564837569 (0xd47b1ac1)
  Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
  SA duration (kilobytes/sec): 4294967295/604800
  SA remaining duration (kilobytes/sec): 1843200/2686
  Max received sequence-number: 5
  Anti-replay check enable: Y
  Anti-replay window size: 32
  UDP encapsulation used for NAT traversal: N
  Status: active
[Outbound ESP SAs]
  SPI: 801701189 (0x2fc8fd45)
  Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
  SA duration (kilobytes/sec): 4294967295/604800
  SA remaining durati
Field | Description
Mode | Negotiation mode used by the IPsec policy: manual or isakmp.
Tunnel id | IPsec tunnel ID.
Encapsulation mode | Encapsulation mode, transport or tunnel.
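An added audit helper (not from the HP reference) that parses the per-SA fields shown in the display ipsec sa output above and flags settings worth reviewing: anti-replay checking disabled, legacy algorithms (DES, 3DES, MD5, NULL) in the transform set, and a remaining lifetime close to expiry. The sample output is constructed to match the field layout on this page; its outbound SA is deliberately given a legacy transform set so that the audit has something to report.

```python
"""Audit `display ipsec sa` verbose output for review-worthy settings.

Added example, not part of the HP command reference. It parses the
per-SA fields the reference documents (SPI, Transform set, SA remaining
duration, Anti-replay check enable, Anti-replay window size, Status).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the field layout in the command reference.
# The outbound SA deliberately uses a legacy transform set and has
# anti-replay checking disabled so the audit has something to report.
SAMPLE_OUTPUT = """\
[Inbound ESP SAs]
  SPI: 3564837569 (0xd47b1ac1)
  Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
  SA duration (kilobytes/sec): 4294967295/604800
  SA remaining duration (kilobytes/sec): 1843200/2686
  Max received sequence-number: 5
  Anti-replay check enable: Y
  Anti-replay window size: 32
  UDP encapsulation used for NAT traversal: N
  Status: active
[Outbound ESP SAs]
  SPI: 801701189 (0x2fc8fd45)
  Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-MD5
  SA duration (kilobytes/sec): 4294967295/604800
  SA remaining duration (kilobytes/sec): 1843200/120
  Max sent sequence-number: 5
  Anti-replay check enable: N
  UDP encapsulation used for NAT traversal: N
  Status: active
"""

SECTION_RE = re.compile(r"^\[(Inbound|Outbound) (ESP|AH) SAs\]$")
# Algorithm keywords from the esp/ah algorithm lists in this reference that a
# reviewer would treat as legacy: DES, 3DES, HMAC-MD5 and NULL encryption.
LEGACY_TOKENS = {"DES", "3DES", "MD5", "NULL"}


@dataclass
class IpsecSa:
    direction: str
    protocol: str
    spi: int
    transform_set: str = ""
    remaining_kb: Optional[int] = None
    remaining_sec: Optional[int] = None
    anti_replay: Optional[bool] = None   # None when the line is absent
    window: Optional[int] = None
    status: str = ""


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """Split the output into one record per SPI, keyed by section header."""
    sas: List[IpsecSa] = []
    direction = protocol = "?"
    cur: Optional[IpsecSa] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            direction, protocol = m.group(1), m.group(2)
            continue
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "SPI":                      # "SPI: 3564837569 (0xd47b1ac1)"
            cur = IpsecSa(direction, protocol, int(value.split()[0]))
            sas.append(cur)
        elif cur is None:
            continue
        elif key == "Transform set":
            cur.transform_set = value
        elif key == "SA remaining duration (kilobytes/sec)":
            kb, _, sec = value.partition("/")
            cur.remaining_kb, cur.remaining_sec = int(kb), int(sec)
        elif key == "Anti-replay check enable":
            cur.anti_replay = value.upper() == "Y"
        elif key == "Anti-replay window size":
            cur.window = int(value)
        elif key == "Status":
            cur.status = value
    return sas


def audit(sas: List[IpsecSa], min_remaining_sec: int = 300) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings: List[str] = []
    for sa in sas:
        tag = f"{sa.direction} {sa.protocol} SPI {sa.spi}"
        tokens = set(re.split(r"[\s-]+", sa.transform_set.upper()))
        legacy = sorted(tokens & LEGACY_TOKENS)
        if legacy:
            findings.append(f"{tag}: legacy algorithm(s) {', '.join(legacy)} in transform set")
        if sa.anti_replay is False:
            findings.append(f"{tag}: anti-replay checking disabled")
        if sa.remaining_sec is not None and sa.remaining_sec < min_remaining_sec:
            findings.append(f"{tag}: {sa.remaining_sec}s of lifetime left, confirm rekey succeeded")
    return findings


if __name__ == "__main__":
    for line in audit(parse_ipsec_sa(SAMPLE_OUTPUT)):
        print(line)
```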
• reset ipsec sa
display ipsec statistics
Use display ipsec statistics to display IPsec packet statistics.
Syntax
display ipsec statistics [ tunnel-id tunnel-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel ID is 0 to 4294967295. You can use the display ipsec tunnel brief command to display the IDs of established IPsec tunnels.
Dropped packets statistics
  No available SA: 0
  Wrong SA: 0
  Invalid length: 0
  Authentication failure: 0
  Encapsulation failure: 0
  Decapsulation failure: 0
  Replayed packets: 0
  ACL check failure: 0
  MTU check failure: 0
  Loopback limit exceeded: 0
  Crypto speed limit exceeded: 0
Table 41 Command output
Field | Description
Received/sent packets | Number of received/sent IPsec-protected packets.
Received/sent bytes | Number of bytes of received/sent IPsec-protected packets.
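The drop counters above are the device's own record of integrity failures, replays and policy mismatches, so a defender will usually poll them and alert on growth rather than read them once. The following added example (not from the HP reference) parses two constructed polls of the "Dropped packets statistics" block, computes the per-counter growth while tolerating a counter reset, and raises alerts for the security-relevant counters; the threshold and the interpretation strings are assumptions.

```python
"""Watch `display ipsec statistics` drop counters between polls.

Added example, not part of the HP command reference. Two polls of the
"Dropped packets statistics" section are constructed here; in practice the
text would be captured from the device CLI.
"""
from typing import Dict, List

# Constructed first poll: every counter still at zero.
POLL_1 = """\
Dropped packets statistics
  No available SA: 0
  Wrong SA: 0
  Invalid length: 0
  Authentication failure: 0
  Encapsulation failure: 0
  Decapsulation failure: 0
  Replayed packets: 0
  ACL check failure: 0
  MTU check failure: 0
  Loopback limit exceeded: 0
  Crypto speed limit exceeded: 0
"""

# Constructed second poll: integrity failures and replays have climbed.
POLL_2 = """\
Dropped packets statistics
  No available SA: 0
  Wrong SA: 0
  Invalid length: 0
  Authentication failure: 37
  Encapsulation failure: 0
  Decapsulation failure: 0
  Replayed packets: 12
  ACL check failure: 1
  MTU check failure: 3
  Loopback limit exceeded: 0
  Crypto speed limit exceeded: 0
"""

# Counters whose growth usually has a security meaning, with the starting
# interpretation a responder would use (assumed; based on this reference).
SECURITY_COUNTERS = {
    "Authentication failure": "ICV check failed: key or algorithm mismatch, corruption, or forged packets",
    "Replayed packets": "anti-replay rejected duplicates or packets outside the window",
    "No available SA": "packets for an SPI the device does not hold (see the IPsec black hole discussion)",
    "ACL check failure": "de-encapsulated packets fell outside the policy ACL",
}


def parse_drop_counters(text: str) -> Dict[str, int]:
    """Return {counter name: value} for the 'Dropped packets statistics' block."""
    counters: Dict[str, int] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Dropped packets statistics"):
            in_section = True
            continue
        if not in_section or ":" not in line:
            continue
        name, _, value = line.partition(":")
        counters[name.strip()] = int(value.strip())
    return counters


def counter_deltas(old: Dict[str, int], new: Dict[str, int]) -> Dict[str, int]:
    """Per-counter growth since the previous poll. A counter that went down is
    treated as having been cleared on the device and is counted from zero."""
    deltas: Dict[str, int] = {}
    for name, cur in new.items():
        prev = old.get(name, 0)
        deltas[name] = cur if cur < prev else cur - prev
    return deltas


def security_alerts(old: Dict[str, int], new: Dict[str, int], threshold: int = 10) -> List[str]:
    """Alert on security-relevant counters that grew by at least `threshold`."""
    alerts: List[str] = []
    for name, delta in counter_deltas(old, new).items():
        if name in SECURITY_COUNTERS and delta >= threshold:
            alerts.append(f"{name} +{delta}: {SECURITY_COUNTERS[name]}")
    return alerts


if __name__ == "__main__":
    for alert in security_alerts(parse_drop_counters(POLL_1), parse_drop_counters(POLL_2)):
        print(alert)
```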
Predefined user roles
network-admin
network-operator
Parameters
transform-set-name: Specifies an IPsec transform set by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
If you do not specify an IPsec transform set, this command displays information about all IPsec transform sets.
Examples
# Display information about all IPsec transform sets.
display ipsec tunnel
Use display ipsec tunnel to display information about IPsec tunnels.
Syntax
display ipsec tunnel { brief | count | tunnel-id tunnel-id }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
brief: Displays brief information about IPsec tunnels.
count: Displays the number of IPsec tunnels.
tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel ID is 0 to 4294967295.
Field | Description
Status | Stateful failover status of the IPsec SA: active or backup. In the current version, this field always displays active.
# Display the number of IPsec tunnels.
display ipsec tunnel count
Total IPsec Tunnel Count: 2
# Display information about all IPsec tunnels.
remote address: 2.2.2.2
Flow: as defined in ACL 3100
Table 44 Command output
Field | Description
Tunnel ID | IPsec tunnel ID, used to uniquely identify an IPsec tunnel.
Status | IPsec tunnel status. Only active is available.
tunnel: Uses the tunnel mode for IP packet encapsulation.
Usage guidelines
IPsec supports the following encapsulation modes:
• Transport mode—The security protocols protect the upper layer data of an IP packet. Only the transport layer data is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are placed after the original IP header.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
md5: Uses the HMAC-MD5 algorithm, which uses a 128-bit key.
sha1: Uses the HMAC-SHA1 algorithm, which uses a 160-bit key.
Usage guidelines
In non-FIPS mode, you can specify multiple ESP authentication algorithms for one IPsec transform set, and an algorithm specified earlier has a higher priority. For a manual or IKEv1-based IPsec policy, the first specified ESP authentication algorithm takes effect.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
3des-cbc: Uses the 3DES algorithm in CBC mode, which uses a 168-bit key.
aes-cbc-128: Uses the AES algorithm in CBC mode, which uses a 128-bit key.
aes-cbc-192: Uses the AES algorithm in CBC mode, which uses a 192-bit key.
aes-cbc-256: Uses the AES algorithm in CBC mode, which uses a 256-bit key.
des-cbc: Uses the DES algorithm in CBC mode, which uses a 64-bit key.
null: Uses the NULL algorithm, which means encryption is not performed.
Parameters
profile-name: Specifies an IKE profile by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
The IKE profile referenced by an IPsec policy or IPsec policy template defines the parameters used for IKE negotiation. An IPsec policy or IPsec policy template can reference only one IKE profile, and it cannot reference an IKE profile that is already referenced by another IPsec policy or IPsec policy template.
[Sysname] ipsec anti-replay check
Related commands
ipsec anti-replay window
ipsec anti-replay window
Use ipsec anti-replay window to set the anti-replay window size. Use undo ipsec anti-replay window to restore the default.
Syntax
ipsec anti-replay window width
undo ipsec anti-replay window
Default
The anti-replay window size is 64.
Views
System view
Predefined user roles
network-admin
Parameters
width: Specifies the size of the anti-replay window. It can be 64, 128, 256, 512, or 1024 packets.
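The width set here bounds how far behind the highest sequence number a packet may arrive and still be checked rather than dropped, which is the trade-off between replay protection and tolerance for reordering (for example by QoS queueing). The following added example (not from the HP reference) implements the sliding-window check in the style of RFC 4303 Appendix A so the effect of the width on a constructed reordered stream can be tried offline; it accepts exactly the widths the command allows.

```python
"""Sliding-window anti-replay check, the mechanism that the ipsec anti-replay
window command sizes.

Added example, not part of the HP command reference. It follows the bitmap
scheme of RFC 4303 Appendix A so that the effect of the window width on
reordered traffic can be tried out offline.
"""
from typing import Dict, Iterable

# Widths the command accepts, per the reference above.
VALID_WIDTHS = (64, 128, 256, 512, 1024)


class AntiReplayWindow:
    def __init__(self, width: int = 64) -> None:
        if width not in VALID_WIDTHS:
            raise ValueError(f"width must be one of {VALID_WIDTHS}")
        self.width = width
        self.top = 0            # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => sequence number (top - i) was seen
        self.mask = (1 << width) - 1

    def check(self, seq: int) -> str:
        """Return 'accepted', 'replayed', 'too old' or 'invalid'; state is
        updated only when the packet is accepted."""
        if seq <= 0:
            return "invalid"            # ESP sequence numbers start at 1
        if seq > self.top:              # new high-water mark: slide the window
            shift = seq - self.top
            if shift >= self.width:
                self.bitmap = 1         # everything previously seen fell out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            return "accepted"
        offset = self.top - seq
        if offset >= self.width:
            return "too old"            # possibly legitimate, but delayed beyond the window
        if (self.bitmap >> offset) & 1:
            return "replayed"           # duplicate inside the window
        self.bitmap |= 1 << offset
        return "accepted"


def run(seqs: Iterable[int], width: int = 64) -> Dict[str, int]:
    """Feed a sequence-number stream through one window and tally the verdicts."""
    win = AntiReplayWindow(width)
    tally = {"accepted": 0, "replayed": 0, "too old": 0, "invalid": 0}
    for seq in seqs:
        tally[win.check(seq)] += 1
    return tally


# Constructed stream: 100 packets in order except that packet 20 arrives last,
# i.e. 80 positions late. A 64-wide window drops it as too old; 128 accepts it.
DELAYED_STREAM = [s for s in range(1, 101) if s != 20] + [20]

if __name__ == "__main__":
    for width in (64, 128):
        print(width, run(DELAYED_STREAM, width))
```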
Default
No IPsec policy is applied to an interface.
Views
Interface view
Predefined user roles
network-admin
Parameters
ipv6-policy: Specifies an IPv6 IPsec policy.
policy: Specifies an IPv4 IPsec policy.
policy-name: Name of an IPsec policy, a case-insensitive string of 1 to 63 characters.
Usage guidelines
You can apply only one IPsec policy on an interface. To apply a new IPsec policy to the interface, you must first remove the IPsec policy that is already applied to the interface.
Usage guidelines
In tunnel mode, the IP packet encapsulated in an inbound IPsec packet might not be covered by the ACL specified in the IPsec policy. After being de-encapsulated, such packets pose a threat to network security. In this scenario, you can enable ACL checking for de-encapsulated IPsec packets. All packets that fail the check are discarded, which improves network security.
Examples
# Enable ACL checking for de-encapsulated IPsec packets.
Default
The DF bit is not set for outer IP headers of encapsulated IPsec packets on an interface. The global DF bit setting is used.
Views
Interface view
Predefined user roles
network-admin
Parameters
clear: Clears the DF bit for outer IP headers. In this case, the encapsulated IPsec packets can be fragmented.
copy: Copies the DF bit of the original IP headers to the outer IP headers.
set: Sets the DF bit for outer IP headers. In this case, the encapsulated IPsec packets cannot be fragmented.
Views
System view
Predefined user roles
network-admin
Parameters
clear: Clears the DF bit for outer IP headers. In this case, the encapsulated IPsec packets can be fragmented.
copy: Copies the DF bit of the original IP headers to the outer IP headers.
set: Sets the DF bit for outer IP headers. In this case, the encapsulated IPsec packets cannot be fragmented.
Usage guidelines
This command is effective only when the IPsec encapsulation mode is tunnel mode.
policy: Specifies an IPv4 IPsec policy.
policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies a sequence number for the IPsec policy, in the range of 1 to 65535.
isakmp: Establishes IPsec SAs through IKE negotiation.
manual: Establishes IPsec SAs manually.
Usage guidelines
When you create an IPsec policy, you must specify the SA setup mode (isakmp or manual).
Predefined user roles
network-admin
Parameters
ipv6-policy: Specifies an IPv6 IPsec policy.
policy: Specifies an IPv4 IPsec policy.
policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies a sequence number for the IPsec policy, in the range of 1 to 65535. A smaller number indicates a higher priority.
isakmp template template-name: Specifies an IPsec policy template by its name, a case-insensitive string of 1 to 64 characters.
Parameters
ipv6-policy: Specifies an IPv6 IPsec policy.
policy: Specifies an IPv4 IPsec policy.
policy-name: Name of an IPsec policy, a case-insensitive string of 1 to 63 characters.
local-address interface-type interface-number: Specifies the shared source interface by its type and number.
Usage guidelines
For high availability, two interfaces can operate in backup or load sharing mode.
Predefined user roles
network-admin
Parameters
ipv6-policy-template: Specifies an IPv6 IPsec policy template.
policy-template: Specifies an IPv4 IPsec policy template.
template-name: Specifies a name for the IPsec policy template, a case-insensitive string of 1 to 64 characters.
seq-number: Specifies a sequence number for the IPsec policy template, in the range of 1 to 65535. A smaller number indicates a higher priority.
Predefined user roles
network-admin
Parameters
profile-name: Specifies a name for the IPsec profile, a case-insensitive string of 1 to 63 characters.
manual: Specifies the IPsec SA setup mode as manual.
Usage guidelines
When you create an IPsec profile, you must specify the IPsec SA setup mode (manual). When you enter the view of an existing IPsec profile, you do not need to specify the IPsec SA setup mode. An IPsec profile is similar to a manual IPsec policy.
When IKE negotiates IPsec SAs, it uses the local lifetime settings or those proposed by the peer, whichever are smaller. An IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires. Before the IPsec SA expires, IKE negotiates a new IPsec SA, which takes over immediately after its creation. Examples # Configure the global IPsec SA lifetime as 7200 seconds.
Related commands
• display ipsec sa
• sa idle-time
ipsec transform-set
Use ipsec transform-set to create an IPsec transform set and enter IPsec transform set view. Use undo ipsec transform-set to delete an IPsec transform set.
Syntax
ipsec transform-set transform-set-name
undo ipsec transform-set transform-set-name
Default
No IPsec transform set exists.
Default
The primary IPv4 address of the interface to which the IPsec policy is applied is used as the local IPv4 address. The first IPv6 address of the interface to which the IPsec policy is applied is used as the local IPv6 address.
Views
IPsec policy view, IPsec policy template view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the local IPv4 address for the IPsec tunnel.
ipv6 ipv6-address: Specifies the local IPv6 address for the IPsec tunnel.
Predefined user roles
network-admin
Parameters
dh-group1: Uses the 768-bit Diffie-Hellman group.
dh-group2: Uses the 1024-bit Diffie-Hellman group.
dh-group5: Uses the 1536-bit Diffie-Hellman group.
dh-group14: Uses the 2048-bit Diffie-Hellman group.
dh-group24: Uses the 2048-bit Diffie-Hellman group with a 256-bit subgroup.
Usage guidelines
The two tunnel ends must use the same security protocol in the IPsec transform set.
Examples
# Specify the AH protocol for the IPsec transform set.
system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] protocol ah
qos pre-classify
Use qos pre-classify to enable the QoS pre-classify feature. Use undo qos pre-classify to restore the default.
Syntax
qos pre-classify
undo qos pre-classify
Default
The QoS pre-classify feature is disabled.
Views
IPsec policy view, IPsec policy template view
Predefined user roles
network-admin
Parameters
ipv6: Specifies a remote IPv6 address. If you do not specify this keyword, you specify an IPv4 address or host name.
hostname: Specifies the remote host name, a case-insensitive string of 1 to 255 characters. The host name can be resolved to an IP address by the DNS server.
ipv4-address: Specifies a remote IPv4 address.
ipv6-address: Specifies a remote IPv6 address.
Related commands
• ip host (see Layer 3—IP Services Command Reference)
• local-address
reset ipsec sa
Use reset ipsec sa to clear IPsec SAs.
address, the security protocol, and the SPI, where the remote IP address can be any valid address if the SAs are established by IPsec profiles. To clear IPsec SAs by specifying a triplet in the inbound direction, you should provide the SPI and use any valid values for the other two parameters. After a manual IPsec SA is cleared, the system automatically creates a new SA based on the parameters of the IPsec policy.
reverse-route dynamic
Use reverse-route dynamic to enable the IPsec reverse route injection (RRI) feature. Use undo reverse-route dynamic to disable IPsec RRI.
Syntax
reverse-route dynamic
undo reverse-route dynamic
Default
IPsec RRI is disabled.
Views
IPsec policy view, IPsec policy template view
Predefined user roles
network-admin
Usage guidelines
IPsec RRI is usually used on a gateway device at the headquarters side in an IPsec VPN.
reverse-route preference
Use reverse-route preference to change the preference of the static routes created by IPsec RRI. Use undo reverse-route preference to restore the default.
Syntax
reverse-route preference number
undo reverse-route preference
Default
The preference for the static routes created by IPsec RRI is 60.
Views
IPsec policy view, IPsec policy template view
Predefined user roles
network-admin
Parameters
number: Sets a preference value. The value range is 1 to 255.
Predefined user roles
network-admin
Parameters
tag-value: Sets a tag value. The value range is 1 to 4294967295.
Usage guidelines
When you change this tag value in an IPsec policy, the device deletes all IPsec SAs created by this IPsec policy, and all associated static routes.
Examples
# Set the tag value to 50 for the static routes created by IPsec RRI.
Examples
# Set the SA lifetime for the IPsec policy policy1 to 7200 seconds.
system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200
# Set the SA lifetime for the IPsec policy policy1 to 20 MB. The IPsec SA expires after transmitting 20480 bytes.
In an IPsec profile to be applied to an IPv6 routing protocol, the local authentication keys of the inbound and outbound SAs must be identical. If you configure a key in different formats, only the most recent configuration takes effect. The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.
Usage guidelines
This command applies only to manual IPsec policies and IPsec profiles.
You must set an encryption key for both the inbound and outbound SAs. The local inbound SA must use the same encryption key as the remote outbound SA, and the local outbound SA must use the same encryption key as the remote inbound SA.
In an IPsec profile to be applied to an IPv6 routing protocol, the local encryption keys of the inbound and outbound SAs must be identical.
Usage guidelines
This function applies only to IPsec SAs negotiated by IKE and takes effect when the ipsec sa idle-time command has been configured. The IPsec SA idle timeout configured in IPsec policy view or IPsec policy template view takes precedence over the global IPsec SA idle timeout configured by the ipsec sa idle-time command.
Examples
# Set the IPsec SA idle timeout to 600 seconds for the IPsec policy.
When you configure an IPsec policy or IPsec profile for an IPv6 routing protocol, follow these guidelines:
• The local inbound and outbound SAs must use the same SPI.
• The IPsec SAs on the devices in the same scope must have the same key. The scope is defined by protocols. For OSPF, the scope consists of OSPF neighbors or an OSPF area. For RIPng, the scope consists of directly-connected neighbors or a RIPng process. For BGP, the scope consists of BGP peers or a BGP peer group.
Usage guidelines
This command applies only to manual IPsec policies and IPsec profiles.
You must set a key for both inbound and outbound SAs. The local inbound SA must use the same key as the remote outbound SA, and the local outbound SA must use the same key as the remote inbound SA.
If you configure a key in different formats, only the most recent configuration takes effect.
The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal or character format).
Views
IPsec policy view, IPsec policy template view
Predefined user roles
network-admin
Parameters
ipv6: Specifies an IPv6 ACL.
acl-number: Specifies an ACL by its number in the range of 3000 to 3999.
name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.
aggregation: Specifies the data protection mode as aggregation. The device does not support protecting IPv6 data flows in aggregation mode.
per-host: Specifies the data protection mode as per-host.
• display ipsec tunnel
snmp-agent trap enable ipsec
Use snmp-agent trap enable ipsec to enable SNMP notifications for IPsec. Use undo snmp-agent trap enable ipsec to disable SNMP notifications for IPsec.
Examples
To enable SNMP notifications when an IPsec tunnel is created, execute the following commands:
# Enable SNMP notifications for IPsec globally.
system-view
[Sysname] snmp-agent trap enable ipsec global
# Enable SNMP notifications for IPsec tunnel creation events.
[Sysname] snmp-agent trap enable ipsec tunnel-start
transform-set
Use transform-set to reference an IPsec transform set for an IPsec policy, IPsec policy template, or IPsec profile.
Related commands
• ipsec { ipv6-policy | policy }
• ipsec profile
• ipsec transform-set
IKE commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
By default, the device provides low encryption. To obtain high encryption, you must install the Strong Cryptography feature license. This feature provides stronger cryptography, additional IPsec tunnels, and higher encryption performance.
authentication-method
Use authentication-method to specify an authentication method to be used in an IKE proposal. Use undo authentication-method to restore the default.
Syntax
authentication-method { dsa-signature | pre-share | rsa-signature }
undo authentication-method
Default
The IKE proposal uses the pre-shared key as the authentication method.
Views
IKE proposal view
Predefined user roles
network-admin
Parameters
dsa-signature: Specifies DSA signatures as the authentication method.
Syntax
certificate domain domain-name
undo certificate domain domain-name
Default
No PKI domain is specified for IKE negotiation.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. If you do not specify this argument, all PKI domains configured on the device are used for enrollment, authentication, certificate issuing, validation, and signature.
dh { group1 | group14 | group2 | group24 | group5 }
undo dh
In FIPS mode:
dh group14
undo dh
Default
In non-FIPS mode, group1, the 768-bit Diffie-Hellman group, is used. In FIPS mode, group14, the 2048-bit Diffie-Hellman group, is used.
Views
IKE proposal view
Predefined user roles
network-admin
Parameters
group1: Uses the 768-bit Diffie-Hellman group.
group14: Uses the 2048-bit Diffie-Hellman group.
group2: Uses the 1024-bit Diffie-Hellman group.
Predefined user roles
network-admin
network-operator
Usage guidelines
This command displays the configuration information about all IKE proposals in descending order of proposal priorities. If no IKE proposal is configured, the command displays the default IKE proposal.
Examples
# Display the configuration information about all IKE proposals.
Predefined user roles
network-admin
network-operator
Parameters
verbose: Displays detailed information.
connection-id connection-id: Displays detailed information about IKE SAs by connection ID in the range of 1 to 2000000000.
remote-address: Displays detailed information about IKE SAs with the specified remote address.
ipv6: Specifies an IPv6 address.
remote-address: Remote IP address.
vpn-instance vpn-name: Displays detailed information about IKE SAs in an MPLS L3VPN.
Profile: prof1
Transmitting entity: Initiator
---------------------------------------------
Local IP: 4.4.4.4
Local ID type: IPV4_ADDR
Local ID: 4.4.4.4
Remote IP: 4.4.4.5
Remote ID type: IPV4_ADDR
Remote ID: 4.4.4.
Table 47 Command output
Field | Description
Connection ID | Identifier of the IKE SA.
Outside VPN | VPN instance name of the MPLS L3VPN to which the receiving interface belongs.
Inside VPN | VPN instance name of the MPLS L3VPN to which the protected data belongs.
Profile | Name of the matching IKE profile found in the IKE SA negotiation. If no matching profile is found, this field displays nothing.
Transmitting entity | Role of the IKE negotiation entity: Initiator or Responder.
Predefined user roles
network-admin
Parameters
interval interval-seconds: Specifies a period of time in seconds. The value range is from 1 to 300.
• If the on-demand keyword is specified, this parameter specifies the number of seconds during which no IPsec packet is received before DPD is triggered if the local end has IPsec traffic to send.
• If the periodic keyword is specified, this parameter specifies a DPD triggering interval.
encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }
undo encryption-algorithm
Default
For low encryption, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode. For high encryption in non-FIPS mode, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode. In FIPS mode, an IKE proposal uses the 128-bit AES encryption algorithm in CBC mode.
exchange-mode { aggressive | main }
undo exchange-mode
In FIPS mode:
exchange-mode main
undo exchange-mode
Default
Main mode is used for phase 1.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
aggressive: Specifies the aggressive mode.
main: Specifies the main mode.
Usage guidelines
When a user at the local end of an IPsec tunnel obtains an IP address automatically and pre-shared key authentication is used, HP recommends specifying the aggressive mode at the local end.
Parameters
interval interval-seconds: Specifies a period of time in seconds. The value range is from 1 to 300.
• If the on-demand keyword is specified, this parameter specifies the number of seconds during which no IPsec packet is received before DPD is triggered if the local end has IPsec traffic to send.
• If the periodic keyword is specified, this parameter specifies a DPD triggering interval.
retry seconds: Specifies the number of seconds between DPD retries if the DPD message fails.
Parameters
address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the identity.
dn: Uses the DN in the digital signature as the identity.
fqdn fqdn-name: Uses the FQDN name as the identity. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, for example, www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN.
user-fqdn user-fqdn-name: Uses the user FQDN name as the identity.
Usage guidelines
An IPsec "black hole" occurs when one IPsec peer fails (for example, because it reboots) and so loses its SAs with the other peer. When an IPsec peer receives a data packet for which it cannot find an SA, it encounters an invalid SPI. The peer drops the data packet and tries to send an invalid SPI notification to the data originator. This notification is sent by using the IKE SA. When no IKE SA is available, the notification is not sent.
Related commands
ike keepalive timeout
ike keepalive timeout
Use ike keepalive timeout to set the IKE keepalive timeout time. Use undo ike keepalive timeout to restore the default.
Syntax
ike keepalive timeout seconds
undo ike keepalive timeout
Default
The negotiated aging time for the IKE SA applies.
Views
System view
Predefined user roles
network-admin
Parameters
seconds: Specifies the number of seconds between IKE keepalives. The value is in the range of 20 to 28800.
Default
No IKE keychain is configured.
Views
System view
Predefined user roles
network-admin
Parameters
keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters.
vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IKE keychain belongs. The vpn-name argument is a case-sensitive string of 1 to 31 characters. To create an IKE keychain for the public network, do not specify this option.
Usage guidelines
The supported maximum number of half-open IKE SAs depends on the device's processing capability. Adjust the maximum number of half-open IKE SAs to make full use of the device's processing capability without affecting the IKE SA negotiation efficiency.
The supported maximum number of established IKE SAs depends on the device's memory space. Adjust the maximum number of established IKE SAs to make full use of the device's memory space without affecting other applications in the system.
ike profile
Use ike profile to create an IKE profile and enter IKE profile view.
Use undo ike profile to delete an IKE profile.
Syntax
ike profile profile-name
undo ike profile profile-name
Default
No IKE profile is configured.
Views
System view
Predefined user roles
network-admin
Parameters
profile-name: Specifies an IKE profile name, a case-insensitive string of 1 to 63 characters.
Examples
# Create IKE profile 1 and enter its view.
Predefined user roles
network-admin
Parameters
proposal-number: Specifies an IKE proposal number in the range of 1 to 65535. The lower the number, the higher the priority of the IKE proposal.
Usage guidelines
During IKE negotiation:
• The initiator sends its IKE proposals to the peer.
    • If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals referenced by the IKE profile to the peer.
Usage guidelines
If the aggressive IKE SA negotiation mode and signature authentication are used, configure this command on the local device when the device interconnects with a peer device that runs a Comware V5-based release. The V5-based release supports only DN for signature authentication.
If the ike signature-identity from-certificate command is not configured, the local-identity command configuration, if configured, takes precedence over the ike identity command configuration.
[Sysname-ike-profile-prof1] inside-vpn vpn-instance vpn1

keychain
Use keychain to specify an IKE keychain for pre-shared key authentication.
Use undo keychain to remove the IKE keychain reference.
Syntax
keychain keychain-name
undo keychain keychain-name
Default
No IKE keychain is specified for an IKE profile.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the local ID.
dn: Uses the DN in the local certificate as the local ID.
fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN.
Views
IKE keychain view
Predefined user roles
network-admin
Parameters
interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface.
ipv4-address: Specifies the IPv4 address of a local interface.
ipv6 ipv6-address: Specifies the IPv6 address of a local interface.
vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IPv4 or IPv6 address belongs. The vpn-name argument is a case-sensitive string of 1 to 31 characters.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface.
ipv4-address: Specifies the IPv4 address of a local interface.
ipv6 ipv6-address: Specifies the IPv6 address of a local interface.
vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IPv4 or IPv6 address belongs. The vpn-name argument is a case-sensitive string of 1 to 31 characters.
Default
No peer ID is configured for IKE profile matching.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
certificate policy-name: Uses the DN in the peer's digital certificate as the peer ID for IKE profile matching. The policy-name argument is a string of 1 to 31 characters.
identity: Uses the specified information as the peer ID for IKE profile matching. The specified information is configured on the peer by using the local-identity command.
Related commands
local-identity

pre-shared-key
Use pre-shared-key to configure a pre-shared key.
Use undo pre-shared-key to remove a pre-shared key.
Syntax
pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key { cipher cipher-key | simple simple-key }
undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name }
Default
No pre-shared key is configured.
For security purposes, all pre-shared keys, including those configured in plain text, are saved in cipher text to the configuration file.
Examples
# Create IKE keychain key1 and enter IKE keychain view.
system-view
[Sysname] ike keychain key1
# Set the pre-shared key to be used for IKE negotiation with peer 1.1.1.2 to 123456TESTplat&!.
[Sysname-ike-keychain-key1] pre-shared-key address 1.1.1.2 255.255.255.
priority (IKE profile view)
Use priority to specify a priority for an IKE profile.
Use undo priority to restore the default.
Syntax
priority number
undo priority
Default
The priority of an IKE profile is 100.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
priority number: Specifies a priority number in the range of 1 to 65535. The smaller the priority number, the higher the priority.
Predefined user roles
network-admin
Parameters
proposal-number&<1-6>: Specifies a space-separated list of up to six IKE proposals by their numbers in the range of 1 to 65535. An IKE proposal specified earlier has a higher priority.
Usage guidelines
When acting as the initiator, the device sends the specified IKE proposals to its peer for IKE negotiation. When acting as the responder, the device uses the IKE proposals configured in system view to match the IKE proposals received from the initiator.
# Delete the IKE SA with the connection ID 2.
reset ike sa 2
# Display the current IKE SAs.
display ike sa
Total IKE SAs: 1
Connection-ID   Remote            Flag         DOI
---------------------------------------------------------
1               202.38.0.2        RD|ST        IPSEC
Flags:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

reset ike statistics
Use reset ike statistics to clear IKE MIB statistics.
Parameters
seconds: Specifies the IKE SA lifetime in seconds, in the range of 60 to 604800.
Usage guidelines
If the communicating peers are configured with different IKE SA lifetime settings, the smaller setting takes effect.
Before an IKE SA expires, IKE negotiates a new SA. The new SA takes effect immediately after it is negotiated. The old IKE SA is cleared when it expires.
Examples
# Set the IKE SA lifetime to 600 seconds for IKE proposal 1.
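The proposal-matching and lifetime rules above (the proposal command's priority ordering and the sa duration rule that the smaller lifetime wins) as an added worked example in Python; this is not HP code and the matching attributes, the responder's own-priority-first tie-break and the sample proposals are assumptions made for illustration.

```python
"""Added example (not from the HP MSR command reference): models how an IKE
responder matches its system-view proposals against an initiator's list.

Assumptions (not stated on the page): a proposal matches when encryption,
hash, authentication method and DH group are all equal; the responder walks
its own proposals from the lowest number (highest priority) upward and takes
the first one the initiator also offered; the negotiated IKE SA lifetime is
the smaller of the two configured lifetimes (the sa duration rule).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

Attrs = Tuple[str, str, str, str]


@dataclass(frozen=True)
class IkeProposal:
    number: int            # 1 to 65535; the lower the number, the higher the priority
    encryption: str        # e.g. "aes-cbc-128"
    hash_alg: str          # e.g. "sha256"
    auth: str              # "pre-share" or "rsa-signature"
    dh_group: str          # e.g. "group14"
    lifetime: int = 86400  # IKE SA lifetime in seconds, 60 to 604800

    def attrs(self) -> Attrs:
        # The lifetime is deliberately excluded: it is negotiated, not matched.
        return (self.encryption, self.hash_alg, self.auth, self.dh_group)


def initiator_offer(profile_list: Iterable[IkeProposal]) -> List[IkeProposal]:
    """Proposals an initiator sends, in the order of its profile's proposal
    list (at most six; an entry listed earlier has the higher priority)."""
    offer: List[IkeProposal] = []
    seen = set()
    for p in profile_list:
        if p.number not in seen:
            seen.add(p.number)
            offer.append(p)
    if len(offer) > 6:
        raise ValueError("an IKE profile references at most six proposals")
    return offer


def responder_select(system_proposals: Iterable[IkeProposal],
                     offered: Iterable[IkeProposal]
                     ) -> Optional[Tuple[IkeProposal, IkeProposal, int]]:
    """Match the responder's system-view proposals against the offered list.

    Returns (responder proposal, matching offered proposal, negotiated
    lifetime), or None when no proposal matches and negotiation fails.
    """
    by_attrs: Dict[Attrs, IkeProposal] = {}
    for p in offered:
        by_attrs.setdefault(p.attrs(), p)  # keep the initiator's higher-priority duplicate
    for mine in sorted(system_proposals, key=lambda p: p.number):
        peer = by_attrs.get(mine.attrs())
        if peer is not None:
            return mine, peer, min(mine.lifetime, peer.lifetime)
    return None


# Constructed sample data (not taken from the reference).
RESPONDER = [
    IkeProposal(10, "3des-cbc", "md5", "pre-share", "group1"),
    IkeProposal(1, "aes-cbc-256", "sha256", "pre-share", "group14", lifetime=3600),
    IkeProposal(5, "aes-cbc-128", "sha1", "pre-share", "group2"),
]
INITIATOR_PROFILE = [
    IkeProposal(20, "aes-cbc-128", "sha1", "pre-share", "group2", lifetime=600),
    IkeProposal(30, "aes-cbc-256", "sha256", "pre-share", "group14", lifetime=7200),
]


def negotiate(responder=RESPONDER, initiator=INITIATOR_PROFILE):
    """Run one negotiation; returns (responder proposal number, initiator
    proposal number, negotiated lifetime) or None."""
    result = responder_select(responder, initiator_offer(initiator))
    if result is None:
        return None
    mine, peer, lifetime = result
    return mine.number, peer.number, lifetime


if __name__ == "__main__":
    # The responder's priority (proposal 1), not the initiator's list order, decides.
    print(negotiate())  # → (1, 30, 3600)
```

The third assertion case in the block's own data shows the practical consequence: a responder that only has strong proposals in system view rejects an initiator offering only weak ones, so lowering proposal numbers on the strong entries is the way to make them win.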
encrypt-failure: Specifies SNMP notifications for encryption failures.
global: Specifies SNMP notifications globally.
invalid-cert-auth: Specifies SNMP notifications for invalid-certificate-authentication failures.
invalid-cookie: Specifies SNMP notifications for invalid-cookie failures.
invalid-id: Specifies SNMP notifications for invalid-ID failures.
invalid-proposal: Specifies SNMP notifications for invalid-IKE-proposal failures.
SSH commands
Some MSR routers support the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
By default, the device provides low encryption. To obtain high encryption, you must install the Strong Cryptography feature license. This feature provides stronger cryptography, additional IPsec tunnels, and higher encryption performance.
Table 48 Command output
Field                                Description
SSH server                           Whether the SSH server function is enabled.
SSH version                          SSH protocol version. When the SSH server supports SSH1, the protocol version is 1.99. Otherwise, the protocol version is 2.
SSH authentication-timeout           Authentication timeout timer.
SSH server key generating interval   SSH server key pair update interval.
SSH authentication retries           Maximum number of authentication attempts for SSH users.
SFTP server                          Whether the SFTP server function is enabled.
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users.
Usage guidelines
This command only displays information about SSH users configured by using the ssh user command on the SSH server.
Examples
# Display information about all SSH users.
undo sftp server enable
Default
The SFTP server function is disabled.
Views
System view
Predefined user roles
network-admin
Examples
# Enable the SFTP server function.
system-view
[Sysname] sftp server enable
Related commands
display ssh server

sftp server idle-timeout
Use sftp server idle-timeout to set the idle timeout timer for SFTP user connections on an SFTP server.
Use undo sftp server idle-timeout to restore the default.
ssh server acl
Use ssh server acl to control access to the IPv4 SSH server.
Use undo ssh server acl to restore the default.
Syntax
ssh server acl acl-number
undo ssh server acl
Default
An SSH server allows all IPv4 SSH clients to access the server.
Views
System view
Predefined user roles
network-admin
Parameters
acl-number: Specifies an ACL number in the range of 2000 to 4999.
Syntax
ssh server authentication-retries times
undo ssh server authentication-retries
Default
The maximum number of authentication attempts for SSH users is 3.
Views
System view
Predefined user roles
network-admin
Parameters
times: Specifies the maximum number of authentication attempts for SSH users, in the range of 1 to 5.
Usage guidelines
You can set this limit to prevent malicious hacking of usernames and passwords.
This configuration takes effect only on the users at the next login.
Parameters
time-out-value: Specifies an authentication timeout timer in the range of 1 to 120 seconds.
Usage guidelines
If a user does not finish the authentication when the timeout timer expires, the connection cannot be established.
You can set a small value for the timeout timer to prevent malicious occupation of TCP connections while authentications are suspended.
Examples
# Set the SSH user authentication timeout timer to 10 seconds.
ssh server dscp
Use ssh server dscp to set the DSCP value in the IPv4 packets that the SSH server sends to the SSH clients.
Use undo ssh server dscp to restore the default.
Syntax
ssh server dscp dscp-value
undo ssh server dscp
Default
The DSCP value in IPv4 packets sent by the SSH server is 48.
Views
System view
Predefined user roles
network-admin
Parameters
dscp-value: Specifies the DSCP value in the outbound IPv4 packets, in the range of 0 to 63.
system-view
[Sysname] ssh server enable
Related commands
display ssh server

ssh server ipv6 acl
Use ssh server ipv6 acl to control access to the IPv6 SSH server.
Use undo ssh server ipv6 acl to restore the default.
Syntax
ssh server ipv6 acl [ ipv6 ] acl-number
undo ssh server ipv6 acl
Default
An SSH server allows all IPv6 SSH clients to access the server.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies an IPv6 ACL.
ssh server ipv6 dscp
Use ssh server ipv6 dscp to set the DSCP value in the IPv6 packets that the SSH server sends to the SSH clients.
Use undo ssh server ipv6 dscp to restore the default.
Syntax
ssh server ipv6 dscp dscp-value
undo ssh server ipv6 dscp
Default
The DSCP value in IPv6 packets sent by the SSH server is 48.
Views
System view
Predefined user roles
network-admin
Parameters
dscp-value: Specifies the DSCP value in the outbound IPv6 packets, in the range of 0 to 63.
Parameters
hours: Specifies an interval for updating the server key pair, in the range of 1 to 24 hours.
Usage guidelines
This command is not available in FIPS mode.
Updating the RSA server key pair periodically can prevent malicious hacking to the key pair and enhance security of the SSH connections.
This command takes effect only on SSH clients that use SSH1 client software.
Examples
# Set the RSA server key pair update interval to 3 hours.
• scp: Specifies the service type as SCP.
• sftp: Specifies the service type as SFTP.
• stelnet: Specifies the service type as Stelnet.
authentication-type: Specifies an authentication method for an SSH user:
• password: Specifies password authentication. This authentication method features easy and fast encryption, but it is vulnerable. It can work with AAA to implement user authentication, authorization, and accounting.
• any: Specifies either password authentication or publickey authentication.
• If the authentication method is publickey or password-publickey, the working directory is specified by the authorization-attribute command in the associated local user view.
For an SSH user, the user role also depends on the authentication method:
• If the authentication method is password, the user role is authorized by the remote AAA server or the local device.
sftp> bye

cd
Use cd to change the working path on an SFTP server.
Syntax
cd [ remote-path ]
Views
SFTP client view
Predefined user roles
network-admin
Parameters
remote-path: Specifies the name of a path on the server.
Usage guidelines
You can use the cd .. command to return to the upper-level directory.
You can use the cd / command to return to the root directory of the system.
Examples
# Change the working path to new1.
sftp> pwd
Remote working directory: /
sftp>

delete
Use delete to delete a file from the SFTP server.
Syntax
delete remote-file
Views
SFTP client view
Predefined user roles
network-admin
Parameters
remote-file: Specifies a file to delete from the server.
Usage guidelines
This command functions as the remove command.
Examples
# Delete the file temp.c from the server.
sftp> delete temp.c
Removing /temp.c

dir
Use dir to display information about the files and subdirectories under a directory.
Examples
# Display detailed information about the files and subdirectories under the current working directory.
sftp> dir
-rwxrwxrwx   1 1        1             301 Dec 18 14:11 010.pub
-rwxrwxrwx   1 1        1             301 Dec 18 14:12 011.pub
-rwxrwxrwx   1 1        1             301 Dec 18 14:12 012.pub
# Display detailed information about the files and subdirectories under the current working directory in a list.
sftp> dir -a
drwxrwxrwx   2 1        1             512 Dec 18 14:12 .
drwxrwxrwx   2 1        1             512 Dec 18 14:12 ..
-rwxrwxrwx   1 1        1             301 Dec 18 14:11 010.
display ssh client source
Use display ssh client source to display the source IP address or source interface configured for the Stelnet client.
Syntax
display ssh client source
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the source IP address configured for the Stelnet client.
display ssh client source
The source IP address of the SSH client is 192.168.0.1
The source IPv6 address of the SSH client is 2:2::2:2.
Views
SFTP client view
Predefined user roles
network-admin
Parameters
remote-file: Specifies the name of a file on the SFTP server.
local-file: Specifies the name for the local file. If this argument is not specified, the file will be saved locally with the same name as the file on the server.
Examples
# Download the file temp1.c and save it as temp.c locally.
sftp> get temp1.c temp.c
Fetching /temp1.c to temp.c
/temp.c                                   100% 1424     1.
                                     information of the file
mkdir path                           Create remote directory
put local-path [remote-path]         Upload file
pwd                                  Display remote working directory
quit                                 Quit sftp
rename oldpath newpath               Rename remote file
remove path                          Delete remote file
rmdir path                           Delete remote empty directory
?                                    Synonym for help

ls
Use ls to display information about the files and subdirectories under a directory.
-rwxrwxrwx   1 1        1             301 Dec 18 14:11 010.pub
-rwxrwxrwx   1 1        1             301 Dec 18 14:12 011.pub
-rwxrwxrwx   1 1        1             301 Dec 18 14:12 012.pub

mkdir
Use mkdir to create a directory on an SFTP server.
Syntax
mkdir remote-path
Views
SFTP client view
Predefined user roles
network-admin
Parameters
remote-path: Specifies the name for the directory on an SFTP server.
Examples
# Create a directory named test on the SFTP server.
sftp> mkdir test

put
Use put to upload a local file to an SFTP server.
Syntax
pwd
Views
SFTP client view
Predefined user roles
network-admin
Examples
# Display the current working directory of the SFTP server.
sftp> pwd
Remote working directory: /
The output shows that the current working directory is the root directory.

quit
Use quit to terminate the connection with an SFTP server and return to user view.
Syntax
quit
Views
SFTP client view
Predefined user roles
network-admin
Usage guidelines
This command functions as the bye and exit commands.
Usage guidelines
This command functions as the delete command.
Examples
# Delete the file temp.c from the SFTP server.
sftp> remove temp.c
Removing /temp.c

rename
Use rename to change the name of a file or directory on an SFTP server.
Syntax
rename old-name new-name
Views
SFTP client view
Predefined user roles
network-admin
Parameters
old-name: Specifies the name of an existing file or directory.
new-name: Specifies the new name for the file or directory.
scp
Use scp to establish a connection to an IPv4 SCP server and transfer files with the server.
prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported.
• zlib: Specifies the compression algorithm zlib.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is des in low encryption and aes128 in high encryption. Algorithms des, 3des, aes128, and aes256 are arranged in ascending order in the aspects of security strength and calculation time.
Examples
# Connect an SCP client to the SCP server 200.1.1.1. Specify the public key of the server as svkey, and download the file abc.txt from the server. The SCP client uses publickey authentication. Use the following algorithms:
• Preferred key exchange algorithm is dh-group14.
• Preferred server-to-client encryption algorithm is aes128.
• Preferred client-to-server HMAC algorithm is sha1.
• Preferred server-to-client HMAC algorithm is sha1-96.
port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
-i interface-type interface-number: Specifies an output interface by its type and number. This option is only used when the server uses a link-local address.
publickey keyname: Specifies the host public key of the server, which is used to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters.
source: Specifies a source IPv6 address or source interface for IPv6 SCP packets. By default, the IPv6 SCP packets automatically select an IPv6 address as their source address in compliance with RFC 3484. For successful SCP connections, use one of the following methods:
• Specify the loopback interface as the source interface.
In FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *
Views
User view
Predefined user roles
network-admin
Parameters
server: Specifies a server by its IPv4 addre
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is des in low encryption and aes128 in high encryption.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1.
dscp dscp-value: Specifies the DSCP value in the IPv4 SFTP packets, in the range of 0 to 63. The default value is 48. The DSCP value determines the transmission priority of the packet.
Views
System view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number. The SFTP packets use the longest-matching IPv6 address of the specified interface as their source address.
ipv6 ipv6-address: Specifies a source IPv6 address.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
This command takes effect on all IPv6 SFTP connections.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
This command takes effect on all SFTP connections. The source IP address specified in the sftp command takes effect only on the current SFTP connection. If you specify the source IP address both in this command and the sftp command, the source IP address specified in the sftp command takes effect.
Examples
# Specify the source IP address for SFTP packets as 192.168.0.1.
port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
-i interface-type interface-number: Specifies an output interface by its type and number for IPv6 SFTP packets. The specified output interface must have a link-local address.
• Specify the loopback interface or dialer interface as the source interface.
• Specify the IPv6 address of the loopback interface or dialer interface as the source IPv6 address.
interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IP address to send packets.
ipv6 ipv6-address: Specifies a source IPv6 address.
This command takes effect on all IPv6 Stelnet connections. The source IPv6 address specified in the ssh2 ipv6 command takes effect only on the current IPv6 Stelnet connection. If you specify the source IPv6 address both in this command and the ssh2 ipv6 command, the source IPv6 address specified in the ssh2 ipv6 command takes effect.
Examples
# Specify the source IPv6 address as 2:2::2:2 for SSH packets.
Related commands
display ssh client source

ssh2
Use ssh2 to establish a connection to an IPv4 Stelnet server.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is des in low encryption and aes128 in high encryption. Algorithms des, 3des, aes128, and aes256 are arranged in ascending order in the aspects of security strength and calculation time.
• 3des: Specifies the encryption algorithm 3des-cbc.
• aes128: Specifies the encryption algorithm aes128-cbc.
• aes256: Specifies the encryption algorithm aes256-cbc.
• des: Specifies the encryption algorithm des-cbc.
• Preferred key exchange algorithm is dh-group14.
• Preferred server-to-client encryption algorithm is aes128.
• Preferred client-to-server HMAC algorithm is sha1.
• Preferred server-to-client HMAC algorithm is sha1-96.
• Preferred compression algorithm between the server and client is zlib.
ssh2 3.3.3.
-i interface-type interface-number: Specifies an output interface by its type and number for IPv6 SSH packets. The specified output interface must have a link-local address. This option is used when the server uses a link-local address to provide the SSH service for the client.
identity-key: Specifies a public key algorithm for the client, either dsa or rsa. The default is dsa. If the server uses publickey authentication, this keyword must be specified.
• dsa: Specifies the public key algorithm dsa.
interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IP address of the IPv6 SSH packets.
ipv6 ipv6-address: Specifies a source IPv6 address.
Usage guidelines
In publickey authentication, the client must get the local private key for digital signature. Because publickey authentication uses either the RSA or the DSA algorithm, you must specify a public key algorithm by using the identity-key keyword.
SSL commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
By default, the device provides low encryption. To obtain high encryption, you must install the Strong Cryptography feature license. This feature provides stronger cryptography, additional IPsec tunnels, and higher encryption performance.
Parameters
dhe_rsa_aes_128_cbc_sha: Specifies the export cipher suite that uses the key exchange algorithm DHE RSA, the data encryption algorithm 128-bit AES, and the MAC algorithm SHA.
dhe_rsa_aes_256_cbc_sha: Specifies the export cipher suite that uses the key exchange algorithm DHE RSA, the data encryption algorithm 256-bit AES, and the MAC algorithm SHA.
• Key exchange algorithm RSA, data encryption algorithm 128-bit AES, and MAC algorithm SHA
system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] ciphersuite dhe_rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha
Related commands
• display ssl server-policy
• prefer-cipher

client-verify enable
Use client-verify enable to enable the SSL server to use digital certificates to authenticate clients.
Use undo client-verify enable to restore the default.
display ssl server-policy
Use display ssl server-policy to display SSL server policy information.
Syntax
display ssl server-policy [ policy-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify this argument, the command displays information about all SSL server policies.
Examples
# Display information about the SSL server policy policy1.
Predefined user roles
network-admin
Parameters
domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
If you use this command to specify a PKI domain for an SSL server policy, the SSL server that references the SSL server policy will obtain its digital certificate through the specified PKI domain.
Examples
# Specify PKI domain server-domain for the SSL server policy policy1.
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] session cachesize 600
Related commands
display ssl server-policy

ssl server-policy
Use ssl server-policy to create an SSL server policy and enter SSL server policy view.
Use undo ssl server-policy to delete an SSL server policy.
Syntax
ssl server-policy policy-name
undo ssl server-policy policy-name
Default
No SSL server policy exists on the device.
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify this argument, the command displays information about all SSL client policies.
Examples
# Display information about the SSL client policy policy1.
display ssl client-policy policy1
SSL client policy: policy1
SSL version: SSL 3.
Usage guidelines
If you use this command to specify a PKI domain for an SSL client policy, the SSL client that references the SSL client policy will obtain its digital certificate through the specified PKI domain.
Examples
# Specify the PKI domain client-domain for the SSL client policy policy1.
Parameters
dhe_rsa_aes_128_cbc_sha: Specifies the export cipher suite that uses the key exchange algorithm DHE RSA, the data encryption algorithm 128-bit AES, and the MAC algorithm SHA.
dhe_rsa_aes_256_cbc_sha: Specifies the export cipher suite that uses the key exchange algorithm DHE RSA, the data encryption algorithm 256-bit AES, and the MAC algorithm SHA.
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] prefer-cipher rsa_aes_128_cbc_sha
Related commands
• ciphersuite
• display ssl client-policy

server-verify enable
Use server-verify enable to enable the SSL client to use digital certificates to authenticate SSL servers.
Use undo server-verify enable to disable authentication. That is, the client does not authenticate any server.
Default
No SSL client policy exists on the device.
Views
System view
Predefined user roles
network-admin
Parameters
policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
This command creates an SSL client policy for which you can configure SSL parameters that the client uses to establish a connection to the server. The parameters include a PKI domain and a preferred cipher suite.
Parameters
ssl3.0: Specifies SSL 3.0.
tls1.0: Specifies TLS 1.0.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the SSL version for SSL client policy policy1 as TLS 1.0.
system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] version tls1.
ASPF commands
In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080.

aspf apply policy
Use aspf apply policy to apply an ASPF policy to an interface.
Use undo aspf apply policy to remove an ASPF policy application from an interface.
aspf policy
Use aspf policy to create an ASPF policy and enter its view.
Use undo aspf policy to remove an ASPF policy.
Syntax
aspf policy aspf-policy-number
undo aspf policy aspf-policy-number
Default
No ASPF policy exists.
Views
System view
Predefined user roles
network-admin
Parameters
aspf-policy-number: Assigns a number to the ASPF policy. The value range for this argument is 1 to 256.
Examples
# Create ASPF policy 1 and enter ASPF policy view.
Parameters
dccp: Specifies Datagram Congestion Control Protocol (DCCP), a transport layer protocol.
ftp: Specifies FTP, an application layer protocol.
gtp: Specifies GPRS Tunneling Protocol (GTP), an application layer protocol.
h323: Specifies the H.323 protocol stack, a set of application layer protocols.
icmp: Specifies ICMP, a transport layer protocol.
icmpv6: Specifies ICMPv6, a transport layer protocol.
ils: Specifies Internet Locator Service (ILS), an application layer protocol.
display aspf all
Use display aspf all to display the configuration of all ASPF policies and their applications.
Syntax
display aspf all
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the configuration of all ASPF policies and their applications.
display aspf interface
Use display aspf interface to display ASPF policy application on interfaces.
Syntax
display aspf interface
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display ASPF policy application on interfaces.
display aspf interface
Interface configuration:
GigabitEthernet2/1/1
  Inbound policy : 1
  Outbound policy: none
Table 54 Command output
Field                     Description
Interface configuration   Interfaces where an ASPF policy is applied.
Examples
# Display the configuration of ASPF policy 1.
display aspf policy 1
ASPF policy configuration:
  Policy number: 1
  Disable ICMP error message check
  Disable TCP SYN packet check
  Detect these protocols:
    FTP
    TCP
Table 55 Command output
Field                               Description
Enable ICMP error message check     ICMP error message check is enabled.
Enable TCP SYN packet check         TCP SYN check is enabled.
Disable ICMP error message check    ICMP error message check is disabled.
display aspf session ipv4
Initiator:
  Source      IP/port: 192.168.1.18/1877
  Destination IP/port: 192.168.1.55/22
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: TCP(6)
Initiator:
  Source      IP/port: 192.168.1.18/1792
  Destination IP/port: 192.168.1.55/2048
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
Total sessions found: 2
# (MSR4000.) Display brief information about IPv4 ASPF sessions.
display aspf session ipv4
Slot 1:
Initiator:
  Source      IP/port: 192.168.1.
Initiator:
  Source      IP/port: 192.168.1.18/1792
  Destination IP/port: 192.168.1.55/2048
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
Responder:
  Source      IP/port: 192.168.1.55/1792
  Destination IP/port: 192.168.1.
  Protocol: ICMP(1)
  App: INVALID
State: ICMP_REQUEST
Start time: 2011-07-29 19:12:33  TTL: 55s
Interface(in) : GigabitEthernet2/1/1
Interface(out): GigabitEthernet2/1/2
Initiator->Responder:            1 packets       6048 bytes
Responder->Initiator:            0 packets          0 bytes
Total sessions found: 2
Table 56 Command output
Field            Description
Initiator        Session information from initiator to responder.
Responder        Session information from responder to initiator.
Source IP/port   Source IP address and port number.
Use undo icmp-error drop to restore the default.
Syntax
icmp-error drop
undo icmp-error drop
Default
The ICMP error message check is disabled.
Views
ASPF policy view
Predefined user roles
network-admin
Usage guidelines
An ICMP error message carries information about the connection it refers to. ICMP error message check verifies that information; if it does not match the connection, ASPF drops the message.
Examples
# Enable ICMP error message check for ASPF policy 1.
Related commands
display aspf session
tcp syn-check
Use tcp syn-check to enable TCP SYN check. TCP SYN check verifies that the first packet of a TCP connection is a SYN packet. If the first packet is not a SYN packet, ASPF drops it.
Use undo tcp syn-check to restore the default.
Syntax
tcp syn-check
undo tcp syn-check
Default
TCP SYN check is disabled. ASPF does not drop a non-SYN packet that is the first packet of a TCP connection.
APR commands app-group Use app-group to create an application group and enter application group view. Use undo app-group to remove the specified application group. Syntax app-group group-name undo app-group group-name Default Multiple pre-defined application groups exist on the device. Views System view Predefined user roles network-admin Parameters group-name: Specifies an application group by its name, a case-insensitive string of 1 to 63 characters.
undo application statistics enable [ inbound | outbound ] Default The application statistics function is disabled on an interface. Views Layer 3 interface view Predefined user roles network-admin Parameters inbound: Specifies the inbound direction of the interface. outbound: Specifies the outbound direction of the interface. Usage guidelines IMPORTANT: The application statistics function consumes a large amount of system memory.
Syntax copy app-group group-name Views Application group view Predefined user roles network-admin Parameters group-name: Specifies the name of the source application group, a case-insensitive string of 1 to 63 characters. Usage guidelines Execute this command multiple times to copy application protocols in different groups to the current group. Examples # Copy application protocols in group bcd to group abc.
[Sysname] app-group aaa [Sysname-app-group-aaa] description User defined aaa group Related commands app-group display app-group Use display app-group to display information about the specified application groups. Syntax display app-group [ name group-name | pre-defined | user-defined ] Views User view Predefined user roles network-admin network-operator Parameters name group-name: Specifies an application group by its name. The group-name argument is a case-insensitive string of 1 to 63 characters.
(display app-group output, continued; columns: Group name, Type, Group ID)
news                  Pre-defined
p2p                   Pre-defined
productivity-tools    Pre-defined
routing               Pre-defined
shopping-and-bank     Pre-defined
stock                 Pre-defined
voip                  Pre-defined
(Group IDs shown in this part of the listing: 0x00000006, 0x00000007, 0x0000000b, 0x0000000c, 0x0000000d, 0x00000011, 0x00000012; column alignment lost.)
# Display information about all application groups.
Table 57 Command output
Field                       Description
Group name                  Application group name.
Group ID                    Application group ID.
Type                        Attribute of the application protocol or application group: Pre-defined or User-defined.
Application count           Number of application protocols in the application group.
Include application list    Application protocols included in the application group.
Application name            Application protocol name.
App ID                      Application protocol ID.
(display application output, continued; columns: Application name, Type, App ID, Tunnel, Encrypted)
ambit-lm, amdsched, amidxtape, amiganetfs, aminet, amp    Pre-defined    0x000000b9 to 0x000000be    (Tunnel/Encrypted: No; column alignment lost)
amt-soap-https    Pre-defined    0x000000cc    No    Yes
appserv-http      Pre-defined    0x00000122    No    No
appserv-https     Pre-defined    0x00000123    No    Yes
ktelnet           Pre-defined    0x000009ae    No    No
l2c-connect       Pre-defined    0x000009b6    No    No
l2c-info          Pre-defined    0x00
display application name telnet
Application name: telnet
  Application ID: 0x000012b7
  Tunnel: No
  Encrypted: No
Table 58 Command output
Field                Description
Total count          Total number of application protocols.
Pre-defined count    Number of pre-defined application protocols.
User-defined count   Number of user-defined application protocols.
Application name     Name of the application protocol.
Type                 Attribute of the application protocol: Pre-defined or User-defined.
Parameters direction: Specifies the direction of the interface. inbound: Specifies the inbound direction. outbound: Specifies the outbound direction. interface interface-type interface-number: Specifies an interface by its type and number. name application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters.
Application    In/Out    Packets    Bytes    PPS    BPS
appaaaaasg     IN
appaaaaasg     OUT
app2           IN
app2           OUT
APP3           IN
APP3           OUT
(counter columns of this sample omitted)
# Display application statistics in the inbound direction of interface GigabitEthernet 2/1/1.
Field Description Packets Number of packets received or sent by the interface. Bytes Number of bytes received or sent by the interface. PPS Packets received or sent per second. BPS Bytes received or sent per second. Related commands • app-group • application statistics enable display application statistics top Use display application statistics top to display statistics for application protocols on an interface in descending order, based on the specified criteria.
Interface : GigabitEthernet2/1/1
Application    In/Out    Packets    Bytes    PPS    BPS
appaaaaasg     IN
appaaaaasg     OUT
app2           IN
app2           OUT
aPP3           IN
aPP3           OUT
(counter columns of this sample omitted)
# Display the top three application protocols that have received and sent the most bytes on interface GigabitEthernet 2/1/1.
Table 60 Command output
Field          Description
Interface      Interface name.
Application    Name of the application protocol.
In/Out         Interface direction: In or Out.
Packets        Number of packets received or sent by the interface.
Bytes          Number of bytes received or sent by the interface.
PPS            Packets received or sent per second.
BPS            Bytes received or sent per second.
Field Description Protocol Transport layer protocol. Port Port number to which the application protocol is mapped. Related commands • display port-mapping • port-mapping display port-mapping user-defined Use display port-mapping user-defined to display information about the user-defined port mappings.
Table 62 Command output
Field          Description
Application    Application protocol using the port mapping.
Port           Port number to which the application protocol is mapped.
Protocol       Transport layer protocol.
Match types:
• ---: No match types or match conditions are specified, and all packets that have the specified port are recognized as packets of the specified application protocol.
• IPv4 host: A match based on the destination IPv4 address of the packet.
Parameters
application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. Valid characters are digits, letters, hyphens (-), and underscores (_). The names invalid and other are not allowed.
Usage guidelines
Execute this command multiple times to add multiple pre-defined or user-defined application protocols to a user-defined application group. A maximum of 65536 user-defined application protocols can be added to an application group.
• sctp: Specifies SCTP. • tcp: Specifies TCP. • udp: Specifies UDP. • udp-lite: Specifies UDP-Lite. Usage guidelines If no transport layer protocol is specified, packets encapsulated by any transport layer protocol and that have the specified port are recognized as the specified application protocol's packets. If the destination port of a packet matches a general port mapping, APR recognizes the packet as the specified application protocol's packet.
• sctp: Specifies SCTP. • tcp: Specifies TCP. • udp: Specifies UDP. • udp-lite: Specifies UDP-Lite. acl [ ipv6 ] acl-number: Specifies the number of an ACL, in the range of 2000 to 2999. To specify an IPv6 ACL, include the ipv6 keyword. To specify an IPv4 ACL, do not include the ipv6 keyword.
protocol protocol-name: Specifies a transport layer protocol by its name, including: • dccp: Specifies DCCP. • sctp: Specifies SCTP. • tcp: Specifies TCP. • udp: Specifies UDP. • udp-lite: Specifies UDP-Lite. { ip | ipv6 } start-ip-address [ end-ip-address ]: Specifies a range of IPv4 or IPv6 addresses. The ip keyword specifies the IPv4 addresses, and the ipv6 keyword specifies the IPv6 addresses. To specify only one IP address, provide only the start IP address.
undo port-mapping application application-name port port-number [ protocol protocol-name ] subnet { ip ipv4-address { mask-length | mask } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ] Default An application protocol is mapped to a well-known port. Views System view Predefined user roles network-admin Parameters application application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters.
[Sysname] port-mapping application ftp port 3456 subnet ip 1.1.1.0 24 # Create a mapping of port 3456 to FTP for the packets sent to the IPv6 hosts on subnet 1:: /120. system-view [Sysname] port-mapping application ftp port 3456 subnet ipv6 1:: 120 Related commands display port-mapping user-defined reset application statistics Use reset application statistics to clear application statistics for an interface or all interfaces.
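The port-mapping commands above define three ways of telling APR which application a packet belongs to: a general mapping (port plus optional transport protocol), a mapping limited to a host or host range, and a mapping limited to a subnet. The model below is an added example, not HP code and not the device's classifier; it assumes that a host- or subnet-restricted mapping is consulted before a general mapping for the same port (the manual does not state a precedence) and leaves ACL-based mappings out. The class and method names (PortMapper, map_general, map_host, map_subnet, classify) are invented for the example.

```python
import ipaddress


class PortMapper:
    """APR port-mapping model (example code, not the device implementation).

    general : mappings that apply to every destination address
    specific: mappings restricted to destination hosts/ranges or subnets
    Assumption: specific mappings are consulted before general ones."""

    def __init__(self):
        self.general = []    # (app, port, proto or None)
        self.specific = []   # (app, port, proto or None, predicate(ip) -> bool)

    @staticmethod
    def _check(app, port):
        # application-name: case-insensitive string of 1 to 63 characters; port: 0 to 65535
        if not 1 <= len(app) <= 63:
            raise ValueError("application name must be 1 to 63 characters")
        if not 0 <= port <= 65535:
            raise ValueError("port out of range")
        return app.lower()

    def map_general(self, app, port, proto=None):
        """port-mapping application <app> port <port> [ protocol <proto> ]"""
        self.general.append((self._check(app, port), port, proto))

    def map_host(self, app, port, start_ip, end_ip=None, proto=None):
        """... host { ip | ipv6 } <start> [ <end> ]: one address when no end is given."""
        lo = ipaddress.ip_address(start_ip)
        hi = ipaddress.ip_address(end_ip) if end_ip else lo
        self.specific.append((self._check(app, port), port, proto,
                              lambda ip: ip.version == lo.version and lo <= ip <= hi))

    def map_subnet(self, app, port, network, proto=None):
        """... subnet { ip <addr> <mask-length> | ipv6 <addr> <prefix-length> }"""
        net = ipaddress.ip_network(network, strict=False)
        # 'in' is False for a mismatched IP version, so no version check is needed here
        self.specific.append((self._check(app, port), port, proto, lambda ip: ip in net))

    def classify(self, dst_ip, dst_port, proto):
        """Application recognized for a packet, or None if no mapping applies
        (the device would then fall back to its well-known port table)."""
        ip = ipaddress.ip_address(dst_ip)
        for app, port, p, pred in self.specific:
            # p is None when no transport protocol was given: any protocol matches
            if port == dst_port and p in (None, proto) and pred(ip):
                return app
        for app, port, p in self.general:
            if port == dst_port and p in (None, proto):
                return app
        return None
```

The two subnet mappings in the test reproduce the manual's own examples (port 3456 to FTP for 1.1.1.0/24 and for 1::/120); the host and general mappings use made-up values.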
Session management commands In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. display session aging-time application Use display session aging-time application to display the aging time for sessions of different application layer protocols.
Field            Description
Aging Time(s)    Aging time in seconds.
Related commands
application aging-time
display session aging-time state
Use display session aging-time state to display the aging time for sessions in different protocol states.
Syntax
display session aging-time state
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the aging time for sessions in different protocol states.
Field Description Aging Time(s) Aging time in seconds. Related commands session aging-time state display session relation-table Use display session relation-table to display relation entries. Syntax MSR2000/MSR3000: display session relation-table { ipv4 | ipv6 } MSR4000: display session relation-table { ipv4 | ipv6 } [ slot slot-number ] Views Any view Predefined user roles network-admin network-operator Parameters ipv4: Specifies IPv4 relation entries. ipv6: Specifies IPv6 relation entries.
# (MSR4000.) Display all IPv4 relation entries. display session relation-table ipv4 Slot 1: Source IP/port: 192.168.1.100/- Destination IP/port: 192.168.2.100/99 DS-Lite tunnel peer: VPN instance/VLAN ID/VLL ID: 1/-/Protocol: TCP(6) TTL: 1234s Application: FTP-DATA Source IP/port: -/- Destination IP/port: 192.168.2.200/1212 DS-Lite tunnel peer: VPN instance/VLAN ID/VLL ID: -/-/Protocol: TCP(6) TTL: 3100s Application: FTP-DATA Total entries found: 2 # (MSR2000/MSR3000.
Field                          Description
DS-Lite tunnel peer            Peer tunnel interface address of the DS-Lite tunnel to which the session belongs. If no peer tunnel interface address is specified, a hyphen (-) is displayed.
VPN instance/VLAN ID/VLL ID    MPLS L3VPN to which the relation entry belongs, and the VLAN and INLINE to which the relation entry belongs during Layer 2 forwarding. If any of them is not specified, a hyphen (-) is displayed for that field.
Protocol                       Transport layer protocol.
RAWIP sessions: 0 Current relation-table entries: 0 Session establishment rate: 0/s TCP: 0/s UDP: 0/s ICMP: 0/s ICMPv6: 0/s UDP-Lite: 0/s SCTP: 0/s DCCP: 0/s RAWIP: 0/s Received TCP : 0 packets 0 bytes Received UDP : 118 packets 13568 bytes Received ICMP : 105 packets 8652 bytes Received ICMPv6 : 0 packets 0 bytes Received UDP-Lite : 0 packets 0 bytes Received SCTP : 0 packets 0 bytes Received DCCP : 0 packets 0 bytes Received RAWIP : 0 packets 0 bytes Table
Field Description Received TCP Number of received TCP packets and packet bytes. Received UDP Number of received UDP packets and packet bytes. Received ICMP Number of received ICMP packets and packet bytes. Received ICMPv6 Number of received ICMPv6 packets and packet bytes. Received UDP-Lite Number of received UDP-Lite packets and packet bytes. Received SCTP Number of received SCTP packets and packet bytes. Received DCCP Number of received DCCP packets and packet bytes.
Examples # (MSR2000/MSR3000.) Display brief information about all IPv4 session entries. display session table ipv4 Initiator: Source IP/port: 192.168.1.18/1877 Destination IP/port: 192.168.1.55/22 DS-Lite tunnel peer: VPN instance/VLAN ID/VLL ID: -/-/Protocol: TCP(6) Initiator: Source IP/port: 192.168.1.18/1792 Destination IP/port: 192.168.1.55/2048 DS-Lite tunnel peer: VPN instance/VLAN ID/VLL ID: -/-/Protocol: ICMP(1) Total sessions found: 2 # (MSR4000.
DS-Lite tunnel peer: VPN instance/VLAN ID/VLL ID: -/-/Protocol: TCP(6) State: TCP_SYN_SENT Application: SSH Start time: 2011-07-29 19:12:36 TTL: 28s Interface(in) : GigabitEthernet2/1/1 Interface(out): GigabitEthernet2/1/2 Initiator->Responder: 1 packets 48 bytes Responder->Initiator: 0 packets 0 bytes Initiator: Source IP/port: 192.168.1.18/1792 Destination IP/port: 192.168.1.55/2048 DS-Lite tunnel peer: VPN instance/VLAN ID/VLL ID: -/-/Protocol: ICMP(1) Responder: Source IP/port: 192.168.1.
Application: SSH Start time: 2011-07-29 19:12:36 TTL: 28s Interface(in) : GigabitEthernet2/1/1 Interface(out): GigabitEthernet2/1/2 Initiator->Responder: 1 packets 48 bytes Responder->Initiator: 0 packets 0 bytes Initiator: Source IP/port: 192.168.1.18/1792 Destination IP/port: 192.168.1.55/2048 DS-Lite tunnel peer: VPN instance/VLAN ID/VLL ID: -/-/Protocol: ICMP(1) Responder: Source IP/port: 192.168.1.55/1792 Destination IP/port: 192.168.1.
Total sessions found: 1 # (MSR2000/MSR3000.) Display detailed information about all IPv6 session entries.
Table 67 Command output
Field                          Description
Initiator                      Information about the session from the initiator to the responder.
Responder                      Information about the session from the responder to the initiator.
DS-Lite tunnel peer            Address of the DS-Lite tunnel peer. When the session does not belong to any DS-Lite tunnel, this field displays a hyphen (-).
VPN instance/VLAN ID/VLL ID    MPLS L3VPN to which the session belongs, and the VLAN and INLINE to which the session belongs during Layer 2 forwarding.
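The verbose session output above (and the display aspf session verbose output earlier in this chapter, which uses the same Initiator/Responder layout) is what an operator pastes into a ticket or a collector when tracing a flow. The parser below is an added example, not HP code; it turns that text into dictionaries and flags sessions the responder has never answered, which is the quickest way to spot unanswered probes in a large table. The sample output is constructed from the field names the manual shows; its addresses and counters are made up, and the function names (parse_sessions, unanswered) are invented for the example.

```python
import re

# Constructed sample in the layout of "display session table ipv4 verbose";
# addresses and counters are made up for the example.
SAMPLE_OUTPUT = """\
Initiator:
  Source      IP/port: 192.168.1.18/1877
  Destination IP/port: 192.168.1.55/22
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: TCP(6)
Responder:
  Source      IP/port: 192.168.1.55/22
  Destination IP/port: 192.168.1.18/1877
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: TCP(6)
State: TCP_SYN_SENT
Application: SSH
Start time: 2011-07-29 19:12:36  TTL: 28s
Interface(in) : GigabitEthernet2/1/1
Interface(out): GigabitEthernet2/1/2
Initiator->Responder:            1 packets         48 bytes
Responder->Initiator:            0 packets          0 bytes
Initiator:
  Source      IP/port: 192.168.1.18/1792
  Destination IP/port: 192.168.1.55/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
Responder:
  Source      IP/port: 192.168.1.55/1792
  Destination IP/port: 192.168.1.18/0
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
State: ICMP_REQUEST
Application: INVALID
Start time: 2011-07-29 19:12:33  TTL: 55s
Interface(in) : GigabitEthernet2/1/1
Interface(out): GigabitEthernet2/1/2
Initiator->Responder:            1 packets       6048 bytes
Responder->Initiator:            0 packets          0 bytes
Total sessions found: 2
"""

IPPORT = re.compile(r"^(Source|Destination)\s+IP/port:\s*(\S+)/(\S+)$")
PROTO = re.compile(r"^Protocol:\s*(\w+)\((\d+)\)$")
START = re.compile(r"^Start time:\s*(.+?)\s+TTL:\s*(\d+)s$")
COUNTER = re.compile(r"^(Initiator->Responder|Responder->Initiator):\s*(\d+) packets\s+(\d+) bytes$")


def parse_sessions(text):
    """One dict per session: 'initiator'/'responder' sub-dicts plus the per-session fields."""
    sessions, cur, side = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Initiator:":            # a new session record starts here
            cur = {"initiator": {}, "responder": {}}
            sessions.append(cur)
            side = "initiator"
            continue
        if line == "Responder:":
            side = "responder"
            continue
        if line.startswith("Total sessions found:"):
            break
        if cur is None:
            continue
        if m := IPPORT.match(line):
            cur[side][m[1].lower() + "_ip"] = m[2]
            cur[side][m[1].lower() + "_port"] = m[3]
        elif m := PROTO.match(line):
            cur[side]["protocol"] = m[1]
            cur[side]["protocol_number"] = int(m[2])
        elif m := START.match(line):
            cur["start_time"], cur["ttl_s"] = m[1], int(m[2])
        elif m := COUNTER.match(line):
            key = "i2r" if m[1].startswith("Initiator") else "r2i"
            cur[key] = {"packets": int(m[2]), "bytes": int(m[3])}
        elif line.startswith("Interface(in)"):
            cur["in_if"] = line.split(":", 1)[1].strip()
        elif line.startswith("Interface(out)"):
            cur["out_if"] = line.split(":", 1)[1].strip()
        elif ":" in line:
            key, val = (s.strip() for s in line.split(":", 1))
            if key in ("State", "Application"):
                side = None                 # per-session fields follow the Responder block
                cur[key.lower()] = val
            elif side is not None:
                cur[side][key] = val        # DS-Lite tunnel peer, VPN instance/VLAN ID/VLL ID
    return sessions


def unanswered(sessions):
    """Sessions in which the responder has sent nothing back (half-open or unanswered probes)."""
    return [s for s in sessions if s.get("r2i", {}).get("packets", 0) == 0]
```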
MSR4000: reset session table ipv4 ] [ destination-ip destination-ip ] [ destination-port destination-port ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ slot slot-number ] [ source-ip source-ip ] [ source-port source-port ] [ vpn-instance vpn-instance-name ] Views User view Predefined user roles network-admin Parameters slot slot-number: Specifies a card by its slot number.
reset session table ipv6 [ destination-ip destination-ip ] [ destination-port destination-port ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-ip source-ip ] [ source-port source-port ] [ vpn-instance vpn-instance-name ] MSR4000: reset session table ipv6 [ destination-ip destination-ip ] [ destination-port destination-port ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } [ slot slot-number ]] [ source-ip source-ip ] [ source-port source-port ] [ vpn-inst
Syntax MSR2000/MSR3000: reset session table MSR4000: reset session table [ slot slot-number ] Views User view Predefined user roles network-admin Parameters slot slot-number: Specifies a card by its slot number. If no card is specified, this command clears the session entries on all cards. (MSR4000.) Examples # Clear all IPv4 and IPv6 session entries.
reset session relation-table Use reset session relation-table to clear relation entries. Syntax MSR2000/MSR3000: reset session relation-table [ ipv4 | ipv6 ] MSR4000: reset session relation-table [ ipv4 | ipv6 ] [ slot slot-number ] Views User view Predefined user roles network-admin Parameters ipv4: Specifies IPv4 relation entries. ipv6: Specifies IPv6 relation entries. slot slot-number: Specifies a card by its slot number. If no card is specified, this command clears the relation entries on all cards.
• GTP sessions: 60 seconds.
• H.225 sessions: 3600 seconds.
• H.245 sessions: 3600 seconds.
• RAS sessions: 300 seconds.
• RTSP sessions: 3600 seconds.
• SIP sessions: 3600 seconds.
• TFTP sessions: 60 seconds.
• ILS sessions: 3600 seconds.
• MGCP sessions: 60 seconds.
• NBT sessions: 3600 seconds.
• PPTP sessions: 3600 seconds.
• RSH sessions: 60 seconds.
• SCCP sessions: 3600 seconds.
• SQLNET sessions: 600 seconds.
• XDMCP sessions: 3600 seconds.
time-value: Sets the aging time in seconds. The value range for the time-value argument is 5 to 100000. Usage guidelines This command sets the aging time for stable sessions of the specified application layer protocols. For TCP sessions, the stable state is ESTABLISHED. For UDP sessions, the stable state is READY. For sessions of application layer protocols that are not supported by this command, the aging time is set by the session aging-time state command.
Parameters
fin: Specifies the TCP FIN_WAIT state.
icmp-reply: Specifies the ICMP REPLY state.
icmp-request: Specifies the ICMP REQUEST state.
rawip-open: Specifies the RAWIP-OPEN state.
rawip-ready: Specifies the RAWIP-READY state.
syn: Specifies the TCP SYN-SENT and SYN-RCV states.
tcp-est: Specifies the TCP ESTABLISHED state.
udp-open: Specifies the UDP OPEN state.
udp-ready: Specifies the UDP READY state.
time-value: Sets the aging time in seconds.
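Two behaviours in this chapter interact in one session table: the ASPF tcp syn-check (a TCP flow whose first packet is not a SYN is dropped instead of creating a session) and the state-based aging set with session aging-time state (a session is removed once it has been idle longer than the aging time of its current state). The model below is an added example, not HP code; the state keywords are the command's own (syn, tcp-est, fin, udp-open, udp-ready, icmp-request, icmp-reply, rawip-open, rawip-ready), but the aging values in STATE_AGING_S are placeholders chosen for the example, not device defaults, and the class and function names (SessionTable, packet, expire, state_of) are invented.

```python
from dataclasses import dataclass

# Aging time per protocol state, keyed by the keywords of "session aging-time state".
# Placeholder values for the example, not the device defaults.
STATE_AGING_S = {
    "syn": 30, "tcp-est": 3600, "fin": 30,
    "udp-open": 30, "udp-ready": 60,
    "icmp-request": 30, "icmp-reply": 30,
    "rawip-open": 30, "rawip-ready": 60,
}


@dataclass
class Session:
    key: tuple          # (proto, src, sport, dst, dport) as sent by the initiator
    state: str
    last_seen: float
    packets: int = 0


def initial_state(proto):
    return {"tcp": "syn", "udp": "udp-open", "icmp": "icmp-request"}.get(proto, "rawip-open")


def next_state(state, proto, flags, from_initiator):
    """Simplified transitions: TCP is established on the handshake's third packet and
    closes on FIN/RST; UDP, ICMP and raw IP become ready/reply once the responder answers."""
    if proto == "tcp":
        if "FIN" in flags or "RST" in flags:
            return "fin"
        if state == "syn" and from_initiator and "ACK" in flags and "SYN" not in flags:
            return "tcp-est"
        return state
    if not from_initiator:
        return {"udp-open": "udp-ready", "icmp-request": "icmp-reply",
                "rawip-open": "rawip-ready"}.get(state, state)
    return state


class SessionTable:
    def __init__(self, tcp_syn_check=False, aging=STATE_AGING_S):
        self.sessions = {}
        self.tcp_syn_check = tcp_syn_check      # "tcp syn-check" in ASPF policy view
        self.aging = dict(aging)
        self.dropped = []

    def set_aging(self, state, seconds):
        """session aging-time state <state> <time-value>"""
        self.aging[state] = seconds

    def expire(self, now):
        """Remove sessions idle longer than the aging time of their current state; return how many."""
        before = len(self.sessions)
        self.sessions = {k: s for k, s in self.sessions.items()
                         if now - s.last_seen <= self.aging[s.state]}
        return before - len(self.sessions)

    def packet(self, now, proto, src, sport, dst, dport, flags=frozenset()):
        """Process one packet; returns 'new', 'match' or 'drop'."""
        self.expire(now)
        key = (proto, src, sport, dst, dport)
        sess = self.sessions.get(key)
        from_initiator = sess is not None
        if sess is None:
            sess = self.sessions.get((proto, dst, dport, src, sport))
        if sess is None:
            # First packet of a flow: with TCP SYN check on, anything but a pure SYN is dropped.
            if proto == "tcp" and self.tcp_syn_check and not ("SYN" in flags and "ACK" not in flags):
                self.dropped.append(key)
                return "drop"
            self.sessions[key] = Session(key, initial_state(proto), now, 1)
            return "new"
        sess.state = next_state(sess.state, proto, flags, from_initiator)
        sess.last_seen = now
        sess.packets += 1
        return "match"

    def state_of(self, proto, src, sport, dst, dport):
        sess = self.sessions.get((proto, src, sport, dst, dport))
        return sess.state if sess else None
```

The syn keyword covers both SYN-SENT and SYN-RCV, so the model keeps a TCP session in the syn state through the SYN/ACK and only moves it to tcp-est on the initiator's ACK; an unanswered UDP request therefore ages out with the short udp-open timer rather than the longer udp-ready one.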
Usage guidelines
If you set both traffic-based and time-based logging, the device outputs a session log as soon as either threshold is reached. After outputting a session log, the device resets the traffic counter and restarts the interval for the session. If you set both the byte-based and packet-based thresholds, the most recent configuration takes effect.
Examples
# Configure the device to output session logs on a per-10-MB basis.
Examples # Enable IPv4 session logging in the inbound direction of GigabitEthernet 2/1/1. system-view [Sysname] interface gigabitethernet 2/1/1 [Sysname-GigabitEthernet2/1/1] session log enable ipv4 inbound # Enable session logging on GigabitEthernet 2/1/2 for IPv4 sessions that match ACL 2050 in the outbound direction.
Examples # Configure the device to output session logs on a per-10-mega-packet basis. system-view [Sysname] session log packets-active 10 Related commands • session log enable • session log time-active session log time-active Use session log time-active to set the time-based session logging. Use undo session log time-active to restore the default. Syntax session log time-active time-value undo session log time-active Default The device does not output session logs.
Syntax session persistent acl [ ipv6 ] acl-number [ aging-time time-value ] undo session persistent acl [ ipv6 ] Default No persistent sessions are specified. Views System view Predefined user roles network-admin Parameters ipv6: Specifies an IPv6 ACL. To specify an IPv4 ACL, do not specify this keyword. acl-number: Specifies an ACL by its number in the range of 2000 to 3999. aging-time time-value: Sets the aging time for persistent sessions in hours.
Connection limit commands In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. connection-limit apply Use connection-limit apply to apply a connection limit policy to an interface. Use undo connection-limit apply to remove the application.
connection-limit apply global Use connection-limit apply global to apply a connection limit policy globally. Use undo connection-limit apply global to remove the application. Syntax connection-limit apply global { ipv6-policy | policy } policy-id undo connection-limit apply global { ipv6-policy | policy } Default No connection limit policy is applied globally. Views System view Predefined user roles network-admin Parameters ipv6-policy: Specifies an IPv6 connection limit policy.
Default No connection limit policy exists. Views System view Predefined user roles network-admin Parameters ipv6-policy: Specifies an IPv6 connection limit policy. policy: Specifies an IPv4 connection limit policy. policy-id: Specifies a connection limit policy by its ID, in the range of 1 to 32. An IPv4 or IPv6 connection limit policy has its own number. Examples # Create IPv4 connection limit policy 1 and enter its view.
policy-id: Specifies a connection limit policy by its ID in the range of 1 to 32. all: Specifies all connection limit policies. Examples # Display information about all IPv4 connection limit policies.
3 Src 100 90 3020 200 -- 100000 89000 2005 # Display information about the IPv6 connection limit policy 3. display connection-limit ipv6-policy 3 IPv6 connection limit policy 3 has been applied 3 times, and has 2 limit rules.
display connection-limit ipv6-stat-nodes Use display connection-limit ipv6-stat-nodes to display statistics about IPv6 connections that match connection limit rules globally or on an interface.
If you specify none of the source source-ip, destination destination-ip, and service-port port-number options, this command displays statistics about all IPv6 connections that match connection limit rules. Examples # (MSR2000/MSR3000.) Display statistics about all IPv6 connections that match the connection limit rule on GigabitEthernet 2/1/1.
Slot 2:
Current limit statistic nodes count is 1.
Table 69 Command output
Field             Description
Src IP address    Source IPv6 address.
Dst IP address    Destination IPv6 address.
VPN instance      MPLS L3VPN to which the IP address belongs. "---" indicates that the IP address is on the public network.
Service           Protocol name and service port number. A protocol that is not well known is displayed as "unknown(xx)", where "xx" is the protocol number.
interface interface-type interface-number: Specifies an interface by its type and number. slot slot-number: Specifies a card or virtual interface by its slot number. This option is available only when you specify the global keyword or specify a virtual interface (such as a VLAN interface or tunnel interface). (MSR4000.) Examples # (MSR2000/MSR3000.) Display the global connection limit statistics.
Predefined user roles network-admin network-operator Parameters global: Displays statistics about IPv4 connections that match connection limit rules globally. interface interface-type interface-number: Specifies an interface by its type and number. slot slot-number: Specifies a card by its slot number. This option is available only when you specify the global keyword or specify a virtual interface (such as a VLAN interface or tunnel interface). (MSR4000.
New session flag : Permit # (MSR2000/MSR3000.) Display statistics about all IPv4 connections that match the connection limit rule on VLAN-interface 2. display connection-limit stat-nodes interface vlan-interface 2 Src IP address : 100.100.100.100 VPN instance : 0123456789012345678901234567890 Dst IP address : 200.200.200.
Field                      Description
Service                    Protocol name and service port number. A protocol that is not well known is displayed as "unknown(xx)", where "xx" is the protocol number. For ICMP, "xx" is the value of the type and code fields (a hexadecimal number) represented in decimal notation.
Sessions threshold Hi/Lo   Upper connection limit/lower connection limit.
Sessions count             Number of current connections.
per-service: Limits connections by service in terms of transport layer protocol and service port. per-source: Limits connections by source IP address. max-amount: Specifies the upper connection limit in the range of 1 to 1000000. When user connections in a range or of a type exceed the upper connection limit, new connections cannot be created. min-amount: Specifies the lower connection limit in the range of 1 to 1000000. The lower connection limit cannot be greater than the upper connection limit.
6. Verify that when the connection number exceeds 200, new connections cannot be established until the connection number drops below 100. (Details not shown.) Related commands • connection-limit • display connection-limit reset connection-limit statistics Use reset connection-limit statistics to clear the connection limit statistics globally or on an interface.
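The upper and lower limits of a connection limit rule form a hysteresis: once connections for a source, destination or service exceed max-amount, no new connections are accepted until the count has dropped below min-amount, as the verification step above describes for 200 and 100. The model below is an added example, not HP code; it assumes that blocking starts when the count has reached max-amount (so the 201st connection from a source limited to 200 is refused) and that the per-source, per-destination and per-service keys are the source address, the destination address and the (protocol, port) pair. The class and method names are invented for the example.

```python
class ConnectionLimiter:
    """One connection limit rule with upper and lower limits (example code, not the device implementation).

    per: "source", "destination" or "service", matching the rule keywords.
    Assumption: a key is blocked once its count has reached max_amount and is
    released only when the count has dropped below min_amount."""

    def __init__(self, max_amount, min_amount, per="source"):
        # Both limits are 1 to 1000000 and the lower limit cannot exceed the upper one.
        if not 1 <= min_amount <= max_amount <= 1000000:
            raise ValueError("limits must satisfy 1 <= min-amount <= max-amount <= 1000000")
        if per not in ("source", "destination", "service"):
            raise ValueError("per must be source, destination or service")
        self.max_amount, self.min_amount, self.per = max_amount, min_amount, per
        self.counts = {}        # key -> current connection count
        self.blocked = set()    # keys currently refusing new connections
        self.refused = 0

    def key_of(self, src, dst, proto, dport):
        if self.per == "source":
            return src
        if self.per == "destination":
            return dst
        return (proto, dport)   # per-service: transport protocol and service port

    def open(self, src, dst, proto, dport):
        """True if a new connection is permitted (and counted), False if refused."""
        k = self.key_of(src, dst, proto, dport)
        if k in self.blocked or self.counts.get(k, 0) >= self.max_amount:
            self.blocked.add(k)
            self.refused += 1
            return False
        self.counts[k] = self.counts.get(k, 0) + 1
        return True

    def close(self, src, dst, proto, dport):
        """A connection ended; release the block once the count is below the lower limit."""
        k = self.key_of(src, dst, proto, dport)
        self.counts[k] = max(0, self.counts.get(k, 0) - 1)
        if k in self.blocked and self.counts[k] < self.min_amount:
            self.blocked.discard(k)
```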
Object group commands description Use description to configure a description for an object group. Use undo description to delete the description for an object group. Syntax description text undo description Default An object group does not have a description. Views Object group view Predefined user roles network-admin Parameters text: Configures an object group description, a case-sensitive string of 1 to 127 characters. Examples # Configure a description for IPv4 address object group ipgroup.
ipv6 address: Specifies the IPv6 address object group. port: Specifies the port object group. service: Specifies the service object group. default: Specifies the default object group. name object-group-name: Specifies an object group by its name, a case-insensitive string of 1 to 31 characters. Examples # Display information about all object groups. display object-group IP address object group obj1: 0 object(in use) IP address object group obj2: 5 objects(out of use) 0 network host address 1.1.1.
0 network host address 1.1.1.1 10 network host name host 20 network subnet 1.1.1.1 255.255.255.0 30 network range 1.1.1.1 1.1.1.2 40 network group-object obj1 # Display information about all IPv4 object groups. display object-group ip address Ip address object-group obj1: 0 object(in use) Ip address object-group obj2: 5 objects(out of use) 0 network host address 1.1.1.1 10 network host name host 20 network subnet 1.1.1.1 255.255.255.0 30 network range 1.1.1.1 1.1.1.
Predefined user roles
network-admin
Parameters
object-id: Specifies an object ID in the range of 0 to 4294967294. If you do not specify an object ID, the system assigns the next multiple of 10 greater than the greatest ID in use. For example, if the greatest ID is 22, the system assigns 30.
host: Configures an IPv4 address object with the host address or name.
address ip-address: Specifies an IPv4 host address.
# Configure an IPv4 address object with the host name of pc3. system-view [Sysname] object-group ip address ipgroup [Sysname-obj-grp-ip-ipgroup] network host name pc3 # Configure an IPv4 address object with the IPv4 address of 192.167.0.0 and mask length of 24. system-view [Sysname] object-group ip address ipgroup [Sysname-obj-grp-ip-ipgroup] network subnet 192.167.0.0 24 # Configure an IPv4 address object with the IPv4 address of 192.167.0.0 and mask of 255.255.0.0.
address ipv6-address: Specifies an IPv6 host address. name host-name: Specifies a host name, a case-insensitive string of 1 to 60 characters. subnet ipv6-address prefix-length: Configures an IPv6 address object with the subnet address followed by the prefix length in the range of 1 to 128.
# Configure an IPv6 address object with the address range of 1:1:1::1 to 1:1:1::100 system-view [Sysname] object-group ipv6 address ipv6group [Sysname-obj-grp-ipv6-ipv6group] network range 1:1:1::1 1:1:1::100 # Configure an IPv6 address object referencing object group ipv6group2.
• If the specified group exists but the group type is different from that in the command, the command fails. • If the specified object group is being referenced by an ACL, object policy, or object group, the command fails. Examples # Configure an IPv4 address object group named ipgroup. system-view [Sysname] object-group ip address ipgroup # Configure an IPv6 address object group named ipv6group.
range port1 port2: Configures a port object with a port range starting with port1 and ending with port2. The value range for the port1 and port2 arguments is 0 to 65535. group-object object-group-name: Specifies a port object group to be referenced by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines This command fails if you use it to configure or change a port object to be identical with an existing object.
system-view [Sysname] object-group port portgroup [Sysname-obj-grp-port-portgroup] port gt 60000 # Configure a port object with a port number in the range of 1000 to 2000. system-view [Sysname] object-group port portgroup [Sysname-obj-grp-port-portgroup] port range 1000 2000 # Configure a port object referencing object group portgroup2.
port: Specifies a port number in the range of 0 to 65535. range port1 port2: Configures a service object with a port range starting with port1 and ending with port2. The value range for the port1 and port2 arguments is 0 to 65535. icmp-type icmp-code: Configures the ICMP message type in the range of 0 to 255, and the message code in the range of 0 to 255. icmpv6-type icmpv6-code: Configures the ICMPv6 message type in the range of 0 to 255, and the message code in the range of 0 to 255.
# Configure a service object with the source and destination port numbers for the TCP service. system-view [Sysname] object-group service servicegroup [Sysname-obj-grp-service-servicegroup] service tcp source eq 100 destination range 10 100 # Configure a service object with the message type and code for the ICMP service.
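The object group commands above describe automatic object IDs (the next multiple of 10 above the greatest ID in use), host, subnet, range and group-object members for address groups, eq/gt/range operators for port groups, and the rule that a port object identical to an existing one is rejected. The model below is an added example, not HP code; it covers IPv4/IPv6 address groups and port groups only (service objects are left out), resolves nested group-object references through a small registry, and treats a host name object as not matching because name resolution is not modelled. The class names (ObjectGroupStore, ObjectGroup) and the tuple encoding of objects are invented for the example.

```python
import ipaddress

MAX_OBJECT_ID = 4294967294


class ObjectGroupStore:
    """Registry keyed by (group type, name) so group-object references can be resolved."""

    def __init__(self):
        self.groups = {}

    def group(self, kind, name):
        # object-group names are case-insensitive, so the key is lower-cased
        return self.groups.setdefault((kind, name.lower()), ObjectGroup(kind, name, self))


class ObjectGroup:
    def __init__(self, kind, name, store):
        if kind not in ("ip address", "ipv6 address", "port"):
            raise ValueError("only address and port groups are modelled here")
        self.kind, self.name, self.store = kind, name, store
        self.objects = {}   # object ID -> object tuple

    def next_id(self):
        # No ID given: 0 for the first object, else the next multiple of 10 above the greatest ID (22 -> 30).
        return 0 if not self.objects else (max(self.objects) // 10 + 1) * 10

    def add(self, obj, object_id=None):
        if object_id is None:
            object_id = self.next_id()
        if not 0 <= object_id <= MAX_OBJECT_ID:
            raise ValueError("object ID out of range")
        if obj in self.objects.values():
            raise ValueError("an identical object already exists in the group")
        self.objects[object_id] = obj
        return object_id

    def matches(self, value):
        """True if an address string (address groups) or a port number (port groups) matches any object."""
        return any(self._match(obj, value) for obj in self.objects.values())

    def _match(self, obj, value):
        op = obj[0]
        if op == "group-object":                       # reference to another group of the same type
            return self.store.group(self.kind, obj[1]).matches(value)
        if self.kind in ("ip address", "ipv6 address"):
            ip = ipaddress.ip_address(value)
            if op == "host":                           # network host address <addr>
                return ip == ipaddress.ip_address(obj[1])
            if op == "host-name":                      # network host name <name>: needs resolution, not modelled
                return False
            if op == "subnet":                         # network subnet <addr> <mask-length|mask|prefix-length>
                return ip in ipaddress.ip_network(obj[1], strict=False)
            if op == "range":                          # network range <start> <end>
                lo, hi = ipaddress.ip_address(obj[1]), ipaddress.ip_address(obj[2])
                return lo.version == ip.version and lo <= ip <= hi
            raise ValueError("unknown address object " + op)
        port = int(value)
        if op == "range":                              # port range <port1> <port2>
            return obj[1] <= port <= obj[2]
        return {"eq": port == obj[1], "lt": port < obj[1],
                "gt": port > obj[1], "neq": port != obj[1]}[op]
```

The test builds the manual's own examples: subnet 192.167.0.0/24 in ipgroup, the IPv6 range 1:1:1::1 to 1:1:1::100, and the port objects gt 60000 and range 1000 2000.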
IP source guard commands In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. The IP source guard commands are supported on the following hardware: MSR routers installed with the Layer 2 switching module HMIM-24GSW/24GSWP or HMIM-8GSW. display ip source binding Use display ip source binding to display IPv4 source guard binding entries.
slot slot-number: Specifies the number of the slot that holds the card. (MSR4000) Usage guidelines If you do not specify any parameter, this command displays the following entries: • Static and dynamic IPv4 source guard binding entries on all interfaces on the public network. • Global static IPv4 source guard binding entries. If you specify neither an interface nor a card, the command displays IPv4 source guard binding entries that the MPU obtained from all interfaces.
display ipv6 source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcpv6-snooping ] ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] MSR4000: display ipv6 source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcpv6-snooping ] ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ] Views Any view Predefined user roles network-admin
Table 74 Command output Field Description Total entries found Total number of IPv6 source guard binding entries. IPv6 Address IPv6 address in the IPv6 source guard binding entry. If no IPv6 address is bound in the entry, this field displays N/A. MAC Address MAC address in the IPv6 source guard binding entry. If no MAC address is bound in the entry, this field displays N/A. Interface Interface of the IPv6 source guard binding entry.
vlan vlan-id: Specifies a VLAN ID for the static binding entry. The value range is 1 to 4094. Usage guidelines IP source guard can use static IPv4 source guard binding entries on an interface to implement the following functions: • Filter incoming IPv4 packets on the interface. • Check user validity by cooperating with the ARP detection feature.
Dynamic IP source guard obtains user information from other modules to generate dynamic binding entries, and uses the entries to filter incoming packets based on the matching criteria. The matching criteria specified in the ip verify source command apply only to dynamic IP source guard. Static IPv4 source guard filters incoming packets by all matching criteria in a static binding entry. To configure a static IPv4 source guard binding, use the ip source binding command.
mac-address mac-address: Specifies a MAC address for the static binding entry. The MAC address must be in H-H-H format, and cannot be all 0s, all Fs (a broadcast address), or a multicast address. vlan vlan-id: Specifies a VLAN ID for the static binding entry. The value range is 1 to 4094. Usage guidelines IP source guard can use static IPv6 source guard binding entries on an interface to implement the following functions: • Filter incoming IPv6 packets on the interface.
Dynamic IPv6 source guard obtains information from DHCPv6 snooping entries to generate dynamic binding entries, and uses the entries to filter incoming packets based on the matching criteria. The matching criteria specified in the ipv6 verify source command apply only to dynamic IPv6 source guard. Static IPv6 source guard filters incoming packets by all matching criteria in a static binding entry. To configure a static IPv6 source guard binding, use the ipv6 source binding command.
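The following configuration is an added example that is not part of the original reference. It puts the IPv4 and IPv6 source guard commands described above together on one access port of a Layer 2 switching module: dynamic entries are checked against IP address and MAC address, and a static entry pins a fixed host so that its packets pass and, because ARP detection consults static IPv4 bindings for user validity checks, its ARP packets are accepted as well. The interface name, addresses, MAC address and VLAN ID are assumed.

```text
system-view
[Sysname] interface gigabitethernet 2/1/1
# Dynamic IPv4 source guard: every incoming IPv4 packet must match the IP and MAC of a binding entry
[Sysname-GigabitEthernet2/1/1] ip verify source ip-address mac-address
# Static IPv4 binding for a host with a fixed address in VLAN 10 (assumed values)
[Sysname-GigabitEthernet2/1/1] ip source binding ip-address 192.168.10.20 mac-address 0001-0203-0405 vlan 10
# IPv6 counterpart: dynamic entries come from DHCPv6 snooping, plus one static entry for the same host
[Sysname-GigabitEthernet2/1/1] ipv6 verify source ip-address mac-address
[Sysname-GigabitEthernet2/1/1] ipv6 source binding ip-address 2001:db8:10::20 mac-address 0001-0203-0405 vlan 10
[Sysname-GigabitEthernet2/1/1] quit
# Verify that both the static entry and the dynamically learned entries exist on the port
[Sysname] display ip source binding interface gigabitethernet 2/1/1
[Sysname] display ipv6 source binding interface gigabitethernet 2/1/1
```

Note that the ip-address mac-address criterion in ip verify source only narrows what dynamic entries check; the static entry is always matched on every attribute it carries (IP, MAC and VLAN here), so a host that moves to another VLAN while keeping its address is dropped until the binding is updated.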
ARP attack protection commands In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. Unresolvable IP attack protection commands arp resolving-route enable Use arp resolving-route enable to enable ARP blackhole routing. Use undo arp resolving-route enable to disable ARP blackhole routing.
Syntax arp source-suppression enable undo arp source-suppression enable Default The ARP source suppression function is disabled. Views System view Predefined user roles network-admin Usage guidelines Configure this feature on the gateways. Examples # Enable the ARP source suppression function.
Examples # Set the maximum number of unresolvable packets that can be received from a device in 5 seconds to 100. system-view [Sysname] arp source-suppression limit 100 Related commands display arp source-suppression. display arp source-suppression Use display arp source-suppression to display information about the current ARP source suppression configuration.
undo arp source-mac [ filter | monitor ] Default The source MAC-based ARP attack detection function is disabled. Views System view Predefined user roles network-admin Parameters filter: Generates log messages and discards subsequent ARP packets from the MAC address. monitor: Only generates log messages. Usage guidelines Configure this feature on the gateways. This function checks the number of ARP packets delivered to the CPU.
system-view [Sysname] arp source-mac aging-time 60 arp source-mac exclude-mac Use arp source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ARP attack detection. Use undo arp source-mac exclude-mac to remove the excluded MAC addresses. Syntax arp source-mac exclude-mac mac-address&<1-n> undo arp source-mac exclude-mac [ mac-address&<1-n> ] Default No MAC address is excluded from source MAC-based ARP attack detection.
Views System view Predefined user roles network-admin Parameters threshold-value: Specifies the threshold for source MAC-based ARP attack detection. The value range is 1 to 5000. Examples # Configure the threshold for source MAC-based ARP attack detection as 30. system-view [Sysname] arp source-mac threshold 30 display arp source-mac Use display arp source-mac to display ARP attack entries detected by source MAC-based ARP attack detection.
ARP packet source MAC consistency check commands arp valid-check enable Use arp valid-check enable to enable ARP packet source MAC address consistency check on the gateway. Use undo arp valid-check enable to disable ARP packet source MAC address consistency check. Syntax arp valid-check enable undo arp valid-check enable Default ARP packet source MAC address consistency check is disabled. Views System view Predefined user roles network-admin Usage guidelines Configure this feature on gateways.
Predefined user roles network-admin Parameters strict: Enables strict mode for ARP active acknowledgement. Usage guidelines Configure this feature on gateways to prevent user spoofing. In strict mode, a gateway learns an ARP entry only after ARP active acknowledgement succeeds on the basis of a correct ARP resolution. Examples # Enable the ARP active acknowledgement function.
arp detection enable Use arp detection enable to enable ARP detection. Use undo arp detection enable to restore the default. Syntax arp detection enable undo arp detection enable Default ARP detection is disabled. Views VLAN view Predefined user roles network-admin Examples # Enable ARP detection for VLAN 2. system-view [Sysname] vlan 2 [Sysname-vlan2] arp detection enable arp detection trust Use arp detection trust to configure a port as an ARP trusted port.
arp detection validate Use arp detection validate to enable ARP packet validity check. You can specify one or more objects to be checked in one command line. Use undo arp detection validate to disable ARP packet validity check. If no keyword is specified, this command deletes all objects. Syntax arp detection validate { dst-mac | ip | src-mac } * undo arp detection validate [ dst-mac | ip | src-mac ] * Default ARP packet validity check is disabled.
Predefined user roles network-admin Examples # Enable ARP restricted forwarding in VLAN 2. system-view [Sysname] vlan 2 [Sysname-vlan2] arp restricted-forwarding enable display arp detection Use display arp detection to display the VLANs enabled with ARP detection. Syntax display arp detection Views Any view Predefined user roles network-admin network-operator Examples # Display the VLANs enabled with ARP detection.
Usage guidelines This command displays numbers of packets discarded by user validity check and ARP packet validity check. If you do not specify any interface, the command displays statistics for all interfaces. Examples # Display the ARP detection statistics for all interfaces.
ARP scanning and fixed ARP commands arp fixup Use arp fixup to convert existing dynamic ARP entries to static ARP entries. Syntax arp fixup Views System view Predefined user roles network-admin Usage guidelines The ARP conversion is a one-time operation. You can use this command again to convert the dynamic ARP entries learned later to static. The static ARP entries converted from dynamic ARP entries have the same attributes as the manually configured static ARP entries.
Parameters start-ip-address: Specifies the start IP address of the scanning range. end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address. Usage guidelines ARP scanning automatically creates ARP entries for devices in the specified address range. IP addresses already in existing ARP entries are not scanned.
Predefined user roles network-admin Parameters ip-address: Specifies the IP address of a protected gateway. Usage guidelines You can enable ARP gateway protection for up to eight gateways on an interface. You cannot configure both arp filter source and arp filter binding commands on the same interface. Examples # Enable ARP gateway protection for the gateway with IP address 1.1.1.1. system-view [Sysname] interface gigabitethernet 2/1/1 [Sysname-GigabitEthernet2/1/1] arp filter source 1.1.1.
[Sysname] interface gigabitethernet 2/1/1 [Sysname-GigabitEthernet2/1/1] arp filter binding 1.1.1.
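The following is an added example, not from the original reference, that combines the gateway-side commands (ARP source suppression, source MAC-based detection, source MAC consistency check, active acknowledgement) and the access-side commands (ARP detection, trusted port, validity check, restricted forwarding, gateway protection, scanning and fixed ARP) from the two sections above into one deployment. Interface names, VLAN ID, addresses and MAC addresses are assumed, and the exact syntax of arp active-ack and arp scan is assumed because this page shows only their parameters.

```text
# --- Gateway router: rate-based protections for the CPU ---
system-view
# Drop unresolvable IP packets instead of re-resolving them (ARP blackhole routing)
[Sysname] arp resolving-route enable
# At most 100 unresolvable packets per source in 5 seconds; the rest are suppressed
[Sysname] arp source-suppression enable
[Sysname] arp source-suppression limit 100
# Log and discard ARP packets from any MAC that sends more than 30 ARP packets
# to the CPU in a check interval; keep the attack entry for 60 seconds
[Sysname] arp source-mac filter
[Sysname] arp source-mac threshold 30
[Sysname] arp source-mac aging-time 60
# The DHCP server legitimately sends many ARP packets: exclude it (assumed MAC)
[Sysname] arp source-mac exclude-mac 0001-0203-0405
# Discard ARP packets whose Ethernet source MAC differs from the sender MAC in the ARP body
[Sysname] arp valid-check enable
# Only learn entries confirmed by active acknowledgement (assumed syntax)
[Sysname] arp active-ack enable strict

# --- Access device: user validity and packet validity checks in VLAN 2 ---
[Sysname] vlan 2
[Sysname-vlan2] arp detection enable
# Forward checked ARP requests only to trusted ports and unicast replies only to their destination
[Sysname-vlan2] arp restricted-forwarding enable
[Sysname-vlan2] quit
# Check destination MAC, IP and source MAC of every ARP packet on untrusted ports
[Sysname] arp detection validate dst-mac ip src-mac
# The uplink to the gateway is trusted; user ports stay untrusted
[Sysname] interface gigabitethernet 2/1/1
[Sysname-GigabitEthernet2/1/1] arp detection trust
[Sysname-GigabitEthernet2/1/1] quit
# Gateway protection on a user port: ARP packets claiming to be the gateway 192.168.2.1 are dropped.
# arp filter binding must NOT be configured on this same interface (the two are exclusive).
[Sysname] interface gigabitethernet 2/1/2
[Sysname-GigabitEthernet2/1/2] arp filter source 192.168.2.1
[Sysname-GigabitEthernet2/1/2] quit

# --- Fixed ARP on the gateway's VLAN interface ---
# Learn entries for all hosts in the range, then freeze them as static entries (assumed syntax)
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] arp scan 192.168.2.2 to 192.168.2.254
[Sysname-Vlan-interface2] quit
[Sysname] arp fixup

# --- Verification ---
[Sysname] display arp detection
[Sysname] display arp detection statistics
[Sysname] display arp source-mac
```

The two halves protect different things: the gateway commands bound how much ARP and unresolvable-IP work the CPU does, while the VLAN-level checks stop spoofed ARP from reaching other hosts at all. arp fixup is a one-time conversion, so hosts added after the scan need another scan and fixup (or a manual static entry) before they are protected.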
IPv4 uRPF commands In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. display ip urpf Use display ip urpf to display uRPF configuration.
  Allow default route
  Link check
  Suppress drop ACL: 3000
Table 77 Command output
Field                                        Description
uRPF configuration information of interface  uRPF configuration on the interface.
Check type                                   uRPF check mode: loose or strict.
Allow default route                          Use of the default route is allowed.
Link check                                   Link layer check is enabled.
Suppress drop ACL                            ACL used for drop suppression.
ip urpf
Use ip urpf to enable uRPF. Use undo ip urpf to disable uRPF.
For asymmetrical routing where the interface receiving upstream traffic is different from the interface forwarding downstream traffic on a PE device, configure loose uRPF to avoid discarding valid packets. If the two interfaces are the same (symmetrical routing), configure strict uRPF. An ISP usually adopts symmetrical routing on a PE device. Typically, you do not need to configure the allow-default-route keyword on a PE device, because it has no default route pointing to a CE.
IPv6 uRPF commands In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. display ipv6 urpf Use display ipv6 urpf to display IPv6 uRPF configuration.
  Allow default route
  Suppress drop ACL: 2000
Table 78 Command output
Field                                             Description
IPv6 uRPF configuration information of interface  IPv6 uRPF configuration on the interface.
Check type                                        IPv6 uRPF check mode: loose or strict.
Allow default route                               Use of the default route is allowed.
Suppress drop ACL                                 IPv6 ACL used for drop suppression.
ipv6 urpf
Use ipv6 urpf to enable IPv6 uRPF. Use undo ipv6 urpf to disable IPv6 uRPF.
You can use an ACL to match specific packets, so they are forwarded even if they fail the IPv6 uRPF check. Examples # Configure strict IPv6 uRPF check on interface GigabitEthernet 2/1/2, which allows using the default route and uses IPv6 ACL 2999 to match packets. system-view [Sysname] interface gigabitethernet 2/1/2 [Sysname-GigabitEthernet2/1/2] ipv6 urpf strict allow-default-route acl 2999 # Configure loose IPv6 uRPF check on interface GigabitEthernet 2/1/1.
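The following is an added example, not from the original reference, showing the PE placement the uRPF usage guidelines above describe: strict uRPF on the CE-facing interface where routing is symmetric, loose uRPF on the upstream interface where return traffic may arrive on a different interface, and a suppress-drop ACL so that a monitoring source that is reachable only through another path is never dropped by the check. Interface names, the address ranges and the ACL numbers are assumed.

```text
system-view
# IPv4 advanced ACL 3000: the monitoring station's subnet (assumed) bypasses uRPF drops
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 permit ip source 10.0.0.0 0.0.0.255
[Sysname-acl-adv-3000] quit
# IPv6 basic ACL 2999: same idea for the IPv6 management prefix (assumed)
[Sysname] acl ipv6 number 2999
[Sysname-acl6-basic-2999] rule 0 permit source 2001:db8:ff00::/48
[Sysname-acl6-basic-2999] quit

# CE-facing interface: symmetric routing, so strict mode. No allow-default-route here:
# a PE has no default route pointing at a CE, so a default route must not validate a source.
[Sysname] interface gigabitethernet 2/1/1
[Sysname-GigabitEthernet2/1/1] ip urpf strict acl 3000
[Sysname-GigabitEthernet2/1/1] ipv6 urpf strict acl 2999
[Sysname-GigabitEthernet2/1/1] quit

# Upstream interface: asymmetric routing, so loose mode (source must merely be routable)
[Sysname] interface gigabitethernet 2/1/2
[Sysname-GigabitEthernet2/1/2] ip urpf loose
[Sysname-GigabitEthernet2/1/2] ipv6 urpf loose
[Sysname-GigabitEthernet2/1/2] quit

# Verification: check mode, allow-default-route flag and suppress drop ACL per interface
[Sysname] display ip urpf
[Sysname] display ipv6 urpf
```

Loose mode on the upstream side still discards packets with sources that have no route at all (for example RFC 1918 sources leaking in from a transit), which is usually the spoofing case that matters there; strict mode is reserved for interfaces where the reverse route is guaranteed to point back out the same interface.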
Crypto engine commands In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. crypto-engine accelerator disable Use crypto-engine accelerator disable to disable hardware crypto engines. Use undo crypto-engine accelerator disable to enable hardware crypto engines. Syntax crypto-engine accelerator disable undo crypto-engine accelerator disable Default Hardware crypto engines are enabled.
Views Any view Predefined user roles network-admin network-operator Examples # Display information about crypto engines.
Field                              Description
Slot ID                            ID of the LPU that holds the crypto engine.
CPU ID                             ID of the CPU that holds the crypto engine.
Symmetric algorithms               Supported symmetric algorithms.
Asymmetric algorithms              Supported asymmetric algorithms.
Random number generation function  Whether random number generation is supported:
                                   • Supported.
                                   • Not supported.
Asymmetric operations: 0 Asymmetric errors: 0 Get-random operations: 0 Get-random errors: 0 # (MSR4000.) Display statistics for crypto engine 1 on card 2. display crypto-engine statistics engine-id 1 slot 2 Submitted sessions: 0 Failed sessions: 0 Symmetric operations: 0 Symmetric errors: 0 Asymmetric operations: 0 Asymmetric errors: 0 Get-random operations: 0 Get-random errors: 0 Table 80 Command output Field Description Submitted sessions Number of established sessions.
Parameters engine-id engine-id: Specifies a crypto engine by its ID in the range of 0 to 4294967295. If you do not specify a crypto engine, this command clears statistics for all crypto engines. slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears statistics for the crypto engines on all cards. (MSR4000.) Examples # Clear statistics for all crypto engines.
FIPS commands Devices that provide low encryption do not support FIPS. display fips status Use display fips status to display the current FIPS mode state. Syntax display fips status Views Any view Predefined user roles network-admin network-operator Examples # Display the current FIPS mode state. display fips status FIPS mode is enabled. Related commands fips mode enable fips mode enable Use fips mode enable to enable FIPS mode. Use undo fips mode enable to disable FIPS mode.
After you execute the fips mode enable command, the system provides the following methods to enter FIPS mode: • Automatic reboot Select the automatic reboot method. The system automatically performs the following tasks: a. Create a default FIPS configuration file named fips-startup.cfg. b. Specify the default file as the startup configuration file. c. Require you to configure the username and password for next login.
Examples # Enable FIPS mode, and choose the automatic reboot method to enter FIPS mode. system-view [Sysname] fips mode enable FIPS mode change requires a device reboot. Continue? [Y/N]:y Reboot the device automatically? [Y/N]:y The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically.
Usage guidelines To examine whether the cryptography modules operate correctly, you can use this command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. A successful self-test requires that all cryptographic algorithms pass the self-test. If the self-test fails, the card where the self-test process exists reboots. Examples # Trigger a self-test on the cryptographic algorithms.
Known-answer test for RSA(signature/verification) passed. Known-answer test for RSA(encrypt/decrypt) passed. Known-answer test for DSA(signature/verification) passed. Known-answer test for random number generator passed. Known-Answer tests in the user-space passed. Starting Known-Answer tests in the kernel. Known-answer test for SHA1 passed. Known-answer test for HMAC-SHA1 passed. Known-answer test for AES passed. Known-answer test for SHA1 passed. Known-Answer tests in the kernel passed.
Known-answer test for HMAC-SHA1 passed. Known-answer test for HMAC-SHA224 passed. Known-answer test for HMAC-SHA256 passed. Known-answer test for HMAC-SHA384 passed. Known-answer test for HMAC-SHA512 passed. Known-answer test for AES passed. Known-answer test for RSA(signature/verification) passed. Known-answer test for RSA(encrypt/decrypt) passed. Known-answer test for DSA(signature/verification) passed. Known-answer test for random number generator passed. Known-Answer tests in the user-space passed.
Attack detection and prevention commands In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. ack-flood action Use ack-flood action to specify global actions against ACK flood attacks. Use undo ack-flood action to restore the default. Syntax ack-flood action { client-verify | drop | logging } * undo ack-flood action Default No action is taken against detected ACK flood attacks.
• client-verify tcp enable
ack-flood detect
Use ack-flood detect to configure IP-specific ACK flood attack detection. Use undo ack-flood detect to remove the ACK flood attack detection configuration for an IP address.
Examples # Configure ACK flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1. system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] ack-flood detect ip 192.168.1.
ack-flood threshold Use ack-flood threshold to set the global threshold for triggering ACK flood attack prevention. Use undo ack-flood threshold to restore the default. Syntax ack-flood threshold threshold-value undo ack-flood threshold Default The global threshold is 1000 for triggering ACK flood attack prevention. Views Attack defense policy view Predefined user roles network-admin Parameters threshold-value: Specifies the threshold for triggering ACK flood attack prevention.
Default No attack defense policy is applied to any interface. Views Layer 3 interface view Predefined user roles network-admin Parameters policy-name: Specifies the name of an attack defense policy. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). Usage guidelines An interface can have only one attack defense policy applied.
Usage guidelines Applying an attack defense policy to a device can improve the efficiency of processing attack packets destined for the device. Each device can have only one attack defense policy applied. If you use this command multiple times, the most recent configuration takes effect. An attack defense policy can be applied to the device locally and to multiple interfaces. If a device and its interfaces have attack defense policies applied, a packet destined for the device is processed as follows: 1.
Related commands • attack-defense apply policy • display attack-defense policy attack-defense signature log non-aggregate Use attack-defense signature log non-aggregate to enable non-aggregated log output for single-packet attack events. Use undo attack-defense signature log non-aggregate to restore the default. Syntax attack-defense signature log non-aggregate undo attack-defense signature log non-aggregate Default The system outputs aggregated logs for single-packet attack events.
Syntax blacklist enable undo blacklist enable Default The blacklist function on an interface is disabled. Views Layer 3 interface view Predefined user roles network-admin Usage guidelines If the global blacklist function is enabled, the blacklist function is enabled on all interfaces. If the global blacklist function is disabled, you must use this command to enable the blacklist function on individual interfaces. Examples # Enable the blacklist function on interface GigabitEthernet 2/1/1.
system-view [Sysname] blacklist global enable Related commands • blacklist enable • blacklist ip blacklist ip Use blacklist ip to add an IPv4 blacklist entry. Use undo blacklist ip to delete a manually added IPv4 blacklist entry. Syntax blacklist ip source-ip-address [ vpn-instance vpn-instance-name ] [ timeout minutes ] undo blacklist ip source-ip-address [ vpn-instance vpn-instance-name ] Default No IPv4 blacklist entry exists.
blacklist ipv6 Use blacklist ipv6 to add an IPv6 blacklist entry. Use undo blacklist ipv6 to delete a manually added IPv6 blacklist entry. Syntax blacklist ipv6 source-ipv6-address [ vpn-instance vpn-instance-name ] [ timeout minutes ] undo blacklist ipv6 source-ipv6-address [ vpn-instance vpn-instance-name ] Default No IPv6 blacklist entry exists. Views System view Predefined user roles network-admin Parameters source-ipv6-address: Specifies an IPv6 address for the blacklist entry.
Syntax blacklist logging enable undo blacklist logging enable Default Logging is disabled for the blacklist function. Views System view Predefined user roles network-admin Usage guidelines With logging enabled for the blacklist function, the system outputs logs in the following situations: • A blacklist entry is manually added. • A blacklist entry is dynamically added by the scanning attack detection function. • A blacklist entry is manually deleted. • A blacklist entry ages out.
Use undo client-verify dns enable to restore the default. Syntax client-verify dns enable undo client-verify dns enable Default DNS client verification is disabled on an interface. Views Layer 3 interface view Predefined user roles network-admin Usage guidelines Enable DNS client verification on the interface that connects to the external network. This function protects internal DNS servers against DNS flood attacks.
Usage guidelines Enable HTTP client verification on the interface that connects to the external network. This function protects internal HTTP servers against HTTP flood attacks. To configure the HTTP client verification to collaborate with HTTP flood attack prevention, specify client-verify as the HTTP flood attack prevention action. In collaboration, upon detecting an HTTP flood attack, the device adds the victim IP addresses to the protected IP list and verifies the suspected sources.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the specified IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network. port port-number: Specifies the port to be protected, in the range of 1 to 65535.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the specified IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv6 address is on the public network. port port-number: Specifies the port to be protected, in the range of 1 to 65535.
TCP client verification supports the following modes: • Safe reset—Enables unidirectional TCP proxy for packets only from TCP connection initiators. • SYN cookie—Enables bidirectional TCP proxy for packets from both TCP clients and TCP servers. Choose a TCP proxy mode according to the network scenarios. • If packets from clients pass through the TCP proxy device, but packets from servers do not, specify the safe reset mode.
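The following is an added example, not from the original reference, that assembles the attack defense policy, policy application, blacklist and client verification commands documented in this chapter into one configuration on an Internet-facing interface. It shows the thresholds and actions the display attack-defense policy output reports, the interplay of global and interface blacklist enabling, and the SYN cookie proxy mode chosen because both directions of traffic cross this device. The policy name, addresses and numbers are assumed, and the exact syntax of scan detect, signature detect, client-verify tcp mode and attack-defense local apply policy is assumed because this page does not reproduce it.

```text
system-view
[Sysname] attack-defense policy atk-policy-1
# SYN flood: above 2000 pps to one destination, verify the sources and log (no blind drop)
[Sysname-attack-defense-policy-atk-policy-1] syn-flood threshold 2000
[Sysname-attack-defense-policy-atk-policy-1] syn-flood action client-verify logging
# ACK flood: global threshold and actions, plus a tighter IP-specific rule for a busy server
[Sysname-attack-defense-policy-atk-policy-1] ack-flood threshold 5000
[Sysname-attack-defense-policy-atk-policy-1] ack-flood action drop logging
[Sysname-attack-defense-policy-atk-policy-1] ack-flood detect ip 192.168.1.2 threshold 1000 action drop logging
# Scanning attack detection: block the scanner's source for 30 minutes and log (assumed syntax)
[Sysname-attack-defense-policy-atk-policy-1] scan detect level medium action block-source timeout 30 logging
# Single-packet (signature) attacks: drop oversized ICMP and log it (assumed syntax)
[Sysname-attack-defense-policy-atk-policy-1] signature large-icmp max-length 4000
[Sysname-attack-defense-policy-atk-policy-1] signature detect large-icmp action drop logging
[Sysname-attack-defense-policy-atk-policy-1] quit

# Blacklist: enabling it globally turns it on for every interface, so no per-interface
# blacklist enable is needed. Logging covers manual add/delete, dynamic add and aging.
[Sysname] blacklist global enable
[Sysname] blacklist logging enable
# Manual entry for a known-bad source (assumed address), expiring after 60 minutes
[Sysname] blacklist ip 203.0.113.9 timeout 60

# TCP client verification: SYN cookie, because client and server packets both traverse this device
[Sysname] client-verify tcp mode syn-cookie

# Apply the policy to the external interface and enable the verification functions there
[Sysname] interface gigabitethernet 2/1/1
[Sysname-GigabitEthernet2/1/1] attack-defense apply policy atk-policy-1
[Sysname-GigabitEthernet2/1/1] client-verify tcp enable
[Sysname-GigabitEthernet2/1/1] client-verify dns enable
[Sysname-GigabitEthernet2/1/1] client-verify http enable
[Sysname-GigabitEthernet2/1/1] quit
# Also protect traffic destined for the device itself (assumed syntax)
[Sysname] attack-defense local apply policy atk-policy-1

# Verification
[Sysname] display attack-defense policy atk-policy-1
[Sysname] display attack-defense syn-flood statistics ip
[Sysname] display blacklist ip
[Sysname] display client-verify tcp protected ip
```

Because scan detect uses the block-source action, scanners end up as Dynamic entries in display blacklist ip with a TTL equal to the configured timeout; the Manual entry added above has no TTL. The syn-flood client-verify action only works because client-verify tcp enable is present on the interface, which is why the two are configured together.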
dns-flood: Specifies DNS flood attack. fin-flood: Specifies FIN flood attack. flood: Specifies all IPv4 flood attacks. http-flood: Specifies HTTP flood attack. icmp-flood: Specifies ICMP flood attack. rst-flood: Specifies RST flood attack. syn-ack-flood: Specifies SYN-ACK flood attack. syn-flood: Specifies SYN flood attack. udp-flood: Specifies UDP flood attack. ip-address: Specifies an IPv4 address.
  201.55.7.44      --           GE2/1/4      DNS-FLOOD      Normal  1000  111111111
  192.168.11.4     --           GE2/1/5      ACK-FLOOD      Normal  1000  22222222
Slot 2:
  IP address       VPN          Detected on  Detect type    State   PPS   Dropped
  192.168.100.221  a0123456789  GE2/1/2      SYN-ACK-FLOOD  Normal  1000  4294967295
  201.55.7.45      asd          GE2/1/2      SYN-ACK-FLOOD  Normal  1000  111111111
  192.168.11.5     --           GE2/1/3      ACK-FLOOD      Normal  1000  222222222
  201.55.7.44      --           GE2/1/4      DNS-FLOOD      Normal  1000  111111111
  192.168.11.
MSR4000: display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ interface interface-type interface-number | local ] [ slot slot-number ] [ count ] Views Any view Predefined user roles network-admin network-operator Parameters ack-flood: Specifies ACK flood attack. dns-flood: Specifies DNS flood attack. fin-flood: Specifies FIN flood attack.
  1::3  --  GE2/1/3  SYN-ACK-FLOOD  Normal  1000  222222222
  1::4  --  GE2/1/4  ACK-FLOOD      Normal  1000  111111111
  1::5  --  GE2/1/5  SYN-FLOOD      Normal  1000  22222222
# (MSR4000.) Display flood attack detection and prevention statistics for all IPv6 addresses.
display attack-defense policy Use display attack-defense policy to display attack defense policy configuration. Syntax display attack-defense policy [ policy-name ] Views Any view Predefined user roles network-admin network-operator Parameters policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
  Signature name          Defense   Level   Actions
  Ping of death           Disabled  Low     L
  Large ICMP              Disabled  Medium  L,D
    Max length            4000 bytes
  Large ICMPv6            Disabled  Low     L
    Max length            4000 bytes
  TCP invalid flags       Disabled  Medium  L,D
  TCP null flag           Disabled  Low     L
  TCP all flags           Enabled   Info    L
  TCP SYN-FIN flags       Disabled  Info    L
  TCP FIN only flag       Enabled   Info    L
  TCP Land                Disabled  Info    L
  Winnuke                 Disabled  Info    L
  UDP Bomb                Disabled  Info    L
  UDP Snork               Disabled  Info    L
  UDP Fraggle             Enabled   Info    L
  IP option record route  Disabled  Info
  Actions: L
Flood attack defense configuration:
  Flood type     Global thres(pps)  Global actions  Service ports  Non-specific
  SYN flood      1000(default)      -               -              Disabled
  ACK flood      1000(default)      -               -              Enabled
  SYN-ACK flood  1000(default)      -               -              Disabled
  RST flood      200                -               -              Enabled
  FIN flood      1000(default)      L,D             -              Disabled
  UDP flood      1000(default)      -               -              Disabled
  ICMP flood     1000(default)      -               -              Disabled
  ICMPv6 flood   1000(default)      CV              -              Disabled
  DNS flood      10000              -               30,61 to 62    Enabled
  HTTP flood
Field                              Description
Actions                            Prevention actions against the single-packet attack:
                                   • L—Logging.
                                   • D—Dropping packets.
                                   • N—No action.
Scan attack defense configuration  Configuration information about scanning attack detection and prevention.
Defense                            Whether attack detection is enabled.
Level                              Level of the scanning attack detection: low, medium, or high.
Actions                            Prevention actions against the scanning attack:
                                   • BS—Blocking sources.
                                   • D—Dropping packets.
                                   • L—Logging.
Flood attack defense configuration
Field          Description
Thres(pps)     Threshold for triggering the flood attack prevention, in packets sent to the IP address per second. If no threshold is specified, this field displays a hyphen (-).
Actions        Prevention actions against the flood attack:
               • BS—Blocking sources.
               • CV—Client verification.
               • D—Dropping packets.
               • L—Logging.
               • N—No action.
Service ports  Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks.
display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ip [ ip-address [ vpn vpn-instance-name ] ] [ slot slot-number ] [ count ] Views Any view Predefined user roles network-admin network-operator Parameters policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters.
# (MSR4000.) Display information about all IPv4 addresses protected by flood attack detection and prevention in attack defense policy abc.
display attack-defense policy abc flood ip
Slot 0:
  IP address       VPN instance      Type           Rate threshold(PPS)  Dropped
  123.123.123.123  a012345678901234  SYN-ACK-FLOOD  100                  4294967295
  201.55.7.45      --                ICMP-FLOOD     100                  10
  192.168.11.5     --                DNS-FLOOD      23                   100
Slot 1:
  Totally 3 flood protected IP addresses.
Syntax MSR2000/MSR3000: display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ count ] MSR4000: display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ slot slot-number ] [ count ] Views
Examples # (MSR2000/MSR3000.) Display information about all IPv6 addresses protected by flood attack detection and prevention in attack defense policy abc.
display attack-defense policy abc flood ipv6
  IPv6 address  VPN instance      Type           Rate threshold(PPS)  Dropped
  2013::127f    a012345678901234  SYN-ACK-FLOOD  100                  4294967295
  2::5          --                ACK-FLOOD      100                  10
  1::5          --                ACK-FLOOD      100                  23
# (MSR4000.
display attack-defense scan attacker ip Use display attack-defense scan attacker ip to display information about IPv4 scanning attacker.
Totally 3 attackers. # (MSR4000.) Display the number of IPv4 scanning attackers. display attack-defense scan attacker ip count Slot 0: Totally 3 attackers. Slot 1: Totally 3 attackers. Table 87 Command output Field Description Totally 3 attackers Total number of IPv4 scanning attackers. IP address IPv4 address of the attacker. VPN instance MPLS L3VPN instance to which the attacker's IPv4 address belongs. If the IPv4 address is on the public network, this field displays hyphens (--).
local: Specifies the device. slot slot-number: Specifies a card by its slot number. This option is available only when you specify a global interface, such as a VLAN interface or tunnel interface. (MSR4000.) count: Displays the number of matching IPv6 scanning attackers. Usage guidelines If no parameter is specified, this command displays information about all IPv6 scanning attacker entries. Examples # (MSR2000/MSR3000.) Display information about all IPv6 scanning attackers.
• scan detect display attack-defense scan victim ip Use display attack-defense scan victim ip to display information about IPv4 scanning attack victims.
display attack-defense scan victim ip count Totally 3 victim IP addresses. # (MSR4000.) Display the number of IPv4 scanning attack victims. display attack-defense scan victim ip count Slot 0: Totally 3 victim IP addresses. Slot 1: Totally 3 victim IP addresses. Table 89 Command output Field Description Totally 3 victim IP addresses Total number of IPv4 scanning attack victims. IP address IPv4 address of the victim.
count: Displays the number of matching IPv6 scanning attack victims. Usage guidelines If no parameter is specified, this command displays information about all IPv6 scanning attack victims. Examples # (MSR2000/MSR3000.) Display information about all IPv6 scanning attack victims.
display attack-defense scan victim ipv6
  IPv6 address  VPN instance  Detected on  Duration(min)
  2013::2       --            GE2/1/4      210
  1230::22      --            GE2/1/4      13
# (MSR4000.
display attack-defense statistics interface Use display attack-defense statistics interface to display attack detection and prevention statistics on an interface.
  IP option record route           1  100
  IP option security               2  0
  IP option stream ID              3  0
  IP option internet timestamp     4  1
  IP option loose source routing   5  0
  IP option strict source routing  6  0
  IP option route alert            3  0
  Fragment                         1  0
  Impossible                       1  1
  Teardrop                         1  1
  Tiny fragment                    1  0
  IP options abnormal              3  0
  Smurf                            1  0
  Ping of death                    1  0
  Traceroute                       1  0
  Large ICMP                       1  0
  TCP NULL flag                    1  0
  TCP all flags                    1  0
  TCP SYN-FIN flags                1  0
  TCP FIN only flag                1  0
  TCP invalid flag                 1  0
  T
ICMPv6 packet too big 1 0 # (MSR4000.) Display attack detection and prevention statistics on interface GigabitEthernet 2/1/1 for the card in slot 0.
  UDP Bomb                      1  0
  Snork                         1  0
  Fraggle                       1  0
  Large ICMPv6                  1  0
  ICMP echo request             1  0
  ICMP echo reply               1  0
  ICMP source quench            1  0
  ICMP destination unreachable  1  0
  ICMP redirect                 2  0
  ICMP time exceeded            3  0
  ICMP parameter problem        4  0
  ICMP timestamp request        5  0
  ICMP timestamp reply          6  0
  ICMP information request      7  0
  ICMP information reply        4  0
  ICMP address mask request     2  0
  ICMP address mask reply       1  0
  ICMPv6 echo request           1  1
  ICMPv6 echo reply             1  1
  ICMPv6 group membership q
Predefined user roles network-admin network-operator Parameters slot slot-number: Specifies a card by its slot number. If no card is specified, this command displays attack detection and prevention statistics for the device on all cards. (MSR4000.) Examples # (MSR2000/MSR3000.) Display attack detection and prevention statistics for the device.
  TCP all flags                 1  0
  TCP SYN-FIN flags             1  0
  TCP FIN only flag             1  0
  TCP invalid flag              1  0
  TCP Land                      1  0
  Winnuke                       1  0
  UDP Bomb                      1  0
  Snork                         1  0
  Fraggle                       1  0
  Large ICMPv6                  1  0
  ICMP echo request             1  0
  ICMP echo reply               1  0
  ICMP source quench            1  0
  ICMP destination unreachable  1  0
  ICMP redirect                 2  0
  ICMP time exceeded            3  0
  ICMP parameter problem        4  0
  ICMP timestamp request        5  0
  ICMP timestamp reply          6  0
  ICMP information request      7  0
  ICMP information reply        4  0
  ICMP address ma
  UDP flood     1  0
  ICMP flood    1  0
  ICMPv6 flood  1  0
  DNS flood     1  0
  HTTP flood    1  0
Signature attack defense statistics:
  AttackType                       AttackTimes  Dropped
  IP option record route           1            100
  IP option security               2            0
  IP option stream ID              3            0
  IP option internet timestamp     4            1
  IP option loose source routing   5            0
  IP option strict source routing  6            0
  IP option route alert            3            0
  Fragment                         1            0
  Impossible                       1            1
  Teardrop                         1            1
  Tiny fragment                    1            0
  IP options abnormal              3            0
  Smurf                            1            0
  Ping of death
  ICMPv6 echo reply                  1  1
  ICMPv6 group membership query      1  0
  ICMPv6 group membership report     1  0
  ICMPv6 group membership reduction  1  0
  ICMPv6 destination unreachable     1  0
  ICMPv6 time exceeded               1  0
  ICMPv6 parameter problem           1  0
  ICMPv6 packet too big              1  0
Slot 1:
Attack policy name: abc
Scan attack defense statistics:
  AttackType            AttackTimes  Dropped
  Port scan             2            23
  IP sweep              3            33
  Distribute port scan  1            10
Flood attack defense statistics:
  AttackType  AttackTimes  Dropped
  SYN flood   1            0
TCP FIN only flag                 1            0
TCP invalid flag                  1            0
TCP Land                          1            0
Winnuke                           1            0
UDP Bomb                          1            0
Snork                             1            0
Fraggle                           1            0
Large ICMPv6                      1            0
ICMP echo request                 1            0
ICMP echo reply                   1            0
ICMP source quench                1            0
ICMP destination unreachable      1            0
ICMP redirect                     2            0
ICMP time exceeded                3            0
ICMP parameter problem            4            0
ICMP timestamp request            5            0
ICMP timestamp reply              6            0
ICMP information request          7            0
ICMP information reply            4            0
ICMP address mask request         2            0
ICMP address mask reply           1
MSR4000:
display blacklist ip [ source-ip-address [ vpn-instance vpn-instance-name ] ] [ slot slot-number ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
source-ip-address: Specifies the IPv4 address for a blacklist entry.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
Field                Description
VPN instance         MPLS L3VPN instance to which the blacklisted IPv4 address belongs. If the blacklisted IPv4 address is on the public network, this field displays hyphens (--).
DS-Lite tunnel peer  Peer address of the DS-Lite tunnel. If the device is the AFTR of a DS-Lite tunnel, this field displays the B4's address from which the packet comes. In other situations, this field displays hyphens (--).
Type                 Type of the IPv4 blacklist entry, Manual or Dynamic.
Examples
# (MSR2000/MSR3000.) Display all IPv6 blacklist entries.
display blacklist ipv6
Totally 3 blacklist entries.
IPv6 address                             VPN instance                     Type     TTL(sec)  Dropped
2013:fe07:221a:4011:2013:fe07:221a:4011  a012345678901234567890123456789  Dynamic  123       4294967295
1::4                                     --                               Manual   Never     14478
1::5                                     --                               Dynamic  10        353452
# (MSR4000.) Display IPv6 blacklist entries on the card in slot 0.
display blacklist ipv6 slot 0
Slot 0:
Totally 3 blacklist entries.
Syntax
MSR2000/MSR3000:
display client-verify { dns | http | tcp } protected ip [ ip-address [ vpn vpn-instance-name ] ] [ port port-number ] [ count ]
MSR4000:
display client-verify { dns | http | tcp } protected ip [ ip-address [ vpn vpn-instance-name ] ] [ port port-number ] [ slot slot-number ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
dns: Specifies the DNS client verification function.
http: Specifies the HTTP client verification function.
IP address VPN instance Port 123.123.123.123 VPN1 65535 Dynamic 4294967295 Type Requested 15151 201.55.7.45 -- 10 Manual 222 192.168.11.5 -- 23 Dynamic 353452 15000 Trusted 555
# (MSR2000/MSR3000.) Display the number of protected IPv4 addresses for TCP client verification.
display client-verify tcp protected ip count
Totally 3 protected IP addresses.
# (MSR4000.) Display the number of protected IPv4 addresses for TCP client verification.
# (MSR4000.) Display the protected IPv4 list for HTTP client verification.
display client-verify http protected ip
Slot 0:
IP address VPN instance Port Type Requested 123.123.123.123 VPN1 80 Dynamic 4294967295 15151 201.55.7.45 -- 8080 Manual 222 192.168.11.5 -- 80 Dynamic 353452 555
IP address VPN instance Port Type Trusted 123.123.123.123 VPN1 80 Dynamic 4294967295 15151 201.55.7.45 -- 8080 Manual 222 192.168.11.
MSR4000:
display client-verify { dns | http | tcp } protected ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ port port-number ] [ slot slot-number ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
dns: Specifies the DNS client verification function.
http: Specifies the HTTP client verification function.
tcp: Specifies the TCP client verification function.
ipv6-address: Specifies a protected IPv6 address.
# (MSR4000.) Display the number of protected IPv6 addresses for TCP client verification.
display client-verify tcp protected ipv6 count
Slot 0:
Totally 3 protected IPv6 addresses.
Slot 1:
Totally 3 protected IPv6 addresses.
# (MSR2000/MSR3000.) Display the protected IPv6 list for DNS client verification.
display client-verify http protected ipv6 count
Totally 3 protected IPv6 addresses.
# (MSR4000.) Display the number of protected IPv6 addresses for HTTP client verification.
display client-verify http protected ipv6 count
Slot 0:
Totally 3 protected IPv6 addresses.
Slot 1:
Totally 3 protected IPv6 addresses.
Table 96 Command output
Field                                  Description
Totally 3 protected IPv6 addresses     Total number of protected IPv6 addresses.
IPv6 address                           Protected IPv6 address.
http: Specifies the HTTP client verification function.
tcp: Specifies the TCP client verification function.
ip-address: Specifies a trusted IPv4 address. If no IPv4 address is specified, this command displays all matching trusted IPv4 addresses.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the trusted IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
11.1.1.2         vpn1                 --                    3600
123.123.123.123  a012345678901234567  1234:1234::1234:1234  3550
Slot 1:
IP address       VPN instance         DS-Lite tunnel peer   TTL(sec)
11.1.1.2         vpn1                 --                    3600
# (MSR2000/MSR3000.) Display the number of trusted IPv4 addresses for HTTP client verification.
display client-verify http trusted ip count
Totally 3 trusted IP addresses.
# (MSR4000.) Display the number of trusted IPv4 addresses for HTTP client verification.
Field                Description
DS-Lite tunnel peer  Peer address of the DS-Lite tunnel. If the device is the AFTR of a DS-Lite tunnel, this field displays the B4's address from which the packet comes. In other situations, this field displays hyphens (--).
TTL(sec)             Remaining aging time of the trusted IPv4 address, in seconds. If no aging time is set, this field displays Never.
display client-verify trusted ipv6
Use display client-verify trusted ipv6 to display trusted IPv6 addresses for client verification.
# (MSR4000.) Display the trusted IPv6 list for DNS client verification.
display client-verify dns trusted ipv6
Slot 0:
IPv6 address   VPN instance      TTL(sec)
1::3           vpn1              1643
1234::1234     a012345678901234  1234
Slot 1:
IPv6 address   VPN instance      TTL(sec)
1::3           vpn1              1643
# (MSR2000/MSR3000.) Display the number of trusted IPv6 addresses for DNS client verification.
display client-verify dns trusted ipv6 count
Totally 3 trusted IPv6 addresses.
# (MSR4000.
1234::1234     a012345678901234  1234
# (MSR4000.) Display the trusted IPv6 list for TCP client verification.
display client-verify tcp trusted ipv6
Slot 0:
IPv6 address   VPN instance      TTL(sec)
1::3           vpn1              1643
1234::1234     a012345678901234  1234
Slot 1:
IPv6 address   VPN instance      TTL(sec)
1::3           vpn1              1643
# (MSR2000/MSR3000.) Display the number of trusted IPv6 addresses for TCP client verification.
display client-verify tcp trusted ipv6 count
Totally 3 trusted IPv6 addresses.
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for DNS client verification. If DNS client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent DNS packets destined for the victim IP addresses.
logging: Enables logging for DNS flood attack events. The log information records the detection interface, victim IP address, MPLS L3VPN instance name, current packet statistics, prevention actions, and start time of the attack.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
port port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number.
Default
DNS flood attack detection is not enabled for non-specific IP addresses.
Views
Attack defense policy view
Predefined user roles
network-admin
Usage guidelines
This command enables global DNS flood attack detection. It applies to all IP addresses except for those specified by the dns-flood detect command. The system uses the global trigger threshold set by the dns-flood threshold command and global actions specified by the dns-flood action command.
The global ports apply to DNS flood attack detection for non-specific IP addresses and IP-specific DNS flood attack detection with no port specified.
Examples
# Specify port 53 and 61000 as the global ports to be protected against DNS flood attacks in attack defense policy atk-policy-1.
Related commands
• dns-flood action
• dns-flood detect
• dns-flood detect non-specific
exempt acl
Use exempt acl to configure attack detection exemption.
Use undo exempt acl to restore the default.
Syntax
exempt acl [ ipv6 ] { acl-number | name acl-name }
undo exempt acl [ ipv6 ]
Default
Attack defense exemption is not configured. The attack defense policy applies to all incoming packets.
Views
Attack defense policy view
Predefined user roles
network-admin
Parameters
ipv6: Specifies an IPv6 ACL.
Related commands
attack-defense policy
fin-flood action
Use fin-flood action to specify global actions against FIN flood attacks.
Use undo fin-flood action to restore the default.
Syntax
fin-flood action { client-verify | drop | logging } *
undo fin-flood action
Default
No action is taken against detected FIN flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification.
Use undo fin-flood detect to remove the FIN flood attack detection configuration for an IP address.
Syntax
fin-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { client-verify | drop | logging } * ]
undo fin-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
FIN flood attack detection is not configured for any IP address.
Related commands
• fin-flood action
• fin-flood detect non-specific
• fin-flood threshold
fin-flood detect non-specific
Use fin-flood detect non-specific to enable FIN flood attack detection for non-specific IP addresses.
Use undo fin-flood detect non-specific to restore the default.
Syntax
fin-flood detect non-specific
undo fin-flood detect non-specific
Default
FIN flood attack detection is not enabled for non-specific IP addresses.
Default
The global threshold is 1000 for triggering FIN flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
Parameters
threshold-value: Specifies the threshold for triggering FIN flood attack prevention. The value range is 1 to 1000000 in units of FIN packets sent to an IP address per second.
Usage guidelines
The global threshold applies to FIN flood attack detection for non-specific IP addresses. Adjust the threshold according to the application scenarios.
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for HTTP client verification. If HTTP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent HTTP packets destined for the victim IP addresses.
logging: Enables logging for HTTP flood attack events. The log information records the detection interface, victim IP address, MPLS L3VPN instance name, current packet statistics, prevention actions, and start time of the attack.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
port port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number.
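The port-list format described for the port port-list parameter (here and in the DNS flood commands above) is simple but easy to get wrong when a tool generates or validates device configuration: items are space-separated, and a range is written as start-port-number to end-port-number. The parser below is an added example, not device code; it assumes valid port numbers are 1 to 65535 and applies the 65535-item limit stated above. It also models the rule that the global ports apply to IP-specific detection only when that entry has no port of its own.

```python
# Added example (not the device's own code): parser for the "port port-list"
# format used by the flood attack defense commands. Assumptions: valid port
# numbers are 1-65535; a list may hold at most 65535 items (as the reference
# states); a range is written "start to end".
MAX_ITEMS = 65535
PORT_MIN, PORT_MAX = 1, 65535  # assumed valid range


def parse_port_list(text):
    """Return the set of ports covered by a port-list string.

    Malformed input raises ValueError so that a bad policy is rejected
    instead of silently protecting fewer ports than the operator intended.
    """
    tokens = text.split()
    items = []
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            # "start to end" range item
            items.append((int(tokens[i]), int(tokens[i + 2])))
            i += 3
        else:
            port = int(tokens[i])      # int() raises ValueError on junk
            items.append((port, port))
            i += 1
    if not items:
        raise ValueError("port list is empty")
    if len(items) > MAX_ITEMS:
        raise ValueError("too many port items: %d" % len(items))
    ports = set()
    for start, end in items:
        if not (PORT_MIN <= start <= end <= PORT_MAX):
            raise ValueError("invalid port item %d to %d" % (start, end))
        ports.update(range(start, end + 1))
    return ports


def effective_ports(global_port_list, ip_specific_port_list=None):
    """Ports protected for one IP address: its own list if one was configured
    with the detect command, otherwise the global list (the precedence rule
    stated in the usage guidelines)."""
    if ip_specific_port_list is not None:
        return parse_port_list(ip_specific_port_list)
    return parse_port_list(global_port_list)


if __name__ == "__main__":
    print(sorted(parse_port_list("80 8080 8000 to 8003")))
    print(sorted(effective_ports("80 8080", None)))
```

A rejected list (for example a range written backwards, or a number above 65535) should be reported to the operator rather than narrowed, because a flood-detection policy that silently covers fewer ports than intended gives no warning until an attack lands on the uncovered port.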
Default
HTTP flood attack detection is not enabled for non-specific IP addresses.
Views
Attack defense policy view
Predefined user roles
network-admin
Usage guidelines
This command enables global HTTP flood attack detection. It applies to all IP addresses except for those specified by the http-flood detect command. The system uses the global trigger threshold set by the http-flood threshold command and global actions specified by the http-flood action command.
The global ports apply to HTTP flood attack detection for non-specific IP addresses and IP-specific HTTP flood attack detection with no port specified.
Examples
# Specify port 80 and 8080 as the global ports to be protected against HTTP flood attacks in attack defense policy atk-policy-1.
Related commands
• http-flood action
• http-flood detect
• http-flood detect non-specific
icmp-flood action
Use icmp-flood action to specify global actions against ICMP flood attacks.
Use undo icmp-flood action to restore the default.
Syntax
icmp-flood action { drop | logging } *
undo icmp-flood action
Default
No action is taken against detected ICMP flood attacks.
undo icmp-flood detect ip ip-address [ vpn-instance vpn-instance-name ]
Default
ICMP flood attack detection is not configured for any IP address.
Views
Attack defense policy view
Predefined user roles
network-admin
Parameters
ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs.
Use undo icmp-flood detect non-specific to restore the default.
Syntax
icmp-flood detect non-specific
undo icmp-flood detect non-specific
Default
ICMP flood attack detection is not enabled for non-specific IPv4 addresses.
Views
Attack defense policy view
Predefined user roles
network-admin
Usage guidelines
This command enables global ICMP flood attack detection. It applies to all IP addresses except for those specified by the icmp-flood detect ip command.
Parameters
threshold-value: Specifies the threshold for triggering ICMP flood attack prevention. The value range is 1 to 1000000 in units of ICMP packets sent to an IP address per second.
Usage guidelines
The global threshold applies to ICMP flood attack detection for non-specific IP addresses. Adjust the threshold according to the application scenarios. If the number of ICMP packets to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold.
[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood action drop
Related commands
• icmpv6-flood detect ipv6
• icmpv6-flood detect non-specific
• icmpv6-flood threshold
icmpv6-flood detect ipv6
Use icmpv6-flood detect ipv6 to configure IPv6-specific ICMPv6 flood attack detection.
Use undo icmpv6-flood detect ipv6 to remove the ICMPv6 flood attack detection configuration for an IPv6 address.
address. When the rate is below the silence threshold (three-fourths of the threshold), the device considers that the threat is over and returns to the attack detection state.
Examples
# Configure ICMPv6 flood attack detection for 2012::12 in attack defense policy atk-policy-1.
• icmpv6-flood threshold
icmpv6-flood threshold
Use icmpv6-flood threshold to set the global threshold for triggering ICMPv6 flood attack prevention.
Use undo icmpv6-flood threshold to restore the default.
Syntax
icmpv6-flood threshold threshold-value
undo icmpv6-flood threshold
Default
The global threshold is 1000 for triggering ICMPv6 flood attack prevention.
Views
User view
Predefined user roles
network-admin
network-operator
Parameters
policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
ip: Clears flood attack detection and prevention statistics for IPv4 addresses.
ipv6: Clears flood attack detection and prevention statistics for IPv6 addresses.
reset attack-defense statistics local
Use reset attack-defense statistics local to clear attack detection and prevention statistics for the device.
Syntax
reset attack-defense statistics local
Views
User view
Predefined user roles
network-admin
network-operator
Examples
# Clear attack detection and prevention statistics for the device.
Related commands
display blacklist ip
reset blacklist ipv6
Use reset blacklist ipv6 to clear dynamic IPv6 blacklist entries.
Syntax
reset blacklist ipv6 { source-ipv6-address [ vpn-instance vpn-instance-name ] | all }
Views
User view
Predefined user roles
network-admin
network-operator
Parameters
source-ipv6-address: Specifies the IPv6 address for a blacklist entry.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs.
reset blacklist statistics
Related commands
• display blacklist ip
• display blacklist ipv6
reset client-verify protected statistics
Use reset client-verify protected statistics to clear protected IP statistics for client verification.
Syntax
reset client-verify { dns | http | tcp } protected { ip | ipv6 } statistics
Views
User view
Predefined user roles
network-admin
network-operator
Parameters
dns: Specifies the DNS client verification function.
Parameters
dns: Specifies the DNS client verification function.
http: Specifies the HTTP client verification function.
tcp: Specifies the TCP client verification function.
ip: Specifies the trusted IPv4 list.
ipv6: Specifies the trusted IPv6 list.
Examples
# Clear the trusted IPv4 list for DNS client verification.
system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] rst-flood action drop
Related commands
• client-verify tcp enable
• rst-flood detect
• rst-flood detect non-specific
• rst-flood threshold
rst-flood detect
Use rst-flood detect to configure IP-specific RST flood attack detection.
Use undo rst-flood detect to remove the RST flood attack detection configuration for an IP address.
Usage guidelines
You can configure RST flood attack detection for multiple IP addresses in one attack defense policy.
With RST flood attack detection configured, the device is in attack detection state. An attack occurs when the device detects that the sending rate of RST packets to a protected IP address reaches or exceeds the threshold. The device enters prevention state and takes actions to protect the target IP address.
Related commands
• rst-flood action
• rst-flood detect
• rst-flood threshold
rst-flood threshold
Use rst-flood threshold to set the global threshold for triggering RST flood attack prevention.
Use undo rst-flood threshold to restore the default.
Syntax
rst-flood threshold threshold-value
undo rst-flood threshold
Default
The global threshold is 1000 for triggering RST flood attack prevention.
Syntax
scan detect level { high | low | medium } action { { block-source [ timeout minutes ] | drop } | logging } *
undo scan detect level { high | low | medium }
Default
Scanning attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
Parameters
level: Specifies the level of the scanning attack detection.
low: Specifies the low level. This level provides basic scanning attack detection.
system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] scan detect level low action logging block-source timeout 10
Related commands
• blacklist enable
• blacklist global enable
signature { large-icmp | large-icmpv6 } max-length
Use signature { large-icmp | large-icmpv6 } max-length to set the maximum length of safe ICMP or ICMPv6 packets.
Syntax
signature detect { fraggle | fragment | impossible | ip-option-abnormal | land | large-icmp | large-icmpv6 | ping-of-death | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | teardrop | tiny-fragment | traceroute | udp-bomb | winnuke } [ action { { drop | logging } * | none } ]
undo signature detect { fraggle | fragment | impossible | ip-option-abnormal | land | large-icmp | large-icmpv6 | ping-of-death | smurf | snork | tcp-all-flags | tcp-fin-only | tc
• destination-unreachable: Specifies the ICMP destination unreachable type.
• echo-reply: Specifies the ICMP echo reply type.
• echo-request: Specifies the ICMP echo request type.
• information-reply: Specifies the ICMP information reply type.
• information-request: Specifies the ICMP information request type.
• parameter-problem: Specifies the ICMP parameter problem type.
• redirect: Specifies the ICMP redirect type.
• source-quench: Specifies the ICMP source quench type.
ping-of-death: Specifies the ping-of-death attack.
smurf: Specifies the smurf attack.
snork: Specifies the UDP snork attack.
tcp-all-flags: Specifies the attack where a TCP packet has all flags set.
tcp-fin-only: Specifies the attack where a single TCP FIN packet is sent to a privileged port (port number lower than 1024).
tcp-invalid-flags: Specifies the attack that uses TCP packets with invalid flags.
tcp-null-flag: Specifies the attack where a single TCP packet has no TCP flags set.
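The TCP single-packet signatures above are pure header checks, which makes them a good candidate for a unit-testable classifier when you write detections or validate what the device reports in its signature statistics. The code below is an added example and not the device's implementation; it assumes the "all flags" check covers the six classic flag bits (FIN, SYN, RST, PSH, ACK, URG), that tcp-syn-fin means SYN and FIN set together, and that land means identical source and destination address and port. The sample packets are constructed. tcp-invalid-flags is left out because the reference does not define which combinations count as invalid.

```python
# Added example (not the device's own code): classifier for the TCP
# single-packet signatures named by the "signature detect" command.
# Assumptions: six classic flag bits; tcp-syn-fin = SYN and FIN both set;
# land = same source/destination address and port. Sample packets are
# constructed for illustration.
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG
PRIVILEGED_PORT_MAX = 1023  # "privileged port" = port number lower than 1024


@dataclass(frozen=True)
class TcpPacket:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: int


def classify(pkt):
    """Return the tuple of signature names the packet matches (may be empty).

    A packet can match more than one signature (an all-flags packet also has
    SYN and FIN set); the reference does not state the device's precedence,
    so every match is reported.
    """
    hits = []
    if pkt.flags & ALL_FLAGS == ALL_FLAGS:
        hits.append("tcp-all-flags")
    if pkt.flags & (SYN | FIN) == (SYN | FIN):
        hits.append("tcp-syn-fin")
    if pkt.flags == FIN and pkt.dst_port <= PRIVILEGED_PORT_MAX:
        hits.append("tcp-fin-only")
    if pkt.flags == 0:
        hits.append("tcp-null-flag")
    if pkt.src_ip == pkt.dst_ip and pkt.src_port == pkt.dst_port:
        hits.append("land")
    return tuple(hits)


def count_signatures(packets, enabled):
    """Count matches for the enabled signature keywords only, the way the
    AttackTimes column of the signature statistics would accumulate them."""
    counts = {name: 0 for name in enabled}
    for pkt in packets:
        for sig in classify(pkt):
            if sig in counts:
                counts[sig] += 1
    return counts


# Constructed sample traffic: one packet per signature plus two benign ones.
SAMPLE_PACKETS = [
    TcpPacket("10.0.0.1", "10.0.0.2", 40000, 80, ALL_FLAGS),   # all flags
    TcpPacket("10.0.0.1", "10.0.0.2", 40001, 22, FIN),         # FIN only, privileged port
    TcpPacket("10.0.0.1", "10.0.0.2", 40002, 8080, FIN),       # FIN only, high port: benign here
    TcpPacket("10.0.0.1", "10.0.0.2", 40003, 443, 0),          # null flags
    TcpPacket("10.0.0.2", "10.0.0.2", 80, 80, SYN),            # land
    TcpPacket("10.0.0.1", "10.0.0.2", 40004, 443, SYN),        # normal handshake start
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt.dst_port, classify(pkt))
    print(count_signatures(SAMPLE_PACKETS, {"tcp-fin-only", "land"}))
```

Running the classifier over captured traffic before enabling a signature with the drop action is a cheap way to estimate how much legitimate traffic the signature would catch; the FIN-to-a-high-port sample shows why the privileged-port condition matters for tcp-fin-only.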
Default
For informational-level and low-level single-packet attacks, the action is logging. For medium-level and high-level single-packet attacks, the actions are logging and drop.
Views
Attack defense policy view
Predefined user roles
network-admin
Parameters
high: Specifies the high level. None of the currently supported single-packet attacks belongs to this level.
info: Specifies the informational level. For example, large ICMP packet attack is of this level.
low: Specifies the low level.
Default
Signature detection is disabled for all levels of single-packet attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
Parameters
high: Specifies the high level. None of the currently supported single-packet attacks belongs to this level.
info: Specifies the informational level. For example, large ICMP packet attack is of this level.
low: Specifies the low level. For example, the traceroute attack is of this level.
medium: Specifies the medium level.
Views
Attack defense policy view
Predefined user roles
network-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent SYN-ACK packets destined for the victim IP addresses.
logging: Enables logging for SYN-ACK flood attack events.
Parameters
ip ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s.
ipv6 ipv6-address: Specifies the IPv6 address to be protected. The ipv6-address argument cannot be a multicast address or all 0s.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
undo syn-ack-flood detect non-specific
Default
SYN-ACK flood attack detection is not enabled for non-specific IP addresses.
Views
Attack defense policy view
Predefined user roles
network-admin
Usage guidelines
This command enables global SYN-ACK flood attack detection. It applies to all IP addresses except for those specified by the syn-ack-flood detect command.
Usage guidelines
The global threshold applies to SYN-ACK flood attack detection for non-specific IP addresses. Adjust the threshold according to the application scenarios. If the number of SYN-ACK packets to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.
Examples
# Specify drop as the global action against SYN flood attacks in attack defense policy atk-policy-1.
system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-flood action drop
Related commands
• syn-flood detect
• syn-flood detect non-specific
• syn-flood threshold
syn-flood detect
Use syn-flood detect to configure IP-specific SYN flood attack detection.
Usage guidelines
You can configure SYN flood attack detection for multiple IP addresses in one attack defense policy.
With SYN flood attack detection configured, the device is in attack detection state. An attack occurs when the device detects that the sending rate of SYN packets to a protected IP address reaches or exceeds the threshold. The device enters prevention state and takes actions to protect the target IP address.
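The detection/prevention state machine described here (and identically for the RST flood and ICMPv6 flood commands above, where the silence threshold is given as three-fourths of the trigger threshold) is easiest to reason about as code. The model below is an added example, not the device's own implementation; it assumes the per-second packet rate is sampled once a second, that the same three-fourths silence rule applies to every flood type, and that the action keywords are those of the command syntax (client-verify, drop, logging). It also models the precedence rules stated in the usage guidelines: an IP-specific threshold from the detect command wins, the global threshold applies only to non-specific detection, and an address covered by neither is not monitored.

```python
# Added example (not the device's own code): model of the flood attack
# detection/prevention state machine. Assumptions: rates sampled once per
# second; silence threshold = 3/4 of the trigger threshold for every flood
# type; action names follow the command syntax.
from dataclasses import dataclass, field

TRIGGER_DEFAULT = 1000  # default global threshold stated in the reference


@dataclass
class FloodPolicy:
    """Settings for one flood type (for example SYN flood) in a policy."""
    ip_thresholds: dict = field(default_factory=dict)  # "<x>-flood detect ... threshold"
    non_specific: bool = False                         # "<x>-flood detect non-specific"
    global_threshold: int = TRIGGER_DEFAULT            # "<x>-flood threshold"
    actions: tuple = ("logging",)                      # "<x>-flood action"

    def threshold_for(self, ip):
        """IP-specific threshold first; else the global one when non-specific
        detection is enabled; None means the address is not monitored."""
        if ip in self.ip_thresholds:
            return self.ip_thresholds[ip]
        return self.global_threshold if self.non_specific else None


class FloodDetector:
    def __init__(self, policy):
        self.policy = policy
        self.preventing = set()  # addresses currently in prevention state

    def observe(self, ip, packets_per_second):
        """Feed one second of packet counts for ip; return (state, actions)."""
        threshold = self.policy.threshold_for(ip)
        if threshold is None:
            return "unmonitored", ()
        silence = threshold * 3 / 4
        if ip in self.preventing:
            if packets_per_second < silence:      # threat considered over
                self.preventing.discard(ip)
                return "detection", ()
            return "prevention", self.policy.actions
        if packets_per_second >= threshold:       # attack detected
            self.preventing.add(ip)
            return "prevention", self.policy.actions
        return "detection", ()


def run_trace(policy, ip, rates):
    """Return the detector state after each per-second rate sample."""
    detector = FloodDetector(policy)
    return [detector.observe(ip, rate)[0] for rate in rates]


# Constructed rate trace: climbs to the trigger, hovers between the silence
# threshold (750) and the trigger (1000), then falls below 750.
CONSTRUCTED_RATES = [500, 1000, 900, 800, 749, 100]

if __name__ == "__main__":
    policy = FloodPolicy(non_specific=True, actions=("drop", "logging"))
    for rate, state in zip(CONSTRUCTED_RATES, run_trace(policy, "10.1.1.1", CONSTRUCTED_RATES)):
        print(rate, state)
```

The trace makes the hysteresis visible: once prevention has been entered at 1000 packets per second, rates of 900 and 800 keep the device in prevention even though they are below the trigger, and only a rate under 750 returns it to detection. That gap is what stops an attacker who hovers just under the trigger from flapping the device between states, and it is also why a threshold set too close to normal server load (as the usage guidelines warn) keeps legitimate traffic under the prevention actions for longer than expected.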
Related commands
• syn-flood action
• syn-flood detect
• syn-flood threshold
syn-flood threshold
Use syn-flood threshold to set the global threshold for triggering SYN flood attack prevention.
Use undo syn-flood threshold to restore the default.
Syntax
syn-flood threshold threshold-value
undo syn-flood threshold
Default
The global threshold is 1000 for triggering SYN flood attack prevention.
Syntax
udp-flood action { drop | logging } *
undo udp-flood action
Default
No action is taken against detected UDP flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
Parameters
drop: Drops subsequent UDP packets destined for the victim IP addresses.
logging: Enables logging for UDP flood attack events.
Parameters
ip ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s.
ipv6 ipv6-address: Specifies the IPv6 address to be protected. The ipv6-address argument cannot be a multicast address or all 0s.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
Views
Attack defense policy view
Predefined user roles
network-admin
Usage guidelines
This command enables global UDP flood attack detection. It applies to all IP addresses except for those specified by the udp-flood detect command. The system uses the global trigger threshold set by the udp-flood threshold command and global actions specified by the udp-flood action command.
Examples
# Enable UDP flood attack detection for non-specific IP addresses in attack defense policy atk-policy-1.
Examples
# Set the global threshold to 100 for triggering UDP flood attack prevention in attack defense policy atk-policy-1.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention       Description
Boldface         Bold text represents commands and keywords that you enter literally as shown.
Italic           Italic text represents arguments that you replace with actual values.
[ ]              Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }  Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
Represents an access point.
Represents a mesh access point.