HP FlexFabric 7900 Series Command Reference Manual
HP FlexFabric 7900 Switch Series
Security

Command Reference

Part number: 5998-4296
Software version: Release 2109
Document version: 6W100-20140122

Summary of Contents for HP FlexFabric 7900 Series

  • Page 1: Command Reference

    HP FlexFabric 7900 Switch Series Security Command Reference Part number: 5998-4296 Software version: Release 2109 Document version: 6W100-20140122...
  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
  • Page 3: Table Of Contents

    Contents: AAA commands (p. 1); General AAA commands (p. 1); aaa session-limit (p. 1); accounting command (p. 2); accounting default (p. 2); accounting login (p. 4); authentication default (p. 5); authentication login (p. 6) ...
  • Page 4 timer quiet (RADIUS scheme view) (p. 48); timer realtime-accounting (RADIUS scheme view) (p. 49); timer response-timeout (RADIUS scheme view) (p. 50); user-name-format (RADIUS scheme view) (p. 51); HWTACACS commands (p. 52); data-flow-format (HWTACACS scheme view) (p. 52) ...
  • Page 5 IPsec commands (p. 108); ah authentication-algorithm (p. 108); description (p. 109); display ipsec policy (p. 109); display ipsec sa (p. 112); display ipsec statistics (p. 115); display ipsec transform-set (p. 116); display ipsec tunnel (p. 117) ...
  • Page 6 ike keychain (p. 163); ike limit (p. 163); ike nat-keepalive (p. 164); ike profile (p. 165); ike proposal (p. 165); keychain (p. 166); local-identity (p. 167); match local address (IKE keychain view) (p. 168) ...
  • Page 7 ... (p. 221); fips mode enable (p. 221); fips self-test (p. 223); Support and other resources (p. 225); Contacting HP (p. 225); Subscription service (p. 225); Related information (p. 225); Documents (p. 225) ...
  • Page 8: Aaa Commands

    AAA commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. General AAA commands aaa session-limit Use aaa session-limit to set the maximum number of concurrent users who can log on to the device through the specified method.
  • Page 9: Accounting Command

    <Sysname> system-view
    [Sysname] aaa session-limit ftp 4
    accounting command: Use accounting command to specify the command line accounting method. Use undo accounting command to restore the default. Syntax: accounting command hwtacacs-scheme hwtacacs-scheme-name; undo accounting command. Default: The default accounting method of the ISP domain is used for command line accounting. Views: ISP domain view. Predefined user roles...
  • Page 10 accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo accounting default In FIPS mode: accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }...
  • Page 11: Accounting Login

    Related commands: hwtacacs scheme, local-user, radius scheme. accounting login: Use accounting login to specify the accounting method for login users. Use undo accounting login to restore the default. Syntax in non-FIPS mode: accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }; undo accounting login...
  • Page 12: Authentication Default

    RADIUS server is invalid, and does not perform accounting when both of the previous methods are invalid. Examples # Configure ISP domain test to use local accounting for login users.
    <Sysname> system-view
    [Sysname] domain test
    [Sysname-isp-test] accounting login local
    # Configure ISP domain test to use RADIUS scheme rd for login user accounting and use local accounting as the backup.
  • Page 13: Authentication Login

    Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authentication. none: Does not perform authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 14: Authentication Super

    undo authentication login Default The default authentication method of the ISP is used for login users. Views ISP domain view Predefined user roles network-admin Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authentication.
  • Page 15 Use undo authentication super to restore the default. Syntax authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } undo authentication super Default The default authentication method of the ISP domain is used for user role authentication. Views ISP domain view Predefined user roles network-admin Parameters...
  • Page 16: Authorization Command

    authorization command Use authorization command to specify the command authorization method. Use undo authorization command to restore the default. Syntax In non-FIPS mode: authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none } undo authorization command In FIPS mode:...
  • Page 17: Authorization Default

    [Sysname-isp-test] authorization command local
    # Configure ISP domain test to use HWTACACS scheme hwtac for command authorization and use local authorization as the backup authorization method.
    <Sysname> system-view
    [Sysname] domain test
    [Sysname-isp-test] authorization command hwtacacs-scheme hwtac local
    Related commands: authorization accounting (Fundamentals Command Reference) ...
  • Page 18: Authorization Login

    Usage guidelines The default authorization method is used for all users who support this method and for whom no specific authorization method is configured. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. You can specify one authorization method and multiple backup authorization methods.
  • Page 19: Authorization-Attribute (Isp Domain View)

    Views ISP domain view Predefined user roles network-admin Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform authorization. After passing authentication, FTP, SFTP, and SCP users use the root directory of the device as the work directory but cannot access it, and other login users get the default user role.
  • Page 20: Display Domain

    Use undo authorization-attribute to restore the default of an authorization attribute. Syntax authorization-attribute idle-cut minute [ flow ] undo authorization-attribute idle-cut Default No authorization attribute is configured for users in the ISP domain and the idle cut function is disabled. Views ISP domain view Predefined user roles...
  • Page 21 Parameters isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters. Usage guidelines If no ISP domain is specified, the command displays the configuration of all ISP domains. Examples # Display the configuration of all ISP domains. <Sysname> display domain Total 2 domain(s) Domain:system State: Active...
  • Page 22: Domain

    Field: Description
    Default accounting scheme: Default accounting method.
    Login authentication scheme: Authentication method for login users.
    Login authorization scheme: Authorization method for login users.
    Login accounting scheme: Accounting method for login users.
    Authorization attributes: Authorization attributes for users in the ISP domain.
    Idle cut function status: ...
  • Page 23: Domain Default Enable

    Usage guidelines All ISP domains are in active state when they are created. The system has a predefined ISP domain named system. You can modify but not remove its configuration. To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the undo domain default enable command.
  • Page 24: State (Isp Domain View)

    [Sysname] domain test
    [Sysname-isp-test] quit
    [Sysname] domain default enable test
    Related commands: display domain, domain. state (ISP domain view): Use state to set the status of an ISP domain. Use undo state to restore the default. Syntax: state { active | block }; undo state. Default: An ISP domain is in active state.
  • Page 25: Local User Commands

    Local user commands access-limit Use access-limit to set the maximum number of concurrent logins using the local user name. Use undo access-limit to restore the default. Syntax access-limit max-user-number undo access-limit Default The number of concurrent logins using the local user name is not limited. Views Local user view Predefined user roles...
  • Page 26 Default No authorization ACL, idle timeout period, or authorized VLAN is configured for the local users. FTP, SFTP, or SCP users have the root directory of the NAS set as the working directory, but they do not have the access permission to the root directory. The local users created by a network-admin or level-15 user are assigned the network-operator user role.
  • Page 27: Display Local-User

    Related commands: display local-user, display user-group. display local-user: Use display local-user to display the local user configuration and online user statistics. Syntax: display local-user [ class manage | idle-cut { disable | enable } | service-type { ftp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ]. Views: Any view...
  • Page 28
    Bind Attributes:
    Authorization Attributes:
    Work Directory: flash:
    User Role List: network-admin
    Password control configurations:
    Password aging: Enabled (3 days)
    Table 2 Command output
    Field: Description
    State: Status of the local user: active or blocked.
    Service Type: Service types that the local user can use, including FTP, SSH, Telnet, and terminal.
  • Page 29: Display User-Group

    display user-group Use display user-group to display the user group configuration. Syntax display user-group [ group-name ] Views Any view Predefined user roles network-admin network-operator Parameters group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines If no user group name is specified, the command displays the configuration of all user groups.
  • Page 30: Group

    Field: Description
    Password length: This field appears only when password length control is enabled. The minimum password length is displayed in parentheses.
    Password composition: This field appears only when password composition checking is enabled. It also displays the following information in parentheses: ...
  • Page 31: Local-User

    local-user Use local-user to add a local user and enter local user view. Use undo local-user to remove local users. Syntax local-user user-name [ class manage ] undo local-user { user-name class manage | all [ service-type { ftp | ssh | telnet | terminal } | class manage ] } Default No local user exists.
  • Page 32 Syntax In non-FIPS mode: password [ { hash | simple } password ]; undo password. In FIPS mode: password. Default: In non-FIPS mode, there is no password configured for a local user and a local user can pass authentication after entering the correct username and passing attribute checks. In FIPS mode, there is no password configured for a local user and a local user cannot pass...
  • Page 33: Service-Type

    [Sysname-luser-manage-test] password
    Password:
    Confirm :
    Related commands: display local-user, local-user, password-display-mode. service-type: Use service-type to specify the service types that a local user can use. Use undo service-type to delete service types configured for a local user. Syntax in non-FIPS mode: service-type { ftp | { ssh | telnet | terminal } * }; undo service-type { ftp | { ssh | telnet | terminal } * }...
  • Page 34: State (Local User View)

    Related commands display local-user state (local user view) Use state to set the status of a local user. Use undo state to restore the default. Syntax state { active | block } undo state Default A local user is in active state. Views Local user view Predefined user roles...
  • Page 35: Radius Commands

    Views System view Predefined user roles network-admin Parameters group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters. Usage guidelines A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.
  • Page 36: Data-Flow-Format (Radius Scheme View)

    send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default setting is 50. Usage guidelines The accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after a device or card reboot.
  • Page 37: Display Radius Scheme

    Examples # In RADIUS scheme radius1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.
    <Sysname> system-view
    [Sysname] radius scheme radius1
    [Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet
    Related commands: display radius scheme. display radius scheme: Use display radius scheme to display the configuration of RADIUS schemes.
  • Page 38
    Accounting-On function : Enabled
    retransmission times
    retransmission interval(seconds)
    Timeout Interval(seconds)
    Retransmission Times
    Retransmission Times for Accounting Update : 5
    Server Quiet Period(minutes)
    Realtime Accounting Interval(minutes) : 22
    NAS IP Address : 1.1.1.1
    User Name Format : with-domain
    ------------------------------------------------------------------
    Table 4 Command output
    Field: Description
    Index...
  • Page 39: Display Radius Statistics

    display radius statistics: Use display radius statistics to display RADIUS packet statistics. Syntax: display radius statistics. Views: Any view. Predefined user roles: network-admin, network-operator. Examples # Display RADIUS packet statistics.
    <Sysname> display radius statistics
                          Auth.      Acct.      SessCtrl.
    Request Packet:
    Retry Packet:
    Timeout Packet:
    Access Challenge:
    Account Start:...
  • Page 40: Key (Radius Scheme View)

    Field: Description
    Account Update: Number of accounting update packets.
    Account Stop: Number of stop-accounting packets.
    Terminate Request: Number of packets for logging off users forcibly.
    Set Policy: Number of packets for updating user authorization information.
    Packet With Response: Number of packets for which responses were received.
    Packet Without Response: Number of packets for which no responses were received.
  • Page 41: Nas-Ip (Radius Scheme View)

    A plaintext shared key is a string of 15 to 64 characters that must contain digits, uppercase letters, lowercase letters, and special characters. Usage guidelines The shared keys configured by using this command apply to all servers in the scheme. Make sure the settings match the shared keys configured on the RADIUS servers.
  • Page 42: Primary Accounting (Radius Scheme View)

    If no source IP address is specified for outgoing RADIUS packets, packets returned from the server cannot reach the device if the outbound physical port fails. HP recommends that you configure a loopback interface address as the source IP address for outgoing RADIUS packets.
  • Page 43: Primary Authentication (Radius Scheme View)

    key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS accounting server. cipher string: Sets a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 117 characters. In FIPS mode, the key is a string of 15 to 117 characters.
  • Page 44 Default No primary RADIUS authentication server is specified. Views RADIUS scheme view Predefined user roles network-admin Parameters ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server. port-number: Specifies the service port number of the primary RADIUS authentication server, a UDP port number in the range of 1 to 65535.
  • Page 45: Radius Nas-Ip

    secondary authentication (RADIUS scheme view). radius nas-ip: Use radius nas-ip to specify a source address for outgoing RADIUS packets. Use undo radius nas-ip to delete a source address for outgoing RADIUS packets. Syntax: radius nas-ip ipv4-address; undo radius nas-ip ipv4-address. Default: The source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.
  • Page 46: Radius Scheme

    Use undo radius session-control enable to restore the default. Syntax radius session-control enable undo radius session-control enable Default The session-control feature is disabled and the UDP port 1812 is closed. Views System view Predefined user roles network-admin Usage guidelines The session-control feature enables the device to receive RADIUS session-control packets on UDP port 1812 from a RADIUS server that runs on IMC.
  • Page 47: Reset Radius Statistics

    <Sysname> system-view
    [Sysname] radius scheme radius1
    [Sysname-radius-radius1]
    Related commands: display radius scheme. reset radius statistics: Use reset radius statistics to clear RADIUS statistics. Syntax: reset radius statistics. Views: User view. Predefined user roles: network-admin. Examples # Clear RADIUS statistics.
    <Sysname> reset radius statistics
    Related commands: display radius statistics, retry...
  • Page 48: Retry Realtime-Accounting

    Usage guidelines Because RADIUS uses UDP packets to transmit data, the communication is not reliable. If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request. ...
  • Page 49: Secondary Accounting (Radius Scheme View)

    with the retry command), the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting attempts is five (set with the retry realtime-accounting command). In this case, the device generates an accounting request every 12 minutes, and retransmits the request if it sends the request but receives no response within 3 seconds.
  • Page 50: Secondary Authentication (Radius Scheme View)

    In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters. Usage guidelines Make sure that the port number and shared key settings of each secondary RADIUS accounting server are the same as those configured on the corresponding server.
  • Page 51 undo secondary authentication [ ipv4-address [ port-number ] ] Default No secondary RADIUS authentication server is specified. Views RADIUS scheme view Predefined user roles network-admin Parameters ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication server. port-number: Sets the service port number of the secondary RADIUS authentication server, a UDP port number in the range of 1 to 65535.
  • Page 52: Security-Policy-Server

    # Specify two secondary authentication servers for RADIUS scheme radius2, with the server IP addresses of 10.110.1.1 and 10.110.1.2, and the UDP port number of 1812.
    <Sysname> system-view
    [Sysname] radius scheme radius2
    [Sysname-radius-radius2] secondary authentication 10.110.1.1 1812
    [Sysname-radius-radius2] secondary authentication 10.110.1.2 1812
    Related commands: display radius scheme ...
  • Page 53 Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS. Syntax: snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *; undo snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *. Default: All types of notifications for RADIUS are enabled.
  • Page 54: State Primary

    state primary Use state primary to set the status of a primary RADIUS server. Syntax state primary { accounting | authentication } { active | block } Default The primary RADIUS server specified for a RADIUS scheme is in active state. Views RADIUS scheme view Predefined user roles...
  • Page 55: Timer Quiet (Radius Scheme View)

    Syntax state secondary { accounting | authentication } [ ipv4-address [ port-number ] ] { active | block } Default Every secondary RADIUS server specified in a RADIUS scheme is in active state. Views RADIUS scheme view Predefined user roles network-admin Parameters accounting: Sets the status of a secondary RADIUS accounting server.
  • Page 56: Timer Realtime-Accounting (Radius Scheme View)

    Use undo timer quiet to restore the default. Syntax timer quiet minutes undo timer quiet Default The server quiet period is 5 minutes. Views RADIUS scheme view Predefined user roles network-admin Parameters minutes: Specifies the server quiet period in minutes, in the range of 1 to 255. Usage guidelines Make sure the server quiet timer is set correctly.
  • Page 57: Timer Response-Timeout (Radius Scheme View)

    Parameters minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Usage guidelines When the real-time accounting interval configured on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval. When the real-time accounting interval on the device is zero, the device sends online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server.
  • Page 58: User-Name-Format (Radius Scheme View)

    Usage guidelines If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request, it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.
  • Page 59: Hwtacacs Commands

    Examples # Configure the device to remove the domain name from the username sent to the RADIUS servers specified in RADIUS scheme radius1.
    <Sysname> system-view
    [Sysname] radius scheme radius1
    [Sysname-radius-radius1] user-name-format without-domain
    Related commands: display radius scheme. HWTACACS commands: data-flow-format (HWTACACS scheme view): Use data-flow-format to set the data flow and packet measurement units for traffic statistics.
  • Page 60: Display Hwtacacs Scheme

    Related commands display hwtacacs scheme display hwtacacs scheme Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes. Syntax display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ] Views Any view Predefined user roles network-admin network-operator Parameters hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 61: Hwtacacs Nas-Ip

    Username Format : with-domain
    ------------------------------------------------------------------
    Table 7 Command output
    Field: Description
    Index: Index number of the HWTACACS scheme.
    Primary Auth Server: Primary HWTACACS authentication server.
    Primary Author Server: Primary HWTACACS authorization server.
    Primary Acct Server: Primary HWTACACS accounting server.
    Secondary Auth Server: Secondary HWTACACS authentication server.
  • Page 62: Hwtacacs Scheme

    Default The source IP address of a packet sent to the server is the IP address of the outbound interface. Views System view Predefined user roles network-admin Parameters ipv4-address: Specifies an IPv4 address, which must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
  • Page 63: Key (Hwtacacs Scheme View)

    Predefined user roles network-admin Parameters hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters. Usage guidelines An HWTACACS scheme can be referenced by more than one ISP domain at the same time. You can configure up to 16 HWTACACS schemes. Examples # Create an HWTACACS scheme named hwt1 and enter its view.
  • Page 64: Nas-Ip (Hwtacacs Scheme View)

    A plaintext shared key is a string of 1 to 255 characters. In FIPS mode: A ciphertext shared key is a string of 15 to 373 characters. A plaintext shared key is a string of 15 to 255 characters that must contain digits, uppercase letters, lowercase letters, and special characters.
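    The shared-key rules on this page (RADIUS plaintext keys on pages 41 and 50, HWTACACS plaintext keys on page 64) are easy to check before a configuration is pushed. The following is an added example, not code from the HP reference: it audits `key simple` strings found in a constructed Comware-style configuration snippet against the length and character-class rules stated above. The non-FIPS RADIUS plaintext range (1 to 64) and the definition of "special characters" as ASCII punctuation are assumptions, since the page does not state them.

```python
from __future__ import annotations

import re
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyRule:
    min_len: int
    max_len: int
    require_classes: bool  # digits, uppercase, lowercase and special all required


# Plaintext shared-key rules as given in the reference, keyed by (scheme, fips).
# The non-FIPS RADIUS range is an assumption; the page only states the FIPS range.
RULES = {
    ("radius", True): KeyRule(15, 64, True),
    ("radius", False): KeyRule(1, 64, False),     # assumed
    ("hwtacacs", True): KeyRule(15, 255, True),
    ("hwtacacs", False): KeyRule(1, 255, False),
}

# Assumed meaning of "special characters": printable ASCII punctuation.
SPECIALS = set(string.punctuation)

CHARACTER_CLASSES = (
    ("digit", str.isdigit),
    ("uppercase", str.isupper),
    ("lowercase", str.islower),
    ("special", lambda c: c in SPECIALS),
)


def check_shared_key(key: str, scheme: str, fips: bool) -> list[str]:
    """Return the list of rule violations for a plaintext key; empty means acceptable."""
    rule = RULES[(scheme, fips)]
    problems = []
    if not rule.min_len <= len(key) <= rule.max_len:
        problems.append(f"length {len(key)} outside {rule.min_len}-{rule.max_len}")
    if rule.require_classes:
        missing = [name for name, pred in CHARACTER_CLASSES
                   if not any(pred(c) for c in key)]
        if missing:
            problems.append("missing " + ", ".join(missing))
    return problems


# "radius scheme X" / "hwtacacs scheme X" opens a scheme view; "#" closes it.
SCHEME_RE = re.compile(r"^(radius|hwtacacs) scheme (\S+)")
# Matches "key simple <str>" both on server lines (primary/secondary ... key simple X)
# and on scheme-level lines (key authentication|authorization|accounting simple X).
KEY_RE = re.compile(r"\bkey (?:(?:authentication|accounting|authorization) )?simple (\S+)")


def audit_config(config: str, fips: bool) -> list[tuple[str, str, list[str]]]:
    """Return (scheme type, scheme name, problems) for every plaintext key that breaks a rule."""
    findings = []
    scheme = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            scheme = None
            continue
        m = SCHEME_RE.match(line)
        if m:
            scheme = (m.group(1), m.group(2))
            continue
        km = KEY_RE.search(line)
        if km and scheme:
            problems = check_shared_key(km.group(1), scheme[0], fips)
            if problems:
                findings.append((scheme[0], scheme[1], problems))
    return findings


# Constructed sample configuration; the HWTACACS key is the page's own example value.
SAMPLE_CONFIG = """\
#
radius scheme radius1
 primary authentication 10.110.1.1 1812 key simple Short1!
 key accounting simple Acct0unting-Key-2014
#
hwtacacs scheme hwt1
 secondary authorization 10.163.155.13 49 key simple 123456TESTautr&!
 key authentication simple alllowercaseonlykey
#
"""

if __name__ == "__main__":
    for kind, name, problems in audit_config(SAMPLE_CONFIG, fips=True):
        print(f"{kind} scheme {name}: {'; '.join(problems)}")
```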
  • Page 65: Primary Accounting (Hwtacacs Scheme View)

    Parameters ipv4-address: Specifies an IPv4 address, which must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. Usage guidelines The source IP address of the HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server.
  • Page 66: Primary Authentication (Hwtacacs Scheme View)

    TCP connection each time it exchanges accounting packets with the primary accounting server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
  • Page 67 TCP connection each time it exchanges authentication packets with the primary authentication server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
  • Page 68: Primary Authorization

    TCP connection each time it exchanges authorization packets with the primary authorization server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
  • Page 69: Reset Hwtacacs Statistics

    Usage guidelines Make sure that the port number and shared key settings of the primary HWTACACS authorization server are the same as those configured on the server. Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.
  • Page 70: Secondary Accounting (Hwtacacs Scheme View)

    TCP connection each time it exchanges accounting packets with the secondary accounting server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
  • Page 71: Secondary Authentication (Hwtacacs Scheme View)

    Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings. You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
  • Page 72: Secondary Authorization

    TCP connection each time it exchanges authentication packets with the secondary authentication server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
  • Page 73 TCP connection each time it exchanges authorization packets with the secondary authorization server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
  • Page 74: Timer Quiet (Hwtacacs Scheme View)

    Examples # Specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&! for HWTACACS scheme hwt1. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 key simple 123456TESTautr&! Related commands •...
  • Page 75: Timer Response-Timeout (Hwtacacs Scheme View)

    Syntax timer realtime-accounting minutes undo timer realtime-accounting Default The real-time accounting interval is 12 minutes. Views HWTACACS scheme view Predefined user roles network-admin Parameters minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server.
  • Page 76: User-Name-Format (Hwtacacs Scheme View)

    Default The HWTACACS server response timeout time is 5 seconds. Views HWTACACS scheme view Predefined user roles network-admin Parameters seconds: Specifies the HWTACACS server response timeout time, in the range of 1 to 300 seconds. Usage guidelines HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.
  • Page 77 recognize a username containing an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server. If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the HWTACACS scheme to more than one ISP domain.
  • Page 78: Password Control Commands

    Password control commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display password-control Use display password-control to display password control configuration.
  • Page 79: Display Password-Control Blacklist

    Password composition: Enabled (1 types, 1 characters per type) Table 9 Command output Field Description Password control: Whether the password control feature is enabled. Password aging: Whether password expiration is enabled and, if enabled, the expiration time. Password length: Whether the minimum password length restriction function is enabled and, if enabled, the setting.
  • Page 80: Password-Control { Aging | Composition | History | Length } Enable

    ip ipv4-address: Specifies the IPv4 address of a user. Usage guidelines With no arguments provided, this command displays information about all users in the password control blacklist. If an FTP or virtual terminal line (VTY) user fails authentication, the system adds the user to a password control blacklist.
  • Page 81: Password-Control Aging

    Views System view Predefined user roles network-admin Parameters aging: Enables the password expiration function. composition: Enables the password composition restriction function. history: Enables the password history function. length: Enables the minimum password length restriction function. Usage guidelines To enable a specific password control function, first enable the global password control feature. The system stops recording history passwords after you execute the undo password-control history enable command, but it does not delete the prior records.
  • Page 82 Syntax password-control aging aging-time undo password-control aging Default A password expires after 90 days. The password expiration time for a user group equals the global setting, and the password expiration time for a local user equals that of the user group to which the local user belongs.
  • Page 83: Password-Control Alert-Before-Expire

    password-control alert-before-expire Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration. Use undo password-control alert-before-expire to restore the default. Syntax password-control alert-before-expire alert-time undo password-control alert-before-expire Default The default is 7 days.
  • Page 84: Password-Control Composition

    Views System view, user group view, local user view Predefined user roles network-admin Parameters same-character: Refuses a password that contains any character appearing consecutively three or more times. For example, the password aaabc is not complex enough. user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough.
  • Page 85 Default In non-FIPS mode, the password using the global composition policy must contain at least one character type and at least one character for each type. In FIPS mode, the password using the global composition policy must contain at least four character types and at least one character for each type.
  • Page 86: Password-Control Enable

    type-length type-length: Specifies the minimum number of characters for each type in the password. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode. Usage guidelines The password composition policy depends on the view: The policy in system view has global significance and applies to all user groups.
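    The composition rules described in the entries above (a minimum number of character types, a minimum number of characters per type, the same-character rule and the user-name rule) together with the minimum-length check, modelled as an added example in Python. This is not device code from the manual; the function names, the case-sensitive username comparison and the sample policy values passed in are this example's own assumptions.

```python
"""Added example (not from the manual): checks a candidate password against a
composition policy of the kind described above.

Assumptions made here: the four character types are digits, uppercase letters,
lowercase letters and special (punctuation) characters; the username comparison
is case-sensitive; the function names are this example's own."""
import re
import string

# The four character types the composition policy counts.
CHARACTER_TYPES = {
    "digit": set(string.digits),
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "special": set(string.punctuation),
}


def count_types(password, type_length):
    """Number of character types present with at least type_length characters each."""
    return sum(
        1
        for chars in CHARACTER_TYPES.values()
        if sum(1 for c in password if c in chars) >= type_length
    )


def has_same_character_run(password):
    """True if any character appears three or more times consecutively (e.g. 'aaabc')."""
    return re.search(r"(.)\1\1", password) is not None


def contains_username(password, username):
    """True if the password contains the username or the reversed username
    (e.g. username '123' rejects 'abc123' and '321df')."""
    return bool(username) and (username in password or username[::-1] in password)


def check_password(password, username="", *, min_length=10, type_number=1,
                   type_length=1, same_character=False, user_name=False):
    """Return the list of policy violations; an empty list means the password is accepted.

    min_length, type_number and type_length mirror the password-control length,
    composition type-number and composition type-length settings; same_character
    and user_name enable the two complexity checks."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than the minimum length of {min_length}")
    if count_types(password, type_length) < type_number:
        problems.append(
            f"fewer than {type_number} character types with at least "
            f"{type_length} characters each"
        )
    if same_character and has_same_character_run(password):
        problems.append("a character appears three or more times consecutively")
    if user_name and contains_username(password, username):
        problems.append("contains the username or the reverse of the username")
    return problems


if __name__ == "__main__":
    # Constructed sample checks using the manual's own illustrations.
    print(check_password("aaabc", min_length=1, same_character=True))
    print(check_password("abc123", "123", min_length=1, user_name=True))
    print(check_password("321df", "123", min_length=1, user_name=True))
    # A FIPS-style policy: four types, at least one character each.
    print(check_password("Str0ng!Passw0rd", "admin", type_number=4,
                         type_length=1, same_character=True, user_name=True))
```

The four-type check (type_number=4) corresponds to the FIPS-mode default quoted above; the non-FIPS default of one type with one character per type is the function's default.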
  • Page 87: Password-Control Expired-User-Login

    Default In non-FIPS mode, the password control feature is disabled globally. In FIPS mode, the password control feature is enabled globally and cannot be disabled. Views System view Predefined user roles network-admin Usage guidelines A specific password control function takes effect only after the global password control feature is enabled.
  • Page 88: Password-Control History

    times times: Sets the maximum number of times a user can log in after the password expires. The value range is 0 to 10, and 0 means that a user cannot log in after the password expires. Usage guidelines This command is effective only on non-FTP login users. An FTP user cannot continue to log in after its password expires.
  • Page 89: Password-Control Length

    Related commands • display password-control • password-control history enable • reset password-control blacklist password-control length Use password-control length to set the minimum password length. Use undo password-control length to restore the default. Syntax password-control length length undo password-control length Default In non-FIPS mode, the global minimum password length is 10 characters.
  • Page 90: Password-Control Login Idle-Time

    <Sysname> system-view [Sysname] password-control length 16 # Set the minimum password length to 16 characters for user group test. [Sysname] user-group test [Sysname-ugroup-test] password-control length 16 [Sysname-ugroup-test] quit # Set the minimum password length to 16 characters for device management user abc. [Sysname] local-user abc class manage [Sysname-luser-manage-abc] password-control length 16 Related commands...
  • Page 91: Password-Control Login-Attempt

    Related commands display password-control password-control login-attempt Use password-control login-attempt to specify the maximum number of consecutive failed login attempts and the action to be taken when a user fails to log in after the specified number of attempts. Use undo password-control login-attempt to restore the default. Syntax password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ] undo password-control login-attempt...
  • Page 92 • If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs. • If no policy is configured for the user group, the system uses the global policy. ...
  • Page 93: Password-Control Super Aging

    • display password-control • display password-control blacklist • display user-group • reset password-control blacklist password-control super aging Use password-control super aging to set the expiration time for super passwords. Use undo password-control super aging to restore the default. Syntax password-control super aging aging-time undo password-control super aging Default A super password expires after 90 days.
  • Page 94: Password-Control Super Length

    In FIPS mode, a super password must contain at least four character types and at least one character for each type. Views System view Predefined user roles network-admin Parameters type-number type-number: Specifies the minimum number of character types that a super password must contain.
  • Page 95: Password-Control Update-Interval

    Parameters length: Specifies the minimum length of super passwords in characters. The value range for this argument is 4 to 63 in non-FIPS mode, and 15 to 63 in FIPS mode. Examples # Set the minimum length of super passwords to 16 characters. <Sysname>...
  • Page 96: Reset Password-Control Blacklist

    reset password-control blacklist Use reset password-control blacklist to remove a specified user or all users from the password control blacklist. Syntax reset password-control blacklist [ user-name name ] Views User view Predefined user roles network-admin Parameters user-name name: Specifies the user to be removed from the password control blacklist. The name argument is the username, a case-sensitive string of 1 to 55 characters.
  • Page 97 Usage guidelines With no arguments or keywords specified, this command deletes the history password records of all local users. Without the role role name option, this command deletes the history records of all super passwords. Examples # Clear the history password records of all local users (enter Y to confirm). <Sysname>...
  • Page 98: Public Key Management Commands

    Public key management commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Use display public-key local public to display local public keys.
  • Page 99 Key name: serverkey (default) Key type: RSA Time when key pair created: 15:40:48 2013/05/12 Key code: 307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442 762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64 DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E 9D85C13413996ECD093B0203010001 ============================================= Key name: rsa1 Key type: RSA Time when key pair created: 15:42:26 2013/05/12 Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D 426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA 1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7 9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03 92D8C6D940890BF4290203010001 # Display all local DSA public keys.
  • Page … # Display all local ECDSA public keys. <Sysname> display public-key local ecdsa public ============================================= Key name: ecdsakey (default) Key type: ECDSA Time when key pair created: 15:42:04 2013/05/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF 68F5DC877835A43009DB6135558A7FB8316C361B0690B4FD84A14C0779C76DD6145BF9362B ============================================= Key name: ecdsa1 Key type: ECDSA Time when key pair created: 15:43:33 2013/05/12...
  • Page … # Display the public key of the local ECDSA key pair ecdsa1. <Sysname> display public-key local ecdsa public name ecdsa1 ============================================= Key name: ecdsa1 Key type: ECDSA Time when key pair created: 15:43:33 2013/05/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1 AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58...
  • Page 102: Display Public-Key Peer

    display public-key peer Use display public-key peer to display information about peer public keys. Syntax display public-key peer [ brief | name publickey-name ] Views Any view Predefined user roles network-admin network-operator Parameters brief: Displays brief information about all peer public keys. The brief information includes only the key type, key modulus, and key name.
  • Page 103: Peer-Public-Key End

    Field Description Key code: Public key string. # Display brief information about all peer public keys. <Sysname> display public-key peer brief Type Modulus Name --------------------------- 1024 idrsa 1024 10.1.1.1 Table 14 Command output Field Description Type: Key type: RSA, DSA or ECDSA. Modulus: Key modulus length in bits.
  • Page 104: Public-Key Local Create

    [Sysname-pkey-public-key-key1]30819F300D06092A864886F70D010101050003818D0030818902818 100C0EC8014F82515F6335A0A [Sysname-pkey-public-key-key1]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E 719D1643135877E13B1C531B4 [Sysname-pkey-public-key-key1]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B 952ADF6B80EB5F52698FCF3D6 [Sysname-pkey-public-key-key1]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050 BD4A9B1DDE675AC30CB020301 [Sysname-pkey-public-key-key1]0001 [Sysname-pkey-public-key-key1] peer-public-key end [Sysname] Related commands • display public-key local public • display public-key peer • public-key peer public-key local create Use public-key local create to create local asymmetric key pairs. Syntax public-key local create { dsa | ecdsa | rsa } [ name key-name ] Default...
  • Page 105 The key pairs are automatically saved and can survive system reboots. Table 16 A comparison of different types of asymmetric key pairs Type Number of key pairs Modulus length HP recommendation • In non-FIPS mode: If you specify a key pair name, the •...
  • Page 106 .++++++ ..++++++++ ..++++++++ Create the key pair successfully. # Create a local DSA key pair with the default name. <Sysname> system-view [Sysname] public-key local create dsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 107: Public-Key Local Destroy

    ...+....+..+...+..+..+..+....+..+......+..+..+....+..+...+......+..+..+...+..+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++* Create the key pair successfully. # Create a local ECDSA key pair with the name ecdsa1. <Sysname> system-view [Sysname] public-key local create ecdsa name ecdsa1 Generating Keys... Create the key pair successfully. # In FIPS mode, create a local RSA key pair with the default name. <Sysname>...
  • Page 108 Views System view Predefined user roles network-admin Parameters dsa: Specifies the DSA type. ecdsa: Specifies the ECDSA type. rsa: Specifies the RSA type. name key-name: Specifies the name of a local key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is specified, the command destroys the specified type of local key pairs that take the default names.
  • Page 109: Public-Key Local Export Dsa

    public-key local export dsa Use public-key local export dsa to display local DSA host public keys in a specific format, or export the key in a specific format to a file. Syntax public-key local export dsa [ name key-name ] { openssh | ssh2 } [ filename ] Views System view Predefined user roles...
  • Page 110 # Display the host public key of the local DSA key pair with the default name in SSH2.0 format. <Sysname> system-view [Sysname] public-key local export dsa ssh2 ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "dsa-key-2013/05/12" AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3 B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACAQZEs400SvNIVfnqxw vA7PvOVEA89tKni/f6GDBvWY9Z2Q499pAqUBtYcqQea8T4zBInxx2eF3lLaZJrIvAS205zXxSzQoU9190kakd MdasIjQLWYGyepFc3sTwmIflQeweUwLVAPaOesKaCERjxg+e4maYWlAvySGT4c9NJlxLo= ---- END SSH2 PUBLIC KEY ----...
  • Page 111: Public-Key Local Export Rsa

    Related commands • public-key local create • public-key peer import sshkey public-key local export rsa Use public-key local export rsa to display the local RSA host public key in a specific format, or export the key to a specific file. Syntax In non-FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } [ filename ]...
  • Page 112 On the peer device, use the public-key peer import sshkey command to import the host public key from the file. SSH1.5, SSH2.0 and OpenSSH are different public key formats. Choose the proper format that is supported on the device where you import the host public key. In FIPS mode, the device only supports SSH2.0 and OpenSSH.
  • Page 113: Public-Key Peer

    Execute the peer-public-key end command to save the public key and return to system view. The public key you type in the public key view must be in a correct format. If your device is an HP device, use the display public-key local public command to display and record its public key.
  • Page 114 Use undo public-key peer to remove the specified peer host public key. Syntax public-key peer keyname import sshkey filename undo public-key peer keyname Default The device has no peer public key. Views System view Predefined user roles network-admin Parameters keyname: Specifies a name for a peer public key, a case-sensitive string of 1 to 64 characters. filename: Specifies the name of the file for saving the local host public key.
  • Page 115: Ipsec Commands

    IPsec commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces.
  • Page 116: Description

    received algorithm against all its local algorithms until a match is found. To ensure a successful IKE negotiation, the IPsec transform sets specified at both ends of the tunnel must have at least one same AH authentication algorithm. Examples # Create an IPsec transform set, and specify the AH authentication algorithm for the transform set as HMAC-SHA1.
  • Page 117 Predefined user roles network-admin network-operator Parameters policy: Displays information about IPv4 IPsec policies. policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters. seq-number: Specifies an IPsec policy entry by its sequence number in the range of 1 to 65535. Usage guidelines If you do not specify any parameters, this command displays information about all IPsec policies.
  • Page 118 ESP SPI: 12345 (0x00003039) ESP string-key: ****** ESP encryption hex key: ESP authentication hex key: Table 17 Command output Field Description IPsec Policy: IPsec policy name. Interface: Interface applied with the IPsec policy. Sequence number: Sequence number of the IPsec policy entry. Negotiation mode of the IPsec policy: •...
  • Page 119: Display Ipsec Sa

    Related commands ipsec policy display ipsec sa Use display ipsec sa to display information about IPsec SAs. Syntax display ipsec sa [ brief | count | interface interface-type interface-number | policy policy-name [ seq-number ] | remote ip-address ] Views Any view Predefined user roles network-admin...
  • Page 120 Field Description Status: Stateful failover status of the IPsec SA: active or backup. In standalone mode, this field displays –. # Display the number of IPsec SAs. <Sysname> display ipsec sa count Total IPsec SAs count: 4 # Display information about all IPsec SAs. <Sysname>...
  • Page 121 Field Description Encapsulation mode: Encapsulation mode, transport or tunnel. Perfect Forward Secrecy: Perfect forward secrecy (PFS) used by the IPsec policy for negotiation: • 768-bit Diffie-Hellman group (dh-group1) • 1024-bit Diffie-Hellman group (dh-group2) • 1536-bit Diffie-Hellman group (dh-group5) • 2048-bit Diffie-Hellman group (dh-group14) •...
  • Page 122: Display Ipsec Statistics

    display ipsec statistics Use display ipsec statistics to display IPsec packet statistics. Syntax display ipsec statistics [ tunnel-id tunnel-id ] Views Any view Predefined user roles network-admin network-operator Parameters tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID in the range of 0 to 4294967295. You can use the display ipsec tunnel brief command to view the IDs of established IPsec tunnels.
  • Page 123: Display Ipsec Transform-Set

    Wrong SA: 0 Invalid length: 0 Authentication failure: 0 Encapsulation failure: 0 Decapsulation failure: 0 Replayed packets: 0 ACL check failure: 0 MTU check failure: 0 Loopback limit exceeded: 0 Table 20 Command output Field Description Received/sent packets: Number of received/sent IPsec-protected packets. Received/sent bytes: Number of bytes of received/sent IPsec-protected packets.
  • Page 124: Display Ipsec Tunnel

    Parameters transform-set-name: Specifies an IPsec transform set by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines If you do not specify an IPsec transform set, this command displays information about all IPsec transform sets. Examples # Display information about all IPsec transform sets. <Sysname>...
  • Page 125 Syntax display ipsec tunnel { brief | count | tunnel-id tunnel-id } Views Any view Predefined user roles network-admin network-operator Parameters brief: Displays brief information about IPsec tunnels. count: Displays the number of IPsec tunnels. tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID in the range of 0 to 4294967295. Usage guidelines IPsec transmits data in a secure channel established between two endpoints (such as two security gateways).
  • Page 126 Perfect forward secrecy: SA's SPI: outbound: 2000 (0x000007d0) [AH] inbound: 1000 (0x000003e8) [AH] outbound: 4000 (0x00000fa0) [ESP] inbound: 3000 (0x00000bb8) [ESP] Tunnel: local address: remote address: Flow: Tunnel ID: 1 Status: active Perfect forward secrecy: SA's SPI: outbound: 6000 (0x00001770) [AH] inbound: 5000...
  • Page 127: Encapsulation-Mode

    Field Description Perfect Forward Secrecy: Perfect forward secrecy (PFS) used by the IPsec policy for negotiation: • 768-bit Diffie-Hellman group (dh-group1) • 1024-bit Diffie-Hellman group (dh-group2) • 1536-bit Diffie-Hellman group (dh-group5) • 2048-bit Diffie-Hellman group (dh-group14) • 2048-bit and 256-bit subgroup Diffie-Hellman group (dh-group24) SA's SPI: SPIs of the inbound and outbound SAs.
  • Page 128: Esp Authentication-Algorithm

    IP header. You can use the transport mode when end-to-end security protection is required (the secured transmission start and end points are the actual start and end points of the data). The transport mode is typically used for protecting host-to-host communications. •...
  • Page 129: Esp Encryption-Algorithm

    Usage guidelines In non-FIPS mode, you can specify multiple ESP authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority. For a manual IPsec policy, the first specified ESP authentication algorithm takes effect. To make sure •...
  • Page 130: Ike-Profile

    aes-cbc-192: Uses AES algorithm in CBC mode, which uses a 192-bit key. aes-cbc-256: Uses AES algorithm in CBC mode, which uses a 256-bit key. des-cbc: Uses the DES algorithm in CBC mode, which uses a 64-bit key. null: Uses the NULL algorithm, which means encryption is not performed. Usage guidelines You can specify multiple ESP encryption algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.
  • Page 131: Ipsec Anti-Replay Check

    Usage guidelines The IKE profile referenced by an IPsec policy defines the parameters used for IKE negotiation. An IPsec policy can reference only one IKE profile, and it cannot reference an IKE profile that is already referenced by another IPsec policy. Examples # Specify IPsec policy policy1 to reference IKE profile profile1.
  • Page 132: Ipsec Anti-Replay Window

    Related commands ipsec anti-replay window ipsec anti-replay window Use ipsec anti-replay window to set the anti-replay window size. Use undo ipsec anti-replay window to restore the default. Syntax ipsec anti-replay window width undo ipsec anti-replay window Default The anti-replay window size is 64. Views System view Predefined user roles...
  • Page 133: Ipsec Decrypt-Check Enable

    IPsec policy that is already applied to the interface. An IKE-based IPsec policy can be applied to multiple interfaces. However, HP recommends that you apply an IKE-based IPsec policy to only one interface. A manual IPsec policy can be applied to only one interface.
  • Page 134: Ipsec Logging Packet Enable

    network security. In this scenario, you can enable ACL checking for de-encapsulated IPsec packets. All packets failing the checking are discarded, improving the network security. Examples # Enable ACL checking for de-encapsulated IPsec packets. <Sysname> system-view [Sysname] ipsec decrypt-check enable ipsec logging packet enable Use ipsec logging packet enable to enable logging for IPsec packets.
  • Page 135: Ipsec Global-Df-Bit

    Views Interface view Predefined user roles network-admin Parameters clear: Clears the DF bit for outer IP headers. In this case, the encapsulated IPsec packets can be fragmented. copy: Copies the DF bit of the original IP headers to the outer IP headers. set: Sets the DF bit for outer IP headers.
  • Page 136: Ipsec Policy

    Parameters clear: Clears the DF bit for outer IP headers. In this case, the encapsulated IPsec packets can be fragmented. copy: Copies the DF bit of the original IP headers to the outer IP headers. set: Sets the DF bit for outer IP headers. In this case, the encapsulated IPsec packets cannot be fragmented.
  • Page 137: Ipsec Policy Local-Address

    • You cannot change the SA setup mode of an existing IPsec policy. • An IPsec policy is a set of IPsec policy entries that have the same name but different sequence numbers. In the same IPsec policy, an IPsec policy entry with a smaller sequence number has a higher priority.
  • Page 138: Ipsec Sa Global-Duration

    A source interface can be bound to multiple IPsec policies. HP recommends that you use a stable interface, such as a Loopback interface, as a source interface. Examples # Bind the IPsec policy map to source interface Loopback 1 1.
  • Page 139: Ipsec Sa Idle-Time

    traffic-based kilobytes: Specifies the traffic-based global lifetime for IPsec SAs, in the range of 2560 to 4294967295 kilobytes. When traffic on an SA reaches this value, the SA expires. Usage guidelines You can also configure IPsec SA lifetimes in IPsec policy view. The device prefers the IPsec SA lifetimes configured in IPsec policy view over the global IPsec SA lifetimes.
  • Page 140: Ipsec Transform-Set

    Examples # Set the IPsec SA idle timeout to 600 seconds. <Sysname> system-view [Sysname] ipsec sa idle-time 600 Related commands • display ipsec sa • sa idle-time ipsec transform-set Use ipsec transform-set to create an IPsec transform set and enter IPsec transform set view. Use undo ipsec transform-set to delete an IPsec transform set.
  • Page 141: Pfs

    Syntax local-address ipv4-address undo local-address Default The primary IPv4 address of the interface to which the IPsec policy is applied is used as the local IPv4 address. Views IPsec policy view Predefined user roles network-admin Parameters ipv4-address: Specifies the local IPv4 address for the IPsec tunnel. Usage guidelines The remote IP address on the IKE negotiation initiator must be the same as the local address on the IKE negotiation responder.
  • Page 142: Protocol

    Predefined user roles network-admin Parameters dh-group1: Uses 768-bit Diffie-Hellman group. dh-group2: Uses 1024-bit Diffie-Hellman group. dh-group5: Uses 1536-bit Diffie-Hellman group. dh-group14: Uses 2048-bit Diffie-Hellman group. dh-group24: Uses 2048-bit and 256-bit subgroup Diffie-Hellman group. Usage guidelines In terms of security and necessary calculation time, the following groups are in descending order: 2048-bit and 256-bit subgroup Diffie-Hellman group (dh-group24), 2048-bit Diffie-Hellman group (dh-group14), 1536-bit Diffie-Hellman group (dh-group5), 1024-bit Diffie-Hellman group (dh-group2), and 768-bit Diffie-Hellman group (dh-group1).
  • Page 143: Qos Pre-Classify

    ah: Specifies the AH protocol. Usage guidelines The two tunnel ends must use the same security protocol in the IPsec transform set. Examples # Specify the AH protocol for the IPsec transform set. <Sysname> system-view [Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] protocol ah qos pre-classify Use qos pre-classify to enable the QoS pre-classify feature.
  • Page 144 Default No remote IP address is specified for the IPsec tunnel. Views IPsec policy view Predefined user roles network-admin Parameters hostname: Specifies the remote host name, a case-insensitive string of 1 to 253 characters. The host name can be resolved to an IP address by the DNS server. ipv4-address: Specifies a remote IPv4 address.
  • Page 145: Reset Ipsec Sa

    Related commands • ip host (see Layer 3—IP Services Commands Reference) • local-address reset ipsec sa Use reset ipsec sa to clear IPsec SAs. Syntax reset ipsec sa [ policy policy-name [ seq-number ] | remote ipv4-address | spi ipv4-address { ah | esp } spi-num ] Views User view...
  • Page 146: Reset Ipsec Statistics

    Examples # Clear all IPsec SAs. <Sysname> reset ipsec sa # Clear the inbound and outbound IPsec SAs for the triplet of SPI 123, remote IP address 10.1.1.2, and security protocol AH. <Sysname> reset ipsec sa spi 10.1.1.2 ah 123 # Clear all IPsec SAs for the remote IP address 10.1.1.2.
  • Page 147: Sa Hex-Key Authentication

    Default The SA lifetime of an IPsec policy is the current global SA lifetime. Views IPsec policy view Predefined user roles network-admin Parameters time-based seconds: Specifies the time-based SA lifetime in the range of 180 to 604800 seconds. traffic-based kilobytes: Specifies the traffic-based SA lifetime in the range of 2560 to 4294967295 kilobytes.
  • Page 148: Sa Hex-Key Encryption

    Views IPsec policy view Predefined user roles network-admin Parameters inbound: Specifies a hexadecimal authentication key for inbound SAs. outbound: Specifies a hexadecimal authentication key for outbound SAs. ah: Uses AH. esp: Uses ESP. cipher key-value: Sets a ciphertext authentication key, a case-sensitive string of 1 to 85 characters. simple key-value: Sets a plaintext authentication key.
  • Page 149 undo sa hex-key encryption { inbound | outbound } esp Default No encryption key is configured for manual IPsec SAs. Views IPsec policy view Predefined user roles network-admin Parameters inbound: Specifies a hexadecimal encryption key for inbound SAs. outbound: Specifies a hexadecimal encryption key for outbound SAs. esp: Uses ESP.
  • Page 150: Sa Idle-Time

    sa idle-time Use sa idle-time to set the IPsec SA idle timeout for an IPsec policy. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted. Use undo sa idle-time to restore the default. Syntax sa idle-time seconds undo sa idle-time...
  • Page 151: Sa String-Key

    Views IPsec policy view Predefined user roles network-admin Parameters inbound: Specifies an SPI for inbound SAs. outbound: Specifies an SPI for outbound SAs. ah: Uses AH. esp: Uses ESP. spi-number: Specifies a Security parameters index (SPI) in the range of 256 to 4294967295. Usage guidelines This command applies to only manual IPsec policies.
  • Page 152: Security Acl

    Predefined user roles network-admin Parameters inbound: Sets a key string for inbound IPsec SAs. outbound: Sets a key string for outbound IPsec SAs. ah: Uses AH. esp: Uses ESP. cipher: Sets a ciphertext key. simple: Sets a plaintext key. key-value: Specifies a case-sensitive key string. If cipher is specified, it must be a string of 1 to 373 characters.
  • Page 153 Default An IPsec policy references no ACL. Views IPsec policy view Predefined user roles network-admin Parameters acl-number: Specifies an ACL by its number in the range of 3000 to 3999. name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. aggregation: Specifies the data protection mode as aggregation.
  • Page 154: Snmp-Agent Trap Enable Ipsec

Related commands display ipsec sa • display ipsec tunnel • snmp-agent trap enable ipsec Use the snmp-agent trap enable ipsec command to enable SNMP notifications for IPsec. Use the undo snmp-agent trap enable ipsec command to disable SNMP notifications for IPsec. Syntax snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach | tunnel-start | tunnel-stop ] *...
  • Page 155: Transform-Set

    Examples To enable SNMP notifications when an IPsec tunnel is created, execute the following commands: # Enable SNMP notifications for IPsec globally. <Sysname> system-view [Sysname] snmp-agent trap enable ipsec global # Enable SNMP notifications for events of creating IPsec tunnels. [Sysname] snmp-agent trap enable ipsec tunnel-start transform-set Use transform-set to reference an IPsec transform set for an IPsec policy.
  • Page 156 Related commands ipsec policy • ipsec transform-set •...
  • Page 157: Ike Commands

    IKE commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces.
  • Page 158: Authentication-Method

    authentication-method Use authentication-method to specify an authentication method to be used in an IKE proposal. Use undo authentication-method to restore the default. Syntax authentication-method pre-share undo authentication-method Default The IKE proposal uses the pre-shared key as the authentication method. Views IKE proposal view Predefined user roles network-admin...
  • Page 159: Display Ike Proposal

    In FIPS mode: dh group14 undo dh Default In non-FIPS mode, group1, the 768-bit Diffie-Hellman group, is used. In FIPS mode, group14, the 2048-bit Diffie-Hellman group, is used. Views IKE proposal view Predefined user roles network-admin Parameters group1: Uses the 768-bit Diffie-Hellman group. group14: Uses the 2048-bit Diffie-Hellman group.
  • Page 160: Display Ike Sa

    Usage guidelines This command displays the configuration information about all IKE proposals in descending order of proposal priorities. If no IKE proposal is configured, the command displays the default IKE proposal. Examples # Display the configuration information about all IKE proposals. <Sysname>...
  • Page 161 Parameters verbose: Displays detailed information. connection-id connection-id: Displays detailed information about IKE SAs by connection ID in the range of 1 to 2000000000. remote-address remote-address: Displays detailed information about IKE SAs with the specified remote address. Usage guidelines If you do not specify any parameter, the command displays a summary about all IKE SAs. Examples # Display information about the current IKE SAs.
• Page 162
Authentication-algorithm: SHA1
Encryption-algorithm: AES-CBC-128
Life duration(sec): 86400
Remaining key duration(sec): 86379
Exchange-mode: Main
Diffie-Hellman group: Group 1
NAT traversal: Not detected
# Display detailed information about the IKE SA with the remote address of 4.4.4.5.
<Sysname> display ike sa verbose remote-address 4.4.4.5
---------------------------------------------
Connection ID: 2
Profile: prof1...
  • Page 163: Dpd

Field                         Description
Authentication-method         Authentication method used by the IKE proposal.
Authentication-algorithm      Authentication algorithm used by the IKE proposal:
                              • MD5—HMAC-MD5 algorithm.
                              • SHA1—HMAC-SHA1 algorithm.
Encryption-algorithm          Encryption algorithm used by the IKE proposal.
Life duration(sec)            Lifetime of the IKE SA in seconds.
Remaining key duration(sec)   Remaining lifetime of the IKE SA in seconds.
  • Page 164: Encryption-Algorithm

    When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply. It is a good practice to set the triggering interval longer than the retry interval so that a DPD detection does not occur during a DPD retry.
  • Page 165: Exchange-Mode

When the user (for example, a dial-up user) at the local end of an IPsec tunnel obtains an IP address automatically and pre-shared key authentication is used, HP recommends that you set the IKE negotiation mode to aggressive at the local end. Note that aggressive mode sends the identity and the hash derived from the pre-shared key before the exchange is encrypted, so anyone who captures the negotiation can run an offline dictionary attack against the key; if you must use aggressive mode with a pre-shared key, use a long, random key.
  • Page 166: Ike Dpd

    Examples # Specify that IKE negotiation operates in main mode. <Sysname> system-view [Sysname] ike profile 1 [Sysname-ike-profile-1] exchange-mode main Related commands display ike proposal ike dpd Use ike dpd to enable sending DPD messages. Use undo ike dpd to disable the DPD feature. Syntax ike dpd interval interval-seconds [ retry seconds ] { on-demand | periodic } undo ike dpd interval...
  • Page 167: Ike Identity

Examples # Configure on-demand DPD with a triggering interval of 10 seconds and a retry interval of 5 seconds when the peer does not respond. <Sysname> system-view [Sysname] ike dpd interval 10 retry 5 on-demand Related commands ike identity Use ike identity to specify the global identity used by the local end during IKE negotiations. Use undo ike identity to remove the configuration and restore the default.
  • Page 168: Ike Invalid-Spi-Recovery Enable

    ike invalid-spi-recovery enable Use ike invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery. Use undo ike invalid-spi-recovery enable to restore the default. Syntax ike invalid-spi-recovery enable undo ike invalid-spi-recovery enable Default SPI recovery is disabled. Views System view Predefined user roles network-admin Usage guidelines...
  • Page 169: Ike Keepalive Timeout

    Views System view Predefined user roles network-admin Parameters seconds: Specifies the number of seconds between IKE keepalives, in the range of 20 to 28800. Usage guidelines To detect the status of the peer, configure IKE DPD instead of the IKE keepalive function, unless IKE DPD is not supported on the peer.
  • Page 170: Ike Keychain

    The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the peer. Since it seldom occurs that more than three consecutive packets are lost on a network, you can set the keepalive timeout timer to three times as long as the keepalive interval. Examples # Set the keepalive timeout time to 20 seconds.
  • Page 171: Ike Nat-Keepalive

    Use undo ike limit to restore the default. Syntax ike limit { max-negotiating-sa negotiation-limit | max-sa sa-limit } undo ike limit { max-negotiating-sa | max-sa } Default There is no limit to the maximum number of IKE SAs. Views System view Predefined user roles network-admin Parameters...
  • Page 172: Ike Profile

Predefined user roles network-admin Parameters seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 300. Usage guidelines This command takes effect only on a device that sits behind a NAT device. When the IKE gateway resides behind a NAT device, it must send NAT keepalive packets to its peer IKE gateway to keep the NAT session alive; set the interval shorter than the NAT device's session timeout.
  • Page 173: Keychain

undo ike proposal proposal-number Default The system has an IKE proposal that is used as the default IKE proposal. This proposal has the lowest priority and uses the following settings: Encryption algorithm—DES-CBC in non-FIPS mode and AES-CBC-128 in FIPS mode. •...
  • Page 174: Local-Identity

    Syntax keychain keychain-name undo keychain keychain-name Default No IKE keychain is specified for an IKE profile. Views IKE profile view Predefined user roles network-admin Parameters keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters. Usage guidelines An IKE profile can reference up to six IKE keychains.
  • Page 175: Match Local Address (Ike Keychain View)

    Parameters address ipv4-address: Uses an IPv4 address as the local ID. dn: Uses the DN in the local certificate as the local ID. fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.
  • Page 176: Match Local Address (Ike Profile View)

    Usage guidelines Use this command to specify which address or interface can use the IKE keychain for IKE negotiation. Specify the local address configured in IPsec policy view (using the local-address command) for this command. If no local address is configured, specify the IP address of the interface that references the IPsec policy.
  • Page 177: Match Remote

    2.2.2.10 command for IKE profile B. For peer 2.2.2.2, IKE profile A is preferred because IKE profile A was configured earlier. To use IKE profile B for the peer, you can use this command to restrict the application scope of IKE profile B to address 2.2.2.2. Examples # Create IKE profile prof1.
  • Page 178: Pre-Shared-Key

    To make sure only one IKE profile is matched for a peer, do not configure the same peer ID for two or more IKE profiles. If you configure the same peer ID for two or more IKE profiles, which IKE profile is selected for IKE negotiation is unpredictable.
  • Page 179: Priority (Ike Keychain View)

    simple-key: Specifies a plaintext key. In non-FIPS mode, it is a case-sensitive string of 1 to 128 characters. In FIPS mode, it is a case-sensitive string of 15 to 128 characters, and it must contain uppercase and lowercase letters, digits, and special characters. cipher: Specifies a pre-shared key in cipher text.
  • Page 180: Priority (Ike Profile View)

    Usage guidelines To determine the priority of an IKE keychain, the device examines the existence of the match local address command before examining the priority number. An IKE keychain with the match local address command configured has a higher priority than an IKE keychain that does not have the match local address command configured.
  • Page 181: Reset Ike Sa

    Use undo proposal to remove the IKE proposal references. Syntax proposal proposal-number&<1-6> undo proposal Default An IKE profile references no IKE proposals and uses the IKE proposals configured in system view for IKE negotiation. Views IKE profile view Predefined user roles network-admin Parameters proposal-number&<1-6>: Specifies up to six IKE proposal numbers, each in the range of 1 to 65535.
  • Page 182: Reset Ike Statistics

Usage guidelines When you delete an IKE SA, the device automatically sends a notification to the peer. Examples # Display the current IKE SAs.
<Sysname> display ike sa
Total IKE SAs:
Connection-ID   Remote          Flag
----------------------------------------------------------
                202.38.0.2      RD|ST       IPSEC
                202.38.0.3      RD|ST       IPSEC
Flags:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT...
  • Page 183: Snmp-Agent Trap Enable Ike

    Use undo sa duration to restore the default. Syntax sa duration seconds undo sa duration Default The IKE SA lifetime is 86400 seconds. Views IKE proposal view Predefined user roles network-admin Parameters seconds: Specifies the IKE SA lifetime in seconds, in the range of 60 to 604800. Usage guidelines If the communicating peers are configured with different IKE SA lifetime settings, the smaller setting takes effect.
  • Page 184 Views System view Predefined user roles network-admin Parameters attr-not-support: Specifies SNMP notifications for attribute-unsupported failures. auth-failure: Specifies SNMP notifications for authentication failures. cert-type-unsupport: Specifies SNMP notifications for certificate-type-unsupported failures. cert-unavailable: Specifies SNMP notifications for certificate-unavailable failures. decrypt-failure: Specifies SNMP notifications for decryption failures. encrypt-failure: Specifies SNMP notifications for encryption failures.
  • Page 185: Ssh Commands

    SSH commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSH server commands display ssh server Use display ssh server on an SSH server to display the SSH server status or sessions.
  • Page 186: Display Ssh User-Information

    Field Description SSH server key generating interval SSH server key pair update interval. SSH authentication retries Maximum number of authentication attempts for SSH users. SFTP server Whether the SFTP server function is enabled. SFTP server Idle-Timeout SFTP connection idle timeout timer. # Display the SSH server sessions.
  • Page 187: Sftp Server Enable

    Parameters username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users. Usage guidelines This command only displays information about SSH users configured by using the ssh user command on the SSH server.
  • Page 188: Sftp Server Idle-Timeout

    Predefined user roles network-admin Examples # Enable the SFTP server function. <Sysname> system-view [Sysname] sftp server enable Related commands display ssh server sftp server idle-timeout Use sftp server idle-timeout to set the idle timeout timer for SFTP user connections on an SFTP server. Use undo sftp server idle-timeout to restore the default.
  • Page 189: Ssh Server Authentication-Retries

    Syntax ssh server acl acl-number undo ssh server acl Default An SSH server allows all IPv4 SSH clients to access the server. Views System view Predefined user roles network-admin Parameters acl-number: Specifies an ACL number in the range of 2000 to 4999. Usage guidelines You can use this command to filter the IPv4 SSH clients' request packets by referencing an ACL: If the ACL has rules configured, only the IPv4 SSH clients whose request packets match the permit...
  • Page 190: Ssh Server Authentication-Timeout

Views System view Predefined user roles network-admin Parameters times: Specifies the maximum number of authentication attempts for SSH users, in the range of 1 to 5. Usage guidelines Set this limit to slow down brute-force guessing of usernames and passwords. The setting takes effect only for users who log in after it is configured; sessions already in progress keep the previous limit.
  • Page 191: Ssh Server Compatible-Ssh1X Enable

Usage guidelines If a user does not finish authentication before the timeout timer expires, the connection cannot be established. Set a small value for the timeout timer to prevent an attacker from tying up TCP connections with half-completed authentications. Examples # Set the SSH user authentication timeout timer to 10 seconds.
  • Page 192: Ssh Server Enable

    Use undo ssh server dscp to restore the default. Syntax ssh server dscp dscp-value undo ssh server dscp Default The DSCP value in IPv4 packets sent by the SSH server is 48. Views System view Predefined user roles network-admin Parameters dscp-value: Specifies the DSCP value in the outbound IPv4 packets, in the range of 0 to 63.
  • Page 193: Ssh Server Rekey-Interval

    Related commands display ssh server ssh server rekey-interval Use ssh server rekey-interval to set an interval for updating the RSA server key pair. Use undo ssh server rekey-interval to restore the default. Syntax ssh server rekey-interval hours undo ssh server rekey-interval Default The interval for updating the RSA server key pair is 0, and the system does not update the RSA server key pair.
  • Page 194 undo ssh user username In FIPS mode: ssh user username service-type { all | scp | sftp | stelnet } authentication-type { password | password-publickey assign publickey keyname } undo ssh user username Default No SSH users exist. Views System view Predefined user roles network-admin Parameters...
  • Page 195: Ssh Client Commands

If the authentication method is password, you do not need to execute this command to create such users, unless you want the display ssh user-information command to list all SSH users, including password-only users, for centralized management. If you use the ssh user command to configure a host public key for a user who already has one, the new key overwrites the old one.
  • Page 196: Cdup

Views SFTP client view Predefined user roles network-admin Usage guidelines This command has the same effect as the exit and quit commands. Examples # Terminate the connection with the SFTP server. sftp> bye <Sysname> Use cd to change the working path on an SFTP server. Syntax cd [ remote-path ] Views...
  • Page 197: Delete

    Predefined user roles network-admin Example # Return to the upper-level directory from the current working directory /test1. sftp> cd test1 Current Directory is:/test1 sftp> pwd Remote working directory: /test1 sftp> cdup Current Directory is:/ sftp> pwd Remote working directory: / sftp>...
  • Page 198: Display Sftp Client Source

    Parameters -a: Displays the names of the files and sub-directories under a directory. -l: Displays detailed information about the files and sub-directories under a directory in the form of a list. remote-path: Specifies the name of the directory to be queried. If this argument is not specified, the command displays detailed information about the files and sub-directories under the current working directory.
  • Page 199: Display Ssh Client Source

    Examples # Display the source IP address configured for the SFTP client. <Sysname> display sftp client source The source IP address of the SFTP client is 192.168.0.1 Related commands sftp client source display ssh client source Use display ssh client source to display the source IP address or source interface configured for the Stelnet client.
  • Page 200: Get

    Use get to download a file from an SFTP server and save it locally. Syntax get remote-file [ local-file ] Views SFTP client view Predefined user roles network-admin Parameters remote-file: Specifies the name of a file on the SFTP server. local-file: Specifies the name for the local file.
• Page 201
dir [-a|-l][path]             Display remote directory listing
  -a                          List all filenames
  -l                          List filename including the specific information of the file
exit                          Quit sftp
get remote-path [local-path]  Download file
help                          Display this help text
ls [-a|-l][path]              Display remote directory
  -a                          List all filenames
  -l                          List filename including the specific information of the file
mkdir path                    Create remote directory...
  • Page 202: Mkdir

pubkey2 pubkey1 pub1 new1 new2 pub2
# Display detailed information about the files and sub-directories under the current working directory in the form of a list.
sftp> ls -l
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup  225 Aug 24 08:01 pubkey2
-rwxrwxrwx...
  • Page 203: Pwd

    Parameters local-file: Specifies the name of a local file. remote-file: Specifies the name of a file on an SFTP server. Usage guidelines If the remote-file argument is not specified, the file will be remotely saved with the same name as the local one.
  • Page 204: Remove

sftp> quit <Sysname> remove Use remove to delete the specified files from an SFTP server. Syntax remove remote-file Views SFTP client view Predefined user roles network-admin Parameters remote-file: Specifies the files to delete from an SFTP server. Usage guidelines This command has the same effect as the delete command. Examples # Delete the file temp.c from the SFTP server.
  • Page 205: Rmdir

    rmdir Use rmdir to delete the specified directories from an SFTP server. Syntax rmdir remote-path Views SFTP client view Predefined user roles network-admin Parameters remote-path: Specifies the directories to delete from an SFTP server. Examples # Delete the sub-directory temp1 under the current directory on the SFTP server. sftp>...
• Page 206 put: Uploads the file. source-file-path: Specifies the directory of the source file. destination-file-path: Specifies the directory of the target file. If this argument is not specified, the source and target files are given the same directory name. identity-key: Specifies the public key algorithm for the client, either dsa or rsa. The default is dsa. If the server uses publickey authentication, this keyword must be specified.
  • Page 207: Sftp

    ip ip-address: Specifies a source IPv4 address. Usage guidelines When the client's authentication method is publickey, the client must get the local private key for digital signature. Because the publickey authentication uses either RSA or DSA algorithm, you must specify an algorithm (by using the identity-key keyword) in order to get the correct data for the local private key.
• Page 208 • dsa: Specifies the public key algorithm dsa. • rsa: Specifies the public key algorithm rsa. prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported. zlib: Specifies the compression algorithm zlib. prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm.
  • Page 209: Sftp Client Source

    specify a public key algorithm (by using the identity-key keyword) in order to get the correct data for the local private key. Examples # Connect an SFTP client to the IPv4 SFTP server 10.1.1.2 and specify the public key of the server as svkey. The SFTP client uses publickey authentication.
  • Page 210: Ssh Client Source

    Examples # Specify the source IP address for the SFTP client as 192.168.0.1. <Sysname> system-view [Sysname] sftp client source ip 192.168.0.1 Related commands display sftp client source ssh client source Use ssh client source to specify the source IPv4 address or source interface for the Stelnet client. Use undo ssh client source to remove the configuration.
  • Page 211: Ssh2

    ssh2 Use ssh2 to establish a connection to an IPv4 Stelnet server. Syntax In non-FIPS mode: ssh2 server [ port-number ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *...
  • Page 212 sha1: Specifies the HMAC algorithm hmac-sha1. • • sha1-96: Specifies the HMAC algorithm hmac-sha1-96. prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in non-FIPS mode and dh-group14 in FIPS mode. Algorithm dh-group14 features stronger security but costs more time in calculation than dh-group1.
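The weak choices this reference lets you pick (the 768-bit and 1024-bit Diffie-Hellman groups under the dh and prefer-kex commands, DES and MD5 among the IKE proposal algorithms and the ssh2 prefer-* keywords, aggressive mode with a pre-shared key, SSH1 compatibility, a never-updated server key pair) are easy to audit offline from a saved configuration. The following Python script is an added example written for this page, not HP software; the configuration fragment it parses is constructed, and the weak/strong split is the editor's choice rather than a device setting.

```python
"""Audit a Comware-style configuration fragment for weak IKE and SSH choices.

Added example for this reference, not device code. The weak/strong split
below is the editor's: 768- and 1024-bit DH, single DES and MD5 are treated
as weak; aggressive mode is flagged because it sends the identity and the
PSK-derived hash before the exchange is protected.
"""
WEAK_DH = {"group1", "group2", "dh-group1"}     # 768-bit and 1024-bit groups
WEAK_CIPHERS = {"des-cbc", "des"}               # single-DES keywords (IKE / ssh2)
WEAK_HMACS = {"md5", "md5-96"}                  # MD5-based integrity keywords

# Constructed configuration fragment in Comware display style; not a device dump.
# rekey-interval 0 is the default and is written out here only to exercise the rule.
SAMPLE_CONFIG = """\
ike proposal 1
 encryption-algorithm des-cbc
 authentication-algorithm md5
 dh group1
ike proposal 10
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha
 dh group14
ike profile prof1
 exchange-mode aggressive
 keychain kc1
 proposal 10
ssh server enable
ssh server compatible-ssh1x enable
ssh server rekey-interval 0
"""


def parse_blocks(text):
    """Group lines into (view-entering command, [sub-commands]) pairs.

    A line without leading whitespace starts a new block; indented lines
    belong to the most recent block, mirroring how the device displays views.
    """
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit_config(text):
    """Return sorted (context, finding) tuples for every weak setting found."""
    findings = []
    for ctx, subs in parse_blocks(text):
        if ctx.startswith("ike proposal"):
            for sub in subs:
                kw = sub.split()
                if len(kw) < 2:
                    continue
                if kw[0] == "dh" and kw[1] in WEAK_DH:
                    findings.append((ctx, f"weak DH {kw[1]}; use group14 or stronger"))
                elif kw[0] == "encryption-algorithm" and kw[1] in WEAK_CIPHERS:
                    findings.append((ctx, f"weak cipher {kw[1]}; use AES-CBC"))
                elif kw[0] == "authentication-algorithm" and kw[1] in WEAK_HMACS:
                    findings.append((ctx, f"weak integrity algorithm {kw[1]}; use sha"))
        elif ctx.startswith("ike profile") and "exchange-mode aggressive" in subs:
            findings.append((ctx, "aggressive mode: identity and PSK hash sent before the "
                                  "exchange is protected; prefer main mode or a long random PSK"))
        elif ctx == "ssh server compatible-ssh1x enable":
            findings.append((ctx, "SSH1 compatibility enabled; SSH1 is obsolete and weak"))
        elif ctx == "ssh server rekey-interval 0":
            findings.append((ctx, "server key pair is never updated (interval 0)"))
    return sorted(findings)


def audit_ssh2_command(cmd):
    """Flag weak prefer-* choices in an ssh2 or sftp client command line."""
    tokens = cmd.split()
    hits = []
    for opt, val in zip(tokens, tokens[1:]):
        if opt in ("prefer-ctos-cipher", "prefer-stoc-cipher") and val in WEAK_CIPHERS:
            hits.append(f"{opt} {val}")
        elif opt in ("prefer-ctos-hmac", "prefer-stoc-hmac") and val in WEAK_HMACS:
            hits.append(f"{opt} {val}")
        elif opt == "prefer-kex" and val in WEAK_DH:
            hits.append(f"{opt} {val}")
    return hits


if __name__ == "__main__":
    for ctx, msg in audit_config(SAMPLE_CONFIG):
        print(f"[{ctx}] {msg}")
    print(audit_ssh2_command("ssh2 10.1.1.2 prefer-kex dh-group1 prefer-ctos-cipher des"))
```

Feed it the saved output of display current-configuration; the parser relies only on the one-space indentation Comware uses for sub-commands of a view, so unrelated views are ignored. Whether 3DES and the 96-bit truncated HMACs should also be flagged is a policy question; add them to the sets at the top if so.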
  • Page 213: Ip Source Guard Commands

    IP source guard commands The IP source guard function is available on Layer 2 and Layer 3 Ethernet interfaces and VLAN interfaces. The term "interface" in this chapter collectively refers to these types of interfaces. You can use the port link-mode command to configure an Ethernet port as a Layer 2 or Layer 3 interface (see Layer 2—LAN Switching Configuration Guide).
  • Page 214 slot slot-number: Displays IPv4 source guard binding entries for a card. The slot-number argument specifies the number of the slot that holds the card. (In standalone mode.) chassis chassis-number slot slot-number: Displays IPv4 source guard binding entries for a card on an IRF member device.
  • Page 215: Ip Source Binding (Interface View)

    ip source binding (interface view) Use ip source binding to configure a static IPv4 source guard binding entry on an interface. Use undo ip source binding to remove the static IPv4 source guard binding entries configured on an interface. Syntax ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ] undo ip source binding { all | ip-address ip-address | ip-address ip-address mac-address mac-address...
  • Page 216: Ip Source Binding (System View)

    Related commands display ip source binding • ip source binding (system view) • ip source binding (system view) Use ip source binding to configure a global static IPv4 source guard binding entry. Use undo ip source binding to remove one or all global static IPv4 source guard binding entries. Syntax ip source binding ip-address ip-address mac-address mac-address undo ip source binding { all | ip-address ip-address mac-address mac-address }...
  • Page 217 Syntax ip verify source { ip-address | ip-address mac-address | mac-address } undo ip verify source Default The IPv4 source guard function is disabled on an interface. Views Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, VLAN interface view Predefined user roles network-admin Parameters...
  • Page 218 <Sysname> system-view [Sysname] interface fortygige 1/0/1 [Sysname-FortyGigE1/0/1] ip verify source ip-address mac-address # Enable IPv4 source guard on VLAN-interface 100 to filter packets received on the interface by using source IPv4 and MAC addresses of IPv4 source guard binding entries. <Sysname>...
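To see how the three ip verify source modes interact with interface-view and global binding entries, here is an added Python simulation written for this page (not device code). The binding table and the packets are constructed. Two behaviours the extract does not state are assumed and marked in the code: an interface binding configured without vlan applies in every VLAN on that interface, and a global binding (system view) applies on every interface that has source guard enabled.

```python
"""Simulate IPv4 source guard filtering for the ip verify source modes.

Added example for this reference, not device code. Assumptions: an
interface-view binding without vlan applies in every VLAN on that interface,
and a global binding (system view) applies on every interface where
ip verify source is enabled. MAC strings use the H-H-H form the CLI shows.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Binding:
    ip: Optional[str]                 # None: entry created with mac-address only
    mac: Optional[str]                # None: entry created with ip-address only
    vlan: Optional[int] = None        # None: any VLAN (assumption)
    interface: Optional[str] = None   # None: global entry from system view


@dataclass(frozen=True)
class Packet:
    interface: str   # ingress interface
    vlan: int
    src_ip: str
    src_mac: str


def entry_covers(b: Binding, pkt: Packet) -> bool:
    """Is this binding in scope for the interface and VLAN the packet arrived on?"""
    if b.interface is not None and b.interface != pkt.interface:
        return False
    return b.vlan is None or b.vlan == pkt.vlan


def check_source(pkt: Packet, bindings: List[Binding], verify: Dict[str, str]) -> bool:
    """Return True if the packet is forwarded, False if source guard drops it.

    verify maps an interface to its ip verify source keyword string
    ('ip-address', 'ip-address mac-address' or 'mac-address'); interfaces
    absent from the map have the function disabled, which is the default.
    """
    mode = verify.get(pkt.interface)
    if mode is None:
        return True
    fields = set(mode.split())
    for b in bindings:
        if not entry_covers(b, pkt):
            continue
        if "ip-address" in fields and b.ip != pkt.src_ip:
            continue
        if "mac-address" in fields and b.mac != pkt.src_mac:
            continue
        return True          # a binding entry matches every checked field
    return False             # no entry matches: packet is discarded


# Constructed tables (not from a device): two interface bindings and one global one.
BINDINGS = [
    Binding("10.1.1.10", "0001-0203-0405", interface="FortyGigE1/0/1"),
    Binding("10.1.1.20", None, interface="FortyGigE1/0/2"),
    Binding("10.1.1.30", "0001-0203-0406"),          # global static entry
]
VERIFY = {"FortyGigE1/0/1": "ip-address mac-address", "FortyGigE1/0/2": "ip-address"}


def demo() -> List[bool]:
    """Run a handful of constructed packets through the filter."""
    pkts = [
        Packet("FortyGigE1/0/1", 100, "10.1.1.10", "0001-0203-0405"),  # bound host
        Packet("FortyGigE1/0/1", 100, "10.1.1.10", "dead-beef-0001"),  # IP ok, MAC spoofed
        Packet("FortyGigE1/0/1", 100, "10.1.1.30", "0001-0203-0406"),  # matches global entry
        Packet("FortyGigE1/0/2", 100, "10.1.1.20", "dead-beef-0002"),  # IP-only mode, MAC unchecked
        Packet("FortyGigE1/0/2", 100, "10.1.1.10", "0001-0203-0405"),  # binding is on another port
        Packet("FortyGigE1/0/3", 1, "203.0.113.9", "dead-beef-0003"),  # guard not enabled here
    ]
    return [check_source(p, BINDINGS, VERIFY) for p in pkts]


if __name__ == "__main__":
    print(demo())   # [True, False, True, True, False, True]
```

The fourth packet shows why the ip-address-only mode is the weakest: any host that knows a bound address on that port can use it with an arbitrary MAC. The fifth shows that an interface binding does not travel with the host to another port.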
  • Page 219: Arp Attack Protection Commands

    ARP attack protection commands Unresolvable IP attack protection commands arp source-suppression enable Use arp source-suppression enable to enable the ARP source suppression function. Use undo arp source-suppression enable to restore the default. Syntax arp source-suppression enable undo arp source-suppression enable Default The ARP source suppression function is disabled.
  • Page 220: Display Arp Source-Suppression

Views System view Predefined user roles network-admin Parameters limit-value: Sets the maximum number of unresolvable packets that can be processed in 5 seconds. It is in the range of 2 to 1024. Usage guidelines If the number of unresolvable packets from a host within 5 seconds exceeds the configured limit, the device stops processing packets from that host until the 5-second interval elapses.
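The counting rule above (at most limit-value unresolvable packets per host in 5 seconds, the rest dropped until the interval elapses) is easy to misread as a sliding window. The following added Python model, written for this page and not taken from the device software, replays constructed traffic from a scanning host and an ordinary host through a fixed 5-second window; where that window starts is the editor's assumption.

```python
"""Model the ARP source suppression counter described above.

Added example for this reference, not device code. Assumption: the 5-second
window for a host starts at its first unresolvable packet and is restarted
at the first packet after it elapses (a fixed window, not a sliding one).
"""
from collections import defaultdict
from typing import Dict, Iterable, Tuple

WINDOW_SECONDS = 5.0   # interval length stated by the arp source-suppression limit command


class ArpSourceSuppressor:
    def __init__(self, limit: int):
        if not 2 <= limit <= 1024:
            raise ValueError("limit-value must be in the range 2 to 1024")
        self.limit = limit
        self._state: Dict[str, Tuple[float, int]] = {}  # src_ip -> (window_start, count)

    def process(self, src_ip: str, now: float) -> bool:
        """Account one unresolvable packet from src_ip at time now.

        Returns True if the device would still process it (attempt ARP
        resolution), False if the host is suppressed for the rest of the window.
        """
        start, count = self._state.get(src_ip, (now, 0))
        if now - start >= WINDOW_SECONDS:
            start, count = now, 0          # window elapsed: start a fresh one
        count += 1
        self._state[src_ip] = (start, count)
        return count <= self.limit


def replay(limit: int, events: Iterable[Tuple[float, str]]) -> Dict[str, Tuple[int, int]]:
    """Feed (timestamp, src_ip) events in time order; return per-host (processed, suppressed)."""
    sup = ArpSourceSuppressor(limit)
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(events):
        stats[ip][0 if sup.process(ip, ts) else 1] += 1
    return {ip: (p, s) for ip, (p, s) in stats.items()}


def sample_events():
    """Constructed traffic (not a capture): one scanning host and one ordinary host."""
    scanner = [(0.1 * i, "10.1.1.66") for i in range(20)]        # 20 packets in 2 s
    scanner += [(6.0 + 0.1 * i, "10.1.1.66") for i in range(5)]  # 5 more in a later window
    normal = [(0.5, "10.1.1.7"), (1.5, "10.1.1.7"), (2.5, "10.1.1.7")]
    return scanner + normal


if __name__ == "__main__":
    print(replay(10, sample_events()))
    # {'10.1.1.66': (15, 10), '10.1.1.7': (3, 0)}
```

With limit-value 10 the scanner gets its first ten packets of each window resolved and loses the rest, while the ordinary host is untouched; the counter is per source, so one noisy host does not cost the others their resolution budget.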
  • Page 221: Arp Detection Commands

    ARP detection commands arp detection enable Use arp detection enable to enable ARP detection. Use undo arp detection enable to restore the default. Syntax arp detection enable undo arp detection enable Default ARP detection is disabled. Views VLAN view Predefined user roles network-admin Examples # Enable ARP detection for VLAN 2.
  • Page 222: Arp Detection Validate

    arp detection validate Use arp detection validate to enable ARP packet validity check. You can specify one or more objects to be checked in one command line. Use undo arp detection validate to disable ARP packet validity check. If no keyword is specified, this command deletes all objects.
  • Page 223: Display Arp Detection

    Predefined user roles network-admin Examples # Enable ARP restricted forwarding in VLAN 2. <Sysname> system-view [Sysname] vlan 2 [Sysname-vlan2] arp restricted-forwarding enable display arp detection Use display arp detection to display the VLANs enabled with ARP detection. Syntax display arp detection Views Any view Predefined user roles...
  • Page 224: Reset Arp Detection Statistics

    Usage guidelines This command displays numbers of packets discarded by user validity check and ARP packet validity check. If you do not specify any interface, the command displays statistics for all interfaces. Examples # Display the ARP detection statistics for all interfaces. <Sysname>...
  • Page 225 Predefined user roles network-admin Parameters interface interface-type interface-number: Clears the ARP detection statistics of a specific interface. Usage guidelines If you do not specify any interface, this command clears the statistics of all interfaces. Examples # Clear the ARP detection statistics of all interfaces. <Sysname>...
  • Page 226: Urpf Commands

    uRPF commands display ip urpf Use display ip urpf to display uRPF configuration. Syntax In standalone mode: display ip urpf [ slot slot-number ] In IRF mode: display ip urpf [ chassis chassis-number slot slot-number ] Views Any view Predefined user roles network-admin network-operator Parameters...
  • Page 227: Ip Urpf

    ip urpf Use ip urpf to enable uRPF. Use undo ip urpf to disable uRPF. Syntax ip urpf { loose | strict } undo ip urpf Default uRPF is disabled. Views System view Predefined user roles network-admin Parameters loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.
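The difference between loose and strict uRPF is clearest on a concrete FIB. The following Python example is added for this page (not device code): loose is the rule the page states, strict is the standard rule that the matching FIB entry must also point out the interface the packet arrived on, and the three-entry FIB is constructed. The FIB deliberately has no default route, because whether a default route satisfies uRPF is a platform detail this page does not cover.

```python
"""Compare loose and strict uRPF against a small FIB.

Added example for this reference, not device code. Loose: the source must
match the destination of some FIB entry (as the page states). Strict: that
entry must also point out the ingress interface (the standard definition,
assumed here). The constructed FIB has no default route on purpose.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed FIB: (prefix, outgoing interface). Not from a device.
FIB: List[Tuple[str, str]] = [
    ("10.1.0.0/16", "Vlan-interface10"),
    ("10.1.5.0/24", "Vlan-interface15"),
    ("192.168.0.0/24", "FortyGigE1/0/1"),
]


def lookup(fib, addr: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match of addr in fib; None when no entry covers it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_check(fib, src_ip: str, ingress: str, mode: str) -> bool:
    """Return True if a packet from src_ip arriving on ingress passes uRPF in mode."""
    route = lookup(fib, src_ip)
    if route is None:
        return False                 # no route back to the source: dropped in both modes
    if mode == "loose":
        return True                  # any FIB entry for the source is enough
    if mode == "strict":
        return route[1] == ingress   # the entry must point out the ingress interface
    raise ValueError(f"unknown uRPF mode {mode!r}")


def classify(fib, src_ip: str, ingress: str) -> str:
    """Summarise how a source/interface pair fares under both modes."""
    loose = urpf_check(fib, src_ip, ingress, "loose")
    strict = urpf_check(fib, src_ip, ingress, "strict")
    if strict:
        return "passes strict and loose"
    if loose:
        return "passes loose only (asymmetric path or spoofed from a routed prefix)"
    return "fails both (no route to source)"


if __name__ == "__main__":
    for src, ingress in [("10.1.5.7", "Vlan-interface15"),
                         ("10.1.5.7", "Vlan-interface10"),
                         ("203.0.113.9", "Vlan-interface10")]:
        print(src, ingress, "->", classify(FIB, src, ingress))
```

The second case is the one to think about before enabling strict mode: a legitimate host in 10.1.5.0/24 whose traffic arrives via Vlan-interface10 because of an asymmetric path is dropped by strict but accepted by loose, whereas a source with no route at all is dropped by both.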
  • Page 228: Fips Commands

    FIPS commands display fips status Use display fips status to display the current FIPS mode state. Syntax display fips status Views Any view Predefined user roles network-admin network-operator Examples # Display the current FIPS mode state. <Sysname> display fips status FIPS mode is enabled.
  • Page 229 After you execute the fips mode enable command, the system provides the following methods to enter FIPS mode: Automatic reboot • Select the automatic reboot method. The system automatically performs the following tasks: Create a default FIPS configuration file named fips-startup.cfg. Specify the default file as the startup configuration file.
  • Page 230: FIPS Self-Test

    Examples
    # Enable FIPS mode, and choose the automatic reboot method to enter FIPS mode.
    <Sysname> system-view
    [Sysname] fips mode enable
    FIPS mode change requires a device reboot. Continue? [Y/N]:y
    Reboot the device automatically? [Y/N]:y
    The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically.
  • Page 231
    Usage guidelines
    To examine whether the cryptography modules operate correctly, you can use this command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. A successful self-test requires that all cryptographic algorithms pass the self-test. If the self-test fails, the card where the self-test process exists reboots.
  • Page 232: Support And Other Resources

    Related information
    Documents
    To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals
    For related documentation, navigate to the Networking section, and select a networking category. •...
  • Page 233: Conventions

    Conventions
    This section describes the conventions used in this documentation set.
    Command conventions
    Convention: Description
    Boldface: Bold text represents commands and keywords that you enter literally as shown.
    Italic: Italic text represents arguments that you replace with actual values.
    [ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
    { x | y | ...: Braces enclose a set of required syntax choices separated by vertical bars, from which ...
  • Page 234
    Network topology icons
    Represents a generic network device, such as a router, switch, or firewall.
    Represents a routing-capable device, such as a router or Layer 3 switch.
    Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 235: Index

    Index A B C D E F G H I K L M N P Q R S T U dir,190 display arp detection,216 session-limit,1 display arp detection statistics,216 access-limit,18 display arp source-suppression,213 accounting command,2 display domain,13 accounting default,2 display fips status,221 accounting login,4...
  • Page 236 fips mode enable,221 local-address,133 fips self-test,223 local-identity,167 local-user,24 ls,194 get,193 group,23 match local address (IKE keychain view),168 match local address (IKE profile view),169 help,193 match remote,170 hwtacacs nas-ip,54 mkdir,195 hwtacacs scheme,55 nas-ip (HWTACACS scheme view),57 dpd,159 nas-ip (RADIUS scheme view),34 identity,160 ike invalid-spi-recovery enable,161...
  • Page 237 public-key local create,97 secondary authentication (HWTACACS scheme view),64 public-key local destroy,100 secondary authentication (RADIUS scheme view),43 public-key local export dsa,102 secondary authorization,65 public-key local export rsa,104 security acl,145 public-key peer,106 security-policy-server,45 public-key peer import sshkey,106 service-type,26 put,195 sftp,200 pwd,196 sftp client source,202 sftp server enable,180...