
HP FlexNetwork MSR Series Command Reference Manual

Comware 7 security

HPE FlexNetwork MSR Router Series
Comware 7 Security Command Reference
Part number: 5200-3000
Software version: MSR-CMW710-R0413
Document version: 6W102-20170101

Summary of Contents for HP FlexNetwork MSR Series

  • Page 2 © Copyright 2017 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table of Contents
    Contents. AAA commands (1); General AAA commands (1); aaa nas-id profile (1); aaa session-limit (1); accounting advpn (2); accounting command (3); accounting default (4); accounting ipoe (5); accounting lan-access (7); accounting login (8); accounting portal ...
  • Page 4: Table of Contents
    local-guest email format (63); local-guest email sender (64); local-guest email smtp-server (65); local-guest generate (65); local-guest manager-email (67); local-guest send-email (68); local-guest timer (68); local-user (69); local-user-export (70); local-user-import (71); password ...
  • Page 5: Table of Contents
    nas-ip (HWTACACS scheme view) (121); primary accounting (HWTACACS scheme view) (122); primary authentication (HWTACACS scheme view) (123); primary authorization (125); reset hwtacacs statistics (126); secondary accounting (HWTACACS scheme view) (127); secondary authentication (HWTACACS scheme view) (128); secondary authorization ...
  • Page 6: Table of Contents
    dot1x retry (178); dot1x smarton (179); dot1x smarton password (180); dot1x smarton retry (181); dot1x smarton switchid (181); dot1x smarton timer supp-timeout (182); dot1x timer (183); dot1x unicast-trigger (185); reset dot1x guest-vlan (186); reset dot1x statistics ...
  • Page 7: Table of Contents
    portal apply mac-trigger-server (267); portal apply web-server (268); portal authorization strict-checking (269); portal client-traffic-report interval (270); portal delete-user (271); portal device-id (271); portal domain (272); portal enable (273); portal extend-auth domain (274); portal extend-auth-server ...
  • Page 8: Table of Contents
    Port security commands (322); display port-security (322); display port-security mac-address block (325); display port-security mac-address security (328); port-security authorization ignore (330); port-security authorization-fail offline (331); port-security enable (331); port-security intrusion-mode (332); port-security mac-address aging-type inactivity (333); port-security mac-address dynamic ...
  • Page 9: Table of Contents
    public-key local export dsa (391); public-key local export ecdsa (393); public-key local export rsa (394); public-key peer (396); public-key peer import sshkey (397); PKI commands (398); attribute (398); ca identifier (399); certificate request entity (400); certificate request from ...
  • Page 10: Table of Contents
    display ipsec tunnel (473); encapsulation-mode (475); esn enable (476); esp authentication-algorithm (477); esp encryption-algorithm (478); ike-profile (480); ikev2-profile (480); ipsec anti-replay check (481); ipsec anti-replay window (482); ipsec apply (482); ipsec decrypt-check enable ...
  • Page 11: Table of Contents
    exchange-mode (530); ike address-group (531); ike dpd (532); ike identity (532); ike invalid-spi-recovery enable (533); ike keepalive interval (534); ike keepalive timeout (535); ike keychain (535); ike limit (536); ike logging negotiation enable (537); ike nat-keepalive ...
  • Page 12: Table of Contents
    match vrf (IKEv2 profile view) (585); nat-keepalive (586); peer (587); pre-shared-key (588); prf (589); priority (IKEv2 policy view) (590); priority (IKEv2 profile view) (591); proposal (591); reset ikev2 sa (592); reset ikev2 statistics (593); sa duration ...
  • Page 13: Table of Contents
    ssh2 ipv6 (636); SSH2 commands (639); display ssh2 algorithm (639); ssh2 algorithm cipher (639); ssh2 algorithm key-exchange (640); ssh2 algorithm mac (641); ssh2 algorithm public-key (642); SSL commands (644); certificate-chain-sending enable (644); ciphersuite ...
  • Page 14: Table of Contents
    port-mapping acl (699); port-mapping host (700); port-mapping subnet (701); reset application statistics (703); service-port (703); signature (704); source (705); update schedule (706); Session management commands (708); display session aging-time application (708); display session aging-time state ...
  • Page 15: Table of Contents
    Object policy commands (792); accelerate (792); description (793); display object-policy accelerate (793); display object-policy ip (794); display object-policy ipv6 (795); display object-policy statistics zone-pair security (796); display object-policy zone-pair security (797); move rule (798); object-policy apply ip ...
  • Page 16: Table of Contents
    dns-flood port (884); dns-flood threshold (885); exempt acl (886); fin-flood action (887); fin-flood detect (888); fin-flood detect non-specific (889); fin-flood threshold (890); http-flood action (891); http-flood detect (891); http-flood detect non-specific (893); http-flood port ...
  • Page 17: Table of Contents
    ARP attack protection commands (936); Unresolvable IP attack protection commands (936); arp resolving-route enable (936); arp resolving-route probe-count (936); arp resolving-route probe-interval (937); arp source-suppression enable (938); arp source-suppression limit (938); display arp source-suppression (939); Source MAC-based ARP attack detection commands ...
  • Page 18: Table of Contents
    Accessing updates (975); Websites (976); Customer self repair (976); Remote support (976); Documentation feedback (976); Index (978) ...
  • Page 19: aaa nas-id profile
    AAA commands
    The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
    General AAA commands
    aaa nas-id profile
    Use aaa nas-id profile to create a NAS-ID profile and enter its view, or enter the view of an existing NAS-ID profile.
  • Page 20: accounting advpn
    Syntax
    In non-FIPS mode:
    aaa session-limit { ftp | http | https | ssh | telnet } max-sessions
    undo aaa session-limit { ftp | http | https | ssh | telnet }
    In FIPS mode:
    aaa session-limit { https | ssh } max-sessions
    undo aaa session-limit { https | ssh }
    Default
    The maximum number of concurrent users is 32 for the FTP, SSH, and Telnet services.
  • Page 21: accounting command
    undo accounting advpn
    Default
    The default accounting method of the ISP domain is used for ADVPN users.
    Views
    ISP domain view
    Predefined user roles
    network-admin
    Parameters
    local: Performs local accounting.
    none: Does not perform accounting.
    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 22: accounting default
    Default
    The default accounting method of the ISP domain is used for command line accounting.
    Views
    ISP domain view
    Predefined user roles
    network-admin
    Parameters
    hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
    Usage guidelines
    The command line accounting feature works with the accounting server to record all valid commands that have been successfully executed on the device.
  • Page 23: accounting ipoe
    Predefined user roles
    network-admin
    Parameters
    hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
    local: Performs local accounting.
    none: Does not perform accounting.
    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 24
    accounting ipoe broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] | local | radius-scheme radius-scheme-name [ local ] }
    undo accounting ipoe
    Default
    The default accounting method for the ISP domain is used for IPoE users.
    Views
    ISP domain view
    Predefined user roles
    network-admin
    Parameters...
  • Page 25: accounting lan-access
    # In ISP domain test, broadcast accounting requests of IPoE users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.
    <Sysname> system-view
    [Sysname] domain test
    [Sysname-isp-test] accounting ipoe broadcast radius-scheme rd1 radius-scheme rd2 local
    Related commands
    accounting default
    local-user...
  • Page 26: accounting login
    When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid.
  • Page 27
    accounting login hwtacacs-scheme hwtacacs-scheme-name radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
    undo accounting login
    Default
    The default accounting method of the ISP domain is used for login users.
    Views
    ISP domain view
    Predefined user roles...
  • Page 28: accounting portal
    accounting portal
    Use accounting portal to specify the accounting method for portal users. Use undo accounting portal to restore the default.
    Syntax
    In non-FIPS mode:
    accounting portal broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
    undo accounting portal
    In FIPS mode:...
  • Page 29: accounting ppp
    • The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.
    Examples
    # In ISP domain test, perform local accounting for portal users.
  • Page 30
    Predefined user roles
    network-admin
    Parameters
    broadcast: Broadcasts accounting requests to servers in RADIUS schemes.
    radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
    radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 31: accounting quota-out
    Related commands
    accounting default
    hwtacacs scheme
    local-user
    radius scheme
    accounting quota-out
    Use accounting quota-out to configure access control for users who have used up their data quotas. Use undo accounting quota-out to restore the default.
    Syntax
    accounting quota-out { offline | online }
    undo accounting quota-out
    Default
    The device logs off users who have used up their data quotas.
  • Page 32: accounting update-fail
    Predefined user roles
    network-admin
    Parameters
    offline: Logs off users who encounter accounting-start failures.
    online: Does not perform actions on users who encounter accounting-start failures.
    Examples
    # In ISP domain test, configure the device not to perform actions on users who encounter accounting-start failures.
  • Page 33
    Syntax
    In non-FIPS mode:
    authentication advpn { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
    undo authentication advpn
    In FIPS mode:
    authentication advpn { local | radius-scheme radius-scheme-name [ local ] }
    undo authentication advpn
    Default
    The default authentication method of the ISP domain is used for ADVPN users.
  • Page 34: authentication default
    authentication default
    Use authentication default to specify the default authentication method for an ISP domain. Use undo authentication default to restore the default.
    Syntax
    In non-FIPS mode:
    authentication default hwtacacs-scheme hwtacacs-scheme-name radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local none none radius-scheme...
  • Page 35: authentication ike
    Examples
    # In ISP domain test, use RADIUS scheme rd as the primary default authentication method and use local authentication as the backup.
    <Sysname> system-view
    [Sysname] domain test
    [Sysname-isp-test] authentication default radius-scheme rd local
    Related commands
    hwtacacs scheme
    ldap scheme
    local-user
    radius scheme
    authentication ike...
  • Page 36: authentication ipoe
    Examples
    # In ISP domain test, configure the device to perform local authentication through IKE extended authentication.
    <Sysname> system-view
    [Sysname] domain test
    [Sysname-isp-test] authentication ike local
    # In ISP domain test, perform IKE extended authentication based on RADIUS scheme rd and use local authentication as the backup.
  • Page 37: authentication lan-access
    When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication ipoe radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid.
  • Page 38: authentication login
    none: Does not perform authentication.
    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
    Usage guidelines
    You can specify one primary authentication method and multiple backup authentication methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication).
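The primary/backup method lists described on pages 26, 37 and 38 follow one rule: methods are tried in the order written, and the device moves to the next one only when the current method is invalid. The following Python model is an added example, not HPE code and not from the manual. It parses lines written in the manual's syntax (for instance authentication lan-access radius-scheme rd local none), reports which method is left once a scheme's server stops responding, and flags lists whose last backup is none, since such a list skips AAA entirely once every server is down. The sample lines and the set of reachable schemes are constructed for the example; whether a reject from a reachable server counts as "invalid" is this model's assumption (it does not), not something the excerpts state.

```python
"""AAA method-list fallback model for the Comware commands on this page.

Added example, not HPE code. It parses lines written in the manual's syntax,
such as 'authentication lan-access radius-scheme rd local none', and answers
two questions a reviewer of a router configuration usually has:
  1. which method is actually used once a scheme's server is unreachable, and
  2. whether the list ends in 'none', which makes the service fail open when
     every server is down.
"""

SCHEME_KEYWORDS = ("radius-scheme", "hwtacacs-scheme", "ldap-scheme")
SERVERLESS_METHODS = ("local", "none")
AAA_KINDS = ("authentication", "authorization", "accounting")

# Constructed sample configuration lines (assumed inputs, not from a real device).
SAMPLE_LINES = [
    "authentication lan-access radius-scheme rd local none",
    "authentication login hwtacacs-scheme tac local",
    "accounting login radius-scheme rd",
]


def parse_method_list(line):
    """Split one AAA method line into an ordered list of (keyword, scheme_name) pairs.

    'local' and 'none' carry no scheme name, so their second element is None.
    A leading 'broadcast' keyword (accounting lines) is only recorded as a flag;
    the simultaneous delivery it implies is not modelled here.
    """
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] not in AAA_KINDS:
        raise ValueError(f"not an AAA method line: {line!r}")
    kind, service = tokens[0], tokens[1]
    broadcast = False
    methods = []
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "broadcast" and i == 2:
            broadcast = True
            i += 1
        elif tok in SCHEME_KEYWORDS:
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} needs a scheme name: {line!r}")
            methods.append((tok, tokens[i + 1]))
            i += 2
        elif tok in SERVERLESS_METHODS:
            methods.append((tok, None))
            i += 1
        else:
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
    return {"kind": kind, "service": service, "broadcast": broadcast, "methods": methods}


def effective_method(methods, reachable_schemes):
    """Return the method the device falls through to, or None if every method is invalid.

    Methods are tried in order; a scheme-based method is treated as invalid when
    its server is not in reachable_schemes. 'local' and 'none' never depend on a
    server. Assumption of this model: a reachable server that rejects the user
    is not an invalid method, so the rejection stands and no fallback happens.
    """
    for keyword, scheme in methods:
        if scheme is None:
            return keyword
        if scheme in reachable_schemes:
            return f"{keyword} {scheme}"
    return None


def fails_open(methods):
    """True when the last backup is 'none': with all servers down, AAA is skipped entirely."""
    return bool(methods) and methods[-1][0] == "none"


def audit(lines, reachable_schemes):
    """Evaluate each line under the given server availability; returns one dict per line."""
    report = []
    for line in lines:
        parsed = parse_method_list(line)
        report.append({
            "line": line,
            "uses": effective_method(parsed["methods"], reachable_schemes),
            "fails_open": fails_open(parsed["methods"]),
        })
    return report


if __name__ == "__main__":
    # Scenario: RADIUS scheme rd is down, HWTACACS scheme tac is up.
    for row in audit(SAMPLE_LINES, reachable_schemes={"tac"}):
        print(row)
```

Run against the constructed lines with only tac reachable, the first line degrades to local authentication and is flagged as failing open because of its trailing none, the second stays on HWTACACS, and the third has no backup at all, so accounting for login users fails outright once rd is unreachable.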
  • Page 39: authentication portal
    Default
    The default authentication method of the ISP domain is used for login users.
    Views
    ISP domain view
    Predefined user roles
    network-admin
    Parameters
    hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
    ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 40
    Syntax
    In non-FIPS mode:
    authentication portal { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
    undo authentication portal
    In FIPS mode:
    authentication portal { ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ local ] }
    undo authentication portal
    Default...
  • Page 41: authentication ppp
    local-user
    radius scheme
    authentication ppp
    Use authentication ppp to configure the authentication method for PPP users. Use undo authentication ppp to restore the default.
    Syntax
    In non-FIPS mode:
    authentication hwtacacs-scheme hwtacacs-scheme-name radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
    undo authentication ppp
    In FIPS mode:...
  • Page 42: Authentication Super

    # In ISP domain test, perform RADIUS authentication for PPP users based on scheme rd and use local authentication as the backup. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authentication ppp radius-scheme rd local Related commands authentication default hwtacacs scheme local-user radius scheme authentication super Use authentication super to specify a method for user role authentication.
  • Page 43: Authorization Advpn

    Examples # In ISP domain test, perform user role authentication based on HWTACACS scheme tac. <Sysname> system-view [Sysname] super authentication-mode scheme [Sysname] domain test [Sysname-isp-test] authentication super hwtacacs-scheme tac Related commands authentication default hwtacacs scheme radius scheme authorization advpn Use authorization advpn to configure the authorization method for ADVPN users. Use undo authorization advpn to restore the default.
  • Page 44: Authorization Command

    authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid. Examples # In ISP domain test, perform local authorization for ADVPN users. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authorization advpn local # In ISP domain test, perform RADIUS authorization for ADVPN users based on scheme rd and use local authorization as the backup.
  • Page 45: Authorization Default

    Usage guidelines Command authorization restricts login users to executing only authorized commands by using an authorization server to verify whether each entered command is permitted. When local command authorization is configured, the device compares each entered command with the user's configuration on the device.
  • Page 46 authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] } undo authorization default Default The default authorization method of an ISP domain is local. Views ISP domain view Predefined user roles network-admin Parameters...
  • Page 47: Authorization Ike

    authorization ike Use authorization ike to configure the authorization method for IKE extended authentication. Use undo authorization ike to restore the default. Syntax In non-FIPS mode: authorization ike { local [ none ] | none } undo authorization ike In FIPS mode: authorization ike local undo authorization ike Default...
  • Page 48: Authorization Lan-Access

    In FIPS mode: authorization ipoe { local | radius-scheme radius-scheme-name [ local ] } undo authorization ipoe Default The default authorization method for the ISP domain is used for IPoE users. Views ISP domain view Predefined user roles network-admin Parameters local: Performs local authorization.
  • Page 49 Syntax In non-FIPS mode: authorization lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] } undo authorization lan-access In FIPS mode: authorization lan-access { local | radius-scheme radius-scheme-name [ local ] } undo authorization lan-access Default The default authorization method for the ISP domain is used for LAN users.
  • Page 50: Authorization Login

    authorization login Use authorization login to configure the authorization method for login users. Use undo authorization login to restore the default. Syntax In non-FIPS mode: authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo authorization login In FIPS mode:...
  • Page 51: Authorization Portal

    Examples # In ISP domain test, perform local authorization for login users. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authorization login local # In ISP domain test, perform RADIUS authorization for login users based on scheme rd and use local authorization as the backup. <Sysname>...
  • Page 52: Authorization Ppp

    You can specify one primary authorization method and multiple backup authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization portal radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization).
  • Page 53: Authorization-Attribute (Isp Domain View)

    Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform authorization. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines You can specify one primary authorization method and multiple backup authorization methods.
  • Page 54 Default No authorization attributes are configured for users in the ISP domain and the idle cut feature is disabled. Views ISP domain view Predefined user roles network-admin Parameters acl acl-number: Specifies an ACL to filter traffic for users. The value range for the acl-number argument is 2000 to 5999.
  • Page 55: Display Domain

    secondary-dns ipv6 ipv6-address: Specifies the IPv6 address of the secondary DNS server for users. This option is applicable only to IPoE and PPP users. session-group-profile session-group-profile-name: Specifies an authorization session group profile for users. The session-group-profile-name argument is a case-sensitive string of 1 to 31 characters.
  • Page 56 Predefined user roles network-admin network-operator Parameters isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains. Examples # Display the configuration of all ISP domains.
  • Page 57 Idle timeout: 2 minutes Flow: 10240 bytes IP pool: appy User profile: test Inbound CAR: CIR 64000 bps PIR 640000 bps Outbound CAR: CIR 64000 bps PIR 640000 bps ACL number: 3000 User group: ugg IPv6 prefix: 1::1/34 IPv6 pool: ipv6pool Primary DNS server: 6.6.6.6 Secondary DNS server: 3.6.2.3 URL: http://portal...
  • Page 58 Field Description ADVPN authentication scheme Authentication method for ADVPN users. ADVPN authorization scheme Authorization method for ADVPN users. ADVPN accounting scheme Accounting method for ADVPN users. Login authentication scheme Authentication method for login users. Login authorization scheme Authorization method for login users. Login accounting scheme Accounting method for login users.
  • Page 59: Domain

    Field Description Local Local scheme. None No authentication, no authorization, or no accounting. Super authentication scheme Authentication method for obtaining another user role without reconnecting to the device. PPP authentication scheme Authentication method for PPP users. PPP authorization scheme Authorization method for PPP users. PPP accounting scheme Accounting method for PPP users.
  • Page 60: Domain Default Enable

    • The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). • The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.
  • Page 61: Domain If-Unknown

    Usage guidelines The system has only one default ISP domain. An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.
  • Page 62: Ita-Policy

    If the chosen domain does not exist on the device, the device searches for the ISP domain that accommodates users who are assigned to nonexistent domains. If no such ISP domain is configured, user authentication fails. NOTE: Support for the authentication domain configuration depends on the access module. Examples # Specify ISP domain test to accommodate users who are assigned to nonexistent domains.
  • Page 63: Nas-Id Bind Vlan

    nas-id bind vlan Use nas-id bind vlan to bind a NAS-ID with a VLAN. Use undo nas-id bind vlan to remove a NAS-ID and VLAN binding. Syntax nas-id nas-identifier bind vlan vlan-id undo nas-id nas-identifier bind vlan vlan-id Default No NAS-ID and VLAN bindings exist. Views NAS-ID profile view Predefined user roles...
  • Page 64: Session-Time Include-Idle-Time

    Predefined user roles network-admin Parameters hsi: Specifies the High-Speed Internet (HSI) service. This service is applicable to PPP, 802.1X, and IPoE leased line users. stb: Specifies the Set Top Box (STB) service. This service is applicable to STB users. voip: Specifies the Voice over IP (VoIP) service. This service is applicable to IP phone users. Usage guidelines You can configure only one service type for one ISP domain.
  • Page 65: State (Isp Domain View)

    • If the session-time include-idle-time command is configured, the device adds the idle cut period or user online detection interval to the actual online duration. The user online detection period is supported only by portal authentication. The online duration sent to the server is longer than the actual online duration of the user.
  • Page 66: User-Address-Type

    user-address-type Use user-address-type to specify the user address type in the ISP domain. Use undo user-address-type to restore the default. Syntax user-address-type { ds-lite | ipv6 | nat64 | private-ds | private-ipv4 | public-ds | public-ipv4 } undo user-address-type Default No user address type is specified for the ISP domain.
  • Page 67: Authorization-Attribute (Local User View/User Group View)

    Default The number of concurrent logins using the local user name is not limited. Views Local user view Predefined user roles network-admin Parameters max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024. Usage guidelines This command takes effect only when local accounting is configured for the local user.
  • Page 68 Parameters acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is 2000 to 5999. After passing authentication, a local user can access the network resources specified by this ACL. callback-number callback-number: Specifies an authorized PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters.
  • Page 69 • For PPP users, only the following authorization attributes take effect: callback-number, idle-cut, ip, ip-pool, ipv6-pool, ipv6-prefix, primary-dns, secondary-dns, session-timeout, url, user-profile, and vpn-instance. • For IPoE users, only the following authorization attributes take effect: acl, idle-cut, ip-pool, ipv6-pool, ipv6-prefix, primary-dns, secondary-dns, session-timeout, user-profile, and vpn-instance.
  • Page 70: Bind-Attribute

    # Assign the security-audit user role to device management user xyz as the authorized user role. <Sysname> system-view [Sysname] local-user xyz class manage [Sysname-luser-manage-xyz] authorization-attribute user-role security-audit This operation will delete all other roles of the user. Are you sure? [Y/N]:y Related commands display local-user display user-group...
  • Page 71: Company

    because 802.1X authentication can include the user's IP address in the packet. However, you cannot configure IP address bindings for MAC authentication users, because MAC authentication does not use IP addresses. The binding interface type must meet the requirements of the local user. Configure the binding interface based on the service type of the user.
  • Page 72: Description

    description Use description to configure a description for a network access user. Use undo description to restore the default. Syntax description text undo description Default No description is configured for a network access user. Views Network access user view Predefined user roles network-admin Parameters text: Configures a description, a case-sensitive string of 1 to 255 characters.
  • Page 73: Display Local-User

    Usage guidelines On the Web registration page, users submit local guest registration requests for approval. The guest manager can add supplementary information to the guest accounts and approve the requests. The device then creates local guest accounts based on the approved requests. Examples # Display all pending registration requests for local guests.
  • Page 74 network: Network access user. guest: Guest user account. idle-cut { disable | enable }: Specifies local users with the idle cut feature disabled or enabled. service-type: Specifies the local users who use a specific type of service. • advpn: ADVPN tunnel users. •...
  • Page 75 Bind attributes: IP address: 2.2.2.2 Location bound: GigabitEthernet1/0/1 MAC address: 0001-0001-0001 VLAN ID: Calling number: Authorization attributes: Idle timeout: 33 minutes Work directory: flash: ACL number: 2000 User profile: User role list: network-operator, level-0, level-3 Network access guest user user1: State: Active Service type:...
  • Page 76 Field Description Authorization attributes Authorization attributes of the local user. Idle timeout Idle timeout period of the user, in minutes. Session-timeout Session timeout timer of the user, in minutes. Callback number Authorized PPP callback number of the local user. Work directory Directory that the FTP, SFTP, or SCP user can access.
  • Page 77: Display User-Group

    Field Description Email Email address of the local guest. Phone Phone number of the local guest. Description Description of the local guest. Sponsor full name Name of the guest sponsor. Sponsor department Department of the guest sponsor. Sponsor email Email address of the guest sponsor. Period of validity Validity period of the local guest.
  • Page 78 Password aging: Enabled (2 days) Table 4 Command output Field Description Authorization attributes Authorization attributes of the user group. Idle timeout Idle timeout period, in minutes. Session-timeout Session timeout timer, in minutes. Callback number Authorized PPP callback number. Work directory Directory that FTP, SFTP, or SCP users in the group can access.
  • Page 79: Email

    email Use email to configure an email address for a local guest. Use undo email to restore the default. Syntax email email-string undo email Default No email address is configured for a local guest. Views Local guest view Predefined user roles network-admin Parameters email-string: Specifies the email address for the local guest, a case-sensitive string of 1 to 255...
  • Page 80: Group

    Parameters name-string: Specifies the local guest name, a case-sensitive string of 1 to 255 characters. Examples # Configure the name as abc Snow for local guest abc. <Sysname> system-view [Sysname] local-user abc class network guest [Sysname-luser-network(guest)-abc] full-name abc Snow Related commands display local-user group Use group to assign a local user to a user group.
  • Page 81: Local-Guest Email Format

    Default The guest auto-delete feature is disabled. Views System view Predefined user roles network-admin Usage guidelines This feature enables the device to automatically delete the local guest accounts when they expire. Examples # Enable the guest auto-delete feature. <Sysname> system-view [Sysname] local-guest auto-delete enable Related commands validity-datetime...
  • Page 82: Local-Guest Email Sender

    Usage guidelines Email notifications are sent to inform the local guests, guest sponsors, or guest managers of the guest account information or guest registration requests. Use this command to configure the subject and body for the email notifications to be sent by the device. You can configure one subject and one body for each email recipient.
  • Page 83: Local-Guest Email Smtp-Server

    [Sysname] local-guest email sender abc@yyy.com Related commands local-guest email format local-guest email smtp-server local-guest manager-email local-guest send-email local-guest email smtp-server Use local-guest email smtp-server to specify an SMTP server to send email notifications of local guests. Use undo local-guest email smtp-server to restore the default. Syntax local-guest email smtp-server url-string undo local-guest email smtp-server...
  • Page 84 Syntax local-guest generate username-prefix name-prefix [ password-prefix password-prefix ] suffix suffix-number [ group group-name ] count user-count validity-datetime start-date start-time to expiration-date expiration-time Views System view Predefined user roles network-admin Parameters username-prefix name-prefix: Specifies the name prefix. The name-prefix argument is a case-sensitive string of 1 to 45 characters.
  • Page 85: Local-Guest Manager-Email

    Examples # Create 20 local guests in batch with user names abc01 through abc20 for user group visit. The user accounts are effective from 2014/10/01 00:00:00 to 2015/10/02 12:00:00. <Sysname> system-view [Sysname] local-guest generate username-prefix abc suffix 01 group visit count 20 validity-datetime 2014/10/01 00:00:00 to 2015/10/02 12:00:00 Related commands local-user...
  • Page 86: Local-Guest Send-Email

    local-guest send-email Use local-guest send-email to send emails to a local guest or guest sponsor. Syntax local-guest send-email user-name user-name to { guest | sponsor } Views User view Predefined user roles network-admin Parameters user-name user-name: Specifies a local guest by user name, a case-sensitive string of 1 to 55 characters.
  • Page 87: Local-User

    Usage guidelines The waiting-approval timeout timer starts when the registration request of a local guest is sent for approval. If the request is not approved within the timer, the device deletes the registration request. Examples # Set the waiting-approval timeout timer to 12 hours. <Sysname>...
  • Page 88: Local-User-Export

    • lan-access: LAN users who typically access the network through an Ethernet, such as 802.1X users. • pad: X.25 PAD users. • portal: Portal users. • ppp: PPP users. • ssh: SSH users. • telnet: Telnet users. • terminal: Terminal users who log in through console ports, AUX ports, or async ports. Usage guidelines If you do not specify the class { manage | network } option, this command adds a device management user.
  • Page 89: Local-User-Import

    Usage guidelines You can import the user account information back to the device or to other devices that support the local-user-import command. Before the import, you can edit the .csv file as needed. However, you must follow the restrictions in "local-user-import." The device supports TFTP and FTP file transfer modes.
  • Page 90 start-date: Specifies the start date of the validity period, in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035. start-time: Specifies the start time of the validity period, in the format of hh:mm:ss.
  • Page 91: Password

    Table 6 URL formats Protocol URL format Description TFTP tftp://server/path/filename Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv. • With user name password: ftp://username:password@server/ Specify an FTP server by IP address or hostname. The device ignores the domain name in the...
  • Page 92: Phone

    hash: Specifies a password encrypted by the hash algorithm. simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form. string: Specifies the password string. This argument is case sensitive. •...
  • Page 93: Reset Local-Guest Waiting-Approval

    Default No phone number is specified for a local guest. Views Local guest view Predefined user roles network-admin Parameters phone-number: Specifies the phone number, a string of 1 to 32 characters that can contain only digits and hyphens (-). Examples # Specify the phone number as 138-137239201 for local guest abc.
  • Page 94 service-type { advpn | ftp | ike | ipoe | lan-access | { http | https | pad | ssh | telnet | terminal } * | portal | ppp } undo service-type { advpn | ftp | ike | ipoe | lan-access | { http | https | pad | ssh | telnet | terminal } * | portal | ppp } In FIPS mode: service-type { advpn | ike | ipoe | lan-access | { https | pad | ssh | terminal } * | portal | ppp }...
  • Page 95: Sponsor-Department

    sponsor-department Use sponsor-department to specify the department of the guest sponsor for a local guest. Use undo sponsor-department to restore the default. Syntax sponsor-department department-string undo sponsor-department Default No department is specified for the guest sponsor. Views Local guest view Predefined user roles network-admin Parameters...
  • Page 96: Sponsor-Full-Name

    Examples # Specify the email address as Sam@a.com for the guest sponsor of local guest abc. <Sysname> system-view [Sysname] local-user abc class network guest [Sysname-luser-network(guest)-abc] sponsor-email Sam@a.com Related commands display local-user sponsor-full-name Use sponsor-full-name to specify the guest sponsor name for a local guest. Use undo sponsor-full-name to restore the default.
  • Page 97: User-Group

    Views Local user view Predefined user roles network-admin Parameters active: Places the local user in active state to allow the local user to request network services. block: Places the local user in blocked state to prevent the local user from requesting network services.
  • Page 98: Validity-Datetime

    Examples # Create a user group named abc and enter user group view. <Sysname> system-view [Sysname] user-group abc [Sysname-ugroup-abc] Related commands display user-group validity-datetime Use validity-datetime to specify the validity period for a local guest. Use undo validity-datetime to restore the default. Syntax validity-datetime start-date start-time to expiration-date expiration-time undo validity-datetime...
  • Page 99: Radius Commands

    [Sysname-luser-network(guest)-abc] validity-datetime 2014/10/01 00:00:00 to 2015/10/02 12:00:00 Related commands display local-user RADIUS commands aaa device-id Use aaa device-id to configure the device ID. Use undo aaa device-id to restore the default. Syntax aaa device-id device-id undo aaa device-id Default The device ID is 0. Views System view Predefined user roles...
  • Page 100: Accounting-On Extended

    Default The accounting-on feature is disabled. Views RADIUS scheme view Predefined user roles network-admin Parameters interval interval: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the interval argument is 1 to 15, and the default setting is 3 seconds. send send-times: Specifies the maximum number of accounting-on packet transmission attempts.
  • Page 101: Attribute 15 Check-Mode

    Usage guidelines The extended accounting-on feature enhances the accounting-on feature by applying to the scenario that an SPU reboots but the device does not reboot. For the extended accounting-on feature to take effect, you must enable the accounting-on feature. The extended accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after an SPU reboot.
  • Page 102: Attribute 25 Car

    Usage guidelines Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users. Examples # Configure the Login-Service attribute check method as loose for SSH, FTP, and terminal users in RADIUS scheme radius1.
  • Page 103: Client

    Syntax attribute remanent-volume unit { byte | giga-byte | kilo-byte | mega-byte } undo attribute remanent-volume unit Default The data measurement unit is kilobyte for the Remanent_Volume attribute. Views RADIUS scheme view Predefined user roles network-admin network-operator Parameters byte: Specifies the unit as byte. giga-byte: Specifies the unit as gigabyte.
  • Page 104: Data-Flow-Format (Radius Scheme View)

    Parameters ip ipv4-address: Specifies a DAE client by its IPv4 address. ipv6 ipv6-address: Specifies a DAE client by its IPv6 address. key: Specifies the shared key for secure communication between the RADIUS DAE client and server. Make sure the shared key is the same as the key configured on the RADIUS DAE client. If the RADIUS DAE client does not have any shared key, do not specify this option.
  • Page 105: Display Radius Scheme

    Predefined user roles network-admin Parameters data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte. packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
  • Page 106 State: Active Test profile: 132 Probe username: test Probe interval: 60 minutes Primary accounting server: IP : 1.1.1.1 Port: 1813 VPN : Not configured State: Active Second authentication server: IP : 3.3.3.3 Port: 1812 VPN : Not configured State: Block Test profile: Not configured Second accounting server: IP : 3.3.3.3...
  • Page 107 Field Description Port Service port number of the server. If no port number is specified, this field displays the default port number. MPLS L3VPN instance to which the server belongs. If no VPN instance is specified for the server, this field displays Not configured. Status of the server: •...
  • Page 108: Display Radius Statistics

    Field Description Attribute Remanent-Volume unit Data measurement unit for the RADIUS Remanent_Volume attribute. display radius statistics Use display radius statistics to display RADIUS packet statistics. Syntax display radius statistics Views Any view Predefined user roles network-admin network-operator Examples # Display RADIUS packet statistics. <Sysname>...
  • Page 109: Key (Radius Scheme View)

    Field Description Account Start Number of start-accounting packets. Account Update Number of accounting update packets. Account Stop Number of stop-accounting packets. Terminate Request Number of packets for logging off users forcibly. Set Policy Number of packets for updating user authorization information. Packet With Response Number of packets for which responses were received.
  • Page 110: Nas-Ip (Radius Scheme View)

    Usage guidelines The shared keys configured by using this command apply to all servers in the scheme. Make sure the settings match the shared keys configured on the RADIUS servers. The shared keys specified for specific RADIUS servers take precedence over the shared key specified with this command.
  • Page 111: Port

    As a best practice to avoid RADIUS packet loss caused by physical port errors, specify a loopback interface address as the source IP address for outgoing RADIUS packets. If you use both the nas-ip command and radius nas-ip command, the following guidelines apply: •...
  • Page 112: Primary Accounting (Radius Scheme View)

    [Sysname] radius dynamic-author server [Sysname-radius-da-server] port 3790 Related commands client radius dynamic-author server primary accounting (RADIUS scheme view) Use primary accounting to specify the primary RADIUS accounting server. Use undo primary accounting to restore the default. Syntax primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * undo primary accounting Default...
  • Page 113: Primary Authentication (Radius Scheme View)

    The shared key configured by using this command takes precedence over the shared key configured with the key accounting command. If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.
  • Page 114 key: Specifies the shared key for secure communication with the primary RADIUS authentication server. cipher: Specifies the key in encrypted form. simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form. string: Specifies the key.
  • Page 115: Radius Dscp

    radius dscp Use radius dscp to change the DSCP priority of RADIUS packets. Use undo radius dscp to restore the default. Syntax radius [ ipv6 ] dscp dscp-value undo radius [ ipv6 ] dscp Default The DSCP priority of RADIUS packets is 0. Views System view Predefined user roles...
  • Page 116: Radius Nas-Ip

    Usage guidelines When you enable the RADIUS DAE server feature, the device listens to UDP port 3799 to receive DAE packets from specified DAE clients. Examples # Enable the RADIUS DAE server feature and enter RADIUS DAE server view. <Sysname> system-view [Sysname] radius dynamic-author server [Sysname-radius-da-server] Related commands...
  • Page 117: Radius Scheme

    If you use both the nas-ip command and radius nas-ip command, the following guidelines apply: • The setting configured by the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme. • The setting configured by the radius nas-ip command in system view applies to all RADIUS schemes.
  • Page 118: Radius Session-Control Client

    [Sysname] radius scheme radius1 [Sysname-radius-radius1] Related commands display radius scheme radius session-control client Use radius session-control client to specify a RADIUS session-control client. Use undo radius session-control client to remove the specified RADIUS session-control clients. Syntax radius session-control client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string | vpn-instance vpn-instance-name ] * undo radius session-control client { all | { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }...
  • Page 119: Radius Session-Control Enable

    The IP, VPN instance, and shared key settings of the session-control client must be the same as the settings of the RADIUS server. The system supports multiple RADIUS session-control clients. Examples # Specify a session-control client with IP address 10.110.1.2 and shared key 12345 in plaintext form. <Sysname>...
  • Page 120: Reset Radius Statistics

    Predefined user roles network-admin Parameters profile-name: Specifies the name of the test profile, which is a case-sensitive string of 1 to 31 characters. username name: Specifies the username in the detection packets. The name argument is a case-sensitive string of 1 to 253 characters. interval interval: Specifies the interval for sending a detection packet, in minutes.
  • Page 121: Retry

    retry Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. Use undo retry to restore the default. Syntax retry retries undo retry Default The maximum number of RADIUS packet transmission attempts is 3. Views RADIUS scheme view Predefined user roles...
  • Page 122: Retry Realtime-Accounting

    retry realtime-accounting Use retry realtime-accounting to set the maximum number of accounting attempts. Use undo retry realtime-accounting to restore the default. Syntax retry realtime-accounting retries undo retry realtime-accounting Default The maximum number of accounting attempts is 5. Views RADIUS scheme view Predefined user roles network-admin Parameters...
  • Page 123 Use undo secondary accounting to remove a secondary RADIUS accounting server. Syntax secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * undo secondary accounting [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ] Default No secondary RADIUS accounting servers are specified.
  • Page 124: Secondary Authentication (Radius Scheme View)

    If you use the secondary accounting command to modify or delete a secondary accounting server to which the device is sending a start-accounting request, communication with the secondary server times out. The device tries to communicate with an active server that has the highest priority for accounting.
  • Page 125 port-number: Sets the service port number of the secondary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812. key: Specifies the shared key for secure communication with the secondary RADIUS authentication server.
  • Page 126: Snmp-Agent Trap Enable Radius

    [Sysname-radius-radius2] secondary authentication 10.110.1.2 1812 Related commands display radius scheme key (RADIUS scheme view) primary authentication (RADIUS scheme view) radius-server test-profile vpn-instance (RADIUS scheme view) snmp-agent trap enable radius Use snmp-agent trap enable radius to enable SNMP notifications for RADIUS. Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS.
  • Page 127: State Primary

• RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires. • Excessive authentication failures notification—RADIUS generates this notification when the ratio of authentication failures to the total number of authentication attempts exceeds the specified threshold.
  • Page 128: State Secondary

    Examples # In RADIUS scheme radius1, set the primary authentication server to the blocked state. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] state primary authentication block Related commands display radius scheme radius-server test-profile state secondary state secondary Use state secondary to set the status of a secondary RADIUS server. Syntax state secondary { accounting | authentication } [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ] { active | block }...
  • Page 129: Timer Quiet (Radius Scheme View)

    When the quiet timer of a server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active. If all configured secondary servers are unreachable, the device considers the authentication or accounting attempt a failure.
  • Page 130: Timer Realtime-Accounting (Radius Scheme View)

    [Sysname] radius scheme radius1 [Sysname-radius-radius1] timer quiet 10 Related commands display radius scheme timer realtime-accounting (RADIUS scheme view) Use timer realtime-accounting to set the real-time accounting interval. Use undo timer realtime-accounting to restore the default. Syntax timer realtime-accounting interval [ second ] undo timer realtime-accounting Default The real-time accounting interval is 12 minutes.
  • Page 131: Timer Response-Timeout (Radius Scheme View)

    Related commands retry realtime-accounting timer response-timeout (RADIUS scheme view) Use timer response-timeout to set the RADIUS server response timeout timer. Use undo timer response-timeout to restore the default. Syntax timer response-timeout seconds undo timer response-timeout Default The RADIUS server response timeout period is 3 seconds. Views RADIUS scheme view Predefined user roles...
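The retry, timer quiet, timer response-timeout and state primary/secondary commands above together decide how long a request can hang and which server answers it. The following Python model is an added example, not code from this manual or from Comware; it reproduces the behaviour the pages describe (each active server is tried retries times with response-timeout per attempt, a silent server is blocked and its quiet timer started, a manually blocked server stays blocked past the quiet timer) so that the worst-case delay of a scheme can be read off before it is deployed. The server addresses, reachability flags and the 10-minute quiet timer are constructed for the example (10 minutes is the value in the page's own example, not the default).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RadiusServer:
    address: str
    reachable: bool                 # constructed: whether the server answers at all
    state: str = "active"           # "active" or "block", as shown by display radius scheme
    manually_blocked: bool = False  # set with state primary/secondary ... block
    quiet_until: float = 0.0        # absolute time (seconds) at which the quiet timer expires


@dataclass
class RadiusScheme:
    servers: List[RadiusServer]     # primary first, then secondaries in configured order
    retries: int = 3                # retry retries: attempts per server, default 3
    response_timeout: float = 3.0   # timer response-timeout seconds, default 3
    quiet_minutes: int = 10         # timer quiet minutes; 10 is the page's example, not a default


def refresh_states(scheme: RadiusScheme, now: float) -> None:
    """A blocked server returns to active when its quiet timer expires, unless an
    administrator blocked it by hand; then only a manual 'state ... active' restores it."""
    for s in scheme.servers:
        if s.state == "block" and not s.manually_blocked and now >= s.quiet_until:
            s.state = "active"


def set_server_state(scheme: RadiusScheme, address: str, state: str) -> None:
    """Equivalent of state primary/secondary ... { active | block } for one server."""
    for s in scheme.servers:
        if s.address == address:
            s.state = state
            s.manually_blocked = state == "block"
            return
    raise KeyError(address)


def send_request(scheme: RadiusScheme, now: float) -> Tuple[Optional[str], float]:
    """Try each active server up to `retries` times, waiting response_timeout per attempt.
    A server that never answers is blocked and its quiet timer started; the next active
    server is then tried. Returns (answering server, seconds spent) or (None, seconds spent)
    when no active server answers, which the device reports as a failed attempt."""
    refresh_states(scheme, now)
    elapsed = 0.0
    for s in scheme.servers:
        if s.state != "active":
            continue  # blocked servers are skipped without waiting
        for _ in range(scheme.retries):
            if s.reachable:
                return s.address, elapsed
            elapsed += scheme.response_timeout
        s.state = "block"
        s.quiet_until = now + elapsed + scheme.quiet_minutes * 60
    return None, elapsed


def worst_case_delay(scheme: RadiusScheme) -> float:
    """Longest a single request can hang: every server active and none answering."""
    return len(scheme.servers) * scheme.retries * scheme.response_timeout


def build_example_scheme() -> RadiusScheme:
    # Constructed scheme: primary and first secondary silent, second secondary answering.
    return RadiusScheme(servers=[
        RadiusServer("10.110.1.1", reachable=False),
        RadiusServer("10.110.1.2", reachable=False),
        RadiusServer("10.110.1.3", reachable=True),
    ])


if __name__ == "__main__":
    scheme = build_example_scheme()
    print(send_request(scheme, now=0.0))
    print([(s.address, s.state) for s in scheme.servers])
    print("worst case before failure:", worst_case_delay(scheme), "s")
```

With the defaults, three servers give a 27-second worst case before the device declares the attempt failed; a second request arriving while all servers are blocked fails immediately, because blocked servers are not tried until their quiet timers expire.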
  • Page 132: User-Name-Format (Radius Scheme View)

    user-name-format (RADIUS scheme view) Use user-name-format to specify the format of the username to be sent to a RADIUS server. Use undo user-name-format to restore the default. Syntax user-name-format { keep-original | with-domain | without-domain } undo user-name-format Default The ISP domain name is included in the usernames sent to the RADIUS servers. Views RADIUS scheme view Predefined user roles...
  • Page 133: Hwtacacs Commands

    Use undo vpn-instance to restore the default. Syntax vpn-instance vpn-instance-name undo vpn-instance Default The RADIUS scheme belongs to the public network. Views RADIUS scheme view Predefined user roles network-admin Parameters vpn-instance-name: Specifies an MPLS L3VPN instance by the name, a case-sensitive string of 1 to 31 characters.
  • Page 134: Display Hwtacacs Scheme

    Parameters data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte. packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
  • Page 135 Single-connection: Enabled Primary Author Server: : 2.2.2.2 Port: 49 State: Active VPN Instance: 2 Single-connection: Disabled Primary Acct Server: : Not Configured Port: 49 State: Block VPN Instance: Not configured Single-connection: Disabled VPN Instance NAS IP Address : 2.2.2.3 Server Quiet Period(minutes) Realtime Accounting Interval(minutes) : 12 Response Timeout Interval(seconds) Username Format...
  • Page 136: Hwtacacs Nas-Ip

Field Description Response Timeout Interval(seconds) HWTACACS server response timeout period, in seconds. Username Format Format for the usernames sent to the HWTACACS server. Possible values include: • with-domain—Includes the domain name. • without-domain—Excludes the domain name. • keep-original—Forwards the username as the username is entered.
  • Page 137: Hwtacacs Scheme

    As a best practice to avoid HWTACACS packet loss caused by physical port errors, specify a loopback interface address as the source IP address for outgoing HWTACACS packets. If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply: •...
  • Page 138: Key (Hwtacacs Scheme View)

    Examples # Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] Related commands display hwtacacs scheme key (HWTACACS scheme view) Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.
  • Page 139: Nas-Ip (Hwtacacs Scheme View)

    [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&! # Set the shared key to 123456TESTautr&! in plaintext form for secure HWTACACS authorization communication. [Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&! # Set the shared key to 123456TESTacct&! in plaintext form for secure HWTACACS accounting communication.
  • Page 140: Primary Accounting (Hwtacacs Scheme View)

• The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme. • The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes. • The setting in HWTACACS scheme view takes precedence over the setting in system view. You can specify only one source IPv4 address and one source IPv6 address for an HWTACACS...
  • Page 141: Primary Authentication (Hwtacacs Scheme View)

    • In non-FIPS mode, the encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters. • In FIPS mode, the encrypted form of the key is a string of 15 to 373 characters. The plaintext form of the key is a string of 15 to 255 characters.
  • Page 142 Views HWTACACS scheme view Predefined user roles network-admin Parameters ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server. ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authentication server. port-number: Specifies the service port number of the primary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535.
  • Page 143: Primary Authorization

    Related commands display hwtacacs scheme key (HWTACACS scheme view) secondary authentication (HWTACACS scheme view) vpn-instance (HWTACACS scheme view) primary authorization Use primary authorization to specify the primary HWTACACS authorization server. Use undo primary authorization to restore the default. Syntax primary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] * undo primary authorization Default...
  • Page 144: Reset Hwtacacs Statistics

    vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary HWTACACS authorization server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Usage guidelines Make sure that the port number and shared key settings of the primary HWTACACS authorization server are the same as those configured on the server.
  • Page 145: Secondary Accounting (Hwtacacs Scheme View)

    Related commands display hwtacacs scheme secondary accounting (HWTACACS scheme view) Use secondary accounting to specify a secondary HWTACACS accounting server. Use undo secondary accounting to remove a secondary HWTACACS accounting server. Syntax secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] * undo secondary accounting [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]...
  • Page 146: Secondary Authentication (Hwtacacs Scheme View)

Usage guidelines Make sure that the port number and shared key settings of the secondary HWTACACS accounting server are the same as those configured on the server. An HWTACACS scheme supports a maximum of 16 secondary HWTACACS accounting servers. If the primary server fails, the device tries to communicate with a secondary server in the active state.
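The HWTACACS pages above give three checks worth running on a configuration script before it is pasted into a device: the nas-ip guidance (use a loopback source address, set per scheme or globally), the key-length rules (15 to 255 plaintext characters in FIPS mode) and the failover rule (a secondary server is only tried if one is configured). The following Python auditor is an added example, not part of this manual or of any HPE tool; it parses a Comware-style script into scheme blocks and reports those three conditions plus any key given with the simple keyword. The sample script, its addresses and its keys are constructed for the example, and the audit applies to the script text only, not to what the device later stores in its running configuration.

```python
import re
from typing import Dict, List, Tuple

# Matches the shared-key forms shown on these pages: "key authentication simple ..." in
# scheme view and "... key { cipher | simple } string" appended to a server line.
KEY_RE = re.compile(
    r"\bkey\s+(?:(?:authentication|authorization|accounting)\s+)?(cipher|simple)\s+(\S+)"
)
SCHEME_RE = re.compile(r"^(radius|hwtacacs) scheme (\S+)$")
FIPS_MIN_PLAINTEXT_KEY = 15  # FIPS mode: plaintext key of 15 to 255 characters

# Constructed configuration script; addresses and keys are placeholders for the example.
SAMPLE_CONFIG = """\
hwtacacs scheme hwt1
 primary authentication 10.110.1.1 49
 secondary authentication 10.110.1.3 49
 key authentication simple 123456TESTauth&!
 key authorization simple short
 nas-ip 10.110.1.254
#
hwtacacs scheme hwt2
 primary authentication 10.110.2.1 49
 key authentication cipher $c$3$PLACEHOLDER
#
radius scheme radius1
 primary authentication 10.110.1.2 1812
 secondary authentication 10.110.1.4 1812
 key authentication cipher $c$3$PLACEHOLDER
#
"""


def parse_schemes(config: str) -> Tuple[Dict[Tuple[str, str], List[str]], List[str]]:
    """Split the script into scheme blocks (indented lines under a 'radius scheme' or
    'hwtacacs scheme' line) and the remaining system-view lines. '#' ends a block."""
    schemes: Dict[Tuple[str, str], List[str]] = {}
    system_lines: List[str] = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#":
            current = None
            continue
        m = SCHEME_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            schemes[current] = []
        elif line.startswith(" ") and current is not None:
            schemes[current].append(line.strip())
        else:
            current = None
            system_lines.append(line.strip())
    return schemes, system_lines


def audit(config: str) -> List[str]:
    """Return one finding per problem, tagged with the scheme it belongs to."""
    schemes, system_lines = parse_schemes(config)
    global_hwtacacs_nas_ip = any(l.startswith("hwtacacs nas-ip") for l in system_lines)
    findings: List[str] = []
    for (kind, name), lines in schemes.items():
        tag = f"{kind} scheme {name}"
        has_primary = any(l.startswith("primary authentication") for l in lines)
        has_secondary = any(l.startswith("secondary authentication") for l in lines)
        if has_primary and not has_secondary:
            findings.append(f"{tag}: no secondary authentication server, so there is "
                            f"nothing to fail over to while the primary is blocked")
        if kind == "hwtacacs" and not global_hwtacacs_nas_ip \
                and not any(l.startswith("nas-ip") for l in lines):
            findings.append(f"{tag}: no nas-ip in scheme or system view; the best "
                            f"practice is a loopback interface address")
        for l in lines:
            for form, key in KEY_RE.findall(l):
                if form != "simple":
                    continue
                findings.append(f"{tag}: shared key given in simple (plaintext) form in '{l}'")
                if len(key) < FIPS_MIN_PLAINTEXT_KEY:
                    findings.append(f"{tag}: plaintext key in '{l}' is {len(key)} characters, "
                                    f"below the FIPS-mode minimum of {FIPS_MIN_PLAINTEXT_KEY}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample script the auditor reports five findings: two plaintext keys and one too-short key for hwt1, and a missing secondary server and missing nas-ip for hwt2; radius1 is clean.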
  • Page 147 ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authentication server. port-number: Specifies the service port number of the secondary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49. key: Specifies the shared key for secure communication with the secondary HWTACACS authentication server.
  • Page 148: Secondary Authorization

key (HWTACACS scheme view) primary authentication (HWTACACS scheme view) vpn-instance (HWTACACS scheme view) secondary authorization Use secondary authorization to specify a secondary HWTACACS authorization server. Use undo secondary authorization to remove a secondary HWTACACS authorization server. Syntax secondary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] * undo secondary authorization [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]...
  • Page 149: Timer Quiet (Hwtacacs Scheme View)

Usage guidelines Make sure that the port number and shared key settings of the secondary HWTACACS authorization server are the same as those configured on the server. An HWTACACS scheme supports a maximum of 16 secondary HWTACACS authorization servers. If the primary server fails, the device tries to communicate with a secondary server in the active state.
  • Page 150: Timer Realtime-Accounting (Hwtacacs Scheme View)

    Examples # In HWTACACS scheme hwt1, set the server quiet timer to 10 minutes. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] timer quiet 10 Related commands display hwtacacs scheme timer realtime-accounting (HWTACACS scheme view) Use timer realtime-accounting to set the real-time accounting interval. Use undo timer realtime-accounting to restore the default.
  • Page 151: Timer Response-Timeout (Hwtacacs Scheme View)

    Related commands display hwtacacs scheme timer response-timeout (HWTACACS scheme view) Use timer response-timeout to set the HWTACACS server response timeout timer. Use undo timer response-timeout to restore the default. Syntax timer response-timeout seconds undo timer response-timeout Default The HWTACACS server response timeout time is 5 seconds. Views HWTACACS scheme view Predefined user roles...
  • Page 152: Vpn-Instance (Hwtacacs Scheme View)

    Views HWTACACS scheme view Predefined user roles network-admin Parameters keep-original: Sends the username to the HWTACACS server as the username is entered. with-domain: Includes the ISP domain name in the username sent to the HWTACACS server. without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.
  • Page 153: Attribute-Map

    Parameters vpn-instance-name: Specifies an MPLS L3VPN instance by the name, a case-sensitive string of 1 to 31 characters. Usage guidelines The VPN instance specified for an HWTACACS scheme applies to all servers in that scheme. If a VPN instance is also configured for an individual HWTACACS server, the VPN instance specified for the HWTACACS scheme does not take effect on that server.
  • Page 154: Authentication-Server

    <Sysname> system-view [Sysname] ldap scheme test [Sysname-ldap-test] attribute-map map1 Related commands display ldap-scheme ldap attribute-map authentication-server Use authentication-server to specify the LDAP authentication server for an LDAP scheme. Use undo authentication-server to restore the default. Syntax authentication-server server-name undo authentication-server Default No LDAP authentication server is specified.
  • Page 155: Display Ldap Scheme

    Default No LDAP authorization server is specified. Views LDAP scheme view Predefined user roles network-admin Parameters server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters. Usage guidelines You can specify only one LDAP authorization server in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.
  • Page 156 : 1.1.1.1 Port : 111 VPN instance : Not configured LDAP protocol version : LDAPv3 Server timeout interval : 10 seconds Login account DN : Not configured Base DN : Not configured Search scope : all-level User searching parameters: User object class : Not configured Username attribute : cn...
  • Page 157 Field Description User DN search scope, including: • all-level—All subdirectories. Search scope • single-level—Next lower level of subdirectories under the base User searching parameters User search parameters. User object class for user DN search. If no user object class is User object class configured, this field displays Not configured.
  • Page 158: Ipv6

    Related commands ldap server ipv6 Use ipv6 to configure the IPv6 address and port number of the LDAP server. Use undo ipv6 to restore the default. Syntax ipv6 ipv6-address [ port port-number ] [ vpn-instance vpn-instance-name ] undo ipv6 Default An LDAP server does not have an IPv6 address or port number.
  • Page 159: Ldap Scheme

    undo ldap attribute-map map-name Default No LDAP attribute maps exist. Views System view Predefined user roles network-admin Parameters map-name: Specifies the name of the LDAP attribute map, a case-insensitive string of 1 to 31 characters. Usage guidelines Execute this command multiple times to create multiple LDAP attribute maps. You can add multiple mapping entries to an LDAP attribute map.
  • Page 160: Ldap Server

    Usage guidelines An LDAP scheme can be used by more than one ISP domain at the same time. You can configure a maximum of 16 LDAP schemes. Examples # Create an LDAP scheme named ldap1 and enter LDAP scheme view. <Sysname>...
  • Page 161: Login-Password

    Default No administrator DN is specified. Views LDAP server view Predefined user roles network-admin Parameters dn-string: Specifies the administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters. Usage guidelines The administrator DN specified on the device must be consistent with the administrator DN configured on the LDAP server.
  • Page 162 Usage guidelines This command is effective only after the login-dn command is configured. Examples # Specify the administrator password as abcdefg in plaintext form for LDAP server ccc. <Sysname> system-view [Sysname] ldap server ccc [Sysname-ldap-server-ccc] login-password simple abcdefg Related commands display ldap scheme login-dn Use map to configure mapping entries in an LDAP attribute map.
  • Page 163: Protocol-Version

    Examples # In LDAP attribute map map1, map a partial value string of the LDAP attribute named memberof to AAA attribute named user-group. <Sysname> system-view [Sysname] ldap attribute-map map1 [Sysname-ldap-map-map1] map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group Related commands ldap attribute-map user-group user-profile...
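The map command above extracts a partial value string from an LDAP attribute, for example the cn= part of each memberof DN, and hands it to AAA as a user-group. The following Python function is an added example, not code from this manual or from Comware, showing that extraction and how a map with several entries turns one directory entry into AAA attributes. The semantics are assumptions for the example: the prefix is matched at the start of the value and compared case-insensitively (LDAP attribute types are case-insensitive), a value that lacks the prefix is skipped, a missing delimiter means the rest of the value is used, and every matching value of a multi-valued attribute is kept. The directory entry and the second map entry (department to user-profile) are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MapEntry:
    """One 'map ldap-attribute ... aaa-attribute ...' line of an LDAP attribute map."""
    ldap_attribute: str
    aaa_attribute: str
    prefix: Optional[str] = None     # text that must start the value, e.g. "cn="
    delimiter: Optional[str] = None  # text that ends the extracted part, e.g. ","


def extract_partial_value(value: str, prefix: Optional[str], delimiter: Optional[str]) -> Optional[str]:
    """Return the part of value between prefix and delimiter (assumed semantics, see above)."""
    rest = value
    if prefix:
        if not value.lower().startswith(prefix.lower()):
            return None              # value does not carry the prefix: nothing to map
        rest = value[len(prefix):]
    if delimiter:
        rest = rest.split(delimiter, 1)[0]
    rest = rest.strip()
    return rest or None


def apply_attribute_map(entry: Dict[str, List[str]], attribute_map: List[MapEntry]) -> Dict[str, List[str]]:
    """Apply every map entry to an LDAP entry and collect the resulting AAA attributes."""
    lowered = {k.lower(): v for k, v in entry.items()}  # attribute names are case-insensitive
    result: Dict[str, List[str]] = {}
    for m in attribute_map:
        for value in lowered.get(m.ldap_attribute.lower(), []):
            part = extract_partial_value(value, m.prefix, m.delimiter)
            if part is not None:
                result.setdefault(m.aaa_attribute, []).append(part)
    return result


# Constructed directory entry: two group DNs with cn=, one without, plus a department value.
SAMPLE_ENTRY = {
    "memberOf": [
        "CN=netadmins,OU=Groups,DC=example,DC=com",
        "cn=vpn-users,ou=groups,dc=example,dc=com",
        "ou=orphans,dc=example,dc=com",
    ],
    "department": ["netops"],
    "cn": ["alice"],
}

# map1 from the page, plus a constructed second entry to show a multi-entry map.
MAP1 = [
    MapEntry("memberof", "user-group", prefix="cn=", delimiter=","),
    MapEntry("department", "user-profile"),
]


def demo() -> Dict[str, List[str]]:
    return apply_attribute_map(SAMPLE_ENTRY, MAP1)


if __name__ == "__main__":
    print(demo())
```

The DN without a cn= prefix is dropped rather than mapped, which is the behaviour to check for on a real directory: a group whose RDN is not cn= silently produces no user-group.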
  • Page 164: Search-Base-Dn

    search-base-dn Use search-base-dn to specify the base DN for user search. Use undo search-base-dn to restore the default. Syntax search-base-dn base-dn undo search-base-dn Default No base DN is specified for user search. Views LDAP server view Predefined user roles network-admin Parameters base-dn: Specifies the base DN for user search, a case-insensitive string of 1 to 255 characters.
  • Page 165: Server-Timeout

    single-level: Specifies that the search goes through only the next lower level of subdirectories under the base DN. Examples # Specify the search scope for the LDAP authentication as all subdirectories of the base DN for LDAP server ccc. <Sysname> system-view [Sysname] ldap server ccc [Sysname-ldap-server-ccc] search-scope all-level Related commands...
  • Page 166: Accounting-Level

    Use undo user-parameters to restore the default of an LDAP user attribute. Syntax user-parameters { user-name-attribute { name-attribute | cn | uid } | user-name-format { with-domain | without-domain } | user-object-class object-class-name } undo user-parameters { user-name-attribute | user-name-format | user-object-class } Default The LDAP username attribute is cn and the username format is without-domain.
  • Page 167: Accounting-Merge Enable

    undo accounting-level [ level ] Default No traffic levels are specified for ITA accounting. Views ITA policy view Predefined user roles network-admin Parameters level: Specifies a traffic level in the range of 1 to 8. ipv4: Counts the traffic as IPv4 traffic. ipv6: Counts the traffic as IPv6 traffic.
  • Page 168: Accounting-Method

    Usage guidelines When accounting merge is enabled, the device merges accounting statistics for the ITA traffic of all levels in the ITA policy. It reports the traffic as the lowest level of the policy to the accounting server. Examples # Enable the accounting merge feature for ITA policy ita1. <Sysname>...
  • Page 169: Ita Policy

    Related commands ita policy radius scheme ita policy Use ita policy to create an ITA policy and enter its view, or enter the view of an existing ITA policy. Use undo ita policy to delete an ITA policy. Syntax ita policy policy-name undo ita policy policy-name Default No ITA policies exist.
  • Page 170: Traffic-Separate

    online: Permits users to access the authorized IP subnets after their ITA data quotas are used up. Examples # In ITA policy ita1, prohibit users from accessing the authorized IP subnets after their ITA data quotas are used up. <Sysname> system-view [Sysname] ita policy ita1 [Sysname-ita-policy-ita1] traffic-quota-out offline Related commands...
  • Page 171: Display Dot1X

802.1X commands This feature is supported only on the following ports: • Layer 2 Ethernet ports on Ethernet switching modules. • Fixed Layer 2 Ethernet ports of the following routers: MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A). MSR958 (JH300A/JH301A). MSR2004-24/2004-48. MSR1002-4/1003-8S. Commands and descriptions for centralized devices apply to the following routers: •...
  • Page 172 ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model.
  • Page 173 Port access control : Port-based Multicast trigger : Enabled Mandatory auth domain : Not configured Guest VLAN Auth-Fail VLAN : Not configured Critical VLAN : Not configured Re-auth server-unreachable : Logoff Max online users : 256 SmartOn : Disabled EAPOL packets: Tx 3, Rx 3 Sent EAP Request/Identity packets : 1 EAP Request/Challenge packets: 1 EAP Success packets: 1...
  • Page 174 Table 13 Command output Field Description Global 802.1X parameters Global 802.1X configuration. 802.1X authentication Whether 802.1X is enabled globally. Performs EAP termination and uses CHAP to communicate with the RADIUS server. CHAP authentication If EAP or PAP is enabled, this field is not available. Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server.
  • Page 175 Field Description Unicast trigger Whether the 802.1X unicast trigger is enabled on the port. Periodic reauth Whether periodic online user reauthentication is enabled on the port. Port role Role of the port. The port functions only as an Authenticator. Authorization state of the port, which can be Force-Authorized, Auto, Authorization mode or Force-Unauthorized.
  • Page 176: Display Dot1X Connection

Field Description SSID SSID with which users are associated. This field is not available for MSR4060/4080 routers. BSSID ID of the BSS with which users are associated. This field is not available for MSR4060/4080 routers. display dot1x connection Use display dot1x connection to display information about online 802.1X users. Syntax Wireless devices: Centralized devices in standalone mode:...
  • Page 177 slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays online 802.1X user information for all cards. (Distributed devices in standalone mode.) slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays online 802.1X user information for all member devices.
  • Page 178 Authorization VLAN : N/A Authorization ACL number : 3001 Termination action : Default Session timeout period : 2 sec Online from : 2013/03/02 13:14:15 Online duration : 0 h 2 m 15 s # (Distributed devices in standalone mode.) Display information about all online 802.1X users. <Sysname>...
  • Page 179 User MAC address : 0015-e9a6-7cfe AP name : ap1 Radio ID SSID : wlan_dot1x_ssid BSSID : 0015-e9a6-7cf0 User name : ias Authentication domain IPv4 address : 192.168.1.1 IPv6 address : 2000:0:0:0:1:2345:6789:abcd Authentication method : CHAP Initial VLAN Authorization VLAN : N/A Authorization ACL number : 3001 Termination action...
  • Page 180 Field Description Name of the AP with which the user is associated. AP name This field is not available for MSR4060/4080 routers. ID of the radio with which the user is associated. Radio ID This field is not available for MSR4060/4080 routers. SSID with which the user is associated.
  • Page 181: Dot1X

    dot1x Use dot1x to enable 802.1X globally or on a port. Use undo dot1x to disable 802.1X globally or on a port. Syntax dot1x undo dot1x Default 802.1X is neither enabled globally nor enabled for any port. Views System view Ethernet interface view Predefined user roles network-admin...
  • Page 182: Dot1X Auth-Fail Vlan

    Parameters chap: Configures the access device to perform Extensible Authentication Protocol (EAP) termination and use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server. eap: Configures the access device to relay EAP packets, and supports any of the EAP authentication methods to communicate with the RADIUS server.
  • Page 183: Dot1X Critical Vlan

    Default No 802.1X Auth-Fail VLAN exists. Views Ethernet interface view Predefined user roles network-admin Parameters authfail-vlan-id: Specifies the ID of the 802.1X Auth-Fail VLAN on the port. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.
  • Page 184: Dot1X Domain-Delimiter

    Usage guidelines An 802.1X critical VLAN accommodates users who fail 802.1X authentication because all the RADIUS servers in their ISP domains are unreachable. To delete a VLAN that has been configured as an 802.1X critical VLAN, you must first use the undo dot1x critical vlan command.
  • Page 185: Dot1X Ead-Assistant Enable

    Examples # Specify the at sign (@) and forward slash (/) as domain name delimiters. <Sysname> system-view [Sysname] dot1x domain-delimiter @/ Related commands display dot1x dot1x ead-assistant enable Use dot1x ead-assistant enable to enable the EAD assistant feature. Use undo dot1x ead-assistant enable to disable the EAD assistant feature. Syntax dot1x ead-assistant enable undo dot1x ead-assistant enable...
  • Page 186: Dot1X Ead-Assistant Free-Ip

    [Sysname] dot1x ead-assistant enable Related commands display dot1x dot1x ead-assistant free-ip dot1x ead-assistant url dot1x ead-assistant free-ip Use dot1x ead-assistant free-ip to configure a free IP. Use undo dot1x ead-assistant free-ip to remove the specified or all free IP addresses. Syntax dot1x ead-assistant free-ip ip-address { mask-address | mask-length } undo dot1x ead-assistant free-ip { ip-address { mask-address | mask-length } | all }...
  • Page 187: Dot1X Ead-Assistant Url

    <Sysname> system-view [Sysname] dot1x ead-assistant free-ip 192.168.1.1 255.255.0.0 Related commands display dot1x dot1x ead-assistant enable dot1x ead-assistant url dot1x ead-assistant url Use dot1x ead-assistant url to configure a redirect URL. Use undo dot1x ead-assistant url to restore the default. Syntax dot1x ead-assistant url url-string undo dot1x ead-assistant url Default...
  • Page 188: Dot1X Guest-Vlan

    <Sysname> system-view [Sysname] dot1x ead-assistant url http://test.com Related commands display dot1x dot1x ead-assistant enable dot1x ead-assistant free-ip dot1x guest-vlan Use dot1x guest-vlan to configure an 802.1X guest VLAN on a port. Use undo dot1x guest-vlan to restore the default. Syntax dot1x guest-vlan guest-vlan-id undo dot1x guest-vlan Default...
  • Page 189: Dot1X Handshake Reply Enable

    Syntax dot1x handshake undo dot1x handshake Default The online user handshake feature is enabled. Views Ethernet interface view Predefined user roles network-admin Usage guidelines The online user handshake feature enables the device to periodically send EAP-Request/Identity packets to the client for verifying the connectivity status of online 802.1X users. The device sets a user to the offline state if it does not receive an EAP-Response/Identity packet from the user after making the maximum attempts within the handshake timer.
  • Page 190: Dot1X Handshake Secure

    Usage guidelines This command enables the device to reply to 802.1X clients' EAP-Response/Identity packets with EAP-Success packets during the online handshake process. As a best practice, use this command only if 802.1X clients will go offline without receiving EAP-Success packets from the device. Examples # Enable the 802.1X online user handshake reply feature on GigabitEthernet 1/0/1.
  • Page 191: Dot1X Mandatory-Domain

    dot1x mandatory-domain Use dot1x mandatory-domain to specify a mandatory 802.1X authentication domain on a port. Use undo dot1x mandatory-domain to restore the default. Syntax dot1x mandatory-domain domain-name undo dot1x mandatory-domain Default No mandatory 802.1X authentication domain is specified on a port. Views Ethernet interface view Predefined user roles...
  • Page 192: Dot1X Multicast-Trigger

    Predefined user roles network-admin Parameters max-number: Specifies the maximum number of concurrent 802.1X users on a port. The value range is 1 to 4294967295. Usage guidelines Set the maximum number of concurrent 802.1X users on a port to prevent the system resources from being overused.
  • Page 193: Dot1X Port-Control

    Related commands display dot1x dot1x timer tx-period dot1x unicast-trigger dot1x port-control Use dot1x port-control to set the authorization state for the port. Use undo dot1x port-control to restore the default. Syntax dot1x port-control { authorized-force | auto | unauthorized-force } undo dot1x port-control Default The default port authorization state is auto.
  • Page 194: Dot1X Quiet-Period

    Syntax dot1x port-method { macbased | portbased } undo dot1x port-method Default MAC-based access control applies. Views Ethernet interface view Predefined user roles network-admin Parameters macbased: Uses MAC-based access control on the port to separately authenticate each user attempting to access the network. Using this method, when an authenticated user logs off, no other online users are affected.
  • Page 195: Dot1X Re-Authenticate

    Default The quiet timer is disabled. Views System view Predefined user roles network-admin Usage guidelines When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client. You can use the dot1x timer quiet-period command to set the quiet timer.
  • Page 196: Dot1X Re-Authenticate Server-Unreachable Keep-Online

    [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] dot1x re-authenticate Related commands display dot1x dot1x timer dot1x re-authenticate server-unreachable keep-online Use dot1x re-authenticate server-unreachable keep-online to enable the keep-online feature on a port. Use undo dot1x re-authenticate server-unreachable to restore the default. Syntax dot1x re-authenticate server-unreachable keep-online undo dot1x re-authenticate server-unreachable Default...
  • Page 197: Dot1X Smarton

    Views System view Predefined user roles network-admin Parameters retries: Specifies the maximum number of attempts for sending an authentication request to a client. The value range is 1 to 10. Usage guidelines The access device retransmits an authentication request to a client in any of the following situations: •...
  • Page 198: Dot1X Smarton Password

    SmartOn password. The device compares the digest in the packet with the digest on the device. If they are the same, the device continues to perform 802.1X authentication for the client. Otherwise, the device denies the client's 802.1X authentication request. Examples # Enable the SmartOn feature on port GigabitEthernet 1/0/1.
  • Page 199: Dot1X Smarton Retry

    Related commands display dot1x dot1x smarton dot1x smarton switched dot1x smarton retry Use dot1x smarton retry to set the maximum number of attempts for retransmitting an EAP-Request/Notification packet to a client. Use undo dot1x smarton retry to restore the default. Syntax dot1x smarton retry retries undo dot1x smarton retry...
  • Page 200: Dot1X Smarton Timer Supp-Timeout

    undo dot1x smarton switchid Default No SmartOn switch ID exists. Views System view Predefined user roles network-admin Parameters switch-string: Specifies the SmartOn switch ID, a case-sensitive string of 1 to 30 characters. Usage guidelines The device checks the SmartOn switch ID in each received EAP-Response/Notification packet. If the switch ID is not the same as the switch ID on the device, the device stops the 802.1X authentication process for the client that sends this packet.
  • Page 201: Dot1X Timer

    within the timer interval, it retransmits the EAP-Request/Notification packet. After the device has made the maximum retransmission attempts but received no response, it stops the 802.1X authentication process for the client. To set the maximum retransmission attempts, use the dot1x smarton retry command.
  • Page 202 Hardware Option compatibility MSR2003 MSR2004-24/2004-48 MSR3012/3024/3044/3064 MSR4060/4080 MSR1002-4/1003-8S handshake-period handshake-period-value: Specifies the handshake timer in seconds. The value range for the handshake-period-value argument is 5 to 1024. quiet-period quiet-period-value: Specifies the quiet timer in seconds. The value range for the quiet-period-value argument is 10 to 120.
  • Page 203: Dot1X Unicast-Trigger

    • Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5-Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client. • Username request timeout timer (tx-period)—Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request.
  • Page 204: Reset Dot1X Guest-Vlan

    dot1x retry dot1x timer reset dot1x guest-vlan Use reset dot1x guest-vlan to remove users from the 802.1X guest VLAN on a port. Syntax reset dot1x guest-vlan interface interface-type interface-number [ mac-address mac-address ] Views User view Predefined user roles network-admin Parameters interface interface-type interface-number: Specifies a port by its type and number.
  • Page 205 interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command clears 802.1X statistics on all ports. Examples # Clear 802.1X statistics on GigabitEthernet 1/0/1. <Sysname> reset dot1x statistics interface gigabitethernet 1/0/1 Related commands display dot1x...
  • Page 206: Display Mac-Authentication

    MAC authentication commands MAC authentication commands are supported only on the following ports: • Layer 2 Ethernet ports on the following modules: HMIM-8GSW, HMIM-24GSW, HMIM-24GSWP, SIC-4GSW, and SIC-4GSWP. • Fixed Layer 2 Ethernet ports on the following routers: MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A).
  • Page 207 network-operator Parameters ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify an AP, this command displays MAC authentication settings and statistics for all APs.
  • Page 208 MAC authentication : Enabled Authentication domain : Not configured Max online users : 256 Authentication attempts : successful 1, failed 0 Current online users MAC address Auth state 0001-0000-0002 Authenticated 0001-0000-0003 Unauthenticated Table 15 Command output Field Description MAC authentication Whether MAC authentication is enabled globally.
  • Page 209: Display Mac-Authentication Connection

    Field Description GigabitEthernet1/0/1 is link-up: Status of the link on port GigabitEthernet 1/0/1. In this example, the link is up. MAC authentication: Whether MAC authentication is enabled on the port. Carry User-IP: Whether user IP addresses are included in MAC authentication requests.
  • Page 210 Centralized devices in IRF mode: display mac-authentication connection [ ap ap-name [ radio radio-id ] | interface interface-type interface-number | slot slot-number | user-mac mac-addr | user-name user-name ] Wired devices: Centralized devices in standalone mode: display mac-authentication connection [ interface interface-type interface-number | user-mac mac-addr | user-name user-name ] Distributed devices in standalone mode/centralized devices in IRF mode: display mac-authentication connection [ interface interface-type interface-number | slot...
  • Page 211 not specify an online MAC authentication user, this commands displays all online MAC authentication user information. Examples # (Centralized devices in standalone mode.) Display information about all online MAC authentication users. <Sysname> display mac-authentication connection Total connections: 1 User MAC address: 0015-e9a6-7cfe Access interface: GigabitEthernet1/0/1 Username: ias Authentication domain: test...
  • Page 212 Authorization ACL ID: 3001 Termination action: Radius-request Session timeout period: 2 s Online from: 2013/03/02 13:14:15 Online duration: 0h 2m 15s # (Centralized devices in IRF mode.) Display information about all online MAC authentication users. <Sysname> display mac-authentication connection Total connections: 1 Slot ID: 0 User MAC address: 0015-e9a6-7cfe Access interface: GigabitEthernet1/0/1...
  • Page 213 Authorization untagged VLAN: 100 Authorization tagged VLAN : N/A Authorization ACL ID: 3001 Termination action: Radius-request Session timeout period: 2 s Online from: 2013/03/02 13:14:15 Online duration: 0h 2m 15s Table 16 Command output Field Description Total connections Total number of online MAC authentication users. User MAC address MAC address of the user.
  • Page 214: Mac-Authentication

    mac-authentication Use mac-authentication to enable MAC authentication globally or on a port. Use undo mac-authentication to disable MAC authentication globally or on a port. Syntax mac-authentication undo mac-authentication Default MAC authentication is not enabled globally or on any port. Views System view Ethernet interface view Predefined user roles...
  • Page 215: Mac-Authentication Domain

    Usage guidelines This command solves the IP conflict problem that might be caused by users modifying their IP addresses. After you configure this command, users cannot pass MAC authentication if the IP and MAC information in their authentication requests does not match the users' IP-MAC mappings on the IMC server.
  • Page 216: Mac-Authentication Host-Mode

    [Sysname] mac-authentication domain domain1 # Specify the ISP domain aabbcc as the MAC authentication domain on port GigabitEthernet 1/0/1. [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] mac-authentication domain aabbcc Related commands display mac-authentication domain default enable mac-authentication host-mode Use mac-authentication host-mode multi-vlan to enable MAC authentication multi-VLAN mode on a port.
  • Page 217: Mac-Authentication Re-Authenticate Server-Unreachable Keep-Online

    Use undo mac-authentication max-user to restore the default. Syntax mac-authentication max-user max-number undo mac-authentication max-user Default The device allows a maximum of 4294967295 concurrent MAC authentication users on a port. Views Ethernet interface view Predefined user roles network-admin Parameters max-number: Specifies the maximum number of concurrent MAC authentication users on the port. The value range for this argument is 1 to 4294967295.
  • Page 218: Mac-Authentication Timer

    Usage guidelines The keep-online feature keeps authenticated MAC authentication users online when no server is reachable for MAC reauthentication. This command takes effect only after the server assigns the Radius-request action attribute to the authenticated MAC authentication user (see "display mac-authentication connection").
  • Page 219: Mac-Authentication Timer Auth-Delay

    are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance. • Server timeout timer—Sets the interval that the device waits for a response from a RADIUS server before the device regards the RADIUS server as unavailable. If the timer expires during MAC authentication, the user cannot access the network.
  • Page 220: Mac-Authentication User-Name-Format

    Related commands display mac-authentication port-security port-mode mac-authentication user-name-format Use mac-authentication user-name-format to configure the type of user accounts for MAC authentication users. Use undo mac-authentication user-name-format to restore the default. Syntax mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } string ] | mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] } undo mac-authentication user-name-format Default...
  • Page 221: Reset Mac-Authentication Statistics

    authentication, you only need to create one account on the authentication server. This user account type is suitable for trusted networks. Examples # Configure a shared account for MAC authentication users, set the username to abc and the password to the plaintext string xyz. <Sysname>...
  • Page 222: Aaa-Fail Nobinding Enable

    Portal commands WLAN is not supported on the following routers: • MSR4060. • MSR4080. Commands and descriptions for centralized devices apply to the following routers: • MSR1002-4/1003-8S. • MSR2003. • MSR2004-24/2004-48. • MSR3012/3024/3044/3064. • MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A). • MSR958 (JH300A/JH301A). Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers. The term "AP"...
  • Page 223: Aging-Time

    Related commands display mac-trigger-server aging-time Use aging-time to set the aging time for MAC-trigger entries. Use undo aging-time to restore the default. Syntax aging-time seconds undo aging-time Default The aging time for MAC-trigger entries is 300 seconds. Views MAC binding server view Predefined user roles network-admin Parameters...
  • Page 224: App-Key

    Syntax app-id app-id undo app-id Default An APP ID for QQ authentication exists. Views QQ authentication server view Predefined user roles network-admin Parameters app-id: Specifies the APP ID for QQ authentication. Usage guidelines To use QQ authentication for portal users, you must go to the Tencent Open Platform (http://connect.qq.com/intro/login) to finish the following tasks: Register as a developer by using a valid QQ account.
  • Page 225: Authentication-Timeout

    Predefined user roles network-admin Parameters cipher: Specifies the APP key in encrypted form. simple: Specifies the APP key in plaintext form. app-key: Specifies the APP key string. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters. Usage guidelines To use QQ authentication for portal users, you must go to the Tencent Open Platform (http://connect.qq.com/intro/login) to finish the following tasks:...
  • Page 226: Auth-Url

    Parameters minutes: Specifies the authentication timeout in the range of 1 to 15 minutes. Usage guidelines On receiving the MAC binding query response from the MAC binding server, the device starts the timeout timer for portal authentication. If the user passes portal authentication before the timer expires, the device immediately deletes the MAC-trigger entry for the user.
  • Page 227: Binding-Retry

    binding-retry Use binding-retry to specify the maximum number of attempts and the interval for sending MAC binding queries to the MAC binding server. Use undo binding-retry to restore the default. Syntax binding-retry { retries | interval interval } * undo binding-retry Default The maximum number of query attempts is 3 and the query interval is 1 second.
  • Page 228: Default-Logon-Page

    Views Portal Web server view Predefined user roles network-admin Parameters optimize: Enables the optimized captive-bypass feature. Usage guidelines With the captive-bypass feature enabled, the device does not automatically push the portal authentication page to iOS devices and some Android devices when they are connected to the network.
  • Page 229: Display Portal

    Parameters file-name: Specifies the default authentication page file by the file name (without the file storage directory). The file name is a case-sensitive string of 1 to 91 characters. Valid characters are letters, digits, dots (.) and underscores (_). Usage guidelines You must edit the default authentication pages, compress them to a .zip file, and then upload the file to the root directory of the storage medium of the device.
  • Page 230 Hardware Option compatibility MSR2003 MSR2004-24/2004-48 MSR3012/3024/3044/3064 MSR4060/4080 interface-type interface-number: Specifies an interface by its type and number. Examples # Display portal configuration and portal running state on GigabitEthernet 1/0/1. (Wired application.) <Sysname> display portal interface gigabitethernet 1/0/1 Portal information of GigabitEthernet1/0/1 NAS-ID profile: aaa VSRP instance : instance1 VSRP state...
  • Page 231 Authentication type: Layer3 Portal VSRP status: M_Alone Portal Web server: wbsv6(active) Secondary portal Web server: Not configured Authentication domain: my-domain Pre-auth domain: abc Extend-auth domain: Not configured User-dhcp-only: Enabled Pre-auth IP pool: ab Max portal users: Not configured Bas-ipv6:Not configured User detection: Type: ICMPv6 Interval: 300s Attempts: 5...
  • Page 232 2.2.2.2 255.255.0.0 IPv6: Portal status: Enabled Authentication type: Direct Portal Web server: wbsv6(active) Secondary portal Web server: Not configured Authentication domain: my-domain Extend-auth domain: Not configured User-dhcp-only: Disabled Max portal users: 512 Bas-ipv6: 2000::1 Action for sever detection: Server type Server name Action Web server...
  • Page 233 Portal status: Disabled Authentication type: Disabled Portal Web server: Not configured Authentication domain: Not configured Secondary portal Web server: Not configured Pre-auth domain: Not configured User-dhcp-only: Disabled Pre-auth IP pool: Not configured Extend-auth domain: Not configured Max portal users: Not configured Bas-ipv6: Not configured User detection: Not configured Portal temp-pass: Disabled...
  • Page 234 Field Description Portal authentication status on the interface: • Disabled—Portal authentication is disabled. • Enabled—Portal authentication is enabled. Portal status • Authorized—The portal authentication server or portal Web server is unreachable. The interface allows users to have network access without authentication. Status of the portal VSRP on the interface: •...
  • Page 235: Display Portal Extend-Auth-Server

    Field Description Extend-auth domain: Authentication domain configured for third-party authentication on an interface or service template. Pre-auth domain: Preauthentication domain for portal users on the interface. Status of the user-dhcp-only feature: • Enabled: Only users with IP addresses obtained through DHCP can perform portal authentication.
  • Page 236: Display Portal Local-Binding Mac-Address

    Views Any view Predefined user roles network-admin network-operator Parameters all: Specifies all third-party authentication servers. qq: Specifies the QQ authentication server. mail: Specifies the email authentication server. Examples # Display information about all third-party authentication servers. <Sysname> display portal extend-auth-server all Portal extend-auth-server: qq Authentication URL : http://graph.qq.com APP ID...
  • Page 237: Display Portal Mac-Trigger-Server

    network-operator Parameters mac-address: Specifies the MAC address of a portal user, in the format H-H-H. all: Specifies all local MAC-account binding entries. Examples # Display information about all local MAC-account binding entries. <Sysname> display portal local-binding mac-address all Total MAC addresses: MAC address Username 0015-e9a6-7cfe...
  • Page 238 Examples # Display information about all MAC binding servers. <Sysname> display portal mac-trigger-server all Portal mac-trigger server: ms1 Version : 2.0 Server type : IMC : 10.1.1.1 Port : 100 VPN instance : vpn1 Aging time : 120 seconds Free-traffic threshold : 1000 bytes NAS-Port-Type : 255...
  • Page 239: Display Portal Packet Statistics

    Table 20 Command output Field Description Portal mac-trigger-server: Name of the MAC binding server. Version: Version of the portal protocol: • 1.0—Version 1. • 2.0—Version 2. • 3.0—Version 3. Server type: Type of the MAC binding server. This field always displays IMC, which indicates the HPE IMC server or HPE CAMS server.
  • Page 240 Parameters mac-trigger-server server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters. If you do not specify a MAC binding server, this command displays packet statistics for the specified portal authentication server. server server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
  • Page 241 Table 21 Command output Field Description Portal server Name of the portal authentication server. Invalid packets Number of invalid packets. Pkt-Type Packet type. Total Total number of packets. Drops Number of dropped packets. Errors Number of packets that carry error information. Challenge request packet the portal authentication server sent to the REQ_CHALLENGE access device.
  • Page 242: Display Portal Redirect Statistics

    Field Description NTF_USER_NOTIFY: User information notification packet the access device sent to the portal authentication server. AFF_NTF_USER_NOTIFY: NTF_USER_NOTIFY acknowledgment packet the portal authentication server sent to the access device. MAC-trigger server: Name of the MAC binding server. REQ MACBIND: MAC binding request packet the access device sent to the MAC binding server.
  • Page 243: Display Portal Rule

    argument represents the slot number of the card. If you do not specify a card, this command displays portal redirect packet statistics for all cards. (Distributed devices in IRF mode.) Examples # (Centralized devices in standalone mode.) Display portal redirect packet statistics. <Sysname>...
  • Page 244 network-operator Parameters all: Displays all portal packet filtering rules, including dynamic and static portal packet filtering rules. dynamic: Displays dynamic portal packet filtering rules, which are generated after users pass portal authentication. These rules allow packets with specific source IP addresses to pass the interface. static: Displays static portal packet filtering rules, which are generated after portal authentication is enabled.
  • Page 245 Mask : 0.0.0.0 Port : Any : 0000-0000-0000 Interface : GigabitEthernet1/0/1 VLAN : Any Destination: : 192.168.0.111 Mask : 255.255.255.255 Port : Any Rule 2 Type : Dynamic Action : Permit Status : Active Source: : 2.2.2.2 : 000d-88f8-0eab Interface : GigabitEthernet1/0/1 VLAN : Any...
  • Page 246 Mask : 0.0.0.0 IPv6 portal rules on GigabitEthernet1/0/1: Rule 1 Type : Static Action : Permit Protocol : Any Status : Active Source: : :: Prefix length Port : Any : 0000-0000-0000 Interface : GigabitEthernet1/0/1 VLAN : Any Destination: : 3000::1 Prefix length : 64 Port...
  • Page 247 Type : Static Action : Deny Status : Active Source: : :: Prefix length Interface : GigabitEthernet1/0/1 VLAN : Any Destination: : :: Prefix length Rule 5: Type : Static Action : Match pre-auth ACL Status : Active Source: Interface : GigabitEthernet1/0/1 Pre-auth ACL: Number...
  • Page 248 Source: : 2.2.2.2 : 000d-88f8-0eab Interface : WLAN-BSS1/0/1 VLAN Author ACL: Number : N/A Rule 3 Type : Static Action : Redirect Status : Active Source: : 0.0.0.0 Mask : 0.0.0.0 Interface : WLAN-BSS1/0/1 VLAN : any Protocol : TCP Destination: : 0.0.0.0 Mask...
  • Page 249 Port : Any : 0000-0000-0000 Interface : GigabitEthernet1/0/1 VLAN : Any Destination: : 192.168.0.111 Mask : 255.255.255.255 Port : Any Rule 2 Type : Dynamic Action : Permit Status : Active Source: : 2.2.2.2 : 000d-88f8-0eab Interface : GigabitEthernet1/0/1 VLAN : Any Author ACL: Number...
  • Page 250 IPv6 portal rules on GigabitEthernet1/0/1: Rule 1 Type : Static Action : Permit Protocol : Any Status : Active Source: : :: Prefix length Port : Any : 0000-0000-0000 Interface : GigabitEthernet1/0/1 VLAN : Any Destination: : 3000::1 Prefix length : 64 Port : Any...
  • Page 251 Action : Deny Status : Active Source: : :: Prefix length Interface : GigabitEthernet1/0/1 VLAN : Any Destination: : :: Prefix length Rule 5: Type : Static Action : Match pre-auth ACL Status : Active Source: Interface : GigabitEthernet1/0/1 Pre-auth ACL: Number : 3002 # (Distributed devices in standalone mode/centralized in IRF mode.) Display all portal packet filtering...
  • Page 252 Mask : 255.255.255.255 : 000d-88f8-0eab Interface : WLAN-BSS1/0/1 VLAN Author ACL: Number : N/A Rule 3 Type : Static Action : Redirect Status : Active Source: : 0.0.0.0 Mask : 0.0.0.0 Port : Any : 0000-0000-0000 Interface : WLAN-BSS1/0/1 VLAN : any Protocol : TCP...
  • Page 253: Display Portal Safe-Redirect Statistics

    Field Description Action: Action triggered by the portal rule: • Permit—The interface allows packets to pass. • Redirect—The interface redirects packets. • Deny—The interface forbids packets to pass. • Match pre-auth ACL—The interface matches packets against the authorized ACL rules in the preauthentication domain. Transport layer protocol permitted by the portal rule: •...
  • Page 254 display portal safe-redirect statistics [ slot slot-number ] Distributed devices in IRF mode: display portal safe-redirect statistics [ chassis chassis-number slot slot-number ] Views Any view Predefined user roles network-admin network-operator Parameters slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays statistics for all cards.
  • Page 255 User agent statistics: Safari: 3 Chrome: 2 User URL statistics: www.qq.com: 4 # (Distributed devices in IRF mode.) Display portal safe-redirect packet statistics on chassis 1 slot 0. <Sysname> display portal safe-redirect statistics chassis 1 slot 0 Slot 0 in chassis 1: Redirect statistics: Success: 3 Failure: 5...
  • Page 256: Display Portal Server

    display portal server Use display portal server to display information about portal authentication servers. Syntax display portal server [ server-name ] Views Any view Predefined user roles network-admin network-operator Parameters server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
  • Page 257: Display Portal User

    Field Description Status: Reachability status of the portal authentication server: • N/A—Portal authentication server detection is disabled. Reachability status of the server is unknown. • Up—Portal authentication server detection is enabled. The server is reachable. • Down—Portal authentication server detection is enabled. The server is unreachable.
  • Page 258 Hardware Option compatibility MSR2004-24/2004-48 MSR3012/3024/3044/3064 MSR4060/4080 interface interface-type interface-number: Displays information about portal users on the specified interface. ip ipv4-address: Specifies the IPv4 address of a portal user. ipv6 ipv6-address: Specifies the IPv6 address of a portal user. pre-auth: Displays information about preauthentication portal users. A preauthentication user is a user who is authorized with the authorization attributes in a preauthentication domain before portal authentication.
  • Page 259 Field Description Username Name of the user. Portal server Name of the portal authentication server. Current state of the portal user: • Initialized—The user is initialized and ready for authentication. • Authenticating—The user is being authenticated. • Waiting SetRule—The user is waiting for authorization information. •...
  • Page 260 Original IP address: 30.30.30.2 Username: user1@hrss User ID: 0x28000002 Access interface: eth3/2/2 Service-VLAN/Customer-VLAN: -/- MAC address: 0000-0000-0001 Domain: hrss VPN instance: 123 Status: Online Portal server: test Authentication type: Direct AAA: Realtime accounting interval: 60s, retry times: 3 Idle-cut: 180 sec, 10240 bytes Session duration: 500 sec, remaining: 300 sec Remaining traffic: 10240000 bytes Login time: 2014-01-19...
  • Page 261 Field Description MAC address MAC address of the portal user. Domain ISP domain name for portal authentication. MPLS L3VPN to which the portal user belongs. If the portal user is on a VPN instance public network, this field displays N/A. Status of the portal user: •...
  • Page 262 Field Description Authorized user profile: • N/A—The AAA server authorizes no user profile. • active—The AAA server has authorized the user profile User profile successfully. • inactive—The AAA server failed to authorize the user profile or the user profile does not exist on the device. Max multicast addresses Maximum number of multicast groups the portal user can join.
  • Page 263 Field Description SSID Service set identifier. Portal server Name of the portal authentication server. Current state of the portal user: • Initialized—The user is initialized and ready for authentication. • Authenticating—The user is being authenticated. State • Authorizing—The user is being authorized. •...
  • Page 264 Original IP address: 18.18.0.20 Username: chap1 User ID: 0x10000001 Access interface: WLAN_BSS1/0/1 Service-VLAN/Customer-VLAN: 50/- MAC address: 7854-2e1c-c59e Domain name: portal VPN instance: N/A Status: Online Portal server: pt Authentication type: Direct AAA: Realtime accounting interval: 720s, retry times: 5 Idle cut: N/A Session duration: 0 sec, remaining: 0 sec Remaining traffic: N/A Online duration (hh:mm:ss): 1:53:7...
  • Page 265 Field Description MPLS L3VPN to which the portal user belongs. If the portal user is on a VPN instance public network, this field displays N/A. Status of the portal user: • Authenticating—The user is being authenticated. • Authorizing—The user is being authorized. •...
  • Page 266: Display Portal Web-Server

    Field Description User profile: Authorized user profile: • N/A—The AAA server authorizes no user profile. • active—The AAA server has authorized the user profile successfully. • inactive—The AAA server failed to authorize the user profile or the user profile does not exist on the device. Max multicast addresses: Maximum number of multicast groups the portal user can join.
  • Page 267: Display Web-Redirect Rule

    IPv4 status : Up IPv6 status : N/A Captive-bypass : Enabled If-match : original-url: http://2.2.2.2, redirect-url: http://192.168.56.2 Table 30 Command output Field Description Type: Portal Web server type: • CMCC—CMCC server. • IMC—IMC server. Portal Web server: Name of the portal Web server. URL of the portal Web server.
  • Page 268 Distributed devices in standalone mode/centralized devices in IRF mode: display web-redirect rule interface { ap ap-name [ radio radio-id ] | interface-type interface-number [ slot slot-number ] } Distributed devices in IRF mode: display web-redirect rule interface { ap ap-name [ radio radio-id ] | interface-type interface-number [ chassis chassis-number slot slot-number ] } Views Any view...
  • Page 269 Action : Permit Status : Active Source: : 192.168.2.114 VLAN : Any Rule 2: Type : Static Action : Redirect Status : Active Source: VLAN : Any Protocol : TCP Destination: Port : 80 IPv6 web-redirect rules on GigabitEthernet1/0/1: Rule 1: Type : Static Action...
  • Page 270: Exclude-Attribute

    Table 31 Command output Field Description Rule: Number of the Web redirect rule. Type: Type of the Web redirect rule: • Static—Static Web redirect rule, generated when the Web redirect feature takes effect. • Dynamic—Dynamic Web redirect rule, generated when a user visits a redirect webpage.
  • Page 271 ack-logout: Excludes the attribute from ACK_LOGOUT packets. ntf-logout: Excludes the attribute from NTF_LOGOUT packets. Usage guidelines Support of the portal authentication server for portal protocol attributes varies by the server type. If the device sends the portal authentication server a packet that contains an attribute unsupported by the server, the device and the server cannot communicate.
  • Page 272: Free-Traffic Threshold

    Name Number Description EAP-Message: An EAP attribute that needs to be transported transparently. This attribute applicable authentication. Multiple EAP-Message attributes can exist in a portal authentication packet. User-Notify: Value of the hw_User_Notify attribute in a RADIUS accounting response. This attribute needs to be transported transparently. IPv6 address of the access device.
  • Page 273: If-Match

    When traffic is detected from the user again, the device re-creates a MAC-trigger entry for the user and repeats the previous procedure. In wireless networks where APs are configured to forward client data traffic, APs report traffic statistics to the AC at a regular interval. The AC can determine whether a user's traffic exceeds the free-traffic threshold only after receiving the traffic statistics report from the associated AP.
  • Page 274 string: Specifies the case-sensitive key string. The string length varies by the selected encryption method: • If des cipher is specified, the string length is 41 characters. • If des simple is specified, the string length is 8 characters. • If aes cipher is specified, the string length is 1 to 73 characters.
  • Page 275: Ip (Mac Binding Server View)

    ip (MAC binding server view) Use ip to specify the IP address of a MAC binding server. Use undo ip to restore the default. Syntax ip ipv4-address [ vpn-instance ipv4-vpn-instance-name ] [ key { cipher | simple } string ] undo ip Default The IP address of the MAC binding server is not specified.
  • Page 276 Syntax ip ipv4-address [ vpn-instance vpn-instance-name ] [ key { cipher | simple } string ] undo ip Default The IP address of the IPv4 portal authentication server is not specified. Views Portal authentication server view Predefined user roles network-admin Parameters ipv4-address: Specifies the IP address of the IPv4 portal authentication server.
  • Page 277: Local-Binding Aging-Time

    Syntax ipv6 ipv6-address [ vpn-instance ipv6-vpn-instance-name ] [ key { cipher | simple } string ] undo ipv6 Default The IP address of the IPv6 portal authentication server is not specified. Views Portal authentication server view Predefined user roles network-admin Parameters ipv6-address: Specifies the IP address of the IPv6 portal authentication server.
  • Page 278: Local-Binding Enable

    Syntax local-binding aging-time hours undo local-binding aging-time Default The aging time for local MAC-account binding entries is 12 hours. Views MAC binding server view Predefined user roles network-admin Parameters hours: Specifies the aging time for local MAC-account binding entries. The value range for this argument is 1 to 2160 hours.
  • Page 279: Logon-Page Bind

    Usage guidelines This feature enables the device to act as a local MAC binding server to provide local MAC-trigger authentication for local portal users. After a user passes portal authentication for the first time, the access device (local MAC binding server) generates a local MAC binding entry for the user.
  • Page 280: Mail-Protocol

    Usage guidelines This command implements customized authentication page pushing for portal users. After you configure this command, the device pushes authentication pages to users according to the user SSID or endpoint type. When a Web user triggers local portal authentication, the device searches for a binding that matches the user's SSID or endpoint type.
  • Page 281: Nas-Port-Type

    Predefined user roles network-admin Parameters imap: Specifies the Internet Message Access Protocol (IMAP). pop3: Specifies the Post Office Protocol 3 (POP3). Usage guidelines This command specifies the email protocols that the device uses to interact with the email authentication server to perform authentication and authorization on portal users who use email authentication. Examples # Specify the POP3 protocol for email authentication.
  • Page 282: Port (Mac Binding Server View)

    Related commands display mac-trigger-server port (MAC binding server view) Use port to set the UDP port number the MAC binding server uses to listen for MAC binding query packets. Use undo port to restore the default. Syntax port port-number undo port Default The MAC binding server listens for MAC binding query packets on UDP port 50100.
  • Page 283: Portal { Bas-Ip | Bas-Ipv6 }

    Views Portal authentication server view Predefined user roles network-admin Parameters port-number: Specifies a destination UDP port number the device uses to send unsolicited portal packets to the portal authentication server. The value range for this argument is 1 to 65534. Usage guidelines The specified port must be the port that listens to portal packets on the portal authentication server.
  • Page 284: Portal { Ipv4-Max-User | Ipv6-Max-User }

    Parameters ipv4-address: Specifies BAS-IP for portal packets sent to the portal authentication server. This attribute must be the IPv4 address of an interface on the device. It cannot be 0.0.0.0, 1.1.1.1, a class D address, a class E address, or a loopback address. ipv6-address: Specifies BAS-IPv6 for portal packets sent to the portal authentication server.
  • Page 285: Portal Apply Mac-Trigger-Server

    portal ipv4-max-user max-number undo portal ipv4-max-user Default The maximum number of portal users allowed on an interface or a service template is not limited. Views Interface view Service template view Predefined user roles network-admin Parameters max-number: Specifies the maximum number of portal users allowed on an interface or a service template, in the range of 1 to 4294967295.
  • Page 286: Portal Apply Web-Server

    Views Interface view Service template view Predefined user roles network-admin Parameters server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters. Usage guidelines Only direct portal authentication supports MAC-based quick portal authentication. For MAC-based quick portal authentication to take effect, perform the following tasks: •...
  • Page 287: Portal Authorization Strict-Checking

    Parameters ipv6: Specifies an IPv6 portal Web server. If the server is an IPv4 portal Web server, do not specify this keyword. secondary: Specifies the backup portal Web server. If you do not specify this keyword, the specified server is the primary portal Web server. server-name: Specifies the portal Web server to apply to the interface by its name, a case-sensitive string of 1 to 32 characters.
  • Page 288: Portal Client-Traffic-Report Interval

    Default Strict checking mode on portal authentication information is disabled. If an authorized ACL or user profile does not exist on the device or the ACL or user profile fails to be deployed, the user will not be logged out. Views Interface view Service template view...
  • Page 289: Portal Delete-User

    Predefined user roles network-admin Parameters interval: Specifies the interval at which an AP reports traffic statistics to the device, in the range of 1 to 3600 seconds. Usage guidelines Before you execute this command, make sure the client traffic forwarding location is at APs. Examples # Set the interval at which an AP reports traffic statistics to the device to 120 seconds.
  • Page 290: Portal Domain

    Syntax portal device-id device-id undo portal device-id Default A device is not configured with a device ID. Views System view Predefined user roles network-admin Parameters device-id: Specifies a device ID for the device, a case-sensitive string of 1 to 63 characters. Usage guidelines The portal authentication server uses device IDs to identify the device that sends protocol packets to the portal server.
  • Page 291: Portal Enable

    Parameters ipv6: Specifies an authentication domain for IPv6 portal users. Do not specify this keyword for IPv4 portal users. domain-name: Specifies an ISP authentication domain by its name, a case-insensitive string of 1 to 255 characters. Usage guidelines You can specify both an IPv4 portal authentication domain and an IPv6 portal authentication domain on an interface or a service template.
  • Page 292: Portal Extend-Auth Domain

    Parameters ipv6: Enables IPv6 portal authentication. Do not specify this keyword for IPv4 portal authentication. method: Specifies an authentication mode: • direct—Direct authentication. • layer3—Cross-subnet authentication. • redhcp—Re-DHCP authentication. Usage guidelines To modify the portal authentication mode, first execute the undo form of this command to disable portal authentication.
  • Page 293: Portal Extend-Auth-Server

    Predefined user roles network-admin Parameters domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. Usage guidelines The specified ISP domain takes effect only on IPv4 portal users that use third-party authentication. Examples # Specify authentication domain my-domain for third-party authentication on GigabitEthernet 1/0/1. (Wired application.) <Sysname>...
  • Page 294: Portal Fail-Permit Server

    device interacts with the local portal Web server to complete the remaining process of portal authentication. Only direct portal authentication that uses a local portal Web server supports third-party authentication. Examples # Create a QQ authentication server and enter its view. <Sysname>...
  • Page 295: Portal Fail-Permit Web-Server

    access network resources. Portal users who have passed authentication can continue accessing network resources. If you execute this command multiple times, the most recent configuration takes effect. Examples # Enable portal fail-permit for portal authentication server pts1 on GigabitEthernet 1/0/1. <Sysname>...
  • Page 296: Portal Free-All Except Destination

    Hardware compatibility (Interface view / Service template view): MSR2003; MSR2004-24/2004-48; MSR3012/3024/3044/3064; MSR4060/4080. When portal fail-permit is enabled for a portal authentication server and portal Web servers, the interface disables portal authentication in either of the following conditions: • Both the primary and backup portal Web servers are unreachable. •...
  • Page 297: Portal Free-Rule

    Parameters ipv4-network-address: Specifies an IPv4 portal authentication subnet address. mask-length: Specifies the subnet mask length for the authentication subnet address, in the range of 0 to 32. mask: Specifies the subnet mask in dotted decimal format. Usage guidelines Portal users on the interface are authenticated when accessing the specified authentication destination subnet (except IP addresses and subnets specified in portal-free rules).
  • Page 298 Parameters rule-number: Specifies a portal-free rule number. The value range for this argument is 0 to 4294967295. destination: Specifies the destination information. source: Specifies the source information. ip ip-address: Specifies an IPv4 address for the portal-free rule. { mask-length | mask }: Specifies the subnet mask of the IPv4 address. The value range for the mask-length argument is 0 to 32.
  • Page 299: Portal Free-Rule Destination

    [Sysname] portal free-rule 2 destination ipv6 2001::1 128 tcp 23 source ipv6 2000::1 64 interface gigabitethernet 1/0/1 With this rule, users in subnet 2000::/64 do not need to pass portal authentication through GigabitEthernet 1/0/1 when they access services provided on TCP port 23 of host 2001::1. Related commands display portal rule portal free-rule destination...
  • Page 300: Portal Free-Rule Source

    Examples # Configure a destination-based portal-free rule: specify the rule number as 4 and host name as www.abc.com. This rule allows the portal user who sends the HTTP/HTTPS request that carries the host name www.abc.com to access network resources without authentication. <Sysname>...
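    As an added example that is not part of this manual, the following Python model shows how the portal-free rules on the preceding pages are evaluated against a flow. Rules 2 and 4 are the page's own examples (the IPv6 Telnet rule and the www.abc.com host-name rule); rule 1 (a DNS server at 10.1.1.53), the interface naming and the sample flows are constructed for the demonstration. Note that a host-name rule is matched on the client-supplied Host header alone, so it says nothing about which server the client actually reached; where the destination matters, use an IP-based rule.

```python
"""Portal-free rule matching, modelled on the portal free-rule and
portal free-rule destination commands.  Illustrative model written for
this page, not Comware code.  A flow that matches any rule bypasses
portal authentication."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str                     # "tcp" or "udp"
    dst_port: int
    interface: Optional[str] = None
    host: Optional[str] = None     # Host header of an HTTP/HTTPS request, if any


@dataclass(frozen=True)
class FreeRule:
    number: int
    dst_net: Optional[str] = None     # destination ip/ipv6 with mask or prefix length
    src_net: Optional[str] = None     # source ip/ipv6 with mask or prefix length
    proto: Optional[str] = None       # tcp or udp
    dst_port: Optional[int] = None
    interface: Optional[str] = None   # source interface
    host: Optional[str] = None        # portal free-rule destination host name

    def matches(self, flow: Flow) -> bool:
        if self.host is not None:
            # Host-name rule: compares only the client-supplied Host header.
            return flow.host is not None and flow.host.lower() == self.host.lower()
        if self.dst_net is not None and not _in_net(flow.dst_ip, self.dst_net):
            return False
        if self.src_net is not None and not _in_net(flow.src_ip, self.src_net):
            return False
        if self.proto is not None and flow.proto != self.proto:
            return False
        if self.dst_port is not None and flow.dst_port != self.dst_port:
            return False
        if self.interface is not None and flow.interface != self.interface:
            return False
        return True


def _in_net(addr: str, net: str) -> bool:
    """True if addr lies in net.  An IPv4 address never matches an IPv6
    network (and vice versa); ipaddress returns False rather than raising."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matching_rules(flow: Flow, rules: List[FreeRule]) -> List[int]:
    """Numbers of all portal-free rules the flow matches, lowest first."""
    return sorted(r.number for r in rules if r.matches(flow))


def is_portal_free(flow: Flow, rules: List[FreeRule]) -> bool:
    return bool(matching_rules(flow, rules))


# Rules 2 and 4 are the page's examples; rule 1 (DNS) is assumed for the demo.
RULES = [
    FreeRule(2, dst_net="2001::1/128", proto="tcp", dst_port=23,
             src_net="2000::1/64", interface="GigabitEthernet1/0/1"),
    FreeRule(4, host="www.abc.com"),
    FreeRule(1, dst_net="10.1.1.53/32", proto="udp", dst_port=53),
]

if __name__ == "__main__":
    # Constructed sample flows.
    samples = [
        Flow("2000::abcd", "2001::1", "tcp", 23, "GigabitEthernet1/0/1"),
        Flow("2000::abcd", "2001::1", "tcp", 23, "GigabitEthernet1/0/2"),
        Flow("2000::abcd", "2001::1", "tcp", 22, "GigabitEthernet1/0/1"),
        Flow("192.0.2.10", "203.0.113.5", "tcp", 80, host="www.abc.com"),
        Flow("192.0.2.10", "203.0.113.5", "tcp", 80, host="www.example.net"),
        Flow("192.0.2.10", "10.1.1.53", "udp", 53),
    ]
    for f in samples:
        print(f, "->", matching_rules(f, RULES))
```

    The Telnet flow is free only when all four attributes of rule 2 match (destination host and port, source subnet and source interface); changing the interface or the port alone makes it subject to authentication again.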
  • Page 301: Portal Host-Check Enable

    portal host-check enable Use portal host-check enable to enable validity check on wireless portal clients. Use undo portal host-check enable to disable validity check on wireless portal clients. Syntax portal host-check enable undo portal host-check enable Default Validity check on wireless portal clients is disabled. The device checks wireless portal client validity according to ARP entries only.
  • Page 302: Portal Ipv6 Free-All Except Destination

    portal ipv6 free-all except destination Use portal ipv6 free-all except destination to configure an IPv6 portal authentication destination subnet on an interface. Use undo portal ipv6 free-all except destination to delete IPv6 portal authentication destination subnets on the interface. Syntax portal ipv6 free-all except destination ipv6-network-address prefix-length undo portal ipv6 free-all except destination [ ipv6-network-address ] Default...
  • Page 303: Portal Ipv6 User-Detect

    Syntax portal ipv6 layer3 source ipv6-network-address prefix-length undo portal ipv6 layer3 source [ ipv6-network-address ] Default No IPv6 portal authentication source subnet is configured on the interface. Portal users from any IPv6 subnet must pass portal authentication. Views Interface view Predefined user roles network-admin Parameters...
  • Page 304 Views Interface view Predefined user roles network-admin Parameters type: Specifies the detection type. • icmpv6—ICMPv6 detection. • nd—ND detection. retry retries: Sets the maximum number of detection attempts, in the range of 1 to 10. The default value is 3. interval interval: Sets a detection interval in the range of 1 to 1200 seconds.
  • Page 305: Portal Layer3 Source

    portal layer3 source Use portal layer3 source to configure an IPv4 portal authentication source subnet. Use undo portal layer3 source to delete IPv4 portal authentication source subnets. Syntax portal layer3 source ipv4-network-address { mask-length | mask } undo portal layer3 source [ ipv4-network-address ] Default No IPv4 portal authentication source subnet is configured.
  • Page 306 Syntax portal local-web-server { http | https [ ssl-server-policy policy-name ] } undo portal local-web-server { http | https } Default No local portal Web servers exist. Views System view Predefined user roles network-admin Parameters http: Configures the local portal Web server to use HTTP to exchange authentication information with clients.
  • Page 307: Portal Mac-Trigger-Server

    Related commands default-logon-page portal local-web-server ssl server-policy portal mac-trigger-server Use portal mac-trigger-server to create a MAC binding server and enter its view, or enter the view of an existing MAC binding server. Use undo portal mac-trigger-server to delete the MAC binding server. Syntax portal mac-trigger-server server-name undo portal mac-trigger-server server-name...
  • Page 308: Portal Nas-Id Profile

    Default The total number of portal users allowed in the system is not limited. Views System view Predefined user roles network-admin Parameters max-number: Specifies the maximum number of total portal users in the system. The value range for this argument is 1 to 4294967295. Usage guidelines If you configure the maximum total number smaller than the number of current online portal users on the device, this command still takes effect.
  • Page 309: Portal Nas-Port-Id Format

    Usage guidelines A NAS-ID profile defines the binding relationship between VLANs and NAS-IDs. To configure a NAS-ID profile, use the aaa nas-id profile command. Portal access matches only the inner VLAN ID of QinQ packets. For more information about QinQ, see Layer 2—LAN Switching Configuration Guide.
  • Page 310: Portal Nas-Port-Type

    Examples # Set the format of the NAS-Port-ID attribute to format 1. <Sysname> system-view [Sysname] portal nas-port-id format 1 portal nas-port-type Use portal nas-port-type to specify the NAS-Port-Type value carried in RADIUS requests sent to the RADIUS server. Use undo portal nas-port-type to restore the default. Syntax portal nas-port-type { ethernet | wireless } undo portal nas-port-type...
  • Page 311: Portal Outbound-Filter Enable

    Examples # On VLAN-interface 2, specify the NAS-Port-Type value in RADIUS requests sent to the RADIUS server as WLAN-IEEE 802.11. <Sysname> system-view [Sysname] interface vlan-interface 2 [Sysname-Vlan-interface2] portal nas-port-type wireless # On service template service1, specify the NAS-Port-Type value in RADIUS requests sent to the RADIUS server as WLAN-IEEE 802.11.
  • Page 312: Portal Pre-Auth Domain

    portal pre-auth domain Use portal [ ipv6 ] pre-auth domain to specify a preauthentication domain for portal users. Use undo portal [ ipv6 ] pre-auth domain to restore the default. Syntax portal [ ipv6 ] pre-auth domain domain-name undo portal [ ipv6 ] pre-auth domain Default No preauthentication domain is specified for portal users.
  • Page 313: Portal Packet Log Enable

    If the ACL in the preauthentication domain does not exist or the ACL has no rules, the device does not control user access. Users can access any network resources without passing portal authentication. Follow these guidelines when you configure a preauthentication ACL rule: •...
  • Page 314: Portal Pre-Auth Ip-Pool

    portal pre-auth ip-pool Use portal pre-auth ip-pool to specify a preauthentication IP address pool for portal users. Use undo portal pre-auth ip-pool to restore the default. Syntax portal [ ipv6 ] pre-auth ip-pool pool-name undo portal [ ipv6 ] pre-auth ip-pool Default No preauthentication IP address pool is specified for portal users.
  • Page 315: Portal Refresh Enable

    Syntax portal redirect log enable undo portal redirect log enable Default Portal redirect logging is disabled. Views System view Predefined user roles network-admin Usage guidelines This feature logs information about portal redirect packets, including the user IP address, MAC address, SSID, BAS IP, and Web server IP address. For portal log messages to be sent correctly, you must also configure the information center on the device.
  • Page 316: Portal Roaming Enable

    • ARP or ND entries for portal users who pass authentication after this feature is enabled are converted to Rule ARP or ND entries. Rule ARP or ND entries will not be aged. • ARP or ND entries for portal users who pass authentication before this feature is enabled will be aged when their respective aging timers expire.
  • Page 317: Portal Safe-Redirect Forbidden-Url

    Syntax portal safe-redirect enable undo portal safe-redirect enable Default The portal safe-redirect feature is disabled. Views System view Predefined user roles network-admin Usage guidelines Portal redirects all HTTP requests except HTTP requests that match portal-free rules to the portal Web server, which might overload the server. Portal safe-redirect filters HTTP requests by HTTP request method, browser type (in HTTP User Agent), and destination URL, and redirects only the permitted HTTP requests.
  • Page 318: Portal Safe-Redirect Method

    Usage guidelines You can execute this command multiple times to configure multiple portal safe-redirect forbidden URLs. The device does not redirect HTTP requests destined for the specified URLs to the portal Web server. Before you execute this command, make sure the portal safe-redirect feature is enabled. Examples # Specify http://www.abc.com as a portal safe-redirect forbidden URL.
  • Page 319: Portal Safe-Redirect User-Agent

    portal safe-redirect user-agent Use portal safe-redirect user-agent to specify a browser type for portal safe-redirect. Use undo portal safe-redirect user-agent to delete a browser type for portal safe-redirect. Syntax portal safe-redirect user-agent user-agent-string undo portal safe-redirect user-agent user-agent-string Default After portal safe-redirect is enabled, the device redirects the HTTP packets matching any browser types in Table Views...
  • Page 320: Portal Server

    Examples # Specify browser types Chrome and Safari for portal safe-redirect. <Sysname> system-view [Sysname] portal safe-redirect user-agent Chrome [Sysname] portal safe-redirect user-agent Safari Related commands portal safe-redirect enable portal server Use portal server to create a portal authentication server and enter its view, or enter the view of an existing portal authentication server.
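    The filter that the portal safe-redirect commands on the preceding pages describe, as an added Python model that is not Comware code. The browser types Chrome and Safari and the forbidden URL http://www.abc.com are the page's own examples; the permitted method set (GET only), the URL matching rule (the forbidden URL itself or any path beneath it) and the sample requests are assumptions constructed for the demonstration. Because the method and User-Agent are chosen by the client, this is a load-shedding filter in front of the portal Web server, not an access control: anything that is not redirected is simply not answered with the portal page.

```python
"""Portal safe-redirect decision logic, modelled on the portal safe-redirect
enable / method / user-agent / forbidden-url commands.  Illustrative model
written for this page, not Comware code.  Only HTTP requests that pass every
filter are redirected to the portal Web server."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: Dict[str, str]


@dataclass(frozen=True)
class SafeRedirectPolicy:
    methods: Tuple[str, ...] = ("GET",)                        # assumed permitted-method set
    user_agents: Tuple[str, ...] = ("Chrome", "Safari")        # browser types from the page's example
    forbidden_urls: Tuple[str, ...] = ("http://www.abc.com",)  # forbidden URL from the page's example


def parse_request(raw: bytes) -> Optional[HttpRequest]:
    """Parse the request line and headers of an HTTP/1.x request.  Returns
    None for anything that is not well-formed HTTP, such as a TLS ClientHello
    that reached the redirect listener."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers)


def url_forbidden(url: str, forbidden: str) -> bool:
    """Assumed matching rule: the forbidden URL itself or any path beneath it.
    The trailing slash keeps http://www.abc.com.evil.example from matching."""
    base = forbidden.rstrip("/")
    return url.rstrip("/") == base or url.startswith(base + "/")


def decide(raw: bytes, policy: SafeRedirectPolicy = SafeRedirectPolicy()) -> str:
    """Return 'redirect' when the request should be sent to the portal Web
    server, otherwise 'no-redirect:<name of the filter that rejected it>'."""
    req = parse_request(raw)
    if req is None:
        return "no-redirect:malformed"
    if req.method not in policy.methods:
        return "no-redirect:method"
    user_agent = req.headers.get("user-agent", "")
    if not any(browser in user_agent for browser in policy.user_agents):
        return "no-redirect:user-agent"
    host = req.headers.get("host")
    if not host:
        return "no-redirect:no-host"
    url = "http://" + host + req.target
    if any(url_forbidden(url, f) for f in policy.forbidden_urls):
        return "no-redirect:forbidden-url"
    return "redirect"


# Constructed sample requests (not captured traffic).
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
SAMPLES = {
    "browser-get": (b"GET /news HTTP/1.1\r\nHost: example.org\r\nUser-Agent: "
                    + CHROME_UA.encode() + b"\r\n\r\n"),
    "post": (b"POST /api/upload HTTP/1.1\r\nHost: example.org\r\nUser-Agent: "
             + CHROME_UA.encode() + b"\r\n\r\n"),
    "curl": b"GET / HTTP/1.1\r\nHost: example.org\r\nUser-Agent: curl/8.4.0\r\n\r\n",
    "forbidden": (b"GET /index.html HTTP/1.1\r\nHost: www.abc.com\r\n"
                  b"User-Agent: Safari/17.0\r\n\r\n"),
    "tls-hello": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} -> {decide(raw)}")
```

    Only the plain browser GET is redirected; the POST, the curl request, the request for the forbidden URL and the TLS handshake bytes are all left alone, which is the load reduction the feature is meant to provide.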
  • Page 321: Portal Temp-Pass Enable

    portal temp-pass enable Use portal temp-pass enable to enable portal temporary pass and set the temporary pass period. Use undo portal temp-pass enable to disable portal temporary pass. Syntax portal temp-pass [ period period-value ] enable undo portal temp-pass enable Default Portal temporary pass is disabled.
  • Page 322: Portal User-Detect

    undo portal traffic-accounting disable Default Traffic accounting for portal users is enabled. Views System view Predefined user roles network-admin Usage guidelines The accounting server might perform time-based or traffic-based accounting, or it might not perform accounting. If the accounting server does not perform traffic-based accounting, disable traffic accounting for portal users on the device.
  • Page 323: Portal User-Dhcp-Only

    Usage guidelines If the device receives no packets from a portal user within the configured idle time, the device detects the user's online status as follows: • ICMP detection—Sends ICMP requests to the user at configurable intervals to detect the user status.
  • Page 324: Portal User-Logoff After-Client-Offline Enable

    Default Both users with IP addresses obtained through DHCP and users with static IP addresses can pass portal authentication to get online. IPv6 wireless users might use IPv6 temporary addresses to access the IPv6 network even though they have been assigned DHCPv6 addresses. Because such an address was not assigned by DHCP, these users fail authentication when the user-dhcp-only feature is enabled. To prevent this, make sure the IPv6 temporary address feature is disabled on the terminal devices.
  • Page 325: Portal User Log Enable

    Views System view Predefined user roles network-admin Usage guidelines The following matrix shows the command and hardware compatibility (Hardware / Command compatibility): MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A); MSR958 (JH300A/JH301A); MSR1002-4/1003-8S; MSR2003; MSR2004-24/2004-48; MSR3012/3024/3044/3064; MSR4060/4080. After automatic logout is enabled for wireless portal users, the device will automatically log out a portal user after the user is disconnected from the wireless network.
  • Page 326: Portal Web-Server

    Examples # Enable logging for portal user logins and logouts. <Sysname> system-view [Sysname] portal user log enable Related commands portal packet log enable portal redirect log enable portal web-server Use portal web-server to create a portal Web server and enter its view, or enter the view of an existing portal Web server.
  • Page 327: Reset Portal Packet Statistics

    Syntax redirect-url url-string undo redirect-url Default The redirection URL for QQ authentication success is http://lvzhou.h3c.com/portal/qqlogin.html. Views QQ authentication server view Predefined user roles network-admin Parameters url-string: Specifies the redirection URL for QQ authentication success, a case-sensitive string of 1 to 256 characters.
  • Page 328: Reset Portal Redirect Statistics

    Usage guidelines If you do not specify any parameters, this command clears packet statistics for all portal authentication servers and MAC binding servers. Examples # Clear packet statistics for portal authentication server pts. <Sysname> reset portal packet statistics server pts # Clear packet statistics for MAC binding server newps.
  • Page 329: Reset Portal Safe-Redirect Statistics

    Related commands display portal safe-redirect statistics reset portal safe-redirect statistics Use reset portal safe-redirect statistics to clear portal safe-redirect packet statistics. Syntax Centralized devices in standalone mode: reset portal safe-redirect statistics Distributed devices in standalone mode/centralized devices in IRF mode: reset portal safe-redirect statistics [ slot slot-number ] Distributed devices in IRF mode: reset portal safe-redirect statistics [ chassis chassis-number slot slot-number ]...
  • Page 330: Server-Detect (Portal Web Server View)

    undo server-detect Default Portal authentication server detection is disabled. Views Portal authentication server view Predefined user roles network-admin Parameters timeout timeout: Specifies the detection timeout in the range of 10 to 3600 seconds. The default is 60 seconds. { log | trap } *: Specifies the action to be taken after the device detects reachability status change of the portal authentication server.
  • Page 331: Server-Type (Mac Binding Server View)

    undo server-detect Default Portal Web server detection is disabled. Views Portal Web server view Predefined user roles network-admin Parameters interval interval: Specifies a detection interval in the range of 1 to 1200 seconds. The default is 5 seconds. retry retries: Specifies the maximum number of consecutive detection failures, in the range of 1 to 10.
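    The interaction between server-detect in portal Web server view and portal fail-permit web-server (Pages 295 to 296 above), as an added Python model that is not Comware code. It implements the fail-permit condition visible on this page (both the primary and backup portal Web servers unreachable). The server names, the probe timeline, a retry count of 3, and the assumption that both servers are probed on the same interval are constructed for the example; the 5-second interval is the page's default. Two things the model makes concrete: a server is declared unreachable only interval × retry seconds after its last successful probe (15 s here), and fail-permit is fail-open by design, so while it is active users who never authenticated get network access as well.

```python
"""Portal Web server reachability detection and fail-permit, modelled on
server-detect (portal Web server view) and portal fail-permit web-server.
Illustrative model written for this page, not Comware code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class WebServerDetect:
    """Active probing: the server is marked unreachable after `retry`
    consecutive failed probes sent every `interval` seconds (page default
    interval 5 s; retry range 1 to 10, default assumed to be 3 here)."""
    name: str
    interval: int = 5
    retry: int = 3
    failures: int = 0
    reachable: bool = True

    def probe(self, ok: bool) -> bool:
        """Feed one probe result; return True if the reachability state changed."""
        self.failures = 0 if ok else self.failures + 1
        new_state = self.failures < self.retry
        changed = new_state != self.reachable
        self.reachable = new_state
        return changed

    def detection_delay_seconds(self) -> int:
        """Seconds between the last successful probe and the unreachable verdict."""
        return self.interval * self.retry


@dataclass
class PortalInterface:
    primary: WebServerDetect
    secondary: Optional[WebServerDetect] = None
    fail_permit_web_server: bool = True   # portal fail-permit web-server configured

    def portal_enforced(self) -> bool:
        """False means portal authentication is suspended on the interface:
        unauthenticated users get network access (fail-open)."""
        if not self.fail_permit_web_server:
            return True
        backup_up = self.secondary is not None and self.secondary.reachable
        return self.primary.reachable or backup_up


def simulate(iface: PortalInterface,
             rounds: List[Tuple[bool, bool]]) -> List[Tuple[int, str]]:
    """rounds: per probe round, (primary probe ok, backup probe ok).
    Returns (time, event) entries for every state change, as a log would."""
    log: List[Tuple[int, str]] = []
    for n, (p_ok, s_ok) in enumerate(rounds):
        now = n * iface.primary.interval
        before = iface.portal_enforced()
        for server, ok in ((iface.primary, p_ok), (iface.secondary, s_ok)):
            if server is not None and server.probe(ok):
                state = "reachable" if server.reachable else "unreachable"
                log.append((now, f"{server.name} {state}"))
        after = iface.portal_enforced()
        if before != after:
            verdict = "resumed" if after else "suspended by fail-permit"
            log.append((now, "portal authentication " + verdict))
    return log


# Constructed probe timeline: the primary stops answering at round 1, the
# backup at round 2, and the primary recovers at round 5.
ROUNDS = [(True, True), (False, True), (False, False),
          (False, False), (False, False), (True, False)]


def demo() -> List[Tuple[int, str]]:
    iface = PortalInterface(WebServerDetect("wbs-primary"), WebServerDetect("wbs-backup"))
    return simulate(iface, ROUNDS)


if __name__ == "__main__":
    for t, event in demo():
        print(f"t={t:3d}s  {event}")
```

    With three consecutive failures required, the primary is not declared down until 15 s after its last good probe, the backup 5 s later, and only then is enforcement lifted; one successful probe restores it. Without fail-permit configured, portal authentication stays enforced and users simply cannot be redirected while the servers are down.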
  • Page 332: Server-Type(Portal Server View/Portal Web Server View)

    Default The type of the MAC binding server is IMC. Views MAC binding server view Predefined user roles network-admin Parameters imc: Specifies the MAC binding server type as IMC. Examples # Specify the type of the MAC binding server as imc. <Sysname>...
  • Page 333: Tcp-Port

    Related commands display portal server tcp-port Use tcp-port to configure a listening TCP port for the local portal Web server. Use undo tcp-port to restore the default. Syntax tcp-port port-number undo tcp-port Default The listening TCP port number for HTTP is 80 and that for HTTPS is 443. Views Local portal Web server view Predefined user roles...
  • Page 334: Url-Parameter

    Syntax url url-string undo url Default No URL is specified for a portal Web server. Views Portal Web server view Predefined user roles network-admin Parameters url-string: Specifies a URL for the portal Web server, a case-sensitive string of 1 to 256 characters. Usage guidelines This command specifies a URL that can be accessed through standard HTTP or HTTPS.
  • Page 335 nas-port-id: Specifies the NAS-Port-ID. original-url: Specifies the URL of the original webpage that a portal user visits. source-address: Specifies the user IP address. ssid: Specifies the SSID of the AP. ap-mac: Specifies the MAC address of the AP. source-mac: Specifies the user MAC address. encryption: Specifies the encryption algorithm to encrypt the MAC address of the AP or user.
  • Page 336: User-Sync

    <Sysname> system-view [Sysname] portal web-server wbs [Sysname-portal-websvr-wbs] url-parameter userip source-address [Sysname-portal-websvr-wbs] url-parameter userurl value http://www.abc.com/welcome # Configure the URL parameter usermac for the portal Web server wbs. Configure the value of the usermac parameter as source-mac (the MAC addresses of users) and specify DES to encrypt the MAC addresses.
  • Page 337: Version

    For users that the portal authentication server reports as nonexistent, the device deletes the user information after the configured detection timeout expires. If the server reports users whose information does not exist on the device, the device encapsulates the IP addresses of those users in user heartbeat reply packets to the server.
  • Page 338: Vpn-Instance

    vpn-instance Use vpn-instance to specify an MPLS L3VPN instance for a portal Web server. Use undo vpn-instance to restore the default. Syntax vpn-instance vpn-instance-name undo vpn-instance Default A portal Web server belongs to the public network. Views Portal Web server view Predefined user roles network-admin Parameters...
  • Page 339 Parameters ipv6: Specifies the IPv6 Web redirect feature. Do not specify this keyword for the IPv4 Web redirect feature. url url-string: Specifies the URL to which the user is redirected. The URL must be complete and begin with http:// or https://, a string of 1 to 256 characters. interval interval: Specifies the time interval at which the user is redirected to the specified URL.
  • Page 340: Display Port-Security

    Port security commands This feature is supported only on the following ports: • Layer 2 Ethernet ports on Ethernet switching modules. • Fixed Layer 2 Ethernet ports of the following routers: MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A); MSR958 (JH300A/JH301A); MSR2004-24/2004-48; MSR1002-4/1003-8S; ...
  • Page 341
    Dot1x-failure trap : Disabled
    Dot1x-logon trap : Disabled
    Dot1x-logoff trap : Enabled
    Intrusion trap : Disabled
    Address-learned trap : Enabled
    Mac-auth-failure trap : Disabled
    Mac-auth-logon trap : Enabled
    Mac-auth-logoff trap : Disabled
    OUI value list
    Index : Value : 123401
    GigabitEthernet1/0/1 is link-up
    Port mode : userLogin...
  • Page 342 Field / Description: Mac-auth-failure trap: Whether SNMP notifications for MAC authentication failures are enabled. Mac-auth-logon trap: Whether SNMP notifications for MAC authentication successes are enabled. Mac-auth-logoff trap: Whether SNMP notifications for MAC authentication user logoffs are enabled. OUI value list: List of OUI values allowed for authentication. Port mode: Port security mode: •...
  • Page 343: Display Port-Security Mac-Address Block

    Field / Description: Authorization: Whether the authorization information from the authentication server (RADIUS server or local device) is ignored: • Permitted—Authorization information from the authentication server takes effect. • Ignored—Authorization information from the authentication server does not take effect. NAS-ID profile: NAS-ID profile applied to the port.
  • Page 344 --- On slot 1, 1 MAC address(es) found --- --- 1 mac address(es) found --- # (Distributed devices in IRF mode.) Display information about all blocked MAC addresses. <Sysname> display port-security mac-address block MAC ADDR Port VLAN ID --- On slot 0 in chassis 1, no MAC address found --- MAC ADDR Port VLAN ID...
  • Page 345 MAC ADDR Port VLAN ID --- On slot 0, no MAC address found --- MAC ADDR Port VLAN ID 000f-3d80-0d2d GE1/0/1 --- On slot 1, 1 MAC address(es) found --- --- 1 mac address(es) found --- # (Distributed devices in IRF mode.) Display information about all blocked MAC addresses in VLAN <Sysname>...
  • Page 346: Display Port-Security Mac-Address Security

    <Sysname> display port-security mac-address block interface gigabitethernet 1/0/1 vlan MAC ADDR Port VLAN ID 000d-88f8-0577 GE1/0/1 1 mac address(es) found # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about all blocked MAC addresses of GigabitEthernet 1/0/1 in VLAN 30. <Sysname>...
  • Page 347 Syntax display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] Views Any view Predefined user roles network-admin network-operator Parameters interface interface-type interface-number: Specifies a port by its type and number. vlan vlan-id: Specifies a VLAN by its ID. The value range is 1 to 4094. count: Displays only the count of the secure MAC addresses.
  • Page 348: Port-Security Authorization Ignore

    <Sysname> display port-security mac-address security interface gigabitethernet 1/0/1 vlan MAC ADDR VLAN ID STATE PORT INDEX AGING TIME 000d-88f8-0577 Security GE1/0/1 NOAGED 1 mac address(es) found Table 36 Command output (Field / Description): MAC ADDR: Secure MAC address. VLAN ID: ID of the VLAN to which the port belongs. Type of the MAC address added.
  • Page 349: Port-Security Authorization-Fail Offline

    Examples # Configure GigabitEthernet 1/0/1 to ignore the authorization information from the authentication server. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] port-security authorization ignore Related commands display port-security port-security authorization-fail offline Use port-security authorization-fail offline to enable the authorization-fail-offline feature. Use undo port-security authorization-fail offline to disable the authorization-fail-offline feature.
  • Page 350: Port-Security Intrusion-Mode

    Syntax port-security enable undo port-security enable Default Port security is disabled. Views System view Predefined user roles network-admin Usage guidelines You must disable global 802.1X and MAC authentication before you enable port security on a port. Enabling or disabling port security resets the following security settings to the default: •...
  • Page 351: Port-Security Mac-Address Aging-Type Inactivity

    Parameters blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. This action implements illegal traffic filtering on the port. A blocked MAC address is restored to normal after being blocked for 3 minutes, which is not user configurable.
  • Page 352: Port-Security Mac-Address Dynamic

    Default The inactivity aging feature is disabled for secure MAC addresses. Views Layer 2 Ethernet interface view Predefined user roles network-admin Usage guidelines If only the aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the sticky MAC addresses.
  • Page 353: Port-Security Mac-Address Security

    You can display dynamic secure MAC addresses by using the display port-security mac-address security command. The undo port-security mac-address dynamic command converts all dynamic secure MAC addresses on the port to sticky MAC addresses. You can manually configure sticky MAC addresses. Examples # Enable the dynamic secure MAC feature on GigabitEthernet 1/0/1.
  • Page 354: Port-Security Mac-Move Permit

    You can add important or frequently used MAC addresses as sticky or static secure MAC addresses to avoid the secure MAC address limit causing authentication failure. To successfully add secure MAC addresses on a port, first complete the following tasks: •...
  • Page 355: Port-Security Max-Mac-Count

    undo port-security mac-move permit Default MAC move is disabled on the device. Views System view Predefined user roles network-admin Usage guidelines This command takes effect on both 802.1X and MAC authentication users. MAC move allows 802.1X or MAC authenticated users to move between ports on a device. For example, if an 802.1X-authenticated user moves to another 802.1X-enabled port on the device, the authentication session is deleted from the first port.
  • Page 356: Port-Security Nas-Id-Profile

    In any other mode that enables 802.1X, MAC authentication, or both, this command sets the maximum number of authenticated MAC addresses on the port. The actual maximum number of concurrent users that the port accepts equals the smaller of the following values: •...
  • Page 357: Port-Security Ntk-Mode

    Examples # Apply the NAS-ID profile aaa to GigabitEthernet 1/0/1 for port security. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] port-security nas-id-profile aaa # Globally apply the NAS-ID profile aaa to port security. <Sysname> system-view [Sysname] port-security nas-id-profile aaa Related commands aaa nas-id profile port-security ntk-mode Use port-security ntk-mode to configure the NTK feature.
  • Page 358: Port-Security Oui

    MSR1002-4/1003-8S. The NTK feature checks the destination MAC addresses in outbound frames. This feature allows frames to be sent only to devices passing authentication, preventing illegal devices from intercepting network traffic. Examples # Set the NTK mode of GigabitEthernet 1/0/1 to ntkonly, allowing the port to forward received packets only to devices passing authentication.
  • Page 359: Port-Security Port-Mode

    Related commands display port-security port-security port-mode Use port-security port-mode to set the port security mode of a port. Use undo port-security port-mode to restore the default. Syntax port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui } undo port-security port-mode Default...
  • Page 360 Keyword / Security mode / Description: mac-else-userlogin-secure-ext / macAddressElseUserLoginSecureExt / Same as the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users. In this mode, MAC address learning is disabled on the port and you can configure MAC addresses by using the mac-address static and mac-address dynamic...
  • Page 361: Port-Security Timer Autolearn Aging

    MSR958 (JH300A/JH301A); MSR2004-24/2004-48; MSR1002-4/1003-8S. To change the security mode for a port security enabled port, you must set the port in noRestrictions mode first. Do not change port security mode when the port has online users. IMPORTANT: If you are configuring the autoLearn mode, first set port security's limit on the number of secure MAC addresses by using the port-security max-mac-count command.
  • Page 362: Port-Security Timer Disableport

    Parameters time-value: Specifies the aging timer in minutes for secure MAC addresses. The value is in the range of 0 to 129600. To disable the aging timer, set the timer to 0. Usage guidelines The timer applies to all sticky secure MAC addresses and those automatically learned by a port. A short aging time improves port access security and port resource utility but affects online user stability.
  • Page 363: Snmp-Agent Trap Enable Port-Security

    • MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A). • MSR958 (JH300A/JH301A). • MSR2004-24/2004-48. • MSR1002-4/1003-8S. If you configure the intrusion protection action as disabling the port temporarily, use this command to set the silence period. Examples # Configure the intrusion protection action on GigabitEthernet 1/0/1 as disabling the port temporarily, and set the port silence period to 30 seconds.
  • Page 364 Usage guidelines To report critical port security events to an NMS, enable SNMP notifications for port security. For port security event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see the network management and monitoring configuration guide for the device.
  • Page 365: Display User-Profile

    User profile commands Commands and descriptions for centralized devices apply to the following routers: • MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A). • MSR958 (JH300A/JH301A). • MSR1002-4/1003-8S. • MSR2003. • MSR2004-24/2004-48. • MSR3012/3024/3044/3064. Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers. display user-profile Use display user-profile to display configuration and online user information for user profiles.
  • Page 366 Examples # (Centralized devices in standalone mode.) Display configuration and online user information for user profile aaa. <Sysname> display user-profile name aaa User-Profile: aaa Inbound: CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes), PIR 888 (kbps) Policy: p1 Outbound: CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes), PIR 888 (kbps) Policy: p2 Connection-limit amount: 1000...
  • Page 367 Failed action list: Inbound: Policy p1 Inbound: CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes), PIR 888 (kbps) Connection-limit rate: 100 User user_2: Authentication type: Portal Network attributes: Interface : GigabitEthernet1/0/3 IP address : 172.16.187.16 : N/A Service VLAN : 100 User-Profile: bbb Inbound: CIR 512 (kbps), CBS 1024 (Bytes), EBS 0 (Bytes), PIR 888 (kbps)
  • Page 368 Authentication type: Portal Network attributes: Interface : GigabitEthernet1/2/0/3 IP address : 172.16.187.16 : N/A Service VLAN : 100 # (Distributed devices in IRF mode.) Display configuration and online user information for user profile bbb. <Sysname> display user-profile name bbb User-Profile: bbb Inbound: CIR 512 (kbps), CBS 1024 (Bytes), EBS 0 (Bytes), PIR 888 (kbps) Policy: p3...
  • Page 369 MAC address : 0000-1111-2222 Failed action list: Inbound: Policy p1 Chassis 1 Slot 5: User user_6: Authentication type: PPP Network attributes: Interface : GigabitEthernet1/2/0/3 User-Profile: bbb Inbound: CIR 512 (kbps), CBS 1024 (Bytes), EBS 0 (Bytes), PIR 888 (kbps) Policy: p3 Connection-limit rate: 200 Chassis 1 Slot 5: User user_7:...
  • Page 370: User-Profile

    Field / Description: Authentication type: • 802.1X—802.1X authentication. • Portal—Portal authentication. • PPP—PPP authentication. • MACA—MAC authentication. Network attributes: Online user information. Failed action list: Actions that failed to be applied to the user. user-profile Use user-profile to create a user profile and enter its view, or enter the view of an existing user profile.
  • Page 371: Display Password-Control

    Password control commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display password-control Use display password-control to display password control configuration.
  • Page 372: Display Password-Control Blacklist

    Table 38 Command output. Field / Description: Password control: Whether the password control feature is enabled. Password aging: Whether password expiration is enabled and, if enabled, the expiration time. Password length: Whether the minimum password length restriction feature is enabled and, if enabled, the setting. Password composition: Whether the password composition restriction feature is enabled and, if enabled, the settings.
  • Page 373: Password-Control { Aging | Composition | History | Length } Enable

    Usage guidelines If you do not specify any parameters, this command displays information about all users in the password control blacklist. The users' IP addresses and user accounts are added to the password control blacklist when the users fail authentication. You can use this command to view information about blacklisted FTP, Web, and virtual terminal line (VTY) users.
  • Page 374: Password-Control Aging

    Predefined user roles network-admin Parameters aging: Enables the password expiration feature. composition: Enables the password composition restriction feature. history: Enables the password history feature. length: Enables the minimum password length restriction feature. Usage guidelines For a specific password control feature to take effect, make sure the global password control and the specific password control feature are both enabled.
  • Page 375 Default A password expires after 90 days. The password expiration time for a user group equals the global setting. The password expiration time for a local user equals that of the user group to which the local user belongs. Views System view User group view Local user view...
  • Page 376: Password-Control Alert-Before-Expire

    password-control alert-before-expire Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration. Use undo password-control alert-before-expire to restore the default. Syntax password-control alert-before-expire alert-time undo password-control alert-before-expire Default The default is 7 days.
  • Page 377: Password-Control Composition

    User group view Local user view Predefined user roles network-admin Parameters same-character: Refuses a password that contains any character appearing consecutively three or more times. For example, the password aaabc is not complex enough. user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough.
  • Page 378 In FIPS mode: The password using the global composition policy must contain a minimum of four character types and a minimum of one character for each type. In both non-FIPS and FIPS modes: The password composition policy for a user group is the same as the global policy. The password composition policy for a local user is the same as that of the user group to which the local user belongs.
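The composition rules quoted in this section (minimum length, the number of character types and the characters required per type, the same-character check and the user-name check), worked through as an added Python example that is not Comware code. The policy values are the defaults the manual states; grouping characters into uppercase letters, lowercase letters, digits and other characters, and matching the username as an exact substring, are assumptions of this example.

```python
"""Offline model of the password-control composition rules in this section.

Added example, not Comware code. Policy values are the manual's defaults
(10-character minimum in non-FIPS mode, 15 characters and four character
types in FIPS mode); the four character types (uppercase letters, lowercase
letters, digits, everything else) are an assumption of this example.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 10          # password-control length (non-FIPS global default)
    type_number: int = 1          # minimum number of character types required
    type_length: int = 1          # minimum characters from each required type
    same_character: bool = False  # password-control composition ... same-character
    user_name: bool = False       # password-control composition ... user-name


# Global defaults quoted in this section; the FIPS policy adds the four-type rule.
NON_FIPS_POLICY = PasswordPolicy()
FIPS_POLICY = PasswordPolicy(min_length=15, type_number=4, type_length=1)
# Constructed policy with both optional composition checks switched on.
STRICT_POLICY = PasswordPolicy(min_length=10, type_number=3, type_length=2,
                               same_character=True, user_name=True)


def type_counts(password: str) -> Dict[str, int]:
    """Count characters per type (assumed grouping, see module docstring)."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["special"] += 1
    return counts


def has_repeated_run(password: str, run: int = 3) -> bool:
    """True if any character appears `run` or more times consecutively (e.g. aaabc)."""
    streak = 1
    for prev, cur in zip(password, password[1:]):
        streak = streak + 1 if cur == prev else 1
        if streak >= run:
            return True
    return False


def contains_username(password: str, username: str) -> bool:
    """True if the password contains the username or its reverse (abc123 or 321df
    for username 123). Exact, case-sensitive matching is an assumption here."""
    if not username:
        return False
    return username in password or username[::-1] in password


def check_password(password: str, username: str, policy: PasswordPolicy) -> List[str]:
    """Return the violated rules; an empty list means the password is accepted."""
    violations: List[str] = []
    if len(password) < policy.min_length:
        violations.append(f"length {len(password)} is below the minimum {policy.min_length}")
    # A type only counts as present once it supplies type_length characters.
    satisfied = [t for t, n in type_counts(password).items() if n >= policy.type_length]
    if len(satisfied) < policy.type_number:
        violations.append(
            f"only {len(satisfied)} character type(s) have at least {policy.type_length} "
            f"character(s); {policy.type_number} required")
    if policy.same_character and has_repeated_run(password):
        violations.append("a character appears three or more times consecutively")
    if policy.user_name and contains_username(password, username):
        violations.append("contains the username or the reverse of the username")
    return violations


if __name__ == "__main__":
    # Constructed sample passwords: the FIPS policy rejects the first for having
    # only three character types; the strict policy rejects the run of a's.
    for pw, user, policy in [("Abcdefghij12345", "admin", FIPS_POLICY),
                             ("Abcdefghij1234!", "admin", FIPS_POLICY),
                             ("aaabcdefG12", "admin", STRICT_POLICY)]:
        print(pw, check_password(pw, user, policy) or "accepted")
```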
  • Page 379: Password-Control Enable

    type-length type-length: Specifies the minimum number of characters that are from each type in the password. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode. Usage guidelines The password composition policy depends on the view: •...
  • Page 380: Password-Control Expired-User-Login

    The password control feature is disabled globally. In FIPS mode: The password control feature is enabled globally and cannot be disabled. Views System view Predefined user roles network-admin Usage guidelines A specific password control feature takes effect only after the global password control feature is enabled.
  • Page 381: Password-Control History

    Usage guidelines This command is effective only on non-FTP login users. An FTP user cannot continue to log in after its password expires. Examples # Allow a user to log in five times within 60 days after the password expires. <Sysname>...
  • Page 382: Password-Control Length

    password-control history enable reset password-control blacklist password-control length Use password-control length to set the minimum password length. Use undo password-control length to restore the default. Syntax password-control length length undo password-control length Default In non-FIPS mode: The global minimum password length is 10 characters. In FIPS mode: The global minimum password length is 15 characters.
  • Page 383: Password-Control Login Idle-Time

    # Set the minimum password length to 16 characters for the user group test. [Sysname] user-group test [Sysname-ugroup-test] password-control length 16 [Sysname-ugroup-test] quit # Set the minimum password length to 16 characters for the device management user abc. [Sysname] local-user abc class manage [Sysname-luser-manage-abc] password-control length 16 Related commands display local-user...
  • Page 384: Password-Control Login-Attempt

    password-control login-attempt Use password-control login-attempt to configure the login attempt limit. The settings include the maximum number of consecutive login failures and the action to be taken when the maximum number is reached. Use undo password-control login-attempt to restore the default. Syntax password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ] undo password-control login-attempt...
  • Page 385 Whether a blacklisted user and user account are locked depends on the locking setting: • If a user account is permanently locked for a user, the user cannot use this account unless this account is removed from the password control blacklist. To remove the user account, use the reset password-control blacklist command.
  • Page 386: Password-Control Super Aging

    Related commands display local-user display password-control display password-control blacklist display user-group reset password-control blacklist password-control super aging Use password-control super aging to set the expiration time for super passwords. Use undo password-control super aging to restore the default. Syntax password-control super aging aging-time undo password-control super aging Default A super password expires after 90 days.
  • Page 387: Password-Control Super Length

    A super password must contain a minimum of one character type and a minimum of one character for each type. In FIPS mode: A super password must contain a minimum of four character types and a minimum of one character for each type.
  • Page 388: Password-Control Update-Interval

    Predefined user roles network-admin Parameters length: Specifies the minimum length of super passwords in characters. The value range for this argument is 4 to 63 in non-FIPS mode, and 15 to 63 in FIPS mode. Examples # Set the minimum length of super passwords to 16 characters. <Sysname>...
  • Page 389: Reset Password-Control Blacklist

    reset password-control blacklist Use reset password-control blacklist to remove blacklisted users. Syntax reset password-control blacklist [ user-name user-name ] Views User view Predefined user roles network-admin Parameters user-name user-name: Specifies the username of a user account to be removed from the password control blacklist.
  • Page 390 <Sysname> reset password-control history-record Are you sure to delete all local user's history records? [Y/N]:y Related commands password-control history...
  • Page 391: Accept-Lifetime Utc

    Keychain commands accept-lifetime utc Use accept-lifetime utc to set the receiving lifetime for a key of a keychain in absolute time mode. Use undo accept-lifetime to restore the default. Syntax accept-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date } undo accept-lifetime Default...
  • Page 392: Authentication-Algorithm

    [Sysname] keychain abc mode absolute [Sysname-keychain-abc] key 1 [Sysname-keychain-abc-key-1] accept-lifetime utc 12:30 2015/1/21 to 18:30 2015/1/21 authentication-algorithm Use authentication-algorithm to specify an authentication algorithm for a key. Use undo authentication-algorithm to restore the default. Syntax authentication-algorithm { hmac-md5 | md5 } undo authentication-algorithm Default No authentication algorithm is specified for a key.
  • Page 393 Parameters name keychain-name: Specifies a keychain by its name, a case-sensitive string of 1 to 63 characters. If you do not specify a keychain, this command displays information about all keychains. key key-id: Specifies a key by its ID in the range of 0 to 281474976710655. If you do not specify a key, this command displays information about all keys in a keychain.
  • Page 394: Keychain

    Field / Description: Algorithm: Authentication algorithm for the key: hmac-md5 or md5. Send lifetime: Sending lifetime for the key. Send status: Status of the send key: Active or Inactive. Accept lifetime: Receiving lifetime for the key. Accept status: Status of the accept key: Active or Inactive. Use key to create a key for a keychain and enter its view, or enter the view of an existing key.
  • Page 395: Key-String

    Views System view Predefined user roles network-admin Parameters keychain-name: Specifies a keychain name, a case-sensitive string of 1 to 63 characters. mode: Specifies a time mode. absolute: Specifies the absolute time mode. In this mode, each time point during a key's lifetime is the UTC time and is not affected by the system's time zone or daylight saving time.
  • Page 396: Send-Lifetime Utc

    Examples # Set the key to 123456 in plaintext form for key 1. <Sysname> system-view [Sysname] keychain abc mode absolute [Sysname-keychain-abc] key 1 [Sysname-keychain-abc-key-1] key-string plain 123456 send-lifetime utc Use send-lifetime utc to set the sending lifetime for a key of a keychain in absolute time mode. Use undo send-lifetime to restore the default.
  • Page 397 [Sysname-keychain-abc] key 1 [Sysname-keychain-abc-key-1] send-lifetime utc 12:30 2015/1/21 to 18:30 2015/1/21...
  • Page 398: Display Public-Key Local Public

    Public key management commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Use display public-key local public to display local public keys.
  • Page 399 Key code: 307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442 762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64 DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E 9D85C13413996ECD093B0203010001 ============================================= Key name: rsa1 Key type: RSA Time when key pair created: 15:42:26 2011/05/12 Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D 426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA 1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7 9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03 92D8C6D940890BF4290203010001 # Display all local DSA public keys. <Sysname> display public-key local dsa public ============================================= Key name: dsakey (default) Key type: DSA...
  • Page 400 585DA7F42519718CC9B09EEF0381850002818100A1E456C8DA2AD1BB83B1BDF2A1A6B5A6E8 3642B460402445DA7E4036715F468F76655E114D460B7112F57143EE020AEF4A5BFAD07B74 0FBCB1C64DA8A2BCE619283421445EEC77D3CF0D11866E9656AD6511F4926F8376967B0AB7 15F9FB7B514BC1174155DD6E073B1FCB3A2749E6C5FEA81003E16729497D0EAD9105E3E76A # Display all local ECDSA public keys. <Sysname> display public-key local ecdsa public ============================================= Key name: ecdsakey (default) Key type: ECDSA Time when key pair created: 15:42:04 2011/05/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF 68F5DC877835A43009DB6135558A7FB8316C361B0690B4FD84A14C0779C76DD6145BF9362B ============================================= Key name: ecdsa1 Key type: ECDSA Time when key pair created: 15:43:33 2011/05/12 Key code:...
  • Page 401: Display Public-Key Peer

    # Display the public key of local ECDSA key pair ecdsa1. <Sysname> display public-key local ecdsa public name ecdsa1 ============================================= Key name: ecdsa1 Key type: ECDSA Time when key pair created: 15:43:33 2011/05/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1 AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58...
  • Page 402 Views Any view Predefined user roles network-admin network-operator Parameters brief: Displays brief information about all peer host public keys. The brief information includes only the key type, key modulus, and key name. name publickey-name: Displays detailed information about a peer host public key, including its key code.
  • Page 403: Peer-Public-Key End

    Table 44 Command output. Field / Description: Type: Key type: RSA, DSA or ECDSA. Modulus: Key modulus length in bits. Name: Name of the peer host public key. Related commands public-key peer public-key peer import sshkey peer-public-key end Use peer-public-key end to exit public key view to system view and save the configured peer host public key.
  • Page 404: Public-Key Local Create

    Related commands display public-key local public display public-key peer public-key peer public-key local create Use public-key local create to create local key pairs. Syntax In non-FIPS mode: public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 ] | rsa } [ name key-name ] In FIPS mode: public-key local create { dsa | ecdsa [ secp256r1 | secp384r1 ] | rsa } [ name key-name ]...
  • Page 405 When you create an RSA or DSA key pair, enter an appropriate key modulus length at the prompt. The longer the key modulus length, the higher the security, but also the longer the key generation time. When you create an ECDSA key pair, choose the appropriate elliptic curve. The elliptic curve determines the ECDSA key length.
  • Page 406 Create the key pair successfully. # Create a local DSA key pair with the default name. <Sysname> system-view [Sysname] public-key local create dsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 407: Public-Key Local Destroy

    ..+++++++++++++++++++++++++++++++++++++++++++++++++++* Create the key pair successfully. # Create a local ECDSA key pair named ecdsa1. <Sysname> system-view [Sysname] public-key local create ecdsa name ecdsa1 Generating Keys... Create the key pair successfully. # In FIPS mode, create a local RSA key pair with the default name. <Sysname>...
  • Page 408 Predefined user roles network-admin Parameters dsa: Specifies the DSA key pair type. ecdsa: Specifies the ECDSA key pair type. rsa: Specifies the RSA key pair type. name key-name: Specifies a local key pair by its name, a case-insensitive string of 1 to 64 characters.
  • Page 409: Public-Key Local Export Dsa

    public-key local export dsa Use public-key local export dsa to export a local DSA host public key. Syntax public-key local export dsa [ name key-name ] { openssh | ssh2 } [ filename ] Views System view Predefined user roles network-admin Parameters name key-name: Specifies a local DSA key pair by its name, a case-insensitive string of 1 to 64...
  • Page 410 Comment: "dsa-key-2011/05/12" AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3 B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACAQZEs400SvNIVfnqxw vA7PvOVEA89tKni/f6GDBvWY9Z2Q499pAqUBtYcqQea8T4zBInxx2eF3lLaZJrIvAS205zXxSzQoU9190kakd MdasIjQLWYGyepFc3sTwmIflQeweUwLVAPaOesKaCERjxg+e4maYWlAvySGT4c9NJlxLo= ---- END SSH2 PUBLIC KEY ---- # Display the host public key of the local DSA key pair with the default name in OpenSSH format. <Sysname> system-view [Sysname] public-key local export dsa openssh ssh-dss AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3 B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz...
  • Page 411: Public-Key Local Export Ecdsa

    public-key local export ecdsa Use public-key local export ecdsa to export a local ECDSA host public key. Syntax public-key local export ecdsa [ name key-name ] { openssh | ssh2 } [ filename ] Views System view Predefined user roles network-admin Parameters name key-name: Specifies a local ECDSA key pair by its name, a case-insensitive string of 1 to 64...
  • Page 412: Public-Key Local Export Rsa

    ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "ecdsa-sha2-nistp256-2014/07/06" AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBREw5tkARpbV+sYArt/xcW+UJEAevx7O ckTtTLPBiLP5bWkSdKbvo+3oHRuIyZqmNTIcxuBjuBap+pHc919C58= ---- END SSH2 PUBLIC KEY ---- # Display the host public key of the local ECDSA key pair with the default name in OpenSSH format. <Sysname> system-view [Sysname] public-key local export ecdsa openssh ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBREw5tkARpbV+sYArt/xcW+UJEAevx7O ckTtTLPBiLP5bWkSdKbvo+3oHRuIyZqmNTIcxuBjuBap+pHc919C58=...
  • Page 413 Save the exported local host public key to a file by using one of the following methods: • Use the public-key local export rsa [ name key-name ] { openssh | ssh2 } command to export the key, and then copy and paste it to a file. • Use the public-key local export rsa [ name key-name ] { openssh | ssh2 } filename ...
  • Page 414: Public-Key Peer

    [Sysname] public-key local export rsa name rsa1 openssh ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDevEbyF93xHUJucJWqRc1r8fhzQ9lSVprCI6ATZeDYyR1J00fBQ8XY+ q2olqoagn5YDyUC8ZJvUhlyMOHeORpkAVxD3XncTp4XG66h3rTHHa7Xmm7f1GDYlF0n05t8mCLVaupbfCzP8b a8UkrUmMO4fUvW6zavA5LYxtlAiQv0KQ== rsa-key Related commands public-key local create public-key peer import sshkey public-key peer Use public-key peer to assign a name to a peer host public key and enter public key view, or enter the view of an existing peer host public key.
  • Page 415: Public-Key Peer Import Sshkey

    display public-key peer peer-public-key end public-key peer import sshkey Use public-key peer import sshkey to import a peer host public key from a public key file. Use undo public-key peer to remove a peer host public key. Syntax public-key peer keyname import sshkey filename undo public-key peer keyname Default No peer host public keys exist.
  • Page 416: Attribute

    PKI commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. attribute Use attribute to configure a rule to filter certificates based on an attribute in the certificate issuer name, subject name, or alternative subject name field.
  • Page 417: Ca Identifier

    Table 47 Combinations of attribute-value pairs and operation keywords. Operation ctn: for DN, the DN contains the specified attribute value; for FQDN/IP, any FQDN or IP address contains the specified attribute value. Operation nctn: for DN, the DN does not contain the specified attribute value; for FQDN/IP, none of the FQDNs or IP addresses contain the specified attribute value.
  • Page 418: Certificate Request Entity

    Predefined user roles network-admin Parameters name: Specifies the trusted CA by its name, a case-sensitive string of 1 to 63 characters. Usage guidelines To obtain a CA certificate in a PKI domain, you must specify the trusted CA name. The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the CA server specified for the PKI domain.
  • Page 419: Certificate Request From

    You can specify only one PKI entity for a PKI domain. If you execute this command multiple times, the most recent configuration takes effect. Examples # Specify PKI entity en1 for certificate request in PKI domain aaa. <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] certificate request entity en1 Related commands pki entity...
  • Page 420 undo certificate request mode Default The certificate request mode is manual. Views PKI domain view Predefined user roles network-admin Parameters auto: Specifies the auto certificate request mode. password: Specifies a password for certificate revocation as required by the CA policy. cipher: Specifies a password in encrypted form.
  • Page 421: Certificate Request Polling

    [Sysname] pki domain aaa [Sysname-pki-domain-aaa] certificate request mode auto # Set the certificate request mode to auto, and set the certificate revocation password in plain text to 123456. <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] certificate request mode auto password simple 123456 # Set the certificate request mode to auto, and set the certificate revocation password in plain text to 123456.
  • Page 422: Certificate Request Url

    <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] certificate request polling interval 15 [Sysname-pki-domain-aaa] certificate request polling count 40 Related commands display pki certificate request-status certificate request url Use certificate request url to specify the URL of the certificate request reception authority (CA or RA) to which the device should send SCEP certificate requests.
  • Page 423: Common-Name

    [Sysname-pki-domain-aaa] certificate request url http://mytest.net/certsrv/mscep/mscep.dll vpn-instance vpn1 common-name Use common-name to set the common name for a PKI entity. Use undo common-name to restore the default. Syntax common-name common-name-string undo common-name Default No common name is set for a PKI entity. Views PKI entity view Predefined user roles...
  • Page 424: Crl Check

    Examples # Set the country code to CN for PKI entity en. <Sysname> system-view [Sysname] pki entity en [Sysname-pki-entity-en] country CN crl check Use crl check enable to enable CRL checking. Use undo crl check enable to disable CRL checking. Syntax crl check enable undo crl check enable...
  • Page 425: Display Pki Certificate Access-Control-Policy

    Views PKI domain view Predefined user roles network-admin Parameters url-string: Specifies the URL of the CRL repository, a case-sensitive string of 1 to 511 characters. The URL format is ldap://server_location or http://server_location. The URL length is restricted by the CLI string limitation or the url-string parameter, whichever is smaller.
  • Page 426: Display Pki Certificate Attribute-Group

    Predefined user roles network-admin network-operator Parameters policy-name: Specifies a certificate-based access control policy by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines If you do not specify a policy name, this command displays information about all certificate-based access control policies.
  • Page 427 Predefined user roles network-admin network-operator Parameters group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines If you do not specify a certificate attribute group, this command displays information about all certificate attribute groups.
  • Page 428: Display Pki Certificate Domain

    Related commands attribute pki certificate attribute-group display pki certificate domain Use display pki certificate domain to display information about certificates. Syntax display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] } Views Any view Predefined user roles network-admin network-operator...
  • Page 429 Version: 1 (0x0) Serial Number: 5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6 Signature Algorithm: sha1WithRSAEncryption Issuer: C=cn, O=docm, OU=rnd, CN=rootca Validity Not Before: Jan 6 02:51:41 2011 GMT Not After : Dec 7 03:12:05 2013 GMT Subject: C=cn, O=ccc, OU=ppp, CN=rootca Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:c4:fd:97:2c:51:36:df:4c:ea:e8:c8:70:66:f0:...
  • Page 430 Modulus: 00:b2:38:ad:8c:7d:78:38:37:88:ce:cc:97:17:39: 52:e1:99:b3:de:73:8b:ad:a8:04:f9:a1:f9:0d:67: d8:95:e2:26:a4:0b:c2:8c:63:32:5d:38:3e:fd:b7: 4a:83:69:0e:3e:24:e4:ab:91:6c:56:51:88:93:9e: 12:a4:30:ad:ae:72:57:a7:ba:fb:bc:ac:20:8a:21: 46:ea:e8:93:55:f3:41:49:e9:9d:cc:ec:76:13:fd: a5:8d:cb:5b:45:08:b7:d1:c5:b5:58:89:47:ce:12: bd:5c:ce:b6:17:2f:e0:fc:c0:3e:b7:c4:99:31:5b: 8a:f0:ea:02:fd:2d:44:7a:67 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin Netscape Comment: User Certificate of OpenCA Labs...
  • Page 431 43:c6:d7:72:92:e8:13:87:38:9a:9c:cd:54:38:b2:ad:ba:aa: f9:a4:68:b5:2a:df:9a:31:2f:42:80:0c:0c:d9:6d:b3:ab:0f: dd:a0:2c:c0:aa:16:81:aa:d9:33:ca:01:75:94:92:44:05:1a: 65:41:fa:1e:41:b5:8a:cc:2b:09:6e:67:70:c4:ed:b4:bc:28: 04:50:a6:33:65:6d:49:3c:fc:a8:93:88:53:94:4c:af:23:64: cb:af:e3:02:d1:b6:59:5f:95:52:6d:00:00:a0:cb:75:cf:b4: 50:c5:50:00:65:f4:7d:69:cc:2d:68:a4:13:5c:ef:75:aa:8f: 3f:ca:fa:eb:4d:d5:5d:27:db:46:c7:f4:7d:3a:b2:fb:a7:c9: de:18:9d:c1 # Display brief information about all peer certificates in PKI domain aaa. <Sysname> display pki certificate domain aaa peer Total peer certificates: 1 Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7 Subject Name: CN=sldsslserver # Display detailed information about a peer certificate in PKI domain aaa. <Sysname>...
  • Page 432: Display Pki Certificate Renew-Status

    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement Netscape Cert Type: SSL Server X509v3 Subject Alternative Name: DNS:docm.com X509v3 Subject Key Identifier: 3C:76:95:9B:DD:C2:7F:5F:98:83:B7:C7:A0:F8:99:1E:4B:D7:2F:26 X509v3 CRL Distribution Points: Full Name: URI:http://s03130.ccc.sec.com:447/ssl.crl Signature Algorithm: sha1WithRSAEncryption 61:2d:79:c7:49:16:e3:be:25:bb:8b:70:37:31:32:e5:d3:e3: 31:2c:2d:c1:f9:bf:50:ad:35:4b:c1:90:8c:65:79:b6:5f:59: 36:24:c7:14:63:44:17:1e:e4:cf:10:69:fc:93:e9:70:53:3c: 85:aa:40:7e:b5:47:75:0f:f0:b2:da:b4:a5:50:dd:06:4a:d5: 17:a5:ca:20:19:2c:e9:78:02:bd:19:77:da:07:1a:42:df:72: ad:07:7d:e5:16:d6:75:eb:6e:06:58:ee:76:31:63:db:96:a2: ad:83:b6:bb:ba:4b:79:59:9d:59:6c:77:59:5b:d9:07:33:a8: f0:a5...
  • Page 433 Character name and symbol (continued): Backslash (\), Right angle bracket (>), Vertical bar (|), Quotation marks ("), Colon (:), Apostrophe ('). Examples # Display the certificate renewal status for all PKI domains. <Sysname> display pki certificate renew-status Domain Name: domain1 Renew Time : 03:12:05 2016-06-13 Renew public key: Key type: RSA Time when key pair created: 15:40:48 2016/06/13...
  • Page 434: Display Pki Certificate Request-Status

    Field / Description: Key code: Public key data. display pki certificate request-status Use display pki certificate request-status to display certificate request status. Syntax display pki certificate request-status [ domain domain-name ] Views Any view Predefined user roles network-admin network-operator Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 53. Table 53 Special characters...
  • Page 435: Display Pki Crl Domain

    Remain polling attempts: 10 Next polling attempt after : 1191 seconds Certificate Request Transaction 2 Domain name: domain2 Status: Pending Key usage: Signature Remain polling attempts: 10 Next polling attempt after : 188 seconds Table 54 Command output Field Description Certificate Request Transaction number Certificate request transaction number, starting from 1.
  • Page 436 Table 55 Special characters Character name Symbol Character name Symbol Tilde Asterisk Left angle bracket < Backslash Right angle bracket > Vertical bar Quotation marks " Colon Apostrophe Usage guidelines Use this command to identify whether a certificate has been revoked. Examples # Display information about the CRL saved at the local for PKI domain aaa.
  • Page 437: Fqdn

    Table 56 Command output Field Description Version CRL version number. Signature Algorithm Signature algorithm used by the CA to sign the CRL. Issuer Name of the CA that issued the CRL. Last Update Most recent CRL update time. Next Update Next CRL update time.
  • Page 438: Ldap-Server

    Use ip to assign an IP address to a PKI entity. Use undo ip to restore the default. Syntax ip { ip-address | interface interface-type interface-number } undo ip Default No IP address is assigned to the PKI entity. Views PKI entity view Predefined user roles network-admin...
  • Page 439: Locality

    Parameters host hostname: Specifies an LDAP server by its IPv4 address, IPv6 address, or domain name. The domain name is a case-sensitive string of 1 to 255 characters. port port-number: Specifies the port number of the LDAP server. The value range is 1 to 65535, and the default is 389.
  • Page 440: Organization

    Parameters locality-name: Specifies a locality, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set a city name as the locality. Examples # Set the locality to pukras for PKI entity en. <Sysname> system-view [Sysname] pki entity en [Sysname-pki-entity-en] locality pukras organization...
  • Page 441: Pki Abort-Certificate-Request

    Predefined user roles network-admin Parameters org-unit-name: Specifies an organization unit name, a case-sensitive string of 1 to 63 characters. No commas can be included. Examples # Set the organization unit name to rdtest for PKI entity en. <Sysname> system-view [Sysname] pki entity en [Sysname-pki-entity-en] organization-unit rdtest pki abort-certificate-request Use pki abort-certificate-request to abort the certificate request for a PKI domain.
  • Page 442: Pki Certificate Access-Control-Policy

    Related commands display pki certificate request-status pki request-certificate domain pki certificate access-control-policy Use pki certificate access-control-policy to create a certificate-based access control policy and enter its view, or enter the view of an existing certificate-based access control policy. Use undo pki certificate access-control-policy to remove a certificate-based access control policy.
  • Page 443: Pki Delete-Certificate

    Default No certificate attribute groups exist. Views System view Predefined user roles network-admin Parameters group-name: Specifies a group name, a case-insensitive string of 1 to 31 characters. Usage guidelines A certificate attribute group is a set of attribute rules configured by using the attribute command. Each attribute rule defines a matching criterion for an attribute in the issuer name, subject name, or alternative subject name field of certificates.
  • Page 444 Character name Symbol Character name Symbol Backslash Right angle bracket > Vertical bar Quotation marks " Colon Apostrophe ca: Specifies the CA certificate. local: Specifies the local certificates. peer: Specifies the peer certificates. serial serial-num: Specifies a peer certificate by its serial number, a case-insensitive string of 1 to 127 characters.
  • Page 445: Pki Domain

    pki domain Use pki domain to create a PKI domain and enter its view, or enter the view of an existing PKI domain. Use undo pki domain to remove a PKI domain. Syntax pki domain domain-name undo pki domain domain-name Default No PKI domains exist.
  • Page 446: Pki Export

    Default No PKI entities exist. Views System view Predefined user roles network-admin Parameters entity-name: Specifies a name for a PKI entity, a case-insensitive string of 1 to 31 characters. Usage guidelines A PKI entity includes the identity information that can be used by a CA to identify a certificate applicant.
  • Page 447 Character name Symbol Character name Symbol Vertical bar Quotation marks " Colon Apostrophe der: Specifies the DER certificate file format, including PKCS#7. p12: Specifies the PKCS#12 certificate file format. pem: Specifies the PEM certificate file format. all: Specifies both CA and local certificates. The RA certificate is excluded. ca: Specifies the CA certificate.
  • Page 448 • If the PKI domain has both the CA certificate and local certificates, you get the following results: If you specify a file name, each local certificate is exported to a separate file with its associated CA certificate chain. If you do not specify a file name, the local certificates and CA certificate or CA certificate ...
  • Page 449 friendlyName: localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D subject=/C=CN/O=OpenCA Labs/OU=Users/CN=chktest chktest issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd -----BEGIN CERTIFICATE----- MIIEqjCCA5KgAwIBAgILAOhID4rI04kBfYgwDQYJKoZIhvcNAQELBQAwRTELMAkG A1UEBhMCQ04xFDASBgNVBAoMC09wZW5DQSBMYWJzMREwDwYDVQQLDAhzb2Z0d2Fy ZTENMAsGA1UEAwwEYWJjZDAeFw0xMTA0MjYxMzMxMjlaFw0xMjA0MjUxMzMxMjla ME0xCzAJBgNVBAYTAkNOMRQwEgYDVQQKDAtPcGVuQ0EgTGFiczEOMAwGA1UECwwF VXNlcnMxGDAWBgNVBAMMD2Noa3Rlc3QgY2hrdGVzdDCBnzANBgkqhkiG9w0BAQEF AAOBjQAwgYkCgYEA54rUZ0Ux2kApceE4ATpQ437CU6ovuHS5eJKZyky8fhMoTHhE jE2KfBQIzOZSgo2mdgpkccjr9Ek6IUC03ed1lPn0IG/YaAl4Tjgkiv+w1NrlSvAy cnPaSUko2QbO9sg3ycye1zqpbbqj775ulGpcXyXYD9OY63/Cp5+DRQ92zGsCAwEA AaOCAhUwggIRMAkGA1UdEwQCMAAwUAYDVR0gBEkwRzAGBgQqAwMEMAYGBCoDAwUw NQYEKgMDBjAtMCsGCCsGAQUFBwIBFh9odHRwczovL3RpdGFuL3BraS9wdWIvY3Bz L2Jhc2ljMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCBsAwKQYDVR0lBCIw IAYIKwYBBQUHAwIGCCsGAQUFBwMEBgorBgEEAYI3FAICMC4GCWCGSAGG+EIBDQQh Fh9Vc2VyIENlcnRpZmljYXRlIG9mIE9wZW5DQSBMYWJzMB0GA1UdDgQWBBTPw8FY ut7Xr2Ct/23zU/ybgU9dQjAfBgNVHSMEGDAWgBQzEQ58yIC54wxodp6JzZvn/gx0...
  • Page 450 u9x9hhp5Ns23bwyNP135qTNjx9i/CZMKvLKywm3Yg+Bgg8Df4bBrFrsH1U0ifmmp ir2+OuhlC+GbHOxWNeBCa8iAq91k6FGFJ0OLA2oIvhCnh45tM7BjjKTHk+RZdMiA 0TKSWuOyihrwxdUEWh999GKUpkwDHLZJFd21z/kWspqThodEx8ea -----END ENCRYPTED PRIVATE KEY----- # Display all certificates in the PKI domain in PEM format. For the private keys, the cryptographic algorithm is DES_CBC and the password is 111. <Sysname> system-view [Sysname] pki export domain domain1 pem all des-cbc 111 %The signature usage local certificate: Bag Attributes friendlyName:...
  • Page 451 DARhYmNkMB4XDTExMDQxODExNDQ0N1oXDTEzMDQxNzExNDQ0N1owRTELMAkGA1UE BhMCQ04xFDASBgNVBAoMC09wZW5DQSBMYWJzMREwDwYDVQQLDAhzb2Z0d2FyZTEN MAsGA1UEAwwEYWJjZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM1g vomMF8S4u6q51bOwjKFUBwxyvOy4D897LmOSedaCyDt6Lvp+PBEHfwWBYBpsHhk7 kmnSNhX5dZ6NxunHaARZ2VlcctsYKyvAQapuaThy1tuOcphAB+jQQL9dPoqdk0xp jvmPDlW+k832Konn9U4dIivS0n+/KMGh0g5UyzHGqUUOo7s9qFuQf5EjQon40TZg BwUnFYRlvGe7bSQpXjwi8LTyxHPy+dDVjO5CP+rXx5IiToFy1YGWewkyn/WeswDf Yx7ZludNus5vKWTihgx2Qalgb+sqUMwI/WUET7ghO2dRxPUdUbgIYF0saTndKPYd 4oBgl6M0SMsHhe9nF5UCAwEAAaOCAVowggFWMA8GA1UdEwEB/wQFMAMBAf8wCwYD VR0PBAQDAgEGMB0GA1UdDgQWBBQzEQ58yIC54wxodp6JzZvn/gx0CDAfBgNVHSME GDAWgBQzEQ58yIC54wxodp6JzZvn/gx0CDAZBgNVHREEEjAQgQ5wa2lAb3BlbmNh Lm9yZzAZBgNVHRIEEjAQgQ5wa2lAb3BlbmNhLm9yZzCBgQYIKwYBBQUHAQEEdTBz MDIGCCsGAQUFBzAChiZodHRwOi8mdcGl0YW4vcGtpL3B1Yi9jYWNlcnQvY2FjZXJ0 LmNydDAeBggrBgEFBQcwAYYSaHR0cDovL3RpdGFuOjI1NjAvMB0GCCsGAQUFBzAM hhFodHRwOi8mdcGl0YW46ODMwLzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vMTky LjE2OC40MC4xMjgvcGtpL3B1Yi9jcmwvY2FjcmwuY3JsMA0GCSqGSIb3DQEBCwUA A4IBAQC0q0SSmvQNfa5ELtRKYF62C/Y8QTLbk6lZDTZuIzN15SGKQcbNM970ffCD Lk1zosyEVE7PLnii3bZ5khcGO3byyXfluAqRyOGVJcudaw7uIQqgv0AJQ+zaQSHi d4kQf5QWgYkQ55/C5puOmcMRgCbMpR2lYkqXLDjTIAZIHRZ/sTp6c+ie2bFxi/YT 3xYbO0wDMuGOKJJpsyKTKcbG9NdfbDyFgzEYAobyYqAUB3C0/bMfBduwhQWKSoYE 6vZsPGAEisCmAl3dIp49jPgVkixoShraYF1jLsWzJGlzem8QvWYzOqKEDwq3SV0Z cXK8gzDBcsobcUMkwIYPAmd1kAPX -----END CERTIFICATE----- Bag Attributes friendlyName: localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D Key Attributes: <No Attributes>...
  • Page 452 MIIB+TCCAWICEQDMbgjRKygg3vpGFVY6pa3ZMA0GCSqGSIb3DQEBBQUAMD0xCzAJ BgNVBAYTAmNuMQwwCgYDVQQKEwNoM2MxETAPBgNVBAsTCGgzYy10ZXN0MQ0wCwYD VQQDEwQ4MDQzMB4XDTExMDMyMjA0NDQyNFoXDTE0MDMyMzA0MzUyNFowPTELMAkG A1UEBhMCY24xDDAKBgNVBAoTA2gzYzERMA8GA1UECxMIaDNjLXRlc3QxDTALBgNV BAMTBDgwNDMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOvDAYQhyc++G7h5 eNDzJs22OQjCn/4JqnNKIdKz1BbaJT8/+IueSn9JIsg64Ex2WBeCd/tcmnSW57ag dCvNIUYXXVOGca2iaSOElqCF4CQfV9zLrBtA7giHD49T+JbxLrrJLmdIQMJ+vYdC sCxIp3YMAiuCahVLZeXklooqwqIXAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAElm7 W2Lp9Xk4nZVIpVV76CkNe8/C+Id00GCRUUVQFSMvo7Pded76bmYX2KzJSz+DlMqy TdVrgG9Fp6XTFO80aKJGe6NapsfhJHKS+Q7mL0XpXeMONgK+e3dX7rsDxsY7hF+j 0gwsHrjV7kWvwJvDlhzGW6xbpr4DRmdcao19Cr6o= -----END CERTIFICATE----- # Export the CA certificate in the PKI domain to a file named cacert in PEM format. <Sysname> system-view [Sysname] pki export domain domain1 pem ca filename cacert # Display the CA certificate or the CA certificate chain in the PKI domain on the monitor screen.
  • Page 453: Pki Import

    EwJjbjEMMAoGA1UEChMDaDNjMQwwCgYDVQQLEwNoM2MxDzANBgNVBAMTBnJvb3Rj YTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxP2XLFE230zq6MhwZvAomOxa 7tc1r4bESXZu3UBKno3Ay9kQm2HrDOAizvZXfLu7Gx22ga2Qdz0lIeZ+EQrYHTyO pBcejDjal/ZtvgnjXyHFoG8nS+P7n83BkRj/Fu7Yz4zjTKMbCF2EfhEyXxr4NSXA fhC9qg9S23vNXStmWvsCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBtsU7X77sdZ1Nn 0I98lh0qA5g7SEEIpI+pwZjjrH0FVHw01e4JWhHjyHqrOyfXYqe7vH4SXp5MHEqf 14nKIEbexbPONspebtznxv4/xTjd1aM2rfQ95jJ/SN8H8KIyiYZyIs3t5Q+V35x1 cef+NMWgZBzwXOSP0wC9+pC2ZNiIpg== -----END CERTIFICATE----- # Export the local certificates and their private keys in the PKI domain to a file named cert-lo.der in PKCS12 format. The password for the private keys is 123. <Sysname> system-view [Sysname] pki export domain domain1 p12 local passphrase 123 filename cert-lo.der # Export all certificates in the PKI domain to a file named cert-all.p7b in PKCS12 format.
  • Page 454 ca: Specifies the CA certificate. local: Specifies the local certificates. peer: Specifies the peer certificates. filename filename: Specifies a certificate file name, a case-insensitive string. For a certificate in PEM format, you can also choose to copy and paste the certificate contents on the terminal instead of importing from a file.
  • Page 455 c. Encryption key pair. • If the purpose of the key pair is signature, the device uses the key pair to replace the local key pair that is found in this order: d. General-purpose key pair. e. Signature key pair. •...
  • Page 456 Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,8DCE37F0A61A4B8C k9C3KHY5S3EtnF5iQymvHYYrVFy5ZdjSasU5y4XFubjdcvmpFHQteMjD0GKX6+xO kuKbvpyCnWsPVg56sL/PDRyrRmqLmtUV3bpyQsFXgnc7p+Snj3CG2Ciow9XApybW Ec1TDCD75yuQckpVQdhguTvoPQXf9zHmiGu5jLkySp2k7ec/Mc97Ef+qqpfnHpQp GDmMqnFpp59ZzB21OGlbGzlPcsjoT+EGpZg6B1KrPiCyFim95L9dWVwX9sk+U1s2 +8wqac8jETwwM0UZ1NGJ50JJz1QYIzMbcrw+S5WlPxACTIz1cldlBlb1kpc+7mcX 4W+MxFzsL88IJ99T72eu4iUNsy26g0BZMAcc1sJA3A4w9RNhfs9hSG43S3hAh5li JPp720LfYBlkQHn/MgMCZASWDJ5G0eSXQt9QymHAth4BiT9v7zetnQqf4q8plfd/ Xqd9zEFlBPpoJFtJqXwxHUCKgw6kJeC4CxHvi9ZCJU/upg9IpiguFPoaDOPia+Pm GbRqSyy55clVde5GOccGN1DZ94DW7AypazgLpBbrkIYAdjFPRmq+zMOdyqsGMTNj jnheI5l784pNOAKuGi0i/uXmRRcfoMh6qAnK6YZGS7rOLC9CfPmy8fgY+/Sl9d9x Q00ruO1psxzh9c2YfuaiXFIx0auKl6o5+ZZYn7Rg/xy2Y0awVP+dO925GoAcHO40 cCl6jA/HsGAU9HkpwKHL35lmBDRLEzQeBFcaGwSm1JvRfE4tkJM7+Uz2QHJOfP10 0VLqMgxMlpk3TvBWgzHGJDe7TdzFCDPMPhod8pi4P8gGXmQd01PbyQ== -----END RSA PRIVATE KEY----- Bag Attributes localKeyID: 01 00 00 00 subject=/CN=sldsslserver issuer=/C=cn/O=ccc/OU=sec/CN=ssl -----BEGIN CERTIFICATE----- MIICjzCCAfigAwIBAgIRAJoDN+shVrofVHbk11SlqfcwDQYJKoZIhvcNAQEFBQAw NzELMAkGA1UEBhMCY24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDc2VjMQwwCgYD VQQDEwNzc2wwHhcNMTAxMDE1MDEyMzA2WhcNMTIwNzI2MDYzMDU0WjAXMRUwEwYD VQQDEwxzbGRzc2xzZXJ2ZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMLP N3aTKV7NDndIOk0PpiikYPgxVih/geMXR3iYaANbcvRX07/FMDINWHJnBAZhCDvp rFO552loGiPyl0wmFMK12TSL7sHvrxr0OdrFrqtWlbW+DsNGNcFSKZy3RvIngC2k ZZqBeFPUytP185JUhbOrVaUDlisZi6NNshcIjd2BAgMBAAGjgbowgbcwHwYDVR0j BBgwFoAUmoMpEynZYoPLQdR1LlKhZjg8kBEwDgYDVR0PAQH/BAQDAgP4MBEGCWCG SAGG+EIBAQQEAwIGQDASBgNVHREECzAJggdoM2MuY29tMB0GA1UdDgQWBBQ8dpWb 3cJ/X5iDt8eg+JkeS9cvJjA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vczAzMTMw LmgzYy5odWF3ZWktM2NvbS5jb206NDQ3L3NzbC5jcmwwDQYJKoZIhvcNAQEFBQAD...
  • Page 457: Pki Request-Certificate

    tKQAfpXCPIkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBWsaMgRbBMtYNrrYCMjY6g c7PBjvajVOKNUMxaDalePmXfKCxl91+PKM7+i8I/zLcoQO+sHbva26a2/C4sNvoJ 2QZs6GtAOahP6CDqXC5VuNBU6eTKNKjL+mf6uuDeMxrlDNha0iymdrXXVIp5cuIu fl7xgArs8Ks6aXDXM1o4DQ== -----END CERTIFICATE----- Please input the password:******** Local certificate already exist, confirm to overwrite it? [Y/N]:y The PKI domain already has a CA certificate. If it is overwritten, local certificates, peer certificates and CRL of this domain will also be deleted. Overwrite it? [Y/N]:y The system is going to save the key pair.
  • Page 458: Pki Retrieve-Certificate

    Character name Symbol Character name Symbol Backslash Right angle bracket > Vertical bar Quotation marks " Colon Apostrophe password password: Sets the password for certificate revocation, a case-sensitive string of 1 to 31 characters. The password is contained in the certificate request and must be provided if the certificate is revoked.
  • Page 459 Syntax pki retrieve-certificate domain domain-name { ca | local | peer entity-name } Views System view Predefined user roles network-admin Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 63. Table 63 Special characters Character name...
  • Page 460: Pki Retrieve-Crl

    <Sysname> system-view [Sysname] pki retrieve-certificate domain aaa local # Obtain the certificate of peer entity en1 from the certificate distribution server. <Sysname> system-view [Sysname] pki retrieve-certificate domain aaa peer en1 Related commands display pki certificate pki delete-certificate pki retrieve-crl Use pki retrieve-crl to obtain CRLs and save them locally. Syntax pki retrieve-crl domain domain-name Views...
  • Page 461: Pki Storage

    • If the PKI domain is not configured with the CRL repository, the device looks up the local certificates and then the CA certificate for the CRL repository. If a CRL repository is found, the device obtains CRLs from the CRL repository. If no CRL repository is found, the device obtains CRLs through the SCEP protocol.
  • Page 462: Pki Validate-Certificate

    <Sysname> system-view [Sysname] pki storage certificates flash:/pki-new # Specify pki-new as the storage path for CRLs. <Sysname> system-view [Sysname] pki storage crls pki-new pki validate-certificate Use pki validate-certificate to verify the validity of certificates. Syntax pki validate-certificate domain domain-name { ca | local } Views System view Predefined user roles...
  • Page 463 Examples # Verify the validity of the CA certificate in PKI domain aaa. <Sysname> system-view [Sysname] pki validate-certificate domain aaa ca Verifying certificates..Serial Number: f6:3c:15:31:fe:bb:ec:94:dc:3d:b9:3a:d9:07:70:e5 Issuer: C=cn O=ccc OU=ppp CN=rootca Subject: C=cn O=abc OU=test CN=aca Verify result: OK Verifying certificates..Serial Number: 5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6 Issuer:...
  • Page 464: Public-Key Dsa

    CN=fips fips-sec Verify result: OK Related commands crl check pki domain public-key dsa Use public-key dsa to specify a DSA key pair for certificate request. Use undo public-key to restore the default. Syntax public-key dsa name key-name [ length key-length ] undo public-key Default No key pair is specified for certificate request.
  • Page 465: Public-Key Ecdsa

    Examples # Specify 2048-bit DSA key pair abc for certificate request. <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] public-key dsa name abc length 2048 Related commands pki import public-key local create (see Security Command Reference) public-key ecdsa Use public-key ecdsa to specify an ECDSA key pair for certificate request. Use undo public-key to restore the default.
  • Page 466: Public-Key Rsa

    A PKI domain can have key pairs using only one type of cryptographic algorithm (DSA, ECDSA, or RSA). • If DSA or ECDSA is used, a PKI domain can have only one key pair. If you configure a DSA or ECDSA key pair multiple times, the most recent configuration takes effect.
  • Page 467: Root-Certificate Fingerprint

    name key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-). length key-length: Specifies the key length, in bits. In non-FIPS mode, the value range is 512 to 2048, and the default is 1024.
  • Page 468 Syntax In non-FIPS mode: root-certificate fingerprint { md5 | sha1 } string undo root-certificate fingerprint In FIPS mode: root-certificate fingerprint sha1 string undo root-certificate fingerprint Default No fingerprint is set for verifying the root CA certificate. Views PKI domain view Predefined user roles network-admin Parameters...
  • Page 469: Rule

    [Sysname] pki domain aaa [Sysname-pki-domain-aaa] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93 Related commands certificate request mode pki import pki retrieve-certificate rule Use rule to create an access control rule. Use undo rule to remove an access control rule. Syntax rule [ id ] { deny | permit } group-name undo rule id Default No access control rules exist.
  • Page 470: Source

    [Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup Related commands attribute display pki certificate access-control-policy pki certificate attribute-group source Use source to specify the source IP address for PKI protocol packets. Use undo source to restore the default. Syntax source { ip | ipv6 } { ip-address | interface interface-type interface-number } undo source Default The source IP address of PKI protocol packets is the IP address of their outgoing interface.
  • Page 471: State

    [Sysname] pki domain aaa [Sysname-pki-domain-aaa] source ip interface gigabitethernet 1/0/1 # Set the source IP address to the IPv6 address of GigabitEthernet 1/0/1 for PKI protocol packets. <Sysname> system-view [Sysname] pki domain 1 [Sysname-pki-domain-1] source ipv6 interface gigabitethernet 1/0/1 state Use state to set the state or province name for a PKI entity.
  • Page 472: Usage

    Parameters dn-string: Specifies the DN for the PKI entity, a case-insensitive string of 1 to 511 characters. Usage guidelines The subject DN string is a sequence of attribute=value pairs separated by commas. Each attribute can be specified multiple times with different values. Supported DN attributes are: •...
  • Page 473 Default No certificate extensions are specified. A certificate can be used for IKE, SSL clients, and SSL servers. Views PKI domain view Predefined user roles network-admin Parameters ike: Specifies the IKE certificate extension so IKE peers can use the certificates. ssl-client: Specifies the SSL client certificate extension so the SSL client can use the certificates.
  • Page 474: Ah Authentication-Algorithm

    IPsec commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. ah authentication-algorithm Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
  • Page 475 description Use description to configure a description for an IPsec policy, IPsec policy template, or IPsec profile. Use undo description to restore the default. Syntax description text undo description Default No description is configured. Views IPsec policy view IPsec policy template view IPsec profile view Predefined user roles network-admin...
  • Page 476 seq-number: Specifies an IPsec policy entry by its sequence number in the range of 1 to 65535. Usage guidelines If you do not specify any parameters, this command displays information about all IPsec policies. If you specify an IPsec policy name and a sequence number, this command displays information about the specified IPsec policy entry.
  • Page 477 Sequence number: 2 Mode: ISAKMP ----------------------------- The policy configuration is incomplete: Remote-address not set ACL not specified Transform-set not set Description: This is my first IPv4 Isakmp policy Traffic Flow Confidentiality: Enabled Security data flow: Selector mode: standard Local address: Remote address: Transform set: IKE profile:...
  • Page 478 Outbound ESP setting: ESP SPI: 8000 (0x00001f40) ESP string-key: ****** ESP encryption hex key: ESP authentication hex key: ----------------------------- Sequence number: 2 Mode: ISAKMP ----------------------------- Description: This is my complete policy Traffic Flow Confidentiality: Enabled Security data flow: 3200 Selector mode: standard Local address: Remote address: 5.3.6.9 Transform set:...
  • Page 479 Outbound AH setting: AH SPI: 1237 (0x000004d5) AH string-key: ****** AH authentication hex key: Outbound ESP setting: ESP SPI: 1238 (0x000004d6) ESP string-key: ****** ESP encryption hex key: ESP authentication hex key: Table 66 Command output Field Description IPsec Policy IPsec policy name.
  • Page 480: Display Ipsec { Ipv6-Policy-Template | Policy-Template }

    Field Description SA idle time Idle timeout of the IPsec SA, in seconds. AH string-key AH string key. This field displays ****** if the key is configured and it is empty if the key is not configured. AH authentication hex key AH authentication hexadecimal key. This field displays ****** if the key is configured and it is empty if the key is not configured.
  • Page 481 Examples # Display information about all IPv4 IPsec policy templates. <Sysname> display ipsec policy-template ----------------------------------------------- IPsec Policy Template: template ----------------------------------------------- --------------------------------- Sequence number: 1 --------------------------------- Description: This is policy template Traffic Flow Confidentiality: Disabled Security data flow : Selector mode: standard Local address: IKE profile: IKEv2 profile:...
  • Page 482: Display Ipsec Profile

    Field Description Sequence number Sequence number of the IPsec policy template entry. Description Description of the IPsec policy template. Traffic Flow Confidentiality Whether Traffic Flow Confidentiality (TFC) padding is enabled. Security data flow ACL used by the IPsec policy template. Data flow protection mode of the IPsec policy template: •...
  • Page 483: Display Ipsec Sa

    Mode: Manual ----------------------------------------------- Transform set: prop1 Inbound AH setting: AH SPI: 12345 (0x00003039) AH string-key: AH authentication hex key: ****** Inbound ESP setting: ESP SPI: 23456 (0x00005ba0) ESP string-key: ESP encryption hex-key: ****** ESP authentication hex-key: ****** Outbound AH setting: AH SPI: 12345 (0x00003039) AH string-key: AH authentication hex key: ******...
  • Page 484 Parameters brief: Displays brief information about all IPsec SAs. count: Displays the number of IPsec SAs. interface interface-type interface-number: Specifies an interface by its type and number. ipv6-policy: Displays detailed information about IPsec SAs created by using a specified IPv6 IPsec policy.
  • Page 485 # Display detailed information about all IPsec SAs. <Sysname> display ipsec sa ------------------------------- Interface: GigabitEthernet1/0/1 ------------------------------- ----------------------------- IPsec policy: r2 Sequence number: 1 Mode: ISAKMP Flow table status: Active ----------------------------- Tunnel id: 3 Encapsulation mode: tunnel Perfect Forward Secrecy: Inside VRF: vp1 Extended Sequence Number enable: Y Traffic Flow Confidentiality enable: N Path MTU: 1443...
  • Page 486 Global IPsec SA ------------------------------- ----------------------------- IPsec profile: profile Mode: Manual ----------------------------- Encapsulation mode: transport [Inbound AH SAs] SPI: 1234563 (0x0012d683) Connection ID: 9 Transform set: AH-SHA1 No duration limit for this SA [Outbound AH SAs] SPI: 1234563 (0x002d683) Connection ID: 10 Transform set: AH-SHA1 No duration limit for this SA Table 70 Command output...
  • Page 487 Field Description Path MTU Path MTU of the IPsec SA. Tunnel Local and remote addresses of the IPsec tunnel. This field is not displayed if the negotiation mode is GDOI. local address Local end IP address of the IPsec tunnel. remote address Remote end IP address of the IPsec tunnel.
  • Page 488: Display Ipsec Statistics

    display ipsec statistics Use display ipsec statistics to display IPsec packet statistics. Syntax display ipsec statistics [ tunnel-id tunnel-id ] Views Any view Predefined user roles network-admin network-operator Parameters tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel-id argument is 0 to 4294967295.
  • Page 489: Display Ipsec Transform-Set

    Wrong SA: 0 Invalid length: 0 Authentication failure: 0 Encapsulation failure: 0 Decapsulation failure: 0 Replayed packets: 0 ACL check failure: 0 MTU check failure: 0 Loopback limit exceeded: 0 Crypto speed limit exceeded: 0 Table 71 Command output Field Description Received/sent packets Number of received/sent IPsec-protected packets.
  • Page 490 Parameters transform-set-name: Specifies an IPsec transform set by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines If you do not specify an IPsec transform set, this command displays information about all IPsec transform sets. Examples # Display information about all IPsec transform sets. <Sysname>...
  • Page 491: Display Ipsec Tunnel

    Field Description Integrity Authentication algorithm used by the security protocol. Encryption Encryption algorithm used by the security protocol. Related commands ipsec transform-set display ipsec tunnel Use display ipsec tunnel to display information about IPsec tunnels. Syntax display ipsec tunnel { brief | count | tunnel-id tunnel-id } Views Any view Predefined user roles...
  • Page 492 Field Description Inbound SPI Valid SPI in the inbound direction of the IPsec tunnel. If the tunnel uses two security protocols, two SPIs in the inbound direction are displayed in two lines. Outbound SPI Valid SPI in the outbound direction of the IPsec tunnel. If the tunnel uses two security protocols, two SPIs in the outbound direction are displayed in two lines.
  • Page 493: Encapsulation-Mode

    SA's SPI: outbound: 6000 (0x00001770) [AH] inbound: 5000 (0x00001388) [AH] outbound: 8000 (0x00001f40) [ESP] inbound: 7000 (0x00001b58) [ESP] Tunnel: local address: 1.2.3.1 remote address: 2.2.2.2 Flow: as defined in ACL 3100 Table 74 Command output Field Description Tunnel ID IPsec ID, used to uniquely identify an IPsec tunnel. IPsec tunnel status: Active or Standby.
  • Page 494: Esn Enable

    Default IP packets are encapsulated in tunnel mode. Views IPsec transform set view Predefined user roles network-admin Parameters transport: Uses the transport mode for IP packet encapsulation. tunnel: Uses the tunnel mode for IP packet encapsulation. Usage guidelines IPsec supports the following encapsulation modes: •...
  • Page 495: Esp Authentication-Algorithm

    Views IPsec transform set view Predefined user roles network-admin Parameters both: Specifies IPsec to support both extended sequence number and traditional sequence number. If you do not specify this keyword, IPsec only supports extended sequence number. Usage guidelines The ESN feature extends the sequence number length from 32 bits to 64 bits. This feature prevents the sequence number space from being exhausted when large volumes of data are transmitted at high speeds over an IPsec SA.
  • Page 496: Esp Encryption-Algorithm

    sha1: Uses the HMAC-SHA1 algorithm, which uses a 160-bit key. sha256: Uses the HMAC-SHA256 algorithm, which uses a 256-bit key. sha384: Uses the HMAC-SHA384 algorithm, which uses a 384-bit key. sha512: Uses the HMAC-SHA512 algorithm, which uses a 512-bit key. Usage guidelines In non-FIPS mode, you can specify multiple ESP authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.
  • Page 497 aes-cbc-192: Uses the AES algorithm in CBC mode, which uses a 192-bit key. aes-cbc-256: Uses the AES algorithm in CBC mode, which uses a 256-bit key. aes-ctr-128: Uses the AES algorithm in CTR mode, which uses a 128-bit key. This keyword is available only for IKEv2.
  • Page 498: Ike-Profile

    ike-profile Use ike-profile to specify an IKE profile for an IPsec policy, IPsec policy template, or IPsec profile. Use undo ike-profile to restore the default. Syntax ike-profile profile-name undo ike-profile Default No IKE profile is specified. The IPsec policy, IPsec policy template, or IPsec profile uses the global IKE settings for negotiation.
  • Page 499: Ipsec Anti-Replay Check

    IPsec policy template view Predefined user roles network-admin Parameters profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines The IKEv2 profile specified for an IPsec policy or IPsec policy template defines the parameters used for IKEv2 negotiation.
  • Page 500: Ipsec Anti-Replay Window

    Only IPsec SAs negotiated by IKE support anti-replay checking. Manually created IPsec SAs do not support anti-replay checking. Enabling or disabling IPsec anti-replay checking does not affect manually created IPsec SAs. Examples # Enable IPsec anti-replay checking. <Sysname> system-view [Sysname] ipsec anti-replay check Related commands ipsec anti-replay window ipsec anti-replay window...
  • Page 501: Ipsec Decrypt-Check Enable

    Syntax ipsec apply { ipv6-policy | policy } policy-name undo ipsec apply { ipv6-policy | policy } Default No IPsec policy is applied to an interface. Views Interface view Predefined user roles network-admin Parameters ipv6-policy: Specifies an IPv6 IPsec policy. policy: Specifies an IPv4 IPsec policy.
  • Page 502: Ipsec Df-Bit

    Usage guidelines In tunnel mode, the IP packet encapsulated in an inbound IPsec packet might not match the ACL specified in the IPsec policy, so it is not covered by that ACL's protection. After de-encapsulation, such packets pose a threat to network security. In this scenario, you can enable ACL checking for de-encapsulated IPsec packets.
  • Page 503: Ipsec Fragmentation

    Related commands ipsec global-df-bit ipsec fragmentation Use ipsec fragmentation to configure the IPsec fragmentation feature. Use undo ipsec fragmentation to restore the default. Syntax ipsec fragmentation { after-encryption | before-encryption } undo ipsec fragmentation Default The device fragments packets before IPsec encapsulation. Views System view Predefined user roles...
  • Page 504: Ipsec Limit Max-Tunnel

    Views System view Predefined user roles network-admin Parameters clear: Clears the DF bit in the outer IP header. IPsec packets can be fragmented. copy: Copies the DF bit setting of the original IP header to the outer IP header. set: Sets the DF bit in the outer IP header. IPsec packets cannot be fragmented. Usage guidelines This command is effective only when the IPsec encapsulation mode is tunnel mode.
  • Page 505: Ipsec Logging Negotiation Enable

    Examples # Set the maximum number of IPsec tunnels to 5000. <Sysname> system-view [Sysname] ipsec limit max-tunnel 5000 Related commands ike limit ipsec logging negotiation enable Use ipsec logging negotiation enable to enable logging for IPsec negotiation. Use undo ipsec logging negotiation enable to disable logging for IPsec negotiation. Syntax ipsec logging negotiation enable undo ipsec logging negotiation enable...
  • Page 506: Ipsec { Ipv6-Policy | Policy }

    Usage guidelines After logging for IPsec packets is enabled, the device outputs a log when an IPsec packet is discarded. IPsec packets might be discarded due to the lack of an inbound SA, an AH/ESP authentication failure, or an ESP encryption failure. A log contains the source and destination IP addresses, SPI, and sequence number of the packet, and the reason it was discarded.
  • Page 507: Ipsec { Ipv6-Policy | Policy } Isakmp Template

    Examples # Create an IKE-based IPsec policy entry and enter the IPsec policy view. The policy name is policy1 and the sequence number is 100. <Sysname> system-view [Sysname] ipsec policy policy1 100 isakmp [Sysname-ipsec-policy-isakmp-policy1-100] # Create a manual IPsec policy entry and enter the IPsec policy view. The policy name is policy1 and the sequence number is 101.
  • Page 508: Ipsec { Ipv6-Policy | Policy } Local-Address

    Usage guidelines If you do not specify the seq-number argument, the undo command deletes the specified IPsec policy. An interface applied with an IPsec policy that is configured by using an IPsec policy template cannot initiate an SA negotiation, but it can respond to a negotiation request. The parameters not defined in the template are determined by the initiator.
  • Page 509: Ipsec { Ipv6-Policy-Template | Policy-Template }

    IPsec SAs. As long as the source interface is up, the negotiated IPsec SAs will not be removed and will keep working, regardless of link failover. After an IPsec policy is applied to a service interface and IPsec SAs have been established, if you bind the IPsec policy to a source interface, the existing IPsec SAs are deleted.
  • Page 510: Ipsec Profile

    An IPsec policy template is a set of IPsec policy template entries that have the same name but different sequence numbers. With the seq-number argument specified, the undo command deletes an IPsec policy template entry. An IPv4 IPsec policy template and an IPv6 IPsec policy template can have the same name. Examples # Create an IPsec policy template entry and enter the IPsec policy template view.
  • Page 511: Ipsec Redundancy Enable

    Examples # Create a manual IPsec profile named profile1. <Sysname> system-view [Sysname] ipsec profile profile1 manual [Sysname-ipsec-profile-manual-profile1] # Create an IKE-based IPsec profile named profile1. <Sysname> system-view [Sysname] ipsec profile profile1 isakmp [Sysname-ipsec-profile-isakmp-profile1] Related commands display ipsec profile ipsec redundancy enable Use ipsec redundancy enable to enable IPsec redundancy.
  • Page 512: Ipsec Sa Idle-Time

    Use undo ipsec sa global-duration to restore the default. Syntax ipsec sa global-duration { time-based seconds | traffic-based kilobytes } undo ipsec sa global-duration { time-based | traffic-based } Default The time-based global IPsec SA lifetime is 3600 seconds, and the traffic-based global lifetime is 1843200 kilobytes.
  • Page 513: Ipsec Transform-Set

    Default The global IPsec SA idle timeout feature is disabled. Views System view Predefined user roles network-admin Parameters seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds. Usage guidelines This feature applies only to IPsec SAs negotiated by IKE. The IPsec SA idle timeout can also be configured in IPsec policy view, IPsec policy template view, or IPsec profile view; a timeout configured in any of those views takes precedence over the global IPsec SA idle timeout.
  • Page 514: Local-Address

    Examples # Create an IPsec transform set named tran1 and enter its view. <Sysname> system-view [Sysname] ipsec transform-set tran1 [Sysname-transform-set-tran1] Related commands display ipsec transform-set local-address Use local-address to configure the local IP address for the IPsec tunnel. Use undo local-address to restore the default. Syntax local-address { ipv4-address | ipv6 ipv6-address } undo local-address...
  • Page 515: Protocol

    Use undo pfs to restore the default. Syntax In non-FIPS mode: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 | dh-group19 | dh-group20 } undo pfs In FIPS mode: pfs { dh-group14 | dh-group19 | dh-group20 } undo pfs Default The PFS feature is disabled for the IPsec transform set.
  • Page 516: Qos Pre-Classify

    Use undo protocol to restore the default. Syntax protocol { ah | ah-esp | esp } undo protocol Default The IPsec transform set uses the ESP protocol. Views IPsec transform set view Predefined user roles network-admin Parameters ah: Specifies the AH protocol. ah-esp: Specifies using the ESP protocol first and then using the AH protocol.
  • Page 517: Redundancy Replay-Interval

    Examples # Enable the QoS pre-classify feature. <Sysname> system-view [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] qos pre-classify redundancy replay-interval Use redundancy replay-interval to set the anti-replay window lower bound value synchronization interval for inbound packets and the sequence number synchronization interval for outbound packets.
  • Page 518: Remote-Address

    ipsec anti-replay window ipsec redundancy enable remote-address Use remote-address to configure the remote IP address for the IPsec tunnel. Use undo remote-address to restore the default. Syntax remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address } undo remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address } Default No remote IP address is configured for the IPsec tunnel.
  • Page 519: Reset Ipsec Sa

    In this case, you must reconfigure the remote host name for the IPsec policy policy1 so that the local end can obtain the latest IP address of the remote host. # Reconfigure the remote host name to test for the IPsec tunnel in the IPsec policy policy1. [Sysname] ipsec policy policy1 1 isakmp [Sysname-ipsec-policy-isakmp-policy1-1] remote-address test Examples...
  • Page 520: Reset Ipsec Statistics

    • spi-num: Specifies the security parameter index in the range of 256 to 4294967295. Usage guidelines If you do not specify any parameters, this command clears all IPsec SAs. If you specify an SA triplet, this command clears the IPsec SA matching the triplet, and all the other IPsec SAs that were established during the same negotiation process, including the corresponding IPsec SA in the other direction, and the inbound and outbound IPsec SAs using the other security protocol (AH or ESP).
  • Page 521: Reverse-Route Dynamic

    <Sysname> reset ipsec statistics Related commands display ipsec statistics reverse-route dynamic Use reverse-route dynamic to enable IPsec reverse route inject (RRI). Use undo reverse-route dynamic to disable IPsec RRI. Syntax reverse-route dynamic undo reverse-route dynamic Default IPsec RRI is disabled. Views IPsec policy view IPsec policy template view...
  • Page 522: Reverse-Route Preference

    ipsec policy ipsec policy-template reverse-route preference Use reverse-route preference to set the preference of the static routes created by IPsec RRI. Use undo reverse-route preference to restore the default. Syntax reverse-route preference number undo reverse-route preference Default The preference for the static routes created by IPsec RRI is 60. Views IPsec policy view IPsec policy template view...
  • Page 523: Sa Duration

    Views IPsec policy view IPsec policy template view Predefined user roles network-admin Parameters tag-value: Specifies a tag value. The value range is 1 to 4294967295. Usage guidelines The tag value set by this command helps in implementing flexible route control through routing policies.
  • Page 524: Sa Hex-Key Authentication

    Usage guidelines IKE prefers the SA lifetime of the IPsec policy, IPsec policy template, or IPsec profile over the global SA lifetime configured by the ipsec sa global-duration command. If the IPsec policy, IPsec policy template, or IPsec profile is not configured with the SA lifetime, IKE uses the global SA lifetime for SA negotiation.
  • Page 525: Sa Hex-Key Encryption

    simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form. string: Specifies the key. Its plaintext form is case insensitive and must be a 16-byte hexadecimal string for HMAC-MD5 or a 20-byte hexadecimal string for HMAC-SHA1. Usage guidelines This command applies only to manual IPsec policies and IPsec profiles.
  • Page 526: Sa Idle-Time

    outbound: Specifies a hexadecimal encryption key for outbound SAs. esp: Uses ESP. cipher: Specifies a key in encrypted form. simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form. string: Specifies the key.
  • Page 527 Syntax sa idle-time seconds undo sa idle-time Default An IPsec policy, IPsec policy template, or IPsec profile uses the global IPsec SA idle timeout. Views IPsec policy view IPsec policy template view IPsec profile view Predefined user roles network-admin Parameters seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds.
  • Page 528: Sa String-Key

    Predefined user roles network-admin Parameters inbound: Specifies an SPI for inbound SAs. outbound: Specifies an SPI for outbound SAs. ah: Uses AH. esp: Uses ESP. spi-number: Specifies a security parameters index (SPI) in the range of 256 to 4294967295. Usage guidelines This command applies only to manual IPsec policies and IPsec profiles.
  • Page 529 IPsec profile view Predefined user roles network-admin Parameters inbound: Sets a key string for inbound IPsec SAs. outbound: Sets a key string for outbound IPsec SAs. ah: Uses AH. esp: Uses ESP. cipher: Specifies a key string in encrypted form. simple: Specifies a key string in plaintext form.
  • Page 530: Security Acl

    sa hex-key security acl Use security acl to specify an ACL for an IPsec policy or IPsec policy template. Use undo security acl to restore the default. Syntax security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ] undo security acl Default An IPsec policy or IPsec policy template does not use any ACL.
  • Page 531: Snmp-Agent Trap Enable Ipsec

    [Sysname-acl-ipv4-adv-3001] quit [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] security acl 3001 # Specify IPv4 advanced ACL 3002 for the IPsec policy policy2 and specify the data protection mode as aggregation. <Sysname> system-view [Sysname] acl advanced 3002 [Sysname-acl-ipv4-adv-3002] rule 0 permit ip source 10.1.2.1 0.0.0.255 destination 10.1.2.2 0.0.0.255 [Sysname-acl-ipv4-adv-3002] rule 1 permit ip source 10.1.3.1 0.0.0.255 destination 10.1.3.2 0.0.0.255...
  • Page 532: Tfc Enable

    policy-delete: Specifies notifications about events of deleting IPsec policies. policy-detach: Specifies notifications about events of removing IPsec policies from interfaces. tunnel-start: Specifies notifications about events of creating IPsec tunnels. tunnel-stop: Specifies notifications about events of deleting IPsec tunnels. Usage guidelines If you do not specify any keywords, this command enables or disables all SNMP notifications for IPsec.
  • Page 533: Transform-Set

    Related commands display ipsec ipv6-policy display ipsec policy transform-set Use transform-set to specify an IPsec transform set for an IPsec policy, IPsec policy template, or IPsec profile. Use undo transform-set to remove the IPsec transform set specified for an IPsec policy, IPsec policy template, or IPsec profile.
  • Page 534: Tunnel Protection Ipsec

    tunnel protection ipsec Use tunnel protection ipsec to apply an IPsec profile to a tunnel interface. Use undo tunnel protection ipsec to restore the default. Syntax tunnel protection ipsec profile profile-name undo tunnel protection ipsec profile Default No IPsec profile is applied to a tunnel interface. Views Tunnel interface view Predefined user roles...
  • Page 535: Aaa Authorization

    IKE commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. aaa authorization Use aaa authorization to enable IKE AAA authorization.
  • Page 536 Examples # Create the IKE profile profile1. <Sysname> system-view [Sysname] ike profile profile1 # Enable AAA authorization. Specify the ISP domain abc and the username test. [Sysname-ike-profile-profile1] aaa authorization domain abc username test authentication-algorithm Use authentication-algorithm to specify an authentication algorithm for an IKE proposal. Use undo authentication-algorithm to restore the default.
  • Page 537: Authentication-Method

    authentication-method Use authentication-method to specify an authentication method to be used in an IKE proposal. Use undo authentication-method to restore the default. Syntax authentication-method { dsa-signature | pre-share | rsa-signature } undo authentication-method Default The IKE proposal uses the pre-shared key as the authentication method. Views IKE proposal view Predefined user roles...
  • Page 538 Syntax certificate domain domain-name undo certificate domain domain-name Default No PKI domains are specified for signature authentication. Views IKE profile view Predefined user roles network-admin Parameters domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. Usage guidelines You can specify a maximum of six PKI domains for an IKE profile by executing this command multiple times.
  • Page 539: Client-Authentication

    client-authentication Use client-authentication to enable client authentication. Use undo client-authentication to disable client authentication. Syntax client-authentication xauth undo client-authentication Default Client authentication is disabled. Views IKE profile view Predefined user roles network-admin Parameters xauth: Uses Extended Authentication within ISAKMP/Oakley (XAUTH) for authentication. Usage guidelines The client authentication feature provides additional authentication in IKE negotiation for secure remote access to an IPsec VPN.
  • Page 540 Views IKE proposal view Predefined user roles network-admin Parameters text: Specifies the description, a case-sensitive string of 1 to 80 characters. Usage guidelines You can configure different descriptions for IKE proposals to distinguish them. Examples # Configure a description of test for IKE proposal 1. <Sysname>...
  • Page 541: Display Ike Proposal

    Usage guidelines A DH group with a higher group number provides higher security but needs more time for processing. To achieve the best trade-off between processing performance and security, choose a proper Diffie-Hellman group for your network. Examples # Specify the 2048-bit Diffie-Hellman group group1 to be used for key negotiation in IKE phase 1 in the IKE proposal 1.
  • Page 542: Display Ike Sa

    Field Description Authentication algorithm Authentication algorithm used in the IKE proposal: • MD5—HMAC-MD5 algorithm. • SHA1—HMAC-SHA1 algorithm. • SHA256—HMAC-SHA256 algorithm. • SHA384—HMAC-SHA384 algorithm. • SHA512—HMAC-SHA512 algorithm. Encryption algorithm Encryption algorithm used by the IKE proposal: • 3DES-CBC—168-bit 3DES algorithm in CBC mode. •...
  • Page 543 Examples # Display summary information about all IKE SAs. <Sysname> display ike sa Connection-ID Remote Flag ---------------------------------------------------------- 202.38.0.2 IPSEC Flags: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING Table 76 Command output Field Description Connection-ID Identifier of the IKE SA. Remote Remote IP address of the SA. Status of the SA: •...
  • Page 544 Exchange-mode: Main Diffie-Hellman group: Group 1 NAT traversal: Not detected Extend authentication: Enabled Assigned IP address: 192.168.2.1 # Display detailed information about the IKE SA with the remote address of 4.4.4.5. <Sysname> display ike sa verbose remote-address 4.4.4.5 --------------------------------------------- Connection ID: 2 Outside VPN: 1 Inside VPN: 1 Profile: prof1...
  • Page 545: Display Ike Statistics

    Field Description Local ID Identifier of the local gateway. Remote IP IP address of the remote gateway. Remote ID type Identifier type of the remote gateway. Remote ID Identifier of the remote security gateway. Authentication-method Authentication method used by the IKE proposal. Authentication algorithm used by the IKE proposal: •...
  • Page 546 Unavailable certificate: 0 Unsupported DOI: 0 Unsupported situation: 0 Invalid proposal syntax: 0 Invalid SPI: 0 Invalid protocol ID: 0 Invalid certificate: 0 Authentication failure: 0 Invalid flags: 0 Invalid message id: 0 Invalid cookie: 0 Invalid transform ID: 0 Malformed payload: 0 Invalid key information: 0 Invalid hash information: 0...
  • Page 547: Encryption-Algorithm

    on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval. periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval. Usage guidelines DPD is triggered periodically or on-demand.
  • Page 548: Exchange-Mode

    aes-cbc-192: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses a 192-bit key for encryption. aes-cbc-256: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses a 256-bit key for encryption. des-cbc: Uses the DES algorithm in CBC mode as the encryption algorithm.
  • Page 549: Ike Address-Group

    [Sysname-ike-profile-1] exchange-mode main Related commands display ike proposal ike address-group Use ike address-group to configure an IKE IPv4 address pool for assigning IPv4 addresses to remote peers. Use undo ike address-group to delete an IKE IPv4 address pool. Syntax ike address-group group-name start-ipv4-address end-ipv4-address [ mask | mask-length ] undo ike address-group group-name Default No IKE IPv4 address pools exist.
  • Page 550: Ike Identity

    ike dpd Use ike dpd to configure global IKE DPD. Use undo ike dpd to disable global IKE DPD. Syntax ike dpd interval interval [ retry seconds ] { on-demand | periodic } undo ike dpd interval Default Global IKE DPD is disabled. Views System view Predefined user roles...
  • Page 551: Ike Invalid-Spi-Recovery Enable

    undo ike identity Default The IP address of the interface where the IPsec policy applies is used as the IKE identity. Views System view Predefined user roles network-admin Parameters address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the identity. dn: Uses the DN in the digital signature as the identity.
  • Page 552: Ike Keepalive Interval

    Default Invalid SPI recovery is disabled. Views System view Predefined user roles network-admin Usage guidelines An IPsec "black hole" occurs when one IPsec peer fails (for example, because it reboots) and loses its SAs with the other peer. When an IPsec peer receives a data packet for which it cannot find an SA, an invalid SPI is encountered.
  • Page 553: Ike Keepalive Timeout

    The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the peer. Because more than three consecutive packets are rarely lost on a network, you can set the keepalive timeout time to three times the keepalive interval. Examples # Set the keepalive interval to 200 seconds. <Sysname>...
  • Page 554: Ike Limit

    Use undo ike keychain to delete an IKE keychain. Syntax ike keychain keychain-name [ vpn-instance vpn-instance-name ] undo ike keychain keychain-name [ vpn-instance vpn-instance-name ] Default No IKE keychains exist. Views System view Predefined user roles network-admin Parameters keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IKE keychain belongs.
  • Page 555: Ike Logging Negotiation Enable

    Parameters max-negotiating-sa negotiation-limit: Specifies the maximum number of half-open IKE SAs and IPsec SAs. The value range for the negotiation-limit argument is 1 to 99999. max-sa sa-limit: Specifies the maximum number of established IKE SAs. The value range for the sa-limit argument is 1 to 99999.
  • Page 556: Ike Nat-Keepalive

    ike nat-keepalive Use ike nat-keepalive to set the NAT keepalive interval. Use undo ike nat-keepalive to restore the default. Syntax ike nat-keepalive seconds undo ike nat-keepalive Default The NAT keepalive interval is 20 seconds. Views System view Predefined user roles network-admin Parameters seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 300.
  • Page 557: Ike Proposal

    Examples # Create IKE profile 1 and enter its view. <Sysname> system-view [Sysname] ike profile 1 [Sysname-ike-profile-1] ike proposal Use ike proposal to create an IKE proposal and enter its view, or enter the view of an existing IKE proposal. Use undo ike proposal to delete an IKE proposal.
  • Page 558: Ike Signature-Identity From-Certificate

    [Sysname] ike proposal 1 [Sysname-ike-proposal-1] Related commands display ike proposal ike signature-identity from-certificate Use ike signature-identity from-certificate to configure the local device to obtain the identity information from the local certificate for signature authentication. Use undo ike signature-identity from-certificate to restore the default. Syntax ike signature-identity from-certificate undo ike signature-identity from-certificate...
  • Page 559 undo inside-vpn Default No inside VPN instance is specified for an IKE profile. The device forwards protected data to the VPN instance where the interface that receives the data resides. Views IKE profile view Predefined user roles network-admin Parameters vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the device forwards protected data.
  • Page 560: Local-Identity

    Examples # Specify the IKE keychain abc for IKE profile 1. <Sysname> system-view [Sysname] ike profile 1 [Sysname-ike-profile-1] keychain abc Related commands ike keychain local-identity Use local-identity to configure the local ID, the ID that the device uses to identify itself to the peer during IKE negotiation.
  • Page 561: Match Local Address (Ike Keychain View)

    Examples # Set the local ID to IP address 2.2.2.2. <Sysname> system-view [Sysname] ike profile prof1 [Sysname-ike-profile-prof1] local-identity address 2.2.2.2 Related commands match remote ike identity match local address (IKE keychain view) Use match local address to specify a local interface or IP address to which an IKE keychain can be applied.
  • Page 562: Match Local Address (Ike Profile View)

    Examples # Create the IKE keychain key1. <Sysname> system-view [Sysname] ike keychain key1 # Apply the IKE keychain key1 to the interface with the IP address 2.2.2.2 in the VPN instance vpn1. [sysname-ike-keychain-key1] match local address 2.2.2.2 vpn-instance vpn1 match local address (IKE profile view) Use match local address to specify a local interface or IP address to which an IKE profile can be applied.
  • Page 563: Match Remote

    <Sysname> system-view [Sysname] ike profile prof1 # Apply the IKE profile prof1 to the interface with the IP address 2.2.2.2 in the VPN instance vpn1. [sysname-ike-profile-prof1] match local address 2.2.2.2 vpn-instance vpn1 match remote Use match remote to configure a peer ID for IKE profile matching. Use undo match remote to delete a peer ID for IKE profile matching.
  • Page 564: Pre-Shared-Key

    name, a case-sensitive string of 1 to 31 characters. If the address or addresses belong to the public network, do not specify this option. Usage guidelines When an end needs to select an IKE profile, it compares the received peer ID with the peer IDs configured in its local IKE profiles.
  • Page 565: Priority (Ike Keychain View)

    Parameters address: Specifies a peer by its address. ipv4-address: Specifies the IPv4 address of the peer. mask: Specifies the mask in dotted decimal notation. The default mask is 255.255.255.255. mask-length: Specifies the mask length in the range of 0 to 32. The default mask length is 32. ipv6: Specifies an IPv6 peer.
  • Page 566: Priority (Ike Profile View)

    Default The priority of an IKE keychain is 100. Views IKE keychain view Predefined user roles network-admin Parameters priority priority: Specifies a priority number in the range of 1 to 65535. The lower the priority number, the higher the priority. Usage guidelines To determine the priority of an IKE keychain, the device first checks whether the match local address command is configured, and only then compares the priority numbers.
  • Page 567: Proposal

    <Sysname> system-view [Sysname] ike profile prof1 [Sysname-ike-profile-prof1] priority 10 proposal Use proposal to specify IKE proposals for an IKE profile. Use undo proposal to restore the default. Syntax proposal proposal-number&<1-6> undo proposal Default No IKE proposals are specified for an IKE profile and the IKE proposals configured in system view are used for IKE negotiation.
  • Page 568: Reset Ike Statistics

    Parameters connection-id connection-id: Specifies the connection ID of the IKE SA to be cleared, in the range of 1 to 2000000000. Usage guidelines When you delete an IKE SA, the device automatically sends a notification to the peer. Examples # Display the current IKE SAs. <Sysname>...
  • Page 569 sa duration Use sa duration to set the IKE SA lifetime for an IKE proposal. Use undo sa duration to restore the default. Syntax sa duration seconds undo sa duration Default The IKE SA lifetime is 86400 seconds for an IKE proposal. Views IKE proposal view Predefined user roles...
  • Page 570 Views System view Predefined user roles network-admin Parameters attr-not-support: Specifies notifications about attribute-unsupported failures. auth-failure: Specifies notifications about authentication failures. cert-type-unsupport: Specifies notifications about certificate-type-unsupported failures. cert-unavailable: Specifies notifications about certificate-unavailable failures. decrypt-failure: Specifies notifications about decryption failures. encrypt-failure: Specifies notifications about encryption failures. global: Specifies notifications globally.
  • Page 571 IKEv2 commands aaa authorization Use aaa authorization to enable IKEv2 AAA authorization. Use undo aaa authorization to disable IKEv2 AAA authorization. Syntax aaa authorization domain domain-name username user-name undo aaa authorization Default IKEv2 AAA authorization is disabled. Views IKEv2 profile view Predefined user roles network-admin Parameters...
  • Page 572: Address

    [Sysname-ikev2-profile-profile1] aaa authorization domain abc username test Related commands display ikev2 profile address Use address to specify the IP address or IP address range of an IKEv2 peer. Use undo address to restore the default. Syntax address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } undo address Default The IKEv2 peer's IP address or IP address range is not specified.
  • Page 573 Use undo authentication-method to remove the local or remote identity authentication method. Syntax authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature } undo authentication-method local undo authentication-method remote { dsa-signature | ecdsa-signature | pre-share | rsa-signature } Default No local or remote identity authentication method is specified.
  • Page 574: Certificate Domain

    [Sysname-ikev2-profile-profile1] keychain keychain1 Related commands display ikev2 profile certificate domain (ikev2 profile view) keychain (ikev2 profile view) certificate domain Use certificate domain to specify a PKI domain for signature authentication in IKEv2 negotiation. Use undo certificate domain to remove a PKI domain for signature authentication in IKEv2 negotiation.
  • Page 575: Config-Exchange

    pki domain config-exchange Use config-exchange to enable configuration exchange. Use undo config-exchange to disable configuration exchange. Syntax config-exchange { request | set { accept | send } } undo config-exchange { request | set { accept | send } } Default Configuration exchange is disabled.
  • Page 576: Display Ikev2 Policy

    display ikev2 profile display ikev2 policy Use display ikev2 policy to display the IKEv2 policy configuration. Syntax display ikev2 policy [ policy-name | default ] Views Any view Predefined user roles network-admin network-operator Parameters policy-name: Specifies an IKEv2 policy by its name, a case-insensitive string of 1 to 63 characters. default: Specifies the default IKEv2 policy.
  • Page 577: Display Ikev2 Profile

    display ikev2 profile Use display ikev2 profile to display the IKEv2 profile configuration. Syntax display ikev2 profile [ profile-name ] Views Any view Predefined user roles network-admin network-operator Parameters profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an IKEv2 profile, this command displays the configuration of all IKEv2 profiles.
  • Page 578: Display Ikev2 Proposal

    Field Description Match criteria Criteria for looking up the IKEv2 profile. Local identity ID of the local end. Local authentication method Method that the local end uses for authentication. Remote authentication methods Methods that the remote end uses for authentication. Keychain IKEv2 keychain that the IKEv2 profile uses.
  • Page 579: Display Ikev2 Sa

    default: Specifies the default IKEv2 proposal. Usage guidelines This command displays IKEv2 proposals in descending order of priorities. If you do not specify any parameters, this command displays the configuration of all IKEv2 proposals. Examples # Display the configuration of all IKEv2 proposals. <Sysname>...
  • Page 580 remote: Displays IKEv2 SA information for a remote IP address. ipv4-address: Specifies a local or remote IPv4 address. ipv6 ipv6-address: Specifies a local or remote IPv6 address. vpn-instance vpn-instance-name: Displays information about the IKEv2 SAs in a VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.
  • Page 581 Remote IP/Port: 1.1.1.2/500 Outside VRF: - Inside VRF: - Local SPI: 8f8af3dbf5023a00 Remote SPI: 0131565b9b3155fa Local ID type: FQDN Local ID: device_a Remote ID type: FQDN Remote ID: device_b Auth sign method: Pre-shared key Auth verify method: Pre-shared key Integrity algorithm: HMAC_MD5 PRF algorithm: HMAC_MD5 Encryption algorithm: AES-CBC-192 Life duration: 86400 secs...
  • Page 582 Auth sign method: Pre-shared key Auth verify method: Pre-shared key Integrity algorithm: HMAC_MD5 PRF algorithm: HMAC_MD5 Encryption algorithm: AES-CBC-192 Life duration: 86400 secs Remaining key duration: 85604 secs Diffie-Hellman group: MODP1024/Group2 NAT traversal: Not detected DPD: Interval 30 secs, retry 10 secs Transmitting entity: Initiator Local window: 1 Remote window: 1...
  • Page 583: Display Ikev2 Statistics

    Field Description Auth verify method Verification method that the IKEv2 proposal uses in authentication. Integrity algorithm Integrity protection algorithms that the IKEv2 proposal uses. PRF algorithm PRF algorithms that the IKEv2 proposal uses. Encryption algorithm Encryption algorithms that the IKEv2 proposal uses. Life duration Lifetime of the IKEv2 SA, in seconds.
  • Page 584 Examples # Display IKEv2 statistics. <Sysname> display ikev2 statistics Unsupported critical payload: 0 Invalid IKE SPI: 0 Invalid major version: 0 Invalid syntax: 0 Invalid message ID: 0 Invalid SPI: 0 No proposal chosen: 0 Invalid KE payload: 0 Authentication failed: 0 Single pair required: 0 TS unacceptable: 0 Invalid selectors: 0...
  • Page 585 Views IKEv2 proposal view Predefined user roles network-admin Parameters group1: Uses the 768-bit Diffie-Hellman group. group2: Uses the 1024-bit Diffie-Hellman group. group5: Uses the 1536-bit Diffie-Hellman group. group14: Uses the 2048-bit Diffie-Hellman group. group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup. group19: Uses the 256-bit ECP Diffie-Hellman group.
  • Page 586: encryption

    Parameters interval interval: Specifies a DPD triggering interval in the range of 10 to 3600 seconds. retry seconds: Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5 seconds. on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval.
  • Page 587: hostname

    aes-cbc-128: Uses the AES algorithm in CBC mode, which uses a 128-bit key. aes-cbc-192: Uses the AES algorithm in CBC mode, which uses a 192-bit key. aes-cbc-256: Uses the AES algorithm in CBC mode, which uses a 256-bit key. aes-ctr-128: Uses the AES algorithm in CTR mode, which uses a 128-bit key. aes-ctr-192: Uses the AES algorithm in CTR mode, which uses a 192-bit key.
  • Page 588: identity

    Examples # Create an IKEv2 keychain named key1. <Sysname> system-view [Sysname] ikev2 keychain key1 # Create an IKEv2 peer named peer1. [Sysname-ikev2-keychain-key1] peer peer1 # Specify the host name test of the IKEv2 peer. [Sysname-ikev2-keychain-key1-peer-peer1] hostname test Related commands ikev2 keychain peer identity Use identity to specify the ID of an IKEv2 peer.
  • Page 589: identity local

    [Sysname] ikev2 keychain key1 # Create an IKEv2 peer named peer1. [Sysname-ikev2-keychain-key1] peer peer1 # Specify the peer IPv4 address 1.1.1.2 as the ID of the IKEv2 peer. [Sysname-ikev2-keychain-key1-peer-peer1] identity address 1.1.1.2 Related commands ikev2 keychain peer identity local Use identity local to configure the local ID, the ID that the device uses to identify itself to the peer during IKEv2 negotiation.
  • Page 590: ikev2 address-group

    [Sysname-ikev2-profile-profile1] identity local address 2.2.2.2 Related commands peer ikev2 address-group Use ikev2 address-group to configure an IKEv2 IPv4 address pool for assigning IPv4 addresses to remote peers. Use undo ikev2 address-group to delete an IKEv2 IPv4 address pool. Syntax ikev2 address-group group-name start-ipv4-address end-ipv4-address [ mask | mask-length ] undo ikev2 address-group group-name Default No IKEv2 IPv4 address pools exist.
  • Page 591: ikev2 dpd

    Use undo ikev2 cookie-challenge to disable the cookie challenging feature. Syntax ikev2 cookie-challenge number undo ikev2 cookie-challenge Default The cookie challenging feature is disabled. Views System view Predefined user roles network-admin Parameters number: Specifies the threshold for triggering the cookie challenging feature. The value range for this argument is 1 to 1000 half-open IKE SAs.
  • Page 592: ikev2 ipv6-address-group

    retry seconds: Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5 seconds. on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval. periodic: Triggers DPD at regular intervals.
  • Page 593: ikev2 keychain

    assign-len assign-len: Specifies the assigned prefix length. The value range for the assign-len argument is 0 to 128, and the value must be greater than or equal to prefix-len. The difference between assign-len and prefix-len must be no more than 16. Usage guidelines Different from the IKEv2 IPv4 address pool, the device assigns an IPv6 subnet to a peer from the IKEv2 IPv6 address pool.
  • Page 594: ikev2 nat-keepalive

    ikev2 nat-keepalive Use ikev2 nat-keepalive to set the NAT keepalive interval. Use undo ikev2 nat-keepalive to restore the default. Syntax ikev2 nat-keepalive seconds undo ikev2 nat-keepalive Default The NAT keepalive interval is 10 seconds. Views System view Predefined user roles network-admin Parameters seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600.
  • Page 595: ikev2 profile

    Parameters policy-name: Specifies a name for the IKEv2 policy. The policy name is a case-insensitive string of 1 to 63 characters. Usage guidelines Each end must have an IKEv2 policy for the IKE_SA_INIT exchange. The initiator looks up an IKEv2 policy by the IP address of the interface to which the IPsec policy is applied and the VPN instance to which the interface belongs.
  • Page 596: ikev2 proposal

    Usage guidelines An IKEv2 profile contains the IKEv2 SA parameters that are not negotiated, such as the identity information and authentication methods of the peers, and the matching criteria for profile lookup. Examples # Create an IKEv2 profile named profile1 and enter IKEv2 profile view. <Sysname>...
  • Page 597: inside-vrf

    An IKEv2 proposal must have a minimum of one set of security parameters, including one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group. In an IKEv2 proposal, you can specify multiple parameters of the same type. The parameters of different types combine and form multiple sets of security parameters.
  • Page 598: integrity

    Examples # Create an IKEv2 profile named profile1. <Sysname> system-view [Sysname] ikev2 profile profile1 # Specify the inside VPN instance vpn1. [Sysname-ikev2-profile-profile1] inside-vrf vpn1 integrity Use integrity to specify integrity protection algorithms for an IKEv2 proposal. Use undo integrity to restore the default. Syntax In non-FIPS mode: integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *...
  • Page 599 Related commands ikev2 proposal keychain Use keychain to specify an IKEv2 keychain for pre-shared key authentication. Use undo keychain to restore the default. Syntax keychain keychain-name undo keychain Default No IKEv2 keychain is specified for an IKEv2 profile. Views IKEv2 profile view Predefined user roles network-admin Parameters...
  • Page 600: match local address (IKEv2 policy view)

    Default An IKEv2 profile can be applied to any local interface or local IP address. Views IKEv2 profile view Predefined user roles network-admin Parameters address: Specifies a local interface or IP address to which an IKEv2 profile can be applied. interface-type interface-number: Specifies a local interface by its type and number.
  • Page 601 Default No local interface or address is specified, and the IKEv2 policy matches any local interface or local address. Views IKEv2 policy view Predefined user roles network-admin Parameters interface-type interface-number: Specifies a local interface by its type and number. It can be any Layer 3 interface.
  • Page 602 Parameters certificate policy-name: Uses the information in the peer's digital certificate as the peer ID for IKEv2 profile matching. The policy-name argument specifies a certificate-based access control policy by its name, a case-insensitive string of 1 to 31 characters. identity: Uses the specified information as the peer ID for IKEv2 profile matching. The specified information is configured on the peer by using the local-identity command.
  • Page 603: match vrf (IKEv2 policy view)

    match vrf (IKEv2 policy view) Use match vrf to specify a VPN instance that an IKEv2 policy matches. Use undo match vrf to restore the default. Syntax match vrf { name vrf-name | any } undo match vrf Default No VPN instance is specified, and the IKEv2 policy matches all local IP addresses in the public network.
  • Page 604: nat-keepalive

    Default The IKEv2 profile belongs to the public network. Views IKEv2 profile view Predefined user roles network-admin Parameters name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters. any: Specifies the public network and all VPN instances. Usage guidelines If an IKEv2 profile belongs to a VPN instance, only interfaces in the VPN instance can use the IKEv2 profile for IKEv2 negotiation.
  • Page 605: peer

    The NAT keepalive interval must be shorter than the NAT session lifetime. Examples # Create an IKEv2 profile named profile1. <Sysname> system-view [Sysname] ikev2 profile profile1 # Set the NAT keepalive interval to 1200 seconds. [Sysname-ikev2-profile-profile1] nat-keepalive 1200 Related commands display ikev2 profile ikev2 nat-keepalive peer Use peer to create an IKEv2 peer and enter its view, or enter the view of an existing IKEv2 peer.
  • Page 606 ikev2 keychain pre-shared-key Use pre-shared-key to configure a pre-shared key. Use undo pre-shared-key to delete a pre-shared key. Syntax pre-shared-key [ local | remote ] { ciphertext | plaintext } string undo pre-shared-key [ local | remote ] Default No pre-shared key exists. Views IKEv2 peer view Predefined user roles...
  • Page 607 [Sysname-ikev2-keychain-key1] peer peer2 # Configure asymmetric plaintext pre-shared keys. The key for certificate signing is 111-key-a and the key for certificate authentication is 111-key-b. [Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key local plaintext 111-key-a [Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key remote plaintext 111-key-b • On the responder: # Create an IKEv2 keychain named telecom. <Sysname>...
  • Page 608: priority (IKEv2 policy view)

    Parameters aes-xcbc-mac: Uses the HMAC-AES-XCBC-MAC algorithm. md5: Uses the HMAC-MD5 algorithm. sha1: Uses the HMAC-SHA1 algorithm. sha256: Uses the HMAC-SHA256 algorithm. sha384: Uses the HMAC-SHA384 algorithm. sha512: Uses the HMAC-SHA512 algorithm. Usage guidelines You can specify multiple PRF algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.
  • Page 609: priority (IKEv2 profile view)

    [Sysname] ikev2 policy policy1 [Sysname-ikev2-policy-policy1] priority 10 Related commands display ikev2 policy priority (IKEv2 profile view) Use priority to set a priority for an IKEv2 profile. Use undo priority to restore the default. Syntax priority priority undo priority Default The priority of an IKEv2 profile is 100. Views IKEv2 profile view Predefined user roles...
  • Page 610: reset ikev2 sa

    Predefined user roles network-admin Parameters proposal-name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority. Examples # Specify the IKEv2 proposal proposal1 for the IKEv2 policy policy1.
  • Page 611: reset ikev2 statistics

    If you do not specify any parameters, this command deletes all IKEv2 SAs and the child SAs negotiated through the IKEv2 SAs. Examples # Display information about IKEv2 SAs. <Sysname> display ikev2 sa Tunnel ID Local Remote Status -------------------------------------------------------------------- 1.1.1.1/500 1.1.1.2/500 2.2.2.1/500 2.2.2.2/500...
  • Page 612 undo sa duration Default The IKEv2 SA lifetime is 86400 seconds. Views IKEv2 profile view Predefined user roles network-admin Parameters seconds: Specifies the IKEv2 SA lifetime in seconds, in the range of 120 to 86400. Usage guidelines An IKEv2 SA can be used for subsequent IKEv2 negotiations before its lifetime expires, saving a lot of negotiation time.
  • Page 613: display ssh server

    SSH commands Commands and descriptions for centralized devices apply to the following routers: • MSR1002-4/1003-8S. • MSR2003. • MSR2004-24/2004-48. • MSR3012/3024/3044/3064. • MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A). • MSR958 (JH300A/JH301A). Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers. The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode.
  • Page 614 chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays SSH server session information for the global active MPU.
  • Page 615: display ssh user-information

    Field / Description:
    • State: Session state: Init—Initialization. Ver-exchange—Version negotiation. Keys-exchange—Key exchange. Auth-request—Authentication request. Serv-request—Session service request. Established—The session is established. Disconnected—The session is terminated.
    • Retries: Number of authentication failures.
    • Serv: Service type: SCP. SFTP...
  • Page 616: scp server enable

    Table 85 Command output. Field / Description:
    • Total ssh users: Total number of SSH users.
    • Authentication-type: Authentication methods: Password authentication. Publickey authentication. Password-publickey authentication. Any authentication.
    • User-public-key-name: Public key name of the user. This field is empty if the authentication method is password authentication.
  • Page 617: sftp server enable

    sftp server enable Use sftp server enable to enable the SFTP server. Use undo sftp server enable to disable the SFTP server. Syntax sftp server enable undo sftp server enable Default The SFTP server is disabled. Views System view Predefined user roles network-admin Examples # Enable the SFTP server.
  • Page 618: ssh ip alias

    <Sysname> system-view [Sysname] sftp server idle-timeout 500 Related commands display ssh server ssh ip alias Use ssh ip alias to associate an SSH redirect listening port with an IP address. Use undo ssh ip alias to delete the IP address associated with the SSH redirect listening port. Syntax ssh ip alias ip-address port-number undo ssh ip alias ip-address...
  • Page 619: ssh redirect disconnect

    If you specify multiple SSH redirect listening ports for an IP address, the most recent configuration takes effect. Examples # Associate SSH redirect listening port 4000 with IP address 1.1.1.1. <Sysname> system-view [Sysname] ssh ip alias 1.1.1.1 4000 Related commands ssh redirect disconnect ssh redirect listen-port ssh redirect disconnect...
  • Page 620: ssh redirect enable

    ssh redirect enable Use ssh redirect enable to enable SSH redirect for a user line. Use undo ssh redirect enable to disable SSH redirect for a user line. Syntax ssh redirect enable undo ssh redirect enable Default SSH redirect is disabled for a user line. Views AUX line view TTY line view...
  • Page 621: ssh redirect listen-port

    ssh redirect listen-port Use ssh redirect listen-port to set a listening port of SSH redirect. Use undo ssh redirect listen-port to restore the default. Syntax ssh redirect listen-port port-number undo ssh redirect listen-port Default The SSH redirect listening port number is the absolute user line number plus 4000. Views AUX line view TTY line view...
  • Page 622: ssh redirect timeout

    ssh redirect timeout Use ssh redirect timeout to set the idle-timeout timer for the redirected SSH connection. Use undo ssh redirect timeout to restore the default. Syntax ssh redirect timeout time undo ssh redirect timeout Default The idle-timeout timer is 360 seconds. Views AUX line view TTY line view...
  • Page 623: ssh server authentication-retries

    Use undo ssh server acl to restore the default. Syntax ssh server acl { basic-acl-number | advanced-acl-number | mac mac-acl-number } undo ssh server acl Default No ACLs are specified and all IPv4 SSH clients can initiate SSH connections to the server. Views System view Predefined user roles...
  • Page 624: ssh server authentication-timeout

    Default The maximum number of authentication attempts is 3 for SSH users. Views System view Predefined user roles network-admin Parameters retries: Specifies the maximum number of authentication attempts for SSH users, in the range of 1 to Usage guidelines Limiting the number of authentication attempts helps prevent brute-force guessing of usernames and passwords.
  • Page 625: ssh server compatible-ssh1x enable

    Parameters time-out-value: Specifies an authentication timeout timer in the range of 1 to 120 seconds. Usage guidelines If a user does not finish the authentication when the timeout timer expires, the connection cannot be established. To prevent malicious occupation of TCP connections, set the authentication timeout timer to a small value.
  • Page 626: ssh server dscp

    ssh server dscp Use ssh server dscp to set the DSCP value in the IPv4 SSH packets that the SSH server sends to SSH clients. Use undo ssh server dscp to restore the default. Syntax ssh server dscp dscp-value undo ssh server dscp Default The DSCP value is 48 in IPv4 SSH packets.
  • Page 627: ssh server ipv6 acl

    [Sysname] ssh server enable Related commands display ssh server ssh server ipv6 acl Use ssh server ipv6 acl to specify an ACL to control IPv6 SSH connections to the server. Use undo ssh server ipv6 acl to restore the default. Syntax ssh server ipv6 acl { ipv6 basic-acl-number | ipv6 advanced-acl-number | mac mac-acl-number } undo ssh server ipv6 acl...
  • Page 628: ssh server ipv6 dscp

    ssh server ipv6 dscp Use ssh server ipv6 dscp to set the DSCP value in the IPv6 SSH packets that the SSH server sends to SSH clients. Use undo ssh server ipv6 dscp to restore the default. Syntax ssh server ipv6 dscp dscp-value undo ssh server ipv6 dscp Default The DSCP value is 48 in IPv6 SSH packets.
  • Page 629: ssh user

    Usage guidelines Periodically updating the RSA server key pair makes it harder for an attacker to compromise the key pair and enhances the security of SSH connections. This command takes effect only on SSH1 clients. The system starts to count down the configured minimum update interval after the first SSH1 user logs in to the server.
  • Page 630 service-type: Specifies a service type for the SSH user. • all: Specifies service types Stelnet, SFTP, SCP, and NETCONF. • scp: Specifies the service type SCP. • sftp: Specifies the service type SFTP. • stelnet: Specifies the service type Stelnet. •...
  • Page 631 You do not need to create an SSH user by using the ssh user command. However, if you want to display all SSH users, including the password-only SSH users, for centralized management, you can use this command to create them. If such an SSH user has been created, make sure you have specified the correct service type and authentication method.
  • Page 632: SSH client commands

    SSH client commands bye Use bye to terminate the connection with the SFTP server and return to user view. Syntax bye Views SFTP client view Predefined user roles network-admin Usage guidelines This command has the same function as the exit and quit commands. Examples # Terminate the connection with the SFTP server.
  • Page 633: cdup

    cdup Use cdup to return to the upper-level directory. Syntax cdup Views SFTP client view Predefined user roles network-admin Examples # Return to the upper-level directory from the current working directory /test1. sftp> cd test1 Current Directory is:/test1 sftp> pwd Remote working directory: /test1 sftp>...
  • Page 634: display sftp client source

    Syntax dir [ -a | -l ] [ remote-path ] Views SFTP client view Predefined user roles network-admin Parameters -a: Displays detailed information about files and subdirectories under a directory in a list, including the files and subdirectories with names starting with dots (.). -l: Displays detailed information about the files and subdirectories under a directory in a list, excluding the files and subdirectories with names starting with dots (.).
  • Page 635: display ssh client source

    Predefined user roles network-admin network-operator Examples # Display the source IP address configured for the SFTP client. <Sysname> display sftp client source The source IP address of the SFTP client is 192.168.0.1 The source IPv6 address of the SFTP client is 2:2::2:2. Related commands sftp client ipv6 source sftp client source...
  • Page 636: help

    Usage guidelines This command has the same function as the bye and quit commands. Examples # Terminate the SFTP connection. sftp> exit <Sysname> get Use get to download a file from the SFTP server and save it locally. Syntax get remote-file [ local-file ] Views SFTP client view Predefined user roles...
  • Page 637 cd [path] Change remote directory to 'path' cdup Change remote directory to the parent directory delete path Delete remote file dir [-a|-l][path] Display remote directory listing List all filenames List filename including the specific information of the file exit Quit sftp get remote-path [local-path] Download file help Display this help text...
  • Page 638: mkdir

    Examples # Display detailed information about the files and subdirectories under the current directory, including the files and subdirectories with names starting with dots (.). sftp> ls -a drwxrwxrwx 512 Dec 18 14:12 . drwxrwxrwx 512 Dec 18 14:12 .. -rwxrwxrwx 301 Dec 18 14:11 010.pub -rwxrwxrwx...
  • Page 639: quit

    Parameters local-file: Specifies the name of a local file. remote-file: Specifies the name of a file on an SFTP server. If you do not specify this argument, the file will be remotely saved with the same name as the local file. Examples # Upload the local file startup.bak to the SFTP server and save it as startup01.bak.
  • Page 640: remove

    remove Use remove to delete a file from the SFTP server. Syntax remove remote-file Views SFTP client view Predefined user roles network-admin Parameters remote-file: Specifies a file by its name. Usage guidelines This command has the same function as the delete command. Examples # Delete the file temp.c from the SFTP server.
  • Page 641 Syntax rmdir remote-path Views SFTP client view Predefined user roles network-admin Parameters remote-path: Specifies a directory. Examples # Delete the subdirectory temp1 under the current directory on the SFTP server. sftp> rmdir temp1 scp Use scp to establish a connection to an IPv4 SCP server and transfer files with the server. Syntax In non-FIPS mode: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name...
  • Page 642 destination-file-name: Specifies the name of the target file. If you do not specify this argument, the target file uses the same file name as the source file. identity-key: Specifies a public key algorithm for the client. The default is dsa in non-FIPS mode and is rsa in FIPS mode.
  • Page 643: scp ipv6

    interface interface-type interface-number: Specifies a source interface by its type and number. The IPv4 address of this interface is the source IPv4 address of the SCP packets. ip ip-address: Specifies a source IPv4 address. Examples # Connect the SCP client to the SCP server 200.1.1.1. Specify the public key of the server as svkey, and download the file abc.txt from the server.
  • Page 644 -i interface-type interface-number: Specifies an output interface by its type and number for SCP packets. This option is used only when the server uses a link-local address to provide the SCP service for the client. The specified output interface on the SCP client must have a link-local address. get: Downloads the file.
  • Page 645: sftp

    publickey keyname: Specifies the host public key of the server, which is used to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters. source: Specifies a source IPv6 address or source interface for IPv6 SCP packets. By default, the device automatically selects a source IPv6 address for IPv6 SCP packets in compliance with RFC 3484.
  • Page 646 port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. identity-key: Specifies a public key algorithm for the client.
  • Page 647: sftp client ipv6 source

    source: Specifies a source IPv4 address or source interface for the SFTP packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source IPv4 address of SFTP packets. As a best practice to ensure successful IPv4 SFTP connections, specify a loopback interface or dialer interface as the source interface or specify that interface's IPv4 address as the source IPv4 address.
  • Page 648: sftp client source

    Examples # Specify 2:2::2:2 as the source IPv6 address for SFTP packets. <Sysname> system-view [Sysname] sftp client ipv6 source ipv6 2:2::2:2 Related commands display sftp client source sftp client source Use sftp client source to configure the source IPv4 address for SFTP packets. Use undo sftp client source to restore the default.
  • Page 649 Syntax In non-FIPS mode: sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | ecdsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | public-key keyname | source { interface...
  • Page 650 prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. Algorithms sha1 and sha1-96 provide stronger security but cost more computation time than algorithms md5 and md5-96. • md5: Specifies the HMAC algorithm hmac-md5. • md5-96: Specifies the HMAC algorithm hmac-md5-96. •...
  • Page 651: ssh client ipv6 source

    ssh client ipv6 source Use ssh client ipv6 source to configure the source IPv6 address for SSH packets that are sent by the Stelnet client. Use undo ssh client ipv6 source to restore the default. Syntax ssh client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address } undo ssh client ipv6 source Default The source IPv6 address for SSH packets is not configured.
  • Page 652: ssh2

    Default The source IPv4 address for SSH packets is not configured. The Stelnet client uses the primary IPv4 address of the output interface in the routing entry as the source address of the SSH packets. Views System view Predefined user roles network-admin Parameters interface interface-type interface-number: Specifies a source interface by its type and number.
  • Page 653 Predefined user roles network-admin Parameters server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs.
  • Page 654: ssh2 ipv6

    dscp dscp-value: Specifies the DSCP value in the IPv4 SSH packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet. escape character: Specifies a case-sensitive escape character. By default, the escape character is a tilde (~).
  • Page 655 md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | escape character | public-key keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] * In FIPS mode: ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { ecdsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes256-cbc } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14-sha1 | prefer-stoc-cipher { aes128-cbc | aes256-cbc } | prefer-stoc-hmac { sha1 | sha1-96 } ] *...
  • Page 656 • sha1-96: Specifies the HMAC algorithm hmac-sha1-96. prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange-sha1 in non-FIPS mode and dh-group14-sha1 in FIPS mode. • dh-group-exchange-sha1: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. • dh-group1-sha1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. • dh-group14-sha1: Specifies the key exchange algorithm diffie-hellman-group14-sha1. The algorithm dh-group14-sha1 provides stronger security but costs more computation time than the algorithm dh-group1-sha1.
  • Page 657: display ssh2 algorithm

    <Sysname> ssh2 ipv6 2000::1 prefer-kex dh-group14-sha1 prefer-stoc-cipher aes128-cbc prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib public-key svkey escape $ SSH2 commands display ssh2 algorithm Use display ssh2 algorithm to display algorithms used by SSH2 in the algorithm negotiation stage. Syntax display ssh2 algorithm Views Any view Predefined user roles...
  • Page 658: ssh2 algorithm key-exchange

    Syntax In non-FIPS mode: ssh2 algorithm cipher { aes128-cbc | aes256-cbc | 3des-cbc | des-cbc } * undo ssh2 algorithm cipher In FIPS mode: ssh2 algorithm cipher { aes128-cbc | aes256-cbc } * undo ssh2 algorithm cipher Default In non-FIPS mode: SSH2 uses the encryption algorithms aes128-cbc, aes256-cbc, 3des-cbc, and des-cbc in descending order of priority for algorithm negotiation.
  • Page 659: ssh2 algorithm mac

    Syntax In non-FIPS mode: ssh2 algorithm key-exchange { dh-group-exchange-sha1 | dh-group14-sha1 | dh-group1-sha1 } * undo ssh2 algorithm key-exchange In FIPS mode: ssh2 algorithm key-exchange dh-group14-sha1 undo ssh2 algorithm key-exchange Default In non-FIPS mode: SSH2 uses the key exchange algorithms dh-group-exchange-sha1, dh-group14-sha1, and dh-group1-sha1 in descending order of priority for algorithm negotiation.
  • Page 660: ssh2 algorithm public-key

    Syntax In non-FIPS mode: ssh2 algorithm mac { sha1 | sha1-96 | md5 | md5-96 } * undo ssh2 algorithm mac In FIPS mode: ssh2 algorithm mac { sha1 | sha1-96 } * undo ssh2 algorithm mac Default In non-FIPS mode: SSH2 uses the MAC algorithms sha1, sha1-96, md5, and md5-96 in descending order of priority for algorithm negotiation.
  • Page 661 Syntax In non-FIPS mode: ssh2 algorithm public-key { ecdsa | dsa | rsa } * undo ssh2 algorithm public-key In FIPS mode: ssh2 algorithm public-key { ecdsa | rsa } * undo ssh2 algorithm public-key Default In non-FIPS mode: SSH2 uses the public key algorithms ecdsa, dsa, and rsa in descending order of priority for algorithm negotiation.
  • Page 662: certificate-chain-sending enable

    SSL commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. certificate-chain-sending enable Use certificate-chain-sending enable to enable the SSL server to send the complete certificate chain to the client during SSL negotiation.
  • Page 663 Default An SSL server policy supports all cipher suites. Views SSL server policy view Predefined user roles network-admin Parameters dhe_rsa_aes_128_cbc_sha: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES, and MAC algorithm SHA. dhe_rsa_aes_256_cbc_sha: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES, and MAC algorithm SHA.
  • Page 664: client-verify

    Examples # Configure SSL server policy policy1 to support the following cipher suites: • Key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES, and MAC algorithm SHA. • Key exchange algorithm RSA, data encryption algorithm 128-bit AES, and MAC algorithm SHA. <Sysname>...
  • Page 665: display ssl client-policy

    If SSL client authentication is disabled, the SSL server does not authenticate SSL clients regardless of whether the clients submit digital certificates or not. SSL clients can access the SSL server without authentication. When authenticating a client by using the digital certificate, the SSL server performs the following operations: •...
  • Page 666: Display Ssl Server-Policy

    Preferred ciphersuite: RSA_AES_128_CBC_SHA Server-verify: enabled Table 88 Command output Field Description Server-verify Indicates whether the client is enabled to use digital certificates to authenticate servers. display ssl server-policy Use display ssl server-policy to display SSL server policy information. Syntax display ssl server-policy [ policy-name ] Views Any view Predefined user roles...
  • Page 667: Pki-Domain

    pki-domain Use pki-domain to specify a PKI domain for an SSL client policy or an SSL server policy. Use undo pki-domain to restore the default. Syntax pki-domain domain-name undo pki-domain Default No PKI domain is specified for an SSL client policy or an SSL server policy. Views SSL client policy view SSL server policy view...
  • Page 668 prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } undo prefer-cipher In FIPS mode: prefer-cipher { rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha } undo prefer-cipher Default In non-FIPS mode: The preferred cipher suite of an SSL client policy is rsa_rc4_128_md5. In FIPS mode: The preferred cipher suite of an SSL client policy is rsa_aes_128_cbc_sha.
  • Page 669: Server-Verify Enable

    3DES_EDE_CBC, AES_CBC, and RC4. When using a symmetric key algorithm, the SSL server and the SSL client must use the same key. • Message Authentication Code (MAC) algorithms—Calculate the MAC value for data to ensure integrity. Commonly used MAC algorithms include MD5 and SHA. When using a MAC algorithm, the SSL server and the SSL client must use the same key.
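The cipher-suite keywords that the ciphersuite and prefer-cipher pages above list mix modern AES-CBC/SHA suites with export-grade, RC2/RC4, single-DES and MD5 suites, and the non-FIPS client default (rsa_rc4_128_md5) is one of the weak ones. The following Python script is an added example for this page, not HPE code: it grades each keyword from its algorithm names, audits a constructed SSL server policy snippet, and emits a ciphersuite line that keeps only the AES suites with the forward-secret DHE ones first. The grading rules are the editor's, the command name ciphersuite for an SSL server policy is assumed from the page's description, and the policy snippet is constructed.

```python
"""Grade HPE Comware SSL cipher-suite keywords and build a hardened
`ciphersuite` command for an SSL server policy.

Added example for this reference page, not HPE code. The keyword list is
the non-FIPS `prefer-cipher` syntax shown on the page; the grading rules are
the editor's reading of the algorithm names, not anything the device enforces.
"""
import re

# Cipher-suite keywords exactly as the manual's non-FIPS syntax lists them.
COMWARE_SUITES = [
    "dhe_rsa_aes_128_cbc_sha", "dhe_rsa_aes_256_cbc_sha",
    "exp_rsa_des_cbc_sha", "exp_rsa_rc2_md5", "exp_rsa_rc4_md5",
    "rsa_3des_ede_cbc_sha", "rsa_aes_128_cbc_sha", "rsa_aes_256_cbc_sha",
    "rsa_des_cbc_sha", "rsa_rc4_128_md5", "rsa_rc4_128_sha",
]

# <export prefix>_<key exchange>_<bulk cipher>_<MAC>
_SUITE_RE = re.compile(
    r"^(?P<exp>exp_)?(?P<kx>dhe_rsa|rsa)_(?P<cipher>.+)_(?P<mac>sha|md5)$")


def parse_suite(name):
    """Split a keyword such as exp_rsa_rc4_md5 into its components."""
    m = _SUITE_RE.match(name.lower())
    if not m:
        raise ValueError("not a Comware cipher-suite keyword: %r" % name)
    return {"export": m.group("exp") is not None, "kx": m.group("kx"),
            "cipher": m.group("cipher"), "mac": m.group("mac")}


def assess(name):
    """Return (grade, reasons); grade is 'weak', 'legacy' or 'ok'."""
    s = parse_suite(name)
    weak, legacy = [], []
    if s["export"]:
        weak.append("export-grade key length")
    if s["cipher"].startswith("rc4"):
        weak.append("RC4 stream cipher")
    if s["cipher"] == "rc2":
        weak.append("RC2 cipher")
    if s["cipher"] == "des_cbc":
        weak.append("single DES (56-bit key)")
    if s["mac"] == "md5":
        weak.append("MD5-based MAC")
    if s["cipher"].startswith("3des"):
        legacy.append("3DES (64-bit block size)")
    if weak:
        return "weak", weak
    if legacy:
        return "legacy", legacy
    return "ok", []


def forward_secret(name):
    """DHE_RSA suites use an ephemeral DH key; plain RSA key exchange does not."""
    return parse_suite(name)["kx"] == "dhe_rsa"


def configured_suites(config_text):
    """Suites an SSL server policy snippet enables. The page states that a
    policy without a ciphersuite line supports all cipher suites."""
    for line in config_text.splitlines():
        parts = line.split()
        if parts and parts[0] == "ciphersuite":
            return parts[1:]
    return list(COMWARE_SUITES)


def harden_ciphersuite(suites):
    """Keep only 'ok' suites, forward-secret ones first, and emit the command."""
    kept = [s for s in suites if assess(s)[0] == "ok"]
    ordered = [s for s in kept if forward_secret(s)] + \
              [s for s in kept if not forward_secret(s)]
    return "ciphersuite " + " ".join(ordered)


# Constructed policy snippet; the weak suites are there to be flagged.
SAMPLE_POLICY = """\
ssl server-policy policy1
 pki-domain domain1
 ciphersuite rsa_rc4_128_md5 rsa_aes_128_cbc_sha exp_rsa_des_cbc_sha dhe_rsa_aes_256_cbc_sha
 client-verify enable
"""


def audit(config_text):
    """Return ([(suite, grade, reasons), ...], hardened_command)."""
    suites = configured_suites(config_text)
    findings = [(s,) + assess(s) for s in suites if assess(s)[0] != "ok"]
    return findings, harden_ciphersuite(suites)


if __name__ == "__main__":
    findings, cmd = audit(SAMPLE_POLICY)
    for suite, grade, reasons in findings:
        print("%-26s %-6s %s" % (suite, grade, "; ".join(reasons)))
    print("recommended:", cmd)
```

Run against the sample policy, the audit flags rsa_rc4_128_md5 and exp_rsa_des_cbc_sha and recommends `ciphersuite dhe_rsa_aes_256_cbc_sha rsa_aes_128_cbc_sha`; a policy with no ciphersuite line is treated as supporting every suite, which is the page's stated default and the reason an explicit line is worth configuring.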
  • Page 670: Session

    <Sysname> system-view [Sysname] ssl client-policy policy1 [Sysname-ssl-client-policy-policy1] server-verify enable Related commands display ssl client-policy session Use session to set the maximum number of sessions that the SSL server can cache and the timeout time for cached sessions. Use undo session to restore the default. Syntax session { cachesize size | timeout time } * undo session { cachesize | timeout } *...
  • Page 671: Ssl Renegotiation Disable

    Syntax ssl client-policy policy-name undo ssl client-policy policy-name Default No SSL client policies exist. Views System view Predefined user roles network-admin Parameters policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines This command creates an SSL client policy for which you can configure SSL parameters that the client uses to establish a connection to the server.
  • Page 672: Ssl Server-Policy

    Disabling session renegotiation increases the computational overhead on the system, but it avoids the risks that renegotiation introduces. Disable SSL session renegotiation only when explicitly required. Examples # Disable SSL session renegotiation. <Sysname> system-view [Sysname] ssl renegotiation disable ssl server-policy Use ssl server-policy to create an SSL server policy and enter its view, or enter the view of an existing SSL server policy.
  • Page 673 Default SSL 3.0 is enabled on the device. Views System view Predefined user roles network-admin Usage guidelines Use this command to disable SSL 3.0 on a device to enhance system security. SSL 3.0 is an obsolete protocol version; keep it disabled unless a legacy peer requires it. • An SSL server supports only TLS 1.0 after SSL 3.0 is disabled. •...
  • Page 674 You can specify SSL 3.0 or TLS 1.0 for an SSL client policy: • If TLS 1.0 is specified and SSL 3.0 is not disabled, the client first uses TLS 1.0 to connect to the SSL server. If the connection attempt fails, the client uses SSL 3.0. •...
  • Page 675: Aspf Apply Policy (Interface View)

    ASPF commands Commands and descriptions for centralized devices apply to the following routers: • MSR1002-4/1003-8S. • MSR2003. • MSR2004-24/2004-48. • MSR3012/3024/3044/3064. • MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A). • MSR958 (JH300A/JH301A). Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers. aspf apply policy (interface view) Use aspf apply policy to apply an ASPF policy to an interface.
  • Page 676: Aspf Apply Policy (Zone Pair View)

    display aspf all display aspf interface aspf apply policy (zone pair view) Use aspf apply policy to apply an ASPF policy to a zone pair. Use undo aspf apply policy to remove an ASPF policy application from a zone pair. Syntax aspf apply policy aspf-policy-number undo aspf apply policy aspf-policy-number...
  • Page 677: Aspf Icmp-Error Reply

    aspf icmp-error reply Use aspf icmp-error reply to enable the device to send ICMP error messages when it drops packets that do not match the security policies applied to zone pairs. Use undo aspf icmp-error reply to restore the default. Syntax aspf icmp-error reply undo aspf icmp-error reply Default The device does not send ICMP error messages when the device drops packets that do not match security policies applied to zone pairs.
  • Page 678: Detect

    Examples # Create ASPF policy 1 and enter its view. <Sysname> system-view [Sysname] aspf policy 1 [Sysname-aspf-policy-1] Related commands display aspf all display aspf policy detect Use detect to configure ASPF inspection for an application layer protocol. Use undo detect to restore the default. Syntax detect { { dns [ action { drop | logging } * ] | ftp | h323 | http | sccp | sip | smtp } [ action drop ] | gtp | ils | mgcp | nbt | pptp | rsh | rtsp | sqlnet | tftp | xdmcp }...
  • Page 679: Display Aspf All

    xdmcp: Specifies X Display Manager Control Protocol (XDMCP), an application layer protocol. action: Specifies an action on the packets that do not pass the protocol status validity check. If you do not specify an action, ASPF does not perform the protocol status validity check, and it only maintains connection status information.
  • Page 680: Display Aspf Interface

    ASPF policy configuration: Policy default: ICMP error message check: Disabled TCP SYN packet check: Disabled Inspected protocol Action None Policy number: 1 ICMP error message check: Disabled TCP SYN packet check: Disabled Inspected protocol Action None Interface configuration: GigabitEthernet1/0/1 Inbound policy : 1 Outbound policy: none Table 90 Command output Field...
  • Page 681: Display Aspf Policy

    Predefined user roles network-admin network-operator Examples # Display ASPF policy application on interfaces. <Sysname> display aspf interface Interface configuration: GigabitEthernet1/0/1 Inbound policy : 1 Outbound policy: none Table 91 Command output Field Description Interface configuration Interfaces where ASPF policy is applied. Inbound policy Inbound ASPF policy number.
  • Page 682: Display Aspf Session

    Drop HTTP None Table 92 Command output Field Description ICMP error message check Whether ICMP error message check is enabled. TCP SYN packet check Whether TCP SYN check is enabled. Inspected protocol Protocols to be inspected by ASPF. Actions on the detected illegal packets: •...
  • Page 683 argument represents the slot number of the card. If you do not specify a card, this command displays ASPF sessions for all cards. (Distributed devices in IRF mode.) verbose: Displays detailed information about ASPF sessions. If you do not specify this keyword, the command displays the brief information about ASPF sessions.
  • Page 684 Total sessions found: 2 # (Distributed devices in IRF mode.) Display brief information about IPv4 ASPF sessions. <Sysname> display aspf session ipv4 Slot 1 in chassis 1: Initiator: Source IP/port: 192.168.1.18/1877 Destination IP/port: 192.168.1.55/22 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet1/0/1 Source security zone: SrcZone...
  • Page 685 Source IP/port: 192.168.1.18/1792 Destination IP/port: 192.168.1.55/2048 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: ICMP(1) Inbound interface: GigabitEthernet1/0/1 Source security zone: SrcZone Responder: Source IP/port: 192.168.1.55/1792 Destination IP/port: 192.168.1.18/0 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: ICMP(1) Inbound interface: GigabitEthernet1/0/2 Source security zone: DestZone...
  • Page 686 Initiator: Source IP/port: 192.168.1.18/1792 Destination IP/port: 192.168.1.55/2048 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: ICMP(1) Inbound interface: GigabitEthernet1/0/1 Source security zone: SrcZone Responder: Source IP/port: 192.168.1.55/1792 Destination IP/port: 192.168.1.18/0 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: ICMP(1) Inbound interface: GigabitEthernet1/0/2 Source security zone: DestZone...
  • Page 687 Initiator: Source IP/port: 192.168.1.18/1792 Destination IP/port: 192.168.1.55/2048 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: ICMP(1) Inbound interface: GigabitEthernet1/0/1 Source security zone: SrcZone Responder: Source IP/port: 192.168.1.55/1792 Destination IP/port: 192.168.1.18/0 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: ICMP(1) Inbound interface: GigabitEthernet1/0/2 Source security zone: DestZone...
  • Page 688: Icmp-Error Drop

    Field Description State Protocol status of the session. Application Application layer protocol, including FTP and DNS. If it is an unknown protocol identified by an unknown port, this field displays OTHER. Start time Establishment time of the session. TTL Remaining lifetime of the session, in seconds. Initiator->Responder Number of packets and bytes from initiator to responder.
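The display aspf session output on the preceding pages and the display session table output later in this section share one record layout: an Initiator block, an optional Responder block, and, with verbose, session-level fields such as State, Application, TTL and the per-direction packet and byte counters, followed by a Total sessions found line. The following Python parser is an added example for this page, not HPE code: it turns that output into records, then answers the question an incident responder usually has first (which initiators, from which zone, reached a given service). The two sample outputs are constructed from the field names shown on the page; the real CLI's column alignment is an assumption, so the parser is whitespace-tolerant.

```python
"""Parse `display aspf session` / `display session table ... verbose` output
into records and pick out the sessions worth a second look.

Added example for this reference page, not HPE code. The sample outputs are
constructed from the field names shown on the page; the real CLI's column
alignment is assumed, so the parser is whitespace-tolerant.
"""
import re

KV_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")       # key ends at first colon (IPv6-safe)
PROTO_RE = re.compile(r"^([A-Za-z0-9\-]+)\((\d+)\)$")   # e.g. TCP(6), IPV6-ICMP(58)
COUNTER_RE = re.compile(r"(\d+)\s+packets\s+(\d+)\s+bytes")

# Fields that belong to one direction (an Initiator or Responder block).
DIR_KEYS = {"Source IP/port", "Destination IP/port", "DS-Lite tunnel peer",
            "VPN instance/VLAN ID/Inline ID", "Protocol", "Inbound interface",
            "Source security zone"}


def parse_sessions(output):
    """Return (sessions, total). total is the device's own count, so a
    truncated or partially paged capture can be detected by the caller."""
    sessions, total, slot, cur, side = [], None, None, None, None
    for line in output.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = " ".join(m.group(1).split()), m.group(2)
        if key.startswith("Slot "):
            slot = key
        elif key == "Initiator":                       # a new session starts here
            cur = {"slot": slot, "initiator": {}, "responder": {}}
            sessions.append(cur)
            side = "initiator"
        elif key == "Responder":
            side = "responder"
        elif key == "Total sessions found":
            total = int(value)
        elif cur is not None and key in DIR_KEYS:
            cur[side][key] = value
        elif cur is not None:                          # State, Application, TTL, counters
            cur[key] = value
    return sessions, total


def flow(side):
    """Typed view of one direction: addresses, ports, protocol, zone."""
    src_ip, _, src_port = side["Source IP/port"].rpartition("/")
    dst_ip, _, dst_port = side["Destination IP/port"].rpartition("/")
    proto = PROTO_RE.match(side["Protocol"])
    return {"src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "proto": proto.group(1), "proto_num": int(proto.group(2)),
            "zone": side.get("Source security zone")}


def counters(session, direction="Initiator->Responder"):
    """(packets, bytes) from verbose output, or None for brief output."""
    m = COUNTER_RE.search(session.get(direction, ""))
    return (int(m.group(1)), int(m.group(2))) if m else None


def sessions_to_service(sessions, dst_port, proto="TCP"):
    """(initiator IP, initiator zone, target IP) for sessions to a service."""
    hits = []
    for s in sessions:
        f = flow(s["initiator"])
        if f["proto"] == proto and f["dst_port"] == dst_port:
            hits.append((f["src_ip"], f["zone"], f["dst_ip"]))
    return hits


# Constructed brief output (IRF chassis/slot header, one TCP and one ICMP session).
SAMPLE_BRIEF = """\
Slot 1 in chassis 1:
Initiator:
  Source      IP/port: 192.168.1.18/1877
  Destination IP/port: 192.168.1.55/22
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
  Source security zone: SrcZone
Initiator:
  Source      IP/port: 192.168.1.18/1792
  Destination IP/port: 192.168.1.55/2048
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet1/0/1
  Source security zone: SrcZone
Total sessions found: 2
"""

# Constructed verbose IPv6 output; the responder block is modelled on the
# page's IPv4 ICMP responder (reply carries the initiator's identifier).
SAMPLE_VERBOSE = """\
Slot 0:
Initiator:
  Source      IP/port: 2011::2/58473
  Destination IP/port: 2011::8/32768
  Protocol: IPV6-ICMP(58)
  Inbound interface: GigabitEthernet1/0/1
  Source security zone: Trust
Responder:
  Source      IP/port: 2011::8/58473
  Destination IP/port: 2011::2/0
  Protocol: IPV6-ICMP(58)
  Inbound interface: GigabitEthernet1/0/2
  Source security zone: Local
State: ICMPV6_REQUEST
Application: OTHER
Start time: 2011-07-29 19:23:41
TTL: 55s
Initiator->Responder:            1 packets        104 bytes
Responder->Initiator:            0 packets          0 bytes
Total sessions found: 1
"""
```

Comparing len(sessions) with the parsed Total sessions found value is the check worth keeping in any tooling built on this output: a capture cut short by paging (---- More ----) otherwise silently looks complete.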
  • Page 689: Reset Aspf Session

    reset aspf session Use reset aspf session to clear ASPF session statistics. Syntax Centralized devices in standalone mode: reset aspf session [ ipv4 | ipv6 ] Distributed devices in standalone mode/centralized devices in IRF mode: reset aspf session [ ipv4 | ipv6 ] [ slot slot-number ] Distributed devices in IRF mode: reset aspf session [ ipv4 | ipv6 ] [ chassis chassis-number slot slot-number ] Views...
  • Page 690 Default TCP SYN check is disabled. Views ASPF policy view Predefined user roles network-admin Usage guidelines TCP SYN check verifies that the first packet of a TCP connection is a SYN packet. If the first packet is not a SYN packet, ASPF drops it. When a router attached to the network starts up, the first packet it receives for an existing TCP connection can be a non-SYN packet.
  • Page 691: App-Group

    APR commands Commands and descriptions for centralized devices apply to the following routers: • MSR1002-4/1003-8S. • MSR2003. • MSR2004-24/2004-48. • MSR3012/3024/3044/3064. • MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A). • MSR958 (JH300A/JH301A). Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers. app-group Use app-group to create an application group and enter its view, or enter the view of an existing application group.
  • Page 692: Application Statistics Enable

    application statistics enable Use application statistics enable to enable the application statistics feature on the specified direction of an interface. Use undo application statistics enable to disable the application statistics feature on the specified direction of an interface. Syntax application statistics enable [ inbound | outbound ] undo application statistics enable [ inbound | outbound ] Default The application statistics feature is disabled on both directions of an interface.
  • Page 693: Apr Signature Auto-Update

    Related commands display application statistics apr signature auto-update Use apr signature auto-update to enable automatic update for the APR signature database and enter auto-update configuration view. Use undo apr signature auto-update to disable automatic update for the APR signature database. Syntax apr signature auto-update undo apr signature auto-update...
  • Page 694: Apr Signature Rollback

    Usage guidelines This command starts the automatic APR signature database update process and backs up the current APR signature file. This command is independent of the apr signature auto-update command. Use this command to update the APR signature database if you find a new version of APR signature database at the Hewlett Packard Enterprise website.
  • Page 695 Predefined user roles network-admin Parameters override-current: Overwrites the old APR signature file. If you do not specify this keyword, the old APR signature file will be saved as a backup signature file on the device after the update. file-path: Specifies the path of the new APR signature file, a case-insensitive string of 1 to 256 characters.
  • Page 696 Update scenario Format of file-path Remarks The username argument represents the FTP login username. The password argument represents the FTP login password. The server address argument represents the IP address or host name of the FTP server. If an FTP login username or password includes update file ftp://username:password@s...
  • Page 697: Copy App-Group

    [Sysname] apr signature update dpi/apr-1.0.23-en.dat copy app-group Use copy app-group to copy all application protocols in an application group to another group. Syntax copy app-group group-name Views Application group view Predefined user roles network-admin Parameters group-name: Specifies the name of the source application group, a case-insensitive string of 1 to 63 characters.
  • Page 698: Description (Nbar Rule View)

    Usage guidelines Configure descriptions for different application groups for identification and management purposes. Examples # Configure a description for application group aaa. <Sysname> system-view [Sysname] app-group aaa [Sysname-app-group-aaa] description "User defined aaa group" Related commands app-group description (NBAR rule view) Use description to configure a description for a user-defined NBAR rule.
  • Page 699: Direction

    Syntax destination { ip ipv4-address [ mask-length ] | ipv6 ipv6-address [ prefix-length ] } undo destination Default A user-defined NBAR rule matches packets destined for all IP addresses. Views NBAR rule view Predefined user roles network-admin Parameters ip ipv4-address: Specifies a destination IPv4 address or IPv4 subnet, in dotted decimal notation. mask-length: Specifies the mask length for IPv4 addresses, in the range of 0 to 32.
  • Page 700: Disable

    Parameters to-client: Specifies the direction from server to client. to-server: Specifies the direction from client to server. Usage guidelines If you execute this command multiple times for the same NBAR rule, the most recent configuration takes effect. Examples # Configure user-defined NBAR rule abcd to match packets from client to server. <Sysname>...
  • Page 701 Syntax display app-group [ name group-name ] Views Any view Predefined user roles network-admin network-operator Parameters name group-name: Specifies an application group by its name. The group-name argument is a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed. If you do not specify any parameters, this command displays information about all application groups.
  • Page 702: Display Application

    Related commands app-group include display application Use display application to display information about the specified application protocols. Syntax display application [ name application-name | pre-defined | user-defined ] Views Any view Predefined user roles network-admin network-operator Parameters name application-name: Specifies an application protocol by its name. The application-name argument is a case-insensitive string of 1 to 63 characters.
  • Page 703 139_mobile_weibo_commen Pre-defined 0x000001da t_HTTP 139_mobile_weibo_login_ Pre-defined 0x000001d9 HTTP 139_mobile_weibo_login_ Pre-defined 0x00000444 ---- More ---- # Display information about all user-defined application protocols. <Sysname> display application user-defined User-defined count: 4 Application name Type App ID Tunnel Encrypted DetectLen User-defined 0x00800002 dfer User-defined 0x00800003 efer...
  • Page 704 178Game_Application_HTT Pre-defined 0x00000222 17K_fiction_Application Pre-defined 0x00000330 _HTTP 19lou_Login_http_stream Pre-defined 0x000002c0 19lou_Publish_Or_Reply_ Pre-defined 0x000002c2 http_stream1 19lou_Publish_Or_Reply_ Pre-defined 0x000002c3 http_stream2 19lou_View_http_stream Pre-defined 0x000002c1 1ting_Music_Application Pre-defined 0x000001bc _Mobile_HTTP 21CN_Email_Read_HTTP Pre-defined 0x000003fb 21CN_Email_Send_HTTP Pre-defined 0x000003fc ---- More ---- # Display information about application protocol Telnet. <Sysname>...
  • Page 705: Display Application Statistics

    Field Description Tunnel Whether or not the protocol is a tunnel protocol: Yes or No. Encrypted Whether or not the protocol is a cryptographic protocol: Yes or No. DetectLen Length of data to be inspected for application recognition. The length can be predefined or user defined. The measurement unit is byte.
  • Page 706 display application statistics [ direction { inbound | outbound } | interface interface-type interface-number | name application-name ] * Distributed devices in standalone mode/centralized devices in IRF mode: display application statistics [ direction { inbound | outbound } | interface interface-type interface-number [ slot slot-number ] | name application-name ] * Distributed devices in IRF mode: display application statistics [ direction { inbound | outbound } | interface interface-type...
  • Page 707 app2 2195 18560000 654222 21986666666 655555555123123101 55551 5454125111 aPP3 2195 17560000 45161 21986666666 5555555551231231 55551 5454125111 Interface : GigabitEthernet1/0/2 Application In/Out Packets Bytes app4 1900231111111 252334402111 2342222222 3411222222 170034 270011351 3211 451134 app2 2195 18560000 654222 21986666666 65555555512 55551 45412 App123456981200 2195 17560000...
  • Page 708: Display Application Statistics Top

    Application In/Out Packets Bytes app1 190023111111111111 252334402111111111 2342222222 3411222222 170034 270011351 3211 451134 Interface : GigabitEthernet1/0/2 Application In/Out Packets Bytes app1 190023111111111111 252334402111111111 2342222222 3411222222 170034 270011351 3211 451134 Interface : GigabitEthernet1/0/3 Application In/Out Packets Bytes app1 190023111111111111 252334402111111111 2342222222 3411222222 Table 96 Command output Field...
  • Page 709 Views Any view Predefined user roles network-admin network-operator Parameters number: Specifies the number of application statistics entries to be displayed. bytes: Sorts application protocols by traffic size in bytes. bps: Sorts application protocols by traffic rate in bps. packets: Sorts application protocols by traffic size in packet count. pps: Sorts application protocols by traffic rate in pps.
  • Page 710 appaaaaasg 190023111111111111 252334402111111111 2342222222 3411222222 170034 270011351 3211 451134 app2 2196 18560000 654222 OUT 21986666666 155555555123123101 55551 5454125111 aPP3 2195 17560000 45161 21986666666 5555555551231231 55551 5454125111 # Display the top three application protocols that have received and sent the most packets per second on GigabitEthernet 1/0/1.
  • Page 711: Display Apr Signature Information

    Related commands app-group application statistics enable display apr signature information Use display apr signature information to display APR signature database information. Syntax display apr signature information Views Any view Predefined user roles network-admin network-operator Examples # Display APR signature database information. <Sysname>...
  • Page 712: Display Port-Mapping User-Defined

    network-operator Examples # Display information about all predefined port mappings. <Sysname> display port-mapping pre-defined Application Protocol Port tacacs-ds net-bios-dgm 137, 138, 139 137, 138, 139 tftp Table 99 Command output Field Description Application Application protocol using the port mapping. Protocol Transport layer protocol.
  • Page 713: Include Application

    <Sysname> display port-mapping user-defined Application Port Protocol Match Type Match Condition ------------------------------------------------------------- IPv4 host 10.10.10.1(vpn1) 2121 IPv4 host [11.10.10.1, 11.10.10.10](vpn2) IPv4 subnet 10.10.10.1/24 SCTP IPv6 host 2000:fdb8::1:00ab:853c:39ab HTTP IPv4 ACL 2002 HTTP SCTP IPv6 ACL 2002 Table 100 Command output Field Description Application...
  • Page 714: Nbar Application

    Default An application group does not contain any application protocols. Views Application group view Predefined user roles network-admin Parameters application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed. Usage guidelines Execute this command multiple times to add multiple predefined or user-defined application protocols to an application group.
  • Page 715: Override-Current

    Parameters application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. The following names are not allowed: • invalid. • other. • Names of predefined application protocols. http: Specifies HTTP packets to which the NBAR rule is applied. tcp: Specifies TCP packets to which the NBAR rule is applied.
  • Page 716: Port-Mapping

    Predefined user roles network-admin Usage guidelines Use this command only if the device memory is insufficient. This command prevents the APR signature database from being rolled back to the previous version, because the backup signature file is not kept. Do not use this command if the device memory is sufficient. Examples # Overwrite the current APR signature file for a regular online auto-update operation.
  • Page 717: Port-Mapping Acl

    If the destination port of a packet matches a general port mapping, APR recognizes the packet as the specified application protocol's packet. If two port mappings are configured with the same port number and transport layer protocol, but with different application protocols, the most recent configuration takes effect. A mapping with the transport layer protocol specified has a higher priority than one without it.
  • Page 718: Port-Mapping Host

    • The packet's destination IP address matches the specified source IP address defined in the ACL. • The packet's destination port matches the specified port in the mapping. • The transport layer protocol that encapsulates the packet matches the specified transport layer protocol if you specify a transport layer protocol in the mapping.
  • Page 719: Port-Mapping Subnet

    provide both the start and end IP addresses, and make sure the end IP address is higher than the start IP address. vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you configure a mapping for the public network, do not specify this option.
  • Page 720 Parameters application application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed. port port-number: Specifies a port by its number, in the range of 0 to 65535. protocol protocol-name: Specifies a transport layer protocol by its name, including: •...
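The port-mapping pages above state the lookup rules APR applies: a general mapping is keyed by destination port and, optionally, transport protocol; a mapping that specifies the transport protocol takes priority over one that does not; when two general mappings share the same port and protocol but name different applications, the most recent configuration takes effect; and host, subnet and ACL mappings add a destination-address condition plus an optional VPN instance. The following Python class is an added example for this page, not HPE code, that models those rules so the interaction between overlapping mappings can be checked before committing them to a device. That host and subnet mappings are consulted before general ones is an assumption made here (the page does not rank them), ACL-based mappings are left out, and the sample mappings are constructed.

```python
"""Model the APR port-mapping lookup rules this page states.

Added example for this reference page, not HPE code. The general-mapping
rules (protocol-specific beats wildcard; most recent configuration wins for
the same port and protocol) and the host/subnet match conditions are from the
page. That host and subnet mappings are consulted before general ones is an
assumption made here; ACL-based mappings are left out.
"""
import ipaddress


class PortMappingTable:
    def __init__(self):
        self.general = {}   # (port, protocol or None) -> application
        self.scoped = []    # (application, port, protocol, scope, vpn), config order

    # port-mapping application APP port PORT [ protocol PROTO ]
    def port_mapping(self, application, port, protocol=None):
        # Same port and protocol, different application: the most recent wins.
        self.general[(port, protocol)] = application

    # port-mapping application APP port PORT host ip START [ END ] [ protocol ] [ vpn-instance ]
    def port_mapping_host(self, application, port, start_ip, end_ip=None,
                          protocol=None, vpn=None):
        lo = ipaddress.ip_address(start_ip)
        hi = ipaddress.ip_address(end_ip) if end_ip else lo
        if hi.version != lo.version or hi < lo:
            raise ValueError("end IP must be higher than start IP")   # page's rule
        self.scoped.append((application, port, protocol, (lo, hi), vpn))

    # port-mapping application APP port PORT subnet ip NET/LEN [ protocol ] [ vpn-instance ]
    def port_mapping_subnet(self, application, port, subnet, protocol=None, vpn=None):
        net = ipaddress.ip_network(subnet, strict=False)   # 10.10.10.1/24 -> 10.10.10.0/24
        self.scoped.append((application, port, protocol, net, vpn))

    @staticmethod
    def _in_scope(ip, scope):
        if isinstance(scope, tuple):                       # host range
            lo, hi = scope
            return ip.version == lo.version and lo <= ip <= hi
        return ip in scope                                 # subnet; False across IP versions

    def classify(self, dst_ip, dst_port, protocol, vpn=None):
        """Application name for a packet's destination, or None if nothing matches."""
        ip = ipaddress.ip_address(dst_ip)
        wildcard_hit = None
        # Assumption: address-scoped mappings are consulted before general ones.
        for app, port, proto, scope, m_vpn in reversed(self.scoped):   # newest first
            if port != dst_port or m_vpn != vpn or not self._in_scope(ip, scope):
                continue
            if proto == protocol:                          # protocol-specific wins outright
                return app
            if proto is None and wildcard_hit is None:
                wildcard_hit = app
        if wildcard_hit:
            return wildcard_hit
        # General mappings: protocol-specific entry first, then the wildcard entry.
        return self.general.get((dst_port, protocol), self.general.get((dst_port, None)))


def build_sample_table():
    """Constructed mappings mirroring the shapes shown in the page's examples."""
    t = PortMappingTable()
    t.port_mapping("ftp", 2121)
    t.port_mapping("telnet", 2121)                 # same port, no protocol: replaces ftp
    t.port_mapping("sip", 8080)
    t.port_mapping("http", 8080, protocol="tcp")   # beats the wildcard for TCP only
    t.port_mapping_host("http", 2121, "10.10.10.1", vpn="vpn1")
    t.port_mapping_host("ftp", 2121, "11.10.10.1", "11.10.10.10", vpn="vpn2")
    t.port_mapping_subnet("tftp", 6969, "10.10.10.1/24", protocol="udp")
    t.port_mapping_host("http", 8443, "2000:fdb8::1:00ab:853c:39ab")
    return t


if __name__ == "__main__":
    t = build_sample_table()
    for pkt in [("192.0.2.10", 2121, "tcp", None), ("192.0.2.10", 8080, "udp", None),
                ("10.10.10.1", 2121, "tcp", "vpn1"), ("10.10.10.200", 6969, "udp", None)]:
        print(pkt, "->", t.classify(*pkt))
```

Note that general mappings carry no VPN instance on the page, so a packet in vpn2 that misses every scoped mapping still falls back to the general entry for its port; that fallback is what makes a stray wildcard mapping on a shared port (2121 in the sample) reach traffic it was never meant to classify.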
  • Page 721: Reset Application Statistics

    reset application statistics Use reset application statistics to clear application statistics for interfaces. Syntax reset application statistics [ interface interface-type interface-number ] Views User view Predefined user roles network-admin Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears application statistics for all interfaces.
  • Page 722: Signature

    Usage guidelines Whether the specified port number or port range is used to match the packets' source or destination ports depends on the configuration of the direction command: • This command applies to the source ports if the direction command is not configured or the direction to-client command is configured.
  • Page 723 signature from the beginning. If you also specify the field field-name option, the offset begins from the protocol field. hex hex-vector: Specifies a hexadecimal vector as the match pattern. regex regex-pattern: Specifies a regular expression as the match pattern. The regex-pattern argument is a case-sensitive string of 3 to 512 characters.
  • Page 724: Update Schedule

    The ipv6 ipv6-address option is not supported in the current software version. If you specify this option, the command does not take effect. Examples # Configure user-defined NBAR rule abcd to match packets sourced from the IPv4 subnet 192.168.2.0/24. <Sysname> system-view [Sysname] nbar application abcd protocol http [Sysname-nbar-application-abcd] source ip 192.168.2.0 24 Related commands...
  • Page 725 For example, if the specified start time is 23:10:00 and the tolerance time is 10 minutes, the update starts during the period from 23:00:00 to 23:20:00. Examples # Configure the device to automatically update the APR signature database at 23:10:00 every Monday with a tolerance time of 10 minutes.
  • Page 726: Display Session Aging-Time Application

    Session management commands Commands and descriptions for centralized devices apply to the following routers: • MSR1002-4/1003-8S. • MSR2003. • MSR2004-24/2004-48. • MSR3012/3024/3044/3064. • MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A). • MSR958 (JH300A/JH301A). Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers. display session aging-time application Use display session aging-time application to display the aging time for sessions of different application layer protocols or applications.
  • Page 727: Display Session Aging-Time State

    netbios-ssn 3600 pptp 3600 rtsp 3600 sccp 3600 snmp snmptrap sqlnet stun syslog tacacs-ds tftp xdmcp 3600 others: 1200 Table 101 Command output Field Description Application Name of an application layer protocol or an application. Aging time(s) Aging time in seconds. others:1200 All application layer protocols and applications with the aging time of 1200 seconds are displayed as others.
  • Page 728: Display Session Relation-Table

    State Aging Time(s) TCP-EST 3600 UDP-OPEN UDP-READY ICMP-REQUEST ICMP-REPLY RAWIP-OPEN RAWIP-READY UDPLITE-OPEN UDPLITE-READY DCCP-REQUEST DCCP-EST 3600 DCCP-CLOSEREQ SCTP-INIT SCTP-EST 3600 SCTP-SHUTDOWN ICMPV6-REQUEST ICMPV6-REPLY TCP-TIME-WAIT TCP-CLOSE Table 102 Command output Field Description State Protocol state. Aging Time(s) Aging time in seconds. Related commands session aging-time state display session relation-table...
  • Page 729 network-operator Parameters ipv4: Specifies IPv4 relation entries. ipv6: Specifies IPv6 relation entries. slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays relation entries for all cards. (Distributed devices in standalone mode.) slot slot-number: Specifies an IRF member device by its member ID.
  • Page 730: Display Session Statistics Ipv4

    <Sysname> display session relation-table ipv6 Source IP: 2011::0002 Destination IP/port: 2011::0008/1212 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) TTL: 567s App: FTP-DATA Total entries found: # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display all IPv6 relation entries.
  • Page 731 display session statistics ipv4 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port } * Distributed devices in standalone mode/centralized devices in IRF mode: display session statistics ipv4 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port } * [ slot slot-number ]...
  • Page 732: Display Session Statistics Ipv6

    UDP-Lite sessions: SCTP sessions: DCCP sessions: RAWIP sessions: # Display statistics for IPv4 unicast TCP sessions. <Sysname> display session statistics ipv4 protocol tcp Slot 1: Current sessions: 3 TCP sessions: UDP sessions: ICMP sessions: ICMPv6 sessions: UDP-Lite sessions: SCTP sessions: DCCP sessions: RAWIP sessions: Table 104 Command output...
  • Page 733 display session statistics ipv6 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port } * [ slot slot-number ] Distributed devices in IRF mode: display session statistics ipv6 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port } * [ chassis chassis-number slot slot-number ]...
  • Page 734: Display Session Statistics Multicast

    # Display statistics for IPv6 unicast TCP sessions. <Sysname> display session statistics ipv6 protocol tcp Slot 1: Current sessions: 3 TCP sessions: UDP sessions: ICMP sessions: ICMPv6 sessions: UDP-Lite sessions: SCTP sessions: DCCP sessions: RAWIP sessions: Table 105 Command output Field Description Current sessions...
  • Page 735 Predefined user roles network-admin network-operator Parameters slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays multicast session statistics for all cards. (Distributed devices in standalone mode.) slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays multicast session statistics for all member devices.
  • Page 736: Display Session Statistics Summary

    Sent 0 packets 0 bytes Slot 2 in chassis 1: Current sessions: 0 Session establishment rate: 0/s Received: 0 packets 0 bytes Sent 0 packets 0 bytes Table 106 Command output Field Description Current sessions Total number of multicast sessions. Session establishment rate Rate of multicast session creation.
  • Page 737: Display Session Table Ipv4

    Examples # (Centralized devices in standalone mode.) Display summary information about unicast session statistics. <Sysname> display session statistics summary Slot Sessions Rate TCP rate UDP rate # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display summary information about unicast session statistics. <Sysname>...
  • Page 738 tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-name ] [ verbose ] Distributed devices in IRF mode: display session table ipv4 [ chassis chassis-number slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-name ] [ verbose ]...
  • Page 739 Slot 0: Initiator: Source IP/port: 192.168.1.18/1877 Destination IP/port: 192.168.1.55/22 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet1/0/1 Source security zone: Trust Initiator: Source IP/port: 192.168.1.18/1792 Destination IP/port: 192.168.1.55/2048 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: ICMP(1) Inbound interface: GigabitEthernet1/0/1 Source security zone: Trust...
  • Page 740 Source IP/port: 192.168.1.18/1877 Destination IP/port: 192.168.1.55/22 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet1/0/1 Source security zone: Trust Responder: Source IP/port: 192.168.1.55/22 Destination IP/port: 192.168.1.18/1877 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet1/0/2 Source security zone: Local...
  • Page 741 Initiator: Source IP/port: 192.168.1.18/1877 Destination IP/port: 192.168.1.55/22 DS-Lite tunnel peer:- VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet1/0/1 Source security zone: Trust Responder: Source IP/port: 192.168.1.55/22 Destination IP/port: 192.168.1.18/1877 DS-Lite tunnel peer:- VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet1/0/2 Source security zone: Local State: TCP_SYN_SENT...
  • Page 742: Display Session Table Ipv6

    Table 108 Command output Field Description Initiator: Information about the unicast session from the initiator to the responder. Responder: Information about the unicast session from the responder to the initiator. DS-Lite tunnel peer: Address of the DS-Lite tunnel peer. When the unicast session does not belong to any DS-Lite tunnel, this field displays a hyphen (-).
  • Page 743 Distributed devices in standalone mode/centralized devices in IRF mode: display session table ipv6 [ slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-name ] [ verbose ] Distributed devices in IRF mode:...
  • Page 744 Examples # (Centralized devices in standalone mode.) Display brief information about all IPv6 unicast session entries. <Sysname> display session table ipv6 Slot 0: Initiator: Source IP/port: 2011::2/58473 Destination IP/port: 2011::8/32768 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: IPV6-ICMP(58) Inbound interface: GigabitEthernet1/0/1 Source security zone: Trust Total sessions found: 1...
  • Page 745 State: ICMPV6_REQUEST Application: OTHER Start time: 2011-07-29 19:23:41 TTL: 55s Initiator->Responder: 1 packets 104 bytes Responder->Initiator: 0 packets 0 bytes Total sessions found: 1 # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display detailed information about all IPv6 unicast session entries. <Sysname>...
  • Page 746: Display Session Table Multicast Ipv4

    Field Description Protocol: Transport layer protocol: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite. The number in the brackets indicates the protocol number. Source security zone: Security zone to which the inbound interface belongs. If the inbound interface does not belong to any security zone, this field displays a hyphen (-).
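The verbose output above is what an operator reads during an incident, one record per session with an Initiator block, a Responder block, a State and the per-direction packet counters. The following Python parser is an added example, not Comware code: it turns that output into records and flags half-open TCP sessions (state TCP_SYN_SENT with zero packets from the responder), which is the footprint a SYN flood leaves in the session table. The sample output is constructed from the field names documented in the tables above; its column spacing and the exact Slot banner text are assumptions, so the parser is whitespace-tolerant. The same layout is used by display session table ipv6 verbose, so the parser applies to both.

```python
"""Parse `display session table ipv4 verbose` output and flag half-open
TCP sessions. Added example, not Comware code; SAMPLE is constructed from
the documented field names, with assumed column spacing."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: one established session and one SYN that got no reply.
SAMPLE = """\
Slot 0:
Initiator:
  Source      IP/port: 192.168.1.18/1877
  Destination IP/port: 192.168.1.55/22
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
  Source security zone: Trust
Responder:
  Source      IP/port: 192.168.1.55/22
  Destination IP/port: 192.168.1.18/1877
  Inbound interface: GigabitEthernet1/0/2
  Source security zone: Local
State: TCP_ESTABLISHED
Application: OTHER
Start time: 2011-07-29 19:23:41  TTL: 3597s
Initiator->Responder:            8 packets        612 bytes
Responder->Initiator:            6 packets        944 bytes
Initiator:
  Source      IP/port: 10.9.8.7/40001
  Destination IP/port: 192.168.1.55/22
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
  Source security zone: Trust
Responder:
  Source      IP/port: 192.168.1.55/22
  Destination IP/port: 10.9.8.7/40001
  Inbound interface: GigabitEthernet1/0/2
  Source security zone: Local
State: TCP_SYN_SENT
Application: OTHER
Start time: 2011-07-29 19:24:02  TTL: 25s
Initiator->Responder:            1 packets         60 bytes
Responder->Initiator:            0 packets          0 bytes
Total sessions found: 2
"""

@dataclass
class Session:
    slot: str
    initiator: dict = field(default_factory=dict)   # per-direction fields (IP/port, zone, ...)
    responder: dict = field(default_factory=dict)
    state: str = ""
    application: str = ""
    start_time: str = ""
    ttl: int = 0
    pkts_i2r: int = 0
    pkts_r2i: int = 0

START = re.compile(r"^Start time:\s*(\S+ \S+)\s+TTL:\s*(\d+)s")
FLOW = re.compile(r"^(Initiator|Responder)->\w+:\s*(\d+) packets\s+(\d+) bytes")
KV = re.compile(r"^\s*([^:]+?):\s*(.*)$")

def parse_sessions(text):
    """Return one Session per Initiator/Responder record in the display output."""
    sessions, cur, side, slot = [], None, None, ""
    for line in text.splitlines():
        if line.startswith("Slot "):                  # "Slot 0:" or "Slot 2 in chassis 1:"
            slot = line.rstrip(":")
        elif line.startswith("Initiator:"):           # each record starts with its Initiator block
            cur = Session(slot=slot)
            sessions.append(cur)
            side = cur.initiator
        elif cur is None or line.startswith("Total sessions"):
            continue
        elif line.startswith("Responder:"):
            side = cur.responder
        elif (m := START.match(line)):
            cur.start_time, cur.ttl = m.group(1), int(m.group(2))
        elif (m := FLOW.match(line)):
            if m.group(1) == "Initiator":
                cur.pkts_i2r = int(m.group(2))
            else:
                cur.pkts_r2i = int(m.group(2))
        elif (m := KV.match(line)):
            key = re.sub(r"\s+", " ", m.group(1).strip())  # "Source      IP/port" -> "Source IP/port"
            value = m.group(2).strip()
            if line[0].isspace():                         # indented: field of the current direction
                side[key] = value
            elif key == "State":
                cur.state = value
            elif key == "Application":
                cur.application = value
    return sessions

def half_open(sessions):
    """TCP sessions still in SYN_SENT with nothing back from the responder."""
    return [s for s in sessions if s.state == "TCP_SYN_SENT" and s.pkts_r2i == 0]

def syn_sent_by_source(sessions):
    """Half-open sessions per initiator address, to spot the source of a SYN flood."""
    return Counter(s.initiator["Source IP/port"].split("/")[0] for s in half_open(sessions))
```

Feed the function the captured output of the display command (for example from a scripted SSH session) and compare syn_sent_by_source against a baseline; a single address with many half-open entries whose TTL keeps resetting is the case the syn aging state and connection limit commands later in this reference are designed to contain.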
  • Page 747 Views Any view Predefined user roles network-admin network-operator Parameters slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information for all cards. (Distributed devices in standalone mode.) slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information for all member devices.
  • Page 748 GigabitEthernet1/0/2 GigabitEthernet1/0/3 Total sessions found: 3 # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display brief information about all IPv4 multicast session entries. <Sysname> display session table multicast ipv4 Slot 0: Total sessions found: 0 Slot 1: Total sessions found: 0 Slot 2: Inbound initiator: Source...
  • Page 749 Outbound initiator: Source IP/port: 3.3.3.4/1609 Destination IP/port: 232.0.0.1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Outbound responder: Source IP/port: 232.0.0.1/1025 Destination IP/port: 3.3.3.4/1609 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Outbound interface: GigabitEthernet1/0/2 Destination security zone: aaa State: UDP_OPEN Application: OTHER...
  • Page 750 Slot 2: Inbound initiator: Source IP/port: 3.3.3.4/1609 Destination IP/port: 232.0.0.1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Inbound responder: Source IP/port: 232.0.0.1/1025 Destination IP/port: 3.3.3.4/1609 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Inbound interface: GigabitEthernet1/0/1 Source security zone: Trust State: UDP_OPEN...
  • Page 751 Destination IP/port: 3.3.3.4/1609 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Outbound interface: GigabitEthernet1/0/3 Destination security zone: bbb State: UDP_OPEN Application: OTHER Start time: 2014-03-03 15:59:22 TTL: 18s Initiator->Responder: 1 packets 84 bytes Total sessions found: 3 Table 110 Command output Field Description...
  • Page 752: Display Session Table Multicast Ipv6

    Field Description Outbound interface: Outbound interface of the first packet from the initiator to responder. Outbound interface list: Outbound interfaces of the first packet from the initiator to responder. Source security zone: Security zone to which the inbound interface belongs. If the inbound interface does not belong to any security zone, this field displays a hyphen (-).
  • Page 753 argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (Distributed devices in IRF mode.) source-ip start-source-ip [ end-source-ip ]: Specifies a source IPv6 address or IPv6 address range for a multicast session from the initiator to the responder.
  • Page 754 Inbound initiator: Source IP/port: 3::4/1617 Destination IP/port: FF0E::1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Inbound interface: GigabitEthernet1/0/1 Outbound interface list: GigabitEthernet1/0/2 GigabitEthernet1/0/3 Total sessions found: 3 # (Centralized devices in standalone mode.) Display detailed information about all IPv6 multicast session entries.
  • Page 755 Destination security zone: bbb State: UDP_OPEN Application: OTHER Start time: 2014-03-03 16:10:58 TTL: 23s Initiator->Responder: 5 packets 520 bytes Outbound initiator: Source IP/port: 3::4/1617 Destination IP/port: FF0E::1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Outbound responder: Source IP/port: FF0E::1/1025 Destination IP/port: 3::4/1617...
  • Page 756 Inbound interface: GigabitEthernet1/0/1 Source security zone: Trust State: UDP_OPEN Application: OTHER Start time: 2014-03-03 16:10:58 TTL: 23s Initiator->Responder: 5 packets 520 bytes Outbound initiator: Source IP/port: 3::4/1617 Destination IP/port: FF0E::1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Outbound responder: Source IP/port: FF0E::1/1025...
  • Page 757 <Sysname> display session table multicast ipv6 verbose Slot 0 in chassis 1: Total sessions found: 0 Slot 1 in chassis 1: Total sessions found: 0 Slot 2 in chassis 1: Inbound initiator: Source IP/port: 3::4/1617 Destination IP/port: FF0E::1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Inbound responder:...
  • Page 758 Destination IP/port: FF0E::1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Outbound responder: Source IP/port: FF0E::1/1025 Destination IP/port: 3::4/1617 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Outbound interface: GigabitEthernet1/0/3 Destination security zone: ccc State: UDP_OPEN Application: OTHER Start time: 2014-03-03 16:10:58...
  • Page 759: Reset Session Relation-Table

    Field Description Application: Application layer protocol, FTP or DNS. If it is an unknown protocol identified by an unknown port, this field displays OTHER. Start time: Time when the multicast session was created. TTL: Remaining lifetime of the multicast session, in seconds. Inbound interface: Inbound interface of the first packet from the initiator to responder.
  • Page 760: Reset Session Statistics

    chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears relation entries for all cards.
  • Page 761: Reset Session Statistics Multicast

    reset session statistics multicast Use reset session statistics multicast to clear multicast session statistics. Syntax Centralized devices in standalone mode: reset session statistics multicast Distributed devices in standalone mode/centralized devices in IRF mode: reset session statistics multicast [ slot slot-number ] Distributed devices in IRF mode: reset session statistics multicast [ chassis chassis-number slot slot-number ] Views...
  • Page 762: Reset Session Table Ipv4

    Predefined user roles network-admin Parameters slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears unicast session entries for all cards. (Distributed devices in standalone mode.) slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears unicast session entries for all member devices.
  • Page 763: Reset Session Table Ipv6

    slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears information for all member devices. (Centralized devices in IRF mode.) chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device.
  • Page 764: Reset Session Table Multicast

    reset session table ipv6 [ chassis chassis-number slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] Views...
  • Page 765: Reset Session Table Multicast Ipv4

    Syntax Centralized devices in standalone mode: reset session table multicast Distributed devices in standalone mode/centralized devices in IRF mode: reset session table multicast [ slot slot-number ] Distributed devices in IRF mode: reset session table multicast [ chassis chassis-number slot slot-number ] Views User view Predefined user roles...
  • Page 766: Reset Session Table Multicast Ipv6

    udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] Views User view Predefined user roles network-admin Parameters slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears information for all cards.
  • Page 767 Syntax Centralized devices in standalone mode: reset session table multicast ipv6 [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] Distributed devices in standalone mode/centralized devices in IRF mode: reset session table multicast ipv6 [ slot slot-number ] [ source-ip source-ip ] [ destination-ip...
  • Page 768: Session Aging-Time Application

    Examples # Clear all IPv6 multicast session entries. <Sysname> reset session table multicast ipv6 # Clear the IPv6 multicast session entries with the source IP address of 2011::0002. <Sysname> reset session table multicast ipv6 source-ip 2011::0002 Related commands display session table multicast ipv6 session aging-time application Use session aging-time application to set the aging time for sessions of an application layer protocol or an application.
  • Page 769 • RAS sessions: 300 seconds. • RIP sessions: 120 seconds. • RSH sessions: 60 seconds. • RTSP sessions: 3600 seconds. • SCCP sessions: 3600 seconds. • SIP sessions: 300 seconds. • SNMP sessions: 120 seconds. • SNMPTRAP sessions: 120 seconds. •...
  • Page 770: Session Aging-Time State

    nbar application port-mapping port-mapping acl port-mapping host port-mapping subnet session aging-time state session persistent acl session aging-time state Use session aging-time state to set the aging time for the sessions in a protocol state. Use undo session aging-time state to restore the default for the sessions in a protocol state. If you do not specify a protocol state, this command restores all aging time for sessions in different protocol states to the default.
  • Page 771: Session Log Bytes-Active

    syn: Specifies the TCP SYN-SENT and SYN-RCV states. tcp-close: Specifies the TCP CLOSE state. tcp-est: Specifies the TCP ESTABLISHED state. tcp-time-wait: Specifies the TCP TIME-WAIT state. udp-open: Specifies the UDP OPEN state. udp-ready: Specifies the UDP READY state. time-value: Specifies the aging time in seconds. The value range is 1 to 100000. Usage guidelines This command sets the aging time for stable sessions of the application layer protocols that are not supported by the session aging-time application command.
  • Page 772: Session Log Enable

    Examples # Configure the device to output session logs on a per-10-MB basis. <Sysname> system-view [Sysname] session log bytes-active 10 Related commands session log enable session log time-active session log enable Use session log enable to enable session logging. Use undo session log enable to disable session logging. Syntax session log enable { ipv4 | ipv6 } [ acl acl-number ] { inbound | outbound } undo session log enable { ipv4 | ipv6 } [ acl acl-number ] { inbound | outbound }...
  • Page 773: Session Log Flow-Begin

    [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] session log enable ipv4 inbound # Enable session logging on GigabitEthernet 1/0/2 for IPv4 sessions that match ACL 2050 in the outbound direction. <Sysname> system-view [Sysname] session log flow-begin [Sysname] session log flow-end [Sysname] interface gigabitethernet 1/0/2 [Sysname-GigabitEthernet1/0/2] session log enable ipv4 acl 2050 outbound # Enable session logging on GigabitEthernet 1/0/3 for IPv6 sessions that match ACL 2050 in the outbound direction.
  • Page 774: Session Log Flow-End

    Related commands session log enable session log flow-end Use session log flow-end to enable logging for session deletion. Use undo session log flow-end to disable logging for session deletion. Syntax session log flow-end undo session log flow-end Default Logging for session deletion is disabled. Views System view Predefined user roles...
  • Page 775: Session Log Time-Active

    Usage guidelines If you set both the traffic-based and time-based logging, the device outputs a session log as soon as either threshold is reached. After outputting a session log, the device resets the traffic counter and restarts the interval for the session. Only one traffic-based threshold can take effect. If you set both the byte-based and packet-based thresholds, the most recent configuration takes effect.
  • Page 776: Session Persistent Acl

    session persistent acl Use session persistent acl to specify persistent sessions. Use undo session persistent acl to restore the default. Syntax session persistent acl [ ipv6 ] acl-number [ aging-time time-value ] undo session persistent acl [ ipv6 ] acl-number Default No persistent sessions exist.
  • Page 777: Session State-Machine Mode Loose

    session state-machine mode loose Use session state-machine mode loose to set the mode of session state machine to loose. Use undo session state-machine mode loose to restore the default. Syntax session state-machine mode loose undo session state-machine mode loose Default The session state machine is in strict mode.
  • Page 778 Examples # Enable session statistics collection. <Sysname> system-view [Sysname] session statistics enable Related commands display session statistics display session table...
  • Page 779: Connection-Limit

    Connection limit commands Commands and descriptions for centralized devices apply to the following routers: • MSR1002-4/1003-8S. • MSR2003. • MSR2004-24/2004-48. • MSR3012/3024/3044/3064. • MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A). • MSR958 (JH300A/JH301A). Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers. connection-limit Use connection-limit to create a connection limit policy and enter its view, or enter the view of an existing connection limit policy.
  • Page 780: Connection-Limit Apply

    connection-limit apply global display connection-limit limit connection-limit apply Use connection-limit apply to apply a connection limit policy to an interface. Use undo connection-limit apply to remove the application. Syntax connection-limit apply { ipv6-policy | policy } policy-id undo connection-limit apply { ipv6-policy | policy } Default No connection limit policy is applied to an interface.
  • Page 781 Syntax connection-limit apply global { ipv6-policy | policy } policy-id undo connection-limit apply global { ipv6-policy | policy } Default No connection limit policy is applied globally. Views System view Predefined user roles network-admin Parameters ipv6-policy: Specifies an IPv6 connection limit policy. policy: Specifies an IPv4 connection limit policy.
  • Page 782: Display Connection-Limit

    Predefined user roles network-admin Parameters text: Specifies a description, a case-sensitive string of 1 to 127 characters. Usage guidelines If you execute this command multiple times, the most recent configuration takes effect. Examples # Configure the description as CenterToA for IPv4 connection limit policy 1. <Sysname>...
  • Page 783 3004 500000 498000 2002 Port 1500 1400 3100 3000 3101 Src-Dst 3102 Src-Port 3200 Description list: Policy Description -------------------------------------------------------------------------------- IPv4Description1 Description for IPv4 28 # Display information about IPv4 connection limit policy 1. <Sysname> display connection-limit policy 1 IPv4 connection limit policy 1 has been applied 5 times, and has 5 limit rules. Description: IPv4Description1 Limit rule list: Policy...
  • Page 784 Description: IPv6Description3 Limit rule list: Policy Rule Stat Type HiThres LoThres Rate -------------------------------------------------------------------------------- Src-Dst 1000 3010 3001 Application list: GigabitEthernet2/0/1 Vlan-interface1 Tunnel0 Table 112 Command output Field Description Limit rule list Connection limit policy information. Policy Number of the connection limit policy. Rule Number of the connection limit rule.
  • Page 785: Display Connection-Limit Ipv6-Stat-Nodes

    display connection-limit ipv6-stat-nodes Use display connection-limit ipv6-stat-nodes to display statistics about IPv6 connections that match connection limit rules globally or on an interface. Syntax Centralized devices in standalone mode: display connection-limit ipv6-stat-nodes { global | interface interface-type interface-number } [ destination destination-ip | service-port port-number | source source-ip ] * [ count ] Distributed devices in standalone mode/centralized devices in IRF mode: display connection-limit ipv6-stat-nodes { global | interface interface-type interface-number } [ slot slot-number ] [ destination destination-ip | service-port port-number | source source-ip ] *...
  • Page 786 • Matching connection limit rules. • Number of current connections. • Whether or not new connections can be created. To further filter the output statistics, specify the following options in the command: • source source-ip. • destination destination-ip. • service-port port-number. For example, if you specify the source source-ip and destination destination-ip combination, this command displays statistics about IPv6 connections that match connection limit rules by source IP address and destination IP address.
  • Page 787 <Sysname> display connection-limit ipv6-stat-nodes interface vlan-interface 10 slot 2 Slot 2: Src IP address : 112::2 VPN instance : -- Dst IP address : Any VPN instance : -- Service : udp/300 Limit rule ID : 0(ACL: 3571) Sessions threshold Hi/Lo: 3000/2900 Sessions count : 2002 Sessions limit rate...
  • Page 788: Display Connection-Limit Statistics

    Slot 2: Current limit statistic nodes count is 1. # (Centralized devices in IRF mode.) Display the number of limit rule-based statistics sets on IRF member device 2. <Sysname> display connection-limit ipv6-stat-nodes global slot 2 count Slot 2: Current limit statistic nodes count is 0. # (Distributed devices in IRF mode.) Display the number of limit rule-based statistics sets of IRF member device 1 on the card in slot 2.
  • Page 789 Syntax Centralized devices in standalone mode: display connection-limit statistics { global | interface interface-type interface-number } Distributed devices in standalone mode/centralized devices in IRF mode: display connection-limit statistics { global | interface interface-type interface-number } [ slot slot-number ] Distributed devices in IRF mode: display connection-limit statistics { global | interface interface-type interface-number } [ chassis chassis-number slot slot-number ] Views...
  • Page 790: Display Connection-Limit Stat-Nodes

    Dropped IPv6 packets: 58174 # (Distributed devices in IRF mode.) Display the connection limit statistics of VLAN-interface 10 of the card in slot 1 on IRF member device 2. <Sysname> display connection-limit statistics interface vlan-interface 10 chassis 2 slot 1 Connection limit statistics (Vlan-interface10, slot 1 in chassis 2): Dropped IPv4 packets: 12345 Dropped IPv6 packets:...
  • Page 791 Predefined user roles network-admin network-operator Parameters global: Displays statistics about IPv4 connections that match connection limit rules globally. interface interface-type interface-number: Specifies an interface by its type and number. slot slot-number: Specifies a card by its slot number. This option is available only when you specify the global keyword or specify a virtual interface, such as a VLAN interface or tunnel interface.
  • Page 792 Examples # (Centralized devices in standalone mode.) Display statistics about all IPv4 connections that match the connection limit rule on GigabitEthernet 2/0/1. <Sysname> display connection-limit stat-nodes interface gigabitethernet 2/0/1 Slot 2 : Src IP address : 100.100.100.100 VPN instance : 0123456789012345678901234567890 Dst IP address : 200.200.200.200 VPN instance...
  • Page 793 Sessions limit rate New session flag : Permit # (Centralized devices in IRF mode.) Display statistics about IPv4 connections that match the connection limit rule on IRF member device 2. <Sysname> display connection-limit stat-nodes global slot 2 Slot 2: Src IP address : Any VPN instance : Vpn1...
  • Page 794: Limit

    <Sysname> display connection-limit stat-nodes global chassis 1 slot 2 count Slot 2 in chassis 1: Current limit statistic nodes count is 0. Table 115 Command output Field Description Src IP address: Source IP address. Dst IP address: Destination IP address. VPN instance: MPLS L3VPN instance to which the IP address belongs.
  • Page 795 In IPv6 connection limit policy view: limit limit-id acl ipv6 { acl-number | name acl-name } [ per-destination | per-service | per-source ] * { amount max-amount min-amount | rate rate } * [ description text ] undo limit limit-id Default No connection limit rules exist.
  • Page 796 When you configure a connection limit rule, follow these guidelines: • Different rules in the same connection limit policy must use different ACLs. • If you specify none of the per-destination, per-source, and per-service keywords, all connections that match the specified ACL are limited by the specified value. •...
  • Page 797: Reset Connection-Limit Statistics

    reset connection-limit statistics Use reset connection-limit statistics to clear the connection limit statistics globally or on an interface. Syntax Centralized devices in standalone mode: reset connection-limit statistics { global | interface interface-type interface-number } Distributed devices in standalone mode/centralized devices in IRF mode: reset connection-limit statistics { global | interface interface-type interface-number } [ slot slot-number ] Distributed devices in IRF mode:...
  • Page 798 <Sysname> reset connection-limit statistics global slot 2 # (Distributed devices in IRF mode.) Clear the global connection limit statistics of the card in slot 2 on IRF member device 1. <Sysname> reset connection-limit statistics global chassis 1 slot 2 Related commands display connection-limit statistics...
  • Page 799 Object group commands description Use description to configure a description for an object group. Use undo description to restore the default. Syntax description text undo description Default No description is configured for an object group. Views Object group view Predefined user roles network-admin Parameters text: Specifies a description, a case-sensitive string of 1 to 127 characters.
  • Page 800 name object-group-name: Specifies an object group by its name, a case-insensitive string of 1 to 31 characters. Examples # Display information about all object groups. <Sysname> display object-group IP address object group obj1: 0 object(in use) IP address object group obj2: 5 objects(out of use) 0 network host address 1.1.1.1 10 network host name host 20 network subnet 1.1.1.1 255.255.255.0...
  • Page 801: Network (Ipv4 Address Object Group View)

    <Sysname> display object-group ip address IP address object-group obj1: 0 object(in use) IP address object-group obj2: 5 objects(out of use) 0 network host address 1.1.1.1 10 network host name host 20 network subnet 1.1.1.1 255.255.255.0 30 network range 1.1.1.1 1.1.1.2 40 network group-object obj1 # Display information about IPv6 address object group obj4.
  • Page 802 address ip-address: Specifies an IPv4 host address. name host-name: Specifies a host name, a case-insensitive string of 1 to 60 characters. subnet ip-address { mask-length | mask }: Configures an IPv4 address object with the subnet address followed by a mask length in the range of 0 to 32 or a mask in dotted decimal notation. range ip-address1 ip-address2: Configures an IPv4 address object with the address range.
  • Page 803: Network (Ipv6 Address Object Group View)

    # Configure an IPv4 address object with the address range of 192.165.0.100 to 192.165.0.200. <Sysname> system-view [Sysname] object-group ip address ipgroup [Sysname-obj-grp-ip-ipgroup] network range 192.165.0.100 192.165.0.200 # Configure an IPv4 address object using object group ipgroup2. <Sysname> system-view [Sysname] object-group ip address ipgroup [Sysname-obj-grp-ip-ipgroup] network group-object ipgroup2 network (IPv6 address object group view) Use network to configure an IPv6 address object.
  • Page 804: Object-Group

    When you use the range ipv6-address1 ipv6-address2 option, follow these guidelines: • If ipv6-address1 is equal to ipv6-address2, the system configures the object with a host address. • If ipv6-address1 is not equal to ipv6-address2, the system compares the two IPv6 addresses, configures a range starting with the lower IPv6 address, and performs the following operations: Configures the object with an address range if the two addresses are in different subnets.
  • Page 805 Default Default object groups exist. Views System view Predefined user roles network-admin Parameters ip address: Configures an IPv4 address object group. ipv6 address: Configures an IPv6 address object group. port: Configures a port object group. service: Configures a service object group. object-group-name: Specifies a globally unique object group name, a case-insensitive string of 1 to 31 characters.
  • Page 806: Port (Port Object Group View)

    port (port object group view) Use port to configure a port object. Use undo port to delete a port object. Syntax [ object-id ] port { { eq | lt | gt } port | range port1 port2 | group-object object-group-name } undo port { { eq | lt | gt } port | range port1 port2 | group-object object-group-name } undo object-id Default...
  • Page 807: Service (Service Object Group View)

    • If port1 is equal to port2, the system configures the object with the port number port1. • If port1 is smaller than port2, the system configures the object with the port number range. • If port1 is greater than port2, the system changes the range to [port2, port1] and configures the object with the changed port number range.
  • Page 808 undo service { protocol [ { source { { eq | lt | gt } port | range port1 port2 } | destination { { eq | lt | gt } port | range port1 port2 } } * | icmp-type icmp-code | icmpv6-type icmpv6-code ] | group-object object-group-name } undo object-id Default...
  • Page 809 • If the value of port is in the range of 0 to 65533, the system configures the object with a port number range of [port+1, 65535]. When you use the range port1 port2 option, follow these guidelines: • If port1 is equal to port2, the system configures the object with the port number port1. •...
  • Page 810: Accelerate

    Object policy commands Commands and descriptions for centralized devices apply to the following routers: • MSR1002-4/1003-8S. • MSR2003. • MSR2004-24/2004-48. • MSR3012/3024/3044/3064. • MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A). • MSR958 (JH300A/JH301A). Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers. accelerate Use accelerate to enable rule matching acceleration for an object policy.
  • Page 811 description Use description to configure a description for an object policy. Use undo description to restore the default. Syntax description text undo description Default No description is configured for an object policy. Views Object policy view Predefined user roles network-admin Parameters text: Specifies a description, a case-sensitive string of 1 to 127 characters.
  • Page 812: Display Object-Policy Ip

    Views Any view Predefined user roles network-admin network-operator Parameters summary: Displays brief acceleration information. verbose: Displays detailed acceleration information. ip: Displays acceleration information for IPv4 object policies. ipv6: Displays acceleration information for IPv6 object policies. object-policy-name: Specifies an object policy by its name, a case-insensitive string of 1 to 63 characters.
  • Page 813: Display Object-Policy Ipv6

    network-operator Parameters object-policy-name: Specifies an object policy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an object policy name, this command displays information about all IPv4 object policies. Usage guidelines This command displays IPv4 object policy rules in the order they were configured. Examples # Display information about all IPv4 object policies.
  • Page 814: Display Object-Policy Statistics Zone-Pair Security

    Usage guidelines This command displays IPv6 object policy rules in the order they were configured. Examples # Display information about all IPv6 object policies. <Sysname> display object-policy ipv6 Object-policy ipv6 pass This is an IPv6 object policy for the zone-pair security source office destination library Object-policy accelerated rule 5 pass source-ip sourceipv6 rule 5 comment This rule is used for source-ip sourceipv6...
  • Page 815: Display Object-Policy Zone-Pair Security

    Usage guidelines If you specify neither the ip keyword nor the ipv6 keyword, the system displays statistics for all object policies applied to the specified zone pair. Examples # Display statistics for all object policies applied to the zone pair with source security zone office and destination security zone library.
  • Page 816: Move Rule

    destination destination-zone-name: Specifies a destination security zone name, a case-insensitive string of 1 to 31 characters. Usage guidelines If you do not specify a zone pair, the system displays information about the object policies applied to all zone pairs. Examples # Display information about the object policies applied to all zone pairs.
  • Page 817: Object-Policy Apply Ip

    object-policy ip rule (IPv4 object policy view) rule (IPv6 object policy view) object-policy apply ip Use object-policy apply ip to apply an IPv4 object policy to a zone pair. Use undo object-policy apply ip to restore the default. Syntax object-policy apply ip object-policy-name undo object-policy apply ip object-policy-name Default IPv4 object policies are not applied to a zone pair.
  • Page 818: Object-Policy Ip

    undo object-policy apply ipv6 object-policy-name Default IPv6 object policies are not applied to a zone pair. Views Zone pair view Predefined user roles network-admin Parameters object-policy-name: Specifies an IPv6 object policy by its name, a case-insensitive string of 1 to 63 characters.
  • Page 819: Object-Policy Ipv6

    Parameters object-policy-name: Specifies an IPv4 object policy name, a case-insensitive string of 1 to 63 characters. Usage guidelines The IPv4 object policy name is unchangeable once configured. You cannot delete an IPv4 object policy that has been applied to a zone pair. Examples # Configure an IPv4 object policy and enter its view.
  • Page 820: Reset Object-Policy Statistics

    object-policy ip reset object-policy statistics Use reset object-policy statistics to clear statistics for the object policies applied to zone pairs. Syntax reset object-policy statistics [ zone-pair security source source-zone-name destination destination-zone-name ] [ ip | ipv6 ] Views User view Predefined user roles network-admin Parameters...
  • Page 821 Default No rules are configured for an IPv4 object policy. Views IPv4 object policy view Predefined user roles network-admin Parameters rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify an ID for the rule, the system automatically assigns the rule an integer next to the greatest ID being used.
  • Page 822: Rule (Ipv6 Object Policy View)

    Usage guidelines If the specified rule ID does not exist, this command creates a rule. Otherwise, this command changes the configuration of the specified rule. If you do not configure any object groups in a rule, the rule applies to all packets. If you do not specify any options in the undo rule command, the command deletes the entire rule.
  • Page 823 Default No rules are configured for an IPv6 object policy. Views IPv6 object policy view Predefined user roles network-admin Parameters rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify an ID for the rule, the system automatically assigns the rule an integer next to the greatest ID being used.
  • Page 824: Rule Comment

    Usage guidelines If the specified rule ID does not exist, this command creates a rule. Otherwise, this command changes the configuration of the specified rule. If you do not configure any object groups in a rule, the rule applies to all packets. If you do not specify any options in the undo rule command, the command deletes the entire rule.
  • Page 825 Views Object policy view Predefined user roles network-admin Parameters rule-id: Specifies a rule by its ID in the range of 0 to 65534. text: Specifies a description, a case-sensitive string of 1 to 127 characters. Usage guidelines If the specified rule does not exist, this command fails. If the rule does not have a description, this command configures the description.
  • Page 826: Ack-Flood Action

    Attack detection and prevention commands Commands and descriptions for centralized devices apply to the following routers: • MSR1002-4/1003-8S. • MSR2003. • MSR2004-24/2004-48. • MSR3012/3024/3044/3064. • MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A). • MSR958 (JH300A/JH301A). Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers. ack-flood action Use ack-flood action to specify global actions against ACK flood attacks.
  • Page 827: Ack-Flood Detect

    Related commands ack-flood threshold ack-flood detect ack-flood detect non-specific client-verify tcp enable ack-flood detect Use ack-flood detect to configure IP address-specific ACK flood attack detection. Use undo ack-flood detect to remove IP address-specific ACK flood attack detection configuration. Syntax ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ] undo ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] Default...
  • Page 828: Ack-Flood Detect Non-Specific

    <Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] ack-flood detect ip 192.168.1.2 threshold 2000 Related commands ack-flood action ack-flood detect non-specific ack-flood threshold client-verify tcp enable ack-flood detect non-specific Use ack-flood detect non-specific to enable global ACK flood attack detection. Use undo ack-flood detect non-specific to disable global ACK flood attack detection. Syntax ack-flood detect non-specific undo ack-flood detect non-specific...
  • Page 829: Attack-Defense Apply Policy

    Syntax ack-flood threshold threshold-value undo ack-flood threshold Default The global threshold is 1000 for triggering ACK flood attack prevention. Views Attack defense policy view Predefined user roles network-admin Parameters threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of ACK packets sent to an IP address per second.
  • Page 830: Attack-Defense Local Apply Policy

    Predefined user roles network-admin Parameters policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). Usage guidelines An interface can have only one attack defense policy applied.
  • Page 831: Attack-Defense Login Reauthentication-Delay

    An attack defense policy can be applied to the device itself and to multiple interfaces. If a device and its interfaces have attack defense policies applied, a packet destined for the device is processed as follows: The policy applied to the receiving interface processes the packet. If the packet is not dropped by the receiving interface, the policy applied to the device processes the packet.
  • Page 832: Attack-Defense Signature Log Non-Aggregate

    Syntax attack-defense policy policy-name undo attack-defense policy policy-name Default No attack defense policies exist. Views System view Predefined user roles network-admin Parameters policy-name: Assigns a name to the attack defense policy. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
  • Page 833: Blacklist Enable

    • Source and destination IP addresses. • VPN instance to which the victim IP address belongs. As a best practice, do not disable log aggregation. A large number of logs will consume the display resources of the console. Examples # Enable log non-aggregation for single-packet attack events. <Sysname>...
  • Page 834: Blacklist Ip

    Syntax blacklist global enable undo blacklist global enable Default The global blacklist feature is disabled. Views System view Predefined user roles network-admin Usage guidelines If you enable the global blacklist feature, the blacklist feature is enabled on all interfaces. Examples # Enable the global blacklist feature.
  • Page 835: Blacklist Ipv6

    timeout minutes: Specifies the aging time in minutes for the blacklist entry, in the range of 1 to 1000. If you do not specify this option, the blacklist entry never ages out. You must delete it manually. Usage guidelines The undo blacklist ip command deletes only manually added IPv4 blacklist entries. To delete dynamically added IPv4 blacklist entries, use the reset blacklist ip command.
  • Page 836: Blacklist Logging Enable

    Examples # Add a blacklist entry for the IPv6 address 2012::12:25 and set the aging time to 10 minutes for the entry. <Sysname> system-view [Sysname] blacklist ipv6 2012::12:25 timeout 10 Related commands blacklist enable blacklist global enable blacklist ip blacklist logging enable Use blacklist logging enable to enable logging for the blacklist feature.
  • Page 837: Blacklist Object-Group

    %Mar 13 03:47:49:736 2013 Sysname BLS/5/BLS_ENTRY_ADD:SrcIPAddr(1003)=192.168.100.12; DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; TTL(1051)=; Reason(1052)=Configuration. # Delete 192.168.1.2 from the blacklist. A log is output for the deletion event. [Sysname] undo blacklist ip 192.168.100.12 %Mar 13 03:49:52:737 2013 Sysname BLS/5/BLS_ENTRY_DEL:SrcIPAddr(1003)=192.168.100.12; DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; Reason(1052)=Configuration. Related commands blacklist ip blacklist ipv6 blacklist object-group...
  • Page 838: Client-Verify Dns Enable

    Default No user blacklist entries exist. Views System view Predefined user roles network-admin Parameters user-name: Specifies a user by the username, a case-sensitive string of 1 to 55 characters. Packets sourced from this user will be dropped. timeout minutes: Specifies the aging time for the blacklist entry, in the range of 1 to 1000 minutes. If you do not specify this option, the blacklist entry never ages out.
  • Page 839: Client-Verify Http Enable

    can use the display client-verify dns protected ip command to display the protected IP list for DNS client verification. Examples # Enable DNS client verification on interface GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] client-verify dns enable Related commands client-verify dns protected ip display client-verify dns protected ip client-verify http enable...
  • Page 840: Client-Verify Protected Ip

    client-verify protected ip Use client-verify protected ip to specify an IPv4 address to be protected by the client verification feature. Use undo client-verify protected ip to remove an IPv4 address protected by the client verification feature. Syntax client-verify { dns | http | tcp } protected ip destination-ip-address [ vpn-instance vpn-instance-name ] [ port port-number ] undo client-verify { dns | http | tcp } protected ip destination-ip-address [ vpn-instance vpn-instance-name ] [ port port-number ]...
  • Page 841: Client-Verify Protected Ipv6

    client-verify protected ipv6 Use client-verify protected ipv6 to specify an IPv6 address to be protected by the client verification feature. Use undo client-verify protected ipv6 to remove an IPv6 address protected by the client verification feature. Syntax client-verify { dns | http | tcp } protected ipv6 destination-ipv6-address [ vpn-instance vpn-instance-name ] [ port port-number ] undo client-verify { dns | http | tcp } protected ipv6 destination-ipv6-address [ vpn-instance vpn-instance-name ] [ port port-number ]...
  • Page 842: Client-Verify Tcp Enable

    client-verify tcp enable Use client-verify tcp enable to enable TCP client verification on an interface. Use undo client-verify tcp enable to disable TCP client verification on an interface. Syntax client-verify tcp enable [ mode { syn-cookie | safe-reset } ] undo client-verify tcp enable Default TCP client verification is disabled on an interface.
  • Page 843: Display Attack-Defense Flood Statistics Ip

    display client-verify tcp protected ip display attack-defense flood statistics ip Use display attack-defense flood statistics ip to display IPv4 flood attack detection and prevention statistics. Syntax Centralized devices in standalone mode: display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ interface interface-type interface-number | local ] [ count ] Distributed devices in standalone mode/centralized devices in IRF mode:...
  • Page 844 slot slot-number: Specifies a card by its slot number. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a card, this command displays IPv4 flood attack detection and prevention statistics for all cards. (Distributed devices in standalone mode.) slot slot-number: Specifies an IRF member device by its member ID.
  • Page 845 192.168.100.221 a0123456789 GE1/1/0/2 SYN-ACK-FLOOD Normal 1000 4294967295 201.55.7.45 GE1/1/0/2 SYN-ACK-FLOOD Normal 1000 111111111 192.168.11.5 GE1/1/0/3 ACK-FLOOD Normal 1000 222222222 201.55.7.44 GE1/1/0/4 DNS-FLOOD Normal 1000 111111111 192.168.11.4 GE1/1/0/5 ACK-FLOOD Normal 1000 22222222 slot 2 in chassis 2: IP address Detected on Detect type State Dropped...
  • Page 846: Display Attack-Defense Flood Statistics Ipv6

    display attack-defense flood statistics ipv6 Use display attack-defense flood statistics ipv6 to display IPv6 flood attack detection and prevention statistics. Syntax Centralized devices in standalone mode: display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ interface interface-type interface-number | local ] [ count ] Distributed devices in standalone mode/centralized devices in IRF mode:...
  • Page 847 slot slot-number: Specifies a card by its slot number. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a card, this command displays IPv6 flood attack detection and prevention statistics for all cards. (Distributed devices in standalone mode.) slot slot-number: Specifies an IRF member device by its member ID.
  • Page 848 2000::1011 a0123456789 GE1/1/0/2 SYN-FLOOD Normal 4294967295 1::2 1222232 GE1/1/0/2 DNS-FLOOD Normal 1000 111111111 1::3 GE1/1/0/3 SYN-ACK-FLOOD Normal 1000 222222222 1::4 GE1/1/0/4 ACK-FLOOD Normal 1000 111111111 1::5 GE1/1/0/5 SYN-FLOOD Normal 1000 22222222 Slot 2 in chassis 2: IPv6 address Detected on Detect type State Dropped...
  • Page 849: Display Attack-Defense Policy

    display attack-defense policy Use display attack-defense policy to display attack defense policy configuration. Syntax display attack-defense policy [ policy-name ] Views Any view Predefined user roles network-admin network-operator Parameters policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters.
  • Page 850 Large ICMP Disabled Medium Max length 4000 bytes Large ICMPv6 Disabled Max length 4000 bytes TCP invalid flags Disabled medium TCP null flag Disabled TCP all flags Enabled Info TCP SYN-FIN flags Disabled Info TCP FIN only flag Enabled Info TCP Land Disabled Info...
  • Page 851 Flood attack defense configuration: Flood type Global thres(pps) Global actions Service ports Non-specific SYN flood 1000(default) Disabled ACK flood 1000(default) Enabled SYN-ACK flood 1000(default) Disabled RST flood Enabled FIN flood 1000(default) Disabled UDP flood 1000(default) Disabled ICMP flood 1000(default) Disabled ICMPv6 flood 1000(default) Disabled...
  • Page 852 Field Description Scan attack defense configuration Configuration information about scanning attack detection and prevention. Defense Whether scanning attack detection is enabled. Level Level of the scanning attack detection, low, medium, or high. Actions Prevention actions against the scanning attack: • BS—Blocking sources. •...
  • Page 853: Display Attack-Defense Policy Ip

    Field Description Ports Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-). # Display brief information about all attack defense policies. <Sysname>...
  • Page 854 network-operator Parameters policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). ack-flood: Specifies ACK flood attack. dns-flood: Specifies DNS flood attack.
  • Page 855 IP address VPN instance Type Rate threshold(PPS) Dropped 123.123.123.123 a012345678901234 SYN-ACK-FLOOD 100 4294967295 201.55.7.45 ICMP-FLOOD 192.168.11.5 DNS-FLOOD Slot 2: IP address VPN instance Type Rate threshold(PPS) Dropped 123.123.123.123 a012345678901234 SYN-ACK-FLOOD 100 2543 201.55.7.45 ICMP-FLOOD 192.168.11.5 DNS-FLOOD # (Distributed devices in IRF mode.) Display information about all IPv4 addresses protected by flood attack detection and prevention in the attack defense policy abc.
  • Page 856: Display Attack-Defense Policy Ipv6

    Field Description VPN instance MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field displays hyphens (--). Type Type of the flood attack. Rate threshold(PPS) Threshold for triggering the flood attack prevention, in units of packets sent to the IP address per second.
  • Page 857 syn-ack-flood: Specifies SYN-ACK flood attack. syn-flood: Specifies SYN flood attack. udp-flood: Specifies UDP flood attack. ipv6-address: Specifies a protected IPv6 address. If you do not specify an IPv6 address, this command displays information about all protected IPv6 addresses. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs.
  • Page 858: Display Attack-Defense Scan Attacker Ip

    2013::127f a012345678901234 SYN-ACK-FLOOD 100 4294967295 2::5 ACK-FLOOD 1::5 ACK-FLOOD Slot 2 in chassis 2: IPv6 address VPN instance Type Rate threshold(PPS) Dropped 2013::127f a012345678901234 SYN-ACK-FLOOD 100 5465 2::5 ACK-FLOOD 1::5 ACK-FLOOD # (Centralized devices in standalone mode.) Display the number of IPv6 addresses protected by flood attack detection and prevention in the attack defense policy abc.
  • Page 859 display attack-defense scan attacker ip [ interface interface-type interface-number | local ] [ count ] Distributed devices in standalone mode/centralized devices in IRF mode: display attack-defense scan attacker ip [ [ interface interface-type interface-number | local ] [ slot slot-number ] ] [ count ] Distributed devices in IRF mode: display attack-defense scan attacker ip [ [ interface interface-type interface-number | local ] [ chassis chassis-number slot slot-number ] ] [ count ]...
  • Page 860 2.2.2.3(--) GE1/0/2 Slot 2: IP addr(DslitePeer) VPN instance Protocol Detected on Duration(min) 192.168.1.100(--) GE1/0/2 1586 202.2.1.172(--) GE1/0/2 # (Distributed devices in IRF mode.) Display information about all IPv4 scanning attackers. <Sysname> display attack-defense scan attacker ip Slot 1 in chassis 1: IP addr(DslitePeer) VPN instance Protocol Detected on...
  • Page 861: Display Attack-Defense Scan Attacker Ipv6

    scan detect display attack-defense scan attacker ipv6 Use display attack-defense scan attacker ipv6 to display information about IPv6 scanning attackers. Syntax Centralized devices in standalone mode: display attack-defense scan attacker ipv6 [ interface interface-type interface-number | local ] [ count ] Distributed devices in standalone mode/centralized devices in IRF mode: display attack-defense scan attacker ipv6 [ [ interface interface-type interface-number | local ] [ slot slot-number ] ] [ count ]...
  • Page 862 IPv6 address VPN instance Protocol Detected on Duration(min) 2013::2 GE1/0/4 1234 1230::22 GE1/0/4 # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about all IPv6 scanning attackers. <Sysname> display attack-defense scan attacker ipv6 Slot 1: IPv6 address VPN instance Protocol Detected on...
  • Page 863: Display Attack-Defense Scan Victim Ip

    Field Description VPN instance MPLS L3VPN instance to which the attacker IPv6 address belongs. If the attacker IPv6 address is on the public network, this field displays hyphens (--). Protocol Name of the protocol. Detected on Where the attack is detected, on the device (Local) or an interface. Duration(min) The amount of time the attack lasts, in minutes.
  • Page 864 device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a card, this command displays information about IPv4 scanning attack victims for all cards. (Distributed devices in IRF mode.) count: Displays the number of matching IPv4 scanning attack victims. Usage guidelines If you do not specify any parameters, this command displays information about all IPv4 scanning attack victims.
  • Page 865: Display Attack-Defense Scan Victim Ipv6

    Table 130 Command output Field Description Totally 3 victim IP addresses Total number of IPv4 scanning attack victims. IP address IPv4 address of the victim. VPN instance MPLS L3VPN instance to which the victim IPv4 address belongs. If the victim IPv4 address is on the public network, this field displays hyphens (--).
  • Page 866 do not specify a member device, this command displays information about IPv6 scanning attack victims for all member devices. (Centralized devices in IRF mode.) chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card.
  • Page 867: Display Attack-Defense Statistics Interface

    <Sysname> display attack-defense scan victim ipv6 count Slot 1 in chassis 1: Totally 3 victim IP addresses. Slot 2 in chassis 2: Totally 0 victim IP addresses. Table 131 Command output Field Description Totally 3 victim IP addresses Total number of IPv6 scanning attack victims. IPv6 address IPv6 address of the victim.
  • Page 868 slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays attack detection and prevention statistics for all member devices.
  • Page 869 Large ICMP TCP NULL flag TCP all flags TCP SYN-FIN flags TCP FIN only flag TCP invalid flag TCP Land Winnuke UDP Bomb Snork Fraggle Large ICMPv6 ICMP echo request ICMP echo reply ICMP source quench ICMP destination unreachable ICMP redirect ICMP time exceeded ICMP parameter problem ICMP timestamp request...
  • Page 870 SYN-ACK flood 5000 RST flood FIN flood UDP flood ICMP flood ICMPv6 flood DNS flood HTTP flood Signature attack defense statistics: AttackType AttackTimes Dropped IP option record route IP option security IP option stream ID IP option internet timestamp IP option loose source routing IP option strict source routing IP option route alert Fragment...
  • Page 871 ICMP address mask request ICMP address mask reply ICMPv6 echo request ICMPv6 echo reply ICMPv6 group membership query ICMPv6 group membership report ICMPv6 group membership reduction ICMPv6 destination unreachable ICMPv6 time exceeded ICMPv6 parameter problem ICMPv6 packet too big # (Distributed devices in IRF mode.) Display attack detection and prevention statistics on interface GigabitEthernet 1/0/1 for the card in slot 1 on member device 1.
  • Page 872 Ping of death Traceroute Large ICMP TCP NULL flag TCP all flags TCP SYN-FIN flags TCP FIN only flag TCP invalid flag TCP Land Winnuke UDP Bomb Snork Fraggle Large ICMPv6 ICMP echo request ICMP echo reply ICMP source quench ICMP destination unreachable ICMP redirect ICMP time exceeded...
  • Page 873: Display Attack-Defense Statistics Local

    display attack-defense statistics local Use display attack-defense statistics local to display attack detection and prevention statistics for the device. Syntax Centralized devices in standalone mode: display attack-defense statistics local Distributed devices in standalone mode/centralized devices in IRF mode: display attack-defense statistics local [ slot slot-number ] Distributed devices in IRF mode: display attack-defense statistics local [ chassis chassis-number slot slot-number ] Views...
  • Page 874 ICMP flood ICMPv6 flood DNS flood HTTP flood Signature attack defense statistics: AttackType AttackTimes Dropped IP option record route IP option security IP option stream ID IP option internet timestamp IP option loose source routing IP option strict source routing IP option route alert Fragment Impossible...
  • Page 875 ICMPv6 group membership query ICMPv6 group membership report ICMPv6 group membership reduction ICMPv6 destination unreachable ICMPv6 time exceeded ICMPv6 parameter problem ICMPv6 packet too big # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display attack detection and prevention statistics for the device. <Sysname>...
  • Page 876 TCP all flags TCP SYN-FIN flags TCP FIN only flag TCP invalid flag TCP Land Winnuke UDP Bomb Snork Fraggle Large ICMPv6 ICMP echo request ICMP echo reply ICMP source quench ICMP destination unreachable ICMP redirect ICMP time exceeded ICMP parameter problem ICMP timestamp request ICMP timestamp reply ICMP information request...
  • Page 877 UDP flood ICMP flood ICMPv6 flood DNS flood HTTP flood Signature attack defense statistics: AttackType AttackTimes Dropped IP option record route IP option security IP option stream ID IP option internet timestamp IP option loose source routing IP option strict source routing IP option route alert Fragment Impossible...
  • Page 878: Display Blacklist Ip

    ICMPv6 echo reply ICMPv6 group membership query ICMPv6 group membership report ICMPv6 group membership reduction ICMPv6 destination unreachable ICMPv6 time exceeded ICMPv6 parameter problem ICMPv6 packet too big Table 133 Command output Field Description AttackType Type of the attack. AttackTimes Number of times that the attack occurred. This command output displays only attacks that are detected.
  • Page 879 slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv4 blacklist entries for all cards. (Distributed devices in standalone mode.) slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv4 blacklist entries for all member devices.
  • Page 880: Display Blacklist Ipv6

    # (Distributed devices in IRF mode.) Display the number of IPv4 blacklist entries. <Sysname> display blacklist ip count Slot 1 in chassis 1: Totally 3 blacklist entries. Slot 2 in chassis 2: Totally 3 blacklist entries. Table 134 Command output Field Description IP address...
  • Page 881 Parameters source-ipv6-address: Specifies the IPv6 address for a blacklist entry. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv6 address is on the public network. slot slot-number: Specifies a card by its slot number.
  • Page 882: Display Blacklist User

    2013:fe07:221a:4011 67890123456789 # (Centralized devices in standalone mode.) Display the number of IPv6 blacklist entries. <Sysname> display blacklist ipv6 count Totally 3 blacklist entries. # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of IPv6 blacklist entries on the card or IRF member device in slot 1. <Sysname>...
  • Page 883: Display Client-Verify Protected Ip

    count: Displays the number of matching user blacklist entries. Examples # Display all user blacklist entries. <Sysname> display blacklist user User name Type TTL(sec) Dropped Alex Manual 353452 Manual 4294967295 Cary Manual Never 14478 # Display the number of user blacklist entries. <Sysname>...
  • Page 884 Predefined user roles network-admin network-operator Parameters dns: Specifies the DNS client verification feature. http: Specifies the HTTP client verification feature. tcp: Specifies the TCP client verification feature. ip-address: Specifies a protected IPv4 address. If you do not specify an IPv4 address, this command displays all protected IPv4 addresses.
  • Page 885 # (Distributed devices in IRF mode.) Display the protected IPv4 addresses for TCP client verification. <Sysname> display client-verify tcp protected ip Slot 1 in chassis 1: IP address VPN instance Port Type Requested Trusted 192.168.11.5 Dynamic 353452 201.55.7.45 Manual 15000 123.123.123.123 VPN1 65535 Dynamic 4294967295...
  • Page 886 201.55.7.45 Manual 123.123.123.123 VPN1 Dynamic 5458 8863 # (Distributed devices in IRF mode.) Display the protected IPv4 addresses for DNS client verification. <Sysname> display client-verify dns protected ip Slot 1 in chassis 1: IP address VPN instance Port Type Requested Trusted 192.168.11.5 Dynamic 353452...
  • Page 887 IP address VPN instance Port Type Requested Trusted 192.168.11.5 Dynamic 0 201.55.7.45 8080 Manual 3258 123.123.123.123 VPN1 Dynamic 8666 15863 # (Distributed devices in IRF mode.) Display the protected IPv4 addresses for HTTP client verification. <Sysname> display client-verify http protected ip Slot 1 in chassis 1: IP address VPN instance...
  • Page 888: Display Client-Verify Protected Ipv6

    Field Description Requested Number of packets destined for the protected IPv4 address. Trusted Number of packets that passed the client verification. Related commands client-verify protected ip display client-verify protected ipv6 Use display client-verify protected ipv6 to display protected IPv6 addresses for client verification. Syntax Centralized devices in standalone mode: display client-verify { dns | http | tcp } protected ipv6 [ ipv6-address [ vpn vpn-instance-name ] ]...
  • Page 889 chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays protected IPv6 addresses for all cards.
  • Page 890 Totally 3 protected IPv6 addresses. Slot 2 in chassis 2: Totally 3 protected IPv6 addresses. # (Centralized devices in standalone mode.) Display the protected IPv6 addresses for DNS client verification. <Sysname> display client-verify dns protected ipv6 IPv6 address VPN instance Port Type Requested...
  • Page 891 # (Centralized devices in standalone mode.) Display the protected IPv6 addresses for HTTP client verification. <Sysname> display client-verify http protected ipv6 IPv6 address VPN instance Port Type Requested Trusted 1:2:3:4:5:6:7:8 8080 Manual 14478 5501 1023::1123 vpn1 Dynamic 4294967295 15151 # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the protected IPv6 addresses for HTTP client verification.
  • Page 892: Display Client-Verify Trusted Ip

    Table 138 Command output Field Description Totally protected IPv6 addresses Total number of protected IPv6 addresses. IPv6 address Protected IPv6 address. VPN instance MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--).
  • Page 893 slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays trusted IPv4 addresses for all cards. (Distributed devices in standalone mode.) slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays trusted IPv4 addresses for all member devices.
  • Page 894 # (Distributed devices in IRF mode.) Display the number of trusted IPv4 addresses for DNS client verification. <Sysname> display client-verify dns trusted ip count Slot 1 in chassis 1: Totally 3 trusted IP addresses. Slot 2 in chassis 2: Totally 3 trusted IP addresses. # (Centralized devices in standalone mode.) Display the trusted IPv4 addresses for HTTP client verification.
  • Page 895 Totally 3 trusted IP addresses. Slot 2 in chassis 2: Totally 3 trusted IP addresses. # (Centralized devices in standalone mode.) Display the trusted IPv4 addresses for TCP client verification. <Sysname> display client-verify tcp trusted ip IP address VPN instance DS-Lite tunnel peer TTL(sec) 11.1.1.2...
  • Page 896: Display Client-Verify Trusted Ipv6

    Table 139 Command output (Field: Description). Totally protected addresses: Total number of trusted IPv4 addresses. IP address: Trusted IPv4 address. VPN instance: MPLS L3VPN instance to which the trusted IPv4 address belongs. If the trusted IPv4 address is on the public network, this field displays hyphens (--).
  • Page 897 slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays trusted IPv6 addresses for all cards. (Distributed devices in standalone mode.) slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays trusted IPv6 addresses for all member devices.
  • Page 898 # (Distributed devices in IRF mode.) Display the number of trusted IPv6 addresses for DNS client verification. <Sysname> display client-verify dns trusted ipv6 count Slot 1 in chassis 1: Totally 3 trusted IPv6 addresses. Slot 2 in chassis 2: Totally 3 trusted IPv6 addresses. # (Centralized devices in standalone mode.) Display the trusted IPv6 addresses for HTTP client verification.
  • Page 899 Slot 2 in chassis 2: Totally 3 trusted IPv6 addresses. # (Centralized devices in standalone mode.) Display the trusted IPv6 addresses for TCP client verification. <Sysname> display client-verify tcp trusted ipv6 IPv6 address VPN instance TTL(sec) 1::3 vpn1 1643 1234::1234 a012345678901234 1234 # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the trusted IPv6 addresses for TCP client verification.
  • Page 900: Dns-Flood Action

    Table 140 Command output (Field: Description). Totally protected IPv6 addresses: Number of trusted IPv6 addresses. IPv6 address: Trusted IPv6 address. VPN instance: MPLS L3VPN instance to which the trusted IPv6 address belongs. If the trusted IPv6 address is on the public network, this field displays hyphens (--).
  • Page 901: Dns-Flood Detect

    dns-flood threshold client-verify dns enable dns-flood detect Use dns-flood detect to configure IP address-specific DNS flood attack detection. Use undo dns-flood detect to remove the IP address-specific DNS flood attack detection configuration. Syntax dns-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } *| none } ] undo dns-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] Default...
  • Page 902: Dns-Flood Detect Non-Specific

    Examples # Configure DNS flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1. <Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] dns-flood detect ip 192.168.1.2 port 53 threshold 2000 Related commands dns-flood action dns-flood detect non-specific dns-flood threshold dns-flood port dns-flood detect non-specific Use dns-flood detect non-specific to enable global DNS flood attack detection.
  • Page 903: Dns-Flood Threshold

    Use undo dns-flood port to restore the default. Syntax dns-flood port port-list undo dns-flood port Default The global DNS flood attack prevention protects port 53. Views Attack defense policy view Predefined user roles network-admin Parameters port-list: Specifies a space-separated list of up to 32 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number.
  • Page 904: Exempt Acl

    Predefined user roles network-admin Parameters threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of DNS packets sent to an IP address per second. Usage guidelines The global threshold applies to global DNS flood attack detection. Adjust the threshold according to the application scenarios.
  • Page 905: Fin-Flood Action

    name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, it cannot be all. Usage guidelines The attack defense policy uses an ACL to identify exempted packets. The policy does not check the packets permitted by the ACL.
  • Page 906: Fin-Flood Detect

    Parameters client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers. drop: Drops subsequent FIN packets destined for the victim IP addresses. logging: Enables logging for FIN flood attack events.
  • Page 907: Fin-Flood Detect Non-Specific

    threshold threshold-value: Specifies the threshold for triggering FIN flood attack prevention. The value range is 1 to 1000000 in units of FIN packets sent to the specified IP address per second. action: Specifies the actions when a FIN flood attack is detected. If no action is specified, the global actions set by the fin-flood action command apply.
  • Page 908: Fin-Flood Threshold

    Examples # Enable global FIN flood attack detection in the attack defense policy atk-policy-1. <Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] fin-flood detect non-specific Related commands fin-flood action fin-flood detect fin-flood threshold fin-flood threshold Use fin-flood threshold to set the global threshold for triggering FIN flood attack prevention. Use undo fin-flood threshold to restore the default.
  • Page 909: Http-Flood Action

    fin-flood detect fin-flood detect non-specific http-flood action Use http-flood action to specify global actions against HTTP flood attacks. Use undo http-flood action to restore the default. Syntax http-flood action { client-verify | drop | logging } * undo http-flood action Default No global action is specified for HTTP flood attacks.
  • Page 910 Syntax http-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ] undo http-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] Default IP address-specific HTTP flood attack detection is not configured.
  • Page 911: Http-Flood Detect Non-Specific

    http-flood detect non-specific http-flood threshold http-flood port http-flood detect non-specific Use http-flood detect non-specific to enable global HTTP flood attack detection. Use undo http-flood detect non-specific to disable global HTTP flood attack detection. Syntax http-flood detect non-specific undo http-flood detect non-specific Default Global HTTP flood attack detection is disabled.
  • Page 912: Http-Flood Threshold

    Views Attack defense policy view Predefined user roles network-admin Parameters port-list: Specifies a space-separated list of up to 32 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number.
  • Page 913: Icmp-Flood Action

    large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold. With global HTTP flood attack detection configured, the device is in attack detection state. When the sending rate of HTTP packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions.
  • Page 914: Icmp-Flood Detect Ip

    icmp-flood detect ip Use icmp-flood detect ip to configure IP address-specific ICMP flood attack detection. Use undo icmp-flood detect ip to remove the IP address-specific ICMP flood attack detection configuration. Syntax icmp-flood detect ip ip-address [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ] undo icmp-flood detect ip ip-address [ vpn-instance vpn-instance-name ] Default...
  • Page 915: Icmp-Flood Detect Non-Specific

    icmp-flood detect non-specific Use icmp-flood detect non-specific to enable global ICMP flood attack detection. Use undo icmp-flood detect non-specific to disable global ICMP flood attack detection. Syntax icmp-flood detect non-specific undo icmp-flood detect non-specific Default Global ICMP flood attack detection is disabled. Views Attack defense policy view Predefined user roles...
  • Page 916: Icmpv6-Flood Action

    Parameters threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of ICMP packets sent to an IP address per second. Usage guidelines The global threshold applies to global ICMP flood attack detection. Adjust the threshold according to the application scenarios.
  • Page 917: Icmpv6-Flood Detect Ipv6

    [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood action drop Related commands icmpv6-flood detect ipv6 icmpv6-flood detect non-specific icmpv6-flood threshold icmpv6-flood detect ipv6 Use icmpv6-flood detect ipv6 to configure IPv6 address-specific ICMPv6 flood attack detection. Use undo icmpv6-flood detect ipv6 to remove the IPv6 address-specific ICMPv6 flood attack detection configuration.
  • Page 918: Icmpv6-Flood Detect Non-Specific

    [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood detect ipv6 2012::12 threshold 2000 Related commands icmpv6-flood action icmpv6-flood detect non-specific icmpv6-flood threshold icmpv6-flood detect non-specific Use icmpv6-flood detect non-specific to enable global ICMPv6 flood attack detection. Use undo icmpv6-flood detect non-specific to disable global ICMPv6 flood attack detection. Syntax icmpv6-flood detect non-specific undo icmpv6-flood detect non-specific...
  • Page 919: Reset Attack-Defense Policy Flood

    undo icmpv6-flood threshold Default The global threshold is 1000 for triggering ICMPv6 flood attack prevention. Views Attack defense policy view Predefined user roles network-admin Parameters threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of ICMPv6 packets sent to an IP address per second.
  • Page 920: Reset Attack-Defense Statistics Interface

    ip: Specifies protected IPv4 addresses. ipv6: Specifies protected IPv6 addresses. statistics: Clears flood attack detection and prevention statistics. Examples # Clear flood attack detection and prevention statistics for protected IPv4 addresses in the attack defense policy abc. <Sysname> reset attack-defense policy abc flood protected ip statistics # Clear flood attack detection and prevention statistics for protected IPv6 addresses in the attack defense policy abc.
  • Page 921: Reset Blacklist Ip

    Examples # Clear attack detection and prevention statistics for the device. <Sysname> reset attack-defense statistics local Related commands display attack-defense statistics local reset blacklist ip Use reset blacklist ip to clear dynamic IPv4 blacklist entries. Syntax reset blacklist ip { source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ] | all } Views User view...
  • Page 922: Reset Blacklist Statistics

    Parameters source-ipv6-address: Specifies the IPv6 address for a blacklist entry. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv6 address is on the public network. all: Specifies all dynamic IPv6 blacklist entries.
  • Page 923: Reset Client-Verify Trusted

    Parameters dns: Specifies the DNS client verification feature. http: Specifies the HTTP client verification feature. tcp: Specifies the TCP client verification feature. ip: Specifies the protected IPv4 list. ipv6: Specifies the protected IPv6 list. Examples # Clear the protected IPv4 statistics for TCP client verification. <Sysname>...
  • Page 924: Rst-Flood Detect

    undo rst-flood action Default No global action is specified for RST flood attacks. Views Attack defense policy view Predefined user roles network-admin Parameters client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.
  • Page 925: Rst-Flood Detect Non-Specific

    Predefined user roles network-admin Parameters ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be 255.255.255.255 or 0.0.0.0. ipv6 ipv6-address: Specifies the IPv6 address to be protected. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs.
  • Page 926: Rst-Flood Threshold

    Views Attack defense policy view Predefined user roles network-admin Usage guidelines The global RST flood attack detection applies to all IP addresses except for those specified by the rst-flood detect command. The global detection uses the global trigger threshold set by the rst-flood threshold command and global actions specified by the rst-flood action command.
  • Page 927: Scan Detect

    Examples # Set the global threshold to 100 for triggering RST flood attack prevention in the attack defense policy atk-policy-1. <Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] rst-flood threshold 100 Related commands rst-flood action rst-flood detect rst-flood detect non-specific scan detect Use scan detect to configure scanning attack detection.
  • Page 928: Signature { Large-Icmp | Large-Icmpv6 } Max-Length

    Usage guidelines To collaborate with the IP blacklist feature, make sure the blacklist feature is enabled on the interface to which the attack defense policy is applied. The aging timer set by the timeout minutes option must be longer than the statistics collection interval.
  • Page 929: Signature Detect

    Examples # Set the maximum length of safe ICMP packets for large ICMP attack to 50000 bytes in the attack defense policy atk-policy-1. <Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] signature large-icmp max-length 50000 Related commands signature detect signature detect Use signature detect to enable signature detection for single-packet attacks and specify the prevention actions.
  • Page 930 Views Attack defense policy view Predefined user roles network-admin Parameters fraggle: Specifies the fraggle attack. fragment: Specifies the IP fragment attack. icmp-type: Specifies an ICMP packet attack by the packet type. You can specify the packet type by a number or a keyword: •...
  • Page 931 • security: Specifies the security option. • stream-id: Specifies the stream identifier option. • strict-source-routing: Specifies the strict source route option. ip-option-abnormal: Specifies the abnormal IP option attack. ipv6-ext-header ext-header-value: Specifies an IPv6 extension header by its value in the range of 0 to 255.
  • Page 932: Signature Level Action

    signature level action Use signature level action to specify the actions against single-packet attacks on a specific level. Use undo signature level action to restore the default. Syntax signature level { high | info | low | medium } action { { drop | logging } * | none } undo signature level { high | info | low | medium } action Default For informational-level and low-level single-packet attacks, the action is logging.
  • Page 933: Signature Level Detect

    signature level detect Use signature level detect to enable signature detection for single-packet attacks on a specific level. Use undo signature level detect to disable signature detection for single-packet attacks on a specific level. Syntax signature level { high | info | low | medium } detect undo signature level { high | info | low | medium } detect Default Signature detection is disabled for all levels of single-packet attacks.
  • Page 934: Syn-Ack-Flood Detect

    Use undo syn-ack-flood action to restore the default. Syntax syn-ack-flood action { client-verify | drop | logging } * undo syn-ack-flood action Default No global action is specified for SYN-ACK flood attacks. Views Attack defense policy view Predefined user roles network-admin Parameters client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification.
  • Page 935: Syn-Ack-Flood Detect Non-Specific

    Default IP address-specific SYN-ACK flood attack detection is not configured. Views Attack defense policy view Predefined user roles network-admin Parameters ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be 255.255.255.255 or 0.0.0.0. ipv6 ipv6-address: Specifies the IPv6 address to be protected. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs.
  • Page 936: Syn-Ack-Flood Threshold

    Syntax syn-ack-flood detect non-specific undo syn-ack-flood detect non-specific Default Global SYN-ACK flood attack detection is disabled. Views Attack defense policy view Predefined user roles network-admin Usage guidelines The global SYN-ACK flood attack detection applies to all IP addresses except for those specified by the syn-ack-flood detect command.
  • Page 937: Syn-Flood Action

    Usage guidelines The global threshold applies to global SYN-ACK flood attack detection. Adjust the threshold according to the application scenarios. If the number of SYN-ACK packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services.
  • Page 938: Syn-Flood Detect

    Examples # Specify drop as the global action against SYN flood attacks in the attack defense policy atk-policy-1. <Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] syn-flood action drop Related commands syn-flood detect syn-flood detect non-specific syn-flood threshold syn-flood detect Use syn-flood detect to configure IP address-specific SYN flood attack detection. Use undo syn-flood detect to remove the IP address-specific SYN flood attack detection configuration.
  • Page 939: Syn-Flood Detect Non-Specific

    Usage guidelines With SYN flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of SYN packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
  • Page 940: Syn-Flood Threshold

    syn-flood threshold Use syn-flood threshold to set the global threshold for triggering SYN flood attack prevention. Use undo syn-flood threshold to restore the default. Syntax syn-flood threshold threshold-value undo syn-flood threshold Default The global threshold is 1000 for triggering SYN flood attack prevention. Views Attack defense policy view Predefined user roles...
  • Page 941: Udp-Flood Detect

    Default No global action is specified for UDP flood attacks. Views Attack defense policy view Predefined user roles network-admin Parameters drop: Drops subsequent UDP packets destined for the victim IP addresses. logging: Enables logging for UDP flood attack events. Examples # Specify drop as the global action against UDP flood attacks in the attack defense policy atk-policy-1.
  • Page 942: Udp-Flood Detect Non-Specific

    threshold threshold-value: Specifies the threshold for triggering UDP flood attack prevention. The value range is 1 to 64000 in units of UDP packets sent to the specified IP address per second. action: Specifies the actions when a UDP flood attack is detected. If no action is specified, the global actions set by the udp-flood action command apply.
  • Page 943: Udp-Flood Threshold

    [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] udp-flood detect non-specific Related commands udp-flood action udp-flood detect udp-flood threshold udp-flood threshold Use udp-flood threshold to set the global threshold for triggering UDP flood attack prevention. Use undo udp-flood threshold to restore the default. Syntax udp-flood threshold threshold-value undo udp-flood threshold...
  • Page 944: Whitelist Enable

    whitelist enable Use whitelist enable to enable the whitelist feature on an interface. Use undo whitelist enable to disable the whitelist feature on an interface. Syntax whitelist enable undo whitelist enable Default The whitelist feature is disabled on an interface. Views Interface view Predefined user roles...
  • Page 945: Whitelist Object-Group

    [Sysname] whitelist global enable whitelist object-group Use whitelist object-group to add an address object group to the whitelist. Use undo whitelist object-group to restore the default. Syntax whitelist object-group object-group-name undo whitelist object-group Default No address object group is added to the whitelist. Views System view Predefined user roles...
  • Page 946: Display Ip Source Binding

    IP source guard commands Commands and descriptions for centralized devices apply to the following routers: • MSR1002-4/1003-8S. • MSR2003. • MSR2004-24/2004-48. • MSR3012/3024/3044/3064. • MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A). • MSR958 (JH300A/JH301A). Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers. Static IPSG is supported only on the following ports: •...
  • Page 947 Distributed devices in IRF mode: display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-snooping | dot1x | wlan-snooping ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ] Views Any view Predefined user roles...
  • Page 948: Display Ipv6 Source Binding

    Field: Description. IP Address: IPv4 address in the IPv4SG binding. If no IP address is bound in the binding, this field displays N/A. MAC Address: MAC address in the IPv4SG binding. If no MAC address is bound in the binding, this field displays N/A. Interface: Interface of the binding.
  • Page 949 vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The VPN instance name is a case-sensitive string of 1 to 31 characters. To display dynamic IPSG bindings for the public network, do not specify a VPN instance. dhcpv6-snooping: Specifies the DHCPv6 snooping module. wlan-snooping: Specifies the WLAN snooping module.
  • Page 950: Ip Source Binding (Interface View)

    Related commands ipv6 source binding ipv6 verify source ip source binding (interface view) Use ip source binding to configure a static IPv4SG binding on an interface. Use undo ip source binding to delete the static IPv4SG bindings configured on an interface. Syntax ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]...
  • Page 951: Ip Verify Source

    ip verify source Use ip verify source to enable both static and dynamic IPv4SG on an interface. Use undo ip verify source to disable IPv4SG on an interface. Syntax ip verify source { ip-address | ip-address mac-address | mac-address } undo ip verify source Default The IPv4SG feature is disabled on an interface.
  • Page 952: Ipv6 Verify Source

    Default No static IPv6SG bindings exist on an interface. Views Layer 2 Ethernet interface view Predefined user roles network-admin Parameters all: Removes all the static IPv6SG bindings on the interface. ip-address ipv6-address: Specifies an IPv6 address for the static binding. The IPv6 address cannot be an all-zero address, a multicast address, or a loopback address.
  • Page 953 Syntax ipv6 verify source { ip-address | ip-address mac-address | mac-address } undo ipv6 verify source Default The IPv6SG feature is disabled on an interface. Views Layer 2 Ethernet interface view Predefined user roles network-admin Parameters ip-address: Filters incoming packets by source IPv6 addresses. ip-address mac-address: Filters incoming packets by source IPv6 addresses and source MAC addresses.
  • Page 954: Arp Attack Protection Commands

    ARP attack protection commands Commands and descriptions for centralized devices apply to the following routers: • MSR1002-4/1003-8S. • MSR2003. • MSR2004-24/2004-48. • MSR3012/3024/3044/3064. • MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A). • MSR958 (JH300A/JH301A). Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers. Unresolvable IP attack protection commands arp resolving-route enable Use arp resolving-route enable to enable ARP blackhole routing.
  • Page 955: Arp Resolving-Route Probe-Interval

    Use undo arp resolving-route probe-count to restore the default. Syntax arp resolving-route probe-count count undo arp resolving-route probe-count Default The device performs three ARP blackhole route probes for each unresolved IP address. Views System view Predefined user roles network-admin Parameters count: Sets the number of probes, in the range of 1 to 25.
  • Page 956: Arp Source-Suppression Enable

    Related commands arp resolving-route enable arp resolving-route probe-count arp source-suppression enable Use arp source-suppression enable to enable the ARP source suppression feature. Use undo arp source-suppression enable to disable the ARP source suppression feature. Syntax arp source-suppression enable undo arp source-suppression enable Default The ARP source suppression feature is disabled.
  • Page 957: Display Arp Source-Suppression

    Parameters limit-value: Specifies the limit in the range of 2 to 1024. Usage guidelines If unresolvable packets received from an IP address within 5 seconds exceed the limit, the device stops processing the packets from that IP address until the 5 seconds elapse. Examples # Configure the device to process a maximum of 100 unresolvable packets per source IP address within 5 seconds.
  • Page 958: Arp Source-Mac Aging-Time

    Syntax arp source-mac { filter | monitor } undo arp source-mac [ filter | monitor ] Default The source MAC-based ARP attack detection feature is disabled. Views System view Predefined user roles network-admin Parameters filter: Generates log messages and discards subsequent ARP packets from the MAC address. monitor: Only generates log messages.
  • Page 959: Arp Source-Mac Exclude-Mac

    <Sysname> system-view [Sysname] arp source-mac aging-time 60 arp source-mac exclude-mac Use arp source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ARP attack detection. Use undo arp source-mac exclude-mac to remove the excluded MAC addresses from source MAC-based ARP attack detection. Syntax arp source-mac exclude-mac mac-address&<1-10>...
  • Page 960: Display Arp Source-Mac

    Predefined user roles network-admin Parameters threshold-value: Specifies the threshold for source MAC-based ARP attack detection. The value range for this argument is 1 to 5000. Examples # Set the threshold for source MAC-based ARP attack detection to 30. <Sysname> system-view [Sysname] arp source-mac threshold 30 display arp source-mac Use display arp source-mac to display ARP attack entries detected by source MAC-based ARP...
  • Page 961: Arp Packet Source Mac Consistency Check Commands

    23f3-1122-33ad 4094 GE1/0/4 23f3-1122-33ce 4094 GE1/0/5 ARP packet source MAC consistency check commands arp valid-check enable Use arp valid-check enable to enable ARP packet source MAC address consistency check. Use undo arp valid-check enable to disable ARP packet source MAC address consistency check. Syntax arp valid-check enable undo arp valid-check enable...
  • Page 962: Authorized Arp Commands

    Predefined user roles network-admin Parameters strict: Enables strict mode for ARP active acknowledgement. Usage guidelines Configure this feature on gateways to prevent user spoofing. In strict mode, a gateway learns an entry only when ARP active acknowledgement is successful based on the correct ARP resolution. Examples # Enable the ARP active acknowledgement feature.
  • Page 963: Arp Detection Enable

    ○ HMIM-8GSWF. ○ HMIM-24GSW. ○ HMIM-24GSW-PoE. ○ SIC-4GSW. ○ SIC-4GSWP. • Fixed Layer 2 Ethernet ports on the following routers: ○ MSR1002-4. ○ MSR1003-8S. ○ MSR2004-24. ○ MSR2004-48. ○ MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A). ○ MSR958 (JH300A/JH301A). arp detection enable Use arp detection enable to enable ARP attack detection. Use undo arp detection enable to disable ARP attack detection.
  • Page 964: Arp Detection Trust

    Default No user validity check rule is configured. Views System view Predefined user roles network-admin Parameters rule-id: Assigns an ID to the user validity check rule. The ID value range is 0 to 511. A smaller value represents a higher priority. deny: Denies matching ARP packets.
  • Page 965: Arp Detection Validate

    undo arp detection trust Default An interface is an ARP untrusted interface. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin Examples # Configure GigabitEthernet 1/0/1 as an ARP trusted interface. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] arp detection trust arp detection validate Use arp detection validate to enable ARP packet validity check.
  • Page 966: Arp Restricted-Forwarding Enable

    Examples # Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets. <Sysname> system-view [Sysname] arp detection validate dst-mac src-mac ip arp restricted-forwarding enable Use arp restricted-forwarding enable to enable ARP restricted forwarding. Use undo arp restricted-forwarding enable to disable ARP restricted forwarding. Syntax arp restricted-forwarding enable undo arp restricted-forwarding enable...
  • Page 967: Display Arp Detection Statistics

    display arp detection statistics Use display arp detection statistics to display ARP attack detection statistics. Syntax display arp detection statistics [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator Parameters interface interface-type interface-number: Displays the ARP attack detection statistics of an interface.
  • Page 968: Arp Scanning And Fixed Arp Commands

    Syntax reset arp detection statistics [ interface interface-type interface-number ] Views User view Predefined user roles network-admin Parameters interface interface-type interface-number: Clears the ARP attack detection statistics of an interface. Usage guidelines If you do not specify an interface, this command clears the statistics of all interfaces. Examples # Clear the ARP attack detection statistics of all interfaces.
  • Page 969: Arp Scan

    [Sysname] arp fixup arp scan Use arp scan to trigger an ARP scanning in an address range. Syntax arp scan [ start-ip-address to end-ip-address ] Views Layer 3 Ethernet interface/subinterface view Layer 3 aggregate interface/subinterface view VLAN interface view Predefined user roles network-admin Parameters start-ip-address: Specifies the start IP address of the scanning range.
  • Page 970: Arp Gateway Protection Commands

    ARP gateway protection commands arp filter source Use arp filter source to enable ARP gateway protection for a gateway. Use undo arp filter source to disable ARP gateway protection for a gateway. Syntax arp filter source ip-address undo arp filter source ip-address Default ARP gateway protection is disabled.
  • Page 971 Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin Parameters ip-address: Specifies a permitted sender IP address. mac-address: Specifies a permitted sender MAC address. Usage guidelines If the sender IP and MAC addresses of an ARP packet match an ARP permitted entry, the ARP packet is permitted.
  • Page 972: Ipv4 Urpf Commands

    IPv4 uRPF commands Commands and descriptions for centralized devices apply to the following routers: • MSR1002-4/1003-8S. • MSR2003. • MSR2004-24/2004-48. • MSR3012/3024/3044/3064. • MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A). • MSR958 (JH300A/JH301A). Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers. display ip urpf Use display ip urpf to display uRPF configuration.
  • Page 973 Check type: strict Allow default route # (Centralized devices in standalone mode.) Display uRPF configuration on GigabitEthernet 1/0/1. <Sysname> display ip urpf interface gigabitethernet 1/0/1 uRPF configuration information of interface GigabitEthernet1/0/1: Check type: strict Allow default route Link check Suppress drop ACL: 3000 # (Distributed devices in IRF mode.) Display uRPF configuration on GigabitEthernet 1/0/1 of the card in slot 1 on IRF member device 1.
  • Page 974 strict: Enables strict uRPF check. To pass strict uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of a FIB entry. allow-default-route: Allows using the default route for uRPF check. acl acl-number: Specifies an ACL by its number.
  • Page 975: Ipv6 Urpf Commands

    IPv6 uRPF commands Commands and descriptions for centralized devices apply to the following routers: • MSR1002-4/1003-8S. • MSR2003. • MSR2004-24/2004-48. • MSR3012/3024/3044/3064. • MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A). • MSR958 (JH300A/JH301A). Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers. display ipv6 urpf Use display ipv6 urpf to display IPv6 uRPF configuration.
  • Page 976: Ipv6 Urpf

    IPv6 uRPF configuration information of interface GigabitEthernet1/0/1: Check type: loose Allow default route Suppress drop ACL: 2000 # (Distributed devices in IRF mode.) Display IPv6 uRPF configuration on GigabitEthernet 1/0/1 of the card in slot 1 on IRF member device 1. <Sysname>...
  • Page 977 Usage guidelines IPv6 uRPF can be deployed on a CE or on a PE connected to either a CE or another ISP. Configure strict IPv6 uRPF check on a PE interface connected to a CE, and configure loose IPv6 uRPF check on a PE interface connected to another ISP. For asymmetrical routing, configure loose IPv6 uRPF to avoid discarding valid packets.
  • Page 978: Crypto Engine Commands

    Crypto engine commands Commands and descriptions for centralized devices apply to the following routers: • MSR1002-4/1003-8S. • MSR2003. • MSR2004-24/2004-48. • MSR3012/3024/3044/3064. • MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A). • MSR958 (JH300A/JH301A). Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers. display crypto-engine Use display crypto-engine to display crypto engine information, including crypto engine names and supported algorithms.
  • Page 979: Display Crypto-Engine Statistics

    Slot ID: 0 CPU ID:0 Crypto engine ID: 1 Symmetric algorithms: des-cbc des-ecb 3des-ecb aes-ecb sha1 sha2-256 sha1-hmac sha2-256-hmac Asymmetric algorithms: Random number generation function: Supported # (Devices without hardware crypto engines.) Display crypto engine information. <Sysname> display crypto-engine Crypto engine name: Software crypto engine Crypto engine state: Enabled Crypto engine type: Software Slot ID: 0...
  • Page 980 Distributed devices in standalone mode/centralized devices in IRF mode: display crypto-engine statistics [ engine-id engine-id slot slot-number ] Distributed devices in IRF mode: display crypto-engine statistics [ engine-id engine-id chassis chassis-number slot slot-number ] Views Any view Predefined user roles network-admin network-operator Parameters...
  • Page 981 CPU ID: 0 Crypto engine ID: 0 Submitted sessions: 0 Failed sessions: 0 Symmetric operations: 0 Symmetric errors: 0 Asymmetric operations: 0 Asymmetric errors: 0 Get-random operations: 0 Get-random errors: 0 # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display statistics for all crypto engines.
  • Page 982 Get-random operations: 0 Get-random errors: 0 Chassis ID: 1 Slot ID: 2 CPU ID: 0 Crypto engine ID: 0 Submitted sessions: 0 Failed sessions: 0 Symmetric operations: 0 Symmetric errors: 0 Asymmetric operations: 0 Asymmetric errors: 0 Get-random operations: 0 Get-random errors: 0 # (Centralized devices in standalone mode.) Display statistics for crypto engine 1.
  • Page 983: Reset Crypto-Engine Statistics

    Submitted sessions: 0 Failed sessions: 0 Symmetric operations: 0 Symmetric errors: 0 Asymmetric operations: 0 Asymmetric errors: 0 Get-random operations: 0 Get-random errors: 0 Table 148 Command output Field Description Submitted sessions Number of established sessions. Failed sessions Number of failed sessions. Symmetric operations Number of operations using symmetric algorithms.
  • Page 984 chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (Distributed devices in IRF mode.) Usage guidelines If you do not specify any parameters, this command clears statistics for all crypto engines.
  • Page 985: Fips Commands

    FIPS commands display fips status Use display fips status to display the current FIPS mode state. Syntax display fips status Views Any view Predefined user roles network-admin network-operator Examples # Display the current FIPS mode state. <Sysname> display fips status FIPS mode is enabled.
  • Page 986 a. Create a default FIPS configuration file named fips-startup.cfg. b. Specify the default file as the startup configuration file. c. Require you to configure the username and password for next login. You can press Ctrl+C to exit the configuring process so the fips mode enable command will not be executed.
  • Page 987: Fips Self-Test

    Enter password(15-63 characters): Confirm password: Waiting for reboot... After reboot, the device will enter FIPS mode. # Enable FIPS mode, and choose the manual reboot method to enter FIPS mode. <Sysname> system-view [Sysname] fips mode enable FIPS mode change requires a device reboot. Continue? [Y/N]:y Reboot the device automatically? [Y/N]:n Change the configuration to meet FIPS mode requirements, save the configuration to the next-startup configuration file, and then reboot to enter FIPS mode.
  • Page 988 FIPS Known-Answer Tests are running ... CPU 1 of slot 1 in chassis 1: Starting Known-Answer tests in the user space. Known-answer test for SHA1 passed. Known-answer test for SHA224 passed. Known-answer test for SHA256 passed. Known-answer test for SHA384 passed. Known-answer test for SHA512 passed.
  • Page 989 Known-Answer tests in the kernel passed. CPU 1 of slot 0 in chassis 2: Starting Known-Answer tests in the user space. Known-answer test for SHA1 passed. Known-answer test for SHA224 passed. Known-answer test for SHA256 passed. Known-answer test for SHA384 passed. Known-answer test for SHA512 passed.
  • Page 990 Known-Answer tests in the user-space passed. Starting Known-Answer tests in the kernel. Known-answer test for SHA1 passed. Known-answer test for HMAC-SHA1 passed. Known-answer test for AES passed. Known-answer test for SHA1 passed. Known-Answer tests in the kernel passed. FIPS Known-Answer Tests passed.
  • Page 991: Document Conventions And Icons

    Document conventions and icons Conventions This section describes the conventions used in the documentation. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown.
  • Page 992: Network Topology Icons

    Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 993: Support And Other Resources

    Hewlett Packard Enterprise Support Center More Information on Access to Support Materials page: www.hpe.com/support/AccessToSupportMaterials IMPORTANT: Access to some updates might require product entitlement when accessed through the Hewlett Packard Enterprise Support Center. You must have an HP Passport set up with relevant entitlements.
  • Page 994: Websites

    Websites Website Link Networking websites Hewlett Packard Enterprise Information Library for www.hpe.com/networking/resourcefinder Networking Hewlett Packard Enterprise Networking website www.hpe.com/info/networking Hewlett Packard Enterprise My Networking website www.hpe.com/networking/support Hewlett Packard Enterprise My Networking Portal www.hpe.com/networking/mynetworking Hewlett Packard Enterprise Networking Warranty www.hpe.com/networking/warranty General websites Hewlett Packard Enterprise Information Library www.hpe.com/info/enterprise/docs Hewlett Packard Enterprise Support Center...
  • Page 995 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 996: Index

    Index A B C D E F G H I K L M N O P Q R S T U V W arp detection rule,945 arp detection trust,946 authorization,553 arp detection validate,947 authorization,517 arp filter binding,952 device-id,81 arp filter source,952 aaa nas-id profile,1...
  • Page 997 authentication-server,136 common-name,405 authentication-timeout,207 company,53 authorization advpn,25 config-exchange,557 authorization command,26 connection-limit,761 authorization default,27 connection-limit apply,762 authorization ike,29 connection-limit apply global,762 authorization ipoe,29 copy app-group,679 authorization lan-access,30 country,405 check,406 authorization login,32 authorization portal,33 url,406 Customer self repair,976 authorization ppp,34 authorization-attribute (ISP domain view),35 authorization-attribute (local user view/user group data-flow-format (HWTACACS scheme...
  • Page 998 display attack-defense scan attacker ipv6,843 display object-policy accelerate,793 display attack-defense scan victim ip,845 display object-policy ip,794 display attack-defense scan victim ipv6,847 display object-policy ipv6,795 display attack-defense statistics interface,849 display object-policy statistics zone-pair security,796 display attack-defense statistics local,855 display object-policy zone-pair security,797 display blacklist ip,860...
  • Page 999 display ssl server-policy,648 authentication-algorithm,477 display user-group,59 encryption-algorithm,478 display user-profile,347 exchange-mode,530 display web-redirect rule,249 exclude-attribute,252 dns-flood action,882 exempt acl,886 dns-flood detect,883 exit,617 dns-flood detect non-specific,884 dns-flood port,884 fin-flood action,887 dns-flood threshold,885 fin-flood detect,888 Documentation feedback,976 fin-flood detect non-specific,889 domain,41 fin-flood threshold,890 domain default enable,42 fips mode...
  • Page 1000 keychain,535 ipv6 source binding (interface view),933 limit,536 ipv6 urpf,958 ike logging negotiation enable,537 ipv6 verify source,934 nat-keepalive,538 policy,151 profile,538 ita-policy,44 proposal,539 ike signature-identity from-certificate,540 key,376 ike-profile,480 key (HWTACACS scheme view),120 ikev2 address-group,572 key (RADIUS scheme view),91 ikev2 cookie-challenge,572 keychain,581 ikev2 dpd,573 keychain,541 ikev2...