HPE FlexFabric 7900 Series Security Command Reference
HPE FlexFabric 7900 Switch Series
Security

Command Reference

Part number: 5998-8251R
Software version: Release 231x
Document version: 6W101-20151113


Summary of Contents for HPE FlexFabric 7900 Series

  • Page 2 © Copyright 2015 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents: AAA commands (1); General AAA commands (1); aaa session-limit (1); accounting command (2); accounting default (2); accounting login (3); authentication default (5); authentication login (6); ...
  • Page 4: hwtacacs nas-ip (57); hwtacacs scheme (58); key (HWTACACS scheme view) (59); nas-ip (HWTACACS scheme view) (60); primary accounting (HWTACACS scheme view) (61); primary authentication (HWTACACS scheme view) (62); ...
  • Page 5: display pki certificate attribute-group (121); display pki certificate domain (122); display pki certificate request-status (127); display pki crl (128); fqdn (130); ip (130); ldap-server (131); locality ...
  • Page 6: ipsec df-bit (193); ipsec global-df-bit (194); ipsec policy (194); ipsec policy local-address (195); ipsec sa global-duration (196); ipsec sa idle-time (197); ipsec transform-set (198); local-address (199); ...
  • Page 7: display ssh user-information (245); scp server enable (246); sftp server enable (247); sftp server idle-timeout (247); ssh server acl (248); ssh server authentication-retries (249); ssh server authentication-timeout (250); ...
  • Page 8: ARP packet source MAC consistency check commands (287); arp valid-check enable (287); ARP active acknowledgement commands (288); arp active-ack enable (288); Authorized ARP commands (289); arp authorized enable (289); ...
  • Page 9: Aaa Commands

    AAA commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. General AAA commands aaa session-limit Use aaa session-limit to set the maximum number of concurrent users who can log on to the device through the specified method.
  • Page 10: Accounting Command

    accounting command Use accounting command to specify the command line accounting method. Use undo accounting command to restore the default. Syntax accounting command hwtacacs-scheme hwtacacs-scheme-name undo accounting command Default The default accounting method of the ISP domain is used for command line accounting. Views ISP domain view Predefined user roles...
  • Page 11: Accounting Login

    accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] } undo accounting default Default The default accounting method of an ISP domain is local. Views ISP domain view Predefined user roles network-admin mdc-admin...
  • Page 12 Use undo accounting login to restore the default. Syntax In non-FIPS mode: accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo accounting login In FIPS mode: accounting...
  • Page 13: Authentication Default

    [Sysname-isp-test] accounting login radius-scheme rd local Related commands • accounting default • hwtacacs scheme • local-user • radius scheme authentication default Use authentication default to specify the default authentication method for an ISP domain. Use undo authentication default to restore the default. Syntax In non-FIPS mode: authentication...
  • Page 14: Authentication Login

    command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid. Examples # Configure the default authentication method for ISP domain test to use RADIUS scheme rd and use local authentication as the backup.
  • Page 15: Authentication Super

    Usage guidelines You can specify one primary authentication method and multiple backup authentication methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication).
  • Page 16: Authorization Command

    Usage guidelines You can specify one authentication method and one backup authentication method to use in case the primary authentication method is invalid. If you specify a scheme to provide the method for user role authentication, the method applies only to users whose user role is in the format level-n.
  • Page 17: Authorization Default

    mdc-admin Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform authorization. The authorization server does not verify whether the entered commands are permitted by the user role. The commands are executed successfully if the user role has permission to execute them.
  • Page 18 In FIPS mode: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] } undo authorization default Default The default authorization method of an ISP domain is local. Views ISP domain view Predefined user roles...
  • Page 19: Authorization Login

    authorization login Use authorization login to configure the authorization method for login users. Use undo authorization login to restore the default. Syntax In non-FIPS mode: authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo authorization login In FIPS mode:...
  • Page 20: Display Domain

    <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authorization login local # In ISP domain test, perform RADIUS authorization for login users based on scheme rd and use local authorization as the backup. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authorization login radius-scheme rd local Related commands •...
  • Page 21: Domain

    Domain: dm
      State: Active
      Access-limit: 2222
      Access-Count: 0
      login Authentication Scheme: radius: rad
      login Authorization Scheme: tacacs: hw
      default Authentication Scheme: radius: rad, local, none
      default Authorization Scheme: local
      default Accounting Scheme: none
      Authorization attributes:
        Idle-cut: Disable
    Default Domain Name: system
    Table 1 Command output (Field / Description)...
  • Page 22: Domain Default Enable

    Syntax domain isp-name undo domain isp-name Default There is a system-defined ISP domain named system. Views System view Predefined user roles network-admin mdc-admin Parameters isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
  • Page 23: State (Isp Domain View)

    Views System view Predefined user roles network-admin mdc-admin Parameters isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters. Usage guidelines There can be only one default ISP domain. The specified ISP domain must already exist. An ISP domain cannot be deleted when it is the default ISP domain.
  • Page 24: Local User Commands

    Usage guidelines By blocking an ISP domain, you disable offline users of the domain from requesting network services. The online users are not affected. Examples # Place the ISP domain test in blocked state. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] state block Related commands display domain Local user commands...
  • Page 25: Authorization-Attribute

    authorization-attribute Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user. Use undo authorization-attribute to restore the default. Syntax authorization-attribute { acl acl-number | idle-cut minute | user-role role-name | vlan vlan-id | work-directory directory-name } *...
  • Page 26: Display Local-User

    • For FTP users, only the authorization attributes user-role and work-directory are effective. • For other types of local users, no authorization attribute is effective. Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency.
  • Page 27 user-name user-name: Specifies all local users using the specified username. The username must be a case-sensitive string of 1 to 55 characters that does not contain the domain name. vlan vlan-id: Specifies all local users in a VLAN. The value range for the vlan-id argument is 1 to 4094.
  • Page 28: Display User-Group

    Field / Description (continued): ... minimum password length is displayed in parentheses. Password composition: This field appears only when password composition checking is enabled. The field also displays the following information in parentheses: • Minimum number of character types that the password must contain.
  • Page 29: Group

    ACL Number: 2000
    VLAN ID:
    Password control configurations:
      Password aging: Enabled (2 days)
    Table 3 Command output (Field / Description): Idle TimeOut: Idle timeout period, in minutes. Work Directory: Directory that FTP, SFTP, or SCP users in the group can access. ACL Number: Authorization ACL.
  • Page 30: Local-User

    Predefined user roles network-admin mdc-admin Parameters group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters. Examples # Assign device management user 111 to user group abc. <Sysname> system-view [Sysname] local-user 111 class manage [Sysname-luser-manage-111] group abc Related commands display local-user local-user...
  • Page 31: Password

    Examples # Add a device management user named user1. <Sysname> system-view [Sysname] local-user user1 class manage [Sysname-luser-manage-user1] Related commands • display local-user • service-type password Use password to configure a password for a local user. Use undo password to delete the password of a local user. Syntax In non-FIPS mode: password [ { hash | simple } password ]...
  • Page 32: Service-Type

    In non-FIPS mode, a non-password-protected user passes authentication if the user provides the correct username and passes attribute checks. To enhance security, configure a password for each local user. In FIPS mode, only password-protected users can pass authentication. Device management users support plaintext and hashed passwords. For security purposes, all passwords, including passwords configured in plain text, are saved in hashed text.
  • Page 33: State (Local User View)

    telnet: Authorizes the user to use the Telnet service. terminal: Authorizes the user to use the terminal service and log in from a console port. Usage guidelines You can assign multiple service types to a user. Examples # Authorize the device management user user1 to use the Telnet and FTP services. <Sysname>...
  • Page 34: User-Group

    user-group Use user-group to create a user group and enter user group view. Use undo user-group to delete a user group. Syntax user-group group-name undo user-group group-name Default There is a user group named system in the system. Views System view Predefined user roles network-admin mdc-admin...
  • Page 35: Attribute 15 Check-Mode

    Default The accounting-on feature is disabled. Views RADIUS scheme view Predefined user roles network-admin mdc-admin Parameters interval seconds: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the seconds argument is 1 to 15, and the default setting is 3 seconds. send send-times: Specifies the maximum number of accounting-on packet transmission attempts.
  • Page 36: Data-Flow-Format (Radius Scheme View)

    mdc-admin Parameters loose: Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services. strict: Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively. Usage guidelines Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users.
  • Page 37: Display Radius Scheme

    <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet Related commands display radius scheme display radius scheme Use display radius scheme to display the configuration of RADIUS schemes. Syntax display radius scheme [ radius-scheme-name ] Views Any view Predefined user roles network-admin network-operator...
  • Page 38 Server Quiet Period(minutes) Realtime Accounting Interval(minutes) : 12 NAS IP Address : Not configured : Not configured User Name Format : without-domain ------------------------------------------------------------------ RADIUS Scheme Name : rad2 Index : 1 Primary Auth Server: Host name: radius.com : 82.0.0.37 Port: 1812 State: Active VPN : 1 Primary Acct Server:...
  • Page 39: Display Radius Statistics

    Field / Description: Port: Service port number of the server. If no port number is specified, this field displays the default port number. State: Status of the server: active or blocked. VPN: VPN to which the server belongs. If no VPN is specified for the server, this field displays Not configured.
  • Page 40 Predefined user roles network-admin network-operator mdc-admin mdc-operator Examples # Display RADIUS packet statistics. <Sysname> display radius statistics Auth. Acct. SessCtrl. Request Packet: Retry Packet: Timeout Packet: Access Challenge: Account Start: Account Update: Account Stop: Terminate Request: Set Policy: Packet With Response: Packet Without Response: Access Rejects: Dropped Packet:...
  • Page 41: Key (Radius Scheme View)

    Field Description Dropped Packet Number of discarded packets. Check Failures Number of packets with checksum errors. Related commands reset radius statistics key (RADIUS scheme view) Use key to set the shared key for secure RADIUS communication. Use undo key to restore the default. Syntax key { accounting | authentication } { cipher | simple } string undo key { accounting | authentication }...
  • Page 42: Nas-Ip (Radius Scheme View)

    Examples # For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] key accounting simple ok Related commands display radius scheme nas-ip (RADIUS scheme view) Use nas-ip to specify a source IP address for outgoing RADIUS packets. Use undo nas-ip to delete a source IP address for outgoing RADIUS packets.
  • Page 43: Primary Accounting (Radius Scheme View)

    If no source IP address is specified for outgoing RADIUS packets, a physical port error can prevent packets returned from the server from reaching the device. As a best practice, configure a loopback interface address as the source IP address for outgoing RADIUS packets. A RADIUS scheme can have only one source IP address for outgoing RADIUS packets.
  • Page 44: Primary Authentication (Radius Scheme View)

    In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
  • Page 45 Default No primary RADIUS authentication server is specified. Views RADIUS scheme view Predefined user roles network-admin mdc-admin Parameters host-name: Specifies the hostname of the primary RADIUS authentication server, a case-insensitive string of 1 to 253 characters. ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server. port-number: Specifies the service port number of the primary RADIUS authentication server.
  • Page 46: Radius Nas-Ip

    [Sysname] radius scheme radius1 [Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key simple 123456TESTauth&! Related commands • display radius scheme • key (RADIUS scheme view) • secondary authentication (RADIUS scheme view) • vpn-instance (RADIUS scheme view) radius nas-ip Use radius nas-ip to specify a source IP address for outgoing RADIUS packets. Use undo radius nas-ip to delete a source IP address for outgoing RADIUS packets.
  • Page 47: Radius Session-Control Enable

    A newly specified public-network source IPv4 address overwrites the previous address. Each VPN can have a maximum of one private-network source IPv4 address. When you use both the nas-ip and radius nas-ip commands, the following guidelines apply: • The setting configured by the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.
  • Page 48: Reset Radius Statistics

    Syntax radius scheme radius-scheme-name undo radius scheme radius-scheme-name Default No RADIUS scheme is defined. Views System view Predefined user roles network-admin mdc-admin Parameters radius-scheme-name: Specifies the RADIUS scheme name, a case-insensitive string of 1 to 32 characters. Usage guidelines A RADIUS scheme can be used by more than one ISP domain at the same time. The device supports a maximum of 16 RADIUS schemes.
  • Page 49: Retry

    retry Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. Use undo retry to restore the default. Syntax retry retry-times undo retry Default The maximum number of RADIUS packet transmission attempts is 3. Views RADIUS scheme view Predefined user roles...
  • Page 50: Secondary Accounting (Radius Scheme View)

    undo retry realtime-accounting Default The maximum number of accounting attempts is 5. Views RADIUS scheme view Predefined user roles network-admin mdc-admin Parameters retry-times: Specifies the maximum number of accounting attempts, in the range of 1 to 255. Usage guidelines Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer. If the server does not receive a real-time accounting request for a user in the timeout period from the NAS, it considers that a line or device failure has occurred, and stops accounting for the user.
  • Page 51 Default No secondary RADIUS accounting server is specified. Views RADIUS scheme view Predefined user roles network-admin mdc-admin Parameters host-name: Specifies the hostname of the secondary RADIUS accounting server, a case-insensitive string of 1 to 253 characters. ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server. port-number: Specifies the service port number of the secondary RADIUS accounting server.
  • Page 52: Secondary Authentication (Radius Scheme View)

    If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. The device does not buffer the stop-accounting requests, either. Examples # For RADIUS scheme radius1, specify a secondary accounting server with the IP address 10.110.1.1 and the UDP port 1813.
  • Page 53 key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS authentication server. • cipher string: Sets a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 117 characters. In FIPS mode, the key is a string of 15 to 117 characters.
  • Page 54: Security-Policy-Server

    • vpn-instance (RADIUS scheme view) security-policy-server Use security-policy-server to specify a security policy server. Use undo security-policy-server to remove a security policy server. Syntax security-policy-server ipv4-address [ vpn-instance vpn-instance-name ] undo security-policy-server { ipv4-address [ vpn-instance vpn-instance-name ] | all } Default No security policy server is specified.
  • Page 55: State Primary

    Default All types of notifications for RADIUS are enabled. Views System view Predefined user roles network-admin mdc-admin Parameters accounting-server-down: Sends a notification when the RADIUS accounting server becomes unreachable. accounting-server-up: Sends a notification when the RADIUS accounting server becomes reachable. authentication-error-threshold: Sends a notification when the number of authentication failures exceeds the specified threshold.
  • Page 56: State Secondary

    Views RADIUS scheme view Predefined user roles network-admin mdc-admin Parameters accounting: Sets the status of the primary RADIUS accounting server. authentication: Sets the status of the primary RADIUS authentication server. active: Specifies the active state, the normal operation state. block: Specifies the blocked state, the out-of-service state. Usage guidelines During an authentication or accounting process, the device first tries to communicate with the primary server if the primary server is in active state.
  • Page 57: Timer Quiet (Radius Scheme View)

    Predefined user roles network-admin mdc-admin Parameters accounting: Sets the status of a secondary RADIUS accounting server. authentication: Sets the status of a secondary RADIUS authentication server. host-name: Specifies the hostname of a secondary RADIUS server, a case-insensitive string of 1 to 253 characters.
  • Page 58: Timer Realtime-Accounting (Radius Scheme View)

    Syntax timer quiet minutes undo timer quiet Default The server quiet timer period is 5 minutes in a RADIUS scheme. Views RADIUS scheme view Predefined user roles network-admin mdc-admin Parameters minutes: Specifies the server quiet period in minutes, in the range of 1 to 255. Usage guidelines Make sure the server quiet timer is set correctly.
  • Page 59: Timer Response-Timeout (Radius Scheme View)

    Parameters minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Usage guidelines When the real-time accounting interval configured on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval. When the real-time accounting interval on the device is zero, the device sends online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server.
  • Page 60: User-Name-Format (Radius Scheme View)

    Usage guidelines If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request, it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval. The maximum number of RADIUS packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 300 seconds.
  • Page 61: Vpn-Instance (Radius Scheme View)

    Examples # Configure the device to remove the domain name from the username sent to the RADIUS servers specified in RADIUS scheme radius1. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] user-name-format without-domain Related commands display radius scheme vpn-instance (RADIUS scheme view) Use vpn-instance to specify a VPN for a RADIUS scheme.
  • Page 62: Display Hwtacacs Scheme

    Use undo data-flow-format to restore the default. Syntax data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } * undo data-flow-format { data | packet } Default Traffic is counted in bytes and packets.
  • Page 63 Parameters hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an HWTACACS scheme, the command displays the configuration of all HWTACACS schemes. statistics: Displays the HWTACACS service statistics. If you do not specify this keyword, the command displays the configuration of the HWTACACS scheme.
  • Page 64 Single-connection: Disabled Primary Acct Server: Host name: tacacs.com : 82.0.0.37 Port: 49 State: Active VPN Instance: 1 Single-connection: Disabled VPN Instance : Not configured NAS IP Address : Not configured Server Quiet Period(minutes) Realtime Accounting Interval(minutes) : 12 Response Timeout Interval(seconds) Username Format : without-domain ------------------------------------------------------------------...
  • Page 65: Hwtacacs Nas-Ip

    Field / Description: Realtime Accounting Interval(minutes): Real-time accounting interval, in minutes. Response Timeout Interval(seconds): HWTACACS server response timeout period, in seconds. Username Format: Format for the usernames sent to the HWTACACS server. Possible values include: • with-domain (includes the domain name); • without-domain (excludes the domain name).
  • Page 66: Hwtacacs Scheme

    • Zero or one public-network source IPv4 address. • Private-network source IPv4 addresses. A newly specified public-network source IPv4 address overwrites the previous address. Each VPN can have a maximum of one private-network source IPv4 address. When you use both the nas-ip and hwtacacs nas-ip commands, the following guidelines apply: •...
  • Page 67: Key (Hwtacacs Scheme View)

    [Sysname-hwtacacs-hwt1] Related commands display hwtacacs scheme key (HWTACACS scheme view) Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication. Use undo key to remove the configuration. Syntax key { accounting | authentication | authorization } { cipher | simple } string undo key { accounting | authentication | authorization } Default No shared key is configured.
  • Page 68: Nas-Ip (Hwtacacs Scheme View)

    [Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&! # Set the shared key for secure HWTACACS authorization communication to 123456TESTautr&! in plain text. [Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&! # Set the shared key for secure HWTACACS accounting communication to 123456TESTacct&! in plain text. [Sysname-hwtacacs-hwt1] key accounting simple 123456TESTacct&! Related commands display hwtacacs scheme...
  • Page 69: Primary Accounting (Hwtacacs Scheme View)

    • The setting in HWTACACS scheme view takes precedence over the setting in system view. If you execute the command multiple times, the most recent configuration takes effect. Examples # Set the source address for outgoing HWTACACS packets to 10.1.1.1 for HWTACACS scheme hwt1.
  • Page 70: Primary Authentication (Hwtacacs Scheme View)

    device establishes a new TCP connection each time it exchanges accounting packets with the primary accounting server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.
  • Page 71 Predefined user roles network-admin mdc-admin Parameters host-name: Specifies the hostname of the primary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters. ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server. port-number: Specifies the service port number of the primary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.
  • Page 72: Primary Authorization

    Related commands • display hwtacacs scheme • key (HWTACACS scheme view) • secondary authentication (HWTACACS scheme view) • vpn-instance (HWTACACS scheme view) primary authorization Use primary authorization to specify the primary HWTACACS authorization server. Use undo primary authorization to remove the configuration. Syntax primary authorization { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *...
  • Page 73: Reset Hwtacacs Statistics

    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS authorization server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Usage guidelines Two authorization servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
  • Page 74: Secondary Accounting (Hwtacacs Scheme View)

    Examples # Clear all HWTACACS statistics. <Sysname> reset hwtacacs statistics all Related commands display hwtacacs scheme secondary accounting (HWTACACS scheme view) Use secondary accounting to specify a secondary HWTACACS accounting server. Use undo secondary accounting to remove a secondary HWTACACS accounting server. Syntax secondary accounting { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *...
  • Page 75: Secondary Authentication (Hwtacacs Scheme View)

    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Usage guidelines You can configure a maximum of 16 secondary HWTACACS accounting servers for an HWTACACS scheme.
  • Page 76 Views HWTACACS scheme view Predefined user roles network-admin mdc-admin Parameters host-name: Specifies the hostname of the secondary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters. ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authentication server. port-number: Specifies the service port number of the secondary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.
  • Page 77: Secondary Authorization

    Examples # Specify a secondary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&! for HWTACACS scheme hwt1. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 key simple 123456TESTauth&! Related commands •...
  • Page 78: Timer Quiet (Hwtacacs Scheme View)

    single-connection: The device and the secondary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the secondary authorization server for a user.
  • Page 79: Timer Realtime-Accounting (Hwtacacs Scheme View)

    Default The server quiet timer period is 5 minutes in an HWTACACS scheme. Views HWTACACS scheme view Predefined user roles network-admin mdc-admin Parameters minutes: Specifies the server quiet period in minutes, in the range of 1 to 255. Examples # Set the server quiet timer to 10 minutes. <Sysname>...
  • Page 80: Timer Response-Timeout (Hwtacacs Scheme View)

    Table 8 Recommended real-time accounting intervals Number of users Real-time accounting interval 1 to 99 3 minutes 100 to 499 6 minutes 500 to 999 12 minutes 1000 or more 15 minutes or longer Examples # Set the real-time accounting interval to 51 minutes for HWTACACS scheme hwt1. <Sysname>...
  • Page 81: User-Name-Format (Hwtacacs Scheme View)

    user-name-format (HWTACACS scheme view) Use user-name-format to specify the format of the username to be sent to an HWTACACS server. Use undo user-name-format to restore the default. Syntax user-name-format { keep-original | with-domain | without-domain } undo user-name-format Default The ISP domain name is included in the usernames sent to an HWTACACS server. Views HWTACACS scheme view Predefined user roles...
  • Page 82 Syntax vpn-instance vpn-instance-name undo vpn-instance Default The HWTACACS scheme belongs to the public network. Views HWTACACS scheme view Predefined user roles network-admin mdc-admin Parameters vpn-instance-name: Specifies the name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters. Usage guidelines The VPN specified by using this command takes effect on all servers in the HWTACACS scheme for which no VPN is specified.
  • Page 83: Password Control Commands

    Password control commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display password-control Use display password-control to display password control configuration.
  • Page 84: Display Password-Control Blacklist

    Table 9 Command output Field Description Password control Whether the password control feature is enabled. Whether password expiration is enabled and, if enabled, the Password aging expiration time. Whether the minimum password length restriction feature is enabled Password length and, if enabled, the setting. Whether the password composition restriction feature is enabled Password composition and, if enabled, the settings.
  • Page 85: Password-Control { Aging | Composition | History | Length } Enable

    Usage guidelines If you do not specify any arguments, this command displays information about all users in the password control blacklist. If an FTP or virtual terminal line (VTY) user fails authentication, the system adds the user to a password control blacklist. You can use this command to view information about these users in the blacklist.
  • Page 86: Password-Control Aging

    mdc-admin Parameters aging: Enables the password expiration feature. composition: Enables the password composition restriction feature. history: Enables the password history feature. length: Enables the minimum password length restriction feature. Usage guidelines To enable a specific password control feature, first enable the global password control feature. The system stops recording history passwords after you execute the undo password-control history enable command, but it does not delete the prior records.
  • Page 87: Password-Control Alert-Before-Expire

    Views System view, user group view, local user view Predefined user roles network-admin mdc-admin Parameters aging-time: Specifies the password expiration time in days, in the range of 1 to 365. Usage guidelines The expiration time depends on the view: • The time in system view has global significance and applies to all user groups.
  • Page 88: Password-Control Complexity

    Default The default is 7 days. Views System view Predefined user roles network-admin mdc-admin Parameters alert-time: Specifies the number of days before a user password expires during which the user is notified of the pending password expiration. The value range is 1 to 30. Usage guidelines This command is effective only for non-FTP users.
  • Page 89: Password-Control Composition

    user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough. Usage guidelines The password complexity checking policy depends on the view: •...
  • Page 90 Predefined user roles network-admin mdc-admin Parameters type-number type-number: Specifies the minimum number of character types that a password must contain. The value range for the type-number argument is 1 to 4 in non-FIPS mode and fixed at 4 in FIPS mode. The following character types are available: •...
  • Page 91: Password-Control Enable

    • If no policy is configured for the user group, the system uses the global policy. The product of the minimum number of character types and minimum number of characters for each type must be smaller than the maximum length of passwords. Examples # Specify that all passwords must each contain at least four character types and at least five characters for each type.
  • Page 92: Password-Control Expired-User-Login

    commands. The configuration for network access user passwords can be displayed. The first password configured for device management users must contain at least four different characters. Examples # Enable the password control feature globally. <Sysname> system-view [Sysname] password-control enable Related commands •...
  • Page 93: Password-Control History

    password-control history Use password-control history to set the maximum number of history password records for each user. Use undo password-control history to restore the default. Syntax password-control history max-record-num undo password-control history Default The maximum number of history password records for each user is 4. Views System view Predefined user roles...
  • Page 94 undo password-control length Default In non-FIPS mode, the global minimum password length is 10 characters. In FIPS mode, the global minimum password length is 15 characters. In both non-FIPS and FIPS modes, the minimum password length for a user group equals the global setting.
  • Page 95: Password-Control Login Idle-Time

    • password-control length enable password-control login idle-time Use password-control login idle-time to set the maximum account idle time. If a user account is idle for this period of time, you can no longer use this account to log in to the device. Use undo password-control login idle-time to restore the default.
  • Page 96 • The locking period is 1 minute. The login-attempt settings for a user group equal the global settings. The login-attempt settings for a local user equal those for the user group to which the local user belongs. Views System view, user group view, local user view Predefined user roles network-admin mdc-admin...
  • Page 97: Password-Control Super Aging

    The password-control login-attempt command takes effect immediately after being executed, and can affect the users already in the password control blacklist. Examples # Allow a maximum of four consecutive login failures on a user account, and disable the user account if the limit is reached. <Sysname>...
  • Page 98: Password-Control Super Composition

    Syntax password-control super aging aging-time undo password-control super aging Default A super password expires after 90 days. Views System view Predefined user roles network-admin mdc-admin Parameters aging-time: Specifies the super password expiration time in days in the range of 1 to 365. Examples # Set the super passwords to expire after 10 days.
  • Page 99: Password-Control Super Length

    Parameters type-number type-number: Specifies the minimum number of character types that a super password must contain. The value range for the type-number argument is 1 to 4 in non-FIPS mode and fixed at 4 in FIPS mode. type-length type-length: Specifies the minimum number of characters for each character type. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode.
  • Page 100: Password-Control Update-Interval

    • password-control length password-control update-interval Use password-control update-interval to set the minimum password update interval, which is the minimum interval at which users can change their passwords. Use undo password-control update-interval to restore the default. Syntax password-control update-interval interval undo password-control update-interval Default The minimum password update interval is 24 hours.
  • Page 101: Reset Password-Control History-Record

    Parameters user-name name: Specifies the username of a user account to be removed from the password control blacklist. The name argument is a case-sensitive string of 1 to 55 characters. Usage guidelines You can use this command to remove a user account that is blacklisted due to excessive login failures.
  • Page 102: Public Key Management Commands

    Public key management commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Use display public-key local public to display local public keys.
  • Page 103 Key type: RSA Time when key pair created: 15:40:48 2013/05/12 Key code: 307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442 762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64 DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E 9D85C13413996ECD093B0203010001 ============================================= Key name: rsa1 Key type: RSA Time when key pair created: 15:42:26 2013/05/12 Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D 426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA 1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7 9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03 92D8C6D940890BF4290203010001 # Display all local DSA public keys. <Sysname>...
  • Page 104 35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123 91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1 585DA7F42519718CC9B09EEF0381850002818100A1E456C8DA2AD1BB83B1BDF2A1A6B5A6E8 3642B460402445DA7E4036715F468F76655E114D460B7112F57143EE020AEF4A5BFAD07B74 0FBCB1C64DA8A2BCE619283421445EEC77D3CF0D11866E9656AD6511F4926F8376967B0AB7 15F9FB7B514BC1174155DD6E073B1FCB3A2749E6C5FEA81003E16729497D0EAD9105E3E76A # Display all local ECDSA public keys. <Sysname> display public-key local ecdsa public ============================================= Key name: ecdsakey (default) Key type: ECDSA Time when key pair created: 15:42:04 2013/05/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF 68F5DC877835A43009DB6135558A7FB8316C361B0690B4FD84A14C0779C76DD6145BF9362B ============================================= Key name: ecdsa1 Key type: ECDSA Time when key pair created: 15:43:33 2013/05/12 Key code:...
  • Page 105: Display Public-Key Peer

    DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038 7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1 4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD 35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123 91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1 585DA7F42519718CC9B09EEF0381850002818100A1E456C8DA2AD1BB83B1BDF2A1A6B5A6E8 3642B460402445DA7E4036715F468F76655E114D460B7112F57143EE020AEF4A5BFAD07B74 0FBCB1C64DA8A2BCE619283421445EEC77D3CF0D11866E9656AD6511F4926F8376967B0AB7 15F9FB7B514BC1174155DD6E073B1FCB3A2749E6C5FEA81003E16729497D0EAD9105E3E76A # Display the public key of the local ECDSA key pair ecdsa1. <Sysname> display public-key local ecdsa public name ecdsa1 ============================================= Key name: ecdsa1 Key type: ECDSA Time when key pair created: 15:43:33 2013/05/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1 AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58...
  • Page 106 Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters brief: Displays brief information about all peer public keys. The brief information includes only the key type, key modulus, and key name. name publickey-name: Displays detailed information about a peer public key, including its key code. The publickey-name argument specifies the peer public key name, a case-sensitive string of 1 to 64 characters.
  • Page 107: Peer-Public-Key End

    --------------------------- 1024 idrsa 1024 10.1.1.1 Table 14 Command output Field Description Type Key type: RSA, DSA or ECDSA. Modulus Key modulus length in bits. Name Name of the peer public key. Related commands • public-key peer • public-key peer import sshkey peer-public-key end Use peer-public-key end to exit public key view to system view and save the configured peer public key.
  • Page 108: Public-Key Local Create

    [Sysname-pkey-public-key-key1] peer-public-key end [Sysname] Related commands • display public-key local public • display public-key peer • public-key peer public-key local create Use public-key local create to create local asymmetric key pairs. Syntax public-key local create { dsa | ecdsa | rsa } [ name key-name ] Default No local asymmetric key pair exists.
  • Page 109 The name of a key pair must be unique among all manually named key pairs that use the same key algorithm, but can be the same as a key pair that uses a different key algorithm. If a name conflict occurs, the system asks whether you want to overwrite the existing key pair.
  • Page 110 ..+..+..+........+..+.......+..+....+.....+...+..+....+..+..+....+..+...+..+..+..+....+..+......+..+..+....+..+...+......+..+..+...+..+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++* Create the key pair successfully. # Create a local ECDSA key pair with the default name. <Sysname> system-view [Sysname] public-key local create ecdsa Generating Keys... Create the key pair successfully. # Create a local RSA key pair with the name rsa1. <Sysname>...
  • Page 111: Public-Key Local Destroy

    The range of public key modulus is (2048 ~ 2048). It will take a few minutes.Press CTRL+C to abort. Input the modulus length [default = 2024]: Generating Keys..++++++ .++++++ ..++++++++ ..++++++++ Create the key pair successfully. # In FIPS mode, create a local DSA key pair with the default name. <Sysname>...
  • Page 112: Public-Key Local Export Dsa

    Usage guidelines To avoid key compromise, destroy the local key pair and generate a new pair after any of the following conditions occurs: • An intrusion event has occurred. • The storage media of the device is replaced. • The local certificate has expired. For more information about local certificates, see Security Configuration Guide.
  • Page 113 Predefined user roles network-admin mdc-admin Parameters name key-name: Specifies the name of a local DSA key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is provided, the command displays or exports the host public key of the local DSA key pair with the default name.
  • Page 114: Public-Key Local Export Rsa

    vA7PvOVEA89tKni/f6GDBvWY9Z2Q499pAqUBtYcqQea8T4zBInxx2eF3lLaZJrIvAS205zXxSzQoU9190kakd MdasIjQLWYGyepFc3sTwmIflQeweUwLVAPaOesKaCERjxg+e4maYWlAvySGT4c9NJlxLo= ---- END SSH2 PUBLIC KEY ---- # Display the host public key of the local DSA key pair with the default name in OpenSSH format. <Sysname> system-view [Sysname] public-key local export dsa openssh ssh-dss AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3 B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACAQZEs400SvNIVfnqxw vA7PvOVEA89tKni/f6GDBvWY9Z2Q499pAqUBtYcqQea8T4zBInxx2eF3lLaZJrIvAS205zXxSzQoU9190kakd MdasIjQLWYGyepFc3sTwmIflQeweUwLVAPaOesKaCERjxg+e4maYWlAvySGT4c9NJlxLo= dsa-key...
  • Page 115 Syntax In non-FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } [ filename ] In FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh2 } [ filename ] Views System view Predefined user roles...
  • Page 116: Public-Key Peer

    # Display the host public key of the local RSA key pair with the default name in SSH2.0 format. <Sysname> system-view [Sysname] public-key local export rsa ssh2 ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "rsa-key-2013/05/12" AAAAB3NzaC1yc2EAAAADAQABAAAAgQDapKr+/gTCyWZyabuCJuJjMeMPQaj/kixzOCCAl+hDMmEGMrSfddq/b YcbgM7Buit1AgB3x0dFyTPi85DcCznTW4goPXAKFjuzCbGfj4chakSr+/aj1k3rM+XOvyvPJilneKJqhPT0xd v4tlas+mLNloY0dImbwS2kwE71rgg1CQ== ---- END SSH2 PUBLIC KEY ---- # Display the host public key of the local RSA key pair with the default name in OpenSSH format.
  • Page 117: Public-Key Peer Import Sshkey

    Execute the peer-public-key end command to save the public key and return to system view. The public key you type in the public key view must be in a correct format. If your device is an HPE device, use the display public-key local public command to display and record its public key.
  • Page 118 Predefined user roles network-admin mdc-admin Parameters keyname: Specifies a name for a peer public key, a case-sensitive string of 1 to 64 characters. filename: Specifies the name of the file for saving the local host public key. The file name is a string of case-insensitive characters excluding ./ and ../.
  • Page 119: Pki Commands

    PKI commands The PKI feature is available in Release 2137 and later versions. The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
  • Page 120: Ca Identifier

    • The alternative subject name can contain multiple FQDNs and IP addresses but zero DNs. An attribute rule is a combination of an attribute-value pair with an operation keyword, as listed in Table 17. Table 17 Combinations of attribute-value pairs and operation keywords Operation FQDN/IP The DN contains the specified...
  • Page 121: Certificate Request Entity

    Views PKI domain view Predefined user roles network-admin mdc-admin Parameters name: Specifies the name of the trusted CA, a case-sensitive string of 1 to 63 characters. Usage guidelines To obtain a CA certificate, you must specify the trusted CA name. The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the same CA server.
  • Page 122: Certificate Request From

    • State and country where the entity resides. • FQDN. • IP address. You can specify only one PKI entity for a PKI domain. If you configure this command for a PKI domain multiple times, the most recent configuration takes effect. Examples # Specify PKI entity en1 for certificate request in PKI domain aaa.
  • Page 123 Use undo certificate request mode to restore the default. Syntax certificate request mode { auto [ password { cipher | simple } password ] | manual } undo certificate request mode Default The certificate request mode is manual. Views PKI domain view Predefined user roles network-admin mdc-admin...
  • Page 124: Certificate Request Polling

    certificate request polling Use certificate request polling to set the polling interval and the maximum number of attempts to query certificate request status. Use undo certificate request polling to restore the defaults. Syntax certificate request polling { count count | interval minutes } undo certificate request polling { count | interval } Default The polling interval is 20 minutes, and the maximum number of attempts is 50.
  • Page 125: Common-Name

    Syntax certificate request url url-string [ vpn-instance vpn-instance-name ] undo certificate request url Default The URL of the certificate request reception authority is not specified. Views PKI domain view Predefined user roles network-admin mdc-admin Parameters url-string: Specifies the URL of the certificate request reception authority, a case-sensitive string of 1 to 511 characters.
  • Page 126: Country

    Default No common name is set for a PKI entity. Views PKI entity view Predefined user roles network-admin mdc-admin Parameters common-name-sting: Specifies a common name, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set the username of the PKI entity as the common name. Examples # Specify test as the common name of the PKI entity en.
  • Page 127: Crl Url

    Use undo crl check enable to disable CRL checking. Syntax crl check enable undo crl check enable Default CRL checking is enabled. Views PKI domain view Predefined user roles network-admin mdc-admin Usage guidelines A CA signs and publishes a list of revoked certificates, which is called CRL. Revoked certificates should no longer be trusted.
  • Page 128: Display Pki Certificate Access-Control-Policy

    Parameters url-string: Specifies the URL of the CRL repository, a case-sensitive string of 1 to 511 characters. The URL format is ldap://server_location or http://server_location. The URL length is restricted by the CLI string limitation or the url-string parameter, whichever is smaller. vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.
  • Page 129: Display Pki Certificate Attribute-Group

    mdc-operator Parameters policy-name: Specifies a certificate-based access control policy by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines If you do not specify a policy name, this command displays information about all certificate-based access control policies. Examples # Display information about the certificate-based access control policy mypolicy.
  • Page 130: Display Pki Certificate Domain

    Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines If you do not specify a certificate attribute group, this command displays information about all certificate attribute groups.
  • Page 131 Syntax display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] } Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
  • Page 132 28:98:ec:5a:ee:d7:35:af:86:c4:49:76:6e:dd:40: 4a:9e:8d:c0:cb:d9:10:9b:61:eb:0c:e0:22:ce:f6: 57:7c:bb:bb:1b:1d:b6:81:ad:90:77:3d:25:21:e6: 7e:11:0a:d8:1d:3c:8e:a4:17:1e:8c:38:da:97:f6: 6d:be:09:e3:5f:21:c5:a0:6f:27:4b:e3:fb:9f:cd: c1:91:18:ff:16:ee:d8:cf:8c:e3:4c:a3:1b:08:5d: 84:7e:11:32:5f:1a:f8:35:25:c0:7e:10:bd:aa:0f: 52:db:7b:cd:5d:2b:66:5a:fb Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption 6d:b1:4e:d7:ef:bb:1d:67:53:67:d0:8f:7c:96:1d:2a:03:98: 3b:48:41:08:a4:8f:a9:c1:98:e3:ac:7d:05:54:7c:34:d5:ee: 09:5a:11:e3:c8:7a:ab:3b:27:d7:62:a7:bb:bc:7e:12:5e:9e: 4c:1c:4a:9f:d7:89:ca:20:46:de:c5:b3:ce:36:ca:5e:6e:dc: e7:c6:fe:3f:c5:38:dd:d5:a3:36:ad:f4:3d:e6:32:7f:48:df: 07:f0:a2:32:89:86:72:22:cd:ed:e5:0f:95:df:9c:75:71:e7: fe:34:c5:a0:64:1c:f0:5c:e4:8f:d3:00:bd:fa:90:b6:64:d8: 88:a6 # Display information about the local certificates in the PKI domain aaa. <Sysname> display pki certificate domain aaa local Certificate: Data: Version: 3 (0x2)
  • Page 133 Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin Netscape Comment: User Certificate of OpenCA Labs X509v3 Subject Key Identifier: 91:95:51:DD:BF:4F:55:FA:E4:C4:D0:10:C2:A1:C2:99:AF:A5:CB:30 X509v3 Authority Key Identifier: keyid:DF:D2:C9:1A:06:1F:BC:61:54:39:FE:12:C4:22:64:EB:57:3B:11:9F X509v3 Subject Alternative Name: email:fips@ccc.com...
  • Page 134 Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7 Subject Name: CN=sldsslserver # Display detailed information about a peer certificate in the PKI domain aaa. <Sysname> display pki certificate domain aaa peer serial 9a0337eb2156ba1f5476e4d754a5a9f7 Certificate: Data: Version: 3 (0x2) Serial Number: 9a:03:37:eb:21:56:ba:1f:54:76:e4:d7:54:a5:a9:f7 Signature Algorithm: sha1WithRSAEncryption Issuer: C=cn, O=ccc, OU=sec, CN=ssl Validity Not Before: Oct 15 01:23:06 2010 GMT Not After : Jul 26 06:30:54 2012 GMT...
  • Page 135: Display Pki Certificate Request-Status

    Signature Algorithm: sha1WithRSAEncryption 61:2d:79:c7:49:16:e3:be:25:bb:8b:70:37:31:32:e5:d3:e3: 31:2c:2d:c1:f9:bf:50:ad:35:4b:c1:90:8c:65:79:b6:5f:59: 36:24:c7:14:63:44:17:1e:e4:cf:10:69:fc:93:e9:70:53:3c: 85:aa:40:7e:b5:47:75:0f:f0:b2:da:b4:a5:50:dd:06:4a:d5: 17:a5:ca:20:19:2c:e9:78:02:bd:19:77:da:07:1a:42:df:72: ad:07:7d:e5:16:d6:75:eb:6e:06:58:ee:76:31:63:db:96:a2: ad:83:b6:bb:ba:4b:79:59:9d:59:6c:77:59:5b:d9:07:33:a8: f0:a5 Related commands • pki domain • pki retrieve-certificate display pki certificate request-status Use display pki certificate request-status to display certificate request status. Syntax display pki certificate request-status [ domain domain-name ] Views Any view Predefined user roles...
  • Page 136: Display Pki Crl

    Domain name: domain1 Status: Pending Key usage: General Remain polling attempts: 10 Next polling attempt after : 1191 seconds Certificate Request Transaction 2 Domain name: domain2 Status: Pending Key usage: Signature Remain polling attempts: 10 Next polling attempt after : 188 seconds Table 20 Command output Field Description...
  • Page 137 Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
  • Page 138: Fqdn

    Field Description: Issuer: name of the CA that issued the CRL. Last Update: most recent CRL update time. Next Update: next CRL update time. X509v3 Authority Key Identifier: X509v3 ID of the CA that issues the CRL. keyid: key ID; this field identifies the key pair used to sign the CRL.
  • Page 139: Ldap-Server

    Syntax ip { ip-address | interface interface-type interface-number } undo ip Default No IP address is assigned to the PKI entity. Views PKI entity view Predefined user roles network-admin mdc-admin Parameters ip-address: Specifies an IPv4 address. interface interface-type interface-number: Specifies an interface by its type and number. The primary IPv4 address of the interface will be used as the IP address of the PKI entity.
  • Page 140: Locality

    port port-number: Specifies the port number of the LDAP server. The value range is 1 to 65535, and the default is 389. vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If the LDAP server is on the public network, do not specify this option.
  • Page 141: Organization

    Examples # Specify pukras as the locality of the PKI entity en. <Sysname> system-view [Sysname] pki entity en [Sysname-pki-entity-en] locality pukras organization Use organization to set an organization name for a PKI entity. Use undo organization to remove the configuration. Syntax organization org-name undo organization...
  • Page 142: Pki Abort-Certificate-Request

    mdc-admin Parameters org-unit-name: Specifies an organization unit name, a case-sensitive string of 1 to 63 characters. No comma can be included. Examples # Specify rdtest as the organization unit name for the PKI entity en. <Sysname> system-view [Sysname] pki entity en [Sysname-pki-entity-en] organization-unit rdtest pki abort-certificate-request Use pki abort-certificate-request to abort the certificate request for a PKI domain.
  • Page 143: Pki Certificate Access-Control-Policy

    pki certificate access-control-policy Use pki certificate access-control-policy to create a certificate-based access control policy and enter its view. Use undo pki certificate access-control-policy to remove a certificate-based access control policy. Syntax pki certificate access-control-policy policy-name undo pki certificate access-control-policy policy-name Default No certificate-based access control policies exist.
  • Page 144: Pki Delete-Certificate

    Predefined user roles network-admin mdc-admin Parameters group-name: Specifies a group name, a case-insensitive string of 1 to 31 characters. Usage guidelines A certificate attribute group is a set of attribute rules configured by using the attribute command. Each attribute rule defines a matching criterion for an attribute in the issuer name, subject name, or alternative subject name field of certificates.
  • Page 145: Pki Domain

    Usage guidelines When you remove the CA certificate in a PKI domain, the system also removes the local certificates, peer certificates, and the CRL in the PKI domain. Examples # Remove the CA certificate in the PKI domain aaa. <Sysname> system-view [Sysname] pki delete-certificate domain aaa ca Local certificates, peer certificates and CRL will also be deleted while deleting the CA certificate.
  • Page 146: Pki Entity

    mdc-admin Parameters domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
  • Page 147: Pki Export

    pki export Use pki export to export the CA certificate and the local certificates in a PKI domain to local files or display them on a terminal. Syntax pki export domain domain-name der { all | ca | local } filename filename pki export domain domain-name p12 { all | local } passphrase p12passwordstring filename filename pki export domain domain-name pem { { all | local } [ { 3des-cbc | aes-128-cbc | aes-192-cbc |...
  • Page 148 • If the PKI domain has a CA certificate chain, this command exports the certificate chain to a file or displays it on the terminal. When you export the local certificates, the local file names might not be the same as specified in the command.
  • Page 149 [Sysname] pki export domain domain1 pem ca filename cacert # Export the local certificates and their private keys in the PKI domain to a file named local.pem in PEM format. For the private keys, the cryptographic algorithm is DES_CBC and the password is 111. <Sysname>...
  • Page 150 friendlyName: localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D Key Attributes: <No Attributes> -----BEGIN ENCRYPTED PRIVATE KEY----- MIICwzA9BgkqhkiG9w0BBQ0wMDAbBgkqhkiG9w0BBQwwDgQIAbfcE+KoYYoCAggA MBEGBSsOAwIHBAjB+UsJM07JRQSCAoABqtASbjGTQbdxL3n4wNHmyWLxbvL9v27C Uu6MjYJDCipVzxHU0rExgn+6cQsK5uK99FPBmy4q9/nnyrooTX8BVlXAjenvgyii WQLwnIg1IuM8j2aPkQ3wbae1+0RACjSLy1u/PCl5sp6CDxI0b9xz6cxIGxKvUOCc /gxdgk97XZSW/0qnOSZkhgeqBZuxq6Va8iRyho7RCStVxQaeiAZpq/WoZbcS5CKI /WXEBQd4AX2UxN0Ld/On7Wc6KFToixROTxWTtf8SEsKGPDfrEKq3fSTW1xokB8nM bkRtU+fUiY27V/mr1RHO6+yEr+/wGGClBy5YDoD4I9xPkGUkmqx+kfYbMo4yxkSi JdL+X3uEjHnQ/rvnPSKBEU/URwXHxMX9CdCTSqh/SajnrGuB/E4JhOEnS/H9dIM+ DN6iz1IwPFklbcK9KMGwV1bosymXmuEbYCYmSmhZb5FnR/RIyE804Jz9ifin3g0Q ZrykfG7LHL7Ga4nh0hpEeEDiHGEMcQU+g0EtfpOLTI8cMJf7kdNWDnI0AYCvBAAM 3CY3BElDVjJq3ioyHSJca8C+3lzcueuAF+lO7Y4Zluq3dqWeuJjE+/1BZJbMmaQA X6NmXKNzmtTPcMtojf+n3+uju0le0d0QYXQz/wPsV+9IYRYasjzoXE5dhZ5sIPOd u9x9hhp5Ns23bwyNP135qTNjx9i/CZMKvLKywm3Yg+Bgg8Df4bBrFrsH1U0ifmmp...
  • Page 151 dGFuL3BraS9wdWIvY2FjZXJ0L2NhY2VydC5jcnQwHgYIKwYBBQUHMAGGEmh0dHA6 Ly90aXRhbjoyNTYwLzAdBggrBgEFBQcwDIYRaHR0cDovL3RpdGFuOjgzMC8wPAYD VR0fBDUwMzAxoC+gLYYraHR0cDovLzE5Mi4xNjguNDAuMTI4L3BraS9wdWIvY3Js L2NhY3JsLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAGcMeSpBJiuRmsJW0iZK5nygB tgD8c0b+n4v/F36sJjY1fRFSr4gPLIxZhPWhTrqsCd+QMELRCDNHDxvt3/1NEG12 X6BVjLcKXKH/EQe0fnwK+7PegAJ15P56xDeACHz2oysvNQ0Ot6hGylMqaZ8pKUKv UDS8c+HgIBrhmxvXztI08N1imYHq27Wy9j6NpSS60mMFmI5whzCWfTSHzqlT2DNd no0id18SZidApfCZL8zoMWEFI163JZSarv+H5Kbb063dxXfbsqX9Noxggh0gD8dK 7X7/rTJuuhTWVof5gxSUJp+aCCdvSKg0lvJY+tJeXoaznrINVw3SuXJ+Ax8GEw== -----END CERTIFICATE----- Bag Attributes: <No Attributes> subject=/C=CN/O=OpenCA Labs/OU=software/CN=abcd issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd -----BEGIN CERTIFICATE----- MIIEYTCCA0mgAwIBAgIBFzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDTjEU MBIGA1UECgwLT3BlbkNBIExhYnMxETAPBgNVBAsMCHNvZnR3YXJlMQ0wCwYDVQQD DARhYmNkMB4XDTExMDQxODExNDQ0N1oXDTEzMDQxNzExNDQ0N1owRTELMAkGA1UE BhMCQ04xFDASBgNVBAoMC09wZW5DQSBMYWJzMREwDwYDVQQLDAhzb2Z0d2FyZTEN MAsGA1UEAwwEYWJjZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM1g vomMF8S4u6q51bOwjKFUBwxyvOy4D897LmOSedaCyDt6Lvp+PBEHfwWBYBpsHhk7 kmnSNhX5dZ6NxunHaARZ2VlcctsYKyvAQapuaThy1tuOcphAB+jQQL9dPoqdk0xp jvmPDlW+k832Konn9U4dIivS0n+/KMGh0g5UyzHGqUUOo7s9qFuQf5EjQon40TZg BwUnFYRlvGe7bSQpXjwi8LTyxHPy+dDVjO5CP+rXx5IiToFy1YGWewkyn/WeswDf Yx7ZludNus5vKWTihgx2Qalgb+sqUMwI/WUET7ghO2dRxPUdUbgIYF0saTndKPYd 4oBgl6M0SMsHhe9nF5UCAwEAAaOCAVowggFWMA8GA1UdEwEB/wQFMAMBAf8wCwYD VR0PBAQDAgEGMB0GA1UdDgQWBBQzEQ58yIC54wxodp6JzZvn/gx0CDAfBgNVHSME GDAWgBQzEQ58yIC54wxodp6JzZvn/gx0CDAZBgNVHREEEjAQgQ5wa2lAb3BlbmNh Lm9yZzAZBgNVHRIEEjAQgQ5wa2lAb3BlbmNhLm9yZzCBgQYIKwYBBQUHAQEEdTBz MDIGCCsGAQUFBzAChiZodHRwOi8mdcGl0YW4vcGtpL3B1Yi9jYWNlcnQvY2FjZXJ0 LmNydDAeBggrBgEFBQcwAYYSaHR0cDovL3RpdGFuOjI1NjAvMB0GCCsGAQUFBzAM hhFodHRwOi8mdcGl0YW46ODMwLzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vMTky LjE2OC40MC4xMjgvcGtpL3B1Yi9jcmwvY2FjcmwuY3JsMA0GCSqGSIb3DQEBCwUA 
A4IBAQC0q0SSmvQNfa5ELtRKYF62C/Y8QTLbk6lZDTZuIzN15SGKQcbNM970ffCD Lk1zosyEVE7PLnii3bZ5khcGO3byyXfluAqRyOGVJcudaw7uIQqgv0AJQ+zaQSHi d4kQf5QWgYkQ55/C5puOmcMRgCbMpR2lYkqXLDjTIAZIHRZ/sTp6c+ie2bFxi/YT 3xYbO0wDMuGOKJJpsyKTKcbG9NdfbDyFgzEYAobyYqAUB3C0/bMfBduwhQWKSoYE...
  • Page 152 f9liWQ2CImy/hjgFCD9nqSLN8wUzP7O2SdLVlUb5z4FR6VISZdgTFE8j7ko2HtUs HVSg0nm114EwPtPMMbHefcuQ6b82y1M+dWfVxBN9K03lN4tZNfPWwLSRrPvjUzBG dKtjf3/IFdV7/tUMy9JJSpt4iFt1h7SZPcOoGp1ZW+YUR30I7YnFE+9Yp/46KWT8 bk7j0STRnZX/xMy/9E52uHkLdW1ET3TXralLMYt/4jg4M0jUvoi3GS2Kbo+czsUn gKgqwYnxVfRSvt8d6GBYrpF2tMFS9LEyngPKXExd+m4mAryuT5PhdFTkb1B190Lp UIBjk3IXnr7AdrhvyLkH0UuQE95emXBD/K0HlD73cMrtmogL8F4yS5B2hpIr/v5/ eW35+1QMnJ9FtHFnVsLx9wl9lX8iNfsoBhg6FQ/hNSioN7rNBe7wwIRzxPVfEhO8 5ajQxWlidRn5RkzfUo6HuAcq02QTpSXI6wf2bzsVmr5sk+fRaELD/cwL6VjtXO6x ZBLJcUyAwvScrOtTEK7Q5n0I34gQd4qcF0D1x9yQ4sqvTeU/7Jkm6XCPV05/5uiF RLCfFAwaJMBdIQ6jDQHnpWT67uNDwdEzaPmuTVMme5Woc5zsqE5DY3hWu4oqFdDz kPLnbX74IZ0gOLki9eIJkVswnF5HkBCKS50ejlW6TgbMNZ+JPk2w -----END ENCRYPTED PRIVATE KEY----- # Display the CA certificate in the PKI domain in PEM format. <Sysname> system-view [Sysname]pki export domain domain1 pem ca -----BEGIN CERTIFICATE----- MIIB+TCCAWICEQDMbgjRKygg3vpGFVY6pa3ZMA0GCSqGSIb3DQEBBQUAMD0xCzAJ BgNVBAYTAmNuMQwwCgYDVQQKEwNoM2MxETAPBgNVBAsTCGgzYy10ZXN0MQ0wCwYD VQQDEwQ4MDQzMB4XDTExMDMyMjA0NDQyNFoXDTE0MDMyMzA0MzUyNFowPTELMAkG A1UEBhMCY24xDDAKBgNVBAoTA2gzYzERMA8GA1UECxMIaDNjLXRlc3QxDTALBgNV BAMTBDgwNDMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOvDAYQhyc++G7h5 eNDzJs22OQjCn/4JqnNKIdKz1BbaJT8/+IueSn9JIsg64Ex2WBeCd/tcmnSW57ag...
  • Page 153: Pki Import

    MIIB8DCCAVkCEQD2PBUx/rvslNw9uTrZB3DlMA0GCSqGSIb3DQEBBQUAMDoxCzAJ BgNVBAYTAmNuMQwwCgYDVQQKEwNoM2MxDDAKBgNVBAsTA2gzYzEPMA0GA1UEAxMG cm9mdcGNhMB4XDTExMDEwNjAyNTY1OFoXDTEzMTIwNDAzMTMxMFowNzELMAkGA1UE BhMCY24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDaDNjMQwwCgYDVQQDEwNhY2Ew gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOeklR7DpeEV72N1OLz+dydIDTx0 zVZDdPxF1gQYWSfIBwwFKJEyQ/4y8VIfDIm0EGTM4dsOX/QFwudhl/Czkio3dWLh Q1y5XCJy68vQKrB82WZ2mah5Nuekus3LSZZBoZKTAOY5MCCMFcULM858dtSq15Sh xF7tKSeAT7ARlJxTAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEADJQCo6m0RNup0ewa ItX4XK/tYcJXAQWMA0IuwaWpr+ofqVVgYBPwVpYglhJDOuIZxKdR2pfQOA4f35wM Vz6kAujLATsEA1GW9ACUWa5PHwVgJk9BDEXhKSJ2e7odmrg/iROhJjc1NMV3pvIs CuFiCLxRQcMGhCNHlOn4wuydssc= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIB8jCCAVsCEFxy3MSlQ835MrnBkI/dUPYwDQYJKoZIhvcNAQEFBQAwOjELMAkG A1UEBhMCY24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDaDNjMQ8wDQYDVQQDEwZy b290Y2EwHhcNMTEwMTA2MDI1MTQxWhcNMTMxMjA3MDMxMjA1WjA6MQswCQYDVQQG EwJjbjEMMAoGA1UEChMDaDNjMQwwCgYDVQQLEwNoM2MxDzANBgNVBAMTBnJvb3Rj YTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxP2XLFE230zq6MhwZvAomOxa 7tc1r4bESXZu3UBKno3Ay9kQm2HrDOAizvZXfLu7Gx22ga2Qdz0lIeZ+EQrYHTyO pBcejDjal/ZtvgnjXyHFoG8nS+P7n83BkRj/Fu7Yz4zjTKMbCF2EfhEyXxr4NSXA fhC9qg9S23vNXStmWvsCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBtsU7X77sdZ1Nn 0I98lh0qA5g7SEEIpI+pwZjjrH0FVHw01e4JWhHjyHqrOyfXYqe7vH4SXp5MHEqf 14nKIEbexbPONspebtznxv4/xTjd1aM2rfQ95jJ/SN8H8KIyiYZyIs3t5Q+V35x1 cef+NMWgZBzwXOSP0wC9+pC2ZNiIpg== -----END CERTIFICATE----- # Export the local certificates and their private keys in the PKI domain to a file named cert-lo.der in PKCS12 format.
  • Page 154 Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
  • Page 155 • If the local certificate to be imported contains a key pair, the system asks you to enter the challenge password used for encrypting the private key. When you import a local certificate file that contains a key pair, you can choose to update the domain with the key pair.
  • Page 156 Key Attributes X509v3 Key Usage: 10 -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,8DCE37F0A61A4B8C k9C3KHY5S3EtnF5iQymvHYYrVFy5ZdjSasU5y4XFubjdcvmpFHQteMjD0GKX6+xO kuKbvpyCnWsPVg56sL/PDRyrRmqLmtUV3bpyQsFXgnc7p+Snj3CG2Ciow9XApybW Ec1TDCD75yuQckpVQdhguTvoPQXf9zHmiGu5jLkySp2k7ec/Mc97Ef+qqpfnHpQp GDmMqnFpp59ZzB21OGlbGzlPcsjoT+EGpZg6B1KrPiCyFim95L9dWVwX9sk+U1s2 +8wqac8jETwwM0UZ1NGJ50JJz1QYIzMbcrw+S5WlPxACTIz1cldlBlb1kpc+7mcX 4W+MxFzsL88IJ99T72eu4iUNsy26g0BZMAcc1sJA3A4w9RNhfs9hSG43S3hAh5li JPp720LfYBlkQHn/MgMCZASWDJ5G0eSXQt9QymHAth4BiT9v7zetnQqf4q8plfd/ Xqd9zEFlBPpoJFtJqXwxHUCKgw6kJeC4CxHvi9ZCJU/upg9IpiguFPoaDOPia+Pm GbRqSyy55clVde5GOccGN1DZ94DW7AypazgLpBbrkIYAdjFPRmq+zMOdyqsGMTNj jnheI5l784pNOAKuGi0i/uXmRRcfoMh6qAnK6YZGS7rOLC9CfPmy8fgY+/Sl9d9x Q00ruO1psxzh9c2YfuaiXFIx0auKl6o5+ZZYn7Rg/xy2Y0awVP+dO925GoAcHO40 cCl6jA/HsGAU9HkpwKHL35lmBDRLEzQeBFcaGwSm1JvRfE4tkJM7+Uz2QHJOfP10 0VLqMgxMlpk3TvBWgzHGJDe7TdzFCDPMPhod8pi4P8gGXmQd01PbyQ== -----END RSA PRIVATE KEY----- Bag Attributes localKeyID: 01 00 00 00 subject=/CN=sldsslserver issuer=/C=cn/O=ccc/OU=sec/CN=ssl -----BEGIN CERTIFICATE----- MIICjzCCAfigAwIBAgIRAJoDN+shVrofVHbk11SlqfcwDQYJKoZIhvcNAQEFBQAw NzELMAkGA1UEBhMCY24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDc2VjMQwwCgYD...
  • Page 157: Pki Request-Certificate

    BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAt8QSMetQ70GONiFh7iJkvGQ8nC15zCF1 cqC/RcJhE/88LkKyQcu9j+Tz8Bk9Qj2UPaZdrk8fOrgtBsa7lZ+UO3j3l30q84l+ HjWq8yxVLRQahU3gqJze6pGR2l0s76u6GRyCX/zizGrHKqYlNnxK44NyRZx2klQ2 tKQAfpXCPIkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBWsaMgRbBMtYNrrYCMjY6g c7PBjvajVOKNUMxaDalePmXfKCxl91+PKM7+i8I/zLcoQO+sHbva26a2/C4sNvoJ 2QZs6GtAOahP6CDqXC5VuNBU6eTKNKjL+mf6uuDeMxrlDNha0iymdrXXVIp5cuIu fl7xgArs8Ks6aXDXM1o4DQ== -----END CERTIFICATE----- Please input the password:******** Local certificate already exist, confirm to overwrite it? [Y/N]:y The PKI domain already has a CA certificate. If it is overwritten, local certificates, peer certificates and CRL of this domain will also be deleted. Overwrite it? [Y/N]:y The system is going to save the key pair.
  • Page 158: Pki Retrieve-Certificate

    password password: Sets the password for certificate revocation, a case-sensitive string of 1 to 31 characters. The password is contained in the certificate request and must be provided if the certificate is revoked. pkcs10: Displays BASE64-encoded PKCS#10 certificate request information, which can be used to request a certificate by an out-of-band means, like phone, disk, or email.
  • Page 159 Predefined user roles network-admin mdc-admin Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
  • Page 160: Pki Retrieve-Crl

    pki retrieve-crl Use pki retrieve-crl to obtain CRLs and save them locally. Syntax pki retrieve-crl domain domain-name Views System view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
  • Page 161: Pki Validate-Certificate

    Syntax pki storage { certificates | crls } dir-path undo pki storage { certificates | crls } Default The storage path for the certificates and CRLs is the PKI directory on the storage media of the device. Views System view Predefined user roles network-admin mdc-admin...
  • Page 162 Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
  • Page 163: Public-Key Dsa

    Subject: C=cn O=ccc OU=ppp CN=rootca Verify result: OK # Verify the local certificates in the PKI domain aaa. <Sysname> system-view [Sysname] pki validate-certificate domain aaa local Verifying certificate..Serial Number: bc:05:70:1f:0e:da:0d:10:16:1e Issuer: C=CN O=sec OU=software CN=bca Subject: O=OpenCA Labs OU=Users CN=fips fips-sec Verify result: OK Related commands...
  • Page 164: Public-Key Rsa

    Parameters name key-name: Specifies a key pair by its name, a case-insensitive string of 1 to 64 characters. The key pair name contains only letters, digits, and hyphens (-). length key-length: Specifies the key length, in bits. In non-FIPS mode, the value range is 512 to 2048, and the default is 1024.
  • Page 165 Predefined user roles network-admin mdc-admin Parameters encryption: Specifies a key pair for encryption. name encryption-key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters. The key pair name contains only letters, digits, and hyphens (-). signature: Specifies a key pair for signing. name signature-key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters.
  • Page 166: Root-Certificate Fingerprint

    [Sysname-pki-domain-aaa] public-key rsa encryption name rsa1 length 2048 [Sysname-pki-domain-aaa] public-key rsa signature name sig1 length 2048 Related commands • pki import • public-key local create (see Security Command Reference) root-certificate fingerprint Use root-certificate fingerprint to set the fingerprint for verifying the validity of the CA root certificate.
  • Page 167: Rule

    If you specify the fingerprint in the PKI domain, the device automatically verifies the fingerprint of the CA certificate to be imported or obtained against that configured in the domain. If the two fingerprints do not match, the device rejects the CA certificate. If no fingerprint is specified in the domain, the device asks you to manually verify the fingerprint of the CA certificate.
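The manual verification step described above, checking the fingerprint of a CA certificate against a value obtained out of band, can be done on the text that pki export domain ... pem ca prints (pages 147 to 153 show that a chain is exported as several PEM blocks). The following is an added example in Python, not HPE code: it extracts every CERTIFICATE block, computes the MD5 and SHA-1 fingerprints that root-certificate fingerprint accepts, and reports which block matches an expected value using a constant-time comparison. The PEM bodies are constructed placeholders, not real certificates, so their fingerprints are meaningful only inside the example.

```python
"""Check CA certificate fingerprints from 'pki export ... pem ca' output.

Added example, not HPE code. The PEM bodies below are constructed
placeholders rather than real DER certificates.
"""
import base64
import binascii
import hashlib
import hmac
import re
from typing import List, Optional, Tuple

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks_to_der(text: str) -> List[bytes]:
    """Return the DER bytes of each CERTIFICATE block, in printed order."""
    ders = []
    for body in _PEM_RE.findall(text):
        compact = "".join(body.split())          # drop the 64/76-column wrapping
        try:
            ders.append(base64.b64decode(compact, validate=True))
        except binascii.Error as exc:
            raise ValueError("malformed base64 in PEM block") from exc
    return ders


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case hex digest, the form the switch displays."""
    if algo not in ("md5", "sha1"):
        raise ValueError("the switch takes md5 or sha1 fingerprints")
    digest = hashlib.new(algo, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)).upper()


def _normalise(fp: str) -> str:
    """Accept 'AB:CD', 'ab cd' or 'abcd' spellings of the same fingerprint."""
    return fp.replace(":", "").replace(" ", "").lower()


def find_matching_block(export_text: str, expected: str, algo: str = "sha1") -> Optional[int]:
    """Index of the PEM block whose fingerprint equals expected, or None.

    hmac.compare_digest keeps the comparison constant-time.
    """
    expected_n = _normalise(expected)
    for idx, der in enumerate(pem_blocks_to_der(export_text)):
        if hmac.compare_digest(_normalise(fingerprint(der, algo)), expected_n):
            return idx
    return None


def chain_fingerprints(export_text: str) -> List[Tuple[int, str, str]]:
    """(index, md5, sha1) for every block, for comparing with the CA operator."""
    return [(i, fingerprint(d, "md5"), fingerprint(d, "sha1"))
            for i, d in enumerate(pem_blocks_to_der(export_text))]


# Constructed stand-ins for the DER certificates of an exported chain.
SAMPLE_DERS = [b"constructed placeholder: intermediate CA DER bytes",
               b"constructed placeholder: root CA DER bytes"]


def _pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


# Mimics the terminal output of: pki export domain domain1 pem ca
SAMPLE_EXPORT = ("[Sysname] pki export domain domain1 pem ca\n"
                 + "".join(_pem(d) for d in SAMPLE_DERS))

if __name__ == "__main__":
    for i, md5_fp, sha1_fp in chain_fingerprints(SAMPLE_EXPORT):
        print(f"block {i}: md5  {md5_fp}\n         sha1 {sha1_fp}")
    print(find_matching_block(SAMPLE_EXPORT, fingerprint(SAMPLE_DERS[1]), "sha1"))
```

Paste the real export output into SAMPLE_EXPORT to use it; the block index that matches tells you which certificate in the chain the out-of-band fingerprint belongs to, which is what you need to know before answering the device's prompt.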
  • Page 168: Source

    Usage guidelines When you create an access control rule, you can associate it with a nonexistent certificate attribute group. The system determines that a certificate matches an access control rule when either of the following conditions exists: • The associated certificate attribute group does not exist. •...
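The matching logic that pages 143 to 144 describe for certificate attribute groups and that the rule usage guidelines above describe for access control rules, as an added example in Python (not HPE code). It takes from the page that an attribute rule tests the issuer name, subject name or alternative subject name with ctn/nctn/equ/nequ, and that a rule whose attribute group does not exist matches every certificate. Two points the page truncates are assumptions here: a group matches only when all of its attribute rules match, and a certificate that matches no rule in the policy is denied. Comparing fqdn/ip against a DN by its CN value is also an assumption. The certificates and the example.com SAN are constructed from the names shown elsewhere on the page.

```python
"""Evaluate an HPE-style certificate-based access control policy.

Added example, not HPE code. Assumptions: a group matches only when every
attribute rule in it matches; no matching rule means deny; fqdn/ip tests
against a DN use its CN value.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CertNames:
    """The certificate fields an attribute rule can look at."""
    issuer_dn: str
    subject_dn: str
    alt_fqdn: List[str] = field(default_factory=list)
    alt_ip: List[str] = field(default_factory=list)


@dataclass
class AttributeRule:
    """attribute <id> <field> <kind> <op> <value>, e.g. issuer-name dn ctn O=ccc."""
    field_name: str   # issuer-name | subject-name | alt-subject-name
    kind: str         # dn | fqdn | ip
    op: str           # ctn | nctn | equ | nequ
    value: str


@dataclass
class AccessRule:
    """rule <id> { permit | deny } <group-name>."""
    rule_id: int
    action: str
    group: str


def _cn(dn: str) -> List[str]:
    """CN component value(s) of a comma-separated DN string."""
    return [p.split("=", 1)[1].strip() for p in dn.split(",")
            if p.strip().upper().startswith("CN=")]


def _candidate_values(cert: CertNames, rule: AttributeRule) -> List[str]:
    if rule.field_name == "alt-subject-name":
        return cert.alt_fqdn if rule.kind == "fqdn" else cert.alt_ip
    dn = cert.issuer_dn if rule.field_name == "issuer-name" else cert.subject_dn
    return [dn] if rule.kind == "dn" else _cn(dn)   # fqdn/ip vs DN: CN (assumption)


def attribute_rule_matches(rule: AttributeRule, cert: CertNames) -> bool:
    values = _candidate_values(cert, rule)
    if rule.op == "ctn":
        return any(rule.value in v for v in values)
    if rule.op == "nctn":
        return not any(rule.value in v for v in values)
    if rule.op == "equ":
        return any(v == rule.value for v in values)
    if rule.op == "nequ":
        return not any(v == rule.value for v in values)
    raise ValueError(f"unknown operator {rule.op!r}")


def group_matches(rules: List[AttributeRule], cert: CertNames) -> bool:
    """All attribute rules in the group must match (assumption)."""
    return all(attribute_rule_matches(r, cert) for r in rules)


def decide(policy: List[AccessRule], groups: Dict[str, List[AttributeRule]],
           cert: CertNames) -> str:
    """First matching rule by ID wins; a missing group matches; no match -> deny."""
    for rule in sorted(policy, key=lambda r: r.rule_id):
        group_rules = groups.get(rule.group)
        if group_rules is None or group_matches(group_rules, cert):
            return rule.action
    return "deny"


# Constructed certificates built from names shown on the page.
SERVER_CERT = CertNames(issuer_dn="C=cn, O=ccc, OU=sec, CN=ssl",
                        subject_dn="CN=sldsslserver",
                        alt_fqdn=["sldsslserver.example.com"])   # hypothetical SAN
USER_CERT = CertNames(issuer_dn="C=CN, O=sec, OU=software, CN=bca",
                      subject_dn="O=OpenCA Labs, OU=Users, CN=fips fips-sec")

GROUPS = {
    "from-ccc": [AttributeRule("issuer-name", "dn", "ctn", "O=ccc")],
    "ccc-server": [AttributeRule("issuer-name", "dn", "ctn", "O=ccc"),
                   AttributeRule("alt-subject-name", "fqdn", "equ", "sldsslserver.example.com")],
    "users-only": [AttributeRule("subject-name", "dn", "ctn", "OU=Users")],
}


def permit_ccc_only(cert: CertNames) -> str:
    return decide([AccessRule(1, "permit", "from-ccc")], GROUPS, cert)


def deny_with_missing_group(cert: CertNames) -> str:
    # Rule 1 names a group that does not exist, so it matches every certificate
    # and the permit in rule 2 is never reached: a typo in a group name fails closed.
    return decide([AccessRule(1, "deny", "no-such-group"),
                   AccessRule(2, "permit", "from-ccc")], GROUPS, cert)


def permit_server_then_users(cert: CertNames) -> str:
    return decide([AccessRule(10, "permit", "ccc-server"),
                   AccessRule(20, "permit", "users-only")], GROUPS, cert)


if __name__ == "__main__":
    print(permit_ccc_only(SERVER_CERT), permit_ccc_only(USER_CERT),
          deny_with_missing_group(SERVER_CERT))
```

The missing-group case is the one worth keeping in mind when writing a policy: because a nonexistent group matches, a deny rule that refers to a mistyped group name blocks every client, and a permit rule that does so admits every client.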
  • Page 169: State

    Make sure there is a route between the source IP address and the CA server. You can specify only one source IP address in a PKI domain. If you configure this command multiple times, the most recent configuration takes effect. Examples # Specify 111.1.1.8 as the source IP address for PKI protocol packets.
  • Page 170 Default No extension is specified. A certificate can be used for all applications, including IKE, SSL clients, and SSL servers. Views PKI domain view Predefined user roles network-admin mdc-admin Parameters ike: Specifies the IKE certificate extension so IKE peers can use the certificates. ssl-client: Specifies the SSL client certificate extension so the SSL clients can use the certificates.
  • Page 171: Ssl Commands

    SSL commands The SSL feature is available in Release 2137 and later versions. The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
  • Page 172: Client-Verify Enable

    rsa_aes_128_cbc_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit AES_CBC, and the MAC algorithm SHA. rsa_aes_256_cbc_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm 256-bit AES_CBC, and the MAC algorithm SHA. rsa_des_cbc_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm DES_CBC, and the MAC algorithm SHA.
  • Page 173: Display Ssl Client-Policy

    Default The SSL server does not authenticate SSL clients. Views SSL server policy view Predefined user roles network-admin mdc-admin Usage guidelines The SSL client and server use digital certificates to authenticate each other. For more information about digital certificates, see Security Configuration Guide. If you execute the client-verify enable command, an SSL client must send its own digital certificate to the SSL server for authentication.
  • Page 174: Display Ssl Server-Policy

    PKI domain: client-domain Preferred ciphersuite: RSA_AES_128_CBC_SHA Server-verify: enabled Table 22 Command output Field Description: Server-verify: Indicates whether the client is enabled to use digital certificates to authenticate servers. display ssl server-policy Use display ssl server-policy to display SSL server policy information. Syntax display ssl server-policy [ policy-name ] Views...
  • Page 175: Pki-Domain

    pki-domain Use pki-domain to specify a PKI domain for an SSL client policy or an SSL server policy. Use undo pki-domain to restore the default. Syntax pki-domain domain-name undo pki-domain Default No PKI domain is specified for an SSL client policy or an SSL server policy. Views SSL client policy view, SSL server policy view Predefined user roles...
  • Page 176 prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } undo prefer-cipher In FIPS mode: prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha } undo prefer-cipher Default In non-FIPS mode: The preferred cipher suite of an SSL client policy is rsa_rc4_128_md5. In FIPS mode: The preferred cipher suite of an SSL client policy is rsa_aes_128_cbc_sha. Note that the non-FIPS default (RC4 with MD5), the exp_* export-grade suites, and single DES are cryptographically weak; an AES suite, preferably a dhe_rsa one for forward secrecy, is the practical choice.
  • Page 177: Server-Verify Enable

    • Data encryption algorithms—Encrypt data to ensure privacy. Commonly used data encryption algorithms are usually symmetric key algorithms, such as DES_CBC, 3DES_EDE_CBC, AES_CBC, and RC4. When using a symmetric key algorithm, the SSL server and the SSL client must use the same key. •...
  • Page 178: Session Cachesize

    Examples # Enable the SSL client to use digital certificates to authenticate SSL servers. <Sysname> system-view [Sysname] ssl client-policy policy1 [Sysname-ssl-client-policy-policy1] server-verify enable Related commands display ssl client-policy session cachesize Use session cachesize to set the maximum number of sessions that the SSL server can cache. Use undo session cachesize to restore the default.
  • Page 179: Ssl Server-Policy

    Syntax ssl client-policy policy-name undo ssl client-policy policy-name Default No SSL client policies exist on the device. Views System view Predefined user roles network-admin mdc-admin Parameters policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters.
  • Page 180: Ssl Version Ssl3.0 Disable

    Parameters policy-name: Specifies a name for the SSL server policy, a case-insensitive string of 1 to 31 characters. Usage guidelines This command creates an SSL server policy for which you can configure SSL parameters such as a PKI domain and supported cipher suites. An SSL server policy takes effect only after it is associated with an application such as HTTPS.
  • Page 181: Version

    version Use version to specify an SSL version for an SSL client policy. Use undo version to restore the default. Syntax In non-FIPS mode: version { ssl3.0 | tls1.0 } undo version In FIPS mode: version tls1.0 undo version Default The SSL protocol version for an SSL client policy is TLS 1.0.
  • Page 182: Ipsec Commands

    IPsec commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces.
  • Page 183: Description

    Examples # Create an IPsec transform set, and specify the AH authentication algorithm for the transform set as HMAC-SHA1. <Sysname> system-view [Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] ah authentication-algorithm sha1 description Use description to configure description for an IPsec policy. Use undo description to restore the default. Syntax description text undo description...
  • Page 184 mdc-admin mdc-operator Parameters policy: Displays information about IPv4 IPsec policies. policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters. seq-number: Specifies an IPsec policy entry by its sequence number in the range of 1 to 65535. Usage guidelines •...
  • Page 185: Related Commands

    ESP string-key: ****** ESP encryption hex key: ESP authentication hex key: Table 24 Command output Field Description IPsec Policy IPsec policy name. Interface Interface applied with the IPsec policy. Sequence number Sequence number of the IPsec policy entry. Negotiation mode of the IPsec policy: •...
  • Page 186: Display Ipsec Sa

    display ipsec sa Use display ipsec sa to display information about IPsec SAs. Syntax display ipsec sa [ brief | count | interface interface-type interface-number | policy policy-name [ seq-number ] | remote ip-address ] Views Any view Predefined user roles network-admin network-operator mdc-admin...
  • Page 187 <Sysname> display ipsec sa count Total IPsec SAs count: 4 # Display information about all IPsec SAs. <Sysname> display ipsec sa ------------------------------- Interface: Vlan-interface1 ------------------------------- ----------------------------- IPsec policy: map1 Sequence number: 10 Mode: manual ----------------------------- Tunnel id: 0 Encapsulation mode: tunnel Path MTU: 1427 Tunnel: local...
  • Page 188: Display Ipsec Statistics

    Field Description: • 2048-bit and 256-bit subgroup Diffie-Hellman group (dh-group24). Path MTU: path MTU of the IPsec SA. Tunnel: local and remote addresses of the IPsec tunnel. local address: local end IP address of the IPsec tunnel. remote address: remote end IP address of the IPsec tunnel. Flow: information about the data flow protected by the IPsec tunnel.
  • Page 189 Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID in the range of 0 to 4294967295. You can use the display ipsec tunnel brief command to view the IDs of established IPsec tunnels. Usage guidelines If you do not specify any parameters, this command displays statistics for all IPsec packets.
  • Page 190: Display Ipsec Transform-Set

    Loopback limit exceeded: 0 Table 27 Command output Field Description: Received/sent packets: number of received/sent IPsec-protected packets. Received/sent bytes: number of bytes of received/sent IPsec-protected packets. Dropped packets (received/sent): number of dropped IPsec-protected packets (received/sent). No available SA: number of dropped packets due to lack of an available IPsec SA. Wrong SA: number of dropped packets due to a wrong IPsec SA.
  • Page 191: Display Ipsec Tunnel

    <Sysname> display ipsec transform-set IPsec transform set: mytransform State: incomplete Encapsulation mode: tunnel Transform: ESP IPsec transform set: completeTransform State: complete Encapsulation mode: transport Transform: AH-ESP AH protocol: Integrity: SHA1 ESP protocol: Integrity: SHA1 Encryption: AES-CBC-128 Table 28 Command output Field Description IPsec transform set...
  • Page 192 Parameters brief: Displays brief information about IPsec tunnels. count: Displays the number of IPsec tunnels. tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID in the range of 0 to 4294967295. Usage guidelines IPsec transmits data in a secure channel established between two endpoints (such as two security gateways).
  • Page 193 Tunnel ID: 1 Status: active Perfect forward secrecy: SA's SPI: outbound: 6000 (0x00001770) [AH] inbound: 5000 (0x00001388) [AH] outbound: 8000 (0x00001f40) [ESP] inbound: 7000 (0x00001b58) [ESP] Tunnel: local address: 1.2.3.1 remote address: 2.2.2.2 Flow: as defined in ACL3100 # Display information about IPsec tunnel 1. <Sysname>...
  • Page 194: Encapsulation-Mode

    Field Description: as defined in ACL 3001: range of data flows protected by the manually established IPsec tunnel; this line shows that the tunnel protects all data flows defined by ACL 3001. encapsulation-mode Use encapsulation-mode to set the encapsulation mode that the security protocol uses to encapsulate IP packets.
  • Page 195: Esp Authentication-Algorithm

    [Sysname-ipsec-transform-set-tran1] encapsulation-mode transport Related commands ipsec transform-set esp authentication-algorithm Use esp authentication-algorithm to specify an authentication algorithm for ESP. Use undo esp authentication-algorithm to remove all authentication algorithms specified for ESP. Syntax In non-FIPS mode: esp authentication-algorithm { md5 | sha1 } * undo esp authentication-algorithm In FIPS mode: esp authentication-algorithm sha1...
  • Page 196: Esp Encryption-Algorithm

    Related commands ipsec transform-set esp encryption-algorithm Use esp encryption-algorithm to specify encryption algorithms for ESP. Use undo esp encryption-algorithm to remove all encryption algorithms specified for ESP. Syntax In non-FIPS mode: esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null } undo esp encryption-algorithm In FIPS mode: esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }*...
  • Page 197: Ike-Profile

    [Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 Related commands ipsec transform-set ike-profile Use ike-profile to specify an IKE profile for an IPsec policy. Use undo ike-profile to remove the configuration. Syntax ike-profile profile-name undo ike-profile Default An IPsec policy does not reference any IKE profile, and the device selects an IKE profile configured in system view for negotiation.
  • Page 198: Ipsec Anti-Replay Window

    Default IPsec anti-replay checking is enabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines IPsec packet de-encapsulation involves expensive computation. De-encapsulating replayed packets is unnecessary, consumes large amounts of resources, and degrades performance, which an attacker can exploit to cause a DoS. IPsec anti-replay checking, when enabled, is performed before de-encapsulation, so replayed packets are dropped before they consume those resources.
  • Page 199: Ipsec Apply Policy

    Usage guidelines Changing the anti-replay window size affects only the IPsec SAs negotiated later. In some cases, some service data packets might be received in a very different order than their original order, and the IPsec anti-replay function might drop them as replayed packets, affecting normal communications.
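The per-SA sliding window that the anti-replay check on pages 198 and 199 consults, as an added example in Python (not HPE code). It records the highest sequence number accepted and a bitmap of which of the last `size` numbers have arrived: a duplicate inside the window is a replay and is dropped, and a packet older than the window's lower edge is dropped even if it was never seen, which is the reordering failure mode the guidelines above describe and the reason a larger window is sometimes needed. The accepted window sizes (32 to 1024, powers of two) are an assumption about the command's value range; the sequence numbers fed in are constructed.

```python
"""IPsec anti-replay sliding window, RFC 4303 style.

Added example, not HPE code. Window sizes of 32..1024 are assumed.
"""
from typing import Dict, List


class AntiReplayWindow:
    VALID_SIZES = (32, 64, 128, 256, 512, 1024)

    def __init__(self, size: int = 64):
        if size not in self.VALID_SIZES:
            raise ValueError(f"window size must be one of {self.VALID_SIZES}")
        self.size = size
        self.top = 0                  # highest sequence number accepted so far
        self.bitmap = 0               # bit i set => sequence number top - i was received
        self.drops: Dict[str, int] = {"replay": 0, "too_old": 0, "zero": 0}

    def check(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; otherwise count the drop."""
        if seq <= 0:
            self.drops["zero"] += 1               # ESP sequence numbers start at 1
            return False
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                   # everything seen before falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            self.drops["too_old"] += 1            # below the window's lower edge: never seen, still dropped
            return False
        if (self.bitmap >> offset) & 1:
            self.drops["replay"] += 1             # already received: replay
            return False
        self.bitmap |= 1 << offset                # late but new: accept and mark
        return True


def run_sequence(seqs: List[int], size: int = 64) -> List[bool]:
    """Feed sequence numbers through one window; True means accepted."""
    window = AntiReplayWindow(size)
    return [window.check(s) for s in seqs]


def drops_after(seqs: List[int], size: int = 64) -> Dict[str, int]:
    """Drop counters after feeding seqs, for comparing with display ipsec statistics."""
    window = AntiReplayWindow(size)
    for s in seqs:
        window.check(s)
    return dict(window.drops)


if __name__ == "__main__":
    # Packet 36 arrives 64 behind packet 100: dropped with a 64-entry window, kept with 128.
    print(run_sequence([100, 36], 64), run_sequence([100, 36], 128))
    print(drops_after([1, 2, 3, 2, 0]))
```

The second call in the main block is the case the guidelines warn about: a legitimate packet reordered by more than the window width is counted as a drop, so raising the window is the fix rather than disabling the check. Note that, as the page says, a changed width applies only to SAs negotiated afterwards, so the change does not rescue an existing tunnel.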
  • Page 200: Ipsec Decrypt-Check Enable

    • ipsec policy ipsec decrypt-check enable Use ipsec decrypt-check enable to enable ACL checking for de-encapsulated IPsec packets. Use undo ipsec decrypt-check enable to disable ACL checking for de-encapsulated IPsec packets. Syntax ipsec decrypt-check enable undo ipsec decrypt-check enable Default ACL checking for de-encapsulated IPsec packets is enabled. Views System view Predefined user roles...
  • Page 201: Ipsec Df-Bit

    Usage guidelines After logging for IPsec packets is enabled, the device outputs a log when an IPsec packet is discarded due to, for example, lack of inbound SA, AH/ESP authentication failure, or ESP encryption failure. A log contains the source and destination IP addresses, SPI, and sequence number of the packet, and the reason it was discarded.
  • Page 202: Ipsec Global-Df-Bit

    Related commands ipsec global-df-bit ipsec global-df-bit Use ipsec global-df-bit to set the DF bit for outer IP headers of encapsulated IPsec packets on all interfaces. Use undo ipsec global-df-bit to restore the default. Syntax ipsec global-df-bit { clear | copy | set } undo ipsec global-df-bit Default The DF bit of original IP headers is copied to the outer IP headers for encapsulated IPsec packets.
  • Page 203: Ipsec Policy Local-Address

    Default No IPsec policy is created. Views System view Predefined user roles network-admin mdc-admin Parameters policy: Specifies an IPv4 IPsec policy. policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters. seq-number: Specifies a sequence number for the IPsec policy, in the range of 1 to 65535. isakmp: Establishes IPsec SAs through IKE negotiation.
  • Page 204: Ipsec Sa Global-Duration

    Syntax ipsec policy policy-name local-address interface-type interface-number undo ipsec policy policy-name local-address Default No IPsec policy is bound to a source interface. Views System view Predefined user roles network-admin mdc-admin Parameters policy: Specifies an IPv4 IPsec policy. policy-name: Name of an IPsec policy, a case-insensitive string of 1 to 63 characters. local-address interface-type interface-number: Specifies the shared source interface by its type and number.
  • Page 205: Ipsec Sa Idle-Time

    Syntax ipsec sa global-duration { time-based seconds | traffic-based kilobytes } undo ipsec sa global-duration { time-based | traffic-based } Default The time-based global lifetime is 3600 seconds, and the traffic-based global lifetime is 1843200 bytes. Views System view Predefined user roles network-admin mdc-admin Parameters...
  • Page 206: Ipsec Transform-Set

    Default The global IPsec SA idle timeout function is disabled. Views System view Predefined user roles network-admin mdc-admin Parameters seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds. Usage guidelines This function applies only to IPsec SAs negotiated by IKE. The IPsec SA idle timeout can also be configured in IPsec policy view, which takes precedence over the global IPsec SA timeout.
  • Page 207: Local-Address

    Examples # Create an IPsec transform set named tran1 and enter its view. <Sysname> system-view [Sysname] ipsec transform-set tran1 [Sysname-transform-set-tran1] Related commands display ipsec transform-set local-address Use local-address to configure the local IP address for the IPsec tunnel. Use undo local-address to restore the default. Syntax local-address ipv4-address undo local-address...
  • Page 208: Protocol

    Syntax In non-FIPS mode: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 } undo pfs In FIPS mode: pfs dh-group14 undo pfs Default The PFS feature is disabled for the IPsec transform set. Views IPsec transform set view Predefined user roles network-admin mdc-admin...
  • Page 209: Qos Pre-Classify

    Default The IPsec transform set uses the ESP protocol. Views IPsec transform set view Predefined user roles network-admin mdc-admin Parameters ah: Specifies the AH protocol. ah-esp: Specifies using the ESP protocol first and then using the AH protocol. esp: Specifies the ESP protocol. Usage guidelines The two tunnel ends must use the same security protocol in the IPsec transform set.
  • Page 210: Remote-Address

    [Sysname-ipsec-policy-manual-policy1-100] qos pre-classify remote-address Use remote-address to configure the remote IP address for the IPsec tunnel. Use undo remote-address to restore the default. Syntax remote-address { host-name | ipv4-address } undo remote-address { host-name | ipv4-address } Default No remote IP address is specified for the IPsec tunnel. Views IPsec policy view Predefined user roles...
  • Page 211: Reset Ipsec Sa

    [Sysname] ipsec policy policy1 1 isakmp [Sysname-ipsec-policy-isakmp-policy1-1] remote-address test Examples # Specify the remote IP address 10.1.1.2 for the IPsec tunnel. <Sysname> system-view [Sysname] ipsec policy policy1 10 manual [Sysname-ipsec-policy-policy1-10] remote-address 10.1.1.2 Related commands • ip host (see Layer 3—IP Services Commands Reference) •...
  • Page 212: Reset Ipsec Statistics

    An outbound SA is uniquely identified by an SA triplet, and an inbound SA is uniquely identified by an SPI. To clear IPsec SAs by specifying a triplet in the outbound direction, you must provide the remote IP address, the security protocol, and the SPI. To clear IPsec SAs by specifying a triplet in the inbound direction, you must provide the SPI and can use any valid values for the other two parameters.
  • Page 213: Sa Duration

    sa duration Use sa duration to set an SA lifetime for an IPsec policy. Use undo sa duration to remove the SA lifetime. Syntax sa duration { time-based seconds | traffic-based kilobytes } undo sa duration { time-based | traffic-based } Default The SA lifetime of an IPsec policy is the current global SA lifetime.
  • Page 214 Syntax sa hex-key authentication { inbound | outbound } { ah | esp } { cipher | simple } key-value undo sa hex-key authentication { inbound | outbound } { ah | esp } Default No authentication key is configured for manual IPsec SAs. Views IPsec policy view Predefined user roles...
  • Page 215: Sa Hex-Key Encryption

    sa hex-key encryption Use sa hex-key encryption to configure a hexadecimal encryption key for manual IPsec SAs. Use undo sa hex-key encryption to remove the hexadecimal encryption key. Syntax sa hex-key encryption { inbound | outbound } esp { cipher | simple } key-value undo sa hex-key encryption { inbound | outbound } esp Default No encryption key is configured for manual IPsec SAs.
  • Page 216: Sa Idle-Time

    Related commands • display ipsec sa • sa string-key sa idle-time Use sa idle-time to set the IPsec SA idle timeout for an IPsec policy. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted. Use undo sa idle-time to restore the default.
  • Page 217: Sa String-Key

    Default No SPI is configured for IPsec SAs. Views IPsec policy view Predefined user roles network-admin mdc-admin Parameters inbound: Specifies an SPI for inbound SAs. outbound: Specifies an SPI for outbound SAs. ah: Uses AH. esp: Uses ESP. spi-number: Specifies a security parameter index (SPI) in the range of 256 to 4294967295. Usage guidelines This command applies only to manual IPsec policies.
  • Page 218: Security Acl

    Predefined user roles network-admin mdc-admin Parameters inbound: Sets a key string for inbound IPsec SAs. outbound: Sets a key string for outbound IPsec SAs. ah: Uses AH. esp: Uses ESP. cipher: Sets a ciphertext key. simple: Sets a plaintext key. key-value: Specifies a case-sensitive key string.
  • Page 219 Default An IPsec policy references no ACL. Views IPsec policy view Predefined user roles network-admin mdc-admin Parameters acl-number: Specifies an ACL by its number in the range of 3000 to 3999. name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. aggregation: Specifies the data protection mode as aggregation.
  • Page 220: Snmp-Agent Trap Enable Ipsec

    • display ipsec tunnel snmp-agent trap enable ipsec Use snmp-agent trap enable ipsec to enable SNMP notifications for IPsec. Use undo snmp-agent trap enable ipsec to disable SNMP notifications for IPsec. Syntax snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach | tunnel-start | tunnel-stop ] * undo snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global |...
  • Page 221: Transform-Set

    [Sysname] snmp-agent trap enable ipsec global # Enable SNMP notifications for events of creating IPsec tunnels. [Sysname] snmp-agent trap enable ipsec tunnel-start transform-set Use transform-set to reference an IPsec transform set for an IPsec policy. Use undo transform-set to remove the IPsec transform set referenced by an IPsec policy. Syntax transform-set transform-set-name&<1-6>...
  • Page 222: Ike Commands

    IKE commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces.
  • Page 223: Certificate Domain

    Use undo authentication-method to restore the default. Syntax authentication-method { dsa-signature | pre-share | rsa-signature } undo authentication-method Default The IKE proposal uses the pre-shared key as the authentication method. Views IKE proposal view Predefined user roles network-admin mdc-admin Parameters dsa-signature: Specifies the DSA signatures as the authentication method.
  • Page 224 Syntax certificate domain domain-name undo certificate domain domain-name Default No PKI domains are specified for signature authentication. Views IKE profile view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. Usage guidelines This command is available in Release 2137 and later versions.
  • Page 225: Display Ike Proposal

    Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal. Use undo dh to restore the default. Syntax In non-FIPS mode: dh { group1 | group14 | group2 | group24 | group5 } undo dh In FIPS mode: dh group14...
  • Page 226: Display Ike Sa

    Syntax display ike proposal Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Usage guidelines This command displays the configuration information about all IKE proposals in descending order of proposal priorities. If no IKE proposal is configured, the command displays the default IKE proposal. Examples # Display the configuration information about all IKE proposals.
  • Page 227 Syntax display ike sa [ verbose [ connection-id connection-id | remote-address remote-address [ vpn-instance vpn-name ] ] ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters verbose: Displays detailed information. connection-id connection-id: Displays detailed information about IKE SAs by connection ID in the range of 1 to 2000000000.
  • Page 228 Connection ID: 2 Outside VPN: 1 Inside VPN: 1 Profile: prof1 Transmitting entity: Initiator --------------------------------------------- Local IP: 4.4.4.4 Local ID type: IPV4_ADDR Local ID: 4.4.4.4 Remote IP: 4.4.4.5 Remote ID type: IPV4_ADDR Remote ID: 4.4.4.5 Authentication-method: PRE-SHARED-KEY Authentication-algorithm: SHA1 Encryption-algorithm: AES-CBC-128 Life duration(sec): 86400 Remaining key duration(sec): 86379 Exchange-mode: Main...
  • Page 229: Dpd

    NAT traversal: Not detected Table 33 Command output Field / Description: Connection ID: Identifier of the IKE SA. Outside VPN: VPN instance name of the MPLS L3VPN to which the receiving interface belongs. Inside VPN: VPN instance name of the MPLS L3VPN to which the protected data belongs.
  • Page 230: Encryption-Algorithm

    Predefined user roles network-admin mdc-admin Parameters interval interval-seconds: Specifies a period of time in seconds. The value range is from 1 to 300. • If the on-demand keyword is specified, this parameter specifies the number of seconds during which no IPsec packet is received before DPD is triggered if the local end has IPsec traffic to send.
  • Page 231: Exchange-Mode

    In FIPS mode, an IKE proposal uses the 128-bit AES encryption algorithm in CBC mode. Views IKE proposal view Predefined user roles network-admin mdc-admin Parameters 3des-cbc: Uses the 3DES algorithm in CBC mode as the encryption algorithm. The 3DES algorithm uses a 168-bit key for encryption.
  • Page 232: Ike Dpd

    Views IKE profile view Predefined user roles network-admin mdc-admin Parameters aggressive: Specifies the aggressive mode. main: Specifies the main mode. Usage guidelines As a best practice, specify the aggressive mode at the local end if the following conditions are met: •...
  • Page 233: Ike Identity

    retry seconds: Specifies the number of seconds between DPD retries if a DPD message fails. The value range for the seconds argument is 1 to 60 seconds, and the default is 5 seconds. on-demand: Sends DPD messages on demand. periodic: Sends DPD messages at regular intervals. Usage guidelines DPD is triggered periodically or on demand.
  • Page 234: Ike Invalid-Spi-Recovery Enable

    Usage guidelines The global identity can be used by the device for all IKE SA negotiations, and the local identity (set by the local-identity command) can be used only by the device that uses the IKE profile. In pre-shared key authentication, you cannot set the DN as the identity. Examples # Set the IP address 2.2.2.2 as the identity.
  • Page 235: Ike Keepalive Interval

    ike keepalive interval Use ike keepalive interval to enable sending IKE keepalives and set the sending interval. Use undo ike keepalive interval to restore the default. Syntax ike keepalive interval seconds undo ike keepalive interval Default No IKE keepalives are sent. Views System view Predefined user roles...
  • Page 236: Ike Keychain

    Predefined user roles network-admin mdc-admin Parameters seconds: Specifies the number of seconds between IKE keepalives. The value is in the range of 20 to 28800. Usage guidelines If the local end receives no keepalive packets from the peer during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.
  • Page 237: Ike Limit

    Examples # Create IKE keychain key1 and enter its view. <Sysname> system-view [Sysname] ike keychain key1 [Sysname-ike-keychain-key1] Related commands • authentication-method • pre-shared-key ike limit Use ike limit to set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs.
  • Page 238: Ike Nat-Keepalive

    ike nat-keepalive Use ike nat-keepalive to set the NAT keepalive interval. Use undo ike nat-keepalive to restore the default. Syntax ike nat-keepalive seconds undo ike nat-keepalive Default The NAT keepalive interval is 20 seconds. Views System view Predefined user roles network-admin mdc-admin Parameters...
  • Page 239: Ike Proposal

    Examples # Create IKE profile 1 and enter its view. <Sysname> system-view [Sysname] ike profile 1 [Sysname-ike-profile-1] ike proposal Use ike proposal to create an IKE proposal and enter IKE proposal view. Use undo ike proposal to delete an IKE proposal. Syntax ike proposal proposal-number undo ike proposal proposal-number...
  • Page 240: Ike Signature-Identity From-Certificate

    <Sysname> system-view [Sysname] ike proposal 1 [Sysname-ike-proposal-1] Related commands display ike proposal ike signature-identity from-certificate Use ike signature-identity from-certificate to configure the local device to obtain the identity information from the local certificate for signature authentication. Use undo ike signature-identity from-certificate to restore the default. Syntax ike signature-identity from-certificate undo ike signature-identity from-certificate...
  • Page 241: Local-Identity

    Syntax keychain keychain-name undo keychain keychain-name Default No IKE keychain is specified for an IKE profile. Views IKE profile view Predefined user roles network-admin mdc-admin Parameters keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters. Usage guidelines An IKE profile can reference up to six IKE keychains.
  • Page 242: Match Local Address (Ike Keychain View)

    Parameters address ipv4-address: Uses an IPv4 address as the local ID. dn: Uses the DN in the local certificate as the local ID. fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN.
  • Page 243: Match Local Address (Ike Profile View)

    vpn-instance vpn-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To specify an IP address on the public network, do not specify this option. Usage guidelines Use this command to specify which address or interface can use the IKE keychain for IKE negotiation.
  • Page 244: Match Remote

    Usage guidelines Use this command to specify which address or interface can use the IKE profile for IKE negotiation. Specify the local address configured in IPsec policy view (using the local-address command) for this command. If no local address is configured, specify the IP address of the interface that references the IPsec policy.
  • Page 245: Pre-Shared-Key

    • address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID for IKE profile matching. The end address must be higher than the start address. • fqdn fqdn-name: Uses the peer's FQDN as the peer ID for IKE profile matching. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.
  • Page 246: Priority (Ike Keychain View)

    mdc-admin Parameters address: Specifies a peer by its address. ipv4-address: Specifies the IPv4 address of the peer. mask: Specifies the mask in dotted decimal notation. The default mask is 255.255.255.255. mask-length: Specifies the mask length in the range of 0 to 32. The default mask length is 32. hostname host-name: Specifies a peer by its hostname, a case-sensitive string of 1 to 255 characters.
  • Page 247: Priority (Ike Profile View)

    Views IKE keychain view Predefined user roles network-admin mdc-admin Parameters priority number: Specifies a priority number in the range of 1 to 65535. The lower the priority number, the higher the priority. Usage guidelines To determine the priority of an IKE keychain, the device examines the existence of the match local address command before examining the priority number.
  • Page 248: Proposal

    <Sysname> system-view [Sysname] ike profile prof1 [Sysname-ike-profile-prof1] priority 10 proposal Use proposal to specify the IKE proposals for an IKE profile to reference. Use undo proposal to remove the IKE proposal references. Syntax proposal proposal-number&<1-6> undo proposal Default An IKE profile references no IKE proposals and uses the IKE proposals configured in system view for IKE negotiation.
  • Page 249: Reset Ike Statistics

    Predefined user roles network-admin mdc-admin Parameters connection-id connection-id: Specifies the connection ID of the IKE SA to be cleared, in the range of 1 to 2000000000. Usage guidelines When you delete an IKE SA, the device automatically sends a notification to the peer. Examples # Display the current IKE SAs.
  • Page 250: Sa Duration

    Related commands snmp-agent trap enable ike sa duration Use sa duration to set the IKE SA lifetime for an IKE proposal. Use undo sa duration to restore the default. Syntax sa duration seconds undo sa duration Default The IKE SA lifetime is 86400 seconds. Views IKE proposal view Predefined user roles...
  • Page 251 invalid-id | invalid-proposal | invalid-protocol | invalid-sign | no-sa-failure | proposal-add | proposal-delete | tunnel-start | tunnel-stop | unsupport-exch-type ] * Default All SNMP notifications for IKE are enabled. Views System view Predefined user roles network-admin mdc-admin Parameters attr-not-support: Specifies SNMP notifications for attribute-unsupported failures. auth-failure: Specifies SNMP notifications for authentication failures.
  • Page 252: Ssh Commands

    SSH commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSH server commands display ssh server Use display ssh server on an SSH server to display the SSH server status or sessions.
  • Page 253: Display Ssh User-Information

    Field / Description: SSH authentication-timeout: Authentication timeout timer. SSH server key generating interval: SSH server key pair update interval. SSH authentication retries: Maximum number of authentication attempts for SSH users. SFTP server: Whether the SFTP server is enabled. SFTP server Idle-Timeout: SFTP connection idle timeout timer.
  • Page 254: Scp Server Enable

    mdc-admin mdc-operator Parameters username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users. Usage guidelines This command only displays information about SSH users configured by using the ssh user command on the SSH server.
  • Page 255: Sftp Server Enable

    Predefined user roles network-admin mdc-admin Examples # Enable the SCP server. <Sysname> system-view [Sysname] scp server enable Related commands display ssh server sftp server enable Use sftp server enable to enable the SFTP server. Use undo sftp server enable to restore the default. Syntax sftp server enable undo sftp server enable...
  • Page 256: Ssh Server Acl

    Views System view Predefined user roles network-admin mdc-admin Parameters time-out-value: Specifies an idle timeout timer in the range of 1 to 35791 minutes. Usage guidelines If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection.
  • Page 257: Ssh Server Authentication-Retries

    • The specified ACL does not have any rules. The ACL takes effect only on SSH connections that are initiated after the ACL configuration. If you execute this command multiple times, the most recent configuration takes effect. Examples # Configure ACL 2001 and permit only the users at 1.1.1.1 to initiate SSH connections to the server. <Sysname>...
  • Page 258: Ssh Server Authentication-Timeout

    [Sysname] ssh server authentication-retries 4 Related commands display ssh server ssh server authentication-timeout Use ssh server authentication-timeout to set the SSH user authentication timeout timer on the SSH server. Use undo ssh server authentication-timeout to restore the default. Syntax ssh server authentication-timeout time-out-value undo ssh server authentication-timeout Default The authentication timeout timer is 60 seconds.
  • Page 259: Ssh Server Dscp

    Views System view Predefined user roles network-admin network-operator mdc-admin mdc-operator Usage guidelines This command is not available in FIPS mode. This configuration does not affect logged-in users. It affects only new SSH users. Examples # Enable the SSH server to support SSH1 clients. <Sysname>...
  • Page 260: Ssh Server Enable

    ssh server enable Use ssh server enable to enable the Stelnet server. Use undo ssh server enable to restore the default. Syntax ssh server enable undo ssh server enable Default The Stelnet server is disabled. Views System view Predefined user roles network-admin mdc-admin Examples...
  • Page 261: Ssh User

    Updating the RSA server key pair periodically prevents malicious attacks on the key pair and enhances the security of SSH connections. This command takes effect only on the SSH clients that use SSH1 client software. Examples # Set the RSA server key pair update interval to 3 hours. <Sysname>...
  • Page 262 • password: Specifies password authentication. This authentication method provides easy and fast encryption, but it is vulnerable. It can work with AAA to implement user authentication, authorization, and accounting. • any: Specifies either password authentication or publickey authentication. • password-publickey: Specifies both password authentication and publickey authentication (featuring higher security) if the client runs SSH2, and specifies either type of authentication if the client runs SSH1.
  • Page 263: Ssh Client Commands

    Examples # Create an SSH user named user1, and specify the service type as sftp and the authentication method as password-publickey for the user. Assign the host public key key1 to the user. <Sysname> system-view [Sysname] ssh user user1 service-type sftp authentication-type password-publickey assign publickey key1 # Create a local device management user named user1, specify the password as 123456TESTplat&! in plain text and the service type as ssh for the user.
  • Page 264: Cdup

    Views SFTP client view Predefined user roles network-admin mdc-admin Parameters remote-path: Specifies the name of a directory on the server. Usage guidelines You can use the cd .. command to return to the upper-level directory. You can use the cd / command to return to the root directory of the system. Examples # Change the working directory to new1.
  • Page 265: Dir

    Syntax delete remote-file Views SFTP client view Predefined user roles network-admin mdc-admin Parameters remote-file: Specifies a file. Usage guidelines This command has the same function as the remove command. Examples # Delete the file temp.c from the server. sftp> delete temp.c Removing /temp.c Use dir to display information about the files and subdirectories under a directory.
  • Page 266: Display Sftp Client Source

    pub1 new1 new2 pub2 # Display detailed information about the files and subdirectories under the current working directory in a list. sftp> dir -l -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup...
  • Page 267: Exit

    Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Usage guidelines This command only displays the Stelnet client's source IP address that is configured by using the ssh client source command. The default source IP address of the Stelnet client is not provided in the command output. Examples # Display the source IP address configured for the Stelnet client.
  • Page 268: Help

    Views SFTP client view Predefined user roles network-admin mdc-admin Parameters remote-file: Specifies the name of a file on the SFTP server. local-file: Specifies the name for the local file. If you do not specify this argument, the file will be saved locally with the same name as the file on the server.
  • Page 269 List all filenames List filename including the specific information of the file mkdir path Create remote directory put local-path [remote-path] Upload file Display remote working directory quit Quit sftp rename oldpath newpath Rename remote file remove path Delete remote file rmdir path Delete remote empty directory Synonym for help...
  • Page 270: Mkdir

    -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 -rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1 drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1 drwxrwxrwx 1 noone...
  • Page 271: Pwd

    startup01.bak 100% 1424 1.4KB/s 00:00 Use pwd to display the current working directory of an SFTP server. Syntax Views SFTP client view Predefined user roles network-admin mdc-admin Examples # Display the current working directory of the SFTP server. sftp> pwd Remote working directory: / The output shows that the current working directory is the root directory.
  • Page 272: Rename

    Predefined user roles network-admin mdc-admin Parameters remote-file: Specifies a file. Usage guidelines This command has the same function as the delete command. Examples # Delete the file temp.c from the SFTP server. sftp> remove temp.c Removing /temp.c rename Use rename to change the name of a file or directory on an SFTP server. Syntax rename old-name new-name Views...
  • Page 273: Scp

    mdc-admin Parameters remote-path: Specifies a directory. Examples # Delete the subdirectory temp1 under the current directory on the SFTP server. sftp> rmdir temp1 Use scp to establish a connection to an IPv4 SCP server and transfer files with the server. Syntax In non-FIPS mode: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name...
  • Page 274 • rsa: Specifies the public key algorithm rsa. prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported. zlib: Specifies the compression algorithm zlib. prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
  • Page 275: Sftp

    • Preferred client-to-server HMAC algorithm sha1. • Preferred server-to-client HMAC algorithm sha1-96. • Preferred compression algorithm zlib. <Sysname> scp 200.1.1.1 get abc.txt prefer-kex dh-group14 prefer-stoc-cipher aes128 prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib publickey svkey sftp Use sftp to establish a connection to an IPv4 SFTP server and enter SFTP client view. Syntax In non-FIPS mode: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } |...
  • Page 276 • 3des: Specifies the encryption algorithm 3des-cbc. • aes128: Specifies the encryption algorithm aes128-cbc. • aes256: Specifies the encryption algorithm aes256-cbc. • des: Specifies the encryption algorithm des-cbc. prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. Algorithms sha1 and sha1-96 provide stronger security but cost more computation time than md5 and md5-96.
  • Page 277: Sftp Client Source

    sftp client source Use sftp client source to specify the source IPv4 address for SFTP packets. Use undo sftp client source to restore the default. Syntax sftp client source { interface interface-type interface-number | ip ip-address } undo sftp client source Default The source IP address for SFTP packets is not configured.
  • Page 278: Ssh2

    Default The source IP address for SSH packets is not configured. The SSH packets use the primary IPv4 address of the output interface specified in the routing entry as their source IP address. Views System view Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies a source interface by its type and number.
  • Page 279 Views User view Predefined user roles network-admin mdc-admin Parameters server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.
  • Page 280 dscp dscp-value: Specifies the DSCP value in the IPv4 SSH packets sent by the SSH client, in the range of 0 to 63. The default value is 48. The DSCP value determines the transmission priority of the packet. escape character: Specifies an escape character. By default, the escape character is a tilde (~). publickey keyname: Specifies the host public key of the server, which is used to authenticate the server.
  • Page 281: Ip Source Guard Commands

    IP source guard commands The IPSG feature is available on Layer 2 and Layer 3 Ethernet interfaces and VLAN interfaces. The term "interface" in this chapter collectively refers to these types of interfaces. You can use the port link-mode command to configure an Ethernet port as a Layer 2 or Layer 3 interface (see Layer 2—LAN Switching Configuration Guide).
  • Page 282: Ip Source Binding (Interface View)

    Usage guidelines If you do not specify any parameter, the command displays the following bindings: • Static and dynamic IPv4SG bindings on all interfaces on the public network. • Global static IPv4SG bindings. In standalone mode, if you specify neither an interface nor a card, the command displays IPv4SG bindings obtained by the switching fabric modules from all interfaces.
  • Page 283: Ip Source Binding (System View)

    Use undo ip source binding to remove the static IPv4SG bindings configured on an interface. Syntax ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ] undo ip source binding { all | ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ] Default No static IPv4SG binding exists on an interface.
  • Page 284: Ip Verify Source

    Syntax ip source binding ip-address ip-address mac-address mac-address undo ip source binding { all | ip-address ip-address mac-address mac-address } Default No global static IPv4SG binding exists. Views System view Predefined user roles network-admin mdc-admin Parameters ip-address ip-address: Specifies the IPv4 address for the static binding. The IPv4 address cannot be 127.x.x.x, 0.0.0.0, or a multicast IP address.
  • Page 285 Parameters ip-address: Filters incoming packets by source IPv4 addresses. ip-address mac-address: Filters incoming packets by source IPv4 addresses and source MAC addresses. mac-address: Filters incoming packets by source MAC addresses. Usage guidelines The matching criterion in this command applies only to dynamic IPSG. Static IPv4SG uses static bindings configured by using the ip source binding command.
  • Page 286: Arp Attack Protection Commands

    ARP attack protection commands Unresolvable IP attack protection commands arp resolving-route enable Use arp resolving-route enable to enable ARP blackhole routing. Use undo arp resolving-route enable to disable ARP blackhole routing. Syntax arp resolving-route enable undo arp resolving-route enable Default ARP blackhole routing is enabled.
  • Page 287: Arp Resolving-Route Probe-Interval

    Examples # Configure the device to perform three ARP blackhole route probes. <Sysname> system-view [Sysname] arp resolving-route probe-count 3 arp resolving-route probe-interval Use arp resolving-route probe-interval to set the interval at which the device probes ARP blackhole routes. Use undo arp resolving-route probe-interval to remove the configuration. Syntax arp resolving-route probe-interval interval undo arp resolving-route probe-interval...
  • Page 288: Arp Source-Suppression Limit

    Examples # Enable the ARP source suppression feature. <Sysname> system-view [Sysname] arp source-suppression enable Related commands display arp source-suppression arp source-suppression limit Use arp source-suppression limit to set the maximum number of unresolvable packets that can be received from a device in 5 seconds. Use undo arp source-suppression limit to restore the default.
  • Page 289: Arp Packet Rate Limit Commands

    Predefined user roles network-admin network-operator Examples # Display information about ARP source suppression configuration. <Sysname> display arp source-suppression ARP source suppression is enabled Current suppression limit: 100 Table 38 Command output. Field: Current suppression limit. Description: Maximum number of unresolvable packets that can be received from a host in 5 seconds.
  • Page 290: Arp Rate-Limit Log Enable

    Examples # Set the maximum ARP packet rate to 50 pps on FortyGigE 1/0/1. <Sysname> system-view [Sysname] interface fortygige 1/0/1 [Sysname-FortyGigE1/0/1] arp rate-limit 50 arp rate-limit log enable Use arp rate-limit log enable to enable logging for ARP packet rate limit. Use undo arp rate-limit log enable to disable logging for ARP packet rate limit.
  • Page 291: Snmp-Agent Trap Enable Arp

    Views System view Predefined user roles network-admin mdc-admin Parameters seconds: Specifies an interval in the range of 1 to 86400 seconds. Usage guidelines To change the default interval and activate it, you must enable ARP packet rate limit and enable sending of notifications or log messages for ARP packet rate limit.
  • Page 292: Source Mac-Based Arp Attack Detection Commands

    Examples # Enable SNMP notifications for ARP packet rate limit. <Sysname> system-view [Sysname] snmp-agent trap enable arp rate-limit Source MAC-based ARP attack detection commands The source MAC-based ARP attack detection feature is available in Release 2137 and later versions. arp source-mac Use arp source-mac to enable the source MAC-based ARP attack detection feature and specify a handling method.
  • Page 293: Arp Source-Mac Aging-Time

    arp source-mac aging-time Use arp source-mac aging-time to set the aging time for ARP attack entries. Use undo arp source-mac aging-time to restore the default. Syntax arp source-mac aging-time time undo arp source-mac aging-time Default The aging time for ARP attack entries is 300 seconds. Views System view Predefined user roles...
  • Page 294: Arp Source-Mac Threshold

    Usage guidelines If you do not specify a MAC address, the undo arp source-mac exclude-mac command removes all excluded MAC addresses. Examples # Exclude a MAC address from source MAC-based ARP attack detection. <Sysname> system-view [Sysname] arp source-mac exclude-mac 2-2-2 arp source-mac threshold Use arp source-mac threshold to set the threshold for source MAC-based ARP attack detection.
  • Page 295: Arp Packet Source Mac Consistency Check Commands

    Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies an interface by its type and number. slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ARP attack entries for the active MPU.
  • Page 296: Arp Active Acknowledgement Commands

    Predefined user roles network-admin mdc-admin Usage guidelines Configure this feature on gateways. The gateways can filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body. Examples # Enable ARP packet source MAC address consistency check. <Sysname>...
  • Page 297: Authorized Arp Commands

    Authorized ARP commands The authorized ARP feature is available in Release 2137 and later versions. arp authorized enable Use arp authorized enable to enable authorized ARP on an interface. Use undo arp authorized enable to restore the default. Syntax arp authorized enable undo arp authorized enable Default Authorized ARP is disabled on the interface.
  • Page 298: Arp Detection Log Enable

    <Sysname> system-view [Sysname] vlan 2 [Sysname-vlan2] arp detection enable arp detection log enable Use arp detection log enable to enable ARP detection logging. Use undo arp detection log enable to disable ARP detection logging. Syntax arp detection log enable undo arp detection log enable Default ARP detection logging is disabled.
  • Page 299: Arp Detection Validate

    [Sysname] interface fortygige 1/0/1 [Sysname-FortyGigE1/0/1] arp detection trust arp detection validate Use arp detection validate to enable ARP packet validity check. You can specify one or more objects to be checked in one command line. Use undo arp detection validate to disable ARP packet validity check. If no keyword is specified, this command deletes all objects.
  • Page 300: Display Arp Detection

    Views VLAN view Predefined user roles network-admin Examples # Enable ARP restricted forwarding in VLAN 2. <Sysname> system-view [Sysname] vlan 2 [Sysname-vlan2] arp restricted-forwarding enable display arp detection Use display arp detection to display the VLANs enabled with ARP detection. Syntax display arp detection Views...
  • Page 301: Reset Arp Detection Statistics

    Usage guidelines This command displays numbers of packets discarded by user validity check and ARP packet validity check. If you do not specify any interface, the command displays statistics for all interfaces. Examples # Display the ARP detection statistics for all interfaces. <Sysname>...
  • Page 302: Arp Scanning And Fixed Arp Commands

    Parameters interface interface-type interface-number: Clears the ARP detection statistics of a specific interface. Usage guidelines If you do not specify any interface, this command clears the statistics of all interfaces. Examples # Clear the ARP detection statistics of all interfaces. <Sysname>...
  • Page 303: Arp Scan

    <Sysname> system-view [Sysname] undo arp fixup arp scan Use arp scan to trigger an ARP scanning in an address range. Syntax arp scan [ start-ip-address to end-ip-address ] Views Layer 3 Ethernet interface view, Layer 3 aggregate interface view, VLAN interface view Predefined user roles network-admin mdc-admin...
  • Page 304: Arp Filter Source

    arp filter source Use arp filter source to enable ARP gateway protection for a gateway. Use undo arp filter source to disable ARP gateway protection for a gateway. Syntax arp filter source ip-address undo arp filter source ip-address Default ARP gateway protection is disabled. Views Layer 2 Ethernet interface view, Layer 2 aggregate interface view Predefined user roles...
  • Page 305 Predefined user roles network-admin mdc-admin Parameters ip-address: Specifies a permitted sender IP address. mac-address: Specifies a permitted sender MAC address. Usage guidelines You can configure a maximum of eight ARP permitted entries on an interface. You cannot configure both the arp filter source and arp filter binding commands on the same interface.
  • Page 306: Urpf Commands

    uRPF commands display ip urpf Use display ip urpf to display uRPF configuration. Syntax In standalone mode: display ip urpf [ slot slot-number ] In IRF mode: display ip urpf [ chassis chassis-number slot slot-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin...
  • Page 307 Use undo ip urpf to disable uRPF. Syntax ip urpf { loose | strict } undo ip urpf Default uRPF is disabled. Views System view Predefined user roles network-admin mdc-admin Parameters loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.
  • Page 308: Fips Commands

    FIPS commands display fips status Use display fips status to display the current FIPS mode state. Syntax display fips status Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Examples # Display the current FIPS mode state. <Sysname> display fips status FIPS mode is enabled.
  • Page 309 After you execute the fips mode enable command, the system provides the following methods to enter FIPS mode: • Automatic reboot Select the automatic reboot method. The system automatically performs the following tasks: a. Create a default FIPS configuration file named fips-startup.cfg. b.
  • Page 310: Fips Self-Test

    Reboot the device automatically? [Y/N]:y The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically. Enter username(1-55 characters): root Enter password(15-63 characters): Confirm password: Waiting for reboot...
  • Page 311 Examples # Trigger a self-test on the cryptographic algorithms. <Sysname> system-view [Sysname] fips self-test FIPS Known-Answer Tests are running ... Slot 10 in chassis 1: Starting Known-Answer tests in the user space. Known-answer test for SHA1 passed. Known-answer test for SHA224 passed. Known-answer test for SHA256 passed.
  • Page 312: Attack Detection And Prevention Commands

    Attack detection and prevention commands attack-defense tcp fragment enable Use attack-defense tcp fragment enable to enable TCP fragment attack prevention. Use undo attack-defense tcp fragment enable to disable TCP fragment attack prevention. Syntax attack-defense tcp fragment enable undo attack-defense tcp fragment enable Default TCP fragment attack prevention is enabled.
  • Page 313: Document Conventions And Icons

    Document conventions and icons Conventions This section describes the conventions used in the documentation. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown.
  • Page 314: Network Topology Icons

    Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 315: Support And Other Resources

    Support and other resources Accessing Hewlett Packard Enterprise Support • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc Information to collect •...
  • Page 316: Websites

    Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 317: Index

    Index A B C D E F G H I K L M N O P Q R S T U V aaa session-limit,1 bye,255 access-limit,16 accounting command,2 ca identifier,112 accounting default,2 cd,255 accounting login,3 cdup,256 accounting-on enable,26 certificate domain,215 ah authentication-algorithm,174 certificate request entity,113 arp active-ack enable,288...
  • Page 318 display password-control blacklist,76 ike profile,230 display pki certificate access-control-policy,120 ike proposal,231 display pki certificate attribute-group,121 ike signature-identity from-certificate,232 display pki certificate domain,122 ike-profile,189 display pki certificate request-status,127 ip,130 display pki crl,128 ip source binding (interface view),274 display public-key local public,94 ip source binding (system view),275 display public-key peer,97 ip urpf,298...
  • Page 319 password-control aging,78 put,262 password-control alert-before-expire,79 pwd,263 password-control complexity,80 password-control composition,81 qos pre-classify,201 password-control enable,83 quit,263 password-control expired-user-login,84 password-control history,85 password-control length,85 radius nas-ip,38 password-control login idle-time,87 radius scheme,39 password-control login-attempt,87 radius session-control enable,39 password-control super aging,89 remote-address,202 password-control super composition,90 remove,263 password-control super length,91 rename,264...
  • Page 320 sftp,267 state primary,47 sftp client source,269 state secondary,48 sftp server enable,247 sftp server idle-timeout,247 timer quiet (HWTACACS scheme view),70 snmp-agent trap enable arp,283 timer quiet (RADIUS scheme view),49 snmp-agent trap enable ike,242 timer realtime-accounting (HWTACACS scheme snmp-agent trap enable ipsec,212 view),71 snmp-agent trap enable radius,46 timer realtime-accounting (RADIUS scheme...