HP MSR Series Command Reference Manual

HP MSR Router Series
Security
Command Reference(V7)
Part number: 5998-6475
Software version: CMW710-R0106
Document version: 6PW101-20140807


Summary of Contents for HP MSR Series

  • Page 2: Legal And Notice Information

    The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an...
  • Page 3: Table Of Contents

    Contents
    Legal and notice information, p. i
    AAA commands, p. 1
    General AAA commands, p. 1
    aaa session-limit, p. 1
    access-limit enable, p. 2
    accounting command, p. 2
    accounting default, p. 3
    accounting lan-access, p. 4
    ...
  • Page 4
    display radius scheme, p. 49
    display radius statistics, p. 52
    key (RADIUS scheme view), p. 53
    nas-ip (RADIUS scheme view), p. 54
    port, p. 55
    primary accounting (RADIUS scheme view), p. 56
    primary authentication (RADIUS scheme view), p. 58
    ...
  • Page 5
    login-password, p. 104
    protocol-version, p. 105
    search-base-dn, p. 106
    search-scope, p. 107
    server-timeout, p. 107
    user-parameters, p. 108
    802.1X commands, p. 110
    display dot1x, p. 110
    display dot1x connection, p. 113
    dot1x ...
  • Page 6
    display portal web-server, p. 161
    ip, p. 162
    ipv6, p. 163
    port, p. 164
    portal { bas-ip | bas-ipv6 }, p. 165
    portal apply web-server, p. 166
    portal delete-user, p. 167
    portal domain, p. 168
    ...
  • Page 7
    password-control expired-user-login, p. 216
    password-control history, p. 217
    password-control length, p. 218
    password-control login idle-time, p. 219
    password-control login-attempt, p. 220
    password-control super aging, p. 222
    password-control super composition, p. 222
    password-control super length, p. 223
    ...
  • Page 8
    pki retrieve-certificate, p. 284
    pki retrieve-crl, p. 285
    pki storage, p. 286
    pki validate-certificate, p. 287
    public-key dsa, p. 289
    public-key rsa, p. 290
    root-certificate fingerprint, p. 291
    rule, p. 293
    source, p. 294
    ...
  • Page 9
    sa spi, p. 344
    sa string-key, p. 345
    security acl, p. 347
    snmp-agent trap enable ipsec, p. 348
    transform-set, p. 349
    IKE commands, p. 351
    authentication-algorithm, p. 351
    authentication-method, p. 351
    certificate domain, p. 352
    ...
  • Page 10
    ssh server ipv6 dscp, p. 392
    ssh server rekey-interval, p. 392
    ssh user, p. 393
    SSH client commands, p. 395
    bye, p. 395
    cd, p. 396
    cdup, p. 396
    delete, p. 397
    dir ...
  • Page 11
    display aspf policy, p. 436
    display aspf session, p. 437
    icmp-error drop, p. 440
    reset aspf session, p. 441
    tcp syn-check, p. 442
    APR commands, p. 443
    app-group, p. 443
    application statistics enable, p. 443
    ...
  • Page 12
    display object group, p. 502
    network (IPv4 address object group view), p. 504
    network (IPv6 address object group view), p. 506
    object-group, p. 508
    port (port object group view), p. 509
    service (service object group view), p. 511
    ...
  • Page 13
    Crypto engine commands, p. 544
    crypto-engine accelerator disable, p. 544
    display crypto-engine, p. 544
    display crypto-engine statistics, p. 546
    reset crypto-engine statistics, p. 547
    FIPS commands, p. 549
    display fips status, p. 549
    fips mode enable ...
  • Page 14
    ... p. 657
    udp-flood detect non-specific, p. 658
    udp-flood threshold, p. 658
    Support and other resources, p. 660
    Contacting HP, p. 660
    Subscription service, p. 660
    Related information, p. 660
    Documents, p. 660
    ...
  • Page 15: Aaa Commands

    AAA commands
    The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
    General AAA commands
    aaa session-limit
    Use aaa session-limit to set the maximum number of concurrent users who can log on to the device through the specified method.
  • Page 16: Access-Limit Enable

    Examples
    # Set the maximum number of concurrent FTP users to 4.
    <Sysname> system-view
    [Sysname] aaa session-limit ftp 4
    access-limit enable
    Use access-limit enable to set the maximum number of online users in an ISP domain. After the number of online users reaches the allowed maximum number, no more users are accepted. Use undo access-limit enable to restore the default.
  • Page 17: Accounting Default

    Default
    The default accounting method of the ISP domain is used for command line accounting.
    Views
    ISP domain view
    Predefined user roles
    network-admin
    Parameters
    hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
    Usage guidelines
    The command line accounting function works with the accounting server to record all commands that have been successfully executed on the device.
  • Page 18: Accounting Lan-Access

    Views
    ISP domain view
    Predefined user roles
    network-admin
    Parameters
    hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
    local: Performs local accounting.
    none: Does not perform accounting.
    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 19
    accounting lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
    undo accounting lan-access
    In FIPS mode:
    accounting lan-access { local | radius-scheme radius-scheme-name [ local ] }
    undo accounting lan-access
    Default
    The default accounting method for the ISP domain is used for LAN users.
  • Page 20: Accounting Login

    accounting login
    Use accounting login to specify the accounting method for login users. Use undo accounting login to restore the default.
    Syntax
    In non-FIPS mode:
    accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
    undo accounting login
    In FIPS mode: ...
  • Page 21: Accounting Portal

    [Sysname] domain test
    [Sysname-isp-test] accounting login local
    # Configure ISP domain test to use RADIUS scheme rd for login user accounting and use local accounting as the backup.
    <Sysname> system-view
    [Sysname] domain test
    [Sysname-isp-test] accounting login radius-scheme rd local
    Related commands
    • accounting default
    • ...
  • Page 22: Accounting Ppp

    primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.
  • Page 23: Authentication Default

    Parameters
    hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
    local: Performs local accounting.
    none: Does not perform accounting.
    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 24
    authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
    undo authentication default
    Default
    The default authentication method of an ISP domain is local.
    Views
    ISP domain view
    Predefined user roles ...
  • Page 25: Authentication Lan-Access

    authentication lan-access
    Use authentication lan-access to configure the authentication method for LAN users. Use undo authentication lan-access to restore the default.
    Syntax
    In non-FIPS mode:
    authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
    undo authentication lan-access
    In FIPS mode: ...
  • Page 26: Authentication Login

    # Configure ISP domain test to use RADIUS authentication scheme rd for LAN users and use local authentication as the backup.
    <Sysname> system-view
    [Sysname] domain test
    [Sysname-isp-test] authentication lan-access radius-scheme rd local
    Related commands
    • authentication default
    • hwtacacs scheme
    • ldap scheme
    • ...
  • Page 27: Authentication Portal

    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
    Usage guidelines
    You can specify one primary authentication method and multiple backup authentication methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication).
  • Page 28: Authentication Ppp

    Default
    The default authentication method of the ISP domain is used for portal users.
    Views
    ISP domain view
    Predefined user roles
    network-admin
    Parameters
    ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
    local: Performs local authentication.
  • Page 29
    Syntax
    In non-FIPS mode:
    authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
    undo authentication ppp
    In FIPS mode:
    authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] ...
  • Page 30: Authentication Super

    [Sysname-isp-test] authentication ppp radius-scheme rd local
    Related commands
    • authentication default
    • hwtacacs scheme
    • local-user
    • radius scheme
    authentication super
    Use authentication super to specify a method for user role authentication. Use undo authentication super to restore the default.
    Syntax
    authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name }
    undo authentication super ...
  • Page 31: Authorization Command

    Examples
    # Configure ISP domain test to use HWTACACS scheme tac for user role authentication.
    <Sysname> system-view
    [Sysname] super authentication-mode scheme
    [Sysname] domain test
    [Sysname-domain-test] authentication super hwtacacs-scheme tac
    Related commands
    • authentication default
    • hwtacacs scheme
    • radius scheme
    authorization command
    Use authorization command to specify the command authorization method.
  • Page 32: Authorization Default

    When local command authorization is configured, the device compares each entered command with the user's configuration on the device. The command is executed only when it is permitted by the user's authorized user role. The commands that can be executed are controlled by both the access permission of user roles and command authorization of the authorization server.
  • Page 33
    authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
    undo authorization default
    Default
    The default authorization method of an ISP domain is local.
    Views
    ISP domain view
    Predefined user roles
    network-admin ...
  • Page 34: Authorization Lan-Access

    Related commands
    • hwtacacs scheme
    • local-user
    • radius scheme
    authorization lan-access
    Use authorization lan-access to configure the authorization method for LAN users. Use undo authorization lan-access to restore the default.
    Syntax
    In non-FIPS mode:
    authorization lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
    undo authorization lan-access
    In FIPS mode:
    authorization lan-access { local | radius-scheme radius-scheme-name [ local ] } ...
  • Page 35: Authorization Login

    <Sysname> system-view
    [Sysname] domain test
    [Sysname-isp-test] authorization lan-access local
    # Configure ISP domain test to use RADIUS authorization scheme rd for LAN users and use local authorization as the backup.
    <Sysname> system-view
    [Sysname] domain test
    [Sysname-isp-test] authorization lan-access radius-scheme rd local
    Related commands
    • authorization default
    • ...
  • Page 36: Authorization Portal

    • FTP, SFTP, and SCP users have the root directory of the NAS set as the working directory, but they do not have the access permission to the root directory.
    • Other login users are assigned the default user role. For more information about the default user ...
  • Page 37: Authorization Ppp

    undo authorization portal
    Default
    The default authorization method of the ISP domain is used for portal users.
    Views
    ISP domain view
    Predefined user roles
    network-admin
    Parameters
    local: Performs local authorization.
    none: Does not perform authorization. An authenticated portal user directly accesses the network.
    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 38
    Syntax
    In non-FIPS mode:
    authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
    undo authorization ppp
    In FIPS mode:
    authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] ...
  • Page 39: Authorization-Attribute (Isp Domain View)

    [Sysname-isp-test] authorization ppp radius-scheme rd local
    Related commands
    • authorization default
    • hwtacacs scheme
    • local-user
    • radius scheme
    authorization-attribute (ISP domain view)
    Use authorization-attribute to configure authorization attributes for users in an ISP domain. Use undo authorization-attribute to restore the default of an authorization attribute.
    Syntax
    authorization-attribute { idle-cut minute [ flow ] | ip-pool pool-name }
    undo authorization-attribute { idle-cut | ip-pool } ...
  • Page 40: Display Domain

    [Sysname] domain test
    [Sysname-isp-test] authorization-attribute idle-cut 30 10240
    Related commands
    • display domain
    display domain
    Use display domain to display the ISP domain configuration.
    Syntax
    display domain [ isp-name ]
    Views
    Any view
    Predefined user roles
    network-admin
    network-operator
    Parameters
    isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains.
  • Page 41
      Idle-cut : Enabled
      Idle timeout: 2 minutes
      Flow: 10240 bytes
      IP pool: appy
      Session time: Include idle time
    Default domain name: system
    Table 1 Command output
    Field: Description
    Domain: ISP domain name.
    State: Status of the ISP domain.
    Access limit: Limit to the number of user connections. If the number is not limited, this field displays Disabled.
  • Page 42: Domain

    Field: Description
    Command authorization scheme: Command line authorization method.
    Command accounting scheme: Command line accounting method.
    Super authentication scheme: Authentication method for obtaining a temporary user role.
    domain
    Use domain to create an ISP domain and enter ISP domain view. Use undo domain to remove an ISP domain.
  • Page 43: Domain Default Enable

    • domain if-unknown
    • state (ISP domain view)
    domain default enable
    Use domain default enable to specify the default ISP domain. Users without any domain name included in the usernames are considered in the default domain. Use undo domain default enable to restore the default.
    Syntax
    domain default enable isp-name
    undo domain default enable ...
  • Page 44: Session-Time Include-Idle-Time

    Syntax
    domain if-unknown isp-domain-name
    undo domain if-unknown
    Default
    No ISP domain is specified for users that include unknown domain names.
    Views
    System view
    Predefined user roles
    network-admin
    Parameters
    isp-domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
  • Page 45: State (Isp Domain View)

    Default
    The device does not include the idle cut period or online detection interval in the user online duration sent to the server.
    Views
    ISP domain view
    Predefined user roles
    network-admin
    Usage guidelines
    Configure the idle cut period feature based on the accounting policy in your network. If the user goes offline due to connection failure or malfunction, the user online duration sent to the server is not the same as the actual online duration.
  • Page 46: Local User Commands

    Parameters
    active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.
    block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.
    Usage guidelines
    By blocking an ISP domain, you disable offline users of the domain from requesting network services.
  • Page 47: Authorization-Attribute (Local User View/User Group View)

    [Sysname] local-user abc
    [Sysname-luser-manage-abc] access-limit 5
    Related commands
    • display local-user
    authorization-attribute (local user view/user group view)
    Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.
  • Page 48: Bind-Attribute

    work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 512 characters. The directory must already exist. By default, an FTP, SFTP, or SCP user can access the root directory of the device.
    Usage guidelines
    Configure authorization attributes according to the application environments and purposes.
  • Page 49: Display Local-User

    Views Local user view Predefined user roles network-admin Parameters call-number call-number: Specifies a calling number for PPP user authentication. The call-number argument is a string of 1 to 64 characters. This option applies only to PPP users. subcall-number: Specifies the subcalling number. The total length of the calling number and the subcalling number cannot be more than 62 characters.
• Page 50 Views Any view Predefined user roles network-admin network-operator Parameters class: Specifies the local user type: manage (device management user) or network (network access user). idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled. service-type: Specifies the local users who use a specific type of service.
  • Page 51 Password aging: Enabled (3 days) Network access user jj: State: Active Service Type: Lan-access User Group: system Bind Attributes: IP Address: 2.2.2.2 Location Bound: 3/3/2 (slot/subslot/port) MAC Address: 0001-0001-0001 VLAN ID: Calling Number: Authorization Attributes: Idle TimeOut: 33 (min) Work Directory: flash: ACL Number: 2000...
  • Page 52: Display User-Group

Field Description Password complexity: This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses: • Whether the password can contain the username or the reverse of the username. • Whether the password can contain any character repeated consecutively three or more times.
  • Page 53: Group

    Table 3 Command output Field Description Idle TimeOut Idle timeout period, in minutes. Callback-number Authorized PPP callback number. Work Directory Directory that FTP, SFTP, or SCP users in the group can access. ACL Number Authorization ACL. VLAN ID Authorized VLAN. Password control configurations Password control attributes that are configured for the user group.
  • Page 54: Local-User

Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters. Examples # Assign device management user 111 to user group abc. <Sysname> system-view [Sysname] local-user 111 class manage [Sysname-luser-manage-111] group abc Related commands display local-user local-user Use local-user to add a local user and enter local user view.
  • Page 55: Password

ssh: SSH users. telnet: Telnet users. terminal: Terminal users who log in through console ports, AUX ports, or async ports. Usage guidelines If you do not specify the class { manage | network } option, this command adds a device management user.
  • Page 56: Service-Type

hash: Sets a hashed password. simple: Sets a plaintext password. password: Specifies the password string. This argument is case sensitive. In non-FIPS mode: A cipher password is a string of 1 to 117 characters. A hashed password is a string of 1 to 110 characters. A plaintext password is a string of 1 to 63 characters.
  • Page 57: State (Local User View)

    Syntax In non-FIPS mode: service-type { ftp | lan-access | { ssh | telnet | terminal } * | portal | ppp } undo service-type { ftp | lan-access | { ssh | telnet | terminal } * | portal | ppp } In FIPS mode: service-type { lan-access | { ssh | terminal } * | portal | ppp } undo service-type { lan-access | { ssh | terminal } * | portal | ppp }...
  • Page 58: User-Group

    Syntax state { active | block } undo state Default A local user is in active state. Views Local user view Predefined user roles network-admin Parameters active: Places the local user in active state to allow the local user to request network services. block: Places the local user in blocked state to prevent the local user from requesting network services.
  • Page 59: Radius Commands

    Usage guidelines A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.
  • Page 60: Attribute 15 Check-Mode

    Parameters set with the accounting-on enable command take effect immediately. Examples # Enable the accounting-on feature for RADIUS scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] accounting-on enable interval 5 send 15 Related commands display radius scheme...
  • Page 61: Attribute 25 Car

    attribute 25 car Use attribute 25 car to configure the device to interpret the RADIUS class attribute (attribute 25) as CAR parameters. Use undo attribute 25 car to restore the default. Syntax attribute 25 car undo attribute 25 car Default The RADIUS class attribute is not interpreted as CAR parameters.
  • Page 62: Data-Flow-Format (Radius Scheme View)

    Predefined user roles network-admin Parameters ip ipv4-address: Specifies a DAE client by its IPv4 address. ipv6 ipv6-address: Specifies a DAE client by its IPv6 address. key { cipher | simple } string: Sets the shared key for secure communication between the RADIUS DAE client and server.
  • Page 63: Display Radius Scheme

    Predefined user roles network-admin Parameters data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte. packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
• Page 64 Primary Auth Server: IP : 2.2.2.2 Port: 1812 State: Active VPN : vpn1 Test profile: 132 Probe username: test Probe interval: 60 minutes Primary Acct Server: IP : 1.1.1.1 Port: 1813 State: Active VPN : Not configured Second Auth Server: IP : Not configured Port: 1812 State: Block VPN : Not configured...
• Page 65 Field Description Second Acct Server: Information about the secondary accounting server. IP: IP address of the server. If no server is configured, this field displays Not configured. Port: Service port number of the server. If no port number is specified, this field displays the default port number.
  • Page 66: Display Radius Statistics

Field Description Attribute 15 check-mode: RADIUS attribute 15 check mode for SSH, FTP, and terminal users: • Strict: The device matches the SSH, FTP, and terminal services to the extended Login-Service attribute values of 50, 51, and 52, respectively. • Loose: The device matches the SSH, FTP, and terminal services to the standard Login-Service attribute value of 0.
  • Page 67: Key (Radius Scheme View)

    Field Description Acct. Accounting packets. SessCtrl. Session-control packets. Request Packet Number of request packets. Retry Packet Number of retransmitted request packets. Timeout Packet Number of request packets timed out. Access Challenge Number of access challenge packets. Account Start Number of start-accounting packets. Account Update Number of accounting update packets.
  • Page 68: Nas-Ip (Radius Scheme View)

simple: Sets a plaintext shared key. string: Specifies the shared key string. This argument is case sensitive. In non-FIPS mode: A ciphertext shared key is a string of 1 to 117 characters. A plaintext shared key is a string of 1 to 64 characters. In FIPS mode: ...
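The shared key set with key (RADIUS scheme view) or the key option of primary/secondary authentication, and the attribute 15 check mode described under display radius scheme, are both things the device applies to bytes on the wire. The following Python is an added example written for this page, not code from the HP manual or from Comware: it implements the RFC 2865 User-Password hiding that the shared key feeds, a minimal attribute TLV codec, and the strict/loose Login-Service decision exactly as the page states it. Assumptions are marked in the code: the constructed secret and authenticator values, and the treatment of an Access-Accept that carries no Login-Service attribute.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

# RADIUS attribute types (RFC 2865).
USER_NAME, USER_PASSWORD, LOGIN_SERVICE = 1, 2, 15
# Login-Service values the page names: extended 50/51/52 (strict mode),
# standard 0 (loose mode).
EXTENDED_LOGIN_SERVICE = {"ssh": 50, "ftp": 51, "terminal": 52}
STANDARD_LOGIN_SERVICE = 0


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding. The password is padded to a
    multiple of 16 bytes and each block is XORed with MD5(secret || previous
    ciphertext block); the first "previous block" is the 16-byte Request
    Authenticator. This is the only protection the password gets on the wire,
    and only a NAS and server holding the same shared key can undo it."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of hide_password. Trailing NUL padding is stripped
    (RADIUS passwords are not expected to end in NUL bytes)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Attribute TLVs: type (1 byte), length (1 byte, includes the 2-byte header), value."""
    for t, v in attrs:
        if not 1 <= len(v) <= 253:
            raise ValueError("attribute %d value length out of range" % t)
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> Dict[int, bytes]:
    """Parse TLVs back into {type: value}, rejecting truncated or zero-length entries."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs[t] = data[i + 2:i + ln]
        i += ln
    return attrs


def login_service_permits(mode: str, service: str, attrs: Dict[int, bytes]) -> bool:
    """Attribute 15 check as the page describes it. strict: SSH, FTP and
    terminal need the extended values 50, 51 and 52 respectively; loose: those
    services match the standard value 0. ASSUMPTION (not stated on the page):
    an Access-Accept that carries no Login-Service attribute imposes no
    service restriction, so it is accepted here."""
    if LOGIN_SERVICE not in attrs:
        return True
    if len(attrs[LOGIN_SERVICE]) != 4:
        return False                      # malformed integer attribute
    value = struct.unpack("!I", attrs[LOGIN_SERVICE])[0]
    if mode == "strict":
        return value == EXTENDED_LOGIN_SERVICE[service]
    if mode == "loose":
        return value == STANDARD_LOGIN_SERVICE
    raise ValueError("unknown check mode %r" % mode)


if __name__ == "__main__":
    # Constructed values: a fixed authenticator so the run is repeatable.
    secret, auth = b"Sh4redKeyOnBothSides", bytes(range(16))
    req = encode_attrs([(USER_NAME, b"alice"),
                        (USER_PASSWORD, hide_password(b"hunter2", secret, auth))])
    print("recovered:", reveal_password(decode_attrs(req)[USER_PASSWORD], secret, auth))
    accept = encode_attrs([(LOGIN_SERVICE, struct.pack("!I", 50))])
    print("strict ssh:", login_service_permits("strict", "ssh", decode_attrs(accept)))
    print("loose ssh :", login_service_permits("loose", "ssh", decode_attrs(accept)))
```

Two practical consequences follow from the code. A key mismatch between the device and the server does not produce an error; reveal_password simply returns garbage, so the server rejects every login and the device sees only timeouts or Access-Rejects. And because the hiding is MD5 keyed by the shared key, a short or guessable key on a path where RADIUS traffic can be captured lets an attacker brute-force it offline against a single Access-Request; use the full 64-character plaintext length the page allows, or carry RADIUS inside an IPsec tunnel.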
  • Page 69: Port

If no source IP address is specified for outgoing RADIUS packets, the device uses the IP address of the outbound interface as the source address, and packets returned from the server cannot reach the device if that physical port fails. HP recommends that you configure a loopback interface address as the source IP address for outgoing RADIUS packets: the loopback interface stays up while any path to the server exists, and it gives the RADIUS server one fixed NAS address to register as a client.
  • Page 70: Primary Accounting (Radius Scheme View)

    undo port Default The port number is 3799. Views RADIUS DAE server view Predefined user roles network-admin Parameters port-number: Specifies a UDP port number in the range of 1 to 65535. Usage guidelines The destination port in DAE packets on the DAE client must be the same as the RADIUS DAE server port on the DAE server.
  • Page 71 port-number: Specifies the service port number of the primary RADIUS accounting server. The value range for the UDP port number is 1 to 65535, and the default setting is 1813. key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS accounting server.
  • Page 72: Primary Authentication (Radius Scheme View)

    vpn-instance (RADIUS scheme view) • primary authentication (RADIUS scheme view) Use primary authentication to specify the primary RADIUS authentication server. Use undo primary authentication to remove the configuration. Syntax primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name ] * undo primary authentication Default...
  • Page 73: Radius-Server Test-Profile

    The shared key configured by this command takes precedence over the shared key configured with the key authentication command. When you specify a test profile for the primary authentication server, make sure the test profile already exists on the device. Otherwise, the device cannot detect the server status. If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option.
  • Page 74: Radius Dynamic-Author Server

    username name: Specifies the username in the detection packets. The name argument is a case-sensitive string of 1 to 253 characters. interval interval: Specifies the interval for sending a detection packet, in minutes. The value range for the interval argument is 1 to 3600, and the default value is 60. Usage guidelines You can execute this command multiple times to configure multiple test profiles.
  • Page 75: Radius Dscp

    [Sysname] radius dynamic-author server [Sysname-radius-da-server] Related commands client • port • radius dscp Use radius dscp to change the DSCP priority of RADIUS packets. Use undo radius dscp to restore the default. Syntax radius [ ipv6 ] dscp dscp-value undo radius [ ipv6 ] dscp Default The DSCP priority of RADIUS packets is 0.
  • Page 76 Default The source IP address of an outgoing RADIUS packet is the IP address of the outbound interface. Views System view Predefined user roles network-admin Parameters ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
  • Page 77: Radius Session-Control Enable

    Related commands nas-ip (RADIUS scheme view) radius session-control enable Use radius session-control enable to enable the session-control feature. Use undo radius session-control enable to restore the default. Syntax radius session-control enable undo radius session-control enable Default The session-control feature is disabled and the UDP port 1812 is closed. Views System view Predefined user roles...
  • Page 78: Reset Radius Statistics

    Usage guidelines A RADIUS scheme can be referenced by more than one ISP domain at the same time. The device supports at most 16 RADIUS schemes. Examples # Create a RADIUS scheme named radius1 and enter RADIUS scheme view. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] Related commands...
  • Page 79: Retry Realtime-Accounting

    Predefined user roles network-admin Parameters retry-times: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to Usage guidelines Because RADIUS uses UDP packets to transmit data, the communication is not reliable. If the device does not receive a response to its request from the RADIUS server within the response •...
  • Page 80: Secondary Accounting (Radius Scheme View)

    considers that a line or device failure has occurred, and stops accounting for the user. To work with the RADIUS server, the NAS needs to send real-time accounting requests to the server before the timer on the server expires and to keep pace with the server in disconnecting the user when a failure occurs. The NAS disconnects from a user according to the maximum number of accounting attempts and specific parameters.
  • Page 81 port-number: Specifies the service port number of the secondary RADIUS accounting server. The value range for the UDP port number is 1 to 65535, and the default setting is 1813. key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS accounting server.
  • Page 82: Secondary Authentication (Radius Scheme View)

[Sysname] radius scheme radius2 [Sysname-radius-radius2] secondary accounting 10.110.1.1 1813 [Sysname-radius-radius2] secondary accounting 10.110.1.2 1813 Related commands display radius scheme • key (RADIUS scheme view) • primary accounting (RADIUS scheme view) • vpn-instance (RADIUS scheme view) secondary authentication (RADIUS scheme view) Use secondary authentication to specify a secondary RADIUS authentication server.
  • Page 83 vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS authentication server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Usage guidelines Make sure that the port number and shared key settings of each secondary RADIUS authentication server are the same as those configured on the corresponding server.
  • Page 84: Security-Policy-Server

    security-policy-server Use security-policy-server to specify a security policy server. Use undo security-policy-server to remove a security policy server. Syntax security-policy-server { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] undo security-policy-server { { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] | all } Default No security policy server is specified.
  • Page 85: State Primary

    undo snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] * Default All types of notifications for RADIUS are enabled. Views System view Predefined user roles network-admin Parameters accounting-server-down: Sends a notification when the RADIUS accounting server becomes unreachable.
  • Page 86: State Secondary

    Default The primary RADIUS server specified for a RADIUS scheme is in active state. Views RADIUS scheme view Predefined user roles network-admin Parameters accounting: Sets the status of the primary RADIUS accounting server. authentication: Sets the status of the primary RADIUS authentication server. active: Specifies the active state, the normal operation state.
  • Page 87 Syntax state secondary { accounting | authentication } [ ip-address [ port-number | vpn-instance vpn-instance-name ] * ] { active | block } Default Every secondary RADIUS server specified in a RADIUS scheme is in active state. Views RADIUS scheme view Predefined user roles network-admin Parameters...
  • Page 88: Timer Quiet (Radius Scheme View)

[Sysname-radius-radius1] state secondary authentication block Related commands • display radius scheme • radius-server test-profile • state primary timer quiet (RADIUS scheme view) Use timer quiet to set the quiet timer for the servers specified in a RADIUS scheme. Use undo timer quiet to restore the default. Syntax timer quiet minutes undo timer quiet...
  • Page 89: Timer Response-Timeout (Radius Scheme View)

    Syntax timer realtime-accounting minutes undo timer realtime-accounting Default The real-time accounting interval is 12 minutes. Views RADIUS scheme view Predefined user roles network-admin Parameters minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Usage guidelines When the real-time accounting interval configured on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval.
  • Page 90: User-Name-Format (Radius Scheme View)

    undo timer response-timeout Default The RADIUS server response timeout period is 3 seconds. Views RADIUS scheme view Predefined user roles network-admin Parameters seconds: Specifies the RADIUS server response timeout period, in the range of 1 to 10 seconds. Usage guidelines If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request, it resends the request so that the user has more opportunity to obtain the RADIUS service.
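The retry count, the response timeout, the quiet timer and the state primary/secondary commands above all interact, and the question a practitioner usually has is how long a login can hang and when a dead server is tried again. The following Python is an added example for this page, not HP code and not the device's own scheduler: it models the behaviour those commands describe (each unanswered attempt costs one response timeout, a server that exhausts its attempts is blocked for the quiet period and then returns to active, a server blocked by the administrator stays blocked). The retry default of 3 and the RADIUS quiet default of 5 minutes are assumptions, since the page cuts those values off; both are parameters here.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Server:
    name: str
    ip: str
    port: int = 1812
    state: str = "active"      # state primary / state secondary ... { active | block }
    quiet_until: float = 0.0   # > 0 only when the device itself blocked the server


@dataclass
class Scheme:
    servers: List[Server]            # primary first, then secondaries in configured order
    response_timeout: float = 3.0    # timer response-timeout, seconds (page default: 3)
    retry: int = 3                   # retry: attempts per server (ASSUMPTION: 3; page value cut off)
    quiet_minutes: int = 5           # timer quiet (ASSUMPTION: 5 minutes, as the HWTACACS page states)


def refresh_states(scheme: Scheme, now: float) -> None:
    """A server the device blocked returns to active when its quiet timer expires.
    A server blocked by the administrator (quiet_until == 0) stays blocked."""
    for s in scheme.servers:
        if s.state == "block" and s.quiet_until and now >= s.quiet_until:
            s.state, s.quiet_until = "active", 0.0


def authenticate(scheme: Scheme, now: float,
                 reachable: Callable[[Server], bool]) -> Tuple[Optional[Server], float]:
    """Try servers in order. Each unanswered attempt costs one response timeout;
    after `retry` unanswered attempts the server is blocked for the quiet period
    and the next active server is tried. Returns (server used, seconds spent).
    This is a model of the timers' interaction, not the device's own code."""
    refresh_states(scheme, now)
    elapsed = 0.0
    for s in scheme.servers:
        if s.state != "active":
            continue
        for _ in range(scheme.retry):
            if reachable(s):
                return s, elapsed
            elapsed += scheme.response_timeout
        s.state = "block"
        s.quiet_until = now + elapsed + scheme.quiet_minutes * 60
    return None, elapsed


def worst_case_delay(scheme: Scheme) -> float:
    """Seconds a login can hang before every server has been given up on."""
    return len(scheme.servers) * scheme.retry * scheme.response_timeout


if __name__ == "__main__":
    # Constructed topology: the primary is silent, the secondary answers.
    scheme = Scheme([Server("primary", "10.0.0.1"), Server("secondary", "10.0.0.2")])
    srv, spent = authenticate(scheme, now=0.0, reachable=lambda s: s.ip == "10.0.0.2")
    print("answered by %s after %.0f s; primary is %s until t=%.0f"
          % (srv.name, spent, scheme.servers[0].state, scheme.servers[0].quiet_until))
    print("worst case with all servers silent: %.0f s" % worst_case_delay(scheme))
```

The model makes the trade-off visible: the first login after the primary fails waits retry x response-timeout seconds (9 s with the values above) before the secondary answers, later logins go straight to the secondary for the quiet period, and when the quiet timer expires the primary is probed again at the cost of another full retry cycle if it is still down. Raising the quiet timer reduces that repeated penalty but lengthens the time a recovered primary sits unused; the radius-server test-profile command on the next pages exists precisely to detect recovery without charging a user login for the probe.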
  • Page 91: Vpn-Instance (Radius Scheme View)

    with-domain: Includes the ISP domain name in the username sent to the RADIUS server. without-domain: Excludes the ISP domain name from the username sent to the RADIUS server. Usage guidelines A username is generally in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs.
  • Page 92: Hwtacacs Commands

    Usage guidelines The VPN specified here applies to all servers in the RADIUS scheme for which no VPN is specified. Examples # Specify VPN test for RADIUS scheme radius1. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] vpn-instance test Related commands display radius scheme HWTACACS commands data-flow-format (HWTACACS scheme view)
  • Page 93: Display Hwtacacs Scheme

    Related commands display hwtacacs scheme display hwtacacs scheme Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes. Syntax display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ] Views Any view Predefined user roles network-admin network-operator Parameters hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 94: Hwtacacs Nas-Ip

    Response Timeout Interval(seconds) Username Format : with-domain ------------------------------------------------------------------ Table 7 Command output Field Description Index Index number of the HWTACACS scheme. Primary Auth Server Primary HWTACACS authentication server. Primary Author Server Primary HWTACACS authorization server. Primary Acct Server Primary HWTACACS accounting server. Secondary Auth Server Secondary HWTACACS authentication server.
  • Page 95 Use undo hwtacacs nas-ip to delete a source IP address for outgoing HWTACACS packets. Syntax hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] undo hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] Default The source IP address of a packet sent to the server is the IP address of the outbound interface.
  • Page 96: Hwtacacs Scheme

    Examples # Set the IP address for the device to use as the source address for HWTACACS packets to 129.10.10.1. <Sysname> system-view [Sysname] hwtacacs nas-ip 129.10.10.1 Related commands nas-ip (HWTACACS scheme view) hwtacacs scheme Use hwtacacs scheme to create an HWTACACS scheme and enter HWTACACS scheme view. Use undo hwtacacs scheme to delete an HWTACACS scheme.
  • Page 97 Syntax key { accounting | authentication | authorization } { cipher | simple } string undo key { accounting | authentication | authorization } Default No shared key is configured. Views HWTACACS scheme view Predefined user roles network-admin Parameters accounting: Sets the shared key for secure HWTACACS accounting communication. authentication: Sets the shared key for secure HWTACACS authentication communication.
  • Page 98: Nas-Ip (Hwtacacs Scheme View)

    Related commands display hwtacacs scheme nas-ip (HWTACACS scheme view) Use nas-ip to specify a source address for outgoing HWTACACS packets. Use undo nas-ip to delete a source address for outgoing HWTACACS packets. Syntax nas-ip { ipv4-address | ipv6 ipv6-address } undo nas-ip [ ipv6 ] Default The source IP address of an outgoing HWTACACS packet is the IP address configured by using the...
  • Page 99: Primary Accounting (Hwtacacs Scheme View)

    TCP connection each time it exchanges accounting packets with the primary accounting server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
  • Page 100: Primary Authentication (Hwtacacs Scheme View)

    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS accounting server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Usage guidelines Make sure that the port number and shared key settings of the primary HWTACACS accounting server are the same as those configured on the server.
  • Page 101 TCP connection each time it exchanges authentication packets with the primary authentication server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
  • Page 102: Primary Authorization

    TCP connection each time it exchanges authorization packets with the primary authorization server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
  • Page 103: Reset Hwtacacs Statistics

    Usage guidelines Make sure that the port number and shared key settings of the primary HWTACACS authorization server are the same as those configured on the server. Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings.
  • Page 104: Secondary Accounting (Hwtacacs Scheme View)

    TCP connection each time it exchanges accounting packets with the secondary accounting server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
  • Page 105: Secondary Authentication (Hwtacacs Scheme View)

    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS accounting server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Usage guidelines Make sure that the port number and shared key settings of the secondary HWTACACS accounting server are the same as those configured on the server.
  • Page 106 TCP connection each time it exchanges authentication packets with the secondary authentication server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
  • Page 107: Secondary Authorization

    You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
  • Page 108 TCP connection each time it exchanges authorization packets with the secondary authorization server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
  • Page 109: Timer Quiet (Hwtacacs Scheme View)

    timer quiet (HWTACACS scheme view) Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme. Use undo timer quiet to restore the default. Syntax timer quiet minutes undo timer quiet Default The server quiet period is 5 minutes. Views HWTACACS scheme view Predefined user roles...
  • Page 110: Timer Response-Timeout (Hwtacacs Scheme View)

    Parameters minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server. Usage guidelines For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically.
  • Page 111: User-Name-Format (Hwtacacs Scheme View)

    Usage guidelines HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server. Examples # Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1. <Sysname>...
  • Page 112: Vpn-Instance (Hwtacacs Scheme View)

    Examples # Configure the device to remove the ISP domain name from the username sent to the HWTACACS servers specified in HWTACACS scheme hwt1. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] user-name-format without-domain Related commands display hwtacacs scheme vpn-instance (HWTACACS scheme view) Use vpn-instance to specify a VPN for an HWTACACS scheme.
  • Page 113: Display Ldap Scheme

    Use undo authentication-server to remove the LDAP authentication server. Syntax authentication-server server-name undo authentication-server server-name Default No LDAP authentication server is specified. Views LDAP scheme view Predefined user roles network-admin Parameters server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters.
  • Page 114 Examples # Display the configuration of all LDAP schemes. <Sysname> display ldap scheme Total 1 LDAP schemes ------------------------------------------------------------------ LDAP Scheme Name : ldap-sch Authentication Server : cc : 2.2.2.2 Port : 389 VPN Instance LDAP Protocol Version : LDAPv2 Server Timeout Interval : 10 (seconds) Login Account DN : lda...
  • Page 115: Ipv6

    Field Description Username Format Format for the username sent to the server. Use ip to configure the IP address and port number of the LDAP server. Use undo ip to delete the LDAP server IP address and port number. Syntax ip ip-address [ port port-number ] [ vpn-instance vpn-instance-name ] undo ip Default...
  • Page 116: Ldap Scheme

    Use undo ipv6 to delete the LDAP server IPv6 address and port number. Syntax ipv6 ipv6-address [ port port-number ] [ vpn-instance vpn-instance-name ] undo ipv6 Default An LDAP server does not have an IP address. Views LDAP server view Predefined user roles network-admin Parameters...
  • Page 117: Ldap Server

    Views System view Predefined user roles network-admin Parameters ldap-scheme-name: LDAP scheme name, a case-insensitive string of 1 to 32 characters. Usage guidelines An LDAP scheme can be referenced by more than one ISP domain at the same time. You can configure up to 16 LDAP schemes. Examples # Create an LDAP scheme named ldap1 and enter LDAP scheme view.
  • Page 118: Login-Dn

    login-dn Use login-dn to specify the administrator DN. Use undo login-dn to remove the configuration. Syntax login-dn dn-string undo login-dn Default No administrator DN is specified. Views LDAP server view Predefined user roles network-admin Parameters dn-string: Administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters. Usage guidelines The administrator DN specified on the device must be consistent with the administrator DN configured on the LDAP server.
  • Page 119: Protocol-Version

    Views LDAP server view Predefined user roles network-admin Parameters cipher: Sets a ciphertext password. simple: Sets a plaintext password. password: Specifies the password string. This argument is case sensitive. If simple is specified, the password must be a string of 1 to 128 characters. •...
  • Page 120: Search-Base-Dn

    v3: Specifies the LDAP version LDAPv3. Usage guidelines For successful LDAP authentication, the LDAP version used by the device must be consistent with the version used by the LDAP server. If you change the LDAP version, the change is effective only for LDAP authentication that occurs after your change.
  • Page 121: Search-Scope

    search-scope Use search-scope to specify the user search scope. Use undo search-scope to restore the default. Syntax search-scope { all-level | single-level } undo search-scope Default The user search scope is all-level. Views LDAP server view Predefined user roles network-admin Parameters all-level: Specifies that the search goes through all subdirectories of the base DN.
  • Page 122: User-Parameters

    Predefined user roles network-admin Parameters time-interval: Specifies the LDAP server timeout period in the range of 5 to 20 seconds. Usage guidelines If you change the LDAP server timeout period, the change is effective only for LDAP authentication that occurs after your change. Examples # Set the LDAP server timeout period to 15 seconds.
• Page 123 Usage guidelines If the username on the LDAP server does not contain the domain name, specify the without-domain keyword. If the username contains the domain name, specify the with-domain keyword. Examples # Set the user object class to person. <Sysname> system-view [Sysname] ldap server ccc [Sysname-ldap-server-ccc] user-parameters user-object-class person Related commands...
  • Page 124: 802.1X Commands

    802.1X commands In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. The commands configured in Ethernet interface view are available only on the following ports: The fixed Layer 2 Ethernet ports on the MSR1000, MSR2004-24 and MSR2004-48 routers.
  • Page 125 Reauth period : 3600 s Max auth requests SmartOn switch ID : 30 SmartOn supp timeout : 30 s SmartOn retry counts Domain delimiter Max 802.1X users : 1024 per slot Online 802.1X users GigabitEthernet2/1/1 is link-down 802.1X authentication : Enabled Handshake : Enabled Handshake security...
  • Page 126 Field Description Performs EAP termination and uses CHAP to communicate with the RADIUS server. CHAP authentication: Enabled If EAP or PAP is enabled, this field is not available. Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server. EAP authentication: Enabled If CHAP or PAP is enabled, this field is not available.
  • Page 127: Display Dot1X Connection

    Field Description Mandatory auth domain Mandatory authentication domain on the port. 802.1X guest VLAN configured on the port. Guest VLAN If no 802.1X guest VLAN is configured on the port, this field displays Not configured. 802.1X Auth-Fail VLAN configured on the port. Auth-Fail VLAN If no 802.1X Auth-Fail VLAN is configured on the port, this field displays Not configured.
  • Page 128 # Display information about all online 802.1X users on the MSR1000, MSR2000 or MSR3000 router. <Sysname> display dot1x connection User MAC address: 0015-e9a6-7cfe Access interface: GigabitEthernet2/1/1 Username: ias Authentication domain: HP IPv4 address: 192.168.1.1 IPv6 address: 2000:0:0:0:1:2345:6789:abcd Authentication method: CHAP Initial VLAN: 1...
• Page 129 Username: ias Authentication domain: HP Authentication method: CHAP Initial VLAN: 1 Authorization untagged VLAN: N/A Authorization tagged VLAN list: 1 to 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 40 to 100...
  • Page 130: Dot1X

Field Description Termination action: Action attribute assigned by the server when the session timeout timer expires. • Default: Logs off the online authenticated 802.1X user. This attribute does not take effect when periodic online user reauthentication is enabled and the periodic reauthentication timer is shorter than the session timeout timer.
  • Page 131: Dot1X Authentication-Method

PAP transports usernames and passwords in plain text, so it is suitable only for scenarios that do not require high security. To use PAP, the client can be an HP iNode 802.1X client. CHAP transports the username in plaintext but never the password: the client sends an MD5 hash computed over the CHAP identifier, the password, and a challenge issued by the authenticator, so a captured exchange does not reveal the password and cannot be replayed against a fresh challenge. CHAP is more secure than PAP.
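What "plaintext" versus "challenge response" means in bytes, as an added example for this page (not HP or iNode code): the PAP Authenticate-Request layout from RFC 1334 beside both halves of a CHAP round from RFC 1994. The username, password and the deterministic test generator are constructed values.

```python
import hashlib
import hmac
import os
from typing import Tuple


def pap_authenticate_request(username: str, password: str) -> bytes:
    """PAP (RFC 1334): the Authenticate-Request carries Peer-ID-Length, Peer-ID,
    Passwd-Length, Password. Whoever can read the frame, or the RADIUS
    User-Password the NAS builds from it, has the password."""
    u, p = username.encode(), password.encode()
    if len(u) > 255 or len(p) > 255:
        raise ValueError("PAP fields use one-byte lengths")
    return bytes([len(u)]) + u + bytes([len(p)]) + p


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value).
    The password never crosses the link; this 16-byte digest does."""
    if not 0 <= chap_id <= 255:
        raise ValueError("CHAP identifier is one byte")
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_verify(chap_id: int, password: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute and compare in constant time. The verifier
    needs the plaintext password (or a reversibly stored copy), which is why a
    server that stores only password hashes cannot authenticate CHAP."""
    return hmac.compare_digest(chap_response(chap_id, password, challenge), response)


def chap_exchange(password: bytes, rng=os.urandom) -> Tuple[int, bytes, bytes]:
    """One round seen from both sides: the authenticator issues a fresh
    identifier and a 16-byte challenge, the peer answers with the digest.
    Returns (chap_id, challenge, response)."""
    chap_id = rng(1)[0]
    challenge = rng(16)
    return chap_id, challenge, chap_response(chap_id, password, challenge)


if __name__ == "__main__":
    print("PAP on the wire :", pap_authenticate_request("alice", "hunter2"))
    cid, chal, resp = chap_exchange(b"hunter2")
    print("CHAP on the wire: id=%d challenge=%s response=%s" % (cid, chal.hex(), resp.hex()))
    print("verifies:", chap_verify(cid, b"hunter2", chal, resp),
          "replay against new challenge:", chap_verify(cid, b"hunter2", os.urandom(16), resp))
```

The example also shows CHAP's limit: the digest is unsalted MD5 over a short secret, so an attacker who captures one challenge and response can brute-force weak passwords offline. That is why the page treats CHAP as "more secure than PAP" rather than as strong, and why EAP relay with a TLS-based method is preferred where the server supports it.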
  • Page 132: Dot1X Auth-Fail Vlan

    view does not take effect. For more information about the user-name-format command, see "RADIUS commands." Some network access devices provide the EAP server function so you can use EAP relay even if the RADIUS server does not support any EAP authentication method or no RADIUS server is available. Local authentication supports PAP and CHAP.
  • Page 133: Dot1X Critical Vlan

    [Sysname] interface gigabitethernet 2/1/1
    [Sysname-GigabitEthernet2/1/1] dot1x auth-fail vlan 100
    Related commands
    display dot1x
    dot1x critical vlan
    Use dot1x critical vlan to configure an 802.1X critical VLAN on a port.
    Use undo dot1x critical vlan to restore the default.
    Syntax
    dot1x critical vlan vlan-id
    undo dot1x critical vlan
    Default
    No 802.1X critical VLAN is configured on any port.
  • Page 134: Dot1X Guest-Vlan

    Syntax
    dot1x domain-delimiter string
    undo dot1x domain-delimiter
    Default
    The device supports only the at sign (@) delimiter for 802.1X users.
    Views
    System view
    Predefined user roles
    network-admin
    Parameters
    string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between delimiters.
  • Page 135: Dot1X Handshake

    Predefined user roles
    network-admin
    Parameters
    guest-vlan-id: Specifies the ID of the 802.1X guest VLAN. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created.
    Usage guidelines
    An 802.1X guest VLAN accommodates users who have not performed 802.1X authentication. In the guest VLAN, users can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.
  • Page 136: Dot1X Handshake Secure

    Examples
    # Enable the online user handshake function on GigabitEthernet 2/1/1.
    <Sysname> system-view
    [Sysname] interface gigabitethernet 2/1/1
    [Sysname-GigabitEthernet2/1/1] dot1x handshake
    Related commands
    • display dot1x
    • dot1x timer handshake-period
    • dot1x retry
    dot1x handshake secure
    Use dot1x handshake secure to enable the online user handshake security function.
    Use undo dot1x handshake secure to disable the function.
  • Page 137: Dot1X Mandatory-Domain

    dot1x mandatory-domain
    Use dot1x mandatory-domain to specify a mandatory 802.1X authentication domain on a port.
    Use undo dot1x mandatory-domain to remove the mandatory authentication domain.
    Syntax
    dot1x mandatory-domain domain-name
    undo dot1x mandatory-domain
    Default
    No mandatory authentication domain is specified.
    Views
    Ethernet interface view
    Predefined user roles
    network-admin...
  • Page 138: Dot1X Multicast-Trigger

    Views
    Ethernet interface view
    Predefined user roles
    network-admin
    Parameters
    user-number: Specifies the maximum number of concurrent 802.1X users on a port. The value range is 1 to 256.
    Usage guidelines
    Set the maximum number of concurrent 802.1X users on a port to prevent the system resources from being overused.
  • Page 139: Dot1X Port-Control

    [Sysname] interface gigabitethernet 2/1/1
    [Sysname-GigabitEthernet2/1/1] dot1x multicast-trigger
    Related commands
    • display dot1x
    • dot1x timer tx-period
    • dot1x unicast-trigger
    dot1x port-control
    Use dot1x port-control to set the authorization state for the port.
    Use undo dot1x port-control to restore the default.
    Syntax
    dot1x port-control { authorized-force | auto | unauthorized-force }
    undo dot1x port-control...
  • Page 140: Dot1X Port-Method

    dot1x port-method
    Use dot1x port-method to specify an access control method for the port.
    Use undo dot1x port-method to restore the default.
    Syntax
    dot1x port-method { macbased | portbased }
    undo dot1x port-method
    Default
    MAC-based access control applies.
    Views
    Ethernet interface view
    Predefined user roles
    network-admin
    Parameters...
  • Page 141: Dot1X Re-Authenticate

    Default
    The quiet timer is disabled.
    Views
    System view
    Predefined user roles
    network-admin
    Usage guidelines
    When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client. You can use the dot1x timer quiet-period command to set the quiet timer.
  • Page 142: Dot1X Re-Authenticate Server-Unreachable Keep-Online

    <Sysname> system-view
    [Sysname] dot1x timer reauth-period 1800
    [Sysname] interface gigabitethernet 2/1/1
    [Sysname-GigabitEthernet2/1/1] dot1x re-authenticate
    Related commands
    • display dot1x
    • dot1x timer
    dot1x re-authenticate server-unreachable keep-online
    Use dot1x re-authenticate server-unreachable keep-online to enable the keep-online feature on a port. This feature keeps authenticated 802.1X users online when no server is reachable for 802.1X reauthentication.
  • Page 143: Dot1X Smarton

    Default
    The maximum number of attempts that the device can send an authentication request to a client is two.
    Views
    System view
    Predefined user roles
    network-admin
    Parameters
    max-retry-value: Specifies the maximum number of attempts for sending an authentication request to a client.
  • Page 144: Dot1X Smarton Password

    When a SmartOn-enabled port receives an EAPOL-Start packet from an 802.1X client, it sends a unicast EAP-Request/Notification packet to the client. The client will respond with an EAP-Response/Notification packet, which contains the SmartOn switch ID and the MD5 digest of the SmartOn password. If the SmartOn switch ID and MD5 digest in the packet match the SmartOn switch ID and MD5 digest on the device, the device continues to perform 802.1X authentication for the client.
  • Page 145: Dot1X Smarton Retry

    If you execute the dot1x smarton password command multiple times, the most recent configuration takes effect.
    Examples
    # Set the SmartOn password to abc in plain text.
    <Sysname> system-view
    [Sysname] dot1x smarton password simple abc
    Related commands
    • display dot1x
    • dot1x smarton
    • ...
  • Page 146: Dot1X Smarton Switchid

    • dot1x smarton timer supp-timeout
    dot1x smarton switchid
    Use dot1x smarton switchid to configure a SmartOn switch ID.
    Use undo dot1x smarton switchid to restore the default.
    Syntax
    dot1x smarton switchid switch-string
    undo dot1x smarton switchid
    Default
    No SmartOn switch ID is configured.
    Views
    System view
    Predefined user roles...
  • Page 147: Dot1X Timer

    Views
    System view
    Predefined user roles
    network-admin
    Parameters
    time-value: Sets the SmartOn client timeout timer. The value range is 10 to 120, in seconds.
    Usage guidelines
    The SmartOn client timeout timer starts when the device sends an EAP-Request/Notification packet to the client.
  • Page 148

    Predefined user roles
    network-admin
    Parameters
    handshake-period handshake-period-value: Sets the handshake timer in seconds. The value range for the handshake-period-value argument is 5 to 1024.
    quiet-period quiet-period-value: Sets the quiet timer in seconds. The value range for the quiet-period-value argument is 10 to 120.
    reauth-period reauth-period-value: Sets the periodic reauthentication timer in seconds.
  • Page 149: Dot1X Unicast-Trigger

    • Username request timeout timer (tx-period)—Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device receives no response before this timer expires, it retransmits the request. The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.
  • Page 150: Reset Dot1X Guest-Vlan

    reset dot1x guest-vlan
    Use reset dot1x guest-vlan to remove users from the 802.1X guest VLAN on a port.
    Syntax
    reset dot1x guest-vlan interface interface-type interface-number [ mac-address mac-address ]
    Views
    User view
    Predefined user roles
    network-admin
    Parameters
    interface interface-type interface-number: Specifies a port by its type and number.
    mac-address mac-address: Specifies the MAC address of an 802.1X user in the guest VLAN.
  • Page 151: Mac Authentication Commands

    MAC authentication commands In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. The commands configured in Ethernet interface view are available only on the following ports: The fixed Layer 2 Ethernet ports on the MSR1000, MSR2004-24 and MSR2004-48 routers.
  • Page 152

    Online MAC-auth users
    Silent MAC users:
    MAC address       VLAN ID   From port              Port index
    0001-0000-0000              GigabitEthernet2/1/2
    0001-0000-0000              GigabitEthernet2/1/3
    0001-0000-0000              GigabitEthernet2/1/4
    GigabitEthernet2/1/1 is link-up
    MAC authentication : Enabled
    Authentication domain : Not configured
    Auth-delay timer : Enabled
    Auth-delay period : 60 s
    Re-auth server-unreachable : Logoff
    Host mode : Multiple VLAN...
  • Page 153: Display Mac-Authentication Connection

    Field / Description
    Authentication domain: MAC authentication domain specified in system view. If no authentication domain is specified in system view, this field displays "Not configured, use default domain."
    Max MAC-auth users: Maximum number of MAC authentication users each card supports.
    Online MAC-auth users: Number of online MAC authentication users.
  • Page 154

    # Display information about all online MAC authentication users on the MSR1000, MSR2000 or MSR3000 router.
    <Sysname> display mac-authentication connection
    User MAC address: 0015-e9a6-7cfe
    Access interface: GigabitEthernet2/1/1
    Username: ias
    Authentication domain: HP
    Initial VLAN: 1
    Authorization untagged VLAN: 100
    Authorization ACL ID: 3001
    Authorization user profile: N/A
    Termination action: Radius-request...
  • Page 155: Mac-Authentication

    Authorization ACL ID: 3001
    Authorization user profile: N/A
    Termination action: Radius-request
    Session timeout period: 2 s
    Online from: 2013/03/02 13:14:15
    Online duration: 0h 2m 15s
    Total 1 connection(s) matched.
    Table 13 Command output
    Field / Description
    Slot ID: Slot number of the card. (MSR4000.)
    User MAC address: MAC address of the user.
  • Page 156: Mac-Authentication Domain

    Syntax
    mac-authentication
    undo mac-authentication
    Default
    MAC authentication is not enabled globally or on any port.
    Views
    System view, Ethernet interface view
    Predefined user roles
    network-admin
    Usage guidelines
    To use MAC authentication on a port, you must enable the feature both globally and on the port.
    Examples
    # Enable MAC authentication globally.
  • Page 157: Mac-Authentication Host-Mode

    Usage guidelines
    The global authentication domain applies to all MAC authentication-enabled ports. A port-specific authentication domain applies only to the port. You can specify different authentication domains on different ports. A port chooses an authentication domain for MAC authentication users in this order:
    Authentication domain specified on the port.
  • Page 158: Mac-Authentication Max-User

    When the MAC authentication multi-VLAN mode is enabled, do not specify authorization VLANs for MAC authentication users on the port.
    Examples
    # Enable MAC authentication multi-VLAN mode on GigabitEthernet 2/1/1.
    <Sysname> system-view
    [Sysname] interface gigabitethernet 2/1/1
    [Sysname-GigabitEthernet2/1/1] mac-authentication host-mode multi-vlan
    Related commands
    display mac-authentication
    mac-authentication max-user...
  • Page 159: Mac-Authentication Timer

    Use undo mac-authentication re-authenticate server-unreachable to restore the default.
    Syntax
    mac-authentication re-authenticate server-unreachable keep-online
    undo mac-authentication re-authenticate server-unreachable
    Default
    The keep-online feature is disabled. The device logs off online MAC authentication users if no server is reachable for MAC reauthentication.
    Views
    Ethernet interface view
    Predefined user roles...
  • Page 160: Mac-Authentication Timer Auth-Delay

    Predefined user roles
    network-admin
    Parameters
    offline-detect offline-detect-value: Sets the offline detect timer in the range of 60 to 65535, in seconds.
    quiet quiet-value: Sets the quiet timer in the range of 1 to 3600, in seconds.
    server-timeout server-timeout-value: Sets the server timeout timer in the range of 100 to 300, in seconds.
    Usage guidelines
    MAC authentication uses the following timers:
    • Offline detect timer—Sets the interval that the device waits for traffic from a user before the device...
  • Page 161: Mac-Authentication User-Name-Format

    Usage guidelines When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC authentication so that 802.1X authentication is preferentially triggered. If no 802.1X authentication is triggered or if 802.1X authentication fails within the delay period, the port continues to process MAC authentication.
  • Page 162: Reset Mac-Authentication Statistics

    simple: Sets a plaintext password.
    password: Specifies the password. This argument is case sensitive. If simple is specified, the password must be a string of 1 to 117 characters. If cipher is specified, the password must be a ciphertext string of 1 to 88 characters.
    mac-address: Uses MAC-based user accounts for MAC authentication users.
  • Page 163

    Parameters
    interface interface-type interface-number: Specifies a port by its type and number.
    Usage guidelines
    If you do not specify a port, the command clears all global and port-specific MAC authentication statistics.
    Examples
    # Clear MAC authentication statistics on port GigabitEthernet 2/1/1.
    <Sysname>...
  • Page 164: Portal Commands

    Portal commands
    display portal interface
    Use display portal interface to display portal configuration and portal running state on an interface.
    Syntax
    display portal interface interface-type interface-number
    Views
    Any view
    Predefined user roles
    network-admin
    network-operator
    Parameters
    interface-type interface-number: Specifies an interface by its type and number.
    Examples
    # Display portal configuration and portal running state on interface GigabitEthernet 2/1/1.
  • Page 165

    Authentication domain: my-domain
    BAS-IPv6:Not configured
    User detection:
    Type: ICMPv6
    Interval: 300s
    Attempts: 5
    Idle time: 180s
    Action for server detection:
    Server type      Server name      Action
    Web server       wbsv6            fail-permit
    Portal server    ptsv6            fail-permit
    Layer3 source network:
    IP address       Prefix length
    11::5
    Destination authentication subnet:
    IP address...
  • Page 166: Display Portal Packet Statistics

    Field / Description
    Destination authentication subnet: Information of the portal authentication destination subnet.
    IP address: IP address of the portal authentication subnet.
    Mask: Subnet mask of the portal authentication subnet.
    Prefix length: Prefix length of the IPv6 portal authentication subnet address.
    Related commands
    • portal domain
    • ...
  • Page 167

    ACK_CHALLENGE
    REQ_AUTH
    ACK_AUTH
    REQ_LOGOUT
    ACK_LOGOUT
    AFF_ACK_AUTH
    NTF_LOGOUT
    REQ_INFO
    ACK_INFO
    NTF_USERDISCOVER
    NTF_USERIPCHANGE
    AFF_NTF_USERIPCHAN
    ACK_NTF_LOGOUT
    NTF_HEARTBEAT
    NTF_USER_HEARTBEAT
    ACK_NTF_USER_HEARTBEAT
    NTF_CHALLENGE
    NTF_USER_NOTIFY
    AFF_NTF_USER_NOTIFY
    Table 15 Command output
    Field / Description
    Portal server: Name of the portal authentication server.
    Invalid packets: Number of invalid packets.
    Pkt-Type: Packet type.
  • Page 168: Display Portal Rule

    Field / Description
    REQ_INFO: Information request packet.
    ACK_INFO: Information acknowledgement packet.
    NTF_USERDISCOVER: User discovery notification packet the portal authentication server sent to the access device.
    NTF_USERIPCHANGE: User IP change notification packet the access device sent to the portal authentication server.
    AFF_NTF_USERIPCHAN: User IP change success notification packet the portal authentication server sent to the access device.
  • Page 169

    Parameters
    all: Displays all portal rules, including dynamic and static portal rules.
    dynamic: Displays dynamic portal rules, which are generated after users pass portal authentication. These rules allow packets with specific source IP addresses to pass the interface.
    static: Displays static portal rules, which are generated after portal authentication is enabled. The interface filters packets by these rules when portal authentication is enabled.
  • Page 170

    Source:
    : 0.0.0.0
    Mask : 0.0.0.0
    Interface : GigabitEthernet2/1/1
    VLAN : Any
    Protocol : TCP
    Destination:
    : 0.0.0.0
    Mask : 0.0.0.0
    Port : 80
    Rule 4:
    Type : Static
    Action : Deny
    Status : Active
    Source:
    : 0.0.0.0
    Mask : 0.0.0.0
    Interface : GigabitEthernet2/1/1
    VLAN...
  • Page 171

    : 0015-e9a6-7cfe
    Interface : GigabitEthernet2/1/1
    VLAN : Any
    Author ACL:
    Number : 3001
    Rule 3
    Type : Static
    Action : Redirect
    Status : Active
    Source:
    : ::
    Prefix length
    Interface : GigabitEthernet2/1/1
    VLAN : Any
    Protocol : TCP
    Destination:
    : ::
    Prefix length
    Port : 80...
  • Page 172: Display Portal Server

    Field / Description
    Protocol: Transport layer protocol permitted by the portal rule:
    • Any—Permits any transport layer protocol.
    • TCP—Permits TCP.
    • UDP—Permits UDP.
    Status: Status of the portal rule:
    • Active—The portal rule is effective.
    • Unactuated—The portal rule is not activated.
    Source: Source information of the portal rule.
  • Page 173

    Parameters
    server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
    Usage guidelines
    If you do not specify the server-name argument, this command displays information about all portal authentication servers.
    Examples
    # Display information about portal authentication server pts.
    <Sysname>...
  • Page 174: Display Portal User

    display portal user
    Use display portal user to display information about portal users.
    Syntax
    display portal user { all | interface interface-type interface-number }
    Views
    Any view
    Predefined user roles
    network-admin
    network-operator
    Parameters
    all: Displays information about portal users on all interfaces.
    interface interface-type interface-number: Specifies an interface by its type and number.
  • Page 175: Display Portal Web-Server

    Field / Description
    Authorization ACL: Authorized ACL for the portal user. If the portal user does not have an authorized ACL, this field displays None.
    VPN instance: MPLS L3VPN where the portal user resides. If the portal user is on a public network, this field displays two hyphens (--).
  • Page 176

    Table 19 Command output
    Field / Description
    Portal Web server: Name of the portal Web server.
    URL: URL of the portal Web server.
    URL parameters: URL parameters for the portal Web server.
    VPN instance: Name of the MPLS L3VPN where the portal Web server resides.
    Parameters for portal Web server detection:
    • ...
  • Page 177: Ipv6

    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN where the portal authentication server resides by the VPN instance name, a case-sensitive string of 1 to 31 characters. If the portal authentication server is on the public network, do not specify this option.
    key: Specifies a shared key for communication with the portal authentication server.
  • Page 178: Port

    Parameters
    ipv6-address: Specifies the IP address of the IPv6 portal authentication server.
    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN where the portal authentication server resides by the VPN instance name, a case-sensitive string of 1 to 31 characters. If the portal authentication server is on the public network, do not specify this option.
  • Page 179: Portal { Bas-Ip | Bas-Ipv6

    Predefined user roles
    network-admin
    Parameters
    port-id: Specifies a destination UDP port number the access device uses to send unsolicited portal packets to the portal authentication server. The value range for this argument is 1 to 65534.
    Usage guidelines
    The specified port must be the port that listens to portal packets on the portal authentication server.
    Examples
    # Configure the destination UDP port number as 50000 for the device to send unsolicited portal packets to portal authentication server pts.
  • Page 180: Portal Apply Web-Server

    IPv4 or IPv6 address specified on the portal authentication server. You must configure the BAS-IP/BAS-IPv6 attribute on an authentication-enabled interface if the portal device IPv4 or IPv6 address specified on an HP IMC portal authentication server is not the IPv4 or IPv6 address of the interface.
  • Page 181: Portal Delete-User

    server-name: Specifies a portal Web server to be referenced on the interface by its name, a case-sensitive string of 1 to 32 characters. The name must already exist.
    fail-permit: Enables the portal fail-permit function on the interface. The portal fail-permit function allows portal users to access the Internet without authentication when the portal Web server is unreachable.
  • Page 182: Portal Domain

    Related commands
    display portal user
    portal domain
    Use portal [ ipv6 ] domain to configure a portal authentication domain on an interface. All portal users accessing through the interface must use the authentication domain.
    Use undo portal [ ipv6 ] domain to delete the configured portal authentication domain.
    Syntax
    portal [ ipv6 ] domain domain-name
    undo portal [ ipv6 ] domain...
  • Page 183: Portal Fail-Permit Server

    Syntax
    portal enable method { direct | layer3 | redhcp }
    portal ipv6 enable method { direct | layer3 }
    undo portal [ ipv6 ] enable
    Default
    Portal authentication is disabled on the interface.
    Views
    Interface view
    Predefined user roles
    network-admin
    Parameters
    ipv6: Enables IPv6 portal authentication.
  • Page 184: Portal Free-All Except Destination

    undo portal [ ipv6 ] fail-permit server
    Default
    Portal fail-permit is disabled for the portal authentication server.
    Views
    Interface view
    Predefined user roles
    network-admin
    Parameters
    ipv6: Specifies an IPv6 portal authentication server. Do not specify this keyword for an IPv4 portal authentication server.
  • Page 185: Portal Free-Rule

    Views
    Interface view
    Predefined user roles
    network-admin
    Parameters
    ipv4-network-address: Specifies an IPv4 portal authentication subnet address.
    mask-length: Specifies the subnet mask length for the authentication subnet address, in the range of 0 to
    mask: Specifies the subnet mask in dotted decimal format.
    Usage guidelines
    Portal users on the interface are authenticated when accessing the specified authentication destination subnet (except IP addresses and subnets specified in portal-free rules).
  • Page 186

    Default
    No IP-based portal-free rule is configured.
    Views
    System view
    Predefined user roles
    network-admin
    Parameters
    rule-number: Specifies a portal-free rule number in the range of 0 to 4294967295.
    destination: Specifies the destination information.
    source: Specifies the source information.
    ip ip-address: Specifies an IPv4 address for the portal-free rule.
    { mask-length | mask }: Specifies the subnet mask of the IPv4 address.
  • Page 187: Portal Free-Rule Source

    Related commands
    display portal rule
    portal free-rule source
    Use portal free-rule source to configure a source-based portal-free rule. The filtering criteria include source MAC address, source interface, and source VLAN.
    Use undo portal free-rule to delete portal-free rules.
    Syntax
    portal free-rule rule-number source { interface interface-type interface-number | mac mac-address | vlan vlan-id } *
    undo portal free-rule { rule-number | all }
    Default...
  • Page 188: Portal Ipv6 Layer3 Source

    Syntax
    portal ipv6 free-all except destination ipv6-network-address prefix-length
    undo portal ipv6 free-all except destination [ ipv6-network-address ]
    Default
    No IPv6 portal authentication destination subnet is configured on the interface. Portal users must pass portal authentication to access any IPv6 subnet.
    Views
    Interface view
    Predefined user roles...
  • Page 189: Portal Ipv6 User-Detect

    Default
    No IPv6 portal authentication source subnet is configured on the interface. Portal users from any IPv6 subnet must pass portal authentication.
    Views
    Interface view
    Predefined user roles
    network-admin
    Parameters
    ipv6-network-address: Specifies an IPv6 portal authentication source subnet address.
    prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.
    Usage guidelines
    With IPv6 authentication source subnets configured, only packets from IPv6 users on the authentication source subnets can trigger portal authentication.
  • Page 190

    Views
    Interface view
    Predefined user roles
    network-admin
    Parameters
    type: Specifies the type of detection packets.
    • nd—ND packets.
    • icmpv6—ICMPv6 packets.
    retry retries: Sets the maximum number of detection attempts, in the range of 1 to 10, and the default is 3.
  • Page 191: Portal Layer3 Source

    portal layer3 source
    Use portal layer3 source to configure an IPv4 portal authentication source subnet on an interface.
    Use undo portal layer3 source to delete IPv4 portal authentication source subnets.
    Syntax
    portal layer3 source ipv4-network-address { mask-length | mask }
    undo portal layer3 source [ ipv4-network-address ]
    Default
    No IPv4 portal authentication source subnet is configured on the interface.
  • Page 192: Portal Max-User

    portal max-user
    Use portal max-user to set the maximum number of total portal users allowed in the system.
    Use undo portal max-user to restore the default.
    Syntax
    portal max-user max-number
    undo portal max-user
    Default
    The total number of portal users allowed in the system is not limited.
    Views
    System view
    Predefined user roles...
  • Page 193: Portal Server

    Predefined user roles
    network-admin
    Usage guidelines
    This command applies only to portal users that log in from VLAN interfaces. If portal roaming is enabled, an online portal user can access network resources from any Layer 2 port in its local VLAN. If portal roaming is disabled, the portal user can access network resources only from the Layer 2 port on which it passes authentication.
  • Page 194: Portal User-Detect

    Examples
    # Create portal authentication server pts and enter its view.
    <Sysname> system-view
    [Sysname] portal server pts
    [Sysname-portal-server-pts]
    Related commands
    display portal server
    portal user-detect
    Use portal user-detect to enable online detection of IPv4 portal users on an interface.
    Use undo portal user-detect to restore the default.
    Syntax
    portal user-detect type { arp | icmp } [ retry retries ] [ interval interval ] [ idle time ]
    undo portal user-detect...
  • Page 195: Portal Web-Server

    • If the device receives a reply, it stops sending detection packets. Then the device restarts the idle timer and waits for the packets from the user.
    Direct authentication and re-DHCP authentication support both ARP detection and ICMP detection. Cross-subnet authentication only supports ICMP detection. If firewall policies on the access device filter out ICMP packets, ICMP detection might fail and result in the logout of portal users.
  • Page 196: Reset Portal Packet Statistics

    [Sysname-portal-websvr-wbs]
    Related commands
    • display portal web-server
    • portal apply web-server
    reset portal packet statistics
    Use reset portal packet statistics to clear packet statistics for portal authentication servers.
    Syntax
    reset portal packet statistics [ server server-name ]
    Views
    User view
    Predefined user roles
    network-admin
    Parameters...
  • Page 197: Server-Detect (Portal Web Server View)

    Predefined user roles
    network-admin
    Parameters
    timeout timeout: Specifies the detection timeout in the range of 10 to 3600 seconds. The default is 60 seconds.
    { log | trap } *: Specifies the action to be taken after the device detects a reachability status change of the portal authentication server.
  • Page 198: Url

    Predefined user roles
    network-admin
    Parameters
    interval interval: Specifies a detection interval in the range of 10 to 1200 seconds. The default is 20 seconds.
    retry retries: Specifies the maximum number of consecutive detection failures, in the range of 1 to 10. The default is 3.
  • Page 199: Url-Parameter

    Predefined user roles
    network-admin
    Parameters
    url-string: Specifies a URL for the portal Web server, a case-sensitive string of 1 to 256 characters.
    Usage guidelines
    This command specifies a URL that can be accessed through standard HTTP or HTTPS. The URL should start with http:// or https://.
  • Page 200: User-Sync

    If you configure a URL parameter multiple times, the most recent configuration takes effect. After you configure the URL parameters, the access device sends the portal Web server URL with these parameters to portal users. For example, assume that the URL of a portal Web server is http://www.test.com/portal, and you execute the url-parameter userip source-address and url-parameter userurl value http://www.test.com/welcome commands.
  • Page 201: Vpn-Instance

    authentication server. Make sure the user heartbeat interval configured on the portal authentication server is not greater than the synchronization detection timeout configured on the access device. Deleting a portal authentication server on the device also deletes the user synchronization configuration for the server.
  • Page 202

    Examples
    # Configure the MPLS L3VPN for portal Web server wbs as abc.
    <Sysname> system-view
    [Sysname] portal web-server wbs
    [Sysname-portal-websvr-wbs] vpn-instance abc...
  • Page 203: Port Security Commands

    Port security commands In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. The commands configured in Layer 2 Ethernet interface view are available only on the following ports: The fixed Layer 2 Ethernet ports on the MSR1000, MSR2004-24 and MSR2004-48 routers.
  • Page 204

    Max secure MAC addresses : 64
    Current secure MAC addresses : 1
    Authorization : Permitted
    Table 20 Command output
    Field / Description
    Port security: Status of the port security feature: Enabled or Disabled.
    AutoLearn aging time: Sticky MAC address aging timer, in minutes.
    Disableport timeout: Silence period (in seconds) of the port that receives illegal packets.
  • Page 205: Display Port-Security Mac-Address Block

    Field / Description
    Current secure MAC addresses: Number of secure MAC addresses stored.
    Authorization: Indicates whether the authorization information from the authentication server (RADIUS server or local device) is ignored or not:
    • Permitted—Authorization information from the authentication server takes effect.
    • ...
  • Page 206

    MAC ADDR         Port      VLAN ID
    000f-3d80-0d2d   GE2/1/1
    --- On slot 2, 1 MAC address(es) found ---
    --- 1 mac address(es) found ---
    # Display the count of all blocked MAC addresses on the MSR1000, MSR2000 or MSR3000 router.
    <Sysname> display port-security mac-address block count
    --- 2 mac address(es) found ---
    # Display the count of all blocked MAC addresses on the MSR4000 router.
  • Page 207: Display Port-Security Mac-Address Security

    <Sysname> display port-security mac-address block interface gigabitethernet 2/1/1
    MAC ADDR         Port      VLAN ID
    000f-3d80-0d2d   GE2/1/1
    --- On slot 2, 1 MAC address(es) found ---
    --- 1 mac address(es) found ---
    # Display information about all blocked MAC addresses of port GigabitEthernet 2/1/1 in VLAN 1 on the MSR1000, MSR2000 or MSR3000 router.
  • Page 208

    Predefined user roles
    network-admin
    network-operator
    Parameters
    interface interface-type interface-number: Specifies a port by its type and number.
    vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094.
    count: Displays only the count of the secure MAC addresses.
    Usage guidelines
    If you do not specify any parameters, the command displays information about all secure MAC addresses.
  • Page 209: Port-Security Authorization Ignore

    1 mac address(es) found
    Table 22 Command output
    Field / Description
    MAC ADDR: Secure MAC address.
    VLAN ID: ID of the VLAN to which the port belongs.
    STATE: Type of the MAC address added. Security means it is a secure MAC address.
  • Page 210: Port-Security Enable

    <Sysname> system-view
    [Sysname] interface gigabitethernet 2/1/1
    [Sysname-GigabitEthernet2/1/1] port-security authorization ignore
    Related commands
    display port-security
    port-security enable
    Use port-security enable to enable port security.
    Use undo port-security enable to disable port security.
    Syntax
    port-security enable
    undo port-security enable
    Default
    Port security is disabled.
    Views
    System view
    Predefined user roles...
  • Page 211: Port-Security Mac-Address Security

    Use undo port-security intrusion-mode to restore the default. Syntax port-security intrusion-mode { blockmac | disableport | disableport-temporarily } undo port-security intrusion-mode Default Intrusion protection is disabled. Views Layer 2 Ethernet interface view Predefined user roles network-admin Parameters blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses.
  • Page 212 undo port-security mac-address security [ sticky ] mac-address vlan vlan-id In system view: port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ] Default No secure MAC address entry is configured.
  • Page 213: Port-Security Mac-Move Permit

    Examples # Enable port security, set port GigabitEthernet 2/1/1 in autoLearn mode, and set the maximum number of secure MAC addresses allowed on the port to 100. <Sysname> system-view [Sysname] port-security enable [Sysname] interface gigabitethernet 2/1/1 [Sysname-GigabitEthernet2/1/1] port-security max-mac-count 100 [Sysname-GigabitEthernet2/1/1] port-security port-mode autolearn # Specify MAC address 0001-0002-0003 in VLAN 4 as a sticky MAC address.
  • Page 214: Port-Security Max-Mac-Count

    Examples # Enable MAC move. <Sysname> system-view [Sysname] port-security mac-move permit Related commands display port-security port-security max-mac-count Use port-security max-mac-count to set the maximum number of secure MAC addresses that port security allows on a port. Use undo port-security max-mac-count to restore the default. Syntax port-security max-mac-count count-value undo port-security max-mac-count...
  • Page 215: Port-Security Ntk-Mode

    Related commands display port-security port-security ntk-mode Use port-security ntk-mode to configure the NTK feature. Use undo port-security ntk-mode to restore the default. Syntax port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly } undo port-security ntk-mode Default NTK is disabled on a port and all frames are allowed to be sent. Views Layer 2 Ethernet interface view Predefined user roles...
  • Page 216: Port-Security Port-Mode

    Syntax port-security oui index index-value mac-address oui-value undo port-security oui index index-value Default No OUI value is configured. Views System view Predefined user roles network-admin Parameters index-value: Specifies the OUI index, in the range of 1 to 16. oui-value: Specifies an OUI string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value.
  • Page 217 Default A port operates in noRestrictions mode, where port security does not take effect. Views Layer 2 Ethernet interface view Predefined user roles network-admin Parameters Keyword Security mode Description A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses but to the secure MAC address table as secure MAC addresses.
  • Page 218 The port security automatically modifies these settings in different security modes. HP recommends that you do not enable the mac-else-userlogin-secure or mac-else-userlogin-secure-ext mode on the port where the MAC authentication delay is enabled. The two modes are mutually exclusive...
  • Page 219: Port-Security Timer Autolearn Aging

    with the MAC authentication delay function. For more information about MAC authentication delay, see "MAC authentication commands." Examples # Enable port security and configure port GigabitEthernet 2/1/1 to operate in secure mode. <Sysname> system-view [Sysname] port-security enable [Sysname] interface gigabitethernet 2/1/1 [Sysname-GigabitEthernet2/1/1] port-security port-mode secure # Change the port security mode of port GigabitEthernet 2/1/1 to userLogin.
  • Page 220: Port-Security Timer Disableport

    Related commands • display port-security • port-security mac-address security port-security timer disableport Use port-security timer disableport to set the silence period during which the port remains disabled. Use undo port-security timer disableport to restore the default. Syntax port-security timer disableport time-value undo port-security timer disableport Default The port silence period is 20 seconds.
  • Page 221: Password Control Commands

    Password control commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display password-control Use display password-control to display password control configuration.
  • Page 222: Display Password-Control Blacklist

    Password composition: Enabled (1 types, 1 characters per type) Table 23 Command output Field Description Password control: Whether the password control feature is enabled. Password aging: Whether password expiration is enabled and, if enabled, the expiration time. Password length: Whether the minimum password length restriction function is enabled and, if enabled, the setting.
  • Page 223: Password-Control { Aging | Composition | History | Length } Enable

    Parameters user-name name: Specifies a user by its name, a case-sensitive string of 1 to 55 characters. ip ipv4-address: Specifies the IPv4 address of a user. ipv6 ipv6-address: Specifies the IPv6 address of a user. Usage guidelines If you do not specify any arguments, this command displays information about all users in the password control blacklist.
  • Page 224: Password-Control Aging

    Default The password control functions (aging, composition, history, and length) are all enabled. Views System view Predefined user roles network-admin Parameters aging: Enables the password expiration function. composition: Enables the password composition restriction function. history: Enables the password history function. length: Enables the minimum password length restriction function.
  • Page 225 Use undo password-control aging to restore the default. Syntax password-control aging aging-time undo password-control aging Default A password expires after 90 days. The password expiration time for a user group equals the global setting. The password expiration time for a local user equals that of the user group to which the local user belongs.
  • Page 226: Password-Control Alert-Before-Expire

    • password-control aging enable password-control alert-before-expire Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration. Use undo password-control alert-before-expire to restore the default. Syntax password-control alert-before-expire alert-time undo password-control alert-before-expire Default...
  • Page 227: Password-Control Composition

    setting. The password complexity checking policy for a local user equals that of the user group to which the local user belongs. Views System view, user group view, local user view Predefined user roles network-admin Parameters same-character: Refuses a password that contains any character appearing consecutively three or more times.
  • Page 228 Default In non-FIPS mode, the password using the global composition policy must contain at least one character type and at least one character for each type. In FIPS mode, the password using the global composition policy must contain at least four character types and at least one character for each type.
  • Page 229: Password-Control Enable

    type-length type-length: Specifies the minimum number of characters that are from each type in the password. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode. Usage guidelines The password composition policy depends on the view: The policy in system view has global significance and applies to all user groups.
  • Page 230: Password-Control Expired-User-Login

    Default In non-FIPS mode, the password control feature is disabled globally. In FIPS mode, the password control feature is enabled globally and cannot be disabled. Views System view Predefined user roles network-admin Usage guidelines A specific password control function takes effect only after the global password control feature is enabled.
  • Page 231: Password-Control History

    times times: Sets the maximum number of times a user can log in after the password expires. The value range is 0 to 10 and 0 means that a user cannot log in after the password expires. Usage guidelines This command is effective only on non-FTP login users. An FTP user cannot continue to log in after its password expires.
  • Page 232: Password-Control Length

    Related commands • display password-control • password-control history enable • reset password-control blacklist password-control length Use password-control length to set the minimum password length. Use undo password-control length to restore the default. Syntax password-control length length undo password-control length Default In non-FIPS mode, the global minimum password length is 10 characters.
  • Page 233: Password-Control Login Idle-Time

    <Sysname> system-view [Sysname] password-control length 16 # Set the minimum password length to 16 characters for user group test. [Sysname] user-group test [Sysname-ugroup-test] password-control length 16 [Sysname-ugroup-test] quit # Set the minimum password length to 16 characters for device management user abc. [Sysname] local-user abc class manage [Sysname-luser-manage-abc] password-control length 16 Related commands...
  • Page 234: Password-Control Login-Attempt

    Related commands display password-control password-control login-attempt Use password-control login-attempt to configure the login attempt limit. The settings include the maximum number of consecutive login failures and the action to be taken when the maximum number is reached. Use undo password-control login-attempt to restore the default. Syntax password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ] undo password-control login-attempt...
  • Page 235 If an FTP or VTY user fails to log in after making the maximum login attempts, the system adds the user account and the user's IP address to the password control blacklist. This user account is locked for only this user. Other users can still use this user account, and the blacklisted user can use other user accounts. Whether a blacklisted user and user account are locked depends on the locking setting: • If a user account is permanently locked for a user, the user cannot use this account unless this user...
  • Page 236: Password-Control Super Aging

    # Verify that after 3 minutes, the user account is removed from the password control blacklist and the user at 192.168.44.1 can use this user account. Related commands • display local-user • display password-control • display password-control blacklist • display user-group • reset password-control blacklist...
  • Page 237: Password-Control Super Length

    Default In non-FIPS mode, a super password must contain at least one character type and at least one character for each type. In FIPS mode, a super password must contain at least four character types and at least one character for each type.
  • Page 238: Password-Control Update-Interval

    Predefined user roles network-admin Parameters length: Specifies the minimum length of super passwords in characters. The value range for this argument is 4 to 63 in non-FIPS mode, and 15 to 63 in FIPS mode. Examples # Set the minimum length of super passwords to 16 characters. <Sysname>...
  • Page 239: Reset Password-Control Blacklist

    reset password-control blacklist Use reset password-control blacklist to remove blacklisted users. Syntax reset password-control blacklist [ user-name name ] Views User view Predefined user roles network-admin Parameters user-name name: Specifies the username of a user account to be removed from the password control blacklist.
  • Page 240 If you do not specify the role role name option, this command deletes the history records of all super passwords. Examples # Clear the history password records of all local users (enter Y to confirm). <Sysname> reset password-control history-record Are you sure to delete all local user's history records? [Y/N]:y Related commands password-control history...
  • Page 241: Public Key Management Commands

    Public key management commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Use display public-key local public to display local public keys.
  • Page 242 Key name: serverkey (default) Key type: RSA Time when key pair created: 15:40:48 2011/05/12 Key code: 307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442 762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64 DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E 9D85C13413996ECD093B0203010001 ============================================= Key name: rsa1 Key type: RSA Time when key pair created: 15:42:26 2011/05/12 Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D 426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA 1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7 9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03 92D8C6D940890BF4290203010001 # Display all local DSA public keys.
  • Page … Display all local ECDSA public keys. <Sysname> display public-key local ecdsa public ============================================= Key name: ecdsakey (default) Key type: ECDSA Time when key pair created: 15:42:04 2011/05/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF 68F5DC877835A43009DB6135558A7FB8316C361B0690B4FD84A14C0779C76DD6145BF9362B ============================================= Key name: ecdsa1 Key type: ECDSA Time when key pair created: 15:43:33 2011/05/12...
  • Page … Display the public key of the local ECDSA key pair ecdsa1. <Sysname> display public-key local ecdsa public name ecdsa1 ============================================= Key name: ecdsa1 Key type: ECDSA Time when key pair created: 15:43:33 2011/05/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1 AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58...
  • Page 245: Display Public-Key Peer

    display public-key peer Use display public-key peer to display information about peer public keys. Syntax display public-key peer [ brief | name publickey-name ] Views Any view Predefined user roles network-admin network-operator Parameters brief: Displays brief information about all peer public keys. The brief information includes only the key type, key modulus, and key name.
  • Page 246: Peer-Public-Key End

    Field Description Key code Public key string. # Display brief information about all peer public keys. <Sysname> display public-key peer brief Type Modulus Name --------------------------- 1024 idrsa 1024 10.1.1.1 Table 28 Command output Field Description Type Key type: RSA, DSA or ECDSA. Modulus Key modulus length in bits.
  • Page 247: Public-Key Local Create

    [Sysname-pkey-public-key-key1]30819F300D06092A864886F70D010101050003818D0030818902818 100C0EC8014F82515F6335A0A [Sysname-pkey-public-key-key1]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E 719D1643135877E13B1C531B4 [Sysname-pkey-public-key-key1]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B 952ADF6B80EB5F52698FCF3D6 [Sysname-pkey-public-key-key1]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050 BD4A9B1DDE675AC30CB020301 [Sysname-pkey-public-key-key1]0001 [Sysname-pkey-public-key-key1] peer-public-key end [Sysname] Related commands • display public-key local public • display public-key peer • public-key peer public-key local create Use public-key local create to create local asymmetric key pairs. Syntax public-key local create { dsa | ecdsa | rsa } [ name key-name ] Default...
  • Page 248 The key pairs are automatically saved and can survive system reboots. Table 30 A comparison of different types of asymmetric key pairs Type Number of key pairs Modulus length HP recommendation • In non-FIPS mode: If you specify a key pair name, the command creates a host key pair.
  • Page 249 ..++++++++ ..++++++++ Create the key pair successfully. # Create a local DSA key pair with the default name. <Sysname> system-view [Sysname] public-key local create dsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 250: Public-Key Local Destroy

    ......+..+..+....+..+...+......+..+..+...+..+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++* Create the key pair successfully. # Create a local ECDSA key pair with the name ecdsa1. <Sysname> system-view [Sysname] public-key local create ecdsa name ecdsa1 Generating Keys... Create the key pair successfully. # In FIPS mode, create a local RSA key pair with the default name. <Sysname>...
  • Page 251 Views System view Predefined user roles network-admin Parameters dsa: Specifies the DSA type. ecdsa: Specifies the ECDSA type. rsa: Specifies the RSA type. name key-name: Specifies the name of a local key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is specified, the command destroys the specified type of local key pairs that take the default names.
  • Page 252: Public-Key Local Export Dsa

    Confirm to destroy the key pair? [Y/N]:y Related commands public-key local create public-key local export dsa Use public-key local export dsa to display local DSA host public keys in a specific format, or export the key in a specific format to a file. Syntax public-key local export dsa [ name key-name ] { openssh | ssh2 } [ filename ] Views...
  • Page 253 Examples # Export the host public key of the local DSA key pair with the default name in OpenSSH format to a file named key.pub. <Sysname> system-view [Sysname] public-key local export dsa openssh key.pub # Display the host public key of the local DSA key pair with the default name in SSH2.0 format. <Sysname>...
  • Page 254: Public-Key Local Export Rsa

    ssh-dss AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3 B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACBAKHkVsjaKtG7g7G98 qGmtaboNkK0YEAkRdp+QDZxX0aPdmVeEU1GC3ES9XFD7gIK70pb+tB7dA+8scZNqKK85hkoNCFEXux3088NEY ZullatZRH0km+DdpZ7CrcV+ft7UUvBF0FV3W4HOx/LOidJ5sX+qBAD4WcpSX0OrZEF4+dq dsa-key Related commands • public-key local create • public-key peer import sshkey public-key local export rsa Use public-key local export rsa to display the local RSA host public key in a specific format, or export the key to a specific file.
  • Page 255 Use the public-key local export rsa [ name key-name ] { openssh | ssh2 } command to display the host public key in the specified format so that you can copy and paste it into a file. Use the public-key local export rsa [ name key-name ] { openssh | ssh2 } filename command to export the host public key directly to the file.
  • Page 256: Public-Key Peer

    Execute the peer-public-key end command to save the public key and return to system view. The public key you type in the public key view must be in a correct format. If your device is an HP device, use the display public-key local public command to display and record its public key.
  • Page 257: Public-Key Peer Import Sshkey

    Related commands • display public-key local public • display public-key peer • peer-public-key end public-key peer import sshkey Use public-key peer import sshkey to import a peer host public key from the public key file. Use undo public-key peer to remove the specified peer host public key. Syntax public-key peer keyname import sshkey filename undo public-key peer keyname...
  • Page 258: Pki Commands

    PKI commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. attribute Use attribute to configure an attribute rule for certificate issuer name, subject name, or alternative subject name.
  • Page 259: Ca Identifier

    • Each of the subject name and the issuer name can contain only one DN, but they can contain multiple FQDNs and IP addresses. • The alternative subject name cannot contain the DN, but it can contain multiple FQDNs and IP...
  • Page 260: Certificate Request Entity

    Syntax ca identifier name undo ca identifier Default No trusted CA is specified. Views PKI domain view Predefined user roles network-admin Parameters name: Specifies the name of the trusted CA, a case-sensitive string of 1 to 63 characters. Usage guidelines To obtain a CA certificate, you must specify the trusted CA name.
  • Page 261: Certificate Request From

    Usage guidelines A PKI entity describes the identity attributes of an entity for certificate request, including the following information: • Common name. • Organization. • Unit in the organization. • Locality. • State and country where the entity resides. • FQDN. •...
  • Page 262: Certificate Request Mode

    An independent RA is recommended as the authority to accept certificate requests. Examples # Specify the RA to accept certificate requests. <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] certificate request from ra certificate request mode Use certificate request mode to set the certificate request mode. Use undo certificate request mode to restore the default.
  • Page 263: Certificate Request Polling

    Examples # Set the certificate request mode to auto. <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] certificate request mode auto # Set the certificate request mode to auto, and set a plaintext password for certificate revocation to 123456. <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] certificate request mode auto password simple 123456 Related commands...
  • Page 264: Certificate Request Url

    <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] certificate request polling interval 15 [Sysname-pki-domain-aaa] certificate request polling count 40 Related commands display pki certificate request-status certificate request url Use certificate request url to specify the URL of the registration server for certificate request through the SCEP protocol.
  • Page 265: Common-Name

    <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] certificate request url http://mytest.net/certsrv/mscep/mscep.dll vpn-instance vpn1 common-name Use common-name to set the common name for a PKI entity. Use undo common-name to remove the configuration. Syntax common-name common-name-string undo common-name Default No common name is set for a PKI entity.
  • Page 266: Crl Check

    Parameters country-code-string: Specifies a country code, a case-sensitive string of two characters, for example, CN for China. Examples # Set CN as the country code of the PKI entity en. <Sysname> system-view [Sysname] pki entity en [Sysname-pki-entity-en] country CN crl check Use crl check enable to enable CRL checking.
  • Page 267 Syntax crl url url-string [ vpn-instance vpn-instance-name ] undo crl url Default The URL of the CRL repository is not specified. Views PKI domain view Predefined user roles network-admin Parameters url-string: Specifies the URL of the CRL repository, a case-sensitive string of 1 to 511 characters in the format of ldap://server_location or http://server_location, where server_location can be an IP address or a domain name.
  • Page 268: Display Pki Certificate Access-Control-Policy

    Related commands • ldap-server • pki retrieve-crl display pki certificate access-control-policy Use display pki certificate access-control-policy to display information about certificate access control policies. Syntax display pki certificate access-control-policy [ policy-name ] Views Any view Predefined user roles network-admin network-operator Parameters policy-name: Specifies the name of a certificate access control policy, a case-insensitive string of 1 to 31 characters.
  • Page 269: Display Pki Certificate Attribute-Group

    Field Description If the attributes of a certificate match the attribute rules defined in the permit attribute group that the policy references, the certificate passes the check and is regarded valid. If the attributes of a certificate match the attribute rules defined in the deny attribute group that the policy references, the certificate fails the check and is regarded invalid.
  • Page 270: Display Pki Certificate Domain

    Attribute 2 issuer-name fqdn nctn Table 33 Command output Field Description Total PKI certificate attribute groups: Total number of certificate attribute groups. ctn: Contain operation. nctn: Not-contain operation. equ: Equal operation. nequ: Not-equal operation. Attribute 1 subject-name ctn abc: Attribute rule 1 defines that the DN in the subject name contains the string abc.
  • Page 271 If you specify the peer keyword without a serial number, this command displays brief information about all peer certificates. If you specify a serial number, this command displays detailed information about the specified peer certificate. Examples # Display information about the CA certificate in the PKI domain aaa. <Sysname>...
  • Page 272 Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, O=sec, OU=software, CN=ipsec Validity Not Before: Jan 7 20:05:44 2011 GMT Not After : Jan 7 20:05:44 2012 GMT Subject: O=OpenCA Labs, OU=Users, CN=fips fips-sec Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:b2:38:ad:8c:7d:78:38:37:88:ce:cc:97:17:39: 52:e1:99:b3:de:73:8b:ad:a8:04:f9:a1:f9:0d:67:...
  • Page 273 URI:http://titan/pki/pub/crl/cacrl.crl Signature Algorithm: sha256WithRSAEncryption 94:ef:56:70:48:66:be:8f:9d:bb:77:0f:c9:f4:65:77:e3:bd: ea:9a:b8:24:ae:a1:38:2d:f4:ab:e8:0e:93:c2:30:33:c8:ef: f5:e9:eb:9d:37:04:6f:99:bd:b2:c0:e9:eb:b1:19:7e:e3:cb: 95:cd:6c:b8:47:e2:cf:18:8d:99:f4:11:74:b1:1b:86:92:98: af:a2:34:f7:1b:15:ee:ea:91:ed:51:17:d0:76:ec:22:4c:56: da:d6:d1:3c:f2:43:31:4f:1d:20:c8:c2:c3:4d:e5:92:29:ee: 43:c6:d7:72:92:e8:13:87:38:9a:9c:cd:54:38:b2:ad:ba:aa: f9:a4:68:b5:2a:df:9a:31:2f:42:80:0c:0c:d9:6d:b3:ab:0f: dd:a0:2c:c0:aa:16:81:aa:d9:33:ca:01:75:94:92:44:05:1a: 65:41:fa:1e:41:b5:8a:cc:2b:09:6e:67:70:c4:ed:b4:bc:28: 04:50:a6:33:65:6d:49:3c:fc:a8:93:88:53:94:4c:af:23:64: cb:af:e3:02:d1:b6:59:5f:95:52:6d:00:00:a0:cb:75:cf:b4: 50:c5:50:00:65:f4:7d:69:cc:2d:68:a4:13:5c:ef:75:aa:8f: 3f:ca:fa:eb:4d:d5:5d:27:db:46:c7:f4:7d:3a:b2:fb:a7:c9: de:18:9d:c1 # Display brief information about all peer certificates in the PKI domain aaa. <Sysname> display pki certificate domain aaa peer Total peer certificates: 1 Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7 Subject Name: CN=sldsslserver...
  • Page 274: Display Pki Certificate Request-Status

    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement Netscape Cert Type: SSL Server X509v3 Subject Alternative Name: DNS:docm.com X509v3 Subject Key Identifier: 3C:76:95:9B:DD:C2:7F:5F:98:83:B7:C7:A0:F8:99:1E:4B:D7:2F:26 X509v3 CRL Distribution Points: Full Name: URI:http://s03130.ccc.hp.com:447/ssl.crl Signature Algorithm: sha1WithRSAEncryption 61:2d:79:c7:49:16:e3:be:25:bb:8b:70:37:31:32:e5:d3:e3: 31:2c:2d:c1:f9:bf:50:ad:35:4b:c1:90:8c:65:79:b6:5f:59: 36:24:c7:14:63:44:17:1e:e4:cf:10:69:fc:93:e9:70:53:3c: 85:aa:40:7e:b5:47:75:0f:f0:b2:da:b4:a5:50:dd:06:4a:d5: 17:a5:ca:20:19:2c:e9:78:02:bd:19:77:da:07:1a:42:df:72: ad:07:7d:e5:16:d6:75:eb:6e:06:58:ee:76:31:63:db:96:a2: ad:83:b6:bb:ba:4b:79:59:9d:59:6c:77:59:5b:d9:07:33:a8: f0:a5...
  • Page 275 Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), backslash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
  • Page 276: Display Pki Crl

    Related commands • certificate request polling • pki domain • pki retrieve-certificate display pki crl Use display pki crl domain to display information about the locally saved CRLs. Syntax display pki crl domain domain-name Views Any view Predefined user roles network-admin network-operator Parameters...
  • Page 277: Fqdn

    Serial Number: FCADFA81E1F56F43D3F2D3EF7EB56DE5 Revocation Date: Apr 28 01:33:28 2011 GMT CRL entry extensions: Invalidity Date: Apr 28 01:33:09 2011 GMT Signature Algorithm: sha1WithRSAEncryption 57:ac:00:3e:1e:e2:5f:59:62:04:05:9b:c7:61:58:2a:df:a4: 5c:e5:c0:14:af:c8:e7:de:cf:2a:0a:31:7d:32:da:be:cd:6a: 36:b5:83:e8:95:06:bd:b4:c0:36:fe:91:7c:77:d9:00:0f:9e: 99:03:65:9e:0c:9c:16:22:ef:4a:40:ec:59:40:60:53:4a:fc: 8e:47:57:23:e0:75:0a:a4:1c:0e:2f:3d:e0:b2:87:4d:61:8a: 4a:cb:cb:37:af:51:bd:53:78:76:a1:16:3d:0b:89:01:91:61: 52:d0:6f:5c:09:59:15:be:b8:68:65:0c:5d:1b:a1:f8:42:04: ba:aa Table 35 Command output Field Description Version CRL version number. Signature Algorithm Signature algorithm used by the CA to sign the CRL.
  • Page 278 Predefined user roles network-admin Parameters fqdn-name-string: Specifies an FQDN, a case-sensitive string of 1 to 255 characters. Usage guidelines An FQDN uniquely identifies a PKI entity on a network. It consists of a host name and a domain name in the format of hostname@domainname. Examples # Set pki.domain-name.com as the FQDN of the PKI entity en.
  • Page 279: Ldap-Server

    ldap-server Use ldap-server to specify an LDAP server for a PKI domain. Use undo ldap-server to remove the configuration. Syntax ldap-server host hostname [ port port-number ] [ vpn-instance vpn-instance-name ] undo ldap-server Default No LDAP server is specified for a domain. Views PKI domain view Predefined user roles...
  • Page 280: Locality

    • pki retrieve-crl locality Use locality to set the locality for a PKI entity. Use undo locality to remove the configuration. Syntax locality locality-name undo locality Default No locality is set for a PKI entity. Views PKI entity view Predefined user roles network-admin Parameters locality-name: Specifies a locality, a case-sensitive string of 1 to 63 characters.
  • Page 281: Organization-Unit

    Parameters org-name: Specifies an organization name, a case-sensitive string of 1 to 63 characters. No comma can be included. Examples # Set abc as the organization name of the PKI entity en. <Sysname> system-view [Sysname] pki entity en [Sysname-pki-entity-en] organization abc organization-unit Use organization-unit to set the organization unit name for a PKI entity.
  • Page 282: Pki Certificate Access-Control-Policy

    Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), backslash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
  • Page 283: Pki Certificate Attribute-Group

    Related commands display pki certificate access-control-policy • rule • pki certificate attribute-group Use pki certificate attribute-group to create a certificate attribute group and enter its view. Use undo pki certificate attribute-group to remove a specified certificate attribute group. Syntax pki certificate attribute-group group-name undo pki certificate attribute-group group-name Default No certificate attribute group exists.
  • Page 284 Views System view Predefined user roles network-admin Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), backslash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
  • Page 285: Pki Domain

    Related commands display pki certificate pki domain Use pki domain to create a PKI domain and enter its view. Use undo pki domain to remove a PKI domain. Syntax pki domain domain-name undo pki domain domain-name Default No PKI domain exists. Views System view Predefined user roles...
  • Page 286: Pki Export

    Views System view Predefined user roles network-admin Parameters entity-name: Specifies the name of a PKI entity, a case-insensitive string of 1 to 31 characters. Usage guidelines You can configure a variety of attributes for a PKI entity, such as common name, organization, organization unit, locality, state, country, FQDN, and IP address.
  • Page 287 all: Specifies all certificates, including the CA certificate and local certificates in the PKI domain, excluding the RA certificate. ca: Specifies the CA certificate. local: Specifies the local certificates or the local certificates and their private keys. passphrase p12passwordstring: Specifies a password for encrypting the private key of a local PKCS12 certificate.
  • Page 288 When you export the local certificates or all certificates in PEM format, if you do not specify the cryptographic algorithm and the challenge password for the private key, this command does not export the private keys of the local certificates. If you specify the cryptographic algorithm and the password, and the local certificates have their private keys, this command can export the local certificates with their private keys.
  • Page 289 A1UEBhMCQ04xFDASBgNVBAoMC09wZW5DQSBMYWJzMREwDwYDVQQLDAhzb2Z0d2Fy ZTENMAsGA1UEAwwEYWJjZDAeFw0xMTA0MjYxMzMxMjlaFw0xMjA0MjUxMzMxMjla ME0xCzAJBgNVBAYTAkNOMRQwEgYDVQQKDAtPcGVuQ0EgTGFiczEOMAwGA1UECwwF VXNlcnMxGDAWBgNVBAMMD2Noa3Rlc3QgY2hrdGVzdDCBnzANBgkqhkiG9w0BAQEF AAOBjQAwgYkCgYEA54rUZ0Ux2kApceE4ATpQ437CU6ovuHS5eJKZyky8fhMoTHhE jE2KfBQIzOZSgo2mdgpkccjr9Ek6IUC03ed1lPn0IG/YaAl4Tjgkiv+w1NrlSvAy cnPaSUko2QbO9sg3ycye1zqpbbqj775ulGpcXyXYD9OY63/Cp5+DRQ92zGsCAwEA AaOCAhUwggIRMAkGA1UdEwQCMAAwUAYDVR0gBEkwRzAGBgQqAwMEMAYGBCoDAwUw NQYEKgMDBjAtMCsGCCsGAQUFBwIBFh9odHRwczovL3RpdGFuL3BraS9wdWIvY3Bz L2Jhc2ljMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCBsAwKQYDVR0lBCIw IAYIKwYBBQUHAwIGCCsGAQUFBwMEBgorBgEEAYI3FAICMC4GCWCGSAGG+EIBDQQh Fh9Vc2VyIENlcnRpZmljYXRlIG9mIE9wZW5DQSBMYWJzMB0GA1UdDgQWBBTPw8FY ut7Xr2Ct/23zU/ybgU9dQjAfBgNVHSMEGDAWgBQzEQ58yIC54wxodp6JzZvn/gx0 CDAaBgNVHREEEzARgQ9jaGt0ZXN0QGgzYy5jb20wGQYDVR0SBBIwEIEOcGtpQG9w ZW5jYS5vcmcwgYEGCCsGAQUFBwEBBHUwczAyBggrBgEFBQcwAoYmaHR0cDovL3Rp dGFuL3BraS9wdWIvY2FjZXJ0L2NhY2VydC5jcnQwHgYIKwYBBQUHMAGGEmh0dHA6 Ly90aXRhbjoyNTYwLzAdBggrBgEFBQcwDIYRaHR0cDovL3RpdGFuOjgzMC8wPAYD VR0fBDUwMzAxoC+gLYYraHR0cDovLzE5Mi4xNjguNDAuMTI4L3BraS9wdWIvY3Js L2NhY3JsLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAGcMeSpBJiuRmsJW0iZK5nygB tgD8c0b+n4v/F36sJjY1fRFSr4gPLIxZhPWhTrqsCd+QMELRCDNHDxvt3/1NEG12 X6BVjLcKXKH/EQe0fnwK+7PegAJ15P56xDeACHz2oysvNQ0Ot6hGylMqaZ8pKUKv UDS8c+HgIBrhmxvXztI08N1imYHq27Wy9j6NpSS60mMFmI5whzCWfTSHzqlT2DNd no0id18SZidApfCZL8zoMWEFI163JZSarv+H5Kbb063dxXfbsqX9Noxggh0gD8dK 7X7/rTJuuhTWVof5gxSUJp+aCCdvSKg0lvJY+tJeXoaznrINVw3SuXJ+Ax8GEw== -----END CERTIFICATE----- Bag Attributes friendlyName: localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D Key Attributes: <No Attributes>...
  • Page 290 <Sysname> system-view [Sysname] pki export domain domain1 pem all des-cbc 111 %The signature usage local certificate: Bag Attributes friendlyName: localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D subject=/C=CN/O=OpenCA Labs/OU=Users/CN=chktest chktest issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd -----BEGIN CERTIFICATE-----...
  • Page 291 BwUnFYRlvGe7bSQpXjwi8LTyxHPy+dDVjO5CP+rXx5IiToFy1YGWewkyn/WeswDf Yx7ZludNus5vKWTihgx2Qalgb+sqUMwI/WUET7ghO2dRxPUdUbgIYF0saTndKPYd 4oBgl6M0SMsHhe9nF5UCAwEAAaOCAVowggFWMA8GA1UdEwEB/wQFMAMBAf8wCwYD VR0PBAQDAgEGMB0GA1UdDgQWBBQzEQ58yIC54wxodp6JzZvn/gx0CDAfBgNVHSME GDAWgBQzEQ58yIC54wxodp6JzZvn/gx0CDAZBgNVHREEEjAQgQ5wa2lAb3BlbmNh Lm9yZzAZBgNVHRIEEjAQgQ5wa2lAb3BlbmNhLm9yZzCBgQYIKwYBBQUHAQEEdTBz MDIGCCsGAQUFBzAChiZodHRwOi8mdcGl0YW4vcGtpL3B1Yi9jYWNlcnQvY2FjZXJ0 LmNydDAeBggrBgEFBQcwAYYSaHR0cDovL3RpdGFuOjI1NjAvMB0GCCsGAQUFBzAM hhFodHRwOi8mdcGl0YW46ODMwLzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vMTky LjE2OC40MC4xMjgvcGtpL3B1Yi9jcmwvY2FjcmwuY3JsMA0GCSqGSIb3DQEBCwUA A4IBAQC0q0SSmvQNfa5ELtRKYF62C/Y8QTLbk6lZDTZuIzN15SGKQcbNM970ffCD Lk1zosyEVE7PLnii3bZ5khcGO3byyXfluAqRyOGVJcudaw7uIQqgv0AJQ+zaQSHi d4kQf5QWgYkQ55/C5puOmcMRgCbMpR2lYkqXLDjTIAZIHRZ/sTp6c+ie2bFxi/YT 3xYbO0wDMuGOKJJpsyKTKcbG9NdfbDyFgzEYAobyYqAUB3C0/bMfBduwhQWKSoYE 6vZsPGAEisCmAl3dIp49jPgVkixoShraYF1jLsWzJGlzem8QvWYzOqKEDwq3SV0Z cXK8gzDBcsobcUMkwIYPAmd1kAPX -----END CERTIFICATE----- Bag Attributes friendlyName: localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D Key Attributes: <No Attributes>...
  • Page 292 dCvNIUYXXVOGca2iaSOElqCF4CQfV9zLrBtA7giHD49T+JbxLrrJLmdIQMJ+vYdC sCxIp3YMAiuCahVLZeXklooqwqIXAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAElm7 W2Lp9Xk4nZVIpVV76CkNe8/C+Id00GCRUUVQFSMvo7Pded76bmYX2KzJSz+DlMqy TdVrgG9Fp6XTFO80aKJGe6NapsfhJHKS+Q7mL0XpXeMONgK+e3dX7rsDxsY7hF+j 0gwsHrjV7kWvwJvDlhzGW6xbpr4DRmdcao19Cr6o= -----END CERTIFICATE----- # Export the CA certificate in the PKI domain to a file named cacert in PEM format. <Sysname> system-view [Sysname] pki export domain domain1 pem ca filename cacert # Display the CA certificate or the CA certificate chain in the PKI domain on the terminal. <Sysname>...
  • Page 293: Pki Import

    14nKIEbexbPONspebtznxv4/xTjd1aM2rfQ95jJ/SN8H8KIyiYZyIs3t5Q+V35x1 cef+NMWgZBzwXOSP0wC9+pC2ZNiIpg== -----END CERTIFICATE----- # Export the local certificates and their private keys in the PKI domain to a file named cert-lo.der in PKCS12 format. The password for the private keys is 123. <Sysname> system-view [Sysname] pki export domain domain1 pkcs12 local passphrase 123 filename cert-lo.der # Export all certificates in the PKI domain to a file named cert-all.p7b in PKCS12 format.
  • Page 294 • Use a certificate that is packed with the server-generated key pair in a single file. Only certificate files in PKCS12 or PEM format might contain key pairs. Before you import the certificates, complete the following tasks: • Use FTP or TFTP to upload the certificate files to the storage media of the device. If FTP or TFTP is not...
  • Page 295 The import operation automatically updates or generates the proper key pair. When you perform the import operation, be sure to save the configuration file to avoid data loss. Examples # Import the CA certificate file rootca_pem.cer in PEM format to the PKI domain aaa. The certificate file contains the root certificate.
  • Page 296 Xqd9zEFlBPpoJFtJqXwxHUCKgw6kJeC4CxHvi9ZCJU/upg9IpiguFPoaDOPia+Pm GbRqSyy55clVde5GOccGN1DZ94DW7AypazgLpBbrkIYAdjFPRmq+zMOdyqsGMTNj jnheI5l784pNOAKuGi0i/uXmRRcfoMh6qAnK6YZGS7rOLC9CfPmy8fgY+/Sl9d9x Q00ruO1psxzh9c2YfuaiXFIx0auKl6o5+ZZYn7Rg/xy2Y0awVP+dO925GoAcHO40 cCl6jA/HsGAU9HkpwKHL35lmBDRLEzQeBFcaGwSm1JvRfE4tkJM7+Uz2QHJOfP10 0VLqMgxMlpk3TvBWgzHGJDe7TdzFCDPMPhod8pi4P8gGXmQd01PbyQ== -----END RSA PRIVATE KEY----- Bag Attributes localKeyID: 01 00 00 00 subject=/CN=sldsslserver issuer=/C=cn/O=ccc/OU=sec/CN=ssl -----BEGIN CERTIFICATE----- MIICjzCCAfigAwIBAgIRAJoDN+shVrofVHbk11SlqfcwDQYJKoZIhvcNAQEFBQAw NzELMAkGA1UEBhMCY24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDc2VjMQwwCgYD VQQDEwNzc2wwHhcNMTAxMDE1MDEyMzA2WhcNMTIwNzI2MDYzMDU0WjAXMRUwEwYD VQQDEwxzbGRzc2xzZXJ2ZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMLP N3aTKV7NDndIOk0PpiikYPgxVih/geMXR3iYaANbcvRX07/FMDINWHJnBAZhCDvp rFO552loGiPyl0wmFMK12TSL7sHvrxr0OdrFrqtWlbW+DsNGNcFSKZy3RvIngC2k ZZqBeFPUytP185JUhbOrVaUDlisZi6NNshcIjd2BAgMBAAGjgbowgbcwHwYDVR0j BBgwFoAUmoMpEynZYoPLQdR1LlKhZjg8kBEwDgYDVR0PAQH/BAQDAgP4MBEGCWCG SAGG+EIBAQQEAwIGQDASBgNVHREECzAJggdoM2MuY29tMB0GA1UdDgQWBBQ8dpWb 3cJ/X5iDt8eg+JkeS9cvJjA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vczAzMTMw LmgzYy5odWF3ZWktM2NvbS5jb206NDQ3L3NzbC5jcmwwDQYJKoZIhvcNAQEFBQAD gYEAYS15x0kW474lu4twNzEy5dPjMSwtwfm/UK01S8GQjGV5tl9ZNiTHFGNEFx7k zxBp/JPpcFM8hapAfrVHdQ/wstq0pVDdBkrVF6XKIBks6XgCvRl32gcaQt9yrQd9 5RbWdetuBljudjFj25airYO2u7pLeVmdWWx3WVvZBzOo8KU= -----END CERTIFICATE----- Bag Attributes: <Empty Attributes> subject=/C=cn/O=ccc/OU=sec/CN=ssl issuer=/C=cn/O=ccc/OU=sec/CN=ssl -----BEGIN CERTIFICATE-----...
  • Page 297: Pki Request-Certificate

    Overwrite it? [Y/N]:y The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-). Please enter the key pair name [default name: bbb]: The key pair already exists.
  • Page 298: Pki Retrieve-Certificate

    Examples # Display information about the certificate request in the PKCS#10 format. <Sysname> system-view [Sysname] pki request-certificate domain aaa pkcs10 *** Request for general certificate *** -----BEGIN NEW CERTIFICATE REQUEST----- MIIBTDCBtgIBADANMQswCQYDVQQDEwJqajCBnzANBgkqhkiG9w0BAQEFAAOBjQAw gYkCgYEAw5Drj8ofs9THA4ezkDcQPBy8pvH1kumampPsJmx8sGG52NFtbrDTnTT5 ALx3LJijB3d/ndKpcHT/DfbJVDCn5gdw32tBZyCkEwMHZN3ol2z7Nmdcu5TED6iN8 4m+hfp1QWoV6lty3o9pxAXuQl8peUDcfN6WV3LBXYyl1WCtkLkECAwEAAaAAMA0G CSqGSIb3DQEBBAUAA4GBAA8E7BaIdmT6NVCZgv/I/1tqZH3TS4e4H9Qo5NiCKiEw R8owVmA0XVtGMbyqBNcDTG0f5NbHrXZQT5+MbFJOnm5K/mn1ro5TJKMTKV46PlCZ JUjsugaY02GBY0BVcylpC9iIXLuXNIqjh1MBIqVsa1lQOHS7YMvnop6hXAQlkM4c -----END NEW CERTIFICATE REQUEST----- # Request the local certificates.
  • Page 299: Pki Retrieve-Crl

    • You can obtain the CA certificate through the SCEP protocol. If a CA certificate already exists locally, do not obtain the CA certificate again. To obtain a new one, use the pki delete-certificate command to remove the CA certificate and local certificates, and then obtain the CA certificate again.
  • Page 300: Pki Storage

    vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe ('). Usage guidelines CRLs are used to verify the validity of the local certificates and the peer certificates in a PKI domain. To obtain CRLs, a PKI domain must have the proper CA certificate.
  • Page 301: Pki Validate-Certificate

    crls: Specifies a storage path for the CRLs. dir-path: Specifies a storage path, a case-sensitive string, which cannot start with a slash (/) or contain two dots plus a slash (../). The dir-path argument specifies an absolute path or a relative path, and the path must exist.
  • Page 302 When CRL checking is enabled: • To verify the local certificates, if the PKI domain has no CRLs, the device looks up the locally saved CRLs. If a proper CRL is found, the device loads the CRL into the PKI domain. Otherwise, the device obtains the proper CRL from the CA server and saves it locally.
  • Page 303: Public-Key Dsa

    C=CN O=sec OU=software CN=bca Subject: O=OpenCA Labs OU=Users CN=fips fips-sec Verify result: OK Related commands • crl check • pki domain public-key dsa Use public-key dsa to specify a DSA key pair for certificate request. Use undo public-key to remove the configuration. Syntax public-key dsa name key-name [ length key-length ] undo public-key...
  • Page 304: Public-Key Rsa

    • If RSA is used, a PKI domain can have two key pairs: one is the signing key pair, and the other is the encryption key pair. • In a PKI domain, key pairs for different purposes (RSA signing and RSA encryption) do not overwrite...
  • Page 305: Root-Certificate Fingerprint

    name key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters, which can include only letters, digits, and hyphen (-). length key-length: Specifies the key length, in bits. In non-FIPS mode, the value range is 512 to 2048, and the default is 1024.
  • Page 306 Syntax In non-FIPS mode: root-certificate fingerprint { md5 | sha1 } string undo root-certificate fingerprint In FIPS mode: root-certificate fingerprint sha1 string undo root-certificate fingerprint Default No fingerprint is set. Views PKI domain view Predefined user roles network-admin Parameters md5: Sets an MD5 fingerprint. sha1: Sets a SHA1 fingerprint.
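The PEM bundles written by pki export (pages 288 to 291 above) and the fingerprint configured with root-certificate fingerprint are two sides of the same check: the device compares the hash of the CA certificate it obtains against the configured value before trusting it. The following Python is an added example, not code from HP or the MSR software. It parses a bundle in the layout shown above (Bag Attributes, subject=/issuer= lines, PEM blocks, a private-key block to be skipped), computes the MD5 or SHA1 fingerprint over the DER bytes, refuses MD5 when a FIPS flag is set (mirroring the command syntax), and compares in constant time. The sample bundle is constructed here; its base64 bodies are placeholder bytes, not real DER certificates.

```python
import base64
import hashlib
import hmac


def _pem_block(label: str, body: bytes) -> str:
    """Wrap bytes as a PEM block with 64-character lines (helper for the constructed sample)."""
    b64 = base64.b64encode(body).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed sample in the layout of `pki export domain ... pem all` output.
# The encoded bodies are placeholders, NOT real DER certificates or keys.
SAMPLE_BUNDLE = (
    "Bag Attributes\n"
    "    friendlyName: \n"
    "    localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D\n"
    "subject=/C=CN/O=OpenCA Labs/OU=Users/CN=chktest chktest\n"
    "issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd\n"
    + _pem_block("CERTIFICATE", b"placeholder: local certificate, not real DER")
    + "Bag Attributes\n"
    "    localKeyID: 01 00 00 00\n"
    "Key Attributes: <No Attributes>\n"
    + _pem_block("RSA PRIVATE KEY", b"placeholder: private key, not real DER")
    + "subject=/C=CN/O=OpenCA Labs/OU=software/CN=abcd\n"
    "issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd\n"
    + _pem_block("CERTIFICATE", b"placeholder: CA certificate, not real DER")
)


def parse_pem_bundle(text: str) -> list:
    """Return [{'subject', 'issuer', 'der'}] for every CERTIFICATE block.

    Private-key blocks and Bag/Key Attributes lines are skipped; the subject= and
    issuer= lines that precede a block are attached to it.
    """
    certs = []
    subject = issuer = None
    label, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if label is not None:
            if line == "-----END %s-----" % label:
                if label == "CERTIFICATE":
                    certs.append({"subject": subject, "issuer": issuer,
                                  "der": base64.b64decode("".join(body))})
                label, body = None, []
                subject = issuer = None
            else:
                body.append(line)
        elif line.startswith("-----BEGIN ") and line.endswith("-----"):
            label = line[len("-----BEGIN "):-len("-----")]
        elif line.startswith("subject="):
            subject = line[len("subject="):]
        elif line.startswith("issuer="):
            issuer = line[len("issuer="):]
    if label is not None:
        raise ValueError("unterminated %s block" % label)
    return certs


def fingerprint(der: bytes, algo: str, fips: bool = False) -> str:
    """Upper-case hex digest of the DER certificate, the form root-certificate fingerprint takes.

    Only md5 and sha1 are accepted, and md5 only outside FIPS mode, matching the command syntax.
    """
    if algo not in ("md5", "sha1"):
        raise ValueError("fingerprint algorithm must be md5 or sha1")
    if fips and algo == "md5":
        raise ValueError("md5 fingerprints are not allowed in FIPS mode")
    return hashlib.new(algo, der).hexdigest().upper()


def verify_root_fingerprint(bundle_text: str, expected_hex: str, algo: str,
                            fips: bool = False) -> bool:
    """Locate the one self-signed (subject == issuer) certificate and compare its fingerprint.

    Colons, spaces and case in the configured value are ignored; the comparison is constant-time.
    """
    roots = [c for c in parse_pem_bundle(bundle_text)
             if c["subject"] is not None and c["subject"] == c["issuer"]]
    if len(roots) != 1:
        return False
    actual = fingerprint(roots[0]["der"], algo, fips)
    expected = expected_hex.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(actual.encode("ascii"), expected.encode("ascii"))
```

The same routine can be pointed at a real exported CA certificate: compute the SHA1 fingerprint offline, configure it with root-certificate fingerprint sha1, and a CA certificate delivered over SCEP that does not match is rejected rather than silently trusted.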
  • Page 307: Rule

    <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93 Related commands • certificate request mode • pki import • pki retrieve-certificate rule Use rule to create a rule (or statement). Use undo rule to remove a statement. Syntax rule [ id ] { deny | permit } group-name undo rule id Default...
  • Page 308: Source

    [Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup Related commands • attribute • display pki certificate access-control-policy • pki certificate attribute-group source Use source to specify the source IP address for PKI protocol packets. Use undo source to remove the configuration. Syntax source { ip | ipv6 } { ip-address | interface interface-type interface-number } undo source Default The source IP address is the outgoing interface IP address of the route to the CA.
  • Page 309: State

    [Sysname] pki domain 1 [Sysname-pki-domain-1] source ipv6 1::8 # Specify the IP address of the interface GigabitEthernet 1/0/1 as the source IPv4 address of PKI protocol packets. <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] source ip interface gigabitethernet 1/0/1 # Specify the IPv6 address of the interface GigabitEthernet 1/0/1 as the source IPv6 address of PKI protocol packets.
  • Page 310 undo usage [ ike | ssl-client | ssl-server ] * Default No extension is specified, and a certificate can be used for all applications, including IKE, SSL clients, and SSL servers. Views PKI domain view Predefined user roles network-admin Parameters ike: Specifies the IKE certificate extension so IKE peers can use the certificates.
  • Page 311: Ipsec Commands

    IPsec commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. ah authentication-algorithm Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
  • Page 312: Description

    [Sysname-ipsec-transform-set-tran1] ah authentication-algorithm sha1 description Use description to configure description for an IPsec policy, IPsec policy template, or IPsec profile. Use undo description to restore the default. Syntax description text undo description Default No description is defined. Views IPsec policy view, IPsec policy template view, IPsec profile view Predefined user roles network-admin Parameters...
  • Page 313 policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters. seq-number: Specifies an IPsec policy entry by its sequence number in the range of 1 to 65535. Usage guidelines If you do not specify any parameters, this command displays information about all IPsec policies. •...
  • Page 314 ESP authentication hex key: ----------------------------- Sequence number: 2 Mode: isakmp ----------------------------- The policy configuration is incomplete: Remote-address not set ACL not specified Transform-set not set Description: This is my first IPv4 Isakmp policy Security data flow: Selector mode: standard Local address: Remote address: Transform set: IKE profile:...
  • Page 315 AH authentication hex key: Outbound ESP setting: ESP SPI: 8000 (0x00001f40) ESP string-key: ****** ESP encryption hex key: ESP authentication hex key: ----------------------------- Sequence number: 2 Mode: isakmp ----------------------------- Description: This is my complete policy Security data flow: 3200 Selector mode: standard Local address: Remote address: 5.3.6.9 Transform set:...
  • Page 316 AH SPI: 1237 (0x000004d5) AH string-key: ****** AH authentication hex key: Outbound ESP setting: ESP SPI: 1238 (0x000004d6) ESP string-key: ****** ESP encryption hex key: ESP authentication hex key: Table 36 Command output Field Description IPsec Policy IPsec policy name. Sequence number Sequence number of the IPsec policy entry.
  • Page 317: Display Ipsec { Ipv6-Policy-Template | Policy-Template

    Field Description ESP encryption hex key (****** is displayed if the key is ESP encryption hex key configured). ESP authentication hex key (****** is displayed if the key is ESP authentication hex key configured). Related commands ipsec { ipv6-policy | policy } display ipsec { ipv6-policy-template | policy-template } Use display ipsec { ipv6-policy-template | policy-template } to display information about IPsec policy templates.
  • Page 318: Display Ipsec Profile

    --------------------------------- Description: This is policy template Security data flow : IKE profile: None Remote address: 162.105.10.2 Transform set: testprop IPsec SA local duration(time based): 3600 seconds IPsec SA local duration(traffic based): 1843200 kilobytes # Display information about all IPv6 IPsec policy templates. <Sysname>...
  • Page 319 Syntax display ipsec profile [ profile-name ] Views Any view Predefined user roles network-admin network-operator Parameters profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines If you do not specify any parameters, this command displays information about all IPsec profiles. Examples # Display information about all IPsec profiles.
  • Page 320: Display Ipsec Sa

    Field Description Negotiation mode used by the IPsec profile. Only the manual Mode mode is available. Description Description of the IPsec profile. Transform set IPsec transform set referenced by the IPsec profile. Related commands ipsec profile display ipsec sa Use display ipsec sa to display information about IPsec SAs. Syntax display ipsec sa [ brief | count | interface interface-type interface-number | { ipv6-policy | policy } policy-name [ seq-number ] | profile profile-name | remote [ ipv6 ] ip-address ]...
  • Page 321 Interface/Global Dst Address Protocol Status ----------------------------------------------------------------------- GE2/1/1 10.1.1.1 active GE2/1/1 255.255.255.255 4294967295 active GE2/1/1 100::1/64 active global active Table 39 Command output Field Description Interface where the IPsec SA belongs to or global IPsec SA (created by using an IPsec Interface/Global profile).
  • Page 322 SA duration (kilobytes/sec): 4294967295/604800 SA remaining duration (kilobytes/sec): 1843200/2686 Max received sequence-number: 5 Anti-replay check enable: Y Anti-replay window size: 32 UDP encapsulation used for NAT traversal: N Status: active [Outbound ESP SAs] SPI: 801701189 (0x2fc8fd45) Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 4294967295/604800 SA remaining duration (kilobytes/sec): 1843200/2686 Max sent sequence-number: 6...
  • Page 323: Display Ipsec Statistics

    Field Description Perfect forward secrecy (PFS) used by the IPsec policy for negotiation: • 768-bit Diffie-Hellman group (dh-group1) • 1024-bit Diffie-Hellman group (dh-group2) Perfect Forward Secrecy • 1536-bit Diffie-Hellman group (dh-group5) • 2048-bit Diffie-Hellman group (dh-group14) • 2048-bit Diffie-Hellman group with a 256-bit subgroup (dh-group24) Path MTU Path MTU of the IPsec SA.
  • Page 324 Syntax display ipsec statistics [ tunnel-id tunnel-id ] Views Any view Predefined user roles network-admin network-operator Parameters tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel ID is 0 to 4294967295. You can use the display ipsec tunnel brief command to display the IDs of established IPsec tunnels.
  • Page 325: Display Ipsec Transform-Set

    Authentication failure: 0 Encapsulation failure: 0 Decapsulation failure: 0 Replayed packets: 0 ACL check failure: 0 MTU check failure: 0 Loopback limit exceeded: 0 Crypto speed limit exceeded: 0 Table 41 Command output Field Description Received/sent packets Number of received/sent IPsec-protected packets. Received/sent bytes Number of bytes of received/sent IPsec-protected packets.
  • Page 326: Display Ipsec Tunnel

    Parameters transform-set-name: Specifies an IPsec transform set by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines If you do not specify an IPsec transform set, this command displays information about all IPsec transform sets. Examples # Display information about all IPsec transform sets. <Sysname>...
  • Page 327 Syntax display ipsec tunnel { brief | count | tunnel-id tunnel-id } Views Any view Predefined user roles network-admin network-operator Parameters brief: Displays brief information about IPsec tunnels. count: Displays the number of IPsec tunnels. tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel ID is 0 to 4294967295.
  • Page 328 <Sysname> display ipsec tunnel count Total IPsec Tunnel Count: 2 # Display information about all IPsec tunnels. <Sysname> display ipsec tunnel Tunnel ID: 0 Status: active Perfect forward secrecy: SA's SPI: outbound: 2000 (0x000007d0) [AH] inbound: 1000 (0x000003e8) [AH] outbound: 4000 (0x00000fa0) [ESP]...
  • Page 329: Encapsulation-Mode

    Table 44 Command output Field Description Tunnel ID IPsec ID, used to uniquely identify an IPsec tunnel. Status IPsec tunnel status. Only active is available. Perfect forward secrecy (PFS) used by the IPsec policy for negotiation: • 768-bit Diffie-Hellman group (dh-group1) •...
  • Page 330: Esp Authentication-Algorithm

    Usage guidelines IPsec supports the following encapsulation modes: • Transport mode—The security protocols protect the upper layer data of an IP packet. Only the transport layer data is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are placed after the original IP header.
  • Page 331: Esp Encryption-Algorithm

    Views IPsec transform set view Predefined user roles network-admin Parameters md5: Uses the HMAC-MD5 algorithm, which uses a 128-bit key. sha1: Uses the HMAC-SHA1 algorithm, which uses a 160-bit key. Usage guidelines In non-FIPS mode, you can specify multiple ESP authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.
  • Page 332: Ike-Profile

    Parameters 3des-cbc: Uses the 3DES algorithm in CBC mode, which uses a 168-bit key. aes-cbc-128: Uses the AES algorithm in CBC mode, which uses a 128-bit key. aes-cbc-192: Uses the AES algorithm in CBC mode, which uses a 192-bit key. aes-cbc-256: Uses the AES algorithm in CBC mode, which uses a 256-bit key.
  • Page 333: Ipsec Anti-Replay Check

    Usage guidelines The IKE profile referenced by an IPsec policy or IPsec policy template defines the parameters used for IKE negotiation. An IPsec policy or IPsec policy template can reference only one IKE profile and they cannot reference any IKE profile that is already referenced by another IPsec policy or IPsec policy template. Examples # Specify IPsec policy policy1 to reference IKE profile profile1.
  • Page 334: Ipsec Anti-Replay Window

    Related commands ipsec anti-replay window ipsec anti-replay window Use ipsec anti-replay window to set the anti-replay window size. Use undo ipsec anti-replay window to restore the default. Syntax ipsec anti-replay window width undo ipsec anti-replay window Default The anti-replay window size is 64. Views System view Predefined user roles...
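The anti-replay check and window commands above configure a sliding window over ESP/AH sequence numbers: a packet is accepted only if its sequence number is new and no further than the window width behind the highest number seen so far. The display ipsec sa output earlier on this page shows the state involved (Max received sequence-number, Anti-replay window size). The following Python is an added example of that algorithm, not code from HP or the MSR software; it is the RFC 4303 section 3.4.3 bitmap scheme with the default width of 64 and the 32-bit sequence number space assumed.

```python
class AntiReplayWindow:
    """Sliding anti-replay window over 32-bit IPsec sequence numbers.

    `size` plays the role of `ipsec anti-replay window width` (default 64 on the page).
    Bit i of `bitmap` is set when sequence number (highest - i) has already been accepted.
    """

    def __init__(self, size: int = 64):
        if size <= 0:
            raise ValueError("window size must be positive")
        self.size = size
        self.highest = 0           # highest sequence number accepted so far (Max received sequence-number)
        self.bitmap = 0            # seen-bits for the range [highest - size + 1, highest]
        self._mask = (1 << size) - 1

    def check_and_update(self, seq: int) -> bool:
        """Accept and record `seq` if it is new and inside the window; otherwise reject it."""
        if seq <= 0 or seq > 0xFFFFFFFF:
            return False           # 0 is never a valid sequence number; out-of-range is malformed
        if seq > self.highest:
            # Right of the window: slide it forward so that `seq` becomes the right edge.
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & self._mask if shift < self.size else 0
            self.bitmap |= 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False           # left of the window: too old, dropped as a replay candidate
        bit = 1 << diff
        if self.bitmap & bit:
            return False           # inside the window but already seen: replay
        self.bitmap |= bit         # inside the window and new: accept, mark as seen
        return True


def replay_filter(seqs, size: int = 64):
    """Run a stream of sequence numbers through a fresh window; return (accepted, dropped)."""
    window = AntiReplayWindow(size)
    accepted, dropped = [], []
    for s in seqs:
        (accepted if window.check_and_update(s) else dropped).append(s)
    return accepted, dropped
```

A wider window tolerates more reordering (QoS queues, ECMP paths) at the cost of memory per SA; a duplicate inside the window or anything older than the window is dropped either way, so disabling the check, rather than widening the window, is what actually trades away replay protection.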
  • Page 335: Ipsec Decrypt-Check Enable

    IPsec policy that is already applied to the interface. An IKE-based IPsec policy can be applied to multiple interfaces. However, HP recommends that you apply an IKE-based IPsec policy to only one interface. A manual IPsec policy can be applied to only one interface.
  • Page 336: Ipsec Logging Packet Enable

    Usage guidelines In tunnel mode, the IP packet encapsulated in an inbound IPsec packet might not be under the protection of the ACL specified in the IPsec policy. After being de-encapsulated, such packets pose a threat to network security. In this scenario, you can enable ACL checking for de-encapsulated IPsec packets. All packets failing the check are discarded, improving network security.
  • Page 337: Ipsec Global-Df-Bit

    IPsec packets, the packets will not be fragmented. In this case, make sure the MTU on each interface along the forwarding path is larger than the IPsec packet length. Otherwise, the packets are discarded. If you cannot make sure of the MTU value, HP recommends that you clear the DF bit. Examples # Set the DF bit for outer IP headers of encapsulated IPsec packets on GigabitEthernet2/1/2.
  • Page 338: Ipsec { Ipv6-Policy | Policy

    IPsec packets, the packets will not be fragmented. In this case, make sure the MTU on each interface along the forwarding path is larger than the IPsec packet length. Otherwise, the packets are discarded. If you cannot make sure of the MTU value, HP recommends that you clear the DF bit. Examples # Set the DF bit for outer IP headers of encapsulated IPsec packets on all interfaces.
  • Page 339: Ipsec { Ipv6-Policy | Policy } Isakmp Template

    Predefined user roles network-admin Parameters ipv6-policy: Specifies an IPv6 IPsec policy. policy: Specifies an IPv4 IPsec policy. policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters. seq-number: Specifies a sequence number for the IPsec policy, in the range of 1 to 65535. isakmp: Establishes IPsec SAs through IKE negotiation.
  • Page 340: Ipsec { Ipv6-Policy | Policy } Local-Address

    undo ipsec { ipv6-policy | policy } policy-name [ seq-number ] Default No IPsec policy is created. Views System view Predefined user roles network-admin Parameters ipv6-policy: Specifies an IPv6 IPsec policy. policy: Specifies an IPv4 IPsec policy. policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters. seq-number: Specifies a sequence number for the IPsec policy, in the range of 1 to 65535.
  • Page 341: Ipsec { Ipv6-Policy-Template | Policy-Template } Policy-Template

    A source interface can be bound to multiple IPsec policies. HP recommends that you use a stable interface, such as a Loopback interface, as a source interface. Examples # Bind the IPsec policy map to source interface Loopback 1 1.
  • Page 342: Ipsec Profile

    Syntax ipsec { ipv6-policy-template | policy-template } template-name seq-number undo ipsec { ipv6-policy-template | policy-template } template-name [ seq-number ] Default No IPsec policy template is created. Views System view Predefined user roles network-admin Parameters ipv6-policy-template: Specifies an IPv6 IPsec policy template. policy-template: Specifies an IPv4 IPsec policy template.
  • Page 343: Ipsec Sa Global-Duration

    Syntax ipsec profile profile-name [ manual ] undo ipsec profile profile-name Default No IPsec profile is created. Views System view Predefined user roles network-admin Parameters profile-name: Specifies a name for the IPsec profile, a case-insensitive string of 1 to 63 characters. manual: Specifies the IPsec SA setup mode as manual.
  • Page 344: Ipsec Sa Idle-Time

    Parameters time-based seconds: Specifies the time-based global lifetime for IPsec SAs, in the range of 180 to 604800 seconds. traffic-based kilobytes: Specifies the traffic-based global lifetime for IPsec SAs, in the range of 2560 to 4294967295 kilobytes. When traffic on an SA reaches this value, the SA expires. Usage guidelines You can also configure IPsec SA lifetimes in IPsec policy view or IPsec policy template view.
  • Page 345: Ipsec Transform-Set

    Usage guidelines This function applies only to IPsec SAs negotiated by IKE. The IPsec SA idle timeout can also be configured in IPsec policy view or IPsec policy template view, which takes precedence over the global IPsec SA timeout. Examples # Set the IPsec SA idle timeout to 600 seconds.
  • Page 346: Local-Address

    local-address Use local-address to configure the local IP address for the IPsec tunnel. Use undo local-address to restore the default. Syntax local-address { ipv4-address | ipv6 ipv6-address } undo local-address Default The primary IPv4 address of the interface to which the IPsec policy is applied is used as the local IPv4 address.
  • Page 347: Protocol

    pfs dh-group14 undo pfs Default The PFS feature is disabled for the IPsec transform set. Views IPsec transform set view Predefined user roles network-admin Parameters dh-group1: Uses 768-bit Diffie-Hellman group. dh-group2: Uses 1024-bit Diffie-Hellman group. dh-group5: Uses 1536-bit Diffie-Hellman group. dh-group14: Uses 2048-bit Diffie-Hellman group.
  • Page 348: Qos Pre-Classify

    Views IPsec transform set view Predefined user roles network-admin Parameters ah: Specifies the AH protocol. ah-esp: Specifies using the ESP protocol first and then using the AH protocol. esp: Specifies the ESP protocol. Usage guidelines The two tunnel ends must use the same security protocol in the IPsec transform set. Examples # Specify the AH protocol for the IPsec transform set.
  • Page 349: Remote-Address

    remote-address Use remote-address to configure the remote IP address for the IPsec tunnel. Use undo remote-address to restore the default. Syntax remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address } undo remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address } Default No remote IP address is specified for the IPsec tunnel.
  • Page 350: Reset Ipsec Sa

    [Sysname] ip host test 2.2.2.2 In this case, you must reconfigure the remote host name for the IPsec policy policy1 so that the local end can obtain the latest IP address of the remote host. # Reconfigure the remote host name to test for the IPsec tunnel in the IPsec policy policy1. [Sysname] ipsec policy policy1 1 isakmp [Sysname-ipsec-policy-isakmp-policy1-1] remote-address test Examples...
  • Page 351: Reset Ipsec Statistics

    • ah: Specifies the AH protocol. • esp: Specifies the ESP protocol. • spi-num: Specifies the security parameter index in the range of 256 to 4294967295. Usage guidelines If you do not specify any parameters, this command clears all IPsec SAs. If you specify an SA triplet, this command clears the IPsec SA matching the triplet, and all the other IPsec SAs that were established during the same negotiation process, including the corresponding IPsec SA in the other direction, and the inbound and outbound IPsec SAs using the other security protocol (AH or...
  • Page 352: Reverse-Route Dynamic

    Parameters tunnel-id tunnel-id: Clears IPsec packet statistics for the specified IPsec tunnel. The value range for the tunnel-id is 0 to 4294967295. If you do not specify this option, the command clears all IPsec packet statistics. Examples # Clear IPsec packet statistics. <Sysname>...
  • Page 353: Reverse-Route Preference

    # Display the routing table. You can see a created static route. (Other information is not shown.) [Sysname] display ip routing-table … Destination/Mask Proto Cost NextHop Interface 3.0.0.0/24 Static 60 1.1.1.2 GigabitEthernet2/1/1 Related commands display ip routing-table (Layer 3—IP Routing Command Reference) •...
  • Page 354: Reverse-Route Tag

    reverse-route tag Use reverse-route tag to set a route tag for the static routes created by IPsec RRI. This tag helps in implementing flexible route control through routing policies. Use undo reverse-route tag to restore the default. Syntax reverse-route tag tag-value undo reverse-route tag Default The tag value is 0 for the static routes created by IPsec RRI.
  • Page 355: Sa Hex-Key Authentication

    Predefined user roles network-admin Parameters time-based seconds: Specifies the time-based SA lifetime in the range of 180 to 604800 seconds. traffic-based kilobytes: Specifies the traffic-based SA lifetime in the range of 2560 to 4294967295 kilobytes. Usage guidelines IKE prefers the SA lifetime of the IPsec policy over the global SA lifetime. If the IPsec policy is not configured with the SA lifetime, IKE uses the global SA lifetime configured by the ipsec sa global-duration command for SA negotiation.
  • Page 356: Sa Hex-Key Encryption

    Parameters inbound: Specifies a hexadecimal authentication key for inbound SAs. outbound: Specifies a hexadecimal authentication key for outbound SAs. ah: Uses AH. esp: Uses ESP. cipher key-value: Sets a ciphertext authentication key, a case-sensitive string of 1 to 85 characters. simple key-value: Sets a plaintext authentication key.
  • Page 357 Default No encryption key is configured for manual IPsec SAs. Views IPsec policy view, IPsec profile view Predefined user roles network-admin Parameters inbound: Specifies a hexadecimal encryption key for inbound SAs. outbound: Specifies a hexadecimal encryption key for outbound SAs. esp: Uses ESP.
  • Page 358: Sa Idle-Time

    sa idle-time Use sa idle-time to set the IPsec SA idle timeout for an IPsec policy or IPsec policy template. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted. Use undo sa idle-time to restore the default. Syntax sa idle-time seconds undo sa idle-time...
  • Page 359: Sa String-Key

    Views IPsec policy view, IPsec profile view Predefined user roles network-admin Parameters inbound: Specifies an SPI for inbound SAs. outbound: Specifies an SPI for outbound SAs. ah: Uses AH. esp: Uses ESP. spi-number: Specifies a security parameters index (SPI) in the range of 256 to 4294967295. Usage guidelines This command applies to only manual IPsec policies and IPsec profiles.
  • Page 360 Default No key string is configured for IPsec SAs. Views IPsec policy view, IPsec profile view Predefined user roles network-admin Parameters inbound: Sets a key string for inbound IPsec SAs. outbound: Sets a key string for outbound IPsec SAs. ah: Uses AH. esp: Uses ESP.
  • Page 361: Security Acl

    # In an IPsec policy for an IPv6 routing protocol, configure the inbound and outbound SAs that use AH to use the plaintext key abcdef. <Sysname> system-view [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef [Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple abcdef Related commands display ipsec sa...
  • Page 362: Snmp-Agent Trap Enable Ipsec

    A manual IPsec policy supports only the standard mode. Examples # Reference ACL 3001 for the IPsec policy policy1. <Sysname> system-view [Sysname] acl number 3001 [Sysname-acl-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [Sysname-acl-adv-3001] quit [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] security acl 3001 # Reference ACL 3002 for the IPsec policy policy2 and specify the data protection mode as aggregation.
  • Page 363: Transform-Set

    decrypt-failure: Specifies SNMP notifications for decryption failures. encrypt-failure: Specifies SNMP notifications for encryption failures. global: Specifies SNMP notifications globally. invalid-sa-failure: Specifies SNMP notifications for invalid-SA failures. no-sa-failure: Specifies SNMP notifications for SA-not-found failures. policy-add: Specifies SNMP notifications for events of adding IPsec policies. policy-attach: Specifies SNMP notifications for events of applying IPsec policies to interfaces.
  • Page 364 Predefined user roles network-admin Parameters transform-set-name&<1-6>: Specifies a space-separated list of up to six IPsec transform sets by their names, a case-insensitive string of 1 to 63 characters. Usage guidelines A manual IPsec policy can reference only one IPsec transform set. If you specify an IPsec transform set for the manual IPsec policy multiple times, the most recent configuration takes effect.
  • Page 365: Ike Commands

    IKE commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. authentication-algorithm Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.
  • Page 366: Certificate Domain

    Use undo authentication-method to restore the default. Syntax authentication-method { dsa-signature | pre-share | rsa-signature } undo authentication-method Default The IKE proposal uses the pre-shared key as the authentication method. Views IKE proposal view Predefined user roles network-admin Parameters dsa-signature: Specifies the DSA signatures as the authentication method. pre-share: Specifies the pre-shared key as the authentication method.
  • Page 367 Default No PKI domain is specified for IKE negotiation. Views IKE profile view Predefined user roles network-admin Parameters domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. If you do not specify this argument, all PKI domains configured on the device are used for enrollment, authentication, certificate issuing, validation, and signature.
  • Page 368: Display Ike Proposal

    dh group14 undo dh Default In non-FIPS mode, group1, the 768-bit Diffie-Hellman group, is used. In FIPS mode, group14, the 2048-bit Diffie-Hellman group, is used. Views IKE proposal view Predefined user roles network-admin Parameters group1: Uses the 768-bit Diffie-Hellman group. group14: Uses the 2048-bit Diffie-Hellman group.
  • Page 369: Display Ike Sa

    Usage guidelines This command displays the configuration information about all IKE proposals in descending order of proposal priorities. If no IKE proposal is configured, the command displays the default IKE proposal. Examples # Display the configuration information about all IKE proposals. <Sysname>...
  • Page 370 network-operator Parameters verbose: Displays detailed information. connection-id connection-id: Displays detailed information about IKE SAs by connection ID in the range of 1 to 2000000000. remote-address: Displays detailed information about IKE SAs with the specified remote address. ipv6: Specifies an IPv6 address. remote-address: Remote IP address.
  • Page 371 Local IP: 4.4.4.4 Local ID type: IPV4_ADDR Local ID: 4.4.4.4 Remote IP: 4.4.4.5 Remote ID type: IPV4_ADDR Remote ID: 4.4.4.5 Authentication-method: PRE-SHARED-KEY Authentication-algorithm: SHA1 Encryption-algorithm: AES-CBC-128 Life duration(sec): 86400 Remaining key duration(sec): 86379 Exchange-mode: Main Diffie-Hellman group: Group 1 NAT traversal: Not detected # Display detailed information about the IKE SA with the remote address of 4.4.4.5.
  • Page 372: Dpd

    Field Description VPN instance name of the MPLS L3VPN to which the receiving interface Outside VPN belongs. VPN instance name of the MPLS L3VPN to which the protected data Inside VPN belongs. Name of the matching IKE profile found in the IKE SA negotiation. Profile If no matching profile is found, this field displays nothing.
  • Page 373: Encryption-Algorithm

    Parameters interval interval-seconds: Specifies a period of time in seconds. The value range is from 1 to 300. • If the on-demand keyword is specified, this parameter specifies the number of seconds during which no IPsec packet is received before DPD is triggered if the local end has IPsec traffic to send. •...
  • Page 374: Exchange-Mode

    Views IKE proposal view Predefined user roles network-admin Parameters 3des-cbc: Uses the 3DES algorithm in CBC mode as the encryption algorithm. The 3DES algorithm uses a 168-bit key for encryption. aes-cbc-128: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses a 128-bit key for encryption.
  • Page 375: Ike Dpd

    Usage guidelines When a user at the local end of an IPsec tunnel obtains an IP address automatically and pre-shared key authentication is used, HP recommends specifying the aggressive mode at the local end. Examples # Specify that IKE negotiation operates in main mode.
  • Page 376: Ike Identity

    periodic: Sends DPD messages at regular intervals. Usage guidelines DPD is triggered periodically or on-demand. The on-demand mode is recommended when the device communicates with a large number of IKE peers. For an earlier detection of dead peers, use the periodical triggering mode, which consumes more bandwidth and CPU.
  • Page 377: Ike Invalid-Spi-Recovery Enable

    Usage guidelines The global identity can be used by the device for all IKE SA negotiations. The local identity (set by the local-identity command) can be used only by the device that uses the IKE profile. In pre-shared key authentication, you cannot set the DN as the identity. In signature authentication: •...
  • Page 378: Ike Keepalive Interval

    Use caution when you enable the invalid SPI recovery feature, because it can be abused to cause a DoS condition: an attacker can send a large number of invalid SPI notifications to the same peer. Examples # Enable invalid SPI recovery. <Sysname>...
  • Page 379: Ike Keychain

    Syntax ike keepalive timeout seconds undo ike keepalive timeout Default The negotiated aging time for the IKE SA applies. Views System view Predefined user roles network-admin Parameters seconds: Specifies the number of seconds between IKE keepalives. The value is in the range of 20 to 28800.
  • Page 380: Ike Limit

    Parameters keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters. vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IKE keychain belongs. The vpn-name argument is a case-sensitive string of 1 to 31 characters. To create an IKE keychain for the public network, do not specify this option.
  • Page 381: Ike Nat-Keepalive

    The supported maximum number of established IKE SAs depends on the device's memory space. Adjust the maximum number of established IKE SAs to make full use of the device's memory space without affecting other applications in the system. Examples # Set the maximum number of half-open IKE SAs to 200. <Sysname>...
  • Page 382: Ike Proposal

    Syntax ike profile profile-name undo ike profile profile-name Default No IKE profile is configured. Views System view Predefined user roles network-admin Parameters profile-name: Specifies an IKE profile name, a case-insensitive string of 1 to 63 characters. Examples # Create IKE profile 1 and enter its view. <Sysname>...
  • Page 383: Ike Signature-Identity From-Certificate

    Parameters proposal-number: Specifies an IKE proposal number in the range of 1 to 65535. The lower the number, the higher the priority of the IKE proposal. Usage guidelines During IKE negotiation: • The initiator sends its IKE proposals to the peer. If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals referenced by the IKE profile to the peer.
  • Page 384: Inside-Vpn

    If the ike signature-identity from-certificate command is not configured, the local-identity command configuration, if configured, takes precedence over the ike identity command configuration. Examples # Configure the local device to always obtain the identity information from the local certificate for signature authentication.
  • Page 385: Keychain

    keychain Use keychain to specify an IKE keychain for pre-shared key authentication. Use undo keychain to remove the IKE keychain reference. Syntax keychain keychain-name undo keychain keychain-name Default No IKE keychain is specified for an IKE profile. Views IKE profile view Predefined user roles network-admin Parameters...
  • Page 386: Match Local Address (Ike Keychain View)

    Views IKE profile view Predefined user roles network-admin Parameters address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the local ID. dn: Uses the DN in the local certificate as the local ID. fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.
  • Page 387: Match Local Address (Ike Profile View)

    Views IKE keychain view Predefined user roles network-admin Parameters interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 address of a local interface. ipv6 ipv6-address: Specifies the IPv6 address of a local interface. vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IPv4 or IPv6 address belongs.
  • Page 388: Match Remote

    Views IKE profile view Predefined user roles network-admin Parameters interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 address of a local interface. ipv6 ipv6-address: Specifies the IPv6 address of a local interface. vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IPv4 or IPv6 address belongs.
  • Page 389 low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } } Default No peer ID is configured for IKE profile matching. Views IKE profile view Predefined user roles network-admin Parameters certificate policy-name: Uses the DN in the peer's digital certificate as the peer ID for IKE profile matching.
  • Page 390: Pre-Shared-Key

    # Configure a peer ID with the identity type of IP address and the value of 10.1.1.1. [Sysname-ike-profile-prof1] match remote identity address 10.1.1.1 Related commands local-identity pre-shared-key Use pre-shared-key to configure a pre-shared key. Use undo pre-shared-key to remove a pre-shared key. Syntax pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key { cipher cipher-key | simple simple-key }...
  • Page 391: Priority (Ike Keychain View)

    Usage guidelines The address option or the hostname option specifies the peer with which the device can use the pre-shared key to perform IKE negotiation. Two peers must be configured with the same pre-shared key to pass pre-shared key authentication. For security purposes, all pre-shared keys, including those configured in plain text, are saved in cipher text to the configuration file.
  • Page 392: Priority (Ike Profile View)

    <Sysname> system-view [Sysname] ike keychain key1 [Sysname-ike-keychain-key1] priority 10 priority (IKE profile view) Use priority to specify a priority for an IKE profile. Use undo priority to restore the default. Syntax priority number undo priority Default The priority of an IKE profile is 100. Views IKE profile view Predefined user roles...
  • Page 393: Reset Ike Sa

    Views IKE profile view Predefined user roles network-admin Parameters proposal-number&<1-6>: Specifies a space-separated list of up to six IKE proposals by their numbers in the range of 1 to 65535. An IKE proposal specified earlier has a higher priority. Usage guidelines When acting as the initiator, the device sends the specified IKE proposals to its peer for IKE negotiation.
  • Page 394: Reset Ike Statistics

    Flags: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT # Delete the IKE SA with the connection ID 2. <Sysname> reset ike sa 2 # Display the current IKE SAs. <Sysname> display ike sa Total IKE SAs: Connection-ID Remote Flag ---------------------------------------------------------- 202.38.0.2 RD|ST IPSEC Flags: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT...
  • Page 395: Snmp-Agent Trap Enable Ike

    Predefined user roles network-admin Parameters seconds: Specifies the IKE SA lifetime in seconds, in the range of 60 to 604800. Usage guidelines If the communicating peers are configured with different IKE SA lifetime settings, the smaller setting takes effect. Before an IKE SA expires, IKE negotiates a new SA. The new SA takes effect immediately after it is negotiated.
  • Page 396 cert-unavailable: Specifies SNMP notifications for certificate-unavailable failures. decrypt-failure: Specifies SNMP notifications for decryption failures. encrypt-failure: Specifies SNMP notifications for encryption failures. global: Specifies SNMP notifications globally. invalid-cert-auth: Specifies SNMP notifications for invalid-certificate-authentication failures. invalid-cookie: Specifies SNMP notifications for invalid-cookie failures. invalid-id: Specifies SNMP notifications for invalid-ID failures.
  • Page 397: Ssh Commands

    SSH commands Some MSR routers support the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSH server commands display ssh server Use display ssh server on an SSH server to display the SSH server status or sessions.
  • Page 398: Display Ssh User-Information

    Field Description SSH server key generating interval SSH server key pair update interval. SSH authentication retries Maximum number of authentication attempts for SSH users. SFTP server Whether the SFTP server function is enabled. SFTP server Idle-Timeout SFTP connection idle timeout timer. # Display the SSH server sessions.
  • Page 399: Sftp Server Enable

    Parameters username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users. Usage guidelines This command only displays information about SSH users configured by using the ssh user command on the SSH server.
  • Page 400: Sftp Server Idle-Timeout

    Predefined user roles network-admin Examples # Enable the SFTP server function. <Sysname> system-view [Sysname] sftp server enable Related commands display ssh server sftp server idle-timeout Use sftp server idle-timeout to set the idle timeout timer for SFTP user connections on an SFTP server. Use undo sftp server idle-timeout to restore the default.
  • Page 401: Ssh Server Authentication-Retries

    Syntax ssh server acl acl-number undo ssh server acl Default An SSH server allows all IPv4 SSH clients to access the server. Views System view Predefined user roles network-admin Parameters acl-number: Specifies an ACL number in the range of 2000 to 4999. Usage guidelines You can use this command to filter the IPv4 SSH clients' request packets by referencing an ACL: If the ACL has rules configured, only the IPv4 SSH clients whose request packets match the permit...
  • Page 402: Ssh Server Authentication-Timeout

    Views System view Predefined user roles network-admin Parameters times: Specifies the maximum number of authentication attempts for SSH users, in the range of 1 to 5. Usage guidelines You can set this limit to prevent brute-force guessing of usernames and passwords. This configuration takes effect only for users who log in after the change.
  • Page 403: Ssh Server Compatible-Ssh1X Enable

    You can set a small value for the timeout timer to prevent TCP connections from being held open while authentication is still pending. Examples # Set the SSH user authentication timeout timer to 10 seconds. <Sysname> system-view [Sysname] ssh server authentication-timeout 10 Related commands display ssh server ssh server compatible-ssh1x enable...
  • Page 404: Ssh Server Enable

    undo ssh server dscp Default The DSCP value in IPv4 packets sent by the SSH server is 48. Views System view Predefined user roles network-admin Parameters dscp-value: Specifies the DSCP value in the outbound IPv4 packets, in the range of 0 to 63. Usage guidelines The DSCP value of a packet specifies the priority of the packet and affects the transmission priority of the packet.
  • Page 405: Ssh Server Ipv6 Acl

    ssh server ipv6 acl Use ssh server ipv6 acl to control access to the IPv6 SSH server. Use undo ssh server ipv6 acl to restore the default. Syntax ssh server ipv6 acl [ ipv6 ] acl-number undo ssh server ipv6 acl Default An SSH server allows all IPv6 SSH clients to access the server.
  • Page 406: Ssh Server Ipv6 Dscp

    ssh server ipv6 dscp Use ssh server ipv6 dscp to set the DSCP value in the IPv6 packets that the SSH server sends to the SSH clients. Use undo ssh server ipv6 dscp to restore the default. Syntax ssh server ipv6 dscp dscp-value undo ssh server ipv6 dscp Default The DSCP value in IPv6 packets sent by the SSH server is 48.
  • Page 407: Ssh User

    Parameters hours: Specifies an interval for updating the server key pair, in the range of 1 to 24 hours. Usage guidelines This command is not available in FIPS mode. Updating the RSA server key pair periodically reduces the risk of the key pair being compromised and enhances the security of the SSH connections.
  • Page 408 • scp: Specifies the service type as SCP. • sftp: Specifies the service type as SFTP. • stelnet: Specifies the service type as Stelnet. authentication-type: Specifies an authentication method for an SSH user: • password: Specifies password authentication. This authentication method features easy and fast...
  • Page 409: Ssh Client Commands

    If the authentication method is publickey or password-publickey, the working directory is specified • by the authorization-attribute command in the associated local user view. For an SSH user, the user role also depends on the authentication method: If the authentication method is password, the user role is authorized by the remote AAA server or •...
  • Page 410: Cdup

    Examples # Terminate the connection with the SFTP server. sftp> bye <Sysname> Use cd to change the working path on an SFTP server. Syntax cd [ remote-path ] Views SFTP client view Predefined user roles network-admin Parameters remote-path: Specifies the name of a path on the server. Usage guidelines You can use the cd ..
  • Page 411: Delete

    sftp> pwd Remote working directory: /test1 sftp> cdup Current Directory is:/ sftp> pwd Remote working directory: / sftp> delete Use delete to delete a file from the SFTP server. Syntax delete remote-file Views SFTP client view Predefined user roles network-admin Parameters remote-file: Specifies a file to delete from the server.
  • Page 412: Display Sftp Client Source

    Usage guidelines If the -a and -l keywords are not specified, the command displays the names of the files and subdirectories under a directory. This command functions as the ls command. Examples # Display detailed information about the files and subdirectories under the current working directory. sftp>...
  • Page 413: Display Ssh Client Source

    Related commands • sftp client ipv6 source • sftp client source display ssh client source Use display ssh client source to display the source IP address or source interface configured for the Stelnet client. Syntax display ssh client source Views Any view Predefined user roles network-admin...
  • Page 414: Get

    Use get to download a file from an SFTP server and save it locally. Syntax get remote-file [ local-file ] Views SFTP client view Predefined user roles network-admin Parameters remote-file: Specifies the name of a file on the SFTP server. local-file: Specifies the name for the local file.
  • Page 415 information of the file exit Quit sftp get remote-path [local-path] Download file help Display this help text ls [-a|-l][path] Display remote directory List all filenames List filename including the specific information of the file mkdir path Create remote directory put local-path [remote-path] Upload file Display remote working directory quit Quit sftp...
  • Page 416: Mkdir

    sftp> ls -a drwxrwxrwx 512 Dec 18 14:12 . drwxrwxrwx 512 Dec 18 14:12 .. -rwxrwxrwx 301 Dec 18 14:11 010.pub -rwxrwxrwx 301 Dec 18 14:12 011.pub -rwxrwxrwx 301 Dec 18 14:12 012.pub sftp> ls -l -rwxrwxrwx 301 Dec 18 14:11 010.pub -rwxrwxrwx 301 Dec 18 14:12 011.pub -rwxrwxrwx...
  • Page 417: Pwd

    sftp> put startup.bak startup01.bak Uploading startup.bak to /startup01.bak startup01.bak 100% 1424 1.4KB/s 00:00 Use pwd to display the current working directory of an SFTP server. Syntax Views SFTP client view Predefined user roles network-admin Examples # Display the current working directory of the SFTP server. sftp>...
  • Page 418: Rename

    Views SFTP client view Predefined user roles network-admin Parameters remote-file: Specifies a file to delete from an SFTP server. Usage guidelines This command functions as the delete command. Examples # Delete the file temp.c from the SFTP server. sftp> remove temp.c Removing /temp.c rename Use rename to change the name of a file or directory on an SFTP server.
  • Page 419: Scp

    Predefined user roles network-admin Parameters remote-path: Specifies a directory to delete from an SFTP server. Examples # Delete the sub-directory temp1 under the current directory on the SFTP server. sftp> rmdir temp1 Use scp to establish a connection to an IPv4 SCP server and transfer files with the server. Syntax In non-FIPS mode: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name...
  • Page 420 identity-key: Specifies a public key algorithm for the client, either dsa or rsa. The default is dsa. If the server uses publickey authentication, this keyword must be specified. • dsa: Specifies the public key algorithm dsa. • rsa: Specifies the public key algorithm rsa....
  • Page 421: Scp Ipv6

    Usage guidelines In publickey authentication, the client must get the local private key for digital signature. Because the publickey authentication uses either RSA or DSA algorithm, you must specify an algorithm by using the identity-key keyword. In this way, the client can get the correct local private key. Examples # Connect an SCP client to the SCP server 200.1.1.1.
  • Page 422 -i interface-type interface-number: Specifies an output interface by its type and number. This option is only used when the server uses a link-local address. The specified output interface on the client must have a link-local address. get: Downloads the file. put: Uploads the file.
  • Page 423: Sftp

    • Specify the loopback interface as the source interface. • Specify the IPv6 address of the loopback interface as the source IPv6 address. interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IPv6 address of the IPv6 SCP packets. ipv6 ipv6-address: Specifies a source IPv6 address.
  • Page 424 Parameters server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.
  • Page 425: Sftp Client Ipv6 Source

    • Specify the loopback interface or dialer interface as the source interface. • Specify the IP address of the loopback interface or dialer interface as the source IP address. interface interface-type interface-number: Specifies a source interface by its type and number. The primary IPv4 address of this interface is the source IP address of the SFTP packets.
  • Page 426: Sftp Client Source

    This command takes effect on all IPv6 SFTP connections. The source IPv6 address specified in the sftp ipv6 command takes effect only on the current IPv6 SFTP connection. If you specify the source IPv6 address both in this command and the sftp ipv6 command, the source IPv6 address specified in the sftp ipv6 command takes effect.
  • Page 427: Sftp Ipv6

    Related commands display sftp client source sftp ipv6 Use sftp ipv6 to connect an SFTP client to an IPv6 SFTP server and enter SFTP client view. Syntax In non-FIPS mode: sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 |...
  • Page 428 prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. Algorithms des, 3des, aes128, and aes256 are listed in ascending order of security strength and computation time. • 3des: Specifies the encryption algorithm 3des-cbc. • aes128: Specifies the encryption algorithm aes128-cbc. •...
  • Page 429: Ssh Client Ipv6 Source

    • Preferred server-to-client encryption algorithm is aes128. • Preferred client-to-server HMAC algorithm is sha1. • Preferred server-to-client HMAC algorithm is sha1-96. • Preferred compression algorithm between the server and client is zlib. <Sysname> sftp ipv6 2000::1 prefer-kex dh-group14 prefer-stoc-cipher aes128 prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib publickey svkey Username: ssh client ipv6 source...
  • Page 430: Ssh Client Source

    ssh client source Use ssh client source to specify the source IPv4 address for SSH packets. Use undo ssh client source to restore the default. Syntax ssh client source { interface interface-type interface-number | ip ip-address } undo ssh client source Default The source IP address for SSH packets is not configured.
  • Page 431 sha1-96 } ] * [ dscp dscp-value | publickey keyname | source { interface interface-type interface-number | ip ip-address } ] * In FIPS mode: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *...
  • Page 432: Ssh2 Ipv6

    • dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. • dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1. prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128. prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1. dscp dscp-value: Specifies the DSCP value in the IPv4 SSH packets sent by the SSH client, in the range of 0 to 63.
  • Page 433 In FIPS mode: ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] * Views...
  • Page 434 prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in non-FIPS mode and dh-group14 in FIPS mode. Algorithm dh-group14 features stronger security but costs more time in calculation than dh-group1. • dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. • dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.
  • Page 435: Ssl Commands

    SSL commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSL server policy configuration commands ciphersuite Use ciphersuite to specify the cipher suites supported by an SSL server policy.
  • Page 436 exp_rsa_rc4_md5: Specifies the export cipher suite that uses the key exchange algorithm RSA, the data encryption algorithm RC4, and the MAC algorithm MD5. rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm 3DES_EDE_CBC, and the MAC algorithm SHA. rsa_aes_128_cbc_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit AES_CBC, and the MAC algorithm SHA.
  • Page 437: Client-Verify Enable

    client-verify enable Use client-verify enable to enable the SSL server to use digital certificates to authenticate clients. Use undo client-verify enable to restore the default. Syntax client-verify enable undo client-verify enable Default The SSL server does not authenticate SSL clients. Views SSL server policy view Predefined user roles...
  • Page 438: Pki-Domain (Ssl Server Policy View)

    network-operator Parameters policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify this argument, the command displays information about all SSL server policies. Examples # Display information about the SSL server policy policy1. <Sysname>...
  • Page 439: Session Cachesize

    <Sysname> system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] pki-domain server-domain Related commands • display ssl server-policy • pki domain session cachesize Use session cachesize to set the maximum number of sessions that the SSL server can cache. Use undo session cachesize to restore the default. Syntax session cachesize size undo session cachesize...
  • Page 440: Ssl Client Policy Configuration Commands

    Syntax ssl server-policy policy-name undo ssl server-policy policy-name Default No SSL server policy exists on the device. Views System view Predefined user roles network-admin Parameters policy-name: Specifies a name for the SSL server policy, a case-insensitive string of 1 to 31 characters. Usage guidelines This command creates an SSL server policy for which you can configure SSL parameters such as a PKI domain and supported cipher suites.
  • Page 441: Pki-Domain (Ssl Client Policy View)

    Examples # Display information about the SSL client policy policy1. <Sysname> display ssl client-policy policy1 SSL client policy: policy1 SSL version: SSL 3.0 PKI domain: client-domain Preferred ciphersuite: RSA_AES_128_CBC_SHA Server-verify: enabled Table 52 Command output Field Description Server-verify: Indicates whether the client is enabled to use digital certificates to authenticate servers.
  • Page 442: Prefer-Cipher

    prefer-cipher Use prefer-cipher to specify a preferred cipher suite for an SSL client policy. Use undo prefer-cipher to restore the default. Syntax In non-FIPS mode: prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } undo prefer-cipher In FIPS mode:...
  • Page 443: Server-Verify Enable

    rsa_rc4_128_md5: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit RC4, and the MAC algorithm MD5. rsa_rc4_128_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit RC4, and the MAC algorithm SHA. Usage guidelines SSL employs the following algorithms: •...
  • Page 444: Ssl Client-Policy

    Predefined user roles network-admin Usage guidelines The SSL client and server use digital certificates to authenticate each other. For more information about digital certificates, see Security Configuration Guide. If you execute the server-verify enable command, an SSL server must send its own digital certificate to the SSL client for authentication.
  • Page 445: Version

    [Sysname-ssl-client-policy-policy1] Related commands display ssl client-policy version Use version to specify an SSL version for an SSL client policy. Use undo version to restore the default. Syntax In non-FIPS mode: version { ssl3.0 | tls1.0 } undo version In FIPS mode: version tls1.0 undo version Default...
  • Page 446: Aspf Commands

    ASPF commands In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. aspf apply policy Use aspf apply policy to apply an ASPF policy to an interface. Use undo aspf apply policy to remove an ASPF policy application from an interface.
  • Page 447: Aspf Policy

    aspf policy Use aspf policy to create an ASPF policy and enter its view. Use undo aspf policy to remove an ASPF policy. Syntax aspf policy aspf-policy-number undo aspf policy aspf-policy-number Default No ASPF policy exists. Views System view Predefined user roles network-admin Parameters aspf-policy-number: Assigns a number to the ASPF policy.
  • Page 448 For a multi-channel protocol, if you enable TCP or UDP inspection without configuring application layer protocol inspection, the device might not be able to receive response packets. HP recommends that you enable application layer protocol inspection together with TCP/UDP inspection.
  • Page 449: Display Aspf All

    display aspf all Use display aspf all to display the configuration of all ASPF policies and their applications. Syntax display aspf all Views Any view Predefined user roles network-admin network-operator Examples # Display the configuration of all ASPF policies and their applications. <Sysname>...
  • Page 450: Display Aspf Interface

    display aspf interface Use display aspf interface to display ASPF policy application on interfaces. Syntax display aspf interface Views Any view Predefined user roles network-admin network-operator Examples # Display ASPF policy application on interfaces. <Sysname> display aspf interface Interface configuration: GigabitEthernet2/1/1 Inbound policy : 1 Outbound policy: none...
  • Page 451: Display Aspf Session

    Examples # Display the configuration of ASPF policy 1. <Sysname> display aspf policy 1 ASPF policy configuration: Policy number: 1 Disable ICMP error message check Disable TCP SYN packet check Detect these protocols: Table 55 Command output Field Description Enable ICMP error message check ICMP error message check is enabled.
  • Page 452 <Sysname> display aspf session ipv4 Initiator: Source IP/port: 192.168.1.18/1877 Destination IP/port: 192.168.1.55/22 VPN instance/VLAN ID/VLL ID: -/-/- Protocol: TCP(6) Initiator: Source IP/port: 192.168.1.18/1792 Destination IP/port: 192.168.1.55/2048 VPN instance/VLAN ID/VLL ID: -/-/- Protocol: ICMP(1) Total sessions found: 2 # (MSR4000.) Display brief information about IPv4 ASPF sessions. <Sysname>...
  • Page 453 Initiator: Source IP/port: 192.168.1.18/1792 Destination IP/port: 192.168.1.55/2048 VPN instance/VLAN ID/VLL ID: -/-/- Protocol: ICMP(1) Responder: Source IP/port: 192.168.1.55/1792 Destination IP/port: 192.168.1.18/0 VPN instance/VLAN ID/VLL ID: -/-/- Protocol: ICMP(1) App: INVALID State: ICMP_REQUEST Start time: 2011-07-29 19:12:33 TTL: 55s Interface(in) : GigabitEthernet2/1/1 Interface(out): GigabitEthernet2/1/2 Initiator->Responder: 1 packets...
  • Page 454: Icmp-Error Drop

    Protocol: ICMP(1) App: INVALID State: ICMP_REQUEST Start time: 2011-07-29 19:12:33 TTL: 55s Interface(in) : GigabitEthernet2/1/1 Interface(out): GigabitEthernet2/1/2 Initiator->Responder: 1 packets 6048 bytes Responder->Initiator: 0 packets 0 bytes Total sessions found: 2 Table 56 Command output Field Description Initiator Session information from initiator to responder. Responder Session information from responder to initiator.
  • Page 455: Reset Aspf Session

    Use undo icmp-error drop to restore the default. Syntax icmp-error drop undo icmp-error drop Default The ICMP error message check is disabled. Views ASPF policy view Predefined user roles network-admin Usage guidelines An ICMP error message carries information about the corresponding connection. ICMP error message check verifies the information.
  • Page 456: Tcp Syn-Check

    Related commands display aspf session tcp syn-check Use tcp syn-check to enable TCP SYN check. TCP SYN check verifies whether the first packet of a TCP connection is a SYN packet. If the first packet is not a SYN packet, ASPF drops the packet. Use undo tcp syn-check to restore the default.
  • Page 457: Apr Commands

    APR commands app-group Use app-group to create an application group and enter application group view. Use undo app-group to remove the specified application group. Syntax app-group group-name undo app-group group-name Default Multiple pre-defined application groups exist on the device. Views System view Predefined user roles network-admin...
  • Page 458 Syntax application statistics enable [ inbound | outbound ] undo application statistics enable [ inbound | outbound ] Default The application statistics function is disabled on an interface. Views Layer 3 interface view Predefined user roles network-admin Parameters inbound: Specifies the inbound direction of the interface. outbound: Specifies the outbound direction of the interface.
  • Page 459: Copy App-Group

    copy app-group Use copy app-group to copy all application protocols in an application group to another group. Syntax copy app-group group-name Views Application group view Predefined user roles network-admin Parameters group-name: Specifies the name of the source application group, a case-insensitive string of 1 to 63 characters.
  • Page 460: Display App-Group

    Parameters group-description: Configures a description for the user-defined application group. It is a case-sensitive string of 1 to 127 characters. Spaces are allowed. Examples # Configure a description for the application group aaa. <Sysname> system-view [Sysname] app-group aaa [Sysname-app-group-aaa] description User defined aaa group Related commands app-group display app-group...
  • Page 461 email Pre-defined 0x00000002 file-share Pre-defined 0x00000009 games Pre-defined 0x00000004 Pre-defined 0x0000000a internet Pre-defined 0x00000005 multimedia Pre-defined 0x00000008 network-management Pre-defined 0x0000000e network-service Pre-defined 0x0000000f news Pre-defined 0x0000000d Pre-defined 0x00000006 productivity-tools Pre-defined 0x00000012 routing Pre-defined 0x00000011 shopping-and-bank Pre-defined 0x0000000c stock Pre-defined 0x0000000b voip Pre-defined 0x00000007...
  • Page 462: Display Application

    app1 User-defined 0x80000001 bapp3 User-defined 0x80000006 pop3 Pre-defined 0x00000e75 smtp Pre-defined 0x00001135 Table 57 Command output Field Description Group name: Application group name. Group ID: Application group ID. Type: Application protocol or application group attribute: • Pre-defined. • User-defined. Application count: Number of application protocols in the application group.
  • Page 463 Examples # Display information about all pre-defined application protocols. <Sysname> display application pre-defined Pre-defined count: Application name Type App ID Tunnel Encrypted ambit-lm Pre-defined 0x000000b9 amdsched Pre-defined 0x000000ba amidxtape Pre-defined 0x000000bb amiganetfs Pre-defined 0x000000bc aminet Pre-defined 0x000000bd Pre-defined 0x000000be amt-soap-https Pre-defined 0x000000cc appserv-http...
  • Page 464: Display Application Statistics

    l2c-connect Pre-defined 0x000009b6 l2c-info Pre-defined 0x000009b7 l2tp Pre-defined 0x000009b8 l3-exprt Pre-defined 0x000009b9 l3-hawk Pre-defined 0x000009ba # Display information about the application protocol Telnet. <Sysname> display application name telnet Application name: telnet Application ID: 0x000012b7 Tunnel: Encrypted: Table 58 Command output Field Description Total count...
  • Page 465 Views User view Predefined user roles network-admin network-operator Parameters direction: Specifies the direction of the interface. inbound: Specifies the inbound direction. outbound: Specifies the outbound direction. interface interface-type interface-number: Specifies an interface by its type and number. name application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters.
  • Page 466 # Display application statistics for VLAN-interface 1. <Sysname> display application statistics interface vlan-interface 1 Interface : Vlan-interface1 Application In/Out Packets Bytes (per-application statistics rows for appaaaaasg, app2 and APP3 are garbled in extraction)...
  • Page 467: Display Application Statistics Top

    Table 59 Command output Field Description Interface: Interface name. Application: Name of the application protocol. In/Out: Interface direction: • In. • Out. Packets: Number of packets received or sent by the interface. Bytes: Number of bytes received or sent by the interface. Packets received or sent per second.
  • Page 468 The system uses the sum of inbound and outbound statistics to rank the application protocols. If the sum statistics for multiple application protocols is the same, the system displays these protocols in alphabetical order. Examples # Display the top three application protocols that have received and sent the most packets on interface GigabitEthernet 2/1/1.
  • Page 469: Display Port-Mapping Pre-Defined

    (per-application top statistics rows for appaaaaasg, app2 and aPP3 are garbled in extraction) Table 60 Command output Field Description Interface: Interface name. Application: Name of the application protocol. Interface direction: •...
  • Page 470: Display Port-Mapping User-Defined

    tftp Table 61 Command output Field Description Application: Application protocol using the port mapping. Protocol: Transport layer protocol. Port: Port number to which the application protocol is mapped. Related commands • display port-mapping • port-mapping display port-mapping user-defined Use display port-mapping user-defined to display information about the user-defined port mappings. Syntax display port-mapping user-defined [ application application-name | port port-number ] Views...
  • Page 471: Include Application

    Table 62 Command output Field Description Application: Application protocol using port mapping. Port: Port number to which the application protocol is mapped. Protocol: Transport layer protocol. Match types: • ---: No match types or match conditions are specified, and all packets that have the specified port are recognized as the packets of the specified application protocol.
  • Page 472: Port-Mapping

    Parameters application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. Valid characters include digits, letters, hyphens (-), and underscores (_). "invalid" or "other" are not allowed. Usage guidelines Execute this command multiple times to add multiple pre-defined or user-defined application protocols to a user-defined application group.
  • Page 473: Port-Mapping Acl

    • sctp: Specifies SCTP. • tcp: Specifies TCP. • udp: Specifies UDP. • udp-lite: Specifies UDP-Lite. Usage guidelines If no transport layer protocol is specified, packets that are encapsulated by any transport layer protocol and have the specified port are recognized as the specified application protocol's packets. If the destination port of a packet matches a general port mapping, APR recognizes the packet as the specified application protocol's packet.
  • Page 474: Port-Mapping Host

    • sctp: Specifies SCTP. • tcp: Specifies TCP. • udp: Specifies UDP. • udp-lite: Specifies UDP-Lite. acl [ ipv6 ] acl-number: Specifies the number of an ACL, in the range of 2000 to 2999. To specify an IPv6 ACL, include the ipv6 keyword. To specify an IPv4 ACL, do not include the ipv6 keyword. Usage guidelines If you do not specify a transport layer protocol, all packets that are encapsulated by any transport layer protocol and have the specified port are recognized as the specified application protocol's packets.
  • Page 475: Port-Mapping Subnet

    protocol protocol-name: Specifies a transport layer protocol by its name, including: • dccp: Specifies DCCP. • sctp: Specifies SCTP. • tcp: Specifies TCP. • udp: Specifies UDP. • udp-lite: Specifies UDP-Lite. { ip | ipv6 } start-ip-address [ end-ip-address ]: Specifies a range of IPv4 or IPv6 addresses. The ip keyword specifies the IPv4 addresses, and the ipv6 keyword specifies the IPv6 addresses.
  • Page 476 undo port-mapping application application-name port port-number [ protocol protocol-name ] subnet { ip ipv4-address { mask-length | mask } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ] Default An application protocol is mapped to a well-known port. Views System view Predefined user roles network-admin Parameters...
  • Page 477: Reset Application Statistics

    [Sysname] port-mapping application ftp port 3456 subnet ip 1.1.1.0 24 # Create a mapping of port 3456 to FTP for the packets sent to the IPv6 hosts on subnet 1:: /120. <Sysname> system-view [Sysname] port-mapping application ftp port 3456 subnet ipv6 1:: 120 Related commands display port-mapping user-defined reset application statistics...
  • Page 478: Session Management Commands

    Session management commands In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. display session aging-time application Use display session aging-time application to display the aging time for sessions of different application layer protocols.
  • Page 479: Display Session Aging-Time State

    Table 63 Command output Field Description Application: Application layer protocol. Aging Time(s): Aging time in seconds. Related commands application aging-time display session aging-time state Use display session aging-time state to display the aging time for sessions in different protocol states. Syntax display session aging-time state Views...
  • Page 480: Display Session Relation-Table

    Table 64 Command output Field Description State Protocol state. Aging Time(s) Aging time in seconds. Related commands session aging-time state display session relation-table Use display session relation-table to display relation entries. Syntax MSR1000/MSR2000/MSR3000: display session relation-table { ipv4 | ipv6 } MSR4000: display session relation-table { ipv4 | ipv6 } [ slot slot-number ] Views...
  • Page 481 Application: FTP-DATA Total entries found: # (MSR4000.) Display all IPv4 relation entries. <Sysname> display session relation-table ipv4 Slot 1: Source IP/port: 192.168.1.100/- Destination IP/port: 192.168.2.100/99 DS-Lite tunnel peer: - VPN instance/VLAN ID/VLL ID: 1/-/- Protocol: TCP(6) TTL: 1234s Application: FTP-DATA Source IP/port: Destination IP/port: 192.168.2.200/1212 DS-Lite tunnel peer: -...
  • Page 482: Display Session Statistics

    Table 65 Command output Field Description Source IP/port: Source IP address and port number of the session. If the IP or port number is not specified, this field displays a hyphen (-). For an IPv6 relation entry, the source port number is not displayed. Destination IP/port: Destination IP address and port number of the session.
  • Page 483 TCP sessions: UDP sessions: ICMP sessions: ICMPv6 sessions: UDP-Lite sessions: SCTP sessions: DCCP sessions: RAWIP sessions: Current relation-table entries: 0 Session establishment rate: 0/s TCP: UDP: ICMP: ICMPv6: UDP-Lite: SCTP: DCCP: RAWIP: Received TCP 0 packets 0 bytes Received UDP 118 packets 13568 bytes Received ICMP...
  • Page 484: Display Session Table

    Field Description RAWIP sessions: Number of Raw IP sessions and number of Raw IP sessions in different states. Current relation-table entries: Total number of relation entries. Session establishment rate: Session establishment rate, and rates for establishing sessions of different protocols. Received TCP: Number of received TCP packets and packet bytes.
  • Page 485 destination-ip destination-ip: Specifies a destination IP address. The destination-ip argument specifies the destination IP address of a session from the initiator to the responder. verbose: Displays detailed information about session entries. If you do not specify this keyword, this command displays brief information about session entries. Usage guidelines If no parameter except IPv4 or IPv6 is specified, this command displays all IPv4 or IPv6 session entries.
  • Page 486 Destination IP/port: 192.168.1.55/22 DS-Lite tunnel peer: - VPN instance/VLAN ID/VLL ID: -/-/- Protocol: TCP(6) Responder: Source IP/port: 192.168.1.55/22 Destination IP/port: 192.168.1.18/1877 DS-Lite tunnel peer: - VPN instance/VLAN ID/VLL ID: -/-/- Protocol: TCP(6) State: TCP_SYN_SENT Application: SSH Start time: 2011-07-29 19:12:36 TTL: 28s Interface(in) : GigabitEthernet2/1/1 Interface(out): GigabitEthernet2/1/2...
  • Page 487 Responder: Source IP/port: 192.168.1.55/22 Destination IP/port: 192.168.1.18/1877 DS-Lite tunnel peer:- VPN instance/VLAN ID/VLL ID: -/-/- Protocol: TCP(6) State: TCP_SYN_SENT Application: SSH Start time: 2011-07-29 19:12:36 TTL: 28s Interface(in) : GigabitEthernet2/1/1 Interface(out): GigabitEthernet2/1/2 Initiator->Responder: 1 packets 48 bytes Responder->Initiator: 0 packets 0 bytes Initiator: Source...
  • Page 488 Initiator: Source IP/port: 2011::2/58473 Destination IP/port: 2011::8/32768 DS-Lite tunnel peer: - VPN instance/VLAN ID/VLL ID: -/-/- Protocol: IPV6-ICMP(58) Total sessions found: 1 # (MSR1000/MSR2000/MSR3000.) Display detailed information about all IPv6 session entries. <Sysname> display session table ipv6 verbose Initiator: Source IP/port: 2011::2/58473 Destination IP/port: 2011::8/32768 VPN instance/VLAN ID/VLL ID: -/-/-...
  • Page 489 Interface(in) : GigabitEthernet2/1/1 Interface(out): GigabitEthernet2/1/2 Initiator->Responder: 1 packets 104 bytes Responder->Initiator: 0 packets 0 bytes Total sessions found: 1 Table 67 Command output Field Description Initiator Information about the session from the initiator to the responder. Responder Information about the session from the responder to the initiator. Address of the DS-Lite tunnel peer.
  • Page 490: Reset Session Table Ipv4

    reset session table ipv4 Use reset session table ipv4 to clear IPv4 session entries. Syntax MSR1000/MSR2000/MSR3000: reset session table ipv4 [ destination-ip destination-ip ] [ destination-port destination-port ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-ip source-ip ] [ source-port source-port ] [ vpn-instance vpn-instance-name ] MSR4000: reset session table ipv4 [ destination-ip destination-ip ] [ destination-port destination-port ] [ protocol...
  • Page 491: Reset Session Table Ipv6

    Related commands display session table reset session table ipv6 Use reset session table ipv6 to clear IPv6 session entries. Syntax MSR1000/MSR2000/MSR3000: reset session table ipv6 [ destination-ip destination-ip ] [ destination-port destination-port ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-ip source-ip ] [ source-port source-port ] [ vpn-instance vpn-instance-name ] MSR4000: reset session table ipv6 [ destination-ip destination-ip ] [ destination-port destination-port ] [ protocol...
  • Page 492: Reset Session Table

    <Sysname> reset session table ipv6 # Clear the IPv6 session entries with the source IP address of 2011::0002. <Sysname> reset session table ipv6 source-ip 2011::0002 Related commands display session table reset session table Use reset session table to clear IPv4 and IPv6 session entries. Syntax MSR1000/MSR2000/MSR3000: reset session table...
  • Page 493: Reset Session Relation-Table

    Predefined user roles network-admin Parameters slot slot-number: Specifies a card by its slot number. If no card is specified, this command clears session statistics for all cards. (MSR4000.) Examples # Clear all session statistics. <Sysname> reset session statistics Related commands display session statistics reset session relation-table Use reset session relation-table to clear relation entries.
  • Page 494: Session Aging-Time Application

    session aging-time application Use session aging-time application to set the aging time for sessions of an application layer protocol. Use undo session aging-time application to restore the default. If no application layer protocol is specified, this command restores the default aging time for all sessions of the supported application layer protocols.
  • Page 495: Session Aging-Time State

    ras: Specifies the RAS protocol. rtsp: Specifies the Real Time Streaming Protocol (RTSP) protocol. sip: Specifies the Session Initiation Protocol (SIP) protocol. tftp: Specifies the TFTP protocol. ils: Specifies the Internet Locator Service (ILS) protocol. mgcp: Specifies the Media Gateway Control Protocol (MGCP) protocol. nbt: Specifies the NetBIOS over TCP/IP (NBT) protocol.
  • Page 496 Default The aging time for sessions in different protocol states is as follows: • TCP SYN-SENT and SYN-RCV: 30 seconds. • TCP ESTABLISHED: 3600 seconds. • FIN_WAIT: 30 seconds. • UDP-OPEN: 30 seconds. • UDP-READY: 60 seconds. • ICMP-REQUEST: 60 seconds. •...
  • Page 497: Session Log Bytes-Active

    session log bytes-active Use session log bytes-active to set the byte-based threshold for traffic-based logging. Use undo session log bytes-active to restore the default. Syntax session log bytes-active bytes-value undo session log bytes-active Default The device does not output session logs based on the byte-based threshold. Views System view Predefined user roles...
  • Page 498: Session Log Packets-Active

    Views Interface view Predefined user roles network-admin Parameters ipv4: Logs IPv4 sessions. ipv6: Logs IPv6 sessions. acl acl-number: Specifies an ACL by its number in the range of 2000 to 3999. inbound: Specifies the inbound direction. outbound: Specifies the outbound direction. Usage guidelines If no ACL is specified, this command enables session logging for all IPv4 or IPv6 sessions on the interface.
  • Page 499: Session Log Time-Active

    Syntax session log packets-active packets-value undo session log packets-active Default The device does not output session logs based on the packet-based threshold. Views System view Predefined user roles network-admin Parameters packets-value: Sets the packet-based threshold in the range of 1 to 1000 mega-packets. Usage guidelines If you configure both traffic-based and time-based logging, the device outputs a session log as soon as either threshold is reached.
  • Page 500: Session Persistent Acl

    Parameters time-value: Sets the interval in minutes. The value range for the time-value argument is 10 to 120, and the value must be a multiple of 10. Usage guidelines If you configure both time-based and traffic-based logging, the device outputs a session log as soon as either threshold is reached.
  • Page 501 • Aging time for sessions of application layer protocols. • Aging time for sessions in different protocol states. A never-age-out session is not removed until the device receives a connection close request from the initiator or responder, or you manually clear the session entries. Examples # Specify IPv4 ACL 2000 for identifying persistent sessions and set the aging time to 72 hours, so that the IPv4 sessions permitted by ACL 2000 are persistent sessions with an aging time of 72 hours.
  • Page 502: Connection Limit Commands

    Connection limit commands In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. connection-limit apply Use connection-limit apply to apply a connection limit policy to an interface. Use undo connection-limit apply to remove the application.
  • Page 503: Connection-Limit Apply Global

    connection-limit apply global Use connection-limit apply global to apply a connection limit policy globally. Use undo connection-limit apply global to remove the application. Syntax connection-limit apply global { ipv6-policy | policy } policy-id undo connection-limit apply global { ipv6-policy | policy } Default No connection limit policy is applied globally.
  • Page 504: Display Connection-Limit

    Default No connection limit policy exists. Views System view Predefined user roles network-admin Parameters ipv6-policy: Specifies an IPv6 connection limit policy. policy: Specifies an IPv4 connection limit policy. policy-id: Specifies a connection limit policy by its ID, in the range of 1 to 32. IPv4 and IPv6 connection limit policies are numbered independently.
  • Page 505 policy-id: Specifies a connection limit policy by its ID in the range of 1 to 32. all: Specifies all connection limit policies. Examples # Display information about all IPv4 connection limit policies. <Sysname> display connection-limit policy all 3 policies in total: Policy Rule Stat Type...
  • Page 506 3020 100000 89000 2005 # Display information about the IPv6 connection limit policy 3. <Sysname> display connection-limit ipv6-policy 3 IPv6 connection limit policy 3 has been applied 3 times, and has 2 limit rules. Limit rule list: Policy Rule Stat Type HiThres LoThres --------------------------------------------------------------------------------...
  • Page 507: Display Connection-Limit Ipv6-Stat-Nodes

    display connection-limit ipv6-stat-nodes Use display connection-limit ipv6-stat-nodes to display statistics about IPv6 connections that match connection limit rules globally or on an interface. Syntax MSR1000/MSR2000/MSR3000: display connection-limit ipv6-stat-nodes { global | interface interface-type interface-number } [ destination destination-ip | service-port port-number | source source-ip ] * [ count ] MSR4000: display connection-limit ipv6-stat-nodes { global | interface interface-type interface-number } [ slot slot-number ] [ destination destination-ip | service-port port-number | source source-ip ] * [ count ]...
  • Page 508 If you specify none of the source source-ip, destination destination-ip, and service-port port-number options, this command displays statistics about all IPv6 connections that match connection limit rules. Examples # (MSR1000/MSR2000/MSR3000.) Display statistics about all IPv6 connections that match the connection limit rule on GigabitEthernet 2/1/1. <Sysname>...
  • Page 509: Display Connection-Limit Statistics

    <Sysname> display connection-limit ipv6-stat-nodes interface vlan-interface 10 slot 2 count Slot 2: Current limit statistic nodes count is 1. Table 69 Command output Field Description Src IP address: Source IPv6 address. Dst IP address: Destination IPv6 address. VPN instance: MPLS L3VPN to which the IP address belongs. "---" indicates that the IP address is on the public network.
  • Page 510: Display Connection-Limit Stat-Nodes

    Parameters global: Displays the global connection limit statistics. interface interface-type interface-number: Specifies an interface by its type and number. slot slot-number: Specifies a card or virtual interface by its slot number. This option is available only when you specify the global keyword or specify a virtual interface (such as a VLAN interface or tunnel interface).
  • Page 511 display connection-limit stat-nodes { global | interface interface-type interface-number } [ slot slot-number ] [ destination destination-ip | service-port port-number | source source-ip ] * [ count ] Views User view Predefined user roles network-admin network-operator Parameters global: Displays statistics about IPv4 connections that match connection limit rules globally. interface interface-type interface-number: Specifies an interface by its type and number.
  • Page 512 DS-Lite tunnel peer : -- Service : tcp/12345 Limit rule ID : 12345(ACL: 3001) Sessions threshold Hi/Lo: 1100000/980000 Sessions count : 1050000 New session flag : Permit # (MSR1000/MSR2000/MSR3000.) Display statistics about all IPv4 connections that match the connection limit rule on VLAN-interface 2. <Sysname>...
  • Page 513: Limit

    Field Description Dst IP address Destination IP address. VPN instance MPLS L3VPN to which the IP address belongs. "---" indicates that the IP address is on the public network. DS-Lite tunnel peer ID of the DS-Lite tunnel. "---" indicates that the connection does not belong to any DS-Lite tunnel.
  • Page 514 ipv6: References an IPv6 ACL. If this keyword is not specified, an IPv4 ACL is referenced. This keyword exists only in IPv6 connection limit policy view. acl-number: Specifies an ACL by its number in the range of 2000 to 3999. name acl-name: Specifies an ACL by its name.
  • Page 515: Reset Connection-Limit Statistics

    [Sysname-acl6-basic-2001] rule permit source 2:1::/96 [Sysname-acl6-basic-2001] quit Limit connections that match ACL 2001 by the source and destination IP addresses, with the upper limit 200 and lower limit 100. [Sysname] connection-limit ipv6-policy 12 [Sysname-connlmt-ipv6-policy-12] limit 2 acl ipv6 2001 per-destination amount 200 100 Verify that when the connection number exceeds 200, new connections cannot be established until the connection number drops below 100.
  • Page 516: Object Group Commands

    Object group commands description Use description to configure a description for an object group. Use undo description to delete the description for an object group. Syntax description text undo description Default An object group does not have a description. Views Object group view Predefined user roles network-admin...
  • Page 517 ipv6 address: Specifies the IPv6 address object group. port: Specifies the port object group. service: Specifies the service object group. default: Specifies the default object group. name object-group-name: Specifies an object group by its name, a case-insensitive string of 1 to 31 characters.
  • Page 518: Network (Ipv4 Address Object Group View)

    0 network host address 1.1.1.1 10 network host name host 20 network subnet 1.1.1.1 255.255.255.0 30 network range 1.1.1.1 1.1.1.2 40 network group-object obj1 # Display information about all IPv4 object groups. <Sysname> display object-group ip address Ip address object-group obj1: 0 object(in use) Ip address object-group obj2: 5 objects(out of use) 0 network host address 1.1.1.1 10 network host name host...
  • Page 519 Predefined user roles network-admin Parameters object-id: Specifies an object ID in the range of 0 to 4294967294. If you do not specify an object ID, the system automatically assigns the object the next multiple of 10 above the greatest ID in use. For example, if the greatest ID is 22, the system automatically assigns 30.
  • Page 520: Network (Ipv6 Address Object Group View)

    # Configure an IPv4 address object with the host name of pc3. <Sysname> system-view [Sysname] object-group ip address ipgroup [Sysname-obj-grp-ip-ipgroup] network host name pc3 # Configure an IPv4 address object with the IPv4 address of 192.167.0.0 and mask length of 24. <Sysname>...
  • Page 521 address ipv6-address: Specifies an IPv6 host address. name host-name: Specifies a host name, a case-insensitive string of 1 to 60 characters. subnet ipv6-address prefix-length: Configures an IPv6 address object with the subnet address followed by the prefix length in the range of 1 to 128. range ipv6-address1 ipv6-address2: Configures an IPv6 address object with the address range starting with ipv6-address1 and ending with ipv6-address2. group-object object-group-name: Specifies an IPv6 address object group to be referenced by its name,...
  • Page 522: Object-Group

    # Configure an IPv6 address object with the address range of 1:1:1::1 to 1:1:1::100. <Sysname> system-view [Sysname] object-group ipv6 address ipv6group [Sysname-obj-grp-ipv6-ipv6group] network range 1:1:1::1 1:1:1::100 # Configure an IPv6 address object referencing object group ipv6group2. <Sysname> system-view [Sysname] object-group ipv6 address ipv6group [Sysname-obj-grp-ipv6-ipv6group] network group-object ipv6group2 object-group Use object-group to configure an object group and enter the object group view.
  • Page 523: Port (Port Object Group View)

    • If the specified group exists but the group type is different from that in the command, the command fails. • If the specified object group is being referenced by an ACL, object policy, or object group, the command fails. Examples # Configure an IPv4 address object group named ipgroup.
  • Page 524 range port1 port2: Configures a port object with a port range starting with port1 and ending with port2. The value range for the port1 and port2 arguments is 0 to 65535. group-object object-group-name: Specifies a port object group to be referenced by its name, a case-insensitive string of 1 to 31 characters.
  • Page 525: Service (Service Object Group View)

    <Sysname> system-view [Sysname] object-group port portgroup [Sysname-obj-grp-port-portgroup] port gt 60000 # Configure a port object with a port number in the range of 1000 to 2000. <Sysname> system-view [Sysname] object-group port portgroup [Sysname-obj-grp-port-portgroup] port range 1000 2000 # Configure a port object referencing object group portgroup2. <Sysname>...
  • Page 526 port: Specifies a port number in the range of 0 to 65535. range port1 port2: Configures a service object with a port range starting with port1 and ending with port2. The value range for the port1 and port2 arguments is 0 to 65535. icmp-type icmp-code: Configures the ICMP message type in the range of 0 to 255, and the message code in the range of 0 to 255.
  • Page 527 # Configure a service object with the source and destination port numbers for the TCP service. <Sysname> system-view [Sysname] object-group service servicegroup [Sysname-obj-grp-service-servicegroup] service tcp source eq 100 destination range 10 100 # Configure a service object with the message type and code for the ICMP service. <Sysname>...
  • Page 528: Ip Source Guard Commands

    IP source guard commands In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. The IP source guard commands are supported on the following hardware: MSR routers installed with the Layer 2 switching module HMIM-24GSW/24GSWP or •...
  • Page 529 vlan vlan-id: Displays IPv4 source guard binding entries for a VLAN. The vlan-id argument specifies the VLAN ID in the range of 1 to 4094. interface interface-type interface-number: Displays IPv4 source guard binding entries on an interface. The interface-type interface-number argument specifies the interface type and the interface number. slot slot-number: Specifies the number of the slot that holds the card.
  • Page 530: Display Ipv6 Source Binding

    display ipv6 source binding Use display ipv6 source binding to display IPv6 source guard binding entries. Syntax MSR2000/MSR3000: display ipv6 source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcpv6-snooping ] ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] MSR4000: display ipv6 source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcpv6-snooping ] ]...
  • Page 531: Ip Source Binding (Interface View)

    Total entries found: 2 IPv6 Address MAC Address Interface VLAN Type 2012:1222:2012:1222:2012:1222:2012:1222 000f-2202-0435 GE2/1/1 DHCPv6 snooping 2012:1222:2012:1222:2012:1222:2012:1223 000f-2202-0436 GE2/1/1 Static Table 74 Command output Field Description Total entries found Total number of IPv6 source guard binding entries. IPv6 Address IPv6 address in the IPv6 source guard binding entry. If no IPv6 address is bound in the entry, this field displays N/A.
  • Page 532: Ip Verify Source

    Parameters all: Removes all the static IPv4 source guard binding entries on the interface. ip-address ip-address: Specifies an IPv4 address for the static binding entry. The IPv4 address must be a class A, B, or C address, and cannot be 127.x.x.x, 0.0.0.0, or a multicast IP address. mac-address mac-address: Specifies a MAC address for the static binding entry.
  • Page 533: Ipv6 Source Binding (Interface View)

    Parameters ip-address: Filters incoming packets by source IPv4 addresses. ip-address mac-address: Filters incoming packets by source IPv4 addresses and source MAC addresses. mac-address: Filters incoming packets by source MAC addresses. Usage guidelines This command enables both static and dynamic IPv4 source guard on the interface. Dynamic IP source guard obtains user information from other modules to generate dynamic binding entries, and uses the entries to filter incoming packets based on the matching criteria.
  • Page 534: Ipv6 Verify Source

    Predefined user roles network-admin Parameters all: Removes all the static IPv6 source guard binding entries on the interface. ip-address ipv6-address: Specifies an IPv6 address for the static binding entry. The IPv6 address cannot be an all-zero address, a multicast address, or a loopback address. mac-address mac-address: Specifies a MAC address for the static binding entry.
  • Page 535 Predefined user roles network-admin Parameters ip-address: Filters incoming packets by source IPv6 addresses. ip-address mac-address: Filters incoming packets by source IPv6 addresses and source MAC addresses. mac-address: Filters incoming packets by source MAC addresses. Usage guidelines This command enables both static and dynamic IPv6 source guard on the interface. Dynamic IPv6 source guard obtains information from DHCPv6 snooping entries to generate dynamic binding entries, and uses the entries to filter incoming packets based on the matching criteria.
  • Page 536: Arp Attack Protection Commands

    ARP attack protection commands In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. Unresolvable IP attack protection commands arp resolving-route enable Use arp resolving-route enable to enable ARP blackhole routing.
  • Page 537: Arp Source-Suppression Limit

    Use undo arp source-suppression enable to restore the default. Syntax arp source-suppression enable undo arp source-suppression enable Default The ARP source suppression function is disabled. Views System view Predefined user roles network-admin Usage guidelines Configure this feature on the gateways. Examples # Enable the ARP source suppression function.
  • Page 538: Display Arp Source-Suppression

    Examples # Set the maximum number of unresolvable packets that can be received from a device in 5 seconds to 100. <Sysname> system-view [Sysname] arp source-suppression limit 100 Related commands display arp source-suppression. display arp source-suppression Use display arp source-suppression to display information about the current ARP source suppression configuration.
  • Page 539: Arp Source-Mac Aging-Time

    undo arp source-mac [ filter | monitor ] Default The source MAC-based ARP attack detection function is disabled. Views System view Predefined user roles network-admin Parameters filter: Generates log messages and discards subsequent ARP packets from the MAC address. monitor: Only generates log messages. Usage guidelines Configure this feature on the gateways.
  • Page 540: Arp Source-Mac Exclude-Mac

    <Sysname> system-view [Sysname] arp source-mac aging-time 60 arp source-mac exclude-mac Use arp source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ARP attack detection. Use undo arp source-mac exclude-mac to remove the excluded MAC addresses. Syntax arp source-mac exclude-mac mac-address&<1-n> undo arp source-mac exclude-mac [ mac-address&<1-n>...
  • Page 541: Display Arp Source-Mac

    Views System view Predefined user roles network-admin Parameters threshold-value: Specifies the threshold for source MAC-based ARP attack detection. The value range is 1 to 5000. Examples # Configure the threshold for source MAC-based ARP attack detection as 30. <Sysname> system-view [Sysname] arp source-mac threshold 30 display arp source-mac Use display arp source-mac to display ARP attack entries detected by source MAC-based ARP attack...
  • Page 542: Arp Packet Source Mac Consistency Check Commands

    23f3-1122-33ce 4094 GE2/1/5 ARP packet source MAC consistency check commands arp valid-check enable Use arp valid-check enable to enable ARP packet source MAC address consistency check on the gateway. Use undo arp valid-check enable to disable ARP packet source MAC address consistency check. Syntax arp valid-check enable undo arp valid-check enable...
  • Page 543: Authorized Arp Commands

    Views System view Predefined user roles network-admin Parameters strict: Enables strict mode for ARP active acknowledgement. Usage guidelines Configure this feature on gateways to prevent user spoofing. In strict mode, a gateway can learn an entry only when ARP active acknowledgement succeeds based on a correct ARP resolution.
  • Page 544: Arp Detection Commands

    ARP detection commands This feature is available only on routers installed with Layer 2 switching modules. arp detection enable Use arp detection enable to enable ARP detection. Use undo arp detection enable to restore the default. Syntax arp detection enable undo arp detection enable Default ARP detection is disabled.
  • Page 545: Arp Detection Validate

    [Sysname] interface gigabitethernet 2/1/1 [Sysname-GigabitEthernet2/1/1] arp detection trust arp detection validate Use arp detection validate to enable ARP packet validity check. You can specify one or more objects to be checked in one command line. Use undo arp detection validate to disable ARP packet validity check. If no keyword is specified, this command deletes all objects.
  • Page 546: Display Arp Detection

    Views VLAN view Predefined user roles network-admin Examples # Enable ARP restricted forwarding in VLAN 2. <Sysname> system-view [Sysname] vlan 2 [Sysname-vlan2] arp restricted-forwarding enable display arp detection Use display arp detection to display the VLANs enabled with ARP detection. Syntax display arp detection Views...
  • Page 547: Reset Arp Detection Statistics

    Parameters interface interface-type interface-number: Displays the ARP detection statistics of the specified interface. Usage guidelines This command displays numbers of packets discarded by user validity check and ARP packet validity check. If you do not specify any interface, the command displays statistics for all interfaces. Examples # Display the ARP detection statistics for all interfaces.
  • Page 548: Arp Scanning And Fixed Arp Commands

    Examples # Clear the ARP detection statistics of all interfaces. <Sysname> reset arp detection statistics ARP scanning and fixed ARP commands arp fixup Use arp fixup to convert existing dynamic ARP entries to static ARP entries. Syntax arp fixup Views System view Predefined user roles network-admin...
  • Page 549: Arp Gateway Protection Commands

    Layer 3 aggregate interface/subinterface view VLAN interface view Predefined user roles network-admin Parameters start-ip-address: Specifies the start IP address of the scanning range. end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.
  • Page 550: Arp Filtering Commands

    undo arp filter source ip-address Default ARP gateway protection is disabled. Views Layer 2 Ethernet interface view Predefined user roles network-admin Parameters ip-address: Specifies the IP address of a protected gateway. Usage guidelines You can enable ARP gateway protection for up to eight gateways on an interface. You cannot configure both arp filter source and arp filter binding commands on the same interface.
  • Page 551 Usage guidelines You can configure up to eight ARP permitted entries on an interface. You cannot configure both the arp filter source and arp filter binding commands on the same interface. Examples # Configure an ARP permitted entry. <Sysname> system-view [Sysname] interface gigabitethernet 2/1/1 [Sysname-GigabitEthernet2/1/1] arp filter binding 1.1.1.1 2-2-2...
  • Page 552: Ipv4 Urpf Commands

    IPv4 uRPF commands In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. display ip urpf Use display ip urpf to display uRPF configuration. Syntax MSR1000/MSR2000/MSR3000: display ip urpf [ interface interface-type interface-number ]...
  • Page 553: Ip Urpf

    Check type: strict Allow default route Link check Suppress drop ACL: 3000 Table 77 Command output Field Description uRPF configuration information of interface uRPF configuration on the interface. Check type uRPF check mode: loose or strict. Allow default route Allow use of the default route. Link check Link layer check is enabled.
  • Page 554 Configure strict uRPF check on a PE interface connected to a CE, and configure loose uRPF check on a PE interface connected to another ISP. For asymmetrical routing where the interface receiving upstream traffic is different from the interface forwarding downstream traffic on a PE device, configure loose uRPF to avoid discarding valid packets. If the two interfaces are the same (symmetrical routing), configure strict uRPF.
  • Page 555: Ipv6 Urpf Commands

    IPv6 uRPF commands In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. display ipv6 urpf Use display ipv6 urpf to display IPv6 uRPF configuration. Syntax MSR1000/MSR2000/MSR3000: display ipv6 urpf [ interface interface-type interface-number ]...
  • Page 556: Ipv6 Urpf

    IPv6 uRPF configuration information of interface GigabitEthernet2/1/1: Check type: loose Allow default route Suppress drop ACL: 2000 Table 78 Command output Field Description IPv6 uRPF configuration information of interface IPv6 uRPF configuration on the interface. Check type IPv6 uRPF check mode: loose or strict. Allow default route Allow use of the default route.
  • Page 557 For asymmetrical routing where the interface receiving upstream traffic is different from the interface forwarding downstream traffic on a PE device, configure loose IPv6 uRPF to avoid discarding valid packets. If the two interfaces are the same (symmetrical routing), configure strict IPv6 uRPF. An ISP usually adopts symmetrical routing on a PE device.
  • Page 558: Crypto Engine Commands

    IPsec services, enabling or disabling hardware crypto engines affects only newly established IPsec SAs. The existing IPsec SAs still use the previously selected crypto engine for data encryption. HP recommends that you use the reset ipsec sa command to delete all existing IPsec SAs before you enable or disable hardware crypto engines.
  • Page 559 Syntax display crypto-engine Views Any view Predefined user roles network-admin network-operator Examples # Display information about crypto engines. <Sysname> display crypto-engine Crypto engine name: cavium crypto driver Crypto engine state: Enabled Crypto engine type: Hardware Slot ID: 0 CPU ID: 0 Crypto engine ID: 0 Symmetric algorithms: des-ecb 3des-cbc 3des-ecb aes-cbc aes-ecb aes-ctr camellia_cbc sha1 sha2-256 sha2-384 sha2-512 md5-hmac sha1hmac sha2-256-hmac sha2-384-hmac...
  • Page 560: Display Crypto-Engine Statistics

    Field Description Crypto engine type Crypto engine types: • Hardware. • Software. Slot ID ID of the LPU that holds the crypto engine. CPU ID ID of the CPU that holds the crypto engine. Symmetric algorithms Supported symmetric algorithms. Asymmetric algorithms Supported asymmetric algorithms.
  • Page 561: Reset Crypto-Engine Statistics

    Submitted sessions: 0 Failed sessions: 0 Symmetric operations: 0 Symmetric errors: 0 Asymmetric operations: 0 Asymmetric errors: 0 Get-random operations: 0 Get-random errors: 0 # (MSR4000.) Display statistics for crypto engine 1 on card 2. <Sysname> display crypto-engine statistics engine-id 1 slot 2 Submitted sessions: 0 Failed sessions: 0 Symmetric operations: 0...
  • Page 562 Views Any view Predefined user roles network-admin Parameters engine-id engine-id: Specifies a crypto engine by its ID in the range of 0 to 4294967295. If you do not specify a crypto engine, this command clears statistics for all crypto engines. slot slot-number: Specifies a card by its slot number.
  • Page 563: Fips Commands

    FIPS commands display fips status Use display fips status to display the current FIPS mode state. Syntax display fips status Views Any view Predefined user roles network-admin network-operator Examples # Display the current FIPS mode state. <Sysname> display fips status FIPS mode is enabled.
  • Page 564 After you execute the fips mode enable command, the system provides the following methods to enter FIPS mode: • Automatic reboot: Select the automatic reboot method. The system automatically performs the following tasks: Create a default FIPS configuration file named fips-startup.cfg. Specify the default file as the startup configuration file.
  • Page 565: Fips Self-Test

    Examples # Enable FIPS mode, and choose the automatic reboot method to enter FIPS mode. <Sysname> system-view [Sysname] fips mode enable FIPS mode change requires a device reboot. Continue? [Y/N]:y Reboot the device automatically? [Y/N]:y The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically.
  • Page 566 Usage guidelines To examine whether the cryptography modules operate correctly, you can use this command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. A successful self-test requires that all cryptographic algorithms pass the self-test. If the self-test fails, the card where the self-test process exists reboots.
  • Page 567 Known-answer test for RSA(signature/verification) passed. Known-answer test for RSA(encrypt/decrypt) passed. Known-answer test for DSA(signature/verification) passed. Known-answer test for random number generator passed. Known-Answer tests in the user-space passed. Starting Known-Answer tests in the kernel. Known-answer test for SHA1 passed. Known-answer test for HMAC-SHA1 passed. Known-answer test for AES passed.
  • Page 568 Known-answer test for HMAC-SHA1 passed. Known-answer test for HMAC-SHA224 passed. Known-answer test for HMAC-SHA256 passed. Known-answer test for HMAC-SHA384 passed. Known-answer test for HMAC-SHA512 passed. Known-answer test for AES passed. Known-answer test for RSA(signature/verification) passed. Known-answer test for RSA(encrypt/decrypt) passed. Known-answer test for DSA(signature/verification) passed.
  • Page 569: Attack Detection And Prevention Commands

    Attack detection and prevention commands In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. ack-flood action Use ack-flood action to specify global actions against ACK flood attacks. Use undo ack-flood action to restore the default.
  • Page 570: Ack-Flood Detect

    • ack-flood detect non-specific • client-verify tcp enable ack-flood detect Use ack-flood detect to configure IP-specific ACK flood attack detection. Use undo ack-flood detect to remove the ACK flood attack detection configuration for an IP address. Syntax ack-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { client-verify | drop | logging } * ] undo ack-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] Default...
  • Page 571: Ack-Flood Detect Non-Specific

    Examples # Configure ACK flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1. <Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] ack-flood detect ip 192.168.1.2 threshold 2000 Related commands • ack-flood action • ack-flood detect non-specific • ack-flood threshold • client-verify tcp enable •...
  • Page 572: Ack-Flood Threshold

    ack-flood threshold Use ack-flood threshold to set the global threshold for triggering ACK flood attack prevention. Use undo ack-flood threshold to restore the default. Syntax ack-flood threshold threshold-value undo ack-flood threshold Default The global threshold is 1000 for triggering ACK flood attack prevention. Views Attack defense policy view Predefined user roles...
  • Page 573: Attack-Defense Local Apply Policy

    Default No attack defense policy is applied to any interface. Views Layer 3 interface view Predefined user roles network-admin Parameters policy-name: Specifies the name of an attack defense policy. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
  • Page 574: Attack-Defense Policy

    Usage guidelines Applying an attack defense policy to a device can improve the efficiency of processing attack packets destined for the device. Each device can have only one attack defense policy applied. If you use this command multiple times, the most recent configuration takes effect.
  • Page 575: Attack-Defense Signature Log Non-Aggregate

    • Source and destination IP addresses. • VPN instance. HP recommends that you disable non-aggregated log output. A large number of logs will consume the display resources of the console. Examples # Enable non-aggregated log output for single-packet attack events.
  • Page 576: Blacklist Global Enable

    Syntax blacklist enable undo blacklist enable Default The blacklist function on an interface is disabled. Views Layer 3 interface view Predefined user roles network-admin Usage guidelines If the global blacklist function is enabled, the blacklist function is enabled on all interfaces. If the global blacklist function is disabled, you must use this command to enable the blacklist function on individual interfaces.
  • Page 577: Blacklist Ip

    Examples # Enable the global blacklist function. <Sysname> system-view [Sysname] blacklist global enable Related commands • blacklist enable • blacklist ip blacklist ip Use blacklist ip to add an IPv4 blacklist entry. Use undo blacklist ip to delete a manually added IPv4 blacklist entry. Syntax blacklist ip source-ip-address [ vpn-instance vpn-instance-name ] [ timeout minutes ] undo blacklist ip source-ip-address [ vpn-instance vpn-instance-name ]...
  • Page 578: Blacklist Ipv6

    • blacklist global enable • display blacklist ip blacklist ipv6 Use blacklist ipv6 to add an IPv6 blacklist entry. Use undo blacklist ipv6 to delete a manually added IPv6 blacklist entry. Syntax blacklist ipv6 source-ipv6-address [ vpn-instance vpn-instance-name ] [ timeout minutes ] undo blacklist ipv6 source-ipv6-address [ vpn-instance vpn-instance-name ] Default No IPv6 blacklist entry exists.
  • Page 579: Blacklist Logging Enable

    blacklist logging enable Use blacklist logging enable to enable logging for the blacklist function. Use undo blacklist logging enable to disable logging for the blacklist function. Syntax blacklist logging enable undo blacklist logging enable Default Logging is disabled for the blacklist function. Views System view Predefined user roles...
  • Page 580: Client-Verify Dns Enable

    • blacklist ipv6 client-verify dns enable Use client-verify dns enable to enable DNS client verification on an interface. Use undo client-verify dns enable to restore the default. Syntax client-verify dns enable undo client-verify dns enable Default DNS client verification is disabled on an interface. Views Layer 3 interface view Predefined user roles...
  • Page 581: Client-Verify Protected Ip

    Default HTTP client verification is disabled on an interface. Views Layer 3 interface view Predefined user roles network-admin Usage guidelines Enable HTTP client verification on the interface that connects to the external network. This function protects internal HTTP servers against HTTP flood attacks. To configure the HTTP client verification to collaborate with HTTP flood attack prevention, specify client-verify as the HTTP flood attack prevention action.
  • Page 582: Client-Verify Protected Ipv6

    Parameters dns: Specifies the DNS client verification function. http: Specifies the HTTP client verification function. tcp: Specifies the TCP client verification function. destination-ip-address: Specifies the IPv4 address to be protected. All connection requests destined for this address are verified by the client verification function. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the specified IPv4 address belongs.
  • Page 583: Client-Verify Tcp Enable

    Predefined user roles network-admin Parameters dns: Specifies the DNS client verification function. http: Specifies the HTTP client verification function. tcp: Specifies the TCP client verification function. destination-ipv6-address: Specifies the IPv6 address to be protected. All connection requests destined for this address are verified by the client verification function. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the specified IPv6 address belongs.
  • Page 584: Display Attack-Defense Flood Statistics Ip

    Parameters mode: Specifies a working mode for the TCP client verification function. If you do not specify this keyword, the SYN cookie mode is used. syn-cookie: Specifies the SYN cookie mode. In this mode, bidirectional TCP proxy is enabled. safe-reset: Specifies the safe reset mode. In this mode, unidirectional TCP proxy is enabled. Usage guidelines Enable TCP client verification on the interface that connects to the external network to check incoming packets.
  • Page 585 display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ interface interface-type interface-number | local ] [ slot slot-number ] [ count ] Views Any view Predefined user roles...
  • Page 586 IP address Detected on Detect type State Dropped 192.168.100.221 a0123456789 GE2/1/2 SYN-ACK-FLOOD Normal 1000 4294967295 201.55.7.45 GE2/1/2 SYN-ACK-FLOOD Normal 1000 111111111 192.168.11.5 GE2/1/3 ACK-FLOOD Normal 1000 222222222 201.55.7.44 GE2/1/4 DNS-FLOOD Normal 1000 111111111 192.168.11.4 GE2/1/5 ACK-FLOOD Normal 1000 22222222 # (MSR4000.) Display flood attack detection and prevention statistics for all IPv4 addresses. <Sysname>...
  • Page 587: Display Attack-Defense Flood Statistics Ipv6

    Field Description Dropped Number of attack packets dropped by the interface or the device. Totally 2 flood entries Total number of IPv4 addresses that are protected. display attack-defense flood statistics ipv6 Use display attack-defense flood statistics ipv6 to display flood attack detection and prevention statistics for a protected IPv6 address.
  • Page 588 slot slot-number: Specifies a card by its slot number. This option is available only when you specify a global interface, such as a VLAN interface or tunnel interface. If no card is specified, this command displays IPv6 flood attack detection and prevention statistics on all cards. (MSR4000.) count: Displays the number of matching protected IPv6 addresses.
  • Page 589: Display Attack-Defense Policy

    Table 82 Command output Field Description IPv6 address Protected IPv6 address. MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--). Detected on Where the attack is detected, on the device (Local) or an interface. Detect type Type of the detected flood attack.
  • Page 590 Policy name : abc Applied list : GE2/1/1 Vlan1 -------------------------------------------------------------------------- Exempt IPv4 ACL: : Not configured Exempt IPv6 ACL: : vip -------------------------------------------------------------------------- Actions: CV-Client verify BS-Block source L-Logging D-Drop N-None Signature attack defense configuration: Signature name Defense Level Actions Fragment Enabled Info Impossible...
  • Page 591 ICMP timestamp reply Disabled Info ICMP information request Disabled Info ICMP information reply Disabled Medium ICMP address mask request Disabled Medium ICMP address mask reply Disabled Medium ICMPv6 echo request Enabled Medium ICMPv6 echo reply Disabled Medium ICMPv6 group membership query Disabled Medium ICMPv6 group membership report...
  • Page 592 Field Description Exempt IPv4 ACL: IPv4 ACL used for attack detection exemption. Exempt IPv6 ACL: IPv6 ACL used for attack detection exemption. Actions: Attack prevention actions: • CV—Client verification. • BS—Blocking sources. • L—Logging. • D—Dropping packets. • N—No action. Signature attack defense configuration: Configuration information about single-packet attack detection and...
  • Page 593 Field Description Global actions: Global prevention actions against the flood attack: • D—Dropping packets. • L—Logging. • CV—Client verification. • -—Not configured. Service ports: Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-).
  • Page 594: Display Attack-Defense Policy Ip

    Related commands attack-defense policy display attack-defense policy ip Use display attack-defense policy ip to display information about IPv4 addresses protected by flood attack detection and prevention. Syntax MSR1000/MSR2000/MSR3000: display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ip [ ip-address [ vpn vpn-instance-name ] ] [ count ] MSR4000:...
  • Page 595 slot slot-number: Specifies a card by its slot number. If no card is specified, this command displays information about IPv4 addresses protected by flood attack detection and prevention on all cards. (MSR4000.) count: Displays the number of matching IPv4 addresses protected by flood attack detection and prevention.
  • Page 596: Display Attack-Defense Policy Ipv6

    Field Description VPN instance: MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field displays hyphens (--). Type: Type of the flood attack. Rate threshold(PPS): Threshold for triggering the flood attack prevention, in units of packets sent to the IP address per second.
  • Page 597 syn-flood: Specifies SYN flood attack. udp-flood: Specifies UDP flood attack. ipv6-address: Specifies a protected IPv6 address. If no IPv6 address is specified, this command displays information about all protected IPv6 addresses. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
  • Page 598: Display Attack-Defense Scan Attacker Ip

    Table 86 Command output Field Description Totally 3 flood protected IP addresses: Total number of the IPv6 addresses protected by flood attack detection and prevention. IPv6 address: Protected IPv6 address. VPN instance: MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--).
  • Page 599: Display Attack-Defense Scan Attacker Ipv6

    IP address VPN instance DS-Lite tunnel peer Detected on Duration(min) 192.168.31.2 GE2/1/2 1284 2.2.2.3 GE2/1/2 # (MSR4000.) Display information about all IPv4 scanning attackers. <Sysname> display attack-defense scan attacker ip Slot 0: IP address VPN instance DS-Lite tunnel peer Detected on Duration(min) 192.168.31.2 GE2/1/2...
  • Page 600 Syntax MSR1000/MSR2000/MSR3000: display attack-defense scan attacker ipv6 [ interface interface-type interface-number | local ] [ count ] MSR4000: display attack-defense scan attacker ipv6 [ interface interface-type interface-number | local ] [ slot slot-number ] [ count ] Views Any view Predefined user roles network-admin network-operator...
  • Page 601: Display Attack-Defense Scan Victim Ip

    Totally 3 attackers. Slot 1: Totally 3 attackers. Table 88 Command output Field Description Totally 3 attackers: Total number of IPv6 scanning attackers. IPv6 address: IPv6 address of the attacker. VPN instance: MPLS L3VPN instance to which the attacker IPv6 address belongs. If the attacker IPv6 address is on the public network, this field displays hyphens (--).
  • Page 602: Display Attack-Defense Scan Victim Ipv6

    Examples # (MSR1000/MSR2000/MSR3000.) Display information about all IPv4 scanning attack victims. <Sysname> display attack-defense scan victim ip IP address VPN instance Detected on Duration(min) 192.168.31.2 GE2/1/4 2.2.2.3 GE2/1/4 1234 # (MSR4000.) Display information about all IPv4 scanning attack victims. <Sysname> display attack-defense scan victim ip Slot 0: IP address VPN instance...
  • Page 603 Syntax MSR1000/MSR2000/MSR3000: display attack-defense scan victim ipv6 [ interface interface-type interface-number | local ] [ count ] MSR4000: display attack-defense scan victim ipv6 [ interface interface-type interface-number | local ] [ slot slot-number ] [ count ] Views Any view Predefined user roles network-admin network-operator...
  • Page 604: Display Attack-Defense Statistics Interface

    Totally 3 victim IP addresses. Slot 1: Totally 3 victim IP addresses. Table 90 Command output Field Description Totally 3 victim IP addresses: Total number of IPv6 scanning attack victims. IPv6 address: IPv6 address of the victim. VPN instance: MPLS L3VPN instance to which the victim IPv6 address belongs. If the victim IPv6 address is on the public network, this field displays hyphens (--).
  • Page 605 Scan attack defense statistics: AttackType AttackTimes Dropped Port scan IP sweep Distribute port scan Flood attack defense statistics: AttackType AttackTimes Dropped SYN flood ACK flood SYN-ACK flood 5000 RST flood FIN flood UDP flood ICMP flood ICMPv6 flood DNS flood HTTP flood Signature attack defense statistics: AttackType...
  • Page 606 ICMP source quench ICMP destination unreachable ICMP redirect ICMP time exceeded ICMP parameter problem ICMP timestamp request ICMP timestamp reply ICMP information request ICMP information reply ICMP address mask request ICMP address mask reply ICMPv6 echo request ICMPv6 echo reply ICMPv6 group membership query ICMPv6 group membership report ICMPv6 group membership reduction...
  • Page 607 IP option loose source routing IP option strict source routing IP option route alert Fragment Impossible Teardrop Tiny fragment IP options abnormal Smurf Ping of death Traceroute Large ICMP TCP NULL flag TCP all flags TCP SYN-FIN flags TCP FIN only flag TCP invalid flag TCP Land Winnuke...
  • Page 608: Display Attack-Defense Statistics Local

    Table 91 Command output Field Description AttackType Type of the attack. AttackTimes Number of times that the attack occurred. Dropped Number of dropped packets. display attack-defense statistics local Use display attack-defense statistics local to display attack detection and prevention statistics for the device.
  • Page 609 ICMPv6 flood DNS flood HTTP flood Signature attack defense statistics: AttackType AttackTimes Dropped IP option record route IP option security IP option stream ID IP option internet timestamp IP option loose source routing IP option strict source routing IP option route alert Fragment Impossible Teardrop...
  • Page 610 ICMPv6 group membership report ICMPv6 group membership reduction ICMPv6 destination unreachable ICMPv6 time exceeded ICMPv6 parameter problem ICMPv6 packet too big # (MSR4000.) Display attack detection and prevention statistics for the device. <Sysname> display attack-defense statistics local Slot 0: Attack policy name: abc Scan attack defense statistics: AttackType AttackTimes Dropped...
  • Page 611 TCP FIN only flag TCP invalid flag TCP Land Winnuke UDP Bomb Snork Fraggle Large ICMPv6 ICMP echo request ICMP echo reply ICMP source quench ICMP destination unreachable ICMP redirect ICMP time exceeded ICMP parameter problem ICMP timestamp request ICMP timestamp reply ICMP information request ICMP information reply ICMP address mask request...
  • Page 612 HTTP flood Signature attack defense statistics: AttackType AttackTimes Dropped IP option record route IP option security IP option stream ID IP option internet timestamp IP option loose source routing IP option strict source routing IP option route alert Fragment Impossible Teardrop Tiny fragment IP options abnormal...
  • Page 613: Display Blacklist Ip

    ICMPv6 destination unreachable ICMPv6 time exceeded ICMPv6 parameter problem ICMPv6 packet too big Table 92 Command output Field Description AttackType Type of the attack. AttackTimes Number of times that the attack occurred. Dropped Number of dropped packets. Related commands reset attack-defense statistics local display blacklist ip Use display blacklist ip to display IPv4 blacklist entries.
  • Page 614: Display Blacklist Ipv6

    IP address VPN instance DS-Lite tunnel peer Type TTL(sec) Dropped 123.123.123.123 a0123456789012 2013::fe07:221a:4011 Dynamic 123 4294967295 201.55.7.45 2013::1 Manual Never 14478 192.168.11.5 Dynamic 10 353452 # (MSR4000.) Display IPv4 blacklist entries on the card in slot 0. <Sysname> display blacklist ip slot 0 Slot 0: IP address VPN instance...
  • Page 615 MSR4000: display blacklist ipv6 [ source-ipv6-address [ vpn-instance vpn-instance-name ] ] [ slot slot-number ] [ count ] Views Any view Predefined user roles network-admin network-operator Parameters source-ipv6-address: Specifies the IPv6 address for a blacklist entry. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
  • Page 616: Display Client-Verify Protected Ip

    Totally 3 blacklist entries. Table 94 Command output Field Description IPv6 address: IPv6 address of the blacklist entry. VPN instance: MPLS L3VPN instance to which the blacklisted IPv6 address belongs. If the blacklisted IPv6 address is on the public network, this field displays hyphens (--).
  • Page 617 port port-number: Specifies a protected port in the range of 1 to 65535. If no port is specified, this command displays protected IPv4 addresses with port 53 for DNS client verification, port 80 for HTTP client verification, and all ports for TCP client verification. slot slot-number: Specifies a card by its slot number.
  • Page 618 123.123.123.123 VPN1 Dynamic 4294967295 15151 201.55.7.45 Manual 15000 192.168.11.5 Dynamic 353452 Slot 1 IP address VPN instance Port Type Requested Trusted 123.123.123.123 VPN1 Dynamic 4294967295 15151 201.55.7.45 Manual 15000 192.168.11.5 Dynamic 353452 # (MSR1000/MSR2000/MSR3000.) Display the number of protected IPv4 addresses for DNS client verification.
  • Page 619: Display Client-Verify Protected Ipv6

    Table 95 Command output Field Description Totally 3 protected IP addresses: Total number of protected IPv4 addresses. IP address: Protected IPv4 address. VPN instance: MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field displays hyphens (--).
  • Page 620 port port-number: Specifies a protected port in the range of 1 to 65535. If no port is specified, this command displays protected IPv6 addresses with port 53 for DNS client verification, port 80 for HTTP client verification, and all ports for TCP client verification. slot slot-number: Specifies a card by its slot number.
  • Page 621 1023::1123 vpn1 Dynamic 4294967295 15151 1:2:3:4:5:6:7:8 Manual 14478 5501 # (MSR1000/MSR2000/MSR3000.) Display the number of protected IPv6 addresses for DNS client verification. <Sysname> display client-verify dns protected ipv6 count Totally 3 protected IPv6 addresses. # (MSR4000.) Display the number of protected IPv6 addresses for DNS client verification. <Sysname>...
  • Page 622: Display Client-Verify Trusted Ip

    Field Description Port: Port protected by TCP client verification. If TCP client verification protects all ports, this field displays any. Type: Type of the protected IPv6 address, Manual or Dynamic. Requested: Number of packets destined for the protected IPv6 address. Trusted: Number of packets that passed the client verification.
  • Page 623 11.1.1.2 vpn1 3600 123.123.123.123 a012345678901234567 1234:1234::1234:1234 3550 # (MSR4000.) Display the trusted IPv4 list for DNS client verification. <Sysname> display client-verify dns trusted ip Slot 0: IP address VPN instance DS-Lite tunnel peer TTL(sec) 11.1.1.2 vpn1 3600 123.123.123.123 a012345678901234567 1234:1234::1234:1234 3550 Slot 1: IP address...
  • Page 624: Display Client-Verify Trusted Ipv6

    # (MSR1000/MSR2000/MSR3000.) Display the trusted IPv4 list for TCP client verification. <Sysname> display client-verify tcp trusted ip IP address VPN instance DS-Lite tunnel peer TTL(sec) 11.1.1.2 vpn1 3600 123.123.123.123 a012345678901234567 1234:1234::1234:1234 3550 # (MSR4000.) Display the trusted IPv4 list for TCP client verification. <Sysname>...
  • Page 625 MSR4000: display client-verify { dns | http | tcp } trusted ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ slot slot-number ] [ count ] Views Any view Predefined user roles network-admin network-operator Parameters dns: Specifies the DNS client verification function. http: Specifies the HTTP client verification function.
  • Page 626 Totally 3 trusted IPv6 addresses. Slot 1: Totally 3 trusted IPv6 addresses. # (MSR1000/MSR2000/MSR3000.) Display the trusted IPv6 list for HTTP client verification. <Sysname> display client-verify http trusted ipv6 IPv6 address VPN instance TTL(sec) 1::3 vpn1 1643 1234::1234 a012345678901234 1234 # (MSR4000.) Display the trusted IPv6 list for HTTP client verification.
  • Page 627: Dns-Flood Action

    <Sysname> display client-verify tcp trusted ipv6 count Slot 0: Totally 3 trusted IPv6 addresses. Slot 1: Totally 3 trusted IPv6 addresses. Table 98 Command output Field Description Totally 3 protected IPv6 addresses: Number of trusted IPv6 addresses. IPv6 address: Trusted IPv6 address. VPN instance: MPLS L3VPN instance to which the trusted IPv6 address belongs.
  • Page 628: Dns-Flood Detect

    Examples # Specify drop as the global action against DNS flood attacks in attack defense policy atk-policy-1. <Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] dns-flood action drop Related commands: • dns-flood detect • dns-flood detect non-specific • dns-flood threshold • client-verify dns enable dns-flood detect Use dns-flood detect to configure IP-specific DNS flood attack detection.
  • Page 629: Dns-Flood Detect Non-Specific

    client-verify: Adds the victim IP addresses to the protected IP list for DNS client verification. If DNS client verification is enabled, the device provides proxy services for protected servers. drop: Drops subsequent DNS packets destined for the protected IP address. logging: Enables logging for DNS flood attack events.
  • Page 630: Dns-Flood Port

    Usage guidelines This command enables global DNS flood attack detection. It applies to all IP addresses except for those specified by the dns-flood detect command. The system uses the global trigger threshold set by the dns-flood threshold command and global actions specified by the dns-flood action command. Examples # Enable DNS flood attack detection for non-specific IP addresses in attack defense policy atk-policy-1.
  • Page 631: Dns-Flood Threshold

    Related commands: • dns-flood action • dns-flood detect • dns-flood detect non-specific dns-flood threshold Use dns-flood threshold to set the global threshold for triggering DNS flood attack prevention. Use undo dns-flood threshold to restore the default. Syntax dns-flood threshold threshold-value undo dns-flood threshold Default The global threshold is 1000 for triggering DNS flood attack prevention.
  • Page 632: Fin-Flood Action

    Use undo exempt acl to restore the default. Syntax exempt acl [ ipv6 ] { acl-number | name acl-name } undo exempt acl [ ipv6 ] Default Attack defense exemption is not configured. The attack defense policy applies to all incoming packets. Views Attack defense policy view Predefined user roles...
  • Page 633: Fin-Flood Detect

    undo fin-flood action Default No action is taken against detected FIN flood attacks. Views Attack defense policy view Predefined user roles network-admin Parameters client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.
  • Page 634: Fin-Flood Detect Non-Specific

    Views Attack defense policy view Predefined user roles network-admin Parameters ip ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s. ipv6 ipv6-address: Specifies the IPv6 address to be protected. The ipv6-address argument cannot be a multicast address or all 0s.
  • Page 635: Fin-Flood Threshold

    Use undo fin-flood detect non-specific to restore the default. Syntax fin-flood detect non-specific undo fin-flood detect non-specific Default FIN flood attack detection is not enabled for non-specific IP addresses. Views Attack defense policy view Predefined user roles network-admin Usage guidelines This command enables global FIN flood attack detection.
  • Page 636: Http-Flood Action

    Parameters threshold-value: Specifies the threshold for triggering FIN flood attack prevention. The value range is 1 to 1000000 in units of FIN packets sent to an IP address per second. Usage guidelines The global threshold applies to FIN flood attack detection for non-specific IP addresses. Adjust the threshold according to the application scenarios.
  • Page 637: Http-Flood Detect

    Usage guidelines To configure the HTTP flood attack detection to collaborate with the HTTP client verification, make sure the client-verify keyword is specified and the HTTP client verification is enabled. To enable HTTP client verification, use the client-verify http enable command. Examples # Specify drop as the global action against HTTP flood attacks in attack defense policy atk-policy-1.
  • Page 638: Http-Flood Detect Non-Specific

    threshold threshold-value: Sets the threshold for triggering HTTP flood attack prevention. The value range is 1 to 1000000 in units of HTTP packets sent to the specified IP address per second. action: Specifies the actions when an HTTP flood attack is detected. If no action is specified, the global actions set by the http-flood action command apply.
  • Page 639: Http-Flood Port

    Predefined user roles network-admin Usage guidelines This command enables global HTTP flood attack detection. It applies to all IP addresses except for those specified by the http-flood detect command. The system uses the global trigger threshold set by the http-flood threshold command and global actions specified by the http-flood action command. Examples # Enable HTTP flood attack detection for non-specific IP addresses in attack defense policy atk-policy-1.
  • Page 640: Http-Flood Threshold

    <Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] http-flood port 80 8080 Related commands: • http-flood action • http-flood detect • http-flood detect non-specific http-flood threshold Use http-flood threshold to set the global threshold for triggering HTTP flood attack prevention. Use undo http-flood threshold to restore the default. Syntax http-flood threshold threshold-value undo http-flood threshold...
  • Page 641: Icmp-Flood Action

    icmp-flood action Use icmp-flood action to specify global actions against ICMP flood attacks. Use undo icmp-flood action to restore the default. Syntax icmp-flood action { drop | logging } * undo icmp-flood action Default No action is taken against detected ICMP flood attacks. Views Attack defense policy view Predefined user roles...
  • Page 642: Icmp-Flood Detect Non-Specific

    Views Attack defense policy view Predefined user roles network-admin Parameters ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs.
  • Page 643: Icmp-Flood Threshold

    undo icmp-flood detect non-specific Default ICMP flood attack detection is not enabled for non-specific IPv4 addresses. Views Attack defense policy view Predefined user roles network-admin Usage guidelines This command enables global ICMP flood attack detection. It applies to all IP addresses except for those specified by the icmp-flood detect ip command.
  • Page 644: Icmpv6-Flood Action

    Usage guidelines The global threshold applies to ICMP flood attack detection for non-specific IP addresses. Adjust the threshold according to the application scenarios. If the number of ICMP packets to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services.
  • Page 645: Icmpv6-Flood Detect Ipv6

    Related commands: • icmpv6-flood detect ipv6 • icmpv6-flood detect non-specific • icmpv6-flood threshold icmpv6-flood detect ipv6 Use icmpv6-flood detect ipv6 to configure IPv6-specific ICMPv6 flood attack detection. Use undo icmpv6-flood detect ipv6 to remove the ICMPv6 flood attack detection configuration for an IPv6 address.
  • Page 646: Icmpv6-Flood Detect Non-Specific

    Examples # Configure ICMPv6 flood attack detection for 2012::12 in attack defense policy atk-policy-1. <Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood detect ipv6 2012::12 threshold 2000 Related commands: • icmpv6-flood action • icmpv6-flood detect non-specific • icmpv6-flood threshold icmpv6-flood detect non-specific Use icmpv6-flood detect non-specific to enable ICMPv6 flood attack detection for non-specific IPv6 addresses.
  • Page 647: Icmpv6-Flood Threshold

    icmpv6-flood threshold Use icmpv6-flood threshold to set the global threshold for triggering ICMPv6 flood attack prevention. Use undo icmpv6-flood threshold to restore the default. Syntax icmpv6-flood threshold threshold-value undo icmpv6-flood threshold Default The global threshold is 1000 for triggering ICMPv6 flood attack prevention. Views Attack defense policy view Predefined user roles...
  • Page 648: Reset Attack-Defense Statistics Interface

    Predefined user roles network-admin network-operator Parameters policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). ip: Clears flood attack detection and prevention statistics for IPv4 addresses.
  • Page 649: Reset Blacklist Ip

    Syntax reset attack-defense statistics local Views User view Predefined user roles network-admin network-operator Examples # Clear attack detection and prevention statistics for the device. <Sysname> reset attack-defense statistics local Related commands display attack-defense statistics local reset blacklist ip Use reset blacklist ip to clear dynamic IPv4 blacklist entries. Syntax reset blacklist ip { source-ip-address [ vpn-instance vpn-instance-name ] | all } Views...
  • Page 650: Reset Blacklist Ipv6

    reset blacklist ipv6 Use reset blacklist ipv6 to clear dynamic IPv6 blacklist entries. Syntax reset blacklist ipv6 { source-ipv6-address [ vpn-instance vpn-instance-name ] | all } Views User view Predefined user roles network-admin network-operator Parameters source-ipv6-address: Specifies the IPv6 address for a blacklist entry. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs.
  • Page 651: Reset Client-Verify Protected Statistics

    Related commands: • display blacklist ip • display blacklist ipv6 reset client-verify protected statistics Use reset client-verify protected statistics to clear protected IP statistics for client verification. Syntax reset client-verify { dns | http | tcp } protected { ip | ipv6 } statistics Views User view Predefined user roles...
  • Page 652: Rst-Flood Action

    Parameters dns: Specifies the DNS client verification function. http: Specifies the HTTP client verification function. tcp: Specifies the TCP client verification function. ip: Specifies the trusted IPv4 list. ipv6: Specifies the trusted IPv6 list. Examples # Clear the trusted IPv4 list for DNS client verification. <Sysname>...
  • Page 653: Rst-Flood Detect

    <Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] rst-flood action drop Related commands: • client-verify tcp enable • rst-flood detect • rst-flood detect non-specific • rst-flood threshold rst-flood detect Use rst-flood detect to configure IP-specific RST flood attack detection. Use undo rst-flood detect to remove the RST flood attack detection configuration for an IP address. Syntax rst-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { client-verify | drop | logging } * ]...
  • Page 654: Rst-Flood Detect Non-Specific

    Usage guidelines You can configure RST flood attack detection for multiple IP addresses in one attack defense policy. With RST flood attack detection configured, the device is in attack detection state. An attack occurs when the device detects that the sending rate of RST packets to a protected IP address reaches or exceeds the threshold.
  • Page 655: Rst-Flood Threshold

    Related commands: • rst-flood action • rst-flood detect • rst-flood threshold rst-flood threshold Use rst-flood threshold to set the global threshold for triggering RST flood attack prevention. Use undo rst-flood threshold to restore the default. Syntax rst-flood threshold threshold-value undo rst-flood threshold Default The global threshold is 1000 for triggering RST flood attack prevention.
  • Page 656 Use undo scan detect to restore the default. Syntax scan detect level { high | low | medium } action { { block-source [ timeout minutes ] | drop } | logging } undo scan detect level { high | low | medium } Default Scanning attack detection is disabled.
  • Page 657: Signature { Large-Icmp | Large-Icmpv6 } Max-Length

    # Configure scanning attack detection in attack defense policy atk-policy-1. Specify the detection level as low and the prevention actions as block-source and logging. Set the aging time for the dynamically added blacklist entries to 10 minutes. <Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] scan detect level low action logging block-source timeout 10 Related commands...
  • Page 658: Signature Detect

    signature detect Use signature detect to configure signature detection for single-packet attacks. Use undo signature detect to remove the signature detection configuration for single-packet attacks. Syntax signature detect { fraggle | fragment | impossible | ip-option-abnormal | land | large-icmp | large-icmpv6 | ping-of-death | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | teardrop | tiny-fragment | traceroute | udp-bomb | winnuke } [ action { { drop | logging } * | none } ]...
  • Page 659 icmp-type: Specifies an ICMP packet attack by its signature type. You can specify the signature by the ICMP packet type value or keyword: • icmp-type-value: Specifies the ICMP type value in the range of 0 to 255. • address-mask-reply: Specifies the ICMP address mask reply type. •...
  • Page 660 ipv6-ext-header ext-header-value: Specifies an IPv6 extension header by its value in the range of 0 to 255. An IPv6 extension header attack occurs when the specified IPv6 extension header value is detected. land: Specifies the Land attack. large-icmp: Specifies the large ICMP packet attack. large-icmpv6: Specifies the large ICMPv6 packet attack.
  • Page 661: Signature Level Action

    signature level action Use signature level action to specify the actions against single-packet attacks of a specific level. Use undo signature level action to restore the default. Syntax signature level { high | info | low | medium } action { { drop | logging } * | none } undo signature level { high | info | low | medium } action Default For informational-level and low-level single-packet attacks, the action is logging.
  • Page 662: Signature Level Detect

    signature level detect Use signature level detect to enable signature detection for single-packet attacks of a specific level. Use undo signature level detect to disable signature detection for single-packet attacks of a specific level. Syntax signature level { high | info | low | medium } detect undo signature level { high | info | low | medium } detect Default Signature detection is disabled for all levels of single-packet attacks.
  • Page 663: Syn-Ack-Flood Action

    syn-ack-flood action Use syn-ack-flood action to specify global actions against SYN-ACK flood attacks. Use undo syn-ack-flood action to restore the default. Syntax syn-ack-flood action { client-verify | drop | logging } * undo syn-ack-flood action Default No action is taken against detected SYN-ACK flood attacks. Views Attack defense policy view Predefined user roles...
  • Page 664 Syntax syn-ack-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { client-verify | drop | logging } * ] undo syn-ack-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] Default SYN-ACK flood attack detection is not configured for any IP address.
  • Page 665: Syn-Ack-Flood Detect Non-Specific

    Related commands: • syn-ack-flood action • syn-ack-flood detect non-specific • syn-ack-flood threshold syn-ack-flood detect non-specific Use syn-ack-flood detect non-specific to enable SYN-ACK flood attack detection for non-specific IP addresses. Use undo syn-ack-flood detect non-specific to restore the default. Syntax syn-ack-flood detect non-specific undo syn-ack-flood detect non-specific Default SYN-ACK flood attack detection is not enabled for non-specific IP addresses.
  • Page 666: Syn-Flood Action

    Syntax syn-ack-flood threshold threshold-value undo syn-ack-flood threshold Default The global threshold is 1000 for triggering SYN-ACK flood attack prevention. Views Attack defense policy view Predefined user roles network-admin Parameters threshold-value: Specifies the threshold for triggering SYN-ACK flood attack prevention. The value range is 1 to 1000000 in units of SYN-ACK packets sent to an IP address per second.
  • Page 667: Syn-Flood Detect

    Predefined user roles network-admin Parameters client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers. drop: Drops subsequent SYN packets destined for the victim IP addresses. logging: Enables logging for SYN flood attack events.
  • Page 668: Syn-Flood Detect Non-Specific

    ipv6 ipv6-address: Specifies the IPv6 address to be protected. The ipv6-address argument cannot be a multicast address or all 0s. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
  • Page 669: Syn-Flood Threshold

    Views Attack defense policy view Predefined user roles network-admin Usage guidelines This command enables global SYN flood attack detection. It applies to all IP addresses except for those specified by the syn-flood detect command. The system uses the global trigger threshold set by the syn-flood threshold command and global actions specified by the syn-flood action command.
  • Page 670: Udp-Flood Action

Examples # Set the global threshold to 100 for triggering SYN flood attack prevention in attack defense policy atk-policy-1. <Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] syn-flood threshold 100 Related commands • syn-flood action • syn-flood detect • syn-flood detect non-specific ...
  • Page 671: Udp-Flood Detect

    udp-flood detect Use udp-flood detect to configure IP-specific UDP flood attack detection. Use undo udp-flood detect to remove the UDP flood attack detection configuration for an IP address. Syntax udp-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { drop | logging } * ] undo udp-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] Default...
  • Page 672: Udp-Flood Detect Non-Specific

[Sysname-attack-defense-policy-atk-policy-1] udp-flood detect ip 192.168.1.2 threshold 2000 Related commands • udp-flood action • udp-flood detect non-specific • udp-flood threshold udp-flood detect non-specific Use udp-flood detect non-specific to enable UDP flood attack detection for non-specific IP addresses. Use undo udp-flood detect non-specific to restore the default. Syntax udp-flood detect non-specific undo udp-flood detect non-specific...
  • Page 673 undo udp-flood threshold Default The global threshold is 1000 for triggering UDP flood attack prevention. Views Attack defense policy view Predefined user roles network-admin Parameters threshold-value: Specifies the threshold for triggering UDP flood attack prevention. The value range is 1 to 64000 in units of UDP packets sent to an IP address per second.
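The syn-flood, syn-ack-flood and udp-flood commands on the preceding pages share one decision model: a global threshold and action set, a detect non-specific switch that extends them to every IP address not listed explicitly, and per-IP detect entries that take precedence over the global settings (the usage guidelines on page 669). The Python below is an added example, not code from this reference or from HP's firmware; it models that decision logic on a constructed traffic sample so the precedence rules can be checked. It assumes two details these pages do not state: an IP-specific entry that omits its own threshold or action inherits the global value, and an attack is declared when the per-second count strictly exceeds the threshold. The action sets and the non-specific settings given to the policy are likewise chosen for illustration; the threshold values are the ones from the page's own examples.

```python
"""Added model of a Comware attack-defense flood policy (illustrative Python,
not device code).  Mirrors the command semantics from this reference:
  <type> threshold N            global trigger threshold (default 1000 pps)
  <type> action ...             global actions (default: none)
  <type> detect non-specific    apply global settings to all unlisted IPs
  <type> detect ip A [threshold N] [action ...]
                                IP-specific entry that overrides the global one
Assumptions (not stated on the page): an IP-specific entry without its own
threshold or action inherits the global value, and an attack is declared when
the per-second packet count strictly exceeds the threshold.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class FloodPolicy:
    """Settings for one flood type (syn, syn-ack or udp) in a policy."""
    threshold: int = 1000                   # "<type> threshold N"
    actions: frozenset = frozenset()        # "<type> action {drop|logging|...}"
    non_specific: bool = False              # "<type> detect non-specific"
    # dst ip -> (threshold or None, actions or None), from "<type> detect ip"
    specific: dict = field(default_factory=dict)

    def detect_ip(self, ip, threshold=None, actions=None):
        """Add an IP-specific entry; None means 'inherit the global setting'."""
        acts = None if actions is None else frozenset(actions)
        self.specific[ip] = (threshold, acts)
        return self

    def settings_for(self, dst_ip):
        """(threshold, actions) governing dst_ip, or None if it is not protected."""
        if dst_ip in self.specific:                  # IP-specific entry wins
            thr, acts = self.specific[dst_ip]
            return (self.threshold if thr is None else thr,
                    self.actions if acts is None else acts)   # assumed fallback
        if self.non_specific:                        # global settings apply
            return self.threshold, self.actions
        return None                                  # no detection for this IP

    def verdict(self, dst_ip, pps):
        """Actions to take for dst_ip at pps packets/s; None if not protected."""
        settings = self.settings_for(dst_ip)
        if settings is None:
            return None
        thr, acts = settings
        return acts if pps > thr else frozenset()    # strict '>' is assumed


def burst(second, dst_ip, kind, count):
    """Constructed sample traffic: `count` packets of `kind` to dst_ip in one second."""
    return [(second, dst_ip, kind)] * count


def evaluate(policy_by_kind, packets):
    """Count packets per (second, kind, destination) and apply the matching
    policy.  Returns {(dst_ip, kind): (second, count, actions)} for flows that
    crossed their threshold and have at least one action configured."""
    counts = Counter((sec, kind, dst) for sec, dst, kind in packets)
    hits = {}
    for (sec, kind, dst), n in counts.items():
        policy = policy_by_kind.get(kind)
        if policy is None:
            continue
        actions = policy.verdict(dst, n)
        if actions:
            hits[(dst, kind)] = (sec, n, actions)
    return hits


# Policy atk-policy-1, built from the reference's own examples (syn-flood
# threshold 100; udp-flood detect ip 192.168.1.2 threshold 2000) plus assumed
# action and non-specific settings:
#   syn-flood threshold 100
#   syn-flood action drop logging
#   syn-flood detect non-specific
#   udp-flood action logging
#   udp-flood detect ip 192.168.1.2 threshold 2000
POLICY = {
    "syn": FloodPolicy(threshold=100, actions=frozenset({"drop", "logging"}),
                       non_specific=True),
    "udp": FloodPolicy(actions=frozenset({"logging"}))
           .detect_ip("192.168.1.2", threshold=2000),
}

# Constructed traffic sample: one second of SYN and UDP packets.
SAMPLE = (
    burst(1, "10.0.0.5", "syn", 150)        # 150 > 100 on an unlisted IP: drop+logging
    + burst(1, "10.0.0.6", "syn", 100)      # exactly at threshold: no attack
    + burst(1, "192.168.1.2", "udp", 2500)  # 2500 > 2000 on the listed IP: logging
    + burst(1, "10.0.0.9", "udp", 5000)     # udp-flood detect non-specific is off: ignored
)

if __name__ == "__main__":
    for (dst, kind), (sec, n, actions) in sorted(evaluate(POLICY, SAMPLE).items()):
        print(f"t={sec}s {kind}-flood to {dst}: {n} pps -> {sorted(actions)}")
```

The last sample flow is the point worth checking on a real device: 5000 UDP packets per second to 10.0.0.9 are never examined, because no udp-flood detect entry names that address and udp-flood detect non-specific is off. A global threshold and action by themselves protect nothing until one of the detect commands puts an address in scope.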
  • Page 674: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
  • Page 675: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
  • Page 676 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 677: Index

    Index A B C D E F G H I K L M N O P Q R S T U V W attack-defense apply policy,558 attack-defense local apply policy,559 session-limit,1 attack-defense policy,560 access-limit,32 attack-defense signature log non-aggregate,561 access-limit enable,2 attribute,244 accounting command,2...
  • Page 678 certificate domain,352 display aspf session,437 certificate request entity,246 display attack-defense flood statistics ip,570 certificate request from,247 display attack-defense flood statistics ipv6,573 certificate request mode,248 display attack-defense policy,575 certificate request polling,249 display attack-defense policy ip,580 certificate request url,250 display attack-defense policy ipv6,582 ciphersuite,421 display attack-defense scan attacker...
• Page 679 display mac-authentication,137 domain if-unknown,29 display mac-authentication connection,139 dot1x,116 display object group,502 dot1x authentication-method,117 display password-control,207 dot1x auth-fail vlan,118 display password-control blacklist,208 dot1x critical vlan,119 display pki certificate access-control-policy,254 dot1x domain-delimiter,119 display pki certificate attribute-group,255 dot1x guest-vlan,120 display pki certificate domain,256...
  • Page 680 get,400 ipsec { ipv6-policy-template | policy-template } policy-template,327 group,39 ipsec anti-replay check,319 ipsec anti-replay window,320 help,400 ipsec apply,320 http-flood action,622 ipsec decrypt-check enable,321 http-flood detect,623 ipsec df-bit,322 http-flood detect non-specific,624 ipsec global-df-bit,323 http-flood port,625 ipsec logging packet enable,322 http-flood threshold,626 ipsec profile,328 hwtacacs...
  • Page 681 mac-authentication user-name-format,147 retrieve-certificate,284 match local address (IKE keychain view),372 retrieve-crl,285 match local address (IKE profile view),373 storage,286 match remote,374 validate-certificate,287 mkdir,402 pki-domain (SSL client policy view),427 pki-domain (SSL server policy view),424 port,55 nas-ip (HWTACACS scheme view),84 port,164 nas-ip (RADIUS scheme view),54 port (port object group view),509...
  • Page 682 primary accounting (RADIUS scheme view),56 reset crypto-engine statistics,547 primary authentication (HWTACACS scheme view),86 reset dot1x guest-vlan,136 primary authentication (RADIUS scheme view),58 reset dot1x statistics,136 primary authorization,88 reset hwtacacs statistics,89 priority (IKE keychain view),377 reset ike sa,379 priority (IKE profile view),378 reset ike statistics,380 proposal,378...
  • Page 683 secondary accounting (RADIUS scheme view),66 ssh server ipv6 acl,391 secondary authentication (HWTACACS scheme ssh server ipv6 dscp,392 view),91 ssh server rekey-interval,392 secondary authentication (RADIUS scheme view),68 user,393 secondary authorization,93 ssh2,416 security acl,347 ssh2 ipv6,418 security-policy-server,70 client-policy,430 server-detect (portal authentication server view),182 server-policy,425 server-detect (portal Web server...
  • Page 684 user-sync,186 vpn-instance (HWTACACS scheme view),98 vpn-instance (RADIUS scheme view),77 version,431 vpn-instance,187 Websites,660...